Traefik Proxy and HashiCorp Consul | Traefik Labs

HashiCorp Consul has established itself as one of the most popular service mesh solutions. It comes with the Consul Connect feature, combined with service discovery, configuration, and segmentation into a single control plane. And all that without being locked to one single orchestrator or platform.

Traefik Proxy integrates with Consul and uses it as a provider to enable easy north-south traffic configuration. This complements the east-west service mesh that Consul Connect provides while also sharing some architectural goals: being easy to configure, dynamic, and platform-agnostic. In Traefik Proxy 2.6, we also added support for Consul Namespace.

Workshop: Tame Multiple Traefik Deployments with a GitOps StrategyLearn how to streamline collaboration at scale, create a single source of truth, and simplify your processes with a GitOps strategy.Watch the Webinar

This tutorial demonstrates how to integrate Traefik Proxy with HCP Consul, leveraging the recently added namespace support on both the Consul and Consul Catalog Traefik providers.

Prerequisites

To follow through with this tutorial, you will need the following:

This guide assumes the DNS entry .consul.traefiklabs.tech exists and points to a load balancer type service in a Kubernetes cluster. The cluster runs on AWS and is connected to the HCP Consul environment through a VPC Peering connection.

Step 1: Configuring Traefik Proxy

For the sake of testing, I will use two providers for different purposes — Consul Catalog used for service discovery and ingress configuration, and the Consul K/V provider for internal shared configurations, such as the Dashboard routing and any middleware definition.

To accomplish this yourself, you need to create two separate namespaces in Consul — apps and traefik, respectively.

Now you can create and apply the static configuration in our Traefik instance. It should look like this:

api:
  dashboard: true

entryPoints:
web:
address: ":80"
websecure:
address: ":443"

providers:
consulCatalog:
namespace: "apps"
defaultRule: "Host({{ .Name }}.consul.traefiklabs.tech)"
endpoint:
address: "<hcp-consul-address>"
scheme: https
token: <hcp-consul-token>

consul:
namespace: "traefik"
rootKey: "traefik"
token: <hcp-consul-token>
endpoints:
- "https://<hcp-consul-address>"
```

Note the use of a templating rule on the Host default rule. This will allow you to register automatically any application discovered by Consul Catalog with <service-name>.consul.traefiklabs.tech.

Once deployed, you can expose the Dashboard by creating the necessary key/values on Consul under the traefik namespace. This can be done from the CLI or from the Consul UI, as seen in the example below:

consul kv put -namespace traefik traefik/http/routers/dashboard/entryPoints/0 web
consul kv put -namespace traefik traefik/http/routers/dashboard/rule Host(`traefik.mydomain.com`)
consul kv put -namespace traefik traefik/http/routers/dashboard/service api@internal

Let’s also declare a middleware that you will use later on our demo application:

consul kv put -namespace traefik traefik/http/middlewares/stripfoo/stripPrefix/prefixes/0 foo

Here’s an example from the Consul UI:

Now, let’s check that the Traefik Dashboard is available according to the routing configuration applied.

Step 2: Registering an application

This demo app is registered on Consul Catalog by specifying a few annotations to its service manifest. This will trigger Traefik in fetching its configuration, such as the exposed port and endpoints, while also looking at its own custom tags for more advanced configuration such as linking to a middleware, enabling TLS, and so on.

On Kubernetes, this is what it looks like:

#---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: whoami
  namespace: apps
automountServiceAccountToken: true

apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: apps
annotations:
consul.hashicorp.com/service-name: whoami
consul.hashicorp.com/service-sync: "true"
consul.hashicorp.com/service-tags: "traefik.enable=true,traefik.http.routers.whoami.middlewares=stripfoo@consul"
spec:
ports:
- protocol: TCP
name: web
port: 80
targetPort: 80
selector:
app: whoami


kind: Deployment
apiVersion: apps/v1
metadata:
name: whoami
namespace: apps
labels:
app: whoami
spec:
replicas: 2
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
serviceAccountName: whoami
containers:
- name: whoami
image: containous/whoami
ports:
- name: web
containerPort: 80

Consul also allows you to manually register services, which is useful when targeting legacy or standalone applications that are not running in an orchestrated environment. To register a service, first, you must declare its configuration in a JSON file, like the one below, then send a request to the Consul Catalog API to register it as a service.

Example payload:

{
    "Datacenter": "dc1",
    "ID": "c820fcd8-0460-5721-a3f5-d2a20bc0a74f",
    "Node": "server-1",
    "Service": {
      "ID": "whoami1",
      "Service": "whoami",
      "Tags": ["traefik.enable=true","traefik.application_name=whoami"],
      "Address": "10.0.0.100",      
      "Port": 80
    },
  }

Example request:

curl \
    --request PUT \
    --data @payload.json \
    -H "X-Consul-Namespace: apps" \
    http://<my-consul-address>:8500/v1/catalog/register

You can find more detailed information on how to register services in HashiCorp documentation, and here you can see the Consul UI service list:

You should also register your application on Traefik Proxy and make it visible on the UI Dashboard:

Wrapping up

The diagram below shows an overview of the final stage of your environment.

Once the base configuration is done, you can already feel it empowers your environment — you can easily expose your application by adding one label/annotation/tag. At the same time, you also benefit from manually adding routing rules, middleware, TCP options, and much more directly within Consul. All these are made possible by leveraging the provider namespace mechanism Traefik Proxy provides.

Next steps

Now that you’ve learned how to configure Traefik Proxy to use a HashiCorp Consul server as a configuration provider, you are ready to leverage its potential to handle service discovery and registration while using Traefik as the edge proxy.

If you want to learn more about the new features introduced in Traefik Proxy 2.6, check these articles:

You can also watch on-demand our recent webinar, where we explored all the new features.

Workshop: Tame Multiple Traefik Deployments with a GitOps StrategyLearn how to streamline collaboration at scale, create a single source of truth, and simplify your processes with a GitOps strategy. Watch the Webinar

I also encourage you to visit other tutorials to learn more about Traefik and Consul:


This is a companion discussion topic for the original entry at https://traefik.io/blog/getting-started-traefik-proxy-and-hashicorp-consul/