consul/website/content/docs/k8s/connect/terminating-gateways.mdx

394 lines
12 KiB
Plaintext
Raw Normal View History

---
layout: docs
page_title: Terminating Gateways - Kubernetes
description: Configuring Terminating Gateways on Kubernetes
---
# Terminating Gateways on Kubernetes
Adding a terminating gateway is a multi-step process:
- Update the Helm chart with terminating gateway config options
- Deploy the Helm chart
- Access the Consul agent
2020-08-18 22:22:29 +00:00
- Register external services with Consul
2022-08-25 17:02:55 +00:00
## Requirements
- [Consul]()
- [Consul on Kubernetes CLI]()
- Familiarity with [Terminating Gateways](/docs/connect/gateways/terminating-gateway)
## Update the helm chart with terminating gateway config options
Minimum required Helm options:
<CodeBlockConfig filename="config.yaml">
```yaml
global:
name: consul
connectInject:
enabled: true
controller:
enabled: true
terminatingGateways:
enabled: true
```
</CodeBlockConfig>
## Deploying the Helm chart
2022-08-25 16:49:54 +00:00
The Helm chart may be deployed using the [Consul on Kubernetes CLI](/docs/k8s/k8s-cli).
```shell-session
2022-08-25 17:02:55 +00:00
$ consul-k8s install -f config.yaml
2022-08-25 16:49:54 +00:00
```
## Accessing the Consul agent
2022-08-25 17:02:55 +00:00
You can access the Consul server directly from your host via `kubectl port-forward`. This is helpful for interacting with your Consul UI locally as well as for validating the connectivity of the application.
<Tabs>
<Tab heading="Without TLS">
```shell-session
$ kubectl port-forward consul-server-0 8500 &
```
2020-08-18 22:22:29 +00:00
```shell-session
2022-08-25 17:02:55 +00:00
$ export CONSUL_HTTP_ADDR=http://localhost:8500
```
2022-08-25 17:02:55 +00:00
</Tab>
<Tab heading="With TLS">
2022-08-25 17:02:55 +00:00
If TLS is enabled use port 8501:
```shell-session
2022-08-25 17:02:55 +00:00
$ kubectl port-forward consul-server-0 8501 &
```
2020-08-18 22:22:29 +00:00
```shell-session
$ export CONSUL_HTTP_ADDR=https://localhost:8501
$ export CONSUL_HTTP_SSL_VERIFY=false
```
2022-08-25 17:02:55 +00:00
</Tab>
</Tabs>
2020-08-18 22:22:29 +00:00
If ACLs are enabled also set:
2020-08-18 22:22:29 +00:00
```shell-session
$ export CONSUL_HTTP_TOKEN=$(kubectl get secret consul-bootstrap-acl-token --template='{{.data.token | base64decode }}')
```
## Register external services with Consul
Registering the external services with Consul is a multi-step process:
2020-08-18 22:22:29 +00:00
- Register external services with Consul
- Update the terminating gateway ACL token if ACLs are enabled
- Create a [`TerminatingGateway`](/docs/connect/config-entries/terminating-gateway) resource to configure the terminating gateway
- Create a [`ServiceIntentions`](/docs/connect/config-entries/service-intentions) resource to allow access from services in the mesh to external service
2020-08-18 22:22:29 +00:00
- Define upstream annotations for any services that need to talk to the external services
### Register external services with Consul
2022-08-02 18:57:58 +00:00
There are two ways to register an external service with Consul:
2022-08-19 20:51:11 +00:00
1. If [`TransparentProxy`](/docs/connect/transparent-proxy) is enabled, the preferred method is to declare external endpoints in the [`destination`](/docs/connect/config-entries/service-defaults#terminating-gateway-destination) field of `ServiceDefaults`.
2022-08-02 18:57:58 +00:00
1. You can add the service as a node in the Consul catalog.
2022-08-19 20:51:11 +00:00
#### Register an external service as a destination
2022-08-02 18:57:58 +00:00
2022-08-19 20:51:11 +00:00
The [`destination`](/docs/connect/config-entries/service-defaults#terminating-gateway-destination) field of the `ServiceDefaults` Custom Resource Definition (CRD) allows clients to dial the external service directly. It is valid only in [`TransparentProxy`](/docs/connect/transparent-proxy)) mode.
The following table describes traffic behaviors when using `destination`s to route traffic through a terminating gateway:
2022-08-02 18:57:58 +00:00
| External Services Layer | Client dials | Client uses TLS | Allowed | Notes |
|---|---|---|---|---|
| L4 | Hostname | Yes | Allowed | `CAFiles` are not allowed because traffic is already end-to-end encrypted by the client. |
| L4 | IP | Yes | Allowed | `CAFiles` are not allowed because traffic is already end-to-end encrypted by the client. |
| L4 | Hostname | No | Not allowed | The sidecar is not protocol aware and can not identify traffic going to the external service. |
| L4 | IP | No | Allowed | There are no limitations on dialing IPs without TLS. |
| L7 | Hostname | Yes | Not allowed | Because traffic is already encrypted before the sidecar, it cannot route as L7 traffic. |
| L7 | IP | Yes | Not allowed | Because traffic is already encrypted before the sidecar, it cannot route as L7 traffic. |
| L7 | Hostname | No | Allowed | A `Host` or `:authority` header is required. |
| L7 | IP | No | Allowed | There are no limitations on dialing IPs without TLS. |
You can provide a `caFile` to secure traffic between unencrypted clients that connect to external services through the terminating gateway.
2022-08-19 20:51:11 +00:00
Refer to [Create the configuration entry for the terminating gateway](#create-the-configuration-entry-for-the-terminating-gateway) for details.
2022-08-02 18:57:58 +00:00
2022-08-19 20:51:11 +00:00
Also note that regardless of the `protocol` specified in the `ServiceDefaults`, [L7 intentions](/docs/connect/config-entries/service-intentions#permissions) are not currently supported with `ServiceDefaults` destinations.
2022-08-02 18:57:58 +00:00
2022-08-19 20:51:11 +00:00
Create a `ServiceDefaults` custom resource for the external service:
<CodeBlockConfig filename="serviceDefaults.yaml">
2022-08-02 18:57:58 +00:00
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
name: example-https
spec:
protocol: tcp
destination:
addresses:
- "example.com"
port: 443
```
</CodeBlockConfig>
Apply the `ServiceDefaults` resource with `kubectl apply`:
```shell-session
2022-08-19 20:51:11 +00:00
$ kubectl apply --filename serviceDefaults.yaml
2022-08-02 18:57:58 +00:00
```
2022-08-19 20:51:11 +00:00
All other terminating gateway operations can use the name of the `ServiceDefaults` in place of a typical Consul service name.
2022-08-02 18:57:58 +00:00
#### Register an external service as a Catalog Node
-> **Note:** Normal Consul services are registered with the Consul client on the node that
they're running on. Since this is an external service, there is no Consul node
to register it onto. Instead, we will make up a node name and register the
service to that node.
Create a sample external service and register it with Consul.
2020-08-18 22:22:29 +00:00
<CodeBlockConfig filename="external.json">
```json
{
"Node": "example_com",
2020-08-18 22:22:29 +00:00
"Address": "example.com",
"NodeMeta": {
"external-node": "true",
"external-probe": "true"
},
"Service": {
"Address": "example.com",
2020-08-18 22:22:29 +00:00
"ID": "example-https",
"Service": "example-https",
"Port": 443
}
}
```
</CodeBlockConfig>
- `"Node": "example_com"` is our made up node name.
- `"Address": "example.com"` is the address of our node. Services registered to that node will use this address if
their own address isn't specified. If you're registering multiple external services, ensure you
use different node names with different addresses or set the `Service.Address` key.
- `"Service": { "Address": "example.com" ... }` is the address of our service. In this example this doesn't need to be set
since the address of the node is the same, but if there were two services registered to that same node
then this should be set.
Register the external service with Consul:
2020-08-18 22:22:29 +00:00
```shell-session
$ curl --request PUT --data @external.json --insecure $CONSUL_HTTP_ADDR/v1/catalog/register
true
```
2020-08-18 22:22:29 +00:00
If ACLs and TLS are enabled :
2020-08-18 22:22:29 +00:00
```shell-session
$ curl --request PUT --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" --data @external.json --insecure $CONSUL_HTTP_ADDR/v1/catalog/register
true
```
### Update terminating gateway ACL role if ACLs are enabled
2020-08-18 22:22:29 +00:00
If ACLs are enabled, update the terminating gateway acl role to have `service: write` permissions on all of the services
being represented by the gateway:
2020-08-18 22:22:29 +00:00
- Create a new policy that includes these permissions
- Update the existing role to include the new policy
<CodeBlockConfig filename="write-policy.hcl">
```hcl
service "example-https" {
policy = "write"
}
```
2020-08-18 22:22:29 +00:00
</CodeBlockConfig>
```shell-session
$ consul acl policy create -name "example-https-write-policy" -rules @write-policy.hcl
ID: xxxxxxxxxxxxxxx
Name: example-https-write-policy
Description:
Datacenters:
Rules:
service "example-https" {
policy = "write"
}
```
2020-08-18 22:22:29 +00:00
Now fetch the ID of the terminating gateway token
2020-08-18 22:22:29 +00:00
```shell-session
consul acl role list | grep -B 6 -- "- RELEASE_NAME-terminating-gateway-policy" | grep ID
ID: <role id>
```
2020-08-18 22:22:29 +00:00
Update the terminating gateway acl token with the new policy
2020-08-18 22:22:29 +00:00
```shell-session
$ consul acl role update -id <role id> -policy-name example-https-write-policy
AccessorID: <role id>
SecretID: <secret id>
Description: RELEASE_NAME-terminating-gateway-acl-role
Local: true
Create Time: 2021-01-08 21:18:47.957450486 +0000 UTC
Policies:
63bf1d9b-a87d-8672-ddcb-d25e2d88adb8 - RELEASE_NAME-terminating-gateway-policy
f63d1ae6-ffe7-44bd-bf7a-704a86939a63 - example-https-write-policy
```
### Create the configuration entry for the terminating gateway
2020-08-18 22:22:29 +00:00
Once the roles have been updated, create the [TerminatingGateway](/docs/connect/config-entries/terminating-gateway)
resource to configure the terminating gateway:
2020-08-18 22:22:29 +00:00
<CodeBlockConfig filename="terminating-gateway.yaml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: TerminatingGateway
metadata:
name: terminating-gateway
spec:
services:
- name: example-https
```
2020-08-18 22:22:29 +00:00
</CodeBlockConfig>
2022-08-19 20:51:11 +00:00
If TLS is enabled for external services registered through the Consul catalog and you are not using [transparent proxy `destination`](#register-an-external-service-as-a-destination), you must include the [`caFile`](/docs/connect/config-entries/terminating-gateway#cafile) parameter that points to the system trust store of the terminating gateway container.
2022-08-02 18:57:58 +00:00
By default, the trust store is located in the `/etc/ssl/certs/ca-certificates.crt` directory.
2022-08-19 20:51:11 +00:00
Configure the [`caFile`](https://www.consul.io/docs/connect/config-entries/terminating-gateway#cafile) parameter in the `TerminatingGateway` config entry to point to the `/etc/ssl/cert.pem` directory if TLS is enabled and you are using one of the following components:
- Consul Helm chart 0.43 or older
- An Envoy image with an alpine base image
For `ServiceDefaults` destinations, refer to [Register an external service as a destination](#register-an-external-service-as-a-destination).
Apply the `TerminatingGateway` resource with `kubectl apply`:
2020-08-18 22:22:29 +00:00
```shell-session
$ kubectl apply --filename terminating-gateway.yaml
```
2022-08-19 20:51:11 +00:00
If using ACLs and TLS, create a [`ServiceIntentions`](/docs/connect/config-entries/service-intentions) resource to allow access from services in the mesh to the external service:
<CodeBlockConfig filename="service-intentions.yaml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
name: example-https
spec:
destination:
name: example-https
sources:
- name: static-client
action: allow
```
</CodeBlockConfig>
2022-08-19 20:51:11 +00:00
-> **NOTE**: [L7 Intentions](/docs/connect/config-entries/service-intentions#permissions) are not currently supported for `ServiceDefaults` destinations.
Apply the `ServiceIntentions` resource with `kubectl apply`:
2020-08-18 22:22:29 +00:00
```shell-session
$ kubectl apply --filename service-intentions.yaml
```
### Define the external services as upstreams for services in the mesh
2020-08-18 22:22:29 +00:00
Finally define and deploy the external services as upstreams for the internal mesh services that wish to talk to them.
An example deployment is provided which will serve as a static client for the terminating gateway service.
<CodeBlockConfig filename="static-client.yaml">
```yaml
apiVersion: v1
kind: Service
metadata:
name: static-client
spec:
selector:
app: static-client
ports:
- port: 80
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: static-client
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: static-client
spec:
replicas: 1
selector:
matchLabels:
app: static-client
template:
metadata:
name: static-client
labels:
app: static-client
annotations:
2020-08-18 22:22:29 +00:00
'consul.hashicorp.com/connect-inject': 'true'
'consul.hashicorp.com/connect-service-upstreams': 'example-https:1234'
spec:
containers:
- name: static-client
image: curlimages/curl:latest
2020-08-18 22:22:29 +00:00
command: ['/bin/sh', '-c', '--']
args: ['while true; do sleep 30; done;']
serviceAccountName: static-client
```
</CodeBlockConfig>
Run the service via `kubectl apply`:
2020-08-18 22:22:29 +00:00
```shell-session
$ kubectl apply --filename static-client.yaml
```
Wait for the service to be ready:
```shell-session
$ kubectl rollout status deploy static-client --watch
deployment "static-client" successfully rolled out
```
You can verify connectivity of the static-client and terminating gateway via a curl command:
2020-08-18 22:22:29 +00:00
2022-08-02 18:57:58 +00:00
<CodeBlockConfig heading="External services registered with the Consul catalog">
```shell-session
$ kubectl exec deploy/static-client -- curl -vvvs --header "Host: example-https.com" http://localhost:1234/
```
2022-08-02 18:57:58 +00:00
</CodeBlockConfig>
2022-08-19 20:51:11 +00:00
<CodeBlockConfig heading="External services registered with `ServiceDefaults` destinations">
2022-08-02 18:57:58 +00:00
```shell-session
$ kubectl exec deploy/static-client -- curl -vvvs https://example.com/
```
</CodeBlockConfig>