Terminating Gateways

pull/15384/head
boruszak 2022-11-14 16:21:43 -06:00
parent a796b1b28d
commit 311bab5546
1 changed files with 12 additions and 10 deletions

@ -9,18 +9,18 @@ description: >-
Adding a terminating gateway is a multi-step process: Adding a terminating gateway is a multi-step process:
- Update the Helm chart with terminating gateway config options - Update the Helm chart with terminating gateway configuration options
- Deploy the Helm chart - Deploy the Helm chart
- Access the Consul agent - Access the Consul agent
- Register external services with Consul - Register external services with Consul
## Requirements ## Requirements
- [Consul](https://www.consul.io/docs/install#install-consul) - [Consul](/docs/install#install-consul)
- [Consul on Kubernetes CLI](/docs/k8s/k8s-cli) - [Consul on Kubernetes CLI](/docs/k8s/k8s-cli)
- Familiarity with [Terminating Gateways](/docs/connect/gateways/terminating-gateway) - Familiarity with [Terminating Gateways](/docs/connect/gateways/terminating-gateway)
## Update the Helm chart with terminating gateway config options ## Update the Helm chart with terminating gateway configuration options
Minimum required Helm options: Minimum required Helm options:
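Review bot: Renaming the heading to "## Update the Helm chart with terminating gateway configuration options" will most likely change the anchor generated from it, so any link that still targets the old "...terminating-gateway-config-options" fragment would stop resolving. Please search the docs for inbound links to this section, or confirm there are none. The move to the relative `/docs/install#install-consul` link matches the other two entries under Requirements.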
@ -31,8 +31,6 @@ global:
name: consul name: consul
connectInject: connectInject:
enabled: true enabled: true
controller:
enabled: true
terminatingGateways: terminatingGateways:
enabled: true enabled: true
``` ```
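Review bot: Removing `controller:` / `enabled: true` from the minimum Helm values is not explained anywhere in the commit message, and later on this page readers run `kubectl apply --filename service-defaults.yaml`, which depends on something in the cluster reconciling the `ServiceDefaults` resource into Consul. Please confirm that step still works with only `connectInject` and `terminatingGateways` enabled, and say in the commit message or on the page which chart versions no longer need the setting, since the page also addresses "Consul Helm chart 0.43 or older".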
@ -49,9 +47,10 @@ $ consul-k8s install -f values.yaml
## Accessing the Consul agent ## Accessing the Consul agent
You can access the Consul server directly from your host via `kubectl port-forward`. This is helpful for interacting with your Consul UI locally as well as for validating the connectivity of the application. You can access the Consul server directly from your host by running `kubectl port-forward`. This is helpful for interacting with your Consul UI locally as well as for validating the connectivity of the application.
<Tabs> <Tabs>
<Tab heading="Without TLS"> <Tab heading="Without TLS">
```shell-session ```shell-session
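Review bot: The reworded sentence still says "You can access the Consul server directly" under the heading "## Accessing the Consul agent", and the step list at the top of the page calls the same step "Access the Consul agent". Pick one term and one verb form and use it in all three places so readers know whether the port-forward targets a server or an agent. "This is helpful for ..." could also name its subject, for example "Port forwarding is helpful for ...".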
@ -62,6 +61,7 @@ $ kubectl port-forward consul-server-0 8500 &
$ export CONSUL_HTTP_ADDR=http://localhost:8500 $ export CONSUL_HTTP_ADDR=http://localhost:8500
``` ```
</Tab> </Tab>
<Tab heading="With TLS"> <Tab heading="With TLS">
If TLS is enabled use port 8501: If TLS is enabled use port 8501:
@ -75,6 +75,7 @@ $ export CONSUL_HTTP_ADDR=https://localhost:8501
$ export CONSUL_HTTP_SSL_VERIFY=false $ export CONSUL_HTTP_SSL_VERIFY=false
``` ```
</Tab> </Tab>
</Tabs> </Tabs>
If ACLs are enabled also set: If ACLs are enabled also set:
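Review bot: The "With TLS" tab still tells readers to `export CONSUL_HTTP_SSL_VERIFY=false` with no explanation, which turns off certificate verification for every Consul CLI call made from that shell, including calls made after the ACL settings that follow. Since the change already touches this tab, add a sentence that limits the setting to local validation over the port-forward and points to trusting the Consul CA instead (for example through `CONSUL_CACERT`). Minor: "If ACLs are enabled also set:" reads better with a comma after "enabled".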
@ -149,11 +150,12 @@ $ kubectl apply --filename service-defaults.yaml
All other terminating gateway operations can use the name of the `ServiceDefaults` component, in this case "example-https", as a Consul service name. All other terminating gateway operations can use the name of the `ServiceDefaults` component, in this case "example-https", as a Consul service name.
</Tab> </Tab>
<Tab heading="Using Consul catalog"> <Tab heading="Using Consul catalog">
Normally, Consul services are registered with the Consul client on the node that Normally, Consul services are registered on the node that
they're running on. Since this is an external service, there is no Consul node they're running on. Since this service is an external service, there is no Consul node
to register it onto. Instead, we will make up a node name and register the to register it onto. Instead, we must make up a node name and register the
service to that node. service to that node.
Create a sample external service and register it with Consul. Create a sample external service and register it with Consul.
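Review bot: In the new wording "Since this service is an external service, there is no Consul node to register it onto", the word "service" is repeated and "register it onto" is awkward; consider "Because this is an external service, there is no Consul node to register it on." Also note that dropping "with the Consul client" changes the first sentence from stating what services register with to stating only where they register; if that is intentional, fine, otherwise keep the original phrase.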
@ -275,7 +277,7 @@ spec:
If TLS is enabled for external services registered through the Consul catalog and you are not using [transparent proxy `destination`](#register-an-external-service-as-a-destination), you must include the [`caFile`](/docs/connect/config-entries/terminating-gateway#cafile) parameter that points to the system trust store of the terminating gateway container. If TLS is enabled for external services registered through the Consul catalog and you are not using [transparent proxy `destination`](#register-an-external-service-as-a-destination), you must include the [`caFile`](/docs/connect/config-entries/terminating-gateway#cafile) parameter that points to the system trust store of the terminating gateway container.
By default, the trust store is located in the `/etc/ssl/certs/ca-certificates.crt` directory. By default, the trust store is located in the `/etc/ssl/certs/ca-certificates.crt` directory.
Configure the [`caFile`](https://www.consul.io/docs/connect/config-entries/terminating-gateway#cafile) parameter in the `TerminatingGateway` config entry to point to the `/etc/ssl/cert.pem` directory if TLS is enabled and you are using one of the following components: Configure the [`caFile`](/docs/connect/config-entries/terminating-gateway#cafile) parameter in the `TerminatingGateway` config entry to point to the `/etc/ssl/cert.pem` directory if TLS is enabled and you are using one of the following components:
- Consul Helm chart 0.43 or older - Consul Helm chart 0.43 or older
- An Envoy image with an alpine base image - An Envoy image with an alpine base image
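Review bot: Both context sentences in this hunk call a file a directory: "located in the `/etc/ssl/certs/ca-certificates.crt` directory" and "point to the `/etc/ssl/cert.pem` directory". `caFile` takes a path to a CA bundle file, and a reader who treats these as directories may mount or point at the wrong path and end up with upstream TLS verification failing at the gateway. Since the second sentence is already being edited for the link, change "directory" to "file" in both.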