2022-06-14 17:15:14 -05:00
---
layout: docs
page_title: Cluster Peering on Kubernetes
description: >-
This page describes how to create peering connections, deploy services, export cluster services, and end peering connections for Consul cluster peering using Kubernetes (K8s).
---
# Cluster Peering on Kubernetes
2022-06-15 16:25:57 -05:00
~> **Cluster peering is currently in technical preview:** Functionality associated
with cluster peering is subject to change. You should never use the technical
preview release in secure environments or production scenarios. Features in
technical preview may have performance issues, scaling issues, and limited support.
2022-06-14 17:15:14 -05:00
To establish a cluster peering connection on Kubernetes, you need to enable the feature in the Helm chart and create custom resource definitions for each side of the peering.
The following Custom Resource Definitions (CRDs) are used to create and manage a peering connection:
- `PeeringAcceptor`: Generates a peering token and accepts an incoming peering connection.
- `PeeringDialer`: Uses a peering token to make an outbound peering connection with the cluster that generated the token.
## Prerequisites
2022-06-22 19:12:08 -07:00
You must implement the following requirements to create and use cluster peering connections with Kubernetes:
- Consul 1.13 Alpha 2 or later
- At least two Kubernetes clusters
- The Kubernetes clusters must be running in a flat network
- The network must be running on Consul on Kubernetes v.0.45 or later
2022-06-14 17:15:14 -05:00
### Helm chart configuration
2022-06-15 16:25:57 -05:00
2022-06-14 17:15:14 -05:00
To establish cluster peering through Kubernetes, deploy clusters with the following Helm values.
2022-06-23 08:38:36 -07:00
<CodeBlockConfig filename="values.yaml">
```yaml
global:
image: "hashicorp/consul:1.13.0-alpha2"
peering:
enabled: true
connectInject:
enabled: true
2022-06-29 11:08:37 -07:00
controller:
enabled: true
2022-06-23 08:38:36 -07:00
meshGateway:
2022-06-14 17:15:14 -05:00
enabled: true
2022-06-23 08:38:36 -07:00
replicas: 1
```
</CodeBlockConfig>
2022-06-21 16:13:39 -07:00
2022-06-21 16:27:06 -07:00
Install Consul on Kubernetes on each Kubernetes cluster by applying `values.yaml` using the Helm CLI.
2022-06-21 16:13:39 -07:00
```shell-session
2022-06-21 16:27:06 -07:00
$ export HELM_RELEASE_NAME=cluster-name
2022-06-21 16:31:49 -07:00
```
```shell-session
2022-06-21 16:34:45 -07:00
$ helm install ${HELM_RELEASE_NAME} hashicorp/consul --version "0.45.0" --values values.yaml
2022-06-21 16:27:06 -07:00
```
2022-06-14 17:15:14 -05:00
## Create a peering connection
To peer Kubernetes clusters running Consul, you need to create a peering token and share it with the other cluster.
2022-06-21 16:13:39 -07:00
1. In `cluster-01`, create the `PeeringAcceptor` custom resource.
2022-06-14 17:15:14 -05:00
<CodeBlockConfig filename="acceptor.yml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: PeeringAcceptor
metadata:
name: cluster-02 ## The name of the peer you want to connect to
spec:
peer:
secret:
name: "peering-token"
key: "data"
backend: "kubernetes"
```
</CodeBlockConfig>
1. Apply the `PeeringAcceptor` resource to the first cluster.
```shell-session
2022-06-15 16:15:03 -05:00
$ kubectl apply --filename acceptor.yml
2022-06-14 17:15:14 -05:00
````
1. Save your peering token so that you can export it to the other cluster.
```shell-session
2022-06-15 16:15:03 -05:00
$ kubectl get secret peering-token --output yaml > peering-token.yml
2022-06-14 17:15:14 -05:00
```
1. Apply the peering token to the second cluster.
```shell-session
2022-06-15 16:15:03 -05:00
$ kubectl apply --filename peering-token.yml
2022-06-14 17:15:14 -05:00
```
2022-06-29 11:08:37 -07:00
1. In `cluster-02`, create the `PeeringDialer` custom resource.
2022-06-14 17:15:14 -05:00
<CodeBlockConfig filename="dialer.yml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: PeeringDialer
metadata:
name: cluster-01 ## The name of the peer you want to connect to
spec:
peer:
secret:
name: "peering-token"
key: "data"
backend: "kubernetes"
```
</CodeBlockConfig>
1. Apply the `PeeringDialer` resource to the second cluster.
```shell-session
2022-06-15 16:15:03 -05:00
$ kubectl apply --filename dialer.yml
2022-06-14 17:15:14 -05:00
```
## Deploy and export cluster services
2022-06-28 15:54:57 -07:00
1. For the service in "cluster-02" that you want to export, add the following [annotations](/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) to your service's pods. This service is referred to as "backend-service" in the following steps.
2022-06-14 17:15:14 -05:00
<CodeBlockConfig filename="backend-service.yml">
```yaml
##…
annotations:
"consul.hashicorp.com/connect-inject": "true"
"consul.hashicorp.com/transparent-proxy": "false"
##…
```
</CodeBlockConfig>
2022-06-29 11:08:37 -07:00
1. In `cluster-02`, create an `ExportedServices` custom resource.
2022-06-14 17:15:14 -05:00
<CodeBlockConfig filename="exportedsvc.yml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ExportedServices
metadata:
name: default ## The name of the partition containing the service
spec:
services:
2022-06-29 11:08:37 -07:00
- name: backend-service ## The name of the service you want to export
consumers:
- peer: cluster-01 ## The name of the peer that receives the service
2022-06-14 17:15:14 -05:00
```
</CodeBlockConfig>
1. Create service intentions for the second cluster.
<CodeBlockConfig filename="intention.yml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
name: backend-deny
spec:
destination:
name: backend-service
sources:
- name: "*"
action: deny
- name: frontend-service
action: allow
```
</CodeBlockConfig>
1. Apply the service file, the `ExportedServices` resource, and the intentions to the second cluster.
```shell-session
2022-06-15 16:15:03 -05:00
$ kubectl apply --filename backend-service.yml --filename exportedsvc.yml --filename intention.yml
2022-06-14 17:15:14 -05:00
```
2022-06-29 11:08:37 -07:00
1. To confirm that you peered your clusters, in `cluster-01`, query the `/health` HTTP endpoint.
2022-06-14 17:15:14 -05:00
```shell-session
$ curl "localhost:8500/v1/health/connect/backend?peer=cluster-02"
```
2022-06-29 11:08:37 -07:00
1. For the services in `cluster-01` that you want to access the "backend-service," add the following annotations to the service file.
2022-06-14 17:15:14 -05:00
<CodeBlockConfig filename="frontend-service.yml">
```yaml
##…
annotations:
"consul.hashicorp.com/connect-inject": "true"
"consul.hashicorp.com/transparent-proxy": "false"
"consul.hashicorp.com/connect-service-upstreams": "backend-service.svc.cluster-02.peer:1234"
##…
```
</CodeBlockConfig>
1. Apply the service file to the first cluster.
```shell-session
2022-06-15 16:15:03 -05:00
$ kubectl apply --filename frontend-service.yml
2022-06-14 17:15:14 -05:00
```
1. Run the following command and check the output to confirm that you peered your clusters successfully.
```shell-session
$ curl localhost:1234
{
2022-06-28 15:54:57 -07:00
"name": "backend-service",
2022-06-14 17:15:14 -05:00
##…
2022-06-28 15:54:57 -07:00
"body": "Response from backend",
"code": 200
2022-06-14 17:15:14 -05:00
}
```
## End a peering connection
To end a peering connection, delete both the `PeeringAcceptor` and `PeeringDialer` resources.
2022-06-29 11:08:37 -07:00
To confirm that you deleted your peering connection, in `cluster-01`, query the `/health` HTTP endpoint. The peered services should no longer appear.
2022-06-14 17:15:14 -05:00
```shell-session
$ curl "localhost:8500/v1/health/connect/backend?peer=cluster-02"
```