Ingress gateway configuration entry reference

Configuration - 图1

Note

Ingress gateway is deprecated and will not be enhanced beyond its current capabilities. Ingress gateway is fully supported in this version but will be removed in a future release of Consul.

Consul’s API gateway is the recommended alternative to ingress gateway.

This topic provides configuration reference information for the ingress gateway configuration entry. An ingress gateway is a type of proxy you register as a service in Consul to enable network connectivity from external services to services inside of the service mesh. Refer to Ingress gateways overview for additional information.

Configuration model

The following list describes the configuration hierarchy, language-specific data types, default values if applicable, and requirements for the configuration entry. Click on a property name to view additional details.

Complete configuration

When every field is defined, an ingress gateway configuration entry has the following form:

  1. Kind      = "ingress-gateway"          
  2. Name      = "<name of the gateway>"    
  3. Namespace = "<namespace to register the gateway>" 
  4. Partition = "<partition to register the gateway>" 
  5. Meta = {       
  6.   <key> = "<value>"
  7. }
  8. TLS = {        
  9.   Enabled       = false         
  10.   TLSMinVersion = "TLSv1_2"     
  11.   TLSMaxVersion = "<max version of TLS supported for this gateway>"  
  12.   CipherSuites = [   
  13.     "<cipher>"
  14.   ]
  15.   SDS = {      
  16.     ClusterName  = "<name of SDS cluster>"   
  17.     CertResource = "<SDS resource name>"     
  18.   }
  19. }
  20. Defaults = {         
  21.   MaxConnections        = 0      
  22.   MaxPendingRequests    = 0      
  23.   MaxConcurrentRequests = 0      
  24.   PassiveHealthCheck = {            
  25.     interval                  = 10  
  26.     max_failures              = 5   
  27.     enforcing_consecutive_5xx = 100 
  28.   }
  29. }
  30. Listeners = [           
  31.   {                     
  32.     Port     = 0        
  33.     Protocol = "tcp"    
  34.     Services = [        
  35.       {                 
  36.         Name      = "<name of external service>"                  
  37.         Namespace = "<namespace containing the external service>" 
  38.         Partition = "<partition containing the external service>" 
  39.         Hosts = [       
  40.           ".ingress.*"  
  41.         ]
  42.         RequestHeaders = {    
  43.           Add = {             
  44.             RequestHeaderName = "<request header value to add>"  
  45.           }
  46.           Set = {             
  47.             RequestHeaderName = "<request header value to set>" 
  48.           }
  49.           Remove = [          
  50.             "<request header to remove>"    
  51.           ]
  52.         }
  53.         ResponseHeaders = {   
  54.           Add = {             
  55.             ResponseHeaderName = "<response header value to add>"  
  56.           }
  57.           Set = {             
  58.             ResponseHeaderName = "<response header value to set>"  
  59.           }
  60.           Remove = [          
  61.             "<response header remove>"   
  62.           ]
  63.         }
  64.         TLS = {            
  65.           SDS = {            
  66.             ClusterName  = "<name of SDS cluster>"   
  67.             CertResource = "<name of SDS source>"    
  68.           }
  69.         }
  70.         MaxConnections        = <number>      
  71.         MaxPendingRequests    = <number>      
  72.         MaxConcurrentRequests = <number>      
  73.         PassiveHealthCheck = {            
  74.           interval                  = 10  
  75.           max_failures              = 5   
  76.           enforcing_consecutive_5xx = 100 
  77.         }
  78.     }]
  79.     TLS = {                       
  80.       Enabled       = false      
  81.       TLSMinVersion = "TLSv1_2"  
  82.       TLSMaxVersion = "<max supported version for the listener>" 
  83.       CipherSuites = [     
  84.         "<ciphersuite>"    
  85.       ]
  86.       SDS = {                    
  87.         ClusterName  = "<name of SDS cluster>" 
  88.         CertResource = "<SDS resource name>"   
  89.       }
  90.     }
  91.   }
  92. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: IngressGateway          
  3. metadata:
  4.   name: <name of the gateway>    
  5.   namespace: "<namespace to register the gateway>" 
  6. spec: 
  7.   tls:         
  8.     enabled: false         
  9.     tlsSMinVersion: TLSv1_2     
  10.     tlsMaxVersion: "<max version of TLS supported for this gateway>"  
  11.     cipherSuites:    
  12.      - <cipher>
  13.     sds:      
  14.       clusterName: <name of SDS cluster>   
  15.       certResource: <SDS resource name>     
  16.   defaults:          
  17.     maxConnections: 0      
  18.     maxPendingRequests: 0      
  19.     maxConcurrentRequests: 0      
  20.     passiveHealthCheck:            
  21.       interval: 10  
  22.       max_failures: 5   
  23.       enforcing_consecutive_5xx: 100 
  24.   listeners:                     
  25.     - port: 0        
  26.       protocol: tcp    
  27.       services:         
  28.         - name: <name of external service>                  
  29.           namespace: <namespace containing the external service> 
  30.           partition: <partition containing the external service>
  31.           hosts:       
  32.             - .ingress.*  
  33.           requestHeaders:     
  34.             add:             
  35.               requestHeaderName: <request header value to add>
  36.             set:
  37.               requestHeaderName: <request header value to set>
  38.      remove:           
  39.               - <request header to remove>    
  40.           responseHeaders:  
  41.             add:             
  42.               responseHeaderName: <response header value to add>  
  43.             set:             
  44.               responseHeaderName: <response header value to set>
  45.             remove:
  46.               - <response header remove>   
  47.           tls:            
  48.             sds:            
  49.               clusterName: <name of SDS cluster>
  50.               certResource: <name of SDS source>    
  51.             maxConnections: <number>      
  52.             maxPendingRequests: <number>      
  53.             maxConcurrentRequests: <number>      
  54.             passiveHealthCheck:            
  55.               interval: 10  
  56.               max_failures: 5   
  57.               enforcing_consecutive_5xx: 100        
  58.       tls:                       
  59.         enabled: false      
  60.         tlsMinVersion: TLSv1_2  
  61.         tlsMaxVersion: <max supported version for the listener> 
  62.         cipherSuites:      
  63.           - <ciphersuite>    
  64.         sds:                    
  65.           clusterName: <name of SDS cluster> 
  66.           certResource: <SDS resource name>
  1. {
  2.   "Kind" : "ingress-gateway",          
  3.   "Name" : "<name of the gateway>",    
  4.   "Namespace" : "<namespace to register the gateway>", 
  5.   "Partition" : "<partition to register the gateway>", 
  6.   "Meta": {       
  7.     "<key>" : "<value>"
  8.   },
  9.   "TLS" : {        
  10.     "Enabled" : false,         
  11.     "TLSMinVersion" : "TLSv1_2",     
  12.     "TLSMaxVersion" : "<max version of TLS supported for this gateway>",  
  13.     "CipherSuites" : [   
  14.       "<cipher>"
  15.     ],
  16.     "SDS": {      
  17.       "ClusterName" : "<name of SDS cluster>",   
  18.       "CertResource" : "<SDS resource name>"     
  19.     }
  20.   },
  21.   "Defaults" : {         
  22.     "MaxConnections" : 0,      
  23.     "MaxPendingRequests" : 0,      
  24.     "MaxConcurrentRequests": 0,      
  25.     "PassiveHealthCheck" : {            
  26.       "interval" : 10,  
  27.       "max_failures" : 5,   
  28.       "enforcing_consecutive_5xx" : 100 
  29.     }
  30.   },
  31.   "Listeners" : [           
  32.     {                     
  33.       "Port" : 0,        
  34.       "Protocol" : "tcp",    
  35.       "Services" : [        
  36.         {                 
  37.           "Name" : "<name of external service>",                  
  38.           "Namespace" : "<namespace containing the external service>", 
  39.           "Partition" : "<partition containing the external service>", 
  40.           "Hosts" :  [       
  41.             ".ingress.*"  
  42.           ],
  43.           "RequestHeaders" : {    
  44.             "Add" : {             
  45.               "RequestHeaderName" : "<request header value to add>"  
  46.             },
  47.             "Set" : {             
  48.               "RequestHeaderName" : "<request header value to set>" 
  49.             },
  50.             "Remove" : [          
  51.               "<request header to remove>"    
  52.             ]
  53.           },
  54.           "ResponseHeaders" : {   
  55.             "Add" : {             
  56.               "ResponseHeaderName" : "<response header value to add>"  
  57.             },
  58.             "Set" : {             
  59.               "ResponseHeaderName" : "<response header value to set>"  
  60.             },
  61.             "Remove" : [          
  62.               "<response header remove>"   
  63.             ]
  64.           },
  65.           "TLS" : {            
  66.             "SDS" : {            
  67.               "ClusterName" : "<name of SDS cluster>",   
  68.               "CertResource" : "<name of SDS source>"    
  69.             }
  70.           },
  71.           "MaxConnections" : <number>,      
  72.           "MaxPendingRequests" : <number>,      
  73.           "MaxConcurrentRequests" : <number>,      
  74.           "PassiveHealthCheck" : {            
  75.             "interval" : 10,  
  76.             "max_failures" : 5,   
  77.             "enforcing_consecutive_5xx" : 100 
  78.           }
  79.         }
  80.       ],
  81.       "TLS" : {                       
  82.         "Enabled" : false,      
  83.         "TLSMinVersion" : "TLSv1_2",  
  84.         "TLSMaxVersion" : "<max supported version for the listener>", 
  85.         "CipherSuites" : [     
  86.           "<ciphersuite>"    
  87.         ],
  88.         "SDS" : {                    
  89.           "ClusterName" : "<name of SDS cluster>", 
  90.           "CertResource" : "<SDS resource name>"   
  91.         }
  92.       }
  93.     }
  94.   ]
  95. }

Specification

This section provides details about the fields you can configure in the ingress gateway configuration entry.

Kind

Specifies the type of configuration entry. Must be set to ingress-gateway.

Values

  • Default: None
  • This field is required.
  • Data type: String value that must be set to ingress-gateway.

Name

Specifies a name for the gateway. The name is metadata that you can use to reference the configuration entry when performing Consul operations with the consul config command.

Values

  • Default: None
  • This field is required.
  • Data type: String

Namespace EnterpriseConfiguration - 图9Enterprise

Specifies the namespace to apply the configuration entry in. Refer to Namespaces for additional information about Consul namespaces.

If unspecified, the ingress gateway is applied to the default namespace. You can override the namespace when using the /config API endpoint to register the configuration entry by specifying the ns query parameter.

Values

  • Default: default,
  • Data type: String

Partition EnterpriseConfiguration - 图10Enterprise

Specifies the admin partition that the ingress gateway applies to. The value must match the partition in which the gateway is registered. Refer to Admin partitions for additional information.

If unspecified, the ingress gateway is applied to the default partition. You can override the partition when using the /config API endpoint to register the configuration entry by specifying the partition query parameter.

Values

  • Default: `default
  • Data type: String

Meta

Defines an arbitrary set of key-value pairs to store in the Consul KV.

Values

  • Default: None
  • Data type: Map of one or more key-value pairs.
    • keys: String
    • values: String, integer, or float

TLS

Specifies the TLS configuration settings for the gateway.

Values

TLS.Enabled

Enables and disables TLS for the configuration entry. Set to true to enable built-in TLS for every listener on the gateway. TLS is disabled by default.

When enabled, Consul adds each host defined in every service’s Hosts field to the gateway’s x509 certificate as a DNS subject alternative name (SAN).

Values

  • Default: false
  • Data type: boolean

TLS.TLSMinVersion

Specifies the minimum TLS version supported for gateway listeners.

Values

  • Default: Depends on the version of Envoy:
    • Envoy v1.22.0 and later: TLSv1_2
    • Older versions: TLSv1_0
  • Data type: String with one of the following values:

TLS.TLSMaxVersion

Specifies the maximum TLS version supported for gateway listeners.

Values

  • Default: Depends on the version of Envoy:
    • Envoy v1.22.0 and later: TLSv1_2
    • Older versions: TLSv1_0
  • Data type: String with one of the following values:

TLS.CipherSuites[]

Specifies a list of cipher suites that gateway listeners support when negotiating connections using TLS 1.2 or older. If unspecified, the Consul applies the default for the version of Envoy in use. Refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tls parameters-cipher-suites) for details.

Values

  • Default: None
  • Data type: List of string values. Refer to the Consul repository for a list of supported ciphers.

TSL.SDS

Specifies parameters for loading the TLS certificates from an external SDS service. Refer to Serve custom TLS certificates from an external service for additional information.

Consul applies the SDS configuration specified in this field as defaults for all listeners defined in the gateway. You can override the SDS settings for per listener or per service defined in the listener. Refer to the following configurations for additional information:

Values

The following table describes how to configure SDS parameters.

ParameterDescriptionData type
ClusterNameSpecifies the name of the SDS cluster where Consul should retrieve certificates. The cluster must be specified in the gateway’s bootstrap configuration.String
CertResourceSpecifies an SDS resource name. Consul requests the SDS resource name when fetching the certificate from the SDS service. When set, Consul serves the certificate to all listeners over TLS unless a listener-specific TLS configuration overrides the SDS configuration.String

Defaults

Specifies default configurations for connecting upstream services.

Values

Defaults.MaxConnections

Specifies the maximum number of HTTP/1.1 connections a service instance is allowed to establish against the upstream.

Values

  • Default value is 0, which instructs Consul to use the proxy’s configuration. For Envoy, the default is 1024.
  • Data type: Integer

Defaults.MaxPendingRequests

Specifies the maximum number of requests that are allowed to queue while waiting to establish a connection. Listeners must use an L7 protocol for this configuration to take effect. Refer to Listeners.Protocol.

Values

  • Default value is 0, which instructs Consul to use the proxy’s configuration. For Envoy, the default is 1024.
  • Data type: Integer

Defaults.MaxConcurrentRequests

Specifies the maximum number of concurrent HTTP/2 traffic requests that are allowed at a single point in time. Listeners must use an L7 protocol for this configuration to take effect. Refer to Listeners.Protocol.

Values

  • Default value is 0, which instructs Consul to use the proxy’s configuration. For Envoy, the default is 1024.
  • Data type: Integer

Defaults.PassiveHealthCheck

Defines a passive health check configuration. Passive health checks remove hosts from the upstream cluster when they are unreachable or return errors.

Values

  • Default: None
  • Data type: Map

The following table describes the configurations for passive health checks:

ParameterDescriptionData typeDefault
intervalSpecifies the time in nanoseconds between checks.IntegerProxy’s default configuration, which is 10 for Envoy
max_failuresSpecifies the number of consecutive failures that cause a host to be removed from the upstream cluster.IntegerProxy’s default configuration, which is 5 for Envoy
enforcing_consecutive_5xxSpecifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range.IntegerProxy’s default configuration, which is 100 for Envoy

Listeners[]

Specifies a list of listeners in the mesh for the gateway. Listeners are uniquely identified by their port number.

Values

Listeners[].Port

Specifies the port that the listener receives traffic on. The port is bound to the IP address specified in the -address flag when starting the gateway. The listener port must not conflict with the health check port.

Values

  • Default: 0
  • Data type: Integer

Listeners[].Protocol

Specifies the protocol associated with the listener. To enable L7 network management capabilities, specify one of the following values:

Values

  • Default: tcp

  • Data type: String that contains one of the following values:

Listeners[].Services[]

Specifies a list of services that the listener exposes to services outside the mesh. Each service must have a unique name. The Namespace field is required for Consul Enterprise datacenters. If the [Listeners.Protocol] field is set to tcp, then Consul can only expose one service. You can expose multiple services if the listener uses any other supported protocol.

Values

Listeners[].Services[].Name

Specifies the name of a service to expose to the listener. You can specify services in the following ways:

  • Provide the name of a service registered in the Consul catalog.
  • Provide the name of a service defined in other configuration entries. Refer to Service Mesh Traffic Management Overview for additional information.
  • Provide a * wildcard to expose all services in the datacenter. Wild cards are not supported for listeners configured for TCP. Refer to Listeners[].Protocol for additional information.

Values

  • Default: None
  • Data type: String

Listeners[].Services[].Namespace EnterpriseConfiguration - 图13Enterprise

Specifies the namespace to use when resolving the location of the service.

Values

  • Default: Current namespace
  • Data type: String

Listeners[].Services[].Partition EnterpriseConfiguration - 图14Enterprise

Specifies the admin partition to use when resolving the location of the service.

Values

  • Default: Current partition
  • Data type: String

Listeners[].Services[].Hosts[]

Specifies one or more hosts that the listening services can receive requests on. The ingress gateway proxies external traffic to the specified services when external requests include host headers that match a host specified in this field.

If unspecified, Consul matches requests to services using the <service>.ingress.* domain. You cannot specify a host for listeners that communicate over TCP. You cannot specify a host when service names are specified with a * wildcard. Requests must include the correct host for Consul to proxy traffic to the service.

When TLS is disabled, you can use the * wildcard to match all hosts. Disabling TLS may be suitable for testing and learning purposes, but we recommend enabling TLS in production environments.

You can use the wildcard in the left-most DNS label to match a set of hosts. For example, *.example.com is valid, but example.* and *-suffix.example.com are invalid.

Values

  • Default: None
  • Data type: List of strings or *

Listeners[].Services[].RequestHeaders

Specifies a set of HTTP-specific header modification rules applied to requests routed through the gateway. You cannot configure request headers if the listener protocol is set to tcp. Refer to HTTP listener with Path-based Routing for an example configuration.

Values

  • Default: None

  • Data type: Object containing one or more fields that define header modification rules:

    • Add: Map of one or more key-value pairs
    • Set: Map of one or more key-value pairs
    • Remove: Map of one or more key-value pairs

The following table describes how to configure values for request headers:

RuleDescriptionData type
AddDefines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can use variable placeholders.Map of strings
SetDefines a set of key-value pairs to add to the request header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can use variable placeholders.Map of strings
RemoveDefines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive.List of strings
Use variable placeholders

For Add and Set, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable %DOWNSTREAM_REMOTE_ADDRESS% in your configuration entry allows you to pass a value that is generated at runtime.

Listeners[].Services[].ResponseHeaders

Specifies a set of HTTP-specific header modification rules applied to responses routed through the gateway. You cannot configure response headers if the listener protocol is set to tcp. Refer to HTTP listener with Path-based Routing for an example configuration.

Values

  • Default: None

  • Data type: Map containing one or more fields that define header modification rules:

    • Add: Map of one or more key-value pairs
    • Set: Map of one or more key-value pairs
    • Remove: Map of one or more key-value pairs

The following table describes how to configure values for request headers:

RuleDescriptionData type
AddDefines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can use variable placeholders.Map of strings
SetDefines a set of key-value pairs to add to the response header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can use variable placeholders.Map of strings
RemoveDefines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive.List of strings
Use variable placeholders

For Add and Set, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable %DOWNSTREAM_REMOTE_ADDRESS% in your configuration entry allows you to pass a value that is generated at runtime.

Listeners[].Services[].TLS

Specifies a TLS configuration for a specific service. The settings in this configuration overrides the main TLS settings for the configuration entry.

Values

  • Default: None
  • Data type: Map

Listeners[].Services[].TLS.SDS

Specifies parameters that configure the listener to load TLS certificates from an external SDS. Refer to Serve custom TLS certificates from an external service for additional information.

This configuration overrides the main TLS.SDS settings for configuration entry. If unspecified, Consul applies the top-level TLS.SDS settings.

Values

The following table describes how to configure SDS parameters. Refer to Configure static SDS clusters for usage information:

| Parameter | Description | Data type | | ClusterName | Specifies the name of the SDS cluster where Consul should retrieve certificates. The cluster must be specified in the gateway’s bootstrap configuration. | String | | CertResource | Specifies an SDS resource name. Consul requests the SDS resource name when fetching the certificate from the SDS service. When set, Consul serves the certificate to all listeners over TLS unless a listener-specific TLS configuration overrides the SDS configuration. | String |

Listeners[].Services[].MaxConnections

Specifies the maximum number of HTTP/1.1 connections a service instance is allowed to establish against the upstream.

When defined, this field overrides the Defaults.MaxConnections configuration.

Values

  • Default: None
  • Data type: Integer

Listeners[].Services.MaxPendingRequests

Specifies the maximum number of requests that are allowed to queue while waiting to establish a connection. When defined, this field overrides the value specified in the Defaults.MaxPendingRequests field of the configuration entry.

Listeners must use an L7 protocol for this configuration to take effect. Refer to Listeners.Protocol for more information.

Values

  • Default: None
  • Data type: Integer

Listeners[].Services[].MaxConcurrentRequests

Specifies the maximum number of concurrent HTTP/2 traffic requests that the service is allowed at a single point in time. This field overrides the value set in the Defaults.MaxConcurrentRequests field of the configuration entry.

Listeners must use an L7 protocol for this configuration to take effect. Refer to Listeners.Protocol for more information.

Values

  • Default: None
  • Data type: Integer

Listeners[].Services[].PassiveHealthCheck

Defines a passive health check configuration for the service. Passive health checks remove hosts from the upstream cluster when the service is unreachable or returns errors. This field overrides the value set in the Defaults.PassiveHealthCheck field of the configuration entry.

Values

  • Default: None
  • Data type: Map

The following table describes the configurations for passive health checks:

ParameterDescriptionData typeDefault
intervalSpecifies the time in nanoseconds between checks.IntegerProxy’s default configuration, which is 10 for Envoy
max_failuresSpecifies the number of consecutive failures that cause a host to be removed from the upstream cluster.IntegerProxy’s default configuration, which is 5 for Envoy
enforcing_consecutive_5xxSpecifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range.IntegerProxy’s default configuration, which is 100 for Envoy

Listeners[].TLS

Specifies the TLS configuration for the listener. If unspecified, Consul applies any service-specific TLS configurations. If neither the listener- nor service-specific TLS configurations are specified, Consul applies the main TLS settings for the configuration entry.

Values

Listeners[].TLS.Enabled

Set to true to enable built-in TLS for the listener. If enabled, Consul adds each host defined in every service’s Hosts field to the gateway’s x509 certificate as a DNS subject alternative name (SAN).

Values

  • Default: false
  • Data type: boolean

Listeners[].TLS.TLSMinVersion

Specifies the minimum TLS version supported for the listener.

Values

  • Default: Depends on the version of Envoy:
    • Envoy v1.22.0 and later: TLSv1_2
    • Older versions: TLSv1_0
  • Data type: String with one of the following values:

Listeners[].TLS.TLSMaxVersion

Specifies the maximum TLS version supported for the listener.

Values

  • Default: Depends on the version of Envoy:
    • Envoy v1.22.0 and later: TLSv1_2
    • Older versions: TLSv1_0
  • Data type: String with one of the following values:

Listeners[].TLS.CipherSuites

Specifies a list of cipher suites that the listener supports when negotiating connections using TLS 1.2 or older. If unspecified, the Consul applies the default for the version of Envoy in use. Refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tls parameters-cipher-suites) for details.

Values

  • Default: None
  • Data type: List of string values. Refer to the Consul repository for a list of supported ciphers.

Listeners[].TLS.SDS

Specifies parameters for loading the TLS certificates from an external SDS service. Refer to Serve custom TLS certificates from an external service for additional information.

Consul applies the SDS configuration specified in this field to all services in the listener. You can override the Listeners.TLS.SDS configuration per service by configuring the Listeners.Services.TLS.SDS settings for each service.

Values

  • Default: None
  • The data type is a map containing ClusterName and CertResource fields.

The following table describes how to configure SDS parameters. Refer to Configure static SDS clusters for usage information:

ParameterDescriptionData type
ClusterNameSpecifies the name of the SDS cluster where Consul should retrieve certificates. The cluster must be specified in the gateway’s bootstrap configuration.String
CertResourceSpecifies an SDS resource name. Consul requests the SDS resource name when fetching the certificate from the SDS service. When set, Consul serves the certificate to all listeners over TLS unless a listener-specific TLS configuration overrides the SDS configuration.String

apiVersion

Kubernetes-only parameter that specifies the version of the Consul API that the configuration entry maps to Kubernetes configurations. The value must be consul.hashicorp.com/v1alpha1.

kind

Specifies the type of configuration entry to implement. Must be set to IngressGatewa.

Values

  • Default: None
  • This field is required.
  • Data type: String value that must be set to IngressGateway.

metadata

Specifies metadata for the gateway.

Values

  • Default: None
  • This field is required
  • Data type: Map the contains the following fields:

metadata.name

Specifies a name for the gateway. The name is metadata that you can use to reference the configuration entry when performing Consul operations with the consul config command.

Values

  • Default: None
  • This field is required.
  • Data type: String

metadata.namespace EnterpriseConfiguration - 图15Enterprise

Specifies the namespace to apply the configuration entry in. Refer to Namespaces for additional information about Consul namespaces.

If unspecified, the ingress gateway is applied to the default namespace. You can override the namespace when using the /config API endpoint to register the configuration entry by specifying the ns query parameter.

Values

  • Default: default,
  • Data type: String

spec

Kubernetes-only field that contains all of the configurations for ingress gateway pods.

Values

  • Default: None
  • This field is required.
  • Data type: Map containing the following fields:

spec.tls

Specifies the TLS configuration settings for the gateway.

Values

spec.tls.enabled

Enables and disables TLS for the configuration entry. Set to true to enable built-in TLS for every listener on the gateway. TLS is disabled by default.

When enabled, Consul adds each host defined in every service’s Hosts field to the gateway’s x509 certificate as a DNS subject alternative name (SAN).

Values

  • Default: false
  • Data type: boolean

spec.tls.tlsMinVersion

Specifies the minimum TLS version supported for gateway listeners.

Values

  • Default: Depends on the version of Envoy:
    • Envoy v1.22.0 and later: TLSv1_2
    • Older versions: TLSv1_0
  • Data type: String with one of the following values:

spec.tls.tlsMaxVersion

Specifies the maximum TLS version supported for gateway listeners.

Values

  • Default: Depends on the version of Envoy:
    • Envoy v1.22.0 and later: TLSv1_2
    • Older versions: TLSv1_0
  • Data type: String with one of the following values:

spec.tls.cipherSuites[]

Specifies a list of cipher suites that gateway listeners support when negotiating connections using TLS 1.2 or older. If unspecified, the Consul applies the default for the version of Envoy in use. Refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tls parameters-cipher-suites) for details.

Values

  • Default: None
  • Data type: List of string values. Refer to the Consul repository for a list of supported ciphers.

spec.tls.sds

Specifies parameters for loading the TLS certificates from an external SDS service. Refer to Serve custom TLS certificates from an external service for additional information.

Consul applies the SDS configuration specified in this field as defaults for all listeners defined in the gateway. You can override the SDS settings for per listener or per service defined in the listener. Refer to the following configurations for additional information:

Values

  • Default: None
  • Data type: Map containing the following fields:
    • [clusterName]
    • [certResource]

The following table describes how to configure SDS parameters.

ParameterDescriptionData type
clusterNameSpecifies the name of the SDS cluster where Consul should retrieve certificates. The cluster must be specified in the gateway’s bootstrap configuration.String
certResourceSpecifies an SDS resource name. Consul requests the SDS resource name when fetching the certificate from the SDS service. When set, Consul serves the certificate to all listeners over TLS unless a listener-specific TLS configuration overrides the SDS configuration.String

spec.defaults

Specifies default configurations for upstream connections.

Values

spec.defaults.maxConnections

Specifies the maximum number of HTTP/1.1 connections a service instance is allowed to establish against the upstream. If unspecified, Consul uses Envoy’s configuration. The default configuration for Envoy is 1024.

Values

  • Default: 0
  • Data type: Integer

spec.defaults.maxPendingRequests

Specifies the maximum number of requests that are allowed to queue while waiting to establish a connection. Listeners must use an L7 protocol for this configuration to take effect. Refer to spec.listeners.Protocol.

If unspecified, Consul uses Envoy’s configuration. The default for Envoy is 1024.

Values

  • Default: 0
  • Data type: Integer

spec.defaults.maxConcurrentRequests

Specifies the maximum number of concurrent HTTP/2 traffic requests that are allowed at a single point in time. Listeners must use an L7 protocol for this configuration to take effect. Refer to spec.listeners.protocol.

If unspecified, Consul uses Envoy’s configuration. The default for Envoy is 1024.

Values

  • Default: 0
  • Data type: Integer

spec.defaults.passiveHealthCheck

Defines a passive health check configuration. Passive health checks remove hosts from the upstream cluster when they are unreachable or return errors.

Values

  • Default: None
  • Data type: Map

The following table describes the configurations for passive health checks:

ParameterDescriptionData typeDefault
intervalSpecifies the time in nanoseconds between checks.IntegerProxy’s default configuration, which is 10 for Envoy
max_failuresSpecifies the number of consecutive failures that cause a host to be removed from the upstream cluster.IntegerProxy’s default configuration, which is 5 for Envoy
enforcing_consecutive_5xxSpecifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range.IntegerProxy’s default configuration, which is 100 for Envoy

spec.listeners[]

Specifies a list of listeners in the mesh for the gateway. Listeners are uniquely identified by their port number.

Values

spec.listeners[].port

Specifies the port that the listener receives traffic on. The port is bound to the IP address specified in the -address flag when starting the gateway. The listener port must not conflict with the health check port.

Values

  • Default: 0
  • Data type: Integer

spec.listeners[].protocol

Specifies the protocol associated with the listener. To enable L7 network management capabilities, specify one of the following values:

Values

  • Default: tcp

  • Data type: String that contains one of the following values:

spec.listeners[].services[]

Specifies a list of services that the listener exposes to services outside the mesh. Each service must have a unique name. The namespace field is required for Consul Enterprise datacenters. If the listener’s protocol field is set to tcp, then Consul can only expose one service. You can expose multiple services if the listener uses any other supported protocol.

Values

spec.listeners[].services[].name

Specifies the name of a service to expose to the listener. You can specify services in the following ways:

Values

  • Default: None
  • Data type: String

spec.listeners[].services[].namespace EnterpriseConfiguration - 图18Enterprise

Specifies the namespace to use when resolving the location of the service.

Values

  • Default: Current namespace
  • Data type: String

spec.listeners[].services[].partition EnterpriseConfiguration - 图19Enterprise

Specifies the admin partition to use when resolving the location of the service.

Values

  • Default: Current partition
  • Data type: String

spec.listeners[].services[].hosts[]

Specifies one or more hosts that the listening services can receive requests on. The ingress gateway proxies external traffic to the specified services when external requests include host headers that match a host specified in this field.

If unspecified, Consul matches requests to services using the <service>.ingress.* domain. You cannot specify a host for listeners that communicate over TCP. You cannot specify a host when service names are specified with a * wildcard. Requests must include the correct host for Consul to proxy traffic to the service.

When TLS is disabled, you can use the * wildcard to match all hosts. Disabling TLS may be suitable for testing and learning purposes, but we recommend enabling TLS in production environments.

You can use the wildcard in the left-most DNS label to match a set of hosts. For example, *.example.com is valid, but example.* and *-suffix.example.com are invalid.

Values

  • Default: None
  • Data type: List of strings or *

spec.listeners[].services[].requestHeaders

Specifies a set of HTTP-specific header modification rules applied to requests routed through the gateway. You cannot configure request headers if the listener protocol is set to tcp. Refer to HTTP listener with path-based routing for an example configuration.

Values

  • Default: None

  • Data type: Object containing one or more fields that define header modification rules:

    • add: Map of one or more key-value pairs
    • set: Map of one or more key-value pairs
    • remove: Map of one or more key-value pairs

The following table describes how to configure values for request headers:

RuleDescriptionData type
addDefines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can use variable placeholders.Map of strings
setDefines a set of key-value pairs to add to the request header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can use variable placeholders.Map of strings
removeDefines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive.List of strings
Use variable placeholders

For add and set, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable %DOWNSTREAM_REMOTE_ADDRESS% in your configuration entry allows you to pass a value that is generated at runtime.

spec.listeners[].services[].responseHeaders

Specifies a set of HTTP-specific header modification rules applied to responses routed through the gateway. You cannot configure response headers if the listener protocol is set to tcp. Refer to HTTP listener with path-based routing for an example configuration.

Values

  • Default: None

  • Data type: Map containing one or more fields that define header modification rules:

    • add: Map of one or more key-value pairs
    • set: Map of one or more key-value pairs
    • remove: Map of one or more key-value pairs

The following table describes how to configure values for request headers:

RuleDescriptionData type
addDefines a set of key-value pairs to add to the header. Use header names as the keys. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers. You can use variable placeholders.Map of strings
setDefines a set of key-value pairs to add to the request header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values. You can use variable placeholders.Map of strings
removeDefines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive.List of strings
Use variable placeholders

For add and set, if the service is configured to use Envoy as the proxy, the value may contain variables to interpolate dynamic metadata into the value. For example, using the variable %DOWNSTREAM_REMOTE_ADDRESS% in your configuration entry allows you to pass a value that is generated at runtime.

spec.listeners[].services[].tls

Specifies a TLS configuration for a specific service. The settings in this configuration overrides the main tls settings for the configuration entry.

Values

  • Default: None
  • Data type: Map

spec.listeners[].services[].tls.sds

Specifies parameters that configure the listener to load TLS certificates from an external SDS. Refer to Serve custom TLS certificates from an external service for additional information.

If unspecified, Consul applies the sds settings configured for the ingress gateway. If both are specified, this configuration overrides the settings for configuration entry.

Values

The following table describes how to configure SDS parameters. Refer to Serve custom TLS certificates from an external service for usage information:

ParameterDescriptionData type
clusterNameSpecifies the name of the SDS cluster where Consul should retrieve certificates. The cluster must be specified in the gateway’s bootstrap configuration.String
certResourceSpecifies an SDS resource name. Consul requests the SDS resource name when fetching the certificate from the SDS service. When set, Consul serves the certificate to all listeners over TLS unless a listener-specific TLS configuration overrides the SDS configuration.String

spec-listeners[].services[].maxConnections

Specifies the maximum number of HTTP/1.1 connections a service instance is allowed to establish against the upstream.

A value specified in this field overrides the maxConnections field specified in the defaults configuration.

Values

  • Default: None
  • Data type: Integer

spec.listeners[].services.maxPendingRequests

Specifies the maximum number of requests that are allowed to queue while waiting to establish a connection. A value specified in this field overrides the maxPendingRequests field specified in the defaults configuration.

Listeners must use an L7 protocol for this configuration to take effect. Refer to spec.listeners.protocol for more information.

Values

  • Default: None
  • Data type: Integer

spec.listeners[].services[].maxConcurrentRequests

Specifies the maximum number of concurrent HTTP/2 traffic requests that the service is allowed at a single point in time. A value specified in this field overrides the maxConcurrentRequests field specified in the defaults configuration entry.

Listeners must use an L7 protocol for this configuration to take effect. Refer to spec.listeners.protocol for more information.

Values

  • Default: None
  • Data type: Integer

spec.listeners[].services[].passiveHealthCheck

Defines a passive health check configuration for the service. Passive health checks remove hosts from the upstream cluster when the service is unreachable or returns errors. Health checks specified for services override the health checks defined in the spec.defaults.passiveHealthCheck configuration.

Values

  • Default: None
  • Data type: Map

The following table describes the configurations for passive health checks:

ParameterDescriptionData typeDefault
intervalSpecifies the time in nanoseconds between checks.IntegerProxy’s default configuration, which is 10 for Envoy
max_failuresSpecifies the number of consecutive failures that cause a host to be removed from the upstream cluster.IntegerProxy’s default configuration, which is 5 for Envoy
enforcing_consecutive_5xxSpecifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range.IntegerProxy’s default configuration, which is 100 for Envoy

spec.listeners[].tls

Specifies the TLS configuration for the listener. If unspecified, Consul applies any service-specific TLS configurations. If neither the listener- nor service-specific TLS configurations are specified, Consul applies the main tls settings for the configuration entry.

Values

spec.listeners[].tls.enabled

Set to true to enable built-in TLS for the listener. If enabled, Consul adds each host defined in every service’s Hosts field to the gateway’s x509 certificate as a DNS subject alternative name (SAN).

Values

  • Default: false
  • Data type: boolean

spec.listeners[].tls.tlsMinVersion

Specifies the minimum TLS version supported for the listener.

Values

  • Default: Depends on the version of Envoy:
    • Envoy v1.22.0 and later: TLSv1_2
    • Older versions: TLSv1_0
  • Data type: String with one of the following values:

spec.listeners[].tls.tlsMaxVersion

Specifies the maximum TLS version supported for the listener.

Values

  • Default: Depends on the version of Envoy:
    • Envoy v1.22.0 and later: TLSv1_2
    • Older versions: TLSv1_0
  • Data type: String with one of the following values:

spec.listeners[].tls.cipherSuites

Specifies a list of cipher suites that the listener supports when negotiating connections using TLS 1.2 or older. If unspecified, the Consul applies the default for the version of Envoy in use. Refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tls parameters-cipher-suites) for details.

Values

  • Default: None
  • Data type: List of string values. Refer to the Consul repository for a list of supported ciphers.

spec.listeners[].tls.sds

Specifies parameters for loading the TLS certificates from an external SDS service. Refer to Serve custom TLS certificates from an external service for additional information.

Consul applies the SDS configuration specified in this field to all services in the listener. You can override the spec.listeners[].tls.sds configuration per service by configuring the spec.listeners.services.tls.sds settings for each service.

Values

The following table describes how to configure SDS parameters. Refer to Configure static SDS clusters for usage information:

ParameterDescriptionData type
clusterNameSpecifies the name of the SDS cluster where Consul should retrieve certificates. The cluster must be specified in the gateway’s bootstrap configuration.String
certResourceSpecifies an SDS resource name. Consul requests the SDS resource name when fetching the certificate from the SDS service. When set, Consul serves the certificate to all listeners over TLS unless a listener-specific TLS configuration overrides the SDS configuration.String

Examples

Refer to the following examples for common ingress gateway configuration patterns:

Define a TCP listener

The following example sets up a TCP listener on an ingress gateway named us-east-ingress that proxies traffic to the db service. For Consul Enterprise, the db service can only listen for traffic in the default namespace inside the team-frontend admin partition:

Consul OSS

  1. Kind = "ingress-gateway"
  2. Name = "us-east-ingress"
  4. Listeners = [
  5.   {
  6.     Port     = 3456
  7.     Protocol = "tcp"
  8.     Services = [
  9.       {
  10.         Name = "db"
  11.       }
  12.     ]
  13.   }
  14. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: IngressGateway
  3. metadata:
  4.   name: us-east-ingress
  5. spec:
  6.   listeners:
  7.     - port: 3456
  8.       protocol: tcp
  9.       services:
  10.         - name: db
  1. {
  2.   "Kind": "ingress-gateway",
  3.   "Name": "us-east-ingress",
  4.   "Listeners": [
  5.     {
  6.       "Port": 3456,
  7.       "Protocol": "tcp",
  8.       "Services": [
  9.         {
  10.           "Name": "db"
  11.         }
  12.       ]
  13.     }
  14.   ]
  15. }

Consul Enterprise

  1. Kind = "ingress-gateway"
  2. Name = "us-east-ingress"
  3. Namespace = "default"
  4. Partition = "team-frontend"
  6. Listeners = [
  7.   {
  8.     Port     = 3456
  9.     Protocol = "tcp"
  10.     Services = [
  11.       {
  12.         Namespace = "ops"
  13.         Name = "db"
  14.       }
  15.     ]
  16.   }
  17. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: IngressGateway
  3. metadata:
  4.   name: us-east-ingress
  5.   namespace: default
  6. spec:
  7.   listeners:
  8.     - port: 3456
  9.       protocol: tcp
  10.       services:
  11.         - name: db
  12.           namespace: ops
  1. {
  2.   "Kind": "ingress-gateway",
  3.   "Name": "us-east-ingress",
  4.   "Namespace": "default",
  5.   "Partition": "team-frontend",
  6.   "Listeners": [
  7.     {
  8.       "Port": 3456,
  9.       "Protocol": "tcp",
  10.       "Services": [
  11.         {
  12.           "Namespace": "ops",
  13.           "Name": "db"
  14.         }
  15.       ]
  16.     }
  17.   ]
  18. }

Use wildcards to define an HTTP listener

The following example gateway is named us-east-ingress and defines two listeners. The first listener is configured to listen on port 8080 and uses a wildcard (*) to proxy traffic to all services in the datacenter. The second listener exposes the api and web services on port 4567 at user-provided hosts.

TLS is enabled on every listener. The max_connections of the ingress gateway proxy to each upstream cluster is set to 4096.

The Consul Enterprise version implements the following additional configurations:

  • The ingress gateway is set up in the default namespace and proxies traffic to all services in the frontend namespace.
  • The api and web services are proxied to team-specific admin partitions:

Consul OSS

  1. Kind = "ingress-gateway"
  2. Name = "us-east-ingress"
  4. TLS {
  5.   Enabled = true
  6. }
  8. Defaults {
  9.   MaxConnections = 4096
  10. }
  12. Listeners = [
  13.   {
  14.     Port     = 8080
  15.     Protocol = "http"
  16.     Services = [
  17.       {
  18.         Name = "*"
  19.       }
  20.     ]
  21.   },
  22.   {
  23.     Port     = 4567
  24.     Protocol = "http"
  25.     Services = [
  26.       {
  27.         Name  = "api"
  28.         Hosts = ["foo.example.com"]
  29.       },
  30.       {
  31.         Name  = "web"
  32.         Hosts = ["website.example.com"]
  33.       }
  34.     ]
  35.   }
  36. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: IngressGateway
  3. metadata:
  4.   name: us-east-ingress
  5. spec:
  6.   tls:
  7.     enabled: true
  8.   listeners:
  9.     - port: 8080
  10.       protocol: http
  11.       services:
  12.         - name: '*'
  13.     - port: 4567
  14.       protocol: http
  15.       services:
  16.         - name: api
  17.           hosts: ['foo.example.com']
  18.         - name: web
  19.           hosts: ['website.example.com']
  1. {
  2.   "Kind": "ingress-gateway",
  3.   "Name": "us-east-ingress",
  4.   "TLS": {
  5.     "Enabled": true
  6.   },
  7.   "Listeners": [
  8.     {
  9.       "Port": 8080,
  10.       "Protocol": "http",
  11.       "Services": [
  12.         {
  13.           "Name": "*"
  14.         }
  15.       ]
  16.     },
  17.     {
  18.       "Port": 4567,
  19.       "Protocol": "http",
  20.       "Services": [
  21.         {
  22.           "Name": "api",
  23.           "Hosts": ["foo.example.com"]
  24.         },
  25.         {
  26.           "Name": "web",
  27.           "Hosts": ["website.example.com"]
  28.         }
  29.       ]
  30.     }
  31.   ]
  32. }

Consul Enterprise

  1. Kind = "ingress-gateway"
  2. Name = "us-east-ingress"
  3. Namespace = "default"
  5. TLS {
  6.   Enabled = true
  7. }
  9. Listeners = [
  10.   {
  11.     Port     = 8080
  12.     Protocol = "http"
  13.     Services = [
  14.       {
  15.         Namespace = "frontend"
  16.         Name = "*"
  17.       }
  18.     ]
  19.   },
  20.   {
  21.     Port     = 4567
  22.     Protocol = "http"
  23.     Services = [
  24.       {
  25.         Namespace = "frontend"
  26.         Name  = "api"
  27.         Hosts = ["foo.example.com"]
  28.         Partition = "api-team"
  29.       },
  30.       {
  31.         Namespace = "frontend"
  32.         Name  = "web"
  33.         Hosts = ["website.example.com"]
  34.         Partition = "web-team"
  35.       }
  36.     ]
  37.   }
  38. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: IngressGateway
  3. metadata:
  4.   name: us-east-ingress
  5.   namespace: default
  6. spec:
  7.   tls:
  8.     enabled: true
  9.   listeners:
  10.     - port: 8080
  11.       protocol: http
  12.       services:
  13.         - name: '*'
  14.           namespace: frontend
  15.     - port: 4567
  16.       protocol: http
  17.       services:
  18.         - name: api
  19.           namespace: frontend
  20.           hosts: ['foo.example.com']
  21.           partition: api-team
  22.         - name: web
  23.           namespace: frontend
  24.           hosts: ['website.example.com']
  25.           partition: web-team
  1. {
  2.   "Kind": "ingress-gateway",
  3.   "Name": "us-east-ingress",
  4.   "Namespace": "default",
  5.   "TLS": {
  6.     "Enabled": true
  7.   },
  8.   "Listeners": [
  9.     {
  10.       "Port": 8080,
  11.       "Protocol": "http",
  12.       "Services": [
  13.         {
  14.           "Namespace": "frontend",
  15.           "Name": "*"
  16.         }
  17.       ]
  18.     },
  19.     {
  20.       "Port": 4567,
  21.       "Protocol": "http",
  22.       "Services": [
  23.         {
  24.           "Namespace": "frontend",
  25.           "Name": "api",
  26.           "Hosts": ["foo.example.com"],
  27.           "Partition": "api-team"
  28.         },
  29.         {
  30.           "Namespace": "frontend",
  31.           "Name": "web",
  32.           "Hosts": ["website.example.com"],
  33.           "Partition": "web-team"
  34.         }
  35.       ]
  36.     }
  37.   ]
  38. }