mirror of https://github.com/status-im/consul.git
Update consul-helm enterprise docs for ACLs
If ACLs are added then slightly different commands are needed.
This commit is contained in:
parent
2a0d9ff882
commit
dcf922858a
|
@ -9,22 +9,22 @@ description: |-
|
|||
# Consul DNS on Kubernetes
|
||||
|
||||
One of the primary query interfaces to Consul is the
|
||||
[DNS interface](/docs/agent/dns.html). Consul DNS can be configured in
|
||||
[DNS interface](/docs/agent/dns.html). You can configure Consul DNS in
|
||||
Kubernetes using a
|
||||
[stub-domain configuration](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers)
|
||||
if using KubeDNS or a [proxy configuration](https://coredns.io/plugins/proxy/) if using CoreDNS.
|
||||
|
||||
Once configured, DNS requests in the form `{consul-service-name}.service.consul` will
|
||||
resolve for services in Consul. This will work from all namespaces.
|
||||
Once configured, DNS requests in the form `<consul-service-name>.service.consul` will
|
||||
resolve for services in Consul. This will work from all Kubernetes namespaces.
|
||||
|
||||
-> **Note:** If you want requests to just `{consul-service-name}` (without the `.service.consul`) to resolve, then you'll need
|
||||
-> **Note:** If you want requests to just `<consul-service-name>` (without the `.service.consul`) to resolve, then you'll need
|
||||
to turn on [Consul to Kubernetes Service Sync](/docs/platform/k8s/service-sync.html#consul-to-kubernetes).
|
||||
|
||||
## Consul DNS Cluster IP
|
||||
For configuring KubeDNS or CoreDNS you'll first need the `ClusterIP` of the Consul
|
||||
To configure KubeDNS or CoreDNS you'll first need the `ClusterIP` of the Consul
|
||||
DNS service created by the [Helm chart](/docs/platform/k8s/helm.html).
|
||||
|
||||
The name of the Consul DNS service will be `consul-consul-dns`. Use
|
||||
The default name of the Consul DNS service will be `consul-consul-dns`. Use
|
||||
that name to get the `ClusterIP`:
|
||||
|
||||
```bash
|
||||
|
@ -32,11 +32,11 @@ $ kubectl get svc consul-consul-dns -o jsonpath='{.spec.clusterIP}'
|
|||
10.35.240.78%
|
||||
```
|
||||
|
||||
-> *Note:* If you've installed Consul using a different helm release name than `consul`
|
||||
then the DNS service name will be `{release-name}-consul-dns`.
|
||||
|
||||
For this installation the `ClusterIP` is `10.35.240.78`.
|
||||
|
||||
-> **Note:** If you've installed Consul using a different helm release name than `consul`
|
||||
then the DNS service name will be `<release-name>-consul-dns`.
|
||||
|
||||
## KubeDNS
|
||||
If using KubeDNS, you need to create a `ConfigMap` that tells KubeDNS
|
||||
to use the Consul DNS service to resolve all domains ending with `.consul`:
|
||||
|
|
|
@ -414,8 +414,6 @@ You can also use this Helm chart to deploy Consul Enterprise by following a few
|
|||
|
||||
Find the license file that you received in your welcome email. It should have the extension `.hclic`. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart.
|
||||
|
||||
-> **Note:** If you cannot find your `.hclic` file, please contact your sales team or Technical Account Manager.
|
||||
|
||||
You can use the following commands to create the secret:
|
||||
|
||||
```bash
|
||||
|
@ -423,6 +421,8 @@ secret=$(cat 1931d1f4-bdfd-6881-f3f5-19349374841f.hclic)
|
|||
kubectl create secret generic consul-ent-license --from-literal="key=${secret}"
|
||||
```
|
||||
|
||||
-> **Note:** If you cannot find your `.hclic` file, please contact your sales team or Technical Account Manager.
|
||||
|
||||
In your `values.yaml`, change the value of `global.image` to one of the enterprise [release tags](https://hub.docker.com/r/hashicorp/consul-enterprise/tags).
|
||||
|
||||
```yaml
|
||||
|
@ -439,17 +439,25 @@ server:
|
|||
secretKey: "key"
|
||||
```
|
||||
|
||||
Add the `--wait` option to your `helm install` command. This will force Helm to wait for all the pods
|
||||
to become ready before it applies the license to your Consul cluster.
|
||||
Now run `helm install`:
|
||||
|
||||
```bash
|
||||
$ helm install --wait --name consul -f ./values.yaml ./consul-helm
|
||||
```
|
||||
|
||||
Once the cluster is up, you can verify the nodes are running Consul Enterprise.
|
||||
Once the cluster is up, you can verify the nodes are running Consul Enterprise by
|
||||
using the `consul license get` command.
|
||||
|
||||
First, forward your local port 8500 to the Consul servers so you can run `consul`
|
||||
commands locally against the Consul servers in Kubernetes:
|
||||
|
||||
```bash
|
||||
$ kubectl port-forward service/consul-consul-server -n default 8500
|
||||
```
|
||||
|
||||
In a separate tab, run the `consul license get` command (if using ACLs see below):
|
||||
|
||||
```bash
|
||||
$ kubectl port-forward service/consul-consul-server 8500 &
|
||||
$ consul license get
|
||||
License is valid
|
||||
License ID: 1931d1f4-bdfd-6881-f3f5-19349374841f
|
||||
|
@ -471,9 +479,42 @@ consul-consul-server-1 10.60.1.229:8301 alive server 1.4
|
|||
consul-consul-server-2 10.60.2.197:8301 alive server 1.4.3+ent 2 dc1 <all>
|
||||
```
|
||||
|
||||
If you get an error:
|
||||
|
||||
```bash
|
||||
Error getting license: invalid character 'r' looking for beginning of value
|
||||
```
|
||||
|
||||
Then you have likely enabled ACLs. You need to specify your ACL token when
|
||||
running the `license get` command. First, get the ACL token:
|
||||
|
||||
```bash
|
||||
$ kubectl get secrets/consul-consul-bootstrap-acl-token --template={{.data.token}} | base64 -D
|
||||
4dae8373-b4d7-8009-9880-a796850caef9%
|
||||
```
|
||||
|
||||
Now use the token when running the `license get` command:
|
||||
|
||||
```bash
|
||||
$ consul license get -token=4dae8373-b4d7-8009-9880-a796850caef9
|
||||
License is valid
|
||||
License ID: 1931d1f4-bdfd-6881-f3f5-19349374841f
|
||||
Customer ID: b2025a4a-8fdd-f268-95ce-1704723b9996
|
||||
Expires At: 2020-03-09 03:59:59.999 +0000 UTC
|
||||
Datacenter: *
|
||||
Package: premium
|
||||
Licensed Features:
|
||||
Automated Backups
|
||||
Automated Upgrades
|
||||
Enhanced Read Scalability
|
||||
Network Segments
|
||||
Redundancy Zone
|
||||
Advanced Network Federation
|
||||
```
|
||||
|
||||
## Helm Chart Examples
|
||||
|
||||
The below `values.yaml` can be used to set up a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API.
|
||||
The below `values.yaml` results in a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API.
|
||||
|
||||
```yaml
|
||||
global:
|
||||
|
@ -488,7 +529,7 @@ ui:
|
|||
type: LoadBalancer
|
||||
```
|
||||
|
||||
The below `values.yaml` can be used to set up a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection for annotated pods in the "my-app" namespace.
|
||||
The below `values.yaml` results in a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection for annotated pods in the "my-app" namespace.
|
||||
|
||||
Note, this would require a secret that contains the enterprise license key.
|
||||
|
||||
|
|
|
@ -75,12 +75,6 @@ syncCatalog:
|
|||
See the [Helm configuration](/docs/platform/k8s/helm.html#v-synccatalog)
|
||||
for more information.
|
||||
|
||||
-> **Before installing,** please read the introduction paragraphs for the
|
||||
reference documentation below for both
|
||||
[Kubernetes to Consul](/docs/platform/k8s/service-sync.html#kubernetes-to-consul) and
|
||||
[Consul to Kubernetes](/docs/platform/k8s/service-sync.html#consul-to-kubernetes)
|
||||
sync to understand how the syncing works.
|
||||
|
||||
### Authentication
|
||||
|
||||
The sync process must authenticate to both Kubernetes and Consul to read
|
||||
|
@ -261,8 +255,8 @@ metadata:
|
|||
## Consul to Kubernetes
|
||||
|
||||
This syncs Consul services into first-class Kubernetes services.
|
||||
An [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname)
|
||||
`Service` is created for each Consul service. The "external name" will be
|
||||
The sync service will creat an [`ExternalName`](https://kubernetes.io/docs/concepts/services-networking/service/#externalname)
|
||||
`Service` for each Consul service. The "external name" will be
|
||||
the Consul DNS name.
|
||||
|
||||
For example, given a Consul service `foo`, a Kubernetes Service will be created
|
||||
|
@ -279,14 +273,14 @@ spec:
|
|||
type: ExternalName
|
||||
```
|
||||
|
||||
With Consul To Kubernetes syncing enabled, DNS requests of the form `{consul-service-name}`
|
||||
will be serviced by Consul DNS. From a different namespace than where Consul
|
||||
is deployed, the DNS request would need to be `{consul-service-name}.{consul-namespace}`.
|
||||
With Consul To Kubernetes syncing enabled, DNS requests of the form `<consul-service-name>`
|
||||
will be serviced by Consul DNS. From a different Kubernetes namespace than where Consul
|
||||
is deployed, the DNS request would need to be `<consul-service-name>.<consul-namespace>`.
|
||||
|
||||
-> **Note:** Consul to Kubernetes syncing **isn't required** if you've enabled [Consul DNS on Kubernetes](/docs/platform/k8s/dns.html)
|
||||
*and* all you need to do is address services in the form `{consul-service-name}.service.consul`, i.e. you don't need Kubernetes `Service` objects created.
|
||||
*and* all you need to do is address services in the form `<consul-service-name>.service.consul`, i.e. you don't need Kubernetes `Service` objects created.
|
||||
|
||||
-> **Requires Consul DNS via CoreDNS in Kubernetes:** This feature requires that
|
||||
~> **Requires Consul DNS via CoreDNS in Kubernetes:** This feature requires that
|
||||
[Consul DNS](/docs/platform/k8s/dns.html) is configured within Kubernetes.
|
||||
Additionally, **[CoreDNS](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#config-coredns)
|
||||
is required (instead of kube-dns)** to resolve an
|
||||
|
|
Loading…
Reference in New Issue