Ensure you have the latest consul-helm chart and install Consul via helm using the following guide, being sure to provide the yaml configuration as previously discussed.
You can access the Consul server directly from your host via kubectl port-forward. This is helpful for interacting with your Consul UI locally as well as for validating connectivity of the application.
Note: Normal Consul services are registered with the Consul client on the node that they're running on. Since this is an external service, there is no Consul node to register it onto. Instead, we will make up a node name and register the service to that node.
Create a sample external service and register it with Consul.
"Address": "example.com" is the address of our node. Services registered to that node will use this address if their own address isn't specified. If you're registering multiple external services, ensure you use different node names with different addresses or set the Service.Address key.
"Service": { "Address": "example.com" ... } is the address of our service. In this example this doesn't need to be set since the address of the node is the same, but if there were two services registered to that same node then this should be set.
Register the external service with Consul:
$ curl --request PUT --data @external.json --insecure $CONSUL_HTTP_ADDR/v1/catalog/register
If ACLs and TLS are enabled:
$ curl --request PUT --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" --data @external.json --insecure $CONSUL_HTTP_ADDR/v1/catalog/register
Update terminating gateway ACL role if ACLs are enabled
If ACLs are enabled, update the terminating gateway ACL role to have service:write permissions on all of the services being represented by the gateway:
Create a new policy that includes these permissions
Update the existing role to include the new policy
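The registration payload and the gateway policy described above, as an added example that is not part of the Consul documentation: it builds the catalog/register body for an invented node (showing when Service.Address must be set), renders the service:write ACL rules for the terminating gateway, and PUTs the registration. The node name, service names, ports and the CONSUL_CACERT variable are assumptions; the register function verifies the server certificate against that CA instead of skipping verification.

```python
"""Added example: external service registration and terminating gateway ACL policy for Consul."""
import json
import os
import ssl
import urllib.request


def external_service_registration(node, node_address, service, port, service_address=None):
    """Build a /v1/catalog/register body for a service running outside the cluster.

    The node is made up (no Consul agent runs there). Services on that node inherit the
    node Address unless Service.Address is set, so when several external services share
    one node name, pass service_address for each of them.
    """
    body = {"Node": node, "Address": node_address,
            "Service": {"ID": service, "Service": service, "Port": port}}
    if service_address is not None:
        body["Service"]["Address"] = service_address
    return body


def terminating_gateway_policy(services):
    """Return Consul ACL policy rules (HCL) granting service:write on each external
    service the terminating gateway represents."""
    return "\n".join(f'service "{name}" {{\n  policy = "write"\n}}' for name in services)


def register(body, consul_http_addr, token=None, ca_file=None):
    """PUT the registration to Consul. With TLS, ca_file (e.g. CONSUL_CACERT) verifies
    the server certificate rather than disabling verification. Returns True on success
    (the endpoint answers with the JSON literal true)."""
    req = urllib.request.Request(f"{consul_http_addr}/v1/catalog/register",
                                 data=json.dumps(body).encode(), method="PUT",
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Consul-Token", token)  # needed when ACLs are enabled
    ctx = ssl.create_default_context(cafile=ca_file) if ca_file else None
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read()) is True


if __name__ == "__main__":
    # Constructed sample values: one external HTTPS service on a made-up node.
    payload = external_service_registration("example-external-node", "example.com", "example-https", 443)
    print(json.dumps(payload, indent=2))
    print(terminating_gateway_policy(["example-https"]))
    addr = os.environ.get("CONSUL_HTTP_ADDR")
    if addr:  # only contact Consul when the standard env var is set
        print(register(payload, addr, os.environ.get("CONSUL_HTTP_TOKEN"), os.environ.get("CONSUL_CACERT")))
```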
If TLS is enabled, you must include the caFile parameter that points to the system trust store of the terminating gateway container. By default, the trust store is located at /etc/ssl/certs/ca-certificates.crt.
Configure the caFile parameter to point to /etc/ssl/cert.pem instead if TLS is enabled and you are using one of the following components:
Consul Helm chart 0.43 or older
Or an Envoy image with an alpine base image
Apply the TerminatingGateway resource with kubectl apply:
Apply the ServiceIntentions resource with kubectl apply:
$ kubectl apply --filename service-intentions.yaml
Define the external services as upstreams for services in the mesh
Finally, define and deploy the external services as upstreams for the internal mesh services that wish to talk to them.
An example deployment is provided which will serve as a static client for the terminating gateway service.