mirror of https://github.com/status-im/consul.git
Update consul-helm enterprise docs for ACLs
If ACLs are added then slightly different commands are needed.
This commit is contained in:
parent
2a0d9ff882
commit
dcf922858a
|
@ -9,22 +9,22 @@ description: |-
|
||||||
# Consul DNS on Kubernetes
|
# Consul DNS on Kubernetes
|
||||||
|
|
||||||
One of the primary query interfaces to Consul is the
|
One of the primary query interfaces to Consul is the
|
||||||
[DNS interface](/docs/agent/dns.html). Consul DNS can be configured in
|
[DNS interface](/docs/agent/dns.html). You can configure Consul DNS in
|
||||||
Kubernetes using a
|
Kubernetes using a
|
||||||
[stub-domain configuration](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers)
|
[stub-domain configuration](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers)
|
||||||
if using KubeDNS or a [proxy configuration](https://coredns.io/plugins/proxy/) if using CoreDNS.
|
if using KubeDNS or a [proxy configuration](https://coredns.io/plugins/proxy/) if using CoreDNS.
|
||||||
|
|
||||||
Once configured, DNS requests in the form `{consul-service-name}.service.consul` will
|
Once configured, DNS requests in the form `<consul-service-name>.service.consul` will
|
||||||
resolve for services in Consul. This will work from all namespaces.
|
resolve for services in Consul. This will work from all Kubernetes namespaces.
|
||||||
|
|
||||||
-> **Note:** If you want requests to just `{consul-service-name}` (without the `.service.consul`) to resolve, then you'll need
|
-> **Note:** If you want requests to just `<consul-service-name>` (without the `.service.consul`) to resolve, then you'll need
|
||||||
to turn on [Consul to Kubernetes Service Sync](/docs/platform/k8s/service-sync.html#consul-to-kubernetes).
|
to turn on [Consul to Kubernetes Service Sync](/docs/platform/k8s/service-sync.html#consul-to-kubernetes).
|
||||||
|
|
||||||
## Consul DNS Cluster IP
|
## Consul DNS Cluster IP
|
||||||
For configuring KubeDNS or CoreDNS you'll first need the `ClusterIP` of the Consul
|
To configure KubeDNS or CoreDNS you'll first need the `ClusterIP` of the Consul
|
||||||
DNS service created by the [Helm chart](/docs/platform/k8s/helm.html).
|
DNS service created by the [Helm chart](/docs/platform/k8s/helm.html).
|
||||||
|
|
||||||
The name of the Consul DNS service will be `consul-consul-dns`. Use
|
The default name of the Consul DNS service will be `consul-consul-dns`. Use
|
||||||
that name to get the `ClusterIP`:
|
that name to get the `ClusterIP`:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -32,11 +32,11 @@ $ kubectl get svc consul-consul-dns -o jsonpath='{.spec.clusterIP}'
|
||||||
10.35.240.78%
|
10.35.240.78%
|
||||||
```
|
```
|
||||||
|
|
||||||
-> *Note:* If you've installed Consul using a different helm release name than `consul`
|
|
||||||
then the DNS service name will be `{release-name}-consul-dns`.
|
|
||||||
|
|
||||||
For this installation the `ClusterIP` is `10.35.240.78`.
|
For this installation the `ClusterIP` is `10.35.240.78`.
|
||||||
|
|
||||||
|
-> **Note:** If you've installed Consul using a different helm release name than `consul`
|
||||||
|
then the DNS service name will be `<release-name>-consul-dns`.
|
||||||
|
|
||||||
## KubeDNS
|
## KubeDNS
|
||||||
If using KubeDNS, you need to create a `ConfigMap` that tells KubeDNS
|
If using KubeDNS, you need to create a `ConfigMap` that tells KubeDNS
|
||||||
to use the Consul DNS service to resolve all domains ending with `.consul`:
|
to use the Consul DNS service to resolve all domains ending with `.consul`:
|
||||||
|
|
|
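Review bot: the `%` after `10.35.240.78` in the sample output is the shell's missing-trailing-newline marker (zsh prints it when a command's output does not end in a newline, which `-o jsonpath='{.spec.clusterIP}'` does not), not part of the `ClusterIP`; either drop it from the sample or append `{"\n"}` to the jsonpath expression so the example copies cleanly. The relocated note itself reads better here: `**Note:**` now matches the other callouts and `<release-name>` matches the placeholder style used in the rest of the page.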
@ -414,8 +414,6 @@ You can also use this Helm chart to deploy Consul Enterprise by following a few
|
||||||
|
|
||||||
Find the license file that you received in your welcome email. It should have the extension `.hclic`. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart.
|
Find the license file that you received in your welcome email. It should have the extension `.hclic`. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart.
|
||||||
|
|
||||||
-> **Note:** If you cannot find your `.hclic` file, please contact your sales team or Technical Account Manager.
|
|
||||||
|
|
||||||
You can use the following commands to create the secret:
|
You can use the following commands to create the secret:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -423,6 +421,8 @@ secret=$(cat 1931d1f4-bdfd-6881-f3f5-19349374841f.hclic)
|
||||||
kubectl create secret generic consul-ent-license --from-literal="key=${secret}"
|
kubectl create secret generic consul-ent-license --from-literal="key=${secret}"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
-> **Note:** If you cannot find your `.hclic` file, please contact your sales team or Technical Account Manager.
|
||||||
|
|
||||||
In your `values.yaml`, change the value of `global.image` to one of the enterprise [release tags](https://hub.docker.com/r/hashicorp/consul-enterprise/tags).
|
In your `values.yaml`, change the value of `global.image` to one of the enterprise [release tags](https://hub.docker.com/r/hashicorp/consul-enterprise/tags).
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
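Review bot: `kubectl create secret generic consul-ent-license --from-literal="key=${secret}"` passes the license contents on the command line, so it lands in shell history and is visible in the process list while the command runs; `kubectl create secret generic consul-ent-license --from-file=key=1931d1f4-bdfd-6881-f3f5-19349374841f.hclic` produces the same `key` entry without the intermediate variable or the `cat`. Moving the `.hclic` note below the commands is fine.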
@ -439,17 +439,25 @@ server:
|
||||||
secretKey: "key"
|
secretKey: "key"
|
||||||
```
|
```
|
||||||
|
|
||||||
Add the `--wait` option to your `helm install` command. This will force Helm to wait for all the pods
|
Now run `helm install`:
|
||||||
to become ready before it applies the license to your Consul cluster.
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ helm install --wait --name consul -f ./values.yaml ./consul-helm
|
$ helm install --wait --name consul -f ./values.yaml ./consul-helm
|
||||||
```
|
```
|
||||||
|
|
||||||
Once the cluster is up, you can verify the nodes are running Consul Enterprise.
|
Once the cluster is up, you can verify the nodes are running Consul Enterprise by
|
||||||
|
using the `consul license get` command.
|
||||||
|
|
||||||
|
First, forward your local port 8500 to the Consul servers so you can run `consul`
|
||||||
|
commands locally against the Consul servers in Kubernetes:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ kubectl port-forward service/consul-consul-server -n default 8500
|
||||||
|
```
|
||||||
|
|
||||||
|
In a separate tab, run the `consul license get` command (if using ACLs see below):
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ kubectl port-forward service/consul-consul-server 8500 &
|
|
||||||
$ consul license get
|
$ consul license get
|
||||||
License is valid
|
License is valid
|
||||||
License ID: 1931d1f4-bdfd-6881-f3f5-19349374841f
|
License ID: 1931d1f4-bdfd-6881-f3f5-19349374841f
|
||||||
|
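Review bot: the explanation of why `--wait` is needed (Helm waits for all pods to become ready before the license is applied) is removed, but `helm install --wait --name consul -f ./values.yaml ./consul-helm` still carries the flag, so readers no longer learn that omitting it can leave the license unapplied; keep at least one sentence, e.g. "Include `--wait` so Helm waits for the pods to become ready before applying the license." Also, `kubectl port-forward service/consul-consul-server -n default 8500` hardcodes both the `consul` release name and the `default` namespace; since the page already notes that a different release name changes service names, say the same here or write `<release-name>-consul-server`.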
@ -471,9 +479,42 @@ consul-consul-server-1 10.60.1.229:8301 alive server 1.4
|
||||||
consul-consul-server-2 10.60.2.197:8301 alive server 1.4.3+ent 2 dc1 <all>
|
consul-consul-server-2 10.60.2.197:8301 alive server 1.4.3+ent 2 dc1 <all>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
If you get an error:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
Error getting license: invalid character 'r' looking for beginning of value
|
||||||
|
```
|
||||||
|
|
||||||
|
Then you have likely enabled ACLs. You need to specify your ACL token when
|
||||||
|
running the `license get` command. First, get the ACL token:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ kubectl get secrets/consul-consul-bootstrap-acl-token --template={{.data.token}} | base64 -D
|
||||||
|
4dae8373-b4d7-8009-9880-a796850caef9%
|
||||||
|
```
|
||||||
|
|
||||||
|
Now use the token when running the `license get` command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ consul license get -token=4dae8373-b4d7-8009-9880-a796850caef9
|
||||||
|
License is valid
|
||||||
|
License ID: 1931d1f4-bdfd-6881-f3f5-19349374841f
|
||||||
|
Customer ID: b2025a4a-8fdd-f268-95ce-1704723b9996
|
||||||
|
Expires At: 2020-03-09 03:59:59.999 +0000 UTC
|
||||||
|
Datacenter: *
|
||||||
|
Package: premium
|
||||||
|
Licensed Features:
|
||||||
|
Automated Backups
|
||||||
|
Automated Upgrades
|
||||||
|
Enhanced Read Scalability
|
||||||
|
Network Segments
|
||||||
|
Redundancy Zone
|
||||||
|
Advanced Network Federation
|
||||||
|
```
|
||||||
|
|
||||||
## Helm Chart Examples
|
## Helm Chart Examples
|
||||||
|
|
||||||
The below `values.yaml` can be used to set up a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API.
|
The below `values.yaml` results in a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API.
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
global:
|
global:
|
||||||
|
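Review bot: `base64 -D` (uppercase) is macOS-specific; GNU coreutils `base64` rejects it, so use `base64 -d`, which both accept. In the same command, quote the template (`--template='{{.data.token}}'`) so the braces cannot be interpreted by the shell, and drop the `%` after `4dae8373-b4d7-8009-9880-a796850caef9`, which is zsh's missing-newline marker rather than part of the token. For the follow-up command, `consul license get -token=...` puts the bootstrap (global-management) token into shell history and the process list; exporting it as `CONSUL_HTTP_TOKEN` for the session, which the `consul` CLI already honours, avoids that, and the same applies to any other `consul` commands the reader runs against the port-forward.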
@ -488,7 +529,7 @@ ui:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
```
|
```
|
||||||
|
|
||||||
The below `values.yaml` can be used to set up a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection for annotated pods in the "my-app" namespace.
|
The below `values.yaml` results in a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection for annotated pods in the "my-app" namespace.
|
||||||
|
|
||||||
Note, this would require a secret that contains the enterprise license key.
|
Note, this would require a secret that contains the enterprise license key.
|
||||||
|
|
||||||
|
|
|
@ -75,12 +75,6 @@ syncCatalog:
|
||||||
See the [Helm configuration](/docs/platform/k8s/helm.html#v-synccatalog)
|
See the [Helm configuration](/docs/platform/k8s/helm.html#v-synccatalog)
|
||||||
for more information.
|
for more information.
|
||||||
|
|
||||||
-> **Before installing,** please read the introduction paragraphs for the
|
|
||||||
reference documentation below for both
|
|
||||||
[Kubernetes to Consul](/docs/platform/k8s/service-sync.html#kubernetes-to-consul) and
|
|
||||||
[Consul to Kubernetes](/docs/platform/k8s/service-sync.html#consul-to-kubernetes)
|
|
||||||
sync to understand how the syncing works.
|
|
||||||
|
|
||||||
### Authentication
|
### Authentication
|
||||||
|
|
||||||
The sync process must authenticate to both Kubernetes and Consul to read
|
The sync process must authenticate to both Kubernetes and Consul to read
|
||||||
|
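Review bot: the removed "Before installing" callout pointing readers to the Kubernetes to Consul and Consul to Kubernetes introductions is not re-added in any other hunk of this commit; if it was meant to be relocated rather than dropped, the replacement is missing, and if dropping it is intentional, the commit message (which only mentions ACL commands) should say so.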
@ -261,8 +255,8 @@ metadata:
|
||||||
## Consul to Kubernetes
|
## Consul to Kubernetes
|
||||||
|
|
||||||
This syncs Consul services into first-class Kubernetes services.
|
This syncs Consul services into first-class Kubernetes services.
|
||||||
An [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname)
|
The sync service will creat an [`ExternalName`](https://kubernetes.io/docs/concepts/services-networking/service/#externalname)
|
||||||
`Service` is created for each Consul service. The "external name" will be
|
`Service` for each Consul service. The "external name" will be
|
||||||
the Consul DNS name.
|
the Consul DNS name.
|
||||||
|
|
||||||
For example, given a Consul service `foo`, a Kubernetes Service will be created
|
For example, given a Consul service `foo`, a Kubernetes Service will be created
|
||||||
|
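Review bot: typo in the new line `The sync service will creat an` should be `create`.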
@ -279,14 +273,14 @@ spec:
|
||||||
type: ExternalName
|
type: ExternalName
|
||||||
```
|
```
|
||||||
|
|
||||||
With Consul To Kubernetes syncing enabled, DNS requests of the form `{consul-service-name}`
|
With Consul To Kubernetes syncing enabled, DNS requests of the form `<consul-service-name>`
|
||||||
will be serviced by Consul DNS. From a different namespace than where Consul
|
will be serviced by Consul DNS. From a different Kubernetes namespace than where Consul
|
||||||
is deployed, the DNS request would need to be `{consul-service-name}.{consul-namespace}`.
|
is deployed, the DNS request would need to be `<consul-service-name>.<consul-namespace>`.
|
||||||
|
|
||||||
-> **Note:** Consul to Kubernetes syncing **isn't required** if you've enabled [Consul DNS on Kubernetes](/docs/platform/k8s/dns.html)
|
-> **Note:** Consul to Kubernetes syncing **isn't required** if you've enabled [Consul DNS on Kubernetes](/docs/platform/k8s/dns.html)
|
||||||
*and* all you need to do is address services in the form `{consul-service-name}.service.consul`, i.e. you don't need Kubernetes `Service` objects created.
|
*and* all you need to do is address services in the form `<consul-service-name>.service.consul`, i.e. you don't need Kubernetes `Service` objects created.
|
||||||
|
|
||||||
-> **Requires Consul DNS via CoreDNS in Kubernetes:** This feature requires that
|
~> **Requires Consul DNS via CoreDNS in Kubernetes:** This feature requires that
|
||||||
[Consul DNS](/docs/platform/k8s/dns.html) is configured within Kubernetes.
|
[Consul DNS](/docs/platform/k8s/dns.html) is configured within Kubernetes.
|
||||||
Additionally, **[CoreDNS](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#config-coredns)
|
Additionally, **[CoreDNS](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#config-coredns)
|
||||||
is required (instead of kube-dns)** to resolve an
|
is required (instead of kube-dns)** to resolve an
|
||||||
|
|