feat: add PeerThroughMeshGateways to mesh config

DanStough 2022-09-02 16:52:11 -04:00 committed by Dan Stough
parent 017f00e6d4
commit fca4042bd9
9 changed files with 859 additions and 608 deletions


@ -17,6 +17,8 @@ type MeshConfigEntry struct {
HTTP *MeshHTTPConfig `json:",omitempty"`
Peering *PeeringMeshConfig `json:",omitempty"`
Meta map[string]string `json:",omitempty"`
acl.EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
RaftIndex
@ -48,6 +50,16 @@ type MeshHTTPConfig struct {
SanitizeXForwardedClientCert bool `alias:"sanitize_x_forwarded_client_cert"`
}
// PeeringMeshConfig contains cluster-wide options pertaining to peering.
type PeeringMeshConfig struct {
// PeerThroughMeshGateways determines whether peering traffic between
// control planes should flow through mesh gateways. If enabled,
// Consul servers will advertise mesh gateway addresses as their own.
// Additionally, mesh gateways will configure themselves to expose
// the local servers using a peering-specific SNI.
PeerThroughMeshGateways bool `alias:"peer_through_mesh_gateways"`
}
func (e *MeshConfigEntry) GetKind() string {
return MeshConfig
}
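Review bot: Nothing in this hunk enforces the restriction the commit's own documentation states for this flag, that `PeerThroughMeshGateways` may only be set on the `mesh` entry in the `default` partition; the new `PeeringMeshConfig` struct at the end of the hunk only carries the bool. Because the field comment says servers will advertise mesh gateway addresses as their own once it is enabled, a non-default partition being able to flip it would change the control-plane addresses peers are told to dial, so if `MeshConfigEntry` has a `Validate` method (it is outside this hunk, as is the start of the `MeshConfigEntry` definition) it should reject the entry when `e.Peering != nil && e.Peering.PeerThroughMeshGateways` and the entry's `EnterpriseMeta` is not the default partition, e.g. `return fmt.Errorf("Peering.PeerThroughMeshGateways can only be set in the default partition")`. The field comment should also say what happens outside the default partition (rejected or ignored), since the struct is the place readers of the server code will look.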


@ -1815,6 +1815,9 @@ func TestDecodeConfigEntry(t *testing.T) {
http {
sanitize_x_forwarded_client_cert = true
}
peering {
peer_through_mesh_gateways = true
}
`,
camel: `
Kind = "mesh"
@ -1845,7 +1848,10 @@ func TestDecodeConfigEntry(t *testing.T) {
}
HTTP {
SanitizeXForwardedClientCert = true
}
}
Peering {
PeerThroughMeshGateways = true
}
`,
expect: &MeshConfigEntry{
Meta: map[string]string{
@ -1876,6 +1882,9 @@ func TestDecodeConfigEntry(t *testing.T) {
HTTP: &MeshHTTPConfig{
SanitizeXForwardedClientCert: true,
},
Peering: &PeeringMeshConfig{
PeerThroughMeshGateways: true,
},
},
},
{


@ -23,6 +23,8 @@ type MeshConfigEntry struct {
HTTP *MeshHTTPConfig `json:",omitempty"`
Peering *PeeringMeshConfig `json:",omitempty"`
Meta map[string]string `json:",omitempty"`
// CreateIndex is the Raft index this entry was created at. This is a
@ -54,6 +56,10 @@ type MeshHTTPConfig struct {
SanitizeXForwardedClientCert bool `alias:"sanitize_x_forwarded_client_cert"`
}
type PeeringMeshConfig struct {
PeerThroughMeshGateways bool `json:",omitempty" alias:"peer_through_mesh_gateways"`
}
func (e *MeshConfigEntry) GetKind() string { return MeshConfig }
func (e *MeshConfigEntry) GetName() string { return MeshConfigMesh }
func (e *MeshConfigEntry) GetPartition() string { return e.Partition }
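Review bot: The exported `PeeringMeshConfig` type and its `PeerThroughMeshGateways` field added in the second hunk of this public `api` package have no doc comments, while the server-side struct in this same commit documents both; add `// PeeringMeshConfig contains cluster-wide options pertaining to peering.` above the type and `// PeerThroughMeshGateways determines whether peering control-plane traffic flows through mesh gateways.` above the field so the generated API docs describe the option. The `json:",omitempty"` on the bool also differs from the sibling `SanitizeXForwardedClientCert` tag a few lines up, which carries only `alias`; for a bool this is harmless, since an omitted value and `false` decode the same on the server, but aligning the tags keeps the two nested mesh configs consistent.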


@ -1316,6 +1316,9 @@ func TestDecodeConfigEntry(t *testing.T) {
},
"HTTP": {
"SanitizeXForwardedClientCert": true
},
"Peering": {
"PeerThroughMeshGateways": true
}
}
`,
@ -1348,6 +1351,9 @@ func TestDecodeConfigEntry(t *testing.T) {
HTTP: &MeshHTTPConfig{
SanitizeXForwardedClientCert: true,
},
Peering: &PeeringMeshConfig{
PeerThroughMeshGateways: true,
},
},
},
} {


@ -415,6 +415,11 @@ func MeshConfigToStructs(s *MeshConfig, t *structs.MeshConfigEntry) {
MeshHTTPConfigToStructs(s.HTTP, &x)
t.HTTP = &x
}
if s.Peering != nil {
var x structs.PeeringMeshConfig
PeeringMeshConfigToStructs(s.Peering, &x)
t.Peering = &x
}
t.Meta = s.Meta
}
func MeshConfigFromStructs(t *structs.MeshConfigEntry, s *MeshConfig) {
@ -436,6 +441,11 @@ func MeshConfigFromStructs(t *structs.MeshConfigEntry, s *MeshConfig) {
MeshHTTPConfigFromStructs(t.HTTP, &x)
s.HTTP = &x
}
if t.Peering != nil {
var x PeeringMeshConfig
PeeringMeshConfigFromStructs(t.Peering, &x)
s.Peering = &x
}
s.Meta = t.Meta
}
func MeshDirectionalTLSConfigToStructs(s *MeshDirectionalTLSConfig, t *structs.MeshDirectionalTLSConfig) {
@ -496,6 +506,18 @@ func MeshTLSConfigFromStructs(t *structs.MeshTLSConfig, s *MeshTLSConfig) {
s.Outgoing = &x
}
}
func PeeringMeshConfigToStructs(s *PeeringMeshConfig, t *structs.PeeringMeshConfig) {
if s == nil {
return
}
t.PeerThroughMeshGateways = s.PeerThroughMeshGateways
}
func PeeringMeshConfigFromStructs(t *structs.PeeringMeshConfig, s *PeeringMeshConfig) {
if s == nil {
return
}
s.PeerThroughMeshGateways = t.PeerThroughMeshGateways
}
func RingHashConfigToStructs(s *RingHashConfig, t *structs.RingHashConfig) {
if s == nil {
return


@ -67,6 +67,16 @@ func (msg *MeshHTTPConfig) UnmarshalBinary(b []byte) error {
return proto.Unmarshal(b, msg)
}
// MarshalBinary implements encoding.BinaryMarshaler
func (msg *PeeringMeshConfig) MarshalBinary() ([]byte, error) {
return proto.Marshal(msg)
}
// UnmarshalBinary implements encoding.BinaryUnmarshaler
func (msg *PeeringMeshConfig) UnmarshalBinary(b []byte) error {
return proto.Unmarshal(b, msg)
}
// MarshalBinary implements encoding.BinaryMarshaler
func (msg *ServiceResolver) MarshalBinary() ([]byte, error) {
return proto.Marshal(msg)



@ -40,6 +40,7 @@ message MeshConfig {
MeshTLSConfig TLS = 2;
MeshHTTPConfig HTTP = 3;
map<string, string> Meta = 4;
PeeringMeshConfig Peering = 5;
}
// mog annotation:
@ -84,6 +85,15 @@ message MeshHTTPConfig {
bool SanitizeXForwardedClientCert = 1;
}
// mog annotation:
//
// target=github.com/hashicorp/consul/agent/structs.PeeringMeshConfig
// output=config_entry.gen.go
// name=Structs
message PeeringMeshConfig {
bool PeerThroughMeshGateways = 1;
}
// mog annotation:
//
// target=github.com/hashicorp/consul/agent/structs.ServiceResolverConfigEntry


@ -68,8 +68,6 @@ The `mesh` configuration entry can only be created in the `default` namespace an
```hcl
Kind = "mesh"
Namespace = "default" # Can only be set to "default".
Partition = "default"
TLS {
Incoming {
@ -156,8 +154,6 @@ The `mesh` configuration entry can only be created in the `default` namespace an
```hcl
Kind = "mesh"
Namespace = "default" # Can only be set to "default".
Partition = "default"
TransparentProxy {
MeshDestinationsOnly = true
@ -193,6 +189,87 @@ spec:
Note that the Kubernetes example does not include a `partition` field. Configuration entries are applied on Kubernetes using [custom resource definitions (CRD)](/docs/k8s/crds), which can only be scoped to their own partition.
### Peer Through Mesh Gateways
Set the `PeerThroughMeshGateways` parameter to `true` to route peering control plane traffic through mesh gateways.
<Tabs>
<Tab heading="Consul OSS">
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "mesh"
Peering {
PeerThroughMeshGateways = true
}
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: Mesh
metadata:
name: mesh
spec:
peering:
peerThroughMeshGateways: true
```
```json
{
"Kind": "mesh",
"Peering": {
"PeerThroughMeshGateways": true
}
}
```
</CodeTabs>
</Tab>
<Tab heading="Consul Enterprise">
You can only set the `PeerThroughMeshGateways` attribute on `mesh` configuration entries in the `default` partition.
The `default` partition owns the traffic routed through the mesh gateway control plane to Consul servers.
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "mesh"
Peering {
PeerThroughMeshGateways = true
}
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: Mesh
metadata:
name: mesh
namespace: default
spec:
peering:
peerThroughMeshGateways: true
```
```json
{
"Kind": "mesh",
"Peering": {
"PeerThroughMeshGateways": true
}
}
```
</CodeTabs>
</Tab>
</Tabs>
Note that the Kubernetes example does not include a `partition` field. Configuration entries are applied on Kubernetes using [custom resource definitions (CRD)](/docs/k8s/crds), which can only be scoped to their own partition.
## Available Fields
<ConfigEntryReference
@ -365,6 +442,21 @@ Note that the Kubernetes example does not include a `partition` field. Configura
},
],
},
{
name: 'Peering',
type: 'PeeringMeshConfig: <optional>',
description:
'Controls configuration specific to [peering connections](/docs/connect/cluster-peering).',
children: [
{
name: 'PeerThroughMeshGateways',
type: 'bool: <optional>',
description: `Determines if peering control-plane traffic should be routed through mesh gateways.
When enabled, dialing cluster attempt to contact peers through their mesh gateway.
Clusters that accept calls advertise the address of their mesh gateways, rather than the address of their Consul servers.`,
},
],
},
]}
/>