backport: docs: Fix multi-port install (#19262) (#19265)

docs: Fix multi-port install (#19262)

* Update configure.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
pull/19282/head
David Yu 2023-10-18 08:18:20 -07:00 committed by GitHub
parent 057f39e834
commit 76b4295d7c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 32 additions and 23 deletions

@ -59,7 +59,13 @@ Then install Consul to your Kubernetes cluster using either the `consul-k8s` CLI
<Tab heading="consul-k8s CLI" group="consul-k8s">
For platforms other than Mac OSX amd64, refer to [Install a previous version](/consul/docs/k8s/installation/install-cli#install-a-previous-version) for instructions on how to install a specific version of the `consul-k8s` CLI prior to running `consul-k8s install`.
```shell-session
$ export VERSION=1.3.0-rc1 && \
curl --location "https://releases.hashicorp.com/consul-k8s/${VERSION}/consul-k8s_${VERSION}_darwin_amd64.zip" --output consul-k8s-cli.zip
$ unzip -o consul-k8s-cli.zip -d ~/consul-k8s
$ export PATH=$PATH:$HOME/consul-k8s
$ consul-k8s install -config-file=values.yaml
```
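Review bot: The new download steps unzip `consul-k8s-cli.zip` and put it on the `PATH` with no integrity check between the `curl` and `unzip` lines. Add a step that verifies the archive against the checksums published for the release before extracting it. Separately, `export PATH=$PATH:$HOME/consul-k8s` appends, so a `consul-k8s` binary already on the `PATH` would still be the one that runs `consul-k8s install`; prepend the directory or call the extracted binary by its full path.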
@ -68,7 +74,7 @@ $ consul-k8s install -config-file=values.yaml
<Tab heading="Helm" group="helm">
```shell-session
$ helm install consul hashicorp/consul --create-namespace --namespace consul --values values.yaml
$ helm install consul hashicorp/consul --create-namespace --namespace consul --version 1.3.0-rc1 --values values.yaml
```
</Tab>
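Review bot: The `--version 1.3.0-rc1` added to the `helm install` line duplicates the value set in `VERSION` in the CLI tab, so the two tabs can drift apart when the release candidate is superseded. State once in the surrounding prose which version these instructions target and that it is a pre-release, so both tabs are updated together.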
@ -281,14 +287,14 @@ spec:
To apply these services to your Kubernetes deployment and register them with Consul, run the following command:
```shell-session
$ kubectl apply -f api.yaml -f web.yaml --namespace consul
$ kubectl apply -f api.yaml -f web.yaml
```
## Configure traffic permissions
Consul uses traffic permissions to validate communication between services based on L4 identity. In the beta release of the v2 catalog API, traffic permissions allow all services by default. In order to verify that services function correctly on each port, create CRDs that deny traffic to each port.
The following examples create Consul CRDs that allow traffic to only one port of the multi-port service. Each resource separately denies `web` permission when it is a source of traffic to one of the services. These traffic permissions work with either method for defining a multi-port service.
The following examples create Consul CRDs that allow traffic to only one port of the multi-port service. Each resource separately denies `web` permission when it is a source of traffic to one of the services. These traffic permissions work with either method for defining a multi-port service. When following the instructions on this page, apply these permissions individually when you validate the ports.
<CodeTabs tabs={[ "Deny port 80", "Deny port 90" ]}>
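Review bot: With `--namespace consul` dropped from `kubectl apply -f api.yaml -f web.yaml`, the services go to whatever namespace the reader's current kubectl context defaults to, while the install commands still use `--namespace consul`. Say in the prose which namespace the workloads are expected in, since the traffic permissions and the later `kubectl exec` steps depend on it. The added sentence also stacks two "when" clauses; "Apply these permissions one at a time as you validate each port" reads more clearly.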
@ -338,15 +344,18 @@ spec:
To open a shell to the `web` container, you need the name of the Pod it currently runs on. Run the following command to return a list of Pods:
```shell-session
$ kubectl get pods --namespace consul
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
api-5784b54bcc-tp98l 3/3 Running 0 6m55s
consul-connect-injector-54865fbcbf-sfjsl 1/1 Running 0 8m33s
consul-server-0 1/1 Running 0 8m33s
consul-webhook-cert-manager-666676bd5b-cdbxc 1/1 Running 0 8m33s
web-6dcbd684bc-gk8n5 2/2 Running 0 6m55s
```
Set environment variables to remember the pod name for the web workload for use in future commands.
```shell-session
$ export WEB_POD=web-6dcbd684bc-gk8n5
```
### Validate both ports
Use the `web` Pod's name to open a shell session and test the `api` service on port 80.
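Review bot: `export WEB_POD=web-6dcbd684bc-gk8n5` hard-codes the pod name from the sample output, which will differ in every reader's cluster. Tell the reader to substitute the name returned by `kubectl get pods`, and mention that the variable only lasts for the current shell session, because every later command now depends on it. The lead-in also says "environment variables" where only one is set.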
@ -356,14 +365,14 @@ Use the `web` Pod's name to open a shell session and test the `api` service on p
<Tab heading="Method 1" group="method1">
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
hello world
```
Then test the `api` service on port 90.
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90
$ kubectl exec -it ${WEB_POD} -c web -- curl api:90
hello world from 9090 admin
```
@ -372,14 +381,14 @@ hello world from 9090 admin
<Tab heading="Method 2" group="method2">
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
hello world
```
Then test the `api-admin` service on port 90.
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-admin:90
$ kubectl exec -it ${WEB_POD} -c web --namespace consul -- curl api-admin:90
hello world from 9090 admin
```
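Review bot: The updated `api-admin:90` command in this hunk still carries `--namespace consul` (`kubectl exec -it ${WEB_POD} -c web --namespace consul -- curl api-admin:90`), while every other command in the change drops the flag. As written it looks for the pod in a different namespace than the port 80 command just above it; remove the flag so Method 2 matches Method 1.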
@ -391,7 +400,7 @@ hello world from 9090 admin
Apply the CRD to allow traffic to port 80 only:
```shell-session
$ kubectl apply -f deny-90.yaml --namespace consul
$ kubectl apply -f deny-90.yaml
```
<Tabs>
@ -401,14 +410,14 @@ $ kubectl apply -f deny-90.yaml --namespace consul
Then, open a shell session in the `web` container and test the `api` service on port 80.
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
hello world
```
Test the `api` service on port 90. This command should fail, indicating that the traffic permission is in effect.
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90
$ kubectl exec -it ${WEB_POD} -c web -- curl api:90
```
</Tab>
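Review bot: The `curl api:90` step says "This command should fail" but shows no expected output, and after this change the command can also fail because `${WEB_POD}` is unset or the pod is in another namespace. Show the error the reader should expect when the traffic permission is in effect, so a denied connection can be told apart from a broken command. The same applies to the other "should fail" steps in the later hunks.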
@ -418,14 +427,14 @@ $ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90
Then, open a shell session in the `web` container and test the `api` service on port 80.
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
hello world
```
Test the `admin` service on port 90. This command should fail, indicating that the traffic permission is in effect.
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-admin:90
$ kubectl exec -it ${WEB_POD} -c web -- curl api-admin:90
```
</Tab>
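Review bot: The context sentence above the last command says "Test the `admin` service on port 90", but the command curls `api-admin:90` and the earlier Method 2 step calls it the `api-admin` service. Since the block is being edited anyway, change the prose to `api-admin` so the name matches the command.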
@ -434,7 +443,7 @@ $ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-ad
Before testing the other port, remove the `TrafficPermissions` CRD.
```shell-session
$ kubectl delete -f deny-90.yaml --namespace consul
$ kubectl delete -f deny-90.yaml
```
### Validate port 90
@ -442,7 +451,7 @@ $ kubectl delete -f deny-90.yaml --namespace consul
Apply the CRD to allow traffic to port 90 only:
```shell-session
$ kubectl apply -f deny-80.yaml --namespace consul
$ kubectl apply -f deny-80.yaml
```
<Tabs>
@ -452,14 +461,14 @@ $ kubectl apply -f deny-80.yaml --namespace consul
Then, open a shell session in the `web` container and test the `api` service on port 90.
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90
$ kubectl exec -it ${WEB_POD} -c web -- curl api:90
hello world from 9090 admin
```
Test the `api` service on port 80. This command should fail, indicating that the traffic permission is in effect.
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
```
</Tab>
@ -469,15 +478,15 @@ $ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
Then, open a shell session in the `web` container and test the `api-admin` service on port 90.
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-admin:90
$ kubectl exec -it ${WEB_POD} -c web -- curl api-admin:90
hello world from 9090 admin
```
Test the `api` service on port 80. This command should fail, indicating that the traffic permission is in effect.
```shell-session
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
```
</Tab>
</Tabs>
</Tabs>