mirror of https://github.com/status-im/consul.git
Update k8s fed docs to clarify role of acl token (#10233)
This commit is contained in:
parent
1fe17b720a
commit
832560b610
|
@ -20,24 +20,33 @@ must be the [primary](/docs/k8s/installation/multi-cluster/kubernetes#primary-da
|
|||
If your primary datacenter is running on Kubernetes, use the Helm config from the
|
||||
[Primary Datacenter](/docs/k8s/installation/multi-cluster/kubernetes#primary-datacenter) section to install Consul.
|
||||
|
||||
Once installed, and with the `ProxyDefaults` [resource created](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults),
|
||||
Once installed on Kubernetes, and with the `ProxyDefaults` [resource created](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults),
|
||||
you'll need to export the following information from the primary Kubernetes cluster:
|
||||
|
||||
* The certificate authority cert:
|
||||
- Certificate authority cert and key (in order to create SSL certs for VMs)
|
||||
- External addresses of Kubernetes mesh gateways
|
||||
- Replication ACL token
|
||||
- Gossip encryption key
|
||||
|
||||
The following sections detail how to export this data.
|
||||
|
||||
### Certificates
|
||||
|
||||
1. Retrieve the certificate authority cert:
|
||||
|
||||
```sh
|
||||
kubectl get secrets/consul-ca-cert --template='{{index .data "tls.crt" }}' |
|
||||
base64 -D > consul-agent-ca.pem
|
||||
```
|
||||
|
||||
* The certificate authority signing key:
|
||||
1. And the certificate authority signing key:
|
||||
|
||||
```sh
|
||||
kubectl get secrets/consul-ca-key --template='{{index .data "tls.key" }}' |
|
||||
base64 -D > consul-agent-ca-key.pem
|
||||
```
|
||||
|
||||
With the `consul-agent-ca.pem` and `consul-agent-ca-key.pem` files you can
|
||||
1. With the `consul-agent-ca.pem` and `consul-agent-ca-key.pem` files you can
|
||||
create certificates for your servers and clients running on VMs that share the
|
||||
same certificate authority as your Kubernetes servers.
|
||||
|
||||
|
@ -63,7 +72,7 @@ Not satisfying this requirement would result in the following error in the Consu
|
|||
See the help for output of `consul tls cert create -h` to see more options
|
||||
for generating server certificates.
|
||||
|
||||
These certificates can be used in your server config file:
|
||||
1. These certificates can be used in your server config file:
|
||||
|
||||
```hcl
|
||||
# server.hcl
|
||||
|
@ -72,7 +81,7 @@ key_file = "vm-dc-server-consul-0-key.pem"
|
|||
ca_file = "consul-agent-ca.pem"
|
||||
```
|
||||
|
||||
For clients, you can generate TLS certs with:
|
||||
1. For clients, you can generate TLS certs with:
|
||||
|
||||
```shell-session
|
||||
$ consul tls cert create -client
|
||||
|
@ -83,7 +92,9 @@ $ consul tls cert create -client
|
|||
|
||||
Or use the [auto_encrypt](/docs/agent/options#auto_encrypt) feature.
|
||||
|
||||
1. The WAN addresses of the mesh gateways:
|
||||
### Mesh Gateway Addresses
|
||||
|
||||
Retrieve the WAN addresses of the mesh gateways:
|
||||
|
||||
```shell-session
|
||||
$ kubectl exec statefulset/consul-server -- sh -c \
|
||||
|
@ -108,7 +119,9 @@ setting:
|
|||
primary_gateways = ["1.2.3.4:443"]
|
||||
```
|
||||
|
||||
1. If ACLs are enabled, you'll also need the replication ACL token:
|
||||
### Replication ACL Token
|
||||
|
||||
If ACLs are enabled, you'll also need the replication ACL token:
|
||||
|
||||
```shell-session
|
||||
$ kubectl get secrets/consul-acl-replication-acl-token --template='{{.data.token}}'
|
||||
|
@ -116,18 +129,22 @@ e7924dd1-dc3f-f644-da54-81a73ba0a178
|
|||
```
|
||||
|
||||
This token will be used in the server config for the replication token.
|
||||
You must also create your own agent policy and token.
|
||||
|
||||
```hcl
|
||||
acls {
|
||||
tokens {
|
||||
agent = "<your agent token>"
|
||||
replication = "e7924dd1-dc3f-f644-da54-81a73ba0a178"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
1. If gossip encryption is enabled, you'll need the key as well. The command
|
||||
-> **NOTE:** You'll also need to set up additional ACL tokens as needed by the
|
||||
ACL system. See tutorial [Secure Consul with Access Control Lists (ACLs)](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production#apply-individual-tokens-to-agents)
|
||||
for more information.
|
||||
|
||||
### Gossip Encryption Key
|
||||
|
||||
If gossip encryption is enabled, you'll need the key as well. The command
|
||||
to retrieve the key will depend on which Kubernetes secret you've stored it in.
|
||||
|
||||
This key will be used in server and client configs for the `encrypt` setting:
|
||||
|
@ -136,6 +153,8 @@ acls {
|
|||
encrypt = "uF+GsbI66cuWU21kiXLze5JLEX5j4iDFlDTb0ZWNpDI="
|
||||
```
|
||||
|
||||
### Final Configuration
|
||||
|
||||
A final example server config file might look like:
|
||||
|
||||
```hcl
|
||||
|
@ -293,11 +312,11 @@ gateways running on VMs.
|
|||
With your config file ready to go, follow our [Installation Guide](/docs/k8s/installation/install)
|
||||
to install Consul on your secondary cluster(s).
|
||||
|
||||
## Next Steps
|
||||
|
||||
After installation, if you're using consul-helm 0.30.0+, [create the
|
||||
`ProxyDefaults` resource](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults)
|
||||
to allow traffic between datacenters.
|
||||
|
||||
Follow the [Verifying Federation](/docs/k8s/installation/multi-cluster/kubernetes#verifying-federation)
|
||||
## Next Steps
|
||||
|
||||
In both cases (Kubernetes as primary or secondary), after installation, follow the [Verifying Federation](/docs/k8s/installation/multi-cluster/kubernetes#verifying-federation)
|
||||
section to verify that federation is working as expected.
|
||||
|
|
Loading…
Reference in New Issue