Merge pull request #6683 from hashicorp/service-account-connect-inject-docs

Document service account name requirements
This commit is contained in:
Luke Kysow 2019-10-28 10:26:52 -07:00 committed by GitHub
commit b5cd6f83a3
GPG Key ID: 4AEE18F83AFDEB23


@ -54,6 +54,7 @@ metadata:
"consul.hashicorp.com/connect-inject": "true" "consul.hashicorp.com/connect-inject": "true"
spec: spec:
containers: containers:
# This name will be the service name in Consul.
- name: static-server - name: static-server
image: hashicorp/http-echo:latest image: hashicorp/http-echo:latest
args: args:
@ -62,6 +63,13 @@ spec:
ports: ports:
- containerPort: 8080 - containerPort: 8080
name: http name: http
# If ACLs are enabled, the serviceAccountName must match the Consul service name.
serviceAccountName: static-server
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: static-server
``` ```
The only change for Connect is the addition of the The only change for Connect is the addition of the
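Review bot: the new `serviceAccountName: static-server` line must sit at the pod `spec` level as a sibling of `containers`, but in the hunk it follows the container's `ports:`/`name: http` block, so the indentation should be checked in the rendered file; if it lands inside the container entry the manifest is rejected. Also, the Pod document precedes the `ServiceAccount` document after the `---` separator, and Kubernetes refuses to create a Pod whose `serviceAccountName` does not yet exist, so the `ServiceAccount` should be listed first (or the text should say to apply it first) for the example to work with a single `kubectl apply -f`.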
@ -83,6 +91,10 @@ This is useful to transition to Connect by allowing both Connect and
non-Connect connections. To restrict access to only Connect-authorized clients, non-Connect connections. To restrict access to only Connect-authorized clients,
any listeners should bind to localhost only (such as `127.0.0.1`). any listeners should bind to localhost only (such as `127.0.0.1`).
The service name registered in Consul will be set to the name of the first
container in the Pod. This can be customized with the `consul.hashicorp.com/connect-service`
annotation. If using ACLs, this name must be the same as the Pod's `ServiceAccount` name.
### Connecting to Connect-Enabled Services ### Connecting to Connect-Enabled Services
The example pod specification below configures a pod that is capable The example pod specification below configures a pod that is capable
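Review bot: the new paragraph states the ACL requirement but gives no pointer to what happens when it is violated; consider linking it to the 403 note added further down in the Installation section so readers who hit the `Permission denied` error find the cause. Minor style: `ServiceAccount` is backticked here but the matching comment in the YAML above uses the plain field name `serviceAccountName`; using the field name consistently would make it easier to grep the example for the line that has to change.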
@ -100,11 +112,19 @@ metadata:
"consul.hashicorp.com/connect-service-upstreams": "static-server:1234" "consul.hashicorp.com/connect-service-upstreams": "static-server:1234"
spec: spec:
containers: containers:
# This name will be the service name in Consul.
- name: static-client - name: static-client
image: tutum/curl:latest image: tutum/curl:latest
# Just spin & wait forever, we'll use `kubectl exec` to demo # Just spin & wait forever, we'll use `kubectl exec` to demo
command: [ "/bin/sh", "-c", "--" ] command: [ "/bin/sh", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ] args: [ "while true; do sleep 30; done;" ]
# If ACLs are enabled, the serviceAccountName must match the Consul service name.
serviceAccountName: static-client
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: static-client
``` ```
Pods must specify upstream dependencies with the Pods must specify upstream dependencies with the
@ -164,6 +184,8 @@ Annotations can be used to configure the injection behavior.
connections, this specifies the name of the service that is being connections, this specifies the name of the service that is being
served. This defaults to the name of the first container in the pod. served. This defaults to the name of the first container in the pod.
If using ACLs, this must be the same name as the Pod's `ServiceAccount`.
* `consul.hashicorp.com/connect-service-port` - For pods that accept inbound * `consul.hashicorp.com/connect-service-port` - For pods that accept inbound
connections, this specifies the port to route inbound connections to. This connections, this specifies the port to route inbound connections to. This
is the port that the service is listening on. The service port defaults to is the port that the service is listening on. The service port defaults to
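Review bot: the added sentence under `connect-service` is the third different phrasing of the same condition on this page ("If ACLs are enabled", "If using ACLs", and `global.bootstrapACLs: true` in the note added below); pick one wording and state it the same way in the annotation reference, the YAML comments and the note, so readers do not wonder whether three different settings are meant. It would also help to say here that overriding the service name with this annotation means the `ServiceAccount` name must follow the override, not the container name.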
@ -241,8 +263,14 @@ spec:
"consul.hashicorp.com/connect-inject": "true" "consul.hashicorp.com/connect-inject": "true"
spec: spec:
containers: containers:
- name: example - name: consul-example
image: "nginx" image: "nginx"
serviceAccountName: consul-example
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: consul-example
``` ```
~> **A common mistake** is to set the annotation on the Deployment or ~> **A common mistake** is to set the annotation on the Deployment or
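Review bot: renaming the container from `example` to `consul-example` changes the Consul service name this example registers (the page says the first container name is the service name), not just the `serviceAccountName`; the commit message only mentions documenting the service account requirement, so either note the rename in the message or keep the container name `example` and name the `ServiceAccount` `example` to match. Either way, check that nothing else on this page still refers to a service called `example`.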
@ -286,6 +314,10 @@ are configured. These client agents must be successfully joined to a Consul
cluster. cluster.
The Consul server cluster can run either in or out of a Kubernetes cluster. The Consul server cluster can run either in or out of a Kubernetes cluster.
~> NOTE: If setting `global.bootstrapACLs: true`, it's important that your Pod's `ServiceAccount`
has the **same name** as the Consul service that's being registered. If not, the init
container will log: `Error logging in: Unexpected response code: 403 (rpc error making call: rpc error making call: Permission denied)`.
### Verifying the Installation ### Verifying the Installation
To verify the installation, run the To verify the installation, run the
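Review bot: the note says "the init container will log" the 403 error but does not tell the reader which init container or how to read its logs; since the init container name is not given on the page, add the `kubectl logs <pod> -c <init-container-name>` form with a placeholder for the name, and say that the fix is to make the `ServiceAccount` name equal the registered service name (the container name or the `connect-service` annotation value). The condition `global.bootstrapACLs: true` is also narrower than the "If ACLs are enabled" used in the YAML comments; if the requirement applies whenever ACLs are enforced on the Consul servers, say so here rather than tying it only to the bootstrap setting.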