gateway Block
Placement | job -> group -> service -> connect -> gateway |
The gateway
block allows configuration of Consul Connect
Gateways. Nomad will automatically create the
necessary Gateway Configuration Entry as
well as inject an Envoy proxy task into the Nomad job to serve as the Gateway.
The gateway
configuration is valid within the context of a connect
block.
Additional information about Gateway configurations can be found in Consul's
Connect Gateways documentation.
Note: Ingress Gateways are generally intended for enabling access into a Consul service mesh from within the same network. For public ingress products like NGINX provide more suitable features.
gateway
Parameters
Exactly one of ingress
, terminating
, or mesh
must be configured.
proxy
(proxy: nil)
- Configuration of the Envoy proxy that will be injected into the task group.ingress
(ingress: nil)
- Configuration Entry of typeingress-gateway
that will be associated with the service.terminating
(terminating: nil)
- Configuration Entry of typeterminating-gateway
that will be associated with the service.mesh
(mesh: nil)
- Indicates a mesh gateway will be associated with the service.
proxy
Parameters
connect_timeout
(string: "5s")
- The amount of time to allow when making upstream connections before timing out. Defaults to 5 seconds. If the upstream service has the configuration optionconnect_timeout_ms
set for theservice-resolver
, that timeout value will take precedence over this gateway proxy option.envoy_gateway_bind_tagged_addresses
(bool: false)
- Indicates that the gateway services tagged addresses should be bound to listeners in addition to the default listener address.envoy_gateway_bind_addresses
(map<string|address>: nil)
- A map of additional addresses to be bound. The keys to this map are the same of the listeners to be created and the values are a map with two keys - address and port, that combined make the address to bind the listener to. These are bound in addition to the default address. Ifbridge
networking is in use, this map is automatically populated with additional listeners enabling the Envoy proxy to work from inside the network namespace.
envoy_gateway_no_default_bind
(bool: false)
- Prevents binding to the default address of the gateway service. This should be used with one of the other options to configure the gateway's bind addresses. Ifbridge
networking is in use, this value will default totrue
since the Envoy proxy does not need to bind to the service address from inside the network namespace.envoy_dns_discovery_type
(string: optional)
- Determintes how Envoy will resolve hostnames. Defaults toLOGICAL_DNS
. Must be one ofSTRICT_DNS
orLOGICAL_DNS
. Details for each type are available in the Envoy Documentation. This option applies to terminating gateways that route to services addressed by a hostname.config
(map: nil)
- Escape hatch for Advanced Configuration of Envoy. Keys and values support runtime variable interpolation.
address
Parameters
address
(string: required)
- The address to bind to when combined withport
.port
(int: required)
- The port to listen to.
ingress
Parameters
listener
(array<listener> : required)
- One or more listeners that the ingress gateway should setup, uniquely identified by their port number.
listener
Parameters
port
(int: required)
- The port that the listener should receive traffic on.protocol
(string: "tcp")
- The protocol associated with the listener. One oftcp
,http
,http2
, orgrpc
.Note: If using any protocol other than
tcp
(for example:http
orgrpc
), preconfiguring a service-default in Consul to set the Protocol of the service to the desired protocol is mandatory due to an open issue.service
(array<listener-service>: required)
- One or more services to be exposed via this listener. Fortcp
listeners, only a single service is allowed.
Listener service
Parameters
The service
blocks for a listener under an ingress
gateway accept the
following parameters. Note these are different than the service
blocks under a
terminating
gateway.
name
(string: required)
- The name of the service that should be exposed through this listener. This can be either a service registered in the catalog, or a service defined by other config entries, or a service that is going to be configured by Nomad. If the wildcard specifier*
is provided, then ALL services will be exposed through this listener. This is not supported for a listener with protocoltcp
.hosts
(array<string>: nil)
- A list of hosts that specify what requests will match this service. This cannot be used with atcp
listener, and cannot be specified alongside a wildcard (*
) service name. If not specified, the default domain<service-name>.ingress.*
will be used to match services. Requests must send the correct host to be routed to the defined service.The wildcard specifier
*
can be used by itself to match all traffic coming to the ingress gateway, if TLS is not enabled. This allows a user to route all traffic to a single service without specifying a host, allowing simpler tests and demos. Otherwise, the wildcard specifier can be used as part of the host to match multiple hosts, but only in the leftmost DNS label. This ensures that all defined hosts are valid DNS records. For example,*.example.com
is valid whileexample.*
and*-suffix.example.com
are not.request_headers
([header modifiers]: <optional>)
- A set of HTTP-specific header modification rules that will be applied to requests routed to this service. This cannot be used with a tcp listener.response_headers
([header modifiers]: <optional>)
- A set of HTTP-specific header modification rules that will be applied to responses from this service. This cannot be used with a tcp listener.max_concurrent_requests
(int: <optional>)
- Specifies the maximum number of concurrent HTTP/2 traffic requests that are allowed at a single point in time. If unset, will default to the Envoy proxy's default.max_connections
(int: <optional>)
- Specifies the maximum number of HTTP/1.1 connections a service instance is allowed to establish against the upstream. If unset, will default to the Envoy proxy's default.max_pending_requests
(int: <optional>)
- Specifies the maximum number of requests that are allowed to queue while waiting to establish a connection. If unset, will default to the Envoy proxy's default.
Header modifier parameters
The request_headers
and response_headers
blocks of an ingress.service
block accept the following parameters. For more details, see the Consul
documentation.
add
(map<string|string>: optional)
- A set of key-value pairs to add to the headers, where header names are keys and header values are the values. Header names are not case-sensitive. If header values with the same name already exist, the value is appended and Consul applies both headers.set
(map<string|string>: optional)
- A set of key-value pairs to add to the response header or to replace existing header values with. Use header names as the keys. Header names are not case-sensitive. If header values with the same names already exist, Consul replaces the header values.remove
array(string): optional
- Defines a list of headers to remove. Consul removes only headers containing exact matches. Header names are not case-sensitive.
tls
Parameters
enabled
(bool: false)
- Set this configuration to enable TLS for every listener on the gateway. If TLS is enabled, then each host defined in thehost
field will be added as a DNSSAN to the gateway's x509 certificate.cipher_suites
(array<string>: optional)
- Set the default list of TLS cipher suites for the gateway's listeners. Refer toCipherSuites
in the Consul documentation for the supported cipher suites.sds
(block: optional)
- Defines a set of parameters that configures the listener to load TLS certificates from an external Secret Discovery Service (SDS).cluster_name
(string)
- The SDS cluster name to connect to to retrieve certificates.cert_resource
(string)
- The SDS resource name to request when fetching the certificate from the SDS service.
tls_max_version
(string: optional)
- Set the default maximum TLS version supported by the gateway. Refer toTLSMaxVersion
in the Consul documentation for supported versions.tls_min_version
(string: optional)
- Set the default minimum TLS version supported by the gateway. Refer toTLSMinVersion
in the Consul documentation for supported versions.
terminating
Parameters
service
(array<linked-service>: required)
- One or more services to be linked with the gateway. The gateway will proxy traffic to these services. These linked services must be registered with Consul for the gateway to discover their addresses. They must also be registered in the same Consul datacenter as the terminating gateway.
linked service
Parameters
The service
blocks for a terminating
gateway accept the following
parameters. Note these are different than the service
blocks for listeners
under an ingress
gateway.
name
(string: required)
- The name of the service to link with the gateway. If the wildcard specifier*
is provided, then ALL services within the Consul namespace wil lbe linked with the gateway.ca_file
(string: <optional>)
- A file path to a PEM-encoded certificate authority. The file must be accessible by the gateway task. The certificate authority is used to verify the authenticity of the service linked with the gateway. It can be provided along with acert_file
andkey_file
for mutual TLS authentication, or on its own for one-way TLS authentication. If none is provided the gateway will not encrypt traffic to the destination.cert_file
(string: <optional>)
- A file path to a PEM-encoded certificate. The file must be accessible by the gateway task. The certificate is provided to servers to verify the gateway's authenticity. It must be provided if akey_file
is provided.key_file
(string: <optional>)
- A file path to a PEM-encoded private key. The file must be accessible by the gateway task. The key is used with the certificate to verify the gateway's authenticity. It must be provided if acert_file
is provided.sni
(string: <optional>)
- An optional hostname or domain name to specify during the TLS handshake.
mesh
Parameters
The mesh
block currently does not have any configurable parameters.
Note: If using the Mesh Gateway for WAN Federation,
the additional piece of service metadata {"consul-wan-federation":"1"}
must
be applied. This can be done with the service meta
parameter.
Gateway with host networking
Nomad supports running gateways using host networking. A static port must be allocated for use by the Envoy admin interface and assigned to the proxy service definition.
Warning: There is no way to disable the Envoy admin interface, which will be accessible to any workload running on the same Nomad client. The admin interface exposes information about the proxy, including a Consul Service Identity token if Consul ACLs are enabled.
Specify Envoy image
The Docker image used for Connect gateway tasks defaults to the official Envoy
Docker image, docker.io/envoyproxy/envoy:v${NOMAD_envoy_version}
, where ${NOMAD_envoy_version}
is resolved automatically by a query to Consul. The image to use can be configured
by setting meta.connect.gateway_image
in the Nomad job. Custom images can still
make use of the envoy version interpolation, e.g.
Custom gateway task
The task created for the gateway can be configured manually using the
sidecar_task
block.
Examples
ingress gateway
terminating gateway
mesh gateway
Mesh gateways are useful when Connect services need to make cross-datacenter
requests where not all nodes in each datacenter have full connectivity. This example
demonstrates using mesh gateways to enable making requests between datacenters
one
and two
, where each mesh gateway will bind to the public
host network
configured on at least one Nomad client in each datacenter.
Job running where Nomad and Consul are in datacenter one
.
Job running where Nomad and Consul are in datacenter two
.