Here are all of the things we've got set up for the installations of Vault + Consul + API Gateway:
```yaml
# Consul Helm chart values
global:
  name: consul
  gossipEncryption:
    autoGenerate: true
  tls:
    enabled: true
    enableAutoEncrypt: true
    verify: true
    httpsOnly: false
  acls:
    enabled: true
    manageSystemACLs: true
    default_policy: "allow"
    enable_token_persistence: true
ui:
  enabled: true
  type: "LoadBalancer"
client:
  enabled: true
connectInject:
  enabled: true
controller:
  enabled: true
terminatingGateways:
  enabled: false
ingressGateways:
  enabled: false
apiGateway:
  enabled: true
  image: hashicorp/consul-api-gateway:0.3.0
  managedGatewayClass:
    copyAnnotations:
      service:
        annotations: |
          - 'networking.gke.io/load-balancer-type'
```
```yaml
# Vault Helm chart values
global:
  enabled: true
  tlsDisable: true
injector:
  enabled: false
  logLevel: debug
  webhook:
    failurePolicy: Fail
  image:
    repository: hashicorp/vault-k8s
    tag: latest
  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m
server:
  resources:
    requests:
      memory: 8Gi
      cpu: 2000m
    limits:
      memory: 16Gi
      cpu: 2000m
  readinessProbe:
    enabled: true
    path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
  livenessProbe:
    enabled: true
    path: /v1/sys/health?standbyok=true
    initialDelaySeconds: 60
  auditStorage:
    enabled: true
  standalone:
    enabled: false
  ha:
    enabled: true
    replicas: 5
    config: |
      ui = true
      listener "tcp" {
        tls_disable = true
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "consul" {
        path = "vault/"
        address = "<consul_addr>"
        token = "<consul_token>"
        scheme = "https"
        tls_skip_verify = true
      }
```
API Gateway resources (I'm including the TLS block in case it turns out to be a clue, but I have validated that the API gateway at least receives traffic OK over SSL):
```yaml
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: vault-gateway
  namespace: vault
  annotations:
    networking.gke.io/load-balancer-type: 'Internal'
spec:
  gatewayClassName: consul-api-gateway
  listeners:
  - protocol: HTTPS
    hostname: internal.vault.hostname
    port: 443
    name: https
    allowedRoutes:
      namespaces:
        from: Same
    tls:
      certificateRefs:
      - name: vault-ingress-certificate
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: vault-route
  namespace: vault
spec:
  parentRefs:
  - name: vault-gateway
  rules:
  - backendRefs:
    - kind: Service
      name: vault
      namespace: vault
      port: 8200
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferencePolicy
metadata:
  name: vault-ref-policy-route
  namespace: vault
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    namespace: vault
  to:
  - group: ""
    kind: Service
    name: vault
```
```text
2022-08-04T20:42:28.917Z [ERROR] service/resolver.go:249: consul-api-gateway-server.k8s.Reconciler: could not resolve consul service: error="consul service vault/vault not found"
2022-08-04T20:43:00.370Z [ERROR] service/resolver.go:249: consul-api-gateway-server.k8s.Reconciler: could not resolve consul service: error="consul service vault/vault not found"
2022-08-04T20:43:31.315Z [ERROR] service/resolver.go:249: consul-api-gateway-server.k8s.Reconciler: could not resolve consul service: error="consul service vault/vault not found"
```
```yaml
apiVersion: v1
items:
- apiVersion: gateway.networking.k8s.io/v1alpha2
  kind: HTTPRoute
  metadata:
    name: vault-route
    namespace: vault
  spec:
    parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: vault-gateway
    rules:
    - backendRefs:
      - group: ""
        kind: Service
        name: vault
        port: 8200
        weight: 1
      matches:
      - path:
          type: PathPrefix
          value: /
  status:
    parents:
    - conditions:
      - lastTransitionTime: "2022-08-04T20:42:28Z"
        message: Route accepted.
        observedGeneration: 3
        reason: Accepted
        status: "True"
        type: Accepted
      - lastTransitionTime: "2022-08-04T20:42:28Z"
        message: 'consul: consul service vault/vault not found'
        observedGeneration: 3
        reason: ConsulServiceNotFound
        status: "False"
        type: ResolvedRefs
      controllerName: hashicorp.com/consul-api-gateway-controller
      parentRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: vault-gateway
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
```
The HTTPRoute registers both the Kubernetes and Consul service registrations for Vault and allows the API gateway to route traffic to Vault.

In case this helps, below is also a listing of the Vault service registered in Consul.
```json
{
  "vault:10.4.0.59:8200": {
    "ID": "vault:10.4.0.59:8200",
    "Service": "vault",
    "Tags": [
      "standby",
      "initialized"
    ],
    "Meta": {
      "external-source": "vault"
    },
    "Port": 8200,
    "Address": "10.4.0.59",
    "TaggedAddresses": {
      "lan_ipv4": {
        "Address": "10.4.0.59",
        "Port": 8200
      },
      "wan_ipv4": {
        "Address": "10.4.0.59",
        "Port": 8200
      }
    },
    "Weights": {
      "Passing": 1,
      "Warning": 1
    },
    "EnableTagOverride": false,
    "Datacenter": "dc1"
  },
  "vault:10.4.1.89:8200": {
    "ID": "vault:10.4.1.89:8200",
    "Service": "vault",
    "Tags": [
      "active",
      "initialized"
    ],
    "Meta": {
      "external-source": "vault"
    },
    "Port": 8200,
    "Address": "10.4.1.89",
    "TaggedAddresses": {
      "lan_ipv4": {
        "Address": "10.4.1.89",
        "Port": 8200
      },
      "wan_ipv4": {
        "Address": "10.4.1.89",
        "Port": 8200
      }
    },
    "Weights": {
      "Passing": 1,
      "Warning": 1
    },
    "EnableTagOverride": false,
    "Datacenter": "dc1"
  },
  "vault:10.4.3.5:8200": {
    "ID": "vault:10.4.3.5:8200",
    "Service": "vault",
    "Tags": [
      "standby",
      "initialized"
    ],
    "Meta": {
      "external-source": "vault"
    },
    "Port": 8200,
    "Address": "10.4.3.5",
    "TaggedAddresses": {
      "lan_ipv4": {
        "Address": "10.4.3.5",
        "Port": 8200
      },
      "wan_ipv4": {
        "Address": "10.4.3.5",
        "Port": 8200
      }
    },
    "Weights": {
      "Passing": 1,
      "Warning": 1
    },
    "EnableTagOverride": false,
    "Datacenter": "dc1"
  }
}
```
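As an added diagnostic (not part of the original post or of consul-api-gateway), the lookup below mirrors what the `vault/vault not found` error implies: the gateway resolves a backendRef by Kubernetes namespace/service name, here assumed to be matched against the `k8s-namespace` and `k8s-service-name` metadata that consul-k8s connect-inject writes, not against the bare Consul service name that Vault's storage backend registers with `external-source: vault`. The JSON is a constructed subset of the listing above plus a hypothetical connect-injected `web` service for contrast.

```python
import json

# Constructed sample: two of the Vault instances from the agent services
# listing on this page, plus a hypothetical connect-inject registration of
# an unrelated "web" service for contrast.
AGENT_SERVICES = json.loads("""
{
  "vault:10.4.1.89:8200": {"ID": "vault:10.4.1.89:8200", "Service": "vault",
    "Tags": ["active", "initialized"], "Meta": {"external-source": "vault"},
    "Port": 8200, "Address": "10.4.1.89"},
  "vault:10.4.0.59:8200": {"ID": "vault:10.4.0.59:8200", "Service": "vault",
    "Tags": ["standby", "initialized"], "Meta": {"external-source": "vault"},
    "Port": 8200, "Address": "10.4.0.59"},
  "web-abc123-web": {"ID": "web-abc123-web", "Service": "web", "Tags": [],
    "Meta": {"k8s-service-name": "web", "k8s-namespace": "default",
             "external-source": "kubernetes"},
    "Port": 8080, "Address": "10.4.2.7"}
}
""")

def resolve_k8s_service(services, namespace, name):
    """Instances Consul holds for the Kubernetes Service namespace/name.

    Assumption: the gateway resolver matches on the k8s-namespace and
    k8s-service-name meta keys that consul-k8s connect-inject writes when it
    registers a pod, not on the bare Consul service name."""
    return [
        svc for svc in services.values()
        if svc.get("Meta", {}).get("k8s-service-name") == name
        and svc.get("Meta", {}).get("k8s-namespace") == namespace
    ]

def explain_lookup(services, namespace, name):
    """Describe the lookup result; on a miss, say who did register the name."""
    hits = resolve_k8s_service(services, namespace, name)
    if hits:
        return "resolved %s/%s to %d instance(s)" % (namespace, name, len(hits))
    same_name = [s for s in services.values() if s.get("Service") == name]
    sources = sorted({s.get("Meta", {}).get("external-source", "unknown")
                      for s in same_name})
    return ("consul service %s/%s not found; %d '%s' instance(s) registered by "
            "%s, none by connect-inject"
            % (namespace, name, len(same_name), name, ", ".join(sources) or "nobody"))

if __name__ == "__main__":
    print(explain_lookup(AGENT_SERVICES, "vault", "vault"))
    print(explain_lookup(AGENT_SERVICES, "default", "web"))
```

Run against a real `/v1/agent/services` dump, the same check shows whether a backend the gateway rejects is merely missing the connect-inject metadata rather than absent from the catalog.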