Blog

Getting Started With Traefik Proxy and HashiCorp Consul

HashiCorp Consul has established itself as one of the most popular service mesh solutions. It comes with service discovery, configuration, and segmentation into a single control plane. And all that without being locked to one single orchestrator or platform.

Traefik Proxy integrates with Consul and uses it as a provider to enable easy north-south traffic configuration. This complements the east-west service mesh that Consul service mesh provides while also sharing some architectural goals: being easy to configure, dynamic, and platform-agnostic. In Traefik Proxy 2.6, we also added support for Consul Namespace.

Webinar: Explore All the New Features of Traefik ProxyDive into the updated Kubernetes Gateway API, HTTP/3 advertised port, and other features of Traefik 2.6.Watch the Webinar

This tutorial demonstrates how to integrate Traefik Proxy with HCP Consul, leveraging the recently added namespace support on both the Consul and Consul Catalog Traefik providers.

Prerequisites

To follow through with this tutorial, you will need the following:

This guide assumes the DNS entry .consul.traefiklabs.tech exists and points to a load balancer type service in a Kubernetes cluster. The cluster runs on AWS and is connected to the HCP Consul environment through a VPC Peering connection.

Step 1: Configuring Traefik Proxy

For the sake of testing, I will use two providers for different purposes — Consul Catalog used for service discovery and ingress configuration, and the Consul K/V provider for internal shared configurations, such as the Dashboard routing and any middleware definition.

To accomplish this yourself, you need to create two separate namespaces in Consul — apps and traefik, respectively.

Now you can create and apply the static configuration in our Traefik instance. It should look like this:

api:
  dashboard: true
 
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
 
providers:
  consulCatalog:
    namespace: "apps"
    defaultRule: "Host(`{{ .Name }}.consul.traefiklabs.tech`)"
    endpoint:
      address: "<hcp-consul-address>"
      scheme: https
      token: <hcp-consul-token>
     
  consul:
    namespace: "traefik"
    rootKey: "traefik"
    token: <hcp-consul-token>
    endpoints:
      - "https://<hcp-consul-address>"
      ```

Note the use of a templating rule on the Host default rule. This will allow you to register automatically any application discovered by Consul Catalog with <service-name>.consul.traefiklabs.tech.

Once deployed, you can expose the Dashboard by creating the necessary key/values on Consul under the traefik namespace. This can be done from the CLI or from the Consul UI, as seen in the example below:

consul kv put -namespace traefik traefik/http/routers/dashboard/entryPoints/0 web
consul kv put -namespace traefik traefik/http/routers/dashboard/rule Host(`traefik.mydomain.com`)
consul kv put -namespace traefik traefik/http/routers/dashboard/service api@internal

Let’s also declare a middleware that you will use later on our demo application:

consul kv put -namespace traefik traefik/http/middlewares/stripfoo/stripPrefix/prefixes/0 foo

Here’s an example from the Consul UI:

Now, let’s check that the Traefik Dashboard is available according to the routing configuration applied.

Step 2: Registering an application

This demo app is registered on Consul Catalog by specifying a few annotations to its service manifest. This will trigger Traefik in fetching its configuration, such as the exposed port and endpoints, while also looking at its own custom tags for more advanced configuration such as linking to a middleware, enabling TLS, and so on.

On Kubernetes, this is what it looks like:

#---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: whoami
  namespace: apps
automountServiceAccountToken: true
 
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: apps
  annotations:
    consul.hashicorp.com/service-name: whoami
    consul.hashicorp.com/service-sync: "true"
    consul.hashicorp.com/service-tags: "traefik.enable=true,traefik.http.routers.whoami.middlewares=stripfoo@consul"
spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
      targetPort: 80
  selector:
    app: whoami
 
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  namespace: apps
  labels:
    app: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      serviceAccountName: whoami
      containers:
        - name: whoami
          image: containous/whoami
          ports:
            - name: web
              containerPort: 80

Consul also allows you to manually register services, which is useful when targeting legacy or standalone applications that are not running in an orchestrated environment. To register a service, first, you must declare its configuration in a JSON file, like the one below, then send a request to the Consul Catalog API to register it as a service.

Example payload:

{
    "Datacenter": "dc1",
    "ID": "c820fcd8-0460-5721-a3f5-d2a20bc0a74f",
    "Node": "server-1",
    "Service": {
      "ID": "whoami1",
      "Service": "whoami",
      "Tags": ["traefik.enable=true","traefik.application_name=whoami"],
      "Address": "10.0.0.100",      
      "Port": 80
    },
  }

Example request:

curl \
    --request PUT \
    --data @payload.json \
    -H "X-Consul-Namespace: apps" \
    http://<my-consul-address>:8500/v1/catalog/register

You can find more detailed information on how to register services in HashiCorp documentation, and here you can see the Consul UI service list:

You should also register your application on Traefik Proxy and make it visible on the UI Dashboard:

Wrapping up

The diagram below shows an overview of the final stage of your environment.

Once the base configuration is done, you can already feel it empowers your environment — you can easily expose your application by adding one label/annotation/tag. At the same time, you also benefit from manually adding routing rules, middleware, TCP options, and much more directly within Consul. All these are made possible by leveraging the provider namespace mechanism Traefik Proxy provides.

Next steps

Now that you’ve learned how to configure Traefik Proxy to use a HashiCorp Consul server as a configuration provider, you are ready to leverage its potential to handle service discovery and registration while using Traefik as the edge proxy.

If you want to learn more about the new features introduced in Traefik Proxy 2.6, check these articles:

You can also watch on-demand our recent webinar, where we explored all the new features.

Webinar: Explore All the New Features of Traefik ProxyDive into the updated Kubernetes Gateway API, HTTP/3 advertised port, and other features of Traefik 2.6.Watch the Webinar

I also encourage you to visit other tutorials to learn more about Traefik and Consul:

Traefik Labs uses cookies to improve your experience. By continuing to browse the site you are agreeing to our use of cookies. Find out more in the Cookie Policy.