Unless configured otherwise, the Consul API Gateway controller creates a load balancer for each Gateway resource. Since we're in Kubernetes, we do this by spinning up a Service resource with type: LoadBalancer.
Each of the major cloud providers allows you to configure the resulting load balancer by specifying one or more annotations on the Kubernetes Service object. You cannot add these annotations directly to the Service, as the controller creates it on your behalf; however, the Consul API Gateway controller will copy specific annotations from the Gateway object, which you do control, to the Service object that it creates. To do so, you must specify the list of keys for annotations that you would like copied in values.yaml. You must then add those annotations to the Gateway. The API gateway controller will then copy any annotations from the Gateway to the Service where the key of the annotation is listed in values.yaml.
In this example, we will configure our load balancer in Google Kubernetes Engine to be of type "internal".
$ helm upgrade --install --values ./values.yaml consul hashicorp/consul --version "0.49.0" --namespace consul --create-namespace
We can now verify that the GatewayClassConfig which we'll use for our Gateway contains the allow-list:
$ kubectl get gatewayclassconfig consul-api-gateway -o yaml
apiVersion: api-gateway.consul.hashicorp.com/v1alpha1
kind: GatewayClassConfig
...
spec:
  ...
  copyAnnotations:
    service:
    - networking.gke.io/load-balancer-type
  serviceType: LoadBalancer
Now we can create a Gateway and see the annotations that were copied from our Gateway resource to the Service created by the controller:
$ kubectl apply --filename ./gateway.yaml
$ kubectl get service internal-gateway -o yaml
apiVersion: v1
kind: Service
metadata:
  name: internal-gateway
  namespace: consul
  annotations:
    networking.gke.io/load-balancer-type: Internal
  ...
spec:
  type: LoadBalancer
  ...
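The copy is silent when a key is missing from the allow-list: the Service is still created, just without the annotation, and on GKE a LoadBalancer Service without it is provisioned as an external load balancer. The following check is an added example, not code from the Consul project; it reproduces the allow-list rule described above over `kubectl get ... -o json` style objects and reports why a required annotation did not reach the Service. The function name `audit` and all sample objects are constructed for illustration.

```python
import json

LB_TYPE = "networking.gke.io/load-balancer-type"  # annotation key from this page

def audit(class_config, gateway, service, required=(LB_TYPE,)):
    """Return (key, problem) pairs for required annotations that did not reach the Service."""
    allowed = set(class_config["spec"].get("copyAnnotations", {}).get("service") or [])
    on_gateway = gateway["metadata"].get("annotations") or {}
    on_service = service["metadata"].get("annotations") or {}
    findings = []
    for key in required:
        if key not in on_gateway:
            findings.append((key, "not set on the Gateway"))
        elif key not in allowed:
            findings.append((key, "set on the Gateway but absent from copyAnnotations.service"))
        elif on_service.get(key) != on_gateway[key]:
            findings.append((key, "allow-listed but missing or different on the Service"))
    return findings

# Constructed sample objects, trimmed to the fields shown on this page.
CLASS_CONFIG = json.loads("""{"kind": "GatewayClassConfig", "spec": {
  "serviceType": "LoadBalancer",
  "copyAnnotations": {"service": ["networking.gke.io/load-balancer-type"]}}}""")
GATEWAY = json.loads("""{"kind": "Gateway", "metadata": {
  "name": "internal-gateway", "namespace": "consul",
  "annotations": {"networking.gke.io/load-balancer-type": "Internal"}}}""")
SERVICE = json.loads("""{"kind": "Service", "metadata": {
  "name": "internal-gateway", "namespace": "consul",
  "annotations": {"networking.gke.io/load-balancer-type": "Internal"}},
  "spec": {"type": "LoadBalancer"}}""")

# Failure case (constructed): the key was never allow-listed, so the controller
# created the Service without the annotation.
CLASS_CONFIG_NO_LIST = {"kind": "GatewayClassConfig", "spec": {"serviceType": "LoadBalancer"}}
SERVICE_NO_ANNOTATION = {"kind": "Service",
                         "metadata": {"name": "internal-gateway", "namespace": "consul"},
                         "spec": {"type": "LoadBalancer"}}

if __name__ == "__main__":
    print("as on this page:", audit(CLASS_CONFIG, GATEWAY, SERVICE) or "ok")
    for key, problem in audit(CLASS_CONFIG_NO_LIST, GATEWAY, SERVICE_NO_ANNOTATION):
        print(f"FINDING {key}: {problem}")
```

Against a live cluster, the three arguments would be the parsed JSON of the GatewayClassConfig, Gateway and Service objects in place of the constructed samples.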