Custom SSL Certificates for Ingress Gateways

[nicholasjackson]

Feature Description

I would like to be able to secure ingress gateways using my own TLS certificates to be able to provide a valid certificate for the domain to which my application is exposed.

At present the IngressGateway can be configured to enable TLS for public listeners, however, this uses a certificate issued by Consul.

https://www.consul.io/docs/connect/config-entries/ingress-gateway#tls

I would like to be able to provide my own certificate for example using LetsEncrypt for my custom domain. Ideally, this feature would work in a combination with the Helm chart to automatically integrate with cert-manager for ease of use.

[gdbelvin]

I have the same issue. You might be interested in these alternative solutions:

• https://doc.traefik.io/traefik/routing/providers/consul-catalog/
• https://discuss.hashicorp.com/t/recommended-way-to-use-lets-encrypt-certificates-with-consul-ingress-gateways/18187

[david-yu]

Hi everyone, closing this issue as this is now addressed via the new Consul API Gateway that was released as beta today. The docs could be found here: https://www.consul.io/docs/api-gateway and a learn guide is posted here: https://learn.hashicorp.com/tutorials/consul/kubernetes-api-gateway

[david-yu]

Closed early, but it looks like for folks that do want a solution on VMs, this issue is still valid.

[iluminae]

Also would like to come at this from a Nomad context. This ingress works great but it would be lovely to have that cert could come from somewhere else, including vault. Just some workflow to be able to load in some other cert would be grand.

Edit: is this SDS implementation applicable? https://www.consul.io/docs/connect/gateways/ingress-gateway#custom-tls-certificates-via-secret-discovery-service-sds

[vvarga007]

I am also desperately looking for a solution to be able to use custom TLS cert with the ingress gateway. The API gateway looks promising but it is not available for Nomad just yet. :/ Traefik and other Connect native loadbalancers are not a replacement for ingress gateway as those are ignoring L7 routing settings(service configuration entries routers/splitters/resolvers), like having a resolver that fails the service other to a different datacenter.
Consul Connect is a great product but the lack of proper edge routing capability makes it useless(if you try to use it with Nomad).

[david-yu]

Closing as API Gateway for VM support is now available in Consul 1.15.0. #16369