@ -117,31 +117,33 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
1. Create a server configuration file to override the default Consul Helm chart settings:
<CodeTabs heading="server.yaml">
<CodeBlockConfig lineNumbers>
```yaml
global:
enableConsulNamespaces: true
tls:
enabled: true
image: hashicorp/consul-enterprise:1.11.0-ent-beta3
adminPartitions:
enabled: true
tls:
enabled: true
image: hashicorp/consul-enterprise:1.11.0-ent-beta3
adminPartitions:
enabled: true
enterpriseLicense:
secretName: consul-ent-license
secretKey: key
server:
exposeGossipAndRPCPorts: true
enterpriseLicense:
secretName: license
secretKey: key
connectInject:
enabled: true
transparentProxy:
defaultEnabled: false
consulNamespaces:
mirroringK8S: true
mirroringK8S: true
controller:
enabled: true
```
</CodeBlockConfig>
</CodeTabs>
Note that the `transparentProxy` configuration is disabled. This is to enable multi-cluster networking.
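Review bot: In server.yaml, `exposeGossipAndRPCPorts: true` is set while the `global` block configures only `tls`, with no `acls` or `gossipEncryption` keys anywhere in the example. The service listing in the next step shows the partition service as a LoadBalancer with an external IP on 8501, 8301 and 8300, so a reader who copies this file publishes the RPC and gossip ports with nothing but TLS configured. Suggest adding `global.acls.manageSystemACLs` and `global.gossipEncryption` to the example, or a sentence next to the `transparentProxy` note telling readers to restrict the load balancer's source ranges. Separately, the `enterpriseLicense` block appears in this hunk with two secret names (`consul-ent-license` and `license`), while clients.yaml uses `license`; keep one name across both files.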
@ -154,15 +156,25 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
```shell-session
kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 3m
servers-consul-connect-injector-svc ClusterIP 10.97.175.39 <none> 443/TCP 30s
servers-consul-controller-webhook ClusterIP 10.100.22.99 <none> 443/TCP 30s
servers-consul-dns ClusterIP 10.103.43.20 <none> 53/TCP,53/UDP 30s
servers-consul-partition-service LoadBalancer 10.111.255.152 35.192.119.38 8501:30643/TCP,8301:30466/TCP,8300:30657/TCP 30s
servers-consul-server ClusterIP None <none> 8501/TCP,8301/TCP,8301/UDP,8302/TCP,8302/UDP,8300/TCP,8600/TCP,8600/UDP 30s
servers-consul-ui ClusterIP 10.106.240.55 <none> 443/TCP 30s
kubernetes ClusterIP 10.8.0.1 <none> 443/TCP 77m
server-consul-connect-injector-svc ClusterIP 10.8.13.188 <none> 443/TCP 76s
server-consul-controller-webhook ClusterIP 10.8.14.178 <none> 443/TCP 77s
server-consul-dns ClusterIP 10.8.6.6 <none> 53/TCP,53/UDP 77s
server-consul-partition-service LoadBalancer 10.8.1.186 34.135.103.67 8501:31130/TCP,8301:31587/TCP,8300:30378/TCP 76s
server-consul-server ClusterIP None <none> 8501/TCP,8301/TCP,8301/UDP,8302/TCP,8302/UDP,8300/TCP,8600/TCP,8600/UDP 76s
server-consul-ui ClusterIP 10.8.0.218 <none> 443/TCP 77s
```
1. Get the Kubernetes authentication method URL for the workload cluster:
```shell-session
kubectl config view -o "jsonpath={.clusters[?(@.name=='<workload-cluster-name>')].cluster.server}"
```
Use the IP address printed to the console to configure the `k8sAuthMethodHost` parameter in the workload configuration file for your client nodes.
1. Create the workload configuration for client nodes in your cluster. Create a configuration for each admin partition. In the following example, the external IP address and the Kubernetes authentication method IP address from the previous steps have been applied:
1. Create the workload configuration for client nodes in your cluster. Create a configuration for each admin partition. In the following example, the external IP address from the previous step has been applied:
<CodeTabs heading="clients.yaml">
<CodeBlockConfig lineNumbers>
```yaml
global:
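Review bot: The step "Get the Kubernetes authentication method URL" reads `.cluster.server` from the kubeconfig, which is a full URL, but the sentence after the command says to use "the IP address printed to the console", and the clients.yaml example sets `k8sAuthMethodHost: "104.154.156.146"` as a bare address. State which form `k8sAuthMethodHost` expects (with or without scheme and port), and make the step title, the sentence and the example agree. The two variants of the "Create the workload configuration" sentence also differ on whether the authentication method address is mentioned; since the example uses both the external IP and `k8sAuthMethodHost`, the wording that is kept should name both.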
@ -171,7 +183,7 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
image: hashicorp/consul-enterprise:1.11.0-ent-beta3
adminPartitions:
enabled: true
name: "clients" // partition name
name: "clients"
tls:
enabled: true
caCert:
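Review bot: On the `name: "clients"` line under `adminPartitions`, the `// partition name` annotation is not YAML comment syntax, so it cannot stay in a file readers are told to copy. If the hint that this value is the partition name is worth keeping, write it as `# partition name`, which matches the `#` comment already used on the `hosts` line of this file.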
@ -180,36 +192,40 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
caKey:
secretName: consul-consul-ca-key
secretKey: tls.key
server:
enterpriseLicense:
secretName: license
secretKey: key
enterpriseLicense:
secretName: license
secretKey: key
externalServers:
enabled: true
hosts: "35.192.119.38" # Insert External IP of LoadBalancer here
hosts: [ "34.135.103.67" ]
tlsServerName: server.dc1.consul
k8sAuthMethodHost: "104.154.156.146"
client:
enabled: true
exposeGossipPorts: true
join: "35.192.119.38"
join: [ "34.135.103.67" ]
connectInject:
enabled: true
consulNamespaces:
mirroringK8S: true
mirroringK8S: true
controller:
enabled: true
meshGateway:
enabled: true
```
</CodeBlockConfig>
</CodeTabs>
1. Copy the server certificate to the workload cluster.
```shell-session
kubectl get secret server-consul-ca-cert --context server -o yaml | kubectl apply --context client -f -
kubectl get secret server-consul-ca-cert --context < server-context> -o yaml | kubectl apply --context < client-context> -f -
```
1. Copy the server key to the workload cluster.
```shell-session
kubectl get secret consul-consul-ca-key --context server -o yaml | kubectl apply --context client -f -
kubectl get secret server-consul-ca-key --context <server-context> -o yaml | kubectl apply --context <client-context> -f -
```
1. Start the workload client clusters:
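Review bot: The "Copy the server key" command names the secret `consul-consul-ca-key` in one variant and `server-consul-ca-key` in the other, while `caKey.secretName` in clients.yaml is `consul-consul-ca-key`. The name the command copies has to equal the name the chart looks up, so align `caKey.secretName` with the copy command, and check the `caCert` entry against `server-consul-ca-cert` in the same way. In the certificate command the placeholders are written `< server-context>` and `< client-context>` with a stray space, unlike `<server-context>` in the key command; use one form. Since this step moves the CA private key into the workload cluster, a sentence saying why the clients need the key and not only the certificate would help readers decide who may hold it.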