From ca414959df829ae0daf52bc566e5ab47ead1f527 Mon Sep 17 00:00:00 2001
From: Iryna Shustava
Date: Thu, 17 Nov 2022 16:35:30 -0700
Subject: [PATCH] Update servers-outside-kubernetes.mdx

---
 .../servers-outside-kubernetes.mdx | 81 ++++++-------------
 1 file changed, 24 insertions(+), 57 deletions(-)

diff --git a/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx b/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx
index b82d9b563e..5f14a79b92 100644
--- a/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx
+++ b/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx
@@ -8,25 +8,22 @@ description: >-
 # Join External Servers to Consul on Kubernetes
 If you have a Consul cluster already running, you can configure your
-Consul clients inside Kubernetes to join this existing cluster.
+Consul on Kubernetes installation to join this existing cluster.
 The below `values.yaml` file shows how to configure the Helm chart to install
-Consul clients that will join an existing cluster.
+Consul that will join an existing Consul server cluster.
 The `global.enabled` value first disables all chart components by default so that each component is opt-in. This allows us to _only_ setup the client agents. We then opt-in to the client agents by setting `client.enabled` to `true`.
-Next, `client.exposeGossipPorts` can be set to `true` or `false` depending on if
-you want the clients to be exposed on the Kubernetes internal node IPs (`true`) or
-their pod IPs (`false`).
-
-Finally, `client.join` is set to an array of valid
-[`-retry-join` values](/docs/agent/config/cli-flags#retry-join). In the
-example above, a fake [cloud auto-join](/docs/install/cloud-auto-join)
-value is specified. This should be set to resolve to the proper addresses of
-your existing Consul cluster.
+Next, configure `externalServers` to point it to Consul servers.
+The `externalServers.hosts` value must be provided and should be set to a DNS, an IP,
+or an `exec=` string with a command returning Consul IPs. Please see [this documentation](https://github.com/hashicorp/go-netaddrs)
+on how the `exec=` string works.externalServers
+Other values in the `externalServers` section are optional. Please refer to
+[Helm Chart configuration](https://developer.hashicorp.com/consul/docs/k8s/helm#h-externalservers) for more details.
@@ -34,26 +31,16 @@ your existing Consul cluster.
 global:
 enabled: false
-client:
- enabled: true
- # Set this to true to expose the Consul clients using the Kubernetes node
- # IPs. If false, the pod IPs must be routable from the external servers.
- exposeGossipPorts: true
- join:
- - 'provider=my-cloud config=val ...'
+externalServers:
+ hosts: []
 ```
--> **Networking:** Note that for the Kubernetes nodes to join an existing
-cluster, the nodes (and specifically the agent pods) must be able to connect
-to all other server and client agents inside and _outside_ of Kubernetes over [LAN](/docs/install/glossary#lan-gossip).
-If this isn't possible, consider running a separate Consul cluster inside Kubernetes
-and federating it with your cluster outside Kubernetes.
-You may also consider adopting Consul Enterprise for
-[network segments](/docs/enterprise/network-segments).
+-> **Note:** If you are looking to join Consul clients to an existing Consul server cluster,
+please see [this documentation](https://developer.hashicorp.com/consul/docs/v1.13.x/k8s/deployment-configurations/servers-outside-kubernetes).
-## Configuring TLS with Auto-encrypt
+## Configuring TLS
 -> **Note:** Consul on Kubernetes currently does not support external servers that require mutual authentication for the HTTPS clients of the Consul servers, that is when servers have either
@@ -62,10 +49,9 @@ As noted in the [Security Model](/docs/security#secure-configuration),
 that setting isn't strictly necessary to support Consul's threat model as it is recommended that all requests contain a valid ACL token.
-Consul's auto-encrypt feature allows clients to automatically provision their certificates by making a request to the servers at startup.
-If you would like to use this feature with external Consul servers, you need to configure the Helm chart with information about the servers
-so that it can retrieve the clients' CA to use for securing the rest of the cluster.
-To do that, you must add the following values, in addition to the values mentioned above:
+If the Consul server has TLS enabled, you would also need to provide the CA certificate that Consul on Kubernetes will
+need to talk to the server. First save this certificate in a Kubernetes secret and then provide it in your Helm values below,
+in addition to the values mentioned above:
@@ -73,19 +59,17 @@ To do that, you must add the following values, in addition to the values mention
 global:
 tls:
 enabled: true
- enableAutoEncrypt: true
+ caCert:
+ secretName:
+ secretKey:
 externalServers:
 enabled: true
- hosts:
- - 'provider=my-cloud config=val ...'
+ hosts: []
 ```
-In most cases, `externalServers.hosts` will be the same as `client.join`, however, both keys must be set because
-they are used for different purposes: one for Serf LAN and the other for HTTPS connections.
-Please see the [reference documentation](/docs/k8s/helm#v-externalservers-hosts)
-for more info. If your HTTPS port is different from Consul's default `8501`, you must also set
+If your HTTPS port is different from Consul's default `8501`, you must also set
 `externalServers.httpsPort`.
 ## Configuring ACLs
@@ -137,8 +121,7 @@ with `consul login`.
 ```yaml
 externalServers:
 enabled: true
- hosts:
- - 'provider=my-cloud config=val ...'
+ hosts: []
 k8sAuthMethodHost: 'https://kubernetes.example.com:443'
 ```
@@ -156,17 +139,9 @@ global:
 bootstrapToken:
 secretName: bootstrap-token
 secretKey: token
-client:
- enabled: true
- # Set this to true to expose the Consul clients using the Kubernetes node
- # IPs. If false, the pod IPs must be routable from the external servers.
- exposeGossipPorts: true
- join:
- - 'provider=my-cloud config=val ...'
 externalServers:
 enabled: true
- hosts:
- - 'provider=my-cloud config=val ...'
+ hosts: []
 k8sAuthMethodHost: 'https://kubernetes.example.com:443'
 ```
@@ -184,17 +159,9 @@ global:
 enabled: false
 acls:
 manageSystemACLs: true
-client:
- enabled: true
- # Set this to true to expose the Consul clients using the Kubernetes node
- # IPs. If false, the pod IPs must be routable from the external servers.
- exposeGossipPorts: true
- join:
- - 'provider=my-cloud config=val ...'
 externalServers:
 enabled: true
- hosts:
- - 'provider=my-cloud config=val ...'
+ hosts: []
 k8sAuthMethodHost: 'https://kubernetes.example.com:443'
 ```