Merge pull request #8531 from hashicorp/je.fix-broken-links

Docs Sidenav Update, Fix Broken Links
This commit is contained in:
Jeff Escalante 2020-08-24 15:43:08 -04:00 committed by GitHub
commit dfcd9c00cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 1700 additions and 1273 deletions

View File

@ -40,8 +40,6 @@
/docs/connect/terminating_gateway /docs/connect/gateways/terminating-gateway 301!
/docs/connect/terminating_gateway.html /docs/connect/gateways/terminating-gateway 301!
/docs/connect/terminating-gateway /docs/connect/gateways/terminating-gateway 301!
/docs/k8s/connect /docs/k8s/connect/overview 301!
/docs/k8s/connect.html /docs/k8s/connect/overview 301!
# CLI renames
@ -175,8 +173,8 @@
/docs/connect/platform/nomad.html /docs/connect/nomad 301!
/docs/connect/platform/nomad /docs/connect/nomad 301!
/docs/platform/k8s/run.html /docs/k8s/installation/overview 301!
/docs/platform/k8s/run /docs/k8s/installation/overview 301!
/docs/platform/k8s/run.html /docs/k8s/installation 301!
/docs/platform/k8s/run /docs/k8s/installation 301!
/docs/platform/k8s/consul-enterprise.html /docs/k8s/installation/deployment-configurations/consul-enterprise 301!
/docs/platform/k8s/consul-enterprise /docs/k8s/installation/deployment-configurations/consul-enterprise 301!
/docs/platform/k8s/clients-outside-kubernetes.html /docs/k8s/installation/deployment-configurations/clients-outside-kubernetes 301!

View File

@ -159,7 +159,12 @@ export default [
},
{
category: 'gateways',
content: [ 'mesh-gateway', 'wan-federation-via-mesh-gateways', 'ingress-gateway', 'terminating-gateway'],
content: [
'mesh-gateway',
'wan-federation-via-mesh-gateways',
'ingress-gateway',
'terminating-gateway',
],
},
{
category: 'registration',
@ -180,10 +185,8 @@ export default [
category: 'k8s',
content: [
{
name: 'Installation',
category: 'installation',
content: [
'overview',
{
category: 'platforms',
name: 'Platform Guides',
@ -222,8 +225,7 @@ export default [
},
{
category: 'multi-cluster',
name: 'Multi-Cluster Federation',
content: ['overview', 'kubernetes', 'vms-and-kubernetes'],
content: ['kubernetes', 'vms-and-kubernetes'],
},
],
},
@ -234,8 +236,11 @@ export default [
},
{
category: 'connect',
name: 'Connect Service Mesh',
content: ['overview', 'ingress-gateways', 'terminating-gateways', 'connect-ca-provider'],
content: [
'ingress-gateways',
'terminating-gateways',
'connect-ca-provider',
],
},
'service-sync',
'dns',

2592
website/package-lock.json generated

File diff suppressed because it is too large Load Diff

View File

@ -4,35 +4,34 @@
"version": "0.0.1",
"author": "HashiCorp",
"dependencies": {
"@hashicorp/nextjs-scripts": "11.1.0",
"@hashicorp/react-alert": "2.0.1",
"@hashicorp/react-alert-banner": "3.1.0",
"@hashicorp/react-button": "2.2.1",
"@hashicorp/react-call-to-action": "0.2.1",
"@hashicorp/react-case-study-slider": "2.1.1",
"@hashicorp/react-code-block": "1.2.7",
"@hashicorp/react-content": "4.0.0",
"@hashicorp/react-docs-page": "4.0.0",
"@hashicorp/react-docs-sidenav": "3.2.5",
"@hashicorp/react-featured-slider": "1.1.1",
"@hashicorp/react-global-styles": "4.4.0",
"@hashicorp/react-head": "1.1.1",
"@hashicorp/react-image": "2.0.1",
"@hashicorp/react-inline-svg": "1.0.0",
"@hashicorp/react-logo-grid": "2.1.1",
"@hashicorp/nextjs-scripts": "11.1.1",
"@hashicorp/react-alert": "2.0.3",
"@hashicorp/react-alert-banner": "3.2.1",
"@hashicorp/react-button": "2.2.4",
"@hashicorp/react-call-to-action": "0.2.4",
"@hashicorp/react-case-study-slider": "2.1.4",
"@hashicorp/react-code-block": "1.2.9",
"@hashicorp/react-content": "4.0.2",
"@hashicorp/react-docs-page": "5.0.0",
"@hashicorp/react-featured-slider": "1.1.4",
"@hashicorp/react-global-styles": "4.4.2",
"@hashicorp/react-head": "1.1.3",
"@hashicorp/react-image": "2.0.3",
"@hashicorp/react-inline-svg": "1.0.2",
"@hashicorp/react-logo-grid": "2.1.4",
"@hashicorp/react-mega-nav": "4.0.1-2",
"@hashicorp/react-product-downloader": "4.0.2",
"@hashicorp/react-product-features-list": "1.0.1",
"@hashicorp/react-section-header": "2.0.0",
"@hashicorp/react-subnav": "3.2.3",
"@hashicorp/react-text-and-content": "4.1.1",
"@hashicorp/react-text-split": "0.3.1",
"@hashicorp/react-text-split-with-code": "0.1.1",
"@hashicorp/react-text-split-with-image": "1.3.1",
"@hashicorp/react-text-split-with-logo-grid": "1.1.1",
"@hashicorp/react-use-cases": "1.0.4",
"@hashicorp/react-vertical-text-block-list": "2.0.1",
"algoliasearch": "4.3.0",
"@hashicorp/react-product-downloader": "4.1.1",
"@hashicorp/react-product-features-list": "1.0.3",
"@hashicorp/react-section-header": "2.0.2",
"@hashicorp/react-subnav": "3.2.6",
"@hashicorp/react-text-and-content": "4.1.4",
"@hashicorp/react-text-split": "0.4.0",
"@hashicorp/react-text-split-with-code": "0.2.0",
"@hashicorp/react-text-split-with-image": "1.4.0",
"@hashicorp/react-text-split-with-logo-grid": "1.3.0",
"@hashicorp/react-use-cases": "1.0.6",
"@hashicorp/react-vertical-text-block-list": "2.0.3",
"algoliasearch": "4.4.0",
"babel-plugin-import-glob-array": "0.2.0",
"dotenv": "8.2.0",
"gray-matter": "4.0.2",
@ -41,8 +40,8 @@
"react": "16.13.1",
"react-device-detect": "1.13.1",
"react-dom": "16.13.1",
"remark": "12.0.0",
"unist-util-visit": "2.0.2"
"remark": "12.0.1",
"unist-util-visit": "2.0.3"
},
"devDependencies": {
"dart-linkcheck": "2.0.15",

View File

@ -101,4 +101,4 @@ The Consul Helm chart can automate much of Consul Connect's configuration, and
makes it easy to automatically inject Envoy sidecars into new pods when they are
deployed. Learn about the [Helm chart](/docs/platform/k8s/helm) in general,
or if you are already familiar with it, check out it's
[connect specific configurations](/docs/platform/k8s/connect/overview).
[connect specific configurations](/docs/platform/k8s/connect).

View File

@ -10,7 +10,7 @@ description: |-
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher
~> This topic requires familiarity with [mesh gateways](/docs/connect/mesh-gateway).
~> This topic requires familiarity with [mesh gateways](/docs/connect/gateways/mesh-gateway).
WAN federation via mesh gateways allows for Consul servers in different datacenters
to be federated exclusively through mesh gateways.
@ -37,7 +37,7 @@ Sometimes this prerequisite is difficult or undesirable to meet:
Operators looking to simplify their WAN deployment and minimize the exposed
security surface area can elect to join these datacenters together using [mesh
gateways](/docs/connect/mesh-gateways.html) to do so.
gateways](/docs/connect/gateways/mesh-gateway) to do so.
## Architecture

View File

@ -423,7 +423,7 @@ environment.
[counting-1.json]: https://raw.githubusercontent.com/hashicorp/demo-consul-101/master/demo-config-localhost/counting-1.json
[dashboard service]: https://github.com/hashicorp/demo-consul-101/releases/download/0.0.2/dashboard-service_linux_amd64.zip
[dashboard.json]: https://raw.githubusercontent.com/hashicorp/demo-consul-101/master/demo-config-localhost/dashboard.json
[default acl policy]: https://www.consul.io/docs/agent/options.html#acl_default_policy
[default acl policy]: https://www.consul.io/docs/agent/options#acl_default_policy
[demo-consul-101 project]: https://github.com/hashicorp/demo-consul-101
[dev agent]: https://learn.hashicorp.com/consul/getting-started/agent
[docker guide]: https://learn.hashicorp.com/consul/day-0/containers-guide
@ -432,11 +432,11 @@ environment.
[img-flow]: /static/img/consul/connect-getting-started/consul_connect_demo_service_flow.png
[img-screenshot1]: /static/img/consul/connect-getting-started/screenshot1.png
[img-screenshot2]: /static/img/consul/connect-getting-started/screenshot2.png
[intention]: https://www.consul.io/docs/connect/intentions.html
[services-api]: https://www.consul.io/api/agent/service.html#register-service
[services-cli]: https://www.consul.io/docs/commands/services.html
[services-config]: https://www.consul.io/docs/agent/services.html#service-definition
[services-nomad]: https://www.nomadproject.io/docs/job-specification/service.html
[intention]: https://www.consul.io/docs/connect/intentions
[services-api]: https://www.consul.io/api/agent/service#register-service
[services-cli]: https://www.consul.io/docs/commands/services
[services-config]: https://www.consul.io/docs/agent/services#service-definition
[services-nomad]: https://www.nomadproject.io/docs/job-specification/service
[sidecar]: https://docs.microsoft.com/en-us/azure/architecture/patterns/sidecar
[sidecar_service]: https://www.consul.io/docs/connect/registration/sidecar-service.html
[services-k8s]: https://www.consul.io/docs/platform/k8s/connect/overview.html#installation-and-configuration
[sidecar_service]: https://www.consul.io/docs/connect/registration/sidecar-service
[services-k8s]: https://www.consul.io/docs/platform/k8s/connect#installation-and-configuration

View File

@ -80,4 +80,4 @@ $ consul -v
Consul currently supports all 'evergreen' browsers, as they are generally on
up-to-date versions. For more information on supported browsers, please see our
[FAQ](/faq.mdx)
[FAQ](/docs/faq)

View File

@ -286,7 +286,7 @@ If you have tried the above troubleshooting steps and are still stuck, DataWire
[ingress controller]: https://blog.getambassador.io/kubernetes-ingress-nodeport-load-balancers-and-ingress-controllers-6e29f1c44f2d
[proxies]: /docs/connect/proxies
[service sync]: /docs/k8s/service-sync
[connect sidecar]: /docs/k8s/connect/overview
[connect sidecar]: /docs/k8s/connect
[install]: https://www.getambassador.io/user-guide/consul-connect-ambassador/
[ambassador-service.yaml]: https://www.getambassador.io/yaml/ambassador/ambassador-service.yaml
[request access]: https://d6e.co/slack

View File

@ -88,20 +88,20 @@ global:
name: consul
server:
extraVolumes:
- type: secret
name: vault-config
load: true
items:
- key: config
path: vault-config.json
- type: secret
name: vault-ca
load: false
- type: secret
name: vault-config
load: true
items:
- key: config
path: vault-config.json
- type: secret
name: vault-ca
load: false
connectInject:
enabled: true
```
Finally, [install](/docs/k8s/installation/overview#installing-consul) the Helm chart using the above config file:
Finally, [install](/docs/k8s/installation#installing-consul) the Helm chart using the above config file:
```shell-session
$ helm install consul -f config.yaml hashicorp/consul

View File

@ -1,7 +1,7 @@
---
layout: docs
page_title: Connect Service Mesh - Kubernetes
sidebar_title: Overview
sidebar_title: Connect Service Mesh
description: >-
Connect is a feature built into to Consul that enables automatic
service-to-service authorization and connection encryption across your Consul
@ -21,12 +21,12 @@ your cluster, making configuration for Kubernetes automatic.
This functionality is provided by the
[consul-k8s project](https://github.com/hashicorp/consul-k8s) and can be
automatically installed and configured using the
[Consul Helm chart](/docs/k8s/installation/overview).
[Consul Helm chart](/docs/k8s/installation).
## Usage
When the
[Connect injector is installed](/docs/k8s/connect/overview#installation-and-configuration),
[Connect injector is installed](/docs/k8s/connect#installation-and-configuration),
the Connect sidecar can be automatically added to all pods. This sidecar can both
accept and establish connections using Connect, enabling the pod to communicate
to clients and dependencies exclusively over authorized and encrypted
@ -78,7 +78,7 @@ spec:
The only change for Connect is the addition of the
`consul.hashicorp.com/connect-inject` annotation. This enables injection
for this pod. The injector can also be
[configured](/docs/k8s/connect/overview#installation-and-configuration)
[configured](/docs/k8s/connect#installation-and-configuration)
to automatically inject unless explicitly disabled, but the default
installation requires opt-in using the annotation shown above.
@ -131,7 +131,7 @@ spec:
```
Pods must specify upstream dependencies with the
[`consul.hashicorp.com/connect-service-upstreams` annotation](/docs/k8s/connect/overview#consul-hashicorp-com-connect-service-upstreams).
[`consul.hashicorp.com/connect-service-upstreams` annotation](/docs/k8s/connect#consul-hashicorp-com-connect-service-upstreams).
This annotation declares the names of any upstream dependencies and a
local port for the proxy to listen on. When a connection is established to that local
port, the proxy establishes a connection to the target service
@ -332,7 +332,7 @@ provided by the
[consul-k8s project](https://github.com/hashicorp/consul-k8s).
This enables the automatic pod mutation shown in the usage section above.
Installation of the mutating admission webhook is automated using the
[Helm chart](/docs/k8s/installation/overview).
[Helm chart](/docs/k8s/installation).
To install the Connect injector, enable the Connect injection feature using
[Helm values](/docs/k8s/helm#configuration-values) and
@ -505,7 +505,7 @@ See [consul.hashicorp.com/connect-service-upstreams](#consul-hashicorp-com-conne
### Verifying the Installation
To verify the installation, run the
["Accepting Inbound Connections"](/docs/k8s/connect/overview#accepting-inbound-connections)
["Accepting Inbound Connections"](/docs/k8s/connect#accepting-inbound-connections)
example from the "Usage" section above. After running this example, run
`kubectl get pod static-server -o yaml`. In the raw YAML output, you should
see injected Connect containers and an annotation

View File

@ -16,14 +16,15 @@ See [Ingress Gateways](/docs/connect/ingress-gateway) for more information on us
Adding an ingress gateway is a multi-step process that consists of the following steps:
* Setting the helm chart configuration
* Deploying the helm chart
* Configuring the gateway
* Defining an Intention (if ACLs are enabled)
* Deploying your application to Kubernetes
* Connecting to your application
- Setting the helm chart configuration
- Deploying the helm chart
- Configuring the gateway
- Defining an Intention (if ACLs are enabled)
- Deploying your application to Kubernetes
- Connecting to your application
## Setting the helm chart configuration
When deploying the helm chart you must provide helm with a custom yaml file that contains your environment configuration.
```yaml
@ -38,25 +39,25 @@ ingressGateways:
service:
type: LoadBalancer
```
~> *Note:* this will create a public unauthenticated LoadBalancer in your cluster, please take appropriate security considerations.
~> _Note:_ this will create a public unauthenticated LoadBalancer in your cluster, please take appropriate security considerations.
The yaml snippet is the launching point for a valid configuration that must be supplied when installing using the [official consul-helm chart](https://hub.helm.sh/charts/hashicorp/consul).
Information on additional options can be found in the [Helm reference](/docs/k8s/helm). Configuration options for ingress gateways reside under the [ingressGateways](/docs/k8s/helm#v-ingressgateways) entry.
The gateways stanza is where you will define and configure the set of ingress gateways you want deployed to your environment.
The only required field for each entry is `name`, though entries may contain any of the fields found in the `defaults` stanza.
Values in this section override the values from the defaults stanza for the given ingress gateway with one exception:
the annotations from the defaults stanza will be *appended* to any user-defined annotations defined in the gateways stanza rather than being overridden.
the annotations from the defaults stanza will be _appended_ to any user-defined annotations defined in the gateways stanza rather than being overridden.
Please refer to the ingress gateway configuration [documentation](/docs/k8s/helm#v-ingressgateways-defaults) for a detailed explanation of each option.
-> *Note*: Make sure any ports that will be used as listeners in the ingress gateway's Consul config entry are included
-> _Note_: Make sure any ports that will be used as listeners in the ingress gateway's Consul config entry are included
in the `ports` object for each gateway. By default ports 8080 and 8443 are exposed for traffic.
## Deploying the helm chart
Ensure you have the latest consul-helm chart and install Consul via helm using the following
[guide](/docs/k8s/installation/overview#installing-consul) while being sure to provide the yaml configuration
[guide](/docs/k8s/installation#installing-consul) while being sure to provide the yaml configuration
as previously discussed.
## Configuring the gateway
@ -64,8 +65,8 @@ as previously discussed.
Now that Consul has been installed with ingress gateways enabled, you must add the corresponding configuration to Consul. This requires you to use the Consul CLI.
Configuring the ingress gateway requires:
* Accessing the Consul server
* Submitting an Ingress Gateway configuration entry to Consul
- Accessing the Consul server
- Submitting an Ingress Gateway configuration entry to Consul
### Accessing the Consul server
@ -74,17 +75,20 @@ You can access the Consul server directly from your host via `kubectl port-forwa
```shell-session
$ kubectl port-forward consul-server-0 8500 &
```
If TLS is enabled use port 8501.
-> Download the latest Consul binary from [Downloads](/downloads.html).
[https://releases.hashicorp.com/consul/](https://releases.hashicorp.com/consul/)
If TLS is enabled set:
```shell-session
$ export CONSUL_HTTP_ADDR=https://localhost:8501
```
If ACLs are enabled set :
```shell-session
$ export CONSUL_HTTP_TOKEN=$(kubectl get secret consul-bootstrap-acl-token -o jsonpath={.data.token} | base64 -D)
$ export CONSUL_HTTP_SSL_VERIFY=false
@ -129,6 +133,7 @@ If TLS is enabled, use :
If ACLs are enabled, you must define an [intention](/docs/connect/intentions) to allow the ingress gateway to access the upstream services defined in the config entry.
To create an intention that allows the ingress gateway to route to the service `static-server`, run:
```shell-session
$ consul intention create ingress-gateway static-server
```
@ -136,6 +141,7 @@ $ consul intention create ingress-gateway static-server
For detailed instructions on how to configure zero-trust networking with intentions please refer to this [guide](https://learn.hashicorp.com/tutorials/consul/service-mesh-zero-trust-network).
## Deploying your application to Kubernetes
Now you will deploy a sample application which echoes “hello world”
```yaml
@ -198,7 +204,7 @@ ingressGateways:
gateways:
- name: ingress-gateway
service:
type: LoadBalancer
type: LoadBalancer
```
And run Helm upgrade:

View File

@ -21,10 +21,10 @@ your components, you should be running a compatible version by default.
Adding a terminating gateway is a multi-step process:
* Update the helm chart with terminating gateway config options
* Deploying the helm chart
* Accessing the Consul agent
* Register external services with Consul
- Update the helm chart with terminating gateway config options
- Deploying the helm chart
- Accessing the Consul agent
- Register external services with Consul
## Update the helm chart with terminating gateway config options
@ -42,7 +42,7 @@ terminatingGateways:
## Deploying the helm chart
Ensure you have the latest consul-helm chart and install Consul via helm using the following
[guide](/docs/k8s/installation/overview#installing-consul) while being sure to provide the yaml configuration
[guide](/docs/k8s/installation#installing-consul) while being sure to provide the yaml configuration
as previously discussed.
## Accessing the Consul agent
@ -52,7 +52,9 @@ You can access the Consul server directly from your host via `kubectl port-forwa
```shell-session
$ kubectl port-foward consul-server-0 8500 &
```
If TLS is enabled use port 8501:
```shell-session
$ kubectl port-foward consul-server-0 8501 &
```
@ -63,12 +65,16 @@ $ kubectl port-foward consul-server-0 8501 &
```shell-session
$ export CONSUL_HTTP_ADDR=http://localhost:8500
```
If TLS is enabled set:
```shell-session
$ export CONSUL_HTTP_ADDR=https://localhost:8501
$ export CONSUL_HTTP_SSL_VERIFY=false
```
If ACLs are enabled also set:
```shell-session
$ export CONSUL_HTTP_TOKEN=$(kubectl get secret consul-bootstrap-acl-token -o jsonpath={.data.token} | base64 -D)
```
@ -76,46 +82,52 @@ $ export CONSUL_HTTP_TOKEN=$(kubectl get secret consul-bootstrap-acl-token -o js
## Register external services with Consul
Registering the external services with Consul is a multi-step process:
* Register external services with Consul
* Update the terminating gateway ACL token if ACLs are enabled
* Create the configuration entry for the terminating gateway
* Create intentions to allow access from services in the mesh to external service
* Define upstream annotations for any services that need to talk to the external services
- Register external services with Consul
- Update the terminating gateway ACL token if ACLs are enabled
- Create the configuration entry for the terminating gateway
- Create intentions to allow access from services in the mesh to external service
- Define upstream annotations for any services that need to talk to the external services
### Register external services with Consul
Create a sample external service and register it with Consul.
```json
{
"Node": "legacy_node",
"Address": "example.com",
"NodeMeta": {
"external-node": "true",
"external-probe": "true"
},
"Service": {
"ID": "example-https",
"Service": "example-https",
"Port": 443
}
"Node": "legacy_node",
"Address": "example.com",
"NodeMeta": {
"external-node": "true",
"external-probe": "true"
},
"Service": {
"ID": "example-https",
"Service": "example-https",
"Port": 443
}
}
```
Register the external service with Consul:
```shell-session
$ curl --request PUT --data @external.json -k $CONSUL_HTTP_ADDR/v1/catalog/register
```
If ACLs and TLS are enabled :
```shell-session
$ curl --request PUT --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" --data @external.json -k $CONSUL_HTTP_ADDR/v1/catalog/register
```
### Update terminating gateway ACL token if ACLs are enabled
If ACLs are enabled, update the terminating gateway acl token to have `service: write` permissions on all of the services
being represented by the gateway:
* Create a new policy that includes these permissions
* Update the existing token to include the new policy
- Create a new policy that includes these permissions
- Update the existing token to include the new policy
~> The CLI command should be run with the `-merge-policies`, `-merge-roles` and `-merge-service-identities` so
nothing is removed from the terminating gateway token
@ -125,21 +137,28 @@ service "example-https" {
policy = "write"
}
```
```shell-session
$ consul acl policy create -name "example-https-write-policy" -rules @write-policy.hcl
```
Now fetch the id of the terminating gateway token
```shell-session
$ consul acl token list | grep terminating-gateway-terminating-gateway-token
```
Update the terminating gateway acl token with the new policy
```shell-session
$ consul acl token update -id <token-id> -policy-name example-https-write-policy -merge-policies -merge-roles -merge-service-identities
```
### Create the configuration entry for the terminating gateway
Once the tokens have been updated, next write the Consul [config](/docs/agent/config-entries/terminating-gateway)
entry for the terminating gateway:
```hcl
Kind = "terminating-gateway"
Name = "terminating-gateway"
@ -150,20 +169,24 @@ Services = [
}
]
```
~> If TLS is enabled a `CAFile` must be provided, it must point to the system trust store of the terminating gateway
container.
Submit the terminating gateway entry with the Consul CLI using this command.
```shell-session
$ consul config write terminating-gateway.hcl
```
If using ACLs and TLS, create intentions to allow access from services in the mesh to the external service
```shell-session
$ consul intention create -allow static-client example-https
```
### Define the external services as upstreams for services in the mesh
Finally define and deploy the external services as upstreams for the internal mesh services that wish to talk to them.
An example deployment is provided which will serve as a static client for the terminating gateway service.
@ -188,25 +211,27 @@ spec:
labels:
app: static-client
annotations:
"consul.hashicorp.com/connect-inject": "true"
"consul.hashicorp.com/connect-service-upstreams": "example-https:1234"
'consul.hashicorp.com/connect-inject': 'true'
'consul.hashicorp.com/connect-service-upstreams': 'example-https:1234'
spec:
containers:
# This name will be the service name in Consul.
- name: static-client
image: tutum/curl:latest
command: [ "/bin/sh", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
# If ACLs are enabled, the serviceAccountName must match the Consul service name.
command: ['/bin/sh', '-c', '--']
args: ['while true; do sleep 30; done;']
# If ACLs are enabled, the serviceAccountName must match the Consul service name.
serviceAccountName: static-client
```
Run the service via `kubectl apply`:
```shell-session
$ kubectl apply -f static-client.yaml
```
You can verify connectivity of the static-client and terminating gateway via a curl command:
```shell-session
$ kubectl exec deploy/static-client -- curl -vvvs -H "Host: example-https.com" http://localhost:1234/
```

View File

@ -148,7 +148,7 @@ and consider if they're appropriate for your deployment.
- `verify` ((#v-global-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`,
and `verify_incoming_rpc` will be set to `true` for Consul servers and clients.
Set this to false to incrementally roll out TLS on an existing Consul cluster.
Please see [Configuring TLS on an Existing Cluster](/docs/k8s/tls-on-existing-cluster)
Please see [Configuring TLS on an Existing Cluster](/docs/k8s/operations/tls-on-existing-cluster)
for more details.
- `httpsOnly` ((#v-global-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul
@ -194,11 +194,11 @@ and consider if they're appropriate for your deployment.
# Resources are defined as a YAML map:
resources:
requests:
memory: "25Mi"
cpu: "20m"
memory: '25Mi'
cpu: '20m'
limits:
memory: "50Mi"
cpu: "20m"
memory: '50Mi'
cpu: '20m'
```
- `server` ((#v-server)) - Values that configure running a Consul server within Kubernetes.
@ -419,7 +419,7 @@ and consider if they're appropriate for your deployment.
- `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on
port 8502 and expose it to the host. This will use slightly more resources, but is
required for [Connect](/docs/k8s/connect/overview).
required for [Connect](/docs/k8s/connect).
- `exposeGossipPorts` ((#v-client-exposegossipports)) (`boolean: false`) - If true, the Helm chart
will expose the clients' gossip ports as hostPorts. This is only necessary if pod IPs in the k8s cluster are not directly routable and the Consul servers are outside of the k8s cluster.
@ -662,7 +662,7 @@ and consider if they're appropriate for your deployment.
- `additionalSpec` ((#v-ui-service-additionalspec)) (`string: null`) - Additional Service spec
values. This should be a multi-line string mapping directly to a Kubernetes `Service` object.
- `connectInject` ((#v-connectinject)) - Values that configure running the [Connect injector](/docs/k8s/connect/overview).
- `connectInject` ((#v-connectinject)) - Values that configure running the [Connect injector](/docs/k8s/connect).
- `enabled` ((#v-connectinject-enabled)) (`boolean: false`) - If true, the chart will install all the
resources necessary for the Connect injector process to run. This will enable the injector but will
@ -672,7 +672,7 @@ and consider if they're appropriate for your deployment.
(including any tag) for the [consul-k8s](https://github.com/hashicorp/consul-k8s) binary.
- `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
Connect sidecar into all pods by default. Otherwise, pods must specify the. [injection annotation](/docs/k8s/connect/overview#consul-hashicorp-com-connect-inject)
Connect sidecar into all pods by default. Otherwise, pods must specify the. [injection annotation](/docs/k8s/connect#consul-hashicorp-com-connect-inject)
to opt-in to Connect injection. If this is true, pods can use the same annotation
to explicitly opt-out of injection.
@ -773,7 +773,7 @@ and consider if they're appropriate for your deployment.
configuration feature. Pods that have a Connect proxy injected will have their service automatically registered in this central configuration.
- `defaultProtocol` ((#v-connectinject-centralconfig-defaultprotocol)) (`string: null`) - If
defined, this value will be used as the default protocol type for all services registered with the central configuration. This can be overridden by using the [protocol annotation](/docs/k8s/connect/overview#consul-hashicorp-com-connect-service-protocol) directly on any pod spec.
defined, this value will be used as the default protocol type for all services registered with the central configuration. This can be overridden by using the [protocol annotation](/docs/k8s/connect#consul-hashicorp-com-connect-service-protocol) directly on any pod spec.
- `proxyDefaults` ((#v-connectinject-centralconfig-proxydefaults)) (`string: "{}"`) - This value is
a raw json string that will be applied to all Connect proxy sidecar pods. It can include any valid configuration for the configured proxy.
@ -797,11 +797,11 @@ and consider if they're appropriate for your deployment.
# Resources are defined as a YAML map:
resources:
requests:
memory: "25Mi"
cpu: "20m"
memory: '25Mi'
cpu: '20m'
limits:
memory: "50Mi"
cpu: "20m"
memory: '50Mi'
cpu: '20m'
```
- `sidecarProxy` ((#v-connectinject-sidecarproxy)) - Configure the sidecar proxy that is injected into each Connect pod.
@ -811,17 +811,17 @@ and consider if they're appropriate for your deployment.
[ResourceRequirements](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) object.
By default, each key is set to `null`, which results in no resource limits.
These defaults can be overridden on a per-pod basis via [annotation](/docs/k8s/connect/overview#consul-hashicorp-com-sidecar-proxy).
These defaults can be overridden on a per-pod basis via [annotation](/docs/k8s/connect#consul-hashicorp-com-sidecar-proxy).
```yaml
# Recommended defaults
resources:
requests:
memory: "100Mi"
cpu: "100m"
memory: '100Mi'
cpu: '100m'
limits:
memory: "100Mi"
cpu: "100m"
memory: '100Mi'
cpu: '100m'
```
- `meshGateway` ((#v-meshgateway)) - Configure mesh gateways.
@ -933,11 +933,11 @@ and consider if they're appropriate for your deployment.
# Resources are defined as a YAML map:
resources:
requests:
memory: "25Mi"
cpu: "50m"
memory: '25Mi'
cpu: '50m'
limits:
memory: "150Mi"
cpu: "50m"
memory: '150Mi'
cpu: '50m'
```
- `affinity` ((#v-meshgateway-affinity)) (`string`) - Affinity setting for gateway pods. See values file for default.
@ -989,11 +989,11 @@ and consider if they're appropriate for your deployment.
# Resources are defined as a YAML map:
resources:
requests:
memory: "25Mi"
cpu: "50m"
memory: '25Mi'
cpu: '50m'
limits:
memory: "150Mi"
cpu: "50m"
memory: '150Mi'
cpu: '50m'
```
- `affinity` ((#v-ingressgateways-defaults-affinity)) (`string`) - Affinity setting for gateway pods. See values file for default.
@ -1049,11 +1049,11 @@ and consider if they're appropriate for your deployment.
# Resources are defined as a YAML map:
resources:
requests:
memory: "25Mi"
cpu: "50m"
memory: '25Mi'
cpu: '50m'
limits:
memory: "150Mi"
cpu: "50m"
memory: '150Mi'
cpu: '50m'
```
- `affinity` ((#v-terminatinggateways-defaults-affinity)) (`string`) - Affinity setting for gateway pods. See values file for default.

View File

@ -70,12 +70,12 @@ There are several ways to try Consul with Kubernetes in different environments.
- The [Consul and Kubernetes Deployment](https://learn.hashicorp.com/tutorials/consul/kubernetes-deployment-guide?utm_source=consul.io&utm_medium=docs) tutorial covers the necessary steps to install and configure a new Consul cluster on Kubernetes in production.
- The [Secure Consul and Registered Services on Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-secure-agents?in=consul/kubernetes) tutorial covers
the necessary steps to secure a Consul cluster running on Kubernetes in production.
the necessary steps to secure a Consul cluster running on Kubernetes in production.
- The [Layer 7 Observability with Consul Service Mesh](https://learn.hashicorp.com/tutorials/consul/kubernetes-layer7-observability) tutorial covers monitoring a
Consul service mesh running on Kubernetes with Prometheus and Grafana.
Consul service mesh running on Kubernetes with Prometheus and Grafana.
**Documentation**
- [Installing Consul](/docs/k8s/installation/overview) covers how to install Consul using the Helm chart.
- [Installing Consul](/docs/k8s/installation) covers how to install Consul using the Helm chart.
- [Helm Chart Reference](/docs/k8s/helm) describes the different options for configuring the Helm chart.

View File

@ -55,7 +55,7 @@ You may also consider adopting Consul Enterprise for
-> **Note:** Consul on Kubernetes currently does not support external servers that require mutual authentication
for the HTTPS clients of the Consul servers, that is when servers have either
`verify_incoming` or `verify_incoming_https` set to `true`.
As noted in the [Security Model](docs/internals/security#secure-configuration),
As noted in the [Security Model](/docs/internals/security#secure-configuration),
that setting isn't strictly necessary to support Consul's threat model as it is recommended that
all requests contain a valid ACL token.
@ -116,7 +116,7 @@ The bootstrap token requires the following minimal permissions:
- `agent:read` if using WAN federation over mesh gateways
Next, configure external servers. The Helm chart will use this configuration to talk to the Consul server's API
to create policies, tokens, and an auth method. If you are [enabling Consul Connect](/docs/k8s/connect/overview),
to create policies, tokens, and an auth method. If you are [enabling Consul Connect](/docs/k8s/connect),
`k8sAuthMethodHost` should be set to the address of your Kubernetes API server
so that the Consul servers can validate a Kubernetes service account token when using the [Kubernetes auth method](https://www.consul.io/docs/acl/auth-methods/kubernetes.html)
with `consul login`.

View File

@ -1,7 +1,7 @@
---
layout: docs
page_title: Installing Consul on Kubernetes - Kubernetes
sidebar_title: Overview
sidebar_title: Installation
description: >-
Consul can run directly on Kubernetes, both in server or client mode. For
pure-Kubernetes workloads, this enables Consul to also exist purely within
@ -18,7 +18,7 @@ a server running inside or outside of Kubernetes.
This page starts with a large how-to section for various specific tasks.
To learn more about the general architecture of Consul on Kubernetes, scroll
down to the [architecture](/docs/k8s/installation/overview.html#architecture) section.
down to the [architecture](/docs/k8s/installation#architecture) section.
If you would like to get hands-on experience testing Consul as a service mesh
for Kubernetes, check the guides in the [Getting Started with Consul service
mesh](https://learn.hashicorp.com/consul/gs-consul-service-mesh/understand-consul-service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) track.
@ -98,7 +98,7 @@ create a `config.yaml` file to override the default settings.
You can learn what settings are available by running `helm inspect values hashicorp/consul`
or by reading the [Helm Chart Reference](/docs/k8s/helm).
For example, if you want to enable the [Consul Connect](/docs/k8s/connect/overview) feature,
For example, if you want to enable the [Consul Connect](/docs/k8s/connect) feature,
use the following config file:
```yaml
@ -185,7 +185,7 @@ has important caching behavior, and allows you to use the simpler
[`/agent` endpoints for services and checks](/api/agent).
For Consul installed via the Helm chart, a client agent is installed on
each Kubernetes node. This is explained in the [architecture](/docs/k8s/installation/overview#client-agents)
each Kubernetes node. This is explained in the [architecture](/docs/k8s/installation#client-agents)
section. To access the agent, you may use the
[downward API](https://kubernetes.io/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/).
@ -297,7 +297,7 @@ The clients expose the Consul HTTP API via a static port (default 8500)
bound to the host port. This enables all other pods on the node to connect
to the node-local agent using the host IP that can be retrieved via the
Kubernetes downward API. See
[accessing the Consul HTTP API](/docs/k8s/installation/overview#accessing-the-consul-http-api)
[accessing the Consul HTTP API](/docs/k8s/installation#accessing-the-consul-http-api)
for an example.
There is a major limitation to this: there is no way to bind to a local-only

View File

@ -1,7 +1,7 @@
---
layout: docs
page_title: Multi-Cluster Federation Overview
sidebar_title: Overview
sidebar_title: Multi-Cluster Federation
description: >-
Installing on multiple Kubernetes clusters.
---

View File

@ -10,11 +10,11 @@ description: >-
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher
~> This topic requires familiarity with [Mesh Gateways](/docs/connect/mesh-gateway) and [WAN Federation Via Mesh Gateways](/docs/connect/wan-federation-via-mesh-gateways).
~> This topic requires familiarity with [Mesh Gateways](/docs/connect/mesh-gateway) and [WAN Federation Via Mesh Gateways](/docs/connect/gateways/wan-federation-via-mesh-gateways).
-> Looking for a step-by-step guide? Please follow our Learn tutorial: [Secure and Route Service Mesh Communication Across Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways).
This page describes how to federate multiple Kubernetes clusters. See [Multi-Cluster Overview](/docs/k8s/installation/multi-cluster/overview)
This page describes how to federate multiple Kubernetes clusters. See [Multi-Cluster Overview](/docs/k8s/installation/multi-cluster)
for more information on use-cases and how it works.
## Primary Datacenter
@ -113,7 +113,7 @@ Modifications:
mesh gateway, for example using a Node Port service or a custom DNS entry,
see the [Helm reference](/docs/k8s/helm#v-meshgateway) for that setting.
With your `config.yaml` ready to go, follow our [Installation Guide](/docs/k8s/installation/overview
With your `config.yaml` ready to go, follow our [Installation Guide](/docs/k8s/installation)
to install Consul on your primary cluster and then skip ahead to the [Federation Secret](#federation-secret)
section.
@ -152,7 +152,7 @@ If you've set `enableAutoEncrypt: true`, this is also supported.
creates a Kubernetes Load Balancer service. If you wish to customize the
mesh gateway, see the [Helm reference](/docs/k8s/helm#v-meshgateway) for that setting.
With the above settings added to your existing config, follow the [Upgrading](/localhost:3000/docs/k8s/operations/upgrading)
With the above settings added to your existing config, follow the [Upgrading](/docs/k8s/operations/upgrading)
guide to upgrade your cluster and then come back to the [Federation Secret](#federation-secret) section.
-> **NOTE:** You must be using consul-helm 0.21.0+. To update, run `helm repo update`.
@ -244,7 +244,7 @@ The automatically generated federation secret contains:
## Secondary Cluster(s)
With the primary cluster up and running, and the [federation secret](/docs/installation/multi-cluster#federation-secret) imported
With the primary cluster up and running, and the [federation secret](/docs/k8s/installation/multi-cluster#federation-secret) imported
into the secondary cluster, we can now install Consul into the secondary
cluster.
@ -337,7 +337,7 @@ Modifications:
mesh gateway, for example using a Node Port service or a custom DNS entry,
see the [Helm reference](/docs/k8s/helm#v-meshgateway) for that setting.
With your `config.yaml` ready to go, follow our [Installation Guide](/docs/k8s/installation/overview)
With your `config.yaml` ready to go, follow our [Installation Guide](/docs/k8s/installation)
to install Consul on your secondary cluster(s).
## Verifying Federation
@ -375,7 +375,7 @@ You can switch kubectl contexts and run the same command in `dc2` with the flag
### Consul UI
We can also use the Consul UI to verify federation.
See [Viewing the Consul UI](docs/k8s/installation/overview#viewing-the-consul-ui)
See [Viewing the Consul UI](/docs/k8s/installation#viewing-the-consul-ui)
for instructions on how to view the UI.
~> NOTE: If ACLs are enabled, your kubectl context must be in the primary datacenter
@ -391,4 +391,4 @@ in the top left:
With your Kubernetes clusters federated, try out using Consul service mesh to
route between services deployed on each cluster by following our Learn tutorial: [Secure and Route Service Mesh Communication Across Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways#deploy-microservices).
You can also read our in-depth documentation on [Consul Service Mesh In Kubernetes](/docs/k8s/connect/overview).
You can also read our in-depth documentation on [Consul Service Mesh In Kubernetes](/docs/k8s/connect).

View File

@ -10,11 +10,11 @@ description: >-
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher
~> This topic requires familiarity with [Mesh Gateways](/docs/connect/mesh-gateway) and [WAN Federation Via Mesh Gateways](/docs/connect/wan-federation-via-mesh-gateways).
~> This topic requires familiarity with [Mesh Gateways](/docs/connect/mesh-gateway) and [WAN Federation Via Mesh Gateways](/docs/connect/gateways/wan-federation-via-mesh-gateways).
Consul datacenters running on non-kubernetes platforms like VMs or bare metal can
be federated with Kubernetes datacenters. Just like with Kubernetes, one datacenter
must be the [primary](/docs/k8s/installation/multi-cluster/installation#primary-datacenter).
must be the [primary](/docs/k8s/installation/multi-cluster#primary-datacenter).
## Kubernetes as the Primary
@ -179,7 +179,7 @@ construct the [Federation Secret](#federation-secret) in order to federate
Kubernetes clusters as secondaries.
-> Your VM cluster must be running mesh gateways, and have mesh gateway WAN
federation enabled. See [WAN Federation via Mesh Gateways](/docs/connect/wan-federation-via-mesh-gateways).
federation enabled. See [WAN Federation via Mesh Gateways](/docs/connect/gateways/wan-federation-via-mesh-gateways).
You'll need:
@ -285,7 +285,7 @@ server:
name of your primary datacenter running on VMs and with the IPs of your mesh
gateways running on VMs.
With your config file ready to go, follow our [Installation Guide](/docs/k8s/installation/overview
With your config file ready to go, follow our [Installation Guide](/docs/k8s/installation)
to install Consul on your secondary cluster(s).
## Next Steps

View File

@ -9,7 +9,7 @@ description: Installing Consul on Self Hosted Kubernetes
Except for creating persistent volumes (see below), installing Consul on your
self-hosted Kubernetes cluster is the same process as installing Consul on a
cloud-hosted Kubernetes cluster. See the [Installation Overview](/docs/k8s/installation/overview)
cloud-hosted Kubernetes cluster. See the [Installation Overview](/docs/k8s/installation)
for install instructions.
## Predefined Persistent Volume Claims (PVCs)

View File

@ -35,7 +35,7 @@ This upgrade will trigger a rolling update of the clients, as well as any
other `consul-k8s` components, such as sync catalog or client snapshot deployments.
1. Perform a rolling upgrade of the servers, as described in
[Upgrade Consul Servers](/docs/k8s/upgrading#upgrading-consul-servers).
[Upgrade Consul Servers](/docs/k8s/operations/upgrading#upgrading-consul-servers).
1. Repeat steps 1 and 2, turning on TLS verification by setting `global.tls.verify`
to `true`.
@ -72,7 +72,7 @@ applications to it.
```
In this configuration, we're setting `server.updatePartition` to the number of
server replicas as described in [Upgrade Consul Servers](/docs/k8s/upgrading#upgrading-consul-servers)
server replicas as described in [Upgrade Consul Servers](/docs/k8s/operations/upgrading#upgrading-consul-servers)
and `client.updateStrategy` to `OnDelete` to manually trigger an upgrade of the clients.
1. Run `helm upgrade` with the above config file. The upgrade will trigger an update of all
@ -95,7 +95,7 @@ applications to it.
the sidecar proxy. Also, Kubernetes should schedule these applications on the new node pool.
1. Perform a rolling upgrade of the servers described in
[Upgrade Consul Servers](/docs/k8s/upgrading#upgrading-consul-servers).
[Upgrade Consul Servers](/docs/k8s/operations/upgrading#upgrading-consul-servers).
1. If everything is healthy, delete the old node pool.

View File

@ -15,7 +15,7 @@ services are available to Consul agents and services in Consul can be available
as first-class Kubernetes services. This functionality is provided by the
[consul-k8s project](https://github.com/hashicorp/consul-k8s) and can be
automatically installed and configured using the
[Consul Helm chart](/docs/k8s/installation/overview).
[Consul Helm chart](/docs/k8s/installation).
**Why sync Kubernetes services to Consul?** Kubernetes services synced to the
Consul catalog enable Kubernetes services to be accessed by any node that
@ -132,7 +132,7 @@ instances to be equal to the nodes running the target pods.
By default it will use the external IP of the node but this can be configured via
the [`nodePortSyncType` helm option](/docs/k8s/helm#v-synccatalog-nodeportsynctype).
The service instance's port will be set to the *first* defined node port of the service unless
The service instance's port will be set to the _first_ defined node port of the service unless
set specifically via the `consul.hashicorp.com/service-port` annotation (see [Service Ports](/docs/k8s/service-sync#service-ports)).
#### LoadBalancer
@ -142,7 +142,7 @@ the external IP of the created load balancer. Because this is already a load
balancer, only one service instance will be registered with Consul rather
than registering each individual pod endpoint.
The service instance's port will be set to the *first* defined port of the
The service instance's port will be set to the _first_ defined port of the
service unless set specifically via the `consul.hashicorp.com/service-port` annotation (see [Service Ports](/docs/k8s/service-sync#service-ports)).
#### External IPs
@ -157,7 +157,7 @@ If an external IP list is present, a service instance in Consul will be created
for each external IP. It is assumed that if an external IP is present that it
is routable and configured by some other system.
The service instance's port will be set to the *first* defined port of the
The service instance's port will be set to the _first_ defined port of the
service unless set specifically via the `consul.hashicorp.com/service-port` annotation (see [Service Ports](/docs/k8s/service-sync#service-ports)).
#### ClusterIP