Encrypt API gateway traffic on virtual machines
This topic describes how to make TLS certificates available to API gateways so that requests between the user and the gateway endpoint are encrypted.
Requirements
- Consul 1.15 or later
- You must have a certificate and key from your CA
- A Consul cluster with service mesh enabled. Refer to
connect - Network connectivity between the machine deploying the API gateway and a Consul cluster agent or server
ACL requirements
If ACLs are enabled, you must present a token with the following permissions to configure Consul and deploy API gateways:
Refer Mesh Rules for additional information about configuring policies that enable you to interact with Consul API gateway configurations.
Define TLS certificates
- Create an
inline-certificateconfiguration entry and specify the following fields:Kind: Specifies the type of configuration entry. This must be set toinline-certificate.Name: Specify the name in the API gateway listener configuration to bind the certificate to that listener.Certificate: Specifies the inline public certificate to use for TLS as plain text.PrivateKey: Specifies the inline private key to use for TLS as plain text.
- Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the
inline-certificateconfiguration entry reference for additional information. - Save the configuration.
The following example defines a certificate named my-certificate. API gateway configurations that specify inline-certificate in the Certificate.Kind field and my-certificate in the Certificate.Name field are able to use the certificate.
Deploy the configuration to Consul
Run the consul config write command to enable listeners to use the certificate. The following example writes a configuration called my-certificate.hcl: