[NET-4122] Doc guidance for federation with externalServers (#18207)

Doc guidance for federation with externalServers

Add guidance for proper configuration when joining to a secondary
cluster using WAN fed with external servers also enabled.

Also clarify federation requirements and fix formatting for an
unrelated value.

Update both the Helm chart reference (synced from `consul-k8s`, see
hashicorp/consul-k8s#2583) and the docs on using `externalServers`.
Michael Zalimeni 2023-07-21 15:31:41 -04:00 committed by GitHub
parent 6671d7ebd7
commit c138f24cfd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 4 deletions

View File

@ -114,6 +114,10 @@ to create policies, tokens, and an auth method. If you are [enabling Consul serv
so that the Consul servers can validate a Kubernetes service account token when using the [Kubernetes auth method](/consul/docs/security/acl/auth-methods/kubernetes) so that the Consul servers can validate a Kubernetes service account token when using the [Kubernetes auth method](/consul/docs/security/acl/auth-methods/kubernetes)
with `consul login`. with `consul login`.
-> **Note:** If `externalServers.k8sAuthMethodHost` is set and you are also using WAN federation
(`global.federation.enabled` is set to `true`), ensure that `global.federation.k8sAuthMethodHost` is set to the same
value as `externalServers.k8sAuthMethodHost`.
<CodeBlockConfig filename="values.yaml"> <CodeBlockConfig filename="values.yaml">
```yaml ```yaml
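Review bot: the added `-> **Note:**` tells the reader to keep `global.federation.k8sAuthMethodHost` and `externalServers.k8sAuthMethodHost` equal but not why, so on a mismatch a reader cannot tell which component will fail; since the preceding sentence already explains that the Consul servers use this host to validate a Kubernetes service account token for the Kubernetes auth method with `consul login`, add one clause tying the two together, e.g. "... set to the same value, since both configure the Kubernetes API server address the Consul servers use to validate service account tokens." Consider also showing both keys side by side in the `values.yaml` block that follows, so the reader sees where each one lives under `global.federation` and `externalServers`.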

View File

@ -484,8 +484,9 @@ Use these links to navigate to a particular top-level stanza.
- `enabled` ((#v-global-federation-enabled)) (`boolean: false`) - If enabled, this datacenter will be federation-capable. Only federation - `enabled` ((#v-global-federation-enabled)) (`boolean: false`) - If enabled, this datacenter will be federation-capable. Only federation
via mesh gateways is supported. via mesh gateways is supported.
Mesh gateways and servers will be configured to allow federation. Mesh gateways and servers will be configured to allow federation.
Requires `global.tls.enabled`, `meshGateway.enabled` and `connectInject.enabled` Requires `global.tls.enabled`, `connectInject.enabled`, and one of
to be true. Requires Consul 1.8+. `meshGateway.enabled` or `externalServers.enabled` to be true.
Requires Consul 1.8+.
- `createFederationSecret` ((#v-global-federation-createfederationsecret)) (`boolean: false`) - If true, the chart will create a Kubernetes secret that can be imported - `createFederationSecret` ((#v-global-federation-createfederationsecret)) (`boolean: false`) - If true, the chart will create a Kubernetes secret that can be imported
into secondary datacenters so they can federate with this datacenter. The into secondary datacenters so they can federate with this datacenter. The
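Review bot: "one of `meshGateway.enabled` or `externalServers.enabled`" is ambiguous about whether both may be set at once, and it sits directly under "Only federation via mesh gateways is supported. Mesh gateways and servers will be configured to allow federation.", so a reader who enables external servers may conclude that mesh gateways are no longer required for federation at all. Write "at least one of" if both are permitted, and add a clause saying what the `externalServers.enabled` alternative means for the mesh gateway requirement in that deployment, so the two sentences do not read as contradicting each other.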
@ -497,8 +498,8 @@ Use these links to navigate to a particular top-level stanza.
- `primaryDatacenter` ((#v-global-federation-primarydatacenter)) (`string: null`) - The name of the primary datacenter. - `primaryDatacenter` ((#v-global-federation-primarydatacenter)) (`string: null`) - The name of the primary datacenter.
- `primaryGateways` ((#v-global-federation-primarygateways)) (`array<string>: []`) - A list of addresses of the primary mesh gateways in the form `<ip>:<port>`. - `primaryGateways` ((#v-global-federation-primarygateways)) (`array<string>: []`) - A list of addresses of the primary mesh gateways in the form `<ip>:<port>`
(e.g. ["1.1.1.1:443", "2.3.4.5:443"] (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`).
- `k8sAuthMethodHost` ((#v-global-federation-k8sauthmethodhost)) (`string: null`) - If you are setting `global.federation.enabled` to true and are in a secondary datacenter, - `k8sAuthMethodHost` ((#v-global-federation-k8sauthmethodhost)) (`string: null`) - If you are setting `global.federation.enabled` to true and are in a secondary datacenter,
set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter.
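Review bot: the example list uses `1.1.1.1` and `2.3.4.5`, which are routable public addresses (1.1.1.1 is a live public resolver), so copy-pasting the example would point a secondary datacenter's primary gateway list at a third party's host; use addresses from the RFC 5737 documentation ranges instead, e.g. `["192.0.2.10:443", "198.51.100.10:443"]`. Wrapping the example in backticks is fine as is.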
@ -507,6 +508,9 @@ Use these links to navigate to a particular top-level stanza.
from the one used by the Consul Service Mesh. from the one used by the Consul Service Mesh.
Please refer to the [Kubernetes Auth Method documentation](/consul/docs/security/acl/auth-methods/kubernetes). Please refer to the [Kubernetes Auth Method documentation](/consul/docs/security/acl/auth-methods/kubernetes).
If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and
`externalServers.k8sAuthMethodHost` should be set to the same value.
You can retrieve this value from your `kubeconfig` by running: You can retrieve this value from your `kubeconfig` by running:
```shell-session ```shell-session
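Review bot: "should be set to the same value" is weaker than the "ensure ... is set to the same value" wording in the `externalServers` doc page in this same change, and the two sentences state the condition from opposite directions (here "If `externalServers.enabled` is set to true", there "If `global.federation.enabled` is set to true"), which makes it easy for them to drift apart in later edits; pick one normative form ("must be set to the same value") and use it in both places, and consider keeping the full explanation in one entry and linking to it from the other.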
@ -1120,6 +1124,9 @@ Use these links to navigate to a particular top-level stanza.
This address must be reachable from the Consul servers. This address must be reachable from the Consul servers.
Please refer to the [Kubernetes Auth Method documentation](/consul/docs/security/acl/auth-methods/kubernetes). Please refer to the [Kubernetes Auth Method documentation](/consul/docs/security/acl/auth-methods/kubernetes).
If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and
`externalServers.k8sAuthMethodHost` should be set to the same value.
You could retrieve this value from your `kubeconfig` by running: You could retrieve this value from your `kubeconfig` by running:
```shell-session ```shell-session
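Review bot: the added sentence repeats the one under `global.federation.k8sAuthMethodHost` almost verbatim with the condition reversed, and the surrounding text already differs in small ways ("You could retrieve" here vs "You can retrieve" there); either cross-reference the other entry or align the wording so both entries evolve together. Separately, because this entry says "This address must be reachable from the Consul servers" and in the `externalServers` case those servers run outside the cluster, it is worth adding that the value pulled from `kubeconfig` is not always the right one (it may be a cluster-local or development-only endpoint), and that whichever externally reachable address is chosen is the one to use in both fields.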