2020-06-17 23:26:14 +00:00
---
layout: docs
page_title: Ingress Gateways - Kubernetes
description: Configuring Ingress Gateways on Kubernetes
---
2020-07-15 22:45:20 +00:00
# Ingress Gateways on Kubernetes
2021-01-08 22:30:41 +00:00
-> 1.9.0+: This feature is available in Consul versions 1.9.0 and higher
2020-07-15 22:45:20 +00:00
~> This topic requires familiarity with [Ingress Gateways](/docs/connect/ingress-gateway).
2021-04-16 19:49:02 +00:00
This page describes how to enable external access to Connect Service Mesh services running inside Kubernetes using Consul ingress gateways.
2020-07-15 22:45:20 +00:00
See [Ingress Gateways](/docs/connect/ingress-gateway) for more information on use-cases and how it works.
Adding an ingress gateway is a multi-step process that consists of the following steps:
2021-04-16 19:49:02 +00:00
- Setting the Helm chart configuration
- Deploying the Helm chart
2020-08-18 22:22:29 +00:00
- Configuring the gateway
- Defining an Intention (if ACLs are enabled)
- Deploying your application to Kubernetes
- Connecting to your application
2020-07-15 22:45:20 +00:00
## Setting the helm chart configuration
2020-08-18 22:22:29 +00:00
2021-04-16 19:49:02 +00:00
When deploying the Helm chart you must provide Helm with a custom YAML file that contains your environment configuration.
2020-07-15 22:45:20 +00:00
2021-07-31 01:37:33 +00:00
<CodeBlockConfig filename="config.yaml">
2020-07-15 22:45:20 +00:00
```yaml
global:
name: consul
connectInject:
enabled: true
2021-01-08 22:30:41 +00:00
controller:
enabled: true
2020-07-15 22:45:20 +00:00
ingressGateways:
enabled: true
gateways:
- name: ingress-gateway
service:
2020-07-15 23:24:55 +00:00
type: LoadBalancer
2020-07-15 22:45:20 +00:00
```
2020-08-18 22:22:29 +00:00
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2021-01-08 22:30:41 +00:00
~> **Note:** this will create a public unauthenticated LoadBalancer in your cluster, please take appropriate security considerations.
2020-07-15 22:45:20 +00:00
2021-04-16 19:49:02 +00:00
The YAML snippet is the launching point for a valid configuration that must be supplied when installing using the [official consul-helm chart](https://hub.helm.sh/charts/hashicorp/consul).
Information on additional options can be found in the [Helm reference](/docs/k8s/helm).
Configuration options for ingress gateways reside under the [ingressGateways](/docs/k8s/helm#v-ingressgateways) entry.
2020-07-15 22:45:20 +00:00
The gateways stanza is where you will define and configure the set of ingress gateways you want deployed to your environment.
The only required field for each entry is `name`, though entries may contain any of the fields found in the `defaults` stanza.
Values in this section override the values from the defaults stanza for the given ingress gateway with one exception:
2020-08-18 22:22:29 +00:00
the annotations from the defaults stanza will be _appended_ to any user-defined annotations defined in the gateways stanza rather than being overridden.
2020-07-15 22:45:20 +00:00
Please refer to the ingress gateway configuration [documentation](/docs/k8s/helm#v-ingressgateways-defaults) for a detailed explanation of each option.
2021-04-16 19:49:02 +00:00
## Deploying the Helm chart
2020-07-15 22:45:20 +00:00
Ensure you have the latest consul-helm chart and install Consul via helm using the following
2020-09-14 17:37:35 +00:00
[guide](/docs/k8s/installation/install#installing-consul) while being sure to provide the yaml configuration
2020-07-15 22:45:20 +00:00
as previously discussed.
## Configuring the gateway
2021-04-16 19:49:02 +00:00
Now that Consul has been installed with ingress gateways enabled,
you can configure the gateways via the [`IngressGateway`](/docs/connect/config-entries/ingress-gateway) custom resource.
2020-07-15 22:45:20 +00:00
2021-01-08 22:30:41 +00:00
Here is an example `IngressGateway` resource:
2020-07-15 22:45:20 +00:00
2021-07-31 01:37:33 +00:00
<CodeBlockConfig filename="ingress-gateway.yaml">
2021-01-08 22:30:41 +00:00
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
name: ingress-gateway
spec:
listeners:
- port: 8080
protocol: http
services:
- name: static-server
```
2021-08-27 00:58:59 +00:00
</CodeBlockConfig>
2021-08-04 23:25:36 +00:00
~> **Note:** The 'name' field for the IngressGateway resource must match the name
specified when creating the gateway in the Helm chart. In the above example, the
2021-08-17 23:32:35 +00:00
name "ingress-gateway" is the [default name](/docs/k8s/helm#v-ingressgateways-gateways-name)
2021-08-04 23:25:36 +00:00
used by the Helm chart when enabling ingress gateways.
2020-07-15 22:45:20 +00:00
2021-01-08 22:30:41 +00:00
Apply the `IngressGateway` resource with `kubectl apply`:
2020-07-15 22:45:20 +00:00
```shell-session
2021-01-08 22:30:41 +00:00
$ kubectl apply -f ingress-gateway.yaml
ingressgateway.consul.hashicorp.com/ingress-gateway created
2020-07-15 22:45:20 +00:00
```
2020-08-18 22:22:29 +00:00
2021-01-08 22:30:41 +00:00
Since we're using `protocol: http`, we also need to set the protocol of our service
`static-server` to http. To do that, we create a [`ServiceDefaults`](/docs/connect/config-entries/service-defaults) custom resource:
2020-07-15 22:45:20 +00:00
2021-07-31 01:37:33 +00:00
<CodeBlockConfig filename="service-defaults.yaml">
2021-01-08 22:30:41 +00:00
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
name: static-server
spec:
protocol: http
```
2020-07-15 22:45:20 +00:00
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2021-01-08 22:30:41 +00:00
Apply the `ServiceDefaults` resource with `kubectl apply`:
2020-08-18 22:22:29 +00:00
2020-07-15 22:45:20 +00:00
```shell-session
2021-01-08 22:30:41 +00:00
$ kubectl apply -f service-defaults.yaml
servicedefaults.consul.hashicorp.com/static-server created
2020-07-15 22:45:20 +00:00
```
2021-01-08 22:30:41 +00:00
Ensure both resources have synced to Consul successfully:
2020-08-18 22:22:29 +00:00
2020-07-15 22:45:20 +00:00
```shell-session
2021-01-08 22:30:41 +00:00
$ kubectl get servicedefaults
NAME SYNCED AGE
static-server True 45s
2020-07-15 22:45:20 +00:00
2021-01-08 22:30:41 +00:00
$ kubectl get ingressgateway
NAME SYNCED AGE
ingress-gateway True 13m
2020-07-15 22:45:20 +00:00
```
2021-01-08 22:30:41 +00:00
### Viewing the UI
2020-07-15 22:45:20 +00:00
You can confirm the ingress gateways have been configured as expected by viewing the ingress-gateway service instances
2021-01-08 22:30:41 +00:00
in the Consul UI.
To view the UI, use the `kubectl port-forward` command. See [Viewing The Consul UI](/docs/k8s/installation/install#viewing-the-consul-ui)
for full instructions.
Once you've port-forwarded to the UI, navigate to the Ingress Gateway instances: [http://localhost:8500/ui/dc1/services/ingress-gateway/instances](http://localhost:8500/ui/dc1/services/ingress-gateway/instances)
2020-07-15 22:45:20 +00:00
2021-01-08 22:30:41 +00:00
If TLS is enabled, use [https://localhost:8501/ui/dc1/services/ingress-gateway/instances](https://localhost:8501/ui/dc1/services/ingress-gateway/instances).
2020-07-15 22:45:20 +00:00
## Defining an Intention
2021-01-08 22:30:41 +00:00
If ACLs are enabled (via the `global.acls.manageSystemACLs` setting), you must define an [intention](/docs/connect/intentions)
to allow the ingress gateway to route to the upstream services defined in the `IngressGateway` resource (in the example above the upstream service is `static-server`).
2020-07-15 22:45:20 +00:00
2021-01-08 22:30:41 +00:00
To create an intention that allows the ingress gateway to route to the service `static-server`, create a [`ServiceIntentions`](/docs/connect/config-entries/service-intentions)
resource:
2021-07-31 01:37:33 +00:00
<CodeBlockConfig filename="service-intentions.yaml">
2021-01-08 22:30:41 +00:00
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
name: static-server
spec:
destination:
name: static-server
sources:
- name: ingress-gateway
action: allow
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2021-01-08 22:30:41 +00:00
Apply the `ServiceIntentions` resource with `kubectl apply`:
2020-08-18 22:22:29 +00:00
2020-07-15 22:45:20 +00:00
```shell-session
2021-01-08 22:30:41 +00:00
$ kubectl apply -f service-intentions.yaml
serviceintentions.consul.hashicorp.com/ingress-gateway created
2020-07-15 22:45:20 +00:00
```
2020-08-13 21:02:44 +00:00
For detailed instructions on how to configure zero-trust networking with intentions please refer to this [guide](https://learn.hashicorp.com/tutorials/consul/service-mesh-zero-trust-network).
2020-07-15 22:45:20 +00:00
## Deploying your application to Kubernetes
2020-08-18 22:22:29 +00:00
2020-07-15 22:45:20 +00:00
Now you will deploy a sample application which echoes “hello world”
2021-07-31 01:37:33 +00:00
<CodeBlockConfig filename="static-server.yaml">
2020-07-15 22:45:20 +00:00
```yaml
apiVersion: v1
2021-04-16 19:49:02 +00:00
kind: Service
2020-07-15 22:45:20 +00:00
metadata:
name: static-server
2021-04-16 19:49:02 +00:00
spec:
selector:
app: static-server
ports:
- protocol: TCP
port: 80
targetPort: 8080
2020-07-15 22:45:20 +00:00
---
apiVersion: v1
2021-04-16 19:49:02 +00:00
kind: ServiceAccount
metadata:
name: static-server
---
apiVersion: apps/v1
kind: Deployment
2020-07-15 22:45:20 +00:00
metadata:
name: static-server
spec:
2021-04-16 19:49:02 +00:00
replicas: 1
selector:
matchLabels:
app: static-server
template:
metadata:
name: static-server
labels:
app: static-server
annotations:
'consul.hashicorp.com/connect-inject': 'true'
spec:
containers:
- name: static-server
image: hashicorp/http-echo:latest
args:
- -text="hello world"
- -listen=:8080
ports:
- containerPort: 8080
name: http
serviceAccountName: static-server
2020-07-15 22:45:20 +00:00
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2020-07-15 22:45:20 +00:00
```shell-session
$ kubectl apply -f static-server.yaml
```
## Connecting to your application
You can validate the service is running and registered in the Consul UI by navigating to
[http://localhost:8500/ui/dc1/services/static-server/instances](http://localhost:8500/ui/dc1/services/static-server/instances)
2020-07-15 23:24:55 +00:00
If TLS is enabled, use: [https://localhost:8501/ui/dc1/services/static-server/instances](https://localhost:8501/ui/dc1/services/static-server/instances)
2020-07-15 22:45:20 +00:00
You can also validate the connectivity of the application from the ingress gateway using `curl`:
```shell-session
$ EXTERNAL_IP=$(kubectl get services | grep ingress-gateway | awk ‘ {print $4}’ )
2021-01-08 22:30:41 +00:00
$ echo "Connecting to \"$EXTERNAL_IP\""
$ curl -H "Host: static-server.ingress.consul" "http://$EXTERNAL_IP:8080"
"hello world"
2020-07-15 22:45:20 +00:00
```
~> **Security Warning:** Please be sure to delete the application and services created here as they represent a security risk through
leaving an open and unauthenticated load balancer alive in your cluster.
2021-07-31 01:37:33 +00:00
To delete the ingress gateway, set enabled to `false` in your Helm configuration:
<CodeBlockConfig filename="config.yaml" highlight="8">
2020-07-15 22:45:20 +00:00
```yaml
global:
name: consul
connectInject:
enabled: true
2021-01-08 22:30:41 +00:00
controller:
enabled: true
2020-07-15 22:45:20 +00:00
ingressGateways:
enabled: false # Set to false
gateways:
- name: ingress-gateway
service:
2020-08-18 22:22:29 +00:00
type: LoadBalancer
2020-07-15 22:45:20 +00:00
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2020-07-15 22:45:20 +00:00
And run Helm upgrade:
```shell-session
$ helm upgrade consul hashicorp/consul -f config.yaml
```