From 16f0a24ff56b9e096afc33efb19a5230cc264dd2 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 17 Oct 2023 16:59:31 -0700 Subject: [PATCH] docs: Fix multi-port install (#19262) * Update configure.mdx Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --- .../content/docs/k8s/multiport/configure.mdx | 55 +++++++++++-------- 1 file changed, 32 insertions(+), 23 deletions(-) diff --git a/website/content/docs/k8s/multiport/configure.mdx b/website/content/docs/k8s/multiport/configure.mdx index d53ea521f3..991a0817fb 100644 --- a/website/content/docs/k8s/multiport/configure.mdx +++ b/website/content/docs/k8s/multiport/configure.mdx @@ -59,7 +59,13 @@ Then install Consul to your Kubernetes cluster using either the `consul-k8s` CLI +For platforms other than Mac OSX amd64, refer to [Install a previous version](/consul/docs/k8s/installation/install-cli#install-a-previous-version) for instructions on how to install a specific version of the `consul-k8s` CLI prior to running `consul-k8s install`. + ```shell-session +$ export VERSION=1.3.0-rc1 && \ + curl --location "https://releases.hashicorp.com/consul-k8s/${VERSION}/consul-k8s_${VERSION}_darwin_amd64.zip" --output consul-k8s-cli.zip +$ unzip -o consul-k8s-cli.zip -d ~/consul-k8s +$ export PATH=$PATH:$HOME/consul-k8s $ consul-k8s install -config-file=values.yaml ``` @@ -68,7 +74,7 @@ $ consul-k8s install -config-file=values.yaml ```shell-session -$ helm install consul hashicorp/consul --create-namespace --namespace consul --values values.yaml +$ helm install consul hashicorp/consul --create-namespace --namespace consul --version 1.3.0-rc1 --values values.yaml ``` 
@@ -281,14 +287,14 @@ spec: To apply these services to your Kubernetes deployment and register them with Consul, run the following command: ```shell-session -$ kubectl apply -f api.yaml -f web.yaml --namespace consul +$ kubectl apply -f api.yaml -f web.yaml ``` ## Configure traffic permissions Consul uses traffic permissions to validate communication between services based on L4 identity. In the beta release of the v2 catalog API, traffic permissions allow all services by default. In order to verify that services function correctly on each port, create CRDs that deny traffic to each port. -The following examples create Consul CRDs that allow traffic to only one port of the multi-port service. Each resource separately denies `web` permission when it is a source of traffic to one of the services. These traffic permissions work with either method for defining a multi-port service. +The following examples create Consul CRDs that allow traffic to only one port of the multi-port service. Each resource separately denies `web` permission when it is a source of traffic to one of the services. These traffic permissions work with either method for defining a multi-port service. When following the instructions on this page, apply these permissions individually when you validate the ports. 
@@ -338,15 +344,18 @@ spec: To open a shell to the `web` container, you need the name of the Pod it currently runs on. Run the following command to return a list of Pods: ```shell-session -$ kubectl get pods --namespace consul +$ kubectl get pods NAME READY STATUS RESTARTS AGE api-5784b54bcc-tp98l 3/3 Running 0 6m55s -consul-connect-injector-54865fbcbf-sfjsl 1/1 Running 0 8m33s -consul-server-0 1/1 Running 0 8m33s -consul-webhook-cert-manager-666676bd5b-cdbxc 1/1 Running 0 8m33s web-6dcbd684bc-gk8n5 2/2 Running 0 6m55s ``` +Set environment variables to remember the pod name for the web workload for use in future commands. + +```shell-session +$ export WEB_POD=web-6dcbd684bc-gk8n5 +``` + ### Validate both ports Use the `web` Pod's name to open a shell session and test the `api` service on port 80. @@ -356,14 +365,14 @@ Use the `web` Pod's name to open a shell session and test the `api` service on p ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80 +$ kubectl exec -it ${WEB_POD} -c web -- curl api:80 hello world ``` Then test the `api` service on port 90. ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90 +$ kubectl exec -it ${WEB_POD} -c web -- curl api:90 hello world from 9090 admin ``` @@ -372,14 +381,14 @@ hello world from 9090 admin ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80 +$ kubectl exec -it ${WEB_POD} -c web -- curl api:80 hello world ``` Then test the `api-admin` service on port 90. ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-admin:90 +$ kubectl exec -it ${WEB_POD} -c web --namespace consul -- curl api-admin:90 hello world from 9090 admin ``` @@ -391,7 +400,7 @@ hello world from 9090 admin Apply the CRD to allow traffic to port 80 only: ```shell-session -$ kubectl apply -f deny-90.yaml --namespace consul +$ kubectl apply -f deny-90.yaml ``` 
@@ -401,14 +410,14 @@ $ kubectl apply -f deny-90.yaml --namespace consul Then, open a shell session in the `web` container and test the `api` service on port 80. ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80 +$ kubectl exec -it ${WEB_POD} -c web -- curl api:80 hello world ``` Test the `api` service on port 90. This command should fail, indicating that the traffic permission is in effect. ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90 +$ kubectl exec -it ${WEB_POD} -c web -- curl api:90 ``` @@ -418,14 +427,14 @@ $ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90 Then, open a shell session in the `web` container and test the `api` service on port 80. ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80 +$ kubectl exec -it ${WEB_POD} -c web -- curl api:80 hello world ``` Test the `admin` service on port 90. This command should fail, indicating that the traffic permission is in effect. ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-admin:90 +$ kubectl exec -it ${WEB_POD} -c web -- curl api-admin:90 ``` @@ -434,7 +443,7 @@ $ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-ad Before testing the other port, remove the `TrafficPermissions` CRD. ```shell-session -$ kubectl delete -f deny-90.yaml --namespace consul +$ kubectl delete -f deny-90.yaml ``` ### Validate port 90 @@ -442,7 +451,7 @@ $ kubectl delete -f deny-90.yaml --namespace consul Apply the CRD to allow traffic to port 90 only: ```shell-session -$ kubectl apply -f deny-80.yaml --namespace consul +$ kubectl apply -f deny-80.yaml ``` 
@@ -452,14 +461,14 @@ $ kubectl apply -f deny-80.yaml --namespace consul Then, open a shell session in the `web` container and test the `api` service on port 90. ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:90 +$ kubectl exec -it ${WEB_POD} -c web -- curl api:90 hello world from 9090 admin ``` Test the `api` service on port 80. This command should fail, indicating that the traffic permission is in effect. ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80 +$ kubectl exec -it ${WEB_POD} -c web -- curl api:80 ``` @@ -469,15 +478,15 @@ $ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80 Then, open a shell session in the `web` container and test the `api-admin` service on port 90. ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api-admin:90 +$ kubectl exec -it ${WEB_POD} -c web -- curl api-admin:90 hello world from 9090 admin ``` Test the `api` service on port 80. This command should fail, indicating that the traffic permission is in effect. ```shell-session -$ kubectl exec -it web-6dcbd684bc-gk8n5 -c web --namespace consul -- curl api:80 +$ kubectl exec -it ${WEB_POD} -c web -- curl api:80 ``` - \ No newline at end of file +
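Review bot: The install step added in the `@@ -59,7 +59,13 @@` hunk runs `curl --location ... --output consul-k8s-cli.zip` and then `unzip -o` with no integrity check on the downloaded archive. Suggest adding a step between the download and the unzip that verifies the zip against the checksum published for that release. Also note that `export PATH=$PATH:$HOME/consul-k8s` appends to the PATH, so a `consul-k8s` binary already installed earlier on the PATH would still be the one that runs `consul-k8s install`.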
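Review bot: Dropping `--namespace consul` from `kubectl apply -f api.yaml -f web.yaml` in the `@@ -281,14 +287,14 @@` hunk makes the target namespace depend on the reader's current kubectl context, and the visible text does not say which namespace is intended. Suggest naming the expected namespace in the sentence above the command, because the later `kubectl get pods`, `kubectl exec` and `kubectl apply -f deny-90.yaml` steps only validate the traffic permissions if they resolve to the same namespace as these services.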
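Review bot: The added `export WEB_POD=web-6dcbd684bc-gk8n5` in the `@@ -338,15 +344,18 @@` hunk hard-codes the pod name from the sample output, which will not exist in the reader's cluster, so every later `kubectl exec -it ${WEB_POD}` fails if the line is copied as written. Suggest telling the reader to substitute the `web-...` name returned by their own `kubectl get pods`. The lead-in sentence also says "environment variables" while only one variable is set.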
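Review bot: One command in the `@@ -372,14 +381,14 @@` hunk still carries the old flag: `kubectl exec -it ${WEB_POD} -c web --namespace consul -- curl api-admin:90`. Every other `kubectl exec` in this patch drops `--namespace consul`, and the services are now applied without it, so this command would look for the pod in the `consul` namespace and not find it. Suggest removing the flag here to match the rest of the page.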