docs: upgrading to tproxy (/docs/upgrades/upgrade-specific) (#10416)

* docs: update tproxy docs
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
pull/10407/head^2
Nitya Dhanushkodi 2021-06-22 16:41:08 -07:00 committed by GitHub
parent 1fea51fbb5
commit b72ad40286
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 4 deletions


@ -37,6 +37,9 @@ Otherwise, all Connect services can talk to all other services.
The Kubernetes integration takes care of registering Kubernetes services with Consul, injecting a sidecar proxy, and
enabling traffic redirection.
## Upgrading to Transparent Proxy
~> When upgrading from older versions (i.e Consul-k8s < `0.26.0` or Consul-helm < `0.32.0`) to Consul-k8s >= `0.26.0` and Consul-helm >= `0.32.0`, please make sure to follow the upgrade steps [here](/docs/upgrading/upgrade-specific/#transparent-proxy-on-kubernetes).
## Configuration
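Review bot: The link target in the added callout is /docs/upgrading/upgrade-specific/#transparent-proxy-on-kubernetes, while the commit subject names /docs/upgrades/upgrade-specific; confirm which path the site actually serves so the callout does not ship with a dead link. In the same line, "i.e" is missing its trailing period, and the link text "here" would be more useful as the name of the target section, for example "the Transparent Proxy on Kubernetes upgrade steps".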
@ -112,8 +115,8 @@ Traffic redirection interferes with [Kubernetes HTTP health
probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) since the
probes expect that kubelet can directly reach the application container on the probe's endpoint, but that traffic will
be redirected through the sidecar proxy, causing errors because kubelet itself is not encrypting that traffic using a
mesh proxy. For this reason, Consul allows you to overwrite Kubernetes HTTP health probes to point to the proxy instead,
to pass that traffic through via the proxy using the Helm value `connectInject.transparentProxy.defaultOverwriteProbes`
mesh proxy. For this reason, Consul allows you to (overwrite Kubernetes HTTP health probes)[/docs/k8s/connect/health] to point to the proxy instead.
This can be done using the Helm value `connectInject.transparentProxy.defaultOverwriteProbes`
or the Pod annotation `consul.hashicorp.com/transparent-proxy-overwrite-probes`.
### Traffic Redirection Configuration
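Review bot: The added line beginning "mesh proxy. For this reason" has the Markdown link delimiters swapped: (overwrite Kubernetes HTTP health probes)[/docs/k8s/connect/health] will render as literal text rather than a link. It should read [overwrite Kubernetes HTTP health probes](/docs/k8s/connect/health).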


@ -30,8 +30,8 @@ have a license loaded from a configuration file or from their environment the sa
agents must have the license specified. Both agents can still perform automatic retrieval of their
license but with a few extra stipulations. First, license auto-retrieval now requires that ACLs
are on and that the client or snapshot agent is configured with a valid ACL token. Secondly, client
agents require that either the [`start_join`](/docs/agent/opts#start_join) or
[`retry_join`](/docs/agent/opts#retry_join) configurations are set and that they resolve to server
agents require that either the [`start_join`](/docs/agent/options#start_join) or
[`retry_join`](/docs/agent/options#retry_join) configurations are set and that they resolve to server
agents. If those stipulations are not met, attempting to start the client or snapshot agent will
result in it immediately shutting down.
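Review bot: The change of both link targets from /docs/agent/opts to /docs/agent/options is not covered by the commit message, which only mentions tproxy docs; add a line for it or split it into its own commit. Please also confirm that the #start_join and #retry_join anchors exist on the options page, since the fragment is carried over unchanged.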
@ -101,6 +101,17 @@ and [after](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c
1. (Optionally) upgrade Envoy to the latest version supported in Consul 1.10.0.
### Transparent Proxy on Kubernetes
When upgrading to Consul >= 1.10.0, Consul-helm >= 0.32.0, and Consul-k8s >= 0.26.0, a Kubernetes Service must be added for every service registered to Consul. This Service should be added before
performing the upgrade. This will allow services to be managed by a central component, called `endpoints-controller`, which will enable features like
transparent proxy.
After the upgrade is performed, all Pods of a service will need to be restarted. The service will be up and health
checks will continue to work without restarting the service, but a restart is required so the Pods can be re-injected with the latest
container configuration.
## Consul 1.9.0
### Changes to Raft Protocol Support
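Review bot: In the new "Transparent Proxy on Kubernetes" section, the first sentence says a Kubernetes Service "must be added" and the next says it "should be added before performing the upgrade"; if the ordering is a hard requirement, use "must" in both places and state what happens to a service that has no Service at upgrade time. The version constraints are written without backticks here, while the callout added in the other file writes them as `0.26.0` and `0.32.0`; pick one style. "All Pods of a service will need to be restarted" would also be clearer if it said whether this applies to every service or only to some of them.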