update multicluster docs (#13334)

This commit is contained in:
Kyle Schochenmaier 2022-06-02 11:46:35 -05:00 committed by GitHub
parent 73af9e9737
commit ce44f6f604
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 14 deletions


@ -57,15 +57,19 @@ federated with Consul datacenters running on virtual machines (and vice versa).
Because the communication between clusters is end-to-end encrypted, mesh gateways Because the communication between clusters is end-to-end encrypted, mesh gateways
can even be exposed on the public internet. can even be exposed on the public internet.
The only requirement is that the mesh gateways for each cluster can route to There are three networking requirements:
one another. For example, if using a load balancer service in front of each cluster's 1. When Consul servers in secondary datacenters first start up, they must be able to make calls directly to the
mesh gateway, the load balancer IP must be routable from the other mesh gateway pods. primary datacenter's mesh gateways.
1. Once the Consul servers in secondary datacenters have made that initial call to the primary datacenter's mesh
gateways, the mesh gateways in the secondary datacenter will be able to start. From this point onwards, all
communication between servers will flow first to the local mesh gateways, and then to the remote mesh gateways.
This means all mesh gateways across datacenters must be able to route to one another.
If using a public load balancer, this is guaranteed. If using a private load balancer For example, if using a load balancer service in front of each cluster's mesh gateway pods, the load balancer IP
then you'll need to make sure that its IP is routable from your other clusters. must be routable from the other mesh gateway pods.
If using a public load balancer, this is guaranteed. If using a private load balancer
In addition, if ACLs are enabled, primary clusters must be able to make requests to the Kubernetes API URL of then you'll need to make sure that its IP/DNS address is routable from your other clusters.
secondary clusters. 1. If ACLs are enabled, primary clusters must be able to make requests to the Kubernetes API URLs of secondary clusters.
## Next Steps ## Next Steps
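Review bot: Requirement 1 says the Consul servers in secondary datacenters must reach the primary datacenter's mesh gateways directly, but the load balancer example that follows only states that "the load balancer IP must be routable from the other mesh gateway pods". That leaves the server pods of the secondaries uncovered; suggest extending the example to something like "the load balancer IP/DNS address must be routable from the other clusters' mesh gateway pods and, for the primary datacenter, from the Consul server pods of each secondary datacenter", so a reader with a private load balancer in front of the primary knows which source addresses need a route. The same list also mixes "IP" in the first sentence with "IP/DNS address" in the last; use one form throughout.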


@ -289,14 +289,13 @@ The automatically generated federation secret contains:
## Kubernetes API URL ## Kubernetes API URL
If ACLs are enabled, you must next determine the Kubernetes API URL for the secondary cluster. The API URL of the primary cluster If ACLs are enabled, you must next determine the Kubernetes API URL for each secondary cluster. The API URL of the secondary cluster must be specified in the config files for each secondary cluster because they need
must be specified in the config files for all secondary clusters because secondary clusters need
to create global Consul ACL tokens (tokens that are valid in all datacenters) and these tokens can only be created to create global Consul ACL tokens (tokens that are valid in all datacenters) and these tokens can only be created
by the primary datacenter. By setting the API URL, the secondary cluster will configure a [Consul auth method](/docs/security/acl/auth-methods) by the primary datacenter. By setting the API URL, the secondary cluster will configure a [Consul auth method](/docs/security/acl/auth-methods)
in the primary cluster so that components in the secondary cluster can use their Kubernetes ServiceAccount tokens in the primary cluster so that components in the secondary cluster can use their Kubernetes ServiceAccount tokens
to retrieve global Consul ACL tokens from the primary. to retrieve global Consul ACL tokens from the primary.
To determine the Kubernetes API URL, first get the cluster name in your kubeconfig: To determine the Kubernetes API URL, first get the cluster name in your kubeconfig for your secondary:
```shell-session ```shell-session
$ export CLUSTER=$(kubectl config view -o jsonpath="{.contexts[?(@.name == \"$(kubectl config current-context)\")].context.cluster}") $ export CLUSTER=$(kubectl config view -o jsonpath="{.contexts[?(@.name == \"$(kubectl config current-context)\")].context.cluster}")
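Review bot: The new wording correctly switches the URL to the secondary cluster's API, but the paragraph should also say who calls it. Since the auth method is configured in the primary cluster and, per the networking requirements, the primary must be able to make requests to the secondary clusters' Kubernetes API URLs, the address read from the secondary's kubeconfig has to be one the primary cluster can reach, not merely the one that works from the operator's workstation; one sentence such as "This URL must be reachable from the primary cluster" after the `export CLUSTER=` step would prevent a common misconfiguration where the kubeconfig points at an internal or cluster-local endpoint.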
@ -352,7 +351,7 @@ global:
federation: federation:
enabled: true enabled: true
k8sAuthMethodHost: <kubernetes-api-url> k8sAuthMethodHost: <kubernetes-api-url-of-secondary>
primaryDatacenter: dc1 primaryDatacenter: dc1
gossipEncryption: gossipEncryption:
secretName: consul-federation secretName: consul-federation
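Review bot: The renamed placeholder `<kubernetes-api-url-of-secondary>` is an improvement, but the Modifications list later requires the full URL including `https://`; consider making the placeholder carry that, e.g. `k8sAuthMethodHost: https://<kubernetes-api-url-of-secondary>`, so readers who copy the YAML without reading the list do not drop the scheme.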
@ -380,8 +379,7 @@ server:
Modifications: Modifications:
1. If ACLs are enabled, change the value of `global.federation.k8sAuthMethodHost` to the full URL (including `https://`) of this cluster's 1. If ACLs are enabled, change the value of `global.federation.k8sAuthMethodHost` to the full URL (including `https://`) of the secondary cluster's Kubernetes API.
Kubernetes API.
1. `global.federation.primaryDatacenter` must be set to the name of the primary datacenter. 1. `global.federation.primaryDatacenter` must be set to the name of the primary datacenter.
1. The Consul datacenter name for the datacenter in this example is `dc2`. The datacenter name in **each** federated cluster **must be unique**. 1. The Consul datacenter name for the datacenter in this example is `dc2`. The datacenter name in **each** federated cluster **must be unique**.
1. ACLs are enabled in the above config file. They can be disabled by removing 1. ACLs are enabled in the above config file. They can be disabled by removing
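Review bot: In item 1, "the secondary cluster's Kubernetes API" is ambiguous once more than one secondary datacenter exists, because this config file belongs to exactly one of them (the `dc2` example); suggest "this secondary cluster's Kubernetes API" so it is clear the value is per-secondary and not a single shared URL. The rest of the list is unchanged and reads fine.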