github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

update multicluster docs (#13334)

pull/13196/head
Kyle Schochenmaier 3 years ago committed by GitHub
parent
73af9e9737
commit
ce44f6f604
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 15 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 22
      website/content/docs/k8s/installation/multi-cluster/index.mdx
  2. 10
      website/content/docs/k8s/installation/multi-cluster/kubernetes.mdx

22
website/content/docs/k8s/installation/multi-cluster/index.mdx
Unescape View File

@ -57,15 +57,19 @@ federated with Consul datacenters running on virtual machines (and vice versa).
Because the communication between clusters is end-to-end encrypted, mesh gateways
can even be exposed on the public internet.
The only requirement is that the mesh gateways for each cluster can route to
one another. For example, if using a load balancer service in front of each cluster's
mesh gateway, the load balancer IP must be routable from the other mesh gateway pods.
If using a public load balancer, this is guaranteed. If using a private load balancer
then you'll need to make sure that its IP is routable from your other clusters.
In addition, if ACLs are enabled, primary clusters must be able to make requests to the Kubernetes API URL of
secondary clusters.
There are three networking requirements:
1. When Consul servers in secondary datacenters first start up, they must be able to make calls directly to the
primary datacenter's mesh gateways.
1. Once the Consul servers in secondary datacenters have made that initial call to the primary datacenter's mesh
gateways, the mesh gateways in the secondary datacenter will be able to start. From this point onwards, all
communication between servers will flow first to the local mesh gateways, and then to the remote mesh gateways.
This means all mesh gateways across datacenters must be able to route to one another.
For example, if using a load balancer service in front of each cluster's mesh gateway pods, the load balancer IP
must be routable from the other mesh gateway pods.
If using a public load balancer, this is guaranteed. If using a private load balancer
then you'll need to make sure that its IP/DNS address is routable from your other clusters.
1. If ACLs are enabled, primary clusters must be able to make requests to the Kubernetes API URLs of secondary clusters.
## Next Steps

10
website/content/docs/k8s/installation/multi-cluster/kubernetes.mdx
Unescape View File

@ -289,14 +289,13 @@ The automatically generated federation secret contains:
## Kubernetes API URL
If ACLs are enabled, you must next determine the Kubernetes API URL for the secondary cluster. The API URL of the primary cluster
must be specified in the config files for all secondary clusters because secondary clusters need
If ACLs are enabled, you must next determine the Kubernetes API URL for each secondary cluster. The API URL of the secondary cluster must be specified in the config files for each secondary cluster because they need
to create global Consul ACL tokens (tokens that are valid in all datacenters) and these tokens can only be created
by the primary datacenter. By setting the API URL, the secondary cluster will configure a [Consul auth method](/docs/security/acl/auth-methods)
in the primary cluster so that components in the secondary cluster can use their Kubernetes ServiceAccount tokens
to retrieve global Consul ACL tokens from the primary.
To determine the Kubernetes API URL, first get the cluster name in your kubeconfig:
To determine the Kubernetes API URL, first get the cluster name in your kubeconfig for your secondary:
```shell-session
$ export CLUSTER=$(kubectl config view -o jsonpath="{.contexts[?(@.name == \"$(kubectl config current-context)\")].context.cluster}")
@ -352,7 +351,7 @@ global:
federation:
enabled: true
k8sAuthMethodHost: <kubernetes-api-url>
k8sAuthMethodHost: <kubernetes-api-url-of-secondary>
primaryDatacenter: dc1
gossipEncryption:
secretName: consul-federation
@ -380,8 +379,7 @@ server:
Modifications:
1. If ACLs are enabled, change the value of `global.federation.k8sAuthMethodHost` to the full URL (including `https://`) of this cluster's
Kubernetes API.
1. If ACLs are enabled, change the value of `global.federation.k8sAuthMethodHost` to the full URL (including `https://`) of the secondary cluster's Kubernetes API.
1. `global.federation.primaryDatacenter` must be set to the name of the primary datacenter.
1. The Consul datacenter name for the datacenter in this example is `dc2`. The datacenter name in **each** federated cluster **must be unique**.
1. ACLs are enabled in the above config file. They can be disabled by removing

Write Preview
Loading…
Cancel
Save