From a1605630682739a6670a48037f6179ec24f36fbd Mon Sep 17 00:00:00 2001 From: Nitya Dhanushkodi Date: Tue, 22 Jun 2021 16:41:08 -0700 Subject: [PATCH] docs: upgrading to tproxy (/docs/upgrades/upgrade-specific) (#10416) * docs: update tproxy docs Co-authored-by: Blake Covarrubias Co-authored-by: Iryna Shustava Co-authored-by: David Yu --- .../content/docs/connect/transparent-proxy.mdx | 7 +++++-- .../content/docs/upgrading/upgrade-specific.mdx | 15 +++++++++++++-- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/website/content/docs/connect/transparent-proxy.mdx b/website/content/docs/connect/transparent-proxy.mdx index 5635020e36..d7188f1929 100644 --- a/website/content/docs/connect/transparent-proxy.mdx +++ b/website/content/docs/connect/transparent-proxy.mdx @@ -37,6 +37,9 @@ Otherwise, all Connect services can talk to all other services. The Kubernetes integration takes care of registering Kubernetes services with Consul, injecting a sidecar proxy, and enabling traffic redirection. +## Upgrading to Transparent Proxy + +~> When upgrading from older versions (i.e Consul-k8s < `0.26.0` or Consul-helm < `0.32.0`) to Consul-k8s >= `0.26.0` and Consul-helm >= `0.32.0`, please make sure to follow the upgrade steps [here](/docs/upgrading/upgrade-specific/#transparent-proxy-on-kubernetes). ## Configuration 
@@ -112,8 +115,8 @@ Traffic redirection interferes with [Kubernetes HTTP health probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) since the probes expect that kubelet can directly reach the application container on the probe's endpoint, but that traffic will be redirected through the sidecar proxy, causing errors because kubelet itself is not encrypting that traffic using a -mesh proxy. For this reason, Consul allows you to overwrite Kubernetes HTTP health probes to point to the proxy instead, -to pass that traffic through via the proxy using the Helm value `connectInject.transparentProxy.defaultOverwriteProbes` +mesh proxy. For this reason, Consul allows you to (overwrite Kubernetes HTTP health probes)[/docs/k8s/connect/health] to point to the proxy instead. +This can be done using the Helm value `connectInject.transparentProxy.defaultOverwriteProbes` or the Pod annotation `consul.hashicorp.com/transparent-proxy-overwrite-probes`. ### Traffic Redirection Configuration diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index d3c8393437..fc4fe34af9 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx 
@@ -30,8 +30,8 @@ have a license loaded from a configuration file or from their environment the sa agents must have the license specified. Both agents can still perform automatic retrieval of their license but with a few extra stipulations. First, license auto-retrieval now requires that ACLs are on and that the client or snapshot agent is configured with a valid ACL token. Secondly, client -agents require that either the [`start_join`](/docs/agent/opts#start_join) or -[`retry_join`](/docs/agent/opts#retry_join) configurations are set and that they resolve to server +agents require that either the [`start_join`](/docs/agent/options#start_join) or +[`retry_join`](/docs/agent/options#retry_join) configurations are set and that they resolve to server agents. If those stipulations are not met, attempting to start the client or snapshot agent will result in it immediately shutting down. @@ -101,6 +101,17 @@ and [after](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c 1. (Optionally) upgrade Envoy to the latest version supported in Consul 1.10.0. +### Transparent Proxy on Kubernetes + +When upgrading to Consul >= 1.10.0, Consul-helm >= 0.32.0, and Consul-k8s >= 0.26.0, a Kubernetes Service must be added for every service registered to Consul. This Service should be added before +performing the upgrade. This will allow services to be managed by a central component, called `endpoints-controller`, which will enable features like +transparent proxy. + +After the upgrade is performed, all Pods of a service will need to be restarted. The service will be up and health +checks will continue to work without restarting the service, but a restart is required so the Pods can be re-injected with the latest +container configuration. + + ## Consul 1.9.0 ### Changes to Raft Protocol Support
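Review bot: The link text "here" in the callout added by the `@@ -37,6 +37,9 @@` hunk of `transparent-proxy.mdx` says nothing about its target. Use descriptive text such as "the Transparent Proxy on Kubernetes upgrade steps". In the same line, "i.e" is missing its closing period. The link path also puts a slash before the anchor (`upgrade-specific/#transparent-proxy-on-kubernetes`), while the other anchored links in this patch (`/docs/agent/options#start_join`) do not, so pick one form. The version numbers are in backticks here but not in the matching sentence added to `upgrade-specific.mdx`, and the two should agree.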
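Review bot: The Markdown link added in the `@@ -112,8 +115,8 @@` hunk of `transparent-proxy.mdx` has its delimiters reversed: `(overwrite Kubernetes HTTP health probes)[/docs/k8s/connect/health]` will render as literal text, not as a link. It should read `[overwrite Kubernetes HTTP health probes](/docs/k8s/connect/health)`. Splitting the old run-on sentence into two is an improvement. Please preview the rendered page to confirm the link resolves.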
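Review bot: The new "Transparent Proxy on Kubernetes" section in the `@@ -101,6 +101,17 @@` hunk of `upgrade-specific.mdx` first says a Kubernetes Service "must be added" and then that it "should be added before performing the upgrade". State the ordering as a requirement, or say what happens to a service that has no Kubernetes Service when the upgrade runs. The second paragraph says health checks keep working "without restarting the service, but a restart is required", which leaves the state between upgrade and restart unclear. Spell out what is not in effect until the Pods are re-injected (is it traffic redirection through the sidecar?), so operators do not assume transparent proxy is enforcing anything before the restart. The section would also benefit from a link back to the transparent proxy page, and the hunk adds two blank lines before `## Consul 1.9.0` where one is enough.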