mirror of https://github.com/hashicorp/consul
484 lines
13 KiB
Markdown
484 lines
13 KiB
Markdown
---
|
|
layout: docs
|
|
page_title: Consul Custom Resource Definitions (Beta)
|
|
sidebar_title: Custom Resource Definitions <sup>(Beta)</sup>
|
|
description: >-
|
|
Consul now supports managing configuration entries via Kubernetes Custom Resources.
|
|
These custom resource can be used to manage the configuration for workloads
|
|
deployed within the cluster.
|
|
---
|
|
|
|
# Custom Resource Definitions <sup>(beta)</sup>
|
|
|
|
## Overview
|
|
|
|
-> **This feature is currently in Beta.** It requires consul-helm >= 0.25.0 and
|
|
consul >= 1.8.4.
|
|
|
|
We support managing Consul [configuration entries](/docs/agent/config-entries)
|
|
via Kubernetes Custom Resources. Configuration entries are used to provide
|
|
cluster-wide defaults for the service mesh.
|
|
|
|
We currently support the follow configuration entry kinds:
|
|
|
|
- [`proxy-defaults`](/docs/agent/config-entries/proxy-defaults)
|
|
- [`service-defaults`](/docs/agent/config-entries/service-defaults)
|
|
- [`service-splitter`](/docs/agent/config-entries/service-splitter)
|
|
- [`service-router`](/docs/agent/config-entries/service-router)
|
|
- [`service-resolver`](/docs/agent/config-entries/service-resolver)
|
|
- [`service-intentions`](/docs/agent/config-entries/service-intentions) (requires Consul >= 1.9.0)
|
|
|
|
The following kinds are **not** currently supported:
|
|
|
|
- [`ingress-gateway`](/docs/agent/config-entries/ingress-gateway)
|
|
- [`terminating-gateway`](/docs/agent/config-entries/terminating-gateway)
|
|
|
|
## Installation
|
|
|
|
Ensure you have version `0.25.0` of the helm chart:
|
|
|
|
```shell-session
|
|
$ helm search repo hashicorp/consul
|
|
NAME CHART VERSION APP VERSION DESCRIPTION
|
|
hashicorp/consul 0.25.0 1.8.4 Official HashiCorp Consul Chart
|
|
```
|
|
|
|
If you don't have `0.25.0`, you will need to update your helm repository cache:
|
|
|
|
```shell-session
|
|
$ helm repo update
|
|
Hang tight while we grab the latest from your chart repositories...
|
|
...Successfully got an update from the "hashicorp" chart repository
|
|
Update Complete. ⎈Happy Helming!⎈
|
|
```
|
|
|
|
Next, you must configure consul-helm via your `values.yaml` to install the custom resource definitions
|
|
and enable the controller that acts on them:
|
|
|
|
```yaml
|
|
global:
|
|
name: consul
|
|
image: 'consul:1.9.0-beta1' # consul >= 1.8.4 must be used
|
|
imageK8S: 'hashicorp/consul-k8s:0.19.0'
|
|
|
|
controller:
|
|
enabled: true
|
|
|
|
connectInject:
|
|
enabled: true
|
|
```
|
|
|
|
Note that:
|
|
|
|
1. `controller.enabled: true` installs the CRDs and enables the controller.
|
|
1. `global.image` must be a Consul version `>= 1.8.4`, e.g. `consul:1.8.4` or `consul:1.9.0-beta1`.
|
|
1. `global.imageK8S` must be `>= 0.19.0`
|
|
1. Configuration entries are used to configure Consul service mesh so it's also
|
|
expected that `connectInject` will be enabled.
|
|
|
|
See [Install with Helm Chart](/docs/k8s/installation/install) for further installation
|
|
instructions.
|
|
|
|
## Usage
|
|
|
|
Once installed, you can use `kubectl` to create and manage Consul's configuration entries.
|
|
|
|
### Create
|
|
|
|
You can create configuration entries via `kubectl apply`.
|
|
|
|
```shell-session
|
|
$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceDefaults
|
|
metadata:
|
|
name: foo
|
|
spec:
|
|
protocol: "http"
|
|
EOF
|
|
|
|
servicedefaults.consul.hashicorp.com/foo created
|
|
```
|
|
|
|
See [Specifications](#specifications) for detailed schema documentation.
|
|
|
|
### Get
|
|
|
|
You can use `kubectl get [kind] [name]` to get the status of the configuration entry:
|
|
|
|
```shell-session
|
|
$ kubectl get servicedefaults foo
|
|
NAME SYNCED
|
|
foo True
|
|
```
|
|
|
|
The `SYNCED` status shows whether the configuration entry was successfully created
|
|
in Consul.
|
|
|
|
### Describe
|
|
|
|
You can use `kubectl describe [kind] [name]` to investigate the status of the
|
|
configuration entry. If `SYNCED` is false, the status will contain the reason
|
|
why.
|
|
|
|
```shell-session
|
|
$ kubectl describe servicedefaults foo
|
|
Status:
|
|
Conditions:
|
|
Last Transition Time: 2020-10-09T21:15:50Z
|
|
Status: True
|
|
Type: Synced
|
|
```
|
|
|
|
### Edit
|
|
|
|
You can use `kubectl edit [kind] [name]` to edit the configuration entry:
|
|
|
|
```shell
|
|
$ kubectl edit servicedefaults foo
|
|
# change protocol: http => protocol: tcp
|
|
servicedefaults.consul.hashicorp.com/foo edited
|
|
```
|
|
|
|
You can then use `kubectl get` to ensure the change was synced to Consul:
|
|
|
|
```shell-session
|
|
$ kubectl get servicedefaults foo
|
|
NAME SYNCED
|
|
foo True
|
|
```
|
|
|
|
### Delete
|
|
|
|
You can use `kubectl delete [kind] [name]` to delete the configuration entry:
|
|
|
|
```shell-session
|
|
$ kubectl delete servicedefaults foo
|
|
servicedefaults.consul.hashicorp.com "foo" deleted
|
|
```
|
|
|
|
You can then use `kubectl get` to ensure the configuration entry was deleted:
|
|
|
|
```shell-session
|
|
$ kubectl get servicedefaults foo
|
|
Error from server (NotFound): servicedefaults.consul.hashicorp.com "foo" not found
|
|
```
|
|
|
|
#### Delete Hanging
|
|
|
|
If running `kubectl delete` hangs without exiting, there may be
|
|
a dependent configuration entry registered with Consul that prevents the target configuration entry from being
|
|
deleted. For example, if you set the protocol of your service to `http` via `ServiceDefaults` and then
|
|
create a `ServiceSplitter`, you won't be able to delete the `ServiceDefaults`.
|
|
|
|
This is because by deleting the `ServiceDefaults` config, you are setting the
|
|
protocol back to the default which is `tcp`. Since `ServiceSplitter` requires
|
|
that the service has an `http` protocol, Consul will not allow the `ServiceDefaults`
|
|
to be deleted since that would put Consul into a broken state.
|
|
|
|
In order to delete the `ServiceDefaults` config, you would need to first delete
|
|
the `ServiceSplitter`.
|
|
|
|
## Specifications
|
|
|
|
### ProxyDefaults
|
|
|
|
A [proxy-defaults](/docs/agent/config-entries/proxy-defaults)
|
|
entry configures global defaults across all proxies.
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ProxyDefaults
|
|
metadata:
|
|
name: global
|
|
spec:
|
|
config:
|
|
envoy_tracing_json: '{"http":{"config":{"collector_cluster":"jaeger_9411","collector_endpoint":"/api/v2/spans"},"name":"envoy.zipkin"}}'
|
|
expose:
|
|
checks: true
|
|
paths:
|
|
- listenerPort: 80
|
|
localPathPort: 42
|
|
path: /test/path
|
|
protocol: http
|
|
- listenerPort: 8080
|
|
localPathPort: 4201
|
|
path: /root/test/path
|
|
protocol: http2
|
|
meshGateway:
|
|
mode: local
|
|
```
|
|
|
|
Notes:
|
|
|
|
1. There can only be one `ProxyDefaults` resource and its name **must** be `global`.
|
|
1. Keys under `spec.config` will need to use `snake_case`, not `camelCase`, because
|
|
this config is passed directly to Envoy which uses `snake_case`, e.g.
|
|
```yaml
|
|
spec:
|
|
config:
|
|
envoy_statsd_url: 'udp://127.0.0.1:8125'
|
|
```
|
|
1. See [proxy-defaults](/docs/agent/config-entries/proxy-defaults) for full
|
|
documentation on this config entry.
|
|
|
|
### ServiceDefaults
|
|
|
|
A [service-defaults](/docs/agent/config-entries/service-defaults)
|
|
entry configures a specific service.
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceDefaults
|
|
metadata:
|
|
name: your-service-name
|
|
spec:
|
|
protocol: https
|
|
meshGateway:
|
|
mode: local
|
|
expose:
|
|
checks: true
|
|
paths:
|
|
- listenerPort: 80
|
|
path: /path
|
|
localPathPort: 9000
|
|
protocol: http
|
|
- listenerPort: 8080
|
|
path: /another-path
|
|
localPathPort: 9091
|
|
protocol: http2
|
|
externalSNI: external-sni
|
|
```
|
|
|
|
Notes:
|
|
|
|
1. The name of the service that this `ServiceDefaults` configures is set by
|
|
`metadata.name`.
|
|
1. See [service-defaults](/docs/agent/config-entries/service-defaults) for full
|
|
documentation on this config entry.
|
|
|
|
### ServiceIntentions <sup>(Beta)</sup>
|
|
|
|
A [service-intentions](/docs/agent/config-entries/service-intentions)
|
|
entry configures traffic authorization for a destination service.
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceIntentions
|
|
metadata:
|
|
name: my-intention
|
|
spec:
|
|
destination:
|
|
name: your-service-name
|
|
sources:
|
|
- name: svc1
|
|
namespace: test
|
|
action: allow
|
|
permissions: []
|
|
description: allow access from svc1
|
|
- name: '*'
|
|
namespace: not-test
|
|
action: deny
|
|
permissions: []
|
|
description: disallow access from namespace not-test
|
|
- name: svc-2
|
|
namespace: bar
|
|
action: ''
|
|
permissions:
|
|
- action: allow
|
|
http:
|
|
pathExact: /foo
|
|
pathPrefix: /bar
|
|
pathRegex: /baz
|
|
header:
|
|
- name: header
|
|
present: true
|
|
exact: exact
|
|
prefix: prefix
|
|
suffix: suffix
|
|
regex: regex
|
|
invert: true
|
|
methods:
|
|
- GET
|
|
- PUT
|
|
description: an L7 config
|
|
```
|
|
|
|
Notes:
|
|
|
|
1. This resource is only supported in Consul 1.9.0.
|
|
1. **Unlike the other configuration entries**, the value of `metadata.name` does not
|
|
define which service the intention applies to.
|
|
Instead, the name of the service this intention
|
|
is configuring is set in `spec.destination.name`.
|
|
|
|
The `metadata.name` field can be set to any value,
|
|
however, we recommend setting it to the name of the destination service the
|
|
intention is configuring.
|
|
|
|
1. Wildcard intentions can be created by setting `spec.destination.name` to `*` and/or
|
|
`spec.sources[].name` to `*`. For example to create a `deny` intention that applies
|
|
to all services:
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceIntentions
|
|
metadata:
|
|
name: deny-all
|
|
spec:
|
|
destination:
|
|
name: *
|
|
sources:
|
|
- name: *
|
|
action: deny
|
|
```
|
|
|
|
1. See [service-intentions](/docs/agent/config-entries/service-intentions) for full
|
|
documentation on this config entry.
|
|
|
|
### ServiceResolver
|
|
|
|
A [service-resolver](/docs/agent/config-entries/service-resolver)
|
|
entry configures which service instances should satisfy Connect upstream discovery requests for a given service name.
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceResolver
|
|
metadata:
|
|
name: your-service-name
|
|
spec:
|
|
defaultSubset: default_subset
|
|
subsets:
|
|
subset1:
|
|
filter: filter1
|
|
onlyPassing: true
|
|
subset2:
|
|
filter: filter2
|
|
redirect:
|
|
service: redirect
|
|
serviceSubset: redirect_subset
|
|
namespace: redirect_namespace
|
|
datacenter: redirect_datacenter
|
|
failover:
|
|
failover1:
|
|
service: failover1
|
|
serviceSubset: failover_subset1
|
|
namespaces: failover_namespace1
|
|
datacenters:
|
|
- failover1_dc1
|
|
- failover1_dc2
|
|
failover2:
|
|
service: failover2
|
|
serviceSubset: failover_subset2
|
|
namespaces: failover_namespace2
|
|
datacenters:
|
|
- failover2_dc1
|
|
- failover2_dc2
|
|
connectTimeout: 1000000000
|
|
loadBalancer:
|
|
policy: policy
|
|
ringHashConfig:
|
|
minimumRingSize: 1
|
|
maximumRingSize: 2
|
|
leastRequestConfig:
|
|
choiceCount: 1
|
|
hashPolicies:
|
|
- field: field
|
|
fieldValue: value
|
|
cookieConfig:
|
|
session: true
|
|
ttl: 1
|
|
path: path
|
|
sourceIP: true
|
|
terminal: true
|
|
```
|
|
|
|
Notes:
|
|
|
|
1. The name of the service that this `ServiceResolver` configures is set by
|
|
`metadata.name`.
|
|
1. See [service-resolver](/docs/agent/config-entries/service-resolver) for full
|
|
documentation on this config entry.
|
|
|
|
### ServiceRouter
|
|
|
|
A [service-router](/docs/agent/config-entries/service-router)
|
|
entry configures traffic routing and manipulation at networking layer 7 (e.g. HTTP).
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceRouter
|
|
metadata:
|
|
name: your-service-name
|
|
spec:
|
|
routes:
|
|
- match:
|
|
http:
|
|
pathExact: pathExact
|
|
pathPrefix: pathPrefix
|
|
pathRegex: pathRegex
|
|
header:
|
|
- name: name
|
|
present: true
|
|
exact: exact
|
|
prefix: prefix
|
|
suffix: suffix
|
|
regex: regex
|
|
invert: true
|
|
queryParam:
|
|
- name: name
|
|
present: true
|
|
exact: exact
|
|
regex: regex
|
|
methods:
|
|
- method1
|
|
- method2
|
|
destination:
|
|
service: service
|
|
serviceSubset: serviceSubset
|
|
namespace: namespace
|
|
prefixRewrite: prefixRewrite
|
|
requestTimeout: 1000000000
|
|
numRetries: 1
|
|
retryOnConnectFailure: true
|
|
retryOnStatusCodes:
|
|
- 500
|
|
- 400
|
|
```
|
|
|
|
Notes:
|
|
|
|
1. The name of the service that this `ServiceRouter` configures is set by
|
|
`metadata.name`.
|
|
1. See [service-router](/docs/agent/config-entries/service-router) for full
|
|
documentation on this config entry.
|
|
|
|
### ServiceSplitter
|
|
|
|
A [service-splitter](/docs/agent/config-entries/service-splitter)
|
|
entry configures splitting incoming requests across different subsets of a single service.
|
|
|
|
```yaml
|
|
apiVersion: consul.hashicorp.com/v1alpha1
|
|
kind: ServiceSplitter
|
|
metadata:
|
|
name: your-service-name
|
|
spec:
|
|
splits:
|
|
- weight: 25.5
|
|
service: foo
|
|
serviceSubset: v1
|
|
namespace: baz
|
|
- weight: 74.5
|
|
service: foo
|
|
serviceSubset: v2
|
|
namespace: baz
|
|
```
|
|
|
|
Notes:
|
|
|
|
1. The name of the service that this `ServiceSplitter` configures is set by
|
|
`metadata.name`.
|
|
1. See [service-splitter](/docs/agent/config-entries/service-splitter) for full
|
|
documentation on this config entry.
|