Deploy a Consul API Gateway on Nomad
An API Gateway is used for controlling access at entry and traffic management. In this tutorial, you will:
- Deploy Consul ACL roles, policies, and intentions for the API Gateway.
- Deploy an API Gateway job to Nomad.
- Deploy an example upstream job, and configure the gateway.
This tutorial uses Nomad's Workload Identity to authorize a Consul task to bootstrap the API Gateway task and correctly register the API Gateway with Consul. The API Gateway is deployed in its own Nomad namespace. You will add a Consul ACL role that grants the appropriate permissions to the API Gateway and matches the Consul binding rule for that Nomad namespace.
Prerequisites
Clone the API Gateway on Nomad repository. This repository contains all of the necessary Consul and Nomad configuration files.
Navigate to the cloned repository directory.
Follow the instructions in the README file to create a Nomad and Consul cluster with the correct configuration.
Create required policies
Create a Nomad namespace.
Create a Consul policy for the API Gateway.
Create a role with access to the api-gateways
policy. Note that the name of
the role must match the binding rule to use Nomad Workload Identity with
Consul. In this case, nomad-ingress-tasks
matches the format
nomad-${value.nomad_namespace}-tasks
with the Nomad ingress
namespace.
Upload certificates for API Gateway
The API Gateway job needs Consul mTLS certificates to communicate with
Consul. This tutorial uses Nomad Variables to store the certificates
securely, but you can also use Vault secrets. Add the certificates to the
ingress
namespace.
Deploy API Gateway
Run the Nomad job. You can pass additional values to the command with the
-var
option.
Once the deployment is complete, check the Consul UI to see that the API Gateway service has been registered.
Run an example upstream
Add intentions to allow traffic from the API Gateway to the hello
application.
Register a listener for the API Gateway.
Register http routes for the API Gateway so that Envoy knows how and where to write the traffic.
Start the hello
app.
Once the deployment is complete, you can test the API Gateway.
Find the allocation for the API gateway.
Find the address for the API Gateway allocation and provide the allocation ID
from the status
command above by replacing the placeholder <allocID>
in this
command.
Submit a request to the hello
app and observe the response. Replace the
placeholder values <api-gateway-address>
and <api-gateway-port>
with the
address and port respectively from the status
command.
Next steps
In this tutorial you deployed Consul ACL roles, policies, and intentions for an API Gateway, deployed an API Gateway job to Nomad, deployed an example upstream job, and configured an API gateway.
Learn more by checking out these resources.