我的书签
添加书签
移除书签Terminating Gateways on Kubernetes
This topic requires familiarity with Terminating Gateways.
Adding a terminating gateway is a multi-step process:
- Update the Helm chart with terminating gateway config options
- Deploy the Helm chart
- Access the Consul agent
- Register external services with Consul
Minimum required Helm options:
config.yaml
Ensure you have the latest consul-helm chart and install Consul via helm using the following while being sure to provide the yaml configuration as previously discussed.
You can access the Consul server directly from your host via . This is helpful for interacting with your Consul UI locally as well as to validate connectivity of the application.
$ kubectl port-forward consul-server-0 8500 &
If TLS is enabled use port 8501:
$ kubectl port-forward consul-server-0 8501 &
Be sure the latest consul binary is installed locally on your host. https://releases.hashicorp.com/consul/
$ export CONSUL_HTTP_ADDR=http://localhost:8500
If TLS is enabled set:
$ export CONSUL_HTTP_ADDR=https://localhost:8501$ export CONSUL_HTTP_SSL_VERIFY=false
If ACLs are enabled also set:
$ export CONSUL_HTTP_TOKEN=$(kubectl get secret consul-bootstrap-acl-token --template='{{.data.token | base64decode }}')
Registering the external services with Consul is a multi-step process:
- Register external services with Consul
- Update the terminating gateway ACL token if ACLs are enabled
- Create a resource to configure the terminating gateway
- Create a ServiceIntentions resource to allow access from services in the mesh to external service
- Define upstream annotations for any services that need to talk to the external services
Create a sample external service and register it with Consul.
{"Node": "example_com","Address": "example.com","NodeMeta": {"external-node": "true","external-probe": "true"},"Service": {"Address": "example.com","ID": "example-https","Service": "example-https","Port": 443}}
external.json
- is our made up node name.
- “Address”: “example.com” is the address of our node. Services registered to that node will use this address if their own address isn’t specified. If you’re registering multiple external services, ensure you use different node names with different addresses or set the
Service.Addresskey. - is the address of our service. In this example this doesn’t need to be set since the address of the node is the same, but if there were two services registered to that same node then this should be set.
Register the external service with Consul:
If ACLs and TLS are enabled :
$ curl --request PUT --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" --data @external.json -k $CONSUL_HTTP_ADDR/v1/catalog/registertrue
If ACLs are enabled, update the terminating gateway acl token to have service: write permissions on all of the services being represented by the gateway:
- Update the existing token to include the new policy
The CLI command should be run with the -merge-policies, -merge-roles and -merge-service-identities so nothing is removed from the terminating gateway token
service "example-https" {policy = "write"}
write-policy.hcl
$ consul acl policy create -name "example-https-write-policy" -rules @write-policy.hclID: xxxxxxxxxxxxxxxName: example-https-write-policyDescription:Datacenters:Rules:service "example-https" {policy = "write"}
Now fetch the ID of the terminating gateway token
AccessorID: <token id>
Update the terminating gateway acl token with the new policy
$ consul acl token update -id <token-id> -policy-name example-https-write-policy -merge-policies -merge-roles -merge-service-identitiesAccessorID: <token id>SecretID: <secret id>Description: terminating-gateway-terminating-gateway-token TokenLocal: trueCreate Time: 2021-01-08 21:18:47.957450486 +0000 UTCPolicies:63bf1d9b-a87d-8672-ddcb-d25e2d88adb8 - terminating-gateway-terminating-gateway-tokenf63d1ae6-ffe7-44bd-bf7a-704a86939a63 - example-https-write-policy
Once the tokens have been updated, create the TerminatingGateway resource to configure the terminating gateway:
apiVersion: consul.hashicorp.com/v1alpha1kind: TerminatingGatewaymetadata:name: terminating-gatewayspec:services:- name: example-httpscaFile: /etc/ssl/cert.pem
terminating-gateway.yaml
If TLS is enabled a caFile must be provided, it must point to the system trust store of the terminating gateway container (/etc/ssl/cert.pem).
Apply the TerminatingGateway resource with kubectl apply:
If using ACLs and TLS, create a resource to allow access from services in the mesh to the external service
apiVersion: consul.hashicorp.com/v1alpha1kind: ServiceIntentionsmetadata:name: example-httpsspec:destination:name: example-httpssources:- name: static-client
service-intentions.yaml
Apply the ServiceIntentions resource with kubectl apply:
$ kubectl apply -f service-intentions.yaml
Finally define and deploy the external services as upstreams for the internal mesh services that wish to talk to them. An example deployment is provided which will serve as a static client for the terminating gateway service.
apiVersion: v1kind: Servicemetadata:spec:selector:app: static-clientports:- port: 80---apiVersion: v1kind: ServiceAccountmetadata:name: static-client---apiVersion: apps/v1kind: Deploymentmetadata:name: static-clientspec:replicas: 1selector:matchLabels:app: static-clienttemplate:metadata:name: static-clientlabels:app: static-clientannotations:'consul.hashicorp.com/connect-inject': 'true''consul.hashicorp.com/connect-service-upstreams': 'example-https:1234'spec:containers:- name: static-clientimage: curlimages/curl:latestcommand: ['/bin/sh', '-c', '--']args: ['while true; do sleep 30; done;']serviceAccountName: static-client
static-client.yaml
Run the service via kubectl apply:
$ kubectl apply -f static-client.yaml
Wait for the service to be ready:
$ kubectl rollout status deploy static-client --watch
