Integrate Consul with Ambassador Edge Stack on Kubernetes
This tutorial was contributed by Ambassador.
Ambassador Edge Stack (AES) is an API gateway that serves as an ingress controller into your Kubernetes cluster. AES offers a comprehensive set of security functionality, supports a broad range of protocols, and supports progressive releases with modern traffic management.
You can use Consul with AES for service discovery and end-to-end TLS, including mTLS between services. This capability is particularly useful when deploying AES in hybrid clouds, where applications are deployed on VMs and Kubernetes. In this environment, AES can securely route over TLS to any application regardless of where it is deployed.
In this tutorial, you will register a service with Consul and use AES to dynamically route requests to that service based on Consul's service discovery catalog.
Prerequisites
Before you start, you will need the following.
- kubectl v1.21+
- Helm v3.5.4+
- An active Kubernetes Cluster
- Properly configured permissions depending on your platform
Note
You may use Minikube with the VirtualBox driver in this tutorial. However, be aware that this deployment is intended for a public cloud environment. If you decide to use Minikube then ensure you are starting Minikube with sufficient resources minikube start --driver=virtualbox --cpus 4 --memory 6000MB
Install Ambassador
Install AES with the Ambassador Helm chart. You can reference the Ambassador quickstart for detailed installation instructions and options.
Add the Ambassador repository with Helm.
Next, create a namespace for Ambassador and install the Helm chart.
Verify the deployment is successful by retrieving the Ambassador services information.
Deploy Consul
You can deploy a complete Consul datacenter using the official Consul Helm chart or the Consul K8S CLI. Feel free to review the Consul Kubernetes installation documentation to learn more about these installation options.
Create a custom values file
Create a file named consul-values.yaml
and copy in the following Consul installation values.
Install Consul in your cluster
You can now deploy a complete Consul datacenter in your Kubernetes cluster using the official Consul Helm chart or the Consul K8S CLI.
Check that Consul is running in your Kubernetes cluster using kubectl
. Consul
setup is complete when all pods have a status of Running
, as illustrated in the
following output.
Configure Ambassador Edge Stack
You must have the AES quickstart completed or properly installed AES for this section to work.
The ConsulResolver allows services to register with Consul, it is opt-in and
must be configured. For each Mapping you want to use with the ConsulResolver,
you will apply the resolver: consul-dc1
value. If the ConsulResolver is not
specified, the default resolver will be used.
Enable AES to discover services registered to Consul by creating the Consul Resolver. Copy the configuration values below into a new YAML file named consul-resolver.yaml
and apply them with kubectl
.
Register an application with Consul
To test AES's routing functionality, register a demo application with Consul. AES will use the endpoint data from Consul once the service is registered.
Define and deploy the demo application
Create a specification that will register the quote pod as a Consul service with the name quote-consul
.
The quote application contains code to automatically register itself with Consul,
with the CONSUL_IP
and POD_IP
environment variables specified within the
quote container spec.
Note, the SERVICE_NAME
environment variable in the quote deployment specifies the service name for Consul. The default value is set to
quote-consul
, so you only need to include it if you want to change the service
name.
Deploy the demo application in Kubernetes. Note that in practice this application can be deployed anywhere in your data center (e.g., on VMs).
Verify success
Verify the quote pod is registered with Consul. You can verify the quote pod is registered correctly by accessing the Consul UI.
Navigate to http://localhost:8500/
from a web browser, the service
named quote-consul
should be displayed.
Route to Consul services
Now that you have a demo application registered with Consul, you can configure AES to route traffic to it.
Create the Mapping for Quote-Consul
Copy the following configuration values into a new YAML file.
Install the Mapping to your cluster with kubectl
.
Verify success
Add the Ambassador IP as an environment variable.
Note
If using Minikube, be aware that this deployment uses the Kubernetes resource type LoadBalancer. To circumvent this limitation and expose an external IP address in Minikube, you may follow the steps suggested in this StackOverflow post. You may also use the command minikube tunnel
as an alternative. If you choose to use minikube tunnel
then issue the command in a different shell session.
Send a request to the quote-consul
API with curl. Replace $AMBASSADOR_LB_ENDPOINT
with your Ambassador IP.
The response demonstrates that you are successfully routing traffic to the quote application, the location of which is registered in Consul.
Encrypt traffic with the Consul connector
AES can use certificates stored in Consul to originate encrypted TLS connections from AES to services in the Consul service mesh. This requires the use of the AES Consul connector.
The AES Consul connector retrieves the TLS certificate issued by the Consul CA and stores it in a Kubernetes secret for AES to use. The AES Consul Connector will install the following into your cluster:
- RBAC resources
- the Consul connector service
- a TLSContext named
ambassador-consul
to load theambassador-consul-connect
secret into Ambassador Edge Stack
Deploy the Ambassador Edge Stack Consul connector
Deploy Ambassador Edge Stack Consul connector with the following command.
Deploy another demo application
Deploy a new version of the demo application and configure it to inject the
Consul sidecar proxy by setting consul.hashicorp.com/connect-inject
to true
.
Copy the following configuration values into a new YAML file.
Annotations attach metadata to Kubernetes objects. You can use annotations to link external information to objects, working in a similar, yet different, fashion to labels. For more information on annotations, you can check out this article, or get started with annotations in your own cluster here.
Apply the demo application to your cluster with kubectl
This will deploy a demo application called quote-connect
with the Consul service
mesh sidecar proxy. The sidecar proxy will register the application with Consul,
require TLS to access the application, and expose other Consul service segmentation features.
Verify success
Verify the quote-connect
application is registered in Consul by accessing the Consul UI on http://localhost:8500/
after configuring port forwarding.
The quote
service should be displayed in the Consul UI. It gets its name from the
container’s name property we defined in the YAML above.
Create the Mapping for Consul service mesh
Create a Mapping to route to the quote
service in Consul.
Apply the mapping to your cluster.
Verify success
Send a request to the /quote-connect/
API. Replace $AMBASSADOR_LB_ENDPOINT
with your Ambassador IP, if you didn't set the environment variable through the AES quickstart.
The response demonstrates that you are securely routing traffic to the quote application through the Consul service mesh sidecar proxy.
Clean-up
You can remove all deployed resources by issuing the command below.
Next steps
In this tutorial you configured AES to route traffic to a service registered with Consul.
To learn more about Ambassador Edge Stack's use cases and features, review the Ambassador site. You can learn more about other load balancer integrations with Consul by visiting the LoadBalancer collection