mirror of https://github.com/status-im/consul.git
docs: upgrading to tproxy (/docs/upgrades/upgrade-specific) (#10416)
* docs: update tproxy docs Co-authored-by: Blake Covarrubias <blake@covarrubi.as> Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> Co-authored-by: David Yu <dyu@hashicorp.com>
This commit is contained in:
parent
1fea51fbb5
commit
b72ad40286
|
@ -37,6 +37,9 @@ Otherwise, all Connect services can talk to all other services.
|
|||
The Kubernetes integration takes care of registering Kubernetes services with Consul, injecting a sidecar proxy, and
|
||||
enabling traffic redirection.
|
||||
|
||||
## Upgrading to Transparent Proxy
|
||||
|
||||
~> When upgrading from older versions (i.e Consul-k8s < `0.26.0` or Consul-helm < `0.32.0`) to Consul-k8s >= `0.26.0` and Consul-helm >= `0.32.0`, please make sure to follow the upgrade steps [here](/docs/upgrading/upgrade-specific/#transparent-proxy-on-kubernetes).
|
||||
|
||||
## Configuration
|
||||
|
||||
|
@ -112,8 +115,8 @@ Traffic redirection interferes with [Kubernetes HTTP health
|
|||
probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) since the
|
||||
probes expect that kubelet can directly reach the application container on the probe's endpoint, but that traffic will
|
||||
be redirected through the sidecar proxy, causing errors because kubelet itself is not encrypting that traffic using a
|
||||
mesh proxy. For this reason, Consul allows you to overwrite Kubernetes HTTP health probes to point to the proxy instead,
|
||||
to pass that traffic through via the proxy using the Helm value `connectInject.transparentProxy.defaultOverwriteProbes`
|
||||
mesh proxy. For this reason, Consul allows you to (overwrite Kubernetes HTTP health probes)[/docs/k8s/connect/health] to point to the proxy instead.
|
||||
This can be done using the Helm value `connectInject.transparentProxy.defaultOverwriteProbes`
|
||||
or the Pod annotation `consul.hashicorp.com/transparent-proxy-overwrite-probes`.
|
||||
|
||||
### Traffic Redirection Configuration
|
||||
|
|
|
@ -30,8 +30,8 @@ have a license loaded from a configuration file or from their environment the sa
|
|||
agents must have the license specified. Both agents can still perform automatic retrieval of their
|
||||
license but with a few extra stipulations. First, license auto-retrieval now requires that ACLs
|
||||
are on and that the client or snapshot agent is configured with a valid ACL token. Secondly, client
|
||||
agents require that either the [`start_join`](/docs/agent/opts#start_join) or
|
||||
[`retry_join`](/docs/agent/opts#retry_join) configurations are set and that they resolve to server
|
||||
agents require that either the [`start_join`](/docs/agent/options#start_join) or
|
||||
[`retry_join`](/docs/agent/options#retry_join) configurations are set and that they resolve to server
|
||||
agents. If those stipulations are not met, attempting to start the client or snapshot agent will
|
||||
result in it immediately shutting down.
|
||||
|
||||
|
@ -101,6 +101,17 @@ and [after](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c
|
|||
|
||||
1. (Optionally) upgrade Envoy to the latest version supported in Consul 1.10.0.
|
||||
|
||||
### Transparent Proxy on Kubernetes
|
||||
|
||||
When upgrading to Consul >= 1.10.0, Consul-helm >= 0.32.0, and Consul-k8s >= 0.26.0, a Kubernetes Service must be added for every service registered to Consul. This Service should be added before
|
||||
performing the upgrade. This will allow services to be managed by a central component, called `endpoints-controller`, which will enable features like
|
||||
transparent proxy.
|
||||
|
||||
After the upgrade is performed, all Pods of a service will need to be restarted. The service will be up and health
|
||||
checks will continue to work without restarting the service, but a restart is required so the Pods can be re-injected with the latest
|
||||
container configuration.
|
||||
|
||||
|
||||
## Consul 1.9.0
|
||||
|
||||
### Changes to Raft Protocol Support
|
||||
|
|
Loading…
Reference in New Issue