Update servers-outside-kubernetes.mdx

pull/15455/head
Iryna Shustava 2022-11-17 16:35:30 -07:00
parent 940084e097
commit ca414959df
No known key found for this signature in database
GPG Key ID: 5971648779A5A8A4
1 changed files with 24 additions and 57 deletions


@ -8,25 +8,22 @@ description: >-
# Join External Servers to Consul on Kubernetes # Join External Servers to Consul on Kubernetes
If you have a Consul cluster already running, you can configure your If you have a Consul cluster already running, you can configure your
Consul clients inside Kubernetes to join this existing cluster. Consul on Kubernetes installation to join this existing cluster.
The below `values.yaml` file shows how to configure the Helm chart to install The below `values.yaml` file shows how to configure the Helm chart to install
Consul clients that will join an existing cluster. Consul that will join an existing Consul server cluster.
The `global.enabled` value first disables all chart components by default The `global.enabled` value first disables all chart components by default
so that each component is opt-in. This allows us to _only_ setup the client so that each component is opt-in. This allows us to _only_ setup the client
agents. We then opt-in to the client agents by setting `client.enabled` to agents. We then opt-in to the client agents by setting `client.enabled` to
`true`. `true`.
Next, `client.exposeGossipPorts` can be set to `true` or `false` depending on if Next, configure `externalServers` to point it to Consul servers.
you want the clients to be exposed on the Kubernetes internal node IPs (`true`) or The `externalServers.hosts` value must be provided and should be set to a DNS, an IP,
their pod IPs (`false`). or an `exec=` string with a command returning Consul IPs. Please see [this documentation](https://github.com/hashicorp/go-netaddrs)
on how the `exec=` string works.externalServers
Finally, `client.join` is set to an array of valid Other values in the `externalServers` section are optional. Please refer to
[`-retry-join` values](/docs/agent/config/cli-flags#retry-join). In the [Helm Chart configuration](https://developer.hashicorp.com/consul/docs/k8s/helm#h-externalservers) for more details.
example above, a fake [cloud auto-join](/docs/install/cloud-auto-join)
value is specified. This should be set to resolve to the proper addresses of
your existing Consul cluster.
<CodeBlockConfig filename="values.yaml"> <CodeBlockConfig filename="values.yaml">
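Review bot: The new sentence about the `exec=` string ends with a stray `externalServers` token ("on how the `exec=` string works.externalServers"); drop it. The unchanged paragraph above it still says the goal is to "_only_ setup the client agents" and that "We then opt-in to the client agents by setting `client.enabled` to `true`", but the updated example no longer sets `client.enabled` at all, so that paragraph should now describe opting in to `externalServers` instead. The two new links use absolute `https://developer.hashicorp.com/...` URLs while the rest of the page uses relative `/docs/...` paths (e.g. `/docs/agent/config/cli-flags#retry-join`); keep one style. Since an `exec=` value makes the installation run a command to obtain server addresses, one sentence noting that this command and its output are trusted configuration would help readers choose it deliberately.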
@ -34,26 +31,16 @@ your existing Consul cluster.
global: global:
enabled: false enabled: false
client: externalServers:
enabled: true hosts: [<consul server DNS, IP or exec= string>]
# Set this to true to expose the Consul clients using the Kubernetes node
# IPs. If false, the pod IPs must be routable from the external servers.
exposeGossipPorts: true
join:
- 'provider=my-cloud config=val ...'
``` ```
</CodeBlockConfig> </CodeBlockConfig>
-> **Networking:** Note that for the Kubernetes nodes to join an existing -> **Note:** If you are looking to join Consul clients to an existing Consul server cluster,
cluster, the nodes (and specifically the agent pods) must be able to connect please see [this documentation](https://developer.hashicorp.com/consul/docs/v1.13.x/k8s/deployment-configurations/servers-outside-kubernetes).
to all other server and client agents inside and _outside_ of Kubernetes over [LAN](/docs/install/glossary#lan-gossip).
If this isn't possible, consider running a separate Consul cluster inside Kubernetes
and federating it with your cluster outside Kubernetes.
You may also consider adopting Consul Enterprise for
[network segments](/docs/enterprise/network-segments).
## Configuring TLS with Auto-encrypt ## Configuring TLS
-> **Note:** Consul on Kubernetes currently does not support external servers that require mutual authentication -> **Note:** Consul on Kubernetes currently does not support external servers that require mutual authentication
for the HTTPS clients of the Consul servers, that is when servers have either for the HTTPS clients of the Consul servers, that is when servers have either
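Review bot: The `externalServers` block in this first example has no `enabled: true`, while every later example on the page (`externalServers:` / `enabled: true` / `hosts: ...`) does; unless the chart enables external servers automatically when `hosts` is set, readers copying this block will get an installation that never contacts the servers, so add `enabled: true` here too. The removed "Networking" note was the only place stating that the pods must be able to reach the servers; the new setup still needs connectivity to the servers' HTTPS port (`8501` by default, per the TLS section), so consider keeping a one-line reachability requirement next to the new note. Renaming the heading from "Configuring TLS with Auto-encrypt" to "Configuring TLS" changes its anchor, so any existing links to the old anchor will break.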
@ -62,10 +49,9 @@ As noted in the [Security Model](/docs/security#secure-configuration),
that setting isn't strictly necessary to support Consul's threat model as it is recommended that that setting isn't strictly necessary to support Consul's threat model as it is recommended that
all requests contain a valid ACL token. all requests contain a valid ACL token.
Consul's auto-encrypt feature allows clients to automatically provision their certificates by making a request to the servers at startup. If the Consul server has TLS enabled, you would also need to provide the CA certificate that Consul on Kubernetes will
If you would like to use this feature with external Consul servers, you need to configure the Helm chart with information about the servers need to talk to the server. First save this certificate in a Kubernetes secret and then provide it in your Helm values below,
so that it can retrieve the clients' CA to use for securing the rest of the cluster. in addition to the values mentioned above:
To do that, you must add the following values, in addition to the values mentioned above:
<CodeBlockConfig filename="values.yaml" highlight="2-8"> <CodeBlockConfig filename="values.yaml" highlight="2-8">
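Review bot: "the CA certificate that Consul on Kubernetes will need to talk to the server" does not say what the certificate is for; state that it is the CA used to verify the servers' TLS certificates (and, given the note above that mutual authentication is not supported, that no client certificate is involved), e.g. "provide the CA certificate so that Consul on Kubernetes can verify the servers' TLS certificates". "you would also need to provide" reads better as "you must also provide", matching the imperative used elsewhere on the page. The `highlight="2-8"` range on the `CodeBlockConfig` was written for the old eight-line block; the new block is nine lines, so check whether `hosts` should be included in the highlight.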
@ -73,19 +59,17 @@ To do that, you must add the following values, in addition to the values mention
global: global:
tls: tls:
enabled: true enabled: true
enableAutoEncrypt: true caCert:
secretName: <CA certificate secret name>
secretKey: <CA Certificate secret key>
externalServers: externalServers:
enabled: true enabled: true
hosts: hosts: [<consul server DNS, IP or exec= string>]
- 'provider=my-cloud config=val ...'
``` ```
</CodeBlockConfig> </CodeBlockConfig>
In most cases, `externalServers.hosts` will be the same as `client.join`, however, both keys must be set because If your HTTPS port is different from Consul's default `8501`, you must also set
they are used for different purposes: one for Serf LAN and the other for HTTPS connections.
Please see the [reference documentation](/docs/k8s/helm#v-externalservers-hosts)
for more info. If your HTTPS port is different from Consul's default `8501`, you must also set
`externalServers.httpsPort`. `externalServers.httpsPort`.
## Configuring ACLs ## Configuring ACLs
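Review bot: The placeholder `secretKey: <CA Certificate secret key>` is easy to misread as a private key; since this is the key inside the Kubernetes Secret that holds the CA certificate, word it as something like `<key in the secret that holds the CA certificate>` and match the casing of `<CA certificate secret name>` above it. The deleted paragraph was also where the page said that `externalServers.hosts` is used for HTTPS connections; with `client.join` gone the comparison is no longer needed, but a short sentence saying these hosts are contacted over HTTPS on `externalServers.httpsPort` would make the remaining `8501` sentence self-explanatory.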
@ -137,8 +121,7 @@ with `consul login`.
```yaml ```yaml
externalServers: externalServers:
enabled: true enabled: true
hosts: hosts: [<consul server DNS, IP or exec= string>]
- 'provider=my-cloud config=val ...'
k8sAuthMethodHost: 'https://kubernetes.example.com:443' k8sAuthMethodHost: 'https://kubernetes.example.com:443'
``` ```
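Review bot: The placeholder `hosts: [<consul server DNS, IP or exec= string>]` is a YAML flow sequence, and the comma inside the angle brackets makes it parse as two items (`<consul server DNS` and `IP or exec= string>`), so anyone who pastes it unchanged gets two bogus hosts; prefer a placeholder without a comma, such as `hosts: ['<consul-server-address-or-exec-string>']`, or a block-style list. The same placeholder appears in the earlier examples and in the two hunks below, so apply the same change everywhere.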
@ -156,17 +139,9 @@ global:
bootstrapToken: bootstrapToken:
secretName: bootstrap-token secretName: bootstrap-token
secretKey: token secretKey: token
client:
enabled: true
# Set this to true to expose the Consul clients using the Kubernetes node
# IPs. If false, the pod IPs must be routable from the external servers.
exposeGossipPorts: true
join:
- 'provider=my-cloud config=val ...'
externalServers: externalServers:
enabled: true enabled: true
hosts: hosts: [<consul server DNS, IP or exec= string>]
- 'provider=my-cloud config=val ...'
k8sAuthMethodHost: 'https://kubernetes.example.com:443' k8sAuthMethodHost: 'https://kubernetes.example.com:443'
``` ```
@ -184,17 +159,9 @@ global:
enabled: false enabled: false
acls: acls:
manageSystemACLs: true manageSystemACLs: true
client:
enabled: true
# Set this to true to expose the Consul clients using the Kubernetes node
# IPs. If false, the pod IPs must be routable from the external servers.
exposeGossipPorts: true
join:
- 'provider=my-cloud config=val ...'
externalServers: externalServers:
enabled: true enabled: true
hosts: hosts: [<consul server DNS, IP or exec= string>]
- 'provider=my-cloud config=val ...'
k8sAuthMethodHost: 'https://kubernetes.example.com:443' k8sAuthMethodHost: 'https://kubernetes.example.com:443'
``` ```