diff --git a/website/pages/docs/agent/config-entries/ingress-gateway.mdx b/website/pages/docs/agent/config-entries/ingress-gateway.mdx
index c9ecbd8bd9..b55d2ac6ca 100644
--- a/website/pages/docs/agent/config-entries/ingress-gateway.mdx
+++ b/website/pages/docs/agent/config-entries/ingress-gateway.mdx
@@ -43,11 +43,14 @@ description: >-
## Sample Config Entries
-Set up a TCP listener for a single service:
+
+
+
+Set up a TCP listener on an ingress gateway named "us-east-ingress" to proxy traffic to the "db" service:
```hcl
Kind = "ingress-gateway"
-Name = "ingress-service"
+Name = "us-east-ingress"
Listeners = [
{
@@ -62,13 +65,92 @@ Listeners = [
]
```
-Set up a wildcard HTTP listener to proxy traffic to all available services,
-make two services available over a custom port with user-provided hosts, and
-enable TLS on every listener:
+
+
+
+Set up a TCP listener on an ingress gateway named "us-east-ingress" in the default namespace
+to proxy traffic to the "db" service in the ops namespace:
```hcl
Kind = "ingress-gateway"
-Name = "ingress-service"
+Name = "us-east-ingress"
+Namespace = "default"
+
+Listeners = [
+ {
+ Port = 3456
+ Protocol = "tcp"
+ Services = [
+ {
+ Namespace = "ops"
+ Name = "db"
+ }
+ ]
+ }
+]
+```
+
+
+
+
+Set up a TCP listener on an ingress gateway named "us-east-ingress" to proxy traffic to the "db" service:
+
+```json
+{
+ "Kind": "ingress-gateway",
+ "Name": "us-east-ingress",
+ "Listeners": [
+ {
+ "Port": 3456,
+ "Protocol": "tcp",
+ "Services": [
+ {
+ "Name": "db"
+ }
+ ]
+ }
+ ]
+}
+```
+
+
+
+
+Set up a TCP listener on an ingress gateway named "us-east-ingress" in the default namespace
+to proxy traffic to the "db" service in the ops namespace:
+
+```json
+{
+ "Kind": "ingress-gateway",
+ "Name": "us-east-ingress",
+ "Namespace": "default",
+ "Listeners": [
+ {
+ "Port": 3456,
+ "Protocol": "tcp",
+ "Services": [
+ {
+ "Namespace": "ops",
+ "Name": "db"
+ }
+ ]
+ }
+ ]
+}
+```
+
+
+
+
+
+
+
+Set up a wildcard HTTP listener on an ingress gateway named "us-east-ingress" to proxy traffic to all services in the datacenter.
+Also make two services available over a custom port with user-provided hosts, and enable TLS on every listener:
+
+```hcl
+Kind = "ingress-gateway"
+Name = "us-east-ingress"
TLS {
Enabled = true
@@ -101,6 +183,140 @@ Listeners = [
]
```
+
+
+
+Set up a wildcard HTTP listener on an ingress gateway named "us-east-ingress" to proxy traffic to all services in the frontend namespace.
+Also make two services in the frontend namespace available over a custom port with user-provided hosts, and enable TLS on every listener:
+
+```hcl
+Kind = "ingress-gateway"
+Name = "us-east-ingress"
+Namespace = "default"
+
+TLS {
+ Enabled = true
+}
+
+Listeners = [
+ {
+ Port = 8080
+ Protocol = "http"
+ Services = [
+ {
+ Namespace = "frontend"
+ Name = "*"
+ }
+ ]
+ },
+ {
+ Port = 4567
+ Protocol = "http"
+ Services = [
+ {
+ Namespace = "frontend"
+ Name = "api"
+ Hosts = ["foo.example.com", "foo.example.com:4567"]
+ },
+ {
+ Namespace = "frontend"
+ Name = "web"
+ Hosts = ["website.example.com", "website.example.com:4567"]
+ }
+ ]
+ }
+]
+```
+
+
+
+
+Set up a wildcard HTTP listener on an ingress gateway named "us-east-ingress" to proxy traffic to all services in the datacenter.
+Also make two services available over a custom port with user-provided hosts, and enable TLS on every listener:
+
+```json
+{
+ "Kind": "ingress-gateway",
+ "Name": "us-east-ingress",
+ "TLS": {
+ "Enabled": true
+ },
+ "Listeners": [
+ {
+ "Port": 8080,
+ "Protocol": "http",
+ "Services": [
+ {
+ "Name": "*"
+ }
+ ]
+ },
+ {
+ "Port": 4567,
+ "Protocol": "http",
+ "Services": [
+ {
+ "Name": "api",
+ "Hosts": ["foo.example.com", "foo.example.com:4567"]
+ },
+ {
+ "Name": "web",
+ "Hosts": ["website.example.com", "website.example.com:4567"]
+ }
+ ]
+ }
+ ]
+}
+```
+
+
+
+
+Set up a wildcard HTTP listener on an ingress gateway named "us-east-ingress" to proxy traffic to all services in the frontend namespace.
+Also make two services in the frontend namespace available over a custom port with user-provided hosts, and enable TLS on every listener:
+
+```json
+{
+ "Kind": "ingress-gateway",
+ "Name": "us-east-ingress",
+ "Namespace": "default",
+ "TLS": {
+ "Enabled": true
+ },
+ "Listeners": [
+ {
+ "Port": 8080,
+ "Protocol": "http",
+ "Services": [
+ {
+ "Namespace": "frontend",
+ "Name": "*"
+ }
+ ]
+ },
+ {
+ "Port": 4567,
+ "Protocol": "http",
+ "Services": [
+ {
+ "Namespace": "frontend",
+ "Name": "api",
+ "Hosts": ["foo.example.com", "foo.example.com:4567"]
+ },
+ {
+ "Namespace": "frontend",
+ "Name": "web",
+ "Hosts": ["website.example.com", "website.example.com:4567"]
+ }
+ ]
+ }
+ ]
+}
+```
+
+
+
+
## Available Fields
- `Kind` - Must be set to `ingress-gateway`
diff --git a/website/pages/docs/agent/config-entries/terminating-gateway.mdx b/website/pages/docs/agent/config-entries/terminating-gateway.mdx
index 523da96814..77c02c0888 100644
--- a/website/pages/docs/agent/config-entries/terminating-gateway.mdx
+++ b/website/pages/docs/agent/config-entries/terminating-gateway.mdx
@@ -17,8 +17,8 @@ description: >-
and will apply to all instances of the gateway with that name.
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
- across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
- sets of services within their datacenter then the ingress gateways **must** be registered with different names.
+ across all federated Consul datacenters. If terminating gateways in different Consul datacenters need to route to different
+ sets of services within their datacenter then the terminating gateways **must** be registered with different names.
See [Terminating Gateway](/docs/connect/terminating-gateway) for more information.
@@ -43,11 +43,15 @@ description: >-
## Sample Config Entries
-Link gateway "us-west-gateway" with the billing service:
+
+
+
+Link gateway named "us-west-gateway" with the billing service:
```hcl
Kind = "terminating-gateway"
Name = "us-west-gateway"
+
Services = [
{
Name = "billing"
@@ -55,27 +59,176 @@ Services = [
]
```
-Link gateway "us-west-gateway" with the api service and specify a CA file for one-way TLS authentication:
+
+
+
+Link gateway named "us-west-gateway" in the default namespace with the billing service in the finance namespace:
```hcl
Kind = "terminating-gateway"
Name = "us-west-gateway"
+Namespace = "default"
+
Services = [
{
- Name = "api"
+ Namespace = "finance"
+ Name = "billing"
+ }
+]
+```
+
+
+
+
+Link gateway named "us-west-gateway" with the billing service:
+
+```json
+{
+ "Kind": "terminating-gateway",
+ "Name": "us-west-gateway",
+ "Services": [
+ {
+ "Name": "billing"
+ }
+ ]
+}
+```
+
+
+
+
+Link gateway named "us-west-gateway" in the default namespace with the billing service in the finance namespace:
+
+```json
+{
+ "Kind": "terminating-gateway",
+ "Name": "us-west-gateway",
+ "Namespace": "default",
+ "Services": [
+ {
+ "Namespace": "finance",
+ "Name": "billing"
+ }
+ ]
+}
+```
+
+
+
+
+
+
+
+Link gateway named "us-west-gateway" with the billing service and specify a CA file for one-way TLS authentication:
+
+```hcl
+Kind = "terminating-gateway"
+Name = "us-west-gateway"
+
+Services = [
+ {
+ Name = "billing"
+ CAFile = "/etc/certs/ca-chain.cert.pem"
+ }
+]
+```
+
+
+
+
+Link gateway named "us-west-gateway" in the default namespace with the billing service in the finance namespace,
+and specify a CA file for one-way TLS authentication:
+
+```hcl
+Kind = "terminating-gateway"
+Name = "us-west-gateway"
+Namespace = "default"
+
+Services = [
+ {
+ Namespace = "finance"
+ Name = "billing"
CAFile = "/etc/certs/ca-chain.cert.pem"
}
]
```
-Link gateway "us-west-gateway" with the payments service and specify a CA file, key file, and cert file for mutual TLS authentication:
+
+
+
+Link gateway named "us-west-gateway" with the billing service and specify a CA file for one-way TLS authentication:
+
+```json
+{
+ "Kind": "terminating-gateway",
+ "Name": "us-west-gateway",
+ "Services": [
+ {
+ "Name": "billing",
+ "CAFile": "/etc/certs/ca-chain.cert.pem"
+ }
+ ]
+}
+```
+
+
+
+
+Link gateway named "us-west-gateway" in the default namespace with the billing service in the finance namespace,
+and specify a CA file for one-way TLS authentication:
+
+```json
+{
+ "Kind": "terminating-gateway",
+ "Name": "us-west-gateway",
+ "Namespace": "default",
+ "Services": [
+ {
+ "Namespace": "finance",
+ "Name": "billing",
+ "CAFile": "/etc/certs/ca-chain.cert.pem"
+ }
+ ]
+}
+```
+
+
+
+
+
+
+
+Link gateway named "us-west-gateway" with the payments service and specify a CA file, key file, and cert file for mutual TLS authentication:
```hcl
Kind = "terminating-gateway"
Name = "us-west-gateway"
+
Services = [
{
- Name = "payments"
+ Name = "billing"
+ CAFile = "/etc/certs/ca-chain.cert.pem"
+ KeyFile = "/etc/certs/gateway.key.pem"
+ CertFile = "/etc/certs/gateway.cert.pem"
+ }
+]
+```
+
+
+
+
+Link gateway named "us-west-gateway" in the default namespace with the payments service in the finance namespace.
+Also specify a CA file, key file, and cert file for mutual TLS authentication:
+
+```hcl
+Kind = "terminating-gateway"
+Name = "us-west-gateway"
+Namespace = "default"
+
+Services = [
+ {
+ Namespace = "finance"
+ Name = "billing"
CAFile = "/etc/certs/ca-chain.cert.pem"
KeyFile = "/etc/certs/gateway.key.pem"
CertFile = "/etc/certs/gateway.cert.pem"
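Review bot: The mutual-TLS descriptions and their examples disagree. The sentences "Link gateway named "us-west-gateway" with the payments service …" and "… with the payments service in the finance namespace" still name payments, while this hunk changes `Name = "payments"` to `Name = "billing"` and the namespaced example also uses `Name = "billing"`. Either restore `Name = "payments"` in both HCL examples or reword the two sentences to say billing, so that a reader copying the sample links the service the text names. The JSON versions of these examples in the following hunk have the same mismatch (`"Name": "billing"` under a payments description). The second HCL block closes outside this hunk.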
@@ -83,13 +236,88 @@ Services = [
]
```
-Link gateway "us-west-gateway" with all services in the finance namespace, and configure default certificates for mutual TLS.
+
+
+
+Link gateway named "us-west-gateway" with the payments service and specify a CA file, key file, and cert file for mutual TLS authentication:
+
+```json
+{
+ "Kind": "terminating-gateway",
+ "Name": "us-west-gateway",
+ "Services": [
+ {
+ "Name": "billing",
+ "CAFile": "/etc/certs/ca-chain.cert.pem",
+ "KeyFile": "/etc/certs/gateway.key.pem",
+ "CertFile": "/etc/certs/gateway.cert.pem"
+ }
+ ]
+}
+```
+
+
+
+
+Link gateway named "us-west-gateway" in the default namespace with the payments service in the finance namespace.
+Also specify a CA file, key file, and cert file for mutual TLS authentication:
+
+```json
+{
+ "Kind": "terminating-gateway",
+ "Name": "us-west-gateway",
+ "Namespace": "default",
+ "Services": [
+ {
+ "Namespace": "finance",
+ "Name": "billing",
+ "CAFile": "/etc/certs/ca-chain.cert.pem",
+ "KeyFile": "/etc/certs/gateway.key.pem",
+ "CertFile": "/etc/certs/gateway.cert.pem"
+ }
+ ]
+}
+```
+
+
+
+
+
+
+
+Link gateway named "us-west-gateway" with all services in the datacenter, and configure default certificates for mutual TLS.
Also override the SNI and CA file used for connections to the billing service:
+```hcl
+Kind = "terminating-gateway"
+Name = "us-west-gateway"
+
+Services = [
+ {
+ Name = "*"
+ CAFile = "/etc/common-certs/ca-chain.cert.pem"
+ KeyFile = "/etc/common-certs/gateway.key.pem"
+ CertFile = "/etc/common-certs/gateway.cert.pem"
+ },
+ {
+ Name = "billing"
+ CAFile = "/etc/billing-ca/ca-chain.cert.pem",
+ SNI = "billing.service.com"
+ }
+]
+```
+
+
+
+
+Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace,
+and configure default certificates for mutual TLS. Also override the SNI and CA file used for connections to the billing service:
+
```hcl
Kind = "terminating-gateway"
Name = "us-west-gateway"
Namespace = "default"
+
Services = [
{
Namespace = "finance"
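Review bot: In the new non-namespaced wildcard HCL example, the line `CAFile = "/etc/billing-ca/ca-chain.cert.pem",` ends with a comma that no other attribute line on the page has. The next hunk introduces the same comma into the namespaced example, where the old line had none. I would drop it in both places, `CAFile = "/etc/billing-ca/ca-chain.cert.pem"`, so the samples stay uniform and do not depend on how the HCL parser treats a stray separator. The namespaced block at the end of this hunk continues outside it.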
@@ -101,12 +329,72 @@ Services = [
{
Namespace = "finance"
Name = "billing"
- CAFile = "/etc/billing-ca/ca-chain.cert.pem"
- SNI = "billing.service.com"
+ CAFile = "/etc/billing-ca/ca-chain.cert.pem",
+ SNI = "billing.service.com"
}
]
```
+
+
+
+Link gateway named "us-west-gateway" with all services in the datacenter, and configure default certificates for mutual TLS.
+Also override the SNI and CA file used for connections to the billing service:
+
+```json
+{
+ "Kind": "terminating-gateway",
+ "Name": "us-west-gateway",
+ "Services": [
+ {
+ "Name": "*",
+ "CAFile": "/etc/billing-ca/ca-chain.cert.pem",
+ "KeyFile": "/etc/certs/gateway.key.pem",
+ "CertFile": "/etc/certs/gateway.cert.pem",
+ "SNI": "billing.service.com"
+ },
+ {
+ "Name": "billing",
+ "CAFile": "/etc/billing-ca/ca-chain.cert.pem",
+ "SNI": "billing.service.com"
+ }
+ ]
+}
+```
+
+
+
+
+Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace,
+and configure default certificates for mutual TLS. Also override the SNI and CA file used for connections to the billing service:
+
+```json
+{
+ "Kind": "terminating-gateway",
+ "Name": "us-west-gateway",
+ "Namespace": "default",
+ "Services": [
+ {
+ "Namespace": "finance",
+ "Name": "*",
+ "CAFile": "/etc/billing-ca/ca-chain.cert.pem",
+ "KeyFile": "/etc/certs/gateway.key.pem",
+ "CertFile": "/etc/certs/gateway.cert.pem",
+ "SNI": "billing.service.com"
+ },
+ {
+ "Namespace": "finance",
+ "Name": "billing",
+ "CAFile": "/etc/billing-ca/ca-chain.cert.pem",
+ "SNI": "billing.service.com"
+ }
+ ]
+}
+```
+
+
+
+
## Available Fields
- `Kind` - Must be set to `terminating-gateway`
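Review bot: Both JSON wildcard examples put the billing override on the `"Name": "*"` entry, which carries `"CAFile": "/etc/billing-ca/ca-chain.cert.pem"` and `"SNI": "billing.service.com"`. The description says the wildcard entry holds the default certificates and only billing overrides the SNI and CA file. The HCL version in the previous hunk uses `/etc/common-certs/...` for the wildcard and sets no SNI there. Copied as written, the JSON would check every linked service against the billing CA and send the billing SNI to all of them, which looks like a copy-paste slip rather than intent. I would change the wildcard entry in both JSON blocks to `"CAFile": "/etc/common-certs/ca-chain.cert.pem"`, point `KeyFile` and `CertFile` at `/etc/common-certs/` as well, and remove its `"SNI"` line.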