consul/connect: add support for connect mesh gateways #10658

Merged: 4 commits, Jun 4, 2021

Commits on Jun 4, 2021

  1. consul/connect: add support for connect mesh gateways

    This PR implements first-class support for Nomad running Consul
    Connect Mesh Gateways. Mesh gateways enable services in the Connect
    mesh to make cross-DC connections via gateways, where each datacenter
    may not have full node interconnectivity.
    
    Consul docs with more information:
    https://www.consul.io/docs/connect/gateways/mesh-gateway
    
    The following group level service block can be used to establish
    a Connect mesh gateway.
    
    service {
      connect {
        gateway {
          mesh {
            // no configuration
          }
        }
      }
    }
    
    Services can make use of a mesh gateway by configuring so in their
    upstream blocks, e.g.
    
    service {
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "<service>"
              local_bind_port  = <port>
              datacenter       = "<datacenter>"
              mesh_gateway {
                mode = "<mode>"
              }
            }
          }
        }
      }
    }
    
    Typical use of a mesh gateway is to create a bridge between datacenters.
    A mesh gateway should then be configured with a service port that is
    mapped from a host_network configured on a WAN interface in Nomad agent
    config, e.g.
    
    client {
      host_network "public" {
        interface = "eth1"
      }
    }
    
    Create a port mapping in the group.network block for use by the mesh
    gateway service from the public host_network, e.g.
    
    network {
      mode = "bridge"
      port "mesh_wan" {
        host_network = "public"
      }
    }
    
    Use this port label for the service.port of the mesh gateway, e.g.
    
    service {
      name = "mesh-gateway"
      port = "mesh_wan"
      connect {
        gateway {
          mesh {}
        }
      }
    }
    
    Currently Envoy is the only supported gateway implementation in Consul.
    By default Nomad client will run the latest official Envoy docker image
    supported by the local Consul agent. The Envoy task can be customized
    by setting `meta.connect.gateway_image` in agent config or by setting
    the `connect.sidecar_task` block.
    
    Gateways require Consul 1.8.0+, enforced by the Nomad scheduler.
    
    Closes #9446
    shoenig committed Jun 4, 2021
    Commit 312161c
  2. consul/connect: fix upstream mesh gateway default mode setting

    This PR fixes the API to _not_ set the default mesh gateway mode. Before,
    the mode would be set to "none" in Canonicalize, which is incorrect. We
    should pass through the empty string so that folks can make use of Consul
    service-defaults Config entries to configure the default mode.
    shoenig committed Jun 4, 2021
    Commit 37b49ba
  3. consul/connect: use range on upstream canonicalize

    Co-authored-by: Tim Gross <tgross@hashicorp.com>
    shoenig and tgross committed Jun 4, 2021
    Commit 1ad0212
  4. Commit 67d801b
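
Why the pass-through described in commit 2 matters, as an added Go sketch that is not Nomad's or Consul's code: the `Upstream` type, `canonicalize` and `effectiveMode` are hypothetical, and the resolution order (an explicit upstream mode first, then the service-defaults config entry) is an assumed model.

```go
package main

import "fmt"

// Upstream is a hypothetical stand-in for a Connect upstream, not Nomad's own type.
type Upstream struct {
	Name string
	Mode string // mesh_gateway.mode as written in the job: "", "none", "local", "remote"
}

// canonicalize copies the upstreams; with defaultToNone it models the old
// behaviour (empty mode rewritten to "none"), without it the fixed pass-through.
func canonicalize(in []Upstream, defaultToNone bool) ([]Upstream, error) {
	out := make([]Upstream, 0, len(in))
	for _, u := range in {
		switch u.Mode {
		case "", "none", "local", "remote":
		default:
			return nil, fmt.Errorf("upstream %q: invalid mesh gateway mode %q", u.Name, u.Mode)
		}
		if u.Mode == "" && defaultToNone {
			u.Mode = "none"
		}
		out = append(out, u)
	}
	return out, nil
}

// effectiveMode models the resolution assumed here: an explicit upstream mode
// wins; only an empty one falls through to the service-defaults config entry.
func effectiveMode(u Upstream, serviceDefault string) string {
	if u.Mode != "" {
		return u.Mode
	}
	if serviceDefault != "" {
		return serviceDefault
	}
	return "none" // assumption: nothing configured anywhere means no gateway
}

func main() {
	// Constructed job: "db" leaves the mode unset, "cache" pins it explicitly.
	job := []Upstream{{Name: "db"}, {Name: "cache", Mode: "remote"}}
	for _, old := range []bool{true, false} {
		ups, _ := canonicalize(job, old) // constructed modes are all valid
		for _, u := range ups {
			fmt.Printf("defaultToNone=%v %s -> %s\n", old, u.Name, effectiveMode(u, "local"))
		}
	}
}
```

With a service-defaults mode of "local", the unset upstream resolves to "none" under the old behaviour and to "local" after the fix, while the explicitly pinned upstream is unaffected either way.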