Update servers-outside-kubernetes.mdx

2022-11-17 16:35:30 -07:00 · 2022-11-17 16:35:30 -07:00 · ca414959df
parent 940084e097
commit ca414959df
1 changed files with 24 additions and 57 deletions
--- a/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx
+++ b/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx
@ -8,25 +8,22 @@ description: >-
 # Join External Servers to Consul on Kubernetes

 If you have a Consul cluster already running, you can configure your
-Consul clients inside Kubernetes to join this existing cluster.
+Consul on Kubernetes installation to join this existing cluster.

 The below `values.yaml` file shows how to configure the Helm chart to install
-Consul clients that will join an existing cluster.
+Consul that will join an existing Consul server cluster.

 The `global.enabled` value first disables all chart components by default
 so that each component is opt-in. This allows us to _only_ setup the client
 agents. We then opt-in to the client agents by setting `client.enabled` to
 `true`.

-Next, `client.exposeGossipPorts` can be set to `true` or `false` depending on if
-you want the clients to be exposed on the Kubernetes internal node IPs (`true`) or
-their pod IPs (`false`).
-
-Finally, `client.join` is set to an array of valid
-[`-retry-join` values](/docs/agent/config/cli-flags#retry-join). In the
-example above, a fake [cloud auto-join](/docs/install/cloud-auto-join)
-value is specified. This should be set to resolve to the proper addresses of
-your existing Consul cluster.
+Next, configure `externalServers` to point it to Consul servers.
+The `externalServers.hosts` value must be provided and should be set to a DNS, an IP,
+or an `exec=` string with a command returning Consul IPs. Please see [this documentation](https://github.com/hashicorp/go-netaddrs)
+on how the `exec=` string works.externalServers
+Other values in the `externalServers` section are optional. Please refer to
+[Helm Chart configuration](https://developer.hashicorp.com/consul/docs/k8s/helm#h-externalservers) for more details.

 <CodeBlockConfig filename="values.yaml">

@ -34,26 +31,16 @@ your existing Consul cluster.
 global:
  enabled: false

-client:
-  enabled: true
-  # Set this to true to expose the Consul clients using the Kubernetes node
-  # IPs. If false, the pod IPs must be routable from the external servers.
-  exposeGossipPorts: true
-  join:
-    - 'provider=my-cloud config=val ...'
+externalServers:
+  hosts: [<consul server DNS, IP or exec= string>]
 ```

 </CodeBlockConfig>

-> **Networking:** Note that for the Kubernetes nodes to join an existing
-cluster, the nodes (and specifically the agent pods) must be able to connect
-to all other server and client agents inside and _outside_ of Kubernetes over [LAN](/docs/install/glossary#lan-gossip).
-If this isn't possible, consider running a separate Consul cluster inside Kubernetes
-and federating it with your cluster outside Kubernetes.
-You may also consider adopting Consul Enterprise for
-[network segments](/docs/enterprise/network-segments).
+-> **Note:** If you are looking to join Consul clients to an existing Consul server cluster,
+please see [this documentation](https://developer.hashicorp.com/consul/docs/v1.13.x/k8s/deployment-configurations/servers-outside-kubernetes).

-## Configuring TLS with Auto-encrypt
+## Configuring TLS

 -> **Note:** Consul on Kubernetes currently does not support external servers that require mutual authentication
 for the HTTPS clients of the Consul servers, that is when servers have either
@ -62,10 +49,9 @@ As noted in the [Security Model](/docs/security#secure-configuration),
 that setting isn't strictly necessary to support Consul's threat model as it is recommended that
 all requests contain a valid ACL token.

-Consul's auto-encrypt feature allows clients to automatically provision their certificates by making a request to the servers at startup.
-If you would like to use this feature with external Consul servers, you need to configure the Helm chart with information about the servers
-so that it can retrieve the clients' CA to use for securing the rest of the cluster.
-To do that, you must add the following values, in addition to the values mentioned above:
+If the Consul server has TLS enabled, you would also need to provide the CA certificate that Consul on Kubernetes will
+need to talk to the server. First save this certificate in a Kubernetes secret and then provide it in your Helm values below,
+in addition to the values mentioned above:

 <CodeBlockConfig filename="values.yaml" highlight="2-8">

@ -73,19 +59,17 @@ To do that, you must add the following values, in addition to the values mention
 global:
  tls:
    enabled: true
-    enableAutoEncrypt: true
+    caCert:
+      secretName: <CA certificate secret name>
+      secretKey: <CA Certificate secret key>
 externalServers:
  enabled: true
-  hosts:
-    - 'provider=my-cloud config=val ...'
+  hosts: [<consul server DNS, IP or exec= string>]
 ```

 </CodeBlockConfig>

-In most cases, `externalServers.hosts` will be the same as `client.join`, however, both keys must be set because
-they are used for different purposes: one for Serf LAN and the other for HTTPS connections.
-Please see the [reference documentation](/docs/k8s/helm#v-externalservers-hosts)
-for more info. If your HTTPS port is different from Consul's default `8501`, you must also set
+If your HTTPS port is different from Consul's default `8501`, you must also set
 `externalServers.httpsPort`.

 ## Configuring ACLs
@ -137,8 +121,7 @@ with `consul login`.
 ```yaml
 externalServers:
  enabled: true
-  hosts:
-    - 'provider=my-cloud config=val ...'
+  hosts: [<consul server DNS, IP or exec= string>]
  k8sAuthMethodHost: 'https://kubernetes.example.com:443'
 ```

@ -156,17 +139,9 @@ global:
    bootstrapToken:
      secretName: bootstrap-token
      secretKey: token
-client:
-  enabled: true
-  # Set this to true to expose the Consul clients using the Kubernetes node
-  # IPs. If false, the pod IPs must be routable from the external servers.
-  exposeGossipPorts: true
-  join:
-    - 'provider=my-cloud config=val ...'
 externalServers:
  enabled: true
-  hosts:
-    - 'provider=my-cloud config=val ...'
+  hosts: [<consul server DNS, IP or exec= string>]
  k8sAuthMethodHost: 'https://kubernetes.example.com:443'
 ```

@ -184,17 +159,9 @@ global:
  enabled: false
  acls:
    manageSystemACLs: true
-client:
-  enabled: true
-  # Set this to true to expose the Consul clients using the Kubernetes node
-  # IPs. If false, the pod IPs must be routable from the external servers.
-  exposeGossipPorts: true
-  join:
-    - 'provider=my-cloud config=val ...'
 externalServers:
  enabled: true
-  hosts:
-    - 'provider=my-cloud config=val ...'
+  hosts: [<consul server DNS, IP or exec= string>]
  k8sAuthMethodHost: 'https://kubernetes.example.com:443'
 ```