
Service Mesh Communication Across Kubernetes Clusters

You can secure service-to-service communication across multiple Kubernetes clusters with Consul's mesh gateway feature. Mesh gateways let you protect cross-datacenter communication, which may traverse the public internet, with mTLS.

In this tutorial, you will deploy two Consul datacenters on separate Kubernetes clusters with Consul’s service mesh, WAN federation, and mesh gateways configured. You will then deploy two services into the service mesh, one in each Consul datacenter.

To securely connect the two services, you will configure the service sidecar proxies to route communication through the mesh gateways. Finally, you will test that the services can communicate.

To complete this tutorial, you will need the following environments provisioned.

You will use Helm 3 to install Consul on your existing Kubernetes clusters. In the Helm chart, you will need to configure your Consul servers, the Consul datacenter, and the following features:

You will learn how to configure each component section of the Helm values file, and then examine and apply the complete configuration for each data center.

For this tutorial, Consul is being installed into the Kubernetes default namespace. To install into another namespace, add the -n flag to the kubectl and helm commands.

First, you will need to add the HashiCorp Helm chart.

By default, all Consul agents will be added to the Consul service mesh and catalog. However, your Kubernetes services will still need sidecar proxies to secure communication.

The first step to enable Consul to automatically add a sidecar proxy to all the service pods is to install the resources necessary on the Kubernetes node. That is achieved by adding the following stanza to the values yaml files that will be applied to your data centers.

Note, you will still need to configure the service to automatically deploy sidecar proxies at deployment time.

Next, enable a mesh gateway. A mesh gateway is a proxy that provides an accessible IP address that other datacenters can reach. This also resolves issues with pod IP address ranges overlapping between datacenters. This stanza will also need to be included in the values yaml files that will be applied to your data centers.

WAN federation connects Consul servers from multiple datacenters into the same WAN gossip pool. WAN federation enables services to discover each other across data centers. The WAN federation configuration is slightly different for primary versus secondary datacenters. This yaml snippet shows how to configure the primary data center. Notice the createFederationSecret entry. This should only be set in a primary data center. Later in this tutorial, you will export the secret from the primary data center and inject it into the secondary data center. This will allow the secondary data center to automatically negotiate WAN federation with the primary.

Note that mesh gateways also require TLS to be enabled.

Finish configuring dc1 and the Consul agents. Below is a complete Consul datacenter configuration file, helm-consul-dc1-values.yaml.

Your kubectl context should be connected to the Kubernetes cluster where you are deploying Consul datacenter dc1.

Use helm to install Consul with the hashicorp/consul chart.

This command will wait until Consul is completely installed, which may take a few minutes depending on your environment.

For this tutorial, create a file named proxy-defaults.yaml that contains a ProxyDefaults CRD specification that globally configures all proxies to use the local mesh gateway mode.

Use kubectl to apply the CRD.
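The dc1 procedure above, as an added shell example that is not part of the tutorial: it writes the two files the steps ask for and runs the install commands, using the consul-k8s Helm chart's own keys. The release name `consul`, a single server replica and the file names are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the tutorial's own file: the dc1 values, the ProxyDefaults CRD
# and the install commands from the steps above. Release name "consul" and one
# server replica are assumptions; the chart keys are the consul-k8s Helm chart's.
set -eu

write_dc1_values() {
  cat > helm-consul-dc1-values.yaml <<'EOF'
global:
  name: consul
  datacenter: dc1
  tls:
    enabled: true                 # mesh gateways require TLS between datacenters
  federation:
    enabled: true
    createFederationSecret: true  # primary only: publishes the CA and server config for dc2
connectInject:
  enabled: true                   # installs the injector; pods still opt in by annotation
meshGateway:
  enabled: true
server:
  replicas: 1                     # assumption: a single server keeps the lab small
EOF
}

write_proxy_defaults() {
  cat > proxy-defaults.yaml <<'EOF'
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
  name: global                    # ProxyDefaults must be named "global"
spec:
  meshGateway:
    mode: local                   # sidecars send other-datacenter traffic via the local gateway
EOF
}

# Run with the kubectl context pointed at the dc1 cluster.
install_dc1() {
  helm repo add hashicorp https://helm.releases.hashicorp.com
  helm install consul hashicorp/consul --values helm-consul-dc1-values.yaml --wait
  kubectl apply -f proxy-defaults.yaml
}

write_dc1_values
write_proxy_defaults
```

Review the generated files, then call `install_dc1` once `kubectl config current-context` points at the dc1 cluster.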

You will need to export the federation secret created with the Consul datacenter dc1 to use with Consul datacenter dc2.

Now that you have deployed the Consul datacenter dc1, you can configure and deploy dc2. Connect your kubectl context to dc2.

Create the federation secret in dc2.

Now that you have prepared your Kubernetes cluster, finish configuring dc2 and the Consul agents. The dc2 datacenter will need the following additional options configured:

Create the customized chart helm-consul-dc2-values.yaml.

Finally, use helm to install Consul.

In dc2, you must also deploy a ProxyDefaults CRD that sets the mesh gateway mode. Use kubectl and the proxy-defaults.yaml file you created earlier to apply the CRD to dc2.

To verify that the Consul datacenters are connected and WAN federated, you can use kubectl to execute a Consul CLI command to query for a list of servers in the WAN gossip pool. All the servers, from both data centers, should be listed.
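The dc2 procedure above (secret export, dc2 values, install and WAN check), as an added shell example that is not the tutorial's own file. The Secret name `consul-federation` follows from `global.name: consul`; the release name and file names are assumptions.

```shell
# Added example, not the tutorial's own file: moves the federation secret into dc2,
# writes the dc2 values and lists the WAN pool. The Secret name "consul-federation"
# follows from global.name=consul; the release name is an assumption.
set -eu
# 1. kubectl context on dc1: the chart created this Secret (CA cert and key, server config).
export_federation_secret() {
  kubectl get secret consul-federation -o yaml > consul-federation-secret.yaml
}
# 2. kubectl context on dc2: recreate the same Secret before installing.
import_federation_secret() { kubectl apply -f consul-federation-secret.yaml; }

write_dc2_values() {
  cat > helm-consul-dc2-values.yaml <<'EOF'
global:
  name: consul
  datacenter: dc2
  tls:
    enabled: true
    caCert:                          # reuse dc1's CA so both datacenters share one trust root
      secretName: consul-federation
      secretKey: caCert
    caKey:
      secretName: consul-federation
      secretKey: caKey
  federation:
    enabled: true                    # secondary: no federation secret is generated here
connectInject:
  enabled: true
meshGateway:
  enabled: true
server:
  extraVolumes:                      # primary_datacenter and primary_gateways from dc1
    - type: secret
      name: consul-federation
      items:
        - key: serverConfigJSON
          path: config.json
      load: true
EOF
}

# 3. Install, apply the same ProxyDefaults, then list the WAN gossip pool:
#    every server from dc1 and dc2 should appear with status "alive".
install_dc2() {
  helm install consul hashicorp/consul --values helm-consul-dc2-values.yaml --wait
  kubectl apply -f proxy-defaults.yaml
  kubectl exec statefulset/consul-server -- consul members -wan
}

write_dc2_values
```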

Now that you have two connected Consul datacenters, you can deploy a service in each using kubectl.

The static-client service in this tutorial represents a frontend service, for example, a website.

Change contexts to communicate with Consul datacenter dc1.

First, create a yaml file, static-client.yaml, to define the static-client service.

The service definition includes two Consul-specific annotations:

The "consul.hashicorp.com/connect-inject": "true" annotation causes Consul to deploy a sidecar proxy alongside the static-client service. The sidecar proxy can both accept and establish connections using Consul.

Now, deploy the static-client service into the Consul datacenter dc1.

Use kubectl to check that the pods were deployed and are running successfully.

The static-server service in this tutorial represents a backend service, for example, a database.

Change contexts to communicate with Consul datacenter dc2.

First, create a yaml file, static-server.yaml, to define the static-server service. Note, the static-server service also includes the consul.hashicorp.com/connect-inject annotation.

Now, deploy the static-server service.

Use kubectl to check that the pods were deployed and are running successfully.

Servers participate in WAN gossip to share membership information, which allows servers to perform cross-data center requests. To secure these requests, the WAN gossip is sent through the mesh gateways which encrypt the communication with mTLS. The requests include service queries.

To discover services across your Kubernetes clusters, you can use the Consul UI or CLI to query the available services.

First, connect to one of the servers in the Consul datacenter dc2.

Use kubectl to execute a Consul CLI command that retrieves a list of all services in the other data center, dc1. The output will confirm that you can request service information from the WAN-connected data center.

Finally, verify that communication is being routed through the mesh gateways. Use curl to verify that the client in dc1 can retrieve data from the server in dc2.

Connect to the Kubernetes cluster where Consul datacenter dc1 is running.

Use kubectl to connect to the client and request data from the server.
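The static-client deployment and the final cross-datacenter check, as an added shell example that is not the tutorial's own manifest. The second annotation (the upstream declaration pointing at static-server in dc2), the curl image and the local port 1234 are assumptions.

```shell
# Added example, not the tutorial's own manifest: the static-client Deployment with the
# two Consul annotations, plus the end-to-end check. The upstream annotation, the image
# and the local port 1234 are assumptions.
set -eu
write_static_client() {
  cat > static-client.yaml <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: static-client
---
apiVersion: v1
kind: Service
metadata:
  name: static-client
spec:
  selector:
    app: static-client
  ports:
    - port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: static-client
  template:
    metadata:
      labels:
        app: static-client
      annotations:
        consul.hashicorp.com/connect-inject: "true"
        # assumed: declare static-server in dc2 as an upstream, reachable on localhost:1234
        consul.hashicorp.com/connect-service-upstreams: "static-server:1234:dc2"
    spec:
      serviceAccountName: static-client
      containers:
        - name: static-client
          image: curlimages/curl:latest
          command: ["/bin/sh", "-c", "while true; do sleep 3600; done"]
EOF
}
# kubectl context on dc1: client sidecar -> dc1 gateway -> dc2 gateway -> server sidecar, all over mTLS.
check_cross_dc() { kubectl exec deploy/static-client -c static-client -- curl -s localhost:1234; }
write_static_client
```

A response body from static-server confirms the path through both mesh gateways; a connection refused on localhost:1234 means the sidecar was not injected or the upstream was not declared.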
