initial commit

pull/16291/head
boruszak 2023-01-03 10:58:28 -06:00
parent 7747384f1f
commit e878d2d3e4
1 changed files with 56 additions and 0 deletions

@ -0,0 +1,56 @@
---
layout: docs
page_title: Cluster Peering Configuration
description: >-
---
# Enabling Service-to-service Traffic Across Peered Clusters
The topic provides an overview of the configuration options and process for cluster peering.
## Prerequisites
To configure mesh gateways for cluster peering, make sure your Consul environment meets the following requirements:
- Consul version 1.14.0 or newer.
- A local Consul agent is required to manage mesh gateway configuration.
- Use [Envoy proxies](/docs/connect/proxies/envoy). Envoy is the only proxy with mesh gateway capabilities in Consul.
## Configuration
Configure the following settings to register and use the mesh gateway as a service in Consul.
### Gateway registration
- Specify `mesh-gateway` in the `kind` field to register the gateway with Consul.
- Define the `Proxy.Config` settings using opaque parameters compatible with your proxy. For Envoy, refer to the [Gateway Options](/docs/connect/proxies/envoy#gateway-options) and [Escape-hatch Overrides](/docs/connect/proxies/envoy#escape-hatch-overrides) documentation for additional configuration information.
Alternatively, you can also use the CLI to spin up and register a gateway in Consul. For additional information, refer to the [`consul connect envoy` command](/commands/connect/envoy#mesh-gateways).
### Sidecar registration
- Configure the `proxy.upstreams` parameters to route traffic to the correct service, namespace, and peer. Refer to the [`upstreams` documentation](/docs/connect/registration/service-registration#upstream-configuration-reference) for details.
- The service `proxy.upstreams.destination_name` is always required.
- The `proxy.upstreams.destination_peer` must be configured to enable cross-cluster traffic.
- The `proxy.upstream/destination_namespace` configuration is only necessary if the destination service is in a non-default namespace.
### Service exports
- Include the `exported-services` configuration entry to enable Consul to export services contained in a cluster to one or more additional clusters. For additional information, refer to the [Exported Services documentation](/docs/connect/config-entries/exported-services).
### ACL configuration
If ACLs are enabled, you must add a token granting `service:write` for the gateway's service name and `service:read` for all services in the Enterprise admin partition or OSS datacenter to the gateway's service definition.
These permissions authorize the token to route communications for other Consul service mesh services.
You must also grant `mesh:write` to mesh gateways routing peering traffic in the data plane.
This permission allows a leaf certificate to be issued for mesh gateways to terminate TLS sessions for HTTP requests.
### Modes
Modes are configurable as either `remote` or `local` for mesh gateways that connect peered clusters.
The `none` setting is invalid for mesh gateways in peered clusters and will be ignored by the gateway.
By default, all proxies connecting to peered clusters use mesh gateways in [remote mode](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters#remote).
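
Review bot: In the "Sidecar registration" list the last key is written `proxy.upstream/destination_namespace`, which does not match the `proxy.upstreams.destination_name` and `proxy.upstreams.destination_peer` spelling on the two lines above it; it should read `proxy.upstreams.destination_namespace` so a reader copying the key gets a valid path. The front matter also leaves `description: >-` empty, and `page_title: Cluster Peering Configuration` does not match the H1 "Enabling Service-to-service Traffic Across Peered Clusters" or the intro sentence, so pick one scope and fill in the description. In "ACL configuration", the first sentence packs two grants and the token's placement into one clause ("add a token granting ... to the gateway's service definition"); splitting it into a list of the required rules (`service:write` on the gateway's service name, `service:read` on all services, `mesh:write`) followed by a separate sentence on where the token is set would make the required scope easier to audit. In "Modes", the text says `none` "will be ignored by the gateway" but does not say which mode applies in that case; if it falls back to the `remote` default named in the next sentence, state that explicitly.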