Docs: for consul-k8s health checks (#8819)

* docs for consul-k8s health checks

Co-authored-by: Derek Strickland <1111455+DerekStrickland@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Kyle Schochenmaier 2020-11-12 16:55:44 -06:00 committed by GitHub
parent 8bca51405c
commit a3653a7ae2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 54 additions and 0 deletions

@ -160,6 +160,7 @@ export default [
'terminating-gateways',
'connect-ca-provider',
'ambassador',
'health',
],
},
'service-sync',

@ -0,0 +1,47 @@
---
layout: docs
page_title: Kubernetes Health Checks
sidebar_title: Health Checks
description: Configuring Kubernetes Health Checks
---
# Kubernetes Health Checks in Consul on Kubernetes
-> 0.26+: This feature is available in consul-helm versions 0.26 and higher and is defaulted on.
To disable it, set `connectInject.healthChecks.enabled: false`.
~> This topic requires familiarity with [Kubernetes Health Checks](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/).
This page describes how to enable Consul on Kubernetes to sync the Kubernetes readiness status to Consul for service mesh uses cases.
When deploying your Helm chart, you can provide Helm with a custom yaml file that contains your environment configuration.
Enabling health checks is done via the `healthChecks` stanza under `connectInject`.
The minimal configuration required to enable health check synchronization with Consul for service mesh traffic is:
```yaml
global:
name: consul
connectInject:
enabled: true
healthChecks:
enabled: true
```
When `enabled: true` is set, a [TTL health check](https://www.consul.io/docs/discovery/checks#ttl) will be registered within
Consul for each Kubernetes pod that is connect-injected. The Consul health check's state will reflect the pod's readiness
status, which is the combination of all Kubernetes probes registered with the pod.
When readiness probes are set for a pod, the status of the pod will be reflected within Consul and will cause Consul to redirect service
mesh traffic to the pod based on the pod's health. If the pod has failing health checks, Consul will no longer use
the service instance associated with the pod for service mesh traffic. When the pod passes its health checks, Consul will
then use the respective service instance for service mesh traffic.
In the case where no user defined health checks are assigned to a pod, the default behavior is that the Consul health check will
be marked `passing` until the pod becomes unready.
To disable the health check controller, set the configuration for `healthChecks` to `enabled: false`.
In this state no health checks will be associated with Consul for Kubernetes pods regardless of the pod's health probes.
-> It is highly recommended to [enable TLS](/docs/k8s/helm#v-global-tls-enabled) for all configurations which use healthChecks to mitigate any
security concerns should the pod network ever be compromised. The health checks controller makes calls across the network to Consul agents on all nodes so an attacker could potentially sniff ACL tokens if those calls are not encrypted.
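Review bot: The TLS recommendation in the last paragraph of this new page sits below a minimal configuration that does not enable TLS, and the opening note says the feature is defaulted on, so a reader who copies the example (or simply upgrades) runs the health checks controller without the one mitigation the page itself names against ACL token sniffing. Consider moving that note directly under the YAML example and either adding `global.tls.enabled: true` to the example or stating there that the example omits it. Two smaller points in the same hunk: "service mesh uses cases" should read "use cases", and the instruction to set `healthChecks` to `enabled: false` appears both in the opening note and again near the end, so one copy can be dropped.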

@ -747,6 +747,12 @@ and consider if they're appropriate for your deployment.
to opt-in to Connect injection. If this is true, pods can use the same annotation
to explicitly opt-out of injection.
- `healthChecks` ((#v-connectinject-healthchecks)) - Synchronization of Kubernetes health probes status with Consul.
- `enabled` ((#v-connectinject-healthchecks-enabled)) (`boolean: true`) - Enables the Consul health check controller which syncs the readiness status of connect-injected pods with Consul.
- `reconcilePeriod` ((#v-connectinject-healthchecks-reconcileperiod)) (`string: "1m"`) - If `healthChecks.enabled` is set to true, reconcilePeriod defines how often a full state reconcile is done after the initial reconcile at startup is completed.
- `imageConsul` ((#v-connectinject-imageconsul)) (`string: global.image`) - The name of the Docker
image (including any tag) for Consul. This is used for proxy service registration, Envoy configuration, etc.
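Review bot: The `enabled` entry documents a default of `true` but neither links to the new health checks page nor repeats its TLS recommendation, so someone reading only this Helm reference will not learn that the controller's calls to Consul agents should be encrypted. Suggest adding a sentence to the `healthChecks` or `enabled` entry that links to the health checks page and to `global.tls.enabled`. In the `reconcilePeriod` entry, the second mention of reconcilePeriod is not in backticks, and the accepted duration format behind the `"1m"` default is not stated.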