3.8 KiB
Executable File
+++ title = "Adding your service to the mesh" docpage = true [menu.docs] parent = "adding-your-service" +++
In order for your service to take advantage of Conduit, it needs to be added to the service mesh. This is done by using the Conduit CLI to add the Conduit proxy sidecar to each pod. By doing this as a rolling update, the availability of your application will not be affected.
Prerequisites
- Applications that use WebSockets or HTTP tunneling/proxying (use of the HTTP
CONNECTmethod), or plaintext MySQL, SMTP, or other protocols where the server sends data before the client sends data, require additional configuration. See the Protocol Support section below. - gRPC applications that use grpc-go must use grpc-go version 1.3 or later due to a bug in earlier versions.
- Conduit doesn't yet support external DNS lookups (e.g. proxying a call to a third-party API). This will be addressed in an upcoming release.
Adding your service
To add your service to the service mesh, run:
conduit inject deployment.yml | kubectl apply -f -
deployment.yml is the Kubernetes config file containing your
application. This will trigger a rolling update of your deployment, replacing
each pod with a new one that additionally contains the Conduit sidecar proxy.
You will know that your service has been successfully added to the service mesh if its proxy status is green in the Conduit dashboard.
You can always get to the Conduit dashboard by running
conduit dashboard
Protocol Support
Conduit supports most applications without requiring any configuration on your part. To accomplish this, Conduit automatically detects the protocol used on each connection. In some cases, however, Conduit's protocol detection can't be fully automated and requires some configuration from you.
HTTP Tunneling and WebSockets
Most HTTP traffic (including HTTP/2) will be handled automatically and
transparently by Conduit without any configuration on your part. However,
non-HTTPS WebSockets and HTTP tunneling/proxying (use of the HTTP CONNECT
method) currently require manual configuration to disable the layer 7 features
for those connections. For pods that accept incoming CONNECT requests and/or
incoming WebSocket connections, use the --skip-inbound-ports flag when running
conduit inject. For pods that make outgoing CONNECT requests and/or outgoing
WebSocket connections, use the --skip-outbound-ports flag when running
conduit inject. (Automatic transparent proxying of WebSockets will be
implemented in a future release.)
For example, to allow inbound traffic on ports 80 and 7777 to bypass the proxy, use the command:
conduit inject deployment.yml --skip-inbound-ports=80,7777 | kubectl apply -f -
MySQL and SMTP
Most non-HTTP traffic will also be handled automatically and transparently by
Conduit without any configuration on your part. However, for protocols where the
server sends data before the client sends, e.g. MySQL and SMTP connections that
aren't protected by TLS, Conduit currently requires some manual configuration.
In such cases, use the --skip-inbound-ports flag when running conduit inject. For pods that make outgoing connections using such protocols, use the
--skip-outbound-ports flag when running conduit inject. (Note that this
applies only to non-TLS'd connections; connections with TLS enabled do not
require any additional configuration irrespective of protocol.)