Update consul-helm enterprise docs for ACLs

If ACLs are added then slightly different commands are needed.
This commit is contained in:
Luke Kysow 2019-09-06 11:34:11 +02:00
parent 2a0d9ff882
commit dcf922858a
No known key found for this signature in database
GPG Key ID: FA168D4DC3F04307
3 changed files with 65 additions and 30 deletions

View File

@ -9,22 +9,22 @@ description: |-
# Consul DNS on Kubernetes # Consul DNS on Kubernetes
One of the primary query interfaces to Consul is the One of the primary query interfaces to Consul is the
[DNS interface](/docs/agent/dns.html). Consul DNS can be configured in [DNS interface](/docs/agent/dns.html). You can configure Consul DNS in
Kubernetes using a Kubernetes using a
[stub-domain configuration](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers) [stub-domain configuration](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers)
if using KubeDNS or a [proxy configuration](https://coredns.io/plugins/proxy/) if using CoreDNS. if using KubeDNS or a [proxy configuration](https://coredns.io/plugins/proxy/) if using CoreDNS.
Once configured, DNS requests in the form `{consul-service-name}.service.consul` will Once configured, DNS requests in the form `<consul-service-name>.service.consul` will
resolve for services in Consul. This will work from all namespaces. resolve for services in Consul. This will work from all Kubernetes namespaces.
-> **Note:** If you want requests to just `{consul-service-name}` (without the `.service.consul`) to resolve, then you'll need -> **Note:** If you want requests to just `<consul-service-name>` (without the `.service.consul`) to resolve, then you'll need
to turn on [Consul to Kubernetes Service Sync](/docs/platform/k8s/service-sync.html#consul-to-kubernetes). to turn on [Consul to Kubernetes Service Sync](/docs/platform/k8s/service-sync.html#consul-to-kubernetes).
## Consul DNS Cluster IP ## Consul DNS Cluster IP
For configuring KubeDNS or CoreDNS you'll first need the `ClusterIP` of the Consul To configure KubeDNS or CoreDNS you'll first need the `ClusterIP` of the Consul
DNS service created by the [Helm chart](/docs/platform/k8s/helm.html). DNS service created by the [Helm chart](/docs/platform/k8s/helm.html).
The name of the Consul DNS service will be `consul-consul-dns`. Use The default name of the Consul DNS service will be `consul-consul-dns`. Use
that name to get the `ClusterIP`: that name to get the `ClusterIP`:
```bash ```bash
@ -32,11 +32,11 @@ $ kubectl get svc consul-consul-dns -o jsonpath='{.spec.clusterIP}'
10.35.240.78% 10.35.240.78%
``` ```
-> *Note:* If you've installed Consul using a different helm release name than `consul`
then the DNS service name will be `{release-name}-consul-dns`.
For this installation the `ClusterIP` is `10.35.240.78`. For this installation the `ClusterIP` is `10.35.240.78`.
-> **Note:** If you've installed Consul using a different helm release name than `consul`
then the DNS service name will be `<release-name>-consul-dns`.
## KubeDNS ## KubeDNS
If using KubeDNS, you need to create a `ConfigMap` that tells KubeDNS If using KubeDNS, you need to create a `ConfigMap` that tells KubeDNS
to use the Consul DNS service to resolve all domains ending with `.consul`: to use the Consul DNS service to resolve all domains ending with `.consul`:

View File

@ -414,8 +414,6 @@ You can also use this Helm chart to deploy Consul Enterprise by following a few
Find the license file that you received in your welcome email. It should have the extension `.hclic`. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart. Find the license file that you received in your welcome email. It should have the extension `.hclic`. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart.
-> **Note:** If you cannot find your `.hclic` file, please contact your sales team or Technical Account Manager.
You can use the following commands to create the secret: You can use the following commands to create the secret:
```bash ```bash
@ -423,6 +421,8 @@ secret=$(cat 1931d1f4-bdfd-6881-f3f5-19349374841f.hclic)
kubectl create secret generic consul-ent-license --from-literal="key=${secret}" kubectl create secret generic consul-ent-license --from-literal="key=${secret}"
``` ```
-> **Note:** If you cannot find your `.hclic` file, please contact your sales team or Technical Account Manager.
In your `values.yaml`, change the value of `global.image` to one of the enterprise [release tags](https://hub.docker.com/r/hashicorp/consul-enterprise/tags). In your `values.yaml`, change the value of `global.image` to one of the enterprise [release tags](https://hub.docker.com/r/hashicorp/consul-enterprise/tags).
```yaml ```yaml
@ -439,17 +439,25 @@ server:
secretKey: "key" secretKey: "key"
``` ```
Add the `--wait` option to your `helm install` command. This will force Helm to wait for all the pods Now run `helm install`:
to become ready before it applies the license to your Consul cluster.
```bash ```bash
$ helm install --wait --name consul -f ./values.yaml ./consul-helm $ helm install --wait --name consul -f ./values.yaml ./consul-helm
``` ```
Once the cluster is up, you can verify the nodes are running Consul Enterprise. Once the cluster is up, you can verify the nodes are running Consul Enterprise by
using the `consul license get` command.
First, forward your local port 8500 to the Consul servers so you can run `consul`
commands locally against the Consul servers in Kubernetes:
```bash
$ kubectl port-forward service/consul-consul-server -n default 8500
```
In a separate tab, run the `consul license get` command (if using ACLs see below):
```bash ```bash
$ kubectl port-forward service/consul-consul-server 8500 &
$ consul license get $ consul license get
License is valid License is valid
License ID: 1931d1f4-bdfd-6881-f3f5-19349374841f License ID: 1931d1f4-bdfd-6881-f3f5-19349374841f
@ -471,9 +479,42 @@ consul-consul-server-1 10.60.1.229:8301 alive server 1.4
consul-consul-server-2 10.60.2.197:8301 alive server 1.4.3+ent 2 dc1 <all> consul-consul-server-2 10.60.2.197:8301 alive server 1.4.3+ent 2 dc1 <all>
``` ```
If you get an error:
```bash
Error getting license: invalid character 'r' looking for beginning of value
```
Then you have likely enabled ACLs. You need to specify your ACL token when
running the `license get` command. First, get the ACL token:
```bash
$ kubectl get secrets/consul-consul-bootstrap-acl-token --template={{.data.token}} | base64 -D
4dae8373-b4d7-8009-9880-a796850caef9%
```
Now use the token when running the `license get` command:
```bash
$ consul license get -token=4dae8373-b4d7-8009-9880-a796850caef9
License is valid
License ID: 1931d1f4-bdfd-6881-f3f5-19349374841f
Customer ID: b2025a4a-8fdd-f268-95ce-1704723b9996
Expires At: 2020-03-09 03:59:59.999 +0000 UTC
Datacenter: *
Package: premium
Licensed Features:
Automated Backups
Automated Upgrades
Enhanced Read Scalability
Network Segments
Redundancy Zone
Advanced Network Federation
```
## Helm Chart Examples ## Helm Chart Examples
The below `values.yaml` can be used to set up a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API. The below `values.yaml` results in a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API.
```yaml ```yaml
global: global:
@ -488,7 +529,7 @@ ui:
type: LoadBalancer type: LoadBalancer
``` ```
The below `values.yaml` can be used to set up a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection for annotated pods in the "my-app" namespace. The below `values.yaml` results in a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection for annotated pods in the "my-app" namespace.
Note, this would require a secret that contains the enterprise license key. Note, this would require a secret that contains the enterprise license key.

View File

@ -75,12 +75,6 @@ syncCatalog:
See the [Helm configuration](/docs/platform/k8s/helm.html#v-synccatalog) See the [Helm configuration](/docs/platform/k8s/helm.html#v-synccatalog)
for more information. for more information.
-> **Before installing,** please read the introduction paragraphs for the
reference documentation below for both
[Kubernetes to Consul](/docs/platform/k8s/service-sync.html#kubernetes-to-consul) and
[Consul to Kubernetes](/docs/platform/k8s/service-sync.html#consul-to-kubernetes)
sync to understand how the syncing works.
### Authentication ### Authentication
The sync process must authenticate to both Kubernetes and Consul to read The sync process must authenticate to both Kubernetes and Consul to read
@ -261,8 +255,8 @@ metadata:
## Consul to Kubernetes ## Consul to Kubernetes
This syncs Consul services into first-class Kubernetes services. This syncs Consul services into first-class Kubernetes services.
An [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) The sync service will creat an [`ExternalName`](https://kubernetes.io/docs/concepts/services-networking/service/#externalname)
`Service` is created for each Consul service. The "external name" will be `Service` for each Consul service. The "external name" will be
the Consul DNS name. the Consul DNS name.
For example, given a Consul service `foo`, a Kubernetes Service will be created For example, given a Consul service `foo`, a Kubernetes Service will be created
@ -279,14 +273,14 @@ spec:
type: ExternalName type: ExternalName
``` ```
With Consul To Kubernetes syncing enabled, DNS requests of the form `{consul-service-name}` With Consul To Kubernetes syncing enabled, DNS requests of the form `<consul-service-name>`
will be serviced by Consul DNS. From a different namespace than where Consul will be serviced by Consul DNS. From a different Kubernetes namespace than where Consul
is deployed, the DNS request would need to be `{consul-service-name}.{consul-namespace}`. is deployed, the DNS request would need to be `<consul-service-name>.<consul-namespace>`.
-> **Note:** Consul to Kubernetes syncing **isn't required** if you've enabled [Consul DNS on Kubernetes](/docs/platform/k8s/dns.html) -> **Note:** Consul to Kubernetes syncing **isn't required** if you've enabled [Consul DNS on Kubernetes](/docs/platform/k8s/dns.html)
*and* all you need to do is address services in the form `{consul-service-name}.service.consul`, i.e. you don't need Kubernetes `Service` objects created. *and* all you need to do is address services in the form `<consul-service-name>.service.consul`, i.e. you don't need Kubernetes `Service` objects created.
-> **Requires Consul DNS via CoreDNS in Kubernetes:** This feature requires that ~> **Requires Consul DNS via CoreDNS in Kubernetes:** This feature requires that
[Consul DNS](/docs/platform/k8s/dns.html) is configured within Kubernetes. [Consul DNS](/docs/platform/k8s/dns.html) is configured within Kubernetes.
Additionally, **[CoreDNS](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#config-coredns) Additionally, **[CoreDNS](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#config-coredns)
is required (instead of kube-dns)** to resolve an is required (instead of kube-dns)** to resolve an