From a3b830f68f439f39a093cf956c882d8ec423323e Mon Sep 17 00:00:00 2001 From: Rebecca Zanzig Date: Tue, 29 Jan 2019 15:37:13 -0800 Subject: [PATCH 1/5] Update k8s ACL documentation Clarifies that an ACL token only needs to be provided when ACLs are enabled within the Consul cluster. --- .../source/docs/platform/k8s/service-sync.html.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/website/source/docs/platform/k8s/service-sync.html.md b/website/source/docs/platform/k8s/service-sync.html.md index ff2af3ddaf..952e451baf 100644 --- a/website/source/docs/platform/k8s/service-sync.html.md +++ b/website/source/docs/platform/k8s/service-sync.html.md @@ -67,17 +67,17 @@ sync to understand how the syncing works. The sync process must authenticate to both Kubernetes and Consul to read and write services. -For Consul, the process accepts both the standard CLI flag `-token` and -the environment variable `CONSUL_HTTP_TOKEN`. This should be set to an -Consul [ACL token](/docs/guides/acl.html) if ACLs are enabled. This -can also be configured using the Helm chart to read from a Kubernetes -secret. - For Kubernetes, a valid kubeconfig file must be provided with cluster and auth information. The sync process will look into the default locations for both in-cluster and out-of-cluster authentication. If `kubectl` works, then the sync program should work. +For Consul, if ACLs are configured on the cluster, a Consul [ACL token](/docs/guides/acl.html) +will need to be provided. The process accepts this token by using the +`CONSUL_HTTP_TOKEN` environment variable. This token should be set as a +[Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets) +and referenced in the Helm chart. + ## Kubernetes to Consul This sync registers Kubernetes services to the Consul catalog automatically. From c60efabed2f29953db478340c2e0447653ad819e Mon Sep 17 00:00:00 2001 
From: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> Date: Fri, 1 Feb 2019 14:32:37 -0800 Subject: [PATCH 2/5] Update website/source/docs/platform/k8s/service-sync.html.md Co-Authored-By: adilyse --- website/source/docs/platform/k8s/service-sync.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/platform/k8s/service-sync.html.md b/website/source/docs/platform/k8s/service-sync.html.md index 952e451baf..2583da0137 100644 --- a/website/source/docs/platform/k8s/service-sync.html.md +++ b/website/source/docs/platform/k8s/service-sync.html.md @@ -74,7 +74,7 @@ then the sync program should work. For Consul, if ACLs are configured on the cluster, a Consul [ACL token](/docs/guides/acl.html) will need to be provided. The process accepts this token by using the -`CONSUL_HTTP_TOKEN` environment variable. This token should be set as a +[`CONSUL_HTTP_TOKEN`](docs/commands/index.html#consul_http_token) environment variable. This token should be set as a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets) and referenced in the Helm chart. From 9bdd921917e38c331246a65709ae6e310cd29d6d Mon Sep 17 00:00:00 2001 From: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> Date: Fri, 1 Feb 2019 14:33:06 -0800 Subject: [PATCH 3/5] Apply suggestions from code review Co-Authored-By: adilyse --- website/source/docs/platform/k8s/service-sync.html.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/source/docs/platform/k8s/service-sync.html.md b/website/source/docs/platform/k8s/service-sync.html.md index 2583da0137..a21e0762a1 100644 --- a/website/source/docs/platform/k8s/service-sync.html.md +++ b/website/source/docs/platform/k8s/service-sync.html.md 
@@ -68,11 +68,11 @@ The sync process must authenticate to both Kubernetes and Consul to read and write services. For Kubernetes, a valid kubeconfig file must be provided with cluster -and auth information. The sync process will look into the default locations +and authentication information. The sync process will look into the default locations for both in-cluster and out-of-cluster authentication. If `kubectl` works, then the sync program should work. -For Consul, if ACLs are configured on the cluster, a Consul [ACL token](/docs/guides/acl.html) +For Consul, if ACLs are configured on the cluster, a Consul [ACL token](https://learn.hashicorp.com/consul/advanced/day-1-operations/acl-guide) will need to be provided. The process accepts this token by using the [`CONSUL_HTTP_TOKEN`](docs/commands/index.html#consul_http_token) environment variable. This token should be set as a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets) From 5a98953c43e1b84ae2284f25b7e694506e08cb6f Mon Sep 17 00:00:00 2001 From: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> Date: Thu, 7 Feb 2019 13:08:04 -0800 Subject: [PATCH 4/5] Apply suggestions from code review Co-Authored-By: adilyse --- website/source/docs/platform/k8s/service-sync.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/platform/k8s/service-sync.html.md b/website/source/docs/platform/k8s/service-sync.html.md index a21e0762a1..d75fe25083 100644 --- a/website/source/docs/platform/k8s/service-sync.html.md +++ b/website/source/docs/platform/k8s/service-sync.html.md 
@@ -73,7 +73,7 @@ for both in-cluster and out-of-cluster authentication. If `kubectl` works, then the sync program should work. For Consul, if ACLs are configured on the cluster, a Consul [ACL token](https://learn.hashicorp.com/consul/advanced/day-1-operations/acl-guide) -will need to be provided. The process accepts this token by using the +will need to be provided. Review the [ACL rules](/docs/agent/acl-rules.html) when creating a token with only the necessary privileges. The process accepts this token by using the [`CONSUL_HTTP_TOKEN`](docs/commands/index.html#consul_http_token) environment variable. This token should be set as a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets) and referenced in the Helm chart. From 1ef6bf3902624ba63cfb2e491cb287991a2bf499 Mon Sep 17 00:00:00 2001 From: Rebecca Zanzig Date: Thu, 7 Feb 2019 13:26:17 -0800 Subject: [PATCH 5/5] Add additional clarification to the ACL token wording --- website/source/docs/platform/k8s/service-sync.html.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/website/source/docs/platform/k8s/service-sync.html.md b/website/source/docs/platform/k8s/service-sync.html.md index d75fe25083..66b36da6e5 100644 --- a/website/source/docs/platform/k8s/service-sync.html.md +++ b/website/source/docs/platform/k8s/service-sync.html.md 
@@ -72,9 +72,12 @@ and authentication information. The sync process will look into the default loca for both in-cluster and out-of-cluster authentication. If `kubectl` works, then the sync program should work. -For Consul, if ACLs are configured on the cluster, a Consul [ACL token](https://learn.hashicorp.com/consul/advanced/day-1-operations/acl-guide) -will need to be provided. Review the [ACL rules](/docs/agent/acl-rules.html) when creating a token with only the necessary privileges. The process accepts this token by using the -[`CONSUL_HTTP_TOKEN`](docs/commands/index.html#consul_http_token) environment variable. This token should be set as a +For Consul, if ACLs are configured on the cluster, a Consul +[ACL token](https://learn.hashicorp.com/consul/advanced/day-1-operations/acl-guide) +will need to be provided. Review the [ACL rules](/docs/agent/acl-rules.html) +when creating this token so that it only allows the necessary privileges. The catalog +sync process accepts this token by using the [`CONSUL_HTTP_TOKEN`](docs/commands/index.html#consul_http_token) +environment variable. This token should be set as a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets) and referenced in the Helm chart.
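
Review bot: the `-token` CLI flag disappears from the Consul paragraph in PATCH 1/5. The removed text documented both `-token` and `CONSUL_HTTP_TOKEN`, the replacement names only the environment variable, and the commit message mentions only the "when ACLs are enabled" clarification. If the sync process still accepts the flag, keep it in the paragraph. If dropping it is deliberate, say so in the commit message so readers of the history know it was not an accident.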
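
Review bot: the link target added in PATCH 2/5, `docs/commands/index.html#consul_http_token`, has no leading slash, unlike the other internal link in the same paragraph (`/docs/guides/acl.html`). A browser resolves a target without the leading slash against the current page's directory, not the site root. Change it to `/docs/commands/index.html#consul_http_token`. The same target is carried unchanged through PATCH 3/5, 4/5 and 5/5, so fix it in the final version as well.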
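
Review bot: the subject of PATCH 3/5, "Apply suggestions from code review", does not say what changed, and the hunk bundles two unrelated edits: the "auth" to "authentication" wording fix in the Kubernetes paragraph and the retargeting of the ACL token link to the learn.hashicorp.com guide. PATCH 4/5 reuses the same subject. A subject per change (for example "Point ACL token link at the ACL guide") would make the history searchable.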
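
Review bot: the sentence added in PATCH 4/5 asks for "a token with only the necessary privileges" but does not say what those privileges are, leaving the reader to derive them from the ACL rules page. The section already states that the sync process reads and writes services, so name the resources the token's rules must cover for that, next to the link. The added line is also left unwrapped while the rest of the paragraph wraps at roughly 80 columns.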
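
Review bot: the closing sentence of the Consul paragraph in PATCH 5/5, "This token should be set as a Kubernetes secret and referenced in the Helm chart", still does not name the Helm chart value that takes the secret reference or the key the secret must contain, so the instruction cannot be followed from this page alone. Add the value name or link to the chart documentation. Separately, the new wording "The catalog sync process" differs from "The sync process" and "the sync program" used in the unchanged lines just above. Pick one term for the section.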