03cc81ba18
* Updates docs with ingress Host header changes Clarify that a Host header is required for L7 protocols, and specify that the default is to use the Consul DNS ingress subdomain * Add sentence about using '*' by itself for testing * Add optional step for using L7 routing config * Note that port numbers may need to be added in the Hosts field
181 lines
6.6 KiB
Plaintext
181 lines
6.6 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: 'Configuration Entry Kind: Ingress Gateway'
|
|
sidebar_title: ingress-gateway <sup> Beta </sup>
|
|
description: >-
|
|
The `ingress-gateway` config entry kind allows for configuring Ingress gateways
|
|
with listeners that expose a set of services outside the Consul service mesh.
|
|
---
|
|
|
|
# Ingress Gateway <sup> Beta </sup>
|
|
|
|
-> **1.8.0+:** This config entry is available in Consul versions 1.8.0 and newer.
|
|
|
|
The `ingress-gateway` config entry kind allows you to configure ingress gateways
|
|
with listeners that expose a set of services outside the Consul service mesh.
|
|
See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
|
|
|
|
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
|
|
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
|
|
sets of services within their datacenter then the ingress gateways **must** be registered with different names.
|
|
|
|
See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
|
|
|
|
## Wildcard service specification
|
|
|
|
Ingress gateways can optionally target all services within a Consul namespace by
|
|
specifying a wildcard `*` as the service name. A wildcard specifier allows
|
|
for a single listener to route traffic to all available services on the
|
|
Consul service mesh, differentiating between the services by their host/authority
|
|
header.
|
|
|
|
A wildcard specifier provides the following properties for an ingress
|
|
gateway:
|
|
- All services with the same
|
|
[protocol](/docs/agent/config-entries/ingress-gateway#protocol) as the
|
|
listener will be routable.
|
|
- The ingress gateway will route traffic based on the host/authority header,
|
|
expecting a value matching `<service-name>.ingress.*`, or if using namespaces,
|
|
`<service-name>.ingress.<namespace>.*`. This matches the [Consul DNS
|
|
ingress subdomain](/docs/agent/dns#ingress-service-lookups).
|
|
|
|
A wildcard specifier cannot be set on a listener of protocol `tcp`.
|
|
|
|
## Sample Config Entries
|
|
|
|
Set up a TCP listener for a single service:
|
|
|
|
```hcl
|
|
Kind = "ingress-gateway"
|
|
Name = "ingress-service"
|
|
|
|
Listeners = [
|
|
{
|
|
Port = 3456
|
|
Protocol = "tcp"
|
|
Services = [
|
|
{
|
|
Name = "db"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
```
|
|
|
|
Set up a wildcard HTTP listener to proxy traffic to all available services,
|
|
make two services available over a custom port with user-provided hosts, and
|
|
enable TLS on every listener:
|
|
|
|
```hcl
|
|
Kind = "ingress-gateway"
|
|
Name = "ingress-service"
|
|
|
|
TLS {
|
|
Enabled = true
|
|
}
|
|
|
|
Listeners = [
|
|
{
|
|
Port = 8080
|
|
Protocol = "http"
|
|
Services = [
|
|
{
|
|
Name = "*"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
Port = 4567
|
|
Protocol = "http"
|
|
Services = [
|
|
{
|
|
Name = "api"
|
|
Hosts = ["foo.example.com"]
|
|
},
|
|
{
|
|
Name = "web"
|
|
Hosts = ["website.example.com"]
|
|
}
|
|
]
|
|
}
|
|
]
|
|
```
|
|
|
|
## Available Fields
|
|
|
|
- `Kind` - Must be set to `ingress-gateway`
|
|
|
|
- `Name` `(string: <required>)` - Set to the name of the gateway being configured.
|
|
|
|
- `Namespace` `(string: "default")` - <EnterpriseAlert inline /> Specifies
|
|
the namespace the config entry will apply to. This must be the namespace
|
|
the gateway is registered in. If omitted, the namespace will be inherited
|
|
from [the request](/api/config#ns) or will default to the `default` namespace.
|
|
|
|
- `TLS` `(TLSConfig: <optional>)` - TLS configuration for this gateway.
|
|
|
|
- `Enabled` `(bool: false)` - Set this configuration to enable TLS for
|
|
every listener on the gateway.
|
|
|
|
If TLS is enabled, then each host defined in the `Host` field will be added
|
|
as a DNSSAN to the gateway's x509 certificate.
|
|
|
|
- `Listeners` `(array<IngressListener>: <optional>)` - A list of listeners that
|
|
the ingress gateway should setup, uniquely identified by their port number.
|
|
|
|
- `Port` `(int: 0)` - The port that the listener should receive traffic on.
|
|
|
|
- `Protocol` `(string: "tcp")` - The protocol associated with the listener.
|
|
This can be any protocol supported by
|
|
[service-defaults](/docs/agent/config-entries/service-defaults#protocol).
|
|
|
|
- `Services` `(array<IngressService>: <optional>)` - A list of services to be
|
|
exposed via this listener. For "tcp" listeners, only a single service is
|
|
allowed.
|
|
|
|
- `Name` `(string: "")` - The name of the service that should be exposed
|
|
through this listener. This can be either a service registered in the
|
|
catalog, or a service defined only by [other config
|
|
entries](/docs/connect/l7-traffic-management). If the wildcard specifier,
|
|
`*`, is provided, then ALL services will be exposed through the listener.
|
|
This is not supported for listener's with protocol "tcp".
|
|
|
|
- `Namespace` `(string: "")` - <EnterpriseAlert inline /> The namespace to resolve the service from
|
|
instead of the current namespace. If empty the current namespace is
|
|
assumed.
|
|
|
|
- `Hosts` `(array<string>: <optional>)` - A list of hosts that specify what
|
|
requests will match this service. This cannot be used with a `tcp`
|
|
listener, and cannot be specified alongside a `*` service name. If not
|
|
specified, the default domain `<service-name>.ingress.*` will be used to
|
|
match services. Requests **must** send the correct host to be routed to
|
|
the defined service.
|
|
|
|
The wildcard specifier, `*`, can be used by itself to match all traffic
|
|
coming to the ingress gateway, if TLS is not enabled. This allows a user
|
|
to route all traffic to a single service without specifying a host,
|
|
allowing simpler tests and demos. Otherwise, the wildcard specifier can
|
|
be used as part of the host to match multiple hosts, but only in the
|
|
leftmost DNS label. This ensures that all defined hosts are valid DNS
|
|
records. For example, `*.example.com` is valid, while `example.*` and
|
|
`*-suffix.example.com` are not.
|
|
|
|
~> **Note:** If a well-known port is not used, i.e. a port other than 80
|
|
(http) or 443 (https), then the port must be appended to the host to
|
|
correctly match traffic. This is defined in the [HTTP/1.1
|
|
RFC](https://tools.ietf.org/html/rfc2616#section-14.23). If TLS is
|
|
enabled, then the host **without** the port must be added to the `Hosts`
|
|
field as well. TLS verification only matches against the hostname of the
|
|
incoming connection, and thus does not take into account the port.
|
|
|
|
## ACLs
|
|
|
|
Configuration entries may be protected by
|
|
[ACLs](https://learn.hashicorp.com/consul/security-networking/production-acls).
|
|
|
|
Reading an `ingress-gateway` config entry requires `service:read` on the `Name`
|
|
field of the config entry.
|
|
|
|
Creating, updating, or deleting an `ingress-gateway` config entry requires
|
|
`operator:write`.
|