Mesh

v1.10.0+: This configuration entry is supported in Consul versions 1.10.0+.

The mesh configuration entry allows you to define a global default configuration that applies to all service mesh proxies. Settings in this config entry apply across all namespaces and federated datacenters.

Sample Configuration Entries

Mesh Destinations Only

Only allow transparent proxies to dial addresses in the mesh.

Mesh - 图1

Mesh - 图2

HCL

Mesh - 图3

  • HCL
  • Kubernetes YAML
  • JSON
  1. Kind = "mesh"
  2. TransparentProxy {
  3.   MeshDestinationsOnly = true
  4. }
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: Mesh
  3. metadata:
  4.   name: mesh
  5. spec:
  6.   transparentProxy:
  7.     meshDestinationsOnly: true
  1. {
  2.   "Kind": "mesh",
  3.   "TransparentProxy": {
  4.     "MeshDestinationsOnly": true
  5.   }
  6. }

Note that the Kubernetes example does not include a partition field. Configuration entries are applied on Kubernetes using custom resource definitions (CRD), which can only be scoped to their own partition.

Available Fields

Mesh - 图4

Mesh - 图5

  • Kind - Must be set to mesh

  • Namespace (string: "default")

    Enterprise

    - Must be set to default. The configuration will apply to all namespaces.

  • Partition (string: "default")

    Enterprise

    - Specifies the name of the admin partition in which the configuration entry applies. Refer to the Admin Partitions documentation for additional information.

  • Meta (map<string|string>: nil) - Specifies arbitrary KV metadata pairs. Added in Consul 1.8.4.

  • TransparentProxy (TransparentProxyConfig: <optional>) - Controls configuration specific to proxies in transparent mode. Added in v1.10.0.

    • MeshDestinationsOnly (bool: false) - Determines whether sidecar proxies operating in transparent mode can proxy traffic to IP addresses not registered in Consul’s mesh. If enabled, traffic will only be proxied to upstream proxies or Connect-native services. If disabled, requests will be proxied as-is to the original destination IP address. Consul will not encrypt the connection.

ACLs

Configuration entries may be protected by ACLs.

Reading a mesh config entry requires no specific privileges.

Creating, updating, or deleting a mesh config entry requires operator:write.