Manage L7 traffic with cluster peering on Kubernetes

This usage topic describes how to configure the service-resolver custom resource definition (CRD) to set up and manage L7 traffic between services that have an existing cluster peering connection in Consul on Kubernetes deployments.

For general guidance for managing L7 traffic with cluster peering, refer to Manage L7 traffic with cluster peering.

Service resolvers for redirects and failover

When you use cluster peering to connect datacenters through their admin partitions, you can use dynamic traffic management to configure your service mesh so that services automatically forward traffic to services hosted on peer clusters.

However, the service-splitter and service-router CRDs do not natively support directly targeting a service instance hosted on a peer. Before you can split or route traffic to a service on a peer, you must define the service hosted on the peer as an upstream service by configuring a failover in a service-resolver CRD. Then, you can set up a redirect in a second service resolver to interact with the peer service by name.

For more information about formatting, updating, and managing configuration entries in Consul, refer to How to use configuration entries.

Configure dynamic traffic between peers

To configure L7 traffic management behavior in deployments with cluster peering connections, complete the following steps in order:

  1. Define the peer cluster as a failover target in the service resolver configuration.

    The following example updates the service-resolver CRD in cluster-01 so that Consul redirects traffic intended for the frontend service to a backup instance in peer cluster-02 when it detects multiple connection failures.

    1. apiVersion: consul.hashicorp.com/v1alpha1
    2. kind: ServiceResolver
    3. metadata:
    4.   name: frontend
    5. spec:
    6.   connectTimeout: 15s
    7.   failover:
    8.     '*':
    9.       targets:
    10.         - peer: 'cluster-02'
    11.           service: 'frontend'
    12.           namespace: 'default'

  2. Define the desired behavior in service-splitter or service-router CRD.

    The following example splits traffic evenly between frontend and frontend-peer:

    1. apiVersion: consul.hashicorp.com/v1alpha1
    2. kind: ServiceSplitter
    3. metadata:
    4.   name: frontend
    5. spec:
    6.   splits:
    7.     - weight: 50
    8.       ## defaults to service with same name as configuration entry ("frontend")
    9.     - weight: 50
    10.       service: frontend-peer

  3. Create a second service-resolver configuration entry on the local cluster that resolves the name of the peer service you used when splitting or routing the traffic.

    The following example uses the name frontend-peer to define a redirect targeting the frontend service on the peer cluster-02:

    1. apiVersion: consul.hashicorp.com/v1alpha1
    2. kind: ServiceResolver
    3. metadata:
    4.   name: frontend-peer
    5. spec:
    6.   redirect:
    7.     peer: 'cluster-02'
    8.     service: 'frontend'