mirror of
https://github.com/status-im/consul.git
synced 2025-01-10 13:55:55 +00:00
docs: destination docs for k8s
This commit is contained in:
parent
31afaa8097
commit
c3326d319a
@ -88,6 +88,58 @@ Registering the external services with Consul is a multi-step process:
|
|||||||
|
|
||||||
### Register external services with Consul
|
### Register external services with Consul
|
||||||
|
|
||||||
|
There are two ways to register an external service with Consul:
|
||||||
|
1. If [`TransparentProxy`](/docs/k8s/helm#v-connectinject-transparentproxy) is enabled, you can declare external endpoints in the [`Destination`](/docs/connect/config-entries/service-defaults#terminating-gateway-destination) field of `service-defaults`.
|
||||||
|
1. You can add the service as a node in the Consul catalog.
|
||||||
|
|
||||||
|
#### Register an external service as a Destination
|
||||||
|
|
||||||
|
`Destination` fields allow clients to dial the external service directly and are valid only in [`TransparentProxy`](/docs/k8s/helm#v-connectinject-transparentproxy) mode.
|
||||||
|
The following table describes traffic behaviors when using `Destination`s to route traffic through a terminating gateway:
|
||||||
|
|
||||||
|
| External Services Layer | Client dials | Client uses TLS | Allowed | Notes |
|
||||||
|
|---|---|---|---|---|
|
||||||
|
| L4 | Hostname | Yes | Allowed | `CAFiles` are not allowed because traffic is already end-to-end encrypted by the client. |
|
||||||
|
| L4 | IP | Yes | Allowed | `CAFiles` are not allowed because traffic is already end-to-end encrypted by the client. |
|
||||||
|
| L4 | Hostname | No | Not allowed | The sidecar is not protocol aware and can not identify traffic going to the external service. |
|
||||||
|
| L4 | IP | No | Allowed | There are no limitations on dialing IPs without TLS. |
|
||||||
|
| L7 | Hostname | Yes | Not allowed | Because traffic is already encrypted before the sidecar, it cannot route as L7 traffic. |
|
||||||
|
| L7 | IP | Yes | Not allowed | Because traffic is already encrypted before the sidecar, it cannot route as L7 traffic. |
|
||||||
|
| L7 | Hostname | No | Allowed | A `Host` or `:authority` header is required. |
|
||||||
|
| L7 | IP | No | Allowed | There are no limitations on dialing IPs without TLS. |
|
||||||
|
|
||||||
|
You can provide a `caFile` to secure traffic between unencrypted clients that connect to external services through the terminating gateway.
|
||||||
|
Refer to [Create the configuration entry for the terminating gateway](/docs/k8s/connect/terminating-gateways#create-the-configuration-entry-for-the-terminating-gateway) for details.
|
||||||
|
|
||||||
|
Create a `service-defaults` custom resource for the external service:
|
||||||
|
|
||||||
|
<CodeBlockConfig filename="service-defaults.yaml">
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: consul.hashicorp.com/v1alpha1
|
||||||
|
kind: ServiceDefaults
|
||||||
|
metadata:
|
||||||
|
name: example-https
|
||||||
|
spec:
|
||||||
|
protocol: tcp
|
||||||
|
destination:
|
||||||
|
addresses:
|
||||||
|
- "example.com"
|
||||||
|
port: 443
|
||||||
|
```
|
||||||
|
|
||||||
|
</CodeBlockConfig>
|
||||||
|
|
||||||
|
Apply the `ServiceDefaults` resource with `kubectl apply`:
|
||||||
|
|
||||||
|
```shell-session
|
||||||
|
$ kubectl apply --filename service-defaults.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
All other terminating gateway operations can use the name of the `service-defaults` in place of a typical Consul service name.
|
||||||
|
|
||||||
|
#### Register an external service as a Catalog Node
|
||||||
|
|
||||||
-> **Note:** Normal Consul services are registered with the Consul client on the node that
|
-> **Note:** Normal Consul services are registered with the Consul client on the node that
|
||||||
they're running on. Since this is an external service, there is no Consul node
|
they're running on. Since this is an external service, there is no Consul node
|
||||||
to register it onto. Instead, we will make up a node name and register the
|
to register it onto. Instead, we will make up a node name and register the
|
||||||
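Review bot: the new table names the parameter `CAFiles` (the two L4 rows with TLS) while the prose below the table and the rest of this page call it `caFile`; use one spelling so readers can search for it, and change "can not" to "cannot" in the L4/Hostname/No row. The `service-defaults.yaml` example (`protocol: tcp`, address `example.com`, port 443) is the L4/Hostname/client-uses-TLS case, which the table says is the only hostname-dialled L4 combination that is allowed, so state beneath the example that a client dialling `example.com:443` without TLS is not allowed because the sidecar cannot identify the traffic, and that `caFile` must not be set for this case since the client already encrypts end to end.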
@ -205,13 +257,12 @@ metadata:
|
|||||||
spec:
|
spec:
|
||||||
services:
|
services:
|
||||||
- name: example-https
|
- name: example-https
|
||||||
caFile: /etc/ssl/certs/ca-certificates.crt
|
|
||||||
```
|
```
|
||||||
|
|
||||||
</CodeBlockConfig>
|
</CodeBlockConfig>
|
||||||
|
|
||||||
If TLS is enabled, you must include the `caFile` parameter that points to the system trust store of the terminating gateway container. By default, the trust store is located in the `/etc/ssl/certs/ca-certificates.crt` directory.
|
-> **NOTE**: If TLS is enabled for external services registered through the Consul catalog, you must include the `caFile` parameter that points to the system trust store of the terminating gateway container.
|
||||||
|
By default, the trust store is located in the `/etc/ssl/certs/ca-certificates.crt` directory.
|
||||||
Configure the `caFile` parameter to point to the `/etc/ssl/cert.pem` directory if TLS is enabled and you are using one of the following components:
|
Configure the `caFile` parameter to point to the `/etc/ssl/cert.pem` directory if TLS is enabled and you are using one of the following components:
|
||||||
* Consul Helm chart 0.43 or older
|
* Consul Helm chart 0.43 or older
|
||||||
* Or an Envoy image with an alpine base image
|
* Or an Envoy image with an alpine base image
|
||||||
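Review bot: the `caFile: /etc/ssl/certs/ca-certificates.crt` line has no counterpart on the new side of this hunk, so it drops out of the example while the NOTE directly below still says `caFile` is required when TLS is enabled; for a service named `example-https` either keep the line in the example or say explicitly that the example shows the non-TLS case. Two smaller points: `/etc/ssl/certs/ca-certificates.crt` and `/etc/ssl/cert.pem` are files, not directories, so "directory" should read "file" in both sentences, and the callout style here (`-> **NOTE**:`) differs from the `-> **Note:**` used in the first hunk. The bullet `* Or an Envoy image with an alpine base image` reads better without the leading "Or", since "one of the following components" already introduces the list as alternatives.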
@ -313,6 +364,18 @@ deployment "static-client" successfully rolled out
|
|||||||
|
|
||||||
You can verify connectivity of the static-client and terminating gateway via a curl command:
|
You can verify connectivity of the static-client and terminating gateway via a curl command:
|
||||||
|
|
||||||
|
<CodeBlockConfig heading="External services registered with the Consul catalog">
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ kubectl exec deploy/static-client -- curl -vvvs --header "Host: example-https.com" http://localhost:1234/
|
$ kubectl exec deploy/static-client -- curl -vvvs --header "Host: example-https.com" http://localhost:1234/
|
||||||
```
|
```
|
||||||
|
|
||||||
|
</CodeBlockConfig>
|
||||||
|
|
||||||
|
<CodeBlockConfig heading="External services registered with `service-defaults` destinations">
|
||||||
|
|
||||||
|
```shell-session
|
||||||
|
$ kubectl exec deploy/static-client -- curl -vvvs https://example.com/
|
||||||
|
```
|
||||||
|
|
||||||
|
</CodeBlockConfig>
|
||||||
|
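Review bot: the second verification command, `curl -vvvs https://example.com/`, only works because transparent proxy intercepts the client's outbound connection, which the first hunk states is a precondition for `Destination`; say so in the heading or in a sentence before the block so a reader who registered the service through the catalog does not expect it to work, and note that in this case the client itself negotiates TLS with `example.com`, so the `-v` output shows the server certificate being verified by the client rather than by the gateway. Also check the hostname in the first command: the `Host: example-https.com` header matches neither the `example-https` service name nor the `example.com` address used elsewhere on the page, and the backticks in `heading="External services registered with `service-defaults` destinations"` may render literally if `CodeBlockConfig` does not process markdown inside that attribute.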