mirror of https://github.com/status-im/consul.git
docs: update docs/k8s/connect to for tproxy GA. (#10408)
* Assume tproxy is enabled by default and connect to upstreams with kube DNS. * Update docs for missing annotations.
This commit is contained in:
parent
7494b25c1e
commit
1fea51fbb5
|
@ -55,6 +55,7 @@ service is **required** to run services on the Consul Service Mesh.
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
|
# This name will be the service name in Consul.
|
||||||
name: static-server
|
name: static-server
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
|
@ -87,7 +88,6 @@ spec:
|
||||||
'consul.hashicorp.com/connect-inject': 'true'
|
'consul.hashicorp.com/connect-inject': 'true'
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
# This name will be the service name in Consul.
|
|
||||||
- name: static-server
|
- name: static-server
|
||||||
image: hashicorp/http-echo:latest
|
image: hashicorp/http-echo:latest
|
||||||
args:
|
args:
|
||||||
|
@ -117,11 +117,12 @@ To establish a connection to the pod using Connect, a client must use another Co
|
||||||
proxy. The client Connect proxy will use Consul service discovery to find
|
proxy. The client Connect proxy will use Consul service discovery to find
|
||||||
all available upstream proxies and their public ports.
|
all available upstream proxies and their public ports.
|
||||||
|
|
||||||
In the example above, the server is listening on `:8080`. This means
|
In the example above, the server is listening on `:8080`.
|
||||||
the server will still bind to the pod IP and allow external connections.
|
By default, the Consul Service Mesh runs in [transparent proxy](/docs/connect/transparent-proxy) mode.
|
||||||
This is useful to transition to Connect by allowing both Connect and
|
This means that even though the server binds to all interfaces,
|
||||||
non-Connect connections. To restrict access to only Connect-authorized clients,
|
the inbound and outbound connections will automatically go through to the sidecar proxy.
|
||||||
any listeners should bind to localhost only (such as `127.0.0.1`).
|
It also allows you to use Kubernetes DNS like you normally would without the
|
||||||
|
Consul Service Mesh.
|
||||||
|
|
||||||
-> **Note:** As of consul `v1.10.0`, consul-k8s `v0.26.0` and Consul Helm `v0.32.0`,
|
-> **Note:** As of consul `v1.10.0`, consul-k8s `v0.26.0` and Consul Helm `v0.32.0`,
|
||||||
all Consul Service Mesh services will run with transparent proxy enabled by default. Running with transparent
|
all Consul Service Mesh services will run with transparent proxy enabled by default. Running with transparent
|
||||||
|
@ -138,13 +139,14 @@ of establishing connections to our previous example "static-server" service. The
|
||||||
connection to this static text service happens over an authorized and encrypted
|
connection to this static text service happens over an authorized and encrypted
|
||||||
connection via Connect.
|
connection via Connect.
|
||||||
|
|
||||||
-> **Note:** As of consul-k8s `v0.26.0-beta1` and Consul Helm `v0.32.0-beta1`, having a Kubernetes
|
-> **Note:** As of consul-k8s `v0.26.0` and Consul Helm `v0.32.0`, having a Kubernetes
|
||||||
Service is **required** to run services on the Consul Service Mesh.
|
Service is **required** to run services on the Consul Service Mesh.
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
|
# This name will be the service name in Consul.
|
||||||
name: static-client
|
name: static-client
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
|
@ -173,10 +175,8 @@ spec:
|
||||||
app: static-client
|
app: static-client
|
||||||
annotations:
|
annotations:
|
||||||
'consul.hashicorp.com/connect-inject': 'true'
|
'consul.hashicorp.com/connect-inject': 'true'
|
||||||
'consul.hashicorp.com/connect-service-upstreams': 'static-server:1234'
|
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
# This name will be the service name in Consul.
|
|
||||||
- name: static-client
|
- name: static-client
|
||||||
image: tutum/curl:latest
|
image: tutum/curl:latest
|
||||||
# Just spin & wait forever, we'll use `kubectl exec` to demo
|
# Just spin & wait forever, we'll use `kubectl exec` to demo
|
||||||
|
@ -186,33 +186,25 @@ spec:
|
||||||
serviceAccountName: static-client
|
serviceAccountName: static-client
|
||||||
```
|
```
|
||||||
|
|
||||||
Pods must specify upstream dependencies with the
|
By default when ACLs are enabled or when ACLs default policy is `allow`,
|
||||||
[`consul.hashicorp.com/connect-service-upstreams` annotation](/docs/k8s/connect#consul-hashicorp-com-connect-service-upstreams).
|
Consul will automatically configure proxies with all upstreams from the same datacenter.
|
||||||
This annotation declares the names of any upstream dependencies and a
|
When ACLs are enabled with default `deny` policy,
|
||||||
local port for the proxy to listen on. When a connection is established to that local
|
you must supply an [intention](/docs/connect/intentions) to tell Consul which upstream you need to talk to.
|
||||||
port, the proxy establishes a connection to the target service
|
|
||||||
(`static-server` in this example) using
|
|
||||||
mutual TLS and identifying as the source service (`static-client` in this
|
|
||||||
example).
|
|
||||||
|
|
||||||
The injector will also set environment variables `<NAME>_CONNECT_SERVICE_HOST`
|
When upstreams are specified explicitly with the
|
||||||
|
[`consul.hashicorp.com/connect-service-upstreams` annotation](/docs/k8s/connect#consul-hashicorp-com-connect-service-upstreams),
|
||||||
|
the injector will also set environment variables `<NAME>_CONNECT_SERVICE_HOST`
|
||||||
and `<NAME>_CONNECT_SERVICE_PORT` in every container in the Pod for every defined
|
and `<NAME>_CONNECT_SERVICE_PORT` in every container in the Pod for every defined
|
||||||
upstream. This is analogous to the standard Kubernetes service environment variables, but
|
upstream. This is analogous to the standard Kubernetes service environment variables, but
|
||||||
point instead to the correct local proxy port to establish connections via
|
point instead to the correct local proxy port to establish connections via
|
||||||
Connect.
|
Connect.
|
||||||
|
|
||||||
Any containers running in the Pod that need to establish connections
|
We can verify access to the static text server using `kubectl exec`.
|
||||||
to dependencies must be reconfigured to use the local upstream address either
|
Because transparent proxy is enabled by default,
|
||||||
directly or using the environment variables set by the injector (defined above).
|
we use Kubernetes DNS to connect to our desired upstream.
|
||||||
This means pods should not use Kubernetes service DNS or environment
|
|
||||||
variables for these connections.
|
|
||||||
|
|
||||||
We can verify access to the static text server using `kubectl exec`. Notice
|
|
||||||
that we use the local address and port from the upstream annotation (1234)
|
|
||||||
for this verification.
|
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ kubectl exec static-client -- curl -s http://127.0.0.1:1234/
|
$ kubectl exec deploy/static-client -- curl -s http://static-server/
|
||||||
"hello world"
|
"hello world"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -224,7 +216,7 @@ without updating either of the running pods. You can then remove this
|
||||||
intention to allow connections again.
|
intention to allow connections again.
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ kubectl exec static-client -- curl -s http://127.0.0.1:1234/
|
$ kubectl exec deploy/static-client -- curl -s http://static-server/
|
||||||
command terminated with exit code 52
|
command terminated with exit code 52
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -238,15 +230,34 @@ Pod annotations can be used to configure the injection behavior.
|
||||||
specifying this value as "true". This default can be changed in the
|
specifying this value as "true". This default can be changed in the
|
||||||
injector's configuration if desired.
|
injector's configuration if desired.
|
||||||
|
|
||||||
- `consul.hashicorp.com/transparent-proxy` <sup>Beta</sup> - If this is "true", this Pod
|
- `consul.hashicorp.com/transparent-proxy` - If this is "true", this Pod
|
||||||
will run with transparent proxy enabled. This means you can use Kubernetes
|
will run with transparent proxy enabled. This means you can use Kubernetes
|
||||||
DNS to access upstream services and all inbound and outbound traffic within
|
DNS to access upstream services and all inbound and outbound traffic within
|
||||||
the pod is redirected to go through the proxy.
|
the pod is redirected to go through the proxy.
|
||||||
Using this annotation requires consul-k8s `v0.26.0-beta1` or higher.
|
|
||||||
|
- `consul.hashicorp.com/transparent-proxy-overwrite-probes` - If this is "true"
|
||||||
|
and transparent proxy is enabled, the Connect injector will overwrite Kubernetes
|
||||||
|
HTTP probes to point to the Envoy proxy.
|
||||||
|
|
||||||
|
- `consul.hashicorp.com/transparent-proxy-exclude-inbound-ports` - A comma-separated
|
||||||
|
list of inbound ports to exclude from traffic redirection when running in transparent proxy
|
||||||
|
mode.
|
||||||
|
|
||||||
|
- `consul.hashicorp.com/transparent-proxy-exclude-inbound-cidrs` - A comma-separated
|
||||||
|
list of inbound CIDRs to exclude from traffic redirection when running in transparent proxy
|
||||||
|
mode.
|
||||||
|
|
||||||
|
- `consul.hashicorp.com/transparent-proxy-exclude-outbound-ports` - A comma-separated
|
||||||
|
list of outbound ports to exclude from traffic redirection when running in transparent proxy
|
||||||
|
mode.
|
||||||
|
|
||||||
|
- `consul.hashicorp.com/transparent-proxy-exclude-uids` - A comma-separated
|
||||||
|
list of additional user IDs to exclude from traffic redirection when running in transparent proxy
|
||||||
|
mode.
|
||||||
|
|
||||||
- `consul.hashicorp.com/connect-service` - For pods that accept inbound
|
- `consul.hashicorp.com/connect-service` - For pods that accept inbound
|
||||||
connections, this specifies the name of the service that is being
|
connections, this specifies the name of the service that is being
|
||||||
served. This defaults to the name of the first container in the pod.
|
served. This defaults to the name of the Kubernetes service associated with the pod.
|
||||||
|
|
||||||
If using ACLs, this must be the same name as the Pod's `ServiceAccount`.
|
If using ACLs, this must be the same name as the Pod's `ServiceAccount`.
|
||||||
|
|
||||||
|
@ -260,7 +271,8 @@ Pod annotations can be used to configure the injection behavior.
|
||||||
|
|
||||||
- `consul.hashicorp.com/connect-service-upstreams` - The list of upstream
|
- `consul.hashicorp.com/connect-service-upstreams` - The list of upstream
|
||||||
services that this pod needs to connect to via Connect along with a static
|
services that this pod needs to connect to via Connect along with a static
|
||||||
local port to listen for those connections.
|
local port to listen for those connections. When transparent proxy is enabled,
|
||||||
|
this annotation is optional.
|
||||||
|
|
||||||
- Services
|
- Services
|
||||||
|
|
||||||
|
@ -514,7 +526,12 @@ There are three options available:
|
||||||
|
|
||||||
### Consul Enterprise Namespace Upstreams
|
### Consul Enterprise Namespace Upstreams
|
||||||
|
|
||||||
To specify the namespace of your upstream services in the upstream annotation,
|
When [transparent proxy](/docs/connect/transparent-proxy) is enabled and ACLs are disabled,
|
||||||
|
the upstreams will be configured automatically across Consul namespaces.
|
||||||
|
When ACLs are enabled, you must configure it by specifying an [intention](/docs/connect/intentions),
|
||||||
|
allowing services across Consul namespaces to talk to each other.
|
||||||
|
|
||||||
|
If you wish to specify an upstream explicitly via the `consul.hashicorp.com/connect-service-upstreams` annotation,
|
||||||
use the format `[service-name].[namespace]:[port]:[optional datacenter]`:
|
use the format `[service-name].[namespace]:[port]:[optional datacenter]`:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
@ -525,6 +542,10 @@ annotations:
|
||||||
|
|
||||||
See [consul.hashicorp.com/connect-service-upstreams](#consul-hashicorp-com-connect-service-upstreams) for more details.
|
See [consul.hashicorp.com/connect-service-upstreams](#consul-hashicorp-com-connect-service-upstreams) for more details.
|
||||||
|
|
||||||
|
-> **Note:** When you specify upstreams via an upstreams annotation, you will need to use
|
||||||
|
`localhost:<port>` with the port from the upstreams annotation instead of KubeDNS to connect to your upstream
|
||||||
|
application.
|
||||||
|
|
||||||
### Verifying the Installation
|
### Verifying the Installation
|
||||||
|
|
||||||
To verify the installation, run the
|
To verify the installation, run the
|
||||||
|
|
|
@ -199,7 +199,6 @@ spec:
|
||||||
'consul.hashicorp.com/connect-inject': 'true'
|
'consul.hashicorp.com/connect-inject': 'true'
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
# This name will be the service name in Consul.
|
|
||||||
- name: static-server
|
- name: static-server
|
||||||
image: hashicorp/http-echo:latest
|
image: hashicorp/http-echo:latest
|
||||||
args:
|
args:
|
||||||
|
@ -208,7 +207,6 @@ spec:
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 8080
|
- containerPort: 8080
|
||||||
name: http
|
name: http
|
||||||
# If ACLs are enabled, the serviceAccountName must match the Consul service name.
|
|
||||||
serviceAccountName: static-server
|
serviceAccountName: static-server
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -267,12 +267,10 @@ spec:
|
||||||
'consul.hashicorp.com/connect-service-upstreams': 'example-https:1234'
|
'consul.hashicorp.com/connect-service-upstreams': 'example-https:1234'
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
# This name will be the service name in Consul.
|
|
||||||
- name: static-client
|
- name: static-client
|
||||||
image: tutum/curl:latest
|
image: tutum/curl:latest
|
||||||
command: ['/bin/sh', '-c', '--']
|
command: ['/bin/sh', '-c', '--']
|
||||||
args: ['while true; do sleep 30; done;']
|
args: ['while true; do sleep 30; done;']
|
||||||
# If ACLs are enabled, the serviceAccountName must match the Consul service name.
|
|
||||||
serviceAccountName: static-client
|
serviceAccountName: static-client
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue