mirror of https://github.com/hashicorp/consul
docs: Fix multi-port install (#19262)

* Update configure.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

pull/19282/head
parent 057f39e834
commit 76b4295d7c
|
@ -59,7 +59,13 @@ Then install Consul to your Kubernetes cluster using either the `consul-k8s` CLI
|
|||
|
||||
<Tab heading="consul-k8s CLI" group="consul-k8s">
|
||||
|
||||
For platforms other than Mac OSX amd64, refer to [Install a previous version](/consul/docs/k8s/installation/install-cli#install-a-previous-version) for instructions on how to install a specific version of the `consul-k8s` CLI prior to running `consul-k8s install`.
|
||||
|
||||
```shell-session
|
||||
$ export VERSION=1.3.0-rc1 && \
|
||||
curl --location "https://releases.hashicorp.com/consul-k8s/${VERSION}/consul-k8s_${VERSION}_darwin_amd64.zip" --output consul-k8s-cli.zip
|
||||
$ unzip -o consul-k8s-cli.zip -d ~/consul-k8s
|
||||
$ export PATH=$PATH:$HOME/consul-k8s
|
||||
$ consul-k8s install -config-file=values.yaml
|
||||
```
|
||||
|
||||
|
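Review bot: The added install block downloads `consul-k8s_${VERSION}_darwin_amd64.zip` with `curl` and then runs `unzip -o` and puts the result on `PATH` with no integrity check in between. Add a checksum verification step between the `curl` and `unzip` lines so readers do not install an archive they have not verified. The URL also hard-codes `darwin_amd64`; making the OS and architecture variables next to `VERSION` would make the new sentence about other platforms easier to act on.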
@ -68,7 +74,7 @@ $ consul-k8s install -config-file=values.yaml
|
|||
<Tab heading="Helm" group="helm">
|
||||
|
||||
```shell-session
|
||||
$ helm install consul hashicorp/consul --create-namespace --namespace consul --values values.yaml
|
||||
$ helm install consul hashicorp/consul --create-namespace --namespace consul --version 1.3.0-rc1 --values values.yaml
|
||||
```
|
||||
|
||||
</Tab>
|
||||
|
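Review bot: `--version 1.3.0-rc1` on the `helm install` line repeats the version that the consul-k8s CLI tab sets through `export VERSION=1.3.0-rc1`, so the two tabs can drift apart the next time one of them is bumped. State the required version once in the text above the tabs, or note beside both commands that they must match, and say that it is a release candidate.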
@ -281,14 +287,14 @@ spec:
|
|||
To apply these services to your Kubernetes deployment and register them with Consul, run the following command:
|
||||
|
||||
```shell-session
|
||||
$ kubectl apply -f api.yaml -f web.yaml --namespace consul
|
||||
$ kubectl apply -f api.yaml -f web.yaml
|
||||
```
|
||||
|
||||
## Configure traffic permissions
|
||||
|
||||
Consul uses traffic permissions to validate communication between services based on L4 identity. In the beta release of the v2 catalog API, traffic permissions allow all services by default. In order to verify that services function correctly on each port, create CRDs that deny traffic to each port.
|
||||
|
||||
The following examples create Consul CRDs that allow traffic to only one port of the multi-port service. Each resource separately denies `web` permission when it is a source of traffic to one of the services. These traffic permissions work with either method for defining a multi-port service.
|
||||
The following examples create Consul CRDs that allow traffic to only one port of the multi-port service. Each resource separately denies `web` permission when it is a source of traffic to one of the services. These traffic permissions work with either method for defining a multi-port service. When following the instructions on this page, apply these permissions individually when you validate the ports.
|
||||
|
||||
<CodeTabs tabs={[ "Deny port 80", "Deny port 90" ]}>
|
||||
|
||||
|
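Review bot: Dropping `--namespace consul` from `kubectl apply -f api.yaml -f web.yaml` makes the target namespace depend on the reader's current kubectl context, and the surrounding text does not say which namespace is expected. The later `deny-80.yaml` and `deny-90.yaml` steps are applied the same way, so a reader whose context points elsewhere will deploy the services and the traffic permissions somewhere other than where the page assumes. State the intended namespace in the sentence above the command.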
@ -338,15 +344,18 @@ spec:
|
|||
To open a shell to the `web` container, you need the name of the Pod it currently runs on. Run the following command to return a list of Pods:
|
||||
|
||||
```shell-session
|
||||
$ kubectl get pods --namespace consul
|
||||
$ kubectl get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
api-5784b54bcc-tp98l 3/3 Running 0 6m55s
|
||||
consul-connect-injector-54865fbcbf-sfjsl 1/1 Running 0 8m33s
|
||||
consul-server-0 1/1 Running 0 8m33s
|
||||
consul-webhook-cert-manager-666676bd5b-cdbxc 1/1 Running 0 8m33s
|
||||
web-6dcbd684bc-gk8n5 2/2 Running 0 6m55s
|
||||
```
|
||||
|
||||
Set environment variables to remember the pod name for the web workload for use in future commands.
|
||||
|
||||
```shell-session
|
||||
$ export WEB_POD=web-6dcbd684bc-gk8n5
|
||||
```
|
||||
|
||||
### Validate both ports
|
||||
|
||||
Use the `web` Pod's name to open a shell session and test the `api` service on port 80.
|
||||
|
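Review bot: The sample output under `kubectl get pods` still lists the `consul-connect-injector`, `consul-server-0` and `consul-webhook-cert-manager` Pods, which the install step places in the `consul` namespace (`--create-namespace --namespace consul`). Without the namespace flag a reader will see only the `api` and `web` rows unless their context is set to `consul`, so trim the output to those two rows. The new sentence also says "Set environment variables" for a single variable, and the exported name `web-6dcbd684bc-gk8n5` is copied from the sample output, so tell readers to substitute their own Pod name.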
@ -356,14 +365,14 @@ Use the `web` Pod's name to open a shell session and test the `api` service on p
|
|||
<Tab heading="Method 1" group="method1">
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
|
||||
hello world
|
||||
```
|
||||
|
||||
Then test the `api` service on port 90.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:90
|
||||
hello world from 9090 admin
|
||||
```
|
||||
|
||||
|
@ -372,14 +381,14 @@ hello world from 9090 admin
|
|||
<Tab heading="Method 2" group="method2">
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
|
||||
hello world
|
||||
```
|
||||
|
||||
Then test the `api-admin` service on port 90.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-admin:90
|
||||
$ kubectl exec -it ${WEB_POD} -c web --namespace consul -- curl api-admin:90
|
||||
hello world from 9090 admin
|
||||
```
|
||||
|
||||
|
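Review bot: The last command in the Method 2 tab, `kubectl exec -it ${WEB_POD} -c web --namespace consul -- curl api-admin:90`, still carries `--namespace consul` while every other command in this change drops it. With `web` now applied without the flag, this command looks for the Pod in `consul` and will not find it unless that is also the context's namespace. Remove `--namespace consul` here to match the `api:80` command above it.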
@ -391,7 +400,7 @@ hello world from 9090 admin
|
|||
Apply the CRD to allow traffic to port 80 only:
|
||||
|
||||
```shell-session
|
||||
$ kubectl apply -f deny-90.yaml --namespace consul
|
||||
$ kubectl apply -f deny-90.yaml
|
||||
```
|
||||
|
||||
<Tabs>
|
||||
|
@ -401,14 +410,14 @@ $ kubectl apply -f deny-90.yaml --namespace consul
|
|||
Then, open a shell session in the `web` container and test the `api` service on port 80.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
|
||||
hello world
|
||||
```
|
||||
|
||||
Test the `api` service on port 90. This command should fail, indicating that the traffic permission is in effect.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:90
|
||||
```
|
||||
|
||||
</Tab>
|
||||
|
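Review bot: The `curl api:90` block that "should fail" shows no expected output, so a reader cannot tell a denial by the traffic permission apart from an unrelated failure. This matters more now that the command depends on `${WEB_POD}`: in a new shell where the variable is unset, `kubectl exec` fails as well, and the reader would conclude that the permission is in effect when nothing was tested. Show the expected error text under the command, and consider `${WEB_POD:?}` so an unset variable stops with a clear message.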
@ -418,14 +427,14 @@ $ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90
|
|||
Then, open a shell session in the `web` container and test the `api` service on port 80.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
|
||||
hello world
|
||||
```
|
||||
|
||||
Test the `admin` service on port 90. This command should fail, indicating that the traffic permission is in effect.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-admin:90
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api-admin:90
|
||||
```
|
||||
|
||||
</Tab>
|
||||
|
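Review bot: The sentence above the last block says to test the `admin` service on port 90, but the command targets `api-admin:90` and the rest of the page calls the service `api-admin`. While these lines are being touched, change the text to `api-admin` so the deny check is described against the service name the command actually uses.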
@ -434,7 +443,7 @@ $ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-ad
|
|||
Before testing the other port, remove the `TrafficPermissions` CRD.
|
||||
|
||||
```shell-session
|
||||
$ kubectl delete -f deny-90.yaml --namespace consul
|
||||
$ kubectl delete -f deny-90.yaml
|
||||
```
|
||||
|
||||
### Validate port 90
|
||||
|
@ -442,7 +451,7 @@ $ kubectl delete -f deny-90.yaml --namespace consul
|
|||
Apply the CRD to allow traffic to port 90 only:
|
||||
|
||||
```shell-session
|
||||
$ kubectl apply -f deny-80.yaml --namespace consul
|
||||
$ kubectl apply -f deny-80.yaml
|
||||
```
|
||||
|
||||
<Tabs>
|
||||
|
@ -452,14 +461,14 @@ $ kubectl apply -f deny-80.yaml --namespace consul
|
|||
Then, open a shell session in the `web` container and test the `api` service on port 90.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:90
|
||||
hello world from 9090 admin
|
||||
```
|
||||
|
||||
Test the `api` service on port 80. This command should fail, indicating that the traffic permission is in effect.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
|
||||
```
|
||||
|
||||
</Tab>
|
||||
|
@ -469,15 +478,15 @@ $ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
|
|||
Then, open a shell session in the `web` container and test the `api-admin` service on port 90.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-admin:90
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api-admin:90
|
||||
hello world from 9090 admin
|
||||
```
|
||||
|
||||
Test the `api` service on port 80. This command should fail, indicating that the traffic permission is in effect.
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80
|
||||
$ kubectl exec -it ${WEB_POD} -c web -- curl api:80
|
||||
```
|
||||
|
||||
</Tab>
|
||||
</Tabs>
|
||||
</Tabs>
|
||||
|
|