add optional ingress resource

[msarmstr]

It would be nice if an ingress resource could optionally be configured for the ui, ideally with ability to configure labels, annotations, and TLS.

For example: how it's done in the prometheus-operator chart

[adilyse]

Hi @msarmstr,

We're still sorting out how Ingresses interact with Consul in Kubernetes, so I don't have a full answer for you. However, I just merged #105 that should allow a fair amount of flexibility in providing additional ways to configure the UI service to be accessed.

[botzill]

Hi.

Any updates on this issues?

[carpenike]

@adilyse -- looks like those changes enable annotations on a service, not the creation of an ingress object.

Suggest referencing a solution such as the one used by Minio:

https://github.com/helm/charts/blob/master/stable/minio/templates/ingress.yaml

This would allow for an ingress object to be created if the value is set. The actual ingress object is farily simple, mine is here:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: consul
  namespace: kube-system
  labels:
    app.kubernetes.io/name: consul
spec:
  rules:
  - host: consul.DOMAIN
    http:
      paths:
      - path: /
        backend:
          serviceName: consul-consul-ui
          servicePort: 80

I can pull together a PR if you guys would be willing to review it.

[hannahhearth]

The Consul team is looking for more feedback on the Consul Helm Chart. If any of you have 3 minutes, consider filling out our survey.

[jomcyp]

We have deployed Consul 1.8.4 using this helm chart ,which created a service for web-ui named as "consul-primary-ui" .To expose the ui we are creating the following ingress object , Unfortunately we are getting "404 page not found " .
Did any one try to make it work with ingress ?

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: consul-primary-ui
  namespace: consul
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  rules:
  - http:
      paths:
      - path: /*
        backend:
          serviceName: consul-primary-ui
          servicePort: 443

[carpenike]

@jomcyp -- is the service port (443) correct? Is the consul service itself configured to do TLS?

[ishustava]

Hey @jomcyp

I'm not sure that the /* is supported by ingress, unless this is something specific to traefik. It seems that you should either specify /ui as an exact path, which the path at which consul's UI is served, or expose all paths by using path of type pathPrefix with / prefix.

[jomcyp]

Thank you for the response
@carpenike Yes, We configured the service port as 443 for consul_primary_ui and TLS is enabled through helm chart.
see the service manifest below

kind: Service
apiVersion: v1
metadata:
  name: consul-primary-ui
  namespace: consul
  labels:
    app: consul
    app.kubernetes.io/managed-by: Helm
    chart: consul-helm
    component: ui
    heritage: Helm
    release: consul-cluster
  annotations:
    meta.helm.sh/release-name: consul-cluster
    meta.helm.sh/release-namespace: consul
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8501
  selector:
    app: consul
    component: server
    release: consul-cluster
  clusterIP: 172.20.15.4
  type: ClusterIP

I am able to access consul web ui with https , when i do kubectl port-forward at service level
kubectl port-forward svc/consul-primary-ui -n <consul-ns> 1234:443

@ishustava
I have tried with /* and /ui and / , but they all come back to 404 page not found .

Do we need to pass tls certificate through ingress object ? When I enabled tls with helm chart by default its using consul built-in CA to generate the certificates.

[ishustava]

@jomcyp

I've just remembered that the Kubernetes ingress doesn't support TLS on the backend, meaning TLS termination has to be done at the ingress controller, and the traffic from ingress to the backend pod (in this case consul servers) is in plaintext. Here are the kubernetes docs that mention that.

I know that some ingress controllers, e.g. NGINX, allow TLS passthrough. I saw from your annotations that you're using traefik and found this blog that talks about how to enable TLS passthrough. Ultimately, you'd need to check with the specific ingress implementation on whether they support TLS passthrough or turn off TLS on the consul cluster.

[thisisnotashwin]

Addressed by #774