mirror of https://github.com/hashicorp/consul
fix a bunch of broken links
parent 7cfffa5a8e
commit b44a36ce01
|
@ -101,4 +101,4 @@ The Consul Helm chart can automate much of Consul Connect's configuration, and
|
|||
makes it easy to automatically inject Envoy sidecars into new pods when they are
|
||||
deployed. Learn about the [Helm chart](/docs/platform/k8s/helm) in general,
|
||||
or if you are already familiar with it, check out it's
|
||||
[connect specific configurations](/docs/platform/k8s/connect/overview).
|
||||
[connect specific configurations](/docs/platform/k8s/connect).
|
||||
|
|
|
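Review bot: The replacement link `/docs/platform/k8s/connect` keeps the `/docs/platform/k8s/` prefix, while the other files in this commit link to `/docs/k8s/connect` and `/docs/k8s/helm`; please confirm the `platform` path still resolves (the unchanged `/docs/platform/k8s/helm` link two lines up has the same question). Since the line is being touched anyway, "check out it's" should read "check out its".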
@ -10,7 +10,7 @@ description: |-
|
|||
|
||||
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher
|
||||
|
||||
~> This topic requires familiarity with [mesh gateways](/docs/connect/mesh-gateway).
|
||||
~> This topic requires familiarity with [mesh gateways](/docs/connect/gateways/mesh-gateway).
|
||||
|
||||
WAN federation via mesh gateways allows for Consul servers in different datacenters
|
||||
to be federated exclusively through mesh gateways.
|
||||
|
|
|
@ -423,7 +423,7 @@ environment.
|
|||
[counting-1.json]: https://raw.githubusercontent.com/hashicorp/demo-consul-101/master/demo-config-localhost/counting-1.json
|
||||
[dashboard service]: https://github.com/hashicorp/demo-consul-101/releases/download/0.0.2/dashboard-service_linux_amd64.zip
|
||||
[dashboard.json]: https://raw.githubusercontent.com/hashicorp/demo-consul-101/master/demo-config-localhost/dashboard.json
|
||||
[default acl policy]: https://www.consul.io/docs/agent/options.html#acl_default_policy
|
||||
[default acl policy]: https://www.consul.io/docs/agent/options#acl_default_policy
|
||||
[demo-consul-101 project]: https://github.com/hashicorp/demo-consul-101
|
||||
[dev agent]: https://learn.hashicorp.com/consul/getting-started/agent
|
||||
[docker guide]: https://learn.hashicorp.com/consul/day-0/containers-guide
|
||||
|
@ -432,11 +432,11 @@ environment.
|
|||
[img-flow]: /static/img/consul/connect-getting-started/consul_connect_demo_service_flow.png
|
||||
[img-screenshot1]: /static/img/consul/connect-getting-started/screenshot1.png
|
||||
[img-screenshot2]: /static/img/consul/connect-getting-started/screenshot2.png
|
||||
[intention]: https://www.consul.io/docs/connect/intentions.html
|
||||
[services-api]: https://www.consul.io/api/agent/service.html#register-service
|
||||
[services-cli]: https://www.consul.io/docs/commands/services.html
|
||||
[services-config]: https://www.consul.io/docs/agent/services.html#service-definition
|
||||
[services-nomad]: https://www.nomadproject.io/docs/job-specification/service.html
|
||||
[intention]: https://www.consul.io/docs/connect/intentions
|
||||
[services-api]: https://www.consul.io/api/agent/service#register-service
|
||||
[services-cli]: https://www.consul.io/docs/commands/services
|
||||
[services-config]: https://www.consul.io/docs/agent/services#service-definition
|
||||
[services-nomad]: https://www.nomadproject.io/docs/job-specification/service
|
||||
[sidecar]: https://docs.microsoft.com/en-us/azure/architecture/patterns/sidecar
|
||||
[sidecar_service]: https://www.consul.io/docs/connect/registration/sidecar-service.html
|
||||
[services-k8s]: https://www.consul.io/docs/platform/k8s/connect/overview.html#installation-and-configuration
|
||||
[sidecar_service]: https://www.consul.io/docs/connect/registration/sidecar-service
|
||||
[services-k8s]: https://www.consul.io/docs/platform/k8s/connect#installation-and-configuration
|
||||
|
|
|
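Review bot: The `[services-nomad]` target is on nomadproject.io, a different site from the one this commit is restructuring, so dropping `.html` there needs its own check that `https://www.nomadproject.io/docs/job-specification/service` resolves. The new `[services-k8s]` target also uses `/docs/platform/k8s/connect` where the other files in this commit use `/docs/k8s/connect`; pick one. The `learn.hashicorp.com` reference links in the previous hunk's context were left alone and may deserve the same link check.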
@ -80,4 +80,4 @@ $ consul -v
|
|||
|
||||
Consul currently supports all 'evergreen' browsers, as they are generally on
|
||||
up-to-date versions. For more information on supported browsers, please see our
|
||||
[FAQ](/faq.mdx)
|
||||
[FAQ](/docs/faq)
|
||||
|
|
|
@ -286,7 +286,7 @@ If you have tried the above troubleshooting steps and are still stuck, DataWire
|
|||
[ingress controller]: https://blog.getambassador.io/kubernetes-ingress-nodeport-load-balancers-and-ingress-controllers-6e29f1c44f2d
|
||||
[proxies]: /docs/connect/proxies
|
||||
[service sync]: /docs/k8s/service-sync
|
||||
[connect sidecar]: /docs/k8s/connect/overview
|
||||
[connect sidecar]: /docs/k8s/connect
|
||||
[install]: https://www.getambassador.io/user-guide/consul-connect-ambassador/
|
||||
[ambassador-service.yaml]: https://www.getambassador.io/yaml/ambassador/ambassador-service.yaml
|
||||
[request access]: https://d6e.co/slack
|
||||
|
|
|
@ -88,20 +88,20 @@ global:
|
|||
name: consul
|
||||
server:
|
||||
extraVolumes:
|
||||
- type: secret
|
||||
name: vault-config
|
||||
load: true
|
||||
items:
|
||||
- key: config
|
||||
path: vault-config.json
|
||||
- type: secret
|
||||
name: vault-ca
|
||||
load: false
|
||||
- type: secret
|
||||
name: vault-config
|
||||
load: true
|
||||
items:
|
||||
- key: config
|
||||
path: vault-config.json
|
||||
- type: secret
|
||||
name: vault-ca
|
||||
load: false
|
||||
connectInject:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
Finally, [install](/docs/k8s/installation/overview#installing-consul) the Helm chart using the above config file:
|
||||
Finally, [install](/docs/k8s/installation#installing-consul) the Helm chart using the above config file:
|
||||
|
||||
```shell-session
|
||||
$ helm install consul -f config.yaml hashicorp/consul
|
||||
|
|
|
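Review bot: The `extraVolumes` list under `server:` is removed and re-added with identical keys and values (`vault-config`, `vault-ca`, `load`, `items`), so that part of the hunk is a whitespace-only reindent that the commit message "fix a bunch of broken links" does not mention. Indentation is significant in this values file, so either split the reformatting into its own commit or say in the message that a formatter was run, and confirm the rendered YAML still nests `items` under the `vault-config` entry. The link change to `/docs/k8s/installation#installing-consul` itself looks fine.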
@ -21,12 +21,12 @@ your cluster, making configuration for Kubernetes automatic.
|
|||
This functionality is provided by the
|
||||
[consul-k8s project](https://github.com/hashicorp/consul-k8s) and can be
|
||||
automatically installed and configured using the
|
||||
[Consul Helm chart](/docs/k8s/installation/overview).
|
||||
[Consul Helm chart](/docs/k8s/installation).
|
||||
|
||||
## Usage
|
||||
|
||||
When the
|
||||
[Connect injector is installed](/docs/k8s/connect/overview#installation-and-configuration),
|
||||
[Connect injector is installed](/docs/k8s/connect#installation-and-configuration),
|
||||
the Connect sidecar can be automatically added to all pods. This sidecar can both
|
||||
accept and establish connections using Connect, enabling the pod to communicate
|
||||
to clients and dependencies exclusively over authorized and encrypted
|
||||
|
@ -78,7 +78,7 @@ spec:
|
|||
The only change for Connect is the addition of the
|
||||
`consul.hashicorp.com/connect-inject` annotation. This enables injection
|
||||
for this pod. The injector can also be
|
||||
[configured](/docs/k8s/connect/overview#installation-and-configuration)
|
||||
[configured](/docs/k8s/connect#installation-and-configuration)
|
||||
to automatically inject unless explicitly disabled, but the default
|
||||
installation requires opt-in using the annotation shown above.
|
||||
|
||||
|
@ -131,7 +131,7 @@ spec:
|
|||
```
|
||||
|
||||
Pods must specify upstream dependencies with the
|
||||
[`consul.hashicorp.com/connect-service-upstreams` annotation](/docs/k8s/connect/overview#consul-hashicorp-com-connect-service-upstreams).
|
||||
[`consul.hashicorp.com/connect-service-upstreams` annotation](/docs/k8s/connect#consul-hashicorp-com-connect-service-upstreams).
|
||||
This annotation declares the names of any upstream dependencies and a
|
||||
local port for the proxy to listen on. When a connection is established to that local
|
||||
port, the proxy establishes a connection to the target service
|
||||
|
@ -332,7 +332,7 @@ provided by the
|
|||
[consul-k8s project](https://github.com/hashicorp/consul-k8s).
|
||||
This enables the automatic pod mutation shown in the usage section above.
|
||||
Installation of the mutating admission webhook is automated using the
|
||||
[Helm chart](/docs/k8s/installation/overview).
|
||||
[Helm chart](/docs/k8s/installation).
|
||||
|
||||
To install the Connect injector, enable the Connect injection feature using
|
||||
[Helm values](/docs/k8s/helm#configuration-values) and
|
||||
|
@ -505,7 +505,7 @@ See [consul.hashicorp.com/connect-service-upstreams](#consul-hashicorp-com-conne
|
|||
### Verifying the Installation
|
||||
|
||||
To verify the installation, run the
|
||||
["Accepting Inbound Connections"](/docs/k8s/connect/overview#accepting-inbound-connections)
|
||||
["Accepting Inbound Connections"](/docs/k8s/connect#accepting-inbound-connections)
|
||||
example from the "Usage" section above. After running this example, run
|
||||
`kubectl get pod static-server -o yaml`. In the raw YAML output, you should
|
||||
see injected Connect containers and an annotation
|
||||
|
|
|
@ -16,14 +16,15 @@ See [Ingress Gateways](/docs/connect/ingress-gateway) for more information on us
|
|||
|
||||
Adding an ingress gateway is a multi-step process that consists of the following steps:
|
||||
|
||||
* Setting the helm chart configuration
|
||||
* Deploying the helm chart
|
||||
* Configuring the gateway
|
||||
* Defining an Intention (if ACLs are enabled)
|
||||
* Deploying your application to Kubernetes
|
||||
* Connecting to your application
|
||||
- Setting the helm chart configuration
|
||||
- Deploying the helm chart
|
||||
- Configuring the gateway
|
||||
- Defining an Intention (if ACLs are enabled)
|
||||
- Deploying your application to Kubernetes
|
||||
- Connecting to your application
|
||||
|
||||
## Setting the helm chart configuration
|
||||
|
||||
When deploying the helm chart you must provide helm with a custom yaml file that contains your environment configuration.
|
||||
|
||||
```yaml
|
||||
|
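Review bot: This hunk changes no link at all: it only swaps `*` bullets for `-` and adds a blank line after the list, which is outside what the commit message describes. Meanwhile the line shown in the hunk header still links `[Ingress Gateways](/docs/connect/ingress-gateway)`; another file in this commit moves the mesh gateway page to `/docs/connect/gateways/mesh-gateway`, so it is worth checking whether the ingress gateway link needs the same `/gateways/` segment.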
@ -38,25 +39,25 @@ ingressGateways:
|
|||
service:
|
||||
type: LoadBalancer
|
||||
```
|
||||
~> *Note:* this will create a public unauthenticated LoadBalancer in your cluster, please take appropriate security considerations.
|
||||
|
||||
~> _Note:_ this will create a public unauthenticated LoadBalancer in your cluster, please take appropriate security considerations.
|
||||
|
||||
The yaml snippet is the launching point for a valid configuration that must be supplied when installing using the [official consul-helm chart](https://hub.helm.sh/charts/hashicorp/consul).
|
||||
Information on additional options can be found in the [Helm reference](/docs/k8s/helm). Configuration options for ingress gateways reside under the [ingressGateways](/docs/k8s/helm#v-ingressgateways) entry.
|
||||
|
||||
|
||||
The gateways stanza is where you will define and configure the set of ingress gateways you want deployed to your environment.
|
||||
The only required field for each entry is `name`, though entries may contain any of the fields found in the `defaults` stanza.
|
||||
Values in this section override the values from the defaults stanza for the given ingress gateway with one exception:
|
||||
the annotations from the defaults stanza will be *appended* to any user-defined annotations defined in the gateways stanza rather than being overridden.
|
||||
the annotations from the defaults stanza will be _appended_ to any user-defined annotations defined in the gateways stanza rather than being overridden.
|
||||
Please refer to the ingress gateway configuration [documentation](/docs/k8s/helm#v-ingressgateways-defaults) for a detailed explanation of each option.
|
||||
|
||||
-> *Note*: Make sure any ports that will be used as listeners in the ingress gateway's Consul config entry are included
|
||||
-> _Note_: Make sure any ports that will be used as listeners in the ingress gateway's Consul config entry are included
|
||||
in the `ports` object for each gateway. By default ports 8080 and 8443 are exposed for traffic.
|
||||
|
||||
## Deploying the helm chart
|
||||
|
||||
Ensure you have the latest consul-helm chart and install Consul via helm using the following
|
||||
[guide](/docs/k8s/installation/overview#installing-consul) while being sure to provide the yaml configuration
|
||||
[guide](/docs/k8s/installation#installing-consul) while being sure to provide the yaml configuration
|
||||
as previously discussed.
|
||||
|
||||
## Configuring the gateway
|
||||
|
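Review bot: The `~> _Note:_` line about the "public unauthenticated LoadBalancer" is rewritten here only to change `*Note:*` to `_Note:_`, and it still tells the reader to "take appropriate security considerations" without naming any. While the line is open, say what the reader should do before exposing the gateway, for example pointing at the intention step this page describes later for clusters with ACLs enabled. The same applies to the emphasis-only change on the `-> _Note_:` ports line: it is formatting churn in a link-fix commit.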
@ -64,8 +65,8 @@ as previously discussed.
|
|||
Now that Consul has been installed with ingress gateways enabled, you must add the corresponding configuration to Consul. This requires you to use the Consul CLI.
|
||||
Configuring the ingress gateway requires:
|
||||
|
||||
* Accessing the Consul server
|
||||
* Submitting an Ingress Gateway configuration entry to Consul
|
||||
- Accessing the Consul server
|
||||
- Submitting an Ingress Gateway configuration entry to Consul
|
||||
|
||||
### Accessing the Consul server
|
||||
|
||||
|
@ -74,17 +75,20 @@ You can access the Consul server directly from your host via `kubectl port-forwa
|
|||
```shell-session
|
||||
$ kubectl port-forward consul-server-0 8500 &
|
||||
```
|
||||
|
||||
If TLS is enabled use port 8501.
|
||||
|
||||
-> Download the latest Consul binary from [Downloads](/downloads.html).
|
||||
[https://releases.hashicorp.com/consul/](https://releases.hashicorp.com/consul/)
|
||||
|
||||
If TLS is enabled set:
|
||||
|
||||
```shell-session
|
||||
$ export CONSUL_HTTP_ADDR=https://localhost:8501
|
||||
```
|
||||
|
||||
If ACLs are enabled set :
|
||||
|
||||
```shell-session
|
||||
$ export CONSUL_HTTP_TOKEN=$(kubectl get secret consul-bootstrap-acl-token -o jsonpath={.data.token} | base64 -D)
|
||||
$ export CONSUL_HTTP_SSL_VERIFY=false
|
||||
|
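Review bot: `export CONSUL_HTTP_SSL_VERIFY=false` sits in the "If ACLs are enabled set :" block directly after `CONSUL_HTTP_TOKEN` is exported, so a reader following this page sends the bootstrap ACL token over a TLS connection whose certificate is not verified. Move the setting to the TLS block (as the terminating gateway page in this commit does) and prefer pointing `CONSUL_CACERT` at the cluster CA instead of disabling verification. Two smaller items in the same hunk: `[Downloads](/downloads.html)` still carries the `.html` suffix this commit removes elsewhere, and "set :" has a stray space before the colon.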
@ -129,6 +133,7 @@ If TLS is enabled, use :
|
|||
If ACLs are enabled, you must define an [intention](/docs/connect/intentions) to allow the ingress gateway to access the upstream services defined in the config entry.
|
||||
|
||||
To create an intention that allows the ingress gateway to route to the service `static-server`, run:
|
||||
|
||||
```shell-session
|
||||
$ consul intention create ingress-gateway static-server
|
||||
```
|
||||
|
@ -136,6 +141,7 @@ $ consul intention create ingress-gateway static-server
|
|||
For detailed instructions on how to configure zero-trust networking with intentions please refer to this [guide](https://learn.hashicorp.com/tutorials/consul/service-mesh-zero-trust-network).
|
||||
|
||||
## Deploying your application to Kubernetes
|
||||
|
||||
Now you will deploy a sample application which echoes “hello world”
|
||||
|
||||
```yaml
|
||||
|
@ -198,7 +204,7 @@ ingressGateways:
|
|||
gateways:
|
||||
- name: ingress-gateway
|
||||
service:
|
||||
type: LoadBalancer
|
||||
type: LoadBalancer
|
||||
```
|
||||
|
||||
And run Helm upgrade:
|
||||
|
|
|
@ -21,10 +21,10 @@ your components, you should be running a compatible version by default.
|
|||
|
||||
Adding a terminating gateway is a multi-step process:
|
||||
|
||||
* Update the helm chart with terminating gateway config options
|
||||
* Deploying the helm chart
|
||||
* Accessing the Consul agent
|
||||
* Register external services with Consul
|
||||
- Update the helm chart with terminating gateway config options
|
||||
- Deploying the helm chart
|
||||
- Accessing the Consul agent
|
||||
- Register external services with Consul
|
||||
|
||||
## Update the helm chart with terminating gateway config options
|
||||
|
||||
|
@ -42,7 +42,7 @@ terminatingGateways:
|
|||
## Deploying the helm chart
|
||||
|
||||
Ensure you have the latest consul-helm chart and install Consul via helm using the following
|
||||
[guide](/docs/k8s/installation/overview#installing-consul) while being sure to provide the yaml configuration
|
||||
[guide](/docs/k8s/installation#installing-consul) while being sure to provide the yaml configuration
|
||||
as previously discussed.
|
||||
|
||||
## Accessing the Consul agent
|
||||
|
@ -52,7 +52,9 @@ You can access the Consul server directly from your host via `kubectl port-forwa
|
|||
```shell-session
|
||||
$ kubectl port-foward consul-server-0 8500 &
|
||||
```
|
||||
|
||||
If TLS is enabled use port 8501:
|
||||
|
||||
```shell-session
|
||||
$ kubectl port-foward consul-server-0 8501 &
|
||||
```
|
||||
|
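Review bot: Both commands in this hunk are spelled `kubectl port-foward` (the 8500 line and the 8501 line), which is not a kubectl subcommand and will fail when pasted; the hunk header context spells it correctly as `kubectl port-forward`. Since the block is being edited here, fix both occurrences in the same change.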
@ -63,12 +65,16 @@ $ kubectl port-foward consul-server-0 8501 &
|
|||
```shell-session
|
||||
$ export CONSUL_HTTP_ADDR=http://localhost:8500
|
||||
```
|
||||
|
||||
If TLS is enabled set:
|
||||
|
||||
```shell-session
|
||||
$ export CONSUL_HTTP_ADDR=https://localhost:8501
|
||||
$ export CONSUL_HTTP_SSL_VERIFY=false
|
||||
```
|
||||
|
||||
If ACLs are enabled also set:
|
||||
|
||||
```shell-session
|
||||
$ export CONSUL_HTTP_TOKEN=$(kubectl get secret consul-bootstrap-acl-token -o jsonpath={.data.token} | base64 -D)
|
||||
```
|
||||
|
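Review bot: In the `CONSUL_HTTP_TOKEN` line, `base64 -D` is the BSD/macOS spelling of the decode flag; GNU coreutils expects `-d`, so the command substitution yields an empty token on most Linux hosts and later CLI calls fail with a permission error rather than an obvious one. `base64 --decode` works on both. The TLS block also sets `CONSUL_HTTP_SSL_VERIFY=false` unconditionally; a sentence on using the cluster CA through `CONSUL_CACERT` instead would keep the token from being sent to an unverified endpoint.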
@ -76,46 +82,52 @@ $ export CONSUL_HTTP_TOKEN=$(kubectl get secret consul-bootstrap-acl-token -o js
|
|||
## Register external services with Consul
|
||||
|
||||
Registering the external services with Consul is a multi-step process:
|
||||
* Register external services with Consul
|
||||
* Update the terminating gateway ACL token if ACLs are enabled
|
||||
* Create the configuration entry for the terminating gateway
|
||||
* Create intentions to allow access from services in the mesh to external service
|
||||
* Define upstream annotations for any services that need to talk to the external services
|
||||
|
||||
- Register external services with Consul
|
||||
- Update the terminating gateway ACL token if ACLs are enabled
|
||||
- Create the configuration entry for the terminating gateway
|
||||
- Create intentions to allow access from services in the mesh to external service
|
||||
- Define upstream annotations for any services that need to talk to the external services
|
||||
|
||||
### Register external services with Consul
|
||||
|
||||
Create a sample external service and register it with Consul.
|
||||
|
||||
```json
|
||||
{
|
||||
"Node": "legacy_node",
|
||||
"Address": "example.com",
|
||||
"NodeMeta": {
|
||||
"external-node": "true",
|
||||
"external-probe": "true"
|
||||
},
|
||||
"Service": {
|
||||
"ID": "example-https",
|
||||
"Service": "example-https",
|
||||
"Port": 443
|
||||
}
|
||||
"Node": "legacy_node",
|
||||
"Address": "example.com",
|
||||
"NodeMeta": {
|
||||
"external-node": "true",
|
||||
"external-probe": "true"
|
||||
},
|
||||
"Service": {
|
||||
"ID": "example-https",
|
||||
"Service": "example-https",
|
||||
"Port": 443
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Register the external service with Consul:
|
||||
|
||||
```shell-session
|
||||
$ curl --request PUT --data @external.json -k $CONSUL_HTTP_ADDR/v1/catalog/register
|
||||
```
|
||||
|
||||
If ACLs and TLS are enabled :
|
||||
|
||||
```shell-session
|
||||
$ curl --request PUT --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" --data @external.json -k $CONSUL_HTTP_ADDR/v1/catalog/register
|
||||
```
|
||||
|
||||
### Update terminating gateway ACL token if ACLs are enabled
|
||||
|
||||
If ACLs are enabled, update the terminating gateway acl token to have `service: write` permissions on all of the services
|
||||
being represented by the gateway:
|
||||
* Create a new policy that includes these permissions
|
||||
* Update the existing token to include the new policy
|
||||
|
||||
- Create a new policy that includes these permissions
|
||||
- Update the existing token to include the new policy
|
||||
|
||||
~> The CLI command should be run with the `-merge-policies`, `-merge-roles` and `-merge-service-identities` so
|
||||
nothing is removed from the terminating gateway token
|
||||
|
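Review bot: The "If ACLs and TLS are enabled" curl command sends `X-Consul-Token: $CONSUL_HTTP_TOKEN` together with `-k`, which turns off certificate verification for the request that carries the token; suggest `--cacert` with the Consul CA file instead, and drop `-k` from the plain-HTTP command above it where it has no effect. The JSON payload is removed and re-added with the same content, so that part is reindentation only and not a link fix. In the `~>` warning, "run with the `-merge-policies`, `-merge-roles` and `-merge-service-identities` so" is missing the word "flags".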
@ -125,21 +137,28 @@ service "example-https" {
|
|||
policy = "write"
|
||||
}
|
||||
```
|
||||
|
||||
```shell-session
|
||||
$ consul acl policy create -name "example-https-write-policy" -rules @write-policy.hcl
|
||||
```
|
||||
|
||||
Now fetch the id of the terminating gateway token
|
||||
|
||||
```shell-session
|
||||
$ consul acl token list | grep terminating-gateway-terminating-gateway-token
|
||||
```
|
||||
|
||||
Update the terminating gateway acl token with the new policy
|
||||
|
||||
```shell-session
|
||||
$ consul acl token update -id <token-id> -policy-name example-https-write-policy -merge-policies -merge-roles -merge-service-identities
|
||||
```
|
||||
|
||||
### Create the configuration entry for the terminating gateway
|
||||
|
||||
Once the tokens have been updated, next write the Consul [config](/docs/agent/config-entries/terminating-gateway)
|
||||
entry for the terminating gateway:
|
||||
|
||||
```hcl
|
||||
Kind = "terminating-gateway"
|
||||
Name = "terminating-gateway"
|
||||
|
@ -150,20 +169,24 @@ Services = [
|
|||
}
|
||||
]
|
||||
```
|
||||
|
||||
~> If TLS is enabled a `CAFile` must be provided, it must point to the system trust store of the terminating gateway
|
||||
container.
|
||||
|
||||
Submit the terminating gateway entry with the Consul CLI using this command.
|
||||
|
||||
```shell-session
|
||||
$ consul config write terminating-gateway.hcl
|
||||
```
|
||||
|
||||
If using ACLs and TLS, create intentions to allow access from services in the mesh to the external service
|
||||
|
||||
```shell-session
|
||||
$ consul intention create -allow static-client example-https
|
||||
```
|
||||
|
||||
### Define the external services as upstreams for services in the mesh
|
||||
|
||||
Finally define and deploy the external services as upstreams for the internal mesh services that wish to talk to them.
|
||||
An example deployment is provided which will serve as a static client for the terminating gateway service.
|
||||
|
||||
|
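Review bot: The sentence "If using ACLs and TLS, create intentions" conditions the intention on TLS as well as ACLs, while the ingress gateway page in this same commit says "If ACLs are enabled, you must define an intention"; the two pages should state the same condition. The commands also differ in form (`consul intention create -allow static-client example-https` here, `consul intention create ingress-gateway static-server` there), so consider using `-allow` explicitly in both. The `CAFile` warning is a comma splice and would read better as two sentences.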
@ -188,25 +211,27 @@ spec:
|
|||
labels:
|
||||
app: static-client
|
||||
annotations:
|
||||
"consul.hashicorp.com/connect-inject": "true"
|
||||
"consul.hashicorp.com/connect-service-upstreams": "example-https:1234"
|
||||
'consul.hashicorp.com/connect-inject': 'true'
|
||||
'consul.hashicorp.com/connect-service-upstreams': 'example-https:1234'
|
||||
spec:
|
||||
containers:
|
||||
# This name will be the service name in Consul.
|
||||
- name: static-client
|
||||
image: tutum/curl:latest
|
||||
command: [ "/bin/sh", "-c", "--" ]
|
||||
args: [ "while true; do sleep 30; done;" ]
|
||||
# If ACLs are enabled, the serviceAccountName must match the Consul service name.
|
||||
command: ['/bin/sh', '-c', '--']
|
||||
args: ['while true; do sleep 30; done;']
|
||||
# If ACLs are enabled, the serviceAccountName must match the Consul service name.
|
||||
serviceAccountName: static-client
|
||||
```
|
||||
|
||||
Run the service via `kubectl apply`:
|
||||
|
||||
```shell-session
|
||||
$ kubectl apply -f static-client.yaml
|
||||
```
|
||||
|
||||
You can verify connectivity of the static-client and terminating gateway via a curl command:
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec deploy/static-client -- curl -vvvs -H "Host: example-https.com" http://localhost:1234/
|
||||
```
|
||||
|
|
|
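Review bot: The verification command sends `-H "Host: example-https.com"`, but the external service registered earlier on this page has `"Address": "example.com"` and only the service name is `example-https`; please confirm the Host header is intended and not a mix-up of the service name with the hostname. The rest of the hunk is quote-style churn (`"true"` to `'true'`, the `command` and `args` arrays) with no link change. The example also pulls `tutum/curl:latest`, a mutable tag; pinning a version or digest would make the example reproducible.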
@ -194,11 +194,11 @@ and consider if they're appropriate for your deployment.
|
|||
# Resources are defined as a YAML map:
|
||||
resources:
|
||||
requests:
|
||||
memory: "25Mi"
|
||||
cpu: "20m"
|
||||
memory: '25Mi'
|
||||
cpu: '20m'
|
||||
limits:
|
||||
memory: "50Mi"
|
||||
cpu: "20m"
|
||||
memory: '50Mi'
|
||||
cpu: '20m'
|
||||
```
|
||||
|
||||
- `server` ((#v-server)) - Values that configure running a Consul server within Kubernetes.
|
||||
|
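Review bot: Every changed line in this hunk only swaps double quotes for single quotes on the `memory` and `cpu` values, and the same pattern repeats in the later `resources:` hunks of this file. That is formatter output, not a link fix; it makes the link changes harder to find in review, so it would be better as a separate commit or at least mentioned in the commit message.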
@ -419,7 +419,7 @@ and consider if they're appropriate for your deployment.
|
|||
|
||||
- `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on
|
||||
port 8502 and expose it to the host. This will use slightly more resources, but is
|
||||
required for [Connect](/docs/k8s/connect/overview).
|
||||
required for [Connect](/docs/k8s/connect).
|
||||
|
||||
- `exposeGossipPorts` ((#v-client-exposegossipports)) (`boolean: false`) - If true, the Helm chart
|
||||
will expose the clients' gossip ports as hostPorts. This is only necessary if pod IPs in the k8s cluster are not directly routable and the Consul servers are outside of the k8s cluster.
|
||||
|
@ -662,7 +662,7 @@ and consider if they're appropriate for your deployment.
|
|||
- `additionalSpec` ((#v-ui-service-additionalspec)) (`string: null`) - Additional Service spec
|
||||
values. This should be a multi-line string mapping directly to a Kubernetes `Service` object.
|
||||
|
||||
- `connectInject` ((#v-connectinject)) - Values that configure running the [Connect injector](/docs/k8s/connect/overview).
|
||||
- `connectInject` ((#v-connectinject)) - Values that configure running the [Connect injector](/docs/k8s/connect).
|
||||
|
||||
- `enabled` ((#v-connectinject-enabled)) (`boolean: false`) - If true, the chart will install all the
|
||||
resources necessary for the Connect injector process to run. This will enable the injector but will
|
||||
|
@ -672,7 +672,7 @@ and consider if they're appropriate for your deployment.
|
|||
(including any tag) for the [consul-k8s](https://github.com/hashicorp/consul-k8s) binary.
|
||||
|
||||
- `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
|
||||
Connect sidecar into all pods by default. Otherwise, pods must specify the. [injection annotation](/docs/k8s/connect/overview#consul-hashicorp-com-connect-inject)
|
||||
Connect sidecar into all pods by default. Otherwise, pods must specify the. [injection annotation](/docs/k8s/connect#consul-hashicorp-com-connect-inject)
|
||||
to opt-in to Connect injection. If this is true, pods can use the same annotation
|
||||
to explicitly opt-out of injection.
|
||||
|
||||
|
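Review bot: The changed line still reads "pods must specify the. [injection annotation]", with a stray period between "the" and the link. The line is being rewritten for the link target anyway, so remove the period in the same edit.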
@ -773,7 +773,7 @@ and consider if they're appropriate for your deployment.
|
|||
configuration feature. Pods that have a Connect proxy injected will have their service automatically registered in this central configuration.
|
||||
|
||||
- `defaultProtocol` ((#v-connectinject-centralconfig-defaultprotocol)) (`string: null`) - If
|
||||
defined, this value will be used as the default protocol type for all services registered with the central configuration. This can be overridden by using the [protocol annotation](/docs/k8s/connect/overview#consul-hashicorp-com-connect-service-protocol) directly on any pod spec.
|
||||
defined, this value will be used as the default protocol type for all services registered with the central configuration. This can be overridden by using the [protocol annotation](/docs/k8s/connect#consul-hashicorp-com-connect-service-protocol) directly on any pod spec.
|
||||
|
||||
- `proxyDefaults` ((#v-connectinject-centralconfig-proxydefaults)) (`string: "{}"`) - This value is
|
||||
a raw json string that will be applied to all Connect proxy sidecar pods. It can include any valid configuration for the configured proxy.
|
||||
|
@ -797,11 +797,11 @@ and consider if they're appropriate for your deployment.
|
|||
# Resources are defined as a YAML map:
|
||||
resources:
|
||||
requests:
|
||||
memory: "25Mi"
|
||||
cpu: "20m"
|
||||
memory: '25Mi'
|
||||
cpu: '20m'
|
||||
limits:
|
||||
memory: "50Mi"
|
||||
cpu: "20m"
|
||||
memory: '50Mi'
|
||||
cpu: '20m'
|
||||
```
|
||||
|
||||
- `sidecarProxy` ((#v-connectinject-sidecarproxy)) - Configure the sidecar proxy that is injected into each Connect pod.
|
||||
|
@ -811,17 +811,17 @@ and consider if they're appropriate for your deployment.
|
|||
[ResourceRequirements](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) object.
|
||||
By default, each key is set to `null`, which results in no resource limits.
|
||||
|
||||
These defaults can be overridden on a per-pod basis via [annotation](/docs/k8s/connect/overview#consul-hashicorp-com-sidecar-proxy).
|
||||
These defaults can be overridden on a per-pod basis via [annotation](/docs/k8s/connect#consul-hashicorp-com-sidecar-proxy).
|
||||
|
||||
```yaml
|
||||
# Recommended defaults
|
||||
resources:
|
||||
requests:
|
||||
memory: "100Mi"
|
||||
cpu: "100m"
|
||||
memory: '100Mi'
|
||||
cpu: '100m'
|
||||
limits:
|
||||
memory: "100Mi"
|
||||
cpu: "100m"
|
||||
memory: '100Mi'
|
||||
cpu: '100m'
|
||||
```
|
||||
|
||||
- `meshGateway` ((#v-meshgateway)) - Configure mesh gateways.
|
||||
|
@ -933,11 +933,11 @@ and consider if they're appropriate for your deployment.
|
|||
# Resources are defined as a YAML map:
|
||||
resources:
|
||||
requests:
|
||||
memory: "25Mi"
|
||||
cpu: "50m"
|
||||
memory: '25Mi'
|
||||
cpu: '50m'
|
||||
limits:
|
||||
memory: "150Mi"
|
||||
cpu: "50m"
|
||||
memory: '150Mi'
|
||||
cpu: '50m'
|
||||
```
|
||||
|
||||
- `affinity` ((#v-meshgateway-affinity)) (`string`) - Affinity setting for gateway pods. See values file for default.
|
||||
|
@ -989,11 +989,11 @@ and consider if they're appropriate for your deployment.
|
|||
# Resources are defined as a YAML map:
|
||||
resources:
|
||||
requests:
|
||||
memory: "25Mi"
|
||||
cpu: "50m"
|
||||
memory: '25Mi'
|
||||
cpu: '50m'
|
||||
limits:
|
||||
memory: "150Mi"
|
||||
cpu: "50m"
|
||||
memory: '150Mi'
|
||||
cpu: '50m'
|
||||
```
|
||||
|
||||
- `affinity` ((#v-ingressgateways-defaults-affinity)) (`string`) - Affinity setting for gateway pods. See values file for default.
|
||||
|
@ -1049,11 +1049,11 @@ and consider if they're appropriate for your deployment.
|
|||
# Resources are defined as a YAML map:
|
||||
resources:
|
||||
requests:
|
||||
memory: "25Mi"
|
||||
cpu: "50m"
|
||||
memory: '25Mi'
|
||||
cpu: '50m'
|
||||
limits:
|
||||
memory: "150Mi"
|
||||
cpu: "50m"
|
||||
memory: '150Mi'
|
||||
cpu: '50m'
|
||||
```
|
||||
|
||||
- `affinity` ((#v-terminatinggateways-defaults-affinity)) (`string`) - Affinity setting for gateway pods. See values file for default.
|
||||
|
|
|
@ -70,12 +70,12 @@ There are several ways to try Consul with Kubernetes in different environments.
|
|||
- The [Consul and Kubernetes Deployment](https://learn.hashicorp.com/tutorials/consul/kubernetes-deployment-guide?utm_source=consul.io&utm_medium=docs) tutorial covers the necessary steps to install and configure a new Consul cluster on Kubernetes in production.
|
||||
|
||||
- The [Secure Consul and Registered Services on Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-secure-agents?in=consul/kubernetes) tutorial covers
|
||||
the necessary steps to secure a Consul cluster running on Kubernetes in production.
|
||||
the necessary steps to secure a Consul cluster running on Kubernetes in production.
|
||||
|
||||
- The [Layer 7 Observability with Consul Service Mesh](https://learn.hashicorp.com/tutorials/consul/kubernetes-layer7-observability) tutorial covers monitoring a
|
||||
Consul service mesh running on Kubernetes with Prometheus and Grafana.
|
||||
Consul service mesh running on Kubernetes with Prometheus and Grafana.
|
||||
|
||||
**Documentation**
|
||||
|
||||
- [Installing Consul](/docs/k8s/installation/overview) covers how to install Consul using the Helm chart.
|
||||
- [Installing Consul](/docs/k8s/installation) covers how to install Consul using the Helm chart.
|
||||
- [Helm Chart Reference](/docs/k8s/helm) describes the different options for configuring the Helm chart.
|
||||
|
|
|
@ -55,7 +55,7 @@ You may also consider adopting Consul Enterprise for
|
|||
-> **Note:** Consul on Kubernetes currently does not support external servers that require mutual authentication
|
||||
for the HTTPS clients of the Consul servers, that is when servers have either
|
||||
`verify_incoming` or `verify_incoming_https` set to `true`.
|
||||
As noted in the [Security Model](docs/internals/security#secure-configuration),
|
||||
As noted in the [Security Model](/docs/internals/security#secure-configuration),
|
||||
that setting isn't strictly necessary to support Consul's threat model as it is recommended that
|
||||
all requests contain a valid ACL token.
|
||||
|
||||
|
@ -116,7 +116,7 @@ The bootstrap token requires the following minimal permissions:
|
|||
- `agent:read` if using WAN federation over mesh gateways
|
||||
|
||||
Next, configure external servers. The Helm chart will use this configuration to talk to the Consul server's API
|
||||
to create policies, tokens, and an auth method. If you are [enabling Consul Connect](/docs/k8s/connect/overview),
|
||||
to create policies, tokens, and an auth method. If you are [enabling Consul Connect](/docs/k8s/connect),
|
||||
`k8sAuthMethodHost` should be set to the address of your Kubernetes API server
|
||||
so that the Consul servers can validate a Kubernetes service account token when using the [Kubernetes auth method](https://www.consul.io/docs/acl/auth-methods/kubernetes.html)
|
||||
with `consul login`.
|
||||
|
|
|
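Review bot: The unchanged context line in this hunk still links the Kubernetes auth method as `https://www.consul.io/docs/acl/auth-methods/kubernetes.html`, an absolute URL with the `.html` suffix that this commit strips elsewhere (`options.html#acl_default_policy` became `options#acl_default_policy`). Consider switching it to a site-relative, suffix-free link in the same pass, so it matches the `/docs/k8s/connect` link fixed a few lines above it and does not need a follow-up commit.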
@ -18,7 +18,7 @@ a server running inside or outside of Kubernetes.
|
|||
|
||||
This page starts with a large how-to section for various specific tasks.
|
||||
To learn more about the general architecture of Consul on Kubernetes, scroll
|
||||
down to the [architecture](/docs/k8s/installation/overview.html#architecture) section.
|
||||
down to the [architecture](/docs/k8s/installation#architecture) section.
|
||||
If you would like to get hands-on experience testing Consul as a service mesh
|
||||
for Kubernetes, check the guides in the [Getting Started with Consul service
|
||||
mesh](https://learn.hashicorp.com/consul/gs-consul-service-mesh/understand-consul-service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) track.
|
||||
|
@ -98,7 +98,7 @@ create a `config.yaml` file to override the default settings.
|
|||
You can learn what settings are available by running `helm inspect values hashicorp/consul`
|
||||
or by reading the [Helm Chart Reference](/docs/k8s/helm).
|
||||
|
||||
For example, if you want to enable the [Consul Connect](/docs/k8s/connect/overview) feature,
|
||||
For example, if you want to enable the [Consul Connect](/docs/k8s/connect) feature,
|
||||
use the following config file:
|
||||
|
||||
```yaml
|
||||
|
@ -185,7 +185,7 @@ has important caching behavior, and allows you to use the simpler
|
|||
[`/agent` endpoints for services and checks](/api/agent).
|
||||
|
||||
For Consul installed via the Helm chart, a client agent is installed on
|
||||
each Kubernetes node. This is explained in the [architecture](/docs/k8s/installation/overview#client-agents)
|
||||
each Kubernetes node. This is explained in the [architecture](/docs/k8s/installation#client-agents)
|
||||
section. To access the agent, you may use the
|
||||
[downward API](https://kubernetes.io/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/).
|
||||
|
||||
|
@ -297,7 +297,7 @@ The clients expose the Consul HTTP API via a static port (default 8500)
|
|||
bound to the host port. This enables all other pods on the node to connect
|
||||
to the node-local agent using the host IP that can be retrieved via the
|
||||
Kubernetes downward API. See
|
||||
[accessing the Consul HTTP API](/docs/k8s/installation/overview#accessing-the-consul-http-api)
|
||||
[accessing the Consul HTTP API](/docs/k8s/installation#accessing-the-consul-http-api)
|
||||
for an example.
|
||||
|
||||
There is a major limitation to this: there is no way to bind to a local-only
|
||||
|
|
|
@ -10,11 +10,11 @@ description: >-
|
|||
|
||||
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher
|
||||
|
||||
~> This topic requires familiarity with [Mesh Gateways](/docs/connect/mesh-gateway) and [WAN Federation Via Mesh Gateways](/docs/connect/wan-federation-via-mesh-gateways).
|
||||
~> This topic requires familiarity with [Mesh Gateways](/docs/connect/mesh-gateway) and [WAN Federation Via Mesh Gateways](/docs/connect/gateways/wan-federation-via-mesh-gateways).
|
||||
|
||||
-> Looking for a step-by-step guide? Please follow our Learn tutorial: [Secure and Route Service Mesh Communication Across Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways).
|
||||
|
||||
This page describes how to federate multiple Kubernetes clusters. See [Multi-Cluster Overview](/docs/k8s/installation/multi-cluster/overview)
|
||||
This page describes how to federate multiple Kubernetes clusters. See [Multi-Cluster Overview](/docs/k8s/installation/multi-cluster)
|
||||
for more information on use-cases and how it works.
|
||||
|
||||
## Primary Datacenter
|
||||
|
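Review bot: On the `~>` familiarity line, only the WAN federation link was moved under `/docs/connect/gateways/`; the `[Mesh Gateways](/docs/connect/mesh-gateway)` link on the same line keeps the old path. Earlier in this commit the same target was rewritten to `/docs/connect/gateways/mesh-gateway`, so this link is probably still broken and should get the same update.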
@ -113,7 +113,7 @@ Modifications:
|
|||
mesh gateway, for example using a Node Port service or a custom DNS entry,
|
||||
see the [Helm reference](/docs/k8s/helm#v-meshgateway) for that setting.
|
||||
|
||||
With your `config.yaml` ready to go, follow our [Installation Guide](/docs/k8s/installation/overview
|
||||
With your `config.yaml` ready to go, follow our [Installation Guide](/docs/k8s/installation)
|
||||
to install Consul on your primary cluster and then skip ahead to the [Federation Secret](#federation-secret)
|
||||
section.
|
||||
|
||||
|
@ -152,7 +152,7 @@ If you've set `enableAutoEncrypt: true`, this is also supported.
|
|||
creates a Kubernetes Load Balancer service. If you wish to customize the
|
||||
mesh gateway, see the [Helm reference](/docs/k8s/helm#v-meshgateway) for that setting.
|
||||
|
||||
With the above settings added to your existing config, follow the [Upgrading](/localhost:3000/docs/k8s/operations/upgrading)
|
||||
With the above settings added to your existing config, follow the [Upgrading](/docs/k8s/operations/upgrading)
|
||||
guide to upgrade your cluster and then come back to the [Federation Secret](#federation-secret) section.
|
||||
|
||||
-> **NOTE:** You must be using consul-helm 0.21.0+. To update, run `helm repo update`.
|
||||
|
@ -244,7 +244,7 @@ The automatically generated federation secret contains:
|
|||
|
||||
## Secondary Cluster(s)
|
||||
|
||||
With the primary cluster up and running, and the [federation secret](/docs/installation/multi-cluster#federation-secret) imported
|
||||
With the primary cluster up and running, and the [federation secret](/docs/k8s/installation/multi-cluster#federation-secret) imported
|
||||
into the secondary cluster, we can now install Consul into the secondary
|
||||
cluster.
|
||||
|
||||
|
@ -337,7 +337,7 @@ Modifications:
|
|||
mesh gateway, for example using a Node Port service or a custom DNS entry,
|
||||
see the [Helm reference](/docs/k8s/helm#v-meshgateway) for that setting.
|
||||
|
||||
With your `config.yaml` ready to go, follow our [Installation Guide](/docs/k8s/installation/overview)
|
||||
With your `config.yaml` ready to go, follow our [Installation Guide](/docs/k8s/installation)
|
||||
to install Consul on your secondary cluster(s).
|
||||
|
||||
## Verifying Federation
|
||||
|
@ -375,7 +375,7 @@ You can switch kubectl contexts and run the same command in `dc2` with the flag
|
|||
### Consul UI
|
||||
|
||||
We can also use the Consul UI to verify federation.
|
||||
See [Viewing the Consul UI](docs/k8s/installation/overview#viewing-the-consul-ui)
|
||||
See [Viewing the Consul UI](/docs/k8s/installation#viewing-the-consul-ui)
|
||||
for instructions on how to view the UI.
|
||||
|
||||
~> NOTE: If ACLs are enabled, your kubectl context must be in the primary datacenter
|
||||
|
@ -391,4 +391,4 @@ in the top left:
|
|||
With your Kubernetes clusters federated, try out using Consul service mesh to
|
||||
route between services deployed on each cluster by following our Learn tutorial: [Secure and Route Service Mesh Communication Across Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways#deploy-microservices).
|
||||
|
||||
You can also read our in-depth documentation on [Consul Service Mesh In Kubernetes](/docs/k8s/connect/overview).
|
||||
You can also read our in-depth documentation on [Consul Service Mesh In Kubernetes](/docs/k8s/connect).
|
||||
|
|
|
@ -10,11 +10,11 @@ description: >-
|
|||
|
||||
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher
|
||||
|
||||
~> This topic requires familiarity with [Mesh Gateways](/docs/connect/mesh-gateway) and [WAN Federation Via Mesh Gateways](/docs/connect/wan-federation-via-mesh-gateways).
|
||||
~> This topic requires familiarity with [Mesh Gateways](/docs/connect/mesh-gateway) and [WAN Federation Via Mesh Gateways](/docs/connect/gateways/wan-federation-via-mesh-gateways).
|
||||
|
||||
Consul datacenters running on non-kubernetes platforms like VMs or bare metal can
|
||||
be federated with Kubernetes datacenters. Just like with Kubernetes, one datacenter
|
||||
must be the [primary](/docs/k8s/installation/multi-cluster/installation#primary-datacenter).
|
||||
must be the [primary](/docs/k8s/installation/multi-cluster#primary-datacenter).
|
||||
|
||||
## Kubernetes as the Primary
|
||||
|
||||
|
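Review bot: The `[Mesh Gateways](/docs/connect/mesh-gateway)` link on the changed `~>` line is left on the pre-move path while its neighbour is updated to `/docs/connect/gateways/wan-federation-via-mesh-gateways`. Please point it at `/docs/connect/gateways/mesh-gateway`, the path this commit uses for the same page in the WAN federation doc, and check the new `/docs/k8s/installation/multi-cluster#primary-datacenter` anchor resolves, since the heading moved from the `installation` subpage to the section index.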
@ -285,7 +285,7 @@ server:
|
|||
name of your primary datacenter running on VMs and with the IPs of your mesh
|
||||
gateways running on VMs.
|
||||
|
||||
With your config file ready to go, follow our [Installation Guide](/docs/k8s/installation/overview
|
||||
With your config file ready to go, follow our [Installation Guide](/docs/k8s/installation)
|
||||
to install Consul on your secondary cluster(s).
|
||||
|
||||
## Next Steps
|
||||
|
|
|
@ -9,7 +9,7 @@ description: Installing Consul on Self Hosted Kubernetes
|
|||
|
||||
Except for creating persistent volumes (see below), installing Consul on your
|
||||
self-hosted Kubernetes cluster is the same process as installing Consul on a
|
||||
cloud-hosted Kubernetes cluster. See the [Installation Overview](/docs/k8s/installation/overview)
|
||||
cloud-hosted Kubernetes cluster. See the [Installation Overview](/docs/k8s/installation)
|
||||
for install instructions.
|
||||
|
||||
## Predefined Persistent Volume Claims (PVCs)
|
||||
|
|
|
@ -35,7 +35,7 @@ This upgrade will trigger a rolling update of the clients, as well as any
|
|||
other `consul-k8s` components, such as sync catalog or client snapshot deployments.
|
||||
|
||||
1. Perform a rolling upgrade of the servers, as described in
|
||||
[Upgrade Consul Servers](/docs/k8s/upgrading#upgrading-consul-servers).
|
||||
[Upgrade Consul Servers](/docs/k8s/operations/upgrading#upgrading-consul-servers).
|
||||
|
||||
1. Repeat steps 1 and 2, turning on TLS verification by setting `global.tls.verify`
|
||||
to `true`.
|
||||
|
@ -72,7 +72,7 @@ applications to it.
|
|||
```
|
||||
|
||||
In this configuration, we're setting `server.updatePartition` to the number of
|
||||
server replicas as described in [Upgrade Consul Servers](/docs/k8s/upgrading#upgrading-consul-servers)
|
||||
server replicas as described in [Upgrade Consul Servers](/docs/k8s/operations/upgrading#upgrading-consul-servers)
|
||||
and `client.updateStrategy` to `OnDelete` to manually trigger an upgrade of the clients.
|
||||
|
||||
1. Run `helm upgrade` with the above config file. The upgrade will trigger an update of all
|
||||
|
@ -95,7 +95,7 @@ applications to it.
|
|||
the sidecar proxy. Also, Kubernetes should schedule these applications on the new node pool.
|
||||
|
||||
1. Perform a rolling upgrade of the servers described in
|
||||
[Upgrade Consul Servers](/docs/k8s/upgrading#upgrading-consul-servers).
|
||||
[Upgrade Consul Servers](/docs/k8s/operations/upgrading#upgrading-consul-servers).
|
||||
|
||||
1. If everything is healthy, delete the old node pool.
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ services are available to Consul agents and services in Consul can be available
|
|||
as first-class Kubernetes services. This functionality is provided by the
|
||||
[consul-k8s project](https://github.com/hashicorp/consul-k8s) and can be
|
||||
automatically installed and configured using the
|
||||
[Consul Helm chart](/docs/k8s/installation/overview).
|
||||
[Consul Helm chart](/docs/k8s/installation).
|
||||
|
||||
**Why sync Kubernetes services to Consul?** Kubernetes services synced to the
|
||||
Consul catalog enable Kubernetes services to be accessed by any node that
|
||||
|
@ -132,7 +132,7 @@ instances to be equal to the nodes running the target pods.
|
|||
By default it will use the external IP of the node but this can be configured via
|
||||
the [`nodePortSyncType` helm option](/docs/k8s/helm#v-synccatalog-nodeportsynctype).
|
||||
|
||||
The service instance's port will be set to the *first* defined node port of the service unless
|
||||
The service instance's port will be set to the _first_ defined node port of the service unless
|
||||
set specifically via the `consul.hashicorp.com/service-port` annotation (see [Service Ports](/docs/k8s/service-sync#service-ports)).
|
||||
|
||||
#### LoadBalancer
|
||||
|
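Review bot: The `*first*` to `_first_` change on the NodePort port sentence is an emphasis-marker rewrite, not a link fix, and the same edit repeats in the LoadBalancer and External IPs hunks below. It renders identically, so it only adds noise to a commit titled "fix a bunch of broken links"; either drop it here or mention the formatter pass in the commit message so the diff is easier to audit.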
@ -142,7 +142,7 @@ the external IP of the created load balancer. Because this is already a load
|
|||
balancer, only one service instance will be registered with Consul rather
|
||||
than registering each individual pod endpoint.
|
||||
|
||||
The service instance's port will be set to the *first* defined port of the
|
||||
The service instance's port will be set to the _first_ defined port of the
|
||||
service unless set specifically via the `consul.hashicorp.com/service-port` annotation (see [Service Ports](/docs/k8s/service-sync#service-ports)).
|
||||
|
||||
#### External IPs
|
||||
|
@ -157,7 +157,7 @@ If an external IP list is present, a service instance in Consul will be created
|
|||
for each external IP. It is assumed that if an external IP is present that it
|
||||
is routable and configured by some other system.
|
||||
|
||||
The service instance's port will be set to the *first* defined port of the
|
||||
The service instance's port will be set to the _first_ defined port of the
|
||||
service unless set specifically via the `consul.hashicorp.com/service-port` annotation (see [Service Ports](/docs/k8s/service-sync#service-ports)).
|
||||
|
||||
#### ClusterIP
|
||||
|
|