Terminating Gateway Configuration Entry

The terminating-gateway config entry kind (TerminatingGateway on Kubernetes) allows you to configure terminating gateways to proxy traffic from services in the Consul service mesh to services registered with Consul that do not have a service mesh sidecar proxy. The configuration is associated with the name of a gateway service and will apply to all instances of the gateway with that name.

Configuration entries are global in scope. A configuration entry for a gateway name applies across all federated Consul datacenters. If terminating gateways in different Consul datacenters need to route to different sets of services within their datacenter then the terminating gateways must be registered with different names.

See Terminating Gateway for more information.

TLS Origination

By specifying a path to a CA file connections from the terminating gateway will be encrypted using one-way TLS authentication. If a path to a client certificate and private key are also specified connections from the terminating gateway will be encrypted using mutual TLS authentication.

Setting the SNI field is strongly recommended when enabling TLS to a service. If this field is not set, Consul will not attempt to verify the Subject Alternative Name fields in the service’s certificate.

If none of these are provided, Consul will only encrypt connections to the gateway and not from the gateway to the destination service.

Wildcard service specification

Terminating gateways can optionally target all services within a Consul namespace by specifying a wildcard “*“ as the service name. Configuration options set on the wildcard act as defaults that can be overridden by options set on a specific service name.

Note that if the wildcard specifier is used, and some services in that namespace have a service mesh sidecar proxy, traffic from the mesh to those services will be evenly load-balanced between the gateway and their sidecars.

Sample Config Entries

Access an external service

Link gateway named “us-west-gateway” with the billing service.

Connections to the external service will be unencrypted.

  1. Kind = "terminating-gateway"
  2. Name = "us-west-gateway"
  4. Services = [
  5.   {
  6.     Name = "billing"
  7.   }
  8. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: TerminatingGateway
  3. metadata:
  4.   name: us-west-gateway
  5. spec:
  6.   services:
  7.     - name: billing
  1. {
  2.   "Kind": "terminating-gateway",
  3.   "Name": "us-west-gateway",
  4.   "Services": [
  5.     {
  6.       "Name": "billing"
  7.     }
  8.   ]
  9. }

Link gateway named “us-west-gateway” in the default namespace with the billing service in the finance namespace.

Connections to the external service will be unencrypted.

  1. Kind = "terminating-gateway"
  2. Name = "us-west-gateway"
  3. Namespace = "default"
  5. Services = [
  6.   {
  7.     Namespace = "finance"
  8.     Name      = "billing"
  9.   }
  10. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: TerminatingGateway
  3. metadata:
  4.   name: us-west-gateway
  5. spec:
  6.   services:
  7.     - name: billing
  8.       namespace: finance
  1. {
  2.   "Kind": "terminating-gateway",
  3.   "Name": "us-west-gateway",
  4.   "Namespace": "default",
  5.   "Services": [
  6.     {
  7.       "Namespace": "finance",
  8.       "Name": "billing"
  9.     }
  10.   ]
  11. }

Access an external service over TLS

Link gateway named “us-west-gateway” with the billing service, and specify a CA file to be used for one-way TLS authentication.

Note: When not using destinations in transparent proxy mode, you must specify the CAFile parameter and point to a valid CA bundle in order to properly initiate a TLS connection to the destination service. For more information about configuring a gateway for destinations, refer to Register an External Service as a Destination.

  1. Kind = "terminating-gateway"
  2. Name = "us-west-gateway"
  4. Services = [
  5.   {
  6.     Name   = "billing"
  7.     CAFile = "/etc/certs/ca-chain.cert.pem"
  8.     SNI    = "billing.service.com"
  9.   }
  10. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: TerminatingGateway
  3. metadata:
  4.   name: us-west-gateway
  5. spec:
  6.   services:
  7.     - name: billing
  8.       caFile: /etc/certs/ca-chain.cert.pem
  9.       sni: billing.service.com
  1. {
  2.   "Kind": "terminating-gateway",
  3.   "Name": "us-west-gateway",
  4.   "Services": [
  5.     {
  6.       "Name": "billing",
  7.       "CAFile": "/etc/certs/ca-chain.cert.pem"
  8.       "SNI": "billing.service.com"
  9.     }
  10.   ]
  11. }

Link gateway named “us-west-gateway” in the default namespace with the billing service in the finance namespace, and specify a CA file to be used for one-way TLS authentication.

Note: The CAFile parameter must be specified and point to a valid CA bundle in order to properly initiate a TLS connection to the destination service.

  1. Kind = "terminating-gateway"
  2. Name = "us-west-gateway"
  3. Namespace = "default"
  5. Services = [
  6.   {
  7.     Namespace = "finance"
  8.     Name      = "billing"
  9.     CAFile    = "/etc/certs/ca-chain.cert.pem"
  10.     SNI       = "billing.service.com"
  11.   }
  12. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: TerminatingGateway
  3. metadata:
  4.   name: us-west-gateway
  5. spec:
  6.   services:
  7.     - name: billing
  8.       namespace: finance
  9.       caFile: /etc/certs/ca-chain.cert.pem
  10.       sni: billing.service.com
  1. {
  2.   "Kind": "terminating-gateway",
  3.   "Name": "us-west-gateway",
  4.   "Namespace": "default",
  5.   "Services": [
  6.     {
  7.       "Namespace": "finance",
  8.       "Name": "billing",
  9.       "CAFile": "/etc/certs/ca-chain.cert.pem",
  10.       "SNI": "billing.service.com"
  11.     }
  12.   ]
  13. }

Access an external service over mutual TLS

Link gateway named “us-west-gateway” with the billing service, and specify a CA file, key file, and cert file to be used for mutual TLS authentication.

Note: The CAFile parameter must be specified and point to a valid CA bundle in order to properly initiate a TLS connection to the destination service.

  1. Kind = "terminating-gateway"
  2. Name = "us-west-gateway"
  4. Services = [
  5.   {
  6.     Name     = "billing"
  7.     CAFile   = "/etc/certs/ca-chain.cert.pem"
  8.     KeyFile  = "/etc/certs/gateway.key.pem"
  9.     CertFile = "/etc/certs/gateway.cert.pem"
  10.     SNI      = "billing.service.com"
  11.   }
  12. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: TerminatingGateway
  3. metadata:
  4.   name: us-west-gateway
  5. spec:
  6.   services:
  7.     - name: billing
  8.       caFile: /etc/certs/ca-chain.cert.pem
  9.       keyFile: /etc/certs/gateway.key.pem
  10.       certFile: /etc/certs/gateway.cert.pem
  11.       sni: billing.service.com
  1. {
  2.   "Kind": "terminating-gateway",
  3.   "Name": "us-west-gateway",
  4.   "Services": [
  5.     {
  6.       "Name": "billing",
  7.       "CAFile": "/etc/certs/ca-chain.cert.pem",
  8.       "KeyFile": "/etc/certs/gateway.key.pem",
  9.       "CertFile": "/etc/certs/gateway.cert.pem",
  10.       "SNI": "billing.service.com"
  11.     }
  12.   ]
  13. }

Link gateway named “us-west-gateway” in the default namespace with the billing service in the finance namespace. Also specify a CA file, key file, and cert file to be used for mutual TLS authentication.

Note: The CAFile parameter must be specified and point to a valid CA bundle in order to properly initiate a TLS connection to the destination service.

  1. Kind = "terminating-gateway"
  2. Name = "us-west-gateway"
  3. Namespace = "default"
  5. Services = [
  6.   {
  7.     Namespace = "finance"
  8.     Name      = "billing"
  9.     CAFile    = "/etc/certs/ca-chain.cert.pem"
  10.     KeyFile   = "/etc/certs/gateway.key.pem"
  11.     CertFile  = "/etc/certs/gateway.cert.pem"
  12.     SNI       = "billing.service.com"
  13.   }
  14. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: TerminatingGateway
  3. metadata:
  4.   name: us-west-gateway
  5. spec:
  6.   services:
  7.     - name: billing
  8.       namespace: finance
  9.       caFile: /etc/certs/ca-chain.cert.pem
  10.       keyFile: /etc/certs/gateway.key.pem
  11.       certFile: /etc/certs/gateway.cert.pem
  12.       sni: billing.service.com
  1. {
  2.   "Kind": "terminating-gateway",
  3.   "Name": "us-west-gateway",
  4.   "Namespace": "default",
  5.   "Services": [
  6.     {
  7.       "Namespace": "finance",
  8.       "Name": "billing",
  9.       "CAFile": "/etc/certs/ca-chain.cert.pem",
  10.       "KeyFile": "/etc/certs/gateway.key.pem",
  11.       "CertFile": "/etc/certs/gateway.cert.pem",
  12.       "SNI": "billing.service.com"
  13.     }
  14.   ]
  15. }

Override connection parameters for a specific service

Link gateway named “us-west-gateway” with all services in the datacenter, and configure default certificates for mutual TLS.

Override the SNI and CA file used for connections to the billing service.

  1. Kind = "terminating-gateway"
  2. Name = "us-west-gateway"
  4. Services = [
  5.   {
  6.     Name      = "*"
  7.     CAFile    = "/etc/common-certs/ca-chain.cert.pem"
  8.     KeyFile   = "/etc/common-certs/gateway.key.pem"
  9.     CertFile  = "/etc/common-certs/gateway.cert.pem"
  10.   },
  11.   {
  12.     Name      = "billing"
  13.     CAFile    = "/etc/billing-ca/ca-chain.cert.pem"
  14.     SNI       =  "billing.service.com"
  15.   }
  16. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: TerminatingGateway
  3. metadata:
  4.   name: us-west-gateway
  5. spec:
  6.   services:
  7.     - name: '*'
  8.       caFile: /etc/common-certs/ca-chain.cert.pem
  9.       keyFile: /etc/common-certs/gateway.key.pem
  10.       certFile: /etc/common-certs/gateway.cert.pem
  11.     - name: billing
  12.       caFile: /etc/billing-ca/ca-chain.cert.pem
  13.       sni: billing.service.com
  1. {
  2.   "Kind": "terminating-gateway",
  3.   "Name": "us-west-gateway",
  4.   "Services": [
  5.     {
  6.       "Name": "*",
  7.       "CAFile": "/etc/common-certs/ca-chain.cert.pem",
  8.       "KeyFile": "/etc/common-certs/gateway.key.pem",
  9.       "CertFile": "/etc/common-certs/gateway.cert.pem"
  10.     },
  11.     {
  12.       "Name": "billing",
  13.       "CAFile": "/etc/billing-ca/ca-chain.cert.pem",
  14.       "SNI": "billing.service.com"
  15.     }
  16.   ]
  17. }

Link gateway named “us-west-gateway” in the default namespace with all services in the finance namespace, and configure default certificates for mutual TLS.

Override the SNI and CA file used for connections to the billing service:

  1. Kind = "terminating-gateway"
  2. Name = "us-west-gateway"
  3. Namespace = "default"
  5. Services = [
  6.   {
  7.     Namespace = "finance"
  8.     Name      = "*"
  9.     CAFile    = "/etc/common-certs/ca-chain.cert.pem"
  10.     KeyFile   = "/etc/common-certs/gateway.key.pem"
  11.     CertFile  = "/etc/common-certs/gateway.cert.pem"
  12.   },
  13.   {
  14.     Namespace = "finance"
  15.     Name      = "billing"
  16.     CAFile    = "/etc/billing-ca/ca-chain.cert.pem"
  17.     SNI       =  "billing.service.com"
  18.   }
  19. ]
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: TerminatingGateway
  3. metadata:
  4.   name: us-west-gateway
  5. spec:
  6.   services:
  7.     - name: '*'
  8.       namespace: finance
  9.       caFile: /etc/common-certs/ca-chain.cert.pem
  10.       keyFile: /etc/common-certs/gateway.key.pem
  11.       certFile: /etc/common-certs/gateway.cert.pem
  12.     - name: billing
  13.       namespace: finance
  14.       caFile: /etc/billing-ca/ca-chain.cert.pem
  15.       sni: billing.service.com
  1. {
  2.   "Kind": "terminating-gateway",
  3.   "Name": "us-west-gateway",
  4.   "Namespace": "default",
  5.   "Services": [
  6.     {
  7.       "Namespace": "finance",
  8.       "Name": "*",
  9.       "CAFile": "/etc/common-certs/ca-chain.cert.pem",
  10.       "KeyFile": "/etc/common-certs/gateway.key.pem",
  11.       "CertFile": "/etc/common-certs/gateway.cert.pem"
  12.     },
  13.     {
  14.       "Namespace": "finance",
  15.       "Name": "billing",
  16.       "CAFile": "/etc/billing-ca/ca-chain.cert.pem",
  17.       "SNI": "billing.service.com"
  18.     }
  19.   ]
  20. }

Available Fields

  • Kind - Must be set to terminating-gateway

  • Name (string: <required>) - Set to the name of the gateway being configured.

  • Namespace (string: "default")Enterprise - Specifies the namespace to which the configuration entry will apply. This must match the namespace in which the gateway is registered. If omitted, the namespace will be inherited from the request or will default to the default namespace.

  • Partition (string: "default")Enterprise - Specifies the admin partition to which the configuration entry will apply. This must match the partition in which the gateway is registered. If omitted, the partition will be inherited from the request or will default to the default partition.

  • Meta (map<string|string>: nil) - Specifies arbitrary KV metadata pairs. Added in Consul 1.8.4.

  • Services (array<LinkedService>: <optional>) - A list of services or destinations to link with the gateway. The gateway will proxy traffic to these services. These linked services must be registered with Consul for the gateway to discover their addresses. They must also be registered in the same Consul datacenter as the terminating gateway. Destinations are an exception to this requirement, and only need to be defined as a service-defaults configuration entry in the same datacenter. If Consul ACLs are enabled, the Terminating Gateway’s ACL token must grant service:write for all linked services.

    • Name (string: "") - The name of the service to link with the gateway. If the wildcard specifier, *, is provided, then ALL services within the namespace will be linked with the gateway.

    • Namespace (string: "")Enterprise - The namespace of the service. If omitted, the namespace will be inherited from the config entry.

    • CAFile (string: "") - A file path to a PEM-encoded certificate authority. The file must be present on the proxy’s filesystem. The certificate authority is used to verify the authenticity of the service linked with the gateway. It can be provided along with a CertFile and KeyFile for mutual TLS authentication, or on its own for one-way TLS authentication. If none is provided the gateway will not encrypt the traffic to the destination.

    • CertFile (string: "") - A file path to a PEM-encoded certificate. The file must be present on the proxy’s filesystem. The certificate is provided servers to verify the gateway’s authenticity. It must be provided if a KeyFile was specified.

    • KeyFile (string: "") - A file path to a PEM-encoded private key. The file must be present on the proxy’s filesystem. The key is used with the certificate to verify the gateway’s authenticity. It must be provided along if a CertFile was specified.

    • SNI (string: "") - An optional hostname or domain name to specify during the TLS handshake. This option will also configure strict SAN matching, which requires the external services to have certificates with SANs, not having which will result in CERTIFICATE_VERIFY_FAILED error.

  • apiVersion - Must be set to consul.hashicorp.com/v1alpha1

  • kind - Must be set to TerminatingGateway

  • metadata

  • spec

    • services (array<LinkedService>: <optional>) - A list of services or destinations to link with the gateway. The gateway will proxy traffic to these services. These linked services must be registered with Consul for the gateway to discover their addresses. They must also be registered in the same Consul datacenter as the terminating gateway. Destinations are an exception to this requirement, and only need to be defined as a service-defaults configuration entry in the same datacenter. If Consul ACLs are enabled, the Terminating Gateway’s ACL token must grant service:write for all linked services.

      • name (string: "") - The name of the service to link with the gateway. If the wildcard specifier, *, is provided, then ALL services within the namespace will be linked with the gateway.

      • namespace (string: "")Enterprise - The namespace of the service. If omitted, the namespace will be inherited from the config entry.

      • caFile (string: "") - A file path to a PEM-encoded certificate authority. The file must be present on the proxy’s filesystem. The certificate authority is used to verify the authenticity of the service linked with the gateway. It can be provided along with a CertFile and KeyFile for mutual TLS authentication, or on its own for one-way TLS authentication. If none is provided the gateway will not encrypt the traffic to the destination.

      • certFile (string: "") - A file path to a PEM-encoded certificate. The file must be present on the proxy’s filesystem. The certificate is provided servers to verify the gateway’s authenticity. It must be provided if a keyFile was specified.

      • keyFile (string: "") - A file path to a PEM-encoded private key. The file must be present on the proxy’s filesystem. The key is used with the certificate to verify the gateway’s authenticity. It must be provided along if a certFile was specified.

      • sni (string: "") - An optional hostname or domain name to specify during the TLS handshake. This option will also configure strict SAN matching, which requires the external services to have certificates with SANs, not having which will result in CERTIFICATE_VERIFY_FAILED error.

ACLs

Configuration entries may be protected by ACLs.

Reading a terminating-gateway config entry requires service:read on the Name field of the config entry.

Creating, updating, or deleting a terminating-gateway config entry requires operator:write.