-
Notifications
You must be signed in to change notification settings - Fork 318
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
helm:Support for external Ingress controllers #664
Comments
Hi!
Let us know if any of these options may work for you and we can go into more detail. See also https://www.consul.io/docs/k8s/connect/ingress-gateways, https://www.consul.io/docs/connect/gateways/ingress-gateway, https://www.consul.io/docs/k8s/connect/ambassador |
Yeah so using another Ingress controller isn't really an option for us; we're far deeper in the Google Cloud stack than we are Consul, and the GCE Ingress Object works really well for us. Of those 3 options then what we're left with is to front all of our services with another ingress controller, and have the GCE controller route to that; however that kinda defeats the point of the GCE ingress controller. NEGs allow us to get much better performance out of our deployments -- tightly coupling the integration of HTTP(S) load balancing and all of its benefits -- with our backends. Personally I think a much more flexible solution which would enable anyone to bring their own Ingress object should they so choose, would be to drop down some of the functionality of the Ingress into the sidecars. Google can connect to secured backends, which Envoy provides in the form of the sidecar. Creating a policy in Consul which can be bound to the pod with the usual annotations that allows north-south traffic using the usual L4/L7 techniques means we're getting the best of both worlds here |
Do you know if there's a way to tell GCE which client certificate to use for its requests (between GCE and consul sidecars)? Then maybe we could have a process that is requesting a certificate for a service called "ingress-gateway" and supplying/updating that to the GCE controller config. Then you could create an intention from The reason we don't support non TLS traffic into the connect pods is that this would bypass the whole secure service mesh. |
You can't specify which client certificate to use for the HTTPS request from GCE, however thats not to say we couldn't build a strong cryptographic identity around the one we have now (especially if it's an inbound request) The GCE annotations mean that the scheme is enforced, so it should just come down to how to define an intention of some design that allows this traffic |
I talked a bit more with the team. This functionality doesn't exist right now (intention allowing ingress given a certain ca cert) so we'd need to open up an issue in For right now the only solutions I can think of are the ones I listed in my first comment. |
Stop acceptance tests on first failure
Going to close this since we now have general guidance on how to use Consul K8s with Ingress Controllers here: https://www.consul.io/docs/k8s/connect/ingress-controllers. If you have follow up feedback or issues please file a new issue! |
This requires changes in Consul in order to support this type of deployment. We are using hashicorp/consul#10626 to track this feature request. |
For those following along, @blake is correct! The the docs I linked above do not address this feature request, and address the use case where you are using Consul service mesh with ingress proxies that are deployed in-cluster. This GH issue is requesting support for ingress proxies that are external to the cluster, such as a cloud-hosted ingress. We are tracking this in Consul Core via hashicorp/consul#10626 |
I'm not sure if this is a pattern that's already supported, which if it is then the documentation isn't very clear.
I'm running multiple GKE clusters. They all have ingress controllers. They're very good ingress controllers that are very clever at what they do when you're building in Google Cloud.
I'm also running Consul as a Service Mesh. It's a very good service mesh, and I particularly enjoy injecting specific services across resources in a secure, mTLS-ed manner.
I want to leverage the proxy that is injected into these pods to secure the connection between the GCE Ingress controller, and the pods - not exactly an uncommon pattern.
Lets say I have a deployment manifest of an API like so:
deployment.yaml
I can expose this deployment with in a pattern that allows GCE to expose it for all its Layer 7 HTTP(S) magic:
service.yaml
Note the
cloud.google.com/neg
annotation - which means that GKE will create a Google NEG for the deployment, which can then be leveraged by the HTTP(S) Load Balancer (these concepts can get confusing all in I know)I can then create a said HTTP(S) Load Balancer in the form of a GCE Ingress Controller:
ingress.yaml
The issue
How do I go about securing the connection between the GCE LB, and the pods themselves?
The pods have the Consul sidecar attached, and the Envoy proxy.
Service Sync means that I have a first class Kubernetes Service available to reference in the Ingress manifest (it even has the
cloud.google.com/neg
annotation!) but it has no selector and thus no port, so the manifest is incomplete.Any advice on how to put this together, or if I'm barking up the wrong tree entirely. TIA
The text was updated successfully, but these errors were encountered: