
HashiCorp Consul API Gateway Adds TCPRoute Support and Installation via Helm Chart


HashiCorp has moved their Consul API Gateway into beta release. The release adds a number of new features to their Consul Service Mesh ingress solution including support for TCPRoute, installation via Helm Chart, and TLS settings per listener.

Consul API Gateway facilitates routing traffic to applications running on the Consul service mesh. It is meant to solve two primary problems: controlling access at the ingress point and simplifying traffic management. Consul API Gateway allows for setting the protocols of external connection requests and providing clients with TLS certificates from trusted providers. The service also allows for load balancing across services and routing traffic via pattern matching within the hostname, path, header, or HTTP verb.

Diagram illustrating Consul API Gateway in use with Consul Service Mesh (credit: HashiCorp)

Consul API Gateway is built on the Kubernetes Gateway API specification. This specification defines custom resource definitions (CRDs) to create gateways and routes based on the path or protocol of the client request. It is an open-source project that aims "to evolve Kubernetes service networking through expressive, extensible, and role-oriented interfaces that are implemented by many vendors and have broad industry support".

This release adds support for both TCP and TCP + TLS connections between clients and service mesh applications through TCPRoute. It is also possible to create TCP-based routes that leverage a TLS listener. The example below uses the Kubernetes Gateway API CRD to implement and manage the TCP route:

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
 name: tcp-app-1
spec:
 parentRefs:
 - name: my-tcp-gateway
   sectionName: foo
 rules:
 - backendRefs:
   - name: my-foo-service
     port: 6000

It is now possible to configure TLS settings on a per-listener basis. This includes setting the minimum and maximum allowable TLS version and the cipher suites. This example sets the minimum TLS version to 1.3 and specifies the allowed cipher suites for HTTPS traffic on port 8443:

listeners:
 - protocol: HTTPS
   port: 8443
   name: https
   allowedRoutes:
     namespaces:
       from: Same
   tls:
     certificateRefs:
       - name: consul-server-cert
     options:
       "api-gateway.consul.hashicorp.com/tls_min_version": "TLSv1_3"
       "api-gateway.consul.hashicorp.com/tls_cipher_suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
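
The following audit of these per-listener options is an added example, not code from the article or from HashiCorp. The function names, the `legacy` and `foo` listeners and the TLS 1.2 policy floor are constructed for illustration, and the last check assumes the proxy applies the cipher list to TLS 1.2 and earlier only.

```python
# Added example (not from the article): audit Gateway listeners for the
# per-listener TLS options shown above. Listener dicts mirror the YAML.
PREFIX = "api-gateway.consul.hashicorp.com/"
VERSIONS = {"TLSv1_0": 0, "TLSv1_1": 1, "TLSv1_2": 2, "TLSv1_3": 3}

def audit_listener(listener, floor="TLSv1_2"):
    """Return a list of findings (strings) for one listener."""
    name = listener.get("name", "<unnamed>")
    tls = listener.get("tls")
    if tls is None:
        return [f"{name}: no tls block, so the gateway applies no TLS to "
                f"{listener.get('protocol')} traffic"]
    opts = tls.get("options") or {}
    findings = []
    min_v = opts.get(PREFIX + "tls_min_version")
    if min_v is None:
        findings.append(f"{name}: tls_min_version not set")
    elif min_v not in VERSIONS:
        findings.append(f"{name}: unrecognised tls_min_version {min_v!r}")
    elif VERSIONS[min_v] < VERSIONS[floor]:
        findings.append(f"{name}: tls_min_version {min_v} is below {floor}")
    raw = opts.get(PREFIX + "tls_cipher_suites", "")
    suites = [s.strip() for s in raw.split(",") if s.strip()]
    for suite in suites:
        if "_ECDHE_" not in suite and "_DHE_" not in suite:
            findings.append(f"{name}: {suite} has no forward secrecy")
        if "_GCM_" not in suite and "CHACHA20_POLY1305" not in suite:
            findings.append(f"{name}: {suite} is not an AEAD suite")
    # Assumption: the cipher list governs TLS 1.2 and earlier only, so with a
    # TLS 1.3 floor it restricts nothing.
    if suites and min_v == "TLSv1_3":
        findings.append(f"{name}: tls_cipher_suites has no effect with a TLSv1_3 minimum")
    return findings

def tls_options(min_version, suites):
    """Build a tls block carrying the two annotations (helper for the samples)."""
    return {"options": {PREFIX + "tls_min_version": min_version,
                        PREFIX + "tls_cipher_suites": suites}}

# The article's listener, plus two constructed listeners for contrast.
LISTENERS = [
    {"name": "https", "protocol": "HTTPS", "port": 8443,
     "tls": tls_options("TLSv1_3", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
                                   "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256")},
    {"name": "legacy", "protocol": "HTTPS", "port": 9443,  # constructed
     "tls": tls_options("TLSv1_0", "TLS_RSA_WITH_AES_128_CBC_SHA")},
    {"name": "foo", "protocol": "TCP", "port": 6000},       # constructed
]
```

Calling `audit_listener` on each entry of `LISTENERS` returns the findings as plain strings, which makes the function easy to wire into a CI check over rendered Gateway manifests.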

This release extends the Consul Helm chart so that it can install and configure the Consul API Gateway. This requires version 0.40.0 or higher of the Consul Helm chart, and the Consul servers must be running version 1.11.1 or higher.

More details about the release can be found on the HashiCorp blog and within the Consul documentation. There is also a new HashiCorp Learn Tutorial that walks through setting up Consul API Gateway on Kubernetes.
