我的书签
添加书签
移除书签Cluster Peering on Kubernetes
To establish a cluster peering connection on Kubernetes, you need to enable the feature in the Helm chart and create custom resource definitions for each side of the peering.
The following Custom Resource Definitions (CRDs) are used to create and manage a peering connection:
- PeeringAcceptor: Generates a peering token and accepts an incoming peering connection.
- : Uses a peering token to make an outbound peering connection with the cluster that generated the token.
You must implement the following requirements to create and use cluster peering connections with Kubernetes:
- Consul 1.13 Alpha 2 or later
- At least two Kubernetes clusters
- The Kubernetes clusters must be running in a flat network
- The network must be running on Consul on Kubernetes v.0.45 or later
To establish cluster peering through Kubernetes, deploy clusters with the following Helm values.
values.yaml
image: "hashicorp/consul:1.13.0-alpha2"peering:enabled: trueconnectInject:enabled: truemeshGateway:enabled: truereplicas: 1
Install Consul on Kubernetes on each Kubernetes cluster by applying values.yaml using the Helm CLI.
$ export HELM_RELEASE_NAME=cluster-name
$ export HELM_RELEASE_NAME=cluster-name
$ helm install ${HELM_RELEASE_NAME} hashicorp/consul --version "0.45.0" --values values.yaml
$ helm install ${HELM_RELEASE_NAME} hashicorp/consul --version "0.45.0" --values values.yaml
To peer Kubernetes clusters running Consul, you need to create a peering token and share it with the other cluster.
In
cluster-01, create thePeeringAcceptorcustom resource.apiVersion: consul.hashicorp.com/v1alpha1kind: PeeringAcceptormetadata:name: cluster-02 ## The name of the peer you want to connect tospec:peer:secret:name: "peering-token"key: "data"backend: "kubernetes"
acceptor.yml
apiVersion: consul.hashicorp.com/v1alpha1kind: PeeringAcceptormetadata:name: cluster-02 ## The name of the peer you want to connect tospec:peer:secret:name: "peering-token"key: "data"backend: "kubernetes"
-
$ kubectl apply --filename acceptor.yml
$ kubectl apply --filename acceptor.yml
Save your peering token so that you can export it to the other cluster.
$ kubectl get secret peering-token --output yaml > peering-token.yml
$ kubectl get secret peering-token --output yaml > peering-token.yml
Apply the peering token to the second cluster.
$ kubectl apply --filename peering-token.yml
In “cluster-02,” create the
PeeringDialercustom resource.apiVersion: consul.hashicorp.com/v1alpha1kind: PeeringDialername: cluster-01 ## The name of the peer you want to connect tospec:peer:secret:name: "peering-token"key: "data"
dialer.yml
apiVersion: consul.hashicorp.com/v1alpha1kind: PeeringDialermetadata:name: cluster-01 ## The name of the peer you want to connect tospec:peer:secret:name: "peering-token"key: "data"backend: "kubernetes"
Apply the
PeeringDialerresource to the second cluster.$ kubectl apply --filename dialer.yml
$ kubectl apply --filename dialer.yml
For the service in “cluster-02” that you want to export, add the following annotations to your service’s pods. This service is referred to as “backend-service” in the following steps.
##…annotations:"consul.hashicorp.com/connect-inject": "true""consul.hashicorp.com/transparent-proxy": "false"##…
backend-service.yml
##…annotations:"consul.hashicorp.com/connect-inject": "true""consul.hashicorp.com/transparent-proxy": "false"##…
In “cluster-02,” create an
ExportedServicescustom resource.apiVersion: consul.hashicorp.com/v1alpha1kind: ExportedServicesmetadata:name: default ## The name of the partition containing the servicespec:services:name: backend-service ## The name of the service you want to exportconsumers:peerName: cluster-01 ## The name of the peer that receives the service
apiVersion: consul.hashicorp.com/v1alpha1kind: ExportedServicesmetadata:name: default ## The name of the partition containing the servicespec:services:name: backend-service ## The name of the service you want to exportconsumers:peerName: cluster-01 ## The name of the peer that receives the service
Create service intentions for the second cluster.
apiVersion: consul.hashicorp.com/v1alpha1kind: ServiceIntentionsmetadata:name: backend-denyspec:name: backend-servicesources:- name: "*"- name: frontend-serviceaction: allow
intention.yml
apiVersion: consul.hashicorp.com/v1alpha1kind: ServiceIntentionsmetadata:name: backend-denyspec:destination:name: backend-servicesources:- name: "*"action: deny- name: frontend-serviceaction: allow
Apply the service file, the
ExportedServicesresource, and the intentions to the second cluster.$ kubectl apply --filename backend-service.yml --filename exportedsvc.yml --filename intention.yml
To confirm that you peered your clusters, in “cluster-01,” query the
/healthHTTP endpoint.$ curl "localhost:8500/v1/health/connect/backend?peer=cluster-02"
$ curl "localhost:8500/v1/health/connect/backend?peer=cluster-02"
For the services in “cluster-01” that you want to access the “backend-service,” add the following annotations to the service file.
##…annotations:"consul.hashicorp.com/connect-inject": "true""consul.hashicorp.com/transparent-proxy": "false""consul.hashicorp.com/connect-service-upstreams": "backend-service.svc.cluster-02.peer:1234"##…
frontend-service.yml
##…annotations:"consul.hashicorp.com/connect-inject": "true""consul.hashicorp.com/transparent-proxy": "false""consul.hashicorp.com/connect-service-upstreams": "backend-service.svc.cluster-02.peer:1234"##…
Apply the service file to the first cluster.
$ kubectl apply --filename frontend-service.yml
$ kubectl apply --filename frontend-service.yml
Run the following command and check the output to confirm that you peered your clusters successfully.
$ curl localhost:1234{“name”: “backend-service”,##…“body”: “Response from backend”,“code”: 200}
$ curl localhost:1234{“name”: “backend-service”,##…“body”: “Response from backend”,“code”: 200}
To end a peering connection, delete both the PeeringAcceptor and PeeringDialer resources.
$ curl "localhost:8500/v1/health/connect/backend?peer=cluster-02"
