You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
consul/test/hostname/Bob.key

29 lines
1.7 KiB

wan federation via mesh gateways (#6884) This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the *agent* and the results of that operation for primary mesh gateways are needed in the *server* there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation.
5 years ago
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD31CRoghWGBrg7
oScNehw9EjLy+BZlmP/BqUVrDHHlsiMx6WLY+2GHu7kh00D3y11BtCI1jLBg3QgK
NVWH1JQsyEmRXBypToXShElc7du6swSzjOqCRaGq12LJWbSkZYxmrjR8wuaC91qQ
p4SfwTgs0aDeyV7j/M2PHhQwi/g4YFlQTQFn4N1Cob9KZgjEjC28NlFoVcO1LJ31
0a7LkBDco94G3bLLsI1r2KxIzHVM3haenIt7H4siigcUxe8mNzP11mBd/qnnECL5
DG2qI4ORLsWOEK4dDD+8j9Ri80+mdIhqxsP5ZFsoe0RrESdsoYY3i+6EFCL+9ehC
eV8EuGjLAgMBAAECggEAD6o2pO54CtE46vf8PnNV/pw8YTRCQijCHc0jyKjwOBsi
82AzsdBt8UTx5kvyotcVbXZD5UufyHegLvkBD4Vl2lDMqaX/X8pJVi2rb3bPeUUg
inLhTdu15NUZdu23J98NWV4wjiRJqsSU0mjsTqbJdLfJadujpliP67h0gT8PsQxy
MNIoFbhhHDukmLjehL0a5HhH89+aZVxOuvUU9HV8lkpCnNJuajJuwnu5gv/7RUZd
EG4lZLPTEb3ao9Bnm7/4q1IHQKGC9Cpwaegde3dYYSn5vxoOp87I6wnWxi8V7g0N
bdNglwCxE9d1hOQ4qefAq3UL6FyAL6wwbo4dNfl3bQKBgQD98vjIy6JdxSYnJOKm
VuG540uJykFqvqazgl85Vi1z4Ot6AVK1UvnWKWy4bHGiZr5H1R4afPDo/a+H9hoz
SXv8Vk8/AClcL/u2+czHqNipCssQIkhRfJ1hu3P7zDgVykSxJTrUCoTzHmKBtarn
kgGQnJC2M44hxFPI26FV0eyyzwKBgQD51IRGdfZT8jw7Bk6f6UFLXV8O7F/pDFs1
HjUw6+sPselXUSaNk9pIlWr+uTEfwqTG66fLoTFlw0dMzjTejXBiZomZB4Pw0jdF
ccJj0FvTqi4C6VabHP3S7CSp9eDyaaUDEDn/a8fjG+R08crif+jwTwSHbBdaDbaq
CArRW6oZRQKBgBmGIUE1TmV0WkhW6bzkQJ3JXZ9Ex9xtux2RvfZqVfkuoxxJI8H7
zAaddUL4C1fSUc+weO0an7AbR1g4ARwkh6SuHBrt7jpIzFjwtIdgzh33ar99Yp1m
E/9tstOdDAoMoWjYoBgN0p0I8cettba+sw+Q3O6jMebs76rhgE664bp7AoGAX458
paK6/DLb/MuVyS5jrhrhoAijSrVSMYgDWlnyR8eJ877zWxWhWT/lc9aLxpUhh4Bd
ZtKZ3U2K+QKqUDGTOd/0Y1bvjW4qe+JeMuVgKh6eiLiNSrkVENcH0wZb6vyjg/9x
35NvGhvyDxTowCeihkADAHVEnUo/gtuen6NK9W0CgYAyLd3mTpPUEfvb3SA2oibJ
j0Z2z4QC85UjoKa/6XKvK31hHABlYdtJLDap5WiXBSGbfZSLRa6bKioQh3a7Skyj
rWjIFdeAG2M08C+fjD7gci2bEE2zA2juaWYjGlsaQ82uKIvL0YXnYPDFFrubPRhv
Ut1e3EKg0Ys3N9ngov6A2w==
wan federation via mesh gateways (#6884) This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the *agent* and the results of that operation for primary mesh gateways are needed in the *server* there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation.
5 years ago
-----END PRIVATE KEY-----