3ad64aeb7d
* Update mesh, proxy-defaults and service-defaults docs to properly document Kubernetes YAML. Co-authored-by: David Yu <dyu@hashicorp.com>
156 lines
4 KiB
Plaintext
156 lines
4 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: 'Configuration Entry Kind: Mesh'
|
|
description: >-
|
|
The mesh config entry kind allows for globally defining default
|
|
configuration across all services mesh proxies.
|
|
Settings in this config entry apply across all namespaces and federated datacenters.
|
|
Currently, only one mesh entry is supported.
|
|
---
|
|
|
|
# Mesh
|
|
|
|
-> **v1.10.0+:** This config entry is supported in Consul versions 1.10.0+.
|
|
|
|
The `mesh` config entry kind allows for globally defining
|
|
default configuration that applies to all service mesh proxies.
|
|
Settings in this config entry apply across all namespaces and federated datacenters.
|
|
|
|
## Sample Config Entries
|
|
|
|
### Mesh Destinations Only
|
|
|
|
Only allow transparent proxies to dial addresses in the mesh.
|
|
|
|
<Tabs>
|
|
<Tab heading="HCL">
|
|
|
|
```hcl
|
|
Kind = "mesh"
|
|
TransparentProxy {
|
|
MeshDestinationsOnly = true
|
|
}
|
|
```
|
|
|
|
</Tab>
|
|
<Tab heading="HCL (Consul Enterprise)">
|
|
|
|
**NOTE:** The `mesh` config entry can only be created in the `default`
|
|
namespace and it will apply to proxies across **all** namespaces.
|
|
|
|
```hcl
|
|
Kind = "mesh"
|
|
Namespace = "default" # Can only be set to "default".
|
|
|
|
TransparentProxy {
|
|
MeshDestinationsOnly = true
|
|
}
|
|
```
|
|
|
|
</Tab>
|
|
<Tab heading="Kubernetes YAML">
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: Mesh
|
|
metadata:
|
|
name: mesh
|
|
spec:
|
|
transparentProxy:
|
|
meshDestinationsOnly: true
|
|
```
|
|
|
|
</Tab>
|
|
<Tab heading="Kubernetes YAML (Consul Enterprise)">
|
|
|
|
**NOTE:** A `Mesh` resource can be created in any Kubernetes
|
|
namespace but it will apply to proxies across **all** namespaces. Only one
|
|
`Mesh` resource can exist in the cluster.
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: Mesh
|
|
metadata:
|
|
name: mesh
|
|
spec:
|
|
transparentProxy:
|
|
meshDestinationsOnly: true
|
|
```
|
|
|
|
</Tab>
|
|
</Tabs>
|
|
|
|
## Available Fields
|
|
|
|
<ConfigEntryReference
|
|
keys={[
|
|
{
|
|
name: 'apiVersion',
|
|
description: 'Must be set to `consul.hashicorp.com/v1alpha1`',
|
|
hcl: false,
|
|
},
|
|
{
|
|
name: 'Kind',
|
|
description: {
|
|
hcl: 'Must be set to `mesh`',
|
|
yaml: 'Must be set to `Mesh`',
|
|
},
|
|
},
|
|
{
|
|
name: 'Namespace',
|
|
type: `string: "default"`,
|
|
enterprise: true,
|
|
description:
|
|
'Must be set to default. Config will apply to all namespaces.',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'Meta',
|
|
type: 'map<string|string>: nil',
|
|
description:
|
|
'Specifies arbitrary KV metadata pairs. Added in Consul 1.8.4.',
|
|
yaml: false,
|
|
},
|
|
{
|
|
name: 'metadata',
|
|
children: [
|
|
{
|
|
name: 'name',
|
|
description: 'Must be set to `mesh`',
|
|
},
|
|
{
|
|
name: 'namespace',
|
|
description:
|
|
'If running Consul Open Source, the namespace is ignored (see [Kubernetes Namespaces in Consul OSS](/docs/k8s/crds#consul-oss)). If running Consul Enterprise see [Kubernetes Namespaces in Consul Enterprise](/docs/k8s/crds#consul-enterprise) for more details.',
|
|
},
|
|
],
|
|
hcl: false,
|
|
},
|
|
{
|
|
name: 'TransparentProxy',
|
|
type: 'TransparentProxyConfig: <optional>',
|
|
description:
|
|
'Controls configuration specific to proxies in `transparent` [mode](/docs/connect/config-entries/service-defaults#mode). Added in v1.10.0.',
|
|
children: [
|
|
{
|
|
name: 'MeshDestinationsOnly',
|
|
type: 'bool: false',
|
|
description: `Determines whether sidecar proxies operating in transparent mode can
|
|
proxy traffic to IP addresses not registered in Consul's mesh. If enabled, traffic will only be proxied
|
|
to upstream proxies or Connect-native services. If disabled, requests will be proxied as-is to the
|
|
original destination IP address. Consul will not encrypt the connection.`,
|
|
},
|
|
],
|
|
},
|
|
]}
|
|
/>
|
|
|
|
## ACLs
|
|
|
|
Configuration entries may be protected by [ACLs](/docs/security/acl).
|
|
|
|
Reading a `mesh` config entry requires no specific privileges.
|
|
|
|
Creating, updating, or deleting a `mesh` config entry requires
|
|
`operator:write`.
|