Encrypt API gateway traffic on virtual machines
This topic describes how to make TLS certificates available to API gateways so that requests between the user and the gateway endpoint are encrypted.
Requirements
- Consul v1.15 or later is required to use the Consul API gateway on VMs
- Consul v1.19 or later is required to use the file system certificate configuration entry
- You must have a certificate and key from your CA
- A Consul cluster with service mesh enabled. Refer to
connect
- Network connectivity between the machine deploying the API gateway and a Consul cluster agent or server
ACL requirements
If ACLs are enabled, you must present a token with the following permissions to configure Consul and deploy API gateways:
Refer Mesh Rules for additional information about configuring policies that enable you to interact with Consul API gateway configurations.
Define TLS certificates
- Create a file system certificate or inline certificate and specify the following fields:
Kind
: Specifies the type of configuration entry. This must be set tofile-system-certificate
orinline-certificate
.Name
: Specify the name in the API gateway listener configuration to bind the certificate to that listener.Certificate
: Specifies the filepath to the certificate on the local system or the inline public certificate as plain text.PrivateKey
: Specifies the filepath to private key on the local system or the inline private key to as plain text.
- Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the file system certificate configuration reference or inline certificate configuration reference for more information.
- Save the configuration.
Examples
The following example defines a certificate named my-certificate
. API gateway configurations that specify inline-certificate
in the Certificate.Kind
field and my-certificate
in the Certificate.Name
field are able to use the certificate.
Kind = "inline-certificate"Name = "my-certificate" Certificate = <<EOF-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----EOF PrivateKey = <<EOF-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----EOF
Deploy the configuration to Consul
Run the consul config write
command to enable listeners to use the certificate. The following example writes a configuration called my-certificate.hcl
:
$ consul config write my-certificate.hcl