Hello, thanks for your help, but I’m still really struggling with this. Below are the steps I take:
1 - I create 6 servers in 2 datacenters
- The primary is do-nyc2, the secondary is do-lon1.
- both have ssl setup
2 - in the primary datacenter (do-nyc2) I bootstrap the acl and get the secret. “consul members” in this primary DC now shows the three servers
3 - I create two policies in consul:
service_prefix "gateway" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
agent_prefix "" {
policy = "read"
}

acl = "write"
operator = "write"
service_prefix "" {
policy = "read"
intentions = "read"
}
4 - I create three tokens, storing the secrets:
- 1 for mesh gateway in primary dc
- 1 for mesh gateway in secondary dc
- 1 for replication
5 - I run the mesh gateway in the primary dc, node 0
consul connect envoy -gateway=mesh -register \
-service "gateway-primary" \
-address "$(ip a show eth1 |awk '$1 == "inet" {sub("/.*","",$2); print $2; exit}'):9999" \
-wan-address "$(ip a show eth0 |awk '$1 == "inet" {sub("/.*","",$2); print $2; exit}'):9999" \
-expose-servers \
-token=4337cd61-a3e9-1769-9700-ece230e426d0
At this point, running “consul members -wan” in the primary DC shows me the servers in the secondary DC! hurrah!
6 - in the secondary DC, on each server, I run:
export CONSUL_HTTP_TOKEN=<bootstrap token>
consul acl set-agent-token replication <replication token from step 4>
and I get “ACL token ‘replication’ set successfully”
And this is where I’m stuck. The next step should be running the gateway on the secondary DC:
consul connect envoy -gateway=mesh -register \
-service "gateway-secondary" \
-address "$(ip a show eth1 |awk '$1 == "inet" {sub("/.*","",$2); print $2; exit}'):9999" \
-wan-address "$(ip a show eth0 |awk '$1 == "inet" {sub("/.*","",$2); print $2; exit}'):9999" \
-expose-servers \
-token=0ca62fd3-6e64-c7e2-9846-f7f95fc3268f
but this gives me an error:
Error registering service "gateway-secondary": Unexpected response code: 403 (could not retrieve initial service_defaults config for service "gateway-secondary": ACL not found)
I check the replication status and it doesn’t seem to be replicating:
$ curl http://localhost:8500/v1/acl/replication?pretty
{
"Enabled": true,
"Running": true,
"SourceDatacenter": "do-nyc2",
"ReplicationType": "tokens",
"ReplicatedIndex": 0,
"ReplicatedRoleIndex": 0,
"ReplicatedTokenIndex": 0,
"LastSuccess": "0001-01-01T00:00:00Z",
"LastError": "2021-08-11T14:56:46Z"
}
I can post configs and logs if necessary, but only on request since this post is already very long.
Thank you very much for any help you can provide.
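The `/v1/acl/replication` output quoted in the post carries enough information to tell whether a secondary datacenter has ever replicated anything from the primary: `LastSuccess` at Go's zero time (`0001-01-01T00:00:00Z`) together with `ReplicatedIndex` 0 means no successful replication pass has completed, and a `LastError` later than `LastSuccess` means the most recent attempt failed. The following is an added example, not code from the post or from Consul itself: a small Python checker that reads that JSON (the sample embedded below is constructed from the status shown above) and turns those fields into explicit findings, which is handy as a pre-check before registering a mesh gateway with a token that only exists in the primary DC.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the replication status quoted in the post above,
# as a secondary-DC server would return it from GET /v1/acl/replication.
SAMPLE_STATUS = """{
  "Enabled": true,
  "Running": true,
  "SourceDatacenter": "do-nyc2",
  "ReplicationType": "tokens",
  "ReplicatedIndex": 0,
  "ReplicatedRoleIndex": 0,
  "ReplicatedTokenIndex": 0,
  "LastSuccess": "0001-01-01T00:00:00Z",
  "LastError": "2021-08-11T14:56:46Z"
}"""

# Constructed sample of what a healthy secondary looks like for contrast
# (indices and timestamps are made up, not taken from any real cluster).
HEALTHY_STATUS = """{
  "Enabled": true,
  "Running": true,
  "SourceDatacenter": "do-nyc2",
  "ReplicationType": "tokens",
  "ReplicatedIndex": 1532,
  "ReplicatedRoleIndex": 1532,
  "ReplicatedTokenIndex": 1532,
  "LastSuccess": "2021-08-11T15:10:02Z",
  "LastError": "2021-08-11T14:56:46Z"
}"""

# Go serialises an unset time.Time as year 1; Consul uses it for "never".
ZERO_TIME = datetime(1, 1, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_replication(status_json):
    """Return a list of human-readable findings; an empty list means healthy."""
    status = json.loads(status_json)
    findings = []

    if not status.get("Enabled"):
        findings.append("ACL replication is not enabled on this datacenter")
    elif not status.get("Running"):
        findings.append("ACL replication is enabled but the replicator is not running")

    last_success = parse_ts(status["LastSuccess"])
    last_error = parse_ts(status["LastError"])

    if last_success == ZERO_TIME:
        findings.append("replication has never succeeded (LastSuccess is the zero time)")
    if last_error > last_success:
        findings.append(
            "most recent replication attempt failed at %s; check the secondary "
            "servers' logs for the error" % status["LastError"]
        )
    if status.get("ReplicatedIndex", 0) == 0:
        findings.append(
            "ReplicatedIndex is 0: no policies or tokens from %s exist here yet, "
            "so primary-DC tokens will be rejected with 'ACL not found'"
            % status.get("SourceDatacenter", "the primary")
        )
    return findings


def replication_type_note(status_json):
    """Explain what the ReplicationType field implies for token use."""
    kind = json.loads(status_json).get("ReplicationType")
    if kind == "tokens":
        return "policies, roles and tokens are replicated; primary tokens are usable here once LastSuccess is set"
    if kind == "policies":
        return "only policies and roles are replicated; tokens created in the primary are not usable here"
    return "unknown replication type: %r" % kind


if __name__ == "__main__":
    for name, sample in (("post sample", SAMPLE_STATUS), ("healthy sample", HEALTHY_STATUS)):
        print("== %s: %s" % (name, replication_type_note(sample)))
        for finding in assess_replication(sample) or ["no problems detected"]:
            print("  -", finding)
```

Run it against a live secondary with `curl -s http://localhost:8500/v1/acl/replication | python3 -c 'import sys, check; print(check.assess_replication(sys.stdin.read()))'` (with the file saved as `check.py`); a non-empty result explains why a token minted in the primary is not yet honoured in that datacenter.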