feat: add PeerThroughMeshGateways to mesh config

agent/structs/config_entry_mesh.go

@@ -17,6 +17,8 @@ type MeshConfigEntry struct {
 
 	HTTP *MeshHTTPConfig `json:",omitempty"`
 
+	Peering *PeeringMeshConfig `json:",omitempty"`
+
 	Meta               map[string]string `json:",omitempty"`
 	acl.EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
 	RaftIndex
@@ -48,6 +50,16 @@ type MeshHTTPConfig struct {
 	SanitizeXForwardedClientCert bool `alias:"sanitize_x_forwarded_client_cert"`
 }
 
+// PeeringMeshConfig contains cluster-wide options pertaining to peering.
+type PeeringMeshConfig struct {
+	// PeerThroughMeshGateways determines whether peering traffic between
+	// control planes should flow through mesh gateways. If enabled,
+	// Consul servers will advertise mesh gateway addresses as their own.
+	// Additionally, mesh gateways will configure themselves to expose
+	// the local servers using a peering-specific SNI.
+	PeerThroughMeshGateways bool `alias:"peer_through_mesh_gateways"`
+}
+
 func (e *MeshConfigEntry) GetKind() string {
 	return MeshConfig
 }

agent/structs/config_entry_test.go

@@ -1815,6 +1815,9 @@ func TestDecodeConfigEntry(t *testing.T) {
 				http {
 					sanitize_x_forwarded_client_cert = true
 				}
+				peering {
+					peer_through_mesh_gateways = true
+				}
 			`,
 			camel: `
 				Kind = "mesh"
@@ -1845,7 +1848,10 @@ func TestDecodeConfigEntry(t *testing.T) {
 				}
 				HTTP {
 					SanitizeXForwardedClientCert = true
-				}	
+				}
+				Peering {
+					PeerThroughMeshGateways = true
+				}
 			`,
 			expect: &MeshConfigEntry{
 				Meta: map[string]string{
@@ -1876,6 +1882,9 @@ func TestDecodeConfigEntry(t *testing.T) {
 				HTTP: &MeshHTTPConfig{
 					SanitizeXForwardedClientCert: true,
 				},
+				Peering: &PeeringMeshConfig{
+					PeerThroughMeshGateways: true,
+				},
 			},
 		},
 		{

api/config_entry_mesh.go

@@ -23,6 +23,8 @@ type MeshConfigEntry struct {
 
 	HTTP *MeshHTTPConfig `json:",omitempty"`
 
+	Peering *PeeringMeshConfig `json:",omitempty"`
+
 	Meta map[string]string `json:",omitempty"`
 
 	// CreateIndex is the Raft index this entry was created at. This is a
@@ -54,6 +56,10 @@ type MeshHTTPConfig struct {
 	SanitizeXForwardedClientCert bool `alias:"sanitize_x_forwarded_client_cert"`
 }
 
+type PeeringMeshConfig struct {
+	PeerThroughMeshGateways bool `json:",omitempty" alias:"peer_through_mesh_gateways"`
+}
+
 func (e *MeshConfigEntry) GetKind() string            { return MeshConfig }
 func (e *MeshConfigEntry) GetName() string            { return MeshConfigMesh }
 func (e *MeshConfigEntry) GetPartition() string       { return e.Partition }

api/config_entry_test.go

@@ -1316,6 +1316,9 @@ func TestDecodeConfigEntry(t *testing.T) {
 				},
 				"HTTP": {
 					"SanitizeXForwardedClientCert": true
+				},
+				"Peering": {
+					"PeerThroughMeshGateways": true
 				}
 			}
 			`,
@@ -1348,6 +1351,9 @@ func TestDecodeConfigEntry(t *testing.T) {
 				HTTP: &MeshHTTPConfig{
 					SanitizeXForwardedClientCert: true,
 				},
+				Peering: &PeeringMeshConfig{
+					PeerThroughMeshGateways: true,
+				},
 			},
 		},
 	} {

proto/pbconfigentry/config_entry.gen.go

@@ -415,6 +415,11 @@ func MeshConfigToStructs(s *MeshConfig, t *structs.MeshConfigEntry) {
 		MeshHTTPConfigToStructs(s.HTTP, &x)
 		t.HTTP = &x
 	}
+	if s.Peering != nil {
+		var x structs.PeeringMeshConfig
+		PeeringMeshConfigToStructs(s.Peering, &x)
+		t.Peering = &x
+	}
 	t.Meta = s.Meta
 }
 func MeshConfigFromStructs(t *structs.MeshConfigEntry, s *MeshConfig) {
@@ -436,6 +441,11 @@ func MeshConfigFromStructs(t *structs.MeshConfigEntry, s *MeshConfig) {
 		MeshHTTPConfigFromStructs(t.HTTP, &x)
 		s.HTTP = &x
 	}
+	if t.Peering != nil {
+		var x PeeringMeshConfig
+		PeeringMeshConfigFromStructs(t.Peering, &x)
+		s.Peering = &x
+	}
 	s.Meta = t.Meta
 }
 func MeshDirectionalTLSConfigToStructs(s *MeshDirectionalTLSConfig, t *structs.MeshDirectionalTLSConfig) {
@@ -496,6 +506,18 @@ func MeshTLSConfigFromStructs(t *structs.MeshTLSConfig, s *MeshTLSConfig) {
 		s.Outgoing = &x
 	}
 }
+func PeeringMeshConfigToStructs(s *PeeringMeshConfig, t *structs.PeeringMeshConfig) {
+	if s == nil {
+		return
+	}
+	t.PeerThroughMeshGateways = s.PeerThroughMeshGateways
+}
+func PeeringMeshConfigFromStructs(t *structs.PeeringMeshConfig, s *PeeringMeshConfig) {
+	if s == nil {
+		return
+	}
+	s.PeerThroughMeshGateways = t.PeerThroughMeshGateways
+}
 func RingHashConfigToStructs(s *RingHashConfig, t *structs.RingHashConfig) {
 	if s == nil {
 		return

proto/pbconfigentry/config_entry.pb.binary.go

@@ -67,6 +67,16 @@ func (msg *MeshHTTPConfig) UnmarshalBinary(b []byte) error {
 	return proto.Unmarshal(b, msg)
 }
 
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *PeeringMeshConfig) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *PeeringMeshConfig) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
 // MarshalBinary implements encoding.BinaryMarshaler
 func (msg *ServiceResolver) MarshalBinary() ([]byte, error) {
 	return proto.Marshal(msg)

proto/pbconfigentry/config_entry.proto

@@ -40,6 +40,7 @@ message MeshConfig {
   MeshTLSConfig TLS = 2;
   MeshHTTPConfig HTTP = 3;
   map<string, string> Meta = 4;
+  PeeringMeshConfig Peering = 5;
 }
 
 // mog annotation:
@@ -84,6 +85,15 @@ message MeshHTTPConfig {
   bool SanitizeXForwardedClientCert = 1;
 }
 
+// mog annotation:
+//
+// target=github.com/hashicorp/consul/agent/structs.PeeringMeshConfig
+// output=config_entry.gen.go
+// name=Structs
+message PeeringMeshConfig {
+  bool PeerThroughMeshGateways = 1;
+}
+
 // mog annotation:
 //
 // target=github.com/hashicorp/consul/agent/structs.ServiceResolverConfigEntry

website/content/docs/connect/config-entries/mesh.mdx

@@ -68,8 +68,6 @@ The `mesh` configuration entry can only be created in the `default` namespace an
 
 ```hcl
 Kind      = "mesh"
-Namespace = "default" # Can only be set to "default".
-Partition = "default"
 
 TLS {
   Incoming {
@@ -156,8 +154,6 @@ The `mesh` configuration entry can only be created in the `default` namespace an
 
 ```hcl
 Kind      = "mesh"
-Namespace = "default" # Can only be set to "default".
-Partition = "default"
 
 TransparentProxy {
   MeshDestinationsOnly = true
@@ -193,6 +189,87 @@ spec:
 
 Note that the Kubernetes example does not include a `partition` field. Configuration entries are applied on Kubernetes using [custom resource definitions (CRD)](/docs/k8s/crds), which can only be scoped to their own partition.
 
+###  Peer Through Mesh Gateways
+
+Set the `PeerThroughMeshGateways` parameter to `true` to route peering control plane traffic through mesh gateways.
+
+<Tabs>
+<Tab heading="Consul OSS">
+
+<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
+
+```hcl
+Kind = "mesh"
+Peering {
+  PeerThroughMeshGateways = true
+}
+```
+
+```yaml
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: Mesh
+metadata:
+  name: mesh
+spec:
+  peering:
+    peerThroughMeshGateways: true
+```
+
+```json
+{
+  "Kind": "mesh",
+  "Peering": {
+    "PeerThroughMeshGateways": true
+  }
+}
+```
+
+</CodeTabs>
+
+</Tab>
+<Tab heading="Consul Enterprise">
+
+You can only set the `PeerThroughMeshGateways` attribute on `mesh` configuration entries in the `default` partition.
+The `default` partition owns the traffic routed through the mesh gateway control plane to Consul servers.
+
+<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
+
+```hcl
+Kind = "mesh"
+
+Peering {
+  PeerThroughMeshGateways = true
+}
+```
+
+```yaml
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: Mesh
+metadata:
+  name: mesh
+  namespace: default
+spec:
+  peering:
+    peerThroughMeshGateways: true
+```
+
+```json
+{
+  "Kind": "mesh",
+  "Peering": {
+    "PeerThroughMeshGateways": true
+  }
+}
+```
+
+</CodeTabs>
+
+</Tab>
+</Tabs>
+
+Note that the Kubernetes example does not include a `partition` field. Configuration entries are applied on Kubernetes using [custom resource definitions (CRD)](/docs/k8s/crds), which can only be scoped to their own partition.
+
+
 ## Available Fields
 
 <ConfigEntryReference
@@ -365,6 +442,21 @@ Note that the Kubernetes example does not include a `partition` field. Configura
         },
       ],
     },
+    {
+      name: 'Peering',
+      type: 'PeeringMeshConfig: <optional>',
+      description:
+        'Controls configuration specific to [peering connections](/docs/connect/cluster-peering).',
+      children: [
+        {
+          name: 'PeerThroughMeshGateways',
+          type: 'bool: <optional>',
+          description: `Determines if peering control-plane traffic should be routed through mesh gateways.
+                        When enabled, dialing cluster attempt to contact peers through their mesh gateway.
+                        Clusters that accept calls advertise the address of their mesh gateways, rather than the address of their Consul servers.`,
+        },
+      ],
+    },
   ]}
 />