Mesh

The mesh configuration entry allows you to define a global default configuration that applies to all service mesh proxies. Settings in this config entry apply across all namespaces and federated datacenters.

Enforce that service mesh mTLS traffic uses TLS v1.2 or newer.

HCL

```hcl
Kind = "mesh"
TLS {
  Incoming {
    TLSMinVersion = "TLSv1_2"
  }
}
```

Kubernetes YAML

```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: Mesh
metadata:
  name: mesh
spec:
  tls:
    incoming:
      tlsMinVersion: TLSv1_2
```
JSON

```json
{
  "Kind": "mesh",
  "TLS": {
    "Incoming": {
      "TLSMinVersion": "TLSv1_2"
    }
  }
}
```

Note that the Kubernetes example does not include a partition field. Configuration entries are applied on Kubernetes using custom resource definitions (CRD), which can only be scoped to their own partition.

Mesh Destinations Only

Only allow transparent proxies to dial addresses in the mesh.

HCL

```hcl
Kind = "mesh"
TransparentProxy {
  MeshDestinationsOnly = true
}
```
Kubernetes YAML

```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: Mesh
metadata:
  name: mesh
spec:
  transparentProxy:
    meshDestinationsOnly: true
```
JSON

```json
{
  "Kind": "mesh",
  "TransparentProxy": {
    "MeshDestinationsOnly": true
  }
}
```


• Kind - Must be set to mesh

• Namespace (string: "default")

  Enterprise

  - Must be set to default. The configuration will apply to all namespaces.

• Partition (string: "default")

  Enterprise

  - Specifies the name of the admin partition in which the configuration entry applies. Refer to the Admin Partitions documentation for additional information.

• Meta (map<string|string>: nil) - Specifies arbitrary KV metadata pairs. Added in Consul 1.8.4.

• TransparentProxy - Configuration that applies to sidecar proxies running in transparent mode.

  • MeshDestinationsOnly (bool: false) - Determines whether sidecar proxies operating in transparent mode can proxy traffic to IP addresses not registered in Consul's mesh. If enabled, traffic will only be proxied to upstream proxies or Connect-native services. If disabled, requests will be proxied as-is to the original destination IP address, and Consul will not encrypt the connection.

• TLS (TLSConfig: <optional>) - TLS configuration for the service mesh.

  • Incoming (TLSDirectionConfig: <optional>) - TLS configuration for inbound mTLS connections targeting the public listener on connect-proxy and terminating-gateway proxy kinds.

    • TLSMinVersion (string: "") - Set the default minimum TLS version supported. One of TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, or TLSv1_3. If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, while older releases of Envoy default to TLS 1.0.

    • TLSMaxVersion (string: "") - Set the default maximum TLS version supported. Must be greater than or equal to TLSMinVersion. One of TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, or TLSv1_3. If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections.

    • CipherSuites (array<string>: <optional>) - Set the default list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier. If unspecified, Envoy will use its default cipher list. The list of supported cipher suites can be seen in consul/types/tls.go and depends on underlying support in Envoy. Future releases of Envoy may remove currently-supported but insecure cipher suites, and future releases of Consul may add new supported cipher suites if any are added to Envoy.

  • Outgoing (TLSDirectionConfig: <optional>) - TLS configuration for outbound mTLS connections dialing upstreams from connect-proxy and ingress-gateway proxy kinds.

    • TLSMinVersion (string: "") - Set the default minimum TLS version supported. One of TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, or TLSv1_3. If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, while older releases of Envoy default to TLS 1.0.

    • TLSMaxVersion (string: "") - Set the default maximum TLS version supported. Must be greater than or equal to TLSMinVersion. One of TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, or TLSv1_3. If unspecified, Envoy will default to TLS 1.2 as a max version for outgoing connections, but future Envoy releases may change this default.

    • CipherSuites (array<string>: <optional>) - Set the default list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier. If unspecified, Envoy will use its default cipher list. The list of supported cipher suites can be seen in consul/types/tls.go and depends on underlying support in Envoy. Future releases of Envoy may remove currently-supported but insecure cipher suites, and future releases of Consul may add new supported cipher suites if any are added to Envoy.
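The field constraints above (Kind must be mesh, Namespace must be default, TLS versions drawn from a fixed set, TLSMaxVersion not lower than TLSMinVersion, CipherSuites only relevant to TLS 1.2 and earlier) can be checked before an entry is written. The Python validator below is an added example, not Consul's own code or tooling; it operates on the JSON form of the entry, and the two sample entries HARDENED and WEAK are constructed for illustration (the cipher suite name in WEAK is a placeholder, not a real suite). Beyond the hard constraints, it flags an unset minimum version and MeshDestinationsOnly left false, since the page notes that both leave the weaker behaviour in place (TLS 1.0 on older Envoy releases, unencrypted proxying to non-mesh addresses).

```python
"""Check a Consul "mesh" configuration entry (JSON form) against the
constraints documented for its fields. Added example, not Consul's own code."""
import json

# Allowed values for TLSMinVersion / TLSMaxVersion, as documented.
TLS_VERSIONS = ("TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3")
# Ordering for the concrete versions; TLS_AUTO has no fixed place and is
# excluded from the min/max comparison.
_RANK = {v: i for i, v in enumerate(TLS_VERSIONS[1:])}


def _check_direction(name, cfg, findings):
    """Validate one TLSDirectionConfig block (Incoming or Outgoing)."""
    vmin = cfg.get("TLSMinVersion", "")
    vmax = cfg.get("TLSMaxVersion", "")
    for field, val in (("TLSMinVersion", vmin), ("TLSMaxVersion", vmax)):
        if val and val not in TLS_VERSIONS:
            findings.append(f"error: TLS.{name}.{field}={val!r} is not one of {list(TLS_VERSIONS)}")
    # TLSMaxVersion must be greater than or equal to TLSMinVersion.
    if vmin in _RANK and vmax in _RANK and _RANK[vmax] < _RANK[vmin]:
        findings.append(f"error: TLS.{name}.TLSMaxVersion={vmax} is lower than TLSMinVersion={vmin}")
    # An unset or pre-1.2 floor lets older Envoy releases negotiate TLS 1.0.
    if vmin == "" or (vmin in _RANK and _RANK[vmin] < _RANK["TLSv1_2"]):
        findings.append(f"warning: TLS.{name}.TLSMinVersion={vmin or 'unset'} allows TLS older than 1.2 on some Envoy versions")
    # CipherSuites only affect TLS 1.2 and earlier; with a 1.3-only floor the
    # list is dead configuration.
    suites = cfg.get("CipherSuites")
    if suites is not None:
        if not isinstance(suites, list) or not all(isinstance(s, str) for s in suites):
            findings.append(f"error: TLS.{name}.CipherSuites must be an array of strings")
        elif vmin == "TLSv1_3":
            findings.append(f"warning: TLS.{name}.CipherSuites has no effect because TLSMinVersion is TLSv1_3")


def validate_mesh_entry(entry):
    """Return a list of 'error: ...' / 'warning: ...' findings; empty means clean."""
    findings = []
    if entry.get("Kind") != "mesh":
        findings.append(f"error: Kind={entry.get('Kind')!r} must be 'mesh'")
    if entry.get("Namespace", "default") != "default":
        findings.append("error: Namespace must be 'default' for a mesh entry")
    tproxy = entry.get("TransparentProxy") or {}
    if not tproxy.get("MeshDestinationsOnly", False):
        findings.append("warning: TransparentProxy.MeshDestinationsOnly is false; transparent proxies may send unencrypted traffic to addresses outside the mesh")
    tls = entry.get("TLS") or {}
    # Check both directions; an absent block is treated as all-defaults.
    for direction in ("Incoming", "Outgoing"):
        _check_direction(direction, tls.get(direction) or {}, findings)
    return findings


def validate_json(text):
    """Parse a JSON config entry and validate it."""
    return validate_mesh_entry(json.loads(text))


# Constructed sample entries (not from the page): one hardened, one weak.
HARDENED = """{
  "Kind": "mesh",
  "TransparentProxy": {"MeshDestinationsOnly": true},
  "TLS": {
    "Incoming": {"TLSMinVersion": "TLSv1_2", "TLSMaxVersion": "TLSv1_3"},
    "Outgoing": {"TLSMinVersion": "TLSv1_2"}
  }
}"""

# Max below min, a cipher list that can never apply, and no outgoing floor.
WEAK = """{
  "Kind": "mesh",
  "TLS": {
    "Incoming": {
      "TLSMinVersion": "TLSv1_3",
      "TLSMaxVersion": "TLSv1_2",
      "CipherSuites": ["PLACEHOLDER-CIPHER-SUITE"]
    }
  }
}"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{label}:")
        for finding in validate_json(text) or ["ok"]:
            print("  " + finding)
```

Run it against the JSON you intend to pass to `consul config write`; an empty list means the entry satisfies every documented constraint, while warnings point at defaults the page describes as weaker rather than invalid.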

Configuration entries may be protected by ACLs.

Creating, updating, or deleting a config entry requires operator:write.