
Custom SSL Certificates for Ingress Gateways

Open nicholasjackson opened this issue 4 years ago • 5 comments

Feature Description

I would like to be able to secure ingress gateways using my own TLS certificates to be able to provide a valid certificate for the domain to which my application is exposed.

At present the IngressGateway can be configured to enable TLS for public listeners, however, this uses a certificate issued by Consul.

https://www.consul.io/docs/connect/config-entries/ingress-gateway#tls

I would like to be able to provide my own certificate, for example using LetsEncrypt for my custom domain. Ideally, this feature would work in combination with the Helm chart to automatically integrate with cert-manager for ease of use.

nicholasjackson, Feb 10 '21 18:02

I have the same issue. You might be interested in these alternative solutions:

  • https://doc.traefik.io/traefik/routing/providers/consul-catalog/
  • https://discuss.hashicorp.com/t/recommended-way-to-use-lets-encrypt-certificates-with-consul-ingress-gateways/18187

gdbelvin, Feb 15 '21 12:02

Hi everyone, closing this issue as this is now addressed via the new Consul API Gateway that was released as beta today. The docs can be found here: https://www.consul.io/docs/api-gateway and a learn guide is posted here: https://learn.hashicorp.com/tutorials/consul/kubernetes-api-gateway

david-yu, Jan 28 '22 23:01

Closed early, but it looks like for folks that do want a solution on VMs, this issue is still valid.

david-yu, Jan 28 '22 23:01

Also would like to come at this from a Nomad context. This ingress works great, but it would be lovely if that cert could come from somewhere else, including Vault. Just some workflow to be able to load in some other cert would be grand.

Edit: is this SDS implementation applicable? https://www.consul.io/docs/connect/gateways/ingress-gateway#custom-tls-certificates-via-secret-discovery-service-sds

iluminae, May 04 '22 03:05

I am also desperately looking for a solution to be able to use a custom TLS cert with the ingress gateway. The API gateway looks promising but it is not available for Nomad just yet. :/ Traefik and other Connect native load balancers are not a replacement for the ingress gateway, as those are ignoring L7 routing settings (service configuration entries: routers/splitters/resolvers), like having a resolver that fails the service over to a different datacenter. Consul Connect is a great product, but the lack of proper edge routing capability makes it useless (if you try to use it with Nomad).

vvarga007, Jul 27 '22 02:07

Closing as API Gateway for VM support is now available in Consul 1.15.0. https://github.com/hashicorp/consul/issues/16369

david-yu, Feb 24 '23 17:02