luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Specify that mesh gateways require Envoy (#6506) 

* Specify that mesh gateways must operate on L7

* Add feedback from Matt

* clarify gateway requirements
This commit is contained in:
Judith Malnick 2019-09-26 20:06:58 -07:00 committed by GitHub
parent 3e9455aff2
commit 746f786a9f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
website/source/docs/connect/mesh_gateway.html.md
View File

@ -30,11 +30,29 @@ Mesh gateways also require that your Consul datacenters are configured correctly
- You'll need to use Consul version 1.6.0. - You'll need to use Consul version 1.6.0.
- Consul [Connect](/docs/agent/options.html#connect) must be enabled in both datacenters. - Consul [Connect](/docs/agent/options.html#connect) must be enabled in both datacenters.
- Each of your [datacenters](/docs/agent/options.html#datacenter) must have a unique name. - Each of your [datacenters](/docs/agent/options.html#datacenter) must have a unique name.
- Your datacenters must be [WAN joined](https://learn.hashicorp.com/consul/security-networking/datacenters). - Your datacenters must be [WAN joined](https://learn.hashicorp.com/consul/security-networking/datacenters).
- The [primary datacenter](/docs/agent/options.html#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for Connect certificates and is required for services in all datacenters to establish mutual TLS with each other. - The [primary datacenter](/docs/agent/options.html#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for Connect certificates and is required for services in all datacenters to establish mutual TLS with each other.
- [gRPC](/docs/agent/options.html#grpc_port) must be enabled. - [gRPC](/docs/agent/options.html#grpc_port) must be enabled.
- If you want to [enable gateways globally](/docs/connect/mesh_gateway.html#enabling-gateways-globally) you must enable [centralized configuration](/docs/agent/options.html#enable_central_service_config). - If you want to [enable gateways globally](/docs/connect/mesh_gateway.html#enabling-gateways-globally) you must enable [centralized configuration](/docs/agent/options.html#enable_central_service_config).
Currently, Envoy is the only proxy with mesh gateway capabilities in Consul.
- Mesh gateway proxies receive their configuration through Consul, which
automatically generates it based on the proxy's registration. Currently Consul
can only translate mesh gateway registration information into Envoy
configuration, therefore the proxies acting as mesh gateways must be Envoy.
- Sidecar proxies that send traffic to an upstream service through a gateway
need to know the location of that gateway. They discover the gateway based on
their sidecar proxy registrations. Consul can only translate the gateway
registration information into Envoy configuration, so any sidecars that send
upstream traffic through a gateway must be Envoy.
Sidecar proxies that don't send upstream traffic through a gateway aren't
affected when you deploy gateways. If you are using Consul's built-in proxy as a
Connect sidecar it will continue to work for intra-datacenter traffic and will
receive incoming traffic even if that traffic has passed through a gateway.
## Modes of Operation ## Modes of Operation