feat: add PeerThroughMeshGateways to mesh config

2022-09-02 16:52:11 -04:00 · 2022-09-02 16:52:11 -04:00 · 0150e88200
parent e743eefbd1
commit 0150e88200
9 changed files with 859 additions and 608 deletions
--- a/agent/structs/config_entry_mesh.go
+++ b/agent/structs/config_entry_mesh.go
@ -17,6 +17,8 @@ type MeshConfigEntry struct {

 	HTTP *MeshHTTPConfig `json:",omitempty"`

+	Peering *PeeringMeshConfig `json:",omitempty"`
+
 	Meta               map[string]string `json:",omitempty"`
 	acl.EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
 	RaftIndex
@ -48,6 +50,16 @@ type MeshHTTPConfig struct {
 	SanitizeXForwardedClientCert bool `alias:"sanitize_x_forwarded_client_cert"`
 }

+// PeeringMeshConfig contains cluster-wide options pertaining to peering.
+type PeeringMeshConfig struct {
+	// PeerThroughMeshGateways determines whether peering traffic between
+	// control planes should flow through mesh gateways. If enabled,
+	// Consul servers will advertise mesh gateway addresses as their own.
+	// Additionally, mesh gateways will configure themselves to expose
+	// the local servers using a peering-specific SNI.
+	PeerThroughMeshGateways bool `alias:"peer_through_mesh_gateways"`
+}
+
 func (e *MeshConfigEntry) GetKind() string {
 	return MeshConfig
 }
--- a/agent/structs/config_entry_test.go
+++ b/agent/structs/config_entry_test.go
@ -1815,6 +1815,9 @@ func TestDecodeConfigEntry(t *testing.T) {
 				http {
 					sanitize_x_forwarded_client_cert = true
 				}
+				peering {
+					peer_through_mesh_gateways = true
+				}
 			`,
 			camel: `
 				Kind = "mesh"
@ -1846,6 +1849,9 @@ func TestDecodeConfigEntry(t *testing.T) {
 				HTTP {
 					SanitizeXForwardedClientCert = true
 				}
+				Peering {
+					PeerThroughMeshGateways = true
+				}
 			`,
 			expect: &MeshConfigEntry{
 				Meta: map[string]string{
@ -1876,6 +1882,9 @@ func TestDecodeConfigEntry(t *testing.T) {
 				HTTP: &MeshHTTPConfig{
 					SanitizeXForwardedClientCert: true,
 				},
+				Peering: &PeeringMeshConfig{
+					PeerThroughMeshGateways: true,
+				},
 			},
 		},
 		{
--- a/api/config_entry_mesh.go
+++ b/api/config_entry_mesh.go
@ -23,6 +23,8 @@ type MeshConfigEntry struct {

 	HTTP *MeshHTTPConfig `json:",omitempty"`

+	Peering *PeeringMeshConfig `json:",omitempty"`
+
 	Meta map[string]string `json:",omitempty"`

 	// CreateIndex is the Raft index this entry was created at. This is a
@ -54,6 +56,10 @@ type MeshHTTPConfig struct {
 	SanitizeXForwardedClientCert bool `alias:"sanitize_x_forwarded_client_cert"`
 }

+type PeeringMeshConfig struct {
+	PeerThroughMeshGateways bool `json:",omitempty" alias:"peer_through_mesh_gateways"`
+}
+
 func (e *MeshConfigEntry) GetKind() string            { return MeshConfig }
 func (e *MeshConfigEntry) GetName() string            { return MeshConfigMesh }
 func (e *MeshConfigEntry) GetPartition() string       { return e.Partition }
--- a/api/config_entry_test.go
+++ b/api/config_entry_test.go
@ -1316,6 +1316,9 @@ func TestDecodeConfigEntry(t *testing.T) {
 				},
 				"HTTP": {
 					"SanitizeXForwardedClientCert": true
+				},
+				"Peering": {
+					"PeerThroughMeshGateways": true
 				}
 			}
 			`,
@ -1348,6 +1351,9 @@ func TestDecodeConfigEntry(t *testing.T) {
 				HTTP: &MeshHTTPConfig{
 					SanitizeXForwardedClientCert: true,
 				},
+				Peering: &PeeringMeshConfig{
+					PeerThroughMeshGateways: true,
+				},
 			},
 		},
 	} {
--- a/proto/pbconfigentry/config_entry.gen.go
+++ b/proto/pbconfigentry/config_entry.gen.go
@ -415,6 +415,11 @@ func MeshConfigToStructs(s *MeshConfig, t *structs.MeshConfigEntry) {
 		MeshHTTPConfigToStructs(s.HTTP, &x)
 		t.HTTP = &x
 	}
+	if s.Peering != nil {
+		var x structs.PeeringMeshConfig
+		PeeringMeshConfigToStructs(s.Peering, &x)
+		t.Peering = &x
+	}
 	t.Meta = s.Meta
 }
 func MeshConfigFromStructs(t *structs.MeshConfigEntry, s *MeshConfig) {
@ -436,6 +441,11 @@ func MeshConfigFromStructs(t *structs.MeshConfigEntry, s *MeshConfig) {
 		MeshHTTPConfigFromStructs(t.HTTP, &x)
 		s.HTTP = &x
 	}
+	if t.Peering != nil {
+		var x PeeringMeshConfig
+		PeeringMeshConfigFromStructs(t.Peering, &x)
+		s.Peering = &x
+	}
 	s.Meta = t.Meta
 }
 func MeshDirectionalTLSConfigToStructs(s *MeshDirectionalTLSConfig, t *structs.MeshDirectionalTLSConfig) {
@ -496,6 +506,18 @@ func MeshTLSConfigFromStructs(t *structs.MeshTLSConfig, s *MeshTLSConfig) {
 		s.Outgoing = &x
 	}
 }
+func PeeringMeshConfigToStructs(s *PeeringMeshConfig, t *structs.PeeringMeshConfig) {
+	if s == nil {
+		return
+	}
+	t.PeerThroughMeshGateways = s.PeerThroughMeshGateways
+}
+func PeeringMeshConfigFromStructs(t *structs.PeeringMeshConfig, s *PeeringMeshConfig) {
+	if s == nil {
+		return
+	}
+	s.PeerThroughMeshGateways = t.PeerThroughMeshGateways
+}
 func RingHashConfigToStructs(s *RingHashConfig, t *structs.RingHashConfig) {
 	if s == nil {
 		return
--- a/proto/pbconfigentry/config_entry.pb.binary.go
+++ b/proto/pbconfigentry/config_entry.pb.binary.go
@ -67,6 +67,16 @@ func (msg *MeshHTTPConfig) UnmarshalBinary(b []byte) error {
 	return proto.Unmarshal(b, msg)
 }

+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *PeeringMeshConfig) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *PeeringMeshConfig) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
 // MarshalBinary implements encoding.BinaryMarshaler
 func (msg *ServiceResolver) MarshalBinary() ([]byte, error) {
 	return proto.Marshal(msg)
--- a/proto/pbconfigentry/config_entry.pb.go
+++ b/proto/pbconfigentry/config_entry.pb.go
--- a/proto/pbconfigentry/config_entry.proto
+++ b/proto/pbconfigentry/config_entry.proto
@ -40,6 +40,7 @@ message MeshConfig {
  MeshTLSConfig TLS = 2;
  MeshHTTPConfig HTTP = 3;
  map<string, string> Meta = 4;
+  PeeringMeshConfig Peering = 5;
 }

 // mog annotation:
@ -84,6 +85,15 @@ message MeshHTTPConfig {
  bool SanitizeXForwardedClientCert = 1;
 }

+// mog annotation:
+//
+// target=github.com/hashicorp/consul/agent/structs.PeeringMeshConfig
+// output=config_entry.gen.go
+// name=Structs
+message PeeringMeshConfig {
+  bool PeerThroughMeshGateways = 1;
+}
+
 // mog annotation:
 //
 // target=github.com/hashicorp/consul/agent/structs.ServiceResolverConfigEntry
--- a/website/content/docs/connect/config-entries/mesh.mdx
+++ b/website/content/docs/connect/config-entries/mesh.mdx
@ -68,8 +68,6 @@ The `mesh` configuration entry can only be created in the `default` namespace an

 ```hcl
 Kind      = "mesh"
-Namespace = "default" # Can only be set to "default".
-Partition = "default"

 TLS {
  Incoming {
@ -156,8 +154,6 @@ The `mesh` configuration entry can only be created in the `default` namespace an

 ```hcl
 Kind      = "mesh"
-Namespace = "default" # Can only be set to "default".
-Partition = "default"

 TransparentProxy {
  MeshDestinationsOnly = true
@ -193,6 +189,87 @@ spec:

 Note that the Kubernetes example does not include a `partition` field. Configuration entries are applied on Kubernetes using [custom resource definitions (CRD)](/docs/k8s/crds), which can only be scoped to their own partition.

+###  Peer Through Mesh Gateways
+
+Set the `PeerThroughMeshGateways` parameter to `true` to route peering control plane traffic through mesh gateways.
+
+<Tabs>
+<Tab heading="Consul OSS">
+
+<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
+
+```hcl
+Kind = "mesh"
+Peering {
+  PeerThroughMeshGateways = true
+}
+```
+
+```yaml
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: Mesh
+metadata:
+  name: mesh
+spec:
+  peering:
+    peerThroughMeshGateways: true
+```
+
+```json
+{
+  "Kind": "mesh",
+  "Peering": {
+    "PeerThroughMeshGateways": true
+  }
+}
+```
+
+</CodeTabs>
+
+</Tab>
+<Tab heading="Consul Enterprise">
+
+You can only set the `PeerThroughMeshGateways` attribute on `mesh` configuration entries in the `default` partition.
+The `default` partition owns the traffic routed through the mesh gateway control plane to Consul servers.
+
+<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
+
+```hcl
+Kind = "mesh"
+
+Peering {
+  PeerThroughMeshGateways = true
+}
+```
+
+```yaml
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: Mesh
+metadata:
+  name: mesh
+  namespace: default
+spec:
+  peering:
+    peerThroughMeshGateways: true
+```
+
+```json
+{
+  "Kind": "mesh",
+  "Peering": {
+    "PeerThroughMeshGateways": true
+  }
+}
+```
+
+</CodeTabs>
+
+</Tab>
+</Tabs>
+
+Note that the Kubernetes example does not include a `partition` field. Configuration entries are applied on Kubernetes using [custom resource definitions (CRD)](/docs/k8s/crds), which can only be scoped to their own partition.
+
+
 ## Available Fields

 <ConfigEntryReference
@ -365,6 +442,21 @@ Note that the Kubernetes example does not include a `partition` field. Configura
        },
      ],
    },
+    {
+      name: 'Peering',
+      type: 'PeeringMeshConfig: <optional>',
+      description:
+        'Controls configuration specific to [peering connections](/docs/connect/cluster-peering).',
+      children: [
+        {
+          name: 'PeerThroughMeshGateways',
+          type: 'bool: <optional>',
+          description: `Determines if peering control-plane traffic should be routed through mesh gateways.
+                        When enabled, dialing cluster attempt to contact peers through their mesh gateway.
+                        Clusters that accept calls advertise the address of their mesh gateways, rather than the address of their Consul servers.`,
+        },
+      ],
+    },
  ]}
 />