diff --git a/website/content/docs/agent/config-entries.mdx b/website/content/docs/agent/config-entries.mdx deleted file mode 100644 index 9eb3f82f7f5..00000000000 --- a/website/content/docs/agent/config-entries.mdx +++ /dev/null @@ -1,168 +0,0 @@ ---- -layout: docs -page_title: How to Use Configuration Entries -description: >- - Configuration entries define the behavior of Consul service mesh components. Learn how to use the `consul config` command to create, manage, and delete configuration entries. ---- - -# How to Use Configuration Entries - -Configuration entries can be created to provide cluster-wide defaults for -various aspects of Consul. - -Outside of Kubernetes, configuration entries can be specified in HCL or JSON using either -`snake_case` or `CamelCase` for key names. On Kubernetes, configuration -entries can be managed by custom resources in YAML. - -Outside of Kubernetes, every configuration entry specified in HCL or JSON has at least two fields: -`Kind` and `Name`. Those two fields are used to uniquely identify a -configuration entry. Configuration entries specified as HCL or JSON objects -use either `snake_case` or `CamelCase` for key names. - - - -```hcl -Kind = "" -Name = "" -``` - - - -On Kubernetes, `Kind` is set as the custom resource `kind` and `Name` is set -as `metadata.name`: - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: -metadata: - name: -``` - - - -## Supported Config Entries - -See [Service Mesh - Config Entries](/consul/docs/connect/config-entries) for the list -of supported config entries. - -## Managing Configuration Entries In Kubernetes - -See [Kubernetes Custom Resource Definitions](/consul/docs/k8s/crds). - -## Managing Configuration Entries Outside Of Kubernetes - -Configuration entries outside of Kubernetes should be managed with the Consul -[CLI](/consul/commands/config) or [API](/consul/api-docs/config). Additionally, as a -convenience for initial cluster bootstrapping, configuration entries can be -specified in all of the Consul server -[configuration files](/consul/docs/agent/config/config-files#config_entries_bootstrap) - -### Managing Configuration Entries with the CLI - -#### Creating or Updating a Configuration Entry - -The [`consul config write`](/consul/commands/config/write) command is used to -create and update configuration entries. This command will load either a JSON or -HCL file holding the configuration entry definition and then will push this -configuration to Consul. - -Example HCL Configuration File: - - - -```hcl -Kind = "proxy-defaults" -Name = "global" -Config { - local_connect_timeout_ms = 1000 - handshake_timeout_ms = 10000 -} -``` - - - -Then to apply this configuration, run: - -```shell-session -$ consul config write proxy-defaults.hcl -``` - -If you need to make changes to a configuration entry, simple edit that file and -then rerun the command. This command will not output anything unless there is an -error in applying the configuration entry. The `write` command also supports a -`-cas` option to enable performing a compare-and-swap operation to prevent -overwriting other unknown modifications. - -#### Reading a Configuration Entry - -The [`consul config read`](/consul/commands/config/read) command is used to -read the current value of a configuration entry. The configuration entry will be -displayed in JSON form which is how its transmitted between the CLI client and -Consul's HTTP API. - -Example: - -```shell-session -$ consul config read -kind service-defaults -name web -{ - "Kind": "service-defaults", - "Name": "web", - "Protocol": "http" -} -``` - -#### Listing Configuration Entries - -The [`consul config list`](/consul/commands/config/list) command is used to -list out all the configuration entries for a given kind. - -Example: - -```shell-session -$ consul config list -kind service-defaults -web -api -db -``` - -#### Deleting Configuration Entries - -The [`consul config delete`](/consul/commands/config/delete) command is used -to delete an entry by specifying both its `kind` and `name`. - -Example: - -```shell-session -$ consul config delete -kind service-defaults -name web -``` - -This command will not output anything when the deletion is successful. - -#### Configuration Entry Management with Namespaces - -Configuration entry operations support passing a namespace in -order to isolate the entry to affect only operations within that namespace. This was -added in Consul 1.7.0. - -Example: - -```shell-session -$ consul config write service-defaults.hcl -namespace foo -``` - -```shell-session -$ consul config list -kind service-defaults -namespace foo -web -api -``` - -### Bootstrapping From A Configuration File - -Configuration entries can be bootstrapped by adding them [inline to each Consul -server's configuration file](/consul/docs/agent/config/config-files#config_entries). When a -server gains leadership, it will attempt to initialize the configuration entries. -If a configuration entry does not already exist outside of the servers -configuration, then it will create it. If a configuration entry does exist, that -matches both `kind` and `name`, then the server will do nothing. diff --git a/website/content/docs/agent/config/index.mdx b/website/content/docs/agent/config/index.mdx deleted file mode 100644 index c620ef72e05..00000000000 --- a/website/content/docs/agent/config/index.mdx +++ /dev/null @@ -1,95 +0,0 @@ ---- -layout: docs -page_title: Agents - Configuration Explained -description: >- - Agent configuration is the process of defining server and client agent properties with CLI flags and configuration files. Learn what properties can be configured on reload and how Consul sets precedence for configuration settings. ---- - -# Agent Configuration - -The agent has various configuration options that can be specified via -the command-line or via configuration files. All of the configuration -options are completely optional. Defaults are specified with their -descriptions. - -Configuration precedence is evaluated in the following order: - -1. [Command line arguments](/consul/docs/agent/config/cli-flags) -2. [Configuration files](/consul/docs/agent/config/config-files) - -When loading configuration, the Consul agent loads the configuration from files and -directories in lexical order. For example, configuration file -`basic_config.json` will be processed before `extra_config.json`. Configuration -can be in either [HCL](https://github.com/hashicorp/hcl#syntax) or JSON format. -Available in Consul 1.0 and later, the HCL support now requires an `.hcl` or -`.json` extension on all configuration files in order to specify their format. - -Configuration specified later will be merged into configuration specified -earlier. In most cases, "merge" means that the later version will override the -earlier. In some cases, such as event handlers, merging appends the handlers to -the existing configuration. The exact merging behavior is specified for each -option below. - -The Consul agent also supports reloading configuration when it receives the -SIGHUP signal. Not all changes are respected, but those that are -documented below in the -[Reloadable Configuration](#reloadable-configuration) section. The -[reload command](/consul/commands/reload) can also be used to trigger a -configuration reload. - -You can test the following configuration options by following the -[Get Started](/consul/tutorials/get-started-vms?utm_source=docs) -tutorials to install an agent in a VM. - -## Ports Used - -Consul requires up to 6 different ports to work properly, some on -TCP, UDP, or both protocols. - -Review the [required ports](/consul/docs/install/ports) table for a list of -required ports and their default settings. - -## Reloadable Configuration - -Some agent configuration options are reloadable at runtime. -You can run the [`consul reload` command](/consul/commands/reload) to manually reload supported options from configuration files in the configuration directory. -To configure the agent to automatically reload configuration files updated on disk, -set the [`auto_reload_config` configuration option](/consul/docs/agent/config/config-files#auto_reload_config) parameter to `true`. - -The following agent configuration options are reloadable at runtime: -- ACL Tokens -- [Configuration Entry Bootstrap](/consul/docs/agent/config/config-files#config_entries_bootstrap) -- Checks -- [Discard Check Output](/consul/docs/agent/config/config-files#discard_check_output) -- HTTP Client Address -- Log level -- [Metric Prefix Filter](/consul/docs/agent/config/config-files#telemetry-prefix_filter) -- [Node Metadata](/consul/docs/agent/config/config-files#node_meta) -- Some Raft options (since Consul 1.10.0) - - [`raft_snapshot_threshold`](/consul/docs/agent/config/config-files#_raft_snapshot_threshold) - - [`raft_snapshot_interval`](/consul/docs/agent/config/config-files#_raft_snapshot_interval) - - [`raft_trailing_logs`](/consul/docs/agent/config/config-files#_raft_trailing_logs) - - These can be important in certain outage situations so being able to control - them without a restart provides a recovery path that doesn't involve - downtime. They generally shouldn't be changed otherwise. -- [RPC rate limits](/consul/docs/agent/config/config-files#limits) -- [Reporting](/consul/docs/agent/config/config-files#reporting) -- [HTTP Maximum Connections per Client](/consul/docs/agent/config/config-files#http_max_conns_per_client) -- Services -- TLS Configuration - - Please be aware that this is currently limited to reload a configuration that is already TLS enabled. You cannot enable or disable TLS only with reloading. - - To avoid a potential security issue, the following TLS configuration parameters do not automatically reload when [-auto-reload-config](/consul/docs/agent/config/cli-flags#_auto_reload_config) is enabled: - - [encrypt_verify_incoming](/consul/docs/agent/config/config-files#encrypt_verify_incoming) - - [verify_incoming](/consul/docs/agent/config/config-files#verify_incoming) - - [verify_incoming_rpc](/consul/docs/agent/config/config-files#verify_incoming_rpc) - - [verify_incoming_https](/consul/docs/agent/config/config-files#verify_incoming_https) - - [verify_outgoing](/consul/docs/agent/config/config-files#verify_outgoing) - - [verify_server_hostname](/consul/docs/agent/config/config-files#verify_server_hostname) - - [ca_file](/consul/docs/agent/config/config-files#ca_file) - - [ca_path](/consul/docs/agent/config/config-files#ca_path) - - If any of those configurations are changed while [-auto-reload-config](/consul/docs/agent/config/cli-flags#_auto_reload_config) is enabled, - Consul will issue the following warning, `Static Runtime config has changed and need a manual config reload to be applied`. - You must manually issue the `consul reload` command or send a `SIGHUP` to the Consul process to reload the new values. -- Watches -- [License](/consul/docs/enterprise/license/overview) diff --git a/website/content/docs/agent/index.mdx b/website/content/docs/agent/index.mdx deleted file mode 100644 index 468e9087c2a..00000000000 --- a/website/content/docs/agent/index.mdx +++ /dev/null @@ -1,464 +0,0 @@ ---- -layout: docs -page_title: Agents Overview -description: >- - Agents maintain register services, respond to queries, maintain datacenter membership information, and make most of Consul’s functions possible. Learn how to start, stop, and configure agents, as well as their requirements and lifecycle. ---- - -# Agents Overview - -This topic provides an overview of the Consul agent, which is the core process of Consul. -The agent maintains membership information, registers services, runs checks, responds to queries, and more. -The agent must run on every node that is part of a Consul cluster. - -Agents run in either client or server mode. Client nodes are lightweight processes that make up the majority of the cluster. -They interface with the server nodes for most operations and maintain very little state of their own. -Clients run on every node where services are running. - -In addition to the core agent operations, server nodes participate in the [consensus quorum](/consul/docs/architecture/consensus). -The quorum is based on the Raft protocol, which provides strong consistency and availability in the case of failure. -Server nodes should run on dedicated instances because they are more resource intensive than client nodes. - -## Lifecycle - -Every agent in the Consul cluster goes through a lifecycle. -Understanding the lifecycle is useful for building a mental model of an agent's interactions with a cluster and how the cluster treats a node. -The following process describes the agent lifecycle within the context of an existing cluster: - -1. **An agent is started** either manually or through an automated or programmatic process. - Newly-started agents are unaware of other nodes in the cluster. -1. **An agent joins a cluster**, which enables the agent to discover agent peers. - Agents join clusters on startup when the [`join`](/consul/commands/join) command is issued or according the [auto-join configuration](/consul/docs/install/cloud-auto-join). -1. **Information about the agent is gossiped to the entire cluster**. - As a result, all nodes will eventually become aware of each other. -1. **Existing servers will begin replicating to the new node** if the agent is a server. - -### Failures and crashes - -In the event of a network failure, some nodes may be unable to reach other nodes. -Unreachable nodes will be marked as _failed_. - -Distinguishing between a network failure and an agent crash is impossible. -As a result, agent crashes are handled in the same manner is network failures. - -Once a node is marked as failed, this information is updated in the service -catalog. - --> **Note:** Updating the catalog is only possible if the servers can still [form a quorum](/consul/docs/architecture/consensus). -Once the network recovers or a crashed agent restarts, the cluster will repair itself and unmark a node as failed. -The health check in the catalog will also be updated to reflect the current state. - -### Exiting nodes - -When a node leaves a cluster, it communicates its intent and the cluster marks the node as having _left_. -In contrast to changes related to failures, all of the services provided by a node are immediately deregistered. -If a server agent leaves, replication to the exiting server will stop. - -To prevent an accumulation of dead nodes (nodes in either _failed_ or _left_ -states), Consul will automatically remove dead nodes out of the catalog. This -process is called _reaping_. This is currently done on a configurable -interval of 72 hours (changing the reap interval is _not_ recommended due to -its consequences during outage situations). Reaping is similar to leaving, -causing all associated services to be deregistered. - -## Limit traffic rates -You can define a set of rate limiting configurations that help operators protect Consul servers from excessive or peak usage. The configurations enable you to gracefully degrade Consul servers to avoid a global interruption of service. Consul supports global server rate limiting, which lets configure Consul servers to deny requests that exceed the read or write limits. Refer to [Traffic Rate Limits Overview](/consul/docs/agent/limits). - -## Requirements - -You should run one Consul agent per server or host. -Instances of Consul can run in separate VMs or as separate containers. -At least one server agent per Consul deployment is required, but three to five server agents are recommended. -Refer to the following sections for information about host, port, memory, and other requirements: - -- [Server Performance](/consul/docs/install/performance) -- [Required Ports](/consul/docs/install/ports) - -The [Datacenter Deploy tutorial](/consul/tutorials/production-deploy/reference-architecture#deployment-system-requirements) contains additional information, including licensing configuration, environment variables, and other details. - -### Maximum latency network requirements - -Consul uses the gossip protocol to share information across agents. To function properly, you cannot exceed the protocol's maximum latency threshold. The latency threshold is calculated according to the total round trip time (RTT) for communication between all agents. Other network usages outside of Gossip are not bound by these latency requirements (i.e. client to server RPCs, HTTP API requests, xDS proxy configuration, DNS). - -For data sent between all Consul agents the following latency requirements must be met: - -- Average RTT for all traffic cannot exceed 50ms. -- RTT for 99 percent of traffic cannot exceed 100ms. - -## Starting the Consul agent - -Start a Consul agent with the `consul` command and `agent` subcommand using the following syntax: - -```shell-session -$ consul agent -``` - -Consul ships with a `-dev` flag that configures the agent to run in server mode and several additional settings that enable you to quickly get started with Consul. -The `-dev` flag is provided for learning purposes only. -We strongly advise against using it for production environments. - --> **Getting Started Tutorials**: You can test a local agent in a VM by following the -[Get Started tutorials](/consul/tutorials/get-started-vms?utm_source=docs). - -When starting Consul with the `-dev` flag, the only additional information Consul needs to run is the location of a directory for storing agent state data. -You can specify the location with the `-data-dir` flag or define the location in an external file and point the file with the `-config-file` flag. - -You can also point to a directory containing several configuration files with the `-config-dir` flag. -This enables you to logically group configuration settings into separate files. See [Configuring Consul Agents](/consul/docs/agent#configuring-consul-agents) for additional information. - -The following example starts an agent in dev mode and stores agent state data in the `tmp/consul` directory: - -```shell-session -$ consul agent -data-dir=tmp/consul -dev -``` - -Agents are highly configurable, which enables you to deploy Consul to any infrastructure. Many of the default options for the `agent` command are suitable for becoming familiar with a local instance of Consul. In practice, however, several additional configuration options must be specified for Consul to function as expected. Refer to [Agent Configuration](/consul/docs/agent/config) topic for a complete list of configuration options. - -### Understanding the agent startup output - -Consul prints several important messages on startup. -The following example shows output from the [`consul agent`](/consul/commands/agent) command: - -```shell-session -$ consul agent -data-dir=/tmp/consul -==> Starting Consul agent... -==> Consul agent running! - Node name: 'Armons-MacBook-Air' - Datacenter: 'dc1' - Server: false (bootstrap: false) - Client Addr: 127.0.0.1 (HTTP: 8500, DNS: 8600) - Cluster Addr: 192.168.1.43 (LAN: 8301, WAN: 8302) - -==> Log data will now stream in as it occurs: - - [INFO] serf: EventMemberJoin: Armons-MacBook-Air.local 192.168.1.43 -... -``` - -- **Node name**: This is a unique name for the agent. By default, this - is the hostname of the machine, but you may customize it using the - [`-node`](/consul/docs/agent/config/cli-flags#_node) flag. - -- **Datacenter**: This is the datacenter in which the agent is configured to - run. For single-DC configurations, the agent will default to `dc1`, but you can configure which datacenter the agent reports to with the [`-datacenter`](/consul/docs/agent/config/cli-flags#_datacenter) flag. - Consul has first-class support for multiple datacenters, but configuring each node to report its datacenter improves agent efficiency. - -- **Server**: This indicates whether the agent is running in server or client - mode. - Running an agent in server mode requires additional overhead. This is because they participate in the consensus quorum, store cluster state, and handle queries. A server may also be - in ["bootstrap"](/consul/docs/agent/config/cli-flags#_bootstrap_expect) mode, which enables the server to elect itself as the Raft leader. Multiple servers cannot be in bootstrap mode because it would put the cluster in an inconsistent state. - -- **Client Addr**: This is the address used for client interfaces to the agent. - This includes the ports for the HTTP and DNS interfaces. By default, this - binds only to localhost. If you change this address or port, you'll have to - specify a `-http-addr` whenever you run commands such as - [`consul members`](/consul/commands/members) to indicate how to reach the - agent. Other applications can also use the HTTP address and port - [to control Consul](/consul/api-docs). - -- **Cluster Addr**: This is the address and set of ports used for communication - between Consul agents in a cluster. Not all Consul agents in a cluster have to - use the same port, but this address **MUST** be reachable by all other nodes. - -When running under `systemd` on Linux, Consul notifies systemd by sending -`READY=1` to the `$NOTIFY_SOCKET` when a LAN join has completed. For -this either the `join` or `retry_join` option has to be set and the -service definition file has to have `Type=notify` set. - -## Configuring Consul agents - -You can specify many options to configure how Consul operates when issuing the `consul agent` command. -You can also create one or more configuration files and provide them to Consul at startup using either the `-config-file` or `-config-dir` option. -Configuration files must be written in either JSON or HCL format. - --> **Consul Terminology**: Configuration files are sometimes called "service definition" files when they are used to configure client agents. -This is because clients are most commonly used to register services in the Consul catalog. - -The following example starts a Consul agent that takes configuration settings from a file called `server.json` located in the current working directory: - -```shell-session hideClipboard -$ consul agent -config-file=server.json -``` - -The configuration options necessary to successfully use Consul depend on several factors, including the type of agent you are configuring (client or server), the type of environment you are deploying to (e.g., on-premise, multi-cloud, etc.), and the security options you want to implement (ACLs, gRPC encryption). -The following examples are intended to help you understand some of the combinations you can implement to configure Consul. - -### Common configuration settings - -The following settings are commonly used in the configuration file (also called a service definition file when registering services with Consul) to configure Consul agents: - -| Parameter | Description | Default | -| ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | -| `node_name` | String value that specifies a name for the agent node.
See [`-node-id`](/consul/docs/agent/config/cli-flags#_node_id) for details. | Hostname of the machine | -| `server` | Boolean value that determines if the agent runs in server mode.
See [`-server`](/consul/docs/agent/config/cli-flags#_server) for details. | `false` | -| `datacenter` | String value that specifies which datacenter the agent runs in.
See [-datacenter](/consul/docs/agent/config/cli-flags#_datacenter) for details. | `dc1` | -| `data_dir` | String value that specifies a directory for storing agent state data.
See [`-data-dir`](/consul/docs/agent/config/cli-flags#_data_dir) for details. | none | -| `log_level` | String value that specifies the level of logging the agent reports.
See [`-log-level`](/consul/docs/agent/config/cli-flags#_log_level) for details. | `info` | -| `retry_join` | Array of string values that specify one or more agent addresses to join after startup. The agent will continue trying to join the specified agents until it has successfully joined another member.
See [`-retry-join`](/consul/docs/agent/config/cli-flags#_retry_join) for details. | none | -| `addresses` | Block of nested objects that define addresses bound to the agent for internal cluster communication. | `"http": "0.0.0.0"` See the Agent Configuration page for [default address values](/consul/docs/agent/config/config-files#addresses) | -| `ports` | Block of nested objects that define ports bound to agent addresses.
See (link to addresses option) for details. | See the Agent Configuration page for [default port values](/consul/docs/agent/config/config-files#ports) | - -### Server node in a service mesh - -The following example configuration is for a server agent named "`consul-server`". The server is [bootstrapped](/consul/docs/agent/config/cli-flags#_bootstrap) and the Consul GUI is enabled. -The reason this server agent is configured for a service mesh is that the `connect` configuration is enabled. The connect subsystem provides Consul's service mesh capabilities, including service-to-service connection authorization and encryption using mutual Transport Layer Security (TLS). Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections without being aware of Consul service mesh at all. Refer to [Consul Service Mesh](/consul/docs/connect) for details. - - - -```hcl -node_name = "consul-server" -server = true -bootstrap = true -ui_config { - enabled = true -} -datacenter = "dc1" -data_dir = "consul/data" -log_level = "INFO" -addresses { - http = "0.0.0.0" -} -connect { - enabled = true -} -``` - - -```json -{ - "node_name": "consul-server", - "server": true, - "bootstrap": true, - "ui_config": { - "enabled": true - }, - "datacenter": "dc1", - "data_dir": "consul/data", - "log_level": "INFO", - "addresses": { - "http": "0.0.0.0" - }, - "connect": { - "enabled": true - } -} -``` - - - -### Server node with encryption enabled - -The following example shows a server node configured with encryption enabled. -Refer to the [Security](/consul/docs/security) chapter for additional information about how to configure security options for Consul. - - - -```hcl -node_name = "consul-server" -server = true -ui_config { - enabled = true -} -data_dir = "consul/data" -addresses { - http = "0.0.0.0" -} -retry_join = [ - "consul-server2", - "consul-server3" -] -encrypt = "aPuGh+5UDskRAbkLaXRzFoSOcSM+5vAK+NEYOWHJH7w=" - -tls { - defaults { - verify_incoming = true - verify_outgoing = true - ca_file = "/consul/config/certs/consul-agent-ca.pem" - cert_file = "/consul/config/certs/dc1-server-consul-0.pem" - key_file = "/consul/config/certs/dc1-server-consul-0-key.pem" - verify_server_hostname = true - } -} - -``` - - -```json -{ - "node_name": "consul-server", - "server": true, - "ui_config": { - "enabled": true - }, - "data_dir": "consul/data", - "addresses": { - "http": "0.0.0.0" - }, - "retry_join": ["consul-server1", "consul-server2"], - "encrypt": "aPuGh+5UDskRAbkLaXRzFoSOcSM+5vAK+NEYOWHJH7w=", - "tls": { - "defaults": { - "verify_incoming": true, - "verify_outgoing": true, - "ca_file": "/consul/config/certs/consul-agent-ca.pem", - "cert_file": "/consul/config/certs/dc1-server-consul-0.pem", - "key_file": "/consul/config/certs/dc1-server-consul-0-key.pem" - }, - "internal_rpc": { - "verify_server_hostname": true - } - } -} -``` - - - -### Client node registering a service - -Using Consul as a central service registry is a common use case. -The following example configuration includes common settings to register a service with a Consul agent and enable health checks. Refer to [Define Health Checks](/consul/docs/services/usage/checks) to learn more about health checks. - - - -```hcl -node_name = "consul-client" -server = false -datacenter = "dc1" -data_dir = "consul/data" -log_level = "INFO" -retry_join = ["consul-server"] -service { - id = "dns" - name = "dns" - tags = ["primary"] - address = "localhost" - port = 8600 - check { - id = "dns" - name = "Consul DNS TCP on port 8600" - tcp = "localhost:8600" - interval = "10s" - timeout = "1s" - } -} - -``` - -```json -{ - "node_name": "consul-client", - "server": false, - "datacenter": "dc1", - "data_dir": "consul/data", - "log_level": "INFO", - "retry_join": ["consul-server"], - "service": { - "id": "dns", - "name": "dns", - "tags": ["primary"], - "address": "localhost", - "port": 8600, - "check": { - "id": "dns", - "name": "Consul DNS TCP on port 8600", - "tcp": "localhost:8600", - "interval": "10s", - "timeout": "1s" - } - } -} -``` - - - -## Client node with multiple interfaces or IP addresses - -The following example shows how to configure Consul to listen on multiple interfaces or IP addresses using a [go-sockaddr template]. - -The `bind_addr` is used for internal RPC and Serf communication ([read the Agent Configuration for more information](/consul/docs/agent/config/config-files#bind_addr)). - -The `client_addr` configuration specifies IP addresses used for HTTP, HTTPS, DNS and gRPC servers. ([read the Agent Configuration for more information](/consul/docs/agent/config/config-files#client_addr)). - - - -```hcl -node_name = "consul-client" -server = false -bootstrap = true -ui_config { - enabled = true -} -datacenter = "dc1" -data_dir = "consul/data" -log_level = "INFO" - -# used for internal RPC and Serf -bind_addr = "0.0.0.0" - -# Used for HTTP, HTTPS, DNS, and gRPC addresses. -# loopback is not included in GetPrivateInterfaces because it is not routable. -client_addr = "{{ GetPrivateInterfaces | exclude \"type\" \"ipv6\" | join \"address\" \" \" }} {{ GetAllInterfaces | include \"flags\" \"loopback\" | join \"address\" \" \" }}" - -# advertises gossip and RPC interface to other nodes -advertise_addr = "{{ GetInterfaceIP \"en0\" }}" -``` - -```json -{ - "node_name": "consul-client", - "server": false, - "bootstrap": true, - "ui_config": { - "enabled": true - }, - "datacenter": "dc1", - "data_dir": "consul/data", - "log_level": "INFO", - "bind_addr": "{{ GetPrivateIP }}", - "client_addr": "{{ GetPrivateInterfaces | exclude \"type\" \"ipv6\" | join \"address\" \" \" }} {{ GetAllInterfaces | include \"flags\" \"loopback\" | join \"address\" \" \" }}", - "advertise_addr": "{{ GetInterfaceIP \"en0\"}}" -} -``` - - - -## Stopping an agent - -An agent can be stopped in two ways: gracefully or forcefully. Servers and -Clients both behave differently depending on the leave that is performed. There -are two potential states a process can be in after a system signal is sent: -_left_ and _failed_. - -To gracefully halt an agent, send the process an _interrupt signal_ (usually -`Ctrl-C` from a terminal, or running `kill -INT consul_pid` ). For more -information on different signals sent by the `kill` command, see -[here](https://www.linux.org/threads/kill-signals-and-commands-revised.11625/) - -When a Client is gracefully exited, the agent first notifies the cluster it -intends to leave the cluster. This way, other cluster members notify the -cluster that the node has _left_. - -When a Server is gracefully exited, the server will not be marked as _left_. -This is to minimally impact the consensus quorum. Instead, the Server will be -marked as _failed_. To remove a server from the cluster, the -[`force-leave`](/consul/commands/force-leave) command is used. Using -`force-leave` will put the server instance in a _left_ state so long as the -Server agent is not alive. - -Alternatively, you can forcibly stop an agent by sending it a -`kill -KILL consul_pid` signal. This will stop any agent immediately. The rest -of the cluster will eventually (usually within seconds) detect that the node has -died and notify the cluster that the node has _failed_. - -For client agents, the difference between a node _failing_ and a node _leaving_ -may not be important for your use case. For example, for a web server and load -balancer setup, both result in the same outcome: the web node is removed -from the load balancer pool. - -The [`skip_leave_on_interrupt`](/consul/docs/agent/config/config-files#skip_leave_on_interrupt) and -[`leave_on_terminate`](/consul/docs/agent/config/config-files#leave_on_terminate) configuration -options allow you to adjust this behavior. - - - -[go-sockaddr template]: https://godoc.org/github.com/hashicorp/go-sockaddr/template diff --git a/website/content/docs/agent/monitor/alerts.mdx b/website/content/docs/agent/monitor/alerts.mdx deleted file mode 100644 index d8dcc902478..00000000000 --- a/website/content/docs/agent/monitor/alerts.mdx +++ /dev/null @@ -1,83 +0,0 @@ ---- -layout: docs -page_title: Consul monitoring and alerts recommendations -description: >- - Apply best practices towards Consul monitoring and alerts. ---- - -# Consul monitoring and alerts recommendations - -This document will guide you through which host resources to monitor and how monitoring tools can help you set up alerts to notify you when your Consul cluster exceeds its limits. By monitoring Consul and setting up alerts, you can ensure Consul works as expected for all your service discovery and service mesh needs. - -## Instance level monitoring - -While each host environment and Consul deployment is unique, these recommendations can serve as a starting point for you to reference to meet the unique needs of your deployment. - -A Consul datacenter is the smallest unit of Consul infrastructure that can perform basic Consul operations like service discovery or service mesh. A datacenter contains at least one Consul server agent, but a real-world deployment contains three or five server agents and several Consul client agents. - -Consul server agents store all state information, including service and node IP addresses, health checks, and configuration. Consul clients report node and service health status to the Consul cluster. In a typical deployment, you must run client agents on every compute node in your datacenter. If you have Kubernetes workloads, you can also run Consul with an alternate service mesh configuration that deploys Envoy proxies but not client agents. Refer to [Simplified service mesh with Consul dataplanes](/consul/docs/connect/dataplane) for more information. - -We recommend monitoring the following parameters for Consul agents health: -- Disk space and file handles -- [RAM utilization](/consul/docs/agent/telemetry#memory-usage) -- CPU utilization -- Network activity and utilization - -We recommend using an [application performance monitoring (APM) system](#monitoring-tools) to track these metrics. For a full list of key metrics, visit the [Key metrics](/consul/docs/agent/telemetry#key-metrics) section of Telemetry documentation. - -## Recommendations for host-level alerts - -We recommend starting with a small cluster for most initial production deployments or for testing environments. For production environments with a consistently high workload, we recommend large clusters . Refer to the [Consul capacity planning](/well-architected-framework/reliability/reliability-consul-capacity-planning#minimum-hardware-requirements) article for more information. - -When collecting metrics, it is important to establish a baseline. This baseline ensures your Consul deployment is healthy, and serves as a reference point when troubleshooting abnormal Cluster behavior. Complete the [Monitor Consul datacenter health](/consul/tutorials/day-2-operations/monitor-datacenter-health#how-to-collect-metrics) tutorial to learn how to collect metrics. - -Once you have established a baseline for your metrics, use them and the following recommendations to configure reasonable alerts for your Consul agent. - -### Memory alert recommendations - -Consul uses RAM as the primary storage for data on its leader node, while periodically flushing it to disk. Reference the [Memory usage](/consul/docs/agent/telemetry#memory-usage) section of the Telemetry documentation for more details. The recommended instance type depends on your hosting provider. Refer to the [Hardware sizing for Consul servers](/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) for recommended instance types for most cloud providers along with other up-to-date hardware recommendations. - -When determining how much RAM you should allocate, we recommend enough RAM for your server agents to contain between 2 to 4 times the working set size. You can determine the working set size by noting the value of `consul.runtime.alloc_bytes` in the telemetry data. - -Set up an alert if your RAM usage exceeds a reasonable threshold (for example, 90% of your allocated RAM). - -### CPU alert recommendations - -Your Consul servers should scale up to handle peak CPU load, not idle load. When idle, Consul servers are waiting to react to changes in service health, placement, or other configuration. If there are any service state changes, the Consul server has to notify all impacted Consul clients simultaneously. For example, if the Consul server has to notify hundreds or thousands of Consul clients of a service state update, the Consul server CPU may spike. - -If this happens, your monitoring dashboard will show a CPU spike on all servers immediately after a big registration/deregistration operation. This should not happen — you should be able to do a rollout or other high-change operation without taxing the Consul servers. - -Set up an alert to detect CPU spikes on your Consul server agents. When this happens, evaluate the size of your Consul servers and upgrade them accordingly. - -### Network recommendations - -The data sent between all Consul agents must follow latency requirements for total round trip time (RTT): - -Average RTT for all traffic cannot exceed 50ms. -RTT for 99 percent of traffic cannot exceed 100ms. - -Refer to the [Reference architecture](/consul/tutorials/production-deploy/reference-architecture#network-latency-and-bandwidth) to learn more about network latency and bandwidth guidance. - -Set an alert to detect when the RTT exceeds these values. When this happens, Therefore, you should monitor metrics related to the host's network latency so the RTT does not exceed these values. - -### Monitoring Consul using Prometheus and Grafana - -Time series based observability tools, such as Grafana and Prometheus, help you monitor the health of Consul clusters over long intervals of time. Refer to the -[Monitoring for Layer 7 observability with Prometheus, Grafana, and Kubernetes](/consul/tutorials/day-2-operations/kubernetes-layer7-observability) tutorial for additional information. - -### Monitoring Consul using Datadog - -Datadog is a SaaS-based monitoring and analytics platform for large-scale applications and infrastructure. It is one of the supported platforms for monitoring Consul. Datadogs agents run on your host reporting logs, metrics and traces. By configuring Datadog agents on your Consul server and client instances, you can monitor your Consul cluster's health. - -Refer to the following resources for more information: - -- [Setup Consul logging with DataDog](https://www.datadoghq.com/blog/consul-datadog/) -- [Datadog monitoring solutions brief](https://www.datocms-assets.com/2885/1576713622-datadog-consul.pdf) -- [Hashicorp partner portal for Consul support on Datadog](https://www.hashicorp.com/partners/tech/datadog#consul) - -## Next steps - -In this guide, you learned which host resources to monitor and how monitoring tools can help you set up alerts to notify you when your Consul cluster exceeds its limits. - -- To learn about monitoring the Consul control and data plane, visit our [Monitoring Consul components](/well-architected-framework/reliability/reliability-consul-monitoring-consul-components) documentation. -- Complete the [Monitor Consul datacenter health with Telegraf](/consul/tutorials/day-2-operations/monitor-health-telegraf) tutorial for additional metrics and alerting recommendations. diff --git a/website/content/docs/agent/monitor/components.mdx b/website/content/docs/agent/monitor/components.mdx deleted file mode 100644 index 1c3d49270e4..00000000000 --- a/website/content/docs/agent/monitor/components.mdx +++ /dev/null @@ -1,121 +0,0 @@ ---- -layout: docs -page_title: Monitoring Consul components -description: >- - Apply best practices monitoring your Consul control and data plane. ---- - -# Monitoring Consul components - -This document will guide you recommendations for monitoring your Consul control and data plane. By keeping track of these components and setting up alerts, you can better maintain the overall health and resilience of your service mesh. - -## Background - -A Consul datacenter is the smallest unit of Consul infrastructure that can perform basic Consul operations like service discovery or service mesh. A datacenter contains at least one Consul server agent, but a real-world deployment contains three or five server agents and several Consul client agents. - -The Consul control plane consists of server agents that store all state information, including service and node IP addresses, health checks, and configuration. In addition, the control plane is responsible for securing the mesh, facilitating service discovery, health checking, policy enforcement, and other similar operational concerns. In addition, the control plane contains client agents that report node and service health status to the Consul cluster. In a typical deployment, you must run client agents on every compute node in your datacenter. - -The Consul data plane consists of proxies deployed locally alongside each service instance. These proxies, called sidecar proxies, receive mesh configuration data from the control plane, and control network communication between their local service instance and other services in the network. The sidecar proxy handles inbound and outbound service connections, and ensures TLS connections between services are both verified and encrypted. - -If you have Kubernetes workloads, you can also run Consul with an alternate service mesh configuration that deploys Envoy proxies but not client agents. Refer to [Simplified service mesh with Consul dataplanes](/consul/docs/connect/dataplane) for more information. - -## Consul control plane monitoring - -The Consul control plane consists of the following components: - -- RPC Communication between Consul servers and clients. -- Data plane routing instructions for the Envoy Layer 7 proxy. -- Serf Traffic: LAN and WAN -- Consul cluster peering and server federation - -It is important to monitor and establish baseline and alert thresholds for Consul control plane components for abnormal behavior detection. Note that these alerts can also be triggered by some planned events like Consul cluster upgrades, configuration changes, or leadership change. - -To help monitor your Consul control plane, we recommend to establish a baseline and standard deviation for the following: - -- [Server health](/consul/docs/agent/telemetry#server-health) -- [Leadership changes](/consul/docs/agent/telemetry#leadership-changes) -- [Key metrics](/consul/docs/agent/telemetry#key-metrics) -- [Autopilot](/consul/docs/agent/telemetry#autopilot) -- [Network activity](/consul/docs/agent/telemetry#network-activity-rpc-count) -- [Certificate authority expiration](/consul/docs/agent/telemetry#certificate-authority-expiration) - -It is important to have a highly performant network with low network latency. Ensure network latency for gossip in all datacenters are within the 8ms latency budget for all Consul agents. View the [Production server requirements](/consul/docs/install/performance#production-server-requirements) for more information. - -### Raft recommendations - -Consul uses [Raft for consensus protocol](/consul/docs/architecture/consensus). High saturation of the Raft goroutines can lead to elevated latency in the rest of the system and may cause the Consul cluster to be unstable. As a result, it is important to monitor Raft to track your control plane health. We recommend the following actions to keep control plane healthy: -- Create an alert that notifies you when [Raft thread saturation](/consul/docs/agent/telemetry#raft-thread-saturation) exceeds 50%. -- Monitor [Raft replication capacity](/consul/docs/agent/telemetry#raft-replication-capacity-issues) when Consul is handling large amounts of data and high write throughput. -- Lower [`raft_multiplier`](/consul/docs/install/performance#production) to keep your Consul cluster stable. The value of `raft_multiplier` defines the scaling factor for Consul. Default value for raft_multiplier is 5. - - A short multiplier minimizes failure detection and election time but may trigger frequently in high latency situations. This can cause constant leadership churn and associated unavailability. A high multiplier reduces the chances that spurious failures will cause leadership churn but it does this at the expense of taking longer to detect real failures and thus takes longer to restore Consul cluster availability. - - Wide networks with higher latency will perform better with larger `raft_multiplier` values. - -Raft uses BoltDB for storing data and maintaining its own state. Refer to the [Bolt DB performance metrics](/consul/docs/agent/telemetry#bolt-db-performance) when you are troubleshooting Raft performance issues. - -## Consul data plane monitoring - -The data plane of Consul consists of Consul clients or [Connect proxies](/consul/docs/connect/proxies) interacting with each other through service-to-service communication. Service-to-service traffic always stays within the data plane, while the control plane only enforces traffic rules. Monitoring service-to-service communication is important but may become extremely complex in an enterprise setup with multiple services communicating to each other across federated Consul clusters through mesh, ingress and terminating gateways. - -### Service monitoring - -You can extract the following service-related information: - -- Use the [`catalog`](/consul/commands/catalog) command or the Consul UI to query all registered services in a Consul datacenter. -- Use the [`/agent/service/:service_id`](/consul/api-docs/agent/service#get-service-configuration) API endpoint to query individual services. Connect proxies use this endpoint to discover embedded configuration. - -### Proxy monitoring - -Envoy is the supported Connect proxy for Consul service mesh. For virtual machines (VMs), Envoy starts as a sidecar service process. For Kubernetes, Envoy starts as a sidecar container in a Kubernetes service pod. -Refer to the [Supported Envoy versions](/consul/docs/connect/proxies/envoy#supported-versions) documentation to find the compatible Envoy versions for your version of Consul. - -For troubleshooting service mesh issues, set Consul logs to `trace` or `debug`. The following example annotation sets Envoy logging to `debug`. - -```yaml -annotations: - consul.hashicorp.com/envoy-extra-args: '--log-level debug --disable-hot-restart' -``` - -Refer to the [Enable logging on Envoy sidecar pods](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-envoy-extra-args) documentation for more information. - -#### Envoy Admin Interface - -To troubleshoot service-to-service communication issues, monitor Envoy host statistics. Envoy exposes a local administration interface that can be used to query and modify different aspects of the server on port `19000` by default. Envoy also exposes a public listener port to receive mTLS connections from other proxies in the mesh on port `20000` by default. - -All endpoints exposed by Envoy are available at the node running Envoy on port `19000`. The node can either be a pod in Kubernetes or VM running Consul Service Mesh. For example, if you forward the Envoy port to your local machine, you can access the Envoy admin interface at `http://localhost:19000/`. - -The following Envoy admin interface endpoints are particularly useful: - -- The `listeners` endpoint lists all listeners running on `localhost`. This allows you to confirm whether the upstream services are binding correctly to Envoy. - -```shell-session -$ curl http://localhost:19000/listeners -public_listener:192.168.19.168:20000::192.168.19.168:20000 -Outbound_listener:127.0.0.1:15001::127.0.0.1:15001 -``` - -- The `/clusters` endpoint displays information about the xDS clusters, such as service requests and mTLS related data. The following example shows a truncated output. - -```shell-session -$ http://localhost:19000/clusters -`local_app::observability_name::local_app -local_app::default_priority::max_connections::1024 -local_app::default_priority::max_pending_requests::1024 -local_app::default_priority::max_requests::1024 -local_app::default_priority::max_retries::3 -local_app::high_priority::max_connections::1024 -local_app::high_priority::max_pending_requests::1024 -local_app::high_priority::max_requests::1024 -local_app::high_priority::max_retries::3 -local_app::added_via_api::true -## ... -``` - -Visit the main admin interface (`http://localhost:19000`) to find the full list of possible Consul admin endpoints. Refer to the [Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/operations/admin) for more information. - -## Next steps - -In this guide, you learned recommendations for monitoring your Consul control and data plane. - -To learn about monitoring the Consul host and instance resources, visit our [Monitoring best practices](/well-architected-framework/reliability/reliability-monitoring-service-to-service-communication-with-envoy) documentation. diff --git a/website/content/docs/agent/sentinel.mdx b/website/content/docs/agent/sentinel.mdx deleted file mode 100644 index e7bfbf8eb65..00000000000 --- a/website/content/docs/agent/sentinel.mdx +++ /dev/null @@ -1,95 +0,0 @@ ---- -layout: docs -page_title: Sentinel ACL Policies (Enterprise) -description: >- - Sentinel allows you to include conditional logic in access control policies. Learn how Consul can use Sentinel policies to extend the ACL system's capabilities for controlling key-value (KV) write access. ---- - -# Sentinel for KV ACL Policy Enforcement - - - -Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement. -Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny" -policies to support full conditional logic and integration with external systems. - -## Sentinel in Consul - -Sentinel policies are applied during writes to the KV Store. - -An optional `sentinel` field specifying code and enforcement level can be added to [ACL policy definitions](/consul/docs/security/acl/acl-rules#sentinel-integration) for Consul KV. The following policy ensures that the value written during a KV update must end with "dc1". - - - -```go -key "datacenter_name" { - policy = "write" - sentinel { - code = < - -If the `enforcementlevel` property is not set, it defaults to "hard-mandatory". - -## Imports - -Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http). All functions in these imports are available to be used in policies. - -## Injected Variables - -Consul passes some context as variables into Sentinel, which are available to use inside any policies you write. - -#### Variables injected during KV store writes - -| Variable Name | Type | Description | -| ------------- | -------- | ---------------------- | -| `key` | `string` | Key being written | -| `value` | `string` | Value being written | -| `flags` | `uint64` | [Flags](/consul/api-docs/kv#flags) | - -## Sentinel Examples - -The following are two examples of ACL policies with Sentinel rules. - -### Required Key Suffix - - - -```go -key "dc1" { - policy = "write" - sentinel { - code = < - -### Restricted Update Time - - - -```go -key "haproxy_version" { - policy = "write" - sentinel { - code = < 8 and time.now.hour < 17 } -EOF - } -} -``` - - diff --git a/website/content/docs/architecture/anti-entropy.mdx b/website/content/docs/architecture/anti-entropy.mdx deleted file mode 100644 index 292f5c0070d..00000000000 --- a/website/content/docs/architecture/anti-entropy.mdx +++ /dev/null @@ -1,123 +0,0 @@ ---- -layout: docs -page_title: Anti-Entropy Enforcement -description: >- - Anti-entropy keeps distributed systems consistent. Learn how Consul uses an anti-entropy mechanism to periodically sync agent states with the service catalog to prevent the catalog from becoming stale. ---- - -# Anti-Entropy Enforcement - -Consul uses an advanced method of maintaining service and health information. -This page details how services and checks are registered, how the catalog is -populated, and how health status information is updated as it changes. - -### Components - -It is important to first understand the moving pieces involved in services and -health checks: the [agent](#agent) and the [catalog](#catalog). These are -described conceptually below to make anti-entropy easier to understand. - -#### Agent - -Each Consul agent maintains its own set of service and check registrations as -well as health information. The agents are responsible for executing their own -health checks and updating their local state. - -Services and checks within the context of an agent have a rich set of -configuration options available. This is because the agent is responsible for -generating information about its services and their health through the use of -[health checks](/consul/docs/services/usage/checks). - -#### Catalog - -Consul's service discovery is backed by a service catalog. This catalog is -formed by aggregating information submitted by the agents. The catalog maintains -the high-level view of the cluster, including which services are available, -which nodes run those services, health information, and more. The catalog is -used to expose this information via the various interfaces Consul provides, -including DNS and HTTP. - -Services and checks within the context of the catalog have a much more limited -set of fields when compared with the agent. This is because the catalog is only -responsible for recording and returning information _about_ services, nodes, and -health. - -The catalog is maintained only by server nodes. This is because the catalog is -replicated via the [Raft log](/consul/docs/architecture/consensus) to provide a -consolidated and consistent view of the cluster. - -### Anti-Entropy - -Entropy is the tendency of systems to become increasingly disordered. Consul's -anti-entropy mechanisms are designed to counter this tendency, to keep the -state of the cluster ordered even through failures of its components. - -Consul has a clear separation between the global service catalog and the agent's -local state as discussed above. The anti-entropy mechanism reconciles these two -views of the world: anti-entropy is a synchronization of the local agent state and -the catalog. For example, when a user registers a new service or check with the -agent, the agent in turn notifies the catalog that this new check exists. -Similarly, when a check is deleted from the agent, it is consequently removed from -the catalog as well. - -Anti-entropy is also used to update availability information. As agents run -their health checks, their status may change in which case their new status -is synced to the catalog. Using this information, the catalog can respond -intelligently to queries about its nodes and services based on their -availability. - -During this synchronization, the catalog is also checked for correctness. If -any services or checks exist in the catalog that the agent is not aware of, they -will be automatically removed to make the catalog reflect the proper set of -services and health information for that agent. Consul treats the state of the -agent as authoritative; if there are any differences between the agent -and catalog view, the agent-local view will always be used. - -### Periodic Synchronization - -In addition to running when changes to the agent occur, anti-entropy is also a -long-running process which periodically wakes up to sync service and check -status to the catalog. This ensures that the catalog closely matches the agent's -true state. This also allows Consul to re-populate the service catalog even in -the case of complete data loss. - -To avoid saturation, the amount of time between periodic anti-entropy runs will -vary based on cluster size. The table below defines the relationship between -cluster size and sync interval: - -| Cluster Size | Periodic Sync Interval | -| ------------ | ---------------------- | -| 1 - 128 | 1 minute | -| 129 - 256 | 2 minutes | -| 257 - 512 | 3 minutes | -| 513 - 1024 | 4 minutes | -| ... | ... | - -The intervals above are approximate. Each Consul agent will choose a randomly -staggered start time within the interval window to avoid a thundering herd. - -### Best-effort sync - -Anti-entropy can fail in a number of cases, including misconfiguration of the -agent or its operating environment, I/O problems (full disk, filesystem -permission, etc.), networking problems (agent cannot communicate with server), -among others. Because of this, the agent attempts to sync in best-effort -fashion. - -If an error is encountered during an anti-entropy run, the error is logged and -the agent continues to run. The anti-entropy mechanism is run periodically to -automatically recover from these types of transient failures. - -### Enable Tag Override - -Synchronization of service registration can be partially modified to -allow external agents to change the tags for a service. This can be -useful in situations where an external monitoring service needs to be -the source of truth for tag information. For example, the Redis -database and its monitoring service Redis Sentinel have this kind of -relationship. Redis instances are responsible for much of their -configuration, but Sentinels determine whether the Redis instance is a -primary or a secondary. Enable the -[`enable_tag_override`](/consul/docs/services/configuration/services-configuration-reference#enable_tag_override) parameter in your service definition file to tell the Consul agent where the Redis database is running to bypass -tags during anti-entropy synchronization. Refer to -[Modify anti-entropy synchronization](/consul/docs/services/usage/define-services#modify-anti-entropy-synchronization) for additional information. diff --git a/website/content/docs/architecture/capacity-planning.mdx b/website/content/docs/architecture/capacity-planning.mdx deleted file mode 100644 index 2f80c4cf289..00000000000 --- a/website/content/docs/architecture/capacity-planning.mdx +++ /dev/null @@ -1,188 +0,0 @@ ---- -layout: docs -page_title: Consul capacity planning -description: >- - Learn how to maintain your Consul cluster in a healthy state by provisioning the correct resources. ---- - -# Consul capacity planning - -This page describes our capacity planning recommendations when deploying and maintaining a Consul cluster in production. When your organization designs a production environment, you should consider your available resources and their impact on network capacity. - -## Introduction - -It is important to select the correct size for your server instances. Consul server environments have a standard set of minimum requirements. However, these requirements may vary depending on what you are using Consul for. - -Insufficient resource allocations may cause network issues or degraded performance in general. When a slowdown in performance results in a Consul leader node that is unable to respond to requests in sufficient time, the Consul cluster triggers a new leader election. Consul pauses all network requests and Raft updates until the election ends. - -## Hardware requirements - -The minimum hardware requirements for Consul servers in production clusters as recommended by the [reference architecture](/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) are: - -| CPU | Memory | Disk Capacity | Disk IO | Disk Throughput | Avg Round-Trip-Time | 99% Round-Trip-Time | -| --------- | ------------ | ------------- | ----------- | --------------- | ------------------- | ------------------- | -| 8-16 core | 32-64 GB RAM | 200+ GB | 7500+ IOPS | 250+ MB/s | Lower than 50ms | Lower than 100ms | - -For the major cloud providers, we recommend starting with one of the following instances that meet the minimum requirements. Then scale up as needed. We also recommend avoiding "burstable" CPU and storage options where performance may drop after a consistent load. - -| Provider | Size | Instance/VM Types | Disk Volume Specs | -| --------- | ----- | ------------------------------------- | --------------------------------- | -| **AWS** | Large | `m5.2xlarge`, `m5.4xlarge` | 200+GB `gp3`, 10000 IOPS, 250MB/s | -| **Azure** | Large | `Standard_D8s_v3`, `Standard_D16s_v3` | 2048GB `Premium SSD`, 7500 IOPS, 200MB/s | -| **GCP** | Large | `n2-standard-8`, `n2-standard-16` | 1000GB `pd-ssd`, 30000 IOPS, 480MB/s | - - -For HCP Consul Dedicated, cluster size is measured in the number of service instances supported. Find out more information in the [HCP Consul Dedicated pricing page](https://cloud.hashicorp.com/products/consul/pricing). - -## Workload input and output requirements - -Workloads are any actions that interact with the Consul cluster. These actions consist of key/value reads and writes, service registrations and deregistrations, adding or removing Consul client agents, and more. - -Input/output operations per second (IOPS) is a unit of measurement for the amount of reads and writes to non-adjacent storage locations. -For high workloads, ensure that the Consul server disks support a [high number of IOPS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html#ebs-io-iops) to keep up with the rapid Raft log update rate. -Unlike bare-metal environments, IOPS for virtual instances in cloud environments is often tied to storage sizing. More storage GBs typically grants you more IOPS. Therefore, we recommend deploying on [IOPS-optimized instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/provisioned-iops.html). - -Consul server agents are generally I/O bound for writes and CPU bound for reads. For additional tuning recommendations, refer to [raft tuning](#raft-tuning). - -## Memory requirements - -You should allocate RAM for server agents so that they contain 2 to 4 times the working set size. You can determine the working set size of a running cluster by noting the value of `consul.runtime.alloc_bytes` in the leader node's telemetry data. Inspect your monitoring solution for the telemetry value, or run the following commands with the [jq](https://stedolan.github.io/jq/download/) tool installed on your Consul leader instance. - - - -For Kubernetes, execute the command from the leader pod. `jq` is available in the Consul server containers. - - - -Set `$CONSUL_HTTP_TOKEN` to an ACL token with valid permissions, then retrieve the working set size. - -```shell-session -$ curl --silent --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" http://127.0.0.1:8500/v1/agent/metrics | jq '.Gauges[] | select(.Name=="consul.runtime.alloc_bytes") | .Value'` -616017920 -``` - -## Kubernetes storage requirements - -When you set up persistent volumes (PV) resources, you should define the correct server storage class parameter because the defaults are likely insufficient in performance. To set the [storageClass Helm chart parameter](/consul/docs/k8s/helm#v-server-storageclass), refer to the [Kubernetes documentation on storageClasses](https://kubernetes.io/docs/concepts/storage/storage-classes/) for more information about your specific cloud provider. - -## Read and write heavy workload recommendations - -In production, your use case may lead to Consul performing read-heavy workloads, write-heavy workloads, or both. Refer to the following table for specific resource recommendations for these types of workloads. - -| Workload type | Instance Recommendations | Workload element examples | Enterprise Feature Recommendations | -| ------------- | ------------------------- | ------------------------ | ------------------------ | -| Read-heavy | Instances of type `m5.4xlarge (AWS)`, `Standard_D16s_v3 (Azure)`, `n2-standard-16 (GCP)` | Raft RPCs calls, DNS queries, key/value retrieval | [Read replicas](/consul/docs/enterprise/read-scale) | -| Write-heavy | IOPS performance of `10 000+` | Consul agent joins and leaves, services registration and deregistration, key/value writes | [Network segments](/consul/docs/enterprise/network-segments/network-segments-overview) | - -For recommendations on troubleshooting issues with read-heavy or write-heavy workloads, refer to [Consul at Scale](/consul/docs/architecture/scale#resource-usage-and-metrics-recommendations). - -## Monitor performance - -Monitoring is critical to ensure that your Consul datacenter has sufficient resources to continue operations. A proactive monitoring strategy helps you find problems in your network before they impact your deployments. - -We recommend completing the [Monitor Consul server health and performance with metrics and logs](/consul/tutorials/observe-your-network/server-metrics-and-logs) tutorial as a starting point for Consul metrics and telemetry. The following tutorials guide you through specific monitoring solutions for your Consul cluster. - -- [Monitor Consul server health and performance with metrics and logs](/consul/tutorials/observe-your-network/server-metrics-and-logs) -- [Observe Consul service mesh traffic](/consul/tutorials/get-started-kubernetes/kubernetes-gs-observability) - -### Important metrics - -In production environments, create baselines for your Consul cluster's metrics. After you discover the baselines, you will be able to define alerts and receive notifications when there are unexpected values. For a detailed explanation on the metrics and their values, refer to [Consul Agent telemetry](/consul/docs/agent/telemetry). - -### Transaction metrics - -These metrics indicate how long it takes to complete write operations in various parts of the Consul cluster. - -- [`consul.kvs.apply`](/consul/docs/agent/monitor/telemetry#transaction-timing) measures the time it takes to complete an update to the KV store. -- [`consul.txn.apply`](/consul/docs/agent/monitor/telemetry#transaction-timing) measures the time spent applying a transaction operation. -- [`consul.raft.apply`](/consul/docs/agent/monitor/telemetry#transaction-timing) counts the number of Raft transactions applied during the measurement interval. This metric is only reported on the leader. -- [`consul.raft.commitTime`](/consul/docs/agent/monitor/telemetry#transaction-timing) measures the time it takes to commit a new entry to the Raft log on disk on the leader. - -### Memory metrics - -These performance indicators can help you diagnose if the current instance sizing is unable to handle the workload. - -- [`consul.runtime.alloc_bytes`](/consul/docs/agent/monitor/telemetry#memory-usage) measures the number of bytes allocated by the Consul process. -- [`consul.runtime.sys_bytes`](/consul/docs/agent/monitor/telemetry#memory-usage) measures the total number of bytes of memory obtained from the OS. -- [`consul.runtime.heap_objects`](/consul/docs/agent/monitor/telemetry#metrics-reference) measures the number of objects allocated on the heap and is a general memory pressure indicator. - -### Leadership metrics - -Leadership changes are not a cause for concern but frequent changes may be a symptom of a deeper problem. Frequent elections or leadership changes may indicate network issues between the Consul servers, or the Consul servers are unable to keep up with the load. - -- [`consul.raft.leader.lastContact`](/consul/docs/agent/monitor/telemetry#leadership-changes) measures the time since the leader was last able to contact the follower nodes when checking its leader lease. -- [`consul.raft.state.candidate`](/consul/docs/agent/monitor/telemetry#leadership-changes) increments whenever a Consul server starts an election. -- [`consul.raft.state.leader`](/consul/docs/agent/monitor/telemetry#leadership-changes) increments whenever a Consul server becomes a leader. -- [`consul.server.isLeader`](/consul/docs/agent/monitor/telemetry#leadership-changes) tracks whether a server is a leader. - -### Network metrics - -Network activity and RPC count measurements indicate the current load created from a Consul agent, including when the load becomes high enough to be rate limited. If an unusually high RPC count occurs, you should investigate before it overloads the cluster. - -- [`consul.client.rpc`](/consul/docs/agent/monitor/telemetry#network-activity-rpc-count) increments whenever a Consul agent in client mode makes an RPC request to a Consul server. -- [`consul.client.rpc.exceeded`](/consul/docs/agent/monitor/telemetry#network-activity-rpc-count) increments whenever a Consul agent in client mode makes an RPC request to a Consul server gets rate limited by that agent's limits configuration. -- [`consul.client.rpc.failed`](/consul/docs/agent/monitor/telemetry#network-activity-rpc-count) increments whenever a Consul agent in client mode makes an RPC request to a Consul server and fails. - -## Network constraints and alternate approaches - -If it is impossible for you to allocate the required resources, you can make changes to Consul's performance so that it operates with lower speed or resilience. These changes ensure that your cluster remains within its resource capacity. - -- Soft limits prevent your cluster from degrading due to overload. -- Raft tuning lets you compensate for unfavorable environments. - -### Soft limits - -The recommended maximum size for a single datacenter is 5,000 Consul client agents. This recommendation is based on a standard, non-tuned environment and considers a blast radius's risk management factor. The maximum number of agents may be lower, depending on how you use Consul. - -If you require more than 5,000 client agents, you should break up the single Consul datacenter into multiple smaller datacenters. - -- When the nodes are spread across separate physical locations such as different regions, you can model multiple datacenter structures based on physical locations. -- Use [network segments](/consul/docs/enterprise/network-segments/network-segments-overview) in a single available zone or region to lower overall resource usage in a single datacenter. - -When deploying [Consul in Kubernetes](/consul/docs/k8s), we recommend you set both _requests_ and _limits_ in the Helm chart. Refer to the [Helm chart documentation](/consul/docs/k8s/helm#v-server-resources) for more information. - -- Requests allocate the required resources for your Consul workloads. -- Limits prevent your pods from being terminated and restarted if they consume more resources than requested and Kubernetes needs to reclaim these resources. Limits can prevent outage situations where the Consul leader's container gets terminated and redeployed due to resource constraints. - -The following is an example Helm configuration that allocates 16 CPU cores and 64 gigabytes of memory: - - - -```yaml -global: - image: "hashicorp/consul" -## ... -resources: - requests: - memory: '64G' - cpu: '16000m' - limits: - memory: '64G' - cpu: '16000m' -``` - - - -### Raft tuning - -Consul uses the [Raft consensus algorithm](/consul/docs/architecture/consensus) to provide consistency. -You may need to adjust Raft to suit your specific environment. Adjust the [`raft_multiplier` configuration](/consul/docs/agent/config/config-files#raft_multiplier) to define the trade-off between leader stability and time to recover from a leader failure. - -- A lower multiplier minimizes failure detection and election time, but it may trigger frequently in high latency situations. -- A higher multiplier reduces the chances that failures cause leadership churn, but your cluster takes longer to detect real failures and restore availability. - -The value of `raft_multiplier` has a default value of 5. It is a scaling factor setting that directly affects the following parameters: - -| Parameter name | Default value | Derived from | -| --- | --- | --- | -| HeartbeatTimeout | 5000ms | 5 x 1000ms | -| ElectionTimeout | 5000ms | 5 x 1000ms | -| LeaderLeaseTimeout | 2500ms | 5 x 500ms | - -You can use the telemetry from [`consul.raft.leader.lastContact`](/consul/docs/agent/telemetry#leadership-changes) to observe Raft timing performance. - -Wide networks with more latency perform better with larger values of `raft_multiplier`, but cluster failure detection will take longer. If your network operates with low latency, we recommend that you do not set the Raft multiplier higher than 5. Instead, you should either replace the servers with more powerful ones or minimize the network latency between nodes. - -We recommend you start from a baseline and perform [chaos engineering testing](/consul/tutorials/resiliency/introduction-chaos-engineering?in=consul%2Fresiliency) with different values for the Raft multiplier to find the acceptable time for problem detection and recovery for the cluster. Then scale the cluster and its dedicated resources with the number of workloads handled. This approach gives you the best balance between pure resource growth and pure Raft tuning strategies because it lets you use Raft tuning as a backup plan if you cannot scale your resources. - -The types of workloads the Consul cluster handles also play an important role in Raft tuning. For example, if your Consul clusters are mostly static and do not handle many events, you should increase your Raft multiplier instead of scaling your resources because the risk of an important event happening while the cluster is converging or re-electing a leader is lower. diff --git a/website/content/docs/architecture/catalog.mdx b/website/content/docs/architecture/catalog.mdx deleted file mode 100644 index dad1ef9aceb..00000000000 --- a/website/content/docs/architecture/catalog.mdx +++ /dev/null @@ -1,39 +0,0 @@ ---- -layout: docs -page_title: v1 Catalog API -description: Learn about version 1 of the Consul catalog, including what Consul servers record when they register a service. ---- - -# v1 Catalog API - -This topic provides conceptual information about version 1 (v1) of the Consul catalog API. The catalog tracks registered services and their locations for both service discovery and service mesh use cases. - -For more information about the information returned when querying the catalog, including filtering options when querying the catalog for a list of nodes, services, or gateways, refer to the [`/catalog` endpoint reference in the HTTP API documentation](/consul/api-docs/catalog). - -## Introduction - -Consul tracks information about registered services through its catalog API. This API records user-defined information about the external services, such as their partitions and required health checks. It also records information that Consul assigns for its own operations, such as an ID for each service instance and the [Raft indices](/consul/docs/architecture/consensus) when the instance is registered and modified. - -### v2 Catalog - -Consul introduced an experimental v2 Catalog API in v1.17.0. This API supported multi-port Service configurations on Kubernetes, and it was made available for testing and development purposes. The v2 catalog and its support for multiport Kubernetes Services were deprecated in the v1.19.0 release. - -## Catalog structure - -When Consul registers a service instance using the v1 catalog API, it records the following information about each instance: - -| v1 Catalog field | Description | Source | -| :--------------- | :---------- | :----- | -| ID | A unique identifier for a service instance. | Defined by user in [service definition](/consul/docs/services/configuration/services-configuration-reference#id). | -| Node | The connection point where the service is available. | On VMs, defined by user.

On Kubernetes, computed by Consul according to [Kubernetes Nodes](https://kubernetes.io/docs/concepts/architecture/nodes/). | -| Address | The registered address of the service instance. | Defined by user in [service definition](/consul/docs/services/configuration/services-configuration-reference#address). | -| Tagged Addresses | User-defined labels for addresses. | Defined by user in [service definition](/consul/docs/services/configuration/services-configuration-reference#tagged_addresses). | -| NodeMeta | User-defined metadata about the node. | Defined by user | -| Datacenter | The name of the datacenter the service is registered in. | Defined by user | -| Service | The name of the service Consul registers the service instance under. | Defined by user | -| Agent Check | The health checks defined for a service instance managed by a Consul client agent. | Computed by Consul | -| Health Checks | The health checks defined for the service. Refer to [define health checks](/consul/docs/services/usage/checks) for more information. | Defined by user | -| Partition | The name of the admin partition the service is registered in. Refer to [admin partitions](/consul/docs/enterprise/admin-partitions) for more information. | Defined by user | -| Locality | Region and availability zone of the service. Refer to [`locality`](/consul/docs/agent/config/config-files#locality) for more information. | Defined by user | - -Depending on the configuration entries or custom resource definitions you apply to your Consul installation, additional information such as [proxy default behavior](/consul/docs/connect/config-entries/proxy-defaults) is automatically recorded to the catalog for services. You can return this information using the [`/catalog` HTTP API endpoint](/consul/api-docs/catalog). diff --git a/website/content/docs/architecture/consensus.mdx b/website/content/docs/architecture/consensus.mdx deleted file mode 100644 index 9e10a05e571..00000000000 --- a/website/content/docs/architecture/consensus.mdx +++ /dev/null @@ -1,223 +0,0 @@ ---- -layout: docs -page_title: Consensus Protocol | Raft -description: >- - Consul ensures a consistent state using the Raft protocol. A quorum, or a majority of server agents with one leader, agree to state changes before committing to the state log. Learn how Raft works in Consul to ensure state consistency and how that state can be read with different consistency modes to balance read latency and consistency. ---- - -# Consensus Protocol - -Consul uses a [consensus protocol]() -to provide [Consistency (as defined by CAP)](https://en.wikipedia.org/wiki/CAP_theorem). -The consensus protocol is based on -["Raft: In search of an Understandable Consensus Algorithm"](https://raft.github.io/raft.pdf). -For a visual explanation of Raft, see [The Secret Lives of Data](http://thesecretlivesofdata.com/raft). - -## Raft Protocol Overview - -Raft is a consensus algorithm that is based on -[Paxos](https://en.wikipedia.org/wiki/Paxos_%28computer_science%29). Compared -to Paxos, Raft is designed to have fewer states and a simpler, more -understandable algorithm. - -There are a few key terms to know when discussing Raft: - -- Log - The primary unit of work in a Raft system is a log entry. The problem - of consistency can be decomposed into a _replicated log_. A log is an ordered - sequence of entries. Entries includes any cluster change: adding nodes, adding services, new key-value pairs, etc. We consider the log consistent - if all members agree on the entries and their order. - -- FSM - [Finite State Machine](https://en.wikipedia.org/wiki/Finite-state_machine). - An FSM is a collection of finite states with transitions between them. As new logs - are applied, the FSM is allowed to transition between states. Application of the - same sequence of logs must result in the same state, meaning behavior must be deterministic. - -- Peer set - The peer set is the set of all members participating in log replication. - For Consul's purposes, all server nodes are in the peer set of the local datacenter. - -- Quorum - A quorum is a majority of members from a peer set: for a set of size `N`, - quorum requires at least `(N/2)+1` members. - For example, if there are 5 members in the peer set, we would need 3 nodes - to form a quorum. If a quorum of nodes is unavailable for any reason, the - cluster becomes _unavailable_ and no new logs can be committed. - -- Committed Entry - An entry is considered _committed_ when it is durably stored - on a quorum of nodes. Once an entry is committed it can be applied. - -- Leader - At any given time, the peer set elects a single node to be the leader. - The leader is responsible for ingesting new log entries, replicating to followers, - and managing when an entry is considered committed. - -Raft is a complex protocol and will not be covered here in detail (for those who -desire a more comprehensive treatment, the full specification is available in this -[paper](https://raft.github.io/raft.pdf)). -We will, however, attempt to provide a high level description which may be useful -for building a mental model. - -Raft nodes are always in one of three states: follower, candidate, or leader. All -nodes initially start out as a follower. In this state, nodes can accept log entries -from a leader and cast votes. If no entries are received for some time, nodes -self-promote to the candidate state. In the candidate state, nodes request votes from -their peers. If a candidate receives a quorum of votes, then it is promoted to a leader. -The leader must accept new log entries and replicate to all the other followers. -In addition, if stale reads are not acceptable, all queries must also be performed on -the leader. - -Once a cluster has a leader, it is able to accept new log entries. A client can -request that a leader append a new log entry (from Raft's perspective, a log entry -is an opaque binary blob). The leader then writes the entry to durable storage and -attempts to replicate to a quorum of followers. Once the log entry is considered -_committed_, it can be _applied_ to a finite state machine. The finite state machine -is application specific; in Consul's case, we use -[MemDB](https://github.com/hashicorp/go-memdb) to maintain cluster state. Consul's writes -block until it is both _committed_ and _applied_. This achieves read after write semantics -when used with the [consistent](/consul/api-docs/features/consistency#consistent) mode for queries. - -Obviously, it would be undesirable to allow a replicated log to grow in an unbounded -fashion. Raft provides a mechanism by which the current state is snapshotted and the -log is compacted. Because of the FSM abstraction, restoring the state of the FSM must -result in the same state as a replay of old logs. This allows Raft to capture the FSM -state at a point in time and then remove all the logs that were used to reach that -state. This is performed automatically without user intervention and prevents unbounded -disk usage while also minimizing time spent replaying logs. One of the advantages of -using MemDB is that it allows Consul to continue accepting new transactions even while -old state is being snapshotted, preventing any availability issues. - -Consensus is fault-tolerant up to the point where quorum is available. -If a quorum of nodes is unavailable, it is impossible to process log entries or reason -about peer membership. For example, suppose there are only 2 peers: A and B. The quorum -size is also 2, meaning both nodes must agree to commit a log entry. If either A or B -fails, it is now impossible to reach quorum. This means the cluster is unable to add -or remove a node or to commit any additional log entries. This results in -_unavailability_. At this point, manual intervention would be required to remove -either A or B and to restart the remaining node in bootstrap mode. - -A Raft cluster of 3 nodes can tolerate a single node failure while a cluster -of 5 can tolerate 2 node failures. The recommended configuration is to either -run 3 or 5 Consul servers per datacenter. This maximizes availability without -greatly sacrificing performance. The [deployment table](#deployment_table) below -summarizes the potential cluster size options and the fault tolerance of each. - -In terms of performance, Raft is comparable to Paxos. Assuming stable leadership, -committing a log entry requires a single round trip to half of the cluster. -Thus, performance is bound by disk I/O and network latency. Although Consul is -not designed to be a high-throughput write system, it should handle on the order -of hundreds to thousands of transactions per second depending on network and -hardware configuration. - -## Raft in Consul - -Only Consul server nodes participate in Raft and are part of the peer set. All -client nodes forward requests to servers. Part of the reason for this design is -that, as more members are added to the peer set, the size of the quorum also increases. -This introduces performance problems as you may be waiting for hundreds of machines -to agree on an entry instead of a handful. - -When getting started, a single Consul server is put into "bootstrap" mode. This mode -allows it to self-elect as a leader. Once a leader is elected, other servers can be -added to the peer set in a way that preserves consistency and safety. Eventually, -once the first few servers are added, bootstrap mode can be disabled. See [this -document](/consul/docs/install/bootstrapping) for more details. - -Since all servers participate as part of the peer set, they all know the current -leader. When an RPC request arrives at a non-leader server, the request is -forwarded to the leader. If the RPC is a _query_ type, meaning it is read-only, -the leader generates the result based on the current state of the FSM. If -the RPC is a _transaction_ type, meaning it modifies state, the leader -generates a new log entry and applies it using Raft. Once the log entry is committed -and applied to the FSM, the transaction is complete. - -Because of the nature of Raft's replication, performance is sensitive to network -latency. For this reason, each datacenter elects an independent leader and maintains -a disjoint peer set. Data is partitioned by datacenter, so each leader is responsible -only for data in their datacenter. When a request is received for a remote datacenter, -the request is forwarded to the correct leader. This design allows for lower latency -transactions and higher availability without sacrificing consistency. - -## Consistency Modes - -Although all writes to the replicated log go through Raft, reads are more -flexible. To support various trade-offs that developers may want, Consul -supports 3 different consistency modes for reads. - -The three read modes are: - -- `default` - Raft makes use of leader leasing, providing a time window - in which the leader assumes its role is stable. However, if a leader - is partitioned from the remaining peers, a new leader may be elected - while the old leader is holding the lease. This means there are 2 leader - nodes. There is no risk of a split-brain since the old leader will be - unable to commit new logs. However, if the old leader services any reads, - the values are potentially stale. The default consistency mode relies only - on leader leasing, exposing clients to potentially stale values. We make - this trade-off because reads are fast, usually strongly consistent, and - only stale in a hard-to-trigger situation. The time window of stale reads - is also bounded since the leader will step down due to the partition. - -- `consistent` - This mode is strongly consistent without caveats. It requires - that a leader verify with a quorum of peers that it is still leader. This - introduces an additional round-trip to all server nodes. The trade-off is - always consistent reads but increased latency due to the extra round trip. - -- `stale` - This mode allows any server to service the read regardless of whether - it is the leader. This means reads can be arbitrarily stale but are generally - within 50 milliseconds of the leader. The trade-off is very fast and scalable - reads but with stale values. This mode allows reads without a leader meaning - a cluster that is unavailable will still be able to respond. - -For more documentation about using these various modes, see the -[HTTP API](/consul/api-docs/features/consistency). - -## Deployment Table ((#deployment_table)) - -Below is a table that shows quorum size and failure tolerance for various -cluster sizes. The recommended deployment is either 3 or 5 servers. A single -server deployment is _**highly**_ discouraged as data loss is inevitable in a -failure scenario. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ServersQuorum SizeFailure Tolerance
110
220
321
431
532
642
743
diff --git a/website/content/docs/architecture/coordinates.mdx b/website/content/docs/architecture/coordinates.mdx deleted file mode 100644 index 7bc37cc9c02..00000000000 --- a/website/content/docs/architecture/coordinates.mdx +++ /dev/null @@ -1,114 +0,0 @@ ---- -layout: docs -page_title: Network Coordinates -description: >- - Network coordinates are node locations in network tomography used to estimate round trip time (RTT). Learn how network coordinates manifest in Consul, how it calculates RTT, and how to work with coordinates to sort catalog information by nearness to a given node. ---- - -# Network Coordinates - -Consul uses a [network tomography](https://en.wikipedia.org/wiki/Network_tomography) -system to compute network coordinates for nodes in the cluster. These coordinates -allow the network round trip time to be estimated between any two nodes using a -very simple calculation. This allows for many useful applications, such as finding -the service node nearest a requesting node, or failing over to services in the next -closest datacenter. - -All of this is provided through the use of the [Serf library](https://github.com/hashicorp/serf/). -Serf's network tomography is based on ["Vivaldi: A Decentralized Network Coordinate System"](http://www.cs.ucsb.edu/~ravenben/classes/276/papers/vivaldi-sigcomm04.pdf), -with some enhancements based on other research. There are more details about -[Serf's network coordinates here](https://github.com/hashicorp/serf/blob/master/docs/internals/coordinates.html.markdown). - -## Network Coordinates in Consul - -Network coordinates manifest in several ways inside Consul: - -- The [`consul rtt`](/consul/commands/rtt) command can be used to query for the - network round trip time between any two nodes. - -- The [Catalog endpoints](/consul/api-docs/catalog) and - [Health endpoints](/consul/api-docs/health) can sort the results of queries based - on the network round trip time from a given node using a "?near=" parameter. - -- [Prepared queries](/consul/api-docs/query) can automatically fail over services - to other Consul datacenters based on network round trip times. See the - [Geo Failover](/consul/tutorials/developer-discovery/automate-geo-failover) for some examples. - -- The [Coordinate endpoint](/consul/api-docs/coordinate) exposes raw network - coordinates for use in other applications. - -Consul uses Serf to manage two different gossip pools, one for the LAN with members -of a given datacenter, and one for the WAN which is made up of just the Consul servers -in all datacenters. It's important to note that **network coordinates are not compatible -between these two pools**. LAN coordinates only make sense in calculations with other -LAN coordinates, and WAN coordinates only make sense with other WAN coordinates. - -## Working with Coordinates - -Computing the estimated network round trip time between any two nodes is simple -once you have their coordinates. Here's a sample coordinate, as returned from the -[Coordinate endpoint](/consul/api-docs/coordinate). - - - -```json -[ - { - "Node": "agent-one", - "Segment": "", - "Coord": { - "Adjustment": 0.1, - "Error": 1.5, - "Height": 0.02, - "Vec": [0.34,0.68,0.003,0.01,0.05,0.1,0.34,0.06] - } - } -] -``` - - - -All values are floating point numbers in units of seconds, except for the error -term which isn't used for distance calculations. - -Here's a complete example in Go showing how to compute the distance between two -coordinates: - - - -```go -import ( - "math" - "time" - - "github.com/hashicorp/serf/coordinate" -) - -func dist(a *coordinate.Coordinate, b *coordinate.Coordinate) time.Duration { - // Coordinates will always have the same dimensionality, so this is - // just a sanity check. - if len(a.Vec) != len(b.Vec) { - panic("dimensions aren't compatible") - } - - // Calculate the Euclidean distance plus the heights. - sumsq := 0.0 - for i := 0; i < len(a.Vec); i++ { - diff := a.Vec[i] - b.Vec[i] - sumsq += diff * diff - } - rtt := math.Sqrt(sumsq) + a.Height + b.Height - - // Apply the adjustment components, guarding against negatives. - adjusted := rtt + a.Adjustment + b.Adjustment - if adjusted > 0.0 { - rtt = adjusted - } - - // Go's times are natively nanoseconds, so we convert from seconds. - const secondsToNanoseconds = 1.0e9 - return time.Duration(rtt * secondsToNanoseconds) -} -``` - - diff --git a/website/content/docs/architecture/gossip.mdx b/website/content/docs/architecture/gossip.mdx deleted file mode 100644 index 12a4ef8de7a..00000000000 --- a/website/content/docs/architecture/gossip.mdx +++ /dev/null @@ -1,56 +0,0 @@ ---- -layout: docs -page_title: Gossip Protocol | Serf -description: >- - Consul agents manage membership in datacenters and WAN federations using the Serf protocol. Learn about the differences between LAN and WAN gossip pools and how `serfHealth` affects health checks. ---- - -# Gossip Protocol - -Consul uses a [gossip protocol](https://en.wikipedia.org/wiki/Gossip_protocol) -to manage membership and broadcast messages to the cluster. The protocol, membership management, and message broadcasting is provided -through the [Serf library](https://github.com/hashicorp/serf/). The gossip protocol -used by Serf is based on a modified version of the -[SWIM (Scalable Weakly-consistent Infection-style Process Group Membership)](https://www.cs.cornell.edu/projects/Quicksilver/public_pdfs/SWIM.pdf) protocol. -Refer to the [Serf documentation](https://github.com/hashicorp/serf/blob/master/docs/internals/gossip.html.markdown) for additional information about the gossip protocol. - -## Gossip in Consul - -Consul uses a LAN gossip pool and a WAN gossip pool to perform different functions. The pools -are able to perform their functions by leveraging an embedded [Serf](https://github.com/hashicorp/serf/) -library. The library is abstracted and masked by Consul to simplify the user experience, -but developers may find it useful to understand how the library is leveraged. - -### LAN Gossip Pool - -Each datacenter that Consul operates in has a LAN gossip pool containing all members -of the datacenter (clients _and_ servers). Membership information provided by the -LAN pool allows clients to automatically discover servers, reducing the amount of -configuration needed. Failure detection is also distributed and shared by the entire cluster, -instead of concentrated on a few servers. Lastly, the gossip pool allows for fast and -reliable event broadcasts. - -### WAN Gossip Pool - -The WAN pool is globally unique. All servers should participate in the WAN pool, -regardless of datacenter. Membership information provided by the WAN pool allows -servers to perform cross-datacenter requests. The integrated failure detection -allows Consul to gracefully handle loss of connectivity--whether the loss is for -an entire datacenter, or a single server in a remote datacenter. - -## Lifeguard Enhancements ((#lifeguard)) - -SWIM assumes that the local node is healthy, meaning that soft real-time packet -processing is possible. The assumption may be violated, however, if the local node -experiences CPU or network exhaustion. In these cases, the `serfHealth` check status -can flap. This can result in false monitoring alarms, additional telemetry noise, and -CPU and network resources being wasted as they attempt to diagnose non-existent failures. - -Lifeguard completely resolves this issue with novel enhancements to SWIM. - -For more details about Lifeguard, please see the -[Making Gossip More Robust with Lifeguard](https://www.hashicorp.com/blog/making-gossip-more-robust-with-lifeguard/) -blog post, which provides a high level overview of the HashiCorp Research paper -[Lifeguard : SWIM-ing with Situational Awareness](https://arxiv.org/abs/1707.00788). The -[Serf gossip protocol guide](https://github.com/hashicorp/serf/blob/master/docs/internals/gossip.html.markdown#lifeguard-enhancements) -also provides some lower-level details about the gossip protocol and Lifeguard. diff --git a/website/content/docs/architecture/improving-consul-resilience.mdx b/website/content/docs/architecture/improving-consul-resilience.mdx deleted file mode 100644 index aea40f3558e..00000000000 --- a/website/content/docs/architecture/improving-consul-resilience.mdx +++ /dev/null @@ -1,177 +0,0 @@ ---- -layout: docs -page_title: Fault Tolerance in Consul -description: >- - Fault tolerance is a system's ability to operate without interruption despite component failure. Learn how a set of Consul servers provide fault tolerance through use of a quorum, and how to further improve control plane resilience through use of infrastructure zones and Enterprise redundancy zones. ---- - -# Fault tolerance - - -You must give careful consideration to reliability in the architecture frameworks that you build. When you build a resilient platform, it minimizes the remediation actions you need to take when a failure occurs. This document provides useful information on how to design and operate a resilient Consul cluster, including the methods and functionalities for this goal. - -Consul has many features that operate both locally and remotely that can help you offer a resilient service across multiple datacenters. - - -## Introduction - -Fault tolerance is the ability of a system to continue operating without interruption -despite the failure of one or more components. In Consul, the number of server agents determines the fault tolerance. - - -Each Consul datacenter depends on a set of Consul voting server agents. -The voting servers ensure Consul has a consistent, fault-tolerant state -by requiring a majority of voting servers, known as a quorum, to agree upon any state changes. -Examples of state changes include: adding or removing services, -adding or removing nodes, and changes in service or node health status. - -Without a quorum, Consul experiences an outage: -it cannot provide most of its capabilities because they rely on -the availability of this state information. -If Consul has an outage, normal operation can be restored by following the -[Disaster recovery for Consul clusters guide](/consul/tutorials/datacenter-operations/recovery-outage). - -If Consul is deployed with 3 servers, the quorum size is 2. The deployment can lose 1 -server and still maintain quorum, so it has a fault tolerance of 1. -If Consul is instead deployed with 5 servers, the quorum size increases to 3, so -the fault tolerance increases to 2. -To learn more about the relationship between the -number of servers, quorum, and fault tolerance, refer to the -[consensus protocol documentation](/consul/docs/architecture/consensus#deployment_table). - -Effectively mitigating your risk is more nuanced than just increasing the fault tolerance -because the infrastructure costs can outweigh the improved resiliency. You must also consider correlated risks at the infrastructure-level. There are occasions when multiple servers fail at the same time. That means that a single failure could cause a Consul outage, even if your server-level fault tolerance is 2. - -Different options for your resilient datacenter present trade-offs between operational complexity, computing cost, and Consul request performance. Consider these factors when designing your resilient architecture. - -## Fault tolerance - -The following sections explore several options for increasing Consul's fault tolerance. For enhanced reliability, we recommend taking a holistic approach by layering these multiple functionalities together. - -- Spread servers across infrastructure [availability zones](#availability-zones). -- Use a [minimum quorum size](#quorum-size) to avoid performance impacts. -- Use [redundancy zones](#redundancy-zones) to improve fault tolerance. -- Use [Autopilot](#autopilot) to automatically prune failed servers and maintain quorum size. -- Use [cluster peering](#cluster-peering) to provide service redundancy. - -### Availability zones - - -The cloud or on-premise infrastructure underlying your [Consul datacenter](/consul/docs/install/glossary#datacenter) can run across multiple availability zones. - -An availability zone is meant to share no points of failure with other zones by: -- Having power, cooling, and networking systems independent from other zones -- Being physically distant enough from other zones so that large-scale disruptions - such as natural disasters (flooding, earthquakes) are very unlikely to affect multiple zones - -Availability zones are available in the regions of most cloud providers and in some on-premise installations. -If possible, spread your Consul voting servers across 3 availability zones -to protect your Consul datacenter from a single zone-level failure. -For example, if deploying 5 Consul servers across 3 availability zones, place no more than 2 servers in each zone. -If one zone fails, at most 2 servers are lost and quorum will be maintained by the 3 remaining servers. - -To distribute your Consul servers across availability zones, modify your infrastructure configuration with your infrastructure provider. No change is needed to your Consul server's agent configuration. - -Additionally, you should leverage resources that can automatically restore your compute instance, -such as autoscaling groups, virtual machine scale sets, or compute engine autoscaler. -Customize autoscaling resources to re-deploy servers into specific availability zones and ensure the desired numbers of servers are available at all times. - -### Quorum size - -For most production use cases, we recommend using a minimum quorum of either 3 or 5 voting servers, -yielding a server-level fault tolerance of 1 or 2 respectively. - -Even though it would improve fault tolerance, -adding voting servers beyond 5 is **not recommended** because it decreases Consul's performance— -it requires Consul to involve more servers in every state change or consistent read. - -Consul Enterprise users can use redundancy zones to improve fault tolerance without this performance penalty. - -### Redundancy zones - -Use Consul Enterprise [redundancy zones](/consul/docs/enterprise/redundancy) to improve fault tolerance without the performance penalty of increasing the number of voting servers. - -![Reference architecture diagram for Consul Redundancy zones](/img/architecture/consul-redundancy-zones-light.png#light-theme-only) -![Reference architecture diagram for Consul Redundancy zones](/img/architecture/consul-redundancy-zones-dark.png#dark-theme-only) - -Each redundancy zone should be assigned 2 or more Consul servers. -If all servers are healthy, only one server per redundancy zone will be an active voter; -all other servers will be backup voters. -If a zone's voter is lost, it will be replaced by: -- A backup voter within the same zone, if any. Otherwise, -- A backup voter within another zone, if any. - -Consul can replace lost voters with backup voters within 30 seconds in most cases. -Because this replacement process is not instantaneous, -redundancy zones do not improve immediate fault tolerance— -the number of healthy voting servers that can fail at once without causing an outage. -Instead, redundancy zones improve optimistic fault tolerance: -the number of healthy active and back-up voting servers that can fail gradually without causing an outage. - -The relationship between these two types of fault tolerance is: - -_Optimistic fault tolerance = immediate fault tolerance + the number of healthy backup voters_ - -For example, consider a Consul datacenter with 3 redundancy zones and 2 servers per zone. -There will be 3 voting servers (1 per zone), meaning a quorum size of 2 and an immediate fault tolerance of 1. -There will also be 3 backup voters (1 per zone), each of which increase the optimistic fault tolerance. -Therefore, the optimistic fault tolerance is 4. -This provides performance similar to a 3 server setup with fault tolerance similar to a 7 server setup. - -We recommend associating each Consul redundancy zone with an infrastructure availability zone -to also gain the infrastructure-level fault tolerance benefits provided by availability zones. -However, Consul redundancy zones can be used even without the backing of infrastructure availability zones. - -For more information on redundancy zones, refer to: -- [Redundancy zone documentation](/consul/docs/enterprise/redundancy) - for a more detailed explanation -- [Redundancy zone tutorial](/consul/tutorials/enterprise/redundancy-zones) - to learn how to use them - -### Autopilot - -Autopilot is a set of functions that introduce servers to a cluster, cleans up dead servers, and monitors the state of the Raft protocol in the Consul cluster. - -When you enable Autopilot's dead server cleanup, Autopilot marks failed servers as `Left` and removes them from the Raft peer set to prevent them from interfering with the quorum size. Autopilot does that as soon as a replacement Consul server comes online. This behavior is beneficial when server nodes failed and have been redeployed but Consul considers them as new nodes because their IP address and hostnames have changed. Autopilot keeps the cluster peer set size correct and the quorum requirement simple. - -To illustrate the Autopilot advantage, consider a scenario where Consul has a cluster of five server nodes. The quorum is three, which means the cluster can lose two server nodes before the cluster fails. The following events happen: - -1. Two server nodes fail. -1. Two replacement nodes are deployed with new hostnames and IPs. -1. The two replacement nodes rejoin the Consul cluster. -1. Consul treats the replacement nodes as extra nodes, unrelated to the previously failed nodes. - -_With Autopilot not enabled_, the following happens: - -1. Consul does not immediately clean up the failed nodes when the replacement nodes join the cluster. -1. The cluster now has the three surviving nodes, the two failed nodes, and the two replacement nodes, for a total of seven nodes. - - The quorum is increased to four, which means the cluster can only afford to lose one node until after the two failed nodes are deleted in seventy-two hours. - - The redundancy level has decreased from its initial state. - -_With Autopilot enabled_, the following happens: - -1. Consul immediately cleans up the failed nodes when the replacement nodes join the cluster. -1. The cluster now has the three surviving nodes and the two replacement nodes, for a total of five nodes. - - The quorum stays at three, which means the cluster can afford to lose two nodes before it fails. - - The redundancy level remains the same. - -### Cluster peering - -Linking multiple Consul clusters together to provide service redundancy is the most effective method to prevent disruption from failure. This method is enhanced when you design individual Consul clusters with resilience in mind. Consul clusters interconnect in two ways: WAN federation and cluster peering. We recommend using cluster peering whenever possible. - -Cluster peering lets you connect two or more independent Consul clusters using mesh gateways, so that services can communicate between non-identical partitions in different datacenters. - -![Reference architecture diagram for Consul cluster peering](/img/architecture/cluster-peering-diagram-light.png#light-theme-only) -![Reference architecture diagram for Consul cluster peering](/img/architecture/cluster-peering-diagram-dark.png#dark-theme-only) - -Cluster peering is the preferred way to interconnect clusters because it is operationally easier to configure and manage than WAN federation. Cluster peering communication between two datacenters runs only on one port on the related Consul mesh gateway, which makes it operationally easy to expose for routing purposes. - -When you use cluster peering to connect admin partitions between datacenters, use Consul’s dynamic traffic management functionalities `service-splitter`, `service-router` and `service-failover` to configure your service mesh to automatically forward or failover service traffic between peer clusters. Consul can then manage the traffic intended for the service and do [failover](/consul/docs/connect/config-entries/service-resolver#spec-failover), [load-balancing](/consul/docs/connect/config-entries/service-resolver#spec-loadbalancer), or [redirection](/consul/docs/connect/config-entries/service-resolver#spec-redirect). - -Cluster peering also extends service discovery across different datacenters independent of service mesh functions. After you peer datacenters, you can refer to services between datacenters with `.virtual.peer.consul` in Consul DNS. For Consul Enterprise, your query string may need to include the namespace, partition, or both. Refer to the [Consul DNS documentation](/consul/docs/services/discovery/dns-static-lookups#service-virtual-ip-lookups) for details on building virtual service lookups. - -For more information on cluster peering, refer to: -- [Cluster peering documentation](/consul/docs/connect/cluster-peering) - for a more detailed explanation -- [Cluster peering tutorial](/consul/tutorials/implement-multi-tenancy/cluster-peering) - to learn how to implement cluster peering diff --git a/website/content/docs/architecture/index.mdx b/website/content/docs/architecture/index.mdx deleted file mode 100644 index dc3f7954bdd..00000000000 --- a/website/content/docs/architecture/index.mdx +++ /dev/null @@ -1,114 +0,0 @@ ---- -layout: docs -page_title: Consul Architecture -description: >- - Consul datacenters consist of clusters of server agents (control plane) and client agents deployed alongside service instances (data plane). Learn how these components and their different communication methods make Consul possible. ---- - -# Consul Architecture - -This topic provides an overview of the Consul architecture. We recommend reviewing the Consul [glossary](/consul/docs/install/glossary) as a companion to this topic to help you become familiar with HashiCorp terms. - -> Refer to the [Reference Architecture tutorial](/consul/tutorials/production-deploy/reference-architecture) for hands-on guidance about deploying Consul in production. - -## Introduction - -Consul provides a control plane that enables you to register, access, and secure services deployed across your network. The _control plane_ is the part of the network infrastructure that maintains a central registry to track services and their respective IP addresses. - -When using Consul’s service mesh capabilities, Consul dynamically configures sidecar and gateway proxies in the request path, which enables you to authorize service-to-service connections, route requests to healthy service instances, and enforce mTLS encryption without modifying your service’s code. This ensures that communication remains performant and reliable. Refer to [Service Mesh Proxy Overview](/consul/docs/connect/proxies) for an overview of sidecar proxies. - -![Diagram of the Consul control plane](/img/consul-arch/consul-arch-overview-control-plane.svg) - -## Datacenters - -The Consul control plane contains one or more _datacenters_. A datacenter is the smallest unit of Consul infrastructure that can perform basic Consul operations. A datacenter contains at least one [Consul server agent](#server-agents), but a real-world deployment contains three or five server agents and several [Consul client agents](#client-agents). You can create multiple datacenters and allow nodes in different datacenters to interact with each other. Refer to [Bootstrap a Datacenter](/consul/docs/install/bootstrapping) for information about how to create a datacenter. - -### Clusters - -A collection of Consul agents that are aware of each other is called a _cluster_. The terms _datacenter_ and _cluster_ are often used interchangeably. In some cases, however, _cluster_ refers only to Consul server agents, such as in [HCP Consul Dedicated](https://cloud.hashicorp.com/products/consul). In other contexts, such as the [_admin partitions_](/consul/docs/enterprise/admin-partitions) feature included with Consul Enterprise, a cluster may refer to collection of client agents. - -## Agents - -You can run the Consul binary to start Consul _agents_, which are daemons that implement Consul control plane functionality. You can start agents as servers or clients. Refer to [Consul Agent](/consul/docs/agent) for additional information. - -### Server agents - -Consul server agents store all state information, including service and node IP addresses, health checks, and configuration. We recommend deploying three or five servers in a cluster. The more servers you deploy, the greater the resilience and availability in the event of a failure. More servers, however, slow down [consensus](#consensus-protocol), which is a critical server function that enables Consul to efficiently and effectively process information. - -#### Consensus protocol - -Consul clusters elect a single server to be the _leader_ through a process called _consensus_. The leader processes all queries and transactions, which prevents conflicting updates in clusters containing multiple servers. - -Servers that are not currently acting as the cluster leader are called _followers_. Followers forward requests from client agents to the cluster leader. The leader replicates the requests to all other servers in the cluster. Replication ensures that if the leader is unavailable, other servers in the cluster can elect another leader without losing any data. - -Consul servers establish consensus using the Raft algorithm on port `8300`. Refer to [Consensus Protocol](/consul/docs/architecture/consensus) for additional information. - -![Diagram of the Consul control plane consensus traffic](/img/consul-arch/consul-arch-overview-consensus.svg) - -### Client agents - -Consul clients report node and service health status to the Consul cluster. In a typical deployment, you must run client agents on every compute node in your datacenter. Clients use remote procedure calls (RPC) to interact with servers. By default, clients send RPC requests to the servers on port `8300`. - -There are no limits to the number of client agents or services you can use with Consul, but production deployments should distribute services across multiple Consul datacenters. Using a multi-datacenter deployment enhances infrastructure resilience and limits control plane issues. We recommend deploying a maximum of 5,000 client agents per datacenter. Some large organizations have deployed tens of thousands of client agents and hundreds of thousands of service instances across a multi-datacenter deployment. Refer to [Cross-datacenter requests](#cross-datacenter-requests) for additional information. - -You can also run Consul with an alternate service mesh configuration that deploys Envoy proxies but not client agents. Refer to [Simplified Service Mesh with Consul Dataplanes](/consul/docs/connect/dataplane) for more information. - -## LAN gossip pool - -Client and server agents participate in a LAN gossip pool so that they can distribute and perform node [health checks](/consul/docs/services/usage/checks). Agents in the pool propagate the health check information across the cluster. Agent gossip communication occurs on port `8301` using UDP. Agent gossip falls back to TCP if UDP is not available. Refer to [Gossip Protocol](/consul/docs/architecture/gossip) for additional information. - -The following simplified diagram shows the interactions between servers and clients. - - - - - -![Diagram of the Consul LAN gossip pool](/img/consul-arch/consul-arch-overview-lan-gossip-pool.svg) - - - - -![Diagram of RPC communication between Consul agents](/img/consul-arch/consul-arch-overview-rpc.svg) - - - - -## Cross-datacenter requests - -Each Consul datacenter maintains its own catalog of services and their health. By default, the information is not replicated across datacenters. WAN federation and cluster peering are two multi-datacenter deployment models that enable service connectivity across datacenters. - -### WAN federation - -WAN federation is an approach for connecting multiple Consul datacenters. It requires you to designate a _primary datacenter_ that contains authoritative information about all datacenters, including service mesh configurations and access control list (ACL) resources. - -In this model, when a client agent requests a resource in a remote secondary datacenter, a local Consul server forwards the RPC request to a remote Consul server that has access to the resource. A remote server sends the results to the local server. If the remote datacenter is unavailable, its resources are also unavailable. By default, WAN-federated servers send cross-datacenter requests over TCP on port `8300`. - -You can configure control plane and data plane traffic to go through mesh gateways, which simplifies networking requirements. - -> **Hands-on**: To enable services to communicate across datacenters when the ACL system is enabled, refer to the [ACL Replication for Multiple Datacenters](/consul/tutorials/security-operations/access-control-replication-multiple-datacenters) tutorial. - -#### WAN gossip pool - -Servers may also participate in a WAN gossip pool, which is optimized for greater latency imposed by the Internet. The pool enables servers to exchange information, such as their addresses and health, and gracefully handle loss of connectivity in the event of a failure. - -In the following diagram, the servers in each data center participate in a WAN gossip pool by sending data over TCP/UDP on port `8302`. Refer to [Gossip Protocol](/consul/docs/architecture/gossip) for additional information. - - - - - -![Diagram of the Consul LAN gossip pool](/img/consul-arch/consul-arch-overview-wan-gossip-cross-cluster.svg) - - - - -![Diagram of RPC communication between Consul agents](/img/consul-arch/consul-arch-overview-remote-dc-forwarding-cross-cluster.svg) - - - - -### Cluster peering - -You can create peering connections between two or more independent clusters so that services deployed to different datacenters or admin partitions can communicate. An [admin partition](/consul/docs/enterprise/admin-partitions) is a feature in Consul Enterprise that enables you to define isolated network regions that use the same Consul servers. In the cluster peering model, you create a token in one of the datacenters or partitions and configure another datacenter or partition to present the token to establish the connection. - -Refer to [What is Cluster Peering?](/consul/docs/connect/cluster-peering) for additional information. diff --git a/website/content/docs/architecture/jepsen.mdx b/website/content/docs/architecture/jepsen.mdx deleted file mode 100644 index 44a433c8d35..00000000000 --- a/website/content/docs/architecture/jepsen.mdx +++ /dev/null @@ -1,118 +0,0 @@ ---- -layout: docs -page_title: Consistency Verification | Jepsen Testing Results -description: >- - Jepsen is a tool to measure the reliability and consistency of distributed systems across network partitions. Learn about the Jepsen testing performed on Consul to ensure it gracefully recovers from partitions and maintains consistent state. ---- - -# Jepsen Testing Results - -[Jepsen](http://aphyr.com/posts/281-call-me-maybe-carly-rae-jepsen-and-the-perils-of-network-partitions) -is a tool, written by Kyle Kingsbury, designed to test the partition -tolerance of distributed systems. It creates network partitions while fuzzing -the system with random operations. The results are analyzed to see if the system -violates any of the consistency properties it claims to have. - -As part of our Consul testing, we ran a Jepsen test to determine if -any consistency issues could be uncovered. In our testing, Consul -gracefully recovered from partitions without introducing any consistency -issues. - -## Running the tests - -At the moment, testing with Jepsen is rather complex as it requires -setting up multiple virtual machines, SSH keys, DNS configuration, -and a working Clojure environment. We hope to contribute our Consul -testing code upstream and to provide a Vagrant environment for Jepsen -testing soon. - -## Output - -Below is the output captured from Jepsen. We ran Jepsen multiple times, -and it passed each time. This output is only representative of a single -run and has been edited for length. Please reach out on [Consul's Discuss](https://discuss.hashicorp.com/c/consul) -if you would like to reproduce the Jepsen results. - - - -```shell-session -$ lein test :only jepsen.system.consul-test - -lein test jepsen.system.consul-test -INFO jepsen.os.debian - :n5 setting up debian -INFO jepsen.os.debian - :n3 setting up debian -INFO jepsen.os.debian - :n4 setting up debian -INFO jepsen.os.debian - :n1 setting up debian -INFO jepsen.os.debian - :n2 setting up debian -INFO jepsen.os.debian - :n4 debian set up -INFO jepsen.os.debian - :n5 debian set up -INFO jepsen.os.debian - :n3 debian set up -INFO jepsen.os.debian - :n1 debian set up -INFO jepsen.os.debian - :n2 debian set up -INFO jepsen.system.consul - :n1 consul nuked -INFO jepsen.system.consul - :n4 consul nuked -INFO jepsen.system.consul - :n5 consul nuked -INFO jepsen.system.consul - :n3 consul nuked -INFO jepsen.system.consul - :n2 consul nuked -INFO jepsen.system.consul - Running nodes: {:n1 false, :n2 false, :n3 false, :n4 false, :n5 false} -INFO jepsen.system.consul - :n2 consul nuked -INFO jepsen.system.consul - :n3 consul nuked -INFO jepsen.system.consul - :n4 consul nuked -INFO jepsen.system.consul - :n5 consul nuked -INFO jepsen.system.consul - :n1 consul nuked -INFO jepsen.system.consul - :n1 starting consul -INFO jepsen.system.consul - :n2 starting consul -INFO jepsen.system.consul - :n4 starting consul -INFO jepsen.system.consul - :n5 starting consul -INFO jepsen.system.consul - :n3 starting consul -INFO jepsen.system.consul - :n3 consul ready -INFO jepsen.system.consul - :n2 consul ready -INFO jepsen.system.consul - Running nodes: {:n1 true, :n2 true, :n3 true, :n4 true, :n5 true} -INFO jepsen.system.consul - :n5 consul ready -INFO jepsen.system.consul - :n1 consul ready -INFO jepsen.system.consul - :n4 consul ready -INFO jepsen.core - Worker 0 starting -INFO jepsen.core - Worker 2 starting -INFO jepsen.core - Worker 1 starting -INFO jepsen.core - Worker 3 starting -INFO jepsen.core - Worker 4 starting -INFO jepsen.util - 2 :invoke :read nil -INFO jepsen.util - 3 :invoke :cas [4 4] -INFO jepsen.util - 0 :invoke :write 4 -INFO jepsen.util - 1 :invoke :write 1 -INFO jepsen.util - 4 :invoke :cas [4 0] -INFO jepsen.util - 2 :ok :read nil -INFO jepsen.util - 4 :fail :cas [4 0] -(Log Truncated...) -INFO jepsen.util - 4 :invoke :cas [3 3] -INFO jepsen.util - 4 :fail :cas [3 3] -INFO jepsen.util - :nemesis :info :stop nil -INFO jepsen.util - :nemesis :info :stop "fully connected" -INFO jepsen.util - 0 :fail :read nil -INFO jepsen.util - 1 :fail :write 0 -INFO jepsen.util - :nemesis :info :stop nil -INFO jepsen.util - :nemesis :info :stop "fully connected" -INFO jepsen.core - nemesis done -INFO jepsen.core - Worker 3 done -INFO jepsen.util - 1 :invoke :read nil -INFO jepsen.core - Worker 2 done -INFO jepsen.core - Worker 4 done -INFO jepsen.core - Worker 0 done -INFO jepsen.util - 1 :ok :read 3 -INFO jepsen.core - Worker 1 done -INFO jepsen.core - Run complete, writing -INFO jepsen.core - Analyzing -(Log Truncated...) -INFO jepsen.core - Analysis complete -INFO jepsen.system.consul - :n3 consul nuked -INFO jepsen.system.consul - :n2 consul nuked -INFO jepsen.system.consul - :n4 consul nuked -INFO jepsen.system.consul - :n1 consul nuked -INFO jepsen.system.consul - :n5 consul nuked -1964 element history linearizable. :D - -Ran 1 tests containing 1 assertions. -0 failures, 0 errors. -``` - - diff --git a/website/content/docs/automate/consul-template.mdx b/website/content/docs/automate/consul-template.mdx new file mode 100644 index 00000000000..0b2e83a7d20 --- /dev/null +++ b/website/content/docs/automate/consul-template.mdx @@ -0,0 +1,29 @@ +--- +layout: docs +page_title: Consul Template overview +description: >- + Consul Template is a tool available as a distinct binary that enables dynamic application configuration and secrets rotation for Consul deployments based on Go templates. +--- + +# Consul Template overview + +This topic provides an overview of the Consul Template tool, which enables a programmatic method for rendering configuration files from a variety of locations, including the Consul KV store. It is an effective workflow option for replacing complicated API queries that often require custom formatting. + +For more information about the KV store and using it to automatically configure application deployments, refer to [dynamically configure applications](/consul/docs/dynamic-app/consul-template). + +## Introduction + +The Consul template tool is not part of the Consul binary. It has a [dedicated GitHub repo](https://github.com/hashicorp/consul-template) and you must [install `consul-template`](https://github.com/hashicorp/consul-template#installation) before running it on the command line. Consul templates are based on Go templates and shares many of the same attributes. When initiated, the rool reads one or more template files and queries Consul for all data needed to render them. + +In a typical scenario, you run `consul-template` as a daemon that fetches the initial values and then continues to watch for updates. The template re-renders whenever there are relevant changes in the datacenter. The template can also run arbitrary commands after the update process completes. For example, it can send the HUP signal to the load balancer service after a configuration change has been made. + +The Consul template tool is flexible, it can fit into many different environments and workflows. Depending on the use case, you may have a single `consul-template` instance on a handful of hosts, or you may need to run several instances on every host. Each `consul-template` process can manage multiple unrelated files and removes duplicated information as needed when files share data dependencies. + +## Tutorials + +To get started with Consul Template and learn more about how you can use it to configure and manage application deployments, refer to the following tutorials: + +- Learn how to programmatically render service configuration in the [Service configuration with Consul Template tutorial](/consul/tutorials/developer-configuration/consul-template). +- Learn how to use Consul and Consul template to automatically update an NGINX configuration file with the latest list of backend servers found by Consul's service discovery in the [Load Balancing with NGINX and Consul Template tutorial](/consul/tutorials/load-balancing/load-balancing-nginx). +- Learn how to use Vault's PKI Secrets Engine to generate and renew dynamic X.509 certificates and then use `consul-template` to rotate your certificates in the [Generate mTLS Certificates for Consul with Vault tutorial](/consul/tutorials/vault-secure/vault-pki-consul-secure-tls). +- Learn how to use Vault to store a gossip encryption key and then use `consul-template` to retrieve and rotate the key automatically in the [Automatically Rotate Gossip Encryption Keys Secured in Vault tutorial](/consul/tutorials/vault-secure/vault-kv-consul-secure-gossip). diff --git a/website/content/docs/automate/index.mdx b/website/content/docs/automate/index.mdx new file mode 100644 index 00000000000..b30ffbe0a92 --- /dev/null +++ b/website/content/docs/automate/index.mdx @@ -0,0 +1,40 @@ +--- +layout: docs +page_title: Dynamically configure applications +description: >- + This topic provides an overview of deployment strategies that use Consul's key/value (KV) store to dynamically update applications and Consul configurations in response to deployment changes. +--- + +# Dynamically configure applications + +This topic provides an overview for dynamically configuring applications when Consul detects certain changes in your network. Many of these operations rely on Consul's key/value (KV)store. + +For information about automatically deploying infrastructure when Consul detects failed health checks or increased network traffic, refer to [Consul-Terraform-Sync](/consul/docs/cts). + +## Introduction + +Platform operators managing a Consul deployment at scale require automated processes for generating and distributing updated configurations dynamically as applications change. You can use Consul's KV store to store data for generating Consul agent configurations, and set up the agent to invoke custom scripts in response to changes. + +## Key/value store + +@include 'text/descriptions/kv/store.mdx' + +## Consul template + +@include 'text/descriptions/consul-template.mdx' + +## Sessions + +@include 'text/descriptions/kv/session.mdx' + +## Watches + +@include 'text/descriptions/kv/watch.mdx' + +## Guidance + +@include 'text/guidance/automate.mdx' + +### Constraints, limitations, and troubleshooting + +@include 'text/limitations/kv.mdx' \ No newline at end of file diff --git a/website/content/docs/automate/kv/index.mdx b/website/content/docs/automate/kv/index.mdx new file mode 100644 index 00000000000..c837535410c --- /dev/null +++ b/website/content/docs/automate/kv/index.mdx @@ -0,0 +1,62 @@ +--- +layout: docs +page_title: Consul key/value (KV) store overview +description: >- + Consul includes a KV store for indexed objects, configuration parameters, and metadata that you can use to dynamically configure apps. Learn about accessing and using the KV store to extend Consul's functionality through watches, sessions, and Consul Template. +--- + +# Consul key/value (KV) store overview + + +The Consul KV API, CLI, and UI are now considered feature complete and no new feature development is planned for future releases. + + +Consul KV is a core feature of Consul and is installed with the Consul agent. Once installed with the agent, it will have reasonable defaults. Consul KV allows users to store indexed objects, though its main uses are storing configuration parameters and metadata. It is a simple KV store and is not intended to be a full featured datastore (such as DynamoDB). + +The Consul KV datastore is located on the servers, but can be accessed by any agent (client or server). The natively integrated [RPC functionality](/consul/docs/architecture) allows clients to forward requests to servers, including key/value reads and writes. Part of Consul's core design allows data to be replicated automatically across all the servers. Having a quorum of servers will decrease the risk of data loss if an outage occurs. + +If you have not used Consul KV, complete this [Getting Started tutorial](/consul/tutorials/interactive/get-started-key-value-store?utm_source=docs) on HashiCorp. + +## Accessing the KV store + +The KV store can be accessed by the [consul kv CLI subcommands](/consul/commands/kv), [HTTP API](/consul/api-docs/kv), and Consul UI. To restrict access, enable and configure [ACLs](/consul/docs/secure-consul/acl). Once the ACL system has been bootstrapped, users and services, will need a valid token with KV [privileges](/consul/docs/secure-consul/acl/rules#key-value-rules) to access the data store, this includes even reads. We recommend creating a token with limited privileges, for example, you could create a token with write privileges on one key for developers to update the value related to their application. + +The datastore itself is located on the Consul servers in the [data directory](/consul/docsreference-cli/agent#_data_dir). To ensure data is not lost in the event of a complete outage, use the [`consul snapshot`](/consul/commands/snapshot/restore) feature to backup the data. + +## Using Consul KV + +Objects are opaque to Consul, meaning there are no restrictions on the type of object stored in a key/value entry. The main restriction on an object is size - the maximum is 512 KB. Due to the maximum object size and main use cases, you should not need extra storage; the general [sizing recommendations](/consul/docs/reference/agent#kv_max_value_size) are usually sufficient. + +Keys, like objects are not restricted by type and can include any character. However, we recommend using URL-safe chars - `[a-zA-Z0-9-._~]` with the exception of `/`, which can be used to help organize data. Note, `/` will be treated like any other character and is not fixed to the file system. Meaning, including `/` in a key does not fix it to a directory structure. This model is similar to Amazon S3 buckets. However, `/` is still useful for organizing data and when recursively searching within the data store. We also recommend that you avoid the use of `*`, `?`, `'`, and `%` because they can cause issues when using the API and in shell scripts. + +## Using Sentinel to apply policies for Consul KV + + + +This feature requires HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. + + + +You can also use Sentinel as a Policy-as-code framework for defining advanced key-value storage access control policies. Sentinel policies extend the ACL system in Consul beyond static "read", "write", and "deny" policies to support full conditional logic and integration with external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts) for high-level Sentinel concepts. + +To get started with Sentinel in Consul, refer to the [Sentinel documentation](https://docs.hashicorp.com/sentinel/consul) or [Consul documentation](/consul/docs/agent/sentinel). + +## Extending Consul KV + +### Consul Template + +If you plan to use Consul KV as part of your configuration management process review the [Consul Template](/consul/tutorials/developer-configuration/consul-template?utm_source=docs) tutorial on how to update configuration based on value updates in the KV. Consul Template is based on Go Templates and allows for a series of scripted actions to be initiated on value changes to a Consul key. + +### Watches + +Consul KV can also be extended with the use of watches. [Watches](/consul/docs/dynamic-app/watches) are a way to monitor data for updates. When an update is detected, an external handler is invoked. To use watches with the KV store the [key](/consul/docs/dynamic-app/watches#key) watch type should be used. + +### Consul Sessions + +Consul sessions can be used to build distributed locks with Consul KV. Sessions act as a binding layer between nodes, health checks, and key/value data. The KV API supports an `acquire` and `release` operation. The `acquire` operation acts like a Check-And-Set operation. On success, there is a key update and an increment to the `LockIndex` and the session value is updated to reflect the session holding the lock. Review the session documentation for more information on the [integration](/consul/docs/dynamic-app/sessions#k-v-integration). + +Review the following tutorials to learn how to use Consul sessions for [application leader election](/consul/tutorials/developer-configuration/application-leader-elections) and to [build distributed semaphores](/consul/tutorials/developer-configuration/distributed-semaphore). + +### Vault + +If you plan to use Consul KV as a backend for Vault, please review [this tutorial](/vault/tutorials/day-one-consul/ha-with-consul?utm_source=docs). \ No newline at end of file diff --git a/website/content/docs/dynamic-app-config/kv/store.mdx b/website/content/docs/automate/kv/store.mdx similarity index 100% rename from website/content/docs/dynamic-app-config/kv/store.mdx rename to website/content/docs/automate/kv/store.mdx diff --git a/website/content/docs/automate/session.mdx b/website/content/docs/automate/session.mdx new file mode 100644 index 00000000000..5fe3b992602 --- /dev/null +++ b/website/content/docs/automate/session.mdx @@ -0,0 +1,60 @@ +--- +layout: docs +page_title: Sessions and Distributed Locks Overview +description: >- + Consul supports sessions that you can use to build distributed locks with granular locking. Learn about sessions, how they can prevent ""split-brain"" systems by ensuring consistency in deployments, and how they can integrate with the key/value (KV) store. +--- + +# Sessions and Distributed Locks Overview + +Consul provides a session mechanism which can be used to build distributed locks. Sessions act as a binding layer between nodes, health checks, and key/value data. They are designed to provide granular locking and are heavily inspired by [The Chubby Lock Service for Loosely-Coupled Distributed Systems](http://research.google.com/archive/chubby.html). + +## Session Design + +A session in Consul represents a contract that has very specific semantics. When a session is constructed, a node name, a list of health checks, a behavior, a TTL, and a `lock-delay` may be provided. The newly constructed session is provided with a named ID that can be used to identify it. This ID can be used with the KV store to acquire locks: advisory mechanisms for mutual exclusion. + +Below is a diagram showing the relationship between these components: + +![Consul Sessions](/img/consul-sessions.png) + +The contract that Consul provides is that under any of the following situations, the session will be _invalidated_: + +- Node is deregistered +- Any of the health checks are deregistered +- Any of the health checks go to the critical state +- Session is explicitly destroyed +- TTL expires, if applicable + +When a session is invalidated, it is destroyed and can no longer be used. What happens to the associated locks depends on the behavior specified at creation time. Consul supports a `release` and `delete` behavior. The `release` behavior is the default if none is specified. + +If the `release` behavior is being used, any of the locks held in association with the session are released, and the `ModifyIndex` of the key is incremented. Alternatively, if the `delete` behavior is used, the key corresponding to any of the held locks is simply deleted. This can be used to create ephemeral entries that are automatically deleted by Consul. + +While this is a simple design, it enables a multitude of usage patterns. By default, the [gossip based failure detector](/consul/docs/architecture/gossip) is used as the associated health check. This failure detector allows Consul to detect when a node that is holding a lock has failed and to automatically release the lock. This ability provides **liveness** to Consul locks; that is, under failure the system can continue to make progress. However, because there is no perfect failure detector, it's possible to have a false positive (failure detected) which causes the lock to be released even though the lock owner is still alive. This means we are sacrificing some **safety**. + +Conversely, it is possible to create a session with no associated health checks. This removes the possibility of a false positive and trades liveness for safety. You can be absolutely certain Consul will not release the lock even if the existing owner has failed. Since Consul APIs allow a session to be force destroyed, this allows systems to be built that require an operator to intervene in the case of a failure while precluding the possibility of a split-brain. + +A third health checking mechanism is session TTLs. When creating a session, a TTL can be specified. If the TTL interval expires without being renewed, the session has expired and an invalidation is triggered. This type of failure detector is also known as a heartbeat failure detector. It is less scalable than the gossip based failure detector as it places an increased burden on the servers but may be applicable in some cases. The contract of a TTL is that it represents a lower bound for invalidation; that is, Consul will not expire the session before the TTL is reached, but it is allowed to delay the expiration past the TTL. The TTL is renewed on session creation, on session renew, and on leader failover. When a TTL is being used, clients should be aware of clock skew issues: namely, time may not progress at the same rate on the client as on the Consul servers. It is best to set conservative TTL values and to renew in advance of the TTL to account for network delay and time skew. + +The final nuance is that sessions may provide a `lock-delay`. This is a time duration, between 0 and 60 seconds. When a session invalidation takes place, Consul prevents any of the previously held locks from being re-acquired for the `lock-delay` interval; this is a safeguard inspired by Google's Chubby. The purpose of this delay is to allow the potentially still live leader to detect the invalidation and stop processing requests that may lead to inconsistent state. While not a bulletproof method, it does avoid the need to introduce sleep states into application logic and can help mitigate many issues. While the default is to use a 15 second delay, clients are able to disable this mechanism by providing a zero delay value. + +## K/V Integration + +Integration between the KV store and sessions is the primary place where sessions are used. A session must be created prior to use and is then referred to by its ID. + +The KV API is extended to support an `acquire` and `release` operation. The `acquire` operation acts like a Check-And-Set operation except it can only succeed if there is no existing lock holder (the current lock holder can re-`acquire`, see below). On success, there is a normal key update, but there is also an increment to the `LockIndex`, and the `Session` value is updated to reflect the session holding the lock. + +If the lock is already held by the given session during an `acquire`, then the `LockIndex` is not incremented but the key contents are updated. This lets the current lock holder update the key contents without having to give up the lock and reacquire it. + +Once held, the lock can be released using a corresponding `release` operation, providing the same session. Again, this acts like a Check-And-Set operation since the request will fail if given an invalid session. A critical note is that the lock can be released without being the creator of the session. This is by design as it allows operators to intervene and force-terminate a session if necessary. As mentioned above, a session invalidation will also cause all held locks to be released or deleted. When a lock is released, the `LockIndex` does not change; however, the `Session` is cleared and the `ModifyIndex` increments. + +These semantics (heavily borrowed from Chubby), allow the tuple of (Key, LockIndex, Session) to act as a unique "sequencer". This `sequencer` can be passed around and used to verify if the request belongs to the current lock holder. Because the `LockIndex` is incremented on each `acquire`, even if the same session re-acquires a lock, the `sequencer` will be able to detect a stale request. Similarly, if a session is invalided, the Session corresponding to the given `LockIndex` will be blank. + +To be clear, this locking system is purely _advisory_. There is no enforcement that clients must acquire a lock to perform any operation. Any client can read, write, and delete a key without owning the corresponding lock. It is not the goal of Consul to protect against misbehaving clients. + +## Leader Election + +The primitives provided by sessions and the locking mechanisms of the KV store can be used to build client-side leader election algorithms. These are covered in more detail in the [Leader Election guide](/consul/tutorials/developer-configuration/application-leader-elections). + +## Prepared Query Integration + +Prepared queries may be attached to a session in order to automatically delete the prepared query when the session is invalidated. diff --git a/website/content/docs/dynamic-app-config/watches.mdx b/website/content/docs/automate/watch.mdx similarity index 71% rename from website/content/docs/dynamic-app-config/watches.mdx rename to website/content/docs/automate/watch.mdx index 8eac5888628..6f174edf4fc 100644 --- a/website/content/docs/dynamic-app-config/watches.mdx +++ b/website/content/docs/automate/watch.mdx @@ -1,54 +1,34 @@ --- layout: docs -page_title: Watches Overview and Reference +page_title: Watches overview description: >- - Watches monitor the key/value (KV) store, services, nodes, health checks, and events for updates. When a watch detects a change, it invokes a handler that can call an HTTP endpoint or run an executable. Learn how to configure watches to dynamically respond to changes in Consul. + Watches monitor the key/value (KV) store, services, nodes, health checks, and events for updates. When a watch detects a change, it invokes a handler that can call an HTTP endpoint or runs an executable. Learn how to configure watches to dynamically respond to changes in Consul. --- -# Watches Overview and Reference +# Watches overview -Watches are a way of specifying a view of data (e.g. list of nodes, KV pairs, health -checks) which is monitored for updates. When an update is detected, an external handler -is invoked. A handler can be any executable or HTTP endpoint. As an example, you could watch the status -of health checks and notify an external system when a check is critical. +Watches are a way of specifying a view of data (e.g. list of nodes, KV pairs, health checks) which is monitored for updates. When an update is detected, an external handler is invoked. A handler can be any executable or HTTP endpoint. As an example, you could watch the status of health checks and notify an external system when a check is critical. -Watches are implemented using blocking queries in the [HTTP API](/consul/api-docs). -Agents automatically make the proper API calls to watch for changes -and inform a handler when the data view has updated. +Watches are implemented using blocking queries in the [HTTP API](/consul/api-docs). Agents automatically make the proper API calls to watch for changes and inform a handler when the data view has updated. -Watches can be configured as part of the [agent's configuration](/consul/docs/agent/config/config-files#watches), -causing them to run once the agent is initialized. Reloading the agent configuration -allows for adding or removing watches dynamically. +Watches can be configured as part of the [agent's configuration](/consul/docs/reference/agent#watches), causing them to run once the agent is initialized. Reloading the agent configuration allows for adding or removing watches dynamically. -Alternatively, the [watch command](/consul/commands/watch) enables a watch to be -started outside of the agent. This can be used by an operator to inspect data in Consul -or to easily pipe data into processes without being tied to the agent lifecycle. +Alternatively, the [watch command](/consul/commands/watch) enables a watch to be started outside of the agent. This can be used by an operator to inspect data in Consul or to easily pipe data into processes without being tied to the agent lifecycle. -In either case, the `type` of the watch must be specified. Each type of watch -supports different parameters, some required and some optional. These options are specified -in a JSON body when using agent configuration or as CLI flags for the watch command. +In either case, the `type` of the watch must be specified. Each type of watch supports different parameters, some required and some optional. These options are specified in a JSON body when using agent configuration or as CLI flags for the watch command. ## Handlers -The watch configuration specifies the view of data to be monitored. -Once that view is updated, the specified handler is invoked. Handlers can be either an -executable or an HTTP endpoint. A handler receives JSON formatted data -with invocation info, following a format that depends on the type of the watch. -Each watch type documents the format type. Because they map directly to an HTTP -API, handlers should expect the input to match the format of the API. A Consul -index is also given, corresponding to the responses from the -[HTTP API](/consul/api-docs). +The watch configuration specifies the view of data to be monitored. Once that view is updated, the specified handler is invoked. Handlers can be either an executable or an HTTP endpoint. A handler receives JSON formatted data with invocation info, following a format that depends on the type of the watch. Each watch type documents the format type. Because they map directly to an HTTP API, handlers should expect the input to match the format of the API. A Consul index is also given, corresponding to the responses from the [HTTP API](/consul/api-docs). ### Executable -An executable handler reads the JSON invocation info from stdin. Additionally, -the `CONSUL_INDEX` environment variable will be set to the Consul index. -Anything written to stdout is logged. +An executable handler reads the JSON invocation info from stdin. Additionally, the `CONSUL_INDEX` environment variable will be set to the Consul index. Anything written to stdout is logged. -Here is an example configuration, where `handler_type` is optionally set to -`script`: +Here is an example configuration, where `handler_type` is optionally set to `script`: + ```hcl @@ -63,7 +43,6 @@ watches = [ ``` - ```json @@ -80,29 +59,20 @@ watches = [ ``` - -Prior to Consul 1.0, watches used a single `handler` field to define the command to run, and -would always run in a shell. In Consul 1.0, the `args` array was added so that handlers can be -run without a shell. The `handler` field is deprecated, and you should include the shell in -the `args` to run under a shell, eg. `"args": ["sh", "-c", "..."]`. +Prior to Consul 1.0, watches used a single `handler` field to define the command to run, and would always run in a shell. In Consul 1.0, the `args` array was added so that handlers can be run without a shell. The `handler` field is deprecated, and you should include the shell in the `args` to run under a shell, eg. `"args": ["sh", "-c", "..."]`. ### HTTP endpoint -An HTTP handler sends an HTTP request when a watch is invoked. The JSON invocation info is sent -as a payload along the request. The response also contains the Consul index as a header named -`X-Consul-Index`. +An HTTP handler sends an HTTP request when a watch is invoked. The JSON invocation info is sent as a payload along the request. The response also contains the Consul index as a header named `X-Consul-Index`. -The HTTP handler can be configured by setting `handler_type` to `http`. Additional handler options -are set using `http_handler_config`. The only required parameter is the `path` field which specifies -the URL to the HTTP endpoint. Consul uses `POST` as the default HTTP method, but this is also configurable. -Other optional fields are `header`, `timeout` and `tls_skip_verify`. The watch invocation data is -always sent as a JSON payload. +The HTTP handler can be configured by setting `handler_type` to `http`. Additional handler options are set using `http_handler_config`. The only required parameter is the `path` field which specifies the URL to the HTTP endpoint. Consul uses `POST` as the default HTTP method, but this is also configurable. Other optional fields are `header`, `timeout` and `tls_skip_verify`. The watch invocation data is always sent as a JSON payload. Here is an example configuration: + ```hcl @@ -125,6 +95,7 @@ watches = [ ``` + ```json @@ -147,12 +118,12 @@ watches = [ ``` + ## Global Parameters -In addition to the parameters supported by each option type, there -are a few global parameters that all watches support: +In addition to the parameters supported by each option type, there are a few global parameters that all watches support: - `datacenter` - Can be provided to override the agent's default datacenter. - `token` - Can be provided to override the agent's default ACL token. @@ -173,8 +144,7 @@ The following types are supported. Detailed documentation on each is below: ### Type: key ((#key)) -The "key" watch type is used to watch a specific key in the KV store. -It requires that the `key` parameter be specified. +The "key" watch type is used to watch a specific key in the KV store. It requires that the `key` parameter be specified. This maps to the `/v1/kv/` API internally. @@ -182,6 +152,8 @@ Here is an example configuration: + + ```hcl { type = "key" @@ -190,6 +162,10 @@ Here is an example configuration: } ``` + + + + ```json { "type": "key", @@ -198,6 +174,8 @@ Here is an example configuration: } ``` + + Or, using the watch command: @@ -222,10 +200,7 @@ An example of the output of this command: ### Type: keyprefix ((#keyprefix)) -The `keyprefix` watch type is used to watch a prefix of keys in the KV store. -It requires that the `prefix` parameter be specified. This watch -returns _all_ keys matching the prefix whenever _any_ key matching the prefix -changes. +The `keyprefix` watch type is used to watch a prefix of keys in the KV store. It requires that the `prefix` parameter be specified. This watch returns _all_ keys matching the prefix whenever _any_ key matching the prefix changes. This maps to the `/v1/kv/` API internally. @@ -233,6 +208,8 @@ Here is an example configuration: + + ```hcl { type = "keyprefix" @@ -241,6 +218,10 @@ Here is an example configuration: } ``` + + + + ```json { "type": "keyprefix", @@ -249,6 +230,8 @@ Here is an example configuration: } ``` + + Or, using the watch command: @@ -293,8 +276,7 @@ An example of the output of this command: ### Type: services ((#services)) -The "services" watch type is used to watch the list of available -services. It has no parameters. +The "services" watch type is used to watch the list of available services. It has no parameters. This maps to the `/v1/catalog/services` API internally. @@ -302,6 +284,8 @@ Below is an example configuration: + + ```hcl { type = "services" @@ -309,6 +293,10 @@ Below is an example configuration: } ``` + + + + ```json { "type": "services", @@ -316,6 +304,8 @@ Below is an example configuration: } ``` + + Or, using the watch command: @@ -336,8 +326,7 @@ An example of the output of this command: ### Type: nodes ((#nodes)) -The "nodes" watch type is used to watch the list of available -nodes. It has no parameters. +The "nodes" watch type is used to watch the list of available nodes. It has no parameters. This maps to the `/v1/catalog/nodes` API internally. @@ -345,6 +334,8 @@ Below is an example configuration: + + ```hcl { type = "nodes" @@ -352,6 +343,10 @@ Below is an example configuration: } ``` + + + + ```json { "type": "nodes", @@ -359,6 +354,8 @@ Below is an example configuration: } ``` + + Or, using the watch command: @@ -405,13 +402,7 @@ An example of the output of this command: ### Type: service ((#service)) -The "service" watch type is used to monitor the providers -of a single service. It requires the `service` parameter -and optionally takes the parameters `tag` and -`passingonly`. The `tag` parameter will filter by one or more tags. -It may be either a single string value or a slice of strings. -The `passingonly` parameter is a boolean that will filter to only the -instances passing all health checks. +The "service" watch type is used to monitor the providers of a single service. It requires the `service` parameter and optionally takes the parameters `tag` and `passingonly`. The `tag` parameter will filter by one or more tags. It may be either a single string value or a slice of strings. The `passingonly` parameter is a boolean that will filter to only the instances passing all health checks. This maps to the `/v1/health/service` API internally. @@ -419,6 +410,8 @@ Here is an example configuration with a single tag: + + ```hcl { type = "service" @@ -428,6 +421,10 @@ Here is an example configuration with a single tag: } ``` + + + + ```json { "type": "service", @@ -437,12 +434,16 @@ Here is an example configuration with a single tag: } ``` + + Here is an example configuration with multiple tags: + + ```hcl { type = "service" @@ -452,6 +453,10 @@ Here is an example configuration with multiple tags: } ``` + + + + ```json { "type": "service", @@ -461,6 +466,8 @@ Here is an example configuration with multiple tags: } ``` + + Or, using the watch command: @@ -549,18 +556,16 @@ An example of the output of this command: ### Type: checks ((#checks)) -The "checks" watch type is used to monitor the checks of a given -service or those in a specific state. It optionally takes the `service` -parameter to filter to a specific service or the `state` parameter to -filter to a specific state. By default, it will watch all checks. +The "checks" watch type is used to monitor the checks of a given service or those in a specific state. It optionally takes the `service` parameter to filter to a specific service or the `state` parameter to filter to a specific state. By default, it will watch all checks. -This maps to the `/v1/health/state/` API if monitoring by state -or `/v1/health/checks/` if monitoring by service. +This maps to the `/v1/health/state/` API if monitoring by state or `/v1/health/checks/` if monitoring by service. Here is an example configuration for monitoring by state: + + ```hcl { type = "checks" @@ -569,6 +574,10 @@ Here is an example configuration for monitoring by state: } ``` + + + + ```json { "type": "checks", @@ -577,12 +586,16 @@ Here is an example configuration for monitoring by state: } ``` + + Here is an example configuration for monitoring by service: + + ```hcl { type = "checks" @@ -591,6 +604,10 @@ Here is an example configuration for monitoring by service: } ``` + + + + ```json { "type": "checks", @@ -599,6 +616,8 @@ Here is an example configuration for monitoring by service: } ``` + + Or, using the watch command: @@ -634,10 +653,7 @@ An example of the output of this command: ### Type: event ((#event)) -The "event" watch type is used to monitor for custom user -events. These are fired using the [consul event](/consul/commands/event) command. -It takes only a single optional `name` parameter which restricts -the watch to only events with the given name. +The "event" watch type is used to monitor for custom user events. These are fired using the [consul event](/consul/commands/event) command. It takes only a single optional `name` parameter which restricts the watch to only events with the given name. This maps to the `/v1/event/list` API internally. @@ -645,6 +661,8 @@ Here is an example configuration: + + ```hcl { type = "event" @@ -653,6 +671,10 @@ Here is an example configuration: } ``` + + + + ```json { "type": "event", @@ -661,6 +683,8 @@ Here is an example configuration: } ``` + + Or, using the watch command: diff --git a/website/content/docs/concepts/service-discovery.mdx b/website/content/docs/concepts/service-discovery.mdx deleted file mode 100644 index 44c83b74147..00000000000 --- a/website/content/docs/concepts/service-discovery.mdx +++ /dev/null @@ -1,95 +0,0 @@ ---- -layout: docs -page_title: Service Discovery Explained -description: >- - Service discovery dynamically tracks and monitors service instances on your network and makes them discoverable through DNS queries. Learn about the benefits of service discovery and how it works. ---- - -# What is service discovery? - -_Service discovery_ helps you discover, track, and monitor the health of services within a network. Service discovery registers and maintains a record of all your services in a _service catalog_. This service catalog acts as a single source of truth that allows your services to query and communicate with each other. - -## Benefits of service discovery - -Service discovery provides benefits for all organizations, ranging from simplified scalability to improved application resiliency. Some of the benefits of service discovery include: - -- Dynamic IP address and port discovery -- Simplified horizontal service scaling -- Abstracts discovery logic away from applications -- Reliable service communication ensured by health checks -- Load balances requests across healthy service instances -- Faster deployment times achieved by high-speed discovery -- Automated service registration and de-registration - -## How does service discovery work? - -Service discovery uses a service's identity instead of traditional access information (IP address and port). This allows you to dynamically map services and track any changes within a service catalog. Service consumers (users or other services) then use DNS to dynamically retrieve other service's access information from the service catalog. The lifecycle of a service may look like the following: - -A service consumer communicates with the "Web" service via a unique Consul DNS entry provided by the service catalog. - -![Example diagram of how service consumers query for services](/img/what_is_service_discovery\_1.png) - -A new instance of the "Web" service registers itself to the service catalog with its IP address and port. As new instances of your services are registered to the service catalog, they will participate in the load balancing pool for handling service consumer requests. - -![Example diagram of how a service is registered to the service catalog](/img/what_is_service_discovery\_2.png) - -The service catalog is dynamically updated as new instances of the service are added and legacy or unhealthy service instances are removed. Removed services will no longer participate in the load balancing pool for handling service consumer requests. - -![Example diagram of how unhealthy services are removed from the service catalog](/img/what_is_service_discovery\_3.png) - -## What is service discovery in microservices? - -In a microservices application, the set of active service instances changes frequently across a large, dynamic environment. These service instances rely on a service catalog to retrieve the most up-to-date access information from the respective services. A reliable service catalog is especially important for service discovery in microservices to ensure healthy, scalable, and highly responsive application operation. - -## What are the two main types of service discovery? - -There are two main service‑discovery patterns: _client-side_ discovery and _server-side_ discovery. - -In systems that use client‑side discovery, the service consumer is responsible for determining the access information of available service instances and load balancing requests between them. - -1. The service consumer queries the service catalog -1. The service catalog retrieves and returns all access information -1. The service consumer selects a healthy downstream service and makes requests directly to it - -![Example diagram of client-side discovery concept](/img/what_is_service_discovery\_4.png) - -In systems that use server‑side discovery, the service consumer uses an intermediary to query the service catalog and make requests to them. - -1. The service consumer queries an intermediary (Consul) -1. The intermediary queries the service catalog and routes requests to the available service instances. - -![Example diagram of server-side discovery concept](/img/what_is_service_discovery\_5.png) - -For modern applications, this discovery method is advantageous because developers can make their applications faster and more lightweight by decoupling and centralizing service discovery logic. - -## Service discovery vs load balancing - -Service discovery and load balancing share a similarity in distributing requests to back end services, but differ in many important ways. - -Traditional load balancers are not designed for rapid registration and de-registration of services, nor are they designed for high-availability. By contrast, service discovery systems use multiple nodes that maintain the service registry state and a peer-to-peer state management system for increased resilience across any type of infrastructure. - -For modern, cloud-based applications, service discovery is the preferred method for directing traffic to the right service provider due to its ability to scale and remain resilient, independent of infrastructure. - -## How do you implement service discovery? - -You can implement service discovery systems across any type of infrastructure, whether it is on-premise or in the cloud. Service discovery is a native feature of many container orchestrators such as Kubernetes or Nomad. There are also platform-agnostic service discovery methods available for non-container workloads such as VMs and serverless technologies. Implementing a resilient service discovery system involves creating a set of servers that maintain and facilitate service registry operations. You can achieve this by installing a service discovery system or using a managed service discovery service. - -## What is Consul? - -Consul is a service networking solution that lets you automate network configurations, discover services, and enable secure connectivity across any cloud or runtime. With these features, Consul helps you solve the complex networking and security challenges of operating microservices and cloud infrastructure (multi-cloud and hybrid cloud). You can use these features independently or together to achieve [zero trust](https://www.hashicorp.com/solutions/zero-trust-security) security. - -Consul's service discovery capabilities help you discover, track, and monitor the health of services within a network. Consul acts as a single source of truth that allows your services to query and communicate with each other. - -You can use Consul with virtual machines (VMs), containers, serverless technologies, or with container orchestration platforms, such as [Nomad](https://www.nomadproject.io/) and Kubernetes. Consul is platform agnostic which makes it a great fit for all environments, including legacy platforms. - -Consul is available as a [self-managed](/consul/downloads) project or as a fully managed service mesh solution ([HCP Consul Dedicated](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs)). HCP Consul Dedicated enables users to discover and securely connect services without the added operational burden of maintaining a service mesh on their own. - -## Next steps - -Get started with service discovery today by leveraging Consul on HCP, Consul on Kubernetes, or Consul on VMs. Prepare your organization for the future of multi-cloud and embrace a [zero-trust](https://www.hashicorp.com/solutions/zero-trust-security) architecture. - -Feel free to get started with Consul by exploring one of these Consul tutorials: - -- [Get Started with Consul on VMs](/consul/tutorials/get-started-vms) -- [Get Started with Consul on HCP](/consul/tutorials/get-started-hcp) -- [Get Started with Consul on Kubernetes](/consul/tutorials/get-started-kubernetes) diff --git a/website/content/docs/concepts/service-mesh.mdx b/website/content/docs/concepts/service-mesh.mdx deleted file mode 100644 index 33ebf1478d8..00000000000 --- a/website/content/docs/concepts/service-mesh.mdx +++ /dev/null @@ -1,118 +0,0 @@ ---- -layout: docs -page_title: Service Mesh Explained -description: >- - Service mesh is a dedicated network layer for secure, resilient, observable microservice communication. Learn about using Consul's service mesh to solve service networking challenges in application architectures and manage complexity in multi-cloud, hybrid cloud, and multi-platform environments. ---- - -# What is a service mesh? - -A _service mesh_ is a dedicated network layer that provides secure service-to-service communication within and across infrastructure, including on-premises and cloud environments. -Service meshes are often used with a microservice architectural pattern, but can provide value in any scenario where complex networking is involved. - -## Benefits of a service mesh - -A service mesh provides benefits for all organizations, ranging from security to improved application resiliency. -Some of the benefits of a service mesh include; - -- service discovery -- application health monitoring -- load balancing -- automatic failover -- traffic management -- encryption -- observability and traceability -- authentication and authorization -- network automation - -A common use case for leveraging a service mesh is to achieve a [_zero trust_ model](https://www.consul.io/use-cases/zero-trust-networking). -In a zero trust model, applications require identity-based access to ensure all communication within the service mesh is authenticated with TLS certificates and encrypted in transit. - -In traditional security strategies, protection is primarily focused at the perimeter of a network. -In cloud environments, the surface area for network access is much wider than the traditional on-premises networks. -In addition, traditional security practices overlook the fact that many bad actors can originate from within the network walls. -A zero trust model addresses these concerns while allowing organizations to scale as needed. - -## How does a service mesh work? - -A service mesh typically consist of a control plane and a data plane. The control plane maintains a central registry that keeps track of all services and their respective IP addresses. This activity is called [service discovery](https://www.hashicorp.com/products/consul/service-discovery-and-health-checking). -As long as the application is registered with the control plane, the control plane will be able to share with other members of the mesh how to communicate with the application and enforce rules for who can communicate with each other. - -The control plane is responsible for securing the mesh, facilitating service discovery, health checking, policy enforcement, and other similar operational concerns. - -The data plane handles communication between services. -Many service mesh solutions employ a sidecar proxy to handle data plane communications, and thus limit the level of awareness the services need to have about the network environment. - -![Overview of a service mesh](/img/what_is_service_mesh\_1.png) - -## API gateway vs service mesh - -An API gateway is a centralized access point for handling incoming client requests and delivering them to services. -The API gateway acts as a control plane that allows operators and developers to manage incoming client requests and apply different handling logic depending on the request. -The API gateway will route the incoming requests to the respective service. The primary function of an API gateway is to handle requests and return the reply from the service back to the client. - -A service mesh specializes in the network management of services and the communication between services. -The mesh is responsible for keeping track of services and their health status, IP address, and traffic routing and ensuring all traffic between services is authenticated and encrypted. -Unlike some API gateways, a service mesh will track all registered services' lifecycle and ensure requests are routed to healthy instances of the service. -API gateways are frequently deployed alongside a load balancer to ensure traffic is directed to healthy and available instances of the service. -The mesh reduces the load balancer footprint as routing responsibilities are handled in a decentralized manner. - -API gateways can be used with a service mesh to bridge external networks (non-mesh) with a service mesh. - --> **API gateways and traffic direction:** API gateways are often used to accept north-south traffic. North-south traffic is networking traffic that either enters or exits a datacenter or a virtual private network (VPC). You can connect API gateways to a service mesh and provide access to it from outside the mesh. -A service mesh is primarily used for handling east-west traffic. East-west traffic traditionally remains inside a data center or a VPC. -A service mesh can be connected to another service mesh in another data center or VPC to form a federated mesh. - -## What problems does a service mesh solve? - -Modern infrastructure is transitioning from being primarily static to dynamic in nature (ephemeral). -This dynamic infrastructure has a short life cycle, meaning virtual machines (VM) and containers are frequently recycled. -It's difficult for an organization to manage and keep track of application services that live on short-lived resources. A service mesh solves this problem by acting as a central registry of all registered services. -As instances of a service (e.g., VM, container, serverless functions) come up and down, the mesh is aware of their state and availability. The ability to conduct _service discovery_ is the foundation to the other problems a service mesh solves. - -As a service mesh is aware of the state of a service and its instances, the mesh can implement more intelligent and dynamic network routing. -Many service meshes offer L7 traffic management capabilities. As a result, operators and developers can create powerful rules to direct network traffic as needed, such as load balancing, traffic splitting, dynamic failover, and custom resolvers. -A service mesh's dynamic network behavior allows application owners to improve application resiliency and availability with no application changes. - -Implementing dynamic network behavior is critical as more and more applications are deployed across different cloud providers (multi-cloud) and private data centers. -Organizations may need to route network traffic to other infrastructure environments. Ensuring this traffic is secure is on top of mind for all organizations. -Service meshes offer the ability to enforce network traffic encryption (mTLS) and authentication between all services. The service mesh can automatically generate an SSL certificate for each service and its instances. -The certificate authenticates with other services inside the mesh and encrypts the TCP/UDP/gRPC connection with SSL. - -Fine-grained policies that dictate what services are allowed to communicate with each other is another benefit of a service mesh. -Traditionally, services are permitted to communicate with other services through firewall rules. -The traditional firewall (IP-based) model is difficult to enforce with dynamic infrastructure resources with a short lifecycle and frequently recycling IP addresses. -As a result, network administrators have to open up network ranges to permit network traffic between services without differentiating the services generating the network traffic. However, a service mesh allows operators and developers to shift away from an IP-based model and focus more on service to service permissions. -An operator defines a policy that only allows _service A_ to communicate with _service B_. Otherwise, the default action is to deny the traffic. -This shift from an IP address-based security model to a service-focused model reduces the overhead of securing network traffic and allows an organization to take advantage of multi-cloud environments without sacrificing security due to complexity. - -## How do you implement a service mesh? - -Service meshes are commonly installed in Kubernetes clusters. There are also platform-agnostic service meshes available for non-Kubernetes-based workloads. -For Kubernetes, most service meshes can be installed by operators through a [Helm chart](https://helm.sh/). Additionally, the service mesh may offer a CLI tool that supports the installation and maintenance of the service mesh. -Non-Kubernetes based service meshes can be installed through infrastructure as code (IaC) products such as [Terraform](https://www.terraform.io/), CloudFormation, ARM Templates, Puppet, Chef, etc. - -## What is a multi platform service mesh? - -A multi-platform service mesh is capable of supporting various infrastructure environments. -This can range from having the service mesh support Kubernetes and non-Kubernetes workloads, to having a service mesh span across various cloud environments (multi-cloud and hybrid cloud). - -## What is Consul? - -Consul is a multi-networking tool that offers a fully-featured service mesh solution that solves the networking and security challenges of operating microservices and cloud infrastructure (multi-cloud and hybrid cloud). -Consul offers a software-driven approach to routing and segmentation. It also brings additional benefits such as failure handling, retries, and network observability. -Each of these features can be used individually as needed or they can be used together to build a full service mesh and achieve [zero trust](https://www.hashicorp.com/solutions/zero-trust-security) security. -In simple terms, Consul is the control plane of the service mesh. The data plane is supported by Consul through its first class support of [Envoy](https://www.envoyproxy.io/) as a proxy. - -You can use Consul with virtual machines (VMs), containers, or with container orchestration platforms, such as [Nomad](https://www.nomadproject.io/) and Kubernetes. -Consul is platform agnostic which makes it a great fit for all environments, including legacy platforms. - -Consul is available as a [self-install](/consul/downloads) project or as a fully managed service mesh solution called [HCP Consul Dedicated](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs). -HCP Consul Dedicated enables users to discover and securely connect services without the added operational burden of maintaining a service mesh on their own. - -You can learn more about Consul by visiting the Consul [tutorials](/consul/tutorials). - -## Next - -Get started today with a service mesh by leveraging [HCP Consul Dedicated](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs). -Prepare your organization for the future of multi-cloud and embrace a [zero-trust](https://www.hashicorp.com/solutions/zero-trust-security) architecture. diff --git a/website/content/docs/connect/config-entries/file-system-certificate.mdx b/website/content/docs/connect/config-entries/file-system-certificate.mdx deleted file mode 100644 index d633139a776..00000000000 --- a/website/content/docs/connect/config-entries/file-system-certificate.mdx +++ /dev/null @@ -1,170 +0,0 @@ ---- -layout: docs -page_title: File system certificate configuration reference -description: Learn how to configure a file system certificate bound to an API Gateway on VMs. ---- - -# File system certificate configuration reference - -This topic provides reference information for the file system certificate -configuration entry. The file system certificate is a more secure alternative to the [inline certificate configuration entry](/consul/docs/connect/config-entries/inline-certificate) when using Consul API Gateway on VMs because it references a local filepath instead of including sensitive information in the configuration entry itself. File system certificates also include a file system watch that implements certificate and key changes without restarting the gateway. - -Consul on Kubernetes deployments that use `consul-k8s` Helm chart v1.5.0 or later use file system certificates without additional configuration. To learn about configuring certificates for Kubernetes environments, refer to [Gateway Resource Configuration](/consul/docs/connect/gateways/api-gateway/configuration/gateway). - -## Configuration model - -The following list outlines field hierarchy, language-specific data types, and -requirements in a `file-system-certificate` configuration entry. Click on a property name -to view additional details, including default values. - -- [`Kind`](#kind): string | must be set to `"file-system-certificate"` -- [`Name`](#name): string | no default -- [`Namespace`](#namespace): string | no default -- [`Partition`](#partition): string | no default -- [`Meta`](#meta): map | no default -- [`Certificate`](#certificate): string | no default -- [`PrivateKey`](#privatekey): string | no default - -## Complete configuration - -When every field is defined, a `file-system-certificate` configuration entry has the following form: - - - - - -```hcl -Kind = "file-system-certificate" -Name = "" -Namespace = "ns" -Partition = "default" -Meta = { - "" = "" -} - -Certificate = "" -PrivateKey = "" -``` - - - - - -```json -{ - "Kind": "file-system-certificate", - "Name": "", - "Namespace": "ns", - "Partition": "default", - "Meta": { - "key": "value" - }, - "Certificate": "", - "PrivateKey": "" -} -``` - - - - -## Specification - -### `Kind` - -Specifies the type of configuration entry to implement. - -#### Values - -- Default: None -- This field is required. -- Data type: string that must equal `"file-system-certificate"` - -### `Name` - -Specifies a name for the configuration entry. The name is metadata that you can -use to reference the configuration entry when performing Consul operations, such -as applying a configuration entry to a specific cluster. - -#### Values - -- Default: None -- This field is required. -- Data type: string - -### `Namespace` - -Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to apply to the configuration entry. - -#### Values - -- Default: `"default"` in Enterprise -- Data type: string - -### `Partition` - -Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) to apply to the configuration entry. - -#### Values - -- Default: `"default"` in Enterprise -- Data type: string - -### `Meta` - -Specifies an arbitrary set of key-value pairs to associate with the gateway. - -#### Values - -- Default: None -- Data type: map containing one or more keys and string values. - -### `Certificate` - -Specifies the path to a file that contains a public certificate to use for TLS. This filepath must be accessible to the API gateway proxy at runtime. - -#### Values - -- Default: none -- This field is required. -- Data type: string value of the filepath to a public certificate - -### `PrivateKey` - -Specifies the path to a file that contains a private key to use for TLS. This filepath must be accessible to the API gateway proxy at runtime. - -#### Values - -- Default: none -- This field is required. -- Data type: string value of the filepath to a private key - -## Examples - -The following example demonstrates a file system certificate configuration. - - - - - -```hcl -Kind = "file-system-certificate" -Name = "tls-certificate" -Certificate = "/opt/consul/tls/api-gateway.crt" -PrivateKey = "/opt/consul/tls/api-gateway.key" -``` - - - - - -```json -{ - "Kind": "file-system-certificate", - "Name": "tls-certificate", - "Certificate": "opt/consul/tls/api-gateway.crt", - "PrivateKey": "/opt/consul/tls/api-gateway.key" -} -``` - - - \ No newline at end of file diff --git a/website/content/docs/connect/config-entries/index.mdx b/website/content/docs/connect/config-entries/index.mdx deleted file mode 100644 index 309ea26b177..00000000000 --- a/website/content/docs/connect/config-entries/index.mdx +++ /dev/null @@ -1,60 +0,0 @@ ---- -layout: docs -page_title: Configuration Entry Overview -description: >- - Configuration entries define service mesh behaviors in order to secure and manage traffic. Learn about Consul’s different config entry kinds and get links to configuration reference pages. ---- - -# Configuration Entry Overview - -Configuration entries can be used to configure the behavior of Consul service mesh. - -The following configuration entries are supported: - -- [API Gateway](/consul/docs/connect/config-entries/api-gateway) - defines the configuration for an API gateway - -- [Ingress Gateway](/consul/docs/connect/config-entries/ingress-gateway) - defines the - configuration for an ingress gateway - -- [Mesh](/consul/docs/connect/config-entries/mesh) - controls - mesh-wide configuration that applies across namespaces and federated datacenters. - -- [Exported Services](/consul/docs/connect/config-entries/exported-services) - enables - Consul to export service instances to other peers or to other admin partitions local or remote to the datacenter. - -- [Proxy Defaults](/consul/docs/connect/config-entries/proxy-defaults) - controls - proxy configuration - -- [Sameness Group](/consul/docs/connect/config-entries/sameness-group) - defines partitions and cluster peers with identical services - -- [Service Defaults](/consul/docs/connect/config-entries/service-defaults) - configures - defaults for all the instances of a given service - -- [Service Intentions](/consul/docs/connect/config-entries/service-intentions) - defines - the [intentions](/consul/docs/connect/intentions) for a destination service - -- [Service Resolver](/consul/docs/connect/config-entries/service-resolver) - matches - service instances with a specific Connect upstream discovery requests - -- [Service Router](/consul/docs/connect/config-entries/service-router) - defines - where to send layer 7 traffic based on the HTTP route - -- [Service Splitter](/consul/docs/connect/config-entries/service-splitter) - defines - how to divide requests for a single HTTP route based on percentages - -- [Terminating Gateway](/consul/docs/connect/config-entries/terminating-gateway) - defines the - services associated with terminating gateway - -## Managing Configuration Entries - -See [Agent - Config Entries](/consul/docs/agent/config-entries). - -## Using Configuration Entries For Service Defaults - -Outside of Kubernetes, when the agent is -[configured](/consul/docs/agent/config/config-files#enable_central_service_config) to enable -central service configurations, it will look for service configuration defaults -that match a registering service instance. If it finds any, the agent will merge -those defaults with the service instance configuration. This allows for things -like service protocol or proxy configuration to be defined globally and -inherited by any affected service registrations. diff --git a/website/content/docs/connect/config-entries/registration.mdx b/website/content/docs/connect/config-entries/registration.mdx deleted file mode 100644 index 95740cb084f..00000000000 --- a/website/content/docs/connect/config-entries/registration.mdx +++ /dev/null @@ -1,670 +0,0 @@ ---- -layout: docs -page_title: Registration CRD configuration reference -description: The Registration CRD enables Consul on Kubernetes to register an external service without a terminating gateway. Learn how to configure a Registration CRD in YAML with a specification reference, configuration model, a complete example, and example code. ---- - -# Registration CRD configuration reference - -This topic provides reference information for `Registration` custom resource definitions (CRDs). You can use this CRD to register an external service with Consul on Kubernetes. For more information. Refer to [Register services running on external nodes to Consul on Kubernetes](/consul/docs/k8s/deployment-configurations/external-service) for more information. - -## Configuration model - -The following list outlines field hierarchy, language-specific data types, and requirements in a `Registration` CRD. Click on a property name to view additional details, including default values. - -- [`apiVersion`](#apiversion): string | required | must be set to `consul.hashicorp.com/v1alpha1` -- [`kind`](#kind): string | required | must be set to `Registration` -- [`metadata`](#metadata): map - - [`name`](#metadata-name): string -- [`spec`](#spec): map | required - - [`address`](#spec-address): string - - [`check`](#spec-check): map - - [`checkId`](#spec-check-checkid): string - - [`definition`](#spec-check-definition): map - - [`body`](#spec-check-definition): string - - [`deregisterCriticalServiceAfterDuration`](#spec-check-definition): string - - [`grpc`](#spec-check-definition): string - - [`grpcUseTLS`](#spec-check-definition): boolean | `false` - - [`header`](#spec-check-definition): map of strings - - [`http`](#spec-check-definition): string - - [`intervalDuration`](#spec-check-definition): string - - [`method`](#spec-check-definition): string - - [`osService`](#spec-check-definition): string - - [`tcp`](#spec-check-definition): string - - [`tcpUseTLS`](#spec-check-definition): boolean - - [`timeoutDuration`](#spec-check-definition): string - - [`tlsServerName`](#spec-check-definition): string - - [`tlsSkipVerify`](#spec-check-definition): boolean | `false` - - [`udp`](#spec-check-definition): string - - [`exposedPort`](#spec-check-exposed-port): integer - - [`name`](#spec-check-name): string - - [`namespace`](#spec-check-namespace): string - - [`node`](#spec-check-node): string - - [`notes`](#spec-check-notes): string - - [`output`](#spec-check-output): string - - [`partition`](#spec-check-partition): string - - [`serviceId`](#spec-check-serviceid): string - - [`serviceName`](#spec-check-servicename): string - - [`status`](#spec-check-status): string - - [`type`](#spec-check-type): string - - [`datacenter`](#spec-datacenter): string - - [`id`](#spec-id): string - - [`locality`](#spec-locality): map - - [`region`](#spec-locality): string - - [`zone`](#spec-locality): string - - [`node`](#spec-node): string - - [`nodeMeta`](#spec-nodemeta): map of strings - - [`partition`](#spec-partition): string - - [`service`](#spec-service): map - - [`address`](#spec-service-address): string - - [`enableTagOverride`](#spec-service-enabletagoverride): boolean | `false` - - [`id`](#spec-service-id): string - - [`locality`](#spec-service-locality): map - - [`region`](#spec-service-locality): string - - [`zone`](#spec-service-locality): string - - [`meta`](#spec-service-meta): map of strings - - [`name`](#spec-service-name): string - - [`namespace`](#spec-service-namespace): string - - [`partition`](#spec-service-partition): string - - [`port`](#spec-service-port): integer - - [`socketPath`](#spec-service-socketpath): string - - [`taggedAddresses`](#spec-service-taggedaddresses): map - - [`address`](#spec-service-taggedaddresses): string - - [`port`](#spec-service-port): integer - - [`tags`](#spec-service-tags): map of strings - - [`weights`](#spec-service-weights): map - - [`passing`](#spec-service-weights): integer | `1` - - [`warning`](#spec-service-weights): integer | `1` - - [`skipNodeUpdate`](#spec-skipnodeupdate): boolean | `false` - - [`taggedAddresses`](#spec-taggedaddresses): map of strings - -## Complete configuration - -When every field is defined, a `Registration` CRD has the following form: - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 # required -kind: Registration # required -metadata: - name: -spec: - address: 10.0.0.1 - check: - name: external-health-check - checkId: unique-id - definition: - body: "{\"custom\": \"json\"}" - deregisterCriticalServiceAfterDuration: false - grpc: 127.0.0.1:443 - grpcUseTLS: false - header: - name: - intervalDuration: "5s" - method: "GET" - osService: - tcp: 127.0.0.1:4242 - tcpUseTLS: false - timeoutDuration: 10s - tlsServerName: - tlsSkipVerify: false - udp: 127.0.0.1:80 - exposedPort: 200 - namespace: default - notes: "Human readable description" - output: "Human readable output" - partition: default - serviceId: - serviceName: - status: critical - type: HTTP - datacenter: dc1 - id: - locality: - region: us-east-1 - zone: us-east-1a - node: - nodeMeta: - - key: value - partition: default - service: - address: "10.0.0.1:8300" - enableTagOverride: false - id: - locality: - region: us-east-1 - zone: us-east-1a - meta: - key: value - name: - namespace: default - partition: default - port: 5400 - socketPath: /folder/socket - taggedAddresses: - lan: - address: 127.0.1.0 - port: 80 - tags: - - "v2" - - "primary" - weights: - passing: 1 - warning: 1 - skipNodeUpdate: false - taggedAddresses: - lan: "192.168.10.10" -``` - -## Specification - -This section provides details about the fields you can configure in the `Registration` CRD. - -### `apiVersion` - -Specifies the version of the Consul API for integrating with Kubernetes. The value must be `consul.hashicorp.com/v1alpha1`. - -#### Values - -- Default: None -- This field is required. -- String value that must be set to `consul.hashicorp.com/v1alpha1`. - -### `kind` - -Specifies the type of configuration entry to implement. Must be set to `Registration`. - -#### Values - -- Default: None -- This field is required. -- Data type: String value that must be set to `Registration`. - -### `metadata` - -Map that contains an arbitrary name for the configuration entry and the namespace it applies to. - -#### Values - -- Default: None -- Data type: Map - -### `metadata.name` - -Specifies a name for the configuration entry that is used to identify the sameness group. To ensure consistency, use descriptive names and make sure that the same name is used when creating configuration entries to add each member to the sameness group. - -#### Values - -- Default: None -- This field is required. -- Data type: String - -### `spec` - -Map that contains the details about the `Registration` CRD. The `apiVersion`, `kind`, and `metadata` fields are siblings of the spec field. All other configurations are children. - -#### Values - -- Default: None -- This field is required. -- Data type: Map - -### `spec.address` - -Specifies the IP address where the external service is available. - -#### Values - -- Default: None -- Data type: String - -### `spec.check` - -Specifies details for a health check. Health checks perform several safety functions, such as allowing a web balancer to gracefully remove failing nodes and allowing a database to replace a failed secondary. You can configure health checks to monitor the health of the entire node. - -For more information about configuring health checks for Consul, refer to [health check configuration reference](/consul/docs/services/configuration/checks-configuration-reference). - -#### Values - -- Default: None -- Data type: Map - -### `spec.check.checkId` - -Specifies an ID for the health check. When `name` values conflict, provide a unique identifier to avoid overwriting existing checks. - -#### Values - -- Default: None -- Data type: String - -### `spec.check.definition` - -Specifies additional configuration details for the health check. - -Requires child parameters `deregisterCriticalServiceAfterDuration`, `intervalDuration`, and `timeoutDuration`. - -#### Values - -- Default: None -- Data type: Map that can contain the following parameters: - -| Parameter | Description | Type | Default | -| :------------------------------------------------------------- | :---------- | :---------- | :---------- | -| `spec.check.definition.body` | Specifies JSON attributes to send in HTTP check requests. You must escape the quotation marks around the keys and values for each attribute. | String | None | -| `spec.check.definition.deregisterCriticalServiceAfterDuration` | Specifies how long a service and its associated checks are allowed to be in a `critical` state. Consul deregisters services if they are `critical` for the specified amount of time. This parameter is required to configure `spec.check.definition`. | String | `"30s"` | -| `spec.check.definition.grpc` | Specifies the gRPC endpoint, including port number, to send requests to. Append the endpoint with `:/` and a service identifier to check a specific service. The endpoint must support the [gRPC health checking protocol](https://github.com/grpc/grpc/blob/master/doc/health-checking.md). | String | None | -| `spec.check.definition.grpcUseTLS` | Enables TLS for gRPC checks when set to `true`. | Boolean | `false` | -| `spec.check.definition.header` | Specifies header fields to send in HTTP check requests. | Map of strings | None | -| `spec.check.definition.http` | Specifies an HTTP endpoint to send requests to. | String | None | -| `spec.check.definition.intervalDuration` | Specifies how frequently to run the health check. This parameter is required to configure `spec.check.definition`. | String | `"5s"` | -| `spec.check.definition.method` | Specifies the request method to send during HTTP checks. | String | `GET` | -| `spec.check.definition.osService` | Specifies the name of the name of a service to check during an OSService check. | String | None | -| `spec.check.definition.tcp` | Specifies an IP address or host and port number that the check establishes a TCP connection with. | String | None | -| `spec.check.definition.tcpUseTLS` | Enables TLS for TCP checks when set to `true`. | Boolean | `false` | -| `spec.check.definition.timeoutDuration` | Specifies how long unsuccessful requests take to end with a timeout. This parameter is required to configure `spec.check.definition`. | String | `"10s"` | -| `spec.check.definition.tlsServerName` | Specifies the server name used to verify the hostname on the returned certificates unless `tls_skip_verify` is configured. This value is also included in the client's handshake to support SNI. It is recommended that this field be left unspecified. Refer to [health check configuration reference](/consul/docs/services/configuration/checks-configuration-reference#check-block) for more information. | String | None | -| `spec.check.definition.tlsSkipVerify` | Determines if the check verifies the chain and hostname of the certificate that the server presents. Set to `true` to disable verification. We recommend setting to `false` in production environments. | Boolean | `false` | -| `spec.check.definition.udp` | Specifies an IP address or host and port number for the check to send UDP datagrams to. | String | None | - -### `spec.check.exposedPort` - -Specifies the port the service exposes to health checks. - -#### Values - -- Default: None -- Data type: Integer - -### `spec.check.name` - -Specifies a name for the health check. Defaults to [`spec.service.id`](#spec-service-id). - -#### Values - -- Default: None -- Data type: String - -### `spec.check.namespace` - -Specifies the Consul namespace the health check applies to. Refer to [namespaces](/consul/docs/enterprise/namespace) for more information. - -#### Values - -- Default: None -- Data type: String - -### `spec.check.node` - -Specifies the name of the node the health check applies to. - -#### Values - -- Default: None -- Data type: String - -### `spec.check.notes` - -Provides a human-readable description of the health check. The contents are not visible to Consul. - -#### Values - -- Default: None -- Data type: String - -### `spec.check.output` - -Specifies human readable output in response to a health check. - -#### Values - -- Default: None -- Data type: String - -### `spec.check.partition` - -Specifies the Consul admin partition the health check applies to. Refer to [admin partitions](/consul/docs/enterprise/admin-partitions) for more information. - -#### Values - -- Default: None -- Data type: String - -### `spec.check.serviceId` - -Specifies the ID of the service to perform the health check on. - -#### Values - -- Default: None -- Data type: String - -### `spec.check.serviceName` - -Specifies the name of the service to perform the health check on. - -#### Values - -- Default: None -- Data type: String - -### `spec.check.status` - -Specifies the initial status of the health check. The default value for this field is `critical`, which requires services to pass a health check before making them available for service disocvery. You can specify one the following values: - -- `critical` -- `warning` -- `passing` - -#### Values - -- Default: `critical` -- Data type: String - -### `spec.check.type` - -Specifies the type health check in the form of a Kubernetes probe. - -#### Values - -- Default: None -- Data type: String - -### `spec.datacenter` - -Specifies the datacenter to register the service's node in, which defaults to the agent's datacenter if not provided. - -#### Values - -- Default: None -- Data type: String - -### `spec.id` - -Specifies a unique ID for the node to register. This optional ID must be a 36-character UUID-formatted string. - -#### Values - -- Default: None -- Data type: String - -### `spec.locality` - -Specifies the cloud region and zone where the node is available. - -#### Values - -- Default: None -- Data type: Map that can contain the following parameters: - -| Parameter | Description | Data type | Default | -| :-------- | :---------- | :-------- | :------ | -| `spec.locality.region` | Specifies the region where the node is running. Consul assigns this value to services registered to that agent. When service proxy regions match, Consul is able to prioritize routes between service instances in the same region over instances in other regions. You must specify values that are consistent with how regions are defined in your network, for example `us-west-1` for networks in AWS. | String | None | -| `spec.locality.zone` | Specifies the availability zone where the node is running. Consul assigns this value to services registered to that agent. When service proxy regions match, Consul is able to prioritize routes between service instances in the same region and zone over instances in other regions and zones. When healthy service instances are available in multiple zones within the most-local region, Consul prioritizes instances that also match the downstream proxy's `zone`. You must specify values that are consistent with how zones are defined in your network, for example `us-west-1a` for networks in AWS. | String | None | - -### `spec.node` - -Specifies the name of the node to register. - -#### Values - -- Default: None -- Data type: String - -### `spec.nodeMeta` - -Specifies arbitrary KV metadata pairs for filtering purposes. - -#### Values - -- Default: None -- Data type: Map of strings - -### `spec.partition` - -Specifies the admin partition of the node to register. - -#### Values - -- Default: None -- Data type: String - -### `spec.service` - -Specifies the service to register. The `Service.Service` field is required. If `Service.ID` is not provided, the default is the `Service.Service`. - -You can only specify one service with a given `ID` per node. We recommend using valid DNS labels for service definition names. Refer to [Internet Engineering Task Force's RFC 1123](https://datatracker.ietf.org/doc/html/rfc1123#page-72) for additional information. Service names that conform to standard usage ensures compatibility with external DNSs. Refer to [Services Configuration Reference](/consul/docs/services/configuration/services-configuration-reference#name) for more information. - -#### Values - -- Default: None -- Data type: Map - -### `spec.service.address` - -Specifies a service-specific IP address or hostname. If no value is specified, the IP address of the agent node is used by default. There is no service-side validation of this parameter. - -#### Values - -- Default: None -- Data type: String - -### `spec.service.enableTagOverride` - -Setermines if the anti-entropy feature for the service is enabled. - -Set to `true` to allow external Consul agents to modify tags on the services in the Consul catalog. The local Consul agent ignores updated tags during subsequent sync operations. - -This parameter only applies to the locally-registered service. When multiple nodes register a service with the same name, the `enable_tag_override` configuration and all other service configuration items operate independently. - -Refer to [Modify anti-entropy synchronization](/consul/docs/services/usage/define-services#modify-anti-entropy-synchronization) for additional information. - -#### Values - -- Default: `false` -- Data type: Boolean - -### `spec.service.id` - -Specifies an ID for the service. Services on the same node must have unique IDs. We recommend specifying unique values if the default name conflicts with other services. - -#### Values - -- Default: None -- Data type: String - -### `spec.service.locality` - -Specifies the region and zone in the cloud service provider (CSP) where the service is available. Configure this field to enable Consul to route traffic to the nearest physical service instance. Services inherit the `locality` configuration of the Consul agent they are registered with, but you can explicitly define locality for your service instances if an override is needed. Refer to [Route traffic to local upstreams](/consul/docs/connect/manage-traffic/route-to-local-upstreams) for additional information. - -#### Values - -- Default: None -- Data type: Map that can contain the following parameters: - -| Parameter | Description | Data type | Default | -| :-------- | :---------- | :-------- | :------ | -| `spec.service.locality.region` | Specifies the region where the Consul agent is running. Consul assigns this value to services registered to that agent. When service proxy regions match, Consul is able to prioritize routes between service instances in the same region over instances in other regions. You must specify values that are consistent with how regions are defined in your network, for example `us-west-1` for networks in AWS. | String | None | -| `spec.service.locality.zone` | Specifies the availability zone where the Consul agent is running. Consul assigns this value to services registered to that agent. When service proxy regions match, Consul is able to prioritize routes between service instances in the same region and zone over instances in other regions and zones. When healthy service instances are available in multiple zones within the most-local region, Consul prioritizes instances that also match the downstream proxy's `zone`. You must specify values that are consistent with how zones are defined in your network, for example `us-west-1a` for networks in AWS. | String | None | - -### `spec.service.meta` - -Specifies custom key-value pairs that associate semantic metadata with the service. You can specify up to 64 pairs that meet the following requirements: - -- Keys and values must be strings. -- Keys can only contain ASCII characters (`A` -` Z`, `a`- `z`, `0` - `9`, `_`, and `-`). -- Keys can not have special characters. -- Keys are limited to 128 characters. -- Values are limited to 512 characters. - -#### Values - -- Default: None -- Data type: Map of strings - -### `spec.service.name` - -Specifies a name for the service. We recommend using valid DNS labels for service definition names for compatibility with external DNSs. The value of this parameter is also used as the service ID if the `spec.service.id` parameter is not specified. - -#### Values - -- Default: None -- Data type: String - -### `spec.service.namespace` - -Specifies the Consul namespace to register the service in. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information. - -#### Values - -- Default: None -- Data type: String - -### `spec.service.partition` - -Specifies the Consul admin partition to register the service in. Refer to [admin partitions](/consul/docs/enterprise/admin-partitions) for more information. - -#### Values - -- Default: None -- Data type: String - -### `spec.service.port` - -Specifies a port number for the service. To improve service discoverability, we recommend specifying the port number, as well as an address in the tagged_addresses parameter. - -#### Values - -- Default: None -- Data type: Integer - -### `spec.service.socketPath` - -Specifies the path to the service socket. Specify this parameter to expose the service to the mesh if the service listens on a Unix Domain socket. - -#### Values - -- Default: None -- Data type: String - -### `spec.service.taggedAddresses` - -Configures additional addresses for a node or service. Remote agents and services can communicate with the service using a tagged address as an alternative to the address specified in [`spec.service.address`](#spec-serviceaddress). You can configure multiple addresses for a node or service. The following tags are supported: - -- `lan`: IPv4 LAN address where the node or service is accessible. -- `lan_ipv4`: IPv4 LAN address where the node or service is accessible. -- `lan_ipv6`: IPv6 LAN address where the node or service is accessible. -- `virtual`: A fixed address for the instances of a given logical service. -- `wan`: IPv4 WAN address where the node or service is accessible when dialed from a remote data center. -- `wan_ipv4`: IPv4 WAN address where the node or service is accessible when dialed from a remote data center. -- `wan_ipv6`: IPv6 WAN address at which the node or service is accessible when being dialed from a remote data center. - -#### Values - -- Default: None -- Data type: Map that contains a supported tag and a child map containing the following fields: - -| Parameter | Description | Type | Default | -| :------------------------------------- | :---------------------------- | :---------- | :---------- | -| `spec.service.taggedAddresses.address` | The address saved in the tag. | String | None | -| `spec.service.taggedAddresses.port` | The port saved in the tag. | String | None | - -### `spec.service.tags` - -Specifies a list of string values that add service-level labels. Tag values are opaque to Consul. We recommend using valid DNS labels for service definition IDs for compatibility with external DNSs. In the following example, the service is tagged as `v2` and `primary`: - -```yaml -spec: - service: - tags: ["v2", "primary"] -``` - -Consul uses tags as an anti-entropy mechanism to maintain the state of the cluster. You can disable the anti-entropy feature for a service using [`spec.service.enable_tag_override`](#spec-service-enabletagoverride), which enables external agents to modify tags on services in the catalog. Refer to [Modify anti-entropy synchronization](/consul/docs/services/usage/define-services#modify-anti-entropy-synchronization) for additional usage information. - -#### Values - -- Default: None -- Data type: Map of strings - -### `spec.service.weights` - -Configures how a service instance is weighted in a DNS SRV request based on the service's health status. Configuring tells DNS clients to direct more traffic to instances with a higher weight. A use case would be adjusting the weight higher for an instance with large capacity. It could also be used to reduce the load on services with checks in `warning` status by favoring passing instances with a higher weight. - -Larger integer values increase the weight state. - -You can specify one or more of the following states and configure an integer value indicating its weight: - -- `passing` -- `warning` - -Services in a `critical` state are excluded from DNS responses. Services with `warning` checks are included in responses by default. - -#### Values - -- Default: None -- Data type: Map containing the following parameters: - -| Parameter | Description | Type | Default | -| :----------------------------- | :---------------------------- | :---------- | :---------- | -| `spec.service.weights.passing` | Higher values increases the likelihood that a request is routed to a service in a `passing` state. | Integer | `1` | -| `spec.service.weights.warning` | Higher values increases the likelihood that a request is routed to a service in a `warning` state. | Integer | `1` | - -### `spec.skipNodeUpdate` - -Specifies whether to skip updating the node's information in the registration. This field is useful in casew where only a health check or service entry on a node needs to be updated or when a register request is intended to update a service entry or health check. In both use cases, node information is not be overwritten, if the node is already registered. Note, if the parameter is enabled for a node that does not exist, it is still be created. - -#### Values - -- Default: `false` -- Data type: Boolean - -### `spec.taggedAddresses` - -Specifies tagged addresses for the node. Remote agents and services can communicate with the service using a tagged address as an alternative to the address specified in [`spec.address`](#spec-serviceaddress). You can configure multiple addresses for a node or service. The following tags are supported: - -- `lan`: IPv4 LAN address where the node or service is accessible. -- `lan_ipv4`: IPv4 LAN address where the node or service is accessible. -- `lan_ipv6`: IPv6 LAN address where the node or service is accessible. -- `virtual`: A fixed address for the instances of a given logical service. -- `wan`: IPv4 WAN address where the node or service is accessible when dialed from a remote data center. -- `wan_ipv4`: IPv4 WAN address where the node or service is accessible when dialed from a remote data center. -- `wan_ipv6`: IPv6 WAN address at which the node or service is accessible when being dialed from a remote data center. - -#### Values - -- Default: None -- Data type: Map of strings - -## Examples - -The following example demonstrates a common `Registration` CRD configuration pattern. In this example, Consul registers a database service available at the IP address `10.96.32.66` that runs outside of the Kubernetes cluster where Consul is deployed. Consul runs an HTTP health check on this service every 10 seconds. - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: Registration -metadata: - name: external-database -spec: - node: node-virtual - check: - node: node-virtual - checkId: db-check - name: db - serviceName: db - serviceId: db-external - notes: "Runs the external health check for the database." - status: "passing" - definition: - http: "10.96.32.66:8081/health" - intervalDuration: "10s" - timeoutDuration: "10s" - deregisterCriticalServiceAfterDuration: "30s" - service: - name: db - id: db-external - address: "10.96.32.66" - port: 8081 - weights: - passing: 1 - warning: 1 - address: 10.96.32.66 -``` \ No newline at end of file diff --git a/website/content/docs/connect/config-entry.mdx b/website/content/docs/connect/config-entry.mdx new file mode 100644 index 00000000000..19d23cc6556 --- /dev/null +++ b/website/content/docs/connect/config-entry.mdx @@ -0,0 +1,67 @@ +--- +layout: docs +page_title: Service Mesh Configuration - Overview +description: >- + Learn how to enable and configure Consul's service mesh capabilities in agent configurations, and how to integrate with schedulers like Kubernetes and Nomad. Consul's service mesh capabilities are provided by the ""connect"" subsystem. +--- + +# Configure service mesh + +There are many configuration options exposed for Consul service mesh. The only option that must be set is the `connect.enabled` option on Consul servers to enable Consul service mesh. All other configurations are optional and have defaults suitable for many environments. + +The noun _connect_ is used throughout this documentation to refer to the connect subsystem that provides Consul's service mesh capabilities. Where you encounter the _noun_ connect, it is usually functionality specific to service mesh. + +## Agent configuration + +Begin by enabling service mesh for your Consul cluster. By default, service is disabled. Enabling service mesh requires changing the configuration of only your Consul _servers_ (not client agents). To enable service mesh, add the following to a new or existing [server configuration file](/consul/docs/reference/agent). In an existing cluster, this configuration change requires a Consul server restart, which you can perform one server at a time to maintain availability. In HCL: + + + + +```hcl +connect { + enabled = true +} +``` + +```json +{ + "connect": { + "enabled": true + } +} +``` + + +This will enable service mesh and configure your Consul cluster to use the built-in certificate authority for creating and managing certificates. You may also configure Consul to use an external [certificate management system](/consul/docs/secure-mesh/certificate), such as [Vault](https://www.vaultproject.io/). + +Services and proxies may always register with service mesh settings, but unless service mesh is enabled on the server agents, their attempts to communicate will fail because they have no means to obtain or verify service mesh TLS certificates. + +Other optional service mesh configurations that you can set in the server configuration file include: + +- [certificate authority settings](/consul/docs/reference/agent#connect) +- [token replication](/consul/docs/reference/agent#acl_tokens_replication) +- [dev mode](/consul/docsreference-cli/agent#_dev) +- [server host name verification](/consul/docs/reference/agent#tls_internal_rpc_verify_server_hostname) + +If you would like to use Envoy as your service mesh proxy you will need to [enable gRPC](/consul/docs/reference/agent#grpc_port). + +Additionally if you plan on using the observability features of Consul service mesh, it can be convenient to configure your proxies and services using [configuration entries](/consul/docs/agent/config-entries) which you can interact with using the CLI or API, or by creating configuration entry files. You will want to enable [centralized service configuration](/consul/docs/reference/agent#enable_central_service_config) on clients, which allows each service's proxy configuration to be managed centrally via API. + +!> **Security note:** Enabling service mesh is enough to try the feature but doesn't automatically ensure complete security. Please read the [service mesh production tutorial](/consul/tutorials/developer-mesh/service-mesh-production-checklist) to understand the additional steps needed for a secure deployment. + +## Centralized proxy and service configuration + +If your network contains many instances of the same service and many colocated sidecar proxies, you can specify global settings for proxies or services in [Configuration Entries](/consul/docs/agent/config-entries). You can override the centralized configurations for individual proxy instances in their [sidecar service definitions](/consul/docs/reference/proxy/sidecar), and the default protocols for service instances in their [service definitions](/consul/docs/register/service/vm/define). + +## Schedulers + +Consul service mesh is especially useful if you are using an orchestrator like Nomad or Kubernetes, because these orchestrators can deploy thousands of service instances which frequently move hosts. Sidecars for each service can be configured through these schedulers, and in some cases they can automate Consul configuration, sidecar deployment, and service registration. + +### Nomad + +Consul service mesh can be used with Nomad to provide secure service-to-service communication between Nomad jobs and task groups. The ability to use the dynamic port feature of Nomad makes Consul service mesh particularly easy to use. Learn about how to configure Consul service mesh on Nomad by reading the [integration documentation](/consul/docs/connect/nomad). + +### Kubernetes + +The Consul Helm chart can automate much of Consul's service mesh configuration, and makes it easy to automatically inject Envoy sidecars into new pods when they are deployed. Learn about the [Helm chart](/consul/docs/reference/k8s/helm) in general, or if you are already familiar with it, check out its [service mesh specific configurations](/consul/docs/k8s/connect). diff --git a/website/content/docs/connect/configuration.mdx b/website/content/docs/connect/configuration.mdx deleted file mode 100644 index dd1e8e156d8..00000000000 --- a/website/content/docs/connect/configuration.mdx +++ /dev/null @@ -1,109 +0,0 @@ ---- -layout: docs -page_title: Service Mesh Configuration - Overview -description: >- - Learn how to enable and configure Consul's service mesh capabilities in agent configurations, and how to integrate with schedulers like Kubernetes and Nomad. Consul's service mesh capabilities are provided by the ""connect"" subsystem. ---- - -# Service Mesh Configuration Overview - -There are many configuration options exposed for Consul service mesh. The only option -that must be set is the `connect.enabled` option on Consul servers to enable Consul service mesh. -All other configurations are optional and have defaults suitable for many environments. - -The noun _connect_ is used throughout this documentation to refer to the connect -subsystem that provides Consul's service mesh capabilities. -Where you encounter the _noun_ connect, it is usually functionality specific to -service mesh. - -## Agent configuration - -Begin by enabling service mesh for your Consul -cluster. By default, service is disabled. Enabling service mesh requires changing -the configuration of only your Consul _servers_ (not client agents). To enable -service mesh, add the following to a new or existing -[server configuration file](/consul/docs/agent/config/config-files). In an existing cluster, this configuration change requires a Consul server restart, which you can perform one server at a time to maintain availability. In HCL: - - - - -```hcl -connect { - enabled = true -} -``` - -```json -{ - "connect": { - "enabled": true - } -} -``` - - -This will enable service mesh and configure your Consul cluster to use the -built-in certificate authority for creating and managing certificates. -You may also configure Consul to use an external -[certificate management system](/consul/docs/connect/ca), such as -[Vault](https://www.vaultproject.io/). - -Services and proxies may always register with service mesh settings, but unless -service mesh is enabled on the server agents, their attempts to communicate will fail -because they have no means to obtain or verify service mesh TLS certificates. - -Other optional service mesh configurations that you can set in the server -configuration file include: - -- [certificate authority settings](/consul/docs/agent/config/config-files#connect) -- [token replication](/consul/docs/agent/config/config-files#acl_tokens_replication) -- [dev mode](/consul/docs/agent/config/cli-flags#_dev) -- [server host name verification](/consul/docs/agent/config/config-files#tls_internal_rpc_verify_server_hostname) - -If you would like to use Envoy as your service mesh proxy you will need to [enable -gRPC](/consul/docs/agent/config/config-files#grpc_port). - -Additionally if you plan on using the observability features of Consul service mesh, it can -be convenient to configure your proxies and services using [configuration -entries](/consul/docs/agent/config-entries) which you can interact with using the -CLI or API, or by creating configuration entry files. You will want to enable -[centralized service -configuration](/consul/docs/agent/config/config-files#enable_central_service_config) on -clients, which allows each service's proxy configuration to be managed centrally -via API. - -!> **Security note:** Enabling service mesh is enough to try the feature but doesn't -automatically ensure complete security. Please read the [service mesh production -tutorial](/consul/tutorials/developer-mesh/service-mesh-production-checklist) to understand the additional steps -needed for a secure deployment. - -## Centralized proxy and service configuration - -If your network contains many instances of the same service and many colocated sidecar proxies, you can specify global settings for proxies or services in [Configuration Entries](/consul/docs/agent/config-entries). You can override the centralized configurations for individual proxy instances in their -[sidecar service definitions](/consul/docs/connect/proxies/deploy-sidecar-services), -and the default protocols for service instances in their [service -definitions](/consul/docs/services/usage/define-services). - -## Schedulers - -Consul service mesh is especially useful if you are using an orchestrator like Nomad -or Kubernetes, because these orchestrators can deploy thousands of service instances -which frequently move hosts. Sidecars for each service can be configured through -these schedulers, and in some cases they can automate Consul configuration, -sidecar deployment, and service registration. - -### Nomad - -Consul service mesh can be used with Nomad to provide secure service-to-service -communication between Nomad jobs and task groups. The ability to use the dynamic -port feature of Nomad makes Consul service mesh particularly easy to use. Learn about how to -configure Consul service mesh on Nomad by reading the -[integration documentation](/consul/docs/connect/nomad). - -### Kubernetes - -The Consul Helm chart can automate much of Consul's service mesh configuration, and -makes it easy to automatically inject Envoy sidecars into new pods when they are -deployed. Learn about the [Helm chart](/consul/docs/k8s/helm) in general, -or if you are already familiar with it, check out its -[service mesh specific configurations](/consul/docs/k8s/connect). diff --git a/website/content/docs/connect/connect-internals.mdx b/website/content/docs/connect/connect-internals.mdx deleted file mode 100644 index 99541f012c3..00000000000 --- a/website/content/docs/connect/connect-internals.mdx +++ /dev/null @@ -1,138 +0,0 @@ ---- -layout: docs -page_title: Service Mesh - How it Works -description: >- - Consul's service mesh enforces secure service communication using mutual TLS (mTLS) encryption and explicit authorization. Learn how the service mesh certificate authorities, intentions, and agents work together to provide Consul’s service mesh capabilities. ---- - -# How Service Mesh Works - -This topic describes how many of the core features of Consul's service mesh functionality works. -It is not a prerequisite, -but this information will help you understand how Consul service mesh behaves in more complex scenarios. - -The noun _connect_ is used throughout this documentation to refer to the connect -subsystem that provides Consul's service mesh capabilities. -Where you encounter the _noun_ connect, it is usually functionality specific to -service mesh. - -To try service mesh locally, complete the [Getting Started with Consul service -mesh](/consul/tutorials/kubernetes-deploy/service-mesh?utm_source=docs) -tutorial. - -## Mutual Transport Layer Security (mTLS) - -The core of Consul service mesh is based on [mutual TLS](https://en.wikipedia.org/wiki/Mutual_authentication). - -Consul service mesh provides each service with an identity encoded as a TLS certificate. -This certificate is used to establish and accept connections to and from other -services. The identity is encoded in the TLS certificate in compliance with -the [SPIFFE X.509 Identity Document](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md). -This enables Consul service mesh services to establish and accept connections with -other SPIFFE-compliant systems. - -The client service verifies the destination service certificate -against the [public CA bundle](/consul/api-docs/connect/ca#list-ca-root-certificates). -This is very similar to a typical HTTPS web browser connection. In addition -to this, the client provides its own client certificate to show its -identity to the destination service. If the connection handshake succeeds, -the connection is encrypted and authorized. - -The destination service verifies the client certificate against the [public CA -bundle](/consul/api-docs/connect/ca#list-ca-root-certificates). After verifying the -certificate, the next step depends upon the configured application protocol of -the destination service. TCP (L4) services must authorize incoming _connections_ -against the configured set of Consul [intentions](/consul/docs/connect/intentions), -whereas HTTP (L7) services must authorize incoming _requests_ against those same -intentions. If the intention check responds successfully, the -connection/request is established. Otherwise the connection/request is -rejected. - -To generate and distribute certificates, Consul has a built-in CA that -requires no other dependencies, and -also ships with built-in support for [Vault](/consul/docs/connect/ca/vault). The PKI system is designed to be pluggable -and can be extended to support any system by adding additional CA providers. - -All APIs required for Consul service mesh typically respond in microseconds and impose -minimal overhead to existing services. To ensure this, Consul service mesh-related API calls -are all made to the local Consul agent over a loopback interface, and all [agent -Connect endpoints](/consul/api-docs/agent/connect) implement local caching, background -updating, and support blocking queries. Most API calls operate on purely local -in-memory data. - -## Agent Caching and Performance - -To enable fast responses on endpoints such as the [agent connect -API](/consul/api-docs/agent/connect), the Consul agent locally caches most Consul service mesh-related -data and sets up background [blocking queries](/consul/api-docs/features/blocking) against -the server to update the cache in the background. This allows most API calls -such as retrieving certificates or authorizing connections to use in-memory -data and respond very quickly. - -All data cached locally by the agent is populated on demand. Therefore, if -Consul service mesh is not used at all, the cache does not store any data. On first request, -the data is loaded from the server and cached. The set of data cached is: public -CA root certificates, leaf certificates, intentions, and service discovery -results for upstreams. For leaf certificates and intentions, only data related -to the service requested is cached, not the full set of data. - -Further, the cache is partitioned by ACL token and datacenters. This is done -to minimize the complexity of the cache and prevent bugs where an ACL token -may see data it shouldn't from the cache. This results in higher memory usage -for cached data since it is duplicated per ACL token, but with the benefit -of simplicity and security. - -With Consul service mesh enabled, you'll likely see increased memory usage by the -local Consul agent. The total memory is dependent on the number of intentions -related to the services registered with the agent accepting Consul service mesh-based -connections. The other data (leaf certificates and public CA certificates) -is a relatively fixed size per service. In most cases, the overhead per -service should be relatively small: single digit kilobytes at most. - -The cache does not evict entries due to memory pressure. If memory capacity -is reached, the process will attempt to swap. If swap is disabled, the Consul -agent may begin failing and eventually crash. Cache entries do have TTLs -associated with them and will evict their entries if they're not used. Given -a long period of inactivity (3 days by default), the cache will empty itself. - -## Connections Across Datacenters - -A sidecar proxy's [upstream configuration](/consul/docs/connect/proxies/proxy-config-reference#upstream-configuration-reference) -may specify an alternative datacenter or a prepared query that can address services -in multiple datacenters (such as the [geo failover](/consul/tutorials/developer-discovery/automate-geo-failover) pattern). - -[Intentions](/consul/docs/connect/intentions) verify connections between services by -source and destination name seamlessly across datacenters. - -Connections can be made via gateways to enable communicating across network -topologies, allowing connections between services in each datacenter without -externally routable IPs at the service level. - -## Intention Replication - -Intention replication happens automatically but requires the -[`primary_datacenter`](/consul/docs/agent/config/config-files#primary_datacenter) -configuration to be set to specify a datacenter that is authoritative -for intentions. In production setups with ACLs enabled, the -[replication token](/consul/docs/agent/config/config-files#acl_tokens_replication) must also -be set in the secondary datacenter server's configuration. - -## Certificate Authority Federation - -The primary datacenter also acts as the root Certificate Authority (CA) for Consul service mesh. -The primary datacenter generates a trust-domain UUID and obtains a root certificate -from the configured CA provider which defaults to the built-in one. - -Secondary datacenters fetch the root CA public key and trust-domain ID from the -primary and generate their own key and Certificate Signing Request (CSR) for an -intermediate CA certificate. This CSR is signed by the root in the primary -datacenter and the certificate is returned. The secondary datacenter can now use -this intermediate to sign new Consul service mesh certificates in the secondary datacenter -without WAN communication. CA keys are never replicated between datacenters. - -The secondary maintains watches on the root CA certificate in the primary. If the -CA root changes for any reason such as rotation or migration to a new CA, the -secondary automatically generates new keys and has them signed by the primary -datacenter's new root before initiating an automatic rotation of all issued -certificates in use throughout the secondary datacenter. This makes CA root key -rotation fully automatic and with zero downtime across multiple datacenters. diff --git a/website/content/docs/connect/connectivity-tasks.mdx b/website/content/docs/connect/connectivity-tasks.mdx deleted file mode 100644 index bd5a4bc66f6..00000000000 --- a/website/content/docs/connect/connectivity-tasks.mdx +++ /dev/null @@ -1,72 +0,0 @@ ---- -layout: docs -page_title: Gateway Types -description: >- - Ingress, terminating, and mesh gateways are proxies that direct traffic into, out of, and inside of Consul's service mesh. Learn how these gateways enable different kinds of service-to-service communication. ---- - -# Types of Gateway Connections in a Service Mesh - -~> **Note**: The features shown below are extensions of Consul's service mesh capabilities. If you are not utilizing -Consul service mesh then these features will not be relevant to your task. - -## Service-to-service traffic between Consul datacenters - --> **1.6.0+:** This feature is available in Consul versions 1.6.0 and newer. - -Mesh gateways enable routing of service mesh traffic between different Consul datacenters. Those datacenters can reside -in different clouds or runtime environments where general interconnectivity between all services in all datacenters -isn't feasible. One scenario where this is useful is when connecting networks with overlapping IP address space. - -These gateways operate by sniffing the SNI header out of the mTLS connection and then routing the connection to the -appropriate destination based on the server name requested. - -As of Consul 1.8.0, mesh gateways can also forward gossip and RPC traffic between Consul servers. -This is enabled by [WAN federation via mesh gateways](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways). - -As of Consul 1.14.0, mesh gateways can route both data-plane (service-to-service) and control-plane (consul-to-consul) traffic for peered clusters. -See [Mesh Gateways for Peering Control Plane Traffic](/consul/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways) - -For more information about mesh gateways, review the [complete documentation](/consul/docs/connect/gateways/mesh-gateway) -and the [mesh gateway tutorial](/consul/tutorials/developer-mesh/service-mesh-gateways). - -![Mesh Gateway Architecture](/img/mesh-gateways.png) - -## Traffic from outside the Consul service mesh to services in the mesh - --> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer. - -Ingress gateways are an entrypoint for outside traffic. They enable potentially unauthenticated ingress traffic from -services outside the Consul service mesh to services inside the service mesh. - -These gateways allow you to define what services should be exposed, on what port, and by what hostname. You configure -an ingress gateway by defining a set of listeners that can map to different sets of backing services. - -Ingress gateways are tightly integrated with Consul's L7 configuration and enable dynamic routing of HTTP requests by -attributes like the request path. - -For more information about ingress gateways, review the [complete documentation](/consul/docs/connect/gateways/ingress-gateway) -and the [ingress gateway tutorial](/consul/tutorials/developer-mesh/service-mesh-gateways). - -![Ingress Gateway Architecture](/img/ingress-gateways.png) - -## Traffic from services in the Consul service mesh to external services - --> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer. - -Terminating gateways enable connectivity from services in the Consul service mesh to services outside the mesh. -Services outside the mesh do not have sidecar proxies or are not [integrated natively](/consul/docs/connect/native). -These may be services running on legacy infrastructure or managed cloud services running on -infrastructure you do not control. - -Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate service mesh -mTLS connections, enforce Consul intentions, and forward requests to the appropriate destination. - -These gateways also simplify authorization from dynamic service addresses. Consul's intentions determine whether -connections through the gateway are authorized. Then traditional tools like firewalls or IAM roles can authorize the -connections from the known gateway nodes to the destination services. - -For more information about terminating gateways, review the [complete documentation](/consul/docs/connect/gateways/terminating-gateway) -and the [terminating gateway tutorial](/consul/tutorials/developer-mesh/terminating-gateways-connect-external-services). - -![Terminating Gateway Architecture](/img/terminating-gateways.png) diff --git a/website/content/docs/connect/dataplane/index.mdx b/website/content/docs/connect/dataplane/index.mdx deleted file mode 100644 index 2f16014cac6..00000000000 --- a/website/content/docs/connect/dataplane/index.mdx +++ /dev/null @@ -1,138 +0,0 @@ ---- -layout: docs -page_title: Simplified Service Mesh with Consul Dataplane -description: >- - Consul Dataplane removes the need to run a client agent for service discovery and service mesh by leveraging orchestrator functions. Learn about Consul Dataplane, how it can lower latency for Consul on Kubernetes and AWS ECS, and how it enables Consul support for AWS Fargate and GKE Autopilot. ---- - -# Simplified Service Mesh with Consul Dataplane - -This topic provides an overview of Consul Dataplane, a lightweight process for managing Envoy proxies. Consul Dataplane removes the need to run client agents on every node in a cluster for service discovery and service mesh. Instead, Consul deploys sidecar proxies that provide lower latency, support additional runtimes, and integrate with cloud infrastructure providers. - -## Supported environments - -- Dataplanes can connect to Consul servers v1.14.0 and newer. -- Dataplanes on Kubernetes requires Consul K8s v1.0.0 and newer. -- Dataplanes on AWS Elastic Container Services (ECS) requires Consul ECS v0.7.0 and newer. - - -## What is Consul Dataplane? - -When deployed to virtual machines or bare metal environments, the Consul control plane requires _server agents_ and _client agents_. Server agents maintain the service catalog and service mesh, including its security and consistency, while client agents manage communications between service instances, their sidecar proxies, and the servers. While this model is optimal for applications deployed on virtual machines or bare metal servers, orchestrators such as Kubernetes and ECS have native components that support health checking and service location functions typically provided by the client agent. - -Consul Dataplane manages Envoy proxies and leaves responsibility for other functions to the orchestrator. As a result, it removes the need to run client agents on every node. In addition, services no longer need to be reregistered to a local client agent after restarting a service instance, as a client agent’s lack of access to persistent data storage in container-orchestrated deployments is no longer an issue. - -The following diagram shows how Consul Dataplanes facilitate service mesh in a Kubernetes-orchestrated environment. - -![Diagram of Consul Dataplanes in Kubernetes deployment](/img/k8s-dataplanes-architecture.png) - -### Impact on performance - -Consul Dataplanes replace node-level client agents and function as sidecars attached to each service instance. Dataplanes handle communication between Consul servers and Envoy proxies, using fewer resources than client agents. Consul servers need to consume additional resources in order to generate xDS resources for Envoy proxies. - -As a result, small deployments require fewer overall resources. For especially large deployments or deployments that expect to experience high levels of churn, consider the following impacts to your network's performance: - -1. In our internal tests, which used 5000 proxies and services flapping every 2 seconds, additional CPU utilization remained under 10% on the control plane. -1. As you deploy more services, the resource usage for dataplanes grows on a linear scale. -1. Envoy reconfigurations are rate limited to prevent excessive configuration changes from generating significant load on the servers. -1. To avoid generating significant load on an individual server, proxy configuration is load balanced proactively. -1. The frequency of the orchestrator's liveness and readiness probes determine how quickly Consul's control plane can become aware of failures. There is no impact on service mesh applications, however, as Envoy proxies have a passive ability to detect endpoint failure and steer traffic to healthy instances. - -## Benefits - -**Fewer networking requirements**: Without client agents, Consul does not require bidirectional network connectivity across multiple protocols to enable gossip communication. Instead, it requires a single gRPC connection to the Consul servers, which significantly simplifies requirements for the operator. - -**Simplified set up**: Because there are no client agents to engage in gossip, you do not have to generate and distribute a gossip encryption key to agents during the initial bootstrapping process. Securing agent communication also becomes simpler, with fewer tokens to track, distribute, and rotate. - -**Additional environment and runtime support**: Consul on Kubernetes versions _prior_ to v1.0 (Consul v1.14) require the use of hostPorts and DaemonSets for client agents, which limits Consul’s ability to be deployed in environments where those features are not supported. -As of Consul on Kubernetes version 1.0 (Consul 1.14) with the new Consul Dataplane, `hostPorts` are no longer required and Consul now supports AWS Fargate and GKE Autopilot. - -**Easier upgrades**: With Consul Dataplane, updating Consul to a new version no longer requires upgrading client agents. Consul Dataplane also has better compatibility across Consul server versions, so the process to upgrade Consul servers becomes easier. - -## Get started - -To get started with Consul Dataplane, use the following reference resources: - -- For `consul-dataplane` commands and usage examples, including required flags for startup, refer to the [`consul-dataplane` CLI reference](/consul/docs/connect/dataplane/consul-dataplane). -- For Helm chart information, refer to the [Helm Chart reference](/consul/docs/k8s/helm). -- For Envoy, Consul, and Consul Dataplane version compatibility, refer to the [Envoy compatibility matrix](/consul/docs/connect/proxies/envoy). -- For Consul on ECS workloads, refer to [Consul on AWS Elastic Container Service (ECS) Overview](/consul/docs/ecs). - - -### Installation - - - - - -To install Consul Dataplane, set `VERSION` to `1.0.0` and then follow the instructions to install a specific version of Consul [with the Helm Chart](/consul/docs/k8s/installation/install#install-consul) or [with the Consul-k8s CLI](/consul/docs/k8s/installation/install-cli#install-a-previous-version). - -#### Helm - -```shell-session -$ export VERSION=1.0.0 -$ helm install consul hashicorp/consul --set global.name=consul --version ${VERSION} --create-namespace --namespace consul -``` - -#### Consul-k8s CLI - -```shell-session -$ export VERSION=1.0.0 && \ - curl --location "https://releases.hashicorp.com/consul-k8s/${VERSION}/consul-k8s_${VERSION}_darwin_amd64.zip" --output consul-k8s-cli.zip -``` - - - - -Refer to the following documentation for Consul on ECS workloads: - -- [Deploy Consul with the Terraform module](/consul/docs/ecs/deploy/terraform) -- [Deploy Consul manually](/consul/docs/ecs/deploy/manual) - - - - - - -### Upgrading - - - - - -Before you upgrade Consul to a version that uses Consul Dataplane, you must edit your Helm chart so that client agents are removed from your deployments. Refer to [upgrading to Consul Dataplane](/consul/docs/k8s/upgrade#upgrading-to-consul-dataplanes) for more information. - - - - - -Refer to [Upgrade to dataplane architecture](/consul/docs/ecs/upgrade-to-dataplanes) for instructions. - - - - - -## Feature support - -Consul Dataplane on Kubernetes supports the following features: - -- Single and multi-cluster installations, including those with WAN federation, cluster peering, and admin partitions are supported. -- Ingress, terminating, and mesh gateways are supported. -- Running Consul service mesh in AWS Fargate and GKE Autopilot is supported. -- xDS load balancing is supported. -- Servers running in Kubernetes and servers external to Kubernetes are both supported. -- HCP Consul Dedicated is supported. -- Consul API Gateway - -Consul Dataplane on ECS support the following features: - -- Single and multi-cluster installations, including those with WAN federation, cluster peering, and admin partitions -- Mesh gateways -- Running Consul service mesh in AWS Fargate and EC2 -- xDS load balancing -- Self-managed Enterprise and HCP Consul Dedicated servers - -### Technical Constraints - -- Consul Dataplane is not supported on Windows. -- Consul Dataplane requires the `NET_BIND_SERVICE` capability. Refer to [Set capabilities for a Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container) in the Kubernetes Documentation for more information. diff --git a/website/content/docs/connect/dev.mdx b/website/content/docs/connect/dev.mdx deleted file mode 100644 index e31a2f423a6..00000000000 --- a/website/content/docs/connect/dev.mdx +++ /dev/null @@ -1,65 +0,0 @@ ---- -layout: docs -page_title: Service Mesh Debugging -description: >- - Use the `consul connect proxy` command to connect to services or masquerade as other services for development and debugging purposes. Example code demonstrates connecting to services that are part of the service mesh as listeners only. ---- - -# Service Mesh Debugging - -It is often necessary to connect to a service for development or debugging. -If a service only exposes a service mesh listener, then we need a way to establish -a mutual TLS connection to the service. The -[`consul connect proxy` command](/consul/commands/connect/proxy) can be used -for this task on any machine with access to a Consul agent (local or remote). - -Restricting access to services only via service mesh ensures that the only way to -connect to a service is through valid authorization of the -[intentions](/consul/docs/connect/intentions). This can extend to developers -and operators, too. - -## Connecting to Mesh-only Services - -As an example, let's assume that we have a PostgreSQL database running that -we want to connect to via `psql`, but the only non-loopback listener is -via Connect. Let's also assume that we have an ACL token to identify as -`operator-mitchellh`. We can start a local proxy: - -```shell-session -$ consul connect proxy \ - -service operator-mitchellh \ - -upstream postgresql:8181 -``` - -This works because the source `-service` does not need to be registered -in the local Consul catalog. However, to retrieve a valid identifying -certificate, the ACL token must have `service:write` permissions. This -can be used as a sort of "debug service" to represent people, too. In -the example above, the proxy is identifying as `operator-mitchellh`. - -With the proxy running, we can now use `psql` like normal: - -```shell-session -$ psql --host=127.0.0.1 --port=8181 --username=mitchellh mydb -> -``` - -This `psql` session is now happening through our local proxy via an -authorized mutual TLS connection to the PostgreSQL service in our Consul -catalog. - -### Masquerading as a Service - -You can also easily masquerade as any source service by setting the -`-service` value to any service. Note that the proper ACL permissions are -required to perform this task. - -For example, if you have an ACL token that allows `service:write` for -`web` and you want to connect to the `postgresql` service as "web", you -can start a proxy like so: - -```shell-session -$ consul connect proxy \ - -service web \ - -upstream postgresql:8181 -``` diff --git a/website/content/docs/ecs/deploy/configure-routes.mdx b/website/content/docs/connect/ecs.mdx similarity index 87% rename from website/content/docs/ecs/deploy/configure-routes.mdx rename to website/content/docs/connect/ecs.mdx index ed9b9961048..fe044ca77c4 100644 --- a/website/content/docs/ecs/deploy/configure-routes.mdx +++ b/website/content/docs/connect/ecs.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Configure routes between ECS tasks +page_title: Connect ECS services with Consul description: >- - Learn how to configure routes between tasks after deploying Consul service mesh to your ECS workloads. + Consul documentation provides reference material for all features and options available in Consul. --- -# Configure routes between ECS tasks +# Connect ECS services with Consul This topic describes how to configure routes between tasks after registering the tasks to Consul service mesh. @@ -20,8 +20,8 @@ To enable tasks to call through the service mesh, complete the following steps: Consul service mesh must be deployed to ECS before you can bind a network address. For more information, refer to the following topics: -- [Deploy Consul to ECS using the Terraform module](/consul/docs/ecs/deploy/terraform) -- [Deploy Consul to ECS manually](/consul/docs/ecs/deploy/manual) +- [Deploy Consul to ECS using the Terraform module](/consul/docs/ecs/deploy/install-terraform) +- [Deploy Consul to ECS manually](/consul/docs/ecs/deploy/install-manual) ## Configure the sidecar proxy @@ -76,4 +76,4 @@ module "web" { ] ... } -``` +``` \ No newline at end of file diff --git a/website/content/docs/connect/enable.mdx b/website/content/docs/connect/enable.mdx new file mode 100644 index 00000000000..a00ffd41532 --- /dev/null +++ b/website/content/docs/connect/enable.mdx @@ -0,0 +1,86 @@ +--- +layout: docs +page_title: Enable service mesh +description: >- + Learn how to enable and configure Consul's service mesh capabilities in agent configurations. +--- + +# Enable service mesh + +This page describes the process to enable Consul's service mesh features. + +For more information about configurable options in the service mesh and the process to full bootstrap Consul's service mesh, refer to [Connect services](/consul/docs/connect). + +## Enable mesh in server agent configuration + +Consul's service mesh features are not enabled by default when running Consul on virtual machines. To enable the service mesh, you must change the configuration of your Consul servers. You do not need to change client agent configurations in order to use the service mesh. + +To enable Consul's service mesh, set `connect.enabled` to `true` in a new or existing [agent configuration file](/consul/docs/reference/agent). + +Service mesh is enabled by default on Kubernetes deployments. + + + + + +```hcl +connect { + enabled = true +} +``` + + + + + +```json +{ + "connect": { + "enabled": true + } +} +``` + + + + + +```yaml +server: + connect: + enabled: true +``` + + + + + +## Apply configuration to Consul + +After you update your cluster's configuration, the Consul agent must restart before the service mesh is enabled. + +On VM deployments, restart each server in the cluster one at a time in order to maintain the cluster's availability. + +On Kubernetes deployments, you can run the following command to apply the configuration to your deployment: + +```shell-session +$ kubectl apply -f values.yaml +``` + +If you use the Consul on Kubernetes CLI, you can run the following command instead: + +```shell-session +$ consul-k8s upgrade -config-file values.yaml +``` + +For information about the `consul-k8s` CLI and how to install it, refer to [Install Consul on Kubernetes from Consul K8s CLI](/consul/docs/k8s/installation/install-cli) + +## Next steps + +After you enable Consul's service mesh, enable the built-in certificate authority to ensure secure service-to-service communication and configure defaults settings for the Envoy proxies in the service mesh. You can also enable Consul's Access Control List (ACL) system to provide additional security. + +Refer to the following topics for more information: + +- [Bootstrap Consul's built-in CA](/consul/docs/secure-mesh/certificate/bootstrap) +- [Configure proxy defaults](/consul/docs/connect/proxy) +- [Enable Consul's ACL system](/consul/docs/secure/acl) \ No newline at end of file diff --git a/website/content/docs/connect/gateways/api-gateway/configuration/index.mdx b/website/content/docs/connect/gateways/api-gateway/configuration/index.mdx deleted file mode 100644 index f6fc99d05de..00000000000 --- a/website/content/docs/connect/gateways/api-gateway/configuration/index.mdx +++ /dev/null @@ -1,45 +0,0 @@ ---- -layout: docs -page_title: Consul API gateway configuration overview -description: >- - Configure your Consul API Gateway to manage traffic into your service mesh. Learn about the Kubernetes Gateway Specification items you can configure and how to configure custom API Gateways. ---- - -# Consul API gateway configuration overview - -This topic provides an overview of the configuration items you can use to create API gateways, configure listeners, define routes, and apply additional resources that may be necessary to operate Consul API gateways in your environment. - -## Configurations for virtual machines - -Apply the following configuration items if your network runs on virtual machines nodes: - -| Configuration | Description | Usage | -| --- | --- | --- | -| [`api-gateway`](/consul/docs/connect/config-entries/api-gateway) | Defines the main infrastructure resource for declaring an API gateway and listeners on the gateway. | [Deploy API gateway listeners on virtual machines](/consul/docs/connect/gateways/api-gateway/deploy/listeners-vms) | -| [`http-route`](/consul/docs/connect/config-entries/http-route) | Enables HTTP traffic to reach services in the mesh from a listener on the gateway.| [Define routes on virtual machines](/consul/docs/connect/gateways/api-gateway/define-routes/routes-vms) | -| [`tcp-route`](/consul/docs/connect/config-entries/tcp-route) | Enables TCP traffic to reach services in the mesh from a listener on the gateway.| [Define routes on virtual machines](/consul/docs/connect/gateways/api-gateway/define-routes/routes-vms) | -| [`file-system-certificate`](/consul/docs/connect/config-entries/file-system-certificate) | Provides gateway with a CA certificate so that requests between the user and the gateway endpoint are encrypted. | [Encrypt API gateway traffic on virtual machines](/consul/docs/connect/gateways/api-gateway/secure-traffic/encrypt-vms) | -| [`inline-certificate`](/consul/docs/connect/config-entries/inline-certificate) | Provides gateway with a CA certificate so that requests between the user and the gateway endpoint are encrypted. | [Encrypt API gateway traffic on virtual machines](/consul/docs/connect/gateways/api-gateway/secure-traffic/encrypt-vms) | -| [`service-intentions`](/consul/docs/connect/config-entries/service-intentions) | Specifies traffic communication rules between services in the mesh. Intentions also enforce rules for service-to-service traffic routed through a Consul API gateway. | General configuration for securing a service mesh | - -## Configurations for Kubernetes - -Apply the following configuration items if your network runs on Kubernetes: - -| Configuration | Description | Usage | -| --- | --- | --- | -| [`Gateway`](/consul/docs/connect/gateways/api-gateway/configuration/gateway) | Defines the main infrastructure resource for declaring an API gateway and listeners on the gateway. It also specifies the name of the `GatewayClass`. | [Deploy listeners on Kubernetes](/consul/docs/connect/gateways/api-gateway/deploy/listeners-k8s) | -| [`GatewayClass`](/consul/docs/connect/gateways/api-gateway/configuration/gatewayclass) | Defines a class of gateway resources used as a template for creating gateways. The default gateway class is `consul` and is suitable for most API gateway implementations. | [Deploy listeners on Kubernetes](/consul/docs/connect/gateways/api-gateway/deploy/listeners-k8s) | -| [`GatewayClassConfig`](/consul/docs/connect/gateways/api-gateway/configuration/gatewayclassconfig) | Describes additional gateway-related configuration parameters for the `GatewayClass` resource. | [Deploy listeners on Kubernetes](/consul/docs/connect/gateways/api-gateway/deploy/listeners-k8s) | -| [`Routes`](/consul/docs/connect/gateways/api-gateway/configuration/routes) | Specifies paths from the gateway listener to backend services. | [Define routes on Kubernetes](/consul/docs/connect/gateways/api-gateway/define-routes/routes-k8s)

[Reroute traffic in Kubernetes](/consul/docs/connect/gateways/api-gateway/define-routes/reroute-http-requests)

[Route traffic to peered services in Kubernetes](/consul/docs/connect/gateways/api-gateway/define-routes/route-to-peered-services)

| -| [`MeshServices`](/consul/docs/connect/gateways/api-gateway/configuration/meshservices) | Enables routes to reference services in Consul. | [Route traffic to peered services in Kubernetes](/consul/docs/connect/gateways/api-gateway/define-routes/route-to-peered-services) | -| [`ServiceIntentions`](/consul/docs/connect/config-entries/service-intentions) | Specifies traffic communication rules between services in the mesh. Intentions also enforce rules for service-to-service traffic routed through a Consul API gateway. | General configuration for securing a service mesh | - - diff --git a/website/content/docs/connect/gateways/api-gateway/define-routes/reroute-http-requests.mdx b/website/content/docs/connect/gateways/api-gateway/define-routes/reroute-http-requests.mdx deleted file mode 100644 index 5a56aeee792..00000000000 --- a/website/content/docs/connect/gateways/api-gateway/define-routes/reroute-http-requests.mdx +++ /dev/null @@ -1,58 +0,0 @@ ---- -layout: docs -page_title: Reroute HTTP Requests -description: >- - Learn how to configure Consul API Gateway to reroute HTTP requests to a specific path. ---- - -# Reroute HTTP Requests - -This topic describes how to configure Consul API Gateway to reroute HTTP requests. - -## Requirements - -1. Verify that the [requirements](/consul/docs/api-gateway/tech-specs) have been met. -1. Verify that the Consul API Gateway CRDs and controller have been installed and applied. Refer to [Installation](/consul/docs/connect/gateways/api-gateway/deploy/install-k8s) for details. - -## Configuration - -Specify the following fields in your `Route` configuration. Refer to the [Route configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/routes) for details about the parameters. - -- [`rules.filters.type`](/consul/docs/connect/gateways/api-gateway/configuration/routes#rules-filters-type): Set this parameter to `URLRewrite` to instruct Consul API Gateway to rewrite the URL when specific conditions are met. -- [`rules.filters.urlRewrite`](/consul/docs/connect/gateways/api-gateway/configuration/routes#rules-filters-urlrewrite): Specify the `path` configuration. -- [`rules.filters.urlRewrite.path`](/consul/docs/connect/gateways/api-gateway/configuration/routes#rules-filters-urlrewrite-path): Contains the paths that incoming requests should be rewritten to based on the match conditions. - -To configure the route to accept paths with or without a trailing slash, you must make two separate routes to handle each case. - -### Example - -In the following example, requests to` /incoming-request-prefix/` are forwarded to the `backendRef` as `/prefix-backend-receives/`. As a result, requests to `/incoming-request-prefix/request-path` are received by `backendRef` as `/prefix-backend-receives/request-path`. - - - -```yaml hideClipboard -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: example-route - ##... -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: api-gateway - rules: - - backendRefs: - . . . - filters: - - type: URLRewrite - urlRewrite: - path: - replacePrefixMatch: /prefix-backend-receives/ - type: ReplacePrefixMatch - matches: - - path: - type: PathPrefix - value: /incoming–request-prefix/ -``` - \ No newline at end of file diff --git a/website/content/docs/connect/gateways/api-gateway/install-k8s.mdx b/website/content/docs/connect/gateways/api-gateway/install-k8s.mdx deleted file mode 100644 index 9362100cde0..00000000000 --- a/website/content/docs/connect/gateways/api-gateway/install-k8s.mdx +++ /dev/null @@ -1,133 +0,0 @@ ---- -layout: docs -page_title: Install API Gateway for Kubernetes -description: >- - Learn how to install custom resource definitions (CRDs) and configure the Helm chart so that you can run Consul API Gateway on your Kubernetes deployment. ---- - -# Install API gateway for Kubernetes - -The Consul API gateway ships with Consul and is automatically installed when you install Consul on Kubernetes. Before you begin the installation process, verify that the environment you are deploying Consul and the API gateway in meets the requirements listed in the [Technical Specifications](/consul/docs/connect/gateways/api-gateway/tech-specs). Refer to the [Release Notes](/consul/docs/release-notes) for any additional information about the version you are deploying. - -1. The Consul Helm chart deploys the API gateway using the configuration specified in the `values.yaml` file. Refer to [Helm Chart Configuration - `connectInject.apiGateway`](/consul/docs/k8s/helm#apigateway) for information about the Helm chart configuration options. Create a `values.yaml` file for configuring your Consul API gateway deployment and include the following settings: - - - - - - - ```yaml - global: - name: consul - connectInject: - enabled: true - apiGateway: - manageExternalCRDs: true - ``` - - - - - - - If you are installing Consul on an OpenShift Kubernetes cluster, you must include the `global.openShift.enabled` parameter and set it to `true`. Refer to [OpenShift requirements](/consul/docs/connect/gateways/api-gateway/tech-specs#openshift-requirements) for additional information. - - - - ```yaml - global: - openshift: - enabled: true - connectInject: - enabled: true - apiGateway: - manageExternalCRDs: true - cni: - enabled: true - logLevel: info - multus: true - cniBinDir: "/var/lib/cni/bin" - cniNetDir: "/etc/kubernetes/cni/net.d" - ``` - - - - - - By default, GKE Autopilot installs [Gateway API resources](https://gateway-api.sigs.k8s.io), so we recommend customizing the `connectInject.apiGateway` stanza to accommodate the pre-installed Gateway API CRDs. - - The following working example enables both Consul Service Mesh and Consul API Gateway on GKE Autopilot. Refer to [`connectInject.agiGateway` in the Helm chart reference](https://developer.hashicorp.com/consul/docs/k8s/helm#v-connectinject-apigateway) for additional information. - - - - ```yaml - global: - name: consul - connectInject: - enabled: true - apiGateway: - manageExternalCRDs: false - manageNonStandardCRDs: true - cni: - enabled: true - logLevel: debug - cniBinDir: "/home/kubernetes/bin" - cniNetDir: "/etc/cni/net.d" - server: - resources: - requests: - memory: "500Mi" - cpu: "500m" - limits: - memory: "500Mi" - cpu: "500m" - ``` - - - - - -1. Install Consul API Gateway using the standard Consul Helm chart or Consul K8s CLI specify the custom values file. Refer to the [Consul Helm chart](https://github.com/hashicorp/consul-k8s/releases) in GitHub releases for the available versions. - - - - - Refer to the official [Consul K8S CLI documentation](/consul/docs/k8s/k8s-cli) to find additional settings. - - ```shell-session - $ brew tap hashicorp/tap - ``` - - ```shell-session - $ brew install hashicorp/tap/consul-k8s - ``` - - ```shell-session - $ consul-k8s install -config-file=values.yaml -set global.image=hashicorp/consul:1.17.0 - ``` - - - - - Add the HashiCorp Helm repository. - - ```shell-session - $ helm repo add hashicorp https://helm.releases.hashicorp.com - ``` - - Install Consul with API Gateway on your Kubernetes cluster by specifying the `values.yaml` file. - - ```shell-session - $ helm install consul hashicorp/consul --version 1.3.0 --values values.yaml --create-namespace --namespace consul - ``` - - - - - - -[tech-specs]: /consul/docs/api-gateway/tech-specs -[rel-notes]: /consul/docs/release-notes diff --git a/website/content/docs/connect/gateways/api-gateway/secure-traffic/encrypt-vms.mdx b/website/content/docs/connect/gateways/api-gateway/secure-traffic/encrypt-vms.mdx deleted file mode 100644 index fd1cdfe86cb..00000000000 --- a/website/content/docs/connect/gateways/api-gateway/secure-traffic/encrypt-vms.mdx +++ /dev/null @@ -1,89 +0,0 @@ ---- -layout: docs -page_title: Encrypt API gateway traffic on virtual machines -description: Learn how to define inline certificate config entries and deploy them to Consul. Inline certificate and file system certificate configuration entries enable you to attach TLS certificates and keys to gateway listeners so that traffic between external clients and gateway listeners is encrypted. ---- - -# Encrypt API gateway traffic on virtual machines - -This topic describes how to make TLS certificates available to API gateways so that requests between the user and the gateway endpoint are encrypted. - -## Requirements - -- Consul v1.15 or later is required to use the Consul API gateway on VMs - - Consul v1.19 or later is required to use the [file system certificate configuration entry](/consul/docs/connect/config-entries/file-system-certificate) -- You must have a certificate and key from your CA -- A Consul cluster with service mesh enabled. Refer to [`connect`](/consul/docs/agent/config/config-files#connect) -- Network connectivity between the machine deploying the API gateway and a - Consul cluster agent or server - -### ACL requirements - -If ACLs are enabled, you must present a token with the following permissions to -configure Consul and deploy API gateways: - -- `mesh: read` -- `mesh: write` - -Refer [Mesh Rules](/consul/docs/security/acl/acl-rules#mesh-rules) for -additional information about configuring policies that enable you to interact -with Consul API gateway configurations. - -## Define TLS certificates - -1. Create a [file system certificate](/consul/docs/connect/config-entries/file-system-certificate) or [inline certificate](/consul/docs/connect/config-entries/inline-certificate) and specify the following fields: - - `Kind`: Specifies the type of configuration entry. This must be set to `file-system-certificate` or `inline-certificate`. - - `Name`: Specify the name in the [API gateway listener configuration](/consul/docs/connect/gateways/api-gateway/configuration/api-gateway#listeners) to bind the certificate to that listener. - - `Certificate`: Specifies the filepath to the certificate on the local system or the inline public certificate as plain text. - - `PrivateKey`: Specifies the filepath to private key on the local system or the inline private key to as plain text. -1. Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the [file system certificate configuration reference](/consul/docs/connect/config-entries/file-system-certificate) or [inline certificate configuration reference](/consul/docs/connect/config-entries/inline-certificate) for more information. -1. Save the configuration. - -### Examples - - - - - -The following example defines a certificate named `my-certificate`. API gateway configurations that specify `inline-certificate` in the `Certificate.Kind` field and `my-certificate` in the `Certificate.Name` field are able to use the certificate. - -```hcl -Kind = "inline-certificate" -Name = "my-certificate" - -Certificate = < - - - -The following example defines a certificate named `my-certificate`. API gateway configurations that specify `file-system-certificate` in the `Certificate.Kind` field and `my-certificate` in the `Certificate.Name` field are able to use the certificate. - -```hcl -Kind = "file-system-certificate" -Name = "my-certificate" -Certificate = "/opt/consul/tls/api-gateway.crt" -PrivateKey = "/opt/consul/tls/api-gateway.key" -``` - - - - -## Deploy the configuration to Consul - -Run the `consul config write` command to enable listeners to use the certificate. The following example writes a configuration called `my-certificate.hcl`: - -```shell-session -$ consul config write my-certificate.hcl -``` diff --git a/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx b/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx deleted file mode 100644 index 6bd8f28ccd8..00000000000 --- a/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx +++ /dev/null @@ -1,226 +0,0 @@ ---- -layout: docs -page_title: Use JWTs to verify requests to API gateways on Kubernetes -description: Learn how to use JSON web tokens (JWT) to verify requests from external clients to listeners on an API gateway on Kubernetes-orchestrated networks. ---- - -# Use JWTs to verify requests to API gateways on Kubernetes - -This topic describes how to use JSON web tokens (JWT) to verify requests to API gateways deployed to Kubernetes-orchestrated containers. If your API gateway is deployed to virtual machines, refer to [Use JWTs to verify requests to API gateways on VMs](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms). - - This feature is available in Consul Enterprise. - -## Overview - -You can configure API gateways to use JWTs to verify incoming requests so that you can stop unverified traffic at the gateway. You can configure JWT verification at different levels: - -- Listener defaults: Define basic defaults in a GatewayPolicy resource to apply them to all routes attached to a listener. -- HTTP route-specific settings: You can define JWT authentication settings for specific HTTP routes. Route-specific JWT settings override default listener configurations. -- Listener overrides: Define override settings in a GatewayPolicy resource that take precedence over default and route-specific configurations. Use override settings to set enforceable policies for listeners. - - -Complete the following steps to use JWTs to verify requests: - -1. Define a JWTProvider that specifies the JWT provider and claims used to verify requests to the gateway. -1. Define a GatewayPolicy that specifies default and override settings for API gateway listeners and attach it to the gateway. -1. Define a RouteAuthFilter that specifies route-specific JWT verification settings. -1. Reference the RouteAuthFilter from the HTTPRoute. -1. Apply the configurations. - - -## Requirements - -- Consul v1.17+ -- Consul on Kubernetes CLI or Helm chart v1.3.0+ -- JWT details, such as claims and provider - - -## Define a JWTProvider - -Create a `JWTProvider` CRD that defines the JWT provider to verify claims against. - -In the following example, the JWTProvider CRD contains a local JWKS. In production environments, use a production-grade JWKs endpoint instead. - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: JWTProvider -metadata: - name: local -spec: - issuer: local - jsonWebKeySet: - local: - jwks: "" -``` - - - -For more information about the fields you can configure in this CRD, refer to [`JWTProvider` configuration reference](/consul/docs/connect/config-entries/jwtprovider). - -## Define a GatewayPolicy - -Create a `GatewayPolicy` CRD that defines default and override settings for JWT verification. - -- `kind`: Must be set to `GatewayPolicy` -- `metadata.name`: Specifies a name for the policy. -- `spec.targetRef.name`: Specifies the name of the API gateway to attach the policy to. -- `spec.targetRef.kind`: Specifies the kind of resource to attach to the policy to. Must be set to `Gateway`. -- `spec.targetRef.group`: Specifies the resource group. Unless you have created a custom group, this should be set to `gateway.networking.k8s.io/v1beta1`. -- `spec.targetRef.sectionName`: Specifies a part of the gateway that the policy applies to. -- `spec.targetRef.override.jwt.providers`: Specifies a list of providers and claims used to verify requests to the gateway. The override settings take precedence over the default and route-specific JWT verification settings. -- `spec.targetRef.default.jwt.providers`: Specifies a list of default providers and claims used to verify requests to the gateway. - -The following examples configure a Gateway and the GatewayPolicy being attached to it so that every request coming through the listener must meet these conditions: - -- The request must be signed by the `local` provider -- The request must have a claim of `role` with a value of `user` unless the HTTPRoute attached to the listener overrides it - - - - - - -```yaml -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: Gateway -metadata: - name: api-gateway -spec: - gatewayClassName: consul - listeners: - - protocol: HTTP - port: 30002 - name: listener-one -``` - - - - - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: GatewayPolicy -metadata: - name: gw-policy -spec: - targetRef: - name: api-gateway - sectionName: listener-one - group: gateway.networking.k8s.io/v1beta1 - kind: Gateway - override: - jwt: - providers: - - name: "local" - default: - jwt: - providers: - - name: "local" - verifyClaims: - - path: - - role - value: user -``` - - - - - - -For more information about the fields you can configure, refer to [`GatewayPolicy` configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/gatewaypolicy). - -## Define a RouteAuthFilter - -Create an `RouteAuthFilter` CRD that defines overrides for the default JWT verification configured in the GatewayPolicy. - -- `kind`: Must be set to `RouteAuthFilter` -- `metadata.name`: Specifies a name for the filter. -- `metadata.namespace`: Specifies the Consul namespace the filter applies to. -- `spec.jwt.providers`: Specifies a list of providers and claims used to verify requests to the gateway. The override settings take precedence over the default and route-specific JWT verification settings. - -In the following example, the RouteAuthFilter overrides default settings set in the GatewayPolicy so that every request coming through the listener must meet these conditions: - -- The request must be signed by the `local` provider -- The request must have a `role` claim -- The value of the claim must be `admin` - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: RouteAuthFilter -metadata: - name: auth-filter -spec: - jwt: - providers: - - name: local - verifyClaims: - - path: - - role - value: admin -``` - - - -For more information about the fields you can configure, refer to [`RouteAuthFilter` configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/routeauthfilter). - -## Attach the auth filter to your HTTP routes - -In the `filters` field of your HTTPRoute configuration, define the filter behavior that results from JWT verification. - -- `type: extensionRef`: Declare list of extension references. -- `extensionRef.group`: Specifies the resource group. Unless you have created a custom group, this should be set to `gateway.networking.k8s.io/v1beta1`. -- `extensionRef.kind`: Specifies the type of extension reference to attach to the route. Must be `RouteAuthFilter` -- `extensionRef.name`: Specifies the name of the auth filter. - -The following example configures an HTTPRoute so that every request to `api-gateway-fqdn:3002/admin` must meet these conditions: - -- The request be signed by the `local` provider. -- The request must have a `role` claim. -- The value of the claim must be `admin`. - -Every other request must be signed by the `local` provider and have a claim of `role` with a value of `user`, as defined in the GatewayPolicy. - - - -```yaml -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: http-route -spec: - parentRefs: - - name: api-gateway - rules: - - matches: - - path: - type: PathPrefix - value: /admin - filters: - - type: ExtensionRef - extensionRef: - group: consul.hashicorp.com - kind: RouteAuthFilter - name: auth-filter - backendRefs: - - kind: Service - name: admin - port: 8080 - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - kind: Service - name: user-service - port: 8081 -``` - - diff --git a/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms.mdx b/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms.mdx deleted file mode 100644 index fda579669fa..00000000000 --- a/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms.mdx +++ /dev/null @@ -1,184 +0,0 @@ ---- -layout: docs -page_title: Use JWTs to verify requests to API gateways on virtual machines -description: Learn how to use JSON web tokens (JWT) to verify requests from external clients to listeners on an API gateway. ---- - -# Use JWTs to verify requests to API gateways on virtual machines - -This topic describes how to use JSON web tokens (JWT) to verify requests to API gateways on virtual machines (VM). If your services are deployed to Kubernetes-orchestrated containers, refer to [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s). - - This feature is available in Consul Enterprise. - -## Overview - -You can configure API gateways to use JWTs to verify incoming requests so that you can stop unverified traffic at the gateway. You can configure JWT verification at different levels: - -- Listener defaults: Define basic defaults that apply to all routes attached to a listener. -- HTTP route-specific settings: You can define JWT authentication settings for specific HTTP routes. Route-specific JWT settings override default configurations. -- Listener overrides: Define override settings that take precedence over default and route-specific configurations. This enables you to set enforceable policies for listeners. - -Complete the following steps to use JWTs to verify requests: - -1. Define a JWTProvider that specifies the JWT provider and claims used to verify requests to the gateway. -1. Configure default and override settings for listeners in the API gateway configuration entry. -1. Define route-specific JWT verification settings as filters in the HTTP route configuration entries. -1. Write the configuration entries to Consul to begin verifying requests using JWTs. - -## Requirements - -- Consul 1.17 or later -- JWT details, such as claims and provider - -## Define a JWTProvider - -Create a JWTProvider config entry that defines the JWT provider to verify claims against. -In the following example, the JWTProvider CRD contains a local JWKS. In production environments, use a production-grade JWKs endpoint instead. - - - -```hcl -Kind = "jwt-provider" -Name = "local" - -Issuer = "local" - -JSONWebKeySet = { - Local = { - JWKS="" - } -} -``` - - - -For more information about the fields you can configure in this CRD, refer to [`JWTProvider` configuration reference](/consul/docs/connect/config-entries/jwtprovider). - -## Configure default and override settings - -Define default and override settings for JWT verification in the [API gateway configuration entry](/consul/docs/connect/gateways/api-gateway/configuration/api-gateway). - -1. Add a `default.JWT` block to the listener that you want to apply JWT verification to. Consul applies these configurations to routes attached to the listener. Refer to the [`Listeners.default.JWT`](/consul/docs/connect/config-entries/api-gateway#listeners-default-jwt) configuration reference for details. -1. Add an `override.JWT` block to the listener that you want to apply JWT verification policies to. Consul applies these configurations to all routes attached to the listener, regardless of the `default` or route-specific settings. Refer to the [`Listeners.override.JWT`](/consul/docs/connect/config-entries/api-gateway#listeners-override-jwt) configuration reference for details. -1. Apply the settings in the API gateway configuration entry. You can use the [`/config` API endpoint](/consul/api-docs/config#apply-configuration) or the [`consul config write` command](/consul/commands/config/write). - -The following examples configure a Gateway so that every request coming through the listener must meet these conditions: -- The request must be signed by the `local` provider -- The request must have a claim of `role` with a value of `user` unless the HTTPRoute attached to the listener overrides it - - - -```hcl -Kind = "api-gateway" -Name = "api-gateway" -Listeners = [ - { - Name = "listener-one" - Port = 9001 - Protocol = "http" - Override = { - JWT = { - Providers = [ - { - Name = "local" - } - ] - } - } - default = { - JWT = { - Providers = [ - { - Name = "local" - VerifyClaims = [ - { - Path = ["role"] - Value = "pet" - } - ] - } - ] - } - } - } -] -``` - - - -## Configure verification for specific HTTP routes - -Define filters to enable route-specific JWT verification settings in the [HTTP route configuration entry](/consul/docs/connect/config-entries/http-route). - -1. Add a `JWT` configuration to the `rules.filter` block. Route-specific configurations that overlap the [default settings ](/consul/docs/connect/config-entries/api-gateway#listeners-default-jwt) in the API gateway configuration entry take precedence. Configurations defined in the [listener override settings](/consul/docs/connect/config-entries/api-gateway#listeners-override-jwt) take the highest precedence. -1. Apply the settings in the API gateway configuration entry. You can use the [`/config` API endpoint](/consul/api-docs/config#apply-configuration) or the [`consul config write` command](/consul/commands/config/write). - -The following example configures an HTTPRoute so that every request to `api-gateway-fqdn:3002/admin` must meet these conditions: -- The request be signed by the `local` provider. -- The request must have a `role` claim. -- The value of the claim must be `admin`. - -Every other request must be signed by the `local` provider and have a claim of `role` with a value of `user`, as defined in the Gateway listener. - - - -```hcl -Kind = "http-route" -Name = "api-gateway-route" -Parents = [ - { - SectionName = "listener-one" - Name = "api-gateway" - Kind = "api-gateway" - }, -] -Rules = [ - { - Matches = [ - { - Path = { - Match = "prefix" - Value = "/admin" - } - } - ] - Filters = { - JWT = { - Providers = [ - { - Name = "local" - VerifyClaims = [ - { - Path = ["role"] - Value = "admin" - } - ] - } - ] - } - } - Services = [ - { - Name = "admin-service" - } - ] - }, - { - Matches = [ - { - Path = { - Match = "prefix" - Value = "/" - } - } - ] - Services = [ - { - Name = "user-service" - } - ] - }, -] -``` - - diff --git a/website/content/docs/connect/gateways/index.mdx b/website/content/docs/connect/gateways/index.mdx deleted file mode 100644 index 067d3b27767..00000000000 --- a/website/content/docs/connect/gateways/index.mdx +++ /dev/null @@ -1,101 +0,0 @@ ---- -layout: docs -page_title: Gateways Overview -description: >- - Gateways are proxies that direct traffic into, out of, and inside of Consul's service mesh. They secure communication with external or non-mesh network resources and enable services on different runtimes, cloud providers, or with overlapping IP addresses to communicate with each other. ---- - -# Gateways Overview - -This topic provides an overview of the gateway features shipped with Consul. Gateways provide connectivity into, out of, and between Consul service meshes. You can configure the following types of gateways: - -- [Mesh gateways](#mesh-gateways) enable service-to-service traffic between Consul datacenters or between Consul admin partitions. They also enable datacenters to be federated across wide area networks. -- [Ingress gateways](#ingress-gateways) enable connectivity within your organizational network from services outside the Consul service mesh to services in the mesh. -- [Terminating gateways](#terminating-gateways) enable connectivity within your organizational network from services in the Consul service mesh to services outside the mesh. - -[![Gateway Architecture](/img/consul-connect/svgs/consul_gateway_overview.svg)](/img/consul-connect/svgs/consul_gateway_overview.svg) - -## Mesh Gateways - -Mesh gateways enable service mesh traffic to be routed between different Consul datacenters and admin partitions. The datacenters or partitions can reside -in different clouds or runtime environments where general interconnectivity between all services in all datacenters -isn't feasible. - -They operate by sniffing and extracting the server name indication (SNI) header from the service mesh session and routing the connection to the appropriate destination based on the server name requested. - -Mesh gateways enable the following scenarios: - -* **Federate multiple datacenters across a WAN**. Since Consul 1.8.0, mesh gateways can forward gossip and RPC traffic between Consul servers. See [WAN federation via mesh gateways](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways) for additional information. -- **Service-to-service communication across WAN-federated datacenters**. Refer to [Enabling Service-to-service Traffic Across Datacenters](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters) for additional information. -- **Service-to-service communication across admin partitions**. Since Consul 1.11.0, you can create administrative boundaries for single Consul deployments called "admin partitions". You can use mesh gateways to facilitate cross-partition communication. Refer to [Enabling Service-to-service Traffic Across Admin Partitions](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions) for additional information. -- **Bridge multiple datacenters using Cluster Peering**. Since Consul 1.14.0, mesh gateways can be used to route peering control-plane traffic between peered Consul Servers. See [Mesh Gateways for Peering Control Plane Traffic](/consul/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways) for more information. -- **Service-to-service communication across peered datacenters**. Refer to [Establish cluster peering connections](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering) for more information. - --> **Mesh gateway tutorial**: Follow the [mesh gateway tutorial](/consul/tutorials/developer-mesh/service-mesh-gateways) to learn concepts associated with mesh gateways. - -## API Gateways - -API gateways enable network access, from outside a service mesh, to services running in a Consul service mesh. The -systems accessing the services in the mesh, may be within your organizational network or external to it. This type of -network traffic is commonly called _north-south_ network traffic because it refers to the flow of data into and out of -a specific environment. - -API gateways solve the following primary use cases: - -- **Control access at the point of entry**: Set the protocols of external connection - requests and secure inbound connections with TLS certificates from trusted - providers, such as Verisign and Let's Encrypt. -- **Simplify traffic management**: Load balance requests across services and route - traffic to the appropriate service by matching one or more criteria, such as - hostname, path, header presence or value, and HTTP method. - -Refer to the following documentation for information on how to configure and deploy API gateways: -- [API Gateways on VMs](/consul/docs/connect/gateways/api-gateway/deploy/listeners-vms) -- [API Gateways for Kubernetes](/consul/docs/connect/gateways/api-gateway/deploy/listeners-k8s). - - -## Ingress Gateways - - - -Ingress gateway is deprecated and will not be enhanced beyond its current capabilities. Ingress gateway is fully supported -in this version but will be removed in a future release of Consul. - -Consul's API gateway is the recommended alternative to ingress gateway. - - - -Ingress gateways enable connectivity within your organizational network from services outside the Consul service mesh -to services in the mesh. To accept ingress traffic from the public internet, use Consul's -[API Gateway](https://www.hashicorp.com/blog/announcing-hashicorp-consul-api-gateway) instead. - -These gateways allow you to define what services should be exposed, on what port, and by what hostname. You configure -an ingress gateway by defining a set of listeners that can map to different sets of backing services. - -Ingress gateways are tightly integrated with Consul's L7 configuration and enable dynamic routing of HTTP requests by -attributes like the request path. - -For more information about ingress gateways, review the [complete documentation](/consul/docs/connect/gateways/ingress-gateway) -and the [ingress gateway tutorial](/consul/tutorials/developer-mesh/service-mesh-ingress-gateways). - -![Ingress Gateway Architecture](/img/ingress-gateways.png) - -## Terminating Gateways - -Terminating gateways enable connectivity within your organizational network from services in the Consul service mesh -to services outside the mesh. -Services outside the mesh do not have sidecar proxies or are not [integrated natively](/consul/docs/connect/native). -These may be services running on legacy infrastructure or managed cloud services running on -infrastructure you do not control. - -Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate service mesh -mTLS connections, enforce Consul intentions, and forward requests to the appropriate destination. - -These gateways also simplify authorization from dynamic service addresses. Consul's intentions determine whether -connections through the gateway are authorized. Then traditional tools like firewalls or IAM roles can authorize the -connections from the known gateway nodes to the destination services. - -For more information about terminating gateways, review the [complete documentation](/consul/docs/connect/gateways/terminating-gateway) -and the [terminating gateway tutorial](/consul/tutorials/developer-mesh/terminating-gateways-connect-external-services). - -![Terminating Gateway Architecture](/img/terminating-gateways.png) diff --git a/website/content/docs/connect/gateways/ingress-gateway/index.mdx b/website/content/docs/connect/gateways/ingress-gateway/index.mdx deleted file mode 100644 index 3f0b4ea836f..00000000000 --- a/website/content/docs/connect/gateways/ingress-gateway/index.mdx +++ /dev/null @@ -1,35 +0,0 @@ ---- -layout: docs -page_title: Ingress gateway overview -description: >- - Ingress gateways enable you to connect external services to services in your mesh. Ingress gateways are a type of proxy that listens for requests from external network locations and route authorized traffic to destinations in the service mesh. ---- - -# Ingress gateways overview - -An ingress gateway is a type of proxy that enables network connectivity from external services to services inside the mesh. The following diagram describes the ingress gateway workflow: - -![Ingress Gateway Architecture](/img/ingress-gateways.png) - - - -Ingress gateway is deprecated and will not be enhanced beyond its current capabilities. Ingress gateway is fully supported -in this version but will be removed in a future release of Consul. - -Consul's API gateway is the recommended alternative to ingress gateway. - - - -## Workflow - -The following stages describe how to add an ingress gateway to your service mesh: - -1. Configure ingress gateway listeners: Create an ingress gateway configuration entry and specify which services to expose to external requests. The configuration entry allows you to define what services should be exposed, on what port, and by what hostname. You can expose services registered with Consul or expose virtual services defined in other configuration entries. Refer to [Ingress gateway configuration entry reference](/consul/docs/connect/config-entries/ingress-gateway) for details on the configuration parameters you can specify. - -1. Define an ingress gateway proxy service: Ingress gateways are a special-purpose proxy service that you can define and register in a similar manner to other services. When you register the ingress gateway service, Consul applies the configurations defined in the ingress gateway configuration reference. Refer to [Implement an ingress gateway](/consul/docs/connect/gateways/ingress-gateway/usage) for additional information. - -1. Start the network proxy: The ingress gateway proxy service accepts configurations from the configuration entry and directs requests to the exposed services. When the external traffic passes through the ingress gateway, your sidecar proxy handles the inbound and outbound connections between the exposed services and the gateway. Refer to [Service mesh proxy overview](/consul/docs/connect/proxies) to learn more about the proxies Consul supports. - -## Integrations with custom TLS management solutions - -You can configure the ingress gateway to retrieve and serve custom TLS certificates from external systems. This functionality is designed to help you integrate with custom TLS management software. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/gateways/ingress-gateway/tls-external-service) for additional information. \ No newline at end of file diff --git a/website/content/docs/connect/gateways/ingress-gateway/usage.mdx b/website/content/docs/connect/gateways/ingress-gateway/usage.mdx deleted file mode 100644 index 2b4c55e279a..00000000000 --- a/website/content/docs/connect/gateways/ingress-gateway/usage.mdx +++ /dev/null @@ -1,127 +0,0 @@ ---- -layout: docs -page_title: Implement an ingress gateway -description: Learn how to implement ingress gateways, which are Consul service mesh constructs that listen for requests from external network locations and route authorized traffic to destinations in the service mesh. ---- - -# Implement an ingress gateway - -This topic describes how to add ingress gateways to your Consul service mesh. Ingress gateways enable connectivity within your organizational network by allowing services outside of the service mesh to send traffic to services in the mesh. Refer to [Ingress gateways overview](/consul/docs/connect/gateways/ingress-gateway/) for additional information about ingress gateways. - -This topic describes ingress gateway usage for virtual machine (VM) environments. Refer to [Configure ingress gateways for Consul on Kubernetes](/consul/docs/k8s/connect/ingress-gateways) for instructions on how to implement ingress gateways in Kubernetes environments. - -## Overview - -Ingress gateways are a type of proxy service included with Consul. Complete the following steps to set up an ingress gateway: - -1. Define listeners and the services they expose. Specify these details in an ingress gateway configuration entry. -1. Register an ingress gateway service. Define the services in a service definition file. -1. Start the ingress gateway. This step deploys the Envoy proxy that functions as the ingress gateway. - -After specifying listeners and services in the ingress gateway configuration entry, you can register the gateway service and start Envoy with a single CLI command instead of completing these steps separately. Refer [Register an ingress service on Envoy startup](#register-an-ingress-service-on-envoy-startup). - -## Requirements - -- Service mesh must be enabled for all agents. Set the [`connect.enabled` parameter](/consul/docs/agent/config/config-files#connect) to `true` to enable service mesh. -- The gRPC port must be configured for all server agents in the datacenter. Specify the gRPC port in the [`ports.grpc` parameter](/consul/docs/agent/config/config-files#grpc_port). We recommend setting the port to `8502` to simplify configuration when ACLs are enabled. Refer to [ACL requirements](#acl-requirements) for additional information. -- You must use Envoy for sidecar proxies in your service mesh. Refer to [Envoy Proxy Configuration for Service Mesh](/consul/docs/connect/proxies/envoy) for supported versions. - -### ACL requirements - -If ACLs are enabled, you must present a token when registering ingress gateways that grant the following permissions: - -`service:write` for the ingress gateway's service name -`service:read` for all services in the ingress gateway's configuration entry -`node:read` for all nodes of the services in the ingress gateway's configuration entry. - -These privileges authorize the token to route communications to other services in the mesh. If the Consul client agent on the gateway's node is not configured to use the default `8502` gRPC port, then the gateway's token must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies. - -## Expose services - -Define and apply an ingress gateway configuration entry to specify which services in the mesh to expose to external services. - -### Define an ingress gateway configuration entry - -Ingress gateway configuration entries map downstream ingress listeners to upstream services. When you register an ingress gateway proxy that matches the configuration entry name, Consul applies the settings specified in the configuration entry. Configure the following fields: - -- [`Kind`](/consul/docs/connect/config-entries/ingress-gateway#kind): Set the value to `ingress-gateway`. -- [`Name`](/consul/docs/connect/config-entries/ingress-gateway#name): Consul applies the configuration entry settings to ingress gateway proxies with names that match the `Name` field. -- [`Listeners`](/consul/docs/connect/config-entries/ingress-gateway#listeners): Specify one or more listeners. - - [`Listeners.Port`](/consul/docs/connect/config-entries/ingress-gateway#listeners-port): Specify a port for the listener. Each listener is uniquely identified by its port number. - - [`Listeners.Protocol`](/consul/docs/connect/config-entries/ingress-gateway#listeners-protocol): The default protocol is `tcp`, but you must specify the protocol used by the services you want to allow traffic from. - - [`Listeners.Services`](/consul/docs/connect/config-entries/ingress-gateway#listeners-services): The `Services` field contains the services that you want to expose to upstream services. The field contains several options and sub-configurations that enable granular control over ingress traffic, such as health check and TLS configurations. - -For Consul Enterprise service meshes, you may also need to configure the [`Partition`](/consul/docs/connect/config-entries/ingress-gateway#partition) and [`Namespace`](/consul/docs/connect/config-entries/ingress-gateway#namespace) fields for the gateway and for each exposed service. - -Refer to [Ingress gateway configuration entry reference](/consul/docs/connect/config-entries/ingress-gateway) for details about the supported parameters. - -### Register an ingress gateway configuration entry - -You can register the configuration entry using the [`consul config` command](/consul/commands/config) or by calling the [`/config` API endpoint](/consul/api-docs/config). Refer to [How to Use Configuration Entries](/consul/docs/agent/config-entries) for details about applying configuration entries. - -The following example registers an ingress gateway configuration entry named `public-ingress.hcl` that is stored on the local system: - -```shell-session -$ consul config write public-ingress.hcl -``` - -## Deploy an ingress gateway service - -To deploy an ingress gateway service, create a service definition and register it with Consul. - -You can also define an ingress gateway service and register it with Consul while starting an Envoy proxy from the command line. Refer to [Register an ingress service on Envoy startup](#register-an-ingress-service-on-envoy-startup) for details. - -### Create a service definition for the ingress gateway - -Consul applies the settings defined in the ingress gateway configuration entry to ingress gateway services that match the configuration entry name. Refer to [Define services](/consul/docs/services/usage/define-services) for additional information about defining services in Consul. - -The following fields are required for the ingress gateway service definition: - -- [`Kind`](/consul/docs/services/configuration/services-configuration-reference#kind): The field must be set to `ingress-gateway`. -- [`Name`](/consul/docs/services/configuration/services-configuration-reference#name): The name should match the value specified for the `Name` field in the configuration entry. - -All other service definition fields are optional, but we recommend defining health checks to verify the health of the gateway. Refer to [Services configuration reference](/consul/docs/services/configuration/services-configuration-reference) for information about defining services. - -### Register the ingress gateway proxy service - -You can register the ingress gateway using API or CLI. Refer to [Register services and health checks](/consul/docs/services/usage/register-services-checks) for instructions on registering services in Consul. - -The following example registers an ingress gateway defined in `ingress-gateway.hcl` from the Consul CLI: - -```shell-session -$ consul services register ingress-service.hcl -``` - -## Start an Envoy proxy - -Run the `consul connect envoy` command to start Envoy. Specify the name of the ingress gateway service and include the `-gateway=ingress` flag. Refer to [Consul Connect Envoy](/consul/commands/connect/envoy) for details about using the command. - -The following example starts Envoy for the `ingress-service` gateway service: - -```shell-session -$ consul connect envoy -gateway=ingress ingress-service -``` - -### Register an ingress service on Envoy startup - -You can also automatically register the ingress gateway service when starting the Envoy proxy. Specify the following flags with the `consul connect envoy` command: - -- `-gateway=ingress` -- `-register` -- `-service=` - -The following example starts Envoy and registers an ingress gateway service named `ingress-service` bound to the agent address at port `8888`: - -```shell-session -$ consul connect envoy -gateway=ingress -register \ - -service ingress-service \ - -address '{{ GetInterfaceIP "eth0" }}:8888' -``` -You cannot register the ingress gateway service and start the proxy at the same time if you configure the gateway to retrieve and serve TLS certificates from their external downstreams. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/gateways/ingress-gateway/tls-external-service) for more information. - -## Additional Envoy configurations - -Ingress gateways support additional Envoy gateway options and escape-hatch overrides. Specify gateway options in the ingress gateway service definition to use them. To use escape-hatch overrides, you must add them to your global proxy defaults configuration entry. Refer to the following documentation for additional information: - -- [Gateway options](/consul/docs/connect/proxies/envoy#gateway-options) -- [Escape-hatch overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) diff --git a/website/content/docs/connect/gateways/terminating-gateway.mdx b/website/content/docs/connect/gateways/terminating-gateway.mdx deleted file mode 100644 index 86014850eb2..00000000000 --- a/website/content/docs/connect/gateways/terminating-gateway.mdx +++ /dev/null @@ -1,130 +0,0 @@ ---- -layout: docs -page_title: Terminating Gateway | Service Mesh -description: >- - Terminating gateways send requests from inside the service mesh to external network locations and services outside the mesh. Learn about requirements and terminating gateway interactions with Consul's service catalog. ---- - -# Terminating Gateways - --> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer. - -Terminating gateways enable connectivity within your organizational network from services in the Consul service mesh to -services and [destinations](/consul/docs/connect/config-entries/service-defaults#terminating-gateway-destination) outside the mesh. These gateways effectively act as service mesh proxies that can -represent more than one service. They terminate service mesh mTLS connections, enforce intentions, -and forward requests to the appropriate destination. - -![Terminating Gateway Architecture](/img/terminating-gateways.png) - -For additional use cases and usage patterns, review the tutorial for -[understanding terminating gateways](/consul/tutorials/developer-mesh/service-mesh-terminating-gateways?utm_source=docs). - -~> **Known limitations:** Terminating gateways currently do not support targeting service subsets with -[L7 configuration](/consul/docs/connect/manage-traffic). They route to all instances of a service with no capabilities -for filtering by instance. - -## Security Considerations - -~> We recommend that terminating gateways are not exposed to the WAN or open internet. This is because terminating gateways -hold certificates to decrypt Consul service mesh traffic directed at them and may be configured with credentials to connect -to linked services. Connections over the WAN or open internet should flow through [mesh gateways](/consul/docs/connect/gateways/mesh-gateway) -whenever possible since they are not capable of decrypting traffic or connecting directly to services. - -By specifying a path to a [CA file](/consul/docs/connect/config-entries/terminating-gateway#cafile) connections -from the terminating gateway will be encrypted using one-way TLS authentication. If a path to a -[client certificate](/consul/docs/connect/config-entries/terminating-gateway#certfile) -and [private key](/consul/docs/connect/config-entries/terminating-gateway#keyfile) are also specified connections -from the terminating gateway will be encrypted using mutual TLS authentication. - -If none of these are provided, Consul will **only** encrypt connections to the gateway and not -from the gateway to the destination service. - -When certificates for linked services are rotated, the gateway must be restarted to pick up the new certificates from disk. -To avoid downtime, perform a rolling restart to reload the certificates. Registering multiple terminating gateway instances -with the same [name](/consul/commands/connect/envoy#service) provides additional fault tolerance -as well as the ability to perform rolling restarts. - --> **Note:** If certificates and keys are configured the terminating gateway will upgrade HTTP connections to TLS. -Client applications can issue plain HTTP requests even when connecting to servers that require HTTPS. - -## Prerequisites - -Each terminating gateway needs: - -1. A local Consul client agent to manage its configuration. -2. General network connectivity to services within its local Consul datacenter. -3. General network connectivity to services and destinations outside the mesh that are part of the gateway services list. - -Terminating gateways also require that your Consul datacenters are configured correctly: - -- You'll need to use Consul version 1.8.0 or newer. -- Consul [service mesh](/consul/docs/agent/config/config-files#connect) must be enabled on the datacenter's Consul servers. -- [gRPC](/consul/docs/agent/config/config-files#grpc_port) must be enabled on all client agents. - -Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with terminating gateway capabilities in Consul. - -- Terminating gateway proxies receive their configuration through Consul, which - automatically generates it based on the gateway's registration. Currently Consul - can only translate terminating gateway registration information into Envoy - configuration, therefore the proxies acting as terminating gateways must be Envoy. - -Service mesh proxies that send upstream traffic through a gateway aren't -affected when you deploy terminating gateways. If you are using non-Envoy proxies as -Service mesh proxies they will continue to work for traffic directed at services linked to -a terminating gateway as long as they discover upstreams with the -[/health/connect](/consul/api-docs/health#list-nodes-for-connect-capable-service) endpoint. - -## Running and Using a Terminating Gateway - -For a complete example of how to enable connections from services in the Consul service mesh to -services outside the mesh, review the [terminating gateway tutorial](/consul/tutorials/developer-mesh/terminating-gateways-connect-external-services). - -## Terminating Gateway Configuration - -Terminating gateways are configured in service definitions and registered with Consul like other services, with two exceptions. -The first is that the [kind](/consul/api-docs/agent/service#kind) must be "terminating-gateway". Second, -the terminating gateway service definition may contain a `Proxy.Config` entry just like a -service mesh proxy service, to define opaque configuration parameters useful for the actual proxy software. -For Envoy there are some supported [gateway options](/consul/docs/connect/proxies/envoy#gateway-options) as well as -[escape-hatch overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides). - --> **Note:** If ACLs are enabled, terminating gateways must be registered with a token granting `node:read` on the nodes -of all services in its configuration entry. The token must also grant `service:write` for the terminating gateway's service name **and** -the names of all services in the terminating gateway's configuration entry. These privileges will authorize the gateway -to terminate mTLS connections on behalf of the linked services and then route the traffic to its final destination. -If the Consul client agent on the gateway's node is not configured to use the default gRPC port, 8502, then the gateway's token -must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies. - -You can link services and destinations to a terminating gateway with a `terminating-gateway` -[configuration entry](/consul/docs/connect/config-entries/terminating-gateway). This config entry can be applied via the -[CLI](/consul/commands/config/write) or [API](/consul/api-docs/config#apply-configuration). - -Gateways with the same name in Consul's service catalog are configured with a single configuration entry. -This means that additional gateway instances registered with the same name will determine their routing based on the existing configuration entry. -Adding replicas of a gateway that routes to a particular set of services requires running the -[envoy subcommand](/consul/commands/connect/envoy#terminating-gateways) on additional hosts and specifying -the same gateway name with the `service` flag. - -~> [Configuration entries](/consul/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies -across all federated Consul datacenters. If terminating gateways in different Consul datacenters need to route to different -sets of services within their datacenter then the terminating gateways **must** be registered with different names. - -The services that the terminating gateway will proxy for must be registered with Consul, even the services outside the mesh. They must also be registered -in the same Consul datacenter as the terminating gateway. Otherwise the terminating gateway will not be able to -discover the services' addresses. These services can be registered with a local Consul agent. -If there is no agent present, the services can be registered [directly in the catalog](/consul/api-docs/catalog#register-entity) -by sending the registration request to a client or server agent on a different host. - -All services registered in the Consul catalog must be associated with a node, even when their node is -not managed by a Consul client agent. All agent-less services with the same address can be registered under the same node name and address. -However, ensure that the [node name](/consul/api-docs/catalog#node) for external services registered directly in the catalog -does not match the node name of any Consul client agent node. If the node name overlaps with the node name of a Consul client agent, -Consul's [anti-entropy sync](/consul/docs/architecture/anti-entropy) will delete the services registered via the `/catalog/register` HTTP API endpoint. - -Service-defaults [destinations](/consul/docs/connect/config-entries/service-defaults#destination) let you -define endpoints external to the mesh and routable through a terminating gateway in transparent mode. -After you define a service-defaults configuration entry for each destination, you can use the service-default name as part of the terminating gateway services list. -If a service and a destination service-defaults have the same name, the terminating gateway will use the service. - -For a complete example of how to register external services review the -[external services tutorial](/consul/tutorials/developer-discovery/service-registration-external-services). diff --git a/website/content/docs/connect/index.mdx b/website/content/docs/connect/index.mdx index 6bdc9989f52..b60f01aca65 100644 --- a/website/content/docs/connect/index.mdx +++ b/website/content/docs/connect/index.mdx @@ -1,77 +1,10 @@ --- layout: docs -page_title: Service Mesh on Consul +page_title: Connect services description: >- - Consul’s service mesh makes application and microservice networking secure and observable with identity-based authentication, mutual TLS (mTLS) encryption, and explicit service-to-service authorization enforced by sidecar proxies. Learn how Consul’s service mesh works and get started on VMs or Kubernetes. + Consul documentation provides reference material for all features and options available in Consul. --- -# Consul service mesh +# Connect service mesh overview -Consul service mesh provides service-to-service connection authorization and -encryption using mutual Transport Layer Security (TLS). - -Applications can use [sidecar proxies](/consul/docs/connect/proxies) in a service mesh configuration to -establish TLS connections for inbound and outbound connections without being aware of the service mesh at all. -Applications may also [natively integrate with Consul service mesh](/consul/docs/connect/native) for optimal performance and security. -Consul service mesh can help you secure your services and provide data about service-to-service communications. - -The noun _connect_ is used throughout this documentation to refer to the connect -subsystem that provides Consul's service mesh capabilities. -Where you encounter the _noun_ connect, it is usually functionality specific to -service mesh. - -Review the video below to learn more about Consul service mesh from HashiCorp's co-founder Armon. - - - -## Application security - -Consul service mesh enables secure deployment best-practices with automatic -service-to-service encryption, and identity-based authorization. -Consul uses the registered service identity, rather than IP addresses, to -enforce access control with [intentions](/consul/docs/connect/intentions). This -makes it easier to control access and enables services to be -rescheduled by orchestrators, including Kubernetes and Nomad. Intention -enforcement is network agnostic, so Consul service mesh works with physical networks, cloud -networks, software-defined networks, cross-cloud, and more. - -## Observability - -One of the key benefits of Consul service mesh is the uniform and consistent view it can -provide of all the services on your network, irrespective of their different -programming languages and frameworks. When you configure Consul service mesh to use -sidecar proxies, those proxies see all service-to-service traffic and can -collect data about it. Consul service mesh can configure Envoy proxies to collect -layer 7 metrics and export them to tools like Prometheus. Correctly instrumented -applications can also send open tracing data through Envoy. - -## Getting started with Consul service mesh - -Complete the following tutorials try Consul service mesh in different environments: - -- The [Getting Started with Consul Service Mesh collection](/consul/tutorials/kubernetes-deploy/service-mesh?utm_source=docs) - walks you through installing Consul as service mesh for Kubernetes using the Helm - chart, deploying services in the service mesh, and using intentions to secure service - communications. - -- The [Getting Started With Consul for Kubernetes](/consul/tutorials/get-started-kubernetes?utm_source=docs) tutorials guides you through installing Consul on Kubernetes to set up a service mesh for establishing communication between Kubernetes services. - -- The [Secure Service-to-Service Communication tutorial](/consul/tutorials/developer-mesh/service-mesh-with-envoy-proxy?utm_source=docs) - is a simple walk through of connecting two services on your local machine - and configuring your first intention. - -- The [Kubernetes tutorial](/consul/tutorials/kubernetes/kubernetes-minikube?utm_source=docs) - walks you through configuring Consul service mesh in Kubernetes using the Helm - chart, and using intentions. You can run the guide on Minikube or an existing - Kubernetes cluster. - -- The [observability tutorial](/consul/tutorials/kubernetes/kubernetes-layer7-observability) - shows how to deploy a basic metrics collection and visualization pipeline on - a Minikube or Kubernetes cluster using the official Helm charts for Consul, - Prometheus, and Grafana. +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/connect/intentions/legacy.mdx b/website/content/docs/connect/intentions/legacy.mdx deleted file mode 100644 index 9151b1e8ca6..00000000000 --- a/website/content/docs/connect/intentions/legacy.mdx +++ /dev/null @@ -1,188 +0,0 @@ ---- -layout: docs -page_title: Intentions (Legacy Mode) -description: >- - Intentions define service communication permissions in the service mesh. As of version 1.9, Consul uses a new system for creating and managing intentions. Learn how intentions worked in earlier versions of Consul with this legacy documentation. ---- - -# Intentions in Legacy Mode - -~> **1.8.x and earlier:** This document only applies in Consul versions 1.8.x -and before. If you are using version 1.9.0 or later, refer to the [current intentions documentation](/consul/docs/connect/intentions). - -Intentions define access control for service-to-service connections in the service mesh. Intentions can be -managed via the API, CLI, or UI. - -Intentions are enforced by the [proxy](/consul/docs/connect/proxies) -or [natively integrated application](/consul/docs/connect/native) on -inbound connections. After verifying the TLS client certificate, the -[authorize API endpoint](/consul/api-docs/agent/connect#authorize) is called which verifies the connection -is allowed by testing the intentions. If authorize returns false the -connection must be terminated. - -The default intention behavior is defined by the default [ACL -policy](/consul/docs/agent/config/config-files#acl_default_policy). If the default ACL policy is -"allow all", then all service-to-service connections in the mesh are allowed by default. If the -default ACL policy is "deny all", then all service-to-service connections are denied by -default. - -## Intention Basics - -Intentions can be managed via the [API](/consul/api-docs/connect/intentions), -[CLI](/consul/commands/intention), or UI. Please see the respective documentation for -each for full details on options, flags, etc. Below is an example of a basic -intention to show the basic attributes of an intention. The full data model of -an intention can be found in the [API -documentation](/consul/api-docs/connect/intentions). - -```shell-session -$ consul intention create -deny web db -Created: web => db (deny) -``` - -The intention above is a deny intention with a source of "web" and -destination of "db". This says that connections from web to db are not -allowed and the connection will be rejected. - -When an intention is modified, existing connections will not be affected. -This means that changing a connection from "allow" to "deny" today -_will not_ kill the connection. Addressing this shortcoming is on -the near term roadmap for Consul. - -### Wildcard Intentions - -An intention source or destination may also be the special wildcard -value `*`. This matches _any_ value and is used as a catch-all. Example: - -```shell-session -$ consul intention create -deny web '*' -Created: web => * (deny) -``` - -This example says that the "web" service cannot connect to _any_ service. - -### Metadata - -Arbitrary string key/value data may be associated with intentions. This -is unused by Consul but can be used by external systems or for visibility -in the UI. - -```shell-session -$ consul intention create \ - -deny \ - -meta description='Hello there' \ - web db -... - -$ consul intention get web db -Source: web -Destination: db -Action: deny -ID: 31449e02-c787-f7f4-aa92-72b5d9b0d9ec -Meta[description]: Hello there -Created At: Friday, 25-May-18 02:07:51 CEST -``` - -## Precedence and Match Order - -Intentions are matched in an implicit order based on specificity, preferring -deny over allow. Specificity is determined by whether a value is an exact -specified value or is the wildcard value `*`. -The full precedence table is shown below and is evaluated -top to bottom, with larger numbers being evaluated first. - -| Source Namespace | Source Name | Destination Namespace | Destination Name | Precedence | -| ---------------- | ----------- | --------------------- | ---------------- | ---------- | -| Exact | Exact | Exact | Exact | 9 | -| Exact | `*` | Exact | Exact | 8 | -| `*` | `*` | Exact | Exact | 7 | -| Exact | Exact | Exact | `*` | 6 | -| Exact | `*` | Exact | `*` | 5 | -| `*` | `*` | Exact | `*` | 4 | -| Exact | Exact | `*` | `*` | 3 | -| Exact | `*` | `*` | `*` | 2 | -| `*` | `*` | `*` | `*` | 1 | - -The precedence value can be read from the [API](/consul/api-docs/connect/intentions) -after an intention is created. -Precedence cannot be manually overridden today. This is a feature that will -be added in a later version of Consul. - -In the case the two precedence values match, Consul will evaluate -intentions based on lexicographical ordering of the destination then -source name. In practice, this is a moot point since authorizing a connection -has an exact source and destination value so its impossible for two -valid non-wildcard intentions to match. - -The numbers in the table above are not stable. Their ordering will remain -fixed but the actual number values may change in the future. - --> **Consul Enterprise** - Namespaces are an Enterprise feature. In Consul CE, any of the rows in -the table with a `*` for either the source namespace or destination namespace are not applicable. - -## Intention Management Permissions - -Intention management can be protected by [ACLs](/consul/docs/security/acl). -Permissions for intentions are _destination-oriented_, meaning the ACLs -for managing intentions are looked up based on the destination value -of the intention, not the source. - -Intention permissions are by default implicitly granted at `read` level -when granting `service:read` or `service:write`. This is because a -service registered that wants to use service mesh needs `intentions:read` -for its own service name in order to know whether or not to authorize -connections. The following ACL policy will implicitly grant `intentions:read` -(note _read_) for service `web`. - -```hcl -service "web" { - policy = "write" -} -``` - -It is possible to explicitly specify intention permissions. For example, -the following policy will allow a service to be discovered without granting -access to read intentions for it. - -```hcl -service "web" { - policy = "read" - intentions = "deny" -} -``` - -Note that `intentions:read` is required for a token that a mesh-enabled -service uses to register itself or its proxy. If the token used does not -have `intentions:read` then the agent will be unable to resolve intentions -for the service and so will not be able to authorize any incoming connections. - -~> **Security Note:** Explicitly allowing `intentions:write` on the token you -provide to a service instance at registration time opens up a significant -additional vulnerability. Although you may trust the service _team_ to define -which inbound connections they accept, using a combined token for registration -allows a compromised instance to to redefine the intentions which allows many -additional attack vectors and may be hard to detect. We strongly recommend only -delegating `intentions:write` using tokens that are used by operations teams or -orchestrators rather than spread via application config, or only manage -intentions with management tokens. - -## Performance and Intention Updates - -The intentions for services registered with a Consul agent are cached -locally on that agent. They are then updated via a background blocking query -against the Consul servers. - -Service mesh connection attempts require only local agent -communication for authorization and generally only impose microseconds -of latency to the connection. All actions in the data path of connections -require only local data to ensure minimal performance overhead. - -Updates to intentions are propagated nearly instantly to agents since agents -maintain a continuous blocking query in the background for intention updates -for registered services. - -Because all the intention data is cached locally, the agents can fail static. -Even if the agents are severed completely from the Consul servers, inbound -connection authorization continues to work for a configured amount of time. -Changes to intentions will not be picked up until the partition heals, but -will then automatically take effect when connectivity is restored. diff --git a/website/content/docs/connect/k8s.mdx b/website/content/docs/connect/k8s.mdx new file mode 100644 index 00000000000..3a79e139d18 --- /dev/null +++ b/website/content/docs/connect/k8s.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Connect Kubernetes services with Consul +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Connect Kubernetes service mesh with Consul + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/connect/lambda/index.mdx b/website/content/docs/connect/lambda/index.mdx new file mode 100644 index 00000000000..4fe3790372b --- /dev/null +++ b/website/content/docs/connect/lambda/index.mdx @@ -0,0 +1,40 @@ +--- +layout: docs +page_title: Connect Lambda services with Consul +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Connect Lambda services with Consul + +You can configure Consul to allow services in your mesh to invoke Lambda functions, as well as allow Lambda functions to invoke services in your mesh. Lambda functions are programs or scripts that run in AWS Lambda. Refer to the [AWS Lambda website](https://aws.amazon.com/lambda/) for additional information. + +## Register Lambda functions into Consul + +The first step is to register your Lambda functions into Consul. We recommend using the [Lambda registrator module](https://github.com/hashicorp/terraform-aws-consul-lambda/tree/main/modules/lambda-registrator) to automatically synchronize Lambda functions into Consul. You can also manually register Lambda functions into Consul if you are unable to use the Lambda registrator. + +Refer to [Lambda Function Registration Requirements](/consul/docs/lambda/registration) for additional information about registering Lambda functions into Consul. + +## Invoke Lambda functions from Consul service mesh + +After registering AWS Lambda functions, you can invoke Lambda functions from the Consul service mesh through terminating gateways (recommended) or directly from connected proxies. + +Refer to [Invoke Lambda Functions from Services](/consul/docs/connect/lambda/invoke-function) for details. + +## Invoke mesh services from Lambda function + + + +Functionality associated with beta features are subject to change. You should never use the beta release in secure environments or production scenarios. Features in beta may have performance issues, scaling issues, and limited support. + + + +You can also add the `consul-lambda-extension` plugin as a layer in your Lambda functions, which enables them to send requests to services in the mesh. The plugin starts a lightweight sidecar proxy that directs requests from Lambda functions to [mesh gateways](/consul/docs/connect/gateways#mesh-gateways). The gateways route traffic to the destination service to complete the request. + +![Invoke mesh service from Lambda function](/img/invoke-service-from-lambda-flow.svg) + +Refer to [Invoke Services from Lambda Functions](/consul/docs/lambda/invoke-from-lambda) for additional information about registering Lambda functions into Consul. + +Consul mesh gateways are required to send requests from Lambda functions to mesh services. Refer to [Mesh Gateways](/consul/docs/east-west/mesh-gateway/) for additional information. + +Note that L7 traffic management features are not supported. As a result, requests from Lambda functions ignore service routes and splitters. diff --git a/website/content/docs/lambda/invocation.mdx b/website/content/docs/connect/lambda/invoke-function.mdx similarity index 86% rename from website/content/docs/lambda/invocation.mdx rename to website/content/docs/connect/lambda/invoke-function.mdx index cdfe774ef64..a98046de0a4 100644 --- a/website/content/docs/lambda/invocation.mdx +++ b/website/content/docs/connect/lambda/invoke-function.mdx @@ -58,24 +58,26 @@ The following diagram shows the invocation procedure: 2. The service mesh proxy invokes the Lambda. ## Invoke a Lambda Function -Before you can invoke a Lambda function, register the service used to invoke -the Lambda function and the service running in Lambda with -Consul (refer to [registration](/consul/docs/lambda/registration) for -instructions). The service used to invoke the function must be deployed to the -service mesh. + +Before you can invoke a Lambda function, register the service used to invoke the Lambda function and the service running in Lambda with Consul (refer to [registration](/consul/docs/lambda/registration) for instructions). The service used to invoke the function must be deployed to the service mesh. 1. Update the invoking service to use the Lambda service as an upstream. In the following example, the `destination_name` for the invoking service (`api`) points to a Lambda service called `authentication`: - ```hcl - upstreams { - local_bind_port = 2345 - destination_name = "authentication" - } - ``` + + ```hcl + upstreams { + local_bind_port = 2345 + destination_name = "authentication" + } + ``` + 1. Issue the `consul services register` command to store the configuration: - ```shell-session - $ consul services register api-sidecar-proxy.hcl - ``` + + ```shell-session + $ consul services register api-sidecar-proxy.hcl + ``` + 1. Call the upstream service to invoke the Lambda function. In the following example, the `api` service invokes the `authentication` service at `localhost:2345`: - ```shell-session - $ curl https://localhost:2345 - ``` + + ```shell-session + $ curl https://localhost:2345 + ``` diff --git a/website/content/docs/connect/lambda/invoke-service.mdx b/website/content/docs/connect/lambda/invoke-service.mdx new file mode 100644 index 00000000000..d5d6e327abd --- /dev/null +++ b/website/content/docs/connect/lambda/invoke-service.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Invoke Lambda service +description: >- + This topic provides +--- + +# Invoke Lambda service + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/connect/manage-traffic/discovery-chain.mdx b/website/content/docs/connect/manage-traffic/discovery-chain.mdx deleted file mode 100644 index b7ee4e975ef..00000000000 --- a/website/content/docs/connect/manage-traffic/discovery-chain.mdx +++ /dev/null @@ -1,248 +0,0 @@ ---- -layout: docs -page_title: Service Mesh Traffic Management - Discovery Chain -description: >- - The discovery chain compiles service router, splitter, and resolver configuration entries to direct traffic to specific instances in a service mesh. Learn about compiled discovery chain results, including discovery graph nodes and targets. ---- - -# Discovery Chain for Service Mesh Traffic Management - --> **1.6.0+:** This feature is available in Consul versions 1.6.0 and newer. - -~> This topic is part of a [low-level API](/consul/api-docs/discovery-chain) -primarily targeted at developers building external [Consul service mesh proxy -integrations](/consul/docs/connect/proxies/integrate). - -The service discovery process can be modeled as a "discovery chain" which -passes through three distinct stages: routing, splitting, and resolution. Each -of these stages is controlled by a set of [configuration -entries](/consul/docs/agent/config-entries). By configuring different phases of -the discovery chain a user can control how proxy upstreams are ultimately -resolved to specific instances for load balancing. - --> **Note:** The discovery chain is currently only used to discover -[service mesh](/consul/docs/connect) proxy upstreams. - -## Configuration - -The configuration entries used in the discovery chain are designed to be simple -to read and modify for narrowly tailored changes, but at discovery-time the -various configuration entries interact in more complex ways. For example: - -- If a [`service-resolver`](/consul/docs/connect/config-entries/service-resolver) - is created with a [service - redirect](/consul/docs/connect/config-entries/service-resolver#service) defined, - then all references made to the original service in any other configuration - entry is replaced with the redirect destination. - -- If a [`service-resolver`](/consul/docs/connect/config-entries/service-resolver) - is created with a [default - subset](/consul/docs/connect/config-entries/service-resolver#defaultsubset) - defined then all references made to the original service in any other - configuration entry that did not specify a subset will be replaced with the - default. - -- If a [`service-splitter`](/consul/docs/connect/config-entries/service-splitter) - is created with a [service - split](/consul/docs/connect/config-entries/service-splitter#splits), and the target service has its - own `service-splitter` then the overall effect is flattened and only a single - aggregate traffic split is ultimately configured in the proxy. - -- [`service-resolver`](/consul/docs/connect/config-entries/service-resolver) - redirect loops must be rejected as invalid. - -- [`service-router`](/consul/docs/connect/config-entries/service-router) and - [`service-splitter`](/consul/docs/connect/config-entries/service-splitter) - configuration entries require an L7 compatible protocol be set for the - service via either a - [`service-defaults`](/consul/docs/connect/config-entries/service-defaults) or - [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults) config - entry. Violations must be rejected as invalid. - -- When an [upstream - configuration](/consul/docs/connect/proxies/proxy-config-reference#upstream-configuration-reference) - `datacenter` parameter is defined, any configuration entry that does not explicitly - refer to a desired datacenter uses the value defined in the upstream. - -## Compilation - -To correctly interpret a collection of configuration entries as a valid -discovery chain, we first compile them into a form more directly usable by the -layers responsible for configuring service mesh sidecar proxies. - -You can interact with the compiler directly using the [discovery-chain -API](/consul/api-docs/discovery-chain). - -### Compilation Parameters - -- **Service Name** - The service being discovered by name. -- **Datacenter** - The datacenter to use as the basis of compilation. -- **Overrides** - Discovery-time tweaks to apply when compiling. These should - be derived from either the - [proxy](/consul/docs/connect/proxies/proxy-config-reference#complete-configuration-example) - or - [upstream](/consul/docs/connect/proxies/proxy-config-reference#upstream-configuration-reference) - configurations if either are set. - -### Compilation Results - -The response is a single wrapped `CompiledDiscoveryChain` field: - -```json -{ - "Chain": {......} -} -``` - -#### `CompiledDiscoveryChain` - -The chain encodes a digraph of [nodes](#discoverygraphnode) and -[targets](#discoverytarget). Nodes are the compiled representation of various -discovery chain stages and targets are instructions on how to use the [health -API](/consul/api-docs/health#list-nodes-for-mesh-capable-service) to retrieve -relevant service instance lists. - -You should traverse the nodes starting with [`StartNode`](#startnode). The -nodes can be resolved by name using the [`Nodes`](#nodes) field. Targets can be -resolved by name using the [`Targets`](#targets) field. - -- `ServiceName` `(string)` - The requested service. -- `Partition` `(string)` - The requested partition. -- `Namespace` `(string)` - The requested namespace. -- `Datacenter` `(string)` - The requested datacenter. - -- `CustomizationHash` `(string: )` - A unique hash of any overrides - that affected the compilation of the discovery chain. - - If set, this value should be used to prefix/suffix any generated load - balancer data plane objects to avoid sharing customized and non-customized - versions. - -- `Default` `(bool: )` - Indicates if this discovery chain is based on no - `service-resolver`, `service-splitter`, or `service-router` config entries. - -- `Protocol` `(string)` - The overall protocol shared by everything in the - chain. - -- `ServiceMeta` `(map)` - The metadata from the underlying `service-defaults` config - entry for the service named `ServiceName`. - -- `StartNode` `(string)` - The first key into the `Nodes` map that should be - followed when traversing the discovery chain. - -- `Nodes` `(map)` - All nodes available for traversal in - the chain keyed by a unique name. You can walk this by starting with - `StartNode`. - - -> The names should be treated as opaque values and are only guaranteed to be - consistent within a single compilation. - -- `Targets` `(map)` - A list of all targets used in this chain. - - -> The names should be treated as opaque values and are only guaranteed to be - consistent within a single compilation. - -#### `DiscoveryGraphNode` - -A single node in the compiled discovery chain. - -- `Type` `(string)` - The type of the node. Valid values are: `router`, - `splitter`, and `resolver`. - -- `Name` `(string)` - The unique name of the node. - -- `Routes` `(array)` - Only set for `Type:router`. List of routes to - render. - - - `Definition` `(ServiceRoute)` - Relevant portion of underlying - `service-router` - [route](/consul/docs/connect/config-entries/service-router#routes). - - - `NextNode` `(string)` - The name of the next node in the chain in [`Nodes`](#nodes). - -- `Splits` `(array)` - Only set for `Type:splitter`. List of traffic - splits. - - - `Weight` `(float32)` - Copy of underlying `service-splitter` - [`weight`](/consul/docs/connect/config-entries/service-splitter#weight) field. - - - `NextNode` `(string)` - The name of the next node in the chain in [`Nodes`](#nodes). - -- `Resolver` `(DiscoveryResolver: )` - Only set for `Type:resolver`. How - to resolve the service instances. - - - `Default` `(bool)` - Set to true if no `service-resolver` config entry is - defined for this node and the default was synthesized. - - - `ConnectTimeout` `(duration)` - Copy of the underlying `service-resolver` - [`ConnectTimeout`](/consul/docs/connect/config-entries/service-resolver#connecttimeout) - field. If one is not defined the default of `5s` is returned. - - - `Target` `(string)` - The name of the target to use found in [`Targets`](#targets). - - - `Failover` `(DiscoveryFailover: )` - Compiled form of the - underlying `service-resolver` - [`Failover`](/consul/docs/connect/config-entries/service-resolver#failover) - definition to use for this request. - - - `Targets` `(array)` - List of targets found in - [`Targets`](#targets) to failover to in order of preference. - - - `LoadBalancer` `(LoadBalancer: `) - Copy of the underlying `service-resolver` - [`LoadBalancer`](/consul/docs/connect/config-entries/service-resolver#loadbalancer) field. - - If a `service-splitter` splits between services with differing `LoadBalancer` configuration - the first hash-based load balancing policy is copied. - -#### `DiscoveryTarget` - -- `ID` `(string)` - The unique name of this target. - -- `Service` `(string)` - The service to query when resolving a list of service instances. - -- `ServiceSubset` `(string: )` - The - [subset](/consul/docs/connect/config-entries/service-resolver#service-subsets) of - the service to resolve. - -- `Partition` `(string)` - The partition to use when resolving a list of service instances. - -- `Namespace` `(string)` - The namespace to use when resolving a list of service instances. - -- `Datacenter` `(string)` - The datacenter to use when resolving a list of service instances. - -- `Subset` `(ServiceResolverSubset)` - Copy of the underlying - `service-resolver` - [`Subsets`](/consul/docs/connect/config-entries/service-resolver#subsets) - definition for this target. - - - `Filter` `(string: "")` - The - [filter expression](/consul/api-docs/features/filtering) to be used for selecting - instances of the requested service. If empty all healthy instances are - returned. - - - `OnlyPassing` `(bool: false)` - Specifies the behavior of the resolver's - health check interpretation. If this is set to false, instances with checks - in the passing as well as the warning states will be considered healthy. If - this is set to true, only instances with checks in the passing state will - be considered healthy. - -- `MeshGateway` `(MeshGatewayConfig)` - The [mesh gateway - configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) - to use when connecting to this target's service instances. - - - `Mode` `(string: "")` - One of `none`, `local`, or `remote`. - -- `External` `(bool: false)` - True if this target is outside of this consul cluster. - -- `ConnectTimeout` `(duration)` - Copy of the underlying `service-resolver` - [`ConnectTimeout`](/consul/docs/connect/config-entries/service-resolver#connecttimeout) - field. If one is not defined the default of `5s` is returned. - -- `SNI` `(string)` - This value should be used as the - [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) value when - connecting to this set of endpoints over TLS. - -- `Name` `(string)` - The unique name for this target for use when generating - load balancer objects. This has a structure similar to [SNI](#sni), but will - not be affected by SNI customizations such as - [`ExternalSNI`](/consul/docs/connect/config-entries/service-defaults#externalsni). diff --git a/website/content/docs/connect/manage-traffic/fault-injection.mdx b/website/content/docs/connect/manage-traffic/fault-injection.mdx deleted file mode 100644 index 2b81328466d..00000000000 --- a/website/content/docs/connect/manage-traffic/fault-injection.mdx +++ /dev/null @@ -1,204 +0,0 @@ ---- -layout: docs -page_title: Fault injection -description: Learn how to use fault injection in a Consul service mesh to inject artificial latency, response codes, or bandwidth limits for application testing. ---- - -# Fault Injection - -This topic describes the process to inject different types of faults into the services in Consul's service mesh to help you test your network's resilience. - - This feature is available in Consul Enterprise. - -## Introduction - -Consul allows you to configure fault injection filters to alter the responses from an upstream service. By injecting HTTP and gRPC statuses, bandwidth limits, or delays, users can test the resilience of their system to different unexpected issues. - -Consul applies fault injection filters to an upstream service as part of its service defaults. For example, to simulate that an upstream returned a 500 HTTP status code 50 percent of the time, add an `Abort` configuration to the Envoy extensions block in the service default configuration for the upstream service. - -The fault injection filters may be used individually, or in a combination of the three types by adding multiple blocks to the `Arguments.Config` section of the configuration. - -## Requirements - -Consul Enterprise v1.18.0 or later - -## Inject delays - -Specify the fault injection behavior in the [service defaults configuration entry](/consul/docs/connect/config-entries/service-defaults). - - - - -To inject a delay fault when Consul runs on virtual machines, configure the following parameters: - -1. `Arguments.Config.Delay.Duration`: The delay in milliseconds to use when injecting a delay type fault. -1. `Arguments.Config.Delay.Percentage`: The percentage of responses to inject the delay behavior into. - -The following example configures the default behavior for a service named `billing`. This configuration injects a 100 ms delay into 50 percent of responses from the billing service. - -```hcl -Kind = "service-defaults" -Name = "billing" -EnvoyExtensions = [ -{ - Name = "builtin/fault-injection" - Arguments = { - Config = { - Delay = { - Duration = 100 - Percentage = 50 - } - } - } -} -] -``` - - - - -To inject a delay fault when Consul runs on Kubernetes, configure the following parameters: - -1. `spec.arguments.config.delay.duration`: The delay in milliseconds to use when injecting a delay type fault. -1. `spec.arguments.config.delay.percentage`: The percentage of responses to inject the delay behavior into. - -The following example configures the default behavior for a service named `billing`. This configuration injects a 100 ms delay into 50 percent of responses from the billing service. - -```yaml -kind: ServiceDefaults -metadata: - name: billing -spec: - envoyExtensions: - - name: "builtin/fault-injection" - arguments: - config: - delay: - duration: 100 - percentage: 50 -``` - - - - - -Refer to the [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for additional specifications and example configurations. - -## Inject statuses - - - -To inject a status code when aborting a response, configure the following parameters: - -1. `Arguments.Config.Abort.HttpStatus`: The HTTP status code to inject into responses when injecting an abort type fault. You may specify either a HTTP status or a gRPC status but not both. -1. `Arguments.Config.Abort.GrpcStatus`: The gRPC status to inject into responses when injecting an abort type fault. You may specify either a HTTP status or a gRPC status but not both. -1. `Arguments.Config.Abort.Percentage`: The percentage of responses to inject the abort behavior into. - -The following example configures the default behavior for a service named `billing`. This configuration injects an HTTP status code of 503 into 5 percent of responses from the billing service. - -```hcl -Kind = "service-defaults" -Name = "billing" -EnvoyExtensions = [ -{ - Name = "builtin/fault-injection" - Arguments = { - Config = { - Abort = { - HttpStatus = 503 - Percentage = 5 - } - } - } -} -] -``` - - - - -To inject a status code when aborting a response, configure the following parameters: - -1. `spec.arguments.config.abort.httpStatus`: The HTTP status code to inject into responses when injecting an abort type fault. You may specify either a HTTP status or a gRPC status but not both. -1. `spec.arguments.config.abort.grpcStatus`: The gRPC status to inject into responses when injecting an abort type fault. You may specify either a HTTP status or a gRPC status but not both. -1. `spec.arguments.config.abort.percentage`: The percentage of responses to inject the abort behavior into. - -The following example configures the default behavior for a service named `billing`. This configuration injects an HTTP status code of 503 into 5 percent of responses from the billing service. - -```yaml -kind: ServiceDefaults -metadata: - name: billing -spec: - envoyExtensions: - - name: "builtin/fault-injection" - arguments: - config: - abort: - httpStatus: 503 - percentage: 5 -``` - - - - -Refer to the [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for additional specifications and example configurations. - -## Inject bandwidth limit - - - - -To inject a rate limit into a response, configure the following parameters: - -1. `Arguments.Config.Bandwidth.Limit`: The amount of data allowed through the filter when applied. This value is specified in KiB/s. When the limit is exceeded, requests, operations, or connections will be subjected to rate limiting. -1. `Arguments.Config.Bandwidth.Percentage`: The percent of responses to inject the bandwidth limit behavior into. - -The following example configures the default behavior for a service named `billing`. This configuration limits the bandwidth of outgoing requests to 100 KiB/s for 50 percent of responses from the billing service. - -```hcl -Kind = "service-defaults" -Name = "billing" -EnvoyExtensions = [ -{ - Name = "builtin/fault-injection" - Arguments = { - Config = { - Bandwidth = { - Limit = 100 - Percentage = 50 - } - } - } -} -] -``` - - - - -To inject a rate limit into a response, configure the following parameters: - -1. `spec.arguments.config.bandwidth.limit`: The amount of data allowed through the filter when applied. This value is specified in KiB/s. When the limit is exceeded, requests, operations, or connections will be subjected to rate limiting. -1. `spec.arguments.config.bandwidth.percentage`: The percent of responses to inject the bandwidth limit behavior into. - -The following example configures the default behavior for a service named `billing`. This configuration limits the bandwidth of outgoing requests to 100 KiB/s for 50 percent of responses from the billing service. - -```yaml -kind: ServiceDefaults -metadata: - name: billing -spec: - envoyExtensions: - - name: "builtin/fault-injection" - arguments: - config: - bandwidth: - limit: 100 - percentage: 50 -``` - - - - -Refer to the [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for additional specifications and example configurations. diff --git a/website/content/docs/connect/native/go.mdx b/website/content/docs/connect/native/go.mdx deleted file mode 100644 index e3068058fd1..00000000000 --- a/website/content/docs/connect/native/go.mdx +++ /dev/null @@ -1,253 +0,0 @@ ---- -layout: docs -page_title: Service Mesh Native App Integration - Go Apps -description: >- - Consul's service mesh supports native integrations of Go applications into the service mesh through a Go library. Example code demonstrates how to connect your Go applications to the service mesh. ---- - -# Service Mesh Native Integration for Go Applications - - - -The Connect Native golang SDK is currently deprecated and will be removed in a future Consul release. -The SDK will be removed when the long term replacement to native application integration (such as a proxyless gRPC service mesh integration) is delivered. Refer to [GH-10339](https://github.com/hashicorp/consul/issues/10339) for additional information and to track progress toward one potential solution that is tracked as replacement functionality. - - - -We provide a library that makes it drop-in simple to integrate Consul service mesh -with most [Go](https://golang.org/) applications. This page shows examples -of integrating this library for accepting or establishing mesh-based -connections. For most Go applications, Consul service mesh can be natively integrated -in just a single line of code excluding imports and struct initialization. - -In addition to this, please read and understand the -[overview of service mesh native integrations](/consul/docs/connect/native). -In particular, after natively integrating applications with Consul service mesh, -they must declare that they accept mesh-based connections via their service definitions. - -The noun _connect_ is used throughout this documentation and the Go API -to refer to the connect subsystem that provides Consul's service mesh capabilities. - -## Accepting Connections - --> **Note:** When calling `ConnectAuthorize()` on incoming connections this library -will return _deny_ if `Permissions` are defined on the matching intention. -The method is currently only suited for networking layer 4 (e.g. TCP) integration. - -Any server that supports TLS (HTTP, gRPC, net/rpc, etc.) can begin -accepting mesh-based connections in just a few lines of code. For most -existing applications, converting the server to accept mesh-based -connections will require only a one-line change excluding imports and -structure initialization. - -The -Go library exposes a `*tls.Config` that _automatically_ communicates with -Consul to load certificates and authorize inbound connections during the -TLS handshake. This also automatically starts goroutines to update any -changing certs. - -Example, followed by more details: - -```go -import( - "net/http" - - "github.com/hashicorp/consul/api" - "github.com/hashicorp/consul/connect" -) - -func main() { - // Create a Consul API client - client, _ := api.NewClient(api.DefaultConfig()) - - // Create an instance representing this service. "my-service" is the - // name of _this_ service. The service should be cleaned up via Close. - svc, _ := connect.NewService("my-service", client) - defer svc.Close() - - // Creating an HTTP server that serves via service mesh - server := &http.Server{ - Addr: ":8080", - TLSConfig: svc.ServerTLSConfig(), - // ... other standard fields - } - - // Serve! - server.ListenAndServeTLS("", "") -} -``` - -The first step is to create a Consul API client. This is almost always the -default configuration with an ACL token set, since you want to communicate -to the local agent. The default configuration will also read the ACL token -from environment variables if set. The Go library will use this client to request certificates, -authorize connections, and more. - -Next, `connect.NewService` is called to create a service structure representing -the _currently running service_. This structure maintains all the state -for accepting and establishing connections. An application should generally -create one service and reuse that one service for all servers and clients. - -Finally, a standard `*http.Server` is created. The magic line is the `TLSConfig` -value. This is set to a TLS configuration returned by the service structure. -This TLS configuration is configured to automatically load certificates -in the background, cache them, and authorize inbound connections. The service -structure automatically handles maintaining blocking queries to update certificates -in the background if they change. - -Since the service returns a standard `*tls.Config`, _any_ server that supports -TLS can be configured. This includes gRPC, net/rpc, basic TCP, and more. -Another example is shown below with just a plain TLS listener: - -```go -import( - "crypto/tls" - - "github.com/hashicorp/consul/api" - "github.com/hashicorp/consul/connect" -) - -func main() { - // Create a Consul API client - client, _ := api.NewClient(api.DefaultConfig()) - - // Create an instance representing this service. "my-service" is the - // name of _this_ service. The service should be cleaned up via Close. - svc, _ := connect.NewService("my-service", client) - defer svc.Close() - - // Creating an HTTP server that serves via service mesh - listener, _ := tls.Listen("tcp", ":8080", svc.ServerTLSConfig()) - defer listener.Close() - - // Accept - go acceptLoop(listener) -} -``` - -## HTTP Clients - -For Go applications that need to connect to HTTP-based upstream dependencies, -the Go library can construct an `*http.Client` that automatically establishes -mesh-based connections as long as Consul-based service discovery is used. - -Example, followed by more details: - -```go -import( - "github.com/hashicorp/consul/api" - "github.com/hashicorp/consul/connect" -) - -func main() { - // Create a Consul API client - client, _ := api.NewClient(api.DefaultConfig()) - - // Create an instance representing this service. "my-service" is the - // name of _this_ service. The service should be cleaned up via Close. - svc, _ := connect.NewService("my-service", client) - defer svc.Close() - - // Get an HTTP client - httpClient := svc.HTTPClient() - - // Perform a request, then use the standard response - resp, _ := httpClient.Get("https://userinfo.service.consul/user/mitchellh") -} -``` - -The first step is to create a Consul API client and service. These are the -same steps as accepting connections and are explained in detail in the -section above. If your application is both a client and server, both the -API client and service structure can be shared and reused. - -Next, we call `svc.HTTPClient()` to return a specially configured -`*http.Client`. This client will automatically established mesh-based -connections using Consul service discovery. - -Finally, we perform an HTTP `GET` request to a hypothetical userinfo service. -The HTTP client configuration automatically sends the correct client -certificate, verifies the server certificate, and manages background -goroutines for updating our certificates as necessary. - -If the application already uses a manually constructed `*http.Client`, -the `svc.HTTPDialTLS` function can be used to configure the -`http.Transport.DialTLS` field to achieve equivalent behavior. - -### Hostname Requirements - -The hostname used in the request URL is used to identify the logical service -discovery mechanism for the target. **It's not actually resolved via DNS** but -used as a logical identifier for a Consul service discovery mechanism. It has -the following specific limitations: - -- The scheme must be `https://`. -- It must be a Consul DNS name in one of the following forms: - - `.service[.].consul` to discover a healthy service - instance for a given service. - - `.query[.].consul` to discover an instance via - [Prepared Query](/consul/api-docs/query). -- The top-level domain _must_ be `.consul` even if your cluster has a custom - `domain` configured for its DNS interface. This might be relaxed in the - future. -- Tag filters for services are not currently supported (i.e. - `tag1.web.service.consul`) however the same behavior can be achieved using a - prepared query. -- External DNS names, raw IP addresses and so on will cause an error and should - be fetched using a separate `HTTPClient`. - -## Raw TLS Connection - -For a raw `net.Conn` TLS connection, the `svc.Dial` function can be used. -This will establish a connection to the desired service via the service mesh and -return the `net.Conn`. This connection can then be used as desired. - -Example: - -```go -import ( - "context" - - "github.com/hashicorp/consul/api" - "github.com/hashicorp/consul/connect" -) - -func main() { - // Create a Consul API client - client, _ := api.NewClient(api.DefaultConfig()) - - // Create an instance representing this service. "my-service" is the - // name of _this_ service. The service should be cleaned up via Close. - svc, _ := connect.NewService("my-service", client) - defer svc.Close() - - // Connect to the "userinfo" Consul service. - conn, _ := svc.Dial(context.Background(), &connect.ConsulResolver{ - Client: client, - Name: "userinfo", - }) -} -``` - -This uses a familiar `Dial`-like function to establish raw `net.Conn` values. -The second parameter to dial is an implementation of the `connect.Resolver` -interface. The example above uses the `*connect.ConsulResolver` implementation -to perform Consul-based service discovery. This also automatically determines -the correct certificate metadata we expect the remote service to serve. - -## Static Addresses, Custom Resolvers - -In the raw TLS connection example, you see the use of a `connect.Resolver` -implementation. This interface can be implemented to perform address -resolution. This must return the address and also the URI SAN expected -in the TLS certificate served by the remote service. - -The Go library provides two built-in resolvers: - -- `*connect.StaticResolver` can be used for static addresses where no - service discovery is required. The expected cert URI SAN must be - manually specified. - -- `*connect.ConsulResolver` which resolves services and prepared queries - via the Consul API. This also automatically determines the expected - cert URI SAN. diff --git a/website/content/docs/connect/native/index.mdx b/website/content/docs/connect/native/index.mdx deleted file mode 100644 index 3cf64f346c2..00000000000 --- a/website/content/docs/connect/native/index.mdx +++ /dev/null @@ -1,165 +0,0 @@ ---- -layout: docs -page_title: Service Mesh Native App Integration - Overview -description: >- - When using sidecar proxies is not possible, applications can natively integrate with Consul service mesh, but have reduced access to service mesh features. Learn how "mesh-native" or "connect-native" apps use mTLS to authenticate with Consul and how to add integrations to service registrations. ---- - -# Service Mesh Native App Integration Overview - - - -The Connect Native Golang SDK and `v1/agent/connect/authorize`, `v1/agent/connect/ca/leaf`, -and `v1/agent/connect/ca/roots` APIs are deprecated and will be removed in a future release. Although Connect Native -will still operate as designed, we do not recommend leveraging this feature because it is deprecated and will be removed -removed when the long term replacement to native application integration (such as a proxyless gRPC service mesh integration) is delivered. Refer to [GH-10339](https://github.com/hashicorp/consul/issues/10339) for additional information and to track progress toward one potential solution that is tracked as replacement functionality. - -The Native App Integration does not support many of the Consul's service mesh features, and is not under active development. -The [Envoy proxy](/consul/docs/connect/proxies/envoy) should be used for most production environments. - - - -Applications can natively integrate with Consul's service mesh API to support accepting -and establishing connections to other mesh services without the overhead of a -[proxy sidecar](/consul/docs/connect/proxies). This option is especially useful -for applications that may be experiencing performance issues with the proxy -sidecar deployment. This page will cover the high-level overview of -integration, registering the service, etc. For language-specific examples, see -the sidebar navigation to the left. It is also required if your service uses -relies on a dynamic set of upstream services. - -Service mesh traffic is just basic mutual TLS. This means that almost any application -can easily integrate with Consul service mesh. There is no custom protocol in use; -any language that supports TLS can accept and establish mesh-based -connections. - -We currently provide an easy-to-use [Go integration](/consul/docs/connect/native/go) -to assist with the getting the proper certificates, verifying connections, -etc. We plan to add helper libraries for other languages in the future. -However, without library support, it is still possible for any major language -to integrate with Consul service mesh. - -The noun _connect_ is used throughout this documentation to refer to the connect -subsystem that provides Consul's service mesh capabilities. - -## Overview - -The primary work involved in natively integrating with service mesh is -[acquiring the proper TLS certificate](/consul/api-docs/agent/connect#service-leaf-certificate), -[verifying TLS certificates](/consul/api-docs/agent/connect#certificate-authority-ca-roots), -and [authorizing inbound connections or requests](/consul/api-docs/connect/intentions#list-matching-intentions). - -All of this is done using the Consul HTTP APIs linked above. - -An overview of the sequence is shown below. The diagram and the following -details may seem complex, but this is a _regular mutual TLS connection_ with -an API call to verify the incoming client certificate. - -![Native Integration Overview](/img/connect-native-overview.png) - --> **Note:** This diagram depicts the simpler networking layer 4 (e.g. TCP) [integration -mechanism](/consul/api-docs/agent/connect#authorize). - -Details on the steps are below: - -- **Service discovery** - This is normal service discovery using Consul, - a static IP, or any other mechanism. If you're using Consul DNS, the - [`.connect`](/consul/docs/services/discovery/dns-static-lookups#service-mesh-enabled-service-lookups) - syntax to find mesh-capable endpoints for a service. After service - discovery, choose one address from the list of **service addresses**. - -- **Mutual TLS** - As a client, connect to the discovered service address - over normal TLS. As part of the TLS connection, provide the - [service certificate](/consul/api-docs/agent/connect#service-leaf-certificate) - as the client certificate. Verify the remote certificate against the - [public CA roots](/consul/api-docs/agent/connect#certificate-authority-ca-roots). - As a client, if the connection is established then you've established - a mesh-based connection and there are no further steps! - -- **Authorization** - As a server accepting connections, verify the client - certificate against the [public CA - roots](/consul/api-docs/agent/connect#certificate-authority-ca-roots). After verifying - the certificate, parse some basic fields from it and use those to determine - if the connection should be allowed. How this is done is dependent on - the level of integration desired: - - - **Simple integration (TCP-only)** - Call the [authorizing - API](/consul/api-docs/agent/connect#authorize) against the local agent. If this returns - successfully, complete the TLS handshake and establish the connection. If - authorization fails, close the connection. - - -> **NOTE:** This API call is expected to be called in the connection path, - so if the local Consul agent is down or unresponsive it will effect the - success rate of new connections. The agent uses locally cached data to - authorize the connection and typically responds in microseconds. Therefore, - the impact to the TLS handshake is typically microseconds. - - - **Complete integration** - Like how the calls to acquire the leaf - certificate and CA roots are expected to be done out of band and reused, so - should the [intention match - API](/consul/api-docs/connect/intentions#list-matching-intentions). With all of the - relevant intentions cached for the destination, all enforcement operations - can be done entirely by the service without calling any Consul APIs in the - connection or request path. If the service is networking layer 7 (e.g. - HTTP) aware it can safely enforce intentions per _request_ instead of the - coarser per _connection_ model. - -## Update certificates and certificate roots - -The leaf certificate and CA roots can be updated at any time and the -natively integrated application must react to this relatively quickly -so that new connections are not disrupted. This can be done through -Consul blocking queries (HTTP long polling) or through periodic polling. - -The API calls for -[acquiring a service mesh TLS certificate](/consul/api-docs/agent/connect#service-leaf-certificate) -and [reading service mesh CA roots](/consul/api-docs/agent/connect#certificate-authority-ca-roots) -both support -[blocking queries](/consul/api-docs/features/blocking). By using blocking -queries, an application can efficiently wait for an updated value. For example, -the leaf certificate API will block until the certificate is near expiration -or the signing certificates have changed and will issue and return a new -certificate. - -In some languages, using blocking queries may not be simple. In that case, -we still recommend using the blocking query parameters but with a very short -`timeout` value set. Doing this is documented with -[blocking queries](/consul/api-docs/features/blocking). The low timeout will -ensure the API responds quickly. We recommend that applications poll the -certificate endpoints frequently, such as multiple times per minute. - -The overhead for the blocking queries (long or periodic polling) is minimal. -The API calls are to the local agent and the local agent uses locally -cached data multiplexed over a single TCP connection to the Consul leader. -Even if a single machine has 1,000 mesh-enabled services all blocking -on certificate updates, this translates to only one TCP connection to the -Consul server. - -Some language libraries such as the -[Go library](/consul/docs/connect/native/go) automatically handle updating -and locally caching the certificates. - -## Service registration - -Mesh-native applications must tell Consul that they support service mesh -natively. This enables the service to be returned as part of service -discovery for service mesh-capable services used by other mesh-native applications -and client [proxies](/consul/docs/connect/proxies). - -You can enable native service mesh support directly in the [service definition](/consul/docs/services/configuration/services-configuration-reference#connect) by configuring the `connect` block. In the following example, the `redis` service is configured to support service mesh natively: - -```json -{ - "service": { - "name": "redis", - "port": 8000, - "connect": { - "native": true - } - } -} -``` - -Services that support service mesh natively are still returned through the standard -service discovery mechanisms in addition to the mesh-only service discovery -mechanisms. diff --git a/website/content/docs/connect/nomad.mdx b/website/content/docs/connect/nomad.mdx index c65f07bc916..222bf95a993 100644 --- a/website/content/docs/connect/nomad.mdx +++ b/website/content/docs/connect/nomad.mdx @@ -1,29 +1,10 @@ --- layout: docs -page_title: Service Mesh - Nomad Integration +page_title: Connect Nomad services with Consul description: >- - Consul's service mesh can be applied to provide secure communication between services managed by Nomad's scheduler and orchestrator functions, including Nomad jobs and task groups. Use the guide and reference documentation to learn more. + Consul documentation provides reference material for all features and options available in Consul. --- -# Consul and Nomad Integration +# Connect Nomad services with Consul -Consul service mesh can be used with [Nomad](https://www.nomadproject.io/) to provide -secure service-to-service communication between Nomad jobs and task groups. -Nomad is a simple, flexible scheduler and workload orchestrator. The ability to -use the [dynamic port](/nomad/docs/job-specification/network#dynamic-ports) -feature of Nomad with Consul service mesh reduces operational complexity. - -For more information -about using Consul service mesh with Nomad, select one of the following resources. - -For a step-by-step guide on using Consul service mesh with Nomad: - -- [Nomad with Consul service mesh Guide](/nomad/docs/integrations/consul-connect) - -For reference information about configuring Nomad jobs to use Consul service mesh: - -- [Nomad Job Specification - `connect`](/nomad/docs/job-specification/connect) -- [Nomad Job Specification - `sidecar_service`](/nomad/docs/job-specification/sidecar_service) -- [Nomad Job Specification - `sidecar_task`](/nomad/docs/job-specification/sidecar_task) -- [Nomad Job Specification - `proxy`](/nomad/docs/job-specification/proxy) -- [Nomad Job Specification - `upstreams`](/nomad/docs/job-specification/upstreams) +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. diff --git a/website/content/docs/connect/observability/grafanadashboards/consuldataplanedashboard.mdx b/website/content/docs/connect/observability/grafanadashboards/consuldataplanedashboard.mdx deleted file mode 100644 index 24436828aa7..00000000000 --- a/website/content/docs/connect/observability/grafanadashboards/consuldataplanedashboard.mdx +++ /dev/null @@ -1,133 +0,0 @@ ---- -layout: docs -page_title: Dashboard for Consul dataplane metrics -description: >- - This Grafana dashboard provides Consul dataplane metrics on Kubernetes deployments. Learn about the Grafana queries that produce the metrics and visualizations in this dashboard. ---- - -# Consul dataplane monitoring dashboard - -This page provides reference information about the [Grafana dashboard configuration included in the `hashicorp/consul` GitHub repository](https://github.com/hashicorp/consul/blob/main/grafana/consuldataplanedashboard.json). The Consul dataplane dashboard provides a comprehensive view of the service health, performance, and resource utilization within the Consul service mesh. You can monitor key metrics at both the cluster and service levels with this dashboard. It can help you ensure service reliability and performance. - -![Preview of the Consul dataplane dashboard](/public/img/grafana/consul-dataplane-dashboard.png) - -This image provides an example of the dashboard's visual layout and contents. - -## Grafana queries overview - -The Consul dataplane dashboard provides the following information about service mesh operations. - -### Live service count - -**Description:** Displays the total number of live Envoy proxies currently running in the service mesh. It helps track the overall availability of services and identify any outages or other widespread issues in the service mesh. - -```promql -sum(envoy_server_live{app=~"$service"}) -``` - -### Total request success rate - -**Description:** Tracks the percentage of successful requests across the service mesh. It excludes 4xx and 5xx response codes to focus on operational success. Use it to monitor the overall reliability of your services. - -```promql -sum(irate(envoy_cluster_upstream_rq_xx{envoy_response_code_class!~"5|4",consul_destination_service=~"$service"}[10m])) / sum(irate(envoy_cluster_upstream_rq_xx{consul_destination_service=~"$service"}[10m])) -``` - -### Total failed requests - -**Description:** This pie chart shows the total number of failed requests within the service mesh, categorized by service. It provides a visual breakdown of where failures are occurring, allowing operators to focus on problematic services. - -```promql -sum(increase(envoy_cluster_upstream_rq_xx{envoy_response_code_class=~"4|5", consul_destination_service=~"$service"}[10m])) by (local_cluster) -``` - -### Requests per second - -**Description:** This metric shows the rate of incoming HTTP requests per second to the selected services. It helps operators understand the current load on services and how much traffic they are processing. - -```promql -sum(rate(envoy_http_downstream_rq_total{service=~"$service",envoy_http_conn_manager_prefix="public_listener"}[5m])) by (service) -``` - -### Unhealthy clusters - -**Description:** This metric tracks the number of unhealthy clusters in the mesh, helping operators identify services that are experiencing issues and need attention to ensure operational health. - -```promql -(sum(envoy_cluster_membership_healthy{app=~"$service",envoy_cluster_name=~"$cluster"}) - sum(envoy_cluster_membership_total{app=~"$service",envoy_cluster_name=~"$cluster"})) -``` - -### Heap size - -**Description:** This metric displays the total memory heap size of the Envoy proxies. Monitoring heap size is essential to detect memory issues and ensure that services are operating efficiently. - -```promql -SUM(envoy_server_memory_heap_size{app=~"$service"}) -``` - -### Allocated memory - -**Description:** This metric shows the amount of memory allocated by the Envoy proxies. It helps operators monitor the resource usage of services to prevent memory overuse and optimize performance. - -```promql -SUM(envoy_server_memory_allocated{app=~"$service"}) -``` - -### Avg uptime per node - -**Description:** This metric calculates the average uptime of Envoy proxies across all nodes. It helps operators monitor the stability of services and detect potential issues with service restarts or crashes. - -```promql -avg(envoy_server_uptime{app=~"$service"}) -``` - -### Cluster state - -**Description:** This metric indicates whether all clusters are healthy. It provides a quick overview of the cluster state to ensure that there are no issues affecting service performance. - -```promql -(sum(envoy_cluster_membership_total{app=~"$service",envoy_cluster_name=~"$cluster"})-sum(envoy_cluster_membership_healthy{app=~"$service",envoy_cluster_name=~"$cluster"})) == bool 0 -``` - -### CPU throttled seconds by namespace - -**Description:** This metric tracks the number of seconds during which CPU usage was throttled. Monitoring CPU throttling helps operators identify when services are exceeding their allocated CPU limits and may need optimization. - -```promql -rate(container_cpu_cfs_throttled_seconds_total{namespace=~"$namespace"}[5m]) -``` - -### Memory usage by pod limits - -**Description:** This metric shows memory usage as a percentage of the memory limit set for each pod. It helps operators ensure that services are staying within their allocated memory limits to avoid performance degradation. - -```promql -100 * max (container_memory_working_set_bytes{namespace=~"$namespace"} / on(container, pod) label_replace(kube_pod_container_resource_limits{resource="memory"}, "pod", "$1", "exported_pod", "(.+)")) by (pod) -``` - -### CPU usage by pod limits - -**Description:** This metric displays CPU usage as a percentage of the CPU limit set for each pod. Monitoring CPU usage helps operators optimize service performance and prevent CPU exhaustion. - -```promql -100 * max( - container_memory_working_set_bytes{namespace=~"$namespace"} / - on(container, pod) label_replace(kube_pod_container_resource_limits{resource="memory"}, "pod", "$1", "exported_pod", "(.+)") -) by (pod) -``` - -### Total active upstream connections - -**Description:** This metric tracks the total number of active upstream connections to other services in the mesh. It provides insight into service dependencies and network load. - -```promql -sum(envoy_cluster_upstream_cx_active{app=~"$service",envoy_cluster_name=~"$cluster"}) by (app, envoy_cluster_name) -``` - -### Total active downstream connections - -**Description:** This metric tracks the total number of active downstream connections from services to clients. It helps operators monitor service load and ensure that services are able to handle the traffic effectively. - -```promql -sum(envoy_http_downstream_cx_active{app=~"$service"}) -``` diff --git a/website/content/docs/connect/observability/grafanadashboards/consulk8sdashboard.mdx b/website/content/docs/connect/observability/grafanadashboards/consulk8sdashboard.mdx deleted file mode 100644 index 5dc35e40d47..00000000000 --- a/website/content/docs/connect/observability/grafanadashboards/consulk8sdashboard.mdx +++ /dev/null @@ -1,128 +0,0 @@ ---- -layout: docs -page_title: Dashboard for Consul k8s control plane metrics -description: >- - This documentation provides an overview of the Consul on Kubernetes Grafana Dashboard. Learn about the metrics it displays and the queries that produce the metrics. ---- - -# Consul on Kubernetes control plane monitoring dashboard - -This page provides reference information about the [Grafana dashboard configuration included in the `hashicorp/consul` GitHub repository](https://github.com/hashicorp/consul/blob/main/grafana/consul-k8s-control-plane-monitoring.json). - -## Grafana queries overview - -This dashboard provides the following information about service mesh operations. - -### Number of Consul servers - -**Description:** Displays the number of Consul servers currently active. This metric provides insight into the cluster's health and the number of Consul nodes running in the environment. - -```promql -consul_consul_server_0_consul_members_servers{pod="consul-server-0"} -``` - -### Number of connected Consul dataplanes - -**Description:** Tracks the number of connected Consul dataplanes. This metric helps operators understand how many Envoy sidecars are actively connected to the mesh. - -```promql -count(consul_dataplane_envoy_connected) -``` - -### CPU usage in seconds (Consul servers) - -**Description:** This metric shows the CPU usage of the Consul servers over time, helping operators monitor resource consumption. - -```promql -rate(container_cpu_usage_seconds_total{container="consul", pod=~"consul-server-.*"}[5m]) -``` - -### Memory usage (Consul servers) - -**Description:** Displays the memory usage of the Consul servers. This metric helps ensure that the servers have sufficient memory resources for proper operation. - -```promql -container_memory_working_set_bytes{container="consul", pod=~"consul-server-.*"} -``` - -### Disk read/write total per 5 minutes (Consul servers) - -**Description:** Tracks the total network bytes received by Consul servers within a 5 minute window. This metric helps assess the network load on Consul nodes. - -```promql -sum(rate(container_fs_writes_bytes_total{pod=~"consul-server-.*", container="consul"}[5m])) by (pod, device) -``` - -```promql -sum(rate(container_fs_reads_bytes_total{pod=~"consul-server-.*", container="consul"}[5m])) by (pod, device) -``` - -### Received bytes total per 5 minutes (Consul servers) - -**Description:** Tracks the total network bytes received by Consul servers within a 5 minute window. This metric helps assess the network load on Consul nodes. - -```promql -sum(rate(container_network_receive_bytes_total{pod=~"consul-server-.*"}[5m])) by (pod) -``` - -### Memory limit (Consul servers) - -**Description:** Displays the memory limit for Consul servers. This metric ensures that memory usage stays within the defined limits for each Consul server. - -```promql -kube_pod_container_resource_limits{resource="memory", pod="consul-server-0"} -``` - -### CPU limit in seconds (Consul servers) - -**Description:** Displays the CPU limit for Consul servers. Monitoring CPU limits helps operators ensure that the services are not constrained by resource limitations. - -```promql -kube_pod_container_resource_limits{resource="cpu", pod="consul-server-0"} -``` - -### Disk usage (Consul servers) - -**Description:** Shows the amount of filesystem storage used by Consul servers. This metric helps operators track disk usage and plan for capacity. - -```promql -sum(container_fs_usage_bytes{}) by (pod) -``` - -```promql -sum(container_fs_usage_bytes{pod="consul-server-0"}) -``` - -### CPU usage in seconds (Connect injector) - -**Description:** Tracks the CPU usage of the Connect injector, which is responsible for injecting Envoy sidecars and other operations within the mesh. Monitoring this helps ensure that Connect injector has adequate CPU resources. - -```promql -rate(container_cpu_usage_seconds_total{pod=~".*-connect-injector-.*", container="sidecar-injector"}[5m]) -``` - -### CPU limit in seconds (Connect injector) - -**Description:** Displays the CPU limit for the Connect injector. Monitoring the CPU limits ensures that Connect injector is not constrained by resource limitations. - -```promql -max(kube_pod_container_resource_limits{resource="cpu", container="sidecar-injector"}) -``` - -### Memory usage (Connect injector) - -**Description:** Tracks the memory usage of the Connect injector. Monitoring this helps ensure the Connect injector has sufficient memory resources. - -```promql -container_memory_working_set_bytes{pod=~".*-connect-injector-.*", container="sidecar-injector"} -``` - -### Memory limit (Connect injector) - -**Description:** Displays the memory limit for the Connect injector, helping to monitor if the service is nearing its resource limits. - -```promql -max(kube_pod_container_resource_limits{resource="memory", container="sidecar-injector"}) -``` - - diff --git a/website/content/docs/connect/observability/grafanadashboards/consulserverdashboard.mdx b/website/content/docs/connect/observability/grafanadashboards/consulserverdashboard.mdx deleted file mode 100644 index e3e2ff49bf9..00000000000 --- a/website/content/docs/connect/observability/grafanadashboards/consulserverdashboard.mdx +++ /dev/null @@ -1,164 +0,0 @@ ---- -layout: docs -page_title: Dashboard for Consul server metrics -description: >- - This documentation provides an overview of the Consul Server Dashboard. Learn about the metrics it displays and the queries that produce the metrics. ---- - -# Consul server monitoring dashboard - -This page provides reference information about the [Grafana dashboard configuration included in the `hashicorp/consul` GitHub repository](https://github.com/hashicorp/consul/blob/main/grafana/consul-server-monitoring.json). - -## Grafana queries overview - -This dashboard provides the following information about service mesh operations. - -### Raft commit time - -**Description:** This metric measures the time it takes to commit Raft log entries. Stable values are expected for a healthy cluster. High values can indicate issues with resources such as memory, CPU, or disk space. - -```promql -consul_raft_commitTime -``` - -### Raft commits per 5 minutes - -**Description:** This metric tracks the rate of Raft log commits emitted by the leader, showing how quickly changes are being applied across the cluster. - -```promql -rate(consul_raft_apply[5m]) -``` - -### Last contacted leader - -**Description:** Measures the duration since the last contact with the Raft leader. Spikes in this metric can indicate network issues or an unavailable leader, which may affect cluster stability. - -```promql -consul_raft_leader_lastContact != 0 -``` - -### Election events - -**Description:** Tracks Raft state transitions, which indicate leadership elections. Frequent transitions might suggest cluster instability and require investigation. - -```promql -rate(consul_raft_state_candidate[1m]) -``` - -```promql -rate(consul_raft_state_leader[1m]) -``` - -### Autopilot health - -**Description:** A boolean metric that shows a value of 1 when Autopilot is healthy and 0 when issues are detected. Ensures that the cluster has sufficient resources and an operational leader. - -```promql -consul_autopilot_healthy -``` - -### DNS queries per 5 minutes - -**Description:** This metric tracks the rate of DNS queries per node, bucketed into 5 minute intervals. It helps monitor the query load on Consul’s DNS service. - -```promql -rate(consul_dns_domain_query_count[5m]) -``` - -### DNS domain query time - -**Description:** Measures the time spent handling DNS domain queries. Spikes in this metric may indicate high contention in the catalog or too many concurrent queries. - -```promql -consul_dns_domain_query -``` - -### DNS reverse query time - -**Description:** Tracks the time spent processing reverse DNS queries. Spikes in query time may indicate performance bottlenecks or increased workload. - -```promql -consul_dns_ptr_query -``` - -### KV applies per 5 minutes - -**Description:** This metric tracks the rate of key-value store applies over 5 minute intervals, indicating the operational load on Consul’s KV store. - -```promql -rate(consul_kvs_apply_count[5m]) -``` - -### KV apply time - -**Description:** Measures the time taken to apply updates to the key-value store. Spikes in this metric might suggest resource contention or client overload. - -```promql -consul_kvs_apply -``` - -### Transaction apply time - -**Description:** Tracks the time spent applying transaction operations in Consul, providing insights into potential bottlenecks in transaction operations. - -```promql -consul_txn_apply -``` - -### ACL resolves per 5 minutes - -**Description:** This metric tracks the rate of ACL token resolutions over 5 minute intervals. It provides insights into the activity related to ACL tokens within the cluster. - -```promql -rate(consul_acl_ResolveToken_count[5m]) -``` - -### ACL resolve token time - -**Description:** Measures the time taken to resolve ACL tokens into their associated policies. - -```promql -consul_acl_ResolveToken -``` - -### ACL updates per 5 minutes - -**Description:** Tracks the rate of ACL updates over 5 minute intervals. This metric helps monitor changes in ACL configurations over time. - -```promql -rate(consul_acl_apply_count[5m]) -``` - -### ACL apply time - -**Description:** Measures the time spent applying ACL changes. Spikes in apply time might suggest resource constraints or high operational load. - -```promql -consul_acl_apply -``` - -### Catalog operations per 5 minutes - -**Description:** Tracks the rate of register and deregister operations in the Consul catalog, providing insights into the churn of services within the cluster. - -```promql -rate(consul_catalog_register_count[5m]) -``` - -```promql -rate(consul_catalog_deregister_count[5m]) -``` - -### Catalog operation time - -**Description:** Measures the time taken to complete catalog register or deregister operations. Spikes in this metric may indicate performance issues within the catalog. - -```promql -consul_catalog_register -``` - -```promql -consul_catalog_deregister -``` - - diff --git a/website/content/docs/connect/observability/grafanadashboards/index.mdx b/website/content/docs/connect/observability/grafanadashboards/index.mdx deleted file mode 100644 index 2a21ec6f2fc..00000000000 --- a/website/content/docs/connect/observability/grafanadashboards/index.mdx +++ /dev/null @@ -1,91 +0,0 @@ ---- -layout: docs -page_title: Service Mesh Observability - Dashboards -description: >- - This documentation provides an overview of several dashboards designed for monitoring and managing services within a Consul-managed Envoy service mesh. Learn how to enable access logs and configure key performance and operational metrics to ensure the reliability and performance of services in the service mesh. ---- - -# Dashboards for service mesh observability - -This topic describes the configuration and usage of dashboards for monitoring and managing services within a Consul-managed Envoy service mesh. These dashboards provide critical insights into the health, performance, and resource utilization of services. The dashboards described here are essential tools for ensuring the stability, efficiency, and reliability of your service mesh environment. - -This page provides reference information about the Grafana dashboard configurations included in the [`grafana` directory in the `hashicorp/consul` GitHub repository](https://github.com/hashicorp/consul/tree/main/grafana). - -## Dashboards overview - -The repository includes the following dashboards: - - - **Consul service-to-service dashboard**: Provides a detailed view of service-to-service communications, monitoring key metrics like access logs, HTTP requests, error counts, response code distributions, and request success rates. The dashboard includes customizable filters for focusing on specific services and namespaces. - - - **Consul service dashboard**: Tracks key metrics for Envoy proxies at the cluster and service levels, ensuring the performance and reliability of individual services within the mesh. - - - **Consul dataplane dashboard**: Offers a comprehensive overview of service health and performance, including request success rates, resource utilization (CPU and memory), active connections, and cluster health. It helps operators maintain service reliability and optimize resource usage. - - - **Consul k8s dashboard**: Focuses on monitoring the health and resource usage of the Consul control plane within a Kubernetes environment, ensuring the stability of the control plane. - - - **Consul server dashboard**: Provides detailed monitoring of Consul servers, tracking key metrics like server health, CPU and memory usage, disk I/O, and network performance. This dashboard is critical for ensuring the stability and performance of Consul servers within the service mesh. - -## Enabling prometheus - -Add the following configurations to your Consul Helm chart to enable the prometheus tools. - - - -```yaml -global: - metrics: - enabled: true - provider: "prometheus" - enableAgentMetrics: true - agentMetricsRetentionTime: "10m" - -prometheus: - enabled: true - -ui: - enabled: true - metrics: - enabled: true - provider: "prometheus" - baseURL: http://prometheus-server.consul -``` - - - -## Enable access logs - -Access logs configurations are defined globally in the [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults#accesslogs) configuration entry. - -The following example is a minimal configuration for enabling access logs: - - - -```hcl -Kind = "proxy-defaults" -Name = "global" -AccessLogs { - Enabled = true -} -``` - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ProxyDefaults -metadata: - name: global -spec: - accessLogs: - enabled: true -``` - -```json -{ - "Kind": "proxy-defaults", - "Name": "global", - "AccessLogs": { - "Enabled": true - } -} -``` - - diff --git a/website/content/docs/connect/observability/grafanadashboards/service-to-servicedashboard.mdx b/website/content/docs/connect/observability/grafanadashboards/service-to-servicedashboard.mdx deleted file mode 100644 index f6abad471e9..00000000000 --- a/website/content/docs/connect/observability/grafanadashboards/service-to-servicedashboard.mdx +++ /dev/null @@ -1,183 +0,0 @@ ---- -layout: docs -page_title: Dashboard for monitoring Consul service-to-service mesh -description: >- - This documentation provides an overview of the Service-to-service dashboard. Learn about the metrics it displays and the queries that produce the metrics. ---- - -# Service-to-service dashboard - -This page provides reference information about the [Grafana dashboard configuration included in the `hashicorp/consul` GitHub repository](https://github.com/hashicorp/consul/blob/main/grafana/consulservicetoservicedashboard.json). The service-to-service dashboard provides deep visibility into the traffic and interactions between services within the Consul service mesh. It focuses on critical metrics such as logs, error rates, traffic patterns, and success rates, all of which help operators maintain smooth and reliable service-to-service communication. - -![Preview of the service to service mesh dashboard](/public/img/grafana/service-to-service-1.png) - -## Grafana queries overview - -This dashboard provides the following information about service mesh operations. - -### Access logs and errors monitoring - -**Description:** This section provides visibility into logs and errors related to service-to-service communications. It tracks and displays the number of logs generated, errors encountered, and the percentage of logs matching specific patterns. - -### Total logs - -**Description:** This metric counts the total number of log lines produced by Consul dataplane containers. It provides an overview of the volume of logs being generated for a specific namespace. - -```promql -sum(count_over_time(({container="consul-dataplane",namespace=~"$namespace"})[$__interval])) -``` - -### Total logs containing "$searchable_pattern" - -**Description:** This metric tracks the number of logs containing the specified pattern. It is useful for filtering and monitoring specific log events across the service mesh. - -```promql -sum(count_over_time({container="consul-dataplane", namespace=~"$namespace"} |~ (?i)(?i)$searchable_pattern [$__interval])) -``` - -### Percentage of logs containing "$searchable_pattern" - -**Description:** This metric calculates the percentage of logs containing the specified search pattern within the total log volume. It helps gauge the proportion of specific log events. - -```promql -(sum(count_over_time({container="consul-dataplane", namespace=~"$namespace"} |~ (?i)(?i)$searchable_pattern [$__interval])) * 100) / sum(count_over_time({container="consul-dataplane", namespace=~"$namespace"} [$__interval])) -``` - -### Total response code distribution - -**Description:** This pie chart visualizes the distribution of HTTP response codes, helping identify any 4xx and 5xx error codes generated by the services. - -```promql -sum by(response_code) (count_over_time({container="consul-dataplane", namespace="$namespace"} | json | response_code != "0" | __error__= [$__range])) -``` - -### Rate of logs containing "$searchable_pattern" per service - -**Description:** This metric monitors the rate at which specific patterns appear in logs per service, helping to detect trends and anomalies in log data. - -```promql -sum by(app) (rate({container="consul-dataplane", namespace=~"$namespace"} |~ (?i)(?i)$searchable_pattern [$__range])) -``` - -### TCP metrics - service level - -### TCP inbound and outbound bytes - -**Description:** This metric tracks the inbound and outbound TCP bytes transferred between services. It is essential for understanding the network traffic flow between source and destination services. - -```promql -sum(rate(envoy_tcp_downstream_cx_rx_bytes_total{}[10m])) by (service, destination_service) -``` - -### TCP inbound and outbound bytes buffered - -**Description:** This metric monitors the amount of TCP bytes buffered for inbound and outbound traffic between services. It helps identify potential network performance bottlenecks. - -```promql -sum(rate(envoy_tcp_downstream_cx_rx_bytes_buffered{}[10m])) by (service, destination_service) -``` - -### TCP downstream connections - -**Description:** This metric counts the number of active TCP downstream connections from the source service to the destination service, providing visibility into the volume of connections between services. - -```promql -sum(envoy_tcp_downstream_cx_total) by (service, destination_service) -``` - -### Outbound traffic monitoring -![Preview of the outbound traffic monitoring](/public/img/grafana/service-to-service-2.png) - -### Upstream traffic - -**Description:** This metric monitors the upstream traffic from the source service to the destination service. It shows how much traffic is being sent between services. - -```promql -sum(irate(envoy_cluster_upstream_rq_total{local_cluster=~"$source_service",consul_destination_service=~"$destination_service"}[10m])) -``` - -### Upstream request response timeliness - -**Description:** This metric calculates the 95th percentile of upstream request response times between the source and destination services. It helps ensure that service communications are handled promptly. - -```promql -histogram_quantile(0.95, sum(rate(envoy_cluster_upstream_rq_time_bucket{local_cluster=~"$source_service",consul_destination_target!=""}[10m])) by (le, consul_destination_target)) -``` - -### Upstream request success rate - -**Description:** This metric tracks the success rate of requests from the source service to the destination service, excluding 4xx and 5xx errors. It helps assess the reliability of service communications. - -```promql -sum(irate(envoy_cluster_upstream_rq_xx{envoy_response_code_class!="5",local_cluster=~"$source_service",consul_destination_service=~"$destination_service"}[10m])) -``` - -### Inbound traffic monitoring -![Preview of the inbound traffic monitoring](/public/img/grafana/service-to-service-3.png) - -### Requests sent - -**Description:** This metric tracks the number of requests sent between the source service and destination service within the service mesh. - -```promql -sum(irate(envoy_cluster_upstream_rq_total{consul_destination_datacenter="dc1",local_cluster=~"$source_service",consul_destination_service=~"$destination_service"}[10m])) by (consul_destination_service, local_cluster) -``` - -### Request success rate - -**Description:** This metric tracks the success rate of requests from the source service to the destination service, helping identify failures or bottlenecks in communication. - -```promql -sum(irate(envoy_cluster_upstream_rq_xx{envoy_response_code_class!="5",local_cluster=~"$source_service",consul_destination_service=~"$destination_service"}[10m])) by (local_cluster, consul_destination_service) / sum(irate(envoy_cluster_upstream_rq_xx{consul_destination_service=~"$destination_service"}[10m])) by (local_cluster, consul_destination_service) -``` - -### Response success by status code - -**Description:** This metric tracks response success by status code for requests sent by the source service to the destination service. - -```promql -sum(increase(envoy_http_downstream_rq_xx{local_cluster=~"$source_service",envoy_http_conn_manager_prefix="public_listener"}[10m])) by (local_cluster, envoy_response_code_class) -``` - -### Request duration - -**Description:** This metric tracks the request duration between the source and destination services, helping monitor performance and response times. - -```promql -histogram_quantile(0.95, sum(rate(envoy_cluster_upstream_rq_time_bucket{consul_destination_datacenter="dc1", consul_destination_service=~"$destination_service",local_cluster=~"$source_service"}[10m])) by (le, cluster, local_cluster, consul_destination_service)) -``` - -### Response success - -**Description:** This metric tracks the success of responses for the source service's requests across the service mesh. - -```promql -sum(increase(envoy_http_downstream_rq_total{local_cluster=~"$source_service",envoy_http_conn_manager_prefix="public_listener"}[10m])) by (local_cluster) -``` - -### Request response rate - -**Description:** This metric tracks the rate at which responses are being generated by the source service, providing insight into service activity and performance. - -```promql -sum(irate(envoy_http_downstream_rq_total{local_cluster=~"$source_service",envoy_http_conn_manager_prefix="public_listener"}[10m])) by (local_cluster) -``` - -## Customization options - -![Preview of the nginx service selection as a customization option on the service to service dashboard](/public/img/grafana/service-to-service-4.png) - -The service-to-service dashboard includes a variety of customization options to help you analyze specific aspects of service-to-service communications, tailor the dashboard for more targeted monitoring, and enhance visibility into the service mesh. - -- **Filter by source service:** You can filter the dashboard to focus on traffic originating from a specific source service, allowing you to analyze interactions from the source service to all destination services. - -- **Filter by destination service:** Similarly, you can filter the dashboard by destination service to track and analyze the traffic received by specific services. This helps pinpoint communication issues or performance bottlenecks related to specific services. - -- **Filter by namespace:** The dashboard can be customized to focus on service interactions within a particular namespace. This is especially useful for isolating issues in multi-tenant environments or clusters that operate with strict namespace isolation. - -- **Log pattern search:** You can apply custom search patterns to logs to filter out specific log events of interest, such as error messages or specific HTTP status codes. This enables you to narrow down on specific log entries and identify patterns that may indicate issues. - -- **Time range selection:** The dashboard supports dynamic time range selection, allowing you to focus on service interactions over specific time intervals. This helps in analyzing traffic trends, troubleshooting incidents, and understanding the timing of service communications. - -By using these customization options, you can tailor the dashboard to your specific needs and ensure they are always monitoring the most relevant data for maintaining a healthy and performant service mesh. - diff --git a/website/content/docs/connect/observability/grafanadashboards/servicedashboard.mdx b/website/content/docs/connect/observability/grafanadashboards/servicedashboard.mdx deleted file mode 100644 index dfe684c3437..00000000000 --- a/website/content/docs/connect/observability/grafanadashboards/servicedashboard.mdx +++ /dev/null @@ -1,157 +0,0 @@ ---- -layout: docs -page_title: Dashboard for monitoring Consul service mesh -description: >- - This documentation provides an overview of the Service Dashboard. Learn about the metrics it displays and the queries that produce the metrics. ---- - -# Service dashboard - -This page provides reference information about the [Grafana dashboard configuration included in the `hashicorp/consul` GitHub repository](https://github.com/hashicorp/consul/blob/main/grafana/consulservicedashboard.json). The service dashboard offers an overview of the performance and health of individual services within the Consul service mesh. It provides insights into service availability, request success rates, latency, and connection metrics. This dashboard is essential for maintaining optimal service performance and quickly identifying any issues with service communications. - -![Preview of the service dashboard](/public/img/grafana/service-dashboard-2.png) - -## Grafana queries overview - -This dashboard provides the following information about service mesh operations. - -### Total running services - -**Description:** This gauge tracks the total number of running services within the mesh that are not labeled as `traffic-generator`. It provides an overall view of active services, helping operators maintain visibility into service availability. - -```promql -sum(envoy_server_live{app!="traffic-generator"}) -``` - -### Total request success rate - -**Description:** This stat visualizes the success rate of upstream requests to the selected service. It filters out 4xx and 5xx response codes, providing a clearer picture of how well the service is performing in terms of handling requests successfully. - -```promql -sum(irate(envoy_cluster_upstream_rq_xx{envoy_response_code_class!="5", envoy_response_code_class!="4", consul_destination_service=~"$service"}[10m])) / sum(irate(envoy_cluster_upstream_rq_xx{consul_destination_service=~"$service"}[10m])) -``` - -### Total failed request rate - -**Description:** This stat tracks the rate of failed requests for the selected service according to 4xx and 5xx errors. It helps operators quickly identify if there are issues with client requests or server errors for a specific service. - -```promql -sum(irate(envoy_cluster_upstream_rq_xx{envoy_response_code_class=~"4|5", consul_destination_service=~"$service"}[10m])) / sum(irate(envoy_cluster_upstream_rq_xx{consul_destination_service=~"$service"}[10m])) -``` - -### Average request response time in milliseconds - -**Description:** This gauge displays the average response time for requests to the selected service, providing an overview of the service's performance and responsiveness. - -```promql -sum(rate(envoy_cluster_upstream_rq_time_sum{consul_destination_service=~"$service"}[10m])) / sum(rate(envoy_cluster_upstream_rq_total{consul_destination_service=~"$service"}[10m])) -``` - -### Total failed requests - -**Description:** This gauge tracks the total number of failed requests over a 10 minute window, categorized by service. It allows for easy identification of services that are experiencing high failure rates. - -```promql -sum(increase(envoy_cluster_upstream_rq_xx{envoy_response_code_class=~"4|5", consul_destination_service=~"$service"}[10m])) by(local_cluster) -``` - -### Dataplane latency - -**Description:** This stat tracks the dataplane latency percentiles (p50, p75, p90, p99.9) for the selected service. It gives detailed insights into the distribution of latency within the service's request handling, helping identify performance bottlenecks. - -![Preview of the dataplane latency metrics](/public/img/grafana/service-dashboard-1.png) - -```promql -histogram_quantile(0.50, sum by(le) (rate(envoy_cluster_upstream_rq_time_bucket{kubernetes_namespace=~"$namespace", local_cluster=~"$service"}[5m]))) -``` - -```promql -histogram_quantile(0.75, sum by(le) (rate(envoy_cluster_upstream_rq_time_bucket{kubernetes_namespace=~"$namespace", local_cluster=~"$service"}[5m]))) -``` - -```promql -histogram_quantile(0.90, sum by(le) (rate(envoy_cluster_upstream_rq_time_bucket{kubernetes_namespace=~"$namespace", local_cluster=~"$service"}[5m]))) -``` - -```promql -histogram_quantile(0.999, sum by(le) (rate(envoy_cluster_upstream_rq_time_bucket{kubernetes_namespace=~"$namespace", local_cluster=~"$service"}[5m]))) -``` - -### Total TCP inbound and outbound bytes - -**Description:** This time series shows the total number of inbound and outbound TCP bytes for services within the mesh. It provides visibility into the data transfer patterns and volume between services. - -```promql -sum(rate(envoy_tcp_downstream_cx_rx_bytes_total{}[10m])) by (local_cluster) -``` - -### Total TCP inbound and outbound bytes buffered - -**Description:** This metric tracks the amount of TCP traffic buffered during inbound and outbound communications. It helps in identifying whether there is any potential latency caused by packet buffering or congestion. - -```promql -sum(rate(envoy_tcp_downstream_cx_rx_bytes_buffered{}[10m])) by (local_cluster) -``` - -### Total TCP downstream active connections - -**Description:** This metric counts the total number of active TCP downstream connections, providing an overview of the current connection load on the services within the mesh. - -```promql -sum(rate(envoy_tcp_downstream_cx_total{}[10m])) by(local_cluster) -``` - -### Total active HTTP upstream connections - -**Description:** This time series tracks the total number of active HTTP upstream connections for the selected service. It helps monitor connection patterns and assess load. - -```promql -sum(envoy_cluster_upstream_cx_active{app=~"$service"}) by (app) -``` - -### Total active HTTP downstream connections - -**Description:** This time series monitors the number of active HTTP downstream connections for the selected service, providing visibility into the current active user or client load on the service. - -```promql -sum(envoy_http_downstream_cx_active{app=~"$service"}) by (app) -``` - -### Upstream requests by status code - -**Description:** This metric tracks the number of upstream requests, grouped by HTTP status codes, giving insight into the health of the requests being made to upstream services from the selected service. - -```promql -sum by(namespace,app,envoy_response_code_class) (rate(envoy_cluster_upstream_rq_xx[5m])) -``` - -### Downstream requests by status code - -**Description:** This time series tracks downstream HTTP requests by status code, showing how well the selected service is responding to downstream requests from clients. - -```promql -sum(rate(envoy_http_downstream_rq_xx{envoy_http_conn_manager_prefix="public_listener"}[5m])) by (namespace, app, envoy_response_code_class) -``` - -### Connections rejected - -**Description:** This metric tracks the number of connections rejected due to overload or overflow conditions on listeners. Monitoring these values helps identify if the service is under too much load or has insufficient capacity to handle the incoming connections. - -```promql -rate(envoy_listener_downstream_cx_overload_reject{}[$__interval]) -``` - -## Customization options - -The service dashboard offers various customization options to help you analyze specific services and metrics. Use these options to tailor the dashboard to your needs and improve your ability to monitor and troubleshoot service health. - -- **Filter by service:** You can filter the dashboard by the service you want to monitor. This helps narrow down the metrics to the service of interest and provides a more targeted view of its performance. - -- **Filter by namespace:** The namespace filter allows operators to focus on a particular namespace in a multi-tenant or multi-namespace environment, isolating the service metrics within that specific context. - -- **Time range selection:** The dashboard supports flexible time range selection, allowing operators to analyze service behavior over different time periods. This is helpful for pinpointing issues that may occur at specific times or during high-traffic periods. - -- **Percentile latency tracking:** The dashboard allows operators to track multiple latency percentiles (p50, p75, p90, p99.9) to get a more detailed view of how the service performs across different levels of traffic load. - - - diff --git a/website/content/docs/connect/observability/index.mdx b/website/content/docs/connect/observability/index.mdx deleted file mode 100644 index 95dce806a0a..00000000000 --- a/website/content/docs/connect/observability/index.mdx +++ /dev/null @@ -1,58 +0,0 @@ ---- -layout: docs -page_title: Service Mesh Observability - Overview -description: >- - To use Consul's observability features, configure sidecar proxies in the service mesh to collect and emit L7 metrics. Learn about configuring metrics destinations and a service's protocol and upstreams. ---- - -# Service Mesh Observability Overview - -In order to take advantage of the service mesh's L7 observability features you will need -to: - -- Deploy sidecar proxies that are capable of emitting metrics with each of your - services. We have first class support for Envoy. -- Define where your proxies should send metrics that they collect. -- Define the protocols for each of your services. -- Define the upstreams for each of your services. - -If you are using Envoy as your sidecar proxy, you will need to [enable -gRPC](/consul/docs/agent/config/config-files#grpc_port) on your client agents. To define the -metrics destination and service protocol you may want to enable [configuration -entries](/consul/docs/agent/config/config-files#config_entries) and [centralized service -configuration](/consul/docs/agent/config/config-files#enable_central_service_config). - -### Kubernetes -If you are using Kubernetes, the Helm chart can simplify much of the configuration needed to enable observability. See -our [Kubernetes observability docs](/consul/docs/k8s/connect/observability/metrics) for more information. - -### Metrics destination - -For Envoy the metrics destination can be configured in the proxy configuration -entry's `config` section. - -``` -kind = "proxy-defaults" -name = "global" -config { - "envoy_dogstatsd_url": "udp://127.0.0.1:9125" -} -``` - -Find other possible metrics syncs in the [Envoy documentation](/consul/docs/connect/proxies/envoy#bootstrap-configuration). - -### Service protocol - -You can specify the [`protocol`](/consul/docs/connect/config-entries/service-defaults#protocol) -for all service instances in the `service-defaults` configuration entry. You can also override the default protocol when defining and registering proxies in a service definition file. Refer to [Expose Paths Configuration Reference](/consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference) for additional information. - -By default, proxies only provide L4 metrics. -Defining the protocol allows proxies to handle requests at the L7 -protocol and emit L7 metrics. It also allows proxies to make per-request -load balancing and routing decisions. - -### Service upstreams - -You can set the upstream for each service using the proxy's -[`upstreams`](/consul/docs/connect/proxies/proxy-config-reference#upstreams) -sidecar parameter, which can be defined in a service's [sidecar registration](/consul/docs/connect/proxies/deploy-sidecar-services). diff --git a/website/content/docs/connect/observability/service.mdx b/website/content/docs/connect/observability/service.mdx deleted file mode 100644 index 55b4580aff7..00000000000 --- a/website/content/docs/connect/observability/service.mdx +++ /dev/null @@ -1,212 +0,0 @@ ---- -layout: docs -page_title: Monitoring service-to-service communication with Envoy -description: >- - Learn to monitor the appropriate metrics when using Envoy proxy. ---- - -# Monitoring service-to-service communication with Envoy - -When running a service mesh with Envoy as the proxy, there are a wide array of possible metrics produced from traffic flowing through the data plane. This document covers a set of scenarios and key baseline metrics and potential alerts that will help you maintain the overall health and resilience of the mesh for HTTP services. In addition, it provides examples of using these metrics in specific ways to generate a Grafana dashboard using a Prometheus backend to better understand how the metrics behave. - -When collecting metrics, it is important to establish a baseline. This baseline ensures your Consul deployment is healthy, and serves as a reference point when troubleshooting abnormal Cluster behavior. Once you have established a baseline for your metrics, use them and the following recommendations to configure reasonable alerts for your Consul agent. - - - - The following examples assume that the operator adds the cluster name (i.e. datacenter) using the label “cluster” and the node name (i.e. machine or pod) using the label “node” to all scrape targets. - - - -## General scenarios - -### Is Envoy's configuration growing stale? - -When Envoy connects to the Consul control plane over xDS, it will rapidly converge to the current configuration that the control plane expects it to have. If the xDS stream terminates and does not reconnect for an extended period, then the xDS configuration currently in the Envoy instances will “fail static” and slowly grow out of date. - -##### Metric - -`envoy_control_plane_connected_state` - -#### Alerting - -If the value for a given node/pod/machine was 0 for an extended period of time. - -#### Example dashboard (table) - -``` -group(last_over_time(envoy_control_plane_connected_state{cluster="$cluster"}[1m] ) == 0) by (node) -``` - -## Inbound traffic scenarios - -### Is this service being sent requests? - -Within a mesh, a request travels from one service to another. You may choose to measure many relevant metrics from the calling-side, the serving-side, or both. - -It is useful to track the perceived request rate of requests from the calling-side as that would include all requests, even those that fail to arrive at the serving-side due to any failures. - -Any measurement of the request rate is also generally useful for capacity planning purposes as increased traffic typically correlates with a need for a scale-up event in the near future. - -##### Metric - -`envoy_cluster_upstream_rq_total` - -#### Alerting - -If the value has a significant change, check if services are properly interacting with each other and if you need to increase your Consul agent resource requirements. - -#### Example dashboard (plot; rate) - -``` -sum(irate(envoy_cluster_upstream_rq_total{consul_destination_datacenter="$cluster", -consul_destination_service="$service"}[1m])) by (cluster, local_cluster) -``` - -### Are requests sent to this service mostly successful? - -A service mesh is about communication between services, so it is important to track the perceived success rate of requests witnessed by the calling services. - -##### Metric - -`envoy_cluster_upstream_rq_xx` - -#### Alerting - -If the value crosses a user defined baseline. - -#### Example dashboard (plot; %) - -``` -sum(irate(envoy_cluster_upstream_rq_xx{envoy_response_code_class!="5",consul_destination_datacenter="$cluster",consul_destination_service="$service"}[1m])) by (cluster, local_cluster) / sum(irate(envoy_cluster_upstream_rq_xx{consul_destination_datacenter="$cluster",consul_destination_service="$service"}[1m])) by (cluster, local_cluster) -``` - -### Are requests sent to this service handled in a timely manner? - -If you undersize your infrastructure from a resource perspective, then you may expect a decline in response speed over time. You can track this by plotting the 95th percentile of the latency as experienced by the clients. - -##### Metric - -`envoy_cluster_upstream_rq_time_bucket` - -#### Alerting - -If the value crosses a user defined baseline. - -#### Example dashboard (plot; value) - -``` -histogram_quantile(0.95, sum(rate(envoy_cluster_upstream_rq_time_bucket{consul_destination_datacenter="$cluster",consul_destination_service="$service",local_cluster!=""}[1m])) by (le, cluster, local_cluster)) -``` - -### Is this service responding to requests that it receives? - -Unlike the perceived request rate, which is measured from the calling side, this is the real request rate measured on the serving-side. This is a serving-side parallel metric that can help clarify underlying causes of problems in the calling-side equivalent metric. Ideally this metric should roughly track the calling side values in a 1-1 manner. - -##### Metric - -`envoy_http_downstream_rq_total` - -#### Alerting - -If the value crosses a user defined baseline. - -#### Example dashboard (plot; rate) - -``` -sum(irate(envoy_http_downstream_rq_total{cluster="$cluster",local_cluster="$service",envoy_http_conn_manager_prefix="public_listener"}[1m])) -``` - -### Are responses from this service mostly successful? - -Unlike the perceived success rate of requests, which is measured from the calling side, this is the real success rate of requests measured on the serving-side. This is a serving-side parallel metric that can help clarify underlying causes of problems in the calling-side equivalent metric. Ideally this metric should roughly track the calling side values in a 1-1 manner. - -##### Metrics - -`envoy_http_downstream_rq_total` - -`envoy_http_downstream_rq_xx` - -#### Alerting - -If the value crosses a user defined baseline. - -#### Example dashboard (plot; %) - -##### Total - -``` -sum(increase(envoy_http_downstream_rq_total{cluster="$cluster",local_cluster="$service",envoy_http_conn_manager_prefix="public_listener"}[1m])) -``` - -##### BY STATUS CODE: - -``` -sum(increase(envoy_http_downstream_rq_xx{cluster="$cluster",local_cluster="$service",envoy_http_conn_manager_prefix="public_listener"}[1m])) by (envoy_response_code_class) -``` - -## Outbound traffic scenarios - -### Is this service sending traffic to its upstreams? - -Similar to the real request rate for requests arriving at a service, it may be helpful to view the perceived request rate departing from a service through its upstreams. - -##### Metric - -`envoy_cluster_upstream_rq_total` - -#### Alerting - -If the value crosses a user defined success threshold. - -#### Example dashboard (plot; rate) - -``` -sum(irate(envoy_cluster_upstream_rq_total{cluster="$cluster", -local_cluster="$service", -consul_destination_target!=""}[1m])) by (consul_destination_target) -``` - -### Are requests from this service to its upstreams mostly successful? - -Similar to the real success rate of requests arriving at a service, it is also important to track the perceived success rate of requests departing from a service through its upstreams. - -##### Metric - -`envoy_cluster_upstream_rq_xx` - -#### Alerting - -If the value crosses a user defined success threshold. - -#### Example dashboard (plot; value) - -``` -sum(irate(envoy_cluster_upstream_rq_xx{envoy_response_code_class!="5", -cluster="$cluster",local_cluster="$service", -consul_destination_target!=""}[1m])) by (consul_destination_target) / sum(irate(envoy_cluster_upstream_rq_xx{cluster="$cluster",local_cluster="$service",consul_destination_target!=""}[1m])) by (consul_destination_target) -``` - -### Are requests from this service to its upstreams handled in a timely manner? - -Similar to the latency of requests departing for a service, it is useful to track the 95th percentile of the latency of requests departing from a service through its upstreams. - -##### Metric - -`envoy_cluster_upstream_rq_time_bucket` - -#### Alerting - -If the value crosses a user defined success threshold. - -#### Example dashboard (plot; value) - -``` -histogram_quantile(0.95, sum(rate(envoy_cluster_upstream_rq_time_bucket{cluster="$cluster", -local_cluster="$service",consul_target!=""}[1m])) by (le, consul_destination_target)) -``` - -## Next steps - -In this guide, you learned recommendations for monitoring your Envoy metrics, and why monitoring these metrics is important for your Consul deployment. - -To learn about monitoring Consul components, visit our [Monitoring Consul components](/well-architected-framework/reliability/reliability-consul-monitoring-consul-components) documentation. diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/lambda.mdx b/website/content/docs/connect/proxies/envoy-extensions/usage/lambda.mdx deleted file mode 100644 index c06bf3bd220..00000000000 --- a/website/content/docs/connect/proxies/envoy-extensions/usage/lambda.mdx +++ /dev/null @@ -1,161 +0,0 @@ ---- -layout: docs -page_title: Lambda Envoy Extension -description: >- - Learn how the `lambda` Envoy extension enables Consul to join AWS Lambda functions to its service mesh. ---- - -# Invoke Lambda functions in Envoy proxy - -The Lambda Envoy extension configures outbound traffic on upstream dependencies allowing mesh services to properly invoke AWS Lambda functions. Lambda functions appear in the catalog as any other Consul service. - -You can only enable the Lambda extension through `service-defaults`. This is because the Consul uses the `service-defaults` configuration entry name as the catalog name for the Lambda functions. - -## Specification - -The Lambda Envoy extension has the following arguments: - -| Arguments | Description | -| -------------------- | ------------------------------------------------------------------------------------------------ | -| `ARN` | Specifies the [AWS ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) for the service's Lambda. | -| `InvocationMode` | Determines if Consul configures the Lambda to be invoked using the synchronous or asynchronous [invocation mode](https://docs.aws.amazon.com/lambda/latest/operatorguide/invocation-modes.html). | -| `PayloadPassthrough` | Determines if the body Envoy receives is converted to JSON or directly passed to Lambda. | - -Be aware that unlike [manual lambda registration](/consul/docs/lambda/registration/manual#supported-meta-fields), region is inferred from the ARN when specified through an Envoy extension. - -## Workflow - -There are two steps to configure the Lambda Envoy extension: - -1. Configure EnvoyExtensions through `service-defaults`. -1. Apply the configuration entry. - -### Configure `EnvoyExtensions` - -To use the Lambda Envoy extension, you must configure and apply a `service-defaults` configuration entry. Consul uses the name of the entry as the Consul service name for the Lambdas in the catalog. Downstream services also use the name to invoke the Lambda. - -The following example configures the Lambda Envoy extension to create a service named `lambda` in the mesh that can invoke the associated Lambda function. - - - - - -```hcl -Kind = "service-defaults" -Name = "lambdaInvokingApp" -Protocol = "http" -EnvoyExtensions { - Name = "builtin/aws/lambda" - Arguments = { - ARN = "arn:aws:lambda:us-west-2:111111111111:function:lambda-1234" - } -} -``` - - - - - - -```hcl -{ - "kind": "service-defaults", - "name": "lambdaInvokingApp", - "protocol": "http", - "envoy_extensions": [{ - "name": "builtin/aws/lambda", - "arguments": { - "arn": "arn:aws:lambda:us-west-2:111111111111:function:lambda-1234" - } - }] -} - -``` - - - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceDefaults -metadata: - name: lambda -spec: - protocol: http - envoyExtensions: - name = "builtin/aws/lambda" - arguments: - arn: arn:aws:lambda:us-west-2:111111111111:function:lambda-1234 -``` - - - - - - -For a full list of parameters for `EnvoyExtensions`, refer to the [`service-defaults`](/consul/docs/connect/config-entries/service-defaults#envoyextensions) and [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions) configuration entries reference documentation. - -~> **Note:** You can only enable the Lambda extension through `service-defaults`. - -Refer to [Configuration specification](#configuration-specification) section to find a full list of arguments for the Lambda Envoy extension. - -### Apply the configuration entry - -Apply the `service-defaults` configuration entry. - - - - -```shell-session -$ consul config write lambda-envoy-extension.hcl -``` - - - - -```shell-session -$ consul config write lambda-envoy-extension.json -``` - - - - -```shell-session -$ kubectl apply lambda-envoy-extension.yaml -``` - - - - -## Examples - -In the following example, the Lambda Envoy extension adds a single Lambda function running in two regions into the mesh. Then, you can use the `lambda` service name to invoke it, as if it was any other service in the mesh. - - - -```hcl -Kind = "service-defaults" -Name = "lambda" -Protocol = "http" -EnvoyExtensions { - Name = "builtin/aws/lambda" - - Arguments = { - payloadPassthrough: false - arn: arn:aws:lambda:us-west-2:111111111111:function:lambda-1234 - } -} -EnvoyExtensions { - Name = "builtin/aws/lambda" - - Arguments = { - payloadPassthrough: false - arn: arn:aws:lambda:us-east-1:111111111111:function:lambda-1234 - } -} -``` - - \ No newline at end of file diff --git a/website/content/docs/connect/proxies/index.mdx b/website/content/docs/connect/proxy/index.mdx similarity index 84% rename from website/content/docs/connect/proxies/index.mdx rename to website/content/docs/connect/proxy/index.mdx index 839a24a49f4..89c2964ec8e 100644 --- a/website/content/docs/connect/proxies/index.mdx +++ b/website/content/docs/connect/proxy/index.mdx @@ -15,13 +15,13 @@ You can configure proxies to perform several different types of functions in Con ### Service mesh proxies -A _service mesh proxy_ is any type of proxy service that you use for communication in a service mesh. Specialized proxy implementations, such as sidecar proxies and gateways, are subsets of service mesh proxies. Refer to [Deploy service mesh proxy services](/consul/docs/connect/proxies/deploy-service-mesh-proxies) for instructions on how to deploy a service mesh proxy. +A _service mesh proxy_ is any type of proxy service that you use for communication in a service mesh. Specialized proxy implementations, such as sidecar proxies and gateways, are subsets of service mesh proxies. Refer to [Deploy service mesh proxy services](/consul/docs/deploy/service-mesh/deploy-proxy) for instructions on how to deploy a service mesh proxy. ### Sidecars Sidecar proxies are service mesh proxy implementations that transparently handles inbound and outbound service connections. Sidecars automatically wrap and verify TLS connections. In a non-containerized network, each service in your mesh should have its own sidecar proxy. -Refer to [Deploy sidecar services](/consul/docs/connect/proxies/deploy-sidecar-services) for additional information. +Refer to [Deploy sidecar services](/consul/docs/reference/proxy/sidecar) for additional information. ### Gateways @@ -43,10 +43,10 @@ Refer to the following topics for additional information: Consul has first-class support for Envoy proxies, which is a highly configurable open source edge service proxy. Consul configures Envoy by optionally exposing a gRPC service on the local agent that serves Envoy's xDS configuration API. Refer to the following documentation for additional information: -- [Envoy proxy reference](/consul/docs/connect/proxies/envoy) +- [Envoy proxy reference](/consul/docs/reference/proxy/envoy) - [Envoy API documentation](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-docs/xds_protocol) -You can use Consul's built-in proxy service that supports L4 network traffic, which is suitable for testing and development but not recommended for production environments. Refer to the [built-in proxy reference](/consul/docs/connect/proxies/built-in) for additional information. +You can use Consul's built-in proxy service that supports L4 network traffic, which is suitable for testing and development but not recommended for production environments. Refer to the [built-in proxy reference](/consul/docs/reference/proxy/built-in) for additional information. ## Workflow @@ -74,14 +74,14 @@ Refer to the following resources for help using service mesh proxies: ### Usage documentation -- [Deploy service mesh proxies](/consul/docs/connect/proxies/deploy-service-mesh-proxies) -- [Deploy sidecar proxies](/consul/docs/connect/proxies/deploy-sidecar-services) -- [Extend Envoy proxies](/consul/docs/connect/proxies/envoy-extensions) -- [Integrate custom proxies](/consul/docs/connect/proxies/integrate) +- [Deploy service mesh proxies](/consul/docs/deploy/service-mesh/deploy-proxy) +- [Deploy sidecar proxies](/consul/docs/reference/proxy/sidecar) +- [Extend Envoy proxies](/consul/docs/reference/proxy/envoy-extensions) +- [Integrate custom proxies](/consul/docs/integrate/proxy) ### Reference documentation -- [Proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) for additional information. -- [Envoy proxies reference](/consul/docs/connect/proxies/envoy) -- [Service mesh proxy configuration reference](/consul/docs/connect/proxies/proxy-config-reference) +- [Proxy defaults configuration entry reference](/consul/docs/reference/config-entry/proxy-defaults) for additional information. +- [Envoy proxies reference](/consul/docs/reference/proxy/envoy) +- [Service mesh proxy configuration reference](/consul/docs/reference/proxy/connect-proxy) - [`consul connect envoy` command](/consul/commands/connect/envoy) diff --git a/website/content/docs/connect/proxies/deploy-service-mesh-proxies.mdx b/website/content/docs/connect/proxy/mesh.mdx similarity index 77% rename from website/content/docs/connect/proxies/deploy-service-mesh-proxies.mdx rename to website/content/docs/connect/proxy/mesh.mdx index 0bb3f7df038..951b25f33d4 100644 --- a/website/content/docs/connect/proxies/deploy-service-mesh-proxies.mdx +++ b/website/content/docs/connect/proxy/mesh.mdx @@ -1,64 +1,64 @@ --- layout: docs page_title: Deploy service mesh proxies -description: >- +description: >- Envoy and other proxies in Consul service mesh enable service-to-service communication across your network. Learn how to deploy service mesh proxies in this topic. --- # Deploy service mesh proxies services -This topic describes how to create, register, and start service mesh proxies in Consul. Refer to [Service mesh proxies overview](/consul/docs/connect/proxies) for additional information about how proxies enable Consul functionalities. +This topic describes how to create, register, and start service mesh proxies in Consul. Refer to [Service mesh proxies overview](/consul/docs/connect/proxy) for additional information about how proxies enable Consul functionalities. -For information about deploying proxies as sidecars for service instances, refer to [Deploy sidecar proxy services](/consul/docs/connect/proxies/deploy-sidecar-services). +For information about deploying proxies as sidecars for service instances, refer to [Deploy sidecar proxy services](/consul/docs/reference/proxy/sidecar). ## Overview Complete the following steps to deploy a service mesh proxy: -1. It is not required, but you can create a proxy defaults configuration entry that contains global passthrough settings for all Envoy proxies. +1. It is not required, but you can create a proxy defaults configuration entry that contains global passthrough settings for all Envoy proxies. 1. Create a service definition file and specify the proxy configurations in the `proxy` block. 1. Register the service using the API or CLI. 1. Start the proxy service. Proxies appear in the list of services registered to Consul, but they must be started before they begin to route traffic in your service mesh. ## Requirements -If ACLs are enabled and you want to configure global Envoy settings using the [proxy defaults configuration entry](/consul/docs/connect/config-entries/proxy-defaults), you must present a token with `operator:write` permissions. Refer to [Create a service token](/consul/docs/security/acl/tokens/create/create-a-service-token) for additional information. +If ACLs are enabled and you want to configure global Envoy settings using the [proxy defaults configuration entry](/consul/docs/connect/config-entries/proxy-defaults), you must present a token with `operator:write` permissions. Refer to [Create a service token](/consul/docs/secure-consul/acl/token/service-token) for additional information. ## Configure global Envoy passthrough settings -If you want to define global passthrough settings for all Envoy proxies, create a proxy defaults configuration entry and specify default settings, such as access log configuration. Note that [service defaults configuration entries](/consul/docs/connect/config-entries/service-defaults) override proxy defaults and individual service configurations override both configuration entries. +If you want to define global passthrough settings for all Envoy proxies, create a proxy defaults configuration entry and specify default settings, such as access log configuration. Note that [service defaults configuration entries](/consul/docs/reference/config-entry/service-default) override proxy defaults and individual service configurations override both configuration entries. 1. Create a proxy defaults configuration entry and specify the following parameters: - `Kind`: Must be set to `proxy-defaults` - `Name`: Must be set to `global` -1. Configure any additional settings you want to apply to all proxies. Refer to [Proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) for details about all settings available in the configuration entry. +1. Configure any additional settings you want to apply to all proxies. Refer to [Proxy defaults configuration entry reference](/consul/docs/reference/config-entry/proxy-defaults) for details about all settings available in the configuraiton entry. 1. Apply the configuration by either calling the [`/config` HTTP API endpoint](/consul/api-docs/config) or running the [`consul config write` CLI command](/consul/commands/config/write). The following example writes a proxy defaults configuration entry from a local HCL file using the CLI: ```shell-session $ consul config write proxy-defaults.hcl ``` -## Define service mesh proxy +## Define service mesh proxy Create a service definition file and configure the following fields to define a service mesh proxy: -1. Set the `kind` field to `connect-proxy`. Refer to the [services configuration reference](/consul/docs/services/configuration/services-configuration-reference#kind) for information about other kinds of proxies you can declare. +1. Set the `kind` field to `connect-proxy`. Refer to the [services configuration reference](/consul/docs/reference/service#kind) for information about other kinds of proxies you can declare. 1. Specify a name for the proxy service in the `name` field. Consul applies the configurations to any proxies you bootstrap with the same name. -1. In the `proxy.destination_service_name` field, specify the name of the service that the proxy represents. -1. Configure any additional proxy behaviors that you want to implement in the `proxy` block. Refer to the [Service mesh proxy configuration reference](/consul/docs/connect/proxies/proxy-config-reference) for information about all parameters. +1. In the `proxy.destination_service_name` field, specify the name of the service that the proxy represents. +1. Configure any additional proxy behaviors that you want to implement in the `proxy` block. Refer to the [Service mesh proxy configuration reference](/consul/docs/reference/proxy/connect-proxy) for information about all parameters. 1. Specify a port number where other services registered with Consul can discover and connect to the proxies service in the `port` field. To ensure that services only allow external connections established through the service mesh protocol, you should configure all services to only accept connections on a loopback address. -Refer to the [Service mesh proxy configuration reference](/consul/docs/connect/proxies/proxy-config-reference) for example configurations. +Refer to the [Service mesh proxy configuration reference](/consul/docs/reference/proxy/connect-proxy) for example configurations. -## Register the service +## Register the service Provide the service definition to the Consul agent to register your proxy service. You can use the same methods for registering proxy services as you do for registering application services: - + - Place the service definition in a Consul agent's configuration directory and start, restart, or reload the agent. Use this method when implementing changes to an existing proxy service. - Use the `consul services register` command to register the proxy service with a running Consul agent. - Call the `/agent/service/register` HTTP API endpoint to register the proxy service with a running Consul agent. -Refer to [Register services and health checks](/consul/docs/services/usage/register-services-checks) for instructions. +Refer to [Register services and health checks](/consul/docs/register/service/vm) for instructions. In the following example, the `consul services register` command registers a proxy service stored in `proxy.hcl`: @@ -68,7 +68,7 @@ $ consul services register proxy.hcl ## Start the proxy -Envoy requires a bootstrap configuration file before it can start. Use the [`consul connect envoy` command](/consul/commands/connect/envoy) to create the Envoy bootstrap configuration and start the proxy service. Specify the ID of the proxy you want to start with the `-proxy-id` option. +Envoy requires a bootstrap configuration file before it can start. Use the [`consul connect envoy` command](/consul/commands/connect/envoy) to create the Envoy bootstrap configuration and start the proxy service. Specify the ID of the proxy you want to start with the `-proxy-id` option. The following example command starts an Envoy proxy for the `web-proxy` service: @@ -76,4 +76,4 @@ The following example command starts an Envoy proxy for the `web-proxy` service: $ consul connect envoy -proxy-id=web-proxy ``` -For details about operating an Envoy proxy in Consul, refer to the [Envoy proxy reference](/consul/docs/connect/proxies/envoy). +For details about operating an Envoy proxy in Consul, refer to the [Envoy proxy reference](/consul/docs/reference/proxy/envoy). diff --git a/website/content/docs/connect/proxies/deploy-sidecar-services.mdx b/website/content/docs/connect/proxy/sidecar.mdx similarity index 84% rename from website/content/docs/connect/proxies/deploy-sidecar-services.mdx rename to website/content/docs/connect/proxy/sidecar.mdx index c42a5b2c7f5..42119f16af0 100644 --- a/website/content/docs/connect/proxies/deploy-sidecar-services.mdx +++ b/website/content/docs/connect/proxy/sidecar.mdx @@ -7,46 +7,46 @@ description: >- # Deploy sidecar services -This topic describes how to create, register, and start sidecar proxy services in Consul. Refer to [Service mesh proxies overview](/consul/docs/connect/proxies) for additional information about how proxies enable Consul's functions and operations. For information about deploying service mesh proxies, refer to [Deploy service mesh proxies](/consul/docs/connect/proxies/deploy-service-mesh-proxies). +This topic describes how to create, register, and start sidecar proxy services in Consul. Refer to [Service mesh proxies overview](/consul/docs/connect/proxy) for additional information about how proxies enable Consul's functions and operations. For information about deploying service mesh proxies, refer to [Deploy service mesh proxies](/consul/docs/deploy/service-mesh/deploy-proxy). ## Overview -Sidecar proxies run on the same node as the single service instance that they handle traffic for. -They may be on the same VM or running as a separate container in the same network namespace. +Sidecar proxies run on the same node as the single service instance that they handle traffic for. +They may be on the same VM or running as a separate container in the same network namespace. You can attach a sidecar proxy to a service you want to deploy to your mesh: -1. It is not required, but you can create a proxy defaults configuration entry that contains global passthrough settings for all Envoy proxies. +1. It is not required, but you can create a proxy defaults configuration entry that contains global passthrough settings for all Envoy proxies. 1. Create the service definition and include the `connect` block. The `connect` block contains the sidecar proxy configurations that allow the service to interact with other services in the mesh. 1. Register the service using either the API or CLI. -1. Start the sidecar proxy service. +1. Start the sidecar proxy service. ## Requirements -If ACLs are enabled and you want to configure global Envoy settings in the [proxy defaults configuration entry](/consul/docs/connect/config-entries/proxy-defaults), you must present a token with `operator:write` permissions. Refer to [Create a service token](/consul/docs/security/acl/tokens/create/create-a-service-token) for additional information. +If ACLs are enabled and you want to configure global Envoy settings in the [proxy defaults configuration entry](/consul/docs/connect/config-entries/proxy-defaults), you must present a token with `operator:write` permissions. Refer to [Create a service token](/consul/docs/secure-consul/acl/token/service-token) for additional information. ## Configure global Envoy passthrough settings -If you want to define global passthrough settings for all Envoy proxies, create a proxy defaults configuration entry and specify default settings, such as access log configuration. [Service defaults configuration entries](/consul/docs/connect/config-entries/service-defaults) override proxy defaults and individual service configurations override both configuration entries. +If you want to define global passthrough settings for all Envoy proxies, create a proxy defaults configuration entry and specify default settings, such as access log configuration. [Service defaults configuration entries](/consul/docs/reference/config-entry/service-default) override proxy defaults and individual service configurations override both configuration entries. 1. Create a proxy defaults configuration entry and specify the following parameters: - `Kind`: Must be set to `proxy-defaults` - `Name`: Must be set to `global` -1. Configure any additional settings you want to apply to all proxies. Refer to [Proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) for details about all settings available in the configuration entry. +1. Configure any additional settings you want to apply to all proxies. Refer to [Proxy defaults configuration entry reference](/consul/docs/reference/config-entry/proxy-defaults) for details about all settings available in the configuraiton entry. 1. Apply the configuration by either calling the [`/config` API endpoint](/consul/api-docs/config) or running the [`consul config write` CLI command](/consul/commands/config/write). The following example writes a proxy defaults configuration entry from a local HCL file using the CLI: ```shell-session $ consul config write proxy-defaults.hcl ``` -## Define service mesh proxy +## Define service mesh proxy -Create a service definition and configure the following fields: +Create a service definition and configure the following fields: -1. `name`: Specify a name for the service you want to attach a sidecar proxy to in the `name` field. This field is required for all services you want to register in Consul. +1. `name`: Specify a name for the service you want to attach a sidecar proxy to in the `name` field. This field is required for all services you want to register in Consul. 1. `port`: Specify a port number where other services registered with Consul can discover and connect to the service in the `port` field. This field is required for all services you want to register in Consul. 1. `connect`: Set the `connect` field to `{ sidecar_service: {} }`. The `{ sidecar_service: {} }` value is a macro that applies a set of default configurations that enable you to quickly implement a sidecar. Refer to [Sidecar service defaults](#sidecar-service-defaults) for additional information. -1. Configure any additional options for your service. Refer to [Services configuration reference](/consul/docs/services/configuration/services-configuration-reference) for details. +1. Configure any additional options for your service. Refer to [Services configuration reference](/consul/docs/reference/service) for details. In the following example, a service named `web` is configured with a sidecar proxy: @@ -60,7 +60,7 @@ service = { port = 8080 connect = { sidecar_service = {} } } -``` +``` @@ -89,7 +89,7 @@ When Consul processes the service definition, it generates the following configu ```hcl -services = [ +services = [ { name = "web" port = 8080 @@ -114,7 +114,7 @@ services = [ } ] -``` +``` @@ -156,17 +156,17 @@ services = [ - + -## Register the service +## Register the service Provide the service definition to the Consul agent to register your proxy service. You can use the same methods for registering proxy services as you do for registering application services: - + - Place the service definition in a Consul agent's configuration directory and start, restart, or reload the agent. Use this method when implementing changes to an existing proxy service. - Use the `consul services register` command to register the proxy service with a running Consul agent. - Call the `/agent/service/register` HTTP API endpoint to register the proxy service with a running Consul agent. -Refer to [Register services and health checks](/consul/docs/services/usage/register-services-checks) for instructions. +Refer to [Register services and health checks](/consul/docs/register/service/vm) for instructions. In the following example, the `consul services register` command registers a proxy service stored in `proxy.hcl`: @@ -176,7 +176,7 @@ $ consul services register proxy.hcl ## Start the proxy -Envoy requires a bootstrap configuration file before it can start. Use the [`consul connect envoy` command](/consul/commands/connect/envoy) to create the Envoy bootstrap configuration and start the proxy service. Specify the name of the service with the attached proxy with the `-sidecar-for` option. +Envoy requires a bootstrap configuration file before it can start. Use the [`consul connect envoy` command](/consul/commands/connect/envoy) to create the Envoy bootstrap configuration and start the proxy service. Specify the name of the service with the attached proxy with the `-sidecar-for` option. The following example command starts an Envoy sidecar proxy for the `web` service: @@ -184,11 +184,11 @@ The following example command starts an Envoy sidecar proxy for the `web` servic $ consul connect envoy -sidecar-for=web ``` -For details about operating an Envoy proxy in Consul, refer to [](/consul/docs/connect/proxies/envoy) +For details about operating an Envoy proxy in Consul, refer to [](/consul/docs/reference/proxy/envoy) ## Configuration reference -The `sidecar_service` block is a service definition that can contain most regular service definition fields. Refer to [Limitations](#limitations) for information about unsupported service definition fields for sidecar proxies. +The `sidecar_service` block is a service definition that can contain most regular service definition fields. Refer to [Limitations](#limitations) for information about unsupported service definition fields for sidecar proxies. Consul treats sidecar proxy service definitions as a root-level service definition. All fields are optional in nested definitions, which default to opinionated settings that are intended to reduce burden of setting up a sidecar proxy. @@ -207,12 +207,12 @@ proxy. - `tags` - Defaults to the tags of the parent service. - `meta` - Defaults to the service metadata of the parent service. - `port` - Defaults to being auto-assigned from a configurable - range specified by [`sidecar_min_port`](/consul/docs/agent/config/config-files#sidecar_min_port) - and [`sidecar_max_port`](/consul/docs/agent/config/config-files#sidecar_max_port). + range specified by [`sidecar_min_port`](/consul/docs/reference/agent#sidecar_min_port) + and [`sidecar_max_port`](/consul/docs/reference/agent#sidecar_max_port). - `kind` - Defaults to `connect-proxy`. This value cannot be overridden. - `check`, `checks` - By default we add a TCP check on the local address and port for the proxy, and a [service alias - check](/consul/docs/services/usage/checks#alias-checks) for the parent service. If either + check](/consul/docs/register/service/vm/health-checks#alias-checks) for the parent service. If either `check` or `checks` fields are set, only the provided checks are registered. - `proxy.destination_service_name` - Defaults to the parent service name. - `proxy.destination_service_id` - Defaults to the parent service ID. @@ -222,9 +222,9 @@ proxy. ### Example with overwritten configurations In the following example, the `sidecar_service` macro sets baselines configurations for the proxy, but the [proxy -upstreams](/consul/docs/connect/proxies/proxy-config-reference#upstream-configuration-reference) +upstreams](/consul/docs/reference/proxy/connect-proxy#upstream-configuration-reference) and [built-in proxy -configuration](/consul/docs/connect/proxies/built-in) fields contain custom values: +configuration](/consul/docs/reference/proxy/built-in) fields contain custom values: ```json { @@ -281,4 +281,4 @@ service's ID, which enables the following behavior. - When reloading the configuration files, if a service definition changes its ID, then a new service instance and a new sidecar instance are registered. The old instance and proxy are removed because they are no longer found in - the configuration files. + the configuration files. \ No newline at end of file diff --git a/website/content/docs/connect/proxy/transparent-proxy/ecs.mdx b/website/content/docs/connect/proxy/transparent-proxy/ecs.mdx new file mode 100644 index 00000000000..2e796cd584e --- /dev/null +++ b/website/content/docs/connect/proxy/transparent-proxy/ecs.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Transparent proxy on ECS +description: >- + This topic provides +--- + +# Transparent proxy on ECS + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/k8s/connect/transparent-proxy/enable-transparent-proxy.mdx b/website/content/docs/connect/proxy/transparent-proxy/enable.mdx similarity index 79% rename from website/content/docs/k8s/connect/transparent-proxy/enable-transparent-proxy.mdx rename to website/content/docs/connect/proxy/transparent-proxy/enable.mdx index ce3df409eb9..08a9c310c1b 100644 --- a/website/content/docs/k8s/connect/transparent-proxy/enable-transparent-proxy.mdx +++ b/website/content/docs/connect/proxy/transparent-proxy/enable.mdx @@ -7,7 +7,7 @@ description: >- # Enable transparent proxy mode -This topic describes how to use transparent proxy mode in your service mesh. Transparent proxy allows applications to communicate through the service mesh without modifying their configurations. Transparent proxy also hardens application security by preventing direct inbound connections that bypass the mesh. Refer to [Transparent proxy overview](/consul/docs/k8s/connect/transparent-proxy) for additional information. +This topic describes how to use transparent proxy mode in your service mesh. Transparent proxy allows applications to communicate through the service mesh without modifying their configurations. Transparent proxy also hardens application security by preventing direct inbound connections that bypass the mesh. Refer to [Transparent proxy overview](/consul/docs/connect/proxy/transparent-proxy) for additional information. ## Requirements @@ -16,16 +16,16 @@ Your network must meet the following environment and software requirements to us * Transparent proxy is available for Kubernetes environments. * Consul 1.10.0+ * Consul Helm chart 0.32.0+. If you want to use the Consul CNI plugin to redirect traffic, Helm chart 0.48.0+ is required. Refer to [Enable the Consul CNI plugin](#enable-the-consul-cni-plugin) for additional information. -* You must create [service intentions](/consul/docs/connect/intentions) that explicitly allow communication between services. Consul uses service intentions to infer upstream connections and route messages appropriately between sidecar proxies. +* You must create [service intentions](/consul/docs/secure-mesh/intentions) that explicitly allow communication between intended services so that Consul can infer upstream connections and use sidecar proxies to route messages appropriately. * The `ip_tables` kernel module must be running on all worker nodes within a Kubernetes cluster. If you are using the `modprobe` Linux utility, for example, issue the following command: `$ modprobe ip_tables` -~> **Upgrading to a supported version**: Always follow the [proper upgrade path](/consul/docs/upgrading/upgrade-specific/#transparent-proxy-on-kubernetes) when upgrading to a supported version of Consul, Consul on Kubernetes (`consul-k8s`), and the Consul Helm chart. +~> **Upgrading to a supported version**: Always follow the [proper upgrade path](/consul/docs/upgrade/version-specific/#transparent-proxy-on-kubernetes) when upgrading to a supported version of Consul, Consul on Kubernetes (`consul-k8s`), and the Consul Helm chart. ## Enable transparent proxy -Transparent proxy mode is enabled for the entire cluster by default when you install Consul on Kubernetes using the Consul Helm chart. Refer to the [Consul Helm chart reference](/consul/docs/k8s/helm) for information about all default configurations. +Transparent proxy mode is enabled for the entire cluster by default when you install Consul on Kubernetes using the Consul Helm chart. Refer to the [Consul Helm chart reference](/consul/docs/reference/k8s/helm) for information about all default configurations. You can explicitly enable transparent proxy for the entire cluster, individual namespaces, and individual services. @@ -116,7 +116,7 @@ Both mechanisms redirect all inbound and outbound traffic, but you can configure ### Exclude inbound ports -The [`consul.hashicorp.com/transparent-proxy-exclude-inbound-ports`](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-transparent-proxy-exclude-inbound-ports) annotation defines a comma-separated list of inbound ports to exclude from traffic redirection when running in transparent proxy mode. The port numbers are string data values. In the following example, services in the pod at port `8200` and `8201` are not redirected through the transparent proxy: +The [`consul.hashicorp.com/transparent-proxy-exclude-inbound-ports`](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-transparent-proxy-exclude-inbound-ports) annotation defines a comma-separated list of inbound ports to exclude from traffic redirection when running in transparent proxy mode. The port numbers are string data values. In the following example, services in the pod at port `8200` and `8201` are not redirected through the transparent proxy: @@ -130,7 +130,7 @@ metadata: ### Exclude outbound ports -The [`consul.hashicorp.com/transparent-proxy-exclude-outbound-ports`](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-transparent-proxy-exclude-outbound-ports) annotation defines a comma-separated list of outbound ports to exclude from traffic redirection when running in transparent proxy mode. The port numbers are string data values. In the following example, services in the pod at port `8200` and `8201` are not redirected through the transparent proxy: +The [`consul.hashicorp.com/transparent-proxy-exclude-outbound-ports`](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-transparent-proxy-exclude-outbound-ports) annotation defines a comma-separated list of outbound ports to exclude from traffic redirection when running in transparent proxy mode. The port numbers are string data values. In the following example, services in the pod at port `8200` and `8201` are not redirected through the transparent proxy: @@ -144,7 +144,7 @@ metadata: ### Exclude outbound CIDR blocks -The [`consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs`](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-transparent-proxy-exclude-outbound-cidrs) annotation +The [`consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs`](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-transparent-proxy-exclude-outbound-cidrs) annotation defines a comma-separated list of outbound CIDR blocks to exclude from traffic redirection when running in transparent proxy mode. The CIDR blocks are string data values. In the following example, services in the `3.3.3.3/24` IP range are not redirected through the transparent proxy: @@ -159,7 +159,7 @@ metadata: ### Exclude user IDs -The [`consul.hashicorp.com/transparent-proxy-exclude-uids`](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-transparent-proxy-exclude-uids) annotation +The [`consul.hashicorp.com/transparent-proxy-exclude-uids`](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-transparent-proxy-exclude-uids) annotation defines a comma-separated list of additional user IDs to exclude from traffic redirection when running in transparent proxy mode. The user IDs are string data values. In the following example, services with the IDs `4444 ` and `44444 ` are not redirected through the transparent proxy: @@ -190,25 +190,25 @@ Refer to [Kubernetes Health Checks in Consul on Kubernetes](/consul/docs/k8s/con ## Dial services across Kubernetes cluster -If your [Consul servers are federated between Kubernetes clusters](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes), +If your [Consul servers are federated between Kubernetes clusters](/consul/docs/east-west/wan-federation/k8s), then you must configure services in one Kubernetes cluster to explicitly dial a service in the datacenter of another Kubernetes cluster using the -[consul.hashicorp.com/connect-service-upstreams](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) annotation. +[consul.hashicorp.com/connect-service-upstreams](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-connect-service-upstreams) annotation. The following example configures the service to dial an upstream service called `my-service` in datacenter `dc2` on port `1234`: ```yaml consul.hashicorp.com/connect-service-upstreams: "my-service:1234:dc2" ``` -If your Consul cluster is deployed to a [single datacenter spanning multiple Kubernetes clusters](/consul/docs/k8s/deployment-configurations/single-dc-multi-k8s), +If your Consul cluster is deployed to a [single datacenter spanning multiple Kubernetes clusters](/consul/docs/deploy/server/k8s/multi/multiple-clusters), then you must configure services in one Kubernetes cluster to explicitly dial a service in another Kubernetes cluster using the -[consul.hashicorp.com/connect-service-upstreams](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) annotation. +[consul.hashicorp.com/connect-service-upstreams](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-connect-service-upstreams) annotation. The following example configures the service to dial an upstream service called `my-service` in another Kubernetes cluster on port `1234`: ```yaml consul.hashicorp.com/connect-service-upstreams: "my-service:1234" ``` -You do not need to configure services to explicitly dial upstream services if your Consul clusters are connected with a [peering connection](/consul/docs/connect/cluster-peering). +You do not need to configure services to explicitly dial upstream services if your Consul clusters are connected with a [peering connection](/consul/docs/east-west/cluster-peering). ## Configure service selectors @@ -218,7 +218,7 @@ The Kubernetes Service name must match the Consul service name to use KubeDNS. T Kubernetes annotation to the service pods. The annotation overrides the Consul service name. Consul configures redirection for each Pod bound to the Kubernetes Service using `iptables` rules. The rules redirect all inbound and outbound traffic through an inbound and outbound listener on the sidecar proxy. Consul configures the proxy to route traffic to the appropriate upstream services based on [service -intentions](/consul/docs/connect/config-entries/service-intentions), which address the upstream services using KubeDNS. +intentions](/consul/docs/reference/config-entry/service-intention), which address the upstream services using KubeDNS. In the following example, the Kubernetes service selects `sample-app` application Pods so that they can be reached within the mesh. @@ -240,12 +240,12 @@ spec: -Additional services can query the [KubeDNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) at `sample-app.default.svc.cluster.local` to reach `sample-app`. If ACLs are enabled and configured with default `deny` policies, the configuration also requires a [`ServiceIntention`](/consul/docs/connect/config-entries/service-intentions) to allow it to talk to `sample-app`. +Additional services can query the [KubeDNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) at `sample-app.default.svc.cluster.local` to reach `sample-app`. If ACLs are enabled and configured with default `deny` policies, the configuration also requires a [`ServiceIntention`](/consul/docs/reference/config-entry/service-intention) to allow it to talk to `sample-app`. -You can query the KubeDNS for a service that belongs to a sameness group at `sample-app.virtual.group-name.sg.consul`. This syntax is required when failover is desired. To use KubeDNS with sameness groups, `spec.defaultForFailover` must be set to `true` in the sameness group CRD. Refer to [sameness group configuration entry reference](/consul/docs/connect/config-entries/sameness-group) for more information. +You can query the KubeDNS for a service that belongs to a sameness group at `sample-app.virtual.group-name.sg.consul`. This syntax is required when failover is desired and `spec.defaultForFailover` is set to `false` in the sameness group CRD. Refer to [sameness group configuration entry reference](/consul/docs/reference/config-entry/sameness-group) for more information. ### Headless services -For services that are not addressed using a virtual cluster IP, you must configure the upstream service using the [DialedDirectly](/consul/docs/connect/config-entries/service-defaults#dialeddirectly) option. Then, use DNS to discover individual instance addresses and dial them through the transparent proxy. When this mode is enabled on the upstream, services present service mesh certificates for mTLS and intentions are enforced at the destination. +For services that are not addressed using a virtual cluster IP, you must configure the upstream service using the [DialedDirectly](/consul/docs/reference/config-entry/service-default#dialeddirectly) option. Then, use DNS to discover individual instance addresses and dial them through the transparent proxy. When this mode is enabled on the upstream, services present service mesh certificates for mTLS and intentions are enforced at the destination. Note that when dialing individual instances, Consul ignores the HTTP routing rules configured with configuration entries. The transparent proxy acts as a TCP proxy to the original destination IP address. @@ -253,4 +253,4 @@ Note that when dialing individual instances, Consul ignores the HTTP routing rul - Deployment configurations with federation across or a single datacenter spanning multiple clusters must explicitly dial a service in another datacenter or cluster using annotations. -- When dialing headless services, the request is proxied using a plain TCP proxy. Consul does not take into consideration the upstream's protocol. +- When dialing headless services, the request is proxied using a plain TCP proxy. Consul does not take into consideration the upstream's protocol. \ No newline at end of file diff --git a/website/content/docs/k8s/connect/transparent-proxy/index.mdx b/website/content/docs/connect/proxy/transparent-proxy/index.mdx similarity index 97% rename from website/content/docs/k8s/connect/transparent-proxy/index.mdx rename to website/content/docs/connect/proxy/transparent-proxy/index.mdx index 78db657133f..12c92b8dd57 100644 --- a/website/content/docs/k8s/connect/transparent-proxy/index.mdx +++ b/website/content/docs/connect/proxy/transparent-proxy/index.mdx @@ -44,4 +44,4 @@ Consul supports the following intra-datacenter connection types for discovering Transparent proxy mode is enabled by default when you install Consul on Kubernetes using the Consul Helm chart. As a result, all services in the mesh must communicate through sidecar proxies, which enforce service intentions and mTLS encryption for the service mesh. While onboarding new services to service mesh, your network may have mixed mTLS and non-mTLS traffic, which can result in broken service-to-service communication. -You can temporarily enable permissive mTLS mode during the onboarding process so that existing mesh services can accept traffic from services that are not yet fully onboarded. Permissive mTLS enables sidecar proxies to access both mTLS and non-mTLS traffic. Refer to [Onboard mesh services in transparent proxy mode](/consul/docs/k8s/connect/onboarding-tproxy-mode) for additional information. +You can temporarily enable permissive mTLS mode during the onboarding process so that existing mesh services can accept traffic from services that are not yet fully onboarded. Permissive mTLS enables sidecar proxies to access both mTLS and non-mTLS traffic. Refer to [Onboard mesh services in transparent proxy mode](/consul/docs/register/external/permissive-mtls) for additional information. diff --git a/website/content/docs/connect/proxy/transparent-proxy/k8s.mdx b/website/content/docs/connect/proxy/transparent-proxy/k8s.mdx new file mode 100644 index 00000000000..08a9c310c1b --- /dev/null +++ b/website/content/docs/connect/proxy/transparent-proxy/k8s.mdx @@ -0,0 +1,256 @@ +--- +layout: docs +page_title: Enable transparent proxy mode +description: >- + Learn how to enable transparent proxy mode, which enables Consul on Kubernetes to direct inbound and outbound traffic through the service mesh and increase application security without configuring individual upstream services. +--- + +# Enable transparent proxy mode + +This topic describes how to use transparent proxy mode in your service mesh. Transparent proxy allows applications to communicate through the service mesh without modifying their configurations. Transparent proxy also hardens application security by preventing direct inbound connections that bypass the mesh. Refer to [Transparent proxy overview](/consul/docs/connect/proxy/transparent-proxy) for additional information. + +## Requirements + +Your network must meet the following environment and software requirements to use transparent proxy. + +* Transparent proxy is available for Kubernetes environments. +* Consul 1.10.0+ +* Consul Helm chart 0.32.0+. If you want to use the Consul CNI plugin to redirect traffic, Helm chart 0.48.0+ is required. Refer to [Enable the Consul CNI plugin](#enable-the-consul-cni-plugin) for additional information. +* You must create [service intentions](/consul/docs/secure-mesh/intentions) that explicitly allow communication between intended services so that Consul can infer upstream connections and use sidecar proxies to route messages appropriately. +* The `ip_tables` kernel module must be running on all worker nodes within a Kubernetes cluster. If you are using the `modprobe` Linux utility, for example, issue the following command: + + `$ modprobe ip_tables` + +~> **Upgrading to a supported version**: Always follow the [proper upgrade path](/consul/docs/upgrade/version-specific/#transparent-proxy-on-kubernetes) when upgrading to a supported version of Consul, Consul on Kubernetes (`consul-k8s`), and the Consul Helm chart. + +## Enable transparent proxy + +Transparent proxy mode is enabled for the entire cluster by default when you install Consul on Kubernetes using the Consul Helm chart. Refer to the [Consul Helm chart reference](/consul/docs/reference/k8s/helm) for information about all default configurations. + +You can explicitly enable transparent proxy for the entire cluster, individual namespaces, and individual services. + +### Entire cluster + +Use the `connectInject.transparentProxy.defaultEnabled` Helm value to enable or disable transparent proxy for the entire cluster: + +```yaml +connectInject: + transparentProxy: + defaultEnabled: true +``` + +### Kubernetes namespace + +Apply the `consul.hashicorp.com/transparent-proxy=true` label to enable transparent proxy for a Kubernetes namespace. The label overrides the `connectInject.transparentProxy.defaultEnabled` Helm value and defines the default behavior of Pods in the namespace. The following example enables transparent proxy for Pods in the `my-app` namespace: + +```shell-session +$ kubectl label namespaces my-app "consul.hashicorp.com/transparent-proxy=true" +``` +### Individual service + +Apply the `consul.hashicorp.com/transparent-proxy=true` annotation to enable transparent proxy on the Pod for each service. The annotation overrides the Helm value and the namespace label. The following example enables transparent proxy for the `static-server` service: + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: static-server +spec: + selector: + app: static-server + ports: + - protocol: TCP + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: static-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: static-server +spec: + replicas: 1 + selector: + matchLabels: + app: static-server + template: + metadata: + name: static-server + labels: + app: static-server + annotations: + 'consul.hashicorp.com/connect-inject': 'true' + 'consul.hashicorp.com/transparent-proxy': 'true' + spec: + containers: + - name: static-server + image: hashicorp/http-echo:latest + args: + - -text="hello world" + - -listen=:8080 + ports: + - containerPort: 8080 + name: http + serviceAccountName: static-server +``` + +## Enable the Consul CNI plugin + +By default, Consul generates a `connect-inject init` container as part of the Kubernetes Pod startup process. The container configures traffic redirection in the service mesh through the sidecar proxy. To configure redirection, the container requires elevated CAP_NET_ADMIN privileges, which may not be compatible with security policies in your organization. + +Instead, you can enable the Consul container network interface (CNI) plugin to perform traffic redirection. Because the plugin is executed by the Kubernetes kubelet, it already has the elevated privileges necessary to configure the network. Additionally, you do not need to specify annotations that automatically overwrite Kubernetes HTTP health probes when the plugin is enabled (see [Overwrite Kubernetes HTTP health probes](#overwrite-kubernetes-http-health-probes)). + +The Consul Helm chart installs the CNI plugin, but it is disabled by default. Refer to the [instructions for enabling the CNI plugin](/consul/docs/k8s/installation/install#enable-the-consul-cni-plugin) in the Consul on Kubernetes installation documentation for additional information. + +## Traffic redirection + +There are two mechanisms for redirecting traffic through the sidecar proxies. By default, Consul injects an init container that redirects all inbound and outbound traffic. The default mechanism requires elevated permissions (CAP_NET_ADMIN) in order to redirect traffic to the service mesh. + +Alternatively, you can enable the Consul CNI plugin to handle traffic redirection. Because the Kubernetes kubelet runs CNI plugins, the Consul CNI plugin has the necessary privileges to apply routing tables in the network. + +Both mechanisms redirect all inbound and outbound traffic, but you can configure exceptions for specific Pods or groups of Pods. The following annotations enable you to exclude certain traffic from being redirected to sidecar proxies. + +### Exclude inbound ports + +The [`consul.hashicorp.com/transparent-proxy-exclude-inbound-ports`](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-transparent-proxy-exclude-inbound-ports) annotation defines a comma-separated list of inbound ports to exclude from traffic redirection when running in transparent proxy mode. The port numbers are string data values. In the following example, services in the pod at port `8200` and `8201` are not redirected through the transparent proxy: + + + +```yaml +metadata: + annotations: + consul.hashicorp.com/transparent-proxy-exclude-inbound-ports: "8200, 8201" +``` + + + +### Exclude outbound ports + +The [`consul.hashicorp.com/transparent-proxy-exclude-outbound-ports`](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-transparent-proxy-exclude-outbound-ports) annotation defines a comma-separated list of outbound ports to exclude from traffic redirection when running in transparent proxy mode. The port numbers are string data values. In the following example, services in the pod at port `8200` and `8201` are not redirected through the transparent proxy: + + + +```yaml +metadata: + annotations": + consul.hashicorp.com/transparent-proxy-exclude-outbound-ports: "8200, 8201" +``` + + + +### Exclude outbound CIDR blocks + +The [`consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs`](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-transparent-proxy-exclude-outbound-cidrs) annotation +defines a comma-separated list of outbound CIDR blocks to exclude from traffic redirection when running in transparent proxy mode. The CIDR blocks are string data values. +In the following example, services in the `3.3.3.3/24` IP range are not redirected through the transparent proxy: + + + +```yaml +metadata: + annotations: + consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs: "3.3.3.3,3.3.3.3/24" +``` + + +### Exclude user IDs + +The [`consul.hashicorp.com/transparent-proxy-exclude-uids`](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-transparent-proxy-exclude-uids) annotation +defines a comma-separated list of additional user IDs to exclude from traffic redirection when running in transparent proxy mode. The user IDs are string data values. +In the following example, services with the IDs `4444 ` and `44444 ` are not redirected through the transparent proxy: + + + +```yaml +metadata: + annotations: + consul.hashicorp.com/transparent-proxy-exclude-uids: "4444,44444" + } +} +``` + + + +## Kubernetes HTTP health probes configuration + +By default, `connect-inject` is disabled. As a result, Consul on Kubernetes uses a mechanism for traffic redirection that interferes with [Kubernetes HTTP health +probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/). This is because probes expect the kubelet to reach the application container on the probe's endpoint. Instead, traffic is redirected through the sidecar proxy. As a result, health probes return errors because the kubelet does not encrypt that traffic using a mesh proxy. + +There are two methods for solving this issue. The first method is to set the `connectInject.transparentProxy.defaultOverwriteProbes` annotation to overwrite the Kubernetes HTTP health probes so that they point to the proxy. The second method is to [enable the Consul container network interface (CNI) plugin](#enable-the-consul-cni-plugin) to perform traffic redirection. Refer to the [Consul on Kubernetes installation instructions](/consul/docs/k8s/installation/install) for additional information. + +### Overwrite Kubernetes HTTP health probes + +You can either include the `connectInject.transparentProxy.defaultOverwriteProbes` Helm value to your command or add the `consul.hashicorp.com/transparent-proxy-overwrite-probes` Kubernetes annotation to your pod configuration to overwrite health probes. + +Refer to [Kubernetes Health Checks in Consul on Kubernetes](/consul/docs/k8s/connect/health) for additional information. + +## Dial services across Kubernetes cluster + +If your [Consul servers are federated between Kubernetes clusters](/consul/docs/east-west/wan-federation/k8s), +then you must configure services in one Kubernetes cluster to explicitly dial a service in the datacenter of another Kubernetes cluster using the +[consul.hashicorp.com/connect-service-upstreams](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-connect-service-upstreams) annotation. +The following example configures the service to dial an upstream service called `my-service` in datacenter `dc2` on port `1234`: + +```yaml +consul.hashicorp.com/connect-service-upstreams: "my-service:1234:dc2" +``` + +If your Consul cluster is deployed to a [single datacenter spanning multiple Kubernetes clusters](/consul/docs/deploy/server/k8s/multi/multiple-clusters), +then you must configure services in one Kubernetes cluster to explicitly dial a service in another Kubernetes cluster using the +[consul.hashicorp.com/connect-service-upstreams](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-connect-service-upstreams) annotation. +The following example configures the service to dial an upstream service called `my-service` in another Kubernetes cluster on port `1234`: + +```yaml +consul.hashicorp.com/connect-service-upstreams: "my-service:1234" +``` + +You do not need to configure services to explicitly dial upstream services if your Consul clusters are connected with a [peering connection](/consul/docs/east-west/cluster-peering). + +## Configure service selectors + +When transparent proxy is enabled, traffic sent to [KubeDNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) +or Pod IP addresses is redirected through the proxy. You must use a selector to bind Kubernetes Services to Pods as you define Kubernetes Services in the mesh. +The Kubernetes Service name must match the Consul service name to use KubeDNS. This is the default behavior unless you have applied the `consul.hashicorp.com/connect-service` +Kubernetes annotation to the service pods. The annotation overrides the Consul service name. + +Consul configures redirection for each Pod bound to the Kubernetes Service using `iptables` rules. The rules redirect all inbound and outbound traffic through an inbound and outbound listener on the sidecar proxy. Consul configures the proxy to route traffic to the appropriate upstream services based on [service +intentions](/consul/docs/reference/config-entry/service-intention), which address the upstream services using KubeDNS. + +In the following example, the Kubernetes service selects `sample-app` application Pods so that they can be reached within the mesh. + + + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: sample-app + namespace: default +spec: + selector: + app: sample-app + ports: + - protocol: TCP + port: 80 +``` + + + +Additional services can query the [KubeDNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) at `sample-app.default.svc.cluster.local` to reach `sample-app`. If ACLs are enabled and configured with default `deny` policies, the configuration also requires a [`ServiceIntention`](/consul/docs/reference/config-entry/service-intention) to allow it to talk to `sample-app`. + +You can query the KubeDNS for a service that belongs to a sameness group at `sample-app.virtual.group-name.sg.consul`. This syntax is required when failover is desired and `spec.defaultForFailover` is set to `false` in the sameness group CRD. Refer to [sameness group configuration entry reference](/consul/docs/reference/config-entry/sameness-group) for more information. + +### Headless services +For services that are not addressed using a virtual cluster IP, you must configure the upstream service using the [DialedDirectly](/consul/docs/reference/config-entry/service-default#dialeddirectly) option. Then, use DNS to discover individual instance addresses and dial them through the transparent proxy. When this mode is enabled on the upstream, services present service mesh certificates for mTLS and intentions are enforced at the destination. + +Note that when dialing individual instances, Consul ignores the HTTP routing rules configured with configuration entries. The transparent proxy acts as a TCP proxy to the original destination IP address. + +## Known limitations + +- Deployment configurations with federation across or a single datacenter spanning multiple clusters must explicitly dial a service in another datacenter or cluster using annotations. + +- When dialing headless services, the request is proxied using a plain TCP proxy. Consul does not take into consideration the upstream's protocol. \ No newline at end of file diff --git a/website/content/docs/connect/security.mdx b/website/content/docs/connect/security.mdx deleted file mode 100644 index cefcaa3be21..00000000000 --- a/website/content/docs/connect/security.mdx +++ /dev/null @@ -1,158 +0,0 @@ ---- -layout: docs -page_title: Service Mesh Security - Best Practices -description: >- - Consul provides secure service mesh communication by default. Additional configuration can improve network security by preventing unauthorized access and traffic sniffing. Review security considerations, our recommendations, and best practices. ---- - -# Best Practices for Service Mesh Security - -Consul service mesh enables secure service-to-service communication over mutual TLS. This -provides both in-transit data encryption as well as authorization. This page -will document how to secure the service mesh. To try service mesh locally, complete the -[Getting Started guide](/consul/tutorials/kubernetes-deploy/service-mesh?utm_source=docs) or for a full security model reference, -see the dedicated [Consul security model](/consul/docs/security) page. When -setting up service mesh in production, review this [tutorial](/consul/tutorials/developer-mesh/service-mesh-production-checklist?utm_source=consul.io&utm_medium=docs). - -Consul service mesh will function in any Consul configuration. However, unless the checklist -below is satisfied, the service mesh is not providing the security guarantees it was -built for. The checklist below can be incrementally adopted towards full -security if you prefer to operate in less secure models initially. - -~> **Warning**: The checklist below should not be considered exhaustive. Please -read and understand the [Consul security model](/consul/docs/security) -in depth to assess whether your deployment satisfies the security requirements -of Consul. - -## Checklist - -### Default Intention Policy Set - -Consul should be configured with a default deny intention policy. This forces -all service-to-service communication to be explicitly -allowed via an allow [intention](/consul/docs/connect/intentions). - -One advantage of using a default deny policy in combination with specific "allow" rules -is that a failure of intentions due to misconfiguration always results in -_denied_ traffic, rather than unwanted _allowed_ traffic. - -In the absence of `default_intention_policy` Consul will fall back to the ACL -default policy when determining whether to allow or deny communications without -an explicit intention. - -### Request Normalization Configured for L7 Intentions - -~> **Compatibility warning**: This feature is available as of Consul CE 1.20.1 and Consul Enterprise 1.20.1, 1.19.2, 1.18.3, and 1.15.15. We recommend upgrading to the latest version of Consul to take advantage of the latest features and improvements. - -Atypical traffic patterns may interfere with the enforcement of L7 intentions. For -example, if a service makes request to a non-normalized URI path and Consul is not -configured to force path normalization, it becomes possible to circumvent path match rules. While a -default deny policy can limit the impact of this issue, we still recommend -that you review your current request normalization configuration. Normalization is critical to avoid unwanted -traffic, especially when using unrecommended security options such as a default allow intentions policy. - -Consul adopts a default normalization mode that adheres to [RFC 3986]( -https://tools.ietf.org/html/rfc3986#section-6), but additional options to enable stricter -normalization are available in the cluster-wide [Mesh configuration entry]( -/consul/docs/connect/config-entries/mesh). We recommend reviewing these options and -enabling the strictest set that does not interfere with application traffic. - -We also recommend that you review L7 intention header match rules for potential -issues with multiple header values. Refer to the [service intentions -configuration entry reference](/consul/docs/connect/config-entries/service-intentions#spec-sources-permissions-http-header) -for more information. - -You do not need to enable request normalization if you are not using L7 intentions. -However, normalization may also benefit the use of other service mesh features that -rely on L7 attribute matching, such as [service routers](/consul/docs/connect/manage-traffic#routing). - -### ACLs Enabled with Default Deny - -Consul must be configured to use ACLs with a default deny policy. This forces -all requests to have explicit anonymous access or provide an ACL token. - -To learn how to enable ACLs, please see the -[tutorial on ACLs](/consul/tutorials/security/access-control-setup-production). - -**If ACLs are enabled but are in default allow mode**, then services will be -able to communicate by default. Additionally, if a proper anonymous token -is not configured, this may allow anyone to edit intentions. We do not recommend -this. **If ACLs are not enabled**, deny intentions will still be enforced, but anyone -may edit intentions. This renders the security of the created intentions -effectively useless. - -The advantage of a default deny policy in combination with specific "allow" rules -is that at worst, a failure of intentions due to misconfiguration will result in -_denied_ traffic, rather than unwanted _allowed_ traffic. - -### TCP and UDP Encryption Enabled - -TCP and UDP encryption must be enabled to prevent plaintext communication -between Consul agents. At a minimum, `verify_outgoing` should be enabled -to verify server authenticity with each server having a unique TLS certificate. -`verify_incoming` provides additional agent verification, but doesn't directly -affect service mesh since requests must also always contain a valid ACL token. -Clients calling Consul APIs should be forced over encrypted connections. - -See the [Consul agent encryption page](/consul/docs/security/encryption) to -learn more about configuring agent encryption. - -**If encryption is not enabled**, a malicious actor can sniff network -traffic or perform a man-in-the-middle attack to steal ACL tokens, always -authorize connections, etc. - -### Prevent Unauthorized Access to the Config and Data Directories - -The configuration and data directories of the Consul agent on both -clients and servers should be protected from unauthorized access. This -protection must be done outside of Consul via access control systems provided -by your target operating system. - -The [full Consul security model](/consul/docs/security) explains the -risk of unauthorized access for both client agents and server agents. In -general, the blast radius of unauthorized access for client agent directories -is much smaller than servers. However, both must be protected against -unauthorized access. - -### Prevent Non-Mesh Traffic to Services - -For services that are using -[proxies](/consul/docs/connect/proxies) -(are not [natively integrated](/consul/docs/connect/native)), -network access via their unencrypted listeners must be restricted -to only the proxy. This requires at a minimum restricting the listener -to bind to loopback only. More complex solutions may involve using -network namespacing techniques provided by the underlying operating system. - -For scenarios where multiple services are running on the same machine -without isolation, these services must all be trusted. We call this the -**trusted multi-tenancy** deployment model. Any service could theoretically -connect to any other service via the loopback listener, bypassing the service mesh -completely. In this scenario, all services must be trusted _or_ isolation -mechanisms must be used. - -For developer or operator access to a service, we recommend -using a local service mesh proxy. This is documented in the -[development and debugging guide](/consul/docs/connect/dev). - -**If non-proxy traffic can communicate with the service**, this traffic -will not be encrypted or authorized via service mesh. - -### Restrict Access to Envoy's Administration Interface - -Envoy exposes an **unauthenticated** -[administration interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin) -that can be used to query and modify the proxy. This interface -allows potentially sensitive information to be retrieved, such as: - -* Envoy configuration -* TLS certificates -* List of upstream services and endpoints - -We **strongly advise** only exposing the administration interface on a loopback -address (default configuration) and restricting access to a subset of users. - -**If the administration interface is exposed externally**, for -example by specifying a routable [`-admin-bind`](/consul/commands/connect/envoy#admin-bind) -address, it may be possible for a malicious actor to gain access to Envoy's -configuration, or impact the service's availability within the cluster. diff --git a/website/content/docs/connect/troubleshoot/develop-debug.mdx b/website/content/docs/connect/troubleshoot/develop-debug.mdx new file mode 100644 index 00000000000..8c3e35aba16 --- /dev/null +++ b/website/content/docs/connect/troubleshoot/develop-debug.mdx @@ -0,0 +1,45 @@ +--- +layout: docs +page_title: Debug Consul service mesh +description: >- + Use the `consul connect proxy` command to connect to services or masquerade as other services for development and debugging purposes. Example code demonstrates connecting to services that are part of the service mesh as listeners only. +--- + +# Debug Consul service mesh + +It is often necessary to connect to a service for development or debugging. If a service only exposes a service mesh listener, then we need a way to establish a mutual TLS connection to the service. The [`consul connect proxy` command](/consul/commands/connect/proxy) can be used for this task on any machine with access to a Consul agent (local or remote). + +Restricting access to services only via service mesh ensures that the only way to connect to a service is through valid authorization of the [intentions](/consul/docs/secure-mesh/intentions). This can extend to developers and operators too. + +## Connecting to mesh-only services + +As an example, let's assume that we have a PostgreSQL database running that we want to connect to via `psql`, but the only non-loopback listener is via Connect. Let's also assume that we have an ACL token to identify as `operator-mitchellh`. We can start a local proxy: + +```shell-session +$ consul connect proxy \ + -service operator-mitchellh \ + -upstream postgresql:8181 +``` + +This works because the source `-service` does not need to be registered in the local Consul catalog. However, to retrieve a valid identifying certificate, the ACL token must have `service:write` permissions. This can be used as a sort of "debug service" to represent people, too. In the example above, the proxy is identifying as `operator-mitchellh`. + +With the proxy running, we can now use `psql` like normal: + +```shell-session +$ psql --host=127.0.0.1 --port=8181 --username=mitchellh mydb +> +``` + +This `psql` session is now happening through our local proxy via an authorized mutual TLS connection to the PostgreSQL service in our Consul catalog. + +### Masquerading as a service + +You can also easily masquerade as any source service by setting the `-service` value to any service. Note that the proper ACL permissions are required to perform this task. + +For example, if you have an ACL token that allows `service:write` for `web` and you want to connect to the `postgresql` service as "web", you can start a proxy like so: + +```shell-session +$ consul connect proxy \ + -service web \ + -upstream postgresql:8181 +``` diff --git a/website/content/docs/connect/troubleshoot/index.mdx b/website/content/docs/connect/troubleshoot/index.mdx new file mode 100644 index 00000000000..086cf12b92f --- /dev/null +++ b/website/content/docs/connect/troubleshoot/index.mdx @@ -0,0 +1,42 @@ +--- +layout: docs +page_title: Service mesh troubleshoot overview +description: >- + Consul includes a built-in tool for troubleshooting communication between services in a service mesh. +--- + +# Service mesh troubleshoot overview + +This topic provides an overview of Consul’s built-in service-to-service troubleshooting capabilities. When communication between an upstream service and a downstream service in a service mesh fails, you can run the `consul troubleshoot` command to initiate a series of automated validation tests. + +For more information, refer to the [`consul troubleshoot` CLI documentation](/consul/commands/troubleshoot) or the [`consul-k8s troubleshoot` CLI reference](/consul/docs/k8s/k8s-cli#troubleshoot). + +## Introduction + +When communication between upstream and downstream services in a service mesh fails, you can diagnose the cause manually with one or more of Consul’s built-in features, including [health check queries](/consul/docs/services/usage/checks), [the UI topology view](/consul/docs/observe/mesh/vm), and [agent telemetry metrics](/consul/docs/agent/telemetry#metrics-reference). + +The `consul troubleshoot` command performs several checks in sequence that enable you to discover issues that impede service-to-service communication. The process systematically queries the [Envoy administration interface API](https://www.envoyproxy.io/docs/envoy/latest/operations/admin) and the Consul API to determine the cause of the communication failure. + +The troubleshooting command validates service-to-service communication by checking for the following common issues: + +- Upstream service does not exist +- One or both hosts are unhealthy +- A filter affects the upstream service +- The CA has expired mTLS certificates +- The services have expired mTLS certificates + +Consul outputs the results of these validation checks to the terminal along with suggested actions to resolve the service communication failure. When it detects rejected configurations or connection failures, Consul also outputs Envoy metrics for services. + +### Envoy proxies in a service mesh + +Consul validates communication in a service mesh by checking the Envoy proxies that are deployed as sidecars for the upstream and downstream services. As a result, troubleshooting requires that [Consul’s service mesh features are enabled](/consul/docs/connect/configuration). + +For more information about using Envoy proxies with Consul, refer to [Envoy proxy configuration for service mesh](/consul/docs/connect/proxies/envoy). + +### Technical constraints + +When troubleshooting service-to-service communication issues, be aware of the following constraints: + +- The troubleshooting tool does not check service intentions. For more information about intentions, including precedence and match order, refer to [service mesh intentions](/consul/docs/secure-mesh/intentions). +- The troubleshooting tool validates one direct connection between a downstream service and an upstream service. You must run the `consul troubleshoot` command with the Envoy ID for an individual upstream service. It does support validating multiple connections simultaneously. +- The troubleshooting tool only validates Envoy configurations for sidecar proxies. As a result, the troubleshooting tool does not validate Envoy configurations on upstream proxies such as mesh gateways and terminating gateways. \ No newline at end of file diff --git a/website/content/docs/troubleshoot/troubleshoot-services.mdx b/website/content/docs/connect/troubleshoot/service-to-service.mdx similarity index 92% rename from website/content/docs/troubleshoot/troubleshoot-services.mdx rename to website/content/docs/connect/troubleshoot/service-to-service.mdx index 92a66881475..88ca18a8798 100644 --- a/website/content/docs/troubleshoot/troubleshoot-services.mdx +++ b/website/content/docs/connect/troubleshoot/service-to-service.mdx @@ -5,15 +5,15 @@ description: >- Consul includes a built-in tool for troubleshooting communication between services in a service mesh. Learn how to use the `consul troubleshoot` command to validate communication between upstream and downstream Envoy proxies on VM and Kubernetes deployments. --- -# Service-to-service troubleshooting overview +# Troubleshoot service-to-service communication -This topic provides an overview of Consul’s built-in service-to-service troubleshooting capabilities. When communication between an upstream service and a downstream service in a service mesh fails, you can run the `consul troubleshoot` command to initiate a series of automated validation tests. +This page describes the process for troubleshooting service-to-service communication in a service mesh using the `consul troubleshoot` CLI command. -For more information, refer to the [`consul troubleshoot` CLI documentation](/consul/commands/troubleshoot) or the [`consul-k8s troubleshoot` CLI reference](/consul/docs/k8s/k8s-cli#troubleshoot). +For more information, refer to the [`consul troubleshoot` CLI documentation](/consul/commands/troubleshoot) or the [`consul-k8s troubleshoot` CLI reference](/consul/docs/reference-cli/consul-k8s#troubleshoot). ## Introduction -When communication between upstream and downstream services in a service mesh fails, you can diagnose the cause manually with one or more of Consul’s built-in features, including [health check queries](/consul/docs/services/usage/checks), [the UI topology view](/consul/docs/connect/observability/ui-visualization), and [agent telemetry metrics](/consul/docs/agent/telemetry#metrics-reference). +When communication between upstream and downstream services in a service mesh fails, you can diagnose the cause manually with one or more of Consul’s built-in features, including [health check queries](/consul/docs/register/service/vm/health-checks), [the UI topology view](/consul/docs/observe/mesh/vm), and [agent telemetry metrics](/consul/docs/agent/telemetry#metrics-reference). The `consul troubleshoot` command performs several checks in sequence that enable you to discover issues that impede service-to-service communication. The process systematically queries the [Envoy administration interface API](https://www.envoyproxy.io/docs/envoy/latest/operations/admin) and the Consul API to determine the cause of the communication failure. @@ -29,9 +29,9 @@ Consul outputs the results of these validation checks to the terminal along with ### Envoy proxies in a service mesh -Consul validates communication in a service mesh by checking the Envoy proxies that are deployed as sidecars for the upstream and downstream services. As a result, troubleshooting requires that [Consul’s service mesh features are enabled](/consul/docs/connect/configuration). +Consul validates communication in a service mesh by checking the Envoy proxies that are deployed as sidecars for the upstream and downstream services. As a result, troubleshooting requires that [Consul’s service mesh features are enabled](/consul/docs/connect/configuration-entries). -For more information about using Envoy proxies with Consul, refer to [Envoy proxy configuration for service mesh](/consul/docs/connect/proxies/envoy). +For more information about using Envoy proxies with Consul, refer to [Envoy proxy configuration for service mesh](/consul/docs/reference/proxy/envoy). ## Requirements @@ -42,7 +42,7 @@ For more information about using Envoy proxies with Consul, refer to [Envoy prox When troubleshooting service-to-service communication issues, be aware of the following constraints: -- The troubleshooting tool does not check service intentions. For more information about intentions, including precedence and match order, refer to [service mesh intentions](/consul/docs/connect/intentions). +- The troubleshooting tool does not check service intentions. For more information about intentions, including precedence and match order, refer to [service mesh intentions](/consul/docs/secure-mesh/intentions). - The troubleshooting tool validates one direct connection between a downstream service and an upstream service. You must run the `consul troubleshoot` command with the Envoy ID for an individual upstream service. It does support validating multiple connections simultaneously. - The troubleshooting tool only validates Envoy configurations for sidecar proxies. As a result, the troubleshooting tool does not validate Envoy configurations on upstream proxies such as mesh gateways and terminating gateways. @@ -55,7 +55,12 @@ Using the service-to-service troubleshooting tool is a two-step process: In deployments without transparent proxies, the identifier is the _Envoy ID for the upstream service’s sidecar proxy_. If you use transparent proxies, the identifier is the _upstream service’s IP address_. For more information about using transparent proxies, refer to [Enable transparent proxy mode](/consul/docs/connect/transparent-proxy). -### Troubleshoot on VMs +## Requirements + +- Consul v1.15 or later. +- For Kubernetes, the `consul-k8s` CLI must be installed. + +## Troubleshoot on VMs To troubleshoot service-to-service communication issues in deployments that use VMs or bare-metal servers: @@ -104,7 +109,7 @@ The output from the troubleshooting process identifies service instances accordi For more information, refer to the [`consul troubleshoot` CLI documentation](/consul/commands/troubleshoot). -### Troubleshoot on Kubernetes +## Troubleshoot on Kubernetes To troubleshoot service-to-service communication issues in deployments that use Kubernetes, retrieve the upstream information for the pod that is experiencing communication failures and use the upstream information to identify the proxy you want to perform the troubleshooting process on. @@ -147,4 +152,4 @@ In the example output, troubleshooting upstream communication reveals that the ` The output from the troubleshooting process identifies service instances according to their [Consul DNS address](/consul/docs/k8s/dns). Use the DNS information for failing services to diagnose the specific issues affecting the service instance. -For more information, refer to the [`consul-k8s troubleshoot` CLI reference](/consul/docs/k8s/k8s-cli#troubleshoot). \ No newline at end of file +For more information, refer to the [`consul-k8s troubleshoot` CLI reference](/consul/docs/reference-cli/consul-k8s#troubleshoot). \ No newline at end of file diff --git a/website/content/docs/connect/vm.mdx b/website/content/docs/connect/vm.mdx new file mode 100644 index 00000000000..00155a1a5c4 --- /dev/null +++ b/website/content/docs/connect/vm.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Connect services with Consul on virtual machines (VMs) +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Connect services with Consul on virtual machines (VMs) + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. diff --git a/website/content/docs/consul-vs-other/api-gateway-compare.mdx b/website/content/docs/consul-vs-other/api-gateway-compare.mdx deleted file mode 100644 index 6fae646e128..00000000000 --- a/website/content/docs/consul-vs-other/api-gateway-compare.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -layout: docs -page_title: Consul Compared to Other API Gateways -description: >- - The Consul API Gateway is an implementation of the Kubernetes Gateway API that provides a single entry point that routes public requests to services within the service mesh. ---- - -# Consul Compared to Other API Gateways - -**Examples**: Kong Gateway, Apigee, Mulesoft, Gravitee - -The [Consul API Gateway](/consul/docs/api-gateway) is an implementation of the [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/). Traditionally, API gateways are used for two things: _client traffic management_ and _API lifecycle management_. - -Client traffic management refers to an API gateway's role in controlling the point of entry for public traffic into a given environment, also known as _managing north-south traffic_. The Consul API Gateway is deployed alongside Consul service mesh and is responsible for routing inbound client requests to the mesh based on defined routes. For a full list of supported traffic management features, refer to the [Consul API Gateway documentation](/consul/docs/api-gateway). - -API lifecycle management refers to how application developers use an API gateway to deploy, iterate, and manage versions of an API. At this time, the Consul API Gateway does not support API lifecycle management. diff --git a/website/content/docs/consul-vs-other/config-management-compare.mdx b/website/content/docs/consul-vs-other/config-management-compare.mdx deleted file mode 100644 index 14de4933c49..00000000000 --- a/website/content/docs/consul-vs-other/config-management-compare.mdx +++ /dev/null @@ -1,23 +0,0 @@ ---- -layout: docs -page_title: Consul Compared to Other Configuration Management Tools -description: >- - Chef, Puppet, and other configuration management tools build service discovery mechanisms by querying global state and constructing configuration files on each node during a periodic convergence run. ---- - -# Consul Compared to Other Configuration Management Tools - -**Examples**: Chef, Puppet - -There are many configuration management tools, however, they typically focus on static provisioning. Consul enables you to dynamically configure your services based on service and node state. Both static and dynamic configuration are important and work well together. Since Consul offers a number of different capabilities, there are times when its functionality overlaps with other configuration management tools. - -For example, Chef and Puppet are configuration management tools that can build service discovery mechanisms. However, they only support configuration information that is static. As a result, the time it takes to implement updates depends on the frequency of conversion runs (several minutes to hours). Additionally, these tools do not let you incorporate the system state in the configuration. This could lead to load balancers sending traffic to unhealthy nodes, further exacerbating issues. Supporting multiple datacenters is also challenging with these tools, since a central group of servers must manage all datacenters. - -Consul's service discovery layer is specifically designed to dynamically track and respond to your service's state. By using the integrated health checking, Consul can route traffic away from unhealthy nodes, allowing systems and services to gracefully recover. In addition, Consul’s service discovery layer works with Terraform. Consul-Terraform-Sync (CTS) automates updates to network infrastructure based on dynamic changes to each service. For example, as services scale up or down, CTS can trigger Terraform to update firewalls or load balancers to reflect the latest changes. Also, since each datacenter runs independently, supporting multiple datacenters is no different than supporting a single datacenter. - -Consul is not a replacement for other configuration management tools. These tools are still critical for setting up applications, including Consul. Static provisioning is best managed by existing tools, while Consul enables you to leverage dynamic configuration and service discovery. - -By separating configuration management and cluster management tools, you can take advantage of simpler workflows: -- Periodic runs are no longer required for service or configuration changes. -- Chef recipes and Puppet manifests are simpler because they do not require a global state. -- Infrastructure can become immutable because configuration management runs do not require global state. diff --git a/website/content/docs/consul-vs-other/dns-tools-compare.mdx b/website/content/docs/consul-vs-other/dns-tools-compare.mdx deleted file mode 100644 index f4d27de8ab4..00000000000 --- a/website/content/docs/consul-vs-other/dns-tools-compare.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -layout: docs -page_title: Consul Compared to Other DNS Tools -description: >- - Service discovery is one of Consul's foundational capabilities. Consul is platform agnostic, which allows it to discover services across multiple runtimes and cloud providers including VMs, bare-metal, Kubernetes, Nomad, EKS, AKS, ECS, and Lambda. ---- - - -# Consul Compared to Other DNS Tools - -**Examples**: NS1, AWS Route53, AzureDNS, Cloudflare DNS - -Consul was originally designed as a centralized service registry for any cloud environment that dynamically tracks services as they are added, changed, or removed within a compute infrastructure. Consul maintains a catalog of these registered services and their attributes, such as IP addresses or service name. For more information, refer to [What is Service Discovery?](/consul/docs/concepts/service-discovery). - -As a result, Consul can also provide basic DNS functionality, including [lookups, alternate domains, and access controls](/consul/docs/services/discovery/dns-overview). Since Consul is platform agnostic, you can retrieve service information across both cloud and on-premises data centers. Consul does not natively support some advanced DNS capabilities, such as filters or advanced routing logic. However, you can integrate Consul with existing DNS solutions, such as [NS1](https://help.ns1.com/hc/en-us/articles/360039417093-NS1-Consul-Integration-Overview) and [DNSimple](https://blog.dnsimple.com/2022/05/consul-integration/), to support these advanced capabilities. - diff --git a/website/content/docs/consul-vs-other/index.mdx b/website/content/docs/consul-vs-other/index.mdx deleted file mode 100644 index 26901a3db43..00000000000 --- a/website/content/docs/consul-vs-other/index.mdx +++ /dev/null @@ -1,15 +0,0 @@ ---- -layout: docs -page_title: Why Choose Consul? -description: >- - Consul is a service networking platform that centralizes service discovery, enables zero trust networking with service mesh, automates network infrastructure, and controls access to mesh services with the Consul API Gateway. Compare Consul with other software that provide similar capabilities with one or more of the core use cases. ---- - -# Why Choose Consul? - -HashiCorp Consul is a service networking platform that encompasses multiple capabilities to secure and simplify network service management. These capabilities include service mesh, service discovery, configuration management, and API gateway functionality. While competing products offer a few of these core capabilities, Consul is developed to address all four. The topics in this section provide a general overview of how Consul’s capabilities compare to some other tools on the market. Visit the following pages to read more about how: - -- [Consul compares with other service meshes](/consul/docs/consul-vs-other/service-mesh-compare) -- [Consul compares with other DNS tools](/consul/docs/consul-vs-other/dns-tools-compare) -- [Consul compares with other configuration management tools](/consul/docs/consul-vs-other/config-management-compare) -- [Consul compares with other API Gateways](/consul/docs/consul-vs-other/api-gateway-compare) diff --git a/website/content/docs/consul-vs-other/service-mesh-compare.mdx b/website/content/docs/consul-vs-other/service-mesh-compare.mdx deleted file mode 100644 index 1164336781a..00000000000 --- a/website/content/docs/consul-vs-other/service-mesh-compare.mdx +++ /dev/null @@ -1,18 +0,0 @@ ---- -layout: docs -page_title: Consul compared to other service meshes -description: >- - Consul's service mesh provides zero trust networking based on service identities to authorize, authenticate, and encrypt network services. Consul's service mesh can also provide advanced traffic management capabilities. Although there are many similar capabilities between Consul and other providers like Istio, Solo, Linkerd, Kong, Tetrate, and AWS App Mesh, we highlight the main differentiating factors for help customers compare. ---- - -# Consul compared to other service mesh software - -**Examples**: Istio, Solo Gloo Mesh, Linkerd, Kong/Kuma, AWS App Mesh - -Consul’s service mesh allows organizations to securely connect and manage their network services across multiple different environments. Using Envoy as the sidecar proxy attached to every service, Consul ensures that all service-to-service communication is authorized, authenticated, and encrypted. Consul includes traffic management capabilities like load balancing and traffic splitting, which help developers perform canary testing, A/B tests, and blue/green deployments. Consul also includes health check and observability features. - -Consul is platform agnostic — it supports any runtime (Kubernetes, EKS, AKS, GKE, VMs, ECS, Lambda, Nomad) and any cloud provider (AWS, Microsoft Azure, GCP, private clouds). This makes it one of the most flexible service discovery and service mesh platforms. While other service mesh software provides support for multiple runtimes for the data plane, they require you to run the control plane solely on Kubernetes. With Consul, you can run both the control plane and data plane in different runtimes. - -Consul also has several unique integrations with Vault, an industry standard for secrets management. Operators have the option to use Consul’s built-in certificate authority, or leverage Vault’s PKI engine to generate and store TLS certificates for both the data plane and control plane. In addition, Consul can automatically rotate the TLS certificates on both the data plane and control plane without requiring any type of restarts. This lets you rotate the certificates more frequently without incurring additional management burden on operators. -When deploying Consul on Kubernetes, you can store sensitive data including licenses, ACL tokens, and TLS certificates centrally in Vault instead of Kubernetes secrets. Vault is much more secure than Kubernetes secrets because it automatically encrypts all data, provides advanced access controls to secrets, and provides centralized governance for all secrets. - diff --git a/website/content/docs/nia/architecture.mdx b/website/content/docs/cts/architecture.mdx similarity index 84% rename from website/content/docs/nia/architecture.mdx rename to website/content/docs/cts/architecture.mdx index 14ff0da3c0c..e40ed915844 100644 --- a/website/content/docs/nia/architecture.mdx +++ b/website/content/docs/cts/architecture.mdx @@ -41,9 +41,9 @@ A driver encapsulates the resources required to communicate the updates to the network infrastructure. The following [drivers](/consul/docs/nia/network-drivers#terraform) are supported: - Terraform driver -- HCP Terraform driver +- Terraform Cloud driver -Each driver includes a set of providers that [enables support](/consul/docs/nia/terraform-modules) for a wide variety of infrastructure applications. +Each driver includes a set of providers that [enables support](/consul/docs/reference/cts/terraform-module) for a wide variety of infrastructure applications. ## State storage and persistence @@ -51,28 +51,28 @@ The following types of state information are associated with CTS. ### Terraform state information -By default, CTS stores [Terraform state data](/terraform/language/state) in the Consul KV, but you can specify where this information is stored by configuring the `backend` setting in the [Terraform driver configuration](/consul/docs/nia/configuration#backend). The data persists if CTS stops and the backend is configured to a remote location. +By default, CTS stores [Terraform state data](/terraform/language/state) in the Consul KV, but you can specify where this information is stored by configuring the `backend` setting in the [Terraform driver configuration](/consul/docs/reference/cts/configuration#backend). The data persists if CTS stops and the backend is configured to a remote location. ### CTS task and event data By default, CTS stores task and event data in memory. This data is transient and does not persist. If you configure [CTS to run with high availability enabled](/consul/docs/nia/usage/run-ha), CTS stores the data in the Consul KV. High availability is an enterprise feature that promotes CTS resiliency. When high availability is enabled, CTS stores and persists task changes and events that occur when an instance stops. -The data stored when operating in high availability mode includes task changes made using the task API or CLI. Examples of task changes include creating a new task, deleting a task, and enabling or disabling a task. You can empty the leader’s stored state information by starting CTS with the [`-reset-storage` flag](/consul/docs/nia/cli/start#options). +The data stored when operating in high availability mode includes task changes made using the task API or CLI. Examples of task changes include creating a new task, deleting a task, and enabling or disabling a task. You can empty the leader’s stored state information by starting CTS with the [`-reset-storage` flag](/consul/docs/reference/cts/cli/start#options). ## Instance compatibility checks (high availability) If you [run CTS with high availability enabled](/consul/docs/nia/usage/run-ha), CTS performs instance compatibility checks to ensure that all instances in the cluster behave consistently. Consistent instance behavior enables CTS to properly perform automations configured in the state storage. -The CTS instance compatibility check reports an error if the task [module](/consul/docs/nia/configuration#module) is configured with a local module, but the module does not exist on the CTS instance. Refer to the [Terraform documentation](/terraform/language/modules/sources#module-sources) for additional information about module sources. Example log: +The CTS instance compatibility check reports an error if the task [module](/consul/docs/reference/cts/configuration#module) is configured with a local module, but the module does not exist on the CTS instance. Refer to the [Terraform documentation](/terraform/language/modules/sources#module-sources) for additional information about module sources. Example log: ```shell-session [ERROR] ha.compat: error="compatibility check failure: stat ./example-module: no such file or directory" ``` -Refer to [Error Messages](/consul/docs/nia/usage/errors-ref) for additional information. +Refer to [Error Messages](/consul/docs/error-messages/cts) for additional information. CTS instances perform a compatibility check on start-up based on the stored state and every five minutes after starting. If the check detects an incompatible CTS instance, it generates a log so that an operator can address it. -CTS logs the error message and continues to run when it finds an incompatibility. CTS can still elect an incompatible instance to be the leader, but tasks affected by the incompatibility do not run successfully. This can happen when all active CTS instances enter [`once-mode`](/consul/docs/nia/cli/start#modes) and run the tasks once when initially elected. +CTS logs the error message and continues to run when it finds an incompatibility. CTS can still elect an incompatible instance to be the leader, but tasks affected by the incompatibility do not run successfully. This can happen when all active CTS instances enter [`once-mode`](/consul/docs/reference/cts/cli/start#modes) and run the tasks once when initially elected. ## Security guidelines diff --git a/website/content/docs/nia/compatibility.mdx b/website/content/docs/cts/compatibility.mdx similarity index 93% rename from website/content/docs/nia/compatibility.mdx rename to website/content/docs/cts/compatibility.mdx index 7e473bc3564..f160fe64478 100644 --- a/website/content/docs/nia/compatibility.mdx +++ b/website/content/docs/cts/compatibility.mdx @@ -13,7 +13,7 @@ This topic describes Consul-Terraform-Sync (CTS) cross-compatibility with Consul Below are CTS versions with supported Consul versions. The latest CTS binary supports the three most recent Consul minor versions, along with their latest patch versions. -| CTS Version | Consul Community Edition & Enterprise Version | HCP Consul Dedicated Version | +| CTS Version | Consul Community Edition & Enterprise Version | HCP Consul Version | | :--------------------- | :------------------------------ | :----------------- | | CTS Enterprise 0.6+ | 1.8+ | 1.9+ | | CTS Enterprise 0.3-0.5 | 1.8+ | N/A | @@ -24,7 +24,7 @@ Below are CTS versions with supported Consul versions. The latest CTS binary sup CTS integration with Terraform is supported for the following: -| CTS Version | Terraform CLI Version | HCP Terraform Version | Terraform Enterprise Version | +| CTS Version | Terraform CLI Version | Terraform Cloud Version | Terraform Enterprise Version | | :------------------ | :-------------------- | :---------------------- | :--------------------------- | | CTS Enterprise 0.7 | 0.13-1.2 | Latest | v202010-2 - Latest | | CTS Enterprise 0.4+ | 0.13 - 1.1 | Latest | v202010-2 - Latest | diff --git a/website/content/docs/nia/installation/configure.mdx b/website/content/docs/cts/configure.mdx similarity index 72% rename from website/content/docs/nia/installation/configure.mdx rename to website/content/docs/cts/configure.mdx index 1f9d5265fc4..1c76017880b 100644 --- a/website/content/docs/nia/installation/configure.mdx +++ b/website/content/docs/cts/configure.mdx @@ -7,13 +7,13 @@ description: >- # Configure Consul-Terraform-Sync -The page will cover the main components for configuring your Network Infrastructure Automation with Consul at a high level. For the full list of configuration options, visit the [Consul-Terraform-Sync (CTS) configuration page](/consul/docs/nia/configuration). +The page will cover the main components for configuring your Network Infrastructure Automation with Consul at a high level. For the full list of configuration options, visit the [Consul-Terraform-Sync (CTS) configuration page](/consul/docs/reference/cts/configuration). ## Tasks A task captures a network automation process by defining which network resources to update on a given condition. Configure CTS with one or more tasks that contain a list of Consul services, a Terraform module, and various Terraform providers. -Within the [`task` block](/consul/docs/nia/configuration#task), the list of services for a task represents the service layer that drives network automation. The `module` is the discovery location of the Terraform module that defines the network automation process for the task. The `condition`, not shown below, defaults to the services condition when unconfigured such that network resources are updated on changes to the list of services over time. +Within the [`task` block](/consul/docs/reference/cts/configuration#task), the list of services for a task represents the service layer that drives network automation. The `module` is the discovery location of the Terraform module that defines the network automation process for the task. The `condition`, not shown below, defaults to the services condition when unconfigured such that network resources are updated on changes to the list of services over time. Review the Terraform module to be used for network automation and identify the Terraform providers required by the module. If the module depends on a set of providers, include the list of provider names in the `providers` field to associate the corresponding provider configuration with the task. These providers will need to be configured later in a separate block. @@ -32,7 +32,7 @@ task { ## Terraform Providers -Configuring Terraform providers within CTS requires 2 config components. The first component is required within the [`driver.terraform` block](/consul/docs/nia/configuration#terraform-driver). All providers configured for CTS must be listed within the `required_providers` stanza to satisfy a [Terraform v0.13+ requirement](/terraform/language/providers/requirements#requiring-providers) for Terraform to discover and install them. The providers listed are later organized by CTS to be included in the appropriate Terraform configuration files for each task. +Configuring Terraform providers within CTS requires 2 config components. The first component is required within the [`driver.terraform` block](/consul/docs/reference/cts/configuration#terraform-driver). All providers configured for CTS must be listed within the `required_providers` stanza to satisfy a [Terraform v0.13+ requirement](/terraform/language/providers/requirements#requiring-providers) for Terraform to discover and install them. The providers listed are later organized by CTS to be included in the appropriate Terraform configuration files for each task. ```hcl driver "terraform" { @@ -45,7 +45,7 @@ driver "terraform" { } ``` -The second component for configuring a provider is the [`terraform_provider` block](/consul/docs/nia/configuration#terraform-provider). This block resembles [provider blocks for Terraform configuration](/terraform/language/providers/configuration) and has the same responsibility for understanding API interactions and exposing resources for a specific infrastructure platform. +The second component for configuring a provider is the [`terraform_provider` block](/consul/docs/reference/cts/configuration#terraform-provider). This block resembles [provider blocks for Terraform configuration](/terraform/language/providers/configuration) and has the same responsibility for understanding API interactions and exposing resources for a specific infrastructure platform. Terraform modules configured for task automation may require configuring the referenced providers. For example, configuring the host address and authentication to interface with your network infrastructure. Refer to the Terraform provider documentation hosted on the [Terraform Registry](https://registry.terraform.io/browse/providers) to find available options. The `terraform_provider` block is loaded by CTS during runtime and processed to be included in [autogenerated Terraform configuration files](/consul/docs/nia/network-drivers#provider) used for task automation. Omitting the `terraform_provider` block for a provider will defer to the Terraform behavior assuming an empty default configuration. diff --git a/website/content/docs/nia/enterprise/index.mdx b/website/content/docs/cts/enterprise/index.mdx similarity index 69% rename from website/content/docs/nia/enterprise/index.mdx rename to website/content/docs/cts/enterprise/index.mdx index 94b42f6c902..4ea19665049 100644 --- a/website/content/docs/nia/enterprise/index.mdx +++ b/website/content/docs/cts/enterprise/index.mdx @@ -9,22 +9,22 @@ description: >- Consul-Terraform-Sync (CTS) Enterprise is available with [Consul Enterprise](https://www.hashicorp.com/products/consul) and requires a Consul [license](/consul/docs/nia/enterprise/license) to be applied. -Enterprise features of CTS address organization complexities of collaboration, operations, scale, and governance. CTS Enterprise supports an official integration with [HCP Terraform](https://cloud.hashicorp.com/products/terraform) and [Terraform Enterprise](/terraform/enterprise), the self-hosted distribution, to extend insight into dynamic updates of your network infrastructure. +Enterprise features of CTS address organization complexities of collaboration, operations, scale, and governance. CTS Enterprise supports an official integration with [Terraform Cloud](https://cloud.hashicorp.com/products/terraform) and [Terraform Enterprise](/terraform/enterprise), the self-hosted distribution, to extend insight into dynamic updates of your network infrastructure. | Features | Community Edition | Enterprise | |----------|-------------|------------| | Consul Namespace | Default namespace only | Filter task triggers by any namespace | -| Automation Driver | Terraform Community Edition | Terraform Community Edition, HCP Terraform, or Terraform Enterprise | -| Terraform Workspaces | Local | Local workspaces with the Terraform driver or [remote workspaces](/terraform/cloud-docs/workspaces) with the HCP Terraform driver | -| Terraform Backend Options | [azurerm](/terraform/language/settings/backends/azurerm), [consul](/terraform/language/settings/backends/consul), [cos](/terraform/language/settings/backends/cos), [gcs](/terraform/language/settings/backends/gcs), [kubernetes](/terraform/language/settings/backends/kubernetes), [local](/terraform/language/settings/backends/local), [manta](/terraform/language/v1.2.x/settings/backends/manta), [pg](/terraform/language/settings/backends/pg), and [s3](/terraform/language/settings/backends/s3) with the Terraform driver | The supported backends for CTS with the Terraform driver or HCP Terraform with the HCP Terraform driver | -| Terraform Version | One Terraform version for all tasks | Optional Terraform version per task when using the HCP Terraform driver | -| Terraform Run Output | CTS logs | CTS logs or Terraform output organized by HCP Terraform remote workspaces | +| Automation Driver | Terraform Community Edition | Terraform Community Edition, Terraform Cloud, or Terraform Enterprise | +| Terraform Workspaces | Local | Local workspaces with the Terraform driver or [remote workspaces](/terraform/cloud-docs/workspaces) with the Terraform Cloud driver | +| Terraform Backend Options | [azurerm](/terraform/language/settings/backends/azurerm), [consul](/terraform/language/settings/backends/consul), [cos](/terraform/language/settings/backends/cos), [gcs](/terraform/language/settings/backends/gcs), [kubernetes](/terraform/language/settings/backends/kubernetes), [local](/terraform/language/settings/backends/local), [manta](/terraform/language/v1.2.x/settings/backends/manta), [pg](/terraform/language/settings/backends/pg), and [s3](/terraform/language/settings/backends/s3) with the Terraform driver | The supported backends for CTS with the Terraform driver or Terraform Cloud with the Terraform Cloud driver | +| Terraform Version | One Terraform version for all tasks | Optional Terraform version per task when using the Terraform Cloud driver | +| Terraform Run Output | CTS logs | CTS logs or Terraform output organized by Terraform Cloud remote workspaces | | Credentials and secrets | On disk as `.tfvars` files or in shell environment | Secured variables stored in remote workspace | -| Audit | | Terraform audit logs ([HCP Terraform](/terraform/cloud-docs/api-docs/audit-trails) or [Terraform Enterprise](/terraform/enterprise/admin/infrastructure/logging)) | -| Collaboration | | Run [history](/terraform/cloud-docs/run/manage), [triggers](/terraform/cloud-docs/workspaces/settings/run-triggers), and [notifications](/terraform/cloud-docs/workspaces/settings/notifications) supported on HCP Terraform | +| Audit | | Terraform audit logs ([Terraform Cloud](/terraform/cloud-docs/api-docs/audit-trails) or [Terraform Enterprise](/terraform/enterprise/admin/infrastructure/logging)) | +| Collaboration | | Run [history](/terraform/cloud-docs/run/manage), [triggers](/terraform/cloud-docs/workspaces/settings/run-triggers), and [notifications](/terraform/cloud-docs/workspaces/settings/notifications) supported on Terraform Cloud | | Governance | | [Sentinel](/terraform/cloud-docs/policy-enforcement) to enforce governance policies as code | -The [HCP Terraform driver](/consul/docs/nia/configuration#terraform-cloud-driver) enables CTS Enterprise to integrate with HCP Terraform or Terraform Enterprise. The [HCP Terraform driver](/consul/docs/nia/network-drivers/terraform-cloud) page provides an overview of how the integration works within CTS. +The [Terraform Cloud driver](/consul/docs/reference/cts/configuration#terraform-cloud-driver) enables CTS Enterprise to integrate with Terraform Cloud or Terraform Enterprise. The [Terraform Cloud driver](/consul/docs/nia/network-drivers/terraform-cloud) page provides an overview of how the integration works within CTS. ## Consul Admin Partition Support CTS subscribes to a Consul agent. Depending on the admin partition the Consul agent is a part of and the services within the admin partition, CTS will be able to subscribe to those services and support the automation workflow. As such, admin partitions are not relevant to the CTS workflow. We recommend deploying a single CTS instance that subscribes to services/KV within a single partition and using a different CTS instance (or instances) to subscribe to services/KV in another partition. diff --git a/website/content/docs/nia/enterprise/license.mdx b/website/content/docs/cts/enterprise/license.mdx similarity index 84% rename from website/content/docs/nia/enterprise/license.mdx rename to website/content/docs/cts/enterprise/license.mdx index 338e6813440..b3ac76cb17c 100644 --- a/website/content/docs/nia/enterprise/license.mdx +++ b/website/content/docs/cts/enterprise/license.mdx @@ -11,7 +11,7 @@ description: >- Licenses are only required for Consul-Terraform-Sync (CTS) Enterprise -CTS Enterprise binaries require a [Consul Enterprise license](/consul/docs/enterprise/license/overview) to run. There is no CTS Enterprise specific license. As a result, CTS Enterprise's licensing is very similar to Consul Enterprise. +CTS Enterprise binaries require a [Consul Enterprise license](/consul/docs/enterprise/license) to run. There is no CTS Enterprise specific license. As a result, CTS Enterprise's licensing is very similar to Consul Enterprise. All CTS Enterprise features are available with a valid Consul Enterprise license, regardless of your Consul Enterprise packaging or pricing model. @@ -20,7 +20,7 @@ To get a trial license for CTS, you can sign-up for the [trial license for Consu ## Automatic License Retrieval CTS automatically retrieves a license from Consul on startup and then attempts to retrieve a new license once a day. If the current license is reaching its expiration date, CTS attempts to retrieve a license with increased frequency, as defined by the [License Expiration Date Handling](/consul/docs/nia/enterprise/license#license-expiration-handling). -~> Enabling automatic license retrieval is recommended when using HCP Consul Dedicated, as HCP Consul Dedicated licenses expire more frequently than Consul Enterprise licenses. Without auto-retrieval enabled, you have to restart CTS every time you load a new license. +~> Enabling automatic license retrieval is recommended when using HCP Consul, as HCP Consul licenses expire more frequently than Consul Enterprise licenses. Without auto-retrieval enabled, you have to restart CTS every time you load a new license. ## Setting the License Manually @@ -38,7 +38,7 @@ If a license needs to be manually set, choose one of the following methods (in o export CONSUL_LICENSE_PATH=// ``` -1. To point to the file containing the license, in the configuration file, configure the [`license`](/consul/docs/nia/configuration#license) path option. +1. To point to the file containing the license, in the configuration file, configure the [`license`](/consul/docs/reference/cts/configuration#license) path option. ```hcl license { @@ -46,13 +46,13 @@ If a license needs to be manually set, choose one of the following methods (in o } ``` -1. To point to the file containing the license, in the configuration file, configure the [`license_path`](/consul/docs/nia/configuration#license_path) option i. **Deprecated in CTS 0.6.0 and will be removed in a future release. Use [license block](/consul/docs/nia/configuration#license) instead.** +1. To point to the file containing the license, in the configuration file, configure the [`license_path`](/consul/docs/reference/cts/configuration#license_path) option i. **Deprecated in CTS 0.6.0 and will be removed in a future release. Use [license block](/consul/docs/reference/cts/configuration#license) instead.** ```hcl license_path = "//" ``` -~> **Note**: the [options to set the license and the order of precedence](/consul/docs/enterprise/license/overview#binaries-without-built-in-licenses) are the same as Consul Enterprise server agents. +~> **Note**: the [options to set the license and the order of precedence](/consul/docs/enterprise/license#binaries-without-built-in-licenses) are the same as Consul Enterprise server agents. Visit the [Enterprise License Tutorial](/nomad/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key. ### Updating the License Manually diff --git a/website/content/docs/nia/index.mdx b/website/content/docs/cts/index.mdx similarity index 90% rename from website/content/docs/nia/index.mdx rename to website/content/docs/cts/index.mdx index 453a2beb83e..a3441e403a0 100644 --- a/website/content/docs/nia/index.mdx +++ b/website/content/docs/cts/index.mdx @@ -35,11 +35,11 @@ CTS is available as an open source and enterprise distribution. Follow the [Auto - `Network Infrastructure Automation (NIA)` - Enables dynamic updates to network infrastructure devices triggered when specific conditions, such as service changes and registration, are met. -- `Scheduled Tasks` - A scheduled task is a type of task that is triggered only on a schedule. It is configured with a [schedule condition](/consul/docs/nia/configuration#schedule-condition). +- `Scheduled Tasks` - A scheduled task is a type of task that is triggered only on a schedule. It is configured with a [schedule condition](/consul/docs/reference/cts/configuration#schedule-condition). - `Services` - A service in CTS represents a service that is registered with Consul for service discovery. Services are grouped by their service names. There may be more than one instance of a particular service, each with its own unique ID. CTS monitors services based on service names and can provide service instance details to a Terraform module for network automation. -- `Module Input` - A module input defines objects that provide values or metadata to the Terraform module. See [module input](/consul/docs/nia/terraform-modules#module-input) for the supported metadata and values. For example, a user can configure a Consul KV module input to provide KV pairs as variables to their respective Terraform Module. +- `Module Input` - A module input defines objects that provide values or metadata to the Terraform module. See [module input](/consul/docs/reference/cts/terraform-module#module-input) for the supported metadata and values. For example, a user can configure a Consul KV module input to provide KV pairs as variables to their respective Terraform Module. The module input can be configured in a couple of ways: - Setting the `condition` block's `use_as_module_input` field to true @@ -53,7 +53,7 @@ CTS is available as an open source and enterprise distribution. Follow the [Auto - `Tasks` - A task is the translation of dynamic service information from the Consul Catalog into network infrastructure changes downstream. -- `HCP Terraform` - Per the [Terraform documentation](/terraform/cloud-docs), "HCP Terraform" describes both HCP Terraform and Terraform Enterprise, which are different distributions of the same application. Documentation will apply to both distributions unless specifically stated otherwise. +- `Terraform Cloud` - Per the [Terraform documentation](/terraform/cloud-docs), "Terraform Cloud" describes both Terraform Cloud and Terraform Enterprise, which are different distributions of the same application. Documentation will apply to both distributions unless specifically stated otherwise. - `Terraform Module` - A [Terraform module](/terraform/language/modules) is a container for multiple Terraform resources that are used together. @@ -73,4 +73,4 @@ module. - [Contribute](https://github.com/hashicorp/consul-terraform-sync) to the open source project - [Report](https://github.com/hashicorp/consul-terraform-sync/issues) bugs or request enhancements - [Discuss](https://discuss.hashicorp.com/tags/c/consul/29/consul-terraform-sync) with the community or ask questions -- [Build integrations](/consul/docs/nia/terraform-modules) for CTS +- [Build integrations](/consul/docs/reference/cts/terraform-module) for CTS diff --git a/website/content/docs/nia/installation/install.mdx b/website/content/docs/cts/install.mdx similarity index 92% rename from website/content/docs/nia/installation/install.mdx rename to website/content/docs/cts/install.mdx index a8027b44368..cf5de23c0ea 100644 --- a/website/content/docs/nia/installation/install.mdx +++ b/website/content/docs/cts/install.mdx @@ -94,7 +94,7 @@ $ consul-terraform-sync -version ## Connect your Consul Cluster -CTS connects with your Consul cluster in order to monitor the Consul catalog for service changes. These service changes lead to downstream updates to your network devices. You can configure your Consul cluster in CTS with the [Consul block](/consul/docs/nia/configuration#consul). Below is an example: +CTS connects with your Consul cluster in order to monitor the Consul catalog for service changes. These service changes lead to downstream updates to your network devices. You can configure your Consul cluster in CTS with the [Consul block](/consul/docs/reference/cts/configuration#consul). Below is an example: ```hcl consul { @@ -107,7 +107,7 @@ consul { CTS interacts with your network device through a network driver. For the Terraform network driver, CTS uses Terraform providers to make changes to your network infrastructure resources. You can reference existing provider docs on the Terraform Registry to configure each provider or create a new Terraform provider. -Once you have identified a Terraform provider for all of your network devices, you can configure them in CTS with a [`terraform_provider` block](/consul/docs/nia/configuration#terraform-provider) for each network device. Below is an example: +Once you have identified a Terraform provider for all of your network devices, you can configure them in CTS with a [`terraform_provider` block](/consul/docs/reference/cts/configuration#terraform-provider) for each network device. Below is an example: ```hcl terraform_provider "fake-firewall" { @@ -121,4 +121,4 @@ This provider is then used by task(s) to execute a Terraform module that will up ### Multiple Instances per Provider -You might have multiple instances of the same type of network device; for example, multiple instances of a firewall or load balancer. You can configure each instance with its own provider block and distinguish it by the `alias` meta-argument. See [multiple provider configurations](/consul/docs/nia/configuration#multiple-provider-configurations) for more details and an example of the configuration. +You might have multiple instances of the same type of network device; for example, multiple instances of a firewall or load balancer. You can configure each instance with its own provider block and distinguish it by the `alias` meta-argument. See [multiple provider configurations](/consul/docs/reference/cts/configuration#multiple-provider-configurations) for more details and an example of the configuration. diff --git a/website/content/docs/nia/network-drivers/index.mdx b/website/content/docs/cts/network-drivers/index.mdx similarity index 61% rename from website/content/docs/nia/network-drivers/index.mdx rename to website/content/docs/cts/network-drivers/index.mdx index dd89f448d9b..422128a9877 100644 --- a/website/content/docs/nia/network-drivers/index.mdx +++ b/website/content/docs/cts/network-drivers/index.mdx @@ -2,7 +2,7 @@ layout: docs page_title: Network Drivers description: >- - Consul-Terraform-Sync Network Drivers with Terraform and HCP Terraform + Consul-Terraform-Sync Network Drivers with Terraform and Terraform Cloud --- # Network Drivers @@ -11,18 +11,18 @@ Consul-Terraform-Sync (CTS) uses network drivers to execute and update network i CTS is a HashiCorp solution to Network Infrastructure Automation. It bridges Consul's networking features and Terraform infrastructure management capabilities. The solution seamlessly embeds Terraform as network drivers to manage automation of Terraform modules. This expands the Consul ecosystem and taps into the rich features and community of Terraform and Terraform providers. -The following table highlights some of the additional features Terraform and HCP Terraform offer when used as a network driver for CTS. Visit the [Terraform product page](https://www.hashicorp.com/products/terraform) or [contact our sales team](https://www.hashicorp.com/contact-sales) for a comprehensive list of features. +The following table highlights some of the additional features Terraform and Terraform Cloud offer when used as a network driver for CTS. Visit the [Terraform product page](https://www.hashicorp.com/products/terraform) or [contact our sales team](https://www.hashicorp.com/contact-sales) for a comprehensive list of features. | Network Driver | Description | Features | | -------------- | ----------- | -------- | -| [Terraform driver](/consul/docs/nia/network-drivers/terraform) | CTS automates a local installation of the [Terraform CLI](https://www.terraform.io/) | - Local Terraform execution
- Local workspace directories
- [Backend options](/consul/docs/nia/configuration#backend) available for state storage
| -| [HCP Terraform driver](/consul/docs/nia/network-drivers/terraform-cloud) | CTS Enterprise automates remote workspaces on [HCP Terraform](/terraform/cloud-docs) | - [Remote Terraform execution](/terraform/cloud-docs/run/remote-operations)
- Concurrent runs
- [Secured variables](/terraform/cloud-docs/workspaces/variables)
- [State versions](/terraform/cloud-docs/workspaces/state)
- [Sentinel](/terraform/cloud-docs/policy-enforcement) to enforce governance policies as code
- Audit [logs](/terraform/enterprise/admin/infrastructure/logging) and [trails](/terraform/cloud-docs/api-docs/audit-trails)
- Run [history](/terraform/cloud-docs/run/manage), [triggers](/terraform/cloud-docs/workspaces/settings/run-triggers), and [notifications](/terraform/cloud-docs/workspaces/settings/notifications)
- [Terraform Cloud Agents](/terraform/cloud-docs/agents) | +| [Terraform driver](/consul/docs/nia/network-drivers/terraform) | CTS automates a local installation of the [Terraform CLI](https://www.terraform.io/) | - Local Terraform execution
- Local workspace directories
- [Backend options](/consul/docs/reference/cts/configuration#backend) available for state storage
| +| [Terraform Cloud driver](/consul/docs/nia/network-drivers/terraform-cloud) | CTS Enterprise automates remote workspaces on [Terraform Cloud](/terraform/cloud-docs) | - [Remote Terraform execution](/terraform/cloud-docs/run/remote-operations)
- Concurrent runs
- [Secured variables](/terraform/cloud-docs/workspaces/variables)
- [State versions](/terraform/cloud-docs/workspaces/state)
- [Sentinel](/terraform/cloud-docs/policy-enforcement) to enforce governance policies as code
- Audit [logs](/terraform/enterprise/admin/infrastructure/logging) and [trails](/terraform/cloud-docs/api-docs/audit-trails)
- Run [history](/terraform/cloud-docs/run/manage), [triggers](/terraform/cloud-docs/workspaces/settings/run-triggers), and [notifications](/terraform/cloud-docs/workspaces/settings/notifications)
- [Terraform Cloud Agents](/terraform/cloud-docs/agents) | ## Understanding Terraform Automation CTS automates Terraform execution using a templated configuration to carry out infrastructure changes. The auto-generated configuration leverages input variables sourced from Consul and builds on top of reusable Terraform modules published and maintained by HashiCorp partners and the community. CTS can also run your custom built modules that suit your team's specific network automation needs. -The network driver for CTS determines how the Terraform automation operates. Visit the driver pages to read more about the [Terraform driver](/consul/docs/nia/network-drivers/terraform) and the [HCP Terraform driver](/consul/docs/nia/network-drivers/terraform-cloud). +The network driver for CTS determines how the Terraform automation operates. Visit the driver pages to read more about the [Terraform driver](/consul/docs/nia/network-drivers/terraform) and the [Terraform Cloud driver](/consul/docs/nia/network-drivers/terraform-cloud). ### Upgrading Terraform diff --git a/website/content/docs/nia/network-drivers/hcp-terraform.mdx b/website/content/docs/cts/network-drivers/terraform-cloud.mdx similarity index 58% rename from website/content/docs/nia/network-drivers/hcp-terraform.mdx rename to website/content/docs/cts/network-drivers/terraform-cloud.mdx index 4deb27ead9c..5473f96d919 100644 --- a/website/content/docs/nia/network-drivers/hcp-terraform.mdx +++ b/website/content/docs/cts/network-drivers/terraform-cloud.mdx @@ -1,37 +1,37 @@ --- layout: docs -page_title: HCP Terraform Driver +page_title: Terraform Cloud Driver description: >- - Consul-Terraform-Sync Network Drivers with HCP Terraform + Consul-Terraform-Sync Network Drivers with Terraform Cloud --- -# HCP Terraform Driver +# Terraform Cloud Driver This feature requires{' '} Consul-Terraform-Sync Enterprise{' '} which is available with Consul Enterprise. -Consul-Terraform-Sync (CTS) is more powerful when you integrate it with [HCP Terraform](https://cloud.hashicorp.com/products/terraform). Integrating with HCP Terraform provides features, such as enhanced workspaces and insight into Terraform operations as CTS dynamically updates your network infrastructure. CTS is compatible with both the [self-hosted](https://www.hashicorp.com/products/terraform/editions/enterprise) and [managed service](https://www.hashicorp.com/products/terraform/editions/cloud) versions of HCP Terraform. It also supports all [tiers](https://www.hashicorp.com/products/terraform/pricing) of the HCP Terraform managed service. +Consul-Terraform-Sync (CTS) is more powerful when you integrate it with [Terraform Cloud](https://cloud.hashicorp.com/products/terraform). Integrating with Terraform Cloud provides features, such as enhanced workspaces and insight into Terraform operations as CTS dynamically updates your network infrastructure. CTS is compatible with both the [self-hosted](https://www.hashicorp.com/products/terraform/editions/enterprise) and [managed service](https://www.hashicorp.com/products/terraform/editions/cloud) versions of Terraform Cloud. It also supports all [tiers](https://www.hashicorp.com/products/terraform/pricing) of the Terraform Cloud managed service. -This page describes how the HCP Terraform driver operates within CTS. +This page describes how the Terraform Cloud driver operates within CTS. ## Terraform Workspace Automation -CTS manages Terraform runs following the [API-driven run workflow](/terraform/cloud-docs/run/api) for workspaces in HCP Terraform. +CTS manages Terraform runs following the [API-driven run workflow](/terraform/cloud-docs/run/api) for workspaces in Terraform Cloud. On startup, CTS: -1. Creates or discovers HCP Terraform workspaces corresponding to the configured tasks. +1. Creates or discovers Terraform Cloud workspaces corresponding to the configured tasks. 2. Prepares the local environment and generates Terraform configuration files that make up the root module for each task. -3. Packages the generated files and uploads them as a configuration version for the task's workspace on HCP Terraform. +3. Packages the generated files and uploads them as a configuration version for the task's workspace on Terraform Cloud. -Once all workspaces are set up, CTS monitors the Consul catalog for service changes. When relevant changes are detected, the HCP Terraform driver dynamically updates input variables for that task directly as [workspace variables](/terraform/cloud-docs/workspaces/variables) using the HCP Terraform API. The driver then queues a run on the workspace, with auto-apply enabled, to update your network infrastructure. +Once all workspaces are set up, CTS monitors the Consul catalog for service changes. When relevant changes are detected, the Terraform Cloud driver dynamically updates input variables for that task directly as [workspace variables](/terraform/cloud-docs/workspaces/variables) using the Terraform Cloud API. The driver then queues a run on the workspace, with auto-apply enabled, to update your network infrastructure. ~> **Note:** Although workspaces for tasks are executed in isolated environments, this does not guarantee the infrastructure changes from concurrent task executions are independent. Ensure that modules across all tasks are not modifying the same resource objects or have overlapping changes that may result in race conditions during automation. ## Remote Workspaces -CTS will discover or create a new workspaces based on your configured tasks. The task configuration [`name`](/consul/docs/nia/configuration#name-1) and [`description`](/consul/docs/nia/configuration#description) are used to set the workspace name and description. The task configuration [`terraform_cloud_workspace`](/consul/docs/nia/configuration#terraform_cloud_workspace) is used to set options like Terraform version, execution mode, and agent pool if relevant. CTS will also use any globally set workspace configurations, specified in the driver configuration [`workspaces`](/consul/docs/nia/configuration#workspaces). +CTS will discover or create a new workspaces based on your configured tasks. The task configuration [`name`](/consul/docs/reference/cts/configuration#name-1) and [`description`](/consul/docs/reference/cts/configuration#description) are used to set the workspace name and description. The task configuration [`terraform_cloud_workspace`](/consul/docs/reference/cts/configuration#terraform_cloud_workspace) is used to set options like Terraform version, execution mode, and agent pool if relevant. CTS will also use any globally set workspace configurations, specified in the driver configuration [`workspaces`](/consul/docs/reference/cts/configuration#workspaces). [![CTS Workspace Overview](/img/nia/cts-tfc-workspace.png)](/img/nia/cts-tfc-workspace.png) @@ -39,7 +39,7 @@ Workspace automation requirements for CTS are in place to avoid overriding other * Must be set to remote or agent execution mode * Cannot be connected to a VCS * Cannot have an existing configuration version uploaded by another application -* Must satisfy workspace [tag requirements](/consul/docs/nia/configuration#tags_allowlist) and [tag restrictions](/consul/docs/nia/configuration#tags_denylist) set by the CTS operator +* Must satisfy workspace [tag requirements](/consul/docs/reference/cts/configuration#tags_allowlist) and [tag restrictions](/consul/docs/reference/cts/configuration#tags_denylist) set by the CTS operator Workspaces created by CTS will be configured with the following settings: @@ -47,10 +47,10 @@ Workspaces created by CTS will be configured with the following settings: | ------- | ----- | | Workspace name | CTS task name | | Description | CTS task description | -| Execution mode | [`task.terraform_cloud_workspace.execution_mode`](/consul/docs/nia/configuration#execution_mode) or remote by default | +| Execution mode | [`task.terraform_cloud_workspace.execution_mode`](/consul/docs/reference/cts/configuration#execution_mode) or remote by default | | Apply method | Auto apply | -| Terraform Version | [`task.terraform_cloud_workspace.terraform_version`](/consul/docs/nia/configuration#terraform_version-1), [`task.terraform_version`](/consul/docs/nia/configuration#terraform_version) (deprecated), or the latest [Terraform version compatible with CTS](/consul/docs/nia/compatibility#terraform) available for the organization. | -| Tags | `source:cts` and [additional tags](/consul/docs/nia/configuration#tags) set by the CTS operator | +| Terraform Version | [`task.terraform_cloud_workspace.terraform_version`](/consul/docs/reference/cts/configuration#terraform_version-1), [`task.terraform_version`](/consul/docs/reference/cts/configuration#terraform_version) (deprecated), or the latest [Terraform version compatible with CTS](/consul/docs/nia/compatibility#terraform) available for the organization. | +| Tags | `source:cts` and [additional tags](/consul/docs/reference/cts/configuration#tags) set by the CTS operator | Other workspace settings can be pre-configured or updated, such as setting the workspace to [manual apply](#manual-apply) or adding a [run notification](/terraform/cloud-docs/workspaces/settings/notifications) to send messages to a Slack channel when CTS updates your network infrastructure. @@ -61,18 +61,18 @@ CTS can automate remote workspaces with either auto apply or manual apply config When CTS detects new changes for a workspace that already has a run pending on approval, CTS will discard the stale run and queue a new run with the latest values. The new run will go through plan and then again wait on an operator to approve it. Only once the run is approved will the infrastructure be updated with the latest Consul changes. There are two approaches to setup manual apply for a workspace managed by CTS based on how the workspace is created. -* For CTS created workspaces, update the apply method from auto to manual via the HCP Terraform web application or API. -* For pre-configured workspaces, create the workspace prior to CTS task automation via the HCP Terraform web application or API. +* For CTS created workspaces, update the apply method from auto to manual via the Terraform Cloud web application or API. +* For pre-configured workspaces, create the workspace prior to CTS task automation via the Terraform Cloud web application or API. 1. Create a workspace with the same name as the desired task. 1. Set the workspace to [API-driven run workflow](/terraform/cloud-docs/run/api) and the execution mode to remote. 1. Ensure that the apply method for the workspace is set to manual apply. 1. Configure the task for the workspace and run CTS. --> **Tip**: Setup [run notifications](/terraform/cloud-docs/workspaces/settings/notifications#creating-a-notification-configuration) for workspaces with manual apply to not miss automated runs by CTS. Look into setting the [buffer period](/consul/docs/nia/configuration#buffer_period-1) or a [schedule condition](/consul/docs/nia/configuration#schedule-condition) to group changes together and reduce runs requiring approval. +-> **Tip**: Setup [run notifications](/terraform/cloud-docs/workspaces/settings/notifications#creating-a-notification-configuration) for workspaces with manual apply to not miss automated runs by CTS. Look into setting the [buffer period](/consul/docs/reference/cts/configuration#buffer_period-1) or a [schedule condition](/consul/docs/reference/cts/configuration#schedule-condition) to group changes together and reduce runs requiring approval. ## Configuration Version -An example configuration version for a task named "cts-example" would have the folder structure below when running with the HCP Terraform driver and using the default working directory. +An example configuration version for a task named "cts-example" would have the folder structure below when running with the Terraform Cloud driver and using the default working directory. ```shell-session $ tree sync-tasks/ @@ -88,10 +88,10 @@ sync-tasks/ - `provider` blocks - The provider blocks generated in the root module resemble the `terraform_provider` blocks from the configuration for CTS. They have identical arguments present and are set from the intermediate variable created per provider. - `module` block - The module block is where the task's module is called as a [child module](/terraform/language/modules#calling-a-child-module). The child module contains the core logic for automation. Required and optional input variables are passed as arguments to the module. - `variables.tf` - This file contains three types of variable declarations: - - `services` input variable (required) determines module compatibility with Consul-Terraform Sync (read more on [compatible Terraform modules](/consul/docs/nia/terraform-modules) for more details). - - Any additional [optional input variables](/consul/docs/nia/terraform-modules#optional-input-variables) provided by CTS that the module may use. + - `services` input variable (required) determines module compatibility with Consul-Terraform Sync (read more on [compatible Terraform modules](/consul/docs/reference/cts/terraform-module) for more details). + - Any additional [optional input variables](/consul/docs/reference/cts/terraform-module#optional-input-variables) provided by CTS that the module may use. - Various intermediate variables used to configure providers. Intermediate provider variables are interpolated from the provider blocks and arguments configured in the CTS configuration. -- `variables.module.tf` - This file is created if there are [variables configured for the task](/consul/docs/nia/configuration#variable_files) and contains the interpolated variable declarations that match the variables from configuration. These are then used to proxy the configured variables to the module through explicit assignment in the module block. +- `variables.module.tf` - This file is created if there are [variables configured for the task](/consul/docs/reference/cts/configuration#variable_files) and contains the interpolated variable declarations that match the variables from configuration. These are then used to proxy the configured variables to the module through explicit assignment in the module block. ## Variables @@ -103,23 +103,23 @@ You can view the latest service information in the Terraform UI by navigating to ~> **Caution:** Dynamic variables maintained by CTS are formatted for automation. Unexpected manual changes to these variables may result in automation errors. -## Setting Up HCP Terraform Driver +## Setting Up Terraform Cloud Driver ### Deployment -Because a CTS instance can only be configured with one driver, an instance can only be associated with either a Terraform driver or a HCP Terraform driver. If there is a need to run both types of drivers, users will need to deploy a separate CTS instance for each type of driver. Relatedly, if there is a need to run CTS across multiple HCP Terraform organizations, users will need to deploy a separate instance for each organization. +Because a CTS instance can only be configured with one driver, an instance can only be associated with either a Terraform driver or a Terraform Cloud driver. If there is a need to run both types of drivers, users will need to deploy a separate CTS instance for each type of driver. Relatedly, if there is a need to run CTS across multiple Terraform Cloud organizations, users will need to deploy a separate instance for each organization. ### Required Setup -This section captures requirements for setting up CTS to integrate with your [HCP Terraform](https://cloud.hashicorp.com/products/terraform) solution. +This section captures requirements for setting up CTS to integrate with your [Terraform Cloud](https://cloud.hashicorp.com/products/terraform) solution. -1. Hostname of your HCP Terraform, self-hosted distribution +1. Hostname of your Terraform Cloud, self-hosted distribution 1. Name of your organization -1. [Team API token](/terraform/cloud-docs/users-teams-organizations/api-tokens) used for authentication with HCP Terraform +1. [Team API token](/terraform/cloud-docs/users-teams-organizations/api-tokens) used for authentication with Terraform Cloud -Prior to running CTS with an HCP Terraform driver, you will need an account and organization set up, as well as a dedicated token. We recommend using a team token that is restricted to [Manage Workspaces](/terraform/cloud-docs/users-teams-organizations/teams#managing-workspace-access)-level permissions. Below are the steps for the recommended setup. +Prior to running CTS with a Terraform Cloud driver, you will need an account and organization set up, as well as a dedicated token. We recommend using a team token that is restricted to [Manage Workspaces](/terraform/cloud-docs/users-teams-organizations/teams#managing-workspace-access)-level permissions. Below are the steps for the recommended setup. -The first step is to create an account with your HCP Terraform service. After creating an account, create a new [organization](/terraform/cloud-docs/users-teams-organizations/organizations#creating-organizations) or select an existing organization. The address of your HCP Terraform service will be used to configure the [`hostname`](/consul/docs/nia/configuration#hostname), and the organization name will be used to configure the [`organization`](/consul/docs/nia/configuration#organization) on the HCP Terraform driver. +The first step is to create an account with your Terraform Cloud service. After creating an account, create a new [organization](/terraform/cloud-docs/users-teams-organizations/organizations#creating-organizations) or select an existing organization. The address of your Terraform Cloud service will be used to configure the [`hostname`](/consul/docs/reference/cts/configuration#hostname), and the organization name will be used to configure the [`organization`](/consul/docs/reference/cts/configuration#organization) on the Terraform Cloud driver. Once you have an account and organization, the next step is to [create a team](/terraform/cloud-docs/users-teams-organizations/teams). We recommend using a dedicated team and team token to run and authenticate CTS. Using a team token has the benefits of restricting organization permissions as well as associating CTS automated actions with the team rather than an individual. @@ -127,12 +127,12 @@ After creating a dedicated team, update the team's permissions with "Manage Work [![CTS Terraform Team Setup](/img/nia/cts-tfc-team-setup.png)](/img/nia/cts-tfc-team-setup.png) -After setting the team's permissions, the final setup step is to [generate the associated team token](/terraform/cloud-docs/users-teams-organizations/api-tokens), which can be done on the same team management page. This token will be used by CTS for API authentication and will be used to configure the [`token`](/consul/docs/nia/configuration#token) on the HCP Terraform driver. +After setting the team's permissions, the final setup step is to [generate the associated team token](/terraform/cloud-docs/users-teams-organizations/api-tokens), which can be done on the same team management page. This token will be used by CTS for API authentication and will be used to configure the [`token`](/consul/docs/reference/cts/configuration#token) on the Terraform Cloud driver. ### Recommendations We recommend configuring workspaces managed by CTS with [run notifications](/terraform/cloud-docs/workspaces/settings/notifications) through the Terraform web application. Run notifications notify external systems about the progress of runs and could help notify users of CTS events, particularly errored runs. -[![CTS HCP Terraform Run Notifications](/img/nia/cts-tfc-run-notifications.png)](/img/nia/cts-tfc-run-notifications.png) +[![CTS Terraform Cloud Run Notifications](/img/nia/cts-tfc-run-notifications.png)](/img/nia/cts-tfc-run-notifications.png) -In order to configure a run notification, users can [manually create a notification configuration](/terraform/cloud-docs/workspaces/settings/notifications#creating-a-notification-configuration) for workspaces automated by CTS. A workspace may already exist for a task if the workspace name is identical to the configured task's [`name`](/consul/docs/nia/configuration#name-2). This may occur if CTS has already already run and created the workspace for the task. This may also occur if the workspace is manually created for the task prior to CTS running. +In order to configure a run notification, users can [manually create a notification configuration](/terraform/cloud-docs/workspaces/settings/notifications#creating-a-notification-configuration) for workspaces automated by CTS. A workspace may already exist for a task if the workspace name is identical to the configured task's [`name`](/consul/docs/reference/cts/configuration#name-2). This may occur if CTS has already already run and created the workspace for the task. This may also occur if the workspace is manually created for the task prior to CTS running. diff --git a/website/content/docs/nia/network-drivers/terraform.mdx b/website/content/docs/cts/network-drivers/terraform.mdx similarity index 80% rename from website/content/docs/nia/network-drivers/terraform.mdx rename to website/content/docs/cts/network-drivers/terraform.mdx index 1796c1298fa..1d08e320338 100644 --- a/website/content/docs/nia/network-drivers/terraform.mdx +++ b/website/content/docs/cts/network-drivers/terraform.mdx @@ -22,7 +22,7 @@ Once all workspaces are set up, CTS monitors the Consul catalog for service chan Within the CTS configuration for a task, practitioners can select the desired module to run for the task as well as set the condition to execute the task. Each task executed by the Terraform driver corresponds to an automated root module that calls the selected module in an isolated Terraform environment. CTS will manage concurrent execution of these tasks. -Autogenerated root modules for tasks are maintained in local subdirectories of the CTS working directory. Each subdirectory represents the local workspace for a task. By default, the working directory `sync-tasks` is created in the current directory. To configure where Terraform configuration files are stored, set [`working_dir`](/consul/docs/nia/configuration#working_dir) to the desired path or configure the [`task.working_dir`](/consul/docs/nia/configuration#working_dir-1) individually. +Autogenerated root modules for tasks are maintained in local subdirectories of the CTS working directory. Each subdirectory represents the local workspace for a task. By default, the working directory `sync-tasks` is created in the current directory. To configure where Terraform configuration files are stored, set [`working_dir`](/consul/docs/reference/cts/configuration#working_dir) to the desired path or configure the [`task.working_dir`](/consul/docs/reference/cts/configuration#working_dir-1) individually. ~> **Note:** Although Terraform state files for task workspaces are independent, this does not guarantee the infrastructure changes from concurrent task executions are independent. Ensure that modules across all tasks are not modifying the same resource objects or have overlapping changes that may result in race conditions during automation. @@ -43,18 +43,18 @@ sync-tasks/ └── terraform.tfvars.tmpl ``` -The following files of the root module are generated for each task. An [example of a root module created by CTS](https://github.com/hashicorp/consul-terraform-sync/tree/master/examples) can be found in the project repository. +The following files of the root module are generated for each task. An [example of a root module created by CTS](https://github.com/hashicorp/consul-terraform-sync/tree/master/multi) can be found in the project repository. - `main.tf` - The main file contains the terraform block, provider blocks, and a module block calling the module configured for the task. - `terraform` block - The corresponding provider source and versions for the task from the configuration files are placed into this block for the root module. The Terraform backend from the configuration is also templated here. - `provider` blocks - The provider blocks generated in the root module resemble the `terraform_provider` blocks from the configuration for CTS. They have identical arguments present and are set from the intermediate variable created per provider. - `module` block - The module block is where the task's module is called as a [child module](/terraform/language/modules). The child module contains the core logic for automation. Required and optional input variables are passed as arguments to the module. - `variables.tf` - This file contains three types of variable declarations. - - `services` input variable (required) determines module compatibility with Consul-Terraform Sync (read more on [compatible Terraform modules](/consul/docs/nia/terraform-modules) for more details). - - Any additional [optional input variables](/consul/docs/nia/terraform-modules#optional-input-variables) provided by CTS that the module may use. + - `services` input variable (required) determines module compatibility with Consul-Terraform Sync (read more on [compatible Terraform modules](/consul/docs/reference/cts/terraform-module) for more details). + - Any additional [optional input variables](/consul/docs/reference/cts/terraform-module#optional-input-variables) provided by CTS that the module may use. - Various intermediate variables used to configure providers. Intermediate provider variables are interpolated from the provider blocks and arguments configured in the CTS configuration. -- `variables.module.tf` - This file is created if there are [variables configured for the task](/consul/docs/nia/configuration#variable_files) and contains the interpolated variable declarations that match the variables from configuration. These are then used to proxy the configured variables to the module through explicit assignment in the module block. -- `providers.tfvars` - This file is created if there are [providers configured for the task](/consul/docs/nia/configuration#providers) and defined [`terraform_provider` blocks](/consul/docs/nia/configuration#terraform-provider). This file may contain sensitive information. To omit sensitive information from this file, you can [securely configure Terraform providers for CTS](/consul/docs/nia/configuration#securely-configure-terraform-providers) using environment variables or templating. +- `variables.module.tf` - This file is created if there are [variables configured for the task](/consul/docs/reference/cts/configuration#variable_files) and contains the interpolated variable declarations that match the variables from configuration. These are then used to proxy the configured variables to the module through explicit assignment in the module block. +- `providers.tfvars` - This file is created if there are [providers configured for the task](/consul/docs/reference/cts/configuration#providers) and defined [`terraform_provider` blocks](/consul/docs/reference/cts/configuration#terraform-provider). This file may contain sensitive information. To omit sensitive information from this file, you can [securely configure Terraform providers for CTS](/consul/docs/reference/cts/configuration#securely-configure-terraform-providers) using environment variables or templating. - `terraform.tfvars` - The variable definitions file is where the services input variable and any optional CTS input variables are assigned values from Consul. It is periodically updated, typically when the task condition is met, to reflect the current state of Consul. - `terraform.tfvars.tmpl` - The template file is used by CTS to template information from Consul by using the HashiCorp configuration and templating library ([hashicorp/hcat](https://github.com/hashicorp/hcat)). diff --git a/website/content/docs/nia/usage/requirements.mdx b/website/content/docs/cts/requirements.mdx similarity index 89% rename from website/content/docs/nia/usage/requirements.mdx rename to website/content/docs/cts/requirements.mdx index e7c5fe8c879..40ce40853bf 100644 --- a/website/content/docs/nia/usage/requirements.mdx +++ b/website/content/docs/cts/requirements.mdx @@ -15,7 +15,7 @@ The following components are required to run Consul-Terraform-Sync (CTS): You can add support for your network infrastructure through Terraform providers so that you can apply Terraform modules to implement network integrations. -The following guidance is for running CTS using the Terraform driver. The HCP Terraform driver has [additional prerequisites](/consul/docs/nia/network-drivers/terraform-cloud#setting-up-terraform-cloud-driver). +The following guidance is for running CTS using the Terraform driver. The Terraform Cloud driver has [additional prerequisites](/consul/docs/nia/network-drivers/terraform-cloud#setting-up-terraform-cloud-driver). ## Run a Consul cluster @@ -35,9 +35,9 @@ The Consul agent must be running in order to dynamically update network devices. When running a Consul agent with CTS in production, consider that CTS uses [blocking queries](/consul/api-docs/features/blocking) to monitor task dependencies, such as changes to registered services. This results in multiple long-running TCP connections between CTS and the agent to poll changes for each dependency. Consul may quickly reach the agent connection limits if CTS is monitoring a high number of services. -To avoid reaching the limit prematurely, we recommend using HTTP/2 (requires HTTPS) to communicate between CTS and the Consul agent. When using HTTP/2, CTS establishes a single connection and reuses it for all communication. Refer to the [Consul Configuration section](/consul/docs/nia/configuration#consul) for details. +To avoid reaching the limit prematurely, we recommend using HTTP/2 (requires HTTPS) to communicate between CTS and the Consul agent. When using HTTP/2, CTS establishes a single connection and reuses it for all communication. Refer to the [Consul Configuration section](/consul/docs/reference/cts/configuration#consul) for details. -Alternatively, you can configure the [`limits.http_max_conns_per_client`](/consul/docs/agent/config/config-files#http_max_conns_per_client) option to set a maximum number of connections to meet your needs. +Alternatively, you can configure the [`limits.http_max_conns_per_client`](/consul/docs/reference/agent#http_max_conns_per_client) option to set a maximum number of connections to meet your needs. ### Register services @@ -58,7 +58,7 @@ $ curl --request PUT --data @payload.json http://localhost:8500/v1/agent/service The example represents a non-existent web service running at `10.10.10.10:8000` that is now available for CTS to consume. -You can configure CTS to monitor the web service, execute a task, and update network device(s) by configuring `web` in the [`condition "services"`](/consul/docs/nia/configuration#services-condition) task block. If the web service has any non-default values, it can also be configured in `condition "services"`. +You can configure CTS to monitor the web service, execute a task, and update network device(s) by configuring `web` in the [`condition "services"`](/consul/docs/reference/cts/configuration#services-condition) task block. If the web service has any non-default values, it can also be configured in `condition "services"`. For more details on registering a service using the HTTP API endpoint, refer to the [register service API docs](/consul/api-docs/agent/service#register-service). @@ -87,9 +87,9 @@ If a Terraform provider does not exist for your environment, you can create a ne The Terraform module for a task in CTS is the core component of the integration. It declares which resources to use and how your infrastructure is dynamically updated. The module, along with how it is configured within a task, determines the conditions under which your infrastructure is updated. -Working with a Terraform provider, you can write an integration task for CTS by [creating a Terraform module](/consul/docs/nia/terraform-modules) that is compatible with the Terraform driver. You can also use a [module built by partners](#partner-terraform-modules). +Working with a Terraform provider, you can write an integration task for CTS by [creating a Terraform module](/consul/docs/reference/cts/terraform-module) that is compatible with the Terraform driver. You can also use a [module built by partners](#partner-terraform-modules). -Refer to [Configuration](/consul/docs/nia/configuration) for information about configuring CTS and how to use Terraform providers and modules for tasks. +Refer to [Configuration](/consul/docs/reference/cts/configuration) for information about configuring CTS and how to use Terraform providers and modules for tasks. ### Partner Terraform Modules diff --git a/website/content/docs/nia/usage/run-ha.mdx b/website/content/docs/cts/run.mdx similarity index 67% rename from website/content/docs/nia/usage/run-ha.mdx rename to website/content/docs/cts/run.mdx index 7ef90e29d08..1f611c72f5c 100644 --- a/website/content/docs/nia/usage/run-ha.mdx +++ b/website/content/docs/cts/run.mdx @@ -1,6 +1,6 @@ --- layout: docs -page_title: Run Consul-Terraform-Sync with high availability +page_title: Run Consul-Terraform-Sync description: >- Improve network automation resiliency by enabling high availability for Consul-Terraform-Sync. HA enables persistent task and event data so that CTS functions as expected during a failover event. --- @@ -11,6 +11,52 @@ description: >- An enterprise license is only required for enterprise distributions of Consul-Terraform-Sync (CTS). +Basic run + +``` +--- +layout: docs +page_title: Run Consul-Terraform-Sync +description: >- + Consul-Terraform-Sync requires a Terraform Provider, a Terraform Module and a running Consul Cluster outside of the `consul-terraform-sync` daemon. +--- +``` + +# Run Consul-Terraform-Sync + +This topic describes the basic procedure for running Consul-Terraform-Sync (CTS). Verify that you have met the [basic requirements](/consul/docs/nia/usage/requirements) before attempting to run CTS. + +1. Move the `consul-terraform-sync` binary to a location available on your `PATH`. + + ```shell-session + $ mv ~/Downloads/consul-terraform-sync /usr/local/bin/consul-terraform-sync + ``` + +2. Create the config.hcl file and configure the options for your use case. Refer to the [configuration reference](/consul/docs/reference/cts/configuration) for details about all CTS configurations. + +3. Run Consul-Terraform-Sync (CTS). + + ```shell-session + $ consul-terraform-sync start -config-file + ``` + +4. Check status of tasks. Replace port number if configured in Step 2. Refer to [Consul-Terraform-Sync API](/consul/docs/reference/cts/api) for additional information. + + ```shell-session + $ curl localhost:8558/status/tasks + ``` + +## Other Run modes + +You can [configure CTS for high availability](/consul/docs/nia/usage/run-ha), which is an enterprise capability that ensures that all changes to Consul that occur during a failover transition are processed and that CTS continues to operate as expected. + +You can start CTS in [inspect mode](/consul/docs/reference/cts/cli/start#modes) to review and test your configuration before applying any changes. Inspect mode allows you to verify that the changes work as expected before running them in an unsupervised daemon mode. + +For hands-on instructions on using inspect mode, refer to the [Consul-Terraform-Sync Run Modes and Status Inspection](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-run-and-inspect?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) tutorial. + + +--- + This topic describes how to run Consul-Terraform-Sync (CTS) configured for high availability. High availability is an enterprise capability that ensures that all changes to Consul that occur during a failover transition are processed and that CTS continues to operate as expected. ## Introduction @@ -35,8 +81,8 @@ The following diagram shows the CTS cluster state after the leader stops. CTS In - The time it takes for a new leader to be elected is determined by the `high_availability.cluster.storage.session_ttl` configuration. The minimum failover time is equal to the `session_ttl` value. The maximum failover time is double the `session_ttl` value. - If failover occurs during task execution, a new leader is elected. The new leader will attempt to run all tasks once before continuing to monitor for changes. -- If using the [HCP Terraform driver](/consul/docs/nia/network-drivers/terraform-cloud), the task finishes and CTS starts a new leader that attempts to queue a run for each task in HCP Terraform in once-mode. -- If using [Terraform driver](/consul/docs/nia/network-drivers/terraform), the task may complete depending on the cause of the failover. The new leader starts and attempts to run each task in [once-mode](/consul/docs/nia/cli/start#modes). Depending on the module and provider, the task may require manual intervention to fix any inconsistencies between the infrastructure and Terraform state. +- If using the [Terraform Cloud (TFC) driver](/consul/docs/nia/network-drivers/terraform-cloud), the task finishes and CTS starts a new leader that attempts to queue a run for each task in TFC in once-mode. +- If using [Terraform driver](/consul/docs/nia/network-drivers/terraform), the task may complete depending on the cause of the failover. The new leader starts and attempts to run each task in [once-mode](/consul/docs/reference/cts/cli/start#modes). Depending on the module and provider, the task may require manual intervention to fix any inconsistencies between the infrastructure and Terraform state. - If failover occurs when no task is executing, CTS elects a new leader that attempts to run all tasks in once-mode. Note that driver behavior is consistent whether or not CTS is running in high availability mode. @@ -51,11 +97,11 @@ Verify that you have met the [basic requirements](/consul/docs/nia/usage/require You must configure appropriate ACL permissions for your cluster. Refer to [ACL permissions](#) for details. -We recommend specifying the [HCP Terraform driver](/consul/docs/nia/network-drivers/terraform-cloud) in your CTS configuration if you want to run in high availability mode. +We recommend specifying the [TFC driver](/consul/docs/nia/network-drivers/terraform-cloud) in your CTS configuration if you want to run in high availability mode. ## Configuration -Add the `high_availability` block in your CTS configuration and configure the required settings to enable high availability. Refer to the [Configuration reference](/consul/docs/nia/configuration#high-availability) for details about the configuration fields for the `high_availability` block. +Add the `high_availability` block in your CTS configuration and configure the required settings to enable high availability. Refer to the [Configuration reference](/consul/docs/reference/cts/configuration#high-availability) for details about the configuration fields for the `high_availability` block. The following example configures high availability functionality for a cluster named `cts-cluster`: @@ -81,7 +127,7 @@ high_availability { ### ACL permissions -The `session` and `keys` resources in your Consul environment must have `write` permissions. Refer to the [ACL documentation](/consul/docs/security/acl) for details on how to define ACL policies. +The `session` and `keys` resources in your Consul environment must have `write` permissions. Refer to the [ACL documentation](/secure-consul/acl) for details on how to define ACL policies. If the `high_availability.cluster.storage.namespace` field is configured, then your ACL policy must also enable `write` permissions for the `namespace` resource. @@ -89,12 +135,12 @@ If the `high_availability.cluster.storage.namespace` field is configured, then y We recommend deploying a cluster that includes three CTS instances. This is so that the cluster has one leader and two followers. -1. Create an HCL configuration file that includes the settings you want to include, including the `high_availability` block. Refer to [Configuration Options for Consul-Terraform-Sync](/consul/docs/nia/configuration) for all configuration options. -1. Issue the startup command and pass the configuration file. Refer to the [`start` command reference](/consul/docs/nia/cli/start#modes) for additional information about CTS startup modes. +1. Create an HCL configuration file that includes the settings you want to include, including the `high_availability` block. Refer to [Configuration Options for Consul-Terraform-Sync](/consul/docs/reference/cts/configuration) for all configuration options. +1. Issue the startup command and pass the configuration file. Refer to the [`start` command reference](/consul/docs/reference/cts/cli/start#modes) for additional information about CTS startup modes. ```shell-session $ consul-terraform-sync start -config-file ha-config.hcl ``` -1. You can call the `/status` API endpoint to verify the status of tasks CTS is configured to monitor. Only the leader of the cluster will return a successful response. Refer to the [`/status` API reference documentation](/consul/docs/nia/api/status) for information about usage and responses. +1. You can call the `/status` API endpoint to verify the status of tasks CTS is configured to monitor. Only the leader of the cluster will return a successful response. Refer to the [`/status` API reference documentation](/consul/docs/reference/cts/api/status) for information about usage and responses. ```shell-session $ curl localhost:/status/tasks @@ -106,7 +152,7 @@ Repeat the procedure to start the remaining instances for your cluster. We recom You can implement a rolling update to update a non-task configuration for a CTS instance, such as the Consul connection settings. If you need to update a task in the instance configuration, refer to [Modify tasks](#modify-tasks). -1. Identify the leader CTS instance by either making a call to the [`status/cluster` API endpoint](/consul/docs/nia/api/status#cluster-status) or by checking the logs for the following entry: +1. Identify the leader CTS instance by either making a call to the [`status/cluster` API endpoint](/consul/docs/reference/cts/api/status#cluster-status) or by checking the logs for the following entry: ```shell-session [INFO] ha: acquired leadership lock: id= ``` @@ -126,18 +172,18 @@ You can use the following methods for modifying tasks when high availability is We recommend deleting and recreating a task if you need to make a modification. Use the CTS API to identify the CTS leader instance and replace a task. -1. Identify the leader CTS instance by either making a call to the [`status/cluster` API endpoint](/consul/docs/nia/api/status#cluster-status) or by checking the logs for the following entry: +1. Identify the leader CTS instance by either making a call to the [`status/cluster` API endpoint](/consul/docs/reference/cts/api/status#cluster-status) or by checking the logs for the following entry: ```shell-session [INFO] ha: acquired leadership lock: id= ``` -1. Send a `DELETE` call to the [`/task/` endpoint](/consul/docs/nia/api/tasks#delete-task) to delete the task. In the following example, the leader instance is at `localhost:8558`: +1. Send a `DELETE` call to the [`/task/` endpoint](/consul/docs/reference/cts/api/tasks#delete-task) to delete the task. In the following example, the leader instance is at `localhost:8558`: ```shell-session $ curl --request DELETE localhost:8558/v1/tasks/task_a ``` - You can also use the [`task delete` command](/consul/docs/nia/cli/task#task-delete) to complete this step. + You can also use the [`task delete` command](/consul/docs/reference/cts/cli/task#task-delete) to complete this step. 1. Send a `POST` call to the `/task/` endpoint and include the updated task in your payload. ```shell-session @@ -147,11 +193,11 @@ We recommend deleting and recreating a task if you need to make a modification. localhost:8558/v1/tasks ``` - You can also use the [`task-create` command](/consul/docs/nia/cli/task#task-create) to complete this step. + You can also use the [`task-create` command](/consul/docs/reference/cts/cli/task#task-create) to complete this step. ### Discard data with the `-reset-storage` flag -You can restart the CTS cluster using the [`-reset-storage` flag](/consul/docs/nia/cli/start#options) to discard persisted data if you need to update a task. +You can restart the CTS cluster using the [`-reset-storage` flag](/consul/docs/reference/cts/cli/start#options) to discard persisted data if you need to update a task. 1. Stop a follower instance. 1. Update the instance’s task configuration. @@ -164,7 +210,7 @@ You can restart the CTS cluster using the [`-reset-storage` flag](/consul/docs/n Use the following troubleshooting procedure if a previous leader had been running a task successfully but the new leader logs an error after a failover: -1. Check the logs printed to the console for errors. Refer to the [`syslog` configuration](/consul/docs/nia/configuration#syslog) for information on how to locate the logs. In the following example output, CTS reported a `401: Bad credentials` error: +1. Check the logs printed to the console for errors. Refer to the [`syslog` configuration](/consul/docs/reference/cts/configuration#syslog) for information on how to locate the logs. In the following example output, CTS reported a `401: Bad credentials` error: ```shell-session 2022-08-23T09:25:09.501-0700 [ERROR] tasksmanager: error applying task: task_name=config-task error= diff --git a/website/content/docs/nia/tasks.mdx b/website/content/docs/cts/task.mdx similarity index 69% rename from website/content/docs/nia/tasks.mdx rename to website/content/docs/cts/task.mdx index f3a0ab11f35..b9cce12c5c1 100644 --- a/website/content/docs/nia/tasks.mdx +++ b/website/content/docs/cts/task.mdx @@ -24,15 +24,15 @@ task { } ``` -In the example task above, the "fake-firewall" and "null" providers, listed in the `providers` field, are used. These providers themselves should be configured in their own separate [`terraform_provider` blocks](/consul/docs/nia/configuration#terraform-provider). These providers are used in the Terraform module "example/firewall-policy/module", configured in the `module` field, to create, update, and destroy resources. This module may do something like use the providers to create and destroy firewall policy objects based on IP addresses. The IP addresses come from the "web" and "image" service instances configured in the `condition "services"` block. This service-level information is retrieved by CTS which watches Consul catalog for changes. +In the example task above, the "fake-firewall" and "null" providers, listed in the `providers` field, are used. These providers themselves should be configured in their own separate [`terraform_provider` blocks](/consul/docs/reference/cts/configuration#terraform-provider). These providers are used in the Terraform module "example/firewall-policy/module", configured in the `module` field, to create, update, and destroy resources. This module may do something like use the providers to create and destroy firewall policy objects based on IP addresses. The IP addresses come from the "web" and "image" service instances configured in the `condition "services"` block. This service-level information is retrieved by CTS which watches Consul catalog for changes. -See [task configuration](/consul/docs/nia/configuration#task) for more details on how to configure a task. +See [task configuration](/consul/docs/reference/cts/configuration#task) for more details on how to configure a task. -A task can be either enabled or disabled using the [task cli](/consul/docs/nia/cli/task). When enabled, tasks are executed and automated as described in sections below. However, disabled tasks do not execute when changes are detected from Consul catalog. Since disabled tasks do not execute, they also do not store [events](/consul/docs/nia/tasks#event) until re-enabled. +A task can be either enabled or disabled using the [task cli](/consul/docs/reference/cts/cli/task). When enabled, tasks are executed and automated as described in sections below. However, disabled tasks do not execute when changes are detected from Consul catalog. Since disabled tasks do not execute, they also do not store [events](/consul/docs/reference/cts/task#event) until re-enabled. ## Task Execution -An enabled task can be configured to monitor and execute on different types of conditions, such as changes to services ([services condition](/consul/docs/nia/tasks#services-condition)) or service registration and deregistration ([catalog-services condition](/consul/docs/nia/tasks#catalog-services-condition)). +An enabled task can be configured to monitor and execute on different types of conditions, such as changes to services ([services condition](/consul/docs/reference/cts/task#services-condition)) or service registration and deregistration ([catalog-services condition](/consul/docs/reference/cts/task#catalog-services-condition)). A task can also monitor, but not execute on, other variables that provide additional information to the task's module. For example, a task with a catalog-services condition may execute on registration changes and additionally monitor service instances for IP information. @@ -43,8 +43,8 @@ All configured monitored information, regardless if it's used for execution or n Tasks with the services condition monitor and execute on either changes to a list of configured services or changes to any services that match a given regex. There are two ways to configure a task with a services condition. Only one of the two options below can be configured for a single task: -1. Configure a task's [`services`](/consul/docs/nia/configuration#services) field (deprecated) to specify the list of services to trigger the task -1. Configure a task's `condition` block with the [services condition](/consul/docs/nia/configuration#services-condition) type to specify services to trigger the task. +1. Configure a task's [`services`](/consul/docs/reference/cts/configuration#services) field (deprecated) to specify the list of services to trigger the task +1. Configure a task's `condition` block with the [services condition](/consul/docs/reference/cts/configuration#services-condition) type to specify services to trigger the task. The services condition operates by monitoring the [Health List Nodes For Service API](/consul/api-docs/health#list-nodes-for-service) and executing the task on any change of information for services configured. These changes include one or more changes to service values, like IP address, added or removed service instance, or tags. A complete list of values that would cause a task to run are expanded below: @@ -81,7 +81,7 @@ task { } ``` -The services condition can provide input for the [`services` input variable](/consul/docs/nia/terraform-modules#services-variable) that is required for each CTS module. This can be provided depending on how the services condition is configured: +The services condition can provide input for the [`services` input variable](/consul/docs/reference/cts/terraform-module#services-variable) that is required for each CTS module. This can be provided depending on how the services condition is configured: - task's `services` field (deprecated): services object is automatically passed as module input - task's `condition "services"` block: users can configure the `use_as_module_input` field to optionally use the condition's services object as module input - Field was previously named `source_includes_var` (deprecated) @@ -113,9 +113,9 @@ task { } ``` -Using the condition block's `use_as_module_input` field, users can configure CTS to use the condition's object as module input for the [`catalog_services` input variable](/consul/docs/nia/terraform-modules#catalog-services-variable). Users can refer to the configured module's documentation on how to set `use_as_module_input`. +Using the condition block's `use_as_module_input` field, users can configure CTS to use the condition's object as module input for the [`catalog_services` input variable](/consul/docs/reference/cts/terraform-module#catalog-services-variable). Users can refer to the configured module's documentation on how to set `use_as_module_input`. -See the [Catalog-Services Condition](/consul/docs/nia/configuration#catalog-services-condition) configuration section for further details and additional configuration options. +See the [Catalog-Services Condition](/consul/docs/reference/cts/configuration#catalog-services-condition) configuration section for further details and additional configuration options. ### Consul KV Condition @@ -140,15 +140,15 @@ task { } ``` -Using the condition block's `use_as_module_input` field, users can configure CTS to use the condition's object as module input for the [`consul_kv` input variable](/consul/docs/nia/terraform-modules#consul-kv-variable). Users can refer to the configured module's documentation on how to set `use_as_module_input`. +Using the condition block's `use_as_module_input` field, users can configure CTS to use the condition's object as module input for the [`consul_kv` input variable](/consul/docs/reference/cts/terraform-module#consul-kv-variable). Users can refer to the configured module's documentation on how to set `use_as_module_input`. -See the [Consul-KV Condition](/consul/docs/nia/configuration#consul-kv-condition) configuration section for more details and additional configuration options. +See the [Consul-KV Condition](/consul/docs/reference/cts/configuration#consul-kv-condition) configuration section for more details and additional configuration options. ### Schedule Condition -All scheduled tasks must be configured with a schedule condition. The schedule condition sets the cadence to trigger a task with a [`cron`](/consul/docs/nia/configuration#cron) configuration. The schedule condition block does not support parameters to configure module input. As a result, inputs must be configured separately. You can configure [`module_input` blocks](/consul/docs/nia/configuration#module_input) to define the module inputs. +All scheduled tasks must be configured with a schedule condition. The schedule condition sets the cadence to trigger a task with a [`cron`](/consul/docs/reference/cts/configuration#cron) configuration. The schedule condition block does not support parameters to configure module input. As a result, inputs must be configured separately. You can configure [`module_input` blocks](/consul/docs/reference/cts/configuration#module_input) to define the module inputs. -Below is an example configuration for a task that will execute every Monday, which is set by the schedule condition's [`cron`](/consul/docs/nia/configuration#cron) configuration. The module input is defined by the `module_input` block. When the task is triggered on Monday, it will retrieve the latest information on "web" and "db" from Consul and provide this to the module's input variables. +Below is an example configuration for a task that will execute every Monday, which is set by the schedule condition's [`cron`](/consul/docs/reference/cts/configuration#cron) configuration. The module input is defined by the `module_input` block. When the task is triggered on Monday, it will retrieve the latest information on "web" and "db" from Consul and provide this to the module's input variables. ```hcl task { @@ -167,25 +167,25 @@ task { Below are the available options for module input types and how to configure them: -- [Services module input](/consul/docs/nia/terraform-modules/#services-module-input): - - [`task.services`](/consul/docs/nia/configuration#services) field (deprecated) - - [`module_input "services"`](/consul/docs/nia/configuration#services-configure-input) block +- [Services module input](/consul/docs/reference/cts/terraform-module/#services-module-input): + - [`task.services`](/consul/docs/reference/cts/configuration#services) field (deprecated) + - [`module_input "services"`](/consul/docs/reference/cts/configuration#services-configure-input) block - Block was previously named `source_input "services"` (deprecated) -- [Consul KV module input](/consul/docs/nia/terraform-modules/#consul-kv-module-input): - - [`module_input "consul-kv"`](/consul/docs/nia/configuration#consul-kv-module-input) +- [Consul KV module input](/consul/docs/reference/cts/terraform-module/#consul-kv-module-input): + - [`module_input "consul-kv"`](/consul/docs/reference/cts/configuration#consul-kv-module-input) - Block was previously named `source_input "consul-kv"` (deprecated) #### Running Behavior Scheduled tasks generally run on schedule, but they can be triggered on demand when running CTS in the following ways: -- [Long-running mode](/consul/docs/nia/cli#long-running-mode): At the beginning of the long-running mode, CTS first passes through a once-mode phase in which all tasks are executed once. Scheduled tasks will trigger once during this once-mode phase. This behavior also applies to tasks that are not scheduled. After once-mode has completed, scheduled tasks subsequently trigger on schedule. +- [Long-running mode](/consul/docs/reference/cts/cli#long-running-mode): At the beginning of the long-running mode, CTS first passes through a once-mode phase in which all tasks are executed once. Scheduled tasks will trigger once during this once-mode phase. This behavior also applies to tasks that are not scheduled. After once-mode has completed, scheduled tasks subsequently trigger on schedule. -- [Inspect mode](/consul/docs/nia/cli#inspect-mode): When running in inspect mode, the terminal will output a plan of proposed updates that would be made if the tasks were to trigger at that moment and then exit. No changes are applied in this mode. The outputted plan for a scheduled task is also the proposed updates that would be made if the task was triggered at that moment, even if off-schedule. +- [Inspect mode](/consul/docs/reference/cts/cli#inspect-mode): When running in inspect mode, the terminal will output a plan of proposed updates that would be made if the tasks were to trigger at that moment and then exit. No changes are applied in this mode. The outputted plan for a scheduled task is also the proposed updates that would be made if the task was triggered at that moment, even if off-schedule. -- [Once mode](/consul/docs/nia/cli#once-mode): During the once mode, all tasks are only triggered one time. Scheduled tasks will execute during once mode even if not on the schedule. +- [Once mode](/consul/docs/reference/cts/cli#once-mode): During the once mode, all tasks are only triggered one time. Scheduled tasks will execute during once mode even if not on the schedule. -- [Enable CLI](/consul/docs/nia/cli/task#task-enable): When a task is enabled through the CLI, any type of task, including scheduled tasks, will be triggered at that time. +- [Enable CLI](/consul/docs/reference/cts/cli/task#task-enable): When a task is enabled through the CLI, any type of task, including scheduled tasks, will be triggered at that time. #### Buffer Period @@ -199,11 +199,11 @@ Because scheduled tasks trigger on a configured cadence, buffer periods are disa CTS will attempt to execute each enabled task once upon startup to synchronize infrastructure with the current state of Consul. The daemon will stop and exit if any error occurs while preparing the automation environment or executing a task for the first time. This helps ensure tasks have proper configuration and are executable before the daemon transitions into running tasks in full automation as service changes are discovered over time. As a result, it is not recommended to configure a task as disabled from the start. After all tasks have successfully executed once, task failures during automation will be logged and retried or attempted again after a subsequent change. -Tasks are executed near-real time when service changes are detected. For services or environments that are prone to flapping, it may be useful to configure a [buffer period](/consul/docs/nia/configuration#buffer_period-1) for a task to accumulate changes before it is executed. The buffer period would reduce the number of consecutive network calls to infrastructure by batching changes for a task over a short duration of time. +Tasks are executed near-real time when service changes are detected. For services or environments that are prone to flapping, it may be useful to configure a [buffer period](/consul/docs/reference/cts/configuration#buffer_period-1) for a task to accumulate changes before it is executed. The buffer period would reduce the number of consecutive network calls to infrastructure by batching changes for a task over a short duration of time. ## Status Information -Status-related information is collected and offered via [status API](/consul/docs/nia/api#status) to provide visibility into what and how the tasks are running. Information is offered in three-levels (lowest to highest): +Status-related information is collected and offered via [status API](/consul/docs/reference/cts/api#status) to provide visibility into what and how the tasks are running. Information is offered in three-levels (lowest to highest): - Event data - Task status @@ -233,7 +233,7 @@ Sample event: } ``` -For complete information on the event structure, see [events in our API documentation](/consul/docs/nia/api#event). Event information can be retrieved by using the [`include=events` parameter](/consul/docs/nia/api#include) with the [task status API](/consul/docs/nia/api#task-status). +For complete information on the event structure, see [events in our API documentation](/consul/docs/reference/cts/api#event). Event information can be retrieved by using the [`include=events` parameter](/consul/docs/reference/cts/api#include) with the [task status API](/consul/docs/reference/cts/api#task-status). ### Task Status @@ -251,7 +251,7 @@ Sample task status: } ``` -Task status information can be retrieved with [task status API](/consul/docs/nia/api#task-status). The API documentation includes details on what health statuses are available and how it is calculated based on events' success/failure information. +Task status information can be retrieved with [task status API](/consul/docs/reference/cts/api#task-status). The API documentation includes details on what health statuses are available and how it is calculated based on events' success/failure information. ### Overall Status @@ -269,4 +269,4 @@ Sample overall status: } ``` -Overall status information can be retrieved with [overall status API](/consul/docs/nia/api#overall-status). The API documentation includes details on what health statuses are available and how it is calculated based on task statuses' health status information. +Overall status information can be retrieved with [overall status API](/consul/docs/reference/cts/api#overall-status). The API documentation includes details on what health statuses are available and how it is calculated based on task statuses' health status information. diff --git a/website/content/docs/nia/terraform-modules.mdx b/website/content/docs/cts/terraform-module.mdx similarity index 83% rename from website/content/docs/nia/terraform-modules.mdx rename to website/content/docs/cts/terraform-module.mdx index 8e041de79b7..30c245abf79 100644 --- a/website/content/docs/nia/terraform-modules.mdx +++ b/website/content/docs/cts/terraform-module.mdx @@ -37,14 +37,14 @@ A task's module input is slightly different from the task's condition, even thou The module input, however, monitors defined objects with the intent of providing values or metadata about these objects to the Terraform module. The monitored module input and condition objects can be the same object, such as a task configured with a `condition "services"` block and `use_as_module_input` set to `true`. The module input and condition can also be different objects and configured separately, such as a task configured with a `condition "catalog-services` and `module_input "consul-kv"` block. As a result, the monitored module input is decoupled from the provided condition in order to satisfy the Terraform module. -Each type of object that CTS monitors can only be defined through one configuration within a task definition. For example, if a task monitors services, the task cannot have both `condition "services"` and `module_input "services"` configured. See [Task Module Input configuration](/consul/docs/nia/configuration#task-module-input) for more details. +Each type of object that CTS monitors can only be defined through one configuration within a task definition. For example, if a task monitors services, the task cannot have both `condition "services"` and `module_input "services"` configured. See [Task Module Input configuration](/consul/docs/reference/cts/configuration#task-module-input) for more details. There are a few ways that a module input can be defined: -- [**`services` list**](/consul/docs/nia/configuration#services) (deprecated) - The list of services to use as module input. +- [**`services` list**](/consul/docs/reference/cts/configuration#services) (deprecated) - The list of services to use as module input. - **`condition` block's `use_as_module_input` field** - When set to true, the condition's objects are used as module input. - Field was previously named `source_includes_var` (deprecated) -- [**`module_input` blocks**](/consul/docs/nia/configuration#module-input) - This block can be configured multiple times to define objects to use as module input. +- [**`module_input` blocks**](/consul/docs/reference/cts/configuration#module-input) - This block can be configured multiple times to define objects to use as module input. - Block was previously named `source_input` (deprecated) Multiple ways of defining a module input adds configuration flexibility, and allows for optional additional input variables to be supported by CTS alongside the `services` input variable. @@ -95,10 +95,10 @@ services = { In order to configure a task with the services module input, the list of services that will be used for the input must be configured in one of the following ways: -- the task's [`services`](/consul/docs/nia/configuration#services) (deprecated) -- a [`condition "services"` block](/consul/docs/nia/configuration#services-condition) configured with `use_as_module_input` field set to true +- the task's [`services`](/consul/docs/reference/cts/configuration#services) (deprecated) +- a [`condition "services"` block](/consul/docs/reference/cts/configuration#services-condition) configured with `use_as_module_input` field set to true - Field was previously named `source_includes_var` (deprecated) -- a [`module_input "services"` block](/consul/docs/nia/configuration#services-module-input) +- a [`module_input "services"` block](/consul/docs/reference/cts/configuration#services-module-input) - Block was previously named `source_input "services"` (deprecated) The services module input operates by monitoring the [Health List Nodes For Service API](/consul/api-docs/health#list-nodes-for-service) and provides the latest service information to the input variables. A complete list of service information that would be provided to the module is expanded below: @@ -155,12 +155,12 @@ consul_kv = { To configure a task with the Consul KV module input, the KVs which will be used for the input must be configured in one of the following ways: -- a [`condition "consul-kv"` block](/consul/docs/nia/configuration#consul-kv-condition) configured with the `use_as_module_input` field set to true. +- a [`condition "consul-kv"` block](/consul/docs/reference/cts/configuration#consul-kv-condition) configured with the `use_as_module_input` field set to true. - Field was previously named `source_includes_var` (deprecated) -- a [`module_input "consul-kv"` block](/consul/docs/nia/configuration#consul-kv-module-input). +- a [`module_input "consul-kv"` block](/consul/docs/reference/cts/configuration#consul-kv-module-input). - Block was previously named `source_input "consul-kv"` (deprecated) -Below is a similar example to the one provided in the [Consul KV Condition](/consul/docs/nia/tasks#consul-kv-condition) section. However, the difference in this example is that instead of triggering based on a change to Consul KV, this task will instead execute on a schedule. Once execution is triggered, Consul KV information is then provided to the task's module. +Below is a similar example to the one provided in the [Consul KV Condition](/consul/docs/reference/cts/task#consul-kv-condition) section. However, the difference in this example is that instead of triggering based on a change to Consul KV, this task will instead execute on a schedule. Once execution is triggered, Consul KV information is then provided to the task's module. ```hcl task { @@ -201,7 +201,7 @@ catalog_services = { To configure a task with the Catalog Services module input, the catalog services which will be used for the input must be configured in one of the following ways: -- a [`condition "catalog-services"` block](/consul/docs/nia/configuration#consul-kv-condition) configured with `use_as_module_input` field. +- a [`condition "catalog-services"` block](/consul/docs/reference/cts/configuration#consul-kv-condition) configured with `use_as_module_input` field. - Field was previously named `source_includes_var` (deprecated) -> **Note:** Currently there is no support for a `module_input "catalog-services"` block. @@ -250,11 +250,11 @@ resource "local_file" "consul_services" { -Something important to consider before authoring your module is deciding the [condition under which it will execute](/consul/docs/nia/tasks#task-execution). This will allow you to potentially use other types of CTS provided input variables in your module. It will also help inform your documentation and how users should configure their task for your module. +Something important to consider before authoring your module is deciding the [condition under which it will execute](/consul/docs/reference/cts/task#task-execution). This will allow you to potentially use other types of CTS provided input variables in your module. It will also help inform your documentation and how users should configure their task for your module. ### Services Variable -To satisfy the specification requirements for a compatible module, copy the `services` variable declaration to the `variables.tf` file. Your module can optionally have other [variable declarations](#module-input-variables) and [CTS provided input variables](/consul/docs/nia/terraform-modules#optional-input-variables) in addition to `var.services`. +To satisfy the specification requirements for a compatible module, copy the `services` variable declaration to the `variables.tf` file. Your module can optionally have other [variable declarations](#module-input-variables) and [CTS provided input variables](/consul/docs/reference/cts/terraform-module#optional-input-variables) in addition to `var.services`. @@ -288,7 +288,7 @@ variable "services" { -Keys of the `services` map are unique identifiers of the service across Consul agents and data centers. Keys follow the format `service-id.node.datacenter` (or `service-id.node.namespace.datacenter` for Consul Enterprise). A complete list of attributes available for the `services` variable is included in the [documentation for CTS tasks](/consul/docs/nia/tasks#services-condition). +Keys of the `services` map are unique identifiers of the service across Consul agents and data centers. Keys follow the format `service-id.node.datacenter` (or `service-id.node.namespace.datacenter` for Consul Enterprise). A complete list of attributes available for the `services` variable is included in the [documentation for CTS tasks](/consul/docs/reference/cts/task#services-condition). Terraform variables when passed as module arguments can be [lossy for object types](/terraform/language/expressions/type-constraints#conversion-of-complex-types). This allows CTS to declare the full variable with every object attribute in the generated root module, and pass the variable to a child module that contains a subset of these attributes for its variable declaration. Modules compatible with CTS may simplify the `var.services` declaration within the module by omitting unused attributes. For example, the following services variable has 4 attributes with the rest omitted. @@ -313,7 +313,7 @@ variable "services" { ### Catalog Services Variable -If you are creating a module for a [catalog-services condition](/consul/docs/nia/tasks#catalog-services-condition), then you have the option to add the `catalog_services` variable, which contains service registration and tag information. If your module would benefit from consuming this information, you can copy the `catalog_services` variable declaration to your `variables.tf` file in addition to the other variables. +If you are creating a module for a [catalog-services condition](/consul/docs/reference/cts/task#catalog-services-condition), then you have the option to add the `catalog_services` variable, which contains service registration and tag information. If your module would benefit from consuming this information, you can copy the `catalog_services` variable declaration to your `variables.tf` file in addition to the other variables. @@ -328,13 +328,13 @@ variable "catalog_services" { The keys of the `catalog_services` map are the names of the services that are registered with Consul at the given datacenter. The value for each service name is a list of all known tags for that service. -We recommend that if you make a module with with a catalog-services condition, that you document this in the README. This way, users that want to configure a task with your module will know to configure a catalog-services [condition](/consul/docs/nia/configuration#condition) block. +We recommend that if you make a module with with a catalog-services condition, that you document this in the README. This way, users that want to configure a task with your module will know to configure a catalog-services [condition](/consul/docs/reference/cts/configuration#condition) block. -Similarly, if you use the `catalog_services` variable in your module, we recommend that you also document this usage in the README. Users of your module will then know to set the catalog-services condition [`use_as_module_input`](/consul/docs/nia/configuration#catalog-services-condition) configuration to be true. When this field is set to true, CTS will declare the `catalog_services` variable in the generated root module, and pass the variable to a child module. Therefore, if this field is configured inconsistently, CTS will error and exit. +Similarly, if you use the `catalog_services` variable in your module, we recommend that you also document this usage in the README. Users of your module will then know to set the catalog-services condition [`use_as_module_input`](/consul/docs/reference/cts/configuration#catalog-services-condition) configuration to be true. When this field is set to true, CTS will declare the `catalog_services` variable in the generated root module, and pass the variable to a child module. Therefore, if this field is configured inconsistently, CTS will error and exit. ### Consul KV Variable -If you are creating a module for a [consul-kv condition](/consul/docs/nia/tasks#consul-kv-condition), then you have the option to add the `consul_kv` variable, which contains a map of the keys and values for the Consul KV pairs. If your module would benefit from consuming this information, you can copy the `consul_kv` variable declaration to your `variables.tf` file in addition to the other variables. +If you are creating a module for a [consul-kv condition](/consul/docs/reference/cts/task#consul-kv-condition), then you have the option to add the `consul_kv` variable, which contains a map of the keys and values for the Consul KV pairs. If your module would benefit from consuming this information, you can copy the `consul_kv` variable declaration to your `variables.tf` file in addition to the other variables. @@ -347,7 +347,7 @@ variable "consul_kv" { -If your module contains the `consul_kv` variable, we recommend documenting the usage in the README file so that users know to set the [`use_as_module_input`](/consul/docs/nia/configuration#consul-kv-condition) configuration to `true` in the `consul-kv` condition. Setting the field to `true` instructs CTS to declare the `consul_kv` variable in the generated root module and pass the variable to a child module. Therefore, if this field is configured inconsistently, CTS will error and exit. +If your module contains the `consul_kv` variable, we recommend documenting the usage in the README file so that users know to set the [`use_as_module_input`](/consul/docs/reference/cts/configuration#consul-kv-condition) configuration to `true` in the `consul-kv` condition. Setting the field to `true` instructs CTS to declare the `consul_kv` variable in the generated root module and pass the variable to a child module. Therefore, if this field is configured inconsistently, CTS will error and exit. ### Module Input Variables @@ -359,7 +359,7 @@ Network infrastructure differs vastly across teams and organizations, and the au 4. Set reasonable default values for variables that are optional, or omit default values for variables that are required module arguments. 5. Set the [sensitive argument](/terraform/language/values/variables) for variables that contain secret or sensitive values. When set, Terraform will redact the value from output when Terraform commands are run. -Terraform is an explicit configuration language and requires variables to be declared, typed, and passed explicitly through as module arguments. CTS abstracts this by creating intermediate variables at the root level from the module input. These values are configured by practitioners within the [`task` block](/consul/docs/nia/configuration#variable_files). Value assignments are parsed to interpolate the corresponding variable declaration and are written to the appropriate Terraform files. A few assumptions are made for the intermediate variables: the variables users provide CTS are declared and supported by the module, matching name and type. +Terraform is an explicit configuration language and requires variables to be declared, typed, and passed explicitly through as module arguments. CTS abstracts this by creating intermediate variables at the root level from the module input. These values are configured by practitioners within the [`task` block](/consul/docs/reference/cts/configuration#variable_files). Value assignments are parsed to interpolate the corresponding variable declaration and are written to the appropriate Terraform files. A few assumptions are made for the intermediate variables: the variables users provide CTS are declared and supported by the module, matching name and type. ### Module Guidelines diff --git a/website/content/docs/deploy/index.mdx b/website/content/docs/deploy/index.mdx new file mode 100644 index 00000000000..fccf04acf79 --- /dev/null +++ b/website/content/docs/deploy/index.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Deploy Consul +description: >- + Placeholder +--- + +# Deploy Consul overview + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/deploy/server/ecs.mdx b/website/content/docs/deploy/server/ecs.mdx new file mode 100644 index 00000000000..697f0dfc09f --- /dev/null +++ b/website/content/docs/deploy/server/ecs.mdx @@ -0,0 +1,150 @@ +--- +layout: docs +page_title: Consul Enterprise on AWS Elastic Container Service (ECS) +description: >- + You can deploy Consul Enterprise on Amazon Web Services ECS with an official Docker image. Learn about supported Enterprise features, including requirements for admin partitions, namespaces, and audit logging. +--- + +# Deploy Consul Enterprise on AWS Elastic Container Service (ECS) + +You can run Consul Enterprise on ECS by specifying the Consul Enterprise Docker image in the Terraform module parameters. + +## Specify the Consul image + +When you set up an instance of the [`mesh-task`](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task) or [`gateway-task`](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/gateway-task) module, +set the parameter `consul_image` to a Consul Enterprise image. The following example instructs the `mesh-task` module to import Consul Enterprise version 1.12.0: + +```hcl +module "my_task" { + source = "hashicorp/consul-ecs/aws//modules/mesh-task" + version = "" + + consul_image = "hashicorp/consul-enterprise:1.12.0-ent" + ... +} +``` + +## Licensing + +!> **Warning:** Consul Enterprise is currently only fully supported when [ACLs are enabled](/consul/docs/ecs/deploy/terraform#secure-configuration-requirements). + +Consul Enterprise [requires a license](/consul/docs/enterprise/license/overview). If running +Consul on ECS with ACLs enabled, the license will be automatically pulled down from Consul servers. + +Currently there is no capability for specifying the license when ACLs are disabled so if you wish to +run Consul Enterprise clients then you must enable ACLs. + +## Running Consul Community Edition clients + +You can operate Consul Enterprise servers with Consul CE (community edition) clients as long as the features you are using do not require Consul Enterprise client support. Admin partitions and namespaces, for example, require Consul Enterprise clients and are not supported with Consul CE. + +## Feature Support + +Consul on ECS supports the following Consul Enterprise features. +If you are only using features that run on Consul servers, then you can use a CE client in your service mesh tasks on ECS. +If client support is required for any of the features, then you must use a Consul Enterprise client in your `mesh-tasks`. + +| Feature | Supported | Description | +|-----------------------------------|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Automated Backups/Snapshot Agent | Yes\* | Running the snapshot agent on ECS is not currently supported but you are able to run the snapshot agent alongside your Consul servers on VMs. | +| Automated Upgrades | Yes (servers) | This feature runs on Consul servers. | +| Enhanced Read Scalability | Yes (servers) | This feature runs on Consul servers. | +| Single Sign-On/OIDC | Yes (servers) | This feature runs on Consul servers. | +| Redundancy Zones | Yes (servers) | This feature runs on Consul servers. | +| Advanced Federation/Network Areas | Yes (servers) | This feature runs on Consul servers. | +| Sentinel | Yes (servers) | This feature runs on Consul servers. | +| Network Segments | No | Currently there is no capability to configure the network segment Consul clients on ECS run in. | +| Namespaces | Yes | This feature requires Consul Enterprise servers. CE clients can register into the `default` namespace. Registration into a non-default namespace requires a Consul Enterprise client. | +| Admin Partitions | Yes | This feature requires Consul Enterprise servers. CE clients can register into the `default` admin partition. Registration into a non-default partition requires a Consul Enterprise client. | +| Audit Logging | Yes | This feature requires Consul Enterprise clients. | + +### Admin Partitions and Namespaces + +Consul on ECS supports [admin partitions](/consul/docs/enterprise/admin-partitions) and [namespaces](/consul/docs/enterprise/namespaces) when Consul Enterprise servers and clients are used. These features have the following requirements: + +- ACLs must be enabled. +- ACL controller must run in the ECS cluster. +- `mesh-task` must use a Consul Enterprise client image. +- `gateway-task` must use a Consul Enterprise client image. + +The ACL controller manages configuration of the AWS IAM auth method on the Consul servers. It +ensures unused tokens created by tasks are cleaned up. It also creates admin partitions and +namespaces if they do not already exist. + +~> **Note:** The ACL controller does not delete admin partitions or namespaces once they are created. + +Each ACL controller manages a single admin partition. Consul on ECS supports one ACL controller per ECS cluster; +therefore, the administrative boundary for admin partitions is one admin partition per ECS cluster. + +The following example demonstrates how to configure the ACL controller to enable admin partitions +and manage an admin partition named `my-partition`. The `consul_partition` field is optional and if it +is not provided when `consul_partitions_enabled = true`, will default to the `default` admin partition. + + + +```hcl +module "acl_controller" { + source = "hashicorp/consul-ecs/aws//modules/acl-controller" + + ... + + consul_partitions_enabled = true + consul_partition = "my-partition" +} +``` + + + +Services are assigned to admin partitions and namespaces through the use of [task tags](/consul/docs/ecs/deploy/manual#configure-task-tags). +The `mesh-task` module automatically adds the necessary tags to the task definition. +If the ACL controller is configured for admin partitions, services on the mesh will +always be assigned to an admin partition and namespace. If the `mesh-task` does not define +the partition it will default to the `default` admin partition. Similarly, if a `mesh-task` does +not define the namespace it will default to the `default` namespace. + +The following example demonstrates how to create a `mesh-task` assigned to the admin partition named +`my-partition`, in the `my-namespace` namespace. + + + +```hcl +module "my_task" { + source = "hashicorp/consul-ecs/aws//modules/mesh-task" + family = "my_task" + + ... + + consul_image = "hashicorp/consul-enterprise:-ent" + consul_partition = "my-partition" + consul_namespace = "my-namespace" +} +``` + + + +### Audit Logging + +Consul on ECS supports [audit logging](/consul/docs/enterprise/audit-logging) when using Consul Enterprise clients. +This feature has the following requirements: + +- ACLs must be enabled. +- `mesh-task` must use a Consul Enterprise image. +- `gateway-task` must use a Consul Enterprise image. + +To enable audit logging, set `audit_logging = true` when configuring the client. + + + +```hcl +module "my_task" { + source = "hashicorp/consul-ecs/aws//modules/mesh-task" + family = "my_task" + + ... + + consul_image = "hashicorp/consul-enterprise:-ent" + audit_logging = true +} +``` + + diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/deploy/server/fips.mdx similarity index 75% rename from website/content/docs/enterprise/fips.mdx rename to website/content/docs/deploy/server/fips.mdx index dc4d2ed3bc9..da7068398d7 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/deploy/server/fips.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: FIPS 140-2 +page_title: Deploy FIPS 140-2 compliant Consul servers description: >- - A version of Consul compliant with FIPS 140-2 is available to Enterprise users. Learn about where to find FIPS-compliant versions of Consul, its usage restrictions, technical details, and Leidos validation. + A version of Consul compliant with FIPS 140-2 is available to Enterprise users. Learn about where to find FIPS-compliant versions of Consul, as well as usage restrictions and technical details. --- -# FIPS 140-2 +# Deploy FIPS 140-2 compliant Consul servers This feature requires Consul Enterprise. @@ -13,13 +13,13 @@ description: >- Builds of Consul Enterprise marked with a `fips1402` feature name include built-in support for FIPS 140-2 compliance. -To use this feature, you must have an [active or trial license for Consul Enterprise](/consul/docs/enterprise/license/overview). To start a trial, contact HashiCorp sales. +To use this feature, you must have an [active or trial license for Consul Enterprise](/consul/docs/enterprise/license). To start a trial, contact HashiCorp sales. ## Using FIPS 140-2 Consul Enterprise -FIPS 140-2 builds of Consul Enterprise behave in the same way as non-FIPS builds. There are no restrictions on Consul algorithms and ensuring that Consul remains in a FIPS-compliant mode of operation is your responsibility. To maintain FIPS-compliant operation, you must [ensure that TLS is enabled](/consul/tutorials/archive/tls-encryption-secure) so that communication is encrypted. Consul products surface some helpful warnings where settings are insecure. +FIPS 140-2 builds of Consul Enterprise behave in the same way as non-FIPS builds. There are no restrictions on Consul algorithms and ensuring that Consul remains in a FIPS-compliant mode of operation is your responsibility. To maintain FIPS-compliant operation, you must [ensure that TLS is enabled](/consul/docs/secure-consul/encryption/tls/builtin) so that communication is encrypted. Consul products surface some helpful warnings where settings are insecure. -Encryption is disabled in Consul Enterprise by default. As a result, Consul may transmit sensitive control plane information. You must ensure that gossip encryption and mTLS is enabled for all agents when running Consul with FIPS-compliant settings. In addition, be aware that TLS v1.3 does not work with FIPS 140-2, as HKDF is not a certified primitive. +Encryption is disabled in Consul Enterprise by default. As a result, Consul may transmit sensitive control plane information. You must ensure that gossip encryption and mTLS is enabled for all agents when running Consul with FIPS-compliant settings. In addition, be aware that TLSv1.3 does not work with FIPS 140-2, as HKDF is not a certified primitive. HashiCorp is not a NIST-certified testing laboratory and can only provide general guidance about using Consul Enterprise in a FIPS-compliant manner. We recommend consulting an approved auditor for further information. @@ -32,10 +32,6 @@ The FIPS 140-2 variant of Consul uses separate binaries that are available from The above naming conventions, which append `.fips1402` to binary names and tags, and `-fips` to registry names, also apply to `consul-k8s`, `consul-k8s-control-plane`, `consul-dataplane`, and `consul-ecs`, which are packaged separately from Consul Enterprise. -### Cluster peering support - -A Consul cluster running FIPS variants of Consul can peer with any combination of standard (non-FIPS) Consul clusters and FIPS Consul clusters. Consul supports all cluster peering features between FIPS clusters and non-FIPS clusters. - ### Usage restrictions When using Consul Enterprise with FIPS 140-2, be aware of the following operation restrictions: @@ -126,21 +122,6 @@ Similarly, on a FIPS Windows binary, run `go tool nm` on the binary to get a sym On both Linux and Windows non-FIPS builds, the search output yields no results. -## Leidos validation - -In 2024, Leidos certified the integration of FIPS 140-2 cryptographic module [BoringCrypto Cert. #4407](https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/4407) for the following Consul releases: - -- Consul Enterprise builds: - - [`consul_1.16.0+ent.fips1402`](https://releases.hashicorp.com/consul/1.16.0+ent.fips1402/) - - [`consul_1.16.1+ent.fips1402`](https://releases.hashicorp.com/consul/1.16.1+ent.fips1402/) -- Consul Dataplane builds: - - [`consul-dataplane_1.2.0+fips1402`](https://releases.hashicorp.com/consul-dataplane/1.2.0+fips1402/) - - [`consul-dataplane_1.2.1+fips1402`](https://releases.hashicorp.com/consul-dataplane/1.2.1+fips1402/) -- Consul K8s builds: - - [`consul-k8s_1.2.0+fips1402`](https://releases.hashicorp.com/consul-k8s/1.2.0+fips1402/) - - [`consul-k8s_1.2.1+fips1402`](https://releases.hashicorp.com/consul-k8s/1.2.1+fips1402/) -- Consul K8s Control Plane builds: - - [`consul-k8s-control-plane_1.2.0+fips1402`](https://releases.hashicorp.com/consul-k8s-control-plane/1.2.0+fips1402/) - - [`consul-k8s-control-plane_1.2.1+fips1402`](https://releases.hashicorp.com/consul-k8s-control-plane/1.2.2+fips1402/) +### Compliance validation -For more information about verified platform architectures and confirmed feature support, [review the Leidos certification letter](https://www.datocms-assets.com/2885/1715791547-boringcrypto_compliance_letter_signed.pdf). \ No newline at end of file +A Lab, authorized by the U.S. Government to certify FIPS 140-2 compliance, is in the process of verifying that Consul Enterprise and its related packages are compliant with the requirements of FIPS 140-2 Level 1. diff --git a/website/content/docs/deploy/server/hcp.mdx b/website/content/docs/deploy/server/hcp.mdx new file mode 100644 index 00000000000..33d58068ff4 --- /dev/null +++ b/website/content/docs/deploy/server/hcp.mdx @@ -0,0 +1,44 @@ +--- +layout: docs +page_title: Deploy servers on HCP Consul +description: >- + This topic provides an overview for deploying clusters of Consul servers using HCP Consul. You can deploy HashiCorp-managed clusters or create and link a new self-managed cluster. +--- + +# Deploy servers on HCP Consul + +This page provides an overview for deploying Consul servers using HCP Consul. You can deploy HashiCorp-managed clusters or you can use guided workflows to create a self-managed cluster and link it to HCP Consul Central. + +For more information about HashiCorp-managed clusters and how they differ from self-managed clusters, refer to [cluster management](/hcp/docs/consul/cluster-management) in the HCP Consul documentation. + +## Introduction + +Creating a HashiCorp-managed server cluster simplifies the overall process of bootstrapping Consul servers. Additional cluster maintenance operations are also simplified through the HCP Consul UI. The HCP platform automates the following parts of a server's lifecycle: + +- Generating and distributing a gossip key between servers +- Starting the certificate authority and distributing TLS certificates to servers +- Bootstrapping the ACL system and saving tokens to a secure Vault environment +- Rotating expired TLS certificates after expiration +- Upgrading servers to new versions of Consul + +You can also link your own self-managed Consul server clusters, or clusters you install, configure, and manage yourself, to HCP Consul. Using self-managed clusters with HCP Consul can help you streamline network operations while maintaining control over your clusters. It also enables HCP Consul Central features, such as observability dashboards, for your self-managed clusters. + +## Guidance + +The following resources are available in the [HCP Consul documentation](/hcp/docs/consul) to help you deploy HashiCorp-managed servers. + +### Tutorials + +- [Deploy HCP Consul](/consul/tutorials/get-started-hcp/hcp-gs-deploy) demonstrates the end-to-end deployment for a development tier cluster using the automated Terraform workflow. + +### Concepts and reference + +- [Cluster management](/hcp/docs/consul/concepts/cluster-management) explains the difference between HashiCorp-managed clusters and self-managed clusters. +- [Cluster tiers](/hcp/docs/consul/concepts/cluster-tiers) explains how the tier you select when creating a HashiCorp-managed cluster determines its multi-cloud functionality. +- [Cluster configuration reference](/hcp/docs/consul/hcp-managed/reference) provides reference information about cluster properties, including the [ports HashiCorp-managed servers listen on](/hcp/docs/consul/hcp-managed/reference#cluster-server-ports). + +### Usage documentation + +- [Create a HashiCorp-managed cluster](/hcp/docs/consul/hcp-managed/create) +- [Access a HashiCorp-managed cluster](/hcp/docs/consul/hcp-managed/access) +- [Link new self-managed clusters](/hcp/docs/consul/self-managed/new) \ No newline at end of file diff --git a/website/content/docs/deploy/server/index.mdx b/website/content/docs/deploy/server/index.mdx new file mode 100644 index 00000000000..a24219c4383 --- /dev/null +++ b/website/content/docs/deploy/server/index.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Deploy Consul servers overview page +description: >- + Placeholder +--- + +# Deploy Consul servers overview page + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/deploy/server/k8s/consul-k8s.mdx b/website/content/docs/deploy/server/k8s/consul-k8s.mdx new file mode 100644 index 00000000000..254c15f252e --- /dev/null +++ b/website/content/docs/deploy/server/k8s/consul-k8s.mdx @@ -0,0 +1,95 @@ +--- +layout: docs +page_title: Install Consul on Kubernetes with the Consul K8s CLI +description: >- + You can use the Consul K8s CLI tool to schedule Kubernetes deployments instead of using Helm. Learn how to download and install the tool to interact with Consul on Kubernetes using the `consul-k8s` command. +--- + +# Install Consul on Kubernetes with the Consul K8s CLI + +This topic describes how to install Consul on Kubernetes using the Consul K8s CLI (`consul-k8s`). The Consul K8s CLI lets you quickly install and interact with Consul on Kubernetes. Use the Consul K8s CLI tool to install Consul on Kubernetes if you are deploying a single cluster. + +We recommend using the [Helm chart installation method](/consul/docs/deploy/server/k8s/helm) if you are installing Consul on Kubernetes for multi-cluster deployments that involve cross-partition or cross datacenter communication. + +## Requirements + +You must meet the following requirements to install Consul on Kubernetes with `consul-k8s`: + +- `kubectl` configured to point to the Kubernetes cluster you want to install Consul on +- `consul-k8s` installed on your local machine. Refer to [Consul on Kubernetes CLI reference](/consul/docs/reference-cli/consul-k8s#install-the-cli) for instructions. + + + + You must install the correct version of the CLI for your Consul on Kubernetes deployment. To deploy a previous version of Consul on Kubernetes, download the specific version of the CLI that matches the version of the control plane that you would like to deploy. Refer to the [compatibility matrix](/consul/docs/k8s/compatibility) for details. + + + + +## Install Consul on Kubernetes + +Issue the `install` subcommand to install Consul on your existing Kubernetes cluster. If you do not include any additional options, the `consul-k8s` CLI installs Consul on Kubernetes using the default settings from the Consul Helm chart values. + +You can specify options to configure your Consul install. For example, you can include the `-auto-approve` option set to `true` to proceed with the installation if the pre-install checks pass. Refer to the [Consul K8s CLI reference](/consul/docs/reference-cli/consul-k8s) for details about all commands and available options. + +The following example installs Consul on Kubernetes with service mesh and CRDs enabled. + +```shell-session +$ consul-k8s install +==> Pre-Install Checks +No existing installations found. + ✓ No previous persistent volume claims found + ✓ No previous secrets found +==> Consul Installation Summary + Installation name: consul + Namespace: consul + Overrides: + connectInject: + enabled: true + + Proceed with installation? (y/N) y + +==> Running Installation + ✓ Downloaded charts +--> creating 1 resource(s) +--> creating 45 resource(s) +--> beginning wait for 45 resources with timeout of 10m0s + ✓ Consul installed into namespace "consul" +``` + +The pre-install checks may fail if existing `PersistentVolumeClaims` (PVC) are detected. Refer to the [uninstall instructions](/consul/docs/deploy/server/k8s/uninstall) for information about removing PVCs. + +## Custom installation + +You can create a values file and specify parameters to overwrite the default Helm chart installation. Add the `-f` and specify your values file to implement your configuration, for example: + +```shell-session +$ consul-k8s install -f values.yaml +``` + +### Install Consul on OpenShift clusters + +[Red Hat OpenShift](https://www.redhat.com/en/technologies/cloud-computing/openshift) is a security-conscious, opinionated wrapper for Kubernetes. To install Consul on OpenShift-managed Kubernetes, set `global.openshift.enabled=true` in your [custom installation](#custom-installation) values file: + +```yaml +global: + openshift: + enabled: true +``` + +Refer to [`openshift` in the Helm chart reference](/consul/docs/reference/k8s/helm#v-global-openshift) for additional information. + +## Check the Consul cluster status + +Issue the `consul-k8s status` command to view the status of the installed Consul cluster. + +```shell-session +$ consul-k8s status + +==> Consul-K8s Status Summary + NAME | NAMESPACE | STATUS | CHARTVERSION | APPVERSION | REVISION | LAST UPDATED +---------+-----------+----------+--------------+------------+----------+-------------------------- + consul | consul | deployed | 0.40.0 | 1.14.0 | 1 | 2022/01/31 16:58:51 PST + +✓ Consul servers healthy (3/3) +✓ Consul clients healthy (3/3) +``` diff --git a/website/content/docs/k8s/deployment-configurations/consul-enterprise.mdx b/website/content/docs/deploy/server/k8s/enterprise.mdx similarity index 55% rename from website/content/docs/k8s/deployment-configurations/consul-enterprise.mdx rename to website/content/docs/deploy/server/k8s/enterprise.mdx index 29314c94354..a475a2242f2 100644 --- a/website/content/docs/k8s/deployment-configurations/consul-enterprise.mdx +++ b/website/content/docs/deploy/server/k8s/enterprise.mdx @@ -7,22 +7,36 @@ description: >- # Deploy Consul Enterprise on Kubernetes -You can use this Helm chart to deploy Consul Enterprise by following a few extra steps. +This topic describes how to install Consul Enterprise on Kubernetes using the Helm chart. It assumes you are storing your license as a Kubernetes Secret. If you would like to store the enterprise license in Vault, reference [Store Enterprise license in Vault](/consul/docs/deploy/server/k8s/multi/vault/data-integration/enterprise-license). + +## Requirements Find the license file that you received in your welcome email. It should have a `.hclic` extension. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart. --> **Note:** This guide assumes you are storing your license as a Kubernetes Secret. If you would like to store the enterprise license in Vault, please reference [Storing the Enterprise License in Vault](/consul/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license). + + +If you cannot find your `.hclic` file, please contact your sales team or Technical Account Manager. -You can use the following commands to create the secret with name `consul-ent-license` and key `key`: + + -```bash -secret=$(cat 1931d1f4-bdfd-6881-f3f5-19349374841f.hclic) -kubectl create secret generic consul-ent-license --from-literal="key=${secret}" +## Create Kubernetes secret + +Export an environment variable named `secret` with the contents of your Enterprise license file. + +```shell-session +$ secret=$(cat 1931d1f4-bdfd-6881-f3f5-19349374841f.hclic) ``` --> **Note:** If you cannot find your `.hclic` file, please contact your sales team or Technical Account Manager. +Create a Kubernetes secret named `consul-ent-license` and key `key` with the value of the license file. -In your `values.yaml`, change the value of `global.image` to one of the enterprise [release tags](https://hub.docker.com/r/hashicorp/consul-enterprise/tags). +```shell-session +$ kubectl create secret generic consul-ent-license --from-literal="key=${secret}" +``` + +## Configure Helm chart + +In your `values.yaml`, change the value of `global.image` to one of the enterprise [release tags](https://hub.docker.com/r/hashicorp/consul-enterprise/tags). Enterprise images end with `-ent`. @@ -33,9 +47,15 @@ global: -Add the name and key of the secret you just created to `server.enterpriseLicense`, if using Consul version 1.10+. +Define your Consul Enterprise secret. + + + + - +If you are using Consul v1.10+, add the name and key of the secret you just created to `server.enterpriseLicense`. + + ```yaml global: @@ -47,12 +67,14 @@ global: -If the version of Consul is < 1.10, use the following config with the name and key of the secret you just created. -(These values are required on top of your normal configuration.) + + + +If you are using a Consul version older than 1.10, use the following configuration with the name and key of the secret you just created. These values are required on top of your normal configuration. --> **Note:** The value of `server.enterpriseLicense.enableLicenseAutoload` must be set to `false`. +You must set `server.enterpriseLicense.enableLicenseAutoload` to `false`. - + ```yaml global: @@ -65,23 +87,29 @@ global: -Now run `helm install`: + + + + +## Install Consul Enterprise + +Now, install Consul Enterprise on your Kubernetes cluster using the updated Helm chart. ```shell-session $ helm install --wait hashicorp hashicorp/consul --values values.yaml ``` -Once the cluster is up, you can verify the nodes are running Consul Enterprise by -using the `consul license get` command. +## Verify installation + +Once the cluster is up, you can verify the nodes are running Consul Enterprise by using the `consul license get` command. -First, forward your local port 8500 to the Consul servers so you can run `consul` -commands locally against the Consul servers in Kubernetes: +First, forward your local port 8500 to the Consul servers so you can run `consul` commands locally against the Consul servers in Kubernetes. ```shell-session $ kubectl port-forward service/hashicorp-consul-server 8500:8500 ``` -In a separate tab, run the `consul license get` command (if using ACLs see below): +In a separate tab, run the `consul license get` command. ```shell-session $ consul license get @@ -98,6 +126,11 @@ Licensed Features: Network Segments Redundancy Zone Advanced Network Federation +``` + +List the Consul servers. Notice the `+ent` in the `Build` column, indicating that the servers are running Consul Enterprise. + +```shell-session $ consul members Node Address Status Type Build Protocol DC Segment hashicorp-consul-server-0 10.60.0.187:8301 alive server 1.10.0+ent 2 dc1 @@ -105,20 +138,21 @@ hashicorp-consul-server-1 10.60.1.229:8301 alive server 1.1 hashicorp-consul-server-2 10.60.2.197:8301 alive server 1.10.0+ent 2 dc1 ``` -If you get an error: +### ACLs enabled + +If the commands return the following error message, your Consul deployment likely has ACLs enabled. ```bash Error getting license: invalid character 'r' looking for beginning of value ``` -Then you have likely enabled ACLs. You need to specify your ACL token when -running the `license get` command. First, assign the ACL token to the `CONSUL_HTTP_TOKEN` environment variable: +You need to specify your ACL token when running the `license get` command. First, assign the ACL token to the `CONSUL_HTTP_TOKEN` environment variable: ```shell-session $ export CONSUL_HTTP_TOKEN=$(kubectl get secrets/hashicorp-consul-bootstrap-acl-token --template='{{.data.token | base64decode }}') ``` -Now the token will be used when running Consul commands: +Now, the token will be used when running Consul commands. ```shell-session $ consul license get diff --git a/website/content/docs/k8s/installation/install.mdx b/website/content/docs/deploy/server/k8s/helm.mdx similarity index 57% rename from website/content/docs/k8s/installation/install.mdx rename to website/content/docs/deploy/server/k8s/helm.mdx index 30dab8c19d8..58d741818a9 100644 --- a/website/content/docs/k8s/installation/install.mdx +++ b/website/content/docs/deploy/server/k8s/helm.mdx @@ -7,25 +7,27 @@ description: >- # Install Consul on Kubernetes with Helm -This topic describes how to install Consul on Kubernetes using the official Consul Helm chart. For instruction on how to install Consul on Kubernetes using the Consul K8s CLI, refer to [Installing the Consul K8s CLI](/consul/docs/k8s/installation/install-cli). +This topic describes how to install Consul on Kubernetes using the official Consul Helm chart. We recommend using this method if you are installing Consul on Kubernetes for multi-cluster deployments that involve cross-partition or cross datacenter communication. + +For instruction on how to install Consul on Kubernetes using the Consul K8s CLI, refer to [Install Consul on Kubernetes with the Consul K8s CLI](http://localhost:3000/consul/docs/deploy/server/k8s/consul-k8s-cli). ## Introduction We recommend using the Consul Helm chart to install Consul on Kubernetes for multi-cluster installations that involve cross-partition or cross datacenter communication. The Helm chart installs and configures all necessary components to run Consul. -Consul can run directly on Kubernetes so that you can leverage Consul functionality if your workloads are fully deployed to Kubernetes. For heterogeneous workloads, Consul agents can join a server running inside or outside of Kubernetes. Refer to the [Consul on Kubernetes architecture](/consul/docs/k8s/architecture) to learn more about its general architecture. +Consul can run directly on Kubernetes so that you can leverage Consul functionality if your workloads are fully deployed to Kubernetes. For heterogeneous workloads, Consul agents can join a server running inside or outside of Kubernetes. Refer to the [Consul on Kubernetes architecture](/consul/docs/architecture/kubernetes) to learn more about its general architecture. The Helm chart exposes several useful configurations and automatically sets up complex resources, but it does not automatically operate Consul. You must still become familiar with how to monitor, backup, and upgrade the Consul cluster. -The Helm chart has no required configuration, so it installs a Consul cluster with default configurations. We strongly recommend that you [learn about the configuration options](/consul/docs/k8s/helm#configuration-values) before going to production. +The Helm chart has no required configuration, so it installs a Consul cluster with default configurations. We strongly recommend that you [learn about the configuration options](/consul/docs/reference/k8s/helm) before going to production. --> **Security warning**: By default, Helm installs Consul with security configurations disabled so that the out-of-box experience is optimized for new users. We strongly recommend using a properly-secured Kubernetes cluster or making sure that you understand and enable [Consul’s security features](/consul/docs/security) before going into production. Some security features are not supported in the Helm chart and require additional manual configuration. + + +By default, Helm installs Consul with security configurations disabled so that the out-of-box experience is optimized for new users. We strongly recommend using a properly-secured Kubernetes cluster or making sure that you understand and enable [Consul's security features](/consul/docs/secure-consul) before going into production. Some security features are not supported in the Helm chart and require additional manual configuration. -Refer to the [architecture](/consul/docs/k8s/installation/install#architecture) section to learn more about the general architecture of Consul on Kubernetes. + -For a hands-on experience with Consul as a service mesh -for Kubernetes, follow the [Getting Started with Consul service -mesh](/consul/tutorials/get-started-kubernetes) tutorial. +For a hands-on experience with Consul as a service mesh for Kubernetes, follow the [Getting Started with Consul service mesh](/consul/tutorials/get-started-kubernetes) tutorial. ## Requirements @@ -40,12 +42,12 @@ Using the Helm Chart requires Helm version 3.6+. Visit the [Helm website](https: "hashicorp" has been added to your repositories ``` -1. Verify that you have access to the consul chart: +1. Verify that you have access to the Consul chart: ```shell-session $ helm search repo hashicorp/consul NAME CHART VERSION APP VERSION DESCRIPTION - hashicorp/consul 1.0.1 1.14.1 Official HashiCorp Consul Chart + hashicorp/consul 1.3.1 1.17.1 Official HashiCorp Consul Chart ``` 1. Before you install Consul on Kubernetes with Helm, ensure that the `consul` Kubernetes namespace does not exist. We recommend installing Consul on a dedicated namespace. @@ -61,31 +63,36 @@ Using the Helm Chart requires Helm version 3.6+. Visit the [Helm website](https: 1. Install Consul on Kubernetes using Helm. The Helm chart does everything to set up your deployment: after installation, agents automatically form clusters, elect leaders, and run the necessary agents. - - Run the following command to install the latest version of Consul on Kubernetes with its default configuration. + - Run the following command to install the latest version of Consul on Kubernetes with its default configuration. - ```shell-session - $ helm install consul hashicorp/consul --set global.name=consul --create-namespace --namespace consul - ``` + ```shell-session + $ helm install consul hashicorp/consul --set global.name=consul --create-namespace --namespace consul + ``` - You can also install Consul on a dedicated namespace of your choosing by modifying the value of the `-n` flag for the Helm install. + You can also install Consul on a dedicated namespace of your choosing by modifying the value of the `-n` flag for the Helm install. - - To install a specific version of Consul on Kubernetes, issue the following command with `--version` flag: + - To install a specific version of Consul on Kubernetes, issue the following command with `--version` flag: - ```shell-session - $ export VERSION=1.0.1 - $ helm install consul hashicorp/consul --set global.name=consul --version ${VERSION} --create-namespace --namespace consul - ``` + ```shell-session + $ export VERSION=1.0.1 && \ + helm install consul hashicorp/consul + --set global.name=consul + --version ${VERSION} + --create-namespace + --namespace consul + ``` + +### Update your Consul on Kubernetes configuration + +If you already installed Consul and want to make changes, you need to run `helm upgrade`. Refer to [Upgrading](/consul/docs/k8s/upgrade) for more details. ## Custom installation -If you want to customize your installation, -create a `values.yaml` file to override the default settings. -To learn what settings are available, run `helm inspect values hashicorp/consul` -or read the [Helm Chart Reference](/consul/docs/k8s/helm). +If you want to customize your installation, create a `values.yaml` file to override the default settings. To learn what settings are available, run `helm inspect values hashicorp/consul` or review the [Helm Chart Reference](/consul/docs/reference/k8s/helm). ### Minimal `values.yaml` for Consul service mesh -The following `values.yaml` config file contains the minimum required settings to enable [Consul Service Mesh](/consul/docs/k8s/connect): +The following `values.yaml` config file contains the minimum required settings to enable [Consul service mesh](/consul/docs/k8s/connect): @@ -104,9 +111,9 @@ NAME: consul ... ``` -### Install Consul on Red Hat OpenShift +### Install Consul on OpenShift clusters -[Red Hat OpenShift](https://www.redhat.com/en/technologies/cloud-computing/openshift) is a security-conscious, opinionated wrapper for Kubernetes. To install Consul on OpenShift-managed Kubernetes, set `global.openshift.enabled=true` in your [custom installation](#custom-installation) values file: +[Red Hat OpenShift](https://www.redhat.com/en/technologies/cloud-computing/openshift) is a security-conscious, opinionated wrapper for Kubernetes. To install Consul on OpenShift-managed Kubernetes, set `global.openshift.enabled=true` in your values file: ```yaml global: @@ -114,53 +121,15 @@ global: enabled: true ``` -Refer to [`openshift` in the Helm chart reference](/consul/docs/k8s/helm#v-global-openshift) for additional information regarding the OpenShift stanza. In addition, refer to the [Deploy Consul on RedHat OpenShift tutorial](/consul/tutorials/kubernetes/kubernetes-openshift-red-hat) for a complete working example that deploys Consul Service Mesh using Red Hat Certified UBI images. - -### Install Consul on GKE Autopilot - -GKE Autopilot provides a fully managed environment for containerized workloads and requires the Consul CNI plugin to be installed. Refer to [Enable the Consul CNI plugin](#enable-the-consul-cni-plugin) for a full reference on how to enable the CNI plugin. - -By default, GKE Autopilot also installs [Gateway API resources](https://gateway-api.sigs.k8s.io), so we recommend customizing the `connectInject.apiGateway` stanza to accommodate for the pre-installed Gateway API CRDs. - -The following working example enables both Consul Service Mesh and Consul API Gateway on GKE Autopilot. Refer to [`connectInject.agiGateway` in the Helm chart reference](https://developer.hashicorp.com/consul/docs/k8s/helm#v-connectinject-apigateway) for additional information. - - - - ```yaml - global: - name: consul - connectInject: - enabled: true - apiGateway: - manageExternalCRDs: false - manageNonStandardCRDs: true - cni: - enabled: true - logLevel: debug - cniBinDir: "/home/kubernetes/bin" - cniNetDir: "/etc/cni/net.d" - server: - resources: - requests: - memory: "500Mi" - cpu: "500m" - limits: - memory: "500Mi" - cpu: "500m" - ``` - +Refer to [`openshift` in the Helm chart reference](/consul/docs/reference/k8s/helm#v-global-openshift) for additional information. ### Enable the Consul CNI plugin -By default, Consul injects a `connect-inject-init` init container as part of the Kubernetes pod startup process when Consul is in [transparent proxy mode](/consul/docs/connect/transparent-proxy). -The container configures traffic redirection in the service mesh through the sidecar proxy. -To configure redirection, the container requires elevated `CAP_NET_ADMIN` privileges, which may not be compatible with security policies in your organization. +By default, Consul injects a `connect-inject-init` init container as part of the Kubernetes pod startup process when Consul is in [transparent proxy mode](/consul/docs/connect/transparent-proxy). The container configures traffic redirection in the service mesh through the sidecar proxy. To configure redirection, the container requires elevated `CAP_NET_ADMIN` privileges, which may not be compatible with security policies in your organization. -Instead, you can enable the Consul container network interface (CNI) plugin to perform traffic redirection. -Because the plugin is executed by the local Kubernetes kubelet, the plugin already has the elevated privileges necessary to configure the network. +Instead, you can enable the Consul container network interface (CNI) plugin to perform traffic redirection. Because the plugin is executed by the local Kubernetes kubelet, the plugin already has the elevated privileges necessary to configure the network. -The Consul Helm Chart is responsible for installing the Consul CNI plugin. -To configure the plugin to be installed, add the following configuration to your `values.yaml` file: +The Consul Helm Chart is responsible for installing the Consul CNI plugin. To configure the plugin to be installed, add the following configuration to your `values.yaml` file: @@ -237,9 +206,9 @@ The following table describes the available CNI plugin options: ### Enable Consul service mesh on select namespaces -By default, Consul Service Mesh is enabled on almost all namespaces within a Kubernetes cluster, with the exception of `kube-system` and `local-path-storage`. To restrict the service mesh to a subset of namespaces: +By default, Consul service mesh is enabled on almost all namespaces within a Kubernetes cluster, except `kube-system` and `local-path-storage`. To restrict the service mesh to a subset of namespaces: -1. specify a `namespaceSelector` that matches a label attached to each namespace where you want to deploy the service mesh. In order to default to enabling service mesh on select namespaces by label, the `connectInject.default` value must be set to `true`. +1. Specify a `namespaceSelector` that matches a label attached to each namespace where you want to deploy the service mesh. To enable service mesh on select namespaces by label by default, you must set the `connectInject.default` value to `true`. @@ -256,11 +225,12 @@ By default, Consul Service Mesh is enabled on almost all namespaces within a Kub -1. Label the namespaces where you would like to enable Consul Service Mesh. +1. Label the namespaces where you would like to enable Consul service mesh. ```shell-session - $ kubectl create ns foo - $ kubectl label namespace foo connect-inject=enabled + $ export NAMESPACE=foo && \ + kubectl create ns $NAMESPACE && \ + kubectl label namespace $NAMESPACE connect-inject=enabled ``` 1. Run `helm install` with the `--values` flag: @@ -270,11 +240,6 @@ By default, Consul Service Mesh is enabled on almost all namespaces within a Kub NAME: consul ``` -### Update your Consul on Kubernetes configuration - -If you already installed Consul and want to make changes, you need to run -`helm upgrade`. Refer to [Upgrading](/consul/docs/k8s/upgrade) for more details. - ## Usage You can view the Consul UI and access the Consul HTTP API after installation. @@ -283,8 +248,7 @@ You can view the Consul UI and access the Consul HTTP API after installation. The Consul UI is enabled by default when using the Helm chart. -For security reasons, it is not exposed through a `LoadBalancer` service by default. To visit the UI, you must -use `kubectl port-forward`. +For security reasons, it is not exposed through a `LoadBalancer` service by default. To visit the UI, you must use `kubectl port-forward`. #### Port forward with TLS disabled @@ -292,7 +256,6 @@ If running with TLS disabled, the Consul UI is accessible through http on port 8 ```shell-session $ kubectl port-forward service/consul-server --namespace consul 8500:8500 -... ``` After you set up the port forward, navigate to [http://localhost:8500](http://localhost:8500). @@ -303,15 +266,17 @@ If running with TLS enabled, the Consul UI is accessible through https on port 8 ```shell-session $ kubectl port-forward service/consul-server --namespace consul 8501:8501 -... ``` After you set up the port forward, navigate to [https://localhost:8501](https://localhost:8501). -~> You need to click through an SSL warning from your browser because the -Consul certificate authority is self-signed and not in the browser's trust store. + + +You need to click through an SSL warning from your browser because the Consul certificate authority is self-signed and not in the browser's trust store. + + -#### ACLs Enabled +#### ACLs enabled If ACLs are enabled, you need to input an ACL token to display all resources and make modifications in the UI. @@ -324,26 +289,23 @@ e7924dd1-dc3f-f644-da54-81a73ba0a178% Then paste the token into the UI under the ACLs tab (without the `%`). -~> NOTE: If using multi-cluster federation, your kubectl context must be in the primary datacenter -to retrieve the bootstrap token since secondary datacenters use a separate token -with less permissions. + + +If using multi-cluster federation, your `kubectl` context must be in the primary datacenter to retrieve the bootstrap token since secondary datacenters use a separate token with less permissions. + + #### Exposing the UI through a service -If you want to expose the UI via a Kubernetes Service, configure -the [`ui.service` chart values](/consul/docs/k8s/helm#v-ui-service). -Because this service allows requests to the Consul servers, it should -not be open to the world. +If you want to expose the UI via a Kubernetes Service, configure the [`ui.service` chart values](/consul/docs/reference/k8s/helm#v-ui-service). Because this service allows requests to the Consul servers, it should not be open to the world. -### Accessing the Consul HTTP API +### Access the Consul HTTP API While technically any listening agent can respond to the HTTP API, communicating with the local Consul node has important caching behavior and allows you to use the simpler [`/agent` endpoints for services and checks](/consul/api-docs/agent). To find information about a node, you can use the [downward API](https://kubernetes.io/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/). -An example pod specification is shown below. In addition to pods, anything -with a pod template can also access the downward API and can therefore also -access Consul: StatefulSets, Deployments, Jobs, etc. +The following is an example pod specification. In addition to pods, anything with a pod template can also access the Consul API and can therefore also access Consul: StatefulSets, Deployments, Jobs, etc. ```yaml apiVersion: v1 @@ -368,8 +330,7 @@ spec: restartPolicy: Never ``` -An example `Deployment` is also shown below to show how the host IP can -be accessed from nested pod specifications: +The following example `Deployment` shows how you can access the host IP can be accessed from nested pod specifications: @@ -405,11 +366,3 @@ spec: ``` - -## Next Steps - -If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our [Migrate to Microservices with Consul Service Mesh on Kubernetes](/consul/tutorials/microservices?utm_source=docs) -collection uses an example application written by a fictional company to illustrate why and how organizations can -migrate from monolith to microservices using Consul service mesh on Kubernetes. The case study in this collection -should provide information valuable for understanding how to develop services that leverage Consul during any stage -of your microservices journey. diff --git a/website/content/docs/deploy/server/k8s/index.mdx b/website/content/docs/deploy/server/k8s/index.mdx new file mode 100644 index 00000000000..31d2c933b26 --- /dev/null +++ b/website/content/docs/deploy/server/k8s/index.mdx @@ -0,0 +1,39 @@ +--- +layout: docs +page_title: Deploy Consul server on Kubernetes +description: >- + To deploy a Consul server on Kubernetes, use either Helm or the `consul-k8s` CLI to schedule the server. Learn about additional steps for deploying a Consul server to different Kubernetes platforms. +--- + +# Deploy Consul server on Kubernetes + +This topic provides an overview for deploying a Consul server when running Consul on Kubernetes + +## Basic deployments + +To schedule a Consul server on a Kubernetes cluster, you can use either Helm or the Consul on Kubernetes CLI. Depending on your Kubernetes platform and cloud provider, there may be additional steps. + +To get started, refer to the following topics: + +- [Deploy Consul Community edition with Helm](/consul/docs/deploy/server/k8s/helm) +- [Deploy Consul Enterprise with Helm](/consul/docs/deploy/server/k8s/enterprise) +- [Deploy Consul with the `consul-k8s` CLI](/consul/docs/deploy/server/k8s/consul-k8s) + +Refer to the following platform deployment guides more specific information: + +- [Azure Kubernetes Service (AKS)](/consul/docs/deploy/server/k8s/platform/aks) +- [AWS Elastic Kubernetes Service (EKS)](/consul/docs/deploy/server/k8s/platform/eks) +- [Google Kubernetes Engine (GKE)](/consul/docs/deploy/server/k8s/platform/gke) +- [Kind](/consul/docs/deploy/server/k8s/platform/kind) +- [Minikube](/consul/docs/deploy/server/k8s/platform/minikube) +- [Openshift](/consul/docs/deploy/server/k8s/platform/openshift) +- [Self-hosted](/consul/docs/deploy/server/k8s/platform/self-hosted) + +## Advanced deployments + +You can configure Consul to run on Kubernetes clusters that are deployed in dispersed networks. Refer to the following topics for more information: + +- [Deploy a single Consul datacenter across multiple Kubernetes clusters](/consul/docs/deploy/server/k8s/multi/multiple-clusters) +- [Deploy Consul servers outside of Kubernetes](/consul/docs/deploy/server/k8s/multi/servers-outside) +- [Deploy Consul with Vault as Secrets backend](/consul/docs/deploy/server/k8s/multi/vault) +- [Deploy Consul servers to federated datacenters](/consul/docs/deploy/server/k8s/multi/federation) \ No newline at end of file diff --git a/website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx b/website/content/docs/deploy/server/k8s/multi/federation/index.mdx similarity index 89% rename from website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx rename to website/content/docs/deploy/server/k8s/multi/federation/index.mdx index dbffe877c98..bf722b2f073 100644 --- a/website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx +++ b/website/content/docs/deploy/server/k8s/multi/federation/index.mdx @@ -1,18 +1,18 @@ --- layout: docs -page_title: WAN Federation Through Mesh Gateways - Overview +page_title: Multi-cluster federation — Overview description: >- Federating Consul datacenters through mesh gateways enables agents to engage in WAN communication across runtimes and cloud providers. Learn about multi-cluster federation and its network requirements for Consul on Kubernetes. --- -# WAN Federation Through Mesh Gateways Overview +# Multi-cluster federation — Overview In Consul, federation is the act of joining two or more Consul datacenters. When datacenters are joined, Consul servers in each datacenter can communicate with one another. This enables the following features: - Services on all clusters can make calls to each other through Consul Service Mesh. -- [Intentions](/consul/docs/connect/intentions) can be used to enforce rules about which services can communicate across all clusters. +- [Intentions](/consul/docs/secure-mesh/intentions) can be used to enforce rules about which services can communicate across all clusters. - [L7 Routing Rules](/consul/docs/connect/manage-traffic) can enable multi-cluster failover and traffic splitting. - The Consul UI has a drop-down menu that lets you navigate between datacenters. @@ -74,6 +74,6 @@ There are three networking requirements: ## Next Steps Now that you have an overview of federation, proceed to either the -[Federation Between Kubernetes Clusters](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes) -or [Federation Between VMs and Kubernetes](/consul/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes) +[Federation Between Kubernetes Clusters](/consul/docs/east-west/wan-federation/k8s) +or [Federation Between VMs and Kubernetes](/consul/docs/east-west/wan-federation/k8s-vm) pages depending on your use case. diff --git a/website/content/docs/deploy/server/k8s/multi/federation/k8s-vm.mdx b/website/content/docs/deploy/server/k8s/multi/federation/k8s-vm.mdx new file mode 100644 index 00000000000..cacfa4ec99d --- /dev/null +++ b/website/content/docs/deploy/server/k8s/multi/federation/k8s-vm.mdx @@ -0,0 +1,398 @@ +--- +layout: docs +page_title: Multi-cluster federation — VMs and Kubernetes +description: >- + WAN federation through mesh gateways extends service mesh deployments by enabling Consul on Kubernetes to securely communicate with instances on VMs. Learn how to configure multi-cluster federation with k8s as either the primary or secondary datacenter. +--- + +# Multi-cluster federation — VMs and Kubernetes + +This page describes how to federate Consul clusters separately deployed in VM and Kubernetes runtimes. Refer to [Multi-Cluster Overview](/consul/docs/east-west/wan-federation) +for more information, including [Kubernetes networking requirements](/consul/docs/east-west/wan-federation#network-requirements). + +Consul datacenters running on non-kubernetes platforms like VMs or bare metal can +be federated with Kubernetes datacenters. + +## Kubernetes as the Primary + +One Consul datacenter must be the [primary](/consul/docs/east-west/wan-federation/k8s#primary-datacenter). If your primary datacenter is running on Kubernetes, use the Helm config from the [Primary Datacenter](/consul/docs/east-west/wan-federation/k8s#primary-datacenter) section to install Consul. + +Once installed on Kubernetes, and with the `ProxyDefaults` [resource created](/consul/docs/east-west/wan-federation/k8s#proxydefaults), +you'll need to export the following information from the primary Kubernetes cluster: + +- Certificate authority cert and key (in order to create SSL certs for VMs) +- External addresses of Kubernetes mesh gateways +- Replication ACL token +- Gossip encryption key + +The following sections detail how to export this data. + +### Certificates + +1. Retrieve the certificate authority cert: + + ```sh + kubectl get secrets/consul-ca-cert --namespace consul --template='{{index .data "tls.crt" | base64decode }}' > consul-agent-ca.pem + ``` + +1. And the certificate authority signing key: + + ```sh + kubectl get secrets/consul-ca-key --namespace consul --template='{{index .data "tls.key" | base64decode }}' > consul-agent-ca-key.pem + ``` + +1. With the `consul-agent-ca.pem` and `consul-agent-ca-key.pem` files you can + create certificates for your servers and clients running on VMs that share the + same certificate authority as your Kubernetes servers. + + You can use the `consul tls` commands to generate those certificates: + + ```sh + # NOTE: consul-agent-ca.pem and consul-agent-ca-key.pem must be in the current + # directory. + $ consul tls cert create -server -dc=vm-dc -node + ==> WARNING: Server Certificates grants authority to become a + server and access all state in the cluster including root keys + and all ACL tokens. Do not distribute them to production hosts + that are not server nodes. Store them as securely as CA keys. + ==> Using consul-agent-ca.pem and consul-agent-ca-key.pem + ==> Saved vm-dc-server-consul-0.pem + ==> Saved vm-dc-server-consul-0-key.pem + ``` + + -> Note the `-node` option in the above command. This should be same as the node name of the [Consul Agent](/consul/docs/agent#running-an-agent). This is a [requirement](/consul/docs/east-west/mesh-gateway/enable#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, or you don't know the nodename in advance, use `-node "*"` instead. + Not satisfying this requirement would result in the following error in the Consul Server logs: + `[ERROR] agent.server.rpc: TLS handshake failed: conn=from= error="remote error: tls: bad certificate"` + + See the help for output of `consul tls cert create -h` to see more options + for generating server certificates. + +1. These certificates can be used in your server config file: + + + + ```hcl + tls { + defaults { + cert_file = "vm-dc-server-consul-0.pem" + key_file = "vm-dc-server-consul-0-key.pem" + ca_file = "consul-agent-ca.pem" + } + } + ``` + + + +1. For clients, you can generate TLS certs with: + + ```shell-session + $ consul tls cert create -client + ==> Using consul-agent-ca.pem and consul-agent-ca-key.pem + ==> Saved dc1-client-consul-0.pem + ==> Saved dc1-client-consul-0-key.pem + ``` + + Or use the [auto_encrypt](/consul/docs/reference/agent#auto_encrypt) feature. + +### Mesh Gateway Addresses + +Retrieve the WAN addresses of the mesh gateways: + +```shell-session +$ kubectl exec statefulset/consul-server --namespace consul -- sh -c \ + 'curl --silent --insecure https://localhost:8501/v1/catalog/service/mesh-gateway | jq ".[].ServiceTaggedAddresses.wan"' +{ + "Address": "1.2.3.4", + "Port": 443 +} +{ + "Address": "1.2.3.4", + "Port": 443 +} +``` + +In this example, the addresses are the same because both mesh gateway pods are +fronted by the same Kubernetes load balancer. + +These addresses will be used in the server config for the `primary_gateways` +setting: + +```hcl +primary_gateways = ["1.2.3.4:443"] +``` + +### Replication ACL Token + +If ACLs are enabled, you'll also need the replication ACL token: + +```shell-session +$ kubectl get secrets/consul-acl-replication-acl-token --namespace consul --template='{{.data.token | base64decode}}' +e7924dd1-dc3f-f644-da54-81a73ba0a178 +``` + +This token will be used in the server config for the replication token. + +```hcl +acls { + tokens { + replication = "e7924dd1-dc3f-f644-da54-81a73ba0a178" + } +} +``` + +You also need to set up additional ACL tokens as needed by the ACL system. Refer to the [ACLs](/consul/docs/secure-consul/acl) for more information. + +### Gossip Encryption Key + +If gossip encryption is enabled, you'll need the key as well. The command +to retrieve the key will depend on which Kubernetes secret you've stored it in. + +This key will be used in server and client configs for the `encrypt` setting: + +```hcl +encrypt = "uF+GsbI66cuWU21kiXLze5JLEX5j4iDFlDTb0ZWNpDI=" +``` + +### Final Configuration + +A final example server config file might look like: + +```hcl +# From above +tls { + defaults { + cert_file = "vm-dc-server-consul-0.pem" + key_file = "vm-dc-server-consul-0-key.pem" + ca_file = "consul-agent-ca.pem" + } + + internal_rpc { + verify_incoming = true + verify_outgoing = true + verify_server_hostname = true + } +} +primary_gateways = ["1.2.3.4:443"] +acl { + enabled = true + default_policy = "deny" + down_policy = "extend-cache" + tokens { + agent = "e7924dd1-dc3f-f644-da54-81a73ba0a178" + replication = "e7924dd1-dc3f-f644-da54-81a73ba0a178" + } +} +encrypt = "uF+GsbI66cuWU21kiXLze5JLEX5j4iDFlDTb0ZWNpDI=" + +# Other server settings +server = true +datacenter = "vm-dc" +data_dir = "/opt/consul" +enable_central_service_config = true +primary_datacenter = "dc1" +connect { + enabled = true + enable_mesh_gateway_wan_federation = true +} +ports { + https = 8501 + http = -1 + grpc = 8502 +} +``` + +## Kubernetes as the Secondary + +If you're running your primary datacenter on VMs then you'll need to manually +construct the [Federation Secret](/consul/docs/east-west/wan-federation/k8s#federation-secret) in order to federate +Kubernetes clusters as secondaries. In addition, primary clusters must be able to make requests to the Kubernetes API URLs of secondary clusters when ACLs are enabled. + +-> Your VM cluster must be running mesh gateways, and have mesh gateway WAN +federation enabled. See [WAN Federation via Mesh Gateways](/consul/docs/east-west/mesh-gateway/enable). + +You'll need: + +1. The root certificate authority cert placed in `consul-agent-ca.pem`. +1. The root certificate authority key placed in `consul-agent-ca-key.pem`. +1. The IP addresses of the mesh gateways running in your VM datacenter. These must + be routable from the Kubernetes cluster. +1. If ACLs are enabled you must create an ACL replication token with the following rules: + + ```hcl + acl = "write" + operator = "write" + agent_prefix "" { + policy = "read" + } + node_prefix "" { + policy = "write" + } + service_prefix "" { + policy = "read" + intentions = "read" + } + ``` + + This token is used for ACL replication and for automatic ACL management in Kubernetes. + + If you're running Consul Enterprise you'll need the rules: + + ```hcl + operator = "write" + agent_prefix "" { + policy = "read" + } + node_prefix "" { + policy = "write" + } + namespace_prefix "" { + acl = "write" + service_prefix "" { + policy = "read" + intentions = "read" + } + } + ``` +1. If ACLs are enabled you must also modify the [anonymous token](/secure-consul/acl/tokens#anonymous-token) policy to have the following permissions: + + ```hcl + node_prefix "" { + policy = "read" + } + service_prefix "" { + policy = "read" + } + ``` + + With Consul Enterprise, use: + + ```hcl + partition_prefix "" { + namespace_prefix "" { + node_prefix "" { + policy = "read" + } + service_prefix "" { + policy = "read" + } + } + } + ``` + + These permissions are needed to allow cross-datacenter requests. To make a cross-dc request the sidecar proxy in the originating DC needs to know about the + services running in the remote DC. To do so, it needs an ACL token that allows it to look up the services in the remote DC. The way tokens are created in + Kubernetes, the sidecar proxies have local ACL tokens–i.e tokens that are only valid in the local DC. When a request goes from one DC to another, if the + request has a local token, it is stripped from the request because the remote DC won't be able to validate it. When the request lands in the other DC, + it has no ACL token and so will be subject to the anonymous token policy. This is why the anonymous token policy must be configured to allow read access + to all services. When the Kubernetes DC is the primary, this is handled automatically, but when the primary DC is on VMs, this must be configured manually. + + To configure the anonymous token policy, first create a policy with the above rules, then attach it to the anonymous token. For example using the CLI: + + ```sh + echo 'node_prefix "" { + policy = "read" + } + service_prefix "" { + policy = "read" + }' | consul acl policy create -name anonymous -rules - + + consul acl token update -id 00000000-0000-0000-0000-000000000002 -policy-name anonymous + ``` + +1. If gossip encryption is enabled, you'll need the key. + +With that data ready, you can create the Kubernetes federation secret: + +```sh +kubectl create secret generic consul-federation \ + --from-literal=caCert=$(cat consul-agent-ca.pem) \ + --from-literal=caKey=$(cat consul-agent-ca-key.pem) + # If ACLs are enabled uncomment. + # --from-literal=replicationToken="" \ + # If using gossip encryption uncomment. + # --from-literal=gossipEncryptionKey="" +``` + +If ACLs are enabled, you must next determine the Kubernetes API URL for the secondary cluster. The API URL of the +must be specified in the config files for all secondary clusters because secondary clusters need +to create global Consul ACL tokens (tokens that are valid in all datacenters) and these tokens can only be created +by the primary datacenter. By setting the API URL, the secondary cluster will configure a [Consul auth method](/consul/docs/secure-consul/acl/auth-methods) +in the primary cluster so that components in the secondary cluster can use their Kubernetes ServiceAccount tokens +to retrieve global Consul ACL tokens from the primary. + +To determine the Kubernetes API URL, first get the cluster name in your kubeconfig: + +```shell-session +$ export CLUSTER=$(kubectl config view -o jsonpath="{.contexts[?(@.name == \"$(kubectl config current-context)\")].context.cluster}") +``` + +Then get the API URL: + +```shell-session +$ kubectl config view -o jsonpath="{.clusters[?(@.name == \"$CLUSTER\")].cluster.server}" +https:// +``` + +You'll use this URL when setting `global.federation.k8sAuthMethodHost`. + +Then use the following Helm config file: + +```yaml +global: + name: consul + datacenter: dc2 + tls: + enabled: true + caCert: + secretName: consul-federation + secretKey: caCert + caKey: + secretName: consul-federation + secretKey: caKey + + # Delete this acls section if ACLs are disabled. + acls: + manageSystemACLs: true + replicationToken: + secretName: consul-federation + secretKey: replicationToken + + federation: + enabled: true + k8sAuthMethodHost: + primaryDatacenter: dc1 + + # Delete this gossipEncryption section if gossip encryption is disabled. + gossipEncryption: + secretName: consul-federation + secretKey: gossipEncryptionKey + +connectInject: + enabled: true +meshGateway: + enabled: true +server: + extraConfig: | + { + "primary_gateways": ["", "", ...] + } +``` + +Notes: + +1. You must fill out the `server.extraConfig` section with the IPs of your mesh +gateways running on VMs. +1. Set `global.federation.k8sAuthMethodHost` to the Kubernetes API URL of this cluster (including `https://`). +1. `global.federation.primaryDatacenter` should be set to the name of your primary datacenter. + +With your config file ready to go, follow our [Installation Guide](/consul/docs/k8s/installation/install) +to install Consul on your secondary cluster(s). + +After installation, if you're using consul-helm 0.30.0+, [create the +`ProxyDefaults` resource](/consul/docs/east-west/wan-federation/k8s#proxydefaults) +to allow traffic between datacenters. + +## Next Steps + +In both cases (Kubernetes as primary or secondary), after installation, follow the [Verifying Federation](/consul/docs/east-west/wan-federation/k8s#verifying-federation) +section to verify that federation is working as expected. diff --git a/website/content/docs/k8s/deployment-configurations/multi-cluster/kubernetes.mdx b/website/content/docs/deploy/server/k8s/multi/federation/k8s.mdx similarity index 91% rename from website/content/docs/k8s/deployment-configurations/multi-cluster/kubernetes.mdx rename to website/content/docs/deploy/server/k8s/multi/federation/k8s.mdx index 406ca258ec6..b246deca801 100644 --- a/website/content/docs/k8s/deployment-configurations/multi-cluster/kubernetes.mdx +++ b/website/content/docs/deploy/server/k8s/multi/federation/k8s.mdx @@ -1,20 +1,14 @@ --- layout: docs -page_title: WAN Federation Through Mesh Gateways - Multiple Kubernetes Clusters +page_title: Multi-cluster federation — Kubernetes description: >- WAN federation through mesh gateways enables federating multiple Kubernetes clusters in Consul. Learn how to configure primary and secondary datacenters, export a federation secret, get the k8s API URL, and verify federation. --- -# WAN Federation Between Multiple Kubernetes Clusters Through Mesh Gateways +# Multi-cluster federation — Kubernetes --> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher - -~> This topic requires familiarity with [Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters) and [WAN Federation Via Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways). - --> Looking for a step-by-step guide? Complete the [Secure and Route Service Mesh Communication Across Kubernetes](/consul/tutorials/kubernetes/kubernetes-mesh-gateways?utm_source=docs) tutorial to learn more. - -This page describes how to federate multiple Kubernetes clusters. Refer to [Multi-Cluster Overview](/consul/docs/k8s/deployment-configurations/multi-cluster) -for more information, including [networking requirements](/consul/docs/k8s/deployment-configurations/multi-cluster#network-requirements). +This page describes how to federate multiple Kubernetes clusters. Refer to [Multi-Cluster Overview](/consul/docs/east-west/wan-federation) +for more information, including [networking requirements](/consul/docs/east-west/wan-federation#network-requirements). ## Primary Datacenter @@ -108,7 +102,7 @@ Modifications: 1. The default mesh gateway configuration creates a Kubernetes Load Balancer service. If you wish to customize the mesh gateway, for example using a Node Port service or a custom DNS entry, - see the [Helm reference](/consul/docs/k8s/helm#v-meshgateway) for that setting. + see the [Helm reference](/consul/docs/reference/k8s/helm#v-meshgateway) for that setting. With your `values.yaml` ready to go, follow our [Installation Guide](/consul/docs/k8s/installation/install) to install Consul on your primary cluster. @@ -138,7 +132,7 @@ meshGateway: -1. `global.tls.enabled` must be `true`. See [Configuring TLS on an Existing Cluster](/consul/docs/k8s/operations/tls-on-existing-cluster) +1. `global.tls.enabled` must be `true`. See [Configuring TLS on an Existing Cluster](/consul/docs/secure-mesh/certificate/existing) for more information on safely upgrading a cluster to use TLS. If you've set `enableAutoEncrypt: true`, this is also supported. @@ -150,16 +144,16 @@ If you've set `enableAutoEncrypt: true`, this is also supported. with the primary. 1. Mesh Gateways are enabled with the default configuration. The default configuration creates a Kubernetes Load Balancer service. If you wish to customize the - mesh gateway, see the [Helm reference](/consul/docs/k8s/helm#v-meshgateway) for that setting. + mesh gateway, see the [Helm reference](/consul/docs/reference/k8s/helm#v-meshgateway) for that setting. -With the above settings added to your existing config, follow the [Upgrading](/consul/docs/k8s/upgrade) +With the above settings added to your existing config, follow the [Upgrading](/consul/docs/upgrade/k8s) guide to upgrade your cluster and then come back to the [Federation Secret](#federation-secret) section. -> **NOTE:** You must be using consul-helm 0.21.0+. #### ProxyDefaults -If you are using consul-helm 0.30.0+ you must also create a [`ProxyDefaults`](/consul/docs/connect/config-entries/proxy-defaults) +If you are using consul-helm 0.30.0+ you must also create a [`ProxyDefaults`](/consul/docs/reference/config-entry/proxy-defaults) resource to configure Consul to use the mesh gateways for service mesh traffic. ```yaml @@ -261,8 +255,8 @@ The automatically generated federation secret contains: - **Consul server config** - This is a JSON snippet that must be used as part of the server config for secondary datacenters. It sets: - - [`primary_datacenter`](/consul/docs/agent/config/config-files#primary_datacenter) to the name of the primary datacenter. - - [`primary_gateways`](/consul/docs/agent/config/config-files#primary_gateways) to an array of IPs or hostnames + - [`primary_datacenter`](/consul/docs/reference/agent#primary_datacenter) to the name of the primary datacenter. + - [`primary_gateways`](/consul/docs/reference/agent#primary_gateways) to an array of IPs or hostnames for the mesh gateways in the primary datacenter. These are the addresses that Consul servers in secondary clusters will use to communicate with the primary datacenter. @@ -287,7 +281,7 @@ The automatically generated federation secret contains: If ACLs are enabled, you must next determine the Kubernetes API URL for each secondary cluster. The API URL of the secondary cluster must be specified in the config files for each secondary cluster because they need to create global Consul ACL tokens (tokens that are valid in all datacenters) and these tokens can only be created -by the primary datacenter. By setting the API URL, the secondary cluster will configure a [Consul auth method](/consul/docs/security/acl/auth-methods) +by the primary datacenter. By setting the API URL, the secondary cluster will configure a [Consul auth method](/consul/docs/secure-consul/acl/auth-methods) in the primary cluster so that components in the secondary cluster can use their Kubernetes ServiceAccount tokens to retrieve global Consul ACL tokens from the primary. @@ -406,7 +400,7 @@ Modifications: 1. The default mesh gateway configuration creates a Kubernetes Load Balancer service. If you wish to customize the mesh gateway, for example using a Node Port service or a custom DNS entry, - see the [Helm reference](/consul/docs/k8s/helm#v-meshgateway) for that setting. + see the [Helm reference](/consul/docs/reference/k8s/helm#v-meshgateway) for that setting. With your `values.yaml` ready to go, follow our [Installation Guide](/consul/docs/k8s/installation/install) to install Consul on your secondary cluster(s). diff --git a/website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx b/website/content/docs/deploy/server/k8s/multi/multiple-clusters.mdx similarity index 94% rename from website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx rename to website/content/docs/deploy/server/k8s/multi/multiple-clusters.mdx index 4f23ccddabe..7cd8314c9f0 100644 --- a/website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx +++ b/website/content/docs/deploy/server/k8s/multi/multiple-clusters.mdx @@ -1,13 +1,14 @@ --- layout: docs -page_title: Deploy Single Consul Datacenter Across Multiple K8s Clusters +page_title: Deploy a single Consul datacenter across multiple Kubernetes clusters description: >- A single Consul datacenter can run across multiple Kubernetes pods in a flat network as long as only one pod has server agents. Learn how to configure the Helm chart, deploy pods in sequence, and verify your service mesh. --- -# Deploy Single Consul Datacenter Across Multiple Kubernetes Clusters +# Deploy a single Consul datacenter across multiple Kubernetes clusters -~> **Note:** When running Consul across multiple Kubernetes clusters, we recommend using [admin partitions](/consul/docs/enterprise/admin-partitions) for production environments. This Consul Enterprise feature allows you to accommodate multiple tenants without resource collisions when administering a cluster at scale. Admin partitions also enable you to run Consul on Kubernetes clusters across a non-flat network. + +~> **Note:** When running Consul across multiple Kubernetes clusters, we recommend using [admin partitions](/consul/docs/segment/admin-partition) for production environments. This Consul Enterprise feature allows you to accommodate multiple tenants without resource collisions when administering a cluster at scale. Admin partitions also enable you to run Consul on Kubernetes clusters across a non-flat network. This page describes deploying a single Consul datacenter in multiple Kubernetes clusters, with servers running in one cluster and only Consul on Kubernetes components in the rest of the clusters. @@ -190,7 +191,7 @@ $ helm install ${HELM_RELEASE_CONSUL} --values cluster2-values.yaml hashicorp/co ## Verifying the Consul Service Mesh works -~> When Transparent proxy is enabled, services in one Kubernetes cluster that need to communicate with a service in another Kubernetes cluster must have an explicit upstream configured through the ["consul.hashicorp.com/connect-service-upstreams"](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) annotation. +~> When Transparent proxy is enabled, services in one Kubernetes cluster that need to communicate with a service in another Kubernetes cluster must have an explicit upstream configured through the ["consul.hashicorp.com/connect-service-upstreams"](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-connect-service-upstreams) annotation. Now that the Consul cluster spanning across multiple k8s clusters is up and running, deploy two services in separate k8s clusters and verify that they can connect to each other. diff --git a/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx b/website/content/docs/deploy/server/k8s/multi/servers-outside.mdx similarity index 93% rename from website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx rename to website/content/docs/deploy/server/k8s/multi/servers-outside.mdx index a794f3643d5..42837110ada 100644 --- a/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx +++ b/website/content/docs/deploy/server/k8s/multi/servers-outside.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Join Kubernetes Clusters to external Consul Servers +page_title: Deploy Consul servers outside of Kubernetes description: >- Kubernetes clusters can be joined to existing Consul clusters in a much simpler way with the introduction of Consul Dataplane. Learn how to add Kubernetes Clusters into an existing Consul cluster and bootstrap ACLs by configuring the Helm chart. --- -# Join Kubernetes Clusters to external Consul Servers +# Deploy Consul servers outside of Kubernetes If you have a Consul cluster already running, you can configure your Consul on Kubernetes installation to join this existing cluster. @@ -21,7 +21,7 @@ The `externalServers.hosts` value must be provided and should be set to a DNS, a or an `exec=` string with a command returning Consul IPs. Please see [this documentation](https://github.com/hashicorp/go-netaddrs) on how the `exec=` string works. Other values in the `externalServers` section are optional. Please refer to -[Helm Chart configuration](/consul/docs/k8s/helm#h-externalservers) for more details. +[Helm Chart configuration](/consul/docs/reference/k8s/helm#h-externalservers) for more details. @@ -37,7 +37,7 @@ externalServers: With the introduction of [Consul Dataplane](/consul/docs/connect/dataplane#what-is-consul-dataplane), Consul installation on Kubernetes is simplified by removing the Consul Client agents. This requires the Helm installation and rest of the consul-k8s components installed on Kubernetes to talk to Consul Servers directly on various ports. -Before starting the installation, ensure that the Consul Servers are configured to have the gRPC port enabled `8502/tcp` using the [`ports.grpc = 8502`](/consul/docs/agent/config/config-files#grpc) configuration option. +Before starting the installation, ensure that the Consul Servers are configured to have the gRPC port enabled `8502/tcp` using the [`ports.grpc = 8502`](/consul/docs/reference/agent#grpc) configuration option. ## Configuring TLS @@ -45,7 +45,7 @@ Before starting the installation, ensure that the Consul Servers are configured -> **Note:** Consul on Kubernetes currently does not support external servers that require mutual authentication for the HTTPS clients of the Consul servers, that is when servers have either `tls.defaults.verify_incoming` or `tls.https.verify_incoming` set to `true`. -As noted in the [Security Model](/consul/docs/security#secure-configuration), +As noted in the [Security Model](/consul/docs/secure-consul/security-model), that setting isn't strictly necessary to support Consul's threat model as it is recommended that all requests contain a valid ACL token. @@ -111,7 +111,7 @@ The bootstrap token requires the following minimal permissions: Next, configure external servers. The Helm chart will use this configuration to talk to the Consul server's API to create policies, tokens, and an auth method. If you are [enabling Consul service mesh](/consul/docs/k8s/connect), `k8sAuthMethodHost` should be set to the address of your Kubernetes API server -so that the Consul servers can validate a Kubernetes service account token when using the [Kubernetes auth method](/consul/docs/security/acl/auth-methods/kubernetes) +so that the Consul servers can validate a Kubernetes service account token when using the [Kubernetes auth method](/consul/docs/secure-consul/acl/auth-methods/kubernetes) with `consul login`. -> **Note:** If `externalServers.k8sAuthMethodHost` is set and you are also using WAN federation diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/bootstrap-token.mdx similarity index 81% rename from website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/data-integration/bootstrap-token.mdx index ea63dc99242..a70e8cda631 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/bootstrap-token.mdx @@ -1,15 +1,17 @@ --- layout: docs -page_title: Storing the ACL Bootstrap Token in Vault +page_title: Store ACL bootstrap token on Vault secrets backend description: >- Configuring the Consul Helm chart to use an ACL bootstrap token stored in Vault. --- -# Storing the ACL Bootstrap Token in Vault +# Store ACL bootstrap token on Vault secrets backend This topic describes how to configure the Consul Helm chart to use an ACL bootstrap token stored in Vault. + ## Overview -To use an ACL bootstrap token stored in Vault, follow the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section. + +To use an ACL bootstrap token stored in Vault, follow the steps outlined in the [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section. Complete the following steps once: 1. Store the secret in Vault. @@ -21,15 +23,15 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). +2. Read the [Data Integration Overview](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). ## Store the Secret in Vault First, generate and store the ACL bootstrap token in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put consul-kv/secret/bootstrap-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" +$ vault kv put secret/consul/bootstrap-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ## Create Vault policy @@ -41,7 +43,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "consul-kv/data/secret/bootstrap-token" { +path "secret/data/consul/bootstrap-token" { capabilities = ["read"] } ``` @@ -88,7 +90,7 @@ global: manageSystemACLsRole: consul-server-acl-init acls: bootstrapToken: - secretName: consul-kv/data/secret/bootstrap-token + secretName: secret/data/consul/bootstrap-token secretKey: token ``` diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/enterprise-license.mdx similarity index 82% rename from website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/data-integration/enterprise-license.mdx index 9b32cf468eb..5f28db137a5 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/enterprise-license.mdx @@ -1,15 +1,17 @@ --- layout: docs -page_title: Storing the Enterprise License in Vault +page_title: Store Consul Enterprise license on Vault secrets backend description: >- Configuring the Consul Helm chart to use an enterprise license stored in Vault. --- -# Storing the Enterprise License in Vault +# Store Consul Enterprise license on Vault secrets backend This topic describes how to configure the Consul Helm chart to use an enterprise license stored in Vault. + ## Overview -Complete the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section to use an enterprise license stored in Vault. + +Complete the steps outlined in the [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section to use an enterprise license stored in Vault. Complete the following steps once: 1. Store the secret in Vault. @@ -21,15 +23,15 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). +2. Read the [Data Integration Overview](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). ## Store the Secret in Vault First, store the enterprise license in Vault: ```shell-session -$ vault kv put consul-kv/secret/enterpriselicense key="" +$ vault kv put secret/consul/license key="" ``` ## Create Vault policy @@ -41,7 +43,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "consul-kv/data/secret/enterpriselicense" { +path "secret/data/consul/license" { capabilities = ["read"] } ``` @@ -103,7 +105,7 @@ global: consulServerRole: consul-server consulClientRole: consul-client enterpriseLicense: - secretName: consul-kv/data/secret/enterpriselicense + secretName: secret/data/consul/enterpriselicense secretKey: key ``` diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/gossip-encryption-key.mdx similarity index 83% rename from website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/data-integration/gossip-encryption-key.mdx index c6c71875a56..a73946f645c 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/gossip-encryption-key.mdx @@ -1,16 +1,17 @@ --- layout: docs -page_title: Storing the Gossip Encryption Key in Vault +page_title: Store Consul gossip encryption key on Vault secrets backend description: >- Configuring the Consul Helm chart to use a gossip encryption key stored in Vault. --- -# Storing Gossip Encryption Key in Vault +# Store Consul gossip encryption key on Vault secrets backend This topic describes how to configure the Consul Helm chart to use a gossip encryption key stored in Vault. ## Overview -Complete the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section to use a gossip encryption key stored in Vault. + +Complete the steps outlined in the [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section to use a gossip encryption key stored in Vault. Complete the following steps once: 1. Store the secret in Vault. @@ -22,14 +23,14 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). +2. Read the [Data Integration Overview](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). ## Store the Secret in Vault First, generate and store the gossip key in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put consul-kv/secret/gossip key="$(consul keygen)" +$ vault kv put secret/consul/gossip key="$(consul keygen)" ``` ## Create Vault policy @@ -40,7 +41,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "consul-kv/data/secret/gossip" { +path "secret/data/consul/gossip" { capabilities = ["read"] } ``` @@ -101,7 +102,7 @@ global: consulServerRole: consul-server consulClientRole: consul-client gossipEncryption: - secretName: consul-kv/data/secret/gossip + secretName: secret/data/consul/gossip secretKey: key ``` diff --git a/website/content/docs/deploy/server/k8s/multi/vault/data-integration/index.mdx b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/index.mdx new file mode 100644 index 00000000000..52cca666334 --- /dev/null +++ b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/index.mdx @@ -0,0 +1,137 @@ +--- +layout: docs +page_title: Vault as secrets backend — Data integration overview +description: >- + Overview of the data integration aspects to using Vault as the secrets backend for Consul on Kubernetes. +--- + +# Vault as secrets backend — Data integration overview + +his topic describes how to configure Vault and Consul in order to share secrets for use within Consul. + +## Prerequisites + +Before you set up the data integration between Vault and Consul on Kubernetes, read and complete the steps in the [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). + +## General integration steps + +For each secret you want to store in Vault, you must complete two multi-step procedures. + +Complete the following steps once: + 1. Store the secret in Vault. + 1. Create a Vault policy that authorizes the desired level of access to the secret. + +Repeat the following steps for each datacenter in the cluster: + 1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access. + 1. Update the Consul on Kubernetes Helm chart. + +## Secrets-to-service account mapping + +At the most basic level, the goal of this configuration is to authorize a Consul on Kubernetes service account to access a secret in Vault. + +The following table associates Vault secrets and the Consul on Kubernetes service accounts that require access. +(NOTE: `Consul components` refers to all other services and jobs that are not Consul servers or clients. +It includes things like terminating gateways, ingress gateways, etc.) + +### Primary datacenter + +| Secret | Service Account For | Configurable Role in Consul k8s Helm | +| ------ | ------------------- | ------------------------------------ | +|[ACL Bootstrap token](/consul/docs/deploy/server/k8s/multi/vault/data-integration/bootstrap-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| +|[ACL Partition token](/consul/docs/deploy/server/k8s/multi/vault/data-integration/partition-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| +|[ACL Replication token](/consul/docs/deploy/server/k8s/multi/vault/data-integration/replication-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| +|[Enterprise license](/consul/docs/deploy/server/k8s/multi/vault/data-integration/enterprise-license) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| +|[Gossip encryption key](/consul/docs/deploy/server/k8s/multi/vault/data-integration/gossip-encryption-key) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| +|[Snapshot Agent config](/consul/docs/deploy/server/k8s/multi/vault/data-integration/snapshot-agent) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| +|[Server TLS credentials](/consul/docs/deploy/server/k8s/multi/vault/data-integration/server-tls) | Consul servers
Consul clients
Consul components | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulclientrole)
[`global.secretsBackend.vault.consulCARole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulcarole)| +|[Service Mesh and Consul client TLS credentials](/consul/docs/deploy/server/k8s/multi/vault/data-integration/service-mesh-certificate) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| +|[Webhook TLS certificates for controller and connect inject](/consul/docs/deploy/server/k8s/multi/vault/data-integration/service-mesh-certificate) | Consul controllers
Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-controllerrole)
[`global.secretsBackend.vault.connectInjectRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-controllerrole)| + +### Secondary datacenters + +The mapping for secondary data centers is similar with the following differences: + +- There is no use of bootstrap token because ACLs would have been bootstrapped in the primary datacenter. +- ACL Partition token is mapped to both the `server-acl-init` job and the `partition-init` job service accounts. +- ACL Replication token is mapped to both the `server-acl-init` job and Consul service accounts. + +| Secret | Service Account For | Configurable Role in Consul k8s Helm | +| ------ | ------------------- | ------------------------------------ | +|[ACL Partition token](/consul/docs/deploy/server/k8s/multi/vault/data-integration/partition-token) | Consul server-acl-init job
Consul partition-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)
[`global.secretsBackend.vault.adminPartitionsRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-adminpartitionsrole)| +|[ACL Replication token](/consul/docs/deploy/server/k8s/multi/vault/data-integration/replication-token) | Consul server-acl-init job
Consul servers | [`global.secretsBackend.vault.manageSystemACLsRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)
[`global.secretsBackend.vault.consulServerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| +|[Enterprise license](/consul/docs/deploy/server/k8s/multi/vault/data-integration/enterprise-license) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| +|[Gossip encryption key](/consul/docs/deploy/server/k8s/multi/vault/data-integration/gossip-encryption-key) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| +|[Snapshot Agent config](/consul/docs/deploy/server/k8s/multi/vault/data-integration/snapshot-agent) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| +|[Server TLS credentials](/consul/docs/deploy/server/k8s/multi/vault/data-integration/server-tls) | Consul servers
Consul clients
Consul components | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulclientrole)
[`global.secretsBackend.vault.consulCARole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulcarole)| +|[Service Mesh and Consul client TLS credentials](/consul/docs/deploy/server/k8s/multi/vault/data-integration/service-mesh-certificate) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| +|[Webhook TLS certificates for controller and connect inject](/consul/docs/deploy/server/k8s/multi/vault/data-integration/service-mesh-certificate) | Consul controllers
Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-controllerrole)
[`global.secretsBackend.vault.connectInjectRole`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-controllerrole)| + +### Combining policies within roles + +Depending upon your needs, a Consul on Kubernetes service account may need to request more than one secret. To request multiple secrets, create one role for the Consul on Kubernetes service account that is mapped to multiple policies associated with the required secrets. + +For example, if your Consul on Kubernetes servers need access to [Consul Server TLS credentials](/consul/docs/deploy/server/k8s/multi/vault/data-integration/server-tls) and an [Enterprise license](/consul/docs/deploy/server/k8s/multi/vault/data-integration/enterprise-license): + +1. Create a policy for each secret. + + 1. Consul Server TLS credentials + + + + ```HCL + path "pki/cert/ca" { + capabilities = ["read"] + } + ``` + + + + ```shell-session + $ vault policy write ca-policy ca-policy.hcl + ``` + + 1. Enterprise License + + + + ```HCL + path "secret/data/consul/license" { + capabilities = ["read"] + } + ``` + + + + ```shell-session + $ vault policy write license-policy license-policy.hcl + ``` + +1. Create one role that maps the Consul on Kubernetes service account to the 3 policies. + ```shell-session + $ vault write auth/kubernetes/role/consul-server \ + bound_service_account_names= \ + bound_service_account_namespaces= \ + policies=ca-policy,license-policy \ + ttl=1h + ``` + +## Detailed data integration guides + +The following secrets can be stored in Vault KV secrets engine, which is meant to handle arbitrary secrets: + +- [ACL Bootstrap token](/consul/docs/deploy/server/k8s/multi/vault/data-integration/bootstrap-token) +- [ACL Partition token](/consul/docs/deploy/server/k8s/multi/vault/data-integration/partition-token) +- [ACL Replication token](/consul/docs/deploy/server/k8s/multi/vault/data-integration/replication-token) +- [Enterprise license](/consul/docs/deploy/server/k8s/multi/vault/data-integration/enterprise-license) +- [Gossip encryption key](/consul/docs/deploy/server/k8s/multi/vault/data-integration/gossip-encryption-key) +- [Snapshot Agent config](/consul/docs/deploy/server/k8s/multi/vault/data-integration/snapshot-agent) + +The following TLS certificates and keys can generated and managed by Vault the Vault PKI Engine, which is meant to handle things like certificate expiration and rotation: + +- [Server TLS credentials](/consul/docs/deploy/server/k8s/multi/vault/data-integration/server-tls) +- [Service Mesh and Consul client TLS credentials](/consul/docs/deploy/server/k8s/multi/vault/data-integration/service-mesh-certificate) +- [Vault as the Webhook Certificate Provider for Consul Controller and Connect Inject on Kubernetes](/consul/docs/deploy/server/k8s/multi/vault/data-integration/webhook-certificate) + +## Secrets-to-service account mapping + +Read through the [detailed data integration guides](#detailed-data-integration-guides) that are pertinent to your environment. diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/partition-token.mdx similarity index 79% rename from website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/data-integration/partition-token.mdx index 329c96ebef0..99eadcefc12 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/partition-token.mdx @@ -1,16 +1,17 @@ --- layout: docs -page_title: Storing the ACL Partition Token in Vault +page_title: Store ACL partition token on Vault secrets backend description: >- Configuring the Consul Helm chart to use an ACL partition token stored in Vault. --- -# Storing the ACL Partition Token in Vault +# Store ACL partition token on Vault secrets backend -This topic describes how to configure the Consul Helm chart to use an ACL partition token stored in Vault when using [Admin Partitions](/consul/docs/enterprise/admin-partitions) in Consul Enterprise. +This topic describes how to configure the Consul Helm chart to use an ACL partition token stored in Vault when using [Admin Partitions](/consul/docs/segment/admin-partition) in Consul Enterprise. ## Overview -Complete the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section to use an ACL partition token stored in Vault. + +Complete the steps outlined in the [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section to use an ACL partition token stored in Vault. Complete the following steps once: 1. Store the secret in Vault. @@ -22,15 +23,15 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). +2. Read the [Data Integration Overview](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). ## Store the Secret in Vault First, generate and store the ACL partition token in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put consul-kv/secret/partition-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" +$ vault kv put secret/consul/partition-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ## Create Vault policy @@ -42,7 +43,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "consul-kv/data/secret/consul/partition-token" { +path "secret/data/consul/partition-token" { capabilities = ["read"] } ``` @@ -90,7 +91,7 @@ global: adminPartitionsRole: consul-partition-init acls: partitionToken: - secretName: consul-kv/data/secret/partition-token + secretName: secret/data/consul/partition-token secretKey: token ``` diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/replication-token.mdx similarity index 80% rename from website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/data-integration/replication-token.mdx index 6d6077facda..5880f5a1299 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/replication-token.mdx @@ -1,15 +1,17 @@ --- layout: docs -page_title: Storing the ACL Replication Token in Vault +page_title: Store ACL replication token in Vault secrets backend description: >- Configuring the Consul Helm chart to use an ACL replication token stored in Vault. --- -# Storing the ACL Replication Token in Vault +# Store ACL replication token in Vault secrets backend This topic describes how to configure the Consul Helm chart to use an ACL replication token stored in Vault. + ## Overview -To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section. + +To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section. Complete the following steps once: 1. Store the secret in Vault. @@ -21,15 +23,15 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). +2. Read the [Data Integration Overview](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). ## Store the Secret in Vault First, generate and store the ACL replication token in Vault. You will only need to perform this action once: ```shell-session -$ vault kv put consul-kv/secret/replication-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" +$ vault kv put secret/consul/replication-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ## Create Vault policy @@ -41,7 +43,7 @@ The path to the secret referenced in the `path` resource is the same value that ```HCL -path "consul-kv/data/secret/replication-token" { +path "secret/data/consul/replication-token" { capabilities = ["read"] } ``` @@ -88,7 +90,7 @@ global: manageSystemACLsRole: consul-server-acl-init acls: replicationToken: - secretName: consul-kv/data/secret/replication-token + secretName: secret/data/consul/replication-token secretKey: token ``` diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/server-tls.mdx similarity index 92% rename from website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/data-integration/server-tls.mdx index f20e0e9a00e..1690e83e566 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/server-tls.mdx @@ -1,14 +1,13 @@ --- layout: docs -page_title: Vault as the Server TLS Certificate Provider on Kubernetes +page_title: Vault as the Consul server TLS certificate provider on Kubernetes description: >- Configuring the Consul Helm chart to use TLS certificates issued by Vault for the Consul server. --- -# Vault as the Server TLS Certificate Provider on Kubernetes +# Vault as the Consul server TLS certificate provider on Kubernetes -## Overview -To use Vault as the server TLS certificate provider on Kubernetes, complete a modified version of the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section. +To use Vault as the server TLS certificate provider on Kubernetes, complete a modified version of the steps outlined in the [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section. Complete the following steps once: 1. Create a Vault policy that authorizes the desired level of access to the secret. @@ -20,8 +19,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). +2. Read the [Data Integration Overview](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). 3. Complete the [Bootstrapping the PKI Engine](#bootstrapping-the-pki-engine) section. ## Bootstrapping the PKI Engine diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/service-mesh-certificate.mdx similarity index 84% rename from website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/data-integration/service-mesh-certificate.mdx index 7550eb44420..e7c47769f17 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/service-mesh-certificate.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Vault as the Service Mesh Certificate Provider on Kubernetes +page_title: Vault as the Consul service mesh certificate authority on Kubernetes description: >- Using Vault as the provider for the Service Mesh certificates on Kubernetes. --- -# Vault as the Service Mesh Certificate Provider on Kubernetes +# Vault as the Consul service mesh certificate authority on Kubernetes This topic describes how to configure the Consul Helm chart to use TLS certificates issued by Vault for Consul service mesh communication. @@ -17,7 +17,7 @@ This allows for automatic token rotation once the renewal is no longer possible. ## Overview -To use Vault as the service mesh certificate provider on Kubernetes, you will complete a modified version of the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section. +To use Vault as the service mesh certificate provider on Kubernetes, you will complete a modified version of the steps outlined in the [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section. Complete the following steps once: 1. Create a Vault policy that authorizes the desired level of access to the secret. @@ -28,14 +28,14 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). +2. Read the [Data Integration Overview](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). ## Create Vault policy -To configure [Vault as the provider](/consul/docs/connect/ca/vault) for the Consul service mesh certificates, +To configure [Vault as the provider](/consul/docs/secure-mesh/certificate/vault) for the Consul service mesh certificates, you will first need to decide on the type of policy that is suitable for you. -To see the permissions that Consul would need in Vault, please see [Vault ACL policies](/consul/docs/connect/ca/vault#vault-acl-policies) +To see the permissions that Consul would need in Vault, please see [Vault ACL policies](/consul/docs/secure-mesh/certificate/vault#vault-acl-policies) documentation. ## Create Vault Authorization Roles for Consul diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/snapshot-agent-config.mdx similarity index 78% rename from website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/data-integration/snapshot-agent-config.mdx index 532b415b095..dc050230169 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/snapshot-agent-config.mdx @@ -1,15 +1,17 @@ --- layout: docs -page_title: Storing the Snapshot Agent Config in Vault +page_title: Store snapshot agent configuration in Vault secrets backend description: >- Configuring the Consul Helm chart to use a snapshot agent config stored in Vault. --- -# Storing the Snapshot Agent Config in Vault +# Store snapshot agent configuration in Vault secrets backend + +This topic describes how to configure the Consul Helm chart to use a snapshot agent configuration stored in Vault. -This topic describes how to configure the Consul Helm chart to use a snapshot agent config stored in Vault. ## Overview -To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section. + +To use a snapshot agent configuration stored in Vault, follow the steps outlined in the [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section. Complete the following steps once: 1. Store the secret in Vault. @@ -21,15 +23,15 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Before you set up data integration between Vault and Consul on Kubernetes, complete the following prerequisites: -1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). +2. Read the [Data Integration Overview](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). ## Store the Secret in Vault First, store the snapshot agent config in Vault: ```shell-session -$ vault kv put consul-kv/secret/snapshot-agent-config key="" +$ vault kv put secret/consul/snapshot-agent-config key="" ``` ## Create Vault policy @@ -41,7 +43,7 @@ The path to the secret referenced in the `path` resource is the same values that ```HCL -path "consul-kv/data/secret/snapshot-agent-config" { +path "secret/data/consul/snapshot-agent-config" { capabilities = ["read"] } ``` @@ -91,7 +93,7 @@ global: client: snapshotAgent: configSecret: - secretName: consul-kv/data/secret/snapshot-agent-config + secretName: secret/data/consul/snapshot-agent-config secretKey: key ``` diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/webhook-certificates.mdx similarity index 92% rename from website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/data-integration/webhook-certificates.mdx index b615d31fabd..558f323304e 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/data-integration/webhook-certificates.mdx @@ -1,15 +1,16 @@ --- layout: docs -page_title: Vault as the Webhook Certificate Provider for Consul Controller and Connect Inject on Kubernetes +page_title: Vault as service mesh webhook certificate provider on Kubernetes description: >- Configuring the Consul Helm chart to use TLS certificates issued by Vault for the Consul Controller and Connect Inject webhooks. --- -# Vault as the Controller and Connect Inject Webhook Certificate Provider on Kubernetes +# Vault as service mesh webhook certificate provider on Kubernetes This topic describes how to configure the Consul Helm chart to use TLS certificates issued by Vault in the Consul controller and connect inject webhooks. ## Overview + In a Consul Helm chart configuration that does not use Vault, `webhook-cert-manager` ensures that a valid certificate is updated to the `mutatingwebhookconfiguration` of either the controller or connect inject to ensure that Kubernetes can communicate with each of these services. When Vault is configured as the controller and connect inject Webhook Certificate Provider on Kubernetes: @@ -19,7 +20,7 @@ When Vault is configured as the controller and connect inject Webhook Certificat - Controller and connect inject each locally update its own `mutatingwebhookconfiguration` so that Kubernetes can relay events. - Vault manages certificate rotation and rotates certificates to each webhook. -To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section: +To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section: These following steps will be repeated for each datacenter: 1. Create a Vault policy that authorizes the desired level of access to the secret. @@ -29,10 +30,10 @@ These following steps will be repeated for each datacenter: ## Prerequisites Complete the following prerequisites prior to implementing the integration described in this topic: -1. Verify that you have completed the steps described in [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). -1. You should be familiar with the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). -1. Configure [Vault as the Server TLS Certificate Provider on Kubernetes](/consul/docs/k8s/deployment-configurations/vault/data-integration/server-tls) -1. Configure [Vault as the Service Mesh Certificate Provider on Kubernetes](/consul/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) +1. Verify that you have completed the steps described in [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). +1. You should be familiar with the [Data Integration Overview](/consul/docs/deploy/server/k8s/multi/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). +1. Configure [Vault as the Server TLS Certificate Provider on Kubernetes](/consul/docs/deploy/server/k8s/multi/vault/data-integration/server-tls) +1. Configure [Vault as the Service Mesh Certificate Provider on Kubernetes](/consul/docs/deploy/server/k8s/multi/vault/data-integration/service-mesh-certificate) ## Bootstrapping the PKI Engines Issue the following commands to enable and configure the PKI Secrets Engine to serve TLS certificates for the controller and connect inject webhooks: diff --git a/website/content/docs/k8s/deployment-configurations/vault/index.mdx b/website/content/docs/deploy/server/k8s/multi/vault/index.mdx similarity index 79% rename from website/content/docs/k8s/deployment-configurations/vault/index.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/index.mdx index a3c1f24b7d8..b0d23125c8b 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/index.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/index.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Vault as the Secrets Backend Overview +page_title: Vault as secrets backend — Overview description: >- Using Vault as the secrets backend for Consul on Kubernetes. --- -# Vault as the Secrets Backend Overview +# Vault as secrets backend — Overview By default, Consul Helm chart will expect that any credentials it needs are stored as Kubernetes secrets. As of Consul 1.11 and Consul Helm chart v0.38.0, we integrate more natively with Vault making it easier @@ -46,9 +46,8 @@ The following TLS certificates and keys can be generated and managed by the Vaul ## Next Steps The Vault integration with Consul on Kubernetes has two aspects or phases: -- [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) - Configure Vault and Consul on Kubernetes systems to leverage Vault as the secrets store. -- [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) - Configure specific secrets to be stored and +- [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) - Configure Vault and Consul on Kubernetes systems to leverage Vault as the secrets store. +- [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/data-integration) - Configure specific secrets to be stored and retrieved from Vault for use with Consul on Kubernetes. -As a next step, please proceed to [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) overview to understand how to first setup Vault and Consul on Kubernetes to leverage Vault as a secrets backend. - +As a next step, please proceed to [Systems Integration](/consul/docs/deploy/server/k8s/multi/vault/system-integration) overview to understand how to first setup Vault and Consul on Kubernetes to leverage Vault as a secrets backend. \ No newline at end of file diff --git a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx b/website/content/docs/deploy/server/k8s/multi/vault/system-integration.mdx similarity index 84% rename from website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/system-integration.mdx index a35a9969e24..28429811a1d 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/system-integration.mdx @@ -1,45 +1,44 @@ --- layout: docs -page_title: Vault as the Secrets Backend Systems Integration Overview +page_title: Vault as secrets backend — System integrations description: >- Overview of the systems integration aspects to using Vault as the secrets backend for Consul on Kubernetes. --- -# Vault as the Secrets Backend - Systems Integration +# Vault as secrets backend — System integrations -## Overview Integrating Vault with Consul on Kubernetes includes a one-time setup on Vault and setting up the secrets backend for each Consul datacenter via Helm. Complete the following steps once: - Enabling Vault KV Secrets Engine - Version 2 to store arbitrary secrets - - Enabling Vault PKI Engine if you are choosing to store and manage either [Consul Server TLS credentials](/consul/docs/k8s/deployment-configurations/vault/data-integration/server-tls) or [Service Mesh and Consul client TLS credentials](/consul/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) + - Enabling Vault PKI Engine if you are choosing to store and manage either [Consul Server TLS credentials](/consul/docs/deploy/server/k8s/multi/vault/data-integration/server-tls) or [Service Mesh and Consul client TLS credentials](/consul/docs/deploy/server/k8s/multi/vault/data-integration/service-mesh-certificate) Repeat the following steps for each datacenter in the cluster: - Installing the Vault Injector within the Consul datacenter installation - Configuring a Kubernetes Auth Method in Vault to authenticate and authorize operations from the Consul datacenter - Enable Vault as the Secrets Backend in the Consul datacenter -Please read [Run Vault on Kubernetes](/vault/docs/platform/k8s/helm/run) if instructions on setting up a Vault cluster are needed. +Please read [Run Vault on Kubernetes](/vault/docs/platform/reference/k8s/helm/run) if instructions on setting up a Vault cluster are needed. ## Vault KV Secrets Engine - Version 2 The following secrets can be stored in Vault KV secrets engine, which is meant to handle arbitrary secrets: -- ACL Bootstrap token ([`global.acls.bootstrapToken`](/consul/docs/k8s/helm#v-global-acls-bootstraptoken)) -- ACL Partition token ([`global.acls.partitionToken`](/consul/docs/k8s/helm#v-global-acls-partitiontoken)) -- ACL Replication token ([`global.acls.replicationToken`](/consul/docs/k8s/helm#v-global-acls-replicationtoken)) -- Gossip encryption key ([`global.gossipEncryption`](/consul/docs/k8s/helm#v-global-gossipencryption)) -- Enterprise license ([`global.enterpriseLicense`](/consul/docs/k8s/helm#v-global-enterpriselicense)) -- Snapshot Agent config ([`client.snapshotAgent.configSecret`](/consul/docs/k8s/helm#v-client-snapshotagent-configsecret)) +- ACL Bootstrap token ([`global.acls.bootstrapToken`](/consul/docs/reference/k8s/helm#v-global-acls-bootstraptoken)) +- ACL Partition token ([`global.acls.partitionToken`](/consul/docs/reference/k8s/helm#v-global-acls-partitiontoken)) +- ACL Replication token ([`global.acls.replicationToken`](/consul/docs/reference/k8s/helm#v-global-acls-replicationtoken)) +- Gossip encryption key ([`global.gossipEncryption`](/consul/docs/reference/k8s/helm#v-global-gossipencryption)) +- Enterprise license ([`global.enterpriseLicense`](/consul/docs/reference/k8s/helm#v-global-enterpriselicense)) +- Snapshot Agent config ([`client.snapshotAgent.configSecret`](/consul/docs/reference/k8s/helm#v-client-snapshotagent-configsecret)) In order to store any of these secrets, we must enable the [Vault KV secrets engine - Version 2](/vault/docs/secrets/kv/kv-v2). ```shell-session -$ vault secrets enable -path=consul-kv kv-v2 +$ vault secrets enable -path=consul kv-v2 ``` ## Vault PKI Engine -The Vault PKI Engine must be enabled in order to leverage Vault for issuing Consul Server TLS certificates. More details for configuring the PKI Engine is found in [Bootstrapping the PKI Engine](/consul/docs/k8s/deployment-configurations/vault/data-integration/server-tls#bootstrapping-the-pki-engine) under the Server TLS section. +The Vault PKI Engine must be enabled in order to leverage Vault for issuing Consul Server TLS certificates. More details for configuring the PKI Engine is found in [Bootstrapping the PKI Engine](/consul/docs/deploy/server/k8s/multi/vault/data-integration/server-tls#bootstrapping-the-pki-engine) under the Server TLS section. ```shell-session $ vault secrets enable pki @@ -123,7 +122,7 @@ Before installing the Vault Injector and configuring the Vault Kubernetes Auth M ## Install Vault Injector in Consul k8s cluster -A minimal valid installation of Vault Kubernetes must include the Agent Injector which is utilized for accessing secrets from Vault. Vault servers could be deployed external to Vault on Kubernetes with the [`injector.externalVaultAddr`](/vault/docs/platform/k8s/helm/configuration#externalvaultaddr) value in the Vault Helm Configuration. +A minimal valid installation of Vault Kubernetes must include the Agent Injector which is utilized for accessing secrets from Vault. Vault servers could be deployed external to Vault on Kubernetes with the [`injector.externalVaultAddr`](/vault/docs/platform/reference/k8s/helm/configuration#externalvaultaddr) value in the Vault Helm Configuration. ```shell-session $ cat <> vault-injector.yaml @@ -175,14 +174,14 @@ $ vault write auth/kubernetes/config \ ## Update Vault Helm chart Finally, you will configure the Consul on Kubernetes helm chart for the datacenter to expect to receive the following values (if you have configured them) to be retrieved from Vault: -- ACL Bootstrap token ([`global.acls.bootstrapToken`](/consul/docs/k8s/helm#v-global-acls-bootstraptoken)) -- ACL Partition token ([`global.acls.partitionToken`](/consul/docs/k8s/helm#v-global-acls-partitiontoken)) -- ACL Replication token ([`global.acls.replicationToken`](/consul/docs/k8s/helm#v-global-acls-replicationtoken)) -- Enterprise license ([`global.enterpriseLicense`](/consul/docs/k8s/helm#v-global-enterpriselicense)) -- Gossip encryption key ([`global.gossipEncryption`](/consul/docs/k8s/helm#v-global-gossipencryption)) -- Snapshot Agent config ([`client.snapshotAgent.configSecret`](/consul/docs/k8s/helm#v-client-snapshotagent-configsecret)) -- TLS CA certificates ([`global.tls.caCert`](/consul/docs/k8s/helm#v-global-tls-cacert)) -- Server TLS certificates ([`server.serverCert`](/consul/docs/k8s/helm#v-server-servercert)) +- ACL Bootstrap token ([`global.acls.bootstrapToken`](/consul/docs/reference/k8s/helm#v-global-acls-bootstraptoken)) +- ACL Partition token ([`global.acls.partitionToken`](/consul/docs/reference/k8s/helm#v-global-acls-partitiontoken)) +- ACL Replication token ([`global.acls.replicationToken`](/consul/docs/reference/k8s/helm#v-global-acls-replicationtoken)) +- Enterprise license ([`global.enterpriseLicense`](/consul/docs/reference/k8s/helm#v-global-enterpriselicense)) +- Gossip encryption key ([`global.gossipEncryption`](/consul/docs/reference/k8s/helm#v-global-gossipencryption)) +- Snapshot Agent config ([`client.snapshotAgent.configSecret`](/consul/docs/reference/k8s/helm#v-client-snapshotagent-configsecret)) +- TLS CA certificates ([`global.tls.caCert`](/consul/docs/reference/k8s/helm#v-global-tls-cacert)) +- Server TLS certificates ([`server.serverCert`](/consul/docs/reference/k8s/helm#v-server-servercert)) @@ -197,7 +196,7 @@ global: ## Next Steps -As a next step, please proceed to Vault integration with Consul on Kubernetes' [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration). +As a next step, please proceed to Vault integration with Consul on Kubernetes' [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/data-integration). ## Troubleshooting diff --git a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx b/website/content/docs/deploy/server/k8s/multi/vault/wan.mdx similarity index 89% rename from website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx rename to website/content/docs/deploy/server/k8s/multi/vault/wan.mdx index 3afcbb7072c..f9a7449af9e 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx +++ b/website/content/docs/deploy/server/k8s/multi/vault/wan.mdx @@ -1,18 +1,16 @@ --- layout: docs -page_title: Federation Between Kubernetes Clusters with Vault as Secrets Backend +page_title: Vault as secrets backend — WAN federation description: >- Federating multiple Kubernetes clusters using Vault as secrets backend. --- -# Federation Between Kubernetes Clusters with Vault as Secrets Backend +# Vault as secrets backend — WAN federation -~> **Note**: This topic requires familiarity with [Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters), [WAN Federation Via Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways). - -This page describes how you can federate multiple Kubernetes clusters using Vault as the secrets backend. See the [Multi-Cluster Overview](/consul/docs/k8s/deployment-configurations/multi-cluster) for more information on use cases and how it works. +This page describes how you can federate multiple Kubernetes clusters using Vault as the secrets backend. See the [Multi-Cluster Overview](/consul/docs/east-west/wan-federation) for more information on use cases and how it works. ## Differences Between Using Kubernetes Secrets vs. Vault -The [Federation Between Kubernetes Clusters](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes) page provides an overview of WAN Federation using Mesh Gateways with Kubernetes secrets as the secret backend. When using Vault as the secrets backend, there are different systems and data integration configuration that will be explained in the [Usage](#usage) section of this page. The other main difference is that when using Vault, there is no need for you to export and import a [Federation Secret](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes#federation-secret) in each datacenter. +The [Federation Between Kubernetes Clusters](/consul/docs/east-west/wan-federation/k8s) page provides an overview of WAN Federation using Mesh Gateways with Kubernetes secrets as the secret backend. When using Vault as the secrets backend, there are different systems and data integration configuration that will be explained in the [Usage](#usage) section of this page. The other main difference is that when using Vault, there is no need for you to export and import a [Federation Secret](/consul/docs/east-west/wan-federation/k8s#federation-secret) in each datacenter. ## Usage @@ -28,7 +26,7 @@ The Vault Agents on each Consul pod will communicate directly with Vault on its ![Vault agent and server communication](/img/k8s/consul-vault-wan-federation-vault-communication.svg 'Vault agent and server communication') -The two data centers will federated using mesh gateways. This communication topology is also described in the [WAN Federation Via Mesh Gateways](/consul/docs/k8s/deployment-configurations/multi-cluster#wan-federation-via-mesh-gateways) section of [Multi-Cluster Federation Overview](/consul/docs/k8s/deployment-configurations/multi-cluster). +The two data centers will federated using mesh gateways. This communication topology is also described in the [WAN Federation Via Mesh Gateways](/consul/docs/east-west/wan-federation#wan-federation-via-mesh-gateways) section of [Multi-Cluster Federation Overview](/consul/docs/east-west/wan-federation). ![Mesh Federation via Mesh Gateways](/img/k8s/consul-vault-wan-federation-mesh-communication.svg 'Mesh Federation via Mesh Gateways') @@ -126,10 +124,10 @@ Repeat the following steps for each datacenter in the cluster: 1. Enable Vault as the Secrets Backend in the Consul datacenter ### Configure Vault Secrets engines -1. Enable [Vault KV secrets engine - Version 2](/vault/docs/secrets/kv/kv-v2) in order to store the [Gossip Encryption Key](/consul/docs/k8s/helm#v-global-acls-replicationtoken) and the ACL Replication token ([`global.acls.replicationToken`](/consul/docs/k8s/helm#v-global-acls-replicationtoken)). +1. Enable [Vault KV secrets engine - Version 2](/vault/docs/secrets/kv/kv-v2) in order to store the [Gossip Encryption Key](/consul/docs/reference/k8s/helm#v-global-acls-replicationtoken) and the ACL Replication token ([`global.acls.replicationToken`](/consul/docs/reference/k8s/helm#v-global-acls-replicationtoken)). ```shell-session - $ vault secrets enable -path=consul-kv kv-v2 + $ vault secrets enable -path=consul kv-v2 ``` 1. Enable Vault PKI Engine in order to leverage Vault for issuing Consul Server TLS certificates. @@ -184,7 +182,7 @@ Repeat the following steps for each datacenter in the cluster: $ vault write auth/kubernetes-dc1/config kubernetes_host=https://kubernetes.default.svc ``` -1. Enable Vault as the secrets backend in the primary datacenter (dc1). However, you will not yet apply the Helm install command. You will issue the Helm upgrade command after the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/wan-federation#setup-per-consul-datacenter-1) section. +1. Enable Vault as the secrets backend in the primary datacenter (dc1). However, you will not yet apply the Helm install command. You will issue the Helm upgrade command after the [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/wan#setup-per-consul-datacenter-1) section. @@ -286,7 +284,7 @@ Repeat the following steps for each datacenter in the cluster: kubernetes_ca_cert="${K8S_DC2_CA_CERT}" ``` -1. Enable Vault as the secrets backend in the secondary Consul datacenter (dc2). However, you will not yet apply the Helm install command. You will issue the Helm upgrade command after the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/wan-federation#setup-per-consul-datacenter-1) section. +1. Enable Vault as the secrets backend in the secondary Consul datacenter (dc2). However, you will not yet apply the Helm install command. You will issue the Helm upgrade command after the [Data Integration](/consul/docs/deploy/server/k8s/multi/vault/wan#setup-per-consul-datacenter-1) section. @@ -314,15 +312,15 @@ Repeat the following steps for each datacenter in the cluster: 1. Store the ACL bootstrap and replication tokens, gossip encryption key, and root CA certificate secrets in Vault. ```shell-session - $ vault kv put consul-kv/secret/gossip key="$(consul keygen)" + $ vault kv put consul/secret/gossip key="$(consul keygen)" ``` ```shell-session - $ vault kv put consul-kv/secret/bootstrap token="$(uuidgen | tr '[:upper:]' '[:lower:]')" + $ vault kv put consul/secret/bootstrap token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ```shell-session - $ vault kv put consul-kv/secret/replication token="$(uuidgen | tr '[:upper:]' '[:lower:]')" + $ vault kv put consul/secret/replication token="$(uuidgen | tr '[:upper:]' '[:lower:]')" ``` ```shell-session $ vault write pki/root/generate/internal common_name="Consul CA" ttl=87600h @@ -332,7 +330,7 @@ Repeat the following steps for each datacenter in the cluster: ```shell-session $ vault policy write gossip - <- + Deploy Consul on AKS and learn how to manage your Consul datacenter with the Consul CLI, UI, and API. +--- + +# Deploy Consul on AKS + +This topic describes how to deploy a Consul datacenter to an Azure Kubernetes Services (AKS) cluster. After deploying Consul, you will interact with Consul using the CLI, UI, and/or API. + +## Requirements + +To deploy Consul on AKS, you will need: + +- An Azure account with the ability to create a Kubernetes cluster +- [Azure Cloud Shell](https://shell.azure.com/) +- [consul v1.14.0+](/consul/install/) +- [Helm v3.6+](https://helm.sh/docs/helm/helm_install/) +- [consul-k8s v1.0.2+](/consul/docs/reference-cli/consul-k8s#install-the-cli) + +This example uses the latest version of Helm and `kubectl`, which are installed with the Azure Cloud Shell. + +### Create an AKS cluster + +You need at least a three node AKS cluster to deploy Consul using the official Consul Helm chart or the Consul K8S CLI. Create a three node cluster on AKS by following the [AKS documentation](https://docs.microsoft.com/en-us/azure/aks/). + +### Configure kubectl to interact to your cluster + +Login to the Azure Shell on your console. + +```shell-session +$ az login +``` + +Configure `kubectl` to connect to your Kubernetes cluster. This command downloads credentials and configures the Kubernetes CLI to use them. Replace `myResourceGroup` and `myAKSCluster` with your resource group and AKS cluster name. + +```shell-session +$ az aks get-credentials --resource-group myResourceGroup --name myAKSCluster +``` + +Verify you are connected to your Kubernetes cluster. + +```shell-session +$ kubectl cluster-info +Kubernetes control plane is running at +CoreDNS is running at https:///api/v1/namespaces/kube-system/services/kube-dns:dns/proxy +Metrics-server is running at https:///api/v1/namespaces/kube-system/services/https:metrics-server:/proxy + +To further debug and diagnose cluster problems, use the command`kubectl cluster-info dump`. +``` + +## Deploy Consul + +You can deploy a complete Consul datacenter using the official Consul Helm chart or the Consul K8S CLI. By default, these methods will install a total of three Consul servers. You can review the Consul Kubernetes installation [documentation](/consul/docs/k8s/installation/install) to learn more about these installation options. + +### Create a values file + +To customize your deployment, create a `values.yaml` file to customization your Consul deployment. + + + +```yaml +# Contains values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. + # If true, servers, clients, Consul DNS and the Consul UI will be enabled. + enabled: true + # The prefix used for all resources created in the Helm chart. + name: consul + # The name of the datacenter that the agents should register as. + datacenter: dc1 + # Enables TLS across the cluster to verify authenticity of the Consul servers and clients. + tls: + enabled: true + # Enables ACLs across the cluster to secure access to data and APIs. + acls: + # If true, automatically manage ACL tokens and policies for all Consul components. + manageSystemACLs: true +# Configures values that configure the Consul server cluster. +server: + enabled: true + # The number of server agents to run. This determines the fault tolerance of the cluster. + replicas: 3 +# Contains values that configure the Consul UI. +ui: + enabled: true + # Registers a Kubernetes Service for the Consul UI as a LoadBalancer. + service: + type: LoadBalancer +# Configures and installs the automatic Consul Connect sidecar injector. +connectInject: + enabled: true +``` + + + +### Install Consul in your cluster + +You can now deploy a complete Consul datacenter in your Kubernetes cluster using the official Consul Helm chart or the Consul K8S CLI. + + + + +Install Consul onto the AKS cluster with `consul-k8s`. Confirm the installation with a `y` when prompted. + +```shell-session +$ consul-k8s install -config-file=values.yaml -set global.image=hashicorp/consul:1.14.0 +``` + +Review the official [Consul K8S CLI documentation](/consul/docs/reference-cli/consul-k8s) to learn more about additional settings. + + + + +Install Consul onto the kind cluster with Helm. Confirm the installation with a `y` when prompted. + +```shell-session +$ helm install --values values.yaml consul hashicorp/consul --create-namespace --namespace consul --version "1.0.0" +``` + +Review the official [Helm chart values](/consul/docs/reference/k8s/helm#configuration-values) to learn more about the default settings. + + + + +Verify the Consul resources were successfully created. + +```shell-session +$ kubectl get pods --namespace consul +NAME READY STATUS RESTARTS AGE +consul-connect-injector-6fc8d669b8-2n82l 1/1 Running 0 2m34s +consul-connect-injector-6fc8d669b8-9mqfm 1/1 Running 0 2m34s +consul-controller-554c7f79c4-2xc64 1/1 Running 0 2m34s +consul-server-0 1/1 Running 0 2m34s +consul-server-1 1/1 Running 0 2m34s +consul-server-2 1/1 Running 0 2m34s +consul-webhook-cert-manager-64889c4964-wxc9b 1/1 Running 0 2m34s +``` + +## Configure your CLI to interact with Consul cluster + +In this section, you will set environment variables in your terminal so your Consul CLI can interact with your Consul cluster. The Consul CLI reads these environment variables for behavior defaults and will reference these values when you run `consul` commands. + +Tokens are artifacts in the ACL system used to authenticate users, services, and Consul agents. Since ACLs are enabled in this Consul datacenter, entities requesting access to a resource must include a token that is linked with a policy, service identity, or node identity that grants permission to the resource. The ACL system checks the token and grants or denies access to resources based on the associated permissions. A bootstrap token has unrestricted privileges to all resources and APIs. + +Retrieve the ACL bootstrap token from the respective Kubernetes secret and set it as an environment variable. + +```shell-session +$ export CONSUL_HTTP_TOKEN=$(kubectl get --namespace consul secrets/consul-bootstrap-acl-token --template={{.data.token}} | base64 -d) +``` + +Set the Consul destination address. + +```shell-session +$ export CONSUL_HTTP_ADDR=https://$(kubectl get services/consul-ui --namespace consul -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +``` + +Remove SSL verification checks to simplify communication to your Consul cluster. + +```shell-session +$ export CONSUL_HTTP_SSL_VERIFY=false +``` + + + + In a production environment, we recommend keeping this SSL verification set to `true`. Only remove this verification for if you have a Consul cluster without TLS configured in development environment and demonstration purposes. + + + +## View Consul services + +In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh. + + + + +Run the CLI command `consul catalog services` to return the list of services registered in Consul. Notice this returns only the `consul` service since it is the only running service in your Consul cluster. + +```shell-session +$ consul catalog services +consul +``` + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +Run the CLI command `consul members` to return the list of Consul agents in your environment. + +```shell-session +$ consul members +Node Address Status Type Build Protocol DC Partition Segment +consul-server-0 10.0.4.117:8301 alive server 1.14.0beta1 2 dc1 default +consul-server-1 10.0.5.11:8301 alive server 1.14.0beta1 2 dc1 default +consul-server-2 10.0.4.55:8301 alive server 1.14.0beta1 2 dc1 default +``` + + + + +Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI. + +```shell-session +$ echo $CONSUL_HTTP_TOKEN +fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc +``` + +Open a separate terminal window and expose the Consul UI with `kubectl port-forward` using the `consul-ui` service name as the target. By default, Consul UI runs on port `6443` when you enable TLS, and port `8500` when TLS is disabled. + +```shell-session +$ kubectl port-forward svc/consul-ui --namespace consul 6443:443 +``` + +Open [https://localhost:6443](https://localhost:6443) in your browser to find the Consul UI. Since this environment uses a self-signed TLS certificate for its resources, click to proceed through the certificate warnings. + +On the left navigation pane, click **Services** to review your deployed services. At this time, you will only find the `consul` service. + +![Consul UI Services Page](/img/consul/kubernetes-gs-deploy_consul_ui_services.png 'Consul services page in UI with Consul services') + +By default, the anonymous ACL policy allows you to view the contents of Consul services, nodes, and intentions. To make changes and see more details within the Consul UI, click **Log In** in the top right and insert your bootstrap ACL token. + +![Consul UI Login Page](/img/consul/kubernetes-gs-deploy_consul_ui_login.png 'Consul login page in UI') + +After successfully authenticating with your ACL token, you are now able to view additional Consul components and make changes in the UI. Notice you can view and manage more options under the **Access Controls** section on the left navigation pane. + +![Consul UI Post Authentication](/img/consul/kubernetes-gs-deploy_consul_ui_post_authentication.png 'Consul UI post authentication') + +On the left navigation pane, click on **Nodes**. + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +![Consul UI Nodes](/img/consul/kubernetes-eks-aws-consul_view_nodes.png 'Consul UI Nodes') + + + + +View the list of services registered in Consul. + +```shell-session +$ curl -k \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + $CONSUL_HTTP_ADDR/v1/catalog/services +``` + +Sample output: + +```json hideClipboard +{"consul":[]} +``` + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +View the list of server and client Consul agents in your environment. + +```shell-session +$ curl -k \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + $CONSUL_HTTP_ADDR/v1/agent/members\?pretty +``` + +Sample output: + +```json hideClipboard +[ + { + "Name": "consul-server-0", + "Addr": "10.244.0.13", + "Port": 8301, + "Tags": { + "acls": "1", + "bootstrap": "1", + "build": "1.14.0", + "dc": "dc1", + "ft_fs": "1", + "ft_si": "1", + "grpc_port": "8502", + "id": "8016fc4d-767f-8552-b018-0812228bd135", + "port": "8300", + "raft_vsn": "3", + "role": "consul", + "segment": "", + "use_tls": "1", + "vsn": "2", + "vsn_max": "3", + "vsn_min": "2", + "wan_join_port": "8302" + }, + "Status": 1, + "ProtocolMin": 1, + "ProtocolMax": 5, + "ProtocolCur": 2, + "DelegateMin": 2, + "DelegateMax": 5, + "DelegateCur": 4 + } + ## ... +] +``` + + + + +All services listed in your Consul catalog are empowered with Consul's service discovery capabilities that simplify scalability challenges and improve application resiliency. Review the [Service Discovery overview](/consul/docs/concepts/service-discovery) page to learn more. + +## Next steps + +You learned how to deploy a Consul datacenter onto an Azure Kubernetes Service (AKS) cluster. After deploying Consul, you interacted with Consul using the CLI, UI, and API. + +To learn more about deployment best practices, review the [Kubernetes reference architecture tutorial](/consul/tutorials/kubernetes/kubernetes-reference-architecture). \ No newline at end of file diff --git a/website/content/docs/deploy/server/k8s/platform/eks.mdx b/website/content/docs/deploy/server/k8s/platform/eks.mdx new file mode 100644 index 00000000000..c2e70296e42 --- /dev/null +++ b/website/content/docs/deploy/server/k8s/platform/eks.mdx @@ -0,0 +1,300 @@ +--- +layout: docs +page_title: Deploy Consul on EKS +description: >- + Deploy Consul on EKS and learn how to manage your Consul datacenter with the Consul CLI, UI, and API. +--- + +# Deploy Consul on EKS + +This topic describes how to deploy a Consul datacenter to an AWS Elastic Kubernetes Services (EKS) cluster. After deploying Consul, you will interact with Consul using the CLI, UI, and/or API. + +## Requirements + +To deploy Consul on AKS, you will need: + +- An AWS account with the ability to create a Kubernetes cluster +- [aws-cli](https://aws.amazon.com/cli/) +- [kubectl >= 1.21](https://kubernetes.io/docs/tasks/tools/install-kubectl/) +- [consul >= 1.14.0](/consul/install/) +- [Helm v3.6+](https://helm.sh/docs/helm/helm_install/) +- [consul-k8s v1.0.2+](/consul/docs/reference-cli/consul-k8s#install-the-cli) + +### Create an EKS cluster + +You need at least a three node EKS cluster to deploy Consul using the official Consul Helm chart or the Consul K8S CLI. Create a three node cluster on EKS by following the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html). + +### Configure kubectl to talk to your cluster + +Configure `kubectl` to talk to your EKS cluster. + +```shell-session +$ aws eks update-kubeconfig --region --name +``` + +Verify you are connected to your Kubernetes cluster. + +```shell-session +$ kubectl cluster-info +Kubernetes master is running at https://.eks.amazonaws.com +CoreDNS is running at https://.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy +``` + +Refer to the [AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html) for additional information and help to configuring `kubectl` and EKS. + +## Deploy Consul + +You can deploy a complete Consul datacenter using the official Consul Helm chart or the Consul K8S CLI. By default, these methods will install a total of three Consul servers. You can review the Consul Kubernetes installation [documentation](/consul/docs/k8s/installation/install) to learn more about these installation options. + +### Create a values file + +To customize your deployment, create a `values.yaml` file to customization your Consul deployment. + + + +```yaml +# Contains values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. + # If true, servers, clients, Consul DNS and the Consul UI will be enabled. + enabled: true + # The prefix used for all resources created in the Helm chart. + name: consul + # The name of the datacenter that the agents should register as. + datacenter: dc1 + # Enables TLS across the cluster to verify authenticity of the Consul servers and clients. + tls: + enabled: true + # Enables ACLs across the cluster to secure access to data and APIs. + acls: + # If true, automatically manage ACL tokens and policies for all Consul components. + manageSystemACLs: true +# Configures values that configure the Consul server cluster. +server: + enabled: true + # The number of server agents to run. This determines the fault tolerance of the cluster. + replicas: 3 +# Contains values that configure the Consul UI. +ui: + enabled: true + # Registers a Kubernetes Service for the Consul UI as a LoadBalancer. + service: + type: LoadBalancer +# Configures and installs the automatic Consul Connect sidecar injector. +connectInject: + enabled: true +``` + + + +### Install Consul in your cluster + +You can now deploy a complete Consul datacenter in your Kubernetes cluster using the official Consul Helm chart or the Consul K8S CLI. + + + + +Install Consul onto the AKS cluster with `consul-k8s`. Confirm the installation with a `y` when prompted. + +```shell-session +$ consul-k8s install -config-file=values.yaml -set global.image=hashicorp/consul:1.14.0 +``` + +Review the official [Consul K8S CLI documentation](/consul/docs/reference-cli/consul-k8s) to learn more about additional settings. + + + + +Install Consul onto the kind cluster with Helm. Confirm the installation with a `y` when prompted. + +```shell-session +$ helm install --values values.yaml consul hashicorp/consul --create-namespace --namespace consul --version "1.0.0" +``` + +Review the official [Helm chart values](/consul/docs/reference/k8s/helm#configuration-values) to learn more about the default settings. + + + + +Verify the Consul resources were successfully created. + +```shell-session +$ kubectl get pods --namespace consul +NAME READY STATUS RESTARTS AGE +consul-connect-injector-6fc8d669b8-2n82l 1/1 Running 0 2m34s +consul-connect-injector-6fc8d669b8-9mqfm 1/1 Running 0 2m34s +consul-controller-554c7f79c4-2xc64 1/1 Running 0 2m34s +consul-server-0 1/1 Running 0 2m34s +consul-server-1 1/1 Running 0 2m34s +consul-server-2 1/1 Running 0 2m34s +consul-webhook-cert-manager-64889c4964-wxc9b 1/1 Running 0 2m34s +``` + +## Configure your CLI to interact with Consul cluster + +In this section, you will set environment variables in your terminal so your Consul CLI can interact with your Consul cluster. The Consul CLI reads these environment variables for behavior defaults and will reference these values when you run `consul` commands. + +Tokens are artifacts in the ACL system used to authenticate users, services, and Consul agents. Since ACLs are enabled in this Consul datacenter, entities requesting access to a resource must include a token that is linked with a policy, service identity, or node identity that grants permission to the resource. The ACL system checks the token and grants or denies access to resources based on the associated permissions. A bootstrap token has unrestricted privileges to all resources and APIs. + +Retrieve the ACL bootstrap token from the respective Kubernetes secret and set it as an environment variable. + +```shell-session +$ export CONSUL_HTTP_TOKEN=$(kubectl get --namespace consul secrets/consul-bootstrap-acl-token --template={{.data.token}} | base64 -d) +``` + +Set the Consul destination address. + +```shell-session +$ export CONSUL_HTTP_ADDR=https://$(kubectl get services/consul-ui --namespace consul -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') +``` + +Remove SSL verification checks to simplify communication to your Consul cluster. + +```shell-session +$ export CONSUL_HTTP_SSL_VERIFY=false +``` + + + + In a production environment, we recommend keeping this SSL verification set to `true`. Only remove this verification for if you have a Consul cluster without TLS configured in development environment and demonstration purposes. + + + +## View Consul services + +In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh. + + + + +Run the CLI command `consul catalog services` to return the list of services registered in Consul. Notice this returns only the `consul` service since it is the only running service in your Consul cluster. + +```shell-session +$ consul catalog services +consul +``` + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +Run the CLI command `consul members` to return the list of Consul agents in your environment. + +```shell-session +$ consul members +Node Address Status Type Build Protocol DC Partition Segment +consul-server-0 10.0.4.117:8301 alive server 1.14.0beta1 2 dc1 default +consul-server-1 10.0.5.11:8301 alive server 1.14.0beta1 2 dc1 default +consul-server-2 10.0.4.55:8301 alive server 1.14.0beta1 2 dc1 default +``` + + + + +Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI. + +```shell-session +$ echo $CONSUL_HTTP_TOKEN +fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc +``` + +Open a separate terminal window and expose the Consul UI with `kubectl port-forward` using the `consul-ui` service name as the target. By default, Consul UI runs on port `6443` when you enable TLS, and port `8500` when TLS is disabled. + +```shell-session +$ kubectl port-forward svc/consul-ui --namespace consul 6443:443 +``` + +Open [https://localhost:6443](https://localhost:6443) in your browser to find the Consul UI. Since this environment uses a self-signed TLS certificate for its resources, click to proceed through the certificate warnings. + +On the left navigation pane, click **Services** to review your deployed services. At this time, you will only find the `consul` service. + +![Consul UI Services Page](/img/consul/kubernetes-gs-deploy_consul_ui_services.png 'Consul services page in UI with Consul services') + +By default, the anonymous ACL policy allows you to view the contents of Consul services, nodes, and intentions. To make changes and see more details within the Consul UI, click **Log In** in the top right and insert your bootstrap ACL token. + +![Consul UI Login Page](/img/consul/kubernetes-gs-deploy_consul_ui_login.png 'Consul login page in UI') + +After successfully authenticating with your ACL token, you are now able to view additional Consul components and make changes in the UI. Notice you can view and manage more options under the **Access Controls** section on the left navigation pane. + +![Consul UI Post Authentication](/img/consul/kubernetes-gs-deploy_consul_ui_post_authentication.png 'Consul UI post authentication') + +On the left navigation pane, click on **Nodes**. + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +![Consul UI Nodes](/img/consul/kubernetes-eks-aws-consul_view_nodes.png 'Consul UI Nodes') + + + + +View the list of services registered in Consul. + +```shell-session +$ curl -k \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + $CONSUL_HTTP_ADDR/v1/catalog/services +``` + +Sample output: + +```json hideClipboard +{"consul":[]} +``` + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +View the list of server and client Consul agents in your environment. + +```shell-session +$ curl -k \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + $CONSUL_HTTP_ADDR/v1/agent/members\?pretty +``` + +Sample output: + +```json hideClipboard +[ + { + "Name": "consul-server-0", + "Addr": "10.244.0.13", + "Port": 8301, + "Tags": { + "acls": "1", + "bootstrap": "1", + "build": "1.14.0", + "dc": "dc1", + "ft_fs": "1", + "ft_si": "1", + "grpc_port": "8502", + "id": "8016fc4d-767f-8552-b018-0812228bd135", + "port": "8300", + "raft_vsn": "3", + "role": "consul", + "segment": "", + "use_tls": "1", + "vsn": "2", + "vsn_max": "3", + "vsn_min": "2", + "wan_join_port": "8302" + }, + "Status": 1, + "ProtocolMin": 1, + "ProtocolMax": 5, + "ProtocolCur": 2, + "DelegateMin": 2, + "DelegateMax": 5, + "DelegateCur": 4 + } + ## ... +] +``` + + + + +All services listed in your Consul catalog are empowered with Consul's service discovery capabilities that simplify scalability challenges and improve application resiliency. Review the [Service Discovery overview](/consul/docs/concepts/service-discovery) page to learn more. + +## Next steps + +You learned how to deploy a Consul datacenter onto an EKS cluster. After deploying Consul, you interacted with Consul using the CLI, UI, and API. + +To learn more about deployment best practices, review the [Kubernetes reference architecture tutorial](/consul/tutorials/kubernetes/kubernetes-reference-architecture). diff --git a/website/content/docs/deploy/server/k8s/platform/gke.mdx b/website/content/docs/deploy/server/k8s/platform/gke.mdx new file mode 100644 index 00000000000..a8eb9e2478f --- /dev/null +++ b/website/content/docs/deploy/server/k8s/platform/gke.mdx @@ -0,0 +1,325 @@ +--- +layout: docs +page_title: Deploy Consul on GKE +description: >- + Deploy Consul on GKE and learn how to manage your Consul datacenter with the Consul CLI, UI, and API. +--- + +# Deploy Consul on GKE + + +This topic describes how to deploy a Consul datacenter to a Google Kubernetes Engine (GKE) cluster on Google Cloud. After deploying Consul, you will interact with Consul using the CLI, UI, and/or API. + +## Prerequisites + +To deploy Consul on AKS, you will need: + +- A GCP account with the ability to create a Kubernetes cluster +- [Google Cloud CLI](https://cloud.google.com/sdk/docs/downloads-interactive) +- [kubectl >= 1.21](https://kubernetes.io/docs/tasks/tools/install-kubectl/) +- [consul >= 1.14.0](/consul/downloads/) +- [Helm v3.6+](https://helm.sh/docs/helm/helm_install/) +- [consul-k8s v1.0.2+](/consul/docs/reference-cli/consul-k8s#install-the-cli) + +### Initialize Google Cloud CLI + +Initialize the Google Cloud CLI. + +```shell-session +$ gcloud init +``` + +### Service account authentication (optional) + +You should create a GCP IAM service account and authenticate with it on the command line. + +- To review the GCP IAM service account documentation, go [here](https://cloud.google.com/sdk/gcloud/reference/auth/activate-service-account) +- To interact with GCP IAM service accounts, go [here](https://console.cloud.google.com/iam-admin/serviceaccounts) + +Once you have obtained your GCP IAM service account `key-file`, authenticate `gcloud`. + +```shell-session +$ gcloud auth activate-service-account --key-file="" +``` + +### Create a GKE cluster + +You need at least a three node GKE cluster to deploy Consul using the official Consul Helm chart or the Consul K8S CLI. Create a three node cluster on GKE by following the the [GKE documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster). + +### Configure kubectl to talk to your cluster + +Configure `kubectl` to connect to your Kubernetes cluster. This command downloads credentials and configures the Kubernetes CLI to use them. Replace `my-consul-cluster`, `us-west1-b` and `my-project` with your cluster name, zone, and project name. + +```shell-session +$ gcloud container clusters get-credentials my-consul-cluster --zone us-west1-b --project my-project +``` + +Verify you are connected to your Kubernetes cluster. + +```shell-session +$ kubectl cluster-info +Kubernetes master is running at https:// +GLBCDefaultBackend is running at https:///api/v1/namespaces/kube-system/services/default-http-backend:http/proxy +Heapster is running at https:///api/v1/namespaces/kube-system/services/heapster/proxy +KubeDNS is running at https:///api/v1/namespaces/kube-system/services/kube-dns:dns/proxy +Metrics-server is running at https:///api/v1/namespaces/kube-system/services/https:metrics-server:/proxy + +To further debug and diagnose cluster problems, use `kubectl cluster-info dump`. +``` + +## Deploy Consul + +You can deploy a complete Consul datacenter using the official Consul Helm chart or the Consul K8S CLI. By default, these methods will install a total of three Consul servers. You can review the Consul Kubernetes installation [documentation](/consul/docs/k8s/installation/install) to learn more about these installation options. + +### Create a values file + +To customize your deployment, create a `values.yaml` file to customization your Consul deployment. + + + +```yaml +# Contains values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. + # If true, servers, clients, Consul DNS and the Consul UI will be enabled. + enabled: true + # The prefix used for all resources created in the Helm chart. + name: consul + # The name of the datacenter that the agents should register as. + datacenter: dc1 + # Enables TLS across the cluster to verify authenticity of the Consul servers and clients. + tls: + enabled: true + # Enables ACLs across the cluster to secure access to data and APIs. + acls: + # If true, automatically manage ACL tokens and policies for all Consul components. + manageSystemACLs: true +# Configures values that configure the Consul server cluster. +server: + enabled: true + # The number of server agents to run. This determines the fault tolerance of the cluster. + replicas: 3 +# Contains values that configure the Consul UI. +ui: + enabled: true + # Registers a Kubernetes Service for the Consul UI as a LoadBalancer. + service: + type: LoadBalancer +# Configures and installs the automatic Consul Connect sidecar injector. +connectInject: + enabled: true +``` + + + +### Install Consul in your cluster + +You can now deploy a complete Consul datacenter in your Kubernetes cluster using the official Consul Helm chart or the Consul K8S CLI. + + + + +Install Consul onto the AKS cluster with `consul-k8s`. Confirm the installation with a `y` when prompted. + +```shell-session +$ consul-k8s install -config-file=values.yaml -set global.image=hashicorp/consul:1.14.0 +``` + +Review the official [Consul K8S CLI documentation](/consul/docs/reference-cli/consul-k8s) to learn more about additional settings. + + + + +Install Consul onto the kind cluster with Helm. Confirm the installation with a `y` when prompted. + +```shell-session +$ helm install --values values.yaml consul hashicorp/consul --create-namespace --namespace consul --version "1.0.0" +``` + +Review the official [Helm chart values](/consul/docs/reference/k8s/helm#configuration-values) to learn more about the default settings. + + + + +Verify the Consul resources were successfully created. + +```shell-session +$ kubectl get pods --namespace consul +NAME READY STATUS RESTARTS AGE +consul-connect-injector-6fc8d669b8-2n82l 1/1 Running 0 2m34s +consul-connect-injector-6fc8d669b8-9mqfm 1/1 Running 0 2m34s +consul-controller-554c7f79c4-2xc64 1/1 Running 0 2m34s +consul-server-0 1/1 Running 0 2m34s +consul-server-1 1/1 Running 0 2m34s +consul-server-2 1/1 Running 0 2m34s +consul-webhook-cert-manager-64889c4964-wxc9b 1/1 Running 0 2m34s +``` + +## Configure your CLI to interact with Consul cluster + +In this section, you will set environment variables in your terminal so your Consul CLI can interact with your Consul cluster. The Consul CLI reads these environment variables for behavior defaults and will reference these values when you run `consul` commands. + +Tokens are artifacts in the ACL system used to authenticate users, services, and Consul agents. Since ACLs are enabled in this Consul datacenter, entities requesting access to a resource must include a token that is linked with a policy, service identity, or node identity that grants permission to the resource. The ACL system checks the token and grants or denies access to resources based on the associated permissions. A bootstrap token has unrestricted privileges to all resources and APIs. + +Retrieve the ACL bootstrap token from the respective Kubernetes secret and set it as an environment variable. + +```shell-session +$ export CONSUL_HTTP_TOKEN=$(kubectl get --namespace consul secrets/consul-bootstrap-acl-token --template={{.data.token}} | base64 -d) +``` + +Set the Consul destination address. + +```shell-session +$ export CONSUL_HTTP_ADDR=https://$(kubectl get services/consul-ui --namespace consul -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +``` + +Remove SSL verification checks to simplify communication to your Consul cluster. + +```shell-session +$ export CONSUL_HTTP_SSL_VERIFY=false +``` + + + + In a production environment, we recommend keeping this SSL verification set to `true`. Only remove this verification for if you have a Consul cluster without TLS configured in development environment and demonstration purposes. + + + +## View Consul services + +In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh. + + + + +Run the CLI command `consul catalog services` to return the list of services registered in Consul. Notice this returns only the `consul` service since it is the only running service in your Consul cluster. + +```shell-session +$ consul catalog services +consul +``` + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +Run the CLI command `consul members` to return the list of Consul agents in your environment. + +```shell-session +$ consul members +Node Address Status Type Build Protocol DC Partition Segment +consul-server-0 10.0.4.117:8301 alive server 1.14.0beta1 2 dc1 default +consul-server-1 10.0.5.11:8301 alive server 1.14.0beta1 2 dc1 default +consul-server-2 10.0.4.55:8301 alive server 1.14.0beta1 2 dc1 default +``` + + + + +Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI. + +```shell-session +$ echo $CONSUL_HTTP_TOKEN +fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc +``` + +Open a separate terminal window and expose the Consul UI with `kubectl port-forward` using the `consul-ui` service name as the target. By default, Consul UI runs on port `6443` when you enable TLS, and port `8500` when TLS is disabled. + +```shell-session +$ kubectl port-forward svc/consul-ui --namespace consul 6443:443 +``` + +Open [https://localhost:6443](https://localhost:6443) in your browser to find the Consul UI. Since this environment uses a self-signed TLS certificate for its resources, click to proceed through the certificate warnings. + +On the left navigation pane, click **Services** to review your deployed services. At this time, you will only find the `consul` service. + +![Consul UI Services Page](/img/consul/kubernetes-gs-deploy_consul_ui_services.png 'Consul services page in UI with Consul services') + +By default, the anonymous ACL policy allows you to view the contents of Consul services, nodes, and intentions. To make changes and see more details within the Consul UI, click **Log In** in the top right and insert your bootstrap ACL token. + +![Consul UI Login Page](/img/consul/kubernetes-gs-deploy_consul_ui_login.png 'Consul login page in UI') + +After successfully authenticating with your ACL token, you are now able to view additional Consul components and make changes in the UI. Notice you can view and manage more options under the **Access Controls** section on the left navigation pane. + +![Consul UI Post Authentication](/img/consul/kubernetes-gs-deploy_consul_ui_post_authentication.png 'Consul UI post authentication') + +On the left navigation pane, click on **Nodes**. + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +![Consul UI Nodes](/img/consul/kubernetes-eks-aws-consul_view_nodes.png 'Consul UI Nodes') + + + + +View the list of services registered in Consul. + +```shell-session +$ curl -k \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + $CONSUL_HTTP_ADDR/v1/catalog/services +``` + +Sample output: + +```json hideClipboard +{"consul":[]} +``` + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +View the list of server and client Consul agents in your environment. + +```shell-session +$ curl -k \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + $CONSUL_HTTP_ADDR/v1/agent/members\?pretty +``` + +Sample output: + +```json hideClipboard +[ + { + "Name": "consul-server-0", + "Addr": "10.244.0.13", + "Port": 8301, + "Tags": { + "acls": "1", + "bootstrap": "1", + "build": "1.14.0", + "dc": "dc1", + "ft_fs": "1", + "ft_si": "1", + "grpc_port": "8502", + "id": "8016fc4d-767f-8552-b018-0812228bd135", + "port": "8300", + "raft_vsn": "3", + "role": "consul", + "segment": "", + "use_tls": "1", + "vsn": "2", + "vsn_max": "3", + "vsn_min": "2", + "wan_join_port": "8302" + }, + "Status": 1, + "ProtocolMin": 1, + "ProtocolMax": 5, + "ProtocolCur": 2, + "DelegateMin": 2, + "DelegateMax": 5, + "DelegateCur": 4 + } + ## ... +] +``` + + + + +All services listed in your Consul catalog are empowered with Consul's service discovery capabilities that simplify scalability challenges and improve application resiliency. Review the [Service Discovery overview](/consul/docs/concepts/service-discovery) page to learn more. + +## Next steps + +You learned how to deploy a Consul datacenter onto an Google Kubernetes Engine (GKE) cluster. After deploying Consul, you interacted with Consul using the CLI, UI, and API. + +To learn more about deployment best practices, review the [Kubernetes reference architecture tutorial](/consul/tutorials/kubernetes/kubernetes-reference-architecture). \ No newline at end of file diff --git a/website/content/docs/deploy/server/k8s/platform/kind.mdx b/website/content/docs/deploy/server/k8s/platform/kind.mdx new file mode 100644 index 00000000000..0648736dce0 --- /dev/null +++ b/website/content/docs/deploy/server/k8s/platform/kind.mdx @@ -0,0 +1,307 @@ +--- +layout: docs +page_title: Deploy Consul on kind +description: >- + Deploy Consul locally on kind and learn how to manage your Consul datacenter with the Consul CLI, UI, and API. Finally, configure Consul service mesh for services in your Kubernetes cluster. +--- + +# Deploy Consul on kind + +This topic describes how to create a local Kubernetes cluster with `kind`, and deploy a Consul datacenter to your `minikube` cluster. After deploying Consul, you will interact with Consul using the CLI, UI, and/or API. + +## Requirements + +To deploy Consul on Minikube, you will need: + +- [kind >= 0.17.0](https://kind.sigs.k8s.io/docs/user/quick-start/) +- [kubectl >= 1.23](https://kubernetes.io/docs/tasks/tools/install-kubectl/) +- [docker >= 20.0](https://docs.docker.com/get-docker/) +- [consul >= 1.15.1](/consul/install/) +- [Helm v3.6+](https://helm.sh/docs/helm/helm_install/) +- [consul-k8s v1.0.2+](/consul/docs/reference-cli/consul-k8s#install-the-cli) + +## Create a Kind cluster + +With `kind` you can quickly create a local Kubernetes cluster. By default, `kind` names your cluster "kind", but you may name it anything you like by specifying the `--name` option. These instructions assumes the cluster is named `dc1`. Refer to the [kind documentation](https://kind.sigs.k8s.io/docs/user/quick-start/#setting-kubernetes-version) for information about how to specify additional parameters using a YAML configuration file. + +```shell-session +$ kind create cluster --name dc1 +Creating cluster "dc1" ... + ✓ Ensuring node image (kindest/node:v1.25.1) 🖼 + ✓ Preparing nodes 📦 + ✓ Writing configuration 📜 + ✓ Starting control-plane 🕹️ + ✓ Installing CNI 🔌 + ✓ Installing StorageClass 💾 +Set kubectl context to "kind-dc1" +You can now use your cluster with: + +kubectl cluster-info --context kind-dc1 + +Have a nice day! 👋 +``` + +## Deploy Consul + +You can deploy a complete Consul datacenter using the official Consul Helm chart or the Consul K8S CLI. The chart comes with reasonable defaults, however, you will override a few values to integrate more easily with `kind` and enable useful features. You can review the Consul Kubernetes installation [documentation](/consul/docs/k8s/installation/install) to learn more about these installation options. + +### Create a values file + +To customize your deployment, create a `values.yaml` file to customization your Consul deployment. + + + +```yaml +# Contains values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. + # If true, servers, clients, Consul DNS and the Consul UI will be enabled. + enabled: true + # The prefix used for all resources created in the Helm chart. + name: consul + # The name of the datacenter that the agents should register as. + datacenter: dc1 + # Enables TLS across the cluster to verify authenticity of the Consul servers and clients. + tls: + enabled: true + # Enables ACLs across the cluster to secure access to data and APIs. + acls: + # If true, automatically manage ACL tokens and policies for all Consul components. + manageSystemACLs: true +# Configures values that configure the Consul server cluster. +server: + enabled: true + # The number of server agents to run. This determines the fault tolerance of the cluster. + replicas: 1 +# Contains values that configure the Consul UI. +ui: + enabled: true + # Registers a Kubernetes Service for the Consul UI as a NodePort. + service: + type: NodePort +``` + + + +### Install Consul in your cluster + +You can now deploy a complete Consul datacenter in your Kubernetes cluster using the official Consul Helm chart or the Consul K8S CLI. + + + + +Install Consul onto the kind cluster with `consul-k8s`. Confirm the installation with a `y` when prompted. + +```shell-session +$ consul-k8s install -config-file=values.yaml -set global.image=hashicorp/consul:1.15.1 +## ... +Proceed with installation? (y/N) y +``` + +Review the official [Consul K8S CLI documentation](/consul/docs/reference-cli/consul-k8s) to learn more about additional settings. + + + + +Install Consul onto the kind cluster with Helm. Confirm the installation with a `y` when prompted. + +```shell-session +$ helm install --values values.yaml consul hashicorp/consul --create-namespace --namespace consul --version "1.1.0" +``` + + +Review the official [Helm chart values](/consul/docs/reference/k8s/helm#configuration-values) to learn more about the default settings. + + + + +Verify the Consul resources were successfully created. + +```shell-session +$ kubectl get pods --namespace consul +NAME READY STATUS RESTARTS AGE +consul-connect-injector-6fc8d669b8-2n82l 1/1 Running 0 2m34s +consul-server-0 1/1 Running 0 2m34s +consul-webhook-cert-manager-64889c4964-wxc9b 1/1 Running 0 2m34s +``` + +## Configure your CLI to interact with Consul cluster + +In this section, you will set environment variables in your terminal so your Consul CLI can interact with your Consul cluster. The Consul CLI reads these environment variables for behavior defaults and will reference these values when you run `consul` commands. + +Tokens are artifacts in the ACL system used to authenticate users, services, and Consul agents. Since ACLs are enabled in this Consul datacenter, entities requesting access to a resource must include a token that is linked with a policy, service identity, or node identity that grants permission to the resource. The ACL system checks the token and grants or denies access to resources based on the associated permissions. A bootstrap token has unrestricted privileges to all resources and APIs. + +Retrieve the ACL bootstrap token from the respective Kubernetes secret and set it as an environment variable. + +```shell-session +$ export CONSUL_HTTP_TOKEN=$(kubectl get --namespace consul secrets/consul-bootstrap-acl-token --template={{.data.token}} | base64 -d) +``` + +Set the Consul destination address. By default, Consul runs on port `8500` for `http` and `8501` for `https`. + +```shell-session +$ export CONSUL_HTTP_ADDR=https://127.0.0.1:8501 +``` + +Remove SSL verification checks to simplify communication to your Consul cluster. + +```shell-session +$ export CONSUL_HTTP_SSL_VERIFY=false +``` + + + + In a production environment, we recommend keeping this SSL verification set to `true`. Only remove this verification for if you have a Consul cluster without TLS configured in development environment and demonstration purposes. + + + +## View Consul services + +In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh. + + + + +Open a separate terminal window and expose the Consul server with `kubectl port-forward` using the `consul-ui` service name as the target. + +```shell-session +$ kubectl port-forward svc/consul-ui --namespace consul 8501:443 +``` + +In your original terminal, run the CLI command `consul catalog services` to return the list of services registered in Consul. Notice this returns only the `consul` service since it is the only running service in your Consul cluster. + +```shell-session +$ consul catalog services +consul +``` + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +Run the CLI command `consul members` to return the list of Consul agents in your environment. + +```shell-session +$ consul members +Node Address Status Type Build Protocol DC Partition Segment +consul-server-0 10.244.0.12:8301 alive server 1.14.0 2 dc1 default +``` + + + + +Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI. + +```shell-session +$ echo $CONSUL_HTTP_TOKEN +fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc +``` + +Open a separate terminal window and expose the Consul UI with `kubectl port-forward` using the `consul-ui` service name as the target. + +```shell-session +$ kubectl port-forward svc/consul-ui --namespace consul 8501:443 +``` + +Open [https://localhost:8501](https://localhost:8501) in your browser to find the Consul UI. Since this environment uses a self-signed TLS certificate for its resources, click to proceed through the certificate warnings. + +On the left navigation pane, click **Services** to review your deployed services. At this time, you will only find the `consul` service. + +![Consul UI Services Page](/img/consul/kubernetes-gs-deploy_consul_ui_services.png 'Consul services page in UI with Consul services') + +By default, the anonymous ACL policy allows you to view the contents of Consul services, nodes, and intentions. To make changes and see more details within the Consul UI, click **Log In** in the top right and insert your bootstrap ACL token. + +![Consul UI Login Page](/img/consul/kubernetes-gs-deploy_consul_ui_login.png 'Consul login page in UI') + +After successfully authenticating with your ACL token, you are now able to view additional Consul components and make changes in the UI. Notice you can view and manage more options under the **Access Controls** section on the left navigation pane. + +![Consul UI Post Authentication](/img/consul/kubernetes-gs-deploy_consul_ui_post_authentication.png 'Consul UI post authentication') + +On the left navigation pane, click on **Nodes**. + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +![Consul UI Post Authentication](/img/consul/kubernetes-gs-deploy_consul_view_nodes.png 'Consul UI post authentication') + + + + +Open a separate terminal window and expose the Consul server with `kubectl port-forward` using the `consul-ui` service name as the target. + +```shell-session +$ kubectl port-forward svc/consul-ui --namespace consul 8501:443 +``` + +In your original terminal, view the list of services registered in Consul. + +```shell-session +$ curl -k \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + $CONSUL_HTTP_ADDR/v1/catalog/services +``` + +Sample output: + +```json hideClipboard +{"consul":[]} +``` + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +View the list of server and client Consul agents in your environment. + +```shell-session +$ curl -k \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + $CONSUL_HTTP_ADDR/v1/agent/members\?pretty +``` + +Sample output: + +```json hideClipboard +[ + { + "Name": "consul-server-0", + "Addr": "10.244.0.13", + "Port": 8301, + "Tags": { + "acls": "1", + "bootstrap": "1", + "build": "1.14.0", + "dc": "dc1", + "ft_fs": "1", + "ft_si": "1", + "grpc_port": "8502", + "id": "8016fc4d-767f-8552-b018-0812228bd135", + "port": "8300", + "raft_vsn": "3", + "role": "consul", + "segment": "", + "use_tls": "1", + "vsn": "2", + "vsn_max": "3", + "vsn_min": "2", + "wan_join_port": "8302" + }, + "Status": 1, + "ProtocolMin": 1, + "ProtocolMax": 5, + "ProtocolCur": 2, + "DelegateMin": 2, + "DelegateMax": 5, + "DelegateCur": 4 + } +] +``` + + + + +All services listed in your Consul catalog are empowered with Consul's service discovery capabilities that simplify scalability challenges and improve application resiliency. Review the [Service Discovery overview](/consul/docs/concepts/service-discovery) page to learn more. + +## Clean up + +Run `kind delete cluster` to clean up your local demo environment. + +```shell-session +$ kind delete cluster --name dc1 +Deleting cluster "dc1" ... +``` \ No newline at end of file diff --git a/website/content/docs/deploy/server/k8s/platform/minikube.mdx b/website/content/docs/deploy/server/k8s/platform/minikube.mdx new file mode 100644 index 00000000000..921af4eac4d --- /dev/null +++ b/website/content/docs/deploy/server/k8s/platform/minikube.mdx @@ -0,0 +1,317 @@ +--- +layout: docs +page_title: Deploy Consul on Minikube +description: >- + Deploy Consul locally on Minikube and learn how to manage your Consul datacenter with the Consul CLI, UI, and API. Finally, configure Consul service mesh for services in your Kubernetes cluster. +--- + +# Deploy Consul on Minikube + +This topic describes how to create a local Kubernetes cluster with `minikube`, and deploy a Consul datacenter to your `minikube` cluster. After deploying Consul, you will interact with Consul using the CLI, UI, and/or API. + +## Requirements + +To deploy Consul on Minikube, you will need: + +- [minkube >= 1.22](https://kubernetes.io/docs/tasks/tools/install-minikube/) +- [kubectl >= 1.22](https://kubernetes.io/docs/tasks/tools/install-kubectl/) +- [docker >= 20.0](https://docs.docker.com/get-docker/) +- [consul >= 1.14.0](/consul/install/) +- [Helm v3.6+](https://helm.sh/docs/helm/helm_install/) +- [consul-k8s v1.0.2+](/consul/docs/reference-cli/consul-k8s#install-the-cli) + +## Create a Minikube cluster + +The following command will create a Kubernetes cluster with `minikube` that sets the cluster name to `dc1`, uses 4GB of memory, and specifies a Kubernetes version of `v1.22.0`. + +```shell-session +$ minikube start --profile dc1 --memory 4096 --kubernetes-version=v1.22.0 +😄 minikube v1.28.0 on Darwin 12.6 +🎉 minikube 1.25.3 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.25.1 +💡 To disable this notice, run: 'minikube config set WantUpdateNotification false' + +✨ Automatically selected the docker driver. Other choices: hyperkit, virtualbox +👍 Starting control plane node minikube in cluster minikube +🔥 Creating docker container (CPUs=2, Memory=4096MB) ... +🐳 Preparing Kubernetes v1.22.0 on Docker 20.10.0 ... + ▪ Generating certificates and keys ... + ▪ Booting up control plane ... + ▪ Configuring RBAC rules ... +🔎 Verifying Kubernetes components... +🌟 Enabled addons: storage-provisioner, default-storageclass +🏄 Done! kubectl is now configured to use "dc1" cluster and "default" namespace by default +``` + +Refer to the [minikube documentation](https://minikube.sigs.k8s.io/docs/commands/start/) for information about how to specify additional cluster parameters. + +## Deploy Consul + +You can deploy a complete Consul datacenter using the official Consul Helm chart or the Consul K8S CLI. The chart comes with reasonable defaults, however, you will override a few values to integrate more easily with `minikube` and enable useful features. You can review the Consul Kubernetes installation [documentation](/consul/docs/k8s/installation/install) to learn more about these installation options. + +### Create a values file + +To customize your deployment, create a `values.yaml` file to customization your Consul deployment. + + + +```yaml +# Contains values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. + # If true, servers, clients, Consul DNS and the Consul UI will be enabled. + enabled: true + # The prefix used for all resources created in the Helm chart. + name: consul + # The name of the datacenter that the agents should register as. + datacenter: dc1 + # Enables TLS across the cluster to verify authenticity of the Consul servers and clients. + tls: + enabled: true + # Enables ACLs across the cluster to secure access to data and APIs. + acls: + # If true, automatically manage ACL tokens and policies for all Consul components. + manageSystemACLs: true +# Configures values that configure the Consul server cluster. +server: + enabled: true + # The number of server agents to run. This determines the fault tolerance of the cluster. + replicas: 1 +# Contains values that configure the Consul UI. +ui: + enabled: true + # Registers a Kubernetes Service for the Consul UI as a NodePort. + service: + type: NodePort +# Configures and installs the automatic Consul Connect sidecar injector. +connectInject: + enabled: true +``` + + + +### Install Consul in your cluster + +You can now deploy a complete Consul datacenter in your Kubernetes cluster using the official Consul Helm chart or the Consul K8S CLI. + + + + +Install Consul onto the kind cluster with `consul-k8s`. Confirm the installation with a `y` when prompted. + +```shell-session +$ consul-k8s install -config-file=values.yaml -set global.image=hashicorp/consul:1.14.0 +## ... +Proceed with installation? (y/N) y +``` + +Review the official [Consul K8S CLI documentation](/consul/docs/reference-cli/consul-k8s) to learn more about additional settings. + + + + +Install Consul onto the kind cluster with Helm. Confirm the installation with a `y` when prompted. + +```shell-session +$ helm install --values values.yaml consul hashicorp/consul --create-namespace --namespace consul --version "1.0.0" +``` + +Review the official [Helm chart values](/consul/docs/reference/k8s/helm#configuration-values) to learn more about the default settings. + + + + +Verify the Consul resources were successfully created. + +```shell-session +$ kubectl get pods --namespace consul +NAME READY STATUS RESTARTS AGE +consul-connect-injector-6fc8d669b8-2n82l 1/1 Running 0 2m34s +consul-connect-injector-6fc8d669b8-9mqfm 1/1 Running 0 2m34s +consul-controller-554c7f79c4-2xc64 1/1 Running 0 2m34s +consul-server-0 1/1 Running 0 2m34s +consul-webhook-cert-manager-64889c4964-wxc9b 1/1 Running 0 2m34s +``` + +## Configure your CLI to interact with Consul cluster + +In this section, you will set environment variables in your terminal so your Consul CLI can interact with your Consul cluster. The Consul CLI reads these environment variables for behavior defaults and will reference these values when you run `consul` commands. + +Tokens are artifacts in the ACL system used to authenticate users, services, and Consul agents. Since ACLs are enabled in this Consul datacenter, entities requesting access to a resource must include a token that is linked with a policy, service identity, or node identity that grants permission to the resource. The ACL system checks the token and grants or denies access to resources based on the associated permissions. A bootstrap token has unrestricted privileges to all resources and APIs. + +Retrieve the ACL bootstrap token from the respective Kubernetes secret and set it as an environment variable. + +```shell-session +$ export CONSUL_HTTP_TOKEN=$(kubectl get --namespace consul secrets/consul-bootstrap-acl-token --template={{.data.token}} | base64 -d) +``` + +Set the Consul destination address. By default, Consul runs on port `8500` for `http` and `8501` for `https`. + +```shell-session +$ export CONSUL_HTTP_ADDR=https://127.0.0.1:8501 +``` + +Remove SSL verification checks to simplify communication to your Consul cluster. + +```shell-session +$ export CONSUL_HTTP_SSL_VERIFY=false +``` + + + + In a production environment, we recommend keeping this SSL verification set to `true`. Only remove this verification for if you have a Consul cluster without TLS configured in development environment and demonstration purposes. + + + +## View Consul services + +In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh. + + + + +Open a separate terminal window and expose the Consul server with `kubectl port-forward` using the `consul-ui` service name as the target. + +```shell-session +$ kubectl port-forward svc/consul-ui --namespace consul 8501:443 +``` + +In your original terminal, run the CLI command `consul catalog services` to return the list of services registered in Consul. Notice this returns only the `consul` service since it is the only running service in your Consul cluster. + +```shell-session +$ consul catalog services +consul +``` + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +Run the CLI command `consul members` to return the list of Consul agents in your environment. + +```shell-session +$ consul members +Node Address Status Type Build Protocol DC Partition Segment +consul-server-0 10.244.0.12:8301 alive server 1.14.0 2 dc1 default +``` + + + + +Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI. + +```shell-session +$ echo $CONSUL_HTTP_TOKEN +fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc +``` + +Open a separate terminal window and expose the Consul UI with `kubectl port-forward` using the `consul-ui` service name as the target. + +```shell-session +$ kubectl port-forward svc/consul-ui --namespace consul 8501:443 +``` + +Open [https://localhost:8501](https://localhost:8501) in your browser to find the Consul UI. Since this environment uses a self-signed TLS certificate for its resources, click to proceed through the certificate warnings. + +On the left navigation pane, click **Services** to review your deployed services. At this time, you will only find the `consul` service. + +![Consul UI Services Page](/img/consul/kubernetes-gs-deploy_consul_ui_services.png 'Consul services page in UI with Consul services') + +By default, the anonymous ACL policy allows you to view the contents of Consul services, nodes, and intentions. To make changes and see more details within the Consul UI, click **Log In** in the top right and insert your bootstrap ACL token. + +![Consul UI Login Page](/img/consul/kubernetes-gs-deploy_consul_ui_login.png 'Consul login page in UI') + +After successfully authenticating with your ACL token, you are now able to view additional Consul components and make changes in the UI. Notice you can view and manage more options under the **Access Controls** section on the left navigation pane. + +![Consul UI Post Authentication](/img/consul/kubernetes-gs-deploy_consul_ui_post_authentication.png 'Consul UI post authentication') + +On the left navigation pane, click on **Nodes**. + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +![Consul UI Post Authentication](/img/consul/kubernetes-gs-deploy_consul_view_nodes.png 'Consul UI post authentication') + + + + +Open a separate terminal window and expose the Consul server with `kubectl port-forward` using the `consul-ui` service name as the target. + +```shell-session +$ kubectl port-forward svc/consul-ui --namespace consul 8501:443 +``` + +In your original terminal, view the list of services registered in Consul. + +```shell-session +$ curl -k \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + $CONSUL_HTTP_ADDR/v1/catalog/services +``` + +Sample output: + +```json hideClipboard +{"consul":[]} +``` + +Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running. + +View the list of server and client Consul agents in your environment. + +```shell-session +$ curl -k \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + $CONSUL_HTTP_ADDR/v1/agent/members\?pretty +``` + +Sample output: + +```json hideClipboard +[ + { + "Name": "consul-server-0", + "Addr": "10.244.0.13", + "Port": 8301, + "Tags": { + "acls": "1", + "bootstrap": "1", + "build": "1.14.0", + "dc": "dc1", + "ft_fs": "1", + "ft_si": "1", + "grpc_port": "8502", + "id": "8016fc4d-767f-8552-b018-0812228bd135", + "port": "8300", + "raft_vsn": "3", + "role": "consul", + "segment": "", + "use_tls": "1", + "vsn": "2", + "vsn_max": "3", + "vsn_min": "2", + "wan_join_port": "8302" + }, + "Status": 1, + "ProtocolMin": 1, + "ProtocolMax": 5, + "ProtocolCur": 2, + "DelegateMin": 2, + "DelegateMax": 5, + "DelegateCur": 4 + } +] +``` + + + + +All services listed in your Consul catalog are empowered with Consul's service discovery capabilities that simplify scalability challenges and improve application resiliency. Review the [Service Discovery overview](/consul/docs/concepts/service-discovery) page to learn more. + +## Clean up + +Run `minikube delete` to clean up your local demo environment. + +```shell-session +$ minikube delete --profile dc1 +🔥 Deleting "dc1" in docker ... +🔥 Deleting container "dc1" ... +🔥 Removing /Users/consul-user/.minikube/machines/dc1 ... +💀 Removed all traces of the "dc1" cluster. +``` \ No newline at end of file diff --git a/website/content/docs/deploy/server/k8s/platform/openshift.mdx b/website/content/docs/deploy/server/k8s/platform/openshift.mdx new file mode 100644 index 00000000000..8d79f61f74f --- /dev/null +++ b/website/content/docs/deploy/server/k8s/platform/openshift.mdx @@ -0,0 +1,743 @@ +--- +layout: docs +page_title: Deploy Consul on Openshift +description: >- + Deploy Consul on OpenShift with the official Helm chart and deploy services into Consul's service mesh. +--- + +# Deploy Consul on Openshift + +This topic describes how to deploy a Consul datacenter to an Openshift Kubernetes cluster. After deploying Consul, you will interact with Consul using the CLI, UI, and/or API. + +[Red Hat OpenShift](https://www.openshift.com/learn/what-is-openshift) is a distribution of the Kubernetes platform that provides a number of usability and security enhancements. + + + + This tutorial is not for production use. The chart was installed with an insecure configuration of Consul. Refer to the [Secure Consul and Registered Services on Kubernetes tutorial](/consul/tutorials/kubernetes/kubernetes-secure-agents) to learn how you can secure Consul on Kubernetes in production. + + + +## Requirements + +To deploy Consul on Openshift, you will need: + +- Access to a Kubernetes cluster deployed with OpenShift +- A Red Hat account +- [CodeReady Containers v1.17.0+](https://access.redhat.com/documentation/en-us/red_hat_codeready_containers/1.0/html/getting_started_guide/getting-started-with-codeready-containers_gsg) +- [consul v1.14.0+](/consul/install/) +- [Helm v3.6+](https://helm.sh/docs/helm/helm_install/) +- [consul-k8s v1.0.2+](/consul/docs/reference-cli/consul-k8s#install-the-cli) + +--- + +## Deploy OpenShift + +You can deploy OpenShift on multiple [platforms](https://docs.openshift.com/container-platform/4.8/installing/index.html#supported-platforms-for-openshift-clusters_ocp-installation-overview), and there are several installation options available for installing OpenShift on either production and development environments. This guide requires a running OpenShift cluster to deploy Consul on Kubernetes. If an OpenShift cluster is already provisioned in a production or development environment to be used for deploying Consul on Kubernetes, skip ahead to [Deploy Consul](#deploy-consul). + +This tutorial will use CodeReady Containers (CRC) to provide a pre-configured development OpenShift environment on your local machine. CRC is bundled as a Red Hat Enterprise Linux virtual machine that supports native hypervisors for Linux, macOS, and Windows 10. CRC is the quickest way to get started building OpenShift clusters. It is designed to run on a local computer to simplify setup and emulate the cloud development environment locally with all the tools needed to develop container-based apps. While we use CRC in this tutorial, the Consul Helm deployment process will work on any OpenShift cluster and is production ready. + +If deploying CRC is not preferred, a managed OpenShift cluster could quickly be provisioned within less than an hour using [Azure RedHat OpenShift](https://docs.microsoft.com/en-us/azure/openshift/tutorial-create-cluster). [Azure RedHat Openshift](https://docs.microsoft.com/en-us/azure/openshift/intro-openshift) requires an Azure subscription. However, it provides the simplest installation flow for getting a production-ready OpenShift cluster available to be used for this tutorial. + +### CRC Setup + +After installing CodeReady Containers, issue the following command to setup your environment. + +```shell-session +$ crc setup +INFO Using bundle path /Users/hashicorp/.crc/cache/crc_vfkit_4.11.3_arm64.crcbundle +INFO Checking if running as non-root +INFO Checking if crc-admin-helper executable is cached +INFO Checking for obsolete admin-helper executable +INFO Checking if running on a supported CPU architecture +INFO Checking minimum RAM requirements +INFO Checking if crc executable symlink exists +INFO Creating symlink for crc executable +INFO Checking if running emulated on a M1 CPU +INFO Checking if vfkit is installed +INFO Checking if CRC bundle is extracted in '$HOME/.crc' +INFO Checking if /Users/hashicorp/.crc/cache/crc_vfkit_4.11.3_arm64.crcbundle exists +INFO Checking if old launchd config for tray and/or daemon exists +INFO Checking if crc daemon plist file is present and loaded +INFO Adding crc daemon plist file and loading it +Your system is correctly setup for using CRC. Use 'crc start' to start the instance +``` + +### CRC start + +Once the setup is complete, you can start the CRC service with the following command. The command will perform a few system checks to ensure your system meets the minimum requirements and will then ask you to provide an image pull secret. You should have your [Red Hat account](https://cloud.redhat.com/openshift/install/crc/installer-provisioned) +open so that you can easily copy your image pull secret when prompted. + +```shell-session +$ crc start +INFO Checking if running as non-root +INFO Checking if crc-admin-helper executable is cached +INFO Checking for obsolete admin-helper executable +INFO Checking if running on a supported CPU architecture +INFO Checking minimum RAM requirements +INFO Checking if crc executable symlink exists +INFO Checking if running emulated on a M1 CPU +INFO Checking if vfkit is installed +INFO Checking if old launchd config for tray and/or daemon exists +INFO Checking if crc daemon plist file is present and loaded +INFO Loading bundle: crc_vfkit_4.11.3_arm64... +CRC requires a pull secret to download content from Red Hat. +You can copy it from the Pull Secret section of https://console.redhat.com/openshift/create/local. +? Please enter the pull secret +``` + +Next, paste the image pull secret into the terminal and press enter. + +Example output: + + + +```plain-text +INFO Creating CRC VM for openshift 4.11.3... +INFO Generating new SSH key pair... +INFO Generating new password for the kubeadmin user +...TRUNCATED... + +INFO Adding crc-admin and crc-developer contexts to kubeconfig... +Started the OpenShift cluster. + +The server is accessible via web console at: + https://console-openshift-console.apps-crc.testing + +Log in as administrator: + Username: kubeadmin + Password: + +Log in as user: + Username: developer + Password: developer + +Use the 'oc' command line interface: + $ eval $(crc oc-env) + $ oc login -u developer https://api.crc.testing:6443 +``` + + + +Notice that the output instructs you to configure your `oc-env`, and also includes +a login command and secret password. The secret is specific to your installation. +Make note of this command, as you will use it to login to CRC on your development +host later. + +### Configure CRC environment + +Next, configure the environment as instructed by CRC using the following command. + +```shell-session +$ eval $(crc oc-env) +``` + +### Login to the OpenShift cluster + +Next, use the login command you made note of before to authenticate with the OpenShift cluster. + +-> **Note** You will have to replace the secret password below with the value output +by CRC. + +```shell-session +$ oc login -u kubeadmin -p https://api.crc.testing:6443 +Login successful. + +You have access to 66 projects, the list has been suppressed. You can list all projects with 'oc projects' + +Using project "default". +``` + +### Verify configuration + +Validate that your CRC setup was successful with the following command. + +```shell-session +$ kubectl cluster-info +Kubernetes control plane is running at https://api.crc.testing:6443 + +To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. +``` + +### Create a new project + +First, create an OpenShift project to install Consul on Kubernetes. Creating an OpenShift project creates a Kubernetes namespace to deploy Kubernetes resources. + +```shell-session +$ oc new-project consul +Now using project "consul" on server "https://api.crc.testing:6443". + +You can add applications to this project with the 'new-app' command. For example, try: + + oc new-app rails-postgresql-example + +to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application: + + kubectl create deployment hello-node --image=k8s.gcr.io/e2e-test-images/agnhost:2.33 -- /agnhost serve-hostname +``` + +### Create an image pull secret for a RedHat Registry service account + +You must create an image pull secret before authenticating to the RedHat Registry and pulling images from the container registry. You must first create a registry service account on the [RedHat Customer Portal](https://access.redhat.com/terms-based-registry/), and then apply the OpenShift secret that is associated with the registry service account as shown below: + +```shell-session +$ kubectl create -f openshift-secret.yml --namespace=consul +secret/15490118-openshift-secret-secret created +``` + +In the Helm chart values file, use the output of previous command and update the attribute `imagePullSecrets` stanza with its value. + +## Deploy Consul + +### Helm chart configuration + +To customize your deployment, you can pass a YAML configuration file to be used during the deployment. +Any values specified in the values file will override the Helm chart's default settings. +The following example file sets the `global.openshift.enabled` entry to true, +which is required to operate Consul on OpenShift. Generate a +file named `values.yaml` that you will reference in the `helm install` command later. + + + +```yaml +global: + name: consul + datacenter: dc1 + image: registry.connect.redhat.com/hashicorp/consul:1.14.3-ubi + imageK8S: registry.connect.redhat.com/hashicorp/consul-k8s-control-plane:1.0.2-ubi + imageConsulDataplane: registry.connect.redhat.com/hashicorp/consul-dataplane:1.0.0-ubi + imagePullSecrets: + - name: + openshift: + enabled: true + +server: + replicas: 1 + bootstrapExpect: 1 + disruptionBudget: + enabled: true + maxUnavailable: 0 + +ui: + enabled: true + +connectInject: + enabled: true + default: true + cni: + enabled: true + logLevel: info + multus: true + cniBinDir: /var/lib/cni/bin + cniNetDir: /etc/kubernetes/cni/net.d + +``` + + + +### Install Consul + + + + +### Helm chart preparation + +Consul on Kubernetes provides a Helm chart to deploy a Consul datacenter on Kubernetes in a highly customized configuration. Review the docs on [Helm chart Configuration](/consul/docs/reference/k8s/helm) to learn more about the available configurations. + + + + + +If you have not already done so, download the latest official consul-helm +chart now. + +```shell-session +$ helm repo add hashicorp https://helm.releases.hashicorp.com +"hashicorp" has been added to your repositories +``` + + + + + +If you have already installed the official Consul Helm chart, update it now +to ensure you have the latest chart versions available. + +```shell-session +$ helm repo update +Hang tight while we grab the latest from your chart repositories... +...Successfully got an update from the "hashicorp" chart repository +``` + + + + + +### Verify chart version + +To ensure you have version `1.0.2` of the Helm chart, search your local repo. + +```shell-session +$ helm search repo hashicorp/consul +NAME CHART VERSION APP VERSION DESCRIPTION +hashicorp/consul 1.0.2 1.14.3 Official HashiCorp Consul Chart +``` + +If the correct version is not displayed in the output, try +updating your helm repo. + +```shell-session +$ helm repo update +Hang tight while we grab the latest from your chart repositories... +...Successfully got an update from the "hashicorp" chart repository +``` + +### Import images from RedHat Catalog + +Instead of pulling images directly from the RedHat Registry, Consul and Consul on Kubernetes images could also be pre-loaded onto the internal OpenShift registry using the `oc import` command. Read more about importing images into the internal OpenShift Registry in the RedHat OpenShift [cookbook](https://cookbook.openshift.org/image-registry-and-image-streams/how-do-i-import-an-image-from-an-external-image.html) + +```shell-session +$ oc import-image hashicorp/consul:1.14.3-ubi --from=registry.connect.redhat.com/hashicorp/consul:1.14.3-ubi --confirm +$ oc import-image hashicorp/consul-k8s-control-plane:1.0.2-ubi --from=registry.connect.redhat.com/hashicorp/consul-k8s-control-plane:1.0.2-ubi --confirm +$ oc import-image hashicorp/consul-dataplane:1.0.0-ubi --from=registry.connect.redhat.com/hashicorp/consul-dataplane:1.0.0-ubi --confirm +``` + +### Install Consul in your cluster + +You can now deploy a complete Consul datacenter in your Kubernetes cluster using the official Consul Helm chart or the Consul K8S CLI. + + + + +Now, issue the `helm install` command. The following command specifies that the +installation should: + +- Use the custom values file you created earlier +- Use the `hashicorp/consul` chart you downloaded in the last step +- Set your Consul installation name to `consul` +- Create Consul resources in the `consul` namespace +- Use `consul-helm` chart version `1.0.2` + + +```shell-session +$ helm install consul hashicorp/consul --values values.yaml --create-namespace --namespace consul --version "1.0.2" --wait +``` + +The output will be similar to the following. + +```shell-session +NAME: consul +LAST DEPLOYED: Wed Sep 28 11:00:16 2022 +NAMESPACE: consul +STATUS: deployed +REVISION: 1 +NOTES: +Thank you for installing HashiCorp Consul! + +Your release is named consul. + +To learn more about the release, run: + + $ helm status consul + $ helm get all consul + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/reference/k8s/consul-k8s-cli +``` + + + + +Consul K8s CLI is a tool for quickly installing and interacting with Consul on Kubernetes. Ensure that you are installing the correct version of the CLI for your Consul on Kubernetes deployment, as the CLI and the control plane are version dependent. + +In order to install the latest version of the Consul K8s CLI depending on your operating system, follow the instructions [here](/consul/docs/k8s/installation/install-cli#install-the-cli). + +```shell-session +$ consul-k8s install -config-file=values.yaml +``` + + + + You can review the official [Consul K8S CLI documentation](/consul/docs/reference-cli/consul-k8s) to learn more about additional settings. + + + +When Consul is installed successfully, expect the following output: + +```shell-session +==> Installing Consul + ✓ Downloaded charts + --> creating 1 resource(s) + --> creating 46 resource(s) + --> beginning wait for 46 resources with timeout of 10m0s + ✓ Consul installed in namespace "consul". +``` + + + + +### Verify installation + + +Use `kubectl get pods` to verify your installation. + +```shell-session +$ watch kubectl get pods --namespace consul +NAME READY STATUS RESTARTS AGE +consul-cni-45fgb 1/1 Running 0 3m +consul-connect-injector-574799b944-n6jf6 1/1 Running 0 3m +consul-connect-injector-574799b944-xvksv 1/1 Running 0 3m +consul-server-0 1/1 Running 0 3m +consul-webhook-cert-manager-74467cdd8d-88m6j 1/1 Running 0 3m +``` + +Once all pods have a status of `Running`, enter `CTRL-C` to stop the watch. + +## Accessing the Consul UI + +Now that Consul has been deployed, you can access the Consul UI to verify that the Consul installation was successful, +and that the environment is healthy. + +### Expose the UI service to the host + +Since the application is running on your local development host, you can expose +the Consul UI to the development host using `kubectl port-forward`. The UI and the +HTTP API Server run on the `consul-server-0` pod. Issue the following command to +expose the server endpoint at port `8500` to your local development host. + +```shell-session +$ kubectl port-forward consul-server-0 --namespace consul 8500:8500 +Forwarding from 127.0.0.1:8500 -> 8500 +Forwarding from [::1]:8500 -> 8500 +``` + +Open [`http://localhost:8500`](http://localhost:8500) in a new browser tab, and you should observe a +page that looks similar to the following. + +![OpenShift Consul UI](/img/consul/consul-k8s/consul-ui-openshift.png) + +### Accessing Consul with the CLI and HTTP API + +To access Consul with the CLI, set the `CONSUL_HTTP_ADDR` following environment variable on the development host so that the Consul CLI knows which Consul server to interact with. + +```shell-session +$ export CONSUL_HTTP_ADDR=http://127.0.0.1:8500 +``` + +You should be able to issue the `consul members` command to view all available +Consul datacenter members. + +```shell-session +$ consul members +Node Address Status Type Build Protocol DC Partition Segment +consul-server-0 10.217.0.106:8301 alive server 1.14.3 2 dc1 default +crc-dzk9v-master-0 10.217.0.104:8301 alive client 1.14.3 2 dc1 default +``` + +You can use the same URL to make HTTP API requests with your custom code. + +## Deploy example services + +### Create a 'demo' project + +To simulate an active environment you will deploy a client, and an upstream backend +service. First, create a new project to deploy the client and server to: + +```shell-session +$ oc create-project demo +Now using project "demo" on server "https://api.crc.testing:6443". + +You can add applications to this project with the 'new-app' command. For example, try: + + oc new-app rails-postgresql-example + +to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application: + + kubectl create deployment hello-node --image=k8s.gcr.io/e2e-test-images/agnhost:2.33 -- /agnhost serve-hostname +``` + +### Create security context constraints for the application sidecars + +The `consul-dataplane` sidecar injected into each application pod runs with user ID 100, which is not allowed by default in OpenShift. Run the following commands to use this user ID. + +First, export the target namespace as an environment variable. + +```shell-session +$ export TARGET_NAMESPACE=demo +``` + +Add the service accounts in the targeted namespace access to the anyuid [security context constraints (SCC)](https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html). + +```shell-session +$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:$TARGET_NAMESPACE +``` + +When removing your application, remove the permissions as follows. + +```shell-session +$ oc adm policy remove-scc-from-group anyuid system:serviceaccounts:$TARGET_NAMESPACE +``` + +### Create a network attachment definition + +By default, OpenShift uses Multus for managed CNI, and thus requires a `NetworkAttachmentDefinition` in the application namespace to invoke the `consul-cni` plugin. +Read about the [Network Attachment Definition](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/how-to-use.md) Custom Resource for more details. Issue the following command to create a file named `networkattachmentdefinition.yaml` +that will be used to create a Network Attachment Definition in the `demo` namespace: + + + + If your OpenShift cluster has network isolation enabled, a Network Attachment Definition will be need per namespace. If network isolation is disabled, it is possible to use the Network Attachment Definition created in the namespace where Consul is installed. + + + +```shell-session +$ cat > networkattachementdefinition.yaml < server.yaml < client.yaml < + +```plaintext +INFO Stopping the OpenShift cluster, this may take a few minutes... +Stopped the OpenShift cluster +``` + + + +### Delete CRC + +Next, issue the following command to delete the cluster. + +```shell-session +$ crc delete +``` + +The CRC CLI will ask you to confirm that you want to delete the cluster. + +Example prompt: + + + +```plaintext +Do you want to delete the OpenShift cluster? [y/N]: +``` + + + +Enter `y` to confirm. + +Example output: + + + +```plaintext +Deleted the OpenShift cluster +``` + + + +## Next steps + +In this tutorial you created a [Red Hat OpenShift](https://www.openshift.com/learn/what-is-openshift) +cluster, and installed Consul to the cluster. + +Specifically, you: + +- Deployed an OpenShift cluster +- Deployed a Consul datacenter +- Accessed the Consul UI +- Used the Consul CLI to inspect your environment +- Decommissioned the environment + +It is highly recommended that you properly secure your Kubernetes cluster and +that you understand and enable the recommended security features of Consul. +Refer to the +[Secure Consul and Registered Services on Kubernetes tutorial](/consul/tutorials/kubernetes/kubernetes-secure-agents) +to learn how you can deploy an example workload, and secure Consul on Kubernetes +for production. + +For more information on the Consul Helm chart configuration options, review the +[consul-helm chart documentation](/consul/docs/reference/k8s/helm). diff --git a/website/content/docs/deploy/server/k8s/platform/self-hosted.mdx b/website/content/docs/deploy/server/k8s/platform/self-hosted.mdx new file mode 100644 index 00000000000..c0060fb19de --- /dev/null +++ b/website/content/docs/deploy/server/k8s/platform/self-hosted.mdx @@ -0,0 +1,43 @@ +--- +layout: docs +page_title: Deploy Consul on self-hosted Kubernetes +description: >- + The process for installing Consul on Kubernetes is the same as installing it on cloud-hosted k8s platforms, but requires additional configuration. Learn how to pre-define Persistent Volume Claims (PVCs) and a default storage class for server agents. +--- + +# Deploy Consul on self-hosted Kubernetes + +This topic describes how to deploy a Consul datacenter to an a self-hosted Kubernetes cluster. The instructions are the same as for cloud-hosted Kubernetes, but you may need to pre-define Persistent Volume Claims (PVCs) and a default storage class for server agents. + +Refer to the [Deploy Consul with Helm](/consul/docs/deploy/server/k8s/helm) and [Deploy Consul with `consul-k8s`](/consul/docs/deploy/server/k8s/consul-k8s) for the general installation process. + +## Predefined persistent volume claims (PVCs) + +If running a self-hosted Kubernetes installation, you may need to pre-create the persistent volumes for the stateful set that the Consul servers run in. + +The only way to use a pre-created PVC is to name them in the format Kubernetes expects. + +```text +data---consul-server- +``` + +The Kubernetes namespace you are installing into, Helm release name, and ordinal must match between your Consul servers and your pre-created PVCs. You only need as many PVCs as you have Consul servers. For example, given a Kubernetes namespace of "vault," a release name of "consul," and 5 servers, you would need to create PVCs with the following names. + +```text +data-vault-consul-consul-server-0 +data-vault-consul-consul-server-1 +data-vault-consul-consul-server-2 +data-vault-consul-consul-server-3 +data-vault-consul-consul-server-4 +``` + +## Storage class + +Your Kubernetes installation must either have a default storage class specified (refer to [Storage classes](https://kubernetes.io/docs/concepts/storage/storage-classes/) and [Change default storage class](https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/)) or you must specify the storage class for the Consul servers. + +```yaml +server: + storageClass: your-class +``` + +Refer t the [Helm reference](/consul/docs/reference/k8s/helm#v-server-storageclass) for more information. \ No newline at end of file diff --git a/website/content/docs/deploy/server/k8s/requirements.mdx b/website/content/docs/deploy/server/k8s/requirements.mdx new file mode 100644 index 00000000000..219ebefc2a3 --- /dev/null +++ b/website/content/docs/deploy/server/k8s/requirements.mdx @@ -0,0 +1,50 @@ +--- +layout: docs +page_title: Consul on Kubernetes Version Compatibility +description: >- + New releases require corresponding version updates to Consul on Kubernetes and its Helm chart. Review the compatibility matrix for Consul and consul-k8s and additional notes for integrating Vault and third-party platforms. +--- + +# Consul on Kubernetes Version Compatibility + +For every release of Consul on Kubernetes, a Helm chart, `consul-k8s-control-plane` binary and a `consul-k8s` CLI binary is built and distributed through a single version. When deploying via Helm, the recommended best path for upgrading Consul on Kubernetes, is to upgrade using the same `consul-k8s-control-plane` version as the Helm Chart, as the Helm Chart and Control Plane binary are tightly coupled. + +## Supported Consul and Kubernetes versions + +Consul Kubernetes versions all of its components (`consul-k8s` CLI, `consul-k8s-control-plane`, and Helm chart) with a single semantic version. When installing or upgrading to a specific versions, ensure that you are using the correct Consul version with the compatible Helm chart or `consul-k8s` CLI. + +| Consul version | Compatible `consul-k8s` versions | Compatible Kubernetes versions | Compatible OpenShift versions | +| -------------- | -------------------------------- | -------------------------------| -------------------------------------- | +| 1.17.x | 1.3.x | 1.25.x - 1.28.x | 4.12.x - 4.14.x (4.15.x not available) | +| 1.16.x | 1.2.x | 1.24.x - 1.27.x | 4.11.x - 4.14.x | +| 1.15.x | 1.1.x | 1.23.x - 1.26.x | 4.10.x - 4.13.x | + +### Version-specific upgrade requirements + +As of Consul v1.14.0, Kubernetes deployments use [Consul Dataplane](/consul/docs/connect/dataplane) instead of client agents. If you upgrade Consul from a version that uses client agents to a version that uses dataplanes, you must follow specific steps to update your Helm chart and remove client agents from the existing deployment. Refer to [Upgrading to Consul Dataplane](/consul/docs/upgrade/k8s#upgrading-to-consul-dataplane) for more information. + +The v1.0.0 release of the Consul on Kubernetes Helm chart also introduced a change to the [`externalServers[].hosts` parameter](/consul/docs/reference/k8s/helm#v-externalservers-hosts). Previously, you were able to enter a provider lookup as a string in this field. Now, you must include `exec=` at the start of a string containing a provider lookup. Otherwise, the string is treated as a DNS name. Refer to the [`go-netaddrs`](https://github.com/hashicorp/go-netaddrs) library and command line tool for more information. + +## Supported Envoy versions + +Supported versions of Envoy and `consul-dataplane` (for Consul K8s 1.0 and above) for Consul versions are also found in [Envoy - Supported Versions](/consul/docs/reference/proxy/envoy#supported-versions). Starting with `consul-k8s` 1.0, `consul-dataplane` will include a bundled version of Envoy. The recommended best practice is to use the default version of Envoy or `consul-dataplane` that is provided in the Helm `values.yaml` file, as that is the version that has been tested with the default Consul and Consul Kubernetes binaries for a given Helm chart. + +## Vault as a Secrets Backend compatibility + +Starting with Consul K8s 0.39.0 and Consul 1.11.x, Consul Kubernetes supports the ability to utilize Vault as the secrets backend for all the secrets utilized by Consul on Kubernetes. + +| `consul-k8s` Versions | Compatible Vault Versions | Compatible `vault-k8s` Versions | +| ------------------------ | --------------------------| ----------------------------- | +| 0.39.0 - latest | 1.9.0 - latest | 0.14.0 - latest | + +## Platform specific compatibility notes + +### Red Hat OpenShift + +You can enable support for Red Hat OpenShift by setting `enabled: true` in the `global.openshift` stanza. Refer to the [Deploy Consul on RedHat OpenShift tutorial](/consul/deploy/server/k8s/platform/openshift) for instructions on deploying to OpenShift. + +### VMware Tanzu Kubernetes Grid and Tanzu Kubernetes Grid Integrated Edition + +Consul Kubernetes is [certified](https://marketplace.cloud.vmware.com/services/details/hashicorp-consul-1?slug=true) for both VMware Tanzu Kubernetes Grid, and VMware Tanzu Kubernetes Integrated Edition. + +- Tanzu Kubernetes Grid is certified for version 1.3.0 and above. Only Calico is supported as the CNI Plugin. \ No newline at end of file diff --git a/website/content/docs/k8s/operations/uninstall.mdx b/website/content/docs/deploy/server/k8s/uninstall.mdx similarity index 99% rename from website/content/docs/k8s/operations/uninstall.mdx rename to website/content/docs/deploy/server/k8s/uninstall.mdx index 3d780df1830..a92ef303ebc 100644 --- a/website/content/docs/k8s/operations/uninstall.mdx +++ b/website/content/docs/deploy/server/k8s/uninstall.mdx @@ -112,4 +112,4 @@ Run the `helm uninstall` **and** manually remove resources that Helm does not de ```shell-session $ kubectl delete ns consul - ``` + ``` \ No newline at end of file diff --git a/website/content/docs/install/ports.mdx b/website/content/docs/deploy/server/ports.mdx similarity index 82% rename from website/content/docs/install/ports.mdx rename to website/content/docs/deploy/server/ports.mdx index dea835f51be..5ea1d72ccb8 100644 --- a/website/content/docs/install/ports.mdx +++ b/website/content/docs/deploy/server/ports.mdx @@ -1,14 +1,14 @@ --- layout: docs page_title: Consul ports reference -description: Find information about the ports that Consul requires for its networking functions, including required ports for HCP Consul Dedicated. Required ports differ for Consul servers and clients. +description: Find information about the ports that Consul requires for its networking functions, including required ports for HCP Consul. Required ports differ for Consul servers and clients. --- # Consul ports reference This page provides reference information about the required ports that Consul exposes for its operations. -You can change or disable Consul's default ports in the [agent configuration file](/consul/docs/agent/config/config-files#ports) or using the [`consul agent` CLI command](/consul/docs/agent/config/cli-flags). +You can change or disable Consul's default ports in the [agent configuration file](/consul/docs/reference/agent#ports) or using the [`consul agent` CLI command](/consul/docsreference-cli/agent). ## Overview @@ -16,13 +16,13 @@ The exact ports that Consul requires depend on your network's specific configura There are slight differences between the port requirements for Consul servers and clients. When a Consul server has services, proxies, or gateways registered to it, then it acts as both a server and client. -[HCP Consul Dedicated servers](/hcp/docs/consul) have distinct port assignments. For more information, refer to [cluster management in the HCP documentation](https://developer.hashicorp.com/hcp/docs/consul/concepts/cluster-management#hashicorp-managed-clusters). +HashiCorp-managed servers deployed using [HCP Consul](/hcp/docs/consul) have distinct port assignments. For more information, refer to [cluster management in the HCP documentation](/hcp/docs/consul/concepts/cluster-management#hashicorp-managed-clusters). ## Consul servers -The following table lists port names, their function, their network protocols, their default port numbers, whether they are enabled or disabled by default, port assignments for HCP Consul Dedicated server clusters, and the direction of traffic from the Consul server's perspective. +The following table lists port names, their function, their network protocols, their default port numbers, whether they are enabled or disabled by default, port assignments for HashiCorp-managed server clusters, and the direction of traffic from the Consul server's perspective. -| Port name | Use | Protocol | Default port | Default status | HCP Consul Dedicated port | Direction | +| Port name | Use | Protocol | Default port | Default status | HCP-managed port | Direction | | :------------------------ | :----------------------------------------- | :---------- | :----------- | :------------- | :--------------- | :-------------------- | | [DNS](#dns) | The DNS server | TCP and UDP | `8600` | Enabled | Unsupported | Incoming | | [HTTP](#http) | The HTTP API | TCP | `8500` | Enabled | Unsupported | Incoming | @@ -47,7 +47,7 @@ The server's DNS port does not need to be open when DNS queries are sent to Cons If you configure recursors in Consul to upstream DNS servers, then you need outbound access to those servers on port `53`. -To resolve Consul DNS requests when using HCP Consul Dedicated, we recommend running Consul clients and resolving DNS against the clients. If your use case cannot accommodate this recommendation, open a support ticket. +To resolve Consul DNS requests when using HashiCorp-managed servers on HCP Consul, we recommend running Consul clients and resolving DNS against the clients. If your use case cannot accomodate this recommendation, open a support ticket. ### HTTP @@ -63,13 +63,13 @@ The server's HTTP port does not need to be open when Consul clients service all The Consul CLI uses the HTTP port to interact with Consul by default. -HCP Consul Dedicated does not support the HTTP port. +HCP Consul does not support the HTTP port. ### HTTPS The following table lists information about the Consul server API's HTTPS port defaults: -| Default port | Protocol | Default status | HCP Consul Dedicated server port | +| Default port | Protocol | Default status | Hashicorp-managed server port | | :----------- | :------- | :------------------ | :---------------------------- | | `8501` | TCP | Disabled by default | `443` | @@ -77,9 +77,9 @@ This port receives incoming traffic from workloads that make HTTPS API calls. The server HTTPS port does not need to be open when Consul clients service all HTTPS API calls. Consul does not use this port for internal communication between servers, clients, dataplanes, gateways, and Envoy proxies. -This port is disabled by default. You can enable it in the [agent configuration file](/consul/docs/agent/config/config-files#ports) or using the [`consul agent` CLI command](/consul/docs/agent/config/cli-flags). +This port is disabled by default. You can enable it in the [agent configuration file](/consul/docs/reference/agent#ports) or using the [`consul agent` CLI command](/consul/docsreference-cli/agent). -HCP Consul Dedicated assigns port `443` to HCP Consul Dedicated clusters, instead of the default `8501`. +HCP Consul assigns port `443` to HashiCorp-managed clusters, instead of the default `8501`. ### gRPC @@ -91,21 +91,21 @@ The following table lists information about the Consul API's gRPC port defaults: When using [Consul Dataplane](/consul/docs/connect/dataplane), this port receives incoming traffic from the dataplanes. -We recommend using gRPC TLS instead, so this port is disabled by default. You can enable it in the [agent configuration file](/consul/docs/agent/config/config-files#ports) or using the [`consul agent` CLI command](/consul/docs/agent/config/cli-flags). +We recommend using gRPC TLS instead, so this port is disabled by default. You can enable it in the [agent configuration file](/consul/docs/reference/agent#ports) or using the [`consul agent` CLI command](/consul/docsreference-cli/agent). -HCP Consul Dedicated does not support the gRPC port. +HCP Consul does not support the gRPC port. ### gRPC TLS The following table lists information about the Consul API's gRPC with TLS port defaults: -| Default port | Protocol | Default status | HCP Consul Dedicated server port | +| Default port | Protocol | Default status | Hashicorp-managed server port | | :----------- | :------- | :------------------ | :---------------------------- | | `8503` | TCP | Enabled by default | `8502` | This port receives incoming traffic from the dataplanes when using [Consul Dataplane](/consul/docs/connect/dataplane) instead of client agents. We recommend using `8503` as your conventional gRPC port number because it allows some tools to work automatically. -In deployments with [cluster peering connections](/consul/docs/connect/cluster-peering), this port provides incoming and outgoing access between remote server peers. Specifically, the dialing peer needs outgoing access and the accepting peer needs incoming access. The address dialed depends on whether or not the cluster peering connection uses mesh gateways and whether the mesh gateway is in remote or local mode: +In deployments with [cluster peering connections](/consul/docs/east-west/cluster-peering), this port provides incoming and outgoing access between remote server peers. Specifically, the dialing peer needs outgoing access and the accepting peer needs incoming access. The address dialed depends on whether or not the cluster peering connection uses mesh gateways and whether the mesh gateway is in remote or local mode: - When not using mesh gateways, servers dial the remote server addresses directly. - When using mesh gateways in local mode, servers dial the local mesh gateway. @@ -113,13 +113,15 @@ In deployments with [cluster peering connections](/consul/docs/connect/cluster-p In both local and remote cases, incoming traffic comes from the mesh gateways. -HCP Consul Dedicated assigns port `8502` to clusters, instead of the default `8503`. +HCP Consul assigns port `8502` to HashiCorp-managed clusters, instead of the default `8503`. + +When the [v2 catalog](/consul/docs/architecture/catalog/v2) is enabled, all API calls from external systems, such as the Consul CLI and Terraform provider, use this port. ### Server RPC The following table lists information about the Server RPC port defaults: -| Default port | Protocol | Default status | HCP Consul Dedicated server port | +| Default port | Protocol | Default status | Hashicorp-managed server port | | :----------- | :------- | :----------------- | :---------------------------- | | `8300` | TCP | Enabled by default | `8300` | @@ -133,7 +135,7 @@ When using WAN federation with mesh gateways, Consul servers must accept server The following table lists information about the LAN serf port defaults: -| Default port | Protocol | Default status | HCP Consul Dedicated server port | +| Default port | Protocol | Default status | Hashicorp-managed server port | | :----------- | :-----------| :----------------- | :---------------------------- | | `8301` | TCP and UDP | Enabled by default | `8301` | @@ -145,11 +147,11 @@ When running Enterprise deployments that use multiple admin partitions, all Cons The following table lists information about the WAN serf port defaults: -| Default port | Protocol | Default status | HCP Consul Dedicated server port | +| Default port | Protocol | Default status | Hashicorp-managed server port | | :----------- | :---------- | :----------------- | :---------------------------- | | `8302` | TCP and UDP | Enabled by default | `8302` | -This port sends and receives traffic between Consul servers in a federated network. WAN-federated networks require one cluster to serve as the primary datacenter while the others function as secondary datacenters. Refer to [Enabling WAN Federation Control Plane Traffic](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways) for additional information. +This port sends and receives traffic between Consul servers in a federated network. WAN-federated networks require one cluster to serve as the primary datacenter while the others function as secondary datacenters. Refer to [Enabling WAN Federation Control Plane Traffic](/consul/docs/east-west/mesh-gateway/enable) for additional information. When using WAN federation without mesh gateways, incoming and outgoing traffic on this port is required between all federated servers. @@ -202,7 +204,7 @@ The following table lists information about the Consul client's HTTPS port defau This port receives incoming traffic from workloads that make HTTPS API calls. Consul does not use this port for internal communication between servers, clients, dataplanes, gateways, and Envoy proxies. -This port is disabled by default. You can enable it in the [agent configuration file](/consul/docs/agent/config/config-files#ports) or using the [`consul agent` CLI command](/consul/docs/agent/config/cli-flags). +This port is disabled by default. You can enable it in the [agent configuration file](/consul/docs/reference/agent#ports) or using the [`consul agent` CLI command](/consul/docsreference-cli/agent). When this port is enabled, the Consul CLI uses it to interact with Consul. @@ -228,7 +230,7 @@ The following table lists information about the Consul client's gRPC with TLS po This port receives incoming traffic from the gateways and Envoy proxies registered to this client. We recommend using `8503` as your conventional gRPC port number, as it allows some tools to work automatically. -This port is disabled by default. You can enable it in the [agent configuration file](/consul/docs/agent/config/config-files#ports) or using the [`consul agent` CLI command](/consul/docs/agent/config/cli-flags). +This port is disabled by default. You can enable it in the [agent configuration file](/consul/docs/reference/agent#ports) or using the [`consul agent` CLI command](/consul/docsreference-cli/agent). ### Client LAN serf diff --git a/website/content/docs/deploy/server/vm/bootstrap.mdx b/website/content/docs/deploy/server/vm/bootstrap.mdx new file mode 100644 index 00000000000..19d92e00fe9 --- /dev/null +++ b/website/content/docs/deploy/server/vm/bootstrap.mdx @@ -0,0 +1,136 @@ +--- +layout: docs +page_title: Bootstrap a Consul datacenter (VM) +description: >- + Bootstrapping a datacenter is the initial deployment process in Consul that starts server agents and joins them together. Learn how to deploy and join Consul servers running on a virtual machine. +--- + +# Bootstrap a Consul datacenter + +This page describes the process to bootstrap a Consul datacenter running on a virtual machine (VM). + +## Background + +In Consul, a datacenter is an organizational unit that governs the assignment of resources such as servers, proxies, and gateways. Objects in a datacenter share security resources, including tokens and mTLS certificates, which are managed by a Consul server cluster. This server cluster is a group of one to five Consul servers deployed within a single cloud region. + +When a cluster is first created, it must initiate the consensus protocol and elect a leader before it can service requests. _Bootstrapping a datacenter_ refers to the process of configuring and joining the initial server nodes in a cluster. After you bootstrap a datacenter, you can use [cloud auto-join](/consul/docs/deploy/server/vm/cloud-auto-join) to automatically connect to Consul agents in the control plane and data plane as you deploy them. + +## Prerequisites + +Bootstrapping a Consul datacenter requires at least one node with a local [Consul binary installation](/consul/install). For testing and development scenarios, you can use your local node to deploy a datacenter that runs as a single Consul server. + +## Bootstrap a datacenter + +You can bootstrap a datacenter by passing configurations through flags on the `consul agent` command. You can also define multiple servers using a single agent configuration file, and then start each agent using that file. When the Consul servers detect the expected number of servers, they hold an election and communicate according to the Raft protocol. + +Complete the following steps to bootstrap a cluster: + +1. Initiate the cluster and specify the number of server agents to start. +1. Join the servers either automatically or manually. + +Use the [`-bootstrap-expect`](/consul/docsreference-cli/agent#_bootstrap_expect) flag on the command line or configure `bootstrap_expect` in the agent configuration. This option declares the expected number of servers and automatically bootstraps them when the specified number of servers are available. To prevent inconsistencies and deployments where multiple servers consider themselves leader, you should either specify the same value for each server's `bootstrap_expect` parameter or specify no value at all on all the servers. When `-bootstrap-expect` is omitted, Consul defaults to `1` for the number of expected servers. + +The following command bootstraps a datacenter consisting of three Consul servers: + +```shell-session +$ consul agent -data-dir /tmp/consul -server -bootstrap-expect 3 +``` + +You can also create an agent configuration file to use when deploying multiple Consul servers. The following example demonstrates a basic agent configuration for bootstrapping a datacenter with three servers: + + + +```hcl +datacenter = "dc1" +data_dir = "/tmp/consul" +log_level = "INFO" +server = true +bootstrap_expect = 3 +``` + + + +To apply the agent configuration to each server, run the following command on each VM: + +```shell-session +$ consul agent -config-file=bootstrap.hcl +``` + +Consul prints a warning message to the console when the number of servers in a cluster is less than the expected bootstrap number: + +```log hideClipboard +[WARN] raft: EnableSingleNode disabled, and no known peers. Aborting election. +``` + +### Join the servers + +After you start the servers, you must join them in a cluster to initiate the Raft election. To join servers automatically, specify network addresses or [cloud auto join](/consul/docs/deploy/server/vm/cloud-auto-join) tags for supported cloud environments using either the [-retry-join CLI flag](/consul/docsreference-cli/agent#_retry_join) or the [`retry_join` configuration option](/consul/docs/reference/agent#retry_join). + +The following examples demonstrate address options and their formatting for the `-retry-join` CLI flag. + + + + ```shell-session + $ consul agent -retry-join "consul.domain.internal" + ``` + + + + + + ```shell-session + $ consul agent -retry-join "10.0.4.67" + ``` + + + + + + ```shell-session + $ consul agent -retry-join "192.0.2.10:8304" + ``` + + + + + + ```shell-session + $ consul agent -retry-join "[::1]:8301" + ``` + + + + + + ```shell-session + $ consul agent -retry-join "consul.domain.internal" -retry-join "10.0.4.67" + ``` + + + + + + ```shell-session + $ consul agent -retry-join "provider=aws tag_key=..." + ``` + + + +### Verify the Raft status + +To verify that the bootstrap process completed successfully, you can use the [`consul info`](/consul/commands/info) command to check the cluster's current Raft status. In particular, verify the following: + +- `raft.num_peers` should be one less than the number of expected bootstrap servers, minus one +- `raft.last_log_index` should be a non-zero number + +## Next steps + +After you bootstrap a datacenter, you can make additional changes to the datacenter by modifying the agent configuration and then running the [`consul reload` command](/consul/commands/reload). + +We recommend removing `bootstrap_expect` from agent configurations and reloading the agents after the initial bootstrap process is complete. This action prevents server agents that fail from unintentionally bootstrapping again after they restart. Instead, they will rejoin a datacenter's cluster automatically. + +You can also enable Consul's browser-based user interface, deploy client agents, and register services in the Consul catalog for service discovery and service mesh use cases. Refer to the following topics for more information: + +- [Consul UI visualization](/consul/docs/concept/ui) +- [Configure client agents](/consul/docs/deploy/workload/configure-vm-agent) +- [Register service](/register/service/vm) \ No newline at end of file diff --git a/website/content/docs/install/cloud-auto-join.mdx b/website/content/docs/deploy/server/vm/cloud-auto-join.mdx similarity index 81% rename from website/content/docs/install/cloud-auto-join.mdx rename to website/content/docs/deploy/server/vm/cloud-auto-join.mdx index 82cf6b6d592..440bb90d65c 100644 --- a/website/content/docs/install/cloud-auto-join.mdx +++ b/website/content/docs/deploy/server/vm/cloud-auto-join.mdx @@ -5,20 +5,13 @@ description: >- Auto-join enables agents to automatically join other agents running in the cloud. To configure auto-join, specify agent addresses with compute node metadata for the cloud provider instead of an IP address. Use the CLI or an agent configuration file to configure cloud auto-join. --- -# Cloud Auto-join +# Automatic agent discovery (cloud auto-join) -As of Consul 0.9.1, `retry-join` accepts a unified interface using the -[go-discover](https://github.com/hashicorp/go-discover) library for -automatically joining a Consul datacenter using cloud metadata. To use `retry-join` with a -supported cloud provider, specify the configuration on the command line or -configuration file as a `key=value key=value ...` string. +As of Consul 0.9.1, `retry-join` accepts a unified interface using the [go-discover](https://github.com/hashicorp/go-discover) library for automatically joining a Consul datacenter using cloud metadata. To use `retry-join` with a supported cloud provider, specify the configuration on the command line or configuration file as a `key=value key=value ...` string. -In Consul 0.9.1-0.9.3 the values need to be URL encoded but for most -practical purposes you need to replace spaces with `+` signs. +In Consul 0.9.1-0.9.3, the values need to be URL encoded but for most practical purposes you need to replace spaces with `+` signs. -As of Consul 1.0 the values are taken literally and must not be URL -encoded. If the values contain spaces, equals, backslashes or double quotes then -they need to be double quoted and the usual escaping rules apply. +As of Consul 1.0 the values are taken literally and must not be URL encoded. If the values contain spaces, equals, backslashes or double quotes then they need to be double quoted and the usual escaping rules apply. ```shell-session $ consul agent -retry-join 'provider=my-cloud config=val config2="some other val" ...' @@ -34,9 +27,7 @@ or via a configuration file: ## Auto-join with Network Segments -In order to use cloud auto-join with [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview), -you must reconfigure the Consul agent's Serf LAN port to match that of the -segment you wish to join. +In order to use cloud auto-join with [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview), you must reconfigure the Consul agent's Serf LAN port to match that of the segment you wish to join. For example, given the following segment configuration on the server agents: @@ -61,14 +52,12 @@ segments = [ -A Consul client agent wishing to join the "alpha" segment would need to be configured -to use port `8303` as its Serf LAN port prior to attempting to join the cluster. +A Consul client agent wishing to join the "alpha" segment would need to be configured to use port `8303` as its Serf LAN port prior to attempting to join the cluster. -The following example configuration overrides the default Serf LAN port using the -[`ports.serf_lan`](/consul/docs/agent/config/config-files#serf_lan_port) configuration option. +The following example configuration overrides the default Serf LAN port using the [`ports.serf_lan`](/consul/docs/reference/agent#serf_lan_port) configuration option. @@ -83,8 +72,7 @@ ports { -The following example overrides the default Serf LAN port using the -[`-serf-lan-port`](/consul/docs/agent/config/cli-flags#_serf_lan_port) command line flag. +The following example overrides the default Serf LAN port using the [`-serf-lan-port`](/consul/docsreference-cli/agent#_serf_lan_port) command line flag. ```shell $ consul agent -serf-lan-port=8303 -retry-join "provider=..." @@ -95,21 +83,15 @@ $ consul agent -serf-lan-port=8303 -retry-join "provider=..." ## Provider-specific configurations -The cloud provider-specific configurations are detailed below. This can be -combined with static IP or DNS addresses or even multiple configurations -for different providers. +The cloud provider-specific configurations are detailed below. This can be combined with static IP or DNS addresses or even multiple configurations for different providers. -In order to use discovery behind a proxy, you will need to set -`HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` environment variables per -[Golang `net/http` library](https://golang.org/pkg/net/http/#ProxyFromEnvironment). +In order to use discovery behind a proxy, you will need to set `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` environment variables per [Golang `net/http` library](https://golang.org/pkg/net/http/#ProxyFromEnvironment). -The following sections give the options specific to each supported cloud -provider. +The following sections give the options specific to each supported cloud provider. ### Amazon EC2 and ECS -This returns the first private IP address of all servers in the given -region which have the given `tag_key` and `tag_value`. +This returns the first private IP address of all servers in the given region which have the given `tag_key` and `tag_value`. ```shell-session $ consul agent -retry-join "provider=aws tag_key=... tag_value=..." @@ -133,7 +115,7 @@ $ consul agent -retry-join "provider=aws tag_key=... tag_value=..." - `ecs_family` (optional) - String value limits searches to a AWS ECS task definition family. By default, Consul searches all task definition families with the specified tags. - `endpoint` (optional) - String value that specifies the endpoint URL of the AWS service to use. If not set, the AWS client sets the value, which defaults to the public DNS name for the service in the specified region. -#### Authentication & Precedence +#### Authentication & precedence - Static credentials `access_key_id=... secret_access_key=...` - Environment variables (`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`) @@ -156,9 +138,7 @@ If the region is omitted from the configuration, Consul obtains it from the loca ### Microsoft Azure -This returns the first private IP address of all servers in the given region -which have the given `tag_key` and `tag_value` applied to their virtual NIC in the tenant and subscription, or in -the given `resource_group` of a `vm_scale_set` for Virtual Machine Scale Sets. +This returns the first private IP address of all servers in the given region which have the given `tag_key` and `tag_value` applied to their virtual NIC in the tenant and subscription, or in the given `resource_group` of a `vm_scale_set` for Virtual Machine Scale Sets. ```shell-session $ consul agent -retry-join "provider=azure tag_key=... tag_value=... tenant_id=... client_id=... subscription_id=... secret_access_key=..." @@ -199,16 +179,15 @@ that contains the virtual NICs for the Virtual Machines. When using Virtual Machine Scale Sets the only role action needed is `Microsoft.Compute/virtualMachineScaleSets/*/read`. -~> **Note:** If the Consul datacenter is hosted on Azure, Consul can use Managed Service Identities (MSI) to access Azure instead of an environment -variable, shared client id and secret. MSI must be enabled on the VMs or Virtual Machine Scale Sets hosting Consul. It is the preferred configuration -since MSI prevents your Azure credentials from being stored in Consul configuration. This feature is supported in Consul 1.7 and above. When using -MSI, the `tag_key`, `tag_value` and `subscription_id` need to be supplied for Virtual machines. -Be aware that the amount of time that Azure takes for the VMs to detect the MSI permissions can be between a minute to an hour. + + +If the Consul datacenter is hosted on Azure, Consul can use Managed Service Identities (MSI) to access Azure instead of an environment variable, shared client id and secret. MSI must be enabled on the VMs or Virtual Machine Scale Sets hosting Consul. It is the preferred configuration since MSI prevents your Azure credentials from being stored in Consul configuration. This feature is supported in Consul 1.7 and above. When using MSI, the `tag_key`, `tag_value` and `subscription_id` need to be supplied for Virtual machines. Be aware that the amount of time that Azure takes for the VMs to detect the MSI permissions can be between a minute to an hour. + + ### Google Compute Engine -This returns the first private IP address of all servers in the given -project which have the given `tag_value`. +This returns the first private IP address of all servers in the given project which have the given `tag_value`. ```shell-session $ consul agent -retry-join "provider=gce project_name=... tag_value=..." @@ -226,11 +205,9 @@ $ consul agent -retry-join "provider=gce project_name=... tag_value=..." - `zone_pattern` (optional) - the list of zones can be restricted through an RE2 compatible regular expression. If omitted, servers in all zones are returned. - `credentials_file` (optional) - the credentials file for authentication. Note, if you set `-config-dir` do not store the credentials.json file in the configuration directory as it will be parsed as a config file and Consul will fail to start. See below for more information. -#### Authentication & Precedence +#### Authentication & precedence -Discovery requires a [GCE Service -Account](https://cloud.google.com/compute/docs/access/service-accounts). -Credentials are searched using the following paths, in order of precedence. +Discovery requires a [GCE Service Account](https://cloud.google.com/compute/docs/north-south/service-accounts). Credentials are searched using the following paths, in order of precedence. - Use credentials from `credentials_file`, if provided. - Use JSON file from `GOOGLE_APPLICATION_CREDENTIALS` environment variable. @@ -242,8 +219,7 @@ Credentials are searched using the following paths, in order of precedence. ### IBM SoftLayer -This returns the first private IP address of all servers for the given -datacenter with the given `tag_value`. +This returns the first private IP address of all servers for the given datacenter with the given `tag_value`. ```shell-session $ consul agent -retry-join "provider=softlayer datacenter=... tag_value=... username=... api_key=..." @@ -265,8 +241,7 @@ $ consul agent -retry-join "provider=softlayer datacenter=... tag_value=... user ### Aliyun (Alibaba Cloud) -This returns the first private IP address of all servers for the given -`region` with the given `tag_key` and `tag_value`. +This returns the first private IP address of all servers for the given `region` with the given `tag_key` and `tag_value`. ```shell-session $ consul agent -retry-join "provider=aliyun region=... tag_key=consul tag_value=... access_key_id=... access_key_secret=..." @@ -287,13 +262,11 @@ $ consul agent -retry-join "provider=aliyun region=... tag_key=consul tag_value= - `access_key_id` (required) -the access key to use for auth. - `access_key_secret` (required) - the secret key to use for auth. -The required RAM permission is `ecs:DescribeInstances`. -It is recommended you make a dedicated key used to auto-join. +The required RAM permission is `ecs:DescribeInstances`. It is recommended you make a dedicated key used to auto-join. ### Digital Ocean -This returns the first private IP address of all servers for the given -`region` with the given `tag_name`. +This returns the first private IP address of all servers for the given `region` with the given `tag_name`. ```shell-session $ consul agent -retry-join "provider=digitalocean region=... tag_name=... api_token=..." @@ -312,8 +285,7 @@ $ consul agent -retry-join "provider=digitalocean region=... tag_name=... api_to ### Openstack -This returns the first private IP address of all servers for the given -`region` with the given `tag_key` and `tag_value`. +This returns the first private IP address of all servers for the given `region` with the given `tag_key` and `tag_value`. ```shell-session $ consul agent -retry-join "provider=os tag_key=consul tag_value=server user_name=... password=... auth_url=..." @@ -344,8 +316,7 @@ The configuration can also be provided by environment variables. ### Scaleway -This returns the first private IP address of all servers for the given -`region` with the given `tag_name`. +This returns the first private IP address of all servers for the given `region` with the given `tag_name`. ```shell-session $ consul agent -retry-join "provider=scaleway organization=my-org tag_name=consul-server token=... region=..." @@ -389,8 +360,7 @@ $ consul agent -retry-join "provider=tencentcloud region=... tag_key=consul tag_ - `access_key_id` (required) - The secret id of TencentCloud. - `access_key_secret` (required) - The secret key of TencentCloud. -This required permission to 'cvm:DescribeInstances'. -It is recommended you make a dedicated key used to auto-join the Consul datacenter. +This required permission to 'cvm:DescribeInstances'. It is recommended you make a dedicated key used to auto-join the Consul datacenter. ### Joyent Triton @@ -488,20 +458,11 @@ Variables can also be provided by environment variables: ### Kubernetes (k8s) -The Kubernetes provider finds the IP addresses of pods with the matching -[label or field selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). -This is useful for non-Kubernetes agents that are joining a server cluster -running within Kubernetes. +The Kubernetes provider finds the IP addresses of pods with the matching [label or field selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). This is useful for non-Kubernetes agents that are joining a server cluster running within Kubernetes. -The pod IP is used by default, which requires that the agent connecting can -network to the pod IP. The `host_network` boolean can be set to true to use -the host IP instead, but this requires the agent ports (Gossip, RPC, etc.) -to be exported to the host as well. +The pod IP is used by default, which requires that the agent connecting can network to the pod IP. The `host_network` boolean can be set to true to use the host IP instead, but this requires the agent ports (Gossip, RPC, etc.) to be exported to the host as well. -By default, no port is specified. This causes Consul to use the default -gossip port (default behavior with all join requests). The pod may specify -the `consul.hashicorp.com/auto-join-port` annotation to set the port. The value -may be an integer or a named port. +By default, no port is specified. This causes Consul to use the default gossip port (default behavior with all join requests). The pod may specify the `consul.hashicorp.com/auto-join-port` annotation to set the port. The value may be an integer or a named port. ```shell-session $ consul agent -retry-join "provider=k8s label_selector=\"app=consul,component=server\"" @@ -522,5 +483,4 @@ $ consul agent -retry-join "provider=k8s label_selector=\"app=consul,component=s - `label_selector` (optional) - the label selector for matching pods. - `field_selector` (optional) - the field selector for matching pods. -The Kubernetes token used by the provider needs to have permissions to list pods -in the desired namespace. +The Kubernetes token used by the provider needs to have permissions to list pods in the desired namespace. \ No newline at end of file diff --git a/website/content/docs/deploy/server/vm/index.mdx b/website/content/docs/deploy/server/vm/index.mdx new file mode 100644 index 00000000000..73fb28555c8 --- /dev/null +++ b/website/content/docs/deploy/server/vm/index.mdx @@ -0,0 +1,20 @@ +--- +layout: docs +page_title: Deploy Consul on virtual machines overview +description: >- + To deploy a Consul server on VMs, install the binary, bootstrap the server, and then join additional server to the cluster. +--- + +# Deploy Consul server on virtual machines + +This topic provides an overview for deploying a Consul server when running Consul on virtual machines (VMs). + +## Overview + +The process to deploy a Consul server on virtual machines consists of the following steps: + +1. Install the Consul binary on the VM +1. [Bootstrap the Consul server](/consul/docs/deploy/server/vm/bootstrap) +1. [Join additional servers to the cluster](/consul/docs/deploy/server/vm/cloud-auto-join) + +For step-by-step guidance on the processes described in this topic, refer to the [Deploy Consul on VMs getting started tutorial](/consul/tutorials/get-started-vms/virtual-machine-gs-deploy?variants=consul-workflow%3Alab). \ No newline at end of file diff --git a/website/content/docs/install/performance.mdx b/website/content/docs/deploy/server/vm/requirements.mdx similarity index 91% rename from website/content/docs/install/performance.mdx rename to website/content/docs/deploy/server/vm/requirements.mdx index c035cbf8404..e8014c3a4b5 100644 --- a/website/content/docs/install/performance.mdx +++ b/website/content/docs/deploy/server/vm/requirements.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Server Performance Requirements +page_title: Consul server requirements on VMs description: >- Consul servers require sufficient compute resources to communicate and process data quickly. Learn about Consul's minimum server requirements and recommendations for different workloads. --- -# Server Performance +# Consul server requirements on VMs Since Consul servers run a [consensus protocol](/consul/docs/architecture/consensus) to process all write operations and are contacted on nearly all read operations, server @@ -16,7 +16,7 @@ reads work from a fully in-memory data store that is optimized for concurrent ac ## Minimum Server Requirements ((#minimum)) -In Consul 0.7, the default server [performance parameters](/consul/docs/agent/config/config-files#performance) +In Consul 0.7, the default server [performance parameters](/consul/docs/reference/agent#performance) were tuned to allow Consul to run reliably (but relatively slowly) on a server cluster of three [AWS t2.micro](https://aws.amazon.com/ec2/instance-types/) instances. These thresholds were determined empirically using a leader instance that was under sufficient read, write, @@ -41,7 +41,7 @@ The default performance configuration is equivalent to this: ## Production Server Requirements ((#production)) When running Consul 0.7 and later in production, it is recommended to configure the server -[performance parameters](/consul/docs/agent/config/config-files#performance) back to Consul's original +[performance parameters](/consul/docs/reference/agent#performance) back to Consul's original high-performance settings. This will let Consul servers detect a failed leader and complete leader elections much more quickly than the default configuration which extends key Raft timeouts by a factor of 5, so it can be quite slow during these events. @@ -101,25 +101,25 @@ Here are some general recommendations: issues between the servers or insufficient CPU resources. Users in cloud environments often bump their servers up to the next instance class with improved networking and CPU until leader elections stabilize, and in Consul 0.7 or later the [performance - parameters](/consul/docs/agent/config/config-files#performance) configuration now gives you tools + parameters](/consul/docs/reference/agent#performance) configuration now gives you tools to trade off performance instead of upsizing servers. You can use the [`consul.raft.leader.lastContact` telemetry](/consul/docs/agent/telemetry#leadership-changes) to observe how the Raft timing is performing and guide the decision to de-tune Raft performance or add more powerful servers. - For DNS-heavy workloads, configuring all Consul agents in a cluster with the - [`allow_stale`](/consul/docs/agent/config/config-files#allow_stale) configuration option will allow reads to + [`allow_stale`](/consul/docs/reference/agent#allow_stale) configuration option will allow reads to scale across all Consul servers, not just the leader. Consul 0.7 and later enables stale reads - for DNS by default. See [Stale Reads](/consul/docs/services/discovery/dns-cache#stale-reads) in the - [DNS Caching](/consul/docs/services/discovery/dns-cache) guide for more details. It's also good to set - reasonable, non-zero [DNS TTL values](/consul/docs/services/discovery/dns-cache#ttl-values) if your clients will + for DNS by default. See [Stale Reads](/consul/tutorials/networking/dns-caching#stale-reads) in the + [DNS Caching](/consul/tutorials/networking/dns-caching) guide for more details. It's also good to set + reasonable, non-zero [DNS TTL values](/consul/tutorials/networking/dns-caching#ttl-values) if your clients will respect them. - In other applications that perform high volumes of reads against Consul, consider using the [stale consistency mode](/consul/api-docs/features/consistency#stale) available to allow reads to scale across all the servers and not just be forwarded to the leader. -- In Consul 0.9.3 and later, a new [`limits`](/consul/docs/agent/config/config-files#limits) configuration is +- In Consul 0.9.3 and later, a new [`limits`](/consul/docs/reference/agent#limits) configuration is available on Consul clients to limit the RPC request rate they are allowed to make against the Consul servers. After hitting the limit, requests will start to return rate limit errors until time has passed and more requests are allowed. Configuring this across the cluster can help with @@ -158,7 +158,7 @@ Since writes must be synced to disk (persistent storage) on a quorum of servers For a **read-heavy** workload, configure all Consul server agents with the `allow_stale` DNS option, or query the API with the `stale` [consistency mode](/consul/api-docs/features/consistency). By default, all queries made to the server are RPC forwarded to and serviced by the leader. By enabling stale reads, any server will respond to any query, thereby reducing overhead on the leader. Typically, the stale response is `100ms` or less from consistent mode but it drastically improves performance and reduces latency under high load. -If the leader server is out of memory or the disk is full, the server eventually stops responding, loses its election and cannot move past its last commit time. However, by configuring `max_stale` and setting it to a large value, Consul will continue to respond to queries during such outage scenarios. ([max_stale documentation](/consul/docs/agent/config/config-files#max_stale)). +If the leader server is out of memory or the disk is full, the server eventually stops responding, loses its election and cannot move past its last commit time. However, by configuring `max_stale` and setting it to a large value, Consul will continue to respond to queries during such outage scenarios. ([max_stale documentation](/consul/docs/reference/agent#max_stale)). It should be noted that `stale` is not appropriate for coordination where strong consistency is important (i.e. locking or application leader election). For critical cases, the optional `consistent` API query mode is required for true linearizability; the trade off is that this turns a read into a full quorum write so requires more resources and takes longer. @@ -166,7 +166,7 @@ It should be noted that `stale` is not appropriate for coordination where strong Consul's agents use network sockets for communicating with the other nodes (gossip) and with the server agent. In addition, file descriptors are also opened for watch handlers, health checks, and log files. For a **write heavy** cluster, the `ulimit` size must be increased from the default value (`1024`) to prevent the leader from running out of file descriptors. -To prevent any CPU spikes from a misconfigured client, RPC requests to the server should be [rate limited](/consul/docs/agent/config/config-files#limits) +To prevent any CPU spikes from a misconfigured client, RPC requests to the server should be [rate limited](/consul/docs/reference/agent#limits) ~> **NOTE** Rate limiting is configured on the client agent only. @@ -189,8 +189,8 @@ Smearing requests over 30s is sufficient to bring RPC load to a reasonable level in all but the very largest clusters, but the extra CPU load from cryptographic operations could impact the server's normal work. To limit that, Consul since 1.4.1 exposes two ways to limit the impact Certificate signing has on the leader -[`csr_max_per_second`](/consul/docs/agent/config/config-files#ca_csr_max_per_second) and -[`csr_max_concurrent`](/consul/docs/agent/config/config-files#ca_csr_max_concurrent). +[`csr_max_per_second`](/consul/docs/reference/agent#ca_csr_max_per_second) and +[`csr_max_concurrent`](/consul/docs/reference/agent#ca_csr_max_concurrent). By default we set a limit of 50 per second which is reasonable on modest hardware but may be too low and impact rotation times if more than 1500 service diff --git a/website/content/docs/agent/wal-logstore/enable.mdx b/website/content/docs/deploy/server/wal/enable.mdx similarity index 92% rename from website/content/docs/agent/wal-logstore/enable.mdx rename to website/content/docs/deploy/server/wal/enable.mdx index e80315928f2..d250312310d 100644 --- a/website/content/docs/agent/wal-logstore/enable.mdx +++ b/website/content/docs/deploy/server/wal/enable.mdx @@ -23,13 +23,13 @@ The overall process for enabling the WAL LogStore backend for one server consist ## Requirements -- Consul v1.15 or later is required for all servers in the datacenter. Refer to the [standard upgrade procedure](/consul/docs/upgrading/instructions/general-process) and the [1.15 upgrade notes](/consul/docs/upgrading/upgrade-specific#consul-1-15-x) for additional information. +- Consul v1.15 or later is required for all servers in the datacenter. Refer to the [standard upgrade procedure](/consul/docs/upgrade/instructions/general) and the [1.15 upgrade notes](/consul/docs/upgrade/version-specific#consul-1-15-x) for additional information. - A Consul cluster with at least three nodes are required to safely test the WAL backend without downtime. We recommend taking the following additional measures: - Take a snapshot prior to testing. -- Monitor Consul server metrics and logs, and set an alert on specific log events that occur when WAL is enabled. Refer to [Monitor Raft metrics and logs for WAL](/consul/docs/agent/wal-logstore/monitoring) for more information. +- Monitor Consul server metrics and logs, and set an alert on specific log events that occur when WAL is enabled. Refer to [Monitor Raft metrics and logs for WAL](/consul/docs/deploy/server/wal/monitor-raft) for more information. - Enable WAL in a pre-production environment and run it for a several days before enabling it in production. ## Known issues @@ -136,15 +136,15 @@ $ consul operator raft list-peers ## Monitor target server Raft metrics and logs -Refer to [Monitor Raft metrics and logs for WAL](/consul/docs/agent/wal-logstore/monitoring) for details. +Refer to [Monitor Raft metrics and logs for WAL](/consul/docs/deploy/server/wal/monitor-raft) for details. We recommend leaving the cluster in the test configuration for several days or weeks, as long as you observe no errors. An extended test provides more confidence that WAL operates correctly under varied workloads and during routine server restarts. If you observe any errors, end the test immediately and report them. -If you disabled configuration management automation, consider reenabling it during the testing phase to pick up other updates for the host. You must ensure that it does not revert the Consul configuration file and remove the altered backend configuration. One way to do this is add the `raft_logstore` block to a separate file that is not managed by your automation. This file can either be added to the directory if [`-config-dir`](/consul/docs/agent/config/cli-flags#_config_dir) is used or as an additional [`-config-file`](/consul/docs/agent/config/cli-flags#_config_file) argument. +If you disabled configuration management automation, consider reenabling it during the testing phase to pick up other updates for the host. You must ensure that it does not revert the Consul configuration file and remove the altered backend configuration. One way to do this is add the `raft_logstore` block to a separate file that is not managed by your automation. This file can either be added to the directory if [`-config-dir`](/consul/docsreference-cli/agent#_config_dir) is used or as an additional [`-config-file`](/consul/docsreference-cli/agent#_config_file) argument. ## Next steps -- If you observe any verification errors, performance anomalies, or other suspicious behavior from the target server during the test, you should immediately follow [the procedure to revert back to BoltDB](/consul/docs/agent/wal-logstore/revert-to-boltdb). Report failures through GitHub. +- If you observe any verification errors, performance anomalies, or other suspicious behavior from the target server during the test, you should immediately follow [the procedure to revert back to BoltDB](/consul/docs/deploy/server/wal/revert-boltdb). Report failures through GitHub. - If you do not see errors and would like to expand the test further, you can repeat the above procedure on another target server. We suggest waiting after each test expansion and slowly rolling WAL out to other parts of your environment. Once the majority of your servers use WAL, any bugs not yet discovered may result in cluster unavailability. diff --git a/website/content/docs/agent/wal-logstore/index.mdx b/website/content/docs/deploy/server/wal/index.mdx similarity index 90% rename from website/content/docs/agent/wal-logstore/index.mdx rename to website/content/docs/deploy/server/wal/index.mdx index b215db158c8..fb3359767cb 100644 --- a/website/content/docs/agent/wal-logstore/index.mdx +++ b/website/content/docs/deploy/server/wal/index.mdx @@ -7,14 +7,9 @@ description: >- # Experimental WAL LogStore backend overview -This topic provides an overview of the WAL (write-ahead log) LogStore backend. -The WAL backend is an experimental feature. Refer to -[Requirements](/consul/docs/agent/wal-logstore/enable#requirements) for -supported environments and known issues. +This topic provides an overview of the WAL (write-ahead log) LogStore backend. The WAL backend is an experimental feature. Refer to [Requirements](/consul/docs/deploy/server/wal/enable#requirements) for supported environments and known issues. -We do not recommend enabling the WAL backend in production without following -[our guide for safe -testing](/consul/docs/agent/wal-logstore/enable). +We do not recommend enabling the WAL backend in production without following [our guide for safe testing](/consul/docs/deploy/server/wal/enable). ## WAL versus BoltDB @@ -32,7 +27,7 @@ To mitigate risks associated with sudden bursts of log data, Consul tries to lim But the larger the file, the more likely it is to have a large freelist or suddenly form one after a burst of writes. For this reason, the many of Consul's default options associated with snapshots, truncating logs, and keeping the log history aggressively keep BoltDT small rather than using disk IO more efficiently. -Other reliability issues, such as [raft replication capacity issues](/consul/docs/agent/monitor/telemetry#raft-replication-capacity-issues), are much simpler to solve without the performance concerns caused by storing more logs in BoltDB. +Other reliability issues, such as [raft replication capacity issues](/consul/docs/agent/telemetry#raft-replication-capacity-issues), are much simpler to solve without the performance concerns caused by storing more logs in BoltDB. ### WAL approaches storage issues differently @@ -50,4 +45,4 @@ The WAL backend has been tested thoroughly during development: We are aware of how complex and critical disk-persistence is for your data. -We hope that many users at different scales will try WAL in their environments after upgrading to 1.15 or later and report success or failure so that we can confidently replace BoltDB as the default for new clusters in a future release. +We hope that many users at different scales will try WAL in their environments after upgrading to 1.15 or later and report success or failure so that we can confidently replace BoltDB as the default for new clusters in a future release. \ No newline at end of file diff --git a/website/content/docs/agent/wal-logstore/monitoring.mdx b/website/content/docs/deploy/server/wal/monitor-raft.mdx similarity index 90% rename from website/content/docs/agent/wal-logstore/monitoring.mdx rename to website/content/docs/deploy/server/wal/monitor-raft.mdx index f4f81a986d2..721c7bfa04a 100644 --- a/website/content/docs/agent/wal-logstore/monitoring.mdx +++ b/website/content/docs/deploy/server/wal/monitor-raft.mdx @@ -7,7 +7,7 @@ description: >- # Monitor Raft metrics and logs for WAL -This topic describes how to monitor Raft metrics and logs if you are testing the WAL backend. We strongly recommend monitoring the Consul cluster, especially the target server, for evidence that the WAL backend is not functioning correctly. Refer to [Enable the experimental WAL LogStore backend](/consul/docs/agent/wal-logstore/enable) for additional information about the WAL backend. +This topic describes how to monitor Raft metrics and logs if you are testing the WAL backend. We strongly recommend monitoring the Consul cluster, especially the target server, for evidence that the WAL backend is not functioning correctly. Refer to [Enable the experimental WAL LogStore backend](/consul/docs/deploy/server/wal/enable) for additional information about the WAL backend. !> **Upgrade warning:** The WAL LogStore backend is experimental. @@ -39,7 +39,7 @@ The `consul.raft.logstore.verifier.write_checksum_failures` metric increments wh ## Resolve checksum failures -If either type of corruption is detected, complete the instructions for [reverting to BoltDB](/consul/docs/agent/wal-logstore/revert-to-boltdb). If the server already uses BoltDB, the errors likely indicate a latent bug in BoltDB or a bug in the verification code. In both cases, you should follow the revert instructions. +If either type of corruption is detected, complete the instructions for [reverting to BoltDB](/consul/docs/deploy/server/wal/revert-boltdb). If the server already uses BoltDB, the errors likely indicate a latent bug in BoltDB or a bug in the verification code. In both cases, you should follow the revert instructions. Report all verification failures as a [GitHub issue](https://github.com/hashicorp/consul/issues/new?assignees=&labels=&template=bug_report.md&title=WAL:%20Checksum%20Failure). @@ -51,7 +51,7 @@ In your report, include the following: - Any metrics or description of the workload you have. For example, how many raft commits per second. Also include the performance metrics described on this page. -We recommend setting up an alert on Consul server logs containing `verification checksum FAILED` or on the `consul.raft.logstore.verifier.{read|write}_checksum_failures` metrics. The sooner you respond to a corrupt server, the lower the chance of any of the [potential risks](/consul/docs/agent/wal-logstore/enable#risks) causing problems in your cluster. +We recommend setting up an alert on Consul server logs containing `verification checksum FAILED` or on the `consul.raft.logstore.verifier.{read|write}_checksum_failures` metrics. The sooner you respond to a corrupt server, the lower the chance of any of the [potential risks](/consul/docs/deploy/server/wal/enable#risks) causing problems in your cluster. ## Performance metrics diff --git a/website/content/docs/agent/wal-logstore/revert-to-boltdb.mdx b/website/content/docs/deploy/server/wal/revert-boltdb.mdx similarity index 100% rename from website/content/docs/agent/wal-logstore/revert-to-boltdb.mdx rename to website/content/docs/deploy/server/wal/revert-boltdb.mdx diff --git a/website/content/docs/k8s/deployment-configurations/clients-outside-kubernetes.mdx b/website/content/docs/deploy/workload/client/k8s.mdx similarity index 94% rename from website/content/docs/k8s/deployment-configurations/clients-outside-kubernetes.mdx rename to website/content/docs/deploy/workload/client/k8s.mdx index cb57f165269..c32f0a09e49 100644 --- a/website/content/docs/k8s/deployment-configurations/clients-outside-kubernetes.mdx +++ b/website/content/docs/deploy/workload/client/k8s.mdx @@ -1,18 +1,18 @@ --- layout: docs -page_title: Join External Services to Consul on Kubernetes +page_title: Deploy Consul clients outside of Kubernetes description: >- Services running on a virtual machine (VM) can join a Consul datacenter running on Kubernetes. Learn how to configure the Kubernetes installation to accept communication from external services. --- -# Join External Services to Consul on Kubernetes +# Deploy Consul clients outside of Kubernetes Services running on non-Kubernetes nodes can join a Consul cluster running within Kubernetes. ## Auto-join The recommended way to join a cluster running within Kubernetes is to -use the ["k8s" cloud auto-join provider](/consul/docs/install/cloud-auto-join#kubernetes-k8s). +use the ["k8s" cloud auto-join provider](/consul/docs/deploy/server/vm/cloud-auto-join#kubernetes-k8s). The auto-join provider dynamically discovers IP addresses to join using the Kubernetes API. It authenticates with Kubernetes using a standard @@ -21,7 +21,7 @@ as well as self-hosted installations. The token in the `kubeconfig` file needs to have permissions to list pods in the namespace where Consul servers are deployed. -The auto-join string below joins a Consul server agent to a cluster using the [official Helm chart](/consul/docs/k8s/helm): +The auto-join string below joins a Consul server agent to a cluster using the [official Helm chart](/consul/docs/reference/k8s/helm): ```shell-session $ consul agent -retry-join 'provider=k8s label_selector="app=consul,component=server"' @@ -46,7 +46,7 @@ For more information, refer to [Azure AKS CNI](https://docs.microsoft.com/en-us/ [AWS EKS CNI](https://docs.aws.amazon.com/eks/latest/userguide/pod-networking.html) and [GKE VPC-native clusters](https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips). -To join external agents with Consul on Kubernetes deployments installed with default values through the [official Helm chart](/consul/docs/k8s/helm): +To join external agents with Consul on Kubernetes deployments installed with default values through the [official Helm chart](/consul/docs/reference/k8s/helm): 1. Make sure the pod IPs of the servers in Kubernetes are routable from the VM and that the VM can access port 8301 (for gossip) and @@ -88,7 +88,7 @@ To join external agents with Consul on Kubernetes deployments installed with def If your external VMs cannot connect to Kubernetes pod IPs but they can connect to the internal host IPs of the nodes in the Kubernetes cluster, you can join the two by exposing ports on the host IP instead. - 1. Install the [official Helm chart](/consul/docs/k8s/helm) with the following values: + 1. Install the [official Helm chart](/consul/docs/reference/k8s/helm) with the following values: ```yaml client: exposeGossipPorts: true # exposes client gossip ports as hostPorts diff --git a/website/content/docs/deploy/workload/client/vm.mdx b/website/content/docs/deploy/workload/client/vm.mdx new file mode 100644 index 00000000000..6cc47508316 --- /dev/null +++ b/website/content/docs/deploy/workload/client/vm.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Configure client agents on virtual machines +description: >- + Learn how to enable and configure Consul client agents. +--- + +# Configure client agents on virtual machines + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. diff --git a/website/content/docs/deploy/workload/dataplane/ecs.mdx b/website/content/docs/deploy/workload/dataplane/ecs.mdx new file mode 100644 index 00000000000..32b1af1f922 --- /dev/null +++ b/website/content/docs/deploy/workload/dataplane/ecs.mdx @@ -0,0 +1,89 @@ +--- +layout: docs +page_title: Deploy Consul Dataplane on ECS +description: >- + Consul Dataplane removes the need to run a client agent for service discovery and service mesh by leveraging orchestrator functions. +--- + +# Deploy Consul Dataplane on ECS + +This page describes the requirements to set up Consul on ECS deployments to use dataplanes instead of client agents, as well as the process to update existing deployments to use dataplanes instead of agents. + +If you already have a Consul cluster deployed on Kubernetes and +would like to turn on TLS for internal Consul communication, +refer to [Configuring TLS on an Existing Cluster](/consul/docs/k8s/operations/tls-on-existing-cluster). + +## Requirements + +- Dataplanes can connect to Consul servers v1.14.0 and newer. +- Dataplanes on AWS Elastic Container Services (ECS) requires Consul ECS v0.7.0 and newer. + +## Installation + +Refer to the following documentation for Consul on ECS workloads: + +- [Deploy Consul with the Terraform module](/consul/docs/ecs/deploy/terraform) +- [Deploy Consul manually](/consul/ecs/install-manul) + +## Upgrading to Consul Dataplanes + +Since v0.7.0, Consul service mesh on ECS uses [Consul dataplanes](/consul/docs/connect/dataplane), which are lightweight processes for managing Envoy proxies in containerized networks. Refer to the [release notes](/consul/docs/release-notes/consul-ecs/v0_7_x) for additional information about the switch to Consul dataplanes. + +### Requirements + +Before you upgrading to the dataplane-based architecture, you must upgrade your Consul servers to a version compatible with Consul ECS: + +- Consul 1.14.x and later +- Consul dataplane 1.3.x and laterS + +### Deploy the latest version of the ECS controller module + +In an ACL enabled cluster, deploy the latest version of the ECS controller module in `hashicorp/terraform-aws-consul-ecs` along with the older version of the ACL controller. Note that both the controllers should coexist until the upgrade is complete. The new version of the controller only tracks tasks that use dataplanes. + +### Upgrade workloads + +For application tasks, upgrade the individual task definitions to `v0.7.0` or later of the `mesh-task` module. You must upgrade each task one at a time. + +```hcl +module "my_task" { + source = "hashicorp/consul-ecs/aws//modules/mesh-task" + version = "v0.7.0" +} +``` + +For gateway tasks, upgrade the individual task definitions to `v0.7.0` or later of the `gateway-task` module. You must upgrade each task one by one independently. ECS creates new versions of tasks before shutting down the older tasks to support zero downtime deployments. + +```hcl +module "my_task" { + source = "hashicorp/consul-ecs/aws//modules/gateway-task" + version = "v0.7.0" +} +``` + +### Delete previous tasks + +After upgrading all tasks, you can destroy the `acl-controller` containers, which are replaced by the ECS controller. You can manually remove any artifacts related to the old architecture, including Consul clients and ACL controllers, by executing the following commands: + +1. Run `consul acl policy delete` to delete the client policy. You can pass either the ID of the policy or the name of the policy, for example: + + ```shell-session + $ consul acl policy delete -name="consul-ecs-client-policy" + ``` + + Refer to the [`consul acl policy delete`](/consul/commands/acl/policy/delete) documentation for additional information. + +1. Run the `consul acl role delete` command to delete the client role. You can pass either the ID of the role or the name of the role, for example: + + ```shell-session + $ consul acl role delete -name="consul-ecs-client-role" + ``` + + Refer to the [`consul acl role delete`](/consul/commands/acl/role/delete) documentation for additional information. + +1. Run the `consul acl auth-method delete` command and specify the auth method name to delete. + + ```shell-session + $ consul acl auth-method delete -name="iam-ecs-client-token" + ``` + + Refer to the [`consul acl auth-method delete`](/consul/commands/acl/auth-method/delete) documentation for additional information. \ No newline at end of file diff --git a/website/content/docs/deploy/workload/dataplane/k8s.mdx b/website/content/docs/deploy/workload/dataplane/k8s.mdx new file mode 100644 index 00000000000..50998963bdf --- /dev/null +++ b/website/content/docs/deploy/workload/dataplane/k8s.mdx @@ -0,0 +1,79 @@ +--- +layout: docs +page_title: Deploy Consul Dataplane on Kubernetes +description: >- + Consul Dataplane removes the need to run a client agent for service discovery and service mesh by leveraging orchestrator functions. +--- + +# Deploy Consul Dataplane on Kubernetes + +This page describes the requirements to set up Consul on Kubernetes deployments to use dataplanes instead of client agents, as well as the process to update existing deployments to use dataplanes instead of agents. + +If you already have a Consul cluster deployed on Kubernetes and +would like to turn on TLS for internal Consul communication, +refer to [Configuring TLS on an Existing Cluster](/consul/docs/k8s/operations/tls-on-existing-cluster). + +## Requirements + +- Dataplanes can connect to Consul servers v1.14.0 and newer. +- Dataplanes on Kubernetes requires Consul K8s v1.0.0 and newer. +- Consul Dataplane is not supported on Windows. +- Consul Dataplane requires the `NET_BIND_SERVICE` capability. Refer to [Set capabilities for a Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container) in the Kubernetes Documentation for more information. + +## Installation + +To install Consul Dataplane, set `VERSION` to `1.0.0` and then follow the instructions to install a specific version of Consul [with the Helm Chart](/consul/docs/k8s/installation/install#install-consul) or [with the Consul-k8s CLI](/consul/docs/k8s/installation/install-cli#install-a-previous-version). + +### Helm + +```shell-session +$ export VERSION=1.0.0 +$ helm install consul hashicorp/consul --set global.name=consul --version ${VERSION} --create-namespace --namespace consul +``` + +### Consul-k8s CLI + +```shell-session +$ export VERSION=1.0.0 && \ + curl --location "https://releases.hashicorp.com/consul-k8s/${VERSION}/consul-k8s_${VERSION}_darwin_amd64.zip" --output consul-k8s-cli.zip +``` + +## Upgrading to Consul Dataplane + +In earlier versions, Consul on Kubernetes used client agents in its deployments. As of v1.14.0, Consul uses [Consul Dataplane](/consul/docs/connect/dataplane/) in Kubernetes deployments instead of client agents. + +If you upgrade Consul from a version that uses client agents to a version the uses dataplanes, complete the following steps to upgrade your deployment safely and without downtime. + +1. If ACLs are enabled, you must first upgrade to consul-k8s 0.49.8 or above. These versions expose the setting `connectInject.prepareDataplanesUpgrade` + which is required for no-downtime upgrades when ACLs are enabled. + + Set `connectInject.prepareDataplanesUpgrade` to `true` and then perform the upgrade to 0.49.8 or above (whichever is the latest in the 0.49.x series) + + ```yaml filename="values.yaml" + connectInject: + prepareDataplanesUpgrade: true + ``` + +1. Consul dataplanes disables Consul clients by default, but during an upgrade you need to ensure Consul clients continue to run. Edit your Helm chart configuration and set the [`client.enabled`](/consul/docs/k8s/helm#v-client-enabled) field to `true` and specify an action for Consul to take during the upgrade process in the [`client.updateStrategy`](/consul/docs/k8s/helm#v-client-updatestrategy) field: + + ```yaml filename="values.yaml" + client: + enabled: true + updateStrategy: | + type: OnDelete + ``` + +1. Follow our [recommended procedures to upgrade servers](#upgrade-consul-servers) on Kubernetes deployments to upgrade Helm values for the new version of Consul. The latest version of consul-k8s components may be in a CrashLoopBackoff state during the performance of the server upgrade from versions <1.14.x until all Consul servers are on versions >=1.14.x. Components in CrashLoopBackoff will not negatively affect the cluster because older versioned components will still be operating. Once all servers have been fully upgraded, the latest consul-k8s components will automatically restore from CrashLoopBackoff and older component versions will be spun down. + +1. Run `kubectl rollout restart` to restart your service mesh applications. Restarting service mesh application causes Kubernetes to re-inject them with the webhook for dataplanes. + +1. Restart all gateways in your service mesh. + +1. Now that all services and gateways are using Consul dataplanes, disable client agents in your Helm chart by deleting the `client` stanza or setting `client.enabled` to `false` and running a `consul-k8s` or Helm upgrade. + +1. If ACLs are enabled, outdated ACL tokens will persist a result of the upgrade. You can manually delete the tokens to declutter your Consul environment. + + Outdated connect-injector tokens have the following description: `token created via login: {"component":"connect-injector"}`. Do not delete + the tokens that have a description where `pod` is a key, for example `token created via login: {"component":"connect-injector","pod":"default/consul-connect-injector-576b65747c-9547x"}`). The dataplane-enabled connect inject pods use these tokens. + + You can also review the creation date for the tokens and only delete the injector tokens created before your upgrade, but do not delete all old tokens without considering if they are still in use. Some tokens, such as the server tokens, are still necessary. \ No newline at end of file diff --git a/website/content/docs/deploy/workload/index.mdx b/website/content/docs/deploy/workload/index.mdx new file mode 100644 index 00000000000..8d2a9e08110 --- /dev/null +++ b/website/content/docs/deploy/workload/index.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Configure Consul workloads for your data plane +description: >- + Learn how to enable and configure Consul workfloads for your data plane. +--- + +# Configure Consul workloads for your data plane + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/discover/dns/configure.mdx b/website/content/docs/discover/dns/configure.mdx new file mode 100644 index 00000000000..0a3f146f639 --- /dev/null +++ b/website/content/docs/discover/dns/configure.mdx @@ -0,0 +1,77 @@ +--- +layout: docs +page_title: Configure Consul DNS behavior +description: >- + Learn how to modify the default DNS behavior so that services and nodes can easily discover other services and nodes in your network. +--- + +# Configure Consul DNS behavior + +This topic describes the default behavior of the Consul DNS functionality and how to customize how Consul performs queries. + +## Introduction + +@include 'text/descriptions/consul-dns.mdx' + +## Configure DNS behaviors + +By default, the Consul DNS listens for queries at `127.0.0.1:8600` and uses the `consul` domain. Specify the following parameters in the agent configuration to determine DNS behavior when querying services: + +- [`client_addr`](/consul/docs/reference/agent#client_addr) +- [`ports.dns`](/consul/docs/reference/agent#dns_port): By default, Consul does not use port `53`, which is typically reserved for the default port for DNS resolvers, because it requires an escalated privilege to bind to. +- [`recursors`](/consul/docs/reference/agent#recursors) +- [`domain`](/consul/docs/reference/agent#domain) +- [`alt_domain`](/consul/docs/reference/agent#alt_domain) +- [`dns_config`](/consul/docs/reference/agent#dns_config) + +### Configure WAN address translation + +By default, Consul DNS queries return a node's local address, even when being queried from a remote datacenter. You can configure the DNS to reach a node from outside its datacenter by specifying the address in the following configuration fields in the Consul agent: + +- [advertise-wan](/consul/docsreference-cli/agent#_advertise-wan) +- [translate_wan_addrs](/consul/docs/reference/agent#translate_wan_addrs) + +### Use a custom DNS resolver library + +You can specify a list of addresses in the agent's [`recursors`](/consul/docs/reference/agent#recursors) field to provide upstream DNS servers that recursively resolve queries that are outside the service domain for Consul. + +Nodes that query records outside the `consul.` domain resolve to an upstream DNS. You can specify IP addresses or use `go-sockaddr` templates. Consul resolves IP addresses in the specified order and ignores duplicates. + +### Enable non-Consul queries + +You enable non-Consul queries to be resolved by setting Consul as the DNS server for a node and providing a [`recursors`](/consul/docs/reference/agent#recursors) configuration. + +### Forward queries to an agent + +You can forward all queries sent to the `consul.` domain from the existing DNS server to a Consul agent. Refer to [Forward DNS for Consul Service Discovery](/consul/tutorials/networking/dns-forwarding) for instructions. + +### Query an alternate domain + +By default, Consul responds to DNS queries in the `consul` domain, but you can set a specific domain for responding to DNS queries by configuring the [`domain`](/consul/docs/reference/agent#domain) parameter. + +You can also specify an additional domain in the [`alt_domain`](/consul/docs/reference/agent#alt_domain) agent configuration option, which configures Consul to respond to queries in a secondary domain. Configuring an alternate domain may be useful during a DNS migration or to distinguish between internal and external queries, for example. + +Consul's DNS response uses the same domain as the query. + +In the following example, the `alt_domain` parameter in the agent configuration is set to `test-domain`, which enables operators to query the domain: + +```shell-session +$ dig @127.0.0.1 -p 8600 consul.service.test-domain SRV +;; QUESTION SECTION: +;consul.service.test-domain. IN SRV + +;; ANSWER SECTION: +consul.service.test-domain. 0 IN SRV 1 1 8300 machine.node.dc1.test-domain. + +;; ADDITIONAL SECTION: +machine.node.dc1.test-domain. 0 IN A 127.0.0.1 +machine.node.dc1.test-domain. 0 IN TXT "consul-network-segment=" +``` + +#### PTR queries + +Responses to pointer record (PTR) queries, such as `.in-addr.arpa.`, always use the [primary domain](/consul/docs/reference/agent#domain) and not the alternative domain. + +### Caching + +By default, DNS results served by Consul are not cached. Refer to the [DNS Caching tutorial](/consul/tutorials/networking/dns-caching) for instructions on how to enable caching. \ No newline at end of file diff --git a/website/content/docs/services/discovery/dns-overview.mdx b/website/content/docs/discover/dns/index.mdx similarity index 56% rename from website/content/docs/services/discovery/dns-overview.mdx rename to website/content/docs/discover/dns/index.mdx index d961cc884d8..8f9a6be01e2 100644 --- a/website/content/docs/services/discovery/dns-overview.mdx +++ b/website/content/docs/discover/dns/index.mdx @@ -1,27 +1,27 @@ --- layout: docs -page_title: DNS usage overview +page_title: Consul DNS overview description: >- For service discovery use cases, Domain Name Service (DNS) is the main interface to look up, query, and address Consul nodes and services. Learn how a Consul DNS lookup can help you find services by tag, name, namespace, partition, datacenter, or domain. --- -# DNS usage overview +# Consul DNS overview This topic provides overview information about how to look up Consul nodes and services using the Consul DNS. ## Consul DNS -The Consul DNS is the primary interface for discovering services registered in the Consul catalog. The DNS enables you to look up services and nodes registered with Consul using terminal commands instead of making HTTP API requests to Consul. +Consul DNS is the primary interface for querying records when Consul service mesh is disabled and your network runs in a non-Kubernetes environment. Consul DNS lets you look up services and nodes registered with Consul without making HTTP API requests to Consul. We recommend using the DNS for service discovery in virtual machine (VM) environments because it removes the need to modify native applications so that they can consume the Consul service discovery APIs. -The DNS has several default configurations, but you can customize how the server processes lookups. Refer to [Configure DNS Behaviors](/consul/docs/services/discovery/dns-configuration) for additional information. +The DNS has several default configurations, but you can customize how the server processes lookups. Refer to [Configure Consul DNS behavior](/consul/docs/discover/dns/configure) for additional information. ### DNS versus native app integration You can use DNS to reach services registered with Consul or modify your application to natively consume the Consul service discovery HTTP APIs. -We recommend using the DNS because it is less invasive. You do not have to modify your application with Consul to retrieve the service’s connection information. Instead, you can use a DNS fully qualified domain (FQDN) that conforms to Consul's lookup format to retrieve the relevant information. +We recommend using the DNS because it is less invasive. You do not have to modify your application with Consul to retrieve the service's connection information. Instead, you can use a DNS fully qualified domain (FQDN) that conforms to Consul's lookup format to retrieve the relevant information. Refer to [Native App Integration](/consul/docs/connect/native) and its [Go package](/consul/docs/connect/native/go) for additional information. @@ -29,32 +29,18 @@ Refer to [Native App Integration](/consul/docs/connect/native) and its [Go packa If you are using Consul for service discovery and have not enabled service mesh features, then use the DNS to discover services and nodes in the Consul catalog. -If you are using Consul for service mesh on VMs, you can use upstreams or DNS. We recommend using upstreams because you can query services and nodes without modifying the application code or environment variables. Refer to [Upstream Configuration Reference](/consul/docs/connect/proxies/proxy-config-reference#upstream-configuration-reference) for additional information. +If you are using Consul for service mesh on VMs, you can use upstreams or DNS. We recommend using upstreams because you can query services and nodes without modifying the application code or environment variables. Refer to [Upstream Configuration Reference](/consul/docs/reference/proxy/connect-proxy#upstream-configuration-reference) for additional information. -If you are using Consul on Kubernetes, refer to [the upstreams annotation documentation](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) for additional information. - -## Consul DNS on Kubernetes - -Consul on Kubernetes supports approaches to using the Consul DNS in Kubernetes clusters. - -For service discovery operations, refer to [Consul DNS views on Kubernetes](/consul/docs/k8s/dns/views). - -For service mesh operations, refer to [Resolve Consul DNS requests in Kubernetes](/consul/docs/k8s/dns/enable). - -## DNS forwarding - -You can configure your local DNS servers to use Consul. - -Refer to [DNS Forwarding](/consul/docs/services/discovery/dns-forwarding) for additional information. +If you are using Consul on Kubernetes, refer to [the upstreams annotation documentation](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-connect-service-upstreams) for additional information. ## Static queries Node lookups and service lookups are the fundamental types of static queries. Depending on your use case, you may need to use different query methods and syntaxes to query the DNS for services and nodes. -Consul relies on a very specific format for queries to resolve names. Note that all queries are case-sensitive. +Consul relies on a specific format for queries to resolve names. Note that all queries are case-sensitive. -Refer to [Perform Static DNS Lookups](/consul/docs/services/discovery/dns-static-lookups) for details about how to perform node and service lookups. +Refer to [Perform static DNS lookups](/consul/docs/discover/dns/static-lookup) for details about how to perform node and service lookups. ## Prepared queries -Prepared queries are configurations that enable you to register complex DNS queries. They provide lookup features that extend Consul's service discovery capabilities, such as filtering by multiple tags and automatically querying remote datacenters for services if no healthy nodes are available in the local datacenter. You can also create prepared query templates that match names using a prefix match, allowing a single template to apply to potentially many services. Refer to [Enable Dynamic DNS Queries](/consul/docs/services/discovery/dns-dynamic-lookups) for additional information. +Prepared queries are configurations that enable you to register complex DNS queries. They provide lookup features that extend Consul's service discovery capabilities, such as filtering by multiple tags and automatically querying remote datacenters for services if no healthy nodes are available in the local datacenter. You can also create prepared query templates that match names using a prefix match, allowing a single template to apply to potentially many services. Refer to [Perform dynamic DNS queries](/consul/docs/discover/dns/dynamic-lookup) for additional information. diff --git a/website/content/docs/discover/dns/k8s.mdx b/website/content/docs/discover/dns/k8s.mdx new file mode 100644 index 00000000000..2800c554410 --- /dev/null +++ b/website/content/docs/discover/dns/k8s.mdx @@ -0,0 +1,197 @@ +--- +layout: docs +page_title: Resolve Consul DNS requests in Kubernetes +description: >- + Use a k8s ConfigMap to configure KubeDNS or CoreDNS so that you can use Consul's `.service.consul` syntax for queries and other DNS requests. In Kubernetes, this process uses either stub-domain or proxy configuration. +--- + +# Resolve Consul DNS requests in Kubernetes + +This topic describes how to resolve Consul DNS requests in Kubernetes. Before you do so, you need to configure KubeDNS or CoreDNS to interface with Consul. + +## Introduction + +[Consul DNS](/consul/docs/discover/dns) is the primary interface for querying records. You can configure Consul DNS in Kubernetes using: + +1. A [stub-domain configuration](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers) if using KubeDNS +1. A [proxy configuration](https://coredns.io/plugins/forward/) if using CoreDNS + +Once configured, DNS requests in the form `.service.consul` will resolve for services in Consul. This will work from all Kubernetes namespaces. + +If you want resolve requests using `` (without the `.service.consul`), then you need to enable [service sync](/consul/docs/register/service/k8s/service-sync#consul-to-kubernetes). + +## Retrieve Consul DNS cluster IP + +To configure KubeDNS or CoreDNS, you need the `ClusterIP` of the Consul DNS service created by the [Helm chart](/consul/docs/reference/k8s/helm). + +The default name of the Consul DNS service will be `consul-dns`. Use that name to get the `ClusterIP`. For this installation, the `ClusterIP` is `10.35.240.78`. + +```shell-session +$ kubectl get svc consul-dns --output jsonpath='{.spec.clusterIP}' +10.35.240.78% +``` + +If you've installed Consul using a different Helm release name than `consul`, then the DNS service name will be `-consul-dns`. + +Once you have the `ClusterIP`, you can go to the KubeDNS or CoreDNS section that matches your Kubernetes setup. + +## Configure KubeDNS + +If using KubeDNS, you need to create a `ConfigMap` that tells KubeDNS to use Consul DNS to resolve all domains ending with `.consul`. + +First, export the Consul DNS IP as an environment variable. This is the IP address you retrieved in the previous step. + +```bash +$ export CONSUL_DNS_IP=10.35.240.78 +``` + +Then, define the `ConfigMap`. If using a different zone than `.consul`, change the stub domain to that zone. + + + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + addonmanager.kubernetes.io/mode: EnsureExists + name: kube-dns + namespace: kube-system +data: + stubDomains: | + { "consul": ["$CONSUL_DNS_IP"] } +``` + + + +Create the `ConfigMap`. + +```shell-session +$ kubectl apply --filename consul-kubedns-config-map.yaml +``` + +Verify that the `ConfigMap` was created successfully. + +```shell-session +$ kubectl get configmap kube-dns --namespace kube-system --output yaml +apiVersion: v1 +data: + stubDomains: | + {"consul": ["10.35.240.78"]} +kind: ConfigMap +## ... +``` + +The `stubDomain` can only point to a static IP. If the cluster IP of Consul DNS changes, then you must update the `ConfigMap` to match the new service IP. The cluster IP of Consul DNS may change if the service is deleted and recreated, such as in full cluster rebuilds. + +Now, skip ahead to the [Verify DNS](#verify-dns) section. + +## Configure CoreDNS + +If using CoreDNS, you need to update your existing `coredns` ConfigMap in the `kube-system` namespace to include a `forward` definition for `consul` that points to the cluster IP of the Consul DNS service. + +Edit the `coreDNS` `ConfigMap`. + +```shell-session +$ kubectl edit configmap coredns --namespace kube-system +``` + +You need to edit the following items: + +- Add the `consul` block below the default `.:53` block. +- Replace `` with the DNS Service's IP address you retrieved previously. +- If using a different zone than `.consul`, change the key accordingly. + + + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + addonmanager.kubernetes.io/mode: EnsureExists + name: coredns + namespace: kube-system +data: + Corefile: | + .:53 { + ## Existing CoreDNS definition... + } + consul { + errors + cache 30 + forward . + } +``` + + + +The Consul proxy can only point to a static IP. If the cluster IP of Consul DNS changes, then you must update the `ConfigMap` to match the new service IP. The cluster IP of Consul DNS may change if the service is deleted and recreated, such as in full cluster rebuilds. + +## Verify DNS + +To verify DNS works, run the following example job to query DNS. Save the following job to the file `job.yaml`. + + + +```yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: dns +spec: + template: + spec: + containers: + - name: dns + image: anubhavmishra/tiny-tools + command: ['dig', 'consul.service.consul'] + restartPolicy: Never + backoffLimit: 4 +``` + + + +Deploy the example job to your cluster. + +```shell-session +$ kubectl apply --filename job.yaml +``` + +Then, retrieve the pod name of the job. + +```shell-session +$ kubectl get pods --show-all | grep dns +dns-lkgzl 0/1 Completed 0 6m +``` + +Finally, retrieve the logs for the pod. The logs should show a successful DNS query, something similar to the following. If the logs show any errors, then DNS is not configured properly. + +```shell-session +$ kubectl logs dns-lkgzl +; <<>> DiG 9.11.2-P1 <<>> consul.service.consul +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4489 +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 4096 +;; QUESTION SECTION: +;consul.service.consul. IN A + +;; ANSWER SECTION: +consul.service.consul. 0 IN A 10.36.2.23 +consul.service.consul. 0 IN A 10.36.4.12 +consul.service.consul. 0 IN A 10.36.0.11 + +;; ADDITIONAL SECTION: +consul.service.consul. 0 IN TXT "consul-network-segment=" +consul.service.consul. 0 IN TXT "consul-network-segment=" +consul.service.consul. 0 IN TXT "consul-network-segment=" + +;; Query time: 5 msec +;; SERVER: 10.39.240.10#53(10.39.240.10) +;; WHEN: Wed Sep 12 02:12:30 UTC 2018 +;; MSG SIZE rcvd: 206 +``` diff --git a/website/content/docs/discover/index.mdx b/website/content/docs/discover/index.mdx new file mode 100644 index 00000000000..f6d100573dd --- /dev/null +++ b/website/content/docs/discover/index.mdx @@ -0,0 +1,38 @@ +--- +layout: docs +page_title: Discover services overview +description: >- + This topic provides an overview of the service discovery features and operations enabled by Consul DNS, including application load balancing, static lookups, and prepared queries. +--- + +# Discover services overview + +This topic provides an overview of Consul service discovery operations. After you register services with Consul, you can address them using Consul DNS to perform application load balancing and static service lookups. You can also create prepared queries for dynamic service lookups and service failover. + +If you run Consul on Kubernetes or AWS ECS and prefer to use your runtime's built-in service discovery alongside Consul's service mesh features, refer to [onboard services in transparent proxy mode](/consul/docs/connect/proxy/transparent-proxy). + +## Introduction + +When a service registers with Consul, the catalog records the address of each service's node. Consul then updates an instance's catalog entry with the results of each health check it performs. Consul agents replicate catalog information between each other using the [Raft consensus protocol](/consul/docs/architecture/consensus), enabling high availability service networking through any Consul agent. + +Consul's service discovery operations use [Consul DNS addresses](consul/docs/discover/dns) to route traffic to healthy service instances and return information about service nodes registered to Consul. + +## Application load balancing + +@include 'text/descriptions/load-balancer.mdx' + +## Static lookups + +@include 'text/descriptions/static-query.mdx' + +## Prepared queries + +@include 'text/descriptions/prepared-query.mdx' + +## Guidance + +@include 'text/guidance/discover.mdx' + +## Constraints, limitations, and troubleshooting + +@include 'text/limitations/discover.mdx' \ No newline at end of file diff --git a/website/content/docs/discover/k8s.mdx b/website/content/docs/discover/k8s.mdx new file mode 100644 index 00000000000..0bcb22cbc05 --- /dev/null +++ b/website/content/docs/discover/k8s.mdx @@ -0,0 +1,59 @@ +--- +layout: docs +page_title: Discover services with Consul on Kubernetes +description: >- + This topic provides an overview of the service discovery features and operations Consul supports when running on Kubernetes. +--- + +# Discover services with Consul on Kubernetes + +This topic provides an overview of Consul service discovery operations when running on Kubernetes. + +You can use KubeDNS to perform service discovery operations by default. If you use Consul's service mesh features and prefer to use KubeDNS, refer to [onboard services in transparent proxy mode](/consul/docs/connect/proxy/transparent-proxy). + +## Introduction + +Kubernetes deployments support Consul's service discovery features. When running Consul on Kubernetes, you can adopt either of the following service discovery strategies: + +- [Configure Kubernetes to use Consul DNS](/consul/docs/discover/dns/k8s) +- Use KubeDNS to resolve DNS addresses and manage service discovery in your employment + +You can also use the `kubectl exec` command to connect directly to a Consul container and interact with Consul's service discovery features. + +If you use KubeDNS with Consul's service mesh enabled, you must also configure [transparent proxy mode](/consul/docs/connect/proxy/transparent-proxy) to enable permissive mTLS between services. + +## Application load balancing + +@include 'text/descriptions/load-balancer.mdx' + +## Static lookups + +@include 'text/descriptions/static-query.mdx' + +## Prepared queries + +@include 'text/descriptions/prepared-query.mdx' + +## Tutorials + +To get started with Consul's service discovery features on Kubernetes, refer to the following tutorials: + +- [Forward DNS for Consul service discovery](/consul/tutorials/networking/dns-forwarding) +- [Integrate Consul with Ambassador Edge Stack on Kubernetes](/consul/tutorials/developer-mesh/service-mesh-gateway-ambassador) + +## Runtime specific usage documentation + +For runtime-specific guidance, refer to the following pages: + +- [Resolve Consul DNS requests in Kubernetes](/consul/docs/discover/dns/k8s) + +## Reference documentation + +For reference material related to Consul's service discovery functions on Kubernetes, refer to the following pages: + +- [Consul DNS reference](/consul/docs/reference/dns) +- [Consul on Kubernetes annotations and labels reference](/consul/docs/reference/k8s/annotation-label) + +## Constraints, limitations, and troubleshooting + +@include 'text/limitations/discover.mdx' \ No newline at end of file diff --git a/website/content/docs/discover/load-balancer/envoy.mdx b/website/content/docs/discover/load-balancer/envoy.mdx new file mode 100644 index 00000000000..70e4de47fc7 --- /dev/null +++ b/website/content/docs/discover/load-balancer/envoy.mdx @@ -0,0 +1,353 @@ +--- +layout: docs +page_title: Load balancing services in Consul service mesh with Envoy +description: >- + Manage traffic across services within Consul service mesh with Envoy load balancing policies. +--- + +# Load balancing services in Consul service mesh with Envoy + +Load balancing is a mechanism of distributing traffic between multiple targets in order to make use of available resources in the most effective way. There are many different ways of accomplishing this, so Envoy provides several different load balancing strategies. To take advantage of this Envoy functionality, Consul supports changing the load balancing policy used by the Envoy data plane proxy. Consul configuration entries specify the desired load balancing algorithm. + +Load balancing policies apply to both requests from internal services inside the service mesh, and requests from external clients accessing services in your datacenter through an ingress gateway. + +The policies will be defined using a [`service-resolver`](/consul/docs/connect/config-entries/service-resolver) configuration entry. + +This tutorial will guide you through the steps needed to change the load balancing policy for a service in your mesh. You will learn how to configure sticky session for services using the _maglev_ policy and how to setup a _least_request_ policy that will take into account the amount of requests on service instances for load balancing traffic. + +## Prerequisites + +In order to deploy and test Consul load balancing policies for Envoy proxies, you will need the following resources deployed in a non-production environment: + +- A Consul version 1.13.1 cluster or later with Consul service mesh functionality enabled. Check [Secure Service-to-Service Communication](/consul/tutorials/developer-mesh/service-mesh-with-envoy-proxy) for configuration guidance. In this tutorial, this will be referred to as the _server_ node. + +- Two nodes, each hosting an instance of a service, called _backend_ that requires load balancing policy tuning. + +- One node, hosting a client service, you are going to use to route requests to the backend services. The client service is configured to use the _backend_ service as upstream. In this tutorial we will refer to this as the _client_ node. + +Optional: + +- One node running as ingress gateway. + + + + The content of this tutorial also applies to Consul clusters hosted on HashiCorp Cloud (HCP). + + + +The diagram below shows the minimal architecture needed to demonstrate the functionality. + +![Architectural diagram showing two backend services and a client service within a Consul service mesh](/img/consul/consul-lb-envoy-client-service.png) + + + + + + This tutorial is not for production use. By default, the lab will install an insecure configuration of Consul. + + + +## Available load balancing policies + +Consul implements load balancing by automating Envoy configuration to reflect the selected approach. + +The following policies are available: + +| Policy | Description | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `round_robin` _(default)_ | The request will be resolved to any healthy service, in a round robin order. | +| `least_request` | An _O(1)_ algorithm selects N random available hosts as specified in the configuration (2 by default) and picks the host which has the fewest active requests. | +| `ring_hash` | Implements consistent hashing to upstream hosts. Each host is mapped onto a circle (the “ring”) by hashing its address; each request is then routed to a host by hashing properties of the request, and finding the nearest corresponding host clockwise around the ring. | +| `maglev` | Implements consistent hashing to upstream hosts. It can be used as a replacement for the ring_hash load balancer in any place in which consistent hashing is desired. | +| `random` | The request will be resolved to any healthy service, randomly. | + + + + These policies are a reflection of the Envoy [supported load balancers](https://www.envoyproxy.io/docs/envoy/v1.23.0/intro/arch_overview/upstream/load_balancing/load_balancers). Refer to [Envoy supported versions](/consul/docs/connect/proxies/envoy#supported-versions) in the documentation to make sure your Envoy version is compatible with your Consul version. + + + +## Default load balancing policy + +Consul automatically balances traffic across all the healthy instances of the resolved service using the _round_robin_ policy. + +You can verify this by using the `curl` command from the node running the _client_ service. + +First login to the _client_ node, then run a request against the client service. + +```shell-session +$ curl --silent localhost:9192 +``` + +Example output: + +```json +{ + "name": "main", + "uri": "/", + "type": "HTTP", + "ip_addresses": ["172.18.0.4"], + "start_time": "2020-10-01T16:15:54.151406", + "end_time": "2020-10-01T16:15:54.151885", + "duration": "478.867µs", + "body": "Hello World", + "code": 200 +} +``` + +If you run the command multiple times you will be able to confirm, using the output, that the requests are being balanced across the two different instances of the service. + +## Configure service defaults + +In order to enable service resolution and apply load balancer policies, you first need to configure HTTP as the service protocol in the service's `service-defaults` configuration entry. + +First, login to the _server_ node, then create a `default.hcl` file with the following content: + + + + +```hcl +Kind = "service-defaults" +Name = "backend" +Protocol = "http" +``` + + + + +Then, apply the configuration to your Consul datacenter. + +```shell-session +$ consul config write /etc/consul.d/default.hcl +``` + +Example output: + +```plaintext hideClipboard +Config entry written: service-defaults/backend +``` + +## Configure a sticky session for service resolution + +A common requirement for many applications is to have the ability to direct all the requests from a specific client to the same server. These configurations usually rely on an HTTP header to map client requests to a specific backend and route the traffic accordingly. + +For this tutorial you will configure a policy using the `x-user-id` header to implement sticky session. + +First login to the _server_ node and create a `hash-resolver.hcl` file using the following content: + + + + +```hcl +Kind = "service-resolver" +Name = "backend" +LoadBalancer = { + Policy = "maglev" + HashPolicies = [ + { + Field = "header" + FieldValue = "x-user-id" + } + ] +} +``` + + + + +This configuration creates a `service-resolver` configuration for the service `backend` that uses the `maglev` policy and relies on the content of the `x-user-id` header to resolve requests. + +You can apply the policy using the `consul config` command. + +```shell-session +$ consul config write /etc/consul.d/hash-resolver.hcl +``` + +Example output: + +```plaintext hideClipboard +Config entry written: service-resolver/backend +``` + +### Verify the policy is applied + +Once the policy is in place, you can test it using the `curl` command from the _client_ node and applying the `x-user-id` header to the request: + +```shell-session +$ curl --silent localhost:9192 --header "x-user-id: 12345" +``` + +Example output: + +```json +{ + "name": "main", + "uri": "/", + "type": "HTTP", + "ip_addresses": ["172.18.0.4"], + "start_time": "2020-10-01T16:15:47.950151", + "end_time": "2020-10-01T16:15:47.950581", + "duration": "430.088µs", + "body": "Hello World", + "code": 200 +} +``` + +If you execute the previous command multiple times, you will always be redirected to the same instance of the _backend_ service. + + + + sticky sessions are consistent given a stable service configuration. If the number of backend hosts changes, a fraction of the sessions will be routed to a new host after the change. + + + +## Use least_request LB policy + +The default load balancing policy, _round_robin_, is usually the best approach in scenarios where requests are homogeneous and the system is over-provisioned. + +In scenarios where the different instances might be subject to substantial differences in terms of workload, there are better approaches. + +Using the _least_request_ policy enables Consul to route requests using information on connection-level metrics and select the one with the lowest number of connections. + +### Configure least_request load balancing policy + +The tutorial's lab environment provides an example configuration file, `least-req-resolver.hcl` for the _least_request_ policy. + + + + +```hcl +Kind = "service-resolver" +Name = "backend" +LoadBalancer = { + Policy = "least_request" + LeastRequestConfig = { + ChoiceCount = "2" + } +} +``` + + + + +This configuration creates a `service-resolver` configuration for the service `backend`, which for every request will select 2 (as expressed by `ChoiceCount`) random instances of the service, and route to the one with the least amount of load. + +You can apply the policy using the `consul config` command. + +```shell-session +$ consul config write least-req-resolver.hcl +``` + +Example output: + +```plaintext hideClipboard +Config entry written: service-resolver/backend +``` + +### Verify the policy is applied + +Once the policy is in place, you can test it using the `curl` command and applying the `x-user-id` header to the request. +First, log in to the _client_ node and then use the following command: + +```shell-session +$ curl --silent localhost:9192 --header "x-user-id: 12345" +``` + +Example output: + +```json +{ + "name": "main", + "uri": "/", + "type": "HTTP", + "ip_addresses": ["172.18.0.4"], + "start_time": "2020-10-01T16:25:47.950151", + "end_time": "2020-10-01T16:25:47.950581", + "duration": "420.066µs", + "body": "Hello World", + "code": 200 +} +``` + +If you execute the command multiple times, you will notice that despite applying the header used by the previous policy, the request is served by different instances of the service. + +-> The _least_request_ configuration with `ChoiceCount` set to 2 is also known as P2C (power of two choices). The P2C load balancer has the property that a host with the highest number of active requests in the cluster will never receive new requests. It will be allowed to drain until it is less than or equal to all of the other hosts. You can read more on this in [this paper](https://www.eecs.harvard.edu/~michaelm/postscripts/handbook2001.pdf) + +## Load balancer policies and ingress gateways (optional) + +The load balancing policy for the datacenter applies also to the service resolution performed by ingress gateways. Once you have configured the policies for the services and tested it internally using the client service, you can introduce an ingress gateway in your configuration, and the same policies will be now respected by external requests being served by your Consul datacenter. + +Consul reduces the amount of configuration needed for specifying load balancing policies by using a common policy to resolve internal requests from services inside the mesh, and external requests from clients outside the mesh. + +![Architectural diagram showing two backend services and a client service accessing the Consul service mesh using an ingress gateway](/img/consul/consul-lb-envoy-ingress-gw.png) + +You can deploy an ingress gateway using the following configuration: + + + + +```hcl +Kind = "ingress-gateway" +Name = "ingress-service" + +Listeners = [ + { + Port = 8080 + Protocol = "http" + Services = [ + { + Name = "backend" + } + ] + } +] +``` + + + + +Once the configuration is applied, using command `consul config write` you can start the gateway on the gateway node using the following command: + +```shell-session +$ consul connect envoy -gateway=ingress -register -service ingress-service -address '{{ GetInterfaceIP "eth0" }}:8888' +``` + +Once the Envoy proxy is active, you can test the load balancing policy accessing the service from your browser using the ingress gateway at `http://backend.ingress.consul:8080`, and test the policy by refreshing the page. + +Alternatively, you can test it using the `curl` command as explained in the previous chapters but using the DNS name and port `8080`. + +```shell-session +$ curl --silent backend.ingress.consul:8080 +``` + +Example output: + +```json +{ + "name": "main", + "uri": "/", + "type": "HTTP", + "ip_addresses": ["172.18.0.4"], + "start_time": "2020-10-01T18:15:27.650151", + "end_time": "2020-10-01T18:15:27.650581", + "duration": "420.066µs", + "body": "Hello World", + "code": 200 +} +``` + +-> Configuration Info: When using an `http` listener in the ingress gateway configuration, Consul will accept requests to the ingress gateway service only if the hostname matches with the internal naming convention `.ingress.*`. If you need the service to be accessible using a different hostname or an IP, please refer to the ingress gateway [configuration entry](/consul/docs/connect/config-entries/ingress-gateway#hosts) documentation. + + + + Try to configure the load balancing policy with a sticky session, and then use `curl` to verify the sticky session is configured for the traffic routed from the ingress gateway. + + + +## Next steps + +In this tutorial, you learned how to change the default load balancing policy for services in your service mesh. + +You can learn more about the other options for traffic splitting available in Consul from our [Deploy seamless canary deployments with service splitters](/consul/tutorials/developer-mesh/service-splitters-canary-deployment) tutorial. + +If you want to learn more on how to deploy an ingress gateway for your Consul service mesh, you can complete the [Allow External Traffic Inside Your Service Mesh With Ingress Gateways](/consul/tutorials/developer-mesh/service-mesh-ingress-gateways) tutorial. diff --git a/website/content/docs/discover/load-balancer/f5.mdx b/website/content/docs/discover/load-balancer/f5.mdx new file mode 100644 index 00000000000..9bead452206 --- /dev/null +++ b/website/content/docs/discover/load-balancer/f5.mdx @@ -0,0 +1,400 @@ +--- +layout: docs +page_title: Load balancing with F5 +description: >- + Use Consul to configure F5 BIG-IP nodes and server pools based on changes in Consul service discovery. +--- + +# Load balancing with F5 + +The F5 BIG-IP AS3 service discovery integration with Consul queries Consul's +catalog on a regular, configurable basis to get updates about changes for a +given service, and adjusts the node pools dynamically without operator +intervention. + +In this tutorial you will use Consul to configure F5 BIG-IP nodes and server pools. +You will set up a basic F5 BIG-IP AS3 declaration that generates the F5 load +balancer backend-server-pool configuration based on the available service +instances registered in Consul's service catalog. + +## Prerequisites + +To complete this tutorial, you will need previous experience with F5 BIG-IP and +Consul. You can either manually deploy the necessary infrastructure, or use the +terraform demo code. + +### Watch the video - Optional + +Consul's integration with F5 was demonstrated in a webinar. If you would prefer +to learn about the integration but aren't ready to try it out, you can watch the +webinar recording to see the integration in action. + +### Manually deploy your infrastructure + +You should configure the following infrastructure. + +- A single Consul datacenter with server and client nodes, and the configuration + directory for Consul agents at `/etc/consul.d/`. + +- A running instance of the F5 BIG-IP platform. If you don’t already have one + you can use a [hosted AWS + instance](https://aws.amazon.com/marketplace/pp/B079C44MFH) for this tutorial. + +- The AS3 package version 3.7.0 + [installed](https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/installation.html) + on your F5 BIG-IP platform. + +- Standard web server running on a node, listening on HTTP port 80. We will use + NGINX in this tutorial. + +**Note** The content of this tutorial also applies to Consul clusters hosted on HashiCorp Cloud (HCP) + +### Deploy a demo using Terraform - Optional + +You can set up the prerequisites on your own, or use the terraform +configuration in [this +repository](https://github.com/hashicorp/f5-terraform-consul-sd-webinar) to set +up the entire tutorial environment. + +Once your environment is set up, you'll be able to visit the F5 GUI at +`:8443/tmui/login.jsp` where `` is the address provided in your +Terraform output. Login with the username `admin` and the password from your +Terraform output. + +### Verify your environment + +Check your environment to ensure you have a healthy Consul datacenter by +checking your datacenter members. You can do this by running the `consul members` command on the machine where Consul is running, or by accessing the +Consul web UI at the IP address of your consul instances, on port 8500. + +If you deployed your infrastructure using the provided terraform you can SSH to +the machine running consul using the key you will find in the terraform +directory. For example `ssh ubuntu@ -i terraform-20190917053444504900000001.pem`. Remember to replace `` +with the address of your Consul node. + +```shell-session +$ consul members +``` + +```plaintext hideClipboard +Node Address Status Type Build Protocol DC Segment +consul 10.0.0.100:8301 alive server 1.5.3 2 dc1 +nginx 10.0.0.109:8301 alive client 1.5.3 2 dc1 +``` + +In this sample environment we have one Consul server node and one web server +node with a Consul client. + +## Register a web service + +To register the web service on your client node with Consul, create a +service definition in Consul's config directory `/etc/consul.d/` and +paste in the following configuration, which includes a tcp +check for the web server so that Consul can monitor its health. (you many need +to change directory permissions using `chmod` before writing the file). + + + + + +```hcl +service { + name = "nginx" + port = 80 + checks = [ + { + id = "nginx" + name = "nginx TCP Check" + tcp = "localhost:80" + interval = "5s" + timeout = "1s" + } + ] +} +``` + + + + + +```json +{ + "service": { + "name": "nginx", + "port": 80, + "checks": [ + { + "id": "nginx", + "name": "nginx TCP Check", + "tcp": "localhost:80", + "interval": "5s", + "timeout": "1s" + } + ] + } +} +``` + + + + + +Reload the client to read the new service definition. + +```shell-session +$ consul reload +``` + +In a browser window, visit the services page of the Consul web UI at +`:8500/ui/dc1/services/nginx`. Remember to add your own node IP +address. + +![Consul UI with NGINX registered](/img/consul-f5-nginx.png 'Consul web +UI with a healthy NGINX service') + +You should notice your instance of the nginx service listed and healthy. + +## Apply an AS3 declaration + +Next, you will configure BIG-IP to use Consul Service discovery with an AS3 +declaration. You will use cURL to apply the declaration to the BIG-IP Instance. + +First construct an authorization header to authenticate our API call with +BIG-IP. You will need to use a username and password for your instance. Below is +an example for username “admin”, and password “password”. + +```shell-session +$ echo -n 'admin:password' | base64 +``` + +```plaintext hideClipboard +YWRtaW46YWRtaW4= +``` + +The below declaration does the following: + +- Creates a partition (tenant) named `Consul_SD`. + +- Defines a virtual server named `serviceMain` in `Consul_SD` partition with: + + - A pool named web_pool monitored by the http health monitor. + + - NGINX Pool members auto-discovered via Consul's [catalog HTTP API + endpoint](/consul/api-docs/catalog#list-nodes-for-service). + For the `virtualAddresses` make sure to substitute your BIG-IP Virtual + Server. + + - A URI specific to your Consul environment for the scheme, host, and port of + your consul address discovery. This could be a single server, load balanced + endpoint, or co-located agent, depending on your requirements. Make sure to + replace the `uri` in your configuration with the IP of your Consul client. + +Use cURL to send the authorized declaration to the BIG-IP Instance. It may +be useful to edit the below command in a text editor before pasting it into the +terminal. + +- Replace `` with the value you created above for + your BIG-IP instance in the authorization header. + +- Replace `` with the real IP address. + +- Replace `` with BIG-IP's virtual IP. + +- Replace `` with Consul's IP address. + +```shell-session +$ curl -X POST \ + https:///mgmt/shared/appsvcs/declare \ + -H 'authorization: Basic ' \ + -d '{ + "class": "ADC", + "schemaVersion": "3.7.0", + "id": "Consul_SD", + "controls": { + "class": "Controls", + "trace": true, + "logLevel": "debug" + }, + "Consul_SD": { + "class": "Tenant", + "Nginx": { + "class": "Application", + "template": "http", + "serviceMain": { + "class": "Service_HTTP", + "virtualPort": 8080, + "virtualAddresses": [ + "" + ], + "pool": "web_pool" + }, + "web_pool": { + "class": "Pool", + "monitors": [ + "http" + ], + "members": [ + { + "servicePort": 80, + "addressDiscovery": "consul", + "updateInterval": 5, + "uri": "http://:8500/v1/catalog/service/nginx" + } + ] + } + } + } +}' +``` + +You should get a similar output to the following after you’ve applied your +declaration. + +```json hideClipboard +{ + "results": [ + { + "message": "success", + "lineCount": 26, + "code": 200, + "host": "localhost", + "tenant": "Consul_SD", + "runTime": 3939 + } + ], + "declaration": { + "class": "ADC", + "schemaVersion": "3.7.0", + "id": "Consul_SD", + "controls": { + "class": "Controls", + "trace": true, + "logLevel": "debug", + "archiveTimestamp": "2019-09-06T03:12:06.641Z" + }, + "Consul_SD": { + "class": "Tenant", + "Nginx": { + "class": "Application", + "template": "http", + "serviceMain": { + "class": "Service_HTTP", + "virtualPort": 8080, + "virtualAddresses": ["10.0.0.200"], + "pool": "web_pool" + }, + "web_pool": { + "class": "Pool", + "monitors": ["http"], + "members": [ + { + "servicePort": 80, + "addressDiscovery": "consul", + "updateInterval": 5, + "uri": "http://10.0.0.100:8500/v1/catalog/service/nginx" + } + ] + } + } + }, + "updateMode": "selective" + } +} +``` + +You can find more information on Consul SD declarations in [F5’s Consul service +discovery +documentation](https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/declarations/discovery.html#service-discovery-using-hashicorp-consul) + +You can read more about composing AS3 declarations in the [F5 +documentation](https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/composing-a-declaration.html). +The Terraform provider for BIG-IP [also supports AS3 +resources](https://registry.terraform.io/providers/F5Networks/bigip/latest/docs/resources/bigip_as3.html). + +## Verify BIG-IP Consul communication + +Use the `consul monitor` command on the Consul client specified in the AS3 URI +to verify that you are receiving catalog requests from the BIG-IP instance. + +```shell-session +$ consul monitor -log-level=debug +``` + +```log hideClipboard +[DEBUG] http: Request GET /v1/catalog/service/nginx (103.796µs) from=10.0.0.200:29487 +[DEBUG] http: Request GET /v1/catalog/service/nginx (104.95µs) from=10.0.0.200:42079 +[DEBUG] http: Request GET /v1/catalog/service/nginx (98.652µs) from=10.0.0.200:45536 +[DEBUG] http: Request GET /v1/catalog/service/nginx (101.242µs) from=10.0.0.200:45940 +``` + +Check that the interval matches the value you supplied in your AS3 declaration. + +## Verify the BIG-IP dynamic pool + +Check the network map of the BIG-IP instance to make sure that the NGINX +instances registered in Consul are also in your BIG-IP dynamic pool. + +To check the network map, open a browser window and navigate to +`https:///tmui/tmui/locallb/network_map/app/?xui=false#!/?p=Consul_SD`. +Remember to replace the IP address. + +![NGINX instances in BIG-IP](/img/consul-f5-partition.png 'NGINX +instances listed in the BIG-IP web graphical user interface') + +You can read more about the network map in the [F5 +documentation](https://support.f5.com/csp/article/K20448153#accessing%20map). + +## Test the BIG-IP virtual server + +Now that you have a healthy virtual service, you can use it to access your NGINX +web server. + +```shell-session +$ curl :8080 +``` + +```html + + + + Welcome to nginx! + + + +

Welcome to nginx!

+

+ If you see this page, the nginx web server is successfully installed and + working. Further configuration is required. +

+ +

+ For online documentation and support please refer to + nginx.org.
+ Commercial support is available at + nginx.com. +

+ +

Thank you for using nginx.

+ + +``` + +## Next steps + +The F5 BIG-IP AS3 service discovery integration with Consul queries Consul's +catalog on a regular, configurable basis to get updates about changes for a +given service, and adjusts the node pools dynamically without operator +intervention. + +In this tutorial you configured an F5 BIG-IP instance to natively integrate with +Consul for service discovery. You were able to monitor dynamic node registration +for a web server pool member and test it with a virtual server. + +As a follow up, you can add or remove web server nodes registered with Consul +and validate that the network map on the F5 BIG-IP updates automatically. diff --git a/website/content/docs/discover/load-balancer/index.mdx b/website/content/docs/discover/load-balancer/index.mdx new file mode 100644 index 00000000000..d2825da5672 --- /dev/null +++ b/website/content/docs/discover/load-balancer/index.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Application load balancing +description: >- + Learn how to use standard Consul DNS addresses to load balance requests between services to healthy instances. +--- + +# Application load balancing + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. diff --git a/website/content/docs/discover/load-balancer/nginx.mdx b/website/content/docs/discover/load-balancer/nginx.mdx new file mode 100644 index 00000000000..cfcbc0a4b80 --- /dev/null +++ b/website/content/docs/discover/load-balancer/nginx.mdx @@ -0,0 +1,416 @@ +--- +layout: docs +page_title: Load Balancing with NGINX and Consul Template +description: >- + Use Consul template to update NGINX load balancer configurations based on changes in Consul service discovery. +--- + +# Load Balancing with NGINX and Consul Template + +This tutorial describes how to use Consul and Consul template to automatically +update an NGINX configuration file with the latest list of backend servers using +Consul's service discovery. + +While following this tutorial you will: + +- Register an example service with Consul +- Configure Consul template +- Create an NGINX load balancer configuration template +- Run Consul template +- Scale your servers +- Test Consul's health checks + +Once you have completed this tutorial you will end up with an architecture like the +one diagramed below. NGINX will get a list of healthy servers from Consul +service discovery via Consul template and will balance internet traffic to those +servers according to its own configuration. + +![NGINX and Consul template architecture](/img/consul-nginx-template-arch.png 'Consul template gets healthy services from Consul service discovery and uses them to populate NGINX configuration') + +## Prerequisites + +To complete this tutorial you will need: + +- A Consul cluster. We recommend three Consul server nodes + +- A minimum of two application servers registered to Consul service discovery + with a Consul client agent running on the node (We assume a standard web + server listening on HTTP port 80 in the following examples) + +- A node running NGINX + +- A Consul client agent on the NGINX node + +- [Consul-template](https://github.com/hashicorp/consul-template#installation) + on the NGINX node to keep the NGINX configuration file updated + + + + The content of this tutorial also applies to Consul clusters hosted on HashiCorp Cloud (HCP). + + + +## Register your web servers to Consul + +If you haven't already registered your web servers in Consul Service Registry +create a service definition for your web service in Consul's configuration +directory `/etc/consul.d/`. + +Create a service registration file for the `web` service with the following content. + + + + + +```hcl +service { + name = "web" + port = 80 + check { + args = ["curl", "localhost"] + interval = "3s" + } +} +``` + + + + + +```json +{ + "service": { + "Name": "web", + "Port": 80, + "check": { + "args": ["curl", "localhost"], + "interval": "3s" + } + } +} +``` + + + + + +-> Since this service definition contains a basic "curl" health check for a web +server, `enable_local_script_checks` must be set to `true` in the configuration +of the Consul agent where the web server is running. + +Reload the local Consul agent to read the new service definition. + +```shell-session +$ consul reload +``` + +After registering the service it will appear in Consul's Service Registry. + +![Healthy web service](/img/consul-nginx-template-web.png 'The Consul UI displaying a healthy web service') + +After repeating the registration step for all your web server instances, all +instances will appear in the instances view of the "web" service. + +## Configure Consul template + +A Consul template configuration file will specify which input template to use, +which output file to generate, and which command will reload Consul template's +target application (NGINX in this tutorial) with its new configuration. + +Create a configuration file called `consul-template-config.hcl` with the +following content. + + + +```hcl +consul { + address = "localhost:8500" + + retry { + enabled = true + attempts = 12 + backoff = "250ms" + } +} +template { + source = "/etc/nginx/conf.d/load-balancer.conf.ctmpl" + destination = "/etc/nginx/conf.d/load-balancer.conf" + perms = 0600 + command = "service nginx reload" +} +``` + + + +The `consul` stanza tells consul-template, where to find the Consul API, which +is located on localhost, as we are running a Consul client agent on the same +node as our NGINX instance. + +The `template` stanza tells Consul template: + +- Where the `source` (input) template file will be located, in this case + `/etc/nginx/conf.d/load-balancer.conf.ctmpl` + +- Where the destination (output) file should be located, in this case + `/etc/nginx/conf.d/load-balancer.conf`. (This is a default path that NGINX uses + to read its configuration. You will either use it or `/usr/local/nginx/conf/` + depending on your NGINX distribution.) + +- Which `permissions` the destination file needs + +- Which command to run after rendering the destination file. In this case, + `service nginx reload` will trigger NGINX to reload its configuration + +For all available configuration options for Consul template, please see the +[GitHub repo](https://github.com/hashicorp/consul-template). + +## Create an input template + +Now you will create the basic NGINX Load Balancer configuration template which +Consul template will use to render the final `load-balancer.conf` for your NGINX +load balancer instance. + +Create a template file called `load-balancer.conf.ctmpl` in the location you +specified as a `source` (in this example, `/etc/nginx/conf.d/`) with the +following content: + + + +```go +upstream backend { +{{- range service "web" }} + server {{ .Address }}:{{ .Port }}; +{{- end }} +} + +server { + listen 80; + + location / { + proxy_pass http://backend; + } +} +``` + + + +Instead of explicitly putting your backend server IP addresses directly in the +load balancer configuration file, you will use Consul template's templating +language to specify some variables in this file, which will automatically fetch +the final values from Consul's Service Registry and render the final load +balancer configuration file. + +Specifically, the below snippet from the above template file tells Consul +template to query Consul's Service Registry for all healthy nodes of the "web" +service in the current data center, and put the IP addresses and service ports +of those endpoints in the generated output configuration file. + +```go +{{- range service "web" }} + server {{ .Address }}:{{ .Port }}; +{{- end }} +``` + +For all available options on how to build template files for use with +Consul template, please see the [GitHub +repo](https://github.com/hashicorp/consul-template). + +### Clean up NGINX default sites config + +To make sure your NGINX instance will act as a load balancer and not as a web +server delete the following file if it exists. + +```nginx +/etc/nginx/sites-enabled/default +``` + +Then reload the NGINX service. + +```shell-session +$ service nginx reload +``` + +Now your NGINX load balancer should not have any configuration and you should +not see a web page when browsing to your NGINX IP address. + +## Run Consul template + +Start Consul template with the earlier generated configuration file. + +```shell-session +$ consul-template -config=consul-template-config.hcl +``` + +This will start Consul template running in the foreground until you stop the +process. It will automatically connect to Consul's API, render the NGINX +configuration for you and reload the NGINX service. + +Your NGINX load balancer should now serve traffic and perform simple round-robin +load balancing amongst all of your registered and healthy "web" server +instances. + +The resulting load balancer configuration located at +`/etc/nginx/conf.d/load-balancer.conf` should look like this: + + + +```nginx +upstream backend { + server 192.168.43.101:80; + server 192.168.43.102:80; +} + +server { + listen 80; + + location / { + proxy_pass http://backend; + } +} +``` + + + +Notice that Consul template filled the variables from the template file with +actual IP addresses and ports of your "web" servers. + +## Verify your implementation + +Now that everything is set up and running, test out your implementation by +watching what happens when you scale or stop your services. In both cases, +Consul template should keep NGINX's configuration up to date. + +### Scale your backend services + +Consul template uses a long-lived HTTP query (blocking query) against Consul's +API and will get an immediate notification about updates to the requested +service "web". + +As soon as you scale your "web" and the new instances register themselves to the +Consul Service Registry, Consul template will see the change in your service and +trigger a new generation of the configuration file. + +After scaling your backend server from two to three instances, the resulting +load balancer configuration for your NGINX instance located at +`/etc/nginx/conf.d/load-balancer.conf` should look like this: + + + +```nginx +upstream backend { + server 192.168.43.101:80; + server 192.168.43.102:80; + server 192.168.43.103:80; +} + +server { + listen 80; + + location / { + proxy_pass http://backend; + } +} +``` + + + +### Cause an error in a web service instance + +Not only will Consul template update your backend configuration automatically +depending on available service endpoints, but it will also only use healthy +endpoints when rendering the final configuration. + +You configured Consul to perform a basic curl-based health check in your service +definition, so Consul will notice if a "web" server instance is in an unhealthy +state. + +To simulate an error and see how Consul health checks are working, stop one +instance of the web process. + +```shell-session +$ service nginx stop +``` + +You will see the state of this service instance as "Unhealthy" in the Consul UI +because no service on this node is responding to requests on HTTP port 80. + +![Unhealthy web service](/img/consul-nginx-template-web-unhealthy.png 'The Consul UI displaying an unhealthy web service') + +Because of its blocking query against Consul's API, Consul template will be +notified immediately that a change in the health of one of the service endpoints +occurred and will re-render a new Load Balancer configuration file excluding the +unhealthy service instance: + + + +```nginx +upstream backend { + server 192.168.43.101:80; + server 192.168.43.103:80; +} + +server { + listen 80; + + location / { + proxy_pass http://backend; + } +} +``` + + + +Your NGINX instance will now only balance traffic between the remaining healthy +service endpoints. + +As soon as you restart your stopped "web" server instance and Consul health +check marks the service endpoint as "Healthy" again, the process automatically +starts over and the instance will be included in the load balancer backend +configuration to serve traffic: + + + +```nginx +upstream backend { + server 192.168.43.101:80; + server 192.168.43.102:80; + server 192.168.43.103:80; +} + +server { + listen 80; + + location / { + proxy_pass http://backend; + } +} +``` + + + +-> Consul health checks can be much more sophisticated. They can check CPU or +RAM utilization or other service metrics, which you are not able to monitor from +a central Load Balancing instance. You can learn more about Consul's Health +Check feature [here](/consul/tutorials/developer-discovery/service-registration-health-checks). + +## Next steps + +In this tutorial you discovered how Consul template can generate the configuration +for your NGINX load balancer based on available and healthy service endpoints +registered in Consul's Service Registry. You learned how to scale up and down +services without manually reconfiguring your NGINX load balancer every time a +new service endpoint was started or deleted. + +You learned how Consul template uses blocking queries against Consul's HTTP API +to get immediate notifications about service changes and re-renders the required +configuration files automatically for you. + +This tutorial described how to use consul template to configure NGINX, but a +similar process would apply for other load balancers as well. To use another +load balancer you will need to replace the NGINX input template, output file, +and reload command, as well as any NGINX CLI commands. + +Learn more about Consul [service registration and +discovery](/consul/tutorials/get-started-vms/virtual-machine-gs-service-discovery) and +[Consul +template](/consul/tutorials/developer-configuration/consul-template). \ No newline at end of file diff --git a/website/content/docs/services/discovery/dns-dynamic-lookups.mdx b/website/content/docs/discover/service/dynamic.mdx similarity index 50% rename from website/content/docs/services/discovery/dns-dynamic-lookups.mdx rename to website/content/docs/discover/service/dynamic.mdx index b56d3ce7074..fc7a0e59ea6 100644 --- a/website/content/docs/services/discovery/dns-dynamic-lookups.mdx +++ b/website/content/docs/discover/service/dynamic.mdx @@ -1,17 +1,17 @@ --- layout: docs -page_title: Enable dynamic DNS queries -description: -> - Learn how to dynamically query the Consul DNS using prepared queries, which enable robust service and node lookups. +page_title: Perform dynamic DNS service lookups with prepared queries +description: >- + Learn how to dynamically query the Consul DNS using prepared queries, which enable robust service and node lookups. --- -# Enable dynamic DNS queries +# Perform dynamic service lookups with prepared queries -This topic describes how to dynamically query the Consul catalog using prepared queries. Prepared queries are configurations that enable you to register a complex service query and execute it on demand. For information about how to perform standard node and service lookups, refer to [Perform Static DNS Queries](/consul/docs/services/discovery/dns-static-lookups). +This topic describes how to dynamically query the Consul catalog using prepared queries. Prepared queries are configurations that let you register a complex service query and execute it on demand. For information about how to perform standard node and service lookups, refer to [Perform static DNS queries](/consul/docs/discover/dns/static). ## Introduction -Prepared queries provide a rich set of lookup features, such as filtering by multiple tags and automatically failing over to look for services in remote datacenters if no healthy nodes are available in the local datacenter. You can also create prepared query templates that match names using a prefix match, allowing a single template to apply to potentially many services. Refer to [Query Consul Nodes and Services Overview](/consul/docs/services/discovery/dns-overview) for additional information about DNS query behaviors. +Prepared queries provide a rich set of lookup features, such as filtering by multiple tags and automatically failing over to look for services in remote datacenters if no healthy nodes are available in the local datacenter. You can also create prepared query templates that match names using a prefix match, allowing a single template to apply to potentially many services. Refer to [Consul DNS overview](/consul/docs/discover/dns) for additional information about DNS query behaviors. ## Requirements @@ -21,9 +21,9 @@ Consul 0.6.4 or later is required to create prepared query templates. If ACLs are enabled, the querying service must present a token linked to permissions that enable read access for query, service, and node resources. Refer to the following documentation for information about creating policies to enable read access to the necessary resources: -- [Prepared query rules](/consul/docs/security/acl/acl-rules#prepared-query-rules) -- [Service rules](/consul/docs/security/acl/acl-rules#service-rules) -- [Node rules](/consul/docs/security/acl/acl-rules#node-rules) +- [Prepared query rules](/consul/docs/secure-consul/acl/rules#prepared-query-rules) +- [Service rules](/consul/docs/secure-consul/acl/rules#service-rules) +- [Node rules](/consul/docs/secure-consul/acl/rules#node-rules) ## Create prepared queries @@ -31,53 +31,53 @@ Refer to the [prepared query reference](/consul/api-docs/query#create-prepared-q 1. Specify the prepared query options in JSON format. The following prepared query targets all instances of the `redis` service in `dc1` and `dc2`: - - - ```json - { - "Name": "my-query", - "Session": "adf4238a-882b-9ddc-4a9d-5b6758e4159e", - "Token": "", - "Service": { - "Service": "redis", - "Failover": { - "NearestN": 3, - "Datacenters": ["dc1", "dc2"] - }, - "Near": "node1", - "OnlyPassing": false, - "Tags": ["primary", "!experimental"], - "NodeMeta": { - "instance_type": "m3.large" - }, - "ServiceMeta": { - "environment": "production" - } + + + ```json + { + "Name": "my-query", + "Session": "adf4238a-882b-9ddc-4a9d-5b6758e4159e", + "Token": "", + "Service": { + "Service": "redis", + "Failover": { + "NearestN": 3, + "Datacenters": ["dc1", "dc2"] }, - "DNS": { - "TTL": "10s" + "Near": "node1", + "OnlyPassing": false, + "Tags": ["primary", "!experimental"], + "NodeMeta": { + "instance_type": "m3.large" + }, + "ServiceMeta": { + "environment": "production" } - } - ``` + }, + "DNS": { + "TTL": "10s" + } + } + ``` - + - Refer to the [prepared query configuration reference](/consul/api-docs/query#create-prepared-query) for information about all available options. + Refer to the [prepared query configuration reference](/consul/api-docs/query#create-prepared-query) for information about all available options. 1. Send the query in a POST request to the [`/query` API endpoint](/consul/api-docs/query). If the request is successful, Consul prints an ID for the prepared query. - In the following example, the prepared query configuration is stored in the `payload.json` file: + In the following example, the prepared query configuration is stored in the `payload.json` file: - ```shell-session - $ curl --request POST --data @payload.json http://127.0.0.1:8500/v1/query - {"ID":"014af5ff-29e6-e972-dcf8-6ee602137127"}% - ``` + ```shell-session + $ curl --request POST --data @payload.json http://127.0.0.1:8500/v1/query + {"ID":"014af5ff-29e6-e972-dcf8-6ee602137127"}% + ``` 1. To run the query, send a GET request to the endpoint and specify the ID returned from the POST call. - ```shell-session - $ curl http://127.0.0.1:8500/v1/query/14af5ff-29e6-e972-dcf8-6ee602137127/execute\?near\=_agent - ``` + ```shell-session + $ curl http://127.0.0.1:8500/v1/query/14af5ff-29e6-e972-dcf8-6ee602137127/execute\?near\=_agent + ``` ## Execute prepared queries @@ -91,7 +91,7 @@ Use the following format to execute a prepared query using the standard lookup f .query[.]. ``` -Refer [Standard lookups](/consul/docs/services/discovery/dns-static-lookups#standard-lookups) for additional information about the standard lookup format in Consul. +Refer [Standard lookup](/consul/docs/discover/dns/static-lookups#standard-lookups) for additional information about the standard lookup format in Consul. ### RFC 2782 SRV lookup @@ -101,7 +101,7 @@ Use the following format to execute a prepared query using the RFC 2782 lookup f _._tcp.query[.]. ``` -For additional information about following the RFC 2782 SRV lookup format in Consul, refer to [RFC 2782 Lookup](/consul/docs/services/discovery/dns-static-lookups#rfc-2782-lookup). For general information about the RFC 2782 specification, refer to [A DNS RR for specifying the location of services \(DNS SRV\)](https://tools.ietf.org/html/rfc2782). +For additional information about following the RFC 2782 SRV lookup format in Consul, refer to [RFC 2782 Lookup](/consul/docs/discover/dns/static-lookup#rfc-2782-lookup). For general information about the RFC 2782 specification, refer to [A DNS RR for specifying the location of services \(DNS SRV\)](https://tools.ietf.org/html/rfc2782). ### Lookup options @@ -109,6 +109,6 @@ The `datacenter` subdomain is optional. By default, the lookup queries the datac The `query name` or `id` subdomain is the name or ID of an existing prepared query. -## Results +## Query results To allow for simple load balancing, Consul returns the set of nodes in random order for each query. Prepared queries support A and SRV records. SRV records provide the port that a service is registered. Consul only serves SRV records if the client specifically requests them. diff --git a/website/content/docs/services/discovery/dns-static-lookups.mdx b/website/content/docs/discover/service/static.mdx similarity index 79% rename from website/content/docs/services/discovery/dns-static-lookups.mdx rename to website/content/docs/discover/service/static.mdx index 74807c756ad..61bb197330d 100644 --- a/website/content/docs/services/discovery/dns-static-lookups.mdx +++ b/website/content/docs/discover/service/static.mdx @@ -1,25 +1,28 @@ --- layout: docs page_title: Perform static DNS queries -description: -> - Learn how to use standard Consul DNS lookup formats to enable service discovery for services and nodes. +description: >- + Learn how to use standard Consul DNS lookup formats to enable service discovery for services and nodes. --- # Perform static DNS queries -This topic describes how to query the Consul DNS to look up nodes and services registered with Consul. Refer to [Enable Dynamic DNS Queries](/consul/docs/services/discovery/dns-dynamic-lookups) for information about using prepared queries. + +This topic describes how to query the Consul DNS to look up nodes and services registered with Consul. Refer to [Perform dynamic DNS queries](/consul/docs/discover/dns/dynamic-lookup) for information about using prepared queries. ## Introduction -Node lookups and service lookups are the fundamental types of queries you can perform using the Consul DNS. Node lookups interrogate the catalog for named Consul agents. Service lookups interrogate the catalog for services registered with Consul. Refer to [DNS Usage Overview](/consul/docs/services/discovery/dns-overview) for additional background information. + +Node lookups and service lookups are the fundamental types of queries you can perform using the Consul DNS. Node lookups query the catalog for named Consul agents. Service lookups query the catalog for services registered with Consul. Refer to [DNS Usage Overview](/consul/docs/discover/dns) for additional background information. ## Requirements + All versions of Consul support DNS lookup features. ### ACLs -If ACLs are enabled, you must present a token linked with the necessary policies. We recommend using a separate token in production deployments for querying the DNS. By default, Consul agents resolve DNS requests using the preconfigured tokens in order of precedence: -The agent's [`default` token](/consul/docs/agent/config/config-files#acl_tokens_default) -The built-in [`anonymous` token](/consul/docs/security/acl/tokens#built-in-tokens). +If ACLs are enabled, you must present a token linked with the necessary policies. We recommend using a separate token in production deployments for querying the DNS. By default, Consul agents resolve DNS requests using the preconfigured tokens in order of precedence: +1. The agent's [`default` token](/consul/docs/reference/agent#acl_tokens_default) +1. The built-in [`anonymous` token](/consul/docs/secure-consul/acl/token#built-in-tokens). The following table describes the available DNS lookups and required policies when ACLs are enabled: @@ -28,9 +31,8 @@ The following table describes the available DNS lookups and required policies wh | `*.node.consul` | Node | Allows Consul to resolve DNS requests for the target node. Example: `.node.consul` | `node:read` | | `*.service.consul`
`*.connect.consul`
`*.ingress.consul`
`*.virtual.consul` |Service: standard | Allows Consul to resolve DNS requests for target service instances running on ACL-authorized nodes. Example: `.service.consul` | `service:read`
`node:read` | -> **Tutorials**: For hands-on guidance on how to configure an appropriate token for DNS, refer to the tutorial for [Production Environments](/consul/tutorials/security/access-control-setup-production#token-for-dns) and [Development Environments](/consul/tutorials/day-0/access-control-setup#enable-acls-on-consul-clients). - ## Node lookups + Specify the name of the node, datacenter, and domain using the following FQDN syntax: ```text @@ -39,7 +41,7 @@ Specify the name of the node, datacenter, and domain using the following FQDN sy The `datacenter` subdomain is optional. By default, the lookup queries the datacenter of the agent. -By default, the domain is `consul`. Refer to [Configure DNS Behaviors](/consul/docs/services/discovery/dns-configuration) for information about using alternate domains. +By default, the domain is `consul`. Refer to [Configure Consul DNS behavior](/consul/docs/discover/dns/configure) for information about using alternate domains. ### Node lookup results @@ -51,7 +53,6 @@ The following example lookup queries the `foo` node in the `default` datacenter: ```shell-session $ dig @127.0.0.1 -p 8600 foo.node.consul ANY - ; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 -p 8600 foo.node.consul ANY ; (1 server found) ;; global options: +cmd @@ -68,54 +69,54 @@ foo.node.consul. 0 IN A 10.1.10.12 foo.node.consul. 0 IN TXT "meta_key=meta_value" foo.node.consul. 0 IN TXT "value only" - ;; AUTHORITY SECTION: consul. 0 IN SOA ns.consul. postmaster.consul. 1392836399 3600 600 86400 0 ``` ### Node lookups for Consul Enterprise -Consul Enterprise includes the admin partition concept, which is an abstraction that lets you define isolated administrative network areas. Refer to [Admin Partitions](/consul/docs/enterprise/admin-partitions) for additional information. +Consul Enterprise includes the admin partition concept, which is an abstraction that lets you define isolated administrative network areas. Refer to [Admin partitions](/consul/docs/enterprise/admin-partitions) for additional information. Consul nodes reside in admin partitions within a datacenter. By default, node lookups query the same partition and datacenter of the Consul agent that received the DNS query. Use the following query format to specify a partition for a node lookup: -``` +```text .node[..ap][..dc]. ``` Consul server agents are in the `default` partition. If you send a DNS query to Consul server agents, you must explicitly specify the partition of the target node if it is not `default`. ## Service lookups + You can query the network for service providers using either the [standard lookup](#standard-lookup) method or [strict RFC 2782 lookup](#rfc-2782-lookup) method. -By default, all SRV records are weighted equally in service lookup responses, but you can configure the weights using the [`Weights`](/consul/docs/services/configuration/services-configuration-reference#weights) attribute of the service definition. Refer to [Define Services](/consul/docs/services/usage/define-services) for additional information. +By default, all SRV records are weighted equally in service lookup responses, but you can configure the weights using the [`Weights`](/consul/docs/reference/service#weights) attribute of the service definition. Refer to [Define Services](/consul/docs/register/service/vm/define) for additional information. The DNS protocol limits the size of requests, even when performing DNS TCP queries, which may affect your experience querying for services. For services with more than 500 instances, you may not be able to retrieve the complete list of instances for the service. Refer to [RFC 1035, Domain Names - Implementation and Specification](https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.4) for additional information. Consul randomizes DNS SRV records and ignores weights specified in service configurations when printing responses. If records are truncated, each client using weighted SRV responses may have partial and inconsistent views of instance weights. As a result, the request distribution may be skewed from the intended weights. We recommend calling the [`/catalog/nodes` API endpoint](/consul/api-docs/catalog#list-nodes) to retrieve the complete list of nodes. You can apply query parameters to API calls to sort and filter the results. ### Standard lookups + To perform standard service lookups, specify tags, the name of the service, datacenter, cluster peer, and domain using the following syntax to query for service providers: ```text [.].service[..dc][..peer][..sg]. ``` -The `tag` subdomain is optional. It filters responses so that only service providers containing the tag appear. - -The `datacenter` subdomain is optional. By default, Consul interrogates the querying agent's datacenter. +- The `tag` subdomain is optional. It filters responses so that only service providers containing the tag appear. -The `cluster-peer` name is optional, and specifies the [cluster peer](/consul/docs/connect/cluster-peering) whose [exported services](/consul/docs/connect/config-entries/exported-services) should be the target of the query. +- The `datacenter` subdomain is optional. By default, Consul interrogates the querying agent's datacenter. -The `sameness-group` name is optional, and specifies the [sameness group](/consul/docs/connect/cluster-peering/usage/create-sameness-groups) that should be the target of the query. When Consul receives a DNS request for a service that is a member of a sameness group and the sameness groups is configured with `DefaultForFailover` set to `true`, it returns service instances from the first healthy member of the sameness group. If the local partition is a member of a sameness group, local service instances take precedence over the members of its sameness group. Optionally, you can include a namespace or admin partition when performing a lookup on a sameness group. +- The `cluster-peer` name is optional, and specifies the [cluster peer](/consul/docs/connect/cluster-peering) whose [exported services](/consul/docs/connect/config-entries/exported-services) should be the target of the query. -Only sameness groups with `DefaultForFailover` set `true` can be queried through DNS. If `DefaultForFailover` is not true, then Consul DNS returns an error response. Refer to [Service lookups for Consul Enterprise](#service-lookups-for-consul-enterprise) for more information. +- The `sameness-group` name is optional, and specifies the [sameness group](/consul/docs/east-west/cluster-peering/usage/create-sameness-groups) that should be the target of the query. When Consul receives a DNS request for a service that is tied to a sameness group, it returns service instances from the first healthy member of the sameness group. If the local partition is a member of a sameness group, its service instances take precedence over the members of its sameness group. Optionally, you can include a namespace or admin partition when performing a lookup on a sameness group. Refer to [Service lookups for Consul Enterprise](#service-lookups-for-consul-enterprise) for more information. -By default, the lookups query in the `consul` domain. Refer to [Configure DNS Behaviors](/consul/docs/services/discovery/dns-configuration) for information about using alternate domains. +By default, the lookups query in the `consul` domain. Refer to [Configure Consul DNS behavior](/consul/docs/discover/dns/configure) for information about using alternate domains. #### Standard lookup results + Standard services queries return A and SRV records. SRV records include the port that the service is registered on. SRV records are only served if the client specifically requests them. Services that fail their health check or that fail a node system check are omitted from the results. As a load balancing measure, Consul randomizes the set of nodes returned in the response. These mechanisms help you use DNS with application-level retries as the foundation for a self-healing service-oriented architecture. @@ -167,6 +168,7 @@ primary.postgresql.service.dc2.consul. 0 IN A 10.1.10.12 ``` ### RFC 2782 lookup + Per [RFC 2782](https://tools.ietf.org/html/rfc2782), SRV queries must prepend `service` and `protocol` values with an underscore (`_`) to prevent DNS collisions. Use the following syntax to perform RFC 2782 lookups: ```text @@ -183,7 +185,6 @@ The following example queries the `rabbitmq` service tagged with `amqp`, which r ```shell-session $ dig @127.0.0.1 -p 8600 _rabbitmq._amqp.service.consul SRV - ; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 -p 8600 _rabbitmq._amqp.service.consul ANY ; (1 server found) ;; global options: +cmd @@ -202,7 +203,7 @@ _rabbitmq._amqp.service.consul. 0 IN SRV 1 1 5672 rabbitmq.node1.dc1.consul. rabbitmq.node1.dc1.consul. 0 IN A 10.1.11.20 ``` -You can also perform RFC 2782 lookups that target a specific [cluster peer](/consul/docs/connect/cluster-peering) or datacenter by including `.dc` or `.peer` in the query labels: +You can also perform RFC 2782 lookups that target a specific [cluster peer](/consul/docs/east-west/cluster-peering) or datacenter by including `.dc` or `.peer` in the query labels: ```text _._[.service][..dc][..peer]. @@ -211,8 +212,7 @@ _._[.service][..dc][..peer]. The following example queries the `redis` service tagged with `tcp` for the cluster peer `phx1`, which returns two instances, one at `10.1.11.83:29081` and one at `10.1.11.86:29142`: ```shell-session -dig @127.0.0.1 -p 8600 _redis._tcp.service.phx1.peer.consul SRV - +$ dig @127.0.0.1 -p 8600 _redis._tcp.service.phx1.peer.consul SRV ; <<>> DiG 9.18.15 <<>> @127.0.0.1 -p 8600 _redis._tcp.service.phx1.peer.consul SRV ;; global options: +cmd ;; Got answer: @@ -235,7 +235,7 @@ _redis._tcp.service.phx1.peer.consul. 0 IN SRV 1 1 29142 0a010d56.addr.consul. #### SRV responses for hosts in the .addr subdomain -If a service registered with Consul is configured with an explicit IP address or addresses in the [`address`](/consul/docs/services/configuration/services-configuration-reference#address) or [`tagged_address`](/consul/docs/services/configuration/services-configuration-reference#tagged_address) parameter, then Consul returns the hostname in the target field of the answer section for the DNS SRV query according to the following format: +If a service registered with Consul is configured with an explicit IP address or addresses in the [`address`](/consul/docs/reference/service#address) or [`tagged_address`](/consul/docs/reference/service#tagged_address) parameter, then Consul returns the hostname in the target field of the answer section for the DNS SRV query according to the following format: ```text .addr..consul. @@ -279,7 +279,7 @@ $ dig @127.0.0.1 -p 8600 -t srv _rabbitmq._tcp.service.consul +short You can convert hex octets to decimals to reveal the IP address. The following example command converts the hostname expressed as `c000020a` into the IPv4 address specified in the service registration. -``` +```shell-session $ echo -n "c000020a" | perl -ne 'printf("%vd\n", pack("H*", $_))' 192.0.2.10 ``` @@ -313,7 +313,7 @@ services { -The following example SRV query response contains a single record with a hostname written as a hexadecimal value: +The following example SRV query response contains a single record with a hostname written as a hexadecimal value. ```shell-session $ dig @127.0.0.1 -p 8600 -t SRV _rabbitmq._tcp.service.consul +short @@ -328,6 +328,7 @@ $ echo -n "20010db800010002cafe000000001337" | perl -ne 'printf join(":", unpack ``` ### Service lookups for Consul Enterprise + You can perform the following types of service lookups to query for services in another namespace, partition, and datacenter: - `.service` @@ -379,7 +380,7 @@ This returns the unique virtual IP for any service mesh-capable service. Each se The peer name is an optional. The DNS uses it to query for the virtual IP of a service imported from the specified peer. -Consul adds virtual IPs to the [`tagged_addresses`](/consul/docs/services/configuration/services-configuration-reference#tagged_addresses) field in the service definition under the `consul-virtual` tag. +Consul adds virtual IPs to the [`tagged_addresses`](/consul/docs/reference/service#tagged_addresses) field in the service definition under the `consul-virtual` tag. #### Service virtual IP lookups for Consul Enterprise @@ -392,7 +393,7 @@ To lookup services imported from a partition in another cluster peered to the qu To lookup services in a cluster peer that have not been imported, refer to [Service lookups for Consul Enterprise](#service-lookups-for-consul-enterprise). -### Ingress Service Lookups +### Ingress service lookups Add the `.ingress` subdomain to your DNS FQDN to find ingress-enabled services: diff --git a/website/content/docs/discover/vm.mdx b/website/content/docs/discover/vm.mdx new file mode 100644 index 00000000000..5a66a343509 --- /dev/null +++ b/website/content/docs/discover/vm.mdx @@ -0,0 +1,52 @@ +--- +layout: docs +page_title: Discover services on virtual machines (VMs) +description: >- + This topic provides an overview of the service discovery features and operations enabled on virtual machines by Consul DNS, including application load balancing, static lookups, and prepared queries. +--- + +# Discover services on virtual machines (VMs) + +This topic provides an overview of Consul service discovery operations on virtual machines. After you register services with Consul, you can address them using Consul DNS to perform application load balancing and static service lookups. You can also create prepared queries for dynamic service lookups and service failover. + +## Introduction + +When a service registers with Consul, the catalog records the address of each service's node. Consul then updates an instance's catalog entry with the results of each health check it performs. Consul agents replicate catalog information between each other using the [Raft consensus protocol](/consul/docs/architecture/consensus), enabling high availability service networking through any Consul agent. + +Consul's service discovery operations use [Consul DNS addresses](consul/docs/discover/dns) to route traffic to healthy service instances and return information about service nodes registered to Consul. + +## Application load balancing + +@include 'text/descriptions/load-balancer.mdx' + +## Static lookups + +@include 'text/descriptions/static-query.mdx' + +## Prepared queries + +@include 'text/descriptions/prepared-query.mdx' + +## Tutorials + +To get started with Consul's service discovery features on VMs, refer to the following tutorials: + +- [Register your services to Consul](/consul/tutorials/get-started-vms/virtual-machine-gs-service-discovery) includes service queries with Consul DNS +- [Ensure only healthy services are discoverable](/consul/tutorials/developer-discovery/service-registration-health-checks) +- [DNS caching](/consul/tutorials/networking/dns-caching) +- [Forward DNS for Consul service discovery](/consul/tutorials/networking/dns-forwarding) +- [Register external services with Consul service discovery](/consul/tutorials/developer-discovery/service-registration-external-services) +- [Load Balancing with NGINX Plus' Service Discovery Integration](/consul/tutorials/load-balancing/load-balancing-nginx-plus) +- [Load Balancing with NGINX and Consul Template](/consul/tutorials/load-balancing/load-balancing-nginx) +- [Load Balancing with HAProxy Service Discovery Integration](/consul/tutorials/load-balancing/load-balancing-haproxy) +- [Load balancing with F5 and Consul](/consul/tutorials/load-balancing/load-balancing-f5) + +## Reference documentation + +For reference material related to Consul's service discovery functions, refer to the following pages: + +- [Consul DNS reference](/consul/docs/reference/dns) + +## Constraints, limitations, and troubleshooting + +@include 'text/limitations/discover.mdx' \ No newline at end of file diff --git a/website/content/docs/dynamic-app-config/kv/index.mdx b/website/content/docs/dynamic-app-config/kv/index.mdx deleted file mode 100644 index 677037321d6..00000000000 --- a/website/content/docs/dynamic-app-config/kv/index.mdx +++ /dev/null @@ -1,120 +0,0 @@ ---- -layout: docs -page_title: Key/Value (KV) Store Overview -description: >- - Consul includes a KV store for indexed objects, configuration parameters, and metadata that you can use to dynamically configure apps. Learn about accessing and using the KV store to extend Consul's functionality through watches, sessions, and Consul Template. ---- - -# Key/Value (KV) Store Overview - - -The Consul KV API, CLI, and UI are now considered feature complete and no new feature development is planned for future releases. - - -Consul KV is a core feature of Consul and is installed with the Consul agent. -Once installed with the agent, it will have reasonable defaults. Consul KV allows -users to store indexed objects, though its main uses are storing configuration -parameters and metadata. Please note that it is a simple KV store and is not -intended to be a full featured datastore (such as DynamoDB) but has some -similarities to one. - -The Consul KV datastore is located on the servers, but can be accessed by any -agent (client or server). The natively integrated [RPC -functionality](/consul/docs/architecture) allows clients to forward -requests to servers, including key/value reads and writes. Part of Consul's -core design allows data to be replicated automatically across all the servers. -Having a quorum of servers will decrease the risk of data loss if an outage -occurs. - -If you have not used Consul KV, complete this [Getting Started -tutorial](/consul/tutorials/interactive/get-started-key-value-store?utm_source=docs) on HashiCorp. - -## Accessing the KV store - -The KV store can be accessed by the [consul kv CLI -subcommands](/consul/commands/kv), [HTTP API](/consul/api-docs/kv), and Consul UI. -To restrict access, enable and configure -[ACLs](/consul/tutorials/security/access-control-setup-production). -Once the ACL system has been bootstrapped, users and services, will need a -valid token with KV [privileges](/consul/docs/security/acl/acl-rules#key-value-rules) to -access the data store, this includes even reads. We recommend creating a -token with limited privileges, for example, you could create a token with write -privileges on one key for developers to update the value related to their -application. - -The datastore itself is located on the Consul servers in the [data -directory](/consul/docs/agent/config/cli-flags#_data_dir). To ensure data is not lost in -the event of a complete outage, use the [`consul snapshot`](/consul/commands/snapshot/restore) feature to backup the data. - -## Using Consul KV - -Objects are opaque to Consul, meaning there are no restrictions on the type of -object stored in a key/value entry. The main restriction on an object is size - -the maximum is 512 KB. Due to the maximum object size and main use cases, you -should not need extra storage; the general [sizing -recommendations](/consul/docs/agent/config/config-files#kv_max_value_size) -are usually sufficient. - -Keys, like objects are not restricted by type and can include any character. -However, we recommend using URL-safe chars - `[a-zA-Z0-9-._~]` with the -exception of `/`, which can be used to help organize data. Note, `/` will be -treated like any other character and is not fixed to the file system. Meaning, -including `/` in a key does not fix it to a directory structure. This model is -similar to Amazon S3 buckets. However, `/` is still useful for organizing data -and when recursively searching within the data store. We also recommend that -you avoid the use of `*`, `?`, `'`, and `%` because they can cause issues when -using the API and in shell scripts. - -## Using Sentinel to apply policies for Consul KV - - - -This feature requires -HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. - - - -You can also use Sentinel as a Policy-as-code framework for defining advanced key-value storage access control policies. Sentinel policies extend the ACL system in Consul beyond static "read", "write", -and "deny" policies to support full conditional logic and integration with -external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts) for high-level Sentinel concepts. - -To get started with Sentinel in Consul, -refer to the [Sentinel documentation](https://docs.hashicorp.com/sentinel/consul) or -[Consul documentation](/consul/docs/agent/sentinel). - - -## Extending Consul KV - -### Consul Template - -If you plan to use Consul KV as part of your configuration management process -review the [Consul -Template](/consul/tutorials/developer-configuration/consul-template?utm_source=docs) -tutorial on how to update configuration based on value updates in the KV. Consul -Template is based on Go Templates and allows for a series of scripted actions -to be initiated on value changes to a Consul key. - -### Watches - -Consul KV can also be extended with the use of watches. -[Watches](/consul/docs/dynamic-app-config/watches) are a way to monitor data for updates. When -an update is detected, an external handler is invoked. To use watches with the -KV store the [key](/consul/docs/dynamic-app-config/watches#key) watch type should be used. - -### Consul Sessions - -Consul sessions can be used to build distributed locks with Consul KV. Sessions -act as a binding layer between nodes, health checks, and key/value data. The KV -API supports an `acquire` and `release` operation. The `acquire` operation acts -like a Check-And-Set operation. On success, there is a key update and an -increment to the `LockIndex` and the session value is updated to reflect the -session holding the lock. Review the session documentation for more information -on the [integration](/consul/docs/dynamic-app-config/sessions#k-v-integration). - -Review the following tutorials to learn how to use Consul sessions for [application leader election](/consul/docs/dynamic-app-config/sessions/application-leader-election) and -to [build distributed semaphores](/consul/tutorials/developer-configuration/distributed-semaphore). - -### Vault - -If you plan to use Consul KV as a backend for Vault, please review [this -tutorial](/vault/tutorials/day-one-consul/ha-with-consul?utm_source=docs). diff --git a/website/content/docs/dynamic-app-config/sessions/application-leader-election.mdx b/website/content/docs/dynamic-app-config/sessions/application-leader-election.mdx deleted file mode 100644 index 5b14bcdc9e1..00000000000 --- a/website/content/docs/dynamic-app-config/sessions/application-leader-election.mdx +++ /dev/null @@ -1,396 +0,0 @@ ---- -layout: docs -page_title: Application leader election -description: >- - Learn how to perform client-side leader elections using sessions and Consul key/value (KV) store. ---- - -# Application leader election - -This topic describes the process for building client-side leader elections for service instances using Consul's [session mechanism for building distributed locks](/consul/docs/dynamic-app-config/sessions) and the [Consul key/value store](/consul/docs/dynamic-app-config/kv), which is Consul's key/value datastore. - -This topic is not related to Consul's leader election. For more information about the Raft leader election used internally by Consul, refer to -[consensus protocol](/consul/docs/architecture/consensus) documentation. - -## Background - -Some distributed applications, like HDFS or ActiveMQ, require setting up one instance as a leader to ensure application data is current and stable. - -Consul's support for [sessions](/consul/docs/dynamic-app-config/sessions) and [watches](/consul/docs/dynamic-app-config/watches) allows you to build a client-side leader election process where clients use a lock on a key in the KV datastore to ensure mutual exclusion and to gracefully handle failures. - -All service instances that are participating should coordinate on a key format. We recommend the following pattern: - -```plaintext -service//leader -``` - -## Requirements - -- A running Consul server -- A path in the Consul KV datastore to acquire locks and to store information about the leader. The instructions on this page use the following key: `service/leader`. -- If ACLs are enabled, a token with the following permissions: - - `session:write` permissions over the service session name - - `key:write` permissions over the key - - The `curl` command - -Expose the token using the `CONSUL_HTTP_TOKEN` environment variable. - -## Client-side leader election procedure - -The workflow for building a client-side leader election process has the following steps: - -- For each client trying to acquire the lock: - 1. [Create a session](#create-a-new-session) associated with the client node. - 1. [Acquire the lock](#acquire-the-lock) on the designated key in the KV store using the `acquire` parameter. - 1. [Watch the KV key](#watch-the-kv-key-for-locks) to verify if the lock was released. If no lock is present, try to acquire a lock. - -- For the client that acquires the lock: - 1. Periodically, [renew the session](#renew-a-session) to avoid expiration. - 1. Optionally, [release the lock](#release-a-lock). - -- For other services: - 1. [Watch the KV key](#watch-the-kv-key-for-locks) to verify there is at least one process holding the lock. - 1. Use the values written under the KV path to identify the leader and update configurations accordingly. - -## Create a new session - -Create a configuration for the session. -The minimum viable configuration requires that you specify the session name. The following example demonstrates this configuration. - - - -```json -{ - "Name": "session_name" -} -``` - - - -Create a session using the [`/session` Consul HTTP API](/consul/api-docs/session) endpoint. In the following example, the node's `hostname` is the session name. - -```shell-session -$ curl --silent \ - --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ - --data '{"Name": "'`hostname`'"}' \ - --request PUT \ - http://127.0.0.1:8500/v1/session/create | jq -``` - - -The command returns a JSON object containing the ID of the newly created session. - -```json -{ - "ID": "d21d60ad-c2d2-b32a-7432-ca4048a4a7d6" -} -``` - -### Verify session - -Use the `/v1/session/list` endpoint to retrieve existing sessions. - -```shell-session -$ curl --silent \ - --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ - --request GET \ - http://127.0.0.1:8500/v1/session/list | jq -``` - -The command returns a JSON array containing all available sessions in the system. - - - -```json -[ - { - "ID": "d21d60ad-c2d2-b32a-7432-ca4048a4a7d6", - "Name": "hashicups-db-0", - "Node": "hashicups-db-0", - "LockDelay": 15000000000, - "Behavior": "release", - "TTL": "", - "NodeChecks": [ - "serfHealth" - ], - "ServiceChecks": null, - "CreateIndex": 11956, - "ModifyIndex": 11956 - } -] -``` - - - -You can verify from the output that the session is associated with the `hashicups-db-0` node, which is the client agent where the API request was made. - -With the exception of the `Name`, all parameters are set to their default values. The session is created without a `TTL` value, which means that it never expires and requires you to delete it explicitly. - -Depending on your needs you can create sessions specifying more parameters such as: - -- `TTL` - If provided, the session is invalidated and deleted if it is not renewed before the TTL expires. -- `ServiceChecks` - Specifies a list of service checks to monitor. The session is invalidated if the checks return a critical state. - -By setting these extra parameters, you can create a client-side leader election workflow that automatically releases the lock after a specified amount of time since the last renew, or that automatically releases locks when the service holding them fails. - -For a full list of parameters available refer to the [`/session/create` endpoint documentation](/consul/api-docs/session#create-session). - -## Acquire the lock - -Create the data object to associate to the lock request. - -The data of the request should be a JSON object representing the local instance. This value is opaque to Consul, but it should contain whatever information clients require to communicate with your application. For example, it could be a JSON object that contains the node's name and the application's port. - - - -```json -{ - "Node": "node-name", - "Port": "8080" -} -``` - - - - - - -Acquire a lock for a given key using the PUT method on a [KV entry](/consul/api-docs/kv) with the -`?acquire=` query parameter. - -```shell-session -$ curl --silent \ - --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ - --data '{"Node": "'`hostname`'"}' \ - --request PUT \ - http://localhost:8500/v1/kv/service/leader?acquire=d21d60ad-c2d2-b32a-7432-ca4048a4a7d6 | jq -``` - -This request returns either `true` or `false`. If `true`, the lock was acquired and -the local service instance is now the leader. If `false`, a different node acquired -the lock. - - - - - -```shell-session -$ consul kv put -acquire -session=d21d60ad-c2d2-b32a-7432-ca4048a4a7d6 /service/leader '{"Node": "'`hostname`'"}' -``` - -In case of success, the command exits with exit code `0` and outputs the following message. - - - -```plaintext -Success! Lock acquired on: service/leader -``` - - - -If the lock was already acquired by another node, the command exits with exit code `1` and outputs the following message. - - - -```plaintext -Error! Did not acquire lock -``` - - - - - - -This example used the node's `hostname` as the key data. This data can be used by the other services to create configuration files. - -Be aware that this locking system has no enforcement mechanism that requires clients to acquire a lock before they perform an operation. Any client can read, write, and delete a key without owning the corresponding lock. - -## Watch the KV key for locks - -Existing locks need to be monitored by all nodes involved in the client-side leader elections, as well as by the other nodes that need to know the identity of the leader. - - - Lock holders need to monitor the lock because the session might get invalidated by an operator. - - Other services that want to acquire the lock need to monitor it to check if the lock is released so they can try acquire the lock. - - Other nodes need to monitor the lock to see if the value of the key changed and update their configuration accordingly. - - - - -Monitor the lock using the GET method on a [KV entry](/consul/api-docs/kv) with the blocking query enabled. - -First, verify the latest index for the current value. - -```shell-session -$ curl --silent \ - --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ - --request GET \ - http://127.0.0.1:8500/v1/kv/service/leader?index=1 | jq -``` - -The command outputs the key data, including the `ModifyIndex` for the object. - - - -```json -[ - { - "LockIndex": 0, - "Key": "service/leader", - "Flags": 0, - "Value": "eyJOb2RlIjogImhhc2hpY3Vwcy1kYi0wIn0=", - "Session": "d21d60ad-c2d2-b32a-7432-ca4048a4a7d6", - "CreateIndex": 12399, - "ModifyIndex": 13061 - } -] -``` - - - -Using the value of the `ModifyIndex`, run a [blocking query](/consul/api-docs/features/blocking) against the lock. - -```shell-session -$ curl --silent \ - --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ - --request GET \ - http://127.0.0.1:8500/v1/kv/service/leader?index=13061 | jq -``` -The command hangs until a change is made on the KV path and after that the path data prints on the console. - - - -```json -[ - { - "LockIndex": 0, - "Key": "service/leader", - "Flags": 0, - "Value": "eyJOb2RlIjogImhhc2hpY3Vwcy1kYi0xIn0=", - "Session": "d21d60ad-c2d2-b32a-7432-ca4048a4a7d6", - "CreateIndex": 12399, - "ModifyIndex": 13329 - } -] -``` - - - -For automation purposes, add logic to the blocking query mechanism to trigger a command every time a change is returned. -A better approach is to use the CLI command `consul watch`. - - - - -Monitor the lock using the [`consul watch`](/consul/commands/watch) command. - -```shell-session -$ consul watch -type=key -key=service/leader cat | jq -``` - -In this example, the command output prints to the shell. However, it is possible to pass more complex option to the command as well as a script that contains more complex logic to react to the lock data change. - -An example output for the command is: - - - -```json -{ - "Key": "service/leader", - "CreateIndex": 12399, - "ModifyIndex": 13061, - "LockIndex": 0, - "Flags": 0, - "Value": "eyJOb2RlIjogImhhc2hpY3Vwcy1kYi0wIn0=", - "Session": "d21d60ad-c2d2-b32a-7432-ca4048a4a7d6" -} -``` - - - -The `consul watch` command polls the KV path for changes and runs the specified command on the output when a change is made. - - - - -From the output, notice that once the lock is acquired, the `Session` parameter contains the ID of the session that holds the lock. - -## Renew a session - -If a session is created with a `TTL` value set, you need to renew the session before the TTL expires. - -Use the [`/v1/session/renew`](/consul/api-docs/session#renew-session) endpoint to renew existing sessions. - -```shell-session -$ curl --silent \ - --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ - --request PUT \ - http://127.0.0.1:8500/v1/session/renew/f027470f-2759-6b53-542d-066ae4185e67 | jq -``` - -If the command succeeds, the session information in JSON format is printed. - - - -```json -[ - { - "ID": "f027470f-2759-6b53-542d-066ae4185e67", - "Name": "test", - "Node": "consul-server-0", - "LockDelay": 15000000000, - "Behavior": "release", - "TTL": "30s", - "NodeChecks": [ - "serfHealth" - ], - "ServiceChecks": null, - "CreateIndex": 11842, - "ModifyIndex": 11842 - } -] -``` - - - -## Release a lock - -A lock associated with a session with no `TTL` value set might never be released, even when the service holding it fails. - -In such cases, you need to manually release the lock. - - - - -```shell-session -$ curl --silent \ - --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ - --data '{"Node": "'`hostname`'"}' \ - --request PUT \ - http://localhost:8500/v1/kv/service/leader?release=d21d60ad-c2d2-b32a-7432-ca4048a4a7d6 | jq -``` - -The command prints `true` on success. - - - - -```shell-session -$ consul kv put -release -session=d21d60ad-c2d2-b32a-7432-ca4048a4a7d6 service/leader '{"Node": "'`hostname`'"}' -``` - -On success, the command outputs a success message. - - - -```plaintext -Success! Lock released on: service/leader -``` - - - - - - -After a lock is released, the key data do not show a value for `Session` in the results. -Other clients can use this as a way to coordinate their lock requests. - diff --git a/website/content/docs/dynamic-app-config/sessions/index.mdx b/website/content/docs/dynamic-app-config/sessions/index.mdx deleted file mode 100644 index 3eb26f558f5..00000000000 --- a/website/content/docs/dynamic-app-config/sessions/index.mdx +++ /dev/null @@ -1,144 +0,0 @@ ---- -layout: docs -page_title: Sessions and Distributed Locks Overview -description: >- - Consul supports sessions that you can use to build distributed locks with granular locking. Learn about sessions, how they can prevent ""split-brain"" systems by ensuring consistency in deployments, and how they can integrate with the key/value (KV) store. ---- - -# Sessions and Distributed Locks Overview - -Consul provides a session mechanism which can be used to build distributed locks. -Sessions act as a binding layer between nodes, health checks, and key/value data. -They are designed to provide granular locking and are heavily inspired by -[The Chubby Lock Service for Loosely-Coupled Distributed Systems](http://research.google.com/archive/chubby.html). - -## Session Design - -A session in Consul represents a contract that has very specific semantics. -When a session is constructed, a node name, a list of health checks, a behavior, -a TTL, and a `lock-delay` may be provided. The newly constructed session is provided with -a named ID that can be used to identify it. This ID can be used with the KV -store to acquire locks: advisory mechanisms for mutual exclusion. - -Below is a diagram showing the relationship between these components: - -![Consul Sessions](/img/consul-sessions.png) - -The contract that Consul provides is that under any of the following -situations, the session will be _invalidated_: - -- Node is deregistered -- Any of the health checks are deregistered -- Any of the health checks go to the critical state -- Session is explicitly destroyed -- TTL expires, if applicable - -When a session is invalidated, it is destroyed and can no longer -be used. What happens to the associated locks depends on the -behavior specified at creation time. Consul supports a `release` -and `delete` behavior. The `release` behavior is the default -if none is specified. - -If the `release` behavior is being used, any of the locks held in -association with the session are released, and the `ModifyIndex` of -the key is incremented. Alternatively, if the `delete` behavior is -used, the key corresponding to any of the held locks is simply deleted. -This can be used to create ephemeral entries that are automatically -deleted by Consul. - -While this is a simple design, it enables a multitude of usage -patterns. By default, the -[gossip based failure detector](/consul/docs/architecture/gossip) -is used as the associated health check. This failure detector allows -Consul to detect when a node that is holding a lock has failed and -to automatically release the lock. This ability provides **liveness** to -Consul locks; that is, under failure the system can continue to make -progress. However, because there is no perfect failure detector, it's possible -to have a false positive (failure detected) which causes the lock to -be released even though the lock owner is still alive. This means -we are sacrificing some **safety**. - -Conversely, it is possible to create a session with no associated -health checks. This removes the possibility of a false positive -and trades liveness for safety. You can be absolutely certain Consul -will not release the lock even if the existing owner has failed. -Since Consul APIs allow a session to be force destroyed, this allows -systems to be built that require an operator to intervene in the -case of a failure while precluding the possibility of a split-brain. - -A third health checking mechanism is session TTLs. When creating -a session, a TTL can be specified. If the TTL interval expires without -being renewed, the session has expired and an invalidation is triggered. -This type of failure detector is also known as a heartbeat failure detector. -It is less scalable than the gossip based failure detector as it places -an increased burden on the servers but may be applicable in some cases. -The contract of a TTL is that it represents a lower bound for invalidation; -that is, Consul will not expire the session before the TTL is reached, but it -is allowed to delay the expiration past the TTL. The TTL is renewed on -session creation, on session renew, and on leader failover. When a TTL -is being used, clients should be aware of clock skew issues: namely, -time may not progress at the same rate on the client as on the Consul servers. -It is best to set conservative TTL values and to renew in advance of the TTL -to account for network delay and time skew. - -The final nuance is that sessions may provide a `lock-delay`. This -is a time duration, between 0 and 60 seconds. When a session invalidation -takes place, Consul prevents any of the previously held locks from -being re-acquired for the `lock-delay` interval; this is a safeguard -inspired by Google's Chubby. The purpose of this delay is to allow -the potentially still live leader to detect the invalidation and stop -processing requests that may lead to inconsistent state. While not a -bulletproof method, it does avoid the need to introduce sleep states -into application logic and can help mitigate many issues. While the -default is to use a 15 second delay, clients are able to disable this -mechanism by providing a zero delay value. - -## K/V Integration - -Integration between the KV store and sessions is the primary -place where sessions are used. A session must be created prior to use -and is then referred to by its ID. - -The KV API is extended to support an `acquire` and `release` operation. -The `acquire` operation acts like a Check-And-Set operation except it -can only succeed if there is no existing lock holder (the current lock holder -can re-`acquire`, see below). On success, there is a normal key update, but -there is also an increment to the `LockIndex`, and the `Session` value is -updated to reflect the session holding the lock. - -If the lock is already held by the given session during an `acquire`, then -the `LockIndex` is not incremented but the key contents are updated. This -lets the current lock holder update the key contents without having to give -up the lock and reacquire it. - -Once held, the lock can be released using a corresponding `release` operation, -providing the same session. Again, this acts like a Check-And-Set operation -since the request will fail if given an invalid session. A critical note is -that the lock can be released without being the creator of the session. -This is by design as it allows operators to intervene and force-terminate -a session if necessary. As mentioned above, a session invalidation will also -cause all held locks to be released or deleted. When a lock is released, the `LockIndex` -does not change; however, the `Session` is cleared and the `ModifyIndex` increments. - -These semantics (heavily borrowed from Chubby), allow the tuple of (Key, LockIndex, Session) -to act as a unique "sequencer". This `sequencer` can be passed around and used -to verify if the request belongs to the current lock holder. Because the `LockIndex` -is incremented on each `acquire`, even if the same session re-acquires a lock, -the `sequencer` will be able to detect a stale request. Similarly, if a session is -invalided, the Session corresponding to the given `LockIndex` will be blank. - -To be clear, this locking system is purely _advisory_. There is no enforcement -that clients must acquire a lock to perform any operation. Any client can -read, write, and delete a key without owning the corresponding lock. It is not -the goal of Consul to protect against misbehaving clients. - -## Leader Election - -You can use the primitives provided by sessions and the locking mechanisms of the KV -store to build client-side leader election algorithms. -These are covered in more detail in the [Leader Election guide](/consul/docs/dynamic-app-config/sessions/application-leader-election). - -## Prepared Query Integration - -Prepared queries may be attached to a session in order to automatically delete -the prepared query when the session is invalidated. diff --git a/website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx b/website/content/docs/east-west/cluster-peering/establish/k8s.mdx similarity index 92% rename from website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx rename to website/content/docs/east-west/cluster-peering/establish/k8s.mdx index bc82be872a1..2767451ca2c 100644 --- a/website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx +++ b/website/content/docs/east-west/cluster-peering/establish/k8s.mdx @@ -18,9 +18,9 @@ The overall process for establishing a cluster peering connection consists of th Cluster peering between services cannot be established until all four steps are complete. -Cluster peering between services cannot be established until all four steps are complete. If you want to establish cluster peering connections and create sameness groups at the same time, refer to the guidance in [create sameness groups](/consul/docs/k8s/connect/cluster-peering/usage/create-sameness-groups). +Cluster peering between services cannot be established until all four steps are complete. If you want to establish cluster peering connections and create sameness groups at the same time, refer to the guidance in [create sameness groups](/consul/docs/east-west/sameness-group). -For general guidance for establishing cluster peering connections, refer to [Establish cluster peering connections](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering). +For general guidance for establishing cluster peering connections, refer to [Establish cluster peering connections](/consul/docs/east-west/cluster-peering/establish-connection/vm). ## Prerequisites @@ -194,7 +194,7 @@ Next, use the peering token to establish a secure connection between the cluster After you establish a connection between the clusters, you need to create an `exported-services` CRD that defines the services that are available to another admin partition. -While the CRD can target admin partitions either locally or remotely, clusters peering always exports services to remote admin partitions. Refer to [exported service consumers](/consul/docs/connect/config-entries/exported-services#consumers-1) for more information. +While the CRD can target admin partitions either locally or remotely, clusters peering always exports services to remote admin partitions. Refer to [exported service consumers](/consul/docs/reference/config-entry/exported-services#consumers-1) for more information. 1. For the service in `cluster-02` that you want to export, add the `"consul.hashicorp.com/connect-inject": "true"` annotation to your service's pods prior to deploying. The annotation allows the workload to join the mesh. It is highlighted in the following example: @@ -439,4 +439,19 @@ Before you can call services from peered clusters, you must set service intentio } ``` - \ No newline at end of file + + +### Authorize service reads with ACLs + +If ACLs are enabled on a Consul cluster, sidecar proxies that access exported services as an upstream must have an ACL token that grants read access. + +Read access to all imported services is granted using either of the following rules associated with an ACL token: + +- `service:write` permissions for any service in the sidecar's partition. +- `service:read` and `node:read` for all services and nodes, respectively, in sidecar's namespace and partition. + +For Consul Enterprise, the permissions apply to all imported services in the service's partition. These permissions are satisfied when using a [service identity](/consul/docs/reference/acl/rule#service-identities). + +Refer to [Reading servers](/consul/docs/reference/config-entry/exported-services#reading-services) in the `exported-services` configuration entry documentation for example rules. + +For additional information about how to configure and use ACLs, refer to [ACLs system overview](/consul/docs/secure-consul/acl). \ No newline at end of file diff --git a/website/content/docs/connect/cluster-peering/usage/establish-cluster-peering.mdx b/website/content/docs/east-west/cluster-peering/establish/vm.mdx similarity index 91% rename from website/content/docs/connect/cluster-peering/usage/establish-cluster-peering.mdx rename to website/content/docs/east-west/cluster-peering/establish/vm.mdx index b2ed30f4605..6c2f8d09b8f 100644 --- a/website/content/docs/connect/cluster-peering/usage/establish-cluster-peering.mdx +++ b/website/content/docs/east-west/cluster-peering/establish/vm.mdx @@ -14,9 +14,9 @@ This page details the process for establishing a cluster peering connection betw 1. Export services between clusters. 1. Create intentions to authorize services for peers. -Cluster peering between services cannot be established until all four steps are complete. If you want to establish cluster peering connections and create sameness groups at the same time, refer to the guidance in [create sameness groups](/consul/docs/connect/cluster-peering/usage/create-sameness-groups). +Cluster peering between services cannot be established until all four steps are complete. If you want to establish cluster peering connections and create sameness groups at the same time, refer to the guidance in [create sameness groups](/consul/docs/east-west/cluster-peering/usage/create-sameness-groups). -For Kubernetes guidance, refer to [Establish cluster peering connections on Kubernetes](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering). +For Kubernetes guidance, refer to [Establish cluster peering connections on Kubernetes](/consul/docs/east-west/cluster-peering/establish-connection/k8s). For HCP Consul guidance, refer to [Establish cluster peering connections on HCP Consul](/hcp/docs/consul/usage/cluster-peering/create-connections). ## Requirements @@ -25,13 +25,13 @@ You must meet the following requirements to use cluster peering: - Consul v1.14.1 or higher - Services hosted in admin partitions on separate datacenters -If you need to make services available to an admin partition in the same datacenter, do not use cluster peering. Instead, use the [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) to make service upstreams available to other admin partitions in a single datacenter. +If you need to make services available to an admin partition in the same datacenter, do not use cluster peering. Instead, use the [`exported-services` configuration entry](/consul/docs/reference/config-entry/exported-services) to make service upstreams available to other admin partitions in a single datacenter. ### Mesh gateway requirements Consul's default configuration supports cluster peering connections directly between clusters. In production environments, we recommend using mesh gateways to securely route service mesh traffic between partitions with cluster peering connections. -To enable cluster peering through mesh gateways and configure mesh gateways to support cluster peering, refer to [mesh gateway specifications](/consul/docs/connect/cluster-peering/tech-specs#mesh-gateway-specifications). +To enable cluster peering through mesh gateways and configure mesh gateways to support cluster peering, refer to [mesh gateway specifications](/consul/docs/east-west/cluster-peering/tech-specs#mesh-gateway-specifications). ## Create a peering token @@ -139,7 +139,7 @@ You can dial the `peering/establish` endpoint once per peering token. Peering to After you establish a connection between the clusters, you need to create an `exported-services` configuration entry that defines the services that are available for other clusters. Consul uses this configuration entry to advertise service information and support service mesh connections across clusters. -An `exported-services` configuration entry makes services available to another admin partition. While it can target admin partitions either locally or remotely. Clusters peers always export services to remote partitions. Refer to [exported service consumers](/consul/docs/connect/config-entries/exported-services#consumers-1) for more information. +An `exported-services` configuration entry makes services available to another admin partition. While it can target admin partitions either locally or remotely. Clusters peers always export services to remote partitions. Refer to [exported service consumers](/consul/docs/reference/config-entry/exported-services#consumers-1) for more information. You must use the Consul CLI to complete this step. The HTTP API and the Consul UI do not support `exported-services` configuration entries. @@ -179,7 +179,7 @@ You must use the Consul CLI to complete this step. The HTTP API and the Consul U $ consul config write peering-config.hcl ``` -Before you proceed, wait for the clusters to sync and make services available to their peers. To check the peered cluster status, [read the cluster peering connection](/consul/docs/connect/cluster-peering/usage/manage-connections#read-a-peering-connection). +Before you proceed, wait for the clusters to sync and make services available to their peers. To check the peered cluster status, [read the cluster peering connection](/consul/docs/east-west/cluster-peering/manage-connection/vm#read-a-peering-connection). @@ -262,8 +262,8 @@ Read access to all imported services is granted using either of the following ru - `service:write` permissions for any service in the sidecar's partition. - `service:read` and `node:read` for all services and nodes, respectively, in sidecar's namespace and partition. -For Consul Enterprise, the permissions apply to all imported services in the service's partition. These permissions are satisfied when using a [service identity](/consul/docs/security/acl/acl-roles#service-identities). +For Consul Enterprise, the permissions apply to all imported services in the service's partition. These permissions are satisfied when using a [service identity](/consul/docs/reference/acl/rule#service-identities). -Refer to [Reading services](/consul/docs/connect/config-entries/exported-services#reading-services) in the `exported-services` configuration entry documentation for example rules. +Refer to [Reading servers](/consul/docs/reference/config-entry/exported-services#reading-services) in the `exported-services` configuration entry documentation for example rules. -For additional information about how to configure and use ACLs, refer to [ACLs system overview](/consul/docs/security/acl). +For additional information about how to configure and use ACLs, refer to [ACLs system overview](/consul/docs/secure-consul/acl). \ No newline at end of file diff --git a/website/content/docs/connect/cluster-peering/index.mdx b/website/content/docs/east-west/cluster-peering/index.mdx similarity index 74% rename from website/content/docs/connect/cluster-peering/index.mdx rename to website/content/docs/east-west/cluster-peering/index.mdx index 83cc4b97e4c..da6cc6d8eda 100644 --- a/website/content/docs/connect/cluster-peering/index.mdx +++ b/website/content/docs/east-west/cluster-peering/index.mdx @@ -8,11 +8,12 @@ description: >- # Cluster peering overview This topic provides an overview of cluster peering, which lets you connect two or more independent Consul clusters so that services deployed to different partitions or datacenters can communicate. + Cluster peering is enabled in Consul by default. For specific information about cluster peering configuration and usage, refer to following pages. -## What is cluster peering? +## Introduction -Consul supports cluster peering connections between two [admin partitions](/consul/docs/enterprise/admin-partitions) _in different datacenters_. Deployments without an Enterprise license can still use cluster peering because every datacenter automatically includes a default partition. Meanwhile, admin partitions _in the same datacenter_ do not require cluster peering connections because you can export services between them without generating or exchanging a peering token. +Consul supports cluster peering connections between two [admin partitions](/consul/docs/segment/admin-partition) _in different datacenters_. Deployments without an Enterprise license can still use cluster peering because every datacenter automatically includes a default partition. Meanwhile, admin partitions _in the same datacenter_ do not require cluster peering connections because you can export services between them without generating or exchanging a peering token. The following diagram describes Consul's cluster peering architecture. @@ -22,10 +23,10 @@ In this diagram, the `default` partition in Consul DC 1 has a cluster peering co Cluster peering leverages several components of Consul's architecture to enforce secure communication between services: -- A _peering token_ contains an embedded secret that securely establishes communication when shared symmetrically between datacenters. Sharing this token enables each datacenter's server agents to recognize requests from authorized peers, similar to how the [gossip encryption key secures agent LAN gossip](/consul/docs/security/encryption#gossip-encryption). +- A _peering token_ contains an embedded secret that securely establishes communication when shared symmetrically between datacenters. Sharing this token enables each datacenter's server agents to recognize requests from authorized peers, similar to how the [gossip encryption key secures agent LAN gossip](/consul/docs/secure-consul/encryption#gossip-encryption). - A _mesh gateway_ encrypts outgoing traffic, decrypts incoming traffic, and directs traffic to healthy services. Consul's service mesh features must be enabled in order to use mesh gateways. Mesh gateways support the specific admin partitions they are deployed on. Refer to [Mesh gateways](/consul/docs/connect/gateways/mesh-gateway) for more information. - An _exported service_ communicates with downstreams deployed in other admin partitions. They are explicitly defined in an [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services). -- A _service intention_ secures [service-to-service communication in a service mesh](/consul/docs/connect/intentions). Intentions enable identity-based access between services by exchanging TLS certificates, which the service's sidecar proxy verifies upon each request. +- A _service intention_ secures [service-to-service communication in a service mesh](/consul/docs/secure-mesh/intentions). Intentions enable identity-based access between services by exchanging TLS certificates, which the service's sidecar proxy verifies upon each request. ### Compared with WAN federation @@ -45,6 +46,7 @@ Regardless of whether you connect your clusters through WAN federation or cluste | Replicates exported services for service discovery | ❌ | ✅ | | Gossip protocol: Requires LAN gossip only | ❌ | ✅ | | Forwards service requests for service discovery | ✅ | ❌ | +| Shares key/value stores | ✅ | ❌ | | Can replicate ACL tokens, policies, and roles | ✅ | ❌ | ## Guidance @@ -57,22 +59,29 @@ The following resources are available to help you use Consul's cluster peering f ### Usage documentation -- [Establish cluster peering connections](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering) -- [Manage cluster peering connections](/consul/docs/connect/cluster-peering/usage/manage-connections) -- [Manage L7 traffic with cluster peering](/consul/docs/connect/cluster-peering/usage/peering-traffic-management) -- [Create sameness groups](/consul/docs/connect/cluster-peering/usage/create-sameness-groups) +- [Establish cluster peering connections](/consul/docs/east-west/cluster-peering/establish-connection/vm) +- [Manage cluster peering connections](/consul/docs/east-west/cluster-peering/manage-connection/vm) +- [Manage L7 traffic with cluster peering](/consul/docs/east-west/cluster-peering/usage/peering-traffic-management) +- [Create sameness groups](/consul/docs/east-west/cluster-peering/usage/create-sameness-groups) ### Kubernetes documentation - [Cluster peering on Kubernetes technical specifications](/consul/docs/k8s/connect/cluster-peering/tech-specs) -- [Establish cluster peering connections on Kubernetes](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering) -- [Manage cluster peering connections on Kubernetes](/consul/docs/k8s/connect/cluster-peering/usage/manage-peering) +- [Establish cluster peering connections on Kubernetes](/consul/docs/east-west/cluster-peering/establish-connection/k8s) +- [Manage cluster peering connections on Kubernetes](/consul/docs/east-west/cluster-peering/manage-connection/k8s) - [Manage L7 traffic with cluster peering on Kubernetes](/consul/docs/k8s/connect/cluster-peering/usage/l7-traffic) -- [Create sameness groups on Kubernetes](/consul/docs/k8s/connect/cluster-peering/usage/create-sameness-groups) +- [Create sameness groups on Kubernetes](/consul/docs/east-west/sameness-group) + +### HCP Consul documentation + +- [Cluster peering](/hcp/docs/consul/usage/cluster-peering) +- [Cluster peering topologies](/hcp/docs/consul/usage/cluster-peering/topologies) +- [Establish cluster peering connections on HCP Consul](/hcp/docs/consul/usage/cluster-peering/create-connections) +- [Cluster peering with HCP Consul Central](/hcp/docs/extend/cluster-peering/establish) ### Reference documentation -- [Cluster peering technical specifications](/consul/docs/connect/cluster-peering/tech-specs) +- [Cluster peering technical specifications](/consul/docs/east-west/cluster-peering/tech-specs) - [HTTP API reference: `/peering/` endpoint](/consul/api-docs/peering) - [CLI reference: `peering` command](/consul/commands/peering). @@ -82,7 +91,7 @@ If you experience errors when using Consul's cluster peering features, refer to - Peer names can only contain lowercase characters. - Services with node, instance, and check definitions totaling more than 8MB cannot be exported to a peer. -- Two admin partitions in the same datacenter cannot be peered. Use the [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services#exporting-services-to-peered-clusters) instead. -- To manage intentions that specify services in peered clusters, use [configuration entries](/consul/docs/connect/config-entries/service-intentions). The `consul intention` CLI command is not supported. +- Two admin partitions in the same datacenter cannot be peered. Use the [`exported-services` configuration entry](/consul/docs/reference/config-entry/exported-services#exporting-services-to-peered-clusters) instead. +- To manage intentions that specify services in peered clusters, use [configuration entries](/consul/docs/reference/config-entry/service-intention). The `consul intention` CLI command is not supported. - The Consul UI does not support exporting services between clusters or creating service intentions. Use either the API or the CLI to complete these required steps when establishing new cluster peering connections. - Accessing key/value stores across peers is not supported. diff --git a/website/content/docs/k8s/connect/cluster-peering/usage/manage-peering.mdx b/website/content/docs/east-west/cluster-peering/manage/k8s.mdx similarity index 95% rename from website/content/docs/k8s/connect/cluster-peering/usage/manage-peering.mdx rename to website/content/docs/east-west/cluster-peering/manage/k8s.mdx index 42f8fc59832..c327f2b1c5b 100644 --- a/website/content/docs/k8s/connect/cluster-peering/usage/manage-peering.mdx +++ b/website/content/docs/east-west/cluster-peering/manage/k8s.mdx @@ -11,7 +11,7 @@ This usage topic describes how to manage cluster peering connections on Kubernet After you establish a cluster peering connection, you can get a list of all active peering connections, read a specific peering connection's information, and delete peering connections. -For general guidance for managing cluster peering connections, refer to [Manage L7 traffic with cluster peering](/consul/docs/connect/cluster-peering/usage/peering-traffic-management). +For general guidance for managing cluster peering connections, refer to [Manage L7 traffic with cluster peering](/consul/docs/east-west/cluster-peering/usage/peering-traffic-management). ## Reset a peering connection @@ -38,7 +38,7 @@ To reset the cluster peering connection, you need to generate a new peering toke -1. After updating `PeeringAcceptor`, repeat all of the steps to [establish a new peering connection](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering). +1. After updating `PeeringAcceptor`, repeat all of the steps to [establish a new peering connection](/consul/docs/east-west/cluster-peering/establish-connection/k8s). ## List all peering connections diff --git a/website/content/docs/connect/cluster-peering/usage/manage-connections.mdx b/website/content/docs/east-west/cluster-peering/manage/vm.mdx similarity index 98% rename from website/content/docs/connect/cluster-peering/usage/manage-connections.mdx rename to website/content/docs/east-west/cluster-peering/manage/vm.mdx index a4e92373328..19b01c0cf21 100644 --- a/website/content/docs/connect/cluster-peering/usage/manage-connections.mdx +++ b/website/content/docs/east-west/cluster-peering/manage/vm.mdx @@ -11,7 +11,7 @@ This usage topic describes how to manage cluster peering connections using the C After you establish a cluster peering connection, you can get a list of all active peering connections, read a specific peering connection's information, and delete peering connections. -For Kubernetes-specific guidance for managing cluster peering connections, refer to [Manage cluster peering connections on Kubernetes](/consul/docs/k8s/connect/cluster-peering/usage/manage-peering). +For Kubernetes-specific guidance for managing cluster peering connections, refer to [Manage cluster peering connections on Kubernetes](/consul/docs/east-west/cluster-peering/manage-connection/k8s). ## List all peering connections diff --git a/website/content/docs/connect/cluster-peering/tech-specs.mdx b/website/content/docs/east-west/cluster-peering/tech-specs.mdx similarity index 83% rename from website/content/docs/connect/cluster-peering/tech-specs.mdx rename to website/content/docs/east-west/cluster-peering/tech-specs.mdx index 36c7dc9d913..45bc9bbffb8 100644 --- a/website/content/docs/connect/cluster-peering/tech-specs.mdx +++ b/website/content/docs/east-west/cluster-peering/tech-specs.mdx @@ -7,7 +7,7 @@ description: >- # Cluster peering technical specifications -This reference topic describes the technical specifications associated with using cluster peering in your deployments. These specifications include required Consul components and their configurations. To learn more about Consul's cluster peering feature, refer to [cluster peering overview](/consul/docs/connect/cluster-peering). +This reference topic describes the technical specifications associated with using cluster peering in your deployments. These specifications include required Consul components and their configurations. To learn more about Consul's cluster peering feature, refer to [cluster peering overview](/consul/docs/east-west/cluster-peering). For cluster peering requirements in Kubernetes deployments, refer to [cluster peering on Kubernetes technical specifications](/consul/docs/k8s/connect/cluster-peering/tech-specs). @@ -18,7 +18,7 @@ Consul's default configuration supports cluster peering connections directly bet In addition, make sure your Consul environment meets the following prerequisites: - Consul v1.14 or higher. -- Use [Envoy proxies](/consul/docs/connect/proxies/envoy). Envoy is the only proxy with mesh gateway capabilities in Consul. +- Use [Envoy proxies](/consul/docs/reference/proxy/envoy). Envoy is the only proxy with mesh gateway capabilities in Consul. - A local Consul agent is required to manage mesh gateway configurations. ## Mesh gateway specifications @@ -49,31 +49,31 @@ When cluster peering through mesh gateways, consider the following deployment re - A cluster requires a registered mesh gateway in order to export services to peers in other regions or cloud providers. - The mesh gateway must also be registered in the same admin partition as the exported services and their `exported-services` configuration entry. An enterprise license is required to use multiple admin partitions with a single cluster of Consul servers. - To use the `local` mesh gateway mode, you must register a mesh gateway in the importing cluster. -- Define the `Proxy.Config` settings using opaque parameters compatible with your proxy. Refer to the [Gateway options](/consul/docs/connect/proxies/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) documentation for additional Envoy proxy configuration information. +- Define the `Proxy.Config` settings using opaque parameters compatible with your proxy. Refer to the [Gateway options](/consul/docs/reference/proxy/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/reference/proxy/envoy#escape-hatch-overrides) documentation for additional Envoy proxy configuration information. ### Mesh gateway modes -By default, cluster peering connections use mesh gateways in [remote mode](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters#remote). Be aware of these additional requirements when changing a mesh gateway's mode. +By default, cluster peering connections use mesh gateways in [remote mode](/consul/docs/east-west/mesh-gateway/federation#remote). Be aware of these additional requirements when changing a mesh gateway's mode. - For mesh gateways that connect peered clusters, you can set the `mode` as either `remote` or `local`. - The `none` mode is invalid for mesh gateways with cluster peering connections. -Refer to [mesh gateway modes](/consul/docs/connect/gateways/mesh-gateway#modes) for more information. +Refer to [mesh gateway modes](/consul/docs/east-west/mesh-gateway/#modes) for more information. ## Sidecar proxy specifications -The Envoy proxies that function as sidecars in your service mesh require configuration in order to properly route traffic to peers. Sidecar proxies are defined in the [service definition](/consul/docs/services/usage/define-services). +The Envoy proxies that function as sidecars in your service mesh require configuration in order to properly route traffic to peers. Sidecar proxies are defined in the [service definition](/consul/docs/register/service/vm/define). -- Configure the `proxy.upstreams` parameters to route traffic to the correct service, namespace, and peer. Refer to the [`upstreams`](/consul/docs/connect/proxies/proxy-config-reference#upstream-configuration-reference) documentation for details. +- Configure the `proxy.upstreams` parameters to route traffic to the correct service, namespace, and peer. Refer to the [`upstreams`](/consul/docs/reference/proxy/connect-proxy#upstream-configuration-reference) documentation for details. - The `proxy.upstreams.destination_name` parameter is always required. - The `proxy.upstreams.destination_peer` parameter must be configured to enable cross-cluster traffic. - The `proxy.upstream/destination_namespace` configuration is only necessary if the destination service is in a non-default namespace. ## Exported service specifications -The `exported-services` configuration entry is required in order for services to communicate across partitions with cluster peering connections. Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering#export-services-between-clusters). +The `exported-services` configuration entry is required in order for services to communicate across partitions with cluster peering connections. Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/east-west/cluster-peering/establish-connection/vm#export-services-between-clusters). -Refer to the [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) reference for more information. +Refer to the [`exported-services` configuration entry](/consul/docs/reference/config-entry/exported-services) reference for more information. ## ACL specifications diff --git a/website/content/docs/east-west/index.mdx b/website/content/docs/east-west/index.mdx new file mode 100644 index 00000000000..8c35d67f05b --- /dev/null +++ b/website/content/docs/east-west/index.mdx @@ -0,0 +1,45 @@ +--- +layout: docs +page_title: Link east/west network segments +description: >- + This topic provides an overview of linking segments of your service mesh in an east/west direction. You can extend your service mesh across regions, runtimes, and cloud providers with cluster peering or WAN federation. +--- + +# Link east/west network segments + +This topic provides an overview of the strategies and processes for linking defined segments of your service mesh to extend east/west operations across cloud regions, runtimes, and platforms. Linking network segments into an extended service mesh enables advanced strategies for deploying and monitoring service operations in your network. + +For more information about how to divide your network, including the difference between deployment strategies enabled by methods such as WAN federation and cluster peering, refer to [segment network](/consul/docs/segment). + +## Introduction + +Consul supports two general strategies for extending east/west service mesh traffic across your network: + +- Cluster peering +- Wide Area Network (WAN) federation + +Consul community edition supports basic cluster peering and federation scenarios. Implementing advanced scenarios such as federated network areas and cluster peering between multiple admin partitions in datacenters require Consul Enterprise. Refer to [Consul Enterprise](consul/docs/enterprise) for more information. + +## Cluster peering + +@include 'text/descriptions/cluster-peering.mdx' + +## WAN federation + +@include 'text/descriptions/wan-federation.mdx' + +## Federated network areas + +@include 'text/descriptions/network-area.mdx' + +## Secure communication with mesh gateways + +@include 'text/descriptions/mesh-gateway.mdx' + +## Guidance + +@include 'text/guidance/east-west.mdx' + +## Constraints, limitations, and troubleshooting + +@include 'text/limitations/east-west.mdx' \ No newline at end of file diff --git a/website/content/docs/east-west/k8s.mdx b/website/content/docs/east-west/k8s.mdx new file mode 100644 index 00000000000..3b12c198769 --- /dev/null +++ b/website/content/docs/east-west/k8s.mdx @@ -0,0 +1,55 @@ +--- +layout: docs +page_title: Link east/west network segments on Kubernetes +description: >- + This topic provides an overview of linking segments of your service mesh in an east/west direction on Kubernetes. You can extend your service mesh across regions and cloud providers with cluster peering or WAN federation. +--- + +# Link east/west network segments on Kubernetes + +This topic provides an overview of the strategies and processes for linking defined segments of your service mesh to extend east/west operations across cloud regions and platforms when running Consul on Kubernetes. Linking network segments into an extended service mesh enables advanced strategies for deploying and monitoring service operations in your network. + +For more information about how to divide your network on Kubernetes, including the difference between deployment strategies enabled by methods such as WAN federation and cluster peering, refer to [segment network](/consul/docs/segment/k8s). + +## Introduction + +Consul supports two general strategies for extending east/west service mesh traffic across your network: + +- Cluster peering +- Wide Area Network (WAN) federation + +Consul community edition supports basic cluster peering and federation scenarios. Implementing advanced scenarios such as federated network areas and cluster peering between multiple admin partitions in datacenters require Consul Enterprise. Refer to [Consul Enterprise](consul/docs/enterprise) for more information. + +## Cluster peering + +@include 'text/descriptions/cluster-peering.mdx' + +Refer to the following pages for guidance about using cluster peering with Consul on Kubernetes: + +- [Establish cluster peering connections on Kubernetes](/consul/docs/east-west/cluster-peering/establish/k8s) +- [Manage cluster peering connections on Kubernetes](/consul/docs/east-west/cluster-peering/manage/k8s) + +## WAN federation + +@include 'text/descriptions/wan-federation.mdx' + +Refer to the following pages for guidance about using WAN federation with Consul on Kubernetes: + +- [WAN federation between multiple Kubernetes clusters](/consul/docs/east-west/wan-federation/k8s) +- [WAN federation between virtual machines and Kubernetes clusters](/consul/docs/east-west/wan-federation/k8s-vm) + +## Secure communication with mesh gateways + +@include 'text/descriptions/mesh-gateway.mdx' + +## Reference documentation + +For reference material related to the processes for extending your service mesh by linking segments of your network, refer to the following pages: + +- [Proxy defaults configuration reference](/consul/docs/reference/config-entry/proxy-defaults) +- [Helm chart reference](/consul/docs/reference/reference/k8s/helm) +- [Upstream annotations reference](/consul/docs/reference/k8s/annotation-label) + +## Constraints, limitations, and troubleshooting + +@include 'text/limitations/link.mdx' \ No newline at end of file diff --git a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx b/website/content/docs/east-west/mesh-gateway/admin-partition.mdx similarity index 88% rename from website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx rename to website/content/docs/east-west/mesh-gateway/admin-partition.mdx index 4c7fe3ba2aa..acaca5dcb5c 100644 --- a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx +++ b/website/content/docs/east-west/mesh-gateway/admin-partition.mdx @@ -1,15 +1,15 @@ --- layout: docs -page_title: Enabling Service-to-service Traffic Across Admin Partitions +page_title: Enable service-to-service traffic across admin partitions description: >- Mesh gateways are specialized proxies that route data between services that cannot communicate directly with upstreams. Learn how to enable service-to-service traffic across admin partitions and review example configuration entries. --- -# Enabling Service-to-service Traffic Across Admin Partitions +# Enable service-to-service traffic across admin partitions -> **Consul Enterprise 1.11.0+:** Admin partitions are supported in Consul Enterprise versions 1.11.0 and newer. -Mesh gateways enable you to route service mesh traffic between different Consul [admin partitions](/consul/docs/enterprise/admin-partitions). +Mesh gateways enable you to route service mesh traffic between different Consul [admin partitions](/consul/docs/segment/admin-partition). Partitions can reside in different clouds or runtime environments where general interconnectivity between all services in all partitions isn't feasible. @@ -23,9 +23,9 @@ Ensure that your Consul environment meets the following requirements. * Consul Enterprise version 1.11.0 or newer. * A local Consul agent is required to manage its configuration. -* Consul service mesh must be enabled in all partitions. Refer to the [`connect` documentation](/consul/docs/agent/config/config-files#connect) for details. +* Consul service mesh must be enabled in all partitions. Refer to the [`connect` documentation](/consul/docs/reference/agent#connect) for details. * Each partition must have a unique name. Refer to the [admin partitions documentation](/consul/docs/enterprise/admin-partitions) for details. -* If you want to [enable gateways globally](/consul/docs/connect/gateways/mesh-gateway#enabling-gateways-globally) you must enable [centralized configuration](/consul/docs/agent/config/config-files#enable_central_service_config). +* If you want to [enable gateways globally](/consul/docs/east-west/mesh-gateway/#enabling-gateways-globally) you must enable [centralized configuration](/consul/docs/reference/agent#enable_central_service_config). ### Proxy @@ -43,9 +43,9 @@ Sidecar proxies that do not send upstream traffic through a gateway are not affe Configure the following settings to register the mesh gateway as a service in Consul. * Specify `mesh-gateway` in the `kind` field to register the gateway with Consul. -* Configure the `proxy.upstreams` parameters to route traffic to the correct service, namespace, and partition. Refer to the [`upstreams` documentation](/consul/docs/connect/proxies/proxy-config-reference#upstream-configuration-reference) for details. The service `proxy.upstreams.destination_name` is always required. The `proxy.upstreams.destination_partition` must be configured to enable cross-partition traffic. The `proxy.upstreams.destination_namespace` configuration is only necessary if the destination service is in a different namespace. -* Configure the `exported-services` configuration entry to enable Consul to export services contained in an admin partition to one or more additional partitions. Refer to the [Exported Services documentation](/consul/docs/connect/config-entries/exported-services) for details. -* Define the `Proxy.Config` settings using opaque parameters compatible with your proxy, i.e., Envoy. For Envoy, refer to the [Gateway Options](/consul/docs/connect/proxies/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) documentation for additional configuration information. +* Configure the `proxy.upstreams` parameters to route traffic to the correct service, namespace, and partition. Refer to the [`upstreams` documentation](/consul/docs/reference/proxy/connect-proxy#upstream-configuration-reference) for details. The service `proxy.upstreams.destination_name` is always required. The `proxy.upstreams.destination_partition` must be configured to enable cross-partition traffic. The `proxy.upstreams.destination_namespace` configuration is only necessary if the destination service is in a different namespace. +* Configure the `exported-services` configuration entry to enable Consul to export services contained in an admin partition to one or more additional partitions. Refer to the [Exported Services documentation](/consul/docs/reference/config-entry/exported-services) for details. +* Define the `Proxy.Config` settings using opaque parameters compatible with your proxy, i.e., Envoy. For Envoy, refer to the [Gateway Options](/consul/docs/reference/proxy/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/reference/proxy/envoy#escape-hatch-overrides) documentation for additional configuration information. * If ACLs are enabled, a token granting `service:write` for the gateway's service name and `service:read` for all services in the datacenter or partition must be added to the gateway's service definition. These permissions authorize the token to route communications for other Consul service mesh services, but does not allow decrypting any of their communications. ### Modes @@ -148,7 +148,7 @@ spec: ### Enabling Gateways for a Service Instance -The following [proxy service configuration](/consul/docs/connect/proxies/deploy-service-mesh-proxies) +The following [proxy service configuration](/consul/docs/deploy/service-mesh/deploy-proxy) enables gateways for `web` service instances in the `finance` partition. diff --git a/website/content/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways.mdx b/website/content/docs/east-west/mesh-gateway/cluster-peer.mdx similarity index 75% rename from website/content/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways.mdx rename to website/content/docs/east-west/mesh-gateway/cluster-peer.mdx index 97334950f62..5c2434e1885 100644 --- a/website/content/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways.mdx +++ b/website/content/docs/east-west/mesh-gateway/cluster-peer.mdx @@ -1,13 +1,13 @@ --- layout: docs -page_title: Enabling Peering Control Plane Traffic +page_title: Enable control plane traffic between cluster peers description: >- Mesh gateways are specialized proxies that route data between services that cannot communicate directly. Learn how to enable traffic across clusters in different datacenters or admin partitions that have an established peering connection. --- -# Enabling Peering Control Plane Traffic +# Enable control plane traffic between cluster peers -This topic describes how to configure a mesh gateway to route control plane traffic between Consul clusters that share a peer connection. For information about routing service traffic between cluster peers through a mesh gateway, refer to [Enabling Service-to-service Traffic Across Admin Partitions](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions). +This topic describes how to configure a mesh gateway to route control plane traffic between Consul clusters that share a peer connection. For information about routing service traffic between cluster peers through a mesh gateway, refer to [Enabling Service-to-service Traffic Across Admin Partitions](/consul/docs/east-west/mesh-gateway/admin-partition). Control plane traffic between cluster peers includes the initial secret handshake and the bi-directional stream replicating peering data. @@ -34,7 +34,7 @@ To configure mesh gateways for cluster peering control plane traffic, make sure - Consul version 1.14.0 or newer. - A local Consul agent in both clusters is required to manage mesh gateway configuration. -- Use [Envoy proxies](/consul/docs/connect/proxies/envoy). Envoy is the only proxy with mesh gateway capabilities in Consul. +- Use [Envoy proxies](/consul/docs/reference/proxy/envoy). Envoy is the only proxy with mesh gateway capabilities in Consul. ## Configuration @@ -45,8 +45,8 @@ Configure the following settings to register and use the mesh gateway as a servi Register a mesh gateway in each of cluster that will be peered. - Specify `mesh-gateway` in the `kind` field to register the gateway with Consul. -- Define the `Proxy.Config` settings using opaque parameters compatible with your proxy. For Envoy, refer to the [Gateway Options](/consul/docs/connect/proxies/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) documentation for additional configuration information. -- Apply a [Mesh config entry](/consul/docs/connect/config-entries/mesh#peer-through-mesh-gateways) with `PeerThroughMeshGateways = true`. See [modes](#modes) for a discussion of when to apply this. +- Define the `Proxy.Config` settings using opaque parameters compatible with your proxy. For Envoy, refer to the [Gateway Options](/consul/docs/reference/proxy/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/reference/proxy/envoy#escape-hatch-overrides) documentation for additional configuration information. +- Apply a [Mesh config entry](/consul/docs/reference/config-entry/mesh#peer-through-mesh-gateways) with `PeerThroughMeshGateways = true`. See [modes](#modes) for a discussion of when to apply this. Alternatively, you can also use the CLI to spin up and register a gateway in Consul. For additional information, refer to the [`consul connect envoy` command](/consul/commands/connect/envoy#mesh-gateways). @@ -57,7 +57,7 @@ For Consul Enterprise clusters, mesh gateways must be registered in the "default -In addition to the [ACL Configuration](/consul/docs/connect/cluster-peering/tech-specs#acl-specifications) necessary for service-to-service traffic, mesh gateways that route peering control plane traffic must be granted `peering:read` access to all peerings. +In addition to the [ACL Configuration](/consul/docs/east-west/cluster-peering/tech-specs#acl-specifications) necessary for service-to-service traffic, mesh gateways that route peering control plane traffic must be granted `peering:read` access to all peerings. This access allows the mesh gateway to list all peerings in a Consul cluster and generate unique routing per peered datacenter. @@ -79,7 +79,7 @@ peering = "read" -In addition to the [ACL Configuration](/consul/docs/connect/cluster-peering/tech-specs#acl-specifications) necessary for service-to-service traffic, mesh gateways that route peering control plane traffic must be granted `peering:read` access to all peerings in all partitions. +In addition to the [ACL Configuration](/consul/docs/east-west/cluster-peering/tech-specs#acl-specifications) necessary for service-to-service traffic, mesh gateways that route peering control plane traffic must be granted `peering:read` access to all peerings in all partitions. This access allows the mesh gateway to list all peerings in a Consul cluster and generate unique routing per peered partition. @@ -131,9 +131,9 @@ spec: ``` -By setting this mesh config on a cluster before [creating a peering token](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering#create-a-peering-token), inbound control plane traffic will be sent through the mesh gateway registered this cluster, also known the accepting cluster. +By setting this mesh config on a cluster before [creating a peering token](/consul/docs/east-west/cluster-peering/establish-connection/vm#create-a-peering-token), inbound control plane traffic will be sent through the mesh gateway registered this cluster, also known the accepting cluster. As mesh gateway instances are registered at the accepting cluster, their addresses will be exposed to the dialing cluster over the bi-directional peering stream. -Setting this mesh config on a cluster before [establishing a connection](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering#establish-a-connection-between-clusters) will cause the outbound control plane traffic to flow through the mesh gateway. +Setting this mesh config on a cluster before [establishing a connection](/consul/docs/east-west/cluster-peering/establish-connection/vm#establish-a-connection-between-clusters) will cause the outbound control plane traffic to flow through the mesh gateway. To route all peering control plane traffic though mesh gateways, both the accepting and dialing cluster must have the mesh config entry applied. diff --git a/website/content/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways.mdx b/website/content/docs/east-west/mesh-gateway/enable.mdx similarity index 91% rename from website/content/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways.mdx rename to website/content/docs/east-west/mesh-gateway/enable.mdx index d637a8f1346..cf577eb8bbe 100644 --- a/website/content/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways.mdx +++ b/website/content/docs/east-west/mesh-gateway/enable.mdx @@ -1,21 +1,21 @@ --- layout: docs -page_title: Enabling WAN Federation Control Plane Traffic +page_title: Enable WAN federation control plane traffic description: >- You can use mesh gateways to simplify the networking requirements for WAN federated Consul datacenters. Mesh gateways reduce cross-datacenter connection paths, ports, and communication protocols. --- -# Enabling WAN Federation Control Plane Traffic +# Enable WAN federation control plane traffic -> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher -~> This topic requires familiarity with [mesh gateways](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters). +~> This topic requires familiarity with [mesh gateways](/consul/docs/east-west/mesh-gateway/federation). WAN federation via mesh gateways allows for Consul servers in different datacenters to be federated exclusively through mesh gateways. When setting up a -[multi-datacenter](/consul/tutorials/networking/federation-gossip-wan) +[multi-datacenter](/consul/docs/east-west/wan-federation/create) Consul cluster, operators must ensure that all Consul servers in every datacenter must be directly connectable over their WAN-advertised network address from each other. @@ -38,7 +38,7 @@ Sometimes this prerequisite is difficult or undesirable to meet: Operators looking to simplify their WAN deployment and minimize the exposed security surface area can elect to join these datacenters together using [mesh -gateways](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters) to do so. +gateways](/consul/docs/east-west/mesh-gateway/federation) to do so. [![WAN federation with mesh gateways](/img/wan-federation-connectivity-mesh-gateways.png)](/img/wan-federation-connectivity-mesh-gateways.png) @@ -102,7 +102,7 @@ each datacenter otherwise the WAN will become only partly connected. There are a few necessary additional pieces of configuration beyond those required for standing up a -[multi-datacenter](/consul/tutorials/networking/federation-gossip-wan) +[multi-datacenter](/consul/docs/east-west/wan-federation/create) Consul cluster. Consul servers in the _primary_ datacenter should add this snippet to the @@ -126,8 +126,8 @@ connect { } ``` -The [`retry_join_wan`](/consul/docs/agent/config/config-files#retry_join_wan) addresses are -only used for the [traditional federation process](/consul/docs/k8s/deployment-configurations/multi-cluster#traditional-wan-federation). +The [`retry_join_wan`](/consul/docs/reference/agent#retry_join_wan) addresses are +only used for the [traditional federation process](/consul/docs/east-west/wan-federation#traditional-wan-federation). They must be omitted when federating Consul servers via gateways. -> The `primary_gateways` configuration can also use `go-discover` syntax just @@ -194,7 +194,7 @@ If the primary gateways are upgraded, and their previous instances are decommiss before the updates are propagated, then the primary datacenter will become unreachable. To safely upgrade primary gateways, we recommend that you apply one of the following policies: -- Avoid decommissioning primary gateway IP addresses. This is because the [primary_gateways](/consul/docs/agent/config/config-files#primary_gateways) addresses configured on the secondary servers act as a fallback mechanism for re-establishing connectivity to the primary. +- Avoid decommissioning primary gateway IP addresses. This is because the [primary_gateways](/consul/docs/reference/agent#primary_gateways) addresses configured on the secondary servers act as a fallback mechanism for re-establishing connectivity to the primary. - Verify that addresses of the new mesh gateways in the primary were propagated to the secondary datacenters before decommissioning the old mesh gateways in the primary. diff --git a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx b/website/content/docs/east-west/mesh-gateway/federation.mdx similarity index 84% rename from website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx rename to website/content/docs/east-west/mesh-gateway/federation.mdx index d9df2de8f18..03f2c7d54de 100644 --- a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx +++ b/website/content/docs/east-west/mesh-gateway/federation.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Enabling Service-to-service Traffic Across WAN Federated Datacenters +page_title: Enable service-to-service traffic across WAN-federated datacenters description: >- Mesh gateways are specialized proxies that route data between services that cannot communicate directly. Learn how to enable service-to-service traffic across wan-federated datacenters and review example configuration entries. --- -# Enabling Service-to-service Traffic Across WAN Federated Datacenters +# Enable service-to-service traffic across WAN-federated datacenters -> **1.6.0+:** This feature is available in Consul versions 1.6.0 and newer. @@ -29,12 +29,12 @@ Ensure that your Consul environment meets the following requirements. * Consul version 1.6.0 or newer. * A local Consul agent is required to manage its configuration. -* Consul [service mesh](/consul/docs/agent/config/config-files#connect) must be enabled in both datacenters. -* Each [datacenter](/consul/docs/agent/config/config-files#datacenter) must have a unique name. -* Each datacenters must be [WAN joined](/consul/tutorials/networking/federation-gossip-wan). -* The [primary datacenter](/consul/docs/agent/config/config-files#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for service mesh certificates and is required for services in all datacenters to establish mutual TLS with each other. -* [gRPC](/consul/docs/agent/config/config-files#grpc_port) must be enabled. -* If you want to [enable gateways globally](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters#enabling-gateways-globally) you must enable [centralized configuration](/consul/docs/agent/config/config-files#enable_central_service_config). +* Consul [service mesh](/consul/docs/reference/agent#connect) must be enabled in both datacenters. +* Each [datacenter](/consul/docs/reference/agent#datacenter) must have a unique name. +* Each datacenters must be [WAN joined](/consul/docs/east-west/wan-federation/create). +* The [primary datacenter](/consul/docs/reference/agent#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for service mesh certificates and is required for services in all datacenters to establish mutual TLS with each other. +* [gRPC](/consul/docs/reference/agent#grpc_port) must be enabled. +* If you want to [enable gateways globally](/consul/docs/east-west/mesh-gateway/federation#enabling-gateways-globally) you must enable [centralized configuration](/consul/docs/reference/agent#enable_central_service_config). ### Network @@ -57,8 +57,8 @@ Sidecar proxies that do not send upstream traffic through a gateway are not affe Configure the following settings to register the mesh gateway as a service in Consul. * Specify `mesh-gateway` in the `kind` field to register the gateway with Consul. -* Configure the `proxy.upstreams` parameters to route traffic to the correct service, namespace, and datacenter. Refer to the [`upstreams` documentation](/consul/docs/connect/proxies/proxy-config-reference#upstream-configuration-reference) for details. The service `proxy.upstreams.destination_name` is always required. The `proxy.upstreams.datacenter` must be configured to enable cross-datacenter traffic. The `proxy.upstreams.destination_namespace` configuration is only necessary if the destination service is in a different namespace. -* Define the `Proxy.Config` settings using opaque parameters compatible with your proxy (i.e., Envoy). For Envoy, refer to the [Gateway Options](/consul/docs/connect/proxies/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) documentation for additional configuration information. +* Configure the `proxy.upstreams` parameters to route traffic to the correct service, namespace, and datacenter. Refer to the [`upstreams` documentation](/consul/docs/reference/proxy/connect-proxy#upstream-configuration-reference) for details. The service `proxy.upstreams.destination_name` is always required. The `proxy.upstreams.datacenter` must be configured to enable cross-datacenter traffic. The `proxy.upstreams.destination_namespace` configuration is only necessary if the destination service is in a different namespace. +* Define the `Proxy.Config` settings using opaque parameters compatible with your proxy (i.e., Envoy). For Envoy, refer to the [Gateway Options](/consul/docs/reference/proxy/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/reference/proxy/envoy#escape-hatch-overrides) documentation for additional configuration information. * If ACLs are enabled, a token granting `service:write` for the gateway's service name and `service:read` for all services in the datacenter or partition must be added to the gateway's service definition. These permissions authorize the token to route communications for other Consul service mesh services, but does not allow decrypting any of their communications. ### Modes @@ -157,12 +157,13 @@ spec: "Mode": "local" } } +``` ### Enabling Gateways for a Service Instance -The following [proxy service configuration](/consul/docs/connect/proxies/deploy-service-mesh-proxies) +The following [proxy service configuration](/consul/docs/deploy/service-mesh/deploy-proxy) enables gateways for the service instance in the `remote` mode. @@ -275,6 +276,7 @@ service { } } ``` + ```json { "service": { diff --git a/website/content/docs/connect/gateways/mesh-gateway/index.mdx b/website/content/docs/east-west/mesh-gateway/index.mdx similarity index 85% rename from website/content/docs/connect/gateways/mesh-gateway/index.mdx rename to website/content/docs/east-west/mesh-gateway/index.mdx index efb1bc1066e..6023d25920b 100644 --- a/website/content/docs/connect/gateways/mesh-gateway/index.mdx +++ b/website/content/docs/east-west/mesh-gateway/index.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Mesh Gateways +page_title: Mesh gateways overview description: >- Mesh gateways are specialized proxies that route data between services that cannot communicate directly. Learn how mesh gateways are used in different Consul configurations. --- -# Mesh Gateways +# Mesh gateways overview Mesh gateways enable service mesh traffic to be routed between different Consul datacenters. Datacenters can reside in different clouds or runtime environments where general interconnectivity between all services in all datacenters isn't feasible. @@ -15,13 +15,13 @@ Datacenters can reside in different clouds or runtime environments where general Mesh gateways can be used with any of the following Consul configurations for managing separate datacenters or partitions. 1. WAN Federation - * [Mesh gateways can be used to route service-to-service traffic between datacenters](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters) - * [Mesh gateways can be used to route all WAN traffic, including from Consul servers](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways) + * [Mesh gateways can be used to route service-to-service traffic between datacenters](/consul/docs/east-west/mesh-gateway/federation) + * [Mesh gateways can be used to route all WAN traffic, including from Consul servers](/consul/docs/east-west/mesh-gateway/enable) 2. Cluster Peering - * [Mesh gateways can be used to route service-to-service traffic between datacenters](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering) - * [Mesh gateways can be used to route control-plane traffic from Consul servers](/consul/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways) + * [Mesh gateways can be used to route service-to-service traffic between datacenters](/consul/docs/east-west/cluster-peering/establish-connection/vm) + * [Mesh gateways can be used to route control-plane traffic from Consul servers](/consul/docs/east-west/mesh-gateway/cluster-peer) 3. Admin Partitions - * [Mesh gateways can be used to route service-to-service traffic between admin partitions in the same Consul datacenter](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions) + * [Mesh gateways can be used to route service-to-service traffic between admin partitions in the same Consul datacenter](/consul/docs/east-west/mesh-gateway/admin-partition) ### Consul @@ -48,8 +48,8 @@ Sidecar proxies that do not send upstream traffic through a gateway are not affe Configure the following settings to register the mesh gateway as a service in Consul. * Specify `mesh-gateway` in the `kind` field to register the gateway with Consul. -* Configure the `proxy.upstreams` parameters to route traffic to the correct service, namespace, and datacenter. Refer to the [`upstreams` documentation](/consul/docs/connect/proxies/proxy-config-reference#upstream-configuration-reference) for details. The service `proxy.upstreams.destination_name` is always required. The `proxy.upstreams.datacenter` must be configured to enable cross-datacenter traffic. The `proxy.upstreams.destination_namespace` configuration is only necessary if the destination service is in a different namespace. -* Define the `Proxy.Config` settings using opaque parameters compatible with your proxy (i.e., Envoy). For Envoy, refer to the [Gateway Options](/consul/docs/connect/proxies/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) documentation for additional configuration information. +* Configure the `proxy.upstreams` parameters to route traffic to the correct service, namespace, and datacenter. Refer to the [`upstreams` documentation](/consul/docs/reference/proxy/connect-proxy#upstream-configuration-reference) for details. The service `proxy.upstreams.destination_name` is always required. The `proxy.upstreams.datacenter` must be configured to enable cross-datacenter traffic. The `proxy.upstreams.destination_namespace` configuration is only necessary if the destination service is in a different namespace. +* Define the `Proxy.Config` settings using opaque parameters compatible with your proxy (i.e., Envoy). For Envoy, refer to the [Gateway Options](/consul/docs/reference/proxy/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/reference/proxy/envoy#escape-hatch-overrides) documentation for additional configuration information. * If ACLs are enabled, a token granting `service:write` for the gateway's service name and `service:read` for all services in the datacenter or partition must be added to the gateway's service definition. These permissions authorize the token to route communications for other Consul service mesh services, but does not allow decrypting any of their communications. ### Modes @@ -154,7 +154,7 @@ spec: ### Enabling Gateways for a Service Instance -The following [proxy service configuration](/consul/docs/connect/proxies/deploy-service-mesh-proxies) +The following [proxy service configuration](/consul/docs/deploy/service-mesh/deploy-proxy) enables gateways for the service instance in the `remote` mode. @@ -307,3 +307,11 @@ service { ``` + +## Guidance + +The following usage documentation is available to help you use mesh gateways in different deployment strategies: + +- [Enable service-to-service traffic across admin partitions](/consul/docs/east-west/mesh-gateway/federation) +- [Enable service-to-service traffic across cluster peers](/consul/docs/east-west/mesh-gateway/federation) +- [Enable service-to-service traffic across WAN-federated datacenters](/consul/docs/east-west/mesh-gateway/federation) \ No newline at end of file diff --git a/website/content/docs/east-west/network-area.mdx b/website/content/docs/east-west/network-area.mdx new file mode 100644 index 00000000000..c600e11051f --- /dev/null +++ b/website/content/docs/east-west/network-area.mdx @@ -0,0 +1,211 @@ +--- +layout: docs +page_title: Federate multiple datacenters with network areas +description: >- + Use network areas for advanced datacenter federation. Network areas specify a relationship between a pair of Consul datacenters. +--- + +# Federate multiple datacenters with network areas + + + + The network area functionality demonstrated here requires version 0.8.0+ of HashiCorp Cloud Platform (HCP) or self-managed [Consul Enterprise](https://www.hashicorp.com/products/consul/pricing/). If you've purchased or wish to try out Consul Enterprise, refer to [how to access Consul Enterprise](/consul/docs/enterprise#access-consul-enterprise). + + + +One of the key features of Consul is its support for multiple datacenters. The architecture of Consul is designed to promote a low coupling of datacenters so that connectivity issues or failure of any datacenter does not impact the availability of Consul in other datacenters. This means each datacenter runs independently, each having a dedicated group of servers and a private LAN gossip pool. + +This tutorial covers the advanced form of federating Consul datacenters using the new network areas capability added in Consul Enterprise version 0.8.0. For the basic form of federation available in the open source version of Consul, check the [basic federation tutorial](/consul/docs/east-west/wan-federation/create) for more details. + +## Configure advanced federation + +To get started, follow the [Deployment Guide](/consul/tutorials/production-deploy/deployment-guide) to start each datacenter. After bootstrapping, you should have two datacenters now which will be referred to, during this tutorial, as `dc1` and `dc2`. Note that datacenter names are opaque to Consul; they are simply labels that help human operators reason about the Consul datacenters. + +A compatible pair of areas must be created in each datacenter: + + + +```shell-session +$ consul operator area create -peer-datacenter=dc2 +Created area "beb39435-43e8-5979-7c11-b5e011e04f51" with peer datacenter "dc2"! +``` + + + + + +```shell-session +$ consul operator area create -peer-datacenter=dc1 +Created area "37465cea-f00e-106e-f1ba-fe70b425ec4d" with peer datacenter "dc1"! +``` + + + +Now you can query for the members of the area: + + + +```shell-session +$ consul operator area members +Area Node Address Status Build Protocol DC RTT +beb39435-43e8-5979-7c11-b5e011e04f51 server.dc1 10.20.10.11:8300 alive 1.6.2+ent 2 dc1 0s +``` + + + +-> Until servers are not joined in a network area the command output will show only local servers. + +## Join servers + +Consul will automatically make sure that all servers within the datacenter where the area was created are joined to the area using the LAN information. You need to join with at least one Consul server in the other datacenter to complete the area: + + + +```shell-session +$ consul operator area join -peer-datacenter=dc2 10.20.10.12 +Address Joined Error +10.20.10.12 true (none) +``` + + + +With a successful join, the remote Consul servers should now be listed as part of the area's members: + + + +```shell-session +$ consul operator area members +Area Node Address Status Build Protocol DC RTT +beb39435-43e8-5979-7c11-b5e011e04f51 server.dc1 10.20.10.11:8300 alive 1.6.2+ent 2 dc1 0s +beb39435-43e8-5979-7c11-b5e011e04f51 server.dc2 10.20.10.12:8300 alive 1.6.2+ent 2 dc2 4.359428ms +``` + + + +## Route RPCs + +Now you can route RPC commands in both directions. Here's a sample command to set a KV entry in dc2 from dc1: + + + +```shell-session +$ consul kv put -datacenter=dc2 hello_from_dc1 world +Success! Data written to: hello_from_dc1 +``` + + + +Similarly you can use the parameter to retrieve data from the other datacenter: + + + +```shell-session +$ consul kv get -datacenter=dc2 hello_from_dc1 +world +``` + + + +-> The `-datacenter` option is available for multiple commands you can refer to [Consul CLI commands](/consul/commands/) for more info on this. + +## DNS lookups + +The DNS interface supports federation as well: + + + +```shell-session +$ dig @127.0.0.1 -p 8600 consul.service.dc2.consul +; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @127.0.0.1 -p 8600 consul.service.dc2.consul +; (1 server found) +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45946 +;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2 +;; WARNING: recursion requested but not available + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 4096 +;; QUESTION SECTION: +;consul.service.dc2.consul. IN A + +;; ANSWER SECTION: +consul.service.dc2.consul. 0 IN A 10.20.10.12 + +;; ADDITIONAL SECTION: +consul.service.dc2.consul. 0 IN TXT "consul-network-segment=" + +;; Query time: 5 msec +;; SERVER: 127.0.0.1#8600(127.0.0.1) +;; WHEN: Wed Jan 08 12:12:33 UTC 2020 +;; MSG SIZE rcvd: 106 +``` + + + +There are a few networking requirements that must be satisfied for this to work. First, all server nodes must be able to talk to each other via their server RPC ports (8300/tcp). If service discovery is to be used across datacenters, the network must be able to route traffic between IP addresses across regions as well. Usually, this means that all datacenters must be connected using a VPN or other tunneling mechanism. Consul does not handle VPN or NAT traversal for you. + +The [`translate_wan_addrs`](/consul/docs/reference/agent#translate_wan_addrs) configuration provides a basic address rewriting capability. + +## Network area overview + +Consul's WAN gossip federation support relies on all Consul servers in all datacenters having full mesh connectivity via server RPC (8300/tcp) and Serf WAN (8302/tcp and 8302/udp). Securing this setup requires TLS in combination with managing a gossip keyring. With massive Consul deployments, it becomes tricky to support a full mesh with all Consul servers, and to manage the keyring. + +Consul Enterprise version 0.8.0 added support for a new federation model based on operator-created network areas. Network areas specify a relationship between a pair of Consul datacenters. Operators create reciprocal areas on each side of the relationship and then join them together, so a given Consul datacenter can participate in many areas, even when some of the peer areas cannot contact each other. This allows for more flexible relationships between Consul datacenters, such as hub/spoke or more general tree structures. Traffic between areas is all performed via server RPC (8300/tcp) so it can be secured with just TLS. + +Currently, Consul will only route RPC requests to datacenters it is immediately adjacent to via an area (or via the WAN), but future versions of Consul may add routing support. + +The following can be used to manage network areas: + +- [Network areas HTTP endpoint](/consul/api-docs/operator/area) +- [Network areas CLI](/consul/commands/operator/area) + +### Network areas and the WAN gossip pool + +Networks areas can be used alongside the Consul's WAN gossip federation model and the WAN gossip pool. This helps ease migration, and datacenters like the [primary datacenter](/consul/docs/reference/agent#primary_datacenter) are more easily managed via the WAN because they need to be available to all Consul datacenters. + +A peer datacenter can be connected via the WAN gossip pool and a network area at the same time, and RPC requests will be forwarded as long as servers are available in either. + +### Data replication + +In general, data is not replicated between different Consul datacenters. When a request is made for a resource in another datacenter, the local Consul servers forward an RPC request to the remote Consul servers for that resource and return the results. If the remote datacenter is not available, then those resources will also not be available, but that won't otherwise affect the local datacenter. There are some special situations where a limited subset of data can be replicated, such as with Consul's built-in ACL replication capability, or external tools like [consul-replicate](https://github.com/hashicorp/consul-replicate/). + +## Maintenance and troubleshooting + +### Delete network areas + +Consul does not provide a command to leave a previously joined network area, in case you want to remove the federation between two datacenters the suggested approach is to remove the network area from both: + + + +```shell-session +$ consul operator area delete -id=37465cea-f00e-106e-f1ba-fe70b425ec4d +Deleted area "37465cea-f00e-106e-f1ba-fe70b425ec4d"! +``` + + + +Once the command is execute from one of the datacenters, the federation is already removed and the servers from the other datacenter will be shown as left: + + + +```shell-session +$ consul operator area members +Area Node Address Status Build Protocol DC RTT +beb39435-43e8-5979-7c11-b5e011e04f51 server.dc1 10.20.10.11:8300 alive 1.6.2+ent 2 dc1 0s +beb39435-43e8-5979-7c11-b5e011e04f51 server.dc2 10.20.10.12:8300 left 1.6.2+ent 2 dc2 4.391502ms +``` + + + +### Functionality compatibility + +Network areas are the suggested approach when your architecture layout does not permit a full mesh connectivity between all servers across datacenters. Due to the same connectivity constraints, some of the latest Consul functionalities do not have full compatibility with network areas. + +In case you are trying to setup ACL replication using the [1.4 ACL system](/consul/docs/secure-consul/acl) or enabling Consul service mesh with CA replication, we recommend you to use WAN gossip federation to leverage all Consul's latest functionalities. + +Future version of Consul will gradually integrate all functionalities into network areas. + +## Next steps + +In this tutorial, you setup advanced federation using network areas. You then learned how to route RPC commands and use the DNS interface with multiple datacenters. \ No newline at end of file diff --git a/website/content/docs/east-west/vm.mdx b/website/content/docs/east-west/vm.mdx new file mode 100644 index 00000000000..5466f9337e0 --- /dev/null +++ b/website/content/docs/east-west/vm.mdx @@ -0,0 +1,68 @@ +--- +layout: docs +page_title: Link east/west network segments on virtual machines (VMs) +description: >- + This topic provides an overview of linking segments of your service mesh in an east/west direction on virtual machines (VMs). You can extend your service mesh across regions, runtimes, and cloud providers with cluster peering or WAN federation. +--- + +# Link east/west network segments on virtual machines (VMs) + +This topic provides an overview of the strategies and processes for linking defined segments of your service mesh to extend east/west operations across cloud regions, runtimes, and platforms when running the Consul binary on VMs. Linking network segments into an extended service mesh enables advanced strategies for deploying and monitoring service operations in your network. + +For more information about how to divide your network, including the difference between deployment strategies enabled by methods such as WAN federation and cluster peering, refer to [segment network](/consul/docs/segment/vm). + +## Introduction + +Consul supports two general strategies for extending east/west service mesh traffic across your network: + +- Cluster peering +- Wide Area Network (WAN) federation + +Consul community edition supports basic cluster peering and federation scenarios. Implementing advanced scenarios such as federated network areas and cluster peering between multiple admin partitions in datacenters require Consul Enterprise. Refer to [Consul Enterprise](consul/docs/enterprise) for more information. + +## Cluster peering + +@include 'text/descriptions/cluster-peering.mdx' + +Refer to the following pages for guidance about using cluster peering with Consul on VMs: + +- [Establish cluster peering connections on VMs](/consul/docs/east-west/cluster-peering/establish/vm) +- [Manage cluster peering connections on VMs](/consul/docs/east-west/cluster-peering/manage/vms) + +## WAN federation + +@include 'text/descriptions/wan-federation.mdx' + +Refer to the following pages for guidance about using WAN federation with Consul on VMs: + +- [WAN federation between VMs](/consul/docs/east-west/wan-federation/vm) +- [WAN federation between virtual machines and Kubernetes clusters](/consul/docs/east-west/wan-federation/k8s-vm) + +## Federated network areas + +@include 'text/descriptions/network-area.mdx' + +## Secure communication with mesh gateways + +@include 'text/descriptions/mesh-gateway.mdx' + +Refer to the following pages for guidance about using mesh gateways with Consul: + +- [WAN federation with mesh gateways](/consul/docs/east-west/mesh-gateway/federation) +- [Cluster peering with mesh gateways](/consul/docs/east-west/mesh-gateway/cluster-peering) + +## Reference documentation + +For reference material related to the processes for extending your service mesh by linking segments of your network, refer to the following pages: + +- [CLI reference: `consul join` command](/consul/commands/join) +- [CLI reference: `consul operator area` command](/consul/commands/operator/area) +- [CLI reference: `peering` command](/consul/commands/peering) +- [HTTP API reference: `/operator/area` endpoint](/consul/api-docs/operator/area) +- [HTTP API reference: `/peering` endpoint](/consul/api-docs/peering) +- [Mesh gateway configuration reference](/consul/docs/reference/proxy/connect-proxy) +- [Proxy defaults configuration reference](/consul/docs/reference/config-entry/proxy-defaults) + +## Constraints, limitations, and troubleshooting + +@include 'text/limitations/link.mdx' \ No newline at end of file diff --git a/website/content/docs/east-west/wan-federation/create.mdx b/website/content/docs/east-west/wan-federation/create.mdx new file mode 100644 index 00000000000..d7d6056528c --- /dev/null +++ b/website/content/docs/east-west/wan-federation/create.mdx @@ -0,0 +1,200 @@ +--- +layout: docs +page_title: Create and manage federation connections +description: >- + Federating Consul datacenters through mesh gateways enables agents to engage in WAN communication across runtimes and cloud providers. Learn about multi-cluster federation and its network requirements for Consul on Kubernetes. +--- + +# Create and manage federation connections + +One of the key features of Consul is its support for multiple datacenters. +The architecture of Consul is designed to promote a low coupling of datacenters +so that connectivity issues or failure of any datacenter does not impact the +availability of Consul in other datacenters. This means each datacenter runs +independently, each having a dedicated group of servers and a private LAN gossip +pool. + +## WAN gossip pool + +This tutorial covers the basic form of federating Consul datacenters using a +single WAN gossip pool, interconnecting all Consul servers. +Consul Enterprise version 0.8.0 added support for an advanced multiple +datacenter capability. Check the +[Federate Multiple Datacenters with Network Areas tutorial](/consul/docs/east-west/network-area) for more details. + +## Setup two datacenters + +To get started, follow the [Deployment guide](/consul/tutorials/production-deploy/deployment-guide) +to start each datacenter. If ACLs are enabled or you are using Consul Enterprise, +you must set the [`primary_datacenter`](/consul/docs/reference/agent#primary_datacenter) in the server's configuration in both datacenters. + +After bootstrapping you should have two datacenters, `dc1` and `dc2`. Note that +datacenter names are opaque to Consul; they are simply labels that help human +operators reason about the Consul datacenters. + +To query the known WAN nodes, use the `members` command with the `-wan` +parameter on either datacenter. + +```shell-session +$ consul members -wan +``` + +This will provide a list of all known members in the WAN gossip pool. In +this case, you have not connected the servers so there will be no output. + +`consul members -wan` should +only contain server nodes. Client nodes send requests to a datacenter-local server, +so they do not participate in WAN gossip. Client requests are forwarded by local +servers to a server in the target datacenter as necessary. + +## Join the servers + +The next step is to ensure that all the server nodes join the WAN gossip pool +(include all the servers in all the datacenters). + +```shell-session +$ consul join -wan ... +``` + +The `join` command is used with the `-wan` flag to indicate you are attempting +to join a server in the WAN gossip pool. As with LAN gossip, you only need to +join a single existing member, and the gossip protocol will be used to exchange +information about all known members. For the initial setup, however, each server +will only know about itself and must be added to the datacenter. Consul 0.8.0 +added WAN join flooding, so if one Consul server in a datacenter joins the WAN, +it will automatically join the other servers in its local datacenter that it +knows about via the LAN. + +### Persist join with retry join + +In order to persist the `join` information, the following can be added to each +server's configuration file, in both datacenters. For example, in `dc1` server +nodes. + + + +```hcl +retry_join_wan = ["dc2-server-1", "dc2-server-2"] +``` + +```json +{ + "retry_join_wan": ["dc2-server-1", "dc2-server-2"] +} +``` + + + + +## Verify datacenter configuration + +Once the join is complete, the `members` command can be used to verify that all +server nodes gossiping over WAN. + +```shell-session +$ consul members -wan +``` + +```plaintext hideClipboard +Node Address Status Type Build Protocol DC Segment +dc1-server-1 127.0.0.1:8701 alive server 1.4.3 2 dc1 +dc2-server-1 127.0.0.1:8702 alive server 1.4.3 2 dc2 +``` + +You can also verify that both datacenters are known using the +[HTTP Catalog API](/consul/api-docs/catalog#list-datacenters): + +```shell-session +$ curl http://localhost:8500/v1/catalog/datacenters +["dc1", "dc2"] +``` + +As a simple test, you can try to query the nodes in each datacenter: + +```shell-session +$ curl http://localhost:8500/v1/catalog/nodes?dc=dc1 +``` + +```json hideClipboard +{ + "ID": "ee8b5f7b-9cc1-a382-978c-5ce4b1219a55", + "Node": "dc1-server-1", + "Address": "127.0.0.1", + "Datacenter": "dc1", + "TaggedAddresses": { + "lan": "127.0.0.1", + "wan": "127.0.0.1" + }, + "Meta": { + "consul-network-segment": "" + }, + "CreateIndex": 12, + "ModifyIndex": 14 +} +``` + +```shell-session +$ curl http://localhost:8500/v1/catalog/nodes?dc=dc2 +``` + +```json hideClipboard +{ + "ID": "ee8b5f7b-9cc1-a382-978c-5ce4b1219a55", + "Node": "dc2-server-1", + "Address": "127.0.0.1", + "Datacenter": "dc1", + "TaggedAddresses": { + "lan": "127.0.0.1", + "wan": "127.0.0.1" + }, + "Meta": { + "consul-network-segment": "" + }, + "CreateIndex": 11, + "ModifyIndex": 16 +} +``` + +## Network configuration + +There are a few networking requirements that must be satisfied for this to work. +First, all server nodes must be able to talk to each other. Otherwise, +the gossip protocol as well as RPC forwarding will not work. If service discovery +is to be used across datacenters, the network must be able to route traffic +between IP addresses across regions as well. Usually, this means that all +datacenters must be connected using a VPN or other tunneling mechanism. Consul +does not handle VPN or NAT traversal for you. + +Note that for RPC forwarding to work the bind address must be accessible from +remote nodes. Configuring `serf_wan`, `advertise_addr_wan` and `translate_wan_addrs` +can lead to a situation where `consul members -wan` lists remote nodes but RPC +operations fail with one of the following errors: + +- `No path to datacenter` +- `rpc error getting client: failed to get conn: dial tcp :0->:: i/o timeout` + +The most likely cause of these errors is that `bind_addr` is set to a private +address preventing the RPC server from accepting connections across the WAN. +Setting `bind_addr` to a public address (or one that can be routed across the WAN) +will resolve this issue. Be aware that exposing the RPC server on a public port +should only be done **after** firewall rules have been established. + +The [`translate_wan_addrs`](/consul/docs/reference/agent#translate_wan_addrs) +configuration provides a basic address rewriting capability. + +## Data replication + +In general, data is not replicated between different Consul datacenters. When a +request is made for a resource in another datacenter, the local Consul servers +forward an RPC request to the remote Consul servers for that resource and return +the results. If the remote datacenter is not available, then those resources +will also not be available, but that won't otherwise affect the local datacenter. +There are some special situations where a limited subset of data can be +replicated, such as with Consul's built-in ACL replication capability, or +external tools like [consul-replicate](https://github.com/hashicorp/consul-replicate/). + +## Next steps + +In this tutorial, you setup WAN gossip across two datacenters to create basic +federation. You also used the Consul HTTP API to ensure the datacenters were +properly configured. diff --git a/website/content/docs/east-west/wan-federation/index.mdx b/website/content/docs/east-west/wan-federation/index.mdx new file mode 100644 index 00000000000..fda545a8425 --- /dev/null +++ b/website/content/docs/east-west/wan-federation/index.mdx @@ -0,0 +1,87 @@ +--- +layout: docs +page_title: WAN Federation Through Mesh Gateways - Overview +description: >- + Federating Consul datacenters through mesh gateways enables agents to engage in WAN communication across runtimes and cloud providers. Learn about multi-cluster federation and its network requirements for Consul on Kubernetes. +--- + +# WAN Federation Through Mesh Gateways Overview + +In Consul, federation is the act of joining two or more Consul datacenters. +When datacenters are joined, Consul servers in each datacenter can communicate +with one another. This enables the following features: + +- Services on all clusters can make calls to each other through Consul Service Mesh. +- [Intentions](/consul/docs/secure-mesh/intentions) can be used to enforce rules about which services can communicate across all clusters. +- [L7 Routing Rules](/consul/docs/connect/manage-traffic) can enable multi-cluster failover + and traffic splitting. +- The Consul UI has a drop-down menu that lets you navigate between datacenters. + +## Traditional WAN Federation vs. WAN Federation Via Mesh Gateways + +Consul provides two mechanisms for WAN (Wide Area Network) federation: + +1. Traditional WAN Federation +1. WAN Federation Via Mesh Gateways (newly available in Consul 1.8.0) + +### Traditional WAN Federation + +With traditional WAN federation, all Consul servers must be exposed on the wide area +network. In the Kubernetes context this is often difficult to set up. It would require that +each Consul server pod is running on a Kubernetes node with an IP address that is routable from +all other Kubernetes clusters. Often Kubernetes clusters are deployed into private +subnets that other clusters cannot route to without additional network devices and configuration. + +The Kubernetes solution to the problem of exposing pods is load balancer services but these can't be used +with traditional WAN federation because it requires proxying both UDP and TCP and Kubernetes load balancers only proxy TCP. +In addition, each Consul server would need its own load balancer because each +server needs a unique address. This would increase cost and complexity. + +![Traditional WAN Federation](/img/traditional-wan-federation.png 'Traditional WAN Federation') + +### WAN Federation Via Mesh Gateways + +To solve the problems that occurred with traditional WAN federation, +Consul 1.8.0 now supports WAN federation **via mesh gateways**. This mechanism +only requires that mesh gateways are exposed with routable addresses, not Consul servers. We can front +the mesh gateway pods with a single Kubernetes service and all traffic flows between +datacenters through the mesh gateways. + +![WAN Federation Via Mesh Gateway](/img/mesh-gateway-wan-federation.png 'WAN Federation Via Mesh Gateway') + +## Network Requirements + +Clusters/datacenters can be federated even if they have overlapping pod IP spaces or if they're +on different cloud providers or platforms. Kubernetes clusters can even be +federated with Consul datacenters running on virtual machines (and vice versa). +Because the communication between clusters is end-to-end encrypted, mesh gateways +can even be exposed on the public internet. + +There are three networking requirements: +1. When Consul servers in secondary datacenters first start up, they must be able to make calls directly to the + primary datacenter's mesh gateways. +1. Once the Consul servers in secondary datacenters have made that initial call to the primary datacenter's mesh + gateways, the mesh gateways in the secondary datacenter will be able to start. From this point onwards, all + communication between servers will flow first to the local mesh gateways, and then to the remote mesh gateways. + This means all mesh gateways across datacenters must be able to route to one another. + + For example, if using a load balancer service in front of each cluster's mesh gateway pods, the load balancer IP + must be routable from the other mesh gateway pods. + If using a public load balancer, this is guaranteed. If using a private load balancer + then you'll need to make sure that its IP/DNS address is routable from your other clusters. +1. If ACLs are enabled, primary clusters must be able to make requests to the Kubernetes API URLs of secondary clusters. + +## Next Steps + +Now that you have an overview of federation, proceed to either the +[Federation Between Kubernetes Clusters](/consul/docs/east-west/wan-federation/k8s) +or [Federation Between VMs and Kubernetes](/consul/docs/east-west/wan-federation/k8s-vm) +pages depending on your use case. + +## Guidance + +The following usage documentation is available to help you use WAN federation: + +- [WAN federation between VMs](/consul/docs/east-west/wan-federation/vm) +- [WAN federation between virtual machines and Kubernetes clusters](/consul/docs/east-west/wan-federation/k8s-vm) +- [WAN federation between multiple Kubernetes clusters](/consul/docs/east-west/wan-federation/k8s) \ No newline at end of file diff --git a/website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx b/website/content/docs/east-west/wan-federation/k8s-vm.mdx similarity index 85% rename from website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx rename to website/content/docs/east-west/wan-federation/k8s-vm.mdx index 763dcda5a8f..b6fee006b37 100644 --- a/website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx +++ b/website/content/docs/east-west/wan-federation/k8s-vm.mdx @@ -9,19 +9,19 @@ description: >- -> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher -~> This topic requires familiarity with [Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters) and [WAN Federation Via Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways). +~> This topic requires familiarity with [Mesh Gateways](/consul/docs/east-west/mesh-gateway/federation) and [WAN Federation Via Mesh Gateways](/consul/docs/east-west/mesh-gateway/enable). -This page describes how to federate Consul clusters separately deployed in VM and Kubernetes runtimes. Refer to [Multi-Cluster Overview](/consul/docs/k8s/deployment-configurations/multi-cluster) -for more information, including [Kubernetes networking requirements](/consul/docs/k8s/deployment-configurations/multi-cluster#network-requirements). +This page describes how to federate Consul clusters separately deployed in VM and Kubernetes runtimes. Refer to [Multi-Cluster Overview](/consul/docs/east-west/wan-federation) +for more information, including [Kubernetes networking requirements](/consul/docs/east-west/wan-federation#network-requirements). Consul datacenters running on non-kubernetes platforms like VMs or bare metal can be federated with Kubernetes datacenters. ## Kubernetes as the Primary -One Consul datacenter must be the [primary](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes#primary-datacenter). If your primary datacenter is running on Kubernetes, use the Helm config from the [Primary Datacenter](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes#primary-datacenter) section to install Consul. +One Consul datacenter must be the [primary](/consul/docs/east-west/wan-federation/k8s#primary-datacenter). If your primary datacenter is running on Kubernetes, use the Helm config from the [Primary Datacenter](/consul/docs/east-west/wan-federation/k8s#primary-datacenter) section to install Consul. -Once installed on Kubernetes, and with the `ProxyDefaults` [resource created](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes#proxydefaults), +Once installed on Kubernetes, and with the `ProxyDefaults` [resource created](/consul/docs/east-west/wan-federation/k8s#proxydefaults), you'll need to export the following information from the primary Kubernetes cluster: - Certificate authority cert and key (in order to create SSL certs for VMs) @@ -64,7 +64,7 @@ The following sections detail how to export this data. ==> Saved vm-dc-server-consul-0-key.pem ``` - -> Note the `-node` option in the above command. This should be same as the node name of the [Consul Agent](/consul/docs/agent#running-an-agent). This is a [requirement](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, or you don't know the nodename in advance, use `-node "*"` instead. + -> Note the `-node` option in the above command. This should be same as the node name of the [Consul Agent](/consul/docs/agent#running-an-agent). This is a [requirement](/consul/docs/east-west/mesh-gateway/enable#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, or you don't know the nodename in advance, use `-node "*"` instead. Not satisfying this requirement would result in the following error in the Consul Server logs: `[ERROR] agent.server.rpc: TLS handshake failed: conn=from= error="remote error: tls: bad certificate"` @@ -96,7 +96,7 @@ The following sections detail how to export this data. ==> Saved dc1-client-consul-0-key.pem ``` - Or use the [auto_encrypt](/consul/docs/agent/config/config-files#auto_encrypt) feature. + Or use the [auto_encrypt](/consul/docs/reference/agent#auto_encrypt) feature. ### Mesh Gateway Addresses @@ -144,8 +144,7 @@ acls { } ``` --> **NOTE:** You'll also need to set up additional ACL tokens as needed by the -ACL system. See tutorial [Secure Consul with Access Control Lists (ACLs)](/consul/tutorials/security/access-control-setup-production#apply-individual-tokens-to-agents) +You need to set up additional ACL tokens as needed by the ACL system. Refer to the [ACLs](/consul/docs/secure-consul/acl) docs for more information. ### Gossip Encryption Key @@ -210,11 +209,11 @@ ports { ## Kubernetes as the Secondary If you're running your primary datacenter on VMs then you'll need to manually -construct the [Federation Secret](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes#federation-secret) in order to federate +construct the [Federation Secret](/consul/docs/east-west/wan-federation/k8s#federation-secret) in order to federate Kubernetes clusters as secondaries. In addition, primary clusters must be able to make requests to the Kubernetes API URLs of secondary clusters when ACLs are enabled. -> Your VM cluster must be running mesh gateways, and have mesh gateway WAN -federation enabled. See [WAN Federation via Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways). +federation enabled. See [WAN Federation via Mesh Gateways](/consul/docs/east-west/mesh-gateway/enable). You'll need: @@ -259,7 +258,7 @@ You'll need: } } ``` -1. If ACLs are enabled you must also modify the [anonymous token](/consul/docs/security/acl/tokens#anonymous-token) policy to have the following permissions: +1. If ACLs are enabled you must also modify the [anonymous token](/consul/docs/secure-consul/acl/tokens#anonymous-token) policy to have the following permissions: ```hcl node_prefix "" { @@ -322,7 +321,7 @@ kubectl create secret generic consul-federation \ If ACLs are enabled, you must next determine the Kubernetes API URL for the secondary cluster. The API URL of the must be specified in the config files for all secondary clusters because secondary clusters need to create global Consul ACL tokens (tokens that are valid in all datacenters) and these tokens can only be created -by the primary datacenter. By setting the API URL, the secondary cluster will configure a [Consul auth method](/consul/docs/security/acl/auth-methods) +by the primary datacenter. By setting the API URL, the secondary cluster will configure a [Consul auth method](/consul/docs/secure-consul/acl/auth-methods) in the primary cluster so that components in the secondary cluster can use their Kubernetes ServiceAccount tokens to retrieve global Consul ACL tokens from the primary. @@ -395,10 +394,10 @@ With your config file ready to go, follow our [Installation Guide](/consul/docs/ to install Consul on your secondary cluster(s). After installation, if you're using consul-helm 0.30.0+, [create the -`ProxyDefaults` resource](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes#proxydefaults) +`ProxyDefaults` resource](/consul/docs/east-west/wan-federation/k8s#proxydefaults) to allow traffic between datacenters. ## Next Steps -In both cases (Kubernetes as primary or secondary), after installation, follow the [Verifying Federation](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes#verifying-federation) -section to verify that federation is working as expected. +In both cases (Kubernetes as primary or secondary), after installation, follow the [Verifying Federation](/consul/docs/east-west/wan-federation/k8s#verifying-federation) +section to verify that federation is working as expected. \ No newline at end of file diff --git a/website/content/docs/east-west/wan-federation/k8s.mdx b/website/content/docs/east-west/wan-federation/k8s.mdx new file mode 100644 index 00000000000..8a5a8393c69 --- /dev/null +++ b/website/content/docs/east-west/wan-federation/k8s.mdx @@ -0,0 +1,378 @@ +--- +layout: docs +page_title: WAN Federation Through Mesh Gateways - Multiple Kubernetes Clusters +description: >- + WAN federation through mesh gateways enables federating multiple Kubernetes clusters in Consul. Learn how to configure primary and secondary datacenters, export a federation secret, get the k8s API URL, and verify federation. +--- + +# WAN Federation Between Multiple Kubernetes Clusters Through Mesh Gateways + +-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher + +~> This topic requires familiarity with [Mesh Gateways](/consul/docs/east-west/mesh-gateway/federation) and [WAN Federation Via Mesh Gateways](/consul/docs/east-west/mesh-gateway/enable). + +-> Looking for a step-by-step guide? Complete the [Secure and Route Service Mesh Communication Across Kubernetes](/consul/tutorials/kubernetes/kubernetes-mesh-gateways?utm_source=docs) tutorial to learn more. + +This page describes how to federate multiple Kubernetes clusters. Refer to [Multi-Cluster Overview](/consul/docs/east-west/wan-federation) for more information, including [networking requirements](/consul/docs/east-west/wan-federation#network-requirements). + +## Primary Datacenter + +Consul treats each Kubernetes cluster as a separate Consul datacenter. In order to federate clusters, one cluster must be designated the primary datacenter. This datacenter will be responsible for creating the certificate authority that signs the TLS certificates that Consul service mesh uses to encrypt and authorize traffic. It also handles validating global ACL tokens. All other clusters that are federated are considered secondaries. + +#### First Time Installation + +If you haven't installed Consul on your cluster, continue reading below. If you've already installed Consul on a cluster and want to upgrade it to support federation, see [Upgrading An Existing Cluster](#upgrading-an-existing-cluster). + +You will need to use the following `values.yaml` file for your primary cluster, with the possible modifications listed below. + + + +```yaml +global: + name: consul + datacenter: dc1 + + # TLS configures whether Consul components use TLS. + tls: + # TLS must be enabled for federation in Kubernetes. + enabled: true + + federation: + enabled: true + # This will cause a Kubernetes secret to be created that + # can be imported by secondary datacenters to configure them + # for federation. + createFederationSecret: true + + acls: + manageSystemACLs: true + # If ACLs are enabled, we must create a token for secondary + # datacenters to replicate ACLs. + createReplicationToken: true + + # Gossip encryption secures the protocol Consul uses to quickly + # discover new nodes and detect failure. + gossipEncryption: + autoGenerate: true + +connectInject: + # Consul Connect service mesh must be enabled for federation. + enabled: true + +meshGateway: + # Mesh gateways are gateways between datacenters. They must be enabled + # for federation in Kubernetes since the communication between datacenters + # goes through the mesh gateways. + enabled: true +``` + + + +Modifications: + +1. The Consul datacenter name is `dc1`. The datacenter name in each federated cluster **must be unique**. +1. ACLs are enabled in the template configuration. When ACLs are enabled, primary clusters must be able to make requests to the Kubernetes API URLs of secondary clusters. To disable ACLs for testing purposes, change the following settings: + + ```yaml + global: + acls: + manageSystemACLs: false + createReplicationToken: false + ``` + + ACLs secure Consul by requiring every API call to present an ACL token that is validated to ensure it has the proper permissions. +1. Gossip encryption is enabled in the above config file. To disable it, comment out or delete the `gossipEncryption` key: + + ```yaml + global: + # gossipEncryption: + # autoGenerate: true + ``` + + Gossip encryption encrypts the communication layer used to discover other nodes in the cluster and report on failure. If you are only testing Consul, this is not required. + +1. The default mesh gateway configuration creates a Kubernetes Load Balancer service. If you wish to customize the mesh gateway, for example using a Node Port service or a custom DNS entry, see the [Helm reference](/consul/docs/reference/k8s/helm#v-meshgateway) for that setting. + +With your `values.yaml` ready to go, follow our [Installation Guide](/consul/docs/k8s/installation/install) to install Consul on your primary cluster. + +-> **NOTE:** You must be using consul-helm 0.21.0+. To update, run `helm repo update`. + +#### Upgrading An Existing Cluster + +If you have an existing cluster, you will need to upgrade it to ensure it has the following config: + + + +```yaml +global: + tls: + enabled: true + federation: + enabled: true + createFederationSecret: true + acls: + manageSystemACLs: true + createReplicationToken: true +meshGateway: + enabled: true +``` + + + +1. `global.tls.enabled` must be `true`. See [Configuring TLS on an Existing Cluster](/consul/docs/secure-mesh/certificate/existing) for more information on safely upgrading a cluster to use TLS. + +If you've set `enableAutoEncrypt: true`, this is also supported. + +1. `global.federation.enabled` must be set to `true`. This is a new config setting. +1. If using ACLs, you'll already have `global.acls.manageSystemACLs: true`. For the primary cluster, you'll also need to set `global.acls.createReplicationToken: true`. This ensures that an ACL token is created that secondary clusters can use to authenticate with the primary. +1. Mesh Gateways are enabled with the default configuration. The default configuration creates a Kubernetes Load Balancer service. If you wish to customize the mesh gateway, see the [Helm reference](/consul/docs/reference/k8s/helm#v-meshgateway) for that setting. + +With the above settings added to your existing config, follow the [Upgrading](/consul/docs/upgrade/k8s) guide to upgrade your cluster and then come back to the [Federation Secret](#federation-secret) section. + +-> **NOTE:** You must be using consul-helm 0.21.0+. + +#### ProxyDefaults + +If you are using consul-helm 0.30.0+ you must also create a [`ProxyDefaults`](/consul/docs/reference/config-entry/proxy-defaults) resource to configure Consul to use the mesh gateways for service mesh traffic. + +```yaml +apiVersion: consul.hashicorp.com/v1alpha1 +kind: ProxyDefaults +metadata: + name: global +spec: + meshGateway: + mode: 'local' +``` + +The `spec.meshGateway.mode` can be set to `local` or `remote`. If set to `local`, traffic from one datacenter to another will egress through the local mesh gateway. This may be useful if you prefer all your cross-cluster network traffic to egress from the same locations. If set to `remote`, traffic will be routed directly from the pod to the remote mesh gateway (resulting in one less hop). + +Verify that the resource was synced to Consul: + +```shell-session +$ kubectl get proxydefaults global +NAME SYNCED AGE +global True 1s +``` + +Its `SYNCED` status should be `True`. + +-> **NOTE:** The `ProxyDefaults` resource can be created in any namespace, but we recommend creating it in the same namespace that Consul is installed in. Its name must be `global`. + +## Federation Secret + +The federation secret is a Kubernetes secret containing information needed for secondary datacenters/clusters to federate with the primary. This secret is created automatically by setting: + + + +```yaml +global: + federation: + createFederationSecret: true +``` + + + +After the installation into your primary cluster you will need to export this secret: + +```shell-session +$ kubectl get secret consul-federation --namespace consul --output yaml > consul-federation-secret.yaml +``` + +!> **Security note:** The federation secret makes it possible to gain full admin privileges in Consul. This secret must be kept securely, i.e. it should be deleted from your filesystem after importing it to your secondary cluster and you should use RBAC permissions to ensure only administrators can read it from Kubernetes. + +~> **Secret doesn't exist?** If you haven't set `global.name` to `consul` then the name of the secret will be your Helm release name suffixed with `-consul-federation` e.g. `helm-release-consul-federation`. Also ensure you're using the namespace Consul was installed into. + +Now you're ready to import the secret into your secondary cluster(s). + +Switch `kubectl` context to your secondary Kubernetes cluster. In this example our context for our secondary cluster is `dc2`: + +```shell-session +$ kubectl config use-context dc2 +Switched to context "dc2". +``` + +And import the secret: + +```shell-session +$ kubectl apply --filename consul-federation-secret.yaml +secret/consul-federation configured +``` + +#### Federation Secret Contents + +The automatically generated federation secret contains: + +- **Server certificate authority certificate** - This is the certificate authority used to sign Consul server-to-server communication. This is required by secondary clusters because they must communicate with the Consul servers in the primary cluster. +- **Server certificate authority key** - This is the signing key for the server certificate authority. This is required by secondary clusters because they need to create server certificates for each Consul server using the same certificate authority as the primary. + + !> **Security note:** The certificate authority key would enable an attacker to compromise Consul, it should be kept securely. + +- **Consul server config** - This is a JSON snippet that must be used as part of the server config for secondary datacenters. It sets: + + - [`primary_datacenter`](/consul/docs/reference/agent#primary_datacenter) to the name of the primary datacenter. + - [`primary_gateways`](/consul/docs/reference/agent#primary_gateways) to an array of IPs or hostnames for the mesh gateways in the primary datacenter. These are the addresses that Consul servers in secondary clusters will use to communicate with the primary datacenter. + + Even if there are multiple secondary datacenters, only the primary gateways need to be configured. Upon first connection with a primary datacenter, the addresses for other secondary datacenters will be discovered. + +- **ACL replication token** - If ACLs are enabled, secondary datacenters need an ACL token in order to authenticate with the primary datacenter. This ACL token is also used to replicate ACLs from the primary datacenter so that components in each datacenter can authenticate with one another. +- **Gossip encryption key** - If gossip encryption is enabled, secondary datacenters need the gossip encryption key in order to be part of the gossip pool. Gossip is the method by which Consul discovers the addresses and health of other nodes. + + !> **Security note:** This gossip encryption key would enable an attacker to compromise Consul, it should be kept securely. + +## Kubernetes API URL + +If ACLs are enabled, you must next determine the Kubernetes API URL for each secondary cluster. The API URL of the secondary cluster must be specified in the config files for each secondary cluster because they need to create global Consul ACL tokens (tokens that are valid in all datacenters) and these tokens can only be created by the primary datacenter. By setting the API URL, the secondary cluster will configure a [Consul auth method](/consul/docs/secure-consul/acl/auth-methods) in the primary cluster so that components in the secondary cluster can use their Kubernetes ServiceAccount tokens to retrieve global Consul ACL tokens from the primary. + +To determine the Kubernetes API URL, first get the cluster name in your kubeconfig for your secondary: + +```shell-session +$ export CLUSTER=$(kubectl config view -o jsonpath="{.contexts[?(@.name == \"$(kubectl config current-context)\")].context.cluster}") +``` + +Then get the API URL: + +```shell-session +$ kubectl config view -o jsonpath="{.clusters[?(@.name == \"$CLUSTER\")].cluster.server}" +https:// +``` + +Keep track of this URL, you'll need it in the next section. + +## Secondary Cluster(s) + +With the primary cluster up and running, and the [federation secret](#federation-secret) imported into the secondary cluster, we can now install Consul into the secondary cluster. + +You will need to use the following `values.yaml` file for your secondary cluster(s), with the modifications listed below. + +-> **NOTE: ** You must use a separate Helm config file for each cluster (primary and secondaries) since their settings are different. + + + +```yaml +global: + name: consul + datacenter: dc2 + tls: + enabled: true + + # Here we're using the shared certificate authority from the primary + # datacenter that was exported via the federation secret. + caCert: + secretName: consul-federation + secretKey: caCert + caKey: + secretName: consul-federation + secretKey: caKey + + acls: + manageSystemACLs: true + + # Here we're importing the replication token that was + # exported from the primary via the federation secret. + replicationToken: + secretName: consul-federation + secretKey: replicationToken + + federation: + enabled: true + k8sAuthMethodHost: + primaryDatacenter: dc1 + gossipEncryption: + secretName: consul-federation + secretKey: gossipEncryptionKey +connectInject: + enabled: true +meshGateway: + enabled: true +server: + # Here we're including the server config exported from the primary + # via the federation secret. This config includes the addresses of + # the primary datacenter's mesh gateways so Consul can begin federation. + extraVolumes: + - type: secret + name: consul-federation + items: + - key: serverConfigJSON + path: config.json + load: true +``` + + + +Modifications: + +1. If ACLs are enabled, change the value of `global.federation.k8sAuthMethodHost` to the full URL (including `https://`) of the secondary cluster's Kubernetes API. +1. `global.federation.primaryDatacenter` must be set to the name of the primary datacenter. +1. The Consul datacenter name for the datacenter in this example is `dc2`. The datacenter name in **each** federated cluster **must be unique**. +1. ACLs are enabled in the above config file. They can be disabled by removing the whole `acls` block: + + ```yaml + acls: + manageSystemACLs: false + replicationToken: + secretName: consul-federation + secretKey: replicationToken + ``` + + If ACLs are enabled in one datacenter, they must be enabled in all datacenters because in order to communicate with that one datacenter ACL tokens are required. + +1. Gossip encryption is enabled in the above config file. To disable it, don't set the `gossipEncryption` key: + + ```yaml + global: + # gossipEncryption: + # secretName: consul-federation + # secretKey: gossipEncryptionKey + ``` + + If gossip encryption is enabled in one datacenter, it must be enabled in all datacenters because in order to communicate with that one datacenter the encryption key is required. + +1. The default mesh gateway configuration creates a Kubernetes Load Balancer service. If you wish to customize the mesh gateway, for example using a Node Port service or a custom DNS entry, see the [Helm reference](/consul/docs/reference/k8s/helm#v-meshgateway) for that setting. + +With your `values.yaml` ready to go, follow our [Installation Guide](/consul/docs/k8s/installation/install) to install Consul on your secondary cluster(s). + +## Verifying Federation + +To verify that both datacenters are federated, run the `consul members -wan` command on one of the Consul server pods: + +```shell-session +$ kubectl exec statefulset/consul-server --namespace consul -- consul members -wan +Node Address Status Type Build Protocol DC Segment +consul-server-0.dc1 10.32.4.216:8302 alive server 1.8.0 2 dc1 +consul-server-0.dc2 192.168.2.173:8302 alive server 1.8.0 2 dc2 +consul-server-1.dc1 10.32.5.161:8302 alive server 1.8.0 2 dc1 +consul-server-1.dc2 192.168.88.64:8302 alive server 1.8.0 2 dc2 +consul-server-2.dc1 10.32.1.175:8302 alive server 1.8.0 2 dc1 +consul-server-2.dc2 192.168.35.174:8302 alive server 1.8.0 2 dc2 +``` + +In this example (run from `dc1`), you can see that this datacenter knows about the servers in dc2 and that they have status `alive`. + +You can also use the `consul catalog services` command with the `-datacenter` flag to ensure each datacenter can read each other's services. In this example, our `kubectl` context is `dc1` and we're querying for the list of services in `dc2`: + +```shell-session +$ kubectl exec statefulset/consul-server --namespace consul -- consul catalog services -datacenter dc2 +consul +mesh-gateway +``` + +You can switch kubectl contexts and run the same command in `dc2` with the flag `-datacenter dc1` to ensure `dc2` can communicate with `dc1`. + +### Consul UI + +We can also use the Consul UI to verify federation. See [Viewing the Consul UI](/consul/docs/k8s/installation/install#viewing-the-consul-ui) for instructions on how to view the UI. + +~> NOTE: If ACLs are enabled, your kubectl context must be in the primary datacenter to retrieve the bootstrap token mentioned in the UI documentation. + +With the UI open, you'll be able to switch between datacenters via the dropdown in the top left: + +![Consul Datacenter Dropdown](/img/data-center-dropdown.png 'Consul Datacenter Dropdown') + +## Next Steps + +With your Kubernetes clusters federated, complete the [Secure and Route Service Mesh Communication Across Kubernetes](/consul/tutorials/kubernetes/kubernetes-mesh-gateways?utm_source=docs#deploy-microservices) tutorial to learn how to use Consul service mesh to route between services deployed on each cluster. + +You can also read our in-depth documentation on [Consul Service Mesh In Kubernetes](/consul/docs/k8s/connect). + +If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our [Migrate to Microservices with Consul Service Mesh on Kubernetes](/consul/tutorials/microservices?utm_source=docs) collection uses an example application written by a fictional company to illustrate why and how organizations can migrate from monolith to microservices using Consul service mesh on Kubernetes. The case study in this collection should provide information valuable for understanding how to develop services that leverage Consul during any stage of your microservices journey. \ No newline at end of file diff --git a/website/content/docs/ecs.mdx b/website/content/docs/ecs.mdx new file mode 100644 index 00000000000..c7d8e61de55 --- /dev/null +++ b/website/content/docs/ecs.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Consul on ECS +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Consul on ECS + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. diff --git a/website/content/docs/ecs/architecture.mdx b/website/content/docs/ecs/architecture.mdx deleted file mode 100644 index 96823ae1bd6..00000000000 --- a/website/content/docs/ecs/architecture.mdx +++ /dev/null @@ -1,98 +0,0 @@ ---- -layout: docs -page_title: Consul on AWS Elastic Container Service (ECS) architecture -description: >- - Learn about the Consul architecture on Amazon Web Services ECS deployments. Learn about how the two work together, including the order tasks and containers startup and shutdown, as well as requirements for the AWS IAM auth method, the ACL controller and tokens, and health check syncing. ---- - -# Consul on AWS Elastic Container Service (ECS) architecture - -This topic provides reference information about the Consul's deployment architecture on AWS ECS. The following diagram shows the main components of the Consul architecture when deployed to an ECS cluster. - -![Diagram that provides an overview of the Consul Architecture on ECS](/img/ecs/consul-on-ecs-architecture-dataplanes.png#light-theme-only) -![Diagram that provides an overview of the Consul Architecture on ECS ](/img/ecs/consul-on-ecs-architecture-dataplanes-dark.png#dark-theme-only) - -## Components - -Consul starts several components and containers inside the ECS cluster. Using a combination of short-lived containers (`mesh-init`) and long-lived containers (`health-sync`) ensures that any long running containers do not have root access to Consul. Refer to [Startup sequence](#startup-sequence) for details about the order of the startup procedure. - -### `mesh-init` container - -The `mesh-init` container is a short-lived container that performs the following actions: - -- Logs into Consul servers -- Communicates directly with Consul server -- Registers proxies and services -- Creates a bootstrap configuration file for Consul dataplane container and stores it in a shared volume -- Invokes the `iptables` SDK to configure traffic redirection rules - -### `health-sync` container - -The `health-sync` container is a long-lived container that performs the following actions: - -- Synchronizes ECS health checks -- Watches the Consul server for changes - -When you stop the ECS task, it performs the following actions: - -- Deregisters service and proxy instances on receiving SIGTERM to support graceful shutdown -- Performs logout from [ACL auth method](/consul/docs/security/acl/auth-methods) - -### `dataplane` container - -The dataplane process runs in the same container as the Envoy proxy and performs the following actions: - -- Consumes and configures itself according to the bootstrap configuration written by the `mesh-init` container. -- Contains and starts up the Envoy sidecar. - -### ECS controller container - -One ECS task in the cluster contains the controller container, which performs the following actions: - -- Creates AWS IAM auth methods -- Creates ACL policies and roles -- Maintains ACL state -- Removes tokens when services exit -- Deregisters services if the ECS task exits without deregistering them -- Registers a _synthetic node_ that enables Consul to register services to the catalog - -## Startup sequence - -Deploying Consul to ECS starts the following process to build the architecture: - -1. The `mesh-init` container starts and logs in to Consul. -1. The `mesh-init` container registers services and proxies with the Consul servers. -1. The `mesh-init` container writes the bootstrap configuration for the Consul dataplane process and stores it in a shared volume. -1. The `mesh-init` container configures Consul DNS and modifies traffic redirection rules. -1. The `dataplane` container starts and configures itself using the bootstrap configuration generated by the `mesh-init` container. -1. The `dataplane` container starts the Envoy sidecar proxy. -1. The `health-sync` container starts listening for ECS health checks. -1. When the ECS task indicates that the application instance is healthy, the `health-sync` container marks the service as healthy and allows traffic to flow. - -## Consul security components - -Consul leverages AWS components to facilitate its own security features. - -### Auth methods - -Consul on ECS uses the AWS IAM auth method so that ECS tasks can automatically obtain Consul ACL tokens during startup. - -When ACLs are enabled, the Terraform modules for Consul on ECS support AWS IAM auth methods by default. The ECS controller sets up the auth method on the Consul servers. The `mesh-task` module configures the ECS task definition to be compatible with the auth method. - -A unique task IAM role is required for each ECS task family. A task family represents only one Consul service and the task IAM role must encode the Consul service name. As a result, task IAM roles must not be shared by different task families. - -By default, the mesh-task module creates and configures the task IAM role for you. - -To pass an existing IAM role to the mesh-task module using the `task_role` input variable, configure the IAM role as described in ECS Task Role Configuration to be compatible with the AWS IAM auth method. - -### ECS task roles - -The [ECS task role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) is an IAM role associated with an ECS task. - -When an ECS task starts up, it runs a `consul login` command. The command obtains credentials for the task role from AWS and then uses those credentials to sign the login request to the AWS IAM auth method. The credentials prove the ECS task's identity to the Consul servers. - -You must configure the task role with the following details for it to be compatible with the AWS IAM auth method: - -- An `iam:GetRole` permission to fetch itself. Refer to [IAM Policies](/consul/docs/security/acl/auth-methods/aws-iam#iam-policies) for additional information. -- A `consul.hashicorp.com.service-name` tag on the task role which contains the Consul service name for the application in this task. -- When using Consul Enterprise, add a `consul.hashicorp.com.namespace` tag on the task role indicating the Consul Enterprise namespace where this service is registered. \ No newline at end of file diff --git a/website/content/docs/ecs/index.mdx b/website/content/docs/ecs/index.mdx deleted file mode 100644 index 992d7eb3df7..00000000000 --- a/website/content/docs/ecs/index.mdx +++ /dev/null @@ -1,54 +0,0 @@ ---- -layout: docs -page_title: Consul on AWS Elastic Container Service (ECS) Overview -description: >- - You can deploy Consul service mesh applications to Amazon Web Services ECS by running each task with an application container, a client agent, and an Envoy proxy. Learn how Consul service mesh works on ECS and find getting started tutorials for several scenarios. ---- - -# Consul on AWS Elastic Container Service (ECS) overview -This overview provides information about connecting your workloads managed by [AWS Elastic Container Service (ECS)](https://aws.amazon.com/ecs/) to a Consul service mesh. A Consul service mesh automates service-to-service authorization and encryption across your Consul services. You can use a service mesh in ECS networks to secure communication between ECS tasks and communication between tasks and external services. - - -## Workflow - -You can install Consul on ECS with the [HashiCorp Terraform modules](/consul/docs/ecs/deploy/terraform) or by [manually configuring the task definition](/consul/docs/ecs/deploy/manual). We strongly recommend using the Terraform modules and resources because Terraform automatically builds and enables Consul service mesh containers for your workloads. The Terraform module installation method also allows you to add your existing ECS task definitions to the Consul service mesh without additional configuration. - -### Terraform module installation - -1. Create and run a Terraform configuration that includes the ECS task, modules, and resources. -1. Configure routes between ECS tasks in your cluster. Once the service mesh is built, you must define paths for traffic between services. -1. Configure the ECS bind address. Binding to the loopback address allows the sidecar proxy running in the same task to only make requests within the service mesh. - - -### Manual installation - -To manually install Consul, you must create definitions for each container that operates in the ECS cluster. Refer to [Architecture](/consul/docs/ecs/architecture) for information about the Consul containers you must deploy. Note that there is no manual process for creating gateway task containers. Gateways enable you to connect multiple datacenters or admin partitions. You must use Terraform if you want to deploy gateways to your network. - -## Guidance - -Refer to the following documentation and tutorials for additional guidance. - -### Tutorials - -- [Integrate your AWS ECS services into Consul service mesh](/consul/tutorials/cloud-integrations/consul-ecs): Shows how to use Terraform to run Consul service mesh applications on ECS with self-managed Enterprise or HCP Consul Dedicated. - -You can also refer to the following example configurations: - -- [Examples on GitHub](https://github.com/hashicorp/terraform-aws-consul-ecs/tree/main/examples) -- [Consul with dev server on ECS using the Fargate launch type](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-fargate) -- [Consul with dev server onn ECS using the EC2 launch type](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-ec2) - -### Documentation - -- [Install Consul on ECS with Terraform](/consul/docs/ecs/deploy/terraform) -- [Configure routes between ECS tasks](/consul/docs/ecs/deploy/configure-routes) -- [Configure the ECS task bind address](/consul/docs/ecs/deploy/bind-addresses) -- [Install Consul on ECS manually](/consul/docs/ecs/deploy/manual) - -### Reference - -- [Architecture](/consul/docs/ecs/architecture) -- [Technical specifications](/consul/docs/ecs/tech-specs) -- [Task configuration reference](/consul/docs/ecs/reference/configuration-reference) -- [Cross-compatibility reference](/consul/docs/ecs/reference/compatibility) -- [Consul server JSON schema reference](/consul/docs/ecs/reference/consul-server-json) \ No newline at end of file diff --git a/website/content/docs/enterprise/backups.mdx b/website/content/docs/enterprise/backups.mdx deleted file mode 100644 index ba00952566c..00000000000 --- a/website/content/docs/enterprise/backups.mdx +++ /dev/null @@ -1,38 +0,0 @@ ---- -layout: docs -page_title: Automated Backups (Enterprise) -description: >- - Learn about launching the snapshot agent to automatically backup files to a cloud storage provider so that you can restore Consul servers. Supported providers include Amazon S3, Google Cloud Storage, and Azure Blob Storage. ---- - -# Automated Backups - - - -This feature requires -HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. -Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. - - - -Consul Enterprise enables you to run -the snapshot agent within your environment as a service (Systemd as an example) -or scheduled through other means. Once running, the snapshot agent service operates as a highly -available process that integrates with the snapshot API to automatically manage -taking snapshots, backup rotation, and sending backup files offsite to Amazon S3 -(or another S3-compatible endpoint), Google Cloud Storage, or Azure Blob Storage. - -This capability provides an enterprise solution for backup and restoring the state of Consul servers -within an environment in an automated manner. These snapshots are atomic and point-in-time. Consul -datacenter backups include (but are not limited to): - -- Key/Value Store Entries -- Service Catalog Registrations -- Prepared Queries -- Sessions -- Access Control Lists (ACLs) -- Namespaces - -For more experience leveraging Consul's snapshot functionality, complete the [Datacenter Backups in Consul](/consul/tutorials/production-deploy/backup-and-restore?utm_source=docs) tutorial. -For detailed configuration information on configuring the Consul Enterprise's snapshot agent, review the -[Consul Snapshot Agent documentation](/consul/commands/snapshot/agent). diff --git a/website/content/docs/enterprise/ent-to-ce-downgrades.mdx b/website/content/docs/enterprise/ent-to-ce-downgrades.mdx deleted file mode 100644 index a5b6061f40a..00000000000 --- a/website/content/docs/enterprise/ent-to-ce-downgrades.mdx +++ /dev/null @@ -1,208 +0,0 @@ ---- -layout: docs -page_title: Downgrade from Consul Enterprise to the community edition -description: >- - Learn how to downgrade your installation of Consul Enterprise to the free Consul community edition (CE) ---- - -# Downgrade from Consul Enterprise to the community edition - -This document describes how to downgrade from Consul Enterprise to Consul community edition (CE). - -## Overview - -You can downgrade Consul editions if you no longer require Consul Enterprise features. Complete the following steps to downgrade to Consul CE: - -1. Download the CE binary. -1. Backup your Consul data and set appropriate log levels. -1. Complete the downgrade procedures. - -### Request-handling details - -During the downgrade process, the Consul CE server handles the raft replication logs in one of the following ways: - -- Drops the request. -- Filters out data from requests sent from non-default namespaces or partitions. -- Panics and stops the downgrade. - -The following examples describe scenarios where the server may drop the requests: - -- Registration requests in non-default namespace -- Services or health checks in non-default namespaces or partitions. - -- Write requests to peered clusters if the local partition connecting to the peer is non-default. - -The following examples describe scenarios where the server may filter out data from requests: - -- Intention sources that target non-default namespaces or partitions are filtered out of the configuration entry. -- Exports of services within non-default namespaces or partitions are filtered out of the configuration entry. - -The server may panic and stop the downgrade when Consul cannot safely filter configuration entries that route traffic. This is because Consul is unable to determine if the filtered configuration entries send traffic to services that are able to handle the traffic. Consul CE panics in order to prevent harm to existing service mesh routes. - -In these situations, you must first remove references to services within non-default namespaces or partitions from those configuration entries. - -The server may panic in the following cases: - -- Service splitter, service resolver, and service router configuration entry requests that have references to services located in non-default namespaces or partitions cause the server to panic. - -## Requirements - -You can only downgrade Consul editions for v1.18 and later. - -## Download the CE binary version - -First, download the binary for CE. - - - - -All current and past versions of the CE and Enterprise releases are -available on the [HashiCorp releases page](https://releases.hashicorp.com/consul) - -Example: -```shell-session -$ export VERSION=1.18.0 -$ curl https://releases.hashicorp.com/consul/${VERSION}/consul_${VERSION} _linux_amd64.zip -``` - - - - -To downgrade Consul edition on Kubernetes, modify the image version in your Helm chart and follow the upgrade process described in [Upgrade Consul version](/consul/docs/k8s/upgrade#upgrade-consul-version). - - - - - -## Prepare for the downgrade to CE - -1. Take a snapshot of the existing Consul state so that you have a safe fallback if an error occurs. - - ```shell-session - $ consul snapshot save backup.snap - ``` - -1. Run the following command to verify that the snapshot was successfully saved: - - ```shell-session - $ consul snapshot inspect backup.snap - ``` - - Example output: - - ``` - ID 2-1182-1542056499724 - Size 4115 - Index 1182 - Term 2 - Version 1 - ``` - -1. Store the snapshot in a safe location. Refer to the following documentation for additional information about using snapshots: - - - [Consul snapshot](/consul/commands/snapshot) - - [Backup Consul Data and State tutorial](/consul/tutorials/production-deploy/backup-and-restore) - -1. Temporarily modify your Consul configuration so that its [log_level](/consul/docs/agent/config/cli-flags#_log_level) - is set to `debug`. This enables Consul to report detailed information if an error occurs. -1. Issue the following command on your servers to reload the configuration: - - ```shell-session - $ consul reload - ``` - -1. If applicable, modify the following configuration entries: - - [Service resolver](/consul/docs/connect/config-entries/service-resolver): - 1. Remove services configured as failovers in non-default namespaces or services that belong to a sameness group. - 1. Remove services configured as redirects that belong to non-default namespaces or partitions. - - [Service splitter](/consul/docs/connect/config-entries/service-splitter): - 1. Remove services configured as splits that belong to non-default namespaces or partitions. - - [Service router](/consul/docs/connect/config-entries/service-router): - 1. Remove services configured as a destination that belong to non-default namespaces or partitions. - -## Perform the downgrade - -1. Restart or redeploy all Consul clients with a CE version of the binary. You can use a service management system, such as `systemd` or `upstart`, to restart the Consul service. If you are not using a service management system, you must restart the agent manually. The following example uses `systemctl` to restart the Consul service: - - ```shell-session - $ sudo systemctl restart consul - ``` - -1. Issue the following command to discover which server is currently the leader: - - ```shell-session - $ consul operator raft list-peers - ``` - - Consul prints the raft information. The format and content may differ based on your version of Consul: - - ```shell-session - Node ID Address State Voter RaftProtocol - dc1-node1 ae15858f-7f5f-4dcb-b7d5-710fdcdd2745 10.11.0.2:8300 leader true 3 - dc1-node2 20e6be1b-f1cb-4aab-929f-f7d2d43d9a96 10.11.0.3:8300 follower true 3 - dc1-node3 658c343b-8769-431f-a71a-236f9dbb17b3 10.11.0.4:8300 follower true 3 - ``` - -1. Make a note of the leader so that you can perform the downgrade on agents in the proper order. - -1. Update the server binaries to use the CE version. Complete the following steps in order for each server agent in the `follower` state. Then, repeat the steps for the `leader` agent. - - 1. Set an environment variable named `CONSUL_ENTERPRISE_DOWNGRADE_TO_CE` to `true`. The following example sets variable using `systemd`: - 1. Edit the Consul systemd service unit file: - ```shell-session - $ sudo vi /etc/systemd/system/consul.service - ``` - 1. Add the environment variables you want to set for Consul under the `[Service]` section of the unit file and save the changes: - ```shell-session - [Service] - Environment=CONSUL_ENTERPRISE_DOWNGRADE_TO_CE=true - ``` - 1. Reload `systemd`: - ```shell-session - $ sudo systemctl daemon-reload - ``` - 1. Restart the Consul service. You can use a service management system, such as `systemd` or `upstart`. If you are not using a service management system, you must restart the agent manually. The following example restarts Consul using `systemctl`: - ```shell-session - $ sudo systemctl restart consul - ``` - 1. To validate that the agent has rejoined the cluster and is in sync with the leader, issue the following command: - ```shell-session - $ consul info - ``` - Verify that the `commit_index` and `last_log_index` fields have the same value. Differing values may be result of an unexpected leadership election due to loss of quorum. - -1. Run the following command to verify that all servers appear in the cluster as expected and are on the correct version: - - ```shell-session - $ consul members - ``` - - Consul prints cluster membership information. The exact format and content depends on your Consul version: - - ```shell-session - Node Address Status Type Build Protocol DC - dc1-node1 10.11.0.2:8301 alive server 1.18.0 2 dc1 - dc1-node2 10.11.0.3:8301 alive server 1.18.0 2 dc1 - dc1-node3 10.11.0.4:8301 alive server 1.18.0 2 dc1 - ``` - -1. Verify the raft state to make sure there is a leader and sufficient voters: - - ```shell-session - $ consul operator raft list-peers - ``` - - Consul prints the raft information. The format and content may differ based on your version of Consul: - - ```shell-session - Node ID Address State Voter RaftProtocol - dc1-node1 ae15858f-7f5f-4dcb-b7d5-710fdcdd2745 10.11.0.2:8300 leader true 3 - dc1-node2 20e6be1b-f1cb-4aab-929f-f7d2d43d9a96 10.11.0.3:8300 follower true 3 - dc1-node3 658c343b-8769-431f-a71a-236f9dbb17b3 10.11.0.4:8300 follower true 3 - ``` - -1. Set your `log_level` back to its original value and issue the following command on your servers to reload the configuration: - - ```shell-session - $ consul reload - ``` \ No newline at end of file diff --git a/website/content/docs/enterprise/federation.mdx b/website/content/docs/enterprise/federation.mdx deleted file mode 100644 index 9f84ef5d378..00000000000 --- a/website/content/docs/enterprise/federation.mdx +++ /dev/null @@ -1,33 +0,0 @@ ---- -layout: docs -page_title: Federated Network Areas (Enterprise) -description: >- - Network areas connect individual datacenters in a WAN federation, providing an alternative to connecting every datacenter. Learn how to support hub-and-spoke network topologies in a WAN federated Consul deployment. ---- - -# Consul Enterprise Advanced Federation - - - -This feature requires -self-managed Consul Enterprise. -Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. - - - -Consul's core federation capability uses the same gossip mechanism that is used -for a single datacenter. This requires that every server from every datacenter -be in a fully connected mesh with an open gossip port (8302/tcp and 8302/udp) -and an open server RPC port (8300/tcp). For organizations with large numbers of -datacenters, it becomes difficult to support a fully connected mesh. It is often -desirable to have topologies like hub-and-spoke with central management -datacenters and "spoke" datacenters that can't interact with each other. - -[Consul Enterprise](https://www.hashicorp.com/consul) offers a [network -area mechanism](/consul/tutorials/datacenter-operations/federation-network-areas) that allows operators to -federate Consul datacenters together on a pairwise basis, enabling -partially-connected network topologies. Once a link is created, Consul agents -can make queries to the remote datacenter in service of both API and DNS -requests for remote resources (in spite of the partially-connected nature of the -topology as a whole). Consul datacenters can simultaneously participate in both -network areas and the existing WAN pool, which eases migration. diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index b77df696923..f6fb46a57e2 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx @@ -18,43 +18,41 @@ The following features are [available in several forms of Consul Enterprise](#co ### Multi-Tenancy -- [Admin Partitions](/consul/docs/enterprise/admin-partitions): Define administrative boundaries between tenants within a single Consul datacenter. -- [Namespaces](/consul/docs/enterprise/namespaces): Define resource boundaries within a single admin partition for further organizational flexibility. -- [Sameness Groups](/consul/docs/connect/config-entries/sameness-group): Define partitions and cluster peers as members of a group with identical services. +- [Admin Partitions](/consul/docs/segment/admin-partition): Define administrative boundaries between tenants within a single Consul datacenter +- [Namespaces](/consul/docs/segment/namespace): Define resource boundaries within a single admin partition for further organizational flexibility +- [Sameness Groups](/consul/docs/reference/config-entry/sameness-group): Define partitions and cluster peers as members of a group with identical services ### Resiliency -- [Automated Backups](/consul/docs/enterprise/backups): Configure the automatic backup of Consul state. -- [Redundancy Zones](/consul/docs/enterprise/redundancy): Deploy backup voting Consul servers to efficiently improve Consul fault tolerance -- [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips): Limit gRPC and RPC traffic to servers for source IP addresses. -- [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates): Limit the rate of HTTP requests a service receives per service instance. +- [Automated Backups](/consul/docs/manage-consul/automated-backups): Configure the automatic backup of Consul state +- [Redundancy Zones](/consul/docs/manage-consul/redundancy-zones): Deploy backup voting Consul servers to efficiently improve Consul fault tolerance +- [Server request rate limits per source IP](/consul/docs/manage-consul/agent-rate-limit/source-ip-addresses): Limit gRPC and RPC traffic to servers for source IP addresses. +- [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates): Limit the rate of HTTP requests a service receives per service instance. - [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams): Prioritize upstream services in the same region and zone as the downstream service. -- [Fault injection](/consul/docs/connect/manage-traffic/fault-injection): Explore the resiliency of downstream services in response to problems with an upstream service, such as errors, latency, or response rate limits. ### Scalability -- [Read Replicas](/consul/docs/enterprise/read-scale): Deploy non-voting Consul servers to enhance the scalability of read requests. +- [Read Replicas](/consul/docs/manage-consul/read-replicas): Deploy non-voting Consul servers to enhance the scalability of read requests ### Operational simplification -- [Long Term Support (LTS)](/consul/docs/enterprise/long-term-support): Reduce operational overhead and risk by using LTS releases that are maintained for longer than standard releases. -- [Automated Upgrades](/consul/docs/enterprise/upgrades): Ease upgrades by automating the transition from existing to newly deployed Consul servers. -- [Consul-Terraform-Sync Enterprise](/consul/docs/nia/enterprise): Leverage the enhanced network infrastructure automation capabilities of the enterprise version of Consul-Terraform-Sync. +- [Automated Upgrades](/consul/docs/upgrade/automated): Ease upgrades by automating the transition from existing to newly deployed Consul servers +- [Consul-Terraform-Sync Enterprise](/consul/docs/nia/enterprise): Leverage the enhanced network infrastructure automation capabilities of the enterprise version of Consul-Terraform-Sync ### Complex network topology support -- [Network Areas](/consul/docs/enterprise/federation): Support complex network topologies between federated Consul datacenters with pairwise federation rather than full mesh federation. -- [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview): Support complex network topologies within a Consul datacenter by enforcing boundaries in Consul client gossip traffic. +- [Network Areas](/consul/docs/enterprise/federation): Support complex network topologies between federated Consul datacenters with pairwise federation rather than full mesh federation +- [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview): Support complex network topologies within a Consul datacenter by enforcing boundaries in Consul client gossip traffic ### Governance -- [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc): Manage user access to Consul through an OIDC identity provider instead of Consul ACL tokens directly. -- [Audit Logging](/consul/docs/enterprise/audit-logging): Understand Consul access and usage patterns by reviewing access to the Consul HTTP API. -- JWT authentication and authorization for API gateway: Prevent unverified traffic at the API gateway using JWTs for authentication and authorization on [VMs](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) and on [Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s). +- [OIDC Auth Method](/consul/docs/secure-consul/acl/auth-methods/oidc): Manage user access to Consul through an OIDC identity provider instead of Consul ACL tokens directly +- [Audit Logging](/consul/docs/enterprise/audit-logging): Understand Consul access and usage patterns by reviewing access to the Consul HTTP API +- JWT authentication and authorization for API gateway: Prevent unverified traffic at the API gateway using JWTs for authentication and authorization on [VMs](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) and on [Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s): ### Regulatory compliance -- [FIPS 140-2 Compliance](/consul/docs/enterprise/fips): Leverage FIPS builds of Consul Enterprise to ensure your Consul deployments are secured with BoringCrypto and CNGCrypto, and compliant with FIPS 140-2. +- [FIPS 140-2 Compliance](/consul/docs/deploy/server/fips): Leverage FIPS builds of Consul Enterprise to ensure your Consul deployments are secured with BoringCrypto and CNGCrypto, and compliant with FIPS 140-2. @@ -65,20 +63,20 @@ The following features are [available in several forms of Consul Enterprise](#co ## Access Consul Enterprise The method of accessing Consul Enterprise and its features depends on the whether using -HashiCorp Cloud Platform or self-managed Consul Enterprise. +HashiCorp Cloud Platform or self-managed Consul. -### HCP Consul Dedicated +### HCP Consul No action is required to access Consul Enterprise in a [HashiCorp Cloud Platform](https://cloud.hashicorp.com/products/consul) installation. -You can try out HCP Consul Dedicated for free. Refer to the -[HCP Consul Dedicated product page](https://cloud.hashicorp.com/products/consul) for more details. +You can try out HCP Consul for free. Refer to the +[HCP Consul product page](https://cloud.hashicorp.com/products/consul) for more details. -### Self-managed Consul Enterprise +### Self-Managed Consul To access Consul Enterprise in a self-managed installation, -[apply a purchased license](/consul/docs/enterprise/license/overview) +[apply a purchased license](/consul/docs/enterprise/license) to the Consul Enterprise binary that grants access to the desired features. Contact your [HashiCorp Support contact](https://support.hashicorp.com/) for a development license. @@ -91,28 +89,27 @@ The Consul Enterprise features that are available depend on your license and the Available Enterprise features per Consul form and license include: -| Feature | [HashiCorp Cloud Platform (HCP) Consul] | [Consul Enterprise] | Legacy Consul Enterprise (module-based) | -| ------------------------------------------------------------------------------------------------------------- | --------------------------------------- | ------------------- | ------------------------------------------------- | -| Consul servers as a managed service | Yes | No (self-managed) | No (self-managed) | -| [Admin Partitions](/consul/docs/enterprise/admin-partitions) | All tiers | Yes | With Governance and Policy module | -| [Audit Logging](/consul/docs/enterprise/audit-logging) | Standard tier and above | Yes | With Governance and Policy module | -| [Automated Server Backups](/consul/docs/enterprise/backups) | All tiers | Yes | Yes | -| [Automated Server Upgrades](/consul/docs/enterprise/upgrades) | All tiers | Yes | Yes | -| [Consul-Terraform-Sync Enterprise](/consul/docs/nia/enterprise) | All tiers | Yes | Yes | -| [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | No | Yes | With Global Visibility, Routing, and Scale module | -| [Fault injection](/consul/docs/connect/manage-traffic/fault-injection) | Yes | Yes | No | -| [FIPS 140-2 Compliance](/consul/docs/enterprise/fips) | No | Yes | No | -| [JWT verification for API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) | Yes | Yes | Yes | -| [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams) | Yes | Yes | Yes | -| [Long Term Support (LTS)](/consul/docs/enterprise/long-term-support) | Not applicable | Yes | Not applicable | -| [Namespaces](/consul/docs/enterprise/namespaces) | All tiers | Yes | With Governance and Policy module | -| [Network Areas](/consul/docs/enterprise/federation) | No | Yes | With Global Visibility, Routing, and Scale module | -| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | No | Yes | With Global Visibility, Routing, and Scale module | -| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | No | Yes | Yes | -| [Redundancy Zones](/consul/docs/enterprise/redundancy) | Not applicable | Yes | With Global Visibility, Routing, and Scale module | -| [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | No | Yes | Not applicable | -| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | All tiers | Yes | With Governance and Policy module | -| [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates) | Yes | Yes | Yes | +| Feature | [HashiCorp Cloud Platform (HCP) Consul] | [Consul Enterprise] | Legacy Consul Enterprise (module-based) | +| -------------------------------------------------------- | --------------------------------------- | ------------------- | ------------------------------------------------- | +| Consul servers as a managed service | Yes | No (self-managed) | No (self-managed) | +| [Admin Partitions](/consul/docs/segment/admin-partition) | All tiers | Yes | With Governance and Policy module | +| [Audit Logging](/consul/docs/enterprise/audit-logging) | Standard tier and above | Yes | With Governance and Policy module | +| [Automated Server Backups](/consul/docs/manage-consul/automated-backups) | All tiers | Yes | Yes | +| [Automated Server Upgrades](/consul/docs/upgrade/automated) | All tiers | Yes | Yes | +| [Consul-Terraform-Sync Enterprise](/consul/docs/nia/enterprise) | All tiers | Yes | Yes | +| [Enhanced Read Scalability](/consul/docs/manage-consul/read-replicas) | No | Yes | With Global Visibility, Routing, and Scale module | +| [FIPS 140-2 Compliance](/consul/docs/deploy/server/fips) | No | Yes | No | +| [JWT verification for API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) | Yes | Yes | Yes | +| [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams) | Yes | Yes | Yes | +| [Namespaces](/consul/docs/segment/namespace) | All tiers | Yes | With Governance and Policy module | +| [Network Areas](/consul/docs/enterprise/federation) | No | Yes | With Global Visibility, Routing, and Scale module | +| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | No | Yes | With Global Visibility, Routing, and Scale module | +| [OIDC Auth Method](/consul/docs/secure-consul/acl/auth-methods/oidc) | No | Yes | Yes | +| [Redundancy Zones](/consul/docs/manage-consul/redundancy-zones) | Not applicable | Yes | With Global Visibility, Routing, and Scale module | +| [Sameness Groups](/consul/docs/reference/config-entry/sameness-group) | No | Yes | N/A | +| [Server request rate limits per source IP](/consul/docs/manage-consul/agent-rate-limit/source-ip-addresses) | All tiers | Yes | With Governance and Policy module | +| [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates) | Yes | Yes | Yes | + [HashiCorp Cloud Platform (HCP) Consul]: https://cloud.hashicorp.com/products/consul [Consul Enterprise]: https://www.hashicorp.com/products/consul/ @@ -125,75 +122,69 @@ Consul Enterprise feature availability can change depending on your server and c -| Enterprise Feature | VM Client | K8s Client | ECS Client | -|-------------------------------------------------------------------------------------------------------------- | :-------: | :--------: | :--------: | -| [Admin Partitions](/consul/docs/enterprise/admin-partitions) | ✅ | ✅ | ✅ | -| [Audit Logging](/consul/docs/enterprise/audit-logging) | ✅ | ✅ | ✅ | -| [Automated Server Backups](/consul/docs/enterprise/backups) | ✅ | ✅ | ✅ | -| [Automated Server Upgrades](/consul/docs/enterprise/upgrades) | ✅ | ✅ | ✅ | -| [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | ✅ | ✅ | ✅ | -| [Fault injection](/consul/docs/connect/manage-traffic/fault-injection) | ✅ | ✅ | ✅ | -| [FIPS 140-2 Compliance](/consul/docs/enterprise/fips) | ✅ | ✅ | ✅ | -| [JWT verification for API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) | ✅ | ✅ | ❌ | -| [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams) | ✅ | ✅ | ✅ | -| [Long Term Support (LTS)](/consul/docs/enterprise/long-term-support) | ✅ | ✅ | ❌ | -| [Namespaces](/consul/docs/enterprise/namespaces) | ✅ | ✅ | ✅ | -| [Network Areas](/consul/docs/enterprise/federation) | ✅ | ✅ | ✅ | -| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ✅ | ✅ | ❌ | -| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ✅ | ✅ | ✅ | -| [Redundancy Zones](/consul/docs/enterprise/redundancy) | ✅ | ✅ | ✅ | -| [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | ✅ | ✅ | ✅ | -| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | -| [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates) | ✅ | ✅ | ✅ | +| Enterprise Feature | VM Client | K8s Client | ECS Client | +|----------------------------------------------------------------------------------------------------------|:---------:|:----------:| :--------: | +| [Admin Partitions](/consul/docs/segment/admin-partition) | ✅ | ✅ | ✅ | +| [Audit Logging](/consul/docs/enterprise/audit-logging) | ✅ | ✅ | ✅ | +| [Automated Server Backups](/consul/docs/manage-consul/automated-backups) | ✅ | ✅ | ✅ | +| [Automated Server Upgrades](/consul/docs/upgrade/automated) | ✅ | ✅ | ✅ | +| [Enhanced Read Scalability](/consul/docs/manage-consul/read-replicas) | ✅ | ✅ | ✅ | +| [FIPS 140-2 Compliance](/consul/docs/deploy/server/fips) | ✅ | ✅ | ✅ | +| [JWT verification for API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) | ✅ | ✅ | ❌ | +| [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams) | ✅ | ✅ | ✅ | +| [Namespaces](/consul/docs/segment/namespace) | ✅ | ✅ | ✅ | +| [Network Areas](/consul/docs/enterprise/federation) | ✅ | ✅ | ✅ | +| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ✅ | ✅ | ❌ | +| [OIDC Auth Method](/consul/docs/secure-consul/acl/auth-methods/oidc) | ✅ | ✅ | ✅ | +| [Redundancy Zones](/consul/docs/manage-consul/redundancy-zones) | ✅ | ✅ | ✅ | +| [Sameness Groups](/consul/docs/reference/config-entry/sameness-group) | ✅ | ✅ | ✅ | +| [Server request rate limits per source IP](/consul/docs/manage-consul/agent-rate-limit/source-ip-addresses) | ✅ | ✅ | ✅ | +| [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates) | ✅ | ✅ | ✅ | | Enterprise Feature | VM Client | K8s Client | ECS Client | -|-------------------------------------------------------------------------------------------------------------- | :-------: | :--------: | :--------: | -| [Admin Partitions](/consul/docs/enterprise/admin-partitions) | ✅ | ✅ | ✅ | -| [Audit Logging](/consul/docs/enterprise/audit-logging) | ✅ | ✅ | ✅ | -| [Automated Server Backups](/consul/docs/enterprise/backups) | ✅ | ✅ | ✅ | -| [Automated Server Upgrades](/consul/docs/enterprise/upgrades) | ❌ | ❌ | ❌ | -| [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | ❌ | ❌ | ❌ | -| [Fault injection](/consul/docs/connect/manage-traffic/fault-injection) | ✅ | ✅ | ✅ | -| [FIPS 140-2 Compliance](/consul/docs/enterprise/fips) | ✅ | ✅ | ✅ | -| [JWT verification for API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) | ✅ | ✅ | ❌ | -| [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams) | ✅ | ✅ | ✅ | -| [Long Term Support (LTS)](/consul/docs/enterprise/long-term-support) | ✅ | ✅ | ❌ | -| [Namespaces](/consul/docs/enterprise/namespaces) | ✅ | ✅ | ✅ | -| [Network Areas](/consul/docs/enterprise/federation) | ✅ | ✅ | ✅ | +|---------------------------------------------------------------------------------------------------------------| :-------: | :--------: | :--------: | +| [Admin Partitions](/consul/docs/segment/admin-partition) | ✅ | ✅ | ✅ | +| [Audit Logging](/consul/docs/enterprise/audit-logging) | ✅ | ✅ | ✅ | +| [Automated Server Backups](/consul/docs/manage-consul/automated-backups) | ✅ | ✅ | ✅ | +| [Automated Server Upgrades](/consul/docs/upgrade/automated) | ❌ | ❌ | ❌ | +| [Enhanced Read Scalability](/consul/docs/manage-consul/read-replicas) | ❌ | ❌ | ❌ | +| [FIPS 140-2 Compliance](/consul/docs/deploy/server/fips) | ✅ | ✅ | ✅ | +| [JWT verification for API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) | ✅ | ✅ | ❌ | +| [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams) | ✅ | ✅ | ✅ | +| [Namespaces](/consul/docs/segment/namespace) | ✅ | ✅ | ✅ | +| [Network Areas](/consul/docs/enterprise/federation) | ✅ | ✅ | ✅ | | [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ✅ | ✅ | ❌ | -| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ✅ | ✅ | ✅ | -| [Redundancy Zones](/consul/docs/enterprise/redundancy) | ❌ | ❌ | ❌ | -| [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | ✅ | ✅ | ✅ | -| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | -| [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates) | ✅ | ✅ | ✅ | +| [OIDC Auth Method](/consul/docs/secure-consul/acl/auth-methods/oidc) | ✅ | ✅ | ✅ | +| [Redundancy Zones](/consul/docs/manage-consul/redundancy-zones) | ❌ | ❌ | ❌ | +| [Sameness Groups](/consul/docs/reference/config-entry/sameness-group) | ✅ | ✅ | ✅ | +| [Server request rate limits per source IP](/consul/docs/manage-consul/agent-rate-limit/source-ip-addresses) | ✅ | ✅ | ✅ | +| [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates) | ✅ | ✅ | ✅ | -| Enterprise Feature | VM Client | K8s Client | ECS Client | -| ------------------------------------------------------------------------------------------------------------- | :-------: | :--------: | :--------: | -| [Admin Partitions](/consul/docs/enterprise/admin-partitions) | ✅ | ✅ | ✅ | -| [Audit Logging](/consul/docs/enterprise/audit-logging) | ✅ | ✅ | ✅ | -| [Automated Server Backups](/consul/docs/enterprise/backups) | ✅ | ✅ | ✅ | -| [Automated Server Upgrades](/consul/docs/enterprise/upgrades) | ✅ | ✅ | ✅ | -| [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | ❌ | ❌ | ❌ | -| [Fault injection](/consul/docs/connect/manage-traffic/fault-injection) | ✅ | ✅ | ✅ | -| [FIPS 140-2 Compliance](/consul/docs/enterprise/fips) | ❌ | ❌ | ❌ | -| [JWT verification for API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) | ✅ | ✅ | ❌ | -| [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams) | ✅ | ✅ | ✅ | -| [Long Term Support (LTS)](/consul/docs/enterprise/long-term-support) | N/A | N/A | N/A | -| [Namespaces](/consul/docs/enterprise/namespaces) | ✅ | ✅ | ✅ | -| [Network Areas](/consul/docs/enterprise/federation) | ❌ | ❌ | ❌ | -| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ❌ | ❌ | ❌ | -| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ❌ | ❌ | ❌ | -| [Redundancy Zones](/consul/docs/enterprise/redundancy) | N/A | N/A | N/A | -| [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | ✅ | ✅ | ✅ | -| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | -| [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates) | ✅ | ✅ | ✅ | +| Enterprise Feature | VM Client | K8s Client | ECS Client | +| ----------------------------------------------------------------------- | :-------: | :--------: | :--------: | +| [Admin Partitions](/consul/docs/segment/admin-partition) | ✅ | ✅ | ✅ | +| [Audit Logging](/consul/docs/enterprise/audit-logging) | ✅ | ✅ | ✅ | +| [Automated Server Backups](/consul/docs/manage-consul/automated-backups) | ✅ | ✅ | ✅ | +| [Automated Server Upgrades](/consul/docs/upgrade/automated) | ✅ | ✅ | ✅ | +| [Enhanced Read Scalability](/consul/docs/manage-consul/read-replicas) | ❌ | ❌ | ❌ | +| [FIPS 140-2 Compliance](/consul/docs/deploy/server/fips) | ❌ | ❌ | ❌ | +| [JWT verification for API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) | ✅ | ✅ | ❌ | +| [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams) | ✅ | ✅ | ✅ | +| [Namespaces](/consul/docs/segment/namespace) | ✅ | ✅ | ✅ | +| [Network Areas](/consul/docs/enterprise/federation) | ❌ | ❌ | ❌ | +| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ❌ | ❌ | ❌ | +| [OIDC Auth Method](/consul/docs/secure-consul/acl/auth-methods/oidc) | ❌ | ❌ | ❌ | +| [Redundancy Zones](/consul/docs/manage-consul/redundancy-zones) | n/a | n/a | n/a | +| [Sameness Groups](/consul/docs/reference/config-entry/sameness-group) | ✅ | ✅ | ✅ | +| [Server request rate limits per source IP](/consul/docs/manage-consul/agent-rate-limit/source-ip-addresses) | ✅ | ✅ | ✅ | +| [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates) | ✅ | ✅ | ✅ | diff --git a/website/content/docs/enterprise/license/utilization-reporting.mdx b/website/content/docs/enterprise/license/automated-entitlement-utilization.mdx similarity index 100% rename from website/content/docs/enterprise/license/utilization-reporting.mdx rename to website/content/docs/enterprise/license/automated-entitlement-utilization.mdx diff --git a/website/content/docs/enterprise/license/faq.mdx b/website/content/docs/enterprise/license/faq.mdx index 4278f7ec5eb..3bb1eb7b002 100644 --- a/website/content/docs/enterprise/license/faq.mdx +++ b/website/content/docs/enterprise/license/faq.mdx @@ -26,7 +26,7 @@ This will no longer work since each server must be able to find a valid license All customers on Consul Enterprise 1.8/1.9 must first upgrade their client and server agents to the latest patch release. During the upgrade the license file must also be configured on client agents in an environment variable or file path, otherwise the Consul agents will fail to retrieve the license with a valid agent token. The upgrade process varies if ACLs are enabled or disabled in the cluster. -Refer to the instructions on [upgrading to 1.10.x](/consul/docs/upgrading/instructions/upgrade-to-1-10-x) for details. +Refer to the instructions on [upgrading to 1.10.x](/consul/docs/upgrade/instructions/1-10-x) for details. ## Q: Is there a tutorial available for the license configuration steps? @@ -36,11 +36,11 @@ Please visit the [Enterprise License Tutorial](/nomad/tutorials/enterprise/hashi The list below is a great starting point for learning more about the license changes introduced in Consul Enterprise 1.10.0+ent. -- [Consul Enterprise Upgrade Documentation](/consul/docs/enterprise/upgrades) +- [Consul Enterprise Upgrade Documentation](/consul/docs/upgrade/automated) -- [Consul License Documentation](/consul/docs/enterprise/license/overview) +- [Consul License Documentation](/consul/docs/enterprise/license) -- [License configuration values documentation](/consul/docs/enterprise/license/overview#binaries-without-built-in-licenses) +- [License configuration values documentation](/consul/docs/enterprise/license#binaries-without-built-in-licenses) - [Install a HashiCorp Enterprise License Tutorial](/nomad/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs) @@ -120,9 +120,9 @@ Contact your organization's [HashiCorp account team](https://support.hashicorp.c The license files are not locked to a specific cluster or cluster node. The above changes apply to all nodes in a cluster. -## Q: Will this impact HCP Consul Dedicated? +## Q: Will this impact HCP Consul? -This will not impact HCP Consul Dedicated. +This will not impact HCP Consul. ## Q: Does this need to happen every time a node restarts, or is this a one-time check? @@ -147,7 +147,7 @@ Please see the [upgrade requirements](/consul/docs/enterprise/license/faq#q-what 1. Run [`consul license get -signed`](/consul/commands/license#get) to extract the license from their running cluster. Store the license in a secure location on disk. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable. 1. Visit the [Enterprise License Tutorial](/nomad/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key. -1. Follow the Consul upgrade [documentation](/consul/docs/upgrading). +1. Follow the Consul upgrade [documentation](/consul/docs/upgrade). ### Kubernetes @@ -155,10 +155,10 @@ Please see the [upgrade requirements](/consul/docs/enterprise/license/faq#q-what 1. In order to use Consul Enterprise 1.10.0 or greater on Kubernetes you must use version 0.32.0 or greater of the Helm chart. 1. You should already have a Consul Enterprise license set as a Kubernetes secret. If you do not, refer to [how to obtain a copy of your license](/consul/docs/enterprise/license/faq#q-i-m-an-existing-enterprise-customer-but-don-t-have-my-license-how-can-i-get-it). -Once you have the license then create a Kubernetes secret containing the license as described in [Kubernetes - Consul Enterprise](/consul/docs/k8s/deployment-configurations/consul-enterprise). -1. Follow the [Kubernetes Upgrade Docs](/consul/docs/k8s/upgrade) to upgrade. No changes to your `values.yaml` file are needed to enable enterprise autoloading since this support is built in to consul-helm 0.32.0 and greater. +Once you have the license then create a Kubernetes secret containing the license as described in [Kubernetes - Consul Enterprise](/consul/docs/deploy/server/k8s/multi/enterprise). +1. Follow the [Kubernetes Upgrade Docs](/consul/docs/upgrade/k8s) to upgrade. No changes to your `values.yaml` file are needed to enable enterprise autoloading since this support is built in to consul-helm 0.32.0 and greater. -!> **Warning:** If you are upgrading the Helm chart but **not** upgrading the Consul version, you must set `server.enterpriseLicense.enableLicenseAutoload: false`. See [Kubernetes - Consul Enterprise](/consul/docs/k8s/deployment-configurations/consul-enterprise) for more details. +!> **Warning:** If you are upgrading the Helm chart but **not** upgrading the Consul version, you must set `server.enterpriseLicense.enableLicenseAutoload: false`. See [Kubernetes - Consul Enterprise](/consul/docs/deploy/server/k8s/multi/enterprise) for more details. ## Q: What is the migration path for customers who want to migrate from their existing perpetually-licensed binaries to the license on disk flow? @@ -168,14 +168,14 @@ Once you have the license then create a Kubernetes secret containing the license 1. Store the license in a secure location on disk. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable. Visit the [Enterprise License Tutorial](/nomad/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key. -1. Follow the Consul upgrade [documentation](/consul/docs/upgrading). +1. Follow the Consul upgrade [documentation](/consul/docs/upgrade). ### Kubernetes 1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's [customer success manager](https://support.hashicorp.com/hc/en-us) (CSM) for information on how to get your organization's enterprise license. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable. Visit the [Enterprise License Tutorial](/nomad/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key. -1. Proceed with the `helm` [upgrade instructions](/consul/docs/k8s/upgrade) +1. Proceed with the `helm` [upgrade instructions](/consul/docs/upgrade/k8s) ## Q: Will Consul downgrades/rollbacks work? diff --git a/website/content/docs/enterprise/license/overview.mdx b/website/content/docs/enterprise/license/index.mdx similarity index 92% rename from website/content/docs/enterprise/license/overview.mdx rename to website/content/docs/enterprise/license/index.mdx index d2bcb88a4ae..912472ce366 100644 --- a/website/content/docs/enterprise/license/overview.mdx +++ b/website/content/docs/enterprise/license/index.mdx @@ -28,7 +28,7 @@ Virtual agents are nodes that Consul service mesh services run on. HashiCorp use ### Applying a License For Consul Enterprise 1.10.0 or greater, a license must be available at the time the agent starts. -For server agents this means that they must either have the [`license_path`](/consul/docs/agent/config/config-files#license_path) +For server agents this means that they must either have the [`license_path`](/consul/docs/reference/agent#license_path) configuration set or have a license configured in the servers environment with the `CONSUL_LICENSE` or `CONSUL_LICENSE_PATH` environment variables. Both the configuration item and the `CONSUL_LICENSE_PATH` environment variable point to a file containing the license whereas the `CONSUL_LICENSE` environment @@ -39,7 +39,7 @@ the following order of precedence applies: 2. `CONSUL_LICENSE_PATH` environment variable 3. `license_path` configuration item. -Client agents and [snapshot agents](/consul/docs/enterprise/backups) +Client agents and [snapshot agents](/consul/docs/manage-consul/automated-backups) may also be licensed in the very same manner. However, to avoid the need to configure the license on many client agents and snapshot agents, those agents have the capability to retrieve the license automatically under the conditions described below. @@ -59,8 +59,8 @@ When a client agent starts without a license in its configuration or environment license from the servers via RPCs. That RPC always requires a valid non-anonymous ACL token to authorize the request but the token doesn't need any particular permissions. As the license is required before the client actually joins the cluster, where to make those RPC requests to is inferred from the -[`retry_join`](/consul/docs/agent/config/config-files#retry_join) configuration. If `retry_join` is unset or no -[`agent` token](/consul/docs/agent/config/config-files#acl_tokens_agent) is set then the client agent will immediately shut itself down. +[`retry_join`](/consul/docs/reference/agent#retry_join) configuration. If `retry_join` is unset or no +[`agent` token](/consul/docs/reference/agent#acl_tokens_agent) is set then the client agent will immediately shut itself down. If all preliminary checks pass the client agent will attempt to reach out to any server on its RPC port to request the license. These requests will be retried for up to 5 minutes and if it is unable to retrieve a diff --git a/website/content/docs/enterprise/read-scale.mdx b/website/content/docs/enterprise/read-scale.mdx deleted file mode 100644 index f4357d301ef..00000000000 --- a/website/content/docs/enterprise/read-scale.mdx +++ /dev/null @@ -1,25 +0,0 @@ ---- -layout: docs -page_title: Read Replicas (Enterprise) -description: >- - Learn how you can add non-voting servers to datacenters as read replicas to provide enhanced read scalability without impacting write latency. ---- - -# Enhanced Read Scalability with Read Replicas - - - -This feature requires -HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. -Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. - - - -Consul Enterprise provides the ability to scale clustered Consul servers -to include voting servers and read replicas. Read replicas still receive data from the cluster replication, -however, they do not take part in quorum election operations. Expanding your Consul cluster in this way can scale -reads without impacting write latency. - -For more details, review the [Consul server configuration](/consul/docs/agent/config) -documentation and the [-read-replica](/consul/docs/agent/config/cli-flags#_read_replica) -configuration flag. diff --git a/website/content/docs/enterprise/redundancy.mdx b/website/content/docs/enterprise/redundancy.mdx deleted file mode 100644 index 8d68b6b43aa..00000000000 --- a/website/content/docs/enterprise/redundancy.mdx +++ /dev/null @@ -1,33 +0,0 @@ ---- -layout: docs -page_title: Redundancy Zones (Enterprise) -description: >- - Redundancy zones are regions of a cluster containing "hot standby" servers, or non-voting servers that can replace voting servers in the event of a failure. Learn about redundancy zones and how they improve resiliency and increase fault tolerance without affecting latency. ---- - -# Redundancy Zones - - - -This feature requires -self-managed Consul Enterprise. -Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. - - - -Consul Enterprise redundancy zones provide -both scaling and resiliency benefits by enabling the deployment of non-voting -servers alongside voting servers on a per availability zone basis. - -When using redundancy zones, if an operator chooses to deploy Consul across 3 availability zones, they -could have 2 (or more) servers (1 voting/1 non-voting) in each zone. In the event that a voting -member in an availability zone fails, the redundancy zone configuration would automatically -promote the non-voting member to a voting member. In the event that an entire availability -zone was lost, a non-voting member in one of the existing availability zones would promote -to a voting member, keeping server quorum. This capability functions as a "hot standby" -for server nodes while also providing (and expanding) the capabilities of -[enhanced read scalability](/consul/docs/enterprise/read-scale) by also including recovery -capabilities. - -For more information, complete the [Redundancy Zones](/consul/tutorials/datacenter-operations/autopilot-datacenter-operations#redundancy-zones) tutorial -and reference the [Consul Autopilot](/consul/commands/operator/autopilot) documentation. diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/apigee-ext-authz.mdx b/website/content/docs/envoy-extension/apigee-external-authz.mdx similarity index 84% rename from website/content/docs/connect/proxies/envoy-extensions/usage/apigee-ext-authz.mdx rename to website/content/docs/envoy-extension/apigee-external-authz.mdx index a0492de0b24..63ea52575f3 100644 --- a/website/content/docs/connect/proxies/envoy-extensions/usage/apigee-ext-authz.mdx +++ b/website/content/docs/envoy-extension/apigee-external-authz.mdx @@ -8,7 +8,7 @@ description: Learn how to use the `ext-authz` Envoy extension to delegate data p This topic describes how to use the external authorization Envoy extension to delegate data plane authorization requests to Apigee. -For more detailed guidance, refer to the [`learn-consul-apigee-external-authz` repo](https://github.com/hashicorp-education/learn-consul-apigee-external-authz) on GitHub. +For more detailed guidance, refer to the [`learn-consul-apigee-external-authz` repository](https://github.com/hashicorp-education/learn-consul-apigee-external-authz) on GitHub. ## Workflow @@ -22,12 +22,11 @@ Complete the following steps to use the external authorization extension with Ap The [Apigee Adapter for Envoy](https://cloud.google.com/apigee/docs/api-platform/envoy-adapter/v2.0.x/concepts) is an Apigee-managed API gateway that uses Envoy to proxy API traffic. -To download and install Apigee Adapter for Envoy, refer to the [getting started documentation](https://cloud.google.com/apigee/docs/api-platform/envoy-adapter/v2.0.x/getting-started) or follow along with the [`learn-consul-apigee-external-authz` repo](https://github.com/hashicorp-education/learn-consul-apigee-external-authz) on GitHub. +To download and install Apigee Adapter for Envoy, refer to the [getting started documentation](https://cloud.google.com/apigee/docs/api-platform/envoy-adapter/v2.0.x/getting-started) or follow along with the [`learn-consul-apigee-external-authz` GitHub repository](https://github.com/hashicorp-education/learn-consul-apigee-external-authz). After you deploy the service in your desired runtime, create a service defaults configuration entry for the service's gRPC protocol. - - + ```hcl @@ -35,9 +34,8 @@ Kind = "service-defaults" Name = "apigee-remote-service-envoy" Protocol = "grpc" ``` + - - ```json @@ -49,8 +47,6 @@ Protocol = "grpc" ``` - - ```yaml @@ -62,9 +58,9 @@ metadata: spec: protocol: grpc ``` + - - + ## Configure the `EnvoyExtensions` @@ -81,8 +77,7 @@ Consul applies Envoy extensions configured in proxy defaults before it applies e The following example configures the default behavior for all services named `api` so that the Envoy proxies running as sidecars for those service instances target the apigee-remote-service-envoy service for gRPC authorization requests: - - + ```hcl @@ -107,9 +102,6 @@ EnvoyExtensions = [ ] ``` - - - ```json @@ -136,9 +128,6 @@ EnvoyExtensions = [ ``` - - - ```yaml @@ -160,40 +149,35 @@ spec: namespace: apigee ``` - - + + +Refer to the [external authorization extension configuration reference](/consul/docs/reference/proxy/envoy-extensions/configuration/ext-authz) for details on how to configure the extension. -Refer to the [external authorization extension configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/ext-authz) for details on how to configure the extension. +Refer to the [proxy defaults configuration entry reference](/consul/docs/reference/config-entry/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/reference/config-entry/service-default) for details on how to define the configuration entries. -Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries. + + Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases. + ## Apply the configuration entry On the CLI, you can use the `consul config write` command and specify the names of the configuration entries to apply them to Consul. For Kubernetes-orchestrated networks, use the `kubectl apply` command to update the relevant CRD. - - + ```shell-session $ consul config write apigee-remote-service-envoy.hcl $ consul config write api-auth-service-defaults.hcl ``` - - - ```shell-session $ consul config write apigee-remote-service-envoy.json $ consul config write api-auth-service-defaults.json ``` - - - ```shell-session $ kubectl apply -f apigee-remote-service-envoy.yaml $ kubectl apply -f api-auth-service-defaults.yaml ``` - - + diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/ext-authz.mdx b/website/content/docs/envoy-extension/external-authz.mdx similarity index 75% rename from website/content/docs/connect/proxies/envoy-extensions/usage/ext-authz.mdx rename to website/content/docs/envoy-extension/external-authz.mdx index 51a004c17b3..1d5ff9b2beb 100644 --- a/website/content/docs/connect/proxies/envoy-extensions/usage/ext-authz.mdx +++ b/website/content/docs/envoy-extension/external-authz.mdx @@ -26,8 +26,7 @@ Consul applies Envoy extensions configured in proxy defaults before it applies e The following example shows a service defaults configuration entry for the `api` service that directs the Envoy proxy to make gRPC authorization requests to the `authz` service: - - + ```hcl @@ -52,8 +51,6 @@ EnvoyExtensions = [ ] ``` - - ```json @@ -80,8 +77,6 @@ EnvoyExtensions = [ ``` - - ```yaml @@ -103,14 +98,15 @@ spec: namespace: authz ``` - - + -Refer to the [external authorization extension configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/ext-authz) for details on how to configure the extension. +Refer to the [external authorization extension configuration reference](/consul/docs/reference/proxy/envoy-extensions/configuration/ext-authz) for details on how to configure the extension. -Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries. +Refer to the [proxy defaults configuration entry reference](/consul/docs/reference/config-entry/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/reference/config-entry/service-default) for details on how to define the configuration entries. -!> **Warning:** Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases. + + Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases. + ### Unsupported Envoy configuration fields @@ -118,36 +114,28 @@ The following Envoy configurations are not supported: | Configuration | Workaround | | --- | --- | -| `deny_at_disable` | Disable filter by removing it from the service’s configuration in the configuration entry. | -| `failure_mode_allow` | Set the `EnvoyExtension.Required` field to `true` in the [service defaults configuration entry](/consul/docs/connect/config-entries/service-defaults#envoyextensions) or [proxy defaults configuration entry](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions). | -| `filter_enabled` | Set the `EnvoyExtension.Required` field to `true` in the [service defaults configuration entry](/consul/docs/connect/config-entries/service-defaults#envoyextensions) or [proxy defaults configuration entry](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions). | -| `filter_enabled_metadata` | Set the `EnvoyExtension.Required` field to `true` in the [service defaults configuration entry](/consul/docs/connect/config-entries/service-defaults#envoyextensions) or [proxy defaults configuration entry](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions). | +| `deny_at_disable` | Disable filter by removing it from the service's configuration in the configuration entry. | +| `failure_mode_allow` | Set the `EnvoyExtension.Required` field to `true` in the [service defaults configuration entry](/consul/docs/reference/config-entry/service-default#envoyextensions) or [proxy defaults configuration entry](/consul/docs/reference/config-entry/proxy-defaults#envoyextensions). | +| `filter_enabled` | Set the `EnvoyExtension.Required` field to `true` in the [service defaults configuration entry](/consul/docs/reference/config-entry/service-default#envoyextensions) or [proxy defaults configuration entry](/consul/docs/reference/config-entry/proxy-defaults#envoyextensions). | +| `filter_enabled_metadata` | Set the `EnvoyExtension.Required` field to `true` in the [service defaults configuration entry](/consul/docs/reference/config-entry/service-default#envoyextensions) or [proxy defaults configuration entry](/consul/docs/reference/config-entry/proxy-defaults#envoyextensions). | | `transport_api_version` | Consul only supports v3 of the transport API. As a result, there is no workaround for implementing the behavior of this field. | ## Apply the configuration entry If your network is deployed to virtual machines, use the `consul config write` command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command. The following example applies the extension in a proxy defaults configuration entry. - - + ```shell-session $ consul config write api-auth-service-defaults.hcl ``` - - - ```shell-session $ consul config write api-auth-service-defaults.json ``` - - - ```shell-session $ kubectl apply -f api-auth-service-defaults.yaml ``` - - + diff --git a/website/content/docs/connect/proxies/envoy-extensions/index.mdx b/website/content/docs/envoy-extension/index.mdx similarity index 61% rename from website/content/docs/connect/proxies/envoy-extensions/index.mdx rename to website/content/docs/envoy-extension/index.mdx index 8fd19feed38..1f81eff0002 100644 --- a/website/content/docs/connect/proxies/envoy-extensions/index.mdx +++ b/website/content/docs/envoy-extension/index.mdx @@ -2,56 +2,50 @@ layout: docs page_title: Envoy Extensions description: >- - Learn how Envoy extensions enables you to add support for additional Envoy features without modifying the Consul codebase. + Envoy extensions are plugins that you can use to add support for additional Envoy features without modifying the Consul codebase. --- # Envoy extensions overview -This topic provides an overview of Envoy extensions in Consul service mesh deployments. You can modify Consul-generated Envoy resources to add additional functionality without modifying the Consul codebase. +This topic provides an overview of Envoy extensions in Consul service mesh deployments. You can modify Consul-generated Envoy resources to add support for additional Envoy features without modifying the Consul codebase. ## Introduction -Consul supports two methods for modifying Envoy behavior. You can either modify the Envoy resources Consul generates through [escape hatches](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) or configure your services to use Envoy extensions using the `EnvoyExtension` parameter. Implementing escape hatches requires rewriting the Envoy resources so that they are compatible with Consul, a task that also requires understanding how Consul names Envoy resources and enforces intentions. - -Instead of modifying Consul code, you can configure your services to use Envoy extensions through the `EnvoyExtensions` field. This field is definable in [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions) and [`service-defaults`](/consul/docs/connect/config-entries/service-defaults#envoyextensions) configuration entries. +Consul supports two methods for modifying Envoy behavior. You can either modify the Envoy resources Consul generates through [escape hatches](/consul/docs/reference/proxy/envoy#escape-hatch-overrides) or configure your services to use Envoy extensions using the `EnvoyExtension` parameter. Implementing escape hatches requires rewriting the Envoy resources so that they are compatible with Consul, a task that also requires understanding how Consul names Envoy resources and enforces intentions. +Instead of modifying Consul code, you can configure your services to use Envoy extensions through the `EnvoyExtensions` field. This field is definable in [`proxy-defaults`](/consul/docs/reference/config-entry/proxy-defaults#envoyextensions) and [`service-defaults`](/consul/docs/reference/config-entry/service-default#envoyextensions) configuration entries. ## Supported extensions Envoy extensions enable additional service mesh functionality in Consul by changing how the sidecar proxies behave. Extensions dynamically modify the configuration of Envoy proxies based on Consul configuration entries, enabling a wider set of use cases for the service mesh traffic that passes through an Envoy proxy. Consul supports the following extensions: - External authorization -- Fault injection - Lua - Lambda -- OpenTelemetry Access Logging +- OpenTelemetry (OTel) access logging - Property override - WebAssembly (Wasm) ### External authorization -The `ext-authz` extension lets you configure external authorization filters for Envoy proxy so that you can route requests to external authorization systems. Refer to the [external authorization documentation](/consul/docs/connect/proxies/envoy-extensions/usage/ext-authz) for more information. - -### Fault injection - -The `fault-injection` extension lets you alter responses from an upstream service so that users can test the resilience of their system to different unexpected issues. Refer to the [fault injection documentation](/consul/docs/connect/manage-traffic/fault-injection) for more information. +The `ext-authz` extension lets you configure external authorization filters for Envoy proxy so that you can route requests to external authorization systems. Refer to the [external authorization documentation](/consul/docs/reference/proxy/envoy-extensions/usage/ext-authz) for more information. ### Lambda -The `lambda` Envoy extension enables services to make requests to AWS Lambda functions through the mesh as if they are a normal part of the Consul catalog. Refer to the [Lambda extension documentation](/consul/docs/connect/proxies/envoy-extensions/usage/lambda) for more information. +The `lambda` Envoy extension enables services to make requests to AWS Lambda functions through the mesh as if they are a normal part of the Consul catalog. Refer to the [Lambda extension documentation](/consul/docs/reference/proxy/envoy-extensions/usage/connect/lambda) for more information. ### Lua -The `lua` Envoy extension enables HTTP Lua filters in your Consul Envoy proxies. It allows you to run Lua scripts during Envoy requests and responses from Consul-generated Envoy resources. Refer to the [Lua extension documentation](/consul/docs/connect/proxies/envoy-extensions/usage/lua) for more information. +The `lua` Envoy extension enables HTTP Lua filters in your Consul Envoy proxies. It allows you to run Lua scripts during Envoy requests and responses from Consul-generated Envoy resources. Refer to the [Lua extension documentation](/consul/docs/reference/proxy/envoy-extensions/usage/lua) for more information. ### OpenTelemetry Access Logging -The `otel-access-logging` Envoy extension lets you configure Envoy proxies to send access logs to OpenTelemetry collector service. Refer to the [OpenTelemetry Access Logging extension documentation](/consul/docs/connect/proxies/envoy-extensions/usage/otel-access-logging) for more information. +The `otel-access-logging` Envoy extension lets you configure Envoy proxies to send access logs to OpenTelemetry collector service. Refer to the [OpenTelemetry Access Logging extension documentation](/consul/docs/reference/proxy/envoy-extensions/usage/otel-access-logging) for more information. ### Property override -The `property-override` extension lets you set and unset individual properties on the Envoy resources that Consul generates. Use the extension instead of [escape-hatch overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) to enable advanced Envoy configuration. Refer to the [property override documentation](/consul/docs/connect/proxies/envoy-extensions/usage/property-override) for more information. +The `property-override` extension lets you set and unset individual properties on the Envoy resources that Consul generates. Use the extension instead of [escape-hatch overrides](/consul/docs/reference/proxy/envoy#escape-hatch-overrides) to enable advanced Envoy configuration. Refer to the [property override documentation](/consul/docs/reference/proxy/envoy-extensions/usage/property-override) for more information. ### WebAssembly -The `wasm` extension enables you to configure TCP and HTTP filters that invoke custom WebAssembly (Wasm) plugins. Refer to the [WebAssembly extension documentation](/consul/docs/connect/proxies/envoy-extensions/usage/wasm) for more information. +The `wasm` extension lets you configure TCP and HTTP filters that invoke custom WebAssembly (Wasm) plugins. Refer to the [WebAssembly extension documentation](/consul/docs/reference/proxy/envoy-extensions/usage/wasm) for more information. diff --git a/website/content/docs/envoy-extension/lambda.mdx b/website/content/docs/envoy-extension/lambda.mdx new file mode 100644 index 00000000000..075d5142437 --- /dev/null +++ b/website/content/docs/envoy-extension/lambda.mdx @@ -0,0 +1,192 @@ +--- +layout: docs +page_title: Lambda Envoy Extension +description: >- + Learn how the `lambda` Envoy extension enables Consul to join AWS Lambda functions to its service mesh. +--- + +# Invoke Lambda functions in Envoy proxy + +The Lambda Envoy extension configures outbound traffic on upstream dependencies allowing mesh services to properly invoke AWS Lambda functions. Lambda functions appear in the catalog as any other Consul service. + +You can only enable the Lambda extension through `service-defaults`. This is because the Consul uses the `service-defaults` configuration entry name as the catalog name for the Lambda functions. + +## Configuration specifications + +The Lambda Envoy extension has the following arguments: + +| Arguments | Type | Default | Description | +| ---------------- | ----------| -------- | -------------------------------------------------------------------------------- | +| `ARN` | `string` | Required | Specifies the [AWS ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) for the service's Lambda. | +| `InvocationMode` | `boolean` | `false` | Determines if Consul configures the Lambda to be invoked using the `synchronous` or `asynchronous` [invocation mode](https://docs.aws.amazon.com/lambda/latest/operatorguide/invocation-modes.html). | +| `PayloadPassthrough` | `string` | `synchronous` | Determines if the body Envoy receives is converted to JSON or directly passed to Lambda. | + +Unlike [manual lambda registration](/consul/docs/register/service/lambda/manual#supported-meta-fields), the Envoy extension infers the region from the ARN. + +## Workflow + +Complete the following steps to use the Lambda Envoy extension: + +1. Configure EnvoyExtensions through `service-defaults`. +1. Apply the configuration entry. + +### Configure `EnvoyExtensions` + +To use the Lambda Envoy extension, you must configure and apply a `service-defaults` configuration entry. Consul uses service default's name as the Consul service name for the Lambda function. Downstream services also use the name to invoke the Lambda. + +The following example configures the Lambda Envoy extension to create a service named `lambda-1234` in the mesh that can invoke the associated Lambda function. + + + + +```hcl +Kind = "service-defaults" +Name = "lambda-1234" +Protocol = "http" +EnvoyExtensions { + Name = "builtin/aws/lambda" + Arguments = { + ARN = "arn:aws:lambda:us-west-2:111111111111:function:lambda-1234" + } +} +``` + + + + +```json +{ + "kind": "service-defaults", + "name": "lambda-1234", + "protocol": "http", + "envoy_extensions": [{ + "name": "builtin/aws/lambda", + "arguments": { + "arn": "arn:aws:lambda:us-west-2:111111111111:function:lambda-1234" + } + }] +} +``` + + + + +```yaml +apiVersion: consul.hashicorp.com/v1alpha1 +kind: ServiceDefaults +metadata: + name: lambda-1234 +spec: + protocol: http + envoyExtensions: + - name = "builtin/aws/lambda" + arguments: + arn: arn:aws:lambda:us-west-2:111111111111:function:lambda-1234 +``` + + + + +For a full list of parameters for `EnvoyExtensions`, refer to the [`service-defaults`](/consul/docs/reference/config-entry/service-default#envoyextensions). + + You can only enable the Lambda extension through `service-defaults`. + +Refer to [Configuration specification](#configuration-specification) section to find a full list of arguments for the Lambda Envoy extension. + +### Apply the configuration entry + +Apply the `service-defaults` configuration entry. + + + +```shell-session +$ consul config write lambda-envoy-extension.hcl +``` + +```shell-session +$ consul config write lambda-envoy-extension.json +``` + +```shell-session +$ kubectl apply lambda-envoy-extension.yaml +``` + + + +## Examples + +The following example configuration adds a single Lambda function running in two regions into the mesh. You can use the `lambda-1234` service name to invoke it, as if it was any other service in the mesh. + + + + +```hcl +Kind = "service-defaults" +Name = "lambda-1234" +Protocol = "http" +EnvoyExtensions { + Name = "builtin/aws/lambda" + + Arguments = { + payloadPassthrough: false + arn: arn:aws:lambda:us-west-2:111111111111:function:lambda-1234 + } +} +EnvoyExtensions { + Name = "builtin/aws/lambda" + + Arguments = { + payloadPassthrough: false + arn: arn:aws:lambda:us-east-1:111111111111:function:lambda-1234 + } +} +``` + + + + +```hcl +{ + "kind": "service-defaults", + "name": "lambda-1234", + "protocol": "http", + "envoy_extensions": [{ + "name": "builtin/aws/lambda", + "arguments": { + "payload_passthrough": false, + "arn": "arn:aws:lambda:us-west-2:111111111111:function:lambda-1234" + } + }, + { + "name": "builtin/aws/lambda", + "arguments": { + "payload_passthrough": false, + "arn": "arn:aws:lambda:us-east-1:111111111111:function:lambda-1234" + } + }] +} +``` + + + + +```yaml +apiVersion: consul.hashicorp.com/v1alpha1 +kind: ServiceDefaults +metadata: + name: lambda-1234 +spec: + protocol: http + envoyExtensions: + - name = "builtin/aws/lambda" + arguments: + payloadPassthrough: false + arn: arn:aws:lambda:us-west-2:111111111111:function:lambda-1234 + - name = "builtin/aws/lambda" + arguments: + payloadPassthrough: false + arn: arn:aws:lambda:us-east-1:111111111111:function:lambda-1234 +``` + + + \ No newline at end of file diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/lua.mdx b/website/content/docs/envoy-extension/lua.mdx similarity index 75% rename from website/content/docs/connect/proxies/envoy-extensions/usage/lua.mdx rename to website/content/docs/envoy-extension/lua.mdx index 5bac9081360..b23797c431d 100644 --- a/website/content/docs/connect/proxies/envoy-extensions/usage/lua.mdx +++ b/website/content/docs/envoy-extension/lua.mdx @@ -15,13 +15,15 @@ Envoy filters support setting and getting dynamic metadata, allowing a filter to To use the Lua Envoy extension, configure the following arguments in the `EnvoyExtensions` block: -- `ProxyType`: string | `connect-proxy` - Determines the proxy type the extension applies to. The only supported value is `connect-proxy`. -- `ListenerType`: string | required - Specifies if the extension is applied to the `inbound` or `outbound` listener. -- `Script`: string | required - The Lua script that is configured to run by the HTTP Lua filter. +| Arguments | Type | Default | Description | +| -------------- | -------- | -------- | -------------------------------------------------------------------------------- | +| `ListenerType` | `string` | Required | Specifies if the extension is applied to the `inbound` or `outbound` listener. | +| `ProxyType` | `string` | `connect-proxy` | Determines the proxy type the extension applies to. The only supported value is `connect-proxy`. | +| `Script` | `string` | Required | The Lua script that is configured to run by the HTTP Lua filter. | ## Workflow -There are two steps to configure the Lua Envoy extension: +Complete the following steps to use the Lua Envoy extension: 1. Configure EnvoyExtensions through `service-defaults` or `proxy-defaults`. 1. Apply the configuration entry. @@ -37,8 +39,7 @@ Consul applies Envoy extensions configured in `proxy-defaults` before it applies The following example configures the Lua Envoy extension on every service by using the `proxy-defaults`. - - + ```hcl @@ -67,11 +68,9 @@ end ``` - - -```hcl +```json { "kind": "proxy-defaults", "name": "global", @@ -88,8 +87,6 @@ end ``` - - ```yaml @@ -100,11 +97,11 @@ metadata: spec: protocol: http envoyExtensions: - name = "builtin/lua" - arguments: - proxyType: "connect-proxy" - listener: "inbound" - script: |- + - name = "builtin/lua" + arguments: + proxyType: "connect-proxy" + listener: "inbound" + script: |- function envoy_on_request(request_handle) meta = request_handle:streamInfo():dynamicMetadata() m = meta:get("consul") @@ -116,12 +113,13 @@ end ``` - - + -For a full list of parameters for `EnvoyExtensions`, refer to the [`service-defaults`](/consul/docs/connect/config-entries/service-defaults#envoyextensions) and [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions) configuration entries reference documentation. +For a full list of parameters for `EnvoyExtensions`, refer to the [`service-defaults`](/consul/docs/reference/config-entry/service-default#envoyextensions) and [`proxy-defaults`](/consul/docs/reference/config-entry/proxy-defaults#envoyextensions) configuration entries reference documentation. -!> **Warning:** Applying `EnvoyExtensions` to `ProxyDefaults` may produce unintended consequences. We recommend enabling `EnvoyExtensions` with `ServiceDefaults` in most cases. + + Applying `EnvoyExtensions` to `ProxyDefaults` may produce unintended consequences. We recommend enabling `EnvoyExtensions` with `ServiceDefaults` in most cases. + Refer to [Configuration specification](#configuration-specification) section to find a full list of arguments for the Lua Envoy extension. @@ -129,34 +127,26 @@ Refer to [Configuration specification](#configuration-specification) section to Apply the `proxy-defaults` or `service-defaults` configuration entry. - - + ```shell-session $ consul config write lua-envoy-extension-proxy-defaults.hcl ``` - - - ```shell-session $ consul config write lua-envoy-extension-proxy-defaults.json ``` - - - ```shell-session $ kubectl apply lua-envoy-extension-proxy-defaults.yaml ``` - - + ## Examples -In the following example, the `service-defaults` configure the Lua Envoy extension to insert the HTTP Lua filter for service `myservice` and add the Consul service name to the`x-consul-service` header for all inbound requests. The `ListenerType` makes it so that the extension applies only on the inbound listener of the service's connect proxy. +The following example configuration configures the Lua Envoy extension to insert the HTTP Lua filter for all Consul services named `myservice` and add the Consul service name to the`x-consul-service` header for all inbound requests. The `ListenerType` makes it so that the extension applies only on the inbound listener of the service's connect proxy. @@ -183,7 +173,7 @@ EnvoyExtensions = [ -Alternatively, you can apply the same extension configuration to [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions) configuration entries. +Alternatively, you can apply the same extension configuration to [`proxy-defaults`](/consul/docs/reference/config-entry/proxy-defaults#envoyextensions) configuration entries. This will apply to all services instead of the one you specified in the proxy default's name. You can also specify multiple Lua filters through the Envoy extensions. They will not override each other. diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/otel-access-logging.mdx b/website/content/docs/envoy-extension/otel-access-logging.mdx similarity index 82% rename from website/content/docs/connect/proxies/envoy-extensions/usage/otel-access-logging.mdx rename to website/content/docs/envoy-extension/otel-access-logging.mdx index 34b4d844acb..23031a5d04f 100644 --- a/website/content/docs/connect/proxies/envoy-extensions/usage/otel-access-logging.mdx +++ b/website/content/docs/envoy-extension/otel-access-logging.mdx @@ -10,7 +10,7 @@ This topic describes how to use the OpenTelemetry Access Logging Envoy extension ## Workflow -Complete the following steps to use the OpenTelemetry Access Logging extension: +Complete the following steps to use the OpenTelemetry access logging extension: 1. Configure an `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry. 1. Apply the configuration entry. @@ -24,10 +24,9 @@ Add Envoy extension configurations to a proxy defaults or service defaults confi Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults. -The following example shows a service defaults configuration entry for the `api` service that directs the Envoy proxy to make gRPC OpenTelemetry Access Logging requests to the `otel-collector` service: +The following example shows a service defaults configuration entry for the `api` service that directs the Envoy proxy to make gRPC OpenTelemetry access logging requests to the `otel-collector` service: - - + ```hcl @@ -52,8 +51,6 @@ EnvoyExtensions = [ ] ``` - - ```json @@ -79,8 +76,6 @@ EnvoyExtensions = [ ``` - - ```yaml @@ -101,15 +96,17 @@ spec: name: otel-collector namespace: otel-collector ``` + - - + -Refer to the [OpenTelemetry Access Logging extension configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/otel-access-logging) for details on how to configure the extension. +Refer to the [OpenTelemetry Access Logging extension configuration reference](/consul/docs/reference/proxy/envoy-extensions/configuration/otel-access-logging) for details on how to configure the extension. -Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries. +Refer to the [proxy defaults configuration entry reference](/consul/docs/reference/config-entry/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/reference/config-entry/service-default) for details on how to define the configuration entries. -!> **Warning:** Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases. + + Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases. + ### Unsupported Envoy configuration fields @@ -123,26 +120,18 @@ The following Envoy configurations are not supported: If your network is deployed to virtual machines, use the `consul config write` command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command. The following example applies the extension in a proxy defaults configuration entry. - - + ```shell-session $ consul config write api-otel-collector-service-defaults.hcl ``` - - - ```shell-session $ consul config write api-otel-collector-service-defaults.json ``` - - - ```shell-session $ kubectl apply -f api-otel-collector-service-defaults.yaml ``` - - + diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/property-override.mdx b/website/content/docs/envoy-extension/property-override.mdx similarity index 69% rename from website/content/docs/connect/proxies/envoy-extensions/usage/property-override.mdx rename to website/content/docs/envoy-extension/property-override.mdx index 3c82d3c7c2c..6e90516401b 100644 --- a/website/content/docs/connect/proxies/envoy-extensions/usage/property-override.mdx +++ b/website/content/docs/envoy-extension/property-override.mdx @@ -6,7 +6,7 @@ description: Learn how to use the property-override extension for Envoy proxies # Configure Envoy proxy properties -This topic describes how to use the `property-override` extension to set and remove individual properties for the Envoy resources Consul generates. The extension uses the [protoreflect](https://pkg.go.dev/google.golang.org/protobuf/reflect/protoreflect), which enables Consul to dynamically manipulate messages. +This topic describes how to use the `property-override` extension to set and remove individual properties for the Envoy resources Consul generates. The extension uses [`protoreflect`](https://pkg.go.dev/google.golang.org/protobuf/reflect/protoreflect), which enables Consul to dynamically manipulate messages. The extension currently supports setting scalar and enum fields, removing individual fields addressable by `Path`, and initializing unset intermediate message fields indicated in `Path`. @@ -17,11 +17,14 @@ It currently does _not_ support the following use cases: ## Workflow -- Complete the following steps to use the `property-override` extension: -- Configure an `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry. -- Apply the configuration entry. +Complete the following steps to use the `property-override` extension: -!> **Security warning**: The property override extension is an advanced feature capable of introducing unintended consequences or reducing cluster security if used incorrectly. Consul does not enforce TLS retention, intentions, or other security-critical components of the Envoy configuration. Additionally, Consul does not verify that the configuration does not contain errors that affect service traffic. +1. Configure an `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry. +1. Apply the configuration entry. + + + The property override extension is an advanced feature capable of introducing unintended consequences or reducing cluster security if used incorrectly. Consul does not enforce TLS retention, intentions, or other security-critical components of the Envoy configuration. Additionally, Consul does not verify that the configuration does not contain errors that affect service traffic. + ## Add the `EnvoyExtensions` @@ -32,10 +35,9 @@ Add Envoy extension configurations to a proxy defaults or service defaults confi Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults. -In the following proxy defaults configuration entry example, Consul sets the `/respect_dns_ttl` field on the `api` service proxy's cluster configuration for the `other-svc` upstream service: +The following example shows a service defaults configuration entry named `api` that sets the `/respect_dns_ttl` field for the `other-svc` upstream service: - - + ```hcl @@ -66,9 +68,6 @@ EnvoyExtensions = [ ] ``` - - - ```json @@ -95,8 +94,6 @@ EnvoyExtensions = [ } ``` - - ```yaml @@ -122,21 +119,24 @@ spec: ``` - - + -Refer to the [property override configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override) for details on how to configure the extension. +Refer to the [property override configuration reference](/consul/docs/reference/proxy/envoy-extensions/configuration/property-override) for details on how to configure the extension. -Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries. +Refer to the [proxy defaults configuration entry reference](/consul/docs/reference/config-entry/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/reference/config-entry/service-default) for details on how to define the configuration entries. -!> **Warning:** Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases. + + Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases. + ### Constructing paths -To target the properties for an Envoy resource type, you must specify the path where the properties exist in the [`Path` field](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override#patches-path) of the property override extension configuration. Set the `Path` field to an empty or partially invalid string when saving the configuration entry and Consul returns an error with a list of supported fields for the first unrecognized segment of the path. By default, Consul only returns the first ten fields, but you can set the [`Debug` field](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override#debug) to `true` to direct Consul to output all possible fields. +To target the properties for an Envoy resource type, you must specify the path where the properties exist in the [`Path` field](/consul/docs/reference/proxy/envoy-extensions/configuration/property-override#patches-path) of the property override extension configuration. + +To view a list of supported fields for the `Path` field, set the `Path` field to an empty or partially invalid string. Consul will return an error with a list of supported fields for the first unrecognized segment of the path. By default, Consul only returns the first ten fields, but you can set the [`Debug` field](/consul/docs/reference/proxy/envoy-extensions/configuration/property-override#debug) to `true` to direct Consul to output all possible fields. -In the following example, Consul outputs the top-level fields available for the Envoy cluster resource: +The following examplem configure will trigger Consul to return an error with the top-level fields available for the Envoy cluster resource: ```hcl Kind = "service-defaults" @@ -176,7 +176,7 @@ type cluster_type eds_cluster_config connect_timeout -... +## ... ``` You can use the output to help you construct the appropriate value for the `Path` field. For example: @@ -186,34 +186,22 @@ $ consul config write api.hcl 2>&1 | grep round_robin round_robin_lb_config ``` - - - ## Apply the configuration entry If your network is deployed to virtual machines, use the `consul config write` command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command. The following example applies the extension in a proxy defaults configuration entry. - - + ```shell-session $ consul config write property-override-extension-service-defaults.hcl ``` - - - ```shell-session $ consul config write property-override-extension-service-defaults.json - ``` - - - ```shell-session $ kubectl apply property-override-extension-service-defaults.yaml ``` - - + diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/wasm.mdx b/website/content/docs/envoy-extension/wasm.mdx similarity index 83% rename from website/content/docs/connect/proxies/envoy-extensions/usage/wasm.mdx rename to website/content/docs/envoy-extension/wasm.mdx index 5f5b371e736..63e9c0ce2b9 100644 --- a/website/content/docs/connect/proxies/envoy-extensions/usage/wasm.mdx +++ b/website/content/docs/envoy-extension/wasm.mdx @@ -7,13 +7,13 @@ description: Learn how to use the Consul wasm extension for Envoy, which directs # Run WebAssembly plug-ins in Envoy proxy -This topic describes how to use the `wasm` extension, which directs Consul to run your WebAssembly (Wasm) plug-ins for Envoy proxies. - -## Workflow +This topic describes how to use the `wasm` extension, which directs Consul to run your WebAssembly (Wasm) plug-ins for Envoy proxies. You can create Wasm plugins for Envoy and integrate them using the `wasm` extension. Wasm is a binary instruction format for stack-based virtual machines that has the potential to run anywhere after it has been compiled. Wasm plug-ins run as filters in a service mesh application's sidecar proxy. -The following steps describe the process of integrating Wasm plugins: +## Workflow + +Complete the following steps to use the Wasm Envoy extension: - Create your Wasm plugin. You must ensure that your plugin functions as expected. Refer to the [WebAssembly website](https://webassembly.org/) for information and links to documentation. - Configure an `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry. @@ -28,10 +28,9 @@ Add Envoy extension configuration to a proxy defaults or service defaults config Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults. -In the following example, the extension uses an upstream service named `file-server` to serve a Wasm-based web application firewall (WAF). +The following example shows a service defaults configuration entry named `api` that uses an upstream service named `file-server` to serve a Wasm-based web application firewall (WAF). - - + ```hcl @@ -75,8 +74,6 @@ EOF ] ``` - - ```json @@ -118,10 +115,7 @@ EOF } ``` - - - ```yaml @@ -155,40 +149,32 @@ spec: ``` - - - + -Refer to the [Wasm extension configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/wasm) for details on how to configure the extension. +Refer to the [Wasm extension configuration reference](/consul/docs/reference/proxy/envoy-extensions/configuration/wasm) for details on how to configure the extension. -Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries. +Refer to the [proxy defaults configuration entry reference](/consul/docs/reference/config-entry/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/reference/config-entry/service-default) for details on how to define the configuration entries. -!> **Warning:** Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases. + + Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases. + ## Apply the configuration entry If your network is deployed to virtual machines, use the `consul config write` command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command. The following example applies the extension in a proxy defaults configuration entry. - - + ```shell-session $ consul config write wasm-extension-serve-waf.hcl ``` - - - ```shell-session $ consul config write wasm-extension-serve-waf.json ``` - - - ```shell-session $ kubectl apply wasm-extension-serve-waf.yaml ``` - - + diff --git a/website/content/docs/connect/gateways/api-gateway/errors.mdx b/website/content/docs/error-messages/api-gateway.mdx similarity index 72% rename from website/content/docs/connect/gateways/api-gateway/errors.mdx rename to website/content/docs/error-messages/api-gateway.mdx index 96ed7364fe6..eb1efac8d2d 100644 --- a/website/content/docs/connect/gateways/api-gateway/errors.mdx +++ b/website/content/docs/error-messages/api-gateway.mdx @@ -1,34 +1,32 @@ --- layout: docs -page_title: Consul API Gateway Error Messages -description: >- - Learn how to apply a configured Consul API Gateway to your Kubernetes cluster, review the required fields for rerouting HTTP requests, and troubleshoot an error message. +page_title: API gateway on Kubernetes error messages +description: Use error message outputs to debug and troubleshoot Consul API gateways on Kubernetes. --- -# Error Messages +# API gateway on Kubernetes error messages This topic provides information about potential error messages associated with Consul API Gateway. If you receive an error message that does not appear in this section, refer to the following resources: -- [Common Consul errors](/consul/docs/troubleshoot/common-errors#common-errors-on-kubernetes) -- [Consul troubleshooting guide](/consul/docs/troubleshoot/common-errors) +- [Consul error messages](/consul/docs/error-messages/consul) +- [Consul on Kubernetes error messages](/consul/docs/error-messages/k8s) +- [Consul-Terraform-Sync error messages](/consul/docs/error-messages/cts) - [Consul Discuss forum](https://discuss.hashicorp.com/) - +--> ## Helm installation failed: "no matches for kind" + + ```log Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: [unable to recognize "": no matches for kind "GatewayClass" in version "gateway.networking.k8s.io/v1alpha2", unable to recognize "": no matches for kind "GatewayClassConfig" in version "api-gateway.consul.hashicorp.com/v1alpha1"] ``` + + + **Conditions:** Consul API Gateway generates this error when the required CRD files have not been installed in Kubernetes prior to installing Consul API Gateway. @@ -61,10 +63,14 @@ Install the required CRDs. Refer to the [Consul API Gateway installation instruc ## Operation cannot be fulfilled, the object has been modified -``` -{"error": "Operation cannot be fulfilled on gatewayclassconfigs.consul.hashicorp.com \"consul-api-gateway\": the object has been modified; please apply your changes to the latest version and try again"} + +```log +{"error": "Operation cannot be fulfilled on gatewayclassconfigs.consul.hashicorp.com \"consul-api-gateway\": the object has been modified; please apply your changes to the latest version and try again"} ``` + + + **Conditions:** This error occurs when the gateway controller attempts to update an object that has been modified previously. It is a normal part of running the controller and will resolve itself by automatically retrying. @@ -72,4 +78,4 @@ This error occurs when the gateway controller attempts to update an object that Excessive error logs are produced, but there is no impact to the functionality of the controller. **Resolution:** -No action needs to be taken to resolve this issue. +No action needs to be taken to resolve this issue. \ No newline at end of file diff --git a/website/content/docs/error-messages/consul.mdx b/website/content/docs/error-messages/consul.mdx new file mode 100644 index 00000000000..274355aeef6 --- /dev/null +++ b/website/content/docs/error-messages/consul.mdx @@ -0,0 +1,242 @@ +--- +layout: docs +page_title: Consul error messages +description: >- + Troubleshoot issues based on the error message. Common errors result from failed actions, timeouts, multiple entries, bad and expired certificates, invalid characters, syntax parsing, malformed responses, and exceeded deadlines. +--- + +# Consul error messages + +This topic provides information about potential error messages associated with Consul. If you receive an error message that does not appear in this section, refer to the following resources: + +- [Consul on Kubernetes error messages](/consul/docs/error-messages/k8s) +- [API Gateway error messages](/consul/docs/error-messages/api-gateway) +- [Consul-Terraform-Sync error messages](/consul/docs/error-messages/cts) +- [Consul Discuss forum](https://discuss.hashicorp.com/) + +## Configuration file errors + +The following errors are related to misconfigured files. + +### Multiple network interfaces + + + +```log +Multiple private IPv4 addresses found. Please configure one with 'bind' and/or 'advertise'. +``` + + + +Your server has multiple active network interfaces. Consul needs to know which interface to use for local LAN communications. Add the [`bind`][bind] option to your configuration. + + + +If your server does not have a static IP address, you can use a [go-sockaddr template][go-sockaddr] as the argument to the `bind` option. For example: `"bind_addr": "{{GetInterfaceIP \"eth0\"}}"`. + + + +### Configuration syntax errors + +If Consul returns the following errors, there is a syntax error in your configuration file. + +```shell-session +$ consul agent -server -config-file server.json +==> Error parsing server.json: invalid character '`' looking for beginning of value + +## Other examples +==> Error parsing config.hcl: At 1:12: illegal char +==> Error parsing config.hcl: At 1:32: key 'foo' expected start of object ('{') or assignment ('=') +==> Error parsing server.json: invalid character '`' looking for beginning of value +``` + +If the error message doesn't identify the exact location in the file where the problem is, try using [jq] to find it. For example: + +```shell-session +$ jq . server.json +parse error: Invalid numeric literal at line 3, column 29 +``` + +## Invalid host name + +If Consul returns the following errors, you have specified an invalid host name. + + + +```log +Node name "consul_client.internal" will not be discoverable via DNS due to invalid characters. +``` + + + +Add the [`node name`][node_name] option to your agent configuration and provide a valid DNS name. + +## I/O timeouts + +If Consul returns the following errors, Consul is experience I/O timeouts. + + + +```log +Failed to join 10.0.0.99: dial tcp 10.0.0.99:8301: i/o timeout +``` + + + + + +```log +Failed to sync remote state: No cluster leader +``` + + + +If the Consul client and server are on the same LAN, then most likely, a firewall is blocking connections to the Consul server. + +If they are not on the same LAN, check the [`retry_join`][retry_join] settings in the Consul client configuration. The client should be configured to join a cluster inside its local network. + +## Deadline exceeded + +If Consul returns the following errors, there may be a general performance problem on the Consul server. + + + +```log +Error getting server health from "XXX": context deadline exceeded +``` + + + +Make sure you are monitoring Consul telemetry and system metrics according to our [monitoring guide][monitoring]. Increase the CPU or memory allocation to the server if needed. Check the performance of the network between Consul nodes. + +## Too many open files + +If Consul returns the following errors on a busy cluster, the operating system may not provide enough file descriptors to the Consul process. + + + +```log +Error accepting TCP connection: accept tcp [::]:8301: too many open files in system +``` + + + + + +```log +Get http://localhost:8500/: dial tcp 127.0.0.1:31643: socket: too many open files +``` + + + +You need to increase the limit for the Consul user and maybe the system-wide limit. Refer to [this guide][files] for instructions to do so on Linux. Alternatively, if you are starting Consul from `systemd`, you could add `LimitNOFILE=65536` to the unit file for Consul. Refer to the [sample systemd file][systemd]. + +## Snapshot close error + +Our RPC protocol requires support for a TCP half-close in order to signal the other side that they are done reading the stream, since we don't know the size in advance. This saves us from having to buffer just to calculate the size. + +If a host does not properly implement half-close, you may see an error message `[ERR] consul: Failed to close snapshot: write tcp ->: write: broken pipe` when saving snapshots. This should not affect saving and restoring snapshots. + +This has been a [known issue](https://github.com/docker/libnetwork/issues/1204) in Docker, but may manifest in other environments as well. + +## ACL not found + +If Consul returns the following error, this indicates that you have ACL enabled in your cluster but you aren't passing a valid token. + + + +```log +RPC error making call: rpc error making call: ACL not found +``` + + + +Make sure that when creating your tokens that they have the correct permissions set. In addition, you would want to make sure that an agent token is provided on each call. + +## TLS and certificates + +The follow errors are related to TLS and certificate issues. + +### Incorrect certificate or certificate name + +If Consul returns the following error, if you have provided Consul with invalid certificates. + + + +```log +Remote error: tls: bad certificate +``` + + + + + +```log +X509: certificate signed by unknown authority +``` + + + +Make sure that your Consul clients and servers are using the correct certificates, and that they've been signed by the same CA. Refer to the [Enable TLS encryption with built-in certificate authority][certificates] for step-by-step instructions. + +If you generate your own certificates, make sure the server certificates include the special name `server.dc1.consul` in the Subject Alternative Name (SAN) field. (If you change the values of `datacenter` or `domain` in your configuration, update the SAN accordingly.) + +### HTTP instead of HTTPS + +If Consul returns the following error, you are attempting to connect to a Consul agent with HTTP on a port that has been configured for HTTPS. + + + +```log +Error querying agent: malformed HTTP response +``` + + + + +```log +Net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02" +``` + + + +If you are using the Consul CLI, make sure you are specifying `https` in the `-http-addr` flag or the `CONSUL_HTTP_ADDR` environment variable. + +If you are interacting with the API, change the URI scheme to `https`. + +## License warnings + +If Consul returns the following error, you have installed Consul Enterprise and your license is about to expire. + + + +```log +License: expiration time: YYYY-MM-DD HH:MM:SS -0500 EST, time left: 29m0s +``` + + + +If you are an Enterprise customer, [provide a license key][license] to Consul before it shuts down. Otherwise, install the Consul Community edition binary instead. + +Enterprise binaries are followed by a `+ent` suffix on the [download site][releases]. + +## Rate limit reached on the server + +You may receive a `RESOURCE_EXHAUSTED` error from the Consul server if the maximum number of read or write requests per second have been reached. Refer to [Set a global limit on traffic rates](/consul/docs/manage-consul/agent-rate-limit/set-global) for additional information. You can retry another server unless the number of retries is exhausted. If the number of retries is exhausted, you should implement an exponential backoff. + +The `RESOURCE_EXHAUSTED` RPC response is translated into a `429 Too Many Requests` error code on the HTTP interface. + +The server may respond as `UNAVAILABLE` if it is the leader node and the global write request rate limit is reached. The solution is to apply an exponential backoff until the leader has capacity to serve those requests. + +The `UNAVAILABLE` RPC response is translated into a `503 Service Unavailable` error code on the RPC requests sent through HTTP interface. + +[node_name]: /consul/docs/agent/config/config-files#node_name +[retry_join]: /consul/docsreference-cli/agent#retry-join +[license]: /consul/commands/license +[releases]: https://releases.hashicorp.com/consul/ +[files]: https://easyengine.io/tutorials/linux/increase-open-files-limit +[certificates]: /consul/docs/secure-consul/encryption/tls/builtin +[systemd]: /consul/tutorials/production-deploy/deployment-guide#configure-systemd +[monitoring]: /consul/tutorials/day-2-operations/monitor-datacenter-health +[bind]: /consul/docsreference-cli/agent#_bind +[jq]: https://stedolan.github.io/jq/ diff --git a/website/content/docs/error-messages/cts.mdx b/website/content/docs/error-messages/cts.mdx new file mode 100644 index 00000000000..dec1c8807c0 --- /dev/null +++ b/website/content/docs/error-messages/cts.mdx @@ -0,0 +1,157 @@ +--- +layout: docs +page_title: Consul-Terraform-Sync error messages +description: >- + Look up Consul-Terraform-Sync error message to learn how to resolve potential issues using CTS. +--- + +# Consul-Terraform-Sync error messages + +This topic provides information about potential error messages associated with Consul-Terraform-Sync (CTS). If you receive an error message that does not appear in this section, refer to the following resources: + +- [Consul error messages](/consul/docs/error-messages/consul) +- [Consul on Kubernetes error messages](/consul/docs/error-messages/k8s) +- [API Gateway error messages](/consul/docs/error-messages/api-gateway) +- [Consul Discuss forum](https://discuss.hashicorp.com/) + +## Missing local module + +If you configured the CTS cluster to run in [high availability mode](/consul/docs/nia/usage/run-ha) and the local module is missing, then the following message appears in the log: + +```log hideClipboard +[ERROR] ha.compat: error="compatibility check failure: stat ./example-module: no such file or directory" +``` + +The resolution is to add the missing local module on the incompatible CTS instance. Refer to the [`module` documentation](/consul/docs/reference/cts/configuration#module) in the CTS configuration reference for additional information. + +## Redirect requests to leader __ at address + +```json hideClipboard +{ + "error": { + "message": "redirect requests to leader 'cts-01' at cts-01.example.com:8558" + } +} +``` + +**Conditions**: + +- CTS can determine the leader. +- `high_availability.instance.address` is configured for the leader. +- The CTS instance you sent the request to is not the leader. + +**Resolution**: + +Redirect the request to the leader instance, for example: + +```shell-session +$ curl --request GET cts-01.example.com:8558/v1/tasks +``` + + +## Redirect requests to leader __ + +```json +{ + "error": { + "message": "redirect requests to leader 'cts-01'" + } +} +``` + +**Conditions**: + +- CTS can determine the leader. +- The CTS instance you sent the request to is not the leader. +- `high_availability.instance.address` is not configured. + +**Resolution**: + +Identify the leader instance address and redirect the request to the leader. You can identify the leader by calling the [`status/cluster` API endpoint](/consul/docs/reference/cts/api/status#cluster-status) or by checking the logs for the following entry: + + + +```log +[INFO] ha: acquired leadership lock: id=. +``` + + + +We recommend deploying a cluster that has three instances. + +## Redirect requests to leader + + + +```json +{ + "error": { + "message": "redirect requests to leader" + } +} +``` + + + +**Conditions**: + +- The CTS instance you sent the request to is not the leader. +- The CTS is unable to determine the leader. +- Note that these conditions are rare. + +**Resolution**: + +Identify and send the request to the leader CTS instance. You can identify the leader by calling the [`status/cluster` API endpoint](/consul/docs/reference/cts/api/status#cluster-status) or by checking the logs for the following entry: + + + +```log +[INFO] ha: acquired leadership lock: id= +``` + + + +## This endpoint is only available with high availability configured + + + +```json +{ + "error": { + "message": "this endpoint is only available with high availability configured" + } +} +``` + + + +**Conditions**: + +- You called the [`status/cluster` API endpoint](/consul/docs/reference/cts/api/status#cluster-status) without configuring CTS for [high availability](/consul/docs/nia/usage/run-ha). + +**Resolution**: + +Configure CTS to run in [high availability mode](/consul/docs/nia/usage/run-ha). + +## Unsupported status parameter value + + + +```json +{ + "error": { + "message": "example error message: unsupported status parameter value" + } +} +``` + + + +**Conditions**: + +- You sent a request to the `status` API endpoint. +- The request included an unsupported parameter value. + +**Resolution**: + +Send a new request and verify that all of the parameter values are correct. \ No newline at end of file diff --git a/website/content/docs/error-messages/k8s.mdx b/website/content/docs/error-messages/k8s.mdx new file mode 100644 index 00000000000..cbe34ff14d5 --- /dev/null +++ b/website/content/docs/error-messages/k8s.mdx @@ -0,0 +1,114 @@ +--- +layout: docs +page_title: Consul on Kubernetes error messages +description: >- + Troubleshoot issues based on the error message. Common errors result from failed actions, timeouts, multiple entries, bad and expired certificates, invalid characters, syntax parsing, malformed responses, and exceeded deadlines. +--- + +# Consul on Kubernetes error messages + +This topic provides information about potential error messages associated with Consul on Kubernetes. If you receive an error message that does not appear in this section, refer to the following resources: + +- [Consul error messages](/consul/docs/error-messages/consul) +- [API Gateway error messages](/consul/docs/error-messages/api-gateway) +- [Consul-Terraform-Sync error messages](/consul/docs/error-messages/cts) +- [Consul Discuss forum](https://discuss.hashicorp.com/) + +## Unable to connect to the Consul client on the same host + +If the pods are unable to connect to a Consul client running on the same host, first check if the Consul clients are up and running with `kubectl get pods`. + +```shell-session +$ kubectl get pods --selector="component=client" +NAME READY STATUS RESTARTS AGE +consul-kzws6 1/1 Running 0 58s +``` + +If you are still unable to connect and see `i/o timeout` or `connection refused` errors when connecting to the Consul client on the Kubernetes worker, this could be because the container networking interface (CNI) does not [support](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#support-hostport) the use of `hostPort`. + +The IP `10.0.0.10` in the following example error messages refers to the IP of the host where the Consul client pods are running. + + + +```log +Put http://10.0.0.10:8500/v1/catalog/register: dial tcp 10.0.0.10:8500: connect: connection refused +Put http://10.0.0.10:8500/v1/agent/service/register: dial tcp 10.0.0.10:8500: connect: connection refused +Get http://10.0.0.10:8500/v1/status/leader: dial tcp 10.0.0.10:8500: i/o timeout +``` + + + +To work around this issue, enable [`hostNetwork`](/consul/docs/reference/k8s/helm#v-client-hostnetwork) in your Helm values. Using the host network will enable the pod to use the host's network namespace without the need for CNI to support port mappings between containers and the host. + +```yaml +client: + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +``` + + + +Using host network has security implications because it gives the Consul client unnecessary access to all network traffic on the host. We recommend raising an issue with the CNI you're using to add support for `hostPort` and switching back to `hostPort` eventually. + + + +## ACL auth method login failed + +If you see the following error in the init container logs of service mesh pods, check that the pod has a service account name that matches its Kubernetes Service. + + + +```log +consul-server-connection-manager: ACL auth method login failed: error="rpc error: code = PermissionDenied desc = Permission denied" +``` + + + +For example, this deployment will fail because the `serviceAccountName` is `does-not-match` instead of `static-server`. + + + +```yaml +apiVersion: v1 +kind: Service +metadata: + # This name will be the service name in Consul. + name: static-server +spec: + selector: + app: static-server + ports: + - protocol: TCP + port: 80 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: static-server +spec: + replicas: 1 + selector: + matchLabels: + app: static-server + template: + metadata: + name: static-server + labels: + app: static-server + annotations: + 'consul.hashicorp.com/connect-inject': 'true' + spec: + containers: + - name: static-server + image: hashicorp/http-echo:latest + args: + - -text="hello world" + - -listen=:8080 + ports: + - containerPort: 8080 + name: http + serviceAccountName: does-not-match +``` + + \ No newline at end of file diff --git a/website/content/docs/glossary.mdx b/website/content/docs/glossary.mdx new file mode 100644 index 00000000000..473534511da --- /dev/null +++ b/website/content/docs/glossary.mdx @@ -0,0 +1,90 @@ +--- +layout: docs +page_title: Glossary +description: >- + The glossary is a list of technical terms with a specific meaning in Consul. Use the glossary to understand Consul concepts and study for the certification exam. +--- + +# Glossary + +This page defines terms used in Consul and provides links to its supporting documentation. + +## Access logs + +@include 'text/descriptions/access-log.mdx' + +## Admin partitions + +@include 'text/descriptions/admin-partition.mdx' + +## Application load balancing + +@include 'text/descriptions/load-balancer.mdx' + +## Certificate authority + +@include 'text/descriptions/certificate-authority.mdx' + +## Cluster peering + +@include 'text/descriptions/cluster-peering.mdx' + +## Consul template + +@include 'text/descriptions/consul-template.mdx' + +## Distributed tracing + +@include 'text/descriptions/distributed-tracing.mdx' + +## Key/value store + +@include 'text/descriptions/kv/store.mdx' + +## Mesh gateways + +@include 'text/descriptions/mesh-gateway.mdx' + +## Namespaces + +@include 'text/descriptions/namespace.mdx' + +## Network areas + +@include 'text/descriptions/network-area.mdx' + +## Network segments + +@include 'text/descriptions/network-segment.mdx' + +## Prepared queries + +@include 'text/descriptions/prepared-query.mdx' + +## Sameness groups + +@include 'text/descriptions/sameness-group.mdx' + +## Service intentions + +@include 'text/descriptions/service-intention.mdx' + +## Service mesh telemetry metrics + +@include 'text/descriptions/telemetry.mdx' + +## Sessions + +@include 'text/descriptions/kv/session.mdx' + +## Static lookups + +@include 'text/descriptions/static-query.mdx' + +## WAN federation + +@include 'text/descriptions/wan-federation.mdx' + +## Watches + +@include 'text/descriptions/kv/watch.mdx' diff --git a/website/content/docs/guides/index.mdx b/website/content/docs/guides/index.mdx deleted file mode 100644 index 24f96d794a0..00000000000 --- a/website/content/docs/guides/index.mdx +++ /dev/null @@ -1,38 +0,0 @@ ---- -layout: docs -page_title: Guides -description: |- - This section provides various guides for common actions. Due to the nature of - Consul, some of these procedures can be complex, so our goal is to provide - guidance to do them safely. ---- - -# Consul Guides - -~> The Consul guides are now Consul [tutorials](/consul/tutorials). - -[Guides](/consul/tutorials) are step by step command-line -walkthroughs that demonstrate how to perform common operations using Consul, and -complement the feature-focused Consul documentation. - -Guide content begins with getting-started tracks to help new users learn the -basics of Consul, and continues through production-playbook tracks that cover -topics like Day 1 and Day 2 operations, production considerations, and -recommendations for securing your Consul cluster. - -You can work through the guides sequentially using the tracks, or just refer to -the material that is most relevant to you. - -Tracks include: - -- Getting Started -- Getting Started with Kubernetes -- Setup a Secure Development Environment -- Day 1: Deploying Your First Datacenter -- Day 1: Security and Network Operations -- Day 1: Kubernetes Production Deployment -- Maintenance and Monitoring Operations -- Service Discovery and Consul DNS -- Service Segmentation and Consul Service Mesh -- Service Configuration and Consul KV -- Cloud and Load Balancer Integrations diff --git a/website/content/docs/index.mdx b/website/content/docs/index.mdx index 8477ac18ab5..6f021e0c17b 100644 --- a/website/content/docs/index.mdx +++ b/website/content/docs/index.mdx @@ -5,11 +5,6 @@ description: >- Consul documentation provides reference material for all features and options available in Consul. --- -# Consul Documentation +# Consul documentation -The Consul documentation provides reference material for all features and options available in Consul. -Click the following links to access documentation and tutorials for common tasks: - -- [Install Consul](/consul/docs/install) -- [Configuration options](/consul/docs/agent/config) -- [Step-by-step tutorials](/consul/tutorials) +This is the top-level Consul Docs page. It does not appear on developer.hashicorp.com, and was left in place intentionally. \ No newline at end of file diff --git a/website/content/docs/install/bootstrapping.mdx b/website/content/docs/install/bootstrapping.mdx deleted file mode 100644 index a9918402045..00000000000 --- a/website/content/docs/install/bootstrapping.mdx +++ /dev/null @@ -1,102 +0,0 @@ ---- -layout: docs -page_title: Bootstrap a Datacenter -description: >- - Bootstrapping a datacenter is the initial deployment process in Consul that starts server agents and joins them together. Learn how to automatically or manually join servers in a cluster. ---- - -# Bootstrap a Datacenter - -An agent can run in either client or server mode. Server nodes are responsible for running the -[consensus protocol](/consul/docs/architecture/consensus) and storing the cluster state. -The client nodes are mostly stateless and rely heavily on the server nodes. - -Before a Consul cluster can begin to service requests, -a server node must be elected leader. Bootstrapping is the process -of joining these initial server nodes into a cluster. Read the -[architecture documentation](/consul/docs/architecture) to learn more about -the internals of Consul. - -It is recommended to have three or five total servers per datacenter. A single server deployment is _highly_ discouraged -as data loss is inevitable in a failure scenario. Please refer to the -[deployment table](/consul/docs/architecture/consensus#deployment-table) for more detail. - -~> **Note**: In versions of Consul prior to 0.4, bootstrapping was a manual process. For details on using the `-bootstrap` flag directly, see the -[manual bootstrapping documentation](/consul/docs/install/bootstrapping#manually-join-the-servers). -Manual bootstrapping with `-bootstrap` is not recommended in -newer versions of Consul (0.5 and newer) as it is more error-prone. -Instead you should use automatic bootstrapping -with [`-bootstrap-expect`](/consul/docs/agent/config/cli-flags#_bootstrap_expect). - -## Bootstrapping the Servers - -The recommended way to bootstrap the servers is to use the [`-bootstrap-expect`](/consul/docs/agent/config/cli-flags#_bootstrap_expect) -configuration option. This option informs Consul of the expected number of -server nodes and automatically bootstraps when that many servers are available. To prevent -inconsistencies and split-brain (clusters where multiple servers consider -themselves leader) situations, you should either specify the same value for -[`-bootstrap-expect`](/consul/docs/agent/config/cli-flags#_bootstrap_expect) -or specify no value at all on all the servers. Only servers that specify a value will attempt to bootstrap the cluster. - -Suppose we are starting a three server cluster. We can start `Node A`, `Node B`, and `Node C` with each -providing the `-bootstrap-expect 3` flag. Once the nodes are started, you should see a warning message in the service output. - -```log -[WARN] raft: EnableSingleNode disabled, and no known peers. Aborting election. -``` - -The warning indicates that the nodes are expecting 2 peers but none are known yet. Below you will learn how to connect the servers so that one can be -elected leader. - -## Creating the Cluster - -You can trigger leader election by joining the servers together, to create a cluster. You can either configure the nodes to join automatically or manually. - -### Automatically Join the Servers - -There are two options for joining the servers. Choose the method which best suits your environment and specific use case. - -- Specify a list of servers with [-retry-join](/consul/docs/agent/config/cli-flags#_retry_join) option. -- Use automatic joining by tag for supported cloud environments with the [-retry-join](/consul/docs/agent/config/cli-flags#_retry_join) option. - -All three methods can be set in the agent configuration file or -the command line flag. - -### Manually Join the Servers - -To manually create a cluster, you should connect to one of the servers -and run the `consul join` command. - -```shell-session -$ consul join -Successfully joined cluster by contacting 3 nodes. -``` - -Since a join operation is symmetric, it does not matter which node initiates it. Once the join is successful, one of the nodes will output something like: - -```log -[INFO] consul: adding server foo (Addr: 127.0.0.2:8300) (DC: dc1) -[INFO] consul: adding server bar (Addr: 127.0.0.1:8300) (DC: dc1) -[INFO] consul: Attempting bootstrap with nodes: [127.0.0.3:8300 127.0.0.2:8300 127.0.0.1:8300] - ... -[INFO] consul: cluster leadership acquired -``` - -### Verifying the Cluster and Connect the Clients - -As a sanity check, the [`consul info`](/consul/commands/info) command -is a useful tool. It can be used to verify the `raft.num_peers` -and to view the latest log index under `raft.last_log_index`. When -running [`consul info`](/consul/commands/info) on the followers, you -should see `raft.last_log_index` converge to the same value once the -leader begins replication. That value represents the last log entry that -has been stored on disk. - -Now that the servers are all started and replicating to each other, you can -join the clients with the same join method you used for the servers. -Clients are much easier as they can join against any existing node. All nodes participate in a gossip -protocol to perform basic discovery, so once joined to any member of the -cluster, new clients will automatically find the servers and register -themselves. - --> **Note:** It is not strictly necessary to start the server nodes before the clients; however, most operations will fail until the servers are available. diff --git a/website/content/docs/install/glossary.mdx b/website/content/docs/install/glossary.mdx deleted file mode 100644 index c8bee74d6d7..00000000000 --- a/website/content/docs/install/glossary.mdx +++ /dev/null @@ -1,377 +0,0 @@ ---- -layout: docs -page_title: Glossary -description: >- - The glossary is a list of technical terms with a specific meaning in Consul. Use the glossary to understand Consul concepts and study for the certification exam. ---- - -# Consul Vocabulary - -This section collects brief definitions of some of the technical terms used in the documentation for Consul and Consul Enterprise, as well as some terms that come up frequently in conversations throughout the Consul community. - -## Agent - -An agent is the long running daemon on every member of the Consul cluster. -It is started by running `consul agent`. The agent is able to run in either _client_ -or _server_ mode. Since all nodes must be running an agent, it is simpler to refer to -the node as being either a client or server, but there are other instances of the agent. All -agents can run the DNS or HTTP interfaces, and are responsible for running checks and -keeping services in sync. - -## Client - -A client is an agent that forwards all RPCs to a server. The client is relatively -stateless. The only background activity a client performs is taking part in the LAN gossip -pool. This has a minimal resource overhead and consumes only a small amount of network -bandwidth. - -## Server - -A server is an agent with an expanded set of responsibilities including -participating in the Raft quorum, maintaining cluster state, responding to RPC queries, -exchanging WAN gossip with other datacenters, and forwarding queries to leaders or -remote datacenters. - -## Datacenter - -We define a datacenter to be a networking environment that is -private, low latency, and high bandwidth. This excludes communication that would traverse -the public internet, but for our purposes multiple availability zones within a single EC2 -region would be considered part of a single datacenter. - -## Consensus - -When used in our documentation we use consensus to mean agreement upon -the elected leader as well as agreement on the ordering of transactions. Since these -transactions are applied to a -[finite-state machine](https://en.wikipedia.org/wiki/Finite-state_machine), our definition -of consensus implies the consistency of a replicated state machine. Consensus is described -in more detail on [Wikipedia](), -and our implementation is described [here](/consul/docs/architecture/consensus). - -## Gossip - -Consul is built on top of [Serf](https://github.com/hashicorp/serf/) which provides a full -[gossip protocol](https://en.wikipedia.org/wiki/Gossip_protocol) that is used for multiple purposes. -Serf provides membership, failure detection, and event broadcast. Our use of these -is described more in the [gossip documentation](/consul/docs/architecture/gossip). It is enough to know -that gossip involves random node-to-node communication, primarily over UDP. - -## LAN Gossip - -Refers to the LAN gossip pool which contains nodes that are all -located on the same local area network or datacenter. - -## WAN Gossip - -Refers to the WAN gossip pool which contains only servers. These -servers are primarily located in different datacenters and typically communicate -over the internet or wide area network. - -## RPC - -Remote Procedure Call. This is a request / response mechanism allowing a -client to make a request of a server. - -# Consul Glossary -This section collects brief definitions of some of the terms used in the discussions around networking in a cloud-native world. - - -## Access Control List (ACL) -An Access Control List (ACL) is a list of user permissions for a file, folder, or -other object. It defines what users and groups can access the object and what -operations they can perform. - -Consul uses Access Control Lists (ACLs) to secure the UI, API, CLI, service -communications, and agent communications. -Visit [Consul ACL Documentation and Guides](/consul/docs/security/acl) - -## API Gateway -An Application Programming Interface (API) is a common software interface that -allows two applications to communicate. Most modern applications are built using -APIs. An API Gateway is a single point of entry into these modern applications -built using APIs. - -## Application Security -Application Security is the process of making applications secure by detecting -and fixing any threats or information leaks. This can be done during or after -the app development lifecycle; although, it is easier for app teams and security -teams to incorporate security into an app even before the development process -begins. - -## Application Services -Application Services are a group of services, such as application performance -monitoring, load balancing, service discovery, service proxy, security, -autoscaling, etc. needed to deploy, run, and improve applications. - -## Authentication and Authorization (AuthN and AuthZ) -Authentication (AuthN) deals with establishing user identity while Authorization -(AuthZ) allows or denies access to the user based on user identity. - -## Auto Scaling Groups -An Auto Scaling Group is an AWS specific term that represents a collection of -Amazon EC2 instances that are treated as a logical grouping for the purposes of -automatic scaling and management. -Learn more about Auto Scaling Groups -[here](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html). - -## Autoscaling -Autoscaling is the process of automatically scaling computational resources based -on network traffic requirements. Autoscaling can be done either horizontally or -vertically. Horizontal scaling is done by adding more machines into the pool of -resources whereas vertical scaling means increasing the capacity of an existing -machine. - -## Blue-Green Deployments -Blue-Green Deployment is a deployment method designed to reduce downtime by -running two identical production environments labeled Blue and Green. Blue is -the active while Green is the idle environment. - -## Canary Deployments -Canary deployment is the pattern used for rolling out releases to a subset of -users or servers. The goal is deploy the updates to a subset of users, test it, -and then roll out the changes to everyone. - -## Client-side Load Balancing -Client-side load balancing is a load balancing approach that relies on clients' -decision to call the right servers. As the name indicates, this approach is part -of the client application. Servers can still have their own load balancer -alongside the client-side load balancer. - -## Cloud Native Computing Foundation -The [Cloud Native Computing Foundation (CNCF)](https://github.com/cncf/foundation) -is a Linux Foundation project that was founded in 2015 to help advance -container technology and align the tech industry around its evolution. - -HashiCorp joined Cloud Native Computing Foundation to further HashiCorp -product integrations with CNCF projects and to work more closely with the -broader cloud-native community of cloud engineers. Read more -[here](https://www.hashicorp.com/blog/hashicorp-joins-the-cncf/). - -## Custom Resource Definition (CRD) -Custom resources are the extensions of the Kubernetes API. A Custom Resource -Definition (CRD) file allows users to define their own custom resources and -allows the API server to handle the lifecycle. - -## Egress Traffic -Egress traffic is network traffic that begins inside a network and proceeds -through its routers to a destination outside the network. - -## Elastic Provisioning -Elastic Provisioning is the ability to provision computing resources -dynamically to meet user demand. - -## Envoy Proxy -[Envoy Proxy](https://www.envoyproxy.io/) is a modern, high performance, -small footprint edge and service proxy. Originally written and deployed at -[Lyft](https://eng.lyft.com/announcing-envoy-c-l7-proxy-and-communication-bus-92520b6c8191), - Envoy Proxy is now an official project at [Cloud Native Computing Foundation - (CNCF)](https://www.cncf.io/cncf-envoy-project-journey/) - -## Forward Proxy -A forward proxy is used to forward outgoing requests from inside the network -to the Internet, usually through a firewall. The objective is to provide a level -of security and to reduce network traffic. - -## Hybrid Cloud Architecture -A hybrid cloud architecture is an IT architectural approach that mixes -on-premises, private cloud, and public cloud services. A hybrid cloud -environment incorporates workload portability, orchestration, and management -across the environments. - -A private cloud, traditionally on-premises, is referred to an infrastructure -environment managed by the user themselves. - -A public cloud, traditionally off-premises, is referred to an infrastructure -service provided by a third party. - -## Identity-based authorization -Identity-based authorization is a security approach to restrict or allow access -based on the authenticated identity of an individual. - -## Infrastructure as a Service -Infrastructure as a Service, often referred to as IaaS, is a cloud computing -approach where the computing resources are delivered online via APIs. These -APIs communicate with underlying infrastructure like physical computing resources, - location, data partitioning, scaling, security, backup, etc. - -IaaS is one of the four types of cloud services along with SaaS -(Software as a Service), PaaS (Platform as a Service), and Serverless. - -## Infrastructure as Code -Infrastructure as Code (IaC) is the process of developers and operations teams' -ability of provisioning and managing computing resources automatically through -software, instead of using configuration tools. - -## Ingress Controller -In Kubernetes, "ingress" is an object that allows access Kubernetes services -from outside the Kubernetes cluster. An ingress controller is responsible for -ingress, generally with a load balancer or an edge router that can help with -traffic management. - -## Ingress Gateway -An Ingress Gateway is an edge of the mesh load balancer that provides secure and -reliable access from external networks to Kubernetes clusters. - -## Ingress Traffic -Ingress Traffic is the network traffic that originates outside the network and -has a destination inside the network. - -## Key-Value Store -A Key-Value Store (or a KV Store) also referred to as a Key-Value Database is -a data model where each key is associated with one and only one value in -a collection. - -## L4 - L7 Services -L4-L7 Services are a set of functions such as load balancing, web application -firewalls, service discovery, and monitoring for network layers within the -Open Systems Interconnection (OSI) model. - -## Layer 7 Observability -Layer 7 Observability is a feature of Consul Service Mesh that enables a -unified workflow for metric collection, distributed tracking, and logging. -It also allows centralized configuration and management for a distributed -data plane. - -## Load Balancer -A load balancer is a network appliance that acts as a [reverse proxy](#reverse-proxy) -and distributes network and application traffic across the servers. - -## Load Balancing -Load Balancing is the process of distributing network and application traffic -across multiple servers. - -## Load Balancing Algorithms -Load balancers follow an algorithm to determine how to route the traffic across -the server farm. Some of the commonly used algorithms are: -1. Round Robin -2. Least Connections -3. Weighted Connections -4. Source IP Hash -5. Least Response Time Method -6. Least Bandwidth Method - -## Multi-cloud -A multi-cloud environment generally uses two or more cloud computing services -from different vendors in a single architecture. This refers to the distribution -of compute resources, storage, and networking aspects across cloud environments. -A multi-cloud environment could be either all private cloud or all public cloud -or a combination of both. - -## Multi-cloud Networking -Multi-cloud Networking provides network configuration and management across -multiple cloud providers via APIs. - -## Mutual Transport Layer Security (mTLS) -Mutual Transport Layer Security, also known as mTLS, is an authentication -mechanism that ensures network traffic security in both directions between -a client and server. - -## Network Middleware Automation -The process of publishing service changes to network middleware such as -load balancers and firewalls and automating network tasks is called Network -Middleware Automation. - -## Network security -Network security is the process of protecting data and network. It consists -of a set of policies and practices that are designed to prevent and monitor -unauthorized access, misuse, modification, or denial of a computer network -and network-accessible resources. - -## Network traffic management -Network Traffic Management is the process of ensuring optimal network operation -by using a set of network monitoring tools. Network traffic management also -focuses on traffic management techniques such as bandwidth monitoring, deep -packet inspection, and application based routing. - -## Network Visualization -Network Visualization is the process of visually displaying networks and -connected entities in a "boxes and lines" kind of a diagram. - -In the context of microservices architecture, visualization can provide a clear -picture of how services are connected to each other, the service-to-service -communication, and resource utilization of each service. - -## Observability -Observability is the process of logging, monitoring, and alerting on the -events of a deployment or an instance. - -## Elastic Scaling -Elastic Scaling is the ability to automatically add or remove compute or -networking resources based on the changes in application traffic patterns. - -## Platform as a Service -Platform-as-a-Service (PaaS) is a category of cloud computing that allows -users to develop, run, and manage applications without the complexity of -building and maintaining the infrastructure typically associated with -developing and launching the application. - -## Reverse Proxy -A reverse proxy handles requests coming from outside, to the internal -network. Reverse Proxy provides a level of security that prevents the -external clients from having direct access to data on the corporate servers. -The reverse proxy is usually placed between the web server and the external -traffic. - -## Role-based Access Controls -The act of restricting or provisioning access -to a user based on their specific role in the organization. - -## Server side load balancing -A Server-side Load Balancer sits between the client and the server farm, -accepts incoming traffic, and distributes the traffic across multiple backend -servers using various load balancing methods. - -## Service configuration -A service configuration includes the name, description, and the specific -function of a service. In a microservices application architecture setting, -a service configuration file includes a service definition. - -## Service Catalog -A service catalog is an organized and curated collection of services that -are available for developers to bind to their applications. - -## Service Discovery -Service Discovery is the process of detecting services and devices on a -network. In a microservices context, service discovery is how applications -and microservices locate each other on a network. - -## Service Mesh -Service Mesh is the infrastructure layer that facilitates service-to-service -communication between microservices, often using a sidecar proxy. This -network of microservices make up microservice applications and the -interactions between them. - -## Service Networking -Service networking brings several entities together to deliver a particular -service. Service Networking acts as the brain of an organization's -networking and monitoring operations. - -## Service Proxy -A service proxy is the client-side proxy for a microservice application. -It allows applications to send and receive messages over a proxy server. - -## Service Registration -Service registration is the process of letting clients (of the service) -and routers know about the available instances of the service. -Service instances are registered with a service registry on startup and deregistered at shutdown. - -## Service Registry -Service Registry is a database of service instances and information on -how to send requests to these service instances. - -## Microservice Segmentation -Microservice segmentation, sometimes visual, of microservices is the -segmentation in a microservices application architecture that enables -administrators to view their functions and interactions. - -## Service-to-service communication -Service-to-service communication, sometimes referred to as -inter-service communication, is the ability of a microservice -application instance to communicate with another to collaborate and -handle client requests. - -## Software as a Service -Software as a Service is a licensing and delivery approach to software -delivery where the software is hosted by a provider and licensed -to users on a subscription basis. diff --git a/website/content/docs/install/index.mdx b/website/content/docs/install/index.mdx deleted file mode 100644 index a1ac4ea8b4d..00000000000 --- a/website/content/docs/install/index.mdx +++ /dev/null @@ -1,105 +0,0 @@ ---- -layout: docs -page_title: Install Consul -description: >- - Install Consul to get started with service discovery and service mesh. Follow the installation instructions to download the precompiled binary, or use Go to compile from source. ---- - -# Install Consul - -Installing Consul is simple. There are three approaches to installing Consul: - -1. Using a [precompiled binary](#precompiled-binaries) - -1. Installing [from source](#compiling-from-source) - -1. Installing [on Kubernetes](/consul/docs/k8s/installation/install) - -Downloading a precompiled binary is easiest, and we provide downloads over TLS -along with SHA256 sums to verify the binary. We also distribute a PGP signature -with the SHA256 sums that can be verified. - -The [Get Started on VMs tutorials](/consul/tutorials/get-started-vms?utm_source=docs) provide a quick walkthrough of installing and using Consul on a VM. - -## Precompiled Binaries - -To install the precompiled binary, [download](/consul/downloads) the appropriate -package for your system. Consul is currently packaged as a zip file. We do not -have any near term plans to provide system packages. - -Once the zip is downloaded, unzip it into any directory. The `consul` binary -inside is all that is necessary to run Consul (or `consul.exe` for Windows). -No additional files are required to run Consul. - -Copy the binary to anywhere on your system. If you intend to access it from the -command-line, make sure to place it somewhere on your `PATH`. - -## Compiling from Source - -To compile from source, you will need [Go](https://golang.org) installed and -a copy of [`git`](https://www.git-scm.com/) in your `PATH`. - -1. Clone the Consul repository from GitHub: - - ```shell - $ git clone https://github.com/hashicorp/consul.git - $ cd consul - ``` - -1. Build Consul for your target system. The binary will be placed in `./bin` - (relative to the git checkout). - - - - - - - ```shell-session - $ make dev - ``` - - - - - Specify your target system by setting the following environment variables - before building: - - - `GOOS`: Target operating system. Valid values include: - `linux`, `darwin`, `windows`, `solaris`, `freebsd`. - - `GOARCH`: Target architecture. Valid values include: - `386`, `amd64`, `arm`, `arm64` - - ```shell-session - $ export GOOS=linux GOARCH=amd64 - $ make dev - ``` - - - - -## Verifying the Installation - -To verify Consul is properly installed, run `consul version` on your system. You -should see help output. If you are executing it from the command line, make sure -it is on your PATH or you may get an error about Consul not being found. - -```shell-session -$ consul version -``` - -## Browser Compatibility Considerations - -Consul currently supports all 'evergreen' browsers, as they are generally on -up-to-date versions. For more information on supported browsers, please see our -[FAQ](/consul/docs/troubleshoot/faq) diff --git a/website/content/docs/install/manual-bootstrap.mdx b/website/content/docs/install/manual-bootstrap.mdx deleted file mode 100644 index 99cfbf71958..00000000000 --- a/website/content/docs/install/manual-bootstrap.mdx +++ /dev/null @@ -1,100 +0,0 @@ ---- -layout: docs -page_title: Manually Bootstrap a Datacenter -description: >- - Manually bootstrap a datacenter to deploy your Consul servers and join them together for the first time. For Consul v0.4+, we recommend automatic bootstrapping instead. ---- - -# Manually Bootstrapping a Datacenter - -When deploying Consul to a datacenter for the first time, there is an initial -bootstrapping that must be done. As of Consul 0.4, an -[automatic bootstrapping](/consul/docs/install/bootstrapping) is available and is -the recommended approach. However, older versions only support a manual -bootstrap that is documented here. - -Generally, the first nodes that are started are the server nodes. Remember that -an agent can run in both client and server mode. Server nodes are responsible -for running the [consensus protocol](/consul/docs/architecture/consensus), and -storing the cluster state. The client nodes are mostly stateless and rely on the -server nodes, so they can be started easily. - -Manual bootstrapping requires that the first server that is deployed in a new -datacenter provide the [`-bootstrap` configuration option](/consul/docs/agent/config/cli-flags#_bootstrap). -This option allows the server -to assert leadership of the cluster without agreement from any other server. -This is necessary because at this point, there are no other servers running in -the datacenter! Lets call this first server `Node A`. When starting `Node A` -something like the following will be logged: - -```log -2014/02/22 19:23:32 [INFO] consul: cluster leadership acquired -``` - -Once `Node A` is running, we can start the next set of servers. There is a -[deployment table](/consul/docs/architecture/consensus#deployment_table) that covers various -options, but it is recommended to have 3 or 5 total servers per datacenter. A -single server deployment is _**highly**_ discouraged as data loss is inevitable -in a failure scenario. We start the next servers **without** specifying -`-bootstrap`. This is critical, since only one server should ever be running in -bootstrap mode. Once `Node B` and `Node C` are started, you should see a -message to the effect of: - -```log -[WARN] raft: EnableSingleNode disabled, and no known peers. Aborting election. -``` - -This indicates that the node is not in bootstrap mode, and it will not elect -itself as leader. We can now join these machines together. Since a join -operation is symmetric it does not matter which node initiates it. From -`Node B` and `Node C` you can do the following: - -```shell-session -$ consul join -Successfully joined cluster by contacting 1 nodes. -``` - -Alternatively, from `Node A` you can do the following: - -```shell-session -$ consul join -Successfully joined cluster by contacting 2 nodes. -``` - -Once the join is successful, `Node A` should output something like: - -```log -[INFO] raft: Added peer 127.0.0.2:8300, starting replication -.... -[INFO] raft: Added peer 127.0.0.3:8300, starting replication -``` - -As a sanity check, the `consul info` command is a useful tool. It can be used to -verify `raft.num_peers` is now 2, and you can view the latest log index under -`raft.last_log_index`. When running `consul info` on the followers, you should -see `raft.last_log_index` converge to the same value as the leader begins -replication. That value represents the last log entry that has been stored on -disk. - -This indicates that `Node B` and `Node C` have been added as peers. At this -point, all three nodes see each other as peers, `Node A` is the leader, and -replication should be working. - -The final step is to remove the `-bootstrap` flag. This is important since we -don't want the node to be able to make unilateral decisions in the case of a -failure of the other two nodes. To do this, we send a `SIGINT` to `Node A` to -allow it to perform a graceful leave. Then we remove the `-bootstrap` flag and -restart the node. The node will need to rejoin the cluster, since the graceful -exit leaves the cluster. Any transactions that took place while `Node A` was -offline will be replicated and the node will catch up. - -Now that the servers are all started and replicating to each other, all the -remaining clients can be joined. Clients are much easier, as they can be started -and perform a `join` against any existing node. All nodes participate in a -gossip protocol to perform basic discovery, so clients will automatically find -the servers and register themselves. - --> If you accidentally start another server with the flag set, do not fret. -Shutdown the node, and remove the `raft/` folder from the data directory. This -will remove the bad state caused by being in `-bootstrap` mode. Then restart the -node and join the cluster normally. diff --git a/website/content/docs/integrate/download-tools.mdx b/website/content/docs/integrate/consul-tools.mdx similarity index 100% rename from website/content/docs/integrate/download-tools.mdx rename to website/content/docs/integrate/consul-tools.mdx diff --git a/website/content/docs/integrate/partnerships.mdx b/website/content/docs/integrate/consul.mdx similarity index 81% rename from website/content/docs/integrate/partnerships.mdx rename to website/content/docs/integrate/consul.mdx index 024a5b5413d..c7b0c1458df 100644 --- a/website/content/docs/integrate/partnerships.mdx +++ b/website/content/docs/integrate/consul.mdx @@ -17,7 +17,7 @@ The program is intended to be largely self-service with links to resources, code ## Categories of Consul Integrations -By leveraging Consul's RESTful HTTP API system, prospective partners are able to build extensible integrations at the data plane, platform, and the infrastructure layer to extend Consul's functionalities. These integrations can be performed both with the community edition of Consul, Consul Enterprise, and HCP Consul Dedicated. +By leveraging Consul's RESTful HTTP API system, prospective partners are able to build extensible integrations at the data plane, platform, and the infrastructure layer to extend Consul's functionalities. These integrations can be performed both with the community edition of Consul, Consul Enterprise, and HCP Consul. **The Consul ecosystem of integrations:** @@ -35,11 +35,11 @@ By leveraging Consul's RESTful HTTP API system, prospective partners are able to **Infrastructure**: There are two integration options in this category: natively through a direct integration with Consul or via Consul-Terraform-Sync (CTS). By leveraging Consul's powerful **Network Infrastructure Automation (NIA)*** capabilities through CTS, changes in an infrastructure are seamlessly automated when Consul detects a change in its service catalog. For example, these integrations could be used to automate IP updates of load balancers or firewall security policies by leveraging Consul service discovery. --> **Network Infrastructure Automation (NIA)***: These integrations leverage Consul's service catalog to seamlessly integrate with Consul-Terraform-Sync (CTS) to automate changes in network infrastructure via a publisher-subscriber method. Refer to the [NIA documentation](/consul/docs/integrate/nia-integration) for details. +-> **Network Infrastructure Automation (NIA)***: These integrations leverage Consul's service catalog to seamlessly integrate with Consul-Terraform-Sync (CTS) to automate changes in network infrastructure via a publisher-subscriber method. Refer to the [NIA documentation](/consul/docs/integrate/nia) for details. -**HCP Consul Dedicated**: HCP Consul Dedicated is secure by default and offers an out-of-the-box service mesh solution to streamline operations without the hassle of managing Consul servers. [Sign up for a free HCP Consul Dedicated account](https://cloud.hashicorp.com/products/consul). +**HCP Consul**: HCP Consul is secure by default and offers an out-of-the-box service mesh solution to streamline operations without the hassle of managing Consul servers. [Sign up for a free HCP Consul account](https://cloud.hashicorp.com/products/consul). -**Consul integration verification badges**: Partners will be issued the Consul Enterprise badge for integrations that work with [Consul Enterprise features](/consul/docs/enterprise) such as namespaces. Partners will be issued the HCP Consul Dedicated badge for integrations validated to work with [HCP Consul Dedicated](/hcp/docs/consul#features). Each badge would be displayed on HashiCorp's partner page as well as be available for posting on the partner's own website to provide better visibility and differentiation of the integration for joint customers. +**Consul integration verification badges**: Partners will be issued the Consul Enterprise badge for integrations that work with [Consul Enterprise features](/consul/docs/enterprise) such as namespaces. Partners will be issued the HCP Consul badge for integrations validated to work with [HCP Consul](/hcp/docs/consul#features). Each badge would be displayed on HashiCorp's partner page as well as be available for posting on the partner's own website to provide better visibility and differentiation of the integration for joint customers. @@ -49,12 +49,12 @@ By leveraging Consul's RESTful HTTP API system, prospective partners are able to -![HCP Consul Dedicated](/img/HCPc_badge.png) +![HCP Consul](/img/HCPc_badge.png) -Developing a valid integration with either Consul Enterprise or HCP Consul Dedicated also qualifies the partner for the Premier tier of the HashiCorp Technology Partners program. The process for verification of these integrations is detailed below. +Developing a valid integration with either Consul Enterprise or HCP Consul also qualifies the partner for the Premier tier of the HashiCorp Technology Partners program. The process for verification of these integrations is detailed below. ## Development Process @@ -87,7 +87,7 @@ Here are links to resources, documentation, examples and best practices to guide - [Consul Telemetry Documentation](/consul/docs/agent/telemetry) - [Monitoring Consul with Datadog APM](https://www.datadoghq.com/blog/consul-datadog/) -- [Monitor HCP Consul Dedicated with New Relic Instant Observability](https://github.com/newrelic-experimental/hashicorp-quickstart-annex/blob/main/hcp-consul/README.md) +- [Monitor HCP Consul with New Relic Instant Observability](https://github.com/newrelic-experimental/hashicorp-quickstart-annex/blob/main/hcp-consul/README.md) - [HCP Consul and CloudFabrix AIOps Integration](https://bot-docs.cloudfabrix.io/Bots/consul/?h=consul) - [Consul and SnappyFlow Full Stack Observability](https://docs.snappyflow.io/docs/Integrations/hcp_consul) @@ -118,7 +118,7 @@ Here are links to resources, documentation, examples and best practices to guide #### Platform: -- [Deploy Consul on Red Hat OpenShift](/consul/tutorials/kubernetes/kubernetes-openshift-red-hat) +- [Deploy Consul on Red Hat OpenShift](/consul/deploy/server/k8s/platform/openshift) - [Consul Integration with Layer5 Meshery](https://www.hashicorp.com/integrations/layer5-io/consul) - [Consul Integration with VMware Tanzu Application Service](/consul/tutorials/cloud-integrations/sync-pivotal-cloud-services?utm_source=docs) @@ -167,17 +167,17 @@ Here are links to resources, documentation, examples and best practices to guide The only knowledge necessary to write a plugin is basic command-line skills and knowledge of the [Go programming language](http://www.golang.org). Use the plugin interface to develop your integration. All integrations should contain unit and acceptance testing. -**HCP Consul Dedicated**: As a managed service, minimal configuration is required to deploy HCP Consul Dedicated server clusters. You only need to install Consul client agents. Furthermore, HashiCorp provides all new users an initial credit, which provides approximately two months worth of [development cluster](https://cloud.hashicorp.com/products/consul/pricing) access. When deployed with AWS or Azure free tier services, there should be no cost beyond the time spent by the designated tester. Refer to the [Deploy HCP Consul Dedicated tutorial](/consul/tutorials/get-started-hcp/hcp-gs-deploy) for details on getting started. +**HCP Consul**: As a managed service, minimal configuration is required to deploy HCP Consul server clusters. You only need to install Consul client agents. Furthermore, HashiCorp provides all new users an initial credit, which provides approximately two months worth of [development cluster](https://cloud.hashicorp.com/products/consul/pricing) access. When deployed with AWS or Azure free tier services, there should be no cost beyond the time spent by the designated tester. Refer to the [Deploy HCP Consul tutorial](/consul/tutorials/get-started-hcp/hcp-gs-deploy) for details on getting started. -HCP Consul Dedicated is currently only deployed on AWS and Microsoft Azure, so your application can be deployed to or run in AWS or Azure. +HCP Consul is currently only deployed on AWS and Microsoft Azure, so your application can be deployed to or run in AWS or Azure. -#### HCP Consul Dedicated Resource Links: +#### HCP Consul Resource Links: -- [Getting Started with HCP Consul Dedicated](/consul/tutorials/get-started-hcp/hcp-gs-deploy) -- [HCP Consul Dedicated End-to-End Deployment](/consul/tutorials/cloud-deploy-automation/consul-end-to-end-overview) -- [Deploy HCP Consul Dedicated with EKS using Terraform](/consul/tutorials/cloud-deploy-automation/consul-end-to-end-eks) -- [HCP Consul Dedicated Deployment Automation](/consul/tutorials/cloud-deploy-automation) -- [HCP Consul Dedicated documentation](/hcp/docs/consul/usage) +- [Getting Started with HCP Consul](/consul/tutorials/get-started-hcp/hcp-gs-deploy) +- [HCP Consul End-to-End Deployment](/consul/tutorials/cloud-deploy-automation/consul-end-to-end-overview) +- [Deploy HCP Consul with EKS using Terraform](/consul/tutorials/cloud-deploy-automation/consul-end-to-end-eks) +- [HCP Consul Deployment Automation](/consul/tutorials/cloud-deploy-automation) +- [HCP Consul documentation](/hcp/docs/consul/usage) **Consul Enterprise**: An integration qualifies for Consul Enterprise when it is tested and compatible with Consul Enterprise Namespaces. diff --git a/website/content/docs/integrate/index.mdx b/website/content/docs/integrate/index.mdx new file mode 100644 index 00000000000..79c8a8986fb --- /dev/null +++ b/website/content/docs/integrate/index.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Consul integration overview +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Consul integration overview + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/integrate/nia-integration.mdx b/website/content/docs/integrate/nia.mdx similarity index 95% rename from website/content/docs/integrate/nia-integration.mdx rename to website/content/docs/integrate/nia.mdx index 1da7ca7417e..b8edad9cc22 100644 --- a/website/content/docs/integrate/nia-integration.mdx +++ b/website/content/docs/integrate/nia.mdx @@ -17,7 +17,7 @@ Consul-Terraform-Sync executes one or more automation tasks with an appropriate [![NIA Architecture](/img/nia-highlevel-diagram.svg)](/img/nia-highlevel-diagram.svg) --> Please note that the above indicated solution is a "push" based method and is not the only way to integrate network devices with Consul and drive Network Infrastructure Automation Integration. If your preferred method is to directly integrate with Consul without using Terraform, then please use [Consul Integration Program](/consul/docs/integrate/partnerships). +-> Please note that the above indicated solution is a "push" based method and is not the only way to integrate network devices with Consul and drive Network Infrastructure Automation Integration. If your preferred method is to directly integrate with Consul without using Terraform, then please use [Consul Integration Program](/consul/docs/integrate/consul). ## NIA Program Steps @@ -44,14 +44,14 @@ Consul-Terraform-Sync compatible Terraform module development process is fairly - Consul [documentation](/consul/docs) - Consul-Terraform-Sync [documentation](/consul/docs/nia) -- Writing Consul-Terraform-Sync compatible Terraform modules using our [guide](/consul/docs/nia/terraform-modules) and [tutorial](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-module?utm_source=docs) +- Writing Consul-Terraform-Sync compatible Terraform modules using our [guide](/consul/docs/reference/cts/terraform-module) and [tutorial](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-module?utm_source=docs) - Example Terraform Modules for reference: [PAN-OS](https://registry.terraform.io/modules/PaloAltoNetworks/dag-nia/panos/latest), [Simple Print Module](https://registry.terraform.io/modules/findkim/print/cts/latest) and a [Template to structure your Terraform Modules](https://github.com/hashicorp/consul-terraform-sync-template-module) - Publishing to the Terraform Registry [guidelines](/terraform/registry/modules/publish) ### 3. Develop & Test Terraform modules are written in HashiCorp Configuration Language (HCL). Writing [Terraform modules](/terraform/language/modules/develop) or a [tutorial to build a module](/terraform/tutorials/modules/module-create) are good resources to begin writing a new module. -Consul-Terraform-Sync compatible modules follow the [standard module structure](/terraform/language/modules/develop). Modules can use syntax supported by Terraform version 0.13, or higher. Consul-Terraform-Sync is designed to integrate with any module that satisfies these [specifications](/consul/docs/nia/terraform-modules#module-specifications). The guide will give you an introduction of the code structure and the basics of authoring a plugin that Terraform can interact with. +Consul-Terraform-Sync compatible modules follow the [standard module structure](/terraform/language/modules/develop). Modules can use syntax supported by Terraform version 0.13, or higher. Consul-Terraform-Sync is designed to integrate with any module that satisfies these [specifications](/consul/docs/reference/cts/terraform-module#module-specifications). The guide will give you an introduction of the code structure and the basics of authoring a plugin that Terraform can interact with. It is recommended that partners develop modules that cater to specific workflows on an individual platform in their product portfolio rather than having overarching modules that try to cover multiple workflows across different platforms. This is to keep the automation modular and adoptable by a broad set of users with varying network infrastructure topologies. Partners are encouraged to test the functionality of the modules against their supported platforms. diff --git a/website/content/docs/connect/proxies/integrate.mdx b/website/content/docs/integrate/proxy.mdx similarity index 68% rename from website/content/docs/connect/proxies/integrate.mdx rename to website/content/docs/integrate/proxy.mdx index 80708badff0..050498169af 100644 --- a/website/content/docs/connect/proxies/integrate.mdx +++ b/website/content/docs/integrate/proxy.mdx @@ -14,7 +14,7 @@ description: >- will still operate as designed, we do not recommend leveraging this feature because it is deprecated and will be removed when the long term replacement to native application integration (such as a proxyless gRPC service mesh integration) is delivered. Refer to [GH-10339](https://github.com/hashicorp/consul/issues/10339) for additional information and to track progress toward one potential solution that is tracked as replacement functionality. The Native App Integration does not support many of the Consul's service mesh features, and is not under active development. - The [Envoy proxy](/consul/docs/connect/proxies/envoy) should be used for most production environments. + The [Envoy proxy](/consul/docs/reference/proxy/envoy) should be used for most production environments. @@ -22,19 +22,17 @@ This topic describes the process and API endpoints you can use to extend proxies ## Overview -You can extend any proxy to support Consul service mesh. Consul ships with a built-in -proxy suitable for an out-of-the-box development experience, but you may require a more robust proxy solution for production environments. +You can extend any proxy to support Consul service mesh. Consul ships with a built-in proxy suitable for an out-of-the-box development experience, but you may require a more robust proxy solution for production environments. The proxy you integrate must be able to accept inbound connections and/or establish outbound connections identified as a particular service. In some cases, either ability may be acceptable, but both are generally required to support for full sidecar functionality. Sidecar proxies may support L4 or L7 network functionality. L4 integration is simpler and adequate for securing all traffic. L4 treats all traffic as TCP, however, so advanced routing or metrics features are not supported. -Full L7 support is built on top of L4 support. An L7 proxy integration supports most or all of the L7 traffic routing features in Consul service mesh by dynamically configuring routing, retries, and other L7 features. The built-in proxy only supports L4, while [Envoy](/consul/docs/connect/proxies/envoy) supports the full L7 feature set. +Full L7 support is built on top of L4 support. An L7 proxy integration supports most or all of the L7 traffic routing features in Consul service mesh by dynamically configuring routing, retries, and other L7 features. The built-in proxy only supports L4, while [Envoy](/consul/docs/reference/proxy/envoy) supports the full L7 feature set. Areas where the integration approach differs between L4 and L7 are identified in this topic. -The noun _connect_ is used throughout this documentation to refer to the connect -subsystem that provides Consul's service mesh capabilities. +The noun _connect_ is used throughout this documentation to refer to the connect subsystem that provides Consul's service mesh capabilities. ## Accepting Inbound Connections @@ -97,97 +95,50 @@ Intentions currently use TLS URI Subject Alternative Name (SAN) for enforcement. ### Updating data -The API endpoints described in this section operate on agent-local data that is updated in the -background. The leaf, roots, and intentions should be updated in the background -by the proxy. +The API endpoints described in this section operate on agent-local data that is updated in the background. The leaf, roots, and intentions should be updated in the background by the proxy. -The leaf cert, root cert, and intentions endpoints support [blocking -queries](/consul/api-docs/features/blocking), which should be used to get near-immediate -updates for root key rotations, new leaf certs before expiry, and intention -changes. +The leaf cert, root cert, and intentions endpoints support [blocking queries](/consul/api-docs/features/blocking), which should be used to get near-immediate updates for root key rotations, new leaf certs before expiry, and intention changes. ### SPIFFE certificates -Although Consul follows the SPIFFE spec for certificates, some CA providers do not allow strict adherence. For example, CA certificates may not have the correct trust-domain SPIFFE URI SAN for the -cluster. If SPIFFE validation is performed in the proxy, be aware that it -should be possible to opt out, otherwise certain CA providers supported by -Consul will not be compatible with the use of that proxy. Neither -Envoy nor the built-in proxy currently validate the SPIFFE URI of the chain beyond the -leaf certificate. +Although Consul follows the SPIFFE spec for certificates, some CA providers do not allow strict adherence. For example, CA certificates may not have the correct trust-domain SPIFFE URI SAN for the cluster. If SPIFFE validation is performed in the proxy, be aware that it should be possible to opt out, otherwise certain CA providers supported by Consul will not be compatible with the use of that proxy. Neither Envoy nor the built-in proxy currently validate the SPIFFE URI of the chain beyond the leaf certificate. ## Establishing Outbound Connections -For outbound connections, the proxy should communicate with a mesh-capable -endpoint for a service and provide a client certificate from the -[`/v1/agent/connect/ca/leaf/`] API endpoint. The proxy must use the root certificate obtained from the [`/v1/agent/connect/ca/roots`] endpoint to verify the certificate served from the destination endpoint. +For outbound connections, the proxy should communicate with a mesh-capable endpoint for a service and provide a client certificate from the [`/v1/agent/connect/ca/leaf/`] API endpoint. The proxy must use the root certificate obtained from the [`/v1/agent/connect/ca/roots`] endpoint to verify the certificate served from the destination endpoint. ## Configuration Discovery -The [`/v1/agent/service/:service_id`](/consul/api-docs/agent/service#get-service-configuration) -API endpoint enables any proxy to discover proxy configurations registered with a local service. This endpoint supports hash-based blocking, which enables long-polling for changes -to the registration/configuration. Any changes to the registration/config will -result in the new config being returned immediately. +The [`/v1/agent/service/:service_id`](/consul/api-docs/agent/service#get-service-configuration) API endpoint enables any proxy to discover proxy configurations registered with a local service. This endpoint supports hash-based blocking, which enables long-polling for changes to the registration/configuration. Any changes to the registration/config will result in the new config being returned immediately. -Refer to the [built-in proxy](/consul/docs/connect/proxies/built-in) for an example implementation. Using the Go SDK, the proxy calls the HTTP "pull" API via the `watch` package: [`consul/connect/proxy/config.go`]. +Refer to the [built-in proxy](/consul/docs/reference/proxy/built-in) for an example implementation. Using the Go SDK, the proxy calls the HTTP "pull" API via the `watch` package: [`consul/connect/proxy/config.go`]. -The [discovery chain] for each upstream service should be fetched from the -[`/v1/discovery-chain/:service_id`](/consul/api-docs/discovery-chain#read-compiled-discovery-chain) -API endpoint. This will return a compiled graph of configurations a sidecar needs for a particular upstream service. +The [discovery chain] for each upstream service should be fetched from the [`/v1/discovery-chain/:service_id`](/consul/api-docs/discovery-chain#read-compiled-discovery-chain) API endpoint. This will return a compiled graph of configurations a sidecar needs for a particular upstream service. -If you are only implementing L4 support in your proxy, set the -[`OverrideProtocol`](/consul/api-docs/discovery-chain#overrideprotocol) value to `tcp` when -fetching the discovery chain so that L7 features, such as HTTP routing rules, are -not returned. +If you are only implementing L4 support in your proxy, set the [`OverrideProtocol`](/consul/api-docs/discovery-chain#overrideprotocol) value to `tcp` when fetching the discovery chain so that L7 features, such as HTTP routing rules, are not returned. -For each [target](/consul/docs/connect/manage-traffic/discovery-chain#targets) in the resulting -discovery chain, a list of healthy, mesh-capable endpoints may be fetched -from the [`/v1/health/connect/:service_id`] API endpoint as described in the [Service -Discovery](#service-discovery) section. +For each [target](/consul/docs/connect/manage-traffic/discovery-chain#targets) in the resulting discovery chain, a list of healthy, mesh-capable endpoints may be fetched from the [`/v1/health/connect/:service_id`] API endpoint as described in the [Service Discovery](#service-discovery) section. -The remaining nodes in the chain include configurations that should be -translated into the nearest equivalent for features, such as HTTP routing, connection -timeouts, connection pool settings, rate limits, etc. See the full [discovery -chain] documentation and relevant [config entry](/consul/docs/agent/config-entries) -documentation for details about supported configuration parameters. +The remaining nodes in the chain include configurations that should be translated into the nearest equivalent for features, such as HTTP routing, connection timeouts, connection pool settings, rate limits, etc. See the full [discovery chain] documentation and relevant [config entry](/consul/docs/agent/config-entries) documentation for details about supported configuration parameters. ### Service Discovery -Proxies can use Consul's [service discovery API](/consul/api-docs/health#list-service-instances-for-mesh-enabled-service) to return all available, mesh-capable endpoints for a given service. This endpoint supports a `cached` query parameter, which uses [agent caching](/consul/api-docs/features/caching) to improve -performance. The API package provides a [`UseCache`] query option to leverage caching. -In addition to performance improvements, using the cache makes the mesh more resilient to Consul server outages. This is because the mesh "fails static" with the last known set of service instances still used, rather than errors on new connections. +Proxies can use Consul's [service discovery API](/consul/api-docs/health#list-service-instances-for-mesh-enabled-service) to return all available, mesh-capable endpoints for a given service. This endpoint supports a `cached` query parameter, which uses [agent caching](/consul/api-docs/features/caching) to improve performance. The API package provides a [`UseCache`] query option to leverage caching. In addition to performance improvements, using the cache makes the mesh more resilient to Consul server outages. This is because the mesh "fails static" with the last known set of service instances still used, rather than errors on new connections. -Proxies can decide whether to perform just-in-time queries to the API when a -new connection needs to be routed, or to use blocking queries to load the -current set of endpoints for a service and keep that list updated. The SDK and -built-in proxy currently use just-in-time resolution however many existing -proxies are likely to find it easier to integrate by pulling the set of -endpoints and maintaining it in local memory using blocking queries. +Proxies can decide whether to perform just-in-time queries to the API when a new connection needs to be routed, or to use blocking queries to load the current set of endpoints for a service and keep that list updated. The SDK and built-in proxy currently use just-in-time resolution however many existing proxies are likely to find it easier to integrate by pulling the set of endpoints and maintaining it in local memory using blocking queries. -Upstreams may be defined with the Prepared Query target type. These upstreams -should use Consul's [prepared query](/consul/api-docs/query) API to determine a list of upstream endpoints for the service. Note that the `PreparedQuery` API does not support blocking, so proxies choosing to populate endpoints in memory will need to poll the endpoint at a suitable and, ideally, configurable frequency. +Upstreams may be defined with the Prepared Query target type. These upstreams should use Consul's [prepared query](/consul/api-docs/query) API to determine a list of upstream endpoints for the service. Note that the `PreparedQuery` API does not support blocking, so proxies choosing to populate endpoints in memory will need to poll the endpoint at a suitable and, ideally, configurable frequency. --> **Long-term support for [`service-resolver`](/consul/docs/connect/config-entries/service-resolver) configuration -entries**. The `service-resolver` configuration will completely replace prepared queries in future versions of Consul. In some instances, however, prepared queries are still used. +-> **Long-term support for [`service-resolver`](/consul/docs/reference/config-entry/service-resolver) configuration entries**. The `service-resolver` configuration will completely replace prepared queries in future versions of Consul. In some instances, however, prepared queries are still used. ## Sidecar Instantiation -Consul does not start or manage sidecar proxy processes. Proxies running on a -physical host or VM are designed to be started and run by process supervisor -systems, such as init, systemd, supervisord, etc. If deployed within a -cluster scheduler (Kubernetes, Nomad), proxies should run as a sidecar container in the -same namespace. +Consul does not start or manage sidecar proxy processes. Proxies running on a physical host or VM are designed to be started and run by process supervisor systems, such as init, systemd, supervisord, etc. If deployed within a cluster scheduler (Kubernetes, Nomad), proxies should run as a sidecar container in the same namespace. -Proxies will use the [`CONSUL_HTTP_TOKEN`](/consul/commands#consul_http_token) and -[`CONSUL_HTTP_ADDR`](/consul/commands#consul_http_addr) environment variables to -contact Consul and fetch certificates. This occurs if the `CONSUL_HTTP_TOKEN` -environment variable contains a Consul ACL token that has the necessary permissions -to read configurations for that service. If you use the Go [`api` package], then -the environment variables will be read and the client configured for you -automatically. +Proxies will use the [`CONSUL_HTTP_TOKEN`](/consul/commands#consul_http_token) and [`CONSUL_HTTP_ADDR`](/consul/commands#consul_http_addr) environment variables to contact Consul and fetch certificates. This occurs if the `CONSUL_HTTP_TOKEN` environment variable contains a Consul ACL token that has the necessary permissions to read configurations for that service. If you use the Go [`api` package], then the environment variables will be read and the client configured for you automatically. Alternatively, you may also use the flags `-token` or `-token-file` to provide the Consul ACL token. - @@ -206,7 +157,6 @@ $ consul connect proxy -sidecar-for "web" -token-file=/etc/consul.d/consul.token - If TLS is enabled on Consul, you will also need to add the following environment variables _prior_ to starting the proxy: - [`CONSUL_CACERT`](/consul/commands#consul_cacert) @@ -217,10 +167,7 @@ The `CONSUL_CACERT`, `CONSUL_CLIENT_CERT` and `CONSUL_CLIENT_KEY` can also be pr The proxy service ID comes from the user. See [`consul connect envoy`](/consul/commands/connect/envoy#examples) for an example. You can use the `-proxy-id` flag to specify the ID of the proxy service you have already registered with the local agent. -Alternatively, you can start the service using the `-sidecar-for=` option. This option queries Consul for a proxy that is registered as a sidecar for the specified ``. If exactly one service associated with the proxy is returned, the ID will be used to start the proxy. Your controller only needs to accept `-proxy-id` as an argument; the Consul CLI will resolve the -ID for the name specified in `-sidecar-for` flag. - - +Alternatively, you can start the service using the `-sidecar-for=` option. This option queries Consul for a proxy that is registered as a sidecar for the specified ``. If exactly one service associated with the proxy is returned, the ID will be used to start the proxy. Your controller only needs to accept `-proxy-id` as an argument; the Consul CLI will resolve the ID for the name specified in `-sidecar-for` flag. [`/v1/agent/connect/ca/leaf/`]: /consul/api-docs/agent/connect#service-leaf-certificate [`/v1/agent/connect/ca/roots`]: /consul/api-docs/agent/connect#certificate-authority-ca-roots @@ -229,4 +176,4 @@ ID for the name specified in `-sidecar-for` flag. [`consul/connect/tls.go`]: https://github.com/hashicorp/consul/blob/v1.8.3/connect/tls.go#L232-L237 [discovery chain]: /consul/docs/connect/manage-traffic/discovery-chain [`usecache`]: https://github.com/hashicorp/consul/blob/v1.8.3/api/api.go#L99-L102 -[protocol]: /consul/docs/connect/config-entries/service-defaults#protocol +[protocol]: /consul/docs/reference/config-entry/service-default#protocol diff --git a/website/content/docs/internals/acl.mdx b/website/content/docs/internals/acl.mdx deleted file mode 100644 index 87e35844179..00000000000 --- a/website/content/docs/internals/acl.mdx +++ /dev/null @@ -1,13 +0,0 @@ ---- -layout: docs -page_title: ACL System -description: >- - Consul provides an optional Access Control List (ACL) system which can be used - to control access to data and APIs. The ACL system is a Capability-based - system that relies on tokens which can have fine grained rules applied to - them. It is very similar to AWS IAM in many ways. ---- - -# ACL System ((#version_8_acls)) - -This content has been moved into the [ACL Guide](/consul/tutorials/security/access-control-setup-production). \ No newline at end of file diff --git a/website/content/docs/internals/index.mdx b/website/content/docs/internals/index.mdx deleted file mode 100644 index c4a1d08f6b9..00000000000 --- a/website/content/docs/internals/index.mdx +++ /dev/null @@ -1,25 +0,0 @@ ---- -layout: docs -page_title: Internals Overview -description: >- - To enhance your understanding of how to use, troubleshoot, and secure Consul, learn more about Consul's internal properties and how it works under the hood. ---- - -# Consul Internals Overview - -This section covers some of the internals of Consul. Understanding the internals of Consul is necessary to successfully -use it in production. - -Please review the following documentation to understand how Consul works. - -- [Architecture](/consul/docs/architecture) -- [Consensus Protocol](/consul/docs/architecture/consensus) -- [Gossip Protocol](/consul/docs/architecture/gossip) -- [Network Coordinates](/consul/docs/architecture/coordinates) -- [Sessions](/consul/docs/security/acl/auth-methods/oidc) -- [Anti-Entropy](/consul/docs/architecture/anti-entropy) -- [Security Model](/consul/docs/security) -- [Discovery Chain](/consul/docs/connect/manage-traffic/discovery-chain) - -You should also be familiar with [Jepsen testing](/consul/docs/architecture/jepsen), before deploying -a production datacenter. diff --git a/website/content/docs/intro/index.mdx b/website/content/docs/intro/index.mdx deleted file mode 100644 index 1708f3d84b5..00000000000 --- a/website/content/docs/intro/index.mdx +++ /dev/null @@ -1,90 +0,0 @@ ---- -layout: docs -page_title: What is Consul? -description: >- - Consul is a service networking solution that delivers service discovery, service mesh, and network security capabilities. It supports multi-cloud infrastructure by automating connectivity between cloud providers. Learn how Consul can help you scale operations and provide high availability across your network. ---- - -# What is Consul? - -HashiCorp Consul is a service networking solution that enables teams to manage secure network connectivity between services and across on-prem and multi-cloud environments and runtimes. Consul offers service discovery, service mesh, traffic management, and automated updates to network infrastructure devices. You can use these features individually or together in a single Consul deployment. - -> **Hands-on**: Complete the Getting Started tutorials to learn how to deploy Consul: -- [Get Started on Kubernetes](/consul/tutorials/get-started-kubernetes) -- [Get Started on VMs](/consul/tutorials/get-started-vms) -- [HashiCorp Cloud Platform (HCP) Consul](/consul/tutorials/get-started-hcp) - -## How does Consul work? - -Consul provides a _control plane_ that enables you to register, query, and secure services deployed across your network. The control plane is the part of the network infrastructure that maintains a central registry to track services and their respective IP addresses. It is a distributed system that runs on clusters of nodes, such as physical servers, cloud instances, virtual machines, or containers. - -Consul interacts with the _data plane_ through proxies. The data plane is the part of the network infrastructure that processes data requests. Refer to [Consul Architecture](/consul/docs/architecture) for details. - -![Basic Consul workflow](/img/what-is-consul-overview-diagram.png) - -The core Consul workflow consists of the following stages: - -- **Register**: Teams add services to the Consul catalog, which is a central registry that lets services automatically discover each other without requiring a human operator to modify application code, deploy additional load balancers, or hardcode IP addresses. It is the runtime source of truth for all services and their addresses. Teams can manually [define](/consul/docs/services/usage/define-services) and [register](/consul/docs/services/usage/register-services-checks) using the CLI or the API, or you can automate the process in Kubernetes with [service sync](/consul/docs/k8s/service-sync). Services can also include health checks so that Consul can monitor for unhealthy services. -- **Query**: Consul’s identity-based DNS lets you find healthy services in the Consul catalog. Services registered with Consul provide health information, access points, and other data that help you control the flow of data through your network. Your services only access other services through their local proxy according to the identity-based policies you define. -- **Secure**: After services locate upstreams, Consul ensures that service-to-service communication is authenticated, authorized, and encrypted. Consul service mesh secures microservice architectures with mTLS and can allow or restrict access based on service identities, regardless of differences in compute environments and runtimes. - -## Why Consul? -Consul increases application resilience, bolsters uptime, accelerates application deployment, and improves security across service-to-service communications. HashiCorp co-founder and CTO Armon Dadgar explains how Consul solves networking challenges. - - - -### Automate service discovery - -Adopting a microservices architecture on cloud infrastructure is a critical step toward delivering value at scale, but knowing where healthy services are running on your networks in real time becomes a challenge. Consul automates service discovery by replacing service connections usually handled with load balancers with an identity-based service catalog. The service catalog is a centralized source of truth that you can query through Consul’s DNS server or API. The catalog always knows which services are available, which have been removed, and which services are healthy. - -### Connect services across runtimes and cloud providers - -Modern organizations may deploy services to a combination of on-prem infrastructure environments and public cloud providers across multiple regions. Services may run on bare metal, virtual machines, or as containers across Kubernetes clusters. - -Consul routes network traffic to any runtime or infrastructure environment your services need to reach. You can also use Consul API Gateway to route traffic into and out of the network. Consul service mesh provides additional capabilities, such as securing communication between services, traffic management, and observability, with no application code changes. - -Consul also has many integrations with Kubernetes that enable you to leverage Consul features in containerized environments. For example, Consul can automatically inject sidecar proxies into Kubernetes Pods and sync Kubernetes Services and non-Kubernetes services into the Consul service registry without manual changes to the application or changing the Pod definition. - -You can also schedule Consul workloads with [HashiCorp Nomad](https://www.nomadproject.io/) to provide secure service-to-service communication between Nomad jobs and task groups. - -### Enable zero-trust network security - -Microservice architectures are complex and difficult to secure against accidental disclosure to malicious actors. Consul provides several mechanisms that enhance network security without any changes to your application code, including mutual transport layer security (mTLS) encryption on all traffic between services and Consul intentions, which are service-to-service permissions that you can manage through the Consul UI, API, and CLI. - -When you deploy Consul to Kubernetes clusters, you can also integrate with [HashiCorp Vault](https://www.vaultproject.io/) to manage sensitive data. By default, Consul on Kubernetes leverages Kubernetes secrets as the backend system. Kubernetes secrets are base64 encoded, unencrypted, and lack lease or time-to-live properties. By leveraging Vault as a secrets backend for Consul on Kubernetes, you can manage and store Consul related secrets within a centralized Vault cluster to use across one or many Consul on Kubernetes datacenters. Refer to [Vault as the Secrets Backend](/consul/docs/k8s/deployment-configurations/vault) for additional information. - -You can also secure your Consul deployment, itself, by defining security policies in access control lists (ACL) to control access to data and Consul APIs. - -### Protect your services against network failure - -Outages are unavoidable, but with distributed systems it is critical that a power failure in one datacenter doesn’t disrupt downstream service operations. You can enable automated backups, redundancy zones, read-replicas, and other features that prevent data loss and downtime after a catastrophic event. L7 observability features also deliver service traffic metrics in the Consul UI, which help you understand the state of a service and its connections within the mesh. - -### Dynamically update network infrastructure devices - -Change to your network, including day-to-day operational tasks such as updating network device endpoints and firewall or load balancer rules, can lead to problems that disrupt operations at critical moments. You can deploy the Consul-Terraform-Sync (CTS) add-on to dynamically update network infrastructure devices when a service changes. CTS monitors the service information stored in Consul and automatically launches an instance of HashiCorp Terraform to drive relevant changes to the network infrastructure when Consul registers a change, reducing the manual effort of configuring network infrastructure. - -### Optimize traffic routes for deployment and testing scenarios - -Rolling out changes can be risky, especially in complex network environments. Updated services may not behave as expected when connected to other services, resulting in upstream or downstream issues. Consul service mesh supports layer 7 (L7) traffic management, which lets you divide L7 traffic into different subsets of service instances. This enables you to divide your pool of services for canary testing, A/B tests, blue/green deployments, and soft multi-tenancy (prod/qa/staging sharing compute resources) deployments. - -## Consul Enterprise - -HashiCorp offers core Consul functionality for free in the community edition, which is ideal for smaller businesses and teams that want to pilot Consul within their organizations. As your business grows, you can upgrade to Consul Enterprise, which offers additional capabilities designed to address organizational complexities of collaboration, operations, scale, and governance. - -### HCP Consul Dedicated - -HashiCorp Cloud Platform (HCP) Consul is our SaaS that delivers Consul Enterprise capabilities and shifts the burden of managing the control plane to us. Create an HCP organization and leverage our expertise to simplify control plane maintenance and configuration. Learn more at [HashiCorp Cloud Platform](https://cloud.hashicorp.com/products/consul). - -## Community - -We welcome questions, suggestions, and contributions from the community. - -- Ask questions in [HashiCorp Discuss](https://discuss.hashicorp.com/c/consul/29). -- Read our [contributing guide](https://github.com/hashicorp/consul/blob/main/.github/CONTRIBUTING.md). -- [Submit a Github issue](https://github.com/hashicorp/consul/issues/new/choose) for feature requests and bug reports. diff --git a/website/content/docs/k8s/index.mdx b/website/content/docs/k8s.mdx similarity index 96% rename from website/content/docs/k8s/index.mdx rename to website/content/docs/k8s.mdx index e1a8291abe3..01399e4022e 100644 --- a/website/content/docs/k8s/index.mdx +++ b/website/content/docs/k8s.mdx @@ -1,6 +1,6 @@ --- layout: docs -page_title: Consul on Kubernetes +page_title: Consul on Kubernetes overview description: >- Consul supports Kubernetes natively, allowing you to deploy Consul sidecars to a Kubernetes service mesh and sync the k8s service registry with non-k8s services. Learn how to install Consul on Kubernetes with Helm or the Consul K8s CLI and get started with tutorials. --- @@ -68,4 +68,4 @@ There are several ways to try Consul with Kubernetes in different environments. ### Documentation - [Installing Consul](/consul/docs/k8s/installation/install) covers how to install Consul using the Helm chart. -- [Helm Chart Reference](/consul/docs/k8s/helm) describes the different options for configuring the Helm chart. +- [Helm Chart Reference](/consul/docs/reference/k8s/helm) describes the different options for configuring the Helm chart. diff --git a/website/content/docs/k8s/architecture.mdx b/website/content/docs/k8s/architecture.mdx deleted file mode 100644 index 58526dc3ba2..00000000000 --- a/website/content/docs/k8s/architecture.mdx +++ /dev/null @@ -1,48 +0,0 @@ ---- -layout: docs -page_title: Consul on Kubernetes Control Plane Architecture -description: >- - When running on Kubernetes, Consul’s control plane architecture does not change significantly. Server agents are deployed as a StatefulSet with a persistent volume, while client agents can run as a k8s DaemonSet with an exposed API port or be omitted with Consul Dataplanes. ---- - -# Architecture - -This topic describes the architecture, components, and resources associated with Consul deployments to Kubernetes. Consul employs the same architectural design on Kubernetes as it does with other platforms, but Kubernetes provides additional benefits that make operating a Consul cluster easier. Refer to [Consul Architecture](/consul/docs/architecture) for more general information on Consul's architecture. - -> **For more specific guidance:** -> - For guidance on datacenter design, refer to [Consul and Kubernetes Reference Architecture](/consul/tutorials/kubernetes-production/kubernetes-reference-architecture). -> - For step-by-step deployment guidance, refer to [Consul and Kubernetes Deployment Guide](/consul/tutorials/kubernetes-production/kubernetes-deployment-guide). -> - For non-Kubernetes guidance, refer to the standard [production deployment guide](/consul/tutorials/production-deploy/deployment-guide). - -## Server Agents - -The server agents are deployed as a `StatefulSet` and use persistent volume -claims to store the server state. This also ensures that the -[node ID](/consul/docs/agent/config/config-files#node_id) is persisted so that servers -can be rescheduled onto new IP addresses without causing issues. The server agents -are configured with -[anti-affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) -rules so that they are placed on different nodes. A readiness probe is -configured that marks the pod as ready only when it has established a leader. - -A Kubernetes `Service` is registered to represent the servers and exposes ports that are required to communicate to the Consul server pods. -The servers utilize the DNS address of this service to join a Consul cluster, without requiring any other access to the Kubernetes cluster. Additional consul servers may also utilize non-ready endpoints which are published by the Kubernetes service, so that servers can utilize the service for joining during bootstrap and upgrades. - -Additionally, a **PodDisruptionBudget** is configured so the Consul server -cluster maintains quorum during voluntary operational events. The maximum -unavailable is `(n/2)-1` where `n` is the number of server agents. - --> **Note:** Kubernetes and Helm do not delete Persistent Volumes or Persistent -Volume Claims when a -[StatefulSet is deleted](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-storage), -so this must done manually when removing servers. - -## Consul Dataplane - -By default, Consul on Kubernetes uses an alternate service mesh configuration that injects sidecars without client agents. _Consul Dataplane_ manages Envoy proxies and leaves responsibility for other functions to the orchestrator, which removes the need to run client agents on every node. - -![Diagram of Consul Dataplanes in Kubernetes deployment](/img/k8s-dataplanes-architecture.png) - -Refer to [Simplified Service Mesh with Consul Dataplanes](/consul/docs/connect/dataplane) for more information. - -Consul Dataplane is the default proxy manager in Consul on Kubernetes 1.14 and later. If you are on Consul 1.13 or older, refer to [upgrading to Consul Dataplane](/consul/docs/k8s/upgrade#upgrading-to-consul-dataplanes) for specific upgrade instructions. diff --git a/website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx b/website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx deleted file mode 100644 index f6c0ae03163..00000000000 --- a/website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx +++ /dev/null @@ -1,161 +0,0 @@ ---- -layout: docs -page_title: Cluster Peering on Kubernetes Technical Specifications -description: >- - In Kubernetes deployments, cluster peering connections interact with mesh gateways, exported services, and ACLs. Learn about requirements specific to k8s, including required Helm values and custom resource definitions (CRDs). ---- - -# Cluster peering on Kubernetes technical specifications - -This reference topic describes the technical specifications associated with using cluster peering in your Kubernetes deployments. These specifications include [required Helm values](#helm-requirements) and [required custom resource definitions (CRDs)](#crd-requirements), as well as required Consul components and their configurations. To learn more about Consul's cluster peering feature, refer to [cluster peering overview](/consul/docs/connect/cluster-peering). - -For cluster peering requirements in non-Kubernetes deployments, refer to [cluster peering technical specifications](/consul/docs/connect/cluster-peering/tech-specs). - -## General requirements - -Make sure your Consul environment meets the following prerequisites: - -- Consul v1.14 or higher -- Consul on Kubernetes v1.0.0 or higher -- At least two Kubernetes clusters - -You must also configure the following service mesh components in order to establish cluster peering connections: - -- [Helm](#helm-requirements) -- [Custom resource definitions (CRD)](#crd-requirements) -- [Mesh gateways](#mesh-gateway-requirements) -- [Exported services](#exported-service-requirements) -- [ACLs](#acl-requirements) - -## Helm specifications - -Consul's default configuration supports cluster peering connections directly between clusters. In production environments, we recommend using mesh gateways to securely route service mesh traffic between partitions with cluster peering connections. The following values must be set in the Helm chart to enable mesh gateways: - -- [`global.tls.enabled = true`](/consul/docs/k8s/helm#v-global-tls-enabled) -- [`meshGateway.enabled = true`](/consul/docs/k8s/helm#v-meshgateway-enabled) - -Refer to the following example Helm configuration: - - - -```yaml -global: - name: consul - image: "hashicorp/consul:1.16.0" - peering: - enabled: true - tls: - enabled: true -meshGateway: - enabled: true -``` - - - -After mesh gateways are enabled in the Helm chart, you can separately [configure Mesh CRDs](#mesh-gateway-configuration-for-kubernetes). - -## CRD specifications - -You must create the following CRDs in order to establish a peering connection: - -- `PeeringAcceptor`: Generates a peering token and accepts an incoming peering connection. -- `PeeringDialer`: Uses a peering token to make an outbound peering connection with the cluster that generated the token. - -Refer to the following example CRDs: - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: PeeringAcceptor -metadata: - name: cluster-02 ## The name of the peer you want to connect to -spec: - peer: - secret: - name: "peering-token" - key: "data" - backend: "kubernetes" -``` - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: PeeringDialer -metadata: - name: cluster-01 ## The name of the peer you want to connect to -spec: - peer: - secret: - name: "peering-token" - key: "data" - backend: "kubernetes" -``` - - - - -## Mesh gateway specifications - -To change Consul's default configuration and enable cluster peering through mesh gateways, use a mesh configuration entry to update your network's service mesh proxies globally: - -1. In `cluster-01` create the `Mesh` custom resource with `peeringThroughMeshGateways` set to `true`. - - - - ```yaml - apiVersion: consul.hashicorp.com/v1alpha1 - kind: Mesh - metadata: - name: mesh - spec: - peering: - peerThroughMeshGateways: true - ``` - - - -1. Apply the mesh CRD to `cluster-01`. - - ```shell-session - $ kubectl --context $CLUSTER1_CONTEXT apply -f mesh.yaml - ``` - -1. Apply the mesh CRD to `cluster-02`. - - ```shell-session - $ kubectl --context $CLUSTER2_CONTEXT apply -f mesh.yaml - ``` - - - - For help setting up the cluster context variables used in this example, refer to [assign cluster IDs to environmental variables](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#assign-cluster-ids-to-environmental-variables). - - - -When cluster peering through mesh gateways, consider the following deployment requirements: - -- A Consul cluster requires a registered mesh gateway in order to export services to peers in other regions or cloud providers. -- The mesh gateway must also be registered in the same admin partition as the exported services and their `exported-services` configuration entry. An enterprise license is required to use multiple admin partitions with a single cluster of Consul servers. -- To use the `local` mesh gateway mode, you must register a mesh gateway in the importing cluster. -- Define the `Proxy.Config` settings using opaque parameters compatible with your proxy. For additional Envoy proxy configuration information, refer to [Gateway options](/consul/docs/connect/proxies/envoy#gateway-options) and [Escape-hatch overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides). - -### Mesh gateway modes - -By default, all cluster peering connections use mesh gateways in [remote mode](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters#remote). Be aware of these additional requirements when changing a mesh gateway's mode. - -- For mesh gateways that connect peered clusters, you can set the `mode` as either `remote` or `local`. -- The `none` mode is invalid for mesh gateways with cluster peering connections. - -To learn how to change the mesh gateway mode to `local` on your Kubernetes deployment, refer to [configure the mesh gateway mode for traffic between services](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#configure-the-mesh-gateway-mode-for-traffic-between-services). - -## Exported service specifications - -The `exported-services` CRD is required in order for services to communicate across partitions with cluster peering connections. Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#export-services-between-clusters). - -Refer to [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) for more information. \ No newline at end of file diff --git a/website/content/docs/k8s/connect/cluster-peering/usage/create-sameness-groups.mdx b/website/content/docs/k8s/connect/cluster-peering/usage/create-sameness-groups.mdx deleted file mode 100644 index 2674805e166..00000000000 --- a/website/content/docs/k8s/connect/cluster-peering/usage/create-sameness-groups.mdx +++ /dev/null @@ -1,292 +0,0 @@ ---- -page_title: Create sameness groups -description: |- - Learn how to create sameness groups between partitions and cluster peers on Kubernetes so that Consul can identify instances of the same service across partitions and datacenters. ---- - -# Create sameness groups on Kubernetes - -This topic describes how to create a sameness group, which designates a set of admin partitions as functionally identical in a Consul deployment running Kubernetes. Adding an admin partition to a sameness group enables Consul to recognize services registered to remote partitions with cluster peering connections as instances of the same service when they share a name and Consul namespace. - -For information about configuring a failover strategy using sameness groups, refer to [Failover with sameness groups](/consul/docs/connect/manage-traffic/failover/sameness). - -## Overview - -Sameness groups are a user-defined set of partitions with identical configurations, includingcustom resource definitions (CRDs) for service and proxy defaults. Partitions on separate clusters should have an established cluster peering connection in order to recognize each other. - -To create and use sameness groups in your network, complete the following steps: - -- **Create sameness group custom resource definitions (CRDs) for each member of the group**. For each partition that you want to include in the sameness group, you must write and apply a sameness group CRD that defines the group’s members from that partition’s perspective. Refer to the [sameness group configuration entry reference](/consul/docs/connect/config-entries/sameness-group) for details on configuration hierarchy, default values, and specifications. -- **Export services to members of the sameness group**. You must write and apply an exported services CRD that makes the partition’s services available to other members of the group. Refer to [exported services configuration entry reference](/consul/docs/connect/config-entries/exported-services) for additional specification information. -- **Create service intentions for each member of the sameness group**. For each partition that you want to include in the sameness group, you must write and apply service intentions CRDs to authorize traffic to your services from all members of the group. Refer to the [service intentions configuration entry reference](/consul/docs/connect/config-entries/service-intentions) for additional specification information. - -## Requirements - -- All datacenters where you want to create sameness groups must run Consul v1.16 or later. Refer to [upgrade instructions](/consul/docs/k8s/upgrade) for more information about how to upgrade your deployment. -- A [Consul Enterprise license](/consul/docs/enterprise/license/overview) is required. - -### Before you begin - -Before creating a sameness group, take the following actions to prepare your network: - -#### Check Consul namespaces and service naming conventions - -Sameness groups are defined at the partition level. Consul assumes all partitions in the group have identical configurations, including identical service names and identical Consul namespaces. This behavior occurs even when two partitions in the group contain functionally different services that share a common name and namespace. For example, if distinct services both named `api` were registered to different members of a sameness group, it could lead to errors because requests may be sent to the incorrect service. - -To prevent errors, check the names of the services deployed to your network and the namespaces they are deployed in. Pay particular attention to the default namespace to confirm that services have unique names. If different services share a name, you should either change one of the service’s names or deploy one of the services to a different namespace. - -#### Deploy mesh gateways for each partition - -Mesh gateways are required for cluster peering connections and recommended to secure cross-partition traffic in a single datacenter. Therefore, we recommend securing your network, and especially your production environment, by deploying mesh gateways to each datacenter. Refer to [mesh gateways specifications](/consul/docs/k8s/connect/cluster-peering/tech-specs#mesh-gateway-specifications) for more information about configuring mesh gateways. - -#### Establish cluster peering relationships between remote partitions - -You must establish connections with cluster peers before you can create a sameness group that includes them. A cluster peering connection exists between two admin partitions in different datacenters, and each connection between two partitions must be established separately with each peer. Refer to [establish cluster peering connections](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering) for step-by-step instructions. - -To establish cluster peering connections and define a group as part of the same workflow, follow instructions up to [Export services between clusters](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#export-services-between-clusters). You can use the same exported services and service intention configuration entries to establish the cluster peering connection and create the sameness group. - -## Create a sameness group - -To create a sameness group, you must write and apply a set of three CRDs for each partition that is a member of the group: - -- Sameness group CRDs: Define the sameness group from each partition’s perspective. -- Exported services CRDs: Make services available to other partitions in the group. -- Service intentions CRDs: Authorize traffic between services across partitions. - -### Define the sameness group from each partition’s perspective - -To define a sameness group for a partition, create a [sameness group CRD](/consul/docs/connect/config-entries/sameness-group) that describes the partitions and cluster peers that are part of the group. Typically, this order follows this pattern: - -1. The local partition -1. Other partitions in the same datacenter -1. Partitions with established cluster peering relationships - -If you want all services to failover to other instances in the sameness group by default, set `spec.defaultForFailover=true` and list the group members in the order you want to use in a failover scenario. Refer to [failover with sameness groups](/consul/docs/connect/manage-traffic/failover/sameness) for more information. - -Be aware that the sameness group CRDs are different for each partition. The following example demonstrates how to format three different CRDs for three partitions that are part of the sameness group `product-group` when Partition 1 and Partition 2 are in DC1, and the third partition is Partition 1 in DC2: - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: SamenessGroup -metadata: - name: product-group -spec: - defaultForFailover: true - members: - - partition: partition-1 - - partition: partition-2 - - peer: dc2-partition-1 -``` - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: SamenessGroup -metadata: - name: product-group -spec: - defaultForFailover: true - members: - - partition: partition-2 - - partition: partition-1 - - peer: dc2-partition-1 -``` - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: SamenessGroup -metadata: - name: product-group -spec: - defaultForFailover: true - members: - - partition: partition-1 - - peer: dc1-partition-1 - - peer: dc1-partition-2 -``` - - - - - -After you create the CRD, apply it to the Consul server with the following `kubectl` CLI command: - -```shell-session -$ kubectl apply -f product-group.yaml -``` - -Then, repeat the process to create and apply a CRD for every partition that is a member of the sameness group. - -### Export services to other partitions in the sameness group - -To make services available to other members of the sameness group, you must write and apply an [exported services CRD](/consul/docs/connect/config-entries/exported-services) for each partition in the group. This CRD exports the local partition's services to the rest of the group members. In each CRD, set the sameness group as the `consumer` for the exported services. You can export multiple services in a single exported services configuration entry. - -Because you are configuring the consumer to reference the sameness group instead of listing out each partition and cluster peer, you do not need to edit this configuration again when you add a partition or peer to the group. - -The following example demonstrates how to format three different `ExportedServices` CRDs to make a service named `api` deployed to the `store` namespace of each partition available to all other group members: - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -Kind: ExportedServices -metadata: - name: partition-1 -spec: - services: - - name: api - namespace: store - consumers: - - samenessGroup: product-group -``` - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -Kind: ExportedServices -metadata: - name: partition-2 -spec: - services: - - name: api - namespace: store - consumers: - - samenessGroup: product-group -``` - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -Kind: ExportedServices -metadata: - name: partition-1 -spec: - services: - - name: api - namespace: store - consumers: - - samenessGroup: product-group -``` - - - - - -For more information about exporting services, including examples of CRDs that export multiple services at the same time, refer to the [exported services configuration entry reference](/consul/docs/connect/config-entries/exported-services). - -After you create each exported services configuration entry, apply it to the Consul server with the following CLI command: - -```shell-session -$ kubectl apply -f product-group-export.yaml -``` - -#### Export services for cluster peers and sameness groups as part of the same workflow - -Creating a cluster peering connection between two partitions and then adding the partitions to a sameness group requires that you write and apply two separate exported services CRDs. One CRD exports services to the peer, and a second CRD exports services to other members of the group. - -If your goal for peering clusters is to create a sameness group, you can write and apply a single exported services configuration entry by configuring the `services[].consumers` block with the `samenessGroup` field instead of the `peer` field. Be aware that this scenario requires you to write the `SamenessGroup` CRD to Kubernetes before you apply the `ExportedServices` CRD that references the sameness group. - -### Create service intentions to authorize traffic between group members - -Exporting the service to other members of the sameness group makes the services visible to remote partitions, but you must also create service intentions so that local services are authorized to send and receive traffic from a member of the sameness group. - -For each partition that is a member of the group, write and apply a [service intentions CRD](/consul/docs/connect/config-entries/service-intentions) that defines intentions for the services that are part of the group. In the `sources` block of the configuration entry, include the service name, its namespace, the sameness group and grant `allow` permissions. - -Because you are using the sameness group in the `sources` block rather than listing out each partition and cluster peer, you do not have to make further edits to the service intentions configuration entries when members are added to or removed from the group. - -The following example demonstrates how to format three different `ServiceIntentions` CRDs to make a service named `api` available to all instances of `payments` deployed in all members of the sameness group including the local partition. In this example, `api` is deployed to the `store` namespace in all three partitions. - - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceIntentions -metadata: - name: api-intentions -spec: - sources: - - name: api - action: allow - namespace: store - samenessGroup: product-group -``` - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceIntentions -metadata: - name: api-intentions -spec: - sources: - - name: api - action: allow - namespace: store - samenessGroup: product-group -``` - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceIntentions -metadata: - name: api-intentions -spec: - sources: - - name: api - action: allow - namespace: store - samenessGroup: product-group -``` - - - - - -Refer to [create and manage intentions](/consul/docs/connect/intentions/create-manage-intentions) for more information about how to create and apply service intentions in Consul. - -After you create each service intentions configuration entry, apply it to the Consul server with the following CLI command: - -```shell-session -$ kubectl apply -f api-intentions.yaml -``` - -#### Create service intentions for cluster peers and sameness groups as part of the same workflow - -Creating a cluster peering connection between two partitions and then adding the partitions to a sameness group requires that you write and apply two separate service intentions CRDs. One CRD authorizes services for the peer, and a second CRD authorizes services for other members of the group. - -If your goal for peering clusters is to create a sameness group, you can write and apply a single service intentions CRD by configuring the `sources` block with the `samenessGroup` field instead of the `peer` field. Be aware that this scenario requires you to write the `SamenessGroup` CRD to Kubernetes before you apply the `ServiceIntentions` CRD that references the sameness group. - -## Next steps - -When `defaultForFailover=true` in a sameness group CRD, additional upstream configuration is not required. - -After creating a sameness group, you can also set up failover between services in a sameness group. Refer to [Failover with sameness groups](/consul/docs/connect/manage-traffic/failover/sameness) for more information. diff --git a/website/content/docs/k8s/connect/connect-ca-provider.mdx b/website/content/docs/k8s/connect/connect-ca-provider.mdx deleted file mode 100644 index cdab172bcc2..00000000000 --- a/website/content/docs/k8s/connect/connect-ca-provider.mdx +++ /dev/null @@ -1,196 +0,0 @@ ---- -layout: docs -page_title: Configure Service Mesh Certificate Authority (CA) for Consul on Kubernetes -description: >- - Consul includes a built-in CA, but when bootstrapping a cluster on k8s, you can configure your service mesh to use a custom certificate provider instead. Learn how to configure Vault as an external CA in primary and secondary datacenters and manually rotate Vault tokens. ---- - -# Configure Service Mesh Certificate Authority for Consul on Kubernetes - -If `connect` is enabled, the built-in Consul CA provider is automatically enabled for the service mesh certificate authority (CA). You can use different CA providers with Consul service mesh. Refer to [Service Mesh Certificate Management](/consul/docs/connect/ca) for supported providers. - -## Overview - -You should only complete the following instructions during the initial cluster bootstrapping procedure with Consul K8s CLI 0.38.0 or later. To update the Consul service mesh CA provider on an existing cluster or to update any provider properties, such as tokens, refer to [Update CA Configuration Endpoint](/consul/api-docs/connect/ca#update-ca-configuration). - -To configure an external CA provider using the Consul Helm chart, complete the following steps: - -1. Create a configuration file containing your provider information. -1. Create a Kubernetes secret containing the configuration file. -1. Reference the Kubernetes secret in the [`server.extraVolumes`](/consul/docs/k8s/helm#v-server-extravolumes) value in the Helm chart. - -To configure the Vault service mesh provider, refer to [Vault as the Service Mesh Certificate Provider on Kubernetes](/consul/docs/k8s/deployment-configurations/vault/data-integration/connect-ca). - -## Configuring Vault as a Service Mesh CA (Consul K8s 0.37.0 and earlier) - - -If you use Vault 1.11.0+ as Consul's service mesh CA, versions of Consul released before Dec 13, 2022 will develop an issue with Consul control plane or service mesh communication ([GH-15525](https://github.com/hashicorp/consul/pull/15525)). Use or upgrade to a [Consul version that includes the fix](https://support.hashicorp.com/hc/en-us/articles/11308460105491#01GMC24E6PPGXMRX8DMT4HZYTW) to avoid this problem. - -The following instructions are only valid for Consul K8s CLI 0.37.0 and prior. It describes how to configure Vault as the service mesh CA. You can configure other providers during initial bootstrap of the cluster by providing the appropriate [`ca_config`] and [`ca_provider`] values for your provider. - --> **Auto-renewal:** If using Vault as your service mesh CA, we strongly recommend Consul 1.8.5 or later, which includes support for token auto-renewal. If the Vault token is [renewable](/vault/api-docs/auth/token#renewable), then Consul automatically renews the token periodically. Otherwise, you must [manually rotate](#manually-rotating-vault-tokens) the Vault token before it expires. - -### Primary Datacenter - -To configure Vault as a CA provider for Consul service mesh, -first, create a provider configuration JSON file. -Please refer to [Vault as a service mesh CA](/consul/docs/connect/ca/vault) for the configuration options. -You will need to provide a Vault token to the `token` property. -Please refer to [these docs](/consul/docs/connect/ca/vault#token) for the permissions that the token needs to have. -This token should be [renewable](/vault/api-docs/auth/token#renewable). - -To provide a CA, you first need to create a Kubernetes secret containing the CA. -For example, you may create a secret with the Vault CA like so: - -```shell-session -kubectl create secret generic vault-ca --from-file vault.ca=/path/to/your/vault/ca -``` - -And then reference it like this in the provider configuration: - - - -```json -{ - "connect": [ - { - "ca_config": [ - { - "address": "https://vault:8200", - "intermediate_pki_path": "dc1/connect-intermediate", - "root_pki_path": "connect-root", - "token": "s.VgQvaXl8xGFO1RUxAPbPbsfN", - "ca_file": "/consul/userconfig/vault-ca/vault.ca" - } - ], - "ca_provider": "vault" - } - ] -} -``` - - - -This example configuration file is pointing to a Vault instance running in the same Kubernetes cluster, -which has been deployed with TLS enabled. Note that the `ca_file` is pointing to the file location -based on the Kubernetes secret for the Vault CA that we have created before. -We will provide that secret later in the Helm values for our Consul cluster. - -~> NOTE: If you have used Kubernetes CA to sign Vault's certificate, -such as shown in [Standalone Server with TLS](/vault/docs/platform/k8s/helm/examples/standalone-tls), -you don't need to create a Kubernetes secret with Vault's CA and can reference the CA directly -by setting `ca_file` to `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. - -Next, create a Kubernetes secret with this configuration file. - -```shell-session -$ kubectl create secret generic vault-config --from-file=config=vault-config.json -``` - -We will provide this secret and the Vault CA secret, to the Consul server via the -`server.extraVolumes` Helm value. - - - - ```yaml - global: - name: consul - server: - extraVolumes: - - type: secret - name: vault-config - load: true - items: - - key: config - path: vault-config.json - - type: secret - name: vault-ca - load: false - connectInject: - enabled: true - ``` - - - -Finally, [install](/consul/docs/k8s/installation/install#installing-consul) the Helm chart using the above config file: - -```shell-session -$ helm install consul --values values.yaml hashicorp/consul -``` - -Verify that the CA provider is set correctly: - -```shell-session -$ kubectl exec consul-server-0 -- curl --silent http://localhost:8500/v1/connect/ca/configuration\?pretty -{ - "Provider": "vault", - "Config": { - "Address": "https://vault:8200", - "CAFile": "/consul/userconfig/vault-server-tls/vault.ca", - "IntermediateCertTTL": "8760h", - "IntermediatePKIPath": "connect-intermediate", - "LeafCertTTL": "72h", - "RootPKIPath": "connect-root", - "Token": "s.VgQvaXl8xGFO1RUxAPbPbsfN" - }, - "State": null, - "ForceWithoutCrossSigning": false, - "CreateIndex": 5, - "ModifyIndex": 5 -} -``` - -### Secondary Datacenters - -To configure Vault as the service mesh CA in secondary datacenters, you need to make sure that the Root CA is the same, -but the intermediate is different for each datacenter. In the `connect` configuration for a secondary datacenter, -you can specify a `intermediate_pki_path` that is, for example, prefixed with the datacenter -for which this configuration is intended. -You will similarly need to create a Vault token and a Kubernetes secret with -Vault's CA in each secondary Kubernetes cluster. - - - -```json -{ - "connect": [ - { - "ca_config": [ - { - "address": "https://vault:8200", - "intermediate_pki_path": "dc2/connect-intermediate", - "root_pki_path": "connect-root", - "token": "s.VgQvaXl8xGFO1RUxAPbPbsfN", - "ca_file": "/consul/userconfig/vault-ca/vault.ca" - } - ], - "ca_provider": "vault" - } - ] -} -``` - - - -Note that all secondary datacenters need to have access to the same Vault instance as the primary. - -### Manually Rotating Vault Tokens - -If running Consul < 1.8.5 or using a Vault token that is not [renewable](/vault/api-docs/auth/token#renewable) -then you will need to manually renew or rotate the Vault token before it expires. - -#### Rotating Vault Token - -The [`ca_config`] and [`ca_provider`] options defined in the Consul agent -configuration are only used when initially bootstrapping the cluster. Once the -cluster is running, subsequent changes to the [`ca_provider`] config are **ignored**–even if `consul reload` is run or the servers are restarted. - -To update any settings under these keys, you must use Consul's [Update CA Configuration](/consul/api-docs/connect/ca#update-ca-configuration) API or the [`consul connect ca set-config`](/consul/commands/connect/ca#set-config) command. - -#### Renewing Vault Token - -To renew the Vault token, use the [`vault token renew`](/vault/docs/commands/token/renew) CLI command -or API. - -[`ca_config`]: /consul/docs/agent/config/config-files#connect_ca_config -[`ca_provider`]: /consul/docs/agent/config/config-files#connect_ca_provider diff --git a/website/content/docs/k8s/connect/health.mdx b/website/content/docs/k8s/connect/health.mdx deleted file mode 100644 index a3096d5c9cb..00000000000 --- a/website/content/docs/k8s/connect/health.mdx +++ /dev/null @@ -1,39 +0,0 @@ ---- -layout: docs -page_title: Configure Health Checks for Consul on Kubernetes -description: >- - Kubernetes has built-in health probes you can sync with Consul's health checks to ensure service mesh traffic is routed to healthy pods. ---- - -# Configure Health Checks for Consul on Kubernetes - -~> This topic requires familiarity with [Kubernetes Health Checks](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/). - -This page describes how Consul on Kubernetes will sync the status of Kubernetes health probes of a pod to Consul for service mesh use cases. -Health check synchronization with Consul is done automatically whenever `connectInject.enabled` is `true`. - -For each Kubernetes pod that is connect-injected the following will be configured: - -1. A [Consul health check](/consul/api-docs/catalog#register-entity) is registered within Consul catalog. -The Consul health check's state reflects the pod's readiness status. - -1. If the pod is using [transparent proxy mode](/consul/docs/connect/transparent-proxy), -the mutating webhook redirects all `http` based startup, liveness, and readiness probes in the pod through the Envoy proxy. -This webhook is defined in the -[`ExposePaths` configuration](/consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference) -for each probe so that kubelet can access the endpoint through the Envoy proxy. - -The mutation behavior can be disabled, by setting either the `consul.hashicorp.com/transparent-proxy-overwrite-probes` -pod annotation to `false` or the `connectInject.defaultOverwriteProbes` Helm value to `false`. - -When readiness probes are set for a pod, the status of the pod will be reflected within Consul and will cause Consul to redirect service -mesh traffic to the pod based on the pod's health. If the pod has failing health checks, Consul will no longer use -the service instance associated with the pod for service mesh traffic. When the pod passes its health checks, Consul will -then use the respective service instance for service mesh traffic. - -In the case where no user defined health checks are assigned to a pod, the default behavior is that the Consul health check will -be marked `passing` until the pod becomes unready. - --> It is highly recommended to [enable TLS](/consul/docs/k8s/helm#v-global-tls-enabled) for all production configurations to mitigate any -security concerns should the pod network ever be compromised. The controller makes calls across the network to Consul agents on all -nodes so an attacker could potentially sniff ACL tokens *if those calls are not encrypted* via TLS. diff --git a/website/content/docs/k8s/connect/index.mdx b/website/content/docs/k8s/connect/index.mdx deleted file mode 100644 index 0f320d34378..00000000000 --- a/website/content/docs/k8s/connect/index.mdx +++ /dev/null @@ -1,705 +0,0 @@ ---- -layout: docs -page_title: How does Consul Service Mesh Work on Kubernetes? -description: >- - An injection annotation allows Consul to automatically deploy sidecar proxies on Kubernetes pods, enabling Consul's service mesh for containers running on k8s. Learn how to configure sidecars, enable services with multiple ports, change default injection settings. ---- - -# How does Consul Service Mesh Work on Kubernetes? - -Consul service mesh automates service-to-service authorization and encryption across your Consul services. You can use service mesh in Kubernetes-orchestrated networks to secure communication between pods as well as communication between pods and external Kubernetes services. - -## Workflow - -Consul service mesh is enabled by default when you install Consul on Kubernetes using the Consul Helm chart. Consul also automatically injects sidecars into the pods in your clusters that run Envoy. These sidecar proxies, called Consul dataplanes, are enabled when `connectInject.default` is set to `false` in the Helm chart. Refer to the following documentation for additional information about these concepts: - -- [Installation and Configuration](#installation-and-configuration) in this topic -- [Consul Helm chart reference](/consul/docs/k8s/helm) -- [Simplified Service Mesh with Consul Dataplane](/consul/docs/connect/dataplane) - -If `connectInject.default` is set to `false` or you want to explicitly enable service mesh sidecar proxy injection for a specific deployment, add the `consul.hashicorp.com/connect-inject` annotation to the pod specification template and set it to `true` when connecting services to the mesh. - -### Service names - -When the service is onboarded, the name registered in Consul is set to the name of the Kubernetes Service associated with the Pod. You can use the [`consul.hashicorp.com/connect-service` annotation](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service) to specify a custom name for the service, but if ACLs are enabled then the name of the service registered in Consul must match the Pod's `ServiceAccount` name. - -### Transparent proxy mode - -By default, the Consul service mesh runs in transparent proxy mode. This mode forces inbound and outbound traffic through the sidecar proxy even though the service binds to all interfaces. Transparent proxy infers the location of upstream services using Consul service intentions, and also allows you to use Kubernetes DNS as you normally would for your workloads. - -When transparent proxy mode is enabled, all service-to-service traffic is required to use mTLS. When onboarding new services to service mesh, your network may have mixed mTLS and non-mTLS traffic, which can result in broken service-to-service communication. You can temporarily enable permissive mTLS mode during the onboarding process so that existing mesh services can accept traffic from services that are not yet fully onboarded. Permissive mTLS enables sidecar proxies to access both mTLS and non-mTLS traffic. Refer to [Onboard mesh services in transparent proxy mode](/consul/docs/k8s/connect/onboarding-tproxy-mode) for additional information. - -### Kubernetes service mesh workload scenarios - --> **Note:** A Kubernetes Service is required in order to register services on the Consul service mesh. Consul monitors the lifecycle of the Kubernetes Service and its service instances using the service object. In addition, the Kubernetes service is used to register and de-register the service from Consul's catalog. - -The following configurations are examples for registering workloads on Kubernetes into Consul's service mesh in different scenarios. Each scenario provides an example Kubernetes manifest to demonstrate how to use Consul's service mesh with a specific Kubernetes workload type. - -- [Kubernetes Pods running as a deployment](#kubernetes-pods-running-as-a-deployment) -- [Connecting to mesh-enabled Services](#connecting-to-mesh-enabled-services) -- [Kubernetes Jobs](#kubernetes-jobs) -- [Kubernetes Pods with multiple ports](#kubernetes-pods-with-multiple-ports) - -#### Kubernetes Pods running as a deployment - -The following example shows a Kubernetes configuration that specifically enables service mesh connections for the `static-server` service. Consul starts and registers a sidecar proxy that listens on port 20000 by default and proxies valid inbound connections to port 8080. - - - -```yaml -apiVersion: v1 -kind: Service -metadata: - # This name will be the service name in Consul. - name: static-server -spec: - selector: - app: static-server - ports: - - protocol: TCP - port: 80 - targetPort: 8080 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: static-server ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: static-server -spec: - replicas: 1 - selector: - matchLabels: - app: static-server - template: - metadata: - name: static-server - labels: - app: static-server - annotations: - 'consul.hashicorp.com/connect-inject': 'true' - spec: - containers: - - name: static-server - image: hashicorp/http-echo:latest - args: - - -text="hello world" - - -listen=:8080 - ports: - - containerPort: 8080 - name: http - # If ACLs are enabled, the serviceAccountName must match the Consul service name. - serviceAccountName: static-server -``` - - - -To establish a connection to the upstream Pod using service mesh, a client must dial the upstream workload using a mesh proxy. The client mesh proxy will use Consul service discovery to find all available upstream proxies and their public ports. - -#### Connecting to mesh-enabled Services - -The example Deployment specification below configures a Deployment that is capable -of establishing connections to our previous example "static-server" service. The -connection to this static text service happens over an authorized and encrypted -connection via service mesh. - - - -```yaml -apiVersion: v1 -kind: Service -metadata: - # This name will be the service name in Consul. - name: static-client -spec: - selector: - app: static-client - ports: - - port: 80 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: static-client ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: static-client -spec: - replicas: 1 - selector: - matchLabels: - app: static-client - template: - metadata: - name: static-client - labels: - app: static-client - annotations: - 'consul.hashicorp.com/connect-inject': 'true' - spec: - containers: - - name: static-client - image: curlimages/curl:latest - # Just spin & wait forever, we'll use `kubectl exec` to demo - command: ['/bin/sh', '-c', '--'] - args: ['while true; do sleep 30; done;'] - # If ACLs are enabled, the serviceAccountName must match the Consul service name. - serviceAccountName: static-client -``` - - - -By default when ACLs are enabled or when ACLs default policy is `allow`, -Consul will automatically configure proxies with all upstreams from the same datacenter. -When ACLs are enabled with default `deny` policy, -you must supply an [intention](/consul/docs/connect/intentions) to tell Consul which upstream you need to talk to. - -When upstreams are specified explicitly with the -[`consul.hashicorp.com/connect-service-upstreams` annotation](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams), -the injector will also set environment variables `_CONNECT_SERVICE_HOST` -and `_CONNECT_SERVICE_PORT` in every container in the Pod for every defined -upstream. This is analogous to the standard Kubernetes service environment variables, but -point instead to the correct local proxy port to establish connections via -service mesh. - -You cannot reference auto-generated environment variables when the upstream annotation contains a dot. This is because Consul also renders the environment variables to include a dot. For example, Consul renders the variables generated for `static-server.svc:8080` as `STATIC-SERVER.SVC_CONNECT_SERVICE_HOST` and `STATIC_SERVER.SVC_CONNECT_SERVICE_PORT`, which makes the variables unusable. -You can verify access to the static text server using `kubectl exec`. -Because transparent proxy is enabled by default, -use Kubernetes DNS to connect to your desired upstream. - -```shell-session -$ kubectl exec deploy/static-client -- curl --silent http://static-server/ -"hello world" -``` - -You can control access to the server using [intentions](/consul/docs/connect/intentions). -If you use the Consul UI or [CLI](/consul/commands/intention/create) to -deny communication between -"static-client" and "static-server", connections are immediately rejected -without updating either of the running pods. You can then remove this -intention to allow connections again. - -```shell-session -$ kubectl exec deploy/static-client -- curl --silent http://static-server/ -command terminated with exit code 52 -``` - -#### Kubernetes Jobs - -Kubernetes Jobs run pods that only make outbound requests to services on the mesh and successfully terminate when they are complete. In order to register a Kubernetes Job with the mesh, you must provide an integer value for the `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` annotation. Then, issue a request to the `http://127.0.0.1:20600/graceful_shutdown` API endpoint so that Kubernetes gracefully shuts down the `consul-dataplane` sidecar after the job is complete. - -Below is an example Kubernetes manifest that deploys a job correctly. - - - -```yaml ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: test-job - namespace: default ---- -apiVersion: v1 -kind: Service -metadata: - name: test-job - namespace: default -spec: - selector: - app: test-job - ports: - - port: 80 ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: test-job - namespace: default - labels: - app: test-job -spec: - template: - metadata: - annotations: - 'consul.hashicorp.com/connect-inject': 'true' - 'consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds': '5' - labels: - app: test-job - spec: - containers: - - name: test-job - image: alpine/curl:3.14 - ports: - - containerPort: 80 - command: - - /bin/sh - - -c - - | - echo "Started test job" - sleep 10 - echo "Killing proxy" - curl --max-time 2 -s -f -X POST http://127.0.0.1:20600/graceful_shutdown - sleep 10 - echo "Ended test job" - serviceAccountName: test-job - restartPolicy: Never -``` - - - -Upon completing the job you should be able to verify that all containers are shut down within the pod. - -```shell-session -$ kubectl get pods -NAME READY STATUS RESTARTS AGE -test-job-49st7 0/2 Completed 0 3m55s -``` - -```shell-session -$ kubectl get job -NAME COMPLETIONS DURATION AGE -test-job 1/1 30s 4m31s -``` - -In addition, based on the logs emitted by the pod you can verify that the proxy was shut down before the Job completed. - -```shell-session -$ kubectl logs test-job-49st7 -c test-job -Started test job -Killing proxy -Ended test job -``` - -#### Kubernetes Pods with multiple ports - -To configure a pod with multiple ports to be a part of the service mesh and receive and send service mesh traffic, you -will need to add configuration so that a Consul service can be registered per port. This is because services in Consul -currently support a single port per service instance. - -In the following example, suppose we have a pod which exposes 2 ports, `8080` and `9090`, both of which will need to -receive service mesh traffic. - -First, decide on the names for the two Consul services that will correspond to those ports. In this example, the user -chooses the names `web` for `8080` and `web-admin` for `9090`. - -Create two service accounts for `web` and `web-admin`: - - - -```yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: web ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: web-admin -``` - - - - -Create two Service objects for `web` and `web-admin`: - - - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: web -spec: - selector: - app: web - ports: - - protocol: TCP - port: 80 - targetPort: 8080 ---- -apiVersion: v1 -kind: Service -metadata: - name: web-admin -spec: - selector: - app: web - ports: - - protocol: TCP - port: 80 - targetPort: 9090 -``` - - - -`web` will target `containerPort` `8080` and select pods labeled `app: web`. `web-admin` will target `containerPort` -`9090` and will also select the same pods. - -~> Kubernetes 1.24+ only -In Kubernetes 1.24+ you need to [create a Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets) for each additional Consul service associated with the pod in order to expose the Kubernetes ServiceAccount token to the Consul dataplane container running under the pod serviceAccount. The Kubernetes secret name must match the ServiceAccount name: - - - -```yaml -apiVersion: v1 -kind: Secret -metadata: - name: web - annotations: - kubernetes.io/service-account.name: web -type: kubernetes.io/service-account-token ---- -apiVersion: v1 -kind: Secret -metadata: - name: web-admin - annotations: - kubernetes.io/service-account.name: web-admin -type: kubernetes.io/service-account-token -``` - - - -Create a Deployment with any chosen name, and use the following annotations: -```yaml -annotations: - 'consul.hashicorp.com/connect-inject': 'true' - 'consul.hashicorp.com/transparent-proxy': 'false' - 'consul.hashicorp.com/connect-service': 'web,web-admin' - 'consul.hashicorp.com/connect-service-port': '8080,9090' -``` -Note that the order the ports are listed in the same order as the service names, i.e. the first service name `web` -corresponds to the first port, `8080`, and the second service name `web-admin` corresponds to the second port, `9090`. - -The service account on the pod spec for the deployment should be set to the first service name `web`: -```yaml -serviceAccountName: web -``` - -The following deployment example demonstrates the required annotations for the manifest. In addition, the previous YAML manifests can also be combined into a single manifest for easier deployment. - - - -```yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: web -spec: - replicas: 1 - selector: - matchLabels: - app: web - template: - metadata: - name: web - labels: - app: web - annotations: - 'consul.hashicorp.com/connect-inject': 'true' - 'consul.hashicorp.com/transparent-proxy': 'false' - 'consul.hashicorp.com/connect-service': 'web,web-admin' - 'consul.hashicorp.com/connect-service-port': '8080,9090' - spec: - containers: - - name: web - image: hashicorp/http-echo:latest - args: - - -text="hello world" - - -listen=:8080 - ports: - - containerPort: 8080 - name: http - - name: web-admin - image: hashicorp/http-echo:latest - args: - - -text="hello world from 9090" - - -listen=:9090 - ports: - - containerPort: 9090 - name: http - serviceAccountName: web -``` - - - -After deploying the `web` application, you can test service mesh connections by deploying the `static-client` -application with the configuration in the [previous section](#connecting-to-mesh-enabled-services) and add the -`consul.hashicorp.com/connect-service-upstreams: 'web:1234,web-admin:2234'` annotation to the pod template on `static-client`: - - - -```yaml -apiVersion: v1 -kind: Service -metadata: - # This name will be the service name in Consul. - name: static-client -spec: - selector: - app: static-client - ports: - - port: 80 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: static-client ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: static-client -spec: - replicas: 1 - selector: - matchLabels: - app: static-client - template: - metadata: - name: static-client - labels: - app: static-client - annotations: - 'consul.hashicorp.com/connect-inject': 'true' - 'consul.hashicorp.com/connect-service-upstreams': 'web:1234,web-admin:2234' - spec: - containers: - - name: static-client - image: curlimages/curl:latest - # Just spin & wait forever, we'll use `kubectl exec` to demo - command: ['/bin/sh', '-c', '--'] - args: ['while true; do sleep 30; done;'] - # If ACLs are enabled, the serviceAccountName must match the Consul service name. - serviceAccountName: static-client -``` - - - -If you exec on to a static-client pod, using a command like: -```shell-session -$ kubectl exec -it static-client-5bd667fbd6-kk6xs -- /bin/sh -``` -you can then run: -```shell-session -$ curl localhost:1234 -``` -to see the output `hello world` and run: -```shell-session -$ curl localhost:2234 -``` -to see the output `hello world from 9090`. - -The way this works is that a Consul service instance is being registered per port on the Pod, so there are 2 Consul -services in this case. An additional Envoy sidecar proxy and `connect-init` init container are also deployed per port in -the Pod. So the upstream configuration can use the individual service names to reach each port as seen in the example. - - -#### Caveats for Multi-port Pods -* Transparent proxy is not supported for multi-port Pods. -* Metrics and metrics merging is not supported for multi-port Pods. -* Upstreams will only be set on the first service's Envoy sidecar proxy for the pod. - * This means that ServiceIntentions from a multi-port pod to elsewhere, will need to use the first service's name, - `web` in the example above to accept connections from either `web` or `web-admin`. ServiceIntentions from elsewhere - to a multi-port pod can use the individual service names within the multi-port Pod. -* Health checking is done on a per-Pod basis, so if any Kubernetes health checks (like readiness, liveness, etc) are - failing for any container on the Pod, the entire Pod is marked unhealthy, and any Consul service referencing that Pod - will also be marked as unhealthy. So, if `web` has a failing health check, `web-admin` would also be marked as - unhealthy for service mesh traffic. - -## Installation and Configuration - -The service mesh sidecar proxy is injected via a -[mutating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) -call the connect injector provided by the -[consul-k8s project](https://github.com/hashicorp/consul-k8s). -This enables the automatic pod mutation shown in the usage section above. -Installation of the mutating admission webhook is automated using the -[Helm chart](/consul/docs/k8s/installation/install). - -To install the connect injector, enable the connect injection feature using -[Helm values](/consul/docs/k8s/helm#configuration-values) and -upgrade the installation using `helm upgrade` for existing installs or -`helm install` for a fresh install. - -```yaml -connectInject: - enabled: true -``` - -This will configure the injector to inject when the -[injection annotation](#consul-hashicorp-com-connect-inject) -is set to `true`. Other values in the Helm chart can be used to limit the namespaces -the injector runs in, enable injection by default, and more. - -### Verifying the Installation - -To verify the installation, run the -["Accepting Inbound Connections"](/consul/docs/k8s/connect#accepting-inbound-connections) -example from the "Usage" section above. After running this example, run -`kubectl get pod static-server --output yaml`. In the raw YAML output, you should -see connect injected containers and an annotation -`consul.hashicorp.com/connect-inject-status` set to `injected`. This -confirms that injection is working properly. - -If you do not see this, then use `kubectl logs` against the injector pod -and note any errors. - -### Controlling Injection Via Annotation - -By default, the injector will inject only when the -[injection annotation](#consul-hashicorp-com-connect-inject) -on the pod (not the deployment) is set to `true`: - -```yaml -annotations: - 'consul.hashicorp.com/connect-inject': 'true' -``` - -### Injection Defaults - -If you wish for the injector to always inject, you can set the default to `true` -in the Helm chart: - -```yaml -connectInject: - enabled: true - default: true -``` - -You can then exclude specific pods via annotation: - -```yaml -annotations: - 'consul.hashicorp.com/connect-inject': 'false' -``` - -### Controlling Injection Via Namespace - -You can control which Kubernetes namespaces are allowed to be injected via -the `k8sAllowNamespaces` and `k8sDenyNamespaces` keys: - -```yaml -connectInject: - enabled: true - k8sAllowNamespaces: ['*'] - k8sDenyNamespaces: [] -``` - -In the default configuration (shown above), services from all namespaces are allowed -to be injected. Whether or not they're injected depends on the value of `connectInject.default` -and the `consul.hashicorp.com/connect-inject` annotation. - -If you wish to only enable injection in specific namespaces, you can list only those -namespaces in the `k8sAllowNamespaces` key. In the configuration below -only the `my-ns-1` and `my-ns-2` namespaces will be enabled for injection. -All other namespaces will be ignored, even if the connect inject [annotation](#consul-hashicorp-com-connect-inject) -is set. - -```yaml -connectInject: - enabled: true - k8sAllowNamespaces: ['my-ns-1', 'my-ns-2'] - k8sDenyNamespaces: [] -``` - -If you wish to enable injection in every namespace _except_ specific namespaces, you can -use `*` in the allow list to allow all namespaces and then specify the namespaces to exclude in the deny list: - -```yaml -connectInject: - enabled: true - k8sAllowNamespaces: ['*'] - k8sDenyNamespaces: ['no-inject-ns-1', 'no-inject-ns-2'] -``` - --> **NOTE:** The deny list takes precedence over the allow list. If a namespace -is listed in both lists, it will **not** be synced. - -~> **NOTE:** The `kube-system` and `kube-public` namespaces will never be injected. - -### Consul Enterprise Namespaces - -Consul Enterprise 1.7+ supports Consul namespaces. When Kubernetes pods are registered -into Consul, you can control which Consul namespace they are registered into. - -There are three options available: - -1. **Single Destination Namespace** – Register all Kubernetes pods, regardless of namespace, - into the same Consul namespace. - - This can be configured with: - - ```yaml - global: - enableConsulNamespaces: true - - connectInject: - enabled: true - consulNamespaces: - consulDestinationNamespace: 'my-consul-ns' - ``` - - -> **NOTE:** If the destination namespace does not exist we will create it. - -1. **Mirror Namespaces** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes namespace. - For example, pod `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `ns-1`. - If a mirrored namespace does not exist in Consul, it will be created. - - This can be configured with: - - ```yaml - global: - enableConsulNamespaces: true - - connectInject: - enabled: true - consulNamespaces: - mirroringK8S: true - ``` - -1. **Mirror Namespaces With Prefix** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes - namespace **with a prefix**. - For example, given a prefix `k8s-`, pod `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `k8s-ns-1`. - - This can be configured with: - - ```yaml - global: - enableConsulNamespaces: true - - connectInject: - enabled: true - consulNamespaces: - mirroringK8S: true - mirroringK8SPrefix: 'k8s-' - ``` - -### Consul Enterprise Namespace Upstreams - -When [transparent proxy](/consul/docs/connect/transparent-proxy) is enabled and ACLs are disabled, -the upstreams will be configured automatically across Consul namespaces. -When ACLs are enabled, you must configure it by specifying an [intention](/consul/docs/connect/intentions), -allowing services across Consul namespaces to talk to each other. - -If you wish to specify an upstream explicitly via the `consul.hashicorp.com/connect-service-upstreams` annotation, -use the format `[service-name].[namespace]:[port]:[optional datacenter]`: - -```yaml -annotations: - 'consul.hashicorp.com/connect-inject': 'true' - 'consul.hashicorp.com/connect-service-upstreams': '[service-name].[namespace]:[port]:[optional datacenter]' -``` - -See [consul.hashicorp.com/connect-service-upstreams](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) for more details. - --> **Note:** When you specify upstreams via an upstreams annotation, you will need to use -`localhost:` with the port from the upstreams annotation instead of KubeDNS to connect to your upstream -application. diff --git a/website/content/docs/k8s/connect/ingress-controllers.mdx b/website/content/docs/k8s/connect/ingress-controllers.mdx deleted file mode 100644 index dcec16e1704..00000000000 --- a/website/content/docs/k8s/connect/ingress-controllers.mdx +++ /dev/null @@ -1,94 +0,0 @@ ---- -layout: docs -page_title: Configure Ingress Controllers for Consul on Kubernetes -description: >- - Ingress controllers are pluggable components that must be configured in k8s in order to use the Ingress resource. Learn how to deploy sidecars with the controller to secure its communication with Consul, review common configuration issues, and find links to example configurations. ---- - -# Configure Ingress Controllers for Consul on Kubernetes - --> This topic requires Consul 1.10+, Consul-k8s 0.26+, Consul-helm 0.32+ configured with [Transparent Proxy](/consul/docs/connect/transparent-proxy) mode enabled. In addition, this topic assumes that the reader is familiar with [Ingress Controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) on Kubernetes. - -~> If you are looking for a fully supported solution for ingress traffic into Consul Service Mesh, please visit [Consul API Gateway](/consul/docs/api-gateway) for instruction on how to install Consul API Gateway along with Consul on Kubernetes. - -This page describes a general approach for integrating Ingress Controllers with Consul on Kubernetes to secure traffic from the Controller -to the backend services by deploying sidecars along with your Ingress Controller. This allows Consul to transparently secure traffic from the ingress point through the entire traffic flow of the service. - -A few steps are generally required to enable an Ingress controller to join the mesh and pass traffic through to a service: - -* Enable connect-injection via an annotation on the Ingress Controller's deployment: `consul.hashicorp.com/connect-inject` is `true`. - -* Using the following annotations on the Ingress controller's deployment, set up exclusion rules for its ports. - * [`consul.hashicorp.com/transparent-proxy-exclude-inbound-ports`](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-transparent-proxy-exclude-inbound-ports) - Provides the ability to exclude a list of ports for -inbound traffic that the service exposes from redirection. Typical configurations would require all inbound service ports -for the controller to be included in this list. - * [`consul.hashicorp.com/transparent-proxy-exclude-outbound-ports`](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-transparent-proxy-exclude-outbound-ports) - Provides the ability to exclude a list of ports for -outbound traffic that the service exposes from redirection. These would be outbound ports used by your ingress controller - which expect to skip the mesh and talk to non-mesh services. - * [`consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs`](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-transparent-proxy-exclude-outbound-cidrs) - Provides the ability to exclude a list of CIDRs that -the service communicates with for outbound requests from redirection. It is somewhat common that an Ingress controller -will expect to make API calls to the Kubernetes service for service/endpoint management. As such including the ClusterIP of the -Kubernetes service is common. - -~> Note: Depending on which ingress controller you use, these stanzas may differ in name and layout, but it is important to apply -these annotations to the *pods* of your *ingress controller*. - ```yaml - # An example list of pod annotations for an ingress controller, which need be applied to PODS for the controller, not the deployment itself. - podAnnotations: - consul.hashicorp.com/connect-inject: "true" - # Add the container ports used by your ingress controller - consul.hashicorp.com/transparent-proxy-exclude-inbound-ports: "80,8000,9000,8443" - # And the CIDR of your Kubernetes API: `kubectl get svc kubernetes --output jsonpath='{.spec.clusterIP}' - consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs: "10.108.0.1/32" - ``` - -* If the Ingress controller acts as a LoadBalancer and routes directly to Pod IPs instead of the ClusterIP of your Kubernetes Services -a `ServiceDefault` CRD must be applied to *each backend service* allowing it to use the `dialedDirectly` features. By default this is disabled. - - ```yaml - # Example Service defaults config entry - apiVersion: consul.hashicorp.com/v1alpha1 - kind: ServiceDefaults - metadata: - name: backend - spec: - transparentProxy: - dialedDirectly: true - ``` - -* An intention from the Ingress Controller to the backend application must also be applied, this could be an L4 or L7 intention: - - ```yaml - # example L4 intention, but an L7 intention can also be used to control access to specific routes. - apiVersion: consul.hashicorp.com/v1alpha1 - kind: ServiceIntentions - metadata: - name: ingress-backend - spec: - destination: - name: backend - sources: - - name: ingress - action: allow - ``` - -### Common Configuration Problems: -- The Ingress Controller's ServiceAccount name and Service name differ by default in some platforms. Consul on Kubernetes requires the -ServiceAccount and Service to have the same name. To resolve this be sure to explicitly set ServiceAccount name the same as the ingress -controller service name using it's respective helm configurations. - -- If the Ingress Controller does not have the correct inbound ports excluded it will fail to start and the Ingress' -service will not get created, causing the controller to hang in the init container. The required container ports are not -always readily available in the helm charts, so in order to resolve this examine the ingress controller's -underlying pod spec and look for the required container ports, adding these to the `consul.hashicorp.com/transparent-proxy-exclude-inbound-ports` -annotation on the ingress controller deployment. - -### Examples: -Here are a couple example configurations which can be used as reference points in setting up your own ingress controller configuration! -These were used in dev environments and are not intended to be fully supported but should provide some idea how to extend the information -above to your own uses cases. - -- [Traefik Consul example - kschoche](https://github.com/kschoche/traefik-consul) -- [Kong and Traefik Ingress Controller examples - joatmon08](https://github.com/joatmon08/consul-k8s-ingress-controllers) -- [NGINX Ingress Controller example](https://github.com/hashicorp-education/consul-k8s-nginx-ingress-controller) - diff --git a/website/content/docs/k8s/connect/ingress-gateways.mdx b/website/content/docs/k8s/connect/ingress-gateways.mdx deleted file mode 100644 index 2675214d64a..00000000000 --- a/website/content/docs/k8s/connect/ingress-gateways.mdx +++ /dev/null @@ -1,296 +0,0 @@ ---- -layout: docs -page_title: Configure Ingress Gateways for Consul on Kubernetes -description: >- - Ingress gateways listen for external requests and route authorized traffic to instances in the service mesh running on Kubernetes. Learn how to configure ingress gateways, set intentions, and connect them to k8s applications. ---- - -# Configure Ingress Gateways for Consul on Kubernetes - - - -Ingress gateway is deprecated and will not be enhanced beyond its current capabilities. Ingress gateway is fully supported -in this version but will be removed in a future release of Consul. - -Consul's API gateway is the recommended alternative to ingress gateway. - - - -~> This topic requires familiarity with [Ingress Gateways](/consul/docs/connect/gateways/ingress-gateway). - -This page describes how to enable external access through Consul ingress gateways to mesh services running inside Kubernetes. -See [Ingress Gateways](/consul/docs/connect/gateways/ingress-gateway) for more information on use-cases and how it works. - -Adding an ingress gateway is a multi-step process that consists of the following steps: - -- Setting the Helm chart configuration -- Deploying the Helm chart -- Configuring the gateway -- Defining an Intention (if ACLs are enabled) -- Deploying your application to Kubernetes -- Connecting to your application - -## Setting the helm chart configuration - -When deploying the Helm chart you must provide Helm with a custom YAML file that contains your environment configuration. - - - -```yaml -global: - name: consul -connectInject: - enabled: true -ingressGateways: - enabled: true - gateways: - - name: ingress-gateway - service: - type: LoadBalancer -``` - - - -~> **Note:** this will create a public unauthenticated LoadBalancer in your cluster, please take appropriate security considerations. - -The YAML snippet is the launching point for a valid configuration that must be supplied when installing using the [official consul-helm chart](https://hub.helm.sh/charts/hashicorp/consul). -Information on additional options can be found in the [Helm reference](/consul/docs/k8s/helm). -Configuration options for ingress gateways reside under the [ingressGateways](/consul/docs/k8s/helm#v-ingressgateways) entry. - -The gateways stanza is where you will define and configure the set of ingress gateways you want deployed to your environment. -The only required field for each entry is `name`, though entries may contain any of the fields found in the `defaults` stanza. -Values in this section override the values from the defaults stanza for the given ingress gateway with one exception: -the annotations from the defaults stanza will be _appended_ to any user-defined annotations defined in the gateways stanza rather than being overridden. -Please refer to the ingress gateway configuration [documentation](/consul/docs/k8s/helm#v-ingressgateways-defaults) for a detailed explanation of each option. - -## Deploying the Helm chart - -Ensure you have the latest consul-helm chart and install Consul via helm using the following -[guide](/consul/docs/k8s/installation/install#installing-consul) while being sure to provide the yaml configuration -as previously discussed. - -The following example installs Consul 1.0.4 using the `values.yaml` configuration: - -```shell-session -$ helm install consul -f values.yaml hashicorp/consul --version 1.0.4 --wait --debug -``` - -## Configuring the gateway - -Now that Consul has been installed with ingress gateways enabled, -you can configure the gateways via the [`IngressGateway`](/consul/docs/connect/config-entries/ingress-gateway) custom resource. - -Here is an example `IngressGateway` resource: - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: IngressGateway -metadata: - name: ingress-gateway -spec: - listeners: - - port: 8080 - protocol: http - services: - - name: static-server -``` - - - -~> **Note:** The 'name' field for the IngressGateway resource must match the name -specified when creating the gateway in the Helm chart. In the above example, the -name "ingress-gateway" is the [default name](/consul/docs/k8s/helm#v-ingressgateways-gateways-name) -used by the Helm chart when enabling ingress gateways. - -Apply the `IngressGateway` resource with `kubectl apply`: - -```shell-session -$ kubectl apply --filename ingress-gateway.yaml -ingressgateway.consul.hashicorp.com/ingress-gateway created -``` - -Since we're using `protocol: http`, we also need to set the protocol of our service -`static-server` to http. To do that, we create a [`ServiceDefaults`](/consul/docs/connect/config-entries/service-defaults) custom resource: - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceDefaults -metadata: - name: static-server -spec: - protocol: http -``` - - - -Apply the `ServiceDefaults` resource with `kubectl apply`: - -```shell-session -$ kubectl apply --filename service-defaults.yaml -servicedefaults.consul.hashicorp.com/static-server created -``` - -Ensure both resources have synced to Consul successfully: - -```shell-session -$ kubectl get servicedefaults -NAME SYNCED AGE -static-server True 45s - -$ kubectl get ingressgateway -NAME SYNCED AGE -ingress-gateway True 13m -``` - -### Viewing the UI - -You can confirm the ingress gateways have been configured as expected by viewing the ingress-gateway service instances -in the Consul UI. - -To view the UI, use the `kubectl port-forward` command. See [Viewing The Consul UI](/consul/docs/k8s/installation/install#viewing-the-consul-ui) -for full instructions. - -Once you've port-forwarded to the UI, navigate to the Ingress Gateway instances: [http://localhost:8500/ui/dc1/services/ingress-gateway/instances](http://localhost:8500/ui/dc1/services/ingress-gateway/instances) - -If TLS is enabled, use [https://localhost:8501/ui/dc1/services/ingress-gateway/instances](https://localhost:8501/ui/dc1/services/ingress-gateway/instances). - -## Defining an Intention - -If ACLs are enabled (via the `global.acls.manageSystemACLs` setting), you must define an [intention](/consul/docs/connect/intentions) -to allow the ingress gateway to route to the upstream services defined in the `IngressGateway` resource (in the example above the upstream service is `static-server`). - -To create an intention that allows the ingress gateway to route to the service `static-server`, create a [`ServiceIntentions`](/consul/docs/connect/config-entries/service-intentions) -resource: - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceIntentions -metadata: - name: static-server -spec: - destination: - name: static-server - sources: - - name: ingress-gateway - action: allow -``` - - - -Apply the `ServiceIntentions` resource with `kubectl apply`: - -```shell-session -$ kubectl apply --filename service-intentions.yaml -serviceintentions.consul.hashicorp.com/ingress-gateway created -``` - -For detailed instructions on how to configure zero-trust networking with intentions please refer to this [guide](/consul/tutorials/kubernetes-features/service-mesh-zero-trust-network?utm_source=docs). - -## Deploying your application to Kubernetes - -Now you will deploy a sample application which echoes "hello world" - - - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: static-server -spec: - selector: - app: static-server - ports: - - protocol: TCP - port: 80 - targetPort: 8080 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: static-server ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: static-server -spec: - replicas: 1 - selector: - matchLabels: - app: static-server - template: - metadata: - name: static-server - labels: - app: static-server - annotations: - 'consul.hashicorp.com/connect-inject': 'true' - spec: - containers: - - name: static-server - image: hashicorp/http-echo:latest - args: - - -text="hello world" - - -listen=:8080 - ports: - - containerPort: 8080 - name: http - serviceAccountName: static-server -``` - - - -```shell-session -$ kubectl apply --filename static-server.yaml -``` - -## Connecting to your application - -You can validate the service is running and registered in the Consul UI by navigating to -[http://localhost:8500/ui/dc1/services/static-server/instances](http://localhost:8500/ui/dc1/services/static-server/instances) - -If TLS is enabled, use: [https://localhost:8501/ui/dc1/services/static-server/instances](https://localhost:8501/ui/dc1/services/static-server/instances) - -You can also validate the connectivity of the application from the ingress gateway using `curl`: - -```shell-session -$ EXTERNAL_IP=$(kubectl get services --selector component=ingress-gateway --output jsonpath="{range .items[*]}{@.status.loadBalancer.ingress[*].ip}{end}") -$ echo "Connecting to \"$EXTERNAL_IP\"" -$ curl --header "Host: static-server.ingress.consul" "http://$EXTERNAL_IP:8080" -"hello world" -``` - -~> **Security Warning:** Please be sure to delete the application and services created here as they represent a security risk through -leaving an open and unauthenticated load balancer alive in your cluster. - -To delete the ingress gateway, set enabled to `false` in your Helm configuration: - - - -```yaml -global: - name: consul -connectInject: - enabled: true -ingressGateways: - enabled: false # Set to false - gateways: - - name: ingress-gateway - service: - type: LoadBalancer -``` - - - -And run Helm upgrade: - -```shell-session -$ helm upgrade consul hashicorp/consul --values values.yaml -``` diff --git a/website/content/docs/k8s/crds/index.mdx b/website/content/docs/k8s/crds/index.mdx deleted file mode 100644 index 3db8edaf2f4..00000000000 --- a/website/content/docs/k8s/crds/index.mdx +++ /dev/null @@ -1,390 +0,0 @@ ---- -layout: docs -page_title: Custom Resource Definitions for Consul on Kubernetes -description: >- - Consul on Kubernetes supports Consul's configuration entry kind through Custom Resource Definitions (CRDs). Learn how to configure Helm charts to enable CRDs and use kubectl to create, manage, and delete mesh components like gateways and intentions on k8s. ---- - -# Custom Resource Definitions (CRDs) for Consul on Kubernetes - -This topic describes how to manage Consul [configuration entries](/consul/docs/agent/config-entries) -with Kubernetes Custom Resources. Configuration entries provide cluster-wide defaults for the service mesh. - -## Supported Configuration Entries - -You can specify the following values in the `kind` field. Click on a configuration entry to view its documentation: - -- [`Mesh`](/consul/docs/connect/config-entries/mesh) -- [`ExportedServices`](/consul/docs/connect/config-entries/exported-services) -- [`PeeringAcceptor`](/consul/docs/k8s/connect/cluster-peering/tech-specs#peeringacceptor) -- [`PeeringDialer`](/consul/docs/k8s/connect/cluster-peering/tech-specs#peeringdialer) -- [`ProxyDefaults`](/consul/docs/connect/config-entries/proxy-defaults) -- [`Registration`](/consul/docs/connect/config-entries/registration) -- [`SamenessGroup`](/consul/docs/connect/config-entries/sameness-group) -- [`ServiceDefaults`](/consul/docs/connect/config-entries/service-defaults) -- [`ServiceSplitter`](/consul/docs/connect/config-entries/service-splitter) -- [`ServiceRouter`](/consul/docs/connect/config-entries/service-router) -- [`ServiceResolver`](/consul/docs/connect/config-entries/service-resolver) -- [`ServiceIntentions`](/consul/docs/connect/config-entries/service-intentions) -- [`IngressGateway`](/consul/docs/connect/config-entries/ingress-gateway) -- [`TerminatingGateway`](/consul/docs/connect/config-entries/terminating-gateway) - -## Installation - -Verify that the minimum version of the helm chart (`0.28.0`) is installed: - -```shell-session -$ helm search repo hashicorp/consul -NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/consul 0.28.0 1.9.1 Official HashiCorp Consul Chart -``` - -Update your helm repository cache if necessary: - -```shell-session -$ helm repo update -Hang tight while we grab the latest from your chart repositories... -...Successfully got an update from the "hashicorp" chart repository -Update Complete. ⎈Happy Helming!⎈ -``` - -Refer to [Install with Helm Chart](/consul/docs/k8s/installation/install) for further installation -instructions. - -**Note**: Configuration entries require `connectInject` to be enabled, which is a default behavior in the official Helm Chart. If you disabled this setting, you must re-enable it to use CRDs. - -## Upgrading An Existing Cluster to CRDs - -If you have an existing Consul cluster running on Kubernetes you may need to perform -extra steps to migrate to CRDs. Refer to [Upgrade An Existing Cluster to CRDs](/consul/docs/k8s/crds/upgrade-to-crds) for full instructions. - -## Usage - -Once installed, you can use `kubectl` to create and manage Consul's configuration entries. - -### Create - -You can create configuration entries with `kubectl apply`. - -```shell-session -$ cat < protocol: tcp -servicedefaults.consul.hashicorp.com/foo edited -``` - -You can then use `kubectl get` to ensure the change was synced to Consul: - -```shell-session -$ kubectl get servicedefaults foo -NAME SYNCED -foo True -``` - -### Delete - -You can use `kubectl delete [kind] [name]` to delete the configuration entry: - -```shell-session -$ kubectl delete servicedefaults foo -servicedefaults.consul.hashicorp.com "foo" deleted -``` - -You can then use `kubectl get` to ensure the configuration entry was deleted: - -```shell-session -$ kubectl get servicedefaults foo -Error from server (NotFound): servicedefaults.consul.hashicorp.com "foo" not found -``` - -#### Delete Hanging - -If running `kubectl delete` hangs without exiting, there may be -a dependent configuration entry registered with Consul that prevents the target configuration entry from being -deleted. For example, if you set the protocol of your service to `http` in `ServiceDefaults` and then -create a `ServiceSplitter`, you will not be able to delete `ServiceDefaults`. - -This is because by deleting the `ServiceDefaults` config, you are setting the -protocol back to the default which is `tcp`. Because `ServiceSplitter` requires -that the service has an `http` protocol, Consul will not allow the `ServiceDefaults` -to be deleted since that would put Consul into a broken state. - -In order to delete the `ServiceDefaults` config, you would need to first delete -the `ServiceSplitter`. - -## Kubernetes Namespaces - -### Consul CE ((#consul_oss)) - -Consul Community Edition (Consul CE) ignores Kubernetes namespaces and registers all services into the same -global Consul registry based on their names. For example, service `web` in Kubernetes namespace -`web-ns` and service `admin` in Kubernetes namespace `admin-ns` are registered into -Consul as `web` and `admin` with the Kubernetes source namespace ignored. - -When creating custom resources to configure these services, the namespace of the -custom resource is also ignored. For example, you can create a `ServiceDefaults` -custom resource for service `web` in the Kubernetes namespace `admin-ns` even though -the `web` service is actually running in the `web-ns` namespace (although this is not recommended): - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceDefaults -metadata: - name: web - namespace: admin-ns -spec: - protocol: http ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: web - namespace: web-ns -spec: ... -``` - -~> **Note:** If you create two custom resources with identical `kind` and `name` values in different Kubernetes namespaces, the last one you create is not able to sync. - -#### ServiceIntentions Special Case - -`ServiceIntentions` are different from the other custom resources because the -name of the resource doesn't matter. For other resources, the name of the resource -determines which service it configures. For example, this resource configures -the service `web`: - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceDefaults -metadata: - name: web -spec: - protocol: http -``` - - - -For `ServiceIntentions`, because we need to support the ability to create -wildcard intentions (e.g. `foo => * (allow)` meaning that `foo` can talk to **any** service), -and because `*` is not a valid Kubernetes resource name, we instead use the field `spec.destination.name` -to configure the destination service for the intention: - - - -```yaml -# foo => * (allow) -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceIntentions -metadata: - name: name-does-not-matter -spec: - destination: - name: '*' - sources: - - name: foo - action: allow ---- -# foo => web (allow) -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceIntentions -metadata: - name: name-does-not-matter -spec: - destination: - name: web - sources: - - name: foo - action: allow -``` - - - -~> **Note:** If two `ServiceIntentions` resources set the same `spec.destination.name`, the -last one created is not synced. - -### Consul Enterprise - -Consul Enterprise supports multiple configurations for how Kubernetes namespaces are mapped -to Consul namespaces. The Consul namespace that the custom resource is registered -into depends on the configuration being used but in general, you should create your -custom resources in the same Kubernetes namespace as the service they configure. - -The details on each configuration are: - -1. **Mirroring** - The Kubernetes namespace is mirrored into Consul. For example, the - service `web` in Kubernetes namespace `web-ns` is registered as service `web` - in the Consul namespace `web-ns`. In the same vein, a `ServiceDefaults` custom resource with - name `web` in Kubernetes namespace `web-ns` configures that same service. - - This is configured with [`connectInject.consulNamespaces`](/consul/docs/k8s/helm#v-connectinject-consulnamespaces): - - - - ```yaml - global: - name: consul - enableConsulNamespaces: true - image: hashicorp/consul-enterprise:-ent - connectInject: - consulNamespaces: - mirroringK8S: true - ``` - - - -1. **Mirroring with prefix** - The Kubernetes namespace is mirrored into Consul - with a prefix added to the Consul namespace. For example, if the prefix is `k8s-` then service `web` in Kubernetes namespace `web-ns` will be registered as service `web` - in the Consul namespace `k8s-web-ns`. In the same vein, a `ServiceDefaults` custom resource with - name `web` in Kubernetes namespace `web-ns` configures that same service. - - This is configured with [`connectInject.consulNamespaces`](/consul/docs/k8s/helm#v-connectinject-consulnamespaces): - - - - ```yaml - global: - name: consul - enableConsulNamespaces: true - image: hashicorp/consul-enterprise:-ent - connectInject: - consulNamespaces: - mirroringK8S: true - mirroringK8SPrefix: k8s- - ``` - - - -1. **Single destination namespace** - The Kubernetes namespace is ignored and all services - are registered into the same Consul namespace. For example, if the destination Consul - namespace is `my-ns` then service `web` in Kubernetes namespace `web-ns` is registered as service `web` in Consul namespace `my-ns`. - - In this configuration, the Kubernetes namespace of the custom resource is ignored. - For example, a `ServiceDefaults` custom resource with the name `web` in Kubernetes - namespace `admin-ns` configures the service with name `web` even though that - service is running in Kubernetes namespace `web-ns` because the `ServiceDefaults` - resource ends up registered into the same Consul namespace `my-ns`. - - This is configured with [`connectInject.consulNamespaces`](/consul/docs/k8s/helm#v-connectinject-consulnamespaces): - - - - ```yaml - global: - name: consul - enableConsulNamespaces: true - image: hashicorp/consul-enterprise:-ent - connectInject: - consulNamespaces: - consulDestinationNamespace: 'my-ns' - ``` - - - - ~> **Note:** In this configuration, if two custom resources are created in two Kubernetes namespaces with identical `name` and `kind` values, the last one created is not synced. - -#### ServiceIntentions Special Case (Enterprise) - -`ServiceIntentions` are different from the other custom resources because the -name of the resource does not matter. For other resources, the name of the resource -determines which service it configures. For example, this resource configures -the service `web`: - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceDefaults -metadata: - name: web -spec: - protocol: http -``` - - - -For `ServiceIntentions`, because we need to support the ability to create -wildcard intentions (e.g. `foo => * (allow)` meaning that `foo` can talk to any service), -and because `*` is not a valid Kubernetes resource name, we instead use the field `spec.destination.name` -to configure the destination service for the intention: - - - -```yaml -# foo => * (allow) -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceIntentions -metadata: - name: name-does-not-matter -spec: - destination: - name: '*' - sources: - - name: foo - action: allow ---- -# foo => web (allow) -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceIntentions -metadata: - name: name-does-not-matter -spec: - destination: - name: web - sources: - - name: foo - action: allow -``` - - - -In addition, we support the field `spec.destination.namespace` to configure -the destination service's Consul namespace. If `spec.destination.namespace` -is empty, then the Consul namespace used is the same as the other -config entries as outlined above. diff --git a/website/content/docs/k8s/deployment-configurations/argo-rollouts-configuration.mdx b/website/content/docs/k8s/deployment-configurations/argo-rollouts-configuration.mdx deleted file mode 100644 index 5bd2a1e44d7..00000000000 --- a/website/content/docs/k8s/deployment-configurations/argo-rollouts-configuration.mdx +++ /dev/null @@ -1,262 +0,0 @@ ---- -layout: docs -page_title: Argo Rollouts Progressive Delivery with Consul on Kubernetes -description: >- - Configure the Argo Rollouts Controller to enable Canary deployments for subset-based routing. Learn how k8s Rollouts integrate with Consul's service mesh. ---- - -# Argo Rollouts Progressive Delivery with Consul on Kubernetes - -This page describes the process to configure and use the [Argo Rollouts Controller](https://argo-rollouts.readthedocs.io/en/stable/) with Consul on Kubernetes to manage advanced subset-based routing for Canary deployments. - -Consul's support for Argo Rollouts is currently limited to subset-based routing. - -## Install Argo Rollouts Controller - -There are three methods for installing the Argo Rollouts Controller with Consul on Kubernetes: - -1. [Install Rollouts Using Helm and init containers](#install-rollouts-using-helm-and-binary). We recommend installing the Argo Rollouts Controllor using this method. -1. [Install Rollouts Using Helm and binary](#install-rollouts-using-helm-and-binary) -1. [Standalone installation](#stand-alone-installation) - -After installing the controller, you must [apply the RBAC CRD](https://raw.githubusercontent.com/argoproj-labs/rollouts-plugin-trafficrouter-consul/main/yaml/rbac.yaml) to your Kubernetes cluster. - -### Install Rollouts Using Helm and init containers - -We recommend using this method to install this plugin. - -Add the following code to your `values.yaml` file to configure the plugin: - -```yaml -controller: - initContainers: - - name: copy-consul-plugin - image: hashicorp/rollouts-plugin-trafficrouter-consul - command: ["/bin/sh", "-c"] - args: - # Copy the binary from the image to the rollout container - - cp /bin/rollouts-plugin-trafficrouter-consul /plugin-bin/hashicorp - volumeMounts: - - name: consul-plugin - mountPath: /plugin-bin/hashicorp - trafficRouterPlugins: - trafficRouterPlugins: |- - - name: "hashicorp/consul" - location: "file:///plugin-bin/hashicorp/rollouts-plugin-trafficrouter-consul" - volumes: - - name: consul-plugin - emptyDir: {} - volumeMounts: - - name: consul-plugin - mountPath: /plugin-bin/hashicorp -``` - -Then install the `argo-rollouts` and apply your updated values using Helm: - -```shell-session -$ helm install argo-rollouts argo/argo-rollouts -f values.yaml -n argo-rollouts -``` - -### Install Rollouts Using Helm and binary - -To build the binary and install Rollouts, complete the following steps: - -1. Build this plugin using your preferred tool. For example, `make build`. -1. Mount the built plugin onto the `argo-rollouts` container. -1. Add the following code to your `values.yaml` file to configure the plugin: - -```yaml -controller: - trafficRouterPlugins: - trafficRouterPlugins: |- - - name: "argoproj-labs/consul" - location: "file:///plugin-bin/hashicorp/rollouts-plugin-trafficrouter-consul" - volumes: - - name: consul-route-plugin - hostPath: - # The path being mounted to, change this depending on your mount path - path: /rollouts-plugin-trafficrouter-consul - type: DirectoryOrCreate - volumeMounts: - - name: consul-route-plugin - mountPath: /plugin-bin/hashicorp -``` - -Then install the `argo-rollouts` and apply your updated values using Helm: - -```shell-session - $ helm install argo-rollouts argo/argo-rollouts -f values.yaml -n argo-rollouts -``` - -### Stand-alone installation - -This section describes the process to create a stand-alone installation. These instructions are for illustrative purposes. We recommend using init containers to create and install this plugin. - -To create a stand-alone installation of the Rollouts plugin, complete the following steps: - -1. Build this plugin. -1. Put the plugin on the path and mount it to the `argo-rollouts`container. -1. Create a `ConfigMap` to configure `argo-rollouts` with the plugin's location. - -The following example schedules a Deployment and mounts it to the `argo-rollouts` container: - -```yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argo-rollouts - namespace: argo-rollouts -spec: - selector: - matchLabels: - app.kubernetes.io/name: argo-rollouts - template: - spec: - # ... - volumes: - # ... - - name: consul-plugin - hostPath: - path: /plugin-bin/hashicorp/rollouts-plugin-trafficrouter-consul - type: DirectoryOrCreate - containers: - - name: argo-rollouts - # ... - volumeMounts: - - name: consul-route-plugin - mountPath: /plugin-bin/hashicorp - -``` - -The following example creates the `ConfigMap` with the location of the plugin: - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argo-rollouts-config - namespace: argo-rollouts -data: - trafficRouterPlugins: |- - - name: "argoproj-labs/consul" - location: "file:///plugin-bin/hashicorp/rollouts-plugin-trafficrouter-consul" -binaryData: {} -``` - -### Install the RBAC - -After either mounting the binary or using an init container, configure an RBAC using [Argo Rollout Consul plugin `rbac.yaml`](https://raw.githubusercontent.com/argoproj-labs/rollouts-plugin-trafficrouter-consul/main/yaml/rbac.yaml): - -```shell-session -$ kubectl apply -f https://raw.githubusercontent.com/argoproj-labs/rollouts-plugin-trafficrouter-consul/main/yaml/rbac.yaml -``` - -## Use the Argo Rollouts Consul plugin - -Schedule the Kubernetes Service utilized by the service being rolled out. Additionally, configure any service defaults and proxy defaults required for the service. - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: test-service -spec: - selector: - app: test-service - ports: - - name: http - port: 80 - targetPort: 8080 -``` - -Next, create the service resolver and service splitter CRDs for your stable service. Argo automatically modifies these CRDs during canary deployments. - -The following example demonstrates the configuration of the service resolver CRD, which creates service subsets and sets the stable subset as the default: - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceResolver -metadata: - name: test-service -spec: - subsets: - stable: - filter: Service.Meta.version == 1 - canary: - filter: "" - defaultSubset: stable -``` - -The following example demonstrates the configuration of the service splitter CRD, which initially sends 100% of traffic to the stable deployment: - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceSplitter -metadata: - name: test-service -spec: - splits: - - weight: 100 - serviceSubset: stable - - weight: 0 - serviceSubset: canary -``` - -Then configure your Argo Rollout resource to incrementally rollout the canary deployment: - -```yaml -apiVersion: argoproj.io/v1alpha1 -kind: Rollout -metadata: - name: test-service -spec: - replicas: 3 - selector: - matchLabels: - app: test-service - template: - metadata: - labels: - app: test-service - annotations: - consul.hashicorp.com/connect-inject: "true" - consul.hashicorp.com/service-meta-version: "1" - consul.hashicorp.com/service-tags: "v1" - spec: - containers: - - name: test-service - # Using alpine vs latest as there is a build issue with M1s. Also other tests in multiport-app reference - # alpine so standardizing this. - image: docker.mirror.hashicorp.services/hashicorp/http-echo:alpine - args: - - -text="I am v1" - - -listen=:8080 - ports: - - containerPort: 8080 - name: http - serviceAccountName: test-service - terminationGracePeriodSeconds: 0 # so deletion is quick - strategy: - canary: - trafficRouting: - plugins: - hashicorp/consul: - stableSubsetName: stable # subset name of the stable service - canarySubsetName: canary # subset name of the canary service - serviceName: test-service - steps: - - setWeight: 20 - - pause: {} - - setWeight: 40 - - pause: {duration: 10} - - setWeight: 60 - - pause: {duration: 10} - - setWeight: 80 - - pause: {duration: 10} -``` - -Finally, perform the Rollout operation using the Argo Rollouts Kubectl plugin. - -```shell-session -$ kubectl argo rollouts promote test-service -``` diff --git a/website/content/docs/k8s/deployment-configurations/datadog.mdx b/website/content/docs/k8s/deployment-configurations/datadog.mdx deleted file mode 100644 index c3df799f4df..00000000000 --- a/website/content/docs/k8s/deployment-configurations/datadog.mdx +++ /dev/null @@ -1,468 +0,0 @@ ---- -layout: docs -page_title: Configure Datadog metrics collection for Consul on Kubernetes -description: >- - Consul can integrate with external platforms such as Datadog to stream metrics about its operations. Learn how to enable Consul monitoring with Datadog by configuring the `metrics.datadog` Helm value override options. ---- - -# Configure Datadog metrics collection for Consul on Kubernetes - -This page describes the processes for integrating Datadog metrics collection in your Consul on Kubernetes deployment. The Helm chart includes automated configuration options to simplify the integration process. - -## Datadog Metrics Integration Methods - -- [DogstatsD](#dogstatsd) -- [Datadog Checks: Official Consul Integration](#datadog-checks-official-consul-integration) -- [Openmetrics Prometheus](#openmetrics-prometheus) - -Users should choose **_one_** integration method from the three described below that best suites the intent for metrics collection. **[DogStatsD](https://docs.datadoghq.com/developers/dogstatsd/?tab=kubernetes)**, **[Consul Integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized)**, and **[Openmetrics Prometheus](https://docs.datadoghq.com/containers/kubernetes/prometheus/?tab=kubernetesadv2)** methods of integration are **_mutually exclusive_**. - -**Reasoning:** _The consul-k8s helm chart automated configuration implements Datadog's [Consul Integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized) method using the [`use_prometheus_endpoint`](https://github.com/DataDog/integrations-core/blob/07c04c5e9465ba1f3e0198830896d05923e81283/consul/datadog_checks/consul/data/conf.yaml.example#L59) configuration parameter. **DogstatsD**, **Consul Integration**, and **Openmetrics Prometheus** Metrics **by design** share the same [metric name](https://docs.datadoghq.com/integrations/consul/?tab=host#data-collected) syntax for collection, and would therefore cause a conflict. The [consul.py](https://github.com/DataDog/integrations-core/blob/07c04c5e9465ba1f3e0198830896d05923e81283/consul/datadog_checks/consul/consul.py#L55-L61) integration source code, as well as the [consul-k8s helm chart](https://github.com/hashicorp/consul-k8s/blob/4cac70496788f50354f96e9331003fcf338f419c/charts/consul/templates/_helpers.tpl#L595-L598) prohibit the enablement of more that one integration at a time._ - - -## DogstatsD - -This method of implementation leverages the [hashicorp/go-metrics DogstatsD client library](https://github.com/hashicorp/go-metrics/tree/master/datadog) to manage metrics collection. -Metrics are aggregated and sent via UDP or UDS transports to a Datadog Agent that runs on the same Kube Node as the Consul servers. - -Enabling this method of metrics collection allows Consul to control the delivery of metrics traffic directly to a Datadog agent rather -than a Datadog agent attempting to reach Consul and scrape the `/v1/agent/metrics` API endpoint. - -This is accomplished by updating each server agent's configuration telemetry stanza. - -### Helm Chart Configuration - - - - - Consul Helm Chart Overrides - - ```yaml - metrics: - enabled: true - enableAgentMetrics: true - datadog: - enabled: true - namespace: "datadog" - dogstatsd: - enabled: true - socketTransportType: "UDS" - dogstatsdAddr: "/var/run/datadog/dsd.socket" - ``` - - Resulting server agent telemetry configuration - - ```json - { - "telemetry": { - "dogstatsd_addr": "unix:///var/run/datadog/dsd.socket" - } - } - ``` - - - - - - Consul Helm Chart Overrides - - ```yaml - metrics: - enabled: true - enableAgentMetrics: true - datadog: - enabled: true - namespace: "datadog" - dogstatsd: - enabled: true - socketTransportType: "UDP" - # Set `dogstatsdPort` to `0` (default) to omit port number append to address. - dogstatsdPort: 0 - dogstatsdAddr: "datadog-agent.datadog.svc.cluster.local" - ``` - - Resulting server agent telemetry configuration - - ```json - { - "telemetry": { - "dogstatsd_addr": "datadog-agent.datadog.svc.cluster.local" - } - } - ``` - - - - - - Consul Helm Chart Overrides - - ```yaml - metrics: - enabled: true - enableAgentMetrics: true - datadog: - enabled: true - namespace: "datadog" - dogstatsd: - enabled: true - socketTransportType: "UDP" - dogstatsdPort: 8125 - dogstatsdAddr: "172.20.180.10" - ``` - - Resulting server agent telemetry configuration - - ```json - { - "telemetry": { - "dogstatsd_addr": "172.20.180.10:8125", - } - } - ``` - - - - -### UDS/UDP Advantages and Disadvantages - -This integration method accomplishes metrics collection by leveraging either [Unix Domain Sockets](https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=kubernetes) (**UDS**) or [User Datagram Protocol](https://docs.datadoghq.com/developers/dogstatsd/?tab=kubernetes#agent) (**UDP**) transport. -Practitioners who manage their Kubernetes infrastructure and/or service-mesh should take into account the implications outlined in the tables below. - -#### UDS - -**Packet Transport**: Unix Domain Socket File - -| Advantages | Disadvantages | -|-------------------------------------------------------|------------------------------------------------------------------------------------------------------| -| No IP or DNS resolution requirement for Datadog Agent | Requires [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) Volume attachment | -| Improved network performance | Datadog Agent must run on every host you send metrics from | -| Higher throughput capacity | | -| Packet error handling | | -| Automatic container ID tagging | | - -#### UDP - -**Packet Transport**: - * Kubernetes Service `IP:Port` - * Container Host Port - -| Advantages | Disadvantages | -|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------| -| Does **not** require [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) Volume attachment | **No** packet error handling | -| (**_KubeDNS_**) Does **not** require Hostport exposure if accessible from cluster | (**_Hostport_**) Requires a networking provider that adheres to the CNI specification, such as Calico, Canal, or Flannel. | -| Similar `IP:Port` configuration as Virtual Machine hosts | (**_Hostport_**) Requires port to be exposed on host using `hostNetwork` | -| | (**_Hostport_**) Requires firewall access controls to permit access | -| | (**_Hostport_**) Network Namespace sharing is required | - - -#### Verifying DogstatsD Metric Collection - -To confirm you're Datadog agent is receiving traffic, the `status` subcommand can be ran from the Datadog Agent expecting to receive DogstatsD traffic from Consul. - -There should be an increase in either UDP or UDS traffic packet counts from the resultant output after the configuration has been properly established. - - - | Transport | Command | Pod | Container | - |:---------------|----------------------------------------------------------------------------|---------------|-----------| - | `UDP`\|\|`UDS` | `agent status` | datadog-agent | agent | - - - - - - ```shell - # Example: UDP Packet and Metric Packet Traffic Increase - ========= - DogStatsD - ========= - Event Packets: 0 - Event Parse Errors: 0 - Metric Packets: 5,908 - Metric Parse Errors: 0 - Service Check Packets: 0 - Service Check Parse Errors: 0 - Udp Bytes: 636,872 - Udp Packet Reading Errors: 0 - Udp Packets: 3,300 - Uds Bytes: 0 - Uds Origin Detection Errors: 0 - Uds Packet Reading Errors: 0 - Uds Packets: 0 - Unterminated Metric Errors: 0 - ``` - - - - ```shell - # Example: UDS Packet and Metric Packet Traffic Increase - ========= - DogStatsD - ========= - Event Packets: 0 - Event Parse Errors: 0 - Metric Packets: 30,523 - Metric Parse Errors: 0 - Service Check Packets: 0 - Service Check Parse Errors: 0 - Udp Bytes: 124,635 - Udp Packet Reading Errors: 0 - Udp Packets: 731 - Uds Bytes: 2,957,433 - Uds Origin Detection Errors: 0 - Uds Packet Reading Errors: 0 - Uds Packets: 11,563 - Unterminated Metric Errors: 0 - ``` - - - - -Traffic verification can also be accomplished using the `netstat` command line utility from a consul-server expected to be submitting -metrics data to Datadog. - - - Using netstat requires privileged container permissions to install open-bsd networking tools on the consul-server for testing. - - -| Transport | Command | Pod | Container | -|:-----------------|-----------|---------------|-----------| -| `UDP` \|\| `UDS` | `netstat` | consul-server | consul | - - - - - ```shell - $ netstat -nup | grep "172.28.13.12:8125.*ESTABLISHED - udp 0 0 127.0.0.1:53874 127.0.0.1:8125 ESTABLISHED 23176/consul - ``` - - - - - - ```shell - $ netstat -x - Active UNIX domain sockets (w/o servers) - Proto RefCnt Flags Type State I-Node Path - unix 2 [ ] DGRAM CONNECTED 15952473 - unix 2 [ ] DGRAM 15652537 @9d10c - ``` - - - - - -UDS provides the additional capability for verification by sending a test metrics packet to the Unix Socket configured. - - - Using netcat (nc) requires privileged container permissions to install open-bsd networking tools on the consul-server for testing. - - -| Transport | Command | Pod | Container | -|:----------|---------|---------------|-----------| -| `UDS` | `nc` | consul-server | consul | - - - - ```shell - $ echo -n "custom.metric.name:1|c" | nc -U -u -w1 /var/run/datadog/dsd.socket - Bound on /tmp/nc-IjJkoG/recv.sock - ``` - - - -#### Use Case - -DogstatsD integration provides full-scope metrics collection from Consul, and minimizes access control configuration requirements as traffic -flow is outbound (toward the Datadog Agent) as opposed to inbound (toward the `/v1/agent/metrics/` API endpoint). - - -#### Metrics Data Collected - - - Full list of metrics sent via DogstatsD consists of those listed in the [Agent Telemetry](https://developer.hashicorp.com/consul/docs/agent/telemetry) documentation. - - -## Datadog Checks: Official Consul Integration - -The Datadog Agent package includes official third-party integrations for built-in availability upon agent deployment. - -The Consul Integration Datadog checks provided some additional metric verification checks that leverage Consul's built-in feature-set, and help monitor Consul -during normal operation beyond that of Consul's available metrics. - -See the below [table](#additional-integration-checks-performed) for an outline of the features added by the official integration. - - - Currently, the annotations configured by the Helm overrides with Consul RPC TLS enabled - assume server and ca certificate secrets are shared with the Datadog agent release namespace and mount the valid tls.crt, tls.key, - and ca.crt secret volumes at the /etc/datadog-agent/conf.d/consul.d/certs path on the Datadog Agent, agent container. - - -### Helm Chart Configuration - - - - - Consul Helm Chart Overrides - - ```yaml - global: - tls: - enabled: true - enableAutoEncrypt: true - acls: - manageSystemACLs: true - metrics: - enabled: true - enableAgentMetrics: true - datadog: - enabled: true - namespace: "datadog" - ``` - - - Consul `server-statefulset.yaml` annotations - - ```yaml - "ad.datadoghq.com/consul.checks": | - { - "consul": { - "init_config": {}, - "instances": [ - { - "url": "https://consul-server.consul.svc:8501", - "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", - "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", - "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", - "use_prometheus_endpoint": true, - "acl_token": "ENC[k8s_secret@consul/consul-datadog-agent-metrics-acl-token/token]", - "new_leader_checks": true, - "network_latency_checks": true, - "catalog_checks": true, - "auth_type": "basic" - } - ] - } - } - ``` - - - - -### Additional Integration Checks Performed - -| Consul Component | Description | API Endpoint(s) | -|------------------|-----------------------------------------------------|----------------------------------------------------------------------| -| Agent | Agent Metadata (i.e., version) | `/v1/agent/self` | -| Metrics | Prometheus formatted metrics | `/v1/agent/metrics` | -| Serf | Events and Membership Flaps | `/v1/health/service/consul` `/v1/agent/self` | -| Raft | Monitors Raft peer information and leader elections | `/v1/status/leader` `/v1/status/peers` | -| Catalog Services | Service Health Status and Node Count | `/v1/catalog/services` `/v1/health/state/any` | -| Catalog Nodes | Node Service Count and Health Status | `/v1/health/state/any` `/v1/health/service/` | -| Consul Latency | Consul LAN + WAN Coordinate Latency Calculations | `/v1/agent/self` `/v1/coordinate/nodes` `/v1/coordinate/datacenters` | - -#### Use Case - -This integration is primarily for basic Consul monitoring with focus on the service discovery. - -#### Metrics Data Collected - -The list of Consul's Prometheus metrics scraped and mapped by this method are listed in the latest [metrics.py](https://github.com/DataDog/integrations-core/blob/master/consul/datadog_checks/consul/metrics.py) of the integration source code. - -To understand how Consul Latency metrics are calculated, review the [Consul Network Coordinates](https://developer.hashicorp.com/consul/docs/architecture/coordinates) documentation. - -Review the [Datadog Documentation](https://docs.datadoghq.com/integrations/consul/?tab=containerized#data-collected) for the full description of Metrics data collected. - -## Openmetrics Prometheus - -For Datadog agents at or above v6.5.0, OpenMetrics and Prometheus checks are available to scrape Kubernetes application Prometheus endpoints. - -This method implements the collection via Openmetrics as that is fully supported for Prometheus text format and is accomplished using pod annotations as demonstrated below. - - - Enabling OpenMetrics collection via Datadog by design removes the prometheus.io/path and prometheus.io/port annotations from the consul-server statefulset deployment to allow Datadog - to scrape the agent's metrics API endpoint using either RPC TLS and Consul ACLs as necessary. - - - - Currently, the annotations configured by the Helm overrides with Consul RPC TLS enabled - assume server and ca certificate secrets are shared with the Datadog agent release namespace and mount the valid tls.crt, tls.key, - and ca.crt secret volumes at the /etc/datadog-agent/conf.d/consul.d/certs path on the Datadog Agent, agent container. - - -### Helm Chart Configuration - - - - - Consul Helm Chart Overrides - - ```yaml - global: - tls: - enabled: true - enableAutoEncrypt: true - acls: - manageSystemACLs: true - metrics: - enabled: true - enableAgentMetrics: true - datadog: - enabled: true - namespace: "datadog" - openMetricsPrometheus: - enabled: true - ``` - - Consul `server-statefulset.yaml` annotations - - ```yaml - ad.datadoghq.com/consul.checks: | - { - "openmetrics": { - "init_config": {}, - "instances": [ - { - "openmetrics_endpoint": "https://consul-server.consul.svc:8501/v1/agent/metrics?format=prometheus", - "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", - "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", - "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", - "headers": { - "X-Consul-Token": "ENC[k8s_secret@consul/consul-datadog-agent-metrics-acl-token/token]" - }, - "namespace": "consul", - "metrics": [ ".*" ] - } - ] - } - } - ``` - - - - -#### Use Case - -This method of integration is useful for Prometheus-enabled scrapes with further customization of the collected data. - -By default, all metrics pulled using this method scrape Consul metrics using the `/v1/agent/metrics?format=prometheus` API query, and are considered to be custom metrics. - -Use of this method maps to Datadog as described in [Mapping Prometheus Metrics to Datadog Metrics](https://docs.datadoghq.com/integrations/guide/prometheus-metrics/?tab=latestversion). The following table summarizing how these metrics map to each other. - -| OpenMetrics metric type | Datadog metric type | -|:------------------------|:-----------------------------------| -| `Gauge` | `gauge` | -| `Counter` | `count` | -| Histogram: `_count ` | `count.count` | -| Histogram: `_sum` | `count.sum` | -| Histogram: `_bucket` | `count.bucket` \|\| `distribution` | -| Summary: `_count` | `count.count` | -| Summary: `_sum` | `count.sum` | -| Summary: `sample` | `gauge.quantile` | - - -#### Metrics Data Collected - -The integration, by default, uses a wildcard (`".*"`) to collect **_all_** metrics emitted from the `/v1/agent/metrics` endpoint. - -Please refer to the [Agent Telemetry](https://developer.hashicorp.com/consul/docs/agent/telemetry) documentation for a full list and description of the metrics data collected. diff --git a/website/content/docs/k8s/deployment-configurations/external-service.mdx b/website/content/docs/k8s/deployment-configurations/external-service.mdx deleted file mode 100644 index 711f0164085..00000000000 --- a/website/content/docs/k8s/deployment-configurations/external-service.mdx +++ /dev/null @@ -1,38 +0,0 @@ ---- -layout: docs -page_title: Register services running on external nodes to Consul on Kubernetes -description: >- - Learn how to register a service running on an external node to the Consul catalog when running Consul on Kubernetes. ---- - -# Register services running on external nodes to Consul on Kubernetes - -This page provides an overview for registering services in the Consul catalog when the service runs on a node that is not part of the Kubernetes cluster. - -## Introduction - -Because Kubernetes has built-in service discovery capabilities, Consul on Kubernetes includes components such as [Consul dataplanes](/consul/docs/connect/dataplane) and [service sync](/consul/docs/k8s/service-sync) so that operators can continue to use Kubernetes tools and processes. However, this approach to service networking still requires a service to run on a node that Consul is aware of, either through a local Consul client agent or the Kubernetes cluster. We call services that run on external nodes that Consul cannot automatically recognize _external services_. - -Previously, the only way to register an external service when running Consul on Kubernetes was using Consul's HTTP API. This approach requires additional ACLs and direct access to Consul's HTTP API endpoint. Consul now supports registering external services and their associated health checks in the Consul catalog using a [`Registration` custom resource definition (CRD)](/consul/docs/connect/config-entries/registration) that follows the format of [Consul's service definitions](/consul/docs/services/configuration/services-configuration-reference). - -## Workflows - -The process to register an external service in Consul on Kubernetes consists of the following steps: - -1. [Start Consul ESM](/consul/tutorials/connect-services/service-registration-external-services#monitor-the-external-service-with-consul-esm). You must use Consul ESM to run health checks on external services. -1. Define the external service and its health checks in a [`Registration` CRD](/consul/docs/connect/config-entries/registration). -1. Apply the CRD to your Kubernetes cluster. Internally, this action triggers an API call to Consul's [`/catalog/register` endpoint](/consul/api-docs/catalog#register-entity) to register the service. -1. When using Consul's service mesh, you should also: - - Deploy a [terminating gateway](/consul/docs/k8s/connect/terminating-gateways) so that downstream services can communicate with the external service. - - Define [service intentions](/consul/docs/connect/intentions) for the external service and the downstream services that communicate with it. - -## Guidance - -The following resources are available to help you register external services to Consul on Kubernetes. - -### Reference - -- [`Registration` custom resource definition (CRD) configuration reference](/consul/docs/connect/config-entries/registration) -- [`/catalog/register` HTTP API endpoint reference](/consul/api-docs/catalog#register-entity) -- [Service configuration reference](/consul/docs/services/configuration/services-configuration-reference) -- [Health check configuration reference](/consul/docs/services/configuration/checks-configuration-reference) \ No newline at end of file diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx deleted file mode 100644 index 819d0e4a975..00000000000 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx +++ /dev/null @@ -1,141 +0,0 @@ ---- -layout: docs -page_title: Vault as the Secrets Backend Data Integration Overview -description: >- - Overview of the data integration aspects to using Vault as the secrets backend for Consul on Kubernetes. ---- - -# Vault as the Secrets Backend - Data Integration - -This topic describes how to configure Vault and Consul in order to share secrets for use within Consul. - -## Prerequisites - -Before you set up the data integration between Vault and Consul on Kubernetes, read and complete the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). - -## General integration steps - -For each secret you want to store in Vault, you must complete two multi-step procedures. - -Complete the following steps once: - 1. Store the secret in Vault. - 1. Create a Vault policy that authorizes the desired level of access to the secret. - -Repeat the following steps for each datacenter in the cluster: - 1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access. - 1. Update the Consul on Kubernetes Helm chart. - -## Secrets-to-service account mapping - -At the most basic level, the goal of this configuration is to authorize a Consul on Kubernetes service account to access a secret in Vault. - -The following table associates Vault secrets and the Consul on Kubernetes service accounts that require access. -(NOTE: `Consul components` refers to all other services and jobs that are not Consul servers or clients. -It includes things like terminating gateways, ingress gateways, etc.) - -### Primary datacenter - -| Secret | Service Account For | Configurable Role in Consul k8s Helm | -| ------ | ------------------- | ------------------------------------ | -|[ACL Bootstrap token](/consul/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| -|[ACL Partition token](/consul/docs/k8s/deployment-configurations/vault/data-integration/partition-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| -|[ACL Replication token](/consul/docs/k8s/deployment-configurations/vault/data-integration/replication-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| -|[Enterprise license](/consul/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| -|[Gossip encryption key](/consul/docs/k8s/deployment-configurations/vault/data-integration/gossip) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| -|[Snapshot Agent config](/consul/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| -|[Server TLS credentials](/consul/docs/k8s/deployment-configurations/vault/data-integration/server-tls) | Consul servers
Consul clients
Consul components | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)
[`global.secretsBackend.vault.consulCARole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulcarole)| -|[Service Mesh and Consul client TLS credentials](/consul/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| -|[Webhook TLS certificates for controller and connect inject](/consul/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul controllers
Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)
[`global.secretsBackend.vault.connectInjectRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)| - -### Secondary datacenters - -The mapping for secondary data centers is similar with the following differences: - -- There is no use of bootstrap token because ACLs would have been bootstrapped in the primary datacenter. -- ACL Partition token is mapped to both the `server-acl-init` job and the `partition-init` job service accounts. -- ACL Replication token is mapped to both the `server-acl-init` job and Consul service accounts. - -| Secret | Service Account For | Configurable Role in Consul k8s Helm | -| ------ | ------------------- | ------------------------------------ | -|[ACL Partition token](/consul/docs/k8s/deployment-configurations/vault/data-integration/partition-token) | Consul server-acl-init job
Consul partition-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)
[`global.secretsBackend.vault.adminPartitionsRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-adminpartitionsrole)| -|[ACL Replication token](/consul/docs/k8s/deployment-configurations/vault/data-integration/replication-token) | Consul server-acl-init job
Consul servers | [`global.secretsBackend.vault.manageSystemACLsRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)
[`global.secretsBackend.vault.consulServerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| -|[Enterprise license](/consul/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| -|[Gossip encryption key](/consul/docs/k8s/deployment-configurations/vault/data-integration/gossip) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| -|[Snapshot Agent config](/consul/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| -|[Server TLS credentials](/consul/docs/k8s/deployment-configurations/vault/data-integration/server-tls) | Consul servers
Consul clients
Consul components | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)
[`global.secretsBackend.vault.consulCARole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulcarole)| -|[Service Mesh and Consul client TLS credentials](/consul/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| -|[Webhook TLS certificates for controller and connect inject](/consul/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul controllers
Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)
[`global.secretsBackend.vault.connectInjectRole`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)| - -### Combining policies within roles - -Depending upon your needs, a Consul on Kubernetes service account may need to request more than one secret. To request multiple secrets, create one role for the Consul on Kubernetes service account that is mapped to multiple policies associated with the required secrets. - -For example, if your Consul on Kubernetes servers need access to [Consul Server TLS credentials](/consul/docs/k8s/deployment-configurations/vault/data-integration/server-tls) and an [Enterprise license](/consul/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license): - -1. Create a policy for each secret. - - 1. Consul Server TLS credentials - - - - ```HCL - path "pki/cert/ca" { - capabilities = ["read"] - } - ``` - - - - ```shell-session - $ vault policy write ca-policy ca-policy.hcl - ``` - - 1. Enterprise License - - - Vault API calls to version 2 of the Key-Value secrets engine require the `data` field in the path configuration. In the following example, the key-value data in `consul-kv/secret/enterpriselicense` becomes accessible for Vault API calls on the `consul-kv/data/secret/enterpriselicense` path. - - - - - ```HCL - path "consul-kv/data/secret/enterpriselicense" { - capabilities = ["read"] - } - ``` - - - - ```shell-session - $ vault policy write license-policy license-policy.hcl - ``` - -1. Create one role that maps the Consul on Kubernetes service account to the 3 policies. - ```shell-session - $ vault write auth/kubernetes/role/consul-server \ - bound_service_account_names= \ - bound_service_account_namespaces= \ - policies=ca-policy,license-policy \ - ttl=1h - ``` - -## Detailed data integration guides - -The following secrets can be stored in Vault KV secrets engine, which is meant to handle arbitrary secrets: - -- [ACL Bootstrap token](/consul/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token) -- [ACL Partition token](/consul/docs/k8s/deployment-configurations/vault/data-integration/partition-token) -- [ACL Replication token](/consul/docs/k8s/deployment-configurations/vault/data-integration/replication-token) -- [Enterprise license](/consul/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license) -- [Gossip encryption key](/consul/docs/k8s/deployment-configurations/vault/data-integration/gossip) -- [Snapshot Agent config](/consul/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config) - -The following TLS certificates and keys can generated and managed by Vault the Vault PKI Engine, which is meant to handle things like certificate expiration and rotation: - -- [Server TLS credentials](/consul/docs/k8s/deployment-configurations/vault/data-integration/server-tls) -- [Service Mesh and Consul client TLS credentials](/consul/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) -- [Vault as the Webhook Certificate Provider for Consul Controller and Connect Inject on Kubernetes](/consul/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs) - -## Secrets-to-service account mapping - -Read through the [detailed data integration guides](#detailed-data-integration-guides) that are pertinent to your environment. diff --git a/website/content/docs/k8s/dns/enable.mdx b/website/content/docs/k8s/dns/enable.mdx deleted file mode 100644 index 708ca9241c2..00000000000 --- a/website/content/docs/k8s/dns/enable.mdx +++ /dev/null @@ -1,263 +0,0 @@ ---- -layout: docs -page_title: Resolve Consul DNS requests in Kubernetes -description: >- - Use a k8s ConfigMap to configure KubeDNS or CoreDNS so that you can use Consul's `.service.consul` syntax for queries and other DNS requests. In Kubernetes, this process uses either stub-domain or proxy configuration. ---- - -# Resolve Consul DNS requests in Kubernetes - -This topic describes how to configure Consul DNS in -Kubernetes using a -[stub-domain configuration](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers) -if using KubeDNS or a [proxy configuration](https://coredns.io/plugins/forward/) if using CoreDNS. - -Once configured, DNS requests in the form `.service.consul` will -resolve for services in Consul. This works from all Kubernetes namespaces. - --> **Note:** If you want requests to just `` (without the `.service.consul`) to resolve, then you'll need -to turn on [Consul to Kubernetes Service Sync](/consul/docs/k8s/service-sync#consul-to-kubernetes). - -## Consul DNS Cluster IP - -To configure KubeDNS or CoreDNS you'll first need the `ClusterIP` of the Consul -DNS service created by the [Helm chart](/consul/docs/k8s/helm). - -The default name of the Consul DNS service will be `consul-dns`. Use -that name to get the `ClusterIP`: - -```shell-session -$ kubectl get svc consul-dns --output jsonpath='{.spec.clusterIP}' -10.35.240.78% -``` - -For this installation the `ClusterIP` is `10.35.240.78`. - --> **Note:** If you've installed Consul using a different helm release name than `consul` -then the DNS service name will be `-consul-dns`. - -## KubeDNS - -If using KubeDNS, you need to create a `ConfigMap` that tells KubeDNS -to use the Consul DNS service to resolve all domains ending with `.consul`: - -Export the Consul DNS IP as an environment variable: - -```bash -export CONSUL_DNS_IP=10.35.240.78 -``` - -And create the `ConfigMap`: - -```shell-session -$ cat < **Note:** The `stubDomain` can only point to a static IP. If the cluster IP -of the Consul DNS service changes, then it must be updated in the config map to -match the new service IP for this to continue -working. This can happen if the service is deleted and recreated, such as -in full cluster rebuilds. - --> **Note:** If using a different zone than `.consul`, change the stub domain to -that zone. - -Now skip ahead to the [Verifying DNS Works](#verifying-dns-works) section. - -## CoreDNS Configuration - -If using CoreDNS instead of KubeDNS in your Kubernetes cluster, you will -need to update your existing `coredns` ConfigMap in the `kube-system` namespace to -include a `forward` definition for `consul` that points to the cluster IP of the -Consul DNS service. - -Edit the `ConfigMap`: - -```shell-session -$ kubectl edit configmap coredns --namespace kube-system -``` - -And add the `consul` block below the default `.:53` block and replace -`` with the DNS Service's IP address you -found previously. - -```diff -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - addonmanager.kubernetes.io/mode: EnsureExists - name: coredns - namespace: kube-system -data: - Corefile: | - .:53 { - - } -+ consul { -+ errors -+ cache 30 -+ forward . -+ } -``` - --> **Note:** The consul proxy can only point to a static IP. If the cluster IP -of the `consul-dns` service changes, then it must be updated to the new IP to continue -working. This can happen if the service is deleted and recreated, such as -in full cluster rebuilds. - --> **Note:** If using a different zone than `.consul`, change the key accordingly. - -## OpenShift DNS Operator - --> **Note:** OpenShift CLI `oc` is utilized below complete the following steps. You can find more details on how to install OpenShift CLI from [Getting started with OpenShift CLI](https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html). - -You can use DNS forwarding to override the default forwarding configuration in the `/etc/resolv.conf` file by specifying -the `consul-dns` service for the `consul` subdomain (zone). - -Find `consul-dns` service clusterIP: - -```shell-session -$ oc get svc consul-dns --namespace consul --output jsonpath='{.spec.clusterIP}' -172.30.186.254 -``` - -Edit the `default` DNS Operator: - -```shell-session -$ oc edit edit dns.operator/default -``` - -Append the following `servers` section entry to the `spec` section of the DNS Operator configuration: - -```yaml -spec: - servers: - - name: consul-server - zones: - - consul - forwardPlugin: - policy: Random - upstreams: - - 172.30.186.254 # Set to clusterIP of consul-dns service -``` - -Save the configuration changes and verify the `dns-default` configmap has been updated: - -```shell-session -$ oc get configmap/dns-default -n openshift-dns -o yaml -``` - -Example output with updated `consul` forwarding zone: - -```yaml -... -data: - Corefile: | - # consul-server - consul:5353 { - prometheus 127.0.0.1:9153 - forward . 172.30.186.254 { - policy random - } - errors - log . { - class error - } - bufsize 1232 - cache 900 { - denial 9984 30 - } - } -... -``` - -## Verifying DNS Works - -To verify DNS works, run a simple job to query DNS. Save the following -job to the file `job.yaml` and run it: - - - -```yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: dns -spec: - template: - spec: - containers: - - name: dns - image: anubhavmishra/tiny-tools - command: ['dig', 'consul.service.consul'] - restartPolicy: Never - backoffLimit: 4 -``` - - - -```shell-session -$ kubectl apply --filename job.yaml -``` - -Then query the pod name for the job and check the logs. You should see -output similar to the following showing a successful DNS query. If you see -any errors, then DNS is not configured properly. - -```shell-session -$ kubectl get pods --show-all | grep dns -dns-lkgzl 0/1 Completed 0 6m - -$ kubectl logs dns-lkgzl -; <<>> DiG 9.11.2-P1 <<>> consul.service.consul -;; global options: +cmd -;; Got answer: -;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4489 -;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4 - -;; OPT PSEUDOSECTION: -; EDNS: version: 0, flags:; udp: 4096 -;; QUESTION SECTION: -;consul.service.consul. IN A - -;; ANSWER SECTION: -consul.service.consul. 0 IN A 10.36.2.23 -consul.service.consul. 0 IN A 10.36.4.12 -consul.service.consul. 0 IN A 10.36.0.11 - -;; ADDITIONAL SECTION: -consul.service.consul. 0 IN TXT "consul-network-segment=" -consul.service.consul. 0 IN TXT "consul-network-segment=" -consul.service.consul. 0 IN TXT "consul-network-segment=" - -;; Query time: 5 msec -;; SERVER: 10.39.240.10#53(10.39.240.10) -;; WHEN: Wed Sep 12 02:12:30 UTC 2018 -;; MSG SIZE rcvd: 206 -``` diff --git a/website/content/docs/k8s/dns/views/enable.mdx b/website/content/docs/k8s/dns/views/enable.mdx deleted file mode 100644 index 3f29eac346c..00000000000 --- a/website/content/docs/k8s/dns/views/enable.mdx +++ /dev/null @@ -1,102 +0,0 @@ ---- -layout: docs -page_title: Enable Consul DNS proxy for Kubernetes -description: -> - Learn how to schedule a Consul DNS proxy for a Kubernetes Pod so that your services can return Consul DNS results for service discovery. ---- - -# Enable Consul DNS proxy for Kubernetes - -This page describes the process to deploy a Consul DNS proxy in a Kubernetes Pod so that Services can resolve Consul DNS requests. For more information, refer to [Consul DNS views for Kubernetes](/consul/docs/k8s/dns/views). - -## Prerequisites - -You must meet the following minimum application versions to enable the Consul DNS proxy for Kubernetes: - -- Consul v1.20.0 or higher -- Either Consul on Kubernetes or the Consul Helm chart, v1.6.0 or higher - -## Update Helm values - -To enable the Consul DNS proxy, add the required [Helm values](/consul/docs/k8s/helm) to your Consul on Kubernetes deployment. - -```yaml -connectInject: - enabled: true -dns: - enabled: true - proxy: true -``` - -### ACLs - -We recommend you create a dedicated [ACL token with DNS permissions](/consul/docs/security/acl/tokens/create/create-a-dns-token) for the Consul DNS proxy. The Consul DNS proxy requires these ACL permissions. - -```hcl -node_prefix "" { - policy = "read" -} - -service_prefix "" { - policy = "read" -} -``` - -You can manage ACL tokens with Consul on Kubernetes, or you can configure the DNS proxy to access a token stored in Kubernetes secret. To use a Kubernetes secret, add the following configuration to your Helm chart. - -```yaml -dns: - proxy: - aclToken: - secretName: - secretKey: -``` - -## Retrieve Consul DNS proxy's address - -To look up the IP address for the Consul DNS proxy in the Kubernetes Pod, run the following command. - -```shell-session -$ kubectl get services –-all-namespaces --selector="app=consul,component=dns-proxy" --output jsonpath='{.spec.clusterIP}' -10.96.148.46 -``` - -Use this address when you update the ConfigMap resource. - -## Update Kubernetes ConfigMap - -Create or update a [ConfigMap object in the Kubernetes cluster](https://kubernetes.io/docs/concepts/configuration/configmap/) so that Kubernetes forwards DNS requests with the `.consul` domain to the IP address of the Consul DNS proxy. - -The following example of a `coredns-custom` ConfigMap configures Kubernetes to forward Consul DNS requests in the cluster to the Consul DNS Proxy running on `10.96.148.46`. This resource modifies the CoreDNS without modifications to the original `Corefile`. - -```yaml -kind: ConfigMap -metadata: - name: coredns-custom - namespace: kube-system -data: - consul.server: | - consul:53 { - errors - cache 30 - forward . 10.96.148.46 - reload - } -``` - -After updating the DNS configuration, perform a rolling restart of the CoreDNS. - -```shell-session -kubectl -n kube-system rollout restart deployment coredns -``` - -For more information about using a `coredns-custom` resource, refer to the [Rewrite DNS guide in the Azure documentation](https://learn.microsoft.com/en-us/azure/aks/coredns-custom#rewrite-dns). For general information about modifying a ConfigMap, refer to [the Kubernetes documentation](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#coredns). - -## Next steps - -After you enable the Consul DNS proxy, services in the Kubernetes cluster can resolve Consul DNS addresses. - -- To learn more about Consul DNS for service discovery, refer to [DNS usage overview](/consul/docs/services/discovery/dns-overview). -- If your datacenter has ACLs enabled, create a [Consul ACL token](/consul/docs/security/acl/tokens) for the Consul DNS proxy and then restart the DNS proxy. -- To enable service discovery across admin partitions, [export services between partitions](/consul/docs/connect/config-entries/exported-services). -- To use Consul DNS for service discovery with other runtimes, across cloud regions, or between cloud providers, [establish a cluster peering connection](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering). diff --git a/website/content/docs/k8s/dns/views/index.mdx b/website/content/docs/k8s/dns/views/index.mdx deleted file mode 100644 index 7d482a9d3e8..00000000000 --- a/website/content/docs/k8s/dns/views/index.mdx +++ /dev/null @@ -1,48 +0,0 @@ ---- -layout: docs -page_title: Consul DNS views for Kubernetes -description: -> - Kubernetes clusters can use the Consul DNS proxy to return service discovery results from the Consul catalog. Learn about how to configure your k8s cluster so that applications can resolve Consul DNS addresses without gossip communication. ---- - -# Consul DNS views for Kubernetes - -This topic describes how to schedule a dedicated Consul DNS proxy in a Kubernetes Pod so that applications in Kubernetes can resolve Consul DNS addresses. You can use the Consul DNS proxy to enable service discovery across admin partitions in Kubernetes deployments without needing to deploy Consul client agents. - -## Introduction - -Kubernetes operators typically choose networking tools such as [kube-dns](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) or [CoreDNS](https://kubernetes.io/docs/tasks/administer-cluster/coredns/) for their service discovery operations, and choose to bypass Consul DNS entirely. These DNS options are often sufficient for service networking operations within a single Kubernetes cluster. - -Consul on Kubernetes supports [configuring Kubernetes to resolve Consul DNS](/consul/docs/k8s/dns). However, two common challenges result when you rely on these configurations: - -- Kubernetes requires Consul to use gossip communication with agents or dataplanes in order to enable Consul DNS. -- Consul requires that admin partitions be included in the DNS address. Otherwise, DNS queries assume the `default` partition by default. - -The `consul-dns` proxy does not require the presence of Consul client agents or Consul dataplanes, removing gossip communication as a requirement for Consul DNS on Kubernetes. The proxy is also designed for deployment in a Kubernetes cluster with [external servers enabled](/consul/docs/k8s/deployment-configurations/servers-outside-kubernetes). When a cluster runs in a non-default admin partition and uses the proxy to query external servers, Consul automatically recognizes the admin partition that originated the request and returns service discovery results scoped to that specific admin partition. - -To use Consul DNS for service discovery on Kubernetes, deploy a `dns-proxy` service in each Kubernetes Pod that needs to resolve Consul DNS. Kubernetes sends all DNS requests to the Kubernetes controller first. The controller forwards requests for the `.consul` domain to the `dns-proxy` service, which then queries the Consul catalog and returns service discovery results. - -## Workflows - -The process to enable Consul DNS views for service discovery in Kubernetes deployments consists of the following steps: - -1. In a cluster configured to use [external Consul servers](/consul/docs/k8s/deployment-configurations/servers-outside-kubernetes), update the Helm values for your Consul on Kubernetes deployment so that `dns.proxy.enabled=true`. When you apply the updated configuration, Kubernetes deploys the Consul DNS proxy. -1. Look up the IP address for the Consul DNS proxy in the Kubernetes cluster. -1. Update the ConfigMap resource in the Kubernetes cluster so that it forwards requests for the `.consul` domain to the IP address of the Consul DNS proxy. - -For more information about the underlying concepts described in this workflow, refer to [DNS forwarding overview](/consul/docs/services/discovery/dns-forwarding). - -## Benefits - -Consul on Kubernetes currently uses [Consul dataplanes](/consul/docs/connect/dataplane) by default. These lightweight processes provide Consul access to the sidecar proxies in the service mesh, but leave Kubernetes in charge of most other service discovery and service mesh operations. - -- **Use Kubernetes DNS and Consul DNS in a single deployment**. The Consul DNS proxy enables any application in a Pod to resolve an address through Consul DNS without disrupting the underlying Kubernetes DNS functionality. -- **Consul service discovery using fewer resources**. When you use the Consul DNS proxy for service discovery, you do not need to schedule Consul client agents or dataplanes as sidecars. One Kubernetes Service that uses the same resources as a single Consul dataplane provides Pods access to the Consul service catalog. -- **Consul DNS without gossip communication**. The Consul DNS service runs on both Consul server and Consul client agents, which use [gossip communication](/consul/docs/security/encryption/gossip) to ensure that service discovery results are up-to-date. The Consul DNS proxy provides access to Consul DNS without the security overhead of agent-to-agent gossip. - -## Constraints and limitations - -If you experience issues using the Consul DNS proxy for Kubernetes, refer to the following list of technical constraints and limitations. - -- You must use Kubernetes as your runtime to use the Consul DNS proxy. You cannot schedule the Consul DNS proxy in other container-based environments. -- To perform DNS lookups on other admin partitions, you must [export services between partitions](/consul/docs/connect/config-entries/exported-services) before you can query them. \ No newline at end of file diff --git a/website/content/docs/k8s/installation/install-cli.mdx b/website/content/docs/k8s/installation/install-cli.mdx deleted file mode 100644 index 0665641755e..00000000000 --- a/website/content/docs/k8s/installation/install-cli.mdx +++ /dev/null @@ -1,284 +0,0 @@ ---- -layout: docs -page_title: Install Consul on K8s CLI -description: >- - You can use the Consul K8s CLI tool to schedule Kubernetes deployments instead of using Helm. Learn how to download and install the tool to interact with Consul on Kubernetes using the `consul-k8s` command. ---- - -# Install Consul on Kubernetes from Consul K8s CLI - -This topic describes how to install Consul on Kubernetes using the Consul K8s CLI tool. The Consul K8s CLI tool enables you to quickly install and interact with Consul on Kubernetes. Use the Consul K8s CLI tool to install Consul on Kubernetes if you are deploying a single cluster. We recommend using the [Helm chart installation method](/consul/docs/k8s/installation/install) if you are installing Consul on Kubernetes for multi-cluster deployments that involve cross-partition or cross datacenter communication. - -## Introduction - -If it is your first time installing Consul on Kubernetes, then you must first install the Consul K8s CLI tool. You can install Consul on Kubernetes using the Consul K8s tool after installing the CLI. - -## Requirements - -- The `kubectl` client must already be configured to authenticate to the Kubernetes cluster using a valid `kubeconfig` file. -- Install one of the following package managers so that you can install the Consul K8s CLI tool. The installation instructions also provide commands for installing and using the package managers: - - MacOS: [Homebrew](https://brew.sh) - - Ubuntu/Debian: apt - - CentOS/RHEL: yum - -You must install the correct version of the CLI for your Consul on Kubernetes deployment. To deploy a previous version of Consul on Kubernetes, download the specific version of the CLI that matches the version of the control plane that you would like to deploy. Refer to the [compatibility matrix](/consul/docs/k8s/compatibility) for details. - - -## Install the CLI - -The following instructions describe how to install the latest version of the Consul K8s CLI tool, as well as earlier versions, so that you can install an appropriate version of tool for your control plane. - -### Install the latest version - -Complete the following instructions for a fresh installation of Consul on Kubernetes. - - - - - -The [Homebrew](https://brew.sh) package manager is required to complete the following installation instructions. The Homebrew formulae always installs the latest version of a binary. - -1. Install the HashiCorp `tap`, which is a repository of all Homebrew packages for HashiCorp: - ```shell-session - $ brew tap hashicorp/tap - ``` - -1. Install the Consul K8s CLI with `hashicorp/tap/consul` formula. - ```shell-session - $ brew install hashicorp/tap/consul-k8s - ``` - -1. (Optional) Issue the `consul-k8s version` command to verify the installation: - - ```shell-session - $ consul-k8s version - consul-k8s 1.0 - ``` - - - - - -1. Add the HashiCorp GPG key. - - ```shell-session - $ curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - - ``` - -1. Add the HashiCorp apt repository. - - ```shell-session - $ sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" - ``` - -1. Run apt-get install to install the `consul-k8s` CLI. - - ```shell-session - $ sudo apt-get update && sudo apt-get install consul-k8s - ``` - -1. (Optional) Issue the `consul-k8s version` command to verify the installation. - - ```shell-session - $ consul-k8s version - consul-k8s 1.0 - ``` - - - - - -1. Install `yum-config-manager` to manage your repositories. - - ```shell-session - $ sudo yum install -y yum-utils - ``` - -1. Use `yum-config-manager` to add the official HashiCorp Linux repository. - - ```shell-session - $ sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo - ``` - -1. Install the `consul-k8s` CLI. - - ```shell-session - $ sudo yum -y install consul-k8s - ``` - -1. (Optional) Issue the `consul-k8s version` command to verify the installation. - - ```shell-session - $ consul-k8s version - consul-k8s 1.0 - ``` - - - - - -### Install a previous version - -Complete the following instructions to install a specific version of the CLI so that your tool is compatible with your Consul on Kubernetes control plane. Refer to the [compatibility matrix](/consul/docs/k8s/compatibility) for additional information. - - - - - -1. Download the appropriate version of Consul K8s CLI using the following `curl` command. Set the `$VERSION` environment variable to the appropriate version for your deployment. - - ```shell-session - $ export VERSION=1.1.1 && \ - curl --location "https://releases.hashicorp.com/consul-k8s/${VERSION}/consul-k8s_${VERSION}_darwin_amd64.zip" --output consul-k8s-cli.zip - ``` - -1. Unzip the zip file output to extract the `consul-k8s` CLI binary. This overwrites existing files and also creates a `.consul-k8s` subdirectory in your `$HOME` folder. - - ```shell-session - $ unzip -o consul-k8s-cli.zip -d ~/consul-k8s - ``` - -1. Add the path to your directory. In order to persist the `$PATH` across sessions, dd it to your shellrc (i.e. shell run commands) file for the shell used by your terminal. - - ```shell-session - $ export PATH=$PATH:$HOME/consul-k8s - ``` - -1. (Optional) Issue the `consul-k8s version` command to verify the installation. - - ```shell-session - $ consul-k8s version - consul-k8s 1.0 - ``` - - - - - -1. Add the HashiCorp GPG key. - - ```shell-session - $ curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - - ``` - -1. Add the HashiCorp apt repository. - - ```shell-session - $ sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" - ``` - -1. Run apt-get install to install the `consul-k8s` CLI. - - ```shell-session - $ export VERSION=0.39.0 && \ - sudo apt-get update && sudo apt-get install consul-k8s=${VERSION} - ``` - -1. (Optional) Issue the `consul-k8s version` command to verify the installation. - - ```shell-session - $ consul-k8s version - consul-k8s 1.0 - ``` - - - - - -1. Install `yum-config-manager` to manage your repositories. - - ```shell-session - $ sudo yum install -y yum-utils - ``` - -1. Use `yum-config-manager` to add the official HashiCorp Linux repository. - - ```shell-session - $ sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo - ``` - -1. Install the `consul-k8s` CLI. - - ```shell-session - $ export VERSION=-1.0 && \ - sudo yum -y install consul-k8s-${VERSION}-1 - ``` - -2. (Optional) Issue the `consul-k8s version` command to verify the installation. - - ```shell-session - $ consul-k8s version - consul-k8s 1.0 - ``` - - - - - -## Install Consul on Kubernetes - -After installing the Consul K8s CLI tool (`consul-k8s`), issue the `install` subcommand and any additional options to install Consul on your existing Kubernetes cluster. Refer to the [Consul K8s CLI reference](/consul/docs/k8s/k8s-cli) for details about all commands and available options. If you do not include any additional options, the `consul-k8s` CLI installs Consul on Kubernetes using the default settings form the Consul Helm chart values. The following example installs Consul on Kubernetes with service mesh and CRDs enabled. - -```shell-session -$ consul-k8s install - -==> Pre-Install Checks -No existing installations found. - ✓ No previous persistent volume claims found - ✓ No previous secrets found -==> Consul Installation Summary - Installation name: consul - Namespace: consul - Overrides: - connectInject: - enabled: true - - Proceed with installation? (y/N) y - -==> Running Installation - ✓ Downloaded charts ---> creating 1 resource(s) ---> creating 45 resource(s) ---> beginning wait for 45 resources with timeout of 10m0s - ✓ Consul installed into namespace "consul" -``` - -You can include the `-auto-approve` option set to `true` to proceed with the installation if the pre-install checks pass. - -The pre-install checks may fail if existing `PersistentVolumeClaims` (PVC) are detected. Refer to the [uninstall instructions](/consul/docs/k8s/operations/uninstall#uninstall-consul) for information about removing PVCs. - -## Custom installation - -You can create a values file and specify parameters to overwrite the default Helm chart installation. Add the `-f` and specify your values file to implement your configuration, for example: - -```shell-session -$ consul-k8s install -f values.yaml -``` - -### Install Consul on OpenShift clusters - -[Red Hat OpenShift](https://www.redhat.com/en/technologies/cloud-computing/openshift) is a security-conscious, opinionated wrapper for Kubernetes. To install Consul on OpenShift-managed Kubernetes, set `global.openshift.enabled=true` in your [custom installation](#custom-installation) values file: - -```yaml -global: - openshift: - enabled: true -``` - -Refer to [`openshift` in the Helm chart reference](/consul/docs/k8s/helm#v-global-openshift) for additional information. - -## Check the Consul cluster status - -Issue the `consul-k8s status` command to view the status of the installed Consul cluster. - -```shell-session -$ consul-k8s status - -==> Consul-K8s Status Summary - NAME | NAMESPACE | STATUS | CHARTVERSION | APPVERSION | REVISION | LAST UPDATED ----------+-----------+----------+--------------+------------+----------+-------------------------- - consul | consul | deployed | 0.40.0 | 1.14.0 | 1 | 2022/01/31 16:58:51 PST - -✓ Consul servers healthy (3/3) -✓ Consul clients healthy (3/3) -``` diff --git a/website/content/docs/k8s/operations/certificate-rotation.mdx b/website/content/docs/k8s/operations/certificate-rotation.mdx deleted file mode 100644 index 85f86a7b9cd..00000000000 --- a/website/content/docs/k8s/operations/certificate-rotation.mdx +++ /dev/null @@ -1,28 +0,0 @@ ---- -layout: docs -page_title: Rotate TLS Certificates for Consul on Kubernetes -description: >- - In Consul Helm version 0.29.0 and later, new server agent TLS certificates are issued every time the Helm version is upgraded. Learn how to manually trigger certificate rotation if they do not rotate automatically. ---- - -# Rotate TLS Certificates for Consul on Kubernetes - -As of Consul Helm version `0.29.0`, if TLS is enabled, new TLS certificates for the Consul Server -are issued every time the Helm chart is upgraded. These certificates are signed by the same CA and will -continue to work as expected in the existing cluster. - -Consul servers read the certificates from Kubernetes secrets during start-up and keep them in memory. In order to ensure the -servers use the newer certificate, the server pods need to be [restarted explicitly](/consul/docs/k8s/upgrade#upgrading-consul-servers) in -a situation where `helm upgrade` does not restart the server pods. - -To explicitly perform server certificate rotation, follow these steps: - -1. Perform a `helm upgrade`: - - ```shell-session - $ helm upgrade consul hashicorp/consul --values /path/to/my/values.yaml - ``` - - This should run the `tls-init` job that will generate new Server certificates. - -1. Restart the Server pods following the steps [here](/consul/docs/k8s/upgrade#upgrading-consul-servers). diff --git a/website/content/docs/k8s/platforms/self-hosted-kubernetes.mdx b/website/content/docs/k8s/platforms/self-hosted-kubernetes.mdx deleted file mode 100644 index e5f1f0031ff..00000000000 --- a/website/content/docs/k8s/platforms/self-hosted-kubernetes.mdx +++ /dev/null @@ -1,52 +0,0 @@ ---- -layout: docs -page_title: Install Consul on Self-Hosted Kubernetes Clusters -description: >- - The process for installing Consul on Kubernetes is the same as installing it on cloud-hosted k8s platforms, but requires additional configuration. Learn how to pre-define Persistent Volume Claims (PVCs) and a default storage class for server agents. ---- - -# Install Consul on Self-Hosted Kubernetes Clusters - -Except for creating persistent volumes and ensuring there is a storage class -configured (see below), installing Consul on your -self-hosted Kubernetes cluster is the same process as installing Consul on a -cloud-hosted Kubernetes cluster. See the [Installation Overview](/consul/docs/k8s/installation/install) -for install instructions. - -## Predefined Persistent Volume Claims (PVCs) - -If running a self-hosted Kubernetes installation, you may need to pre-create -the persistent volumes for the stateful set that the Consul servers run in. - -The only way to use a pre-created PVC is to name them in the format Kubernetes expects: - -```text -data---consul-server- -``` - -The Kubernetes namespace you are installing into, Helm release name, and ordinal -must match between your Consul servers and your pre-created PVCs. You only -need as many PVCs as you have Consul servers. For example, given a Kubernetes -namespace of "vault," a release name of "consul," and 5 servers, you would need -to create PVCs with the following names: - -```text -data-vault-consul-consul-server-0 -data-vault-consul-consul-server-1 -data-vault-consul-consul-server-2 -data-vault-consul-consul-server-3 -data-vault-consul-consul-server-4 -``` - -## Storage Class - -Your Kubernetes installation must either have a default storage class specified -(see https://kubernetes.io/docs/concepts/storage/storage-classes/ and https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/) -or you must specify the storage class for the Consul servers: - -```yaml -server: - storageClass: your-class -``` - -See the [Helm reference](/consul/docs/k8s/helm#v-server-storageclass) for that setting for more information. diff --git a/website/content/docs/lambda/index.mdx b/website/content/docs/lambda.mdx similarity index 96% rename from website/content/docs/lambda/index.mdx rename to website/content/docs/lambda.mdx index 50af9ce6f06..df238d4c3e8 100644 --- a/website/content/docs/lambda/index.mdx +++ b/website/content/docs/lambda.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Consul and AWS Lambda Overview +page_title: Consul Lambda overview description: >- Consul supports Amazon Web Services Lambda functions, which are event-driven programs and scripts. Learn about Consul's requirements for registering and invoking AWS Lambda functions in your service mesh. --- -# Consul and AWS Lambda Overview +# Consul Lambda overview You can configure Consul to allow services in your mesh to invoke Lambda functions, as well as allow Lambda functions to invoke services in your mesh. Lambda functions are programs or scripts that run in AWS Lambda. Refer to the [AWS Lambda website](https://aws.amazon.com/lambda/) for additional information. @@ -33,4 +33,4 @@ Refer to [Invoke Services from Lambda Functions](/consul/docs/lambda/invoke-from Consul mesh gateways are required to send requests from Lambda functions to mesh services. Refer to [Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway) for additional information. -Note that L7 traffic management features are not supported. As a result, requests from Lambda functions ignore service routes and splitters. +Note that L7 traffic management features are not supported. As a result, requests from Lambda functions ignore service routes and splitters. \ No newline at end of file diff --git a/website/content/docs/lambda/invoke-from-lambda.mdx b/website/content/docs/lambda/invoke-from-lambda.mdx deleted file mode 100644 index 0582cad2005..00000000000 --- a/website/content/docs/lambda/invoke-from-lambda.mdx +++ /dev/null @@ -1,273 +0,0 @@ ---- -layout: docs -page_title: Invoke Services from Lambda Functions -description: >- - This topic describes how to invoke services in the mesh from Lambda functions registered with Consul. ---- - -# Invoke Services from Lambda Functions - -This topic describes how to invoke services in the mesh from Lambda functions registered with Consul. - -~> **Lambda-to-mesh functionality is currently in beta**: Functionality associated with beta features are subject to change. You should never use the beta release in secure environments or production scenarios. Features in beta may have performance issues, scaling issues, and limited support. - -## Introduction - -The following steps describe the process: - -1. Deploy the destination service and mesh gateway. -1. Deploy the Lambda extension layer. -1. Deploy the Lambda registrator. -1. Write the Lambda function code. -1. Deploy the Lambda function. -1. Invoke the Lambda function. - -You must add the `consul-lambda-extension` extension as a Lambda layer to enable Lambda functions to send requests to mesh services. Refer to the [AWS Lambda documentation](https://docs.aws.amazon.com/lambda/latest/dg/invocation-layers.html) for instructions on how to add layers to your Lambda functions. - -The layer runs an external Lambda extension that starts a sidecar proxy. The proxy listens on one port for each upstream service and upgrades the outgoing connections to mTLS. It then proxies the requests through to [mesh gateways](/consul/docs/connect/gateways#mesh-gateways). - -## Prerequisites - -You must deploy the destination services and mesh gateway prior to deploying your Lambda service with the `consul-lambda-extension` layer. - -### Deploy the destination service - -There are several methods for deploying services to Consul service mesh. The following example configuration deploys a service named `static-server` with Consul on Kubernetes. - -```yaml -kind: Service -apiVersion: v1 -metadata: - # Specifies the service name in Consul. - name: static-server -spec: - selector: - app: static-server - ports: - - protocol: TCP - port: 80 - targetPort: 8080 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: static-server ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: static-server -spec: - replicas: 1 - selector: - matchLabels: - app: static-server - template: - metadata: - name: static-server - labels: - app: static-server - annotations: - 'consul.hashicorp.com/connect-inject': 'true' - spec: - containers: - - name: static-server - image: hashicorp/http-echo:latest - args: - - -text="hello world" - - -listen=:8080 - ports: - - containerPort: 8080 - name: http - serviceAccountName: static-server -``` - -### Deploy the mesh gateway - -The mesh gateway must be running and registered to the Lambda function’s Consul datacenter. Refer to the following documentation and tutorials for instructions: - -- [Mesh Gateways between WAN-Federated Datacenters](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters) -- [Mesh Gateways between Admin Partitions](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions) -- [Establish cluster peering connections](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering) -- [Connect Services Across Datacenters with Mesh Gateways](/consul/tutorials/developer-mesh/service-mesh-gateways) - -## Deploy the Lambda extension layer - -The `consul-lambda-extension` extension runs during the `Init` phase of the Lambda function execution. The extension retrieves the data that the Lambda registrator has been configured to store from AWS Parameter Store and creates a lightweight TCP proxy. The proxy creates a local listener for each upstream defined in the `CONSUL_SERVICE_UPSTREAMS` environment variable. - -The extension periodically retrieves the data from the AWS Parameter Store so that the function can process requests. When the Lambda function receives a shutdown event, the extension also stops. - -1. Download the `consul-lambda-extension` extension from [releases.hashicorp.com](https://releases.hashicorp.com/): - - ```shell-session - curl -o consul-lambda-extension__linux_amd64.zip https://releases.hashicorp.com/consul-lambda//consul-lambda-extension__linux_amd64.zip - ``` -1. Create the AWS Lambda layer in the same AWS region as the Lambda function. You can create the layer manually using the AWS CLI or AWS Console, but we recommend using Terraform: - - - - ```hcl - resource "aws_lambda_layer_version" "consul_lambda_extension" { - layer_name = "consul-lambda-extension" - filename = "consul-lambda-extension__linux_amd64.zip" - source_code_hash = filebase64sha256("consul-lambda-extension__linux_amd64.zip") - description = "Consul service mesh extension for AWS Lambda" - } - ``` - - - -## Deploy the Lambda registrator - -Configure and deploy the Lambda registrator. Refer to the [registrator configuration documentation](/consul/docs/lambda/registration/automate#configuration) and the [registrator deployment documentation](/consul/docs/lambda/registration/automate#deploy-the-lambda-registrator) for instructions. - -## Write the Lambda function code - -Refer to the [AWS Lambda documentation](https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html) for instructions on how to write a Lambda function. In the following example, the function calls an upstream service on port `2345`: - - -```go -package main - -import ( - "context" - "io" - "fmt" - "net/http" - "github.com/aws/aws-lambda-go/lambda" -) - -type Response struct { - StatusCode int `json:"statusCode"` - Body string `json:"body"` -} - -func HandleRequest(ctx context.Context, _ interface{}) (Response, error) { - resp, err := http.Get("http://localhost:2345") - fmt.Println("Got response", resp) - if err != nil { - return Response{StatusCode: 500, Body: "Something bad happened"}, err - } - - if resp.StatusCode != 200 { - return Response{StatusCode: resp.StatusCode, Body: resp.Status}, err - } - - defer resp.Body.Close() - - b, err := io.ReadAll(resp.Body) - if err != nil { - return Response{StatusCode: 500, Body: "Error decoding body"}, err - } - - return Response{StatusCode: 200, Body: string(b)}, nil -} - -func main() { - lambda.Start(HandleRequest) -} -``` - -## Deploy the Lambda function - -1. Create and apply an IAM policy that allows the Lambda function’s role to fetch the Lambda extension’s data from the AWS Parameter Store. The following example, creates an IAM role for the Lambda function, creates an IAM policy with the necessary permissions and attaches the policy to the role: - - - - ```hcl - resource "aws_iam_role" "lambda" { - name = "lambda-role" - - assume_role_policy = < - -1. Configure and deploy the Lambda function. Refer to the [Lambda extension configuration](#lambda-extension-configuration) reference for information about all available options. There are several methods for deploying Lambda functions. The following example uses Terraform to deploy a function that can invoke the `static-server` upstream service using mTLS data stored under the `/lambda_extension_data` prefix: - - - - ```hcl - resource "aws_lambda_function" "example" { - … - function_name = "lambda" - role = aws_iam_role.lambda.arn - tags = { - "serverless.consul.hashicorp.com/v1alpha1/lambda/enabled" = "true" - } - variables = { - environment = { - CONSUL_MESH_GATEWAY_URI = var.mesh_gateway_http_addr - CONSUL_SERVICE_UPSTREAMS = "static-server:2345:dc1" - CONSUL_EXTENSION_DATA_PREFIX = "/lambda_extension_data" - } - } - layers = [aws_lambda_layer_version.consul_lambda_extension.arn] - ``` - - - -1. Run the `terraform apply` command and Consul automatically configures a service for the Lambda function. - -### Lambda extension configuration - -Define the following environment variables in your Lambda functions to configure the Lambda extension. The variables apply to each Lambda function in your environment: - -| Variable | Description | Default | -| --- | --- | --- | -| `CONSUL_MESH_GATEWAY_URI` | Specifies the URI where the mesh gateways that the plugin makes requests are running. The mesh gateway should be registered in the same Consul datacenter and partition that the service is running in. For optimal performance, this mesh gateway should run in the same AWS region. | none | -| `CONSUL_EXTENSION_DATA_PREFIX` | Specifies the prefix that the plugin pulls configuration data from. The data must be located in the following directory:
`"${CONSUL_EXTENSION_DATA_PREFIX}/${CONSUL_SERVICE_PARTITION}/${CONSUL_SERVICE_NAMESPACE}/"` | none | -| `CONSUL_SERVICE_NAMESPACE` | Specifies the Consul namespace the service is registered into. | `default` | -| `CONSUL_SERVICE_PARTITION` | Specifies the Consul partition the service is registered into. | `default` | -| `CONSUL_REFRESH_FREQUENCY` | Specifies the amount of time the extension waits before re-pulling data from the Parameter Store. Use [Go `time.Duration`](https://pkg.go.dev/time@go1.19.1#ParseDuration) string values, for example, `"30s"`.
The time is added to the duration configured in the Lambda registrator `sync_frequency_in_minutes` configuration. Refer to [Lambda registrator configuration options](/consul/docs/lambda/registration/automate#lambda-registrator-configuration-options). The combined configurations determine how stale the data may become. Lambda functions can run for up to 14 hours, so we recommend configuring a value that results in acceptable staleness for certificates. | `"5m"` | -| `CONSUL_SERVICE_UPSTREAMS` | Specifies a comma-separated list of upstream services that the Lambda function can call. Specify the value as an unlabelled annotation according to the [`consul.hashicorp.com/connect-service-upstreams` annotation format](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) in Consul on Kubernetes. For example, `"[service-name]:[port]:[optional-datacenter]"` | none | - -## Invoke the Lambda function - -If _intentions_ are enabled in the Consul service mesh, you must create an intention that allows the Lambda function's Consul service to invoke all upstream services prior to invoking the Lambda function. Refer to [Service mesh intentions](/consul/docs/connect/intentions) for additional information. - -There are several ways to invoke Lambda functions. In the following example, the `aws lambda invoke` CLI command invokes the function: - -```shell-session -$ aws lambda invoke --function-name lambda /dev/stdout | cat -``` diff --git a/website/content/docs/lambda/registration/index.mdx b/website/content/docs/lambda/registration/index.mdx deleted file mode 100644 index 16e16cde050..00000000000 --- a/website/content/docs/lambda/registration/index.mdx +++ /dev/null @@ -1,79 +0,0 @@ ---- -layout: docs -page_title: Lambda Function Registration Requirements -description: >- - This topic provides an overview of how to register AWS Lambda functions with Consul service mesh and describes the requirements and prerequisites for registering Lambda functions with Consul. ---- -# Lambda Function Registration Requirements - -Verify that your environment meets the requirements and that you have completed the prerequisites before registering Lambda functions. - -## Introduction - -You can either manually register AWS Lambda functions with Consul or use the Lambda registrator to automatically synchronize Lambda state into Consul. We recommend using the Lambda registrator when possible so that you can keep the configuration entry up to date. The registrator automatically registers, reconfigures, and deregisters Lambdas based on the Lambda function's tags. - -## Requirements - -Consul v1.12.1 and later - -## Prerequisites - -Complete the following prerequisites prior to registering your Lambda functions. You only need to perform these steps once. - -### Configure IAM Permissions for Envoy - -The Envoy proxy that invokes Lambda must have the `lambda:InvokeFunction` AWS IAM -permissions. In the following example, the IAM policy -enables an IAM user or role to invoke the `example` Lambda function: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Invoke", - "Effect": "Allow", - "Action": [ - "lambda:InvokeFunction" - ], - "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example" - } - ] -} -``` - -Define AWS IAM credentials in environment variables, EC2 metadata, or -ECS metadata. On [AWS EKS](https://aws.amazon.com/eks/), associate an IAM role with the proxy's `ServiceAccount`. Refer to the [AWS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) documentation for instructions. - -### Mesh gateway - -A mesh gateway is required in the following scenarios: - -- Invoking mesh services from Lambda functions -- Invoking Lambda functions from a service deployed to a separate Consul datacenter - -Mesh gateways are optional for enabling services to invoke Lambda functions if they are in the same datacenter. - -The mesh gateway must be running and registered in the relevant Consul datacenters and admin partitions. Refer to the following documentation and tutorials for instructions on how to set up mesh gateways: - -- [Mesh gateway documentation](/consul/docs/connect/gateways#mesh-gateways) -- [Connect Services Across Datacenters with Mesh Gateways tutorial](/consul/tutorials/developer-mesh/service-mesh-gateways) -- [Secure Service Mesh Communication Across Kubernetes Clusters tutorial](/consul/tutorials/kubernetes/kubernetes-mesh-gateways?utm_source=docs%3Fin%3Dconsul%2Fkubernetes) - -When using admin partitions, you must add Lambda services to the `Services` -field of [the `exported-services` configuration -entry](/consul/docs/connect/config-entries/exported-services). - -### Optional: Terminating gateway - -A terminating gateway is an access point in a Consul datacenter to an external service or node. Terminating gateways are optional when invoking Lambda functions from a mesh service, but they do not play a role when invoking services from Lambda functions. - -Refer to the following documentation and tutorials for instructions on how to set up a terminating gateway: - -- [Terminating gateways documentation](/consul/docs/connect/gateways#terminating-gateways) -- [Terminating gateways on Kubernetes documentation](/consul/docs/k8s/connect/terminating-gateways) -- [Connect External Services to Consul With Terminating Gateways tutorial](/consul/tutorials/developer-mesh/terminating-gateways-connect-external-services) - -To register a Lambda service with a terminating gateway, add the service to the -`Services` field of the terminating gateway's `terminating-gateway` -configuration entry. diff --git a/website/content/docs/k8s/connect/cluster-peering/usage/l7-traffic.mdx b/website/content/docs/manage-traffic/cluster-peering/k8s.mdx similarity index 95% rename from website/content/docs/k8s/connect/cluster-peering/usage/l7-traffic.mdx rename to website/content/docs/manage-traffic/cluster-peering/k8s.mdx index 0c3b28d693e..e424ce6fcca 100644 --- a/website/content/docs/k8s/connect/cluster-peering/usage/l7-traffic.mdx +++ b/website/content/docs/manage-traffic/cluster-peering/k8s.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Manage L7 Traffic With Cluster Peering on Kubernetes +page_title: Manage L7 traffic for Consul on Kubernetes with cluster peering connections description: >- Combine service resolver configurations with splitter and router configurations to manage L7 traffic in Consul on Kubernetes deployments with cluster peering connections. Learn how to define dynamic traffic rules to target peers for redirects in k8s. --- -# Manage L7 traffic with cluster peering on Kubernetes +# Manage L7 traffic for Consul on Kubernetes with cluster peering connections This usage topic describes how to configure the `service-resolver` custom resource definition (CRD) to set up and manage L7 traffic between services that have an existing cluster peering connection in Consul on Kubernetes deployments. diff --git a/website/content/docs/connect/cluster-peering/usage/peering-traffic-management.mdx b/website/content/docs/manage-traffic/cluster-peering/vm.mdx similarity index 97% rename from website/content/docs/connect/cluster-peering/usage/peering-traffic-management.mdx rename to website/content/docs/manage-traffic/cluster-peering/vm.mdx index 63942e5bdee..cfa94489238 100644 --- a/website/content/docs/connect/cluster-peering/usage/peering-traffic-management.mdx +++ b/website/content/docs/manage-traffic/cluster-peering/vm.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Cluster Peering L7 Traffic Management +page_title: Manage L7 traffic for VMs with cluster peering connections description: >- Combine service resolver configurations with splitter and router configurations to manage L7 traffic in Consul deployments with cluster peering connections. Learn how to define dynamic traffic rules to target peers for redirects and failover. --- -# Manage L7 traffic with cluster peering +# Manage L7 traffic for VMs with cluster peering connections This usage topic describes how to configure and apply the [`service-resolver` configuration entry](/consul/docs/connect/config-entries/service-resolver) to set up redirects and failovers between services that have an existing cluster peering connection. diff --git a/website/content/docs/k8s/l7-traffic/failover-tproxy.mdx b/website/content/docs/manage-traffic/failover/configure-k8s.mdx similarity index 94% rename from website/content/docs/k8s/l7-traffic/failover-tproxy.mdx rename to website/content/docs/manage-traffic/failover/configure-k8s.mdx index b5bd4983a27..9eb7f8dd941 100644 --- a/website/content/docs/k8s/l7-traffic/failover-tproxy.mdx +++ b/website/content/docs/manage-traffic/failover/configure-k8s.mdx @@ -26,11 +26,11 @@ Complete the following steps to configure failover service instances in Consul o ### ACL requirements -The default ACLs that the Consul Helm chart configures are suitable for most cases, but if you have more complex security policies for Consul API access, refer to the [ACL documentation](/consul/docs/security/acl) for additional guidance. +The default ACLs that the Consul Helm chart configures are suitable for most cases, but if you have more complex security policies for Consul API access, refer to the [ACL documentation](/consul/docs/secure-consul/acl) for additional guidance. ## Create a service resolver configuration entry -Specify the target failover in the [`spec.failover.targets`](/consul/docs/connect/config-entries/service-resolver#failover-targets-service) field in the service resolver configuration entry. In the following example, the `api-beta` service is configured to failover to the `api` service in any service subset: +Specify the target failover in the [`spec.failover.targets`](/consul/docs/reference/config-entry/service-resolver#failover-targets-service) field in the service resolver configuration entry. In the following example, the `api-beta` service is configured to failover to the `api` service in any service subset: @@ -48,7 +48,7 @@ spec: -Refer to the [service resolver configuration entry reference](/consul/docs/connect/config-entries/service-resolver) documentation for information about all service resolver configurations. +Refer to the [service resolver configuration entry reference](/consul/docs/reference/config-entry/service-resolver) documentation for information about all service resolver configurations. You can apply the configuration using the `kubectl apply` command: @@ -89,7 +89,7 @@ spec: -Refer to the [service intentions configuration entry reference](/consul/docs/connect/config-entries/service-intentions) for additional information about configuring service intentions. +Refer to the [service intentions configuration entry reference](/consul/docs/reference/config-entry/service-intention) for additional information about configuring service intentions. You can apply the configuration using the `kubectl apply` command: diff --git a/website/content/docs/connect/manage-traffic/failover/index.mdx b/website/content/docs/manage-traffic/failover/index.mdx similarity index 97% rename from website/content/docs/connect/manage-traffic/failover/index.mdx rename to website/content/docs/manage-traffic/failover/index.mdx index 52030e40689..54589ad9bbe 100644 --- a/website/content/docs/connect/manage-traffic/failover/index.mdx +++ b/website/content/docs/manage-traffic/failover/index.mdx @@ -33,7 +33,7 @@ Although cluster peering connections support the [`Failover` field of the prepar You can implement a service resolver configuration entry and specify a pool of failover service instances that other services can exchange messages with when the primary service becomes unhealthy or unreachable. We recommend adopting this strategy as a minimum baseline when implementing Consul service mesh and layering additional failover strategies to build resilience into your application network. -Refer to the [`Failover` configuration ](/consul/docs/connect/config-entries/service-resolver#failover) for examples of how to configure failover services in the service resolver configuration entry on both VMs and Kubernetes deployments. +Refer to the [`Failover` configuration ](/consul/docs/reference/config-entry/service-resolver#failover) for examples of how to configure failover services in the service resolver configuration entry on both VMs and Kubernetes deployments. ### Failover configuration for WAN-federated datacenters diff --git a/website/content/docs/manage-traffic/failover/prepared-query.mdx b/website/content/docs/manage-traffic/failover/prepared-query.mdx new file mode 100644 index 00000000000..03566b56db6 --- /dev/null +++ b/website/content/docs/manage-traffic/failover/prepared-query.mdx @@ -0,0 +1,200 @@ +--- +layout: docs +page_title: Automate geo-failover with prepared queries +description: Learn about failover strategies and service mesh features you can implement to route traffic if services become unhealthy or unreachable, including sameness groups, prepared queries, and service resolvers. +--- + +# Automate geo-failover with prepared queries + + + + The content of this tutorial also applies to Consul clusters hosted on HashiCorp Cloud (HCP). + + + +Within a single datacenter, Consul provides automatic failover for services by omitting failed service instances from DNS lookups and by providing service health information in APIs. + +When there are no more instances of a service available in the local datacenter, it can be challenging to implement failover policies to other datacenters because typically that logic would need to be written into each application. Fortunately, Consul has a [prepared query](/consul/api-docs/query) API +that provides the capability to let users define failover policies in a centralized way. It's easy to expose these to applications using Consul's DNS interface and it's also available to applications that consume Consul's APIs. + +Failover policies are flexible and can be applied in a variety of ways including: + +- Fully static lists of alternate datacenters. +- Fully dynamic policies that make use of Consul's [network coordinate](/consul/docs/architecture/coordinates) subsystem. +- Automatically determine the next best datacenter to failover to based on network round trip time. + +Prepared queries can be made with policies specific to certain services and prepared query templates can allow one policy to apply to many, or even all services, with just a small number of templates. + +This tutorial shows how to build geo failover policies using prepared queries through a set of examples. It also includes information on how to use prepared +query templates to simplify the failover process. + +## Prerequisites + +To complete this tutorial, you must have a Consul WAN federation of three +Consul clusters. In this example, the local Consul datacenter is called `dc1`, +and it has been federated with two remote datacenters - `dc2` and `dc3`. For +more information on how to federate clusters, please read the +[Federate Multiple Datacenters tutorial](/consul/docs/east-west/wan-federation/create). + +## Prepared query introduction + +Prepared queries are objects that are defined at the datacenter level. They +only need to be created once and are stored on the Consul servers. This method is similar to the values in Consul's KV store. + +Once created, prepared queries can then be invoked by applications to perform the query and get the latest results. + +Here's an example request to create a prepared query: + +```shell-session +$ curl http://127.0.0.1:8500/v1/query \ + --request POST \ + --data @- << EOF +{ + "Name": "banking-app", + "Service": { + "Service": "banking-app", + "Tags": ["v1.2.3"] + } +} +EOF +``` + +This creates a prepared query called "banking-app" that does a lookup for all instances of the "banking-app" service with the tag "v1.2.3". This policy could be used to control which version of a "banking-app" applications should be using in a centralized way. By [updating this prepared query](/consul/api-docs/query#update-prepared-query) to look for the tag "v1.2.4" applications could start to find the newer version of the service without having to reconfigure anything. + +Applications can make use of this query in two ways. + +1. Since we gave the prepared query a name, they can simply do a DNS lookup for "banking-app.query.consul" instead of "banking-app.service.consul". Now with the prepared query, there's the additional filter policy working behind the scenes that the application doesn't have to know about. + +1. Queries can also be executed using the [prepared query execute API](/consul/api-docs/query#execute-prepared-query) for applications that integrate with Consul's APIs directly. + +## Failover policy types + +Using the techniques in this section you will develop prepared queries with failover policies where simply changing application configurations to look up "banking-app.query.consul" instead of "banking-app.service.consul" via DNS will result in automatic geo failover to the next closest [federated](/consul/docs/east-west/wan-federation/create) Consul datacenters, in order of increasing network round trip time. + +Failover is just another policy choice for a prepared query, it works in the same manner as the previous example and is similarly transparent to applications. The failover policy is configured using the `Failover` structure, which contains two fields, both of which are optional, and determine what happens if no healthy nodes are available in the local datacenter when the query is executed. + +- `NearestN` `(int: 0)` - Specifies that the query will be forwarded to up to `NearestN` other datacenters based on their estimated network round trip time using [network coordinates](/consul/docs/architecture/coordinates). + +- `Datacenters` `(array: nil)` - Specifies a fixed list of remote datacenters to forward the query to if there are no healthy nodes in the local datacenter. Datacenters are queried in the order given in the list. + +The following examples use those fields to implement different geo failover policies methods. + +### Static policy + +A static failover policy includes a fixed list of datacenters to contact once there are no healthy instances in the local datacenter. + +Here's the example from the introduction, expanded with a static failover policy: + +```shell-session +$ curl http://127.0.0.1:8500/v1/query \ + --request POST \ + --data @- << EOF +{ + "Name": "banking-app", + "Service": { + "Service": "banking-app", + "Tags": ["v1.2.3"], + "Failover": { + "Datacenters": ["dc2", "dc3"] + } + } +} +EOF +``` + +When this query is executed, such as with a DNS lookup to "banking-app.query.consul", the following actions will occur: + +1. Consul servers in the local datacenter will attempt to find healthy instances of the "banking-app" service with the required tag. +2. If none are available locally, the Consul servers will make an RPC request to the Consul servers in "dc2" to perform the query there. +3. If none are available in "dc2", then an RPC will be made to the Consul servers in "dc3" to perform the query there. +4. Finally an error will be returned if none of these datacenters had any instances available. + +### Dynamic policy + +In a complex federated environment with many Consul datacenters, it can be cumbersome to set static failover policies, so Consul offers a dynamic option based on Consul's [network coordinate](/consul/docs/architecture/coordinates) subsystem. + +Consul continuously maintains an estimate of the network round trip time from the local datacenter to the servers in other datacenters it is federated with. Each server uses the median round trip time from itself to the servers in the remote datacenter. This means that failover can simply try other remote datacenters in order of increasing network round trip time, and if datacenters come and go, or experience network issues, this order will adjust automatically. + +Here's the example from the introduction, expanded with a dynamic failover policy: + +```shell-session +$ curl http://127.0.0.1:8500/v1/query \ + --request POST \ + --data @- << EOF +{ + "Name": "banking-app", + "Service": { + "Service": "banking-app", + "Tags": ["v1.2.3"], + "Failover": { + "NearestN": 2 + } + } +} +EOF +``` + +This query is resolved in a similar fashion to the previous example, except the choice of "dc1" or "dc2", or possibly some other datacenter, is made automatically. + +### Hybrid policy + +It is possible to combine `Datacenters` and `NearestN` in the same policy. The `NearestN` queries will be performed first, followed by the list given by `Datacenters`. + +```shell-session +$ curl http://127.0.0.1:8500/v1/query \ + --request POST \ + --data @- << EOF +{ + "Name": "banking-app", + "Service": { + "Service": "banking-app", + "Tags": ["v1.2.3"], + "Failover": { + "NearestN": 2, + "Datacenters": ["dc2", "dc3"] + } + } +} +EOF +``` + +Note, a given datacenter will only be queried one time during a failover, even if it is selected by both `NearestN` and is listed in `Datacenters`. This is useful for allowing a limited number of round trip-based attempts, followed by a static configuration for some known datacenter to failover to. + +### Prepared query template + +For datacenters with many services, it can be challenging to define a geo failover policy for each service. To relieve this challenge, Consul provides a [prepared query template](/consul/api-docs/query#prepared-query-templates) that allows one prepared query to apply to many, and even all, services. + +Templates can match on prefixes or use full regular expressions to determine which services they match. + +Below is an example request to create a prepared query template that applies a catch-all policy of dynamic geo failover to all services accessed by query lookup (`*.query.consul`). By specifying the `name_prefix_match` type and an empty name, this query template's policy will be applied to any name (`.query.consul`) that doesn't [match a higher-precedence query](/consul/api-docs/query#type). + +```shell-session +$ curl http://127.0.0.1:8500/v1/query \ + --request POST \ + --data @- << EOF +{ + "Name": "", + "Template": { + "Type": "name_prefix_match" + }, + "Service": { + "Service": "${name.full}", + "Failover": { + "NearestN": 2 + } + } +} +EOF +``` + + + + If multiple queries are registered, the most specific one will be selected, so it's possible to have a template like this as a catch-all, and then apply more specific policies to certain services. + + + +With this one prepared query template in place, simply changing application configurations to look up `banking-app.query.consul` instead of `banking-app.service.consul` via DNS will result in automatic geo failover to the next closest federated Consul datacenters, in order of increasing network round trip time. + +## Next steps + +In this tutorial, you learned how to use prepared queries for failover when integrating Consul with other applications. You can now configure your policies to failover to the nearest federated datacenter or to a list of secondary datacenters. You can also create a prepared query template which will help you reduce some complexity of creating policies for each individual service. diff --git a/website/content/docs/connect/manage-traffic/failover/sameness.mdx b/website/content/docs/manage-traffic/failover/sameness-group.mdx similarity index 89% rename from website/content/docs/connect/manage-traffic/failover/sameness.mdx rename to website/content/docs/manage-traffic/failover/sameness-group.mdx index ac8c8745fec..da87e5f7175 100644 --- a/website/content/docs/connect/manage-traffic/failover/sameness.mdx +++ b/website/content/docs/manage-traffic/failover/sameness-group.mdx @@ -6,13 +6,13 @@ description: You can configure sameness groups so that when a service instance f # Failover with sameness groups -This page describes how to use sameness groups to automatically redirect service traffic to healthy instances in failover scenarios. Sameness groups are a user-defined set of Consul admin partitions with identical registered services. These admin partitions typically belong to Consul datacenters in different cloud regions, which enables sameness groups to participate in several service failover configuration strategies. +This page describes how to use sameness groups to automatically redirect service traffic to healthy instances in failover scenarios. Sameness groups are a user-defined set of Consul admin partitions with identical registered services. These admin paritions typically belong to Consul datacenters in different cloud regions, which enables sameness groups to participate in several service failover configuration strategies. -To create a sameness group and configure each Consul datacenter to allow traffic from other members of the group, refer to [create sameness groups](/consul/docs/connect/cluster-peering/usage/create-sameness-groups). +To create a sameness group and configure each Consul datacenter to allow traffic from other members of the group, refer to [create sameness groups](/consul/docs/east-west/cluster-peering/usage/create-sameness-groups). ## Failover strategies -You can edit a sameness group configuration entry so that all services failover to healthy instances on other members of a sameness group by default. You can also reference the sameness group in other configuration entries to enact other failover strategies for your network. +You can edit a sameness group configuration entry so that all services failover to healthy instances on other members of a sameness group by default. You can also reference the sameness group in other configuration entries to enact other failover strategies for your network. You can establish a failover strategy by configuring sameness group behavior in the following locations: @@ -33,9 +33,9 @@ In the following example configuration entry, datacenter `dc1` has two partition ```hcl -Kind = "sameness-group" +Kind = "sameness-group" Name = "example-sg" -Partition = "partition-1" +Partition = "partition-1" DefaultForFailover = true Members = [ {Partition = "partition-1"}, @@ -50,8 +50,8 @@ Members = [ ``` { - "Kind": "sameness-group", - "Name": "example-sg", + "Kind": "sameness-group", + "Name": "example-sg", "Partition": "partition-1", "DefaultForFailover": true, "Members": [ @@ -74,12 +74,12 @@ Members = [ ```yaml apiVersion: consul.hashicorp.com/v1alpha1 -kind: SamenessGroup +kind: SamenessGroup metadata: name: example-sg spec: defaultForFailover: true - members: + members: - partition: partition-1 - partition: partition-2 - peer: dc2-partition-1 @@ -92,7 +92,7 @@ When a sameness group is configured as the failover default, sameness group fail All services registered in the admin partition must failover to another member of the sameness group. You cannot choose subsets of services to use the sameness group as the failover default. If groups do not have identical services, or if a service is registered to some group members but not all members, this failover strategy may produce errors. -For more information about specifying sameness group members and failover, refer to [sameness group configuration entry reference](/consul/docs/connect/config-entries/sameness-group). +For more information about specifying sameness group members and failover, refer to [sameness group configuration entry reference](/consul/docs/connects/config-entries/sameness-group). ### Failover with a service resolver configuration entry @@ -132,8 +132,8 @@ Failover { ``` { - "Kind": "service-resolver", - "Name": "db", + "Kind": "service-resolver", + "Name": "db", "DefaultSubset": "v1", "Subsets": { "v1": { @@ -142,7 +142,7 @@ Failover { "v2": { "Filter": "Service.Meta.version == v2" } - }, + }, "Failover": { "v1": { "SamenessGroup": "product-group" @@ -180,7 +180,7 @@ spec: -For more information, including additional examples, refer to [service resolver configuration entry reference](/consul/docs/connect/config-entries/service-resolver). +For more information, including additional examples, refer to [service resolver configuration entry reference](/consul/docs/reference/config-entry/service-resolver). ### Failover with a prepared query @@ -200,4 +200,4 @@ The following example demonstrates a prepared query that can be referenced with } ``` -In prepared queries, the sameness group is mutually exclusive with the [`Failover`](/consul/api-docs/query#failover) field because the sameness group includes failover targets based on the sameness group’s members. For more information about using prepared queries, refer to [Enable dynamic DNS queries](/consul/docs/services/discovery/dns-dynamic-lookups). +In prepared queries, the sameness group is mutually exclusive with the [`Failover`](/consul/api-docs/query#failover) field because the sameness group includes failover targets based on the sameness group’s members. For more information about using prepared queries, refer to [Enable dynamic DNS queries](/consul/docs/services/discovery/dns-dynamic-lookups). \ No newline at end of file diff --git a/website/content/docs/k8s/l7-traffic/route-to-virtual-services.mdx b/website/content/docs/manage-traffic/failover/virtual-service.mdx similarity index 94% rename from website/content/docs/k8s/l7-traffic/route-to-virtual-services.mdx rename to website/content/docs/manage-traffic/failover/virtual-service.mdx index bd8c9e3db31..a9b0c1472fc 100644 --- a/website/content/docs/k8s/l7-traffic/route-to-virtual-services.mdx +++ b/website/content/docs/manage-traffic/failover/virtual-service.mdx @@ -28,11 +28,11 @@ Complete the following steps to configure failover service instances in Consul o ### ACL requirements -The default ACLs that the Consul Helm chart configures are suitable for most cases, but if you have more complex security policies for Consul API access, refer to the [ACL documentation](/consul/docs/security/acl) for additional guidance. +The default ACLs that the Consul Helm chart configures are suitable for most cases, but if you have more complex security policies for Consul API access, refer to the [ACL documentation](/consul/docs/secure-consul/acl) for additional guidance. ## Create a service resolver configuration entry -Specify the target failover in the [`spec.redirect.service`](/consul/docs/connect/config-entries/service-resolver#spec-redirect-service) field in the service resolver configuration entry. In the following example, the `virtual-api` service is configured to redirect to the `real-api`: +Specify the target failover in the [`spec.redirect.service`](/consul/docs/reference/config-entry/service-resolver#spec-redirect-service) field in the service resolver configuration entry. In the following example, the `virtual-api` service is configured to redirect to the `real-api`: @@ -48,7 +48,7 @@ spec: -Refer to the [service resolver configuration entry reference](/consul/docs/connect/config-entries/service-resolver) documentation for information about all service resolver configurations. +Refer to the [service resolver configuration entry reference](/consul/docs/reference/config-entry/service-resolver) documentation for information about all service resolver configurations. You can apply the configuration using the `kubectl apply` command: @@ -89,7 +89,7 @@ spec: -Refer to the [service intentions configuration entry reference](/consul/docs/connect/config-entries/service-intentions) for additional information about configuring service intentions. +Refer to the [service intentions configuration entry reference](/consul/docs/reference/config-entry/service-intention) for additional information about configuring service intentions. You can apply the configuration using the `kubectl apply` command: diff --git a/website/content/docs/connect/manage-traffic/index.mdx b/website/content/docs/manage-traffic/index.mdx similarity index 88% rename from website/content/docs/connect/manage-traffic/index.mdx rename to website/content/docs/manage-traffic/index.mdx index 29ff68d9cef..f972cd63300 100644 --- a/website/content/docs/connect/manage-traffic/index.mdx +++ b/website/content/docs/manage-traffic/index.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Service mesh traffic management overview +page_title: Manage application traffic description: >- Consul can route, split, and resolve Layer 7 traffic in a service mesh to support workflows like canary testing and blue/green deployments. Learn about the three configuration entry kinds that define L7 traffic management behavior in Consul. --- -# Service mesh traffic management overview +# Manage application traffic This topic provides overview information about the application layer traffic management capabilities available in Consul service mesh. These capabilities are also referred to as *Layer 7* or *L7 traffic management*. @@ -13,8 +13,8 @@ This topic provides overview information about the application layer traffic man Consul service mesh allows you to divide application layer traffic between different subsets of service instances. You can leverage L7 traffic management capabilities to perform complex processes, such as configuring backup services for failover scenarios, canary and A-B testing, blue-green deployments, and soft multi-tenancy in which production, QA, and staging environments share compute resources. L7 traffic management with Consul service mesh allows you to designate groups of service instances in the Consul catalog smaller than all instances of single service and configure when that subset should receive traffic. -You cannot manage L7 traffic with the [built-in proxy](/consul/docs/connect/proxies/built-in), -[native proxies](/consul/docs/connect/native), or some [Envoy proxy escape hatches](/consul/docs/connect/proxies/envoy#escape-hatch-overrides). +You cannot manage L7 traffic with the [built-in proxy](/consul/docs/reference/proxy/built-in), +[native proxies](/consul/docs/connect/native), or some [Envoy proxy escape hatches](/consul/docs/reference/proxy/envoy#escape-hatch-overrides). ## Discovery chain @@ -32,13 +32,13 @@ The Consul UI shows discovery chain stages in the **Routing** tab of the **Servi You can define how Consul manages each stage of the discovery chain in a Consul _configuration entry_. [Configuration entries](/consul/docs/connect/config-entries) modify the default behavior of the Consul service mesh. -When managing L7 traffic with cluster peering, there are additional configuration requirements to resolve peers in the discovery chain. Refer to [Cluster peering L7 traffic management](/consul/docs/connect/cluster-peering/usage/peering-traffic-management) for more information. +When managing L7 traffic with cluster peering, there are additional configuration requirements to resolve peers in the discovery chain. Refer to [Cluster peering L7 traffic management](/consul/docs/east-west/cluster-peering/usage/peering-traffic-management) for more information. ### Routing The first stage of the discovery chain is the service router. Routers intercept traffic according to a set of L7 attributes, such as path prefixes and HTTP headers, and route the traffic to a different service or service subset. -Apply a [service router configuration entry](/consul/docs/connect/config-entries/service-router) to implement a router. Service router configuration entries can only reference service splitter or service resolver configuration entries. +Apply a [service router configuration entry](/consul/docs/reference/config-entry/service-router) to implement a router. Service router configuration entries can only reference service splitter or service resolver configuration entries. ![screenshot of service router in the UI](/img/l7-routing/Router.png) @@ -46,7 +46,7 @@ Apply a [service router configuration entry](/consul/docs/connect/config-entries The second stage of the discovery chain is the service splitter. Service splitters split incoming requests and route them to different services or service subsets. Splitters enable staged canary rollouts, versioned releases, and similar use cases. -Apply a [service splitter configuration entry](/consul/docs/connect/config-entries/service-splitter) to implement a splitter. Service splitters configuration entries can only reference other service splitters or service resolver configuration entries. +Apply a [service splitter configuration entry](/consul/docs/reference/config-entry/service-splitter) to implement a splitter. Service splitters configuration entries can only reference other service splitters or service resolver configuration entries. ![screenshot of service splitter in the UI](/img/l7-routing/Splitter.png) @@ -59,7 +59,6 @@ splitter[B]: A=50%, B=50% splitter[effective_B]: A_v1=25%, A_v2=25%, B=50% ``` - ### Resolution The third stage of the discovery chain is the service resolver. Service resolvers specify which instances of a service satisfy discovery requests for the provided service name. Service resolvers enable several use cases, including: @@ -70,8 +69,7 @@ The third stage of the discovery chain is the service resolver. Service resolver - Route traffic to specific Consul datacenters. - Create virtual services that route traffic to instances of the actual service in specific Consul datacenters. -Apply a [service resolver configuration entry](/consul/docs/connect/config-entries/service-resolver) to implement a resolver. Service resolver configuration entries can only reference other service resolvers. - +Apply a [service resolver configuration entry](/consul/docs/reference/config-entry/service-resolver) to implement a resolver. Service resolver configuration entries can only reference other service resolvers. ![screenshot of service resolver in the UI](/img/l7-routing/Resolver.png) @@ -81,4 +79,4 @@ Service resolver configuration entries can also process network layer, also call ## Locality-aware routing -By default, Consul balances traffic to all healthy upstream instances in the cluster, even if the instances are in different network regions and zones. You can configure Consul to route requests to upstreams in the same region and zone, which reduces latency and transfer costs. Refer to [Route traffic to local upstreams](/consul/docs/connect/manage-traffic/route-to-local-upstreams) for additional information. +By default, Consul balances traffic to all healthy upstream instances in the cluster, even if the instances are in different network regions and zones. You can configure Consul to route requests to upstreams in the same region and zone, which reduces latency and transfer costs. Refer to [Route traffic to local upstreams](/consul/docs/connect/manage-traffic/route-to-local-upstreams) for additional information. \ No newline at end of file diff --git a/website/content/docs/manage-traffic/k8s.mdx b/website/content/docs/manage-traffic/k8s.mdx new file mode 100644 index 00000000000..27889b63597 --- /dev/null +++ b/website/content/docs/manage-traffic/k8s.mdx @@ -0,0 +1,75 @@ +--- +layout: docs +page_title: Manage traffic for peered clusters on Kubernetes +description: >- + Combine service resolver configurations with splitter and router configurations to manage L7 traffic in Consul on Kubernetes deployments with cluster peering connections. Learn how to define dynamic traffic rules to target peers for redirects in k8s. +--- + +# Manage traffic for peered clusters on Kubernetes + +This usage topic describes how to configure the `service-resolver` custom resource definition (CRD) to set up and manage L7 traffic between services that have an existing cluster peering connection in Consul on Kubernetes deployments. + +For general guidance for managing L7 traffic with cluster peering, refer to [Manage L7 traffic with cluster peering](/consul/docs/east-west/cluster-peering/usage/peering-traffic-management). + +## Service resolvers for redirects and failover + +When you use cluster peering to connect datacenters through their admin partitions, you can use [dynamic traffic management](/consul/docs/connect/manage-traffic) to configure your service mesh so that services automatically forward traffic to services hosted on peer clusters. + +However, the `service-splitter` and `service-router` CRDs do not natively support directly targeting a service instance hosted on a peer. Before you can split or route traffic to a service on a peer, you must define the service hosted on the peer as an upstream service by configuring a failover in a `service-resolver` CRD. Then, you can set up a redirect in a second service resolver to interact with the peer service by name. + +For more information about formatting, updating, and managing configuration entries in Consul, refer to [How to use configuration entries](/consul/docs/agent/config-entries). + +## Configure dynamic traffic between peers + +To configure L7 traffic management behavior in deployments with cluster peering connections, complete the following steps in order: + +1. Define the peer cluster as a failover target in the service resolver configuration. + + The following example updates the [`service-resolver` CRD](/consul/docs/connect/config-entries/) in `cluster-01` so that Consul redirects traffic intended for the `frontend` service to a backup instance in peer `cluster-02` when it detects multiple connection failures. + + ```yaml + apiVersion: consul.hashicorp.com/v1alpha1 + kind: ServiceResolver + metadata: + name: frontend + spec: + connectTimeout: 15s + failover: + '*': + targets: + - peer: 'cluster-02' + service: 'frontend' + namespace: 'default' + ``` + +1. Define the desired behavior in `service-splitter` or `service-router` CRD. + + The following example splits traffic evenly between `frontend` and `frontend-peer`: + + ```yaml + apiVersion: consul.hashicorp.com/v1alpha1 + kind: ServiceSplitter + metadata: + name: frontend + spec: + splits: + - weight: 50 + ## defaults to service with same name as configuration entry ("frontend") + - weight: 50 + service: frontend-peer + ``` + +1. Create a second `service-resolver` configuration entry on the local cluster that resolves the name of the peer service you used when splitting or routing the traffic. + + The following example uses the name `frontend-peer` to define a redirect targeting the `frontend` service on the peer `cluster-02`: + + ```yaml + apiVersion: consul.hashicorp.com/v1alpha1 + kind: ServiceResolver + metadata: + name: frontend-peer + spec: + redirect: + peer: 'cluster-02' + service: 'frontend' + ``` diff --git a/website/content/docs/connect/manage-traffic/limit-request-rates.mdx b/website/content/docs/manage-traffic/rate-limit.mdx similarity index 97% rename from website/content/docs/connect/manage-traffic/limit-request-rates.mdx rename to website/content/docs/manage-traffic/rate-limit.mdx index adf2af5b706..9c096f95369 100644 --- a/website/content/docs/connect/manage-traffic/limit-request-rates.mdx +++ b/website/content/docs/manage-traffic/rate-limit.mdx @@ -68,7 +68,7 @@ rateLimit: -Refer to the [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for additional specifications and example configurations. +Refer to the [service defaults configuration entry reference](/consul/docs/reference/config-entry/service-default) for additional specifications and example configurations. ## Specify request rate limits for specific paths @@ -141,4 +141,4 @@ rateLimit: -Refer to the [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for additional specifications and example configurations. \ No newline at end of file +Refer to the [service defaults configuration entry reference](/consul/docs/reference/config-entry/service-default) for additional specifications and example configurations. \ No newline at end of file diff --git a/website/content/docs/connect/manage-traffic/route-to-local-upstreams.mdx b/website/content/docs/manage-traffic/route-local.mdx similarity index 88% rename from website/content/docs/connect/manage-traffic/route-to-local-upstreams.mdx rename to website/content/docs/manage-traffic/route-local.mdx index 4d5be2e5b55..540499bf94e 100644 --- a/website/content/docs/connect/manage-traffic/route-to-local-upstreams.mdx +++ b/website/content/docs/manage-traffic/route-local.mdx @@ -19,7 +19,6 @@ By default, Consul balances traffic to all healthy upstream instances in the clu When properly implemented, routing traffic to local upstreams can reduce latency and transfer costs associated with sending requests to other regions. - ### Workflow For networks deployed to virtual machines, complete the following steps to route traffic to local upstream services: @@ -32,19 +31,19 @@ For networks deployed to virtual machines, complete the following steps to route If you deployed Consul to a Kubernetes or ECS environment using `consul-k8s` or `consul-ecs`, service instance locality information is inherited from the host machine. As a result, you do not need to specify the regions and zones on containerized platforms unless you are implementing a custom deployment. -On Kubernetes, Consul automatically populates geographic information about service instances using the `topology.kubernetes.io/region` and `topology.kubernetes.io/zone` labels from the Kubernetes nodes. On AWS ECS, Consul uses the `AWS_REGION` environment variable and `AvailabilityZone` attribute of the ECS task meta. +On Kubernetes, Consul automatically populates geographic information about service instances using the `topology.kubernetes.io/region` and `topology.kubernetes.io/zone` labels from the Kubernetes nodes. On AWS ECS, Consul uses the `AWS_REGION` environment variable and `AvailabilityZone` attribute of the ECS task meta. ### Requirements -You should only enable locality-aware routing when each set of external upstream instances within the same zone and region have enough capacity to handle requests from downstream service instances in their respective zones. Locality-aware routing is an advanced feature that may adversely impact service capacity if used incorrectly. When enabled, Consul routes all traffic to the nearest set of service instances and only fails over when no healthy instances are available in the nearest set. +You should only enable locality-aware routing when each set of external upstream instances within the same zone and region have enough capacity to handle requests from downstream service instances in their respective zones. Locality-aware routing is an advanced feature that may adversely impact service capacity if used incorrectly. When enabled, Consul routes all traffic to the nearest set of service instances and only fails over when no healthy instances are available in the nearest set. ## Specify the locality of your Consul agents The `locality` configuration on a Consul client applies to all services registered to the client. -1. Configure the `locality` block in your Consul client agent configuration files. The `locality` block is a map containing the `region` and `zone` parameters. +1. Configure the `locality` block in your Consul client agent configuration files. The `locality` block is a map containing the `region` and `zone` parameters. - The parameters should match the values for regions and zones defined in your network. Refer to [`locality`](/consul/docs/agent/config/config-files#locality) in the agent configuration reference for additional information. + The parameters should match the values for regions and zones defined in your network. Refer to [`locality`](/consul/docs/reference/agent#locality) in the agent configuration reference for additional information. 1. Start or restart the agent to apply the configuration. Refer to [Starting a Consul agent](/consul/docs/agent#starting-the-consul-agent) for instructions. @@ -59,18 +58,18 @@ locality = { ## Specify the localities of your service instances (optional) -This step is optional in most scenarios. Refer to [Workflow](#workflow) for additional information. +This step is optional in most scenarios. Refer to [Workflow](#workflow) for additional information. 1. Configure the `locality` block in your service definition for both downstream (client) and upstream services. The `locality` block is a map containing the `region` and `zone` parameters. When you start a proxy for the service, Consul passes the locality to the proxy so that it can route traffic accordingly. - The parameters should match the values for regions and zones defined in your network. Refer to [`locality`](/consul/docs/services/configuration/services-configuration-reference#locality) in the services configuration reference for additional information. + The parameters should match the values for regions and zones defined in your network. Refer to [`locality`](/consul/docs/reference/service#locality) in the services configuration reference for additional information. -1. Verify that your service is also configured with a proxy. Refer to [Define service mesh proxy](/consul/docs/connect/proxies/deploy-sidecar-services#define-service-mesh-proxy) for additional information. -Register or re-register the service to apply the configuration. Refer to [Register services and health checks](/consul/docs/services/usage/register-services-checks) for instructions. +1. Verify that your service is also configured with a proxy. Refer to [Define service mesh proxy](/consul/docs/reference/proxy/sidecar#define-service-mesh-proxy) for additional information. +Register or re-register the service to apply the configuration. Refer to [Register services and health checks](/consul/docs/register/service/vm) for instructions. In the following example, the `web` service is available in the `us-west-1` region and `us-west-1a` zone on AWS: -```hcl +```hcl service { id = "web" locality = { @@ -89,7 +88,7 @@ You can configure the default routing behavior for all proxies in the mesh as we ### Configure default routing behavior -Configure the `PrioritizeByLocality` block in the proxy defaults configuration entry and specify the `failover` mode. This configuration enables proxies in the mesh to use the region and zone defined in the service configuration to route traffic. Refer to [`PrioritizeByLocality`](/consul/docs/connect/config-entries/proxy-defaults#prioritizebylocality) in the proxy defaults reference for details about the configuration. +Configure the `PrioritizeByLocality` block in the proxy defaults configuration entry and specify the `failover` mode. This configuration enables proxies in the mesh to use the region and zone defined in the service configuration to route traffic. Refer to [`PrioritizeByLocality`](/consul/docs/reference/config-entry/proxy-defaults#prioritizebylocality) in the proxy defaults reference for details about the configuration. @@ -167,12 +166,12 @@ Apply the configuration by either running the [`consul config write` CLI command 1. Create a service resolver configuration entry and specify the following fields: - `Name`: The name of the target upstream service for which downstream clients should use locality-aware routing. - - `PrioritizeByLocality`: This block enables proxies in the mesh to use the region and zone defined in the service configuration to route traffic. Set the `mode` inside the block to `failover`. Refer to [`PrioritizeByLocality`](/consul/docs/connect/config-entries/service-resolver#prioritizebylocality) in the service resolver reference for details about the configuration. + - `PrioritizeByLocality`: This block enables proxies in the mesh to use the region and zone defined in the service configuration to route traffic. Set the `mode` inside the block to `failover`. Refer to [`PrioritizeByLocality`](/consul/docs/reference/config-entry/service-resolver#prioritizebylocality) in the service resolver reference for details about the configuration. - + ```hcl Kind = "service-resolver" Name = "api" @@ -182,10 +181,10 @@ Apply the configuration by either running the [`consul config write` CLI command ``` - + - + ```json { "kind": "service-resolver", @@ -199,7 +198,7 @@ Apply the configuration by either running the [`consul config write` CLI command - + ```yaml apiversion: consul.hashicorp.com/v1alpha1 kind: ServiceResolver @@ -209,7 +208,7 @@ Apply the configuration by either running the [`consul config write` CLI command prioritizeByLocality: mode: failover ``` - + @@ -218,32 +217,32 @@ Apply the configuration by either running the [`consul config write` CLI command - + ```shell-session $ consul config write api-resolver.hcl ``` - + - + - + ```shell-session $ kubectl apply -f api-resolver.yaml ``` - + - + ```shell-session $ curl --request PUT --data @api-resolver.hcl http://127.0.0.1:8500/v1/config ``` - + ### Configure locality on Kubernetes test clusters explicitly -You can explicitly configure locality for each Kubernetes node so that you can test locality-aware routing with a local Kubernetes cluster or in an environment where `topology.kubernetes.io` labels are not set. +You can explicitly configure locality for each Kubernetes node so that you can test locality-aware routing with a local Kubernetes cluster or in an environment where `topology.kubernetes.io` labels are not set. Run the `kubectl label node` command and specify the locality as arguments. The following example specifies the `us-east-1` region and `us-east-1a` zone for the node: @@ -259,9 +258,9 @@ The routes from each downstream service instance to the nearest set of healthy u Consul configures Envoy's built-in [`overprovisioning_factor`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint.proto#config-endpoint-v3-clusterloadassignment) and [outlier detection](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/outlier_detection.proto#config-cluster-v3-outlierdetection) settings to enforce failover behavior. However, Envoy does not provide granular metrics specific to failover or endpoint traffic within a cluster. As a result, using external observability tools that expose network traffic within your environment is the best method for observing route changes. -To verify that locality-aware routing and failover configurations, you can inspect Envoy's xDS configuration dump for a downstream proxy. Refer to the [consul-k8s CLI docs](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli#proxy-read) for details on how to obtain the xDS configuration dump on Kubernetes. For other workloads, use the Envoy [admin interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin) and ensure that you [include EDS](https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--config_dump?include_eds). +To verify that locality-aware routing and failover configurations, you can inspect Envoy's xDS configuration dump for a downstream proxy. Refer to the [consul-k8s CLI docs](/consul/docs/reference-cli/consul-k8s#proxy-read) for details on how to obtain the xDS configuration dump on Kubernetes. For other workloads, use the Envoy [admin interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin) and ensure that you [include EDS](https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--config_dump?include_eds). -Inspect the [priority](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/priority#arch-overview-load-balancing-priority-levels) on each set of endpoints under the upstream `ClusterLoadAssignment` in the `EndpointsConfigDump`. Alternatively, the same priorities should be visible within the output of the [`/clusters?format=json`](https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--clusters?format=json) admin endpoint. +Inspect the [priority](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/priority#arch-overview-load-balancing-priority-levels) on each set of endpoints under the upstream `ClusterLoadAssignment` in the `EndpointsConfigDump`. Alternatively, the same priorities should be visibile within the output of the [`/clusters?format=json`](https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--clusters?format=json) admin endpoint. ```json { @@ -342,13 +341,13 @@ Refer to [Troubleshooting](#troubleshooting) if you do not observe the expected ## Adjust load balancing and failover behavior -You can adjust the global or per-service load balancing and failover behaviors by applying the property override Envoy extension. The property override extension allows you to set and remove individual properties on the Envoy resources Consul generates. Refer to [Configure Envoy proxy properties](/consul/docs/connect/proxies/envoy-extensions/usage/property-override) for additional information. +You can adjust the global or per-service load balancing and failover behaviors by applying the property override Envoy extension. The property override extension allows you to set and remove individual properties on the Envoy resources Consul generates. Refer to [Configure Envoy proxy properties](/consul/docs/reference/proxy/envoy-extensions/usage/property-override) for additional information. 1. Add the `EnvoyExtensions` configuration block to the service defaults or proxy defaults configuration entry. 1. Configure the following settings in the `EnvoyExtensions` configuration: - [`overprovisioning_factor`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint.proto#config-endpoint-v3-clusterloadassignment) - [outlier detection](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/outlier_detection.proto#config-cluster-v3-outlierdetection) configuration. -1. Apply the configuration. Refer to [Apply the configuration entry](/consul/docs/connect/proxies/envoy-extensions/usage/property-override#apply-the-configuration-entry) for details. +1. Apply the configuration. Refer to [Apply the configuration entry](/consul/docs/reference/proxy/envoy-extensions/usage/property-override#apply-the-configuration-entry) for details. By default, Consul sets `overprovisioning_factor` to `100000`, which enforces total failover, and `max_ejection_percent` to `100`. Refer to the Envoy documentation about these fields before attempting to modify them. diff --git a/website/content/docs/manage-traffic/split-multi-port-traffic.mdx b/website/content/docs/manage-traffic/split-multi-port-traffic.mdx new file mode 100644 index 00000000000..113c1ffd980 --- /dev/null +++ b/website/content/docs/manage-traffic/split-multi-port-traffic.mdx @@ -0,0 +1,164 @@ +--- +layout: docs +page_title: Split traffic between multi-port services +description: Learn how to configure Consul to split TCP traffic between two ports of a multi-port service using the TCPRoute resource and the v2 catalog API +--- + +# Split TCP traffic between multi-port services + + + +Multi-port services are part of a beta release. This documentation supports testing and development scenarios. Do not use multi-port services or the v2 catalog API in secure production environments. + + + +This page describes the process for splitting TCP, HTTP, and gRPC traffic between two ports of a multi-port service. It includes an example TCPRoute resource configuration to demonstrate Consul's multi-port features. + +## Prerequisites + +Splitting traffic between two ports of a multi-port service requires the [v2 catalog API](/consul/docs/architecture/catalog/v2). + +In addition, how you define a multi-port service affects how Services are addressed in Kubernetes. The instructions on this page offer examples for two configuration methods: + +- **Method 1**: Define a single Kubernetes Service that exposes multiple ports +- **Method 2**: Define multiple Kubernetes Services that expose individual ports + +For guidance on enabling the v2 catalog, deploying multi-port services using these methods, and applying traffic permissions to the services, refer to [configure multi-port services](/consul/docs/connect/multi-port/configure). + +## Overview + +Complete the following steps to implement a split in TCP traffic between two services: + +1. Define the resource's behavior in a custom resource definition (CRD). +1. Apply the resource to your cluster. + +## Define route resource + +The following example splits traffic for the services in the `api` Pod. + + + + + +TCP traffic for services registered to the Consul catalog that are available at the `admin` port is split so that 50% of the traffic routes to the service at the `api` port and 50% routes to the service at the `admin` port. + + + +```yaml +apiVersion: mesh.consul.hashicorp.com/v2beta1 +kind: TCPRoute +metadata: + name: api-split +spec: + parentRefs: + - ref: + type: + group: catalog + groupVersion: v2beta1 + kind: Service + name: api + port: "admin" + rules: + - backendRefs: + - backendRef: + ref: + type: + group: catalog + groupVersion: v2beta1 + kind: Service + name: api + port: "api" + weight: 50 + - backendRef: + ref: + type: + group: catalog + groupVersion: v2beta1 + kind: Service + name: api + port: "admin" + weight: 50 +``` + + + + + + +TCP traffic for services registered to the Consul catalog that are available at the `api-admin` port is split so that 50% of the traffic routes to the service at the `api` port and 50% routes to the service at the `api-admin` port. + + + +```yaml +apiVersion: mesh.consul.hashicorp.com/v2beta1 +kind: TCPRoute +metadata: + name: api-split +spec: + parentRefs: + - ref: + type: + group: catalog + groupVersion: v2beta1 + kind: Service + name: api-admin + port: "admin" + rules: + - backendRefs: + - backendRef: + ref: + type: + group: catalog + groupVersion: v2beta1 + kind: Service + name: api + port: "api" + weight: 50 + - backendRef: + ref: + type: + group: catalog + groupVersion: v2beta1 + kind: Service + name: api-admin + port: "admin" + weight: 50 +``` + + + + + + +## Apply the resource + +Use the `kubectl` command to apply the resource to your Consul cluster. + +```shell-session +$ kubectl apply -f api-split.yaml +``` + + + + + +Then, open a shell session in the `web` container and test the `api` service on port 90. + +```shell-session +$ kubectl exec -it ${WEB_POD} -c web -- curl api:90 +``` + + + + + +Then, open a shell session in the `web` container and test the `api-admin` service on port 90. + +```shell-session +$ kubectl exec -it ${WEB_POD} -c web -- curl api-admin:90 +``` + + + + +Half of the traffic should respond with the `hello world` response from port 80, instead of port 90's response of `hello world from 9090 admin`. Repeat the command several times to verify that you receive both responses. \ No newline at end of file diff --git a/website/content/docs/manage-traffic/vm.mdx b/website/content/docs/manage-traffic/vm.mdx new file mode 100644 index 00000000000..2a9be6965b3 --- /dev/null +++ b/website/content/docs/manage-traffic/vm.mdx @@ -0,0 +1,168 @@ +--- +layout: docs +page_title: Manage traffic for peered clusters on VMs +description: >- + Combine service resolver configurations with splitter and router configurations to manage L7 traffic in Consul deployments with cluster peering connections. Learn how to define dynamic traffic rules to target peers for redirects and failover. +--- + +# Manage traffic for peered clusters on VMs + +This usage topic describes how to configure and apply the [`service-resolver` configuration entry](/consul/docs/reference/config-entry/service-resolver) to set up redirects and failovers between services that have an existing cluster peering connection. + +For Kubernetes-specific guidance for managing L7 traffic with cluster peering, refer to [Manage L7 traffic with cluster peering on Kubernetes](/consul/docs/k8s/connect/cluster-peering/usage/l7-traffic). + +## Service resolvers for redirects and failover + +When you use cluster peering to connect datacenters through their admin partitions, you can use [dynamic traffic management](/consul/docs/connect/manage-traffic) to configure your service mesh so that services automatically forward traffic to services hosted on peer clusters. + +However, the `service-splitter` and `service-router` configuration entry kinds do not natively support directly targeting a service instance hosted on a peer. Before you can split or route traffic to a service on a peer, you must define the service hosted on the peer as an upstream service by configuring a failover in the `service-resolver` configuration entry. Then, you can set up a redirect in a second service resolver to interact with the peer service by name. + +For more information about formatting, updating, and managing configuration entries in Consul, refer to [How to use configuration entries](/consul/docs/agent/config-entries). + +## Configure dynamic traffic between peers + +To configure L7 traffic management behavior in deployments with cluster peering connections, complete the following steps in order: + +1. Define the peer cluster as a failover target in the service resolver configuration. + + The following examples update the [`service-resolver` configuration entry](/consul/docs/reference/config-entry/service-resolver) in `cluster-01` so that Consul redirects traffic intended for the `frontend` service to a backup instance in peer `cluster-02` when it detects multiple connection failures. + + + + ```hcl + Kind = "service-resolver" + Name = "frontend" + ConnectTimeout = "15s" + Failover = { + "*" = { + Targets = [ + {Peer = "cluster-02"} + ] + } + } + ``` + + ```json + { + "ConnectTimeout": "15s", + "Kind": "service-resolver", + "Name": "frontend", + "Failover": { + "*": { + "Targets": [ + { + "Peer": "cluster-02" + } + ] + } + }, + "CreateIndex": 250, + "ModifyIndex": 250 + } + ``` + + ```yaml + apiVersion: consul.hashicorp.com/v1alpha1 + kind: ServiceResolver + metadata: + name: frontend + spec: + connectTimeout: 15s + failover: + '*': + targets: + - peer: 'cluster-02' + service: 'frontend' + namespace: 'default' + ``` + + + +1. Define the desired behavior in `service-splitter` or `service-router` configuration entries. + + The following example splits traffic evenly between `frontend` services hosted on peers by defining the desired behavior locally: + + + + ```hcl + Kind = "service-splitter" + Name = "frontend" + Splits = [ + { + Weight = 50 + ## defaults to service with same name as configuration entry ("frontend") + }, + { + Weight = 50 + Service = "frontend-peer" + }, + ] + ``` + + ```json + { + "Kind": "service-splitter", + "Name": "frontend", + "Splits": [ + { + "Weight": 50 + }, + { + "Weight": 50, + "Service": "frontend-peer" + } + ] + } + ``` + + ```yaml + apiVersion: consul.hashicorp.com/v1alpha1 + kind: ServiceSplitter + metadata: + name: frontend + spec: + splits: + - weight: 50 + ## defaults to service with same name as configuration entry ("frontend") + - weight: 50 + service: frontend-peer + ``` + + + +1. Create a local `service-resolver` configuration entry named `frontend-peer` and define a redirect targeting the peer and its service: + + + + ```hcl + Kind = "service-resolver" + Name = "frontend-peer" + Redirect { + Service = frontend + Peer = "cluster-02" + } + ``` + + ```json + { + "Kind": "service-resolver", + "Name": "frontend-peer", + "Redirect": { + "Service": "frontend", + "Peer": "cluster-02" + } + } + ``` + + ```yaml + apiVersion: consul.hashicorp.com/v1alpha1 + kind: ServiceResolver + metadata: + name: frontend-peer + spec: + redirect: + peer: 'cluster-02' + service: 'frontend' + ``` + + diff --git a/website/content/docs/agent/limits/index.mdx b/website/content/docs/manage/agent-rate-limit/index.mdx similarity index 83% rename from website/content/docs/agent/limits/index.mdx rename to website/content/docs/manage/agent-rate-limit/index.mdx index ecf6deac49b..5b0046ab061 100644 --- a/website/content/docs/agent/limits/index.mdx +++ b/website/content/docs/manage/agent-rate-limit/index.mdx @@ -6,7 +6,6 @@ description: Rate limiting is a set of Consul server agent configurations that y # Traffic rate limiting overview - This topic provides overview information about the traffic rates limits you can configure for Consul datacenters. ## Introduction @@ -17,11 +16,11 @@ Configuring rate limits on RPC and gRPC traffic mitigates the risks to Consul se You can set global limits on the rate of read and write requests that affect individual servers in the datacenter. You can set limits for all source IP addresses, which enables you to specify a budget for read and write requests to prevent any single source IP from overwhelming the Consul server and negatively affecting the network. The following steps describe the general process for setting global read and write rate limits: -1. Set arbitrary limits to begin understanding the upper boundary of RPC and gRPC loads in your network. Refer to [Initialize rate limit settings](/consul/docs/agent/limits/usage/init-rate-limits) for additional information. +1. Set arbitrary limits to begin understanding the upper boundary of RPC and gRPC loads in your network. Refer to [Initialize rate limit settings](/consul/docs/manage-consul/agent-rate-limit/initialize) for additional information. -1. Monitor the metrics and logs and readjust the initial configurations as necessary. Refer to [Monitor rate limit data](/consul/docs/agent/limits/usage/monitor-rate-limits) +1. Monitor the metrics and logs and readjust the initial configurations as necessary. Refer to [Monitor rate limit data](/consul/docs/manage-consul/agent-rate-limit/monitor) -1. Define your final operational limits based on your observations. If you are defining global rate limits, refer to [Set global traffic rate limits](/consul/docs/agent/limits/usage/set-global-traffic-rate-limits) for additional information. For information about setting limits per source IP address, refer to [Limit traffic rates for a source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips). +1. Define your final operational limits based on your observations. If you are defining global rate limits, refer to [Set global traffic rate limits](/consul/docs/manage-consul/agent-rate-limit/set-global) for additional information. For information about setting limits per source IP address, refer to [Limit traffic rates for a source IP](/consul/docs/manage-consul/agent-rate-limit/source-ip-addresses). Setting limits per source IP requires Consul Enterprise. @@ -58,4 +57,4 @@ You can define request rate limits in the agent configuration and in the control ## Kubernetes -To define global rate limits, configure the `request_limits` settings in the Consul Helm chart. Refer to the [Helm chart reference](/consul/docs/k8s/helm) for additional information. Refer to the [control plane request limit configuration entry reference](/consul/docs/connect/config-entries/control-plane-request-limit) for information about applying a CRD for limiting traffic rates from source IPs. +To define global rate limits, configure the `request_limits` settings in the Consul Helm chart. Refer to the [Helm chart reference](/consul/docs/reference/k8s/helm) for additional information. Refer to the [control plane request limit configuration entry reference](/consul/docs/reference/config-entry/control-plane-request-limit) for information about applying a CRD for limiting traffic rates from source IPs. diff --git a/website/content/docs/agent/limits/usage/init-rate-limits.mdx b/website/content/docs/manage/agent-rate-limit/initialize.mdx similarity index 82% rename from website/content/docs/agent/limits/usage/init-rate-limits.mdx rename to website/content/docs/manage/agent-rate-limit/initialize.mdx index 1c84ca4f6e5..c910a2caf2a 100644 --- a/website/content/docs/agent/limits/usage/init-rate-limits.mdx +++ b/website/content/docs/manage/agent-rate-limit/initialize.mdx @@ -14,7 +14,7 @@ Because each network has different needs and application, you need to find out w - Number of servers and the projected load - Existing metrics expressing requests per second -1. Set the [`limits.request_limits.mode`](/consul/docs/agent/config/config-files#mode-1) parameter in the agent configuration to `permissive`. In the following example, the configuration allows up to 1000 reads and 500 writes per second for each Consul agent: +1. Set the [`limits.request_limits.mode`](/consul/docs/reference/agent#mode-1) parameter in the agent configuration to `permissive`. In the following example, the configuration allows up to 1000 reads and 500 writes per second for each Consul agent: ```hcl request_limits { @@ -23,7 +23,7 @@ Because each network has different needs and application, you need to find out w write_rate = 500.0 } ``` -1. Observe the logs and metrics for your application's typical cycle, such as a 24 hour period. Refer to [Monitor traffic rate limit data](/consul/docs/agent/limits/usage/monitor-rate-limits) for additional information. Call the [`/agent/metrics`](/consul/api-docs/agent#view-metrics) HTTP API endpoint and check the data for the following metrics: +1. Observe the logs and metrics for your application's typical cycle, such as a 24 hour period. Refer to [Monitor traffic rate limit data](/consul/docs/manage-consul/agent-rate-limit/monitor) for additional information. Call the [`/agent/metrics`](/consul/api-docs/agent#view-metrics) HTTP API endpoint and check the data for the following metrics: - `rpc.rate_limit.exceeded` with value `global/read` for label `limit_type` - `rpc.rate_limit.exceeded` with value `global/write` for label `limit_type` diff --git a/website/content/docs/agent/limits/usage/monitor-rate-limits.mdx b/website/content/docs/manage/agent-rate-limit/monitor.mdx similarity index 87% rename from website/content/docs/agent/limits/usage/monitor-rate-limits.mdx rename to website/content/docs/manage/agent-rate-limit/monitor.mdx index 23502d1cb14..ebe1aae778b 100644 --- a/website/content/docs/agent/limits/usage/monitor-rate-limits.mdx +++ b/website/content/docs/manage/agent-rate-limit/monitor.mdx @@ -14,13 +14,13 @@ Consul prints a log line for each rate limit request. The log provides the neces The following example log shows that RPC request from `127.0.0.1:53562` to `KVS.Apply` exceeded the limit: -```text +```text hideClipboard 2023-02-17T10:01:15.565-0500 [DEBUG] agent.server.rpc-rate-limit: RPC exceeded allowed rate limit: rpc=KVS.Apply source_addr=127.0.0.1:53562 limit_type=global/write limit_enforced=false ``` -Refer to [`log_file`](/consul/docs/agent/config/config-files#log_file) for information about where to retrieve log files. +Refer to [`log_file`](/consul/docs/reference/agent#log_file) for information about where to retrieve log files. ## Review rate limit metrics @@ -70,8 +70,8 @@ Refer to [Telemetry](/consul/docs/agent/telemetry) for additional information. When an HTTP request is denied for rate limiting reason, Consul returns one of the following errors: -- **429 Resource Exhausted**: Indicates that a server is not able to perform the request but that another server could potentially fulfill it. This error is most common on stale reads because any server may fulfill stale read requests. To resolve this type of error, we recommend immediately retrying the request to another server. If the request came from a Consul client agent, the agent automatically retries the request up to the limit set in the [`rpc_hold_timeout`](/consul/docs/agent/config/config-files#rpc_hold_timeout) configuration . +- **429 Resource Exhausted**: Indicates that a server is not able to perform the request but that another server could potentially fulfill it. This error is most common on stale reads because any server may fulfill stale read requests. To resolve this type of error, we recommend immediately retrying the request to another server. If the request came from a Consul client agent, the agent automatically retries the request up to the limit set in the [`rpc_hold_timeout`](/consul/docs/reference/agent#rpc_hold_timeout) configuration . -- **503 Service Unavailable**: Indicates that server is unable to perform the request and that no other server can fulfill the request, either. This usually occurs on consistent reads or for writes. In this case we recommend retrying according to an exponential backoff schedule. If the request came from a Consul client agent, the agent automatically retries the request according to the [`rpc_hold_timeout`](/consul/docs/agent/config/config-files#rpc_hold_timeout) configuration. +- **503 Service Unavailable**: Indicates that server is unable to perform the request and that no other server can fulfill the request, either. This usually occurs on consistent reads or for writes. In this case we recommend retrying according to an exponential backoff schedule. If the request came from a Consul client agent, the agent automatically retries the request according to the [`rpc_hold_timeout`](/consul/docs/reference/agent#rpc_hold_timeout) configuration. -Refer to [Rate limit reached on the server](/consul/docs/troubleshoot/common-errors#rate-limit-reached-on-the-server) for additional information. \ No newline at end of file +Refer to [Rate limit reached on the server](/consul/docs/error-messages/consul#rate-limit-reached-on-the-server) for additional information. \ No newline at end of file diff --git a/website/content/docs/agent/limits/usage/set-global-traffic-rate-limits.mdx b/website/content/docs/manage/agent-rate-limit/set-global.mdx similarity index 63% rename from website/content/docs/agent/limits/usage/set-global-traffic-rate-limits.mdx rename to website/content/docs/manage/agent-rate-limit/set-global.mdx index c0afeec9010..e8068fe9d89 100644 --- a/website/content/docs/agent/limits/usage/set-global-traffic-rate-limits.mdx +++ b/website/content/docs/manage/agent-rate-limit/set-global.mdx @@ -14,15 +14,15 @@ Rate limits apply to each Consul server separately and limit the number of read Because all requests coming to a Consul server eventually perform an RPC or an internal gRPC request, global rate limits apply to Consul's user interfaces, such as the HTTP API interface, the CLI, and the external gRPC endpoint for services in the service mesh. -Refer to [Initialize Rate Limit Settings](/consul/docs/agent/limits/init-rate-limits) for additional information about right-sizing your gRPC request configurations. +Refer to [Initialize Rate Limit Settings](/consul/docs/manage-consul/agent-rate-limit/initialize) for additional information about right-sizing your gRPC request configurations. ## Set a global rate limit for a Consul server Configure the following settings in your Consul server configuration to limit the RPC and gRPC traffic rates. -- Set the rate limiter [`mode`](/consul/docs/agent/config/config-files#mode-1) -- Set the [`read_rate`](/consul/docs/agent/config/config-files#read_rate) -- Set the [`write_rate`](/consul/docs/agent/config/config-files#write_rate) +- Set the rate limiter [`mode`](/consul/docs/reference/agent#mode-1) +- Set the [`read_rate`](/consul/docs/reference/agent#read_rate) +- Set the [`write_rate`](/consul/docs/reference/agent#write_rate) In the following example, the Consul server is configured to prevent more than `500` read and `200` write RPC calls: @@ -55,8 +55,8 @@ limits = { ## Monitor request rate traffic -You should continue to monitor request traffic to ensure that request rates remain within the threshold you defined. Refer to [Monitor traffic rate limit data](/consul/docs/agent/limits/usage/monitor-rate-limits) for instructions about checking metrics and log entries, as well as troubleshooting information. +You should continue to monitor request traffic to ensure that request rates remain within the threshold you defined. Refer to [Monitor traffic rate limit data](/consul/docs/manage-consul/agent-rate-limit/monitor) for instructions about checking metrics and log entries, as well as troubleshooting information. ## Disable request rate limits -Set the [`limits.request_limits.mode`](/consul/docs/agent/config/config-files#mode-1) to `disabled` to allow services to exceed the specified read and write requests limits, even limits specified in the [control plane request limits configuration entry](/consul/docs/connect/config-entries/control-plane-request-limit). Note that any other mode specified in the agent configuration only applies to global traffic rate limits. +Set the [`limits.request_limits.mode`](/consul/docs/reference/agent#mode-1) to `disabled` to allow services to exceed the specified read and write requests limits, even limits specified in the [control plane request limits configuration entry](/consul/docs/reference/config-entry/control-plane-request-limit). Note that any other mode specified in the agent configuration only applies to global traffic rate limits. diff --git a/website/content/docs/agent/limits/usage/limit-request-rates-from-ips.mdx b/website/content/docs/manage/agent-rate-limit/source-ip-address.mdx similarity index 75% rename from website/content/docs/agent/limits/usage/limit-request-rates-from-ips.mdx rename to website/content/docs/manage/agent-rate-limit/source-ip-address.mdx index 530ad7b26a7..8a4c5d34309 100644 --- a/website/content/docs/agent/limits/usage/limit-request-rates-from-ips.mdx +++ b/website/content/docs/manage/agent-rate-limit/source-ip-address.mdx @@ -6,7 +6,7 @@ description: Learn how to set read and request rate limits on RPC and gRPC traff # Limit traffic rates from source IP addresses -This topic describes how to configure RPC and gRPC traffic rate limits for source IP addresses. This enables you to specify a budget for read and write requests to prevent any single source IP from overwhelming the Consul server and negatively affecting the network. For information about setting global traffic rate limits, refer to [Set a global limit on traffic rates](/consul/docs/agent/limits/usage/set-global-traffic-rate-limits). For an overview of Consul's server rate limiting capabilities, refer to [Limit traffic rates overview](/consul/docs/agent/limits). +This topic describes how to configure RPC and gRPC traffic rate limits for source IP addresses. This enables you to specify a budget for read and write requests to prevent any single source IP from overwhelming the Consul server and negatively affecting the network. For information about setting global traffic rate limits, refer to [Set a global limit on traffic rates](/consul/docs/manage-consul/agent-rate-limit/set-global). For an overview of Consul's server rate limiting capabilities, refer to [Limit traffic rates overview](/consul/docs/manage-consul/agent-rate-limit). @@ -16,7 +16,7 @@ This feature requires Consul Enterprise. Refer to the [feature compatibility mat ## Overview -You can set limits on the rate of read and write requests from source IP addresses to specific resources, which mitigates the risks to Consul servers when consul clients send excessive requests to a specific resource type. Before configuring traffic rate limits, you should complete the initialization process to understand normal traffic loads in your network. Refer to [Initialize rate limit settings](/consul/docs/agent/limits/init-rate-limits) for additional information. +You can set limits on the rate of read and write requests from source IP addresses to specific resources, which mitigates the risks to Consul servers when consul clients send excessive requests to a specific resource type. Before configuring traffic rate limits, you should complete the initialization process to understand normal traffic loads in your network. Refer to [Initialize rate limit settings](/consul/docs/manage-consul/agent-rate-limit/initialize) for additional information. Complete the following steps to configure traffic rate limits from a source IP address: @@ -24,11 +24,11 @@ Complete the following steps to configure traffic rate limits from a source IP a 1. Apply the configuration entry to enact the limits. -You should also monitor read and write rate activity and make any necessary adjustments. Refer to [Monitor rate limit data](/consul/docs/agent/limits/usage/monitor-rate-limits) for additional information. +You should also monitor read and write rate activity and make any necessary adjustments. Refer to [Monitor rate limit data](/consul/docs/manage-consul/agent-rate-limit/monitor) for additional information. ## Define rate limits -Create a control plane request limit configuration entry in the `default` partition. The configuration entry applies to all client requests targeting any partition. Refer to the [control plane request limit configuration entry](/consul/docs/connect/config-entries/control-plane-request-limit) reference documentation for details about the available configuration parameters. +Create a control plane request limit configuration entry in the `default` partition. The configuration entry applies to all client requests targeting any partition. Refer to the [control plane request limit configuration entry](/consul/docs/reference/config-entry/control-plane-request-limit) reference documentation for details about the available configuration parameters. Specify the following parameters: @@ -69,4 +69,4 @@ $ kubectl apply control-plane-request-limit.yaml ## Disable request rate limits -Set the [limits.request_limits.mode](/consul/docs/agent/config/config-files#mode-1) in the agent configuration to `disabled` to allow services to exceed the specified read and write requests limits. The `disabled` mode applies to all request rate limits, even limits specified in the [control plane request limits configuration entry](/consul/docs/connect/config-entries/control-plane-request-limit). Note that any other mode specified in the agent configuration only applies to global traffic rate limits. +Set the [limits.request_limits.mode](/consul/docs/reference/agent#mode-1) in the agent configuration to `disabled` to allow services to exceed the specified read and write requests limits. The `disabled` mode applies to all request rate limits, even limits specified in the [control plane request limits configuration entry](/consul/docs/reference/config-entry/control-plane-request-limit). Note that any other mode specified in the agent configuration only applies to global traffic rate limits. diff --git a/website/content/docs/manage/automated-backup.mdx b/website/content/docs/manage/automated-backup.mdx new file mode 100644 index 00000000000..203c5900c68 --- /dev/null +++ b/website/content/docs/manage/automated-backup.mdx @@ -0,0 +1,27 @@ +--- +layout: docs +page_title: Automated Backups (Enterprise) +description: >- + Learn about launching the snapshot agent to automatically backup files to a cloud storage provider so that you can restore Consul servers. Supported providers include Amazon S3, Google Cloud Storage, and Azure Blob Storage. +--- + +# Automated Backups + + + +This feature requires HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. + + + +Consul Enterprise enables you to run the snapshot agent within your environment as a service (Systemd as an example) or scheduled through other means. Once running, the snapshot agent service operates as a highly available process that integrates with the snapshot API to automatically manage taking snapshots, backup rotation, and sending backup files offsite to Amazon S3 (or another S3-compatible endpoint), Google Cloud Storage, or Azure Blob Storage. + +This capability provides an enterprise solution for backup and restoring the state of Consul servers within an environment in an automated manner. These snapshots are atomic and point-in-time. Consul datacenter backups include (but are not limited to): + +- Key/Value Store Entries +- Service Catalog Registrations +- Prepared Queries +- Sessions +- Access Control Lists (ACLs) +- Namespaces + +For more experience leveraging Consul's snapshot functionality, complete the [Datacenter Backups in Consul](/consul/tutorials/production-deploy/backup-and-restore?utm_source=docs) tutorial. For detailed configuration information on configuring the Consul Enterprise's snapshot agent, review the [Consul Snapshot Agent documentation](/consul/commands/snapshot/agent). diff --git a/website/content/docs/manage/index.mdx b/website/content/docs/manage/index.mdx new file mode 100644 index 00000000000..67691606271 --- /dev/null +++ b/website/content/docs/manage/index.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Manage Consul +description: >- + Placeholder +--- + +# Manage Consul + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/manage/read-replica.mdx b/website/content/docs/manage/read-replica.mdx new file mode 100644 index 00000000000..e03231a3daa --- /dev/null +++ b/website/content/docs/manage/read-replica.mdx @@ -0,0 +1,18 @@ +--- +layout: docs +page_title: Read Replicas (Enterprise) +description: >- + Learn how you can add non-voting servers to datacenters as read replicas to provide enhanced read scalability without impacting write latency. +--- + +# Enhanced Read Scalability with Read Replicas + + + +This feature requires HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. + + + +Consul Enterprise provides the ability to scale clustered Consul servers to include voting servers and read replicas. Read replicas still receive data from the cluster replication, however, they do not take part in quorum election operations. Expanding your Consul cluster in this way can scale reads without impacting write latency. + +For more details, review the [Consul server configuration](/consul/docs/agent/config) documentation and the [-read-replica](/consul/docsreference-cli/agent#_read_replica) configuration flag. diff --git a/website/content/docs/manage/redundancy-zone.mdx b/website/content/docs/manage/redundancy-zone.mdx new file mode 100644 index 00000000000..f80ce78862c --- /dev/null +++ b/website/content/docs/manage/redundancy-zone.mdx @@ -0,0 +1,20 @@ +--- +layout: docs +page_title: Redundancy Zones (Enterprise) +description: >- + Redundancy zones are regions of a cluster containing "hot standby" servers, or non-voting servers that can replace voting servers in the event of a failure. Learn about redundancy zones and how they improve resiliency and increase fault tolerance without affecting latency. +--- + +# Redundancy Zones + + + +This feature requires self-managed Consul Enterprise. Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. + + + +Consul Enterprise redundancy zones provide both scaling and resiliency benefits by enabling the deployment of non-voting servers alongside voting servers on a per availability zone basis. + +When using redundancy zones, if an operator chooses to deploy Consul across 3 availability zones, they could have 2 (or more) servers (1 voting/1 non-voting) in each zone. In the event that a voting member in an availability zone fails, the redundancy zone configuration would automatically promote the non-voting member to a voting member. In the event that an entire availability zone was lost, a non-voting member in one of the existing availability zones would promote to a voting member, keeping server quorum. This capability functions as a "hot standby" for server nodes while also providing (and expanding) the capabilities of [enhanced read scalability](/consul/docs/manage-consul/read-replicas) by also including recovery capabilities. + +For more information, complete the [Redundancy Zones](/consul/tutorials/datacenter-operations/autopilot-datacenter-operations#redundancy-zones) tutorial and reference the [Consul Autopilot](/consul/commands/operator/autopilot) documentation. diff --git a/website/content/docs/architecture/scale.mdx b/website/content/docs/manage/scale.mdx similarity index 88% rename from website/content/docs/architecture/scale.mdx rename to website/content/docs/manage/scale.mdx index 119e05454ab..eb5c66ad227 100644 --- a/website/content/docs/architecture/scale.mdx +++ b/website/content/docs/manage/scale.mdx @@ -5,7 +5,7 @@ description: >- When using Consul for large scale deployments, you can ensure network resilience by tailoring your network to your needs. Learn more about HashiCorp's recommendations for deploying Consul at scale. --- -# Operating Consul at Scale +# Recommendations for operating Consul at scale This page describes how Consul's architecture impacts its performance with large scale deployments and shares recommendations for operating Consul in production at scale. @@ -29,11 +29,11 @@ To make service-to-service communication resilient against outages and failures, - Runtime platform instances, such as Kubernetes clusters - Consul datacenters -In the event that any individual domain experiences a failure, service failover ensures that healthy instances in other domains remain discoverable. Consul automatically provides service failover between instances within a single [admin partition](/consul/docs/enterprise/admin-partitions) or datacenter. +In the event that any individual domain experiences a failure, service failover ensures that healthy instances in other domains remain discoverable. Consul automatically provides service failover between instances within a single [admin partition](/consul/docs/segment/admin-partition) or datacenter. Service failover across Consul datacenters must be configured in the datacenters before you can use it. Use one of the following methods to configure failover across datacenters: -- **If you are using Consul service mesh**: Implement failover using [service-resolver configuration entries](/consul/docs/connect/config-entries/service-resolver#failover). +- **If you are using Consul service mesh**: Implement failover using [service-resolver configuration entries](/consul/docs/reference/config-entry/service-resolver#failover). - **If you are using Consul service discovery without service mesh**: Implement [geo-redundant failover using prepared queries](/consul/tutorials/developer-discovery/automate-geo-failover). ### Control plane resiliency @@ -65,7 +65,7 @@ For most use cases, a limit of 5,000 agents is appropriate. When the `consul.ser In Kubernetes, even though it is possible to deploy Consul agents inside pods alongside services running in the same pod, this unsupported deployment pattern has known performance issues at scale. At large volumes, pod registration and deregistration in Kubernetes causes gossip instability that can lead to cascading failures as services are marked unhealthy, resulting in further cluster churn. -In Consul v1.14 and higher, Consul on Kubernetes does not need to run client agents on every node in a cluster for service discovery and service mesh. This deployment configuration lowers Consul’s resource usage in the data plane, but requires additional resources in the control plane to process [xDS resources](/consul/docs/agent/config/config-files#xds-server-parameters). To learn more, refer to [simplified service mesh with Consul Dataplane](/consul/docs/connect/dataplane). +In Consul v1.14 and higher, Consul on Kubernetes does not need to run client agents on every node in a cluster for service discovery and service mesh. This deployment configuration lowers Consul’s resource usage in the data plane, but requires additional resources in the control plane to process [xDS resources](/consul/docs/reference/agent#xds-server-parameters). To learn more, refer to [simplified service mesh with Consul Dataplane](/consul/docs/connect/dataplane). **If you use Kubernetes and Consul as a backend for Vault**: Use Vault’s integrated storage backend instead of Consul. A runtime dependency conflict prevents Consul dataplanes from being compatible with Vault. If you need to use Consul v1.14 and higher as a backend for Vault in your Kubernetes deployment, create a separate Consul datacenter that is not federated or peered to your other Consul servers. You can size this datacenter according to your needs and use it exclusively for backend storage for Vault. @@ -77,12 +77,12 @@ Consul server agents are an important part of Consul’s architecture. This sect Consul servers can be deployed on a few different runtimes: -- **HashiCorp Cloud Platform (HCP) Consul Dedicated**. These Consul servers are deployed in a hosted environment managed by HCP. To get started with HCP Consul Dedicated servers in Kubernetes or VM deployments, refer to the [Deploy HCP Consul Dedicated tutorial](/consul/tutorials/get-started-hcp/hcp-gs-deploy). +- **HashiCorp Cloud Platform (HCP) Consul (Managed)**. These Consul servers are deployed in a hosted environment managed by HCP. To get started with HCP Consul servers in Kubernetes or VM deployments, refer to the [Deploy HCP Consul tutorial](/consul/tutorials/get-started-hcp/hcp-gs-deploy). - **VMs or bare metal servers (Self-managed)**. To get started with Consul on VMs or bare metal servers, refer to the [Deploy Consul server tutorial](/consul/tutorials/get-started-vms/virtual-machine-gs-deploy). For a full list of configuration options, refer to [Agents Overview](/consul/docs/agent). - **Kubernetes (Self-managed)**. To get started with Consul on Kubernetes, refer to the [Deploy Consul on Kubernetes tutorial](/consul/tutorials/get-started-kubernetes/kubernetes-gs-deploy). - **Other container environments, including Docker, Rancher, and Mesos (Self-managed)**. -When operating Consul at scale, self-managed VM or bare metal server deployments offer the most flexibility. Some Consul Enterprise features that can enhance fault tolerance and read scalability, such as [redundancy zones](/consul/docs/enterprise/redundancy) and [read replicas](/consul/docs/enterprise/read-scale), are not available to server agents on Kubernetes runtimes. To learn more, refer to [Consul Enterprise feature availability by runtime](/consul/docs/enterprise#feature-availability-by-runtime). +When operating Consul at scale, self-managed VM or bare metal server deployments offer the most flexibility. Some Consul Enterprise features that can enhance fault tolerance and read scalability, such as [redundancy zones](/consul/docs/manage-consul/redundancy-zones) and [read replicas](/consul/docs/manage-consul/read-replicas), are not available to server agents on Kubernetes runtimes. To learn more, refer to [Consul Enterprise feature availability by runtime](/consul/docs/enterprise#feature-availability-by-runtime). ### Number of Consul servers @@ -94,7 +94,7 @@ Determining the number of Consul servers to deploy on your network has two key c Fault tolerance should determine your initial decision for how many Consul server agents to deploy. Our recommendation for the number of servers to deploy depends on whether you have access to Consul Enterprise redundancy zones: - **With redundancy zones**: Deploy 6 Consul servers across 3 availability zones. This deployment provides the performance of a 3 server deployment with the fault tolerance of a 7 server deployment. -- **Without redundancy zones**: Deploy 5 Consul servers across 3 availability zones. All 5 servers should be voting servers, not [read replicas](/consul/docs/enterprise/read-scale). +- **Without redundancy zones**: Deploy 5 Consul servers across 3 availability zones. All 5 servers should be voting servers, not [read replicas](/consul/docs/manage-consul/read-replicas). For more details, refer to [Improving Consul Resilience](/consul/docs/architecture/improving-consul-resilience). @@ -110,7 +110,7 @@ Consul's agents use network sockets for gossip communication with the other node Auto scaling groups (ASGs) are infrastructure associations in cloud providers used to ensure a specific number of replicas are available for a deployment. When using ASGs for Consul servers, there are specific requirements and processes for bootstrapping Raft and maintaining quorum. -We recommend using the [`bootstrap-expect` command-line flag](/consul/docs/agent/config/cli-flags#_bootstrap_expect) during cluster creation. However, if you spawn new servers to add to a cluster or upgrade servers, do not configure them to automatically bootstrap. If `bootstrap-expect` is set on these replicas, it is possible for them to create a separate Raft system, which causes a _split brain_ and leads to errors and general cluster instability. +We recommend using the [`bootstrap-expect` command-line flag](/consul/docsreference-cli/agent#_bootstrap_expect) during cluster creation. However, if you spawn new servers to add to a cluster or upgrade servers, do not configure them to automatically bootstrap. If `bootstrap-expect` is set on these replicas, it is possible for them to create a separate Raft system, which causes a _split brain_ and leads to errors and general cluster instability. #### NUMA architecture awareness @@ -126,7 +126,7 @@ We strongly recommend using [stale consistency mode for DNS lookups](/consul/api We also recommend that you do not configure [`dns_config.max_stale` to limit the staleness of DNS responses](/consul/api-docs/features/consistency#limiting-staleness-advanced-usage), as it may result in a prolonged outage if your Consul servers become overloaded. If bounded result consistency is required by a service, consider modifying the service to use consistent service discovery HTTP API queries instead of DNS lookups. -Avoid using [`dns_config.use_cache`](/consul/docs/agent/config/config-files#dns_use_cache) when operating Consul at scale. Because the Consul agent cache allocates memory for each requested route and each allocation can live up to 3 days, severe memory issues may occur. To implement DNS caching, we instead recommend that you [configure TTLs for services and nodes](/consul/docs/services/discovery/dns-cache#ttl) to enable the DNS client to cache responses from Consul. +Avoid using [`dns_config.use_cache`](/consul/docs/reference/agent#dns_use_cache) when operating Consul at scale. Because the Consul agent cache allocates memory for each requested route and each allocation can live up to 3 days, severe memory issues may occur. To implement DNS caching, we instead recommend that you [configure TTLs for services and nodes](/consul/tutorials/networking/dns-caching#ttl) to enable the DNS client to cache responses from Consul. #### HTTP API @@ -150,7 +150,7 @@ Depending on your needs, choose one of the following strategies to mitigate serv - The fastest mitigation strategy is to vertically scale servers. However, this strategy increases compute costs and does not scale indefinitely. - The most effective long term mitigation strategy is to use [stale consistency mode](/consul/api-docs/features/consistency#stale) for as many read requests as possible. In Consul v1.12 and higher, operators can use the [`consul.rpc.server.call` metric](/consul/docs/agent/telemetry#server-workload) to identify the most frequent type of read requests made to the Consul servers. Cross reference the results with each endpoint’s [HTTP API documentation](/consul/api-docs) and use stale consistency for endpoints that support it. -- If most read requests already use stale consistency mode and you still need to reduce your request load, add more non-voting servers to your deployment. You can use either [redundancy zones](/consul/docs/enterprise/redundancy) or [read replicas](/consul/docs/enterprise/read-scale) to scale reads without impacting write latency. We recommend adding more servers to redundancy zones because they improve both fault tolerance and stale read scalability. +- If most read requests already use stale consistency mode and you still need to reduce your request load, add more non-voting servers to your deployment. You can use either [redundancy zones](/consul/docs/manage-consul/redundancy-zones) or [read replicas](/consul/docs/manage-consul/read-replicas) to scale reads without impacting write latency. We recommend adding more servers to redundancy zones because they improve both fault tolerance and stale read scalability. - In Consul v1.14 and higher, servers handle Envoy XDS streams for [Consul Dataplane deployments](/consul/docs/connect/dataplane) in stale consistency mode. As a result, server consistency mode is not configurable. Use the `consul.xds.server.*` metrics to identify issues related to XDS streams. ### Write-heavy workload sources and solutions @@ -161,7 +161,7 @@ As a starting point, you should make sure your hardware meets the requirements f If you use network storage, such as AWS EBS, we recommend provisioned I/O volumes. While general purpose volumes function properly, their burstable IOps make it harder to capacity plan. A small peak in writes may not trigger alerts, but as usage grows you may reach a point where the burst limit runs out and workload performance worsens. -For more information, refer to the [server performance read/write tuning](/consul/docs/install/performance#read-write-tuning). +For more information, refer to the [server performance read/write tuning](/consul/docs/deploy/server/vm/requirements#read-write-tuning). ### Raft database performance sources and solutions @@ -189,14 +189,14 @@ To figure out if a Consul server’s disk performance issues are the result of B - Use the [`consul.raft.leader.dispatchLog` metric](/consul/docs/agent/telemetry#server-health) to get information about how long it takes to write a batch of logs to disk. - In Consul v1.13 and higher, you can use [Raft thread saturation metrics](/consul/docs/agent/telemetry#raft-thread-saturation) to figure out if Raft is experiencing back pressure and is unable to accept new work due disk limitations. -In Consul v1.11 and higher, you can prevent BoltDB from writing the freelist to disk by setting [`raftboltdb.NoFreelistSync`](/consul/docs/agent/config/config-files#NoFreelistSync) to `true`. This setting causes BoltDB to retain the freelist in memory instead. However, be aware that when BoltDB restarts, it needs to scan the database file to manually create the freelist. Small delays in startup may occur. On a fast disk, we measured these delays at the order of tens of seconds for a raft.db file that was 5GiB in size with only 250MiB of used pages. +In Consul v1.11 and higher, you can prevent BoltDB from writing the freelist to disk by setting [`raftboltdb.NoFreelistSync`](/consul/docs/reference/agent#NoFreelistSync) to `true`. This setting causes BoltDB to retain the freelist in memory instead. However, be aware that when BoltDB restarts, it needs to scan the database file to manually create the freelist. Small delays in startup may occur. On a fast disk, we measured these delays at the order of tens of seconds for a raft.db file that was 5GiB in size with only 250MiB of used pages. -In general, set [`raftboltdb.NoFreelistSync`](/consul/docs/agent/config/config-files#NoFreelistSync) to `true` to produce the following effects: +In general, set [`raftboltdb.NoFreelistSync`](/consul/docs/reference/agent#NoFreelistSync) to `true` to produce the following effects: - Reduce the amount of data written to disk - Increase the amount of time it takes to load the raft.db file on startup -We recommend operators optimize networks according to their individual concerns. For example, if your server runs into disk performance issues but Consul servers do not restart often, setting [`raftboltdb.NoFreelistSync`](/consul/docs/agent/config/config-files#NoFreelistSync) to `true` may solve your problems. However, the same action causes issues for deployments with large database files and frequent server restarts. +We recommend operators optimize networks according to their individual concerns. For example, if your server runs into disk performance issues but Consul servers do not restart often, setting [`raftboltdb.NoFreelistSync`](/consul/docs/reference/agent#NoFreelistSync) to `true` may solve your problems. However, the same action causes issues for deployments with large database files and frequent server restarts. #### Raft snapshots @@ -210,7 +210,7 @@ When the leader takes snapshot B at index 199, it truncates the logs that accumu Because the new server restored snapshot A, the new server has a current index of 99. It requests logs 100 to 150 because index 150 was the current index when it started the replication restore process. At this point, the leader recognizes that it only has logs 200 and higher, and does not have logs for indexes 100 to 150. The leader determines that the new server’s state is stale and starts the process over by sending the new server the latest snapshot, snapshot B. -Consul keeps a configurable number of [Raft trailing logs](/consul/docs/agent/config/config-files#raft_trailing_logs) to prevent the snapshot install loop from repeating. The trailing logs are the last logs that went into the snapshot, and the new server can more easily catch up to the current state using these logs. The default Raft trailing logs configuration value is suitable for most deployments. +Consul keeps a configurable number of [Raft trailing logs](/consul/docs/reference/agent#raft_trailing_logs) to prevent the snapshot install loop from repeating. The trailing logs are the last logs that went into the snapshot, and the new server can more easily catch up to the current state using these logs. The default Raft trailing logs configuration value is suitable for most deployments. In Consul v1.10 and higher, operators can try to prevent a snapshot install loop by monitoring and comparing Consul servers’ `consul.raft.rpc.installSnapshot` and `consul.raft.leader.oldestLogAge` timing metrics. Monitor these metrics for the following situations: @@ -232,11 +232,11 @@ Several factors influence Consul performance at scale when used primarily for it - The overall number of registered service instances - The use of [stale reads](/consul/api-docs/features/consistency#consul-dns-queries) for DNS queries - The number of entities, such as Consul client agents or dataplane components, that are monitoring Consul for changes in a service's instances, including registration and health status. When any service change occurs, all of those entities incur a computational cost because they must process the state change and reconcile it with previously known data for the service. In addition, the Consul server agents also incur a computational cost when sending these updates. -- Number of [watches](/consul/docs/dynamic-app-config/watches) monitoring for changes to a service. +- Number of [watches](/consul/docs/dynamic-app/watches) monitoring for changes to a service. - Rate of catalog updates, which is affected by the following events: - A service instance’s health check status changes - A service instance’s node loses connectivity to Consul servers - - The contents of the [service definition file](/consul/docs/services/configuration/services-configuration-reference) changes + - The contents of the [service definition file](/consul/docs/reference/service) changes - Service instances are registered or deregistered - Orchestrators such as Kubernetes or Nomad move a service to a new node @@ -257,7 +257,7 @@ Consul ESM enables health checks and monitoring for external services. When usin Because Consul’s service mesh uses service discovery subsystems, service mesh performance is also optimized by deploying multiple small clusters with consistent numbers of service instances and watches. Service mesh performance is influenced by the following additional factors: - The [transparent proxy](/consul/docs/connect/transparent-proxy) feature causes client agents to listen for service instance updates across all services instead of a subset. To prevent performance issues, we recommend that you do not use the permissive intention, `default: allow`, with the transparent proxy feature. When combined, every service instance update propagates to every proxy, which causes additional server load. -- When you use the [built-in service mesh CA provider](/consul/docs/connect/ca/consul#built-in-ca), Consul leaders are responsible for signing certificates used for mTLS across the service mesh. The impact on CPU utilization depends on the total number of service instances and configured certificate TTLs. You can use the [CA provider configuration options](/consul/docs/agent/config/config-files#common-ca-config-options) to control the number of requests a server processes. We recommend adjusting [`csr_max_concurrent`](/consul/docs/agent/config/config-files#ca_csr_max_concurrent) and [`csr_max_per_second`](/consul/docs/agent/config/config-files#ca_csr_max_concurrent) to suit your environment. +- When you use the [built-in service mesh CA provider](/consul/docs/secure-mesh/certificate/built-in#built-in-ca), Consul leaders are responsible for signing certificates used for mTLS across the service mesh. The impact on CPU utilization depends on the total number of service instances and configured certificate TTLs. You can use the [CA provider configuration options](/consul/docs/reference/agent#common-ca-config-options) to control the number of requests a server processes. We recommend adjusting [`csr_max_concurrent`](/consul/docs/reference/agent#ca_csr_max_concurrent) and [`csr_max_per_second`](/consul/docs/reference/agent#ca_csr_max_concurrent) to suit your environment. ### K/V store @@ -280,4 +280,4 @@ At scale, using Consul as a backend for Vault results in increased memory and CP In situations where Consul handles large amounts of data and has high write throughput, we recommend adding monitoring for the [capacity and health of raft replication on servers](/consul/docs/agent/telemetry#raft-replication-capacity-issues). If the server experiences heavy load when the size of its stored data is large enough, a follower may be unable to catch up on replication and become a voter after restarting. This situation occurs when the time it takes for a server to restore from disk takes longer than it takes for the leader to write a new snapshot and truncate its logs. Refer to [Raft snapshots](#raft-snapshots) for more information. -Vault v1.4 and higher provides [integrated storage](/vault/docs/concepts/integrated-storage) as its recommended storage option. If you currently use Consul as a storage backend for Vault, we recommend switching to integrated storage. For a comparison between Vault's integrated storage and Consul as a backend for Vault, refer to [storage backends in the Vault documentation](/vault/docs/configuration/storage#integrated-storage-vs-consul-as-vault-storage). For detailed guidance on migrating the Vault backend from Consul to Vault's integrated storage, refer to the [storage migration tutorial](/vault/docs/configuration/storage#integrated-storage-vs-consul-as-vault-storage). Integrated storage improves resiliency by preventing a Consul outage from also affecting Vault functionality. +Vault v1.4 and higher provides [integrated storage](/vault/docs/concepts/integrated-storage) as its recommended storage option. If you currently use Consul as a storage backend for Vault, we recommend switching to integrated storage. For a comparison between Vault's integrated storage and Consul as a backend for Vault, refer to [storage backends in the Vault documentation](/vault/docs/configuration/storage#integrated-storage-vs-consul-as-vault-storage). For detailed guidance on migrating the Vault backend from Consul to Vault's integrated storage, refer to the [storage migration tutorial](/vault/docs/configuration/storage#integrated-storage-vs-consul-as-vault-storage). Integrated storage improves resiliency by preventing a Consul outage from also affecting Vault functionality. \ No newline at end of file diff --git a/website/content/docs/manage/snapshot.mdx b/website/content/docs/manage/snapshot.mdx new file mode 100644 index 00000000000..841176d84e6 --- /dev/null +++ b/website/content/docs/manage/snapshot.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Snapshots +description: >- + Placeholder +--- + +# Snapshots + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/monitor/index.mdx b/website/content/docs/monitor/index.mdx new file mode 100644 index 00000000000..719c6e3a77d --- /dev/null +++ b/website/content/docs/monitor/index.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Monitor Consul +description: >- + Placeholder +--- + +# Monitor Consul + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/monitor/log/agent.mdx b/website/content/docs/monitor/log/agent.mdx new file mode 100644 index 00000000000..f1716bdca0b --- /dev/null +++ b/website/content/docs/monitor/log/agent.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Log agent behavior +description: >- + Placeholder +--- + +# Log agent behavior + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/enterprise/audit-logging.mdx b/website/content/docs/monitor/log/audit.mdx similarity index 72% rename from website/content/docs/enterprise/audit-logging.mdx rename to website/content/docs/monitor/log/audit.mdx index 75d3b33a410..4a496faceff 100644 --- a/website/content/docs/enterprise/audit-logging.mdx +++ b/website/content/docs/monitor/log/audit.mdx @@ -9,43 +9,28 @@ description: >- -This feature requires -HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. -Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. +This feature requires HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. -With Consul Enterprise v1.8.0+, audit logging can be used to capture a clear and -actionable log of authenticated events (both attempted and committed) that Consul -processes via its HTTP API. These events are then compiled into a JSON format for easy export -and contain a timestamp, the operation performed, and the user who initiated the action. +With Consul Enterprise v1.8.0+, audit logging can be used to capture a clear and actionable log of authenticated events (both attempted and committed) that Consul processes via its HTTP API. These events are then compiled into a JSON format for easy export and contain a timestamp, the operation performed, and the user who initiated the action. -Audit logging enables security and compliance teams within an organization to get -greater insight into Consul access and usage patterns. +Audit logging enables security and compliance teams within an organization to get greater insight into Consul access and usage patterns. Complete the [Capture Consul Events with Audit Logging](/consul/tutorials/datacenter-operations/audit-logging) tutorial to learn more about Consul's audit logging functionality, -For detailed configuration information on configuring the Consul Enterprise's audit -logging, review the Consul [Audit Log](/consul/docs/agent/config/config-files#audit) -documentation. +For detailed configuration information on configuring the Consul Enterprise's audit logging, review the Consul [Audit Log](/consul/docs/reference/agent#audit) documentation. ## Example Configuration -Audit logging must be enabled on every agent in order to accurately capture all -operations performed through the HTTP API. To enable logging, add -the [`audit`](/consul/docs/agent/config/config-files#audit) stanza to the agent's configuration. +Audit logging must be enabled on every agent in order to accurately capture all operations performed through the HTTP API. To enable logging, add the [`audit`](/consul/docs/reference/agent#audit) stanza to the agent's configuration. --> **Note**: Consul only logs operations which are initiated via the HTTP API. -The audit log does not record operations that take place over the internal RPC -communication channel used for agent communication. +-> **Note**: Consul only logs operations which are initiated via the HTTP API. The audit log does not record operations that take place over the internal RPC communication channel used for agent communication. -The following example configures a destination called "My Sink". Since rotation is enabled, -audit events will be stored at files named: `/tmp/audit-.json`. The log file will -be rotated either every 24 hours, or when the log file size is greater than 25165824 bytes -(24 megabytes). +The following example configures a destination called "My Sink". Since rotation is enabled, audit events will be stored at files named: `/tmp/audit-.json`. The log file will be rotated either every 24 hours, or when the log file size is greater than 25165824 bytes (24 megabytes). @@ -103,9 +88,7 @@ server: - -The following example configures a destination called "My Sink" which emits audit -logs to standard out. +The following example configures a destination called "My Sink" which emits audit logs to standard out. @@ -156,15 +139,11 @@ server: ## Example Audit Log -In this example a client has issued an HTTP GET request to look up the `ssh` -service in the `/v1/catalog/service/` endpoint. +In this example a client has issued an HTTP GET request to look up the `ssh` service in the `/v1/catalog/service/` endpoint. -Details from the HTTP request are recorded in the audit log. The `stage` field -is set to `OperationStart` which indicates the agent has begun processing the -request. +Details from the HTTP request are recorded in the audit log. The `stage` field is set to `OperationStart` which indicates the agent has begun processing the request. -The value of the `payload.auth.accessor_id` field is the accessor ID of the -[ACL token](/consul/docs/security/acl#tokens) which issued the request. +The value of the `payload.auth.accessor_id` field is the accessor ID of the [ACL token](/consul/docs/secure-consul/acl#tokens) which issued the request. @@ -196,9 +175,7 @@ The value of the `payload.auth.accessor_id` field is the accessor ID of the -After the request is processed, a corresponding log entry is written for the HTTP -response. The `stage` field is set to `OperationComplete` which indicates the agent -has completed processing the request. +After the request is processed, a corresponding log entry is written for the HTTP response. The `stage` field is set to `OperationComplete` which indicates the agent has completed processing the request. diff --git a/website/content/docs/monitor/telemetry/agent.mdx b/website/content/docs/monitor/telemetry/agent.mdx new file mode 100644 index 00000000000..ddd14af818e --- /dev/null +++ b/website/content/docs/monitor/telemetry/agent.mdx @@ -0,0 +1,371 @@ +--- +layout: docs +page_title: Agents - Enable Telemetry Metrics +description: >- + Configure agent telemetry to collect operations metrics you can use to debug and observe Consul behavior and performance. Learn about configuration options, the metrics you can collect, and why they're important. +--- + +# Agent Telemetry + +The Consul agent collects various runtime metrics about the performance of +different libraries and subsystems. These metrics are aggregated on a ten +second (10s) interval and are retained for one minute. An _interval_ is the period of time between instances of data being collected and aggregated. + +When telemetry is being streamed to an external metrics store, the interval is defined to be that store's flush interval. + +|External Store|Interval (seconds)| +|:--------|:--------| +|[dogstatsd](https://docs.datadoghq.com/developers/dogstatsd/?tab=hostagent#how-it-works)|10s| +|[Prometheus](https://vector.dev/docs/reference/configuration/sinks/prometheus_exporter/#flush_period_secs)| 60s| +|[statsd](https://github.com/statsd/statsd/blob/master/docs/metric_types.md#timing)|10s| + +To view this data, you must send a signal to the Consul process: on Unix, +this is `USR1` while on Windows it is `BREAK`. Once Consul receives the signal, +it will dump the current telemetry information to the agent's `stderr`. + +This telemetry information can be used for debugging or otherwise +getting a better view of what Consul is doing. Review the [Monitoring and +Metrics tutorial](/consul/tutorials/day-2-operations/monitor-datacenter-health?utm_source=docs) to learn how collect and interpret Consul data. + +By default, all metric names of gauge type are prefixed with the hostname of the consul agent, e.g., +`consul.hostname.server.isLeader`. To disable prefixing the hostname, set +`telemetry.disable_hostname=true` in the [agent configuration](/consul/docs/reference/agent#telemetry). + +Additionally, if the [`telemetry` configuration options](/consul/docs/reference/agent#telemetry) +are provided, the telemetry information will be streamed to a +[statsite](http://github.com/armon/statsite) or [statsd](http://github.com/etsy/statsd) server where +it can be aggregated and flushed to Graphite or any other metrics store. +For a configuration example for Telegraf, review the [Monitoring with Telegraf tutorial](/consul/tutorials/day-2-operations/monitor-health-telegraf?utm_source=docs). + +This +information can also be viewed with the [metrics endpoint](/consul/api-docs/agent#view-metrics) in JSON +format or using [Prometheus](https://prometheus.io/) format. + + + +```log +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.num_goroutines': 19.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.alloc_bytes': 755960.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.malloc_count': 7550.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.free_count': 4387.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.heap_objects': 3163.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.total_gc_pause_ns': 1151002.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.total_gc_runs': 4.000 +[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.agent.ipc.accept': Count: 5 Sum: 5.000 +[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.agent.ipc.command': Count: 10 Sum: 10.000 +[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events': Count: 5 Sum: 5.000 +[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events.foo': Count: 4 Sum: 4.000 +[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events.baz': Count: 1 Sum: 1.000 +[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.memberlist.gossip': Count: 50 Min: 0.007 Mean: 0.020 Max: 0.041 Stddev: 0.007 Sum: 0.989 +[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.serf.queue.Intent': Count: 10 Sum: 0.000 +[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.serf.queue.Event': Count: 10 Min: 0.000 Mean: 2.500 Max: 5.000 Stddev: 2.121 Sum: 25.000 +``` + + + +# Key Metrics + +These are some metrics emitted that can help you understand the health of your cluster at a glance. A [Grafana dashboard](https://grafana.com/grafana/dashboards/13396) is also available, which is maintained by the Consul team and displays these metrics for easy visualization. For a full list of metrics emitted by Consul, see [Metrics Reference](#metrics-reference) + +### Transaction timing + +| Metric Name | Description | Unit | Type | +| :----------------------- | :----------------------------------------------------------------------------------- | :--------------------------- | :------ | +| `consul.kvs.apply` | Measures the time it takes to complete an update to the KV store. | ms | timer | +| `consul.txn.apply` | Measures the time spent applying a transaction operation. | ms | timer | +| `consul.raft.apply` | Counts the number of Raft transactions applied during the interval. This metric is only reported on the leader. | raft transactions / interval | counter | +| `consul.raft.commitTime` | Measures the time it takes to commit a new entry to the Raft log on the leader. | ms | timer | + +**Why they're important:** Taken together, these metrics indicate how long it takes to complete write operations in various parts of the Consul cluster. Generally these should all be fairly consistent and no more than a few milliseconds. Sudden changes in any of the timing values could be due to unexpected load on the Consul servers, or due to problems on the servers themselves. + +**What to look for:** Deviations (in any of these metrics) of more than 50% from baseline over the previous hour. + +### Leadership changes + +| Metric Name | Description | Unit | Type | +| :------------------------------- | :------------------------------------------------------------------------------------------------------------- | :-------- | :------ | +| `consul.raft.leader.lastContact` | Measures the time since the leader was last able to contact the follower nodes when checking its leader lease. | ms | timer | +| `consul.raft.state.candidate` | Increments whenever a Consul server starts an election. | elections | counter | +| `consul.raft.state.leader` | Increments whenever a Consul server becomes a leader. | leaders | counter | +| `consul.server.isLeader` | Track if a server is a leader(1) or not(0). | 1 or 0 | gauge | + +**Why they're important:** Normally, your Consul cluster should have a stable leader. If there are frequent elections or leadership changes, it would likely indicate network issues between the Consul servers, or that the Consul servers themselves are unable to keep up with the load. + +**What to look for:** For a healthy cluster, you're looking for a `lastContact` lower than 200ms, `leader` > 0 and `candidate` == 0. Deviations from this might indicate flapping leadership. + +### Certificate Authority Expiration + +| Metric Name | Description | Unit | Type | +| :------------------------- | :---------------------------------------------------------------------------------- | :------ | :---- | +| `consul.mesh.active-root-ca.expiry` | The number of seconds until the root CA expires, updated every hour. | seconds | gauge | +| `consul.mesh.active-signing-ca.expiry` | The number of seconds until the signing CA expires, updated every hour. | seconds | gauge | +| `consul.agent.tls.cert.expiry` | The number of seconds until the server agent's TLS certificate expires, updated every hour. | seconds | gauge | + +** Why they're important:** Consul Mesh requires a CA to sign all certificates +used to connect the mesh and the mesh network ceases to work if they expire and +become invalid. The Root is particularly important to monitor as Consul does +not automatically rotate it. The TLS certificate metric monitors the certificate +that the server's agent uses to connect with the other agents in the cluster. + +** What to look for:** The Root CA should be monitored for an approaching +expiration, to indicate it is time for you to rotate the "root" CA either +manually or with external automation. Consul should rotate the signing (intermediate) certificate +automatically, but we recommend monitoring the rotation. When the certificate does not rotate, check the server agent logs for +messages related to the CA system. The agent TLS certificate's rotation handling +varies based on the configuration. + +### Autopilot + +| Metric Name | Description | Unit | Type | +| :------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------- | :---- | +| `consul.autopilot.healthy` | Tracks the overall health of the local server cluster. If all servers are considered healthy by Autopilot, this will be set to 1. If any are unhealthy, this will be 0. | health state | gauge | + +**Why it's important:** Autopilot can expose the overall health of your cluster with a simple boolean. + +**What to look for:** Alert if `healthy` is 0. Some other indicators of an unhealthy cluster would be: +- `consul.raft.commitTime` - This can help reflect the speed of state store +changes being performed by the agent. If this number is rising, the server may +be experiencing an issue due to degraded resources on the host. +- [Leadership change metrics](#leadership-changes) - Check for deviation from +the recommended values. This can indicate failed leadership elections or +flapping nodes. + +### Memory usage + +| Metric Name | Description | Unit | Type | +| :--------------------------- | :----------------------------------------------------------------- | :---- | :---- | +| `consul.runtime.alloc_bytes` | Measures the number of bytes allocated by the Consul process. | bytes | gauge | +| `consul.runtime.sys_bytes` | Measures the total number of bytes of memory obtained from the OS. | bytes | gauge | + +**Why they're important:** Consul keeps all of its data in memory. If Consul consumes all available memory, it will crash. + +**What to look for:** If `consul.runtime.sys_bytes` exceeds 90% of total available system memory. + +**NOTE:** This metric is calculated using Go's runtime package +[MemStats](https://golang.org/pkg/runtime/#MemStats). This will have a +different output than using information gathered from `top`. For more +information, see [GH-4734](https://github.com/hashicorp/consul/issues/4734). + +### Garbage collection + +| Metric Name | Description | Unit | Type | +| :--------------------------------- | :---------------------------------------------------------------------------------------------------- | :--- | :---- | +| `consul.runtime.total_gc_pause_ns` | Number of nanoseconds consumed by stop-the-world garbage collection (GC) pauses since Consul started. | ns | gauge | + +**Why it's important:** GC pause is a "stop-the-world" event, meaning that all runtime threads are blocked until GC completes. Normally these pauses last only a few nanoseconds. But if memory usage is high, the Go runtime may GC so frequently that it starts to slow down Consul. + +**What to look for:** Warning if `total_gc_pause_ns` exceeds 2 seconds/minute, critical if it exceeds 5 seconds/minute. + +**NOTE:** `total_gc_pause_ns` is a cumulative counter, so in order to calculate rates (such as GC/minute), +you will need to apply a function such as InfluxDB's [`non_negative_difference()`](https://docs.influxdata.com/influxdb/v1.5/query_language/functions/#non-negative-difference). + +### Network activity - RPC Count + +| Metric Name | Description | Unit | Type | +| :--------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- | :------ | +| `consul.client.rpc` | Increments whenever a Consul agent makes an RPC request to a Consul server | requests | counter | +| `consul.client.rpc.exceeded` | Increments whenever a Consul agent makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/consul/docs/reference/agent#limits) configuration. | requests | counter | +| `consul.client.rpc.failed` | Increments whenever a Consul agent makes an RPC request to a Consul server and fails. | requests | counter | + +**Why they're important:** These measurements indicate the current load created from a Consul agent, including when the load becomes high enough to be rate limited. A high RPC count, especially from `consul.client.rpcexceeded` meaning that the requests are being rate-limited, could imply a misconfigured Consul agent. + +**What to look for:** +Sudden large changes to the `consul.client.rpc` metrics (greater than 50% deviation from baseline). +`consul.client.rpc.exceeded` or `consul.client.rpc.failed` count > 0, as it implies that an agent is being rate-limited or fails to make an RPC request to a Consul server + +### Raft Thread Saturation + +| Metric Name | Description | Unit | Type | +| :----------------------------------- | :----------------------------------------------------------------------------------------------------------------------- | :--------- | :----- | +| `consul.raft.thread.main.saturation` | An approximate measurement of the proportion of time the main Raft goroutine is busy and unavailable to accept new work. | percentage | sample | +| `consul.raft.thread.fsm.saturation` | An approximate measurement of the proportion of time the Raft FSM goroutine is busy and unavailable to accept new work. | percentage | sample | + +**Why they're important:** These measurements are a useful proxy for how much +capacity a Consul server has to accept additional write load. High saturation +of the Raft goroutines can lead to elevated latency in the rest of the system +and cause cluster instability. + +**What to look for:** Generally, a server's steady-state saturation should be +less than 50%. + +**NOTE:** These metrics are approximate and under extremely heavy load won't +give a perfect fine-grained view of how much headroom a server has available. +Instead, treat them as an early warning sign. + +** Requirements: ** +* Consul 1.13.0+ + +### Raft Replication Capacity Issues + +| Metric Name | Description | Unit | Type | +| :--------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- | :------ | +| `consul.raft.fsm.lastRestoreDuration` | Measures the time taken to restore the FSM from a snapshot on an agent restart or from the leader calling installSnapshot. This is a gauge that holds it's value since most servers only restore during restarts which are typically infrequent. | ms | gauge | +| `consul.raft.leader.oldestLogAge` | The number of milliseconds since the _oldest_ log in the leader's log store was written. This can be important for replication health where write rate is high and the snapshot is large as followers may be unable to recover from a restart if restoring takes longer than the minimum value for the current leader. Compare this with `consul.raft.fsm.lastRestoreDuration` and `consul.raft.rpc.installSnapshot` to monitor. In normal usage this gauge value will grow linearly over time until a snapshot completes on the leader and the log is truncated. | ms | gauge | +| `consul.raft.rpc.installSnapshot` | Measures the time taken to process the installSnapshot RPC call. This metric should only be seen on agents which are currently in the follower state. | ms | timer | + +**Why they're important:** These metrics allow operators to monitor the health +and capacity of raft replication on servers. **When Consul is handling large +amounts of data and high write throughput** it is possible for the cluster to +get into the following state: + * Write throughput is high (say 500 commits per second or more) and constant + * The leader is writing out a large snapshot every minute or so + * The snapshot is large enough that it takes considerable time to restore from + disk on a restart or from the leader if a follower gets behind + * Disk IO available allows the leader to write a snapshot faster than it can be + restored from disk on a follower + +Under these conditions, a follower after a restart may be unable to catch up on +replication and become a voter again since it takes longer to restore from disk +or the leader than the leader takes to write a new snapshot and truncate its +logs. Servers retain +[`raft_trailing_logs`](/consul/docs/reference/agent#raft_trailing_logs) (default +`10240`) log entries even if their snapshot was more recent. On a leader +processing 500 commits/second, that is only about 20 seconds worth of logs. +Assuming the leader is able to write out a snapshot and truncate the logs in +less than 20 seconds, there will only be 20 seconds worth of "recent" logs +available on the leader right after the leader has taken a snapshot and never +more than about 80 seconds worth assuming it is taking a snapshot and truncating +logs every 60 seconds. + +In this state, followers must be able to restore a snapshot into memory and +resume replication in under 80 seconds otherwise they will never be able to +rejoin the cluster until write rates reduce. If they take more than 20 seconds +then there will be a chance that they are unlucky with timing when they restart +and have to download a snapshot again from the servers one or more times. If +they take 50 seconds or more then they will likely fail to catch up more often +than they succeed and will remain non-voters for some time until they happen to +complete the restore just before the leader truncates its logs. + +In the worst case, the follower will be left continually downloading snapshots +from the leader which are always too old to use by the time they are restored. +This can put additional strain on the leader transferring large snapshots +repeatedly as well as reduce the fault tolerance and serving capacity of the +cluster. + +Since Consul 1.5.3 +[`raft_trailing_logs`](/consul/docs/reference/agent#raft_trailing_logs) has been +configurable. Increasing it allows the leader to retain more logs and give +followers more time to restore and catch up. The tradeoff is potentially +slower appends which eventually might affect write throughput and latency +negatively so setting it arbitrarily high is not recommended. Before Consul +1.10.0 it required a rolling restart to change this configuration on the leader +though and since no followers could restart without loosing health this could +mean loosing cluster availability and needing to recover the cluster from a loss +of quorum. + +Since Consul 1.10.0 +[`raft_trailing_logs`](/consul/docs/reference/agent#raft_trailing_logs) is now +reloadable with `consul reload` or `SIGHUP` allowing operators to increase this +without the leader restarting or loosing leadership allowing the cluster to be +recovered gracefully. + +Monitoring these metrics can help avoid or diagnose this state. + +**What to look for:** + +`consul.raft.leader.oldestLogAge` should look like a saw-tooth wave increasing +linearly with time until the leader takes a snapshot and then jumping down as +the oldest logs are truncated. The lowest point on that line should remain +comfortably higher (i.e. 2x or more) than the time it takes to restore a +snapshot. + +There are two ways a snapshot can be restored on a follower: from disk on +startup or from the leader during an `installSnapshot` RPC. The leader only +sends an `installSnapshot` RPC if the follower is new and has no state, or if +it's state is too old for it to catch up with the leaders logs. + +`consul.raft.fsm.lastRestoreDuration` shows the time it took to restore from +either source the last time it happened. Most of the time this is when the +server was started. It's a gauge that will always show the last restore duration +(in Consul 1.10.0 and later) however long ago that was. + +`consul.raft.rpc.installSnapshot` is the timing information from the leader's +perspective when it installs a new snapshot on a follower. It includes the time +spent transferring the data as well as the follower restoring it. Since these +events are typically infrequent, you may need to graph the last value observed, +for example using `max_over_time` with a large range in Prometheus. While the +restore part will also be reflected in `lastRestoreDuration`, it can be useful +to observe this too since the logs need to be able to cover this entire +operation including the snapshot delivery to ensure followers can always catch +up safely. + +Graphing `consul.raft.leader.oldestLogAge` on the same axes as the other two +metrics here can help see at a glance if restore times are creeping dangerously +close to the limit of what the leader is retaining at the current write rate. + +Note that if servers don't restart often, then the snapshot could have grown +significantly since the last restore happened so last restore times might not +reflect what would happen if an agent restarts now. + +### License Expiration + +| Metric Name | Description | Unit | Type | +| :-------------------------------- | :--------------------------------------------------------------- | :---- | :---- | +| `consul.system.licenseExpiration` | Number of hours until the Consul Enterprise license will expire. | hours | gauge | + +**Why they're important:** + +This measurement indicates how many hours are left before the Consul Enterprise license expires. When the license expires some +Consul Enterprise features will cease to work. An example of this is that after expiration, it is no longer possible to create +or modify resources in non-default namespaces or to manage namespace definitions themselves even though reads of namespaced +resources will still work. + +**What to look for:** + +This metric should be monitored to ensure that the license doesn't expire to prevent degradation of functionality. + + +### Bolt DB Performance + +| Metric Name | Description | Unit | Type | +| :-------------------------------- | :--------------------------------------------------------------- | :---- | :---- | +| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_logstore.boltdb.no_freelist_sync`](/consul/docs/reference/agent#raft_logstore_boltdb_no_freelist_sync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge | +| `consul.raft.boltdb.logsPerBatch` | Measures the number of logs being written per batch to the db. | logs | sample | +| `consul.raft.boltdb.storeLogs` | Measures the amount of time spent writing logs to the db. | ms | timer | +| `consul.raft.boltdb.writeCapacity` | Theoretical write capacity in terms of the number of logs that can be written per second. Each sample outputs what the capacity would be if future batched log write operations were similar to this one. This similarity encompasses 4 things: batch size, byte size, disk performance and boltdb performance. While none of these will be static and its highly likely individual samples of this metric will vary, aggregating this metric over a larger time window should provide a decent picture into how this BoltDB store can perform | logs/second | sample | + + +** Requirements: ** +* Consul 1.11.0+ + +**Why they're important:** + +The `consul.raft.boltdb.storeLogs` metric is a direct indicator of disk write performance of a Consul server. If there are issues with the disk or +performance degradations related to Bolt DB, these metrics will show the issue and potentially the cause as well. + +**What to look for:** + +The primary thing to look for are increases in the `consul.raft.boltdb.storeLogs` times. Its value will directly govern an +upper limit to the throughput of write operations within Consul. + +In Consul each write operation will turn into a single Raft log to be committed. Raft will process these +logs and store them within Bolt DB in batches. Each call to store logs within Bolt DB is measured to record how long +it took as well as how many logs were contained in the batch. Writing logs in this fashion is serialized so that +a subsequent log storage operation can only be started after the previous one completed. The maximum number +of log storage operations that can be performed each second is represented with the `consul.raft.boltdb.writeCapacity` +metric. When log storage operations are becoming slower you may not see an immediate decrease in write capacity +due to increased batch sizes of the each operation. However, the max batch size allowed is 64 logs. Therefore if +the `logsPerBatch` metric is near 64 and the `storeLogs` metric is seeing increased time to write each batch to disk, +then it is likely that increased write latencies and other errors may occur. + +There can be a number of potential issues that can cause this. Often times it could be performance of the underlying +disks that is the issue. Other times it may be caused by Bolt DB behavior. Bolt DB keeps track of free space within +the `raft.db` file. When needing to allocate data it will use existing free space first before further expanding the +file. By default, Bolt DB will write a data structure containing metadata about free pages within the DB to disk for +every log storage operation. Therefore if the free space within the database grows excessively large, such as after +a large spike in writes beyond the normal steady state and a subsequent slow down in the write rate, then Bolt DB +could end up writing a large amount of extra data to disk for each log storage operation. This has the potential +to drastically increase disk write throughput, potentially beyond what the underlying disks can keep up with. To +detect this situation you can look at the `consul.raft.boltdb.freelistBytes` metric. This metric is a count of +the extra bytes that are being written for each log storage operation beyond the log data itself. While not a clear +indicator of an actual issue, this metric can be used to diagnose why the `consul.raft.boltdb.storeLogs` metric +is high. + +If Bolt DB log storage performance becomes an issue and is caused by free list management then setting +[`raft_logstore.boltdb.no_freelist_sync`](/consul/docs/reference/agent#raft_logstore_boltdb_no_freelist_sync) to `true` in the server's configuration +may help to reduce disk IO and log storage operation times. Disabling free list syncing will however increase +the startup time for a server as it must scan the raft.db file for free space instead of loading the already +populated free list structure. + +Consul includes an experiment backend configuration that you can use instead of BoldDB. Refer to [Experimental WAL LogStore backend](/consul/docs/deploy/server/wal/) for more information. + diff --git a/website/content/docs/connect/dataplane/telemetry.mdx b/website/content/docs/monitor/telemetry/dataplane.mdx similarity index 79% rename from website/content/docs/connect/dataplane/telemetry.mdx rename to website/content/docs/monitor/telemetry/dataplane.mdx index ce111e4872b..987568dcbeb 100644 --- a/website/content/docs/connect/dataplane/telemetry.mdx +++ b/website/content/docs/monitor/telemetry/dataplane.mdx @@ -1,29 +1,23 @@ --- layout: docs -page_title: Consul Dataplane - Enable Telemetry Metrics +page_title: Enable Dataplane telemetry metrics description: >- Configure telemetry to collect metrics you can use to debug and observe Consul Dataplane behavior and performance. --- -# Consul Dataplane Telemetry +# Enable Dataplane telemetry metrics -Consul Dataplane collects metrics about its own status and performance. -The following external metrics stores are supported: +Consul Dataplane collects metrics about its own status and performance. The following external metrics stores are supported: - [DogstatsD](https://docs.datadoghq.com/developers/dogstatsd/) - [Prometheus](https://prometheus.io/docs/prometheus/latest/) - [StatsD](https://github.com/statsd/statsd) -Consul Dataplane uses the same external metrics store that is configured for Envoy. To enable -telemetry for Consul Dataplane, enable telemetry for Envoy by specifying an external metrics store -in the proxy-defaults configuration entry or directly in the proxy.config field of the proxy service -definition. Refer to the [Envoy bootstrap -configuration](/consul/docs/connect/proxies/envoy#bootstrap-configuration) for details. +Consul Dataplane uses the same external metrics store that is configured for Envoy. To enable telemetry for Consul Dataplane, enable telemetry for Envoy by specifying an external metrics store in the proxy-defaults configuration entry or directly in the proxy.config field of the proxy service definition. Refer to the [Envoy bootstrap configuration](/consul/docs/connect/proxies/envoy#bootstrap-configuration) for details. -## Prometheus Metrics Merging +## Merge Prometheus metrics -When Prometheus metrics are used, Consul Dataplane configures Envoy to serve merged metrics through -a single endpoint. Metrics from the following sources are collected and merged: +When you use Prometheus metrics, Consul Dataplane configures Envoy to serve merged metrics through a single endpoint. The dataplane collects and merges metrics from the following sources: - Consul Dataplane - The Envoy process managed by Consul Dataplane @@ -40,4 +34,4 @@ Consul Dataplane supports the following metrics: | `consul_dataplane.connection_errors` | Measures the number of errors encountered on gRPC streams. This is labeled with the gRPC error status code. | number of errors | gauge | | `consul_dataplane.discover_servers_duration` | Measures the time `consul-dataplane` spends discovering Consul server IP addresses. | ms | timer | | `consul_dataplane.envoy_connected` | Indicates whether Envoy is currently connected to `consul-dataplane` and able to receive xDS updates. | 1 or 0 | gauge | -| `consul_dataplane.login_duration` | Measures the time `consul-dataplane` spends logging in to an ACL auth method. | ms | timer | +| `consul_dataplane.login_duration` | Measures the time `consul-dataplane` spends logging in to an ACL auth method. | ms | timer | \ No newline at end of file diff --git a/website/content/docs/monitor/telemetry/index.mdx b/website/content/docs/monitor/telemetry/index.mdx new file mode 100644 index 00000000000..7664e5e3bf7 --- /dev/null +++ b/website/content/docs/monitor/telemetry/index.mdx @@ -0,0 +1,12 @@ +--- +layout: docs +page_title: Monitor Consul - Telemetry +description: >- + Placeholder +--- + +# Consul Telemetry + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. + +Overview page that explains the difference between agent and dataplane telemetry. \ No newline at end of file diff --git a/website/content/docs/multi-tenant/admin-partition/index.mdx b/website/content/docs/multi-tenant/admin-partition/index.mdx new file mode 100644 index 00000000000..5b320d275e7 --- /dev/null +++ b/website/content/docs/multi-tenant/admin-partition/index.mdx @@ -0,0 +1,119 @@ +--- +page_title: Create admin partitions +description: |- + Admin partitions define boundaries between services managed by separate teams, enabling a service mesh across k8s clusters controlled by a single Consul server. Learn about their requirements and how to deploy admin partitions on Kubernetes. +--- + +# Admin partitions overview + + + +This feature requires version 1.11.0+ of +HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. +Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. + + + +This topic provides and overview of admin partitions, which are entities that define one or more administrative boundaries for single Consul deployments. + +## Introduction + +Admin partitions exist a level above namespaces in the identity hierarchy. They contain one or more namespaces and allow multiple independent tenants to share a Consul server cluster. As a result, admin partitions enable you to define administrative and communication boundaries between services managed by separate teams or belonging to separate stakeholders. They can also segment production and non-production services within the Consul deployment. + +As of Consul v1.11, every _datacenter_ contains a single administrative partition named `default` when created. With Consul Enterprise, operators have the option of creating multiple partitions within a single datacenter. + +-> **Preexisting nodes**: Admin partitions were introduced in Consul 1.11. Nodes existed in global scope prior to 1.11. After upgrading to Consul 1.11 or later, all nodes will be scoped to an admin partition, which will be the `default` partition when initially upgrading an existing deployment or for CE versions. + +There are tutorials available to help you get started with admin partitions. + +- [Multi-Tenancy with Administrative Partitions](/consul/tutorials/enterprise/consul-admin-partitions?utm_source=docs) +- [Multi Cluster Applications with Consul Enterprise Admin Partitions](/consul/tutorials/kubernetes/kubernetes-admin-partitions?utm_source=docs) + +### Default Admin Partition + +Each Consul cluster will have a default admin partition named `default`. The `default` partition must contain the Consul servers. The `default` admin partition is different from other partitions that may be created because the namespaces and resources in this partition are replicated between datacenters when they are federated. + +Any resource created without specifying an admin partition will inherit the partition of the ACL token used to create the resource. + +-> **Preexisting resources and the `default` partition**: Admin partitions were introduced in Consul 1.11. After upgrading to Consul 1.11 or later, the `default` partition will contain all resources created in previous versions. + +### Naming Admin Partitions + +Only characters that are valid in DNS names can be used to name admin partitions. +Names must also begin with a lowercase letter. + +### Namespaces + +When an admin partition is created, it will include the `default` namespace. You can create additional namespaces within the partition. Resources created within a namespace are not shared across partitions. + +### Cross-datacenter Replication + +Only resources in the `default` admin partition will be replicated to secondary datacenters (also see [Known Limitations](#known-limitations)). + +### DNS Queries + +When queried, the DNS interface returns results for a single admin partition. +The query may explicitly specify the admin partition to use in the lookup. +If you do not specify an admin partition in the query, +the lookup uses the admin partition of the Consul agent that received the query. +Server agents always exist within the `default` admin partition. +Client agents are configured to operate within a specific admin partition. + +By default, Consul on Kubernetes uses [Consul dataplanes](/consul/docs/connect/dataplane) instead of client agents to manage communication between service instances. But to use the Consul DNS for service discovery, you must start a Consul client in client admin partitions. + +### Service Mesh Configurations + +The partition in which [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults) and [`mesh`](/consul/docs/connect/config-entries/mesh) configurations are created define the scope of the configurations. Services registered in a partition will use the `proxy-defaults` and `mesh` configurations that have been created in the partition. + +### Cross-partition Networking + +You can configure services to be discoverable by downstream services in any partition within the datacenter. Specify the upstream services that you want to be available for discovery by configuring the `exported-services` configuration entry in the partition where the services are registered. Refer to the [`exported-services` documentation](/consul/docs/connect/config-entries/exported-services) for details. Additionally, the requests made by downstream applications must have the correct DNS name for the Virtual IP Service lookup to occur. Service Virtual IP lookups allow for communications across Admin Partitions when using Transparent Proxy. Refer to the [Service Virtual IP Lookups for Consul Enterprise](/consul/docs/services/discovery/dns-static-lookups#service-virtual-ip-lookups-for-consul-enterprise) for additional information. + +-> **Export mesh gateway **: When ACL is enabled in Consul-k8s and `meshgateway.mode` is set to `local`, the `mesh-gateway` service must be exported to their consumers for cross-partition traffic. + +### Cluster Peering + +You can use [cluster peering](/consul/docs/connect/cluster-peering/) between two admin partitions to connect clusters owned by different operators. Without Consul Enterprise, cluster peering is limited to the `default` partitions in each datacenter. Enterprise users can [establish cluster peering connections](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering) between any two admin partitions as long as the partitions are in separate datacenters. It is not possible to establish cluster peering connections between two partitions in a single datacenter. + +## Requirements + +Your Consul configuration must meet the following requirements to use admin partitions. + +### Versions + +- Consul 1.11.1 and newer + +### General Networking Requirements + +All Consul clients must be able to initiate Gossip, HTTPS, and RPC connections to the servers. All servers must also be able to initiate Gossip connections to the clients. + +For Consul on Kubernetes, a dedicated `partition` Kubernetes `LoadBalancer` service is deployed to allow communication from clients to servers for admin partitions support (refer to [Kubernetes Requirements](#kubernetes-requirements) for additional information). + +For other runtimes, refer to the documentation for your infrastructure environment for instructions on how to allow communication on the following ports: +- 443 (HTTPS API requests) +- 8300 (RPC) +- 8301 (Gossip) +- 8502 (gRPC from [Consul Dataplane](/consul/docs/connect/dataplane/consul-dataplane)) + +### Security Configurations + +- The agent token used by the client agent must allow `node:write` in the admin partition. +- The `write` permission for `proxy-defaults` requires `mesh:write`. See [Admin Partition Rules](/consul/docs/security/acl/acl-rules#admin-partition-rules) for additional information. +- The `write` permissions for ingress and terminating gateways require `mesh:write` privileges. +- Wildcards (`*`) are not supported for the partition field when creating intentions for admin partitions. The partition name must be explicitly specified. +- With the exception of the `default` admin partition, ACL rules configured for admin partitions are isolated, so policies defined in partitions outside of the `default` partition can only reference their local partition. + +### Agent Configurations + +- The admin partition name should be specified in client agent configurations: + + ```hcl + partition = "" + ``` + +- The anti-entropy sync will use the configured admin partition name when registering the node. + +## Known Limitations + +- Only the `default` admin partition is supported when federating multiple Consul datacenters in a WAN. +- Admin partitions have no theoretical limit. We intend to conduct a large-scale test to identify a recommended max in the future. diff --git a/website/content/docs/enterprise/admin-partitions.mdx b/website/content/docs/multi-tenant/admin-partition/k8s.mdx similarity index 91% rename from website/content/docs/enterprise/admin-partitions.mdx rename to website/content/docs/multi-tenant/admin-partition/k8s.mdx index f9dc2f6b350..02705005e65 100644 --- a/website/content/docs/enterprise/admin-partitions.mdx +++ b/website/content/docs/multi-tenant/admin-partition/k8s.mdx @@ -1,11 +1,10 @@ --- -layout: docs -page_title: Admin Partitions (Enterprise) -description: >- +page_title: Configure partitions on Kubernetes +description: |- Admin partitions define boundaries between services managed by separate teams, enabling a service mesh across k8s clusters controlled by a single Consul server. Learn about their requirements and how to deploy admin partitions on Kubernetes. --- -# Consul Enterprise Admin Partitions +# Configure partitions on Kubernetes @@ -64,17 +63,17 @@ By default, Consul on Kubernetes uses [Consul dataplanes](/consul/docs/connect/d ### Service Mesh Configurations -The partition in which [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults) and [`mesh`](/consul/docs/connect/config-entries/mesh) configurations are created define the scope of the configurations. Services registered in a partition will use the `proxy-defaults` and `mesh` configurations that have been created in the partition. +The partition in which [`proxy-defaults`](/consul/docs/reference/config-entry/proxy-defaults) and [`mesh`](/consul/docs/reference/config-entry/mesh) configurations are created define the scope of the configurations. Services registered in a partition will use the `proxy-defaults` and `mesh` configurations that have been created in the partition. ### Cross-partition Networking -You can configure services to be discoverable by downstream services in any partition within the datacenter. Specify the upstream services that you want to be available for discovery by configuring the `exported-services` configuration entry in the partition where the services are registered. Refer to the [`exported-services` documentation](/consul/docs/connect/config-entries/exported-services) for details. Additionally, the requests made by downstream applications must have the correct DNS name for the Virtual IP Service lookup to occur. Service Virtual IP lookups allow for communications across Admin Partitions when using Transparent Proxy. Refer to the [Service Virtual IP Lookups for Consul Enterprise](/consul/docs/services/discovery/dns-static-lookups#service-virtual-ip-lookups-for-consul-enterprise) for additional information. +You can configure services to be discoverable by downstream services in any partition within the datacenter. Specify the upstream services that you want to be available for discovery by configuring the `exported-services` configuration entry in the partition where the services are registered. Refer to the [`exported-services` documentation](/consul/docs/reference/config-entry/exported-services) for details. Additionally, the requests made by downstream applications must have the correct DNS name for the Virtual IP Service lookup to occur. Service Virtual IP lookups allow for communications across Admin Partitions when using Transparent Proxy. Refer to the [Service Virtual IP Lookups for Consul Enterprise](/consul/docs/services/discovery/dns-static-lookups#service-virtual-ip-lookups-for-consul-enterprise) for additional information. -> **Export mesh gateway **: When ACL is enabled in Consul-k8s and `meshgateway.mode` is set to `local`, the `mesh-gateway` service must be exported to their consumers for cross-partition traffic. ### Cluster Peering -You can use [cluster peering](/consul/docs/connect/cluster-peering/) between two admin partitions to connect clusters owned by different operators. Without Consul Enterprise, cluster peering is limited to the `default` partitions in each datacenter. Enterprise users can [establish cluster peering connections](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering) between any two admin partitions as long as the partitions are in separate datacenters. It is not possible to establish cluster peering connections between two partitions in a single datacenter. +You can use [cluster peering](/consul/docs/east-west/cluster-peering/) between two admin partitions to connect clusters owned by different operators. Without Consul Enterprise, cluster peering is limited to the `default` partitions in each datacenter. Enterprise users can [establish cluster peering connections](/consul/docs/east-west/cluster-peering/establish-connection/vm) between any two admin partitions as long as the partitions are in separate datacenters. It is not possible to establish cluster peering connections between two partitions in a single datacenter. ## Requirements @@ -94,12 +93,12 @@ For other runtimes, refer to the documentation for your infrastructure environme - 443 (HTTPS API requests) - 8300 (RPC) - 8301 (Gossip) -- 8502 (gRPC from [Consul Dataplane](/consul/docs/connect/dataplane/consul-dataplane)) +- 8502 (gRPC from [Consul Dataplane](/consul/docsreference-cli/consul-dataplane)) ### Security Configurations - The agent token used by the client agent must allow `node:write` in the admin partition. -- The `write` permission for `proxy-defaults` requires `mesh:write`. See [Admin Partition Rules](/consul/docs/security/acl/acl-rules#admin-partition-rules) for additional information. +- The `write` permission for `proxy-defaults` requires `mesh:write`. Refer to [Admin partition rules](/consul/docs/secure-consul/acl/rules#admin-partition-rules) for additional information. - The `write` permissions for ingress and terminating gateways require `mesh:write` privileges. - Wildcards (`*`) are not supported for the partition field when creating intentions for admin partitions. The partition name must be explicitly specified. - With the exception of the `default` admin partition, ACL rules configured for admin partitions are isolated, so policies defined in partitions outside of the `default` partition can only reference their local partition. @@ -202,7 +201,7 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet - Refer to the [Helm Chart Configuration reference](/consul/docs/k8s/helm) for details about the parameters you can specify in the file. + Refer to the [Helm Chart Configuration reference](/consul/docs/reference/k8s/helm) for details about the parameters you can specify in the file. 1. Install the Consul server(s) using the values file created in the previous step: @@ -325,8 +324,3 @@ You can log into the Consul UI to verify that the partitions appear as expected. You will see the `default` and `clients` partitions available in the **Admin Partition** drop-down menu. ![Partitions will appear in the Admin Partitions drop-down menu within the Consul UI.](/img/admin-partitions/consul-admin-partitions-verify-in-ui.png) - -## Known Limitations - -- Only the `default` admin partition is supported when federating multiple Consul datacenters in a WAN. -- Admin partitions have no theoretical limit. We intend to conduct a large-scale test to identify a recommended max in the future. diff --git a/website/content/docs/multi-tenant/index.mdx b/website/content/docs/multi-tenant/index.mdx new file mode 100644 index 00000000000..a9abfe49ee3 --- /dev/null +++ b/website/content/docs/multi-tenant/index.mdx @@ -0,0 +1,44 @@ +--- +layout: docs +page_title: Administrate multi-tenant Consul datacenters +description: >- + This topic provides an overview of Consul's multi-tenancy features, including admin partitions, namespaces, network segmwents, and sameness groups. +--- + +# Administrate multi-tenant Consul datacenters + +This topic provides an overview of Consul's multi-tenancy features. A single Consul datacenter can support multiple teams and organizations by restricting resources, service traffic, and user access to a combination of admin partitions, namespaces, networking segments, and sameness groups. + +Consul Community Edition supports the `default` partition and `default` namespace, but does not support multi-tenancy. For more information, refer to [Consul Enterprise](/consul/docs/enterprise). + +## Introduction + +In large enterprise organizations, configuring, deploying, securing, and managing separate Consul datacenters for each team or project can be an impractical and resource-intensive solution. Consul Enterprise users can implement multi-tenant configurations of Consul server clusters so that teams can share a set of Consul servers. This arrangement can lower deployment costs while maintaining network security and preventing conflicts in resource names. + +The two main elements in Consul's multi-tenancy support are _admin partitions_ and _namespaces_. Consul namespaces are distinct from Kubernetes Namespaces, but you can configure Consul to mirror existing Kubernetes Namespaces. Consul also supports multi-tenancy configurations for networks that are segmented according to firewalls, and enables operators to manage a set of admin partitions and namespaces using sameness groups. + +## Admin partitions + +@include 'text/descriptions/admin-partition.mdx' + +## Namespaces + +@include 'text/descriptions/namespace.mdx' + +## Network segments + +@include 'text/descriptions/network-segment.mdx' + +## Sameness groups + +@include 'text/descriptions/sameness-group.mdx' + +## Guidance + +The following resources are available to help you learn about Consul multi-tenancy and its usage. + +@include 'text/guidance/multi-tenant.mdx' + +## Constraints, limitations, and troubleshooting + +@include 'text/limitations/multi-tenant.mdx' diff --git a/website/content/docs/multi-tenant/namespace/index.mdx b/website/content/docs/multi-tenant/namespace/index.mdx new file mode 100644 index 00000000000..cbb7fb3d065 --- /dev/null +++ b/website/content/docs/multi-tenant/namespace/index.mdx @@ -0,0 +1,25 @@ +--- +page_title: Namespaces overview +description: |- + Namespaces reduce operational challenges in large deployments. Learn how to define a namespace so that multiple users or teams can access and use the same datacenter without impacting each other. +--- + +# Namespaces overview + + + +This feature requires +HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. +Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. + + + +With Consul Enterprise 1.7.0+, data for different users or teams +can be isolated from each other with the use of namespaces. Namespaces help reduce operational challenges +by removing restrictions around uniqueness of resource names across distinct teams, and enable operators +to provide self-service through delegation of administrative privileges. + +For more information on how to use namespaces with Consul Enterprise please review the following tutorials: + +- [Register and Discover Services within Namespaces](/consul/tutorials/namespaces/namespaces-share-datacenter-access?utm_source=docs) - Register multiple services within different namespaces in Consul. +- [Setup Secure Namespaces](/consul/tutorials/namespaces/namespaces-secure-shared-access?utm_source=docs) - Secure resources within a namespace and delegate namespace ACL rights via ACL tokens. \ No newline at end of file diff --git a/website/content/docs/multi-tenant/namespace/k8s.mdx b/website/content/docs/multi-tenant/namespace/k8s.mdx new file mode 100644 index 00000000000..f2c5290e8d9 --- /dev/null +++ b/website/content/docs/multi-tenant/namespace/k8s.mdx @@ -0,0 +1,62 @@ +--- +page_title: Using Consul and Kubernetes namespaces +description: |- + Namespaces reduce operational challenges in large deployments. Learn how to define a namespace so that multiple users or teams can access and use the same datacenter without impacting each other. +--- + +# Using Consul and Kubernetes namespaces + +Consul Enterprise 1.7+ supports Consul namespaces. When Kubernetes pods are registered +into Consul, you can control which Consul namespace they are registered into. + +There are three options available: + +1. **Single Destination Namespace** – Register all Kubernetes pods, regardless of namespace, + into the same Consul namespace. + + This can be configured with: + + ```yaml + global: + enableConsulNamespaces: true + + connectInject: + enabled: true + consulNamespaces: + consulDestinationNamespace: 'my-consul-ns' + ``` + + -> **NOTE:** If the destination namespace does not exist we will create it. + +1. **Mirror Namespaces** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes namespace. + For example, pod `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `ns-1`. + If a mirrored namespace does not exist in Consul, it will be created. + + This can be configured with: + + ```yaml + global: + enableConsulNamespaces: true + + connectInject: + enabled: true + consulNamespaces: + mirroringK8S: true + ``` + +1. **Mirror Namespaces With Prefix** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes + namespace **with a prefix**. + For example, given a prefix `k8s-`, pod `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `k8s-ns-1`. + + This can be configured with: + + ```yaml + global: + enableConsulNamespaces: true + + connectInject: + enabled: true + consulNamespaces: + mirroringK8S: true + mirroringK8SPrefix: 'k8s-' + ``` \ No newline at end of file diff --git a/website/content/docs/enterprise/network-segments/network-segments-overview.mdx b/website/content/docs/multi-tenant/network-segment/index.mdx similarity index 88% rename from website/content/docs/enterprise/network-segments/network-segments-overview.mdx rename to website/content/docs/multi-tenant/network-segment/index.mdx index f23358c4bed..ae3c2e3259c 100644 --- a/website/content/docs/enterprise/network-segments/network-segments-overview.mdx +++ b/website/content/docs/multi-tenant/network-segment/index.mdx @@ -1,24 +1,24 @@ --- layout: docs -page_title: Network Segments Overview +page_title: Network segments overview description: >- Network segments enable LAN gossip traffic within a datacenter when network rules or firewalls prevent specific sets of clients from communicating directly. Learn about segmented network concepts. --- -# Network Segments Overview +# Network segments overview -Network segmentation is the practice of dividing a network into multiple segments or subnets that act as independent networks. This topic provides an overview of concepts related to operating Consul in a segmented network. +Network segmentation is the practice of dividing a network into multiple segments or subnets that act as independent networks. This topic provides an overview of concepts related to operating Consul in a segmented network. -This feature requires Consul Enterprise version 0.9.3 or later. +This feature requires Consul Enterprise version 0.9.3 or later. Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. ## Segmented networks -Consul requires full connectivity between all agents in a datacenter within a LAN gossip pool. In some environments, however, business policies enforced through network rules or firewalls prevent full connectivity between all agents. These environments are called _segmented networks_. Network segments are isolated LAN gossip pools that only require full connectivity between agent members on the same segment. +Consul requires full connectivity between all agents in a datacenter within a LAN gossip pool. In some environments, however, business policies enforced through network rules or firewalls prevent full connectivity between all agents. These environments are called _segmented networks_. Network segments are isolated LAN gossip pools that only require full connectivity between agent members on the same segment. To use Consul in a segmented network, you must define the segments in your server agent configuration and direct client agents to join one of the segments. The Consul network segment configuration should match the LAN gossip pool boundaries. The following diagram shows how a network may be segmented: @@ -26,17 +26,19 @@ To use Consul in a segmented network, you must define the segments in your serve ## Default network segment -By default, all Consul agents are part of a shared Serf LAN gossip pool, referred to as the `` network segment. Because all agents are within the same segment, full mesh connectivity within the datacenter is required. The following diagram shows the `` network segment: +By default, all Consul agents are part of a shared Serf LAN gossip pool, referred to as the `` network segment. Because all agents are within the same segment, full mesh connectivity within the datacenter is required. The following diagram shows the `` network segment: ![Consul datacenter default agent connectivity: one network segment](/img/network-segments/consul-network-segments-single.png) ## Segment membership -Server agents are members of all segments. The datacenter includes the `` segment, as well as additional segments defined in the `segments` server agent configuration option. Refer to the [`segments`](/consul/docs/agent/config/config-files#segments) documentation for additional information. +Server agents are members of all segments. The datacenter includes the `` segment, as well as additional segments defined in the `segments` server agent configuration option. Refer to the [`segments`](/consul/docs/reference/agent#segments) documentation for additional information. -Each client agent can only be a member of one segment at a time. Client agents are members of the `` segment unless they are configured to join a different segment. +Each client agent can only be a member of one segment at a time. Client agents are members of the `` segment unless they are configured to join a different segment. For a client agent to join the Consul datacenter, it must connect to another agent (client or server) within its configured segment. +Read the [Network Segments documentation](/consul/docs/enterprise/network-segments/network-segments-overview) to learn more about network segments. + -> **Info:** Network segments enable you to operate a Consul datacenter without full mesh (LAN) connectivity between agents. To federate multiple Consul datacenters without full mesh (WAN) connectivity between all server agents in all datacenters, diff --git a/website/content/docs/enterprise/network-segments/create-network-segment.mdx b/website/content/docs/multi-tenant/network-segment/vm.mdx similarity index 88% rename from website/content/docs/enterprise/network-segments/create-network-segment.mdx rename to website/content/docs/multi-tenant/network-segment/vm.mdx index bc300f7708a..db7917f147c 100644 --- a/website/content/docs/enterprise/network-segments/create-network-segment.mdx +++ b/website/content/docs/multi-tenant/network-segment/vm.mdx @@ -1,22 +1,20 @@ --- -layout: docs -page_title: Create Network Segments -description: >- - Learn how to create Consul network segments to enable services in the LAN gossip pool to communicate across communication boundaries. +page_title: Create network segments +description: |- + Learn how to create Consul network segments to enable services in the LAN gossip pool to communicate across communication boundaries. --- -# Create Network Segments +# Create network segments on virtual machines (VMs) This topic describes how to create Consul network segments so that services can connect to other services in the LAN gossip pool that have been placed into separate communication boundaries. Refer to [Network Segments Overview](/consul/docs/enterprise/network-segments/network-segments-overview) for additional information. - ## Requirements - Consul Enterprise 0.9.3+ ## Define segments in the server configuration -1. Add the `segments` block to your server configuration. Refer to the [`segments`](/consul/docs/agent/config/config-files#segments) documentation for details about how to define the configuration. +1. Add the `segments` block to your server configuration. Refer to the [`segments`](/consul/docs/reference/agent#segments) documentation for details about how to define the configuration. In the following example, an `alpha` segment is configured to listen for traffic on port `8303` and a `beta` segment is configured to listen to traffic on port `8304`: @@ -81,13 +79,13 @@ This topic describes how to create Consul network segments so that services can ## Configure clients to join segments -Client agents can only be members of one segment at a time. You can direct clients to join a segment by specifying the address and name of the segment with the [`-join`](/consul/docs/agent/config/cli-flags#_join) and [`-segment`](/consul/docs/agent/config/cli-flags#_segment) command line flags when starting the agent. +Client agents can only be members of one segment at a time. You can direct clients to join a segment by specifying the address and name of the segment with the [`-join`](/consul/docsreference-cli/agent#_join) and [`-segment`](/consul/docsreference-cli/agent#_segment) command line flags when starting the agent. ```shell-session $ consul agent -config-file client.hcl -join 10.20.10.11:8303 -segment alpha ``` -Alternatively, you can add the [`retry_join`](/consul/docs/agent/config/config-files#retry_join) and [`segment`](/consul/docs/agent/config/config-files#segment-1) parameters to your client agent configuration file: +Alternatively, you can add the [`retry_join`](/consul/docs/reference/agent#retry_join) and [`segment`](/consul/docs/reference/agent#segment-1) parameters to your client agent configuration file: ```hcl node_name = "consul-client" diff --git a/website/content/docs/connect/cluster-peering/usage/create-sameness-groups.mdx b/website/content/docs/multi-tenant/sameness-group.mdx similarity index 88% rename from website/content/docs/connect/cluster-peering/usage/create-sameness-groups.mdx rename to website/content/docs/multi-tenant/sameness-group.mdx index 71537355eb9..f9d214d93af 100644 --- a/website/content/docs/connect/cluster-peering/usage/create-sameness-groups.mdx +++ b/website/content/docs/multi-tenant/sameness-group.mdx @@ -16,14 +16,14 @@ Sameness groups are a user-defined set of partitions with identical configuratio To create and use sameness groups in your network, complete the following steps: -- **Create sameness group configuration entries for each member of the group**. For each partition that you want to include in the sameness group, you must write and apply a sameness group configuration entry that defines the group’s members from that partition’s perspective. Refer to the [sameness group configuration entry reference](/consul/docs/connect/config-entries/sameness-group) for details on configuration hierarchy, default values, and specifications. -- **Export services to members of the sameness group**. You must write and apply an exported services configuration entry that makes the partition’s services available to other members of the group. Refer to [exported services configuration entry reference](/consul/docs/connect/config-entries/exported-services) for additional specification information. -- **Create service intentions to authorize other members of the sameness group**. For each partition that you want to include in the sameness group, you must write and apply service intentions configuration entries to authorize traffic to your services from all members of the group. Refer to the [service intentions configuration entry reference](/consul/docs/connect/config-entries/service-intentions) for additional specification information. +- **Create sameness group configuration entries for each member of the group**. For each partition that you want to include in the sameness group, you must write and apply a sameness group configuration entry that defines the group’s members from that partition’s perspective. Refer to the [sameness group configuration entry reference](/consul/docs/reference/config-entry/sameness-group) for details on configuration hierarchy, default values, and specifications. +- **Export services to members of the sameness group**. You must write and apply an exported services configuration entry that makes the partition’s services available to other members of the group. Refer to [exported services configuration entry reference](/consul/docs/reference/config-entry/exported-services) for additional specification information. +- **Create service intentions to authorize other members of the sameness group**. For each partition that you want to include in the sameness group, you must write and apply service intentions configuration entries to authorize traffic to your services from all members of the group. Refer to the [service intentions configuration entry reference](/consul/docs/reference/config-entry/service-intention) for additional specification information. ## Requirements -- All datacenters where you want to create sameness groups must run Consul v1.16 or later. Refer to [upgrade instructions](/consul/docs/upgrading/instructions) for more information about how to upgrade your deployment. -- A [Consul Enterprise license](/consul/docs/enterprise/license/overview) is required. +- All datacenters where you want to create sameness groups must run Consul v1.16 or later. Refer to [upgrade instructions](/consul/docs/upgrade/instructions) for more information about how to upgrade your deployment. +- A [Consul Enterprise license](/consul/docs/enterprise/license) is required. ### Before you begin @@ -37,13 +37,15 @@ To prevent errors, check the names of the services deployed to your network and #### Deploy mesh gateways for each partition -Mesh gateways are required for cluster peering connections and recommended to secure cross-partition traffic in a single datacenter. Therefore, we recommend securing your network, and especially your production environment, by deploying mesh gateways to each datacenter. Refer to [mesh gateways specifications](/consul/docs/connect/cluster-peering/tech-specs#mesh-gateway-specifications) for more information about configuring mesh gateways. +Mesh gateways are required for cluster peering connections and recommended to secure cross-partition traffic in a single datacenter. Therefore, we recommend securing your network, and especially your production environment, by deploying mesh gateways to each datacenter. Refer to [mesh gateways specifications](/consul/docs/east-west/cluster-peering/tech-specs#mesh-gateway-specifications) for more information about configuring mesh gateways. #### Establish cluster peering relationships between remote partitions -You must establish connections with cluster peers before you can create a sameness group that includes them. A cluster peering connection exists between two admin partitions in different datacenters, and each connection between two partitions must be established separately with each peer. Refer to [establish cluster peering connections](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering) for step-by-step instructions. +You must establish connections with cluster peers before you can create a sameness group that includes them. A cluster peering connection exists between two admin partitions in different datacenters, and each connection between two partitions must be established separately with each peer. Refer to [establish cluster peering connections](/consul/docs/east-west/cluster-peering/establish-connection/vm) for step-by-step instructions. -To establish cluster peering connections and define a group as part of the same workflow, follow instructions up to [Export services between clusters](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering#export-services-between-clusters). You can use the same exported services and service intention configuration entries to establish the cluster peering connection and create the sameness group. +You can establish and manage cluster peering relationships between all of your self-managed clusters using [HCP Consul Central](/hcp/docs/consul/concepts/consul-central). For more information, refer to [cluster peering global view](/hcp/docs/consul/monitor/consul-central/global-views#cluster-peering) in the HCP documentation. + +To establish cluster peering connections and define a group as part of the same workflow, follow instructions up to [Export services between clusters](/consul/docs/east-west/cluster-peering/establish-connection/vm#export-services-between-clusters). You can use the same exported services and service intention configuration entries to establish the cluster peering connection and create the sameness group. ## Create a sameness group @@ -55,7 +57,7 @@ To create a sameness group, you must write and apply a set of three configuratio ### Define the sameness group from each partition’s perspective -To define a sameness group for a partition, create a [sameness group configuration entry](/consul/docs/connect/config-entries/sameness-group) that describes the partitions and cluster peers that are part of the group. Typically, the order follows this pattern: +To define a sameness group for a partition, create a [sameness group configuration entry](/consul/docs/reference/config-entry/sameness-group) that describes the partitions and cluster peers that are part of the group. Typically, the order follows this pattern: 1. The local partition 1. Other partitions in the same datacenter @@ -124,7 +126,7 @@ Then, repeat the process to create and apply a configuration entry for every par ### Export services to other partitions in the sameness group -To make services available to other members of the sameness group, you must write and apply an [exported services configuration entry](/consul/docs/connect/config-entries/exported-services) to each partition in the group. This configuration entry exports the local partition's services to the rest of the group members. In each configuration entry, set the sameness group as the `Consumer` for the exported services. You can export multiple services in a single exported services configuration entry. +To make services available to other members of the sameness group, you must write and apply an [exported services configuration entry](/consul/docs/reference/config-entry/exported-services) to each partition in the group. This configuration entry exports the local partition's services to the rest of the group members. In each configuration entry, set the sameness group as the `Consumer` for the exported services. You can export multiple services in a single exported services configuration entry. Because you are configuring the consumer to reference the sameness group instead of listing out each partition and cluster peer, you do not need to edit this configuration again when you add a partition or peer to the group. @@ -191,7 +193,7 @@ Services = [ -For more information about exporting services, including examples of configuration entries that export multiple services at the same time, refer to the [exported services configuration entry reference](/consul/docs/connect/config-entries/exported-services). +For more information about exporting services, including examples of configuration entries that export multiple services at the same time, refer to the [exported services configuration entry reference](/consul/docs/reference/config-entry/exported-services). After you create each exported services configuration entry, apply it to the Consul server with the following CLI command: @@ -211,7 +213,7 @@ Be aware that this scenario requires you to write the `sameness-group` configura Exporting the service to other members of the sameness group makes the services visible to remote partitions, but you must also create service intentions so that local services are authorized to send and receive traffic from a member of the sameness group. -For each partition that is member of the group, write and apply a [service intentions configuration entry](/consul/docs/connect/config-entries/service-intentions) that defines intentions for the services that are part of the group. In the `Sources` block of the configuration entry, include the service name, its namespace, the sameness group, and grant `allow` permissions. +For each partition that is member of the group, write and apply a [service intentions configuration entry](/consul/docs/reference/config-entry/service-intention) that defines intentions for the services that are part of the group. In the `Sources` block of the configuration entry, include the service name, its namespace, the sameness group, and grant `allow` permissions. Because you are using the sameness group in the `Sources` block rather than listing out each partition and cluster peer, you do not have to make further edits to the service intentions configuration entries when members are added to or removed from the group. @@ -279,7 +281,7 @@ Sources = [ -Refer to [create and manage intentions](/consul/docs/connect/intentions/create-manage-intentions) for more information about how to create and apply service intentions in Consul. +Refer to [create and manage intentions](/consul/docs/secure-mesh/intentions/create) for more information about how to create and apply service intentions in Consul. After you create each service intentions configuration entry, apply it to the Consul server with the following CLI command: diff --git a/website/content/docs/nia/usage/errors-ref.mdx b/website/content/docs/nia/usage/errors-ref.mdx deleted file mode 100644 index 4cbb525a3a1..00000000000 --- a/website/content/docs/nia/usage/errors-ref.mdx +++ /dev/null @@ -1,143 +0,0 @@ ---- -layout: docs -page_title: Error Messages -description: >- - Look up Consul-Terraform-Sync error message to learn how to resolve potential issues using CTS. ---- - -# Error Messages - -This topic explains error messages you may encounter when using Consul-Terraform-Sync (CTS). - -## Example error log messages - -If you configured the CTS cluster to run in [high availability mode](/consul/docs/nia/usage/run-ha) and the local module is missing, then the following message appears in the log: - -```shell-session -[ERROR] ha.compat: error="compatibility check failure: stat ./example-module: no such file or directory" -``` - -The resolution is to add the missing local module on the incompatible CTS instance. Refer to the [`module` documentation](/consul/docs/nia/configuration#module) in the CTS configuration reference for additional information. - -## Example API and CLI error messages - -**Error**: - -```json -{ - "error": { - "message": "redirect requests to leader 'cts-01' at cts-01.example.com:8558" - } -} -``` - -**Conditions**: - -- CTS can determine the leader. -- `high_availability.instance.address` is configured for the leader. -- The CTS instance you sent the request to is not the leader. - - - -**Resolution**: - -Redirect the request to the leader instance, for example: - -```shell-session -$ curl --request GET cts-01.example.com:8558/v1/tasks -``` ---- - - -**Error**: - -```json -{ - "error": { - "message": "redirect requests to leader 'cts-01'" - } -} -``` - -**Conditions**: - -* CTS can determine the leader. -* The CTS instance you sent the request to is not the leader. -* `high_availability.instance.address` is not configured. - -**Resolution**: - -Identify the leader instance address and redirect the request to the leader. You can identify the leader by calling the [`status/cluster` API endpoint](/consul/docs/nia/api/status#cluster-status) or by checking the logs for the following entry: - -```shell-session -[INFO] ha: acquired leadership lock: id=. - -We recommend deploying a cluster that has three instances. - ---- - -**Error**: - -```json -{ - "error": { - "message": "redirect requests to leader" - } -} -``` - -**Conditions**: - -* The CTS instance you sent the request to is not the leader. -* The CTS is unable to determine the leader. -* Note that these conditions are rare. - - -**Resolution**: - -Identify and send the request to the leader CTS instance. You can identify the leader by calling the [`status/cluster` API endpoint](/consul/docs/nia/api/status#cluster-status) or by checking the logs for the following entry: - -```shell-session -[INFO] ha: acquired leadership lock: id= -``` - ---- - -**Error**: - -```json -{ - "error": { - "message": "this endpoint is only available with high availability configured" - } -} -``` - -**Conditions**: - -- You called the [`status/cluster` API endpoint](/consul/docs/nia/api/status#cluster-status) without configuring CTS for [high availability](/consul/docs/nia/usage/run-ha). - -**Resolution**: - -Configure CTS to run in [high availability mode](/consul/docs/nia/usage/run-ha). - ---- - -**Error**: - -```json -{ - "error": { - "message": "example error message: unsupported status parameter value" - } -} -``` - -**Conditions**: - -- You sent a request to the `status` API endpoint. -- The request included an unsupported parameter value. - -**Resolution**: - -Send a new request and verify that all of the parameter values are correct. \ No newline at end of file diff --git a/website/content/docs/nia/usage/run.mdx b/website/content/docs/nia/usage/run.mdx deleted file mode 100644 index 43e35f09c39..00000000000 --- a/website/content/docs/nia/usage/run.mdx +++ /dev/null @@ -1,41 +0,0 @@ ---- -layout: docs -page_title: Run Consul-Terraform-Sync -description: >- - Consul-Terraform-Sync requires a Terraform Provider, a Terraform Module and a running Consul Cluster outside of the `consul-terraform-sync` daemon. ---- - -# Run Consul-Terraform-Sync - -This topic describes the basic procedure for running Consul-Terraform-Sync (CTS). Verify that you have met the [basic requirements](/consul/docs/nia/usage/requirements) before attempting to run CTS. - -1. Move the `consul-terraform-sync` binary to a location available on your `PATH`. - - ```shell-session - $ mv ~/Downloads/consul-terraform-sync /usr/local/bin/consul-terraform-sync - ``` - -2. Create the config.hcl file and configure the options for your use case. Refer to the [configuration reference](/consul/docs/nia/configuration) for details about all CTS configurations. - -3. Run Consul-Terraform-Sync (CTS). - - ```shell-session - $ consul-terraform-sync start -config-file - ``` - -4. Check status of tasks. Replace port number if configured in Step 2. Refer to [Consul-Terraform-Sync API](/consul/docs/nia/api) for additional information. - - ```shell-session - $ curl localhost:8558/status/tasks - ``` - -## Other Run modes - -You can [configure CTS for high availability](/consul/docs/nia/usage/run-ha), which is an enterprise capability that ensures that all changes to Consul that occur during a failover transition are processed and that CTS continues to operate as expected. - -You can start CTS in [inspect mode](/consul/docs/nia/cli/start#modes) to review and test your configuration before applying any changes. Inspect mode allows you to verify that the changes work as expected before running them in an unsupervised daemon mode. - -For hands-on instructions on using inspect mode, refer to the [Consul-Terraform-Sync Run Modes and Status Inspection](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-run-and-inspect?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) tutorial. - - - diff --git a/website/content/docs/nomad.mdx b/website/content/docs/nomad.mdx new file mode 100644 index 00000000000..897981e035b --- /dev/null +++ b/website/content/docs/nomad.mdx @@ -0,0 +1,8 @@ +--- +layout: docs +page_title: Consul on Nomad +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Consul on Nomad \ No newline at end of file diff --git a/website/content/docs/nomad/index.mdx b/website/content/docs/nomad/index.mdx deleted file mode 100644 index a9ba57fb6a0..00000000000 --- a/website/content/docs/nomad/index.mdx +++ /dev/null @@ -1,58 +0,0 @@ ---- -layout: docs -page_title: Consul on Nomad -description: >- - Consul is a service networking solution that you can run with Nomad. Learn more about Consul on Nomad and find documentation specific to the Nomad runtime. ---- - -# Consul on Nomad - -This topic provides an overview of the documentation available for users running Consul with Nomad. - -For more information about using Nomad to schedule clusters and applications, refer to the [Nomad documentation](/nomad/docs). - -## Introduction - -Nomad is HashiCorp’s workload orchestrator. It enables you to run containers, legacy, and batch applications together on the same infrastructure. Just like a Consul client runs as a system daemon on a worker node, Nomad is deployed in a similar fashion. In order to use Consul with Nomad, you must configure Nomad to access the Consul cluster. We recommend running a Consul client alongside each Nomad client. - -Consul and Nomad operate independently in their deployment and functions, but can integrate to simplify the other’s operations. For example, Nomad can register tasks as services in the Consul catalog and configure sidecar proxies. Furthermore, Nomad servers can also register themselves as a service in Consul, which helps with bootstrapping a Nomad cluster. - -Deployments in Nomad can take advantage of Consul service discovery, service mesh, or both. You can leverage Consul DNS and run the Nomad service workloads, or start a sidecar process for each service to abstract the networking layer within the service mesh environment. - -Nomad supports the following Consul features: - -- Automatic clustering -- Concurrent connections to multiple Consul clusters -- Service discovery -- Service mesh -- Key/value store for dynamic application configuration -- Consul access controls -- Namespaces -- Admin partitions - -## Tutorials - -If you are familiar with virtualized workloads in a Linux environment, we recommend you attempt the [Nomad getting started tutorials](/nomad/tutorials/get-started) to get acquainted with the basics of running workloads in Nomad. Then complete the [Consul getting started on VMs tutorials](/consul/tutorials/get-started-vms) to learn how to configure and deploy Consul. Then review the dedicated Consul and Nomad tutorials to understand how both systems interact together. - -To learn more about using Consul with Nomad, refer to the following tutorials in the Nomad documentation: - -- [Convert from Nomad service discovery to Consul service discovery](/nomad/tutorials/service-discovery/service-discovery-consul-conversion) -- [Secure Nomad jobs with Consul service mesh](/nomad/tutorials/integrate-consul/consul-service-mesh) -- [Consul ACL with Nomad Workload Identities](/nomad/tutorials/integrate-consul/consul-acl) -- [Use Consul to automatically cluster Nomad nodes](/nomad/tutorials/manage-clusters/clustering#use-consul-to-automatically-cluster-nodes) - -## Nomad documentation - -[Nomad Consul Service Integration](/nomad/docs/integrations/consul/service-mesh) enables Nomad users to automatically register services to Consul and deploy sidecar proxies alongside their services. The following resources are available in the Nomad documentation to help you define Consul jobs: - -- [consul Block specification](/nomad/docs/job-specification/consul) -- [connect Block specification](/nomad/docs/job-specification/connect) -- [check Block specification](/nomad/docs/job-specification/check) -- [check_restart Block specification](/nomad/docs/job-specification/check_restart) -- [gateway Block specification](/nomad/docs/job-specification/gateway) -- [identity Block specification](/nomad/docs/job-specification/identity) -- [proxy Block specification](/nomad/docs/job-specification/proxy) -- [service Block specification](/nomad/docs/job-specification/service) -- [sidecar_service Block specification](/nomad/docs/job-specification/sidecar_service) -- [sidecar_task Block specification](/nomad/docs/job-specification/sidecar_task) -- [upstreams Block specification](/nomad/docs/job-specification/upstreams) \ No newline at end of file diff --git a/website/content/docs/connect/gateways/api-gateway/define-routes/routes-k8s.mdx b/website/content/docs/north-south/api-gateway/define-route/k8s/index.mdx similarity index 68% rename from website/content/docs/connect/gateways/api-gateway/define-routes/routes-k8s.mdx rename to website/content/docs/north-south/api-gateway/define-route/k8s/index.mdx index 13413e82bd3..c774afcf084 100644 --- a/website/content/docs/connect/gateways/api-gateway/define-routes/routes-k8s.mdx +++ b/website/content/docs/north-south/api-gateway/define-route/k8s/index.mdx @@ -6,7 +6,7 @@ description: Learn how to define and attach HTTP and TCP routes to Consul API ga # Define API gateway routes on Kubernetes -This topic describes how to configure HTTP and TCP routes and attach them to Consul API gateway listeners in Kubernetes-orchestrated networks. Routes are rule-based configurations that allow external clients to send requests to services in the mesh. For information +This topic describes how to configure HTTP and TCP routes and attach them to Consul API gateway listeners in Kubernetes-orchestrated networks. Routes are rule-based configurations that allow external clients to send requests to services in the mesh. Refer to [Define API gateway routes on virtual machines](/consul/docs/north-south/api-gateway/define-route/vm) for instructions on defining routes on VMs. ## Overview @@ -19,11 +19,11 @@ Routes and the gateways they are attached to are eventually-consistent objects. ## Requirements -Verify that your environment meets the requirements specified in [Technical specifications for Kubernetes](/consul/docs/connect/gateways/api-gateway/tech-specs). +Verify that your environment meets the requirements specified in [Technical specifications for Kubernetes](/consul/docs/north-south/api-gateway/tech-specs). ### OpenShift -If your Kubernetes-orchestrated network runs on OpenShift, verify that OpenShift is enabled for your Consul installation. Refer to [OpenShift requirements](/consul/docs/connect/gateways/api-gateway/tech-specs#openshift-requirements) for additional information. +If your Kubernetes-orchestrated network runs on OpenShift, verify that OpenShift is enabled for your Consul installation. Refer to [OpenShift requirements](/consul/docs/north-south/api-gateway/tech-specs#openshift-requirements) for additional information. ## Define routes @@ -31,13 +31,13 @@ Define route configurations and bind them to listeners configured on the gateway 1. Create a configuration file and specify the following fields: - - `apiVersion`: Specifies the Kubernetes API gateway version. This must be set to `gateway.networking.k8s.io/v1beta1` - - `kind`: Set to `HTTPRoute` or `TCPRoute`. - - `metadata.name`: Specify a name for the route. The name is metadata that you can use to reference the configuration when performing Consul operations. - - `spec.parentRefs.name`: Specifies a list of API gateways that the route binds to. - - `spec. rules`: Specifies a list of routing rules for constructing a routing table that maps listeners to services. + - `apiVersion`: Specifies the Kuberenetes API gateway version. This must be set to `gateway.networking.k8s.io/v1beta1` + - `kind`: Set to `HTTPRoute` or `TCPRoute`. + - `metadata.name`: Specify a name for the route. The name is metadata that you can use to reference the configuration when performing Consul operations. + - `spec.parentRefs.name`: Specifies a list of API gateways that the route binds to. + - `spec. rules`: Specifies a list of routing rules for constructing a routing table that maps listeners to services. - Refer to the [`Routes` configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/routes) for details about configuring route rules. + Refer to the [`Routes` configuration reference](/consul/docs/reference/k8s/api-gateway/routes) for details about configuring route rules. 1. Configure any additional fields necessary for your use case, such as the namespace or admin partition. 1. Save the configuration. @@ -65,4 +65,4 @@ Apply the configuration to your cluster using the `kubectl` command. The followi ```shell-session $ kubectl apply -f my-route.yaml -n consul -``` +``` \ No newline at end of file diff --git a/website/content/docs/connect/gateways/api-gateway/define-routes/route-to-peered-services.mdx b/website/content/docs/north-south/api-gateway/define-route/k8s/peer.mdx similarity index 64% rename from website/content/docs/connect/gateways/api-gateway/define-routes/route-to-peered-services.mdx rename to website/content/docs/north-south/api-gateway/define-route/k8s/peer.mdx index 414ce45f535..02fbb4a5aa9 100644 --- a/website/content/docs/connect/gateways/api-gateway/define-routes/route-to-peered-services.mdx +++ b/website/content/docs/north-south/api-gateway/define-route/k8s/peer.mdx @@ -1,27 +1,27 @@ --- -page_title: Route Traffic to Peered Services -description: Learn how to configure Consul API Gateway to route traffic to services connected to the mesh through a peering connection. +page_title: Route traffic to peered services +description: Learn how to configure Consul API gateway to route traffic to services connected to the mesh through a peering connection. --- -# Route Traffic to Peered Services +# Route traffic to peered services -This topic describes how to configure Consul API Gateway to route traffic to services connected to the mesh through a cluster peering connection. +This topic describes how to configure Consul API gateway to route traffic to services connected to the mesh through a cluster peering connection. These instructions apply to API gateways running in Kubernetes. ## Requirements - Consul v1.14 or later -- Verify that the [requirements](/consul/docs/api-gateway/tech-specs) have been met. -- Verify that the Consul API Gateway CRDs and controller have been installed and applied. Refer to [Installation](/consul/docs/connect/gateways/api-gateway/deploy/install-k8s) for details. -- A peering connection must already be established between Consul clusters. Refer to [Cluster Peering on Kubernetes](/consul/docs/k8s/connect/cluster-peering/tech-specs) for instructions. -- The Consul service that you want to route traffic to must be exported to the cluster containing your `Gateway`. Refer to [Cluster Peering on Kubernetes](/consul/docs/k8s/connect/cluster-peering/tech-specs) for instructions. -- A `ServiceResolver` for the Consul service you want to route traffic to must be created in the cluster that contains your `Gateway`. Refer to [Service Resolver Configuration Entry](/consul/docs/connect/config-entries/service-resolver) for instructions. +- Verify that the [requirements](/consul/docs/north-south/api-gateway/tech-specs) have been met. +- Verify that the Consul API Gateway CRDs and controller have been installed and applied. Refer to [Install API gateway on Kubernetes](/consul/docs/north-south/api-gateway/install) for details. +- A peering connection must already be established between Consul clusters. Refer to [Cluster Peering on Kubernetes](/consul/docs/east-west/cluster-peering/tech-specs) for instructions. +- The Consul service that you want to route traffic to must be exported to the cluster containing your `Gateway`. Refer to [Cluster Peering on Kubernetes](/consul/docs/east-west/cluster-peering/tech-specs) for instructions. +- A `ServiceResolver` for the Consul service you want to route traffic to must be created in the cluster that contains your `Gateway`. Refer to [Service resolver configuration reference](/consul/docs/reference/config-entry/service-resolver) for instructions. ## Configuration -Specify the following fields in your `MeshService` configuration to use this feature. Refer to the [MeshService configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/meshservice) for details about the parameters. +Specify the following fields in your `MeshService` configuration to use this feature. Refer to the [MeshService configuration reference](/consul/docs/reference/k8s/api-gateway/meshservice) for details about the parameters. -- [`name`](/consul/docs/connect/gateways/api-gateway/configuration/meshservice#name) -- [`peer`](/consul/docs/connect/gateways/api-gateway/configuration/meshservice#peer) +- [`name`](/consul/docs/reference/k8s/api-gateway/meshservice#name) +- [`peer`](/consul/docs/reference/k8s/api-gateway/meshservice#peer) ## Example @@ -73,4 +73,4 @@ spec: port: 3000 ... ``` - + \ No newline at end of file diff --git a/website/content/docs/north-south/api-gateway/define-route/k8s/reroute.mdx b/website/content/docs/north-south/api-gateway/define-route/k8s/reroute.mdx new file mode 100644 index 00000000000..d1897dfb9ca --- /dev/null +++ b/website/content/docs/north-south/api-gateway/define-route/k8s/reroute.mdx @@ -0,0 +1,58 @@ +--- +layout: docs +page_title: Reroute HTTP requests +description: >- + Learn how to reroute HTTP requests through an API gateway to a specific path in Kubernetes. +--- + +# Reroute HTTP requests + +This topic describes how to configure routes attached to API gateways so that they filter HTTP requests and reroute the traffic to specific destinations. These instructions apply to service meshes running on Kubernetes. + +## Requirements + +1. Verify that the [requirements](/consul/docs/north-south/api-gateway/tech-specs) have been met. +1. Verify that the Consul API Gateway CRDs and controller have been installed and applied. Refer to [Installation](/consul/docs/north-south/api-gateway/install) for details. + +## Configuration + +Specify the following fields in your `Route` configuration. Refer to the [Route configuration reference](/consul/docs/reference/k8s/api-gateway/routes) for details about the parameters. + +- [`rules.filters.type`](/consul/docs/reference/k8s/api-gateway/routes#rules-filters-type): Set this parameter to `URLRewrite` to instruct Consul API Gateway to rewrite the URL when specific conditions are met. +- [`rules.filters.urlRewrite`](/consul/docs/reference/k8s/api-gateway/routes#rules-filters-urlrewrite): Specify the `path` configuration. +- [`rules.filters.urlRewrite.path`](/consul/docs/reference/k8s/api-gateway/routes#rules-filters-urlrewrite-path): Contains the paths that incoming requests should be rewritten to based on the match conditions. + +To configure the route to accept paths with or without a trailing slash, you must make two separate routes to handle each case. + +### Example + +In the following example, requests to` /incoming-request-prefix/` are forwarded to the `backendRef` as `/prefix-backend-receives/`. As a result, requests to `/incoming-request-prefix/request-path` are received by `backendRef` as `/prefix-backend-receives/request-path`. + + + +```yaml hideClipboard +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: example-route + ##... +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: api-gateway + rules: + - backendRefs: + . . . + filters: + - type: URLRewrite + urlRewrite: + path: + replacePrefixMatch: /prefix-backend-receives/ + type: ReplacePrefixMatch + matches: + - path: + type: PathPrefix + value: /incoming–request-prefix/ +``` + \ No newline at end of file diff --git a/website/content/docs/connect/gateways/api-gateway/define-routes/routes-vms.mdx b/website/content/docs/north-south/api-gateway/define-route/vm.mdx similarity index 79% rename from website/content/docs/connect/gateways/api-gateway/define-routes/routes-vms.mdx rename to website/content/docs/north-south/api-gateway/define-route/vm.mdx index 5fe459d2062..cefbd11bc9e 100644 --- a/website/content/docs/connect/gateways/api-gateway/define-routes/routes-vms.mdx +++ b/website/content/docs/north-south/api-gateway/define-route/vm.mdx @@ -1,18 +1,18 @@ --- layout: docs page_title: Define API gateway routes on virtual machines -description: Learn how to define and attach HTTP and TCP routes to Consul API gateway listeners so that requests from external clients can reach services in the mesh. +description: Learn how to define and attach HTTP and TCP routes to Consul API gateway listeners so that requests from external clients can reach services in the mesh. --- # Define API gateway routes on virtual machines -This topic describes how to configure HTTP and TCP routes and attach them to Consul API gateway listeners. Routes are rule-based configurations that allow external clients to send requests to services in the mesh. +This topic describes how to configure HTTP and TCP routes and attach them to Consul API gateway listeners. Routes are rule-based configurations that allow external clients to send requests to services in the mesh. ## Overview The following steps describe the general workflow for defining and deploying routes: -1. Define routes in an HTTP or TCP configuration entry. The configuration entry includes rules for routing requests, target services in the mesh for the traffic, and the name of the gateway to attach to. +1. Define routes in an HTTP or TCP configuration entry. The configuration entry includes rules for routing requests, target services in the mesh for the traffic, and the name of the gateway to attach to. 1. Deploy the configuration entry to create the routes and attach them to the gateway. Routes and the gateways they are attached to are eventually-consistent objects. They provide feedback about their current state through a series of status conditions. As a result, you must manually check the route status to determine if the route is bound to the gateway successfully. @@ -22,7 +22,7 @@ Routes and the gateways they are attached to are eventually-consistent objects. The following requirements must be satisfied to use API gateways on VMs: - Consul 1.15 or later -- A Consul cluster with service mesh enabled. Refer to [`connect`](/consul/docs/agent/config/config-files#connect) +- A Consul cluster with service mesh enabled. Refer to [`connect`](/consul/docs/reference/agent#connect) - Network connectivity between the machine deploying the API Gateway and a Consul cluster agent or server ### ACL requirements @@ -33,7 +33,7 @@ configure Consul and deploy API gateway routes: - `mesh: read` - `mesh: write` -Refer [Mesh Rules](/consul/docs/security/acl/acl-rules#mesh-rules) for +Refer the [ACL configuration reference](/consul/docs/reference/acl) for additional information about configuring policies that enable you to interact with Consul API gateway configurations. @@ -42,15 +42,15 @@ with Consul API gateway configurations. Define route configurations and bind them to listeners configured on the gateway so that Consul can route incoming requests to services in the mesh. 1. Create a route configuration entry file and specify the following settings: - - `Kind`: Set to `http` or `tcp`. - - `Name`: Specify a name for the route. The name is metadata that you can use to reference the configuration when performing Consul operations. - - `Parents`: Specifies a list of API gateways that the route binds to. - - `Rules`: If you are configuring HTTP routes, define a list of routing rules for constructing a routing table that maps listeners to services. Each member of the list is a map that may containing the following fields: - - `Filters` - - `Matches` - - `Services` - - Refer to the [HTTP route configuration entry](/consul/docs/connect/config-entries/http-route) and [TCP route configuration entry](/consul/docs/connect/config-entries/tcp-route) reference for details about configuring routes. + - `Kind`: Set to `http` or `tcp`. + - `Name`: Specify a name for the route. The name is metadata that you can use to reference the configuration when performing Consul operations. + - `Parents`: Specifies a list of API gateways that the route binds to. + - `Rules`: If you are configuring HTTP routes, define a list of routing rules for constructing a routing table that maps listeners to services. Each member of the list is a map that may containing the following fields: + - `Filters` + - `Matches` + - `Services` + + Refer to the [HTTP route configuration entry](/consul/docs/reference/config-entry/http-route) and [TCP route configuration entry](/consul/docs/reference/config-entry/tcp-route) reference for details about configuring routes. 1. Configure any additional fields necessary for your use case, such as the namespace or admin partition. 1. Save the configuration. diff --git a/website/content/docs/connect/gateways/api-gateway/deploy/listeners-k8s.mdx b/website/content/docs/north-south/api-gateway/deploy-listener/k8s.mdx similarity index 61% rename from website/content/docs/connect/gateways/api-gateway/deploy/listeners-k8s.mdx rename to website/content/docs/north-south/api-gateway/deploy-listener/k8s.mdx index 7ce6ed9c500..44e9c496b63 100644 --- a/website/content/docs/connect/gateways/api-gateway/deploy/listeners-k8s.mdx +++ b/website/content/docs/north-south/api-gateway/deploy-listener/k8s.mdx @@ -1,32 +1,31 @@ --- layout: docs page_title: Deploy API gateway listeners in Kubernetes -description: >- - Learn how to create API gateway configurations in Kubernetes that enable you to instantiate gateway instances. +description: Learn how to create API gateway configurations in Kubernetes that enable you to instantiate gateway instances. --- # Deploy API gateway listeners in Kubernetes -This topic describes how to deploy Consul API gateway listeners to Kubernetes-orchestrated environments. If you want to implement API gateway listeners on VMs, refer to [Deploy API gateway listeners to virtual machines](/consul/docs/connect/gateways/api-gateway/deploy/listeners-vms). +This topic describes how to deploy Consul API gateway listeners to Kubernetes-orchestrated environments. If you want to implement API gateway listeners on VMs, refer to [Deploy API gateway listeners to virtual machines](/consul/docs/north-south/api-gateway/deploy-listener/vms). ## Overview -API gateways have one or more listeners that serve as ingress points for requests to services in a Consul service mesh. Create an [API gateway configuration](/consul/docs/connect/gateways/api-gateway/configuration/gateway) and define listeners that expose ports on the endpoint for ingress. Apply the configuration to direct Kubernetes to start API gateway services. +API gateways have one or more listeners that serve as ingress points for requests to services in a Consul service mesh. Create an [API gateway configuration](/consul/docs/reference/k8s/api-gateway/gateway) and define listeners that expose ports on the endpoint for ingress. Apply the configuration to direct Kubernetes to start API gateway services. ### Routes -After deploying the gateway, attach HTTP or TCP [routes](/consul/docs/connect/gateways/api-gateway/configuration/routes) to listeners defined in the gateway to control how requests route to services in the network. +After deploying the gateway, attach HTTP or TCP [routes](/consul/docs/references/k8s/api-gateway/routes) to listeners defined in the gateway to control how requests route to services in the network. ### Intentions -Configure Consul intentions to allow or prevent traffic between gateway listeners and services in the mesh. Refer to [Service intentions](/consul/docs/connect/intentions) for additional information. +Configure Consul intentions to allow or prevent traffic between gateway listeners and services in the mesh. Refer to [Service intentions](/consul/docs/secure-mesh/intentions) for additional information. ## Requirements -1. Verify that your environment meets the requirements specified in [Technical specifications for Kubernetes](/consul/docs/connect/gateways/api-gateway/tech-specs). -1. Verify that the Consul API Gateway CRDs were applied. Refer to [Installation](/consul/docs/connect/gateways/api-gateway/install-k8s) for details. -1. If your Kubernetes-orchestrated network runs on OpenShift, verify that OpenShift is enabled for your Consul installation. Refer to [OpenShift requirements](/consul/docs/connect/gateways/api-gateway/tech-specs#openshift-requirements) for additional information. +1. Verify that your environment meets the requirements specified in [Technical specifications for Kubernetes](/consul/docs/north-south/api-gateway/tech-specs). +1. Verify that the Consul API Gateway CRDs were applied. Refer to [Installation](/consul/docs/north-south/api-gateway/install) for details. +1. If your Kubernetes-orchestrated network runs on OpenShift, verify that OpenShift is enabled for your Consul installation. Refer to [OpenShift requirements](/consul/docs/north-south/api-gateway/tech-specs#openshift-requirements) for additional information. ## Define the gateway and listeners @@ -34,15 +33,15 @@ Create an API gateway values file that defines the gateway and listeners. 1. Specify the following fields: - `apiVersion`: Specifies the Kubernetes gateway API version. Must be `gateway.networking.k8s.io/v1beta1`. - - `kind`: Specifies the type of configuration entry to implement. This must be `Gateway`. + - `kind`: Specifies the type of configuration entry to implement. This must be `Gateway`. - `metadata.name`: Specify a name for the gateway configuration. The name is metadata that you can use to reference the configuration when performing Consul operations. - - `spec.gatewayClassName`: Specify the name of a `gatewayClass` configuration. Gateway classes are template-like resources in Kubernetes for instantiating gateway services. Specify `consul` to use the default gateway class shipped with Consul. Refer to the [GatewayClass configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/gatewayclass) for additional information. + - `spec.gatewayClassName`: Specify the name of a `gatewayClass` configuration. Gateway classes are template-like resources in Kubernetes for instantiating gateway services. Specify `consul` to use the default gateway class shipped with Consul. Refer to the [GatewayClass configuration reference](/consul/docs/reference/k8s/api-gateway/gatewayclass) for additional information. - `spec.listeners`: Specify a list of listener configurations. Each listener is map containing the following fields: - - `port`: Specifies the port that the listener receives traffic on. - - `name`: Specifies a unique name for the listener. - - `protocol`: You can set either `tcp` or `http` - - `allowedRoutes.namespaces`: Contains configurations for determining which namespaces are allowed to attach a route to the listener. -1. Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the [API gateway configuration entry reference](/consul/docs/connect/gateways/api-gateway/configuration/gateway) for additional information. + - `port`: Specifies the port that the listener receives traffic on. + - `name`: Specifies a unique name for the listener. + - `protocol`: You can set either `tcp` or `http` + - `allowedRoutes.namespaces`: Contains configurations for determining which namespaces are allowed to attach a route to the listener. +1. Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the [API gateway configuration entry reference](/consul/docs/reference/k8s/api-gateway/gateway) for additional information. 1. Save the configuration. In the following example, the API gateway specifies an HTTP listener on port `80`: diff --git a/website/content/docs/connect/gateways/api-gateway/deploy/listeners-vms.mdx b/website/content/docs/north-south/api-gateway/deploy-listener/vm.mdx similarity index 67% rename from website/content/docs/connect/gateways/api-gateway/deploy/listeners-vms.mdx rename to website/content/docs/north-south/api-gateway/deploy-listener/vm.mdx index 1a868ca8570..e236f67c98a 100644 --- a/website/content/docs/connect/gateways/api-gateway/deploy/listeners-vms.mdx +++ b/website/content/docs/north-south/api-gateway/deploy-listener/vm.mdx @@ -6,11 +6,11 @@ description: Learn how to configure and Consul API gateways and gateway listener # Deploy API gateway listeners to virtual machines -This topic describes how to deploy Consul API gateway listeners to networks that operate in virtual machine (VM) environments. If you want to implement API gateway listeners in a Kubernetes environment, refer to [Deploy API gateway listeners to Kubernetes](/consul/docs/connect/gateways/api-gateway/deploy/listeners-k8s). +This topic describes how to deploy Consul API gateway listeners to networks that operate in virtual machine (VM) environments. If you want to implement API gateway listeners in a Kubernetes environment, refer to [Deploy API gateway listeners to Kubernetes](/consul/docs/north-south/api-gateway/deploy-listener/k8s). ## Overview -API gateways have one or more listeners that serve as ingress points for requests to services in a Consul service mesh. Create an [API gateway configuration entry](/consul/docs/connect/config-entries/api-gateway) and define listeners that expose ports on the endpoint for ingress. +API gateways have one or more listeners that serve as ingress points for requests to services in a Consul service mesh. Create an [API gateway configuration entry](/consul/docs/reference/config-entry/api-gateway) and define listeners that expose ports on the endpoint for ingress. The following steps describe the general workflow for deploying a Consul API gateway to a VM environment: @@ -19,18 +19,18 @@ The following steps describe the general workflow for deploying a Consul API gat ### Encryption -To encrypt traffic between the external client and the service that the API gateway routes traffic to, define an inline certificate configuration and attach it to your listeners. Refer to [Encrypt API gateway traffic on virtual machines](/consul/docs/connect/gateways/api-gateway/secure-traffic/encrypt-vms) for additional information. +To encrypt traffic between the external client and the service that the API gateway routes traffic to, define an inline certificate configuration and attach it to your listeners. Refer to [Encrypt API gateway traffic on virtual machines](/consul/docs/north-south/api-gateway/secure-traffic/encrypt) for additional information. ### Routes -After deploying the gateway, attach [HTTP](/consul/docs/connect/config-entries/http-route) routes and [TCP](/consul/docs/connect/config-entries/tcp-route) routes to listeners defined in the gateway to control how requests route to services in the network. Refer to [Define API gateway routes on VMs](/consul/docs/connect/gateways/api-gateway/define-routes/routes-vms) for additional information. +After deploying the gateway, attach [HTTP](/consul/docs/reference/config-entry/http-route) routes and [TCP](/consul/docs/reference/config-entry/tcp-route) routes to listeners defined in the gateway to control how requests route to services in the network. Refer to [Define API gateway routes on VMs](/consul/docs/north-south/api-gateway/define-route/vm) for additional information. ## Requirements The following requirements must be satisfied to use API gateways on VMs: - Consul 1.15 or later -- A Consul cluster with service mesh enabled. Refer to [`connect`](/consul/docs/agent/config/config-files#connect) +- A Consul cluster with service mesh enabled. Refer to [`connect`](/consul/docs/reference/agent#connect) - Network connectivity between the machine deploying the API Gateway and a Consul cluster agent or server @@ -42,7 +42,7 @@ configure Consul and deploy API gateways: - `mesh: read` - `mesh: write` -Refer to [Mesh Rules](/consul/docs/security/acl/acl-rules#mesh-rules) for +Refer to the [ACL configuration reference](/consul/docs/reference/acl) for additional information about configuring policies that enable you to interact with Consul API gateway configurations. @@ -52,16 +52,16 @@ Create an API gateway configuration entry that defines listeners and TLS certifi in the mesh. 1. Specify the following fields: - - `Kind`: Specifies the type of configuration entry to implement. This must be `api-gateway`. - - `Name`: Specify a name for the gateway configuration. The name is metadata that you can use to reference the configuration entry when performing Consul operations. - - `Listeners`: Specify a list of listener configurations. Each listener is map containing the following fields: - - `Port`: Specifies the port that the listener receives traffic on. - - `Name`: Specifies a unique name for the listener. - - `Protocol`: You can set either `tcp` or `http` - - `TLS`: Defines TLS encryption configurations for the listener. - - Refer to the [API gateway configuration entry reference](/consul/docs/connect/config-entries/api-gateway) for details on how to define fields in the `Listeners` block. -1. Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the [API gateway configuration entry reference](/consul/docs/connect/config-entries/api-gateway) for additional information. + - `Kind`: Specifies the type of configuration entry to implement. This must be `api-gateway`. + - `Name`: Specify a name for the gateway configuration. The name is metadata that you can use to reference the configuration entry when performing Consul operations. + - `Listeners`: Specify a list of listener configurations. Each listener is map containing the following fields: + - `Port`: Specifies the port that the listener receives traffic on. + - `Name`: Specifies a unique name for the listener. + - `Protocol`: You can set either `tcp` or `http` + - `TLS`: Defines TLS encryption configurations for the listener. + + Refer to the [API gateway configuration entry reference](/consul/docs/reference/config-entry/api-gateway) for details on how to define fields in the `Listeners` block. +1. Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the [API gateway configuration entry reference](/consul/docs/reference/config-entry/api-gateway) for additional information. 1. Save the configuration. In the following example, the API gateway specifies an HTTP listener on port `8443`. It also requires an inline-certificate configuration entry named `my-certificate` that contains a valid certificate and private key pair: @@ -88,7 +88,7 @@ Listeners = [ ] ``` -Refer to [API Gateway Configuration Reference](/consul/docs/connect/gateways/api-gateway/configuration/api-gateway) for +Refer to [API gateway configuration reference](/consul/docs/reference/config-entry/api-gateway) for information about all configuration fields. Gateways and routes are eventually-consistent objects that provide feedback @@ -110,4 +110,4 @@ Run the following command to deploy an API gateway instance: $ consul connect envoy -gateway api -register -service my-api-gateway ``` -The command directs Consul to configure Envoy as an API gateway. Gateways and routes are eventually-consistent objects that provide feedback about their current state through a series of status conditions. As a result, you must manually check the route status to determine if the route successfully bound to the gateway successfully. +The command directs Consul to configure Envoy as an API gateway. Gateways and routes are eventually-consistent objects that provide feedback about their current state through a series of status conditions. As a result, you must manually check the route status to determine if the route successfully bound to the gateway successfully. \ No newline at end of file diff --git a/website/content/docs/north-south/api-gateway/enable/k8s.mdx b/website/content/docs/north-south/api-gateway/enable/k8s.mdx new file mode 100644 index 00000000000..8f1d9659587 --- /dev/null +++ b/website/content/docs/north-south/api-gateway/enable/k8s.mdx @@ -0,0 +1,83 @@ +--- +layout: docs +page_title: Enable API Gateway for Kubernetes +description: >- + Learn how to install custom resource definitions (CRDs) and configure the Helm chart so that you can run Consul API Gateway on your Kubernetes deployment. +--- + +# Enable API gateway for Kubernetes + +The Consul API gateway ships with Consul and is automatically installed when you install Consul on Kubernetes. Before you begin the installation process, verify that the environment you are deploying Consul and the API gateway in meets the requirements listed in the [Technical Specifications](/consul/docs/north-south/api-gateway/tech-specs). Refer to the [Release Notes](/consul/docs/release-notes) for any additional information about the version you are deploying. + +1. Create a `values.yaml` file for configuring your Consul API gateway deployment and include the following settings: + + + + ```yaml + global: + name: consul + connectInject: + enabled: true + apiGateway: + manageExternalCRDs: true + ``` + + + +The Consul Helm chart deploys the API gateway using the configuration specified in the `values.yaml` file. Refer to [Helm Chart Configuration - `connectInject.apiGateway`](/consul/docs/reference/reference/k8s/helm#apigateway) for information about the Helm chart configuration options. + +1. If you are installing Consul on an OpenShift Kubernetes cluster, you must include the `global.openShift.enabled` parameter and set it to `true`: + + + + ```yaml + global: + openshift: + enabled: true + ``` + + + + Refer to [OpenShift requirements](/consul/docs/connect/gateways/api-gateway/tech-specs#openshift-requirements) for additional information. + +1. Install Consul API Gateway using the standard Consul Helm chart or Consul K8s CLI specify the custom values file. Refer to the [Consul Helm chart](https://github.com/hashicorp/consul-k8s/releases) in GitHub releases for the available versions. + + + + +Refer to the official [Consul K8S CLI documentation](/consul/docs/reference-cli/consul-k8s) to find additional settings. + +```shell-session +$ brew tap hashicorp/tap +``` + +```shell-session +$ brew install hashicorp/tap/consul-k8s +``` + +```shell-session +$ consul-k8s install -config-file=values.yaml -set global.image=hashicorp/consul:1.16.0 +``` + + + + +Add the HashiCorp Helm repository. + +```shell-session +$ helm repo add hashicorp https://helm.releases.hashicorp.com +``` +Install Consul with API Gateway on your Kubernetes cluster by specifying the `values.yaml` file. + +```shell-session +$ helm install consul hashicorp/consul --version 1.2.0 --values values.yaml --create-namespace --namespace consul +``` + + + + +[tech-specs]: /consul/docs/api-gateway/tech-specs +[rel-notes]: /consul/docs/release-notes \ No newline at end of file diff --git a/website/content/docs/connect/gateways/api-gateway/index.mdx b/website/content/docs/north-south/api-gateway/index.mdx similarity index 51% rename from website/content/docs/connect/gateways/api-gateway/index.mdx rename to website/content/docs/north-south/api-gateway/index.mdx index c6202d898b0..9066ab189c3 100644 --- a/website/content/docs/connect/gateways/api-gateway/index.mdx +++ b/website/content/docs/north-south/api-gateway/index.mdx @@ -6,7 +6,11 @@ description: API gateways provide an ingress point for service mesh traffic. Lea # API gateways overview -This topic provides overview information about API gateways in Consul. API gateways enable external network clients to access applications and services running in a Consul datacenter. Consul API gateways can also forward requests from clients to specific destinations based on path or request protocol. +This topic provides overview information about API gateways in Consul. + +## Introduction + +API gateways enable external network clients to access applications and services running in a Consul datacenter. Consul API gateways can also forward requests from clients to specific destinations based on path or request protocol. Systems that access services in the mesh may be internal or external to your organizational network. _North-south traffic_ is a common term to describe this type of network traffic. ## API gateway use cases @@ -17,7 +21,7 @@ API gateways solve the following primary use cases: ## Workflows -You can deploy API gateways to networks that implement a variety of computing environments: +You can deploy API gateways to networks that implement a variety of computing environments: - Services hosted on VMs - Kubernetes-orchestrated service containers @@ -25,16 +29,15 @@ You can deploy API gateways to networks that implement a variety of computing en The following steps describe the general workflow for deploying a Consul API gateways: -1. For Kubernetes-orchestrated services, install Consul on your cluster. For Kubernetes-orchestrated services on OpenShift, you must also enable the `openShift.enabled` parameter. Refer to [Install Consul on Kubernetes](/consul/docs/connect/gateways/api-gateway/install-k8s) for additional information. -1. Define and deploy the API gateway configurations to create the API gateway artifacts. For VM-hosted services, create configuration entries for the gateway service, listeners configurations, and TLS certificates. For Kubernetes-orchestrated services, configurations also include `GatewayClassConfig` and `parametersRef`. All Consul API Gateways created in Kubernetes with the `consul-k8s` Helm chart v1.5.0 or later use file system certificates when TLS is enabled. - -1. Define and deploy routes between the gateway listeners and services in the mesh. +1. For Kubernetes-orchestrated services, install Consul on your cluster. For Kubernetes-orchestrated services on OpenShift, you must also enable the `openShift.enabled` parameter. Refer to [Install Consul on Kubernetes](/consul/docs/north-south/api-gateway/install) for additional information. +1. Define and deploy the API gateway configurations to create the API gateway artifacts. For VM-hosted services, create configuration entries for the gateway service, listeners configurations, and references to TLS certificates. For Kubernetes-orchestrated, configurations also include `GatewayClassConfig`s and `parametersRef`s. +1. Define and deploy routes between the gateway listeners and services in the mesh. Gateway configurations are modular, so you can define and attach routes and inline certificates to multiple gateways. ## Technical specifications -Refer to [Technical specifications for API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/tech-specs) for additional details and considerations about using API gateways in Kubernetes-orchestrated networks. +Refer to [Technical specifications for API gateways on Kubernetes](/consul/docs/north-south/api-gateway/tech-specs) for additional details and considerations about using API gateways in Kubernetes-orchestrated networks. ## Guidance @@ -46,17 +49,20 @@ Refer to the following resources for help setting up and using API gateways: ### Usage documentation -- [Deploy API gateway listeners to VMs](/consul/docs/connect/gateways/api-gateway/deploy/listeners-vms) -- [Deploy API gateway listeners to Kubernetes](/consul/docs/connect/gateways/api-gateway/deploy/listeners-k8s) -- [Deploy API gateway routes to VMs](/consul/docs/connect/gateways/api-gateway/define-routes/routes-vms) -- [Deploy API gateway routes to Kubernetes](/consul/docs/connect/gateways/api-gateway/define-routes/routes-k8s) -- [Reroute HTTP requests in Kubernetes](/consul/docs/connect/gateways/api-gateway/define-routes/reroute-http-requests) -- [Route traffic to peered services in Kubernetes](/consul/docs/connect/gateways/api-gateway/define-routes/route-to-peered-services) -- [Encrypt API gateway traffic on VMs](/consul/docs/connect/gateways/api-gateway/secure-traffic/encrypt-vms) -- [Use JWTs to verify requests to API gateways on VMs](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) -- [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) +- [Deploy API gateway listeners to VMs](/consul/docs/north-south/api-gateway/deploy-listener/vm) +- [Deploy API gateway listeners to Kubernetes](/consul/docs/north-south/api-gateway/deploy-listener/k8s) +- [Deploy API gateway routes to VMs](/consul/docs/north-south/api-gateway/define-route/vm) +- [Deploy API gateway routes to Kubernetes](/consul/docs/north-south/api-gateway/define-route/k8s) +- [Reroute HTTP requests in Kubernetes](/consul/docs/north-south/api-gateway/define-route/k8s-reroute-traffic) +- [Route traffic to peered services in Kubernetes](/consul/docs/north-south/api-gateway/define-route/k8s-route-peered) +- [Encrypt API gateway traffic on VMs](/consul/docs/north-south/api-gateway/secure-traffic/vm-encrypt) +- [Use JWTs to verify requests to API gateways on VMs](/consul/docs/north-south/api-gateway/secure-traffic/vm-jwt) +- [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/north-south/api-gateway/secure-traffic/k8s-jwt) ### Reference -- [API gateway configuration reference overview](/consul/docs/connect/gateways/api-gateway/configuration/) -- [Error messages](/consul/docs/connect/gateways/api-gateway/errors) +- [API gateway configuration reference for Kubernetes](/consul/docs/reference/k8s/api-gateway/) +- [API gateway configuration entry reference](/consul/docs/reference/config-entry/api-gateway) +- [HTTP route configuration entry reference](/consul/docs/reference/config-entry/http-route) +- [TCP route configuration entry reference](/consul/docs/reference/config-entry/tcp-route) +- [Error messages](/consul/docs/common-error-messages/api-gateway) diff --git a/website/content/docs/north-south/api-gateway/secure-traffic/encrypt/index.mdx b/website/content/docs/north-south/api-gateway/secure-traffic/encrypt/index.mdx new file mode 100644 index 00000000000..24b1eabd52f --- /dev/null +++ b/website/content/docs/north-south/api-gateway/secure-traffic/encrypt/index.mdx @@ -0,0 +1,66 @@ +--- +layout: docs +page_title: Encrypt API gateway traffic on virtual machines +description: Learn how to define inline certificate config entries and deploy them to Consul. Inline certificate configuration entries enable you to attach TLS certificates and keys to gateway listeners so that traffic between external clients and gateway listeners is encrypted. +--- + +# Encrypt API gateway traffic on virtual machines + +This topic describes how to make TLS certificates available to API gateways so that requests between the user and the gateway endpoint are encrypted. + +## Requirements + +- Consul 1.15 or later +- You must have a certificate and key from your CA +- A Consul cluster with service mesh enabled. Refer to [`connect`](/consul/docs/reference/agent#connect) +- Network connectivity between the machine deploying the API gateway and a + Consul cluster agent or server + +### ACL requirements + +If ACLs are enabled, you must present a token with the following permissions to +configure Consul and deploy API gateways: + +- `mesh: read` +- `mesh: write` + +Refer the [ACL configuration reference](/consul/docs/reference/acl) for +additional information about configuring policies that enable you to interact +with Consul API gateway configurations. + +## Define TLS certificates + +1. Create an [`inline-certificate` configuration entry](/consul/docs/reference/config-entry/inline-certificate) and specify the following fields: + - `Kind`: Specifies the type of configuration entry. This must be set to `inline-certificate`. + - `Name`: Specify the name in the [API gateway listener configuration](/consul/docs/reference/config-entry/api-gateway#listeners) to bind the certificate to that listener. + - `Certificate`: Specifies the inline public certificate to use for TLS as plain text. + - `PrivateKey`: Specifies the inline private key to use for TLS as plain text. +1. Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the [`inline-certificate` configuration entry](/consul/docs/reference/config-entry/inline-certificate) reference for additional information. +1. Save the configuration. + +The following example defines a certificate named `my-certificate`. API gateway configurations that specify `inline-certificate` in the `Certificate.Kind` field and `my-certificate` in the `Certificate.Name` field are able to use the certificate. + +```hcl +Kind = "inline-certificate" +Name = "my-certificate" + +Certificate = < This feature is available in Consul Enterprise. + +## Overview + +You can configure API gateways to use JWTs to verify incoming requests so that you can stop unverified traffic at the gateway. You can configure JWT verification at different levels: + +- Listener defaults: Define basic defaults that apply to all routes attached to a listener. +- HTTP route-specific settings: You can define JWT authentication settings for specific HTTP routes. Route-specific JWT settings override default listener configurations. +- Listener overrides: Define override settings that take precedence over default and route-specific configurations. This enables you to set enforceable policies for listeners. + + +Complete the following steps to use JWTs to verify requests: + +1. Define a policy that specifies default and override settings for API gateway listeners and attach it to the gateway. +1. Define an HTTP route auth filter that specifies route-specific JWT verification settings. +1. Attach the auth filter to the HTTP route values file. +1. Apply the configurations. + + +## Requirements + +- Consul v1.17+ +- Consul on Kubernetes CLI or Helm chart v1.3.0+ +- JWT details, such as claims and provider + +## Define override and default settings + +Create a `GatewayPolicy` values file and configure the following fields to define default and override settings for JWT verification. Refer to [`GatewayPolicy` configuration reference](/consul/docs/reference/k8s/api-gateway/gatewaypolicy) for details. + +- `kind`: Must be set to `GatewayPolicy` +- `metadata.name`: Specifies a name for the policy. +- `spec.targetRef.name`: Specifies the name of the API gateway to attach the policy to. +- `spec.targetRef.kind`: Specifies the kind of resource to attach to the policy to. Must be set to `Gateway`. +- `spec.targetRef.group`: Specifies the resource group. Unless you have created a custom group, this should be set to `gateway.networking.kuberenetes.io`. +- `spec.targetRef.sectionName`: Specifies a part of the gateway that the policy applies to. +- `spec.targetRef.override.jwt.providers`: Specifies a list of providers and claims used to verify requests to the gateway. The override settings take precedence over the default and route-specific JWT verification settings. +- `spec.targetRef.default.jwt.providers`: Specifies a list of default providers and claims used to verify requests to the gateway. + +## Define an HTTP route auth filter + +Create an `RouteAuthFilter` values file and configure the following fields. Refer to [`RouteAuthFilter` configuration reference](/consul/docs/reference/k8s/api-gateway/routeauthfilter) for details. + +- `kind`: Must be set to `RouteAuthFilter` +- `metadata.name`: Specifies a name for the filter. +- `metadata.namespace`: Specifies the Consul namespace the filter applies to. +- `spec.jwt.providers`: Specifies a list of providers and claims used to verify requests to the gateway. The override settings take precedence over the default and route-specific JWT verification settings. + +## Attach the auth filter to your HTTP routes + +In the `filters` field of your HTTP route configuration, add the following fields. Refer to the [`extensionRef` configuration reference](/consul/docs/reference/k8s/api-gateway/routes#rules-filters-extensionref) for details: + +- `type: extensionRef`: Declare list of extension references. +- `extensionRef.group`: Specifies the resource group. Unless you have created a custom group, this should be set to `gateway.networking.kuberenetes.io`. +- `extensionRef.kind`: Specifies the type of extension reference to attach to the route. Must be `RouteAuthFilter` +- `extensionRef.name`: Specifies the name of the auth filter. + +## Apply the configurations + +Run the `kubectl apply` command and specify the values files to apply the configurations. The following example applies the values files stored in the `jwt-routes` directory: + +```shell-session +$ kubectl apply -f jwt-routes +``` diff --git a/website/content/docs/north-south/api-gateway/secure-traffic/jwt/vm.mdx b/website/content/docs/north-south/api-gateway/secure-traffic/jwt/vm.mdx new file mode 100644 index 00000000000..39916e782d9 --- /dev/null +++ b/website/content/docs/north-south/api-gateway/secure-traffic/jwt/vm.mdx @@ -0,0 +1,45 @@ +--- +layout: docs +page_title: Use JWTs to verify requests to API gateways on virtual machines +description: Learn how to use JSON web tokens (JWT) to verify requests from external clients to listeners on an API gateway. +--- + +# Use JWTs to verify requests to API gateways on virtual machines + +This topic describes how to use JSON web tokens (JWT) to verify requests to API gateways on virtual machines (VM). If your services are deployed to Kubernetes-orchestrated containers, refer to [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/north-south/api-gateway/secure-traffic/jwt-k8s). + + This feature is available in Consul Enterprise. + +## Overview + +You can configure API gateways to use JWTs to verify incoming requests so that you can stop unverified traffic at the gateway. You can configure JWT verification at different levels: + +- Listener defaults: Define basic defaults that apply to all routes attached to a listener. +- HTTP route-specific settings: You can define JWT authentication settings for specific HTTP routes. Route-specific JWT settings override default configurations. +- Listener overrides: Define override settings that take precedence over default and route-specific configurations. This enables you to set enforceable policies for listeners. + +Complete the following steps to use JWTs to verify requests: + +1. Configure default and override settings for listeners in the API gateway configuration entry. +1. Define route-specific JWT verification settings as filters in the HTTP route configuration entries. +1. Write the configuration entries to Consul to begin verifying requests using JWTs. + +## Requirements + +- Consul 1.17 or later +- JWT details, such as claims and provider + +## Configure default and override settings + +Define default and override settings for JWT verification in the [API gateway configuration entry](/consul/docs/reference/config-entry/api-gateway). + +1. Add a `default.JWT` block to the listener that you want to apply JWT verification to. Consul applies these configurations to routes attached to the listener. Refer to the [`Listeners.default.JWT`](/consul/docs/reference/config-entry/api-gateway#listeners-default-jwt) configuration reference for details. +1. Add an `override.JWT` block to the listener that you want to apply JWT verification policies to. Consul applies these configurations to all routes attached to the listener, regardless of the `default` or route-specific settings. Refer to the [`Listeners.override.JWT`](/consul/docs/reference/config-entry/api-gateway#listeners-override-jwt) configuration reference for details. +1. Apply the settings in the API gateway configuration entry. You can use the [`/config` API endpoint](/consul/api-docs/config#apply-configuration) or the [`consul config write` command](/consul/commands/config/write). + +## Configure verification for specific HTTP routes + +Define filters to enable route-specific JWT verification settings in the [HTTP route configuration entry](/consul/docs/reference/config-entry/http-route). + +1. Add a `JWT` configuration to the `rules.filter` block. Route-specific configurations that overlap the [default settings ](/consul/docs/reference/config-entry/api-gateway#listeners-default-jwt) in the API gateway configuration entry take precedence. Configurations defined in the [listener override settings](/consul/docs/reference/config-entry/api-gateway#listeners-override-jwt) take the highest precedence. +1. Apply the settings in the API gateway configuration entry. You can use the [`/config` API endpoint](/consul/api-docs/config#apply-configuration) or the [`consul config write` command](/consul/commands/config/write). \ No newline at end of file diff --git a/website/content/docs/connect/gateways/api-gateway/tech-specs.mdx b/website/content/docs/north-south/api-gateway/tech-specs/k8s.mdx similarity index 93% rename from website/content/docs/connect/gateways/api-gateway/tech-specs.mdx rename to website/content/docs/north-south/api-gateway/tech-specs/k8s.mdx index 9a79f75ca12..fc7dd8bf373 100644 --- a/website/content/docs/connect/gateways/api-gateway/tech-specs.mdx +++ b/website/content/docs/north-south/api-gateway/tech-specs/k8s.mdx @@ -1,8 +1,7 @@ --- layout: docs page_title: API gateway for Kubernetes technical specifications -description: >- - Learn about the requirements for installing and using the Consul API gateway for Kubernetes, including required ports, component version minimums, Consul Enterprise limitations, and compatible k8s cloud environments. +description: Learn about the requirements for installing and using the Consul API gateway for Kubernetes, including required ports, component version minimums, Consul Enterprise limitations, and compatible k8s cloud environments. --- # API gateway for Kubernetes technical specifications @@ -74,7 +73,7 @@ Refer to the [release notes](/consul/docs/release-notes) for your version of Con ## Supported Kubernetes gateway specification features -Consul API gateways for Kubernetes support a subset of the Kubernetes Gateway API specification. For a complete list of features, including the list of gateway and route statuses and an explanation on how they +Consul API gateways for Kuberentes support a subset of the Kubernetes Gateway API specification. For a complete list of features, including the list of gateway and route statuses and an explanation on how they are used, refer to the [documentation in our GitHub repo](https://github.com/hashicorp/consul-api-gateway/blob/main/dev/docs/supported-features.md): ### `GatewayClass` @@ -87,7 +86,7 @@ You must specify the `"hashicorp.com/consul-api-gateway-controller"` controller The `Gateway` resource is the core API gateway component. Gateways have one or more listeners that can route `HTTP`, `HTTPS`, or `TCP` traffic. You can define header-based hostname matching for listeners, but SNI is not supported. -You can apply filters to add, remove, and set header values on incoming requests. Gateways support the `terminate` TLS mode and `core/v1/Secret` TLS certificates. Extended option support includes TLS version and cipher constraints. Refer to [Kubernetes `Gateway` resource configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/gateway) for more information. +You can apply filters to add, remove, and set header values on incoming requests. Gateways support the `terminate` TLS mode and `core/v1/Secret` TLS certificates. Extended option support includes TLS version and cipher constraints. Refer to the [Kubernetes `Gateway` documentation](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.Gateway) for additional information. ### `HTTPRoute` @@ -121,10 +120,10 @@ Refer to the [Kubernetes `ReferenceGrant` documentation](https://gateway-api.sig ## Consul server deployments -- Consul Enterprise and the community edition are both supported. +- Consul Enterprise and the free community edition are both supported. - Supported Consul Server deployment types: - - Self-Managed - - HCP Consul Dedicated + - Self-Managed + - HCP Consul ### Consul feature support @@ -152,3 +151,5 @@ The following resources are allocated for each component of the API gateway. - **CPU**: None. Either the namespace or cluster default is allocated, depending on the Kubernetes cluster configuration. - **Memory**: None. Either the namespace or cluster default is allocated, depending on the Kubernetes cluster configuration. + + diff --git a/website/content/docs/north-south/index.mdx b/website/content/docs/north-south/index.mdx new file mode 100644 index 00000000000..f10a9bba7b4 --- /dev/null +++ b/website/content/docs/north-south/index.mdx @@ -0,0 +1,41 @@ +--- +page_title: Secure north/south access overview +description: API gateways and ingress gateways are types of service mesh proxies that you can use to securely allow systems outside the Consul service mesh to access services in the mesh. Learn how API and ingress gateways can help you enable access to services registered by Consul. +layout: docs +--- + +# Secure north/south access overview + +This topic provides an overview of the Consul components that securely allow systems outside the service mesh to access services inside the mesh. Network traffic that connects services inside the mesh to external clients or services is referred to as _north-south traffic_. + +For information about intra-mesh, or _east-west traffic_ in your service mesh, refer to [Link network segments overview](/consul/docs/link). + +## Introduction + +You can define points of ingress to the service mesh using either API gateways or ingress gateways. These gateways allow external network clients to access applications and services running in a Consul datacenter. + +API gateways forward requests from clients to specific destinations based on path or request protocol. Ingress gateways are Consul's legacy capability for ingress. We recommend using API gateways instead of ingress gateways. + +## API gateways + +API gateways enable external network clients to securely access applications and services running in a Consul datacenter. Consul API gateways can also forward requests from clients to specific destinations in the service mesh based on request's path or protocol. + +To enable an API gateway, you must configure the gateway, its listeners, and its routes. Refer to [API gateway overview](/consul/docs/north-south/api-gateway) for additional information about deploying API gateways to your Consul service mesh. + +## Ingress gateways + +Ingress gateways listen for external requests and route authorized traffic to instances in the service mesh. They provide one-way traffic from external sources to services in the mesh. If you want to enable traffic from services in the mesh to external destinations, then you must also configure a [terminating gateway](/consul/docs/register/external/terminating-gateway), which is a separate component that requires additional configuration and maintenance. + +We recommend using API gateways to enable north-south traffic instead of implementing ingress gateways and terminating gateways. + +Refer to [Ingress gateway overview](/consul/docs/north-south/ingress-gateway) for additional information about deploying ingress gateways to your Consul service mesh. + + + +Ingress gateways are deprecated. Use [Consul API gateways](/north-south/api-gateway) to secure service mesh ingress instead. + + + +## Guidance + +@include 'text/guidance/north-south.mdx' \ No newline at end of file diff --git a/website/content/docs/connect/gateways/ingress-gateway/tls-external-service.mdx b/website/content/docs/north-south/ingress-gateway/external.mdx similarity index 76% rename from website/content/docs/connect/gateways/ingress-gateway/tls-external-service.mdx rename to website/content/docs/north-south/ingress-gateway/external.mdx index d3d11676183..b0fa2d79f6a 100644 --- a/website/content/docs/connect/gateways/ingress-gateway/tls-external-service.mdx +++ b/website/content/docs/north-south/ingress-gateway/external.mdx @@ -6,7 +6,7 @@ description: Learn how to configure ingress gateways to serve TLS certificates f # Serve custom TLS certificates from an external service -This is an advanced topic that describes how to configure ingress gateways to serve TLS certificates sourced from an external service to inbound traffic using secret discovery service (SDS). SDS is a low-level feature designed for developers building integrations with custom TLS management solutions. For instructions on more common ingress gateway implementations, refer to [Implement an ingress gateway](/consul/docs/connect/gateways/ingress-gateway/usage). +This is an advanced topic that describes how to configure ingress gateways to serve TLS certificates sourced from an external service to inbound traffic using secret discovery service (SDS). SDS is a low-level feature designed for developers building integrations with custom TLS management solutions. For instructions on more common ingress gateway implementations, refer to [Create and manage ingress gateways on virtual machines](/consul/docs/north-south/ingress-gateway/create-vm). ## Overview @@ -14,7 +14,7 @@ The following process describes the general procedure for configuring ingress ga 1. Configure static SDS clusters in the ingress gateway service definition. 1. Register the service definition. -1. Configure TLS client authentication +1. Configure TLS client authentication. 1. Start Envoy. 1. Configure SDS settings in an ingress gateway configuration entry. 1. Register the ingress gateway configuration entry with Consul. @@ -23,8 +23,8 @@ The following process describes the general procedure for configuring ingress ga - The external service must implement Envoy's [gRPC secret discovery service (SDS) API](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret). - You should have some familiarity with Envoy configuration and the SDS protocol. -- The [`connect.enabled` parameter](/consul/docs/agent/config/config-files#connect) must be set to `true` for all server agents in the Consul datacenter. -- The [`ports.grpc` parameter](/consul/docs/agent/config/config-files#connect) must be configured for all server agents in the Consul datacenter. +- The [`connect.enabled` parameter](/consul/docs/reference/agent#connect) must be set to `true` for all server agents in the Consul datacenter. +- The [`ports.grpc` parameter](/consul/docs/reference/agent#connect) must be configured for all server agents in the Consul datacenter. ### ACL requirements @@ -40,7 +40,7 @@ These privileges authorize the token to route communications to other services i You must define one or more additional static clusters in the ingress gateway service definition for each Envoy proxy associated with the gateway. The additional clusters define how Envoy should connect to the required SDS services. -Configure the static clusters in the [`Proxy.Config.envoy_envoy_extra_static_clusters_json`](/consul/docs/connect/proxies/envoy#envoy_extra_static_clusters_json) parameter in the service definition. +Configure the static clusters in the [`Proxy.Config.envoy_envoy_extra_static_clusters_json`](/consul/docs/reference/proxy/envoy#envoy_extra_static_clusters_json) parameter in the service definition. The clusters must provide connection information and any necessary authentication information, such as mTLS credentials. @@ -131,7 +131,7 @@ Issue the `consul services register` command on the Consul agent on the Envoy pr $ consul services register public-ingress.hcl ``` -Refer to [Register services and health checks](/consul/docs/services/usage/register-services-checks) for additional information about registering services in Consul. +Refer to [Register services and health checks](/consul/docs/register/service/vm) for additional information about registering services in Consul. ## Configure TLS client authentication @@ -199,20 +199,20 @@ Refer to [Consul Connect Envoy](/consul/commands/connect/envoy) for additional i Create an ingress gateway configuration entry that enables the gateway to use certificates from SDS. The configuration entry also maps downstream ingress listeners to upstream services. Configure the following fields: -- [`Kind`](/consul/docs/connect/config-entries/ingress-gateway#kind): Set the value to `ingress-gateway`. -- [`Name`](/consul/docs/connect/config-entries/ingress-gateway#name): Consul applies the configuration entry settings to ingress gateway proxies with names that match the `Name` field. -- [`TLS`](/consul/docs/connect/config-entries/ingress-gateway#tls): The main `TLS` parameter for the configuration entry holds the SDS configuration. You can also specify TLS configurations per listener and per service. - - [`TLS.SDS`](/consul/docs/connect/config-entries/ingress-gateway#tls-sds): The `SDS` map includes the following configuration settings: - - [`ClusterName`](/consul/docs/connect/config-entries/ingress-gateway#tls-sds-clustername): Specifies the name of the cluster you specified when [configuring the SDS cluster](#configure-static-SDS-clusters). - - [`CertResource`](/consul/docs/connect/config-entries/ingress-gateway#tls-sds-certresource): Specifies the name of the certificate resource to load. -- [`Listeners`](/consul/docs/connect/config-entries/ingress-gateway#listeners): Specify one or more listeners. - - [`Listeners.Port`](/consul/docs/connect/config-entries/ingress-gateway#listeners-port): Specify a port for the listener. Each listener is uniquely identified by its port number. - - [`Listeners.Protocol`](/consul/docs/connect/config-entries/ingress-gateway#listeners-protocol): The default protocol is `tcp`, but you must specify the protocol used by the services you want to allow traffic from. - - [`Listeners.Services`](/consul/docs/connect/config-entries/ingress-gateway#listeners-services): The `Services` field contains the services that you want to expose to upstream services. The field contains several options and sub-configurations that enable granular control over ingress traffic, such as health check and TLS configurations. +- [`Kind`](/consul/docs/reference/config-entry/ingress-gateway#kind): Set the value to `ingress-gateway`. +- [`Name`](/consul/docs/reference/config-entry/ingress-gateway#name): Consul applies the configuration entry settings to ingress gateway proxies with names that match the `Name` field. +- [`TLS`](/consul/docs/reference/config-entry/ingress-gateway#tls): The main `TLS` parameter for the configuration entry holds the SDS configuration. You can also specify TLS configurations per listener and per service. + - [`TLS.SDS`](/consul/docs/reference/config-entry/ingress-gateway#tls-sds): The `SDS` map includes the following configuration settings: + - [`ClusterName`](/consul/docs/reference/config-entry/ingress-gateway#tls-sds-clustername): Specifies the name of the cluster you specified when [configuring the SDS cluster](#configure-static-SDS-clusters). + - [`CertResource`](/consul/docs/reference/config-entry/ingress-gateway#tls-sds-certresource): Specifies the name of the certificate resource to load. +- [`Listeners`](/consul/docs/reference/config-entry/ingress-gateway#listeners): Specify one or more listeners. + - [`Listeners.Port`](/consul/docs/reference/config-entry/ingress-gateway#listeners-port): Specify a port for the listener. Each listener is uniquely identified by its port number. + - [`Listeners.Protocol`](/consul/docs/reference/config-entry/ingress-gateway#listeners-protocol): The default protocol is `tcp`, but you must specify the protocol used by the services you want to allow traffic from. + - [`Listeners.Services`](/consul/docs/reference/config-entry/ingress-gateway#listeners-services): The `Services` field contains the services that you want to expose to upstream services. The field contains several options and sub-configurations that enable granular control over ingress traffic, such as health check and TLS configurations. -For Consul Enterprise service meshes, you may also need to configure the [`Partition`](/consul/docs/connect/config-entries/ingress-gateway#partition) and [`Namespace`](/consul/docs/connect/config-entries/ingress-gateway#namespace) fields for the gateway and for each exposed service. +For Consul Enterprise service meshes, you may also need to configure the [`Partition`](/consul/docs/reference/config-entry/ingress-gateway#partition) and [`Namespace`](/consul/docs/reference/config-entry/ingress-gateway#namespace) fields for the gateway and for each exposed service. -Refer to [Ingress gateway configuration entry reference](/consul/docs/connect/config-entries/ingress-gateway) for details about the supported parameters. +Refer to [Ingress gateway configuration entry reference](/consul/docs/reference/config-entry/ingress-gateway) for details about the supported parameters. The following example directs Consul to retrieve `example.com-public-cert` certificates from an SDS cluster named `sds-cluster` and serve them to all listeners: @@ -242,7 +242,7 @@ Listeners = [ ## Register the ingress gateway configuration entry -You can register the configuration entry using the [`consul config` command](/consul/commands/config) or by calling the [`/config` API endpoint](/consul/api-docs/config). Refer to [How to Use Configuration Entries](/consul/docs/agent/config-entries) for details about applying configuration entries. +You can register the configuration entry using the [`consul config` command](/consul/commands/config) or by calling the [`/config` API endpoint](/consul/api-docs/config). The following example registers an ingress gateway configuration entry named `public-ingress-cfg.hcl` that is stored on the local system: @@ -250,4 +250,4 @@ The following example registers an ingress gateway configuration entry named `pu $ consul config write public-ingress-cfg.hcl ``` -The Envoy instance starts a listener on the port specified in the configuration entry and fetches the TLS certificate named from the SDS server. +The Envoy instance starts a listener on the port specified in the configuration entry and fetches the TLS certificate named from the SDS server. \ No newline at end of file diff --git a/website/content/docs/north-south/ingress-gateway/index.mdx b/website/content/docs/north-south/ingress-gateway/index.mdx new file mode 100644 index 00000000000..f30c649bf70 --- /dev/null +++ b/website/content/docs/north-south/ingress-gateway/index.mdx @@ -0,0 +1,47 @@ +--- +layout: docs +page_title: Ingress gateway overview +description: >- + Ingress gateways enable you to connect external services to services in your mesh. Ingress gateways are a type of proxy that listens for requests from external network locations and route authorized traffic to destinations in the service mesh. +--- + +# Ingress gateway overview + +This topic provides an overview of ingress gateways in Consul. An ingress gateway is a type of proxy that enables network connectivity from external services to services inside the mesh. They listen for external requests and route authorized traffic to instances in the service mesh. Refer to [Access services overview](/north-south/) for additional information about connecting external clients to services in the mesh. + + + +Ingress gateways are deprecated. Use [Consul API gateways](/north-south/api-gateway) to secure service mesh ingress instead. + + + +## Workflow + +The following workflow describes how to deploy ingress gateways to service meshes on virtual machines (VM) and Kubernetes (K8s): + +1. For networks operating on K8s, enable ingress gateways in the Helm chart configuration when installing Consul. +1. Define listeners and the services they expose to external clients. When ACLs are enabled, you must also define service intentions to allow traffic to the destination services. +1. Register the ingress gateway service with Consul and start the ingress gateway proxy service. + +You can also configure ingress gateways to retrieve and serve custom TLS certificates from external systems. This functionality is designed to help you integrate with custom TLS management software. Refer to [Serve custom TLS certificates from an external service](/consul/docs/north-south/ingress-gateway/tls-external-service) for additional information. + +The following diagram describes how external traffic reaches services inside the mesh through an ingress gateway: + +![How external traffic reaches services inside the mesh through an ingress gateway](/img/ingress-gateways.png) + +## Guidance + +Refer to the following resources to help you enable secure access to service mesh resources from external clients. + +### Usage + +- [Create ingress gateways on VMs](/consul/docs/north-south/ingress-gateway/create-vm) +- [Create ingress gateways on K8s](/consul/docs/north-south/ingress-gateway/create-k8s) +- [Serve TLS certificates from external services](/consul/docs/north-south/ingress-gateway/tls-external-service) + +### Reference + +- [Ingress gateway configuration](/consul/docs/reference/config-entry/ingress-gateway) +- [Helm chart configuration](/consul/docs/reference/reference/k8s/helm) +- [Service intentions configuration](/consul/docs/reference/config-entry/service-intention) + diff --git a/website/content/docs/north-south/ingress-gateway/k8s.mdx b/website/content/docs/north-south/ingress-gateway/k8s.mdx new file mode 100644 index 00000000000..b718fe5cbd5 --- /dev/null +++ b/website/content/docs/north-south/ingress-gateway/k8s.mdx @@ -0,0 +1,299 @@ +--- +layout: docs +page_title: Create and manage ingress gateways on Kubernetes +description: Learn how to create and manage an ingress gateway on K8s. Ingress gateways are Consul service mesh constructs that listen for requests from external network locations and route authorized traffic to destinations in the service mesh. +--- + +# Create and manage ingress gateways on Kubernetes + +This topic describes how to add ingress gateways to your Consul service mesh in Kubernetes environments. Refer to [Create and manage ingress gateways on Kubernetes](/consul/docs/north-south/ingress-gateway/create-vm) for instructions on how to implement ingress gateways in virtual machine (VM) environments. + + + +Ingress gateways are deprecated and will no longer be updated. Ingress gateways are fully supported +in this version, but we will remove them in a future release of Consul. Use [Consul API gateways](/consul/docs/north-south/api-gateway) instead. + + + + +## Overview + +Ingress gateways enable services outside the service mesh to send traffic to services in the mesh. Refer to [Ingress gateways overview](/consul/docs/north-south/ingress-gateway/) for additional information about ingress gateways. + +Complete the following steps to add an ingress gateway: + +1. Enable ingress gateways in the Helm chart configuration +1. Configure ingress gateway listeners and destinations +1. If ACLs are enabled, define service intentions +1. Deploy your application to Kubernetes +1. Connect to your application + +## Enable ingress gateways in the Helm chart + +1. Create custom YAML values file and configure the `ingressGateways` object. You can specify one or more gateways for you environment in the `ingressGateways.gateways` field. The only required field for each entry is `ingressGateways.gateways.name`. Refer to the [Helm chart reference](/consul/docs/reference/reference/k8s/helm#ingressgateways) for details about the supported fields. + + The following example configuration creates an ingress as a public, unauthenticated LoadBalancer in your cluster: + + + + ```yaml + global: + name: consul + connectInject: + enabled: true + ingressGateways: + enabled: true + gateways: + - name: ingress-gateway + service: + type: LoadBalancer + ``` + + + +1. Deploy the Helm chart and pass the custom YAML file that contains your environment configuration. We recommend verifying that the latest Consul Helm chart is installed. Refer to [Consul on Kubernetes installation overview](/consul/docs/deploy/server/k8s) for additional information. + + The following example installs Consul 1.17.0 using a `values.yaml` configuration file: + + ```shell-session + $ helm install consul -f values.yaml hashicorp/consul --version 1.17.0 --wait --debug + ``` + +## Configure gateway listeners and destinations + +Create an ingress gateway custom resource and specify listeners and destination services in the configuration. The `name` field for the must match the name specified when creating the gateway in the Helm chart. +Refer to the [ingress gateway configuration reference](/consul/docs/reference/config-entry/ingress-gateway) for details. + +The following example creates an ingress gateway that listens for HTTP traffic on port `8080` and routes traffic to `static-server`: + + + +```yaml +apiVersion: consul.hashicorp.com/v1alpha1 +kind: IngressGateway +metadata: + name: ingress-gateway +spec: + listeners: + - port: 8080 + protocol: http + services: + - name: static-server +``` + + + + +Apply the `IngressGateway` resource with `kubectl apply`: + +```shell-session +$ kubectl apply --filename ingress-gateway.yaml +ingressgateway.consul.hashicorp.com/ingress-gateway created +``` + +### Configure the default protocol + +Destination services mapped to the gateway listeners must use the same protocol specified in the ingress gateway custom resource. +You can create and apply a service defaults custom resource configuration to set the default protocol for all instances of a service in your mesh. +Refer to the [service defaults configuration reference](/consul/docs/reference/config-entry/service-default) for additional information. + +The following example directs the `static-server` service to communicate with other services in the mesh over HTTP: + + + +```yaml +apiVersion: consul.hashicorp.com/v1alpha1 +kind: ServiceDefaults +metadata: + name: static-server +spec: + protocol: http +``` + + + +Run the `kubectl apply` command to apply the service defaults resource: + +```shell-session +$ kubectl apply --filename service-defaults.yaml +servicedefaults.consul.hashicorp.com/static-server created +``` + +### Verify the custom resources + +You can run the `kubectl get` command to verify that your custom resources have successfully synced to Consul: + +```shell-session +$ kubectl get servicedefaults +NAME SYNCED AGE +static-server True 45s + +$ kubectl get ingressgateway +NAME SYNCED AGE +ingress-gateway True 13m +``` + +### View the gateway in the Consul UI + +You can confirm the ingress gateways have been configured as expected by viewing the ingress gateway service instances +in the Consul UI. + +Run the `kubectl port-forward` command. Refer to [View the Consul UI](/consul/docs/deploy/server/k8s#viewing-the-consul-ui) +for instructions. + +After forwarding the port, you can open [http://localhost:8500/ui/dc1/services/ingress-gateway/instances](http://localhost:8500/ui/dc1/services/ingress-gateway/instances) in a web browser to view the ingress gateway instances. + +If TLS is enabled, use open [https://localhost:8501/ui/dc1/services/ingress-gateway/instances](https://localhost:8501/ui/dc1/services/ingress-gateway/instances). + +## Define service intentions + +When ACLs are enabled, you must define service intentions to allow the ingress gateway to route traffic to the destination service. Refer to [Create service intentions](/consul/docs/secure-mesh/intentions/create) for additional information. + +To define an intention, create a service intention configuration and apply it to your cluster. Refer to [Service intention configuration reference](/consul/docs/reference/config-entry/service-intention) for details. + +In the following example, Consul allows the `ingress-gateway` service to send traffic to the `static-server` destination service: + + + +```yaml +apiVersion: consul.hashicorp.com/v1alpha1 +kind: ServiceIntentions +metadata: + name: static-server +spec: + destination: + name: static-server + sources: + - name: ingress-gateway + action: allow +``` + + + +Run the `kubectl apply` command to apply the service intention configuration: + +```shell-session +$ kubectl apply --filename service-intentions.yaml +serviceintentions.consul.hashicorp.com/ingress-gateway created +``` + +Refer to the [zero trust network tutorial ](/consul/tutorials/kubernetes-features/service-mesh-zero-trust-network?utm_source=docs) for additional guidance on how to configure zero-trust networking with intentions. + +## Deploy your application to Kubernetes + +Deploy your application to the cluster. Refer to the [Kubernetes documentation](https://kubernetes.io/docs/tutorials/kubernetes-basics/deploy-app/) for instructions on creating deployments. + +The following configuration defines a Kubernetes Deployment container called `static-server` that uses the `hashicorp/http-echo:latest` image to print `"hello world"`: + + + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: static-server +spec: + selector: + app: static-server + ports: + - protocol: TCP + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: static-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: static-server +spec: + replicas: 1 + selector: + matchLabels: + app: static-server + template: + metadata: + name: static-server + labels: + app: static-server + annotations: + 'consul.hashicorp.com/connect-inject': 'true' + spec: + containers: + - name: static-server + image: hashicorp/http-echo:latest + args: + - -text="hello world" + - -listen=:8080 + ports: + - containerPort: 8080 + name: http + serviceAccountName: static-server +``` + + + +Rune the `kubectl apply` command to apply the configuration and deploy the application. + +```shell-session +$ kubectl apply --filename static-server.yaml +``` + +## Validate the service registration + +You can validate that the service is registered with Consul using the UI or by sending a request to the service. + + + + + +1. Open the Consul UI in a web browser. By default, the Consul UI is on port 8500, for example `http://localhost:8500/ui/dc1/services/static-server/instances`. When TLS is enabled, the default port number is 8501. +1. Click on the **Services** tab. +1. Click on the name of your service. + + + + +The following example sends a cURL request to the cluster: + +```shell-session +$ EXTERNAL_IP=$(kubectl get services --selector component=ingress-gateway --output jsonpath="{range .items[*]}{@.status.loadBalancer.ingress[*].ip}{end}") +$ echo "Connecting to \"$EXTERNAL_IP\"" +$ curl --header "Host: static-server.ingress.consul" "http://$EXTERNAL_IP:8080" +"hello world" +``` + + + + +!> **Security Warning:** Always delete applications and services you created as part of your test and development procedures. Open and unauthenticated load balancer that you leave alive in your cluster represent a security risk. + +## Delete an ingress gateway + +To delete the ingress gateway, set `ingressGateways.enabled` to `false` in your Helm configuration: + + + +```yaml +global: + name: consul +connectInject: + enabled: true +ingressGateways: + enabled: false # Set to false + gateways: + - name: ingress-gateway + service: + type: LoadBalancer +``` + + + +Rune `helm upgrade` to apply the configuration: + +```shell-session +$ helm upgrade consul hashicorp/consul --values values.yaml +``` \ No newline at end of file diff --git a/website/content/docs/north-south/ingress-gateway/vm.mdx b/website/content/docs/north-south/ingress-gateway/vm.mdx new file mode 100644 index 00000000000..8e21890fb94 --- /dev/null +++ b/website/content/docs/north-south/ingress-gateway/vm.mdx @@ -0,0 +1,127 @@ +--- +layout: docs +page_title: Create and manage ingress gateways on virtual machines +description: Learn how to create and manage an ingress gateway on virtual machines. Ingress gateways are Consul service mesh constructs that listen for requests from external network locations and route authorized traffic to destinations in the service mesh. +--- + +# Create and manage ingress gateways on virtual machines + +This topic describes how to add ingress gateways to your Consul service mesh in virtual machine (VM) environments. Refer to [Create and manage ingress gateways on Kubernetes](/consul/docs/north-south/ingress-gateway/create-k8s) for instructions on how to implement ingress gateways in Kubernetes environments. + + + +Ingress gateways are deprecated and will no longer be updated. Ingress gateways are fully supported +in this version, but we will remove them in a future release of Consul. Use [Consul API gateways](/consul/docs/north-south/api-gateway) instead. + + + +## Overview + +Ingress gateways enable services outside the service mesh to send traffic to services in the mesh. Refer to [Ingress gateways overview](/consul/docs/north-south/ingress-gateway/) for additional information about ingress gateways. + +Complete the following steps to set up an ingress gateway: + +1. Define listeners and the services they expose in an ingress gateway configuration entry. +1. Register the ingress gateway configuration entry to Consul. +1. Create a service definition for the ingress gateway proxy service and deploy it to the mesh. +1. Start the ingress gateway. This step deploys the Envoy proxy that functions as the ingress gateway. + +After specifying listeners and services in the ingress gateway configuration entry, you can register the gateway service and start Envoy with a single CLI command instead of completing these steps separately. Refer [Register an ingress service on Envoy startup](#register-an-ingress-service-on-envoy-startup). + +## Requirements + +- Service mesh must be enabled for all agents. Set the [`connect.enabled` parameter](/consul/docs/reference/agent#connect) to `true` to enable service mesh. +- The gRPC port must be configured for all server agents in the datacenter. Specify the gRPC port in the [`ports.grpc` parameter](/consul/docs/reference/agent#grpc_port). We recommend setting the port to `8502` to simplify configuration when ACLs are enabled. Refer to [ACL requirements](#acl-requirements) for additional information. +- You must use Envoy for sidecar proxies in your service mesh. Refer to [Configure and deploy sidecar proxies](/consul/docs/connect/proxy/deploy-sidecar) for additional information. + +### ACL requirements + +If ACLs are enabled, you must present a token when registering ingress gateways that grant the following permissions: + +- `service:write` for the ingress gateway's service name +- `service:read` for all services in the ingress gateway's configuration entry +- `node:read` for all nodes of the services in the ingress gateway's configuration entry. + +These privileges authorize the token to route communications to other services in the mesh. If the Consul client agent on the gateway's node is not configured to use the default `8502` gRPC port, then the gateway's token must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies. + +## Define listeners + +Specify listener configurations in an ingress gateway configuration entry. Listener configurations are traffic entry points to the service mesh that map to upstream services. When you register an ingress gateway proxy that matches the configuration entry name, Consul applies the settings specified in the configuration entry. Configure the following fields: + +- [`Kind`](/consul/docs/reference/config-entry/ingress-gateway#kind): Set the value to `ingress-gateway`. +- [`Name`](/consul/docs/reference/config-entry/ingress-gateway#name): Consul applies the configuration entry settings to ingress gateway proxies with names that match the `Name` field. +- [`Listeners`](/consul/docs/reference/config-entry/ingress-gateway#listeners): Specify one or more listeners. + - [`Listeners.Port`](/consul/docs/reference/config-entry/ingress-gateway#listeners-port): Specify a port for the listener. Each listener is uniquely identified by its port number. + - [`Listeners.Protocol`](/consul/docs/reference/config-entry/ingress-gateway#listeners-protocol): The default protocol is `tcp`, but you must specify the protocol used by the services you want to allow traffic from. + - [`Listeners.Services`](/consul/docs/reference/config-entry/ingress-gateway#listeners-services): The `Services` field contains the services that you want to expose to upstream services. The field contains several options and sub-configurations that enable granular control over ingress traffic, such as health check and TLS configurations. + +For Consul Enterprise service meshes, you may also need to configure the [`Partition`](/consul/docs/reference/config-entry/ingress-gateway#partition) and [`Namespace`](/consul/docs/reference/config-entry/ingress-gateway#namespace) fields for the gateway and for each exposed service. + +Refer to [Ingress gateway configuration entry reference](/consul/docs/referenece/config-entry/ingress-gateway) for details about the supported parameters. + +## Register the ingress gateway + +You can either use the [`consul config` command](/consul/commands/config) or call the [`/config` API endpoint](/consul/api-docs/config) to register the gateway configuration entry. +The following example command registers an ingress gateway configuration entry named `public-ingress.hcl` that is stored on the local system: + +```shell-session +$ consul config write public-ingress.hcl +``` + +## Deploy an ingress gateway service + +To deploy an ingress gateway service, create a service definition and register it with Consul. + +You can also define an ingress gateway service and register it with Consul while starting an Envoy proxy from the command line. Refer to [Register an ingress service on Envoy startup](#register-an-ingress-service-on-envoy-startup) for details. + +### Create a service definition for the ingress gateway + +Consul applies the settings defined in the ingress gateway configuration entry to ingress gateway services that match the configuration entry name. Refer to [Define services](/consul/docs/register/service/vm/define) for additional information about defining services in Consul. + +The following fields are required for the ingress gateway service definition: + +- [`Kind`](/consul/docs/reference/service#kind): The field must be set to `ingress-gateway`. +- [`Name`](/consul/docs/reference/service#name): The name should match the value specified for the `Name` field in the configuration entry. + +All other service definition fields are optional, but we recommend defining health checks to verify the health of the gateway. Refer to [Services configuration reference](/consul/docs/reference/service) for information about defining services. + +### Register the ingress gateway proxy service + +You can register the ingress gateway using API or CLI. Refer to [Register services and health checks](/consul/docs/register/service/vm/) for instructions on registering services in Consul. + +The following example registers an ingress gateway defined in `ingress-gateway.hcl` from the Consul CLI: + +```shell-session +$ consul services register ingress-service.hcl +``` + +## Start an Envoy proxy + +Run the `consul connect envoy` command to start Envoy. Specify the name of the ingress gateway service and include the `-gateway=ingress` flag. Refer to [Consul Connect Envoy](/consul/commands/connect/envoy) for details about using the command. + +The following example starts Envoy for the `ingress-service` gateway service: + +```shell-session +$ consul connect envoy -gateway=ingress ingress-service +``` + +### Register an ingress service on Envoy startup + +You can also automatically register the ingress gateway service when starting the Envoy proxy. Specify the following flags with the `consul connect envoy` command: + +- `-gateway=ingress` +- `-register` +- `-service=` + +The following example starts Envoy and registers an ingress gateway service named `ingress-service` bound to the agent address at port `8888`: + +```shell-session +$ consul connect envoy -gateway=ingress -register \ + -service ingress-service \ + -address '{{ GetInterfaceIP "eth0" }}:8888' +``` +You cannot register the ingress gateway service and start the proxy at the same time if you configure the gateway to retrieve and serve TLS certificates from their external downstreams. Refer to [Serve custom TLS certificates from an external service](/consul/docs/north-south/ingress-gateway/tls-external-service) for more information. + +## Additional Envoy configurations + +Ingress gateways support additional Envoy gateway options and escape-hatch overrides. Specify gateway options in the ingress gateway service definition to use them. To use escape-hatch overrides, you must add them to your global proxy defaults configuration entry. Refer to the [Envoy configuration reference](/consul/docs/reference/proxy/envoy) for additional information. \ No newline at end of file diff --git a/website/content/docs/north-south/k8s.mdx b/website/content/docs/north-south/k8s.mdx new file mode 100644 index 00000000000..38aea0ec9c3 --- /dev/null +++ b/website/content/docs/north-south/k8s.mdx @@ -0,0 +1,64 @@ +--- +page_title: Service mesh ingress on Kubernetes +description: API gateways and ingress gateways are types of service mesh proxies that you can use to securely allow systems outside the Consul service mesh to access services in the mesh. Learn how API and ingress gateways can help you enable access to services registered by Consul on Kubernetes. +layout: docs +--- + +# Service mesh ingress on Kubernetes + +This topic provides an overview of how Consul securely allows systems outside the service mesh to access services inside the mesh on Kubernetes. Network traffic that connects services inside the mesh to external clients or services is referred to as _north-south traffic_. + +For information about enabling intra-mesh, or _east-west traffic_ , refer to [Link network segments overview](/consul/docs/link). + +## Introduction + +You can define points of ingress to the service mesh using either API gateways or ingress gateways. These gateways allow external network clients to access applications and services running in a Consul datacenter. + +API gateways forward requests from clients to specific destinations based on path or request protocol. Ingress gateways are Consul's legacy capability for ingress and have been deprecated in favor of API gateways. + +## API gateways + +API gateways enable external network clients to securely access applications and services running in a Consul datacenter. Consul API gateways can also forward requests from clients to specific destinations in the service mesh based on request's path or protocol. + + +To enable an API gateway, you must configure the gateway, its listeners, and its routes. Refer to [API gateway overview](/consul/docs/north-south/api-gateway) for additional information about deploying API gateways to your Consul service mesh. + +## Ingress gateways + +Ingress gateways listen for external requests and route authorized traffic to instances in the service mesh. They provide one-way traffic from external sources to services in the mesh. If you want to enable traffic from services in the mesh to external destinations, then you must also configure a [terminating gateway](/consul/docs/register/external/terminating-gateway), which is a separate component that requires additional configuration and maintenance. + +We recommend using API gateways to enable north-south traffic instead of implementing ingress gateways and terminating gateways. + +Refer to [Ingress gateway overview](/consul/docs/north-south/ingress-gateway) for additional information about deploying ingress gateways to your Consul service mesh. + + + +Ingress gateways are deprecated. Use [Consul API gateways](/north-south/api-gateway) to secure service mesh ingressinstead. + + + +## Guidance + +Refer to the following resources for help setting up and using API gateways: + +### Tutorials + +- [Control access into the service mesh with Consul API gateway](/consul/tutorials/developer-mesh/kubernetes-api-gateway) + +### Usage documentation + +- [Deploy API gateway listeners to Kubernetes](/consul/docs/north-south/api-gateway/deploy-listener/k8s) +- [Deploy API gateway routes to Kubernetes](/consul/docs/north-south/api-gateway/define-route/k8s) +- [Reroute HTTP requests in Kubernetes](/consul/docs/north-south/api-gateway/define-route/k8s-reroute-traffic) +- [Route traffic to peered services in Kubernetes](/consul/docs/north-south/api-gateway/define-route/k8s-route-peered) +- [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/north-south/api-gateway/secure-traffic/k8s-jwt) + +### Reference + +- [`Gateway`](/consul/docs/reference/k8s/api-gateway/gateway) +- [`GatewayClass`](/consul/docs/reference/k8s/api-gateway/gatewayclass) +- [`GatewayClassConfig`](/consul/docs/reference/k8s/api-gateway/gatewayclassconfig) +- [`Routes`](/consul/docs/reference/k8s/api-gateway/routes) +- [`MeshServices`](/consul/docs/reference/k8s/api-gateway/meshservices) +- [`ServiceIntentions`](/consul/docs/reference/config-entry/service-intention) +- [Error messages](/consul/docs/common-error-messages/api-gateway) \ No newline at end of file diff --git a/website/content/docs/north-south/vm.mdx b/website/content/docs/north-south/vm.mdx new file mode 100644 index 00000000000..6005662986b --- /dev/null +++ b/website/content/docs/north-south/vm.mdx @@ -0,0 +1,61 @@ +--- +page_title: Service mesh ingress on virtual machines +description: API gateways and ingress gateways are types of service mesh proxies that you can use to securely allow systems outside the Consul service mesh to access services in the mesh. Learn how API and ingress gateways can help you enable access to services registered by Consul when running Consul on virtual machines (VMs). +layout: docs +--- + +# Service mesh ingress on virtual machines + +This topic provides an overview of how Consul securely allows systems outside the service mesh to access services inside the mesh when running the Consul binary on virtual machines (VM). Network traffic that connects services inside the mesh to external clients or services is referred to as _north-south traffic_. + +For information about enabling intra-mesh, or _east-west traffic_, refer to [Link network segments overview](/consul/docs/link). + +## Introduction + +You can define points of ingress to the service mesh using either API gateways or ingress gateways. These gateways allow external network clients to access applications and services running in a Consul datacenter. + +API gateways forward requests from clients to specific destinations based on path or request protocol. Ingress gateways are Consul's legacy capability for ingress and have been deprecated in favor of API gateways. + +## API gateways + +API gateways enable external network clients to access applications and services running in a Consul datacenter. Consul API gateways can also forward requests from clients to specific destinations based on path or request protocol. + +Systems that access services in the mesh may be internal or external to your organizational network. This type of network traffic is commonly called north-south network traffic. + +Refer to [API gateway overview](/consul/docs/north-south/api-gateway) for additional information about deploying API gateways to your Consul service mesh. + +## Ingress gateways + +Ingress gateways listen for external requests and route authorized traffic to instances in the service mesh. They provide one-way traffic from external sources to services in the mesh. If you want to enable traffic from services in the mesh to external destinations, then you must also configure a _terminating gateway_. Refer to [Terminating gateways overview](/consul/docs/register/external/terminating-gateway). + +Note that terminating gateways are separate components from ingress gateways and require additional configuration and maintenance. Use API gateways to enable north-south traffic Instead of implementing ingress gateways and terminating gateways. + +Refer to [Ingress gateway overview](/consul/docs/north-south/ingress-gateway) for additional information about deploying ingress gateways to your Consul service mesh. + + + +Ingress gateways are deprecated. Use [Consul API gateways](/north-south/api-gateway) to secure service mesh ingress instead. + + + +## Guidance + +Refer to the following resources for help setting up and using API gateways: + +### Tutorials + +- [Control access into the service mesh with Consul API gateway](/consul/tutorials/developer-mesh/kubernetes-api-gateway) + +### Usage documentation + +- [Deploy API gateway listeners to VMs](/consul/docs/north-south/api-gateway/deploy-listener/vm) +- [Deploy API gateway routes to VMs](/consul/docs/north-south/api-gateway/define-route/vm) +- [Encrypt API gateway traffic on VMs](/consul/docs/north-south/api-gateway/secure-traffic/vm-encrypt) +- [Use JWTs to verify requests to API gateways on VMs](/consul/docs/north-south/api-gateway/secure-traffic/vm-jwt) + +### Reference + +- [API gateway configuration entry reference](/consul/docs/reference/config-entry/api-gateway) +- [HTTP route configuration entry reference](/consul/docs/reference/config-entry/http-route) +- [TCP route configuration entry reference](/consul/docs/reference/config-entry/tcp-route) +- [Error messages](/consul/docs/common-error-messages/api-gateway) \ No newline at end of file diff --git a/website/content/docs/connect/observability/access-logs.mdx b/website/content/docs/observe/access-log.mdx similarity index 94% rename from website/content/docs/connect/observability/access-logs.mdx rename to website/content/docs/observe/access-log.mdx index 377b32b517c..18aa6fc2cc4 100644 --- a/website/content/docs/connect/observability/access-logs.mdx +++ b/website/content/docs/observe/access-log.mdx @@ -1,6 +1,6 @@ --- layout: docs -page_title: Service Mesh Observability - Access Logs +page_title: Access Logs description: >- Consul can emit access logs for application connections and requests that pass through Envoy proxies in the service mesh. Learn how to configure access logs, including minimum configuration requirements and the default log format. --- @@ -14,11 +14,11 @@ You can use the application traffic records in access to logs to help you perfor - **Threat Detection**: Operators can review details about unauthorized attempts to access the service mesh and their origins. - **Audit Compliance**: Operators can use access less for security compliance requirements for traffic entering and exiting the service mesh through gateways. -Consul supports access logs capture through Envoy proxies started through the [`consul connect envoy`](/consul/commands/connect/envoy) CLI command and [`consul-dataplane`](/consul/docs/connect/dataplane). Other proxies are not supported. +Consul supports access logs capture through Envoy proxies started through the [`consul connect envoy`](/consul/commands/connect/envoy) CLI command and [`consul-dataplane`](/consul/docs/connect/dataplane). Other proxies are not supported. You can also configure the [OpenTelemetry Envoy extension](/consul/docs.envoy-extension/otel-access-logging) to capture and stream access logs. ## Enable access logs -Access logs configurations are defined globally in the [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults#accesslogs) configuration entry. +Access logs configurations are defined globally in the [`proxy-defaults`](/consul/docs/reference/config-entry/proxy-defaults#accesslogs) configuration entry. The following example is a minimal configuration for enabling access logs: @@ -108,7 +108,7 @@ Custom logs can be either JSON format or text format. You can format access logs in JSON so that you can parse them with Application Monitoring Platforms (APMs). -To use a custom access log, in the `proxy-defaults` configuration entry, set [`JSONFormat`](/consul/docs/connect/config-entries/proxy-defaults#jsonformat) to the string representation of the desired JSON. +To use a custom access log, in the `proxy-defaults` configuration entry, set [`JSONFormat`](/consul/docs/reference/config-entry/proxy-defaults#jsonformat) to the string representation of the desired JSON. Nesting is supported. @@ -162,7 +162,7 @@ spec: ### Text format -To use a custom access log formatted in plaintext, in the `proxy-defaults` configuration entry, set [`TextFormat`](/consul/docs/connect/config-entries/proxy-defaults#textformat) to the desired customized string. +To use a custom access log formatted in plaintext, in the `proxy-defaults` configuration entry, set [`TextFormat`](/consul/docs/reference/config-entry/proxy-defaults#textformat) to the desired customized string. New lines are automatically added to the end of the log to keep each access log on its own line in the output. @@ -205,7 +205,7 @@ spec: ## Kubernetes As part of its normal operation, the Envoy debugging logs for the `consul-dataplane`, `envoy`, or `envoy-sidecar` containers are written to `stderr`. -The access log [`Type`](/consul/docs/connect/config-entries/proxy-defaults#type) is set to `stdout` by default for access logs when enabled. +The access log [`Type`](/consul/docs/reference/config-entry/proxy-defaults#type) is set to `stdout` by default for access logs when enabled. Use a log aggregating solution to separate the machine-readable access logs from the Envoy process debug logs. ## Write to a file diff --git a/website/content/docs/connect/distributed-tracing.mdx b/website/content/docs/observe/distributed-tracing.mdx similarity index 93% rename from website/content/docs/connect/distributed-tracing.mdx rename to website/content/docs/observe/distributed-tracing.mdx index ffe5ef033bb..25b9e48cb16 100644 --- a/website/content/docs/connect/distributed-tracing.mdx +++ b/website/content/docs/observe/distributed-tracing.mdx @@ -1,6 +1,6 @@ --- layout: docs -page_title: Service Mesh Distributed Tracing +page_title: Distributed Tracing description: >- Distributed tracing tracks the path of a request as it traverses the service mesh. Consul supports distributed tracing for applications that have it implemented. Learn how to integrate tracing libraries in your application and configure Consul to participate in that tracing. --- @@ -145,16 +145,16 @@ spec: --> **NOTE:** This example uses a [proxy defaults](/consul/docs/connect/config-entries/proxy-defaults) configuration entry, which applies to all proxies, +-> **NOTE:** This example uses a [proxy defaults](/consul/docs/reference/config-entry/proxy-defaults) configuration entry, which applies to all proxies, but you can also apply the configuration in the -[`proxy` block of your service configuration](/consul/docs/connect/proxies/proxy-config-reference#proxy-parameters). The proxy service registration is not supported on Kubernetes. +[`proxy` block of your service configuration](/consul/docs/reference/proxy/connect-proxy#proxy-parameters). The proxy service registration is not supported on Kubernetes. Within the config there are two keys you need to customize: -1. [`envoy_tracing_json`](/consul/docs/connect/proxies/envoy#envoy_tracing_json): Sets the tracing configuration for your specific tracing type. +1. [`envoy_tracing_json`](/consul/docs/reference/proxy/envoy#envoy_tracing_json): Sets the tracing configuration for your specific tracing type. See the [Envoy tracers documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/trace) for your specific collector's configuration. This configuration will reference the cluster name defined in `envoy_extra_static_clusters_json`. -1. [`envoy_extra_static_clusters_json`](/consul/docs/connect/proxies/envoy#envoy_extra_static_clusters_json): Defines the address +1. [`envoy_extra_static_clusters_json`](/consul/docs/reference/proxy/envoy#envoy_extra_static_clusters_json): Defines the address of your tracing collector where Envoy will send its spans. In this example the URL was `collector-url:9411`. ## Applying the configuration diff --git a/website/content/docs/observe/index.mdx b/website/content/docs/observe/index.mdx new file mode 100644 index 00000000000..657f5c0a0dc --- /dev/null +++ b/website/content/docs/observe/index.mdx @@ -0,0 +1,38 @@ +--- +layout: docs +page_title: Observe your service mesh +description: >- + This topic provides an overview of Consul's service mesh observability features, including L7 telemetry visualizations, access logs, and distributed tracing. +--- + +# Observe your service mesh + +This topic provides an overview of Consul's observability features. Consul can be configured with Prometheus to provide visualizations about agent operations and service traffic between proxies in your service mesh. + +## Introduction + +Consul supports observability functions that enable you to understand the state of your service mesh while it is running. By monitoring agent, client, dataplane, gateway, mesh proxy, and sidecar proxy requests and their L7 traffic, you can diagnose network issues and effectively mitigate communication failures in your service mesh. Consul can be configured to expose three kinds of telemetry features to help you observe your service mesh: + +- Access logs +- Distributed traces +- Service mesh telemetry metrics + +## Access logs + +@include 'text/descriptions/access-log.mdx' + +## Distributed tracing + +@include 'text/descriptions/distributed-tracing.mdx' + +## Service mesh telemetry metrics + +@include 'text/descriptions/telemetry.mdx' + +## Guidance + +@include 'text/guidance/observe.mdx' + +### Constraints, limitations, and troubleshooting + +@include 'text/limitations/observe.mdx' \ No newline at end of file diff --git a/website/content/docs/k8s/connect/observability/metrics.mdx b/website/content/docs/observe/telemetry/k8s.mdx similarity index 96% rename from website/content/docs/k8s/connect/observability/metrics.mdx rename to website/content/docs/observe/telemetry/k8s.mdx index 167f2c7613c..bae11dc8003 100644 --- a/website/content/docs/k8s/connect/observability/metrics.mdx +++ b/website/content/docs/observe/telemetry/k8s.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Configure metrics for Consul on Kubernetes +page_title: Observe service mesh telemetry on Kubernetes description: >- Use the `connectInject.metrics` Helm values to enable Prometheus and Grafana integrations and capture metrics. Consul can collect metrics from the service mesh, sidecar proxies, agents, and gateways in a k8s cluster and then display service traffic metrics in Consul’s UI for additional observability. --- -# Configure Metrics for Consul on Kubernetes +# Observe service mesh telemetry on Kubernetes Consul on Kubernetes integrates with Prometheus and Grafana to provide metrics for Consul service mesh. The metrics available are: @@ -30,7 +30,7 @@ The diagram below illustrates how the metrics integration works when merging is [![Metrics Merging Architecture](/img/metrics-arch.png)](/img/metrics-arch.png) --> -Metrics for services in the mesh can be configured with the Helm values nested under [`connectInject.metrics`](/consul/docs/k8s/helm#v-connectinject-metrics). +Metrics for services in the mesh can be configured with the Helm values nested under [`connectInject.metrics`](/consul/docs/reference/k8s/helm#v-connectinject-metrics). Metrics and metrics merging can be enabled by default for all connect-injected Pods with the following Helm values: @@ -110,7 +110,7 @@ global: ## Metrics in the UI Topology Visualization -Consul's built-in UI has a topology visualization for services that are part of the Consul service mesh. The topology visualization has the ability to fetch basic metrics from a metrics provider for each service and display those metrics as part of the [topology visualization](/consul/docs/connect/observability/ui-visualization). +Consul's built-in UI has a topology visualization for services that are part of the Consul service mesh. The topology visualization has the ability to fetch basic metrics from a metrics provider for each service and display those metrics as part of the [topology visualization](/consul/docs/observe/mesh/vm). The diagram below illustrates how the UI displays service metrics for a sample application: diff --git a/website/content/docs/connect/observability/ui-visualization.mdx b/website/content/docs/observe/telemetry/vm.mdx similarity index 95% rename from website/content/docs/connect/observability/ui-visualization.mdx rename to website/content/docs/observe/telemetry/vm.mdx index 2cbf0b0ae26..e50c615d9da 100644 --- a/website/content/docs/connect/observability/ui-visualization.mdx +++ b/website/content/docs/observe/telemetry/vm.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Service Mesh Observability - UI Visualization +page_title: Observe service mesh telemetry on virtual machines (VMs) description: >- Consul's UI can display a service's topology and associated metrics from the service mesh. Learn how to configure the UI to collect metrics from your metrics provider, modify access for metrics proxies, and integrate custom metrics providers. --- -# Service Mesh Observability: UI Visualization +# Observe service mesh telemetry on virtual machines (VMs) -> Coming here from "Configure metrics dashboard" or "Configure dashboard"? See [Configuring Dashboard URLs](#configuring-dashboard-urls). @@ -14,7 +14,7 @@ show a service's immediate connectivity at a glance. It is not intended as a replacement for dedicated monitoring solutions, but rather as a quick overview of the state of a service and its connections within the Service Mesh. -The topology visualization requires services to be using [service mesh](/consul/docs/connect) via [sidecar proxies](/consul/docs/connect/proxies). +The topology visualization requires services to be using [service mesh](/consul/docs/connect) via [sidecar proxies](/consul/docs/connect/proxy). The visualization may optionally be configured to include a link to an external per-service dashboard. This is designed to provide convenient deep links to your @@ -35,7 +35,7 @@ Providers](#custom-metrics-providers). ## Kubernetes If running Consul in Kubernetes, the Helm chart can automatically configure Consul's UI to display topology -visualizations. See our [Kubernetes observability docs](/consul/docs/k8s/connect/observability/metrics) for more information. +visualizations. See our [Kubernetes observability docs](/consul/docs/observe/mesh/k8s) for more information. ## Configuring the UI To Display Metrics @@ -45,11 +45,11 @@ UI. If there are multiple clients with the UI enabled in a datacenter for redundancy these configurations must be added to all of them. We assume that the UI is already enabled by setting -[`ui_config.enabled`](/consul/docs/agent/config/config-files#ui_config_enabled) to `true` in the +[`ui_config.enabled`](/consul/docs/reference/agent#ui_config_enabled) to `true` in the agent's configuration file. To use the built-in Prometheus provider -[`ui_config.metrics_provider`](/consul/docs/agent/config/config-files#ui_config_metrics_provider) +[`ui_config.metrics_provider`](/consul/docs/reference/agent#ui_config_metrics_provider) must be set to `prometheus`. The UI must query the metrics provider through a proxy endpoint. This simplifies @@ -57,7 +57,7 @@ deployment where Prometheus is not exposed externally to UI user's browsers. To set this up, provide the URL that the _Consul agent_ should use to reach the Prometheus server in -[`ui_config.metrics_proxy.base_url`](/consul/docs/agent/config/config-files#ui_config_metrics_proxy_base_url). +[`ui_config.metrics_proxy.base_url`](/consul/docs/reference/agent#ui_config_metrics_proxy_base_url). For example in Kubernetes, the Prometheus helm chart by default installs a service named `prometheus-server` so each Consul agent can reach it on `http://prometheus-server` (using Kubernetes' DNS resolution). @@ -111,7 +111,7 @@ ui: --> **Note**: For more information on configuring the observability UI on Kubernetes, use this [reference](/consul/docs/k8s/connect/observability/metrics). +-> **Note**: For more information on configuring the observability UI on Kubernetes, use this [reference](/consul/docs/observe/mesh/k8s). ## Configuring Dashboard URLs @@ -122,7 +122,7 @@ service-specific dashboard in an external tool like [Grafana](https://grafana.com) or a hosted provider. To configure this, you must provide a URL template in the [agent configuration -file](/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) for all agents that +file](/consul/docs/reference/agent#ui_config_dashboard_url_templates) for all agents that have the UI enabled. The template is essentially the URL to the external dashboard, but can have placeholder values which will be replaced with the service name, namespace and datacenter where appropriate to allow deep-linking @@ -189,7 +189,7 @@ server: ~> **Note**: On Kubernetes, the Consul Server configuration set in the Helm config's -[`server.extraConfig`](/consul/docs/k8s/helm#v-server-extraconfig) key must be specified +[`server.extraConfig`](/consul/docs/reference/k8s/helm#v-server-extraconfig) key must be specified as JSON. The `{{` characters in the URL must be escaped using `{{ "{{" }}` so that Helm doesn't try to template them. @@ -296,7 +296,7 @@ namespace_prefix "" { It's typical for most authenticated users to have this level of access in Consul as it's required for viewing the catalog or discovering services. If you use a -[Single Sign-On integration](/consul/docs/security/acl/auth-methods/oidc) (Consul +[Single Sign-On integration](/consul/docs/secure-consul/acl/auth-methods/oidc) (Consul Enterprise) users of the UI can be automatically issued an ACL token with the privileges above to be allowed access to the metrics through the proxy. @@ -657,12 +657,12 @@ ui_config { More than one JavaScript file may be specified in -[`metrics_provider_files`](/consul/docs/agent/config/config-files#ui_config_metrics_provider_files) +[`metrics_provider_files`](/consul/docs/reference/agent#ui_config_metrics_provider_files) and all will be served allowing flexibility if needed to include dependencies. Only one metrics provider can be configured and used at one time. The -[`metrics_provider_options_json`](/consul/docs/agent/config/config-files#ui_config_metrics_provider_options_json) +[`metrics_provider_options_json`](/consul/docs/reference/agent#ui_config_metrics_provider_options_json) field is an optional literal JSON object which is passed to the provider's `init` method at startup time. This allows configuring arbitrary parameters for the provider in config rather than hard coding them into the provider itself to @@ -671,7 +671,7 @@ make providers more reusable. The provider may fetch metrics directly from another source although in this case the agent will probably need to serve the correct CORS headers to prevent browsers from blocking these requests. These may be configured with -[`http_config.response_headers`](/consul/docs/agent/config/config-files#response_headers). +[`http_config.response_headers`](/consul/docs/reference/agent#response_headers). Alternatively, the provider may choose to use the [built-in metrics proxy](#metrics-proxy) to avoid cross domain issues or to inject additional diff --git a/website/content/docs/agent/config/cli-flags.mdx b/website/content/docs/reference-cli/agent.mdx similarity index 93% rename from website/content/docs/agent/config/cli-flags.mdx rename to website/content/docs/reference-cli/agent.mdx index a38ddff8cbb..ae99df11647 100644 --- a/website/content/docs/agent/config/cli-flags.mdx +++ b/website/content/docs/reference-cli/agent.mdx @@ -7,7 +7,7 @@ description: >- # Agents Command-line Reference ((#commandline_options)) --> **Note:** Some CLI arguments may be different from HCL keys. See [Configuration Key Reference](/consul/docs/agent/config/config-files#config_key_reference) for equivalent HCL Keys. +-> **Note:** Some CLI arguments may be different from HCL keys. See [Configuration Key Reference](/consul/docs/reference/agent#config_key_reference) for equivalent HCL Keys. This topic describes the available command-line options for the Consul agent. @@ -33,7 +33,7 @@ information. limit of 4k for maximum size of checks, this is a positive value. By limiting this size, it allows to put less pressure on Consul servers when many checks are having a very large output in their checks. In order to completely disable check output - capture, it is possible to use [`discard_check_output`](/consul/docs/agent/config/config-files#discard_check_output). + capture, it is possible to use [`discard_check_output`](/consul/docs/reference/agent#discard_check_output). - `-client` ((#\_client)) - The address to which Consul will bind client interfaces, including the HTTP and DNS servers. By default, this is "127.0.0.1", @@ -82,7 +82,7 @@ information. - `-dev` ((#\_dev)) - Enable development server mode. This is useful for quickly starting a Consul agent with all persistence options turned off, enabling an in-memory server which can be used for rapid prototyping or developing against - the API. In this mode, [service mesh is enabled](/consul/docs/connect/configuration) and + the API. In this mode, [service mesh is enabled](/consul/docs/connect/configuration-entries) and will by default create a new root CA certificate on startup. This mode is **not** intended for production use as it does not write any data to disk. The gRPC port is also defaulted to `8502` in this mode. @@ -92,7 +92,7 @@ information. only the given `-encrypt` key will be available on startup. This defaults to false. - `-enable-script-checks` ((#\_enable_script_checks)) This controls whether - [health checks that execute scripts](/consul/docs/services/usage/checks) are enabled on this + [health checks that execute scripts](/consul/docs/register/service/vm/health-checks) are enabled on this agent, and defaults to `false` so operators must opt-in to allowing these. This was added in Consul 0.9.0. @@ -148,21 +148,21 @@ information. to close the agent or `SIGHUP` to update check definitions) to the agent. - `-protocol` ((#\_protocol)) - The Consul protocol version to use. Consul - agents speak protocol 2 by default, however agents will automatically use protocol > 2 when speaking to compatible agents. This should be set only when [upgrading](/consul/docs/upgrading). You can view the protocol versions supported by Consul by running `consul version`. + agents speak protocol 2 by default, however agents will automatically use protocol > 2 when speaking to compatible agents. This should be set only when [upgrading](/consul/docs/upgrade). You can view the protocol versions supported by Consul by running `consul version`. - `-raft-protocol` ((#\_raft_protocol)) - This controls the internal version of the Raft consensus protocol used for server communications. This must be set - to 3 in order to gain access to Autopilot features, with the exception of [`cleanup_dead_servers`](/consul/docs/agent/config/config-files#cleanup_dead_servers). Defaults to 3 in Consul 1.0.0 and later (defaulted to 2 previously). See [Raft Protocol Version Compatibility](/consul/docs/upgrading/upgrade-specific#raft-protocol-version-compatibility) for more details. + to 3 in order to gain access to Autopilot features, with the exception of [`cleanup_dead_servers`](/consul/docs/reference/agent#cleanup_dead_servers). Defaults to 3 in Consul 1.0.0 and later (defaulted to 2 previously). See [Raft Protocol Version Compatibility](/consul/docs/upgrade/version-specific#raft-protocol-version-compatibility) for more details. - `-segment` ((#\_segment)) - This flag is used to set the name of the network segment the agent belongs to. An agent can only join and communicate with other agents within its network segment. Ensure the [join - operation uses the correct port for this segment](/consul/docs/enterprise/network-segments/create-network-segment#configure-clients-to-join-segments). - Review the [Network Segments documentation](/consul/docs/enterprise/network-segments/create-network-segment) + operation uses the correct port for this segment](/consul/docs/segment/network-segment/vm#configure-clients-to-join-segments). + Review the [Network Segments documentation](/consul/docs/segment/network-segment/vm) for more details. By default, this is an empty string, which is the `` network segment. - ~> **Warning:** The `segment` flag cannot be used with the [`partition`](/consul/docs/agent/config/config-files#partition-1) option. + ~> **Warning:** The `segment` flag cannot be used with the [`partition`](/consul/docs/reference/agent#partition-1) option. ## Advertise Address Options @@ -184,13 +184,13 @@ information. - `-advertise-wan` ((#\_advertise-wan)) - The advertise WAN address is used to change the address that we advertise to server nodes joining through the WAN. - This can also be set on client agents when used in combination with the [`translate_wan_addrs`](/consul/docs/agent/config/config-files#translate_wan_addrs) configuration option. By default, the [`-advertise`](#_advertise) address + This can also be set on client agents when used in combination with the [`translate_wan_addrs`](/consul/docs/reference/agent#translate_wan_addrs) configuration option. By default, the [`-advertise`](#_advertise) address is advertised. However, in some cases all members of all datacenters cannot be on the same physical or virtual network, especially on hybrid setups mixing cloud and private datacenters. This flag enables server nodes gossiping through the public network for the WAN while using private VLANs for gossiping to each other and their client agents, and it allows client agents to be reached at this address when being - accessed from a remote datacenter if the remote datacenter is configured with [`translate_wan_addrs`](/consul/docs/agent/config/config-files#translate_wan_addrs). In Consul 1.1.0 and later this can be dynamically defined with a [go-sockaddr] + accessed from a remote datacenter if the remote datacenter is configured with [`translate_wan_addrs`](/consul/docs/reference/agent#translate_wan_addrs). In Consul 1.1.0 and later this can be dynamically defined with a [go-sockaddr] template that is resolved at runtime. ## Address Bind Options @@ -264,7 +264,7 @@ information. ## Configuration File Options - `-config-file` ((#\_config_file)) - A configuration file to load. For - more information on the format of this file, read the [Configuration Files](/consul/docs/agent/config/config-files) + more information on the format of this file, read the [Configuration Files](/consul/docs/reference/agent) section. This option can be specified multiple times to load multiple configuration files. If it is specified multiple times, configuration files loaded later will merge with configuration files loaded earlier. During a config merge, single-value @@ -277,7 +277,7 @@ information. the [`config-file`](#_config_file) option above. This option can be specified multiple times to load multiple directories. Sub-directories of the config directory are not loaded. For more information on the format of the configuration files, see - the [Configuration Files](/consul/docs/agent/config/config-files) section. + the [Configuration Files](/consul/docs/reference/agent) section. - `-config-format` ((#\_config_format)) - The format of the configuration files to load. Normally, Consul detects the format of the config files from the @@ -304,7 +304,7 @@ information. - `-recursor` ((#\_recursor)) - Specifies the address of an upstream DNS server. This option may be provided multiple times, and is functionally equivalent - to the [`recursors` configuration option](/consul/docs/agent/config/config-files#recursors). + to the [`recursors` configuration option](/consul/docs/reference/agent#recursors). - `-join` ((#\_join)) - **Deprecated in Consul 1.15. This flag will be removed in a future version of Consul. Use the `-retry-join` flag instead.** This is an alias of [`-retry-join`](#_retry_join). @@ -321,9 +321,9 @@ information. This can be dynamically defined with a [go-sockaddr] template that is resolved at runtime. - If Consul is running on a non-default Serf LAN port, you must specify the port number in the address when using the `-retry-join` flag. Alternatively, you can specify the custom port number as the default in the agent's [`ports.serf_lan`](/consul/docs/agent/config/config-files#serf_lan_port) configuration or with the [`-serf-lan-port`](#_serf_lan_port) command line flag when starting the agent. + If Consul is running on a non-default Serf LAN port, you must specify the port number in the address when using the `-retry-join` flag. Alternatively, you can specify the custom port number as the default in the agent's [`ports.serf_lan`](/consul/docs/reference/agent#serf_lan_port) configuration or with the [`-serf-lan-port`](#_serf_lan_port) command line flag when starting the agent. - If your network contains network segments, refer to the [network segments documentation](/consul/docs/enterprise/network-segments/create-network-segment) for additional information. + If your network contains network segments, refer to the [network segments documentation](/consul/docs/segment/network-segment/vm) for additional information. Here are some examples of using `-retry-join`: @@ -372,7 +372,7 @@ information. The `-retry-join` option accepts a unified interface using the [go-discover](https://github.com/hashicorp/go-discover) library for doing automatic cluster joining using cloud metadata. For more information, see - the [Cloud Auto-join page](/consul/docs/install/cloud-auto-join). + the [Cloud Auto-join page](/consul/docs/deploy/server/vm/cloud-auto-join). @@ -424,13 +424,13 @@ information. - `-log-file` ((#\_log_file)) - writes all the Consul agent log messages to a file at the path indicated by this flag. The filename defaults to `consul.log`. - When the log file rotates, this value is used as a prefix for the path to the log and the current timestamp is + When the log file rotates, this value is used as a prefix for the path to the log and the current timestamp is appended to the file name. If the value ends in a path separator, `consul-` will be appended to the value. If the file name is missing an extension, `.log` is appended. For example, setting `log-file` to `/var/log/` would result in a log file path of `/var/log/consul.log`. `log-file` can be combined with [`-log-rotate-bytes`](#_log_rotate_bytes) and [`-log-rotate-duration`](#_log_rotate_duration) - for a fine-grained log rotation experience. After rotation, the path and filename take the following form: + for a fine-grained log rotation experience. After rotation, the path and filename take the following form: `/var/log/consul-{timestamp}.log` - `-log-rotate-bytes` ((#\_log_rotate_bytes)) - to specify the number of @@ -554,12 +554,13 @@ information. specifying only the `-ui` flag is enough to enable the Web UI. Specifying both the '-ui' and '-ui-dir' flags will result in an error. + - `-ui-content-path` ((#\_ui\_content\_path)) - This flag provides the option to change the path the Consul UI loads from and will be displayed in the browser. By default, the path is `/ui/`, for example `http://localhost:8500/ui/`. Only alphanumerics, - `-`, and `_` are allowed in a custom path. `/v1/` is not allowed as it would overwrite + `-`, and `_` are allowed in a custom path.`/v1/` is not allowed as it would overwrite the API endpoint. -{/* list of reference-style links */} + [go-sockaddr]: https://godoc.org/github.com/hashicorp/go-sockaddr/template diff --git a/website/content/docs/connect/dataplane/consul-dataplane.mdx b/website/content/docs/reference-cli/consul-dataplane.mdx similarity index 82% rename from website/content/docs/connect/dataplane/consul-dataplane.mdx rename to website/content/docs/reference-cli/consul-dataplane.mdx index 4bbc9602a74..ca2c8d21cfc 100644 --- a/website/content/docs/connect/dataplane/consul-dataplane.mdx +++ b/website/content/docs/reference-cli/consul-dataplane.mdx @@ -5,24 +5,78 @@ description: >- Consul Dataplane runs as a separate binary controlled with the `consul-dataplane` CLI command. Learn how to use this command to configure your dataplane on Kubernetes with this reference guide and example code. --- -# Consul Dataplane CLI Reference +# Consul Dataplane CLI reference The `consul-dataplane` command interacts with the binary for [simplified service mesh with Consul Dataplane](/consul/docs/connect/dataplane). Use this command to install Consul Dataplane, configure its Envoy proxies, and secure Dataplane deployments. -## Usage +## Install Consul Dataplane CLI + + + + + +To install Consul Dataplane, set `VERSION` to `1.0.0` and then follow the instructions to install a specific version of Consul [with the Helm Chart](/consul/docs/k8s/installation/install#install-consul) or [with the Consul-k8s CLI](/consul/docs/k8s/installation/install-cli#install-a-previous-version). + +#### Helm + +```shell-session +$ export VERSION=1.0.0 && \ + helm install consul hashicorp/consul --set global.name=consul --version ${VERSION} --create-namespace --namespace consul +``` + +#### Consul-k8s CLI + +```shell-session +$ export VERSION=1.0.0 && \ + curl --location "https://releases.hashicorp.com/consul-k8s/${VERSION}/consul-k8s_${VERSION}_darwin_amd64.zip" --output consul-k8s-cli.zip +``` + + + + +Refer to the following documentation for Consul on ECS workloads: + +- [Deploy Consul with the Terraform module](/consul/docs/ecs/deploy/terraform) +- [Deploy Consul manually](/consul/ecs/install-manul) + + + + + + +### Upgrade + + + + + +Before you upgrade Consul to a version that uses Consul Dataplane, you must edit your Helm chart so that client agents are removed from your deployments. Refer to [upgrading to Consul Dataplane](/consul/docs/k8s/upgrade#upgrading-to-consul-dataplanes) for more information. + + + + + +Refer to [Upgrade to dataplane architecture](/consul/docs/ecs/upgrade-to-dataplanes) for instructions. + + + + -Usage: `consul-dataplane [options]` ### Requirements Consul Dataplane requires servers running Consul version `v1.14+`. To find a specific version of Consul, refer to [HashiCorp's Official Release Channels](https://www.hashicorp.com/official-release-channels). +## Usage + +Usage: `consul-dataplane [options]` + ### Startup The following options are required when starting `consul-dataplane` with the CLI: - + - `-addresses` - `-service-node-name` @@ -30,19 +84,19 @@ The following options are required when starting `consul-dataplane` with the CLI - + - `-addresses` - `-service-node-name` +- `-proxy-service-id` - `-service-namespace` - `-service-partition` -- `-proxy-service-id` -### Command Options +## Commands options - `-addresses` - Consul server gRPC addresses. Can be a DNS name or an executable command. Accepted environment variable is `DP_CONSUL_ADDRESSES`. Refer to [go-netaddrs](https://github.com/hashicorp/go-netaddrs#summary) for details and examples. - `-ca-certs` - The path to a file or directory containing CA certificates used to verify the server's certificate. Accepted environment variable is `DP_CA_CERTS`. @@ -80,7 +134,7 @@ The following options are required when starting `consul-dataplane` with the CLI - `-telemetry-prom-cert-file` - The path to the client certificate used to serve Prometheus metrics. Accepted environment variable is `DP_TELEMETRY_PROM_CERT_FILE`. - `-telemetry-prom-key-file` - The path to the client private key used to serve Prometheus metrics. Accepted environment variable is `DP_TELEMETRY_PROM_KEY_FILE`. - `-telemetry-prom-merge-port` - The local port used to serve merged Prometheus metrics. Default is `20100`. If your service instance uses the same default port, this flag must be set to a different port in order to avoid a port conflict. Accepted environment variable is `DP_TELEMETRY_PROM_MERGE_PORT`. -- `-telemetry-prom-retention-time` - The duration for Prometheus metrics aggregation. Default is `1m0s`. Accepted environment variable is `DP_TELEMETRY_PROM_RETENTION_TIME`. Refer to [`prometheus_retention_time`](/consul/docs/agent/config/config-files#telemetry-prometheus_retention_time) for details on setting this value. +- `-telemetry-prom-retention-time` - The duration for Prometheus metrics aggregation. Default is `1m0s`. Accepted environment variable is `DP_TELEMETRY_PROM_RETENTION_TIME`. Refer to [`prometheus_retention_time`](/consul/docs/reference/agent#telemetry-prometheus_retention_time) for details on setting this value. - `-telemetry-prom-scrape-path` - The URL path where Envoy serves Prometheus metrics. Default is `"/metrics"`. Accepted environment variable is `DP_TELEMETRY_PROM_SCRAPE_PATH`. - `-telemetry-prom-service-metrics-url` - The URL where your service instance serves Prometheus metrics. If this is set, the metrics at this URL are included in Consul Dataplane's merged Prometheus metrics. Accepted environment variable is `DP_TELEMETRY_PROM_SERVICE_METRICS_URL`. - `-telemetry-use-central-config` - Controls whether the proxy applies the central telemetry configuration. Default is `true`. Accepted environment variable is `DP_TELEMETRY_USE_CENTRAL_CONFIG`. @@ -103,7 +157,7 @@ Consul Dataplane resolves a domain name to discover Consul server IP addresses. $ consul-dataplane -addresses my.consul.example.com ``` -### Executable Command +### Executable command Consul Dataplane runs a script that, on success, returns one or more IP addresses separated by whitespace. @@ -116,10 +170,10 @@ Consul Dataplane runs a script that, on success, returns one or more IP addresse $ consul-dataplane -addresses "exec=./my-script.sh" ``` -### Go Discover Nodes for Cloud Providers +### Go Discover nodes for cloud providers The [`go-discover`](https://github.com/hashicorp/go-discover) binary is included in the `hashicorp/consul-dataplane` image for use with this mode of server discovery, which functions in - a way similar to [Cloud Auto-join](/consul/docs/install/cloud-auto-join). The + a way similar to [Cloud Auto-join](/consul/docs/deploy/server/vm/cloud-auto-join). The following example demonstrates how to use the `go-discover` binary with Consul Dataplane. ```shell-session @@ -136,10 +190,10 @@ A static ACL token is passed to Consul Dataplane. ### Auth method login -Consul Dataplane logs in to one of Consul's supported [auth methods](/consul/docs/security/acl/auth-methods). +Consul Dataplane logs in to one of Consul's supported [auth methods](/consul/docs/secure-consul/acl/auth-methods). - + ```shell-session $ consul-dataplane -credential-type "login" @@ -151,7 +205,7 @@ Consul Dataplane logs in to one of Consul's supported [auth methods](/consul/doc - + ```shell-session $ consul-dataplane -credential-type "login" @@ -166,16 +220,12 @@ Consul Dataplane logs in to one of Consul's supported [auth methods](/consul/doc -### Consul Servers Behind a Load Balancer +### Consul servers behind a load balancer -When Consul servers are behind a load balancer, you must pass `-server-watch-disabled` to Consul -Dataplane. +When Consul servers are behind a load balancer, you must pass `-server-watch-disabled` to Consul Dataplane. ```shell-session $ consul-dataplane -server-watch-disabled ``` -By default, Consul Dataplane opens a server watch stream to a Consul server, which enables the server -to inform Consul Dataplane of new or different Consul server addresses. However, if Consul Dataplane -is connecting through a load balancer, then it must ignore the Consul server addresses that are -returned from the server watch stream. +By default, Consul Dataplane opens a server watch stream to a Consul server, which enables the server to inform Consul Dataplane of new or different Consul server addresses. However, if Consul Dataplane is connecting through a load balancer, then it must ignore the Consul server addresses that are returned from the server watch stream. diff --git a/website/content/docs/k8s/k8s-cli.mdx b/website/content/docs/reference-cli/consul-k8s.mdx similarity index 91% rename from website/content/docs/k8s/k8s-cli.mdx rename to website/content/docs/reference-cli/consul-k8s.mdx index 005363ec3cf..a4e9082b687 100644 --- a/website/content/docs/k8s/k8s-cli.mdx +++ b/website/content/docs/reference-cli/consul-k8s.mdx @@ -1,20 +1,210 @@ --- layout: docs -page_title: Consul on Kubernetes CLI Reference +page_title: Consul on Kubernetes CLI reference description: >- - The Consul on Kubernetes CLI tool enables you to manage Consul with the `consul-k8s` command instead of direct interaction with Helm, kubectl, or Consul’s CLI. Learn about commands, their flags, and review examples in this reference guide. + The Consul on Kubernetes CLI tool enables you to manage Consul with the `consul-k8s` command instead of direct interaction with Helm, kubectl, or Consul's CLI. Learn about commands, their flags, and review examples in this reference guide. --- -# Consul on Kubernetes CLI Reference +# Consul on Kubernetes CLI reference -The Consul on Kubernetes CLI, `consul-k8s`, is a tool for managing Consul -that does not require direct interaction with Helm, the [Consul CLI](/consul/commands), -or `kubectl`. +The Consul on Kubernetes CLI, `consul-k8s`, lets you manage Consul without interacting directly with Helm, the [Consul CLI](/consul/commands), or `kubectl`. -For guidance on how to install `consul-k8s`, refer to the -[Installing the Consul K8s CLI](/consul/docs/k8s/installation/install-cli) documentation. +This topic describes how to install `consul-k8s`, and lists the commands and available options for using `consul-k8s`. -This topic describes the commands and available options for using `consul-k8s`. +## Install the CLI + +The following instructions describe how to install the latest version of `consul-k8s`, as well as earlier versions, so that you can install an appropriate version of tool for your control plane. + + + +You must install the correct version of the CLI for your Consul on Kubernetes deployment. To deploy a previous version of Consul on Kubernetes, download the specific version of the CLI that matches the version of the control plane that you would like to deploy. Refer to the [compatibility matrix](/consul/docs/k8s/compatibility) for details. + + + +### Install the latest version + +Complete the following instructions for a fresh installation of Consul on Kubernetes. + + + + +The [Homebrew](https://brew.sh) package manager is required to complete the following installation instructions. The Homebrew formulae always installs the latest version of a binary. + +1. Install the HashiCorp `tap`, which is a repository of all Homebrew packages for HashiCorp: + ```shell-session + $ brew tap hashicorp/tap + ``` + +1. Install the Consul K8s CLI with `hashicorp/tap/consul` formula. + ```shell-session + $ brew install hashicorp/tap/consul-k8s + ``` + +1. (Optional) Issue the `consul-k8s version` command to verify the installation: + + ```shell-session + $ consul-k8s version + consul-k8s 1.0 + ``` + + + + +1. Add the HashiCorp GPG key. + + ```shell-session + $ curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - + ``` + +1. Add the HashiCorp apt repository. + + ```shell-session + $ sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" + ``` + +1. Run apt-get install to install the `consul-k8s` CLI. + + ```shell-session + $ sudo apt-get update && sudo apt-get install consul-k8s + ``` + +1. (Optional) Issue the `consul-k8s version` command to verify the installation. + + ```shell-session + $ consul-k8s version + consul-k8s 1.0 + ``` + + + + + +1. Install `yum-config-manager` to manage your repositories. + + ```shell-session + $ sudo yum install -y yum-utils + ``` + +1. Use `yum-config-manager` to add the official HashiCorp Linux repository. + + ```shell-session + $ sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo + ``` + +1. Install the `consul-k8s` CLI. + + ```shell-session + $ sudo yum -y install consul-k8s + ``` + +1. (Optional) Issue the `consul-k8s version` command to verify the installation. + + ```shell-session + $ consul-k8s version + consul-k8s 1.0 + ``` + + + + + +### Install a previous version + +Complete the following instructions to install a specific version of the CLI so that your tool is compatible with your Consul on Kubernetes control plane. Refer to the [compatibility matrix](/consul/docs/k8s/compatibility) for additional information. + + + + + +1. Download the appropriate version of Consul K8s CLI using the following `curl` command. Set the `$VERSION` environment variable to the appropriate version for your deployment. + + ```shell-session + $ export VERSION=1.1.1 && \ + curl --location "https://releases.hashicorp.com/consul-k8s/${VERSION}/consul-k8s_${VERSION}_darwin_amd64.zip" --output consul-k8s-cli.zip + ``` + +1. Unzip the zip file output to extract the `consul-k8s` CLI binary. This overwrites existing files and also creates a `.consul-k8s` subdirectory in your `$HOME` folder. + + ```shell-session + $ unzip -o consul-k8s-cli.zip -d ~/consul-k8s + ``` + +1. Add the path to your directory. In order to persist the `$PATH` across sessions, dd it to your shellrc (i.e. shell run commands) file for the shell used by your terminal. + + ```shell-session + $ export PATH=$PATH:$HOME/consul-k8s + ``` + +1. (Optional) Issue the `consul-k8s version` command to verify the installation. + + ```shell-session + $ consul-k8s version + consul-k8s 1.0 + ``` + + + + + +1. Add the HashiCorp GPG key. + + ```shell-session + $ curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - + ``` + +1. Add the HashiCorp apt repository. + + ```shell-session + $ sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" + ``` + +1. Run apt-get install to install the `consul-k8s` CLI. + + ```shell-session + $ export VERSION=0.39.0 && \ + sudo apt-get update && sudo apt-get install consul-k8s=${VERSION} + ``` + +1. (Optional) Issue the `consul-k8s version` command to verify the installation. + + ```shell-session + $ consul-k8s version + consul-k8s 1.0 + ``` + + + + + +1. Install `yum-config-manager` to manage your repositories. + + ```shell-session + $ sudo yum install -y yum-utils + ``` + +1. Use `yum-config-manager` to add the official HashiCorp Linux repository. + + ```shell-session + $ sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo + ``` + +1. Install the `consul-k8s` CLI. + + ```shell-session + $ export VERSION=-1.0 && \ + sudo yum -y install consul-k8s-${VERSION}-1 + ``` + +2. (Optional) Issue the `consul-k8s version` command to verify the installation. + + ```shell-session + $ consul-k8s version + consul-k8s 1.0 + ``` + + + + ## Usage @@ -177,9 +367,9 @@ This command lists proxies and their `Type`. Types of proxies include: - `Ingress Gateway`: These pods run a proxy to manage ingress into the Kubernetes cluster. Read more about [ingress gateways](/consul/docs/k8s/connect/ingress-gateways). - `Terminating Gateway`: These pods run a proxy to control connections to - external services. Read more about [terminating gateways](/consul/docs/k8s/connect/terminating-gateways). + external services. Read more about [terminating gateways](/consul/docs/register/external/terminating-gateway/k8s). - `Mesh Gateway`: These pods run a proxy to manage connections between - Consul clusters connected using mesh federation. Read more about [Consul Mesh Federation](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes). + Consul clusters connected using mesh federation. Read more about [Consul Mesh Federation](/consul/docs/east-west/wan-federation/k8s). #### Example Commands diff --git a/website/content/docs/reference-cli/index.mdx b/website/content/docs/reference-cli/index.mdx new file mode 100644 index 00000000000..b58bdf86be4 --- /dev/null +++ b/website/content/docs/reference-cli/index.mdx @@ -0,0 +1,8 @@ +--- +layout: docs +page_title: CLI reference docs overview +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# CLI reference docs overview \ No newline at end of file diff --git a/website/content/docs/reference/acl/auth-method/aws-iam.mdx b/website/content/docs/reference/acl/auth-method/aws-iam.mdx new file mode 100644 index 00000000000..0633876fc5b --- /dev/null +++ b/website/content/docs/reference/acl/auth-method/aws-iam.mdx @@ -0,0 +1,210 @@ +--- +layout: docs +page_title: Access Control List (ACL) AWS Identity and Access Management (IAM) auth method configuration reference +description: >- + Use the AWS IAM auth method to authenticate to Consul through Amazon Web Service Identity Access Management role and user identities. Learn how to configure the auth method parameters using this reference page and example configuration. +--- + +# ACL AWS Identity and Access Management (IAM) auth method configuration reference + +The AWS Identity and Access Management (IAM) auth method type allows for AWS +IAM Roles and Users to be used to authenticate to Consul in order to obtain +a Consul token. + +This page assumes general knowledge of [AWS +IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) +and the concepts described in the main [auth method +documentation](/consul/docs/secure-consul/acl/auth-methods). + +## Overview + +The AWS IAM auth method for Consul uses a variation on the approach used by the [IAM auth method for +Vault](/vault/docs/auth/aws#iam-auth-method). Specifically, the IAM auth method +for Consul avoids the need to configure Consul servers with AWS credentials by requiring clients to +provided pre-signed AWS API requests. + +An IAM role or user authenticates by presenting certain signed AWS API requests in a specific JSON +format. The client signs the necessary AWS API requests with its AWS credentials using the [AWS +Signature v4 algorithm](https://docs.aws.amazon.com/general/latest/gr/sigv4\_signing.html). When the +auth method receives the signed AWS API requests, it forwards the requests to AWS. AWS validates the +client's signature and, if the signature is valid, responds with the client's identity details. The +signature validation performed by AWS on the `sts:GetCallerIdentity` request provides the auth +method with a strong guarantee of the client's identity. The auth method compares the Amazon +Resource Name (ARN) of the client with the `BoundIAMPrincipalARNs` list to determine if the client +is permitted to login. + +## Config parameters + +The following are the auth method [`Config`](/consul/api-docs/acl/auth-methods#config) +parameters for an auth method of type `aws-iam`: + +- `BoundIAMPrincipalARNs` `(array: )` - The list of IAM role or IAM user ARNs + which are permitted to login. A client authenticating to Consul must have an ARN that matches one + of the ARNs in this list. + - If `EnableIAMEntityDetails=false`, then bound ARNs must not contain the full path of the role + or user, and wildcards are not supported. For example, + `arn:aws:iam::123456789012:user/MyUserName` will permit the IAM user named "MyUserName" to log + in, and `arn:aws:iam::123456789012:role/MyRoleName` will permit the IAM role named "MyRoleName" + to log in. + - If `EnableIAMEntityDetails=true`, then bound ARNs with the full path must be used, such as, + `arn:aws:iam::123456789012:role/path/to/MyRoleName`. Additionally, ARNs may contain a single + trailing wildcard. For example, `arn:aws:iam::123456789012:*` will permit any role or user in + the account `123456789012` to login, while `arn:aws:iam::123456789012:role/path/to/roles/*` + will permit only roles at the path `/path/to/roles/`. +- `EnableIAMEntityDetails` `(bool: )` - This enables the auth method to fetch the IAM role or + IAM user details, including tags and the full role or user path. If enabled, clients must pass the + `-aws-include-entity` option to `consul login`. Additionally, an IAM role or user attempting to + login must have an `iam:GetRole` or `iam:GetUser` permission, respectively, to retrieve itself. + This setting is required in order to fetch the full path and tags of the IAM user or role and in + order to use wildcards in the `BoundIAMPrincipalARNs`. +- `IAMEntityTags` `(array: [])` - The list of tag keys retrieved from the IAM role or user + and made available to binding rules. Tags are only supported when `EnableIAMEntityDetails=true`. + By default, no tags are made available to binding rules. Each tag in the `IAMEntityTags` list can + be referenced in binding rules using `entity_tags.`. For example, if `IAMEntityTags` contains + `service-name` and if a `service-name` tag exists on the IAM role or user, then you can reference + the tag value using `entity_tags.service-name` in binding rules. If the tag is not present on the + IAM role or user, then `entity_tags.service-name` evaluates to the empty string in binding rules. +- `ServerIDHeaderValue` `(string: "")` - The value to require in the `X-Consul-IAM-ServerID` header + in login requests. If set, clients must include the `X-Consul-IAM-ServerID` header in the AWS API + requests used to login to the auth method, and the client-provided value for the header must match + this setting in order to successfully log in. If not set, no header is required or validated. This + can be used to protect against different types of replay attacks - for example, a signed request + sent to a dev server being resent to a production server. Consider setting this to the Consul + server's DNS name. When this is set, clients must set pass the `-aws-server-id-header-value` + option to the `consul login` command. +- `MaxRetries` `(integer: 0)` - The maximum number of retries to use for recoverable errors when + making AWS API requests. +- `IAMEndpoint` `(string: "")` - The URL where `iam:GetRole` and `iam:GetUser` requests are sent. + This can be used to send requests to a private endpoint or through a network proxy. +- `STSEndpoint` `(string: "")` - The URL where `sts:GetCallerIdentity` requests are sent. This can + be used to send requests to a private endpoint or through a network proxy. +- `AllowedSTSHeaderValues` `(array: [])` - A list of additional allowed headers on + `sts:GetCallerIdentity` requests. In any case, a default list of headers AWS STS expects are + allowed. + +### Sample + +```json +{ + "Name": "example-iam-auth", + "Type": "aws-iam", + "Description": "Example AWS IAM auth method", + "Config": { + "BoundIAMPrincipalARNs": ["arn:aws:iam::123456789012:role/MyRoleName"], + "EnableIAMEntityDetails": true, + "IAMEntityTags": ["consul-namespace"], + "ServerIDHeaderValue": "my.consul.server.example.com", + "MaxRetries": 3, + "IAMEndpoint": "https://iam.amazonaws.com/", + "STSEndpoint": "https://sts.us-east-1.amazonaws.com/", + "AllowedSTSHeaderValues": ["X-Extra-Header"] + } +} +``` + +## Trusted identity attributes + +The authentication step returns the following trusted identity attributes for use in binding rule +selectors and bind name interpolation. All of these attributes are strings that can be interpolated +and support the following selector operations: `Equal, Not Equal, In, Not In, Matches, Not Matches` + +| Attribute | Description | Requirement | +| -------------------- | --------------------------------------- | ------------------------------------------------------------------ | +| `entity_name` | Name of IAM role or user | | +| `entity_id` | Unique ID of IAM role or user | | +| `account_id` | AWS account id of IAM role or user | | +| `entity_path` | The path of the IAM role or user | `EnableIAMEntityDetails=true` | +| `entity_tags.` | Value of a tag on the IAM role or user | `EnableIAMEntityDetails=true` and `IAMEntityTags` contains `` | + +## IAM policies + +When `EnableIAMEntityDetails=false`, no specific IAM policies are needed. + +When `EnableIAMEntityDetails=true`, an authenticating client must provide either a signed +`iam:GetRole` or `iam:GetUser` request. This request is signed with the client's AWS credentials, so +the client must have permission to fetch the role or user, respectively. + +- If the authenticating client is an IAM role, the client must have an `iam:GetRole` permission to + fetch its own role. The following shows an example of an AWS IAM Policy document which grants this + permission: + + ```json + { + "Statement": [ + { + "Action": ["iam:GetRole"], + "Effect": "Allow", + "Resource": ["arn:aws:iam::123456789012:role/MyRoleName"] + } + ], + "Version": "2012-10-17" + } + ``` + +- If the authenticating client is an IAM user, the client must have an `iam:GetUser` permission to + fetch its own role. The following shows an example of an AWS IAM Policy document which grants this + permission: + + ```json + { + "Statement": [ + { + "Action": ["iam:GetUser"], + "Effect": "Allow", + "Resource": ["arn:aws:iam::123456789012:user/MyUserName"] + } + ], + "Version": "2012-10-17" + } + ``` + +## Authentication procedure + +If `EnableIAMEntityDetails=false`, a client must log in with the following `consul login` command. + +```shell-session +$ consul login -type aws-iam -aws-auto-bearer-token ... +``` + +- Format and sign an `sts:GetCallerIdentity` request +- Format these request details as JSON to form a bearer token +- Send the bearer token to the IAM auth method to authenticate + +Otherwise, if `EnableIAMEntityDetails=true`, the client must log in with the following `consul login` command, +in order to include a signed `iam:GetRole` or `iam:GetUser` request in the bearer token. + +```shell-session +$ consul login -type aws-iam -aws-auto-bearer-token -aws-include-entity ... +``` + +This command does the following: + +- Make an `sts:GetCallerIdentity` request to determine its own role or user name +- Format a new `sts:GetCallerIdentity` request +- Embed a signed `iam:GetRole` or `iam:GetUser` request in the headers of the + `sts:GetCallerIdentity` request +- Sign the `sts:GetCallerIdentity` request +- Format the request details as JSON to form a bearer token +- Send the bearer token to the IAM auth method to authenticate + +On the Consul servers, the IAM auth method validates a client's identity during the [Login to Auth +Method](/consul/api-docs/acl#login-to-auth-method) API request, using the following steps: + +- Decode the `sts:GetCallerIdentity` request from the bearer token +- Optionally, decode the `iam:GetRole` or `iam:GetUser` request from the bearer token, + if `EnableIAMEntityDetails=true` in the auth method configuration +- Send the `sts:GetCallerIdentity` request to AWS. This request is pre-signed by the client, so no + other credentials or permissions are needed to make this request. AWS validates the client's + signature when it receives the request. If the signature is valid, AWS returns the client's + identity in the response. This is a strong guarantee of the client's identity. +- Optionally, the auth method sends the `iam:GetRole` or `iam:GetUser` request to AWS, + if `EnableIAMEntityDetails=true` in the auth method configuration. This request is pre-signed + by the client, so no other credentials or permissions are required to make the request. Only the + client needs the `iam:GetRole` or `iam:GetUser` permission. AWS validates the client's signature + when it receives the request. If the signature is valid, AWS returns the IAM role or user details. + This response is not a guarantee of the client's identity - any role or user name may have been + included in the request - so the auth method requires the IAM role or user to have a [unique + id](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) + match with the `sts:GetCallerIdentity` response. +- Finally, the auth method makes an authentication decision. If the client's IAM role or user ARN + matches one of the configured `BoundIAMPrincipalARNs`, then the client is permitted to login. diff --git a/website/content/docs/reference/acl/auth-method/jwt.mdx b/website/content/docs/reference/acl/auth-method/jwt.mdx new file mode 100644 index 00000000000..f797a77f299 --- /dev/null +++ b/website/content/docs/reference/acl/auth-method/jwt.mdx @@ -0,0 +1,177 @@ +--- +layout: docs +page_title: Access Control List (ACL) JSON Web Token (JWT) auth method configuration reference +description: >- + Use the JWT auth method to authenticate to Consul with a JSON web token and receive an ACL token with privileges based on JWT identity attributes. Learn how to configure the auth method parameters using this reference page and example configuration. +--- + +# ACL JSON Web Token (JWT) auth method configuration reference + + This feature is available in Consul versions 1.8.0 and newer. + +The `jwt` auth method can be used to authenticate with Consul by providing a +[JWT](https://en.wikipedia.org/wiki/JSON_Web_Token) directly. The JWT is +cryptographically verified using locally-provided keys, or, if configured, an +OIDC Discovery service can be used to fetch the appropriate keys. + +This page assumes general knowledge of JWTs and the concepts described in the +main [auth method documentation](/consul/docs/secure-consul/acl/auth-methods). + +Both the [`jwt`](/consul/docs/secure-consul/acl/auth-methods/jwt) and the +[`oidc`](/consul/docs/secure-consul/acl/auth-methods/oidc) auth method types allow additional +processing of the claims data in the JWT. + +@include 'jwt_or_oidc.mdx' + +## Config parameters + +The following auth method [`Config`](/consul/api-docs/acl/auth-methods#config) +parameters are required to properly configure an auth method of type +`jwt`: + +- `JWTValidationPubKeys` `(array)` - A list of PEM-encoded public keys + to use to authenticate signatures locally. + + Exactly one of `JWKSURL` `JWTValidationPubKeys`, or `OIDCDiscoveryURL` is required. + +- `OIDCDiscoveryURL` `(string: "")` - The OIDC Discovery URL, without any + .well-known component (base path). + + Exactly one of `JWKSURL` `JWTValidationPubKeys`, or `OIDCDiscoveryURL` is required. + +- `OIDCDiscoveryCACert` `(string: "")` - PEM encoded CA cert for use by the TLS + client used to talk with the OIDC Discovery URL. NOTE: Every line must end + with a newline (`\n`). If not set, system certificates are used. + +- `JWKSURL` `(string: "")` - The JWKS URL to use to authenticate signatures. + + Exactly one of `JWKSURL` `JWTValidationPubKeys`, or `OIDCDiscoveryURL` is required. + +- `JWKSCACert` `(string: "")` - PEM encoded CA cert for use by the TLS client + used to talk with the JWKS URL. NOTE: Every line must end with a newline + (`\n`). If not set, system certificates are used. + +- `ClaimMappings` `(map[string]string)` - Mappings of claims (key) that + [will be copied to a metadata field](#trusted-identity-attributes-via-claim-mappings) + (value). Use this if the claim you are capturing is singular (such as an attribute). + + When mapped, the values can be any of a number, string, or boolean and will + all be stringified when returned. + +- `ListClaimMappings` `(map[string]string)` - Mappings of claims (key) + [will be copied to a metadata field](#trusted-identity-attributes-via-claim-mappings) + (value). Use this if the claim you are capturing is list-like (such as groups). + + When mapped, the values in each list can be any of a number, string, or + boolean and will all be stringified when returned. + +- `JWTSupportedAlgs` `(array)` - JWTSupportedAlgs is a list of + supported signing algorithms. Defaults to `RS256`. + +- `BoundAudiences` `(array)` - List of `aud` claims that are valid for + login; any match is sufficient. + +- `BoundIssuer` `(string: "")` - The value against which to match the `iss` + claim in a JWT. + +- `ExpirationLeeway` `(duration: 0s)` - Duration in seconds of leeway when + validating expiration of a token to account for clock skew. Defaults to 150 + (2.5 minutes) if set to 0 and can be disabled if set to -1. + +- `NotBeforeLeeway` `(duration: 0s)` - Duration in seconds of leeway when + validating not before values of a token to account for clock skew. Defaults + to 150 (2.5 minutes) if set to 0 and can be disabled if set to -1. + +- `ClockSkewLeeway` `(duration: 0s)` - Duration in seconds of leeway when + validating all claims to account for clock skew. Defaults to 60 (1 minute) + if set to 0 and can be disabled if set to -1. + +### Sample configs + +#### Static keys + +```json +{ + "Name": "example-jwt-auth-static-keys", + "Type": "jwt", + "Description": "Example JWT auth method with static keys", + "Config": { + "BoundIssuer": "corp-issuer", + "JWTValidationPubKeys": [ + "" + ], + "ClaimMappings": { + "http://example.com/first_name": "first_name", + "http://example.com/last_name": "last_name" + }, + "ListClaimMappings": { + "http://example.com/groups": "groups" + } + } +} +``` + +#### JWKS + +```json +{ + "Name": "example-jwt-auth-jwks", + "Type": "jwt", + "Description": "Example JWT auth method with JWKS", + "Config": { + "JWKSURL": "https://my-corp-jwks-url.example.com/", + "ClaimMappings": { + "http://example.com/first_name": "first_name", + "http://example.com/last_name": "last_name" + }, + "ListClaimMappings": { + "http://example.com/groups": "groups" + } + } +} +``` + +#### OIDC discovery + +```json +{ + "Name": "example-oidc-auth", + "Type": "oidc", + "Description": "Example OIDC auth method", + "Config": { + "BoundAudiences": [ + "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt" + ], + "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/", + "ClaimMappings": { + "http://example.com/first_name": "first_name", + "http://example.com/last_name": "last_name" + }, + "ListClaimMappings": { + "http://example.com/groups": "groups" + } + } +} +``` + +## JWT verification + +JWT signatures will be verified against public keys from the issuer. This +process can be done one of three ways: + +- **Static Keys** - A set of public keys is stored directly in the + configuration. + +- **JWKS** - A JSON Web Key Set ([JWKS](https://tools.ietf.org/html/rfc7517)) + URL (and optional certificate chain) is configured. Keys will be fetched from + this endpoint during authentication. + +- **OIDC Discovery** - An OIDC Discovery URL (and optional certificate chain) + is configured. Keys will be fetched from this URL during authentication. When + OIDC Discovery is used, OIDC validation criteria (e.g. `iss`, `aud`, etc.) + will be applied. + +If multiple methods are needed, another auth method of this type may be created +with a different name. + +@include 'jwt_claim_mapping_details.mdx' diff --git a/website/content/docs/reference/acl/auth-method/k8s.mdx b/website/content/docs/reference/acl/auth-method/k8s.mdx new file mode 100644 index 00000000000..a26e2f5f743 --- /dev/null +++ b/website/content/docs/reference/acl/auth-method/k8s.mdx @@ -0,0 +1,163 @@ +--- +layout: docs +page_title: Access Control List (ACL) Kubernetes auth method configuration reference +description: >- + Use the Kubernetes auth method type to authenticate to Consul with a Kubernetes service account token and receive an ACL token with privileges based on JWT identity attributes. Learn how to configure auth method parameters using this reference page and example configuration. +--- + +# ACL Kubernetes auth method configuration reference + + This feature is available in Consul versions 1.5.0 and newer. + +The `kubernetes` auth method type allows for a Kubernetes service account token +to be used to authenticate to Consul. This method of authentication makes it +easy to introduce a Consul token into a Kubernetes pod. + +This page assumes general knowledge of [Kubernetes](https://kubernetes.io/) and +the concepts described in the main [auth method +documentation](/consul/docs/secure-consul/acl/auth-methods). + +## Config parameters + +The following auth method [`Config`](/consul/api-docs/acl/auth-methods#config) +parameters are required to properly configure an auth method of type +`kubernetes`: + +- `Host` `(string: )` - Must be a host string, a host:port pair, or a + URL to the base of the Kubernetes API server. + +- `CACert` `(string: )` - PEM encoded CA cert for use by the TLS + client used to talk with the Kubernetes API. NOTE: Every line must end with a + newline (`\n`). If not set, system certificates are used. + +- `ServiceAccountJWT` `(string: )` - A Service Account Token + ([JWT](https://jwt.io/ 'JSON Web Token')) used by the Consul leader to + validate application JWTs during login. + +- `MapNamespaces` `(bool: )` - + **Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules).** + Indicates whether the auth method should attempt to map the Kubernetes namespace to a Consul + namespace instead of creating tokens in the auth methods own namespace. Note + that mapping namespaces requires the auth method to reside within the + `default` namespace. + Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules). + +- `ConsulNamespacePrefix` `(string: )` - + **Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules).** + When `MapNamespaces` is enabled, this value will be prefixed to the Kubernetes + namespace to determine the Consul namespace to create the new token within. + Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules). + +- `ConsulNamespaceOverrides` `(map: )` - + **Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules).** + This field is a mapping of Kubernetes namespace names to Consul namespace + names. If a Kubernetes namespace is present within this map, the value will + be used without adding the `ConsulNamespacePrefix`. If the value in the map + is `""` then the auth methods namespace will be used instead of attempting + to determine an alternate namespace. + Deprecated in Consul 1.8.0 in favor of [namespace rules](/consul/api-docs/acl/auth-methods#namespacerules). + +### Sample config + +```json +{ + "Name": "example-k8s-auth", + "Type": "kubernetes", + "Description": "Example JWT auth method", + "Config": { + "Host": "https://192.0.2.42:8443", + "CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n", + "ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9..." + } +} +``` + +## RBAC + +The Kubernetes service account corresponding to the configured +[`ServiceAccountJWT`](/consul/docs/secure-consul/acl/auth-methods/kubernetes#serviceaccountjwt) +needs to have access to two Kubernetes APIs: + +- [**TokenReview**](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) + + + + Kubernetes should be running with `--service-account-lookup`. This is + defaulted to true in Kubernetes 1.7, but any versions prior should ensure + the Kubernetes API server is started with this setting. + + + +- [**ServiceAccount**](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) + +The following is an example +[RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) +configuration snippet to grant the necessary permissions to a service account +named `consul-auth-method-example`: + +```yaml +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: review-tokens + namespace: default +subjects: + - kind: ServiceAccount + name: consul-auth-method-example + namespace: default +roleRef: + kind: ClusterRole + name: system:auth-delegator + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: service-account-getter + namespace: default +rules: + - apiGroups: [''] + resources: ['serviceaccounts'] + verbs: ['get'] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: get-service-accounts + namespace: default +subjects: + - kind: ServiceAccount + name: consul-auth-method-example + namespace: default +roleRef: + kind: ClusterRole + name: service-account-getter + apiGroup: rbac.authorization.k8s.io +``` + +## Kubernetes authentication details + +Initially the +[`ServiceAccountJWT`](/consul/docs/secure-consul/acl/auth-methods/kubernetes#serviceaccountjwt) +given to the Consul leader uses the TokenReview API to validate the provided +JWT. The trusted attributes of `serviceaccount.namespace`, +`serviceaccount.name`, and `serviceaccount.uid` are populated directly from the +Service Account metadata. + +The Consul leader makes an additional query, this time to the ServiceAccount +API to check for the existence of an annotation of +`consul.hashicorp.com/service-name` on the ServiceAccount object. If one is +found its value will override the trusted attribute of `serviceaccount.name` +for the purposes of evaluating any binding rules. + +## Trusted identity attributes + +The authentication step returns the following trusted identity attributes for +use in binding rule selectors and bind name interpolation. + +| Attributes | Supported Selector Operations | Can be Interpolated | +| -------------------------- | -------------------------------------------------- | ------------------- | +| `serviceaccount.namespace` | Equal, Not Equal, In, Not In, Matches, Not Matches | yes | +| `serviceaccount.name` | Equal, Not Equal, In, Not In, Matches, Not Matches | yes | +| `serviceaccount.uid` | Equal, Not Equal, In, Not In, Matches, Not Matches | yes | diff --git a/website/content/docs/reference/acl/auth-method/oidc.mdx b/website/content/docs/reference/acl/auth-method/oidc.mdx new file mode 100644 index 00000000000..36d5d7c5c5e --- /dev/null +++ b/website/content/docs/reference/acl/auth-method/oidc.mdx @@ -0,0 +1,215 @@ +--- +layout: docs +page_title: Access Control List (ACL) OpenID Connect (OIDC) auth method configuration reference +description: >- + Use the OIDC auth method type to authenticate to Consul through a web browser with an OpenID Connect provider. Learn how to configure the auth method parameters using this reference page and example configuration. +--- + +# ACL OpenID Connect (OIDC) auth method configuration reference + + + +This feature requires version 1.8.0+ of +self-managed Consul Enterprise. +Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. + + + +The `oidc` auth method can be used to authenticate with Consul using +[OIDC](https://en.wikipedia.org/wiki/OpenID_Connect). This method allows +authentication via a configured OIDC provider using the user's web browser. +This method may be initiated from the Consul UI or the command line. + +This page assumes general knowledge of [OIDC +concepts](https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1) and +the concepts described in the main [auth method +documentation](/consul/docs/secure-consul/acl/auth-methods). + +Both the [`jwt`](/consul/docs/secure-consul/acl/auth-methods/jwt) and the +[`oidc`](/consul/docs/secure-consul/acl/auth-methods/oidc) auth method types allow additional +processing of the claims data in the JWT. + +@include 'jwt_or_oidc.mdx' + +## Config parameters + +The following auth method [`Config`](/consul/api-docs/acl/auth-methods#config) +parameters are required to properly configure an auth method of type +`oidc`: + +- `OIDCDiscoveryURL` `(string: )` - The OIDC Discovery URL, without any + .well-known component (base path). + +- `OIDCDiscoveryCACert` `(string: "")` - PEM encoded CA cert for use by the TLS + client used to talk with the OIDC Discovery URL. NOTE: Every line must end + with a newline (`\n`). If not set, system certificates are used. + +- `OIDCClientID` `(string: )` - The OAuth Client ID configured with + your OIDC provider. + +- `OIDCClientSecret` `(string: )` - The OAuth Client Secret configured with + your OIDC provider. + +- `AllowedRedirectURIs` `(array)` - A list of allowed + values for `redirect_uri`. Must be non-empty. + +- `ClaimMappings` `(map[string]string)` - Mappings of claims (key) that + [will be copied to a metadata field](#trusted-identity-attributes-via-claim-mappings) + (value). Use this if the claim you are capturing is singular (such as an attribute). + + When mapped, the values can be any of a number, string, or boolean and will + all be stringified when returned. + +- `ListClaimMappings` `(map[string]string)` - Mappings of claims (key) + [will be copied to a metadata field](#trusted-identity-attributes-via-claim-mappings) + (value). Use this if the claim you are capturing is list-like (such as groups). + + When mapped, the values in each list can be any of a number, string, or + boolean and will all be stringified when returned. + +- `OIDCScopes` `(array)` - A list of OIDC scopes. + +- `OIDCACRValues` `(array)` - A list of Authentication Context Class Reference values to use for the authentication request. Refer to [OIDC reference](https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1) for more info on this parameter. Added in v1.11.0. + +- `JWTSupportedAlgs` `(array)` - JWTSupportedAlgs is a list of + supported signing algorithms. Defaults to `RS256`. ([Available + algorithms](https://github.com/hashicorp/consul/blob/main/internal/go-sso/oidcauth/jwt.go)) + +- `BoundAudiences` `(array)` - List of `aud` claims that are valid for + login; any match is sufficient. + +- `VerboseOIDCLogging` `(bool: false)` - Log received OIDC tokens and claims when + debug-level logging is active. Not recommended in production since sensitive + information may be present in OIDC responses. + +### Sample config + +```json +{ + "Name": "example-oidc-auth", + "Type": "oidc", + "Description": "Example OIDC auth method", + "Config": { + "AllowedRedirectURIs": [ + "http://localhost:8550/oidc/callback", + "http://localhost:8500/ui/oidc/callback" + ], + "BoundAudiences": [ + "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt" + ], + "ClaimMappings": { + "http://example.com/first_name": "first_name", + "http://example.com/last_name": "last_name" + }, + "ListClaimMappings": { + "http://consul.com/groups": "groups" + }, + "OIDCClientID": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt", + "OIDCClientSecret": "...(omitted)...", + "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/" + } +} +``` + +## JWT verification + +JWT signatures will be verified against public keys from the issuer via OIDC +discovery. Keys will be fetched from the OIDC Discovery URL during +authentication and OIDC validation criteria (e.g. `iss`, `aud`, etc.) will be +applied. + +## OIDC authentication + +Consul includes two built-in OIDC login flows: the Consul UI, and the CLI using +[`consul login`](/consul/commands/login). + +### Redirect URIs + +An important part of OIDC auth method configuration is properly setting +redirect URIs. This must be done both in Consul and with the OIDC provider, and +these configurations must align. The redirect URIs are specified for an auth +method with the [`AllowedRedirectURIs`](#allowedredirecturis) parameter. There +are different redirect URIs to configure the Consul UI and CLI flows, so one or +both will need to be set up depending on the installation. + +#### Consul UI + +Logging in via the Consul UI requires a redirect URI of the form: +`http://localhost:8500/ui/oidc/callback` or +`https://{host:port}/ui/oidc/callback` + +The "host:port" must be correct for the Consul agent serving the Consul UI. + +#### CLI + +If you plan to support authentication via `consul login -type=oidc -method=`, a localhost redirect URI must be set (usually this is +`http://localhost:8550/oidc/callback`). Logins via the CLI may specify a +different host and/or listening port if needed, and a URI with this host/port +must match one of the configured redirected URIs. These same "localhost" URIs +must be added to the provider as well. + +### OIDC login + +#### Consul UI + +1. Click the "Log in" link at the top right of the menu bar. +2. Click one of the "Continue with..." buttons for your OIDC auth method of choice. +3. Complete the authentication with the configured provider. + +#### CLI + +```shell-session +$ consul login -method=oidc -type=oidc -token-sink-file=consul.token + +Complete the login via your OIDC provider. Launching browser to: + + https://myco.auth0.com/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A8550%2Foidc%2Fcallback&client_id=r3qXc2bix9eF... +``` + +The browser will open to the generated URL to complete the provider's login. +The URL may be entered manually if the browser cannot be automatically opened. + +The callback listener may be customized with the following optional parameters. +These are typically not required to be set: + +The callback listener defaults to listen on `localhost:8550`. If you want to +customize that use the optional flag +[`-oidc-callback-listen-addr=`](/consul/commands/login#oidc-callback-listen-addr). + +## Troubleshoot OIDC configuration + +The amount of configuration required for OIDC is relatively small, but it can +be tricky to debug why things aren't working. Some tips for setting up OIDC: + +- Monitor the log output for the Consul servers. Important information about + OIDC validation failures will be emitted. + +- Ensure Redirect URIs are correct in Consul and on the provider. They need to + match exactly. Check: http/https, 127.0.0.1/localhost, port numbers, whether + trailing slashes are present. + +- [`BoundAudiences`](#boundaudiences) is optional and typically + not required. OIDC providers will use the `client_id` as the audience and + OIDC validation expects this. + +- Check your provider for what scopes are required in order to receive all of + the information you need. The scopes "profile" and "groups" often need to be + requested, and can be added by setting + `[OIDCScopes](#oidcscopes)="profile,groups"` on the auth method. + +- If you're refer to ing claim-related errors in logs, review the provider's docs + very carefully to refer to how they're naming and structuring their claims. + Depending on the provider, you may be able to construct a simple `curl` + [implicit grant](https://developer.okta.com/blog/2018/05/24/what-is-the-oauth2-implicit-grant-type) + request to obtain a JWT that you can inspect. An example of how to decode the + JWT (in this case located in the `access_token` field of a JSON response): + + jq --raw-output '.access_token / "." | .[1] | @base64d' jwt.json + +- The [`VerboseOIDCLogging`](#verboseoidclogging) option is available which + will log the received OIDC token if debug level logging is enabled. This can + be helpful when debugging provider setup and verifying that the received + claims are what you expect. Since claims data is logged verbatim and may + contain sensitive information, this option should not be used in production. + +@include 'jwt_claim_mapping_details.mdx' diff --git a/website/content/docs/security/acl/acl-policies.mdx b/website/content/docs/reference/acl/policy.mdx similarity index 97% rename from website/content/docs/security/acl/acl-policies.mdx rename to website/content/docs/reference/acl/policy.mdx index ab21b8c8929..fc192a56c5d 100644 --- a/website/content/docs/security/acl/acl-policies.mdx +++ b/website/content/docs/reference/acl/policy.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: ACL Policies +page_title: Access Control List (ACL) policy configuration reference description: >- ACL policies define access control rules for resources in Consul. When an ACL token is submitted with a request, Consul authorizes access based on the token's associated policies. Learn how to format and combine rules into policies and apply them to tokens. --- -# ACL Policies +# Access Control List (ACL) policy configuration reference This topic describes policies, which are components in Consul's access control list (ACL) system. Policies define which services and agents are authorized to interact with resources in the network. @@ -104,7 +104,7 @@ Use the `policy` keyword and one of the following access levels to set a policy - `write`: Allows the resource to be read and modified. - `deny`: Denies read and write access to the resource. -The special `list` access level provides access to all keys with the specified resource label in the [Consul KV](/consul/commands/kv/). The `list` access level can only be used with the `key_prefix` resource. The [`acl.enable_key_list_policy`](/consul/docs/agent/config/config-files#acl_enable_key_list_policy) setting must be set to `true`. +The special `list` access level provides access to all keys with the specified resource label in the [Consul KV](/consul/commands/kv/). The `list` access level can only be used with the `key_prefix` resource. The [`acl.enable_key_list_policy`](/consul/docs/reference/agent#acl_enable_key_list_policy) setting must be set to `true`. ### Matching and Prefix Values @@ -246,7 +246,7 @@ operator = "read" ## Rule Scope The rules from all policies, including roles and service identities, linked with a token are combined to form that token's effective rule set. -Policy rules can be defined in either an `allowlist` or `denylist` mode, depending on the configuration of the [`acl_default_policy`](/consul/docs/agent/config/config-files#acl_default_policy). +Policy rules can be defined in either an `allowlist` or `denylist` mode, depending on the configuration of the [`acl_default_policy`](/consul/docs/reference/agent#acl_default_policy). If the default policy is configured to deny access to all resources, then you can specify `allowlist` in policy rules to explicitly allow access to resources. Conversely, if the default policy is configured to allow access to all resources, then you can specify `denylist` in policy rules to explicitly deny access to resources. @@ -336,8 +336,8 @@ Additional metadata, such as the values of the `ID` and `name` fields, provide h Refer to the following topics for additional information: -- [Namespaces](/consul/docs/enterprise/namespaces) -- [Admin Partitions](/consul/docs/enterprise/admin-partitions) +- [Namespaces](/consul/docs/segment/namespace) +- [Admin Partitions](/consul/docs/segment/admin-partition) ACL policies can have the following attributes: @@ -457,7 +457,7 @@ service "consul-snapshot" { ### Enable Vault to Access the Consul Storage Backend -If you are using [Vault](/vault/docs) to manage secrets in your infrastructure, you can configure Vault to use Consul's key/value (KV) store as backend storage to persist Vault's data. Refer to the [Consul KV documentation](/consul/docs/dynamic-app-config/kv) and the [Vault storage documentation](/vault/docs/configuration/storage) for additional information. +If you are using [Vault](/vault/docs) to manage secrets in your infrastructure, you can configure Vault to use Consul's key/value (KV) store as backend storage to persist Vault's data. Refer to the [Consul KV documentation](/consul/docs/dynamic-app/kv) and the [Vault storage documentation](/vault/docs/configuration/storage) for additional information. In the following example, the ACL policy enables Vault to register as a service and provides access to the `vault/` path in Consul's KV store. diff --git a/website/content/docs/security/acl/acl-roles.mdx b/website/content/docs/reference/acl/role.mdx similarity index 95% rename from website/content/docs/security/acl/acl-roles.mdx rename to website/content/docs/reference/acl/role.mdx index 834e433349b..85ebf756cca 100644 --- a/website/content/docs/security/acl/acl-roles.mdx +++ b/website/content/docs/reference/acl/role.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: ACL Roles +page_title: Access Control List (ACL) role configuration reference description: >- Roles are a named collection of ACL policies, service identities, and node identities. Learn how roles allow you to reuse and update access control policies without needing to distribute new tokens to users. --- -# ACL Roles +# Access Control List (ACL) role configuration reference A role is a collection of policies that your ACL administrator can link to a token. They enable you to reuse policies by decoupling the policies from the token distributed to team members. @@ -62,17 +62,17 @@ Roles may contain the following attributes: - `Name`: A unique meaningful name for the role. You can specify the role `Name` when linking it to tokens. - `Description`: (Optional) A human-readable description of the role. - `Policies`: Specifies a the list of policies that are applicable for the role. The object can reference the policy `ID` or `Name` attribute. -- `TemplatedPolicies`: Specifies a list of templated policies that are applicable for the role. See [Templated Policies](#templated-policies) for details. +- `TemplatedPolicies`: Specifies a list of templated polcicies that are applicable for the role. See [Templated Policies](#templated-policies) for details. - `ServiceIdentities`: Specifies a list of services that are applicable for the role. See [Service Identities](#service-identities) for details. - `NodeIdentities`: Specifies a list of nodes that are applicable for the role. See [Node Identities](#node-identities) for details. -- `Namespace`: The namespace that the policy resides in. Roles can only be linked to policies that are defined in the same namespace. See [Namespaces](/consul/docs/enterprise/namespaces) for additional information. Requires Consul Enterprise 1.7.0+ -- `Partition`: The admin partition that the policy resides in. Roles can only be linked to policies that are defined in the same admin partition. See [Admin Partitions](/consul/docs/enterprise/admin-partitions) for additional information. Requires Consul Enterprise 1.10.0+. +- `Namespace`: The namespace that the policy resides in. Roles can only be linked to policies that are defined in the same namespace. See [Namespaces](/consul/docs/segment/namespace) for additional information. Requires Consul Enterprise 1.7.0+ +- `Partition`: The admin partition that the policy resides in. Roles can only be linked to policies that are defined in the same admin partition. See [Admin Partitions](/consul/docs/segment/admin-partition) for additional information. Requires Consul Enterprise 1.10.0+. ## Templated policies You can specify a templated policy when configuring roles or linking tokens to policies. Templated policies enable you to quickly construct policies for common Consul use cases, rather than creating identical policies for each use cases. -Consul uses templated policies during the authorization process to automatically generate a policy for the use case specified. Consul links the generated policy to the role or token so that it will have permission for the specific use case. +Consul uses templated policies during the authorization process to automatically generate a policy for the use case specified. Consul links the generated policy to the role or token so that it will have permission for the specific use case. ### Templated policy specification @@ -308,7 +308,7 @@ node_prefix "" { You can specify a node identity when configuring roles or linking tokens to policies. _Node_ commonly refers to a Consul agent, but a node can also be a physical server, cloud instance, virtual machine, or container. -Node identities enable you to quickly construct policies for nodes, rather than manually creating identical polices for each node. They are used during the authorization process to automatically generate a policy for the node(s) specified. You can specify the token linked to the policy in the [`acl_tokens_agent`](/consul/docs/agent/config/config-files#acl_tokens_agent) field when configuring the agent. +Node identities enable you to quickly construct policies for nodes, rather than manually creating identical polices for each node. They are used during the authorization process to automatically generate a policy for the node(s) specified. You can specify the token linked to the policy in the [`acl_tokens_agent`](/consul/docs/reference/agent#acl_tokens_agent) field when configuring the agent. ### Node identity specification @@ -398,4 +398,4 @@ service_prefix "" { } ``` - + \ No newline at end of file diff --git a/website/content/docs/security/acl/acl-rules.mdx b/website/content/docs/reference/acl/rule.mdx similarity index 83% rename from website/content/docs/security/acl/acl-rules.mdx rename to website/content/docs/reference/acl/rule.mdx index a89985d528e..1a5007f7785 100644 --- a/website/content/docs/security/acl/acl-rules.mdx +++ b/website/content/docs/reference/acl/rule.mdx @@ -1,13 +1,13 @@ --- layout: docs -page_title: ACL Rules +page_title: Access Control List (ACL) rule configuration reference description: >- - Rules define read, write, and deny access controls for datacenter resources. Learn about these resources and how to assign rules to them, as well as their restrictions and API interactions. + Consul documentation provides reference material for all features and options available in Consul. --- -# ACL Rules +# ACL rule configuration reference -This topic provides reference information for the types of access control list (ACL) rules you can create and how they affect access to datacenter resources. For details on how to create rules and group them into policies, see [Policies](/consul/docs/security/acl/acl-policies). +This topic provides reference information for the types of access control list (ACL) rules you can create and how they affect access to datacenter resources. For details on how to create rules and group them into policies, refer to [Policies](/consul/docs/secure-consul/acl/policies). ## Overview @@ -15,20 +15,21 @@ The following table provides an overview of the resources you can use to create | Resource | Description | Labels | | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| `acl` | Controls access to ACL operations in the [ACL API](/consul/api-docs/acl).
See [ACL Resource Rules](#acl-resource-rules) for details. | No | -| `partition`
`partition_prefix` | Controls access to one or more admin partitions.
See [Admin Partition Rules](#admin-partition-rules) for details. | Yes | -| `agent`
`agent_prefix` | Controls access to the utility operations in the [Agent API](/consul/api-docs/agent), such as `join` and `leave`.
See [Agent Rules](#agent-rules) for details. | Yes | -| `event`
`event_prefix` | Controls access to event operations in the [Event API](/consul/api-docs/event), such as firing and listing events.
See [Event Rules](#event-rules) for details. | Yes | -| `key`
`key_prefix`   | Controls access to key/value store operations in the [KV API](/consul/api-docs/kv).
Can also use the `list` access level when setting the policy disposition.
Has additional value options in Consul Enterprise for integrating with [Sentinel](https://docs.hashicorp.com/sentinel/consul).
See [Key/Value Rules](#key-value-rules) for details. | Yes | -| `keyring`       | Controls access to keyring operations in the [Keyring API](/consul/api-docs/operator/keyring).
See [Keyring Rules](#keyring-rules) for details. | No | -| `mesh`       | Provides operator-level permissions for resources in the admin partition, such as ingress gateways or mesh proxy defaults. See [Mesh Rules](#mesh-rules) for details. | No | +| `acl` | Controls access to ACL operations in the [ACL API](/consul/api-docs/acl).
Refer to [ACL Resource Rules](#acl-resource-rules) for details. | No | +| `partition`
`partition_prefix` | Controls access to one or more admin partitions.
Refer to [Admin Partition Rules](#admin-partition-rules) for details. | Yes | +| `agent`
`agent_prefix` | Controls access to the utility operations in the [Agent API](/consul/api-docs/agent), such as `join` and `leave`.
Refer to [Agent Rules](#agent-rules) for details. | Yes | +| `event`
`event_prefix` | Controls access to event operations in the [Event API](/consul/api-docs/event), such as firing and listing events.
Refer to [Event Rules](#event-rules) for details. | Yes | +| `identity`
`identity_prefix` | Controls access to workload identity operations in the [Catalog v2 group](/consul/docs/architecture/catalog/v2). +| `key`
`key_prefix`   | Controls access to key/value store operations in the [KV API](/consul/api-docs/kv).
Can also use the `list` access level when setting the policy disposition.
Has additional value options in Consul Enterprise for integrating with [Sentinel](https://docs.hashicorp.com/sentinel/consul).
Refer to [Key/Value Rules](#key-value-rules) for details. | Yes | +| `keyring`       | Controls access to keyring operations in the [Keyring API](/consul/api-docs/operator/keyring).
Refer to [Keyring Rules](#keyring-rules) for details. | No | +| `mesh`       | Provides operator-level permissions for resources in the admin partition, such as ingress gateways or mesh proxy defaults. Refer to [Mesh Rules](#mesh-rules) for details. | No | | `peering`       | Controls access to cluster peerings in the [Cluster Peering API](/consul/api-docs/peering). For more details, refer to [Peering Rules](#peering-rules). | No | -| `namespace`
`namespace_prefix` | Controls access to one or more namespaces.
See [Namespace Rules](#namespace-rules) for details. | Yes | -| `node`
`node_prefix`   | Controls access to node-level operations in the [Catalog API](/consul/api-docs/catalog), [Health API](/consul/api-docs/health), [Prepared Query API](/consul/api-docs/query), [Network Coordinate API](/consul/api-docs/coordinate), and [Agent API](/consul/api-docs/agent)
See [Node Rules](#node-rules) for details. | Yes | -| `operator`       | Controls access to cluster-level operations available in the [Operator API](/consul/api-docs/operator) excluding keyring API endpoints.
See [Operator Rules](#operator-rules) for details. | No | -| `query`
`query_prefix` | Controls access to create, update, and delete prepared queries in the [Prepared Query API](/consul/api-docs/query). Access to the [node](#node-rules) and [service](#service-rules) must also be granted.
See [Prepared Query Rules](#prepared-query-rules) for details. | Yes | -| `service`
`service_prefix` | Controls service-level operations in the [Catalog API](/consul/api-docs/catalog), [Health API](/consul/api-docs/health), [Intentions API](/consul/api-docs/connect/intentions), [Prepared Query API](/consul/api-docs/query), and [Agent API](/consul/api-docs/agent).
See [Service Rules](#service-rules) for details. | Yes | -| `session`
`session_prefix` | Controls access to operations in the [Session API](/consul/api-docs/session).
See [Session Rules](#session-rules) for details. | Yes | +| `namespace`
`namespace_prefix` | Controls access to one or more namespaces.
Refer to [Namespace Rules](#namespace-rules) for details. | Yes | +| `node`
`node_prefix`   | Controls access to node-level operations in the [Catalog API](/consul/api-docs/catalog), [Health API](/consul/api-docs/health), [Prepared Query API](/consul/api-docs/query), [Network Coordinate API](/consul/api-docs/coordinate), and [Agent API](/consul/api-docs/agent)
Refer to [Node Rules](#node-rules) for details. | Yes | +| `operator`       | Controls access to cluster-level operations available in the [Operator API](/consul/api-docs/operator) excluding keyring API endpoints.
Refer to [Operator Rules](#operator-rules) for details. | No | +| `query`
`query_prefix` | Controls access to create, update, and delete prepared queries in the [Prepared Query API](/consul/api-docs/query). Access to the [node](#node-rules) and [service](#service-rules) must also be granted.
Refer to [Prepared Query Rules](#prepared-query-rules) for details. | Yes | +| `service`
`service_prefix` | Controls service-level operations in the [Catalog API](/consul/api-docs/catalog), [Health API](/consul/api-docs/health), [Intentions API](/consul/api-docs/connect/intentions), [Prepared Query API](/consul/api-docs/query), and [Agent API](/consul/api-docs/agent).
Refer to [Service Rules](#service-rules) for details. | Yes | +| `session`
`session_prefix` | Controls access to operations in the [Session API](/consul/api-docs/session).
Refer to [Session Rules](#session-rules) for details. | Yes | The following resources are not covered by ACL policies: @@ -36,7 +37,7 @@ The following resources are not covered by ACL policies: - The datacenter listing operation of the [Catalog API](/consul/api-docs/catalog#list-datacenters) similarly exposes the names of known Consul datacenters, and does not allow modification of any state. - The [service mesh CA roots endpoint](/consul/api-docs/connect/ca#list-ca-root-certificates) exposes just the public TLS certificate which other systems can use to verify the TLS connection with Consul. --> **Consul Enterprise Namespace** - In addition to directly-linked policies, roles, and service identities, Consul Enterprise enables ACL policies and roles to be defined in the [Namespaces definition](/consul/docs/enterprise/namespaces#namespace-definition) (Consul Enterprise 1.7.0+). +-> **Consul Enterprise Namespace** - In addition to directly-linked policies, roles, and service identities, Consul Enterprise enables ACL policies and roles to be defined in the [Namespaces definition](/consul/docs/segment/namespace#namespace-definition) (Consul Enterprise 1.7.0+). The following topics provide additional details about the available resources. @@ -203,7 +204,7 @@ name that starts with `bar`. Since [Agent API](/consul/api-docs/agent) utility operations may be required before an agent is joined to a cluster, or during an outage of the Consul servers or ACL datacenter, a special token may be -configured with [`acl.tokens.agent_recovery`](/consul/docs/agent/config/config-files#acl_tokens_agent_recovery) to allow +configured with [`acl.tokens.agent_recovery`](/consul/docs/reference/agent#acl_tokens_agent_recovery) to allow write access to these operations even if no ACL resolution capability is available. ## Event Rules @@ -245,7 +246,49 @@ read-only access to any event, and firing of the "deploy" event. The [`consul exec`](/consul/commands/exec) command uses events with the "\_rexec" prefix during operation, so to enable this feature in a Consul environment with ACLs enabled, you will need to give agents a token with access to this event prefix, in addition to configuring -[`disable_remote_exec`](/consul/docs/agent/config/config-files#disable_remote_exec) to `false`. +[`disable_remote_exec`](/consul/docs/reference/agent#disable_remote_exec) to `false`. + +## Identity Rules + +The `identity` and `identity_prefix` resources control workload-identity-level registration and read access to the [Catalog v2 API group](/consul/docs/architecture/catalog/v2). +Specify the resource label in identity rules to set the scope of the rule. +The resource label in the following example is empty. As a result, the rules allow read-only access to any workload identity name with the empty prefix. +The rules also allow read-write access to the `app` identity and deny all access to the `admin` identity: + + + +```hcl +identity_prefix "" { + policy = "read" +} +identity "app" { + policy = "write" +} +identity "admin" { + policy = "deny" +} +``` + +```json +{ + "identity_prefix": { + "": { + "policy": "read" + } + }, + "identity": { + "app": { + "policy": "write" + }, + "admin": { + "policy": "deny" + } + } +} +``` + + + ## Key/Value Rules @@ -353,7 +396,7 @@ EOF } ``` -For more detailed information, see the [Consul Sentinel documentation](/consul/docs/agent/sentinel). +For more detailed information, refer to the [Consul Sentinel documentation](/consul/docs/agent/sentinel). ## Keyring Rules @@ -396,13 +439,17 @@ mesh = "write" -See [Admin Partition Rules](#admin-partition-rules) for another example rule that uses the `mesh` resource. +Refer to [Admin Partition Rules](#admin-partition-rules) for another example rule that uses the `mesh` resource. ## Namespace Rules The `namespace` and `namespace_prefix` resource controls access to Consul namespaces. Namespaces define a scope of resources for which ACL rules apply. ACL rules, themselves, can then be defined to only to apply to specific namespaces. --> **Consul 1.7.0 and later**: The ability to add many types of resources to separate namespaces was added to [Consul Enterprise](https://www.hashicorp.com/consul) 1.7.0. + + +The ability to add many types of resources to separate namespaces was added to [Consul Enterprise](https://www.hashicorp.com/consul) 1.7.0. + + The following examples describe how namespace rules can be defined in a policy: @@ -573,20 +620,20 @@ node "admin" { Agents must be configured with `write` privileges for their own node name so that the agent can register their node metadata, tagged addresses, and other information in the catalog. If configured incorrectly, the agent will print an error to the console when it tries to sync its state with the catalog. -Configure `write` access in the [`acl.tokens.agent`](/consul/docs/agent/config/config-files#acl_tokens_agent) parameter. +Configure `write` access in the [`acl.tokens.agent`](/consul/docs/reference/agent#acl_tokens_agent) parameter. -The [`acl.token.default`](/consul/docs/agent/config/config-files#acl_tokens_default) used by the agent should have `read` access to a given node so that the DNS interface can be queried. +The [`acl.token.default`](/consul/docs/reference/agent#acl_tokens_default) used by the agent should have `read` access to a given node so that the DNS interface can be queried. Node rules are used to filter query results when reading from the catalog or retrieving information from the health endpoints. This allows for configurations where a token has access to a given service name, but only on an allowed subset of node names. Consul agents check tokens locally when health checks are registered and when Consul performs periodic [anti-entropy](/consul/docs/architecture/anti-entropy) syncs. These actions may required an ACL token to complete. Use the following methods to configure ACL tokens for registration events: -* Configure a global token in the [acl.tokens.default](/consul/docs/agent/config/config-files#acl_tokens_default) parameter. +* Configure a global token in the [acl.tokens.default](/consul/docs/reference/agent#acl_tokens_default) parameter. This allows a single token to be used during all check registration operations. * Provide an ACL token with `service` and `check` definitions at registration time. This allows for greater flexibility and enables the use of multiple tokens on the same agent. - Refer to the [services](/consul/docs/services/usage/define-services) and [checks](/consul/docs/services/usage/checks) documentation for examples. You can also pass tokens to the [HTTP API](/consul/api-docs) for operations that require them. + Refer to the [services](/consul/docs/register/service/vm/define) and [checks](/consul/docs/register/service/vm/health-checks) documentation for examples. You can also pass tokens to the [HTTP API](/consul/api-docs) for operations that require them. ### Reading Imported Nodes @@ -595,12 +642,12 @@ Read access to all imported nodes is granted when either of the following rule s - `service:write` is granted to any service. - `node:read` is granted to all nodes. -For Consul Enterprise, either set of rules must be scoped to the requesting service's partition and at least one namespace. +For Consul Enterprise, either set of rules must be scoped to the requesting services's partition and at least one namespace. You may need similarly scoped [Service Rules](#reading-imported-services) to read Consul data, depending on the endpoint (e.g. `/v1/health/service/:name`). -These permissions are satisfied when using a [service identity](/consul/docs/security/acl/acl-roles#service-identities). +These permissions are satisfied when using a [service identity](/consul/docs/reference/acl/rule#service-identities). -Refer to [Reading Services](/consul/docs/connect/config-entries/exported-services#reading-services) for example ACL policies used to read imported services using the health endpoint. +Refer to [Reading Services](/consul/docs/reference/config-entry/exported-services#reading-services) for example ACL policies used to read imported services using the health endpoint. ## Operator Rules @@ -695,7 +742,7 @@ here, with examples: clients, and they are only reachable if the prepared query ID is known. Since these IDs are generated using the same random ID scheme as ACL Tokens, it is infeasible to guess them. When listing all prepared queries, only a management - token will be able to see these types, though clients can read instances for + token will be able to refer to these types, though clients can read instances for which they have an ID. An example use for this type is a query built by a startup script, tied to a session, and written to a configuration file for a process to use via DNS. @@ -751,7 +798,7 @@ These differences are outlined in the table below: | Create static query with `Name` | The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query. | The client token's `query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query. | | Manage static query without `Name` | The ACL Token used to create the query or a token with management privileges must be supplied in order to perform these operations. | Any client with the ID of the query can perform these operations. | | Manage static query with a `Name` | The ACL token used to create the query or a token with management privileges must be supplied in order to perform these operations. | Similar to create, the client token's `query` ACL policy is used to determine if these operations are allowed. | -| List queries | A token with management privileges is required to list any queries. | The client token's `query` ACL policy is used to determine which queries they can see. Only tokens with management privileges can see prepared queries without `Name`. | +| List queries | A token with management privileges is required to list any queries. | The client token's `query` ACL policy is used to determine which queries they can refer to . Only tokens with management privileges can refer to prepared queries without `Name`. | | Execute query | Since a `Token` is always captured when a query is created, that is used to check access to the service being queried. Any token supplied by the client is ignored. | The captured token, client's token, or anonymous token is used to filter the results, as described above. | ## Service Rules @@ -796,7 +843,7 @@ service "admin" { Consul's DNS interface is affected by restrictions on service rules. If the -[`acl.tokens.default`](/consul/docs/agent/config/config-files#acl_tokens_default) used by the agent does not have `read` access to a +[`acl.tokens.default`](/consul/docs/reference/agent#acl_tokens_default) used by the agent does not have `read` access to a given service, then the DNS interface will return no records when queried for it. When reading from the catalog or retrieving information from the health endpoints, service rules are @@ -808,38 +855,38 @@ performs periodic [anti-entropy](/consul/docs/architecture/anti-entropy) syncs, ACL token to complete. To accommodate this, Consul provides two methods of configuring ACL tokens to use for registration events: -1. Using the [acl.tokens.default](/consul/docs/agent/config/config-files#acl_tokens_default) configuration +1. Using the [acl.tokens.default](/consul/docs/reference/agent#acl_tokens_default) configuration directive. This allows a single token to be configured globally and used during all service and check registration operations. 2. Providing an ACL token with service and check definitions at registration time. This allows for greater flexibility and enables the use of multiple tokens on the same agent. Examples of what this looks like are available for - both [services](/consul/docs/services/usage/define-services) and - [checks](/consul/docs/services/usage/checks). Tokens may also be passed to the [HTTP + both [services](/consul/docs/register/service/vm/define) and + [checks](/consul/docs/register/service/vm/health-checks). Tokens may also be passed to the [HTTP API](/consul/api-docs) for operations that require them. Note that all tokens passed to an agent are persisted on local disk to allow recovery from restarts. Refer to [`-data-dir` flag - documentation](/consul/docs/agent/config/cli-flags#_data_dir) for information about securing + documentation](/consul/docsreference-cli/agent#_data_dir) for information about securing access. In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with -[`enable_script_checks`](/consul/docs/agent/config/config-files#enable_script_checks) or -[`enable_local_script_checks`](/consul/docs/agent/config/config-files#enable_local_script_checks) +[`enable_script_checks`](/consul/docs/reference/agent#enable_script_checks) or +[`enable_local_script_checks`](/consul/docs/reference/agent#enable_local_script_checks) set to `true` in order to enable script checks. ### Reading Imported Services -Service rules affect read access to services exported by [`exported-services` configuration entries](/consul/docs/connect/config-entries/exported-services#reading-services), including services exported between [cluster peerings](/consul/docs/connect/cluster-peering) or [admin partitions](/consul/docs/enterprise/admin-partitions) (Enterprise-only). +Service rules affect read access to services exported by [`exported-services` configuration entries](/consul/docs/reference/config-entry/exported-services#reading-services), including services exported between [cluster peerings](/consul/docs/east-west/cluster-peering) or [admin partitions](/consul/docs/enterprise/admin-partitions) (Enterprise-only). Read access to all imported services is granted when either of the following rule sets are attached to a token: - `service:write` is granted to any service. - `service:read` is granted to all services. -For Consul Enterprise, either set of rules must be scoped to the requesting service's partition and at least one namespace. +For Consul Enterprise, either set of rules must be scoped to the requesting services's partition and at least one namespace. You may need similarly scoped [Node Rules](#reading-imported-nodes) to read Consul data, depending on the endpoint (e.g. `/v1/health/service/:name`). -These permissions are satisfied when using a [service identity](/consul/docs/security/acl/acl-roles#service-identities). +These permissions are satisfied when using a [service identity](/consul/docs/reference/acl/rule#service-identities). -Refer to [Reading Services](/consul/docs/connect/config-entries/exported-services#reading-services) for example ACL policies used to read imported services using the health endpoint. +Refer to [Reading Services](/consul/docs/reference/config-entry/exported-services#reading-services) for example ACL policies used to read imported services using the health endpoint. ### Intentions @@ -869,7 +916,7 @@ service "app" { -Refer to [ACL requirements for intentions](/consul/docs/connect/intentions/create-manage-intentions#acl-requirements) +Refer to [ACL requirements for intentions](/consul/docs/secure-mesh/intentions/create#acl-requirements) for more information about managing intentions access with service rules. ## Session Rules diff --git a/website/content/docs/reference/acl/token.mdx b/website/content/docs/reference/acl/token.mdx new file mode 100644 index 00000000000..b3c581232c2 --- /dev/null +++ b/website/content/docs/reference/acl/token.mdx @@ -0,0 +1,29 @@ +--- +layout: docs +page_title: Access Control List (ACL) token configuration reference +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# ACL token configuration reference + +This topic provides reference information for the types of access control list (ACL) rules you can create and how they affect access to datacenter resources. For details on how to create rules and group them into policies, refer to [Policies](/consul/docs/secure-consul/acl/policies). + +## Token attributes + +The following table is a partial list of attributes that a token may contain. +Refer to the [API](/consul/api-docs/acl/tokens) or [command line](/consul/commands/acl/token) documentation for all attributes that can be assigned or generated for a token: + +| Attribute | Description | Type | Default | +| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------- | +| `AccessorID` | Used for [audit logging](/consul/docs/enterprise/audit-logging). The accessor ID is also returned in API responses to identify the token without revealing the secret ID. | String | auto-generated | +| `SecretID` | Used to request access to resources, data, and APIs. | String | auto-generated | +| `Partition` | Specifies the name of the admin partition in which the token is valid. Refer to [Admin Partitions](/consul/docs/enterprise/admin-partitions) for additional information. | String | `default` | +| `Namespace` | Specifies the name of the Consul namespace in which the token is valid. Refer to [Namespaces](/consul/docs/enterprise/namespaces) for additional information. | String | `default` | +| `Description` | Human-readable description for documenting the purpose of the token. | String | none | +| `Local` | Indicates whether the token should be replicated globally or local to the datacenter.
Set to `false` to replicate globally across all reachable datacenters.
Setting to `true` configures the token to functional in the local datacenter only. | Boolean | `false` | +| `TemplatedPolicies` | Specifies a list of templated policies to apply to the token. Refer to [Templated Policies](/consul/docs/reference/acl/rule#templated-policies) in the "Roles" topic for additional information. | Array | none | +| `ServiceIdentities` | Specifies a list of service identities to apply to the token. Refer to [Service Identities](/consul/docs/reference/acl/rule#service-identities) in the "Roles" topic for additional information. | Array | none | +| `NodeIdentities` | Specifies a list of node identities to apply to the token. Refer to [Node Identities](/consul/docs/reference/acl/rule#node-identities) in the "Roles" topic for additional information. | Array | none | +| `Policies` | List of policies linked to the token, including the policy ID and name. | String | none | +| `Roles` | List of roles linked to the token, including the role ID and name. | String | none | \ No newline at end of file diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/reference/agent/index.mdx similarity index 90% rename from website/content/docs/agent/config/config-files.mdx rename to website/content/docs/reference/agent/index.mdx index 63e8137c4f0..97b4be037bb 100644 --- a/website/content/docs/agent/config/config-files.mdx +++ b/website/content/docs/reference/agent/index.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Agents - Configuration File Reference +page_title: Agent configuration reference description: >- Use agent configuration files to assign attributes to agents and configure multiple agents at once. Learn about agent configuration file parameters and formatting with this reference page and sample code. --- -# Agents Configuration File Reference ((#configuration_files)) +# Agent configuration reference This topic describes the parameters for configuring Consul agents. For information about how to start Consul agents, refer to [Starting the Consul Agent](/consul/docs/agent#starting-the-consul-agent). @@ -113,7 +113,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `grpc` - The gRPC API. Defaults to `client_addr` - `grpc_tls` - The gRPC API with TLS. Defaults to `client_addr` -- `alt_domain` Equivalent to the [`-alt-domain` command-line flag](/consul/docs/agent/config/cli-flags#_alt_domain) +- `alt_domain` Equivalent to the [`-alt-domain` command-line flag](/consul/docsreference-cli/agent#_alt_domain) - `audit` - Added in Consul 1.8, the audit object allow users to enable auditing and configure a sink and filters for their audit logs. For more information, review the [audit log tutorial](/consul/tutorials/datacenter-operations/audit-logging). @@ -249,9 +249,13 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati service mesh because it is vital for `auto_config`, more specifically the service mesh CA and certificates infrastructure. - ~> **Warning:** Enabling `auto_config` conflicts with the [`auto_encrypt.tls`](#tls) feature. + + + Enabling `auto_config` conflicts with the [`auto_encrypt.tls`](#tls) feature. Only one option may be specified. + + - `intro_token` (Defaults to `""`) This specifies the JWT to use for the initial `auto_config` RPC to the Consul servers. This can be overridden with the `CONSUL_INTRO_TOKEN` environment variable @@ -263,7 +267,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `server_addresses` (Defaults to `[]`) This specifies the addresses of servers in the local datacenter to use for the initial RPC. These addresses support - [Cloud Auto-Joining](/consul/docs/agent/config/cli-flags#cloud-auto-joining) and can optionally include a port to + [Cloud Auto-Joining](/consul/docsreference-cli/agent#cloud-auto-joining) and can optionally include a port to use when making the outbound connection. If no port is provided, the `server_port` will be used. @@ -281,7 +285,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `static` This object controls configuring the static authorizer setup in the Consul configuration file. Almost all sub-keys are identical to those provided by the [JWT - Auth Method](/consul/docs/security/acl/auth-methods/jwt). + Auth Method](/consul/docs/secure-consul/acl/auth-methods/jwt). - `jwt_validation_pub_keys` (Defaults to `[]`) A list of PEM-encoded public keys to use to authenticate signatures locally. @@ -379,9 +383,9 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `partition` - The admin partition name the client is requesting. -- `auto_reload_config` Equivalent to the [`-auto-reload-config` command-line flag](/consul/docs/agent/config/cli-flags#_auto_reload_config). +- `auto_reload_config` Equivalent to the [`-auto-reload-config` command-line flag](/consul/docsreference-cli/agent#_auto_reload_config). -- `bind_addr` Equivalent to the [`-bind` command-line flag](/consul/docs/agent/config/cli-flags#_bind). +- `bind_addr` Equivalent to the [`-bind` command-line flag](/consul/docsreference-cli/agent#_bind). This parameter can be set to a go-sockaddr template that resolves to a single address. Special characters such as backslashes `\` or double quotes `"` @@ -402,7 +406,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati -- `cache` configuration for client agents. When an `?index` query parameter is specified but '?cached' is not appended in a [streaming backend call](/consul/api-docs/features/blocking#streaming-backend), Consul bypasses these configuration values. The configurable values are the following: +- `cache` configuration for client agents. The configurable values are the following: - `entry_fetch_max_burst` The size of the token bucket used to recharge the rate-limit per cache entry. The default value is 2 and means that when cache has not been updated @@ -429,7 +433,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati changes state, the new state and associated output is synchronized immediately. To disable this behavior, set the value to "0s". -- `client_addr` Equivalent to the [`-client` command-line flag](/consul/docs/agent/config/cli-flags#_client). +- `client_addr` Equivalent to the [`-client` command-line flag](/consul/docsreference-cli/agent#_client). - `config_entries` This object allows setting options for centralized config entries. @@ -440,19 +444,15 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati the Consul server gains leadership. This option is only applicable to server nodes. Each bootstrap entry will be created only if it does not exist. When reloading, any new entries that have been added to the configuration will be processed. - See the [configuration entry docs](/consul/docs/agent/config-entries) for more + Refer to the [configuration entry docs](/consul/docs/agent/config-entries) for more details about the contents of each entry. -- `datacenter` Equivalent to the [`-datacenter` command-line flag](/consul/docs/agent/config/cli-flags#_datacenter). - -- `data_dir` Equivalent to the [`-data-dir` command-line flag](/consul/docs/agent/config/cli-flags#_data_dir). +- `datacenter` Equivalent to the [`-datacenter` command-line flag](/consul/docsreference-cli/agent#_datacenter). -- `default_intention_policy` Controls how service-to-service traffic is authorized - in the absence of specific intentions. - Can be set to `allow`, `deny`, or left empty to default to [`acl.default_policy`](#acl_default_policy). +- `data_dir` Equivalent to the [`-data-dir` command-line flag](/consul/docsreference-cli/agent#_data_dir). - `disable_anonymous_signature` Disables providing an anonymous - signature for de-duplication with the update check. See [`disable_update_check`](#disable_update_check). + signature for de-duplication with the update check. Refer to [`disable_update_check`](#disable_update_check). - `disable_http_unprintable_char_filter` Defaults to false. Consul 1.0.3 fixed a potential security vulnerability where malicious users could craft KV keys with unprintable chars that would confuse operators using the CLI or UI into taking wrong actions. Users who had data written in older versions of Consul that did not have this restriction will be unable to delete those values by default in 1.0.3 or later. This setting enables those users to **temporarily** disable the filter such that delete operations can work on those keys again to get back to a healthy state. It is strongly recommended that this filter is not disabled permanently as it exposes the original security vulnerability. @@ -478,17 +478,21 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `enable_debug` (boolean, default is `false`): When set to `true`, enables Consul to report additional debugging information, including runtime profiling (`pprof`) data. This setting is only required for clusters without ACL [enabled](#acl_enabled). If you change this setting, you must restart the agent for the change to take effect. -- `enable_script_checks` Equivalent to the [`-enable-script-checks` command-line flag](/consul/docs/agent/config/cli-flags#_enable_script_checks). +- `enable_script_checks` Equivalent to the [`-enable-script-checks` command-line flag](/consul/docsreference-cli/agent#_enable_script_checks). - ACLs must be enabled for agents and the `enable_script_checks` option must be set to `true` to enable script checks in Consul 0.9.0 and later. See [Registering and Querying Node Information](/consul/docs/security/acl/acl-rules#registering-and-querying-node-information) for related information. + ACLs must be enabled for agents and the `enable_script_checks` option must be set to `true` to enable script checks in Consul 0.9.0 and later. See [Registering and Querying Node Information](/consul/docs/secure-consul/acl/rules#registering-and-querying-node-information) for related information. - ~> **Security Warning:** Enabling script checks in some configurations may introduce a known remote execution vulnerability targeted by malware. We strongly recommend `enable_local_script_checks` instead. Refer to the following article for additional guidance: [_Protecting Consul from RCE Risk in Specific Configurations_](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations) + + + Enabling script checks in some configurations may introduce a known remote execution vulnerability targeted by malware. We strongly recommend `enable_local_script_checks` instead. Refer to the following article for additional guidance: [_Protecting Consul from RCE Risk in Specific Configurations_](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations) for more details. -- `enable_local_script_checks` Equivalent to the [`-enable-local-script-checks` command-line flag](/consul/docs/agent/config/cli-flags#_enable_local_script_checks). + + +- `enable_local_script_checks` Equivalent to the [`-enable-local-script-checks` command-line flag](/consul/docsreference-cli/agent#_enable_local_script_checks). - `disable_keyring_file` - Equivalent to the - [`-disable-keyring-file` command-line flag](/consul/docs/agent/config/cli-flags#_disable_keyring_file). + [`-disable-keyring-file` command-line flag](/consul/docsreference-cli/agent#_disable_keyring_file). - `disable_coordinates` - Disables sending of [network coordinates](/consul/docs/architecture/coordinates). When network coordinates are disabled the `near` query param will not work to sort the nodes, @@ -508,7 +512,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati only works with API endpoints, not `/ui` or `/debug`, those must be disabled with their respective configuration options. Any CLI commands that use disabled endpoints will no longer function as well. For more general access control, Consul's - [ACL system](/consul/tutorials/security/access-control-setup-production) + [ACLs system](/consul/docs/secure/acl) should be used, but this option is useful for removing access to HTTP API endpoints completely, or on specific agents. This is available in Consul 0.9.0 and later. @@ -544,7 +548,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `leave_on_terminate` If enabled, when the agent receives a TERM signal, it will send a `Leave` message to the rest of the cluster and gracefully leave. The default behavior for this feature varies based on whether or not the agent is running as a client or a server (prior to Consul 0.7 the default value was unconditionally set to `false`). On agents in client-mode, this defaults to `true` and for agents in server-mode, this defaults to `false`. -- `license_path` This specifies the path to a file that contains the Consul Enterprise license. Alternatively the license may also be specified in either the `CONSUL_LICENSE` or `CONSUL_LICENSE_PATH` environment variables. See the [licensing documentation](/consul/docs/enterprise/license/overview) for more information about Consul Enterprise license management. Added in versions 1.10.0, 1.9.7 and 1.8.13. Prior to version 1.10.0 the value may be set for all agents to facilitate forwards compatibility with 1.10 but will only actually be used by client agents. +- `license_path` This specifies the path to a file that contains the Consul Enterprise license. Alternatively the license may also be specified in either the `CONSUL_LICENSE` or `CONSUL_LICENSE_PATH` environment variables. Refer to the [licensing documentation](/consul/docs/enterprise/license) for more information about Consul Enterprise license management. Added in versions 1.10.0, 1.9.7 and 1.8.13. Prior to version 1.10.0 the value may be set for all agents to facilitate forwards compatibility with 1.10 but will only actually be used by client agents. - `limits`: This block specifies various types of limits that the Consul server agent enforces. @@ -561,13 +565,13 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `rpc_client_timeout` - Configures the limit for how long a client is allowed to read from an RPC connection. This is used to set an upper bound for calls to eventually terminate so that RPC connections are not held indefinitely. Blocking queries can override this timeout. Default is `60s`. - `rpc_max_conns_per_client` - Configures a limit of how many concurrent TCP connections a single source IP address is allowed to open to a single server. It affects both clients connections and other server connections. In general Consul clients multiplex many RPC calls over a single TCP connection so this can typically be kept low. It needs to be more than one though since servers open at least one additional connection for raft RPC, possibly more for WAN federation when using network areas, and snapshot requests from clients run over a separate TCP conn. A reasonably low limit significantly reduces the ability of an unauthenticated attacker to consume unbounded resources by holding open many connections. You may need to increase this if WAN federated servers connect via proxies or NAT gateways or similar causing many legitimate connections from a single source IP. Default value is `100` which is designed to be extremely conservative to limit issues with certain deployment patterns. Most deployments can probably reduce this safely. 100 connections on modern server hardware should not cause a significant impact on resource usage from an unauthenticated attacker though. - `rpc_rate` - Configures the RPC rate limiter on Consul _clients_ by setting the maximum request rate that this agent is allowed to make for RPC requests to Consul servers, in requests per second. Defaults to infinite, which disables rate limiting. - - `rpc_max_burst` - The size of the token bucket used to recharge the RPC rate limiter on Consul _clients_. Defaults to 1000 tokens, and each token is good for a single RPC call to a Consul server. See https://en.wikipedia.org/wiki/Token_bucket for more details about how token bucket rate limiters operate. + - `rpc_max_burst` - The size of the token bucket used to recharge the RPC rate limiter on Consul _clients_. Defaults to 1000 tokens, and each token is good for a single RPC call to a Consul server. Refer to https://en.wikipedia.org/wiki/Token_bucket for more details about how token bucket rate limiters operate. - `kv_max_value_size` - **(Advanced)** Configures the maximum number of bytes for a kv request body to the [`/v1/kv`](/consul/api-docs/kv) endpoint. This limit defaults to [raft's](https://github.com/hashicorp/raft) suggested max size (512KB). **Note that tuning these improperly can cause Consul to fail in unexpected ways**, it may potentially affect leadership stability and prevent timely heartbeat signals by increasing RPC IO duration. This option affects the txn endpoint too, but Consul 1.7.2 introduced `txn_max_req_len` which is the preferred way to set the limit for the txn endpoint. If both limits are set, the higher one takes precedence. - `txn_max_req_len` - **(Advanced)** Configures the maximum number of bytes for a transaction request body to the [`/v1/txn`](/consul/api-docs/txn) endpoint. This limit defaults to [raft's](https://github.com/hashicorp/raft) suggested max size (512KB). **Note that tuning these improperly can cause Consul to fail in unexpected ways**, it may potentially affect leadership stability and prevent timely heartbeat signals by increasing RPC IO duration. -- `default_query_time` Equivalent to the [`-default-query-time` command-line flag](/consul/docs/agent/config/cli-flags#_default_query_time). +- `default_query_time` Equivalent to the [`-default-query-time` command-line flag](/consul/docsreference-cli/agent#_default_query_time). -- `max_query_time` Equivalent to the [`-max-query-time` command-line flag](/consul/docs/agent/config/cli-flags#_max_query_time). +- `max_query_time` Equivalent to the [`-max-query-time` command-line flag](/consul/docsreference-cli/agent#_max_query_time). - `peering` This object allows setting options for cluster peering. @@ -581,27 +585,31 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `partition` - This flag is used to set the name of the admin partition the agent belongs to. An agent can only join and communicate with other agents within its admin partition. Review the - [Admin Partitions documentation](/consul/docs/enterprise/admin-partitions) for more + [Admin Partitions documentation](/consul/docs/segment/admin-partition) for more details. By default, this is an empty string, which is the `default` admin partition. This cannot be set on a server agent. - ~> **Warning:** The `partition` option cannot be used either the - [`segment`](#segment-2) option or [`-segment`](/consul/docs/agent/config/cli-flags#_segment) flag. + + + The `partition` option cannot be used either the + [`segment`](#segment-2) option or [`-segment`](/consul/docsreference-cli/agent#_segment) flag. -- `performance` Available in Consul 0.7 and later, this is a nested object that allows tuning the performance of different subsystems in Consul. See the [Server Performance](/consul/docs/install/performance) documentation for more details. The following parameters are available: + + +- `performance` Available in Consul 0.7 and later, this is a nested object that allows tuning the performance of different subsystems in Consul. Refer to the [Server Performance](/consul/docs/deploy/server/vm/requirements) documentation for more details. The following parameters are available: - `leave_drain_time` - A duration that a server will dwell during a graceful leave in order to allow requests to be retried against other Consul servers. Under normal circumstances, this can prevent clients from experiencing "no leader" errors when performing a rolling update of the Consul servers. This was added in Consul 1.0. Must be a duration value such as 10s. Defaults to 5s. - `raft_multiplier` - An integer multiplier used by Consul servers to scale key Raft timing parameters. Omitting this value or setting it to 0 uses default timing described below. Lower values are used to tighten timing and increase sensitivity while higher values relax timings and reduce sensitivity. Tuning this affects the time it takes Consul to detect leader failures and to perform leader elections, at the expense of requiring more network and CPU resources for better performance. By default, Consul will use a lower-performance timing that's suitable - for [minimal Consul servers](/consul/docs/install/performance#minimum), currently equivalent + for [minimal Consul servers](/consul/docs/deploy/server/vm/requirements#minimum), currently equivalent to setting this to a value of 5 (this default may be changed in future versions of Consul, depending if the target minimum server profile changes). Setting this to a value of 1 will configure Raft to its highest-performance mode, equivalent to the default timing of Consul - prior to 0.7, and is recommended for [production Consul servers](/consul/docs/install/performance#production). + prior to 0.7, and is recommended for [production Consul servers](/consul/docs/deploy/server/vm/requirements#production). - See the note on [last contact](/consul/docs/install/performance#production-server-requirements) timing for more + Refer to the note on [last contact](/consul/docs/deploy/server/vm/requirements#production-server-requirements) timing for more details on tuning this parameter. The maximum allowed value is 10. - `rpc_hold_timeout` - A duration that a client @@ -614,7 +622,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `grpc_keepalive_timeout` - A duration that determines how long a Consul server waits for a reply to a keep-alive message. If the server does not receive a reply before the end of the duration, Consul flags the gRPC connection as unhealthy and forcibly removes it. Defaults to `20s`. -- `pid_file` Equivalent to the [`-pid-file` command line flag](/consul/docs/agent/config/cli-flags#_pid_file). +- `pid_file` Equivalent to the [`-pid-file` command line flag](/consul/docsreference-cli/agent#_pid_file). - `ports` This is a nested object that allows setting the bind ports for the following keys: @@ -635,25 +643,25 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati tools to work automatically. `grpc_tls` is always guaranteed to be encrypted. Both `grpc` and `grpc_tls` can be configured at the same time, but they may not utilize the same port number. This field was added in Consul 1.14. - `serf_lan` ((#serf_lan_port)) - The Serf LAN port. Default 8301. TCP - and UDP. Equivalent to the [`-serf-lan-port` command line flag](/consul/docs/agent/config/cli-flags#_serf_lan_port). + and UDP. Equivalent to the [`-serf-lan-port` command line flag](/consul/docsreference-cli/agent#_serf_lan_port). - `serf_wan` ((#serf_wan_port)) - The Serf WAN port. Default 8302. - Equivalent to the [`-serf-wan-port` command line flag](/consul/docs/agent/config/cli-flags#_serf_wan_port). Set + Equivalent to the [`-serf-wan-port` command line flag](/consul/docsreference-cli/agent#_serf_wan_port). Set to -1 to disable. **Note**: this will disable WAN federation which is not recommended. Various catalog and WAN related endpoints will return errors or empty results. TCP and UDP. - `server` ((#server_rpc_port)) - Server RPC address. Default 8300. TCP only. - `sidecar_min_port` ((#sidecar_min_port)) - Inclusive minimum port number - to use for automatically assigned [sidecar service registrations](/consul/docs/connect/proxies/deploy-sidecar-services). + to use for automatically assigned [sidecar service registrations](/consul/docs/reference/proxy/sidecar). Default 21000. Set to `0` to disable automatic port assignment. - `sidecar_max_port` ((#sidecar_max_port)) - Inclusive maximum port number - to use for automatically assigned [sidecar service registrations](/consul/docs/connect/proxies/deploy-sidecar-services). + to use for automatically assigned [sidecar service registrations](/consul/docs/reference/proxy/sidecar). Default 21255. Set to `0` to disable automatic port assignment. - `expose_min_port` ((#expose_min_port)) - Inclusive minimum port number - to use for automatically assigned [exposed check listeners](/consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference). + to use for automatically assigned [exposed check listeners](/consul/docs/reference/proxy/connect-proxy#expose-paths-configuration-reference). Default 21500. Set to `0` to disable automatic port assignment. - `expose_max_port` ((#expose_max_port)) - Inclusive maximum port number - to use for automatically assigned [exposed check listeners](/consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference). + to use for automatically assigned [exposed check listeners](/consul/docs/reference/proxy/connect-proxy#expose-paths-configuration-reference). Default 21755. Set to `0` to disable automatic port assignment. - `primary_datacenter` - This designates the datacenter @@ -665,7 +673,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati enforcement of ACLs. - `primary_gateways` Equivalent to the [`-primary-gateway` - command-line flag](/consul/docs/agent/config/cli-flags#_primary_gateway). Takes a list of addresses to use as the + command-line flag](/consul/docsreference-cli/agent#_primary_gateway). Takes a list of addresses to use as the mesh gateways for the primary datacenter when authoritative replicated catalog data is not present. Discovery happens every [`primary_gateways_interval`](#primary_gateways_interval) until at least one primary mesh gateway is discovered. This was added in Consul @@ -676,7 +684,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati 30s. This was added in Consul 1.8.0. - `protocol` ((#protocol)) Equivalent to the [`-protocol` command-line - flag](/consul/docs/agent/config/cli-flags#_protocol). + flag](/consul/docsreference-cli/agent#_protocol). - `reap` This controls Consul's automatic reaping of child processes, which is useful if Consul is running as PID 1 in a Docker container. If this isn't @@ -684,7 +692,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati is running as PID 1. If this is set to true or false, then it controls reaping regardless of Consul's PID (forces reaping on or off, respectively). This option was removed in Consul 0.7.1. For later versions of Consul, you will need to reap - processes using a wrapper, please see the [Consul Docker image entry point script](https://github.com/hashicorp/docker-consul/blob/master/0.X/docker-entrypoint.sh) + processes using a wrapper, please refer to the [Consul Docker image entry point script](https://github.com/hashicorp/docker-consul/blob/master/0.X/docker-entrypoint.sh) for an example. If you are using Docker 1.13.0 or later, you can use the new `--init` option of the `docker run` command and docker will enable an init process with PID 1 that reaps child processes for the container. More info on [Docker docs](https://docs.docker.com/engine/reference/commandline/run/#options). @@ -722,13 +730,17 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `license` - The license object allows users to control automatic reporting of license utilization metrics to HashiCorp. - `enabled`: (Defaults to `true`) Enables automatic license utilization reporting. -- `segment` - Equivalent to the [`-segment` command-line flag](/consul/docs/agent/config/cli-flags#_segment). +- `segment` - Equivalent to the [`-segment` command-line flag](/consul/docsreference-cli/agent#_segment). + + + + The `segment` option cannot be used with the [`partition`](#partition-1) option. - ~> **Warning:** The `segment` option cannot be used with the [`partition`](#partition-1) option. + - `segments` - (Server agents only) This is a list of nested objects that specifies user-defined network segments, not including the `` segment, which is - created automatically. Refer to the [network segments documentation](/consul/docs/enterprise/network-segments/create-network-segment)for additional information. + created automatically. Refer to the [network segments documentation](/consul/docs/segment/network-segment/vm)for additional information. for more details. - `name` ((#segment_name)) - The name of the segment. Must be a string @@ -738,24 +750,24 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `port` ((#segment_port)) - The port to use for the segment's gossip layer (required). - `advertise` ((#segment_advertise)) - The advertise address to use for - the segment's gossip layer. Defaults to the [`-advertise`](/consul/docs/agent/config/cli-flags#_advertise) value + the segment's gossip layer. Defaults to the [`-advertise`](/consul/docsreference-cli/agent#_advertise) value if not provided. - `rpc_listener` ((#segment_rpc_listener)) - If true, a separate RPC - listener will be started on this segment's [`-bind`](/consul/docs/agent/config/cli-flags#_bind) address on the rpc - port. Only valid if the segment's bind address differs from the [`-bind`](/consul/docs/agent/config/cli-flags#_bind) + listener will be started on this segment's [`-bind`](/consul/docsreference-cli/agent#_bind) address on the rpc + port. Only valid if the segment's bind address differs from the [`-bind`](/consul/docsreference-cli/agent#_bind) address. Defaults to false. -- `server` Equivalent to the [`-server` command-line flag](/consul/docs/agent/config/cli-flags#_server). +- `server` Equivalent to the [`-server` command-line flag](/consul/docsreference-cli/agent#_server). - `server_rejoin_age_max` - controls the allowed maximum age of a stale server attempting to rejoin a cluster. If the server has not ran during this period, it will refuse to start up again until an operator intervenes by manually deleting the `server_metadata.json` file located in the data dir. This is to protect clusters from instability caused by decommissioned servers accidentally being started again. - Note: the default value is 168h (equal to 7d) and the minimum value is 6h. + The default value is 168h (equal to 7d) and the minimum value is 6h. -- `non_voting_server` - **This field is deprecated in Consul 1.9.1. See the [`read_replica`](#read_replica) field instead.** +- `non_voting_server` - **This field is deprecated in Consul 1.9.1. Refer to the [`read_replica`](#read_replica) field instead.** -- `read_replica` - Equivalent to the [`-read-replica` command-line flag](/consul/docs/agent/config/cli-flags#_read_replica). +- `read_replica` - Equivalent to the [`-read-replica` command-line flag](/consul/docsreference-cli/agent#_read_replica). - `session_ttl_min` The minimum allowed session TTL. This ensures sessions are not created with TTLs shorter than the specified limit. It is recommended to keep this limit at or above @@ -773,14 +785,14 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati a client will gracefully leave). - `translate_wan_addrs` If set to true, Consul - will prefer a node's configured [WAN address](/consul/docs/agent/config/cli-flags#_advertise-wan) + will prefer a node's configured [WAN address](/consul/docsreference-cli/agent#_advertise-wan) when servicing DNS and HTTP requests for a node in a remote datacenter. This allows the node to be reached within its own datacenter using its local address, and reached from other datacenters using its WAN address, which is useful in hybrid setups with mixed networks. This is disabled by default. Starting in Consul 0.7 and later, node addresses in responses to HTTP requests will also prefer a - node's configured [WAN address](/consul/docs/agent/config/cli-flags#_advertise-wan) when querying for a node in a remote + node's configured [WAN address](/consul/docsreference-cli/agent#_advertise-wan) when querying for a node in a remote datacenter. An [`X-Consul-Translate-Addresses`](/consul/api-docs/api-structure#translated-addresses) header will be present on all responses when translation is enabled to help clients know that the addresses may be translated. The `TaggedAddresses` field in responses also have a `lan` address for clients that @@ -819,7 +831,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `watches` - Watches is a list of watch specifications which allow an external process to be automatically invoked when a particular data view - is updated. See the [watch documentation](/consul/docs/dynamic-app-config/watches) for more detail. + is updated. Refer to the [watch documentation](/consul/docs/dynamic-app/watches) for more detail. Watches can be modified when the configuration is reloaded. ## ACL Parameters @@ -880,13 +892,17 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati secondary Consul datacenters will perform replication of only ACL policies and roles. Setting this configuration will will enable ACL token replication and allow for the creation of both [local tokens](/consul/api-docs/acl/tokens#local) and - [auth methods](/consul/docs/security/acl/auth-methods) in connected secondary datacenters. + [auth methods](/consul/docs/secure-consul/acl/auth-methods) in connected secondary datacenters. - ~> **Warning:** When enabling ACL token replication on the secondary datacenter, + + + When enabling ACL token replication on the secondary datacenter, global tokens already present in the secondary datacenter will be lost. For production environments, consider configuring ACL replication in your initial datacenter bootstrapping process. + + - `enable_token_persistence` ((#acl_enable_token_persistence)) - Either `true` or `false`. When `true` tokens set using the API will be persisted to disk and reloaded when an agent restarts. @@ -916,7 +932,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `default` ((#acl_tokens_default)) - When provided, this agent will use this token by default when making requests to the Consul servers - instead of the [anonymous token](/consul/docs/security/acl/tokens#anonymous-token). + instead of the [anonymous token](/consul/docs/secure-consul/acl/tokens#anonymous-token). Consul HTTP API requests can provide an alternate token in their authorization header to override the `default` or anonymous token on a per-request basis, as described in [HTTP API Authentication](/consul/api-docs/api-structure#authentication). @@ -941,7 +957,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati [`acl.tokens.agent_recovery`](#acl_tokens_agent_recovery).** - `config_file_service_registration` ((#acl_tokens_config_file_service_registration)) - Specifies the ACL - token the agent uses to register services and checks from [service](/consul/docs/services/usage/define-services) and [check](/consul/docs/services/usage/checks) definitions + token the agent uses to register services and checks from [service](/consul/docs/register/service/vm/define) and [check](/consul/docs/register/service/vm/health-checks) definitions specified in configuration files or fragments passed to the agent using the `-hcl` flag. @@ -964,18 +980,22 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `dns` ((#acl_tokens_dns)) - Specifies the token that agents use to request information needed to respond to DNS queries. If the `dns` token is not set, the `default` token is used instead. Because the `default` token allows unauthenticated HTTP API access to list nodes and services, we - strongly recommend using the `dns` token. Create DNS tokens using the [templated policy](/consul/docs/security/acl/tokens/create/create-a-dns-token#create_a_dns_token) + strongly recommend using the `dns` token. Create DNS tokens using the [templated policy](/consul/docs/secure-consul/acl/token/dns-token#create_a_dns_token) option to ensure that the token has the permissions needed to respond to all DNS queries. - `replication` ((#acl_tokens_replication)) - Specifies the token that the agent uses to authorize secondary datacenters with the primary datacenter for replication operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when ACLs are enabled. This token may be provided later using the [agent token API](/consul/api-docs/agent#update-acl-tokens) on each server. This token must have at least "read" permissions on ACL data but if ACL token replication is enabled then it must have "write" permissions. This also enables service mesh data replication, for which the token will require both operator "write" and intention "read" permissions for replicating CA and Intention data. - ~> **Warning:** When enabling ACL token replication on the secondary datacenter, + + + When enabling ACL token replication on the secondary datacenter, policies and roles already present in the secondary datacenter will be lost. For production environments, consider configuring ACL replication in your initial datacenter bootstrapping process. + + - `managed_service_provider` ((#acl_tokens_managed_service_provider)) - An array of ACL tokens used by Consul managed service providers for cluster operations. @@ -999,13 +1019,13 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati -- `acl_datacenter` - **This field is deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.** +- `acl_datacenter` - **This field is deprecated in Consul 1.4.0. Refer to the [`primary_datacenter`](#primary_datacenter) field instead.** This designates the datacenter which is authoritative for ACL information. It must be provided to enable ACLs. All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients, it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement - of ACLs. Please review the [ACL tutorial](/consul/tutorials/security/access-control-setup-production) for more details. + of ACLs. Refer to [ACLs](/consul/docs/secure/acl) documentation for more details. -- `acl_default_policy` ((#acl_default_policy_legacy)) - **Deprecated in Consul 1.4.0. See the [`acl.default_policy`](#acl_default_policy) field instead.** +- `acl_default_policy` ((#acl_default_policy_legacy)) - **Deprecated in Consul 1.4.0. Refer to the [`acl.default_policy`](#acl_default_policy) field instead.** Either "allow" or "deny"; defaults to "allow". The default policy controls the behavior of a token when there is no matching rule. In "allow" mode, ACLs are a denylist: any operation not specifically prohibited is allowed. In "deny" mode, @@ -1013,7 +1033,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati this will not take effect until you've set `primary_datacenter` to enable ACL support. - `acl_down_policy` ((#acl_down_policy_legacy)) - **Deprecated in Consul - 1.4.0. See the [`acl.down_policy`](#acl_down_policy) field instead.** Either "allow", + 1.4.0. Refer to the [`acl.down_policy`](#acl_down_policy) field instead.** Either "allow", "deny", "extend-cache" or "async-cache"; "extend-cache" is the default. In the case that the policy for a token cannot be read from the [`primary_datacenter`](#primary_datacenter) or leader node, the down policy is applied. In "allow" mode, all actions are permitted, @@ -1025,7 +1045,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati not impacted. - `acl_agent_master_token` ((#acl_agent_master_token_legacy)) - **Deprecated - in Consul 1.4.0. See the [`acl.tokens.agent_master`](#acl_tokens_agent_master) + in Consul 1.4.0. Refer to the [`acl.tokens.agent_master`](#acl_tokens_agent_master) field instead.** Used to access [agent endpoints](/consul/api-docs/agent) that require agent read or write privileges, or node read privileges, even if Consul servers aren't present to validate any tokens. This should only be used by operators @@ -1033,7 +1053,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati was added in Consul 0.7.2 and is only used when [`acl_enforce_version_8`](#acl_enforce_version_8) is set to true. - `acl_agent_token` ((#acl_agent_token_legacy)) - **Deprecated in Consul - 1.4.0. See the [`acl.tokens.agent`](#acl_tokens_agent) field instead.** Used for + 1.4.0. Refer to the [`acl.tokens.agent`](#acl_tokens_agent) field instead.** Used for clients and servers to perform internal operations. If this isn't specified, then the [`acl_token`](#acl_token) will be used. This was added in Consul 0.7.2. @@ -1048,12 +1068,12 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati by allowing policies to be in place before enforcement begins. - `acl_master_token` ((#acl_master_token_legacy)) - **Deprecated in Consul - 1.4.0. See the [`acl.tokens.master`](#acl_tokens_master) field instead.** + 1.4.0. Refer to the [`acl.tokens.master`](#acl_tokens_master) field instead.** - `acl_replication_token` ((#acl_replication_token_legacy)) - **Deprecated - in Consul 1.4.0. See the [`acl.tokens.replication`](#acl_tokens_replication) field + in Consul 1.4.0. Refer to the [`acl.tokens.replication`](#acl_tokens_replication) field instead.** Only used for servers outside the [`primary_datacenter`](#primary_datacenter) - running Consul 0.7 or later. When provided, this will enable [ACL replication](/consul/tutorials/security-operations/access-control-replication-multiple-datacenters) + running Consul 0.7 or later. When provided, this will enable [ACL replication](/consul/docs/secure-consul/acl/enable-federated-datacenters) using this ACL replication using this token to retrieve and replicate the ACLs to the non-authoritative local datacenter. In Consul 0.9.1 and later you can enable ACL replication using [`acl.enable_token_replication`](#acl_enable_token_replication) and then @@ -1062,13 +1082,13 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati set [`acl.enable_token_replication`](#acl_enable_token_replication) to true for backward compatibility. If there's a partition or other outage affecting the authoritative datacenter, and the - [`acl_down_policy`](/consul/docs/agent/config/config-files#acl_down_policy) is set to "extend-cache", tokens not + [`acl_down_policy`](/consul/docs/reference/agent#acl_down_policy) is set to "extend-cache", tokens not in the cache can be resolved during the outage using the replicated set of ACLs. -- `acl_token` ((#acl_token_legacy)) - **Deprecated in Consul 1.4.0. See +- `acl_token` ((#acl_token_legacy)) - **Deprecated in Consul 1.4.0. Refer to the [`acl.tokens.default`](#acl_tokens_default) field instead.** -- `acl_ttl` ((#acl_ttl_legacy)) - **Deprecated in Consul 1.4.0. See the +- `acl_ttl` ((#acl_ttl_legacy)) - **Deprecated in Consul 1.4.0. Refer to the [`acl.token_ttl`](#acl_token_ttl) field instead.**Used to control Time-To-Live caching of ACLs. By default, this is 30 seconds. This setting has a major performance impact: reducing it will cause more frequent refreshes while increasing it reduces @@ -1079,22 +1099,26 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati When set on a Consul server, enables ACL replication without having to set the replication token via [`acl_replication_token`](#acl_replication_token). Instead, enable ACL replication and then introduce the token using the [agent token API](/consul/api-docs/agent#update-acl-tokens) on each server. - See [`acl_replication_token`](#acl_replication_token) for more details. + Refer to [`acl_replication_token`](#acl_replication_token) for more details. - ~> **Warning:** When enabling ACL token replication on the secondary datacenter, + + + When enabling ACL token replication on the secondary datacenter, policies and roles already present in the secondary datacenter will be lost. For production environments, consider configuring ACL replication in your initial datacenter bootstrapping process. + + ## Advertise Address Parameters -- `advertise_addr` Equivalent to the [`-advertise` command-line flag](/consul/docs/agent/config/cli-flags#_advertise). +- `advertise_addr` Equivalent to the [`-advertise` command-line flag](/consul/docsreference-cli/agent#_advertise). - `advertise_addr_ipv4` This was added together with [`advertise_addr_ipv6`](#advertise_addr_ipv6) to support dual stack IPv4/IPv6 environments. Using this, both IPv4 and IPv6 addresses can be specified and requested during eg service discovery. - `advertise_addr_ipv6` This was added together with [`advertise_addr_ipv4`](#advertise_addr_ipv4) to support dual stack IPv4/IPv6 environments. Using this, both IPv4 and IPv6 addresses can be specified and requested during eg service discovery. -- `advertise_addr_wan` Equivalent to the [`-advertise-wan` command-line flag](/consul/docs/agent/config/cli-flags#_advertise-wan). +- `advertise_addr_wan` Equivalent to the [`-advertise-wan` command-line flag](/consul/docsreference-cli/agent#_advertise-wan). - `advertise_addr_wan_ipv4` This was added together with [`advertise_addr_wan_ipv6`](#advertise_addr_wan_ipv6) to support dual stack IPv4/IPv6 environments. Using this, both IPv4 and IPv6 addresses can be specified and requested during eg service discovery. @@ -1107,9 +1131,9 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati ## Bootstrap Parameters -- `bootstrap` Equivalent to the [`-bootstrap` command-line flag](/consul/docs/agent/config/cli-flags#_bootstrap). +- `bootstrap` Equivalent to the [`-bootstrap` command-line flag](/consul/docsreference-cli/agent#_bootstrap). -- `bootstrap_expect` Equivalent to the [`-bootstrap-expect` command-line flag](/consul/docs/agent/config/cli-flags#_bootstrap_expect). +- `bootstrap_expect` Equivalent to the [`-bootstrap-expect` command-line flag](/consul/docsreference-cli/agent#_bootstrap_expect). ## Self-managed HCP Parameters @@ -1190,7 +1214,7 @@ subsystem that provides Consul's service mesh capabilities. - `auth_method` ((#vault_ca_auth_method)) Vault auth method to use for logging in to Vault. - Please see [Vault Auth Methods](/vault/docs/auth) for more information + Please refer to [Vault Auth Methods](/vault/docs/auth) for more information on how to configure individual auth methods. If auth method is provided, Consul will obtain a new token from Vault when the token can no longer be renewed. @@ -1200,7 +1224,7 @@ subsystem that provides Consul's service mesh capabilities. If not provided the auth method type will be used as the mount path. - `params` The parameters to configure the auth method. - Please see [Vault Auth Methods](/vault/docs/auth) for information on how + Please refer to [Vault Auth Methods](/vault/docs/auth) for information on how to configure the auth method you wish to use. If using the Kubernetes auth method, Consul will read the service account token from the default mount path `/var/run/secrets/kubernetes.io/serviceaccount/token` if the `jwt` parameter is not provided. @@ -1301,7 +1325,7 @@ subsystem that provides Consul's service mesh capabilities. ## DNS and Domain Parameters - `dns_config` This object allows a number of sub-keys - to be set which can tune how DNS queries are serviced. Refer to [DNS caching](/consul/docs/services/discovery/dns-cache) for more information. + to be set which can tune how DNS queries are serviced. Check the tutorial on [DNS caching](/consul/tutorials/networking/dns-caching) for more detail. The following sub-keys are available: @@ -1353,7 +1377,7 @@ subsystem that provides Consul's service mesh capabilities. `sequential`. - `recursor_timeout` - Timeout used by Consul when - recursively querying an upstream DNS server. See [`recursors`](#recursors) for more details. Default is 2s. This is available in Consul 0.7 and later. + recursively querying an upstream DNS server. Refer to [`recursors`](#recursors) for more details. Default is 2s. This is available in Consul 0.7 and later. - `disable_compression` - If set to true, DNS responses will not be compressed. Compression was added and enabled by default @@ -1408,7 +1432,7 @@ subsystem that provides Consul's service mesh capabilities. - `cache_max_age` ((#dns_cache_max_age)) - When [use_cache](#dns_use_cache) is enabled, the agent will attempt to re-fetch the result from the servers if - the cached value is older than this duration. See: [agent caching](/consul/api-docs/features/caching). + the cached value is older than this duration. Refer to : [agent caching](/consul/api-docs/features/caching). **Note** that unlike the `max-age` HTTP header, a value of 0 for this field is equivalent to "no max age". To get a fresh value from the cache use a very small value @@ -1421,7 +1445,7 @@ subsystem that provides Consul's service mesh capabilities. When set to `false`, the default, the behavior is the same as non-Enterprise versions and treats the single label as the datacenter. -- `domain` Equivalent to the [`-domain` command-line flag](/consul/docs/agent/config/cli-flags#_domain). +- `domain` Equivalent to the [`-domain` command-line flag](/consul/docsreference-cli/agent#_domain). ## Encryption Parameters @@ -1453,9 +1477,13 @@ subsystem that provides Consul's service mesh capabilities. only with a CA, or finally without a CA and without ACL enabled. In any case, the communication to the `auto_encrypt` endpoint is always TLS encrypted. - ~> **Warning:** Enabling `auto_encrypt.tls` conflicts with the [`auto_config`](#auto_config) feature. + + + Enabling `auto_encrypt.tls` conflicts with the [`auto_config`](#auto_config) feature. Only one option may be specified. + + - `dns_san` (Defaults to `[]`) When this option is being used, the certificates requested by `auto_encrypt` from the server have these `dns_san` set as DNS SAN. @@ -1464,18 +1492,18 @@ subsystem that provides Consul's service mesh capabilities. the certificates requested by `auto_encrypt` from the server have these `ip_san` set as IP SAN. -- `encrypt` Equivalent to the [`-encrypt` command-line flag](/consul/docs/agent/config/cli-flags#_encrypt). +- `encrypt` Equivalent to the [`-encrypt` command-line flag](/consul/docsreference-cli/agent#_encrypt). - `encrypt_verify_incoming` - This is an optional parameter that can be used to disable enforcing encryption for incoming gossip in order to upshift from unencrypted to encrypted gossip on a running cluster. - See [this section](/consul/docs/security/encryption#configuring-gossip-encryption-on-an-existing-cluster) + Refer to [Enable gossip encryption for existing datacenters](/consul/docs/secure-consul/encryption/gossip/existing) for more information. Defaults to true. - `encrypt_verify_outgoing` - This is an optional parameter that can be used to disable enforcing encryption for outgoing gossip in order to upshift from unencrypted to encrypted gossip on a running cluster. - See [this section](/consul/docs/security/encryption#configuring-gossip-encryption-on-an-existing-cluster) + Refer to [Enable gossip encryption for existing datacenters](/consul/docs/secure-consul/encryption/gossip/existing) for more information. Defaults to true. ## Gossip Parameters @@ -1566,39 +1594,39 @@ subsystem that provides Consul's service mesh capabilities. ## Join Parameters -- `rejoin_after_leave` Equivalent to the [`-rejoin` command-line flag](/consul/docs/agent/config/cli-flags#_rejoin). +- `rejoin_after_leave` Equivalent to the [`-rejoin` command-line flag](/consul/docsreference-cli/agent#_rejoin). -- `retry_join` - Equivalent to the [`-retry-join`](/consul/docs/agent/config/cli-flags#retry-join) command-line flag. +- `retry_join` - Equivalent to the [`-retry-join`](/consul/docsreference-cli/agent#retry-join) command-line flag. -- `retry_interval` Equivalent to the [`-retry-interval` command-line flag](/consul/docs/agent/config/cli-flags#_retry_interval). +- `retry_interval` Equivalent to the [`-retry-interval` command-line flag](/consul/docsreference-cli/agent#_retry_interval). -- `retry_max` - Equivalent to the [`-retry-max`](/consul/docs/agent/config/cli-flags#_retry_max) command-line flag. +- `retry_max` - Equivalent to the [`-retry-max`](/consul/docsreference-cli/agent#_retry_max) command-line flag. -- `retry_join_wan` Equivalent to the [`-retry-join-wan` command-line flag](/consul/docs/agent/config/cli-flags#_retry_join_wan). Takes a list of addresses to attempt joining to WAN every [`retry_interval_wan`](#_retry_interval_wan) until at least one join works. +- `retry_join_wan` Equivalent to the [`-retry-join-wan` command-line flag](/consul/docsreference-cli/agent#_retry_join_wan). Takes a list of addresses to attempt joining to WAN every [`retry_interval_wan`](#_retry_interval_wan) until at least one join works. -- `retry_interval_wan` Equivalent to the [`-retry-interval-wan` command-line flag](/consul/docs/agent/config/cli-flags#_retry_interval_wan). +- `retry_interval_wan` Equivalent to the [`-retry-interval-wan` command-line flag](/consul/docsreference-cli/agent#_retry_interval_wan). -- `start_join` **Deprecated in Consul 1.15. Use the [`retry_join`](/consul/docs/agent/config/config-files#retry_join) field instead. This field will be removed in a future version of Consul.** +- `start_join` **Deprecated in Consul 1.15. Use the [`retry_join`](/consul/docs/reference/agent#retry_join) field instead. This field will be removed in a future version of Consul.** This field is an alias of `retry_join`. -- `start_join_wan` **Deprecated in Consul 1.15. Use the [`retry_join_wan`](/consul/docs/agent/config/config-files#retry_join_wan) field instead. This field will be removed in a future version of Consul.** +- `start_join_wan` **Deprecated in Consul 1.15. Use the [`retry_join_wan`](/consul/docs/reference/agent#retry_join_wan) field instead. This field will be removed in a future version of Consul.** This field is an alias of `retry_join_wan`. ## Log Parameters -- `log_file` Equivalent to the [`-log-file` command-line flag](/consul/docs/agent/config/cli-flags#_log_file). +- `log_file` Equivalent to the [`-log-file` command-line flag](/consul/docsreference-cli/agent#_log_file). -- `log_rotate_duration` Equivalent to the [`-log-rotate-duration` command-line flag](/consul/docs/agent/config/cli-flags#_log_rotate_duration). +- `log_rotate_duration` Equivalent to the [`-log-rotate-duration` command-line flag](/consul/docsreference-cli/agent#_log_rotate_duration). -- `log_rotate_bytes` Equivalent to the [`-log-rotate-bytes` command-line flag](/consul/docs/agent/config/cli-flags#_log_rotate_bytes). +- `log_rotate_bytes` Equivalent to the [`-log-rotate-bytes` command-line flag](/consul/docsreference-cli/agent#_log_rotate_bytes). -- `log_rotate_max_files` Equivalent to the [`-log-rotate-max-files` command-line flag](/consul/docs/agent/config/cli-flags#_log_rotate_max_files). +- `log_rotate_max_files` Equivalent to the [`-log-rotate-max-files` command-line flag](/consul/docsreference-cli/agent#_log_rotate_max_files). -- `log_level` Equivalent to the [`-log-level` command-line flag](/consul/docs/agent/config/cli-flags#_log_level). +- `log_level` Equivalent to the [`-log-level` command-line flag](/consul/docsreference-cli/agent#_log_level). -- `log_json` Equivalent to the [`-log-json` command-line flag](/consul/docs/agent/config/cli-flags#_log_json). +- `log_json` Equivalent to the [`-log-json` command-line flag](/consul/docsreference-cli/agent#_log_json). -- `enable_syslog` Equivalent to the [`-syslog` command-line flag](/consul/docs/agent/config/cli-flags#_syslog). +- `enable_syslog` Equivalent to the [`-syslog` command-line flag](/consul/docsreference-cli/agent#_syslog). - `syslog_facility` When [`enable_syslog`](#enable_syslog) is provided, this controls to which facility messages are sent. By default, `LOCAL0` @@ -1606,11 +1634,11 @@ subsystem that provides Consul's service mesh capabilities. ## Node Parameters -- `node_id` Equivalent to the [`-node-id` command-line flag](/consul/docs/agent/config/cli-flags#_node_id). +- `node_id` Equivalent to the [`-node-id` command-line flag](/consul/docsreference-cli/agent#_node_id). -- `node_name` Equivalent to the [`-node` command-line flag](/consul/docs/agent/config/cli-flags#_node). +- `node_name` Equivalent to the [`-node` command-line flag](/consul/docsreference-cli/agent#_node). -- `node_meta` Available in Consul 0.7.3 and later, This object allows associating arbitrary metadata key/value pairs with the local node, which can then be used for filtering results from certain catalog endpoints. See the [`-node-meta` command-line flag](/consul/docs/agent/config/cli-flags#_node_meta) for more information. +- `node_meta` Available in Consul 0.7.3 and later, This object allows associating arbitrary metadata key/value pairs with the local node, which can then be used for filtering results from certain catalog endpoints. Refer to the [`-node-meta` command-line flag](/consul/docsreference-cli/agent#_node_meta) for more information. @@ -1630,7 +1658,7 @@ subsystem that provides Consul's service mesh capabilities. -- `disable_host_node_id` Equivalent to the [`-disable-host-node-id` command-line flag](/consul/docs/agent/config/cli-flags#_disable_host_node_id). +- `disable_host_node_id` Equivalent to the [`-disable-host-node-id` command-line flag](/consul/docsreference-cli/agent#_disable_host_node_id). ## Raft Parameters @@ -1655,7 +1683,7 @@ subsystem that provides Consul's service mesh capabilities. engine to use to persist logs. Valid options are `boltdb` or `wal`. Default is `boltdb`. The `wal` option specifies an experimental backend that should be used with caution. Refer to - [Experimental WAL LogStore backend](/consul/docs/agent/wal-logstore) + [Experimental WAL LogStore backend](/consul/docs/deploy/server/wal/) for more information. - `disable_log_cache` ((#raft_logstore_disable_log_cache)) Disables the in-memory cache for recent logs. We recommend using it for performance testing purposes, as no significant improvement has been measured when the cache is disabled. While the in-memory log cache theoretically prevents disk reads for recent logs, recent logs are also stored in the OS page cache, which does not slow either the `boltdb` or `wal` backend's ability to read them. @@ -1680,7 +1708,7 @@ subsystem that provides Consul's service mesh capabilities. data directory, and restart so it can be caught back up with a correct server again. Please report verification failures including details about your hardware and workload via GitHub issues. Refer to - [Experimental WAL LogStore backend](/consul/docs/agent/wal-logstore) + [Experimental WAL LogStore backend](/consul/docs/deploy/server/wal/) for more information. - `enabled` ((#raft_logstore_verification_enabled)) - Set to `true` to @@ -1704,8 +1732,8 @@ subsystem that provides Consul's service mesh capabilities. because Consul must scan the database to find free space within the file. - - `wal` ((#raft_logstore_wal)) - Object that configures the `wal` backend. - Refer to [Experimental WAL LogStore backend](/consul/docs/agent/wal-logstore) + - - `wal` ((#raft_logstore_wal)) - Object that configures the `wal` backend. + Refer to [Experimental WAL LogStore backend](/consul/docs/deploy/server/wal/) for more information. - `segment_size_mb` ((#raft_logstore_wal_segment_size_mb)) - Integer value @@ -1719,7 +1747,7 @@ subsystem that provides Consul's service mesh capabilities. configuration for performance testing purposes. - `raft_protocol` ((#raft_protocol)) Equivalent to the [`-raft-protocol` - command-line flag](/consul/docs/agent/config/cli-flags#_raft_protocol). + command-line flag](/consul/docsreference-cli/agent#_raft_protocol). - `raft_snapshot_threshold` ((#\_raft_snapshot_threshold)) This controls the minimum number of raft commit entries between snapshots that are saved to @@ -1768,14 +1796,14 @@ subsystem that provides Consul's service mesh capabilities. ## Serf Parameters -- `serf_lan` ((#serf_lan_bind)) Equivalent to the [`-serf-lan-bind` command-line flag](/consul/docs/agent/config/cli-flags#_serf_lan_bind). +- `serf_lan` ((#serf_lan_bind)) Equivalent to the [`-serf-lan-bind` command-line flag](/consul/docsreference-cli/agent#_serf_lan_bind). This is an IP address, not to be confused with [`ports.serf_lan`](#serf_lan_port). -- `serf_lan_allowed_cidrs` ((#serf_lan_allowed_cidrs)) Equivalent to the [`-serf-lan-allowed-cidrs` command-line flag](/consul/docs/agent/config/cli-flags#_serf_lan_allowed_cidrs). +- `serf_lan_allowed_cidrs` ((#serf_lan_allowed_cidrs)) Equivalent to the [`-serf-lan-allowed-cidrs` command-line flag](/consul/docsreference-cli/agent#_serf_lan_allowed_cidrs). -- `serf_wan` ((#serf_wan_bind)) Equivalent to the [`-serf-wan-bind` command-line flag](/consul/docs/agent/config/cli-flags#_serf_wan_bind). +- `serf_wan` ((#serf_wan_bind)) Equivalent to the [`-serf-wan-bind` command-line flag](/consul/docsreference-cli/agent#_serf_wan_bind). -- `serf_wan_allowed_cidrs` ((#serf_wan_allowed_cidrs)) Equivalent to the [`-serf-wan-allowed-cidrs` command-line flag](/consul/docs/agent/config/cli-flags#_serf_wan_allowed_cidrs). +- `serf_wan_allowed_cidrs` ((#serf_wan_allowed_cidrs)) Equivalent to the [`-serf-wan-allowed-cidrs` command-line flag](/consul/docsreference-cli/agent#_serf_wan_allowed_cidrs). ## Telemetry Parameters @@ -1842,9 +1870,6 @@ subsystem that provides Consul's service mesh capabilities. - `disable_hostname` ((#telemetry-disable_hostname)) Set to `true` to stop prepending the machine's hostname to gauge-type metrics. Default is `false`. - - `disable_per_tenancy_usage_metrics` ((#telemetry-disable_per_tenancy_usage_metrics)) - Set to `true` to exclude tenancy labels from usage metrics. This significantly decreases CPU utilization in clusters with many admin partitions or namespaces. - - `dogstatsd_addr` ((#telemetry-dogstatsd_addr)) This provides the address of a DogStatsD instance in the format `host:port`. DogStatsD is a protocol-compatible flavor of statsd, with the added ability to decorate metrics with tags and event @@ -1937,8 +1962,8 @@ subsystem that provides Consul's service mesh capabilities. ## UI Parameters -- `ui` - **This field is deprecated in Consul 1.9.0. See the [`ui_config.enabled`](#ui_config_enabled) field instead.** - Equivalent to the [`-ui`](/consul/docs/agent/config/cli-flags#_ui) command-line flag. +- `ui` - **This field is deprecated in Consul 1.9.0. Refer to the [`ui_config.enabled`](#ui_config_enabled) field instead.** + Equivalent to the [`-ui`](/consul/docsreference-cli/agent#_ui) command-line flag. - `ui_config` - This object allows a number of sub-keys to be set which controls the display or features available in the UI. Configuring the UI with this @@ -1949,16 +1974,16 @@ subsystem that provides Consul's service mesh capabilities. - `enabled` ((#ui_config_enabled)) - This enables the service of the web UI from this agent. Boolean value, defaults to false. In `-dev` mode this defaults to true. Replaces `ui` from before 1.9.0. Equivalent to the - [`-ui`](/consul/docs/agent/config/cli-flags#_ui) command-line flag. + [`-ui`](/consul/docsreference-cli/agent#_ui) command-line flag. - `dir` ((#ui_config_dir)) - This specifies that the web UI should be served from an external dir rather than the build in one. This allows for customization or development. Replaces `ui_dir` from before 1.9.0. - Equivalent to the [`-ui-dir`](/consul/docs/agent/config/cli-flags#_ui_dir) command-line flag. + Equivalent to the [`-ui-dir`](/consul/docsreference-cli/agent#_ui_dir) command-line flag. - `content_path` ((#ui_config_content_path)) - This specifies the HTTP path that the web UI should be served from. Defaults to `/ui/`. Equivalent to the - [`-ui-content-path`](/consul/docs/agent/config/cli-flags#_ui_content_path) flag. + [`-ui-content-path`](/consul/docsreference-cli/agent#_ui_content_path) flag. - `metrics_provider` ((#ui_config_metrics_provider)) - Specifies a named metrics provider implementation the UI should use to fetch service metrics. @@ -1973,11 +1998,15 @@ subsystem that provides Consul's service mesh capabilities. implementations and registration enabling UI metric queries to be customized or implemented for an alternative time-series backend. - ~> **Security Note:** These javascript files are included in the UI with no + + + These javascript files are included in the UI with no further validation or sand-boxing. By configuring them here the operator is fully trusting anyone able to write to them as well as the original authors not to include malicious code in the UI being served. + + - `metrics_provider_options_json` ((#ui_config_metrics_provider_options_json)) - This is an optional raw JSON object as a string which is passed to the provider implementation's `init` method at startup to allow arbitrary @@ -1991,15 +2020,19 @@ subsystem that provides Consul's service mesh capabilities. serving graphs to UI users without them needing individual access tokens for the metrics backend. - ~> **Security Note:** Exposing your metrics backend via Consul in this way + + + Exposing your metrics backend via Consul in this way should be carefully considered in production. As Consul doesn't understand the requests, it can't limit access to only specific resources. For example **this might make it possible for a malicious user on the network to query for arbitrary metrics about any server or workload in your infrastructure, - or overload the metrics infrastructure with queries**. See [Metrics Proxy - Security](/consul/docs/connect/observability/ui-visualization#metrics-proxy-security) + or overload the metrics infrastructure with queries**. Refer to [Metrics Proxy + Security](/consul/docs/observe/mesh/vm#metrics-proxy-security) for more details. + + The following sub-keys are available: - `base_url` ((#ui_config_metrics_provider_base_url)) - This is required to @@ -2016,10 +2049,10 @@ subsystem that provides Consul's service mesh capabilities. `base_url`. It defaults to `["/api/v1/query_range", "/api/v1/query"]` which are the endpoints required for the built-in Prometheus provider. If a [custom - provider](/consul/docs/connect/observability/ui-visualization#custom-metrics-providers) + provider](/consul/docs/observe/mesh/vm#custom-metrics-providers) is used that requires the metrics proxy, the correct allowlist must be - specified to enable proxying to necessary endpoints. See [Path - Allowlist](/consul/docs/connect/observability/ui-visualization#path-allowlist) + specified to enable proxying to necessary endpoints. Refer to [Path + Allowlist](/consul/docs/observe/mesh/vm#path-allowlist) for more information. - `add_headers` ((#ui_config_metrics_proxy_add_headers)) - This is an @@ -2044,15 +2077,15 @@ subsystem that provides Consul's service mesh capabilities. correct values in content when rendered in the UI. The placeholders available are listed for each template. - For more information and examples see [UI - Visualization](/consul/docs/connect/observability/ui-visualization#configuring-dashboard-urls) + For more information and examples refer to [UI + Visualization](/consul/docs/observe/mesh/vm#configuring-dashboard-urls) The following named templates are defined: - `service` ((#ui_config_dashboard_url_templates_service)) - This is the URL to use when linking to the dashboard for a specific service. It is shown as part of the [Topology - Visualization](/consul/docs/connect/observability/ui-visualization). + Visualization](/consul/docs/observe/mesh/vm). The placeholders available are: @@ -2062,8 +2095,8 @@ subsystem that provides Consul's service mesh capabilities. partition or empty if admin partitions are not enabled. - `{{Datacenter}}` - Replaced with the current service's datacenter. -- `ui_dir` - **This field is deprecated in Consul 1.9.0. See the [`ui_config.dir`](#ui_config_dir) field instead.** - Equivalent to the [`-ui-dir`](/consul/docs/agent/config/cli-flags#_ui_dir) command-line +- `ui_dir` - **This field is deprecated in Consul 1.9.0. Refer to the [`ui_config.dir`](#ui_config_dir) field instead.** + Equivalent to the [`-ui-dir`](/consul/docsreference-cli/agent#_ui_dir) command-line flag. This configuration key is not required as of Consul version 0.7.0 and later. Specifying this configuration key will enable the web UI. There is no need to specify both ui-dir and ui. Specifying both will result in an error. @@ -2074,13 +2107,17 @@ This section documents all of the configuration settings that apply to Agent TLS TLS is used by the HTTP API, internal RPC, and gRPC/xDS interfaces. Some of these settings may also be applied automatically by [auto_config](#auto_config) or [auto_encrypt](#auto_encrypt). -~> **Security Note:** The Certificate Authority (CA) configured on the internal RPC interface + + +The Certificate Authority (CA) configured on the internal RPC interface (either explicitly by `tls.internal_rpc` or implicitly by `tls.defaults`) should be a private CA, not a public one. We recommend using a dedicated CA which should not be used with any other systems. Any certificate signed by the CA will be allowed to communicate with the cluster and a specially crafted certificate signed by the CA can be used to gain full access to Consul. -- `tls` Added in Consul 1.12, for previous versions see + + +- `tls` Added in Consul 1.12, for previous versions refer to [Deprecated Options](#tls_deprecated_options). - `defaults` ((#tls_defaults)) Provides default settings that will be applied @@ -2141,10 +2178,14 @@ specially crafted certificate signed by the CA can be used to gain full access t to TLS 1.2 and below only. The list of all ciphersuites supported by Consul is available in [the TLS configuration source code](https://github.com/hashicorp/consul/search?q=%22var+goTLSCipherSuites%22). - ~> **Note:** The ordering of cipher suites will not be guaranteed from - Consul 1.11 onwards. See this [post](https://go.dev/blog/tls-cipher-suites) + + + The ordering of cipher suites will not be guaranteed from + Consul 1.11 onwards. Refer to this [post](https://go.dev/blog/tls-cipher-suites) for details. + + - `verify_incoming` - ((#tls_defaults_verify_incoming)) If set to true, Consul requires that all incoming connections make use of TLS and that the client provides a certificate signed by a Certificate Authority from @@ -2160,7 +2201,7 @@ specially crafted certificate signed by the CA can be used to gain full access t will not make use of TLS for outgoing connections. This applies to clients and servers as both will make outgoing connections. This setting does not apply to the gRPC interface as Consul makes no outgoing connections on this - interface. When set to true for the HTTPS interface, this parameter applies to [watches](/consul/docs/dynamic-app-config/watches), which operate by making HTTPS requests to the local agent. + interface. - `grpc` ((#tls_grpc)) Provides settings for the gRPC/xDS interface. To enable the gRPC interface you must define a port via [`ports.grpc_tls`](#grpc_tls_port). @@ -2217,28 +2258,40 @@ specially crafted certificate signed by the CA can be used to gain full access t - `verify_incoming` - ((#tls_internal_rpc_verify_incoming)) Overrides [`tls.defaults.verify_incoming`](#tls_defaults_verify_incoming). - ~> **Security Note:** `verify_incoming` *must* be set to true to prevent + + + `verify_incoming` *must* be set to true to prevent anyone with access to the internal RPC port from gaining full access to the Consul cluster. + + - `verify_outgoing` ((#tls_internal_rpc_verify_outgoing)) Overrides [`tls.defaults.verify_outgoing`](#tls_defaults_verify_outgoing). - ~> **Security Note:** Servers that specify `verify_outgoing = true` will + + + Servers that specify `verify_outgoing = true` will always talk to other servers over TLS, but they still _accept_ non-TLS connections to allow for a transition of all clients to TLS. Currently the only way to enforce that no client can communicate with a server unencrypted is to also enable `verify_incoming` which requires client certificates too. + + - `verify_server_hostname` Overrides [tls.defaults.verify_server_hostname](#tls_defaults_verify_server_hostname). When set to true, Consul verifies the TLS certificate presented by the servers match the hostname `server..`. By default this is false, and Consul does not verify the hostname of the certificate, only that it is signed by a trusted CA. - ~> **Security Note:** `verify_server_hostname` *must* be set to true to prevent a + + + `verify_server_hostname` *must* be set to true to prevent a compromised client from gaining full read and write access to all cluster data *including all ACL tokens and service mesh CA root keys*. + + - `server_name` When provided, this overrides the [`node_name`](#_node) for the TLS certificate. It can be used to ensure that the certificate name matches the hostname we declare. @@ -2248,36 +2301,38 @@ specially crafted certificate signed by the CA can be used to gain full access t The following options were deprecated in Consul 1.12, please use the [`tls`](#tls-1) stanza instead. -- `ca_file` See: [`tls.defaults.ca_file`](#tls_defaults_ca_file). +- `ca_file` Refer to : [`tls.defaults.ca_file`](#tls_defaults_ca_file). -- `ca_path` See: [`tls.defaults.ca_path`](#tls_defaults_ca_path). +- `ca_path` Refer to : [`tls.defaults.ca_path`](#tls_defaults_ca_path). -- `cert_file` See: [`tls.defaults.cert_file`](#tls_defaults_cert_file). +- `cert_file` Refer to : [`tls.defaults.cert_file`](#tls_defaults_cert_file). -- `key_file` See: [`tls.defaults.key_file`](#tls_defaults_key_file). +- `key_file` Refer to : [`tls.defaults.key_file`](#tls_defaults_key_file). - `tls_min_version` Added in Consul 0.7.4. - See: [`tls.defaults.tls_min_version`](#tls_defaults_tls_min_version). + Refer to : [`tls.defaults.tls_min_version`](#tls_defaults_tls_min_version). - `tls_cipher_suites` Added in Consul 0.8.2. - See: [`tls.defaults.tls_cipher_suites`](#tls_defaults_tls_cipher_suites). + Refer to : [`tls.defaults.tls_cipher_suites`](#tls_defaults_tls_cipher_suites). - `tls_prefer_server_cipher_suites` Added in Consul 0.8.2. This setting will - be ignored (see [this post](https://go.dev/blog/tls-cipher-suites) for details). + be ignored (refer to [this post](https://go.dev/blog/tls-cipher-suites) for details). -- `verify_incoming` See: [`tls.defaults.verify_incoming`](#tls_defaults_verify_incoming). +- `verify_incoming` Refer to : [`tls.defaults.verify_incoming`](#tls_defaults_verify_incoming). -- `verify_incoming_rpc` See: [`tls.internal_rpc.verify_incoming`](#tls_internal_rpc_verify_incoming). +- `verify_incoming_rpc` Refer to : [`tls.internal_rpc.verify_incoming`](#tls_internal_rpc_verify_incoming). -- `verify_incoming_https` See: [`tls.https.verify_incoming`](#tls_https_verify_incoming). +- `verify_incoming_https` Refer to : [`tls.https.verify_incoming`](#tls_https_verify_incoming). -- `verify_outgoing` See: [`tls.defaults.verify_outgoing`](#tls_defaults_verify_outgoing). +- `verify_outgoing` Refer to : [`tls.defaults.verify_outgoing`](#tls_defaults_verify_outgoing). -- `verify_server_hostname` See: [`tls.internal_rpc.verify_server_hostname`](#tls_internal_rpc_verify_server_hostname). +- `verify_server_hostname` Refer to : [`tls.internal_rpc.verify_server_hostname`](#tls_internal_rpc_verify_server_hostname). ### Example Configuration File, with TLS -~> **Security Note:** all three verify options should be set as `true` to enable + + +All three verify options should be set as `true` to enable secure mTLS communication, enabling both encryption and authentication. Failing to set [`verify_incoming`](#tls_defaults_verify_incoming) or [`verify_outgoing`](#tls_defaults_verify_outgoing) either in the @@ -2286,7 +2341,9 @@ interface-specific stanza (e.g. `tls.internal_rpc`, `tls.https`) or in a [`ca_file`](#tls_defaults_ca_file), [`cert_file`](#tls_defaults_cert_file), and [`key_file`](#tls_defaults_key_file). -See, especially, the use of the `ports` setting highlighted below. + + +Refer to , especially, the use of the `ports` setting highlighted below. diff --git a/website/content/docs/agent/monitor/telemetry.mdx b/website/content/docs/reference/agent/telemetry.mdx similarity index 84% rename from website/content/docs/agent/monitor/telemetry.mdx rename to website/content/docs/reference/agent/telemetry.mdx index 322ec40997d..8d70298f6a7 100644 --- a/website/content/docs/agent/monitor/telemetry.mdx +++ b/website/content/docs/reference/agent/telemetry.mdx @@ -1,377 +1,19 @@ --- layout: docs -page_title: Agents - Enable Telemetry Metrics +page_title: Consul agent telemetry metrics reference description: >- Configure agent telemetry to collect operations metrics you can use to debug and observe Consul behavior and performance. Learn about configuration options, the metrics you can collect, and why they're important. --- -# Agent Telemetry +## Consul agent telemetry reference -The Consul agent collects various runtime metrics about the performance of -different libraries and subsystems. These metrics are aggregated on a ten -second (10s) interval and are retained for one minute. An _interval_ is the period of time between instances of data being collected and aggregated. +This page provides reference information for Consul agent events and the metrics they produce. -When telemetry is being streamed to an external metrics store, the interval is defined to be that store's flush interval. +For information about service mesh traffic metrics, refer to [Observe service mesh telemetry](/consul/docs/observe). -|External Store|Interval (seconds)| -|:--------|:--------| -|[dogstatsd](https://docs.datadoghq.com/developers/dogstatsd/?tab=hostagent#how-it-works)|10s| -|[Prometheus](https://vector.dev/docs/reference/configuration/sinks/prometheus_exporter/#flush_period_secs)| 60s| -|[statsd](https://github.com/statsd/statsd/blob/master/docs/metric_types.md#timing)|10s| +## Agent metrics -To view this data, you must send a signal to the Consul process: on Unix, -this is `USR1` while on Windows it is `BREAK`. Once Consul receives the signal, -it will dump the current telemetry information to the agent's `stderr`. - -This telemetry information can be used for debugging or otherwise -getting a better view of what Consul is doing. Review the [Monitoring and -Metrics tutorial](/consul/tutorials/day-2-operations/monitor-datacenter-health?utm_source=docs) to learn how collect and interpret Consul data. - -By default, all metric names of gauge type are prefixed with the hostname of the consul agent, e.g., -`consul.hostname.server.isLeader`. To disable prefixing the hostname, set -`telemetry.disable_hostname=true` in the [agent configuration](/consul/docs/agent/config/config-files#telemetry). - -Additionally, if the [`telemetry` configuration options](/consul/docs/agent/config/config-files#telemetry) -are provided, the telemetry information will be streamed to a -[statsite](http://github.com/armon/statsite) or [statsd](http://github.com/etsy/statsd) server where -it can be aggregated and flushed to Graphite or any other metrics store. -For a configuration example for Telegraf, review the [Monitoring with Telegraf tutorial](/consul/tutorials/day-2-operations/monitor-health-telegraf?utm_source=docs). - -This -information can also be viewed with the [metrics endpoint](/consul/api-docs/agent#view-metrics) in JSON -format or using [Prometheus](https://prometheus.io/) format. - - - -```log -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.num_goroutines': 19.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.alloc_bytes': 755960.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.malloc_count': 7550.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.free_count': 4387.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.heap_objects': 3163.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.total_gc_pause_ns': 1151002.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.total_gc_runs': 4.000 -[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.agent.ipc.accept': Count: 5 Sum: 5.000 -[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.agent.ipc.command': Count: 10 Sum: 10.000 -[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events': Count: 5 Sum: 5.000 -[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events.foo': Count: 4 Sum: 4.000 -[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events.baz': Count: 1 Sum: 1.000 -[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.memberlist.gossip': Count: 50 Min: 0.007 Mean: 0.020 Max: 0.041 Stddev: 0.007 Sum: 0.989 -[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.serf.queue.Intent': Count: 10 Sum: 0.000 -[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.serf.queue.Event': Count: 10 Min: 0.000 Mean: 2.500 Max: 5.000 Stddev: 2.121 Sum: 25.000 -``` - - - -# Key Metrics - -These are some metrics emitted that can help you understand the health of your cluster at a glance. A [Grafana dashboard](https://grafana.com/grafana/dashboards/13396) is also available, which is maintained by the Consul team and displays these metrics for easy visualization. For a full list of metrics emitted by Consul, see [Metrics Reference](#metrics-reference) - -### Transaction timing - -| Metric Name | Description | Unit | Type | -| :----------------------- | :----------------------------------------------------------------------------------- | :--------------------------- | :------ | -| `consul.kvs.apply` | Measures the time it takes to complete an update to the KV store. | ms | timer | -| `consul.txn.apply` | Measures the time spent applying a transaction operation. | ms | timer | -| `consul.raft.apply` | Counts the number of Raft transactions applied during the interval. This metric is only reported on the leader. | raft transactions / interval | counter | -| `consul.raft.commitTime` | Measures the time it takes to commit a new entry to the Raft log on the leader. | ms | timer | - -**Why they're important:** Taken together, these metrics indicate how long it takes to complete write operations in various parts of the Consul cluster. Generally these should all be fairly consistent and no more than a few milliseconds. Sudden changes in any of the timing values could be due to unexpected load on the Consul servers, or due to problems on the servers themselves. - -**What to look for:** Deviations (in any of these metrics) of more than 50% from baseline over the previous hour. - -### Leadership changes - -| Metric Name | Description | Unit | Type | -| :------------------------------- | :------------------------------------------------------------------------------------------------------------- | :-------- | :------ | -| `consul.raft.leader.lastContact` | Measures the time since the leader was last able to contact the follower nodes when checking its leader lease. | ms | timer | -| `consul.raft.state.candidate` | Increments whenever a Consul server starts an election. | elections | counter | -| `consul.raft.state.leader` | Increments whenever a Consul server becomes a leader. | leaders | counter | -| `consul.server.isLeader` | Track if a server is a leader(1) or not(0). | 1 or 0 | gauge | - -**Why they're important:** Normally, your Consul cluster should have a stable leader. If there are frequent elections or leadership changes, it would likely indicate network issues between the Consul servers, or that the Consul servers themselves are unable to keep up with the load. - -**What to look for:** For a healthy cluster, you're looking for a `lastContact` lower than 200ms, `leader` > 0 and `candidate` == 0. Deviations from this might indicate flapping leadership. - -### Certificate Authority Expiration - -| Metric Name | Description | Unit | Type | -| :------------------------- | :---------------------------------------------------------------------------------- | :------ | :---- | -| `consul.mesh.active-root-ca.expiry` | The number of seconds until the root CA expires, updated every hour. | seconds | gauge | -| `consul.mesh.active-signing-ca.expiry` | The number of seconds until the signing CA expires, updated every hour. | seconds | gauge | -| `consul.agent.tls.cert.expiry` | The number of seconds until the server agent's TLS certificate expires, updated every hour. | seconds | gauge | - -** Why they're important:** Consul Mesh requires a CA to sign all certificates -used to connect the mesh and the mesh network ceases to work if they expire and -become invalid. The Root is particularly important to monitor as Consul does -not automatically rotate it. The TLS certificate metric monitors the certificate -that the server's agent uses to connect with the other agents in the cluster. - -** What to look for:** The Root CA should be monitored for an approaching -expiration, to indicate it is time for you to rotate the "root" CA either -manually or with external automation. Consul should rotate the signing (intermediate) certificate -automatically, but we recommend monitoring the rotation. When the certificate does not rotate, check the server agent logs for -messages related to the CA system. The agent TLS certificate's rotation handling -varies based on the configuration. - -### Autopilot - -| Metric Name | Description | Unit | Type | -| :------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------- | :---- | -| `consul.autopilot.healthy` | Tracks the overall health of the local server cluster. If all servers are considered healthy by Autopilot, this will be set to 1. If any are unhealthy, this will be 0. | health state | gauge | - -**Why it's important:** Autopilot can expose the overall health of your cluster with a simple boolean. - -**What to look for:** Alert if `healthy` is 0. Some other indicators of an unhealthy cluster would be: -- `consul.raft.commitTime` - This can help reflect the speed of state store -changes being performed by the agent. If this number is rising, the server may -be experiencing an issue due to degraded resources on the host. -- [Leadership change metrics](#leadership-changes) - Check for deviation from -the recommended values. This can indicate failed leadership elections or -flapping nodes. - -### Memory usage - -| Metric Name | Description | Unit | Type | -| :--------------------------- | :----------------------------------------------------------------- | :---- | :---- | -| `consul.runtime.alloc_bytes` | Measures the number of bytes allocated by the Consul process. | bytes | gauge | -| `consul.runtime.sys_bytes` | Measures the total number of bytes of memory obtained from the OS. | bytes | gauge | - -**Why they're important:** Consul keeps all of its data in memory. If Consul consumes all available memory, it will crash. - -**What to look for:** If `consul.runtime.sys_bytes` exceeds 90% of total available system memory. - -**NOTE:** This metric is calculated using Go's runtime package -[MemStats](https://golang.org/pkg/runtime/#MemStats). This will have a -different output than using information gathered from `top`. For more -information, see [GH-4734](https://github.com/hashicorp/consul/issues/4734). - -### Garbage collection - -| Metric Name | Description | Unit | Type | -| :--------------------------------- | :---------------------------------------------------------------------------------------------------- | :--- | :---- | -| `consul.runtime.total_gc_pause_ns` | Number of nanoseconds consumed by stop-the-world garbage collection (GC) pauses since Consul started. | ns | gauge | - -**Why it's important:** GC pause is a "stop-the-world" event, meaning that all runtime threads are blocked until GC completes. Normally these pauses last only a few nanoseconds. But if memory usage is high, the Go runtime may GC so frequently that it starts to slow down Consul. - -**What to look for:** Warning if `total_gc_pause_ns` exceeds 2 seconds/minute, critical if it exceeds 5 seconds/minute. - -**NOTE:** `total_gc_pause_ns` is a cumulative counter, so in order to calculate rates (such as GC/minute), -you will need to apply a function such as InfluxDB's [`non_negative_difference()`](https://docs.influxdata.com/influxdb/v1.5/query_language/functions/#non-negative-difference). - -### Network activity - RPC Count - -| Metric Name | Description | Unit | Type | -| :--------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- | :------ | -| `consul.client.rpc` | Increments whenever a Consul agent makes an RPC request to a Consul server | requests | counter | -| `consul.client.rpc.exceeded` | Increments whenever a Consul agent makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/consul/docs/agent/config/config-files#limits) configuration. | requests | counter | -| `consul.client.rpc.failed` | Increments whenever a Consul agent makes an RPC request to a Consul server and fails. | requests | counter | - -**Why they're important:** These measurements indicate the current load created from a Consul agent, including when the load becomes high enough to be rate limited. A high RPC count, especially from `consul.client.rpcexceeded` meaning that the requests are being rate-limited, could imply a misconfigured Consul agent. - -**What to look for:** -Sudden large changes to the `consul.client.rpc` metrics (greater than 50% deviation from baseline). -`consul.client.rpc.exceeded` or `consul.client.rpc.failed` count > 0, as it implies that an agent is being rate-limited or fails to make an RPC request to a Consul server - -### Raft Thread Saturation - -| Metric Name | Description | Unit | Type | -| :----------------------------------- | :----------------------------------------------------------------------------------------------------------------------- | :--------- | :----- | -| `consul.raft.thread.main.saturation` | An approximate measurement of the proportion of time the main Raft goroutine is busy and unavailable to accept new work. | percentage | sample | -| `consul.raft.thread.fsm.saturation` | An approximate measurement of the proportion of time the Raft FSM goroutine is busy and unavailable to accept new work. | percentage | sample | - -**Why they're important:** These measurements are a useful proxy for how much -capacity a Consul server has to accept additional write load. High saturation -of the Raft goroutines can lead to elevated latency in the rest of the system -and cause cluster instability. - -**What to look for:** Generally, a server's steady-state saturation should be -less than 50%. - -**NOTE:** These metrics are approximate and under extremely heavy load won't -give a perfect fine-grained view of how much headroom a server has available. -Instead, treat them as an early warning sign. - -** Requirements: ** -* Consul 1.13.0+ - -### Raft Replication Capacity Issues - -| Metric Name | Description | Unit | Type | -| :--------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- | :------ | -| `consul.raft.fsm.lastRestoreDuration` | Measures the time taken to restore the FSM from a snapshot on an agent restart or from the leader calling installSnapshot. This is a gauge that holds it's value since most servers only restore during restarts which are typically infrequent. | ms | gauge | -| `consul.raft.leader.oldestLogAge` | The number of milliseconds since the _oldest_ log in the leader's log store was written. This can be important for replication health where write rate is high and the snapshot is large as followers may be unable to recover from a restart if restoring takes longer than the minimum value for the current leader. Compare this with `consul.raft.fsm.lastRestoreDuration` and `consul.raft.rpc.installSnapshot` to monitor. In normal usage this gauge value will grow linearly over time until a snapshot completes on the leader and the log is truncated. | ms | gauge | -| `consul.raft.rpc.installSnapshot` | Measures the time taken to process the installSnapshot RPC call. This metric should only be seen on agents which are currently in the follower state. | ms | timer | - -**Why they're important:** These metrics allow operators to monitor the health -and capacity of raft replication on servers. **When Consul is handling large -amounts of data and high write throughput** it is possible for the cluster to -get into the following state: - * Write throughput is high (say 500 commits per second or more) and constant - * The leader is writing out a large snapshot every minute or so - * The snapshot is large enough that it takes considerable time to restore from - disk on a restart or from the leader if a follower gets behind - * Disk IO available allows the leader to write a snapshot faster than it can be - restored from disk on a follower - -Under these conditions, a follower after a restart may be unable to catch up on -replication and become a voter again since it takes longer to restore from disk -or the leader than the leader takes to write a new snapshot and truncate its -logs. Servers retain -[`raft_trailing_logs`](/consul/docs/agent/config/config-files#raft_trailing_logs) (default -`10240`) log entries even if their snapshot was more recent. On a leader -processing 500 commits/second, that is only about 20 seconds worth of logs. -Assuming the leader is able to write out a snapshot and truncate the logs in -less than 20 seconds, there will only be 20 seconds worth of "recent" logs -available on the leader right after the leader has taken a snapshot and never -more than about 80 seconds worth assuming it is taking a snapshot and truncating -logs every 60 seconds. - -In this state, followers must be able to restore a snapshot into memory and -resume replication in under 80 seconds otherwise they will never be able to -rejoin the cluster until write rates reduce. If they take more than 20 seconds -then there will be a chance that they are unlucky with timing when they restart -and have to download a snapshot again from the servers one or more times. If -they take 50 seconds or more then they will likely fail to catch up more often -than they succeed and will remain non-voters for some time until they happen to -complete the restore just before the leader truncates its logs. - -In the worst case, the follower will be left continually downloading snapshots -from the leader which are always too old to use by the time they are restored. -This can put additional strain on the leader transferring large snapshots -repeatedly as well as reduce the fault tolerance and serving capacity of the -cluster. - -Since Consul 1.5.3 -[`raft_trailing_logs`](/consul/docs/agent/config/config-files#raft_trailing_logs) has been -configurable. Increasing it allows the leader to retain more logs and give -followers more time to restore and catch up. The tradeoff is potentially -slower appends which eventually might affect write throughput and latency -negatively so setting it arbitrarily high is not recommended. Before Consul -1.10.0 it required a rolling restart to change this configuration on the leader -though and since no followers could restart without loosing health this could -mean loosing cluster availability and needing to recover the cluster from a loss -of quorum. - -Since Consul 1.10.0 -[`raft_trailing_logs`](/consul/docs/agent/config/config-files#raft_trailing_logs) is now -reloadable with `consul reload` or `SIGHUP` allowing operators to increase this -without the leader restarting or loosing leadership allowing the cluster to be -recovered gracefully. - -Monitoring these metrics can help avoid or diagnose this state. - -**What to look for:** - -`consul.raft.leader.oldestLogAge` should look like a saw-tooth wave increasing -linearly with time until the leader takes a snapshot and then jumping down as -the oldest logs are truncated. The lowest point on that line should remain -comfortably higher (i.e. 2x or more) than the time it takes to restore a -snapshot. - -There are two ways a snapshot can be restored on a follower: from disk on -startup or from the leader during an `installSnapshot` RPC. The leader only -sends an `installSnapshot` RPC if the follower is new and has no state, or if -it's state is too old for it to catch up with the leaders logs. - -`consul.raft.fsm.lastRestoreDuration` shows the time it took to restore from -either source the last time it happened. Most of the time this is when the -server was started. It's a gauge that will always show the last restore duration -(in Consul 1.10.0 and later) however long ago that was. - -`consul.raft.rpc.installSnapshot` is the timing information from the leader's -perspective when it installs a new snapshot on a follower. It includes the time -spent transferring the data as well as the follower restoring it. Since these -events are typically infrequent, you may need to graph the last value observed, -for example using `max_over_time` with a large range in Prometheus. While the -restore part will also be reflected in `lastRestoreDuration`, it can be useful -to observe this too since the logs need to be able to cover this entire -operation including the snapshot delivery to ensure followers can always catch -up safely. - -Graphing `consul.raft.leader.oldestLogAge` on the same axes as the other two -metrics here can help see at a glance if restore times are creeping dangerously -close to the limit of what the leader is retaining at the current write rate. - -Note that if servers don't restart often, then the snapshot could have grown -significantly since the last restore happened so last restore times might not -reflect what would happen if an agent restarts now. - -### License Expiration - -| Metric Name | Description | Unit | Type | -| :-------------------------------- | :--------------------------------------------------------------- | :---- | :---- | -| `consul.system.licenseExpiration` | Number of hours until the Consul Enterprise license will expire. | hours | gauge | - -**Why they're important:** - -This measurement indicates how many hours are left before the Consul Enterprise license expires. When the license expires some -Consul Enterprise features will cease to work. An example of this is that after expiration, it is no longer possible to create -or modify resources in non-default namespaces or to manage namespace definitions themselves even though reads of namespaced -resources will still work. - -**What to look for:** - -This metric should be monitored to ensure that the license doesn't expire to prevent degradation of functionality. - - -### Bolt DB Performance - -| Metric Name | Description | Unit | Type | -| :-------------------------------- | :--------------------------------------------------------------- | :---- | :---- | -| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_logstore.boltdb.no_freelist_sync`](/consul/docs/agent/config/config-files#raft_logstore_boltdb_no_freelist_sync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge | -| `consul.raft.boltdb.logsPerBatch` | Measures the number of logs being written per batch to the db. | logs | sample | -| `consul.raft.boltdb.storeLogs` | Measures the amount of time spent writing logs to the db. | ms | timer | -| `consul.raft.boltdb.writeCapacity` | Theoretical write capacity in terms of the number of logs that can be written per second. Each sample outputs what the capacity would be if future batched log write operations were similar to this one. This similarity encompasses 4 things: batch size, byte size, disk performance and boltdb performance. While none of these will be static and its highly likely individual samples of this metric will vary, aggregating this metric over a larger time window should provide a decent picture into how this BoltDB store can perform | logs/second | sample | - - -** Requirements: ** -* Consul 1.11.0+ - -**Why they're important:** - -The `consul.raft.boltdb.storeLogs` metric is a direct indicator of disk write performance of a Consul server. If there are issues with the disk or -performance degradations related to Bolt DB, these metrics will show the issue and potentially the cause as well. - -**What to look for:** - -The primary thing to look for are increases in the `consul.raft.boltdb.storeLogs` times. Its value will directly govern an -upper limit to the throughput of write operations within Consul. - -In Consul each write operation will turn into a single Raft log to be committed. Raft will process these -logs and store them within Bolt DB in batches. Each call to store logs within Bolt DB is measured to record how long -it took as well as how many logs were contained in the batch. Writing logs in this fashion is serialized so that -a subsequent log storage operation can only be started after the previous one completed. The maximum number -of log storage operations that can be performed each second is represented with the `consul.raft.boltdb.writeCapacity` -metric. When log storage operations are becoming slower you may not see an immediate decrease in write capacity -due to increased batch sizes of the each operation. However, the max batch size allowed is 64 logs. Therefore if -the `logsPerBatch` metric is near 64 and the `storeLogs` metric is seeing increased time to write each batch to disk, -then it is likely that increased write latencies and other errors may occur. - -There can be a number of potential issues that can cause this. Often times it could be performance of the underlying -disks that is the issue. Other times it may be caused by Bolt DB behavior. Bolt DB keeps track of free space within -the `raft.db` file. When needing to allocate data it will use existing free space first before further expanding the -file. By default, Bolt DB will write a data structure containing metadata about free pages within the DB to disk for -every log storage operation. Therefore if the free space within the database grows excessively large, such as after -a large spike in writes beyond the normal steady state and a subsequent slow down in the write rate, then Bolt DB -could end up writing a large amount of extra data to disk for each log storage operation. This has the potential -to drastically increase disk write throughput, potentially beyond what the underlying disks can keep up with. To -detect this situation you can look at the `consul.raft.boltdb.freelistBytes` metric. This metric is a count of -the extra bytes that are being written for each log storage operation beyond the log data itself. While not a clear -indicator of an actual issue, this metric can be used to diagnose why the `consul.raft.boltdb.storeLogs` metric -is high. - -If Bolt DB log storage performance becomes an issue and is caused by free list management then setting -[`raft_logstore.boltdb.no_freelist_sync`](/consul/docs/agent/config/config-files#raft_logstore_boltdb_no_freelist_sync) to `true` in the server's configuration -may help to reduce disk IO and log storage operation times. Disabling free list syncing will however increase -the startup time for a server as it must scan the raft.db file for free space instead of loading the already -populated free list structure. - -Consul includes an experiment backend configuration that you can use instead of BoldDB. Refer to [Experimental WAL LogStore backend](/consul/docs/agent/wal-logstore) for more information. - -## Metrics Reference - -This is a full list of metrics emitted by Consul. +The following table describes the metrics that Consul agents emit. | Metric | Description | Unit | Type | |--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|---------| @@ -379,7 +21,7 @@ This is a full list of metrics emitted by Consul. | `consul.acl.blocked.{check,node,service}.registration` | Increments whenever a registration fails for an entity (check, node or service) is blocked by an ACL. | requests | counter | | `consul.api.http` | This samples how long it takes to service the given HTTP request for the given verb and path. Includes labels for `path` and `method`. `path` does not include details like service or key names, for these an underscore will be present as a placeholder (eg. path=`v1.kv._`) | ms | timer | | `consul.client.rpc` | Increments whenever a Consul agent makes an RPC request to a Consul server. This gives a measure of how much a given agent is loading the Consul servers. Currently, this is only generated by agents in client mode, not Consul servers. | requests | counter | -| `consul.client.rpc.exceeded` | Increments whenever a Consul agent makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/consul/docs/agent/config/config-files#limits) configuration. This gives an indication that there's an abusive application making too many requests on the agent, or that the rate limit needs to be increased. Currently, this only applies to agents in client mode, not Consul servers. | rejected requests | counter | +| `consul.client.rpc.exceeded` | Increments whenever a Consul agent makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/consul/docs/reference/agent#limits) configuration. This gives an indication that there's an abusive application making too many requests on the agent, or that the rate limit needs to be increased. Currently, this only applies to agents in client mode, not Consul servers. | rejected requests | counter | | `consul.client.rpc.failed` | Increments whenever a Consul agent makes an RPC request to a Consul server and fails. | requests | counter | | `consul.client.api.catalog_register` | Increments whenever a Consul agent receives a catalog register request. | requests | counter | | `consul.client.api.success.catalog_register` | Increments whenever a Consul agent successfully responds to a catalog register request. | requests | counter | @@ -444,7 +86,7 @@ These metrics are used to monitor the health of the Consul servers. | `consul.raft.applied_index` | Represents the raft applied index. | index | gauge | | `consul.raft.apply` | Counts the number of Raft transactions occurring over the interval, which is a general indicator of the write load on the Consul servers. | raft transactions / interval | counter | | `consul.raft.barrier` | Counts the number of times the agent has started the barrier i.e the number of times it has issued a blocking call, to ensure that the agent has all the pending operations that were queued, to be applied to the agent's FSM. | blocks / interval | counter | -| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_logstore.boltdb.no_freelist_sync`](/consul/docs/agent/config/config-files#raft_logstore_boltdb_no_freelist_sync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge | +| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_logstore.boltdb.no_freelist_sync`](/consul/docs/reference/agent#raft_logstore_boltdb_no_freelist_sync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge | | `consul.raft.boltdb.freePageBytes` | Represents the number of bytes of free space within the raft.db file. | bytes | gauge | | `consul.raft.boltdb.getLog` | Measures the amount of time spent reading logs from the db. | ms | timer | | `consul.raft.boltdb.logBatchSize` | Measures the total size in bytes of logs being written to the db in a single batch. | bytes | sample | @@ -479,11 +121,11 @@ These metrics are used to monitor the health of the Consul servers. | `consul.raft.leader.dispatchLog` | Measures the time it takes for the leader to write log entries to disk. | ms | timer | | `consul.raft.leader.dispatchNumLogs` | Measures the number of logs committed to disk in a batch. | logs | gauge | | `consul.raft.logstore.verifier.checkpoints_written` | Counts the number of checkpoint entries written to the LogStore. | checkpoints | counter | -| `consul.raft.logstore.verifier.dropped_reports` | Counts how many times the verifier routine was still busy when the next checksum came in and so verification for a range was skipped. If you see this happen, consider increasing the interval between checkpoints with [`raft_logstore.verification.interval`](/consul/docs/agent/config/config-files#raft_logstore_verification) | reports dropped | counter | -| `consul.raft.logstore.verifier.ranges_verified` | Counts the number of log ranges for which a verification report has been completed. Refer to [Monitor Raft metrics and logs for WAL](/consul/docs/agent/wal-logstore/monitoring) for more information. | log ranges verifications | counter | -| `consul.raft.logstore.verifier.read_checksum_failures` | Counts the number of times a range of logs between two check points contained at least one disk corruption. Refer to [Monitor Raft metrics and logs for WAL](/consul/docs/agent/wal-logstore/monitoring) for more information. | disk corruptions | counter | +| `consul.raft.logstore.verifier.dropped_reports` | Counts how many times the verifier routine was still busy when the next checksum came in and so verification for a range was skipped. If you see this happen, consider increasing the interval between checkpoints with [`raft_logstore.verification.interval`](/consul/docs/reference/agent#raft_logstore_verification) | reports dropped | counter | +| `consul.raft.logstore.verifier.ranges_verified` | Counts the number of log ranges for which a verification report has been completed. Refer to [Monitor Raft metrics and logs for WAL](/consul/docs/deploy/server/wal/monitor-raft) for more information. | log ranges verifications | counter | +| `consul.raft.logstore.verifier.read_checksum_failures` | Counts the number of times a range of logs between two check points contained at least one disk corruption. Refer to [Monitor Raft metrics and logs for WAL](/consul/docs/deploy/server/wal/monitor-raft) for more information. | disk corruptions | counter | | `consul.raft.logstore.verifier.write_checksum_failures` | Counts the number of times a follower has a different checksum to the leader at the point where it writes to the log. This could be caused by either a disk-corruption on the leader (unlikely) or some other corruption of the log entries in-flight. | in-flight corruptions | counter | -| `consul.raft.leader.lastContact` | Measures the time since the leader was last able to contact the follower nodes when checking its leader lease. It can be used as a measure for how stable the Raft timing is and how close the leader is to timing out its lease.The lease timeout is 500 ms times the [`raft_multiplier` configuration](/consul/docs/agent/config/config-files#raft_multiplier), so this telemetry value should not be getting close to that configured value, otherwise the Raft timing is marginal and might need to be tuned, or more powerful servers might be needed. See the [Server Performance](/consul/docs/install/performance) guide for more details. | ms | timer | +| `consul.raft.leader.lastContact` | Measures the time since the leader was last able to contact the follower nodes when checking its leader lease. It can be used as a measure for how stable the Raft timing is and how close the leader is to timing out its lease.The lease timeout is 500 ms times the [`raft_multiplier` configuration](/consul/docs/reference/agent#raft_multiplier), so this telemetry value should not be getting close to that configured value, otherwise the Raft timing is marginal and might need to be tuned, or more powerful servers might be needed. See the [Server Performance](/consul/docs/deploy/server/vm/requirements) guide for more details. | ms | timer | | `consul.raft.leader.oldestLogAge` | The number of milliseconds since the _oldest_ log in the leader's log store was written. This can be important for replication health where write rate is high and the snapshot is large as followers may be unable to recover from a restart if restoring takes longer than the minimum value for the current leader. Compare this with `consul.raft.fsm.lastRestoreDuration` and `consul.raft.rpc.installSnapshot` to monitor. In normal usage this gauge value will grow linearly over time until a snapshot completes on the leader and the log is truncated. Note: this metric won't be emitted until the leader writes a snapshot. After an upgrade to Consul 1.10.0 it won't be emitted until the oldest log was written after the upgrade. | ms | gauge | | `consul.raft.replication.heartbeat` | Measures the time taken to invoke appendEntries on a peer, so that it doesn't timeout on a periodic basis. | ms | timer | | `consul.raft.replication.appendEntries` | Measures the time it takes to replicate log entries to followers. This is a general indicator of the load pressure on the Consul servers, as well as the performance of the communication between the servers. | ms | timer | @@ -595,29 +237,7 @@ These metrics are used to monitor the health of the Consul servers. ** Requirements: ** * Consul 1.12.0+ -The following label-based RPC metrics provide insight about the workload on a Consul server and the source of the workload. - -The [`prefix_filter`](/consul/docs/agent/config/config-files#telemetry-prefix_filter) telemetry configuration setting blocks or enables all RPC metric method calls. Specify the RPC metrics you want to allow in the `prefix_filter`: - - - -```hcl -telemetry { - prefix_filter = ["+consul.rpc.server.call"] -} -``` - -```json -{ - "telemetry": { - "prefix_filter": [ - "+consul.rpc.server.call" - ] - } -} -``` - - +Label based RPC metrics were added in Consul 1.12.0 as a Beta feature to better understand the workload on a Consul server and, where that workload is coming from. The following metric(s) provide that insight | Metric | Description | Unit | Type | | ------------------------------------- | --------------------------------------------------------- | ------ | --------- | @@ -666,6 +286,7 @@ Here is a Prometheus style example of an RPC metric and its labels: +Any metric in this section can be turned off with the [`prefix_filter`](/consul/docs/reference/agent#telemetry-prefix_filter). ## Cluster Health @@ -681,7 +302,7 @@ are allowed for . | `consul.memberlist.degraded.timeout` | Counts the number of times an agent was marked as a dead node, whilst not getting enough confirmations from a randomly selected list of agent nodes in an agent's membership. | occurrence / interval | counter | | `consul.memberlist.msg.dead` | Counts the number of times an agent has marked another agent to be a dead node. | messages / interval | counter | | `consul.memberlist.health.score` | Describes a node's perception of its own health based on how well it is meeting the soft real-time requirements of the protocol. This metric ranges from 0 to 8, where 0 indicates "totally healthy". This health score is used to scale the time between outgoing probes, and higher scores translate into longer probing intervals. For more details see section IV of the Lifeguard paper: https://arxiv.org/pdf/1707.00788.pdf | score | gauge | -| `consul.memberlist.msg.suspect` | Increments when an agent suspects another as failed when executing random probes as part of the gossip protocol. These can be an indicator of overloaded agents, network problems, or configuration errors where agents can not connect to each other on the [required ports](/consul/docs/agent/config/config-files#ports). | suspect messages received / interval | counter | +| `consul.memberlist.msg.suspect` | Increments when an agent suspects another as failed when executing random probes as part of the gossip protocol. These can be an indicator of overloaded agents, network problems, or configuration errors where agents can not connect to each other on the [required ports](/consul/docs/reference/agent#ports). | suspect messages received / interval | counter | | `consul.memberlist.tcp.accept` | Counts the number of times an agent has accepted an incoming TCP stream connection. | connections accepted / interval | counter | | `consul.memberlist.udp.sent/received` | Measures the total number of bytes sent/received by an agent through the UDP protocol. | bytes sent or bytes received / interval | counter | | `consul.memberlist.tcp.connect` | Counts the number of times an agent has initiated a push/pull sync with an other agent. | push/pull initiated / interval | counter | @@ -696,8 +317,8 @@ are allowed for . | `consul.memberlist.queue.broadcasts` | Measures the number of messages waiting to be broadcast to other gossip participants. | messages | sample | | `consul.memberlist.size.local` | Measures the size in bytes of the memberlist before it is sent to another gossip recipient. | bytes | gauge | | `consul.memberlist.size.remote` | Measures the size in bytes of incoming memberlists from other gossip participants. | bytes | gauge | -| `consul.serf.member.failed` | Increments when an agent is marked dead. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/consul/docs/agent/config/config-files#ports). | failures / interval | counter | -| `consul.serf.member.flap` | Available in Consul 0.7 and later, this increments when an agent is marked dead and then recovers within a short time period. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/consul/docs/agent/config/config-files#ports). | flaps / interval | counter | +| `consul.serf.member.failed` | Increments when an agent is marked dead. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/consul/docs/reference/agent#ports). | failures / interval | counter | +| `consul.serf.member.flap` | Available in Consul 0.7 and later, this increments when an agent is marked dead and then recovers within a short time period. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/consul/docs/reference/agent#ports). | flaps / interval | counter | | `consul.serf.member.join` | Increments when an agent joins the cluster. If an agent flapped or failed this counter also increments when it re-joins. | joins / interval | counter | | `consul.serf.member.left` | Increments when an agent leaves the cluster. | leaves / interval | counter | | `consul.serf.events` | Increments when an agent processes an [event](/consul/commands/event). Consul uses events internally so there may be additional events showing in telemetry. There are also a per-event counters emitted as `consul.serf.events.`. | events / interval | counter | @@ -761,11 +382,11 @@ agent. The table below describes the additional metrics exported by the proxy. **Requirements:** - Consul 1.13.0+ -[Cluster peering](/consul/docs/connect/cluster-peering) refers to Consul clusters that communicate through a peer connection, as opposed to a federated connection. Consul collects metrics that describe the number of services exported to a peered cluster. Peering metrics are only emitted by the leader server. These metrics are emitted every 9 seconds. +[Cluster peering](/consul/docs/east-west/cluster-peering) refers to Consul clusters that communicate through a peer connection, as opposed to a federated connection. Consul collects metrics that describe the number of services exported to a peered cluster. Peering metrics are only emitted by the leader server. These metrics are emitted every 9 seconds. | Metric | Description | Unit | Type | | ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | ------- | -| `consul.peering.exported_services` | Counts the number of services exported with [exported service configuration entries](/consul/docs/connect/config-entries/exported-services) to a peer cluster. | count | gauge | +| `consul.peering.exported_services` | Counts the number of services exported with [exported service configuration entries](/consul/docs/reference/config-entry/exported-services) to a peer cluster. | count | gauge | | `consul.peering.healthy` | Tracks the health of a peering connection as reported by the server. If Consul detects errors while sending or receiving from a peer which do not recover within a reasonable time, this metric returns 0. Healthy connections return 1. | health | gauge | ### Labels @@ -781,7 +402,7 @@ Consul attaches the following labels to metric values. ## Server Host Metrics Consul servers can report the following metrics about the host's system resources. -This feature must be enabled in the [agent telemetry configuration](/consul/docs/agent/config/config-files#telemetry-enable_host_metrics). +This feature must be enabled in the [agent telemetry configuration](/consul/docs/reference/agent#telemetry-enable_host_metrics). Note that if the Consul server is operating inside a container these metrics still report host resource usage and do not report any resource limits placed on the container. diff --git a/website/content/docs/connect/config-entries/api-gateway.mdx b/website/content/docs/reference/config-entry/api-gateway.mdx similarity index 88% rename from website/content/docs/connect/config-entries/api-gateway.mdx rename to website/content/docs/reference/config-entry/api-gateway.mdx index dc5d6f63e2a..023aa0816f6 100644 --- a/website/content/docs/connect/config-entries/api-gateway.mdx +++ b/website/content/docs/reference/config-entry/api-gateway.mdx @@ -1,12 +1,13 @@ --- layout: docs -page_title: API Gateway configuration reference -description: Learn how to configure a Consul API gateway on VMs. +page_title: API gateway configuration entry reference +description: >- + Learn how to configure a Consul API gateway on VMs. --- -# API gateway configuration reference +# API gateway configuration entry reference -This topic provides reference information for the API gateway configuration entry that you can deploy to networks in virtual machine (VM) environments. For reference information about configuring Consul API gateways on Kubernetes, refer to [Gateway Resource Configuration](/consul/docs/connect/gateways/api-gateway/configuration/gateway). +This topic provides reference information for the API gateway configuration entry that you can deploy to networks in virtual machine (VM) environments. For reference information about configuring Consul API gateways on Kubernetes, refer to [Gateway Resource Configuration](/consul/docs/reference/k8s/api-gateway/gateway). ## Introduction @@ -31,19 +32,19 @@ The following list outlines field hierarchy, language-specific data types, and r - [`MaxVersion`](#listeners-tls-maxversion): string | no default - [`CipherSuites`](#listeners-tls-ciphersuites): list of strings | Envoy default cipher suites - [`Certificates`](#listeners-tls-certificates): list of objects | no default - - [`Kind`](#listeners-tls-certificates-kind): string | no default + - [`Kind`](#listeners-tls-certificates-kind): string | must be `"inline-certificate"` - [`Name`](#listeners-tls-certificates-name): string | no default - [`Namespace`](#listeners-tls-certificates-namespace): string | no default - [`Partition`](#listeners-tls-certificates-partition): string | no default - [`default`](#listeners-default): map - - [`JWT`](#listeners-default-jwt): map + - [`JWT`](#listeners-default-jwt): map - [`Providers`](#listeners-default-jwt-providers): list - [`Name`](#listeners-default-jwt-providers): string - [`VerifyClaims`](#listeners-default-jwt-providers): map - [`Path`](#listeners-default-jwt-providers): list - [`Value`](#listeners-default-jwt-providers): string - [`override`](#listeners-override): map - - [`JWT`](#listeners-override-jwt): map + - [`JWT`](#listeners-override-jwt): map - [`Providers`](#listeners-override-jwt-providers): list - [`Name`](#listeners-override-jwt-providers): string - [`VerifyClaims`](#listeners-override-jwt-providers): map @@ -81,8 +82,8 @@ Listeners = [ ] Certificates = [ { - Kind = "file-system-certificate" - Name = "" + Kind = "inline-certificate" + Name = "" Namespace = "" Partition = "" } @@ -97,7 +98,7 @@ Listeners = [ Value = "" } ] - } + } } override = { JWT = { @@ -108,7 +109,7 @@ Listeners = [ Value = "" } ] - } + } } } ] @@ -136,8 +137,8 @@ Listeners = [ ], "Certificates": [ { - "Kind": "file-system-certificate", - "Name": "", + "Kind": "inline-certificate", + "Name": "", "Namespace": "", "Partition": "" } @@ -210,7 +211,7 @@ such as applying a configuration entry to a specific cluster. ### `Namespace` -Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to apply to the configuration entry. +Specifies the Enterprise [namespace](/consul/docs/segment/namespace) to apply to the configuration entry. #### Values @@ -219,7 +220,7 @@ Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to appl ### `Partition` -Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) to apply to the configuration entry. +Specifies the Enterprise [admin partition](/consul/docs/segment/admin-partition) to apply to the configuration entry. #### Values @@ -349,7 +350,7 @@ Specifies a list of cipher suites that the listener supports when negotiating co ### `Listeners[].TLS.Certificates[]` -The list of references to [file system](/consul/docs/connect/config-entries/file-system-certificate) or [inline certificates](/consul/docs/connect/config-entries/inline-certificate) that the listener uses for TLS termination. You should create the configuration entry for the certificate separately and then reference the configuration entry in the `Name` field. +The list of references to inline certificates that the listener uses for TLS termination. #### Values @@ -362,17 +363,17 @@ The list of references to [file system](/consul/docs/connect/config-entries/file ### `Listeners[].TLS.Certificates[].Kind` -The list of references to certificates that the listener uses for TLS termination. +The list of references to inline-certificates that the listener uses for TLS termination. #### Values - Default: None -- This field is required. -- The data type is one of the following string values: `"file-system-certificate"` or `"inline-certificate"`. +- This field is required and must be set to `"inline-certificate"`. +- Data type: string ### `Listeners[].TLS.Certificates[].Name` -Specifies the name of the [file system certificate](/consul/docs/connect/config-entries/file-system-certificate) or [inline certificate](/consul/docs/connect/config-entries/inline-certificate) that the listener uses for TLS termination. +The list of references to inline certificates that the listener uses for TLS termination. #### Values @@ -382,7 +383,7 @@ Specifies the name of the [file system certificate](/consul/docs/connect/config- ### `Listeners[].TLS.Certificates[].Namespace` -Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) where the certificate can be found. +Specifies the Enterprise [namespace](/consul/docs/segment/namespace) where the certificate can be found. #### Values @@ -391,7 +392,7 @@ Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) where t ### `Listeners[].TLS.Certificates[].Partition` -Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) where the certificate can be found. +Specifies the Enterprise [admin partition](/consul/docs/segment/admin-partition) where the certificate can be found. #### Values @@ -400,7 +401,7 @@ Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partiti ### `Listeners[].default` -Specifies a block of default configurations to apply to the gateway listener. All routes attached to the listener inherit the default configurations. You can specify override configurations that have precedence over default configurations in the [`override` block](#listeners-override) as well as in the `JWT` block in the [HTTP route configuration entry](/consul/docs/connect/config-entries/http-route). +Specifies a block of default configurations to apply to the gateway listener. All routes attached to the listener inherit the default configurations. You can specify override configurations that have precedence over default configurations in the [`override` block](#listeners-override) as well as in the `JWT` block in the [HTTP route configuration entry](/consul/docs/connect/config-entries/http-route). #### Values @@ -409,7 +410,7 @@ Specifies a block of default configurations to apply to the gateway listener. Al ### `Listeners[].default{}.JWT` -Specifies a block of default JWT verification configurations to apply to the gateway listener. Specify configurations that have precedence over the defaults in either the [`override.JWT` block](#listeners-override) or in the [`JWT` block](/consul/docs/connect/config-entries/http-route#rules-filters-jwt) in the HTTP route configuration. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) for order of precedence and other details about using JWT verification in API gateways. +Specifies a block of default JWT verification configurations to apply to the gateway listener. Specify configurations that have precedence over the defaults in either the [`override.JWT` block](#listeners-override) or in the [`JWT` block](/consul/docs/connect/config-entries/http-route#rules-filters-jwt) in the HTTP route configuration. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) for order of precedence and other details about using JWT verification in API gateways. #### Values @@ -418,7 +419,7 @@ Specifies a block of default JWT verification configurations to apply to the gat ### `Listeners[].default{}.JWT{}.Providers` -Specifies a list of default JWT provider configurations to apply to the gateway listener. A provider configuration contains the name of the provider and claims. Specify configurations that have precedence over the defaults in either the [`override.JWT.Providers` block](#listeners-override-providers) or in the [`JWT` block](/consul/docs/connect/config-entries/http-route#rules-filters-jwt-providers) of the HTTP route configuration. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) for order of precedence and other details about using JWT verification in API gateways. +Specifies a list of default JWT provider configurations to apply to the gateway listener. A provider configuration contains the name of the provider and claims. Specify configurations that have precedence over the defaults in either the [`override.JWT.Providers` block](#listeners-override-providers) or in the [`JWT` block](/consul/docs/connect/config-entries/http-route#rules-filters-jwt-providers) of the HTTP route configuration. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) for order of precedence and other details about using JWT verification in API gateways. #### Values @@ -432,7 +433,7 @@ The following table describes the parameters you can specify in a member of the | `Name` | Specifies the name of the provider. | String | None | | `VerifyClaims` | Specifies a list of paths and a value that define the claim that Consul verifies when it receives a request. The `VerifyClaims` map specifies the following settings:
  • `Path`: Specifies a list of one or more registered or custom claims.
  • `Value`: Specifies the expected value of the claim.
| Map | None | -Refer to [Configure JWT verification settings](#configure-jwt-verification-settings) for an example configuration. +Refer to [Configure JWT verification settings](#configure-jwt-verification-settings) for an example configuration. ### `Listeners[].override` @@ -454,7 +455,7 @@ Specifies a block of JWT verification configurations to apply to the gateway lis ### `Listeners[].override{}.JWT{}.Providers` -Specifies a list of JWT provider configurations to apply to the gateway listener. A provider configuration contains the name of the provider and claims. The override settings have precedence over `Listeners[].defaults{}.JWT{}.Providers` as well as any listener-specific configuration. +Specifies a list of JWT provider configurations to apply to the gateway listener. A provider configuration contains the name of the provider and claims. The override settings have precedence over `Listeners[].defaults{}.JWT{}.Providers` as well as any listener-specific configuration. #### Values @@ -468,7 +469,7 @@ The following table describes the parameters you can specify in a member of the | `Name` | Specifies the name of the provider. | String | None | | `VerifyClaims` | Specifies a list of paths and a value that define the claim that Consul verifies when it receives a request. The `VerifyClaims` map specifies the following settings:
  • `Path`: Specifies a list of one or more registered or custom claims.
  • `Value`: Specifies the expected value of the claim.
| Map | None | -Refer to [Configure JWT verification settings](#configure-jwt-verification-settings) for an example configuration. +Refer to [Configure JWT verification settings](#configure-jwt-verification-settings) for an example configuration. ## Examples @@ -489,7 +490,7 @@ Listeners = [ name = "listener-one" port = 9001 protocol = "http" - # override and default are backed by the same type of data structure, see the following section for more on how they interact + # override and default are backed by the same type of data structure, refer to the following section for more on how they interact override = { JWT = { Providers = [ @@ -530,7 +531,7 @@ Listeners = [ { "name": "listener-one", "port": 9001, - "protocol": "http", + "protocol": "http", "override": { "JWT": { "Providers": [{ @@ -559,4 +560,4 @@ Listeners = [ ``` - + \ No newline at end of file diff --git a/website/content/docs/connect/config-entries/control-plane-request-limit.mdx b/website/content/docs/reference/config-entry/control-plane-request-limit.mdx similarity index 94% rename from website/content/docs/connect/config-entries/control-plane-request-limit.mdx rename to website/content/docs/reference/config-entry/control-plane-request-limit.mdx index 53404c0d3f6..e7574c075a5 100644 --- a/website/content/docs/connect/config-entries/control-plane-request-limit.mdx +++ b/website/content/docs/reference/config-entry/control-plane-request-limit.mdx @@ -1,10 +1,12 @@ --- layout: docs -page_title: Control Plane Request Limit configuration reference -description: Learn how to configure the control-plane-request-limit configuration entry, which defines how Consul agents limit read and request traffic rate limits. +page_title: Control plane request limit configuration entry reference +description: >- + Learn how to configure the control-plane-request-limit configuration entry, which defines how Consul agents limit read and request traffic rate limits. --- -# Control Plane Request Limit configuration reference +# Control plane request limit configuration entry reference + This topic describes the configuration options for the `control-plane-request-limit` configuration entry. You can only write the `control-plane-request-limit` configuration entry to the `default` partition, but the configuration entry applies to all client requests that target any partition. diff --git a/website/content/docs/connect/config-entries/exported-services.mdx b/website/content/docs/reference/config-entry/exported-services.mdx similarity index 97% rename from website/content/docs/connect/config-entries/exported-services.mdx rename to website/content/docs/reference/config-entry/exported-services.mdx index ba783b48375..4fc30a380c4 100644 --- a/website/content/docs/connect/config-entries/exported-services.mdx +++ b/website/content/docs/reference/config-entry/exported-services.mdx @@ -1,13 +1,13 @@ --- layout: docs -page_title: Exported Services configuration reference +page_title: Exported services configuration entry reference description: >- - An exported services configuration entry defines the availability of a cluster's services to cluster peers and local admin partitions. Learn about `""exported-services""` config entry parameters and exporting services to other datacenters. + An exported services configuration entry defines the availability of a cluster's services to cluster peers and local admin partitions. Learn about `exported-services` config entry parameters and exporting services to other datacenters. --- -# Exported Services configuration reference +# Exported services configuration entry reference -This topic describes the `exported-services` configuration entry type. The `exported-services` configuration entry enables Consul to export service instances to other clusters from a single file and connect services across clusters. For additional information, refer to [Cluster Peering](/consul/docs/connect/cluster-peering) and [Admin Partitions](/consul/docs/enterprise/admin-partitions). +This topic describes the `exported-services` configuration entry type. The `exported-services` configuration entry enables Consul to export service instances to other clusters from a single file and connect services across clusters. For additional information, refer to [Cluster Peering](/consul/docs/east-west/cluster-peering) and [Admin Partitions](/consul/docs/enterprise/admin-partitions). ## Introduction @@ -21,7 +21,7 @@ You can configure the settings defined in the `exported-services` configuration ## Usage 1. Verify that your datacenter meets the conditions specified in the [Requirements](#requirements). -1. Specify the `exported-services` configuration in the agent configuration file (see [`config_entries`](/consul/docs/agent/config/config-files#config_entries)) as described in [Configuration](#configuration). +1. Specify the `exported-services` configuration in the agent configuration file (refer to [`config_entries`](/consul/docs/reference/agent#config_entries)) as described in [Configuration](#configuration). 1. Apply the configuration using one of the following methods: - Kubernetes CRD: Refer to the [Custom Resource Definitions](/consul/docs/k8s/crds) documentation for details. - Issue the `consul config write` command: Refer to the [Consul Config Write](/consul/commands/config/write) documentation for details. @@ -526,7 +526,7 @@ spec: ### Exporting a service to a sameness group -The following example configures Consul to export a service named `api` to a defined group of partitions that belong to a separately defined [sameness group](/consul/docs/connect/config-entries/sameness-group) named `monitoring`. +The following example configures Consul to export a service named `api` to a defined group of partitions that belong to a separately defined [sameness group](/consul/docs/reference/config-entry/sameness-group) named `monitoring`. diff --git a/website/content/docs/connect/config-entries/http-route.mdx b/website/content/docs/reference/config-entry/http-route.mdx similarity index 97% rename from website/content/docs/connect/config-entries/http-route.mdx rename to website/content/docs/reference/config-entry/http-route.mdx index 6265930b3e5..c4cf4bea07c 100644 --- a/website/content/docs/connect/config-entries/http-route.mdx +++ b/website/content/docs/reference/config-entry/http-route.mdx @@ -1,12 +1,14 @@ --- layout: docs -page_title: HTTP Route configuration reference -description: Learn how to configure an HTTP Route bound to an API Gateway on VMs. +page_title: HTTP route configuration entry reference +description: >- + Learn how to configure an HTTP Route bound to an API Gateway on VMs. --- -# HTTP route configuration reference +# HTTP route configuration entry reference -This topic provides reference information for the gateway routes configuration entry. Refer to [Route Resource Configuration](/consul/docs/connect/gateways/api-gateway/configuration/routes) for information about configuring API gateway routes in Kubernetes environments. + +This topic provides reference information for the gateway routes configuration entry. Refer to [Route Resource Configuration](/consul/docs/reference/k8s/api-gateway/routes) for information about configuring API gateway routes in Kubernetes environments. ## Configuration model @@ -389,7 +391,7 @@ such as applying a configuration entry to a specific cluster. ### `Namespace` -Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to apply to the configuration entry. +Specifies the Enterprise [namespace](/consul/docs/segment/namespace) to apply to the configuration entry. #### Values @@ -398,7 +400,7 @@ Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to appl ### `Partition` -Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) to apply to the configuration entry. +Specifies the Enterprise [admin partition](/consul/docs/segment/admin-partition) to apply to the configuration entry. #### Values @@ -451,7 +453,7 @@ Specifies the name of the api-gateway to bind to. ### `Parents[].Namespace` -Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to apply to the configuration entry. +Specifies the Enterprise [namespace](/consul/docs/segment/namespace) to apply to the configuration entry. #### Values @@ -460,7 +462,7 @@ Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to appl ### `Parents[].Partition` -Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) to apply to the configuration entry. +Specifies the Enterprise [admin partition](/consul/docs/segment/admin-partition) to apply to the configuration entry. #### Values @@ -854,7 +856,7 @@ Specifies the name of an HTTP-based service to route to. ### `Rules[].Services[].Namespace` -Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to apply to the configuration entry. +Specifies the Enterprise [namespace](/consul/docs/segment/namespace) to apply to the configuration entry. #### Values @@ -863,7 +865,7 @@ Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to appl ### `Rules[].Services.Partition` -Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) to apply to the configuration entry. +Specifies the Enterprise [admin partition](/consul/docs/segment/admin-partition) to apply to the configuration entry. #### Values diff --git a/website/content/docs/connect/config-entries/ingress-gateway.mdx b/website/content/docs/reference/config-entry/ingress-gateway.mdx similarity index 96% rename from website/content/docs/connect/config-entries/ingress-gateway.mdx rename to website/content/docs/reference/config-entry/ingress-gateway.mdx index cd8eaf326f1..eaebe95d9a7 100644 --- a/website/content/docs/connect/config-entries/ingress-gateway.mdx +++ b/website/content/docs/reference/config-entry/ingress-gateway.mdx @@ -1,19 +1,11 @@ --- layout: docs -page_title: Ingress gateway configuration reference +page_title: Ingress gateway configuration entry reference description: >- - The ingress gateway configuration entry kind defines behavior for securing incoming communication between the service mesh and external sources. Learn about `""ingress-gateway""` config entry parameters for exposing TCP and HTTP listeners. + The ingress gateway configuration entry kind defines behavior for securing incoming communication between the service mesh and external sources. Learn about `ingress-gateway` config entry parameters for exposing TCP and HTTP listeners. --- -# Ingress gateway configuration reference - - - -Ingress gateway is deprecated and will not be enhanced beyond its current capabilities. Ingress gateway is fully supported in this version but will be removed in a future release of Consul. - -Consul's API gateway is the recommended alternative to ingress gateway. - - +# Ingress gateway configuration entry reference This topic provides configuration reference information for the ingress gateway configuration entry. An ingress gateway is a type of proxy you register as a service in Consul to enable network connectivity from external services to services inside of the service mesh. Refer to [Ingress gateways overview](/consul/docs/connect/gateways/ingress-gateway) for additional information. @@ -479,7 +471,7 @@ Specifies a name for the gateway. The name is metadata that you can use to refer ### `Namespace` -Specifies the namespace to apply the configuration entry in. Refer to [Namespaces](/consul/docs/enterprise/namespaces) for additional information about Consul namespaces. +Specifies the namespace to apply the configuration entry in. Refer to [Namespaces](/consul/docs/segment/namespace) for additional information about Consul namespaces. If unspecified, the ingress gateway is applied to the `default` namespace. You can override the namespace when using the [`/config` API endpoint](/consul/api-docs/config) to register the configuration entry by specifying the `ns` query parameter. @@ -490,7 +482,7 @@ If unspecified, the ingress gateway is applied to the `default` namespace. You c ### `Partition` -Specifies the admin partition that the ingress gateway applies to. The value must match the partition in which the gateway is registered. Refer to [Admin partitions](/consul/docs/enterprise/admin-partitions) for additional information. +Specifies the admin partition that the ingress gateway applies to. The value must match the partition in which the gateway is registered. Refer to [Admin partitions](/consul/docs/segment/admin-partition) for additional information. If unspecified, the ingress gateway is applied to the `default` partition. You can override the partition when using the [`/config` API endpoint](/consul/api-docs/config) to register the configuration entry by specifying the `partition` query parameter. @@ -576,9 +568,9 @@ Specifies a list of cipher suites that gateway listeners support when negotiatin - Default: None - Data type: List of string values. Refer to the [Consul repository](https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169) for a list of supported ciphers. -### `TLS.SDS` +### `TSL.SDS` -Specifies parameters for loading the TLS certificates from an external SDS service. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/gateways/ingress-gateway/tls-external-service) for additional information. +Specifies parameters for loading the TLS certificates from an external SDS service. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/north-south/ingress-gateway/tls-external-service) for additional information. Consul applies the SDS configuration specified in this field as defaults for all listeners defined in the gateway. You can override the SDS settings for per listener or per service defined in the listener. Refer to the following configurations for additional information: @@ -825,7 +817,7 @@ Specifies a TLS configuration for a specific service. The settings in this confi ### `Listeners[].Services[].TLS.SDS` -Specifies parameters that configure the listener to load TLS certificates from an external SDS. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/gateways/ingress-gateway/tls-external-service) for additional information. +Specifies parameters that configure the listener to load TLS certificates from an external SDS. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/north-south/ingress-gateway/tls-external-service) for additional information. This configuration overrides the main [`TLS.SDS`](#tls-sds) settings for configuration entry. If unspecified, Consul applies the top-level [`TLS.SDS`](#tls-sds) settings. @@ -837,7 +829,7 @@ This configuration overrides the main [`TLS.SDS`](#tls-sds) settings for configu - `ClusterName` - `CertResource` -The following table describes how to configure SDS parameters. Refer to [Configure static SDS clusters](/consul/docs/connect/gateways/ingress-gateway/tls-external-service#configure-static-sds-clusters) for usage information: +The following table describes how to configure SDS parameters. Refer to [Configure static SDS clusters](/consul/docs/connect/north-south/ingress-gateway/tls-external-service#configure-static-sds-clusters) for usage information: | Parameter | Description | Data type | | `ClusterName` | Specifies the name of the SDS cluster where Consul should retrieve certificates. The cluster must be specified in the gateway's bootstrap configuration. | String | @@ -961,7 +953,7 @@ Specifies a list of cipher suites that the listener supports when negotiating co ### `Listeners[].TLS.SDS` -Specifies parameters for loading the TLS certificates from an external SDS service. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/gateways/ingress-gateway/tls-external-service) for additional information. +Specifies parameters for loading the TLS certificates from an external SDS service. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/north-south/ingress-gateway/tls-external-service) for additional information. Consul applies the SDS configuration specified in this field to all services in the listener. You can override the `Listeners.TLS.SDS` configuration per service by configuring the [`Listeners.Services.TLS.SDS`](#listeners-services-tls-sds) settings for each service. @@ -970,7 +962,7 @@ Consul applies the SDS configuration specified in this field to all services in - Default: None - The data type is a map containing `ClusterName` and `CertResource` fields. -The following table describes how to configure SDS parameters. Refer to [Configure static SDS clusters](/consul/docs/connect/gateways/ingress-gateway/tls-external-service#configure-static-sds-clusters) for usage information: +The following table describes how to configure SDS parameters. Refer to [Configure static SDS clusters](/consul/docs/connect/north-south/ingress-gateway/tls-external-service#configure-static-sds-clusters) for usage information: | Parameter | Description | Data type | | --- | --- | --- | @@ -1019,7 +1011,7 @@ Specifies a name for the gateway. The name is metadata that you can use to refer ### `metadata.namespace` -Specifies the namespace to apply the configuration entry in. Refer to [Namespaces](/consul/docs/enterprise/namespaces) for additional information about Consul namespaces. +Specifies the namespace to apply the configuration entry in. Refer to [Namespaces](/consul/docs/segment/namespace) for additional information about Consul namespaces. If unspecified, the ingress gateway is applied to the `default` namespace. You can override the namespace when using the [`/config` API endpoint](/consul/api-docs/config) to register the configuration entry by specifying the `ns` query parameter. @@ -1109,7 +1101,7 @@ Specifies a list of cipher suites that gateway listeners support when negotiatin ### `spec.tls.sds` -Specifies parameters for loading the TLS certificates from an external SDS service. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/gateways/ingress-gateway/tls-external-service) for additional information. +Specifies parameters for loading the TLS certificates from an external SDS service. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/north-south/ingress-gateway/tls-external-service) for additional information. Consul applies the SDS configuration specified in this field as defaults for all listeners defined in the gateway. You can override the SDS settings for per listener or per service defined in the listener. Refer to the following configurations for additional information: @@ -1360,7 +1352,7 @@ Specifies a TLS configuration for a specific service. The settings in this confi ### `spec.listeners[].services[].tls.sds` -Specifies parameters that configure the listener to load TLS certificates from an external SDS. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/gateways/ingress-gateway/tls-external-service) for additional information. +Specifies parameters that configure the listener to load TLS certificates from an external SDS. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/north-south/ingress-gateway/tls-external-service) for additional information. If unspecified, Consul applies the [`sds`](#spec-tls-sds) settings configured for the ingress gateway. If both are specified, this configuration overrides the settings for configuration entry. @@ -1372,7 +1364,7 @@ If unspecified, Consul applies the [`sds`](#spec-tls-sds) settings configured fo - `clusterName` - `certResource` -The following table describes how to configure SDS parameters. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/gateways/ingress-gateway/tls-external-service) for usage information: +The following table describes how to configure SDS parameters. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/north-south/ingress-gateway/tls-external-service) for usage information: | Parameter | Description | Data type | | --- | --- | --- | @@ -1497,7 +1489,7 @@ Specifies a list of cipher suites that the listener supports when negotiating co ### `spec.listeners[].tls.sds` -Specifies parameters for loading the TLS certificates from an external SDS service. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/gateways/ingress-gateway/tls-external-service) for additional information. +Specifies parameters for loading the TLS certificates from an external SDS service. Refer to [Serve custom TLS certificates from an external service](/consul/docs/connect/north-south/ingress-gateway/tls-external-service) for additional information. Consul applies the SDS configuration specified in this field to all services in the listener. You can override the `spec.listeners[].tls.sds` configuration per service by configuring the [`spec.listeners.services.tls.sds`](#spec-listeners-services-tls-sds) settings for each service. @@ -1508,7 +1500,7 @@ Consul applies the SDS configuration specified in this field to all services in - `clusterName` - `certResource` -The following table describes how to configure SDS parameters. Refer to [Configure static SDS clusters](/consul/docs/connect/gateways/ingress-gateway/tls-external-service#configure-static-sds-clusters) for usage information: +The following table describes how to configure SDS parameters. Refer to [Configure static SDS clusters](/consul/docs/connect/north-south/ingress-gateway/tls-external-service#configure-static-sds-clusters) for usage information: | Parameter | Description | Data type | | --- | --- | --- | @@ -1654,8 +1646,8 @@ TLS is enabled on every listener. The `max_connections` of the ingress gateway p The Consul Enterprise version implements the following additional configurations: -- The ingress gateway is set up in the `default` [namespace](/consul/docs/enterprise/namespaces) and proxies traffic to all services in the `frontend` namespace. -- The `api` and `web` services are proxied to team-specific [admin partitions](/consul/docs/enterprise/admin-partitions): +- The ingress gateway is set up in the `default` [namespace](/consul/docs/segment/namespace) and proxies traffic to all services in the `frontend` namespace. +- The `api` and `web` services are proxied to team-specific [admin partitions](/consul/docs/segment/admin-partition): #### Consul CE diff --git a/website/content/docs/connect/config-entries/inline-certificate.mdx b/website/content/docs/reference/config-entry/inline-certificate.mdx similarity index 58% rename from website/content/docs/connect/config-entries/inline-certificate.mdx rename to website/content/docs/reference/config-entry/inline-certificate.mdx index abf68dc9b2d..a21b529262c 100644 --- a/website/content/docs/connect/config-entries/inline-certificate.mdx +++ b/website/content/docs/reference/config-entry/inline-certificate.mdx @@ -1,15 +1,14 @@ --- layout: docs -page_title: Inline certificate configuration reference -description: Learn how to configure an inline certificate bound to an API Gateway on VMs. +page_title: Inline certificate configuration entry reference +description: >- + Learn how to configure an inline certificate bound to an API Gateway on VMs. --- -# Inline certificate configuration reference +# Inline certificate configuration entry reference -This topic provides reference information for the inline certificate -configuration entry. The inline certificate secures TLS for the Consul API gateway on VMs. In production environments, we recommend you use the more secure [file system certificate configuration entry](/consul/docs/connect/config-entries/file-system-certificate) instead. - -The inline certificate configuration entry is not used for Consul on Kubernetes deployments. To learn about configuring certificates for Kubernetes environments, refer to [Gateway Resource Configuration](/consul/docs/connect/gateways/api-gateway/configuration/gateway). +This topic provides reference information for the gateway inline certificate +configuration entry. For information about certificate configuration for Kubernetes environments, refer to [Gateway Resource Configuration](/consul/docs/reference/k8s/api-gateway/gateway). ## Configuration model @@ -29,11 +28,9 @@ to view additional details, including default values. When every field is defined, an `inline-certificate` configuration entry has the following form: - - - + -```hcl +```HCL Kind = "inline-certificate" Name = "" @@ -45,24 +42,19 @@ Certificate = "" PrivateKey = "" ``` - - - - -```json +```JSON { "Kind": "inline-certificate", "Name": "", "Meta": { "any key": "any value" - }, + } "Certificate": "", "PrivateKey": "" } ``` - - + ## Specification @@ -90,7 +82,7 @@ as applying a configuration entry to a specific cluster. ### `Namespace` -Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to apply to the configuration entry. +Specifies the Enterprise [namespace](/consul/docs/segment/namespace) to apply to the configuration entry. #### Values @@ -99,7 +91,7 @@ Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to appl ### `Partition` -Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) to apply to the configuration entry. +Specifies the Enterprise [admin partition](/consul/docs/segment/admin-partition) to apply to the configuration entry. #### Values @@ -134,34 +126,3 @@ Specifies the inline private key to use for TLS. - Default: none - This field is required. - Data type: string value of the private key - -## Examples - -The following example demonstrates an inline certificate configuration. - - - - - -```hcl -Kind = "inline-certificate" -Name = "tls-certificate" -Certificate = "" -PrivateKey = "" -``` - - - - - -```json -{ - "Kind": "inline-certificate", - "Name": "tls-certificate", - "Certificate": "", - "PrivateKey": "" -} -``` - - - \ No newline at end of file diff --git a/website/content/docs/connect/config-entries/jwt-provider.mdx b/website/content/docs/reference/config-entry/jwt-provider.mdx similarity index 98% rename from website/content/docs/connect/config-entries/jwt-provider.mdx rename to website/content/docs/reference/config-entry/jwt-provider.mdx index d1bedd93553..e27012a479c 100644 --- a/website/content/docs/connect/config-entries/jwt-provider.mdx +++ b/website/content/docs/reference/config-entry/jwt-provider.mdx @@ -1,12 +1,13 @@ --- -page_title: JWT provider configuration reference -description: |- - JWT provider configuration entries add JSON Web Token token validation to intentions in the service mesh. Learn how to write `jwt-provider` config entries in HCL or YAML with a specification reference, configuration model, a complete example, and example code by use case. +layout: docs +page_title: JSON web token (JWT) provider configuration entry reference +description: >- + JWT provider configuration entries add JSON Web Token token validation to intentions in the service mesh. Learn how to write `jwt-provider` config entries in HCL or YAML with a specification reference, configuration model, a complete example, and example code by use case. --- -# JWT provider configuration reference +# JSON web token (JWT) provider configuration entry reference -This page provides reference information for the JWT provider configuration entry, which configures Consul to use a JSON Web Token (JWT) and JSON Web Key Set (JWKS) in order to add JWT validation to proxies in the service mesh. Refer to [Use JWT authorization with service intentions](/consul/docs/connect/intentions/jwt-authorization) for more information. +This page provides reference information for the JWT provider configuration entry, which configures Consul to use a JSON Web Token (JWT) and JSON Web Key Set (JWKS) in order to add JWT validation to proxies in the service mesh. Refer to [Use JWT authorization with service intentions](/consul/docs/secure-mesh/intentions/jwt) for more information. ## Configuration model @@ -804,7 +805,7 @@ Specifies a name for the configuration entry. The name is metadata that you can ### `metadata.namespace` -Specifies the namespace that the configuration applies to. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information. +Specifies the namespace that the configuration applies to. Refer to [namespaces](/consul/docs/segment/namespace) for more information. #### Values @@ -1222,7 +1223,11 @@ http.public_listener.jwt_authn.jwt_cache_hit http.public_listener.jwt_authn.jwt_cache_miss ``` -~> **Note:** Currently, Envoy does not reference these metrics in their documentation. Refer to [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/) for more information about exposed metrics. + + +Currently, Envoy does not reference these metrics in their documentation. Refer to [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/) for more information about exposed metrics. + + ## Examples diff --git a/website/content/docs/connect/config-entries/mesh.mdx b/website/content/docs/reference/config-entry/mesh.mdx similarity index 67% rename from website/content/docs/connect/config-entries/mesh.mdx rename to website/content/docs/reference/config-entry/mesh.mdx index cf75c4bfa4a..316e9df2699 100644 --- a/website/content/docs/connect/config-entries/mesh.mdx +++ b/website/content/docs/reference/config-entry/mesh.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Mesh - Configuration Entry Reference +page_title: Mesh configuration entry reference description: >- - The mesh configuration entry kind defines global default settings like TLS version requirements for proxies inside the service mesh. Use the reference guide to learn about `""mesh""` config entry parameters and how to control communication with services outside of the mesh. + The mesh configuration entry kind defines global default settings like TLS version requirements for proxies inside the service mesh. Use the reference guide to learn about `mesh` config entry parameters and how to control communication with services outside of the mesh. --- -# Mesh Configuration Entry +# Mesh configuration entry reference The `mesh` configuration entry allows you to define a global default configuration that applies to all service mesh proxies. Settings in this config entry apply across all namespaces and federated datacenters. @@ -264,60 +264,6 @@ spec: Note that the Kubernetes example does not include a `partition` field. Configuration entries are applied on Kubernetes using [custom resource definitions (CRD)](/consul/docs/k8s/crds), which can only be scoped to their own partition. -### Request Normalization - -Enable options under `HTTP.Incoming.RequestNormalization` to apply normalization to all inbound traffic to mesh proxies. - -~> **Compatibility warning**: This feature is available as of Consul CE 1.20.1 and Consul Enterprise 1.20.1, 1.19.2, 1.18.3, and 1.15.15. We recommend upgrading to the latest version of Consul to take advantage of the latest features and improvements. - - - -```hcl -Kind = "mesh" -HTTP { - Incoming { - RequestNormalization { - InsecureDisablePathNormalization = false // default false, shown for completeness - MergeSlashes = true - PathWithEscapedSlashesAction = "UNESCAPE_AND_FORWARD" - HeadersWithUnderscoresAction = "REJECT_REQUEST" - } - } -} -``` - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: Mesh -metadata: - name: mesh -spec: - http: - incoming: - requestNormalization: - insecureDisablePathNormalization: false # default false, shown for completeness - mergeSlashes: true - pathWithEscapedSlashesAction: UNESCAPE_AND_FORWARD - headersWithUnderscoresAction: REJECT_REQUEST -``` - -```json -{ - "Kind": "mesh", - "HTTP": { - "Incoming": { - "RequestNormalization": { - "InsecureDisablePathNormalization": false, - "MergeSlashes": true, - "PathWithEscapedSlashesAction": "UNESCAPE_AND_FORWARD", - "HeadersWithUnderscoresAction": "REJECT_REQUEST" - } - } - } -} -``` - - ## Available Fields @@ -348,7 +294,7 @@ spec: type: `string: "default"`, enterprise: true, description: - 'Specifies the name of the admin partition in which the configuration entry applies. Refer to the [Admin Partitions documentation](/consul/docs/enterprise/admin-partitions) for additional information.', + 'Specifies the name of the admin partition in which the configuration entry applies. Refer to the [Admin Partitions documentation](/consul/docs/segment/admin-partition) for additional information.', yaml: false, }, { @@ -369,7 +315,7 @@ spec: name: 'namespace', enterprise: true, description: - 'Must be set to `default`. If running Consul Community Edition, the namespace is ignored (see [Kubernetes Namespaces in Consul CE](/consul/docs/k8s/crds#consul-ce)). If running Consul Enterprise see [Kubernetes Namespaces in Consul Enterprise](/consul/docs/k8s/crds#consul-enterprise) for additional information.', + 'Must be set to `default`. If running Consul Community Edition, the namespace is ignored (refer to [Kubernetes Namespaces in Consul CE](/consul/docs/k8s/crds#consul-ce)). If running Consul Enterprise refer to [Kubernetes Namespaces in Consul Enterprise](/consul/docs/k8s/crds#consul-enterprise) for additional information.', }, ], hcl: false, @@ -378,7 +324,7 @@ spec: name: 'TransparentProxy', type: 'TransparentProxyConfig: ', description: - 'Controls configuration specific to proxies in `transparent` [mode](/consul/docs/connect/config-entries/service-defaults#mode). Added in v1.10.0.', + 'Controls configuration specific to proxies in `transparent` [mode](/consul/docs/reference/config-entry/service-default#mode). Added in v1.10.0.', children: [ { name: 'MeshDestinationsOnly', @@ -396,17 +342,6 @@ spec: description: 'Controls whether `MutualTLSMode=permissive` can be set in the `proxy-defaults` and `service-defaults` configuration entries. ' }, - { - name: 'ValidateClusters', - type: 'bool: false', - description: - `Controls whether the clusters the route table refers to are validated. The default value is false. When set to - false and a route refers to a cluster that does not exist, the route table loads and routing to a non-existent - cluster results in a 404. When set to true and the route is set to a cluster that do not exist, the route table - will not load. For more information, refer to - [HTTP route configuration in the Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-field-config-route-v3-routeconfiguration-validate-clusters) - for more details. `, - }, { name: 'TLS', type: 'TLSConfig: ', @@ -442,7 +377,7 @@ spec: to support when negotiating connections using TLS 1.2 or earlier. If unspecified, Envoy will use a [default server cipher list](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites). - The list of supported cipher suites can seen in + The list of supported cipher suites can refer to n in [\`consul/types/tls.go\`](https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169) and is dependent on underlying support in Envoy. Future releases of Envoy may remove currently-supported but @@ -482,7 +417,7 @@ spec: to support when negotiating connections using TLS 1.2 or earlier. If unspecified, Envoy will use a [default server cipher list](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites). - The list of supported cipher suites can seen in + The list of supported cipher suites can refer to n in [\`consul/types/tls.go\`](https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169) and is dependent on underlying support in Envoy. Future releases of Envoy may remove currently-supported but @@ -506,64 +441,13 @@ spec: for all Envoy proxies. As a result, Consul will not include the \`x-forwarded-client-cert\` header in the next hop. If set to \`false\` (default), the XFCC header is propagated to upstream applications.`, }, - { - name: 'Incoming', - type: 'DirectionalHTTPConfig: ', - description: `HTTP configuration for inbound traffic to mesh proxies.`, - children: [ - { - name: 'RequestNormalization', - type: 'RequestNormalizationConfig: ', - description: `Request normalization configuration for inbound traffic to mesh proxies.`, - children: [ - { - name: 'InsecureDisablePathNormalization', - type: 'bool: false', - description: `Sets the value of the \`normalize_path\` option in the Envoy listener's \`HttpConnectionManager\`. The default value is \`false\`. - When set to \`true\` in Consul, \`normalize_path\` is set to \`false\` for the Envoy proxy. - This parameter disables the normalization of request URL paths according to RFC 3986, - conversion of \`\\\` to \`/\`, and decoding non-reserved %-encoded characters. When using L7 - intentions with path match rules, we recommend enabling path normalization in order - to avoid match rule circumvention with non-normalized path values.`, - }, - { - name: 'MergeSlashes', - type: 'bool: false', - description: `Sets the value of the \`merge_slashes\` option in the Envoy listener's \`HttpConnectionManager\`. The default value is \`false\`. - This option controls the normalization of request URL paths by merging consecutive \`/\` characters. This normalization is not part - of RFC 3986. When using L7 intentions with path match rules, we recommend enabling this setting to avoid match rule circumvention through non-normalized path values, unless legitimate service - traffic depends on allowing for repeat \`/\` characters, or upstream services are configured to - differentiate between single and multiple slashes.`, - }, - { - name: 'PathWithEscapedSlashesAction', - type: 'string: ""', - description: `Sets the value of the \`path_with_escaped_slashes_action\` option in the Envoy listener's - \`HttpConnectionManager\`. The default value of this option is empty, which is - equivalent to \`IMPLEMENTATION_SPECIFIC_DEFAULT\`. This parameter controls the action taken in response to request URL paths with escaped - slashes in the path. When using L7 intentions with path match rules, we recommend enabling this setting to avoid match rule circumvention through non-normalized path values, unless legitimate service - traffic depends on allowing for escaped \`/\` or \`\\\` characters, or upstream services are configured to - differentiate between escaped and unescaped slashes. Refer to the Envoy documentation for more information on available - options.`, - }, - { - name: 'HeadersWithUnderscoresAction', - type: 'string: ""', - description: `Sets the value of the \`headers_with_underscores_action\` option in the Envoy listener's - \`HttpConnectionManager\` under \`common_http_protocol_options\`. The default value of this option is - empty, which is equivalent to \`ALLOW\`. Refer to the Envoy documentation for more information on available options.`, - }, - ], - }, - ], - } ], }, { name: 'Peering', type: 'PeeringMeshConfig: ', description: - 'Controls configuration specific to [peering connections](/consul/docs/connect/cluster-peering).', + 'Controls configuration specific to [peering connections](/consul/docs/east-west/cluster-peering).', children: [ { name: 'PeerThroughMeshGateways', @@ -579,9 +463,9 @@ spec: ## ACLs -Configuration entries may be protected by [ACLs](/consul/docs/security/acl). +Configuration entries may be protected by [ACLs](/consul/docs/secure-consul/acl). Reading a `mesh` config entry requires no specific privileges. Creating, updating, or deleting a `mesh` config entry requires -`operator:write`. +`operator:write`. \ No newline at end of file diff --git a/website/content/docs/connect/config-entries/proxy-defaults.mdx b/website/content/docs/reference/config-entry/proxy-defaults.mdx similarity index 89% rename from website/content/docs/connect/config-entries/proxy-defaults.mdx rename to website/content/docs/reference/config-entry/proxy-defaults.mdx index 824ce835998..9e07b567c15 100644 --- a/website/content/docs/connect/config-entries/proxy-defaults.mdx +++ b/website/content/docs/reference/config-entry/proxy-defaults.mdx @@ -5,13 +5,13 @@ description: >- The proxy defaults configuration entry kind defines default behaviors for proxies in the service mesh. Use the reference guide to learn about `""proxy-defaults""` config entry parameters. --- -# Proxy defaults configuration reference +# Proxy defaults configuration entry reference -This topic provides reference information for proxy defaults configuration entries. Refer to [Service mesh proxy overview](/consul/docs/connect/proxies) for information about using proxies in Consul. +This topic provides reference information for proxy defaults configuration entries. Refer to [Service mesh proxy overview](/consul/docs/connect/proxy) for information about using proxies in Consul. ## Introduction -Proxy defaults configuration entries set global passthrough Envoy settings for proxies in the service mesh, including sidecars and gateways. Proxy defaults configuration entries do not control features for peered clusters, transparent proxy, or TLS behavior. For information about configuring Consul settings that affect service mesh behavior, refer to the [mesh configuration entry reference](/consul/docs/connect/config-entries/mesh). +Proxy defaults configuration entries set global passthrough Envoy settings for proxies in the service mesh, including sidecars and gateways. Proxy defaults configuration entries do not control features for peered clusters, transparent proxy, or TLS behavior. For information about configuring Consul settings that affect service mesh behavior, refer to the [mesh configuration entry reference](/consul/docs/reference/config-entry/mesh). Consul only supports one global proxy defaults configuration entry at a time. If multiple configuration entries are defined in Consul Enterprise, Consul implements the configuration entry in the `default` partition. @@ -27,7 +27,7 @@ The following list outlines field hierarchy, language-specific data types, and r - [`Name`](#name): string | must be set to `global` - [`Namespace`](#namespace): string | `default` | - [`Partition`](#partition): string | `default` | -- [`Meta`](#meta): map +- [`Meta`](#meta): map - [`Config`](#meta): map - [`EnvoyExtensions`](#envoyextensions): list of maps - [`Name`](#envoyextensions): string @@ -39,16 +39,16 @@ The following list outlines field hierarchy, language-specific data types, and r - [`TransparentProxy`](#transparentproxy): map - [`OutboundListenerPort`](#transparentproxy): number | `15001` - [`DialedDirectly`](#transparentproxy): boolean | `false` -- [`MutualTLSMode`](#mutualtlsmode): string +- [`MutualTLSMode`](#mutualtlsmode): string - [`MeshGateway`](#meshgateway): map - [`Mode`](#meshgateway): string - [`Expose`](#expose): map - [`Checks`](#expose-checks): boolean | `false` - [`Paths`](#expose-paths): list of maps - - [`Path`](#expose-paths-path): string | must begin with `/` - - [`LocalPathPort`](#expose-paths): number | `0` - - [`ListenerPort`](#expose-paths): number | `0` - - [`Protocol`](#expose-paths): string | `http` + - [`Path`](#expose-paths-path): string | must begin with `/` + - [`LocalPathPort`](#expose-paths): number | `0` + - [`ListenerPort`](#expose-paths): number | `0` + - [`Protocol`](#expose-paths): string | `http` - [`PrioritizeByLocality`](#prioritizebylocality): map | - [`Mode`](#prioritizebylocality): string | `failover` - [`AccessLogs`](#accesslogs): map @@ -56,8 +56,8 @@ The following list outlines field hierarchy, language-specific data types, and r - [`DisableListenerLogs`](#accesslogs): boolean | `false` - [`Type`](#accesslogs): string | `stdout` - [`Path`](#accesslogs): string - - [`JSONFormat`](#accesslogs): string - - [`TextFormat`](#accesslogs): string + - [`JSONFormat`](#accesslogs): string + - [`TextFormat`](#accesslogs): string @@ -79,16 +79,16 @@ The following list outlines field hierarchy, language-specific data types, and r - [`transparentProxy`](#spec-transparentproxy): map - [`outboundListenerPort`](#spec-transparentproxy): number | `15001` - [`dialedDirectly`](#spec-transparentproxy): boolean | `false` - - [`mutualTLSMode`](#spec-mutualtlsmode): string + - [`mutualTLSMode`](#spec-mutualtlsmode): string - [`meshGateway`](#spec-meshgateway): map - [`mode`](#spec-meshgateway): string - [`expose`](#spec-expose): map - [`checks`](#spec-expose-checks): boolean | `false` - [`paths`](#spec-expose-paths): list - - [`path`](#spec-expose-paths): string | must begin with `/` - - [`localPathPort`](#spec-expose-paths): number | `0` - - [`listenerPort`](#spec-expose-paths): number | `0` - - [`protocol`](#spec-expose-paths): string | `http` + - [`path`](#spec-expose-paths): string | must begin with `/` + - [`localPathPort`](#spec-expose-paths): number | `0` + - [`listenerPort`](#spec-expose-paths): number | `0` + - [`protocol`](#spec-expose-paths): string | `http` - [`prioritizeByLocality`](#prioritizebylocality): map | - [`mode`](#prioritizebylocality): string | `failover` - [`accessLogs`](#spec-accesslogs): map @@ -96,8 +96,8 @@ The following list outlines field hierarchy, language-specific data types, and r - [`disableListenerLogs`](#spec-accesslogs): boolean | `false` - [`type`](#spec-accesslogs): string | `stdout` - [`path`](#spec-accesslogs): string - - [`jsonFormat`](#spec-accesslogs): string - - [`textFormat`](#spec-accesslogs): string + - [`jsonFormat`](#spec-accesslogs): string + - [`textFormat`](#spec-accesslogs): string @@ -121,15 +121,15 @@ Meta { Config { = } -EnvoyExtensions = [ - { +EnvoyExtensions = [ + { Name= "" Required = "required" Arguments = "" ConsulVersion = "" EnvoyVersion = "" } -] +] Mode = "" TransparentProxy { OutboundListenerPort = @@ -183,7 +183,7 @@ spec: required: required arguments: consulVersion: - envoyVersion: + envoyVersion: mode: transparentProxy: outboundListenerPort: @@ -296,7 +296,7 @@ Specifies a name for the configuration entry that is used to identify the config ### `Namespace` -Specifies the namespace that the proxy defaults apply to. You can only specify the `default` namespace. +Specifies the namespace that the proxy defaults apply to. You can only specify the `default` namespace. #### Values @@ -305,7 +305,7 @@ Specifies the namespace that the proxy defaults apply to. You can only specify t ### `Partition` -Specifies the local admin partition that the proxy defaults apply to. Refer to [admin partitions](/consul/docs/enterprise/admin-partitions) for more information. +Specifies the local admin partition that the proxy defaults apply to. Refer to [admin partitions](/consul/docs/segment/admin-partition) for more information. #### Values @@ -314,7 +314,7 @@ Specifies the local admin partition that the proxy defaults apply to. Refer to [ ### `Meta` -Specifies a set of custom key-value pairs to add the [Consul KV](#/consul/docs/dynamic-app-config/kv) store. +Specifies a set of custom key-value pairs to add the [Consul KV](#/consul/docs/dynamic-app-config/kv) store. #### Values @@ -327,8 +327,8 @@ Specifies a set of custom key-value pairs to add the [Consul KV](#/consul/docs/d Specifies an arbitrary map of configuration values used by service mesh proxies. The available configurations depend on the mesh proxy you use. You can configure any global values that your proxy allows in this field. Refer to the following topics for additional information: -- [Envoy proxy configuration option](/consul/docs/connect/proxies/envoy#proxy-config-options) -- [Built-in proxy configuration options](/consul/docs/connect/proxies/built-in#proxy-config-key-reference) +- [Envoy proxy configuration option](/consul/docs/reference/proxy/envoy#proxy-config-options) +- [Built-in proxy configuration options](/consul/docs/reference/proxy/built-in#proxy-config-key-reference) #### Values @@ -337,7 +337,7 @@ Specifies an arbitrary map of configuration values used by service mesh proxies. ### `EnvoyExtensions` -Specifies a list of extensions that modify Envoy proxy configurations. Refer to [Envoy extensions](/consul/docs/connect/proxies/envoy-extensions) for additional information. +Specifies a list of extensions that modify Envoy proxy configurations. Refer to [Envoy extensions](/consul/docs/reference/proxy/envoy-extensions) for additional information. #### Values @@ -363,18 +363,18 @@ The following table describes how to configure values in the `EnvoyExtensions` m Specifies a mode for how proxies direct inbound and outbound traffic. You can specify one of the following values: -- `transparent`: In transparent mode, proxies capture and redirect inbound and outbound traffic. The mode does not enable traffic redirection, but directs Consul to configure Envoy as if traffic is already being redirected. +- `transparent`: In transparent mode, proxies capture and redirect inbound and outbound traffic. The mode does not enable traffic redirection, but directs Consul to configure Envoy as if traffic is already being redirected. -- `direct`: In this mode, the local application and other proxies must directly dial proxy listeners. +- `direct`: In this mode, the local application and other proxies must directly dial proxy listeners. #### Values - Default: None -- Data type: String +- Data type: String ### `TransparentProxy` -Contains configurations for proxies that are running in transparent proxy mode. This mode enables permissive mTLS for Consul so that you can use your Kubernetes cluster's DNS service instead of Consul DNS. Refer to [Transparent proxy mode](/consul/docs/k8s/connect/transparent-proxy) for additional information. +Contains configurations for proxies that are running in transparent proxy mode. This mode enables permissive mTLS for Consul so that you can use your Kubernetes cluster's DNS service instead of Consul DNS. Refer to [Transparent proxy mode](/consul/docs/connect/proxy/transparent-proxy) for additional information. #### Values @@ -388,15 +388,15 @@ The following table describes how to configure values in the `TransparentProxy` | Parameter | Description | Data type | Default | | --- | --- | --- | --- | | `OutboundListenerPort` | Specifies the port that the proxy listens on for outbound traffic. Outbound application traffic must be captured and redirected to this port. | Integer | `15001` | -| `DialedDirectly` | Determines whether other proxies in transparent mode can directly dial this proxy instance's IP address. Proxies in transparent mode commonly dial upstreams at the [`virtual` tagged address](/consul/docs/services/configuration/services-configuration-reference#tagged_addresses-virtual), which load balances across instances. Dialing individual instances can be helpful when sending requests to stateful services, such as database clusters with a leader. | Boolean | `false` | +| `DialedDirectly` | Determines whether other proxies in transparent mode can directly dial this proxy instance's IP address. Proxies in transparent mode commonly dial upstreams at the [`virtual` tagged address](/consul/docs/reference/service#tagged_addresses-virtual), which load balances across instances. Dialing individual instances can be helpful when sending requests to stateful services, such as database clusters with a leader. | Boolean | `false` | ### `MutualTLSMode` -Controls the default mutual TLS (mTLS) mode for all proxies. You can only set mutual TLS mode for services in transparent proxy mode. +Controls the default mutual TLS (mTLS) mode for all proxies. You can only set mutual TLS mode for services in transparent proxy mode. You can specify one of the following modes: -`strict`: The sidecar proxy requires mTLS for incoming traffic. +`strict`: The sidecar proxy requires mTLS for incoming traffic. `permissive`: The sidecar proxy accepts mTLS traffic on the sidecar proxy service port and accepts any traffic on the destination service port. We recommend only using permissive mode if necessary while onboarding services to the service mesh. #### Values @@ -421,7 +421,7 @@ Sets the default mesh gateway `mode` field for all proxies. You can specify the ### `Expose` -Specifies default configurations for exposing HTTP paths through Envoy. Exposing paths through Envoy enables services to protect themselves by only listening on `localhost`. Applications that are not Consul service mesh-enabled are still able to contact an HTTP endpoint. +Specifies default configurations for exposing HTTP paths through Envoy. Exposing paths through Envoy enables services to protect themselves by only listening on `localhost`. Applications that are not Consul service mesh-enabled are still able to contact an HTTP endpoint. Example use-cases include exposing the `/metrics` endpoint to a monitoring system, such as Prometheus, and exposing the `/healthz` endpoint to the kubelet for liveness checks. Refer to [Expose Paths Configuration Reference](/consul/docs/connect/proxy-config-reference#expose-paths-configuration-reference) for additional information. @@ -434,7 +434,7 @@ Example use-cases include exposing the `/metrics` endpoint to a monitoring syste ### `Expose{}.Checks` -Exposes all HTTP and gRPC checks registered with the agent when set to `true`. Envoy exposes listeners for the checks and only accepts connections originating from localhost or the [Consul agent's `advertise_addr`](/consul/docs/agent/config/config-files#advertise). The ports for the listeners are dynamically allocated from the [agent's `expose_min_port`](/consul/docs/agent/config/config-files#expose_min_port) and [`expose_max_port`](/consul/docs/agent/config/config-files#expose_max_port) configurations. +Exposes all HTTP and gRPC checks registered with the agent when set to `true`. Envoy exposes listeners for the checks and only accepts connections originating from localhost or the [Consul agent's `advertise_addr`](/consul/docs/reference/agent#advertise). The ports for the listeners are dynamically allocated from the [agent's `expose_min_port`](/consul/docs/reference/agent#expose_min_port) and [`expose_max_port`](/consul/docs/reference/agent#expose_max_port) configurations. We recommend enabling the `Checks` configuration when a Consul client cannot reach registered services over localhost. @@ -445,12 +445,12 @@ We recommend enabling the `Checks` configuration when a Consul client cannot rea ### `Expose{}.Paths[]` -Specifies a list of configuration maps that define paths to expose through Envoy when `Expose.Checks` is set to `true`. +Specifies a list of configuration maps that define paths to expose through Envoy when `Expose.Checks` is set to `true`. #### Values - Default: None -- Data type: List of maps +- Data type: List of maps The following table describes the parameters for each map you can define in the list: @@ -461,7 +461,7 @@ The following table describes the parameters for each map you can define in the | `ListenPort` | Specifies the port where the proxy listens for connections. The port must be available. If the port is unavailable, Envoy does not expose a listener for the path and the proxy registration still succeeds. | Integer | `0` | | `Protocol` | Specifies the protocol of the listener. You can configure one of the following values:
  • `http`
  • `http2`: Use with gRPC traffic
    • | String | `http` | -### `PrioritizeByLocality` +### `PrioritizeByLocality` Sets a mode for the service that allows instances to prioritize upstream targets that are in the same network region and zone. You can specify the following string values for the `mode` field: @@ -479,7 +479,7 @@ Specifies [Envoy access logger](https://www.envoyproxy.io/docs/envoy/latest/intr #### Values - Default: None -- Data type: Map +- Data type: Map The following table describes the parameters you can define in the `AccessLogs` map: @@ -489,7 +489,7 @@ The following table describes the parameters you can define in the `AccessLogs` | `DisabledListenerLogs` | Disables access logs for traffic rejected at the listener level. Rejected traffic includes connections that do not match any of Envoy's configured filters, such as Consul upstream services. Set this option to `true` if you do not want to log unknown requests that Envoy is not forwarding. | Boolean | `false` | | `Type` | Specifies the destination for access logs. You can specify one of the following types:
  • `stdout`
  • `stderr`
  • `file`
    • | String | None | | `Path` | Specifies the destination for writing access logs to file when `Type` is set to `file`. | String | None | -| `JSONFormat` | Specifies a JSON-formatted string that represents the format for each emitted access log. You can use [Envoy command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) to customize the emitted data. You can also nest data. You cannot set this field and the `TextFormat` field concurrently. | String | [Default log format](/consul/docs/connect/observability/access-logs#default-log-format) | +| `JSONFormat` | Specifies a JSON-formatted string that represents the format for each emitted access log. You can use [Envoy command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) to customize the emitted data. You can also nest data. You cannot set this field and the `TextFormat` field concurrently. | String | [Default log format](/consul/docs/observe/access-logs#default-log-format) | | `TextFormat` | Specifies a text-formatted string that represents the format for each emitted access log. You can use [Envoy command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) to customize the emitted data. You can also nest data. You cannot set this field and the `JSONFormat` field concurrently. | String | None | @@ -498,7 +498,7 @@ The following table describes the parameters you can define in the `AccessLogs` ### apiVersion -Specifies the version of the Consul API to use to apply the configuration entry. This must be set to `consul.hashicorp.com/v1alpha1`. +Specifies the verion of the Consul API to use to apply the configuration entry. This must be set to `consul.hashicorp.com/v1alpha1`. #### Values @@ -556,17 +556,17 @@ Map that contains the details about the ProxyDefaults configuration entry. The ` Specifies an arbitrary map of configuration values used by service mesh proxies. The available configurations depend on the mesh proxy you use. You can configure any global values that your proxy allows in this field. Refer to the following topics for additional information: -- [Envoy proxy configuration option](/consul/docs/connect/proxies/envoy#proxy-config-options) -- [Built-in proxy configuration options](/consul/docs/connect/proxies/built-in#proxy-config-key-reference) +- [Envoy proxy configuration option](/consul/docs/reference/proxy/envoy#proxy-config-options) +- [Built-in proxy configuration options](/consul/docs/reference/proxy/built-in#proxy-config-key-reference) #### Values - Default: None -- Data type: Map +- Data type: Map ### `spec.envoyExtensions` -Specifies a list of extensions that modify Envoy proxy configurations. Refer to [Envoy extensions](/consul/docs/connect/proxies/envoy-extensions) for additional information. +Specifies a list of extensions that modify Envoy proxy configurations. Refer to [Envoy extensions](/consul/docs/reference/proxy/envoy-extensions) for additional information. #### Values @@ -592,18 +592,18 @@ The following table describes how to configure values in the `EnvoyExtensions` m Specifies a mode for how proxies direct inbound and outbound traffic. You can specify one of the following values: -- `transparent`: In transparent mode, proxies capture and redirect inbound and outbound traffic. The mode does not enable traffic redirection, but directs Consul to configure Envoy as if traffic is already being redirected. +- `transparent`: In transparent mode, proxies capture and redirect inbound and outbound traffic. The mode does not enable traffic redirection, but directs Consul to configure Envoy as if traffic is already being redirected. -- `direct`: In this mode, the local application and other proxies must directly dial proxy listeners. +- `direct`: In this mode, the local application and other proxies must directly dial proxy listeners. #### Values - Default: None -- Data type: String +- Data type: String ### `spec.transparentProxy` -Contains configurations for proxies that are running in transparent proxy mode. This mode enables permissive mTLS for Consul so that you can use your Kubernetes cluster's DNS service instead of Consul DNS. Refer to [Transparent proxy mode](/consul/docs/k8s/connect/transparent-proxy) for additional information. +Contains configurations for proxies that are running in transparent proxy mode. This mode enables permissive mTLS for Consul so that you can use your Kubernetes cluster's DNS service instead of Consul DNS. Refer to [Transparent proxy mode](/consul/docs/connect/proxy/transparent-proxy) for additional information. #### Values @@ -617,15 +617,15 @@ The following table describes how to configure values in the `TransparentProxy` | Parameter | Description | Data type | Default | | --- | --- | --- | --- | | `outboundListenerPort` | Specifies the port that the proxy listens on for outbound traffic. Outbound application traffic must be captured and redirected to this port. | Integer | `15001` | -| `dialedDirectly` | Determines whether other proxies in transparent mode can directly dial this proxy instance's IP address. Proxies in transparent mode commonly dial upstreams at the [`virtual` tagged address](/consul/docs/services/configuration/services-configuration-reference#tagged_addresses-virtual), which load balances across instances. Dialing individual instances can be helpful when sending requests to stateful services, such as database clusters with a leader. | Boolean | `false` | +| `dialedDirectly` | Determines whether other proxies in transparent mode can directly dial this proxy instance's IP address. Proxies in transparent mode commonly dial upstreams at the [`virtual` tagged address](/consul/docs/reference/service#tagged_addresses-virtual), which load balances across instances. Dialing individual instances can be helpful when sending requests to stateful services, such as database clusters with a leader. | Boolean | `false` | ### `spec.mutualTLSMode` -Controls the default mutual TLS (mTLS) mode for all proxies. You can only set mutual TLS mode for services in transparent proxy mode. +Controls the default mutual TLS (mTLS) mode for all proxies. You can only set mutual TLS mode for services in transparent proxy mode. You can specify one of the following modes: -`strict`: The sidecar proxy requires mTLS for incoming traffic. +`strict`: The sidecar proxy requires mTLS for incoming traffic. `permissive`: The sidecar proxy accepts mTLS traffic on the sidecar proxy service port and accepts any traffic on the destination service port. We recommend only using permissive mode if necessary while onboarding services to the service mesh. #### Values @@ -650,7 +650,7 @@ Sets the default mesh gateway `mode` field for all proxies. You can specify the ### `spec.expose` -Specifies default configurations for exposing HTTP paths through Envoy. Exposing paths through Envoy enables services to protect themselves by only listening on `localhost`. Applications that are not Consul service mesh-enabled are still able to contact an HTTP endpoint. +Specifies default configurations for exposing HTTP paths through Envoy. Exposing paths through Envoy enables services to protect themselves by only listening on `localhost`. Applications that are not Consul service mesh-enabled are still able to contact an HTTP endpoint. Example use-cases include exposing the `/metrics` endpoint to a monitoring system, such as Prometheus, and exposing the `/healthz` endpoint to the kubelet for liveness checks. Refer to [Expose Paths Configuration Reference](/consul/docs/connect/proxy-config-reference#expose-paths-configuration-reference) for additional information. @@ -659,11 +659,11 @@ Example use-cases include exposing the `/metrics` endpoint to a monitoring syste - Default: None - Data type: Map containing the following parameters: - [`checks`](#expose-checks) - - [`paths`](#expose-paths) + - [`aths`](#expose-paths) ### `spec.expose{}.checks` -Exposes all HTTP and gRPC checks registered with the agent when set to `true`. Envoy exposes listeners for the checks and only accepts connections originating from localhost or the [Consul agent's `advertise_addr`](/consul/docs/agent/config/config-files#advertise). The ports for the listeners are dynamically allocated from the [agent's `expose_min_port`](/consul/docs/agent/config/config-files#expose_min_port) and [`expose_max_port`](/consul/docs/agent/config/config-files#expose_max_port) configurations. +Exposes all HTTP and gRPC checks registered with the agent when set to `true`. Envoy exposes listeners for the checks and only accepts connections originating from localhost or the [Consul agent's `advertise_addr`](/consul/docs/reference/agent#advertise). The ports for the listeners are dynamically allocated from the [agent's `expose_min_port`](/consul/docs/reference/agent#expose_min_port) and [`expose_max_port`](/consul/docs/reference/agent#expose_max_port) configurations. We recommend enabling the `Checks` configuration when a Consul client cannot reach registered services over localhost, such as when Consul agents run in their own pods in Kubernetes. @@ -674,12 +674,12 @@ We recommend enabling the `Checks` configuration when a Consul client cannot rea ### `spec.expose{}.paths[]` -Specifies a list of configuration maps that define paths to expose through Envoy when `spec.expose.checks` is set to `true`. +Specifies a list of configuration maps that define paths to expose through Envoy when `spec.expose.checks` is set to `true`. #### Values - Default: None -- Data type: List of maps. +- Data type: List of maps. The following table describes the parameters for each map you can define in the list: @@ -708,7 +708,7 @@ Specifies [Envoy access logger](https://www.envoyproxy.io/docs/envoy/latest/intr #### Values - Default: None -- Data type: Map +- Data type: Map The following table describes the parameters you can define in the `accessLogs` map: @@ -718,7 +718,7 @@ The following table describes the parameters you can define in the `accessLogs` | `disabledListenerLogs` | Disables access logs for traffic rejected at the listener level. Rejected traffic includes connections that do not match any of Envoy's configured filters, such as Consul upstream services. Set this option to `true` if you do not want to log unknown requests that Envoy is not forwarding. | Boolean | `false` | | `type` | Specifies the destination for access logs. You can specify one of the following types:
  • `stdout`
  • `stderr`
  • `file`
    • | String | None | | `path` | Specifies the destination for writing access logs to file when `type` is set to `file`. | String | None | -| `jsonFormat` | Specifies a JSON-formatted string that represents the format for each emitted access log. You can use [Envoy command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) to customize the emitted data. You can also nest data. You cannot set this field and the `textFormat` field concurrently. | String | [Default log format](/consul/docs/connect/observability/access-logs#default-log-format) | +| `jsonFormat` | Specifies a JSON-formatted string that represents the format for each emitted access log. You can use [Envoy command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) to customize the emitted data. You can also nest data. You cannot set this field and the `textFormat` field concurrently. | String | [Default log format](/consul/docs/observe/access-logs#default-log-format) | | `textFormat` | Specifies a text-formatted string that represents the format for each emitted access log. You can use [Envoy command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) to customize the emitted data. You can also nest data. You cannot set this field and the `jsonFormat` field concurrently. | String | None | @@ -874,7 +874,7 @@ spec: ### Access Logs -The following example enables access logs for all proxies. Refer to [access logs](/consul/docs/connect/observability/access-logs) for more detailed examples. +The following example enables access logs for all proxies. Refer to [access logs](/consul/docs/observe/access-logs) for more detailed examples. diff --git a/website/content/docs/connect/config-entries/sameness-group.mdx b/website/content/docs/reference/config-entry/sameness-group.mdx similarity index 91% rename from website/content/docs/connect/config-entries/sameness-group.mdx rename to website/content/docs/reference/config-entry/sameness-group.mdx index f9fdffcd7a6..3242d3309ee 100644 --- a/website/content/docs/connect/config-entries/sameness-group.mdx +++ b/website/content/docs/reference/config-entry/sameness-group.mdx @@ -1,14 +1,15 @@ --- -page_title: Sameness group configuration reference -description: |- +layout: docs +page_title: Sameness group configuration entry reference +description: >- Sameness groups enable Consul to associate service instances with the same name deployed to the same namespace as identical services. Learn how to configure a `sameness-group` configuration entry to enable failover between partitions and cluster peers in non-federated networks. --- -# Sameness groups configuration reference +# Sameness group configuration entry reference This page provides reference information for sameness group configuration entries. Sameness groups associate identical admin partitions to facilitate traffic between identical services. When partitions are part of the same Consul datacenter, you can create a sameness group by listing them in the `Members[].Partition` field. When partitions are located on remote clusters, you must establish cluster peering connections between remote partitions in order to add them to a sameness group in the `Members[].Peer` field. -To learn more about creating a sameness group, refer to [Create sameness groups](/consul/docs/connect/cluster-peering/usage/create-sameness-groups) or [Create sameness groups on Kubernetes](/consul/docs/k8s/connect/cluster-peering/usage/create-sameness-groups). +To learn more about creating a sameness group, refer to [Create sameness groups](/consul/docs/east-west/cluster-peering/usage/create-sameness-groups) or [Create sameness groups on Kubernetes](/consul/docs/k8s/connect/cluster-peering/usage/create-sameness-groups). ## Configuration model @@ -75,7 +76,7 @@ Members = [ # required "Name": "", // required "Partition": "", "DefaultForFailover": false, - "IncludeLocal": true, + "IncludeLocal": true, "Members": [ // required { "Partition": "" @@ -137,7 +138,7 @@ Specifies a name for the configuration entry that is used to identify the samene ### `Partition` -Specifies the local admin partition that the sameness group applies to. Refer to [admin partitions](/consul/docs/enterprise/admin-partitions) for more information. +Specifies the local admin partition that the sameness group applies to. Refer to [admin partitions](/consul/docs/segment/admin-partition) for more information. #### Values @@ -150,9 +151,7 @@ Determines whether the sameness group should be used to establish connections to When this field is set to `true`, upstream requests automatically fail over to services in the sameness group according to the order of the members in the `Members` list. It impacts all services on the partition. -When this field is set to `false`, you can use a sameness group for failover by configuring the `Failover` block of a [service resolver configuration entry](/consul/docs/connect/config-entries/service-resolver). - -When you [query Consul DNS](/consul/docs/services/discovery/dns-static-lookups) using sameness groups, `DefaultForFailover` must be set to `true`. Otherwise, Consul DNS returns an error. +When this field is set to `false`, you can use a sameness group for failover by configuring the `Failover` block of a [service resolver configuration entry](/consul/docs/reference/config-entry/service-resolver). #### Values @@ -174,7 +173,7 @@ If you enable this parameter, you do not need to list the local partition as the Specifies the partitions and cluster peers that are members of the sameness group from the perspective of the local partition. -The local partition should be the first member listed unless `IncludeLocal=true`. The order of the members determines their precedence during failover scenarios. If a member is listed but Consul cannot connect to it, failover proceeds with the next healthy member in the list. For an example demonstrating how to configure this parameter, refer to [Failover between sameness groups](#failover-between-members-of-a-sameness-group). +The local partition should be the first member listed unless `IncludeLocal=true`. The order of the members determines their precedence during failover scenarios. If a member is listed but Consul cannot connect to it, failover proceeds with the next healthy member in the list. For an example demonstrating how to configure this parameter, refer to [Failover between sameness groups](#failover-between-sameness-groups). Each partition can belong to a single sameness group. You cannot associate a partition or cluster peer with multiple sameness groups. @@ -199,7 +198,7 @@ Specifies a partition in the local datacenter that is a member of the sameness g Specifies the name of a cluster peer that is a member of the sameness group. -Cluster peering connections must be established before adding a remote partition to the list of members. Refer to [establish cluster peering connections](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering) for more information. +Cluster peering connections must be established before adding a remote partition to the list of members. Refer to [establish cluster peering connections](/consul/docs/east-west/cluster-peering/establish-connection/vm) for more information. #### Values @@ -212,7 +211,7 @@ Cluster peering connections must be established before adding a remote partition ### `apiVersion` -Specifies the version of the Consul API for integrating with Kubernetes. The value must be `consul.hashicorp.com/v1alpha1`. +Specifies the version of the Consul API for integrating with Kubernetes. The value must be `consul.hashicorp.com/v1alpha1`. #### Values @@ -230,7 +229,7 @@ Specifies the type of configuration entry to implement. Must be set to `Sameness - This field is required. - Data type: String value that must be set to `SamenessGroup`. -### `metadata` +## `metadata` Map that contains an arbitrary name for the configuration entry and the namespace it applies to. @@ -263,7 +262,7 @@ Map that contains the details about the `SamenessGroup` configuration entry. The Determines whether the sameness group should be used to establish connections to services with the same name during failover scenarios. When this field is set to `true`, upstream requests automatically failover to services in the sameness group according to the order of the members in the `spec.members` list. This setting affects all services on the partition. -When this field is set to `false`, you can use a sameness group for failover by configuring the `spec.failover` block of a [service resolver CRD](/consul/docs/connect/config-entries/service-resolver). +When this field is set to `false`, you can use a sameness group for failover by configuring the `spec.failover` block of a [service resolver CRD](/consul/docs/reference/config-entry/service-resolver). #### Values @@ -294,7 +293,7 @@ Each partition can belong to a single sameness group. You cannot associate a par - Default: None - This field is required. - Data type: List that can contain maps of the following parameters: - + - [`partition`](#spec-members-partition) - [`peer`](#spec-members-peer) @@ -311,7 +310,7 @@ Specifies a partition in the local datacenter that is a member of the sameness g Specifies the name of a cluster peer that is a member of the sameness group. -Cluster peering connections must be established before adding a peer to the list of members. Refer to [establish cluster peering connections](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering) for more information. +Cluster peering connections must be established before adding a peer to the list of members. Refer to [establish cluster peering connections](/consul/docs/east-west/cluster-peering/establish-connection/vm) for more information. #### Values @@ -339,7 +338,7 @@ In the following example, the configuration entry defines a sameness group named ```hcl -Kind = "sameness-group" +Kind = "sameness-group" Name = "products-api" Partition = "store-east" Members = [ @@ -356,8 +355,8 @@ Members = [ ```json { - "Kind": "sameness-group", - "Name": "products-api", + "Kind": "sameness-group", + "Name": "products-api", "Partition": "store-east", "Members": [ { @@ -382,11 +381,11 @@ Members = [ ```yaml apiVersion: consul.hashicorp.com/v1alpha1 -kind: SamenessGroup +kind: SamenessGroup metadata: name: products-api spec: - members: + members: - partition: store-east - partition: inventory-east - peer: dc2-store-west diff --git a/website/content/docs/connect/config-entries/service-defaults.mdx b/website/content/docs/reference/config-entry/service-defaults.mdx similarity index 95% rename from website/content/docs/connect/config-entries/service-defaults.mdx rename to website/content/docs/reference/config-entry/service-defaults.mdx index 271256bbae9..34d2b3f4559 100644 --- a/website/content/docs/connect/config-entries/service-defaults.mdx +++ b/website/content/docs/reference/config-entry/service-defaults.mdx @@ -1,13 +1,13 @@ --- layout: docs -page_title: Service defaults configuration reference -description: -> +page_title: Service defaults configuration entry reference +description: >- Use the service-defaults configuration entry to set default configurations for services, such as upstreams, protocols, and namespaces. Learn how to configure service-defaults. --- -# Service defaults configuration reference +# Service defaults configuration entry reference -This topic describes how to configure service defaults configuration entries. The service defaults configuration entry contains common configuration settings for service mesh services, such as upstreams and gateways. Refer to [Define service defaults](/consul/docs/services/usage/define-services#define-service-defaults) for usage information. +This topic describes how to configure service defaults configuration entries. The service defaults configuration entry contains common configuration settings for service mesh services, such as upstreams and gateways. Refer to [Define service defaults](/consul/docs/register/service/vm/define#define-service-defaults) for usage information. ## Configuration model @@ -547,7 +547,7 @@ Specifies the Consul namespace that the configuration entry applies to. ### `Partition` -Specifies the name of the Consul admin partition that the configuration entry applies to. Refer to [Admin Partitions](/consul/docs/enterprise/admin-partitions) for additional information. +Specifies the name of the Consul admin partition that the configuration entry applies to. Refer to [Admin Partitions](/consul/docs/segment/admin-partition) for additional information. #### Values @@ -556,7 +556,7 @@ Specifies the name of the Consul admin partition that the configuration entry ap ### `Meta` -Specifies a set of custom key-value pairs to add to the [Consul KV](/consul/docs/dynamic-app-config/kv) store. +Specifies a set of custom key-value pairs to add to the [Consul KV](/consul/docs/dynamic-app/kv) store. #### Values @@ -570,11 +570,11 @@ Specifies a set of custom key-value pairs to add to the [Consul KV](/consul/docs Specifies the default protocol for the service. In service mesh use cases, the `protocol` configuration is required to enable the following features and components: - [observability](/consul/docs/connect/observability) -- [service splitter configuration entry](/consul/docs/connect/config-entries/service-splitter) -- [service router configuration entry](/consul/docs/connect/config-entries/service-router) -- [L7 intentions](/consul/docs/connect/intentions#l7-traffic-intentions) +- [service splitter configuration entry](/consul/docs/reference/config-entry/service-splitter) +- [service router configuration entry](/consul/docs/reference/config-entry/service-router) +- [L7 intentions](/consul/docs/secure-mesh/intentions#l7-traffic-intentions) -You can set the global protocol for proxies in the [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults#default-protocol) configuration entry, but the protocol specified in the `service-defaults` configuration entry overrides the `proxy-defaults` configuration. +You can set the global protocol for proxies in the [`proxy-defaults`](/consul/docs/reference/config-entry/proxy-defaults#default-protocol) configuration entry, but the protocol specified in the `service-defaults` configuration entry overrides the `proxy-defaults` configuration. #### Values @@ -662,7 +662,7 @@ The following table describes the parameters you can specify in the `Routes` map | --- | --- | --- | --- | | `PathExact` | Specifies the exact path to match on the request path. When using this field, do not configure `PathPrefix` or `PathRegex` in the same `Routes` map. | String | None | | `PathPrefix` | Specifies the path prefix to match on the request path. When using this field, do not configure `PathExact` or `PathRegex` in the same `Routes` map. | String | None | -| `PathRegex` | Specifies a regular expression to match on the request path. When using this field, do not configure `PathExact` or `PathPrefix` in the same `Routes` map. The syntax is proxy-specific. When [using Envoy](/consul/docs/connect/proxies/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. | String | None | +| `PathRegex` | Specifies a regular expression to match on the request path. When using this field, do not configure `PathExact` or `PathPrefix` in the same `Routes` map. The syntax is proxy-specific. When [using Envoy](/consul/docs/reference/proxy/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. | String | None | | `RequestsPerSecond` | Specifies the average number of requests per second allowed to the service. Overrides the [`RequestsPerSecond`](#ratelimits-instancelevel-requestspersecond) parameter specified for the service. | Integer | None | | `RequestsMaxBurst` | Specifies the maximum number of concurrent requests temporarily allowed to the service. When the limit is reached, Consul blocks additional requests. You must specify a value equal to or greater than the `Routes.RequestsPerSecond` parameter. Overrides the [`RequestsMaxBurst`](#ratelimits-instancelevel-requestsmaxburst) parameter specified for the service. | Integer | None | @@ -729,7 +729,7 @@ We recommend configuring the protocol in the main [`Protocol`](#protocol) field Specifies how long in milliseconds that the service should attempt to establish an upstream connection before timing out. -We recommend configuring the upstream timeout in the [`connection_timeout`](/consul/docs/connect/config-entries/service-resolver#connecttimeout) field of the `service-resolver` configuration entry for the upstream destination service. Doing so enables you to leverage [L7 features](/consul/docs/connect/manage-traffic). Configuring the timeout in the `service-defaults` upstream configuration limits L7 management functionality. +We recommend configuring the upstream timeout in the [`connection_timeout`](/consul/docs/reference/config-entry/service-resolver#connecttimeout) field of the `service-resolver` configuration entry for the upstream destination service. Doing so enables you to leverage [L7 features](/consul/docs/connect/manage-traffic). Configuring the timeout in the `service-defaults` upstream configuration limits L7 management functionality. #### Values @@ -738,7 +738,7 @@ We recommend configuring the upstream timeout in the [`connection_timeout`](/con ### `UpstreamConfig.Overrides[].MeshGateway` -Map that contains the default mesh gateway `mode` field for the upstream. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. +Map that contains the default mesh gateway `mode` field for the upstream. Refer to [Service Mesh Proxy Configuration](/consul/docs/east-west/mesh-gateway/#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. #### Values @@ -814,14 +814,14 @@ We recommend configuring the protocol in the main [`Protocol`](#protocol) field Specifies how long in milliseconds that all services should continue attempting to establish an upstream connection before timing out. -For non-Kubernetes environments, we recommend configuring the upstream timeout in the [`connection_timeout`](/consul/docs/connect/config-entries/service-resolver#connecttimeout) field of the `service-resolver` configuration entry for the upstream destination service. Doing so enables you to leverage [L7 features](/consul/docs/connect/manage-traffic). Configuring the timeout in the `service-defaults` upstream configuration limits L7 management functionality. +For non-Kubernetes environments, we recommend configuring the upstream timeout in the [`connection_timeout`](/consul/docs/reference/config-entry/service-resolver#connecttimeout) field of the `service-resolver` configuration entry for the upstream destination service. Doing so enables you to leverage [L7 features](/consul/docs/connect/manage-traffic). Configuring the timeout in the `service-defaults` upstream configuration limits L7 management functionality. - Default: `5000` - Data type: Integer ### `UpstreamConfig.Defaults.MeshGateway` -Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. +Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Service Mesh Proxy Configuration](/consul/docs/east-west/mesh-gateway/#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. You can specify the following string values for the `mode` field: @@ -860,7 +860,7 @@ Map that specifies a set of rules that enable Consul to remove hosts from the up ### `TransparentProxy` -Controls configurations specific to proxies in transparent mode. Refer to [Transparent Proxy Mode](/consul/docs/k8s/connect/transparent-proxy) for additional information. +Controls configurations specific to proxies in transparent mode. Refer to [Transparent Proxy Mode](/consul/docs/connect/proxy/transparent-proxy) for additional information. You can configure the following parameters in the `TransparentProxy` block: @@ -884,7 +884,7 @@ You can specify the following string values for the `MutualTLSMode` field: ### `EnvoyExtensions` -List of extensions to modify Envoy proxy configuration. Refer to [Envoy Extensions](/consul/docs/connect/proxies/envoy-extensions) for additional information. +List of extensions to modify Envoy proxy configuration. Refer to [Envoy Extensions](/consul/docs/reference/proxy/envoy-extensions) for additional information. The following table describes how to configure values in the `EnvoyExtensions` map: @@ -900,7 +900,7 @@ The following table describes how to configure values in the `EnvoyExtensions` m Configures the destination for service traffic through terminating gateways. Refer to [Terminating Gateway](/consul/docs/connect/gateways/terminating-gateway) for additional information. -To use the `Destination` block, proxy services must be in transparent proxy mode. Refer to [Enable transparent proxy mode](/consul/docs/k8s/connect/transparent-proxy/enable-transparent-proxy) for additional information. +To use the `Destination` block, proxy services must be in transparent proxy mode. Refer to [Enable transparent proxy mode](/consul/docs/connect/proxy/transparent-proxy/enable) for additional information. You can configure the following parameters in the `Destination` block: @@ -932,7 +932,7 @@ Specifies the timeout for HTTP requests to the local application instance. Appli ### `MeshGateway` -Specifies the default mesh gateway `mode` field for the service. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. +Specifies the default mesh gateway `mode` field for the service. Refer to [Service Mesh Proxy Configuration](/consul/docs/east-west/mesh-gateway/#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. You can specify the following string values for the `mode` field: @@ -956,7 +956,7 @@ Specifies default configurations for exposing HTTP paths through Envoy. Exposing ### `Expose.Checks` -Exposes all HTTP and gRPC checks registered with the agent if set to `true`. Envoy exposes listeners for the checks and only accepts connections originating from localhost or Consul's [`advertise_addr`](/consul/docs/agent/config/config-files#advertise_addr). The ports for the listeners are dynamically allocated from the agent's [`expose_min_port`](/consul/docs/agent/config/config-files#expose_min_port) and [`expose_max_port`](/consul/docs/agent/config/config-files#expose_max_port) configurations. +Exposes all HTTP and gRPC checks registered with the agent if set to `true`. Envoy exposes listeners for the checks and only accepts connections originating from localhost or Consul's [`advertise_addr`](/consul/docs/reference/agent#advertise_addr). The ports for the listeners are dynamically allocated from the agent's [`expose_min_port`](/consul/docs/reference/agent#expose_min_port) and [`expose_max_port`](/consul/docs/reference/agent#expose_max_port) configurations. We recommend enabling the `Checks` configuration when a Consul client cannot reach registered services over localhost, such as when Consul agents run in their own pods in Kubernetes. @@ -1032,11 +1032,11 @@ Map that contains the details about the `ServiceDefaults` configuration entry. T Specifies the default protocol for the service. In service service mesh use cases, the `protocol` configuration is required to enable the following features and components: - [observability](/consul/docs/connect/observability) -- [`service-splitter` configuration entry](/consul/docs/connect/config-entries/service-splitter) -- [`service-router` configuration entry](/consul/docs/connect/config-entries/service-router) -- [L7 intentions](/consul/docs/connect/intentions#l7-traffic-intentions) +- [`service-splitter` configuration entry](/consul/docs/reference/config-entry/service-splitter) +- [`service-router` configuration entry](/consul/docs/reference/config-entry/service-router) +- [L7 intentions](/consul/docs/secure-mesh/intentions#l7-traffic-intentions) -You can set the global protocol for proxies in the [`ProxyDefaults` configuration entry](/consul/docs/connect/config-entries/proxy-defaults#default-protocol), but the protocol specified in the `ServiceDefaults` configuration entry overrides the `ProxyDefaults` configuration. +You can set the global protocol for proxies in the [`ProxyDefaults` configuration entry](/consul/docs/reference/config-entry/proxy-defaults#default-protocol), but the protocol specified in the `ServiceDefaults` configuration entry overrides the `ProxyDefaults` configuration. #### Values @@ -1128,7 +1128,7 @@ The following table describes the parameters you can specify in the `routes` map | --- | --- | --- | --- | | `pathExact` | Specifies the exact path to match on the request path. When using this field, do not configure `pathPrefix` or `pathRegex` in the same `routes` map. | String | None | | `pathPrefix` | Specifies the path prefix to match on the request path. When using this field, do not configure `pathExact` or `pathRegex` in the same `routes` map. | String | None | -| `pathRegex` | Specifies a regular expression to match on the request path. When using this field, do not configure `pathExact` or `pathPrefix` in the same `routes` map. The syntax is proxy-specific. When [using Envoy](/consul/docs/connect/proxies/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. | String | None | +| `pathRegex` | Specifies a regular expression to match on the request path. When using this field, do not configure `pathExact` or `pathPrefix` in the same `routes` map. The syntax is proxy-specific. When [using Envoy](/consul/docs/reference/proxy/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. | String | None | | `requestsPerSecond` | Specifies the average number of requests per second allowed to the service. Overrides the [`requestsPerSecond`](#spec-ratelimits-instancelevel-requestspersecond) parameter specified for the service. | Integer | None | | `requestsMaxBurst` | Specifies the maximum number of concurrent requests temporarily allowed to the service. When the limit is reached, Consul blocks additional requests. You must specify a value equal to or greater than the `routes.requestsPerSecond` parameter. Overrides the [`requestsMaxBurst`](#spec-ratelimits-instancelevel-requestsmaxburst) parameter specified for the service. | Integer | None | @@ -1193,7 +1193,7 @@ Specifies the protocol to use for requests to the upstream listener. We recommen Specifies how long in milliseconds that the service should attempt to establish an upstream connection before timing out. -We recommend configuring the upstream timeout in the [`connectTimeout`](/consul/docs/connect/config-entries/service-resolver#connecttimeout) field of the `ServiceResolver` CRD for the upstream destination service. Doing so enables you to leverage [L7 features](/consul/docs/connect/manage-traffic). Configuring the timeout in the `ServiceDefaults` upstream configuration limits L7 management functionality. +We recommend configuring the upstream timeout in the [`connectTimeout`](/consul/docs/reference/config-entry/service-resolver#connecttimeout) field of the `ServiceResolver` CRD for the upstream destination service. Doing so enables you to leverage [L7 features](/consul/docs/connect/manage-traffic). Configuring the timeout in the `ServiceDefaults` upstream configuration limits L7 management functionality. #### Values @@ -1202,7 +1202,7 @@ We recommend configuring the upstream timeout in the [`connectTimeout`](/consul/ ### `spec.upstreamConfig.overrides[].meshGateway.mode` -Map that contains the default mesh gateway `mode` field for the upstream. Refer to [Connect Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) in the mesh gateway documentation for additional information. +Map that contains the default mesh gateway `mode` field for the upstream. Refer to [Connect Proxy Configuration](/consul/docs/east-west/mesh-gateway/#connect-proxy-configuration) in the mesh gateway documentation for additional information. #### Values @@ -1273,7 +1273,7 @@ Specifies default protocol for upstream listeners. We recommend configuring the Specifies how long in milliseconds that all services should continue attempting to establish an upstream connection before timing out. -We recommend configuring the upstream timeout in the [`connectTimeout`](/consul/docs/connect/config-entries/service-resolver#connecttimeout) field of the `ServiceResolver` CRD for upstream destination services. Doing so enables you to leverage [L7 features](/consul/docs/connect/manage-traffic). Configuring the timeout in the `ServiceDefaults` upstream configuration limits L7 management functionality. +We recommend configuring the upstream timeout in the [`connectTimeout`](/consul/docs/reference/config-entry/service-resolver#connecttimeout) field of the `ServiceResolver` CRD for upstream destination services. Doing so enables you to leverage [L7 features](/consul/docs/connect/manage-traffic). Configuring the timeout in the `ServiceDefaults` upstream configuration limits L7 management functionality. #### Values @@ -1282,7 +1282,7 @@ We recommend configuring the upstream timeout in the [`connectTimeout`](/consul/ ### `spec.upstreamConfig.defaults.meshGateway.mode` -Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. +Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Service Mesh Proxy Configuration](/consul/docs/east-west/mesh-gateway/#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. #### Values @@ -1360,7 +1360,7 @@ You can specify the following string values for the `MutualTLSMode` field: ### `spec.envoyExtensions` -List of extensions to modify Envoy proxy configuration. Refer to [Envoy Extensions](/consul/docs/connect/proxies/envoy-extensions) for additional information. +List of extensions to modify Envoy proxy configuration. Refer to [Envoy Extensions](/consul/docs/reference/proxy/envoy-extensions) for additional information. #### Values @@ -1378,7 +1378,7 @@ The following table describes how to configure values in the `envoyExtensions` m Map of configurations that specify one or more destinations for service traffic routed through terminating gateways. Refer to [Terminating Gateway](/consul/docs/connect/gateways/terminating-gateway) for additional information. -To use the `destination` block, proxy services must be in transparent proxy mode. Refer to [Enable transparent proxy mode](/consul/docs/k8s/connect/transparent-proxy/enable-transparent-proxy) for additional information. +To use the `destination` block, proxy services must be in transparent proxy mode. Refer to [Enable transparent proxy mode](/consul/docs/connect/proxy/transparent-proxy/enable) for additional information. #### Values @@ -1417,7 +1417,7 @@ Specifies the timeout for HTTP requests to the local application instance. Appli - Data type: String ### `spec.meshGateway.mode` -Specifies the default mesh gateway `mode` field for the service. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. +Specifies the default mesh gateway `mode` field for the service. Refer to [Service Mesh Proxy Configuration](/consul/docs/east-west/mesh-gateway/#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. #### Values @@ -1438,7 +1438,7 @@ Specifies the TLS server name indication (SNI) when federating with an external ### `spec.expose` -Specifies default configurations for exposing HTTP paths through Envoy. Exposing paths through Envoy enables services to listen on `localhost` only. Applications that are not Consul service mesh-enabled can still contact an HTTP endpoint. Refer to [Expose Paths Configuration Reference](/consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference) for additional information and example configurations. +Specifies default configurations for exposing HTTP paths through Envoy. Exposing paths through Envoy enables services to listen on `localhost` only. Applications that are not Consul service mesh-enabled can still contact an HTTP endpoint. Refer to [Expose Paths Configuration Reference](/consul/docs/reference/proxy/connect-proxy#expose-paths-configuration-reference) for additional information and example configurations. #### Values @@ -1447,7 +1447,7 @@ Specifies default configurations for exposing HTTP paths through Envoy. Exposing ### `spec.expose.checks` -Exposes all HTTP and gRPC checks registered with the agent if set to `true`. Envoy exposes listeners for the checks and only accepts connections originating from localhost or Consul's [`advertise_addr`](/consul/docs/agent/config/config-files#advertise_addr). The ports for the listeners are dynamically allocated from the agent's [`expose_min_port`](/consul/docs/agent/config/config-files#expose_min_port) and [`expose_max_port`](/consul/docs/agent/config/config-files#expose_max_port) configurations. +Exposes all HTTP and gRPC checks registered with the agent if set to `true`. Envoy exposes listeners for the checks and only accepts connections originating from localhost or Consul's [`advertise_addr`](/consul/docs/reference/agent#advertise_addr). The ports for the listeners are dynamically allocated from the agent's [`expose_min_port`](/consul/docs/reference/agent#expose_min_port) and [`expose_max_port`](/consul/docs/reference/agent#expose_max_port) configurations. We recommend enabling the `Checks` configuration when a Consul client cannot reach registered services over localhost, such as when Consul agents run in their own pods in Kubernetes. @@ -1511,7 +1511,7 @@ spec: -You can also set the global default protocol for all proxies in the [`proxy-defaults` configuration entry](/consul/docs/connect/config-entries/proxy-defaults#default-protocol), but the protocol specified for individual service instances in the `service-defaults` configuration entry takes precedence over the globally-configured value set in the `proxy-defaults`. +You can also set the global default protocol for all proxies in the [`proxy-defaults` configuration entry](/consul/docs/reference/config-entry/proxy-defaults#default-protocol), but the protocol specified for individual service instances in the `service-defaults` configuration entry takes precedence over the globally-configured value set in the `proxy-defaults`. ### Upstream configuration @@ -1695,7 +1695,7 @@ spec: The following examples creates a default destination assigned to a terminating gateway. A destination represents a location outside the Consul cluster. Services can dial destinations dialed directly when transparent proxy mode is enabled. -Proxy services must be in transparent proxy mode to configure destinations. Refer to [Enable transparent proxy mode](/consul/docs/k8s/connect/transparent-proxy/enable-transparent-proxy) for additional information. +Proxy services must be in transparent proxy mode to configure destinations. Refer to [Enable transparent proxy mode](/consul/docs/connect/proxy/transparent-proxy/enable) for additional information. diff --git a/website/content/docs/connect/config-entries/service-intentions.mdx b/website/content/docs/reference/config-entry/service-intentions.mdx similarity index 86% rename from website/content/docs/connect/config-entries/service-intentions.mdx rename to website/content/docs/reference/config-entry/service-intentions.mdx index 47d980f9a82..63e8feeecca 100644 --- a/website/content/docs/connect/config-entries/service-intentions.mdx +++ b/website/content/docs/reference/config-entry/service-intentions.mdx @@ -1,13 +1,13 @@ --- layout: docs -page_title: Service intentions configuration reference +page_title: Service intentions configuration entry reference description: >- - Use the service intentions configuration entry to allow or deny traffic to services in the mesh from specific sources. Learn how to configure `service-intention` config entries + Use the service intentions configuration entry to allow or deny traffic to services in the mesh from specific sources. Learn how to configure `service-intention` config entries. --- -# Service intentions configuration reference +# Service intentions configuration entry reference -This topic provides reference information for the service intentions configuration entry. Intentions are configurations for controlling access between services in the service mesh. A single service intentions configuration entry specifies one destination service and one or more L4 traffic sources, L7 traffic sources, or combination of traffic sources. Refer to [Service mesh intentions overview](/consul/docs/connect/intentions) for additional information. +This topic provides reference information for the service intentions configuration entry. Intentions are configurations for controlling access between services in the service mesh. A single service intentions configuration entry specifies one destination service and one or more L4 traffic sources, L7 traffic sources, or combination of traffic sources. Refer to [Service mesh intentions overview](/consul/docs/secure-mesh/intentions) for additional information. ## Configuration model @@ -48,9 +48,7 @@ The following outline shows how to format the service intentions configuration e - [`Exact`](#sources-permissions-http-header): string - [`Prefix`](#sources-permissions-http-header): string - [`Suffix`](#sources-permissions-http-header): string - - [`Contains`](#spec-sources-permissions-http-header): string - - [`Regex`](#spec-sources-permissions-http-header): string - - [`IgnoreCase`](#spec-sources-permissions-http-header): boolean | `false` + - [`Regex`](#sources-permissions-http-header): string - [`Invert`](#sources-permissions-http-header): boolean | `false` - [`Precedence`](#sources-precedence): number - [`Type`](#sources-type): string | `consul` @@ -98,9 +96,7 @@ The following outline shows how to format the service intentions configuration e - [`exact`](#spec-sources-permissions-http-header): string | no default - [`prefix`](#spec-sources-permissions-http-header): string | no default - [`suffix`](#spec-sources-permissions-http-header): string | no default - - [`contains`](#spec-sources-permissions-http-header): string | no default - [`regex`](#spec-sources-permissions-http-header): string | no default - - [`ignoreCase`](#spec-sources-permissions-http-header): boolean | `false` - [`invert`](#spec-sources-permissions-http-header): boolean | `false` - [`description`](#spec-sources-description): string @@ -160,31 +156,18 @@ Sources = [ { Name = "" # string Present = # boolean - Invert = # boolean }, { Name = "" # string Exact = "" # boolean - IgnoreCase = # boolean - Invert = # boolean }, { Name = "" # string Prefix = "" # string - IgnoreCase = # boolean - Invert = # boolean }, { Name = "" # string Suffix = "" # string - IgnoreCase = # boolean - Invert = # boolean - }, - { - Name = "" # string - Contains = "" # string - IgnoreCase = # boolean - Invert = # boolean }, { Name = "" # string @@ -244,23 +227,12 @@ spec: header: - name: present: true - invert: false - name: - exact: - ignoreCase: false - invert: false + exact: false - name: prefix: - ignoreCase: false - invert: false - name: suffix: - ignoreCase: false - invert: false - - name: - contains: - ignoreCase: false - invert: false - name: regex: invert: false @@ -315,32 +287,19 @@ spec: "Header":[ { "Name":"", - "Present":true, - "Invert":false - }, - { - "Name":"", - "Exact":"", - "IgnoreCase":false,, - "Invert":false + "Present":true }, { "Name":"", - "Prefix":"", - "IgnoreCase":false, - "Invert":false + "Exact":false }, { "Name":"", - "Suffix":"", - "IgnoreCase":false, - "Invert":false + "Prefix":"" }, { "Name":"", - "Contains":"", - "IgnoreCase":false, - "Invert":false + "Suffix":"" }, { "Name":"", @@ -399,7 +358,7 @@ You can also specify a wildcard character (`*`) to match all services without in ### `Namespace` -Specifies the [namespace](/consul/docs/enterprise/namespaces) that the configuration entry applies to. Services in the namespace are the traffic destinations that the intentions allow or deny traffic to. +Specifies the [namespace](/consul/docs/segment/namespace) that the configuration entry applies to. Services in the namespace are the traffic destinations that the intentions allow or deny traffic to. #### Values @@ -410,7 +369,7 @@ You can also specify a wildcard character (`*`) to match all namespaces. Intenti ### `Partition` -Specifies the [admin partition](/consul/docs/enterprise/admin-partitions) to apply the configuration entry. Services in the specified partition are the traffic destinations that the intentions allow or deny traffic to. +Specifies the [admin partition](/consul/docs/segment/admin-partition) to apply the configuration entry. Services in the specified partition are the traffic destinations that the intentions allow or deny traffic to. #### Values @@ -430,7 +389,7 @@ Specifies key-value pairs to add to the KV store when the configuration entry is ### `JWT` -Specifies a JSON Web Token provider configured in a [JWT provider configuration entry](/consul/docs/connect/config-entries/jwt-provider), as well as additional configurations for verifying a service's JWT before authorizing communication between services +Specifies a JSON Web Token provider configured in a [JWT provider configuration entry](/consul/docs/reference/config-entry/jwt-provider), as well as additional configurations for verifying a service's JWT before authorizing communication between services #### Values @@ -439,7 +398,7 @@ Specifies a JSON Web Token provider configured in a [JWT provider configuration ### `JWT{}.Providers` -Specifies the names of one or more previously configured [JWT provider configuration entries](/consul/docs/connect/config-entries/jwt-provider), which include the information necessary to validate a JSON web token. +Specifies the names of one or more previously configured [JWT provider configuration entry](/consul/docs/reference/config-entry/jwt-provider), which include the information necessary to validate a JSON web token. #### Values @@ -448,7 +407,7 @@ Specifies the names of one or more previously configured [JWT provider configura ### `JWT{}.Providers[].Name` -Specifies the name of a JWT provider defined in the `Name` field of the [`jwt-provider` configuration entry](/consul/docs/connect/config-entries/jwt-provider). You must write the JWT Provider to Consul before referencing it in a service intention. +Specifies the name of a JWT provider defined in the `Name` field of the [`jwt-provider` configuration entry](/consul/docs/reference/config-entry/jwt-provider). You must write the JWT Provider to Consul before referencing it in a service intention. #### Values @@ -478,7 +437,7 @@ Specifies the path to the claim in the JSON web token. For more information abou ### `JWT{}.Providers[].VerifyClaims.Value` -Specifies the value to match on when verifying the claim designated in [`JWT{}.Providers[].VerifyClaims[].Path`](#jwt-providers-verifyclaims-path). +Specifies the value to match on when verifying the the claim designated in [`JWT{}.Providers[].VerifyClaims[].Path`](#jwt-providers-verifyclaims-path). #### Values @@ -520,7 +479,7 @@ Specifies the name of the source that the intention allows or denies traffic fro ### `Sources[].Peer` -Specifies the name of a peered Consul cluster that the intention allows or denies traffic from. Refer to [Cluster peering overview](/consul/docs/connect/cluster-peering) for additional information about peers. +Specifies the name of a peered Consul cluster that the intention allows or denies traffic from. Refer to [Cluster peering overview](/consul/docs/east-west/cluster-peering) for additional information about peers. The `Peer` and `Partition` fields are mutually exclusive. @@ -540,7 +499,7 @@ Specifies the traffic source namespace that the intention allows or denies traff ### `Sources[].Partition` -Specifies the name of an admin partition that the intention allows or denies traffic from. Refer to [Admin Partitions](/consul/docs/enterprise/admin-partitions) for additional information about partitions. +Specifies the name of an admin partition that the intention allows or denies traffic from. Refer to [Admin Partitions](/consul/docs/segment/admin-partition) for additional information about partitions. The `Peer` and `Partition` fields are mutually exclusive. @@ -551,7 +510,7 @@ The `Peer` and `Partition` fields are mutually exclusive. ### `Sources[].SamenessGroup` -Specifies the name of a sameness group that the intention allows or denies traffic from. Refer to [create sameness groups](/consul/docs/connect/cluster-peering/usage/create-sameness-groups) for additional information. +Specifies the name of a sameness group that the intention allows or denies traffic from. Refer to [create sameness groups](/consul/docs/east-west/cluster-peering/usage/create-sameness-groups) for additional information. #### Values @@ -582,7 +541,7 @@ Specifies a list of permissions for L7 traffic sources. The list contains one or Consul applies permissions in the order specified in the configuration. Beginning at the top of the list, Consul applies the first matching request and stops evaluating against the remaining configurations. -For requests that do not match any of the defined permissions, Consul applies the intention behavior defined in the [`acl_default_policy`](/consul/docs/agent/config/config-files#acl_default_policy) configuration. +For requests that do not match any of the defined permissions, Consul applies the intention behavior defined in the [`acl_default_policy`](/consul/docs/reference/agent#acl_default_policy) configuration. Do not configure this field for L4 intentions. Use the [`Sources.Action`](#sources-action) parameter instead. @@ -650,14 +609,12 @@ Each member of the `Header` list is a map that contains a `Name` field and at le | `Exact` | Specifies a value for the header key set in the `Name` field. If the request header value matches the `Exact` value, Consul applies the permission. Do not specify `Exact` if `Present`, `Prefix`, `Suffix`, or `Regex` are configured in the same `Header` configuration. | string | optional | | `Prefix` | Specifies a prefix value for the header key set in the `Name` field. If the request header value starts with the `Prefix` value, Consul applies the permission. Do not specify `Prefix` if `Present`, `Exact`, `Suffix`, or `Regex` are configured in the same `Header` configuration. | string | optional | | `Suffix` | Specifies a suffix value for the header key set in the `Name` field. If the request header value ends with the `Suffix` value, Consul applies the permission. Do not specify `Suffix` if `Present`, `Exact`, `Prefix`, or `Regex` are configured in the same `Header` configuration. | string | optional | -| `Contains` | Specifies a contains value for the header key set in the `Name` field. If the request header value includes the `Contains` value, Consul applies the permission. Do not specify `Contains` if `Present`, `Exact`, `Prefix`, `Suffix`, or `Regex` are configured in the same `header` configuration. | string | optional | -| `Regex` | Specifies a regular expression pattern as the value for the header key set in the `Name` field. If the request header value matches the regex, Consul applies the permission. Do not specify `Regex` if `Present`, `Exact`, `Prefix`, `Suffix`, or `Contains` are configured in the same `Header` configuration. The regex syntax is proxy-specific. If using Envoy, refer to the [re2 documentation](https://github.com/google/re2/wiki/Syntax) for details. | string | optional | -| `IgnoreCase` | Ignores the case of the provided header value when matching with `Exact`, `Prefix`, `Suffix`, or `Contains`. Default is `false`. | boolean | optional | +| `Regex` | Specifies a regular expression pattern as the value for the header key set in the `Name` field. If the request header value matches the regex, Consul applies the permission. Do not specify `Regex` if `Present`, `Exact`, `Prefix`, or `Suffix` are configured in the same `Header` configuration. The regex syntax is proxy-specific. If using Envoy, refer to the [re2 documentation](https://github.com/google/re2/wiki/Syntax) for details. | string | optional | | `Invert` | Inverts the matching logic configured in the `Header`. Default is `false`. | boolean | optional | ### `Sources[].Precedence` -The `Precedence` field contains a read-only integer. Consul generates the value based on name configurations for the source and destination services. Refer to [Precedence and matching order](/consul/docs/connect/intentions/create-manage-intentions#precedence-and-matching-order) for additional information. +The `Precedence` field contains a read-only integer. Consul generates the value based on name configurations for the source and destination services. Refer to [Precedence and matching order](/consul/docs/secure-mesh/intentions/create#precedence-and-matching-order) for additional information. ### `Sources[].Type` @@ -740,7 +697,7 @@ Specifies an arbitrary name for the configuration entry. Note that in other conf ### `metadata.namespace` -Specifies the [namespace](/consul/docs/enterprise/namespaces) that the configuration entry applies to. Refer to [Consul Enterprise](/consul/docs/k8s/crds#consul-enterprise) for information about how Consul namespaces map to Kubernetes Namespaces. Consul Community Edition (Consul CE) ignores the `metadata.namespace` configuration. +Specifies the [namespace](/consul/docs/segment/namespace) that the configuration entry applies to. Refer to [Consul Enterprise](/consul/docs/k8s/crds#consul-enterprise) for information about how Consul namespaces map to Kubernetes Namespaces. Consul Community Edition (Consul CE) ignores the `metadata.namespace` configuration. #### Values @@ -780,7 +737,7 @@ You can also specify a wildcard character (`*`) to match all services that are m ### `spec.jwt` -Specifies a JSON Web Token provider configured in a [JWT provider configuration entry](/consul/docs/connect/config-entries/jwt-provider), as well as additional configurations for verifying a service's JWT before authorizing communication between services +Specifies a JSON Web Token provider configured in a [JWT provider configuration entry](/consul/docs/reference/config-entry/jwt-provider), as well as additional configurations for verifying a service's JWT before authorizing communication between services #### Values @@ -789,7 +746,7 @@ Specifies a JSON Web Token provider configured in a [JWT provider configuration ### `spec.jwt.providers` -Specifies the names of one or more previously configured [JWT provider configuration entries](/consul/docs/connect/config-entries/jwt-provider), which include the information necessary to validate a JSON web token. +Specifies the names of one or more previously configured [JWT provider configuration entries](/consul/docs/reference/config-entry/jwt-provider), which include the information necessary to validate a JSON web token. #### Values @@ -798,7 +755,7 @@ Specifies the names of one or more previously configured [JWT provider configura ### `spec.jwt.providers[].name` -Specifies the name of a JWT provider defined in the `metadata.name` field of the [JWT provider configuration entry](/consul/docs/connect/config-entries/jwt-provider). You must write the JWT Provider to Consul before referencing it in a service intention. +Specifies the name of a JWT provider defined in the `metadata.name` field of the [JWT provider configuration entry](/consul/docs/reference/config-entry/jwt-provider). You must write the JWT Provider to Consul before referencing it in a service intention. #### Values @@ -828,7 +785,7 @@ Specifies the path to the claim in the JSON web token. For more information abou ### `spec.jwt.providers[].verifyClaims[].value` -Specifies the value to match on when verifying the claim designated in [`JWT{}.Providers[].VerifyClaims[].Path`](#jwt-providers-verifyclaims-path). +Specifies the value to match on when verifying the the claim designated in [`JWT{}.Providers[].VerifyClaims[].Path`](#jwt-providers-verifyclaims-path). #### Values @@ -865,7 +822,7 @@ Specifies the name of the source that the intention allows or denies traffic fro ### `spec.sources[].peer` -Specifies the name of a peered Consul cluster that the intention allows or denies traffic from. Refer to [Cluster peering overview](/consul/docs/connect/cluster-peering) for additional information about peers. The `peer` and `partition` fields are mutually exclusive. +Specifies the name of a peered Consul cluster that the intention allows or denies traffic from. Refer to [Cluster peering overview](/consul/docs/east-west/cluster-peering) for additional information about peers. The `peer` and `partition` fields are mutually exclusive. #### Values - Default: None @@ -882,7 +839,7 @@ Specifies the traffic source namespace that the intention allows or denies traff ### `spec.sources[].partition` -Specifies the name of an admin partition that the intention allows or denies traffic from. Refer to [Admin Partitions](/consul/docs/enterprise/admin-partitions) for additional information about partitions. The `peer` and `partition` fields are mutually exclusive. +Specifies the name of an admin partition that the intention allows or denies traffic from. Refer to [Admin Partitions](/consul/docs/segment/admin-partition) for additional information about partitions. The `peer` and `partition` fields are mutually exclusive. #### Values @@ -891,7 +848,7 @@ Specifies the name of an admin partition that the intention allows or denies tra ### `spec.sources[].samenessGroup` -Specifies the name of a sameness group that the intention allows or denies traffic from. Refer to [create sameness groups](/consul/docs/k8s/connect/cluster-peering/usage/create-sameness-groups) for additional information. +Specifies the name of a sameness group that the intention allows or denies traffic from. Refer to [create sameness groups](/consul/docs/east-west/sameness-group) for additional information. #### Values @@ -914,7 +871,7 @@ Specifies a list of permissions for L7 traffic sources. The list contains one or Consul applies permissions in the order specified in the configuration. Starting at the beginning of the list, Consul applies the first matching request and stops evaluating against the remaining configurations. -For requests that do not match any of the defined permissions, Consul applies the intention behavior defined in the [`acl_default_policy`](/consul/docs/agent/config/config-files#acl_default_policy) configuration. +For requests that do not match any of the defined permissions, Consul applies the intention behavior defined in the [`acl_default_policy`](/consul/docs/reference/agent#acl_default_policy) configuration. Do not configure this field for L4 intentions. Use the [`spec.sources.action`](#sources-action) parameter instead. @@ -966,22 +923,16 @@ Specifies a set of criteria for matching HTTP request headers. The request heade - Default: None - Data type: List of maps -Each member of the `header` list is a map that contains a `name` field and at least one match criterion. - -~> **Warning**: If it is possible for a header to contain multiple values, we recommend using `contains` or `regex` rather than `exact`, `prefix`, or `suffix`. Envoy internally concatenates multiple header values into a single CSV value prior to applying match rules, which may result in match rules that depend on the beginning or end of a string vulnerable to circumvention. A more robust alternative is using `contains` or, if a stricter value match is required, configuring a regex pattern that is tolerant of comma-separated values. These options are available as of Consul CE 1.20.1 and Consul Enterprise 1.20.1, 1.19.2, 1.18.3, and 1.15.15. - -The following table describes the parameters that each member of the `header` list may contain: +Each member of the `header` list is a map that contains a `name` field and at least one match criterion. The following table describes the parameters that each member of the `header` list may contain: | Parameter | Description | Data type | Required | | --- | --- | --- | --- | | `name` | Specifies the name of the header to match. | string | required | -| `present` | Enables a match if the header configured in the `name` field appears in the request. Consul matches on any value as long as the header key appears in the request. Do not specify `present` if `exact`, `prefix`, `suffix`, `contains`, or `regex` are configured in the same `header` configuration. | boolean | optional | -| `Exact` | Specifies a value for the header key set in the `Name` field. If the request header value matches the `exact` value, Consul applies the permission. Do not specify `exact` if `present`, `prefix`, `suffix`, `contains`, or `regex` are configured in the same `header` configuration. | string | optional | -| `prefix` | Specifies a prefix value for the header key set in the `name` field. If the request header value starts with the `prefix` value, Consul applies the permission. Do not specify `prefix` if `present`, `exact`, `suffix`, `contains`, or `regex` are configured in the same `header` configuration. | string | optional | -| `suffix` | Specifies a suffix value for the header key set in the `name` field. If the request header value ends with the `suffix` value, Consul applies the permission. Do not specify `suffix` if `present`, `exact`, `prefix`, `contains`, or `regex` are configured in the same `header` configuration. | string | optional | -| `contains` | Specifies a contains value for the header key set in the `name` field. If the request header value includes the `contains` value, Consul applies the permission. Do not specify `contains` if `present`, `exact`, `prefix`, `suffix`, or `regex` are configured in the same `header` configuration. | string | optional | -| `regex` | Specifies a regular expression pattern as the value for the header key set in the `name` field. If the request header value matches the regex, Consul applies the permission. Do not specify `regex` if `present`, `exact`, `prefix`, `suffix`, or `contains` are configured in the same `header` configuration. The regex syntax is proxy-specific. If using Envoy, refer to the [re2 documentation](https://github.com/google/re2/wiki/Syntax) for details. | string | optional | -| `ignoreCase` | Ignores the case of the provided header value when matching with exact, prefix, suffix, or contains. Default is `false`. | boolean | optional | +| `present` | Enables a match if the header configured in the `name` field appears in the request. Consul matches on any value as long as the header key appears in the request. Do not specify `present` if `exact`, `prefix`, `suffix`, or `regex` are configured in the same `header` configuration. | boolean | optional | +| `Exact` | Specifies a value for the header key set in the `Name` field. If the request header value matches the `exact` value, Consul applies the permission. Do not specify `exact` if `present`, `prefix`, `suffix`, or `regex` are configured in the same `header` configuration. | string | optional | +| `prefix` | Specifies a prefix value for the header key set in the `name` field. If the request header value starts with the `prefix` value, Consul applies the permission. Do not specify `prefix` if `present`, `exact`, `suffix`, or `regex` are configured in the same `header` configuration. | string | optional | +| `suffix` | Specifies a suffix value for the header key set in the `name` field. If the request header value ends with the `suffix` value, Consul applies the permission. Do not specify `suffix` if `present`, `exact`, `prefix`, or `regex` are configured in the same `header` configuration. | string | optional | +| `regex` | Specifies a regular expression pattern as the value for the header key set in the `name` field. If the request header value matches the regex, Consul applies the permission. Do not specify `regex` if `present`, `exact`, `prefix`, or `suffix` are configured in the same `header` configuration. The regex syntax is proxy-specific. If using Envoy, refer to the [re2 documentation](https://github.com/google/re2/wiki/Syntax) for details. | string | optional | | `invert` | Inverts the matching logic configured in the `header`. Default is `false`. | boolean | optional | ### `spec.sources[].type` diff --git a/website/content/docs/connect/config-entries/service-resolver.mdx b/website/content/docs/reference/config-entry/service-resolver.mdx similarity index 96% rename from website/content/docs/connect/config-entries/service-resolver.mdx rename to website/content/docs/reference/config-entry/service-resolver.mdx index bce568514d6..73cd9391b15 100644 --- a/website/content/docs/connect/config-entries/service-resolver.mdx +++ b/website/content/docs/reference/config-entry/service-resolver.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Service Resolver configuration reference +page_title: Service resolver configuration entry reference description: >- Service resolver configuration entries are L7 traffic management tools for defining sets of service instances that resolve upstream requests and Consul’s behavior when resolving them. Learn how to write `service-resolver` config entries in HCL or YAML with a specification reference, configuration model, a complete example, and example code by use case. --- -# Service resolver configuration reference +# Service resolver configuration entry reference This page provides reference information for service resolver configuration entries. Configure and apply service resolvers to create named subsets of service instances and define their behavior when satisfying upstream requests. @@ -399,7 +399,7 @@ Specifies a name for the configuration entry. The name is metadata that you can ### `Namespace` -Specifies the namespace that the service resolver applies to. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information. +Specifies the namespace that the service resolver applies to. Refer to [namespaces](/consul/docs/segment/namespace) for more information. #### Values @@ -408,7 +408,7 @@ Specifies the namespace that the service resolver applies to. Refer to [namespac ### `Partition` -Specifies the admin partition that the service resolver applies to. Refer to [admin partitions](/consul/docs/enterprise/admin-partitions) for more information. +Specifies the admin partition that the service resolver applies to. Refer to [admin partitions](/consul/docs/segment/admin-partition) for more information. #### Values @@ -543,7 +543,7 @@ Specifies the datacenter at the redirect’s destination that resolves local ups ### `Redirect{}.Peer` -Specifies the cluster with an active cluster peering connection at the redirect’s destination that resolves local upstream requests. Requires separately defined service intentions that [authorize services for peers](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering#authorize-services-for-peers). When Consul runs a health check before resolving requests from the peer, it does not apply health checks that were defined on the peer and exported to the local cluster through the exported services configuration entry. +Specifies the cluster with an active cluster peering connection at the redirect’s destination that resolves local upstream requests. Requires separately defined service intentions that [authorize services for peers](/consul/docs/east-west/cluster-peering/establish-connection/vm#authorize-services-for-peers). When Consul runs a health check before resolving requests from the peer, it does not apply health checks that were defined on the peer and exported to the local cluster through the exported services configuration entry. #### Values @@ -689,7 +689,7 @@ Specifies the WAN federated datacenter to use for the failover target. If empty, ### `Failover{}.Targets[].Peer` -Specifies the destination cluster peer to resolve the target service name from. [Intentions](/consul/docs/connect/cluster-peering/create-manage-peering#authorize-services-for-peers) must be defined on the peered cluster so that the source service can access this failover target service as an upstream. When the peer name is specified, Consul uses Envoy's outlier detection to determine the health of the failover target based on whether services can communicate with the failover target. Consul ignores service health checks imported from a peer for failover targets because the checks do not account for service routers, splitters, and resolvers that may be defined in the peer for the target service. +Specifies the destination cluster peer to resolve the target service name from. [Intentions](/consul/docs/east-west/cluster-peering/create-manage-peering#authorize-services-for-peers) must be defined on the peered cluster so that the source service can access this failover target service as an upstream. When the peer name is specified, Consul uses Envoy's outlier detection to determine the health of the failover target based on whether services can communicate with the failover target. Consul ignores service health checks imported from a peer for failover targets because the checks do not account for service routers, splitters, and resolvers that may be defined in the peer for the target service. #### Values @@ -881,7 +881,7 @@ Specifies a name for the configuration entry. The name is metadata that you can ### `metadata.namespace` -Specifies the namespace that the service resolver applies to. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information. +Specifies the namespace that the service resolver applies to. Refer to [namespaces](/consul/docs/segment/namespace) for more information. #### Values @@ -1016,7 +1016,7 @@ Specifies the datacenter at the redirect’s destination that resolves local ups ### `spec.redirect.peer` -Specifies the cluster with an active cluster peering connection at the redirect’s destination that resolves local upstream requests. Requires separately defined service intentions that [authorize services for peers](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering#authorize-services-for-peers). When Consul runs a health check before resolving requests from the peer, it does not apply health checks that were defined on the peer and exported to the local cluster through the exported services configuration entry. +Specifies the cluster with an active cluster peering connection at the redirect’s destination that resolves local upstream requests. Requires separately defined service intentions that [authorize services for peers](/consul/docs/east-west/cluster-peering/establish-connection/vm#authorize-services-for-peers). When Consul runs a health check before resolving requests from the peer, it does not apply health checks that were defined on the peer and exported to the local cluster through the exported services configuration entry. #### Values @@ -1113,7 +1113,7 @@ For examples, refer to the [failover example configurations](#service-failover). - [`namespace`](#spec-failover-targets-namespace) - [`partition`](#spec-failover-targets-partition) - [`datacenter`](#spec-failover-targets-datacenter) - - [`peer`](#spec-failover-targets-peer) + - [`peer](#spec-failover-targets-peer) ### `spec.failover.targets.service` @@ -1162,7 +1162,7 @@ Specifies the WAN federated datacenter to use for the failover target. If empty, ### `spec.failover.targets.peer` -Specifies the destination cluster peer to resolve the target service name from. [Intentions](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#authorize-services-for-peers) must be defined on the peered cluster so that the source service can access this failover target service as an upstream. When the peer name is specified, Consul uses Envoy's outlier detection to determine the health of the failover target based on whether services can communicate with the failover target. Consul ignores service health checks imported from a peer for failover targets because the checks do not account for service routers, splitters, and resolvers that may be defined in the peer for the target service. +Specifies the destination cluster peer to resolve the target service name from. [Intentions](/consul/docs/east-west/cluster-peering/establish-connection/k8s#authorize-services-for-peers) must be defined on the peered cluster so that the source service can access this failover target service as an upstream. When the peer name is specified, Consul uses Envoy's outlier detection to determine the health of the failover target based on whether services can communicate with the failover target. Consul ignores service health checks imported from a peer for failover targets because the checks do not account for service routers, splitters, and resolvers that may be defined in the peer for the target service. #### Values diff --git a/website/content/docs/connect/config-entries/service-router.mdx b/website/content/docs/reference/config-entry/service-router.mdx similarity index 96% rename from website/content/docs/connect/config-entries/service-router.mdx rename to website/content/docs/reference/config-entry/service-router.mdx index d384b83be39..8c8d02bc706 100644 --- a/website/content/docs/connect/config-entries/service-router.mdx +++ b/website/content/docs/reference/config-entry/service-router.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Service Router configuration reference +page_title: Service router configuration entry reference description: >- Service router configuration entries are L7 traffic management tools for redirecting requests for a service to a particular instance or set of instances. Learn how to write `service-router` config entries in HCL or YAML with a specification reference, configuration model, a complete example, and example code by use case. --- -# Service router configuration reference +# Service router configuration entry reference This page provides reference information for service router configuration entries. Service routers use L7 network information to redirect a traffic request for a service to one or more specific service instances. @@ -30,7 +30,6 @@ The following list outlines field hierarchy, language-specific data types, and r - [`PathExact`](#routes-match-http-pathexact): string - [`PathPrefix`](#routes-match-http-pathprefix): string - [`PathRegex`](#routes-match-http-pathregex): string - - [`CaseInsensitive`](#routes-match-http-caseinsensitive): boolean | `false` - [`Methods`](#routes-match-http-methods): list - [`Header`](#routes-match-http-header): list - [`Name`](#routes-match-http-header-name): string @@ -373,7 +372,7 @@ Specifies a name for the configuration entry. The name is metadata that you can ### `Namespace` -Specifies the namespace to apply the configuration entry to. Refer to [Namespaces](/consul/docs/enterprise/namespaces) for additional information about Consul namespaces. +Specifies the namespace to apply the configuration entry to. Refer to [Namespaces](/consul/docs/segment/namespace) for additional information about Consul namespaces. #### Values @@ -382,7 +381,7 @@ Specifies the namespace to apply the configuration entry to. Refer to [Namespace ### `Partition` -Specifies the admin partition to apply the configuration entry to. Refer to [Admin partitions](/consul/docs/enterprise/admin-partitions) for additional information. +Specifies the admin partition to apply the configuration entry to. Refer to [Admin partitions](/consul/docs/segment/admin-partition) for additional information. #### Values @@ -457,18 +456,9 @@ Specifies the path prefix to match on the HTTP request path. When using this fie - Default: None - Data type: String -### `Routes[].Match{}.HTTP{}.CaseInsensitive` - -Specifies the path prefix to match on the HTTP request path must be case insensitive or not. - -#### Values - -- Default: `false` -- Data type: Boolean - ### `Routes[].Match{}.HTTP{}.PathRegex` -Specifies a regular expression to match on the HTTP request path. When using this field, do not configure `PathExact` or `PathPrefix` in the same HTTP map. The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/connect/proxies/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. +Specifies a regular expression to match on the HTTP request path. When using this field, do not configure `PathExact` or `PathPrefix` in the same HTTP map. The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/reference/proxy/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. #### Values @@ -561,7 +551,7 @@ Specifies that a request matches when the header with the given name has this su ### `Routes[].Match{}.HTTP{}.Header[].Regex` -Specifies that a request matches when the header with the given name matches this regular expression. When using this field, do not configure `Present`, `Exact`, `Prefix`, or `Suffix` in the same HTTP map . The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/connect/proxies/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. +Specifies that a request matches when the header with the given name matches this regular expression. When using this field, do not configure `Present`, `Exact`, `Prefix`, or `Suffix` in the same HTTP map . The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/reference/proxy/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. #### Values @@ -622,7 +612,7 @@ Specifies that a request matches when the query parameter with the given name is ### `Routes[].Match{}.HTTP{}.QueryParam[].Regex` -Specifies that a request matches when the query parameter with the given name matches this regular expression. When using this field, do not configure `Present` or `Exact` in the same map. The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/connect/proxies/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. +Specifies that a request matches when the query parameter with the given name matches this regular expression. When using this field, do not configure `Present` or `Exact` in the same map. The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/reference/proxy/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. #### Values @@ -663,7 +653,7 @@ Specifies the name of the service to resolve. If this parameter is not specified ### `Routes[].Destination{}.ServiceSubset` -Specifies a named subset of the given service to resolve instead of the one defined as that service's `DefaultSubset` in the [service resolver configuration entry](/consul/docs/connect/config-entries/service-resolver). If this parameter is not specified, the default subset is used. +Specifies a named subset of the given service to resolve instead of the one defined as that service's `DefaultSubset` in the [service resolver configuration entry](/consul/docs/reference/config-entry/service-resolver). If this parameter is not specified, the default subset is used. #### Values @@ -945,7 +935,7 @@ Specifies the path prefix to match on the HTTP request path. When using this fie ### `spec.routes[].match.http.pathRegex` -Specifies a regular expression to match on the HTTP request path. When using this field, do not configure `pathExact` or `pathPrefix` in the same HTTP map. The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/connect/proxies/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. +Specifies a regular expression to match on the HTTP request path. When using this field, do not configure `pathExact` or `pathPrefix` in the same HTTP map. The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/reference/proxy/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. #### Values @@ -1038,7 +1028,7 @@ Specifies that a request matches when the header with the given name has this su ### `spec.routes[].match.http.header.regex` -Specifies that a request matches when the header with the given name matches this regular expression. When using this field, do not configure `present`, `exact`, `prefix`, or `suffix` in the same HTTP map . The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/connect/proxies/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. +Specifies that a request matches when the header with the given name matches this regular expression. When using this field, do not configure `present`, `exact`, `prefix`, or `suffix` in the same HTTP map . The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/reference/proxy/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. #### Values @@ -1098,7 +1088,7 @@ Specifies that a request matches when the query parameter with the given name is ### `spec.routes[].match.http.queryParam[].regex` -Specifies that a request matches when the query parameter with the given name matches this regular expression. When using this field, do not configure `present` or `exact` in the same map. The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/connect/proxies/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. +Specifies that a request matches when the query parameter with the given name matches this regular expression. When using this field, do not configure `present` or `exact` in the same map. The syntax for the regular expression field is proxy-specific. When [using Envoy](/consul/docs/reference/proxy/envoy), refer to [the documentation for Envoy v1.11.2 or newer](https://github.com/google/re2/wiki/Syntax) or [the documentation for Envoy v1.11.1 or older](https://en.cppreference.com/w/cpp/regex/ecmascript), depending on the version of Envoy you use. #### Values @@ -1139,7 +1129,7 @@ Specifies the name of the service to resolve. If this parameter is not specified ### `spec.routes[].destination.serviceSubset` -Specifies a named subset of the given service to resolve instead of the one defined as that service's `defaultSubset` in the [service resolver configuration entry](/consul/docs/connect/config-entries/service-resolver). If this parameter is not specified, the default subset is used. +Specifies a named subset of the given service to resolve instead of the one defined as that service's `defaultSubset` in the [service resolver configuration entry](/consul/docs/reference/config-entry/service-resolver). If this parameter is not specified, the default subset is used. #### Values @@ -1382,78 +1372,6 @@ spec: -### Path prefix matching with case insensitive - -The following example routes HTTP requests for the `web` service to a service named `admin` when they have `/admin` or `/Admin` at the start of their path. - - - - -```hcl -Kind = "service-router" -Name = "web" -Routes = [ - { - Match { - HTTP { - PathPrefix = "/Admin" - CaseInsensitive = true - } - } - - Destination { - Service = "admin" - } - }, -] -``` - - - - - -```yaml -apiVersion: consul.hashicorp.com/v1alpha1 -kind: ServiceRouter -metadata: - name: web -spec: - routes: - - match: - http: - pathPrefix: /Admin - caseInsensitive: true - destination: - service: admin -``` - - - - - -```json -{ - "Kind": "service-router", - "Name": "web", - "Routes": [ - { - "Match": { - "HTTP": { - "PathPrefix": "/Admin", - "CaseInsensitive": true - } - }, - "Destination": { - "Service": "admin" - } - } - ] -} -``` - - - - ### Match a header and query parameter The following example routes HTTP traffic to the `web` service to a subset of `canary` instances when the requests have `x-debug` in either the header or the URL parameter. diff --git a/website/content/docs/connect/config-entries/service-splitter.mdx b/website/content/docs/reference/config-entry/service-splitter.mdx similarity index 96% rename from website/content/docs/connect/config-entries/service-splitter.mdx rename to website/content/docs/reference/config-entry/service-splitter.mdx index f7247be924c..3a9943ea73e 100644 --- a/website/content/docs/connect/config-entries/service-splitter.mdx +++ b/website/content/docs/reference/config-entry/service-splitter.mdx @@ -1,13 +1,13 @@ --- layout: docs -page_title: Service Splitter configuration reference -description: >- +page_title: Service splitter configuration entry reference +description: >- Service splitter configuration entries are L7 traffic management tools for redirecting requests for a service to multiple instances. Learn how to write `service-splitter` config entries in HCL or YAML with a specification reference, configuration model, a complete example, and example code by use case. --- -# Service Splitter configuration reference +# Service splitter configuration entry reference This reference page describes the structure and contents of service splitter configuration entries. Configure and apply service splitters to redirect a percentage of incoming traffic requests for a service to one or more specific service instances. @@ -244,7 +244,7 @@ Specifies a name for the configuration entry. The name is metadata that you can ### `Namespace` -Specifies the [namespace](/consul/docs/enterprise/namespaces) to apply the configuration entry. +Specifies the [namespace](/consul/docs/segment/namespace) to apply the configuration entry. #### Values @@ -253,7 +253,7 @@ Specifies the [namespace](/consul/docs/enterprise/namespaces) to apply the confi ### `Partition` -Specifies the [admin partition](/consul/docs/enterprise/admin-partitions) to apply the configuration entry. +Specifies the [admin partition](/consul/docs/segment/admin-partition) to apply the configuration entry. #### Values @@ -311,7 +311,7 @@ Specifies the name of the service to resolve. Specifies a subset of the service to resolve. A service subset assigns a name to a specific subset of discoverable service instances within a datacenter, such as `version2` or `canary`. All services have an unnamed default subset that returns all healthy instances. -You can define service subsets in a [service resolver configuration entry](/consul/docs/connect/config-entries/service-resolver), which are referenced by their names throughout the other configuration entries. This field overrides the default subset value in the service resolver configuration entry. +You can define service subsets in a [service resolver configuration entry](/consul/docs/reference/config-entry/service-resolver), which are referenced by their names throughout the other configuration entries. This field overrides the default subset value in the service resolver configuration entry. #### Values @@ -320,7 +320,7 @@ You can define service subsets in a [service resolver configuration entry](/cons ### `Splits[].Namespace` -Specifies the [namespace](/consul/docs/enterprise/namespaces) to use in the FQDN when resolving the service. +Specifies the [namespace](/consul/docs/segment/namespace) to use in the FQDN when resolving the service. #### Values @@ -329,7 +329,7 @@ Specifies the [namespace](/consul/docs/enterprise/namespaces) to use in the FQDN ### `Splits[].Partition` -Specifies the [admin partition](/consul/docs/enterprise/admin-partitions) to use in the FQDN when resolving the service. +Specifies the [admin partition](/consul/docs/segment/admin-partition) to use in the FQDN when resolving the service. #### Values @@ -491,7 +491,7 @@ Specifies a subset of the service to resolve. This field overrides the `DefaultS ### `spec.splits[].namespace` -Specifies the [namespace](/consul/docs/enterprise/namespaces) to use when resolving the service. +Specifies the [namespace](/consul/docs/segment/namespace) to use when resolving the service. #### Values @@ -500,7 +500,7 @@ Specifies the [namespace](/consul/docs/enterprise/namespaces) to use when resolv ### `spec.splits[].partition` -Specifies which [admin partition](/consul/docs/enterprise/admin-partitions) to use in the FQDN when resolving the service. +Specifies which [admin partition](/consul/docs/segment/admin-partition) to use in the FQDN when resolving the service. #### Values diff --git a/website/content/docs/connect/config-entries/tcp-route.mdx b/website/content/docs/reference/config-entry/tcp-route.mdx similarity index 83% rename from website/content/docs/connect/config-entries/tcp-route.mdx rename to website/content/docs/reference/config-entry/tcp-route.mdx index e7eda8c1ccb..4332f95c3d5 100644 --- a/website/content/docs/connect/config-entries/tcp-route.mdx +++ b/website/content/docs/reference/config-entry/tcp-route.mdx @@ -1,13 +1,14 @@ --- layout: docs -page_title: TCP Route configuration reference -description: Learn how to configure a TCP Route that is bound to an API gateway on VMs. +page_title: TCP route configuration entry reference +description: >- + Learn how to configure a TCP Route that is bound to an API gateway on VMs. --- -# TCP route configuration reference +# TCP route configuration entry reference This topic provides reference information for the gateway TCP routes configuration -entry. Refer to [Route Resource Configuration](/consul/docs/connect/gateways/api-gateway/configuration/routes) for information +entry. Refer to [Route Resource Configuration](/consul/docs/reference/k8s/api-gateway/routes) for information about configuring API gateways in Kubernetes environments. ## Configuration model @@ -128,7 +129,7 @@ such as applying a configuration entry to a specific cluster. ### `Namespace` -Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to apply to the configuration entry. +Specifies the Enterprise [namespace](/consul/docs/segment/namespace) to apply to the configuration entry. #### Values @@ -137,7 +138,7 @@ Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to appl ### `Partition` -Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) to apply to the configuration entry. +Specifies the Enterprise [admin partition](/consul/docs/segment/admin-partition) to apply to the configuration entry. #### Values @@ -177,7 +178,7 @@ Specifies the list of TCP-based services to route to. You can specify a maximum ### `Services.Namespace` -Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) where the service is located. +Specifies the Enterprise [namespace](/consul/docs/segment/namespace) where the service is located. #### Values @@ -186,7 +187,7 @@ Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) where t ### `Services.Partition` -Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) where the service is located. +Specifies the Enterprise [admin partition](/consul/docs/segment/admin-partition) where the service is located. #### Values @@ -230,7 +231,7 @@ Specifies the name of the API gateway to bind to. ### `Parents.Namespace` -Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) where the parent is located. +Specifies the Enterprise [namespace](/consul/docs/segment/namespace) where the parent is located. #### Values @@ -239,7 +240,7 @@ Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) where t ### `Parents.Partition` -Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) where the parent is located. +Specifies the Enterprise [admin partition](/consul/docs/segment/admin-partition) where the parent is located. #### Values @@ -248,7 +249,7 @@ Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partiti ### `Parents.SectionName` -Specifies the name of the listener defined in the [`api-gateway` configuration](/consul/docs/connect/gateways/api-gateway/configuration/api-gateway) that the route binds to. If the field is configured to an empty string, the route binds to all listeners on the parent gateway. +Specifies the name of the listener defined in the [`api-gateway` configuration](/consul/docs/reference/config-entry/api-gateway) that the route binds to. If the field is configured to an empty string, the route binds to all listeners on the parent gateway. #### Values diff --git a/website/content/docs/connect/config-entries/terminating-gateway.mdx b/website/content/docs/reference/config-entry/terminating-gateway.mdx similarity index 88% rename from website/content/docs/connect/config-entries/terminating-gateway.mdx rename to website/content/docs/reference/config-entry/terminating-gateway.mdx index 4512cf1a814..bca4725893f 100644 --- a/website/content/docs/connect/config-entries/terminating-gateway.mdx +++ b/website/content/docs/reference/config-entry/terminating-gateway.mdx @@ -1,34 +1,42 @@ --- layout: docs -page_title: Terminating Gateway - Configuration Entry Reference +page_title: Terminating gateway configuration entry reference description: >- - The terminating gateway configuration entry kind defines behavior to secure outgoing communication between the service mesh and non-mesh services. Use the reference guide to learn about `""terminating-gateway""` config entry parameters and connecting from your service mesh to external or non-mesh services registered with Consul. + The terminating gateway configuration entry kind defines behavior to secure outgoing communication between the service mesh and non-mesh services. Use the reference guide to learn about `terminating-gateway` config entry parameters and connecting from your service mesh to external or non-mesh services registered with Consul. --- -# Terminating Gateway Configuration Entry +# Terminating gateway configuration entry reference The `terminating-gateway` config entry kind (`TerminatingGateway` on Kubernetes) allows you to configure terminating gateways to proxy traffic from services in the Consul service mesh to services registered with Consul that do not have a -[service mesh sidecar proxy](/consul/docs/connect/proxies). The configuration is associated with the name of a gateway service +[service mesh sidecar proxy](/consul/docs/connect/proxy). The configuration is associated with the name of a gateway service and will apply to all instances of the gateway with that name. -~> [Configuration entries](/consul/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies + + +[Configuration entries](/consul/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies across all federated Consul datacenters. If terminating gateways in different Consul datacenters need to route to different sets of services within their datacenter then the terminating gateways **must** be registered with different names. -See [Terminating Gateway](/consul/docs/connect/gateways/terminating-gateway) for more information. + + +Refer to [Terminating Gateway](/consul/docs/connect/gateways/terminating-gateway) for more information. ## TLS Origination -By specifying a path to a [CA file](/consul/docs/connect/config-entries/terminating-gateway#cafile) connections +By specifying a path to a [CA file](/consul/docs/reference/config-entry/terminating-gateway#cafile) connections from the terminating gateway will be encrypted using one-way TLS authentication. If a path to a -[client certificate](/consul/docs/connect/config-entries/terminating-gateway#certfile) -and [private key](/consul/docs/connect/config-entries/terminating-gateway#keyfile) are also specified connections +[client certificate](/consul/docs/reference/config-entry/terminating-gateway#certfile) +and [private key](/consul/docs/reference/config-entry/terminating-gateway#keyfile) are also specified connections from the terminating gateway will be encrypted using mutual TLS authentication. -~> Setting the `SNI` field is strongly recommended when enabling TLS to a service. If this field is not set, + + +Setting the `SNI` field is strongly recommended when enabling TLS to a service. If this field is not set, Consul will not attempt to verify the Subject Alternative Name fields in the service's certificate. + + If none of these are provided, Consul will **only** encrypt connections to the gateway and not from the gateway to the destination service. @@ -149,9 +157,11 @@ spec: Link gateway named "us-west-gateway" with the billing service, and specify a CA file to be used for one-way TLS authentication. --> **Note**: When not using destinations in transparent proxy mode, you must specify the `CAFile` parameter -and point to a valid CA bundle in order to properly initiate a TLS -connection to the destination service. For more information about configuring a gateway for destinations, refer to [Register an External Service as a Destination](/consul/docs/k8s/connect/terminating-gateways#register-an-external-service-as-a-destination). + + +When not using destinations in transparent proxy mode, you must specify the `CAFile` parameter and point to a valid CA bundle in order to properly initiate a TLS connection to the destination service. For more information about configuring a gateway for destinations, refer to [Register an External Service as a Destination](/consul/docs/register/external/terminating-gateway/k8s#register-an-external-service-as-a-destination). + + @@ -202,8 +212,11 @@ spec: Link gateway named "us-west-gateway" in the default namespace with the billing service in the finance namespace, and specify a CA file to be used for one-way TLS authentication. --> **Note**: The `CAFile` parameter must be specified _and_ point to a valid CA -bundle in order to properly initiate a TLS connection to the destination service. + + +The `CAFile` parameter must be specified _and_ point to a valid CA bundle in order to properly initiate a TLS connection to the destination service. + + @@ -264,8 +277,11 @@ spec: Link gateway named "us-west-gateway" with the billing service, and specify a CA file, key file, and cert file to be used for mutual TLS authentication. --> **Note**: The `CAFile` parameter must be specified _and_ point to a valid CA -bundle in order to properly initiate a TLS connection to the destination service. + + +The `CAFile` parameter must be specified _and_ point to a valid CA bundle in order to properly initiate a TLS connection to the destination service. + + @@ -322,8 +338,11 @@ spec: Link gateway named "us-west-gateway" in the default namespace with the billing service in the finance namespace. Also specify a CA file, key file, and cert file to be used for mutual TLS authentication. --> **Note**: The `CAFile` parameter must be specified _and_ point to a valid CA -bundle in order to properly initiate a TLS connection to the destination service. + + +The `CAFile` parameter must be specified _and_ point to a valid CA bundle in order to properly initiate a TLS connection to the destination service. + + @@ -611,7 +630,7 @@ spec: { name: 'namespace', description: - 'If running Consul Community Edition, the namespace is ignored (see [Kubernetes Namespaces in Consul CE](/consul/docs/k8s/crds#consul-ce)). If running Consul Enterprise see [Kubernetes Namespaces in Consul Enterprise](/consul/docs/k8s/crds#consul-enterprise) for more details.', + 'If running Consul Community Edition, the namespace is ignored (refer to [Kubernetes Namespaces in Consul CE](/consul/docs/k8s/crds#consul-ce)). If running Consul Enterprise refer to [Kubernetes Namespaces in Consul Enterprise](/consul/docs/k8s/crds#consul-enterprise) for more details.', }, ], hcl: false, @@ -679,12 +698,6 @@ spec: `An optional hostname or domain name to specify during the TLS handshake. This option will also configure [strict SAN matching](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-certificatevalidationcontext-match-typed-subject-alt-names), which requires the external services to have certificates with SANs, not having which will result in \`CERTIFICATE_VERIFY_FAILED\` error.`, }, - { - name: 'DisableAutoHostRewrite', - type: 'bool: ""', - description: - 'When set to true, Terminating Gateway will not modify the incoming requests host header for this service.', - }, ], }, ]} @@ -692,7 +705,7 @@ spec: ## ACLs -Configuration entries may be protected by [ACLs](/consul/docs/security/acl). +Configuration entries may be protected by [ACLs](/consul/docs/secure-consul/acl). Reading a `terminating-gateway` config entry requires `service:read` on the `Name` field of the config entry. diff --git a/website/content/docs/nia/api/health.mdx b/website/content/docs/reference/cts/api/health.mdx similarity index 97% rename from website/content/docs/nia/api/health.mdx rename to website/content/docs/reference/cts/api/health.mdx index 6a04aba5eae..b147a45fd9c 100644 --- a/website/content/docs/nia/api/health.mdx +++ b/website/content/docs/reference/cts/api/health.mdx @@ -13,7 +13,7 @@ The `/health` endpoint returns a successful response when Consul-Terraform-Sync | ------ | ------------------- | ------------------ | | `GET` | `/health` | `application/json` | -### Response Statuses +### Response statuses | Status | Reason | | ------ | ---------------------------------------------------- | diff --git a/website/content/docs/nia/api/index.mdx b/website/content/docs/reference/cts/api/index.mdx similarity index 83% rename from website/content/docs/nia/api/index.mdx rename to website/content/docs/reference/cts/api/index.mdx index 2e0cf3d8405..46b44548387 100644 --- a/website/content/docs/nia/api/index.mdx +++ b/website/content/docs/reference/cts/api/index.mdx @@ -5,13 +5,13 @@ description: >- Consul-Terraform-Sync provides an API interface that lets you query CTS instance health, check CTS instance status, and run CTS tasks. --- -# Consul-Terraform-Sync API Overview +# Consul-Terraform-Sync API overview Consul-Terraform-Sync (CTS) provides an HTTP API interface for querying CTS instances and running and managing tasks. ## Port -The API is served at the default port `8558` or a different port if set with [`port` configuration](/consul/docs/nia/configuration#port) +The API is served at the default port `8558` or a different port if set with [`port` configuration](/consul/docs/reference/cts/configuration#port) ## Version prefix @@ -27,4 +27,4 @@ Each call to a CTS API endpoint returns a `request_id` field. The field is a str ## Error messages -The API sends a response code in the 200 range if the call is successful. If the call is unsuccessful, the API sends an error message that includes additional information when possible. Refer to [Error Messages](/consul/docs/nia/usage/errors-ref) for additional information. \ No newline at end of file +The API sends a response code in the 200 range if the call is successful. If the call is unsuccessful, the API sends an error message that includes additional information when possible. Refer to [Error Messages](/consul/docs/error-messages/cts) for additional information. \ No newline at end of file diff --git a/website/content/docs/nia/api/status.mdx b/website/content/docs/reference/cts/api/status.mdx similarity index 88% rename from website/content/docs/nia/api/status.mdx rename to website/content/docs/reference/cts/api/status.mdx index d95ed72456d..8f04198690d 100644 --- a/website/content/docs/nia/api/status.mdx +++ b/website/content/docs/reference/cts/api/status.mdx @@ -6,9 +6,9 @@ description: >- --- # Status -The `/status` endpoints return status-related information for tasks. This endpoint returns a count of successful and failed task events that are recorded whenever tasks execute an automation. Currently, only the five most recent events are stored in Consul-Terraform-Sync (CTS). For more information on the hierarchy of status information and how it is collected, refer to [Status Information](/consul/docs/nia/tasks#status-information). +The `/status` endpoints return status-related information for tasks. This endpoint returns a count of successful and failed task events that are recorded whenever tasks execute an automation. Currently, only the five most recent events are stored in Consul-Terraform-Sync (CTS). For more information on the hierarchy of status information and how it is collected, refer to [Status Information](/consul/docs/reference/cts/task#status-information). -If CTS is configured [for high availability](/consul/docs/nia/usage/run-ha), you can send requests to the [`/status/cluster` endpoint path](#cluster-status) on any CTS cluster member instance to receive information about the entire cluster. Calling the `status` endpoint path (without `/cluster`), however, returns a 400 error if the request is sent to a follower instance. The error message depends on what information the follower instance is able to obtain about the leader. Refer to [Error Messages](/consul/docs/nia/usage/errors-ref) for more information. +If CTS is configured [for high availability](/consul/docs/nia/usage/run-ha), you can send requests to the [`/status/cluster` endpoint path](#cluster-status) on any CTS cluster member instance to receive information about the entire cluster. Calling the `status` endpoint path (without `/cluster`), however, returns a 400 error if the request is sent to a follower instance. The error message depends on what information the follower instance is able to obtain about the leader. Refer to [Error Messages](/consul/docs/error-messages/cts) for more information. ## Status for all tasks @@ -68,7 +68,7 @@ Response: This endpoint returns the individual task status information for a single specified task or for all tasks. -Task health status value is determined by the success or failure of all stored [event data](/consul/docs/nia/tasks#event) on the process of updating network infrastructure for a task. Currently only the 5 most recent events are stored per task. +Task health status value is determined by the success or failure of all stored [event data](/consul/docs/reference/cts/task#event) on the process of updating network infrastructure for a task. Currently only the 5 most recent events are stored per task. - Successful: The most recent stored event is successful. - Errored: The most recent stored event is not successful but all previous stored events are successful. - Critical: The most recent stored event is not successful and one or more previous stored events are also not successful. @@ -103,11 +103,11 @@ The response is a JSON map of task name to a status information structure with t |`services` | list[string] | **Deprecated in CTS 0.5.0 and will be removed in a future major release.** List of the services configured for the task. |`providers` | list[string] | **Deprecated in CTS 0.5.0 and will be removed in v0.8.0.** List of the providers configured for the task. |`events_url` | string | Relative URL to retrieve the event data stored for the task. -|`events` | list[[Event](/consul/docs/nia/api/status#event)] | List of stored events that inform the task's status. See [section below](/consul/docs/nia/api/status#event) for information on event data. This field is only included in the response upon request by setting the `?include=events` parameter. The relative URL for the request to include events can be retrieved from the `events_url` field. +|`events` | list[[Event](/consul/docs/reference/cts/api/status#event)] | List of stored events that inform the task's status. Refer to [section below](/consul/docs/reference/cts/api/status#event) for information on event data. This field is only included in the response upon request by setting the `?include=events` parameter. The relative URL for the request to include events can be retrieved from the `events_url` field. #### Event -Event represents the process of updating network infrastructure of a task. The data is captured in a JSON structure. For more details on the scope of an event, see [Event](/consul/docs/nia/tasks#event). +Event represents the process of updating network infrastructure of a task. The data is captured in a JSON structure. For more details on the scope of an event, refer to [Event](/consul/docs/reference/cts/task#event). | Name | Type | Description | | ----------- | ------ | ------------------ | @@ -229,7 +229,7 @@ Response: ## Cluster status -The `/v1/status/cluster` API endpoint returns information about high-availability clusters and its members, such as health status and leadership. This endpoint is only supported when using CTS in [high availability mode](/consul/docs/nia/usage/run-ha). If you call the endpoint without configuring CTS for high availability, then CTS prints an error to the console. Refer to [Error Messages](/consul/docs/nia/usage/errors-ref) for information about CTS error messages. +The `/v1/status/cluster` API endpoint returns information about high-availability clusters and its members, such as health status and leadership. This endpoint is only supported when using CTS in [high availability mode](/consul/docs/nia/usage/run-ha). If you call the endpoint without configuring CTS for high availability, then CTS prints an error to the console. Refer to [Error Messages](/consul/docs/error-messages/cts) for information about CTS error messages. | Method | Path | Response format | | ------ | ----------------- | ------------------ | @@ -258,11 +258,11 @@ The following table describes the fields available for objects in the `members` | Field | Type | Description | | --- | ---- | --- | -| `address` | string | Indicates the location of the instance. The address is only included in the response if the `high_availability.instance.address` option is configured on the leader instance. Refer to the [high availability instance configuration](/consul/docs/nia/configuration#high-availability-instance) reference for additional information. | -| `healthy` | boolean | Indicates the health of the service instance health. Refer to [Service Registration](/consul/docs/nia/configuration#service-registration) for additional information. | -| `id` | string | Indicates the service registration ID. Refer to [Service Registration](/consul/docs/nia/configuration#service-registration) for additional information. | +| `address` | string | Indicates the location of the instance. The address is only included in the response if the `high_availability.instance.address` option is configured on the leader instance. Refer to the [high availability instance configuration](/consul/docs/reference/cts/configuration#high-availability-instance) reference for additional information. | +| `healthy` | boolean | Indicates the health of the service instance health. Refer to [Service Registration](/consul/docs/reference/cts/configuration#service-registration) for additional information. | +| `id` | string | Indicates the service registration ID. Refer to [Service Registration](/consul/docs/reference/cts/configuration#service-registration) for additional information. | | `leader` | boolean | Identifies the cluster leader. | -| `service_name` | string | Identifies the name of the service that the instance represents. The value is set by the `service_name` field in the [Service Registration](/consul/docs/nia/configuration#service-registration) configuration. | +| `service_name` | string | Identifies the name of the service that the instance represents. The value is set by the `service_name` field in the [Service Registration](/consul/docs/reference/cts/configuration#service-registration) configuration. | ### Example diff --git a/website/content/docs/nia/api/tasks.mdx b/website/content/docs/reference/cts/api/tasks.mdx similarity index 86% rename from website/content/docs/nia/api/tasks.mdx rename to website/content/docs/reference/cts/api/tasks.mdx index f45253c3431..67cf3932334 100644 --- a/website/content/docs/nia/api/tasks.mdx +++ b/website/content/docs/reference/cts/api/tasks.mdx @@ -9,9 +9,9 @@ description: >- The `/tasks` endpoints interact with the tasks that Consul-Terraform-Sync (CTS) is responsible for running. -If you [run CTS with high availability enabled](/consul/docs/nia/usage/run-ha), you can send requests to the `/tasks` endpoint on CTS leader or follower instances. Requests to a follower instance, however, return a 400 Bad Request and error message. The error message depends on what information the follower instance is able to obtain about the leader. Refer to [Error Messages](/consul/docs/nia/usage/errors-ref) for more information. +If you [run CTS with high availability enabled](/consul/docs/nia/usage/run-ha), you can send requests to the `/tasks` endpoint on CTS leader or follower instances. Requests to a follower instance, however, return a 400 Bad Request and error message. The error message depends on what information the follower instance is able to obtain about the leader. Refer to [Error Messages](/consul/docs/error-messages/cts) for more information. -## Get Tasks +## Get tasks This endpoint returns information about all existing tasks. @@ -19,33 +19,25 @@ This endpoint returns information about all existing tasks. | ------ | ------------------- | ------------------ | | `GET` | `/tasks` | `application/json` | -### Response Statuses +### Response statuses | Status | Reason | | ------ | ---------------------------------------------------- | | 200 | Successfully retrieved and returned a list of tasks | -### Response Fields +### Response fields | Name | Type | Description | | ------------ | ------------- | ---------------------------------------------------------------------------------- | | `request_id` | string | The ID of the request. Used for auditing and debugging purposes. | -| `tasks` | list[[Task](/consul/docs/nia/api/tasks#task-object)] | A list of Tasks | +| `tasks` | list[[Task](/consul/docs/reference/cts/api/tasks#task-object)] | A list of Tasks | ### Example: Retrieve all tasks -In this example, CTS contains a single task - -Request: +In this example, CTS contains a single task. ```shell-session -$ curl --request GET \ - localhost:8558/v1/tasks -``` - -Response: - -```json +$ curl --request GET localhost:8558/v1/tasks { "request_id": "0e0290f9-94df-3a4a-fd17-72467a16083c", "tasks": [ @@ -78,7 +70,7 @@ Response: } ``` -## Get Task +## Get task This endpoint returns information about an existing task. @@ -86,38 +78,32 @@ This endpoint returns information about an existing task. | ------ | ------------------- | ------------------ | | `GET` | `/tasks/:task_name` | `application/json` | -### Request Parameters +### Request parameters | Name | Required | Type | Description | Default | | ------------ | -------- | ------ | ------------------------------------------ | ------- | | `:task_name` | Required | string | Specifies the name of the task to retrieve | none | -### Response Statuses +### Response statuses | Status | Reason | | ------ | ---------------------------------------------------- | | 200 | Successfully retrieved and returned task information | | 404 | Task with the given name not found | -### Response Fields +### Response fields | Name | Type | Description | | ------------ | ------ | ---------------------------------------------------------------------------------- | | `request_id` | string | The ID of the request. Used for auditing and debugging purposes. | -| `task` | object | The task's configuration information. See [task object](#task-object) for details. | +| `task` | object | The task's configuration information. Refer to [task object](#task-object) for details. | ### Example: Retrieve a task Request: ```shell-session -$ curl --request GET \ - localhost:8558/v1/tasks/task_a -``` - -Response: - -```json +$ curl --request GET localhost:8558/v1/tasks/task_a { "request_id": "b7559ab0-5111-381b-367a-0dfb7e216d41", "task": { @@ -155,7 +141,7 @@ Response: } ``` -# Create Task +# Create task This endpoint allows for creation of a task. It only supports creation of a new task, and does not support updating a task. @@ -163,30 +149,30 @@ This endpoint allows for creation of a task. It only supports creation of a new | ------ | -------- | ------------------ | | `POST` | `/tasks` | `application/json` | -### Request Parameters +### Request parameters | Name | Required | Type | Description | Default | | ----- | -------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | | `run` | Optional | string | Values can only be `"inspect"` and `"now"`.
    • `"inspect"`: Does not create the task but returns information on if/how resources would be changed for the proposed task creation.
    • `"now"`: Creates the task accordingly and immediately runs the task, rather than allowing the task to run at the natural daemon cadence
    | none | -### Request Body +### Request body | Name | Required | Type | Description | | ------ | -------- | ------ | ---------------------------------------------------------------------------------- | -| `task` | Required | object | The task's configuration information. See [task object](#task-object) for details. | +| `task` | Required | object | The task's configuration information. Refer to [task object](#task-object) for details. | -### Response Statuses +### Response statuses | Status | Reason | | ------ | ----------------------------- | | 201 | Successfully created the task | -### Response Fields +### Response fields | Name | Type | Description | | ------------ | ------ | ------------------------------------------------------------------------------------------------- | | `request_id` | string | The ID of the request. Used for auditing and debugging purposes. | -| `task` | object | The task's configuration information after creation. See [task object](#task-object) for details. | +| `task` | object | The task's configuration information after creation. Refer to [task object](#task-object) for details. | ### Example: Create a task @@ -251,41 +237,41 @@ Response: } ``` -## Update Task +## Update task -This endpoint allows patch updates to specifically supported fields for existing tasks. Currently only supports updating a task's [`enabled` value](/consul/docs/nia/configuration#enabled-7). +This endpoint allows patch updates to specifically supported fields for existing tasks. Currently only supports updating a task's [`enabled` value](/consul/docs/reference/cts/configuration#enabled-7). | Method | Path | Produces | | ------- | ------------------- | ------------------ | | `PATCH` | `/tasks/:task_name` | `application/json` | -### Request Parameters +### Request parameters | Name | Required | Type | Description | Default | | ------------ | -------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | | `:task_name` | Required | string | Specifies the name of the task to update | none | | `run` | Optional | string | Values can only be `"inspect"` and `"now"`.
    • `"inspect"`: Does not update the task but returns information on if/how resources would be changed for the proposed task update.
    • `"now"`: Updates the task accordingly and immediately runs the task, rather than allowing the task to run at the natural daemon cadence
    | none | -### Request Body +### Request body | Name | Required | Type | Description | | --------- | -------- | ------- | -------------------------------------------------------- | | `enabled` | Required | boolean | Whether the task is enabled to run and manage resources. | -### Response Statuses +### Response statuses | Status | Reason | | ------ | ---------------------------------- | | 200 | Successfully updated the task | | 404 | Task with the given name not found | -### Response Fields +### Response fields | Name | Type | Description | | ------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `inspect` | object | Information on how resources would be changed given a proposed task update, similar to [inspect-mode](/consul/docs/nia/cli/#inspect-mode). This is only returned when passed the `run=inspect` request parameter. | +| `inspect` | object | Information on how resources would be changed given a proposed task update, similar to [inspect-mode](/consul/docs/reference/cts/cli/#inspect-mode). This is only returned when passed the `run=inspect` request parameter. | | `inspect.changes_present` | boolean | Whether or not changes were detected for running the proposed task update. | -| `inspect.plan` | string | The Terraform plan generated for the proposed task update. Note: a non-empty string does not necessarily indicate changes were detected. | +| `inspect.plan` | string | The Terraform plan generated for the proposed task update. A non-empty string does not necessarily indicate changes were detected. | ### Example: Disable a task @@ -337,53 +323,51 @@ Response if changes present: } ``` -## Delete Task +## Delete task This endpoint allows for deletion of existing tasks. It marks a task for deletion based on the name provided. If the task is not running, it will be deleted immediately. Otherwise, it will be deleted once the task is completed. --> **Note:** Deleting a task will not destroy the infrastructure managed by the task. + + + Deleting a task will not destroy the infrastructure managed by the task. + + | Method | Path | Produces | | -------- | ------------------- | ------------------ | | `DELETE` | `/tasks/:task_name` | `application/json` | -### Request Parameters +### Request parameters | Name | Required | Type | Description | Default | | ------------ | -------- | ------ | ------------------------------------------ | ------- | | `:task_name` | Required | string | Specifies the name of the task to retrieve | none | -### Response Statuses +### Response statuses | Status | Reason | | ------ | ----------------------------------------- | | 202 | Successfully marked the task for deletion | | 404 | Task with the given name not found | -### Response Fields +### Response fields | Name | Type | Description | | ------------ | ------ | ---------------------------------------------------------------- | | `request_id` | string | The ID of the request. Used for auditing and debugging purposes. | -### Sample Request +### Sample request ```shell-session -$ curl --request DELETE \ - localhost:8558/v1/tasks/task_a -``` - -### Sample Response - -```json +$ curl --request DELETE localhost:8558/v1/tasks/task_a { "request_id": "9b23eea7-a435-2797-c71e-10c15766cd73" } ``` -## Task Object +## Task object -The task object is used by the Task APIs as part of a request or response. It represents the task's [configuration information](/consul/docs/nia/configuration#task). +The task object is used by the Task APIs as part of a request or response. It represents the task's [configuration information](/consul/docs/reference/cts/configuration#task). | Name | Required | Type | Description | Default | | ----------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | @@ -391,14 +375,14 @@ The task object is used by the Task APIs as part of a request or response. It re | `buffer_period.enabled` | bool | Optional | Whether the buffer period is enabled or disabled. | The global buffer period's enabled value configured for CTS. | | `buffer_period.min` | string | Optional | The minimum period of time to wait after changes are detected before triggering the task. | The global buffer period's min value configured for CTS. | | `buffer_period.max` | string | Optional | The maximum period of time to wait after changes are detected before triggering the task. | The global buffer period's max value configured for CTS. | -| `condition` | object | Required | The [condition](/consul/docs/nia/configuration#task-condition) on which to trigger the task to execute.

    If the task has the deprecated `services` field configured as a module input, it is represented here as `condition.services`. | none | +| `condition` | object | Required | The [condition](/consul/docs/reference/cts/configuration#task-condition) on which to trigger the task to execute.

    If the task has the deprecated `services` field configured as a module input, it is represented here as `condition.services`. | none | | `description` | string | Optional | The human readable text to describe the task. | none | | `enabled` | bool | Optional | Whether the task is enabled or disabled from executing. | `true` | | `module` | string | Required | The location of the Terraform module. | none | -| `module_input` | object | Optional | The additional [module input(s)](/consul/docs/nia/configuration#task-source-input) that the tasks provides to the Terraform module on execution.

    If the task has the deprecated `services` field configured as a module input, it is represented here as `module_input.services`. | none | +| `module_input` | object | Optional | The additional [module input(s)](/consul/docs/reference/cts/configuration#task-source-input) that the tasks provides to the Terraform module on execution.

    If the task has the deprecated `services` field configured as a module input, it is represented here as `module_input.services`. | none | | `name` | string | Required | The unique name of the task. | none | | `providers` | list[string] | Optional | The list of provider names that the task's module uses. | none | | `variables` | map[string] | Optional | The map of variables that are provided to the task's module. | none | | `version` | string | Optional | The version of the configured module that the task uses. | The latest version. | -| `terraform_version` | string | Optional | **Deprecated in CTS 0.6.0 and will be removed in 0.8.0. Review `terraform_version` in `terraform_cloud_workspace` instead.** The version of Terraform to use for the HCP Terraform workspace associated with the task. This is only available when used with the [HCP Terraform driver](/consul/docs/nia/configuration#hcp-terraform-driver). | The latest compatible version supported by the organization. | -| `terraform_cloud_workspace` | object | Optional | The [configurable attributes of the HCP Terraform workspace](/consul/docs/nia/configuration#terraform_cloud_workspace) associated with the task. This option is only available when used with the [HCP Terraform driver](/consul/docs/nia/configuration#hcp-terraform-driver).| none | +| `terraform_version` | string | Optional | **Deprecated in CTS 0.6.0 and will be removed in 0.8.0. Review `terraform_version` in `terraform_cloud_workspace` instead.** The version of Terraform to use for the Terraform Cloud workspace associated with the task. This is only available when used with the [Terraform Cloud driver](/consul/docs/reference/cts/configuration#terraform-cloud-driver). | The latest compatible version supported by the organization. | +| `terraform_cloud_workspace` | object | Optional | The [configurable attributes of the Terraform Cloud workspace](/consul/docs/reference/cts/configuration#terraform_cloud_workspace) associated with the task. This option is only available when used with the [Terraform Cloud driver](/consul/docs/reference/cts/configuration#terraform-cloud-driver).| none | diff --git a/website/content/docs/nia/cli/index.mdx b/website/content/docs/reference/cts/cli/index.mdx similarity index 88% rename from website/content/docs/nia/cli/index.mdx rename to website/content/docs/reference/cts/cli/index.mdx index 9e338819da5..c2ec0026501 100644 --- a/website/content/docs/nia/cli/index.mdx +++ b/website/content/docs/reference/cts/cli/index.mdx @@ -11,7 +11,11 @@ Consul-Terraform-Sync (CTS) is controlled via an easy to use command-line interf ## Daemon -~> Running CTS as a daemon without using a command is deprecated in CTS 0.6.0 and will be removed at a much later date in a major release. For information on the preferred way to run CTS as a daemon review the [`start` command docs](/consul/docs/nia/cli/start) + + +Running CTS as a daemon without using a command is deprecated in CTS 0.6.0 and will be removed at a much later date in a major release. For information on the preferred way to run CTS as a daemon review the [`start` command docs](/consul/docs/reference/cts/cli/start) + + When CTS runs as a daemon, there is no default configuration to start CTS. You must set a configuration flag -config-file or -config-dir. For example: @@ -27,12 +31,12 @@ In addition to running the daemon, CTS has a set of commands that act as a clien To get help for a command, run: `consul-terraform-sync -h` -### CLI Structure +### CLI structure CTS commands follow the below structure ```shell-session -consul-terraform-sync [options] [args] +$ consul-terraform-sync [options] [args] ``` - `options`: Flags to specify additional settings. There are general options that can be used across all commands and command-specific options. @@ -41,7 +45,7 @@ consul-terraform-sync [options] [args] Example: ```shell-session -consul-terraform-sync task disable -http-addr=http://localhost:2000 task_a +$ consul-terraform-sync task disable -http-addr=http://localhost:2000 task_a ``` ### Autocompletion @@ -50,11 +54,12 @@ The `consul-terraform-sync` command features opt-in autocompletion for flags, su arguments (where supported). To enable autocompletion, run: + ```shell-session $ consul-terraform-sync -autocomplete-install ``` -~> After you install autocomplete, you must restart your shell for the change to take effect. +After you install autocomplete, you must restart your shell for the change to take effect. When you start typing a CTS command, press the `` key to show a list of available completions. To show available flag completes, type `-`. @@ -67,7 +72,7 @@ When autocompletion makes the query to the running CTS server, it will also use Assume a tab is typed at the end of each prompt line: -```shell-session +```shell-session hideClipboard $ consul-terraform-sync start task @@ -89,5 +94,5 @@ Below are options that can be used across all commands: | `-ssl-verify` | Optional | boolean | Enables verification for TLS/SSL connections to the API if set to true. This does not affect insecure HTTP connections.

    Alternatively, you can specify the value using the `CTS_SSL_VERIFY` environment variable. | `true` | | `-ca-cert` | Optional | string | Path to a PEM-encoded certificate authority file that is used to verify TLS/SSL connections. Takes precedence over `-ca-path` if both are provided.

    Alternatively, you can specify the value using the `CTS_CACERT` environment variable. | none | | `-ca-path` | Optional | string | Path to a directory containing a PEM-encoded certificate authority file that is used to verify TLS/SSL connections.

    Alternatively, you can specify the value using the `CTS_CAPATH` environment variable. | none | -| `-client-cert`                                                   | Optional | string | Path to a PEM-encoded client certificate that the CTS API requires when [`verify_incoming`](/consul/docs/nia/configuration#verify_incoming) is set to `true` on the API.

    Alternatively, you can specify the value using the `CTS_CLIENT_CERT` environment variable. | none | -| `-client-key` | Optional | string | Path to a PEM-encoded client key for the certificate configured with the `-client-cert` option. This is required if `-client-cert` is set and if [`verify_incoming`](/consul/docs/nia/configuration#verify_incoming) is set to `true` on the CTS API.

    Alternatively, you can specify the value using the `CTS_CLIENT_KEY` environment variable. | none | +| `-client-cert`                                                   | Optional | string | Path to a PEM-encoded client certificate that the CTS API requires when [`verify_incoming`](/consul/docs/reference/cts/configuration#verify_incoming) is set to `true` on the API.

    Alternatively, you can specify the value using the `CTS_CLIENT_CERT` environment variable. | none | +| `-client-key` | Optional | string | Path to a PEM-encoded client key for the certificate configured with the `-client-cert` option. This is required if `-client-cert` is set and if [`verify_incoming`](/consul/docs/reference/cts/configuration#verify_incoming) is set to `true` on the CTS API.

    Alternatively, you can specify the value using the `CTS_CLIENT_KEY` environment variable. | none | diff --git a/website/content/docs/nia/cli/start.mdx b/website/content/docs/reference/cts/cli/start.mdx similarity index 97% rename from website/content/docs/nia/cli/start.mdx rename to website/content/docs/reference/cts/cli/start.mdx index 68b3f6bd7ac..329269a6d37 100644 --- a/website/content/docs/nia/cli/start.mdx +++ b/website/content/docs/reference/cts/cli/start.mdx @@ -15,7 +15,7 @@ The `start` command starts the Consul-Terraform-Sync (CTS) daemon. $ consul-terraform-sync start -config-file [OPTIONS] ``` -The `-config-file` or `-config-dir` flag is required. Use the flag to specify the [CTS instance configuration file](/consul/docs/nia/configuration) or directory containing several configuration files to start a CTS cluster. +The `-config-file` or `-config-dir` flag is required. Use the flag to specify the [CTS instance configuration file](/consul/docs/reference/cts/configuration) or directory containing several configuration files to start a CTS cluster. ## Options diff --git a/website/content/docs/nia/cli/task.mdx b/website/content/docs/reference/cts/cli/task.mdx similarity index 82% rename from website/content/docs/nia/cli/task.mdx rename to website/content/docs/reference/cts/cli/task.mdx index d5ead540cc6..7ed8e0b95cd 100644 --- a/website/content/docs/nia/cli/task.mdx +++ b/website/content/docs/reference/cts/cli/task.mdx @@ -7,9 +7,9 @@ description: >- # task -## task create +## `task create` -`task create` command creates a new task so that it will run and update task resources. The command generates and outputs a Terraform plan, similar to [inspect-mode](/consul/docs/nia/cli/start#modes), of how resources will be modified if the task is created. The command will then ask for user approval before creating the task. +`task create` command creates a new task so that it will run and update task resources. The command generates and outputs a Terraform plan, similar to [inspect-mode](/consul/docs/reference/cts/cli/start#modes), of how resources will be modified if the task is created. The command will then ask for user approval before creating the task. It is not to be used for updating a task and will not create a task if the task name already exists. @@ -19,11 +19,11 @@ It is not to be used for updating a task and will not create a task if the task **Options:** -In addition to [general options](/consul/docs/nia/cli#general-options) this command also supports the following: +In addition to [general options](/consul/docs/reference/cts/cli#general-options) this command also supports the following: | Name | Required | Type | Description | | ------------ | -------- | ------ | ------------------------------------------------------------------------------------------------------------------- | -| `-task-file` | Required | string | The path to the task configuration file. See [configuration information](/consul/docs/nia/configuration#task) for details. | +| `-task-file` | Required | string | The path to the task configuration file. Refer to [configuration information](/consul/docs/reference/cts/configuration#task) for details. | | `-auto-approve`   | Optional | boolean | Whether to skip the interactive approval of the plan before creating. | ### Example @@ -82,16 +82,16 @@ Enter a value: yes ==> Creating and running task 'api-task'... The task creation request has been sent to the CTS server. - Please be patient as it may take some time to see a confirmation that this task has completed. + Please be patient as it may take some time to refer to a confirmation that this task has completed. Warning: Terminating this process will not stop task creation. ==> Task 'task_a' created Request ID: '78eddd74-0f08-83d6-72b2-6aaac1424fba' ``` -## task enable +## `task enable` -`task enable` command enables an existing task so that it will run and update task resources. If the task is already enabled, it will return a success. The command generates and outputs a Terraform plan, similar to [inspect-mode](/consul/docs/nia/cli#inspect-mode), of how resources will be modified if task becomes enabled. If resources changes are detected, the command will ask for user approval before enabling the task. If no resources are detected, the command will go ahead and enable the task. +`task enable` command enables an existing task so that it will run and update task resources. If the task is already enabled, it will return a success. The command generates and outputs a Terraform plan, similar to [inspect-mode](/consul/docs/reference/cts/cli#inspect-mode), of how resources will be modified if task becomes enabled. If resources changes are detected, the command will ask for user approval before enabling the task. If no resources are detected, the command will go ahead and enable the task. ### Usage @@ -105,7 +105,7 @@ Enter a value: yes **Options:** -In addition to [general options](/consul/docs/nia/cli/#general-options) this command also supports the following: +In addition to [general options](/consul/docs/reference/cts/cli/#general-options) this command also supports the following: | Name | Required | Type | Description | | --------------- | -------- | ------- | ------------------------------- | @@ -144,7 +144,7 @@ Enter a value: yes ==> 'task_a' enable complete! ``` -## task disable +## `task disable` `task disable` command disables an existing task so that it will no longer run and update task resources. If the task is already disabled, it will return a success. @@ -158,7 +158,7 @@ Enter a value: yes | ----------- | -------- | ------ | -------------------------------- | | `task_name` | Required | string | The name of the task to disable. | -**Options:** Currently only supporting [general options](/consul/docs/nia/cli#general-options) +**Options:** Currently only supporting [general options](/consul/docs/reference/cts/cli#general-options) ### Example @@ -169,11 +169,15 @@ $ consul-terraform-sync task disable task_b ==> 'task_b' disable complete! ``` -## task delete +## `task delete` `task delete` command deletes an existing task. The command will ask the user for approval before deleting the task. The task will be marked for deletion and will be deleted immediately if it is not running. Otherwise, the task will be deleted once it has completed. --> **Note:** Deleting a task will not destroy the infrastructure managed by the task. + + +Deleting a task will not destroy the infrastructure managed by the task. + + ### Usage @@ -187,7 +191,7 @@ $ consul-terraform-sync task disable task_b **Options:** -In addition to [general options](/consul/docs/nia/cli#general-options) this command also supports the following: +In addition to [general options](/consul/docs/reference/cts/cli#general-options) this command also supports the following: | Name | Required | Type | Description | | --------------- | -------- | ------- | ------------------------------- | diff --git a/website/content/docs/nia/configuration.mdx b/website/content/docs/reference/cts/index.mdx similarity index 78% rename from website/content/docs/nia/configuration.mdx rename to website/content/docs/reference/cts/index.mdx index ec07f3474d3..d82aacf972c 100644 --- a/website/content/docs/nia/configuration.mdx +++ b/website/content/docs/reference/cts/index.mdx @@ -5,7 +5,7 @@ description: >- Consul-Terraform-Sync requires a Terraform Provider, a Terraform Module and a running Consul Cluster outside of the consul-terraform-sync daemon. --- -# Consul-Terraform-Sync Configuration +# Consul-Terraform-Sync configuration This topic contains configuration reference information for Consul-Terraform-Sync (CTS). Pass configuration settings in an HCL or JSON configuration file to configure the CTS daemon. Refer to the [HashiCorp Configuration Language](https://github.com/hashicorp/hcl) to learn the HCL syntax. @@ -57,7 +57,7 @@ tls { - `verify_incoming` - (bool: false) Enable mutual TLS. Requires all incoming connections to the CTS API to use a TLS connection and provide a certificate signed by a Certificate Authority specified by the `ca_cert` or `ca_path`. - `ca_cert` - (string) The path to a PEM-encoded certificate authority file used to verify the authenticity of the incoming client connections to the CTS API when `verify_incoming` is set to true. Takes precedence over `ca_path` if both are configured. - `ca_path` - (string) The path to a directory of PEM-encoded certificate authority files used to verify the authenticity of the incoming client connections to the CTS API when `verify_incoming` is set to true. -- `license_path` - (string) **Deprecated in CTS 0.6.0 and will be removed in a future release. Use [license block](/consul/docs/nia/configuration#license) instead.** Configures the path to the file that contains the license. You must specify a license in order to use enterprise features. You can also set the license by defining the `CONSUL_LICENSE` and `CONSUL_LICENSE_PATH` environment variables. For more information, refer to [Setting the License](/consul/docs/nia/enterprise/license#setting-the-license). +- `license_path` - (string) **Deprecated in CTS 0.6.0 and will be removed in a future release. Use [license block](/consul/docs/reference/cts/configuration#license) instead.** Configures the path to the file that contains the license. You must specify a license in order to use enterprise features. You can also set the license by defining the `CONSUL_LICENSE` and `CONSUL_LICENSE_PATH` environment variables. For more information, refer to [Setting the License](/consul/docs/nia/enterprise/license#setting-the-license). ## License @@ -79,14 +79,18 @@ license { | Parameter | Required | Type | Description | Default | | --------- | -------- | ---- | ----------- | ------- | | `path` | Optional | string | Configures the path to the file containing a license. If a path to a license is configured, this license is used until you enable automatic license retrieval. You can also set the license by defining the `CONSUL_LICENSE` and `CONSUL_LICENSE_PATH` environment variables. To learn more, review [Setting the License](/consul/docs/nia/enterprise/license#setting-the-license). | none | -| `auto_retrieval` | Optional | object | Configures the license auto-retrieval used by CTS. To learn more, review [Auto-Retrieval](/consul/docs/nia/configuration#auto-retrieval) for details | Review [Auto-Retrieval](/consul/docs/nia/configuration#auto-retrieval) for defaults. | +| `auto_retrieval` | Optional | object | Configures the license auto-retrieval used by CTS. To learn more, review [Auto-Retrieval](/consul/docs/reference/cts/configuration#auto-retrieval) for details | Review [Auto-Retrieval](/consul/docs/reference/cts/configuration#auto-retrieval) for defaults. | ### Auto-retrieval You can use the `auto_retrieval` block to configure the automatic license retrieval in CTS. When enabled, CTS attempts to retrieve a new license from its configured Consul Enterprise backend once a day. If CTS cannot retrieve a license and the current license is reaching its expiration date, CTS attempts to retrieve a license with increased frequency, as defined by the [License Expiration Date Handling](/consul/docs/nia/enterprise/license#license-expiration-handling). -~> Enabling `auto_retrieval` is recommended when using HCP Consul Dedicated, as HCP Consul Dedicated licenses expire more frequently than Consul Enterprise licenses. Without auto-retrieval enabled, you have to restart CTS every time you load a new license. + + +Enabling `auto_retrieval` is recommended when using HCP Consul, as HCP Consul licenses expire more frequently than Consul Enterprise licenses. Without auto-retrieval enabled, you have to restart CTS every time you load a new license. + + | Parameter | Required | Type | Description | Default | | --------- | -------- | ---- | ----------- | ------- | @@ -96,9 +100,13 @@ You can use the `auto_retrieval` block to configure the automatic license retrie The `consul` block configures the CTS connection with a Consul agent so that CTS can perform queries for task execution. It also configures the automatic registration of CTS as a service with Consul. --> **Note:** Use HTTP/2 to improve Consul-Terraform-Sync performance when communicating with the local Consul process. [TLS/HTTPS](/consul/docs/agent/config/config-files) must be configured for the local Consul with the [cert_file](/consul/docs/agent/config/config-files#cert_file) and [key_file](/consul/docs/agent/config/config-files#key_file) parameters set. For the Consul-Terraform-Sync configuration, set `tls.enabled = true` and set the `address` parameter to the HTTPS URL, e.g., `address = example.consul.com:8501`. If using self-signed certificates for Consul, you will also need to set `tls.verify = false` or add the certificate to `ca_cert` or `ca_path`. + + +Use HTTP/2 to improve Consul-Terraform-Sync performance when communicating with the local Consul process. [TLS/HTTPS](/consul/docs/reference/agent) must be configured for the local Consul with the [cert_file](/consul/docs/reference/agent#cert_file) and [key_file](/consul/docs/reference/agent#key_file) parameters set. For the Consul-Terraform-Sync configuration, set `tls.enabled = true` and set the `address` parameter to the HTTPS URL, e.g., `address = example.consul.com:8501`. If using self-signed certificates for Consul, you will also need to set `tls.verify = false` or add the certificate to `ca_cert` or `ca_path`. + + -To read more on suggestions for configuring the Consul agent, see [run an agent](/consul/docs/nia/usage/requirements#run-an-agent). +To read more on suggestions for configuring the Consul agent, refer to [run an agent](/consul/docs/nia/usage/requirements#run-an-agent). ```hcl consul { @@ -121,13 +129,14 @@ consul { | Parameter | Required | Type | Description | Default | | --------- | -------- | ---- | ----------- | ------- | | `address` | Optional | string | The address of the Consul agent. It may be an IP or FQDN. | `localhost:8500` | -| `token` | Optional | string | The ACL token to use for client communication with the local Consul agent. See [ACL Requirements](/consul/docs/nia/configuration#acl-requirements) for required privileges.

    The token can also be provided through the `CONSUL_TOKEN` or `CONSUL_HTTP_TOKEN` environment variables. | none | -| `auth` | Optional | [auth](/consul/docs/nia/configuration#auth) | HTTP basic authentication for communicating with Consul || -| `tls` | Optional | [tls](/consul/docs/nia/configuration#tls-1) | Secure client connection with Consul || -| `transport` | Optional | [transport](/consul/docs/nia/configuration#transport) | Low-level network connection details || -| `service_registration` | Optional| [service_registration](/consul/docs/nia/configuration#service-registration) | Options for how CTS will register itself as a service with a health check to Consul. || +| `token` | Optional | string | The ACL token to use for client communication with the local Consul agent. Refer to [ACL Requirements](/consul/docs/reference/cts/configuration#acl-requirements) for required privileges.

    The token can also be provided through the `CONSUL_TOKEN` or `CONSUL_HTTP_TOKEN` environment variables. | none | +| `auth` | Optional | [auth](/consul/docs/reference/cts/configuration#auth) | HTTP basic authentication for communicating with Consul || +| `tls` | Optional | [tls](/consul/docs/reference/cts/configuration#tls-1) | Secure client connection with Consul || +| `transport` | Optional | [transport](/consul/docs/reference/cts/configuration#transport) | Low-level network connection details || +| `service_registration` | Optional| [service_registration](/consul/docs/reference/cts/configuration#service-registration) | Options for how CTS will register itself as a service with a health check to Consul. || ### ACL requirements + The following table describes the ACL policies required by CTS. For more information, refer to the [Secure Consul-Terraform-Sync for Production](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-secure?utm_source=docs#configure-acl-privileges-for-consul-terraform-sync) tutorial. | Policy | Resources | @@ -136,11 +145,12 @@ The following table describes the ACL policies required by CTS. For more informa | `node:read` | Any nodes hosting services monitored by tasks | | `keys:read` | Any Consul KV pairs monitored by tasks | | `namespace:read` | Any namespaces for resources monitored by tasks | -| `service:write` | The CTS service when [service registration](/consul/docs/nia/configuration#service-registration) is enabled | -| `keys:write` | `consul-terraform-sync/` Only required when using Consul as the [Terraform backend](/consul/docs/nia/configuration#backend). | +| `service:write` | The CTS service when [service registration](/consul/docs/reference/cts/configuration#service-registration) is enabled | +| `keys:write` | `consul-terraform-sync/` Only required when using Consul as the [Terraform backend](/consul/docs/reference/cts/configuration#backend). | ### Auth + Configures HTTP basic authentication for communicating with Consul. | Parameter | Required | Type | Description | Default | @@ -151,7 +161,7 @@ Configures HTTP basic authentication for communicating with Consul. ### TLS -Configure TLS to use a secure client connection with Consul. Using HTTP/2 can solve issues related to hitting Consul's maximum connection limits, as well as improve efficiency when processing many blocking queries. This option is required for Consul-Terraform-Sync when connecting to a [Consul agent with TLS verification enabled for HTTPS connections](/consul/docs/agent/config/config-files#verify_incoming). +Configure TLS to use a secure client connection with Consul. Using HTTP/2 can solve issues related to hitting Consul's maximum connection limits, as well as improve efficiency when processing many blocking queries. This option is required for Consul-Terraform-Sync when connecting to a [Consul agent with TLS verification enabled for HTTPS connections](/consul/docs/reference/agent#verify_incoming). If Consul is using a self-signed certificate that you have not added to the global CA chain, you can set this certificate with `ca_cert` or `ca_path`. Alternatively, you can disable SSL verification by setting `verify` to false. However, disabling verification is a potential security vulnerability. @@ -166,11 +176,12 @@ If Consul is using a self-signed certificate that you have not added to the glob | `server_name` | Optional | string | The server name to use as the Server Name Indication (SNI) for Consul when connecting via TLS.

    Can also be provided through the `CONSUL_TLS_SERVER_NAME` environment variable. | none | ### Transport + Configures the low-level network connection details to Consul. -To achieve the shortest latency between a Consul service update to a task execution, configure `max_idle_conns_per_host` equal to or greater than the number of services in automation across all tasks. This value should be lower than the configured [`http_max_conns_per_client`](/consul/docs/agent/config/config-files#http_max_conns_per_client) for the Consul agent. +To achieve the shortest latency between a Consul service update to a task execution, configure `max_idle_conns_per_host` equal to or greater than the number of services in automation across all tasks. This value should be lower than the configured [`http_max_conns_per_client`](/consul/docs/reference/agent#http_max_conns_per_client) for the Consul agent. -If `max_idle_conns_per_host` and the number of services in automation is greater than the Consul agent limit, CTS may error due to connection limits (status code 429). You may increase the agent limit with caution. _Note: requests to the Consul agent made by Terraform subprocesses or any other process on the same host as CTS will contribute to the Consul agent connection limit._ +If `max_idle_conns_per_host` and the number of services in automation is greater than the Consul agent limit, CTS may error due to connection limits (status code 429). You may increase the agent limit with caution. _Requests to the Consul agent made by Terraform subprocesses or any other process on the same host as CTS will contribute to the Consul agent connection limit._ | Parameter | Required | Type | Description | Default | | --------- | -------- | ---- | ----------- | ------- | @@ -184,9 +195,10 @@ If `max_idle_conns_per_host` and the number of services in automation is greater ### Service registration -CTS automatically registers itself with Consul as a service with a health check, using the [`id`](/consul/docs/nia/configuration#id) configuration as the service ID. CTS deregisters itself with Consul when CTS stops gracefully. If CTS is unable to register with Consul, then it will log the error and continue without exiting. -Service registration requires that the [Consul token](/consul/docs/nia/configuration#consul) has an ACL policy of `service:write` for the CTS service. +CTS automatically registers itself with Consul as a service with a health check, using the [`id`](/consul/docs/reference/cts/configuration#id) configuration as the service ID. CTS deregisters itself with Consul when CTS stops gracefully. If CTS is unable to register with Consul, then it will log the error and continue without exiting. + +Service registration requires that the [Consul token](/consul/docs/reference/cts/configuration#consul) has an ACL policy of `service:write` for the CTS service. | Parameter | Required | Type | Description | Default | | --------- | -------- | ---- | ----------- | ------- | @@ -195,9 +207,9 @@ Service registration requires that the [Consul token](/consul/docs/nia/configura | `address` | Optional | string | The IP address or hostname for CTS. | IP address of the Consul agent node | | `namespace` | Optional | string | The namespace to register CTS in. | In order of precedence:
    1. Inferred from the CTS ACL token
    2. The `default` namespace. | | `default_check.enabled` | Optional | boolean | Enables CTS to create the default health check. | `true` | -| `default_check.address` | Optional | string | The address to use for the default HTTP health check. Needs to include the scheme (`http`/`https`) and the port, if applicable. | `http://localhost:` or `https://localhost:`. Determined from the [port configuration](/consul/docs/nia/configuration#port) and whether [TLS is enabled](/consul/docs/nia/configuration#enabled-2) on the CTS API. | +| `default_check.address` | Optional | string | The address to use for the default HTTP health check. Needs to include the scheme (`http`/`https`) and the port, if applicable. | `http://localhost:` or `https://localhost:`. Determined from the [port configuration](/consul/docs/reference/cts/configuration#port) and whether [TLS is enabled](/consul/docs/reference/cts/configuration#enabled-2) on the CTS API. | -The default health check is an [HTTP check](/consul/docs/services/usage/checks#http-checks) that calls the [Health API](/consul/docs/nia/api/health). The following table describes the values CTS sets for this default check, corresponding to the [Consul register check API](/consul/api-docs/agent/check#register-check). If an option is not listed in this table, then CTS is using the default value. +The default health check is an [HTTP check](/consul/docs/register/service/vm/health-checks#http-checks) that calls the [Health API](/consul/docs/reference/cts/api/health). The following table describes the values CTS sets for this default check, corresponding to the [Consul register check API](/consul/api-docs/agent/check#register-check). If an option is not listed in this table, then CTS is using the default value. | Parameter | Value | | --------- | ----- | @@ -206,7 +218,7 @@ The default health check is an [HTTP check](/consul/docs/services/usage/checks#h | Namespace | `service_registration.namespace` | | Notes | `Check created by Consul-Terraform-Sync`| | DeregisterCriticalServiceAfter | `30m` | -| ServiceID | [`id`](/consul/docs/nia/configuration#id) | +| ServiceID | [`id`](/consul/docs/reference/cts/configuration#id) | | Status | `critical` | | HTTP | `/v1/health` | | Method | `GET` | @@ -245,7 +257,11 @@ The `instance` parameter is an object that contains configurations unique to the ## Service -~> **Note:** Deprecated in CTS 0.5.0 and will be removed in a future major release. `service` blocks are used to define the `task` block's `services` fields, which were also deprecated and replaced with [Services Condition](/consul/docs/nia/configuration#services-condition) and [Services Module Input](/consul/docs/nia/configuration#services-module-input). `service` block configuration can be replaced by configuring the equivalent fields of the corresponding Services Condition and Services Module Input. Refer to [0.5.0 release notes](/consul/docs/release-notes/consul-terraform-sync/v0_5_x#deprecate-service-block) for examples. + + +Deprecated in CTS 0.5.0 and will be removed in a future major release. `service` blocks are used to define the `task` block's `services` fields, which were also deprecated and replaced with [Services Condition](/consul/docs/reference/cts/configuration#services-condition) and [Services Module Input](/consul/docs/reference/cts/configuration#services-module-input). `service` block configuration can be replaced by configuring the equivalent fields of the corresponding Services Condition and Services Module Input. Refer to [0.5.0 release notes](/consul/docs/release-notes/consul-terraform-sync/v0_5_x#deprecate-service-block) for examples. + + A `service` block is an optional block to explicitly define the services configured in the `task` block's `services` field (deprecated). `service` blocks do not define services configured in the `task` block's `condition "services"` or `module_input "services` blocks. @@ -267,11 +283,11 @@ service { | `datacenter` | Optional | string | Name of a datacenter to query for the task. | Datacenter of the agent that CTS queries. | | `namespace` | Optional | string |
    Namespace of the services to query for the task. | In order of precedence:
    1. Inferred from the CTS ACL token
    2. The `default` namespace. | | `filter` | Optional | string | Expression used to additionally filter the services to monitor.

    Refer to the [services filtering documentation](/consul/api-docs/health#filtering-2) and section about [how to write filter expressions](/consul/api-docs/features/filtering#creating-expressions) for additional information. | none | -| `cts_user_defined_meta` | Optional | map[string] | User-defined metadata that is appended to the [service input variable](/consul/docs/nia/terraform-modules#services-module-input) for compatible Terraform modules.

    Some modules do not use the configured metadata. Refer to the module configured for the task for information about metadata usage and expected keys and format.

    If multiple tasks depend on the same service but require different metadata, you can declare different sets of metadata for the same service. Define multiple service blocks for the service with unique IDs (and identical names) for those blocks. The metadata can then be separated per task based on the service IDs. | none| +| `cts_user_defined_meta` | Optional | map[string] | User-defined metadata that is appended to the [service input variable](/consul/docs/reference/cts/terraform-module#services-module-input) for compatible Terraform modules.

    Some modules do not use the configured metadata. Refer to the module configured for the task for information about metadata usage and expected keys and format.

    If multiple tasks depend on the same service but require different metadata, you can declare different sets of metadata for the same service. Define multiple service blocks for the service with unique IDs (and identical names) for those blocks. The metadata can then be separated per task based on the service IDs. | none| ## Task -A `task` block configures which task to execute in automation. Use the `condition` block to specify when the task executes. You can specify the `task` block multiple times to configure multiple tasks, or you can omit it entirely. If task blocks are not specified in your initial configuration, you can add them to a running CTS instance by using the [`/tasks` API endpoint](/consul/docs/nia/api/tasks#tasks) or the [CLI's `task` command](/consul/docs/nia/cli/task#task). +A `task` block configures which task to execute in automation. Use the `condition` block to specify when the task executes. You can specify the `task` block multiple times to configure multiple tasks, or you can omit it entirely. If task blocks are not specified in your initial configuration, you can add them to a running CTS instance by using the [`/tasks` API endpoint](/consul/docs/reference/cts/api/tasks#tasks) or the [CLI's `task` command](/consul/docs/reference/cts/cli/task#task). ```hcl task { @@ -292,17 +308,17 @@ task { - `name` - (string: required) Name is the unique name of the task (required). A task name must start with a letter or underscore and may contain only letters, digits, underscores, and dashes. - `enabled` - (bool: true) Enable or disable a task from running and managing resources. - `providers` - (list[string]) Providers is the list of provider names the task is dependent on. This is used to map [Terraform provider configuration](#terraform-provider) to the task. -- `services` - (list[string]) **Deprecated in CTS 0.5.0 and will be removed in a future major release. Use [Services Condition](/consul/docs/nia/configuration#services-condition) or [Services Module Input](/consul/docs/nia/configuration#services-module-input) instead. See [0.5.0 release notes](/consul/docs/release-notes/consul-terraform-sync/v0_5_x#deprecate-services-field) for examples.** Specifies an optional list of logical service names or service IDs that the task monitors for changes in the Consul catalog. The `services` can act in different ways depending on the configuration of the task's `condition` block: +- `services` - (list[string]) **Deprecated in CTS 0.5.0 and will be removed in a future major release. Use [Services Condition](/consul/docs/reference/cts/configuration#services-condition) or [Services Module Input](/consul/docs/reference/cts/configuration#services-module-input) instead. Refer to [0.5.0 release notes](/consul/docs/release-notes/consul-terraform-sync/v0_5_x#deprecate-services-field) for examples.** Specifies an optional list of logical service names or service IDs that the task monitors for changes in the Consul catalog. The `services` can act in different ways depending on the configuration of the task's `condition` block: - no `condition` block configured: `services` will act as the task's condition and provide the services information as module input - the `condition` block configured for type `services`: `services` is incompatible with this type of `condition` because both configure the services module input. CTS will return an error. - the `condition` block configured for all other types: `services` will act only to provide services module input. Service values that are not explicitly defined by a `service` block that have a matching ID are assumed to be logical service names in the `default` namespace. -- `source` - (string: required) **Deprecated in CTS 0.5.0 and will be removed in a future major release. See the `module` field instead.** +- `source` - (string: required) **Deprecated in CTS 0.5.0 and will be removed in a future major release. Refer to the `module` field instead.** - `module` - (string: required) Module is the location the driver uses to discover the Terraform module used for automation. The module's source can be local or remote on the [Terraform Registry](https://registry.terraform.io/) or private module registry. Read more on [Terraform module source and other supported types here](/terraform/language/modules/sources). - To use a private module with the [`terraform` driver](#terraform-driver), run the command [`terraform login [hostname]`](/terraform/tutorials/cloud/cloud-login?utm_source=docs) to authenticate the local Terraform CLI prior to starting CTS. - - To use a private module with the [`terraform_cloud` driver](#hcp-terraform-driver), no extra steps are needed. + - To use a private module with the [`terraform_cloud` driver](#terraform-cloud-driver), no extra steps are needed. ```hcl // local module example: "./terraform-cts-hello" @@ -336,21 +352,21 @@ task { - `enabled` - (bool) Enable or disable buffer periods for this task. Specifying `min` will also enable it. - `min` - (string: "5s") The minimum period of time to wait after changes are detected before triggering related tasks. - `max` - (string: "20s") The maximum period of time to wait after changes are detected before triggering related tasks. If `min` is set, the default period for `max` is 4 times the value of `min`. -- `condition` - (obj: required) The requirement that, when met, triggers CTS to execute the task. Only one `condition` may be configured per task. CTS supports different types of conditions, which each have their own configuration options. See [Task Condition](#task-condition) configuration for full details on configuration options for each condition type. -- `source_input` - (obj) **Deprecated in CTS 0.5.0 and will be removed in 0.8.0. See the `module_input` block instead.** +- `condition` - (obj: required) The requirement that, when met, triggers CTS to execute the task. Only one `condition` may be configured per task. CTS supports different types of conditions, which each have their own configuration options. Refer to [Task Condition](#task-condition) configuration for full details on configuration options for each condition type. +- `source_input` - (obj) **Deprecated in CTS 0.5.0 and will be removed in 0.8.0. Refer to the `module_input` block instead.** - `module_input` - (obj) Specifies a Consul object containing values or metadata to be provided to the Terraform Module. The `module_input` block defines any extra module inputs needed for task execution. This is in addition to any module input provided by the `condition` block or `services` field (deprecated). Multiple `module_input` blocks can be configured per task. [Task Module Input](#task-module-input) configuration for full details on usage and restrictions. -- `terraform_version` - (string) **Deprecated in CTS 0.6.0 and will be removed in 0.8.0. Review `terraform_cloud_workspace.terraform_version` instead.** The version of Terraform to use for the HCP Terraform workspace associated with the task. Defaults to the latest compatible version supported by the organization. This option is only available when used with the [HCP Terraform driver](#hcp-terraform-driver); otherwise, set the version within the [Terraform driver](#terraform-driver). -- `terraform_cloud_workspace` - (obj) Configures attributes of the HCP Terraform workspace associated with the task. This option is only available when used with the [HCP Terraform driver](#hcp-terraform-driver). For global configurations of all workspaces, review [`driver.workspaces`](#workspaces). - - `execution_mode` - (string: "remote") The execution mode that determines whether to use HCP Terraform as the Terraform execution platform. Only supports "remote" or "agent". +- `terraform_version` - (string) **Deprecated in CTS 0.6.0 and will be removed in 0.8.0. Review `terraform_cloud_workspace.terraform_version` instead.** The version of Terraform to use for the Terraform Cloud workspace associated with the task. Defaults to the latest compatible version supported by the organization. This option is only available when used with the [Terraform Cloud driver](#terraform-cloud-driver); otherwise, set the version within the [Terraform driver](#terraform-driver). +- `terraform_cloud_workspace` - (obj) Configures attributes of the Terraform Cloud workspace associated with the task. This option is only available when used with the [Terraform Cloud driver](#terraform-cloud-driver). For global configurations of all workspaces, review [`driver.workspaces`](#workspaces). + - `execution_mode` - (string: "remote") The execution mode that determines whether to use Terraform Cloud as the Terraform execution platform. Only supports "remote" or "agent". - `agent_pool_id` - (string) Only supported if `execution_mode` is set to "agent". The ID of the agent pool that should run the Terraform workloads. Either `agent_pool_id` or `agent_pool_name` are required if `execution_mode` is set to "agent". `agent_pool_id` takes precedence over `agent_pool_name` if both are provided. - `agent_pool_name` - (string) Only supported if `execution_mode` is set to "agent". The name of the agent pool that should run the Terraform workloads. Only supported if `execution_mode` is set to "agent". Either `agent_pool_id` or `agent_pool_name` are required. `agent_pool_id` takes precedence over `agent_pool_name` if both are provided. - - `terraform_version` - (string) The version of Terraform to use for the HCP Terraform workspace associated with the task. Defaults to the latest compatible version supported by the organization. + - `terraform_version` - (string) The version of Terraform to use for the Terraform Cloud workspace associated with the task. Defaults to the latest compatible version supported by the organization. -### Task Condition +### Task condition A `task` block is configured with a `condition` block to set the conditions that should be met in order to execute that particular task. Below are the different types of conditions that CTS supports. -#### Services Condition +#### Services condition This condition will trigger the task on services that match the regular expression configured in `regexp` or services listed by name in `names`. Either `regexp` or `names` must be configured, but not both. @@ -358,9 +374,9 @@ When a `condition "services"` block is configured for a task, then the following - the task cannot be configured with the `services` field (deprecated) - the task cannot be configure with a `module_input "services"` or `source_input "services"` (deprecated) block -These restrictions are due to the fact that the monitored services information for a task can only be set through one configuration option. Any services module input that the task needs should be configured solely through the `condition` block. +CTS places these restrictions because the monitored services information for a task can only be set through one configuration option. Any services module input that the task needs should be configured solely through the `condition` block. -See [Task Execution: Services Condition](/consul/docs/nia/tasks#services-condition) for more details on how tasks are triggered with a services condition. +Refer to [Task Execution: Services Condition](/consul/docs/reference/cts/task#services-condition) for more details on how tasks are triggered with a services condition. ```hcl task { @@ -380,6 +396,7 @@ task { } } ``` + ```hcl task { name = "services_condition_names_task" @@ -406,16 +423,16 @@ task { | `datacenter` | Optional | string | Name of a datacenter to query for the task. | Datacenter of the agent that CTS queries. | | `namespace` | Optional | string |
    Namespace of the services to query for the task. | In order of precedence:
    1. Inferred from the CTS ACL token
    2. The `default` namespace. | | `filter` | Optional | string | Expression used to additionally filter the services to monitor.

    Refer to the [services filtering documentation](/consul/api-docs/health#filtering-2) and section about [how to write filter expressions](/consul/api-docs/features/filtering#creating-expressions) for additional information. | none | -| `cts_user_defined_meta` | Optional | map[string] | User-defined metadata that is appended to the [service input variable](/consul/docs/nia/terraform-modules#services-module-input) for compatible Terraform modules.

    Some modules do not use the configured metadata. Refer to the module configured for the task for information about metadata usage and expected keys and format. | none| -| `source_includes_var` | Optional | boolean | **Deprecated in CTS 0.5.0 and will be removed in 0.8.0. See the `use_as_module_input` field instead.** | true | -| `use_as_module_input` | Optional | boolean | Whether or not the values of the condition object should also be used as input for the [`services` variable](/consul/docs/nia/terraform-modules#services-variable) for the Terraform module

    Please refer to the selected module's documentation for guidance on how to configure this field. If configured inconsistently with the module, CTS will error and exit. | true | +| `cts_user_defined_meta` | Optional | map[string] | User-defined metadata that is appended to the [service input variable](/consul/docs/reference/cts/terraform-module#services-module-input) for compatible Terraform modules.

    Some modules do not use the configured metadata. Refer to the module configured for the task for information about metadata usage and expected keys and format. | none| +| `source_includes_var` | Optional | boolean | **Deprecated in CTS 0.5.0 and will be removed in 0.8.0. Refer to the `use_as_module_input` field instead.** | true | +| `use_as_module_input` | Optional | boolean | Whether or not the values of the condition object should also be used as input for the [`services` variable](/consul/docs/reference/cts/terraform-module#services-variable) for the Terraform module

    Please refer to the selected module's documentation for guidance on how to configure this field. If configured inconsistently with the module, CTS will error and exit. | true | -#### Catalog-Services Condition +#### Catalog-services condition A catalog-services condition block configures a task to only execute on service registration and deregistration, more specifically on first service instance registration and last service instance deregistration respectively. The catalog-services condition has additional configuration options to specify the services that can trigger the task on registration and deregistration. -See [Task Execution: Catalog Services Condition](/consul/docs/nia/tasks#catalog-services-condition) for more information on how tasks are triggered with a catalog-services condition. +Refer to [Task Execution: Catalog Services Condition](/consul/docs/reference/cts/task#catalog-services-condition) for more information on how tasks are triggered with a catalog-services condition. ```hcl task { @@ -442,17 +459,16 @@ task { | `datacenter` | Optional | string | Name of a datacenter to query for the task. | Datacenter of the agent that CTS queries. | | `namespace` | Optional | string |
    Namespace of the services to query for the task. | In order of precedence:
    1. Inferred from the CTS ACL token
    2. The `default` namespace. | | `node_meta` | Optional | map[string] | Node metadata key/value pairs to use to filter services. Only services registered at a node with the specified key/value pairs are used by the task. | none | -| `source_includes_var` | Optional | boolean | **Deprecated in CTS 0.5.0 and will be removed in 0.8.0. See the `use_as_module_input` field instead.** | true | -| `use_as_module_input` | Optional | boolean | Whether or not the values of the condition object should also be used as input for the [`catalog_services` variable](/consul/docs/nia/terraform-modules#catalog-services-variable) for the Terraform module

    Please refer to the selected module's documentation for guidance on how to configure this field. If configured inconsistently with the module, CTS will error and exit. | true | +| `source_includes_var` | Optional | boolean | **Deprecated in CTS 0.5.0 and will be removed in 0.8.0. Refer to the `use_as_module_input` field instead.** | true | +| `use_as_module_input` | Optional | boolean | Whether or not the values of the condition object should also be used as input for the [`catalog_services` variable](/consul/docs/reference/cts/terraform-module#catalog-services-variable) for the Terraform module

    Please refer to the selected module's documentation for guidance on how to configure this field. If configured inconsistently with the module, CTS will error and exit. | true | -#### Consul KV Condition +#### Consul KV condition A `condition "consul-kv"` block configures a task to only execute on changes to a Consul KV entry. The condition can be configured for a single Consul KV entry or for any Consul KV entries that are prefixed with a given path. When a `condition "consul-kv"` block is configured for a task, the task cannot be configured with a `module_input "consul-kv"` or `source_input "consul-kv"` (deprecated) block. The monitored consul-kv information for a task can only be set through one configuration option. Any consul-kv module input that the task needs should be configured solely through the `condition` block. - -See [Task Execution: Consul KV Condition](/consul/docs/nia/tasks#consul-kv-condition) for more information on how tasks are triggered with a consul-kv condition. +Refer to [Task Execution: Consul KV Condition](/consul/docs/reference/cts/task#consul-kv-condition) for more information on how tasks are triggered with a consul-kv condition. ```hcl task { @@ -477,19 +493,19 @@ task { | `recurse` | Optional | boolean | Enables CTS to treat the path as a prefix. If set to `false`, the path will be treated as a literal match. | `false` | | `datacenter` | Optional | string | Name of a datacenter to query for the task. | Datacenter of the agent that CTS queries. | | `namespace` | Optional | string |
    Namespace of the services to query for the task. | In order of precedence:
    1. Inferred from the CTS ACL token
    2. The `default` namespace. | -| `source_includes_var` | Optional | boolean | **Deprecated in CTS 0.5.0 and will be removed in 0.8.0. See the `use_as_module_input` field instead.** | true | -| `use_as_module_input` | Optional | boolean | Whether or not the values of the condition object should also be used as input for the [`consul_kv` variable](/consul/docs/nia/terraform-modules#consul-kv-variable) for the Terraform module

    Please refer to the selected module's documentation for guidance on how to configure this field. If configured inconsistently with the module, CTS will error and exit. | true | +| `source_includes_var` | Optional | boolean | **Deprecated in CTS 0.5.0 and will be removed in 0.8.0. Refer to the `use_as_module_input` field instead.** | true | +| `use_as_module_input` | Optional | boolean | Whether or not the values of the condition object should also be used as input for the [`consul_kv` variable](/consul/docs/reference/cts/terraform-module#consul-kv-variable) for the Terraform module

    Please refer to the selected module's documentation for guidance on how to configure this field. If configured inconsistently with the module, CTS will error and exit. | true | -#### Schedule Condition +#### Schedule condition A scheduled task has a schedule condition block, which defines the schedule for executing the task. Unlike a dynamic task, a scheduled task does not dynamically trigger on changes in Consul. -Schedule tasks also rely on additional task configuration, separate from the condition block to determine the module input information to provide to the task module. See [`module_input`](#module_input) block configuration for details on how to configure module input. +Schedule tasks also rely on additional task configuration, separate from the condition block to determine the module input information to provide to the task module. Refer to [`module_input`](#module_input) block configuration for details on how to configure module input. -See [Task Execution: Schedule Condition](/consul/docs/nia/tasks#schedule-condition) for more information on how tasks are triggered with schedule conditions. +Refer to [Task Execution: Schedule Condition](/consul/docs/reference/cts/task#schedule-condition) for more information on how tasks are triggered with schedule conditions. -See [Terraform Module: Module Input](/consul/docs/nia/terraform-modules#module-input) for more information on module input options for a scheduled task. +Refer to [Terraform Module: Module Input](/consul/docs/reference/cts/terraform-module#module-input) for more information on module input options for a scheduled task. ```hcl task { @@ -509,11 +525,15 @@ task { | Parameter | Required | Type | Description | Default | | --------- | -------- | ---- | ----------- | ------- | -| `cron` | Required | string | The CRON expression that dictates the schedule to trigger the task. For more information on CRON expressions, see the [cronexpr parsing library](https://github.com/hashicorp/cronexpr). | none | +| `cron` | Required | string | The CRON expression that dictates the schedule to trigger the task. For more information on CRON expressions, refer to the [cronexpr parsing library](https://github.com/hashicorp/cronexpr). | none | ### Task Module Input ((#task-source-input)) -~> `module_input` was renamed from `source_input` in CTS 0.5.0. Documentation for the `module_input` block also applies to the `source_input` block. + + +`module_input` was renamed from `source_input` in CTS 0.5.0. Documentation for the `module_input` block also applies to the `source_input` block. + + You can optionally add one or more `module_input` blocks to the `task` block. A `module_input` block specifies a Consul object containing values or metadata to be provided to the Terraform Module. Both scheduled and dynamic tasks can be configured with `module_input` blocks. @@ -535,13 +555,13 @@ task { } ``` -~> The type of the `module_input` block that can be configured depends on the `condition` block type and the `services` field (deprecated). See [Task Module Input Restrictions](/consul/docs/nia/configuration#task-module-input-restrictions) for more details. +The type of the `module_input` block that can be configured depends on the `condition` block type and the `services` field (deprecated). Refer to [Task Module Input Restrictions](/consul/docs/reference/cts/configuration#task-module-input-restrictions) for more details. The following sections describe the module input types that CTS supports. -#### Services Module Input ((#services-source-input)) +#### Services module input ((#services-source-input)) -This `services` module input object defines services registered to Consul whose metadata will be used as [services module input to the Terraform Module](/consul/docs/nia/terraform-modules/#services-module-input). The following parameters are supported: +This `services` module input object defines services registered to Consul whose metadata will be used as [services module input to the Terraform Module](/consul/docs/reference/cts/terraform-module/#services-module-input). The following parameters are supported: | Parameter | Required | Type | Description | Default | | --------- | -------- | ---- | ----------- | ------- | @@ -550,7 +570,7 @@ This `services` module input object defines services registered to Consul whose | `datacenter` | Optional | string | Name of a datacenter to query for the task. | Datacenter of the agent that CTS queries. | | `namespace` | Optional | string |
    String value indicating the namespace of the services to query for the task. | In order of precedence:
    1. Inferred from the CTS ACL token
    2. The `default` namespace. | | `filter` | Optional | string | Expression used to additionally filter the services to monitor.

    Refer to the [services filtering documentation](/consul/api-docs/health#filtering-2) and section about [how to write filter expressions](/consul/api-docs/features/filtering#creating-expressions) for additional information. | none | -| `cts_user_defined_meta` | Optional | map[string] | User-defined metadata that is appended to the [service input variable](/consul/docs/nia/terraform-modules#services-module-input) for compatible Terraform modules.

    Some modules do not use the configured metadata. Refer to the module configured for the task for information about metadata usage and expected keys and format. | none| +| `cts_user_defined_meta` | Optional | map[string] | User-defined metadata that is appended to the [service input variable](/consul/docs/reference/cts/terraform-module#services-module-input) for compatible Terraform modules.

    Some modules do not use the configured metadata. Refer to the module configured for the task for information about metadata usage and expected keys and format. | none| In the following example, the scheduled task queries all Consul services with `web` as the suffix. The metadata of matching services are provided to the Terraform module. @@ -576,9 +596,9 @@ task { } ``` -#### Consul KV Module Input ((#consul-kv-source-input)) +#### Consul KV module input ((#consul-kv-source-input)) -A Consul KV module input block defines changes to Consul KV that will be monitored. These changes will then be provided as [Consul KV module input to the Terraform Module](/consul/docs/nia/terraform-modules/#consul-kv-module-input). The module input can be configured for a single Consul KV entry or for any Consul KV entries that are prefixed with a given path. The following parameters are supported: +A Consul KV module input block defines changes to Consul KV that will be monitored. These changes will then be provided as [Consul KV module input to the Terraform Module](/consul/docs/reference/cts/terraform-module/#consul-kv-module-input). The module input can be configured for a single Consul KV entry or for any Consul KV entries that are prefixed with a given path. The following parameters are supported: | Parameter | Required | Type | Description | Default | | --------- | -------- | ---- | ----------- | ------- | @@ -608,7 +628,7 @@ task { } ``` -#### Task Module Input Restrictions +#### Task module input restrictions There are some limitations to the type of `module_input` blocks that can be configured for a task given the task's `condition` block and `services` field (deprecated). This is because a task cannot have multiple configurations defining the same type of monitored variable: - A task cannot be configured with a `condition` and `module_input` block of the same type. For example, configuring `condition "consul-kv"` and `module_input "consul-kv"` will error because both configure the `consul_kv` variable. @@ -621,13 +641,13 @@ There are some limitations to the type of `module_input` blocks that can be conf All of the listed configurations define the `services` variable and including more than one configuration will return an error. -## Network Drivers +## Network drivers A driver is required for CTS to propagate network infrastructure change. The `driver` block configures the subprocess that CTS runs in automation. The default driver is the [Terraform driver](#terraform-driver) which automates Terraform as a local installation of the Terraform CLI. Only one network driver can be configured per deployment of CTS. -## Terraform Driver +## Terraform driver The Terraform driver block is used to configure CTS for installing and automating Terraform locally. The driver block supports Terraform configuration to specify the `backend` used for state management and `required_providers` configuration used for provider discovery. @@ -653,7 +673,7 @@ driver "terraform" { - `backend` - (obj) The backend stores [Terraform state files](/terraform/language/state) for each task. This option is similar to the [Terraform backend configuration](/terraform/language/settings/backends/configuration). CTS supports Terraform backends used as a state store. - Supported backend options: [azurerm](/terraform/language/settings/backends/azurerm), [consul](/terraform/language/settings/backends/consul), [cos](/terraform/language/settings/backends/cos), [gcs](/terraform/language/settings/backends/gcs), [kubernetes](/terraform/language/settings/backends/kubernetes), [local](/terraform/language/settings/backends/local), [manta](/terraform/language/v1.2.x/settings/backends/manta), [pg](/terraform/language/settings/backends/pg) (Terraform v0.14+), [s3](/terraform/language/settings/backends/s3). Visit the Terraform documentation links for details on backend configuration options. - If omitted, CTS will generate default values and use configurations from the [`consul` block](#consul) to configure [Consul as the backend](/terraform/language/settings/backends/consul), which stores Terraform statefiles in the Consul KV. The [ACL token provided for Consul authentication](#consul) is used to read and write to the KV store and requires [Consul KV privileges](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-secure?utm_source=docs#configure-acl-privileges-for-consul-terraform-sync). The Consul KV path is the base path to store state files for tasks. The full path of each state file will have the task identifier appended to the end of the path, e.g. `consul-terraform-sync/terraform-env:task-name`. - - The remote enhanced backend is not supported with the Terraform driver to run operations in HCP Terraform. Use the [HCP Terraform driver](#hcp-terraform-driver) to integrate CTS with HCP Terraform for remote workspaces and remote operations. + - The remote enhanced backend is not supported with the Terraform driver to run operations in Terraform Cloud. Use the [Terraform Cloud driver](#terraform-cloud-driver) to integrate CTS with Terraform Cloud for remote workspaces and remote operations. - The `local` backend type is not supported with CTS instances configured for high availability. If high availability is configured and the Terraform backend type is `local`, CTS logs an error and exits. - `log` - (bool) Enable all Terraform output (stderr and stdout) to be included in the CTS log. This is useful for debugging and development purposes. It may be difficult to work with log aggregators that expect uniform log format. - `path` - (string) The file path to install Terraform or discover an existing Terraform binary. If omitted, Terraform will be installed in the same directory as the CTS daemon. To resolve an incompatible Terraform version or to change versions will require removing the existing binary or change to a different path. @@ -661,7 +681,7 @@ driver "terraform" { - `required_providers` - (obj: required) Declare each Terraform provider used across all tasks. This can be configured the same as how you would configure [Terraform `terraform.required_providers`](/terraform/language/providers/requirements#requiring-providers) field to specify the source and version for each provider. CTS will process these requirements when preparing each task that uses the provider. - `version` - (string) The Terraform version to install and run in automation for task execution. If omitted, the driver will install the latest [compatible release of Terraform](/consul/docs/nia/compatibility#terraform). To change versions, remove the existing binary or change the path to install the desired version. Verify that the desired Terraform version is compatible across all Terraform modules used for CTS automation. -## HCP Terraform Driver +## Terraform Cloud driver This feature requires{' '} @@ -671,9 +691,9 @@ driver "terraform" { which is available with Consul Enterprise. -The HCP Terraform driver enables CTS Enterprise to integrate with HCP Terraform, including both the [self-hosted distribution](https://www.hashicorp.com/products/terraform/editions/enterprise) and the [managed service](https://www.hashicorp.com/products/terraform/editions/cloud). With this driver, CTS automates Terraform runs and remote operations for workspaces. +The Terraform Cloud driver enables CTS Enterprise to integrate with **Terraform Cloud**, including both the [self-hosted distribution](https://www.hashicorp.com/products/terraform/editions/enterprise) and the [managed service](https://www.hashicorp.com/products/terraform/editions/cloud). With this driver, CTS automates Terraform runs and remote operations for workspaces. -An overview of features enabled with HCP Terraform can be viewed within the [Network Drivers](/consul/docs/nia/network-drivers) documentation. +An overview of features enabled with Terraform Cloud can be viewed within the [Network Drivers](/consul/docs/nia/network-drivers) documentation. Only one network driver can be configured per deployment of CTS. @@ -701,16 +721,16 @@ driver "terraform-cloud" { } ``` -- `hostname` - (string) The HCP Terraform hostname to connect to. Can be overridden with the `TFC_HOSTNAME` environment variable. -- `organization` - (string) The HCP Terraform organization that hosts the managed workspaces by CTS. Can be overridden with the `TFC_ORGANIZATION` environment variable. -- `token` - (string) Required [Team API token](/terraform/cloud-docs/users-teams-organizations/api-tokens#team-api-tokens) used for authentication with HCP Terraform and workspace management. Only workspace permissions are needed for CTS. The token can also be provided using the `TFC_TOKEN` environment variable. - - We recommend creating a dedicated team and team API token to isolate automation by CTS from other HCP Terraform operations. +- `hostname` - (string) The Terraform Cloud hostname to connect to. Can be overridden with the `TFC_HOSTNAME` environment variable. +- `organization` - (string) The Terraform Cloud organization that hosts the managed workspaces by CTS. Can be overridden with the `TFC_ORGANIZATION` environment variable. +- `token` - (string) Required [Team API token](/terraform/cloud-docs/users-teams-organizations/api-tokens#team-api-tokens) used for authentication with Terraform Cloud and workspace management. Only workspace permissions are needed for CTS. The token can also be provided using the `TFC_TOKEN` environment variable. + - We recommend creating a dedicated team and team API token to isolate automation by CTS from other Terraform Cloud operations. - `workspace_prefix` - (string) **Deprecated in CTS 0.5.0**, use the [`workspaces.prefix`](#prefix) option instead. Specifies a prefix to prepend to the automatically-generated workspace names used for automation. This prefix will be used by all tasks that use this driver. By default, when no prefix is configured, the workspace name will be the task name. When a prefix is configured, the workspace name will be `-`, with the character '-' between the workspace prefix and task name. For example, if you configure the prefix as "cts", then a task with the name "task-firewall" will have the workspace name "cts-task-firewall". -- `workspaces` - Configure CTS management of HCP Terraform workspaces. +- `workspaces` - Configure CTS management of Terraform Cloud workspaces. - `prefix` - (string) Specifies a prefix to prepend to the workspace names used for CTS task automation. This prefix will be used by all tasks that use this driver. By default, when no prefix is configured, the workspace name will be the task name. When a prefix is configured, the workspace name will be ``. For example, if you configure the prefix as "cts_", then a task with the name "task_firewall" will have the workspace name "cts_task_firewall". - - `tags` - (list[string]) Tags for CTS to add to all automated workspaces when the workspace is first created or discovered. Tags are added to discovered workspaces only if the workspace meets [automation requirements](/consul/docs/nia/network-drivers/hcp-terraform#remote-workspaces) and satisfies the allowlist and denylist tag options. This option will not affect existing tags. Tags that were manually removed during runtime will be re-tagged when CTS restarts. Compatible with HCP Terraform and Terraform Enterprise v202108-1+ - - `tags_allowlist` - (list[string]) Tag requirement to use as a provision check for CTS automation of workspaces. When configured, HCP Terraform workspaces must have at least one tag from the allow list for CTS to automate the workspace and runs. Compatible with HCP Terraform and Terraform Enterprise v202108-1+. - - `tags_denylist` - (list[string]) Tag restriction to use as a provision check for CTS automation of workspaces. When configured, HCP Terraform workspaces must not have any tag from the deny list for CTS to automate the workspace and runs. Denied tags have higher priority than tags set in the `tags_allowlist` option. Compatible with HCP Terraform and Terraform Enterprise v202108-1+. + - `tags` - (list[string]) Tags for CTS to add to all automated workspaces when the workspace is first created or discovered. Tags are added to discovered workspaces only if the workspace meets [automation requirements](/consul/docs/nia/network-drivers/terraform-cloud#remote-workspaces) and satisfies the allowlist and denylist tag options. This option will not affect existing tags. Tags that were manually removed during runtime will be re-tagged when CTS restarts. Compatible with Terraform Cloud and Terraform Enterprise v202108-1+ + - `tags_allowlist` - (list[string]) Tag requirement to use as a provision check for CTS automation of workspaces. When configured, Terraform Cloud workspaces must have at least one tag from the allow list for CTS to automate the workspace and runs. Compatible with Terraform Cloud and Terraform Enterprise v202108-1+. + - `tags_denylist` - (list[string]) Tag restriction to use as a provision check for CTS automation of workspaces. When configured, Terraform Cloud workspaces must not have any tag from the deny list for CTS to automate the workspace and runs. Denied tags have higher priority than tags set in the `tags_allowlist` option. Compatible with Terraform Cloud and Terraform Enterprise v202108-1+. - `required_providers` - (obj: required) Declare each Terraform provider used across all tasks. This can be configured the same as how you would configure [Terraform `terraform.required_providers`](/terraform/language/providers/requirements#requiring-providers) field to specify the source and version for each provider. CTS will process these requirements when preparing each task that uses the provider. - `tls` - Configure TLS to allow HTTPS connections to [Terraform Enterprise](/terraform/enterprise/install/interactive/installer#tls-key-amp-cert). - `enabled` - (bool) Enable TLS. Providing a value for any of the TLS options will enable this parameter implicitly. @@ -727,11 +747,11 @@ driver "terraform-cloud" { } ``` -CTS generates local artifacts to prepare configuration versions used for workspace runs. The location of the files created can be set with the [`working_dir`](/consul/docs/nia/configuration#working_dir) option or configured per task. When a task is configured with a local module and is run with the HCP Terraform driver, the local module is copied and uploaded as a part of the configuration version. +CTS generates local artifacts to prepare configuration versions used for workspace runs. The location of the files created can be set with the [`working_dir`](/consul/docs/reference/cts/configuration#working_dir) option or configured per task. When a task is configured with a local module and is run with the Terraform Cloud driver, the local module is copied and uploaded as a part of the configuration version. The version of Terraform to use for each workspace can also be set within the [task](#task) configuration. -## Terraform Provider +## Terraform provider A `terraform_provider` block configures the options to interface with network infrastructure. Define a block for each provider required by the set of Terraform modules across all tasks. This block resembles [provider blocks for Terraform configuration](/terraform/language/providers/configuration). To find details on how to configure a provider, refer to the corresponding documentation for the Terraform provider. The main directory of publicly available providers are hosted on the [Terraform Registry](https://registry.terraform.io/browse/providers). @@ -761,15 +781,19 @@ task { } ``` -~> **Note**: Provider arguments configured in CTS configuration files are written in plain text to the generated [`terraform.tfvars`](/consul/docs/nia/network-drivers#terraform-tfvars) file for each Terraform workspace that references the provider. To exclude arguments or dynamic values from rendering to local files in plain text, use [`task_env` in addition to using dynamic configuration](#securely-configure-terraform-providers). + + +Provider arguments configured in CTS configuration files are written in plain text to the generated [`terraform.tfvars`](/consul/docs/nia/network-drivers#terraform-tfvars) file for each Terraform workspace that references the provider. To exclude arguments or dynamic values from rendering to local files in plain text, use [`task_env` in addition to using dynamic configuration](#securely-configure-terraform-providers). -### Securely Configure Terraform Providers + + +### Securely configure Terraform providers The `terraform_provider` block supports dynamically loading arguments and the local environment from other sources. This can be used to securely configure your Terraform provider from the shell environment, Consul KV, or Vault. Using the `task_env` meta-argument and template syntax below, you can avoid exposing sensitive values or credentials in plain text within configuration files for CTS. `task_env` and the template syntax for dynamic values are only supported within the `terraform_provider` block. -#### Provider Environment Variables +#### Provider environment variables Terraform providers may support shell environment variables as values for some of their arguments. When available, we recommend using environment variables as a way to keep credentials out of plain-text configuration files. Refer to the official provider docs hosted on the [Terraform Registry](https://registry.terraform.io/browse/providers) to find supported environment variables for a provider. By default, CTS enables all Terraform workspaces to inherit from its environment. @@ -795,9 +819,13 @@ terraform_provider "foo" { } ``` -!> **Security note**: CTS does not prevent sensitive values from being written to Terraform state files. We recommend securing state files in addition to securely configuring Terraform providers. Options for securing state files can be set within [`driver.backend`](#backend) based on the backend used. For example, Consul KV is the default backend and can be secured with ACLs for KV path. For other backends, we recommend enabling encryption, if applicable. + + +CTS does not prevent sensitive values from being written to Terraform state files. We recommend securing state files in addition to securely configuring Terraform providers. Options for securing state files can be set within [`driver.backend`](#backend) based on the backend used. For example, Consul KV is the default backend and can be secured with ACLs for KV path. For other backends, we recommend enabling encryption, if applicable. + + -#### Load Dynamic Values +#### Load dynamic values Load dynamic values for Terraform providers with integrated template syntax. @@ -835,7 +863,7 @@ terraform_provider "example" { } ``` -##### Vault Configuration +##### Vault configuration - `address` - (string) The URI of the Vault server. This can also be set via the `VAULT_ADDR` environment variable. - `enabled` - (bool) Enabled controls whether the Vault integration is active. @@ -853,9 +881,13 @@ terraform_provider "example" { - `transport` - [(transport block)](#transport) Transport configures the low-level network connection details. - `unwrap_token` - (bool) Unwraps the provided Vault token as a wrapped token. --> Note: Vault credentials are not accessible by tasks and the associated Terraform configurations, including automated Terraform modules. If the task requires Vault, you will need to separately configure the Vault provider and explicitly include it in the `task.providers` list. + + + Vault credentials are not accessible by tasks and the associated Terraform configurations, including automated Terraform modules. If the task requires Vault, you will need to separately configure the Vault provider and explicitly include it in the `task.providers` list. + + -### Multiple Provider Configurations +### Multiple provider configurations CTS supports the [Terraform feature to define multiple configurations](/terraform/language/providers/configuration#alias-multiple-provider-configurations) for the same provider by utilizing the `alias` meta-argument. Define multiple provider blocks with the same provider name and set the `alias` to a unique value across a given provider. Select which provider configuration to use for a task by specifying the configuration with the provider name and alias (`.`) within the list of providers in the [`task.provider`](#task) parameter. A task can use multiple providers, but only one provider instance of a provider is allowed per task. diff --git a/website/content/docs/reference/dataplane.mdx b/website/content/docs/reference/dataplane.mdx new file mode 100644 index 00000000000..dc1fec25109 --- /dev/null +++ b/website/content/docs/reference/dataplane.mdx @@ -0,0 +1,8 @@ +--- +layout: docs +page_title: Consul dataplane configuration reference +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Consul dataplane configuration reference \ No newline at end of file diff --git a/website/content/docs/reference/dns.mdx b/website/content/docs/reference/dns.mdx new file mode 100644 index 00000000000..516ecdc1339 --- /dev/null +++ b/website/content/docs/reference/dns.mdx @@ -0,0 +1,33 @@ +--- +layout: docs +page_title: Consul DNS reference +description: Find information about Consul’s Domain Name System (DNS). Consul DNS uses a custom syntax to make your services discoverable by Consul regardless of where you deploy them. +--- + +# Consul DNS reference + +This page provides reference information for using Consul’s Domain Name System (DNS). You can use the Consul DNS to format network addresses, lookup information about specific service instances, and configure failover strategies. + +If you run Consul on Kubernetes, you can use KubeDNS instead of Consul DNS. Refer to [onboard services in transparent proxy mode](/register/external/permissive-mtls) for more information. + +## Consul DNS syntax + +The following table lists elements of a Consul DNS address, how to format the element, and their default values. Elements are listed sequentially according to their order in a properly configured DNS address. Unless explicitly modified, all Consul DNS requests address the `.consul` domain by default. + +| Network element | Consul DNS syntax | Default value | Requires Enterprise License | +| :--------------------------- | :-------------------------- | :---------------------------------- | :-------------------------: | +| Service Record (SRV) | `_._` | None | ❌ | +| Custom tag | `.` | None | ❌ | +| Service | `.service` | None | ❌ | +| Service mesh enabled service | `.connect` | None | ✅ | +| Virtual service | `.virtual` | None | ✅ | +| Ingress-enabled service | `.ingress` | None | ✅ | +| Node | `.node` | Node where the DNS query runs | ❌ | +| Namespace | `.ns` | `default` | ✅ | +| Admin partition | `.ap` | `default` | ✅ | +| Prepared query | `.query` | None | ❌ | +| SRV prepared query | `._.query` | None | ❌ | +| Datacenter | `.dc` | Datacenter where the DNS query runs | ❌ | +| Cluster Peer | `.peer` | None | ❌ | +| Sameness group | `.sg` | None | ✅ | +| Domain | `.` | `consul` | ❌ | \ No newline at end of file diff --git a/website/content/docs/ecs/reference/configuration-reference.mdx b/website/content/docs/reference/ecs/index.mdx similarity index 92% rename from website/content/docs/ecs/reference/configuration-reference.mdx rename to website/content/docs/reference/ecs/index.mdx index 3e283e6f12b..aa6461d0032 100644 --- a/website/content/docs/ecs/reference/configuration-reference.mdx +++ b/website/content/docs/reference/ecs/index.mdx @@ -5,15 +5,22 @@ description: >- Use the `consul-ecs` reference guide to manually configure Consul for deployment on Amazon Web Services ECS. Learn how the configuration values correspond to Terraform module input variables and review JSON configuration models for `consulLogin`, `gateway`, `proxy`, and `service` fields. --- -# Consul on AWS Elastic Container Service (ECS) Configuration Reference +# Consul on AWS Elastic Container Service (ECS) configuration reference -This topic describes configuration options for the JSON configuration format used by the `consul-ecs` binary. This configuration is passed to the `consul-ecs` binary as a string using the `CONSUL_ECS_CONFIG_JSON` environment variable. +This topic describes configuration options for the JSON configuration format used +by the `consul-ecs` binary. This configuration is passed to the `consul-ecs` +binary as a string using the `CONSUL_ECS_CONFIG_JSON` environment variable. -This configuration format follows a [JSON schema](https://github.com/hashicorp/consul-ecs/blob/main/config/schema.json) that can be used for validation. +This configuration format follows a [JSON schema](https://github.com/hashicorp/consul-ecs/blob/main/config/schema.json) +that can be used for validation. -## Terraform `mesh-task` module configuration +## Terraform Mesh Task Module Configuration -The `mesh-task` Terraform module provides input variables for commonly used fields. The following table shows which Terraform input variables correspond to each field of the Consul ECS configuration. Refer to the [Terraform registry documentation](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task?tab=inputs) for a complete reference of supported input variables for the `mesh-task` module. +The `mesh-task` Terraform module provides input variables for commonly used fields. +The following table shows which Terraform input variables correspond to each field +of the Consul ECS configuration. Refer to the +[Terraform registry documentation](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task?tab=inputs) +for a complete reference of supported input variables for the `mesh-task` module. | Terraform Input Variable | Consul ECS Config Field | | ------------------------ | ------------------------------------- | @@ -25,7 +32,9 @@ The `mesh-task` Terraform module provides input variables for commonly used fiel | `consul_namespace` | [`service.namespace`](#service) | | `consul_partition` | [`service.partition`](#service) | -Each of these Terraform input variables follows the Consul ECS configuration schema. The remaining fields of the Consul ECS configuration that are not listed in this table can be passed using the `consul_ecs_config` input variable. +Each of these Terraform input variables follow the Consul ECS config schema. +The remaining fields of the Consul ECS configuration not listed in this table can be passed +using the `consul_ecs_config` input variable. # Top-level fields @@ -176,7 +185,7 @@ Defines the Consul checks for the service. Each `check` object may contain the f | `method` | `string` | optional | Specifies the HTTP method to be used for an HTTP check. When no value is specified, `GET` is used. | | `name` | `string` | optional | The name of the check. | | `notes` | `string` | optional | Specifies arbitrary information for humans. This is not used by Consul internally. | -| `os_service` | `string` | optional | Specifies the name of a service on which to perform an [OS service check](/consul/docs/services/usage/checks#osservice-check). The check runs according the frequency specified in the `interval` parameter. | +| `os_service` | `string` | optional | Specifies the name of a service on which to perform an [OS service check](/consul/docs/register/service/vm/health-checks#osservice-check). The check runs according the frequency specified in the `interval` parameter. | | `status` | `string` | optional | Specifies the initial status the health check. Must be one of `passing`, `warning`, `critical`, `maintenance`, or `null`. | | `successBeforePassing` | `integer` | optional | Specifies the number of consecutive successful results required before check status transitions to passing. | | `tcp` | `string` | optional | Specifies this is a TCP check. Must be an IP/hostname plus port to which a TCP connection is made every `interval`. | diff --git a/website/content/docs/ecs/reference/consul-server-json.mdx b/website/content/docs/reference/ecs/server-json.mdx similarity index 78% rename from website/content/docs/ecs/reference/consul-server-json.mdx rename to website/content/docs/reference/ecs/server-json.mdx index 87401bbb2d3..eb6e450c64e 100644 --- a/website/content/docs/ecs/reference/consul-server-json.mdx +++ b/website/content/docs/reference/ecs/server-json.mdx @@ -6,25 +6,25 @@ description: Learn about the fields available in the JSON scheme for configuring # Consul server configuration JSON schema reference -This topic provides reference information about the JSON schema used to build the `config.tf` file. Refer to [Configure Consul server settings](/consul/docs/ecs/deploy/terraform#configure-consul-server-settings) for information about how Consul on ECS uses the JSON schema. +This topic provides reference information about the JSON schema used to build the `config.tf` file. Refer to [Configure Consul server settings](/consul/docs/register/service/ecs/automatic#configure-consul-server-settings) for information about how Consul on ECS uses the JSON schema. ## Configuration model The following list describes the attributes, data types, and default values, if any, in the `config.tf` file. Click on a value to learn more about the attribute. -- [`consulServers`](#consulservers): map +- [`consulServers`](#consulservers): map - [`hosts`](#consulservers-hosts): string - [`skipServerWatch`](#consulservers-hosts): boolean | `false` - - [`defaults`](#consulservers-defaults): map - - [`caCertFile`](#consulservers-defaults): string - - [`tlsServerName`](#consulservers-defaults): string + - [`defaults`](#consulservers-defaults): map + - [`caCertFile`](#consulservers-defaults): string + - [`tlsServerName`](#consulservers-defaults): string - [`tls`](#consulservers-defaults): boolean | `false` - - [`grpc`](#consulservers-grpc): map - - [`port`](#consulservers-grpc): number - - [`caCertFile`](#consulservers-grpc): string - - [`tlsServerName`](#consulservers-grpc): string + - [`grpc`](#consulservers-grpc): map + - [`port`](#consulservers-grpc): number + - [`caCertFile`](#consulservers-grpc): string + - [`tlsServerName`](#consulservers-grpc): string - [`tls`](#consulservers-grpc): boolean | `false` - - [`http`](#consulservers-http): map + - [`http`](#consulservers-http): map - [`https`](#consulservers-http): boolean | `false` - [`port`](#consulservers-http): number - [`caCertFile`](#consulservers-http): string @@ -33,11 +33,11 @@ The following list describes the attributes, data types, and default values, if ## Specification -This section provides details about the attributes in the `config.tf` file. +This section provides details about the attribes in the `config.tf` file. ### `consulServers` -Parent-level attribute containing all of the server configurations. All other configurations in the file are children of the `consulServers` attribute. +Parent-level attribute containing all of the server configurations. All other configuraitons in the file are children of the `consulServers` attribute. #### Values @@ -47,7 +47,7 @@ Parent-level attribute containing all of the server configurations. All other co ### `consulServers.hosts` -Map that contains the `skipServerWatch` configuration for Consul server hosts. +Map that contains the `skipServerWatch` configuration for Consul server hosts. #### Values @@ -56,7 +56,7 @@ Map that contains the `skipServerWatch` configuration for Consul server hosts. ### `consulServers.hosts.skipServerWatch` -Boolean that disables watches on the Consul server. Set to `true` if the Consul server is already behind a load balancer. +Boolean that disables watches on the Consul server. Set to `true` if the Consul server is already behind a load balancer. #### Values @@ -65,7 +65,7 @@ Boolean that disables watches on the Consul server. Set to `true` if the Consul ### `consulServers.defaults` -Map of default server configurations. Defaults apply to gRPC and HTTP traffic. +Map of default server configurations. Defaults apply to gRPC and HTTP traffic. #### Values @@ -83,7 +83,7 @@ The following table describes the attributes available in the `defaults` configu ### `consulServers.grpc` -Map of server configuration for gRPC traffic that override attributes defined in `consulServers.defaults`. +Map of server configuration for gRPC traffic that override attributes defined in `consulServers.defaults`. #### Values @@ -101,7 +101,7 @@ The following table describes the attributes available in the `grpc` configurati ### `consulServers.http` -Map of server configuration for HTTP traffic that override attributes defined in `consulServers.defaults`. +Map of server configuration for HTTP traffic that override attributes defined in `consulServers.defaults`. #### Values diff --git a/website/content/docs/services/configuration/checks-configuration-reference.mdx b/website/content/docs/reference/health-check.mdx similarity index 93% rename from website/content/docs/services/configuration/checks-configuration-reference.mdx rename to website/content/docs/reference/health-check.mdx index c842d334b6b..bad26a83dc9 100644 --- a/website/content/docs/services/configuration/checks-configuration-reference.mdx +++ b/website/content/docs/reference/health-check.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: Health check configuration reference -description: -> +description: >- Use the health checks to direct safety functions, such as removing failing nodes and replacing secondary services. Learn how to configure health checks. --- @@ -10,9 +10,11 @@ description: -> This topic provides configuration reference information for health checks. For information about the different kinds of health checks and guidance on defining them, refer to [Define Health Checks]. ## Introduction -Health checks perform several safety functions, such as allowing a web balancer to gracefully remove failing nodes and allowing a database to replace a failed secondary. You can configure health checks to monitor the health of the entire node. Refer to [Define Health Checks](/consul/docs/services/usage/checks) for information about how to define the different types of health checks available in Consul. + +Health checks perform several safety functions, such as allowing a web balancer to gracefully remove failing nodes and allowing a database to replace a failed secondary. You can configure health checks to monitor the health of the entire node. Refer to [Define Health Checks](/consul/docs/register/service/vm/health-checks) for information about how to define the different types of health checks available in Consul. ## Check block + Specify health check options in the `check` block. To register two or more heath checks in the same configuration, use the [`checks` block](#checks-block). The following table describes the configuration options contained in the `check` block. | Parameter | Description | Check types | @@ -35,7 +37,7 @@ Specify health check options in the `check` block. To register two or more heath | `h2ping` | String value that specifies the HTTP2 endpoint, including port number, to send HTTP2 requests to. |
  • H2ping
    • | | `h2ping_use_tls` | Boolean value that enables TLS for H2ping checks when set to `true`. |
  • H2ping
    • | | `http` | String value that specifies an HTTP endpoint to send requests to. |
  • HTTP
    • | -| `tls_server_name` | String value that specifies the server name used to verify the hostname on the returned certificates unless `tls_skip_verify` is given. Also included in the client's handshake to support SNI. It is recommended that this field be left unspecified. The TLS client will deduce the server name for SNI from the check address unless it's an IP ([RFC 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3)). There are two common circumstances where supplying a `tls_server_name` can be beneficial:
  • When the check address is an IP, `tls_server_name` can be specified for SNI. Note: setting `tls_server_name` will also override the hostname used to verify the certificate presented by the server being checked.
  • When the hostname in the check address won't be present in the SAN (Subject Alternative Name) field of the certificate presented by the server being checked. Note: setting `tls_server_name` will also override the hostname used for SNI.
    • |
  • HTTP
  • H2Ping
  • gRPC
    • | +| `tls_server_name` | String value that specifies the server name used to verify the hostname on the returned certificates unless `tls_skip_verify` is given. Also included in the client's handshake to support SNI. It is recommended that this field be left unspecified. The TLS client will deduce the server name for SNI from the check address unless it's an IP ([RFC 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3)). There are two common circumstances where supplying a `tls_server_name` can be beneficial:
  • When the check address is an IP, `tls_server_name` can be specified for SNI. Setting `tls_server_name` will also override the hostname used to verify the certificate presented by the server being checked.
  • When the hostname in the check address won't be present in the SAN (Subject Alternative Name) field of the certificate presented by the server being checked. Setting `tls_server_name` will also override the hostname used for SNI.
    • |
  • HTTP
  • H2Ping
  • gRPC
    • | | `tls_skip_verify` | Boolean value that determines if the check verifies the chain and hostname of the certificate that the server presents. Set to `true` to disable verification. We recommend setting to `false` for production use. Default is `false`. |
  • HTTP
  • H2Ping
  • gRPC
  • TCP
    • | | `method` | String value that specifies the request method to send during HTTP checks. Default is `GET`. |
  • HTTP
    • | | `header` | Object that specifies header fields to send in HTTP check requests. Each header specified in `header` object contains a list of string values. |
  • HTTP
    • | @@ -49,7 +51,6 @@ Specify health check options in the `check` block. To register two or more heath | `ttl` | String value that specifies how long to wait for an update from an external process during a TTL check. |
  • TTL
    • | | `alias_service` | String value that specifies a service or node that the service associated with the health check aliases. |
  • Alias
    • | - - ## Checks block + You can define multiple health checks in a single `checks` block. The `checks` block is an array of objects that contain the configuration options described in the [`check` block configuration reference](#check-block). diff --git a/website/content/docs/k8s/annotations-and-labels.mdx b/website/content/docs/reference/k8s/annotation-label.mdx similarity index 88% rename from website/content/docs/k8s/annotations-and-labels.mdx rename to website/content/docs/reference/k8s/annotation-label.mdx index 56e4c4c0fcd..dffd9619a81 100644 --- a/website/content/docs/k8s/annotations-and-labels.mdx +++ b/website/content/docs/reference/k8s/annotation-label.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Annotations and Labels +page_title: Consul on Kubernetes annotations and labels reference description: >- Annotations and labels configure service mesh sidecar properties and injection behavior when scheduling Kubernetes clusters. Learn about the annotations and labels that enable Consul’s service mesh and secure upstream communication on k8s in this reference guide. --- -# Annotations and Labels +# Consul on Kubernetes annotations and labels reference ## Overview @@ -153,7 +153,7 @@ The following Kubernetes resource annotations could be used on a pod to control - Admin partitions: Upstream services may be running in a different partition. When specifying a partition, you must also specify a namespace. Place the partition name after the namespace. If you specify the name of the datacenter, it must be the local datacenter. Communicating across partitions using this method is only supported within a datacenter. For cross partition communication across datacenters, [establish a cluster - peering connection](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering) and set the upstream with a labeled annotation format. + peering connection](/consul/docs/east-west/cluster-peering/establish-connection/k8s) and set the upstream with a labeled annotation format. ```yaml annotations: @@ -221,7 +221,7 @@ The following Kubernetes resource annotations could be used on a pod to control - `consul.hashicorp.com/sidecar-proxy-` - Override default resource settings for the sidecar proxy container. - The defaults are set in Helm config via the [`connectInject.sidecarProxy.resources`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-resources) key. + The defaults are set in Helm config via the [`connectInject.sidecarProxy.resources`](/consul/docs/reference/k8s/helm#v-connectinject-sidecarproxy-resources) key. - `consul.hashicorp.com/sidecar-proxy-cpu-limit` - Override the default CPU limit. - `consul.hashicorp.com/sidecar-proxy-cpu-request` - Override the default CPU request. @@ -233,27 +233,24 @@ The following Kubernetes resource annotations could be used on a pod to control - `consul.hashicorp.com/consul-sidecar-` - Override default resource settings for the `consul-sidecar` container. - The defaults are set in Helm config via the [`global.consulSidecarContainer.resources`](/consul/docs/k8s/helm#v-global-consulsidecarcontainer) key. + The defaults are set in Helm config via the [`global.consulSidecarContainer.resources`](/consul/docs/reference/k8s/helm#v-global-consulsidecarcontainer) key. - `consul.hashicorp.com/consul-sidecar-cpu-limit` - Override the default CPU limit. - `consul.hashicorp.com/consul-sidecar-cpu-request` - Override the default CPU request. - `consul.hashicorp.com/consul-sidecar-memory-limit` - Override the default memory limit. - `consul.hashicorp.com/consul-sidecar-memory-request` - Override the default memory request. -- `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultEnabled`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultenabled) -- `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultenableshutdowndrainlisteners) -- `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultshutdowngraceperiodseconds) -- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultGracefulPort`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultgracefulport) -- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultgracefulshutdownpath) - -- `consul.hashicorp.com/sidecar-proxy-startup-failure-seconds` - Override the default Helm value [`connectInject.sidecarProxy.defaultStartupFailureSeconds`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-defaultstartupfailureseconds) -- `consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds` - Override the default Helm value [`connectInject.sidecarProxy.defaultLivenessFailureSeconds`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-defaultlivenessfailureseconds) - -- `consul.hashicorp.com/enable-metrics` - Override the default Helm value [`connectInject.metrics.defaultEnabled`](/consul/docs/k8s/helm#v-connectinject-metrics-defaultenabled). -- `consul.hashicorp.com/enable-metrics-merging` - Override the default Helm value [`connectInject.metrics.defaultEnableMerging`](/consul/docs/k8s/helm#v-connectinject-metrics-defaultenablemerging). -- `consul.hashicorp.com/merged-metrics-port` - Override the default Helm value [`connectInject.metrics.defaultMergedMetricsPort`](/consul/docs/k8s/helm#v-connectinject-metrics-defaultmergedmetricsport). -- `consul.hashicorp.com/prometheus-scrape-port` - Override the default Helm value [`connectInject.metrics.defaultPrometheusScrapePort`](/consul/docs/k8s/helm#v-connectinject-metrics-defaultprometheusscrapeport). -- `consul.hashicorp.com/prometheus-scrape-path` - Override the default Helm value [`connectInject.metrics.defaultPrometheusScrapePath`](/consul/docs/k8s/helm#v-connectinject-metrics-defaultprometheusscrapepath). +- `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultEnabled`](/consul/docs/reference/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultenabled) +- `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners`](/consul/docs/reference/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultenableshutdowndrainlisteners) +- `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds`](/consul/docs/reference/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultshutdowngraceperiodseconds) +- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultGracefulPort`](/consul/docs/reference/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultgracefulport) +- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath`](/consul/docs/reference/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultgracefulshutdownpath) + +- `consul.hashicorp.com/enable-metrics` - Override the default Helm value [`connectInject.metrics.defaultEnabled`](/consul/docs/reference/k8s/helm#v-connectinject-metrics-defaultenabled). +- `consul.hashicorp.com/enable-metrics-merging` - Override the default Helm value [`connectInject.metrics.defaultEnableMerging`](/consul/docs/reference/k8s/helm#v-connectinject-metrics-defaultenablemerging). +- `consul.hashicorp.com/merged-metrics-port` - Override the default Helm value [`connectInject.metrics.defaultMergedMetricsPort`](/consul/docs/reference/k8s/helm#v-connectinject-metrics-defaultmergedmetricsport). +- `consul.hashicorp.com/prometheus-scrape-port` - Override the default Helm value [`connectInject.metrics.defaultPrometheusScrapePort`](/consul/docs/reference/k8s/helm#v-connectinject-metrics-defaultprometheusscrapeport). +- `consul.hashicorp.com/prometheus-scrape-path` - Override the default Helm value [`connectInject.metrics.defaultPrometheusScrapePath`](/consul/docs/reference/k8s/helm#v-connectinject-metrics-defaultprometheusscrapepath). - `consul.hashicorp.com/prometheus-ca-file` - Local filesystem path to a CA file for Envoy to use when serving TLS on the Prometheus metrics endpoint. Only applicable when `envoy_prometheus_bind_addr` is set in proxy config. @@ -279,7 +276,7 @@ The following Kubernetes resource annotations could be used on a pod to control annotations: "consul.hashicorp.com/consul-sidecar-user-volume-mount": "[{\"name\": \"secrets-store-mount\", \"mountPath\": \"/mnt/secrets-store\"}]" ``` -- `consul.hashicorp.com/proxy-config-map` - JSON object specifying [Proxy Config Options](/consul/docs/connect/proxies/envoy#proxy-config-options). The proxy config map provides a low-level interface for setting configuration fields on a per-proxy basis during service registration. This configuration field is intended to be used in situations where a field does not exist in [service defaults configuration entries](/consul/docs/connect/config-entries/service-defaults) and another annotation does not provide explicit access to one of the Envoy configuration options. +- `consul.hashicorp.com/proxy-config-map` - JSON object specifying [Proxy Config Options](/consul/docs/reference/proxy/envoy#proxy-config-options). The proxy config map provides a low-level interface for setting configuration fields on a per-proxy basis during service registration. This configuration field is intended to be used in situations where a field does not exist in [service defaults configuration entries](/consul/docs/reference/config-entry/service-default) and another annotation does not provide explicit access to one of the Envoy configuration options. ```yaml annotations: "consul.hashicorp.com/proxy-config-map": "{ \"xds_fetch_timeout_ms\": 30000 }" @@ -300,7 +297,7 @@ Resource labels could be used on a Kubernetes service to control connect-inject ### Annotations -The following Kubernetes resource annotations could be used on a pod to [Service Sync](https://developer.hashicorp.com/consul/docs/k8s/service-sync) behavior: +The following Kubernetes resource annotations could be used on a pod to [Service Sync](/consul/docs/register/service/k8s/service-sync) behavior: - `consul.hashicorp.com/service-sync`: If this is set to `true`, then the Kubernetes service is explicitly configured to be synced to Consul. @@ -309,7 +306,7 @@ The following Kubernetes resource annotations could be used on a pod to [Service 'consul.hashicorp.com/service-sync': 'true' ``` -- `consul.hashicorp.com/service-port`: Configures the port to register to the Consul Catalog for the Kubernetes service. The annotation value may be a name of a port (recommended) or an exact port value. Refer to [service ports](https://developer.hashicorp.com/consul/docs/k8s/service-sync#service-ports) for more information. +- `consul.hashicorp.com/service-port`: Configures the port to register to the Consul Catalog for the Kubernetes service. The annotation value may be a name of a port (recommended) or an exact port value. Refer to [service ports](/consul/docs/register/service/k8s/service-sync#service-ports) for more information. ```yaml annotations: @@ -330,7 +327,7 @@ The following Kubernetes resource annotations could be used on a pod to [Service 'consul.hashicorp.com/service-meta-KEY': 'value' ``` -- `consul.hashicorp.com/service-weight:` - Configures ability to support weighted loadbalancing by service annotation for Catalog Sync. The integer provided will be applied as a weight for the `passing` state for the health of the service. Refer to [weights](/consul/docs/services/configuration/services-configuration-reference#weights) in service configuration for more information on how this is leveraged for services in the Consul catalog. +- `consul.hashicorp.com/service-weight:` - Configures ability to support weighted loadbalancing by service annotation for Catalog Sync. The integer provided will be applied as a weight for the `passing` state for the health of the service. Refer to [weights](/consul/docs/reference/service#weights) in service configuration for more information on how this is leveraged for services in the Consul catalog. ```yaml annotations: diff --git a/website/content/docs/connect/gateways/api-gateway/configuration/gateway.mdx b/website/content/docs/reference/k8s/api-gateway/gateway.mdx similarity index 94% rename from website/content/docs/connect/gateways/api-gateway/configuration/gateway.mdx rename to website/content/docs/reference/k8s/api-gateway/gateway.mdx index 2ea1d1e64ee..f8783877933 100644 --- a/website/content/docs/connect/gateways/api-gateway/configuration/gateway.mdx +++ b/website/content/docs/reference/k8s/api-gateway/gateway.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Gateway Resource Configuration +page_title: Gateway resource configuration reference description: >- Learn how to configure the `Gateway` resource to define how the Consul API Gateway handles incoming service mesh traffic with this configuration model and reference specifications. --- -# Gateway Resource Configuration +# Gateway resource configuration reference This topic provides full details about the `Gateway` resource. @@ -13,7 +13,7 @@ This topic provides full details about the `Gateway` resource. A `Gateway` is an instance of network infrastructure that determines how service traffic should be handled. A `Gateway` contains one or more [`listeners`](#listeners) that bind to a set of IP addresses. An `HTTPRoute` or `TCPRoute` can then attach to a gateway listener to direct traffic from the gateway to a service. -Gateway instances derive their configurations from the [`GatewayClass`](/consul/docs/connect/gateways/api-gateway/configuration/gatewayclass) resource, which acts as a template for individual `Gateway` deployments. Refer to [GatewayClass](/consul/docs/connect/gateways/api-gateway/configuration/gatewayclass) for additional information. +Gateway instances derive their configurations from the [`GatewayClass`](/consul/docs/reference/k8s/api-gateway/gatewayclass) resource, which acts as a template for individual `Gateway` deployments. Refer to [GatewayClass](/consul/docs/reference/k8s/api-gateway/gatewayclass) for additional information. Specify the following parameters to declare a `Gateway`: @@ -57,7 +57,7 @@ The following outline shows how to format the configurations in the `Gateway` ob This topic provides details about the configuration parameters. ### gatewayClassName -Specifies the name of the [`GatewayClass`](/consul/docs/connect/gateways/api-gateway/configuration/gatewayclass) resource used for the `Gateway` instance. Unless you are using a custom [GatewayClass](/consul/docs/connect/gateways/api-gateway/configuration/gatewayclass), this value should be set to `consul`. +Specifies the name of the [`GatewayClass`](/consul/docs/reference/k8s/api-gateway/gatewayclass) resource used for the `Gateway` instance. Unless you are using a custom [GatewayClass](/consul/docs/reference/k8s/api-gateway/gatewayclass), this value should be set to `consul`. * Type: string * Required: required @@ -221,10 +221,10 @@ The following example creates a `Gateway` named `example-gateway` in namespace ` - group: gateway.networking.k8s.io kind: Gateway namespace: gateway-namespace - to: - - group: "" - kind: Secret - name: cert + to: + - group: "" + kind: Secret + name: cert ```     diff --git a/website/content/docs/connect/gateways/api-gateway/configuration/gatewayclass.mdx b/website/content/docs/reference/k8s/api-gateway/gatewayclass.mdx similarity index 95% rename from website/content/docs/connect/gateways/api-gateway/configuration/gatewayclass.mdx rename to website/content/docs/reference/k8s/api-gateway/gatewayclass.mdx index 2111e95e83d..4e6349a5902 100644 --- a/website/content/docs/connect/gateways/api-gateway/configuration/gatewayclass.mdx +++ b/website/content/docs/reference/k8s/api-gateway/gatewayclass.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: GatewayClass Resource Configuration +page_title: GatewayClass resource configuration reference description: >- A `GatewayClass` resource specifies a controller name, controller parameters, and global `Gateway` options for Consul API Gateway. Learn about its configuration model and reference specifications, and review an example configuration. --- -# GatewayClass Resource Configuration +# GatewayClass resource configuration reference This topic provides describes how to configure the `GatewayClass` resource, a generic Kubernetes gateway object used as a template for creating `Gateway` resources. @@ -15,7 +15,7 @@ The `GatewayClass` specification includes the name of the controller (`controlle When gateways are created from a `GatewayClass`, they use the parameters specified in the `GatewayClass` at the time of instantiation. -The `GatewayClass` resource is a generic Kubernetes gateway object. For configuration specific to Consul API Gateway, refer to [GatewayClassConfig](/consul/docs/connect/gateways/api-gateway/configuration/gatewayclassconfig). +The `GatewayClass` resource is a generic Kubernetes gateway object. For configuration specific to Consul API Gateway, refer to [GatewayClassConfig](/consul/docs/reference/k8s/api-gateway/gatewayclassconfig). ## Configuration model The following outline shows how to format the configurations in the `GatewayClass` object. Click on a property name to view details about the configuration. diff --git a/website/content/docs/connect/gateways/api-gateway/configuration/gatewayclassconfig.mdx b/website/content/docs/reference/k8s/api-gateway/gatewayclassconfig.mdx similarity index 94% rename from website/content/docs/connect/gateways/api-gateway/configuration/gatewayclassconfig.mdx rename to website/content/docs/reference/k8s/api-gateway/gatewayclassconfig.mdx index 612875db4f7..f3142e305fb 100644 --- a/website/content/docs/connect/gateways/api-gateway/configuration/gatewayclassconfig.mdx +++ b/website/content/docs/reference/k8s/api-gateway/gatewayclassconfig.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: GatewayClassConfig Resource Configuration +page_title: GatewayClassConfig resource configuration reference description: >- The `GatewayClassConfig` resource specifies connection information and settings that Consul API Gateway uses to connect to Consul. Learn about its configuration model and reference specifications, and review an example configuration. --- -# GatewayClassConfig Resource Configuration +# GatewayClassConfig resource configuration reference This topic provides full details about the `GatewayClassConfig` resource. @@ -71,7 +71,7 @@ Set to `true` to enable deployments to run with managed service accounts created * Default: `false` ### consul.authentication.method -Specifies the [Consul auth method](/consul/docs/security/acl/auth-methods) used for initial authentication by Consul API Gateway. +Specifies the [Consul auth method](/consul/docs/secure-consul/acl/auth-methods) used for initial authentication by Consul API Gateway. * Type: string * Required: optional @@ -155,7 +155,7 @@ You can specify the following strings: * `trace` ### mapPrivilegedContainerPorts -Specifies a value that Consul adds to privileged ports defined in the gateway. Privileged ports are port numbers less than 1024 and some platforms, such as Red Hat OpenShift, explicitly configure Kubernetes to avoid running containers on privileged ports. The total value of the configured port number and the `mapPrivilegedContainerPorts` value must not exceed 65535, which is the highest possible TCP port number allowed. +Specifies a value that Consul adds to privileged ports defined in the gateway. Privileged ports are port numbers less than 1024 and some platforms, such as Red Hat OpenShift, explicitly configure Kubernetes to avoid running containers on privileged ports. The total value of the configured port number and the `mapPriviledgedContainerPorts` value must not exceed 65535, which is the highest possible TCP port number allowed. for gateway containers * Type: Integer * Required: optional @@ -184,7 +184,7 @@ You can specify the following strings: * `NodePort`: The gateway is exposed on each Kubernetes node at a static port. * `LoadBalancer`: The gateway is exposed to external traffic by a load balancer. -For more on Kubernetes services, see [Publishing Services](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). +For more on Kubernetes services, refer to [Publishing Services](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). ### useHostPorts If set to `true`, then the Envoy container ports are mapped to host ports. diff --git a/website/content/docs/connect/gateways/api-gateway/configuration/gatewaypolicy.mdx b/website/content/docs/reference/k8s/api-gateway/gatewaypolicy.mdx similarity index 83% rename from website/content/docs/connect/gateways/api-gateway/configuration/gatewaypolicy.mdx rename to website/content/docs/reference/k8s/api-gateway/gatewaypolicy.mdx index f74a9ed77cd..d3e244f1466 100644 --- a/website/content/docs/connect/gateways/api-gateway/configuration/gatewaypolicy.mdx +++ b/website/content/docs/reference/k8s/api-gateway/gatewaypolicy.mdx @@ -1,10 +1,10 @@ --- layout: docs -page_title: GatewayPolicy configuration reference -description: Learn about the configuration options for the GatewayPolicy configuration resource. GatewayPolicy resources define API gateway policies for Consul service mesh on Kubernetes. +page_title: GatewayPolicy resource configuration reference +description: Learn about the configuration options for the GatewayPolicy configuration resource. GatewayPolicy resources define API gateway polcies for Consul service mesh on Kubernetes. --- -# GatewayPolicy +# GatewayPolicy resource configuration reference This topic provides reference information for the API gateway policy resource. These resources define policies for listeners on API gateways deployed to Kubernetes-orchestrated networks. @@ -15,33 +15,33 @@ The following list outlines field hierarchy, data types, and requirements in a g - [`apiVersion`](#apiversion): string | required | must be set to `consul.hashicorp.com/v1alpha1` - [`kind`](#kind): string | required | must be set to `GatewayPolicy` - [`metadata`](#metadata): map | required - - [`name`](#metadata-name): string | required + - [`name`](#metadata-name): string | required - [`namespace`](#metadata-namespace): string | `default` - [`spec`](#spec): map | required - [`targetRef`](#spec-targetref): map | required - - [`namespace`](#spec-targetref): string | `default` - - [`name`](#spec-targetref): string | required + - [`namespace`](#spec-targetref): string | `default` + - [`name`](#spec-targetref): string | required - [`kind`](#spec-targetref): string | required | must be set to `Gateway` - - [`group`](#spec-targetref): string | required - - [`sectionName`](#spec-targetref): string - - [`override`](#spec-override): map | required - - [`jwt`](#spec-override-jwt): map | required - - [`providers`](#spec-override-providers): list | required - - [`name`](#spec-override-providers): string | required - - [`verifyClaims`](#spec-override-providers): map | required - - [`path`](#spec-override-providers): list of strings | required - - [`value`](#spec-override-providers): string | required - - [`default`](#spec-default): map | required - - [`jwt`](#spec-default-jwt): map | required - - [`providers`](#spec-default-providers): list | required - - [`name`](#spec-default-providers): string | required - - [`verifyClaims`](#spec-default-providers): map | required - - [`path`](#spec-default-providers): list of strings | required - - [`value`](#spec-default-providers): string | required + - [`group`](#spec-targetref): string | required + - [`sectionName`](#spec-targetref): string + - [`override`](#spec-override): map | required + - [`jwt`](#spec-override-jwt): map | required + - [`providers`](#spec-override-providers): list | required + - [`name`](#spec-override-providers): string | required + - [`verifyClaims`](#spec-override-providers): map | required + - [`path`](#spec-override-providers): list of strings | required + - [`value`](#spec-override-providers): string | required + - [`default`](#spec-default): map | required + - [`jwt`](#spec-default-jwt): map | required + - [`providers`](#spec-default-providers): list | required + - [`name`](#spec-default-providers): string | required + - [`verifyClaims`](#spec-default-providers): map | required + - [`path`](#spec-default-providers): list of strings | required + - [`value`](#spec-default-providers): string | required ## Complete configuration -When every field is defined, a gateway policy has the following form: +When every field is defined, a gateway policy has the following form: ```yaml apiVersion: consul.hashicorp.com/v1alpha1 @@ -53,7 +53,7 @@ spec: targetRef: name: gateway kind: Gateway - group: gateway.networking.k8s.io/v1beta1 + group: gateway.networking.kuberenetes.io sectionName: override: jwt: @@ -109,7 +109,7 @@ Map that contains an arbitrary name for the resource and the namespace it applie ### `metadata.name` -Specifies a name for the resource. The name is metadata that you can use to reference the resource when performing Consul operations, such as applying the resource to a specific cluster. +Specifies a name for the resource. The name is metadata that you can use to reference the resource when performing Consul operations, such as applying the resource to a specific cluster. #### Values @@ -117,9 +117,9 @@ Specifies a name for the resource. The name is metadata that you can use to refe - This field is required. - Data type: String -### `metadata.namespace` +### `metadata.namespace` -Specifies the namespace that the configuration applies to. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information. +Specifies the namespace that the configuration applies to. Refer to [namespaces](/consul/docs/segment/namespace) for more information. #### Values @@ -138,7 +138,7 @@ Map that contains the details about the gateway policy. The `apiVersion`, `kind` ### `targetRef` -Map that contains references to the gateway that the policy applies to. +Map that contains references to the gateway that the policy applies to. #### Values @@ -153,7 +153,7 @@ The following table describes the members of the `targetRef` map: | `namespace` | Specifies the namespace that the target reference is a member of. | String | `default` | | `name` | Specifies the name of the API gateway that the policy attaches to. | String | None | | `kind` | Specifies the type of resource that the policy attaches to. Must be set to `Gateway`. | String | None | -| `group` | Specifies the resource group. Must be set to `gateway.networking.k8s.io/v1beta1`. | String | None | +| `group` | Specifies the resource group. Must be set to `gateway.networking.kuberenetes.io`. | String | None | | `sectionName` | Specifies a part of the gateway that the policy applies to. | String | None | ### `spec.override` @@ -167,7 +167,7 @@ Map that contains configurations to apply to the listener when the policy is att ### `spec.override.jwt` -Map that contains JWT verification configurations to apply to listeners when the policy is attached to the gateway. The override settings have precedence over the [`default` configurations](#listeners-default) as well as any route-specific JWT configurations defined in [`RouteAuthFilter` configurations](/consul/docs/connect/gateways/api-gateway/configuration/routeauthfilter). +Map that contains JWT verification configurations to apply to listeners when the policy is attached to the gateway. The override settings have precedence over the [`default` configurations](#listeners-default) as well as any route-specific JWT configurations defined in [`RouteAuthFilter` configurations](/consul/docs/reference/k8s/api-gateway/routeauthfilter). #### Values @@ -192,7 +192,7 @@ The following table describes the parameters you can specify in a member of the ### `spec.default` -Map that contains default configurations to apply to listeners when the policy is attached to the gateway. All routes attached to the gateway listener inherit the default configurations. You can specify override configurations that have precedence over default configurations. Refer to [`spec.override`](#spec-override) for details. +Map that contains default configurations to apply to listeners when the policy is attached to the gateway. All routes attached to the gateway listener inherit the default configurations. You can specify override configurations that have precedence over default configurations. Refer to [`spec.override`](#spec-override) for details. #### Values @@ -201,7 +201,7 @@ Map that contains default configurations to apply to listeners when the policy i ### `spec.default.jwt` -Specifies default JWT configurations to apply to listeners when the policy is attached to the gateway. Specify configurations that have precedence over the defaults in either the [`spec.override.JWT` block](#spec-override-jwt) or in an [`RouteAuthFilter`](/consul/docs/connect/gateways/api-gateway/configuration/routeauthfilter) attached to an HTTP route. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) for order of precedence and other details about using JWT verification in API gateways. +Specifies default JWT configurations to apply to listeners when the policy is attached to the gateway. Specify configurations that have precedence over the defaults in either the [`spec.override.JWT` block](#spec-override-jwt) or in an [`RouteAuthFilter`](/consul/docs/reference/k8s/api-gateway/routeauthfilter) attached to an HTTP route. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) for order of precedence and other details about using JWT verification in API gateways. #### Values @@ -210,7 +210,7 @@ Specifies default JWT configurations to apply to listeners when the policy is at ### `spec.default.jwt.providers` -Specifies default JWT provider configurations to apply to the listener when the policy is attached to the gateway. A provider configuration contains the name of the provider and claims. Specify configurations that have precedence over the defaults in either the [`spec.override.JWT.providers` block](#spec-override-jwt) or in an [`RouteAuthFilter`](/consul/docs/connect/gateways/api-gateway/configuration/routeauthfilter) attached to an HTTP route configuration. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) for order of precedence and other details about using JWT verification in API gateways. +Specifies default JWT provider configurations to apply to the listener when the policy is attached to the gateway. A provider configuration contains the name of the provider and claims. Specify configurations that have precedence over the defaults in either the [`spec.override.JWT.providers` block](#spec-override-jwt) or in an [`RouteAuthFilter`](/consul/docs/reference/k8s/api-gateway/routeauthfilter) attached to an HTTP route configuration. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) for order of precedence and other details about using JWT verification in API gateways. #### Values @@ -226,7 +226,7 @@ The following table describes the parameters you can specify in a member of the ## Example configuration -In the following example, all requests through the gateway must have the `api.apps.organization.com` audience claim. Additionally, requests through the gateway must have a `user` role by default. +In the following example, all requests through the gateway must have the `api.apps.organization.com` audience claim. Additionally, requests through the gateway must have a `user` role by default. ```yaml apiVersion: consul.hashicorp.com/v1alpha1 @@ -237,7 +237,7 @@ spec: targetRef: name: gateway kind: Gateway - group: gateway.networking.k8s.io/v1beta1 + group: gateway.networking.kuberenetes.io sectionName: to-server override: jwt: @@ -256,4 +256,4 @@ spec: - "roles" - "perm" value: "user" -``` +``` \ No newline at end of file diff --git a/website/content/docs/connect/gateways/api-gateway/configuration/meshservice.mdx b/website/content/docs/reference/k8s/api-gateway/meshservice.mdx similarity index 87% rename from website/content/docs/connect/gateways/api-gateway/configuration/meshservice.mdx rename to website/content/docs/reference/k8s/api-gateway/meshservice.mdx index c5acd9e8706..a7cf93769c2 100644 --- a/website/content/docs/connect/gateways/api-gateway/configuration/meshservice.mdx +++ b/website/content/docs/reference/k8s/api-gateway/meshservice.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: MeshService Resource Configuration +page_title: MeshService resource configuration reference description: >- The `MeshService` resource specifies a service running outside the Kubernetes cluster but in the same datacenter where the Consul API Gateway is deployed. Learn about its configuration model and reference specifications. --- -# MeshService Resource Configuration +# MeshService resource configuration reference This topic provides full details about the `MeshService` resource. @@ -36,7 +36,7 @@ Specifies the name of the service in the Consul service mesh to send traffic to. ### peer Specifies the name of the peered Consul cluster that exported the service. If not specified, Consul defaults to the local datacenter. -You must apply a [`ServiceResolver`](/consul/docs/connect/config-entries/service-resolver) for the referenced service. The `ServiceResolver` configuration entry enables Consul to resolve routes to upstream service instances. +You must apply a [`ServiceResolver`](/consul/docs/reference/config-entry/service-resolver) for the referenced service. The `ServiceResolver` configuration entry enables Consul to resolve routes to upstream service instances. - Type: string - Required: optional @@ -48,7 +48,7 @@ The following example creates a mesh service called `example-mesh-service`. Rout ```yaml hideClipboard -apiVersion: consul.hashicorp.com/v1alpha1 +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 kind: MeshService metadata: name: example-mesh-service diff --git a/website/content/docs/connect/gateways/api-gateway/configuration/routeauthfilter.mdx b/website/content/docs/reference/k8s/api-gateway/routeauthfilter.mdx similarity index 88% rename from website/content/docs/connect/gateways/api-gateway/configuration/routeauthfilter.mdx rename to website/content/docs/reference/k8s/api-gateway/routeauthfilter.mdx index 27c4974d935..999da3cfa88 100644 --- a/website/content/docs/connect/gateways/api-gateway/configuration/routeauthfilter.mdx +++ b/website/content/docs/reference/k8s/api-gateway/routeauthfilter.mdx @@ -1,10 +1,10 @@ --- layout: docs -page_title: RouteAuthFilter configuration reference -description: Learn how to configure the `RouteAuthFilter` resource, which defines behaviors for gateway listeners that are attached to specific HTTP routes. +page_title: RouteAuthFilter resource configuration reference +description: Learn how to configure the `RouteAuthFilter` resource, which defines behaviors for gateway listeners that are attached to specific HTTP routes. Learn how to define a JSON web token provider (JWT) and a claim to match. --- -# RouteAuthFilter configuration reference +# RouteAuthFilter resource configuration reference This topic provides reference information for the HTTP route auth filter resource, which defines authorization filter configurations for specific routes in Consul service mesh on Kubernetes-orchestrated networks. @@ -74,7 +74,7 @@ Specifies a name for the resource. The name is metadata that you can use to refe ### `metadata.namespace` -Specifies the namespace that the configuration applies to. Refer to [Namespaces](/consul/docs/enterprise/namespaces) for more information. +Specifies the namespace that the configuration applies to. Refer to [Namespaces](/consul/docs/segment/namespace) for more information. #### Values @@ -94,7 +94,7 @@ Map that contains the details about the HTTP route auth filter. The `apiVersion` ### `spec.jwt` -Map that contains JWT verification configurations to apply to listeners when the filter is attached to the route. These route-specific settings have precedence over the `default` configurations, but not `override` JWT configurations, that are defined in the [`GatewayPolicy`](/consul/docs/connect/gateways/api-gateway/configuration/gatewaypolicy) resource. +Map that contains JWT verification configurations to apply to listeners when the filter is attached to the route. These route-specific settings have precedence over the `default` configurations, but not `override` JWT configurations, that are defined in the [`GatewayPolicy`](/consul/docs/reference/k8s/api-gateway/gatewaypolicy) resource. #### Values @@ -103,7 +103,7 @@ Map that contains JWT verification configurations to apply to listeners when the ### `spec.jwt.providers` -Specifies a list of JWT provider configurations to apply to listeners when the filter is attached to the route. A provider configuration contains the name of the provider and claims. The route-specific settings have precedence over the `default` configurations, but not `override` configurations, that are defined in the [`GatewayPolicy`](/consul/docs/connect/gateways/api-gateway/configuration/gatewaypolicy) resource. Refer to [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) for additional information. +Specifies a list of JWT provider configurations to apply to listeners when the filter is attached to the route. A provider configuration contains the name of the provider and claims. The route-specific settings have precedence over the `default` configurations, but not `override` configurations, that are defined in the [`GatewayPolicy`](/consul/docs/reference/k8s/api-gateway/gatewaypolicy) resource. Refer to [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) for additional information. #### Values diff --git a/website/content/docs/connect/gateways/api-gateway/configuration/routeretryfilter.mdx b/website/content/docs/reference/k8s/api-gateway/routeretryfilter.mdx similarity index 95% rename from website/content/docs/connect/gateways/api-gateway/configuration/routeretryfilter.mdx rename to website/content/docs/reference/k8s/api-gateway/routeretryfilter.mdx index 669750c0691..34cd6ca28ef 100644 --- a/website/content/docs/connect/gateways/api-gateway/configuration/routeretryfilter.mdx +++ b/website/content/docs/reference/k8s/api-gateway/routeretryfilter.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: RouteRetryFilter configuration reference +page_title: RouteRetryFilter resource configuration reference description: >- Learn how to configure the `RouteRetryFilter` resource, which defines retry settings for specific routes from an API gateway listener to the destination service in Consul service mesh. --- -# RouteRetryFilter configuration reference +# RouteRetryFilter resource configuration reference This topic provides configuration reference information for details about the `RouteRetryFilter` resource, which defines retry settings for specific routes from an API gateway listener to the destination service in Consul service mesh. @@ -13,7 +13,7 @@ This topic provides configuration reference information for details about the ` Define the one or more configurations in the `spec` to define the retry logic for the route. Refer to the [retry logic example configuration](#example) for additional information. -To apply retry settings to a `HTTPRoute`, set the `rules.filters.type` parameter in an route to `extensionRef` and specify the name of the filter in `rules.filters.extensionRef.name` field. Refer to [Route resource configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/routes) for additional information. +To apply retry settings to a `HTTPRoute`, set the `rules.filters.type` parameter in an route to `extensionRef` and specify the name of the filter in `rules.filters.extensionRef.name` field. Refer to [Route resource configuration reference](/consul/docs/reference/k8s/api-gateway/routes) for additional information. ## Configuration Model @@ -91,7 +91,7 @@ Specifies a name for the resource. The name is metadata that you can use to refe ### `metadata.namespace` -Specifies the namespace that the configuration applies to. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information. +Specifies the namespace that the configuration applies to. Refer to [namespaces](/consul/docs/segment/namespace) for more information. #### Values diff --git a/website/content/docs/connect/gateways/api-gateway/configuration/routes.mdx b/website/content/docs/reference/k8s/api-gateway/routes.mdx similarity index 95% rename from website/content/docs/connect/gateways/api-gateway/configuration/routes.mdx rename to website/content/docs/reference/k8s/api-gateway/routes.mdx index 6723931290e..f513d7f53fb 100644 --- a/website/content/docs/connect/gateways/api-gateway/configuration/routes.mdx +++ b/website/content/docs/reference/k8s/api-gateway/routes.mdx @@ -50,9 +50,9 @@ The following outline shows how to format the configurations for the `Route` obj - [`replacePrefixMatch`](#rules-filters-urlrewrite-path): string | required - [`type`](#rules-filters-urlrewrite-path): string | required - [`extensionRef`](#rules-filters-extensionref): map - - [`group`](#rules-filters-extensionref): string | must be set to `consul.hashicorp.com` - - [`kind`](#rules-filters-extensionref): string | must be set to `RouteAuthFilter` - - [`name`](#rules-filters-extensionref): string | must be set to `consul.hashicorp.com` + - [`group`](#rultes-filters-extensionref): string | must be set to `consul.hashicorp.com` + - [`kind`](#rultes-filters-extensionref): string | must be set to `RouteAuthFilter` + - [`name`](#rultes-filters-extensionref): string | must be set to `consul.hashicorp.com` - [`matches`](#rules-matches): array of objects | optional - [`path`](#rules-matches-path): list of objects | optional - [`type`](#rules-matches-path): string | required @@ -102,7 +102,7 @@ This field specifies backend services that the `Route` references. The following | Parameter | Description | Type | Required | | --- | --- | --- | --- | | `group` | Specifies the Kubernetes API Group of the referenced backend. You can specify the following values:
    • `""`: Specifies the core Kubernetes API group. This value must be used when `kind` is set to `Service`. This is the default value if unspecified.
    • `api-gateway.consul.hashicorp.com`: This value must be used when `kind` is set to `MeshService`.
    | String | Optional | -| `kind` | Specifies the Kubernetes Kind of the referenced backend. You can specify the following values:
    • `Service` (default): Indicates that the `backendRef` references a Service in the Kubernetes cluster.
    • `MeshService`: Indicates that the `backendRef` references a service in the Consul mesh. Refer to the `MeshService` [documentation](/consul/docs/connect/gateways/api-gateway/configuration/meshservice) for additional information.
    | String | Optional | +| `kind` | Specifies the Kubernetes Kind of the referenced backend. You can specify the following values:
    • `Service` (default): Indicates that the `backendRef` references a Service in the Kubernetes cluster.
    • `MeshService`: Indicates that the `backendRef` references a service in the Consul mesh. Refer to the `MeshService` [documentation](/consul/docs/reference/k8s/api-gateway/meshservice) for additional information.
    | String | Optional | | `name` | Specifies the name of the Kubernetes Service or Consul mesh service resource. | String | Required | | `namespace` | Specifies the Kubernetes namespace containing the Kubernetes Service or Consul mesh service resource. You must specify a value if the Service or Consul mesh service is defined in a different namespace from the `Route`. Defaults to the namespace of the `Route`.
    To create a route for a `backendRef` in a different namespace, you must also create a [ReferenceGrant](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferenceGrant). Refer to the [example route](#example-cross-namespace-backendref) configured to reference across namespaces. | String | Optional | | `port` | Specifies the port number for accessing the Kubernetes or Consul service. | Integer | Required | @@ -180,7 +180,7 @@ You can configure the following parameters: | Parameter | Description | Data type | Default | | --- | --- | --- | --- | | `group` | Specifies the resource group. | String | None | -| `kind` | Specifies the type of extension reference. You can specify the following types:
    • `RouteAuthFilter`: Contains JWT verification settings. Refer to [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) for additional information.
    • `RouteRetryFilter`: Defines retry logic for the route if the request is unsuccessful. Refer to [RouteRetryFilter configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/routeretryfilter) for additional information.
    • `RouteTimeoutFilter`: Specifies timeout settings for specific routes. Refer to [RouteTimeoutFilter configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/routetimeoutfilter) for additional information.
    | String | None | +| `kind` | Specifies the type of extension reference. You can specify the following types:
    • `RouteAuthFilter`: Contains JWT verification settings. Refer to [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) for additional information.
    • `RouteRetryFilter`: Defines retry logic for the route if the request is unsuccessful. Refer to [RouteRetryFilter configuration reference](/consul/docs/reference/k8s/api-gateway/routeretryfilter) for additional information.
    • `RouteTimeoutFilter`: Specifies timeout settings for specific routes. Refer to [RouteTimeoutFilter configuration reference](/consul/docs/reference/k8s/api-gateway/routetimeoutfilter) for additional information.
    | String | None | | `name` | Specifies the name of the filter to attach to the route. | String | None | ### `rules.matches` @@ -300,10 +300,10 @@ The following example creates a route named `example-route` in namespace `gatewa - group: gateway.networking.k8s.io kind: HTTPRoute namespace: gateway-namespace - to: - - group: "" - kind: Service - name: echo + to: + - group: "" + kind: Service + name: echo ```     diff --git a/website/content/docs/connect/gateways/api-gateway/configuration/routetimeoutfilter.mdx b/website/content/docs/reference/k8s/api-gateway/routetimeoutfilter.mdx similarity index 80% rename from website/content/docs/connect/gateways/api-gateway/configuration/routetimeoutfilter.mdx rename to website/content/docs/reference/k8s/api-gateway/routetimeoutfilter.mdx index ddb86cde5b1..314add09087 100644 --- a/website/content/docs/connect/gateways/api-gateway/configuration/routetimeoutfilter.mdx +++ b/website/content/docs/reference/k8s/api-gateway/routetimeoutfilter.mdx @@ -1,15 +1,15 @@ --- layout: docs -page_title: RouteTimeoutFilter configuration reference +page_title: RouteTimeoutFilter resource configuration reference description: >- Learn how to configure the `RouteTimeoutFilter` resource, which defines timeout settings for specific routes from an API gateway listener to the destination service in Consul service mesh. --- -# RouteTimeoutFilter configuration reference +# RouteTimeoutFilter resource configuration reference -This topic provides configuration reference information for details about the `RouteTimeoutFilter` resource, which defines timeout settings for specific routes from an API gateway listener to the destination service in Consul service mesh. +This topic provides configuration reference information for details about the `RouteTimeoutFilter` resource, which defines timeout settings for specific routes from an API gateway listener to the destination service in Consul service mesh. -To apply timeout settings to an `HTTPRoute`, set the `rules.filters.type` parameter in the route to `extensionRef` and specify the name of the filter in the `rules.filters.extensionRef.name` field. Refer to [Route resource configuration reference](/consul/docs/connect/gateways/api-gateway/configuration/routes) for additional information. +To apply retry settings to a `HTTPRoute`, set the `rules.filters.type` parameter in an route to `extensionRef` and specify the name of the filter in `rules.filters.extensionRef.name` field. Refer to [Route resource configuration reference](/consul/docs/reference/k8s/api-gateway/routes) for additional information. ## Configuration Model @@ -83,7 +83,7 @@ Specifies a name for the resource. The name is metadata that you can use to refe ### `metadata.namespace` -Specifies the namespace that the configuration applies to. Refer to [namespaces](/consul/docs/enterprise/namespaces) for more information. +Specifies the namespace that the configuration applies to. Refer to [namespaces](/consul/docs/segment/namespace) for more information. #### Values @@ -95,7 +95,7 @@ Specifies the namespace that the configuration applies to. Refer to [namespaces] Map that contains the details about the gateway policy. The `apiVersion`, `kind`, and `metadata` fields are siblings of the `spec` field. All other configurations are children. -### `spec.idleTimeout` +### `spec.idleTimeout Specifies the total amount of time permitted for the request stream to be idle. Must specify a parseable number and a unit, for example "5s". diff --git a/website/content/docs/k8s/helm.mdx b/website/content/docs/reference/k8s/helm.mdx similarity index 90% rename from website/content/docs/k8s/helm.mdx rename to website/content/docs/reference/k8s/helm.mdx index 9315109464f..165bbe0a5a0 100644 --- a/website/content/docs/k8s/helm.mdx +++ b/website/content/docs/reference/k8s/helm.mdx @@ -31,6 +31,7 @@ Use these links to navigate to a particular top-level stanza. - [`meshGateway`](#h-meshgateway) - [`ingressGateways`](#h-ingressgateways) - [`terminatingGateways`](#h-terminatinggateways) +- [`apiGateway`](#h-apigateway) - [`webhookCertManager`](#h-webhookcertmanager) - [`prometheus`](#h-prometheus) - [`tests`](#h-tests) @@ -58,7 +59,7 @@ Use these links to navigate to a particular top-level stanza. the prefix will be `-consul`. - `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for - (Refer to [`-domain`](/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + (Refer to [`-domain`](/consul/docsreference-cli/agent#_domain)) and the domain services synced from Consul into Kubernetes will have, e.g. `service-name.service.consul`. - `peering` ((#v-global-peering)) - Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. @@ -108,9 +109,6 @@ Use these links to navigate to a particular top-level stanza. image that is used for functionality such as catalog sync. This can be overridden per component. - - `imagePullPolicy` ((#v-global-imagepullpolicy)) (`string: ""`) - The image pull policy used globally for images controlled by Consul (consul, consul-dataplane, consul-k8s, consul-telemetry-collector). - One of "IfNotPresent", "Always", "Never", and "". Refer to https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy - - `datacenter` ((#v-global-datacenter)) (`string: dc1`) - The name of the datacenter that the agents should register as. This can't be changed once the Consul cluster is up and running since Consul doesn't support an automatic way to change this value currently: @@ -122,7 +120,7 @@ Use these links to navigate to a particular top-level stanza. - `secretsBackend` ((#v-global-secretsbackend)) - secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled and have necessary secrets, policies and roles created prior to installing Consul. - Refer to [Vault as the Secrets Backend](/consul/docs/k8s/deployment-configurations/vault) + Refer to [Vault as the Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault) documentation for full instructions. The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend @@ -136,9 +134,9 @@ Use these links to navigate to a particular top-level stanza. - `vault` ((#v-global-secretsbackend-vault)) - - `vaultNamespace` ((#v-global-secretsbackend-vault-vaultnamespace)) (`string: ""`) - Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` - agent annotation and [Vault Connect CA namespace](/consul/docs/connect/ca/vault#namespace). - To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. + - `vaultNamespace` ((#v-global-secretsbackend-vault-vaultnamespace)) (`string: ""`) - Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + agent annotation and [Vault Connect CA namespace](/consul/docs/secure-mesh/certificate/vault#namespace). + To override one of these values individually, refer to `agentAnnotations` and `connectCA.additionalConfig`. - `enabled` ((#v-global-secretsbackend-vault-enabled)) (`boolean: false`) - Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. @@ -217,7 +215,7 @@ Use these links to navigate to a particular top-level stanza. The provider will be configured to use the Vault Kubernetes auth method and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` to have permissions to the root and intermediate PKI paths. - Please refer to [Vault ACL policies](/consul/docs/connect/ca/vault#vault-acl-policies) + Please refer to [Vault ACL policies](/consul/docs/secure-mesh/certificate/vault#vault-acl-policies) documentation for information on how to configure the Vault policies. - `address` ((#v-global-secretsbackend-vault-connectca-address)) (`string: ""`) - The address of the Vault server. @@ -225,13 +223,13 @@ Use these links to navigate to a particular top-level stanza. - `authMethodPath` ((#v-global-secretsbackend-vault-connectca-authmethodpath)) (`string: kubernetes`) - The mount path of the Kubernetes auth method in Vault. - `rootPKIPath` ((#v-global-secretsbackend-vault-connectca-rootpkipath)) (`string: ""`) - The path to a PKI secrets engine for the root certificate. - For more details, please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#rootpkipath). + For more details, please refer to [Vault Connect CA configuration](/consul/docs/secure-mesh/certificate/vault#rootpkipath). - `intermediatePKIPath` ((#v-global-secretsbackend-vault-connectca-intermediatepkipath)) (`string: ""`) - The path to a PKI secrets engine for the generated intermediate certificate. - For more details, please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#intermediatepkipath). + For more details, please refer to [Vault Connect CA configuration](/consul/docs/secure-mesh/certificate/vault#intermediatepkipath). - `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional Connect CA configuration in JSON format. - Please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#configuration) + Please refer to [Vault Connect CA configuration](/consul/docs/secure-mesh/certificate/vault#configuration) for all configuration options available for that provider. Example: @@ -264,7 +262,7 @@ Use these links to navigate to a particular top-level stanza. inject webhooks. - `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key. - (Refer to [`-encrypt`](/consul/docs/agent/config/cli-flags#_encrypt)). + (Refer to [`-encrypt`](/consul/docsreference-cli/agent#_encrypt)). By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. The recommended method is to automatically generate the key. To automatically generate and set a gossip encryption key, set autoGenerate to true. @@ -297,17 +295,17 @@ Use these links to navigate to a particular top-level stanza. - `recursors` ((#v-global-recursors)) (`array: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. These values are given as `-recursor` flags to Consul servers and clients. - Refer to [`-recursor`](/consul/docs/agent/config/cli-flags#_recursor) for more details. + Refer to [`-recursor`](/consul/docsreference-cli/agent#_recursor) for more details. If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). - - `tls` ((#v-global-tls)) - Enables [TLS](/consul/tutorials/security/tls-encryption-secure) + - `tls` ((#v-global-tls)) - Enables [TLS](/consul/docs/secure-consul/encryption/tls/builtin) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+. - `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul servers and clients and all consul-k8s-control-plane components, as well as generate certificate authority (optional) and server and client certificates. - This setting is required for [Cluster Peering](/consul/docs/connect/cluster-peering/k8s). + This setting is required for [Cluster Peering](/consul/docs/east-west/cluster-peering/k8s). - `logLevel` ((#v-global-tls-loglevel)) (`string: ""`) - Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". @@ -326,7 +324,7 @@ Use these links to navigate to a particular top-level stanza. - `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`, and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. Set this to false to incrementally roll out TLS on an existing Consul cluster. - Please refer to [TLS on existing clusters](/consul/docs/k8s/operations/tls-on-existing-cluster) + Please refer to [TLS on existing clusters](/consul/docs/secure-mesh/certificate/existing) for more details. - `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on @@ -425,7 +423,7 @@ Use these links to navigate to a particular top-level stanza. - `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the replication token. - - `resources` ((#v-global-acls-resources)) (`map`) - The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + - `resources` ((#v-global-acls-resources)) (`map`) - The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. This should be a YAML map corresponding to a Kubernetes [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) object. @@ -503,7 +501,7 @@ Use these links to navigate to a particular top-level stanza. - `enabled` ((#v-global-federation-enabled)) (`boolean: false`) - If enabled, this datacenter will be federation-capable. Only federation via mesh gateways is supported. Mesh gateways and servers will be configured to allow federation. - Requires `global.tls.enabled`, `connectInject.enabled`, and one of + Requires `global.tls.enabled`, `connectInject.enabled`, and one of `meshGateway.enabled` or `externalServers.enabled` to be true. Requires Consul 1.8+. @@ -525,9 +523,9 @@ Use these links to navigate to a particular top-level stanza. This address must be reachable from the Consul servers in the primary datacenter. This auth method will be used to provision ACL tokens for Consul components and is different from the one used by the Consul Service Mesh. - Please refer to the [Kubernetes Auth Method documentation](/consul/docs/security/acl/auth-methods/kubernetes). + Please refer to the [Kubernetes Auth Method documentation](/consul/docs/secure-consul/acl/auth-methods/kubernetes). - If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and `externalServers.k8sAuthMethodHost` should be set to the same value. You can retrieve this value from your `kubeconfig` by running: @@ -548,12 +546,6 @@ Use these links to navigate to a particular top-level stanza. - `enableAgentMetrics` ((#v-global-metrics-enableagentmetrics)) (`boolean: false`) - Configures consul agent metrics. Only applicable if `global.metrics.enabled` is true. - - `disableAgentHostName` ((#v-global-metrics-disableagenthostname)) (`boolean: false`) - Set to true to stop prepending the machine's hostname to gauge-type metrics. Default is false. - Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. - - - `enableHostMetrics` ((#v-global-metrics-enablehostmetrics)) (`boolean: false`) - Configures consul agent underlying host metrics. Default is false. - Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. - - `agentMetricsRetentionTime` ((#v-global-metrics-agentmetricsretentiontime)) (`string: 1m`) - Configures the retention time for metrics in Consul clients and servers. This must be greater than 0 for Consul clients and servers to expose any metrics at all. @@ -566,128 +558,65 @@ Use these links to navigate to a particular top-level stanza. - `enableTelemetryCollector` ((#v-global-metrics-enabletelemetrycollector)) (`boolean: false`) - Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the consul-telemetry-collector. This includes gateway metrics and sidecar metrics. - - `prefixFilter` ((#v-global-metrics-prefixfilter)) - Configures the list of filter rules to apply for allowing or blocking - metrics by prefix in the following format: - - A leading "+" will enable any metrics with the given prefix, and a leading "-" will block them. - If there is overlap between two rules, the more specific rule will take precedence. - Blocking will take priority if the same prefix is listed multiple times. - - - `allowList` ((#v-global-metrics-prefixfilter-allowlist)) (`array: []`) - - - `blockList` ((#v-global-metrics-prefixfilter-blocklist)) (`array: []`) - - - `datadog` ((#v-global-metrics-datadog)) - Configures consul integration configurations for datadog on kubernetes. - Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. - - - `enabled` ((#v-global-metrics-datadog-enabled)) (`boolean: false`) - Enables datadog [Consul Autodiscovery Integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#metric-collection) - by configuring the required `ad.datadoghq.com/consul.checks` annotation. The following _Consul_ agent metrics/health statuses - are monitored by Datadog unless monitoring via OpenMetrics (Prometheus) or DogStatsD: - - Serf events and member flaps - - The Raft protocol - - DNS performance - - API Endpoints scraped: - - `/v1/agent/metrics?format=prometheus` - - `/v1/agent/self` - - `/v1/status/leader` - - `/v1/status/peers` - - `/v1/catalog/services` - - `/v1/health/service` - - `/v1/health/state/any` - - `/v1/coordinate/datacenters` - - `/v1/coordinate/nodes` - - Setting either `global.metrics.datadog.otlp.enabled=true` or `global.metrics.datadog.dogstatsd.enabled=true` disables the above checks - in lieu of metrics data collection via DogStatsD or by a customer OpenMetrics (Prometheus) collection endpoint. - - ~> **Note:** If you have a [dogstatsd_mapper_profile](https://docs.datadoghq.com/integrations/consul/?tab=host#dogstatsd) configured for Consul - residing on either your Datadog NodeAgent or ClusterAgent the default Consul agent metrics/health status checks will fail. If you do not desire - to utilize DogStatsD metrics emission from Consul, remove this configuration file, and restart your Datadog agent to permit the checks to run. + - `imageConsulDataplane` ((#v-global-imageconsuldataplane)) (`string: hashicorp/consul-dataplane:`) - The name (and tag) of the consul-dataplane Docker image used for the + connect-injected sidecar proxies and mesh, terminating, and ingress gateways. - - `openMetricsPrometheus` ((#v-global-metrics-datadog-openmetricsprometheus)) - Configures Kubernetes Prometheus/OpenMetrics auto-discovery annotations for use with Datadog. - This configuration is less common and more for advanced usage with custom metrics monitoring - configurations. Refer to the [Datadog documentation](https://docs.datadoghq.com/containers/kubernetes/prometheus/?tab=kubernetesadv2) for more details. + - `openshift` ((#v-global-openshift)) - Configuration for running this Helm chart on the Red Hat OpenShift platform. + This Helm chart currently supports OpenShift v4.x+. - - `enabled` ((#v-global-metrics-datadog-openmetricsprometheus-enabled)) (`boolean: false`) + - `enabled` ((#v-global-openshift-enabled)) (`boolean: false`) - If true, the Helm chart will create necessary configuration for running + its components on OpenShift. - - `otlp` ((#v-global-metrics-datadog-otlp)) + - `consulAPITimeout` ((#v-global-consulapitimeout)) (`string: 5s`) - The time in seconds that the consul API client will wait for a response from + the API before cancelling the request. - - `enabled` ((#v-global-metrics-datadog-otlp-enabled)) (`boolean: false`) - Enables forwarding of Consul's Telemetry Collector OTLP metrics for - ingestion by Datadog Agent. + - `cloud` ((#v-global-cloud)) - Enables installing an HCP Consul self-managed cluster. + Requires Consul v1.14+. - - `protocol` ((#v-global-metrics-datadog-otlp-protocol)) (`string: "http"`) - Protocol used for DataDog Endpoint OTLP ingestion. + - `enabled` ((#v-global-cloud-enabled)) (`boolean: false`) - If true, the Helm chart will enable the installation of an HCP Consul + self-managed cluster. - Valid protocol options are one of either: + - `resourceId` ((#v-global-cloud-resourceid)) - The name of the Kubernetes secret that holds the HCP resource id. + This is required when global.cloud.enabled is true. - - "http": will forward to DataDog HTTP OTLP Node Agent Endpoint default - "0.0.0.0:4318" - - "grpc": will forward to DataDog gRPC OTLP Node Agent Endpoint default - "0.0.0.0:4317" + - `secretName` ((#v-global-cloud-resourceid-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the resource id. - - `dogstatsd` ((#v-global-metrics-datadog-dogstatsd)) - Configuration settings for DogStatsD metrics aggregation service - that is bundled with the Datadog Agent. - DogStatsD implements the StatsD protocol and adds a few Datadog-specific extensions: - - Histogram metric type - - Service checks - - Events - - Tagging + - `secretKey` ((#v-global-cloud-resourceid-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the resource id. - - `enabled` ((#v-global-metrics-datadog-dogstatsd-enabled)) (`boolean: false`) + - `clientId` ((#v-global-cloud-clientid)) - The name of the Kubernetes secret that holds the HCP cloud client id. + This is required when global.cloud.enabled is true. - - `socketTransportType` ((#v-global-metrics-datadog-dogstatsd-sockettransporttype)) (`string: "UDS"`) - Sets the socket transport type for dogstatsd: - - "UDS" (Unix Domain Socket): prefixes `unix://` to URL and appends path to socket (i.e., "unix:///var/run/datadog/dsd.socket") - If set, this will create the required [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) mount for - managing [DogStatsD with Unix Domain Socket on Kubernetes](https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=kubernetes). - The volume is mounted using the `DirectoryOrCreate` type, thereby setting `0755` permissions with the same kubelet group ownership. + - `secretName` ((#v-global-cloud-clientid-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the client id. - Applies the following `volumes` and `volumeMounts` to the consul-server stateful set consul containers: + - `secretKey` ((#v-global-cloud-clientid-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the client id. - ```yaml - volumes: - - name: dsdsocket - hostPath: - path: /var/run/datadog - type: DirectoryOrCreate - volumeMounts: - - name: dsdsocket - mountPath: /var/run/datadog - readOnly: true - ``` - - "UDP" (User Datagram Protocol): assigns address to use `hostname/IP:Port` formatted URL for UDP transport to hostIP based - dogstatsd sink (i.e., 127.0.0.1:8125). HostIP of Datadog agent must be reachable and known to Consul server emitting metrics. + - `clientSecret` ((#v-global-cloud-clientsecret)) - The name of the Kubernetes secret that holds the HCP cloud client secret. + This is required when global.cloud.enabled is true. - - `dogstatsdAddr` ((#v-global-metrics-datadog-dogstatsd-dogstatsdaddr)) (`string: "/var/run/datadog/dsd.socket"`) - Sets URL path for dogstatsd: + - `secretName` ((#v-global-cloud-clientsecret-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the client secret. - Can be either a path to unix domain socket or an IP Address or Hostname that's reachable from the - consul-server service, server containers. When using "UDS" the path will be appended. When using "UDP" - the path will be prepended to the specified `dogstatsdPort`. + - `secretKey` ((#v-global-cloud-clientsecret-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the client secret. - - `dogstatsdPort` ((#v-global-metrics-datadog-dogstatsd-dogstatsdport)) (`integer: 0`) - Configures IP based dogstatsd designated port that will be appended to "UDP" based transport socket IP/Hostname URL. + - `apiHost` ((#v-global-cloud-apihost)) - The name of the Kubernetes secret that holds the HCP cloud client id. + This is optional when global.cloud.enabled is true. - If using a kubernetes service based address (i.e., datadog.default.svc.cluster.local), set this to 0 to - mitigate appending a port value to the dogstatsd address field. Resultant address would be "datadog.default.svc.cluster.local" with - default port setting, while appending a non-zero port would result in "172.10.23.6:8125" with a dogstatsdAddr value - of "172.10.23.6". + - `secretName` ((#v-global-cloud-apihost-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the api hostname. - - `dogstatsdTags` ((#v-global-metrics-datadog-dogstatsd-dogstatsdtags)) (`array: ["source:consul","consul_service:consul-server"]`) - Configures datadog [autodiscovery](https://docs.datadoghq.com/containers/kubernetes/log/?tab=operator#autodiscovery) - style [log integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#log-collection) - configuration for Consul. + - `secretKey` ((#v-global-cloud-apihost-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the api hostname. - The default settings should handle most Consul Kubernetes deployment schemes. The resultant annotation - will reside on the consul-server statefulset as autodiscovery annotations. - (i.e., ad.datadoghq.com/consul.logs: ["source:consul","consul_service:consul-server", ""]) + - `authUrl` ((#v-global-cloud-authurl)) - The name of the Kubernetes secret that holds the HCP cloud authorization url. + This is optional when global.cloud.enabled is true. - - `namespace` ((#v-global-metrics-datadog-namespace)) (`string: "default"`) - Namespace + - `secretName` ((#v-global-cloud-authurl-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the authorization url. - - `imageConsulDataplane` ((#v-global-imageconsuldataplane)) (`string: hashicorp/consul-dataplane:`) - The name (and tag) of the consul-dataplane Docker image used for the - connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + - `secretKey` ((#v-global-cloud-authurl-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the authorization url. - - `openshift` ((#v-global-openshift)) - Configuration for running this Helm chart on the Red Hat OpenShift platform. - This Helm chart currently supports OpenShift v4.x+. + - `scadaAddress` ((#v-global-cloud-scadaaddress)) - The name of the Kubernetes secret that holds the HCP cloud scada address. + This is optional when global.cloud.enabled is true. - - `enabled` ((#v-global-openshift-enabled)) (`boolean: false`) - If true, the Helm chart will create necessary configuration for running - its components on OpenShift. + - `secretName` ((#v-global-cloud-scadaaddress-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the scada address. - - `consulAPITimeout` ((#v-global-consulapitimeout)) (`string: 5s`) - The time in seconds that the consul API client will wait for a response from - the API before cancelling the request. + - `secretKey` ((#v-global-cloud-scadaaddress-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the scada address. - `extraLabels` ((#v-global-extralabels)) (`map`) - Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. @@ -714,11 +643,17 @@ Use these links to navigate to a particular top-level stanza. - `experiments` ((#v-global-experiments)) (`array: []`) - Consul feature flags that will be enabled across components. Supported feature flags: + * `resource-apis`: + _**Danger**_! This feature is under active development. It is not + recommended for production use. Setting this flag during an + upgrade could risk breaking your Consul cluster. + If this flag is set, Consul components will use the + V2 resources APIs for all operations. Example: ```yaml - experiments: [ "" ] + experiments: [ "resource-apis" ] ``` ### server ((#h-server)) @@ -816,17 +751,19 @@ Use these links to navigate to a particular top-level stanza. storage classes, the PersistentVolumeClaims would need to be manually created. A `null` value will use the Kubernetes cluster's default StorageClass. If a default StorageClass does not exist, you will need to create one. - Refer to the [Read/Write Tuning](/consul/docs/install/performance#read-write-tuning) + Refer to the [Read/Write Tuning](/consul/docs/deploy/server/vm/requirements#read-write-tuning) section of the Server Performance Requirements documentation for considerations around choosing a performant storage class. - ~> **Note:** The [Reference Architecture](/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) - contains best practices and recommendations for selecting suitable - hardware sizes for your Consul servers. + + + The [Reference Architecture](/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) contains best practices and recommendations for selecting suitable hardware sizes for your Consul servers. + + - `persistentVolumeClaimRetentionPolicy` ((#v-server-persistentvolumeclaimretentionpolicy)) (`map`) - The [Persistent Volume Claim (PVC) retention policy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention) controls if and how PVCs are deleted during the lifecycle of a StatefulSet. - WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted, + WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted, and WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. Example: @@ -843,10 +780,6 @@ Use these links to navigate to a particular top-level stanza. a new CA and set of certificates. Additional service mesh settings can be configured by setting the `server.extraConfig` value or by applying [configuration entries](/consul/docs/connect/config-entries). - - `enableAgentDebug` ((#v-server-enableagentdebug)) (`boolean: false`) - When set to true, enables Consul to report additional debugging information, including runtime profiling (pprof) data. - This setting is only required for clusters without ACL enabled. Sets `enable_debug` in server agent config to `true`. - If you change this setting, you must restart the agent for the change to take effect. Default is false. - - `serviceAccount` ((#v-server-serviceaccount)) - `annotations` ((#v-server-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the server service account. This should be formatted as a multi-line @@ -897,7 +830,7 @@ Use these links to navigate to a particular top-level stanza. control a rolling update of Consul server agents. This value specifies the [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) for performing a rolling update. Please read the linked Kubernetes - and [Upgrade Consul](/consul/docs/k8s/upgrade#upgrading-consul-servers) + and [Upgrade Consul](/consul/docs/upgrade/k8s#upgrading-consul-servers) documentation for more information. - `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) @@ -907,19 +840,13 @@ Use these links to navigate to a particular top-level stanza. cluster. If enabled, it only registers the budget so long as the server cluster is enabled. To disable, set to `false`. - - `maxUnavailable` ((#v-server-disruptionbudget-maxunavailable)) (`integer: null`) - The maximum number of unavailable pods. In most cases you should not change this as it is automatically set to - the correct number when left as null. This setting has been kept to preserve backwards compatibility. - - By default, this is set to 1 internally in the chart. When server pods are stopped gracefully, they leave the Raft - consensus pool. When running an odd number of servers, one server leaving the pool does not change the quorum - size, and so fault tolerance is not affected. However, if more than one server were to leave the pool, the quorum - size would change. That's why this is set to 1 internally and should not be changed in most cases. - + - `maxUnavailable` ((#v-server-disruptionbudget-maxunavailable)) (`integer: null`) - The maximum number of unavailable pods. By default, this will be + automatically computed based on the `server.replicas` value to be `(n/2)-1`. If you need to set this to `0`, you will need to add a --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation command because of a limitation in the Helm templating language. - - `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](/consul/docs/agent/config/config-files) for Consul + - `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](/consul/docs/reference/agent) for Consul servers. This will be saved as-is into a ConfigMap that is read by the Consul server agents. This can be used to add additional configuration that isn't directly exposed by the chart. @@ -1128,7 +1055,7 @@ Use these links to navigate to a particular top-level stanza. ... ``` - - `auditLogs` ((#v-server-auditlogs)) - Added in Consul 1.8, the audit object allow users to enable auditing + - `auditLogs` ((#v-server-auditlogs)) - Added in Consul 1.8, the audit object allow users to enable auditing and configure a sink and filters for their audit logs. Please refer to [audit logs](/consul/docs/enterprise/audit-logging) documentation for further information. @@ -1136,7 +1063,7 @@ Use these links to navigate to a particular top-level stanza. - `enabled` ((#v-server-auditlogs-enabled)) (`boolean: false`) - Controls whether Consul logs out each time a user performs an operation. global.acls.manageSystemACLs must be enabled to use this feature. - - `sinks` ((#v-server-auditlogs-sinks)) (`array`) - A single entry of the sink object provides configuration for the destination to which Consul + - `sinks` ((#v-server-auditlogs-sinks)) (`array`) - A single entry of the sink object provides configuration for the destination to which Consul will log auditing events. Example: @@ -1151,7 +1078,7 @@ Use these links to navigate to a particular top-level stanza. rotate_duration: 24h rotate_max_files: 15 rotate_bytes: 25165824 - + ``` The sink object supports the following keys: @@ -1199,14 +1126,14 @@ Use these links to navigate to a particular top-level stanza. queries are allowed to happen. In any large enough time interval, rate limiter limits the rate to RequestLimitsReadRate tokens per second. - See https://en.wikipedia.org/wiki/Token_bucket for more about token + Refer to https://en.wikipedia.org/wiki/Token_bucket for more about token buckets. - `writeRate` ((#v-server-limits-requestlimits-writerate)) (`integer: -1`) - Setting that controls how frequently RPC, gRPC, and HTTP writes are allowed to happen. In any large enough time interval, rate limiter limits the rate to RequestLimitsWriteRate tokens per second. - See https://en.wikipedia.org/wiki/Token_bucket for more about token + Refer to https://en.wikipedia.org/wiki/Token_bucket for more about token buckets. ### externalServers ((#h-externalservers)) @@ -1227,13 +1154,13 @@ Use these links to navigate to a particular top-level stanza. Note: If enabling clients, `client.join` must also be set to the hosts that should be used to join the cluster. In most cases, the `client.join` values should be the same, however, they may be different if you - wish to use separate hosts for the HTTPS connections. `tlsServerName` is required if TLS is enabled and 'hosts' is not a DNS name. + wish to use separate hosts for the HTTPS connections. - `httpsPort` ((#v-externalservers-httpsport)) (`integer: 8501`) - The HTTPS port of the Consul servers. - `grpcPort` ((#v-externalservers-grpcport)) (`integer: 8502`) - The GRPC port of the Consul servers. - - `tlsServerName` ((#v-externalservers-tlsservername)) (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS. This name also appears as the hostname in the server certificate's subject field. + - `tlsServerName` ((#v-externalservers-tlsservername)) (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS. - `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, consul-k8s-control-plane components will ignore the CA set in `global.tls.caCert` when making HTTPS calls to Consul servers and @@ -1246,9 +1173,9 @@ Use these links to navigate to a particular top-level stanza. - `k8sAuthMethodHost` ((#v-externalservers-k8sauthmethodhost)) (`string: null`) - If you are setting `global.acls.manageSystemACLs` and `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. This address must be reachable from the Consul servers. - Please refer to the [Kubernetes Auth Method documentation](/consul/docs/security/acl/auth-methods/kubernetes). + Please refer to the [Kubernetes Auth Method documentation](/consul/docs/secure-consul/acl/auth-methods/kubernetes). - If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and `externalServers.k8sAuthMethodHost` should be set to the same value. You could retrieve this value from your `kubeconfig` by running: @@ -1274,7 +1201,7 @@ Use these links to navigate to a particular top-level stanza. - `image` ((#v-client-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers running Consul client agents. - - `join` ((#v-client-join)) (`array: null`) - A list of valid [`-retry-join` values](/consul/docs/agent/config/cli-flags#_retry_join). + - `join` ((#v-client-join)) (`array: null`) - A list of valid [`-retry-join` values](/consul/docsreference-cli/agent#_retry_join). If this is `null` (default), then the clients will attempt to automatically join the server cluster running within Kubernetes. This means that with `server.enabled` set to true, clients will automatically @@ -1295,7 +1222,7 @@ Use these links to navigate to a particular top-level stanza. required for Connect. - `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node - (refer to [`-node-meta`](/consul/docs/agent/config/cli-flags#_node_meta)) + (refer to [`-node-meta`](/consul/docsreference-cli/agent#_node_meta)) - `pod-name` ((#v-client-nodemeta-pod-name)) (`string: ${HOSTNAME}`) @@ -1339,7 +1266,7 @@ Use these links to navigate to a particular top-level stanza. - `tlsInit` ((#v-client-containersecuritycontext-tlsinit)) (`map`) - The tls-init initContainer - - `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](/consul/docs/agent/config/config-files) for Consul + - `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](/consul/docs/reference/agent) for Consul clients. This will be saved as-is into a ConfigMap that is read by the Consul client agents. This can be used to add additional configuration that isn't directly exposed by the chart. @@ -1605,16 +1532,16 @@ Use these links to navigate to a particular top-level stanza. will inherit from `global.metrics.enabled` value. - `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. Refer to - [`metrics_provider`](/consul/docs/agent/config/config-files#ui_config_metrics_provider) + [`metrics_provider`](/consul/docs/reference/agent#ui_config_metrics_provider) This value is only used if `ui.enabled` is set to true. - `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL. This value is only used if `ui.enabled` is set to true. - - `dashboardURLTemplates` ((#v-ui-dashboardurltemplates)) - Corresponds to [`dashboard_url_templates`](/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + - `dashboardURLTemplates` ((#v-ui-dashboardurltemplates)) - Corresponds to [`dashboard_url_templates`](/consul/docs/reference/agent#ui_config_dashboard_url_templates) configuration. - - `service` ((#v-ui-dashboardurltemplates-service)) (`string: ""`) - Sets [`dashboardURLTemplates.service`](/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + - `service` ((#v-ui-dashboardurltemplates-service)) (`string: ""`) - Sets [`dashboardURLTemplates.service`](/consul/docs/reference/agent#ui_config_dashboard_url_templates_service). ### syncCatalog ((#h-synccatalog)) @@ -1634,7 +1561,7 @@ Use these links to navigate to a particular top-level stanza. to run the sync program. - `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are - synced by default. If false, the service must be [annotated](/consul/docs/k8s/service-sync#enable-and-disable-sync) + synced by default. If false, the service must be [annotated](/consul/docs/register/service/k8s/service-sync#enable-and-disable-sync) properly to sync. In either case an annotation can override the default. @@ -1732,9 +1659,6 @@ Use these links to navigate to a particular top-level stanza. or may not be broadly accessible depending on your Kubernetes cluster. Set this to false to skip syncing ClusterIP services. - - `syncLoadBalancerEndpoints` ((#v-synccatalog-syncloadbalancerendpoints)) (`boolean: false`) - If true, LoadBalancer service endpoints instead of ingress addresses will be synced to Consul. - If false, LoadBalancer endpoints are not synced to Consul. - - `ingress` ((#v-synccatalog-ingress)) - `enabled` ((#v-synccatalog-ingress-enabled)) (`boolean: false`) - Syncs the hostname from a Kubernetes Ingress resource to service registrations @@ -1871,7 +1795,7 @@ Use these links to navigate to a particular top-level stanza. These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. If this setting is false, you will need to install the Gateway API CRDs manually. - - `manageNonStandardCRDs` ((#v-connectinject-apigateway-managenonstandardcrds)) (`boolean: false`) - Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + - `manageNonStandardCRDs` ((#v-connectinject-apigateway-managenonstandardcrds)) (`boolean: false`) - Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService will be installed. @@ -1905,15 +1829,6 @@ Use these links to navigate to a particular top-level stanza. - external-dns.alpha.kubernetes.io/hostname ``` - - `metrics` ((#v-connectinject-apigateway-managedgatewayclass-metrics)) - Metrics settings for gateways created with this gateway class configuration. - - - `enabled` ((#v-connectinject-apigateway-managedgatewayclass-metrics-enabled)) (`boolean: -`) - This value enables or disables metrics collection on a gateway, overriding the global gateway metrics collection settings. - - - `port` ((#v-connectinject-apigateway-managedgatewayclass-metrics-port)) (`int: null`) - This value sets the port to use for scraping gateway metrics via prometheus, defaults to 20200 if not set. Must be in the port - range of 1024-65535. - - - `path` ((#v-connectinject-apigateway-managedgatewayclass-metrics-path)) (`string: null`) - This value sets the path to use for scraping gateway metrics via prometheus, defaults to /metrics if not set. - - `resources` ((#v-connectinject-apigateway-managedgatewayclass-resources)) (`map`) - The resource settings for Pods handling traffic for Gateway API. - `deployment` ((#v-connectinject-apigateway-managedgatewayclass-deployment)) - This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways @@ -2199,8 +2114,8 @@ Use these links to navigate to a particular top-level stanza. If set to an empty string all service accounts can log in. This only has effect if ACLs are enabled. - Refer to Auth methods [Binding rules](/consul/docs/security/acl/auth-methods#binding-rules) - and [Trusted identiy attributes](/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + Refer to Auth methods [Binding rules](/consul/docs/secure-consul/acl/auth-methods#binding-rules) + and [Trusted identiy attributes](/consul/docs/secure-consul/acl/auth-methods/kubernetes#trusted-identity-attributes) for more details. Requires Consul >= v1.5. @@ -2258,30 +2173,21 @@ Use these links to navigate to a particular top-level stanza. - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` - - `consul.hashicorp.com/sidecar-proxy-lifecycle-startup-grace-period-seconds` - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` - - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-startup-path` - - `defaultEnabled` ((#v-connectinject-sidecarproxy-lifecycle-defaultenabled)) (`boolean: true`) + - `defaultEnabled` ((#v-connectinject-sidecarproxy-lifecycle-defaultenabled)) (`boolean: true`) - - `defaultEnableShutdownDrainListeners` ((#v-connectinject-sidecarproxy-lifecycle-defaultenableshutdowndrainlisteners)) (`boolean: true`) + - `defaultEnableShutdownDrainListeners` ((#v-connectinject-sidecarproxy-lifecycle-defaultenableshutdowndrainlisteners)) (`boolean: true`) - - `defaultShutdownGracePeriodSeconds` ((#v-connectinject-sidecarproxy-lifecycle-defaultshutdowngraceperiodseconds)) (`integer: 30`) + - `defaultShutdownGracePeriodSeconds` ((#v-connectinject-sidecarproxy-lifecycle-defaultshutdowngraceperiodseconds)) (`integer: 30`) - - `defaultStartupGracePeriodSeconds` ((#v-connectinject-sidecarproxy-lifecycle-defaultstartupgraceperiodseconds)) (`integer: 0`) + - `defaultGracefulPort` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulport)) (`integer: 20600`) - - `defaultGracefulPort` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulport)) (`integer: 20600`) + - `defaultGracefulShutdownPath` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulshutdownpath)) (`string: /graceful_shutdown`) - - `defaultGracefulShutdownPath` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulshutdownpath)) (`string: /graceful_shutdown`) - - - `defaultGracefulStartupPath` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulstartuppath)) (`string: /graceful_startup`) - - - `defaultStartupFailureSeconds` ((#v-connectinject-sidecarproxy-defaultstartupfailureseconds)) (`integer: 0`) - Configures how long the k8s startup probe will wait before the proxy is considered to be unhealthy and the container is restarted. - A value of zero disables the probe. - - - `defaultLivenessFailureSeconds` ((#v-connectinject-sidecarproxy-defaultlivenessfailureseconds)) (`integer: 0`) - Configures how long the k8s liveness probe will wait before the proxy is considered to be unhealthy and the container is restarted. - A value of zero disables the probe. + - `defaultStartupFailureSeconds` ((#v-connectinject-sidecarproxy-defaultstartupfailureseconds)) (`integer: 0`) - Enables a startup probe that polls the Envoy sidecar health every second. When a container fails health checks consecutively for this period of time during startup, K8s restarts the container according to its [`restartPolicy`](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy). A value of `0` disables the probe. + - `defaultLivenessFailureSeconds` ((#v-connectinject-sidecarproxy-defaultlivenessfailureseconds)) (`integer: 0`) - Enables a liveness probe that polls the Envoy sidecar health every second. When a container fails health checks for this period of time, K8s restarts the container according to its [`restartPolicy`](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy). A value of `0` disables the probe. - `initContainer` ((#v-connectinject-initcontainer)) (`map`) - The resource settings for the Connect injected init container. If null, the resources won't be set for the initContainer. The defaults are optimized for developer instances of @@ -2303,11 +2209,11 @@ Use these links to navigate to a particular top-level stanza. ### meshGateway ((#h-meshgateway)) -- `meshGateway` ((#v-meshgateway)) - [Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +- `meshGateway` ((#v-meshgateway)) - [Mesh Gateways](/consul/docs/east-west/mesh-gateway/) enable Consul Connect to work across Consul datacenters. - - `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If [mesh gateways](/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + - `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If [mesh gateways](/consul/docs/east-west/mesh-gateway/) are enabled, a Deployment will be created that runs gateways and Consul service mesh will be configured to use gateways. - This setting is required for [Cluster Peering](/consul/docs/connect/cluster-peering/k8s). + This setting is required for [Cluster Peering](/consul/docs/east-west/cluster-peering/k8s). Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. - `logLevel` ((#v-meshgateway-loglevel)) (`string: ""`) - Override global log verbosity level for mesh-gateway-deployment pods. One of "trace", "debug", "info", "warn", or "error". @@ -2589,8 +2495,8 @@ Use these links to navigate to a particular top-level stanza. - `gateways` ((#v-ingressgateways-gateways)) (`array`) - Gateways is a list of gateway objects. The only required field for each is `name`, though they can also contain any of the fields in - `defaults`. You must provide a unique name for each ingress gateway. These names - must be unique across different namespaces. + `defaults`. You must provide a unique name for each ingress gateway. These names + must be unique across different namespaces. Values defined here override the defaults, except in the case of annotations where both will be applied. - `name` ((#v-ingressgateways-gateways-name)) (`string: ingress-gateway`) @@ -2712,6 +2618,123 @@ Use these links to navigate to a particular top-level stanza. - `name` ((#v-terminatinggateways-gateways-name)) (`string: terminating-gateway`) +### apiGateway ((#h-apigateway)) + +- `apiGateway` ((#v-apigateway)) - [DEPRECATED] Use connectInject.apiGateway instead. + Configuration settings for the Consul API Gateway integration + + - `enabled` ((#v-apigateway-enabled)) (`boolean: false`) - When true the helm chart will install the Consul API Gateway controller + + - `image` ((#v-apigateway-image)) (`string: null`) - Image to use for the api-gateway-controller pods and gateway instances + + + + Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + + + + - `imageEnvoy` ((#v-apigateway-imageenvoy)) (`string: envoyproxy/envoy:`) - The name (and tag) of the Envoy Docker image used for the + apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + + - `logLevel` ((#v-apigateway-loglevel)) (`string: info`) - Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + + - `managedGatewayClass` ((#v-apigateway-managedgatewayclass)) - Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + + - `enabled` ((#v-apigateway-managedgatewayclass-enabled)) (`boolean: true`) - When true a GatewayClass is configured to automatically work with Consul as installed by helm. + + - `nodeSelector` ((#v-apigateway-managedgatewayclass-nodeselector)) (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + labels for gateway pod assignment, formatted as a multi-line string. + + Example: + + ```yaml + nodeSelector: | + beta.kubernetes.io/arch: amd64 + ``` + + - `tolerations` ((#v-apigateway-managedgatewayclass-tolerations)) (`string: null`) - Toleration settings for gateway pods created with the managed gateway class. + This should be a multi-line string matching the + [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + + - `serviceType` ((#v-apigateway-managedgatewayclass-servicetype)) (`string: LoadBalancer`) - This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + + - `useHostPorts` ((#v-apigateway-managedgatewayclass-usehostports)) (`boolean: false`) - This value toggles if the gateway ports should be mapped to host ports + + - `copyAnnotations` ((#v-apigateway-managedgatewayclass-copyannotations)) - Configuration settings for annotations to be copied from the Gateway to other child resources. + + - `service` ((#v-apigateway-managedgatewayclass-copyannotations-service)) (`string: null`) - This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + + Example: + + ```yaml + service: + annotations: | + - external-dns.alpha.kubernetes.io/hostname + ``` + + - `deployment` ((#v-apigateway-managedgatewayclass-deployment)) (`map`) - This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + + Example: + + ```yaml + deployment: + defaultInstances: 3 + maxInstances: 8 + minInstances: 1 + ``` + + - `serviceAccount` ((#v-apigateway-serviceaccount)) - Configuration for the ServiceAccount created for the api-gateway component + + - `annotations` ((#v-apigateway-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the client service account. This should be formatted as a multi-line + string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + + - `controller` ((#v-apigateway-controller)) - Configuration for the api-gateway controller component + + - `replicas` ((#v-apigateway-controller-replicas)) (`integer: 1`) - This value sets the number of controller replicas to deploy. + + - `annotations` ((#v-apigateway-controller-annotations)) (`string: null`) - Annotations to apply to the api-gateway-controller pods. + + ```yaml + annotations: | + "annotation-key": "annotation-value" + ``` + + - `priorityClassName` ((#v-apigateway-controller-priorityclassname)) (`string: ""`) - This value references an existing + Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + that can be assigned to api-gateway-controller pods. + + - `nodeSelector` ((#v-apigateway-controller-nodeselector)) (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + labels for api-gateway-controller pod assignment, formatted as a multi-line string. + + Example: + + ```yaml + nodeSelector: | + beta.kubernetes.io/arch: amd64 + ``` + + - `tolerations` ((#v-apigateway-controller-tolerations)) (`string: null`) - This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + + - `service` ((#v-apigateway-controller-service)) - Configuration for the Service created for the api-gateway-controller + + - `annotations` ((#v-apigateway-controller-service-annotations)) (`string: null`) - Annotations to apply to the api-gateway-controller service. + + ```yaml + annotations: | + "annotation-key": "annotation-value" + ``` + + - `resources` ((#v-apigateway-resources)) (`map`) - The resource settings for api gateway pods. + + - `initCopyConsulContainer` ((#v-apigateway-initcopyconsulcontainer)) (`map`) - The resource settings for the `copy-consul-bin` init container. + ### webhookCertManager ((#h-webhookcertmanager)) - `webhookCertManager` ((#v-webhookcertmanager)) - Configuration settings for the webhook-cert-manager @@ -2771,7 +2794,7 @@ Use these links to navigate to a particular top-level stanza. - `service` ((#v-telemetrycollector-service)) - - `annotations` ((#v-telemetrycollector-service-annotations)) (`string: null`) - This value defines additional annotations for the telemetry-collector's service account. This should be formatted as a multi-line + - `annotations` ((#v-telemetrycollector-service-annotations)) (`string: null`) - This value defines additional annotations for the server service account. This should be formatted as a multi-line string. ```yaml @@ -2791,6 +2814,20 @@ Use these links to navigate to a particular top-level stanza. "sample/annotation2": "bar" ``` + - `cloud` ((#v-telemetrycollector-cloud)) + + - `clientId` ((#v-telemetrycollector-cloud-clientid)) + + - `secretName` ((#v-telemetrycollector-cloud-clientid-secretname)) (`string: null`) + + - `secretKey` ((#v-telemetrycollector-cloud-clientid-secretkey)) (`string: null`) + + - `clientSecret` ((#v-telemetrycollector-cloud-clientsecret)) + + - `secretName` ((#v-telemetrycollector-cloud-clientsecret-secretname)) (`string: null`) + + - `secretKey` ((#v-telemetrycollector-cloud-clientsecret-secretkey)) (`string: null`) + - `initContainer` ((#v-telemetrycollector-initcontainer)) - `resources` ((#v-telemetrycollector-initcontainer-resources)) (`map`) - The resource settings for consul-telemetry-collector initContainer. @@ -2799,7 +2836,7 @@ Use these links to navigate to a particular top-level stanza. - `priorityClassName` ((#v-telemetrycollector-priorityclassname)) (`string: ""`) - Optional priorityClassName. - - `extraEnvironmentVars` ((#v-telemetrycollector-extraenvironmentvars)) (`map`) - A list of extra environment variables to set within the deployment. + - `extraEnvironmentVars` ((#v-telemetrycollector-extraenvironmentvars)) (`map`) - A list of extra environment variables to set within the stateful set. These could be used to include proxy settings required for cloud auto-join feature, in case kubernetes cluster is behind egress http proxies. Additionally, it could be used to configure custom consul parameters. @@ -2855,4 +2892,4 @@ If you need to extend the Helm chart with additional options, we recommend using such as [kustomize](https://github.com/kubernetes-sigs/kustomize) or [ship](https://github.com/replicatedhq/ship). Note that the Helm chart heavily relies on Helm lifecycle hooks, and so features like bootstrapping ACLs or TLS will not work as expected. Additionally, we can make changes to the internal implementation (e.g., renaming template files) that -may be backward incompatible with such customizations. +may be backward incompatible with such customizations. \ No newline at end of file diff --git a/website/content/docs/enterprise/namespaces.mdx b/website/content/docs/reference/namespace.mdx similarity index 70% rename from website/content/docs/enterprise/namespaces.mdx rename to website/content/docs/reference/namespace.mdx index d692ee4b9d0..cb75add5a64 100644 --- a/website/content/docs/enterprise/namespaces.mdx +++ b/website/content/docs/reference/namespace.mdx @@ -1,34 +1,42 @@ --- -layout: docs -page_title: Namespaces (Enterprise) -description: >- +page_title: Namespaces definition reference +description: |- Namespaces reduce operational challenges in large deployments. Learn how to define a namespace so that multiple users or teams can access and use the same datacenter without impacting each other. --- -# Consul Enterprise Namespaces +# Namespace definition reference - +Namespaces are managed exclusively through the [HTTP API](/consul/api-docs/namespaces) and the [Consul CLI](/consul/commands/namespace). +The HTTP API accepts only JSON formatted definitions while the CLI will parse either JSON or HCL. -This feature requires -HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. -Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. +## Fields - +- `Name` `(string: )` - The namespaces name must be a valid DNS hostname label. -With Consul Enterprise 1.7.0+, data for different users or teams -can be isolated from each other with the use of namespaces. Namespaces help reduce operational challenges -by removing restrictions around uniqueness of resource names across distinct teams, and enable operators -to provide self-service through delegation of administrative privileges. +- `Description` `(string: "")` - This field is intended to be a human readable description of the + namespace's purpose. It is not used internally. -For more information on how to use namespaces with Consul Enterprise please review the following tutorials: +- `ACLs` `(object: )` - This fields is a nested JSON/HCL object to contain the namespaces + ACL configuration. -- [Register and Discover Services within Namespaces](/consul/tutorials/namespaces/namespaces-share-datacenter-access?utm_source=docs) - Register multiple services within different namespaces in Consul. -- [Setup Secure Namespaces](/consul/tutorials/namespaces/namespaces-secure-shared-access?utm_source=docs) - Secure resources within a namespace and delegate namespace ACL rights via ACL tokens. + - `PolicyDefaults` `(array)` - A list of default policies to be applied to all tokens + created in this namespace. The ACLLink object can contain an `ID` and/or `Name` field. When the + policies ID is omitted Consul will resolve the name to an ID before writing the namespace + definition internally. Note that all policies linked in a namespace definition must be defined + within the `default` namespace, and the ACL token used to create or edit the + namespace must have [`acl:write` access](/consul/docs/security/acl/acl-rules#acl-resource-rules) to the linked policy. -## Namespace Definition + - `RoleDefaults` `(array)` - A list of default roles to be applied to all tokens + created in this namespace. The ACLLink object can contain an `ID` and/or `Name` field. When the + roles' ID is omitted Consul will resolve the name to an ID before writing the namespace + definition internally. Note that all roles linked in a namespace definition must be defined + within the `default` namespace, and the ACL token used to create or edit the + namespace must have [`acl:write` access](/consul/docs/security/acl/acl-rules#acl-resource-rules) to the linked role. -Namespaces are managed exclusively through the [HTTP API](/consul/api-docs/namespaces) and the [Consul CLI](/consul/commands/namespace). -The HTTP API accepts only JSON formatted definitions while the CLI will parse either JSON or HCL. +- `Meta` `(map: )` - Specifies arbitrary KV metadata to associate with + this namespace. + +## Examples An example namespace definition looks like the following: @@ -89,30 +97,3 @@ Meta { ``` - -### Fields - -- `Name` `(string: )` - The namespaces name must be a valid DNS hostname label. - -- `Description` `(string: "")` - This field is intended to be a human readable description of the - namespace's purpose. It is not used internally. - -- `ACLs` `(object: )` - This fields is a nested JSON/HCL object to contain the namespaces - ACL configuration. - - - `PolicyDefaults` `(array)` - A list of default policies to be applied to all tokens - created in this namespace. The ACLLink object can contain an `ID` and/or `Name` field. When the - policies ID is omitted Consul will resolve the name to an ID before writing the namespace - definition internally. Note that all policies linked in a namespace definition must be defined - within the `default` namespace, and the ACL token used to create or edit the - namespace must have [`acl:write` access](/consul/docs/security/acl/acl-rules#acl-resource-rules) to the linked policy. - - - `RoleDefaults` `(array)` - A list of default roles to be applied to all tokens - created in this namespace. The ACLLink object can contain an `ID` and/or `Name` field. When the - roles' ID is omitted Consul will resolve the name to an ID before writing the namespace - definition internally. Note that all roles linked in a namespace definition must be defined - within the `default` namespace, and the ACL token used to create or edit the - namespace must have [`acl:write` access](/consul/docs/security/acl/acl-rules#acl-resource-rules) to the linked role. - -- `Meta` `(map: )` - Specifies arbitrary KV metadata to associate with - this namespace. diff --git a/website/content/docs/connect/proxies/built-in.mdx b/website/content/docs/reference/proxy/built-in.mdx similarity index 72% rename from website/content/docs/connect/proxies/built-in.mdx rename to website/content/docs/reference/proxy/built-in.mdx index 93ec90bcb4e..6eabfafd092 100644 --- a/website/content/docs/connect/proxies/built-in.mdx +++ b/website/content/docs/reference/proxy/built-in.mdx @@ -1,15 +1,19 @@ --- layout: docs -page_title: Built-in Proxy Configuration | Service Mesh +page_title: Built-in proxy configuration reference description: >- Consul includes a built-in L4 proxy with limited capabilities to use for development and testing only. Use the built-in proxy config key reference to learn about the options you can configure. --- -# Built-in Proxy Configuration for Service Mesh +# Built-in proxy configuration reference -~> **Note:** The built-in proxy is not supported for production deployments. It does not + + +The built-in proxy is not supported for production deployments. It does not support many of Consul's service mesh features, and is not under active development. -The [Envoy proxy](/consul/docs/connect/proxies/envoy) should be used for production deployments. +The [Envoy proxy](/consul/docs/reference/proxy/envoy) should be used for production deployments. + + Consul comes with a built-in L4 proxy for testing and development with Consul service mesh. @@ -24,25 +28,23 @@ for the built-in proxy. "service": { "name": "example-service", "connect": { - "sidecar_service": { - "proxy": { - "config": { - "bind_address": "0.0.0.0", - "bind_port": 20000, - "local_service_address": "127.0.0.1:1234", - "local_connect_timeout_ms": 1000, - "handshake_timeout_ms": 10000, - "upstreams": [] - }, - "upstreams": [ - { - "destination_name": "example-upstream", - "config": { - "connect_timeout_ms": 1000 - } + "proxy": { + "config": { + "bind_address": "0.0.0.0", + "bind_port": 20000, + "local_service_address": "127.0.0.1:1234", + "local_connect_timeout_ms": 1000, + "handshake_timeout_ms": 10000, + "upstreams": [] + }, + "upstreams": [ + { + "destination_name": "example-upstream", + "config": { + "connect_timeout_ms": 1000 } - ] - } + } + ] } } } @@ -56,8 +58,8 @@ All fields are optional with a reasonable default. - `bind_port` - The port the proxy will bind its _public_ mTLS listener to. If not provided, the agent will assign a random port from its - configured proxy port range specified by [`sidecar_min_port`](/consul/docs/agent/config/config-files#sidecar_min_port) - and [`sidecar_max_port`](/consul/docs/agent/config/config-files#sidecar_max_port). + configured proxy port range specified by [`sidecar_min_port`](/consul/docs/reference/agent#sidecar_min_port) + and [`sidecar_max_port`](/consul/docs/reference/agent#sidecar_max_port). - `local_service_address`- The `[address]:port` that the proxy should use to connect to the local application instance. By default @@ -79,7 +81,7 @@ All fields are optional with a reasonable default. - `upstreams`- **Deprecated** Upstreams are now specified in the `connect.proxy` definition. Upstreams specified in the opaque config map here will continue to work for compatibility but it's strongly recommended that - you move to using the higher level [upstream configuration](/consul/docs/connect/proxies/proxy-config-reference#upstream-configuration-reference). + you move to using the higher level [upstream configuration](/consul/docs/reference/proxy/connect-proxy#upstream-configuration-reference). ## Proxy Upstream Config Key Reference diff --git a/website/content/docs/connect/proxies/proxy-config-reference.mdx b/website/content/docs/reference/proxy/connect-proxy.mdx similarity index 92% rename from website/content/docs/connect/proxies/proxy-config-reference.mdx rename to website/content/docs/reference/proxy/connect-proxy.mdx index 2d64f0e225b..11904ea4b03 100644 --- a/website/content/docs/connect/proxies/proxy-config-reference.mdx +++ b/website/content/docs/reference/proxy/connect-proxy.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Service mesh proxy configuration reference +page_title: Connect proxy configuration reference description: >- You can register a service mesh sidecar proxy separately from the registration of the service instance it fronts. Learn about proxy configuration options and how to format them with examples. --- -# Service mesh proxy configuration +# Connect proxy configuration reference This topic describes how to declare a service mesh proxy in a service definition. The `kind` must be declared and information about the service they represent must be provided to function as a Consul service mesh proxy. @@ -48,7 +48,7 @@ The following table describes the parameters that must be added to the service d | `port` | Integer value that specifies the port where other services in the mesh can discover and connect to proxied services. | Required | None | | `address` | Specifies the IP address of the proxy. | Optional
    The address will be inherited from the node configuration. | `address` specified in the node configuration. | -You can specify several additional parameters to configure the proxy to meet your requirements. See [Proxy Parameters](#proxy-parameters) for additional information. +You can specify several additional parameters to configure the proxy to meet your requirements. Refer to [Proxy Parameters](#proxy-parameters) for additional information. ### Example @@ -89,7 +89,7 @@ Specify the following parameters in the `proxy` code block to configure a sideca * `local_service_port`: Integer value that specifies the port that the proxy should use to connect to the _local_ service instance. Refer to the [proxy parameters reference](#local-service-port) for details. * `local_service_address`: String value that specifies the IP address or hostname that the proxy should use to connect to the _local_ service. Refer to the [proxy parameters reference](#local-service-address) for details. -Refer to [Deploy sidecar services](/consul/docs/connect/proxies/deploy-sidecar-services) for additional information about configuring service mesh proxies as sidecars. +Refer to [Deploy sidecar services](/consul/docs/reference/proxy/sidecar) for additional information about configuring service mesh proxies as sidecars. ### Complete configuration example @@ -150,8 +150,8 @@ The following table describes all parameters that can be defined in the `proxy` | `local_service_address` | String value that specifies the IP address or hostname that a sidecar proxy should use to connect to the _local_ service. | Optional | `127.0.0.1` | | `destination_service_name` | String value that specifies the _name_ of the service the instance is proxying. The name is used during service discovery to route to the correct proxy instances for a given service name. | Required | None | | `local_service_socket_path` | String value that specifies the path of a Unix domain socket for connecting to the local application instance.
    This parameter value is created by the application and conflicts with `local_service_address` and `local_service_port`.
    Supported when using Envoy for the proxy. | Optional | None | -| `mode` | String value that specifies the proxy mode. See [Proxy Modes](#proxy-modes) for additional information. | Optional | `direct` | -| `transparent_proxy` | Object value that specifies the configuration specific to proxies in `transparent` mode.
    See [Proxy Modes](#proxy-modes) and [Transparent Proxy Configuration Reference](#transparent-proxy-configuration-reference) for additional information.
    This parameter was added in Consul 1.10.0. | Optional | None | +| `mode` | String value that specifies the proxy mode. Refer to [Proxy Modes](#proxy-modes) for additional information. | Optional | `direct` | +| `transparent_proxy` | Object value that specifies the configuration specific to proxies in `transparent` mode.
    Refer to [Proxy Modes](#proxy-modes) and [Transparent Proxy Configuration Reference](#transparent-proxy-configuration-reference) for additional information.
    This parameter was added in Consul 1.10.0. | Optional | None | | `config` | Object value that specifies an opaque JSON configuration. The JSON is stored and returned along with the service instance when called from the API. | Optional | None | | `upstreams` | An array of objects that specify the upstream services that the proxy should create listeners for. Refer to [Upstream Configuration Reference](#upstream-configuration-reference) for details. | Optional | None | | `mesh_gateway` | Object value that specifies the mesh gateway configuration for the proxy. Refer to [Mesh Gateway Configuration Reference](#mesh-gateway-configuration-reference) for details. | Optional | None | @@ -173,7 +173,7 @@ You can configure the service mesh proxy to create listeners for upstream servic | `local_bind_socket_mode` | String value that specifies a Unix octal that configures file permissions for the socket. | Optional | None | | `destination_type` | String value that specifies the type of discovery query the proxy should use for finding service mesh instances. The following values are supported:
  • `service`: Queries for upstream `service` types.
  • `prepared_query`: Queries for upstream prepared queries.
    • | Optional | `service` | | `datacenter` | String value that specifies the datacenter to issue the discovery query to. | Optional | Defaults to the local datacenter. | -| `config` | Object value that specifies opaque configuration options that will be provided to the proxy instance for the upstream.
    Valid JSON objects are also supported.
    The `config` parameter can specify timeouts, retries, and other proxy-specific features for the given upstream.
    See the [built-in proxy configuration reference](/consul/docs/connect/proxies/built-in#proxy-upstream-config-key-reference) for configuration options when using the built-in proxy.
    If using Envoy as a proxy, see [Envoy configuration reference](/consul/docs/connect/proxies/envoy#proxy-upstream-config-options) | Optional | None | +| `config` | Object value that specifies opaque configuration options that will be provided to the proxy instance for the upstream.
    Valid JSON objects are also supported.
    The `config` parameter can specify timeouts, retries, and other proxy-specific features for the given upstream.
    Refer to the [built-in proxy configuration reference](/consul/docs/reference/proxy/built-in#proxy-upstream-config-key-reference) for configuration options when using the built-in proxy.
    If using Envoy as a proxy, refer to [Envoy configuration reference](/consul/docs/reference/proxy/envoy#proxy-upstream-config-options) | Optional | None | | `mesh_gateway` | Object that defines the mesh gateway configuration for the proxy. Refer to the [Mesh Gateway Configuration Reference](#mesh-gateway-configuration-reference) for configuration details. | Optional | None | ### Upstream configuration examples @@ -315,9 +315,12 @@ Note that the examples in this topic use snake case, which is a convention that directly by transparent proxies. Transparent proxies typically dial upstreams using the "virtual" tagged address, which load balances across instances. A database cluster with a leader is an example where dialing individual instances can be helpful. Cannot be used with upstreams which define a `destination_peer`. + + - ~> **Note:** Dynamic routing rules such as failovers and redirects do not apply to services dialed directly. - Additionally, the connection is proxied using a TCP proxy with a connection timeout of 5 seconds. + Dynamic routing rules such as failovers and redirects do not apply to services dialed directly. Additionally, the connection is proxied using a TCP proxy with a connection timeout of 5 seconds. + + ### Mesh gateway configuration reference @@ -433,8 +436,8 @@ The following example expose an HTTP2 listener in Envoy at port `21501` that rou - `checks` `(bool: false)` - If enabled, all HTTP and gRPC checks registered with the agent are exposed through Envoy. Envoy will expose listeners for these checks and will only accept connections originating from localhost or Consul's - [advertise address](/consul/docs/agent/config/config-files#advertise). The port for these listeners are dynamically allocated from - [expose_min_port](/consul/docs/agent/config/config-files#expose_min_port) to [expose_max_port](/consul/docs/agent/config/config-files#expose_max_port). + [advertise address](/consul/docs/reference/agent#advertise). The port for these listeners are dynamically allocated from + [expose_min_port](/consul/docs/reference/agent#expose_min_port) to [expose_max_port](/consul/docs/reference/agent#expose_max_port). This flag is useful when a Consul client cannot reach registered services over localhost. One example is when running Consul on Kubernetes, and Consul agents run in their own pods. - `paths` `array: []` - A list of paths to expose through Envoy. @@ -481,9 +484,11 @@ The `mode` field is optional. When omitted, Envoy uses the default mode. This is [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-pipe) for details. --> These options conflict with the `local_bind_socket_port` and -`local_bind_socket_address` options. For a given upstream the proxy can bind either to an IP port or -a Unix socket, but not both. + + + These options conflict with the `local_bind_socket_port` and `local_bind_socket_address` options. For a given upstream the proxy can bind either to an IP port or a Unix socket, but not both. + + Similarly to expose a service listening on a Unix Domain socket to the service mesh, use either the `socket_path` field in the service definition or the diff --git a/website/content/docs/connect/proxies/envoy.mdx b/website/content/docs/reference/proxy/envoy.mdx similarity index 79% rename from website/content/docs/connect/proxies/envoy.mdx rename to website/content/docs/reference/proxy/envoy.mdx index 927bac2fcdf..8b3e489717d 100644 --- a/website/content/docs/connect/proxies/envoy.mdx +++ b/website/content/docs/reference/proxy/envoy.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Envoy Proxy Configuration | Service Mesh +page_title: Envoy proxy configuration reference description: >- Consul supports Envoy proxies to direct traffic throughout the service mesh. Learn about Consul versions and their Envoy support, and use the reference guide to review options for bootstrap configuration, dynamic configuration, and advanced topics like escape hatch overrides. --- -# Envoy Proxy Configuration for Service Mesh +# Envoy proxy configuration reference Consul service mesh has first class support for using [Envoy](https://www.envoyproxy.io) as a proxy. Consul configures Envoy by @@ -24,125 +24,41 @@ Consul can configure Envoy sidecars to proxy traffic over the following protocol On Consul 1.5.0 and older, Envoy proxies can only proxy TCP traffic at L4. -You can configure some [L7 features](/consul/docs/connect/manage-traffic) in [configuration entries](/consul/docs/agent/config-entries). You can add [custom Envoy configurations](#advanced-configuration) to the [proxy service definition](/consul/docs/connect/proxies/proxy-config-reference), which enables you to leverage Envoy features that are not exposed through configuration entries. You can also use the [Consul Envoy extensions](/consul/docs/connect/proxies/envoy-extensions) to implement Envoy features. +You can configure some [L7 features](/consul/docs/connect/manage-traffic) in [configuration entries](/consul/docs/agent/config-entries). You can add [custom Envoy configurations](#advanced-configuration) to the [proxy service definition](/consul/docs/reference/proxy/connect-proxy), which enables you to leverage Envoy features that are not exposed through configuration entries. You can also use the [Consul Envoy extensions](/consul/docs/reference/proxy/envoy-extensions) to implement Envoy features. -~> **Note:** When using Envoy with Consul and not using the [`consul connect envoy` command](/consul/commands/connect/envoy) -Envoy must be run with the `--max-obj-name-len` option set to `256` or greater for Envoy versions prior to 1.11.0. + + +When using Envoy with Consul and not using the [`consul connect envoy` command](/consul/commands/connect/envoy) Envoy must be run with the `--max-obj-name-len` option set to `256` or greater for Envoy versions prior to 1.11.0. -## Supported Versions + -The following matrix describes Envoy compatibility for the -currently supported major Consul releases: -- The latest (N) release of Consul community edition (CE) and Enterprise -- The 2 preceding major releases (N-1 and N-2) of Consul Enterprise -- The 2 latest [Consul Enterprise LTS](/consul/docs/enterprise/long-term-support) major releases +## Supported Versions -For previous Consul version compatibility, -refer to the previous release's version of this page. +The following matrix describes Envoy compatibility for the currently supported **n-2 major Consul releases**. For previous Consul version compatibility please view the respective versioned docs for this page. ### Envoy and Consul Client Agent -Every major Consul release initially supports **four major Envoy releases**. -However, [Consul Enterprise Long Term Support (LTS)](/consul/docs/enterprise/long-term-support) -releases expand their Envoy version compatibility window in minor releases to -ensure compatibility with a maintained Envoy version. Standard (non-LTS) Consul -Enterprise releases may also expand support to a new major version of Envoy in -order to receive important security fixes, if the previous major Envoy version -has reached end-of-life. - -Every major Consul release maintains and tests compatibility with specific Envoy -patch releases to ensure users can benefit from bug and security fixes in Envoy. - -#### Standard releases - -Unless otherwise noted, rows in the following compatibility table -apply to both Consul Enterprise and Consul community edition (CE). +Consul supports **four major Envoy releases** at the beginning of each major Consul release. Consul maintains compatibility with Envoy patch releases for each major version so that users can benefit from bug and security fixes in Envoy. As a policy, Consul will add support for a new major versions of Envoy in a Consul major release. Support for newer versions of Envoy will not be added to existing releases. -| Consul Version | Compatible Envoy Versions | -| -------------- | -------------------------------------- | -| 1.20.x CE | 1.31.x, 1.30.x, 1.29.x, 1.28.x | -| 1.19.x CE | 1.29.x, 1.28.x, 1.27.x, 1.26.x | -| 1.18.x CE | 1.28.x, 1.27.x, 1.26.x, 1.25.x | -| 1.17.x | 1.27.x, 1.26.x, 1.25.x, 1.24.x | -| 1.16.x | 1.26.x, 1.25.x, 1.24.x, 1.23.x | - -#### Enterprise Long Term Support releases - -Active Consul Enterprise -[Long Term Support (LTS)](/consul/docs/enterprise/long-term-support) -releases expand their Envoy version compatibility window -until the LTS release reaches its end of maintenance. - -| Consul Version | Compatible Envoy Versions | -| -------------- | -----------------------------------------------------------------------------------| -| 1.18.x Ent | 1.29.x, 1.28.x, 1.27.x, 1.26.x, 1.25.x | -| 1.15.x Ent | 1.29.x, 1.28.x, 1.27.x, 1.26.x, 1.25.x, 1.24.x, 1.23.x, 1.22.x | +| Consul Version | Compatible Envoy Versions | +| ------------------- | -----------------------------------------------------------------------------------| +| 1.18.x | 1.28.0, 1.27.2, 1.26.6, 1.25.11 | +| 1.17.x | 1.27.2, 1.26.6, 1.25.11, 1.24.12 | +| 1.16.x | 1.26.6, 1.25.11, 1.24.12, 1.23.12 | ### Envoy and Consul Dataplane -The Consul dataplane component was introduced in Consul v1.14 -as a way to manage Envoy proxies without the use of Consul clients. - -Each major version of Consul is released with a new major version of Consul dataplane, -which packages both Envoy and the `consul-dataplane` binary in a single container image. -To enable seamless upgrades, each major version of Consul also supports -the previous and next Consul dataplane versions. - -Compared to community edition releases, Consul Enterprise releases have -the following differences with Consul dataplane compatibility: -- [LTS-Only: Expanded compatibility window](#enterprise-long-term-support-releases): - Active Consul Enterprise LTS releases expand their Consul dataplane - version compatibility window to include the version of Consul dataplane - aligned with the next Consul LTS release. -- [Maintained Envoy version](#consul-dataplane-releases-that-span-envoy-major-versions): - Major versions of Consul dataplane aligned with a maintained Consul - Enterprise version may contain minor version updates that use a new - major version of Envoy. These minor version updates are necessary to - ensure that maintained versions of Consul dataplane use a maintained - version of Envoy. - -#### Standard releases - -Unless otherwise noted, rows in the following compatibility table -apply to both Consul Enterprise and Consul community edition (CE). - -| Consul Version | Default `consul-dataplane` Version | Other compatible `consul-dataplane` Versions | -| -------------- | -------------------------------------|----------------------------------------------| -| 1.20.x CE | 1.6.x (Envoy 1.31.x) | 1.5.x (Envoy 1.29.x) | -| 1.19.x CE | 1.5.x (Envoy 1.29.x) | 1.4.x (Envoy 1.28.x) | -| 1.18.x CE | 1.4.x (Envoy 1.28.x) | 1.3.x (Envoy 1.27.x) | -| 1.17.x | 1.3.x (Envoy 1.27.x) | 1.4.x (Envoy 1.28.x), 1.2.x (Envoy 1.26.x) | -| 1.16.x | 1.2.x (Envoy 1.26.x) | 1.3.x (Envoy 1.27.x), 1.1.x (Envoy 1.25.x) | - -#### Enterprise Long Term Support releases - -Active Consul Enterprise -[Long Term Support (LTS)](/consul/docs/enterprise/long-term-support) -releases expand their Envoy version compatibility window -until the LTS release reaches its end of maintenance. - -| Consul Version | Default `consul-dataplane` Version | Other compatible `consul-dataplane` Versions | -| -------------- | -------------------------------------|----------------------------------------------| -| 1.18.x Ent | 1.4.x (Envoy 1.28.x) | 1.3.x (Envoy 1.27.x) | -| 1.15.x Ent | 1.1.x (Envoy 1.26.x) | 1.4.x (Envoy 1.28.x) - 1.0.x (Envoy 1.24.x) | - -#### Consul dataplane releases that span Envoy major versions - -Major versions of Consul dataplane aligned with active versions of Consul -may contain minor version updates that use a new major version of Envoy. -These minor version updates are necessary to ensure maintained versions -of Consul dataplane use a maintained version of Envoy including important -security fixes. - -| `consul-dataplane` Version Range | Associated Consul Enterprise version | Contained Envoy Binary Version | -| -------------------------------- | ---------------------------------------- | ------------------------------ | -| 1.1.11 - 1.1.latest | 1.15.x Ent | Envoy 1.27.x | -| 1.1.9 - 1.1.10 | 1.15.x Ent | Envoy 1.26.x | -| 1.1.0 - 1.1.8 | 1.15.x Ent | Envoy 1.25.x | +The Consul dataplane component was introduced in Consul v1.14 as a way to manage Envoy proxies without the use of Consul clients. Each new minor version of Consul is released with a new minor version of Consul dataplane, which packages both Envoy and the `consul-dataplane` binary in a single container image. For backwards compatibility reasons, each new minor version of Consul will also support the previous minor version of Consul dataplane to allow for seamless upgrades. In addition, each minor version of Consul will support the next minor version of Consul dataplane to allow for extended dataplane support via newer versions of Envoy. + +| Consul Version | Default `consul-dataplane` Version | Other compatible `consul-dataplane` Versions | +| ------------------- | ------------------------------------------------------------|----------------------------------------------| +| 1.17.x | 1.3.x (Envoy 1.27.x) | 1.2.x (Envoy 1.26.x) | +| 1.16.x | 1.2.x (Envoy 1.26.x) | 1.3.x (Envoy 1.27.x), 1.1.x (Envoy 1.25.x) | +| 1.15.x | 1.1.x (Envoy 1.25.x) | 1.2.x (Envoy 1.26.x), 1.0.x (Envoy 1.24.x) | ## Getting Started -To get started with Envoy and see a working example you can follow the [Using +To get started with Envoy and refer to a working example you can follow the [Using Envoy with Consul service mesh](/consul/tutorials/developer-mesh/service-mesh-with-envoy-proxy?utm_source=docs) tutorial. ## Configuration @@ -153,7 +69,7 @@ server", in this case Consul. The bootstrap configuration at a minimum needs to configure the proxy with an identity (node id) and the location of its local Consul agent from which it -discovers all of its dynamic configuration. See [Bootstrap +discovers all of its dynamic configuration. Refer to [Bootstrap Configuration](#bootstrap-configuration) for more details. The dynamic configuration Consul service mesh provides to each Envoy instance includes: @@ -164,7 +80,7 @@ The dynamic configuration Consul service mesh provides to each Envoy instance in - Service-discovery results for upstreams to enable each sidecar proxy to load-balance outgoing connections. - L7 configuration including timeouts and protocol-specific options. -- Configuration to [expose specific HTTP paths](/consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference). +- Configuration to [expose specific HTTP paths](/consul/docs/reference/proxy/connect-proxy#expose-paths-configuration-reference). For more information on the parts of the Envoy proxy runtime configuration that are currently controllable via Consul service mesh, refer to [Dynamic @@ -180,14 +96,18 @@ responsibility for correctly configuring Envoy and ensuring version support etc. ## Intention Enforcement -[Intentions](/consul/docs/connect/intentions) are enforced using Envoy's RBAC filters. Depending on the -configured [protocol](/consul/docs/connect/config-entries/service-defaults#protocol) of the proxied service, intentions are either enforced +[Intentions](/consul/docs/secure-mesh/intentions) are enforced using Envoy's RBAC filters. Depending on the +configured [protocol](/consul/docs/reference/config-entry/service-default#protocol) of the proxied service, intentions are either enforced per-connection (L4) using a network filter, or per-request (L7) using an HTTP filter. --> **Note:** Prior to Consul 1.9.0 intentions were exclusively enforced + + +Prior to Consul 1.9.0 intentions were exclusively enforced per-connection (L4) using an `ext_authz` network filter. + + ## Fetching Certificates Envoy will use the [`CONSUL_HTTP_TOKEN`](/consul/commands#consul_http_token) and [`CONSUL_HTTP_ADDR`](/consul/commands#consul_http_addr) environment variables to contact Consul to fetch certificates if the following conditions are met: @@ -218,27 +138,31 @@ For more information about available flags and parameters, refer to the ### Generate the bootstrap file from Consul Dataplane -Consul Dataplane automatically configures and manages an Envoy process. Consul Dataplane generates the Envoy bootstrap configuration file prior to starting Envoy. To configure how Consul Dataplane starts Envoy, refer to the [Consul Dataplane CLI reference](/consul/docs/connect/dataplane/consul-dataplane). +Consul Dataplane automatically configures and manages an Envoy process. Consul Dataplane generates the Envoy bootstrap configuration file prior to starting Envoy. To configure how Consul Dataplane starts Envoy, refer to the [Consul Dataplane CLI reference](/consul/docsreference-cli/consul-dataplane). ### Control bootstrap configuration from proxy configuration Consul service mesh can control some parts of the bootstrap configuration by specifying Envoy proxy configuration options. Add the following configuration items to the [global `proxy-defaults` configuration -entry](/consul/docs/connect/config-entries/proxy-defaults) or override them directly in the `proxy.config` +entry](/consul/docs/reference/config-entry/proxy-defaults) or override them directly in the `proxy.config` field of a [proxy service definition](/consul/docs/proxies/proxy-config-reference). When connected to a Consul client agent, you can place the configuration in the `proxy.config` field of -the [`sidecar_service`](/consul/docs/connect/proxies/deploy-sidecar-services) block. +the [`sidecar_service`](/consul/docs/reference/proxy/sidecar) block. - `envoy_statsd_url` - A URL in the form `udp://ip:port` identifying a UDP StatsD listener that Envoy should deliver metrics to. For example, this may be `udp://127.0.0.1:8125` if every host has a local StatsD listener. In this case users can configure this property once in the [global `proxy-defaults` - configuration entry](/consul/docs/connect/config-entries/proxy-defaults) for convenience. Currently, TCP is not supported. + configuration entry](/consul/docs/reference/config-entry/proxy-defaults) for convenience. Currently, TCP is not supported. - ~> **Note:** currently the url **must use an ip address** not a dns name due + + + Currently the url **must use an ip address** not a dns name due to the way Envoy is setup for StatsD. + + Expansion of the environment variable `HOST_IP` is supported, e.g. `udp://${HOST_IP}:8125`. @@ -248,7 +172,7 @@ the [`sidecar_service`](/consul/docs/connect/proxies/deploy-sidecar-services) bl pod in a Kubernetes cluster to learn of a pod-specific IP address for StatsD when the Envoy instance is bootstrapped while still allowing global configuration of all proxies to use StatsD in the [global `proxy-defaults` - configuration entry](/consul/docs/connect/config-entries/proxy-defaults). The env + configuration entry](/consul/docs/reference/config-entry/proxy-defaults). The env variable must contain a full valid URL value as specified above and nothing else. - `envoy_dogstatsd_url` - The same as `envoy_statsd_url` with the following @@ -264,9 +188,13 @@ the [`sidecar_service`](/consul/docs/connect/proxies/deploy-sidecar-services) bl namespace the proxy runs. Typically the IP would be `0.0.0.0` to bind to all available interfaces or a pod IP address. - -> **Note:** Envoy versions prior to 1.10 do not export timing histograms + + + Envoy versions prior to 1.10 do not export timing histograms using the internal Prometheus endpoint. + + - `envoy_stats_bind_addr` - Specifies that the proxy should expose the /stats prefix to the _public_ network. It must be supplied in the form `ip:port` and the ip/port combination must be free within the network namespace the proxy runs. @@ -353,20 +281,24 @@ To complete the bootstrap process, start Envoy and include the path to `bootstra $ envoy -c bootstrap.json ``` -~> **Security Note**: The bootstrap JSON contains the ACL token and should be handled as a secret. Because this token authorizes the identity of any service it has `service:write` permissions for, it can be used to access upstream services. + + +The bootstrap JSON contains the ACL token and should be handled as a secret. Because this token authorizes the identity of any service it has `service:write` permissions for, it can be used to access upstream services. + + ## Dynamic Configuration Consul automatically generates Envoy's dynamic configuration based on its knowledge of the cluster. Users may specify default configuration options for a service through the available fields in the [`service-defaults` configuration -entry](/consul/docs/connect/config-entries/service-defaults). Consul will use this +entry](/consul/docs/reference/config-entry/service-default). Consul will use this information to configure appropriate proxy settings for that service's proxies and also for the upstream listeners used by the service. One example is how users can define a service's protocol in the `Protocol` field of [`service-defaults` configuration -entry](/consul/docs/connect/config-entries/service-defaults). Agents with -[`enable_central_service_config`](/consul/docs/agent/config/config-files#enable_central_service_config) +entry](/consul/docs/reference/config-entry/service-default). Agents with +[`enable_central_service_config`](/consul/docs/reference/agent#enable_central_service_config) set to true will automatically discover the protocol when configuring a proxy for a service. The proxy will discover the main protocol of the service it represents and use this to configure its main public listener. It will also @@ -375,18 +307,18 @@ automatically configure its upstream listeners appropriately too as below. This automated discovery results in Consul auto-populating the `proxy.config` and `proxy.upstreams[*].config` fields of the [proxy service -definition](/consul/docs/connect/proxies/proxy-config-reference) that is +definition](/consul/docs/reference/proxy/connect-proxy) that is actually registered. -To learn about other options that can be configured centrally see the +To learn about other options that can be configured centrally refer to the [Configuration Entries](/consul/docs/agent/config-entries) docs. ### Proxy Config Options These fields may also be overridden explicitly in `proxy.config` of the [proxy service -definition](/consul/docs/connect/proxies/proxy-config-reference), or defined in +definition](/consul/docs/reference/proxy/connect-proxy), or defined in the [global `proxy-defaults` configuration -entry](/consul/docs/connect/config-entries/proxy-defaults) to act as +entry](/consul/docs/reference/config-entry/proxy-defaults) to act as defaults that are inherited by all services. - `protocol` - The protocol the service speaks. Consul service mesh's Envoy integration @@ -412,14 +344,11 @@ defaults that are inherited by all services. that translates HTTP/1.1 calls into gRPC, and instruments metrics with `gRPC-status` trailer codes. - ~> **Note:** The protocol of a service should ideally be configured via the - [`protocol`](/consul/docs/connect/config-entries/service-defaults#protocol) - field of a - [`service-defaults`](/consul/docs/connect/config-entries/service-defaults) - config entry for the service. Configuring it in a - proxy config will not fully enable some [L7 - features](/consul/docs/connect/manage-traffic). - It is supported here for backwards compatibility with Consul versions prior to 1.6.0. + + + The protocol of a service should ideally be configured via the [`protocol`](/consul/docs/reference/config-entry/service-default#protocol) field of a [`service-defaults`](/consul/docs/reference/config-entry/service-default) config entry for the service. Configuring it in a proxy config will not fully enable some [L7 features](/consul/docs/connect/manage-traffic). It is supported here for backwards compatibility with Consul versions prior to 1.6.0. + + - `bind_address` - Override the address Envoy's public listener binds to. By default Envoy will bind to the service address or 0.0.0.0 if there is not explicit address on the service registration. @@ -458,33 +387,27 @@ defaults that are inherited by all services. The following configuration items may be overridden directly in the `proxy.upstreams[].config` field of a [proxy service -definition](/consul/docs/connect/proxies/proxy-config-reference) or -[`sidecar_service`](/consul/docs/connect/proxies/deploy-sidecar-services) block. +definition](/consul/docs/reference/proxy/connect-proxy) or +[`sidecar_service`](/consul/docs/reference/proxy/sidecar) block. - `protocol` - Same as above in main config but affects the listener setup for the upstream. - ~> **Note:** The protocol of a service should ideally be configured via the - [`protocol`](/consul/docs/connect/config-entries/service-defaults#protocol) - field of a - [`service-defaults`](/consul/docs/connect/config-entries/service-defaults) - config entry for the upstream destination service. Configuring it in a - proxy upstream config will not fully enable some [L7 - features](/consul/docs/connect/manage-traffic). - It is supported here for backwards compatibility with Consul versions prior to 1.6.0. + + + The protocol of a service should ideally be configured via the [`protocol`](/consul/docs/reference/config-entry/service-default#protocol) field of a [`service-defaults`](/consul/docs/reference/config-entry/service-default) config entry for the upstream destination service. Configuring it in a proxy upstream config will not fully enable some [L7 features](/consul/docs/connect/manage-traffic). It is supported here for backwards compatibility with Consul versions prior to 1.6.0. + + - `connect_timeout_ms` - The number of milliseconds to allow when making upstream connections before timing out. Defaults to 5000 (5 seconds). - ~> **Note:** The connection timeout for a service should ideally be - configured via the - [`connect_timeout`](/consul/docs/connect/config-entries/service-resolver#connecttimeout) - field of a - [`service-resolver`](/consul/docs/connect/config-entries/service-resolver) - config entry for the upstream destination service. Configuring it in a - proxy upstream config will override any values defined in config entries. - It is supported here for backwards compatibility with Consul versions prior to 1.6.0. + + + The connection timeout for a service should ideally be configured via the [`connect_timeout`](/consul/docs/reference/config-entry/service-resolver#connecttimeout) field of a [`service-resolver`](/consul/docs/reference/config-entry/service-resolver) config entry for the upstream destination service. Configuring it in a proxy upstream config will override any values defined in config entries. It is supported here for backwards compatibility with Consul versions prior to 1.6.0. + + - `limits` - A set of limits to apply when connecting to the upstream service. These limits are applied on a per-service-instance basis. The following @@ -535,9 +458,9 @@ definition](/consul/docs/connect/proxies/proxy-config-reference) or ### Gateway Options These fields may also be overridden explicitly in the [proxy service -definition](/consul/docs/connect/proxies/proxy-config-reference), or defined in +definition](/consul/docs/reference/proxy/connect-proxy), or defined in the [global `proxy-defaults` configuration -entry](/consul/docs/connect/config-entries/proxy-defaults) to act as +entry](/consul/docs/reference/config-entry/proxy-defaults) to act as defaults that are inherited by all services. Prior to 1.8.0 these settings were specific to Mesh Gateways. The deprecated @@ -547,7 +470,7 @@ will continue to be supported. - `connect_timeout_ms` - The number of milliseconds to allow when making upstream connections before timing out. Defaults to 5000 (5 seconds). If the upstream service has the configuration option - [`connect_timeout_ms`](/consul/docs/connect/config-entries/service-resolver#connecttimeout) + [`connect_timeout_ms`](/consul/docs/reference/config-entry/service-resolver#connecttimeout) set for the `service-resolver`, that timeout value will take precedence over this gateway option. @@ -577,17 +500,17 @@ will continue to be supported. [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-tcpkeepalive). - `envoy_gateway_remote_tcp_keepalive_time` - The number of seconds a connection needs to - be idle before keep-alive probes start being sent. For more information, see the + be idle before keep-alive probes start being sent. For more information, refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-tcpkeepalive). This option only applies to remote upstream connections for mesh and terminating gateways. - `envoy_gateway_remote_tcp_keepalive_interval` - The number of seconds between keep-alive probes. - For more information, see the + For more information, refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-tcpkeepalive). This option only applies to remote upstream connections for mesh and terminating gateways. - `envoy_gateway_remote_tcp_keepalive_probes` - Maximum number of keepalive probes to send without - response before deciding the connection is dead. For more information, see the + response before deciding the connection is dead. For more information, refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-tcpkeepalive). This option only applies to remote upstream connections for mesh and terminating gateways. @@ -606,7 +529,9 @@ commonly need to be set for tasks like configuring tracing. In contrast, escape give almost complete control over the proxy setup, but require operators to manually code the entire configuration in protobuf JSON. -~> **Advanced Topic!** This section covers options that allow users to take almost + + +This section covers options that allow users to take almost complete control of Envoy's configuration. We provide these options so users can experiment or take advantage of features not yet fully supported in Consul service mesh. We plan to retain this ability in the future, but it should still be considered @@ -616,6 +541,8 @@ are outside of Consul's control. Incorrect configuration could prevent all proxies in your mesh from functioning correctly, or bypass the security guarantees Consul service mesh is designed to enforce. + + ### Configuration Formatting All configurations are specified as strings containing the serialized proto3 JSON encoding @@ -707,10 +634,10 @@ EOF Users may add the following configuration items to the [global `proxy-defaults` configuration -entry](/consul/docs/connect/config-entries/proxy-defaults) or +entry](/consul/docs/reference/config-entry/proxy-defaults) or override them directly in the `proxy.config` field of a [proxy service -definition](/consul/docs/connect/proxies/proxy-config-reference) or -[`sidecar_service`](/consul/docs/connect/proxies/deploy-sidecar-services) block. +definition](/consul/docs/reference/proxy/connect-proxy) or +[`sidecar_service`](/consul/docs/reference/proxy/sidecar) block. - `envoy_extra_static_clusters_json` - Specifies one or more [Envoy clusters](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/cluster/v3/cluster.proto) that will be appended to the array of [static @@ -888,10 +815,10 @@ definition](/consul/docs/connect/proxies/proxy-config-reference) or Users may add the following configuration items to the [global `proxy-defaults` configuration -entry](/consul/docs/connect/config-entries/proxy-defaults) or +entry](/consul/docs/reference/config-entry/proxy-defaults) or override them directly in the `proxy.config` field of a [proxy service -definition](/consul/docs/connect/proxies/proxy-config-reference) or -[`sidecar_service`](/consul/docs/connect/proxies/deploy-sidecar-services) block. +definition](/consul/docs/reference/proxy/connect-proxy) or +[`sidecar_service`](/consul/docs/reference/proxy/sidecar) block. - `envoy_bootstrap_json_tpl` - Specifies a template in Go template syntax that is used in place of [the default @@ -1087,15 +1014,14 @@ definition](/consul/docs/connect/proxies/proxy-config-reference) or The following configuration items may be overridden directly in the `proxy.upstreams[].config` field of a [proxy service -definition](/consul/docs/connect/proxies/proxy-config-reference) or +definition](/consul/docs/reference/proxy/connect-proxy) or [`sidecar_service`](/consul/docs/connect/deploy/deploy-sidecar-services) block. -~> **Note:** - When a -[`service-router`](/consul/docs/connect/config-entries/service-router), -[`service-splitter`](/consul/docs/connect/config-entries/service-splitter), or -[`service-resolver`](/consul/docs/connect/config-entries/service-resolver) config -entry exists for a service the below escape hatches are ignored and will log a -warning. + + +When a [`service-router`](/consul/docs/reference/config-entry/service-router), [`service-splitter`](/consul/docs/reference/config-entry/service-splitter), or [`service-resolver`](/consul/docs/reference/config-entry/service-resolver) config entry exists for a service the below escape hatches are ignored and will log a warning. + + - `envoy_listener_json` - Specifies a complete [Listener](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/listener/v3/listener.proto) to be delivered in place of the upstream listener that the proxy exposes to diff --git a/website/content/docs/connect/proxies/envoy-extensions/configuration/ext-authz.mdx b/website/content/docs/reference/proxy/extensions/ext-authz.mdx similarity index 99% rename from website/content/docs/connect/proxies/envoy-extensions/configuration/ext-authz.mdx rename to website/content/docs/reference/proxy/extensions/ext-authz.mdx index ebe7f99a96e..0ae560098cd 100644 --- a/website/content/docs/connect/proxies/envoy-extensions/configuration/ext-authz.mdx +++ b/website/content/docs/reference/proxy/extensions/ext-authz.mdx @@ -6,14 +6,14 @@ description: Learn how to configure the ext-authz Envoy extension, which is a bu # External authorization extension configuration reference -This topic describes how to configure the external authorization Envoy extension, which configures Envoy proxies to request authorization from an external service. Refer to [Delegate authorization to an external service](/consul/docs/connect/proxies/envoy-extensions/usage/ext-authz) for usage information. +This topic describes how to configure the external authorization Envoy extension, which configures Envoy proxies to request authorization from an external service. Refer to [Delegate authorization to an external service](/consul/docs/reference/proxy/envoy-extensions/usage/ext-authz) for usage information. ## Configuration model The following list outlines the field hierarchy, data types, and requirements for the external authorization configuration. Place the configuration inside the `EnvoyExtension.Arguments` field in the proxy defaults or service defaults configuration entry. Refer to the following documentation for additional information: -- [`EnvoyExtensions` in proxy defaults](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions) -- [`EnvoyExtensions` in service defaults](/consul/docs/connect/config-entries/service-defaults#envoyextensions) +- [`EnvoyExtensions` in proxy defaults](/consul/docs/reference/config-entry/proxy-defaults#envoyextensions) +- [`EnvoyExtensions` in service defaults](/consul/docs/reference/config-entry/service-default#envoyextensions) - [Envoy External Authorization documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto) Click on a property name to view additional details, including default values. diff --git a/website/content/docs/connect/proxies/envoy-extensions/configuration/otel-access-logging.mdx b/website/content/docs/reference/proxy/extensions/otel.mdx similarity index 97% rename from website/content/docs/connect/proxies/envoy-extensions/configuration/otel-access-logging.mdx rename to website/content/docs/reference/proxy/extensions/otel.mdx index 9cef3a56365..de2b203df8d 100644 --- a/website/content/docs/connect/proxies/envoy-extensions/configuration/otel-access-logging.mdx +++ b/website/content/docs/reference/proxy/extensions/otel.mdx @@ -6,14 +6,14 @@ description: Learn how to configure the otel-access-logging Envoy extension, whi # OpenTelemetry Access Logging extension configuration reference -This topic describes how to configure the OpenTelemetry access logging Envoy extension, which configures Envoy proxies to send access logs to OpenTelemetry collector service. Refer to [Send access logs to OpenTelemetry collector service](/consul/docs/connect/proxies/envoy-extensions/usage/otel-access-logging) for usage information. +This topic describes how to configure the OpenTelemetry access logging Envoy extension, which configures Envoy proxies to send access logs to OpenTelemetry collector service. Refer to [Send access logs to OpenTelemetry collector service](/consul/docs/reference/proxy/envoy-extensions/usage/otel-access-logging) for usage information. ## Configuration model The following list outlines the field hierarchy, data types, and requirements for the OpenTelemetry access logging configuration. Place the configuration inside the `EnvoyExtension.Arguments` field in the proxy defaults or service defaults configuration entry. Refer to the following documentation for additional information: -- [`EnvoyExtensions` in proxy defaults](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions) -- [`EnvoyExtensions` in service defaults](/consul/docs/connect/config-entries/service-defaults#envoyextensions) +- [`EnvoyExtensions` in proxy defaults](/consul/docs/reference/config-entry/proxy-defaults#envoyextensions) +- [`EnvoyExtensions` in service defaults](/consul/docs/reference/config-entry/service-default#envoyextensions) - [Envoy OpenTelemetry Access Logging Configuration documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto#extensions-access-loggers-open-telemetry-v3-opentelemetryaccesslogconfig) Click on a property name to view additional details, including default values. @@ -310,7 +310,7 @@ Specifies the number of times Envoy retries to fetch plugin data if the initial ### `Arguments.Config.Body` -Specifies OpenTelemetry [LogResource](https://github.com/open-telemetry/opentelemetry-proto/blob/main/opentelemetry/proto/logs/v1/logs.proto) fields, following [Envoy access logging formatting](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage). See ‘body’ in the LogResource proto for more details. +Specifies OpenTelemetry [LogResource](https://github.com/open-telemetry/opentelemetry-proto/blob/main/opentelemetry/proto/logs/v1/logs.proto) fields, following [Envoy access logging formatting](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage). Refer to ‘body’ in the LogResource proto for more details. #### Values diff --git a/website/content/docs/connect/proxies/envoy-extensions/configuration/property-override.mdx b/website/content/docs/reference/proxy/extensions/property-override.mdx similarity index 95% rename from website/content/docs/connect/proxies/envoy-extensions/configuration/property-override.mdx rename to website/content/docs/reference/proxy/extensions/property-override.mdx index 610371b303d..23c5f00d651 100644 --- a/website/content/docs/connect/proxies/envoy-extensions/configuration/property-override.mdx +++ b/website/content/docs/reference/proxy/extensions/property-override.mdx @@ -6,14 +6,14 @@ description: Learn how to configure the property-override plugin, which is a bui # Property override configuration reference -This topic describes how to configure the `property-override` extension so that you can set and remove individual properties on the Envoy resources Consul generates. Refer to [Configure Envoy proxy properties](/consul/docs/connect/proxies/envoy-extensions/usage/property-override) for usage information. +This topic describes how to configure the `property-override` extension so that you can set and remove individual properties on the Envoy resources Consul generates. Refer to [Configure Envoy proxy properties](/consul/docs/reference/proxy/envoy-extensions/usage/property-override) for usage information. ## Configuration model The following list outlines the field hierarchy, data types, and requirements for the `property-override` configuration. Place the configuration inside the `EnvoyExtension.Arguments` field in the proxy defaults or service defaults configuration entry. Refer the following documentation for additional information: -- [`EnvoyExtensions` in proxy defaults](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions) -- [`EnvoyExtensions` in service defaults](/consul/docs/connect/config-entries/service-defaults#envoyextensions) +- [`EnvoyExtensions` in proxy defaults](/consul/docs/reference/config-entry/proxy-defaults#envoyextensions) +- [`EnvoyExtensions` in service defaults](/consul/docs/reference/config-entry/service-default#envoyextensions) Click on a property name to view additional details, including default values. @@ -133,7 +133,7 @@ Specifies the JSON Patch operation to perform when the `ResourceFilter` matches Specifies where the extension performs the associated operation on the specified resource type. Refer to [`ResourceType`](#patches-resourcefilter) for information about specifying a resource type to target. Refer to [`Op`](#patches-op) for information about setting an operation to perform on the resources. -The `Path` field does not support addressing array elements or protobuf map field entries. Refer to [Constructing paths](/consul/docs/connect/proxies/envoy-extensions/usage/property-override#constructing-paths) for information about how to construct paths. +The `Path` field does not support addressing array elements or protobuf map field entries. Refer to [Constructing paths](/consul/docs/reference/proxy/envoy-extensions/usage/property-override#constructing-paths) for information about how to construct paths. When setting fields, the extension sets any unset intermediate fields to their default values. A single operation on a nested field can set multiple intermediate fields. Because Consul sets the intermediate fields to their default values, you may need to configure subsequent patches to satisfy Envoy or Consul validation. @@ -240,7 +240,11 @@ EnvoyExtensions = [ The use of `/seconds` in these examples corresponds to the same field in the [google.protobuf.Duration](https://github.com/protocolbuffers/protobuf/blob/main/src/google/protobuf/duration.proto) proto definition, since the extension does not support JSON serialized string forms of common protobuf types (e.g. `120s`). --> **Note:** Using separate patches per field preserves any existing configuration of other fields in `outlier_detection` that may be directly set by Consul, such as [`enforcing_consecutive_5xx`](https://developer.hashicorp.com/consul/docs/connect/proxies/envoy#enforcing_consecutive_5xx). + + +Using separate patches per field preserves any existing configuration of other fields in `outlier_detection` that may be directly set by Consul, such as [`enforcing_consecutive_5xx`](/consul/docs/reference/proxy/envoy#enforcing_consecutive_5xx). + + ### Replace a message field diff --git a/website/content/docs/connect/proxies/envoy-extensions/configuration/wasm.mdx b/website/content/docs/reference/proxy/extensions/wasm.mdx similarity index 96% rename from website/content/docs/connect/proxies/envoy-extensions/configuration/wasm.mdx rename to website/content/docs/reference/proxy/extensions/wasm.mdx index 6884112aba3..fc98d8b6b71 100644 --- a/website/content/docs/connect/proxies/envoy-extensions/configuration/wasm.mdx +++ b/website/content/docs/reference/proxy/extensions/wasm.mdx @@ -6,14 +6,14 @@ description: Learn how to configure the wasm Envoy extension, which is a builtin # WebAssembly extension configuration reference -This topic describes how to configure the `wasm` extension, which directs Consul to run WebAssembly (Wasm) plugins in Envoy proxies. Refer to [Run WebAssembly plug-ins in Envoy proxy](/consul/docs/connect/proxies/envoy-extensions/usage/wasm) for usage information. +This topic describes how to configure the `wasm` extension, which directs Consul to run WebAssembly (Wasm) plugins in Envoy proxies. Refer to [Run WebAssembly plug-ins in Envoy proxy](/consul/docs/reference/proxy/envoy-extensions/usage/wasm) for usage information. ## Configuration model The following list outlines the field hierarchy, data types, and requirements for the `wasm` configuration. Place the configuration inside the `EnvoyExtension.Arguments` field in the proxy defaults or service defaults configuration entry. Refer the following documentation for additional information: -- [`EnvoyExtensions` in proxy defaults](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions) -- [`EnvoyExtensions` in service defaults](/consul/docs/connect/config-entries/service-defaults#envoyextensions) +- [`EnvoyExtensions` in proxy defaults](/consul/docs/reference/config-entry/proxy-defaults#envoyextensions) +- [`EnvoyExtensions` in service defaults](/consul/docs/reference/config-entry/service-default#envoyextensions) Click on a property name to view additional details, including default values. @@ -102,7 +102,7 @@ PluginConfig = { CapabilityRestrictionConfiguration = { AllowedCapabilities = { "fd_read" = {} - "fd_seek" = {} + "fd_refer to k" = {} "environ_get" = {} "clock_get_time" = {} } @@ -405,7 +405,11 @@ Specifies a configuration for restricting the proxy-Wasm capabilities that are a The `CapabilityRestrictionConfiguration` field is a map that contains a `AllowedCapabilities` parameter. The `AllowedCapabilities` parameter takes a map of string values that correspond to Envoy capability names. Refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-capabilityrestrictionconfig) for additional information. -!> **Security warning**: Consul ignores the value that each capability maps to. You can leave the `AllowedCapabilities` empty to allow all capabilities, but doing so gives the configured plugin full unrestricted access to the runtime API provided by the Wasm VM. You must set this to a non-empty map if you want to restrict access to specific capabilities provided by the Wasm runtime API. + + +Consul ignores the value that each capability maps to. You can leave the `AllowedCapabilities` empty to allow all capabilities, but doing so gives the configured plugin full unrestricted access to the runtime API provided by the Wasm VM. You must set this to a non-empty map if you want to restrict access to specific capabilities provided by the Wasm runtime API. + + #### Values diff --git a/website/content/docs/reference/proxy/sidecar.mdx b/website/content/docs/reference/proxy/sidecar.mdx new file mode 100644 index 00000000000..3ff53390f53 --- /dev/null +++ b/website/content/docs/reference/proxy/sidecar.mdx @@ -0,0 +1,81 @@ +--- +layout: docs +page_title: Sidecar proxy configuration reference +description: >- + Learn about default settings, customizable parameters, limitations, and lifecycle behaviors of the sidecar proxy. +--- + +# Sidecar proxy configuration reference + +The `sidecar_service` block is a service definition that can contain most regular service definition fields. Refer to [Limitations](#limitations) for information about unsupported service definition fields for sidecar proxies. + +Consul treats sidecar proxy service definitions as a root-level service definition. All fields are optional in nested definitions, which default to opinionated settings that are intended to reduce burden of setting up a sidecar proxy. + +## Sidecar service defaults + +The following fields are set by default on a sidecar service registration. With +[the exceptions noted](#limitations) any field may be overridden explicitly in +the `connect.sidecar_service` definition to customize the proxy registration. +The "parent" service refers to the service definition that embeds the sidecar +proxy. + +- `id` - ID defaults to `-sidecar-proxy`. This value cannot + be overridden as it is used to [manage the lifecycle](#lifecycle) of the + registration. +- `name` - Defaults to `-sidecar-proxy`. +- `tags` - Defaults to the tags of the parent service. +- `meta` - Defaults to the service metadata of the parent service. +- `port` - Defaults to being auto-assigned from a configurable + range specified by [`sidecar_min_port`](/consul/docs/reference/agent#sidecar_min_port) + and [`sidecar_max_port`](/consul/docs/reference/agent#sidecar_max_port). +- `kind` - Defaults to `connect-proxy`. This value cannot be overridden. +- `check`, `checks` - By default we add a TCP check on the local address and + port for the proxy, and a [service alias + check](/consul/docs/register/service/vm/health-checks#alias-checks) for the parent service. If either + `check` or `checks` fields are set, only the provided checks are registered. +- `proxy.destination_service_name` - Defaults to the parent service name. +- `proxy.destination_service_id` - Defaults to the parent service ID. +- `proxy.local_service_address` - Defaults to `127.0.0.1`. +- `proxy.local_service_port` - Defaults to the parent service port. + +### Example with overwritten configurations + +In the following example, the `sidecar_service` macro sets baselines configurations for the proxy, but the [proxy +upstreams](/consul/docs/reference/proxy/connect-proxy#upstream-configuration-reference) +and [built-in proxy +configuration](/consul/docs/reference/proxy/built-in) fields contain custom values: + +```json +{ + "name": "web", + "port": 8080, + "connect": { + "sidecar_service": { + "proxy": { + "upstreams": [ + { + "destination_name": "db", + "local_bind_port": 9191 + } + ], + "config": { + "handshake_timeout_ms": 1000 + } + } + } + } +} +``` + +## Limitations + +The following fields are not supported in the `connect.sidecar_service` block: + +- `id` - Sidecar services get an ID assigned and it is an error to override + this value. This ID is required to ensure that the agent can correctly deregister the sidecar service + later when the parent service is removed. +- `kind` - Kind defaults to `connect-proxy` and there is no way to + unset this behavior. +- `connect.sidecar_service` - Service definitions cannot be nested recursively. +- `connect.native` - The `kind` is fixed to `connect-proxy` and it is + an error to register a `connect-proxy` that is also service mesh-native. diff --git a/website/content/docs/services/configuration/services-configuration-reference.mdx b/website/content/docs/reference/service.mdx similarity index 88% rename from website/content/docs/services/configuration/services-configuration-reference.mdx rename to website/content/docs/reference/service.mdx index 59e93da6896..7938f0dd398 100644 --- a/website/content/docs/services/configuration/services-configuration-reference.mdx +++ b/website/content/docs/reference/service.mdx @@ -1,17 +1,19 @@ --- layout: docs -page_title: Service configuration reference -description: Use the service definition to configure and register services to the Consul catalog, including services used as proxies in a Consul service mesh +page_title: Service definition reference +description: >- + Use the service definition to configure and register services to the Consul catalog, including services used as proxies in a Consul service mesh. --- -# Services configuration reference +# Service definition reference This topic describes the options you can use to define services for registering them with Consul. Refer to the following topics for usage information: -- [Define Services](/consul/docs/services/usage/define-services) -- [Register Services and Health Checks](/consul/docs/services/usage/register-services-checks) +- [Define Services](/consul/docs/register/service/vm/define) +- [Register Services and Health Checks](/consul/docs/register/service/vm) ## Configuration model + The following outline shows how to format the configurations in the root `service` block. Click on a property name to view details about the configuration. - [`name`](#name): string | required @@ -49,18 +51,21 @@ The following outline shows how to format the configurations in the root `servic This topic provides details about the configuration parameters. ### `name` + Required value that specifies a name for the service. We recommend using valid DNS labels for service definition names for compatibility with external DNSs. The value for this parameter is used as the ID if the `id` parameter is not specified. - Type: string - Default: none ### `id` + Specifies an ID for the service. Services on the same node must have unique IDs. We recommend specifying unique values if the default name conflicts with other services. - Type: string - Default: Value of the `name` field. ### `address` + String value that specifies a service-specific IP address or hostname. If no value is specified, the IP address of the agent node is used by default. There is no service-side validation of this parameter. @@ -69,21 +74,24 @@ There is no service-side validation of this parameter. - Default: IP address of the agent node ### `port` + Specifies a port number for the service. To improve service discoverability, we recommend specifying the port number, as well as an address in the [`tagged_addresses`](#tagged_addresses) parameter. - Type: integer - Default: Port number of the agent ### `tags` + Specifies a list of string values that add service-level labels. Tag values are opaque to Consul. We recommend using valid DNS labels for service definition IDs for compatibility with external DNSs. In the following example, the service is tagged as `v2` and `primary`: ```hcl tags = ["v2", "primary"] ``` -Consul uses tags as an anti-entropy mechanism to maintain the state of the cluster. You can disable the anti-entropy feature for a service using the [`enable_tag_override`](#enable_tag_override) setting, which enables external agents to modify tags on services in the catalog. Refer to [Modify anti-entropy synchronization](/consul/docs/services/usage/define-services#modify-anti-entropy-synchronization) for additional usage information. +Consul uses tags as an anti-entropy mechanism to maintain the state of the cluster. You can disable the anti-entropy feature for a service using the [`enable_tag_override`](#enable_tag_override) setting, which enables external agents to modify tags on services in the catalog. Refer to [Modify anti-entropy synchronization](/consul/docs/register/service/vm/define#modify-anti-entropy-synchronization) for additional usage information. ### `meta` + The `meta` field contains custom key-value pairs that associate semantic metadata with the service. You can specify up to 64 pairs that meet the following requirements: - Keys and values must be strings. @@ -113,6 +121,7 @@ meta = { ### `tagged_addresses` + The `tagged_address` field is an object that configures additional addresses for a node or service. Remote agents and services can communicate with the service using a tagged address as an alternative to the address specified in the [`address`](#address) field. You can configure multiple addresses for a node or service. The following tags are supported: - [`lan`](#tagged_addresses-lan): IPv4 LAN address where the node or service is accessible. @@ -124,6 +133,7 @@ The `tagged_address` field is an object that configures additional addresses for - [`wan_ipv6`](#tagged_addresses-lan): IPv6 WAN address at which the node or service is accessible when being dialed from a remote data center. ### `tagged_addresses.lan` + Object that specifies either an IPv4 or IPv6 LAN address and port number where the service or node is accessible. You can specify one or more of the following fields: - `lan` @@ -198,7 +208,7 @@ Virtual addresses are not required to be routable IPs within the network. They a If the following conditions are met, connections to virtual addresses are load balanced across available instances of a service, provided the following conditions are satisfied: 1. [Transparent proxy](/consul/docs/connect/transparent-proxy) is enabled for the downstream and upstream services. -1. The upstream service is not configured for individual instances to be [dialed directly](/consul/docs/connect/config-entries/service-defaults#dialeddirectly). +1. The upstream service is not configured for individual instances to be [dialed directly](/consul/docs/reference/config-entry/service-default#dialeddirectly). In the following example, the downstream services in the mesh can connect to the `redis` service at `203.0.113.50` on port `80`: @@ -301,41 +311,47 @@ service { ### `socket_path` + String value that specifies the path to the service socket. Specify this parameter to expose the service to the mesh if the service listens on a Unix Domain socket. - Type: string - Default: none ### `enable_tag_override` + Boolean value that determines if the anti-entropy feature for the service is enabled. Set to `true` to allow external Consul agents modify tags on the services in the Consul catalog. The local Consul agent ignores updated tags during subsequent sync operations. This parameter only applies to the locally-registered service. If multiple nodes register a service with the same `name`, the `enable_tag_override` configuration, and all other service configuration items, operate independently. -Refer to [Modify anti-entropy synchronization](/consul/docs/services/usage/define-services#modify-anti-entropy-synchronization) for additional usage information. +Refer to [Modify anti-entropy synchronization](/consul/docs/register/service/vm/define#modify-anti-entropy-synchronization) for additional usage information. - Type: boolean - Default: `false` ### `checks` -The `checks` block contains an array of objects that define health checks for the service. Health checks perform several safety functions, such as allowing a web balancer to gracefully remove failing nodes and allowing a database to replace a failed secondary. Refer to [Health Check Configuration Reference](/consul/docs/services/configuration/checks-configuration-reference) for information about configuring health checks. + +The `checks` block contains an array of objects that define health checks for the service. Health checks perform several safety functions, such as allowing a web balancer to gracefully remove failing nodes and allowing a database to replace a failed secondary. Refer to [Health Check Configuration Reference](/consul/docs/reference/service/health-checks) for information about configuring health checks. ### `kind` + String value that identifies the service as a proxy and determines its role in the service mesh. Do not configure the `kind` parameter for non-proxy service instances. Refer to [Consul Service Mesh](/consul/docs/connect) for additional information. You can specify the following values: -- `connect-proxy`: Defines the configuration for a service mesh proxy. Refer to [Deploy service mesh proxies](/consul/docs/connect/proxies/deploy-service-mesh-proxies) for details about registering a service as a service mesh proxy. -- `ingress-gateway`: Defines the configuration for an [ingress gateway](/consul/docs/connect/config-entries/ingress-gateway) -- `mesh-gateway`: Defines the configuration for a [mesh gateway](/consul/docs/connect/gateways/mesh-gateway) +- `connect-proxy`: Defines the configuration for a service mesh proxy. Refer to [Deploy service mesh proxies](/consul/docs/deploy/service-mesh/deploy-proxy) for details about registering a service as a service mesh proxy. +- `ingress-gateway`: Defines the configuration for an [ingress gateway](/consul/docs/reference/config-entry/ingress-gateway) +- `mesh-gateway`: Defines the configuration for a [mesh gateway](/consul/docs/east-west/mesh-gateway/) - `terminating-gateway`: Defines the configuration for a [terminating gateway](/consul/docs/connect/gateways/terminating-gateway) For non-service registration roles, the `kind` field has a different context when used to define configuration entries, such as `service-defaults`. Refer to the documentation for the configuration entry you want to implement for additional information. ### `proxy` -Object that specifies proxy configurations when the service is configured to operate as a proxy in a service mesh. Do not configure the `proxy` parameter for non-proxy service instances. Refer to [Service mesh proxies overview](/consul/docs/connect/proxies) for details about registering your service as a service mesh proxy. Refer to [`kind`](#kind) for information about the types of proxies you can define. Services that you assign proxy roles to are registered as services in the catalog. + +Object that specifies proxy configurations when the service is configured to operate as a proxy in a service mesh. Do not configure the `proxy` parameter for non-proxy service instances. Refer to [Service mesh proxies overview](/consul/docs/connect/proxy) for details about registering your service as a service mesh proxy. Refer to [`kind`](#kind) for information about the types of proxies you can define. Services that you assign proxy roles to are registered as services in the catalog. ### `connect` + Object that configures a Consul service mesh connection. You should only configure the `connect` block of parameters if you are using Consul service mesh. Refer to [Consul Service Mesh](/consul/docs/connect) for additional information. The following table describes the parameters that you can place in the `connect` block: @@ -343,7 +359,7 @@ The following table describes the parameters that you can place in the `connect` | Parameter | Description | Default | | --- | --- | --- | | `native` | Boolean value that advertises the service as a native service mesh proxy. Use this parameter to integrate your application with the `connect` API. Refer to [Service Mesh Native App Integration Overview](/consul/docs/connect/native) for additional information. If set to `true`, do not configure a `sidecar_service`. | `false` | -| `sidecar_service` | Object that defines a sidecar proxy for the service. Do not configure if `native` is set to `true`. Refer to [Deploy sidecar services](/consul/docs/connect/proxies/deploy-sidecar-services) for usage and configuration details. | Refer to [Sidecar service defaults](/consul/docs/connect/proxies/deploy-sidecar-services#sidecar-service-defaults). | +| `sidecar_service` | Object that defines a sidecar proxy for the service. Do not configure if `native` is set to `true`. Refer to [Deploy sidecar services](/consul/docs/reference/proxy/sidecar) for usage and configuration details. | Refer to [Sidecar service defaults](/consul/docs/reference/proxy/sidecar#sidecar-service-defaults). | ### `locality` @@ -360,21 +376,23 @@ The following table describes the parameters you can explicitly configure in the | `zone` | Specifies the availability zone where the Consul agent is running. Consul assigns this value to services registered to that agent. When service proxy regions match, Consul is able to prioritize routes between service instances in the same region and zone over instances in other regions and zones. When healthy service instances are available in multiple zones within the most-local region, Consul prioritizes instances that also match the downstream proxy's `zone`. You must specify values that are consistent with how zones are defined in your network, for example `us-west-1a` for networks in AWS. | String | None | ### weights -Object that configures how a service instance is weighted in a DNS SRV request based on the service's health status. Configuring tells DNS clients to direct more traffic to instances with a higher weight. A use case would be adjusting the weight higher for an instance with large capacity. It could also be used to reduce the load on services with checks in `warning` status by favoring passing instances with a higher weight. + +Object that configures how the service responds to DNS SRV requests based on the service's health status. Configuring allows service instances with more capacity to respond to DNS SRV requests. It also reduces the load on services with checks in `warning` status by giving passing instances a higher weight. You can specify one or more of the following states and configure an integer value indicating its weight: - `passing` - `warning` +- `critical` Larger integer values increase the weight state. Services have the following default weights: - `"passing" : 1` - `"warning" : 1` -Services in a `critical` state are excluded from DNS responses. Services with `warning` checks are included in responses by default. Refer to [Perform Static DNS Queries](/consul/docs/services/discovery/dns-static-lookups) for additional information. +Services in a `critical` state are excluded from DNS responses by default. Services with `warning` checks are included in responses by default. Refer to [Perform Static DNS Queries](/consul/docs/services/discovery/dns-static-lookups) for additional information. -In the following example, DNS SRV queries direct more traffic to service instances in a `passing` state, while instances in a `warning` instance are less favored: +In the following example, service instances in a `passing` state respond to DNS SRV requests, while instances in a `critical` instance can still respond at a lower frequency: @@ -385,7 +403,8 @@ service { port = 6379 weights = { passing = 3 - warning = 1 + warning = 2 + critical = 1 } } ``` @@ -398,7 +417,8 @@ service { "port": 6379, "weights": { "passing": 3, - "warning": 1 + "warning": 2, + "critical": 1 } } } @@ -407,6 +427,7 @@ service { ### token + String value that specifies the ACL token to present when registering the service if ACLs are enabled. The token is required for the service to interact with the service catalog. If [ACLs](/consul/docs/security/acl) and [namespaces](/consul/docs/enterprise/namespaces) are enabled, you can register services scoped to the specific [`namespace`](#namespace) associated with the ACL token in a Consul cluster. @@ -417,7 +438,8 @@ Services registered with a service definition do not inherit the namespace assoc - Default: none ### namespace -String value that specifies the namespace in which to register the service. Refer [Namespaces](/consul/docs/enterprise/namespaces) for additional information. + +String value that specifies the namespace in which to register the service. Refer [Namespaces](/consul/docs/segment/namespace) for additional information. - Type: string - Default: none @@ -668,8 +690,4 @@ service { } ``` - - - - - + \ No newline at end of file diff --git a/website/content/docs/register/external/esm.mdx b/website/content/docs/register/external/esm.mdx new file mode 100644 index 00000000000..6dfac51401c --- /dev/null +++ b/website/content/docs/register/external/esm.mdx @@ -0,0 +1,430 @@ +--- +layout: docs +page_title: Consul External Service Monitor (ESM) +description: >- + Register and health check services with Consul, even when they are running on nodes without a co-located Consul agent. +--- + +# Consul External Service Monitor (ESM) + +Consul enables the registration and discovery of services internal to your +infrastructure as well as external services: third-party SaaS services, and +services running in other environments where it is not possible to run the +Consul agent directly. + +In this tutorial, you will compare the process of registering and health checking +internal and external services using Consul and [Consul ESM](https://github.com/hashicorp/consul-esm) +(External Service Monitor). Before you begin you will want to +[download Consul](/consul/install/). This is the only +prerequisite. + +We will cover: + +- Internal service registration and health checks +- External service registration and health checks +- Using Consul ESM to monitor the health of external services +- A discussion of pull vs. push health checking + +~> This tutorial is an illustration of the differences between internal and +external service monitoring, and is not intended for production use. + +## Start the Consul agent + +For this tutorial, you will deploy a Consul agent running locally in `-dev` mode +with the Consul `-ui` enabled. You'll use the +[`-enable-script-checks`](/consul/docs/agent/config/config-files#_enable_script_checks) +flag to allow simple ping-based health checks, and will specify a node name of +`web` rather than the default of `hostname` to make the examples clearer. + +Begin by starting the Consul agent. + +```shell-session +$ consul agent -dev -enable-script-checks -node=web -ui +``` + +Throughout the tutorial, you will use `curl` to interact with Consul's [HTTP API](/consul/api-docs/) +as well as Consul's Web UI, available at http://localhost:8500/ui. + +~> **Security Warning**: Because [`-enable-script-checks`](/consul/docs/agent/config/config-files#_enable_script_checks) +allows script checks to be registered via HTTP API, it may introduce a +[remote execution vulnerability](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations) +known to be targeted by malware. For production environments, we strongly recommend using +[`-enable-local-script-checks`](/consul/docs/agent/config/config-files#_enable_local_script_checks) +instead, which removes that vulnerability by allowing script checks to only be +defined in the Consul agent's [local configuration files](/consul/docs/agent/config/config-files#_config_dir), +not via HTTP API. + +## Register an internal service with a health check + +First you will register an internal service. Internal services run on the same +node (machine) as a Consul agent. You register internal services via +[service definitions](/consul/docs/services/configuration/services-configuration-overview), +which you supply in configuration files that Consul loads from the Consul +agent's data directory, either when the Consul agent starts, or after the agent +has started via the local HTTP API endpoint at +[`/agent/service/register`](/consul/api-docs/agent/service#register-service). +The local Consul agent is responsible for running any health checks registered +for the service and updating the catalog accordingly. + +Create a file called `web.json` that contains the following configuration: + + + +```json +{ + "id": "web1", + "name": "web", + "port": 80, + "check": { + "name": "ping check", + "args": ["ping", "-c1", "learn.hashicorp.com"], + "interval": "30s", + "status": "passing" + } +} +``` + + + +The above web service will have unique id `web1`, logical name `web`, run on +port `80` and have one health check. + +The health check verifies that the web service can connect to the public +internet by pinging hashicorp.com every 30 seconds. In the case of an actual web +service, you should configure a more useful health check. Consul provides +several kinds of [health checks](/consul/docs/services/usage/checks), +including: Script, HTTP, TCP, Time to Live (TTL), Docker, and gPRC. + +Register the example web service by calling the HTTP API with a PUT request: + +```shell-session +$ curl --request PUT --data @web.json localhost:8500/v1/agent/service/register +``` + +-> If you prefer to register services by providing a configuration file and +restarting the Consul agent, check the [Registering Services](/consul/tutorials/get-started-vms/virtual-machine-gs-service-discovery) +tutorial for instructions. + +Verify that the example web service has been registered, by querying the +[`/catalog/service/:service`](/consul/api-docs/catalog#list-nodes-for-service) +endpoint: + +```shell-session +$ curl localhost:8500/v1/catalog/service/web +[ + { + "ID": "a2ebf70e-f912-54b5-2354-c65e2a2808de", + "Node": "web", + "Address": "127.0.0.1", + "Datacenter": "dc1", + "TaggedAddresses": { + "lan": "127.0.0.1", + "wan": "127.0.0.1" + }, + "NodeMeta": { + "consul-network-segment": "" + }, + "ServiceID": "web1", + "ServiceName": "web", + "ServiceAddress": "", + "ServiceMeta": {}, + "ServicePort": 80, + "ServiceEnableTagOverride": false, + "CreateIndex": 7, + "ModifyIndex": 7 + } +] +``` + +Inspect all the health checks configured for services registered with a given +local node using the +[`/agent/checks/`](/consul/api-docs/agent/check#list-checks) +endpoint: + +```shell-session +$ curl localhost:8500/v1/agent/checks +{ + "service:web1": { + "Node": "web", + "CheckID": "service:web1", + "Name": "ping check", + "Status": "passing", + "Notes": "", + "Output": "PING learn.hashicorp.com (172.217.3.164): 56 data bytes\n64 bytes from 172.217.3.164: icmp_seq=0 ttl=52 time=21.902 ms\n\n--- learn.hashicorp.com ping statistics ---\n1 packets transmitted, 1 packets received, 0.0% packet loss\nround-trip min/avg/max/stddev = 21.902/21.902/21.902/0.000 ms\n", + "ServiceID": "web1", + "ServiceName": "web", + "ServiceTags": [ + "rails" + ], + "Definition": {}, + "CreateIndex": 0, + "ModifyIndex": 0 + } +} +``` + +You can also query the health of individual services with +[`/health/service/:service`](/consul/api-docs/health#list-checks-for-service) +and nodes with +[`/health/node/:node`](/consul/api-docs/health#list-checks-for-node). + +Navigate to your web service in the Consul UI and click on the "Health Checks" +tab for a graphical view of your health check. + +## Register an external service with a health check + +In the context of Consul, external services run on nodes where you cannot run a +local Consul agent. These nodes might be inside your infrastructure (e.g. a +mainframe, virtual appliance, or unsupported platform) or outside of it (e.g. a +SaaS platform). + +Because external services by definition don't have a local Consul agent, you +can't register them with that agent or use it for health checking. Instead, you +must register them directly with the catalog using the +[`/catalog/register`](/consul/api-docs/catalog#register-entity) +endpoint. In contrast to service registration where the object context for the +endpoint is a service, the object context for the catalog endpoint is the node. +In other words, using the `/catalog/register` endpoint registers an entire node, +while the `/agent/service/register` endpoint registers individual services in +the context of a node. + +The configuration for an external service registered directly with the catalog +is slightly different than for an internal service registered via an agent: + +- `Node` and `Address` are both required since they cannot be automatically + determined from the local node Consul agent. + +- Services and health checks are defined separately. + +- If a `ServiceID` is provided that matches the ID of a service on that node, + the check is treated as a service level health check, instead of a node level + health check. + +- The `Definition` field can be provided with details for a TCP or HTTP health + check. For more information, check the [Health Checks](/consul/docs/services/usage/checks) + documentation. + +To understand how external service registration works, register an external +learn service provided by HashiCorp. First create the following configuration +file, `external.json`: + + + +```json +{ + "Node": "hashicorp", + "Address": "learn.hashicorp.com", + "NodeMeta": { + "external-node": "true", + "external-probe": "true" + }, + "Service": { + "ID": "learn1", + "Service": "learn", + "Port": 80 + }, + "Checks": [ + { + "Name": "http-check", + "status": "passing", + "Definition": { + "http": "https://learn.hashicorp.com/consul/", + "interval": "30s" + } + } + ] +} +``` + + + +This configuration defines a node named `hashicorp` available at address +`learn.hashicorp.com/consul/` that provides a `learn` service with an ID of +`learn1` running on port 80. When `Address` is defined, Consul will ping the address by default. It also defines an HTTP-type health check to be run +every 30 seconds and sets an initial state for that check of `passing`. + +Typically external services are registered via nodes dedicated for that purpose +so we'll continue our example using the Consul dev agent (localhost) as if it +were running on a different node (e.g. "External Services") from the one where +our internal `web` service is registered. + +This diagram visualizes the differences between how internal and external +services are registered with Consul: + +![Diagram showing difference between how internal and external services are registered with Consul.](https://www.datocms-assets.com/2885/1531780995-consul-registering-services.png 'Registering internal and external services with Consul') + +Use a PUT request to register the external service. + +```shell-session +$ curl --request PUT --data @external.json localhost:8500/v1/catalog/register +true +``` + +Query the `/catalog/service/:service` endpoint to verify that the external +service registered with the catalog, just like you did for the internal service. + +```shell-session +$ curl localhost:8500/v1/catalog/service/learn +[ + { + "ID": "", + "Node": "hashicorp", + "Address": "learn.hashicorp.com", + "Datacenter": "dc1", + "TaggedAddresses": null, + "NodeMeta": { + "external-node": "true", + "external-probe": "true" + }, + "ServiceID": "learn1", + "ServiceName": "learn", + "ServiceTags": [], + "ServiceAddress": "", + "ServiceMeta": {}, + "ServicePort": 80, + "ServiceEnableTagOverride": false, + "CreateIndex": 246, + "ModifyIndex": 246 + } +] +``` + +In the example of an internal web service, you verified your health check was +active by querying the local agent endpoint `/agent/checks`. If you query this +again after adding our external service, you won't get the health check listed +because it was registered with the service catalog not the local agent. Instead, +you'll need to query a catalog-level endpoint such as +[`/health/service/:service`](/consul/api-docs/health#list-nodes-for-service), +[`/health/node/:node`](/consul/api-docs/health#list-checks-for-node), +or +[`/health/state/:state`](/consul/api-docs/health#list-checks-in-state). +You can, however, verify the service and its health check are listed in the Consul UI. +Because the check is listed we know that there is an entry for it in the +catalog, but because this node and service don't have a local agent to run the +check the node's health will not be monitored. + +## Simulate an outage + +To see the difference between internal and external service health checks query +for node health after simulating an outage. + +To simulate an outage, disconnect from the internet, wait a few moments, and +look at your health checks in the Consul UI. You will see a failing check for +the internal web service, but continue to see the passing check for the external +learn service, even though it can't reach learn.hashicorp.com. Health checks for +both services should fail while disconnected from the internet but only the +check for our internal web service is failing. + +The external service's health check doesn't update with the new failing status, +because Consul's health checks rely on the local Consul agent to report status +changes, and external services don't have local agents. An extra component is +required to keep external service health checks up to date. + +## Monitor the external service with Consul ESM + +[Consul ESM](https://github.com/hashicorp/consul-esm) is a daemon that runs +alongside Consul in order to health check external nodes and update their status +in the catalog. It allows externally registered services and checks to access +the same features as if they were registered locally on Consul agents. You can +run multiple instances of ESM for availability. ESM will perform a leader +election by holding a lock in Consul. The leader will then continually watch +Consul for updates to the catalog and perform health checks defined on any +external nodes it discovers. + +The diagram from earlier is updated to show how Consul ESM works with Consul to +monitor the health of external services: + +![Diagram showing how Consul ESM works with Consul to monitor the health of external services.](https://www.datocms-assets.com/2885/1531780984-consul-consul-esm.png 'Monitoring external services with Consul ESM') + +Consul ESM is provided as a single binary. To install, download the latest +[release](https://releases.hashicorp.com/consul-esm) appropriate for your system +and make it available in your PATH. + +Open a new terminal and start Consul ESM with `consul-esm`. + +```shell-session +$ consul-esm + +2018/06/14 12:50:44 [INFO] Connecting to Consul on 127.0.0.1:8500... +Consul ESM running! + Datacenter: (default) + Service: "consul-esm" + Leader Key: "consul-esm/lock" +Node Reconnect Timeout: "72h0m0s" + +Log data will now stream in as it occurs: + +2018/06/14 12:50:44 [INFO] Waiting to obtain leadership... +2018/06/14 12:50:44 [INFO] Obtained leadership +``` + +If your internet provider does not allow UDP pings you may have to set +`ping_type = "socket"` in a config file and launch `consul-esm` with that config +file. If you are using macOS you will need to run with `sudo`: + +```shell-session +$ sudo consul-esm -config-file=./consul-esm.hcl +``` + +The example external service definition you used included the following +`NodeMeta` values that enable health monitoring by Consul ESM: + +- `"external-node"` identifies the node as an external one that Consul ESM + should monitor. +- `"external-probe": "true"` tells Consul ESM to perform regular + pings to the node and maintain an externalNodeHealth check for the node (similar + to the serfHealth check used by Consul agents). + +Once Consul ESM is running, simulate an outage again by disconnecting from the +internet. Now in Consul UI, you will see that the health checks for the external +service are updated to critical as they should be. + +Consul ESM supports HTTP and TCP health checks. Ping health checks are added +automatically with `"external-probe": "true"`. + +## Discussion: push vs. pull health checking + +Traditional health checking uses a pull model; on a regular interval, the +monitoring server asks all the nodes if they are healthy and the nodes respond +with a status. This makes sure that the status of each node stays up to date, +but creates a bottleneck because as the number of nodes scales, so does the +amount of traffic to the monitoring service. This clogs local network traffic +and puts unnecessary load on the datacenter. + +Consul solves this problem using a push-based model, where agents send events +only upon status changes which keeps the number of requests low. The problem +with this edge-triggered monitoring is that there are no liveness heartbeats. In +the absence of any updates Consul assumes that the server is still healthy, even +if it has died. Consul gets around this by using a gossip-based failure +detector. All datacenter members take part in a background gossip, which has a +constant load regardless of datacenter size. The combination of gossip-based +failure detection and edge-triggered updates allows Consul to scale to very +large datacenter sizes without being heavily loaded. + +By definition, external services don't have a local Consul agent to participate +in gossip, so if the node running an external service dies, Consul won't know +about it. This is why ESM is required for monitoring external services. + +## Next steps + +Internal services are those provided by nodes where the Consul agent can run +directly. They are registered with service definitions via the local Consul +agent. The local Consul agent on the node is responsible for running any health +checks registered for the service and updating the catalog accordingly. + +External services run on nodes where the Consul agent cannot be run. They must +be registered directly with the catalog because, by definition, they don't have +a local Consul agent to register with. + +Both internal and external services can have health checks associated with them. +Health checking in Consul uses a push-based model where agents send events only +upon status changes. Because Consul monitoring requires that a Consul agent be +running on the monitored service, health checks are not performed on external +services. To enable health monitoring for external services, use [Consul +External Service Monitor](https://github.com/hashicorp/consul-esm). + +In this tutorial, you registered both internal and external services with heath +checks, using the Consul ESM to monitor health of the external service. Consul +provides several kinds of health checks including: Script , HTTP, TCP, Time to +Live (TTL), Docker, and gPRC. To learn more about health check options in +Consul, please visit the [health check documentation](/consul/docs/services/usage/checks). diff --git a/website/content/docs/register/external/index.mdx b/website/content/docs/register/external/index.mdx new file mode 100644 index 00000000000..d77e29d79cd --- /dev/null +++ b/website/content/docs/register/external/index.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Register external services overview +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Register external services overview + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/k8s/connect/onboarding-tproxy-mode.mdx b/website/content/docs/register/external/permissive-mtls.mdx similarity index 83% rename from website/content/docs/k8s/connect/onboarding-tproxy-mode.mdx rename to website/content/docs/register/external/permissive-mtls.mdx index 2cb7adfc922..589ed71724d 100644 --- a/website/content/docs/k8s/connect/onboarding-tproxy-mode.mdx +++ b/website/content/docs/register/external/permissive-mtls.mdx @@ -1,20 +1,20 @@ --- layout: docs page_title: Onboard services in transparent proxy mode -description: Learn how to enable permissive mutual transport layer security (permissive mTLS) so that you can safely add services to your service mesh when transparent proxy is enabled in Kubernetes deployments. +description: Learn how to enable permissive mutual transport layer security (permissive mTLS) so that you can safely add services to your service mesh when transparent proxy is enabled in Kubernetes deployments. --- -# Onboard services while in transparent proxy mode +# Onboard services in transparent proxy mode This topic describes how to run Consul in permissive mTLS mode so that you can safely onboard existing applications to Consul service mesh when transparent proxy mode is enabled. ## Background -When [transparent proxy mode](/consul/docs/k8s/connect/transparent-proxy) is enabled, all service-to-service traffic is secured by mTLS. Until the services that you want to add to the network are fully onboarded, your network may have a mix of mTLS and non-mTLS traffic, which can result in broken service-to-service communication. This situation occurs because sidecar proxies for existing mesh services reject traffic from services that are not yet onboarded. +When [transparent proxy mode](/consul/docs/connect/proxy/transparent-proxy) is enabled, all service-to-service traffic is secured by mTLS. Until the services that you want to add to the network are fully onboarded, your network may have a mix of mTLS and non-mTLS traffic, which can result in broken service-to-service communication. This situation occurs because sidecar proxies for existing mesh services reject traffic from services that are not yet onboarded. You can enable the `permissive` mTLS mode to ensure existing non-mTLS service-to-service traffic is allowed during the onboarding phase. The `permissive` mTLS mode enables sidecar proxies to accept both mTLS and non-mTLS traffic to an application. Using this mode enables you to onboard without downtime and without being required to reconfigure or redeploy your application. -We recommend enabling permissive mTLS as a temporary operating mode. After onboarding is complete, you should reconfigure all services to `strict` mTLS mode to ensure all service-to-service communication is automatically secured by Consul service mesh. +We recommend enabling permissive mTLS as a temporary operating mode. After onboarding is complete, you should reconfigure all services to `strict` mTLS mode to ensure all service-to-service communication is automatically secured by Consul service mesh. !> **Security warning**: We recommend that you disable permissive mTLS mode after onboarding services to prevent non-mTLS connections to the service. Intentions are not enforced and encryption is not enabled for non-mTLS connections. @@ -24,18 +24,14 @@ The workflow to configure mTLS settings depends on the applications you are onbo 1. **Configure global settings**: Configure the mesh to allow services to send non-mTLS messages to services outside the mesh. Additionally, configure the mesh to let services in the mesh use permissive mTLS mode. 1. **Enable permissive mTLS mode**: If you are onboarding an upstream service prior to its related downstream services, then enable permissive mTLS mode in the service defaults configuration entry. This allows the upstream service to send encrypted messages from the mesh when you register the service with Consul. -1. **Configure intentions**: Intentions are controls that authorize traffic between services in the mesh. Transparent proxy uses intentions to infer traffic routes between Envoy proxies. Consul does not enforce intentions for non-mTLS connections made while proxies are in permissive mTLS mode, but intentions are necessary for completing the onboarding process. -1. **Register the service**: Create the service definition and configure and deploy its sidecar proxy. +1. **Configure intentions**: Intentions are controls that authorize traffic between services in the mesh. Transparent proxy uses intentions to infer traffic routes between Envoy proxies. Consul does not enforce intentions for non-mTLS connections made while proxies are in permissive mTLS mode, but intentions are necessary for completing the onboarding process. +1. **Register the service**: Create the service definition and configure and deploy its sidecar proxy. 1. **Re-secure the mesh**: If you enabled permissive mTLS mode, switch back to strict mTLS mode and revert the global settings to disable non-mTLS traffic in the service mesh. ## Requirements Permissive mTLS is only supported for services running in transparent proxy mode. Transparent proxy mode is only available on Kubernetes deployments. -## Limitations - -L7 Envoy features such as Intentions and some [Envoy extensions](/consul/docs/connect/proxies/envoy-extensions) are not supported for non-mTLS traffic. - ## Configure global settings Configure Consul to allow services that are already in the mesh to send non-mTLS messages to services outside the mesh. You can also Consul to allow services to run in permissive mTLS mode. Set both configurations in the mesh gateway configuration entry, which is the global configuration that defines service mesh proxy behavior. @@ -79,7 +75,7 @@ spec: -Alternatively, you can selectively allow outgoing traffic on a per-service basis by configuring [outbound port exclusions](/consul/docs/k8s/connect/transparent-proxy/enable-transparent-proxy#exclude-outbound-ports). This setting excludes outgoing traffic from traffic redirection imposed by transparent proxy. When changing this setting, you must redeploy your application. +Alternatively, you can selectively allow outgoing traffic on a per-service basis by configuring [outbound port exclusions](/consul/docs/connect/proxy/transparent-proxy/enable#exclude-outbound-ports). This setting excludes outgoing traffic from traffic redirection imposed by transparent proxy. When changing this setting, you must redeploy your application. ### Allow permissive mTLS modes for incoming traffic @@ -122,13 +118,13 @@ spec: -You can change this setting back to `false` at any time, even if there are services currently running in permissive mode. Doing so allows you to decide at which point during the onboarding process to stop allowing services to use permissive mTLS. When the `MeshDestinationOnly` is set to `false`, you must configure all new services added to the mesh with `MutualTLSMode=strict` for the Consul to securely route traffic throughout the mesh. +You can change this setting back to `false` at any time, even if there are services currently running in permissive mode. Doing so allows you to decide at which point during the onboarding process to stop allowing services to use permissive mTLS. When the `MeshDestinationOnly` is set to `false`, you must configure all new services added to the mesh with `MutualTLSMode=strict` for the Consul to securely route traffic throughout the mesh. -## Enable permissive mTLS mode +## Enable permissive mTLS mode -Depending on the services you are onboarding, you may not need to enable permissive mTLS mode. If the service does not accept incoming traffic or accepts traffic from downstream services that are already part of the service mesh, then permissive mTLS mode is not required to continue. +Depending on the services you are onboarding, you may not need to enable permissive mTLS mode. If the service does not accept incoming traffic or accepts traffic from downstream services that are already part of the service mesh, then permissive mTLS mode is not required to continue. -To enable permissive mTLS mode for the service, set [`MutualTLSMode=permissive`](/consul/docs/connect/config-entries/service-defaults#mutualtlsmode) in the service defaults configuration entry for the service. The following example shows how to configure this setting for a service named `example-service`. +To enable permissive mTLS mode for the service, set [`MutualTLSMode=permissive`](/consul/docs/reference/config-entry/service-default#mutualtlsmode) in the service defaults configuration entry for the service. The following example shows how to configure this setting for a service named `example-service`. @@ -158,19 +154,19 @@ spec: -Refer to the [service defaults configuration reference](/consul/docs/connect/config-entries/service-defaults) for information about all settings. +Refer to the [service defaults configuration reference](/consul/docs/reference/config-entry/service-default) for information about all settings. You can change this setting back to `strict` at any time to ensure mTLS is required for incoming traffic to this service. ## Configure intentions -Service intentions are mechanisms in Consul that control traffic between services in the mesh. +Service intentions are mechanisms in Consul that control traffic between services in the mesh. We recommend creating intentions that restrict services to accepting only necessary traffic. You must identify the downstream services that send messages to the service you want to add to the mesh and then create an intention to allow traffic to the service from its downstreams. When transparent proxy enabled and the `MutualTLSMode` parameter is set to `permissive`, incoming traffic from a downstream service to another upstream service is not secured by mTLS unless that upstream relationship is known to Consul. You must either define an intention so that Consul can infer the upstream relationship from the intention, or you must include an explicit upstream as part of the service definition for the downstream. -Refer to [Service intentions](/consul/docs/connect/intentions) for additional information about how intentions work and how to create them. +Refer to [Service intentions](/consul/docs/secure-mesh/intentions) for additional information about how intentions work and how to create them. ## Add the service to the mesh @@ -178,26 +174,26 @@ Register your service into the catalog and update your application to deploy a s ## Re-secure mesh traffic -If the newly added service was placed in permissive mTLS mode for onboarding, then you should switch to strict mode when it is safe to do so. You should also revert the global settings that allow services to send and receive non-mTLS traffic. +If the newly added service was placed in permissive mTLS mode for onboarding, then you should switch to strict mode when it is safe to do so. You should also revert the global settings that allow services to send and receive non-mTLS traffic. ### Disable permissive mTLS mode Configure the service to operate in strict mTLS mode after the service is no longer receiving incoming non-mTLS traffic. After the downstream services that send messages to this service are all onboarded to the mesh, this service should no longer receive non-mTLS traffic. -Check the following Envoy listener statistics for the sidecar proxy to determine if the sidecar is receiving non-mTLS traffic: +Check the following Envoy listener statistics for the sidecar proxy to determine if the sidecar is receiving non-mTLS traffic: - The `tcp.permissive_public_listener.*` statistics indicate non-mTLS traffic. If these metrics are static over a sufficient period of time, that indicates the sidecar is not receiving non-mTLS traffic. - The `tcp.public_listener.*` statistics indicate mTLS traffic. If incoming traffic is expected to this service and these statistics are changing, then the sidecar is receiving mTLS traffic. -Refer to the [service mesh observability overview](/consul/docs/connect/observability) and [metrics configuration for Consul on Kubernetes documentation](/consul/docs/k8s/connect/observability/metrics) for additional information. +Refer to the [service mesh observability overview](/consul/docs/connect/observability) and [metrics configuration for Consul on Kubernetes documentation](/consul/docs/observe/mesh/k8s) for additional information. If your service is still receiving non-mTLS traffic, complete the following steps to determine the source of the non-mTLS traffic: -1. Verify the list of downstream services. Optionally, you can enable [Envoy access logging](/consul/docs/connect/observability/access-logs) to determine source IP addresses for incoming traffic, and cross-reference those IP addresses with services in your network. +1. Verify the list of downstream services. Optionally, you can enable [Envoy access logging](/consul/docs/observe/access-logs) to determine source IP addresses for incoming traffic, and cross-reference those IP addresses with services in your network. 1. Verify that each downstream is onboarded to the service mesh. If a downstream is not onboarded, consider onboarding it next. 1. Verify that each downstream has an intention that allows it to send traffic to the upstream service. -After you determine it is safe to move the service to strict mode, set `MutualTLSMode=strict` in the service defaults configuration entry. +After you determine it is safe to move the service to strict mode, set `MutualTLSMode=strict` in the service defaults configuration entry. @@ -229,7 +225,7 @@ spec: ### Disable non-mTLS traffic -After all services are onboarded, revert the global settings that allow non-mTLS traffic and verify that permissive mTLS mode is not being used in the mesh. +After all services are onboarded, revert the global settings that allow non-mTLS traffic and verify that permissive mTLS mode is not being used in the mesh. Set `AllowEnablingPermissiveMutualTLS=false` and `MeshDestinationsOnly=true` in the mesh config entry. @@ -270,7 +266,7 @@ spec: -For each namespace, admin partition, and datacenter in your Consul deployment, run the `consul config list` and `consul config read` commands to verify that no services are using `permissive` mTLS mode. +For each namespace, admin partition, and datacenter in your Consul deployment, run the `consul config list` and `consul config read` commands to verify that no services are using `permissive` mTLS mode. The following command returns any service defaults configuration entries that contain `'MutualTLSMode = "permissive"'`: @@ -279,7 +275,7 @@ $ consul config list -kind service-defaults -filter 'MutualTLSMode == "permissiv ``` In each admin partition and datacenter, verify that `MutualTLSMode = "permissive"` is not set in the proxy defaults configuration entry . If `MutualTLSMode` is either empty or if the configuration entry is not found, then the mode is `strict` by default. - + The following command fetches the proxy defaults configuration entry: ```shell-session diff --git a/website/content/docs/register/external/terminating-gateway/deploy.mdx b/website/content/docs/register/external/terminating-gateway/deploy.mdx new file mode 100644 index 00000000000..9f3f11295b5 --- /dev/null +++ b/website/content/docs/register/external/terminating-gateway/deploy.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Deploy terminating gateway +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Deploy terminating gateway + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/register/external/terminating-gateway/index.mdx b/website/content/docs/register/external/terminating-gateway/index.mdx new file mode 100644 index 00000000000..67da7cfb7e4 --- /dev/null +++ b/website/content/docs/register/external/terminating-gateway/index.mdx @@ -0,0 +1,495 @@ +--- +layout: docs +page_title: Connect external services to Consul with terminating gateways +description: >- + Consul terminating gateways give your services the ability to communicate securely with applications and services outside of your service mesh. +--- + +# Connect external services to Consul with terminating gateways + +Consul terminating gateways give your services the ability to communicate securely with applications and services outside of your service mesh. Common use cases include managed services (such as Amazon RDS), legacy services running on an unsupported OS, and hybrid applications transitioning towards the service mesh that require integration testing or are required to maintain compatibility with other legacy systems. This extends the ability to securely connect your applications on any runtime, any cloud, or on-premises environments with Consul. + +Terminating gateways provide service mesh extendability to these scenarios that would otherwise require alternate security and policy enforcement mechanisms. They terminate service mesh mTLS connections, enforce intentions, and forward requests to the appropriate destination. + +In this tutorial, you will deploy a Consul terminating gateway that provides secure communication with a managed AWS RDS instance. You will connect the front end of the HashiCups demo application to the HashiCups backend database on AWS RDS. In the process you will see how this feature provides you with simplified and secure communication to services external to your service mesh. + +## Scenario overview + +HashiCups is a coffee shop demo application. It has a microservices architecture and uses Consul service mesh to securely connect the services. At the beginning of this tutorial, you will use Terraform to deploy the HashiCups microservices, a self-managed Consul cluster on AWS EKS, and a managed AWS RDS instance that contains the HashiCups database. + +![The architecture diagram of the scenario. This shows the Kubernetes environment and the flow of traffic from the client request through the self-managed Consul service mesh and into AWS RDS.](/img/consul/terminating-gateway-architecture-diagram-dark.png#dark-theme-only) +![The architecture diagram of the scenario. This shows the Kubernetes environment and the flow of traffic from the client request through the self-managed Consul service mesh and into AWS RDS.](/img/consul/terminating-gateway-architecture-diagram-light.png#light-theme-only) + +In this tutorial, you will: + +- Deploy the following resources with Terraform: + - Elastic Kubernetes Service (EKS) cluster + - A self-managed Consul datacenter on EKS + - A managed AWS RDS instance + - HashiCups demo application on EKS +- Perform the following Consul procedures: + - Explore the demo application (broken state) + - Review and enable the terminating gateway feature + - Register the AWS RDS instance as a Consul service + - Configure and link the AWS RDS service to the terminating gateway + - Update the service mesh applications to communicate with AWS RDS + - Explore the demo application (working state) + +## Prerequisites + +The tutorial assumes that you are familiar with Consul and its core functionality. If you are new to Consul, refer to the [Consul Getting Started tutorials collection](/consul/tutorials/get-started-kubernetes). + +For this tutorial, you will need: + +- An [AWS account](https://aws.amazon.com/account/) configured for [use with Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration) +- [terraform >= 1.0](/terraform/tutorials/aws-get-started/install-cli) +- [consul >= 1.17.0](/consul/downloads/) +- [consul-k8s >= 1.2.1](/consul/docs/k8s/installation/install-cli) +- [helm >= 3.0](https://helm.sh/docs/using_helm/) +- [git >= 2.0](https://git-scm.com/downloads) +- [kubectl > 1.24](https://kubernetes.io/docs/tasks/tools/install-kubectl/) + +## Clone GitHub repository + +Clone the [GitHub repository](https://github.com/hashicorp-education/learn-consul-terminating-gateways) containing the configuration files and resources. + +```shell-session +$ git clone https://github.com/hashicorp-education/learn-consul-terminating-gateways.git +``` + +Change into the directory that contains the complete configuration files for this tutorial. + +```shell-session +$ cd learn-consul-terminating-gateways/self-managed/eks +``` + +## Review repository contents + +This repository contains Terraform configuration to spin up the initial infrastructure and all files to deploy Consul, the demo application, and the observability suite resources. + +The `eks` directory contains the following Terraform configuration files: + +- `aws-vpc.tf` defines the AWS VPC resources +- `aws-lambda.tf` defines the AWS Lambda resources +- `aws-rds.tf` defines the AWS RDS resources +- `eks-cluster.tf` defines Amazon EKS cluster deployment resources +- `eks-consul.tf` defines the self-managed Consul deployment +- `eks-hashicups-with-consul.tf` defines the HashiCups resources +- `providers.tf` defines AWS and Kubernetes provider definitions for Terraform +- `variables.tf` defines variables you can use to customize the tutorial + +The directory also contains the following subdirectories: + +- `api-gw` contains the Kubernetes configuration files for the Consul API gateway +- `hashicups` contains the Kubernetes configuration files for HashiCups +- `config` contains the custom Consul ACL configuration file, AWS Lambda database initialization function, and terminating gateway configuration files +- `helm` contains the Helm charts for Consul + +## Deploy infrastructure and demo application + +With these Terraform configuration files, you are ready to deploy your infrastructure. +Initialize your Terraform configuration to download the necessary providers and modules. +```shell-session +$ terraform init +Initializing the backend... +Initializing provider plugins... +## ... +Terraform has been successfully initialized! +## … +``` + +Then, deploy the resources. Confirm the run by entering yes. + +```shell-session +$ terraform apply +## ... +Do you want to perform these actions? +Terraform will perform the actions described above. +Only 'yes' will be accepted to approve. +Enter a value: yes +## ... +Apply complete! Resources: 103 added, 0 changed, 0 destroyed. +``` +The Terraform deployment could take up to 15 minutes to complete. + +### Connect to your infrastructure + +Now that you have deployed the Kubernetes cluster, configure `kubectl` to interact with it. + +```shell-session +$ aws eks --region $(terraform output -raw region) update-kubeconfig --name $(terraform output -raw kubernetes_cluster_id) +``` + +### Configure your CLI to interact with Consul datacenter + +In this section, you will set environment variables in your terminal so your Consul CLI can interact with your Consul datacenter. The Consul CLI reads these environment variables for behavior defaults and will reference these values when you run `consul` commands. + +Set the Consul destination address. + +```shell-session +$ export CONSUL_HTTP_ADDR=https://$(kubectl get services/consul-ui --namespace consul -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') +``` + +Retrieve the ACL bootstrap token from the respective Kubernetes secret and set it as an environment variable. + +```shell-session +$ export CONSUL_HTTP_TOKEN=$(kubectl get --namespace consul secrets/consul-bootstrap-acl-token --template={{.data.token}} | base64 -d) +``` + +Export the Consul CA certificate to use for TLS communication with Consul. + +```shell-session +$ kubectl get --namespace consul secrets/consul-ca-cert -o json | jq -r '.data."tls.crt"' | base64 -d > ca.crt && \ +export CONSUL_CACERT=ca.crt +``` + +Set the server name to use as the SNI host for connecting to Consul via TLS. + +```shell-session +$ export CONSUL_TLS_SERVER_NAME=server.dc1.consul +``` + +Run the `consul catalog services` CLI command to print all known services in your Consul catalog. + +```shell-session +$ consul catalog services +api-gateway +consul +frontend +frontend-sidecar-proxy +nginx +nginx-sidecar-proxy +payments +payments-sidecar-proxy +product-api +product-api-sidecar-proxy +public-api +public-api-sidecar-proxy +``` + +## Explore the demo application (broken state) + +In this section, you will visit your demo application to explore the HashiCups UI. + +Retrieve the Consul API gateway public DNS address. + +```shell-session +$ export CONSUL_APIGW_ADDR=http://$(kubectl get svc/api-gateway -o json | jq -r '.status.loadBalancer.ingress[0].hostname') && echo $CONSUL_APIGW_ADDR +http://a4cc3e77d86854fe4bbcc9c62b8d381d-221509817.us-west-2.elb.amazonaws.com +``` + +Open the Consul API gateway's URL in your browser and explore the HashiCups UI. Notice that HashiCups is in a broken state and unable to retrieve coffees from the backend product database. This behavior is expected since the HashiCups frontend services within the Consul service mesh cannot securely communicate with the external backend product database (on AWS RDS) by default. + +![HashiCups in a dysfunctional state. No coffees are displayed on the screen. A message is displayed in the center of the UI stating "unable to query all coffees". ](/img/consul/hashicups-error-coffees.png) + +## Enable Consul terminating gateway + +Consul terminating gateways are egress proxies that provide your service mesh applications connectivity to external destinations by terminating mTLS connections, enforcing Consul intentions, and forwarding requests to appropriate destination services. + +In this section, you will review the parameters that enable this feature and update your Consul installation to apply the new configuration. + +### Review the Consul values file + +Review the highlighted lines in the values file below to see the parameters that enable terminating gateways. + + + +```yaml +## … +## ... +# Configures and installs the Consul terminating gateway. +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: true +``` + + + +Refer to the [Consul metrics for Kubernetes documentation](/consul/docs/k8s/connect/observability/metrics) and official [Helm chart values](/consul/docs/k8s/helm#configuration-values) to learn more about metrics configuration options and details. + + + + +Update Consul in your Kubernetes cluster with Consul K8S CLI to deploy a terminating gateway. Confirm the run by entering `y`. + +```shell-session +$ consul-k8s upgrade -config-file=helm/consul-v2-terminating-gw.yaml +``` + +Refer to the [Consul K8S CLI documentation](/consul/docs/k8s/k8s-cli) to learn more about additional settings. + + + + +Update Consul in your Kubernetes cluster with Helm to deploy a terminating gateway. + +```shell-session +$ helm upgrade --values consul-v2-terminating-gw.yaml consul hashicorp/consul --namespace consul --version "1.2.1" +``` + + + + +The Consul update could take up to 5 minutes to complete. + +Review the official [Helm chart values](/consul/docs/k8s/helm#configuration-values) to learn more about these settings. + +Verify the Consul terminating gateway successfully deployed in your environment. + +```shell-session +$ kubectl get pods --namespace consul +NAME READY STATUS RESTARTS AGE +consul-connect-injector-7869cf6f69-sqqb4 1/1 Running 0 7m58s +consul-server-0 1/1 Running 0 5m40s +consul-server-1 1/1 Running 0 6m41s +consul-server-2 1/1 Running 0 7m56s +consul-terminating-gateway-d6bfbf5fd-4km4x 1/1 Running 0 7m57s +consul-webhook-cert-manager-7646f7456d-l2z8w 1/1 Running 0 7m57s +``` +## Register the AWS RDS instance as a Consul service + +To reach external services through the Consul terminating gateway, the external service must be registered in the Consul catalog. + +In this section, you will create the Consul service configuration file for your AWS RDS instance and register it in the Consul catalog with the name `managed-aws-rds`. +Retrieve the AWS RDS private DNS address and set it as an environment variable. + +```shell-session +$ export AWS_RDS_ENDPOINT=$(terraform output -raw aws_rds_endpoint) && \ +echo $AWS_RDS_ENDPOINT +``` + +Create a custom Consul service configuration file for `managed-aws-rds` with `envsubst`. This will fill all placeholders with your unique AWS RDS private DNS address. + +```shell-session +$ envsubst < config/external-service.template > config/external-service.json +``` + +Review your unique Consul service configuration file. + + + +```json +{ + "Node": "AWS RDS", + "Address": "learn-consul-4yyx.cvjehh8zzfhg.us-west-2.rds.amazonaws.com", + "NodeMeta": { + "external-node": "true", + "external-probe": "true" + }, + "Service": { + "ID": "managed-aws-rds", + "Service": "managed-aws-rds", + "Tags": ["external", "postgres"], + "Port": 5432 + } +} +``` + + + +Refer to the [Consul services configuration documentation](/consul/docs/services/configuration/services-configuration-reference) to learn more about Consul service configuration options and details. + +Register `managed-aws-rds` as a service in Consul. + +```shell-session +$ curl -k \ + --request PUT \ + --data @config/external-service.json \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + $CONSUL_HTTP_ADDR/v1/catalog/register +``` + +Apply the Consul service defaults for the external `managed-aws-rds`service. The configuration in `service-defaults.yaml` creates a [virtual service](/consul/docs/k8s/l7-traffic/route-to-virtual-services) in Consul, which allows the services within your service mesh to communicate with the external service using Consul DNS. + +```shell-session +$ kubectl apply --filename config/service-defaults.yaml +``` + +Confirm that Consul can successfully resolve your external service. + +```shell-session +$ kubectl exec -it svc/consul-server --namespace consul -- /bin/sh -c "nslookup -port=8600 managed-aws-rds.virtual.consul 127.0.0.1" +Defaulted container "consul" out of: consul, locality-init (init) +Server: 127.0.0.1 +Address: 127.0.0.1:8600 + +Name: managed-aws-rds.virtual.consul +Address: 240.0.0.6 + +Name: managed-aws-rds.virtual.consul +Address: 240.0.0.6 +``` + +Notice that `managed-aws-rds.virtual.consul` resolves to a multicast IP address, which facilitates one-to-many communication for all instances of the `managed-aws-rds` Consul service. + +## Configure and link the AWS RDS service to the terminating gateway + +To begin routing traffic to external services, you must configure the Consul security systems and link your external service to the terminating gateway. + +In this section, you will configure Consul ACLs and intentions to allow secure communication between the services within your mesh, the terminating gateway, and the external `managed-aws-rds` service. You will then link your external `managed-aws-rds` service to the terminating gateway. + +First, create a custom ACL policy that allows the terminating gateway to communicate with the `managed-aws-rds` service. + +```shell-session +$ consul acl policy create -name "managed-aws-rds-write-policy" \ + -datacenter "dc1" \ + -rules @config/write-acl-policy.hcl +``` + +Example output: + + + +```log +ID: 56cd0458-2115-3722-22a5-aee974a4edb8 +Name: managed-aws-rds-write-policy +Description: +Datacenters: +Rules: +# Set write access for external managed-aws-rds service +service "managed-aws-rds" { +policy = "write" +intentions = "read" +} +``` + + + +Review the [Consul ACL Policies](/consul/docs/security/acl/acl-policies) documentation to learn more. + +Retrieve the terminating gateway ACL role ID and set it as an environment variable. + +```shell-session +$ export TGW_ACL_ROLE_ID=$(consul acl role list -format=json | jq --raw-output '[.[] | select(.Name | endswith("-terminating-gateway-acl-role"))] | if (. | length) == 1 then (. | first | .ID) else "Unable to determine the role ID because there are multiple roles matching this name.\n" | halt_error end') +``` + +Attach your custom ACL policy to the terminating gateway role. + +```shell-session +$ consul acl role update -id $TGW_ACL_ROLE_ID \ + -datacenter "dc1" \ + -policy-name managed-aws-rds-write-policy +``` + +Example output: + + + +```log +ID: af87a7bb-660b-8d7b-39ea-e909c13779e7 +Name: consul-terminating-gateway-acl-role +Description: ACL Role for consul-terminating-gateway +Policies: +054eccc4-e379-6aa7-a36d-ebf0fd0ce02f - terminating-gateway-policy +56cd0458-2115-3722-22a5-aee974a4edb8 - managed-aws-rds-write-policy +``` + + + +Create an intention that allows communication from the `product-api` service to the `managed-aws-rds` service. This intention allows traffic to flow from the HashiCups frontend services to the HashiCups backend database service. + +```shell-session +$ kubectl apply --filename config/service-intentions.yaml +serviceintentions.consul.hashicorp.com/managed-aws-rds created +``` + +Deploy the terminating gateway for the `managed-aws-rds` by applying the `terminating-gateway.yaml` CRD to your cluster. + +```shell-session +$ kubectl apply --filename config/terminating-gateway.yaml +terminatinggateway.consul.hashicorp.com/terminating-gateway created +``` + +## Update your service mesh applications to communicate with external services + +To configure your service mesh applications, the respective Consul virtual address must be configured into the relevant application connection parameter. + +In this section, you will deploy the `product-api` service mesh application to communicate with the external `managed-aws-rds` virtual service. + +Open your `config/products-api` deployment configuration file and review the `ConfigMap` section of the deployment. + + + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: db-configmap + namespace: default +data: + config: | + { + "db_connection": "host=managed-aws-rds.virtual.consul port=5432 user=postgres password=password dbname=products sslmode=disable", + "bind_address": ":9090", + "metrics_address": ":9103" + } +##.. +``` + + + +Notice how the database connection string for this HashiCups service includes the `managed-aws-rds.virtual.consul` Consul DNS address. + + + +The placement of the external service's virtual address is unique to the application. This scenario uses PostgreSQL as the HashiCups database. + + + +Deploy the `product-api` service. + +```shell-session +$ kubectl apply -f config/product-api.yaml +configmap/db-configmap created +service/product-api created +serviceaccount/product-api created +servicedefaults.consul.hashicorp.com/product-api created +deployment.apps/product-api created +``` + +## Explore demo application (working state) + +Open the HashiCup's URL in your browser and refresh the HashiCups UI. + +```shell-session +$ echo $CONSUL_APIGW_ADDR +http://a4cc3e77d86854fe4bbcc9c62b8d381d-221509817.us-west-2.elb.amazonaws.com +``` + +![HashiCups in a state where all services are functional. An array of HashiCorp themed coffees are displayed in the UI.](/img/consul/hashicups-consul.png) + +Notice that the HashiCups UI functions correctly. You have successfully connected the HashiCups frontend to the external HashiCups backend database on AWS RDS using Consul terminating gateway. + +## Clean up resources + +Destroy the Terraform resources to clean up your environment. Confirm the destroy operation by inputting `yes`. + +```shell-session +$ terraform destroy + +## ... +Do you really want to destroy all resources? + Terraform will destroy all your managed infrastructure, as shown above. + There is no undo. Only 'yes' will be accepted to confirm. + +Enter a value: yes + +## ... + +Destroy complete! Resources: 0 added, 0 changed, 103 destroyed. +``` + + + +Due to race conditions with the cloud resources in this tutorial, you may need to run the `destroy` operation twice to remove all the resources. + + + +## Next steps + +In this tutorial, you deployed and configured a Consul terminating gateway to extend secure communication to services outside of your Consul service mesh. This integration offers increased simplicity for network, security, and policy uniformity. It also provides reduced operational overhead and ease of adoption for legacy services. + +For more information about the topics covered in this tutorial, refer to the following resources: + +- [Terminating gateway docs](/consul/tutorials/developer-mesh/service-mesh-terminating-gateways) +- [Consul on Kubernetes docs](/consul/docs/k8s) diff --git a/website/content/docs/k8s/connect/terminating-gateways.mdx b/website/content/docs/register/external/terminating-gateway/k8s.mdx similarity index 81% rename from website/content/docs/k8s/connect/terminating-gateways.mdx rename to website/content/docs/register/external/terminating-gateway/k8s.mdx index 4cac88da67b..584c3f2419d 100644 --- a/website/content/docs/k8s/connect/terminating-gateways.mdx +++ b/website/content/docs/register/external/terminating-gateway/k8s.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Configure Terminating Gateways for Consul on Kubernetes +page_title: Terminating gateway Kubernetes overview description: >- Terminating gateways send secure requests from the service mesh to locations outside of the Kubernetes cluster. Learn how to configure terminating gateways for k8s, register external services in Consul’s service catalog, and define external sources as upstreams in your service mesh. --- -# Configure Terminating Gateways for Consul on Kubernetes +# Configure terminating gateway to register an external service on Kubernetes Adding a terminating gateway is a multi-step process: @@ -17,7 +17,7 @@ Adding a terminating gateway is a multi-step process: ## Requirements - [Consul](/consul/docs/install#install-consul) -- [Consul on Kubernetes CLI](/consul/docs/k8s/k8s-cli) +- [Consul on Kubernetes CLI](/consul/docs/reference-cli/consul-k8s) - Familiarity with [Terminating Gateways](/consul/docs/connect/gateways/terminating-gateway) ## Update the Helm chart with terminating gateway configuration options @@ -37,7 +37,7 @@ terminatingGateways: ## Deploying the Helm chart -The Helm chart may be deployed using the [Consul on Kubernetes CLI](/consul/docs/k8s/k8s-cli). +The Helm chart may be deployed using the [Consul on Kubernetes CLI](/consul/docs/reference-cli/consul-k8s). ```shell-session $ consul-k8s install --config-file values.yaml @@ -84,30 +84,24 @@ $ export CONSUL_HTTP_TOKEN=$(kubectl get secret consul-bootstrap-acl-token --tem ## Register external services with Consul - - -Consul on Kubernetes now supports the `Registration` CRD to register services running on external nodes with a terminating gateway. We recommend registering services with this CRD. For more information, refer to [Register services running on external nodes to Consul on Kubernetes](/consul/docs/k8s/deployment-configurations/external-service). - - - Registering the external services with Consul is a multi-step process: - Register external services with Consul - Update the terminating gateway ACL token if ACLs are enabled -- Create a [`TerminatingGateway`](/consul/docs/connect/config-entries/terminating-gateway) resource to configure the terminating gateway -- Create a [`ServiceIntentions`](/consul/docs/connect/config-entries/service-intentions) resource to allow access from services in the mesh to external service +- Create a [`TerminatingGateway`](/consul/docs/reference/config-entry/terminating-gateway) resource to configure the terminating gateway +- Create a [`ServiceIntentions`](/consul/docs/reference/config-entry/service-intention) resource to allow access from services in the mesh to external service - Define upstream annotations for any services that need to talk to the external services ### Register external services with Consul You may register an external service with Consul using `ServiceDefaults` if [`TransparentProxy`](/consul/docs/connect/transparent-proxy) is enabled. Otherwise, -you may register the service as a node in the Consul catalog using the [`Registration` CRD](/consul/docs/connect/config-entries/registration). +you may register the service as a node in the Consul catalog. -The [`destination`](/consul/docs/connect/config-entries/service-defaults#terminating-gateway-destination) field of the `ServiceDefaults` Custom Resource Definition (CRD) allows clients to dial an external service directly. For this method to work, [`TransparentProxy`](/consul/docs/connect/transparent-proxy) must be enabled. +The [`destination`](/consul/docs/reference/config-entry/service-default#terminating-gateway-destination) field of the `ServiceDefaults` Custom Resource Definition (CRD) allows clients to dial an external service directly. For this method to work, [`TransparentProxy`](/consul/docs/connect/transparent-proxy) must be enabled. The following table describes traffic behaviors when using the `destination` field to route traffic through a terminating gateway: @@ -125,7 +119,7 @@ The following table describes traffic behaviors when using the `destination` fie You can provide a `caFile` to secure traffic that connect to external services through the terminating gateway. Refer to [Create the configuration entry for the terminating gateway](#create-the-configuration-entry-for-the-terminating-gateway) for details. --> **Note:** Regardless of the `protocol` specified in the `ServiceDefaults`, [L7 intentions](/consul/docs/connect/config-entries/service-intentions#permissions) are not currently supported with `ServiceDefaults` destinations. +-> **Note:** Regardless of the `protocol` specified in the `ServiceDefaults`, [L7 intentions](/consul/docs/reference/config-entry/service-intention#permissions) are not currently supported with `ServiceDefaults` destinations. Create a `ServiceDefaults` custom resource for the external service: @@ -262,7 +256,7 @@ Policies: ### Create the configuration entry for the terminating gateway -Once the roles have been updated, create the [TerminatingGateway](/consul/docs/connect/config-entries/terminating-gateway) +Once the roles have been updated, create the [TerminatingGateway](/consul/docs/reference/config-entry/terminating-gateway) resource to configure the terminating gateway: @@ -279,9 +273,9 @@ spec: -If TLS is enabled for external services registered through the Consul catalog and you are not using [transparent proxy `destination`](#register-an-external-service-as-a-destination), you must include the [`caFile`](/consul/docs/connect/config-entries/terminating-gateway#cafile) parameter that points to the system trust store of the terminating gateway container. +If TLS is enabled for external services registered through the Consul catalog and you are not using [transparent proxy `destination`](#register-an-external-service-as-a-destination), you must include the [`caFile`](/consul/docs/reference/config-entry/terminating-gateway#cafile) parameter that points to the system trust store of the terminating gateway container. By default, the trust store is located in the `/etc/ssl/certs/ca-certificates.crt` directory. -Configure the [`caFile`](/consul/docs/connect/config-entries/terminating-gateway#cafile) parameter in the `TerminatingGateway` config entry to point to the `/etc/ssl/cert.pem` directory if TLS is enabled and you are using one of the following components: +Configure the [`caFile`](/consul/docs/reference/config-entry/terminating-gateway#cafile) parameter in the `TerminatingGateway` config entry to point to the `/etc/ssl/cert.pem` directory if TLS is enabled and you are using one of the following components: - Consul Helm chart 0.43 or older - An Envoy image with an alpine base image @@ -291,7 +285,7 @@ Apply the `TerminatingGateway` resource with `kubectl apply`: $ kubectl apply --filename terminating-gateway.yaml ``` -If using ACLs and TLS, create a [`ServiceIntentions`](/consul/docs/connect/config-entries/service-intentions) resource to allow access from services in the mesh to the external service: +If using ACLs and TLS, create a [`ServiceIntentions`](/consul/docs/reference/config-entry/service-intention) resource to allow access from services in the mesh to the external service: @@ -310,7 +304,7 @@ spec: --> **NOTE**: [L7 Intentions](/consul/docs/connect/config-entries/service-intentions#permissions) are not currently supported for `ServiceDefaults` destinations. +-> **NOTE**: [L7 Intentions](/consul/docs/reference/config-entry/service-intention#permissions) are not currently supported for `ServiceDefaults` destinations. Apply the `ServiceIntentions` resource with `kubectl apply`: @@ -323,57 +317,6 @@ $ kubectl apply --filename service-intentions.yaml As a final step, you may define and deploy the external services as upstreams for the internal mesh services that wish to talk to them. An example deployment is provided which will serve as a static client for the terminating gateway service. - - - - - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: static-client -spec: - selector: - app: static-client - ports: - - port: 80 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: static-client ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: static-client -spec: - replicas: 1 - selector: - matchLabels: - app: static-client - template: - metadata: - name: static-client - labels: - app: static-client - annotations: - 'consul.hashicorp.com/connect-inject': 'true' - spec: - containers: - - name: static-client - image: curlimages/curl:latest - command: ['/bin/sh', '-c', '--'] - args: ['while true; do sleep 30; done;'] - serviceAccountName: static-client -``` - - - - - - ```yaml @@ -420,9 +363,6 @@ spec: - - - Deploy the service with `kubectl apply`. ```shell-session @@ -453,5 +393,4 @@ $ kubectl exec deploy/static-client -- curl -vvvs --header "Host: example-https. ``` - - + \ No newline at end of file diff --git a/website/content/docs/services/services.mdx b/website/content/docs/register/index.mdx similarity index 83% rename from website/content/docs/services/services.mdx rename to website/content/docs/register/index.mdx index 116193afe36..4259beaeff1 100644 --- a/website/content/docs/services/services.mdx +++ b/website/content/docs/register/index.mdx @@ -1,15 +1,15 @@ --- layout: docs -page_title: Services overview +page_title: Register services overview description: >- Learn about services and service discovery workflows and concepts for virtual machine environments. --- -# Services overview +# Register services overview This topic provides overview information about services and how to make them discoverable in Consul when your network operates on virtual machines. If service mesh is enabled in your network, refer to the following articles for additional information about connecting services in a mesh: -- [How Service Mesh Works](/consul/docs/connect/connect-internals) +- [How Service Mesh Works](/consul/docs/concepts/service-mesh) - [How Consul Service Mesh Works on Kubernetes](/consul/docs/k8s/connect) ## Introduction @@ -22,28 +22,27 @@ You can define and register services with Consul, which makes them discoverable For service discovery, the core Consul workflow for services consists of three stages: -1. **Define services and health checks**: A service definition lets you define various aspects of the service, including how it is discovered by other services in the network. You can define health checks in the service definitions to verify the health of the service. Refer to [Define Services](/consul/docs/services/usage/define-services) and [Define Health Checks](/consul/docs/services/usage/checks) for additional information. +1. **Define services and health checks**: A service definition lets you define various aspects of the service, including how it is discovered by other services in the network. You can define health checks in the service definitions to verify the health of the service. Refer to [Define Services](/consul/docs/register/service/vm/define) and [Define Health Checks](/consul/docs/register/service/vm/health-checks) for additional information. -1. **Register services and health checks**: After defining your services and health checks, you must register them with a Consul agent. Refer to [Register Services and Health Checks](/consul/docs/services/usage/register-services-checks) for additional information. +1. **Register services and health checks**: After defining your services and health checks, you must register them with a Consul agent. Refer to [Register Services and Health Checks](/consul/docs/register/service/vm) for additional information. 1. **Query for services**: After registering your services and health checks, other services in your network can use the DNS to perform static or dynamic lookups to access your service. Refer to [DNS Usage Overview](/consul/docs/services/discovery/dns-overview) for additional information about the different ways to discover services in your datacenters. - ## Service mesh use cases Consul redirects service traffic through sidecar proxies if you use Consul service mesh. As a result, you must specify upstream configurations in service definitions. The service mesh experience is different for virtual machine (VM) and Kubernetes environments. ### Virtual machines -You must define upstream services in the service definition. Consul uses the upstream configuration to bind the service with its upstreams. After registering the service, you must start a sidecar proxy on the VM to enable mesh connectivity. Refer to [Deploy sidecar services](/consul/docs/connect/proxies/deploy-sidecar-services) for additional information. +You must define upstream services in the service definition. Consul uses the upstream configuration to bind the service with its upstreams. After registering the service, you must start a sidecar proxy on the VM to enable mesh connectivity. Refer to [Deploy sidecar services](/consul/docs/reference/proxy/sidecar) for additional information. ### Kubernetes If you use Consul on Kubernetes, enable the service mesh injector in your Consul Helm chart and Consul automatically adds a sidecar to each of your pods using the Kubernetes `Service` definition as a reference. You can specify upstream annotations in the `Deployment` definition to bind upstream services to the pods. -Refer to [`connectInject`](/consul/docs/k8s/connect#installation-and-configuration) and [the upstreams annotation documentation](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) for additional information. +Refer to [`connectInject`](/consul/docs/k8s/connect#installation-and-configuration) and [the upstreams annotation documentation](/consul/docs/reference/k8s/annotation-label#consul-hashicorp-com-connect-service-upstreams) for additional information. ### Multiple services You can define common characteristics for services in your mesh, such as the admin partition, namespace, or upstreams, by creating and applying a `service-defaults` configuration entry. You can also define override configurations for specific upstreams or service instances. To use `service-defaults` configuration entries, you must enable Consul service mesh in your network. -Refer to [Define Service Defaults](/consul/docs/services/usage/define-services#define-service-defaults) for additional information. +Refer to [Define Service Defaults](/consul/docs/register/service/vm/define#define-service-defaults) for additional information. diff --git a/website/content/docs/ecs/enterprise.mdx b/website/content/docs/register/service/ecs/enterprise.mdx similarity index 100% rename from website/content/docs/ecs/enterprise.mdx rename to website/content/docs/register/service/ecs/enterprise.mdx diff --git a/website/content/docs/ecs/deploy/terraform.mdx b/website/content/docs/register/service/ecs/index.mdx similarity index 89% rename from website/content/docs/ecs/deploy/terraform.mdx rename to website/content/docs/register/service/ecs/index.mdx index 5d5574a967f..27c7d66ab8b 100644 --- a/website/content/docs/ecs/deploy/terraform.mdx +++ b/website/content/docs/register/service/ecs/index.mdx @@ -1,27 +1,27 @@ --- layout: docs -page_title: Deploy Consul to ECS using the Terraform module +page_title: Register services on ECS automatically with Terraform description: >- - Terraform modules simplify the process to install Consul on Amazon Web Services ECS. Learn how to create task definitions, schedule tasks for your service mesh, and configure routes with example configurations so that you can Deploy Consul to ECS using Terraform. + Consul documentation provides reference material for all features and options available in Consul. --- -# Deploy Consul to ECS using the Terraform module +# Register services on ECS automatically with Terraform This topic describes how to create a Terraform configuration that deploys Consul service mesh to your ECS cluster workloads. Consul server agents do not run on ECS and must be deployed to another runtime, such as EKS, and connected to your ECS workloads. Refer [Consul on AWS Elastic Container Service overview](/consul/docs/ecs) for additional information. ## Overview -Create a Terraform configuration file that includes the ECS task definition and Terraform modules that build the Consul service mesh components. The task definition is the ECS blueprint for your software services on AWS. Refer to the [ECS task definitions documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html) for additional information. +Create a Terraform configuration file that includes the ECS task definition and Terraform modules that build the Consul service mesh components. The task definition is the ECS blueprint for your software services on AWS. Refer to the [ECS task definitions documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html) for additional information. You can add the following modules and resources to your Terraform configuration: -- `mesh-task` module: Adds the Consul ECS control-plane and Consul dataplane containers to the task definition along with your application container. Envoy runs as a subprocess within the Consul dataplane container. +- `mesh-task` module: Adds the Consul ECS control-plane and Consul dataplane containers to the task definition along with your application container. Envoy runs as a subprocess within the Consul dataplane container. - `aws_ecs_service` resource: Adds an ECS service to run and maintain your task instance. - `gateway-task` module: Adds mesh gateway containers to the cluster. Mesh gateways enable service-to-service communication across different types of network areas. -To enable Consul security features for your production workloads, you must also deploy the `controller` module, which provisions ACL tokens for service mesh tasks. +To enable Consul security features for your production workloads, you must also deploy the `controller` module, which provisions ACL tokens for service mesh tasks. -After defining your Terraform configuration, use `terraform apply` to deploy Consul to your ECS cluster. +After defining your Terraform configuration, use `terraform apply` to deploy Consul to your ECS cluster. ## Requirements @@ -33,16 +33,15 @@ After defining your Terraform configuration, use `terraform apply` to deploy Con You must meet the following requirements and prerequisites to enable security features in Consul service mesh: -- Enable [TLS encryption](/consul/docs/security/encryption#rpc-encryption-with-tls) on your Consul servers so that they can communicate securely with Consul containers over gRPC. -- Enable [access control lists (ACLs)](/consul/docs/security/acl) on your Consul servers. ACLs provide authentication and authorization for access to Consul servers on the mesh. +- Enable [TLS encryption](/consul/docs/secure-consul/encryption#rpc-encryption-with-tls) on your Consul servers so that they can communicate securely with Consul containers over gRPC. +- Enable [access control lists (ACLs)](/consul/docs/secure-consul/acl) on your Consul servers. ALCs provide authentication and authorization for access to Consul servers on the mesh. - You should be familiar with specifying sensitive data on ECS. Refer to [Passing sensitive data to a container](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the AWS documentation for additional information. -Additionally, Consul requires a unique IAM role for each ECS task family. Task IAM roles cannot be shared by different task families because the task family is unique to each Consul service. +Additionally, Consul requires a unique IAM role for each ECS task family. Task IAM roles cannot be shared by different task families because the task family is unique to each Consul service. You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the following resources for additional information: -- [Create a service token](/consul/docs/security/acl/tokens/create/create-a-service-token) -- [Day 1: Security tutorial](https://developer.hashicorp.com/consul/tutorials/security) +- [Create a service token](/consul/docs/secure-consul/acl/token/service-token) ## Create the task definition @@ -53,7 +52,7 @@ Create a Terraform configuration file and add your ECS task definition. The task Add a `module` block to your Terraform configuration and specify the following fields: - `source`: Specifies the location of the `mesh-task` module. This field must be set to `hashicorp/consul-ecs/aws//modules/mesh-task`. The `mesh-task` module automatically adds the Consul service mesh infrastructure when you apply the Terraform configuration. -- `version`: Specifies the version of the `mesh-task` module to use. +- `version`: Specifies the version of the `mesh-task` module to use. - `family`: Specifies the [ECS task definition family](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#family). Consul also uses the `family` value as the Consul service name by default. - `container_definitions`: Specifies a list of [container definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definitions) for the task definition. This field is where you include your application containers. @@ -99,7 +98,7 @@ The following fields are required. Refer to the [module reference documentation] ## Configure Consul server settings -Provide Consul server connection settings to the mesh task module so that the module can configure the control-plane and ECS controller containers to connect to the servers. +Provide Consul server connection settings to the mesh task module so that the module can configure the control-plane and ECS controller containers to connect to the servers. 1. In your `variables.tf` file, define variables for the host URL and the TLS settings for gRPC and HTTP traffic. Refer to the [mesh task module reference](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/gateway-task?tab=inputs) for information about the variables you can define. In the following example, the Consul server address is defined in the `consul_server_hosts` variable: @@ -121,13 +120,13 @@ Provide Consul server connection settings to the mesh task module so that the mo ] ``` - When you apply the configuration, the mesh task module interpolates the server configuration variables, builds a `config.tf` file, and injects the settings into the appropriate containers. For additional information about the `config.tf` file, refer to the [JSON schema reference documentation](/consul/docs/ecs/reference/consul-server-json). + When you apply the configuration, the mesh task module interpolates the server configuration variables, builds a `config.tf` file, and injects the settings into the appropriate containers. For additional information about the `config.tf` file, refer to the [JSON schema reference documentation](/consul/docs/reference/ecs/server-json). ## Configure an ECS service to run your task instances To start a task using the task definition, add the `aws_ecs_service` resource to your configuration to create an ECS service. [ECS services](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html) are one of the most common ways to start tasks using a task definition. -Reference the `mesh-task` module's `task_definition_arn` output value in your `aws_ecs_service` resource. The following example adds an ECS service for a task definition referenced in as `module.my_task.task_definition_arn`: +Reference the `mesh-task` module's `task_definition_arn` output value in your `aws_ecs_service` resource. The following example adds an ECS service for a task definition referenced in as `module.my_task.task_defintion_arn`: @@ -154,21 +153,21 @@ If you are deploying a test instance of your ECS application, you can apply your If you intend to leverage multi-datacenter Consul features, such as WAN federation and cluster peering, then you must add the `gateway-task` module for each Consul datacenter in your network. Refer to [Configure the gateway task module](#configure-the-gateway-task-module) for instructions. -## Configure the gateway task module +## Configure the gateway task module The `gateway-task` module deploys a mesh gateway, which enables service-to-service communication across network areas. Mesh gateways detect the server name indication (SNI) header from the service mesh session and route the connection to the appropriate destination. Refer to the following documentation for additional information: -- [WAN Federation via Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways) -- [Service-to-service Traffic Across Datacenters](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters) +- [WAN Federation via Mesh Gateways](/consul/docs/east-west/mesh-gateway/enable) +- [Service-to-service Traffic Across Datacenters](/consul/docs/east-west/mesh-gateway/federation) -To use mesh gateways, TLS must be enabled in your cluster. Refer to the [requirements section](#requirements) for additional information. +To use mesh gateways, TLS must be enabled in your cluster. Refer to the [requirements section](#requirements) for additional information. 1. Add a `module` block to your Terraform configuration file and specify a label. The label is a unique identifier for the gateway. 1. Add a `source` to the `module` and specify the location of the `gateway-task`. The value must be `hashicorp/consul-ecs/aws//modules/gateway-task`. 1. Specify the following required inputs: - - `ecs_cluster_arn`: The ARN of the ECS cluster for the gateway. + - `ecs_cluster_arn`: The ARN of the ECS cluster for the gateway. - `family`: Specifies a name for multiple versions of the task. Refer to the [AWS documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#family) for details. - `kind`: Set to `mesh-gateway` - `subnets`: Specifies a list of subnet IDs where the gateway task should be deployed. @@ -200,9 +199,9 @@ Refer to [gateway-task module in the Terraform registry](https://registry.terraf Refer to the [gateway task configuration examples](#gateway-task-configuration-examples) for additional example configurations. -## Configure the ECS controller +## Configure the ECS controller -Deploy the ECS controller container to its own ECS task in the cluster. Refer to [ECS controller container](/consul/docs/ecs/reference/architecture#ecs-controller) for details about the container. +Deploy the ECS controller container to its own ECS task in the cluster. Refer to [ECS controller container](/consul/docs/ecs/reference/architecture#ecs-controller) for details about the container. Verify that you have completed the prerequisites described in [Secure configuration requirements](#secure-configuration-requirements) and complete the following steps to configure the controller container. @@ -211,16 +210,16 @@ Verify that you have completed the prerequisites described in [Secure configurat 1. On the Consul server, create a policy that grants the following access for the controller: - `acl:write` - - `operator:write` + - `operator:write` - `node:write` - `service:write` - - The policy allows Consul to generate a token linked to the policy. Refer to [Create a service token](/consul/docs/security/acl/tokens/create/create-a-service-token) for instructions. -1. Create a token and link it to the ACL controller policy. Refer to the [ACL tokens documentation](/consul/docs/security/acl/tokens) for instructions. + + The policy allows Consul to generate a token linked to the policy. Refer to [Create a service token](/consul/docs/secure-consul/acl/token/service-token) for instructions. +1. Create a token and link it to the ACL controller policy. Refer to the [ACL tokens documentation](/consul/docs/secure-consul/acl/tokens) for instructions. ### Configure an AWS secrets manager secret -Add the `aws_secretsmanager_secret` resource to your Terraform configuration and specify values for retrieving the CA and TLS certificates. The resource enables services to communicate over TLS and present ACL tokens. The ECS controller also uses the secret manager to retrieve the value of the bootstrap token. +Add the `aws_secretsmanager_secret` resource to your Terraform configuration and specify values for retrieving the CA and TLS certificates. The resource enables services to communicate over TLS and present ACL tokens. The ECS controller also uses the secret manager to retrieve the value of the bootstrap token. In the following example, Terraform creates the CA certificates for gRPC and HTTPS in the secrets manager. Consul retrieves the CA certificate PEM file from the secret manager so that the mesh task can use TLS for HTTP and gRPC traffic: @@ -323,7 +322,7 @@ module "my_task" { ### Complete configuration examples -The [terraform-aws-consul-ecs GitHub repository](https://github.com/hashicorp/terraform-aws-consul-ecs/tree/main/examples) contains examples that you can reference to help you deploy Consul service mesh to your ECS workloads. +The [terraform-aws-consul-ecs GitHub repository](https://github.com/hashicorp/terraform-aws-consul-ecs/tree/main/multi) contains examples that you can reference to help you deploy Consul service mesh to your ECS workloads. ## Apply your Terraform configuration @@ -375,11 +374,11 @@ Terraform reads all files in the current directory that have a `.tf` file extens Refer to the [Terraform documentation](/terraform/docs) for more information and Terraform best practices. ## Next steps - + After deploying the Consul service mesh infrastructure, you must still define routes between service instances as well as configure the bind address for your applications so that they only receive traffic through the mesh. Refer to the following topics: -- [Configure routes between ECS tasks](/consul/docs/ecs/deploy/configure-routes) -- [Configure the ECS task bind address](/consul/docs/ecs/deploy/bind-addresses) +- [Configure routes between ECS tasks](/consul/docs/connect/ecs) +- [Configure the ECS task bind address](/consul/docs/register/service/ecs/configure-task-bind-address) ## Gateway task configuration examples @@ -453,7 +452,7 @@ module "my_mesh_gateway" { ### WAN federation -Configure the following options in the `gateway-task` to enable [WAN federation through mesh gateways](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways). +Configure the following options in the `gateway-task` to enable [WAN federation through mesh gateways](/consul/docs/east-west/mesh-gateway/enable). | Option | Type | Description | | --- | --- | --- | @@ -476,4 +475,4 @@ module "my_mesh_gateway" { -When federating Consul datacenters over the WAN with ACLs enabled, [ACL Token replication](/consul/docs/security/acl/acl-federated-datacenters) must be enabled on all server and client agents in all datacenters. +When federating Consul datacenters over the WAN with ACLs enabled, enable [ACL Token replication](/consul/docs/secure-consul/acl/federation) on all server and client agents in all datacenters. diff --git a/website/content/docs/ecs/deploy/manual.mdx b/website/content/docs/register/service/ecs/manual.mdx similarity index 90% rename from website/content/docs/ecs/deploy/manual.mdx rename to website/content/docs/register/service/ecs/manual.mdx index 9b54aa05792..4f7928116a8 100644 --- a/website/content/docs/ecs/deploy/manual.mdx +++ b/website/content/docs/register/service/ecs/manual.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Deploy Consul to ECS manually +page_title: Register services on ECS manually description: >- Manually install Consul on Amazon Web Services ECS by using the Docker `consul-ecs` image to create task definitions that include required containers. Learn how to configure task definitions with example configurations. --- -# Deploy Consul to ECS manually +# Register services on ECS manually The following instructions describe how to use the `consul-ecs` Docker image to manually create the ECS task definition without Terraform. If you intend to peer the service mesh to multiple Consul datacenters or partitions, you must use the Consul ECS Terraform module to install your service mesh on ECS. There is no manual process for deploying a mesh gateway to an ECS cluster. @@ -17,25 +17,25 @@ You should have some familiarity with AWS ECS. Refer to [What is Amazon Elastic You must meet the following requirements and prerequisites to enable security features in Consul service mesh: -- Enable [TLS encryption](https://developer.hashicorp.com/consul/docs/security/encryption#rpc-encryption-with-tls) on your Consul servers so that they can communicate security with Consul dataplane containers over gRPC. -- Enable [access control lists (ACLs)](/consul/docs/security/acl) on your Consul servers. ACLs provide authentication and authorization for access to Consul servers on the mesh. +- Enable [TLS encryption](/consul/docs/secure-consul/encryption#rpc-encryption-with-tls) on your Consul servers so that they can communicate security with Consul dataplane containers over gRPC. +- Enable [access control lists (ACLs)](/consul/docs/secure-consul/acl) on your Consul servers. ALCs provide authentication and authorization for access to Consul servers on the mesh. - You should be familiar with specifying sensitive data on ECS. Refer to [Passing sensitive data to a container](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the AWS documentation for additional information. -You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the following resources: -- [Create a service token](/consul/docs/security/acl/tokens/create/create-a-service-token) -- [Day 1: Security tutorial](https://developer.hashicorp.com/consul/tutorials/security) for additional information. +You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the following resources: ' -Consul requires a unique IAM role for each ECS task family. Task IAM roles cannot be shared by different task families because the task family is unique to each Consul service. +- [Create a service token](/consul/docs/secure-consul/acl/token/service-token) + +Consul requires a unique IAM role for each ECS task family. Task IAM roles cannot be shared by different task families because the task family is unique to each Consul service. ## Configure ECS task definition file -Create a JSON file for the task definition. The task definition is the ECS blueprint for your software services on AWS. Refer to the [ECS task definitions in the AWS documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html) for additional information. +Create a JSON file for the task definition. The task definition is the ECS blueprint for your software services on AWS. Refer to the [ECS task definitions in the AWS documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html) for additional information. In addition to your application container, add configurations to your task definition that creates the following Consul containers: - Dataplane container - Control-plane container -- ECS controller container +- ECS controller container ## Top-level fields @@ -46,7 +46,7 @@ The following table describes the top-level fields you must include in the task | `family` | The task family name. This is used as the Consul service name by default. | string | | `networkMode` | Must be `awsvpc`, which is the only network mode supported by Consul on ECS. | string | | `volumes` | Volumes on the host for sharing configuration between containers for initial task setup. You must define a `consul_data` and `consul_binary` bind mount. Bind mounts can be mounted into one or more containers in order to share files among containers. For Consul on ECS, certain binaries and configuration are shared among containers during task startup. | list | -| `containerDefinitions` | Defines the application container that runs in the task. Refer to [Define your application container](#define-your-application-container). | list | +| `containerDefinitions` | Defines the application container that runs in the task. Refer to [Define your application container](#define-your-application-container). | list | The following example shows the top-level fields: @@ -78,10 +78,10 @@ The following example shows the top-level fields: ## Configure task tags -The `tags` list must include the following tags if you are using the ECS controller in a [secure configuration](/consul/docs/ecs/deploy/manual#secure-configuration-requirements). +The `tags` list must include the following tags if you are using the ECS controller in a [secure configuration](/consul/docs/register/service/ecs/manual#secure-configuration-requirements). Without these tags, the ACL controller is unable to provision a service token for the task. -| Tag | Description | Type | Default | +| Tag | Description | Type | Default | | --- | --- | --- | --- | | `consul.hashicorp.com/mesh` | Enables the ECS controller. Set to `false` to disable the ECS controller. | String | `true` | | `consul.hashicorp.com/service-name` | Specifies the name of the Consul service associated with this task. Required if the service name is different than the task `family`. | String | None | @@ -96,7 +96,7 @@ Specify your application container configurations in the `containerDefinitions` | --- | --- | --- | | `name` | The name of your application container. | string | | `image` | The container image used to run your application. | string | -| `essential` | Must be `true` to ensure the health of your application container affects the health status of the task. | boolean | +| `essential` | Must be `true` to ensure the health of your application container affects the health status of the task. | boolean | | `dependsOn` | Specifies container dependencies that ensure your application container starts after service mesh setup is complete. Refer to [Application container dependency configuration](#application-container-dependency-configuration) for details. | list | Refer to the [ECS Task Definition](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html) documentation for a complete reference. @@ -120,14 +120,14 @@ The `dependsOn` list must include the following maps: } ``` -## Configure the dataplane container +## Configure the dataplane container The dataplane container runs Envoy proxy for Consul service mesh. Specify the fields described in the following table to declare a dataplane container: | Field name | Description | Type | | --- | --- | --- | | `name` | Specifies the name of the container. This must be `consul-dataplane`. | string | -| `image` | Specifies the Envoy image. This must be a [supported version of Envoy](/consul/docs/connect/proxies/envoy#supported-versions). | string | +| `image` | Specifies the Envoy image. This must be a [supported version of Envoy](/consul/docs/reference/proxy/envoy#supported-versions). | string | | `dependsOn` | Specifies container dependencies that ensure the dataplane container starts after the control-pane container has written the Envoy bootstrap configuration file. Refer to [Dataplane container dependency configuration](#dataplane-container-dependency-configuration) for details. | list | | `healthCheck` | Must be set as shown above to monitor the health of Envoy's primary listener port, which ties into container dependencies and startup ordering. | map | | `mountPoints` | Specifies a shared volume so that the dataplane container can access and consume the Envoy configuration file that the control-plane container generates. The keys and values in this configuration must be defined as described in [Dataplane container dependency configuration](#dataplane-container-dependency-configuration). | list | @@ -174,7 +174,7 @@ Specify the fields described in the following table to declare the control-plane | --- | --- | --- | | `name` | Specifies the name of the container. This must be `control-plane`. | string | | `image` | Specifies the `consul-ecs` image. Specify the following public AWS registry to avoid rate limits: `public.ecr.aws/hashicorp/consul-ecs` | string | -| `mountPoints` | Specifies a shared volume to store the Envoy bootstrap configuration file that the dataplane container can access and consume. The keys and values in this configuration must be defined as described in [Control-plane shared volume configuration](#control-plane-shared-volume-configuration). | list | +| `mountPoints` | Specifies a shared volume to store the Envoy bootstrap configuration file that the dataplane container can access and consume. The keys and values in this configuration must be defined as described in [Control-plane shared volume configuration](#control-plane-shared-volume-configuration). | list | | `command` | Set to `["control-plane"]` so that the container runs the `control-plane` command. | list | | `environment` | Specifies the `CONSUL_ECS_CONFIG_JSON` environment variable, which configures the container to connect to the Consul servers. Refer to [Control-plane to Consul servers configuration](#control-plane-to-Consul-servers-configuration) for details. | list | @@ -199,7 +199,7 @@ The `mountPoints` configuration defines a volume and path where the control-plan ### Control-plane to Consul servers configuration -Provide Consul server connection settings to the mesh task module so that the module can configure the control-plane and ECS controller containers to connect to the servers. +Provide Consul server connection settings to the mesh task module so that the module can configure the control-plane and ECS controller containers to connect to the servers. 1. In your `variables.tf` file, define variables for the host URL and TLS settings for gRPC and HTTP traffic. Refer to the [mesh task module reference](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task?tab=inputs) for information about the variables you can define. In the following example, the Consul server address is defined in the `consul_server_hosts` variable: @@ -210,7 +210,7 @@ Provide Consul server connection settings to the mesh task module so that the mo } ``` -1. Add an `environment` block to the control-plane and ECS controller containers definition. +1. Add an `environment` block to the control-plane and ECS controller containers definition 1. Set the `environment.name` field to the `CONSUL_ECS_CONFIG_JSON` environment variable and the value to `local.encoded_config`. ```hcl @@ -223,7 +223,7 @@ Provide Consul server connection settings to the mesh task module so that the mo ``` When you apply the configuration, the mesh task module interpolates the server configuration variables, builds a `config.tf` file, and injects the settings into the appropriate containers. -For additional information about the `config.tf` file, refer to the [JSON schema reference documentation](/consul/docs/ecs/reference/config-json-schema). +For additional information about the `config.tf` file, refer to the [JSON schema reference documentation](/consul/docs/ecs/reference/config-json-schema). ## Register the task definition configuration @@ -245,22 +245,22 @@ Verify that you have completed the prerequisites described in [Secure configurat On the Consul server, create a policy that grants the following access for the controller: -- `acl:write` -- `operator:write` +- `acl:write` +- `operator:write` - `node:write` - `service:write` -The policy allows Consul to generate a token linked to the policy. Refer to [Create a service token](/consul/docs/security/acl/tokens/create/create-a-service-token) for instructions. +The policy allows Consul to generate a token linked to the policy. Refer to [Create a service token](/consul/docs/secure-consul/acl/token/service-token) for instructions. ### ECS task role -1. Create an ECS task role and configure an `iam:GetRole` permission so that it can fetch itself. Refer to [IAM Policies](/consul/docs/security/acl/auth-methods/aws-iam#iam-policies) for instructions. +1. Create an ECS task role and configure an `iam:GetRole` permission so that it can fetch itself. Refer to [IAM Policies](/consul/docs/secure-consul/acl/auth-methods/aws-iam#iam-policies) for instructions. 1. Add an `consul.hashicorp.com.service-name` tag to the task role that contains the Consul service name for the application in the task. 1. When using Consul Enterprise, you must also include the `consul.hashicorp.com.namespace` tag to specify the namespace to register the service in. ### Configure the auth method for service tokens -Run the `consul acl auth-method create` command on a Consul server to create an instance of the auth method for service tokens. +Run the `consul acl auth-method create` command on a Consul server to create an instance of the auth method for service tokens. The following example command configures the auth method to associate a service identity to each token created during login to this auth method instance. @@ -301,11 +301,11 @@ You must specify the following configuration in the `-config` flag: | `EnableIAMEntityDetails` | Must be `true` so that the auth method can retrieve IAM role details, such as the role path and role tags. | Boolean | | `IAMEntityTags` | Specifies a list of IAM role tags to make available to binding rules. Must include the service name tag. | List | -Refer to the [auth method configuration parameters documentation](/consul/docs/security/acl/auth-methods/aws-iam#config-parameters) for additional information. +Refer to the [auth method configuration parameters documentation](/consul/docs/secure-consul/acl/auth-methods/aws-iam#config-parameters) for additional information. -### Create the binding rule +### Create the binding rule -Run the `consul acl binding-rule create` command on a Consul server to create a binding rule. The rule associates a service identity with each token created on successful login to this instance of the auth method. +Run the `consul acl binding-rule create` command on a Consul server to create a binding rule. The rule associates a service identity with each token created on successful login to this instance of the auth method. In the following example, Consul takes the service identity name from the `consul.hashicorp.com.service-name` tag specified for authenticating IAM role identity. @@ -336,8 +336,8 @@ You can reference stored secrets using their ARN. The examples show ARNs for sec You can configure Consul servers connected to your ECS workloads to capture a log of authenticated events. Refer to [Audit Logging](/consul/docs/enterprise/audit-logging) for details. ## Next steps - + After deploying the Consul service mesh infrastructure, you must still define routes between service instances as well as configure the bind address for your applications so that they only receive traffic through the mesh. Refer to the following topics: -- [Configure routes between ECS tasks](/consul/docs/ecs/deploy/configure-routes) -- [Configure the ECS task bind address](/consul/docs/ecs/deploy/bind-addresses) +- [Configure routes between ECS tasks](/consul/docs/connect/ecs) +- [Configure the ECS task bind address](/consul/docs/register/service/ecs/configure-task-bind-address) diff --git a/website/content/docs/ecs/deploy/migrate-existing-tasks.mdx b/website/content/docs/register/service/ecs/migrate.mdx similarity index 90% rename from website/content/docs/ecs/deploy/migrate-existing-tasks.mdx rename to website/content/docs/register/service/ecs/migrate.mdx index cb405e518af..20df22457b3 100644 --- a/website/content/docs/ecs/deploy/migrate-existing-tasks.mdx +++ b/website/content/docs/register/service/ecs/migrate.mdx @@ -1,17 +1,17 @@ --- layout: docs -page_title: Migrate existing tasks to Consul service mesh +page_title: Register existing ECS tasks with Terraform description: >- You can migrate tasks in existing Amazon Web Services ECS deployments to a service mesh deployed with Terraform. Learn how to convert a task specified as an ECS task definition into a `mesh-task` Terraform module. --- -# Migrate existing tasks to Consul on ECS with Terraform +# Register existing ECS tasks with Terraform -To migrate existing tasks to Consul, rewrite the existing Terraform code for your tasks so that the container definitions include the [`mesh-task` Terraform module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task). +To migrate existing tasks to Consul, rewrite the existing Terraform code for your tasks so that the container definitions include the [`mesh-task` Terraform module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task). Your tasks must already be defined in Terraform using the `ecs_task_definition` resource so that they can then be converted to use the `mesh-task` module. -## Example +## Example The following example shows an existing task definition configured in Terraform: @@ -55,7 +55,6 @@ resource "aws_ecs_service" "my_task" { } ``` - Replace the `aws_ecs_task_definition` resource with the `mesh-task` module so that Consul adds the necessary dataplane containers that enable your task to join the mesh. The `mesh-task` module uses inputs similar to your old ECS task definition but creates a new version of the task definition with additional containers. The following Terraform configuration uses the `mesh-task` module to replace the previous example's task definition: @@ -93,7 +92,7 @@ module "my_task" { Note the following differences: - The `execution_role_arn` and `task_role_arn` fields are removed. The `mesh-task` module creates the task and execution roles by default. If you need to use existing IAM roles, set the `task_role` and `execution_role` fields to pass in existing roles. -- The `port` field specifies the port that your application listens on. If your application has no listening port, set `outbound_only = true` and remove the `port` field. +- The `port` field specifes the port that your application listens on. If your application has no listening port, set `outbound_only = true` and remove the `port` field. - The `jsonencode()` function is removed from the `container_definitions` field. -The `mesh-task` module creates a new version of your task definition with the necessary dataplane containers so you can delete your existing `aws_ecs_task_definition` resource. +The `mesh-task` module creates a new version of your task definition with the necessary dataplane containers so you can delete your existing `aws_ecs_task_definition` resource. \ No newline at end of file diff --git a/website/content/docs/ecs/tech-specs.mdx b/website/content/docs/register/service/ecs/requirements.mdx similarity index 52% rename from website/content/docs/ecs/tech-specs.mdx rename to website/content/docs/register/service/ecs/requirements.mdx index d5fa5b399f5..3f963e2c210 100644 --- a/website/content/docs/ecs/tech-specs.mdx +++ b/website/content/docs/register/service/ecs/requirements.mdx @@ -9,26 +9,20 @@ description: >- This topic describes the supported runtimes and environments for using Consul service mesh for your ECS workloads. -For requirements associated with using the Terraform `mesh-task` module to deploy Consul service mesh, refer [Deploy Consul with the Terraform module](/consul/docs/ecs/deploy/terraform). For requirements associated with manually deploying Consul service mesh to your ECS cluster, refer [Deploy Consul manually](/consul/docs/ecs/deploy/manual). +For requirements associated with using the Terraform `mesh-task` module to deploy Consul service mesh, refer [Deploy Consul with the Terraform module](/consul/docs/register/service/ecs/automatic). For requirements associated with manually deploying Consul service mesh to your ECS cluster, refer [Deploy Consul manually](/consul/docs/register/service/ecs/manual). -## Supported environments, runtimes, and capabilities +## Supported environments and runtimes -Consul on ECS supports the following environments, runtimes, and capabilities: +Consul on ECS supports the following environments and runtimes: -- **Launch Types:** Fargate and EC2 -- **Network Modes:** `awsvpc` -- **Subnets:** Private and public subnets. Tasks must have network access to Amazon ECR or other public container registries to pull images. -- **Consul servers:** You can use your own Consul servers running on virtual machines or [use HCP Consul Dedicated to host the servers for you](/hcp/docs/consul/dedicated). -- **ECS controller:** The ECS controller assists with reconciling state back to Consul and facilitates Consul security features. -- **Admin partitions:** Enable ACLs and configure the ECS controller to use admin partitions. You must deploy one controller for each admin partition. -- **Namespaces:** Enable ACLs and configure the ECS controller to use namespaces. -- **Dataplane containers:** To manage proxies using Consul dataplane, you must use the Terraform `mesh-task` module to install Consul service mesh. -- **Transparent proxy:** Consul on ECS 0.8.x supports transparent proxy for ECS on EC2 tasks. Transparent proxy in ECS requires the host to have `NET_ADMIN` capabilities, which ECS Fargate does not currently support. You can enable transparent proxy with the `enable_transparent_proxy` parameter in the `mesh-task` Terraform module or through `ecs_config_json`. The `enable_transparent_proxy` parameter has precedence over `ecs_config_json`. - - Refer to the [`terraform-aws-consul-ecs`](https://github.com/hashicorp/terraform-aws-consul-ecs/tree/main/examples/dev-server-ec2-transparent-proxy) for an example. -- **API Gateway:** Consul on ECS 0.8.x supports API gateway. Refer to the [`terraform-aws-consul-ecs`](https://github.com/hashicorp/terraform-aws-consul-ecs/tree/main/examples/api-gateway) for an example. - - Refer to the [Consul ECS GitHub repository](https://github.com/hashicorp/terraform-aws-consul-ecs/tree/main/examples/dev-server-ec2-transparent-proxy) for examples of how to use transparent proxy with Consul on ECS. +- **Launch Types**: Fargate and EC2 +- **Network Modes**: `awsvpc` +- **Subnets**: Private and public subnets. Tasks must have network access to Amazon ECR or other public container registries to pull images. +- **Consul servers**: You can use your own Consul servers running on virtual machines or [use HCP Consul to host the servers for you](/hcp/docs/consul/hcp-managed). +- **ECS controller**: The ECS controller assists with reconciling state back to Consul and facilitates Consul security features. +- **Admin partitions**: Enable ACLs and configure the ECS controller to use admin partitions. You must deploy one controller for each admin partition. +- **Namespaces**: Enable ACLs and configure the ECS controller to use namespaces. +- **Dataplane containers**: To manage proxies using Consul dataplane, you must use the Terraform `mesh-task` module to install Consul service mesh. ## Resource usage diff --git a/website/content/docs/ecs/deploy/bind-addresses.mdx b/website/content/docs/register/service/ecs/task-bind-address.mdx similarity index 89% rename from website/content/docs/ecs/deploy/bind-addresses.mdx rename to website/content/docs/register/service/ecs/task-bind-address.mdx index acee9209ea7..ad09dd62e36 100644 --- a/website/content/docs/ecs/deploy/bind-addresses.mdx +++ b/website/content/docs/register/service/ecs/task-bind-address.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Configure the ECS task bind address +page_title: Configure ECS task bind address description: >- Learn how to bind workloads to the loopback address, also called localhost and 127.0.0.1, so that your applications only send and receive traffic through Consul service mesh. --- -# Configure the ECS task bind address +# Configure ECS task bind address This topic describes how to configure the bind address for your workloads to the loopback address. @@ -17,8 +17,8 @@ Binding workloads to the loopback address ensures that your application only rec Consul service mesh must be deployed to ECS before you can bind a network address. For more information, refer to the following topics: -- [Deploy Consul to ECS using the Terraform module](/consul/docs/ecs/deploy/terraform) -- [Deploy Consul to ECS manually](/consul/docs/ecs/deploy/manual) +- [Deploy Consul to ECS using the Terraform module](/consul/docs/ecs/deploy/install-terraform) +- [Deploy Consul to ECS manually](/consul/docs/ecs/deploy/install-manual) ## Change the listening address diff --git a/website/content/docs/register/service/k8s/annotations.mdx b/website/content/docs/register/service/k8s/annotations.mdx new file mode 100644 index 00000000000..b4d9bc1bcbd --- /dev/null +++ b/website/content/docs/register/service/k8s/annotations.mdx @@ -0,0 +1,45 @@ +--- +layout: docs +page_title: Service Sync annotations and labels +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Service Sync annotations and labels + +The following Kubernetes resource annotations could be used on a pod to [Service Sync](https://developer.hashicorp.com/consul/docs/k8s/service-sync) behavior: + +- `consul.hashicorp.com/service-sync`: If this is set to `true`, then the Kubernetes service is explicitly configured to be synced to Consul. + + ```yaml + annotations: + 'consul.hashicorp.com/service-sync': 'true' + ``` + +- `consul.hashicorp.com/service-port`: Configures the port to register to the Consul Catalog for the Kubernetes service. The annotation value may be a name of a port (recommended) or an exact port value. Refer to [service ports](https://developer.hashicorp.com/consul/docs/k8s/service-sync#service-ports) for more information. + + ```yaml + annotations: + 'consul.hashicorp.com/service-port': 'http' + ``` + +- `consul.hashicorp.com/service-tags`: A comma separated list of strings (without whitespace) to use for registering tags to the service registered to Consul. These custom tags automatically include the `k8s` tag which can't be disabled. + + ```yaml + annotations: + 'consul.hashicorp.com/service-tags': 'primary,foo' + ``` + +- `consul.hashicorp.com/service-meta-KEY`: A map for specifying service metadata for Consul services. The "KEY" below can be set to any key. This allows you to set multiple meta values. + + ```yaml + annotations: + 'consul.hashicorp.com/service-meta-KEY': 'value' + ``` + +- `consul.hashicorp.com/service-weight:` - Configures ability to support weighted loadbalancing by service annotation for Catalog Sync. The integer provided will be applied as a weight for the `passing` state for the health of the service. Refer to [weights](/consul/docs/services/configuration/services-configuration-reference#weights) in service configuration for more information on how this is leveraged for services in the Consul catalog. + + ```yaml + annotations: + consul.hashicorp.com/service-weight: 10 + ``` \ No newline at end of file diff --git a/website/content/docs/register/service/k8s/index.mdx b/website/content/docs/register/service/k8s/index.mdx new file mode 100644 index 00000000000..072ff0eacfc --- /dev/null +++ b/website/content/docs/register/service/k8s/index.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Register services on Kubernetes overview +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Register services on Kubernetes overview + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/k8s/service-sync.mdx b/website/content/docs/register/service/k8s/service-sync.mdx similarity index 94% rename from website/content/docs/k8s/service-sync.mdx rename to website/content/docs/register/service/k8s/service-sync.mdx index daf03396f21..7055a554942 100644 --- a/website/content/docs/k8s/service-sync.mdx +++ b/website/content/docs/register/service/k8s/service-sync.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Service Sync for Consul on Kubernetes +page_title: Service sync description: >- Service sync is a Consul on Kubernetes feature that makes Kubernetes and Consul services available to each other. Learn how to configure Helm values so services can communicate and make Kubernetes services appear in the Consul UI. --- -# Service Sync for Consul on Kubernetes +# Service sync The services in Kubernetes and Consul can be automatically synced so that Kubernetes services are available to Consul agents and services in Consul can be available @@ -29,9 +29,9 @@ service discovery, including hosted services like databases. ## Installation and configuration -~> Enabling both Service Mesh and Service Sync on the same Kubernetes services is not supported, as Service Mesh also registers Kubernetes service instances to Consul. Ensure that Service Sync is only enabled for namespaces and services that are not injected with the Consul sidecar for Service Mesh as described in [Sync Enable/Disable](/consul/docs/k8s/service-sync#sync-enable-disable). +~> Enabling both Service Mesh and Service Sync on the same Kubernetes services is not supported, as Service Mesh also registers Kubernetes service instances to Consul. Ensure that Service Sync is only enabled for namespaces and services that are not injected with the Consul sidecar for Service Mesh as described in [Sync Enable/Disable](/consul/docs/register/service/k8s/service-sync#sync-enable-disable). -The service sync feature deploys a long-running process which can run either inside or outside of a Kubernetes cluster. However, running this process within the Kubernetes cluster is generally easier since it is automated using the [Helm chart](/consul/docs/k8s/helm). +The service sync feature deploys a long-running process which can run either inside or outside of a Kubernetes cluster. However, running this process within the Kubernetes cluster is generally easier since it is automated using the [Helm chart](/consul/docs/reference/k8s/helm). The Consul server cluster can run either in or out of a Kubernetes cluster. The Consul server cluster does not need to be running on the same machine @@ -40,7 +40,7 @@ with the address to a Consul agent as well as any additional access information such as ACL tokens. To install the sync process, enable the catalog sync feature using -[Helm values](/consul/docs/k8s/helm#configuration-values) and +[Helm values](/consul/docs/reference/k8s/helm#configuration-values) and upgrade the installation using `helm upgrade` for existing installs or `helm install` for a fresh install. @@ -69,7 +69,7 @@ syncCatalog: toK8S: false ``` -Refer to the [Helm configuration](/consul/docs/k8s/helm#v-synccatalog) +Refer to the [Helm configuration](/consul/docs/reference/k8s/helm#v-synccatalog) for more information. ### Authentication @@ -85,7 +85,7 @@ for both in-cluster and out-of-cluster authentication. If `kubectl` works, then the sync program should work. If ACLs are configured on the Consul cluster, you need to provide a Consul -[ACL token](/consul/tutorials/security/access-control-setup-production). Review the [ACL rules](/consul/docs/security/acl/acl-rules) +[ACL token](/consul/docs/secure-consul/acl/token). Review the [ACL rules](/consul/docs/secure-consul/acl/rules) when creating this token so that it only allows the necessary privileges. The catalog sync process accepts this token by using the [`CONSUL_HTTP_TOKEN`](/consul/commands#consul_http_token) environment variable. This token should be set as a @@ -123,10 +123,10 @@ node that has the representative pod running. While Kubernetes configures a static port on all nodes in the cluster, this limits the number of service instances to be equal to the nodes running the target pods. By default it uses the external IP of the node but this can be configured through -the [`nodePortSyncType` helm option](/consul/docs/k8s/helm#v-synccatalog-nodeportsynctype). +the [`nodePortSyncType` helm option](/consul/docs/reference/k8s/helm#v-synccatalog-nodeportsynctype). The service instance's port is set to the first defined node port of the service unless -set specifically in the `consul.hashicorp.com/service-port` annotation. Refer to [Service Ports](/consul/docs/k8s/service-sync#service-ports) for more information. +set specifically in the `consul.hashicorp.com/service-port` annotation. Refer to [Service Ports](/consul/docs/register/service/k8s/service-sync#service-ports) for more information. #### LoadBalancer @@ -136,7 +136,7 @@ balancer, only one service instance is registered with Consul rather than registering each individual pod endpoint. The service instance's port is set to the first defined port of the -service unless set specifically in the `consul.hashicorp.com/service-port` annotation. Refer to [Service Ports](/consul/docs/k8s/service-sync#service-ports) for more information. +service unless set specifically in the `consul.hashicorp.com/service-port` annotation. Refer to [Service Ports](/consul/docs/register/service/k8s/service-sync#service-ports) for more information. #### External IPs @@ -151,7 +151,7 @@ for each external IP. It is assumed that if an external IP is present that it is routable and configured by some other system. The service instance's port is set to the _first_ defined port of the -service unless set specifically with the `consul.hashicorp.com/service-port` annotation. Refer to [Service Ports](/consul/docs/k8s/service-sync#service-ports) for more information. +service unless set specifically with the `consul.hashicorp.com/service-port` annotation. Refer to [Service Ports](/consul/docs/register/service/k8s/service-sync#service-ports) for more information. #### ClusterIP @@ -159,11 +159,11 @@ ClusterIP services are synced by default as of `consul-k8s` version 0.3.0. Each pod that is an endpoint for the service is synced as a Consul service instance with its IP set to the pod IP and its port set to the `targetPort`. -The service instance's port can be overridden with the `consul.hashicorp.com/service-port` annotation. Refer to [Service Ports](/consul/docs/k8s/service-sync#service-ports) for more information. +The service instance's port can be overridden with the `consul.hashicorp.com/service-port` annotation. Refer to [Service Ports](/consul/docs/register/service/k8s/service-sync#service-ports) for more information. -> In Kubernetes clusters where pod IPs are not accessible outside the cluster, the services registered in Consul may not be routable. To -skip syncing ClusterIP services, set [`syncClusterIPServices`](/consul/docs/k8s/helm#v-synccatalog-syncclusteripservices) +skip syncing ClusterIP services, set [`syncClusterIPServices`](/consul/docs/reference/k8s/helm#v-synccatalog-syncclusteripservices) to `false` in the Helm chart values file. ### Enable and disable sync diff --git a/website/content/docs/lambda/registration/automate.mdx b/website/content/docs/register/service/lambda/automatic.mdx similarity index 95% rename from website/content/docs/lambda/registration/automate.mdx rename to website/content/docs/register/service/lambda/automatic.mdx index 62f4aa700df..609b99ce4dd 100644 --- a/website/content/docs/lambda/registration/automate.mdx +++ b/website/content/docs/register/service/lambda/automatic.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Automate Lambda function registration +page_title: Register services on Lambda automatically with Terraform description: >- Register AWS Lambda functions with Consul service mesh using the Consul Lambda registrator. The Consul Lambda registrator automates Lambda function registration. --- -# Automate Lambda function registration +# Register services on Lambda automatically with Terraform This topic describes how to automate Lambda function registration using Consul's Lambda registrator module for Terraform. @@ -60,7 +60,7 @@ resource "aws_ssm_parameter" "ca-cert" { ### Optional: Store the ACL token in Parameter Store -If [Consul access control lists (ACLs)](/consul/docs/security/acl) are enabled, Lambda registrator must present an ACL token stored in Parameter Store to access resources. You can use the Consul CLI, API, or the Terraform provider to facilitate the ACL workflow. The following procedure describes how to create and store a token from the command line: +If [Consul access control lists (ACLs)](/consul/docs/secure-consul/acl) are enabled, Lambda registrator must present an ACL token stored in Parameter Store to access resources. You can use the Consul CLI, API, or the Terraform provider to facilitate the ACL workflow. The following procedure describes how to create and store a token from the command line: 1. Create an ACL policy that includes the following rule: @@ -134,7 +134,7 @@ The registrator also requires the following IAM permissions to access the parame ## Deploy the Lambda registrator -1. Create a Terraform configuration and specify the `lambda-registrator` module. In the following example, the Lambda registrator is deployed to `https://consul.example.com:8501`. Refer to [the Lambda registrator module documentation](https://registry.terraform.io/modules/hashicorp/consul-lambda-registrator/aws/0.1.0-beta5/submodules/lambda-registrator) for additional usage information: +1. Create a Terraform configuration and specify the `lambda-registrator` module. In the following example, the Lambda registrator is deployed to `https://consul.example.com:8501`. Refer to [the Lambda registrator module documentation](https://registry.terraform.io/modules/hashicorp/consul-lambda-registrator/aws/0.1.0-beta1/submodules/lambda-registrator) for additional usage information: ```hcl module "lambda-registrator" { source = "hashicorp/consul-lambda/consul-lambda-registrator" diff --git a/website/content/docs/register/service/lambda/index.mdx b/website/content/docs/register/service/lambda/index.mdx new file mode 100644 index 00000000000..0aee7cf7a7f --- /dev/null +++ b/website/content/docs/register/service/lambda/index.mdx @@ -0,0 +1,36 @@ +--- +layout: docs +page_title: Register services on Lambda overview +description: >- + Consul supports Amazon Web Services Lambda functions, which are event-driven programs and scripts. Learn about Consul's requirements for registering and invoking AWS Lambda functions in your service mesh. +--- + +# Register services on Lambda overview + +You can configure Consul to allow services in your mesh to invoke Lambda functions, as well as allow Lambda functions to invoke services in your mesh. Lambda functions are programs or scripts that run in AWS Lambda. Refer to the [AWS Lambda website](https://aws.amazon.com/lambda/) for additional information. + +## Register Lambda functions into Consul + +The first step is to register your Lambda functions into Consul. We recommend using the [Lambda registrator module](https://github.com/hashicorp/terraform-aws-consul-lambda/tree/main/modules/lambda-registrator) to automatically synchronize Lambda functions into Consul. You can also manually register Lambda functions into Consul if you are unable to use the Lambda registrator. + +Refer to [Lambda Function Registration Requirements](/consul/docs/lambda/registration) for additional information about registering Lambda functions into Consul. + +## Invoke Lambda functions from Consul service mesh + +After registering AWS Lambda functions, you can invoke Lambda functions from the Consul service mesh through terminating gateways (recommended) or directly from connected proxies. + +Refer to [Invoke Lambda Functions from Services](/consul/docs/connect/lambda/invoke-function) for details. + +## Invoke mesh services from Lambda function + +~> **Lambda-to-mesh functionality is currently in beta**: Functionality associated with beta features are subject to change. You should never use the beta release in secure environments or production scenarios. Features in beta may have performance issues, scaling issues, and limited support. + +You can also add the `consul-lambda-extension` plugin as a layer in your Lambda functions, which enables them to send requests to services in the mesh. The plugin starts a lightweight sidecar proxy that directs requests from Lambda functions to [mesh gateways](/consul/docs/connect/gateways#mesh-gateways). The gateways route traffic to the destination service to complete the request. + +![Invoke mesh service from Lambda function](/img/invoke-service-from-lambda-flow.svg) + +Refer to [Invoke Services from Lambda Functions](/consul/docs/lambda/invoke-from-lambda) for additional information about registering Lambda functions into Consul. + +Consul mesh gateways are required to send requests from Lambda functions to mesh services. Refer to [Mesh Gateways](/consul/docs/east-west/mesh-gateway/) for additional information. + +Note that L7 traffic management features are not supported. As a result, requests from Lambda functions ignore service routes and splitters. diff --git a/website/content/docs/lambda/registration/manual.mdx b/website/content/docs/register/service/lambda/manual.mdx similarity index 91% rename from website/content/docs/lambda/registration/manual.mdx rename to website/content/docs/register/service/lambda/manual.mdx index fbb07dba364..2615b1f2f8a 100644 --- a/website/content/docs/lambda/registration/manual.mdx +++ b/website/content/docs/register/service/lambda/manual.mdx @@ -1,19 +1,19 @@ --- layout: docs -page_title: Manual Lambda Function Registration +page_title: Register services on Lambda manually description: >- Register AWS Lambda functions with Consul service mesh using the Consul Lambda registrator. The Consul Lambda registrator automates Lambda function registration. --- -# Manual Lambda Function Registration +# Register services on Lambda manually -This topic describes how to manually register Lambda functions into Consul. Refer to [Automate Lambda Function Registration](/consul/docs/lambda/registration/automate) for information about using the Lambda registrator to automate registration. +This topic describes how to manually register Lambda functions into Consul. Refer to [Automate Lambda Function Registration](/consul/docs/register/service/lambda/automatic) for information about using the Lambda registrator to automate registration. ## Requirements Verify that your environment meets the requirements specified in [Lambda Function Registration Requirements](/consul/docs/lambda/registration). -To manually register Lambda functions so that mesh services can invoke them, you must create and apply a service registration configuration for the Lambda function and write a [service defaults configuration entry](/consul/docs/connect/config-entries/service-defaults) for the function. +To manually register Lambda functions so that mesh services can invoke them, you must create and apply a service registration configuration for the Lambda function and write a [service defaults configuration entry](/consul/docs/reference/config-entry/service-default) for the function. ## Register a Lambda function diff --git a/website/content/docs/register/service/nomad.mdx b/website/content/docs/register/service/nomad.mdx new file mode 100644 index 00000000000..1745018f3f4 --- /dev/null +++ b/website/content/docs/register/service/nomad.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Register services on Nomad overview +description: >- + Consul documentation provides reference material for all features and options available in Consul. +--- + +# Register services on Nomad overview + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. \ No newline at end of file diff --git a/website/content/docs/services/usage/define-services.mdx b/website/content/docs/register/service/vm/define.mdx similarity index 90% rename from website/content/docs/services/usage/define-services.mdx rename to website/content/docs/register/service/vm/define.mdx index 493ca6e08b4..07b18def622 100644 --- a/website/content/docs/services/usage/define-services.mdx +++ b/website/content/docs/register/service/vm/define.mdx @@ -2,32 +2,34 @@ layout: docs page_title: Define services description: >- - Learn how to define services so that they are discoverable in your network. + Learn how to define services so that they are discoverable in your network. --- # Define services -This topic describes how to define services so that they can be discovered by other services. Refer to [Services Overview](/consul/docs/services/services) for additional information. +This topic describes how to define services so that they can be discovered by other services. Refer to [Services Overview](/consul/docs/register) for additional information. ## Overview -You must tell Consul about the services deployed to your network if you want them to be discoverable. You can define services in a configuration file or send the service definition parameters as a payload to the `/agent/service/register` API endpoint. Refer to [Register Services and Health Checks](/consul/docs/services/usage/register-services-checks) for details about how to register services with Consul. +You must tell Consul about the services deployed to your network if you want them to be discoverable. You can define services in a configuration file or send the service definition parameters as a payload to the `/agent/service/register` API endpoint. Refer to [Register Services and Health Checks](/consul/docs/register/service/vm) for details about how to register services with Consul. You can define multiple services individually using `service` blocks or group multiple services into the same `services` configuration block. Refer to [Define multiple services in a single file](#define-multiple-services-in-a-single-file) for additional information. -If Consul service mesh is enabled in your network, you can use the [service defaults configuration entry](/consul/docs/connect/config-entries/service-defaults) to specify default global values for services. The configuration entry lets you define common service parameter, such as upstreams, namespaces, and partitions. Refer to [Define service defaults](#define-service-defaults) for additional information. +If Consul service mesh is enabled in your network, you can use the [service defaults configuration entry](/consul/docs/reference/config-entry/service-default) to specify default global values for services. The configuration entry lets you define common service parameter, such as upstreams, namespaces, and partitions. Refer to [Define service defaults](#define-service-defaults) for additional information. ## Requirements The core service discovery features are available in all versions of Consul. ### Service defaults + To use the [service defaults configuration entry](#define-service-defaults), verify that your installation meets the following requirements: - Consul 1.5.0+ - Consul 1.8.4+ is required to use the `ServiceDefaults` custom resource on Kubernetes ### ACLs + If ACLs are enabled, resources in your network must present a token with `service:read` access to read a service defaults configuration entry. You must also present a token with `service:write` access to create, update, or delete a service defaults configuration entry. @@ -37,7 +39,7 @@ Service configurations must also contain and present an ACL token to perform ant On Consul Enterprise, you can register services with specific namespaces if the services' ACL tokens are scoped to the namespace. Services registered with a service definition do not inherit the namespace associated with the ACL token specified in the `token` field. The `namespace` and the `token` parameters must be included in the service definition for the service to be registered to the namespace that the ACL token is scoped to. ## Define a service -Create a file for your service configurations and add a `service` block. The `service` block contains the parameters that configure various aspects of the service, including how it is discovered by other services in the network. The only required parameter is `name`. Refer to [Service Definition Reference](/consul/docs/services/configuration/services-configuration-reference) for details about the configuration options. +Create a file for your service configurations and add a `service` block. The `service` block contains the parameters that configure various aspects of the service, including how it is discovered by other services in the network. The only required parameter is `name`. Refer to [Service Definition Reference](/consul/docs/reference/service) for details about the configuration options. For Kubernetes environments, you can enable the [`connectInject`](/consul/docs/k8s/connect#installation-and-configuration) configuration in your Consul Helm chart so that Consul automatically adds a sidecar to each of your pods. Consul uses the Kubernetes `Service` definition as a reference. @@ -114,16 +116,16 @@ service { ### Health checks -You can add a `check` or `checks` block to your service configuration to define one or more health checks that monitor the health of your services. Refer to [Define Health Checks](/consul/docs/services/usage/checks) for additional information. +You can add a `check` or `checks` block to your service configuration to define one or more health checks that monitor the health of your services. Refer to [Define Health Checks](/consul/docs/register/service/vm/health-checks) for additional information. ### Register a service -You can register your service using the [`consul services` command](/consul/commands/services) or by calling the [`/agent/services` API endpoint](/consul/api-docs/agent/service). Refer to [Register Services and Health Checks](/consul/docs/services/usage/register-services-checks) for details. +You can register your service using the [`consul services` command](/consul/commands/services) or by calling the [`/agent/services` API endpoint](/consul/api-docs/agent/service). Refer to [Register Services and Health Checks](/consul/docs/register/service/vm) for details. ## Define service defaults -If Consul service mesh is enabled in your network, you can define default values for services in your mesh by creating and applying a `service-defaults` configuration entry containing. Refer to [Service Mesh Configuration Overview](/consul/docs/connect/configuration) for additional information. +If Consul service mesh is enabled in your network, you can define default values for services in your mesh by creating and applying a `service-defaults` configuration entry containing. Refer to [Service Mesh Configuration Overview](/consul/docs/connect/configuration-entries) for additional information. -Create a file for the configuration entry and specify the required fields. If you are authoring `service-defaults` in HCL or JSON, the `Kind` and `Name` fields are required. On Kubernetes, the `apiVersion`, `kind`, and `metadata.name` fields are required. Refer to [Service Defaults Reference](/consul/docs/connect/config-entries/service-defaults) for details about the configuration options. +Create a file for the configuration entry and specify the required fields. If you are authoring `service-defaults` in HCL or JSON, the `Kind` and `Name` fields are required. On Kubernetes, the `apiVersion`, `kind`, and `metadata.name` fields are required. Refer to [Service Defaults Reference](/consul/docs/reference/config-entry/service-default) for details about the configuration options. If you use Consul Enterprise, you can also specify the `Namespace` and `Partition` fields to apply the configuration to services in a specific namespace or partition. For Kubernetes environments, the configuration entry is always created in the same partition as the Kubernetes cluster. @@ -206,6 +208,7 @@ spec: ### Consul Enterprise example + The following example instructs services named `counting` in the `prod` namespace to send up to `512` concurrent requests to a mesh gateway: @@ -426,13 +429,16 @@ service { This configuration only applies to the locally registered service. Nodes that register the same service apply the `enable_tag_override` and other service configurations independently. The tags for a service registered on one node update are not affected by operations performed on services with the same name registered on other nodes. -Refer to [`enable_tag_override`](/consul/docs/services/configuration/services-configuration-reference#enable_tag_override) for additional configuration information. +Refer to [`enable_tag_override`](/consul/docs/reference/service#enable_tag_override) for additional configuration information. ## Services in service mesh environments + Defining services for service mesh environments on virtual machines and in Kubernetes requires a different workflow. ### Define service mesh proxies + You can register services to function as service mesh or sidecar proxies so that they can facilitate communication between other services across your network. Refer to [Service Mesh Proxy Overview](/consul/docs/connect/registration) for additional information. ### Define services in Kubernetes -You can enable the services running in Kubernetes and Consul to sync automatically. Doing so ensures that Kubernetes services are available to Consul agents and services in Consul can be available as first-class Kubernetes services. Refer to [Service Sync for Consul on Kubernetes](/consul/docs/k8s/service-sync) for details. + +You can enable the services running in Kubernetes and Consul to sync automatically. Doing so ensures that Kubernetes services are available to Consul agents and services in Consul can be available as first-class Kubernetes services. Refer to [Service Sync for Consul on Kubernetes](/consul/docs/register/service/k8s/service-sync) for details. diff --git a/website/content/docs/services/usage/checks.mdx b/website/content/docs/register/service/vm/health-check.mdx similarity index 89% rename from website/content/docs/services/usage/checks.mdx rename to website/content/docs/register/service/vm/health-check.mdx index b4fcca2b8b4..0b6d1c30a43 100644 --- a/website/content/docs/services/usage/checks.mdx +++ b/website/content/docs/register/service/vm/health-check.mdx @@ -1,16 +1,17 @@ --- layout: docs page_title: Define health checks -description: -> - Learn how to configure different types of health checks for services you register with Consul. +description: >- + Learn how to configure different types of health checks for services you register with Consul. --- -# Define health checks -This topic describes how to create different types of health checks for your services. +# Define health checks +This topic describes how to create different types of health checks for your services. ## Overview -Health checks are configurations that verifies the health of a service or node. Health checks configurations are nested in the `service` block. Refer to [Define Services](/consul/docs/services/usage/define-services) for information about specifying other service parameters. + +Health checks are configurations that verifies the health of a service or node. Health checks configurations are nested in the `service` block. Refer to [Define Services](/consul/docs/register/service/vm/define) for information about specifying other service parameters. You can define individual health checks for your service in separate `check` blocks or define multiple checks in a `checks` block. Refer to [Define multiple checks](#define-multiple-checks) for additional information. @@ -30,7 +31,7 @@ If your network runs in a Kubernetes environment, you can sync service health in ### Registration -After defining health checks, you must register the service containing the checks with Consul. Refer to [Register Services and Health Checks](/consul/docs/services/usage/register-services-checks) for additional information. If the service is already registered, you can reload the service configuration file to implement your health check. Refer to [Reload](/consul/commands/reload) for additional information. +After defining health checks, you must register the service containing the checks with Consul. Refer to [Register Services and Health Checks](/consul/docs/register/service/vm) for additional information. If the service is already registered, you can reload the service configuration file to implement your health check. Refer to [Reload](/consul/commands/reload) for additional information. ## Define multiple checks @@ -130,8 +131,8 @@ Script checks timeout after 30 seconds by default, but you can configure a custo To enable script checks, you must first enable the agent to send external requests, then configure the health check settings in the service definition: 1. Add one of the following configurations to your agent configuration file to enable a script check: - - [`enable_local_script_checks`](/consul/docs/agent/config/cli-flags#enable_local_script_checks): Enable script checks defined in local configuration files. Script checks registered using the HTTP API are not allowed. - - [`enable_script_checks`](/consul/docs/agent/config/cli-flags#enable_script_checks): Enable script checks no matter how they are registered. + - [`enable_local_script_checks`](/consul/docsreference-cli/agent#enable_local_script_checks): Enable script checks defined in local configuration files. Script checks registered using the HTTP API are not allowed. + - [`enable_script_checks`](/consul/docsreference-cli/agent#enable_script_checks): Enable script checks no matter how they are registered. !> **Security warning:** Enabling non-local script checks in some configurations may introduce a known remote execution vulnerability targeted by malware. We strongly recommend `enable_local_script_checks` instead. @@ -168,7 +169,7 @@ To enable script checks, you must first enable the agent to send external reques ``` -Refer to [Health Checks Configuration Reference](/consul/docs/services/configuration/checks-configuration-reference) for information about all health check configurations. +Refer to [Health Checks Configuration Reference](/consul/docs/reference/service/health-checks) for information about all health check configurations. ### Script check exit codes The following exit codes returned by the script check determine the health check status: @@ -183,7 +184,7 @@ Any output of the script is captured and made available in the `Output` field of _HTTP_ checks send an HTTP request to the specified URL and report the service health based on the [HTTP response code](#http-check-response-codes). We recommend using HTTP checks over [script checks](#script-checks) that use cURL or another external process to check an HTTP operation. ### HTTP check configuration -Add an `http` field to the `check` block in your service definition file and specify the HTTP address, including port number, for the check to call. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/services/configuration/checks-configuration-reference) for information about all health check configurations. +Add an `http` field to the `check` block in your service definition file and specify the HTTP address, including port number, for the check to call. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/reference/service/health-checks) for information about all health check configurations. In the following example, an HTTP check named `HTTP API on port 5000` sends a `POST` request to the `health` endpoint every 10 seconds: @@ -243,7 +244,7 @@ Responses larger than 4KB are truncated. The HTTP response determines the status TCP checks establish connections to the specified IPs or hosts. If the check successfully establishes a connection, the service status is reported as `success`. If the IP or host does not accept the connection, the service status is reported as `critical`. We recommend TCP checks over [script checks](#script-checks) that use netcat or another external process to check a socket operation. ### TCP check configuration -Add a `tcp` field to the `check` block in your service definition file and specify the address, including port number, for the check to call. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/services/configuration/checks-configuration-reference) for information about all health check configurations. +Add a `tcp` field to the `check` block in your service definition file and specify the address, including port number, for the check to call. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/reference/service/health-checks) for information about all health check configurations. In the following example, a TCP check named `SSH TCP on port 22` attempts to connect to `localhost:22` every 10 seconds: @@ -282,7 +283,7 @@ By default, TCP check requests timeout at 10 seconds, but you can specify a cust UDP checks direct the Consul agent to send UDP datagrams to the specified IP or hostname and port. The check status is set to `success` if any response is received from the targeted UDP server. Any other result sets the status to `critical`. ### UDP check configuration -Add a `udp` field to the `check` block in your service definition file and specify the address, including port number, for sending datagrams. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/services/configuration/checks-configuration-reference) for information about all health check configurations. +Add a `udp` field to the `check` block in your service definition file and specify the address, including port number, for sending datagrams. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/reference/service/health-checks) for information about all health check configurations. In the following example, a UDP check named `DNS UDP on port 53` sends datagrams to `localhost:53` every 10 seconds: @@ -318,7 +319,7 @@ By default, UDP checks timeout at 10 seconds, but you can specify a custom timeo OSService checks if an OS service is running on the host. OSService checks support Windows services on Windows hosts or SystemD services on Unix hosts. The check logs the service as `healthy` if it is running. If the service is not running, the status is logged as `critical`. All other results are logged with `warning`. A `warning` status indicates that the check is not reliable because an issue is preventing it from determining the health of the service. ### OSService check configurations -Add an `os_service` field to the `check` block in your service definition file and specify the name of the service to check. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/services/configuration/checks-configuration-reference) for information about all health check configurations. +Add an `os_service` field to the `check` block in your service definition file and specify the name of the service to check. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/reference/service/health-checks) for information about all health check configurations. In the following example, an OSService check named `svcname-001 Windows Service Health` verifies that the `myco-svctype-svcname-001` service is running every 10 seconds: @@ -361,7 +362,7 @@ TTL checks also persist their last known status to disk so that the Consul agent You can manually mark a service as unhealthy using the [`consul maint` CLI command](/consul/commands/maint) or [`agent/maintenance` HTTP API endpoint](/consul/api-docs/agent#enable-maintenance-mode), rather than waiting for a TTL health check if the `ttl` duration is high. ### TTL check configuration -Add a `ttl` field to the `check` block in your service definition file and specify how long to wait for an update from the external process. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/services/configuration/checks-configuration-reference) for information about all health check configurations. +Add a `ttl` field to the `check` block in your service definition file and specify how long to wait for an update from the external process. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/reference/service/health-checks) for information about all health check configurations. In the following example, a TTL check named `Web App Status` logs the application as `critical` if a status update is not received every 30 seconds: @@ -402,9 +403,9 @@ To enable Docker checks, you must first enable the agent to send external reques 1. Add one of the following configurations to your agent configuration file to enable a Docker check: - - [`enable_local_script_checks`](/consul/docs/agent/config/cli-flags#enable_local_script_checks): Enable script checks defined in local config files. Script checks registered using the HTTP API are not allowed. + - [`enable_local_script_checks`](/consul/docsreference-cli/agent#enable_local_script_checks): Enable script checks defined in local config files. Script checks registered using the HTTP API are not allowed. - - [`enable_script_checks`](/consul/docs/agent/config/cli-flags#enable_script_checks): Enable script checks no matter how they are registered. + - [`enable_script_checks`](/consul/docsreference-cli/agent#enable_script_checks): Enable script checks no matter how they are registered. !> **Security warning**: Enabling non-local script checks in some configurations may introduce a known remote execution vulnerability targeted by malware. We strongly recommend `enable_local_script_checks` instead. 1. Configure the following fields in the `check` block in your service definition file: @@ -448,7 +449,7 @@ check = { gRPC checks send a request to the specified endpoint. These checks are intended for applications that support the standard [gRPC health checking protocol](https://github.com/grpc/grpc/blob/master/doc/health-checking.md). ### gRPC check configuration -Add a `grpc` field to the `check` block in your service definition file and specify the endpoint, including port number, for sending requests. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/services/configuration/checks-configuration-reference) for information about all health check configurations. +Add a `grpc` field to the `check` block in your service definition file and specify the endpoint, including port number, for sending requests. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/reference/service/health-checks) for information about all health check configurations. In the following example, a gRPC check named `Service health status` probes the entire application by sending requests to `127.0.0.1:12345` every 10 seconds: @@ -517,7 +518,7 @@ By default, gRPC checks timeout after 10 seconds, but you can specify a custom d H2ping checks test an endpoint that uses HTTP2 by connecting to the endpoint and sending a ping frame. If the endpoint sends a response within the specified interval, the check status is set to `success`. ### H2ping check configuration -Add an `h2ping` field to the `check` block in your service definition file and specify the HTTP2 endpoint, including port number, for the check to ping. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/services/configuration/checks-configuration-reference) for information about all health check configurations. +Add an `h2ping` field to the `check` block in your service definition file and specify the HTTP2 endpoint, including port number, for the check to ping. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/reference/service/health-checks) for information about all health check configurations. In the following example, an H2ping check named `h2ping` pings the endpoint at `localhost:22222` every 10 seconds: @@ -559,10 +560,10 @@ Alias checks continuously report the health state of another registered node or For aliased services on the same agent, the check monitors the local state without consuming additional network resources. For services and nodes on different agents, the check maintains a blocking query over the agent's connection with a current server and allows stale requests. ### ACLs -For the blocking query, the alias check presents the ACL token set on the actual service or the token configured in the check definition. If neither are available, the alias check falls back to the default ACL token set for the agent. Refer to [`acl.tokens.default`](/consul/docs/agent/config/config-files#acl_tokens_default) for additional information about the default ACL token. +For the blocking query, the alias check presents the ACL token set on the actual service or the token configured in the check definition. If neither are available, the alias check falls back to the default ACL token set for the agent. Refer to [`acl.tokens.default`](/consul/docs/reference/agent#acl_tokens_default) for additional information about the default ACL token. ### Alias checks configuration -Add an `alias_service` field to the `check` block in your service definition file and specify the name of the service or node to alias. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/services/configuration/checks-configuration-reference) for information about all health check configurations. +Add an `alias_service` field to the `check` block in your service definition file and specify the name of the service or node to alias. All other fields are optional. Refer to [Health Checks Configuration Reference](/consul/docs/reference/service/health-checks) for information about all health check configurations. In the following example, an alias check with the ID `web-alias` reports the health state of the `web` service: diff --git a/website/content/docs/services/usage/register-services-checks.mdx b/website/content/docs/register/service/vm/index.mdx similarity index 89% rename from website/content/docs/services/usage/register-services-checks.mdx rename to website/content/docs/register/service/vm/index.mdx index 3cfe03c852e..306da1ecb5c 100644 --- a/website/content/docs/services/usage/register-services-checks.mdx +++ b/website/content/docs/register/service/vm/index.mdx @@ -2,27 +2,29 @@ layout: docs page_title: Register services and health checks description: -> - Learn how to register services and health checks with Consul agents. + Learn how to register services and health checks with Consul agents. --- # Register services and health checks -This topic describes how to register services and health checks with Consul in networks running on virtual machines (VM). Refer to [Define Services](/consul/docs/services/usage/define-services) and [Define Health Checks](/consul/docs/services/usage/checks) for information about how to define services and health checks. +This topic describes how to register services and health checks with Consul in networks running on virtual machines (VM). Refer to [Define Services](/consul/docs/register/service/vm/define) and [Define Health Checks](/consul/docs/register/service/vm/health-checks) for information about how to define services and health checks. ## Overview + Register services and health checks in VM environments by providing the service definition to a Consul agent. You can use several different methods to register services and health checks. - Start a Consul agent and pass the service definition in the [agent's configuration directory](/consul/docs/agent#configuring-consul-agents). - Reload the a running Consul agent and pass the service definition in the [agent's configuration directory](/consul/docs/agent#configuring-consul-agents). Use this method when implementing changes to an existing service or health check definition. -- Use the [`consul services register` command](/consul/commands/services/register) to register new service and health checks with a running Consul agent. -- Call the [`/agent/service/register`](/consul/api-docs/agent/service#register-service) HTTP API endpoint to register new service and health checks with a running Consul agent. +- Use the [`consul services register` command](/consul/commands/services/register) to register new service and health checks with a running Consul agent. +- Call the [`/agent/service/register`](/consul/api-docs/agent/service#register-service) HTTP API endpoint to to register new service and health checks with a running Consul agent. - Call the [`/agent/check/register`](/consul/api-docs/agent/check#register-check) HTTP API endpoint to register a health check independent from the service. -When a service is registered using the HTTP API endpoint or CLI command, the checks persist in the Consul data folder. If the agent restarts, Consul uses the service and check configurations in the configuration directory to start the services. +When a service is registered using the HTTP API endpoint or CLI command, the checks persist in the Consul data folder. If the agent restarts, Consul uses the service and check configurations in the configuration directory to start the services. -Note that health checks associated with a service are application-level checks. +Note that health checks associated with a service are application-level checks. ## Start an agent + We recommend registering services on startup because the service persists if the agent fails. Specify the directory containing the service definition with the `-config-dir` option on startup. When the Consul agent starts, it processes all configurations in the directory and registers any services contained in the configurations. In the following example, the Consul agent starts and loads the configurations contained in the `configs` directory: ```shell-session @@ -32,9 +34,11 @@ $ consul agent -config-dir configs Refer to [Starting the Consul Agent](/consul/docs/agent#starting-the-consul-agent) for additional information. ## Reload an agent + Store your service definition file in the directory containing your Consul configuration files and either send a `SIGHUP` signal to the Consul agent service or run the `consul reload` command. Refer to [Consul Reload](/consul/commands/reload) for additional information. ## Register using the CLI + Run the `consul services register` command and specify the service definition file to register the services and health checks defined in the file. In the following example, a service named `web` is registered: ```shell-session @@ -48,7 +52,8 @@ Refer to [Consul Agent Service Registration](/consul/commands/services/register) Use the following methods to register services and health checks using the HTTP API. ### Register services -Send a `PUT` request to the `/agent/service/register` API endpoint to dynamically register a service and its associated health checks. To register health checks independently, [call the checks API endpoint](#call-the-checks-http-api-endpoint). + +Send a `PUT` request to the `/agent/service/register` API endpoint to dynamically register a service and its associated health checks. To register health checks independently, [call the checks API endpoint](#call-the-checks-http-api-endpoint). The following example request registers the service defined in the `service.json` file. @@ -59,6 +64,7 @@ $ curl --request PUT --data @service.json http://localhost:8500/v1/agent/service Refer to [Service - Agent HTTP API](/consul/api-docs/agent/service) for additional information about the `services` endpoint. ### Register health checks + Send a `PUT` request to the `/agent/check/register` API endpoint to dynamically register a health check to the local Consul agent. The following example request registers a health check defined in a `payload.json` file. ```shell-session diff --git a/website/content/docs/release-notes/index.mdx b/website/content/docs/release-notes/index.mdx index 4b31ad91968..179cce2fc29 100644 --- a/website/content/docs/release-notes/index.mdx +++ b/website/content/docs/release-notes/index.mdx @@ -1,12 +1,16 @@ --- layout: docs -page_title: Release Notes +page_title: Release notes description: |- - Release notes for the major software packages in the Consul product line + Release notes for the major software packages in the Consul product line. --- -# Release Notes +# Release notes + +This page provides an overview of the major Consul software packages and includes release notes. + +For a full software changelog, refer to the [release notes in the product's GitHub repository](https://github.com/hashicorp/consul/releases). Choose a version from the navigation sidebar to view the release notes for each of the major software packages in the Consul product line. -Documentation for maintenance releases (e.g., 0.1.x) is on the bottom of each release notes page. +Documentation for maintenance releases is on the bottom of each release notes page. diff --git a/website/content/docs/connect/ca/aws.mdx b/website/content/docs/secure-mesh/certificate/acm.mdx similarity index 94% rename from website/content/docs/connect/ca/aws.mdx rename to website/content/docs/secure-mesh/certificate/acm.mdx index cac5cb46e65..de69c79ccec 100644 --- a/website/content/docs/connect/ca/aws.mdx +++ b/website/content/docs/secure-mesh/certificate/acm.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Service Mesh Certificate Authority - AWS Certificate Manager +page_title: Use AWS Certificate Manager as a service mesh certificate authority description: >- You can use the AWS Certificate Manager Private Certificate Authority as the Consul service mesh's certificate authority to secure your service mesh. Learn how to configure the AWS ACM Private CA, its limitations in Consul, and cost planning considerations. --- -# AWS Certificate Manager as a Service Mesh Certificate Authority +# Use AWS Certificate Manager as a service mesh certificate authority Consul can be used with [AWS Certificate Manager (ACM) Private Certificate Authority @@ -13,7 +13,7 @@ Authority to manage and sign certificates. -> This page documents the specifics of the AWS ACM Private CA provider. -Please read the [certificate management overview](/consul/docs/connect/ca) +Please read the [certificate management overview](/consul/docs/secure-mesh/certificate) page first to understand how Consul manages certificates with configurable CA providers. @@ -131,7 +131,7 @@ For now, the limitation means that once ACM Private CA is configured as the CA provider, it is not possible to reconfigure a different CA provider, or rotate the root CA key without potentially observing some transient connection failures. See the section on [forced rotation without -cross-signing](/consul/docs/connect/ca#forced-rotation-without-cross-signing) for +cross-signing](/consul/docs/secure-mesh/certificate#forced-rotation-without-cross-signing) for more details. ### Primary DC Must be a Root CA @@ -172,7 +172,7 @@ So monthly cost would be calculated as: - 500 ⨉ 13.3 = 6,650 certificates issued in dc3 The number of certificates issued could be reduced by increasing -[`leaf_cert_ttl`](/consul/docs/agent/config/config-files#ca_leaf_cert_ttl) in the CA Provider +[`leaf_cert_ttl`](/consul/docs/reference/agent#ca_leaf_cert_ttl) in the CA Provider configuration if the longer lived credentials are an acceptable risk tradeoff against the cost. diff --git a/website/content/docs/secure-mesh/certificate/bootstrap/k8s.mdx b/website/content/docs/secure-mesh/certificate/bootstrap/k8s.mdx new file mode 100644 index 00000000000..dadf81fb470 --- /dev/null +++ b/website/content/docs/secure-mesh/certificate/bootstrap/k8s.mdx @@ -0,0 +1,8 @@ +--- +layout: docs +page_title: Bootstrap certificate authority on Kubernetes (K8s) +description: >- + Consul uses a certificate authority (CA) to generate, use, manage, sign, and store certificates for your service mesh. Learn how to bootstrap the certificate authority on k8s. +--- + +# Bootstrap certificate authority on Kubernetes \ No newline at end of file diff --git a/website/content/docs/secure-mesh/certificate/bootstrap/vm.mdx b/website/content/docs/secure-mesh/certificate/bootstrap/vm.mdx new file mode 100644 index 00000000000..696f8c3b421 --- /dev/null +++ b/website/content/docs/secure-mesh/certificate/bootstrap/vm.mdx @@ -0,0 +1,34 @@ +--- +layout: docs +page_title: Bootstrap certificate authority on virtual machines (VM) +description: >- + Consul uses a certificate authority (CA) to generate, use, manage, sign, and store certificates for your service mesh. Learn how to bootstrap the certificate authority on VMs. +--- + +# Bootstrap certificate authority on virtual machines (VM) + +Consul service mesh comes with a built-in Certificate Authority (CA) that will +bootstrap by default when you first [enable](/consul/docs/reference/agent#connect_enabled) Consul service mesh on your servers. + +To use the built-in CA, enable it in the server's configuration. + +```hcl +connect { + enabled = true +} +``` + +This configuration change requires a Consul server restart, which you can perform one server at a time +to maintain availability in an existing datacenter. + +When a server is enabled with Consul Service mesh and becomes the leader, it will +bootstrap a new CA and generate it's own private key which is written to the +Raft state. + +Alternatively, an external private key can be provided via the [CA +configuration](/consul/docs/secure-mesh/certificate/built-in#specifying-a-custom-private-key-and-root-certificate). + +~> External CAs: Consul has been designed with a pluggable CA component so external CAs can be +integrated. For production workloads we recommend using [Vault or another external +CA](/consul/docs/secure-mesh/certificate/vault) once +available such that the root key is not stored within Consul state at all. diff --git a/website/content/docs/connect/ca/consul.mdx b/website/content/docs/secure-mesh/certificate/built-in.mdx similarity index 93% rename from website/content/docs/connect/ca/consul.mdx rename to website/content/docs/secure-mesh/certificate/built-in.mdx index 870bea4fe43..38fdaf1ebff 100644 --- a/website/content/docs/connect/ca/consul.mdx +++ b/website/content/docs/secure-mesh/certificate/built-in.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Certificate Authority - Built-in Service Mesh CA +page_title: Use Consul's built-in certificate authority description: >- Consul has a built-in service mesh certificate authority that can be used to secure your service mesh without needing a separate CA system. Learn how to configure the built-in service mesh CA as a root CA or an intermediate CA connected to an existing PKI system. --- -# Built-In Certificate Authority for Service Mesh +# Use Consul's built-in certificate authority Consul ships with a built-in CA system so that service mesh can be easily enabled out of the box. The built-in CA generates and stores the @@ -14,11 +14,11 @@ configured with a custom certificate and private key if needed. If service mesh is enabled and no CA provider is specified, the built-in CA is the default provider used. The provider can be -[updated and rotated](/consul/docs/connect/ca#root-certificate-rotation) +[updated and rotated](/consul/docs/secure-mesh/certificate#root-certificate-rotation) at any point to migrate to a new provider. -> This page documents the specifics of the built-in CA provider. -Please read the [certificate management overview](/consul/docs/connect/ca) +Please read the [certificate management overview](/consul/docs/secure-mesh/certificate) page first to understand how Consul manages certificates with configurable CA providers. @@ -89,7 +89,7 @@ service mesh is enabled - the PrivateKey and RootCert fields have not been set, been generated (as seen above in the roots list). There are two ways to have the Consul CA use a custom private key and root certificate: -either through the `ca_config` section of the [Agent configuration](/consul/docs/agent/config/config-files#connect_ca_config) (which can only be used during the cluster's +either through the `ca_config` section of the [Agent configuration](/consul/docs/reference/agent#connect_ca_config) (which can only be used during the cluster's initial bootstrap) or through the [Update CA Configuration endpoint](/consul/api-docs/connect/ca#update-ca-configuration). Currently Consul requires that root certificates are valid [SPIFFE SVID Signing certificates](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md) and that the URI encoded diff --git a/website/content/docs/k8s/operations/tls-on-existing-cluster.mdx b/website/content/docs/secure-mesh/certificate/existing.mdx similarity index 92% rename from website/content/docs/k8s/operations/tls-on-existing-cluster.mdx rename to website/content/docs/secure-mesh/certificate/existing.mdx index 32b89d326cd..fabc019d103 100644 --- a/website/content/docs/k8s/operations/tls-on-existing-cluster.mdx +++ b/website/content/docs/secure-mesh/certificate/existing.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Rolling Updates to TLS for Existing Clusters on Kubernetes +page_title: Configure TLS on an existing cluster on Kubernetes description: >- Consul Helm chart 0.16.0 and later supports TLS communication within clusters. Follow the instructions to trigger rolling updates for consul-k8s without causing downtime. --- -# Rolling Updates to TLS for Existing Clusters on Kubernetes +# Configure TLS on an existing cluster on Kubernetes As of Consul Helm version `0.16.0`, the chart supports TLS for communication within the cluster. If you already have a Consul cluster deployed on Kubernetes, @@ -34,7 +34,7 @@ If you do not use a service mesh, follow this process. This upgrade trigger a rolling update of `consul-k8s` components. 1. Perform a rolling upgrade of the servers, as described in - [Upgrade Consul Servers](/consul/docs/k8s/upgrade#upgrading-consul-servers). + [Upgrade Consul Servers](/consul/docs/upgrade/k8s#upgrading-consul-servers). 1. Repeat steps 1 and 2, turning on TLS verification by setting `global.tls.verify` to `true`. @@ -71,7 +71,7 @@ applications to it. ``` In this configuration, we're setting `server.updatePartition` to the number of - server replicas as described in [Upgrade Consul Servers](/consul/docs/k8s/upgrade#upgrading-consul-servers). + server replicas as described in [Upgrade Consul Servers](/consul/docs/upgrade/k8s#upgrading-consul-servers). 1. Run `helm upgrade` with the above config file. @@ -84,7 +84,7 @@ applications to it. the sidecar proxy. Also, Kubernetes should schedule these applications on the new node pool. 1. Perform a rolling upgrade of the servers described in - [Upgrade Consul Servers](/consul/docs/k8s/upgrade#upgrading-consul-servers). + [Upgrade Consul Servers](/consul/docs/upgrade/k8s#upgrading-consul-servers). 1. If everything is healthy, delete the old node pool. diff --git a/website/content/docs/secure-mesh/certificate/index.mdx b/website/content/docs/secure-mesh/certificate/index.mdx new file mode 100644 index 00000000000..a6295db3bc4 --- /dev/null +++ b/website/content/docs/secure-mesh/certificate/index.mdx @@ -0,0 +1,156 @@ +--- +layout: docs +page_title: Service Mesh Certificate Authority Overview +description: >- + Consul uses a certificate authority (CA) to generate, use, manage, sign, and store certificates for your service mesh. Learn about certificate management, including configuration, root cert rotation, cross-signing, and regenerating the CA. +--- + +# Service Mesh Certificate Authority overview + +Service mesh certificate management is done centrally through the Consul +servers using the configured service mesh CA (Certificate Authority) provider. A CA provider +manages root and intermediate certificates and performs certificate signing +operations. The Consul leader orchestrates CA provider operations as necessary, +such as when a service needs a new certificate or during CA rotation events. + +The CA provider abstraction enables Consul to support multiple systems for +storing and signing certificates. Consul ships with a +[built-in CA](/consul/docs/secure-mesh/certificate/built-in) which generates and stores the +root certificate and private key on the Consul servers. Consul also has +support for using +[Vault as a CA](/consul/docs/secure-mesh/certificate/vault). With Vault, the root certificate +and private key material remain with the Vault cluster. + +## CA and Certificate relationship + +This diagram shows the relationship between the CA certificates in a Consul primary datacenter and a +secondary Consul datacenter. + +![CA relationship](/img/cert-relationship.svg) + +Leaf certificates are created for two purposes: +- the Leaf Cert Service is used by envoy proxies in the mesh to perform mTLS with other +services. +- the Leaf Cert Client Agent is created by auto-encrypt and auto-config. It is used by +client agents for HTTP API TLS, and for mTLS for RPC requests to servers. + +Any secondary datacenters use their CA provider to generate an intermediate certificate +signing request (CSR) to be signed by the primary root CA. They receive an intermediate +CA certificate, which is used to sign leaf certificates in the secondary datacenter. + +You can use different providers across primary and secondary datacenters. +For example, an operator may use a Vault CA provider for extra security in the primary +datacenter but choose to use the built-in CA provider in the secondary datacenter, which +may not have a reachable Vault cluster. The following table compares the built-in and Vault providers. + +## CA Provider Comparison + +| | Consul built-in | Vault | +|------------|------------------------------------|-----------------------------------------------------------------------------------| +| Security | CA private keys are stored on disk | CA private keys are stored in Vault and are never exposed to Consul server agents | +| Resiliency | No dependency on external systems. If Consul is available, it can sign certificates | Dependent on Vault availability | +| Latency | Consul signs certificates locally | A network call to Vault is required to sign certificates | + +## CA Bootstrapping + +CA initialization happens automatically when a new Consul leader is elected +as long as +[service mesh is enabled](/consul/docs/connect/configuration-entries#agent-configuration), +and the CA system has not already been initialized. This initialization process +will generate the initial root certificates and setup the internal Consul server +state. + +For the initial bootstrap, the CA provider can be configured through the +[Agent configuration](/consul/docs/reference/agent#connect_ca_config). After +initialization, the CA can only be updated through the +[Update CA Configuration API endpoint](/consul/api-docs/connect/ca#update-ca-configuration). +If a CA is already initialized, any changes to the CA configuration in the +agent configuration file (including removing the configuration completely) +will have no effect. + +If no specific provider is configured when service mesh is enabled, the built-in +Consul CA provider will be used and a private key and root certificate will +be generated automatically. + +## Viewing Root Certificates + +Root certificates can be queried with the +[list CA Roots endpoint](/consul/api-docs/connect/ca#list-ca-root-certificates). +With this endpoint, you can see the list of currently trusted root certificates. +When a cluster first initializes, this will only list one trusted root. Multiple +roots may appear as part of +[rotation](#root-certificate-rotation). + +```shell-session +$ curl http://localhost:8500/v1/connect/ca/roots +{ + "ActiveRootID": "31:6c:06:fb:49:94:42:d5:e4:55:cc:2e:27:b3:b2:2e:96:67:3e:7e", + "TrustDomain": "36cb52cd-4058-f811-0432-6798a240c5d3.consul", + "Roots": [ + { + "ID": "31:6c:06:fb:49:94:42:d5:e4:55:cc:2e:27:b3:b2:2e:96:67:3e:7e", + "Name": "Consul CA Root Cert", + "SerialNumber": 7, + "SigningKeyID": "19:45:8b:30:a1:45:84:ae:23:52:db:8d:1b:ff:a9:09:db:fc:2a:72:39:ae:da:11:53:f4:37:5c:de:d1:68:d8", + "ExternalTrustDomain": "a1499528-fbf6-df7b-05e5-ae81e1873fc4", + "NotBefore": "2018-06-06T17:35:25Z", + "NotAfter": "2028-06-03T17:35:25Z", + "RootCert": "-----BEGIN CERTIFICATE-----\nMIICmDCCAj6gAwIBAgIBBzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtDb25zdWwg\nQ0EgNzAeFw0xODA2MDYxNzM1MjVaFw0yODA2MDMxNzM1MjVaMBYxFDASBgNVBAMT\nC0NvbnN1bCBDQSA3MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgo09lpx63bHw\ncSXeeoSpHpHgyzX1Q8ewJ3RUg6Ie8Howbs/QBz1y/kGxsF35HXij3YrqhgQyPPx4\nbQ8FH2YR4aOCAXswggF3MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/\nMGgGA1UdDgRhBF8xOTo0NTo4YjozMDphMTo0NTo4NDphZToyMzo1MjpkYjo4ZDox\nYjpmZjphOTowOTpkYjpmYzoyYTo3MjozOTphZTpkYToxMTo1MzpmNDozNzo1Yzpk\nZTpkMTo2ODpkODBqBgNVHSMEYzBhgF8xOTo0NTo4YjozMDphMTo0NTo4NDphZToy\nMzo1MjpkYjo4ZDoxYjpmZjphOTowOTpkYjpmYzoyYTo3MjozOTphZTpkYToxMTo1\nMzpmNDozNzo1YzpkZTpkMTo2ODpkODA/BgNVHREEODA2hjRzcGlmZmU6Ly8zNmNi\nNTJjZC00MDU4LWY4MTEtMDQzMi02Nzk4YTI0MGM1ZDMuY29uc3VsMD0GA1UdHgEB\n/wQzMDGgLzAtgiszNmNiNTJjZC00MDU4LWY4MTEtMDQzMi02Nzk4YTI0MGM1ZDMu\nY29uc3VsMAoGCCqGSM49BAMCA0gAMEUCIHl6UDdouw8Fzn/oDHputAxt3UFbVg/U\nvC6jWPuqqMwmAiEAkvMadtwjtNU7m/AQRJrj1LeG3eXw7dWO8SlI2fEs0yY=\n-----END CERTIFICATE-----\n", + "IntermediateCerts": null, + "Active": true, + "PrivateKeyType": "", + "PrivateKeyBits": 0, + "CreateIndex": 8, + "ModifyIndex": 8 + } + ] +} +``` + +## CA Configuration + +After initialization, the CA provider configuration can be viewed with the +[Get CA Configuration API endpoint](/consul/api-docs/connect/ca#get-ca-configuration). +Consul will filter sensitive values from this endpoint depending on the +provider in use, so the configuration may not be complete. + +```shell-session +$ curl http://localhost:8500/v1/connect/ca/configuration +{ + "Provider": "consul", + "Config": { + "LeafCertTTL": "72h", + "IntermediateCertTTL": "8760h" + }, + "CreateIndex": 5, + "ModifyIndex": 5 +} +``` + +The CA provider can be reconfigured using the +[Update CA Configuration API endpoint](/consul/api-docs/connect/ca#update-ca-configuration). +Specific options for reconfiguration can be found in the specific +CA provider documentation in the sidebar to the left. + + + +### Recovering From Expired Certificates +If the built-in CA provider is misconfigured or unavailable, Consul service mesh requests eventually +stop functioning due to expiration of intermediate and root certificates. To recover manually, use the +[CLI helper](/consul/commands/tls/ca#consul-tls-ca-create) to generate CA certificates. + + +#### Example - Regenerating the built in CA +```shell-session +$ consul tls ca create -cluster-id test -common-name "Consul Agent CA" -days=365 -domain consul + ==> Saved consul-agent-ca.pem + ==> Saved consul-agent-ca-key.pem +``` +The example above generates a new CA with a validity of 365 days. The cluster-id argument is specific +to each cluster and can be looked up by examining the `TrustDomain` field in +the [List CA Roots](/consul/api-docs/connect/ca#list-ca-root-certificates) endpoint. + +The contents of the generated cert and private key files from the above step should then be used with +the [Update CA Configuration](/consul/api-docs/connect/ca#update-ca-configuration) endpoint. Once the CA configuration is +updated on the primary datacenter, all secondary datacenters will pick up the changes and regenerate their intermediate +and leaf certificates, after which any new requests that require certificate verification will succeed. diff --git a/website/content/docs/secure-mesh/certificate/permissive-mtls.mdx b/website/content/docs/secure-mesh/certificate/permissive-mtls.mdx new file mode 100644 index 00000000000..5816764d30b --- /dev/null +++ b/website/content/docs/secure-mesh/certificate/permissive-mtls.mdx @@ -0,0 +1,44 @@ +--- +layout: docs +page_title: Enable permissive mTLS mode +description: >- + Learn how to enable permissive mutual transport layer security (permissive mTLS) so that you can safely add services to your service mesh when transparent proxy is enabled in Kubernetes deployments. +--- + +# Enable permissive mTLS mode + +Depending on the services you are onboarding, you may not need to enable permissive mTLS mode. If the service does not accept incoming traffic or accepts traffic from downstream services that are already part of the service mesh, then permissive mTLS mode is not required to continue. + +To enable permissive mTLS mode for the service, set [`MutualTLSMode=permissive`](/consul/docs/reference/config-entry/service-default#mutualtlsmode) in the service defaults configuration entry for the service. The following example shows how to configure this setting for a service named `example-service`. + + + +```hcl +Kind = "service-defaults" +Name = "example-service" + +MutualTLSMode = "permissive" +``` + +```yaml +apiVersion: consul.hashicorp.com/v1alpha1 +kind: ServiceDefaults +metadata: + name: example-service +spec: + mutualTLSMode: "permissive" +``` + +```json +{ + "Kind": "service-defaults", + "Name": "example-service", + "MutualTLSMode": "permissive" +} +``` + + + +Refer to the [service defaults configuration reference](/consul/docs/reference/config-entry/service-default) for information about all settings. + +You can change this setting back to `strict` at any time to ensure mTLS is required for incoming traffic to this service. diff --git a/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx b/website/content/docs/secure-mesh/certificate/rotate/gossip.mdx similarity index 56% rename from website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx rename to website/content/docs/secure-mesh/certificate/rotate/gossip.mdx index df49d79b18d..6058ae4ed38 100644 --- a/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx +++ b/website/content/docs/secure-mesh/certificate/rotate/gossip.mdx @@ -1,15 +1,201 @@ --- layout: docs -page_title: Rotate Gossip Encryption Keys for Consul on Kubernetes +page_title: Rotate gossip encryption keys description: >- Consul agents use encryption keys to secure their gossip communication, and you must rotate the keys periodically to maintain network security. Learn how to use `keygen` and `keyring` commands to rotate keys for agents on k8s clusters. --- -# Rotate Gossip Encryption Keys for Consul on Kubernetes +# Rotate gossip encryption keys -The following instructions provides a step-by-step manual process for rotating [gossip encryption](/consul/docs/security/encryption#gossip-encryption) keys on Consul clusters that are deployed onto a Kubernetes cluster with Consul on Kubernetes. +The `consul keyring` command is used to examine and modify the encryption keys used in Consul’s gossip pools. It is capable of distributing new encryption keys to the agents, retiring old encryption keys, and changing the keys used by the agents to encrypt messages. -The following steps need only be performed once in any single datacenter if your Consul clusters are [federated](/consul/docs/k8s/deployment-configurations/multi-cluster/kubernetes). Rotating the gossip encryption key in one datacenter will automatically rotate the gossip encryption key for all the other datacenters. +In this tutorial, you interact with the Consul keyring and change the gossip encryption key used by your datacenter. + +## Prerequisites + +In order to complete the steps listed in this tutorial, you need a running Consul datacenter with gossip encryption enabled. Refer to [Enable gossip communication](/consul/docs/secure-consul/encryption/gossip/enable) to configure gossip encryption on a new datacenter. + +## Required steps + +The steps to rotate the gossip key in use by your datacenter are the following: + +1. Check keyring content +1. Generate a new encryption key +1. Add new key to the keyring +1. Verify that the key was installed +1. Promote the new key to primary +1. Remove the old key from the keyring + +## Check keyring content + +List your current keys, and verify that all nodes have the proper key. + +```shell-session +$ consul keyring -list + +==> Gathering installed encryption keys... +WAN: + J5+gaLwt5cshalq0HLlGmhgxoqwXO5506MMxp16oiHQ= [3/3] +dc1 (LAN): + J5+gaLwt5cshalq0HLlGmhgxoqwXO5506MMxp16oiHQ= [11/11] +``` + +## Generate a new encryption key + +You can generate a new gossip key using any method that can creates 16 random bytes encoded in base64. + + + + + +Generate a new key using `consul keygen`: + +```shell-session +$ consul keygen | tee encryption.key + +FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= +``` + + + + + +Generate a new key using `openssl`: + +```shell-session +$ openssl rand -base64 16 | tee encryption.key + +22Br/DzyKMBuH5VjhakYEA== +``` + + + + + +Generate a new key using `dd`: + +```shell-session +$ dd if=/dev/urandom bs=16 count=1 status=none | base64 | tee encryption.key + +DYT6KCxb6ZxhryYRb6WdYw== +``` + + + + + +Store the new gossip key in an environment variable. + +```shell-session +$ export CONSUL_GOSSIP_KEY=$(cat encryption.key) +``` + +## Add new key to the keyring + +Add your newly generated key to the keyring. + +```shell-session +$ consul keyring -install ${CONSUL_GOSSIP_KEY} + +==> Installing new gossip encryption key... +``` + +## Verify that the key was installed + +Once you have added the key to one of the Consul agents, it will be propagated across the whole datacenter. You do not need to repeat the command on other agents. + +You can ensure that the key has been propagated to all agents by verifying the number of agents that recognize the key over the number of total agents in the datacenter. + +```shell-session +$ consul keyring -list + +==> Gathering installed encryption keys... +WAN: + J5+gaLwt5cshalq0HLlGmhgxoqwXO5506MMxp16oiHQ= [3/3] + FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= [3/3] +dc1 (LAN): + J5+gaLwt5cshalq0HLlGmhgxoqwXO5506MMxp16oiHQ= [11/11] + FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= [11/11] +``` + +You must check that the two keys are installed in the datacenter, and are recognized by all 11 agents, as well as by all 3 server agents. Do not proceed to the next step unless all agents have the new key. + +## Promote the new key to primary + +Once all agents have received the key and are able to use it as the primary encryption key, it is possible to promote the new key to primary. + +```shell-session +$ consul keyring -use ${CONSUL_GOSSIP_KEY} + +==> Changing primary gossip encryption key... +``` + +## Remove the old key from the keyring + +To avoid unused keys remaining in the keyring, we recommended you remove the old primary from the keyring once a new key is installed. + +```shell-session +$ consul keyring -remove J5+gaLwt5cshalq0HLlGmhgxoqwXO5506MMxp16oiHQ= + +==> Removing gossip encryption key... +``` + +Verify that the keyring contains only one key. + +```shell-session +$ consul keyring -list + +==> Gathering installed encryption keys... +WAN: + FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= [3/3] +dc1 (LAN): + FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= [11/11] +``` + +## Create a script for rotating the gossip key + +Once you have learned the process for changing the gossip encryption key, you can automate it using whatever tool you prefer. + +One way is to create a script that does it for you that you can run against one Consul server. + +```shell +#!/usr/bin/env bash + +# Setup Consul address info +export CONSUL_HTTP_ADDR="http://localhost:8500" + +# Generate the new key +NEW_KEY=`consul keygen` + +# Install the key +consul keyring -install ${NEW_KEY} + +# Set as primary +consul keyring -use ${NEW_KEY} + +# Retrieve all keys used by Consul +KEYS=`curl -s ${CONSUL_HTTP_ADDR}/v1/operator/keyring` + +ALL_KEYS=`echo ${KEYS} | jq -r '.[].Keys| to_entries[].key' | sort | uniq` + +for i in `echo ${ALL_KEYS}`; do + if [ $i != ${NEW_KEY} ] ; then + consul keyring -remove $i + fi +done +``` + +## Next steps + +In this tutorial you learned how to rotate the gossip key saved in the keyring for your Consul datacenter. + +To learn how to automate gossip key rotation using HashiCorp Vault and consul-template, refer to the [Generate gossip keys for Consul using Vault](/consul/tutorials/vault-secure/vault-kv-consul-secure-gossip) tutorial. + +## Rotate gossip encryption keys for Consul on Kubernetes + +The following instructions provides a step-by-step manual process for rotating [gossip encryption](/consul/docs/secure-consul/encryption/gossip/existing) keys on Consul clusters that are deployed onto a Kubernetes cluster with Consul on Kubernetes. + +The following steps need only be performed once in any single datacenter if your Consul clusters are [federated](/consul/docs/east-west/wan-federation/k8s). Rotating the gossip encryption key in one datacenter will automatically rotate the gossip encryption key for all the other datacenters. -> **Note:** Careful precaution should be taken to prohibit new clients from joining during the gossip encryption rotation process, otherwise the new clients will join the gossip pool without knowledge of the new primary gossip encryption key. In addition, deletion of a gossip encryption key from the keyring should occur only after clients have safely migrated to utilizing the new gossip encryption key for communication. @@ -128,7 +314,7 @@ The following steps need only be performed once in any single datacenter if your - -> **Note:** These Vault instructions assume that you have integrated your [Gossip encryption key](/consul/docs/k8s/deployment-configurations/vault/data-integration/gossip) using [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault). + -> **Note:** These Vault instructions assume that you have integrated your [Gossip encryption key](/consul/docs/deploy/server/k8s/multi/vault/data-integration/gossip-encryption-key) using [Vault as a Secrets Backend](/consul/docs/deploy/server/k8s/multi/vault). Update the gossip encryption Vault Secret with the value of the new gossip encryption key to ensure that subsequent `helm upgrades` commands execute successfully. The name of the secret that stores the value of the gossip encryption key can be found in the Helm values file: diff --git a/website/content/docs/connect/ca/index.mdx b/website/content/docs/secure-mesh/certificate/rotate/tls.mdx similarity index 50% rename from website/content/docs/connect/ca/index.mdx rename to website/content/docs/secure-mesh/certificate/rotate/tls.mdx index c49e07516fa..9d5383b5e57 100644 --- a/website/content/docs/connect/ca/index.mdx +++ b/website/content/docs/secure-mesh/certificate/rotate/tls.mdx @@ -1,138 +1,15 @@ --- layout: docs -page_title: Service Mesh Certificate Authority - Overview +page_title: Rotate TLS certificate description: >- - Consul uses a certificate authority (CA) to generate, use, manage, sign, and store certificates for your service mesh. Learn about certificate management, including configuration, root cert rotation, cross-signing, and regenerating the CA. + Learn how to retate TLS certificates. --- -# Service Mesh Certificate Authority Overview +# Rotate TLS certificates -Service mesh certificate management is done centrally through the Consul -servers using the configured service mesh CA (Certificate Authority) provider. A CA provider -manages root and intermediate certificates and performs certificate signing -operations. The Consul leader orchestrates CA provider operations as necessary, -such as when a service needs a new certificate or during CA rotation events. +This page describes -The CA provider abstraction enables Consul to support multiple systems for -storing and signing certificates. Consul ships with a -[built-in CA](/consul/docs/connect/ca/consul) which generates and stores the -root certificate and private key on the Consul servers. Consul also has -support for using -[Vault as a CA](/consul/docs/connect/ca/vault). With Vault, the root certificate -and private key material remain with the Vault cluster. - -## CA and Certificate relationship - -This diagram shows the relationship between the CA certificates in a Consul primary datacenter and a -secondary Consul datacenter. - -![CA relationship](/img/cert-relationship.svg) - -Leaf certificates are created for two purposes: -- the Leaf Cert Service is used by envoy proxies in the mesh to perform mTLS with other -services. -- the Leaf Cert Client Agent is created by auto-encrypt and auto-config. It is used by -client agents for HTTP API TLS, and for mTLS for RPC requests to servers. - -Any secondary datacenters use their CA provider to generate an intermediate certificate -signing request (CSR) to be signed by the primary root CA. They receive an intermediate -CA certificate, which is used to sign leaf certificates in the secondary datacenter. - -You can use different providers across primary and secondary datacenters. -For example, an operator may use a Vault CA provider for extra security in the primary -datacenter but choose to use the built-in CA provider in the secondary datacenter, which -may not have a reachable Vault cluster. The following table compares the built-in and Vault providers. - -## CA Provider Comparison - -| | Consul built-in | Vault | -|------------|------------------------------------|-----------------------------------------------------------------------------------| -| Security | CA private keys are stored on disk | CA private keys are stored in Vault and are never exposed to Consul server agents | -| Resiliency | No dependency on external systems. If Consul is available, it can sign certificates | Dependent on Vault availability | -| Latency | Consul signs certificates locally | A network call to Vault is required to sign certificates | - -## CA Bootstrapping - -CA initialization happens automatically when a new Consul leader is elected -as long as -[service mesh is enabled](/consul/docs/connect/configuration#agent-configuration), -and the CA system has not already been initialized. This initialization process -will generate the initial root certificates and setup the internal Consul server -state. - -For the initial bootstrap, the CA provider can be configured through the -[Agent configuration](/consul/docs/agent/config/config-files#connect_ca_config). After -initialization, the CA can only be updated through the -[Update CA Configuration API endpoint](/consul/api-docs/connect/ca#update-ca-configuration). -If a CA is already initialized, any changes to the CA configuration in the -agent configuration file (including removing the configuration completely) -will have no effect. - -If no specific provider is configured when service mesh is enabled, the built-in -Consul CA provider will be used and a private key and root certificate will -be generated automatically. - -## Viewing Root Certificates - -Root certificates can be queried with the -[list CA Roots endpoint](/consul/api-docs/connect/ca#list-ca-root-certificates). -With this endpoint, you can see the list of currently trusted root certificates. -When a cluster first initializes, this will only list one trusted root. Multiple -roots may appear as part of -[rotation](#root-certificate-rotation). - -```shell-session -$ curl http://localhost:8500/v1/connect/ca/roots -{ - "ActiveRootID": "31:6c:06:fb:49:94:42:d5:e4:55:cc:2e:27:b3:b2:2e:96:67:3e:7e", - "TrustDomain": "36cb52cd-4058-f811-0432-6798a240c5d3.consul", - "Roots": [ - { - "ID": "31:6c:06:fb:49:94:42:d5:e4:55:cc:2e:27:b3:b2:2e:96:67:3e:7e", - "Name": "Consul CA Root Cert", - "SerialNumber": 7, - "SigningKeyID": "19:45:8b:30:a1:45:84:ae:23:52:db:8d:1b:ff:a9:09:db:fc:2a:72:39:ae:da:11:53:f4:37:5c:de:d1:68:d8", - "ExternalTrustDomain": "a1499528-fbf6-df7b-05e5-ae81e1873fc4", - "NotBefore": "2018-06-06T17:35:25Z", - "NotAfter": "2028-06-03T17:35:25Z", - "RootCert": "-----BEGIN CERTIFICATE-----\nMIICmDCCAj6gAwIBAgIBBzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtDb25zdWwg\nQ0EgNzAeFw0xODA2MDYxNzM1MjVaFw0yODA2MDMxNzM1MjVaMBYxFDASBgNVBAMT\nC0NvbnN1bCBDQSA3MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgo09lpx63bHw\ncSXeeoSpHpHgyzX1Q8ewJ3RUg6Ie8Howbs/QBz1y/kGxsF35HXij3YrqhgQyPPx4\nbQ8FH2YR4aOCAXswggF3MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/\nMGgGA1UdDgRhBF8xOTo0NTo4YjozMDphMTo0NTo4NDphZToyMzo1MjpkYjo4ZDox\nYjpmZjphOTowOTpkYjpmYzoyYTo3MjozOTphZTpkYToxMTo1MzpmNDozNzo1Yzpk\nZTpkMTo2ODpkODBqBgNVHSMEYzBhgF8xOTo0NTo4YjozMDphMTo0NTo4NDphZToy\nMzo1MjpkYjo4ZDoxYjpmZjphOTowOTpkYjpmYzoyYTo3MjozOTphZTpkYToxMTo1\nMzpmNDozNzo1YzpkZTpkMTo2ODpkODA/BgNVHREEODA2hjRzcGlmZmU6Ly8zNmNi\nNTJjZC00MDU4LWY4MTEtMDQzMi02Nzk4YTI0MGM1ZDMuY29uc3VsMD0GA1UdHgEB\n/wQzMDGgLzAtgiszNmNiNTJjZC00MDU4LWY4MTEtMDQzMi02Nzk4YTI0MGM1ZDMu\nY29uc3VsMAoGCCqGSM49BAMCA0gAMEUCIHl6UDdouw8Fzn/oDHputAxt3UFbVg/U\nvC6jWPuqqMwmAiEAkvMadtwjtNU7m/AQRJrj1LeG3eXw7dWO8SlI2fEs0yY=\n-----END CERTIFICATE-----\n", - "IntermediateCerts": null, - "Active": true, - "PrivateKeyType": "", - "PrivateKeyBits": 0, - "CreateIndex": 8, - "ModifyIndex": 8 - } - ] -} -``` - -## CA Configuration - -After initialization, the CA provider configuration can be viewed with the -[Get CA Configuration API endpoint](/consul/api-docs/connect/ca#get-ca-configuration). -Consul will filter sensitive values from this endpoint depending on the -provider in use, so the configuration may not be complete. - -```shell-session -$ curl http://localhost:8500/v1/connect/ca/configuration -{ - "Provider": "consul", - "Config": { - "LeafCertTTL": "72h", - "IntermediateCertTTL": "8760h" - }, - "CreateIndex": 5, - "ModifyIndex": 5 -} -``` - -The CA provider can be reconfigured using the -[Update CA Configuration API endpoint](/consul/api-docs/connect/ca#update-ca-configuration). -Specific options for reconfiguration can be found in the specific -CA provider documentation in the sidebar to the left. - -## Root Certificate Rotation +## Root certificate rotation Whenever the CA's configuration is updated in a way that causes the root key to change, a special rotation process will be triggered in order to smoothly @@ -241,23 +118,24 @@ Currently both Consul and Vault CA providers _do_ support cross signing. As more providers are added this documentation will list any that this section applies to. -### Recovering From Expired Certificates -If the built-in CA provider is misconfigured or unavailable, Consul service mesh requests eventually -stop functioning due to expiration of intermediate and root certificates. To recover manually, use the -[CLI helper](/consul/commands/tls/ca#consul-tls-ca-create) to generate CA certificates. +## Rotate TLS certificates for Consul on Kubernetes +As of Consul Helm version `0.29.0`, if TLS is enabled, new TLS certificates for the Consul Server +are issued every time the Helm chart is upgraded. These certificates are signed by the same CA and will +continue to work as expected in the existing cluster. -#### Example - Regenerating the built in CA -```shell-session -$ consul tls ca create -cluster-id test -common-name "Consul Agent CA" -days=365 -domain consul - ==> Saved consul-agent-ca.pem - ==> Saved consul-agent-ca-key.pem -``` -The example above generates a new CA with a validity of 365 days. The cluster-id argument is specific -to each cluster and can be looked up by examining the `TrustDomain` field in -the [List CA Roots](/consul/api-docs/connect/ca#list-ca-root-certificates) endpoint. +Consul servers read the certificates from Kubernetes secrets during start-up and keep them in memory. In order to ensure the +servers use the newer certificate, the server pods need to be [restarted explicitly](/consul/docs/upgrade/k8s#upgrading-consul-servers) in +a situation where `helm upgrade` does not restart the server pods. + +To explicitly perform server certificate rotation, follow these steps: + +1. Perform a `helm upgrade`: + + ```shell-session + $ helm upgrade consul hashicorp/consul --values /path/to/my/values.yaml + ``` + + This should run the `tls-init` job that will generate new Server certificates. -The contents of the generated cert and private key files from the above step should then be used with -the [Update CA Configuration](/consul/api-docs/connect/ca#update-ca-configuration) endpoint. Once the CA configuration is -updated on the primary datacenter, all secondary datacenters will pick up the changes and regenerate their intermediate -and leaf certificates, after which any new requests that require certificate verification will succeed. +1. Restart the Server pods following the steps [here](/consul/docs/upgrade/k8s#upgrading-consul-servers). diff --git a/website/content/docs/connect/ca/vault.mdx b/website/content/docs/secure-mesh/certificate/vault.mdx similarity index 95% rename from website/content/docs/connect/ca/vault.mdx rename to website/content/docs/secure-mesh/certificate/vault.mdx index a172a693a04..6d464339470 100644 --- a/website/content/docs/connect/ca/vault.mdx +++ b/website/content/docs/secure-mesh/certificate/vault.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Service Mesh Certificate Authority - Vault +page_title: Use Vault as a service mesh certificate authority description: >- You can use a Vault PKI secrets engine as the Consul service mesh's certificate authority to secure your service mesh. Learn how to configure the Vault CA as a root CA or an intermediate CA connected to an existing PKI system, and how to manage PKI paths with either Vault or Consul. --- -# Vault as a Service Mesh Certificate Authority +# Use Vault as a service mesh certificate authority You can configure Consul to use [Vault](/vault) as the certificate authority (CA) so that Vault can manage and sign certificates distributed to services in the mesh. The Vault CA provider uses the [Vault PKI secrets engine](/vault/docs/secrets/pki) to generate and sign certificates. @@ -21,22 +21,17 @@ This page describes how configure the Vault CA provider. ## Recommendations -- Refer to [Service Mesh Certificate Authority Overview](/consul/docs/connect/ca) for important background information about how Consul manages certificates with configurable CA providers. +- Refer to [Service Mesh Certificate Authority Overview](/consul/docs/secure-mesh/certificate) for important background information about how Consul manages certificates with configurable CA providers. - For best performance and resiliency, every datacenter should have a Vault cluster local to its Consul cluster. - If your Consul datacenters are WAN-federated and the secondary datacenter uses Vault Enterprise [performance secondaries](/vault/docs/enterprise/replication#performance-replication), we recommend - configuring [`local`](/vault/docs/enterprise/replication#local) mounts for their [`intermediate_pki_path`](/consul/docs/connect/ca/vault#intermediatepkipath). + configuring [`local`](/vault/docs/enterprise/replication#local) mounts for their [`intermediate_pki_path`](/consul/docs/secure-mesh/certificate/vault#intermediatepkipath). ## Enable Vault as the CA -You can enable Vault as the CA by configuring Consul to use `"vault"` as the CA provider -and including the required provider configuration options. -You can provide the CA configuration in the server agents' configuration file -or in the body of a `PUT` request to the -[`/connect/ca/configuration`](/consul/api-docs/connect/ca#update-ca-configuration) API endpoint. -Refer to the [Configuration Reference](#configuration-reference) for details about configuration options and for example use cases. +You can enable Vault as the CA by configuring Consul to use `"vault"` as the CA provider and including the required provider configuration options. You can provide the CA configuration in the server agents' configuration file or in the body of a `PUT` request to the [`/connect/ca/configuration`](/consul/api-docs/connect/ca#update-ca-configuration) API endpoint. Refer to the [Configuration Reference](#configuration-reference) for details about configuration options and for example use cases. The following example shows the required configurations for a default implementation: diff --git a/website/content/docs/secure-mesh/index.mdx b/website/content/docs/secure-mesh/index.mdx new file mode 100644 index 00000000000..ef7181fcad6 --- /dev/null +++ b/website/content/docs/secure-mesh/index.mdx @@ -0,0 +1,36 @@ +--- +layout: docs +page_title: Secure service mesh overview +description: >- + This topic provides an overview of Consul's features for securing service mesh communication, including a built-in mTLS certificate authority (CA) and service intentions. +--- + +# Secure service mesh overview + +This topic provides an overview for securing service-to-service communication within a service mesh using Consul. You can configure an mTLS certificate authority and intentions based on service identity to secure intra-mesh communication. + +For information about gossip encryption and securing your Consul deployment with the Access Control List (ACL) system, refer to [Secure Consul](/consul/secure) in the Consul Operations section. + +## Introduction + +With Consul, a fully configured service mesh is one that enforces _zero-trust security_ by securing service-to-service communication in the following ways: + +- Sidecar proxies encrypt and decrypt a service's traffic using an mTLS certificate signed by Consul +- Sidecar proxies deny incoming requests by default +- Sidecar proxies authorize incoming requests according to explicitly defined service intentions + +## Certificate authority + +@include 'text/descriptions/certificate-authority.mdx' + +## Service intentions + +@include 'text/descriptions/service-intentions.mdx' + +## Guidance + +@include 'text/guidance/secure-mesh.mdx' + +### Constraints, limitations, and troubleshooting + +@include 'text/limitations/secure-mesh.mdx' diff --git a/website/content/docs/connect/intentions/create-manage-intentions.mdx b/website/content/docs/secure-mesh/intention/create.mdx similarity index 62% rename from website/content/docs/connect/intentions/create-manage-intentions.mdx rename to website/content/docs/secure-mesh/intention/create.mdx index 46ec146824f..a563ed2da24 100644 --- a/website/content/docs/connect/intentions/create-manage-intentions.mdx +++ b/website/content/docs/secure-mesh/intention/create.mdx @@ -11,20 +11,20 @@ This topic describes how to create and manage service intentions, which are conf ## Overview -You can create single intentions or create them in batches using the Consul API, CLI, or UI. You can also define a service intention configuration entry that sets default intentions for all services in the mesh. Refer to [Service intentions overview](/consul/docs/connect/intentions/) for additional background information about intentions. +You can create single intentions or create them in batches using the Consul API, CLI, or UI. You can also define a service intention configuration entry that sets default intentions for all services in the mesh. Refer to [Service intentions overview](/consul/docs/secure-mesh/intentions/) for additional background information about intentions. ## Requirements - At least two services must be registered in the datacenter. -- TLS must be enabled to enforce L4 intentions. Refer to [Encryption](/consul/docs/security/encryption) for additional information. +- TLS must be enabled to enforce L4 intentions. Refer to [Encryption](/consul/docs/secure-consul/encryption) for additional information. ### ACL requirements Consul grants permissions for creating and managing intentions based on the destination, not the source. When ACLs are enabled, services and operators must present a token linked to a policy that grants read and write permissions to the destination service. -Consul implicitly grants `intentions:read` permissions to destination services when they are configured with `service:read` or `service:write` permissions. This is so that the services can allow or deny inbound connections when they attempt to join the service mesh. Refer to [Service rules](/consul/docs/security/acl/acl-rules#service-rules) for additional information about configuring ACLs for intentions. +Consul implicitly grants `intentions:read` permissions to destination services when they are configured with `service:read` or `service:write` permissions. This is so that the services can allow or deny inbound connections when they attempt to join the service mesh. Refer to [Service rules](/consul/docs/secure-consul/acl/rules#service-rules) for additional information about configuring ACLs for intentions. -The default ACL policy configuration determines the default behavior for intentions. If the policy is set to `deny`, then all connections or requests are denied and you must enable them explicitly. Refer to [`default_policy`](/consul/docs/agent/config/config-files#acl_default_policy) for details. +The default ACL policy configuration determines the default behavior for intentions. If the policy is set to `deny`, then all connections or requests are denied and you must enable them explicitly. Refer to [`default_policy`](/consul/docs/reference/agent#acl_default_policy) for details. ## Create an intention @@ -76,7 +76,7 @@ For L7 intentions, specify the `Permissions` in the request payload to configure -The `Permissions` object specifies a list of permissions for L7 traffic sources. The list contains one or more actions and a set of match criteria for each action. Refer to the [`Sources[].Permissions[]` parameter](/consul/docs/connect/config-entries/service-intentions#sources-permissions) in the service intentions configuration entry reference for configuration details. +The `Permissions` object specifies a list of permissions for L7 traffic sources. The list contains one or more actions and a set of match criteria for each action. Refer to the [`Sources[].Permissions[]` parameter](/consul/docs/reference/config-entry/service-intention#sources-permissions) in the service intentions configuration entry reference for configuration details. To apply the intention, call the endpoint and pass the configuration file containing the attributes to the endpoint: @@ -99,7 +99,7 @@ The following example creates an intention that allows `web` service instances t $ consul intention create -allow web db ``` -You can use the asterisk (`*`) wildcard to specify multiple destination services. Refer to [Precedence and match order](/consul/docs/connect/intentions/create-manage-intentions#precedence-and-match-order) for additional information. +You can use the asterisk (`*`) wildcard to specify multiple destination services. Refer to [Precedence and match order](/consul/docs/secure-mesh/intentions/create#precedence-and-match-order) for additional information. ### Consul UI @@ -121,7 +121,7 @@ You can use the Consul UI to configure L7 permissions. 1. Click **Add permission** to open the permission editor. 1. Enable the **Allow** or **Deny** option. -1. You can specify a path, request method, and request headers to match. All criteria must be satisfied for Consul to enforce the permission. Refer to the [`Sources[].Permissions[]` parameter](/consul/docs/connect/config-entries/service-intentions#sources-permissions) in the service intentions configuration entry reference for information about the available configuration fields. +1. You can specify a path, request method, and request headers to match. All criteria must be satisfied for Consul to enforce the permission. Refer to the [`Sources[].Permissions[]` parameter](/consul/docs/reference/config-entry/service-intention#sources-permissions) in the service intentions configuration entry reference for information about the available configuration fields. 1. Click **Save**. Repeat the procedure as necessary to create additional permissions. @@ -138,35 +138,35 @@ Configure the following fields: -- [`Kind`](/consul/docs/connect/config-entries/service-intentions#kind): Declares the type of configuration entry. Must be set to `service-intentions`. -- [`Name`](/consul/docs/connect/config-entries/service-intentions#kind): Specifies the name of the destination service for intentions defined in the configuration entry. You can use a wildcard character (*) to set L4 intentions for all services that are not protected by specific intentions. Wildcards are not supported for L7 intentions. -- [`Sources`](/consul/docs/connect/config-entries/service-intentions#sources): Specifies an unordered list of all intention sources and the authorizations granted to those sources. Consul stores and evaluates the list in reverse order sorted by intention precedence. -- [`Sources.Action`](/consul/docs/connect/config-entries/service-intentions#sources-action) or [`Sources.Permissions`](/consul/docs/connect/config-entries/service-intentions#sources-permissions): For L4 intentions, set the `Action` field to "allow" or "deny" so that Consul can enforce intentions that match the source service. For L7 intentions, configure the `Permissions` settings, which define a set of application-aware attributes for dynamically matching incoming requests. The `Actions` and `Permissions` settings are mutually exclusive. +- [`Kind`](/consul/docs/reference/config-entry/service-intention#kind): Declares the type of configuration entry. Must be set to `service-intentions`. +- [`Name`](/consul/docs/reference/config-entry/service-intention#kind): Specifies the name of the destination service for intentions defined in the configuration entry. You can use a wildcard character (*) to set L4 intentions for all services that are not protected by specific intentions. Wildcards are not supported for L7 intentions. +- [`Sources`](/consul/docs/reference/config-entry/service-intention#sources): Specifies an unordered list of all intention sources and the authorizations granted to those sources. Consul stores and evaluates the list in reverse order sorted by intention precedence. +- [`Sources.Action`](/consul/docs/reference/config-entry/service-intention#sources-action) or [`Sources.Permissions`](/consul/docs/reference/config-entry/service-intention#sources-permissions): For L4 intentions, set the `Action` field to "allow" or "deny" so that Consul can enforce intentions that match the source service. For L7 intentions, configure the `Permissions` settings, which define a set of application-aware attributes for dynamically matching incoming requests. The `Actions` and `Permissions` settings are mutually exclusive. -- [`apiVersion`](/consul/docs/connect/config-entries/service-intentions#apiversion): Specifies the Consul API version. Must be set to `consul.hashicorp.com/v1alpha1`. -- [`kind`](/consul/docs/connect/config-entries/service-intentions#kind): Declares the type of configuration entry. Must be set to `ServiceIntentions`. -- [`spec.destination.name`](/consul/docs/connect/config-entries/service-intentions#spec-destination-name): Specifies the name of the destination service for intentions defined in the configuration entry. You can use a wildcard character (*) to set L4 intentions for all services that are not protected by specific intentions. Wildcards are not supported for L7 intentions. -- [`spec.sources`](/consul/docs/connect/config-entries/service-intentions#spec-sources): Specifies an unordered list of all intention sources and the authorizations granted to those sources. Consul stores and evaluates the list in reverse order sorted by intention precedence. -- [`spec.sources.action`](/consul/docs/connect/config-entries/service-intentions#spec-sources-action) or [`spec.sources.permissions`](/consul/docs/connect/config-entries/service-intentions#spec-sources-permissions): For L4 intentions, set the `action` field to "allow" or "deny" so that Consul can enforce intentions that match the source service. For L7 intentions, configure the `permissions` settings, which define a set of application-aware attributes for dynamically matching incoming requests. The `actions` and `permissions` settings are mutually exclusive. +- [`apiVersion`](/consul/docs/reference/config-entry/service-intention#apiversion): Specifies the Consul API version. Must be set to `consul.hashicorp.com/v1alpha1`. +- [`kind`](/consul/docs/reference/config-entry/service-intention#kind): Declares the type of configuration entry. Must be set to `ServiceIntentions`. +- [`spec.destination.name`](/consul/docs/reference/config-entry/service-intention#spec-destination-name): Specifies the name of the destination service for intentions defined in the configuration entry. You can use a wildcard character (*) to set L4 intentions for all services that are not protected by specific intentions. Wildcards are not supported for L7 intentions. +- [`spec.sources`](/consul/docs/reference/config-entry/service-intention#spec-sources): Specifies an unordered list of all intention sources and the authorizations granted to those sources. Consul stores and evaluates the list in reverse order sorted by intention precedence. +- [`spec.sources.action`](/consul/docs/reference/config-entry/service-intention#spec-sources-action) or [`spec.sources.permissions`](/consul/docs/reference/config-entry/service-intention#spec-sources-permissions): For L4 intentions, set the `action` field to "allow" or "deny" so that Consul can enforce intentions that match the source service. For L7 intentions, configure the `permissions` settings, which define a set of application-aware attributes for dynamically matching incoming requests. The `actions` and `permissions` settings are mutually exclusive. -Refer to the [service intentions configuration entry](/consul/docs/connect/config-entries/service-intentions) reference documentation for details about all configuration options. +Refer to the [service intentions configuration entry](/consul/docs/reference/config-entry/service-intention) reference documentation for details about all configuration options. -Refer to the [example service intentions configurations](/consul/docs/connect/config-entries/service-intentions#examples) for additional guidance. +Refer to the [example service intentions configurations](/consul/docs/reference/config-entry/service-intention#examples) for additional guidance. #### Interaction with other configuration entries L7 intentions defined in a configuration entry are restricted to destination services configured with an HTTP-based protocol as defined in a corresponding -[service defaults configuration entry](/consul/docs/connect/config-entries/service-defaults) -or globally in a [proxy defaults configuration entry](/consul/docs/connect/config-entries/proxy-defaults). +[service defaults configuration entry](/consul/docs/reference/config-entry/service-default) +or globally in a [proxy defaults configuration entry](/consul/docs/reference/config-entry/proxy-defaults). ### Apply the service intentions configuration entry diff --git a/website/content/docs/connect/intentions/index.mdx b/website/content/docs/secure-mesh/intention/index.mdx similarity index 82% rename from website/content/docs/connect/intentions/index.mdx rename to website/content/docs/secure-mesh/intention/index.mdx index 8d6364638a0..f0924214f12 100644 --- a/website/content/docs/connect/intentions/index.mdx +++ b/website/content/docs/secure-mesh/intention/index.mdx @@ -17,30 +17,26 @@ Intentions control traffic communication between services at the network layer, ### L4 traffic intentions -If the destination service uses TCP or any non-HTTP-based protocol, then intentions can control traffic based on identities encoded in mTLS certificates. Refer to [Mutual transport layer security (mTLS)](/consul/docs/connect/connect-internals#mutual-transport-layer-security-mtls) for additional information. +If the destination service uses TCP or any non-HTTP-based protocol, then intentions can control traffic based on identities encoded in mTLS certificates. Refer to [Mutual transport layer security (mTLS)](/consul/docs/concepts/service-mesh#mutual-transport-layer-security-mtls) for additional information. This implementation allows broad all-or-nothing access control between pairs of services. The only requirement is that the service is aware of the TLS handshake that wraps the opaque TCP connection. ### L7 traffic intentions -If the destination service uses an HTTP-based protocol, then intentions can enforce access based on application-aware request attributes, in addition to identity-based enforcement, to control traffic between services. Refer to [Service intentions configuration reference](/consul/docs/connect/config-entries/service-intentions#permissions) for additional information. +If the destination service uses an HTTP-based protocol, then intentions can enforce access based on application-aware request attributes, in addition to identity-based enforcement, to control traffic between services. Refer to [Service intentions configuration reference](/consul/docs/reference/config-entry/service-intention#permissions) for additional information. ## Workflow -You can manually create intentions from the Consul UI, API, or CLI. You can also enable Consul to dynamically create them by defining traffic routes in service intention configuration entries. Refer to [Create and manage intentions](/consul/docs/connect/intentions/create-manage-intentions) for details. +You can manually create intentions from the Consul UI, API, or CLI. You can also enable Consul to dynamically create them by defining traffic routes in service intention configuration entries. Refer to [Create and manage intentions](/consul/docs/secure-mesh/intentions/create) for details. ### Enforcement -The [proxy](/consul/docs/connect/proxies) or [natively-integrated +The [proxy](/consul/docs/connect/proxy) or [natively-integrated application](/consul/docs/connect/native) enforces intentions on inbound connections or requests. Only one intention can control authorization between a pair of services at any single point in time. L4 intentions mediate the ability to establish new connections. Modifying an intention does not have an effect on existing connections. As a result, changing a connection from `allow` to `deny` does not sever the connection. -L7 intentions mediate the ability to issue new requests. When an intention is modified, requests received after the modification use the latest intention rules to enforce access. Changing a connection from `allow` to `deny` does not sever the connection, but doing so blocks new requests from being processed. - -When using L7 intentions, we recommend that you review and update the [Mesh request normalization configuration](/consul/docs/connect/security#request-normalization-and-configured) to avoid unintended match rule circumvention. More details are available in the [Mesh configuration entry reference](/consul/docs/connect/config-entries/mesh#request-normalization). - -When you use L7 intentions with header matching and it is possible for a header to contain multiple values, we recommend using `contains` or `regex` instead of `exact`, `prefix`, or `suffix`. For more information, refer to the [service intentions configuration entry reference](/consul/docs/connect/config-entries/service-intentions#spec-sources-permissions-http-header). +L7 intentions mediate the ability to issue new requests. When an intention is modified, requests received after the modification use the latest intention rules to enforce access. Changing a connection from `allow` to `deny` does not sever the connection, but doing so blocks new requests from being processed. ### Caching @@ -58,7 +54,7 @@ Services should periodically call the [intention match API](/consul/api-docs/con ## Precedence and match order -Consul processes criteria defined in the service intention configuration entry to match incoming requests. When Consul finds a match, it applies the corresponding action specified in the configuration entry. The match criteria may include specific HTTP headers, request methods, or other attributes. Additionally, you can use regular expressions to programmatically match attributes. Refer to [Service intention configuration entry reference](/consul/docs/connect/config-entries/service-intentions) for details. +Consul processes criteria defined in the service intention configuration entry to match incoming requests. When Consul finds a match, it applies the corresponding action specified in the configuration entry. The match criteria may include specific HTTP headers, request methods, or other attributes. Additionally, you can use regular expressions to programmatically match attributes. Refer to [Service intention configuration entry reference](/consul/docs/reference/config-entry/service-intention) for details. Consul orders the matches based the following factors: @@ -80,7 +76,7 @@ The following table shows match precedence in descending order: | 1 | `*` | `*` | `*` | `*` | Consul prints the precedence value to the service intentions configuration entry after it processes the matching criteria. The value is read-only. Refer to -[`Precedence`](/consul/docs/connect/config-entries/service-intentions#precedence) for additional information. +[`Precedence`](/consul/docs/reference/config-entry/service-intention#precedence) for additional information. Namespaces are an Enterprise feature. In Consul CE, the only allowable value for either namespace field is `"default"`. Other rows in the table are not applicable. @@ -90,6 +86,6 @@ target destination. After verifying the TLS client certificate, the cached intentions should be consulted for each incoming connection/request to determine if it should be accepted or rejected. -The default intention behavior is defined by the [`default_policy`](/consul/docs/agent/config/config-files#acl_default_policy) configuration. +The default intention behavior is defined by the [`default_policy`](/consul/docs/reference/agent#acl_default_policy) configuration. If the configuration is set `allow`, then all service-to-service connections in the mesh will be allowed by default. If is set to `deny`, then all connections or requests will be denied by default. diff --git a/website/content/docs/connect/intentions/jwt-authorization.mdx b/website/content/docs/secure-mesh/intention/jwt.mdx similarity index 88% rename from website/content/docs/connect/intentions/jwt-authorization.mdx rename to website/content/docs/secure-mesh/intention/jwt.mdx index 1c1c0f994e8..6b471d9335a 100644 --- a/website/content/docs/connect/intentions/jwt-authorization.mdx +++ b/website/content/docs/secure-mesh/intention/jwt.mdx @@ -1,14 +1,14 @@ --- -page_title: JWT authorization overview +page_title: Use JWT authorization with service intentions description: |- Consul can use service mesh proxies to check and validate JSON Web Tokens (JWT) to enable additional identify-based access security for both human and machine users. Learn how to configure a JWT provider configuration entry and a service intentions configuration entry to authorize requests. --- # Use JWT authorization with service intentions -JSON Web Tokens (JWT) are a method for identity-based access to services for both humans and machines. The [JWT provider configuration entry](/consul/docs/connect/config-entries/jwt-provider) enables you to define JWTs as part of a JSON Web Key Set (JWKS), which contains the information necessary for Consul to validate access and configure behavior for requests that include JWTs. +JSON Web Tokens (JWT) are a method for identity-based access to services for both humans and machines. The [JWT provider configuration entry](/consul/docs/reference/config-entry/jwt-provider) enables you to define JWTs as part of a JSON Web Key Set (JWKS), which contains the information necessary for Consul to validate access and configure behavior for requests that include JWTs. -By specifying a JSON Web Key Set (JWKS) in the configuration entry and referencing the key set in a service intention, Consul can enforce service intentions based on the presence of a JWT. This security configuration is not related to the [JSON Web Token Auth Method](/consul/docs/security/acl/auth-methods/jwt), which associates JWTs with the Consul ACLs instead of service intentions. +By specifying a JSON Web Key Set (JWKS) in the configuration entry and referencing the key set in a service intention, Consul can enforce service intentions based on the presence of a JWT. This security configuration is not related to the [JSON Web Token Auth Method](/consul/docs/secure-consul/acl/auth-methods/jwt), which associates JWTs with the Consul ACLs instead of service intentions. ## Workflow @@ -20,7 +20,7 @@ The process to configure your network to enforce service intentions based on JSO ### Wildcards and intention defaults -Because intentions without tokens are authorized when they arrive at the destination proxy, a [common pattern for the service-intentions configuration entry](/consul/docs/connect/config-entries/service-intentions#l4-intentions-for-all-destinations) sets the entry’s `Name` field as a wildcard, `*`. This pattern enables you to apply incoming requests from specific services to every service in the datacenter. +Because intentions without tokens are authorized when they arrive at the destination proxy, a [common pattern for the service-intentions configuration entry](/consul/docs/reference/config-entry/service-intention#l4-intentions-for-all-destinations) sets the entry’s `Name` field as a wildcard, `*`. This pattern enables you to apply incoming requests from specific services to every service in the datacenter. When configuring your deployment to enforce service intentions with JSON Web Tokens, it is possible for multiple tokens with different permissions to apply to a single service’s incoming request based on attributes such as HTTP path or the request method. Because the `service-intentions` configuration entry applies the intention that most closely matches the request, using the `Name` wildcard with specific JWT authorization configurations can lead to unintended results. @@ -72,7 +72,7 @@ Forwarding = { } ``` -Refer to [JWT provider configuration entry](/consul/docs/connect/config-entries/jwt-provider) for more information about the fields you can configure. +Refer to [JWT provider configuration entry](/consul/docs/reference/config-entry/jwt-provider) for more information about the fields you can configure. To write the configuration entry to Consul, use the [`consul config write` command](/consul/commands/config/write): @@ -96,7 +96,7 @@ JWT = { } ``` -You can include additional configuration information to require the token to match specific claims. You can also configure the `JWT` field to apply only to requests that come from certain HTTP paths. Refer to [JWT validations with intentions](/consul/docs/connect/config-entries/service-intentions#jwt-validations-with-intentions) for an example configuration. +You can include additional configuration information to require the token to match specific claims. You can also configure the `JWT` field to apply only to requests that come from certain HTTP paths. Refer to [JWT validations with intentions](/consul/docs/reference/config-entry/service-intention#jwt-validations-with-intentions) for an example configuration. After you update the service intention, write the configuration to Consul so that it takes effect: diff --git a/website/content/docs/secure-mesh/k8s.mdx b/website/content/docs/secure-mesh/k8s.mdx new file mode 100644 index 00000000000..5bdf0db444a --- /dev/null +++ b/website/content/docs/secure-mesh/k8s.mdx @@ -0,0 +1,48 @@ +--- +layout: docs +page_title: Secure service mesh on Kubernetes overview +description: >- + This topic provides an overview of Consul's features for securing service mesh communication when running Consul on Kubernetes (k8s). Consul enforces zero-trust security using a built-in mTLS certificate authority (CA) and service intentions. +--- + +# Secure service mesh overview + +This topic provides an overview for securing service-to-service communication within a service mesh when running Consul on Kubernetes. You can configure an mTLS certificate authority and intentions based on service identity to secure intra-mesh communication. + +For information about gossip encryption and securing your Consul deployment with the Access Control List (ACL) system, refer to [Secure Consul](/consul/secure) in the Consul Operations section. + +## Introduction + +With Consul, a fully configured service mesh is one that enforces _zero-trust security_ by securing service-to-service communication in the following ways: + +- Sidecar proxies encrypt and decrypt a service's traffic using an mTLS certificate signed by Consul +- Sidecar proxies deny incoming requests by default +- Sidecar proxies authorize incoming requests according to explicitly defined service intentions + +## Certificate authority + +@include 'text/descriptions/certificate-authority.mdx' + +## Service intentions + +@include 'text/descriptions/service-intentions.mdx' + +## Traffic Permissions + +@include 'text/descriptions/v2/traffic-permissions.mdx' + +## Tutorials + +To learn more about the workflows described in this topic, refer to the [Securely connect your services with Consul service mesh on Kubernetes tutorial](/consul/tutorials/get-started-kubernetes/kubernetes-gs-service-mesh). + +## Reference documentation + +For reference material related to Consul's service mesh security options on Kubernetes, refer to the following pages: + +- [Helm chart reference](/consul/docs/reference/k8s/helm) +- [`ServiceIntentions` custom resource definition (CRD) reference](/consul/docs/reference/config-entry/service-intentions) +- [`TrafficPermissions` v2 resource reference](/consul/docs/resource/trafficpermissions) + +### Constraints, limitations, and troubleshooting + +@include 'text/limitations/secure-mesh.mdx' diff --git a/website/content/docs/secure-mesh/vm.mdx b/website/content/docs/secure-mesh/vm.mdx new file mode 100644 index 00000000000..8728150a37c --- /dev/null +++ b/website/content/docs/secure-mesh/vm.mdx @@ -0,0 +1,47 @@ +--- +layout: docs +page_title: Secure service mesh overview +description: >- + This topic provides an overview of Consul's features for securing service mesh communication when running Consul on virtual machines (VMs). Consul enforces zero-trust security using a built-in mTLS certificate authority (CA) and service intentions. +--- + +# Secure service mesh on VMs overview + +This topic provides an overview for securing service-to-service communication within a service mesh when running Consul on VMs. You can configure an mTLS certificate authority and intentions based on service identity to secure intra-mesh communication. + +For information about gossip encryption and securing your Consul deployment with the Access Control List (ACL) system, refer to [Secure Consul](/consul/secure) in the Consul Operations section. + +## Introduction + +With Consul, a fully configured service mesh is one that enforces _zero-trust security_ by securing service-to-service communication in the following ways: + +- Sidecar proxies encrypt and decrypt a service's traffic using an mTLS certificate signed by Consul +- Sidecar proxies deny incoming requests by default +- Sidecar proxies authorize incoming requests according to explicitly defined service intentions + +## Certificate authority + +@include 'text/descriptions/certificate-authority.mdx' + +## Service intentions + +@include 'text/descriptions/service-intentions.mdx' + +## Tutorials + +To learn more about the workflows described in this topic, refer to the [Securely connect your services with Consul service mesh on VMs tutorial](/consul/tutorials/get-started-vms/virtual-machine-gs-service-mesh). + +## Reference documentation + +For reference material related to Consul's service mesh security options on VMs, refer to the following pages: + +- [`/connect/ca` HTTP API endpoint reference](/consul/api-docs/connect/ca) +- [`/connect/intentions` HTTP API endpoint reference](/consul/api-docs/connect/intentions) +- [`consul connect ca` CLI command reference](/consul/commands/connect/ca) +- [`consul intention` CLI command reference](/consul/commands/intention) +- [Consul agent configuration reference](/consul/docs/reference/agent) +- [`service-intentions` configuration entry reference](/consul/docs/reference/config-entry/service-intentions) + +### Constraints, limitations, and troubleshooting + +@include 'text/limitations/secure-mesh.mdx' \ No newline at end of file diff --git a/website/content/docs/security/acl/auth-methods/aws-iam.mdx b/website/content/docs/secure/acl/auth-method/aws-iam.mdx similarity index 99% rename from website/content/docs/security/acl/auth-methods/aws-iam.mdx rename to website/content/docs/secure/acl/auth-method/aws-iam.mdx index bf4433a1a18..467db3201a0 100644 --- a/website/content/docs/security/acl/auth-methods/aws-iam.mdx +++ b/website/content/docs/secure/acl/auth-method/aws-iam.mdx @@ -14,7 +14,7 @@ a Consul token. This page assumes general knowledge of [AWS IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) and the concepts described in the main [auth method -documentation](/consul/docs/security/acl/auth-methods). +documentation](/consul/docs/secure-consul/acl/auth-methods). ## Overview diff --git a/website/content/docs/security/acl/auth-methods/index.mdx b/website/content/docs/secure/acl/auth-method/index.mdx similarity index 88% rename from website/content/docs/security/acl/auth-methods/index.mdx rename to website/content/docs/secure/acl/auth-method/index.mdx index decab071088..0b2592a4b27 100644 --- a/website/content/docs/security/acl/auth-methods/index.mdx +++ b/website/content/docs/secure/acl/auth-method/index.mdx @@ -34,10 +34,10 @@ with minimal operator intervention. | Types | Consul Version | | ------------------------------------------------- | --------------------------------- | -| [`kubernetes`](/consul/docs/security/acl/auth-methods/kubernetes) | 1.5.0+ | -| [`jwt`](/consul/docs/security/acl/auth-methods/jwt) | 1.8.0+ | -| [`oidc`](/consul/docs/security/acl/auth-methods/oidc) | 1.8.0+ | -| [`aws-iam`](/consul/docs/security/acl/auth-methods/aws-iam) | 1.12.0+ | +| [`kubernetes`](/consul/docs/secure-consul/acl/auth-methods/kubernetes) | 1.5.0+ | +| [`jwt`](/consul/docs/secure-consul/acl/auth-methods/jwt) | 1.8.0+ | +| [`oidc`](/consul/docs/secure-consul/acl/auth-methods/oidc) | 1.8.0+ | +| [`aws-iam`](/consul/docs/secure-consul/acl/auth-methods/aws-iam) | 1.12.0+ | ## Operator Configuration @@ -59,7 +59,7 @@ using the API or command line before they can be used by applications. endpoints](/consul/api-docs/acl/binding-rules). -> **Note** - To configure auth methods in any connected secondary datacenter, -[ACL token replication](/consul/docs/agent/config/config-files#acl_enable_token_replication) +[ACL token replication](/consul/docs/reference/agent#acl_enable_token_replication) must be enabled. Auth methods require the ability to create local tokens which is restricted to the primary datacenter and any secondary datacenters with ACL token replication enabled. @@ -67,8 +67,8 @@ token replication enabled. ## Binding Rules Binding rules allow an operator to express a systematic way of automatically -linking [roles](/consul/docs/security/acl/acl-roles) and [service -identities](/consul/docs/security/acl/acl-roles#service-identities) to newly created +linking [roles](/consul/docs/reference/acl/rule) and [service +identities](/consul/docs/reference/acl/rule#service-identities) to newly created tokens without operator intervention. Successful authentication with an auth method returns a set of trusted @@ -86,8 +86,8 @@ Each binding rule is composed of two portions: `"serviceaccount.namespace==default and serviceaccount.name!=vault"` - **Bind Type and Name** - A binding rule can bind a token to a - [role](/consul/docs/security/acl/acl-roles) or to a [service - identity](/consul/docs/security/acl/acl-roles#service-identities) by name. The name + [role](/consul/docs/reference/acl/rule) or to a [service + identity](/consul/docs/reference/acl/rule#service-identities) by name. The name can be specified with a plain string or the bind name can be lightly templated using [HIL syntax](https://github.com/hashicorp/hil) to interpolate the same values that are usable by the `Selector` syntax. For example: diff --git a/website/content/docs/security/acl/auth-methods/jwt.mdx b/website/content/docs/secure/acl/auth-method/jwt.mdx similarity index 96% rename from website/content/docs/security/acl/auth-methods/jwt.mdx rename to website/content/docs/secure/acl/auth-method/jwt.mdx index c019ad18ff0..13f76e12013 100644 --- a/website/content/docs/security/acl/auth-methods/jwt.mdx +++ b/website/content/docs/secure/acl/auth-method/jwt.mdx @@ -15,10 +15,10 @@ cryptographically verified using locally-provided keys, or, if configured, an OIDC Discovery service can be used to fetch the appropriate keys. This page assumes general knowledge of JWTs and the concepts described in the -main [auth method documentation](/consul/docs/security/acl/auth-methods). +main [auth method documentation](/consul/docs/secure-consul/acl/auth-methods). -Both the [`jwt`](/consul/docs/security/acl/auth-methods/jwt) and the -[`oidc`](/consul/docs/security/acl/auth-methods/oidc) auth method types allow additional +Both the [`jwt`](/consul/docs/secure-consul/acl/auth-methods/jwt) and the +[`oidc`](/consul/docs/secure-consul/acl/auth-methods/oidc) auth method types allow additional processing of the claims data in the JWT. @include 'jwt_or_oidc.mdx' diff --git a/website/content/docs/security/acl/auth-methods/kubernetes.mdx b/website/content/docs/secure/acl/auth-method/k8s.mdx similarity index 96% rename from website/content/docs/security/acl/auth-methods/kubernetes.mdx rename to website/content/docs/secure/acl/auth-method/k8s.mdx index a5505f5d0ba..e12fc970a24 100644 --- a/website/content/docs/security/acl/auth-methods/kubernetes.mdx +++ b/website/content/docs/secure/acl/auth-method/k8s.mdx @@ -15,7 +15,7 @@ easy to introduce a Consul token into a Kubernetes pod. This page assumes general knowledge of [Kubernetes](https://kubernetes.io/) and the concepts described in the main [auth method -documentation](/consul/docs/security/acl/auth-methods). +documentation](/consul/docs/secure-consul/acl/auth-methods). ## Config Parameters @@ -75,7 +75,7 @@ parameters are required to properly configure an auth method of type ## RBAC The Kubernetes service account corresponding to the configured -[`ServiceAccountJWT`](/consul/docs/security/acl/auth-methods/kubernetes#serviceaccountjwt) +[`ServiceAccountJWT`](/consul/docs/secure-consul/acl/auth-methods/kubernetes#serviceaccountjwt) needs to have access to two Kubernetes APIs: - [**TokenReview**](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) @@ -135,7 +135,7 @@ roleRef: ## Kubernetes Authentication Details Initially the -[`ServiceAccountJWT`](/consul/docs/security/acl/auth-methods/kubernetes#serviceaccountjwt) +[`ServiceAccountJWT`](/consul/docs/secure-consul/acl/auth-methods/kubernetes#serviceaccountjwt) given to the Consul leader uses the TokenReview API to validate the provided JWT. The trusted attributes of `serviceaccount.namespace`, `serviceaccount.name`, and `serviceaccount.uid` are populated directly from the diff --git a/website/content/docs/security/acl/auth-methods/oidc.mdx b/website/content/docs/secure/acl/auth-method/oidc.mdx similarity index 97% rename from website/content/docs/security/acl/auth-methods/oidc.mdx rename to website/content/docs/secure/acl/auth-method/oidc.mdx index 677db04ffcd..915f32d082c 100644 --- a/website/content/docs/security/acl/auth-methods/oidc.mdx +++ b/website/content/docs/secure/acl/auth-method/oidc.mdx @@ -23,10 +23,10 @@ This method may be initiated from the Consul UI or the command line. This page assumes general knowledge of [OIDC concepts](https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1) and the concepts described in the main [auth method -documentation](/consul/docs/security/acl/auth-methods). +documentation](/consul/docs/secure-consul/acl/auth-methods). -Both the [`jwt`](/consul/docs/security/acl/auth-methods/jwt) and the -[`oidc`](/consul/docs/security/acl/auth-methods/oidc) auth method types allow additional +Both the [`jwt`](/consul/docs/secure-consul/acl/auth-methods/jwt) and the +[`oidc`](/consul/docs/secure-consul/acl/auth-methods/oidc) auth method types allow additional processing of the claims data in the JWT. @include 'jwt_or_oidc.mdx' diff --git a/website/content/docs/secure/acl/bootstrap.mdx b/website/content/docs/secure/acl/bootstrap.mdx new file mode 100644 index 00000000000..2b592f22066 --- /dev/null +++ b/website/content/docs/secure/acl/bootstrap.mdx @@ -0,0 +1,358 @@ +--- +layout: docs +page_title: Bootstrap Access Control List (ACL) system +description: >- + A Consul datacenter's ACL system requires a bootstrap procedure before use. Learn how to enable the ACL system for a server agent and create the initial bootstrap token. +--- + +# Bootstrap Access Control List (ACL) system + +This page details the process to bootstrap the ACL system and create tokens with minimum privileges for the Consul server agents, client agents, and services. Refer to [ACL overview](/secure-consul/acl) for more information about how the ACL system secures access to Consul operations, as well as service and agent communications. + +## Overview + +Complete the following steps to bootstrap the ACL system: + +1. Enable ACLs on the agent. +1. Create the initial bootstrap token. + +After creating the bootstrap token, you can create and add ACL tokens for server agents, client agents, and services. Then, you can authorize or deny specific agent and service interactions by associating rules, policies, and roles with ACL tokens. + +## Requirements + +For best results, we recommend bootstrapping your ACL system after deploying your initial Consul cluster and registering services. + +## Enable ACLs on the agents + +Add [parameters for the ACL system](/consul/docs/reference/agent#acl) to the agent's configuration file and then restart the Consul service. You must apply the same parameters to every server and client in your Consul datacenter for Consul to correctly enable the ACL configuration. You should update the configuration files on all of your servers first, and then initiate a rolling restart. + +The following example enables Consul's ACLs and sets the default policy to `deny`. This setting means that only explicitly named resources are allowed to access Consul. The configuration also enables token persistence, which persists the token to disk and reloads it when an agent restarts. + + + +```hcl +acl = { + enabled = true + default_policy = "deny" + enable_token_persistence = true +} +``` + + + +The following table describes common agent configuration fields where ACLs are applicable and whether the configurations apply to servers, clients, or both. Refer to the [Agent reference docs](/consul/docs/reference/agent#acl) for a full list of configurable fields. + +| Configuration option | Servers | Clients | Description | +| -------------------- | ---------- | ---------- | ----------- | +| [`acl.enabled`](/consul/docs/reference/agent#acl_enabled) | `required` | `required` | Controls whether ACLs are enabled | +| [`acl.default_policy`](/consul/docs/reference/agent#acl_default_policy) | `optional` | `N/A` | Determines `allowlist` or `denylist` mode | +| [`acl.down_policy`](/consul/docs/reference/agent#acl_down_policy) | `optional` | `optional` | Determines what to do when the remote token or policy resolution fails | +| [`acl.role_ttl`](/consul/docs/reference/agent#acl_role_ttl) | `optional` | `optional` | Determines time-to-live for cached ACL roles | +| [`acl.policy_ttl`](/consul/docs/reference/agent#acl_policy_ttl) | `optional` | `optional` | Determines time-to-live for cached ACL policies | +| [`acl.token_ttl`](/consul/docs/reference/agent#acl_token_ttl) | `optional` | `optional` | Determines time-to-live for cached ACL tokens | + +If you want to reduce Consul client restarts, you can enable the ACLs on them when [you apply the token to agents](#apply-individual-tokens-to-agents). + + + +If you bootstrap ACLs on an existing datacenter, enable the ACLs on the agents first with `default_policy = "allow"` to reduce downtime. This approach enables ACLs but still allows all operations, letting Consul function normally while you create the tokens and apply them during the bootstrap process. + + + +## Create the initial bootstrap token + +Use the `acl bootstrap` command on one of the Consul servers. + +```shell-session +$ consul acl bootstrap +``` + +The output gives you important information about the token, including the associated policy `global-management` and `SecretID`. The value of the `SecretID` is also known as the ACL token. This token is an opaque UUID that identifies the requester so that the ACL system can determine whether it should grant or deny access to the requested resource. + +By default, Consul assigns the `global-management` policy to the bootstrap token, which has unrestricted privileges. While it is important to have a token with unrestricted privileges in case of emergencies, only a small number of ACL administrators should have access to it. + +When you are setting up the ACL system, temporarily set the `CONSUL_HTTP_TOKEN` environment variable to the bootstrap token on one Consul server agent. This gives you the necessary privileges to interact with Consul to create additional ACL tokens and policies. + +```shell-session +$ export CONSUL_HTTP_TOKEN= +``` + +## Apply individual tokens to agents + +Every server and client agent requires an ACL token. Complete the following steps for each server and client agent in your Consul datacenter. + +1. [Create the agent token](#create-the-agent-token) +1. [Add token to agents](#add-token-to-agents) + +### Create the agent token + +Create an individual token for each Consul agent by specifying a [node identity](/consul/docs/secure-consul/acl#node-identities) with the node's name and datacenter. A node identity grants the privileges necessary to register a node by that name and read any service in the catalog. + +```shell-session +$ consul acl token create -description " agent token" \ + -node-identity ":" +``` + +This command returns the token information, including the description and node identity information. + +Repeat this process for each agent. It is the ACL administrator's responsibility to save tokens in a secure location. We recommend using Vault to save these tokens. + +### Add token to agents + +Apply the agent token to your Consul servers and ensure they are working correctly before applying the agent token to your Consul clients. + +You can add the token to the Consul agent with any of the following methods: + +- Add the token to the agent configuration file +- Use the Consul CLI +- Use the Consul HTTP API + +We recommend using the agent configuration file. That way if your agent restarts, it reloads the token from the agent configuration file. + + + + +To set the token in the [agent configuration file](/consul/docs/reference/agent#acl_tokens_agent), add the following snippet to your existing Consul configuration or create a new file in the Consul configuration directory. + +```hcl +acl { + tokens { + agent = "" + } +} +``` + +Set `CONSUL_HTTP_TOKEN` to the same token on the agent environment to reload Consul configuration. + +```shell-session +$ export CONSUL_HTTP_TOKEN="" +``` + +Reload the agent's configuration. + +```shell-session +$ consul reload +``` + + + + +Use the [`set-agent-token`](/consul/commands/acl/set-agent-token) sub-command to set the agent token. + +Set `CONSUL_HTTP_TOKEN` to a token with `acl:write` permission. You can use the bootstrap token or create a new token using the `global-management` policy. + +```shell-session +$ export CONSUL_HTTP_TOKEN="" +``` + +Then, apply the token to the agent. + +```shell-session +$ consul acl set-agent-token agent "" +``` + + + + +Use the [`/agent/token/agent`](/consul/api-docs/agent#update-acl-tokens) API endpoint to set the agent token. + +Set the `X-Consul-Token` to a token with `acl:write` permission. You can use the bootstrap token or create a new token using the `global-management` policy. + +Create a payload for the API request. + + + +```json +{ + "Token": "" +} +``` + + + +Then, apply the token to the agent. Replace `` with the IP address of the Consul agent. + +```shell-session +$ curl \ + --request PUT \ + --data @payload.json \ + --header "X-Consul-Token: <" \ + http://:8500/v1/agent/token/acl_token +``` + + + + +You must to complete this process for every agent. + +Once complete, every agent should have a token that has read and write permissions to Consul, but only for node-related actions. Actions for individual services are not yet allowed. + + + +If bootstrapping ACLs on an existing datacenter, remember to update the default policy to `default_policy = "deny"` and initiate another rolling restart after applying the token. + + + +You must always add agent tokens to server agents using this process. However, Consul can automatically apply the agent tokens required by client agents with its auto-config feature. Auto-config involves issuing and validating secure JWTs using an OIDC identity provider (IdP). + +## Apply individual tokens to agents Add tokens to services + +Service tokens are necessary for managing the service's information in the catalog, including registration and health checks. + +The process to create and apply tokens to services is similar to agents. + +1. [Create the service token](#create-the-service-token) +1. [Add token to service definition](#add-token-to-service-definition). If you are using service mesh, you must also provide the token to the Envoy sidecar proxy. + +### Create the service token + +Create an individual token for each Consul service by specifying a [service identity](/consul/docs/secure-consul/acl#service-identities) with the service's name and datacenter. A service identity grants the privileges necessary to register a service instance by that name and an associated service mesh sidecar proxy, and to read any service in the catalog. + +```shell-session +$ consul acl token create -description "Token for " \ + -service-identity "" +``` + +The command returns information about the token, including the description and service identity information. Save the token to a secure location. We recommend using Vault to save these tokens. + +Alternatively, you can automate service token creation using Consul [auth methods](/consul/docs/secure-consul/acl/auth-methods). Auth methods map attributes from a trusted source of identity such as Kubernetes, JWT, OIDC, or AWS-IAM to ACL tokens with properly scoped policies. For example, you can use a verified JWT to generate a service token by mapping a JWT attribute to a service identity through an auth method with a [service-type binding rule](/consul/api-docs/acl/binding-rules#bindtype-service). The ACL administrator is still responsible for setting up external automation to provide the service ACL tokens generated by Consul auth methods to [the services](#add-token-to-service-definition) and their sidecar proxies. + +### Add token to service definition + +The following example service definition file that specifies the service token for both service mesh and service discovery (non-mesh) use cases. Refer to [Service definition reference](/consul/docs/reference/service#token) for a full list of service attributes. + + + + + + + + +```hcl +service { + name = "dashboard", + port = 9002, + + # This service instance's sidecar proxy should be given the same ACL token + # when launched with "consul connect envoy". + token = "57c5d69a-5f19-469b-0543-12a487eecc66", + + connect { + sidecar_service {} + } + + check { + id = "dashboard-check", + http = "http://localhost:9002/health", + method = "GET", + interval = "1s", + timeout = "1s" + } +} +``` + + + + + +```json +{ + "service": { + "name": "dashboard", + "port": 9002, + + "token": "57c5d69a-5f19-469b-0543-12a487eecc66", + + "connect": { + "sidecar_service": {} + }, + + "check": { + "id": "dashboard-check", + "http": "http://localhost:9002/health", + "method": "GET", + "interval": "1s", + "timeout": "1s" + } + } +} +``` + + + + +If the service is registered in [Consul's service mesh](/consul/docs/connect), its sidecar proxy requires the service token. You must provide the token directly to the sidecar proxy; Consul cannot retrieved the token from the service definition. + +Provide the service token when launching the Envoy sidecar proxy instance with [`consul connect envoy`](/consul/commands/connect/envoy) through either environment variables or CLI flags. + +1. Environment variables: [`CONSUL_HTTP_TOKEN`](/consul/commands#consul_http_token) or [`CONSUL_HTTP_TOKEN_FILE`](/consul/commands#consul_http_token_file) +1. CLI flags: [`-token`](/consul/commands/connect/envoy#token) or [`-token-file`](/consul/commands/connect/envoy#token-file) + + + + + + + +```hcl +service { + name = "dashboard", + port = 9002, + + token = "57c5d69a-5f19-469b-0543-12a487eecc66", + + check { + id = "dashboard-check", + http = "http://localhost:9002/health", + method = "GET", + interval = "1s", + timeout = "1s" + } +} +``` + + + + +```json +{ + "service": { + "name": "dashboard", + "port": 9002, + + "token": "57c5d69a-5f19-469b-0543-12a487eecc66", + + "check": { + "id": "dashboard-check", + "http": "http://localhost:9002/health", + "method": "GET", + "interval": "1s", + "timeout": "1s" + } + } +} +``` + + + + + + + +Refer to [Register services and health checks](/consul/docs/register/service) for instructions on registering services. If the service is already registered, re-register it with the token. + +## Next steps + +Now that you have bootstrapped the ACL system and created tokens for agents and services, you can create additional ACL tokens and policies to restrict access to Consul operations, service interactions, and agent communications. Refer to the following resources for more information: + +- [Create service token](/consul/docs/secure-consul/acl/create/service) +- [Create agent token](/consul/docs/secure-consul/acl/create/agent) +- [Create UI token](/consul/docs/secure-consul/acl/create/ui) +- [Create mesh gateway token](/consul/docs/secure-consul/acl/create/mesh-gateway) +- [Create ingress gateway token](/consul/docs/secure-consul/acl/create/ingress-gateway) +- [Create terminating gateway token](/consul/docs/secure-consul/acl/create/terminating-gateway) +- [Create DNS token](/consul/docs/secure-consul/acl/create/dns) +- [Create replication token](/consul/docs/secure-consul/acl/create/replication) +- [Create snapshot agent token](/consul/docs/secure-consul/acl/create/snapshot-agent) +- [Create Vault Consul storage backend token](/consul/docs/secure-consul/acl/create/vault-storage-backend) +- [Create Consul ESM token](/consul/docs/secure-consul/acl/create/esm) \ No newline at end of file diff --git a/website/content/docs/security/acl/tokens/create/create-an-agent-token.mdx b/website/content/docs/secure/acl/create-token/agent.mdx similarity index 90% rename from website/content/docs/security/acl/tokens/create/create-an-agent-token.mdx rename to website/content/docs/secure/acl/create-token/agent.mdx index 253d5710be6..04ede1f7dd6 100644 --- a/website/content/docs/security/acl/tokens/create/create-an-agent-token.mdx +++ b/website/content/docs/secure/acl/create-token/agent.mdx @@ -13,11 +13,11 @@ This topic describes how to create a token that you can use to register an agent Consul agents must present a token linked to policies that grant the appropriate set of permissions in order to register into the catalog and to discover services and nodes in the catalog. -Specify the [`agent`](/consul/docs/agent/config/config-files#acl_tokens_agent) token to the Consul agent so that it can present the token when it registers into the catalog. +Specify the [`agent`](/consul/docs/reference/agent#acl_tokens_agent) token to the Consul agent so that it can present the token when it registers into the catalog. ### Node identities versus custom policies -You can create tokens linked to custom policies or to node identities. [Node identities](/consul/docs/security/acl#node-identities) are constructs in Consul that enable you to quickly grant permissions for a group of agents, rather than create similar policies for each agent. +You can create tokens linked to custom policies or to node identities. [Node identities](/consul/docs/secure-consul/acl#node-identities) are constructs in Consul that enable you to quickly grant permissions for a group of agents, rather than create similar policies for each agent. We recommend using a node identity to grant permissions to the agent rather than creating a custom policy. This is because node identities automatically grant the node `node:write` and `service:read` permission. @@ -36,12 +36,11 @@ The agent token must be linked to policies that grant the following permissions: ## Node identity in Consul CE -Refer to [Node identities](/consul/docs/security/acl#node-identities) for information about node identities that you can link to tokens. +Refer to [Node identities](/consul/docs/secure-consul/acl#node-identities) for information about node identities that you can link to tokens. -You can manually create tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +You can manually create tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). - Run the `consul acl token create` command and specify the policy or node identity to link to create a token. Refer to [Consul ACL Token Create](/consul/commands/acl/token/create) for details about the `consul acl token create` command. @@ -81,9 +80,9 @@ $ curl --request PUT http://127.0.0.1:8500/v1/acl/token \ ## Node identity in Consul Enterprise -Refer to [Node identities](/consul/docs/security/acl#node-identities) for information about node identities that you can link to tokens. +Refer to [Node identities](/consul/docs/secure-consul/acl#node-identities) for information about node identities that you can link to tokens. -You can manually create tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +You can manually create tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -131,7 +130,7 @@ When you are unable to link tokens to a node identity, you can define policies, ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy grants `write` permission for node `node1` so that the Consul agent can register into the catalog. It grants `read` permissions to discover services in the catalog. @@ -205,7 +204,7 @@ Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional inf ### Link the policy to a token -After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -253,7 +252,7 @@ When you are unable to link tokens to a node identity, you can define policies, ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy grants the `write` permission for node `node1` in partition `ptn1` so that the Consul agent can register into the catalog. It grants `read` permissions to discover services in any namespace in the `ptn1` partition. @@ -340,7 +339,7 @@ Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional inf ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -385,7 +384,7 @@ Configure the Consul agent to present the token by either specifying the token i ### Apply the token in a file -Specify the token in the [`acl.token.agent`](/consul/docs/agent/config/config-files#acl_tokens_agent) field of the agent configuration file so that the agent can present it and register into the catalog on startup. +Specify the token in the [`acl.token.agent`](/consul/docs/reference/agent#acl_tokens_agent) field of the agent configuration file so that the agent can present it and register into the catalog on startup. ```hcl acl = { diff --git a/website/content/docs/secure/acl/create-token/dns.mdx b/website/content/docs/secure/acl/create-token/dns.mdx new file mode 100644 index 00000000000..60587ae8631 --- /dev/null +++ b/website/content/docs/secure/acl/create-token/dns.mdx @@ -0,0 +1,343 @@ +--- +layout: docs +page_title: Create tokens for service registration +description: >- + Learn how to create ACL tokens to enable Consul DNS. +--- + +# Create a DNS token + +This topic describes how to create a token that enables the Consul DNS to query services in the network when ACLs are enabled. + +## Introduction + +The Consul binary ships with a DNS server that you can use for service discovery in your network. The agent that fulfills DNS lookups requires appropriate ACL permissions to discover services, nodes, and prepared queries registered in Consul. + +A Consul agent must be configured with a token linked to policies that grant the appropriate set of permissions. + +Specify the [`default`](/consul/docs/reference/agent#acl_tokens_default) token to the Consul agent to authorize the agent to respond to DNS queries. Refer to [DNS usage overview](/consul/docs/services/discovery/dns-overview) for details on configuring and using Consul DNS. + +## Requirements + +Core ACL functionality is available in all versions of Consul. + +The DNS token must be linked to policies that grant the following permissions: + +* `service:read`: Enables the agent to perform service lookups for DNS +* `node:read`: Enables node lookups over DNS +* `query:read`: Enables the agent to perform prepared query lookups for DNS + +@include 'create-token-requirements.mdx' + +## DNS token in Consul CE + +To create a token for DNS, you must define a policy, register the policy with Consul, and link the policy to a token. + +### Define a policy + +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. + +The following example policy is defined in a file. The policy grants the appropriate permissions to enable a Consul agent to respond to DNS queries. + + + +```hcl +node_prefix "" { + policy = "read" +} +service_prefix "" { + policy = "read" +} +query_prefix "" { + policy = "read" +} +``` + +```json +{ + "node_prefix": { + "": [{ + "policy": "read" + }] + }, + "query_prefix": { + "": [{ + "policy": "read" + }] + }, + "service_prefix": { + "": [{ + "policy": "read" + }] + } +} +``` + + + +### Register the policy with Consul + +After defining the policy, you can register the policy with Consul using the command line or API endpoint. + + + + + +Run the `consul acl policy create` command and specify the policy rules to create a policy. Refer to [Consul ACL Policy Create](/consul/commands/acl/policy/create) for details about the `consul acl policy create` command. + +The following example registers a policy defined in `dns-access.hcl`. + +```shell-session +$ consul acl policy create \ + -name "dns-access" -rules @dns-access.hcl \ + -description "DNS Policy" +``` + + + + + +Send a PUT request to the `/acl/policy` endpoint and specify the policy rules in the request body to create a policy. Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional information about using the API endpoint. + +The following example registers the policy defined in `dns-access.hcl`. You must embed policy rules in the `Rules` field of the request body. + +```shell-session +$ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + --data '{ + "Name": "dns-access", + "Description": "DNS Policy", + "Rules": "node_prefix \"\" {\n policy = \"read\"\n}\nservice_prefix \"\" {\n policy = \"read\"\n}\nquery_prefix \"\" {\n policy = \"read\"\n}\n" +}' +``` + + + + + +### Link the policy to a token + +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). + + + + + +Run the `consul acl token create` command and specify the policy name or ID to create a token linked to the policy. Refer to [Consul ACL Token Create](/consul/commands/acl/token/create) for details about the `consul acl token create` command. + +The following command creates the ACL token linked to the policy `dns-access`. + +```shell-session +$ consul acl token create \ + -description "DNS token" \ + -policy-name "dns-access" +``` + + + + + +Send a PUT request to the `/acl/token` endpoint and specify the policy name or ID in the request to create an ACL token linked to the policy. Refer to [ACL Token HTTP API](/consul/api-docs/acl/tokens) for additional information about using the API endpoint. + +The following example creates the ACL token linked to the policy `dns-access`. + +```shell-session +$ curl --request PUT http://127.0.0.1:8500/v1/acl/token \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + --data '{ + "Policies": [ + { + "Name": "dns-access" + } + ] +}' +``` + + + + + +## DNS token in Consul Enterprise + +To create a token for DNS, you must define a policy, register the policy with Consul, and link the policy to a token. + +### Define a policy + +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. + +The following example policy is defined in a file. The policy grants the appropriate permissions to enable a Consul agent to respond to DNS queries for resources in any namespace in any partition. + + + +```hcl +partition "default" { + namespace "default" { + query_prefix "" { + policy = "read" + } + } +} +partition_prefix "" { + namespace_prefix "" { + node_prefix "" { + policy = "read" + } + service_prefix "" { + policy = "read" + } + } +} +``` + +```json +{ + "partition": { + "default": [{ + "namespace": { + "default": [{ + "query_prefix": { + "": [{ + "policy": "read" + }] + } + }] + } + }] + }, + "partition_prefix": { + "": [{ + "namespace_prefix": { + "": [{ + "node_prefix": { + "": [{ + "policy": "read" + }] + }, + "service_prefix": { + "": [{ + "policy": "read" + }] + } + }] + } + }] + } +} +``` + + + +### Register the policy with Consul + +After defining the policy, you can register the policy with Consul using the command line or API endpoint. + +You can specify an admin partition when creating policies in Consul Enterprise. The policy is only valid in the specified admin partition. The example policy contains permissions for multiple namespaces in multiple partitions. You must create ACL policies that grant permissions for multiple namespaces in multiple partitions in the `default` namespace and the `default` partition. + + + + + + +Run the `consul acl policy create` command and specify the policy rules to create a policy. Refer to [Consul ACL Policy Create](/consul/commands/acl/policy/create) for details about the `consul acl policy create` command. + +```shell-session +consul acl policy create -partition "default" -namespace "default" \ + -name dns-access -rules @dns-access.hcl \ + -description "DNS Policy" +``` + + + + + +Send a PUT request to the `/acl/policy` endpoint and specify the policy rules in the request body to create a policy. Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional information about using the API endpoint. + +The following example registers the policy defined in `dns-access.hcl`. You must embed policy rules in the `Rules` field of the request body. + +```shell-session +$ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + --data '{ + "Name": "dns-access", + "Description": "DNS Policy", + "Partition": "default", + "Namespace": "default", + "Rules": "partition_prefix \"\" {\n namespace_prefix \"\" {\n node_prefix \"\" {\n policy = \"read\"\n }\n service_prefix \"\" {\n policy = \"read\"\n }\n query_prefix \"\" {\n policy = \"read\"\n }\n }\n}\n" +}' +``` + + + + + +### Link the policy to a token + +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). + + + + + +Run the `consul acl token create` command and specify the policy name or ID to create a token linked to the policy. Refer to [Consul ACL Token Create](/consul/commands/acl/token/create) for details about the `consul acl token create` command. + +The following command creates the ACL token linked to the policy `dns-access`. + +```shell-session +$ consul acl token create -partition "default" -namespace "default" \ + -description "DNS token" \ + -policy-name "dns-access" +``` + + + + + +Send a PUT request to the `/acl/token` endpoint and specify the policy name or ID in the request to create an ACL token linked to the policy. Refer to [ACL Token HTTP API](/consul/api-docs/acl/tokens) for additional information about using the API endpoint. + +The following example creates the ACL token linked to the policy `dns-access`. + +```shell-session +$ curl --request PUT http://127.0.0.1:8500/v1/acl/token \ + --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + --data '{ + "Policies": [ + { + "Name": "dns-access" + } + ], + "Partition": "default", + "Namespace": "default" +}' +``` + + + + + +## Apply the token + +Configure the Consul agent with the token by either specifying the token in the agent configuration file or by using the `consul set-agent-token` command. + +### Apply the token in a file + +Specify the token in the [`default`](/consul/docs/reference/agent#acl_tokens_default) field of the agent configuration file so that the agent can present it and register into the catalog on startup. + +```hcl +acl = { + enabled = true + tokens = { + default = "" + ... + } + ... +} +``` + +### Apply the token with a command + +Set the `default` token using the [`acl.token.default`](/consul/docs/reference/agent#acl_tokens_default) command. The following command configures a running Consul agent token with the specified token. + +```shell-session +$ consul set-agent-token default +``` + diff --git a/website/content/docs/security/acl/tokens/create/create-a-consul-esm-token.mdx b/website/content/docs/secure/acl/create-token/esm.mdx similarity index 96% rename from website/content/docs/security/acl/tokens/create/create-a-consul-esm-token.mdx rename to website/content/docs/secure/acl/create-token/esm.mdx index e899a96c8b8..f8d9e546c98 100644 --- a/website/content/docs/security/acl/tokens/create/create-a-consul-esm-token.mdx +++ b/website/content/docs/secure/acl/create-token/esm.mdx @@ -38,7 +38,7 @@ To create a token for Consul ESM, you must define a policy, register the policy ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy grants the appropriate permissions for Consul ESM running on an agent with the node name `agent1` to monitor two nodes named `node1` and `node2`. It allows Consul ESM to register into the catalog as the `consul-esm` service and write keys with the prefix `consul-esm/` in the Consul KV store. @@ -150,7 +150,7 @@ $ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \ ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -197,7 +197,7 @@ To create a token for Consul ESM, you must define a policy, register the policy ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy grants the appropriate permissions for Consul ESM running on an agent named `agent1` to monitor two nodes named `node1` and `node2`. It allows Consul ESM to register into the catalog as the `consul-esm` service, to write keys with the prefix `consul-esm/` in the Consul KV store, and to scan the `default` and `ns1` namespaces for nodes and health checks to monitor. @@ -336,7 +336,7 @@ $ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \ ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). You can specify an admin partition and namespace when creating tokens in Consul Enterprise. The token must be created in the partition and namespace where the policy was created. The following example creates an ACL token in the `default` namespace in the `default` partition. diff --git a/website/content/docs/security/acl/tokens/create/create-an-ingress-gateway-token.mdx b/website/content/docs/secure/acl/create-token/ingress-gateway.mdx similarity index 96% rename from website/content/docs/security/acl/tokens/create/create-an-ingress-gateway-token.mdx rename to website/content/docs/secure/acl/create-token/ingress-gateway.mdx index 526b51bef0d..37d371afdc4 100644 --- a/website/content/docs/security/acl/tokens/create/create-an-ingress-gateway-token.mdx +++ b/website/content/docs/secure/acl/create-token/ingress-gateway.mdx @@ -31,7 +31,7 @@ To create a token for the ingress gateway, you must define a policy, register th ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy grants the ingress gateway the appropriate permissions to register as a service named `ingress-gateway` and to operate as an ingress gateway. @@ -123,7 +123,7 @@ Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional inf ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -167,7 +167,7 @@ To create a token for the ingress gateway, you must define a policy, register th ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. You can specify an admin partition and namespace when creating policies in Consul Enterprise. The policy is only valid in the specified scopes. @@ -283,7 +283,7 @@ Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional inf ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). diff --git a/website/content/docs/security/acl/tokens/create/create-a-mesh-gateway-token.mdx b/website/content/docs/secure/acl/create-token/mesh-gateway.mdx similarity index 96% rename from website/content/docs/security/acl/tokens/create/create-a-mesh-gateway-token.mdx rename to website/content/docs/secure/acl/create-token/mesh-gateway.mdx index d7de158b30d..8d7641340d8 100644 --- a/website/content/docs/security/acl/tokens/create/create-a-mesh-gateway-token.mdx +++ b/website/content/docs/secure/acl/create-token/mesh-gateway.mdx @@ -43,7 +43,7 @@ To create a token for the mesh gateway, you must define a policy, register the p ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy grants the appropriate permissions to register as a service named `mesh-gateway` and to operate as a mesh gateway. @@ -138,7 +138,7 @@ Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional inf ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -182,7 +182,7 @@ To create a token for the mesh gateway, you must define a policy, register the p ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. You can specify an admin partition and namespace when using Consul Enterprise. Mesh gateways must register into the `default` namespace. @@ -308,7 +308,7 @@ Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional inf ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -355,7 +355,7 @@ To create a token for the mesh gateway, you must define a policy, register the p ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. You can specify an admin partition and namespace when using Consul Enterprise. Mesh gateways must register into the `default` namespace. To register a mesh gateway in a non-default partition, create the ACL policy and token in the partition where the mesh gateway registers. @@ -466,7 +466,7 @@ Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional inf ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). diff --git a/website/content/docs/security/acl/tokens/create/create-a-replication-token.mdx b/website/content/docs/secure/acl/create-token/replication.mdx similarity index 91% rename from website/content/docs/security/acl/tokens/create/create-a-replication-token.mdx rename to website/content/docs/secure/acl/create-token/replication.mdx index c6b546100a3..7f32c3b575b 100644 --- a/website/content/docs/security/acl/tokens/create/create-a-replication-token.mdx +++ b/website/content/docs/secure/acl/create-token/replication.mdx @@ -7,12 +7,12 @@ description: >- # Create a replication token -This topic describes how to configure an ACL token for ACL replication between WAN-federated datacenters. If your Consul clusters are connected through peer connections, ACL replication is not required. To learn more about cluster peering, refer to the [comparison between WAN federation and cluster peering](/consul/docs/connect/cluster-peering#compared-with-wan-federation). +This topic describes how to configure an ACL token for ACL replication between WAN-federated datacenters. If your Consul clusters are connected through peer connections, ACL replication is not required. To learn more about cluster peering, refer to the [comparison between WAN federation and cluster peering](/consul/docs/east-west/cluster-peering#compared-with-wan-federation). ## Introduction Consul agents must present a token linked to policies that grant the appropriate set of permissions. -Specify the [`replication`](/consul/docs/agent/config/config-files#acl_tokens_replication) token on each server in a non-primary datacenter. For hands-on instructions on how to configure ACL replication across datacenters, refer to the [ACL Replication for Multiple Datacenters](/consul/tutorials/security-operations/access-control-replication-multiple-datacenters) tutorial. +Specify the [`replication`](/consul/docs/reference/agent#acl_tokens_replication) token on each server in a non-primary datacenter. For hands-on instructions on how to configure ACL replication across datacenters, refer to [Enable ACLs in WAN federated datacenters](/consul/docs/secure-consul/acl/enable-federated-datacenters). ## Requirements @@ -33,7 +33,7 @@ To create a token for ACL replication, you must define a policy, register the po ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy grants the appropriate permissions for ACL replication. @@ -151,7 +151,7 @@ To create a token for ACL replication, you must define a policy, register the po ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The following example policy grants the appropriate permissions for ACL replication. @@ -243,7 +243,7 @@ $ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \ ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -289,7 +289,7 @@ Configure the Consul agent with the token by either specifying the token in the ### Apply the token in a file -Specify the token in the [`replication`](/consul/docs/agent/config/config-files#acl_tokens_replication) field of the agent configuration file so that the agent can present it and register into the catalog on startup. +Specify the token in the [`replication`](/consul/docs/reference/agent#acl_tokens_replication) field of the agent configuration file so that the agent can present it and register into the catalog on startup. ```hcl acl = { diff --git a/website/content/docs/security/acl/tokens/create/create-a-service-token.mdx b/website/content/docs/secure/acl/create-token/service.mdx similarity index 93% rename from website/content/docs/security/acl/tokens/create/create-a-service-token.mdx rename to website/content/docs/secure/acl/create-token/service.mdx index 8f17df702d8..041a05fa99b 100644 --- a/website/content/docs/security/acl/tokens/create/create-a-service-token.mdx +++ b/website/content/docs/secure/acl/create-token/service.mdx @@ -15,7 +15,7 @@ Services must present a token linked to policies that grant the appropriate set ### Templated policies versus custom policies -You can create tokens linked to custom policies or to templated policies. [Templated policies](/consul/docs/security/acl#templated-policies) are constructs in Consul that enable you to quickly grant permissions for common use cases, rather than creating similar policies. +You can create tokens linked to custom policies or to templated policies. [Templated policies](/consul/docs/secure-consul/acl#templated-policies) are constructs in Consul that enable you to quickly grant permissions for common use cases, rather than creating similar policies. We recommend using the `builtin/service` templated policy to grant permissions for service discovery and service mesh use cases rather than creating a custom policy. This is because the `builtin/service` templated policy automatically grant the service and its sidecar proxy `service:write`, `service:read`, and `node:read`. @@ -27,7 +27,7 @@ Core ACL functionality is available in all versions of Consul. The service token must be linked to policies that grant the following permissions: -* `service:write`: Enables the service to update the catalog. If service mesh is enabled, the service's sidecar proxy can also update the catalog. Note that this permission implicitly grants `intention:read` permission to sidecar proxies so that they can read and enforce intentions. Refer to [Intention Management Permissions](/consul/docs/connect/intentions#intention-management-permissions) for details. +* `service:write`: Enables the service to update the catalog. If service mesh is enabled, the service's sidecar proxy can also update the catalog. Note that this permission implicitly grants `intention:read` permission to sidecar proxies so that they can read and enforce intentions. Refer to [Intention Management Permissions](/consul/docs/secure-mesh/intentions#intention-management-permissions) for details. * `service:read`: Enables the service to learn about other services in the network. If service mesh is enabled, the service's sidecar proxy can also learn about other services in the network. * `node:read`: Enables the sidecar proxy to discover and route traffic to other services in the catalog if service mesh is enabled. @@ -35,9 +35,9 @@ The service token must be linked to policies that grant the following permission ## Templated policies in Consul CE -Refer to [Templated policies](/consul/docs/security/acl#templated-policies) for information about creating templated policies that you can link to tokens. +Refer to [Templated policies](/consul/docs/secure-consul/acl#templated-policies) for information about creating templated policies that you can link to tokens. -You can manually create tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +You can manually create tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -83,9 +83,9 @@ $ curl --request PUT http://127.0.0.1:8500/v1/acl/token \ ## Templated policies in Consul Enterprise -Refer to [Templated policies](/consul/docs/security/acl#templated-policies) for information about the use of templated policies in tokens and roles. +Refer to [Templated policies](/consul/docs/secure-consul/acl#templated-policies) for information about the use of templated policies in tokens and roles. -You can manually create tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +You can manually create tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -137,7 +137,7 @@ When you are unable to link tokens to a templated policy, you can define policie ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy grants the `svc1` service `write` permissions so that it can register into the catalog. For service mesh, the policy grants the `svc1-sidecar-proxy` service `write` permissions so that the sidecar proxy can register into the catalog. It grants service and node `read` permissions to discover and route to other services. @@ -227,7 +227,7 @@ Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional inf ### Link the policy to a token -After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -273,7 +273,7 @@ When you are unable to link tokens to a templated policy, you can define policie ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. You can specify an admin partition and namespace when creating policies in Consul Enterprise. The policy is only valid in the specified scopes. @@ -379,7 +379,7 @@ Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional inf ### Link the policy to a token -After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). diff --git a/website/content/docs/security/acl/tokens/create/create-a-snapshot-agent-token.mdx b/website/content/docs/secure/acl/create-token/snapshot-agent.mdx similarity index 96% rename from website/content/docs/security/acl/tokens/create/create-a-snapshot-agent-token.mdx rename to website/content/docs/secure/acl/create-token/snapshot-agent.mdx index 26801ddfba2..0afc0566d41 100644 --- a/website/content/docs/security/acl/tokens/create/create-a-snapshot-agent-token.mdx +++ b/website/content/docs/secure/acl/create-token/snapshot-agent.mdx @@ -41,7 +41,7 @@ To create a token for the snapshot agent, you must define a policy, register the ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy grants the appropriate permissions for a snapshot agent running on a node named `server-1234` to register into the catalog as the `consul-snapshot` service. It uses the key `consul-snapshot/lock` for a leader election lock. @@ -129,7 +129,7 @@ $ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \ ### Link the policy to a token -After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). You can specify an admin partition and namespace when creating tokens in Consul Enterprise. Tokens are only valid in the specified scopes. The snapshot agent token must be created in the `default` namespace in the `default` partition. diff --git a/website/content/docs/security/acl/tokens/create/create-a-terminating-gateway-token.mdx b/website/content/docs/secure/acl/create-token/terminating-gateway.mdx similarity index 97% rename from website/content/docs/security/acl/tokens/create/create-a-terminating-gateway-token.mdx rename to website/content/docs/secure/acl/create-token/terminating-gateway.mdx index 82d15e0982d..d14de821b9c 100644 --- a/website/content/docs/security/acl/tokens/create/create-a-terminating-gateway-token.mdx +++ b/website/content/docs/secure/acl/create-token/terminating-gateway.mdx @@ -35,7 +35,7 @@ To create a token for the terminating gateway, you must define a policy, registe ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy grants the appropriate permissions to register as a service named `terminating-gateway` and to operate as a terminating gateway. For this example, the terminating gateway forwards traffic for two services named `external-service-1` and `external-service-2`. The policy examples include `service:write` permissions for these services. If you have additional services, your policy must include `service:write` permissions for the additional services to be included in the policy rules. @@ -132,7 +132,7 @@ Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional inf ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -176,7 +176,7 @@ To create a token for the terminating gateway, you must define a policy, registe ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. You can specify an admin partition and namespace when creating policies in Consul Enterprise. The policy is only valid in the specified scopes. @@ -311,7 +311,7 @@ Refer to [ACL Policy HTTP API](/consul/api-docs/acl/policies) for additional inf ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). You can specify an admin partition when creating tokens in Consul Enterprise. The token is only valid in the specified admin partition. You must create the token in the partition where the terminating gateway is registered. If the terminating gateway requires permissions for multiple namespaces, then the token must be created in the `default` namespace. The following example creates the token in the `default` namespace in the `ptn1` partition because the example policy contains permissions for multiple namespaces. diff --git a/website/content/docs/security/acl/tokens/create/create-a-ui-token.mdx b/website/content/docs/secure/acl/create-token/ui.mdx similarity index 94% rename from website/content/docs/security/acl/tokens/create/create-a-ui-token.mdx rename to website/content/docs/secure/acl/create-token/ui.mdx index 8faefd2d1da..53541c73334 100644 --- a/website/content/docs/security/acl/tokens/create/create-a-ui-token.mdx +++ b/website/content/docs/secure/acl/create-token/ui.mdx @@ -25,7 +25,7 @@ This section describes how to create a token that grants read-only access to the ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy allows users that login with the token to view all services and nodes in the catalog. @@ -97,7 +97,7 @@ $ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \ ### Link the policy to a token -After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -143,7 +143,7 @@ This section describes how to create a token that grants read-only access to the ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The following policy allows users that log in with the token to view services and nodes in the catalog in any partition and in any namespace. The `operator:read` permission is needed to list partitions. Without this permission, you can still view resources within a partition but cannot easily navigate to other partitions in the Consul UI. @@ -198,7 +198,7 @@ After defining the policies, you can register them with Consul using the command Run the `consul acl policy create` command and specify the policy rules to create a policy. The following example registers a policy defined in `ui-view-catalog.hcl`. -You can specify an admin partition and namespace when registering policies in Consul Enterprise. Policies are only valid in the scopes specified during registration, but you can grant tokens registered in the `default` partition permission to access resources in a different partition than where the token was registered. Refer to the [admin partition documentation](/consul/docs/enterprise/admin-partitions#default-admin-partition) for additional information. +You can specify an admin partition and namespace when registering policies in Consul Enterprise. Policies are only valid in the scopes specified during registration, but you can grant tokens registered in the `default` partition permission to access resources in a different partition than where the token was registered. Refer to the [admin partition documentation](/consul/docs/segment/admin-partition#default-admin-partition) for additional information. The following example registers the policy in the `default` partition and the `default` namespace because the policy grants cross-partition and cross-namespace access. @@ -234,7 +234,7 @@ $ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \ ### Link the policy to a token -After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -254,7 +254,7 @@ $ consul acl token create -partition "default" -namespace "default" \ Send a PUT request to the `/acl/token` endpoint and specify the policy name or ID in the request to create an ACL token linked to the policy. Refer to [ACL Token HTTP API](/consul/api-docs/acl/tokens) for additional information about using the API endpoint. -You can specify an admin partition and namespace when registering policies in Consul Enterprise. Policies are only valid in the scopes specified during registration, but you can grant tokens registered in the `default` partition permission to access resources in a different partition than where the token was registered. Refer to the [admin partition documentation](/consul/docs/enterprise/admin-partitions#default-admin-partition) for additional information. +You can specify an admin partition and namespace when registering policies in Consul Enterprise. Policies are only valid in the scopes specified during registration, but you can grant tokens registered in the `default` partition permission to access resources in a different partition than where the token was registered. Refer to the [admin partition documentation](/consul/docs/segment/admin-partition#default-admin-partition) for additional information. The following example registers the policy in the `default` partition and the `default` namespace because the policy grants cross-partition and cross-namespace access. @@ -282,7 +282,7 @@ This section describes how to create a token with read-only access to all resour ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy allows users that log in with the token to view all services and nodes in the catalog, all objects in the key/value store, all intentions, and all ACL resources. The `acl:read` permission does not allow viewing the token secret ids. @@ -368,7 +368,7 @@ $ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \ ### Link the policy to a token -After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). @@ -414,7 +414,7 @@ This section describes how to create a token with read-only access to all resour ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy allows users that log in with the token to view all services and nodes in the catalog, all objects in the key-value store, all intentions, and all ACL resources in any namespace and any partition. The `acl:read` permission does not allow viewing the token secret ids. @@ -516,7 +516,7 @@ $ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \ ### Link the policy to a token -After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). diff --git a/website/content/docs/security/acl/tokens/create/create-a-token-for-vault-consul-storage.mdx b/website/content/docs/secure/acl/create-token/vault-storage-backend.mdx similarity index 93% rename from website/content/docs/security/acl/tokens/create/create-a-token-for-vault-consul-storage.mdx rename to website/content/docs/secure/acl/create-token/vault-storage-backend.mdx index ab2c0406149..6c0f1742123 100644 --- a/website/content/docs/security/acl/tokens/create/create-a-token-for-vault-consul-storage.mdx +++ b/website/content/docs/secure/acl/create-token/vault-storage-backend.mdx @@ -10,7 +10,7 @@ This topic describes how to create a token for Vault’s Consul storage backend. ## Introduction -If you are using Vault to manage secrets in your infrastructure, you can configure Vault to use Consul's key/value (KV) store as backend storage to persist Vault's data. Refer to the [Consul KV documentation](/consul/docs/dynamic-app-config/kv) and the [Vault storage documentation](/vault/docs/configuration/storage) for additional information. +If you are using Vault to manage secrets in your infrastructure, you can configure Vault to use Consul's key/value (KV) store as backend storage to persist Vault's data. Refer to the [Consul KV documentation](/consul/docs/dynamic-app/kv) and the [Vault storage documentation](/vault/docs/configuration/storage) for additional information. ## Requirements @@ -31,7 +31,7 @@ To create a token for Vault’s Consul storage backend, you must define a policy ### Define a policy -You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. +You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/secure-consul/acl/rules) for details about all of the rules you can use in your policies. The following example policy is defined in a file. The policy grants the appropriate permissions to enable Vault to register as a service named `vault` and provides access to the `vault/` path in Consul's KV store. @@ -122,7 +122,7 @@ $ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \ ### Link the policy to a token -After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/security/acl/auth-methods). +After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an [auth method](/consul/docs/secure-consul/acl/auth-methods). diff --git a/website/content/docs/secure/acl/enable-federated-datacenters.mdx b/website/content/docs/secure/acl/enable-federated-datacenters.mdx new file mode 100644 index 00000000000..6004addb471 --- /dev/null +++ b/website/content/docs/secure/acl/enable-federated-datacenters.mdx @@ -0,0 +1,306 @@ +--- +layout: docs +page_title: Enable ACLs in WAN federated datacenters +description: >- + Consul's access control list (ACL) system can span multiple datacenters that are WAN federated. Learn how to replicate the ACL system from the primary datacenter to secondary datacenters using a replication token. +--- + +# Enable ACLs in WAN federated datacenters + +This page describes how to set up Consul's access control list (ACL) system in WAN-federated Consul datacenters. You can configure tokens, policies, and roles to work across multiple datacenters. ACL replication has several benefits: + +- It enables authentication of nodes and services between multiple datacenters. +- The secondary datacenter can provide failover for all ACL components created in the primary datacenter. +- Sharing policies reduces redundancy for the operator. + +## Workflow overview + +The overall process to setup ACL replication for multiple datacenters that are connected through WAN federation consists of the following steps: + +1. Set the `primary_datacenter` parameter on all Consul agents in the primary datacenter. +1. Create the replication token. +1. Configure the `primary_datacenter` and `enable_token_replication` parameters on all Consul servers in the secondary datacenter. +1. Apply the replication token to all the servers in the secondary datacenter. +1. Configure the `primary_datacenter` and `enable_token_replication` parameters on all Consul clients in the secondary datacenter. + +## Requirements + +Consul v1.4.0 or later + + +## Configure ACLs in the primary datacenter + +In a [federated Consul deployment](/consul/docs/deploy/server/k8s/multi/federation), one of the datacenters is designated the primary datacenter. You should add the `acl` configuration block to the primary datacenter server's configuration file as shown in the following example. + + + + + + + +```hcl +datacenter = "dc1", +primary_datacenter= "dc1", +acl { + enabled = true, + default_policy = "deny", + down_policy = "extend-cache", + enable_token_persistence = true +} +``` + + + + +```json +{ + "datacenter": "dc1", + "primary_datacenter": "dc1", + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + "enable_token_persistence": true + } +} +``` + + + + + +Refer to the [ACL stanza in the Agent](/consul/docs/reference/agent#acl) reference docs for more detailed descriptions of each attribute. + + + +Most enterprise deployments have security requirements that prevent specifying tokens in configuration files. The configuration example also sets the `enable_token_persistence` attribute so that the token is stored to disk in the agent's [data directory](/consul/docs/reference/agent#_data_dir). Any changes to the token through the [Consul HTTP API](/consul/api-docs/agent#update-acl-tokens) persists to the same location, and the value in the configuration file is ignored. + + + +The `primary_datacenter` parameter sets the primary datacenter to have authority for all ACL information. You should also set this parameter on the Consul clients, so that the they can forward API requests to the servers. + +Start the agent. If your Consul servers are already up, you need to restart the Consul agents for ACL related configuration changes to take effect. + +```shell-session +$ consul agent -config-file=server.hcl +``` + +Complete this process on all server agents. If you are configuring ACLs for the first time, you must [bootstrap the ACL system](/consul/docs/secure-consul/acl/bootstrap) for the cluster first. + +## Create the replication token + +You must configure servers in secondary datacenters to point to the primary datacenter. You need to provide the ACL replication token to the secondary datacenters. Replication tokens are required to replicate ACL tokens and to create [configuration entries](/consul/docs/agent/config-entries) and [auth methods](/consul/docs/secure-consul/acl/auth-methods) in connected secondary datacenters. + +Replication tokens require the following permissions: + +| Permission | Description | +| -------------------- | ----------------------------------- | +| `acl = "write"` | The permission allows you to replicate tokens. | +| `operator = "write"` | This permission enables the `proxy-default` configuration entries to be replicated and enables CA certificate signing in the secondary datacenter. | +| `policy = "read"` and `intentions = "read"` in the `service_prefix` field | These permissions enable `service-default` configuration entries, CA, and intention data to be replicated for all services. | + + + + + + +```hcl +acl = "write" + +operator = "write" + +service_prefix "" { + policy = "read" + intentions = "read" +} +``` + + + + + +```hcl +operator = "write" + +service_prefix "" { + policy = "read" + intentions = "read" +} + +namespace_prefix "" { + acl = "write" + + service_prefix "" { + policy = "read" + intentions = "read" + } +} + +``` + + + + + +Now that you have defined the ACL rules, create a replication policy. + +```shell-session +$ consul acl policy create -name replication -rules @replication-policy.hcl +ID: 240f1d01-6517-78d3-ec32-1d237f92ab58 +Name: replication +Description: Datacenters: +Rules: acl = "write" + +operator = "write" + +service_prefix "" { policy = "read" intentions = "read" } +``` + +Create the replication token with your newly created replication policy. + +```shell-session +$ consul acl token create -description "replication token" -policy-name replication +AccessorID: 67d55dc1-b667-1835-42ab-64658d64a2ff +SecretID: fc48e84d-3f4d-3646-4b6a-2bff7c4aaffb +Description: replication token +Local: false +Create Time: 2023-05-09 18:34:23.288392523 +0000 UTC +Policies: + 240f1d01-6517-78d3-ec32-1d237f92ab58 - replication +``` + +## Configure Consul servers in the secondary datacenter + +Set the `primary_datacenter` parameter to the name of your primary datacenter and `enable_token_replication` to true on all the servers. + + + + + +```hcl +datacenter = "dc2", +primary_datacenter= "dc1", +acl { + enabled = true, + default_policy = "deny", + down_policy = "extend-cache", + enable_token_persistence = true, + enable_token_replication = true +} +``` + + + + +```json +{ + "datacenter": "dc2", + "primary_datacenter": "dc1", + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + "enable_token_persistence": true, + "enable_token_replication": true + } +} +``` + + + + + +Start the servers on the secondary datacenter. + +```shell-session +consul agent -config-file=server.hcl +``` + +Repeat this process on all the servers in the secondary datacenter. + + + +When enabling ACL token replication in secondary datacenters, global tokens present in the secondary datacenter are lost. For production environments, we recommend configuring ACL replication when you initially bootstrap your datacenter. + + + +If you are using [Consul Enterprise](/consul/docs/enterprise) and the [admin partitions](/consul/docs/enterprise/admin-partitions), only ACL tokens in the default partition are replicated to other datacenters. + +## Apply the replication token to Consul servers + +Apply the replication token to all Consul servers in the secondary datacenter with the CLI. Replace `` with the replication token's secret ID value you created earlier. + +```shell-session +$ consul acl set-agent-token replication +ACL token "replication" set successfully +``` + +Repeat this process on all servers the secondary datacenter. If you are configuring ACLs for the first time, you must also set the agent token. + +## Configure clients in secondary datacenters + +Set the `primary_datacenter` parameter to the name of your primary datacenter and `enable_token_replication` to true on all the servers. + + + + + +```hcl +datacenter = "dc2", +primary_datacenter= "dc1", +acl { + enabled = true, + default_policy = "deny", + down_policy = "extend-cache", + enable_token_persistence = true, + enable_token_replication = true +} +``` + + + + +```json +{ + "datacenter": "dc2", + "primary_datacenter": "dc1", + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + "enable_token_persistence": true, + "enable_token_replication": true + } +} +``` + + + + +Start the agent. If your Consul servers are already up, you need to restart the Consul agents for ACL related configuration changes to take effect. + +```shell-session +$ consul agent -config-file=client.hcl +``` + +Repeat this process on all clients. If you are configuring ACLs for the first time, you must also set the agent token on all clients. + +## Check replication + +Now that you have set up ACL replication, use the [HTTP API](/consul/api-docs/acl#check-acl-replication) to check the configuration in the secondary datacenter. + +```shell-session +$ curl http://localhost:8500/v1/acl/replication?pretty +{ + "Enabled": true, + "Running": true, + "SourceDatacenter": "primary_dc", + "ReplicationType": "tokens", + "ReplicatedIndex": 19, + "ReplicatedTokenIndex": 22, + "LastSuccess": "2019-05-09T18:54:09Z", + "LastError": "0001-01-01T00:00:00Z" +} +``` + +Notice `ReplicationType` is set to `tokens`. This means tokens, policies, and roles are replicated from the primary datacenter to the secondary one. You can call the `/v1/acl/replication` endpoint in the primary datacenter, but it does not return replication configuration. \ No newline at end of file diff --git a/website/content/docs/secure/acl/index.mdx b/website/content/docs/secure/acl/index.mdx new file mode 100644 index 00000000000..03f155c1245 --- /dev/null +++ b/website/content/docs/secure/acl/index.mdx @@ -0,0 +1,93 @@ +--- +layout: docs +page_title: Access control list (ACL) overview +description: >- + Consul's ACL system secures communication and controls access to the API, CLI, and UI. Learn about ACL components and how they interact to authenticate requests and authorize access for your network. +--- + +# Access control list (ACL) overview + +This topic describes core concepts associated with the optional access control list (ACL) system shipped with Consul. ACLs authenticate requests and authorize access to resources. They also control access to the Consul UI, API, and CLI, as well as secure service-to-service and agent-to-agent communication. + +Refer to the [ACL API reference](/consul/api-docs/acl) and [ACL CLI reference](/consul/commands/acl) for more usage information. + +## Workflow overview + +There are two workflows for administrating and using ACLs, depending on whether you are the _ACL administrator_ or the _ACL consumer_. + +The ACL administrator configures and manages the ACL system. This role includes creating all of the artifacts required for ACLs, such as rules and policies, generating the ACL tokens, and distributing the tokens. The ACL consumers are users and services that use the token to authenticate to Consul. + +The ACL administrator needs to complete the following steps to manage the ACLs system: + +1. Create a [policy](#policies) by specifying one or more authentication rules. +1. Create a [token](#tokens) and link it one or more policies. The following diagram illustrates the relationship between rules, policies, and tokens: + + ![ACL system component relationships](/img/acl-token-policy-rule-relationship.png) + + For complex requirements, you can link additional artifacts to tokens, such as [templated policies](#templated-policies), [service identities](#service-identities), [node identities](#node-identities), and [roles](#roles). + +1. Distribute tokens to end users so they can incorporate the tokens into their services. + +ACL consumers must present the token when making requests through the CLI or API, when logging into the UI. Consul evaluates the token to determine if the request has permission to interact with the requested resource. + +Refer to the [Troubleshoot](#troubleshooting) page if you do not observe the expected behavior. + +## Tokens + +ACL tokens are the core method of authentication in Consul. The ACL token contains a value in its `SecretID` field that identifies users and services when making the request. If ACLs are enabled in Consul, you must include the ACL token to authenticate any requests you make. The ACL administrator can also use the token's `AccessorID` for audit logging purposes. + +Refer to the following topics for details about tokens: + +- [Tokens](/docs/secure-consul/acl/token) +- [ACL token command line](/consul/commands/acl/token) +- [ACL tokens API](/consul/api-docs/acl/tokens) + +## Policies + +An ACL policy is a set of rules that grant or deny access to resources in the network. The ACL administrator creates policies and links them to tokens. You can assign multiple policies to an ACL token. You also can configure policies to grant tokens different scopes. + +Refer to the following topics for details about policies: + +- [Policies](/consul/docs/secure-consul/acl/policy) +- [ACL policy command line](/consul/commands/acl/policy) +- [ACL policy API](/consul/api-docs/acl/policies) + +## Roles + +An ACL role is a collection of policies that your ACL administrator can link to a token. Roles let you decouple individual policies from the tokens. When you link tokens to roles, you can update the policies attached to the role without needing to redistribute new tokens to users. Roles can simplify the ACL authentication workflow because you do not need to create unique policies and tokens for each requester. + +Refer to the [Roles](/consul/docs/secure-consul/acl/role) page for more information. + +## Templated policies + +Templated policies are configuration blocks that you can add to token and role configurations. Consul uses them to generate a policy. Consul links the generated policy to the role or token, which provides the required access to a particular resource. + +You can use them during the authorization process to automatically generate a policy for common use cases, rather than creating multiple identical policies. + +Refer to the following topics for details about templated policies: + +- [API documentation for templated policies](/consul/api-docs/acl/templated-policies) +- [API documentation for roles](/consul/api-docs/acl/roles#sample-payload) +- [API documentation for tokens](/consul/api-docs/acl/tokens#sample-payload) + +## Service identities + +Service identities are configuration blocks that you can add to role configurations or specify when linking tokens to policies. You can use them during the authorization process to automatically generate a policy for specific services. The generated policy is linked to the role or token, allowing the services to be discovered and to discover other healthy service instances. + +Service identities let you quickly construct policies for services, rather than creating identical policies for each service. + +Refer to the following topics for details about service identities: + +- [Service Identities](/consul/docs/reference/acl/rule#service-identities) +- [API documentation for roles](/consul/api-docs/acl/roles#sample-payload) + +## Node identities + +Node identities are configuration blocks that you can add to role configurations or specify when linking tokens to policies. You can use them during the authorization process to automatically generate a policy for specific nodes. When you configure the agent, you can specify the token linked to the policy with [`acl_tokens_agent`](/consul/docs/reference/agent#acl_tokens_agent). + +Node identities let you quickly construct policies for multiple nodes, rather than creating identical polices for each individual node. + +Refer to the following topics for details about node identities: + +- [Node Identities](/consul/docs/reference/acl/rule#node-identities) +- [API documentation for roles](/consul/api-docs/acl/roles#sample-payload) diff --git a/website/content/docs/secure/acl/legacy.mdx b/website/content/docs/secure/acl/legacy.mdx new file mode 100644 index 00000000000..1eab921279d --- /dev/null +++ b/website/content/docs/secure/acl/legacy.mdx @@ -0,0 +1,323 @@ +--- +layout: docs +page_title: Migrate Access Control List (ACL) tokens +description: >- + Consul 1.4.0 introduced a new ACL system. Learn how to migrate your legacy ACL tokens if you have a Consul cluster that uses a version older than 1.4. +--- + +# Migrate Access Control List (ACL) tokens + +This page describes how to migrate your legacy ACL tokens if you have a Consul cluster that uses a version older than 1.4.0. Specifically, you will learn to: + +- manually migrate an agent token and get familiar with the CLI commands for ACL +- automate the token migration for tokens and policies that don't require tuning +- identify opportunities for improvement in your ACL configuration thanks to the new ACL system improvements. + +There are three different ways to migrate tokens: single token, simple policy mapping, and combine policy updates. Single token updates are a manual process for sensitive tokens. You can use simple policy mapping and combine policy updates to automate updating multiple tokens. + +## Requirements + +Before starting the token migration process, all Consul agents, servers, and clients must be running at least version 1.4.0. Additionally, you must ensure the datacenter is in a healthy state including a functioning leader. Once the leader has determined that all servers in the datacenter are capable of using the new ACL system, the leader will transition itself. Then, the other servers will transition themselves to the new system, followed by the client agents. You can use `consul info` to investigate the datacenter health. + +This process assumes that the 1.4.0 upgrade is complete, including all legacy ACLs having their accessor IDs populated. Accessor IDs are new to the 1.4 ACL system. This process can take up to several minutes after the servers upgrade. Ensure your tokens have an `AccessorID` before starting the migration. If the following command shows any blank `AccessorIDs`, wait until Consul has finished the upgrade. + +```shell-session +$ consul acl token list +AccessorID: 00000000-0000-0000-0000-000000000002 +Description: Anonymous Token +Local: false +Create Time: 0001-01-01 00:00:00 +0000 UTC +Legacy: false + +AccessorID: dd40ea2f-ff15-e7cb-8249-5d5e95b7ee75 +Description: foo-service-token_1 +Local: false +Create Time: 0001-01-01 00:00:00 +0000 UTC +Legacy: true + +AccessorID: 905755a7-0872-746a-8aee-e9bff2936c11 +Description: Agent Token +Local: false +Create Time: 0001-01-01 00:00:00 +0000 UTC +Legacy: true + +AccessorID: 5c72a103-d94e-a379-797c-2b418adec88b +Description: Master Token +Local: false +Create Time: 0001-01-01 00:00:00 +0000 UTC +Legacy: false +Policies: + 00000000-0000-0000-0000-000000000001 - global-management +## ... +``` + +From the output, you can notice that two tokens already exist in the new system, the master token and the anonymous token. All the other tokens present in the list are supported as "legacy" as you can verify by the `Legacy: true` setting. + +You need to configure `CONSUL_HTTP_TOKEN` with a token that has management privileges. + +```shell-session +$ export CONSUL_HTTP_TOKEN= +``` + +## Single token upgrade + +While legacy tokens will continue to work until Consul v1.6.x, we recommend migrating existing tokens as soon as possible. Migrating also enables using the new policy management improvements, stricter policy syntax rules, and other features of the new system without re-issuing all the secrets in use. + +You can upgrade a legacy token in three steps: + +1. Identify the token that needs to be upgraded +1. Create a new policy or policies that grant the required access +1. Update the existing token to use those policies + +### Identify token + +Pick a legacy token from the output of `consul acl token list` command. You can identify legacy tokens by the `Legacy: true` setting in the output. + +```shell-session +$ consul acl token list +## ... +AccessorID: 905755a7-0872-746a-8aee-e9bff2936c11 +Description: Agent Token +Local: false +Create Time: 0001-01-01 00:00:00 +0000 UTC +Legacy: true +## ... +``` + +The instructions on this page will use the legacy "Agent Token" token as an example. + +### Create a new policy + +For the selected token, use the `acl translate-rules` command to check the proposed rules for the policy you want to migrate. + +```shell-session +$ consul acl translate-rules -token-accessor "905755a7-0872-746a-8aee-e9bff2936c11" +node_prefix "" { + policy = "write" +} + +service_prefix "" { + policy = "read" +} +``` + +Notice the new policy has a `service_prefix` rule and not the original `service`. Since the legacy ACL syntax had an implicit prefix match, the `_prefix` was applied to all rules without needing to be specified. Now that `_prefix` is no longer implicit, you will need to add it to ensure any clients relying on prefix matching behavior will still work. You can use the Consul CLI to update the policy, without needing to edit the policy file. + + + +It might be beneficial for security to translate prefix matches into exact matches. However, this requires the operator knowing that clients using the token really don't rely on the prefix matching semantics of the old ACL system. + + + +Once you have verified the set of rules for the new policy, generate the new policy. + +```shell-session +$ consul acl policy create -name "migrated-Agent-policy" -from-token 905755a7-0872-746a-8aee-e9bff2936c11 -description "Migrated from legacy ACL agent token"; +ID: dcd37998-a564-b26a-dd8a-89414926d015 +Name: migrated-Agent-policy +Description: Migrated from legacy ACL agent token +Datacenters: +Rules: +node_prefix "" { + policy = "write" +} +service_prefix "" { + policy = "read" +} +``` + +Note, the use of the `-from-token` option to specify the rules for the new policy will be based on the rules embedded in the legacy token. + +Verify the new policy is in place. + +```shell-session +$ consul acl policy list +migrated-Agent-policy: + ID: dcd37998-a564-b26a-dd8a-89414926d015 + Description: Migrated from legacy ACL agent token + Datacenters: +## ... +``` + +### Update the token + +Finally, update the token to use the new policy. + +```shell-session +$ consul acl token update -id 905755a7-0872-746a-8aee-e9bff2936c11 -policy-name "migrated-Agent-policy" -upgrade-legacy +Token updated successfully. +AccessorID: 905755a7-0872-746a-8aee-e9bff2936c11 +SecretID: dbb88e67-817d-7eb7-f03b-af570462ae6f +Description: Agent Token +Local: false +Create Time: 0001-01-01 00:00:00 +0000 UTC +Policies: + dcd37998-a564-b26a-dd8a-89414926d015 - migrated-Agent-policy +``` + +For the upgrade to succeed, you need to use the `-upgrade-legacy` option to ensure that legacy rules are removed and the new policies added. + +If not specified, the migration will result in an error: + +```shell-session +$ consul acl token update -id 905755a7-0872-746a-8aee-e9bff2936c11 -policy-name "migrated-Agent-policy" +Failed to update token 905755a7-0872-746a-8aee-e9bff2936c11: Unexpected response code: 500 (Rules cannot be specified for this token) +``` + +After updating, the token is no longer considered "legacy" and will have all the properties of a new token, however it keeps its `SecretID` (the secret part of the token used in API calls) so clients already using that token will continue to work. These instructions assume that the policies you attach continue to grant the necessary access for existing clients. However, you need to verify this. + +You can also perform the upgrade using the [PUT `/v1/acl/token/:AccessorID`](/consul/api-docs/acl/tokens#update-a-token) endpoint. Specifically, ensure that the `Rules` field is omitted or empty. Empty `Rules` indicates that this is now treated as a new token. + +## Simple policy mapping + +If you have multiple tokens, migrating them manually might not be a viable option. + +One fast alternative to manual migration is to write an automation script to create a different policy with the same rules set, per legacy token, and then upgrade them. This approach is easy to automate, but may result in a lot of policies with exactly the same rules and with non-human-readable names which will make managing policies more difficult. + +### Identify existing legacy tokens + +Retrieve the `AccessorID` of every legacy token from the API. For example, using `curl` and `jq` in bash. + +```shell-session +$ LEGACY_IDS=$(curl -sH "X-Consul-Token: $CONSUL_HTTP_TOKEN" \ + 'localhost:8500/v1/acl/tokens' | jq -r '.[] | select (.Legacy) | .AccessorID') +``` + +List the legacy token's `AccessorID`. + +```shell-session +$ echo "$LEGACY_IDS" +7dff8907-eace-b403-1966-51ba92189ac7 +3d288b1c-ff11-47fa-e010-42d15a117534 +dd40ea2f-ff15-e7cb-8249-5d5e95b7ee75 +``` + +### Create policies from legacy tokens + +To create a policy for each token you can use a loop to iterate the `AccessorID` list and migrate the policy. + +```shell-session +$ for id in $LEGACY_IDS; do \ + consul acl policy create -name "migrated-$id" -from-token $id \ + -description "Migrated from legacy ACL token"; \ +done +``` + +This will return something similar to the following. + +```plaintext hideClipboard +ID: 95acbf71-9795-174d-d8fb-fef338c780ca +Name: migrated-7dff8907-eace-b403-1966-51ba92189ac7 +Description: Migrated from legacy ACL token +Datacenters: +Rules: +service_prefix "bar" { + policy = "write" +} +ID: 31189810-9503-eae7-9c09-01eb7c1346af +Name: migrated-3d288b1c-ff11-47fa-e010-42d15a117534 +Description: Migrated from legacy ACL token +Datacenters: +Rules: +service_prefix "bar" { + policy = "write" +} +ID: 06435a7b-59c2-585f-ae8e-b49a576b9c71 +Name: migrated-dd40ea2f-ff15-e7cb-8249-5d5e95b7ee75 +Description: Migrated from legacy ACL token +Datacenters: +Rules: +service_prefix "foo" { + policy = "write" +} +## ... +``` + +Each policy now has an equivalent set of rules to the original token. This means that the newly created policy grants the same effective permissions as the legacy token rules did. + +### Update tokens + +With the policies you previously created, you can automatically upgrade all legacy tokens. + +```shell-session +$ for id in $LEGACY_IDS; do \ + consul acl token update -id $id -policy-name "migrated-$id" -upgrade-legacy; \ +done +``` + +This will return something similar to the following. + +```plaintext hideClipboard +Token updated successfully. +AccessorID: 7dff8907-eace-b403-1966-51ba92189ac7 +SecretID: 1532ab31-f7aa-41f7-4989-5da3d537456a +Description: bar-service-token_1 +Local: false +Create Time: 0001-01-01 00:00:00 +0000 UTC +Policies: + 95acbf71-9795-174d-d8fb-fef338c780ca - migrated-7dff8907-eace-b403-1966-51ba92189ac7 +Token updated successfully. +AccessorID: 3d288b1c-ff11-47fa-e010-42d15a117534 +SecretID: 87a185c6-f42a-be80-e72e-d5489d68ddc4 +Description: bar-service-token_2 +Local: false +Create Time: 0001-01-01 00:00:00 +0000 UTC +Policies: + 31189810-9503-eae7-9c09-01eb7c1346af - migrated-3d288b1c-ff11-47fa-e010-42d15a117534 +Token updated successfully. +AccessorID: dd40ea2f-ff15-e7cb-8249-5d5e95b7ee75 +SecretID: c6aedb37-9600-a3b4-1ce1-d70aee04abc1 +Description: foo-service-token_1 +Local: false +Create Time: 0001-01-01 00:00:00 +0000 UTC +Policies: + 06435a7b-59c2-585f-ae8e-b49a576b9c71 - migrated-dd40ea2f-ff15-e7cb-8249-5d5e95b7ee75 +... +``` + +The update is now complete, all legacy tokens are now new tokens with identical secrets and enforcement rules. + +## Combine policies + +We recommend an automatic batch upgrade for legacy tokens when policies are relatively simple and specific for each token. With the combined policies method, you will use the same policy for multiple tokens. + +If policies are complex or you have overlapping rules across multiple tokens, we recommend using the migration process to re-engineer the ACL rules in your Consul deployment. This lets you to end up with a minimal set of policies and to take advantage of the flexibility of the new system. + +There are a variety of options for how to do this, however you will need to consider the trade-offs. Mainly, increased operator involvement will result in better clarity and re-usability of the resulting policies. + +In the following examples, you have two tokens associated to identical policies. + +```shell-session +$ for id in $LEGACY_IDS; do \ + echo "Policy for $id:"; \ + consul acl translate-rules -token-accessor "$id"; \ +done +``` + +This will return something similar to the following. + +```plaintext hideClipboard +## ... +Policy for 7dff8907-eace-b403-1966-51ba92189ac7: +service_prefix "bar" { + policy = "write" +} +Policy for 3d288b1c-ff11-47fa-e010-42d15a117534: +service_prefix "bar" { + policy = "write" +} +Policy for dd40ea2f-ff15-e7cb-8249-5d5e95b7ee75: +service_prefix "foo" { + policy = "write" +} +``` + +In these cases, you can generate only one policy and then upgrade both the legacy tokens to use the same policy. + +## Enforce the use of new ACLs + +These instructions assumes that all clients that need to create ACL tokens (for example, Vault's Consul secrets engine) have been updated to use the [new ACL APIs](/consul/api-docs/acl/tokens). + +Specifically if you are using Vault's Consul secrets engine, you need to be running Vault 1.0.0 or higher and you must update all roles defined in Vault to specify a list of policy names rather than an inline policy (which causes Vault to use the legacy API). + +If you have systems still creating "legacy" tokens with the old APIs, the following migration steps will still work, however you need to keep re-running them until nothing is creating legacy tokens to ensure all tokens are migrated. \ No newline at end of file diff --git a/website/content/docs/secure/acl/policy.mdx b/website/content/docs/secure/acl/policy.mdx new file mode 100644 index 00000000000..de78f7c2db2 --- /dev/null +++ b/website/content/docs/secure/acl/policy.mdx @@ -0,0 +1,536 @@ +--- +layout: docs +page_title: ACL Policies +description: >- + ACL policies define access control rules for resources in Consul. When an ACL token is submitted with a request, Consul authorizes access based on the token's associated policies. Learn how to format and combine rules into policies and apply them to tokens. +--- + +# ACL Policies + +This topic describes policies, which are components in Consul's access control list (ACL) system. Policies define which services and agents are authorized to interact with resources in the network. + +## Introduction + +A policy is a group of one or more ACL rules that are linked to [ACL tokens](/consul/docs/secure-consul/acl/token). The following diagram describes the relationships between rules, policies, and tokens: + +![ACL system component relationships](/img/acl-token-policy-rule-relationship.png) + +The term "policy" should not be confused with the keyword [`policy`](#policy-dispositions). The keyword is a rule-level element that determines access to a resource. + +## Define policies with rules + +Rules are one of several [policy attributes](#policy-attributes). They are building blocks that define access to resources. + +This section describes about how to assemble rules into policies. Refer to the [ACL Rules Reference](/consul/docs/secure-consul/acl/rules) for additional details about how to configure rules and how they affect access to resources. + +### Policy format + +You can define policies using [HCL](https://github.com/hashicorp/hcl/). HCL is human readable and interoperable with JSON, making it easy to automate policy generation. The following examples show the same policy formatted in HCL and JSON: + + + +```hcl +# These control access to the key/value store. +key_prefix "" { + policy = "read" +} +key_prefix "foo/" { + policy = "write" +} +key_prefix "foo/private/" { + policy = "deny" +} +# Or for exact key matches +key "foo/bar/secret" { + policy = "deny" +} + +# This rule controls access to cluster-wide Consul operator information. +operator = "read" +``` + +```json +{ + "key_prefix": { + "": { + "policy": "read" + }, + "foo/": { + "policy": "write" + }, + "foo/private/": { + "policy": "deny" + } + }, + "key": { + "foo/bar/secret": { + "policy": "deny" + } + }, + "operator": "read" +} +``` + + + +### Rule specification + +A rule is composed of a resource declaration and an access level defined with the `policy` keyword and a [policy disposition](#policy-dispositions). The following syntax describes the basic structure of a rule: + + + +```hcl + { + policy = "" +} +``` + +```json +{ + "": { + "policy": "" + } +} +``` + + + +Access to the specified resource is granted or denied based on the policy disposition. + +### Resource labels + +Many resources take an additional value that limits the scope of the rule to resources with the same label. A resource label can be the name of a specific set of resources, such as nodes configured with the same `name` value. + +The following syntax describes how to include a resource label in the rule: + + + +```hcl + " + +Labels provide operators with more granular control over access to the resource, but the following resource types do not take a label: + +- `acl` +- `keyring` +- `mesh` +- `operator` + +Use the following syntax to create rules for these resources: + + + +```hcl + = "" +``` + +```json +{ + "": "" +} +``` + + + +### Policy dispositions + +Use the `policy` keyword and one of the following access levels to set a policy disposition: + +- `read`: Allows the resource to be read but not modified. +- `write`: Allows the resource to be read and modified. +- `deny`: Denies read and write access to the resource. + +The special `list` access level provides access to all keys with the specified resource label in the [Consul KV](/consul/commands/kv/). The `list` access level can only be used with the `key_prefix` resource. The [`acl.enable_key_list_policy`](/consul/docs/reference/agent#acl_enable_key_list_policy) setting must be set to `true`. + +### Matching and prefix values + +You can define rules for labeled resources based on exact matches or by using resource prefixes to match several resource labels beginning with the same value. The [Resource Labels](#resource-labels) section describes matching resource labels on exact values. + +The following example rule is an exact match that denies access to services labeled `web-prod`: + + + +```hcl +service "web-prod" { + policy = "deny" +} +``` + +```json +{ + "service": { + "web-prod": { + "policy": "deny" + } + } +} +``` + + + +You can append the resource with `_prefix` to match all resource labels beginning with the same value. The following example rule allows `write` access to all services with labels that begin with "web": + + + +```hcl +service_prefix "web" { + policy = "write" +} +``` + +```json +{ + "service_prefix": { + "web": { + "policy": "write" + } + } +} +``` + + + +Prefix-based resource labels can also contain an empty string, which configures the rule to apply to all resources of the declared type. The following example rule allows `read` access to all `service` resources: + + + +```hcl +service_prefix "" { + policy = "read" +} +``` + +```json +{ + "service_prefix": { + "": { + "policy":"read" + } + } +} +``` + + + +When using prefix-based rules, the most specific prefix match determines the action. In a real-world scenario, you would combinen a combination of rules to create a flexible policy. Each team or business unit would use tokens based on policies that enforce several rules, for example: + +- A rule that denies access to a specific resource label +- A prefix-based rule that allows write access to a class of resources +- An empty prefix that grants read-only access to all resources within the declared class + +#### Matching precedence + +Exact matching rules will only apply to the exact resource specified. The order of precedence for matching rules are: + +1. `deny` (highest priority) +1. `write` +1. `read` + +### Rule scope + +A token's effective rule set includes the rules from all linked policies, including from roles and service identities. You can define policy rules in either an `allowlist` or `denylist` mode, depending on the configuration of the [`acl_default_policy`](/consul/docs/reference/agent#acl_default_policy). + +If you have configured the default policy to deny access to all resources (recommended), you can specify `allowlist` in policy rules to explicitly allow access to resources. Conversely, if you have configured the default policy to allow access to all resources, you can specify `denylist` in policy rules to explicitly deny access to resources. + +## Implement policies + +After you have defined policies, the ACLs administrator can implement them through the CLI or HTTP API. + + + + +Use the `consul acl policy` command to manage policies. Refer to the [ACL command line documentation](/consul/commands/acl/policy) for details. + +The following example creates a policy called `my-app-policy` and applies the rules defined in `rules.hcl`. You must pass a token with `write` permissions the ACL system with the command. + +```shell-session +$ consul acl policy create -name "my-app-policy" -description "Human-readable description of my policy" -rules @rules.hcl -token "" +ID: +Name: my-app-policy +Description: Human-readable description of my policy +Datacenters: +Rules: + +``` + +You can define several attributes to attach additional metadata and specify the scope of the policy. Refer to [Policy attributes](#policy-attributes) for details. + + + + +The endpoint takes data formatted in HCL or JSON. Refer to the [ACL HTTP API endpoint documentation](/consul/api-docs/acl/policies) for details about the API. + +The following example adds a set of rules to a policy called `my-app-policy`. The policy defines access to the `key` resource (Consul K/V). The rules are formatted in HCL, but they are wrapped in JSON so that the data can be sent using cURL: + + + + +```shell-session +$ curl \ + --request PUT \ + --header "X-Consul-Token: " \ + --data \ +'{ + "Name": "my-app-policy", + "Rules": "key \"\" { policy = \"read\" } key \"foo/\" { policy = \"write\" } key \"foo/private/\" { policy = \"deny\" } operator = \"read\"" +}' http://127.0.0.1:8500/v1/acl/policy +``` + + + + +```shell-session +$ curl \ + --request PUT \ + --header "X-Consul-Token: " \ + --data \ +'{ + "Name": "my-app-policy", + "Rules": "{\"key\":{\"\":{\"policy\":\"read\"},\"foo/\":{\"policy\":\"write\"},\"foo/private\":{\"policy\":\"deny\"}},\"operator\":\"read\"}" +}' http://127.0.0.1:8500/v1/acl/policy +``` + + + + +The ACL endpoint returns the policy configuration when the call is successfully performed: + +```json +{ + "CreateIndex": 7, + "Hash": "UMG6QEbV40Gs7Cgi6l/ZjYWUwRS0pIxxusFKyKOt8qI=", + "ID": "5f423562-aca1-53c3-e121-cb0eb2ea1cd3", + "ModifyIndex": 7, + "Name": "my-app-policy", + "Rules": "key \"\" { policy = \"read\" } key \"foo/\" { policy = \"write\" } key \"foo/private/\" { policy = \"deny\" } operator = \"read\"" +} +``` + + + + +## Link policies to tokens + +After you create a policy, you must link it to a token before the policy has an effect. A service or agent presents the token when interacting with resources in the network. The ACL system evaluates the policies linked to the token to determine if the requester has access to the requested resource. + +The ACLs administrator can use the CLI or API to link policies to tokens. You can also generate the tokens dynamically from an external system using Consul [auth methods](/consul/docs/secure-consul/acl/auth-methods). Refer to the [tokens documentation](/consul/docs/secure-consul/acl/token) for details about creating and linking policies to tokens. + +## Policy attributes + +Policies may have several attributes that enable you to perform specific functions. For example, you can configure the policy's scope by specifying the name of a datacenter, namespace (Consul Enterprise), or administrative partition (Consul Enterprise) when interacting or creating policies. + +Additional metadata, such as the values of the `ID` and `name` fields, provide handles for updating and managing policies. + +Refer to the following topics for additional information: + +- [Namespaces](/consul/docs/enterprise/namespaces) +- [Admin partitions](/consul/docs/enterprise/admin-partitions) + +ACL policies can have the following attributes: + +| Attribute | Description | Required | Default | +| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------- | --------- | +| `ID` | The policy's public identifier. Present the `ID` (or the `name`) value when interacting with policies. You can specify a value when creating policies or use the value auto-generated by Consul. | N/A | N/A | +| `name` | Unique name for the policy. | Required | none | +| `description` | Human readable description of the policy. | Optional | none | +| `rules` | Set of rules granting or denying permissions. Refer to the [Rule Specification](/consul/docs/secure-consul/acl/rules#rule-specification) documentation for more details. | Optional | none | +| `datacenter` | Datacenter in which the policy is valid. More than one datacenter can be specified. | Optional | none | +| `namespace` | Namespace in which the policy is valid. Added in Consul Enterprise 1.7.0. | Optional | `default` | +| `partition` | Admin partition in which the policy is valid. Added in Consul Enterprise 1.11.0 | Optional | `default` | + + + +Rules defined in a policy tied to an namespace or admin partition other than `default` can only grant a subset of privileges that affect the namespace or partition. Refer to [Namespace rules](/consul/docs/secure-consul/acl/rules#namespace-rules) and [Admin partition rules](/consul/docs/secure-consul/acl/rules#admin-partition-rules) for more details. + + + +You can view the current ACL policies through the CLI or API. The following command lists the current ACL policies: + +```shell-session +$ consul acl policy list -format json -token +[ + { + "ID": "56595ec1-52e4-d6de-e566-3b78696d5459", + "Name": "b-policy", + "Description": "", + "Datacenters": null, + "Hash": "ULwaXlI6Ecqb9YSPegXWgVL1LlwctY9TeeAOhp5HGBA=", + "CreateIndex": 126, + "ModifyIndex": 126, + "Namespace": "default", + "Partition": "default" + }, + { + "ID": "00000000-0000-0000-0000-000000000001", + "Name": "global-management", + "Description": "Builtin Policy that grants unlimited access", + "Datacenters": null, + "Hash": "W1bQuDAlAlxEb4ZWwnVHplnt3I5oPKOZJQITh79Xlog=", + "CreateIndex": 70, + "ModifyIndex": 70, + "Namespace": "default", + "Partition": "default" + } +] +``` + +The `Hash`, `CreateIndex`, and `ModifyIndex` attributes are also printed. These attributes are printed for all responses and are not specific to ACL policies. + +## Required privileges for datacenter operations + +The following table with the minimum required privileges for a set of common operations. You can also use exact match rules when creating specific policies that are less flexible. + +| CLI operation | Required privilege(s_ | +| ------------------------------------------ | ------------------------------------------------------------------------ | +| `consul reload` | `agent_prefix "": policy = "write"` | +| `consul monitor` | `agent_prefix "": policy = "read"` | +| `consul leave` | `agent_prefix "": policy = "write"` | +| `consul members` | `node_prefix "": policy = "read"` | +| `consul acl` | `acl = "write"` | +| `consul catalog services` | `service_prefix "": policy = "read"` | +| `consul catalog nodes` | `node_prefix "": policy = "read"` | +| `consul services register` | `service_prefix "": policy = "write"` | +| `consul services register` (Connect proxy) | `service_prefix "": policy = "write"`, `node_prefix "": policy = "read"` | +| `consul connect intention` | `service_prefix "": intention = "write"` | +| `consul kv get` | `key_prefix "": policy = "read"` | +| `consul kv put` | `key_prefix "": policy = "write"` | + + +## Built-in policies + +New Consul deployments have the following built-in policies. + +### Global management + +The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope. + +### Global read-only + +The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope. + +### Namespace management + +The `namespace-management` policy will be injected into all namespaces you create. The policy will be assigned a randomized UUID and can be managed as a normal, user-defined policy within the namespace. This feature was added in Consul Enterprise 1.7.0. + +## Example policies + +This section includes example policy configurations for achieving specific use-cases. + +### Enable the snapshot agent to run on a specific node + +The `consul snapshot agent` command starts a process that takes snapshots of the state of the Consul servers and either saves them locally or pushes them to a remote storage service. Refer to [Consul Snapshot Agent](/consul/commands/snapshot/agent) for additional information. + +In the following example, the ACL policy enables the snapshot agent to run on a node named `server-1234`. + + + +```hcl +# Required to read and snapshot ACL data +acl = "write" +# Allow the snapshot agent to create the key consul-snapshot/lock which will +# serve as a leader election lock when multiple snapshot agents are running in +# an environment +key "consul-snapshot/lock" { + policy = "write" +} +# Allow the snapshot agent to create sessions on the specified node +session "server-1234" { + policy = "write" +} +# Allow the snapshot agent to register itself into the catalog +service "consul-snapshot" { + policy = "write" +} +``` + +```json +{ + "acl": "write", + "key": { + "consul-snapshot/lock": { + "policy": "write" + } + }, + "session": { + "server-1234": { + "policy": "write" + } + }, + "service": { + "consul-snapshot": { + "policy": "write" + } + } +} +``` + + + +### Enable Vault to access the Consul storage backend + +If you are using [Vault](/vault/docs) to manage secrets in your infrastructure, you can configure Vault to use Consul's key/value (KV) store as backend storage to persist Vault's data. Refer to the [Consul KV documentation](/consul/docs/dynamic-app/kv) and the [Vault storage documentation](/vault/docs/configuration/storage) for more details. + +In the following example, the ACL policy enables Vault to register as a service +and provides access to the `vault/` path in Consul's KV store. + + + +```hcl +# Provide KV visibility to all agents. +agent_prefix "" { + policy = "read" +} +# Enable resources prefixed with 'vault/' to write to the KV +key_prefix "vault/" { + policy = "write" +} +# Enable the vault service to write to the KV +service "vault" { + policy = "write" +} +# Enable the agent to initialize a new session. +session_prefix "" { + policy = "write" +} +``` + +```json +{ + "agent_prefix": { + "": { + "policy": "read" + } + }, + "key_prefix": { + "vault/": { + "policy": "write" + } + }, + "service": { + "vault": { + "policy": "write" + } + }, + "session_prefix": { + "": { + "policy": "write" + } + } +} +``` + + diff --git a/website/content/docs/secure/acl/role.mdx b/website/content/docs/secure/acl/role.mdx new file mode 100644 index 00000000000..5d3450681a0 --- /dev/null +++ b/website/content/docs/secure/acl/role.mdx @@ -0,0 +1,413 @@ +--- +layout: docs +page_title: ACL Roles +description: >- + Roles are a named collection of ACL policies, service identities, and node identities. Learn how roles allow you to reuse and update access control policies without needing to distribute new tokens to users. +--- + +# ACL Roles + +A role is a collection of policies that your ACL administrator can link to a token. They enable you to reuse policies by decoupling the policies from the token distributed to team members. Instead, the token is linked to the role, which is able to hold several policies that can be updated asynchronously without distributing new tokens to users. As a result, roles can provide a more convenient authentication infrastructure than creating unique policies and tokens for each requester. + +## Workflow overview + +Roles are configurations linking several policies to a token. The following procedure describes the workflow for implementing roles. + +1. Assemble rules into [policies](/consul/docs/secure-consul/acl/policies) and register them in Consul. +1. Define a role and include the policy IDs or names. +1. Register the role in Consul and link it to a token. +1. Distribute the tokens to users for implementation. + +## Create roles + +Creating roles is commonly the responsibility of the Consul ACLs administrator. Roles have several attributes, including service identities and node identities. Refer to the following documentation for details: + +- [Role attributes](#role-attributes) +- [Templated policies](#templated-policies) +- [Service identities](#service-identities) +- [Node identities](#node-identities) + +Use the Consul CLI or API endpoint to create roles. + + + + +Issue the `consul acl role create` command to create roles. In the following example, a role named `crawler` is created that contains a policy named `crawler-kv` and a policy named `crawler-key`. + +```shell-session +$ consul acl role create -name "crawler" -description "web crawler role" -policy-name "crawler-kv" -policy-name "crawler-key" +``` + +Refer to the [CLI documentation](/consul/commands/acl/role) for details. + + + + +Make a `PUT` call to the `acl/role` endpoint and specify the role configuration in the payload to create roles. You can save the role definition in a JSON file or use escaped JSON in the call. In the following example call, the payload is defined externally. + +```shell-session +$ curl --request PUT --data @payload.json http://127.0.0.1:8500/v1/acl/role +``` + +Refer to the [API documentation](/consul/api-docs/acl/roles) for details. + + + + +## Role attributes + +Roles may contain the following attributes: + +- `ID`: The `ID` is an auto-generated public identifier. You can specify the role `ID` when linking it to tokens. +- `Name`: A unique meaningful name for the role. You can specify the role `Name` when linking it to tokens. +- `Description`: (Optional) A human-readable description of the role. +- `Policies`: Specifies a the list of policies that are applicable for the role. The object can reference the policy `ID` or `Name` attribute. +- `TemplatedPolicies`: Specifies a list of templated polcicies that are applicable for the role. See [Templated Policies](#templated-policies) for details. +- `ServiceIdentities`: Specifies a list of services that are applicable for the role. See [Service Identities](#service-identities) for details. +- `NodeIdentities`: Specifies a list of nodes that are applicable for the role. See [Node Identities](#node-identities) for details. +- `Namespace`: The namespace that the policy resides in. Roles can only be linked to policies that are defined in the same namespace. See [Namespaces](/consul/docs/segment/namespace) for additional information. Requires Consul Enterprise 1.7.0+ +- `Partition`: The admin partition that the policy resides in. Roles can only be linked to policies that are defined in the same admin partition. See [Admin Partitions](/consul/docs/segment/admin-partition) for additional information. Requires Consul Enterprise 1.10.0+. + +## Templated policies + +You can specify a templated policy when configuring roles or linking tokens to policies. Templated policies enable you to quickly construct policies for common Consul use cases, rather than creating identical policies for each use cases. + +Consul uses templated policies during the authorization process to automatically generate a policy for the use case specified. Consul links the generated policy to the role or token so that it will have permission for the specific use case. + +### Templated policy specification + +The following templated policy example configuration uses the `builtin/service` templated policy to give a service named `api` and its sidecar proxy the required permissions to register into the catalog. + +```json +{ + "TemplatedPolicies": [ + { + "TemplateName": "builtin/service", + "TemplateVariables": { + "Name": "api" + } + } + ] +} +``` + +- `TemplatedPolicies`: Declares a templated policy block. +- `TemplatedPolicies.TemplateName`: String value that specifies the name of the templated policy you want to use. +- `TemplatedPolicies.TemplateVariables`: Map that specifies the required variables for the templated policies. This field is optional as not all templated policies require variables. + +Refer to the [API documentation for roles](/consul/api-docs/acl/roles#sample-payload) for additional information and examples. + + + +In Consul Enterprise, templated policies inherit the namespace or admin partition scope of the corresponding ACL token or role. + + + +The `builtin/service` sample templated policy generates the following policy for a service named `api`: + +```hcl +# Allow the service and its sidecar proxy to register into the catalog. +service "api" { + policy = "write" +} +service "api-sidecar-proxy" { + policy = "write" +} + +# Allow for any potential upstreams to be resolved. +service_prefix "" { + policy = "read" +} +node_prefix "" { + policy = "read" +} +``` + +Refer to the [rules reference](/consul/docs/secure-consul/acl/rules) for information about the rules in the policy. + +### Example role configuration with templated policies + +The following role configuration contains a templated policy that gives the role required permission for a service named `web` to register itself and its sidecar into the catalog. + + + +```json +{ + "Name": "example-role", + "Description": "Showcases all input parameters", + "TemplatedPolicies": [ + { + "TemplateName": "builtin/service", + "TemplateVariables": { + "Name": "web" + } + } + ] +} +``` + + + +During the authorization process, Consul generates the following policies for the `web` services and links it to the token: + + + +```hcl +# Allow the service and its sidecar proxy to register into the catalog. +service "web" { + policy = "write" +} +service "web-sidecar-proxy" { + policy = "write" +} + +# Allow for any potential upstreams to be resolved. +service_prefix "" { + policy = "read" +} +node_prefix "" { + policy = "read" +} +``` + + +## Service identities + +You can specify a service identity when configuring roles or linking tokens to policies. Service identities enable you to quickly construct policies for services, rather than creating identical polices for each service. + +Consul uses service identities during the authorization process to automatically generate a policy for the specified service. The policy is linked to the role or token so that services can _be discovered_ and _discover other healthy service instances_ in a service mesh. Refer to the [service mesh](/consul/docs/connect) topic for additional information about Consul service mesh. + +### Service identity specification + +Use the following syntax to define a service identity: + +```json +{ + "ServiceIdentities": [ + { + "ServiceName": "", + "Datacenters": [""] + } + ] +} +``` + +- `ServiceIdentities`: Declares a service identity block. +- `ServiceIdentities.ServiceName`: String value that specifies the name of the service you want to associate with the policy. +- `ServiceIdentities.Datacenters`: Array that specifies the names of datacenters in which the service identity applies. This field is optional. + +Refer to the [API documentation for roles](/consul/api-docs/acl/roles#sample-payload) for additional information and examples. + + + +In Consul Enterprise, service identities inherit the namespace or admin partition scope of the corresponding ACL token or role. + + + +Consul generates the following policy for each service when you declare a service identity: + +```hcl +# Allow the service and its sidecar proxy to register into the catalog. +service "" { + policy = "write" +} +service "-sidecar-proxy" { + policy = "write" +} + +# Allow for any potential upstreams to be resolved. +service_prefix "" { + policy = "read" +} +node_prefix "" { + policy = "read" +} +``` + +Refer to the [rules reference](/consul/docs/secure-consul/acl/rules) for information about the rules in the policy. + +### Example role configuration with service identities + +The following role configuration contains service identities for the `web` and `db` services. Note that the `db` service is also scoped to the `dc1` datacenter so that the policy will only be applied to instances of `db` in `dc1`. + + + +```json +{ + "Name": "example-role", + "Description": "Showcases all input parameters", + "Policies": [ + { + "ID": "783beef3-783f-f41f-7422-7087dc272765" + }, + { + "Name": "node-read" + } + ], + "ServiceIdentities": [ + { + "ServiceName": "web" + }, + { + "ServiceName": "db", + "Datacenters": ["dc1"] + } + ], + "NodeIdentities": [ + { + "NodeName": "node-1", + "Datacenter": "dc2" + } + ] +} +``` + + + +During the authorization process, Consul generates the following policies for the `web` and `db` services and links them to the token: + + + +```hcl +# Allow the service and its sidecar proxy to register into the catalog. +service "web" { + policy = "write" +} +service "web-sidecar-proxy" { + policy = "write" +} + +# Allow for any potential upstreams to be resolved. +service_prefix "" { + policy = "read" +} +node_prefix "" { + policy = "read" +} +``` + + + +Per the `ServiceIdentities.Datacenters` configuration, the `db` policy is scoped to resources in the `dc1` datacenter. + + + +```hcl +# Allow the service and its sidecar proxy to register into the catalog. +service "db" { + policy = "write" +} +service "db-sidecar-proxy" { + policy = "write" +} + +# Allow for any potential upstreams to be resolved. +service_prefix "" { + policy = "read" +} +node_prefix "" { + policy = "read" +} +``` + + + +## Node identities + +You can specify a node identity when configuring roles or linking tokens to policies. _Node_ commonly refers to a Consul agent, but a node can also be a physical server, cloud instance, virtual machine, or container. + +Node identities enable you to quickly construct policies for nodes, rather than manually creating identical polices for each node. They are used during the authorization process to automatically generate a policy for the node(s) specified. You can specify the token linked to the policy in the [`acl_tokens_agent`](/consul/docs/reference/agent#acl_tokens_agent) field when configuring the agent. + +### Node identity specification + +Use the following syntax to define a node identity: + +```json +{ + "NodeIdentities": [ + { + "NodeName": "", + "Datacenter": "" + } + ] +} +``` + +- `NodeIdentities`: Declares a node identity block. +- `NodeIdentities.NodeName`: String value that specifies the name of the node you want to associate with the policy. +- `NodeIdentities.Datacenter`: String value that specifies the name of the datacenter in which the node identity applies. + +Refer to the [API documentation for roles](/consul/api-docs/acl/roles#sample-payload) for additional information and examples. + + + +You can only apply node identities to tokens and roles in the `default` namespace. The generated policy rules allow for `service:read` permissions on all services in all namespaces. + + + +Consul generates the following policy for each node when you declare a node identity: + +```hcl +# Allow the agent to register its own node in the Catalog and update its network coordinates +node "" { + policy = "write" +} + +# Allows the agent to detect and diff services registered to itself. This is used during +# anti-entropy to reconcile difference between the agents knowledge of registered +# services and checks in comparison with what is known in the Catalog. +service_prefix "" { + policy = "read" +} +``` + +Refer to the [rules reference](/consul/docs/secure-consul/acl/rules) for information about the rules in the policy. + +### Example role configuration with node identities + +The following role configuration contains a node identity for `node-1`. Note that the node identity is also scoped to the `dc2` datacenter. As a result, the policy will only be applied to nodes named `node-1` in `dc2`. + + + +```json +{ + "Name": "example-role", + "Description": "Showcases all input parameters", + "Policies": [ + { + "ID": "783beef3-783f-f41f-7422-7087dc272765" + }, + { + "Name": "node-read" + } + ], + "NodeIdentities": [ + { + "NodeName": "node-1", + "Datacenter": "dc2" + } + ] +} +``` + + + +During the authorization process, Consul generates the following policy andl links it to the token: + + + +```hcl +# Allow the agent to register its own node in the Catalog and update its network coordinates +node "node-1" { + policy = "write" +} + +# Allows the agent to detect and diff services registered to itself. This is used during +# anti-entropy to reconcile differences between the agent's knowledge of registered +# services and checks in comparison with what is known in the Catalog. +service_prefix "" { + policy = "read" +} +``` + + \ No newline at end of file diff --git a/website/content/docs/secure/acl/token.mdx b/website/content/docs/secure/acl/token.mdx new file mode 100644 index 00000000000..dd4ec7d7066 --- /dev/null +++ b/website/content/docs/secure/acl/token.mdx @@ -0,0 +1,254 @@ +--- +layout: docs +page_title: ACL Tokens +description: >- + Tokens are used to authenticate users, services, and agents and authorize their access to resources in Consul. Learn about token attributes, special-purpose and built-in tokens, and how to pass a token's SecretID in the CLI and API. +--- + +# ACL Tokens + +This topic describes access control list (ACL) tokens, which are the core method of authentication in Consul. + +## Introduction + +Tokens are artifacts in the ACL system used to authenticate users, services, and Consul agents. When ACLs are enabled, entities requesting access to a resource must include a token that has been linked with a policy, service identity, or node identity that grants permission to the resource. The ACL system checks the token and grants or denies access to resource based on the associated permissions. + +Refer to the [ACL workflow overview](/consul/docs/secure-consul/acl#workflow-overview) for information about tokens' role in the ACL system. + +## Create tokens + +The ACLs administrator can use the HTTP API or CLI to create and link tokens to entities that enable permissions to resources. + + + + +```shell-session +$ consul acl token create -description "Read nodes and services" -policy-name node-services-read +``` + + + + +```shell-session +$ curl --request PUT --data @payload.json http://127.0.0.1:8500/v1/acl/token +``` + + + + +Refer to the [ACL API](/consul/api-docs/acl/tokenscl) and [ACL CLI](/consul/commands/acl/token/create) documentation for more details on how to create and link tokens. Tokens can also be created dynamically from trusted external system using an [auth method](/consul/docs/secure-consul/acl/auth-methods). + +## Pass tokens + +Users performing Consul operations or deploying their services into the network need to include an ACL token with the necessary policies to perform the action. ACL token is the value of the token's `SecretID` attribute. This token is an opaque string that identifies the requester so that the ACL system can determine whether it should grant or deny access to the requested resource. + +Refer to [ACL token reference](/consul/docs/reference/acl/token) for a full list of token attributes. + +### Perform Consul operations + +When ACLs are enabled, you must pass an ACLs token with your request to interact with Consul. + + + + +There are two ways to pass an ACL token when using the Consul CLI. + +1. Specify the ACL token with the [`-token`](/consul/commands#authentication) command line flag. The following example passes an ACL token so the user can create an intention: + + ```shell-session + $ consul intention create -file one.hcl -token "" + ``` + +1. Set the ACL token as an environment variable named `CONSUL_HTTP_TOKEN`. This will let you omit the `-token` flag when performing operations with the CLI. + + ```shell-session + $ export CONSUL_HTTP_TOKEN="" + ``` + + + + +Specify the token in the HTTP `X-Consul-Token` header field to make an API request. Refer to the [HTTP API documentation](/consul/api-docs/api-structure#authentication) for details. + +The following example shows the header for a `GET` request to the `agent/members` endpoint. + +```shell-session +$ curl --header "X-Consul-Token: " "http://127.0.0.1:8500/v1/agent/members" +``` + + + + +### Configure services with ACLs + +Specify the value of the `SecretID` attribute with the `token` parameter when configuring your services. The following example service configuration includes a sample ACL token to the `redis` service. This ACL token must have read and write rules to interact with Consul catalog. + + + + +```hcl +service = { + id = "redis" + name = "redis" + namespace = "foo" + token = "" +} +``` + + + + +```json +{ + "service": { + "id": "redis", + "name": "redis", + "namespace": "foo", + "token": "" + } +} +``` + + + + +Refer to [service definition reference](/consul/docs/reference/service) for more information. + +### Configure agents with ACLs + +You can configure Consul agents to hold several ACL tokens ([`acl.tokens`](#special-purpose-tokens)) to accommodate several use cases, such as bootstrapping the ACL system or accessing Consul under specific conditions. + +In the following example, the agent is configured to use a default token: + + + +```hcl +acls { + tokens = { + default = "00000000-0000-0000-0000-000000000000" + } +} +``` + +```json +{ + "acls": { + "tokens": { + "default": "00000000-0000-0000-0000-000000000000" + } + } +} +``` + + + +Refer to the [agent configuration reference](/consul/docs/reference/agent#acl) for more information. + +# Rotate token + +We recommend rotating tokens on a regular basis to ensure the security of your deployment. + +To rotate a token, you must create a new token, update any configuration that references the old token with the new token, and then delete the old token. You can rotate tokens used to register services and agents, query DNS, and access Consul data. + +To keep the same privileges as the previous token, use the clone command with the existing token's `AccessorID`. + +```shell-session +$ consul acl token clone -description "Clone of " -id +Token cloned successfully. +AccessorID: dcfa52ed-9288-b3ff-056d-255ef69d2d88 +SecretID: 0005d17e-5bb2-7e8b-7bfa-15f2eee9ad14 +Description: Clone of Super User +Local: false +Create Time: 2018-10-22 16:26:02.909096 -0400 EDT +Policies: + 00000000-0000-0000-0000-000000000001 - global-management +``` + +Apply tokens to [the agent](/consul/docs/secure-consul/acl/bootstrap#add-token-to-agents) or to [the services](/consul/docs/secure-consul/acl/bootstrap#add-token-to-service-definition) as needed. + +Finally, delete the old token from Consul. Alternatively, you can delete ACL tokens using the [`acl` endpoint on the HTTP API](/consul/api-docs/acl/tokens#delete-a-token). + +```shell-session +$ consul acl token delete -id 6a1253d2-1785-24fd-91c2-f8e78c745511 +``` + +## Special-purpose tokens + +The following table describes a subset of special purpose tokens. Refer to [`acl.tokens`](#special-purpose-tokens)) for a full set of special purpose tokens you can configure. + +| Token | Servers | Clients | Description | +| ----------------------------- | ---------- | ---------- | ----------- | +| [`acl.tokens.agent`](/consul/docs/reference/agent#acl_tokens_agent) | `optional` | `optional` | Used for internal agent operations. Refer to [ACL agent token](#acl-agent-token) for details. | +| [`acl.tokens.agent_recovery`](/consul/docs/reference/agent#acl_tokens_agent_recovery) | `optional` | `optional` | Enables access to the [`agent/` HTTP API endpoint](/consul/api-docs/agent) when remote bearer token resolution fails.
    Used for setting up the cluster and performing initial join operations.
    Refer to [ACL agent recovery token](#acl-agent-recovery-token) for details. | +| [`acl.tokens.default`](/consul/docs/reference/agent#acl_tokens_default) | `optional` | `optional` | Specifies a default token to use for client requests if no token is supplied. This token is commonly configured with read-only access to services to enable DNS service discovery on agents. | +| [`acl.tokens.initial_management`](/consul/docs/reference/agent#acl_tokens_initial_management) | `optional` | `n/a` | Used to bootstrap the ACL system. Refer to [Initial management token](#initial-management-token). | +| [`acl.tokens.replication`](/consul/docs/reference/agent#acl_tokens_replication) | `optional` | `n/a` | Authorizes secondary datacenters to replicate data from the primary datacenter. | + +You can use the [`/v1/agent/token` endpoint](/consul/api-docs/agent#update-acl-tokens) to create or update all reserved tokens except the `initial_management` token. + +### Snapshot tokens + +Snapshots are artifacts created with the [snapshot API](/consul/api-docs/snapshot) for backup and recovery purposes. Snapshots contain ACL tokens and interacting with them requires a token with `acl:write` privileges. + +### ACL agent token + +The ACL agent token ([`acl.tokens.agent`](/consul/docs/reference/agent#acl_tokens_agent)) is a special token that Consul uses for internal agent operations. Consul does not use this token directly for any user-initiated operations like the default ACL token ([`acl.tokens.default`](/consul/docs/reference/agent#acl_tokens_default). However, if you do not define the ACL agent token, Consul will use the default ACL token for internal agent operations. Consul uses the ACL agent token for the following agent operations: + +1. Updating the agent's node entry using the [Catalog API](/consul/api-docs/catalog). This includes updating its node metadata, tagged addresses, and network coordinates. +2. Performing [anti-entropy](/consul/docs/architecture/anti-entropy) syncing, in particular reading the node metadata and services registered with the catalog. +3. Reading and writing the special `_rexec` section of the KV store when executing [`consul exec`](/consul/commands/exec) commands. + +The following example is the minimum policy required to perform the internal agent operations for a node called `mynode`. The `service_prefix` policy needs read access to any services that can be registered on the agent. If [remote execution is disabled](/consul/docs/reference/agent#disable_remote_exec) (default behavior), you can omit the `key_prefix` policy. + + + +```hcl +node "mynode" { + policy = "write" +} +service_prefix "" { + policy = "read" +} +key_prefix "_rexec" { + policy = "write" +} +``` + + + +## Built-in tokens + +Consul includes a built-in anonymous token and initial management token. Both tokens are injected during when you [bootstrap](/consul/docs/secure-consul/acl/bootstrap) the cluster. + +### Anonymous token + +The anonymous token is used when a request is made to Consul without specifying a bearer token. This token has the following attributes. Refer to the [Token](/consul/docs/reference/acl/token) reference docs for more information about each attribute. + +| Attribute | Value | +| ------------ | ------------------------------------- | +| `AccessorID` | `00000000-0000-0000-0000-000000000002` | +| `SecretID` | `anonymous` | + +You may update the anonymous token's description and policies, however you cannot delete the token. + +### Initial management token + +There are two ways for you to create an initial management token. + +1. Bootstrap the ACL system with `consul acl bootstrap`. Consul automatically generates a token for you. Refer to [Bootstrap ACLs](/consul/docs/secure-consul/acl/bootstrap) for more details. +1. Define an initial management token in the Consul agent configuration ([`acl.token.initial_management`](/consul/docs/reference/agent#acl_tokens_initial_management)). This method lets ACL administrators to bootstrap the ACL system with a known value. + +Consul links the management token to the built-in [global management](/consul/docs/secure-consul/acl/policy#global-management) policy. This token has unrestricted privileges to resources and APIs. + +### ACL agent recovery token + +You can use the ACL agent recovery token ([`acl.tokens.agent_recovery`](/consul/docs/reference/agent#acl_tokens_agent_recovery)) when your Consul servers are unavailable. The policy linked to the token is managed locally on the agent and does not require a token to be defined on the Consul servers. Once set, it implicitly has the following policy associated with it. + +```hcl hideClipboard +agent "" { + policy = "write" +} +node_prefix "" { + policy = "read" +} +``` diff --git a/website/content/docs/secure/acl/troubleshoot.mdx b/website/content/docs/secure/acl/troubleshoot.mdx new file mode 100644 index 00000000000..b58f9b07202 --- /dev/null +++ b/website/content/docs/secure/acl/troubleshoot.mdx @@ -0,0 +1,162 @@ +--- +layout: docs +page_title: Troubleshoot ACLs +description: >- + Learn how to troubleshoot Consul's ACL system with the Consul CLI. You can check datacenter members and list available tokens to debug issues when agents and services don't appear in Consul. +--- + +# Troubleshoot ACLs + +This page describes how to troubleshoot your Consul access control list (ACL) system using the Consul CLI and the ACL system reset procedure. + +## Requirements + +These instructions assume an existing datacenter running Consul 1.4 or later. + +All commands on this page require a valid token with `write` permissions to the ACL system. If you do not have one, you can temporarily use the initial management token since it has unlimited privileges. + +## `consul members` + +You can use the `consul members` [command](/consul/commands/members) when configuring agents with tokens to check that they have the necessary privileges to join the datacenter. + +If an agent, server, or client, is missing from the list of members, then ACLs were not configured correctly on that agent or the token does not have the correct privileges. Only agents that have privileges to register themselves in the catalog are included in the member list. + +```shell-session +$ consul members +Node Address Status Type Build Protocol DC Segment +server-1 172.17.0.2:8301 alive server 1.4.4 2 dc1 +server-2 172.17.0.3:8301 alive server 1.4.4 2 dc1 +server-3 172.17.0.4:8301 alive server 1.4.4 2 dc1 +``` + +Use the `consul acl` commands listed in the following sections to help troubleshoot token privileges. + +## `consul catalog` + +The [`consul catalog nodes -detailed` command](/consul/commands/catalog/nodes) displays node information, including tagged addresses. If the "TaggedAddresses" field is null for any of the agents, that agent's ACLs are not configured correctly. To start debugging, review the Consul logs on all the servers. If ACLs are enabled correctly, you should investigate the agent's token. + +```shell-session +$ consul catalog nodes -detailed +Node ID Address DC TaggedAddresses +server-1 a82c7db3-fdc3 192.168.1.191 kc lan=192.168.1.191, wan=192.168.1.190 +server-2 a82c7db3-fdc3 192.168.1.192 kc lan=192.168.1.192, wan=192.168.1.190 +server-3 a82c7db3-fdc3 192.168.1.193 kc lan=192.168.1.193, wan=192.168.1.190 +``` + +Use the `consul acl` commands listed below to help troubleshoot token privileges. + +## `consul acl` + +After you confirm the issue is not due to misconfiguration, you can use the following commands to help troubleshoot token or policy issues. + +### `consul acl policy list` + +The [`consul acl policy list` command](/consul/commands/acl/policy/list) outputs all available policies. This command is useful when you first set up policies so you can verify your Consul policies and their respective rules. In +the following example, there are two policies: the built-in `global-management` policy and a user-created policy named `server-one-policy`. + +```shell-session +$ consul acl policy list +global-management: + ID: 00000000-0000-0000-0000-000000000001 + Description: Builtin Policy that grants unlimited access + Datacenters: +server-one-policy: + ID: 0bcee22c-6602-9dd6-b147-964958069426 + Description: policy for server one + Datacenters: +``` + +You can use `consul acl policy read -id ` to investigate individual policies. In the following example, the `server-one-policy` policy has node write privileges for node "consul-server-one". + +```shell-session +$ consul acl policy read -id 0bcee22c-6602-9dd6-b147-964958069426 +ID: 0bcee22c-6602-9dd6-b147-964958069426 +Name: server-one-policy +Description: policy for server one +Datacenters: +Rules: +node "consul-server-one" { + policy = "write" +} +``` + +### `consul acl token list` + +The [`consul acl token list` command](/consul/commands/acl/policy/list) lists all tokens. Verify that this list includes the tokens in use. It is important for the security of your datacenter to remove old tokens that are no longer in use. Because tokens do not expire, it is the ACL administrator's responsibility to [delete ACL tokens](/consul/commands/acl/token#delete) when they are not in use. + +In the following example, there are three tokens. + +1. The first token is created by Consul during the bootstrap process. +1. The second token is user generated and was created with the `server-one-policy` policy. +1. The third token is also created by Consul, but it has no privileges. + +```shell-session +$ consul acl token list +AccessorID: cf827c04-fb7d-ea75-da64-84e1dd2d5dfe +SecretID: af410085-8bf6-80d6-08ad-2bfaa6526256 +Description: Bootstrap Token (Global Management) +Local: false +Create Time: 2019-05-20 11:08:27.253096 -0500 CDT +Legacy: false +Policies: + 00000000-0000-0000-0000-000000000001 - global-management + +AccessorID: 5d3c3a03-e627-a749-444c-2984101190c0 +SecretID: d203592e-3960-cf7e-801e-5b805825d359 +Description: token for server one +Local: false +Create Time: 2019-10-17 11:46:27.106158 -0500 CDT +Legacy: false +Policies: + 0bcee22c-6602-9dd6-b147-964958069426 - server-one-policy + +AccessorID: 00000000-0000-0000-0000-000000000002 +SecretID: anonymous +Description: Anonymous Token +Local: false +Create Time: 2019-05-20 11:08:27.253959 -0500 CDT +Legacy: false +``` + +### `consul acl token read` + +The [`consul acl token read` command](/consul/commands/acl/policy/read) provides information about the specified token. Verify the privileges of the token are expected. This command is useful when checking a node or service has the correct privileges to add itself to the catalog. + +The following example includes the same information that is returned with the `consul acl token list` command, but is useful when you do not want to view all tokens. + +```shell-session +$ consul acl token read -id 5d3c3a03-e627-a749-444c-2984101190c0 +AccessorID: 5d3c3a03-e627-a749-444c-2984101190c0 +SecretID: 547a969c-5dff-f9a8-6b84-fb1d23f9a5cb +Description: token for server one +Local: false +Create Time: 2019-10-17 11:46:27.106158 -0500 CDT +Policies: + 0bcee22c-6602-9dd6-b147-964958069426 - server-one-policy +``` + +Use the `consul acl token read` command first if the `consul catalog` or `consul members` commands return unexpected results. + +## Reset the ACL system + +If you encounter issues that are unresolvable or misplace the bootstrap token, you can reset the ACL system by updating the index. First, find the leader using the `/v1/status/leader` endpoint on any node. You must reset ACL on the leader. The following example shows the leader is at IP `172.17.0.3`. + +```shell-session +$ curl 172.17.0.1:8500/v1/status/leader +"172.17.0.3:8300"% +``` + +On the leader node, re-run the bootstrap command to get the index number. The output shows the reset index is `13`. + +```shell-session +$ consul acl bootstrap +Failed ACL bootstrapping: Unexpected response code: 403 (Permission denied: ACL bootstrap no longer allowed (reset index: 13)) +``` + +Then, write the reset index into the bootstrap reset file. + +```shell-session +$ echo 13 >> /acl-bootstrap-reset +``` + +After you have written the reset index, re-run the bootstrap command to recreate the bootstrap token. \ No newline at end of file diff --git a/website/content/docs/secure/encryption/gossip/enable.mdx b/website/content/docs/secure/encryption/gossip/enable.mdx new file mode 100644 index 00000000000..7499c561950 --- /dev/null +++ b/website/content/docs/secure/encryption/gossip/enable.mdx @@ -0,0 +1,79 @@ +--- +layout: docs +page_title: Enable gossip communication +description: >- + Consul encrypts communication between agents in the LAN gossip pool. Learn how to generate a gossip encryption key and distribute it to agents in a Consul datacenter. +--- + +# Enable gossip communication + +This page describes how to enable gossip encryption for Consul. Gossip encryption is used to encrypt all communication between Consul agents in the LAN gossip pool. This pool includes communication between servers, between clients, and between servers and clients. + +This page provides instructions for enabling gossip encryption for new Consul datacenters. If you are adding gossip encryption to an existing Consul datacenter, refer to [Enable gossip encryption for existing datacenters](/consul/docs/secure-consul/encryption/gossip/existing). + +## Workflow + +The following steps describe the general workflow for enabling gossip encryption for new Consul datacenters: + +1. Generate an encryption key. +1. Start the Consul agent with the encryption key. + +## Generate an encryption key + +The encryption key must be 32-bytes and base64 encoded. Consul provides the [`consul keygen`](/consul/commands/keygen) command to generate a cryptographically suitable key. + +```shell-session +$ consul keygen +pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s= +``` + +## Start the Consul agent with the encryption key + +Add the encryption key to your Consul agent configuration file. The following example sets the [`encrypt`](/consul/docs/reference/agent#encrypt) to the newly generated encrypt key. + + + + +```hcl +data_dir = "/opt/consul" +log_level = "INFO" +node_name = "bulldog" +server = true +encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" +``` + + + + +```json +{ + "data_dir": "/opt/consul", + "log_level": "INFO", + "node_name": "bulldog", + "server": true, + "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" +} +``` + + + + +Alternatively, you can set the encrypt key in a separate configuration file with only the `encrypt` field, since the Consul agent can merge multiple configuration files. + +Start the Consul agent and pass the configuration directory that includes agent configuration with the encryption key. + +```shell-session +$ consul agent -config-dir=/etc/consul.d/ +==> Starting Consul agent... +## ... + Node name: 'bulldog' + Datacenter: 'dc1' (Segment: '') + Server: true (Bootstrap: false) + Client Addr: [127.0.0.1] (HTTP: 8500, HTTPS: -1, gRPC: 8502, DNS: 8600) + Cluster Addr: 127.0.0.1 (LAN: 8301, WAN: 8302) + Encrypt: Gossip: true, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false +``` + +If encryption is enabled, the output of [`consul agent`](/consul/commands/agent) includes `"Encrypt: true":` + +All server and client agents within a Consul cluster must share the same encryption key to send and receive cluster information. If you join multiple datacenters in a WAN-federated deployment, you must use the same encryption key in all of the federated datacenters. \ No newline at end of file diff --git a/website/content/docs/secure/encryption/gossip/existing.mdx b/website/content/docs/secure/encryption/gossip/existing.mdx new file mode 100644 index 00000000000..6c5925aa0d4 --- /dev/null +++ b/website/content/docs/secure/encryption/gossip/existing.mdx @@ -0,0 +1,141 @@ +--- +layout: docs +page_title: Enable gossip encryption for existing datacenters +description: >- + Consul encrypts communication between agents in the LAN gossip pool. Learn how to generate a gossip encryption key and distribute it to agents in an existing Consul datacenter. +--- + +# Enable gossip encryption for existing datacenters + +This page describes how to enable gossip encryption for Consul. Gossip encryption is used to secure all communication between Consul agents in the LAN gossip pool. This pool includes communication between servers, between clients, and between servers and clients. + +This page provides instructions for enabling gossip encryption for existing Consul datacenters. If you are adding gossip encryption to a new Consul datacenter, refer to [Enable gossip communication](/consul/docs/secure-consul/encryption/gossip/enable.mdx). + +## Workflow + +The following steps describe the general workflow for enabling gossip encryption for existing Consul datacenters: + +1. Generate an encryption key. +1. Start the Consul agent with the encryption key. Disable `encrypt_verify_incoming` and `encrypt_verify_outgoing` in the agent configuration file. +1. Start the Consul agent with `encrypt_verify_outgoing` enabled. +1. Start the Consul agent with both `encrypt_verify_incoming` and `encrypt_verify_outgoing` enabled. + +These steps are similar to enabling gossip encryption on new datacenters, but require you to configure the [`encrypt_verify_incoming`](/consul/docs/reference/agent#encrypt_verify_incoming) and [`encrypt_verify_outgoing`](/consul/docs/reference/agent#encrypt_verify_outgoing) agent configuration parameters. + +## Generate an encryption key + +The encryption key must be 32-bytes and base64 encoded. Consul provides the [`consul keygen`](/consul/commands/keygen) command to generate a cryptographically suitable key. + +```shell-session +$ consul keygen +pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s= +``` + +## Disable verify encryption + +Set the [`encrypt`](/consul/docs/reference/agent#_encrypt) key, and set `encrypt_verify_incoming` and `encrypt_verify_outgoing` to `false` in the agent configuration file. Then initiate a rolling update of all the agents with these new values. After this step, the agents will be able to decrypt gossip but will not yet be able to send encrypted traffic. + + + + +```hcl +data_dir = "/opt/consul" +log_level = "INFO" +node_name = "bulldog" +server = true +encrypt = "BYX6EPaUiUI0TDdm6gAMmmLnpJSwePJ33Xwh6rjCYbg=" +encrypt_verify_incoming = false +encrypt_verify_outgoing = false +``` + + + + +```json +{ + "data_dir": "/opt/consul", + "log_level": "INFO", + "node_name": "bulldog", + "server": true, + "encrypt": "BYX6EPaUiUI0TDdm6gAMmmLnpJSwePJ33Xwh6rjCYbg=", + "encrypt_verify_incoming": false, + "encrypt_verify_outgoing": false +} +``` + + + + +You can trigger a rolling update by restarting the Consul server and client agents in turn. Commands such as `consul reload` and `kill -HUP ` _are not sufficient_ to change the gossip configuration. + +## Enable `encrypt_verify_outgoing` + +Update the `encrypt_verify_outgoing` setting to `true` and perform another rolling update of all the agents by restarting Consul on each agent. The agents can send encrypted gossip but still allow incoming unencrypted traffic. + + + + +```hcl +data_dir = "/opt/consul" +log_level = "INFO" +node_name = "bulldog" +server = true +encrypt = "BYX6EPaUiUI0TDdm6gAMmmLnpJSwePJ33Xwh6rjCYbg=" +encrypt_verify_incoming = false +encrypt_verify_outgoing = true +``` + + + + +```json +{ + "data_dir": "/opt/consul", + "log_level": "INFO", + "node_name": "bulldog", + "server": true, + "encrypt": "BYX6EPaUiUI0TDdm6gAMmmLnpJSwePJ33Xwh6rjCYbg=", + "encrypt_verify_incoming": false, + "encrypt_verify_outgoing": true +} +``` + + + + +## Enable verify encryption + +After you enable `verify_outgoing`, update the `encrypt_verify_incoming` setting to `true` and then perform a final rolling update on all the agents. + + + + +```hcl +data_dir = "/opt/consul" +log_level = "INFO" +node_name = "bulldog" +server = true, +encrypt = "BYX6EPaUiUI0TDdm6gAMmmLnpJSwePJ33Xwh6rjCYbg=", +encrypt_verify_incoming = true, +encrypt_verify_outgoing = true +``` + + + + +```json +{ + "data_dir": "/opt/consul", + "log_level": "INFO", + "node_name": "bulldog", + "server": true, + "encrypt": "BYX6EPaUiUI0TDdm6gAMmmLnpJSwePJ33Xwh6rjCYbg=", + "encrypt_verify_incoming": true, + "encrypt_verify_outgoing": true +} +``` + + + + +All the agents are configured to strictly enforce encrypted gossip. The default behavior of both `encrypt_verify_incoming` and `encrypt_verify_outgoing` is `true`. \ No newline at end of file diff --git a/website/content/docs/secure/encryption/index.mdx b/website/content/docs/secure/encryption/index.mdx new file mode 100644 index 00000000000..a88a27ce2a9 --- /dev/null +++ b/website/content/docs/secure/encryption/index.mdx @@ -0,0 +1,69 @@ +--- +layout: docs +page_title: Encryption systems +description: >- + Consul supports encrypting all of its network traffic. Remote Process Calls (RPCs) between client and server agents can be encrypted with TLS and authenticated with certificates. Gossip communication between all agents can also be encrypted. +--- + +# Encryption + +The Consul agent supports encrypting all of its network traffic. There are two separate encryption systems, one for agent communication in the LAN gossip pool and one for HTTP and RPC traffic. Gossip encryption is used to encrypt all communication between agents and participates in replication of the state machine. RPC encryption is used to encrypt all communication between clients and servers. + + +There are two different systems that need to be configured separately to encrypt communication within the datacenter: gossip encryption and TLS. TLS is used to secure the RPC calls between agents. Gossip communication is secured with a symmetric key because gossip between agents is done over UDP. + +## Gossip encryption + +Enabling gossip encryption only requires that you set an encryption key when starting the Consul agent. The key can be set via the `encrypt` parameter. + +~> **WAN Joined Datacenters Note:** If using multiple WAN joined datacenters, be sure to use _the same encryption key_ in all datacenters. + +The key must be 32-bytes, Base64 encoded. As a convenience, Consul provides the [`consul keygen`](/consul/commands/keygen) command to generate a cryptographically suitable key: + +```shell-session +$ consul keygen +pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s= +``` + +With that key, you can enable encryption on the agent. If encryption is enabled, the output of [`consul agent`](/consul/commands/agent) will include "Encrypt: true": + +```shell-session +$ cat encrypt.json +{"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="} + +$ consul agent -data-dir=/tmp/consul -config-file=encrypt.json +==> WARNING: LAN keyring exists but -encrypt given, using keyring +==> WARNING: WAN keyring exists but -encrypt given, using keyring +==> Starting Consul agent... +==> Starting Consul agent RPC... +==> Consul agent running! + Node name: 'Armons-MacBook-Air.local' + Datacenter: 'dc1' + Server: false (bootstrap: false) + Client Addr: 127.0.0.1 (HTTP: 8500, HTTPS: -1, DNS: 8600, RPC: 8400) + Cluster Addr: 10.1.10.12 (LAN: 8301, WAN: 8302) + Gossip encrypt: true, RPC-TLS: false, TLS-Incoming: false +... +``` + +All nodes within a Consul cluster must share the same encryption key in order to send and receive cluster information. + +## RPC encryption with TLS + +Consul supports using TLS to verify the authenticity of servers and clients. To enable this, Consul requires that all clients and servers have key pairs that are generated by a single certificate authority. It can be a private CA used only internally. The CA then signs keys for each of the agents, as demonstrated in [this tutorial on generating both a CA and signing keys](/consul/docs/secure-consul/encryption/tls/builtin?utm_source=docs). + +~> Certificates need to be created with x509v3 extendedKeyUsage attributes for both clientAuth and serverAuth since Consul uses a single cert/key pair for both server and client communications. + +TLS can be used to verify the authenticity of the servers or verify the authenticity of clients. These modes are controlled by the [`verify_outgoing`](/consul/docs/reference/agent#tls_internal_rpc_verify_outgoing), [`verify_server_hostname`](/consul/docs/reference/agent#tls_internal_rpc_verify_server_hostname), and [`verify_incoming`](/consul/docs/reference/agent#tls_internal_rpc_verify_incoming) options, respectively. + +If [`verify_outgoing`](/consul/docs/reference/agent#tls_internal_rpc_verify_outgoing) is set, agents verify the authenticity of Consul for outgoing connections. Server nodes must present a certificate signed by a common certificate authority present on all agents, set via the agent's [`ca_file`](/consul/docs/reference/agent#tls_internal_rpc_ca_file) and [`ca_path`](/consul/docs/reference/agent#tls_internal_rpc_ca_path) options. All server nodes must have an appropriate key pair set using [`cert_file`](/consul/docs/reference/agent#tls_internal_rpc_cert_file) and [`key_file`](/consul/docs/reference/agent#tls_internal_rpc_key_file). + +If [`verify_server_hostname`](/consul/docs/reference/agent#tls_internal_rpc_verify_server_hostname) is set, then outgoing connections perform hostname verification. All servers must have a certificate valid for `server..` or the client will reject the handshake. This is a new configuration as of 0.5.1, and it is used to prevent a compromised client from being able to restart in server mode and perform a MITM (Man-In-The-Middle) attack. New deployments should set this to true, and generate the proper certificates, but this is defaulted to false to avoid breaking existing deployments. + +If [`verify_incoming`](/consul/docs/reference/agent#tls_internal_rpc_verify_incoming) is set, the servers verify the authenticity of all incoming connections. All clients must have a valid key pair set using [`cert_file`](/consul/docs/reference/agent#tls_internal_rpc_cert_file) and [`key_file`](/consul/docs/reference/agent#tls_internal_rpc_key_file). Servers will also disallow any non-TLS connections. To force clients to use TLS, [`verify_outgoing`](/consul/docs/reference/agent#tls_internal_rpc_verify_outgoing) must also be set. + +TLS is used to secure the RPC calls between agents, but gossip between nodes is done over UDP and is secured using a symmetric key. See above for enabling gossip encryption. + +Securing your datacenter with TLS encryption is an important step for production deployments. TLS configuration is also a prerequisite of the [Consul security model](/consul/docs/secure-consul/security-model). [Secure HTTP communication](/consul/docs/secure-consul/encryption/tls/openssl#configure-the-consul-ui-for-https) for the CLI and UI separately. + +Consul supports using TLS to verify the authenticity of servers and clients. To enable TLS, Consul requires that all servers have certificates that are signed by a single certificate authority (CA). Clients should also have certificates that are authenticated with the same CA. \ No newline at end of file diff --git a/website/content/docs/secure/encryption/tls/builtin.mdx b/website/content/docs/secure/encryption/tls/builtin.mdx new file mode 100644 index 00000000000..ea6b4f7c06c --- /dev/null +++ b/website/content/docs/secure/encryption/tls/builtin.mdx @@ -0,0 +1,283 @@ +--- +layout: docs +page_title: Enable TLS encryption with built-in CA +description: >- + Learn how to create and distribute TLS certificates to server and client agents using Consul's built-in certificate authority (CA). +--- + +# Enable TLS encryption with built-in certificate authority + +This page describes how to enable TLS encryption to secure Consul agent communication. Consul supports using TLS to verify the authenticity of servers and clients. To enable TLS, Consul requires that all servers have certificates that are signed by a single certificate authority (CA). Clients should also have certificates that are authenticated with the same CA. + +This page provides instructions for enabling TLS encryption for new Consul datacenters. If you are adding TLS encryption to an existing Consul datacenter, refer to [Enable TLS encryption for existing datacenters](/consul/docs/secure-consul/encryption/gossip/existing). + +## Workflow + +The following steps describe the general workflow for enabling TLS encryption for new Consul datacenters: + +1. Initialize the built-in CA +1. Create the server certificates +1. Distribute the server certificates +1. Distribute client certificate +1. Start Consul + +## Initialize the built-in CA + +To configure TLS for Consul, you must generate the certificates. Consul requires all certificates be signed by the same CA to prevent unauthorized datacenter access. Use a private CA, since any certificate signed by this CA can communicate with Consul. + +There are many tools to manage your own CA, like [Vault PKI secret backend](/vault/docs/secrets/pki). These steps on this page use Consul's built-in TLS helpers to create a CA. You need to create one CA for the datacenter. You should generate all certificates on the same node or workstation that you used to create the CA. This node or workstation should be stable, preferably not a Consul agent or a cloud server. + +Create the CA and certificates. + +```shell-session +$ consul tls ca create +==> Saved consul-agent-ca.pem +==> Saved consul-agent-ca-key.pem +``` + +This command generates two files: + +- The CA certificate, `consul-agent-ca.pem`, contains the public key necessary to validate Consul certificates and therefore must be distributed to every node that runs a Consul agent. + +- The CA key, `consul-agent-ca-key.pem`, is used to sign certificates for Consul nodes and must be kept private. Possession of this key allows anyone to run Consul as a trusted server or generate new valid certificates for the datacenter and obtain access to all Consul data, including ACL tokens. + +## Create the server certificates + +Create a server certificate for your datacenter and domain. The following example uses the default values `dc1` and `consul`. + +Repeat this process on the same node where you created the CA until there is an individual certificate for each server. You can use the `consul tls cert create` command repeatedly because it automatically increases the certificate and key numbers. Distribute the certificates to the servers. + + + + +The following example creates a server certificate for a single Consul datacenter named `dc1`. + +```shell-session +$ consul tls cert create -server -dc dc1 +==> WARNING: Server Certificates grants authority to become a + server and access all state in the cluster including root keys + and all ACL tokens. Do not distribute them to production hosts + that are not server nodes. Store them as securely as CA keys. +==> Using consul-agent-ca.pem and consul-agent-ca-key.pem +==> Saved dc1-server-consul-0.pem +==> Saved dc1-server-consul-0-key.pem +``` + + + + +A federated Consul environment requires the server certificate to include the names of all Consul datacenters that are within the federated environment. + +The `-additional-dnsname` flag lets you provide an additional DNS name for Subject Alternative Names. `localhost` is always included. You may use this flag multiple times. + +The following example creates a server certificate for federated environment that contains two Consul datacenters. + +```shell-session +$ consul tls cert create -server -dc dc1 -additional-dnsname="*.dc2.consul" +==> WARNING: Server Certificates grants authority to become a + server and access all state in the cluster including root keys + and all ACL tokens. Do not distribute them to production hosts + that are not server nodes. Store them as securely as CA keys. +==> Using consul-agent-ca.pem and consul-agent-ca-key.pem +==> Saved dc1-server-consul-0.pem +==> Saved dc1-server-consul-0-key.pem +``` + + + + +Refer to the [`consul tls cert`](/consul/commands/tls/cert) CLI documentation to learn more about TLS certificate creation options. + +To authenticate Consul servers, you must provide servers with a certificate that contains `server.dc1.consul` in the `Common Name` and in the `Subject Alternative Name`. If you enable [`verify_server_hostname`](/consul/docs/reference/agent#verify_server_hostname), only agents that provide such certificate are allowed to boot as a server. Without `verify_server_hostname = true`, an attacker could compromise a Consul client agent and restart the agent as a server in order to get access to all the data in your datacenter. These server certificates are special, and only servers should have them provisioned. + + + + Server keys, like the CA key, must be kept private. They effectively allow access to all Consul data. + + + +## Distribute the server certificates + +After generating the server certificates, you need to distribute them to the Consul servers and put their on-disk location in the agent configuration file. + +You need to copy the following files to your Consul server: + +- `consul-agent-ca.pem`: CA public certificate. +- `dc1-server-consul-0.pem`: Consul server node public certificate for the `dc1` datacenter. +- `dc1-server-consul-0-key.pem`: Consul server node private key for the `dc1` datacenter. + +Repeat this process until all servers have these three files. + +## Distribute client certificate + +There are two methods for distributing client certificates: + +1. **Auto-encryption method.** We recommend the [auto-encryption method](/consul/docs/reference/agent#auto_encrypt) to alleviate the client certificate generation and distribution step for operators. This method uses the Connect CA to generate client certificates, which are automatically distributed to all Consul clients. + +1. **Operator method.** Use this method if you need to use a third-party CA or need more fine-grained control over certificate management. + +### Configure the servers + + + + +To use auto-encryption to distribute the client certificates, enable the `auto_encrypt` feature. The following example configuration sets the certificate files and enable auto-encrypt. + +Because Consul loads all files in the configuration directory, you can add the following configuration as new files. You can also add them to an existing configuration file. Verify that the syntax is valid using [`consul validate`](/consul/commands/validate). + + + +```hcl +verify_incoming = true +verify_outgoing = true +verify_server_hostname = true +ca_file = "consul-agent-ca.pem" +cert_file = "dc1-server-consul-0.pem" +key_file = "dc1-server-consul-0-key.pem" +auto_encrypt { + allow_tls = true +} +``` + +```json +{ + "verify_incoming": true, + "verify_outgoing": true, + "verify_server_hostname": true, + "ca_file": "consul-agent-ca.pem", + "cert_file": "dc1-server-consul-0.pem", + "key_file": "dc1-server-consul-0-key.pem", + "auto_encrypt": { + "allow_tls": true + } +} +``` + + + +In addition to the `verify` settings, you need to enable `allow_tls`. The `verify` settings ensure that all communication between servers and clients is verified. When [`auto_encrypt`](/consul/docs/reference/agent#allow_tls) is enabled, `verify_outgoing` is enabled by default. + + + + +Configure the servers with the following options, including the agent TLS configuration for Consul servers and copied certificate files. + + + +```hcl +verify_incoming = true +verify_outgoing = true +verify_server_hostname = true +ca_file = "consul-agent-ca.pem" +cert_file = "dc1-server-consul-0.pem" +key_file = "dc1-server-consul-0-key.pem" +``` + +```json +{ + "verify_incoming": true, + "verify_outgoing": true, + "verify_server_hostname": true, + "ca_file": "consul-agent-ca.pem", + "cert_file": "dc1-server-consul-0.pem", + "key_file": "dc1-server-consul-0-key.pem" +} +``` + + + +Consul uses TLS to verify the authenticity of the servers with [`verify_outgoing`](/consul/docs/reference/agent#verify_outgoing) and [`verify_server_hostname`](/consul/docs/reference/agent#verify_server_hostname). You can also use TLS to also optionally verify client certificates when using [`verify_incoming`](/consul/docs/reference/agent#verify_incoming). + + + + +### Configure the clients + + + + +With auto-encryption, you can configure the Consul servers to automatically distribute certificates to the clients. To use this feature, configure the clients to automatically get the certificates from the server. + +This method stores the certificates in memory, but they are not persisted. + +Configure the clients with the following options. + + + +```hcl +verify_incoming = false +verify_outgoing = true +verify_server_hostname = true +ca_file = "consul-agent-ca.pem" +auto_encrypt = { + tls = true +} +``` + +```json +{ + "verify_incoming": false, + "verify_outgoing": true, + "verify_server_hostname": true, + "ca_file": "consul-agent-ca.pem", + "auto_encrypt": { + "tls": true + } +} +``` + + + + + + + +To encrypt client communication, distribute the CA certificate, a client certificate, and its private key to each client. + +First, generate a client certificate. On the node where you created the CA and server certificates, generate a client certificate. + +```shell-session +$ consul tls cert create -client +==> Using consul-agent-ca.pem and consul-agent-ca-key.pem +==> Saved dc1-client-consul-0.pem +==> Saved dc1-client-consul-0-key.pem +``` + +You should also sign the client certificate with your CA. However, your CA does not have the special `Subject Alternative Name` which means that if `verify_server_hostname` is enabled, you cannot start the server. + +Now that you have created the client certificate, configure the client agents with the newly generated client certificates. + + + +```hcl +verify_incoming = true +verify_outgoing = true +verify_server_hostname = true +ca_file = "consul-agent-ca.pem" +cert_file = "dc1-client-consul-0.pem" +key_file = "dc1-client-consul-0-key.pem" +``` + +```json +{ + "verify_incoming": true, + "verify_outgoing": true, + "verify_server_hostname": true, + "ca_file": "consul-agent-ca.pem", + "cert_file": "dc1-client-consul-0.pem", + "key_file": "dc1-client-consul-0-key.pem" +} +``` + + + + + + +## Start Consul + +Now that you have configured your servers and clients, you can start Consul. + +```shell-session +$ systemctl start consul +``` \ No newline at end of file diff --git a/website/content/docs/secure/encryption/tls/existing.mdx b/website/content/docs/secure/encryption/tls/existing.mdx new file mode 100644 index 00000000000..d9bccd0ec74 --- /dev/null +++ b/website/content/docs/secure/encryption/tls/existing.mdx @@ -0,0 +1,341 @@ +--- +layout: docs +page_title: Enable TLS encryption for existing datacenters +description: >- + TODO +--- + +# Enable TLS encryption for existing datacenters + +This page describes how to enable TLS encryption to secure Consul agent communication. Consul supports using TLS to verify the authenticity of servers and clients. To enable TLS, Consul requires that all servers have certificates that are signed by a single certificate authority (CA). Clients should also have certificates that are authenticated with the same CA. + +This page provides instructions for enabling TLS encryption for existing Consul datacenters. If you are adding TLS encryption to an new Consul datacenter, refer to [Enable TLS encryption with built-in CA](/consul/docs/secure-consul/encryption/gossip/builtin.mdx). + +## Workflow + +The following steps describe the general workflow for enabling TLS encryption for existing Consul datacenters: + +1. Generate server certificates. Generate a client certificate if you are using the operator method. +1. Distribute certificates, including the CA and private key files to every agent. +1. Configure the servers, allowing encrypted traffic. Restart each server, one at a time. +1. Configure the clients to communicate only with TLS Restart each client. +1. Reconfigure servers to only allow TLS communication. Reload each server, one at a time. + + + +Failing to perform the steps in the following order may lead to unplanned cluster outages due to failures in authenticating RPC TLS Communication. Complete each step in its entirety before moving to the next one. + + + +## Generate the certificates + +To configure TLS for Consul, you must generate the certificates. Consul requires all certificates be signed by the same CA to prevent unauthorized datacenter access. This should be a _private_ CA and not a public one since any certificate signed by this CA can communicate with Consul. + +There are many tools to manage your own CA, like [Vault PKI secret backend](/vault/docs/secrets/pki). These instructions will use Consul's built-in TLS helpers to create a CA. You will only need to create one CA for the datacenter. You should generate all certificates on the same node or workstation that you used to create the CA. This node or workstation should be stable, preferably not a Consul agent or a cloud server. + +Create the CA and certificates. + +```shell-session +$ consul tls ca create +==> Saved consul-agent-ca.pem +==> Saved consul-agent-ca-key.pem +``` + +This will generate two files: + +- The CA certificate, `consul-agent-ca.pem`, contains the public key necessary to validate Consul certificates and therefore must be distributed to **every** node that runs a consul agent. + +- The CA key, `consul-agent-ca-key.pem`, will be used to sign certificates for Consul nodes and must be kept private. Possession of this key allows anyone to run Consul as a trusted server or generate new valid certificates for the datacenter and obtain access to all Consul data, including ACL tokens. + +## Distribute the certificates + +Before configuring the agents, you need to distribute the certificate and key files. + +### Server certificates + +Distribute the following certificates and key files to each of your servers. + +- `consul-agent-ca.pem` +- `dc1-server-consul-0.pem` +- `dc1-server-consul-0-key.pem` + +The CA certificate may have different names if you are not using Consul's built-in CA. The server certificate and key file should be unique for each server. + +### Client certificate for operator method + +If you are using the operator method, you must also distribute the client certificate and key file to all your clients. Refer to [operator method](/consul/docs/secure-consul/encryption/tls/builtin#distribute-client-certificate) for more details. All clients should have the following certificates and key file. + +- `consul-agent-ca.pem` +- `dc1-client-consul-0.pem` +- `dc1-client-consul-0-key.pem` + +The CA certificate may have different names if you are not using Consul's built-in CA. The client certificate and key file should be unique for each client. + +## Configure the servers + +Now that you have created the certificates, you can enable TLS on your agents, starting with the servers. + +The following example server agent configuration enable TLS. Since Consul will load all files in the configuration directory, you can add the following configuration as new files. You can also add them to an existing configuration file. Verify that the syntax is valid using [`consul validate`](/consul/commands/validate). + + + + +For the auto encryption method, set `auto_encrypt` to `true`. + + + + +```hcl +verify_incoming = false +verify_outgoing = false +verify_server_hostname = false +ca_file = "consul-agent-ca.pem" +cert_file = "dc1-server-consul-0.pem" +key_file = "dc1-server-consul-0-key.pem" +auto_encrypt { + allow_tls = true +} +``` + + + + +```json +{ + "verify_incoming": false, + "verify_outgoing": false, + "verify_server_hostname": false, + "ca_file": "consul-agent-ca.pem", + "cert_file": "dc1-server-consul-0.pem", + "key_file": "dc1-server-consul-0-key.pem", + "auto_encrypt": { + "allow_tls": true + } +} +``` + + + + +Setting the `verify` options to `false` on the servers allows you to update all the agents without any downtime since authenticity verification is not enforced. However, leaving the `verify` settings as false will create an insecure configuration. + + + + + + +```hcl +verify_incoming = false +verify_outgoing = false +verify_server_hostname = false +ca_file = "consul-agent-ca.pem" +cert_file = "dc1-server-consul-0.pem" +key_file = "dc1-server-consul-0-key.pem" +``` + +```json +{ + "verify_incoming": false, + "verify_outgoing": false, + "verify_server_hostname": false, + "ca_file": "consul-agent-ca.pem", + "cert_file": "dc1-server-consul-0.pem", + "key_file": "dc1-server-consul-0-key.pem" +} +``` + + + +When you distribute client certificate, you must set the following options to `false` to allow existing communication to continue uninterrupted. + +- `verify_incoming` +- `verify_outgoing` +- `verify_server_hostname` + +This will require a rolling restart on all the servers. Once you have configured your clients, you can then enable `verify_incoming`, `verify_outgoing`, and `verify_server_hostname` on the servers. In addition to the `verify` options, set the certificates and key file the agent should use. + + + + +After you have updated the server configuration, initiate a rolling restart of the servers. + +Restart one server at a time and ensure it properly functions before restarting the next. Restart the leader last to avoid downtime. + +```shell-session +$ systemctl restart consul +``` + +## Configure the clients + +Now that you have enabled TLS communication on the servers and distributed the certificates, you can configure the clients. + + + + +For the auto encryption method, enable `auto_encrypt`. + + + + +```hcl +verify_incoming = false +verify_outgoing = true +verify_server_hostname = true +ca_file = "consul-agent-ca.pem" +auto_encrypt = { + tls = true +} +``` + + + + +```json +{ + "verify_incoming": false, + "verify_outgoing": true, + "verify_server_hostname": true, + "ca_file": "consul-agent-ca.pem", + "auto_encrypt": { + "tls": true + } +} +``` + + + + + + + +For the operator method, configure the clients to use the operator distributed certificates and key file. + + + +```hcl +verify_incoming = false +verify_outgoing = true +verify_server_hostname = true +ca_file = "consul-agent-ca.pem" +cert_file = "dc1-client-consul-0.pem" +key_file = "dc1-client-consul-0-key.pem" +``` + +```json +{ + "verify_incoming": false, + "verify_outgoing": true, + "verify_server_hostname": true, + "ca_file": "consul-agent-ca.pem", + "cert_file": "dc1-client-consul-0.pem", + "key_file": "dc1-client-consul-0-key.pem" +} +``` + + + + + + +You do not need to distribute client certificate using the auto encryption method. Consul service mesh will manage certificate distribution for you. + +### Restart the Consul clients + +Finally, restart the clients. You only need to restart the clients once. + +```shell-session +$ systemctl restart consul +``` + + + +Restarting your Consul server agents with the `consul reload` command may lead to an outage since this will cause the clients to lose communication to cluster server nodes. To prevent this, adjust the TLS verification settings as prescribed in the following steps. + + + +## Reconfigure and reload the servers + + + + +For the auto encryption method, update `verify_incoming`,`verify_outgoing`, and `verify_server_hostname` to `true`. + + + + +```hcl +verify_incoming = true +verify_outgoing = true +verify_server_hostname = true +ca_file = "consul-agent-ca.pem" +cert_file = "dc1-server-consul-0.pem" +key_file = "dc1-server-consul-0-key.pem" +auto_encrypt { + allow_tls = true +} +``` + + + + +```json +{ + "verify_incoming": true, + "verify_outgoing": true, + "verify_server_hostname": true, + "ca_file": "consul-agent-ca.pem", + "cert_file": "dc1-server-consul-0.pem", + "key_file": "dc1-server-consul-0-key.pem", + "auto_encrypt": { + "allow_tls": true + } +} +``` + + + + + + + +For the operator method, update `verify_incoming`, `verify_outgoing`, and `verify_server_hostname` to `true`. + + + + +```hcl +verify_incoming = true +verify_outgoing = true +verify_server_hostname = true +ca_file = "consul-agent-ca.pem" +cert_file = "dc1-server-consul-0.pem" +key_file = "dc1-server-consul-0-key.pem" +``` + + + + +```json +{ + "verify_incoming": true, + "verify_outgoing": true, + "verify_server_hostname": true, + "ca_file": "consul-agent-ca.pem", + "cert_file": "dc1-server-consul-0.pem", + "key_file": "dc1-server-consul-0-key.pem" +} +``` + + + + + + + +After you reloaded the last Consul agent, your agents will only communicating with TLS. + +```shell-session +$ consul reload +``` + +You have configured your Consul agents to communicate over TLS. \ No newline at end of file diff --git a/website/content/docs/secure/encryption/tls/openssl.mdx b/website/content/docs/secure/encryption/tls/openssl.mdx new file mode 100644 index 00000000000..e1c9926109c --- /dev/null +++ b/website/content/docs/secure/encryption/tls/openssl.mdx @@ -0,0 +1,486 @@ +--- +layout: docs +page_title: Enable TLS encryption with OpenSSL +description: >- + Learn how to create and distribute TLS certificates to server and client agents using OpenSSL as your certificate authority (CA). +--- + +# Enable TLS encryption with OpenSSL + +This page describes how to use OpenSSL to enable TLS encryption to secure Consul agent communication. Consul supports using TLS to verify the authenticity of servers and clients. To enable TLS, Consul requires that all servers have certificates that are signed by a single certificate authority (CA). Clients should also have certificates that are authenticated with the same CA. + +This page provides instructions for enabling TLS encryption for OpenSSL. If you are interesting in using Consul's built in CA, refer to [Enable TLS encryption with built-in CA](/consul/docs/secure-consul/encryption/gossip/builtin). + +## Workflow + +The following steps describe the general workflow for enabling TLS encryption for new Consul datacenters: + +1. Create certificates +1. Configure agents +1. Distribute the server certificates +1. Distribute client certificate +1. Configure SANs for server and client certificates + +After you have enabled TLS encryption, you can configure the Consul CLI and UI to use HTTPS. + +## Create certificates + +To enable TLS encryption for a Consul datacenter, you need to configure each agent to expose a certificate. + +You can create these certificates on any machine with `openssl`. The examples in these instructions use, `server.dc1.consul` for Consul agents and `client.dc1.consul` for clients. + +### Create server certificate signing requests + +To authenticate Consul servers, servers are provided with a special certificate that contains `server.dc1.consul` in the `Common Name`. If you enable [`verify_server_hostname`](/consul/docs/reference/agent#verify_server_hostname), only agents that provide this certificate are allowed to boot as a server. Without `verify_server_hostname = true`, an attacker could compromise a Consul client agent and restart the agent as a server in order to get access to all the data in your datacenter. These server certificates are special and only servers should provision them. + +Create a certificate signing request with the private key. The following command generates a CSR that has Common Name `server.dc1.consul`. Configure the CSR to use the [name of your datacenter](/consul/docs/reference/agent#_datacenter) and your [domain](/consul/docs/reference/agent#_domain). + +```shell-session +$ openssl req -new -newkey rsa:2048 -nodes -keyout server1.dc1.consul.key -out server1.dc1.consul.csr -subj '/CN=server.dc1.consul' +Generating a RSA private key +.......................................................................+++++ +...................+++++ +writing new private key to 'server1.dc1.consul.key' +----- +``` + +This command creates two files. + +```shell-session +$ ls -1 +server1.dc1.consul.csr +server1.dc1.consul.key +``` + +### Sign the CSR + + + +These signing commands are based on default parameters and configurations that might not apply to your infrastructure. If you are issuing production certificates, reach out to your organization's CA admins or to your internal processes to get the request signed. + + + +Sign the request. Use the `-CA` and `-CAkey` parameters to provide the certification authority certificate and key to sign the certificate. + +If this is the first time you are using your CA to sign a certificate, you can use the `-CAcreateserial` option. This option creates a file with `.srl` extension that contains a serial number. The next time you sign a request, use the `-CAserial` option followed with the name of the file containing your serial number. + +```shell-session +$ openssl x509 -req -in server1.dc1.consul.csr -CA consul-agent-ca.pem -CAkey consul-agent-ca-key.pem -CAcreateserial -out server1.dc1.consul.crt +Signature ok +subject=CN = server.dc1.consul +Getting CA Private Key +``` + +This command creates a new file `*.cst`. + +```shell-session +$ ls -1 +``` + +```plaintext hideClipboard +server.dc1.consul.crt +server1.dc1.consul.csr +server1.dc1.consul.key +``` + +Verify the certificate information is correct. + +```shell-session +$ openssl x509 -text -noout -in server1.dc1.consul.crt +Certificate: + Data: + Version: 1 (0x0) + Serial Number: + 08:11:59:bf:1f:a7:fd:f3:46:1c:fc:cb:a3:86:73:59:ee:6f:40:0b + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = CA, L = San Francisco, street = 101 Second Street, postalCode = 94105, O = HashiCorp Inc., CN = Consul Agent CA 110700113239230823036492076258083826915 + Validity + Not Before: Jan 10 13:16:54 2020 GMT + Not After : Feb 9 13:16:54 2020 GMT + Subject: CN = server.dc1.consul + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + ## ... + Signature Algorithm: ecdsa-with-SHA256 + ## ... +``` + +By default, the generated certificate is valid for one month. You can change this value by using the `-days` parameter in the signing command. + +Repeat this process on the same server where you created the CA until there is an individual certificate for each server. + +### Create clients certificate + +The following example creates a single client certificate that can be shared across multiple clients. If you require a more granular certificate policy, repeat the steps below to create multiple client certificates. + +Create the CSR. + +```shell-session +$ openssl req -new -newkey rsa:2048 -nodes -keyout client.dc1.consul.key -out client.dc1.consul.csr -subj '/CN=client.dc1.consul' +Generating a RSA private key +............................................................+++++ +.........................................................+++++ +writing new private key to 'client.dc1.consul.key' +----- +``` + +Sign the certificate. + +```shell-session +$ openssl x509 -req -in client.dc1.consul.csr -CA consul-agent-ca.pem -CAkey consul-agent-ca-key.pem -out client.dc1.consul.crt +Signature ok +subject=CN = client.dc1.consul +Getting CA Private Key +``` + +## Configure agents + +Now that you have created the certificates, you need to enable TLS in your datacenter. The next steps detail how to configure TLS for a new Consul deployment. + +### Distribute the certificates + +For Consul to use the certificate you created, copy them to the agents you want to secure with TLS. + +Every Consul agent needs 3 files to complete the configuration: + +1. CA public certificate: defined by [`ca_file`](/consul/docs/reference/agent#ca_file) parameter is used to verify the identity of the other nodes. For these instructions, the CA public certificate is named `consul-agent-ca.pem`. +1. Consul agent public certificate: defined by [`cert_file`](/consul/docs/reference/agent#cert_file) parameter. +1. Consul agent private key: defined by [`key_file`](/consul/docs/reference/agent#key_file) parameter. + +Consul looks for these certificate files in the start directory. If you stored the files there, you can add them to the agent configuration file by their name only. When the certificate files are not located in the start directory, you must specify the path in the agent configuration file. + +### Configure servers + +You can add the suggested parameter as a separate file in the [`-config-dir`](/consul/docs/reference/agent#_config_dir) directory from where Consul loads the configuration. This approach helps you keep configurations separate, but you can also include the options in a single configuration file. + +The following example of an agent TLS configuration for Consul servers shows the distributed certificate files. + + + +```hcl +verify_incoming = true +verify_outgoing = true +verify_server_hostname = true +ca_file = "consul-agent-ca.pem" +cert_file = "server.dc1.consul.crt" +key_file = "server.dc1.consul.key" +ports { + http = -1 + https = 8501 +} +``` + +```json +{ + "verify_incoming": true, + "verify_outgoing": true, + "verify_server_hostname": true, + "ca_file": "consul-agent-ca.pem", + "cert_file": "server.dc1.consul.crt", + "key_file": "server.dc1.consul.key", + "ports": { + "http": -1, + "https": 8501 + } +} +``` + + + +Consul can use TLS to verify the authenticity of the servers with [`verify_outgoing`](/consul/docs/reference/agent#verify_outgoing) and [`verify_server_hostname`](/consul/docs/reference/agent#verify_server_hostname). It can also optionally verify client certificates when using [`verify_incoming`](/consul/docs/reference/agent#verify_incoming). + +The example configuration also disables the HTTP port to ensure that there is only encrypted communication. With HTTPS enabled, all CLI, API, and UI communication needs to verify their identity with a certificate. This affects built-in tooling like `consul members` and the UI. + +### Configure clients + +Enable the client configuration to use the certificates and key generated. The following is an example agent TLS configuration. + + + +```hcl +verify_incoming = true +verify_outgoing = true +verify_server_hostname = true +ca_file = "consul-agent-ca.pem" +cert_file = "client.dc1.consul.crt" +key_file = "client.dc1.consul.key" +ports { + http = -1 + https = 8501 +} +``` + +```json +{ + "verify_incoming": true, + "verify_outgoing": true, + "verify_server_hostname": true, + "ca_file": "consul-agent-ca.pem", + "cert_file": "client.dc1.consul.crt", + "key_file": "client.dc1.consul.key", + "ports": { + "http": -1, + "https": 8501 + } +} +``` + + + +This example configuration disables the HTTP port to ensure there is only encrypted communication. Existing clients that are not prepared to use HTTPS cannot connect afterwards. + +### Start Consul agents + +Now that you have configured your Consul agents, start the Consul servers. The startup logs confirm that TLS is enabled: `TLS-Outgoing: true` and `TLS-Incoming: true`. + +```shell-session +$ consul agent -config-dir=/etc/consul.d/ +==> Starting Consul agent... + Version: 'v1.6.2+ent' + Node ID: '80933b30-f4ba-5ba2-64e0-4cf48014904e' + Node name: 'server-dc1-2' + Datacenter: 'dc1' (Segment: '') + Server: true (Bootstrap: true) + Client Addr: [0.0.0.0] (HTTP: -1, HTTPS: 8501, gRPC: -1, DNS: 8600) + Cluster Addr: 10.20.10.12 (LAN: 8301, WAN: 8302) + Encrypt: Gossip: false, TLS-Outgoing: true, TLS-Incoming: true, Auto-Encrypt-TLS: false +``` + +## Configure SANs for server and client certificates + +It is common practice to use `localhost` and `127.0.0.1` as `Subject Alternative Names` in server and client certificates so tools like `curl` can communicate with Consul's HTTPS API when running on the same host. To add one or more SANs in your certificate signing request, append a `-config` option to the command: + +```shell-session +$ openssl req -new -newkey rsa:2048 -nodes -keyout server1.dc1.consul.key -out server1.dc1.consul.csr -subj '/CN=server.dc1.consul' -config <( +cat <<-EOF +[req] +req_extensions = req_ext +distinguished_name = dn +[ dn ] +CN = *.dc1.consul +[ req_ext ] +basicConstraints=CA:FALSE +subjectAltName = @alt_names +[ alt_names ] +DNS.1 = consul.example.com +DNS.2 = localhost +IP.1 = 127.0.0.1 +EOF +) +``` + +Signing a request containing SANs could require different steps and different configurations based on the CA you are using. Refer to your CA admins or to your internal processes to get the request signed. + +Once signed, inspect the certificate to ensure DN and SANs are correctly listed under the `Subject: CN` and `X509v3 Subject Alternative Name` certificate fields. + +```shell-session +$ openssl x509 -text -noout -in server1.dc1.consul.crt +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2e:fa:94:75:21:c6:f7:d9:83:ad:3a:93:65:a8:98:0d:ed:2f:ae:5c + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = CA, L = San Francisco, street = 101 Second Street, postalCode = 94105, O = HashiCorp Inc., CN = Consul Agent CA 110700113239230823036492076258083826915 + Validity + Not Before: Jan 13 11:07:49 2020 GMT + Not After : Jan 12 11:07:49 2021 GMT + Subject: CN = server.dc1.consul + Subject Public Key Info: + ## ... + X509v3 extensions: + ## ... + + X509v3 Subject Alternative Name: + DNS:consul.example.com, DNS:localhost, IP Address:127.0.0.1 + Signature Algorithm: ecdsa-with-SHA256 + ##... +``` + + + +If your infrastructure requires SANs, you need to include the `-config` flag with all your domain names to all the certificate signature request commands. + + + +If your certificate is improperly configured with the proper SANs, you may receive errors when trying to execute commands. + +```shell-session +$ consul members -http-addr="https://localhost:8501" +Error retrieving members: Get https://localhost:8501/v1/agent/members?segment=_all: x509: certificate is valid for server.dc1.consul, not localhost +``` + +## Configure the Consul CLI + +If your datacenter is configured to only communicate using HTTPS, you need to create an additional certificate to continue to access the API and Consul CLI commands. + +First, generate a new certificate. + +```shell-session +$ openssl req -new -newkey rsa:2048 -nodes -keyout cli.client.dc1.consul.key -out cli.client.dc1.consul.csr -subj '/CN=cli.client.dc1.consul' +Generating a RSA private key +....................................................+++++ +...........................+++++ +writing new private key to 'cli.client.dc1.consul.key' +----- +``` + +If you fail to provide the certificate, the Consul CLI returns an error. + +```shell-session +$ consul members -http-addr="https://server.dc1.consul:8501" +Error retrieving members: Get https://server.dc1.consul:8501/v1/agent/members?segment=_all: remote error: tls: bad certificate +``` + +Use the certificates you just created to query Consul. + +```shell-session +$ consul members \ + -http-addr="https://server.dc1.consul:8501" \ + -ca-file="consul-agent-ca.pem" \ + -client-cert="cli.client.dc1.consul.crt" \ + -client-key="cli.client.dc1.consul.key" +``` + +The command returns a list of agents. + +```plaintext hideClipboard +Node Address Status Type Build Protocol DC Segment +server-dc1-1 10.20.10.11:8301 alive server 1.6.2+ent 2 dc1 +server-dc1-2 10.20.10.12:8301 alive server 1.6.2+ent 2 dc1 +client-dc1-1 10.20.10.21:8301 alive client 1.6.2+ent 2 dc1 +``` + +You can also set the following environment variables to avoid having to specify the certificate information with every command + +- Set `CONSUL_HTTP_ADDR` to the URL of the Consul agent and sets the default for `-http-addr`. + + ```shell-session + $ export CONSUL_HTTP_ADDR=https://server.dc1.consul:8501 + ``` + +- Set `CONSUL_CACERT` to the location of your CA certificate and sets the default for `-ca-file`. + + ```shell-session + $ export CONSUL_CACERT=consul-agent-ca.pem + ``` + +- Set `CONSUL_CLIENT_CERT` to the location of your CLI certificate and sets the default for `-client-cert`. + + ```shell-session + $ export CONSUL_CLIENT_CERT=cli.client.dc1.consul.crt + ``` + +- Set `CONSUL_CLIENT_KEY` to the location of your CLI key and sets the default for `-client-key`. + + ```shell-session + $ export CONSUL_CLIENT_KEY=cli.client.dc1.consul.key + ``` + +You need to specify the certificates with all Consul CLI and API commands, including registering services and starting sidecar proxies for Consul service mesh. + +## Configure the Consul UI for HTTPS + +When HTTPS is enabled, you cannot access the UI anymore. We recommend that you pick two Consul agents you want to run the UI on and follow the instructions to get the UI up and running again after creating a new certificate. + +```shell-session +$ openssl req -new -newkey rsa:2048 -nodes -keyout cli.client.dc1.consul.key -out cli.client.dc1.consul.csr -subj '/CN=cli.client.dc1.consul' +Generating a RSA private key +....................................................+++++ +...........................+++++ +writing new private key to 'cli.client.dc1.consul.key' +----- +``` + +### Select an interface to bind to + +Depending on your setup, you might need to change to which interface you are binding. By default, the UI binds to `127.0.0.1`. + +Use [`addresses.https`](/consul/docs/reference/agent#https) or [`client_addr`](/consul/docs/reference/agent#client_addr) to update the interface. Be mindful when updating these values because it also impacts the DNS server. + +We recommend binding to `0.0.0.0`. + + + + +```hcl +ui = true +client_addr = "0.0.0.0" +enable_script_checks = false +disable_remote_exec = true +``` + + + + +```json +{ + "ui": true, + "client_addr": "0.0.0.0", + "enable_script_checks": false, + "disable_remote_exec": true +} +``` + + + + + +Since your Consul agent is now available to the network, verify that [`enable_script_checks`](/consul/docs/reference/agent#_enable_script_checks) is `false` and [`disable_remote_exec`](/consul/docs/reference/agent#disable_remote_exec) is `true`. + +## Access the Consul UI + +There are two ways for you to access the Consul UI. + +1. Add a client certificate to your browser and trust the CA certificate. +1. Enable `verify_incoming_rpc` and disable `verify_incoming`. + +### Add a client certificate to your browser + +If you also want the UI traffic to use mutual TLS, add a client certificate to your browser. This limits UI access to browsers where the certificate is present. If you fail to provide the Consul CA, you cannot access the Consul UI. + + Trust your Consul CA (`consul-agent-ca.pem`) on your machine to resolve this issue. After you trust the CA, you can access the UI. + +```shell-session +$ curl https://consul.example.com:8501/ui/ --resolve 'consul.example.com:8501:127.0.0.1' -I +HTTP/2 200 +## ... +``` + +### Enable `verify_incoming_rpc` and disable `verify_incoming` +When `verify_incoming` is enabled, Consul requires that all incoming connections make use of TLS and that the client provides a certificate signed by a CA from the `ca_file` or `ca_path`. This restriction applies to both server RPC and to the HTTPS API. + +Because the browser does not present a certificate signed by your CA, you cannot access the UI. If you `curl` your HTTPS UI, it returns an error. + +```shell-session +$ curl https://server.dc1.consul:8501/ui/ --cacert consul-agent-ca.pem -I +curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate +``` + +The Consul HTTPS server denys your connection because you are not presenting a client certificate signed by your Consul CA. You can configure Consul to use `verify_incoming` for RPC, but not for HTTPS. + + + +```hcl +verify_incoming = false +verify_incoming_rpc = true +``` + +```json +{ + "verify_incoming": false, + "verify_incoming_rpc": true +} +``` + + + +When you apply this example configuration, you can access the UI. + +```shell-session +$ curl https://server.dc1.consul:8501/ui/ --cacert consul-agent-ca.pem -I +HTTP/2 200 +## ... +``` diff --git a/website/content/docs/secure/index.mdx b/website/content/docs/secure/index.mdx new file mode 100644 index 00000000000..9e8e8808449 --- /dev/null +++ b/website/content/docs/secure/index.mdx @@ -0,0 +1,22 @@ +--- +layout: docs +page_title: Secure Consul +description: >- + This topic provides an overview of securing Consul. You can control access Consul with access control lists (ACLs), encrypt its network traffic with gossip encryption/TLS, or learn more about its security model. +--- + +# Secure Consul + +This page describes tools and processes to secure Consul operations. + +## Access control list (ACLs) + +Consul provides an optional access control list (ACL) system that you can use to control access to data and APIs. Refer to the [ACLs documentation](/consul/docs/secure/acl) for more information. + +## Encryption + +The Consul agent supports encrypting all of its network traffic. There are two separate encryption systems, one for gossip traffic and one for HTTP and RPC. Refer to the [Encryption page](/consul/docs/secure/encryption) for more information. + +## Security models + +Requirements and recommendations for operating a secure Consul deployment may vary drastically depending on your intended workloads, operating system, and environment. Refer to [Security models](/consul/docs/secure-consul/security-model) to find detailed information about the various personas, recommendations, requirements, and threats. diff --git a/website/content/docs/secure/security-model/core.mdx b/website/content/docs/secure/security-model/core.mdx new file mode 100644 index 00000000000..0d44d662abf --- /dev/null +++ b/website/content/docs/secure/security-model/core.mdx @@ -0,0 +1,270 @@ +--- +layout: docs +page_title: Consul Core security model +description: >- + The security model for Consul Core details requirements and recommendations for securing your deployment of Consul. Learn about potential threats and how to protect Consul from malicious actors. +--- + +# Consul Core security model + +Consul enables automation of network configurations, service discovery, and secure network connectivity across any cloud or runtime. + +Consul uses a lightweight gossip and RPC system which provides various essential features. You can use both systems to enable confidentiality, integrity and authentication. + +Using defense in depth is crucial for Consul security, and deployment requirements may differ drastically depending on your use case. Some security features for multi-tenant deployments are offered exclusively in the [Enterprise](/consul/docs/enterprise) version. This documentation may need to be adapted to your environment, but the general mechanisms for a secure Consul deployment revolve around: + +- **mTLS** - Mutual authentication of both the TLS server and client x509 certificates prevents internal abuse from unauthorized access to network components within the cluster. + +- **ACLs** - Enable role-based access controls for authenticated connections by granting capabilities for an individual human, or machine operator identity via an ACL token to authorize actions within a cluster. Optionally, custom [authentication methods](/consul/docs/secure-consul/acl/auth-methods) can be used to enable trusted external parties to authorize ACL token creation. + +- **Namespaces** - Read and write operations can be scoped to a logical namespace to restrict access to Consul components within a multi-tenant environment. + +- **Sentinel policies** - Sentinel policies enable policy-as-code for granular control over the built-in key-value store. + +## Personas + +It helps to consider the following types of personas when managing the security requirements of a Consul deployment. The granularity may change depending on your team's requirements. + +- **System administrator** - They have access to the underlying infrastructure to the Consul cluster. Often they have access to SSH or RDP directly into a server within a cluster through a bastion host. Ultimately they have read, write and execute permissions for the actual Consul binary. This binary is the same for server and client agents using different configuration files. These users potentially have sudo, administrative, or some other super-user access to the underlying compute resource. They have access to all persisted data on disk, or in memory. This would include ACL tokens, certificates, and other secrets stored on the system. Users like these are essentially totally trusted, as they have administrative rights to the underlying operating-system with the ability to configure, start, and stop the agent. + +- **Consul administrator** - They have access to define the Consul agent configurations for servers and clients, and/or have a Consul management ACL token. They also have total rights to all of the parts in the Consul system including the ability to manage all services within a cluster. For some organizations, this role and the system administrator role may be the same person. + +- **Consul operator** - They likely have restricted capabilities to use their namespace within a cluster. + +- **Developer** - They are responsible for creating, and possibly deploying applications connected, or configured with Consul. In some cases they may have no access, or limited capabilities to view Consul information, such as through metrics, or logs. + +- **User** - They are the end user, using applications backed by services managed by Consul. In some cases services may be public facing on the internet such as a web server, typically through a load-balancer, or ingress gateway. This is someone who should not have any network access to the Consul agent APIs. + +## Secure configuration + +Consul's security model is applicable only if all parts of the system are running with a secure configuration; **Consul is not secure-by-default.** Without the following mechanisms enabled in Consul's configuration, it may be possible to abuse access to a cluster. Like all security considerations, administrators must determine what is appropriate for their environment and adapt these configurations accordingly. + +### Requirements + +- **mTLS** - Mutual authentication of both the TLS server and client x509 certificates prevents internal abuse through unauthorized access to Consul agents within the cluster. + + - [`tls.defaults.verify_incoming`](/consul/docs/reference/agent#tls_defaults_verify_incoming) - By default this is false, and should almost always be set to true to require TLS verification for incoming client connections. This applies to the internal RPC, HTTPS and gRPC APIs. + + - [`tls.https.verify_incoming`](/consul/docs/reference/agent#tls_https_verify_incoming) - By default this is false, and should be set to true to require clients to provide a valid TLS certificate when the Consul HTTPS API is enabled. TLS for the API may be not be necessary if it is exclusively served over a loopback interface such as `localhost`. + + - [`tls.internal_rpc.verify_incoming`](/consul/docs/reference/agent#tls_internal_rpc_verify_incoming) - By default this is false, and should almost always be set to true to require clients to provide a valid TLS certificate for Consul agent RPCs. + + - [`tls.grpc.verify_incoming`](/consul/docs/reference/agent#tls_grpc_verify_incoming) - By default this is false, and should be set to true to require clients to provide a valid TLS certificate when the Consul gRPC API is enabled. TLS for the API may be not be necessary if it is exclusively served over a loopback interface such as `localhost`. + + - [`tls.internal_rpc.verify_outgoing`](/consul/docs/reference/agent#tls_internal_rpc_verify_outgoing) - By default this is false, and should be set to true to require TLS for outgoing connections from server or client agents. Servers that specify `verify_outgoing = true` will always talk to other servers over TLS, but they still accept non-TLS connections to allow for a transition of all clients to TLS. Currently the only way to enforce that no client can communicate with a server unencrypted is to also enable `verify_incoming` which requires client certificates too. + + - [`enable_agent_tls_for_checks`](/consul/docs/reference/agent#enable_agent_tls_for_checks) - By default this is false, and should almost always be set to true to require mTLS to set up the client for HTTP or gRPC health checks. This was added in Consul 1.0.1. + + - [`tls.internal_rpc.verify_server_hostname`](/consul/docs/reference/agent#tls_internal_rpc_verify_server_hostname) - By default this is false, and should be set to true to require that the TLS certificate presented by the servers matches `server..` hostname for outgoing TLS connections. The default configuration does not verify the hostname of the certificate, only that it is signed by a trusted CA. This setting is critical to prevent a compromised client agent from being restarted as a server and having all cluster state including all ACL tokens and service mesh CA root keys replicated to it. This setting was introduced in 0.5.1. From version 0.5.1 to 1.4.0 we documented that `verify_server_hostname` being true implied verify_outgoing however due to a bug this was not the case so setting only `verify_server_hostname` results in plaintext communication between client and server. See [CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) for more details. This is fixed in 1.4.1. + + - [`auto_encrypt`](/consul/docs/reference/agent#auto_encrypt) - Enables automated TLS certificate distribution for client agent RPC communication using the service mesh CA. Using this configuration a [`ca_file`](/consul/docs/reference/agent#tls_defaults_ca_file) and ACL token would still need to be distributed to client agents. + + - [`allow_tls`](/consul/docs/reference/agent#allow_tls) - By default this is false, and should be set to true on server agents to allow certificates to be automatically generated and distributed from the service mesh CA to client agents. + + - [`tls`](/consul/docs/reference/agent#tls) - By default this is false, and should be set to true on client agents to automatically request a client TLS certificate from the server's service mesh CA. + + + + + ```hcl + tls { + defaults { + verify_incoming = true + verify_outgoing = true + ca_file = "consul-agent-ca.pem" + cert_file = "dc1-server-consul-0.pem" + key_file = "dc1-server-consul-0-key.pem" + verify_server_hostname = true + } + } + + auto_encrypt { + allow_tls = true + } + ``` + + + + + ```hcl + tls { + defaults { + verify_incoming = false + verify_outgoing = true + ca_file = "consul-agent-ca.pem" + verify_server_hostname = true + } + } + + auto_encrypt { + tls = true + } + ``` + + + + + + The example client agent TLS configuration sets [`verify_incoming`](/consul/docs/reference/agent#tls_defaults_verify_incoming) to false which assumes all incoming traffic is restricted to `localhost`. The primary benefit for this configuration is to avoid provisioning client TLS certificates (in addition to ACL tokens) for all tools or applications using the local Consul agent. In this case, ACLs should be enabled to provide authorization and only ACL tokens would need to be distributed. + + + +- **ACLs** - The access control list (ACL) system provides a security mechanism for Consul administrators to grant capabilities tied to an individual human, or machine operator identity. To ultimately secure the ACL system, administrators should configure the [`default_policy`](/consul/docs/reference/agent#acl_default_policy) to "deny". + + The [ACL system](/consul/docs/secure-consul/acl) is comprised of five major components: + + 1. **🗝 Token** - API key associated with policies, roles, or service identities. + + 1. **📜 Policy** - Set of rules to grant or deny access to various Consul resources. + + 1. **🎭 Role** - Grouping of policies, and service identities. + + 1. **👤 Service or Node Identity** - Synthetic policy granting a predefined set of permissions typical for services deployed within Consul. + + 1. **🏷 Namespace** - a named, logical scoping of Consul Enterprise resources, typically to enable multi-tenant environments. Consul CE clusters always operate within the "default" namespace. + +- **Gossip encryption** - A shared, base64-encoded 32-byte symmetric key is required to [encrypt Serf gossip communication](/consul/docs/secure-consul/encryption/gossip) within a cluster using AES GCM. The key size determines which AES encryption types to use; 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256 respectively. 32-byte keys are ultimately preferable and is the default size generated by the [`keygen`](/consul/commands/keygen) command. This key should be [regularly rotated](https://support.hashicorp.com/hc/en-us/articles/360044051754-Consul-Gossip-Key-Rotation) using the builtin [keyring management](/consul/commands/keyring) features of Consul. + + Two optional gossip encryption options enable Consul servers without gossip encryption to safely upgrade. After upgrading, the verification options should be enabled, or removed to set them to their default state: + + - [`encrypt_verify_incoming`](/consul/docs/reference/agent#encrypt_verify_incoming) - By default this is true to enforce encryption on _incoming_ gossip communications. + + - [`encrypt_verify_outgoing`](/consul/docs/reference/agent#encrypt_verify_outgoing) - By default this is true to enforce encryption on _outgoing_ gossip communications. + +- **Namespaces** - Read and write operations should be scoped to logical namespaces to restrict access to Consul components within a multi-tenant environment. Furthermore, this feature can be used to enable a self-service approach to Consul ACL administration for teams within a scoped namespace. + +- **Sentinel policies** - Sentinel policies allow for granular control over the builtin key-value store. + +- **Ensure script checks are disabled** - Consul's agent optionally has an HTTP API, which can be exposed beyond `localhost`. If this is the case, `enable_script_checks` must be false otherwise, even with ACLs configured, script checks present a remote code execution threat. `enable_local_script_checks` provides a secure alternative if the HTTP API must be exposed and is available from 1.3.0 on. This feature was also back-ported to patch releases 0.9.4, 1.1.1, and 1.2.4 as described here. This is not enabled by default. + +- **Ensure remote execution is disabled** - Consul includes a consul exec feature allowing execution of arbitrary commands across the cluster. This is disabled by default since 0.8.0. We recommend leaving it disabled. If enabled, extreme care must be taken to ensure correct ACLs restrict access to execute arbitrary code on the cluster. + +### Recommendations + +- **Rotate credentials** - Using short-lived credentials and rotating them frequently is highly recommended for production environments to limit the blast radius from potentially compromised secrets, and enabling basic auditing. + + - **ACL tokens** - Consul APIs require an ACL token to authorize actions within a cluster. + + - **X.509 certificates** - Rotate certificates used by the Consul agent; e.g. integrate with Vault's PKI secret engine to automatically generate and renew dynamic, unique X.509 certificates for each Consul node with a short TTL. Client certificates can be automatically rotated by Consul when using `auto_encrypt` such that only server certificates would be managed by Vault. + + - **Gossip keys** - Rotating the encryption keys used by the internal gossip protocol for Consul agents can be regularly rotated using the builtin keyring management features. + +- **Running without root** - Consul agents can be run as unprivileged users that only require access to the data directory. + +- **Linux security modules** - Use of security modules that can be directly integrated into operating systems such as AppArmor, SElinux, and Seccomp on Consul agent hosts. + +- **Customize TLS settings** - TLS settings such as the [available cipher suites](/consul/docs/reference/agent#tls_defaults_tls_cipher_suites), should be tuned to fit the needs of your environment. + + - [`tls_min_version`](/consul/docs/reference/agent#tls_defaults_tls_min_version) - Used to specify the minimum TLS version to use. + + - [`tls_cipher_suites`](/consul/docs/reference/agent#tls_defaults_tls_cipher_suites) - Used to specify which TLS cipher suites are allowed. + +- **Customize HTTP response headers** - Additional security headers, such as [`X-XSS-Protection`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection), can be [configured](/consul/docs/reference/agent#response_headers) for HTTP API responses. + + ```hcl + http_config { + response_headers { + "X-Frame-Options" = "DENY" + } + } + ``` + +- **Customize default limits** - Consul has builtin features with default connection limits that should be tuned to fit your environment. + + - [`http_max_conns_per_client`](/consul/docs/reference/agent#http_max_conns_per_client) - Used to limit concurrent access from a single client to the HTTP(S) endpoint on Consul agents. + + - [`https_handshake_timeout`](/consul/docs/reference/agent#https_handshake_timeout) - Used to timeout TLS connection for the HTTP(S) endpoint for Consul agents. + + - [`rpc_handshake_timeout`](/consul/docs/reference/agent#rpc_handshake_timeout) - Used to timeout TLS connections for the RPC endpoint for Consul agents. + + - [`rpc_max_conns_per_client`](/consul/docs/reference/agent#rpc_max_conns_per_client) - Used to limit concurrent access from a single client to the RPC endpoint on Consul agents. + + - [`rpc_rate`](/consul/docs/reference/agent#rpc_rate) - Disabled by default, this is used to limit (requests/second) for client agents making RPC calls to server agents. + + - [`rpc_max_burst`](/consul/docs/reference/agent#rpc_max_burst) - Used as the token bucket size for client agents making RPC calls to server agents. + + - [`kv_max_value_size`](/consul/docs/reference/agent#kv_max_value_size) - Used to configure the max number of bytes in a key-value API request. + + - [`txn_max_req_len`](/consul/docs/reference/agent#txn_max_req_len) - Used to configure the max number of bytes in a transaction API request. + +- **Secure UI access** - Access to Consul's builtin UI can be secured in various ways: + + - **mTLS** - Enabling the HTTPS with mutual TLS authentication is recommended, but requires extra tooling to terminate the mTLS connection, preferably on an operator's local machine using a proxy script. To do this, refer to [Configure the Consul UI for HTTPS](/consul/docs/secure-consul/encryption/tls/openssl#configure-the-consul-ui-for-https). + + - **TLS** - Enabling the HTTPS is recommended where mTLS may not be required for UI access, such as when ACLs are configured with a default deny. To do this, refer to [Configure the Consul UI for HTTPS](/consul/docs/secure-consul/encryption/tls/openssl#configure-the-consul-ui-for-https). + + - **ACL** - ACLs with a default deny policy enables safer UI access by preventing unauthorized access to sensitive components within the cluster. Refer to [ACLs](/consul/docs/secure/acl) documentation to learn more about ACLs and how to [bootstrap](/consul/docs/secure-consul/acl/bootstrap) the ACLs system. + + - **Restrict HTTP writes** - Using the [`allow_write_http_from`](/consul/docs/reference/agent#allow_write_http_from) configuration option to restrict write access for agent endpoints to hosts on the specified list of CIDRs. + + + + ```hcl + http_config { + allow_write_http_from = ["127.0.0.0/8"] + } + ``` + + + +## Threat model + +The following are parts of the core Consul threat model: + +- **Consul agent-to-agent communication** - Communication between Consul agents should be secure from eavesdropping. This requires transport encryption to be enabled on the cluster and covers both TCP and UDP traffic. + +- **Consul agent-to-CA communication** - Communication between the Consul server and the configured certificate authority provider for service mesh is always encrypted. + +- **Tampering of data in transit** - Any tampering should be detectable and cause Consul to avoid processing the request. + +- **Access to data without authentication or authorization** - All requests must be authenticated and authorized. This requires that ACLs are enabled on the cluster with a default deny mode. + +- **State modification or corruption due to malicious messages** - Ill-formatted messages are discarded and well-formatted messages require authentication and authorization. + +- **Non-server members accessing raw data** - All servers must join the cluster (with proper authentication and authorization) to begin participating in Raft. Raft data is transmitted over TLS. + +- **Denial of Service against a node** - DoS attacks against a node should not compromise the security stance of the software. + +- **Communication between mesh services** - Communications between two mesh-enabled services (natively or by sidecar proxy) should be secure from eavesdropping and provide authentication. This is achieved via mutual TLS. + +The following are not part of the threat model for server agents: + +- **Access (read or write) to the Consul data directory** - All Consul servers, including non-leaders, persist the full set of Consul state to this directory. The data includes all KV, service registrations, ACL tokens, service mesh CA configuration, and more. Any read or write to this directory allows an attacker to access and tamper with that data. + +- **Access (read or write) to the Consul configuration directory** - Consul configuration can enable or disable the ACL system, modify data directory paths, and more. Any read or write of this directory allows an attacker to reconfigure many aspects of Consul. By disabling the ACL system, this may give an attacker access to all Consul data. + +- **Memory access to a running Consul server agent** - If an attacker is able to inspect the memory state of a running Consul server agent the confidentiality of almost all Consul data may be compromised. If you're using an external service mesh CA, the root private key material is never available to the Consul process and can be considered safe. Service service mesh TLS certificates should be considered compromised; they are never persisted by server agents but do exist in-memory during at least the duration of a Sign request. + +The following are not part of the threat model for client agents: + +- **Access (read or write) to the Consul data directory** - Consul clients will use the data directory to cache local state. This includes local services, associated ACL tokens, service mesh TLS certificates, and more. Read or write access to this directory will allow an attacker to access this data. This data is typically a smaller subset of the full data of the cluster. + +- **Access (read or write) to the Consul configuration directory** - Consul client configuration files contain the address and port information of services, default ACL tokens for the agent, and more. Access to Consul configuration could enable an attacker to change the port of a service to a malicious port, register new services, and more. Further, some service definitions have ACL tokens attached that could be used cluster-wide to impersonate that service. An attacker cannot change cluster-wide configurations such as disabling the ACL system. + +- **Memory access to a running Consul client agent** - The blast radius of this is much smaller than a server agent but the confidentiality of a subset of data can still be compromised. Particularly, any data requested against the agent's API including services, KV, and service mesh information may be compromised. If a particular set of data on the server was never requested by the agent, it never enters the agent's memory since replication only exists between servers. An attacker could also potentially extract ACL tokens used for service registration on this agent, since the tokens must be stored in-memory alongside the registered service. + +- **Network access to a local service mesh proxy or service** - Communications between a service and a mesh-aware proxy are generally unencrypted and must happen over a trusted network. This is typically a loopback device. This requires that other processes on the same machine are trusted, or more complex isolation mechanisms are used such as network namespaces. This also requires that external processes cannot communicate to the mesh service or sidecar proxy (except on the inbound port). Therefore, non-native service mesh applications should only bind to non-public addresses. + +- **Improperly Implemented service mesh proxy or service** - A service mesh proxy or natively integrated service must correctly serve a valid leaf certificate, verify the inbound TLS client certificate, and call the Consul agent-local authorized endpoint. If any of this isn't performed correctly, the proxy or service may allow unauthenticated or unauthorized connections. + +### Internal threats + +- **Operator** - A malicious internal Consul operator with a valid mTLS certificate and ACL token may still be a threat to your cluster in certain situations, especially in multi-team deployments. They may accidentally or intentionally abuse access to Consul components which can help be protected against using Namespace, and Sentinel policies. + +- **Application** - A malicious internal application, such as a compromised third-party dependency with access to a Consul agent, along with the TLS certificate or ACL token used by the local agent, could effectively do anything the token permits. Consider enabling HTTPS for the local Consul agent API, enforcing full mutual TLS verification, segmenting services using namespaces, as well as configuring OS users, groups, and file permissions to build a defense-in-depth approach. + +- **RPC** - Malicious actors with access to a Consul agent RPC endpoint may be able to impersonate Consul server agents if mTLS is not properly configured to verify the client TLS certificate identity. Consul should also have ACLs enabled with a default policy explicitly set to deny to require authorization. + +- **HTTP** - Malicious actors with access to a Consul agent HTTP(S) endpoint may be able to impersonate the agent's configured identity, and extract information from Consul when ACLs are disabled. + +- **DNS** - Malicious actors with access to a Consul agent DNS endpoint may be able to extract service catalog information. + +- **Gossip** - Malicious actors with access to a Consul agent Serf gossip endpoint may be able to impersonate agents within a datacenter. Gossip encryption should be enabled, with a regularly rotated gossip key. + +- **Proxy (xDS)** - Malicious actors with access to a Consul agent xDS endpoint may be able to extract Envoy service information. When ACLs and HTTPS are enabled, the gRPC endpoint serving up the xDS service requires (m)TLS and a valid ACL token. + +### External threats + +- **Agents** - External access to the Consul agent's various network endpoints should be considered including the gossip, HTTP, RPC, and gRPC ports. Furthermore, access through other services like SSH or `exec` functionality in orchestration systems such as Nomad and Kubernetes may expose unencrypted information persisted to disk including TLS certificates or ACL tokens. Access to the Consul agent directory is explicitly outside the scope of Consul's threat model and should only be exposed to authenticated and authorized users. + +- **Gateways** - Consul supports a variety of [gateways](/consul/docs/connect/gateways) to allow traffic in-and-out of the service mesh to support a variety of workloads. When using an internet-exposed gateway, you should be sure to harden your Consul agent and host configurations. In most configurations, ACLS, gossip encryption, and mTLS should be enforced. If an [escape hatch override](/consul/docs/reference/proxy/envoy#escape-hatch-overrides) is required, the proxy configuration should be audited to ensure security configurations remain intact, and do not violate Consul's security model. diff --git a/website/content/docs/secure/security-model/cts.mdx b/website/content/docs/secure/security-model/cts.mdx new file mode 100644 index 00000000000..074b64bd8c1 --- /dev/null +++ b/website/content/docs/secure/security-model/cts.mdx @@ -0,0 +1,103 @@ +--- +layout: docs +page_title: Consul-Terraform-Sync (CTS) security model +description: >- + The Consul-Terraform-Sync (CTS) security model details requirements and recommendations for securing your CTS deployment. Learn about potential threats and how to protect CTS from malicious actors. +--- + +# Consul-Terraform-Sync (CTS) security model + +Network Infrastructure Automation (NIA) enables dynamic updates to network infrastructure devices triggered by service changes using the [Consul-Terraform-Sync](https://github.com/hashicorp/consul-terraform-sync) (`consul-terraform-sync`) daemon. This daemon uses Consul's catalog to monitor networking information about services along with [Terraform](https://www.terraform.io/)'s provider ecosystem to apply relevant changes to network infrastructure. + +Complete the [Automate your network configuration with Consul-Terraform-Sync](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync) tutorial for hands-on guidance for deploying a secure Consul-Terraform-Sync installation for a production environment. + +## Personas + +When considering Consul NIA's security model, it helps to think of the following personas. + +- **System administrators** - They have access to the underlying infrastructure of the `consul-terraform-sync` daemon, and possibly the core Consul service. Often they have access to SSH directly into a server within a cluster through a bastion host. Ultimately they have read, write, and execute permissions for the `consul-terraform-sync` binary. These users potentially have sudo, administrative, or some other privileged access to the underlying compute resource. +- **Consul NIA operators** - They have access to define the `consul-terraform-sync` configuration, a Consul ACL token, and other secrets used to interact with various network infrastructure APIs. They have full access to all parts of `consul-terraform-sync` including the ability to configure, start, and stop the daemon. +- **Developers** - They are responsible for creating and deploying applications connected or configured with Consul. In some cases, they may have no access or limited capabilities to view Consul information, such as through metrics, or logs. +- **Users** - They are the end-user who consumes the applications and other services managed by the NIA daemon, and should have no knowledge or access to the daemon's API endpoints, ACL tokens, certificates, or any other piece of the system. + +## Secure configuration + +Consul NIA's security model is applicable only if all parts of the system are running with a secure configuration; `consul-terraform-sync` is not secure-by-default. Without the following mechanisms enabled in the daemon's configuration, it may be possible to abuse access to the daemon. Like all security considerations, one must determine what concerns are appropriate for their environment, and adapt these security concerns accordingly. + +### Requirements + +- **Protect configuration files and directories** - A dedicated NIA user and group with limited permissions should be created for production, along with directory, and file permissions appropriately scoped for your operating environment. + + The following example commands to illustrate creating a dedicated `consul-nia` system user, along with the supporting directories, configuration file, and securing those permissions using [`chown`](https://en.wikipedia.org/wiki/Chown) and [`chmod`](https://en.wikipedia.org/wiki/Chmod): + + ```shell-session hideClipboard + $ useradd --system --shell /bin/false consul-nia + $ mkdir -p /consul-nia/data + $ mkdir -p /consul-nia/config + $ echo "{ ... }" > /consul-nia/config/file.hcl + $ chown --recursive consul-nia:consul-nia /consul-nia + $ chmod -R 0750 consul-nia/ + ``` + +- **Protect Consul KV path or namespaces** - The daemon can monitor Consul services in other Namespaces. This can be limited based on the ACL token used for the daemon. + +- **Use Consul ACLs** - The access control list (ACL) system within Consul can be used to restrict access to only the required parts of Consul for the NIA daemon to operate. + - **Read and write** permission for Consul KV to the specified path, and namespace. + - **Read** permission for Consul Catalog for all of the selected services to be monitored, and their namespaces. + - **Read and write** permission to update health checks, when using NIA health monitoring. + +### Recommendations + +- **Use Dedicated Host** - The NIA daemon will potentially have access to critical secrets for your environment's network infrastructure. Using a hardened, dedicated host, for supporting these sensitive operations is highly recommended. + +- **Run without Root** - The NIA daemon does not require root or other administrative privileges to operate. + +- **Protect NIA Daemon API Endpoint** - Any network endpoints provided by, or exposed to the NIA Daemon should be protected using Consul service mesh and appropriate firewall rules. + +- **Use a centralized logging solution** - Export log entries within [syslog](https://en.wikipedia.org/wiki/Syslog) generated from `consul-terraform-sync` to a centralized logging solution. + +- **Audit used Terraform providers** - [Terraform providers](/terraform/language/providers) that are configured with the NIA daemon should be audited to ensure you're only using providers from sources that you trust. + +## Threat model + +The following are the parts of the NIA threat model: + +- **Consul agent communication** - In order to monitor the Consul Catalog for changes, the NIA daemon interacts with Consul's HTTP API on a local or remote server agent. This communication requires TLS transport encryption, preferably using mTLS for mutual authentication. + +- **NIA Terraform communication** - Network connectivity to downstream infrastructure APIs managed by the NIA daemon's Terraform runs will need to be properly configured for secure access. + +- **Tampering of data in transit** - Any tampering should be detectable and cause the daemon to avoid processing the request. + +- **Access to data without authentication or authorization** - Requests to the Consul agent should be authenticated and authorized using (m)TLS and ACLs respectively. ACLs should be configured with the minimal permissions required for your environment. + +- **Denial-of-Service (DoS)** - DoS attacks against the NIA Daemon should not compromise the security of Consul, or Terraform, but may impact any networking components relying on updates from the daemon to properly handle traffic within the network. Access to the daemon should be prevented using firewall rules. + +The following are not a part of the threat model, as the NIA Daemon expects a secure configuration, while always providing the default options for testing in local environments which cannot be automatically configured to be both secure, and easily usable. However, these are valid concerns for Administrators and Operators to evaluate when hardening a production deployment: + +- **Access (read or write) to the Consul NIA configuration files or directory** - Necessary configuration for the daemon process can be loaded from a single file or a directory of files. These configurations may contain secrets and can enable/disable insecure features, or Terraform providers. + +- **Access (read or write) to the Consul NIA Consul KV path** - Access to the daemon's Consul KV path may leak sensitive information such as usernames, passwords, certificates, and tokens used by Terraform to provision infrastructure. + +- **Memory access to a running Consul-Terraform-Sync process** - Direct access to the memory of running the daemon process allows an attacker to extract sensitive information. + +- **Memory access to a running Terraform process** - Direct access to the memory of running the Terraform process managed by the daemon process allows an attacker to extract sensitive information. + +- **Access to the Terraform binary** - Direct access to the Terraform binary used by the NIA daemon can allow an attacker to extract sensitive information. + +- **Access to the Consul-Terraform-Sync binary** - Direct access to the system binary used to start the NIA daemon can allow an attacker to extract sensitive information. + +### Internal threats + +- **NIA operator** - Someone with access to the NIA Host, and it's related binaries or configuration files may be a threat to your deployment, especially considering multi-team deployments. They may accidentally or intentionally use a malicious Terraform provider, or extract various secrets to cause harm to the network. Access to the NIA host should be guarded. + +- **Consul operator** - Someone with access to the backend Consul cluster, similar to the NIA Operator, which can perform actions that may trigger Terraform runs. They may also have access to the namespace and KV path of the NIA daemon, which could give unintended access to Terraform's state file, which contains sensitive information. ACL permissions for Consul should be carefully audited to ensure that no policies may be leaking the state file containing sensitive information to other Consul operators unintentionally within the cluster. + +- **System-bound attackers** - Multi-tenant environments, especially container orchestrators, can introduce a number of security concerns. These may include shared secrets, host volume access, and other sources of potential pivoting, or privilege escalation from attackers with operating system-level access, or side-car container access, through various means. Extra steps to configuring OS, cluster, service, user, directory, and file permissions are essential steps for implementing defense-in-depth within a production environment. + +### External Threats + +- **Terraform providers and modules** - Potentially malicious providers or modules, or any malicious dependencies part of the Terraform ecosystem could cause harm to the network, and may have access to secrets in order to make necessary network changes. Terraform provider configuration should be audited, pinned to a version, and audited for potential typo-squatting issues from the Terraform Registry. + +- **Network-bound attackers** - Whenever a service is exposed to the open internet, which may be the case, you really need to consider external network attackers which may seek-out hidden, unauthenticated, or otherwise vulnerable endpoints. This can lead to larger security concerns when able to pivot to internal resources from an external one. + +- **Leaking secrets** - TLS certificates and tokens used by the Consul NIA daemon can enable external attackers to access Consul, or Terraform resources. These secrets shouldn't be hardcoded into configs uploaded to public places like GitHub. diff --git a/website/content/docs/secure/security-model/index.mdx b/website/content/docs/secure/security-model/index.mdx new file mode 100644 index 00000000000..2d94d7e57ef --- /dev/null +++ b/website/content/docs/secure/security-model/index.mdx @@ -0,0 +1,18 @@ +--- +layout: docs +page_title: Security Models - Overview +description: >- + Security models are the set of requirements and recommendations for securely operating a Consul deployment. Learn about security models and how they differ between environments. +--- + +# Security models overview + +Requirements and recommendations for operating a secure Consul deployment may vary drastically depending on your intended workloads, operating system, and environment. Consul is not secure by default, but can be configured to satisfy the security requirements for a wide-range of use cases from local developer environments without any configuration to container orchestrators in-production with ACL authorization, and mTLS authentication. + +### Core + +The core Consul product provides several options for enabling encryption, authentication, and authorization controls for a cluster. Refer to [Consul Core security model](/consul/docs/secure-consul/security-model/core) to learn more about the various personas, recommendations, requirements, and threats. + +### Consul-Terraform-Sync (CTS) + +[Consul-Terraform-Sync](/consul/docs/cts) (CTS) enables dynamic updates to network infrastructure devices triggered by service changes. Both the core Consul product's configuration and the configuration for the `consul-terraform-sync` daemon used by CTS can affect the security of your deployment. Refer to [CTS security model](/consul/docs/secure-consul/security-model/cts) to learn more about the various personas, recommendations, requirements, and threats. diff --git a/website/content/docs/security/acl/acl-federated-datacenters.mdx b/website/content/docs/security/acl/acl-federated-datacenters.mdx deleted file mode 100644 index 80a5ad3b933..00000000000 --- a/website/content/docs/security/acl/acl-federated-datacenters.mdx +++ /dev/null @@ -1,238 +0,0 @@ ---- -layout: docs -page_title: ACL Setup for WAN Federated Datacenters -description: >- - Consul's access control list (ACL) system can span multiple datacenters that are WAN federated. Learn how to replicate the ACL system from the primary datacenter to secondary datacenters using a replication token. ---- - -# ACLs in Federated Datacenters - -This topic describes how to set up Consul's access control list (ACL) system -in cluster deployments that span multiple data centers. This documentation is applicable -to new clusters rather than existing clusters. - -# Requirements - -Consul versions 1.4.0 and later - -## Configure ACLs in the Primary Datacenter - -In a [federated Consul deployment](/consul/docs/k8s/deployment-configurations/multi-cluster), one of the datacenters is marked as the primary datacenter. -The `acl` configuration block should be added to the primary datacenter server's configuration file -as shown in the following example. - -See the [ACL Config Stanza](/consul/docs/agent/config/config-files#acl) for more detailed descriptions of each option. - --> **Versions before 1.11.0:** The `initial_management` token was called the `master` token in versions -prior to 1.11.0 - - - -```hcl -bootstrap_expect = 3 -primary_datacenter = "PRIMARY_DATACENTER_VALUE" -acl = { - enabled = true - default_policy = "deny" - down_policy = "deny" - enable_token_persistence = true - enable_token_replication = true - tokens = { - initial_management = "ACL_MANAGEMENT_TOKEN" - agent = "YOUR_ACL_AGENT_TOKEN" - } -} - -``` - -```json -{ - "bootstrap_expect": 3, - "primary_datacenter": "PRIMARY_DATACENTER_VALUE", - "acl": { - "enabled": true, - "default_policy": "deny", - "down_policy": "deny", - "enable_token_persistence": true, - "enable_token_replication": true, - "tokens": { - "initial_management": "ACL_MANAGEMENT_TOKEN", - "agent": "ACL_AGENT_TOKEN" - } - } -} -``` - - - -~> **Warning:** Note that most enterprise deployments have security requirements that prevent specifying tokens in configuration files. -The `enable_token_persistence` flag is also set in the configuration example so that the token is stored to disk in the agent's -[data directory](/consul/docs/agent/config/config-files#_data_dir). Any future changes to the token that are made through the [API](/consul/api-docs/agent#update-acl-tokens) will -be persisted to the same location, and the value in the config file will be ignored. - -The ACL agent token can also be set using the [`consul acl set-agent-token`](/consul/commands/acl/set-agent-token) CLI as shown below. - -```shell-session -$ consul acl set-agent-token agent "" -``` - -## Configure Servers in Secondary Datacenters - -Servers in secondary data centers must be configured to point to the primary data center -as shown in the following example. Secondary data centers also need the ACL replication token -provided to them. - -### Create the replication token for ACL Management - -Replication tokens are needed for ACL token replication and -to create both [configuration entries](/consul/docs/agent/config-entries) and [auth methods](/consul/docs/security/acl/auth-methods) -in connected secondary datacenters. - -Replication tokens require the following permissions: - -- `acl = "write"`: The permission allows you to replicate tokens. -- `operator = "write"`: This permission enables the `proxy-default` configuration entries to be replicated and enables CA certificate signing in the secondary datacenter. -- `policy = "read"` and `intentions = "read"` in the `service_prefix` field: These permissions enable `service-default` configuration entries, CA, and intention data to be replicated for all services. - - - - - -```hcl -acl = "write" -operator = "write" -service_prefix "" { - policy = "read" - intentions = "read" -} -``` - - - - -Create a replication policy with the following command: - -```shell-session -$ consul acl policy create -name replication -rules @replication-policy.hcl -``` - -Use your newly created policy to create the replication token. - -```shell-session -$ consul acl token create -description "replication token" -policy-name replication -``` - -### Configure the replication token in Secondary Datacenters - -Add the replication token generated above, to the ACL stanza in secondary datacenters. - - - -```hcl -primary_datacenter = "PRIMARY_DATACENTER_NAME" -acl = { - enabled = true - default_policy = "deny" - down_policy = "deny" - tokens = { - agent = "ACL_AGENT_TOKEN" - replication = "ACL_REPLICATION_TOKEN" - } -} -``` - -```json -{ - "primary_datacenter": "PRIMARY_DATACENTER_VALUE", - "acl": { - "enabled": true, - "default_policy": "deny", - "down_policy": "deny", - "tokens": { - "agent": "ACL_AGENT_TOKEN", - "replication": "ACL_REPLICATION_TOKEN" - } - } -} -``` - - - -~> **Warning:** When enabling ACL token replication in secondary datacenters, -global tokens already present in the secondary datacenter will be lost. For -production environments, consider configuring ACL replication in your initial -datacenter bootstrapping process. - -~> **Warning:** If you are using [Consul Enterprise](/consul/docs/enterprise) and -the [Admin Partitions](/consul/docs/enterprise/admin-partitions) -feature, only ACL tokens in the default partition are replicated to other datacenters. - -## WAN Join Servers - -This step is needed for new federated cluster deployments in order for -servers in each federated datacenter to discover each other. - -Run the following command from one of the server nodes. - -```shell-session -$ consul join -token="ACL_MANAGEMENT_TOKEN" -wan [server 1, server 2, ...] -``` - -## Configure Clients in Secondary Datacenters - -When ACLs are enabled, client agents need a special token known as the [`agent token`](/consul/docs/security/acl/tokens#acl-agent-token) to perform internal operations. Agent tokens need to have the right policies for node related actions, including -registering itself in the catalog, updating node level health checks, and performing [anti-entropy](/consul/docs/architecture/anti-entropy) syncing. - -### Generate Agent ACL Token - -[ACL Node Identities](/consul/docs/security/acl#node-identities) were introduced -in Consul 1.8.1 and enable easily creating agent tokens with appropriately scoped policies. - -To generate the ACL token using node identity, run the following command: - -```shell-session -$ consul acl token create -node-identity=: -``` - -### Configure clients to use the ACL agent token - -Update the client agents to include the token value from the previous step. Replace -the `ACL_AGENT_TOKEN` value below with the secret ID value from the command output. - - - -```hcl -primary_datacenter = "PRIMARY_DATACENTER_NAME" -acl = { - enabled = true - default_policy = "deny" - down_policy = "deny" - tokens = { - agent = "ACL_AGENT_TOKEN" - } -} -``` - -```json -{ - "primary_datacenter": "PRIMARY_DATACENTER_VALUE", - "acl": { - "enabled": true, - "default_policy": "deny", - "down_policy": "deny", - "tokens": { - "agent": "ACL_AGENT_TOKEN" - } - } -} -``` - - - -Note that client agents have to be restarted for ACL related configuration changes to take effect. - -## Summary - -After completing the above steps, a federated Consul cluster can be used with ACLs. Refer to -[ACL Replication Guide](/consul/tutorials/security-operations/access-control-replication-multiple-datacenters) -for more on this topic. diff --git a/website/content/docs/security/acl/index.mdx b/website/content/docs/security/acl/index.mdx deleted file mode 100644 index f8b8b97ec85..00000000000 --- a/website/content/docs/security/acl/index.mdx +++ /dev/null @@ -1,93 +0,0 @@ ---- -layout: docs -page_title: Access Control List (ACL) - Overview -description: >- - Consul's ACL system secures communication and controls access to the API, CLI, and UI. Learn about ACL components and how they interact to authenticate requests and authorize access for your network. ---- - -# Access Control List (ACL) overview - -This topic describes core concepts associated with the optional access control list (ACL) system shipped with Consul. ACLs authenticate requests and authorize access to resources. They also control access to the Consul UI, API, and CLI, as well as secure service-to-service and agent-to-agent communication. - -Refer to the [ACL API reference](/consul/api-docs/acl) and [ACL CLI reference](/consul/commands/acl) for additional usage information. - -## Workflow overview - -Implementations may vary depending on the needs of the organization, but the following procedure describes the basic workflow for creating and implementing ACLs: - -1. The person responsible for administrating ACLs in your organization specifies one or more authentication rules to define a [policy](#policies). -1. The ACL administrator uses the Consul API to generate and link a [token](#tokens) to one or more policies. The following diagram illustrates the relationship between rules, policies, and tokens: - - ![ACL system component relationships](/img/acl-token-policy-rule-relationship.png) - - The ACL administrator can create and link additional artifacts to tokens, such as [templated policies](#templated-policies), [service identities](#service-identities), [node identities](#node-identities), and [roles](#roles) that enable policies to accommodate more complex requirements. - -1. Tokens are distributed to end users and incorporated into their services. -1. Agents and services present the token when making requests. -1. Consul evaluates the token to determine if the request has permission to interact with the requested resource. - -## Tokens - -ACL tokens are the core method of authentication in Consul. Tokens contain several attributes, but the value of the `SecretID` field (sometimes referred to as the ACL token) is the attribute that you or your service must include to identify the person or system making the request. Your ACL administrator may also use the token's `AccessorID` for audit logging purposes. - -Refer to the following topics for details about tokens: - -- [Tokens](/consul/docs/security/acl/tokens) -- [ACL token command line](/consul/commands/acl/token) -- [ACL tokens API](/consul/api-docs/acl/tokens) - -## Policies - -An ACL policy is a set of rules that grant or deny access to resources in the network. -The person responsible for administrating ACLs in your organization will assemble and create policies and link them to tokens. -Tokens are the artifacts distributed to users so that they can be implemented. -In addition to the rules that authenticate access to services, several attributes may be assigned policies that determine their scope. - -Refer to the following topics for details about policies: - -- [Policies](/consul/docs/security/acl/acl-policies) -- [ACL policy command line](/consul/commands/acl/policy) -- [ACL policy API](/consul/api-docs/acl/policies) - -## Roles - -A role is a collection of policies that your ACL administrator can link to a token. -They enable you to reuse policies by decoupling the policies from the token distributed to team members. -Instead, the token is linked to the role, which is able to hold several policies that can be updated asynchronously without distributing new tokens to users. -As a result, roles can provide a more convenient authentication infrastructure than creating unique policies and tokens for each requester. - -Refer to the [Roles](/consul/docs/security/acl/acl-roles) topic for additional information. - -## Templated policies - -Templated policies are configuration blocks that you can add to token and role configurations. Consul uses them to generate a policy. Consul links the generated policy to the role or token, which provides the required access to a particular resource. - -You can use them during the authorization process to automatically generate a policy for common use-cases, rather than creating multiple identical policies or digging through the permission system to understand permissions. - -Refer to the following topics for more details about policies: - -- [API documentation for templated policies](/consul/api-docs/acl/templated-policies) -- [API documentation for roles](/consul/api-docs/acl/roles#sample-payload) -- [API documentation for tokens](/consul/api-docs/acl/tokens#sample-payload) - -## Service identities - -Service identities are configuration blocks that you can add to role configurations or specify when linking tokens to policies. You can use them during the authorization process to automatically generate a policy for specific services. The policy is linked to the role or token, allowing the services to be discovered and to discover other healthy service instances in a service mesh. - -Service identities enable you to quickly construct policies for services, rather than creating identical policies for each service. - -Refer to the following topics for additional information about service identities: - -- [Service Identities](/consul/docs/security/acl/acl-roles#service-identities) -- [API documentation for roles](/consul/api-docs/acl/roles#sample-payload) - -## Node identities - -Node identities are configuration blocks that you can add to role configurations or specify when linking tokens to policies. You can use them during the authorization process to automatically generate a policy for specific nodes. When you configure the agent, you can specify the token linked to the policy with [`acl_tokens_agent`](/consul/docs/agent/config/config-files#acl_tokens_agent). - -Use node identities to quickly construct policies for multiple nodes, rather than creating identical polices for each individual node. - -Refer to the following topics for additional information about node identities: - -- [Node Identities](/consul/docs/security/acl/acl-roles#node-identities) -- [API documentation for roles](/consul/api-docs/acl/roles#sample-payload) diff --git a/website/content/docs/security/acl/tokens/create/create-a-dns-token.mdx b/website/content/docs/security/acl/tokens/create/create-a-dns-token.mdx deleted file mode 100644 index 3a59de03261..00000000000 --- a/website/content/docs/security/acl/tokens/create/create-a-dns-token.mdx +++ /dev/null @@ -1,65 +0,0 @@ ---- -layout: docs -page_title: Create tokens for service registration -description: >- - Learn how to create ACL tokens to enable Consul DNS. ---- - -# Create a DNS token - -This topic describes how to create a token that enables the Consul DNS to query services in the network when ACLs are enabled. - -## Introduction - -The Consul binary ships with a DNS server that you can use for service discovery in your network. The agent that fulfills DNS lookups requires appropriate ACL permissions to discover services, nodes, and prepared queries registered in Consul. - -A Consul agent must be configured with a token linked to policies that grant the appropriate set of permissions. - -Specify the [`default`](/consul/docs/agent/config/config-files#acl_tokens_default) token to the Consul agent to authorize the agent to respond to DNS queries. Refer to [DNS usage overview](/consul/docs/services/discovery/dns-overview) for details on configuring and using Consul DNS. - -## Requirements - -Core ACL functionality is available in all versions of Consul. - -The DNS token must be linked to policies that grant the following permissions: - -* `service:read`: Enables the agent to perform service lookups for DNS -* `node:read`: Enables node lookups over DNS -* `query:read`: Enables the agent to perform prepared query lookups for DNS - -@include 'create-token-requirements.mdx' - -## Create a DNS token - -Run the `consul acl token create` CLI command and specify the `builtin/dns` templated policy to create a DNS token. - -```shell-session -$ consul acl token create -name "dns-token" -templated-policy "builtin/dns" -``` - -## Apply the token - -Configure the Consul agent with the token by either specifying the token in the agent configuration file or by using the `consul set-agent-token` command. - -### Apply the token in a file - -Specify the token in the [`dns`](/consul/docs/agent/config/config-files#acl_tokens_dns) field of the agent configuration file so that the agent can present it and register into the catalog on startup. - -```hcl -acl = { - enabled = true - tokens = { - dns = "" - ... - } - ... -} -``` - -### Apply the token with a command - -Set the `dns` token using the [`set-agent-token`](/consul/commands/acl/set-agent-token) command. The following command configures a running Consul agent token with the specified token. - -```shell-session -$ consul set-agent-token dns -``` diff --git a/website/content/docs/security/acl/tokens/index.mdx b/website/content/docs/security/acl/tokens/index.mdx deleted file mode 100644 index 45df06d3900..00000000000 --- a/website/content/docs/security/acl/tokens/index.mdx +++ /dev/null @@ -1,239 +0,0 @@ ---- -layout: docs -page_title: ACL Tokens -description: >- - Tokens are used to authenticate users, services, and agents and authorize their access to resources in Consul. Learn about token attributes, special-purpose and built-in tokens, and how to pass a token’s SecretID in the CLI and API. ---- - -# ACL Tokens - -This topic describes access control list (ACL) tokens, which are the core method of authentication in Consul. - -## Introduction - -Tokens are artifacts in the ACL system used to authenticate users, services, and Consul agents. When ACLs are enabled, entities requesting access to a resource must include a token that has been linked with a policy, service identity, or node identity that grants permission to the resource. The ACL system checks the token and grants or denies access to resource based on the associated permissions. - -Refer to the [ACL system workflow overview](/consul/docs/security/acl#workflow-overview) for information about tokens' role in the ACL system. - -## Creating tokens - -The person responsible for administrating ACLs can use the API or CLI to create and link tokens to entities that enable permissions to resources. -Refer to the [ACL API](/consul/api-docs/acl) and [ACL CLI](/consul/commands/acl) documentation for instructions on how to create and link tokens. Tokens can also be created dynamically from trusted external system using an -[auth method](/consul/docs/security/acl/auth-methods). - -Refer to the [Secure Consul with Access Control Lists (ACLs)](/consul/tutorials/security/access-control-setup-production) tutorial for help getting started with creating tokens. The tutorial includes an interactive sandbox so that you can perform the procedures without configuring your local environment. - -## Passing Tokens - -Users deploying their services into the network or performing some operations in the Consul command line or GUI will need to include the value of the token's `SecretID` attribute. The `SecretID` is often referred to as the ACL token. It is an opaque string that identifies the requester so that the ACL system can determine if access to the requested resource should be granted or denied. - -Tokens have several additional attributes. Refer to [Token Attributes](#token-attributes) for details. - -### Service requests - -Specify the value of the `SecretID` attribute with the `token` parameter when configuring your services. In the following example service configuration, the `token` has been included as a string parameter to the `redis` service: - - - - - -```hcl -service = { - id = "redis" - name = "redis" - namespace = "foo" - token = "233b604b-b92e-48c8-a253-5f11514e4b50" -} -``` - - - - -```json -{ - "service": { - "id": "redis", - "name": "redis", - "namespace": "foo", - "token": "233b604b-b92e-48c8-a253-5f11514e4b50" - } -} -``` - - - - - -Refer to [Services Configuration Reference](/consul/docs/services/configuration/services-configuration-reference) for additional information. - -### Agent requests - -Consul agents can be configured to hold several ACL tokens (see [`tokens`](/consul/docs/agent/config/config-files#acl_tokens_default)) to accommodate several use cases. The following table describes agent configuration fields where ACLs are applicable and whether the configurations apply to servers, clients, or both. - -| Configuration Option | Servers | Clients | Purpose | -| -------------------------------------------------------------- | ---------- | ---------- | ---------------------------------------------------------------------- | -| [`acl.enabled`](/consul/docs/agent/config/config-files#acl_enabled) | `REQUIRED` | `REQUIRED` | Controls whether ACLs are enabled | -| [`acl.default_policy`](/consul/docs/agent/config/config-files#acl_default_policy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode | -| [`acl.down_policy`](/consul/docs/agent/config/config-files#acl_down_policy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the remote token or policy resolution fails | -| [`acl.role_ttl`](/consul/docs/agent/config/config-files#acl_role_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Roles | -| [`acl.policy_ttl`](/consul/docs/agent/config/config-files#acl_policy_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Policies | -| [`acl.token_ttl`](/consul/docs/agent/config/config-files#acl_token_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Tokens | - -In the following example, the agent is configured to use a default token: - - - -```hcl -tokens = { - default = "233b604b-b92e-48c8-a253-5f11514e4b50" -} -``` - -```json -{ - "tokens": { - "default": "233b604b-b92e-48c8-a253-5f11514e4b50" - } -} -``` - - - -Refer to the [agent configurations documentation](/consul/docs/agent/config/config-files) for additional information. - -### Command line requests - -To make a request on the command line, specify the ACL token with the [`-token` command line flag](/consul/commands#authentication). -In the following example, a token is included to enable the user to create an intention on the command line: - -```shell-session -$ consul intention create -file one.json two.json -token "233b604b-b92e-48c8-a253-5f11514e4b50" -``` - -Refer to the documentation for the command line operations you want to perform for additional information. - -#### Environment variables - -You can export tokens to environment variables on the local machine, which enable you to omit the `-token` flag when performing operations on the Consul command line. Refer to the [Consul command line documentation](/consul/commands#environment-variables) for details. - -### API requests - -Specify the token in the HTTP `X-Consul-Token` header field to make an API request. Refer to the [HTTP API documentation](/consul/api-docs/api-structure#authentication) for details. - -The following example shows the header for a GET request to the `agent/members` endpoint. - -```shell-session -$ curl --header "X-Consul-Token: " "http://127.0.0.1:8500/v1/agent/members" -``` - -## Token attributes - -The following table is a partial list of attributes that a token may contain. -Refer to the [API](/consul/api-docs/acl/tokens) or [command line](/consul/commands/acl/token) documentation for all attributes that can be assigned or generated for a token: - -| Attribute | Description | Type | Default | -| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------- | -| `AccessorID` | Used for [audit logging](/consul/docs/enterprise/audit-logging). The accessor ID is also returned in API responses to identify the token without revealing the secret ID. | String | auto-generated | -| `SecretID` | Used to request access to resources, data, and APIs. | String | auto-generated | -| `Partition` | Specifies the name of the admin partition in which the token is valid. See [Admin Partitions](/consul/docs/enterprise/admin-partitions) for additional information. | String | `default` | -| `Namespace` | Specifies the name of the Consul namespace in which the token is valid. See [Namespaces](/consul/docs/enterprise/namespaces) for additional information. | String | `default` | -| `Description` | Human-readable description for documenting the purpose of the token. | String | none | -| `Local` | Indicates whether the token should be replicated globally or local to the datacenter.
    Set to `false` to replicate globally across all reachable datacenters.
    Setting to `true` configures the token to functional in the local datacenter only. | Boolean | `false` | -| `TemplatedPolicies` | Specifies a list of templated policies to apply to the token. See [Templated Policies](/consul/docs/security/acl/acl-roles#templated-policies) in the "Roles" topic for additional information. | Array | none | -| `ServiceIdentities` | Specifies a list of service identities to apply to the token. See [Service Identities](/consul/docs/security/acl/acl-roles#service-identities) in the "Roles" topic for additional information. | Array | none | -| `NodeIdentities` | Specifies a list of node identities to apply to the token. See [Node Identities](/consul/docs/security/acl/acl-roles#node-identities) in the "Roles" topic for additional information. | Array | none | -| `Policies` | List of policies linked to the token, including the policy ID and name. | String | none | -| `Roles` | List of roles linked to the token, including the role ID and name. | String | none | - -## Special-purpose tokens - -Your ACL administrator can configure several tokens that enable specific functions, such as bootstrapping the ACL -system or accessing Consul under specific conditions. The following table describes the special-purpose tokens: - -| Token | Servers | Clients | Description | -| ------------------------------------------------------------------------------------ | ---------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [`acl.tokens.agent_recovery`](/consul/docs/agent/config/config-files#acl_tokens_agent_recovery) | `OPTIONAL` | `OPTIONAL` | Enables access to the [Agent API](/consul/api-docs/agent) when remote bearer token resolution fails.
    Used for setting up the cluster and performing initial join operations.
    See [ACL Agent Recovery Token](#acl-agent-recovery-token) for details. | -| [`acl.tokens.agent`](/consul/docs/agent/config/config-files#acl_tokens_agent) | `OPTIONAL` | `OPTIONAL` | Used for internal agent operations. See [ACL Agent Token](#acl-agent-token) for details. | -| [`acl.tokens.initial_management`](/consul/docs/agent/config/config-files#acl_tokens_initial_management) | `OPTIONAL` | `N/A` | Used to bootstrap the ACL system. See [Initial Management Token](#initial-management-token). | -| [`acl.tokens.default`](/consul/docs/agent/config/config-files#acl_tokens_default) | `OPTIONAL` | `OPTIONAL` | Specifies a default token to use for client requests if no token is supplied. This is commonly configured with read-only access to services to enable DNS service discovery on agents. | -| [`acl.tokens.replication`](/consul/docs/agent/config/config-files#acl_tokens_replication) | `OPTIONAL` | `N/A` | Authorizes secondary datacenters to replicate data from the primary datacenter. | -| [`acl.tokens.config_file_service_registration`](/consul/docs/agent/config/config-files#acl_tokens_config_file_service_registration) | `OPTIONAL` | `OPTIONAL` | Registers services and checks from service and check definitions specified in configuration files or fragments passed to the agent using the `-hcl` flag. | -| [`acl.tokens.dns`](/consul/docs/agent/config/config-files#acl_tokens_dns) | `OPTIONAL` | `OPTIONAL` | Enables the agent to answer DNS queries about services and nodes. | - -All reserved tokens except the `initial_management` token can be created or updated using the [/v1/agent/token API](/consul/api-docs/agent#update-acl-tokens). - -### Snapshot tokens - -Snapshots are artifacts created with the [snapshot API](/consul/api-docs/snapshot) for backup and recovery purposes. Snapshots contain ACL tokens and interacting with them requires a token with `acl:write` privileges. - -### ACL agent token - -The [`acl.tokens.agent`](/consul/docs/agent/config/config-files#acl_tokens_agent) is a special token that is used for an agent's internal operations. It isn't used directly for any user-initiated operations like the [`acl.tokens.default`](/consul/docs/agent/config/config-files#acl_tokens_default), though if the `acl.tokens.agent` isn't configured the `acl.tokens.default` will be used. The ACL agent token is used for the following operations by the agent: - -1. Updating the agent's node entry using the [Catalog API](/consul/api-docs/catalog), including updating its node metadata, tagged addresses, and network coordinates -2. Performing [anti-entropy](/consul/docs/architecture/anti-entropy) syncing, in particular reading the node metadata and services registered with the catalog -3. Reading and writing the special `_rexec` section of the KV store when executing [`consul exec`](/consul/commands/exec) commands - -Here's an example policy sufficient to accomplish the above for a node called `mynode`: - - - -```hcl -node "mynode" { - policy = "write" -} -service_prefix "" { - policy = "read" -} -key_prefix "_rexec" { - policy = "write" -} -``` - - - -The `service_prefix` policy needs read access for any services that can be registered on the agent. If [remote exec is disabled](/consul/docs/agent/config/config-files#disable_remote_exec), the default, then the `key_prefix` policy can be omitted. - -## Built-in tokens - -Consul includes a built-in anonymous token and initial management token. Both tokens are injected during when you bootstrap the cluster. - -### Anonymous token - -The anonymous token is used when a request is made to Consul without specifying a bearer token. -This token has the following attributes (see [Token Attributes](#token-attributes) for additional information): - -- `AccessorID`: `00000000-0000-0000-0000-000000000002` -- `SecretID`: `anonymous` - -The description and policies may be updated, but the anonymous token cannot be deleted. - -### Initial management token - -Including an initial management token in the Consul configuration creates the -token and links it with the built-in [global management](/consul/docs/security/acl/acl-policies#global-management) policy. -The bearer will have have unrestricted privileges to resources and APIs. -The `SecretID` attribute will be set to the value of the configuration entry. - -See the [Bootstrapping ACLs tutorial](/consul/tutorials/security/access-control-setup-production) for guidance on bootstrapping. - - - -### ACL agent recovery token - -The [`acl.tokens.agent_recovery`](/consul/docs/agent/config/config-files#acl_tokens_agent_recovery) is designed to be used when the Consul servers are not available. The policy linked to the token is managed locally on the agent and does not require a token to be defined on the Consul servers. Once set, it implicitly has the following policy associated with it - - - -```hcl -agent "" { - policy = "write" -} -node_prefix "" { - policy = "read" -} -``` diff --git a/website/content/docs/security/encryption/gossip.mdx b/website/content/docs/security/encryption/gossip.mdx deleted file mode 100644 index 4a04e16bd7c..00000000000 --- a/website/content/docs/security/encryption/gossip.mdx +++ /dev/null @@ -1,302 +0,0 @@ ---- -layout: docs -page_title: Manage gossip encryption -description: >- - Consul supports encrypting all of its network traffic. Learn how to secure gossip communication between all agents by creating and rotating a symmetric key. ---- - -# Manage gossip encryption - -This topic describes the steps to enable gossip encryption on a Consul datacenter and rotate the gossip encryption key to maintain secure communication between agents. - -## Workflows - -We recommend enabling gossip encryption to all new deployed Consul datacenters. You can also update the agents in an existing datacenter to use gossip encryption. - -The workflow to enable gossip encryption changes depending on whether your datacenter has client agents running. - -To [enable gossip encryption on a new datacenter](#enable-gossip-encryption-on-a-new-datacenter): - -1. Use `consul keygen` to generate a new gossip encryption key. -1. Create a configuration file that sets the `encrypt` parameter to the newly generated key. -1. Distribute the configuration file to all agent nodes that are part of the datacenter. Then start the Consul agent on all the nodes. - -To [enable gossip encryption on an existing datacenter](#enable-gossip-encryption-on-an-existing-datacenter): - -1. Use `consul keygen` to generate a new gossip encryption key. -1. Create a configuration file that sets the `encrypt` parameter to the newly generated key and sets `encrypt_verify_incoming` and `encrypt_verify_outgoing` to `false`. -1. Distribute the configuration file to all agent nodes that are part of the datacenter. Then perform a rolling restart of all Consul agents. -1. Update the `encrypt_verify_outgoing` setting to `true` and perform a rolling restart of all Consul agents. -1. Update the `encrypt_verify_incoming` setting to `true` and perform a rolling restart of all Consul agents. - -If you have multiple datacenters joined in WAN federation, be sure to use _the same encryption key_ in all datacenters. - -## Enable gossip encryption on a new datacenter - -We recommend enabling gossip encryption on all new Consul datacenters. - -### Generate a gossip encryption key - -First, generate an encryption key on a Consul server. The Consul CLI includes a `consul keygen` command to generate a key. - -```shell-session -$ consul keygen -YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA= -``` - -You can generate a new gossip key using any method that can create 32 random bytes encoded in base64. For example, you can use `openssl` or `dd` to create a key on Linux with one of the following commands: - -- `openssl rand -base64 32` -- `dd if=/dev/urandom bs=32 count=1 status=none | base64` - -### Add the key to the agent configuration - -Create a configuration that sets `encrypt` parameter to the newly generated key. You can edit the existing agent configuration, or you can add a file to the configuration directory. For more information, refer to [configuring Consul agents](/consul/docs/agent#configuring-consul-agents). - - - -```hcl -encrypt = "YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA=" -``` - -```json -{ - "encrypt": "YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA=" -} -``` - - - -### Add the key to all agent configurations - -Distribute the gossip key to all the agent nodes that need to be pert of the datacenter. Then start the Consul agent on all the nodes. - -When gossip encryption is properly configured, `Gossip Encryption: true` appears in the Consul logs at startup. - - - -```log -==> Starting Consul agent... - Version: '1.19.0' -Build Date: '2024-06-12 13:59:10 +0000 UTC' - Node ID: 'e74b1ade-e932-1707-cdf1-6579b8b2536c' - Node name: 'consul-server-0' -Datacenter: 'dc1' (Segment: '') -Server: true (Bootstrap: false) - Client Addr: [127.0.0.1] (HTTP: 8500, HTTPS: 8443, gRPC: -1, gRPC-TLS: 8503, DNS: 53) - Cluster Addr: 172.19.0.7 (LAN: 8301, WAN: 8302) - Gossip Encryption: true - Auto-Encrypt-TLS: true - ACL Enabled: true - Reporting Enabled: false -ACL Default Policy: deny - HTTPS TLS: Verify Incoming: false, Verify Outgoing: true, Min Version: TLSv1_2 - gRPC TLS: Verify Incoming: false, Min Version: TLSv1_2 - Internal RPC TLS: Verify Incoming: true, Verify Outgoing: true (Verify Hostname: true), Min Version: TLSv1_2 -## ... -``` - - - -## Enable gossip encryption on an existing datacenter - -You can also enable gossip encryption on existing Consul datacenters. - -### Generate a gossip encryption key - -First, generate an encryption key on a Consul server. The Consul CLI includes a `consul keygen` command to generate a key. - -```shell-session -$ consul keygen -YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA= -``` - -### Add the key to the agent configuration - -Create a configuration that sets the `encrypt` parameter to the newly generated key and sets the `encrypt_verify_incoming` and `encrypt_verify_outgoing` parameters to `false`. You can edit the existing agent configuration, or you can add a file to the configuration directory. For more information, refer to [configuring Consul agents](/consul/docs/agent#configuring-consul-agents). - - - - - -```hcl -encrypt = "YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA=" -encrypt_verify_incoming = false -encrypt_verify_outgoing = false -``` - - - - - -```json -{ -"encrypt": "YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA=", -"encrypt_verify_incoming" : false, -"encrypt_verify_outgoing" : false -} -``` - - - - - -### Add the configuration to all agents - -Distribute the configuration to all the agent nodes that need to be part of the datacenter, and then initiate a rolling update that restarts each agent. - -You must restart all of the agents. The `consul reload` and `kill -HUP ` commands are not sufficient when changing the gossip configuration. - -### Update outgoing encryption - -The agents can decrypt gossip communication with the `encrypt` parameter set, but they are not able to send encrypted traffic. - -Update the `encrypt_verify_outgoing` setting to `true` and then perform another rolling update of all Consul agents. Complete the process on all the nodes before you begin [updates to incoming encryption](#update-the-incoming-encryption). - - - - - -```hcl -encrypt = "YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA=" -encrypt_verify_incoming = false -encrypt_verify_outgoing = true - ``` - - - - - -```json -{ -"encrypt": "YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA=", -"encrypt_verify_incoming": false, -"encrypt_verify_outgoing": true -} -``` - - - - - -### Update incoming encryption - -The agents can send encrypted gossip but still allow unencrypted incoming traffic. Update the `encrypt_verify_incoming` setting to `true` and then perform a final rolling update on all the agents. - - - - - -```hcl -encrypt = "YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA=" -encrypt_verify_incoming = true -encrypt_verify_outgoing = true -``` - - - - - -```json -{ -"encrypt": "YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA=", -"encrypt_verify_incoming": true, -"encrypt_verify_outgoing": true -} -``` - - - - - -## Rotate the gossip encryption key - -It is important to periodically rotate the gossip encryption key your Consul datacenter uses. - -The process of rotating the gossip encryption key is centralized so that you can perform it on a single datacenter node. - -The process to rotate a gossip encryption key consists of the following steps: - -1. Generate a new encryption key using the `consul keygen` command. -1. Install the new encryption key using the `consul keyring -install` command. -1. Verify the new key is installed in your Consul datacenter with the `consul keyring -list` command. -1. Instruct Consul to use the new key with the `consul keyring -use` command. -1. Remove the old key using the `consul keyring -remove` command. - -### Generate a new encryption key - -Generate a new key using `consul keygen`: - -```shell-session -$ consul keygen -FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= -``` - -### Add new key to the keyring - -Add your newly generated key to the keyring. - -```shell-session -$ consul keyring -install FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= -==> Installing new gossip encryption key... -``` - -### Verify that the new key is installed - -After you add the key to one of the Consul agents, Consul propagates it across the entire datacenter. You do not need to repeat the command on other agents. - -To ensure that the key has been propagated to all agents, list the installed encryption keys and verify that the number of agents that recognize the key is equal to the total number of agents in the datacenter. - -```shell-session -$ consul keyring -list -==> Gathering installed encryption keys... - -WAN: - FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= [1/1] - YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA= [1/1] - -dc1 (LAN): - YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA= [7/7] - FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= [7/7] -``` - -Confirm that the two keys are installed in the datacenter and recognized by all agents, including server agents. The server agents are listed in the `WAN` section. Do not proceed to the next step unless all agents have the new key. - -### Promote the new key to primary - -After all agents recognize the key, it is possible to promote it to be the new primary encryption key. - -```shell-session -$ consul keyring -use FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= -==> Changing primary gossip encryption key... -``` - -### Remove the old key from the keyring - -Unused keys in the keyring are a potential security risk to your Consul cluster. We recommended that you remove the former primary key from the keyring after a new key is installed. - -```shell-session -$ consul keyring -remove YwgWlBvicJN17UOYcutXLpJSZsw5aWpLEEWqgK635zA= -==> Removing gossip encryption key... -``` - -Verify that the keyring contains only one key. - -```shell-session -$ consul keyring -list -==> Gathering installed encryption keys... - -WAN: - FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= [1/1] - -dc1 (LAN): - FfRV9j6NXU9LlCI4zLZjjpZdj4Nrqsdm7R8YgzSHzHw= [7/7] -``` - -## Next steps - -Documentation for the commands used in this topic is available at [Consul agent configuration - Encryption Parameters](/consul/docs/agent/config/config-files#encryption-parameters). You can find more information over the gossip protocol used by Consul at [Gossip Protocol](/consul/docs/architecture/gossip). - -After you enable gossip encryption, you can continue to process to secure your Consul datacenter by enabling mutual TLS encryption. For more information, refer to [Mutual TLS (mTLS) Encryption](/consul/docs/security/encryption/mtls). - -To learn how to automate gossip key rotation using HashiCorp Vault and consul-template, refer to the [Automatically Rotate Gossip Encryption Keys Secured in Vault tutorial](/consul/tutorials/operate-consul/vault-kv-consul-secure-gossip). \ No newline at end of file diff --git a/website/content/docs/security/encryption/index.mdx b/website/content/docs/security/encryption/index.mdx deleted file mode 100644 index 60a5352b8a6..00000000000 --- a/website/content/docs/security/encryption/index.mdx +++ /dev/null @@ -1,55 +0,0 @@ ---- -layout: docs -page_title: Encrypted communication between Consul agents -description: >- - Consul supports encrypting all of its network traffic. Remote Procedure Calls (RPCs) between client and server agents can be encrypted with TLS and authenticated with certificates. Gossip communication between all agents can also be encrypted. ---- - -# Encrypted communication between Consul agents - -This topic provides an overview of the two distinct encryption systems available in Consul. [Gossip encryption](/consul/docs/security/encryption#gossip-encryption) and [Mutual TLS encryption](/consul/docs/security/encryption#mutual-tls-mtls-encryption) are the foundations of a secure Consul datacenter. - -The guidelines in the [Consul security model](/consul/docs/security/security-models/core) for operating a secure Consul deployment recommends using both encryption systems. - -## Gossip Encryption - -Consul uses a [gossip protocol](/consul/docs/architecture/gossip) to perform the following cluster operations: - -- Identify datacenter members. -- Quickly detect failed members and notify the rest of the cluster. -- Broadcast events and queries that can trigger custom workflows. - -The gossip protocol, as well as its membership management and message broadcasting features, use the [Serf library](https://github.com/hashicorp/serf/). - -In a default Consul configuration, the gossip protocol uses [port `8301`](/consul/docs/install/ports#lan-serf) for LAN communications and [port `8302`](/consul/docs/install/ports#lan-serf) for WAN communications between federated datacenters. Enabling gossip encryption on a Consul datacenter is required to secure traffic on these two ports. - -Gossip encryption is symmetric and based on a single key that is shared across all members of the datacenter. You can configure gossip encryption in Consul using the following parameters: - -- [`encrypt`](/consul/docs/agent/config/config-files#encrypt). -- [`encrypt_verify_incoming`](/consul/docs/agent/config/config-files#encrypt_verify_incoming). Only used when upshifting from unencrypted to encrypted gossip on a running cluster. -- [`encrypt_verify_outgoing`](/consul/docs/agent/config/config-files#encrypt_verify_outgoing). Only used when upshifting from unencrypted to encrypted gossip on a running cluster. - -To learn more about enabling gossip encryption on your Consul datacenter and rotating gossip keys, refer to [manage gossip encryption](/consul/docs/security/encryption/gossip). - -## Mutual TLS (mTLS) Encryption - -Consul uses several communication protocols over different ports that you can secure using mTLS: - -- A [consensus protocol](/consul/docs/architecture/consensus) provides data consistency between Consul servers. It typically uses [port `8300`](/consul/docs/install/ports#server-rpc). -- Remote Procedure Calls (RPC) forward requests from client agents to server agents. They use the same port the consensus protocol uses. -- An HTTP or HTTPS interface permits client communication with the Consul API, CLI, and UI. It typically uses [port `8500`](/consul/docs/install/ports#http) and [port `8501`](/consul/docs/install/ports#https). -- A gRPC interface receives incoming traffic from the gateways and Envoy proxies registered to the agent node. It typically uses [port `8502`](/consul/docs/install/ports#client-grpc) and [port `8503`](/consul/docs/install/ports#client-grpc-tls). - -Consul uses mTLS to verify the authenticity of server and client agents. It requires that all clients and servers have key pairs that are generated by a single Certification Authority (CA). We recommend using a private CA that is not shared with other applications. - -You can configure mTLS in Consul using the [`tls` stanza in agent configuration files](/consul/docs/agent/config/config-files#tls-1). - -You can configure mTLS encryption for each protocol separately using the following parameters in the agent configuration file: - -- [`tls.defaults`](/consul/docs/agent/config/config-files#tls_defaults) provides default settings that Consul applies to every interface unless explicitly overridden by protocol-specific configurations. -- [`tls.internal_rpc`](/consul/docs/agent/config/config-files#tls_internal_rpc) provides settings for the internal server RPC interface. -- [`tls.https`](/consul/docs/agent/config/config-files#tls_https) provides settings for the HTTP/HTTPS interface. -- [`tls.grpc`](/consul/docs/agent/config/config-files#tls_grpc) provides settings for the gRPC/xDS interface. - -To learn more about enabling mTLS on your Consul datacenter, refer to [Manage mTLS encryption](/consul/docs/security/encryption/mTLS). - diff --git a/website/content/docs/security/encryption/mtls.mdx b/website/content/docs/security/encryption/mtls.mdx deleted file mode 100644 index 5017c7b509f..00000000000 --- a/website/content/docs/security/encryption/mtls.mdx +++ /dev/null @@ -1,553 +0,0 @@ ---- -layout: docs -page_title: Manage agent mTLS encryption -description: >- - Consul supports encrypting all of its network traffic. Learn how to encrypt and authenticate Remote Process Calls (RPCs) between client and server agents with TLS certificates. ---- - -# Manage agent mTLS encryption - -This topic describes mutual TLS (mTLS) encryption between agents in a Consul datacenter. - -This mTLS encryption is distinct from Consul service mesh mTLS encryption. To learn about encrypted mTLS communication between services, refer to [service mesh certificate authority](/consul/docs/connect/ca). - -## Benefits of TLS encryption - -Consul supports TLS certificates that verify the authenticity of servers and clients to secure `RCP`, `gRPC`, and `HTTP` traffic. - -Implementing TLS encryption in Consul datacenters improves your deployment's security in the following ways: - -- **Encrypt data in transit:** TLS encrypts data transmitted between Consul datacenter nodes and user interfaces such as the UI or CLI to ensure that sensitive information is not exposed to unauthorized parties. - -- **Agent authentication:** TLS ensures that only verified parties can communicate with each other using certificates. This security measure prevents unauthorized nodes, services, and users from interacting with your Consul datacenter. - -- **Prevent man-in-the-middle (MITM) attacks:** Without TLS, attackers may intercept and change communications within your Consul deployments. TLS mitigates this risk by encrypting data and verifying the identity of the communication participants. - -- **Comply with security regulations and standards:** Compliance frameworks and regulations like PCI-DSS and HIPAA mandate the encryption of data in transit, which makes TLS a requirement for Consul deployments in regulated environments. - -Mutual TLS (mTLS) requires that all clients and servers have key pairs that are generated by a single Certification Authority (CA). We recommend using a private CA that is not shared with other applications. - -The following parameters in agent configuration files define the agent verification behavior: - -- [`tls.defaults.verify_incoming`](/consul/docs/agent/config/config-files#tls_defaults_verify_incoming) -- [`tls.defaults.verify_outgoing`](/consul/docs/agent/config/config-files#tls_defaults_verify_outgoing) -- [`tls.defaults.verify_server_hostname`](/consul/docs/agent/config/config-files#tls_default_verify_server_hostname) - -## Workflow - -The process to enable TLS encryption in Consul deployments consists of the following steps: - -1. [Initialize the built-in CA](/consul/docs/security/encryption/mtls#initialize-the-built-in-ca) used to sign all certificates. -1. [Create server certificates](/consul/docs/security/encryption/mtls#create-server-certificates) to secure Consul servers. -1. [Configure server agents](/consul/docs/security/encryption/mtls#configure-server-agents) for TLS encryption. -1. [Start server agents](/consul/docs/security/encryption/mtls#start-consul-servers). -1. [Configure Consul client agents](/consul/docs/security/encryption/mtls#configure-client-agents). -1. [Start client agents](/consul/docs/security/encryption/mtls#start-consul-clients). - -## Initialize the built-in CA - -The first step to configure mTLS for Consul is to initialize the certificate authority (CA) that signs the certificates. To prevent unauthorized datacenter access, Consul requires that all certificates are signed by the same CA. We recommend using a private CA because any certificate it signs will be allowed to communicate with the Consul datacenter. - -Consul supports a variety of tools for creating and managing your own CA, like the [PKI secrets engine in Vault](/vault/docs/secrets/pki) or the [Terraform TLS provider](https://registry.terraform.io/providers/hashicorp/tls/latest/docs). Consul also ships with built-in TLS tools to create and manage certificates. - -If you have the Consul binary installed on your path, you can create the CA and certificates, even before you start a Consul server agent. - -```shell-session -$ consul tls ca create -domain=consul -==> Saved consul-agent-ca.pem -==> Saved consul-agent-ca-key.pem -``` - -The command generates two files, `-agent-ca.pem` and `-agent-ca-key.pem`. In this example, the domain used to generate the certificates is the default one, `consul`. - -The CA certificate, `consul-agent-ca.pem`, contains the public key necessary to validate Consul certificates. You must distribute this certificate to every node where a Consul agent runs. - -The CA key, `consul-agent-ca-key.pem`, signs certificates for Consul nodes. You must keep this key private. Possession of this key allows anyone to run Consul as a trusted server or generate new valid certificates for the datacenter. Malicious actors may use this key to obtain access to all Consul data, including ACL tokens. - -## Create server certificates - -To authenticate Consul servers, servers are provided with a special certificate that lists `server..` in the `Common Name` and `Subject Alternative Name` fields. When you enable [`tls.defaults.verify_server_hostname`](/consul/docs/agent/config/config-files#tls_default_verify_server_hostname), only agents that provide this certificate are allowed to boot as a server. - -Without `tls.defaults.verify_server_hostname = true`, an attacker who compromises a Consul client agent can restart the agent as a server to get access to all the data in your datacenter. You must keep the server key private to protect your Consul data. - -The following example creates a server certificate for datacenter `dc1` in the `consul` domain. If your datacenter or domain is different, modify the command to use the appropriate flag values. - -```shell-session -$ consul tls cert create -server -dc=dc1 -domain=consul -==> WARNING: Server Certificates grants authority to become a - server and access all state in the cluster including root keys - and all ACL tokens. Do not distribute them to production hosts - that are not server nodes. Store them as securely as CA keys. -==> Using consul-agent-ca.pem and consul-agent-ca-key.pem -==> Saved dc1-server-consul-0.pem -==> Saved dc1-server-consul-0-key.pem -``` - -Repeat this process on the same node where you created the CA until the number of certificates is equal to the number of servers in the datacenter. You can run the command multiple times in a row, and it automatically increases the certificate and key numbers each time. - -### Federated Consul datacenter - -A federated Consul environment requires the server certificate to include the names of all Consul datacenters that are within the federated environment. - -Use the `-additional-dnsname` flag to provide an additional DNS names for Subject Alternative Names. `localhost` is always included. You can provide this flag multiple times in a single command. - -The following example creates a certificate for a federated environment containing two Consul datacenters named `dc1` and `dc2`. - -```shell-session -$ consul tls cert create -server -dc dc1 -domain=consul -additional-dnsname="server.dc2.consul" -==> WARNING: Server Certificates grants authority to become a - server and access all state in the cluster including root keys - and all ACL tokens. Do not distribute them to production hosts - that are not server nodes. Store them as securely as CA keys. -==> Using consul-agent-ca.pem and consul-agent-ca-key.pem -==> Saved dc1-server-consul-0.pem -==> Saved dc1-server-consul-0-key.pem -``` - -## Configure server agents - -After you generate the server certificates, distribute them to the Consul servers and modify the agent configuration file to include their local location. - -Copy the following files to each Consul server: - -- `consul-agent-ca.pem`: CA public certificate. -- `dc1-server-consul-0.pem`: Consul server node public certificate for first server node in the `dc1` datacenter in the `consul` domain. -- `dc1-server-consul-0-key.pem`: Consul server node private key for first server node in the `dc1` datacenter in the `consul` domain. - -There are two methods for configuring Consul server agents depending on the way you want to distribute certificates to the client agents: - -- The _auto encryption method_ uses the Consul Connect CA to generate client certificates and then automatically distributes them to all Consul clients. -- The _operator method_ requires you to manually generate client certificates and distribute them to each client agent individually. - -We recommend using the auto-encryption method with the built-in CA because Consul can then automatically rotate certificates without requiring operator intervention. - -Use the operator method if you need to use a third-party CA or need more fine-grained control over certificate management. - - - - - - -```hcl -addresses = { - https = "0.0.0.0" -} -ports { - https = 8501 -} -tls { - defaults { - ca_file = "consul-agent-ca.pem" - cert_file = "dc1-server-consul-0.pem" - key_file = "dc1-server-consul-0-key.pem" - verify_incoming = true - verify_outgoing = true - verify_server_hostname = true - } -} -auto_encrypt { - allow_tls = true -} -``` - -```json -{ - "addresses": { - "https" : "0.0.0.0" - }, - "ports": { - "https" : 8501 - }, - "tls" : { - "defaults": { - "ca_file": "consul-agent-ca.pem", - "cert_file": "dc1-server-consul-0.pem", - "key_file": "dc1-server-consul-0-key.pem", - "verify_incoming": true, - "verify_outgoing": true, - "verify_server_hostname": true - } - }, - "auto_encrypt" : { - "allow_tls" : true - } -} -``` - - - - - - - - - -```hcl -addresses = { - https = "0.0.0.0" -} -ports { - https = 8501 -} -tls { - defaults { - ca_file = "consul-agent-ca.pem" - cert_file = "dc1-server-consul-0.pem" - key_file = "dc1-server-consul-0-key.pem" - verify_incoming = true - verify_outgoing = true - verify_server_hostname = true - } -} -``` - -```json -{ - "addresses": { - "https": "0.0.0.0" - }, - "ports": { - "https": 8501 - }, - "tls": { - "defaults": { - "ca_file": "consul-agent-ca.pem", - "cert_file": "dc1-server-consul-0.pem", - "key_file": "dc1-server-consul-0-key.pem", - "verify_incoming": true, - "verify_outgoing": true, - "verify_server_hostname": true - } - } -} -``` - - - - - - - -Consul does not enable TLS for HTTP unless the `https` port is assigned a port number greater than `0`. We recommend using `8501`, the default number for the `https` port, because this default is designed to work automatically with other tools. - -## Start Consul servers - -After you configure your servers, start the Consul process. - -```shell-session -$ systemctl start consul -``` - -Your Consul servers can now communicate with TLS encryption for RPC and consensus. - -## Configure client agents - -Next, configure your client agents with the same method you used to [configure the server agent](#distribute-the-server-certificates) - - - - -The only file you need on the local disk to configure the Consul client agents using auto-encryption is the CA certificate `consul-agent-ca-.pem`. - - - -```hcl -addresses = { - https = "0.0.0.0" -} -ports { - https = 8501 -} -tls { - defaults { - ca_file = "consul-agent-ca.pem" - verify_incoming = true - verify_outgoing = true - verify_server_hostname = true - } -} -auto_encrypt = { - tls = true -} -``` - -```json -{ - "addresses": { - "https": "0.0.0.0" - }, - "ports": { - "https": 8501 - }, - "tls": { - "defaults": { - "ca_file": "consul-agent-ca.pem", - "verify_incoming": true, - "verify_outgoing": true, - "verify_server_hostname": true - } - }, - "auto_encrypt" : { - "tls" : true - } -} -``` - - - - - - - -On the node where you created the CA and server certificates, generate a client certificate with `consul tls cert create -client` command. - -```shell-session -$ consul tls cert create -client -dc=dc1 -domain=consul -==> Using consul-agent-ca.pem and consul-agent-ca-key.pem -==> Saved dc1-client-consul-0.pem -==> Saved dc1-client-consul-0-key.pem -``` - -The client certificate is also signed by the same CA used for the server certificates, but it does not contain `server..` in the `Common Name` and in the `Subject Alternative Name`. Because `verify_server_hostname` is enabled, a compromised client cannot use this certificate to start as a server and access datacenter data. - -Distribute the client certificates and the CA certificate `consul-agent-ca.pem` to every Consul client in the datacenter. Then add them to the client agent configuration. - - - -```hcl -addresses = { - https = "0.0.0.0" -} -ports { - https = 8501 -} -tls { - defaults { - ca_file = "consul-agent-ca.pem" - cert_file = "dc1-client-consul-0.pem" - key_file = "dc1-client-consul-0-key.pem" - verify_incoming = true - verify_outgoing = true - verify_server_hostname = true - } -} -``` - -```json -{ - "addresses": { - "https": "0.0.0.0" - }, - "ports": { - "https": 8501 - }, - "tls": { - "defaults": { - "ca_file": "consul-agent-ca.pem", - "cert_file": "dc1-client-consul-0.pem", - "key_file": "dc1-client-consul-0-key.pem", - "verify_incoming": true, - "verify_outgoing": true, - "verify_server_hostname": true - } - } -} -``` - - - - - - - -## Start Consul clients - -After you configure each client, start the Consul process on the node. - -```shell-session -$ systemctl start consul -``` - -Your client agents now communicate using mutual TLS encryption. - -## Rotate TLS certificates - -To maintain the security offered by TLS encryption, we recommend that you rotate TLS certificates often. - -TLS certificates are part of [Consul's reloadable configuration](/consul/docs/agent/config#reloadable-configuration), so you do not need to restart the Consul agents when you renew certificates. As a result, there is no risk of downtime. - -To rotate certificates for Consul server agents complete the following steps: -1. [Generate new certificates for all server agents](/consul/docs/security/encryption/mtls#create-server-certificates) to replace the old ones. -1. Distribute the new certificates to the server nodes. -1. Reload Consul configuration on each server with the `consul reload` command. - -To rotate certificates for Consul client agents complete the following steps: - - - - -When using the auto-encryption method, Consul automatically rotates the client certificates without operator intervention. - - - - - -1. [Generate new certificates for all client agents](/consul/docs/security/encryption/mtls#configure-client-agents) to replace the old ones. -1. Distribute the new certificates to the client nodes. -1. Reload Consul configuration on all clients with `consul reload` command. - - - - - -## API, CLI, and UI interactions - -The configuration snippets provided in this page are valid to configure complete mTLS for your Consul datacenter. This means that all interfaces require the client to provide a valid certificate in order to communicate with the Consul agent. This is valid for all requests, API, CLI, and UI. - -Since Consul v1.12 it is possible to have different settings for: - - - the HTTP protocol, used for the Consul's REST API, the CLI integration, and the UI - - the RPC protocol, used for internal communications between the Consul agents. - -### Interact with Consul without a client certificate - -If you want to avoid the need to present a valid client certificate every time you interact with Consul using the HTTP API, CLI, or UI, configure Consul to trust all incoming HTTPS connections by setting `tls.https.verify_incoming` to `false`. RPC communications are still mTLS encrypted. - - - -```hcl -addresses = { - https = "0.0.0.0" -} -ports { - https = 8501 - http = -1 -} -tls { - https { - ca_file = "/etc/consul.d/consul-agent-ca.pem" - cert_file = "/etc/consul.d/consul-agent.pem" - key_file = "/etc/consul.d/consul-agent-key.pem" - verify_incoming = false - verify_outgoing = true - } - internal_rpc { - ca_file = "/etc/consul.d/consul-agent-ca.pem" - cert_file = "/etc/consul.d/consul-agent.pem" - key_file = "/etc/consul.d/consul-agent-key.pem" - verify_incoming = true - verify_outgoing = true - verify_server_hostname = true - } -} -``` - -```json -{ - "addresses": { - "https": "0.0.0.0", - "http": "127.0.0.1", - }, - "ports": { - "https": 8501, - "http": 8500 - }, - "tls": { - "https": { - "ca_file": "consul-agent-ca.pem", - "cert_file": "consul-agent.pem", - "key_file": "consul-agent-key.pem", - "verify_incoming": false, - "verify_outgoing": true - }, - "internal_rpc": { - "ca_file": "consul-agent-ca.pem", - "cert_file": "consul-agent.pem", - "key_file": "consul-agent-key.pem", - "verify_incoming": true, - "verify_outgoing": true, - "verify_server_hostname": true - } - } -} -``` - - - - -### Use HTTP for local client interaction - -If you want to avoid the need to present a valid client certificate or to use the CA certificate every time you interact with the local Consul agent, configure Consul to keep the HTTP listener active on the `localhost` interface only and set `tls.https.verify_incoming` to `false`. External requests to the API or UI are still protected by TLS encryption, but requests that originate locally do not need to present a client certificate. RPC communications are still mTLS encrypted. - - - -```hcl -addresses = { - https = "0.0.0.0" - http = "127.0.0.1" -} -ports { - https = 8501 - http = 8500 -} -tls { - https { - ca_file = "/etc/consul.d/consul-agent-ca.pem" - cert_file = "/etc/consul.d/consul-agent.pem" - key_file = "/etc/consul.d/consul-agent-key.pem" - verify_incoming = false - verify_outgoing = true - } - internal_rpc { - ca_file = "/etc/consul.d/consul-agent-ca.pem" - cert_file = "/etc/consul.d/consul-agent.pem" - key_file = "/etc/consul.d/consul-agent-key.pem" - verify_incoming = true - verify_outgoing = true - verify_server_hostname = true - } -} -``` - -```json -{ - "addresses": { - "https": "0.0.0.0", - "http": "127.0.0.1", - }, - "ports": { - "https": 8501, - "http": 8500 - }, - "tls": { - "https": { - "ca_file": "consul-agent-ca.pem", - "cert_file": "consul-agent.pem", - "key_file": "consul-agent-key.pem", - "verify_incoming": false, - "verify_outgoing": true - }, - "internal_rpc": { - "ca_file": "consul-agent-ca.pem", - "cert_file": "consul-agent.pem", - "key_file": "consul-agent-key.pem", - "verify_incoming": true, - "verify_outgoing": true, - "verify_server_hostname": true - } - } -} -``` - - - -## Next steps - -Your agents are now configured with mTLS for encrypted communication. With the auto encryption method, your -client certificates are managed by the server. With the operator method, you distributed all the certificates manually, but have a more flexible configuration. - -Documentation for the commands used in this topic is available at [Consul agent configuration - TLS configuration reference](/consul/docs/agent/config/config-files#tls-configuration-reference) and the [`consul tls` CLI command reference](/consul/commands/tls). - -To learn how to automate TLS certificate generation and rotation, refer to the [Generate mTLS Certificates for Consul with Vault](/consul/tutorials/operate-consul/vault-pki-consul-secure-tls) tutorial. - -To continue securing your Consul deployment, add [gossip encryption](/consul/docs/security/encryption/gossip) and enable [Access Control Lists (ACLs)](/consul/docs/security/acl) with the default deny policy. diff --git a/website/content/docs/security/index.mdx b/website/content/docs/security/index.mdx deleted file mode 100644 index 1f89ad104d2..00000000000 --- a/website/content/docs/security/index.mdx +++ /dev/null @@ -1,30 +0,0 @@ ---- -layout: docs -page_title: Security - Overview -description: >- - Security requirements and recommendations for Consul vary depending on workloads and environments. Learn how ACLs and encryption can protect access to and communication within your datacenter. ---- - -# Consul security - -This topic describes the security requirements and recommendations for a Consul deployment. - -## Security Models - -Requirements and recommendations for operating a secure Consul deployment may vary drastically depending on your -intended workloads, operating system, and environment. You can find detailed information about the various personas, -recommendations, requirements, and threats in the [Security Models](/consul/docs/security/security-models) section. - -## ACLs - -Consul provides an optional [Access Control List (ACL) system](/consul/docs/security/acl) which can be used to control access -to data and APIs. - -## Encryption - -The Consul agent supports encryption for all of its network traffic. There are two separate encryption systems: - -- A gossip encryption system -- An mTLS encryption system for HTTP and RPC - -For more information about these two different encryption systems, as well as configuration guidance, refer to [Consul encryption](/consul/docs/security/encryption). diff --git a/website/content/docs/security/security-models/core.mdx b/website/content/docs/security/security-models/core.mdx deleted file mode 100644 index 9b0da86089c..00000000000 --- a/website/content/docs/security/security-models/core.mdx +++ /dev/null @@ -1,440 +0,0 @@ ---- -layout: docs -page_title: Security Models - Consul -description: >- - The security model for Consul Core details requirements and recommendations for securing your deployment of Consul. Learn about potential threats and how to protect Consul from malicious actors. ---- - -# Consul security model overview - -Consul enables automation of network configurations, service discovery, and secure network connectivity across any -cloud or runtime. - -Consul uses a lightweight gossip and RPC system which provides various essential features. Both of these systems -provide security mechanisms which should be used to enable confidentiality, integrity and authentication. - -Using defense in depth is crucial for Consul security, and deployment requirements may differ drastically depending on -your use case. Some security features for multi-tenant deployments are offered exclusively in the -[Enterprise](/consul/docs/enterprise) version. This documentation may need to be adapted to your -environment, but the general mechanisms for a secure Consul deployment revolve around: - -- **mTLS** - Mutual authentication of both the TLS server and client x509 certificates prevents internal abuse from - unauthorized access to network components within the cluster. - -- **ACLs** - Enable role-based access controls for authenticated connections by granting capabilities for an individual - human, or machine operator identity via an ACL token to authorize actions within a cluster. Optionally, custom - [authentication methods](/consul/docs/security/acl/auth-methods) can be used to enable trusted external parties to authorize - ACL token creation. - -- **Intentions** - If in use, configure service intentions to use a default-deny policy. If L7 intentions are - in use, enable [Mesh request normalization](/consul/docs/connect/config-entries/mesh#request-normalization) - and review your [header match rules](/consul/docs/connect/config-entries/service-intentions#spec-sources-permissions-http-header) to prevent malformed requests from bypassing intentions. - -- **Namespaces** - Read and write operations can be scoped to a logical namespace to restrict - access to Consul components within a multi-tenant environment. - -- **Sentinel Policies** - Sentinel policies enable policy-as-code for granular control over - the built-in key-value store. - -## Personas - -It helps to consider the following types of personas when managing the security requirements of a Consul deployment. -The granularity may change depending on your team's requirements. - -- **System Administrator** - This is someone who has access to the underlying infrastructure to the Consul cluster. - Often they have access to SSH or RDP directly into a server within a cluster through a bastion host. Ultimately they - have read, write and execute permissions for the actual Consul binary. This binary is the same for server and client - agents using different configuration files. These users potentially have sudo, administrative, or some other - super-user access to the underlying compute resource. They have access to all persisted data on disk, or in memory. - This would include ACL tokens, certificates, and other secrets stored on the system. Users like these are essentially - totally trusted, as they have administrative rights to the underlying operating-system with the ability to configure, - start, and stop the agent. - -- **Consul Administrator** - This is someone (probably the same System Administrator) who has access to define the - Consul agent configurations for servers and clients, and/or have a Consul management ACL token. They also have total - rights to all of the parts in the Consul system including the ability to manage all services within a cluster. - -- **Consul Operator** - This is someone who likely has restricted capabilities to use their namespace within a cluster. - -- **Developer** - This is someone who is responsible for creating, and possibly deploying applications connected, or - configured with Consul. In some cases they may have no access, or limited capabilities to view Consul information, - such as through metrics, or logs. - -- **User** - This is the end user, using applications backed by services managed by Consul. In some cases services may - be public facing on the internet such as a web server, typically through a load-balancer, or ingress gateway. This is - someone who should not have any network access to the Consul agent APIs. - -## Secure Configuration - -Consul's security model is applicable only if all parts of the system are running with a secure configuration; **Consul -is not secure-by-default.** Without the following mechanisms enabled in Consul's configuration, it may be possible to -abuse access to a cluster. Like all security considerations, administrators must determine what is appropriate for their -environment and adapt these configurations accordingly. - -## Requirements - -- **mTLS** - Mutual authentication of both the TLS server and client x509 certificates prevents internal abuse through - unauthorized access to Consul agents within the cluster. - - - [`tls.defaults.verify_incoming`](/consul/docs/agent/config/config-files#tls_defaults_verify_incoming) - By default this is false, and - should almost always be set to true to require TLS verification for incoming client connections. This applies to the - internal RPC, HTTPS and gRPC APIs. - - - [`tls.https.verify_incoming`](/consul/docs/agent/config/config-files#tls_https_verify_incoming) - By default this is false, and should - be set to true to require clients to provide a valid TLS certificate when the Consul HTTPS API is enabled. TLS for - the API may be not be necessary if it is exclusively served over a loopback interface such as `localhost`. - - - [`tls.internal_rpc.verify_incoming`](/consul/docs/agent/config/config-files#tls_internal_rpc_verify_incoming) - By default this is false, - and should almost always be set to true to require clients to provide a valid TLS certificate for Consul agent RPCs. - - - [`tls.grpc.verify_incoming`](/consul/docs/agent/config/config-files#tls_grpc_verify_incoming) - By default this is false, and should - be set to true to require clients to provide a valid TLS certificate when the Consul gRPC API is enabled. TLS for - the API may be not be necessary if it is exclusively served over a loopback interface such as `localhost`. - - - [`tls.internal_rpc.verify_outgoing`](/consul/docs/agent/config/config-files#tls_internal_rpc_verify_outgoing) - By default this is false, - and should be set to true to require TLS for outgoing connections from server or client agents. Servers that specify - `verify_outgoing = true` will always talk to other servers over TLS, but they still accept non-TLS connections to allow - for a transition of all clients to TLS. Currently the only way to enforce that no client can communicate with a server - unencrypted is to also enable `verify_incoming` which requires client certificates too. - - - [`enable_agent_tls_for_checks`](/consul/docs/agent/config/config-files#enable_agent_tls_for_checks) - By default this is false, and - should almost always be set to true to require mTLS to set up the client for HTTP or gRPC health checks. This was - added in Consul 1.0.1. - - - [`tls.internal_rpc.verify_server_hostname`](/consul/docs/agent/config/config-files#tls_internal_rpc_verify_server_hostname) - By default - this is false, and should be set to true to require that the TLS certificate presented by the servers matches - `server..` hostname for outgoing TLS connections. The default configuration does not verify the - hostname of the certificate, only that it is signed by a trusted CA. This setting is critical to prevent a - compromised client agent from being restarted as a server and having all cluster state including all ACL tokens and - service mesh CA root keys replicated to it. This setting was introduced in 0.5.1. From version 0.5.1 to 1.4.0 we - documented that `verify_server_hostname` being true implied verify_outgoing however due to a bug this was not the - case so setting only `verify_server_hostname` results in plaintext communication between client and server. See - [CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) for more details. This is fixed - in 1.4.1. - - - [`auto_encrypt`](/consul/docs/agent/config/config-files#auto_encrypt) - Enables automated TLS certificate distribution for client - agent RPC communication using the service mesh CA. Using this configuration a [`ca_file`](/consul/docs/agent/config/config-files#tls_defaults_ca_file) - and ACL token would still need to be distributed to client agents. - - - [`allow_tls`](/consul/docs/agent/config/config-files#allow_tls) - By default this is false, and should be set to true on server - agents to allow certificates to be automatically generated and distributed from the service mesh CA to client agents. - - - [`tls`](/consul/docs/agent/config/config-files#tls) - By default this is false, and should be set to true on client agents to - automatically request a client TLS certificate from the server's service mesh CA. - - **Example Server Agent TLS Configuration** - - ```hcl - tls { - defaults { - verify_incoming = true - verify_outgoing = true - ca_file = "consul-agent-ca.pem" - cert_file = "dc1-server-consul-0.pem" - key_file = "dc1-server-consul-0-key.pem" - verify_server_hostname = true - } - } - - auto_encrypt { - allow_tls = true - } - ``` - - **Example Client Agent TLS Configuration** - - ```hcl - tls { - defaults { - verify_incoming = false - verify_outgoing = true - ca_file = "consul-agent-ca.pem" - verify_server_hostname = true - } - } - - auto_encrypt { - tls = true - } - ``` - - -> **Note**: The client agent TLS configuration from above sets [`verify_incoming`](/consul/docs/agent/config/config-files#tls_defaults_verify_incoming) - to false which assumes all incoming traffic is restricted to `localhost`. The primary benefit for this configuration - would be to avoid provisioning client TLS certificates (in addition to ACL tokens) for all tools or applications - using the local Consul agent. In this case ACLs should be enabled to provide authorization and only ACL tokens would - need to be distributed. - -- **ACLs** - The access control list (ACL) system provides a security mechanism for Consul administrators to grant - capabilities tied to an individual human, or machine operator identity. To ultimately secure the ACL system, - administrators should configure the [`default_policy`](/consul/docs/agent/config/config-files#acl_default_policy) to "deny". - - The [system](/consul/docs/security/acl) is comprised of five major components: - - - **🗝 Token** - API key associated with policies, roles, or service identities. - - - **📜 Policy** - Set of rules to grant or deny access to various Consul resources. - - - **🎭 Role** - Grouping of policies, and service identities. - - - **👤 Service or Node Identity** - Synthetic policy granting a predefined set of permissions typical for services - deployed within Consul. - - - **🏷 Namespace** - a named, logical scoping of Consul Enterprise resources, typically to - enable multi-tenant environments. Consul CE clusters always operate within the "default" namespace. - -- **Intentions** - Service intentions control traffic communication between services at the network layer (L4) and - application layer (L7). If in use, we strongly recommend configuring intentions to use a default-deny policy. - When L7 intentions are in use, review your configuration for [Mesh request normalization](/consul/docs/connect/config-entries/mesh#request-normalization) - and use the strictest set of options suitable to your environment. At minimum, we - recommend keeping path normalization enabled, because this default setting prevents requests that do not conform to [RFC 3986]( - https://tools.ietf.org/html/rfc3986#section-6) from bypassing path match rules. - -- **Gossip Encryption** - A shared, base64-encoded 32-byte symmetric key is required to [encrypt Serf gossip - communication](/consul/tutorials/security/gossip-encryption-secure?utm_source=consul.io&utm_medium=docs) within a cluster using - AES GCM. The key size determines which AES encryption types to use; 16, 24, or 32 bytes to select AES-128, AES-192, - or AES-256 respectively. 32-byte keys are ultimately preferable and is the default size generated by the - [`keygen`](/consul/commands/keygen) command. This key should be - [regularly rotated](https://support.hashicorp.com/hc/en-us/articles/360044051754-Consul-Gossip-Key-Rotation) using - the builtin [keyring management](/consul/commands/keyring) features of Consul. - - Two optional gossip encryption options enable Consul servers without gossip encryption to safely upgrade. After - upgrading, the verification options should be enabled, or removed to set them to their default state: - - - [`encrypt_verify_incoming`](/consul/docs/agent/config/config-files#encrypt_verify_incoming) - By default this is true to enforce - encryption on _incoming_ gossip communications. - - - [`encrypt_verify_outgoing`](/consul/docs/agent/config/config-files#encrypt_verify_outgoing) - By default this is true to enforce - encryption on _outgoing_ gossip communications. - -- **Namespaces** - Read and write operations should be scoped to logical namespaces to - restrict access to Consul components within a multi-tenant environment. Furthermore, this feature can be used to - enable a self-service approach to Consul ACL administration for teams within a scoped namespace. - -- **Sentinel Policies** - Sentinel policies allow for granular control over the builtin - key-value store. - -- **Ensure Script Checks are Disabled** - Consul's agent optionally has an HTTP API, which can be exposed beyond - `localhost`. If this is the case, `enable_script_checks` must be false otherwise, even with ACLs configured, script - checks present a remote code execution threat. `enable_local_script_checks` provides a secure alternative if the - HTTP API must be exposed and is available from 1.3.0 on. This feature was also back-ported to patch releases 0.9.4, - 1.1.1, and 1.2.4 as described here. This is not enabled by default. - -- **Ensure Remote Execution is Disabled** - Consul includes a consul exec feature allowing execution of arbitrary - commands across the cluster. This is disabled by default since 0.8.0. We recommend leaving it disabled. If enabled, - extreme care must be taken to ensure correct ACLs restrict access to execute arbitrary code on the cluster. - -## Recommendations - -- **Rotate Credentials** - Using short-lived credentials and rotating them frequently is highly recommended for - production environments to limit the blast radius from potentially compromised secrets, and enabling basic auditing. - - - **ACL Tokens** - Consul APIs require an ACL token to authorize actions within a cluster. - - - **X.509 Certificates** - Rotate certificates used by the Consul agent; e.g. integrate with Vault's PKI secret engine - to automatically generate and renew dynamic, unique X.509 certificates for each Consul node with a short TTL. Client - certificates can be automatically rotated by Consul when using `auto_encrypt` such that only server certificates - would be managed by Vault. - - - **Gossip Keys** - Rotating the encryption keys used by the internal gossip protocol for Consul agents can be - regularly rotated using the builtin keyring management features. - -- **Running without Root** - Consul agents can be run as unprivileged users that only require access to the - data directory. - -- **Linux Security Modules** - Use of security modules that can be directly integrated into operating systems such as - AppArmor, SElinux, and Seccomp on Consul agent hosts. - -- **Customize TLS Settings** - TLS settings such as the [available cipher suites](/consul/docs/agent/config/config-files#tls_defaults_tls_cipher_suites), - should be tuned to fit the needs of your environment. - - - [`tls_min_version`](/consul/docs/agent/config/config-files#tls_defaults_tls_min_version) - Used to specify the minimum TLS version to use. - - - [`tls_cipher_suites`](/consul/docs/agent/config/config-files#tls_defaults_tls_cipher_suites) - Used to specify which TLS cipher suites are allowed. - -- **Customize HTTP Response Headers** - Additional security headers, such as - [`X-XSS-Protection`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection), can be - [configured](/consul/docs/agent/config/config-files#response_headers) for HTTP API responses. - - ```hcl - http_config { - response_headers { - "X-Frame-Options" = "DENY" - } - } - ``` - -- **Customize Mesh HTTP Request Normalization** - If L7 intentions are in use, we recommend configuring request normalization to - avoid match rule circumvention. Other normalization options, such as dropping or rejecting headers with underscores, - may also be appropriate depending on your requirements. Review the options in the [Mesh configuration entry](/consul/docs/connect/config-entries/mesh#request-normalization) to determine the appropriate settings for your use case. - -- **Customize Default Limits** - Consul has a number of builtin features with default connection limits that should be - tuned to fit your environment. - - - [`http_max_conns_per_client`](/consul/docs/agent/config/config-files#http_max_conns_per_client) - Used to limit concurrent access from - a single client to the HTTP(S) endpoint on Consul agents. - - - [`https_handshake_timeout`](/consul/docs/agent/config/config-files#https_handshake_timeout) - Used to timeout TLS connection for the - HTTP(S) endpoint for Consul agents. - - - [`rpc_handshake_timeout`](/consul/docs/agent/config/config-files#rpc_handshake_timeout) - Used to timeout TLS connections for the RPC - endpoint for Consul agents. - - - [`rpc_max_conns_per_client`](/consul/docs/agent/config/config-files#rpc_max_conns_per_client) - Used to limit concurrent access from a - single client to the RPC endpoint on Consul agents. - - - [`rpc_rate`](/consul/docs/agent/config/config-files#rpc_rate) - Disabled by default, this is used to limit (requests/second) for client - agents making RPC calls to server agents. - - - [`rpc_max_burst`](/consul/docs/agent/config/config-files#rpc_max_burst) - Used as the token bucket size for client agents making RPC - calls to server agents. - - - [`kv_max_value_size`](/consul/docs/agent/config/config-files#kv_max_value_size) - Used to configure the max number of bytes in a - key-value API request. - - - [`txn_max_req_len`](/consul/docs/agent/config/config-files#txn_max_req_len) - Used to configure the max number of bytes in a - transaction API request. - -- **Secure UI Access** - Access to Consul's builtin UI can be secured in various ways: - - - **mTLS** - Enabling the HTTPS with mutual TLS authentication is recommended, but requires extra tooling to terminate - the mTLS connection, preferably on an operator's local machine using a proxy script. To do this, follow the tutorial on - [Configuring the Consul UI for HTTPS](/consul/tutorials/security-operations/tls-encryption-openssl-secure#configure-the-consul-ui-for-https) - and in Step 2 use "Option 1: add a client certificate to your browser". - - - **TLS** - Enabling the HTTPS is recommended where mTLS may not be required for UI access, such as when ACLs are - configured with a default deny. To do this, follow the tutorial on - [Configuring the Consul UI for HTTPS](/consul/tutorials/security-operations/tls-encryption-openssl-secure#configure-the-consul-ui-for-https) - and in Step 2 use "Option 2: verify_incoming_rpc". - - - **ACL** - ACLs with a default deny policy enables safer UI access by preventing unauthorized access to sensitive - components within the cluster. To do this, follow the tutorial on - [Securing Consul with Access Control Lists (ACLs)](/consul/tutorials/security/access-control-setup-production), - which includes a section on [creating ACL tokens that provide a desired level UI access](/consul/tutorials/security/access-control-setup-production#consul-ui-token). - - - **Restrict HTTP Writes** - Using the [`allow_write_http_from`](/consul/docs/agent/config/config-files#allow_write_http_from) - configuration option to restrict write access for agent endpoints to hosts on the specified list of CIDRs. - - **Example Agent Configuration** - - ```hcl - http_config { - allow_write_http_from = ["127.0.0.0/8"] - } - ``` - -## Threat Model - -The following are parts of the core Consul threat model: - -- **Consul agent-to-agent communication** - Communication between Consul agents should be secure from eavesdropping. - This requires transport encryption to be enabled on the cluster and covers both TCP and UDP traffic. - -- **Consul agent-to-CA communication** - Communication between the Consul server and the configured certificate - authority provider for service mesh is always encrypted. - -- **Tampering of data in transit** - Any tampering should be detectable and cause Consul to avoid processing - the request. - -- **Access to data without authentication or authorization** - All requests must be authenticated and authorized. This - requires that ACLs are enabled on the cluster with a default deny mode. - -- **State modification or corruption due to malicious messages** - Ill-formatted messages are discarded and - well-formatted messages require authentication and authorization. - -- **Non-server members accessing raw data** - All servers must join the cluster (with proper authentication and - authorization) to begin participating in Raft. Raft data is transmitted over TLS. - -- **Denial of Service against a node** - DoS attacks against a node should not compromise the security stance of - the software. - -- **Communication between mesh services** - Communications between two mesh-enabled services (natively or - by sidecar proxy) should be secure from eavesdropping and provide authentication. This is achieved via mutual TLS. - -The following are not part of the threat model for server agents: - -- **Access (read or write) to the Consul data directory** - All Consul servers, including non-leaders, persist the full - set of Consul state to this directory. The data includes all KV, service registrations, ACL tokens, service mesh CA - configuration, and more. Any read or write to this directory allows an attacker to access and tamper with that data. - -- **Access (read or write) to the Consul configuration directory** - Consul configuration can enable or disable the ACL - system, modify data directory paths, and more. Any read or write of this directory allows an attacker to reconfigure - many aspects of Consul. By disabling the ACL system, this may give an attacker access to all Consul data. - -- **Memory access to a running Consul server agent** - If an attacker is able to inspect the memory state of a running - Consul server agent the confidentiality of almost all Consul data may be compromised. If you're using an external - service mesh CA, the root private key material is never available to the Consul process and can be considered safe. Service - service mesh TLS certificates should be considered compromised; they are never persisted by server agents but do exist - in-memory during at least the duration of a Sign request. - -The following are not part of the threat model for client agents: - -- **Access (read or write) to the Consul data directory** - Consul clients will use the data directory to cache local - state. This includes local services, associated ACL tokens, service mesh TLS certificates, and more. Read or write access - to this directory will allow an attacker to access this data. This data is typically a smaller subset of the full data - of the cluster. -- **Access (read or write) to the Consul configuration directory** - Consul client configuration files contain the - address and port information of services, default ACL tokens for the agent, and more. Access to Consul configuration - could enable an attacker to change the port of a service to a malicious port, register new services, and more. - Further, some service definitions have ACL tokens attached that could be used cluster-wide to impersonate that - service. An attacker cannot change cluster-wide configurations such as disabling the ACL system. - -- **Memory access to a running Consul client agent** - The blast radius of this is much smaller than a server agent but - the confidentiality of a subset of data can still be compromised. Particularly, any data requested against the agent's - API including services, KV, and service mesh information may be compromised. If a particular set of data on the server was - never requested by the agent, it never enters the agent's memory since replication only exists between servers. An - attacker could also potentially extract ACL tokens used for service registration on this agent, since the tokens must - be stored in-memory alongside the registered service. - -- **Network access to a local service mesh proxy or service** - Communications between a service and a mesh-aware proxy - are generally unencrypted and must happen over a trusted network. This is typically a loopback device. This requires - that other processes on the same machine are trusted, or more complex isolation mechanisms are used such as network - namespaces. This also requires that external processes cannot communicate to the mesh service or sidecar proxy (except on - the inbound port). Therefore, non-native service mesh applications should only bind to non-public addresses. - -- **Improperly Implemented service mesh proxy or service** - A service mesh proxy or natively integrated service must correctly - serve a valid leaf certificate, verify the inbound TLS client certificate, and call the Consul agent-local authorized - endpoint. If any of this isn't performed correctly, the proxy or service may allow unauthenticated or unauthorized - connections. - -## Internal Threats - -- **Operator** - A malicious internal Consul operator with a valid mTLS certificate and ACL token may still be a threat - to your cluster in certain situations, especially in multi-team deployments. They may accidentally or intentionally - abuse access to Consul components which can help be protected against using Namespace, and Sentinel policies. - -- **Application** - A malicious internal application, such as a compromised third-party dependency with access to a - Consul agent, along with the TLS certificate or ACL token used by the local agent, could effectively do anything the - token permits. Consider enabling HTTPS for the local Consul agent API, enforcing full mutual TLS verification, - segmenting services using namespaces, as well as configuring OS users, groups, and file permissions to build a defense-in-depth approach. - -- **RPC** - Malicious actors with access to a Consul agent RPC endpoint may be able to impersonate Consul server agents - if mTLS is not properly configured to verify the client TLS certificate identity. Consul should also have ACLs enabled - with a default policy explicitly set to deny to require authorization. - -- **HTTP** - Malicious actors with access to a Consul agent HTTP(S) endpoint may be able to impersonate the agent's - configured identity, and extract information from Consul when ACLs are disabled. - -- **DNS** - Malicious actors with access to a Consul agent DNS endpoint may be able to extract service catalog - information. - -- **Gossip** - Malicious actors with access to a Consul agent Serf gossip endpoint may be able to impersonate - agents within a datacenter. Gossip encryption should be enabled, with a regularly rotated gossip key. - -- **Proxy (xDS)** - Malicious actors with access to a Consul agent xDS endpoint may be able to extract Envoy service - information. When ACLs and HTTPS are enabled, the gRPC endpoint serving up the xDS service requires (m)TLS and a - valid ACL token. - -## External Threats - -- **Agents** - External access to the Consul agent's various network endpoints should be considered including the - gossip, HTTP, RPC, and gRPC ports. Furthermore, access through other services like SSH or `exec` functionality in - orchestration systems such as Nomad and Kubernetes may expose unencrypted information persisted to disk including - TLS certificates or ACL tokens. Access to the Consul agent directory is explicitly outside the scope of Consul's - threat model and should only be exposed to authenticated and authorized users. - -- **Gateways** - Consul supports a variety of [gateways](/consul/docs/connect/gateways) to allow traffic in-and-out of the - service mesh to support a variety of workloads. When using an internet-exposed gateway, you should be sure to harden - your Consul agent and host configurations. In most configurations, ACLS, gossip encryption, and mTLS should be - enforced. If an [escape hatch override](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) is - required, the proxy configuration should be audited to ensure security configurations remain intact, and do not - violate Consul's security model. diff --git a/website/content/docs/security/security-models/index.mdx b/website/content/docs/security/security-models/index.mdx deleted file mode 100644 index eea5cd6ab29..00000000000 --- a/website/content/docs/security/security-models/index.mdx +++ /dev/null @@ -1,26 +0,0 @@ ---- -layout: docs -page_title: Security Models - Overview -description: >- - Security models are the set of requirements and recommendations for securely operating a Consul deployment. Learn about security models and how they differ between environments. ---- - -# Security models overview - -Requirements and recommendations for operating a secure Consul deployment may vary drastically depending on your -intended workloads, operating system, and environment. Consul is not secure by default, but can be configured to satisfy -the security requirements for a wide-range of use cases from local developer environments without any configuration to -container orchestrators in-production with ACL authorization, and mTLS authentication. - -## Core - -The core Consul product provides several options for enabling encryption, authentication, and authorization -controls for a cluster. You can read more about the various personas, recommendations, requirements, and threats -[here](/consul/docs/security/security-models/core). - -## NIA - -[Network Infrastructure Automation](/consul/docs/nia) (NIA) enables dynamic updates to network infrastructure devices triggered -by service changes. Both the core Consul product's configuration and the configuration for the `consul-terraform-sync` -daemon used by NIA can affect the security of your deployment. You can read more about the various personas, -recommendations, requirements, and threats [here](/consul/docs/security/security-models/nia). diff --git a/website/content/docs/security/security-models/nia.mdx b/website/content/docs/security/security-models/nia.mdx deleted file mode 100644 index 6770890654d..00000000000 --- a/website/content/docs/security/security-models/nia.mdx +++ /dev/null @@ -1,166 +0,0 @@ ---- -layout: docs -page_title: Security Models - Network Infrastructure Automation (NIA) -description: >- - The NIA security model details requirements and recommendations for securing your Consul-Terraform-Sync (CTS) deployment. Learn about potential threats and how to protect CTS from malicious actors. ---- - -# Network Infrastructure Automation (NIA) overview - -Network Infrastructure Automation (NIA) enables dynamic updates to network infrastructure devices triggered by service changes using the [Consul Terraform Sync](https://github.com/hashicorp/consul-terraform-sync) (`consul-terraform-sync`) daemon. This daemon uses Consul's catalog to monitor networking information about services along with [Terraform](https://www.terraform.io/)'s provider ecosystem to apply relevant changes to network infrastructure. - -The [Secure Consul-Terraform-Sync for Production](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-secure?utm_source=docs) -tutorial contains a checklist of best practices to secure your -Consul-Terraform-Sync installation for a production environment. - -## Personas - -When considering Consul NIA's security model, it helps to think of the following personas. - -- **System Administrator** - This is someone who has access to the underlying infrastructure of the - NIA daemon ([`consul-terraform-sync`](https://github.com/hashicorp/consul-terraform-sync)), and possibly the core Consul service. Often she has access to SSH directly - into a server within a cluster through a bastion host. Ultimately they have read, write, and - execute permissions for the `consul-terraform-sync` binary. These users potentially have sudo, - administrative, or some other privileged access to the underlying compute resource. Users like - these are essentially totally trusted by NIA as they have administrative rights to the system. -- **Consul NIA Operator** - This is someone who has access - to define the `consul-terraform-sync` configuration, and possibly a Consul ACL token, and other secrets used to interact with various network infrastructure APIs. They have full access to all parts of `consul-terraform-sync` including the ability to configure, start, and stop the daemon. -- **Developer** - This is someone who is responsible for creating, and possibly deploying applications - connected, or configured with Consul. In some cases they may have no access, or limited capabilities - to view Consul information, such as through metrics, or logs. -- **User** - The end-user using the applications and other services managed by the NIA daemon, and should - have no knowledge or access to the daemon's API endpoints, ACL tokens, certificates, or any other - piece of the system. - -## Secure Configuration - -Consul NIA's security model is applicable only if all parts of the system are running with a secure -configuration; `consul-terraform-sync` is not secure-by-default. Without the following mechanisms enabled in the -daemon's configuration, it may be possible to abuse access to the daemon. Like all security -considerations, one must determine what concerns are appropriate for their environment, and adapt these -security concerns accordingly. - -## Requirements - -- **Protect Configuration Files and Directories** - A dedicated NIA user and group with limited - permissions should be created for production, along with directory, and file permissions appropriately - scoped for your operating environment. - - Example commands to illustrate creating a dedicated `consul-nia` system user, along with the supporting - directories, configuration file, and securing those permissions using - [`chown`](https://en.wikipedia.org/wiki/Chown) and [`chmod`](https://en.wikipedia.org/wiki/Chmod): - - ```shell-session - $ useradd --system --shell /bin/false consul-nia - $ mkdir -p /consul-nia/data - $ mkdir -p /consul-nia/config - $ echo "{ ... }" > /consul-nia/config/file.hcl - $ chown --recursive consul-nia:consul-nia /consul-nia - $ chmod -R 0750 consul-nia/ - ``` - -- **Protect Consul KV Path or Namespaces** - Note the daemon can monitor Consul services in other Namespaces. - This can be limited based on the ACL token used for the daemon. - -- **Use Consul ACLs** - The Access Control List (ACL) system within Consul can be used to restrict access to - only the required parts of Consul for the NIA daemon to operate. - - **Read + Write** permission for Consul KV to the specified path, and namespace. - - **Read** permission for Consul Catalog for all of the selected services to be monitored, and their namespaces. - - **Read + Write** permission to update health checks, when using NIA health monitoring. - -## Recommendations - -- **Use Dedicated Host** - The NIA daemon will potentially have access to critical secrets for your environment's - network infrastructure. Using a hardened, dedicated host, for supporting these sensitive operations is highly recommended. - -- **Run without Root** - The NIA daemon does not require root or other administrative privileges to operate. - -- **Protect NIA Daemon API Endpoint** - Any network endpoints provided by, or exposed to the NIA Daemon should be - protected using Consul service mesh and appropriate firewall rules. - -- **Use a centralized logging solution** - Export log entries within [syslog](https://en.wikipedia.org/wiki/Syslog) - generated from `consul-terraform-sync` to a centralized logging solution. - -- **Audit used Terraform providers** - [Terraform providers](/terraform/language/providers) that - are configured with the NIA daemon should be audited to ensure you're only using providers from sources that - you trust. - -## Threat Model - -The following are the parts of the NIA threat model: - -- **Consul agent communication** - In order to monitor the Consul Catalog for changes, the NIA daemon interacts with - Consul's HTTP API on a local or remote server agent. This communication requires TLS transport encryption, preferably - using mTLS for mutual authentication. - -- **NIA Terraform communication** - Network connectivity to downstream infrastructure APIs managed by the NIA daemon's - Terraform runs will need to be properly configured for secure access. - -- **Tampering of data in transit** - Any tampering should be detectable and cause the daemon to avoid processing the - request. - -- **Access to data without authentication or authorization** - Requests to the Consul agent should be authenticated and - authorized using (m)TLS and ACLs respectively. ACLs should be configured with the minimal permissions required for - your environment. - -- **Denial-of-Service** - DoS attacks against the NIA Daemon should not compromise the security of Consul, or Terraform, - but may impact any networking components relying on updates from the daemon to properly handle traffic within the - network. Access to the daemon should be prevented using firewall rules. - -The following are not a part of the threat model, as the NIA Daemon expects a secure configuration, while always -providing the default options for testing in local environments which cannot be automatically configured to be both -secure, and easily usable. However, these are valid concerns for Administrators and Operators to evaluate when hardening -a production deployment: - -- **Access (read or write) to the Consul NIA Configuration Files or Directory** - Necessary configuration for the daemon - process can be loaded from a single file or a directory of files. These configurations may contain secrets and can - enable/disable insecure features, or Terraform providers. - -- **Access (read or write) to the Consul NIA Consul KV Path** - Access to the daemon's Consul KV path may leak sensitive - information such as usernames, passwords, certificates, and tokens used by Terraform to provision infrastructure. - -- **Memory Access to a Running Consul-Terraform-Sync Process** - Direct access to the memory of running the daemon process - allows an attacker to extract sensitive information. - -- **Memory Access to a Running Terraform Process** - Direct access to the memory of running the Terraform process - managed by the daemon process allows an attacker to extract sensitive information. - -- **Access to the Terraform Binary** - Direct access to the Terraform binary used by the NIA daemon can allow an - attacker to extract sensitive information. - -- **Access to the Consul-Terraform-Sync Binary** - Direct access to the system binary used to start the NIA daemon can allow - an attacker to extract sensitive information. - -## Internal Threats - -- **NIA Operator** - Someone with access to the NIA Host, and it's related binaries or configuration files may be a - threat to your deployment, especially considering multi-team deployments. They may accidentally or intentionally use a - malicious Terraform provider, or extract various secrets to cause harm to the network. Access to the NIA host should - be guarded. - -- **Consul Operator** - Someone with access to the backend Consul cluster, similar to the NIA Operator, which can - perform actions that may trigger Terraform runs. They may also have access to the namespace and KV path of the NIA - daemon, which could give unintended access to Terraform's state file, which contains sensitive information. ACL - permissions for Consul should be carefully audited to ensure that no policies may be leaking the state file containing - sensitive information to other Consul operators unintentionally within the cluster. - -- **System-bound Attackers** - Multi-tenant environments, especially container orchestrators, can introduce a number of - security concerns. These may include shared secrets, host volume access, and other sources of potential pivoting, or - privilege escalation from attackers with operating system-level access, or side-car container access, through various - means. Extra steps to configuring OS, cluster, service, user, directory, and file permissions are essential steps for - implementing defense-in-depth within a production environment. - -## External Threats - -- **Terraform Providers and Modules** - Potentially malicious providers or modules, or any malicious dependencies part - of the Terraform ecosystem could cause harm to the network, and may have access to secrets in order to make necessary - network changes. Terraform provider configuration should be audited, pinned to a version, and audited for potential - typo-squatting issues from the Terraform Registry. - -- **Network-bound Attackers** - Whenever a service is exposed to the open internet, which may be the case, you really - need to consider external network attackers which may seek-out hidden, unauthenticated, or otherwise vulnerable - endpoints. This can lead to larger security concerns when able to pivot to internal resources from an external one. - -- **Leaking Secrets** - TLS certificates and tokens used by the Consul NIA daemon can enable external attackers to - access Consul, or Terraform resources. These secrets shouldn't be hardcoded into configs uploaded to public - places like GitHub. diff --git a/website/content/docs/services/configuration/services-configuration-overview.mdx b/website/content/docs/services/configuration/services-configuration-overview.mdx deleted file mode 100644 index 3c01f05ae7c..00000000000 --- a/website/content/docs/services/configuration/services-configuration-overview.mdx +++ /dev/null @@ -1,29 +0,0 @@ ---- -layout: docs -page_title: Services configuration overview -description: -> - This topic provides introduces the configuration items that enable you to register services with Consul so that they can connect to other services and nodes registered with Consul. ---- - -# Services configuration overview - -This topic provides introduces the configuration items that enable you to register services with Consul so that they can connect to other services and nodes registered with Consul. - -## Service definitions -A service definition contains a set of parameters that specify various aspects of the service, including how it is discovered by other services in the network. The service definition may also contain health check configurations. Refer to [Health Check Configuration Reference](/consul/docs/services/configuration/checks-configuration-reference) for configuration details about health checks. - -Configure individual services and health checks by specifying parameters in the `service` block of a service definition file. Refer to [Define Services](/consul/docs/services/usage/define-services) for information about defining services. - -To register a service, provide the service definition to the Consul agent. Refer to [Register Services and Health Checks](/consul/docs/services/usage/register-services-checks) for information about registering services. - -Consul supports service definitions written in JSON and HCL. - -## Service defaults -Use the `service-defaults` configuration entry to define the default parameters for service definitions. This enables you to configure common settings, such as namespace or partition for Consul Enterprise deployments, in a single definition. - -You can use `service-defaults` configuration entries on virtual machines and in Kubernetes environments. - -## ACLs -Services registered in Consul clusters where both Consul Namespaces and the ACL system are enabled can be registered to specific namespaces that are associated with ACL tokens scoped to the namespace. Services registered with a service definition will not inherit the namespace associated with the ACL token specified in the token field. The namespace and the token parameters must be included in the service definition for the service to be registered to the namespace that the ACL token is scoped to. - - diff --git a/website/content/docs/services/discovery/dns-cache.mdx b/website/content/docs/services/discovery/dns-cache.mdx deleted file mode 100644 index 68b531d1b69..00000000000 --- a/website/content/docs/services/discovery/dns-cache.mdx +++ /dev/null @@ -1,250 +0,0 @@ ---- -layout: docs -page_title: Scale Consul DNS -description: -> - You tune Consul DNS query handling to balance between current information and reducing request response time. Learn how to enable caching by modifying TTL values, how to return stale results from the DNS cache, and how to configure Consul for negative response caching. ---- - -# Scale Consul DNS - -This page describes the process to return cached results in response to DNS lookups. Consul agents can use DNS caching to reduce response time, but might provide stale information in the process. - -## Scaling techniques - -By default, Consul serves all DNS results with a `0` TTL value so that it returns the most recent information. When operating at scale, this configuration may result in additional latency because servers must respond to every DNS query. There are several strategies for distributing this burden in your datacenter: - -- [Allow Stale Reads](#stale-reads). Allows other servers besides the leader to answer the query rather than forwarding it to the leader. -- [Configure DNS TTLs](#ttl-values). Configure DNS time-to-live (TTL) values for nodes or services so that the DNS subsystem on the container’s operating system can cache responses. Services then resolve DNS queries locally without any external requests. -- [Add Read Replicas](/consul/docs/enterprise/read-scale). Enterprise users can use read replicas, which are additional Consul servers that replicate cluster data without participating in the Raft quorum. -- [Use Cache to prevent server requests](/consul/docs/agent/config/config-files#dns_use_cache). Configure the Consul client to use its agent cache to subscribe to events about a service or node. After you establish the watch, the local Consul client agent can resolve DNS queries about the service or node without querying Consul servers. - -The following table describes the availability of each scaling technique depending on whether you configure Consul to offload DNS requests from the cluster leader to a client agent, dataplane, or DNS proxy. - -| Scaling technique | Supported by client agents | Supported by dataplanes | Supported by Consul DNS Proxy | -| :---------------------------------- | :---------------------------: | :---------------------------: | :---------------------------: | -| Configure DNS TTLs | ✅ | ✅ | ✅ | -| Allow Stale Reads | ✅ | ✅ | ✅ | -| Add Read Replicas | ✅ | ✅ | ✅ | -| Use Cache to prevent server request | ✅ | ❌ | ❌ | - -For more information about considerations for Consul deployments that operate at scale, refer to [Operating Consul at Scale](/consul/docs/architecture/scale). - -## TTL values ((#ttl)) - -You can configure TTL values in the [agent configuration file](/consul/docs/agent/config/config-files) to allow DNS results to be cached downstream of Consul. -Higher TTL values reduce the number of lookups on the Consul servers and speed -lookups for clients, at the cost of increasingly stale results. By default, all -TTLs are zero, preventing any caching. - - - -```hcl -dns_config { - service_ttl { - "*" = "0s" - } - node_ttl = "0s" -} -``` - -```json -{ - "dns_config": { - "service_ttl": { - "*": "0s" - }, - "node_ttl": "0s" - } -} -``` - - - -### Enable caching - -To enable caching of node lookups, set the -[`dns_config.node_ttl`](/consul/docs/agent/config/config-files#node_ttl) -value. This can be set to `10s` for example, and all node lookups will serve -results with a 10 second TTL. - -Service TTLs can be specified in a more granular fashion. You can set TTLs -per-service, with a wildcard TTL as the default. This is specified using the -[`dns_config.service_ttl`](/consul/docs/agent/config/config-files#service_ttl) -map. The `*` is supported at the end of any prefix and has a lower precedence -than strict match, so `my-service-x` has precedence over `my-service-*`. When -performing wildcard match, the longest path is taken into account, thus -`my-service-*` TTL will be used instead of `my-*` or `*`. With the same rule, -`*` is the default value when nothing else matches. If no match is found the TTL -defaults to 0. - -For example, a [`dns_config`](/consul/docs/agent/config/config-files#dns_config) -that provides a wildcard TTL and a specific TTL for a service might look like this: - - - -```hcl -dns_config { - service_ttl { - "*" = "5s" - "web" = "30s" - "db*" = "10s" - "db-master" = "3s" - } -} -``` - -```json -{ - "dns_config": { - "service_ttl": { - "*": "5s", - "web": "30s", - "db*": "10s", - "db-master": "3s" - } - } -} -``` - - - -This sets all lookups to "web.service.consul" to use a 30 second TTL -while lookups to "api.service.consul" will use the 5 second TTL from the wildcard. -All lookups matching "db\*" would get a 10 seconds TTL except "db-master" that -would have a 3 seconds TTL. - -### Prepared queries - -[Prepared Queries](/consul/api-docs/query) provide an additional -level of control over TTL. They allow for the TTL to be defined along with -the query, and they can be changed on the fly by updating the query definition. -If a TTL is not configured for a prepared query, then it will fall back to the -service-specific configuration defined in the Consul agent as described above, -and ultimately to 0 if no TTL is configured for the service in the Consul agent. - -     - -## Stale reads - -Stale reads can be used to reduce latency and increase the throughput of DNS -queries. The [settings](/consul/docs/agent/config/config-files) used to -control stale reads of DNS queries are: - -- [`dns_config.allow_stale`](/consul/docs/agent/config/config-files#allow_stale) must be - set to true to enable stale reads. -- [`dns_config.max_stale`](/consul/docs/agent/config/config-files#max_stale) limits how stale results - are allowed to be when querying DNS. - -With these two settings you can allow or prevent stale reads. Below we will -discuss the advantages and disadvantages of both. - -### Allow stale reads - -Since Consul 0.7.1, `allow_stale` is enabled by default and uses a `max_stale` -value that defaults to a near-indefinite threshold (10 years). This allows DNS -queries to continue to be served in the event of a long outage with no leader. A -new telemetry counter has also been added at `consul.dns.stale_queries` to track -when agents serve DNS queries that are stale by more than 5 seconds. - - - -```hcl -dns_config { - allow_stale = true - max_stale = "87600h" -} -``` - -```json -{ - "dns_config": { - "allow_stale": true, - "max_stale": "87600h" - } -} -``` - - - - - - - The above example is the default setting. You do not need to set it explicitly. - - - -Doing a stale read allows any Consul server to service a query, but non-leader -nodes may return data that is out-of-date. By allowing data to be slightly -stale, you get horizontal read scalability. Now any Consul server can service -the request, so you increase throughput by the number of servers in a datacenter. - -### Prevent stale reads - -If you want to prevent stale reads or limit how stale they can be, you can set -`allow_stale` to false or use a lower value for `max_stale`. Doing the first -will ensure that all reads are serviced by a -[single leader node](/consul/docs/architecture/consensus). -The reads will then be strongly consistent but will be limited by the throughput -of a single node. - - - -```hcl -dns_config { - allow_stale = false -} -``` - -```json -{ - "dns_config": { - "allow_stale": false - } -} -``` - - - -## Negative response caching - -Although DNS clients cache negative responses, Consul returns a "not -found" style response when a service exists but there are no healthy -endpoints. When using DNS for service discovery, cached negative responses may -cause a service to appear down for longer than it is actually unavailable. - -### Configure SOA - -In Consul v1.3.0 and newer, it is now possible to tune SOA responses and modify -the negative TTL cache for some resolvers. It can be achieved using the -[`soa.min_ttl`](/consul/docs/agent/config/config-files#soa_min_ttl) -configuration within the [`soa`](/consul/docs/agent/config/config-files#soa) configuration. - - - -```hcl -dns_config { - soa { - min_ttl = 60 - } -} -``` - -```json -{ - "dns_config": { - "soa": { - "min_ttl": 60 - } - } -} -``` - - - -One common example is that Windows will default to caching negative responses -for 15 minutes. DNS forwarders may also cache negative responses, with the same -effect. To avoid this problem, check the negative response cache defaults for -your client operating system and any DNS forwarder on the path between the -client and Consul and set the cache values appropriately. In many cases -"appropriately" means turning negative response caching off to get the best -recovery time when a service becomes available again. diff --git a/website/content/docs/services/discovery/dns-configuration.mdx b/website/content/docs/services/discovery/dns-configuration.mdx deleted file mode 100644 index 5e78494ce72..00000000000 --- a/website/content/docs/services/discovery/dns-configuration.mdx +++ /dev/null @@ -1,71 +0,0 @@ ---- -layout: docs -page_title: Configure Consul DNS behavior -description: -> - Learn how to modify the default DNS behavior so that services and nodes can easily discover other services and nodes in your network. ---- - -# Configure Consul DNS behavior - -This topic describes the default behavior of the Consul DNS functionality and how to customize how Consul performs queries. - -## Introduction -The Consul DNS is the primary interface for querying records when Consul service mesh is disabled and your network runs in a non-Kubernetes environment. The DNS enables you to look up services and nodes registered with Consul using terminal commands instead of making HTTP API requests to Consul. Refer to the [Discover Consul Nodes and Services Overview](/consul/docs/services/discovery/dns-overview) for additional information. - -## Configure DNS behaviors -By default, the Consul DNS listens for queries at `127.0.0.1:8600` and uses the `consul` domain. Specify the following parameters in the agent configuration to determine DNS behavior when querying services: - -- [`client_addr`](/consul/docs/agent/config/config-files#client_addr) -- [`ports.dns`](/consul/docs/agent/config/config-files#dns_port) : Consul does not use port `53`, which is typically reserved for the default port for DNS resolvers, by default because it requires an escalated privilege to bind to. -- [`recursors`](/consul/docs/agent/config/config-files#recursors) -- [`domain`](/consul/docs/agent/config/config-files#domain) -- [`alt_domain`](/consul/docs/agent/config/config-files#alt_domain) -- [`dns_config`](/consul/docs/agent/config/config-files#dns_config) - -### Configure WAN address translation -By default, Consul DNS queries return a node's local address, even when being queried from a remote datacenter. You can configure the DNS to reach a node from outside its datacenter by specifying the address in the following configuration fields in the Consul agent: - -- [advertise-wan](/consul/docs/agent/config/cli-flags#_advertise-wan) -- [translate_wan_addrs](/consul/docs/agent/config/config-files#translate_wan_addrs) - -### Use a custom DNS resolver library -You can specify a list of addresses in the agent's [`recursors`](/consul/docs/agent/config/config-files#recursors) field to provide upstream DNS servers that recursively resolve queries that are outside the service domain for Consul. - -Nodes that query records outside the `consul.` domain resolve to an upstream DNS. You can specify IP addresses or use `go-sockaddr` templates. Consul resolves IP addresses in the specified order and ignores duplicates. - -We recommend that you configure DNS resolvers to point the `consul.` domain towards your Consul DNS servers. Misconfigurations may cause other DNS infrastructure to route queries for the `consul.` domain outside of your network instead, leaking DNS queries to root DNS servers. Refer to [Forward DNS for Consul Service Discovery](/consul/tutorials/networking/dns-forwarding) for instructions. - -### Enable non-Consul queries -You enable non-Consul queries to be resolved by setting Consul as the DNS server for a node and providing a [`recursors`](/consul/docs/agent/config/config-files#recursors) configuration. - -### Forward queries to an agent -You can forward all queries sent to the `consul.` domain from the existing DNS server to a Consul agent. Refer to [Forward DNS for Consul Service Discovery](/consul/tutorials/networking/dns-forwarding) for instructions. - -### Query an alternate domain -By default, Consul responds to DNS queries in the `consul` domain, but you can set a specific domain for responding to DNS queries by configuring the [`domain`](/consul/docs/agent/config/config-files#domain) parameter. - -You can also specify an additional domain in the [`alt_domain`](/consul/docs/agent/config/config-files#alt_domain) agent configuration option, which configures Consul to respond to queries in a secondary domain. Configuring an alternate domain may be useful during a DNS migration or to distinguish between internal and external queries, for example. - -Consul's DNS response uses the same domain as the query. - -In the following example, the `alt_domain` parameter in the agent configuration is set to `test-domain`, which enables operators to query the domain: - -```shell-session -$ dig @127.0.0.1 -p 8600 consul.service.test-domain SRV - -;; QUESTION SECTION: -;consul.service.test-domain. IN SRV - -;; ANSWER SECTION: -consul.service.test-domain. 0 IN SRV 1 1 8300 machine.node.dc1.test-domain. - -;; ADDITIONAL SECTION: -machine.node.dc1.test-domain. 0 IN A 127.0.0.1 -machine.node.dc1.test-domain. 0 IN TXT "consul-network-segment=" -``` -#### PTR queries -Responses to pointer record (PTR) queries, such as `.in-addr.arpa.`, always use the [primary domain](/consul/docs/agent/config/config-files#domain) and not the alternative domain. - -### Caching - -By default, DNS results served by Consul are not cached. Refer to [DNS caching](/consul/docs/services/discovery/dns-cache) for instructions on how to enable caching. diff --git a/website/content/docs/services/discovery/dns-forwarding/enable.mdx b/website/content/docs/services/discovery/dns-forwarding/enable.mdx deleted file mode 100644 index e7def0b4bc2..00000000000 --- a/website/content/docs/services/discovery/dns-forwarding/enable.mdx +++ /dev/null @@ -1,420 +0,0 @@ ---- -layout: docs -page_title: Enable DNS forwarding -description: -> - Learn how to configure different DNS servers to perform DNS forwarding to Consul servers. ---- - -# Enable DNS forwarding - -This page describes the process to enable DNS forwarding to Consul servers. - -You can apply these operations on every node where a Consul agent is running. - -## Requirements - -To enable DNS forwarding, your deployment must have the following: - -- A running Consul server instance -- One or more Consul client nodes with registered services in the Consul catalog -- The `iptables` command available, or one of the following local DNS servers: - - [systemd-resolved](#systemd-resolved) - - [BIND](#bind) - - [Dnsmasq](#dnsmasq) - - [Unbound](#unbound) - - [macOS system resolver](#macos) - -### Network address configuration - -The example configurations on this page assumes Consul's DNS server is listening on the loopback interface on the same node of the local DNS server. - -If Consul is not listening on the loopback IP, replace the references to `localhost` and `120.0.0.1` in the configuration and commands with the appropriate IP address for your environment. - -## systemd-resolved - -[`systemd-resolved`](https://www.freedesktop.org/software/systemd/man/latest/systemd-resolved.service.html) is a system service that provides network name resolution to local applications. It is the default local DNS server for many Linux distributions. - -To configure the `systemd-resolved` service so that it sends `.consul` domain queries to Consul, create a `consul.conf` file located in the `/etc/systemd/resolved.conf.d/` directory. - - - - -Add a `[Resolve]` section to your resolved configuration. - - - -```ini -[Resolve] -DNS=127.0.0.1 -DNSSEC=false -Domains=~consul -``` - - - -### Define port for Consul DNS server - -When using systemd 245 and older, you cannot specify port numbers in the `DNS` configuration field. systemd-resolved only uses port `53`, which is a privileged port. - -When you cannot specify ports for the system's configuration, there are two workarounds: - - [Configure Consul DNS service to listen on port `53`](/consul/docs/agent/config/config-files#dns_port) instead of `8600`. - - Map port `53` to `8600` using `iptables`. - -Binding to port `53` usually requires running Consul as a privileged user or running Linux with the `CAP_NET_BIND_SERVICE` capability. -When using the Consul Docker image, add the following to the environment to allow Consul to use the port: `CONSUL_ALLOW_PRIVILEGED_PORTS=yes`. - -To avoid running Consul as a privileged user, the following `iptables` commands are sufficient to map port `53` to `8600` and redirect DNS queries to Consul. - -```shell-session -# iptables --table nat --append OUTPUT --destination localhost --protocol udp --match udp --dport 53 --jump REDIRECT --to-ports 8600 && \ - iptables --table nat --append OUTPUT --destination localhost --protocol tcp --match tcp --dport 53 --jump REDIRECT --to-ports 8600 -``` - - - - - -Systemd 246 and newer allow you to specify the DNS port directly in the `systemd-resolved` configuration file. -Previous versions of systemd required iptables rules to direct DNS traffic to Consul. - -Add a `[Resolve]` section to your resolved configuration. - - - -```ini -[Resolve] -DNS=127.0.0.1:8600 -DNSSEC=false -Domains=~consul -``` - - - - - - -PTR record queries are still sent to the other configured resolvers, in addition to Consul. - -After creating the resolved configuration, restart `systemd-resolved`. - -```shell-session -# systemctl restart systemd-resolved -``` - -The command produces no output. - -### Validate the systemd-resolved configuration - -Validate that `systemd-resolved` is active. - -```shell-session -# systemctl is-active systemd-resolved -active -``` - -Verify that `systemd-resolved` is configured to forward queries for the `consul` domain to Consul. - -```shell-session -# resolvectl domain -Global: ~consul -Link 2 (eth0): -``` - -Verify that `systemd-resolved` is able to resolve the Consul server address. - -```shell-session -# resolvectl query consul.service.consul -consul.service.consul: 127.0.0.1 - --- Information acquired via protocol DNS in 6.6ms. --- Data is authenticated: no -``` - -Confirm that `/etc/resolv.conf` points to the `stub-resolv.conf` file managed by `systemd-resolved`. - -```shell-session -$ ls -l /etc/resolv.conf -lrwxrwxrwx 1 root root 37 Jul 14 10:10 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf -``` - -Confirm that the IP address for `systemd-resolved`'s stub resolver is the configured `nameserver`. - - - -```shell-session -$ cat /etc/resolv.conf -## This file is managed by man:systemd-resolved(8). Do not edit. -## -## This is a dynamic resolv.conf file for connecting local clients to the -## internal DNS stub resolver of systemd-resolved. This file lists all -## configured search domains. -## -## Run "resolvectl status" to see details about the uplink DNS servers -## currently in use. -## -## Third party programs must not access this file directly, but only through the -## symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way, -## replace this symlink by a static file or a different symlink. -## -## See man:systemd-resolved.service(8) for details about the supported modes of -## operation for /etc/resolv.conf. - -nameserver 127.0.0.53 -options edns0 -``` - - - -Ensure that the operating system can resolve DNS queries to the `.consul` domain. - -```shell-session -$ host consul.service.consul -consul.service.consul has address 127.0.0.1 -``` - -### Using any local resolver with systemd - -By default, the local resolver stub in the `resolved.conf` file is configured to listen for UDP and TCP requests at `127.0.0.53:53`. However, you can set the `DNSStubListener` option to `false` so that your system can use any DNS configuration, as long as it loads earlier than `resolved`. - - - -```plaintext -DNSStubListener=false -``` - - - -## Dnsmasq - -Use [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) if you have a small network and need a lightweight DNS solution. - - - -If your distribution uses systemd, disable `systemd-resolved` before you follow these steps. - - - -Configure the `dnsmasq.conf` file or a series of files in the `/etc/dnsmasq.d` directory. Add server settings to your configuration file so that requests for the `consul` domain are forwarded to Consul DNS. - - - -```plaintext -# Enable forward lookup of the 'consul' domain: -server=/consul/127.0.0.1#8600 - -# Uncomment and modify as appropriate to enable reverse DNS lookups for -# common netblocks found in RFC 1918, 5735, and 6598: -#rev-server=0.0.0.0/8,127.0.0.1#8600 -#rev-server=10.0.0.0/8,127.0.0.1#8600 -#rev-server=100.64.0.0/10,127.0.0.1#8600 -#rev-server=127.0.0.1/8,127.0.0.1#8600 -#rev-server=169.254.0.0/16,127.0.0.1#8600 -#rev-server=172.16.0.0/12,127.0.0.1#8600 -#rev-server=192.168.0.0/16,127.0.0.1#8600 -#rev-server=224.0.0.0/4,127.0.0.1#8600 -#rev-server=240.0.0.0/4,127.0.0.1#8600 -# Accept DNS queries only from hosts whose address is on a local subnet. -#local-service -# Don't poll /etc/resolv.conf for changes. -#no-poll -# Don't read /etc/resolv.conf. Get upstream servers only from the command -# line or the dnsmasq configuration file (see the "server" directive below). -#no-resolv -# Specify IP address(es) of other DNS servers for queries not handled -# directly by consul. There is normally one 'server' entry set for every -# 'nameserver' parameter found in '/etc/resolv.conf'. See dnsmasq(8)'s -# 'server' configuration option for details. -#server=1.2.3.4 -#server=208.67.222.222 -#server=8.8.8.8 -# Set the size of dnsmasq's cache. The default is 150 names. Setting the -# cache size to zero disables caching. -#cache-size=65536 -``` - - - -Restart the `dnsmasq` service after creating the configuration. - -Refer to [`dnsmasq(8)`](http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) for additional configuration settings such as specifying IP addresses for queries not handled directly by Consul. - - -## BIND - -[BIND](https://www.isc.org/bind/) is a robust DNS system. Its most prominent component, `named`, performs both of the main DNS server roles, acts as an authoritative name server for DNS zones, and is a recursive resolver in the network. - - - -If your distribution uses systemd, disable `systemd-resolved` before you follow these steps. - - - -To configure the BIND service to send `.consul` domain queries to Consul: - -1. Create a `named` configuration file with `DNSSEC` disabled. -1. Create a zone configuration file to manage the `.consul` domain. - -### Named configuration file - -Edit the `/etc/named.conf` to configure your BIND instance. Remember to disable `DNSSEC` so that Consul and BIND can communicate. Add an `include` section to include the zone file that you create in the next step. - -The following example shows a BIND configuration with `DNSSEC` disabled. - - - -```plaintext -options { - listen-on port 53 { 127.0.0.1; }; - listen-on-v6 port 53 { ::1; }; - directory "/var/named"; - dump-file "/var/named/data/cache_dump.db"; - statistics-file "/var/named/data/named_stats.txt"; - memstatistics-file "/var/named/data/named_mem_stats.txt"; - allow-query { localhost; }; - recursion yes; - - dnssec-enable no; - dnssec-validation no; - - /* Path to ISC DLV key */ - bindkeys-file "/etc/named.iscdlv.key"; - - managed-keys-directory "/var/named/dynamic"; -}; - -include "/etc/named/consul.conf"; -``` - - - -### Zone configuration file - -Set up a zone for your Consul-managed records in `consul.conf`. - - - -```dns-zone-file -zone "consul" IN { - type forward; - forward only; - forwarders { 127.0.0.1 port 8600; }; -}; -``` - - - -## Unbound - -Use [Unbound](https://www.unbound.net/) when you need a fast and lean DNS resolver for Linux and macOS. - - - -If your distribution uses systemd, disable `systemd-resolved` before you follow these steps. - - - - -The following example demonstrates a configuration for the `consul.conf` file in the `/etc/unbound/unbound.conf.d` directory. - -Add `server` and `stub-zone` settings to your Unbound configuration file. - - - -```plaintext -#Allow insecure queries to local resolvers -server: - do-not-query-localhost: no - domain-insecure: "consul" - -#Add consul as a stub-zone -stub-zone: - name: "consul" - stub-addr: 127.0.0.1@8600 -``` - - - -You may have to add the following line to the bottom of your `/etc/unbound/unbound.conf` file for the new configuration to be included. - - - -```plaintext -include: "/etc/unbound/unbound.conf.d/*.conf" -``` - - - -## iptables - -[iptables](https://www.netfilter.org/projects/iptables/index.html) is a generic firewalling software that allows you to define traffic rules for your system. - -If you do not have a local DNS server on the Consul agent node, use `iptables` to forward DNS requests on port `53` to the Consul agent running on the same machine without using a secondary service. - -This configuration realizes full DNS forwarding, which means that all DNS queries for the host are forwarded to Consul, not just the ones for the `.consul` top level domain. Consul's default configuration resolves only the `.consul` top level domain, so you must set the [`recursors`](/consul/docs/agent/config/config-files#recursors) flag if you want your node to be able to resolve other domains when using `iptables` configuration. - -If you use DNS relay hosts in your network, do not place them on the same host as Consul. The redirects may intercept the traffic. - -### Configure Consul recursors - -Add recursors to your Consul configuration. - - - -```hcl -# DNS recursors -recursors = [ "1.1.1.1" ] -``` - - - -Recursors should not include the `localhost` address because the `iptables` redirects would intercept the requests. - -You can replace the `1.1.1.1` address in the example with another DNS server address. This is suitable for situations where an external DNS -service is already running in your infrastructure and is used as the recursor. - -### Create iptables rules - -After you configure Consul to use a valid recursor, add rules to `iptables` to redirect traffic from port `53` to port `8600`. - -```shell-session -# iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 \ - iptables -t nat -A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 \ - iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 \ - iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 -``` - -## macOS - -On macOS systems, use the macOS system resolver to point all `.consul` requests to Consul. -The `man 5 resolver` command describes this feature in more detail. - -The following instructions require `sudo` or root access. - -To configure the macOS system resolver to forward DNS queries to Consul, add a resolver entry in the `/etc/resolver/` directory that points at the Consul agent. - -If you do not have this folder, create it. - -```shell-session -# mkdir -p /etc/resolver -``` - -Create a new file `/etc/resolver/consul` with `nameserver` and `port` entries. - - - -```plaintext -nameserver 127.0.0.1 -port 8600 -``` - - - -The configuration informs the macOS resolver daemon to forward all `.consul` TLD requests to `127.0.0.1` on port `8600`. - -## Next steps - -This instructions on this page helped you configure your node to forward DNS requests to Consul. - -To learn more on how to query Consul DNS once forwarding is enabled, refer to [DNS forwarding workflow](/consul/docs/services/discovery/dns-forwarding#workflow). - -For more information on other DNS features and configurations available in Consul, refer to [DNS usage overview](/consul/docs/services/discovery/dns-overview). diff --git a/website/content/docs/services/discovery/dns-forwarding/index.mdx b/website/content/docs/services/discovery/dns-forwarding/index.mdx deleted file mode 100644 index d47638bdfac..00000000000 --- a/website/content/docs/services/discovery/dns-forwarding/index.mdx +++ /dev/null @@ -1,187 +0,0 @@ ---- -layout: docs -page_title: DNS forwarding -description: -> - Learn how to configure your local DNS servers to perform DNS forwarding to Consul servers. ---- - -# DNS forwarding - -This topic describes the process to configure different DNS servers to enable DNS forwarding to Consul servers. - -You can apply these operations on every node where a Consul agent is running. - -## Introduction - -You deployed a Consul datacenter and want to use Consul DNS interface for name resolution. - -When configured with default values, Consul exposes the DNS interface on port `8600`. By default, DNS is served from port `53`. On most operating systems, this requires elevated privileges. It is also common, for most operating systems, to have a local DNS server already running on port `53`. - -Instead of running Consul with an administrative or root account, you can forward appropriate queries to Consul, running on an unprivileged port, from another DNS server or using port redirect. - -There are two configurations for a node's DNS forwarding behavior: - - - **Conditional DNS forwarding**: the local DNS servers are configured to forward to Consul only queries relative to the `.consul` zone. All other queries are still served via the default DNS server in the node. - - **Full DNS forwarding**: Consul serves all DNS queries and forwards to a remote DNS server the ones outside `.consul` domain. - -### Conditional DNS forwarding - -We recommend the conditional DNS forwarding approach. This configuration lowers the Consul agent's resource consumption by limiting the number of DNS requests it handles. - -![Consul DNS conditional forwarding - Only .consul requests are routed to Consul](/img/consul-dns-conditional-forwarding.png#light-theme-only) -![Consul DNS conditional forwarding - Only .consul requests are routed to Consul](/img/consul-dns-conditional-forwarding-dark.png#dark-theme-only) - -In this configuration, Consul only serves queries relative to the `.consul` domain. There is no unnecessary load on Consul servers to serve queries from different domains. - -This behavior is not enabled by default. - -### Full DNS forwarding - -This approach can be useful in scenarios where the Consul agent's node is allocated limited resources and you want to avoid the overhead of running a local DNS server. In this configuration, Consul serves all DNS queries for all domains and forwards the ones outside the `.consul` domain to one or more configured forwarder servers. - -![Consul DNS forwarding - All requests are routed to Consul](/img/consul-dns-forwarding.png#light-theme-only) -![Consul DNS forwarding - All requests are routed to Consul](/img/consul-dns-forwarding-dark.png#dark-theme-only) - -This behavior is not enabled by default. Consul standard configuration only resolves DNS records inside the `.consul` zone. To enable DNS forwarding, you need to set the [recursors](/consul/docs/agent/config/config-files#recursors) option in your Consul configuration. - -In this scenario, if a Consul DNS reply includes a `CNAME` record pointing outside the `.consul` top level domain, then the DNS reply only includes `CNAME` records by default. - -When `recursors` is set and the upstream resolver is functioning correctly, Consul tries to resolve CNAMEs and include any records (for example, A, AAAA, PTR) for them in its DNS reply. In these scenarios, Consul is used for full DNS forwarding and is able to serve queries for all domains. - -## Workflow - -To use DNS forwarding in Consul deployments, complete the following steps: - -1. Configure the local DNS service to enable DNS forwarding to Consul. Follow the instructions for one of the following services: - - - [systemd-resolved](/consul/docs/services/discovery/dns-forwarding/enable#systemd-resolved) - - [BIND](/consul/docs/services/discovery/dns-forwarding/enable#bind) - - [Dnsmasq](/consul/docs/services/discovery/dns-forwarding/enable#dnsmasq) - - [Unbound](/consul/docs/services/discovery/dns-forwarding/enable#unbound) - - [iptables](/consul/docs/services/discovery/dns-forwarding/enable#iptables) - - [macOS system resolver](/consul/docs/services/discovery/dns-forwarding/enable#macOS) - -1. Query the Consul DNS to confirm that DNS forwarding functions correctly. - - ```shell-session - $ dig consul.service.consul A - - ; <<>> DiG 9.16.48-Debian <<>> consul.service.consul A - ;; global options: +cmd - ;; Got answer: - ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51736 - ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 - - ;; OPT PSEUDOSECTION: - ; EDNS: version: 0, flags:; udp: 65494 - ;; QUESTION SECTION: - ;consul.service.consul. IN A - - ;; ANSWER SECTION: - consul.service.consul. 0 IN A 10.0.4.140 - consul.service.consul. 0 IN A 10.0.4.121 - consul.service.consul. 0 IN A 10.0.4.9 - - ;; Query time: 4 msec - ;; SERVER: 127.0.0.53#53(127.0.0.53) - ;; WHEN: Wed Jun 26 20:47:05 UTC 2024 - ;; MSG SIZE rcvd: 98 - - ``` - -1. Optionally, verify reverse DNS. - - ```shell-session - $ dig 140.4.0.10.in-addr.arpa. PTR - - ; <<>> DiG 9.16.48-Debian <<>> 140.4.0.10.in-addr.arpa. PTR - ;; global options: +cmd - ;; Got answer: - ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35085 - ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 - - ;; OPT PSEUDOSECTION: - ; EDNS: version: 0, flags:; udp: 65494 - ;; QUESTION SECTION: - ;140.4.0.10.in-addr.arpa. IN PTR - - ;; ANSWER SECTION: - 140.4.0.10.in-addr.arpa. 0 IN PTR consul-server-0.node.dc1.consul. - - ;; Query time: 0 msec - ;; SERVER: 127.0.0.53#53(127.0.0.53) - ;; WHEN: Wed Jun 26 20:47:57 UTC 2024 - ;; MSG SIZE rcvd: 97 - - ``` - - You can use the `short` option for `dig` to only get the node name instead of the full output. - - ```shell-session - $ dig +short -x 10.0.4.140 - consul-server-0.node.dc1.consul. - ``` - -## Troubleshooting - -If your DNS server does not respond but you do get an answer from Consul, turn on your DNS server's query log to check for errors. - -### systemd-resolved - -Enable query logging for `systemd-resolved`: - -```shell-session -# resolvectl log-level debug -``` - -Check query log: - -```shell-session -# journalctl -r -u systemd-resolved -``` - -Disable query logging: - -```shell-session -# resolvectl log-level info -``` - -DNS forwarding may fail if you use the default `systemd-resolved` configuration and attempt to bind to `0.0.0.0`. The default configuration uses a DNS stub that listens for UDP and TCP requests at `127.0.0.53`. As a result, attempting to bind to `127.0.0.53` conflicts with the running stub. You can disable the stub as described in the [Using any local resolver with systemd](/consul/docs/services/discovery/dns-forwarding/enable#using-any-local-resolver-with-systemd) section to troubleshoot this problem. - -### Dnsmasq - -To enable query log refer to [Dnsmasq documentation](https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html). - -In particular, look for the `log-queries` and `log-facility` configuration option. - -When query log is enabled, it is possible to force Dnsmasq to emit a full cache dump using the `SIGUSR1` signal. - -### BIND - -Enable query log: - -```shell-session -$ rndc querylog -``` - -Check logs: - -```shell-session -$ tail -f /var/log/messages -``` - -The log may show errors like this: - - - -```plaintext -error (no valid RRSIG) resolving -error (no valid DS) resolving -``` - - - -This error indicates that `DNSSEC` is not disabled properly. - -If you receive errors about network connections, verify that there are no firewall -or routing problems between the servers running BIND and Consul. diff --git a/website/content/docs/troubleshoot/common-errors.mdx b/website/content/docs/troubleshoot/common-errors.mdx deleted file mode 100644 index b2d41b6314f..00000000000 --- a/website/content/docs/troubleshoot/common-errors.mdx +++ /dev/null @@ -1,277 +0,0 @@ ---- -layout: docs -page_title: Common Error Messages - Troubleshoot -description: >- - Troubleshoot issues based on the error message. Common errors result from failed actions, timeouts, multiple entries, bad and expired certificates, invalid characters, syntax parsing, malformed responses, and exceeded deadlines. ---- - -# Common error messages - -This topic describes common messages that may appear when installing and running Consul. Errors usually they indicate an issue in your network or in your server's configuration. Refer to the [Troubleshooting Guide][troubleshooting] for help resolving error messages that do not appear on this page. - -For common errors messages related to Kubernetes, refer to [Common errors on Kubernetes](#common-errors-on-kubernetes). - -## Configuration file errors - -The following errors are related to misconfigured files. - -### Multiple network interfaces - -```text -Multiple private IPv4 addresses found. Please configure one with 'bind' and/or 'advertise'. -``` - -Your server has multiple active network interfaces. Consul needs to know which interface to use for local LAN communications. Add the [`bind`][bind] option to your configuration. - --> **Tip**: If your server does not have a static IP address, you can use a [go-sockaddr template][go-sockaddr] as the argument to the `bind` option, e.g. `"bind_addr": "{{GetInterfaceIP \"eth0\"}}"`. - -### Configuration syntax errors - -```text -Error parsing config.hcl: At 1:12: illegal char -``` - -```text -Error parsing config.hcl: At 1:32: key 'foo' expected start of object ('{') or assignment ('=') -``` - -```text -Error parsing server.json: invalid character '`' looking for beginning of value -``` - -There is a syntax error in your configuration file. If the error message doesn't identify the exact location in the file where the problem is, try using [jq] to find it, for example: - -```shell-session -$ consul agent -server -config-file server.json -==> Error parsing server.json: invalid character '`' looking for beginning of value -$ jq . server.json -parse error: Invalid numeric literal at line 3, column 29 -``` - -## Invalid host name - -```text -Node name "consul_client.internal" will not be discoverable via DNS due to invalid characters. -``` - -Add the [`node name`][node_name] option to your agent configuration and provide a valid DNS name. - -## I/O timeouts - -```text -Failed to join 10.0.0.99: dial tcp 10.0.0.99:8301: i/o timeout -``` - -```text -Failed to sync remote state: No cluster leader -``` - -If the Consul client and server are on the same LAN, then most likely, a firewall is blocking connections to the Consul server. - -If they are not on the same LAN, check the [`retry_join`][retry_join] settings in the Consul client configuration. The client should be configured to join a cluster inside its local network. - -## Deadline exceeded - -```text -Error getting server health from "XXX": context deadline exceeded -``` - -These error messages indicate a general performance problem on the Consul server. Make sure you are monitoring Consul telemetry and system metrics according to our [monitoring guide][monitoring]. Increase the CPU or memory allocation to the server if needed. Check the performance of the network between Consul nodes. - -## Too many open files - -```text -Error accepting TCP connection: accept tcp [::]:8301: too many open files in system -``` - -```text -Get http://localhost:8500/: dial tcp 127.0.0.1:31643: socket: too many open files -``` - -On a busy cluster, the operating system may not provide enough file descriptors to the Consul process. You will need to increase the limit for the Consul user, and maybe the system-wide limit as well. A good guide for Linux can be found [here][files]. - -Or, if you are starting Consul from `systemd`, you could add `LimitNOFILE=65536` to the unit file for Consul. You can see our example unit file [here][systemd]. - -## Snapshot close error - -Our RPC protocol requires support for a TCP half-close in order to signal the other side that they are done reading the stream, since we don't know the size in advance. This saves us from having to buffer just to calculate the size. - -If a host does not properly implement half-close you may see an error message `[ERR] consul: Failed to close snapshot: write tcp ->: write: broken pipe` when saving snapshots. This should not affect saving and restoring snapshots. - -This has been a [known issue](https://github.com/docker/libnetwork/issues/1204) in Docker, but may manifest in other environments as well. - -## ACL not found - -```text -RPC error making call: rpc error making call: ACL not found -``` - -This indicates that you have ACL enabled in your cluster, but you aren't passing a valid token. Make sure that when creating your tokens that they have the correct permissions set. In addition, you would want to make sure that an agent token is provided on each call. - -## TLS and certificates - -The follow errors are related to TLS and certificate issues. - -### Incorrect certificate or certificate name - -```text -Remote error: tls: bad certificate -``` - -```text -X509: certificate signed by unknown authority -``` - -Make sure that your Consul clients and servers are using the correct certificates, and that they've been signed by the same CA. The easiest way to do this is to follow [our guide][certificates]. - -If you generate your own certificates, make sure the server certificates include the special name `server.dc1.consul` in the Subject Alternative Name (SAN) field. (If you change the values of `datacenter` or `domain` in your configuration, update the SAN accordingly.) - -### HTTP instead of HTTPS - -```text -Error querying agent: malformed HTTP response -``` - -```text -Net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02" -``` - -You are attempting to connect to a Consul agent with HTTP on a port that has been configured for HTTPS. - -If you are using the Consul CLI, make sure you are specifying "https" in the `-http-addr` flag or the `CONSUL_HTTP_ADDR` environment variable. - -If you are interacting with the API, change the URI scheme to "https". - -## License warnings - -```text -License: expiration time: YYYY-MM-DD HH:MM:SS -0500 EST, time left: 29m0s -``` - -You have installed an Enterprise version of Consul. If you are an Enterprise customer, [provide a license key][license] to Consul before it shuts down. Otherwise, install the open-source Consul binary instead. - --> **Note:** Enterprise binaries can be identified on our [download site][releases] by the `+ent` suffix. - -## Rate limit reached on the server - -You may receive a `RESOURCE_EXHAUSTED` error from the Consul server if the maximum number of read or write requests per second have been reached. Refer to [Set a global limit on traffic rates](/consul/docs/agent/limits/set-global-traffic-rate-limits) for additional information. You can retry another server unless the number of retries is exhausted. If the number of retries is exhausted, you should implement an exponential backoff. - -The RESOURCE_EXHAUSTED RPC response is translated into a `429 Too Many Requests` error code on the HTTP interface. - -The server may respond as `UNAVAILABLE` if it is the leader node and the global write request rate limit is reached. The solution is to apply an exponential backoff until the leader has capacity to serve those requests. - -The `UNAVAILABLE` RPC response is translated into a `503 Service Unavailable` error code on the RPC requests sent through HTTP interface. - -## Common errors on Kubernetes - -The following error messages are specific to Kubernetes issues. - -### Unable to connect to the Consul client on the same host - -If the pods are unable to connect to a Consul client running on the same host, -first check if the Consul clients are up and running with `kubectl get pods`. - -```shell-session -$ kubectl get pods --selector="component=client" -NAME READY STATUS RESTARTS AGE -consul-kzws6 1/1 Running 0 58s -``` - -If you are still unable to connect -and see `i/o timeout` or `connection refused` errors when connecting to the Consul client on the Kubernetes worker, -this could be because the CNI (Container Networking Interface) -does not [support](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#support-hostport) -the use of `hostPort`. - -```text -Put http://10.0.0.10:8500/v1/catalog/register: dial tcp 10.0.0.10:8500: connect: connection refused -``` - -```text -Put http://10.0.0.10:8500/v1/agent/service/register: dial tcp 10.0.0.10:8500: connect: connection refused -``` - -```text -Get http://10.0.0.10:8500/v1/status/leader: dial tcp 10.0.0.10:8500: i/o timeout -``` - -The IP `10.0.0.10` above refers to the IP of the host where the Consul client pods are running. - -To work around this issue, -enable [`hostNetwork`](/consul/docs/k8s/helm#v-client-hostnetwork) in your Helm values. -Using the host network will enable the pod to use the host's network namespace without -the need for CNI to support port mappings between containers and the host. - -```yaml -client: - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -``` - --> **Note:** Using host network has security implications -as doing so gives the Consul client unnecessary access to all network traffic on the host. -We recommend raising an issue with the CNI you're using to add support for `hostPort` -and switching back to `hostPort` eventually. - -### consul-server-connection-manager: ACL auth method login failed: error="rpc error: code = PermissionDenied desc = Permission denied" - -If you see this error in the init container logs of service mesh pods, check that the pod has a service account name that matches its Service. -For example, this deployment: - -``` -apiVersion: v1 -kind: Service -metadata: - # This name will be the service name in Consul. - name: static-server -spec: - selector: - app: static-server - ports: - - protocol: TCP - port: 80 - targetPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: static-server -spec: - replicas: 1 - selector: - matchLabels: - app: static-server - template: - metadata: - name: static-server - labels: - app: static-server - annotations: - 'consul.hashicorp.com/connect-inject': 'true' - spec: - containers: - - name: static-server - image: hashicorp/http-echo:latest - args: - - -text="hello world" - - -listen=:8080 - ports: - - containerPort: 8080 - name: http - serviceAccountName: does-not-match -``` - -Will fail because the `serviceAccountName` is `does-not-match` instead of `static-server`. - -[troubleshooting]: /consul/tutorials/datacenter-operations/troubleshooting -[node_name]: /consul/docs/agent/config/config-files#node_name -[retry_join]: /consul/docs/agent/config/cli-flags#retry-join -[license]: /consul/commands/license -[releases]: https://releases.hashicorp.com/consul/ -[files]: https://easyengine.io/tutorials/linux/increase-open-files-limit -[certificates]: /consul/tutorials/security/tls-encryption-secure -[systemd]: /consul/tutorials/production-deploy/deployment-guide#configure-systemd -[monitoring]: /consul/tutorials/day-2-operations/monitor-datacenter-health -[bind]: /consul/docs/agent/config/cli-flags#_bind -[jq]: https://stedolan.github.io/jq/ -[go-sockaddr]: https://godoc.org/github.com/hashicorp/go-sockaddr/template diff --git a/website/content/docs/troubleshoot/faq.mdx b/website/content/docs/troubleshoot/faq.mdx deleted file mode 100644 index 5e733f1cd1a..00000000000 --- a/website/content/docs/troubleshoot/faq.mdx +++ /dev/null @@ -1,202 +0,0 @@ ---- -layout: docs -page_title: Common Error Messages | Troubleshoot -description: >- - Troubleshoot issues based on the error message. Common errors result from failed actions, timeouts, multiple entries, bad and expired certificates, invalid characters, syntax parsing, malformed responses, and exceeded deadlines. ---- - -# Frequently Asked Questions - -## Consul on Kubernetes - -### Q: Can I upgrade directly to a specific Helm chart version or should I upgrade one patch release at a time? - -It is safe to upgrade directly to a specific version. Be sure to read the release notes for all versions you're upgrading -through and look for any breaking changes. - -### Q: Can I upgrade in place or should I spin up a new Kubernetes cluster? - -It is always safer to spin up a new Kubernetes cluster but that is not an -option for most teams. Consul supports [upgrading in place](/consul/docs/k8s/upgrade). - -Non-production environments should be upgraded first. If upgrading -a Consul version, Consul data should be [backed up](/consul/tutorials/kubernetes-production/kubernetes-disaster-recovery). - -### Q: How can I run tcpdump on Consul servers? - -First, add the following to your `values.yaml` file so you can `kubectl exec` into -the Consul server containers as root: - -```yaml -server: - securityContext: - runAsNonRoot: false - runAsGroup: 0 - runAsUser: 0 - fsGroup: 0 -``` - -Run a `helm upgrade` (see [Upgrade Consul on Kubernetes](/consul/docs/k8s/upgrade) for full upgrade instructions). - -Now, `kubectl exec` into a server pod: - -```shell-session -$ kubectl exec -it consul-server-0 -- sh -``` - -Install `tcpdump`: - -```shell-session -$ apk add --no-cache tcpdump -$ which tcpdump -/usr/bin/tcpdump -``` - -## Generic Consul Questions - -### Q: What is Checkpoint? / Does Consul call home? - -Consul makes use of a HashiCorp service called [Checkpoint](http://checkpoint.hashicorp.com) -which is used to check for updates and critical security bulletins. -Only anonymous information, which cannot be used to identify the user or host, -is sent to Checkpoint. An anonymous ID is sent which helps de-duplicate warning -messages. -This anonymous ID can be disabled. In fact, using the Checkpoint service is -optional and can be disabled. - -See [`disable_anonymous_signature`](/consul/docs/agent/config/config-files#disable_anonymous_signature) -and [`disable_update_check`](/consul/docs/agent/config/config-files#disable_update_check). - -### Q: Does Consul rely on UDP Broadcast or Multicast? - -Consul uses the [Serf](https://github.com/hashicorp/serf/) gossip protocol which relies on -TCP and UDP unicast. Broadcast and Multicast are rarely available in a -multi-tenant or cloud network environment. For that reason, Consul and Serf -were both designed to avoid any dependence on those capabilities. - -### Q: Is Consul eventually or strongly consistent? - -Consul has two important subsystems, the service catalog and the gossip -protocol. -The service catalog stores all the nodes, service instances, health check data, -ACLs, and KV information. It is strongly consistent, and replicated -using the [consensus protocol](/consul/docs/architecture/consensus). - -The [gossip protocol](/consul/docs/architecture/gossip) is used to track which -nodes are part of the cluster and to detect a node or agent failure. This -information is eventually consistent by nature. When the servers detects a -change in membership, or receive a health update, they update the service -catalog appropriately. - -Because of this split, the answer to the question is subtle. Almost all client -APIs interact with the service catalog and are strongly consistent. Updates to -the catalog may come via the gossip protocol which is eventually consistent -meaning the current state of the catalog can lag behind until the state is -reconciled. - -### Q: Are _failed_ or _left_ nodes ever removed? - -To prevent an accumulation of dead nodes (nodes in either _failed_ or _left_ -states), Consul will automatically remove dead nodes out of the catalog. This -process is called _reaping_. This is currently done on a configurable -interval of 72 hours. Reaping is similar to leaving, causing all associated -services to be deregistered. Changing the reap interval for aesthetic -reasons to trim the number of _failed_ or _left_ nodes is not advised (nodes -in the _failed_ or _left_ state do not cause any additional burden on -Consul). - -### Q: Does Consul support delta updates for watchers or blocking queries? - -Consul does not currently support sending a delta or a change only response -to a watcher or a blocking query. The API simply allows for an edge-trigger -return with the full result. A client should keep the results of their last -read and compute the delta client side. - -By design, Consul offloads this to clients instead of attempting to support -the delta calculation. This avoids expensive state maintenance on the servers -as well as race conditions between data updates and watch registrations. - -### Q: What network ports does Consul use? - -The [Ports Used](/consul/docs/agent/config/config-files#ports) section of the Configuration -documentation lists all ports that Consul uses. - -### Q: Does Consul require certain user process resource limits? - -There should be only a small number of open file descriptors required for a -Consul client agent. The gossip layers perform transient connections with -other nodes, each connection to the client agent (such as for a blocking -query) will open a connection, and there will typically be connections to one -of the Consul servers. A small number of file descriptors are also required -for watch handlers, health checks, log files, and so on. - -For a Consul server agent, you should plan on the above requirements and -an additional incoming connection from each of the nodes in the cluster. This -should not be the common case, but in the worst case if there is a problem -with the other servers you would expect the other client agents to all -connect to a single server and so preparation for this possibility is helpful. - -The default ulimits are usually sufficient for Consul, but you should closely -scrutinize your own environment's specific needs and identify the root cause -of any excessive resource utilization before arbitrarily increasing the limits. - -### Q: What is the per-key value size limitation for Consul's key/value store? - -The default recommended limit on a key's value size is 512KB. This is strictly -enforced and an HTTP 413 status will be returned to any client that attempts to -store more than that limit in a value. The limit can be increased by using the -[`kv_max_value_size`](/consul/docs/agent/config/config-files#kv_max_value_size) configuration option. - -It should be noted that the Consul key/value store is not designed to be used as -a general purpose database. See -[Server Performance](/consul/docs/install/performance) for more details. - -### Q: What data is replicated between Consul datacenters? - -In general, data is not replicated between different Consul datacenters. When a -request is made for a resource in another datacenter, the local Consul servers -forward an RPC request to the remote Consul servers for that resource and -return the results. -If the remote datacenter is not available, then those resources will also not be -available from that datacenter. That will not affect the requests to the local -datacenter. There are some special situations where a limited subset of data -can be replicated, such as with Consul's built-in -[ACL replication](/consul/tutorials/security-operations/access-control-replication-multiple-datacenters) -capability, or external tools like -[consul-replicate](https://github.com/hashicorp/consul-replicate). - -### Q: Can Consul natively handle protecting against other processes accessing Consul's memory state? - -Consul does not provide built-in memory access protections, and doesn't -interact with the host system to change or manipulate -viewing and doesn't interact with the host system to change or manipulate -application security. - -We recommend taking any precautions or remediation steps that you would -normally do for individual processes, based on your operating system. - -Please see our -[Security Model](/consul/docs/security) for more information. - -### Q: Are the Consul Docker Images OCI Compliant? - -The official [Consul Docker image](https://hub.docker.com/_/consul/) uses -[Docker image schema](https://docs.docker.com/registry/spec/manifest-v2-2/) V2, -which is OCI Compliant. To check the docker images on Docker Hub, use the -command `docker manifest inspect consul` to inspect the manifest payload. The -`docker manifest inspect` may require you to enable experimental features to -use. - -### Q: What browsers are supported by the Consul UI? - -Consul currently supports all 'evergreen' browsers, as they are generally on -up-to-date versions. This means we support: - -- Chrome -- Firefox -- Safari -- Microsoft Edge - -We do not support Internet Explorer 11 (IE 11). Consul follows a similar -alignment with Microsoft's own stance on IE 11, found on their -[support website](https://support.microsoft.com/en-us/help/17454/lifecycle-faq-internet-explorer-and-edge). diff --git a/website/content/docs/connect/gateways/api-gateway/upgrades-k8s.mdx b/website/content/docs/upgrade/api-gateway.mdx similarity index 96% rename from website/content/docs/connect/gateways/api-gateway/upgrades-k8s.mdx rename to website/content/docs/upgrade/api-gateway.mdx index 5b514340268..d32f0f43e5a 100644 --- a/website/content/docs/connect/gateways/api-gateway/upgrades-k8s.mdx +++ b/website/content/docs/upgrade/api-gateway.mdx @@ -7,13 +7,13 @@ description: >- # Upgrade API gateway for Kubernetes -Since Consul v1.15, the Consul API gateway is a native feature within the Consul binary and is installed during the normal Consul installation process. Since Consul on Kubernetes v1.2 (Consul v1.16), the CRDs necessary for using the Consul API gateway for Kubernetes are also included. You can install Consul v1.16 using the Consul Helm chart v1.2 and later. Refer to [Install API gateway for Kubernetes](/consul/docs/connect/gateways/api-gateway/deploy/install-k8s) for additional information. +This topic describes how to upgrade to a version of Consul on Kubernetes that includes native API gateway functionality. ## Introduction -Because Consul API gateway releases as part of Consul, it no longer has an independent version number. Instead, the API gateway inherits the same version number as the Consul binary. Refer to the [release notes](/consul/docs/release-notes) for additional information. +Since Consul v1.15, the Consul API gateway is a native feature within the Consul binary and is installed during the normal Consul installation process. Since Consul on Kubernetes v1.2 (Consul v1.16), the CRDs necessary for using the Consul API gateway for Kubernetes are also included. Refer to the [release notes](/consul/docs/release-notes) for additional information. -To begin using the native API gateway, complete one of the following upgrade paths: +Because Consul API gateway releases as part of Consul, it no longer has an independent version number. Instead, the API gateway inherits the same version number as the Consul binary. You can install Consul v1.16 using the Consul Helm chart v1.2 and later. Refer to [Install API gateway for Kubernetes](/consul/docs/north-south/api-gateway/install) for additional information. ### Upgrade from Consul on Kubernetes v1.1.x @@ -65,9 +65,9 @@ If you are able to tolerate downtime for your applications, you should delete pr $ consul-k8s install -config-file values.yaml ``` -1. Create `ServiceIntentions` allowing `Gateways` to communicate with any backend services that they route to. Refer to [Service intentions configuration entry reference](/consul/docs/connect/config-entries/service-intentions) for additional information. +1. Create `ServiceIntentions` allowing `Gateways` to communicate with any backend services that they route to. Refer to [Service intentions configuration entry reference](/consul/docs/reference/config-entry/service-intention) for additional information. -1. Change any existing `Gateways` to reference the new `GatewayClass` `consul`. Refer to [gatewayClass](/consul/docs/connect/gateways/api-gateway/configuration/gateway#gatewayclassname) for additional information. +1. Change any existing `Gateways` to reference the new `GatewayClass` `consul`. Refer to [gatewayClass](/consul/docs/reference/k8s/api-gateway/gateway#gatewayclassname) for additional information. 1. After updating all of your `gateway` configurations to use the new controller, you can remove the `apiGateway` block from the Helm chart and upgrade your Consul cluster. This completely removes the old gateway controller. @@ -128,9 +128,9 @@ If you are unable to tolerate any downtime, you can complete the following steps $ consul-k8s install -config-file values.yaml ``` -1. Create `ServiceIntentions` allowing `Gateways` to communicate with any backend services that they route to. Refer to [Service intentions configuration entry reference](/consul/docs/connect/config-entries/service-intentions) for additional information. +1. Create `ServiceIntentions` allowing `Gateways` to communicate with any backend services that they route to. Refer to [Service intentions configuration entry reference](/consul/docs/reference/config-entry/service-intention) for additional information. -1. Change any existing `Gateways` to reference the new `GatewayClass` `consul`. Refer to [gatewayClass](/consul/docs/connect/gateways/api-gateway/configuration/gateway#gatewayclassname) for additional information. +1. Change any existing `Gateways` to reference the new `GatewayClass` `consul`. Refer to [gatewayClass](/consul/docs/reference/k8s/api-gateway/gateway#gatewayclassname) for additional information. 1. After updating all of your `gateway` configurations to use the new controller, you can remove the `apiGateway` block from the Helm chart and upgrade your Consul cluster. This completely removes the old gateway controller. diff --git a/website/content/docs/enterprise/upgrades.mdx b/website/content/docs/upgrade/automated.mdx similarity index 100% rename from website/content/docs/enterprise/upgrades.mdx rename to website/content/docs/upgrade/automated.mdx diff --git a/website/content/docs/upgrading/compatibility.mdx b/website/content/docs/upgrade/compatibility-promise.mdx similarity index 94% rename from website/content/docs/upgrading/compatibility.mdx rename to website/content/docs/upgrade/compatibility-promise.mdx index 60ed902dc72..466f8daf71c 100644 --- a/website/content/docs/upgrading/compatibility.mdx +++ b/website/content/docs/upgrade/compatibility-promise.mdx @@ -28,7 +28,7 @@ The ability for an agent to speak an earlier protocol is to ensure that any agen can be upgraded without cluster disruption. Consul agents can be updated one at a time, one version at a time. -For more details on the specifics of upgrading, see the [upgrading page](/consul/docs/upgrading). +For more details on the specifics of upgrading, see the [upgrading page](/consul/docs/upgrade). ## Protocol Compatibility Table @@ -40,4 +40,4 @@ For more details on the specifics of upgrading, see the [upgrading page](/consul | 0.6 | 1, 2, 3 | | >= 0.7 | 2, 3. Will automatically use protocol > 2 when speaking to compatible agents | --> **Note:** Raft Protocol is versioned separately, but maintains compatibility with at least one prior version. See [here](/consul/docs/upgrading/upgrade-specific#raft-protocol-version-compatibility) for details. +-> **Note:** Raft Protocol is versioned separately, but maintains compatibility with at least one prior version. See [here](/consul/docs/upgrade/version-specific#raft-protocol-version-compatibility) for details. diff --git a/website/content/docs/ecs/upgrade-to-dataplanes.mdx b/website/content/docs/upgrade/ecs/dataplane.mdx similarity index 95% rename from website/content/docs/ecs/upgrade-to-dataplanes.mdx rename to website/content/docs/upgrade/ecs/dataplane.mdx index c0a788dc666..577feb32501 100644 --- a/website/content/docs/ecs/upgrade-to-dataplanes.mdx +++ b/website/content/docs/upgrade/ecs/dataplane.mdx @@ -6,7 +6,7 @@ description: Learn how to upgrade your existing Consul service mesh on ECS workl # Upgrade to Consul dataplane architecture -This topic describes how to manually upgrade a live installation of Consul on ECS to the dataplane-based architecture with zero downtime. Since v0.7.0, Consul service mesh on ECS uses [Consul dataplanes](/consul/docs/connect/dataplane), which are lightweight processes for managing Envoy proxies in containerized networks. Refer to the [release notes](/consul/docs/release-notes/consul-ecs/v0_7_x) for additional information about the switch to Consul dataplanes. +This topic describes how to manually upgrade a live installation of Consul on ECS to the dataplane-based architecture with zero downtime. Since v0.7.0, Consul service mesh on ECS uses [Consul dataplanes](/consul/docs/connect/dataplane), which are lightweight processes for managing Envoy proxies in containerized networks. Refer to the [release notes](/consul/docs/release-notes/ecs/v0_7_x) for additional information about the switch to Consul dataplanes. ## Requirements diff --git a/website/content/docs/ecs/reference/compatibility.mdx b/website/content/docs/upgrade/ecs/index.mdx similarity index 84% rename from website/content/docs/ecs/reference/compatibility.mdx rename to website/content/docs/upgrade/ecs/index.mdx index cc99996866b..0baaf4c1d11 100644 --- a/website/content/docs/ecs/reference/compatibility.mdx +++ b/website/content/docs/upgrade/ecs/index.mdx @@ -11,9 +11,8 @@ For every release of Consul on ECS, the `consul-ecs` binary and `consul-ecs` Ter ## Supported Consul versions -| `consul` version | Compatible `consul-ecs` version | +| Consul Version | Compatible consul-ecs Version | |----------------------- | ----------------------------- | -| 1.18.x | 0.8.x | | 1.16.x 1.17.x | 0.7.x | | 1.15.x, 1.14.x, 1.13.x | 0.6.x | | 1.14.x, 1.13.x, 1.12.x | 0.5.2+ | @@ -23,4 +22,4 @@ For every release of Consul on ECS, the `consul-ecs` binary and `consul-ecs` Ter ## Supported Envoy versions -Refer to [Envoy - Supported Versions](/consul/docs/connect/proxies/envoy#supported-versions) for information about which versions of Envoy are supported for each version of Consul. As a best practice, we recommend using the default version of Envoy that is provided in the Terraform module. This is because we test the default versions with Consul ECS binaries for the given version. +Refer to [Envoy - Supported Versions](/consul/docs/reference/proxy/envoy#supported-versions) for information about which versions of Envoy are supported for each version of Consul. As a best practice, we recommend using the default version of Envoy that is provided in the Terraform module. This is because we test the default versions with Consul ECS binaries for the given version. diff --git a/website/content/docs/upgrade/index.mdx b/website/content/docs/upgrade/index.mdx new file mode 100644 index 00000000000..d6498819041 --- /dev/null +++ b/website/content/docs/upgrade/index.mdx @@ -0,0 +1,83 @@ +--- +layout: docs +page_title: Upgrade Consul +description: >- + Consul is meant to be a long-running agent on any nodes participating in a + Consul cluster. These nodes consistently communicate with each other. As such, + protocol level compatibility and ease of upgrades is an important thing to + keep in mind when using Consul. +--- + +# Upgrading Consul + +Consul is meant to be a long-running agent on any nodes participating in a Consul cluster. These nodes consistently communicate with each other. As such, protocol level compatibility and ease of upgrades is an important thing to keep in mind when using Consul. + +This page documents how to upgrade Consul when a new version is released. + +-> **Tip:** For Consul Enterprise, see the [Automated Upgrades documentation](/consul/docs/upgrade/automated). + +## Standard Upgrades + +For upgrades we strive to ensure backwards compatibility. To support this, nodes gossip their protocol version and builds. This enables clients and servers to intelligently enable new features when available, or to gracefully fallback to a backward compatible mode of operation otherwise. Visit the [General Upgrade Process](/consul/docs/upgrade/instructions/general) for a detailed upgrade guide. + +For most upgrades, the process is simple. Assuming the current version of Consul is A, and version B is released. + +1. Check the [version's upgrade notes](/consul/docs/upgrade/version-specific) to ensure there are no compatibility issues that will affect your workload. If there are plan accordingly before continuing. + +2. On each Consul server agent, install version B of Consul. + +3. One Consul server agent at a time, use a service management system (e.g., systemd, upstart, etc.) to restart the Consul service with version B. Wait until the server agent is healthy and has rejoined the cluster before moving on to the next server agent. + +4. Once all the server agents are upgraded, begin a rollout of client agents following the same process. + + -> **Upgrade Envoy proxies:** If a client agent has associated Envoy proxies (e.g., sidecars, gateways), install a [compatible Envoy version](/consul/docs/reference/proxy/envoy#supported-versions) for Consul version B. After stopping client agent version A, stop its associated Envoy proxies. After restarting the client agent with version B, restart its associated Envoy proxies with the compatible Envoy version. + +5. You are now running the latest Consul agent. You can verify this by running `consul members` to make sure all members have the latest build and highest protocol version. + +## Large Version Jumps + +Operating a Consul datacenter that is multiple major versions behind the current major version can increase the risk incurred during upgrades. We encourage our users to remain no more than two major versions behind (i.e., if 1.8.x is the current release, do not use versions older than 1.6.x). If you find yourself in a situation where you are many major versions behind, and need to upgrade, please review our [Upgrade Instructions page](/consul/docs/upgrade/instructions) for information on how to perform those upgrades. + +## Backward Incompatible Upgrades + +In some cases, a backwards incompatible update may be released. This has not been an issue yet, but to support upgrades we support setting an explicit protocol version. This disables incompatible features and enables a 2-phase upgrade. + +For the steps below, assume you're running version A of Consul, and then version B comes out. + +1. On each node, install version B of Consul. + +2. One server at a time, shut down version A via `consul leave` and start version B with the `-protocol=PREVIOUS` flag, where "PREVIOUS" is the protocol version of version A (which can be discovered by running `consul -v` or `consul members`). Wait until the server is healthy and has rejoined the cluster before moving on to the next server. + +3. Once all nodes are running version B, go through every node and restart the version B agent _without_ the `-protocol` flag, again wait for each server to rejoin the cluster before continuing. + +4. You're now running the latest Consul agent speaking the latest protocol. You can verify this is the case by running `consul members` to make sure all members are speaking the same, latest protocol version. + +The key to making this work is the [protocol compatibility](/consul/docs/upgrade/compatibility-promise) of Consul. The protocol version system is discussed below. + +## Protocol Versions + +By default, Consul agents speak the latest protocol they can. However, each new version of Consul is also able to speak the previous protocol, if there were any protocol changes. + +You can see what protocol versions your version of Consul understands by running `consul -v`. You'll see output similar to that below: + +```shell-session +$ consul -v +Consul v0.7.0 +Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents) +``` + +This says the version of Consul as well as the protocol versions this agent speaks and can understand. + +Sometimes Consul will default to speak a lower protocol version than it understands, in order to ease compatibility with older agents. For example, Consul agents that understand version 3 claim to speak version 2, and only send version 3 messages to agents that understand version 3. This allows features to upshift automatically as agents are upgraded, and is the strategy used whenever possible. If this is not possible, then you will need to do a backward incompatible upgrade using the instructions above, and such a requirement will be clearly outlined in the notes for a given release. + +By specifying the `-protocol` flag on `consul agent`, you can tell the Consul agent to speak any protocol version that it can understand. This only specifies the protocol version to _speak_. Every Consul agent can always understand the entire range of protocol versions it claims to on `consul -v`. + +~> **By running a previous protocol version**, some features of Consul, especially newer features, may not be available. If this is the case, Consul will typically warn you. In general, you should always upgrade your cluster so that you can run the latest protocol version. + +## Upgrading on Kubernetes + +See the dedicated [Upgrading Consul on Kubernetes](/consul/docs/upgrade/k8s) page. + +## Upgrading federated datacenters + +If you need to upgrade a federated environment with multiple datacenters you can refer to the [Upgrade Multiple Federated Consul Datacenters](/consul/tutorials/datacenter-operations/upgrade-federated-environment) tutorial. diff --git a/website/content/docs/upgrading/instructions/general-process.mdx b/website/content/docs/upgrade/instructions/general-process.mdx similarity index 99% rename from website/content/docs/upgrading/instructions/general-process.mdx rename to website/content/docs/upgrade/instructions/general-process.mdx index 6606c2d881d..a30975d1595 100644 --- a/website/content/docs/upgrading/instructions/general-process.mdx +++ b/website/content/docs/upgrade/instructions/general-process.mdx @@ -1,12 +1,12 @@ --- layout: docs -page_title: General Upgrade Process +page_title: General upgrade process description: >- Specific versions of Consul may have additional information about the upgrade process beyond the standard flow. --- -# General Upgrade Process +# General upgrade process This pages describes the overall process and best practices that you should follow when upgrading Consul. Some versions also have steps that are specific to that diff --git a/website/content/docs/upgrading/instructions/index.mdx b/website/content/docs/upgrade/instructions/index.mdx similarity index 95% rename from website/content/docs/upgrading/instructions/index.mdx rename to website/content/docs/upgrade/instructions/index.mdx index 05a9ee761f8..279761ae92e 100644 --- a/website/content/docs/upgrading/instructions/index.mdx +++ b/website/content/docs/upgrade/instructions/index.mdx @@ -1,6 +1,6 @@ --- layout: docs -page_title: Upgrade Instructions +page_title: Upgrade instructions description: >- Specific versions of Consul may have additional information about the upgrade process beyond the standard flow. @@ -8,7 +8,7 @@ description: >- # Upgrade instructions -This document is intended to help users who find themselves many versions behind to upgrade safely. +This page describes the process to update the version of Consul that runs in your datacenter. ## General upgrade path diff --git a/website/content/docs/upgrading/instructions/upgrade-to-1-10-x.mdx b/website/content/docs/upgrade/instructions/upgrade-to-1-10-x.mdx similarity index 98% rename from website/content/docs/upgrading/instructions/upgrade-to-1-10-x.mdx rename to website/content/docs/upgrade/instructions/upgrade-to-1-10-x.mdx index b7b749b0377..566eac5329d 100644 --- a/website/content/docs/upgrading/instructions/upgrade-to-1-10-x.mdx +++ b/website/content/docs/upgrade/instructions/upgrade-to-1-10-x.mdx @@ -1,12 +1,14 @@ --- layout: docs -page_title: Upgrading to Latest 1.10.x +page_title: Upgrade Consul to v1.10.x description: >- Specific versions of Consul may have additional information about the upgrade process beyond the standard flow. --- -# Upgrading to Latest 1.10.x +# Upgrade Consul to v1.10.x + +The page describes the process to update a Consul deployment to v1.10.x and maintain replication data. ## Introduction diff --git a/website/content/docs/upgrading/instructions/upgrade-to-1-2-x.mdx b/website/content/docs/upgrade/instructions/upgrade-to-1-2-x.mdx similarity index 96% rename from website/content/docs/upgrading/instructions/upgrade-to-1-2-x.mdx rename to website/content/docs/upgrade/instructions/upgrade-to-1-2-x.mdx index 93f2451f8d6..d775a6d8ba5 100644 --- a/website/content/docs/upgrading/instructions/upgrade-to-1-2-x.mdx +++ b/website/content/docs/upgrade/instructions/upgrade-to-1-2-x.mdx @@ -1,12 +1,14 @@ --- layout: docs -page_title: Upgrading to Latest 1.2.x +page_title: Upgrade Consul to v1.2.x description: >- Specific versions of Consul may have additional information about the upgrade process beyond the standard flow. --- -# Upgrading to Latest 1.2.x +# Upgrade Consul to v1.2.x + +The page describes the process to update a Consul deployment to v1.2.x and maintain replication data. ## Introduction diff --git a/website/content/docs/upgrading/instructions/upgrade-to-1-6-x.mdx b/website/content/docs/upgrade/instructions/upgrade-to-1-6-x.mdx similarity index 98% rename from website/content/docs/upgrading/instructions/upgrade-to-1-6-x.mdx rename to website/content/docs/upgrade/instructions/upgrade-to-1-6-x.mdx index d88560260eb..7d50b94f314 100644 --- a/website/content/docs/upgrading/instructions/upgrade-to-1-6-x.mdx +++ b/website/content/docs/upgrade/instructions/upgrade-to-1-6-x.mdx @@ -1,12 +1,14 @@ --- layout: docs -page_title: Upgrading to Latest 1.6.x +page_title: Upgrade Consul to v1.6.x description: >- Specific versions of Consul may have additional information about the upgrade process beyond the standard flow. --- -# Upgrading to Latest 1.6.x +# Upgrade Consul to v1.6.x + +The page describes the process to update a Consul deployment to v1.6.x and maintain replication data. ## Introduction diff --git a/website/content/docs/upgrading/instructions/upgrade-to-1-8-x.mdx b/website/content/docs/upgrade/instructions/upgrade-to-1-8-x.mdx similarity index 95% rename from website/content/docs/upgrading/instructions/upgrade-to-1-8-x.mdx rename to website/content/docs/upgrade/instructions/upgrade-to-1-8-x.mdx index 7df5626c42c..d565fc5ea8a 100644 --- a/website/content/docs/upgrading/instructions/upgrade-to-1-8-x.mdx +++ b/website/content/docs/upgrade/instructions/upgrade-to-1-8-x.mdx @@ -1,12 +1,14 @@ --- layout: docs -page_title: Upgrading to Latest 1.8.x +page_title: Upgrade Consul to v1.8.x description: >- Specific versions of Consul may have additional information about the upgrade process beyond the standard flow. --- -# Upgrading to Latest 1.8.x +# Upgrade Consul to v1.8.x + +The page describes the process to update a Consul deployment to v1.8.x and maintain replication data. ## Introduction diff --git a/website/content/docs/k8s/compatibility.mdx b/website/content/docs/upgrade/k8s/compatibility.mdx similarity index 56% rename from website/content/docs/k8s/compatibility.mdx rename to website/content/docs/upgrade/k8s/compatibility.mdx index a786ed513ad..04876daaefd 100644 --- a/website/content/docs/k8s/compatibility.mdx +++ b/website/content/docs/upgrade/k8s/compatibility.mdx @@ -11,50 +11,23 @@ For every release of Consul on Kubernetes, a Helm chart, `consul-k8s-control-pla ## Supported Consul and Kubernetes versions -Consul Kubernetes versions all of its components (`consul-k8s` CLI, `consul-k8s-control-plane`, and Helm chart) with a single semantic version. When installing or upgrading to a specific version, ensure that you are using the correct Consul version with the compatible Helm chart or `consul-k8s` CLI. +Consul Kubernetes versions all of its components (`consul-k8s` CLI, `consul-k8s-control-plane`, and Helm chart) with a single semantic version. When installing or upgrading to a specific versions, ensure that you are using the correct Consul version with the compatible Helm chart or `consul-k8s` CLI. -### Compatibility matrix - -The following sections describe the compatibility matrix for -Consul Kubernetes components and dependencies. -Some releases of Consul Enterprise receive -[Long Term Support (LTS)](/consul/docs/enterprise/long-term-support) -and have an [extended compatibility window](#enterprise-long-term-support-releases) -compared to non-LTS Enterprise and community edition releases. - -#### Standard releases - -Unless otherwise noted, rows in the following compatibility table -apply to both Consul Enterprise and Consul community edition (CE). - -| Consul version | Compatible `consul-k8s` versions | Compatible Kubernetes versions | Compatible OpenShift versions | -| -------------- | -------------------------------- | -------------------------------| ------------------------------| -| 1.20.x | 1.6.x | 1.28.x - 1.30.x | 4.13.x - 4.15.x | -| 1.19.x | 1.5.x | 1.27.x - 1.29.x | 4.13.x - 4.15.x | -| 1.18.x CE | 1.4.x | 1.26.x - 1.29.x | 4.13.x - 4.15.x | -| 1.17.x | 1.3.x | 1.25.x - 1.28.x | 4.12.x - 4.15.x | - -#### Enterprise Long Term Support releases - -Active Consul Enterprise -[Long Term Support (LTS)](/consul/docs/enterprise/long-term-support) -releases expand their Kubernetes version compatibility window -until the LTS release reaches its end of maintenance. - -| Consul version | Compatible `consul-k8s` versions | Compatible Kubernetes versions | Compatible OpenShift versions | -| -------------- | -------------------------------- | -------------------------------| ------------------------------| -| 1.18.x Ent | 1.4.x | 1.26.x - 1.29.x | 4.13.x - 4.15.x | -| 1.15.x Ent | 1.1.x | 1.23.x - 1.28.x | 4.10.x - 4.15.x | +| Consul version | Compatible `consul-k8s` versions | Compatible Kubernetes versions | Compatible OpenShift versions | +| -------------- | -------------------------------- | -------------------------------| -------------------------------------- | +| 1.17.x | 1.3.x | 1.25.x - 1.28.x | 4.12.x - 4.14.x (4.15.x not available) | +| 1.16.x | 1.2.x | 1.24.x - 1.27.x | 4.11.x - 4.14.x | +| 1.15.x | 1.1.x | 1.23.x - 1.26.x | 4.10.x - 4.13.x | ### Version-specific upgrade requirements -As of Consul v1.14.0, Kubernetes deployments use [Consul Dataplane](/consul/docs/connect/dataplane) instead of client agents. If you upgrade Consul from a version that uses client agents to a version that uses dataplanes, you must follow specific steps to update your Helm chart and remove client agents from the existing deployment. Refer to [Upgrading to Consul Dataplane](/consul/docs/k8s/upgrade#upgrading-to-consul-dataplane) for more information. +As of Consul v1.14.0, Kubernetes deployments use [Consul Dataplane](/consul/docs/connect/dataplane) instead of client agents. If you upgrade Consul from a version that uses client agents to a version that uses dataplanes, you must follow specific steps to update your Helm chart and remove client agents from the existing deployment. Refer to [Upgrading to Consul Dataplane](/consul/docs/upgrade/k8s#upgrading-to-consul-dataplane) for more information. -The v1.0.0 release of the Consul on Kubernetes Helm chart also introduced a change to the [`externalServers[].hosts` parameter](/consul/docs/k8s/helm#v-externalservers-hosts). Previously, you were able to enter a provider lookup as a string in this field. Now, you must include `exec=` at the start of a string containing a provider lookup. Otherwise, the string is treated as a DNS name. Refer to the [`go-netaddrs`](https://github.com/hashicorp/go-netaddrs) library and command line tool for more information. +The v1.0.0 release of the Consul on Kubernetes Helm chart also introduced a change to the [`externalServers[].hosts` parameter](/consul/docs/reference/k8s/helm#v-externalservers-hosts). Previously, you were able to enter a provider lookup as a string in this field. Now, you must include `exec=` at the start of a string containing a provider lookup. Otherwise, the string is treated as a DNS name. Refer to the [`go-netaddrs`](https://github.com/hashicorp/go-netaddrs) library and command line tool for more information. ## Supported Envoy versions -Supported versions of Envoy and `consul-dataplane` (for Consul K8s 1.0 and above) for Consul versions are also found in [Envoy - Supported Versions](/consul/docs/connect/proxies/envoy#supported-versions). Starting with `consul-k8s` 1.0, `consul-dataplane` will include a bundled version of Envoy. The recommended best practice is to use the default version of Envoy or `consul-dataplane` that is provided in the Helm `values.yaml` file, as that is the version that has been tested with the default Consul and Consul Kubernetes binaries for a given Helm chart. +Supported versions of Envoy and `consul-dataplane` (for Consul K8s 1.0 and above) for Consul versions are also found in [Envoy - Supported Versions](/consul/docs/reference/proxy/envoy#supported-versions). Starting with `consul-k8s` 1.0, `consul-dataplane` will include a bundled version of Envoy. The recommended best practice is to use the default version of Envoy or `consul-dataplane` that is provided in the Helm `values.yaml` file, as that is the version that has been tested with the default Consul and Consul Kubernetes binaries for a given Helm chart. ## Vault as a Secrets Backend compatibility @@ -68,7 +41,7 @@ Starting with Consul K8s 0.39.0 and Consul 1.11.x, Consul Kubernetes supports th ### Red Hat OpenShift -You can enable support for Red Hat OpenShift by setting `enabled: true` in the `global.openshift` stanza. Refer to the [Deploy Consul on RedHat OpenShift tutorial](https://developer.hashicorp.com/consul/tutorials/kubernetes/kubernetes-openshift-red-hat) for instructions on deploying to OpenShift. +You can enable support for Red Hat OpenShift by setting `enabled: true` in the `global.openshift` stanza. Refer to the [Deploy Consul on RedHat OpenShift tutorial](/consul/deploy/server/k8s/platform/openshift) for instructions on deploying to OpenShift. ### VMware Tanzu Kubernetes Grid and Tanzu Kubernetes Grid Integrated Edition diff --git a/website/content/docs/k8s/upgrade/upgrade-cli.mdx b/website/content/docs/upgrade/k8s/consul-k8s.mdx similarity index 95% rename from website/content/docs/k8s/upgrade/upgrade-cli.mdx rename to website/content/docs/upgrade/k8s/consul-k8s.mdx index 36b30e4a3ff..707019130d4 100644 --- a/website/content/docs/k8s/upgrade/upgrade-cli.mdx +++ b/website/content/docs/upgrade/k8s/consul-k8s.mdx @@ -11,7 +11,7 @@ Consul K8s CLI is a tool for quickly installing and interacting with Consul on K ## Upgrade the CLI -These instructions describe how to upgrade the current installed version of the CLI to the latest version. If you are looking to upgrade to a specific version, please follow [Install a specific version of the CLI](/consul/docs/k8s/installation/install-cli#install-a-specific-version-of-the-cli). +These instructions describe how to upgrade the current installed version of the CLI to the latest version. If you are looking to upgrade to a specific version, please follow [Install a specific version of the CLI](/consul/docs/reference-cli/consul-k8s#install-the-cli). diff --git a/website/content/docs/k8s/crds/upgrade-to-crds.mdx b/website/content/docs/upgrade/k8s/crds.mdx similarity index 97% rename from website/content/docs/k8s/crds/upgrade-to-crds.mdx rename to website/content/docs/upgrade/k8s/crds.mdx index 0c09102a33e..978bc352dab 100644 --- a/website/content/docs/k8s/crds/upgrade-to-crds.mdx +++ b/website/content/docs/upgrade/k8s/crds.mdx @@ -53,7 +53,7 @@ connectInject: Now you must use [custom resources](/consul/docs/k8s/crds) to manage the protocol for new and existing services: -1. To upgrade, first ensure you're running Consul >= 1.9.0. See [Consul Version Upgrade](/consul/docs/k8s/upgrade#consul-version-upgrade) +1. To upgrade, first ensure you're running Consul >= 1.9.0. See [Consul Version Upgrade](/consul/docs/upgrade/k8s#consul-version-upgrade) for more information on how to upgrade Consul versions. This version is required to support custom resources. @@ -61,7 +61,7 @@ new and existing services: 1. Next, modify your Helm values: 1. Remove the `defaultProtocol` config. This won't affect existing services. 1. Now you can upgrade your Helm chart to the latest version with the new Helm values. -1. From now on, any new service will require a [`ServiceDefaults`](/consul/docs/connect/config-entries/service-defaults) +1. From now on, any new service will require a [`ServiceDefaults`](/consul/docs/reference/config-entry/service-default) resource to set its protocol: ```yaml @@ -122,7 +122,7 @@ You will need to perform the following steps to upgrade: effect on your existing cluster because this config is only read when the cluster is **first created**. 1. You can then upgrade the Helm chart. -1. If you later wish to _change_ the mode or any other setting in [`proxy-defaults`](/consul/docs/connect/config-entries/proxy-defaults), you will need +1. If you later wish to _change_ the mode or any other setting in [`proxy-defaults`](/consul/docs/reference/config-entry/proxy-defaults), you will need to follow the [Migrating Config Entries](#migrating-config-entries) instructions to migrate your `proxy-defaults` config entry to a `ProxyDefaults` resource. @@ -151,7 +151,7 @@ spec: You will need to perform the following steps to upgrade: -1. Ensure you're running Consul >= 1.9.0. See [Consul Version Upgrade](/consul/docs/k8s/upgrade#consul-version-upgrade) +1. Ensure you're running Consul >= 1.9.0. See [Consul Version Upgrade](/consul/docs/upgrade/k8s#consul-version-upgrade) for more information on how to upgrade Consul versions. This version is required to support custom resources. @@ -160,7 +160,7 @@ You will need to perform the following steps to upgrade: effect on the deployments because the annotation was only used when the service was first created. 1. Now you can upgrade your Helm chart to the latest version. -1. From now on, any new service will require a [`ServiceDefaults`](/consul/docs/connect/config-entries/service-defaults) +1. From now on, any new service will require a [`ServiceDefaults`](/consul/docs/reference/config-entry/service-default) resource to set its protocol: ```yaml diff --git a/website/content/docs/k8s/upgrade/index.mdx b/website/content/docs/upgrade/k8s/index.mdx similarity index 66% rename from website/content/docs/k8s/upgrade/index.mdx rename to website/content/docs/upgrade/k8s/index.mdx index 690ed380f36..6816076b4e6 100644 --- a/website/content/docs/k8s/upgrade/index.mdx +++ b/website/content/docs/upgrade/k8s/index.mdx @@ -11,11 +11,9 @@ This topic describes considerations and strategies for upgrading Consul deployme ## Version-specific upgrade requirements -As of Consul v1.14.0 and the corresponding Helm chart version v1.0.0, Kubernetes deployments use [Consul Dataplane](/consul/docs/connect/dataplane) instead of client agents. If you upgrade Consul from a version that uses client agents to a version that uses dataplanes, you must follow specific steps to update your Helm chart and remove client agents from the existing deployment. Refer to [Upgrading to Consul Dataplane](/consul/docs/k8s/upgrade#upgrading-to-consul-dataplane) for more information. +As of Consul v1.14.0, Kubernetes deployments use [Consul Dataplane](/consul/docs/connect/dataplane) instead of client agents. If you upgrade Consul from a version that uses client agents to a version that uses dataplanes, you must follow specific steps to update your Helm chart and remove client agents from the existing deployment. Refer to [Upgrading to Consul Dataplane](/consul/docs/upgrade/k8s#upgrading-to-consul-dataplane) for more information. -The v1.0.0 release of the Consul on Kubernetes Helm chart also introduced a change to the [`externalServers[].hosts` parameter](/consul/docs/k8s/helm#v-externalservers-hosts). Previously, you were able to enter a provider lookup as a string in this field. Now, you must include `exec=` at the start of a string containing a provider lookup. Otherwise, the string is treated as a DNS name. Refer to the [`go-netaddrs`](https://github.com/hashicorp/go-netaddrs) library and command line tool for more information. - -If you configured your Consul agents to use [`ports.grpc_tls`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#grpc_tls_port) instead of [`ports.grpc`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#grpc_port) and you want to upgrade a multi-datacenter deployment with Consul servers running outside of the Kubernetes cluster to v1.0.0 or higher, set [`externalServers.tlsServerName`](/consul/docs/k8s/helm#v-externalservers-tlsservername) to `server..domain`. +The v1.0.0 release of the Consul on Kubernetes Helm chart also introduced a change to the [`externalServers[].hosts` parameter](/consul/docs/reference/k8s/helm#v-externalservers-hosts). Previously, you were able to enter a provider lookup as a string in this field. Now, you must include `exec=` at the start of a string containing a provider lookup. Otherwise, the string is treated as a DNS name. Refer to the [`go-netaddrs`](https://github.com/hashicorp/go-netaddrs) library and command line tool for more information. ## Upgrade types @@ -110,10 +108,10 @@ certain Helm chart version. If a new version of Consul is released, you need to perform a Helm upgrade to update to the new version. Before you upgrade to a new version: -1. Read the [Upgrading Consul](/consul/docs/upgrading) documentation. -1. Read any [specific instructions](/consul/docs/upgrading/upgrade-specific) for the version you want to upgrade +1. Read the [Upgrading Consul](/consul/docs/upgrade) documentation. +1. Read any [specific instructions](/consul/docs/upgrade/version-specific) for the version you want to upgrade to, as well as the Consul [changelog](https://github.com/hashicorp/consul/blob/main/CHANGELOG.md) for that version. -1. Read our [Compatibility Matrix](/consul/docs/k8s/compatibility) to ensure +1. Read our [Compatibility Matrix](/consul/docs/deploy/server/k8s/requirements) to ensure your current Helm chart version supports this Consul version. If it does not, you may need to also upgrade your Helm chart version at the same time. 1. Set `global.image` in your `values.yaml` to the desired version: @@ -147,10 +145,88 @@ Consul version you want to upgrade to. ~> Note: If you don't pass the `--version` flag when upgrading a Helm chart, Helm uses the most up-to-date version of the chart in its local cache, which may result in an unintended version upgrade. -## Consul server restarts and upgrades +## Determine scope of changes + +Before upgrading, it is important to understand the changes that affect your +cluster. For example, you need to take more care if your upgrade results +in the Consul server StatefulSet being redeployed. + +There is no built-in functionality in Helm that shows what a helm upgrade +changes. There is, however, a Helm plugin [helm-diff](https://github.com/databus23/helm-diff) +that can be used. + +1. Install `helm-diff` with: + + ```shell-session + $ helm plugin install https://github.com/databus23/helm-diff + ``` + +1. If you are updating your `values.yaml` file, do so now. +1. Take the same `helm upgrade` command you were planning to issue but perform `helm diff upgrade` instead of `helm upgrade`: + + ```shell-session + $ helm diff upgrade consul hashicorp/consul --namespace consul --version 0.40.0 --values /path/to/your/values.yaml + ``` + + This command prints out the manifests that will be updated and their diffs. + +1. To see only updated objects, add `| grep "has changed"`: + + ```shell-session + $ helm diff upgrade consul hashicorp/consul --namespace consul --version 0.40.0 --values /path/to/your/values.yaml | + grep "has changed" + ``` + +1. Take specific note if `consul-server, StatefulSet` is listed, as it means your Consul server statefulset will be redeployed. + + If your Consul server statefulset needs to be redeployed, follow the same pattern for upgrades as + on other platforms by redeploying servers one by one. Refer tp [Upgrading Consul](/consul/docs/upgrading) for more information. + + If neither the server statefulset is not being redeployed, + then you can continue with the Helm upgrade without any specific sequence to follow. + +## Upgrade Consul servers + +Initiate the server upgrade: + +1. Change the `global.image` value to the desired Consul version. +1. Set the `server.updatePartition` value to the number of server replicas. By default, there are 3 servers, so you would set this value to `3`. +1. Set the `updateStrategy` for clients to `OnDelete`. + + + + ```yaml + global: + image: 'consul:123.456' + server: + updatePartition: 3 + ``` + + + + The `updatePartition` value controls how many instances of the server + cluster are updated. Only instances with an index _greater than_ the + `updatePartition` value are updated (zero-indexed). Therefore, by setting + it equal to replicas, updates should not occur immediately. + +1. Next, perform the upgrade: + + ```shell-session + $ helm upgrade consul hashicorp/consul --namespace consul --version --values /path/to/your/values.yaml + ``` + + This command does not cause the servers to redeploy, although the resource is updated. If + everything is stable, decrease the `updatePartition` value by one + and performing `helm upgrade` again. This will cause the first Consul server + to be stopped and restarted with the new image. + +1. Wait until the Consul server cluster is healthy again (30s to a few minutes). + This can be confirmed by issuing `consul members` on one of the previous servers, + and ensuring that all servers are listed and are `alive`. -Note that for versions of Consul on Kubernetes prior to `1.4.0`, we recommended using the `server.updatePartition` setting to gradually upgrade -Consul servers. Refer to an older version of the documentation for instructions on upgrading to a version of the chart older than `v1.4.0`. Use the version drop-down at the top of this page to select a version older than or equal to `v1.17.0`. Consul documentation versions correspond to the Consul version in your chart, not the chart version, that contains the instructions. +1. Decrease `updatePartition` by one and upgrade again. Continue until + `updatePartition` is `0`. At this point, you may remove the + `updatePartition` configuration. Your server upgrade is complete. ## Upgrading to Consul Dataplane @@ -168,7 +244,7 @@ If you upgrade Consul from a version that uses client agents to a version the us prepareDataplanesUpgrade: true ``` -1. Consul dataplanes disables Consul clients by default, but during an upgrade you need to ensure Consul clients continue to run. Edit your Helm chart configuration and set the [`client.enabled`](/consul/docs/k8s/helm#v-client-enabled) field to `true` and specify an action for Consul to take during the upgrade process in the [`client.updateStrategy`](/consul/docs/k8s/helm#v-client-updatestrategy) field: +1. Consul dataplanes disables Consul clients by default, but during an upgrade you need to ensure Consul clients continue to run. Edit your Helm chart configuration and set the [`client.enabled`](/consul/docs/reference/k8s/helm#v-client-enabled) field to `true` and specify an action for Consul to take during the upgrade process in the [`client.updateStrategy`](/consul/docs/reference/k8s/helm#v-client-updatestrategy) field: ```yaml filename="values.yaml" client: @@ -196,4 +272,4 @@ If you upgrade Consul from a version that uses client agents to a version the us If you already have a Consul cluster deployed on Kubernetes and would like to turn on TLS for internal Consul communication, -refer to [Configuring TLS on an Existing Cluster](/consul/docs/k8s/operations/tls-on-existing-cluster). +refer to [Configuring TLS on an Existing Cluster](/consul/docs/secure-mesh/certificate/existing). diff --git a/website/content/docs/enterprise/long-term-support.mdx b/website/content/docs/upgrade/lts.mdx similarity index 98% rename from website/content/docs/enterprise/long-term-support.mdx rename to website/content/docs/upgrade/lts.mdx index ff73a4cc925..8bba497e729 100644 --- a/website/content/docs/enterprise/long-term-support.mdx +++ b/website/content/docs/upgrade/lts.mdx @@ -1,122 +1,122 @@ ---- -layout: docs -page_title: Long Term Support (LTS) -description: >- - Consul Enterprise offers a Long Term Support (LTS) release program. Learn about benefits and terms, including which versions receive extended support, for how long, and fix eligibility. ---- - -# Long Term Support (LTS) - - - This program requires Consul Enterprise. - - -Consul Enterprise offers annual Long Term Support (LTS) releases starting with version v1.15. LTS releases maintain longer fix eligibility and support larger upgrade jumps. - -This page describes the LTS program, its benefits for Enterprise users, and the support the program includes. - -## Overview - -Many Enterprise organizations want to minimize their operational risk by operating a maintained Consul version that is eligible for critical fixes and does not require frequent upgrades. - -Annual Consul Enterprise LTS releases enable organizations to receive critical fixes without upgrading their major version more than once per year. - -The following table lists the lifecycle for each existing LTS release, including expected end of maintenance (EOM). - -| LTS release | Release date | Estimated EOM date | -| ----------- | ------------- | --------------------------------- | -| v1.18 Ent | Feb 27, 2024 | Feb 28, 2026 (v1.24 Ent release) | -| v1.15 Ent | Feb 23, 2023 | Feb 28, 2025 (v1.21 Ent release) | - -## Release lifecycle - -Consul Enterprise LTS releases are maintained for longer than other Consul releases, -as described in the following sections. - -### Standard Term Support lifecycle - -All major releases of Consul Enterprise receive _Standard Term Support_ (STS) -for approximately one year, per HashiCorp's -[Support Period Policy](https://support.hashicorp.com/hc/en-us/articles/360021185113-Support-Period-and-End-of-Life-EOL-Policy). - -With STS, each major release branch is maintained until it is -three (3) releases from the latest major release. -For example, Consul v1.14.x is maintained until the release of Consul v1.17.0. - -### Long Term Support lifecycle - -Starting with Consul Enterprise v1.15, the first major release of the calendar year -receives _Long Term Support_ (LTS) for approximately 2 years. -The first major release of the calendar year typically occurs in late February. - -![Consul Enterprise Long Term Support lifecycle diagram](/img/long-term-support/consul-enterprise-long-term-support-lifecycle.png#light-theme-only) -![Consul Enterprise Long Term Support lifecycle diagram](/img/long-term-support/consul-enterprise-long-term-support-lifecycle-dark.png#dark-theme-only) - -An LTS release is maintained until it is six (6) releases from the latest major release. -For example, Consul Enterprise v1.15.x is maintained until the release of Consul Enterprise v1.21.0. - -During the LTS window, [eligible LTS fixes](#fix-eligibility) are provided through -a new minor release on the affected LTS release branch. - -## Annual upgrade to next LTS release - -We recommend upgrading your Consul LTS version once per year to the next LTS version -in order to receive the full benefit of LTS. This upgrade pattern ensures the -organization is always operating a maintained release with minimal upgrades. - -Only Consul Enterprise LTS versions support direct upgrades to the next 3 major versions, -enabling direct upgrades from one LTS release to the subsequent LTS release. -For example, Consul Enterprise v1.15.x supports upgrading directly to Consul Enterprise v1.18.x. - -Because Consul has 3 major version releases per year, -LTS enables you to catch up on a year's worth of Consul releases in a single upgrade. - -STS releases of Consul support direct upgrades to the next 2 major versions, -as described in the [standard upgrade instructions](/consul/docs/upgrading/instructions). -Without LTS, catching up on a year's worth of releases requires two upgrades. -For example, upgrading from Consul Enterprise v1.14.x to Consul Enterprise v1.17.x -requires an intermediate upgrade to v1.15.x or v1.16.x. - -## Fix eligibility - -Eligibility for an LTS fix is subject to the following criteria: -- A non-security bug must be a Severity 1 (Urgent) or Severity 2 (High) issue - as defined in [HashiCorp Support's Severity Definitions](https://support.hashicorp.com/hc/en-us/articles/115011286028). -- A security bug (CVE) is considered eligible in accordance with - HashiCorp's standard practices for security bugs on supported products. - Refer to the standard - [Support Period Policy](https://support.hashicorp.com/hc/en-us/articles/360021185113-Support-Period-and-End-of-Life-EOL-Policy) - for more information. -- The bug must be present in built artifacts intended for use in production - created from one of the following HashiCorp repositories: - - hashicorp/consul-enterprise - - hashicorp/consul-k8s - - hashicorp/consul-dataplane -- The bug must be applicable for at least one of the following - computer architecture and operating system combinations: - - linux_386 - - linux_amd64 - - linux_arm - - linux_arm64 - - windows_386 - - windows_amd64 - -Eligibility for a fix does not guarantee that a fix will be issued. -For example, some fixes may not be technically possible on a given release branch, -or they may present an undue burden or risk relative to the benefit of the fix. - -HashiCorp may, in its sole discretion, include fixes in a minor release -on an LTS release branch that do not meet the eligibility criteria above. - -## Version compatibility with dependencies - -Consul integrates with Envoy and Kubernetes releases that are maintained for less time -than Consul Enterprise LTS. - -HashiCorp will make a reasonable effort to keep each Consul Enterprise LTS release branch -compatible with a maintained release branch of Envoy and Kubernetes until the LTS release branch -approaches its end of maintenance. - -For more details on LTS version compatibility with dependencies, refer to the following topics: -- [Kubernetes version compatibility with Consul](/consul/docs/k8s/compatibility) -- [Envoy and Consul dataplane version compatibility with Consul](/consul/docs/connect/proxies/envoy) +--- +layout: docs +page_title: Long Term Support (LTS) +description: >- + Consul Enterprise offers a Long Term Support (LTS) release program. Learn about benefits and terms, including which versions receive extended support, for how long, and fix eligibility. +--- + +# Long Term Support (LTS) + + + This program requires Consul Enterprise. + + +Consul Enterprise offers annual Long Term Support (LTS) releases starting with version v1.15. LTS releases maintain longer fix eligibility and support larger upgrade jumps. + +This page describes the LTS program, its benefits for Enterprise users, and the support the program includes. + +## Overview + +Many Enterprise organizations want to minimize their operational risk by operating a maintained Consul version that is eligible for critical fixes and does not require frequent upgrades. + +Annual Consul Enterprise LTS releases enable organizations to receive critical fixes without upgrading their major version more than once per year. + +The following table lists the lifecycle for each existing LTS release, including expected end of maintenance (EOM). + +| LTS release | Release date | Estimated EOM date | +| ----------- | ------------- | --------------------------------- | +| v1.18 Ent | Feb 27, 2024 | Feb 28, 2026 (v1.24 Ent release) | +| v1.15 Ent | Feb 23, 2023 | Feb 28, 2025 (v1.21 Ent release) | + +## Release lifecycle + +Consul Enterprise LTS releases are maintained for longer than other Consul releases, +as described in the following sections. + +### Standard Term Support lifecycle + +All major releases of Consul Enterprise receive _Standard Term Support_ (STS) +for approximately one year, per HashiCorp's +[Support Period Policy](https://support.hashicorp.com/hc/en-us/articles/360021185113-Support-Period-and-End-of-Life-EOL-Policy). + +With STS, each major release branch is maintained until it is +three (3) releases from the latest major release. +For example, Consul v1.14.x is maintained until the release of Consul v1.17.0. + +### Long Term Support lifecycle + +Starting with Consul Enterprise v1.15, the first major release of the calendar year +receives _Long Term Support_ (LTS) for approximately 2 years. +The first major release of the calendar year typically occurs in late February. + +![Consul Enterprise Long Term Support lifecycle diagram](/img/long-term-support/consul-enterprise-long-term-support-lifecycle.png#light-theme-only) +![Consul Enterprise Long Term Support lifecycle diagram](/img/long-term-support/consul-enterprise-long-term-support-lifecycle-dark.png#dark-theme-only) + +An LTS release is maintained until it is six (6) releases from the latest major release. +For example, Consul Enterprise v1.15.x is maintained until the release of Consul Enterprise v1.21.0. + +During the LTS window, [eligible LTS fixes](#fix-eligibility) are provided through +a new minor release on the affected LTS release branch. + +## Annual upgrade to next LTS release + +We recommend upgrading your Consul LTS version once per year to the next LTS version +in order to receive the full benefit of LTS. This upgrade pattern ensures the +organization is always operating a maintained release with minimal upgrades. + +Only Consul Enterprise LTS versions support direct upgrades to the next 3 major versions, +enabling direct upgrades from one LTS release to the subsequent LTS release. +For example, Consul Enterprise v1.15.x supports upgrading directly to Consul Enterprise v1.18.x. + +Because Consul has 3 major version releases per year, +LTS enables you to catch up on a year's worth of Consul releases in a single upgrade. + +STS releases of Consul support direct upgrades to the next 2 major versions, +as described in the [standard upgrade instructions](/consul/docs/upgrading/instructions). +Without LTS, catching up on a year's worth of releases requires two upgrades. +For example, upgrading from Consul Enterprise v1.14.x to Consul Enterprise v1.17.x +requires an intermediate upgrade to v1.15.x or v1.16.x. + +## Fix eligibility + +Eligibility for an LTS fix is subject to the following criteria: +- A non-security bug must be a Severity 1 (Urgent) or Severity 2 (High) issue + as defined in [HashiCorp Support's Severity Definitions](https://support.hashicorp.com/hc/en-us/articles/115011286028). +- A security bug (CVE) is considered eligible in accordance with + HashiCorp's standard practices for security bugs on supported products. + Refer to the standard + [Support Period Policy](https://support.hashicorp.com/hc/en-us/articles/360021185113-Support-Period-and-End-of-Life-EOL-Policy) + for more information. +- The bug must be present in built artifacts intended for use in production + created from one of the following HashiCorp repositories: + - hashicorp/consul-enterprise + - hashicorp/consul-k8s + - hashicorp/consul-dataplane +- The bug must be applicable for at least one of the following + computer architecture and operating system combinations: + - linux_386 + - linux_amd64 + - linux_arm + - linux_arm64 + - windows_386 + - windows_amd64 + +Eligibility for a fix does not guarantee that a fix will be issued. +For example, some fixes may not be technically possible on a given release branch, +or they may present an undue burden or risk relative to the benefit of the fix. + +HashiCorp may, in its sole discretion, include fixes in a minor release +on an LTS release branch that do not meet the eligibility criteria above. + +## Version compatibility with dependencies + +Consul integrates with Envoy and Kubernetes releases that are maintained for less time +than Consul Enterprise LTS. + +HashiCorp will make a reasonable effort to keep each Consul Enterprise LTS release branch +compatible with a maintained release branch of Envoy and Kubernetes until the LTS release branch +approaches its end of maintenance. + +For more details on LTS version compatibility with dependencies, refer to the following topics: +- [Kubernetes version compatibility with Consul](/consul/docs/k8s/compatibility) +- [Envoy and Consul dataplane version compatibility with Consul](/consul/docs/connect/proxies/envoy) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrade/version-specific.mdx similarity index 77% rename from website/content/docs/upgrading/upgrade-specific.mdx rename to website/content/docs/upgrade/version-specific.mdx index 4ff5eb8c303..f098cab38e9 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrade/version-specific.mdx @@ -8,94 +8,44 @@ description: >- # Upgrading Specific Versions -The [upgrading page](/consul/docs/upgrading) covers the details of doing a +The [upgrading page](/consul/docs/upgrade) covers the details of doing a standard upgrade. However, specific versions of Consul may have more details provided for their upgrades as a result of new features or changed behavior. This page is used to document those details separately from the standard upgrade flow. -## Consul 1.20.x - -### Mesh traffic request path normalization enabled by default - -As of Consul v1.20.1, inbound traffic to mesh proxies will have Envoy request [path normalization](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) applied by default. This should not interfere with the majority of service traffic, but can be disabled if needed by setting `http.incoming.request_normalization.insecure_disable_path_normalization` to `true` in the [global `mesh` configuration entry](/consul/docs/connect/config-entries/mesh#request-normalization). This setting is generally safe to change if not using L7 intentions with path matching. - -## Consul v1.19.x - -### Health endpoint status filtering is now processed on the server side when using client agents -In previous versions of Consul, client agents responded to health queries by requesting all results from the Consul servers and then locally filtering out service nodes with a `critical` status. The client agent also processed the `?passing` parameter by filtering node results locally. This process was not resource efficient in large deployments because large numbers of services and health check results must propagate to many clients before Consul can return a healthy node. - -In this release, the Consul server is responsible for filtering services according to their health status before it sends the data to a client agent. When upgrading the version of Consul your deployment runs to this release, you must upgrade the Consul servers before you upgrade the client agents. We recommend this upgrade order to avoid a scenario where Consul returns results for an unhealthy service because the client agent no longer filters nodes but the servers do not yet understand the `?passing` query argument. - -### Metrics removal - -In previous versions, Consul emitted redundant state store usage metrics that contained two instances of `consul` in the metric name. As an example, config entry usage counts were emitted as both: - -- `consul.state.config_entries` -- `consul.consul.state.config_entries` - -As of Consul v1.19, Consul does not emit the redundant metric with the double `consul.consul` in its name. Any monitoring alerts and dashboards that you may have utilizing these metrics may require edits to update to the simplified metric name. - -### Legacy API Gateway Removal -The Consul Kubernetes Helm chart stanza -[`.apiGateway`](/consul/docs/v1.16.x/k8s/helm#apigateway-1) -is removed in Consul v1.19.0. If using that stanza, migrate to the -[`connectInject.apiGateway`](/consul/docs/k8s/helm#v-connectinject-apigateway) -stanza before upgrading to Consul v1.19 or later. - -The `.apiGateway` stanza is associated with the legacy API gateway that was -[deprecated in Consul v1.16.0](https://developer.hashicorp.com/consul/docs/release-notes/consul/v1_16_x#what-s-deprecated). -The Kubernetes-only legacy API gateway is superseded by the modern, multi-runtime -[API gateway](/consul/docs/connect/config-entries/api-gateway). -On Kubernetes, the modern API gateway is associated with the `connectInject.apiGateway` stanza. - -### Mesh traffic request path normalization enabled by default - -As of Consul v1.19.3, inbound traffic to mesh proxies will have Envoy request [path normalization](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) applied by default. This should not interfere with the majority of service traffic, but can be disabled if needed by setting `http.incoming.request_normalization.insecure_disable_path_normalization` to `true` in the [global `mesh` configuration entry](/consul/docs/connect/config-entries/mesh#request-normalization). This setting is generally safe to change if not using L7 intentions with path matching. - -## Consul 1.18.x - -### Mesh traffic request path normalization enabled by default - -As of Consul v1.18.5, inbound traffic to mesh proxies will have Envoy request [path normalization](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) applied by default. This should not interfere with the majority of service traffic, but can be disabled if needed by setting `http.incoming.request_normalization.insecure_disable_path_normalization` to `true` in the [global `mesh` configuration entry](/consul/docs/connect/config-entries/mesh#request-normalization). This setting is generally safe to change if not using L7 intentions with path matching. - ## Consul 1.17.x - -### Known issues - -Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)]. - #### Audit Log naming changes (Enterprise) Prior to Consul 1.17.0, audit logs contained timestamps on both the original log file names as well as rotated log file names. After Consul 1.17.0, only timestamps will be included in rotated log file names. #### Service-defaults upstream config (Enterprise) + Prior to Consul v1.17.0, [Kubernetes annotations for upstream services](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) -that did not explicitly specify a namespace or partition incorrectly used service-defaults configurations, such as [default protocol](https://developer.hashicorp.com/consul/docs/connect/config-entries/service-defaults#set-the-default-protocol), from the default partition and namespace instead of the local partition and namespace. +that did not explicitly specify a namespace or partition incorrectly used service-defaults configurations, such as [default protocol](/consul/docs/connect/config-entries/service-defaults#set-the-default-protocol), from the default partition and namespace instead of the local partition and namespace. This bug is fixed starting in Consul v1.17.0. Now service-defaults configurations from the local partition and namespace are fetched when not specified in annotations. If you are using non-default partitions and namespaces with Consul-k8s, we recommend explicitly defining these fields for all upstreams in addition to ensuring that accurate service-defaults are configured in each partition and namespace before upgrading. Doing so ensures that no unexpected protocol changes occur during the upgrade. #### ACL tokens with templated policies -[ACL templated policies](/consul/docs/security/acl#templated-policies) were added to 1.17.0 to simplify obtaining the right permissions for ACL tokens. When performing a [rolling upgrade](/consul/tutorials/datacenter-operations/upgrade-federated-environment#server-rolling-upgrade) and a version of Consul prior to 1.17.x is presented with a token created Consul v1.17.x or newer that contains templated policies, the templated policies field is not recognized. As a result, the token might not have the expected permissions on the older version of Consul. + +[ACL templated policies](/consul/docs/secure-consul/acl#templated-policies) were added to 1.17.0 to simplify obtaining the right permissions for ACL tokens. When performing a [rolling upgrade](/consul/tutorials/datacenter-operations/upgrade-federated-environment#server-rolling-upgrade) and a version of Consul prior to 1.17.x is presented with a token created Consul v1.17.x or newer that contains templated policies, the templated policies field is not recognized. As a result, the token might not have the expected permissions on the older version of Consul. ## Consul 1.16.x ### Known issues -Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)]. - Service mesh in Consul versions 1.16.0 and 1.16.1 may have issues when a snapshot restore is performed and the servers are hosting xDS streams. When this bug triggers, it causes Envoy to incorrectly populate upstream endpoints. To prevent this issue, service mesh users who run agent-less workloads should upgrade Consul to v1.16.2 or later. #### Vault Enterprise as CA ((#vault-enterprise-as-ca-1-16)) -Using Vault as CA with Consul version 1.16.2 will fail to initialize the CA if [`namespace`](/consul/docs/connect/ca/vault#namespace) is set -but [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) +Using Vault as CA with Consul version 1.16.2 will fail to initialize the CA if [`namespace`](/consul/docs/secure-mesh/certificate/vault#namespace) is set +but [`intermediate_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#rootpkinamespace) are empty. This is a bug which will be fixed in a future version. -To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) and -[`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/connect/ca/vault#namespace). +To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#intermediatepkinamespace) and +[`root_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/secure-mesh/certificate/vault#namespace). Set your configuration by calling [set-config](/consul/commands/connect/ca#set-config) then use [get-config](/consul/commands/connect/ca#get-config) to check. #### API health endpoints return different status code @@ -110,8 +60,8 @@ Before upgrading, ensure that all of your applications can handle this new API b #### Remove deprecated service-defaults peer upstream override behavior -When configuring a service defaults configuration entry, the [`UpstreamConfig.Overrides` configuration](/consul/docs/connect/config-entries/service-defaults#upstreamconfig-overrides) -does not apply to peer upstreams unless the [`Peer`](/consul/docs/connect/config-entries/service-defaults#upstreamconfig-overrides-peer) field is explicitly provided. +When configuring a service defaults configuration entry, the [`UpstreamConfig.Overrides` configuration](/consul/docs/reference/config-entry/service-default#upstreamconfig-overrides) +does not apply to peer upstreams unless the [`Peer`](/consul/docs/reference/config-entry/service-default#upstreamconfig-overrides-peer) field is explicitly provided. This change removes the backward-compatibility behavior introduced in Consul 1.15.x. Refer to the [upgrade instructions for 1.15.x](#service-defaults-overrides-for-upstream-peered-services) for more information. ## Consul 1.15.x @@ -123,18 +73,18 @@ If using [Vault Enterprise as CA](#vault-enterprise-as-ca-1-15), **avoid Consul Consul versions 1.15.0 - 1.15.1 contain a race condition that can cause some service instances to lose their ability to communicate in the mesh after -[72 hours (LeafCertTTL)](/consul/docs/connect/ca/consul#leafcertttl) +[72 hours (LeafCertTTL)](/consul/docs/secure-mesh/certificate/built-in#leafcertttl) due to a problem with leaf certificate rotation. This bug is fixed in Consul versions 1.15.2 and newer. #### Vault Enterprise as CA ((#vault-enterprise-as-ca-1-15)) -Using Vault as CA with Consul version 1.15.6 will fail to initialize the CA if [`namespace`](/consul/docs/connect/ca/vault#namespace) is set -but [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) +Using Vault as CA with Consul version 1.15.6 will fail to initialize the CA if [`namespace`](/consul/docs/secure-mesh/certificate/vault#namespace) is set +but [`intermediate_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#rootpkinamespace) are empty. This is a bug which will be fixed in a future version. -To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) and -[`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/connect/ca/vault#namespace). +To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#intermediatepkinamespace) and +[`root_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/secure-mesh/certificate/vault#namespace). Set your configuration by calling [set-config](/consul/commands/connect/ca#set-config) then use [get-config](/consul/commands/connect/ca#get-config) to check. #### Removing configuration options @@ -210,8 +160,8 @@ In Consul v1.15 and higher: #### `service-defaults` Overrides for Upstream Peered Services -In Consul 1.14.x, `service-defaults` upstream [`overrides`](/consul/docs/connect/config-entries/service-defaults#overrides) apply to both local and peered services as long as the `name` field matches. -Consul 1.15.0 is backward compatible with 1.14 if the [`peer`](/consul/docs/connect/config-entries/service-defaults#peer) is not set in any override. +In Consul 1.14.x, `service-defaults` upstream [`overrides`](/consul/docs/reference/config-entry/service-default#overrides) apply to both local and peered services as long as the `name` field matches. +Consul 1.15.0 is backward compatible with 1.14 if the [`peer`](/consul/docs/reference/config-entry/service-default#peer) is not set in any override. We recommend converting any upstream peer service overrides as a 1.15.x post-upgrade step. Before Consul v1.15: @@ -256,21 +206,17 @@ In Consul v1.15 and higher: -### Mesh traffic request path normalization enabled by default - -As of Consul v1.15.15, inbound traffic to mesh proxies will have Envoy request [path normalization](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) applied by default. This should not interfere with the majority of service traffic, but can be disabled if needed by setting `http.incoming.request_normalization.insecure_disable_path_normalization` to `true` in the [global `mesh` configuration entry](/consul/docs/connect/config-entries/mesh#request-normalization). This setting is generally safe to change if not using L7 intentions with path matching. - ## Consul 1.14.x ### Service Mesh Compatibility Prior to Consul 1.14, cluster peering and Consul service mesh were disabled by default. A breaking change was made in Consul 1.14 that: -- [Cluster Peering is enabled by default.](/consul/docs/connect/cluster-peering) +- [Cluster Peering is enabled by default.](/consul/docs/east-west/cluster-peering) Cluster peering and WAN federation can coexist, so there is no need to disable cluster peering to upgrade existing WAN federated datacenters. - To disable cluster peering nonetheless, set [`peering.enabled`](/consul/docs/agent/config/config-files#peering_enabled) to `false`. + To disable cluster peering nonetheless, set [`peering.enabled`](/consul/docs/reference/agent#peering_enabled) to `false`. - [Consul service mesh is enabled by default.](/consul/docs/connect) - To disable, set [`connect.enabled`](/consul/docs/agent/config/config-files#connect_enabled) to `false`. + To disable, set [`connect.enabled`](/consul/docs/reference/agent#connect_enabled) to `false`. The changes to Consul service mesh in version 1.14 are incompatible with Nomad 1.4.3 and earlier. If you operate Consul service mesh using Nomad 1.4.3 or earlier, do not upgrade to @@ -283,33 +229,33 @@ Users should not upgrade to 1.14.0 if they are using plaintext gRPC connections conjunction with TLS-encrypted HTTP APIs. #### Vault Enterprise as CA ((#vault-enterprise-as-ca-1-14)) -Using Vault as CA with Consul version 1.14.10 will fail to initialize the CA if [`namespace`](/consul/docs/connect/ca/vault#namespace) is set -but [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) +Using Vault as CA with Consul version 1.14.10 will fail to initialize the CA if [`namespace`](/consul/docs/secure-mesh/certificate/vault#namespace) is set +but [`intermediate_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#rootpkinamespace) are empty. This is a bug which will be fixed in a future version. -To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) and -[`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/connect/ca/vault#namespace). +To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#intermediatepkinamespace) and +[`root_pki_namespace`](/consul/docs/secure-mesh/certificate/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/secure-mesh/certificate/vault#namespace). Set your configuration by calling [set-config](/consul/commands/connect/ca#set-config) then use [get-config](/consul/commands/connect/ca#get-config) to check. #### Changes to gRPC TLS configuration -**Make configuration changes** if using [`ports.grpc`](/consul/docs/agent/config/config-files#grpc_port) in conjunction with any of the following settings that enables encryption: -1. [`tls.grpc`](/consul/docs/agent/config/config-files#tls_grpc) -1. [`tls.defaults`](/consul/docs/agent/config/config-files#tls_defaults) -1. [`auto_encrypt`](/consul/docs/agent/config/config-files#auto_encrypt) -1. [`auto_config`](/consul/docs/agent/config/config-files#auto_config) +**Make configuration changes** if using [`ports.grpc`](/consul/docs/reference/agent#grpc_port) in conjunction with any of the following settings that enables encryption: +1. [`tls.grpc`](/consul/docs/reference/agent#tls_grpc) +1. [`tls.defaults`](/consul/docs/reference/agent#tls_defaults) +1. [`auto_encrypt`](/consul/docs/reference/agent#auto_encrypt) +1. [`auto_config`](/consul/docs/reference/agent#auto_config) Prior to Consul 1.14, it was possible to encrypt communication between Consul and Envoy over `ports.grpc` using these settings. -Consul 1.14 introduces [`ports.grpc_tls`](/consul/docs/agent/config/config-files#grpc_tls_port), a new configuration -for encrypting communication over gRPC. The existing [`ports.grpc`](/consul/docs/agent/config/config-files#grpc_port) configuration **no longer supports encryption**. As of version 1.14, -[`ports.grpc_tls`](/consul/docs/agent/config/config-files#grpc_tls_port) is the only port that serves encrypted gRPC traffic. +Consul 1.14 introduces [`ports.grpc_tls`](/consul/docs/reference/agent#grpc_tls_port), a new configuration +for encrypting communication over gRPC. The existing [`ports.grpc`](/consul/docs/reference/agent#grpc_port) configuration **no longer supports encryption**. As of version 1.14, +[`ports.grpc_tls`](/consul/docs/reference/agent#grpc_tls_port) is the only port that serves encrypted gRPC traffic. The default value for the gRPC TLS port is 8503 for Consul servers. To disable the gRPC TLS port, use value -1. If you already use gRPC encryption, change the following fields to ensure compatibility: -+ Change `ports.grpc` to `ports.grpc_tls`. Refer to the [`grpc_tls_port` documentation](/consul/docs/agent/config/config-files#grpc_tls_port) for details. -+ Change `addresses.grpc` to `addresses.grpc_tls`. Refer to the [`grpc_tls` documentation](/consul/docs/agent/config/config-files#grpc_tls) for details. ++ Change `ports.grpc` to `ports.grpc_tls`. Refer to the [`grpc_tls_port` documentation](/consul/docs/reference/agent#grpc_tls_port) for details. ++ Change `addresses.grpc` to `addresses.grpc_tls`. Refer to the [`grpc_tls` documentation](/consul/docs/reference/agent#grpc_tls) for details. + Update `consul connect envoy` command invocations to specify gRPC CA certificates with one of the new configuration options: [`-grpc-ca-file`](/consul/commands/connect/envoy#grpc-ca-file) or [`-grpc-ca-path`](/consul/commands/connect/envoy#grpc-ca-path) @@ -317,10 +263,10 @@ If you already use gRPC encryption, change the following fields to ensure compat #### Changes to peering -[Cluster peering](/consul/docs/connect/cluster-peering) was released in Consul 1.13 as an experimental feature. +[Cluster peering](/consul/docs/east-west/cluster-peering) was released in Consul 1.13 as an experimental feature. In Consul 1.14, cluster peering has been improved and is now considered stable. All experimental peering connections created by 1.13 should be -[deleted](/consul/docs/connect/cluster-peering/usage/manage-connections#delete-peering-connections) +[deleted](/consul/docs/east-west/cluster-peering/manage-connection/vm#delete-peering-connections) prior to upgrading, as they will no longer be compatible with 1.14. ## Consul 1.13.x @@ -349,8 +295,8 @@ This bug is fixed in Consul versions 1.13.1 and newer. #### Service mesh deployments using auto-encrypt or auto-config Upgrade to **Consul version 1.13.2 or later** if using -[auto-encrypt](/consul/docs/agent/config/config-files#auto_encrypt) or -[auto-config](/consul/docs/agent/config/config-files#auto_config). +[auto-encrypt](/consul/docs/reference/agent#auto_encrypt) or +[auto-config](/consul/docs/reference/agent#auto_config). In Consul 1.13.0 - 1.13.1, auto-encrypt and auto-config both cause Consul to require TLS for gRPC communication with Envoy proxies. @@ -359,7 +305,7 @@ to use TLS for gRPC, upgrading to Consul 1.13.0 - 1.13.1 will cause Envoy proxies to disconnect from the control plane (Consul agents). If upgrading to version 1.13.2 or later, you must enable -[tls.grpc.use_auto_cert](/consul/docs/agent/config/config-files#use_auto_cert) +[tls.grpc.use_auto_cert](/consul/docs/reference/agent#use_auto_cert) if you currently rely on Consul agents presenting the auto-encrypt or auto-config certs as the TLS server certs on the gRPC port. The new `use_auto_cert` flag enables TLS for gRPC based on the presence @@ -368,7 +314,7 @@ of auto-encrypt certs. #### Service mesh deployments without the HTTPS port enabled on Consul agents ((#grpc-tls)) If the HTTPS port is not enabled -([`ports { https = POSITIVE_INTEGER }`](/consul/docs/agent/config/config-files#https_port)) +([`ports { https = POSITIVE_INTEGER }`](/consul/docs/reference/agent#https_port)) on a pre-1.13 Consul agent, **[modify the agent's TLS configuration before upgrading](#modify-the-consul-agent-s-tls-configuration)** to avoid Envoy proxies disconnecting from the control plane (Consul agents). @@ -384,7 +330,7 @@ Envoy proxies when using Consul service mesh. A Consul agent's gRPC traffic is often loopback-only, which TLS encryption is not important for. -Prior to Consul 1.13, if [`ports { https = POSITIVE_INTEGER }`](/consul/docs/agent/config/config-files#https_port) +Prior to Consul 1.13, if [`ports { https = POSITIVE_INTEGER }`](/consul/docs/reference/agent#https_port) was configured, TLS was enabled for both HTTP *and* gRPC. This was inconvenient for deployments that needed TLS for HTTP, but not for gRPC. @@ -394,15 +340,15 @@ with its Consul agent via TLS over gRPC. Consul 1.13 addresses this inconvenience by fully decoupling the TLS configuration for HTTP and gRPC interfaces. TLS for gRPC is no longer enabled by setting -[`ports { https = POSITIVE_INTEGER }`](/consul/docs/agent/config/config-files#https_port). +[`ports { https = POSITIVE_INTEGER }`](/consul/docs/reference/agent#https_port). TLS configuration for gRPC is now determined exclusively by: -1. [`tls.grpc`](/consul/docs/agent/config/config-files#tls_grpc), which overrides -1. [`tls.defaults`](/consul/docs/agent/config/config-files#tls_defaults), which overrides -1. [Deprecated TLS options](/consul/docs/agent/config/config-files#tls_deprecated_options) such as - [`ca_file`](/consul/docs/agent/config/config-files#ca_file-4), - [`cert_file`](/consul/docs/agent/config/config-files#cert_file-4), and - [`key_file`](/consul/docs/agent/config/config-files#key_file-4). +1. [`tls.grpc`](/consul/docs/reference/agent#tls_grpc), which overrides +1. [`tls.defaults`](/consul/docs/reference/agent#tls_defaults), which overrides +1. [Deprecated TLS options](/consul/docs/reference/agent#tls_deprecated_options) such as + [`ca_file`](/consul/docs/reference/agent#ca_file-4), + [`cert_file`](/consul/docs/reference/agent#cert_file-4), and + [`key_file`](/consul/docs/reference/agent#key_file-4). This decoupling has a side effect that requires a [TLS configuration change](#modify-the-consul-agent-s-tls-configuration) @@ -414,37 +360,37 @@ that continue to use gRPC *without* TLS. ##### Modify the Consul agent's TLS configuration -If [`tls.grpc`](/consul/docs/agent/config/config-files#tls_grpc), -[`tls.defaults`](/consul/docs/agent/config/config-files#tls_defaults), -or the [deprecated TLS options](/consul/docs/agent/config/config-files#tls_deprecated_options) +If [`tls.grpc`](/consul/docs/reference/agent#tls_grpc), +[`tls.defaults`](/consul/docs/reference/agent#tls_defaults), +or the [deprecated TLS options](/consul/docs/reference/agent#tls_deprecated_options) define TLS material in their `ca_file`, `ca_path`, `cert_file`, or `key_file` fields, TLS for gRPC will be enabled in Consul 1.13, even if -[`ports { https = POSITIVE_INTEGER }`](/consul/docs/agent/config/config-files#https_port) +[`ports { https = POSITIVE_INTEGER }`](/consul/docs/reference/agent#https_port) is not set. This will cause Envoy proxies to disconnect from the control plane after upgrading to Consul 1.13 if associated pre-1.13 Consul agents have **not** set -[`ports { https = POSITIVE_INTEGER }`](/consul/docs/agent/config/config-files#https_port). +[`ports { https = POSITIVE_INTEGER }`](/consul/docs/reference/agent#https_port). To avoid this problem, make the following agent configuration changes: 1. Remove TLS material from the Consul agents' interface-generic TLS configuration options: - [`tls.defaults`](/consul/docs/agent/config/config-files#tls_grpc) and - [deprecated TLS options](/consul/docs/agent/config/config-files#tls_deprecated_options) + [`tls.defaults`](/consul/docs/reference/agent#tls_grpc) and + [deprecated TLS options](/consul/docs/reference/agent#tls_deprecated_options) 1. Reapply TLS material to the non-gRPC interfaces that need it with the interface-specific TLS configuration stanzas - [introduced in Consul 1.12](/consul/docs/upgrading/upgrade-specific#tls-configuration): - [`tls.https`](/consul/docs/agent/config/config-files#tls_https) and - [`tls.internal_rpc`](/consul/docs/agent/config/config-files#tls_internal_rpc). + [introduced in Consul 1.12](/consul/docs/upgrade/version-specific#tls-configuration): + [`tls.https`](/consul/docs/reference/agent#tls_https) and + [`tls.internal_rpc`](/consul/docs/reference/agent#tls_internal_rpc). If upgrading directly from pre-1.12 Consul, the above configuration change cannot be made before upgrading. Therefore, consider upgrading agents to Consul 1.12 before upgrading to 1.13. If pre-1.13 Consul agents have set -[`ports { https = POSITIVE_INTEGER }`](/consul/docs/agent/config/config-files#https_port), +[`ports { https = POSITIVE_INTEGER }`](/consul/docs/reference/agent#https_port), this configuration change is not required to upgrade. That setting means the pre-1.13 Consul agent requires TLS for gRPC *already*, and will continue to do so after upgrading to 1.13. @@ -462,12 +408,12 @@ modify the Vault policy used by Consul to interact with Vault to ensure that certificates required for service mesh operation can still be generated. The policy must include the `update` capability on the intermediate PKI's tune mount configuration endpoint at path `/sys/mounts//tune`. -Refer to the [Vault CA provider documentation](/consul/docs/connect/ca/vault#vault-acl-policies) +Refer to the [Vault CA provider documentation](/consul/docs/secure-mesh/certificate/vault#vault-acl-policies) for updated example Vault policies for use with Vault-managed or Consul-managed PKI paths. You are using the Vault CA provider if either of the following configurations exists: -- The Consul server agent configuration option [`connect.ca_provider`](/consul/docs/agent/config/config-files#connect_ca_provider) is set to `vault`, or -- The Consul on Kubernetes Helm Chart [`global.secretsBackend.vault.connectCA`](/consul/docs/k8s/helm#v-global-secretsbackend-vault-connectca) value is configured. +- The Consul server agent configuration option [`connect.ca_provider`](/consul/docs/reference/agent#connect_ca_provider) is set to `vault`, or +- The Consul on Kubernetes Helm Chart [`global.secretsBackend.vault.connectCA`](/consul/docs/reference/k8s/helm#v-global-secretsbackend-vault-connectca) value is configured. Though this guidance is listed in the 1.13.x section, it applies to several release series. Affected Consul versions contain a @@ -493,7 +439,7 @@ to ensure the operation of your service mesh and to enable CA TTL modification. #### Removing configuration options -The [`disable_compat_19`](/consul/docs/agent/config/config-files#telemetry-disable_compat_1.9) telemetry configuration option is now removed. +The [`disable_compat_19`](/consul/docs/reference/agent#telemetry-disable_compat_1.9) telemetry configuration option is now removed. In prior Consul versions (1.10.x through 1.11.x), the config defaulted to `false`. In 1.12.x it defaulted to `true`. If you were using this flag, you must remove it before upgrading. @@ -527,7 +473,7 @@ to Consul 1.12.6 or later to avoid the breaking nature of that change. #### Changing the default behavior for option -The [`disable_compat_19`](/consul/docs/agent/config/config-files#telemetry-disable_compat_1.9) telemetry configuration option now defaults +The [`disable_compat_19`](/consul/docs/reference/agent#telemetry-disable_compat_1.9) telemetry configuration option now defaults to `true`. In prior Consul versions (1.10.x through 1.11.x), the config defaulted to `false`. If you require 1.9 style `consul.http...` metrics, you may enable them by setting the flag to `false`. However, be advised that these metrics, as well as the flag will be removed in upcoming Consul 1.13. We recommend changing your instrumentation to use 1.10 and later @@ -545,7 +491,7 @@ The Consul Enterprise codebase was updated with a fix for this issue in version You can now configure TLS differently for each of Consul's exposed ports. As a result, the following top-level configuration fields are deprecated and should -be replaced with the new [`tls` stanza](/consul/docs/agent/config/config-files#tls-configuration-reference): +be replaced with the new [`tls` stanza](/consul/docs/reference/agent#tls-configuration-reference): - `cert_file` - `key_file` @@ -588,7 +534,7 @@ Due to this rename the following endpoint is also deprecated: These config keys are now deprecated: - `audit.sink[].name` - - [`dns_config.dns_prefer_namespace`](/consul/docs/agent/config/config-files#dns_prefer_namespace) + - [`dns_config.dns_prefer_namespace`](/consul/docs/reference/agent#dns_prefer_namespace) ### Deprecated CLI Subcommands @@ -649,7 +595,7 @@ cause issues during the upgrade that could result in agents failing to start due Consul Enterprise 1.10 has removed temporary licensing capabilities from the binaries found on https://releases.hashicorp.com. Servers will no longer load a license previously set through the CLI or API. Instead the license must be present in the server's configuration -or environment prior to starting. See the [licensing documentation](/consul/docs/enterprise/license/overview) +or environment prior to starting. See the [licensing documentation](/consul/docs/enterprise/license) for more information about how to configure the license. Client agents previously retrieved their license from the servers in the cluster within 30 minutes of starting and the snapshot agent would similarly retrieve its license from the server or client agent it was configured to use. As @@ -658,12 +604,12 @@ have a license loaded from a configuration file or from their environment the sa agents must have the license specified. Both agents can still perform automatic retrieval of their license but with a few extra stipulations. First, license auto-retrieval now requires that ACLs are on and that the client or snapshot agent is configured with a valid ACL token. Secondly, client -agents require that either the [`start_join`](/consul/docs/agent/config/config-files#start_join) or -[`retry_join`](/consul/docs/agent/config/config-files#retry_join) configurations are set and that they resolve to server +agents require that either the [`start_join`](/consul/docs/reference/agent#start_join) or +[`retry_join`](/consul/docs/reference/agent#retry_join) configurations are set and that they resolve to server agents. If those stipulations are not met, attempting to start the client or snapshot agent will result in it immediately shutting down. -For the step by step upgrade procedures see the [Upgrading to 1.10.0](/consul/docs/upgrading/instructions/upgrade-to-1-10-x) documentation. +For the step by step upgrade procedures see the [Upgrading to 1.10.0](/consul/docs/upgrade/instructions/1-10-x) documentation. For answers to common licensing questions please refer to the [FAQ](/consul/docs/enterprise/license/faq) ### Envoy xDS Protocol Upgrades @@ -688,7 +634,7 @@ In [Consul 1.11](#consul-1-11-0) the v2 State of the World protocol support will #### Escape Hatches -Any [escape hatches](/consul/docs/connect/proxies/envoy#advanced-configuration) that +Any [escape hatches](/consul/docs/reference/proxy/envoy#advanced-configuration) that are defined will likely need to be switched from using xDS v2 to xDS v3 structures. Mostly this involves migrating off of deprecated (and now removed) fields and switching untyped config to [typed config](https://www.envoyproxy.io/docs/envoy/v1.17.2/configuration/overview/extension) @@ -706,10 +652,10 @@ and [after](https://github.com/hashicorp/consul/blob/71d45a34601423abdfc0a64d44c #### Stairstep Upgrade Path 1. Upgrade Envoy sidecars to the latest version of Envoy that is - [supported](/consul/docs/connect/proxies/envoy#supported-versions) by the currently + [supported](/consul/docs/reference/proxy/envoy#supported-versions) by the currently running version of Consul as well as Consul 1.10.0. -1. Determine if you are using the [escape hatch](/consul/docs/connect/proxies/envoy#advanced-configuration) +1. Determine if you are using the [escape hatch](/consul/docs/reference/proxy/envoy#advanced-configuration) feature. If so, rewrite the escape hatch to use the xDS v3 syntax and update the service registration to reflect the updated escape hatch configuration by re-registering. This should purge v2 elements from any configs. @@ -753,7 +699,7 @@ to Consul 1.9.0. ### Changes to Configuration Defaults -The [`enable_central_service_config`](/consul/docs/agent/config/config-files#enable_central_service_config) +The [`enable_central_service_config`](/consul/docs/reference/agent#enable_central_service_config) configuration now defaults to `true`. ### Changes to Intentions @@ -771,8 +717,8 @@ namespace with a query parameter of `?ns=*`. #### Migration Upgrading to Consul 1.9.0 will trigger a one-time background migration of -[intentions](/consul/docs/connect/intentions) into an equivalent set of -[`service-intentions`](/consul/docs/connect/config-entries/service-intentions) config +[intentions](/consul/docs/secure-mesh/intentions) into an equivalent set of +[`service-intentions`](/consul/docs/reference/config-entry/service-intention) config entries. This process will wait until all of the Consul servers in the primary datacenter are running Consul 1.9.0+. @@ -800,29 +746,29 @@ re-created via the old endpoints. Fields that are being removed or changing behavior: - `Intention.ID` after migration is stored in the - [`LegacyID`](/consul/docs/connect/config-entries/service-intentions#legacyid) field. + [`LegacyID`](/consul/docs/reference/config-entry/service-intention#legacyid) field. After transitioning this field is cleared. - `Intention.CreatedAt` after migration is stored in the - [`LegacyCreateTime`](/consul/docs/connect/config-entries/service-intentions#legacycreatetime) + [`LegacyCreateTime`](/consul/docs/reference/config-entry/service-intention#legacycreatetime) field. After transitioning this field is cleared. - `Intention.UpdatedAt` after migration is stored in the - [`LegacyUpdateTime`](/consul/docs/connect/config-entries/service-intentions#legacyupdatetime) + [`LegacyUpdateTime`](/consul/docs/reference/config-entry/service-intention#legacyupdatetime) field. After transitioning this field is cleared. - `Intention.Meta` after migration is stored in the - [`LegacyMeta`](/consul/docs/connect/config-entries/service-intentions#legacymeta) + [`LegacyMeta`](/consul/docs/reference/config-entry/service-intention#legacymeta) field. To complete the transition, this field **must be cleared manually** and the metadata moved up to the enclosing config entry's - [`Meta`](/consul/docs/connect/config-entries/service-intentions#meta) field. This is + [`Meta`](/consul/docs/reference/config-entry/service-intention#meta) field. This is not done automatically since it is potentially a lossy operation. ## Consul 1.8.0 #### Removal of Deprecated Features -The [`acl_enforce_version_8`](/consul/docs/agent/config/config-files#acl_enforce_version_8) +The [`acl_enforce_version_8`](/consul/docs/reference/agent#acl_enforce_version_8) configuration has been removed (with version 8 ACL support by being on by default). @@ -865,7 +811,7 @@ to more precisely capture the view of _active_ blocking queries. ### Vault: default `http_max_conns_per_client` too low to run Vault properly -Consul 1.7.0 introduced [limiting of connections per client](/consul/docs/agent/config/config-files#http_max_conns_per_client). The default value +Consul 1.7.0 introduced [limiting of connections per client](/consul/docs/reference/agent#http_max_conns_per_client). The default value was 100, but Vault could use up to 128, which caused problems. If you want to use Vault with Consul 1.7.0, you should change the value to 200. Starting with Consul 1.7.1 this is the new default. @@ -873,7 +819,7 @@ Starting with Consul 1.7.1 this is the new default. ### Vault: default `http_max_conns_per_client` too low to run Vault properly -Consul 1.6.3 introduced [limiting of connections per client](/consul/docs/agent/config/config-files#http_max_conns_per_client). The default value +Consul 1.6.3 introduced [limiting of connections per client](/consul/docs/reference/agent#http_max_conns_per_client). The default value was 100, but Vault could use up to 128, which caused problems. If you want to use Vault with Consul 1.6.3 through 1.7.0, you should change the value to 200. Starting with Consul 1.7.1 this is the new default. @@ -882,9 +828,9 @@ Starting with Consul 1.7.1 this is the new default. #### Removal of Deprecated Features Managed proxies, which are deprecated since Consul v1.3.0, have now been -[removed](/consul/docs/connect/proxies). Before upgrading, you must +[removed](/consul/docs/connect/proxy). Before upgrading, you must migrate any managed proxy usage to [sidecar service -registrations](/consul/docs/connect/proxies/deploy-sidecar-services). +registrations](/consul/docs/reference/proxy/sidecar). ## Consul 1.4.0 @@ -894,8 +840,7 @@ service mesh](#multi-datacenter-service-mesh) in the Enterprise version. ### ACL Upgrade -Consul 1.4.0 includes a [new ACL -system](/consul/tutorials/security/access-control-setup-production) +Consul 1.4.0 includes an [ACL system](/consul/docs/secure/acl) that is designed to have a smooth upgrade path but requires care to upgrade components in the right order. @@ -912,14 +857,14 @@ datacenter". All configuration is backwards compatible and shouldn't need to change prior to upgrade although it's strongly recommended to migrate ACL configuration to the new syntax soon after upgrade. This includes moving to `primary_datacenter` rather than `acl_datacenter` and `acl_*` to the new [ACL -block](/consul/docs/agent/config/config-files#acl). +block](/consul/docs/reference/agent#acl). Datacenters can be upgraded in any order although secondaries will remain in [Legacy ACL mode](#legacy-acl-mode) until the primary datacenter is fully upgraded. Each datacenter should follow the [standard rolling upgrade -procedure](/consul/docs/upgrading#standard-upgrades). +procedure](/consul/docs/upgrade#standard-upgrades). #### Legacy ACL Mode @@ -975,7 +920,7 @@ with the new ACL [Token](/consul/api-docs/acl/tokens) and This only applies to users upgrading from an older version of Consul Enterprise to Consul Enterprise 1.4.0 (all license types). -In addition, this upgrade will only affect clusters where [service mesh is enabled](/consul/docs/connect/configuration) on your servers before the migration. +In addition, this upgrade will only affect clusters where [service mesh is enabled](/consul/docs/connect/configuration-entries) on your servers before the migration. Multi-datacenter service mesh uses the same primary/secondary approach as ACLs and will use the same [primary_datacenter](#primary-datacenter). When a secondary @@ -1026,7 +971,7 @@ The following previously deprecated fields and config options have been removed: - `CheckID` has been removed from config file check definitions (use `id` instead). - `script` has been removed from config file check definitions (use `args` instead). - `enableTagOverride` is no longer valid in service definitions (use `enable_tag_override` instead). -- The [deprecated set of metric names](/consul/docs/upgrading/upgrade-specific#metric-names-updated) (beginning with `consul.consul.`) has been removed +- The [deprecated set of metric names](/consul/docs/upgrade/version-specific#metric-names-updated) (beginning with `consul.consul.`) has been removed along with the `enable_deprecated_names` option from the metrics configuration. #### New defaults for Raft Snapshot Creation @@ -1034,11 +979,11 @@ The following previously deprecated fields and config options have been removed: Consul 1.0.1 (and earlier versions of Consul) checked for raft snapshots every 5 seconds, and created new snapshots for every 8192 writes. These defaults cause constant disk IO in large busy clusters. Consul 1.1.0 increases these to larger values, -and makes them tunable via the [raft_snapshot_interval](/consul/docs/agent/config/config-files#_raft_snapshot_interval) and -[raft_snapshot_threshold](/consul/docs/agent/config/config-files#_raft_snapshot_threshold) parameters. We recommend +and makes them tunable via the [raft_snapshot_interval](/consul/docs/reference/agent#_raft_snapshot_interval) and +[raft_snapshot_threshold](/consul/docs/reference/agent#_raft_snapshot_threshold) parameters. We recommend keeping the new defaults. However, operators can go back to the old defaults by changing their -config if they prefer more frequent snapshots. See the documentation for [raft_snapshot_interval](/consul/docs/agent/config/config-files#_raft_snapshot_interval) -and [raft_snapshot_threshold](/consul/docs/agent/config/config-files#_raft_snapshot_threshold) to understand the trade-offs +config if they prefer more frequent snapshots. See the documentation for [raft_snapshot_interval](/consul/docs/reference/agent#_raft_snapshot_interval) +and [raft_snapshot_threshold](/consul/docs/reference/agent#_raft_snapshot_threshold) to understand the trade-offs when tuning these. ## Consul 1.0.7 @@ -1066,7 +1011,7 @@ before proceeding. #### Carefully Check and Remove Stale Servers During Rolling Upgrades Consul 1.0 (and earlier versions of Consul when running with [Raft protocol -3](/consul/docs/agent/config/config-files#_raft_protocol) had an issue where performing +3](/consul/docs/reference/agent#_raft_protocol) had an issue where performing rolling updates of Consul servers could result in an outage from old servers remaining in the cluster. [Autopilot](/consul/tutorials/datacenter-operations/autopilot-datacenter-operations) @@ -1087,7 +1032,7 @@ Please be sure to read over all the details here before upgrading. #### Raft Protocol Now Defaults to 3 -The [`-raft-protocol`](/consul/docs/agent/config/cli-flags#_raft_protocol) default has +The [`-raft-protocol`](/consul/docsreference-cli/agent#_raft_protocol) default has been changed from 2 to 3, enabling all [Autopilot](/consul/tutorials/datacenter-operations/autopilot-datacenter-operations) features by default. @@ -1096,7 +1041,7 @@ Raft protocol version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version -Compatibility](/consul/docs/upgrading/upgrade-specific#raft-protocol-version-compatibility) +Compatibility](/consul/docs/upgrade/version-specific#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the latest Raft protocol. Review [Manual Recovery Using @@ -1104,7 +1049,7 @@ peers.json](/consul/tutorials/datacenter-operations/recovery-outage#manual-recov for a description of the required format. Please note that the Raft protocol is different from Consul's internal protocol -as described on the [Protocol Compatibility Promise](/consul/docs/upgrading/compatibility) +as described on the [Protocol Compatibility Promise](/consul/docs/upgrade/compatibility-promise) page, and as is shown in commands like `consul members` and `consul version`. To see the version of the Raft protocol in use on each server, use the `consul operator raft list-peers` command. @@ -1116,7 +1061,7 @@ servers, and then slowly stand down each of the older servers in a similar fashion. When using Raft protocol version 3, servers are identified by their -[`-node-id`](/consul/docs/agent/config/cli-flags#_node_id) instead of their IP address +[`-node-id`](/consul/docsreference-cli/agent#_node_id) instead of their IP address when Consul makes changes to its internal Raft quorum configuration. This means that once a cluster has been upgraded with servers all running Raft protocol version 3, it will no longer allow servers running any older Raft protocol @@ -1131,7 +1076,7 @@ to map the server to its node ID in the Raft quorum configuration. As part of supporting the [HCL](https://github.com/hashicorp/hcl#syntax) format for Consul's config files, an `.hcl` or `.json` extension is required for all config files loaded by Consul, even when using the -[`-config-file`](/consul/docs/agent/config/cli-flags#_config_file) argument to specify a +[`-config-file`](/consul/docsreference-cli/agent#_config_file) argument to specify a file directly. #### Use Snake Case for Service Definition Parameters @@ -1146,31 +1091,31 @@ upgrading. Here's the complete list of removed options and their equivalents: | Removed Option | Equivalent | | ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `-dc` | [`-datacenter`](/consul/docs/agent/config/cli-flags#_datacenter) | -| `-retry-join-azure-tag-name` | [`-retry-join`](/consul/docs/agent/config/cli-flags#_retry_join) | -| `-retry-join-azure-tag-value` | [`-retry-join`](/consul/docs/agent/config/cli-flags#_retry_join) | -| `-retry-join-ec2-region` | [`-retry-join`](/consul/docs/agent/config/cli-flags#_retry_join) | -| `-retry-join-ec2-tag-key` | [`-retry-join`](/consul/docs/agent/config/cli-flags#_retry_join) | -| `-retry-join-ec2-tag-value` | [`-retry-join`](/consul/docs/agent/config/cli-flags#_retry_join) | -| `-retry-join-gce-credentials-file` | [`-retry-join`](/consul/docs/agent/config/cli-flags#_retry_join) | -| `-retry-join-gce-project-name` | [`-retry-join`](/consul/docs/agent/config/cli-flags#_retry_join) | -| `-retry-join-gce-tag-name` | [`-retry-join`](/consul/docs/agent/config/cli-flags#_retry_join) | -| `-retry-join-gce-zone-pattern` | [`-retry-join`](/consul/docs/agent/config/cli-flags#_retry_join) | +| `-dc` | [`-datacenter`](/consul/docsreference-cli/agent#_datacenter) | +| `-retry-join-azure-tag-name` | [`-retry-join`](/consul/docsreference-cli/agent#_retry_join) | +| `-retry-join-azure-tag-value` | [`-retry-join`](/consul/docsreference-cli/agent#_retry_join) | +| `-retry-join-ec2-region` | [`-retry-join`](/consul/docsreference-cli/agent#_retry_join) | +| `-retry-join-ec2-tag-key` | [`-retry-join`](/consul/docsreference-cli/agent#_retry_join) | +| `-retry-join-ec2-tag-value` | [`-retry-join`](/consul/docsreference-cli/agent#_retry_join) | +| `-retry-join-gce-credentials-file` | [`-retry-join`](/consul/docsreference-cli/agent#_retry_join) | +| `-retry-join-gce-project-name` | [`-retry-join`](/consul/docsreference-cli/agent#_retry_join) | +| `-retry-join-gce-tag-name` | [`-retry-join`](/consul/docsreference-cli/agent#_retry_join) | +| `-retry-join-gce-zone-pattern` | [`-retry-join`](/consul/docsreference-cli/agent#_retry_join) | | `addresses.rpc` | None, the RPC server for CLI commands is no longer supported. | -| `advertise_addrs` | [`ports`](/consul/docs/agent/config/config-files#ports) with [`advertise_addr`](/consul/docs/agent/config/config-files#advertise_addr) and/or [`advertise_addr_wan`](/consul/docs/agent/config/config-files#advertise_addr_wan) | -| `dogstatsd_addr` | [`telemetry.dogstatsd_addr`](/consul/docs/agent/config/config-files#telemetry-dogstatsd_addr) | -| `dogstatsd_tags` | [`telemetry.dogstatsd_tags`](/consul/docs/agent/config/config-files#telemetry-dogstatsd_tags) | -| `http_api_response_headers` | [`http_config.response_headers`](/consul/docs/agent/config/config-files#response_headers) | +| `advertise_addrs` | [`ports`](/consul/docs/reference/agent#ports) with [`advertise_addr`](/consul/docs/reference/agent#advertise_addr) and/or [`advertise_addr_wan`](/consul/docs/reference/agent#advertise_addr_wan) | +| `dogstatsd_addr` | [`telemetry.dogstatsd_addr`](/consul/docs/reference/agent#telemetry-dogstatsd_addr) | +| `dogstatsd_tags` | [`telemetry.dogstatsd_tags`](/consul/docs/reference/agent#telemetry-dogstatsd_tags) | +| `http_api_response_headers` | [`http_config.response_headers`](/consul/docs/reference/agent#response_headers) | | `ports.rpc` | None, the RPC server for CLI commands is no longer supported. | -| `recursor` | [`recursors`](/consul/docs/agent/config/config-files#recursors) | -| `retry_join_azure` | [`retry-join`](/consul/docs/agent/config/config-files#retry_join) | -| `retry_join_ec2` | [`retry-join`](/consul/docs/agent/config/config-files#retry_join) | -| `retry_join_gce` | [`retry-join`](/consul/docs/agent/config/config-files#retry_join) | -| `statsd_addr` | [`telemetry.statsd_address`](/consul/docs/agent/config/config-files#telemetry-statsd_address) | -| `statsite_addr` | [`telemetry.statsite_address`](/consul/docs/agent/config/config-files#telemetry-statsite_address) | -| `statsite_prefix` | [`telemetry.metrics_prefix`](/consul/docs/agent/config/config-files#telemetry-metrics_prefix) | -| `telemetry.statsite_prefix` | [`telemetry.metrics_prefix`](/consul/docs/agent/config/config-files#telemetry-metrics_prefix) | +| `recursor` | [`recursors`](/consul/docs/reference/agent#recursors) | +| `retry_join_azure` | [`retry-join`](/consul/docs/reference/agent#retry_join) | +| `retry_join_ec2` | [`retry-join`](/consul/docs/reference/agent#retry_join) | +| `retry_join_gce` | [`retry-join`](/consul/docs/reference/agent#retry_join) | +| `statsd_addr` | [`telemetry.statsd_address`](/consul/docs/reference/agent#telemetry-statsd_address) | +| `statsite_addr` | [`telemetry.statsite_address`](/consul/docs/reference/agent#telemetry-statsite_address) | +| `statsite_prefix` | [`telemetry.metrics_prefix`](/consul/docs/reference/agent#telemetry-metrics_prefix) | +| `telemetry.statsite_prefix` | [`telemetry.metrics_prefix`](/consul/docs/reference/agent#telemetry-metrics_prefix) | | (service definitions) `serviceid` | [`id`](/consul/api-docs/agent/service#id) | | (service definitions) `dockercontainerid` | [`docker_container_id`](/consul/api-docs/agent/check#dockercontainerid) | | (service definitions) `tlsskipverify` | [`tls_skip_verify`](/consul/api-docs/agent/check#tlsskipverify) | @@ -1180,7 +1125,7 @@ upgrading. Here's the complete list of removed options and their equivalents: Since the `statsite_prefix` configuration option applied to all telemetry providers, `statsite_prefix` was renamed to -[`metrics_prefix`](/consul/docs/agent/config/config-files#telemetry-metrics_prefix). +[`metrics_prefix`](/consul/docs/reference/agent#telemetry-metrics_prefix). Configuration files will need to be updated when upgrading to this version of Consul. @@ -1192,8 +1137,8 @@ wrongly stated that you could configure both host and port. #### Escaping Behavior Changed for go-discover Configs -The format for [`-retry-join`](/consul/docs/agent/config/cli-flags#retry-join) and -[`-retry-join-wan`](/consul/docs/agent/config/cli-flags#retry-join-wan) values that use +The format for [`-retry-join`](/consul/docsreference-cli/agent#retry-join) and +[`-retry-join-wan`](/consul/docsreference-cli/agent#retry-join-wan) values that use [go-discover](https://github.com/hashicorp/go-discover) cloud auto joining has changed. Values in `key=val` sequences must no longer be URL encoded and can be provided as literals as long as they do not contain spaces, backslashes `\` or @@ -1311,18 +1256,14 @@ invalid health checks would get skipped. #### Script Checks Are Now Opt-In -A new [`enable_script_checks`](/consul/docs/agent/config/cli-flags#_enable_script_checks) +A new [`enable_script_checks`](/consul/docsreference-cli/agent#_enable_script_checks) configuration option was added, and defaults to `false`, meaning that in order to allow an agent to run health checks that execute scripts, this will need to be configured and set to `true`. This provides a safer out-of-the-box configuration for Consul where operators must opt-in to allow script-based health checks. -If your cluster uses script health checks please be sure to set this to `true` -as part of upgrading agents. If this is set to `true`, you should also enable -[ACLs](/consul/tutorials/security/access-control-setup-production) -to provide control over which users are allowed to register health checks that -could potentially execute scripts on the agent machines. +If your cluster uses script health checks please be sure to set this to `true` as part of upgrading agents. If this is set to `true`, you should also enable [ACLs](/consul/docs/secure/acl) to provide control over which users are allowed to register health checks that could potentially execute scripts on the agent machines. !> **Security Warning:** Using `enable_script_checks` without ACLs and without `allow_write_http_from` is _DANGEROUS_. Use the `enable_local_script_checks` setting @@ -1333,10 +1274,10 @@ for more information. Consul releases will no longer include a `web_ui.zip` file with the compiled web assets. These have been built in to the Consul binary since the 0.7.x -series and can be enabled with the [`-ui`](/consul/docs/agent/config/cli-flags#_ui) +series and can be enabled with the [`-ui`](/consul/docsreference-cli/agent#_ui) configuration option. These built-in web assets have always been identical to the contents of the `web_ui.zip` file for each release. The -[`-ui-dir`](/consul/docs/agent/config/cli-flags#_ui_dir) option is still available for +[`-ui-dir`](/consul/docsreference-cli/agent#_ui_dir) option is still available for hosting customized versions of the web assets, but the vast majority of Consul users can just use the built in web assets. @@ -1368,12 +1309,12 @@ to the following commands: #### Version 8 ACLs Are Now Opt-Out -The [`acl_enforce_version_8`](/consul/docs/agent/config/config-files#acl_enforce_version_8) +The [`acl_enforce_version_8`](/consul/docs/reference/agent#acl_enforce_version_8) configuration now defaults to `true` to enable full version 8 ACL support by default. If you are upgrading an existing cluster with ACLs enabled, you will need to set this to `false` during the upgrade on **both Consul agents and Consul servers**. Version 8 ACLs were also changed so that -[`acl_datacenter`](/consul/docs/agent/config/config-files#acl_datacenter) must be set on +[`acl_datacenter`](/consul/docs/reference/agent#acl_datacenter) must be set on agents in order to enable the agent-side enforcement of ACLs. This makes for a smoother experience in clusters where ACLs aren't enabled at all, but where the agents would have to wait to contact a Consul server before learning that. @@ -1381,14 +1322,14 @@ agents would have to wait to contact a Consul server before learning that. #### Remote Exec Is Now Opt-In The default for -[`disable_remote_exec`](/consul/docs/agent/config/config-files#disable_remote_exec) was +[`disable_remote_exec`](/consul/docs/reference/agent#disable_remote_exec) was changed to "true", so now operators need to opt-in to having agents support running commands remotely via [`consul exec`](/consul/commands/exec). #### Raft Protocol Version Compatibility When upgrading to Consul 0.8.0 from a version lower than 0.7.0, users will need -to set the [`-raft-protocol`](/consul/docs/agent/config/cli-flags#_raft_protocol) option +to set the [`-raft-protocol`](/consul/docsreference-cli/agent#_raft_protocol) option to 1 in order to maintain backwards compatibility with the old servers during the upgrade. After the servers have been migrated to version 0.8.0, `-raft-protocol` can be moved up to 2 and the servers restarted to match the @@ -1423,7 +1364,7 @@ process to reap child processes. #### DNS Resiliency Defaults -The default for [`max_stale`](/consul/docs/agent/config/config-files#max_stale) has been +The default for [`max_stale`](/consul/docs/reference/agent#max_stale) has been increased from 5 seconds to a near-indefinite threshold (10 years) to allow DNS queries to continue to be served in the event of a long outage with no leader. A new telemetry counter was added at `consul.dns.stale_queries` to track when @@ -1437,7 +1378,7 @@ to be aware of during an upgrade are categorized below. #### Performance Timing Defaults and Tuning Consul 0.7 now defaults the DNS configuration to allow for stale queries by -defaulting [`allow_stale`](/consul/docs/agent/config/config-files#allow_stale) to true for +defaulting [`allow_stale`](/consul/docs/reference/agent#allow_stale) to true for better utilization of available servers. If you want to retain the previous behavior, set the following configuration: @@ -1450,9 +1391,9 @@ behavior, set the following configuration: ``` Consul also 0.7 introduced support for tuning Raft performance using a new -[performance configuration block](/consul/docs/agent/config/config-files#performance). Also, +[performance configuration block](/consul/docs/reference/agent#performance). Also, the default Raft timing is set to a lower-performance mode suitable for -[minimal Consul servers](/consul/docs/install/performance#minimum). +[minimal Consul servers](/consul/docs/deploy/server/vm/requirements#minimum). To continue to use the high-performance settings that were the default prior to Consul 0.7 (recommended for production servers), add the following @@ -1466,12 +1407,12 @@ configuration to all Consul servers when upgrading: } ``` -See the [Server Performance](/consul/docs/install/performance) guide for more details. +See the [Server Performance](/consul/docs/deploy/server/vm/requirements) guide for more details. #### Leave-Related Configuration Defaults -The default behavior of [`leave_on_terminate`](/consul/docs/agent/config/config-files#leave_on_terminate) -and [`skip_leave_on_interrupt`](/consul/docs/agent/config/config-files#skip_leave_on_interrupt) +The default behavior of [`leave_on_terminate`](/consul/docs/reference/agent#leave_on_terminate) +and [`skip_leave_on_interrupt`](/consul/docs/reference/agent#skip_leave_on_interrupt) are now dependent on whether or not the agent is acting as a server or client: - For servers, `leave_on_terminate` defaults to "false" and `skip_leave_on_interrupt` @@ -1510,7 +1451,7 @@ using this feature. #### WAN Address Translation in HTTP Endpoints Consul version 0.7 added support for translating WAN addresses in certain -[HTTP endpoints](/consul/docs/agent/config/config-files#translate_wan_addrs). The servers +[HTTP endpoints](/consul/docs/reference/agent#translate_wan_addrs). The servers and the agents need to be running version 0.7 or later in order to use this feature. @@ -1541,7 +1482,7 @@ require any ACL to manage them, and prepared queries with a `Name` defined are now governed by a new `query` ACL policy that will need to be configured after the upgrade. -See the [ACL rules documentation](/consul/docs/security/acl/acl-rules#prepared-query-rules) for more details +Refer to the [ACL rules documentation](/consul/docs/secure-consul/acl/rules#prepared-query-rules) for more details about the new behavior and how it compares to previous versions of Consul. ## Consul 0.6 @@ -1592,7 +1533,7 @@ which require it: } When the DNS interface is queried, the agent's -[`acl_token`](/consul/docs/agent/config/config-files#acl_token) is used, so be sure +[`acl_token`](/consul/docs/reference/agent#acl_token) is used, so be sure that token has sufficient privileges to return the DNS records you expect to retrieve from it. @@ -1649,7 +1590,7 @@ this: This automatic upgrade will only exist in Consul 0.5.1+ and it will be removed starting with Consul 0.6.0+. It will still be possible to upgrade directly from pre-0.5.1 versions by using the consul-migrate utility, which is available on the -[Consul Tools page](/consul/docs/integrate/download-tools). +[Consul Tools page](/consul/docs/integrate/consul-tools). ## Consul 0.5 diff --git a/website/content/docs/upgrading/index.mdx b/website/content/docs/upgrading/index.mdx deleted file mode 100644 index 50ef68deda5..00000000000 --- a/website/content/docs/upgrading/index.mdx +++ /dev/null @@ -1,167 +0,0 @@ ---- -layout: docs -page_title: Upgrade Consul -description: >- - Consul is meant to be a long-running agent on any nodes participating in a - Consul cluster. These nodes consistently communicate with each other. As such, - protocol level compatibility and ease of upgrades is an important thing to - keep in mind when using Consul. ---- - -# Upgrading Consul - -Consul is meant to be a long-running agent on any nodes participating in a -Consul cluster. These nodes consistently communicate with each other. As such, -protocol level compatibility and ease of upgrades is an important thing to -keep in mind when using Consul. - -This page documents how to upgrade Consul when a new version is released. - --> **Tip:** For Consul Enterprise, see the [Automated Upgrades documentation](/consul/docs/enterprise/upgrades). - -## Standard Upgrades - -For upgrades we strive to ensure backwards compatibility. To support this, -nodes gossip their protocol version and builds. This enables clients and -servers to intelligently enable new features when available, or to gracefully -fallback to a backward compatible mode of operation otherwise. -Visit the [General Upgrade Process](/consul/docs/upgrading/instructions/general-process) for a detailed upgrade guide. - -For most upgrades, the process is simple. Assuming the current version of -Consul is A, and version B is released. - -1. Check the [version's upgrade notes](/consul/docs/upgrading/upgrade-specific) to ensure - there are no compatibility issues that will affect your workload. If there - are plan accordingly before continuing. - -2. On each Consul server agent, install version B of Consul. - -3. One Consul server agent at a time, use a service management system - (e.g., systemd, upstart, etc.) to restart the Consul service with version B. Wait until - the server agent is healthy and has rejoined the cluster before moving on to the - next server agent. - -4. Once all the server agents are upgraded, begin a rollout of client agents following - the same process. - - -> **Upgrade Envoy proxies:** If a client agent has associated Envoy proxies (e.g., sidecars, gateways), - install a [compatible Envoy version](/consul/docs/connect/proxies/envoy#supported-versions) - for Consul version B. - After stopping client agent version A, - stop its associated Envoy proxies. - After restarting the client agent with version B, - restart its associated Envoy proxies with the compatible Envoy version. - -5. Done! You are now running the latest Consul agent. You can verify this - by running `consul members` to make sure all members have the latest - build and highest protocol version. - -## Upgrade recommendation - -We encourage organizations to use a maintained version of Consul -so that they benefit from bug and security fixes in minor releases. - -### Consul community edition - -For Consul community edition users, -consistently operating a maintained version requires upgrading -every 4 months to the latest major release. - -### Consul Enterprise - -Standard major releases of Consul Enterprise are maintained for approximately 1 year. -[Consul Enterprise Long Term Support (LTS)](/consul/docs/enterprise/long-term-support) -releases are maintained for approximately 2 years. - -For Consul Enterprise customers, -consistently operating a maintained version requires a major upgrade every 12 months -on average when using [LTS](/consul/docs/enterprise/long-term-support) releases. -LTS releases support an upgrade jump of at most 3 major versions. -For more details, refer to -[Long Term Support upgrade recommendation](/consul/docs/enterprise/long-term-support#annual-upgrade-to-next-lts-release). - -## Large Version Jumps - -If your Consul deployment is many major versions behind the latest release -and you need to upgrade, review our -[upgrade instructions](/consul/docs/upgrading/instructions) -for more information about how to perform those upgrades. - -After upgrading to a maintained version of Consul, refer to our -[upgrade recommendation](#upgrade-recommendation) -to inform planning for future upgrades. - -## Backward Incompatible Upgrades - -In some cases, a backwards incompatible update may be released. This has not -been an issue yet, but to support upgrades we support setting an explicit -protocol version. This disables incompatible features and enables a 2-phase upgrade. - -For the steps below, assume you're running version A of Consul, and then -version B comes out. - -1. On each node, install version B of Consul. - -2. One server at a time, shut down version A via `consul leave` and start version B with the - `-protocol=PREVIOUS` flag, where "PREVIOUS" is the protocol version of - version A (which can be discovered by running `consul -v` or `consul members`). Wait until the server is healthy and has rejoined the cluster - before moving on to the next server. - -3. Once all nodes are running version B, go through every node and restart the - version B agent _without_ the `-protocol` flag, again wait for each server to - rejoin the cluster before continuing. - -4. Done! You're now running the latest Consul agent speaking the latest protocol. - You can verify this is the case by running `consul members` to - make sure all members are speaking the same, latest protocol version. - -The key to making this work is the [protocol compatibility](/consul/docs/upgrading/compatibility) -of Consul. The protocol version system is discussed below. - -## Protocol Versions - -By default, Consul agents speak the latest protocol they can. However, each -new version of Consul is also able to speak the previous protocol, if there -were any protocol changes. - -You can see what protocol versions your version of Consul understands by -running `consul -v`. You'll see output similar to that below: - -```shell-session -$ consul -v -Consul v0.7.0 -Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents) -``` - -This says the version of Consul as well as the protocol versions this -agent speaks and can understand. - -Sometimes Consul will default to speak a lower protocol version -than it understands, in order to ease compatibility with older agents. For -example, Consul agents that understand version 3 claim to speak version 2, -and only send version 3 messages to agents that understand version 3. This -allows features to upshift automatically as agents are upgraded, and is the -strategy used whenever possible. If this is not possible, then you will need -to do a backward incompatible upgrade using the instructions above, and such -a requirement will be clearly outlined in the notes for a given release. - -By specifying the `-protocol` flag on `consul agent`, you can tell the -Consul agent to speak any protocol version that it can understand. This -only specifies the protocol version to _speak_. Every Consul agent can -always understand the entire range of protocol versions it claims to -on `consul -v`. - -~> **By running a previous protocol version**, some features -of Consul, especially newer features, may not be available. If this is the -case, Consul will typically warn you. In general, you should always upgrade -your cluster so that you can run the latest protocol version. - -## Upgrading on Kubernetes - -See the dedicated [Upgrading Consul on Kubernetes](/consul/docs/k8s/upgrade) page. - -## Upgrading federated datacenters - -If you need to upgrade a federated environment with multiple datacenters you can -refer to the [Upgrade Multiple Federated Consul Datacenters](/consul/tutorials/datacenter-operations/upgrade-federated-environment) -tutorial. diff --git a/website/content/docs/vm.mdx b/website/content/docs/vm.mdx new file mode 100644 index 00000000000..8fa75f7f934 --- /dev/null +++ b/website/content/docs/vm.mdx @@ -0,0 +1,10 @@ +--- +layout: docs +page_title: Consul on virtual machines +description: >- + PLACEHOLDER +--- + +# Consul on virtual machines + +Editor's Note: This empty page represents a known content gap between our existing documentation and the refreshed documentation. diff --git a/website/content/partials/cli-http-api-partition-options.mdx b/website/content/partials/cli-http-api-partition-options.mdx deleted file mode 100644 index eb96310a37b..00000000000 --- a/website/content/partials/cli-http-api-partition-options.mdx +++ /dev/null @@ -1 +0,0 @@ -- `-partition=` - Specifies the admin partition to query. If not provided, the partition is inferred from the request's ACL token, or defaults to the `default` partition. diff --git a/website/content/partials/create-token-auth-methods.mdx b/website/content/partials/create-token-auth-methods.mdx deleted file mode 100644 index 91287072850..00000000000 --- a/website/content/partials/create-token-auth-methods.mdx +++ /dev/null @@ -1,3 +0,0 @@ -### Auth methods - -Auth methods are components that perform authentication against a trusted external party to authorize the creation of ACL tokens for use within the local datacenter. Refer to the [auth methods documentation](/consul/docs/security/acl/auth-methods) for details about how to leverage auth methods in your network. diff --git a/website/content/partials/create-token-requirements.mdx b/website/content/partials/create-token-requirements.mdx deleted file mode 100644 index bf4742719e8..00000000000 --- a/website/content/partials/create-token-requirements.mdx +++ /dev/null @@ -1,22 +0,0 @@ -### Authentication - -You must provide an ACL token linked to a policy with `acl:write` permissions to create and modify ACL tokens and policies using the CLI or API. - -You can provide the token manually using the `-token` option on the command line, but we recommend setting the `CONSUL_HTTP_TOKEN` environment variable to simplify your workflow: - -```shell-session -$ export CONSUL_HTTP_TOKEN= -``` - -The Consul CLI automatically reads the `CONSUL_HTTP_TOKEN` environment variable so that you do not have to pass the token to every Consul CLI command. - -To authenticate calls to the Consul HTTP API, you must provide the token in the `X-Consul-Token` header for each call: - -```shell-session -$ curl --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" ... -``` - -To learn about alternative ways to authenticate, refer to the following documentation: - -* [CLI Authentication](/consul/commands#authentication) -* [API Authentication](/consul/api-docs/api-structure#authentication) diff --git a/website/content/partials/envoy_ext_rule_matcher.mdx b/website/content/partials/envoy_ext_rule_matcher.mdx deleted file mode 100644 index 1d97c34e4b8..00000000000 --- a/website/content/partials/envoy_ext_rule_matcher.mdx +++ /dev/null @@ -1,9 +0,0 @@ - -| Rule | Description | Data type | Default | -| --- | --- | --- | --- | -| `Contains` | Specifies a string that the input string must contain. | String | N/A | -| `Exact` | Specifies a string that the input string must match exactly. | String | N/A | -| `IgnoreCase` | Directs Envoy to ignore capitalization. If set to `true`, the other matching rules in the configuration are not case sensitive. This rule does not affect `SafeRegex`. | Boolean | `false` | -| `Prefix` | Specifies a string that the input string must begin with. | String | N/A | -| `SafeRegex` | Specifies a regular expression for matching the input string programmatically. Envoy supports [Google's RE2 regex engine](https://github.com/google/re2/wiki/Syntax). | String | N/A | -| `Suffix` | Specifies a string that the input string must end with. | String | N/A | \ No newline at end of file diff --git a/website/content/partials/http-api-body-options-partition.mdx b/website/content/partials/http-api-body-options-partition.mdx deleted file mode 100644 index cf2acd813ca..00000000000 --- a/website/content/partials/http-api-body-options-partition.mdx +++ /dev/null @@ -1,2 +0,0 @@ - -- `Partition` `(string: "")` - The admin partition to use. If not provided, the partition is inferred from the request's ACL token, or defaults to the `default` partition. \ No newline at end of file diff --git a/website/content/partials/http-api-query-parms-partition.mdx b/website/content/partials/http-api-query-parms-partition.mdx deleted file mode 100644 index 8d954d86c53..00000000000 --- a/website/content/partials/http-api-query-parms-partition.mdx +++ /dev/null @@ -1 +0,0 @@ -- `partition` `(string: "")` - The admin partition to use. If not provided, the partition is inferred from the request's ACL token, or defaults to the `default` partition. \ No newline at end of file diff --git a/website/content/partials/http_api_and_cli_characteristics_links.mdx b/website/content/partials/http_api_and_cli_characteristics_links.mdx deleted file mode 100644 index 85534c56d94..00000000000 --- a/website/content/partials/http_api_and_cli_characteristics_links.mdx +++ /dev/null @@ -1,6 +0,0 @@ - - -[Required ACLs]: /consul/docs/security/acl -[Blocking queries]: /consul/api-docs/features/blocking -[Consistency modes]: /consul/api-docs/features/consistency -[Agent caching]: /consul/api-docs/features/caching diff --git a/website/content/partials/http_api_connect_ca_common_options.mdx b/website/content/partials/http_api_connect_ca_common_options.mdx deleted file mode 100644 index b6d269bee86..00000000000 --- a/website/content/partials/http_api_connect_ca_common_options.mdx +++ /dev/null @@ -1,88 +0,0 @@ -#### Common CA Config Options - -The following configuration options are supported by all CA providers: - -- `CSRMaxConcurrent` / `csr_max_concurrent` (`int: 0`) - Sets a limit on the - number of Certificate Signing Requests that can be processed concurrently. Defaults - to 0 (disabled). This is useful when you want to limit the number of CPU cores - available to the server for certificate signing operations. For example, on an - 8 core server, setting this to 1 will ensure that no more than one CPU core - will be consumed when generating or rotating certificates. Setting this is - recommended **instead** of `csr_max_per_second` when you want to limit the - number of cores consumed since it is simpler to reason about limiting CSR - resources this way without artificially slowing down rotations. Added in 1.4.1. - -- `CSRMaxPerSecond` / `csr_max_per_second` (`float: 50`) - Sets a rate limit - on the maximum number of Certificate Signing Requests (CSRs) the servers will - accept. This is used to prevent CA rotation from causing unbounded CPU usage - on servers. It defaults to 50 which is conservative – a 2017 MacBook can process - about 100 per second using only ~40% of one CPU core – but sufficient for deployments - up to ~1500 service instances before the time it takes to rotate is impacted. - For larger deployments we recommend increasing this based on the expected number - of server instances and server resources, or use `csr_max_concurrent` instead - if servers have more than one CPU core. Setting this to zero disables rate limiting. - Added in 1.4.1. - -- `LeafCertTTL` / `leaf_cert_ttl` (`duration: "72h"`) - The upper bound on the lease - duration of a leaf certificate issued for a service. In most cases a new leaf - certificate will be requested by a proxy before this limit is reached. This - is also the effective limit on how long a server outage can last (with no leader) - before network connections will start being rejected. Defaults to `72h`. This - value cannot be lower than 1 hour or higher than 1 year. - - This value is also used when rotating out old root certificates from - the cluster. When a root certificate has been inactive (rotated out) - for more than twice the _current_ `leaf_cert_ttl`, it will be removed - from the trusted list. - -- `RootCertTTL` / `root_cert_ttl` (`duration: "87600h"`) The time to live (TTL) for a root certificate. - Defaults to 10 years as `87600h`. This value, if provided, needs to be higher than the - intermediate certificate TTL. - - This setting applies to all Consul CA providers. - - For the Vault provider, this value is only used if the backend is not initialized at first. - -- `IntermediateCertTTL` / `intermediate_cert_ttl` (`duration: "8760h"`) The time to live (TTL) for - any intermediate certificates signed by root certificate of the primary datacenter. *This field is only - valid in the primary datacenter*. - Defaults to 1 year as `8760h`. - - This setting applies to all Consul CA providers. - - For the Vault provider, this value is only used if the backend is not initialized at first. - -- `PrivateKeyType` / `private_key_type` (`string: "ec"`) - The type of key to generate - for this CA. This is only used when the provider is generating a new key. If - `private_key` is set for the Consul provider, or existing root or intermediate - PKI paths given for Vault then this will be ignored. Currently supported options - are `ec` or `rsa`. Default is `ec`. - - It is required that all servers in a datacenter have - the same config for the CA. It is recommended that servers in - different datacenters use the same key type and size, although the built-in CA - and Vault provider will both allow mixed CA key types. - - Some CA providers (currently Vault) will not allow cross-signing a - new CA certificate with a different key type. This means that if you - migrate from an RSA-keyed Vault CA to an EC-keyed CA from any - provider, you may have to proceed without cross-signing which risks - temporary connection issues for workloads during the new certificate - rollout. We highly recommend testing this outside of production to - understand the impact, and suggest sticking to same key type where - possible. - - -> **Note**: This only affects _CA_ keys generated by the provider. - Leaf certificate keys are always EC 256 regardless of the CA - configuration. - -- `PrivateKeyBits` / `private_key_bits` (`string: ""`) - The length of key to - generate for this CA. This is only used when the provider is generating a new - key. If `private_key` is set for the Consul provider, or existing root or intermediate - PKI paths given for Vault then this will be ignored. - - Currently supported values are: - - - `private_key_type = ec` (default): `224, 256, 384, 521` - corresponding to the NIST P-\* curves of the same name. - - `private_key_type = rsa`: `2048, 4096` diff --git a/website/content/partials/http_api_namespace_options.mdx b/website/content/partials/http_api_namespace_options.mdx deleted file mode 100644 index cf29537ba7e..00000000000 --- a/website/content/partials/http_api_namespace_options.mdx +++ /dev/null @@ -1 +0,0 @@ -- `-namespace=` - Specifies the namespace to query. If not provided, the namespace will be inferred from the request's ACL token, or will default to the `default` namespace. Namespaces are a Consul Enterprise feature added in v1.7.0. diff --git a/website/content/partials/http_api_options_client.mdx b/website/content/partials/http_api_options_client.mdx deleted file mode 100644 index 32ac2633393..00000000000 --- a/website/content/partials/http_api_options_client.mdx +++ /dev/null @@ -1,36 +0,0 @@ -- `-ca-file=` - Path to a CA file to use for TLS when communicating with Consul. - This can also be specified via the `CONSUL_CACERT` environment variable. - -- `-ca-path=` - Path to a directory of CA certificates to use for TLS when - communicating with Consul. This can also be specified via the `CONSUL_CAPATH` - environment variable. - -- `-client-cert=` - Path to a client cert file to use for TLS when - `verify_incoming` is enabled. This can also be specified via the `CONSUL_CLIENT_CERT` - environment variable. - -- `-client-key=` - Path to a client key file to use for TLS when - `verify_incoming` is enabled. This can also be specified via the `CONSUL_CLIENT_KEY` - environment variable. - -- `-http-addr=` - Address of the Consul agent with the port. This can be - an IP address or DNS address, but it must include the port. This can also be - specified via the `CONSUL_HTTP_ADDR` environment variable. In Consul 0.8 and - later, the default value is http://127.0.0.1:8500, and https can optionally be - used instead. The scheme can also be set to HTTPS by setting the environment - variable `CONSUL_HTTP_SSL=true`. This may be a unix domain socket using - `unix:///path/to/socket` if the [agent is configured to - listen](/consul/docs/agent/config/config-files#addresses) that way. - -- `-tls-server-name=` - The server name to use as the SNI host when - connecting via TLS. This can also be specified via the `CONSUL_TLS_SERVER_NAME` - environment variable. - -- `-token=` - ACL token to use in the request. This can also be specified - via the `CONSUL_HTTP_TOKEN` environment variable. If unspecified, the query - will default to the token of the Consul agent at the HTTP address. - -- `-token-file=` - File containing the ACL token to use in the request - instead of one specified via the `-token` argument or `CONSUL_HTTP_TOKEN` - environment variable. This can also be specified via the - `CONSUL_HTTP_TOKEN_FILE` environment variable. diff --git a/website/content/partials/http_api_options_server.mdx b/website/content/partials/http_api_options_server.mdx deleted file mode 100644 index 2490d8f52cd..00000000000 --- a/website/content/partials/http_api_options_server.mdx +++ /dev/null @@ -1,7 +0,0 @@ -- `-datacenter=` - Name of the datacenter to query. If unspecified, the - query will default to the datacenter of the Consul agent at the HTTP address. - -- `-stale` - Permit any Consul server (non-leader) to respond to this request. - This allows for lower latency and higher throughput, but can result in stale - data. This option has no effect on non-read operations. The default value is - false. diff --git a/website/content/partials/http_api_results_filtered_by_acls.mdx b/website/content/partials/http_api_results_filtered_by_acls.mdx deleted file mode 100644 index 8e951c4066d..00000000000 --- a/website/content/partials/http_api_results_filtered_by_acls.mdx +++ /dev/null @@ -1,3 +0,0 @@ -The HTTP response includes the `X-Consul-Results-Filtered-By-ACLs: true` header -if the response array excludes results due to ACL policy configuration. -Refer to the [HTTP API documentation](/consul/api-docs/api-structure#results-filtered-by-acls) for more information. diff --git a/website/content/partials/jwt_claim_mapping_details.mdx b/website/content/partials/jwt_claim_mapping_details.mdx deleted file mode 100644 index 5d0131471b9..00000000000 --- a/website/content/partials/jwt_claim_mapping_details.mdx +++ /dev/null @@ -1,82 +0,0 @@ -## Trusted Identity Attributes via Claim Mappings - -Data from JWT claims can be returned from the authentication step as trusted -identity attributes for use in binding rule selectors and bind name -interpolation. - -Control of which claims are mapped to which identity attributes is governed by -the [`ClaimMappings`](#claimmappings) and -[`ListClaimMappings`](#listclaimmappings). These are both maps of items to copy -with elements of the form: `"":""`. - -The only difference between these two types of mappings is that `ClaimMappings` -is used to map singular values (such as a name, department, or team) while -`ListClaimMappings` is used to map lists of values. - -The singular values mapped by `ClaimMappings` can be interpolated in a binding -rule, and the lists of values mapped by `ListClaimMappings` cannot. - -Assume this is your config snippet: - -```json -{ - "Name": "example-auth-method", - "Type": "", - "Description": "Example auth method", - "Config": { - "ClaimMappings": { - "givenName": "first_name", - "surname": "last_name" - }, - "ListClaimMappings": { - "groups": "groups" - } - } -} -``` - -This specifies that the values in the JWT claims `"givenName"` and `"surname"` -should be copied to attributes named `"value.first_name"` and -`"value.last_name"` respectively. Additionally the list of values in the JWT -claim `"groups"` should be copied to an attribute named `"list.groups"`. - -The following table shows the resulting attributes that will be extracted, and -the ways they may be used in Rule Bindings: - -| Attributes | Supported Selector Operations | Can be Interpolated | -| ------------------ | -------------------------------------------------- | ------------------- | -| `value.first_name` | Equal, Not Equal, In, Not In, Matches, Not Matches | yes | -| `value.last_name` | Equal, Not Equal, In, Not In, Matches, Not Matches | yes | -| `list.groups` | In, Not In, Is Empty, Is Not Empty | no | - -### Claim Specifications and JSON Pointer - -The [`ClaimMappings`](#claimmappings) and -[`ListClaimMappings`](#listclaimmappings) fields are used to point to data -within the JWT. If the desired key is at the top of level of the JWT, the name -can be provided directly. If it is nested at a lower level, a JSON Pointer may -be used. - -Assume the following JWT claims are decoded: - -```json -{ - "division": "North America", - "groups": { - "primary": "Engineering", - "secondary": "Software" - }, - "iss": "https://my-corp-app-name.auth0.com/", - "sub": "auth0|eiw7OWoh5ieSh7ieyahC3ief0uyuraphaengae9d", - "aud": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt", - "iat": 1589224148, - "exp": 1589260148, - "nonce": "eKiihooH3Fah8Ieshah4leeti6ien3" -} -``` - -A parameter of `"division"` will reference `"North America"`, as this is a top -level key. A parameter `"/groups/primary"` uses JSON Pointer syntax to -reference `"Engineering"` at a lower level. Any valid JSON Pointer can be used -as a selector. Refer to the [JSON Pointer -RFC](https://tools.ietf.org/html/rfc6901) for a full description of the syntax diff --git a/website/content/partials/jwt_or_oidc.mdx b/website/content/partials/jwt_or_oidc.mdx deleted file mode 100644 index c84579a3a40..00000000000 --- a/website/content/partials/jwt_or_oidc.mdx +++ /dev/null @@ -1,18 +0,0 @@ -## JWT vs OIDC Auth Methods - -Since both the `oidc` and `jwt` auth methods ultimately operate on JWTs as -bearer tokens, it may be confusing to know which is right for a given use case. - -- **JWT**: The user or application performing the Consul login must already be - in possession of a valid JWT to begin. There is no browser interaction - required. This is ideal for machine-oriented headless login where an operator - may have already arranged for a valid JWT to be dropped on a VM or provided - to a container. - -- **OIDC**: The user performing the Consul login does not have a JWT nor do - they even need to know what that means. This is ideal for human-oriented - interactive login where an operator or administrator may have deployed SSO - widely and doesn't want to have the burden of tracking and distributing - Consul ACL tokens to any authorized coworker who may need to have access to a - Consul instance. Browser interaction is required. **This is only available in - [Consul Enterprise](https://www.hashicorp.com/products/consul/)**. diff --git a/website/content/partials/text/descriptions/access-log.mdx b/website/content/partials/text/descriptions/access-log.mdx new file mode 100644 index 00000000000..abdfadc1f7c --- /dev/null +++ b/website/content/partials/text/descriptions/access-log.mdx @@ -0,0 +1,3 @@ +Consul can emit access logs to record application connections and requests that pass through proxies in a service mesh, including sidecar proxies and gateways. When you enable access logs in your proxy defaults, you can use it to diagnose and troubleshoot network issues, detect threats to your network, and audit traffic for security compliance. + +You can also [configure the OpenTelemetry Envoy extension](/consul/docs/envoy-extension/otel-access-logginh) to capture and stream access logs. Refer to [access logs](/consul/docs/observe/access-log) for more information on enabling access logs in Consul. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/admin-partition.mdx b/website/content/partials/text/descriptions/admin-partition.mdx new file mode 100644 index 00000000000..31209411911 --- /dev/null +++ b/website/content/partials/text/descriptions/admin-partition.mdx @@ -0,0 +1,3 @@ +Admin partitions define one or more administrative boundaries for a Consul deployment. They exist one level above namespaces in Consul's identity hierarchy. Server clusters that manage multiple admin partitions require a [Consul Enterprise license](/consul/docs/enterprise/license). + +Admin partitions enable [cluster peering connections](/consul/docs/east-west/cluster-peering) and [sameness groups](/consul/docs/segment/sameness-group) between Consul datacenters deployed in different regions or cloud environments. Refer to the [admin partition documentation](/consul/docs/segment/admin-partition) for more information. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/certificate-authority.mdx b/website/content/partials/text/descriptions/certificate-authority.mdx new file mode 100644 index 00000000000..4c705693bd0 --- /dev/null +++ b/website/content/partials/text/descriptions/certificate-authority.mdx @@ -0,0 +1,5 @@ +Consul servers include a built-in certificate authority (CA) provider to centrally manage mTLS certificates and perform signing operations. When using the CA, sidecar proxies confirm that an incoming request includes a signed mTLS certificate before it forwards the request to a service. + +To use the built-in CA, you must bootstrap it by generating a private key and root certificate that you can distribute to agents. You can also configure Consul agents to use other certificate authorities, such as [HashiCorp Vault](/consul/docs/secure-mesh/certificate/vault). + +For more information, refer to [certificate authority overview](/consul/docs/secure-mesh/certificate). \ No newline at end of file diff --git a/website/content/partials/text/descriptions/cluster-peering.mdx b/website/content/partials/text/descriptions/cluster-peering.mdx new file mode 100644 index 00000000000..017369cadfc --- /dev/null +++ b/website/content/partials/text/descriptions/cluster-peering.mdx @@ -0,0 +1,5 @@ +Cluster peering connects two or more independent Consul clusters so that services deployed to different datacenters can communicate. The process to establish a connection generates and exchanges peering tokens between admin partitions in each datacenter. + +Peering topologies that include more than one admin partition in a single Consul datacenter require [Consul Enterprise](/consul/docs/enterprise). HCP Consul enables additional support for cluster peering lifecycle operations through [HCP Consul Central](/hcp/docs/consul/concepts/consul-central). + +Cluster peering in your service mesh enables [sameness groups](/consul/docs/segment/sameness-group), [service failover](/consul/docs/manage-traffic/failover), and connections between Consul clusters owned by different operators. Refer to the [Cluster peering documentation](/consul/docs/east-west/cluster-peering#guidance) for more information. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/consul-dns.mdx b/website/content/partials/text/descriptions/consul-dns.mdx new file mode 100644 index 00000000000..082115f12c3 --- /dev/null +++ b/website/content/partials/text/descriptions/consul-dns.mdx @@ -0,0 +1,3 @@ +Consul DNS is the primary interface for querying records when Consul service mesh is disabled and your network runs in a non-Kubernetes environment. Consul DNS lets you look up services and nodes registered with Consul without making HTTP API requests to Consul. + +Refer to the [Consul DNS overview](/consul/docs/services/discovery/dns-overview) for additional information. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/consul-template.mdx b/website/content/partials/text/descriptions/consul-template.mdx new file mode 100644 index 00000000000..b8cd54e9962 --- /dev/null +++ b/website/content/partials/text/descriptions/consul-template.mdx @@ -0,0 +1,3 @@ +Consul Template is a tool that enables you to programmatically render configuration files according to data in Consul's KV store and the services registered to the catalog. It updates configuration files according to relevant changes in the datacenter. This tool requires a separate download and installation becuase it is not part of Consul's binary. + +For more information, refer to [Consul Template overview](/consul/docs/dynamic-app/consul-template). \ No newline at end of file diff --git a/website/content/partials/text/descriptions/distributed-tracing.mdx b/website/content/partials/text/descriptions/distributed-tracing.mdx new file mode 100644 index 00000000000..5a3428ad727 --- /dev/null +++ b/website/content/partials/text/descriptions/distributed-tracing.mdx @@ -0,0 +1,3 @@ +Distributed tracing tracks and correlates requests between microservices, including proxies and gateways, in your service mesh. By implementing a tracing library such as Jaeger or Zipkin, you can trace the spans a request follows to investigate failures between service calls. + +Refer to [distributed tracing](/consul/docs/observe/distributed-tracing) for more information. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/kv/session.mdx b/website/content/partials/text/descriptions/kv/session.mdx new file mode 100644 index 00000000000..0008b7239c2 --- /dev/null +++ b/website/content/partials/text/descriptions/kv/session.mdx @@ -0,0 +1,3 @@ +Consul provides a session mechanism you can use to build distributed locks. When the services in an application's service mesh operate across multiple nodes, distributed locks can restrict traffic between nodes to prevent resource exhaustion and application failure. Sessions can be configured to use data from Consul's KV store. + +For more information, refer to [Sessions overview](/consul/docs/dynamic-config/sessions). \ No newline at end of file diff --git a/website/content/partials/text/descriptions/kv/store.mdx b/website/content/partials/text/descriptions/kv/store.mdx new file mode 100644 index 00000000000..a913677d0e2 --- /dev/null +++ b/website/content/partials/text/descriptions/kv/store.mdx @@ -0,0 +1,3 @@ +Consul includes a built-in key/value store that stores indexed objects on Consul servers and makes them accessible by any Consul agent. Advanced deployment strategies leverage Consul's KV store to watch for changes, create distributed semaphors, and dynamically generate configuration files for automated deployments. Consul's KV store is enabled by default. The Consul KV API, CLI, and UI are now considered feature complete and no new feature development is planned for future releases. + +For more information, refer to [Consul key/value (KV) store overview](/consul/docs/dynamic-app/kv). \ No newline at end of file diff --git a/website/content/partials/text/descriptions/kv/watch.mdx b/website/content/partials/text/descriptions/kv/watch.mdx new file mode 100644 index 00000000000..bda8136bee0 --- /dev/null +++ b/website/content/partials/text/descriptions/kv/watch.mdx @@ -0,0 +1,3 @@ +Watches can monitor a datacenter's key/value (KV) store, services, nodes, health checks, and events for updates. You can configure a view of data to watch in an agent configuration file so that when the data changes, Consul invokes a handler that can call an HTTP endpoint or run an executable. + +For more information, refer to [Watches overview](/consul/docs/dynamic-config/watch). \ No newline at end of file diff --git a/website/content/partials/text/descriptions/load-balancer.mdx b/website/content/partials/text/descriptions/load-balancer.mdx new file mode 100644 index 00000000000..bbb5f4dc7ca --- /dev/null +++ b/website/content/partials/text/descriptions/load-balancer.mdx @@ -0,0 +1,3 @@ +A load balancer accepts incoming traffic requests and routes them to service instances in a distributed network so that resource consumption is spread between available instances and individual nodes are not overworked. Consul functions as a load balancer by directing traffic to healthy service instances using information registered to the catalog and Consul DNS. Consul can also integrate with external load balancers such as NGINX and HAProxy. + +Load balancing is a core component of Consul's service discovery functionality. For more information, refer to [load balancing overview](/consul/docs/discover/load-balancer). \ No newline at end of file diff --git a/website/content/partials/text/descriptions/mesh-gateway.mdx b/website/content/partials/text/descriptions/mesh-gateway.mdx new file mode 100644 index 00000000000..49c832e8c7a --- /dev/null +++ b/website/content/partials/text/descriptions/mesh-gateway.mdx @@ -0,0 +1,3 @@ +Mesh gateways route service mesh traffic between Consul datacenters that reside in different cloud or runtime environments where general interconnectivity between all services in all datacenters is not feasible. In hybrid or multi-cloud production environments, mesh gateways secure communication between datacenters deployed to different cloud regions or platforms. + +After you register a mesh gateway with Consul, you can configure a service's sidecar proxy to enable the mesh gateway as a service upstream. Refer to the [Mesh gateway documentation](/consul/docs/east-west/mesh-gateway) for more information. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/namespace.mdx b/website/content/partials/text/descriptions/namespace.mdx new file mode 100644 index 00000000000..380fa8da751 --- /dev/null +++ b/website/content/partials/text/descriptions/namespace.mdx @@ -0,0 +1,3 @@ +Namespaces isolate data for different users or teams. They exist one level below admin partitions in Consul's identity hierarchy. Server clusters register services to multiple namespaces require a [Consul Enterprise license](/consul/docs/enterprise/license). + +Namespaces can help reduce operational challenges by removing restrictions around uniqueness of resource names across distinct teams. You can secure namespace resources with Consul's Access Control List (ACL) system. Refer to the [namespace documentation](/consul/docs/segment/namespace) for more information. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/network-area.mdx b/website/content/partials/text/descriptions/network-area.mdx new file mode 100644 index 00000000000..d46d700b783 --- /dev/null +++ b/website/content/partials/text/descriptions/network-area.mdx @@ -0,0 +1,3 @@ +Network areas specify a relationship between a pair of Consul datacenters. Operators create reciprocal areas on each side of the relationship and then joins them together. This networking strategy allows for more flexible relationships between Consul datacenters, such as hub/spoke or more general tree structures. Because traffic between network areas uses server RPC (8300/tcp), you can secure it using only TLS. + +Refer to the [Network area documentation](/consul/docs/east-west/network-area) for more information. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/network-segment.mdx b/website/content/partials/text/descriptions/network-segment.mdx new file mode 100644 index 00000000000..b16a1420d53 --- /dev/null +++ b/website/content/partials/text/descriptions/network-segment.mdx @@ -0,0 +1,3 @@ +Network segments enable Consul deployments for organizations with network rules or firewalls that prevent full connectivity between all agents in a datacenter's gossip pool. Establishing communication boundaries with Consul network segments limits Consul's connectivity requirements to an individual segment. + +Network segments are defined in agent configuration files and require a [Consul Enterprise license](/consul/docs/enterprise/license). Refer to the [network segments documentation](/consul/docs/segment/network-segment) for more information. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/prepared-query.mdx b/website/content/partials/text/descriptions/prepared-query.mdx new file mode 100644 index 00000000000..88b68226d4a --- /dev/null +++ b/website/content/partials/text/descriptions/prepared-query.mdx @@ -0,0 +1,3 @@ +Prepared queries are configurations that enable you to register a complex service query and perform dynamic lookups on services using Consul DNS. Prepared queries enable advanced lookup scenarios such filtering by multiple tags and returning services that match a prefix. You can also use prepared queries to implement service failover scenarios between datacenters. + +For more information, refer to [Perform dynamic service lookups with prepared queries](/consul/docs/discover/prepared-query). \ No newline at end of file diff --git a/website/content/partials/text/descriptions/sameness-group.mdx b/website/content/partials/text/descriptions/sameness-group.mdx new file mode 100644 index 00000000000..201c8fb1e2c --- /dev/null +++ b/website/content/partials/text/descriptions/sameness-group.mdx @@ -0,0 +1,3 @@ +Sameness groups are a user-defined set of admin partitions with identical configurations, including namespaces and configuration entries. By establishing cluster peering connections and exporting services between these partitions when creating a sameness group, operators can manage groups of services across regions, runtimes, and cloud environments, and implement automated service failover strategies. + +Sameness groups require a [Consul Enterprise license](/consul/docs/enterprise/license). Refer to [create sameness groups](/consul/docs/segment/sameness-group) for more information. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/service-intention.mdx b/website/content/partials/text/descriptions/service-intention.mdx new file mode 100644 index 00000000000..14520aec955 --- /dev/null +++ b/website/content/partials/text/descriptions/service-intention.mdx @@ -0,0 +1,3 @@ +Service intentions control communication between services at the L4 (network) layer and the L7 (application) layer, depending on the protocol the services use to communicate. You can define service intentions in a configuration entry to automatically deny all service-to-service communication, and then configure more specific intentions to allow only defined traffic within the service mesh. You can also configure service intentions so that sidecar proxies must present a JSON Web Token (JWT) for authorization. + +For more information, refer to [service mesh intentions overview](/consul/docs/secure-mesh/intention). \ No newline at end of file diff --git a/website/content/partials/text/descriptions/static-query.mdx b/website/content/partials/text/descriptions/static-query.mdx new file mode 100644 index 00000000000..6f85b504a0e --- /dev/null +++ b/website/content/partials/text/descriptions/static-query.mdx @@ -0,0 +1,3 @@ +To lookup details about registered services and specific service instances, perform a static query using Consul DNS to return A and SRV records for your deployment. Consul DNS enables you to return results from across your Consul deployment, including the number of healthy instances and network addresses of nodes that match service names or custom tags. + +Consul Enterprise enables static lookups for Enterprise features such as virtual services and sameness groups. Refer to [Perform static DNS queries](/consul/docs/discover/static-query) for more information. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/telemetry.mdx b/website/content/partials/text/descriptions/telemetry.mdx new file mode 100644 index 00000000000..48c21ffb483 --- /dev/null +++ b/website/content/partials/text/descriptions/telemetry.mdx @@ -0,0 +1,3 @@ +Consul agents, dataplanes, gateways, and sidecar proxies emit metrics that you can access and visualize using tools such as Prometheus and Grafana. Consul's UI can display visualizations of service mesh topologies and L7 metrics when they are enabled and configured in Consul. [HCP Consul Central](/hcp/docs/consul/concepts/central) enables additional visualizations of cluster insights using dashboards and configurations managed by HashiCorp. + +Refer to [service mesh telemetry on virtual machines (VMs)](/consul/docs/observe/telemetry/vms) or [service mesh telemetry on Kubernetes](/consul/docs/observe/telemetry/k8s) for more information. \ No newline at end of file diff --git a/website/content/partials/text/descriptions/wan-federation.mdx b/website/content/partials/text/descriptions/wan-federation.mdx new file mode 100644 index 00000000000..904ddec797b --- /dev/null +++ b/website/content/partials/text/descriptions/wan-federation.mdx @@ -0,0 +1,3 @@ +Wide Area Network (WAN) federation joins two or more Consul datacenters. When you enable WAN federation in each server cluster and declare one of them the primary datacenter, Consul agents can communicate using WAN gossip to function as if they were a single datacenter. + +WAN federation in your service mesh enables service-to-service communication across cloud regions, key/value store replication, and advanced strategies for traffic management such as [service failover](/consul/docs/manage-traffic/failover). Refer to the [WAN federation documentation](/consul/docs/east-west/wan-federation#guidance) for more information. \ No newline at end of file diff --git a/website/content/partials/text/guidance/automate.mdx b/website/content/partials/text/guidance/automate.mdx new file mode 100644 index 00000000000..9ccd498d287 --- /dev/null +++ b/website/content/partials/text/guidance/automate.mdx @@ -0,0 +1,9 @@ +To learn how to dynamically configure applications using Consul's KV store, complete the tutorials in the [Integrate your Applications with Consul collection](/consul/tutorials/developer-configuration). + +## Reference documentation + +The most experienced users want to quickly find the reference information for specific parts of the component they are using. List all relevant reference pages for the topic. + +- [`consul kv` CLI command reference](/consul/commands/kv) +- [`/kv` HTTP API endpoint reference](/consul/api-docs/kv) +- [Agent configuration reference](/consul/docs/reference/agent) \ No newline at end of file diff --git a/website/content/partials/text/guidance/discover.mdx b/website/content/partials/text/guidance/discover.mdx new file mode 100644 index 00000000000..c15b5d64ac7 --- /dev/null +++ b/website/content/partials/text/guidance/discover.mdx @@ -0,0 +1,25 @@ +To get started with the service discovery features described on this page, refer to the following tutorials: + +- [Register your services to Consul](/consul/tutorials/get-started-vms/virtual-machine-gs-service-discovery) includes service queries on VMs +- [Ensure only healthy services are discoverable](/consul/tutorials/developer-discovery/service-registration-health-checks) +- [DNS caching](/consul/tutorials/networking/dns-caching) +- [Forward DNS for Consul service discovery](/consul/tutorials/networking/dns-forwarding) +- [Register external services with Consul service discovery](/consul/tutorials/developer-discovery/service-registration-external-services) +- [Integrate Consul with Ambassador Edge Stack on Kubernetes](/consul/tutorials/developer-mesh/service-mesh-gateway-ambassador) +- [Load Balancing with NGINX Plus' Service Discovery Integration](/consul/tutorials/load-balancing/load-balancing-nginx-plus) +- [Load Balancing with NGINX and Consul Template](/consul/tutorials/load-balancing/load-balancing-nginx) +- [Load Balancing with HAProxy Service Discovery Integration](/consul/tutorials/load-balancing/load-balancing-haproxy) +- [Load balancing with F5 and Consul](/consul/tutorials/load-balancing/load-balancing-f5) + +## Runtime specific usage documentation + +For runtime-specific guidance, refer to the following pages: + +- [Consul service discovery on virtual machines](/consul/docs/discover/kvm) +- [Consul service discovery on Kubernetes](/consul/docs/discover/k8s) + +## Reference documentation + +For reference material related to Consul's service discovery functions, refer to the following pages: + +- [Consul DNS reference](/consul/docs/reference/dns) \ No newline at end of file diff --git a/website/content/partials/text/guidance/east-west.mdx b/website/content/partials/text/guidance/east-west.mdx new file mode 100644 index 00000000000..22db5e3505f --- /dev/null +++ b/website/content/partials/text/guidance/east-west.mdx @@ -0,0 +1,17 @@ +For runtime specific guidance, including federating clusters across runtimes, refer to the following topics: + +- [Extend network east/west on virtual machines](/consul/docs/east-west/vm#guidance) +- [Extend network east/west on Kubernetes](/consul/docs/east-west/k8s#guidance) +- [WAN federation between virtual machines and Kubernetes clusters](/consul/docs/east-west/wan-federation/k8s-vm) + +## Reference documentation + +For reference material related to the processes for extending your service mesh by linking segments of your network, refer to the following pages: + +- [CLI reference: `consul join` command](/consul/commands/join) +- [CLI reference: `consul operator area` command](/consul/commands/operator/area) +- [CLI reference: `peering` command](/consul/commands/peering) +- [HTTP API reference: `/operator/area` endpoint](/consul/api-docs/operator/area) +- [HTTP API reference: `/peering` endpoint](/consul/api-docs/peering) +- [Mesh gateway configuration reference](/consul/docs/reference/proxy/connect-proxy) +- [Proxy defaults configuration reference](/consul/docs/reference/config-entry/proxy-defaults) \ No newline at end of file diff --git a/website/content/partials/text/guidance/multi-tenant.mdx b/website/content/partials/text/guidance/multi-tenant.mdx new file mode 100644 index 00000000000..b20d2cd0e1b --- /dev/null +++ b/website/content/partials/text/guidance/multi-tenant.mdx @@ -0,0 +1,23 @@ +## Tutorials + +To get started with the features described on this page, refer to the following tutorials: + +- [Multi-Tenancy with Administrative Partitions](/consul/tutorials/enterprise/consul-admin-partitions?utm_source=docs) +- [Multi Cluster Applications with Consul Enterprise Admin Partitions](/consul/tutorials/kubernetes/kubernetes-admin-partitions?utm_source=docs) +- [Setup secure namespaces](/consul/tutorials/namespaces/namespaces-secure-shared-access) +- [Register and discover services within namespaces](/consul/tutorials/namespaces/namespaces-share-datacenter-access) + +## Runtime-specific usage documentation + +For runtime-specific guidance, refer to the following pages: + +- [Configure partitions on Kubernetes](/consul/segment/admin-partition/k8s) +- [Use Consul and Kubernetes namespaces](/consul/segment/namespace/k8s) +- [Create network segments on virtual machines (VMs)](/consul/segment/namespace/vm) + +## Reference documentation + +For reference material related to Consul's multi-tenancy capabilities, refer to the following pages: + +- [Namespace reference](/consul/docs/reference/namespace) +- [Sameness group configuration entry](/reference/config-entry/sameness-group) \ No newline at end of file diff --git a/website/content/partials/text/guidance/north-south.mdx b/website/content/partials/text/guidance/north-south.mdx new file mode 100644 index 00000000000..2a995278905 --- /dev/null +++ b/website/content/partials/text/guidance/north-south.mdx @@ -0,0 +1,4 @@ +Refer to the following topics for information about deploying API and ingress gateways: + +- [API gateway resources](/consul/docs/north-south/api-gateway#guidance) +- [Ingress gateway resources](/consul/docs/north-south/ingress-gateway#guidance) \ No newline at end of file diff --git a/website/content/partials/text/guidance/observe.mdx b/website/content/partials/text/guidance/observe.mdx new file mode 100644 index 00000000000..ec6b34cc250 --- /dev/null +++ b/website/content/partials/text/guidance/observe.mdx @@ -0,0 +1,26 @@ +To get started with the features described on this page, refer to the tutorials in the [Observability tutorial collection](/consul/tutorials/service-mesh-observability): + +- [Monitor application health and performance with Consul proxy metrics](/consul/tutorials/service-mesh-observability/proxy-metrics) +- [Debug service mesh events and errors with Consul proxy access logs](/consul/tutorials/service-mesh-observability/proxy-access-logs) +- [Monitor Consul server health and performance with metrics and logs](/consul/tutorials/service-mesh-observability/server-metrics-and-logs#enable-consul-server-metrics-and-logging) +- [Visualize Service Mesh Communication in the Consul UI](/consul/tutorials/service-mesh-observability/service-mesh-visualization) +- [Observe Consul service mesh traffic with Prometheus](/consul/tutorials/service-mesh-observability/service-mesh-observability) +- [Layer 7 observability with Prometheus, Grafana, and Kubernetes](/consul/tutorials/service-mesh-observability/kubernetes-layer7-observability) +- HashiConf 2023 Learn Lab: [Deep observability insights at any scale with Consul](/consul/tutorials/service-mesh-observability/hashiconf-2023) + +### Runtime specific usage documentation + +For runtime-specific guidance, refer to the following pages: + +- [Observe service mesh telemetry on virtual machines (VMs)](/consul/docs/observe/telemetry/vm) +- [Observe service mesh telemetry on Kubernetes](/consul/docs/observe/telemetry/k8s) + +### Reference documentation + +For reference material related to Consul's observability functions, refer to the following pages: + +- [Telemetry parameters in Consul agent configuration reference](/consul/docs/reference/agent#telemetry-parameters) +- [`global.metrics` parameters in Kubernetes Helm chart reference](/consul/docs/reference/k8s/helm#v-global-metrics) +- [Proxy defaults configuration reference](/consul/docs/reference/config-entry/proxy-defaults) +- [Envoy proxy configuration reference](/consul/docs/reference/proxy/envoy) +- [OpenTelemetry Access Logging extension configuration reference](/consul/docs/reference/proxy/extensions/otel) \ No newline at end of file diff --git a/website/content/partials/text/guidance/secure-mesh.mdx b/website/content/partials/text/guidance/secure-mesh.mdx new file mode 100644 index 00000000000..340674b2b47 --- /dev/null +++ b/website/content/partials/text/guidance/secure-mesh.mdx @@ -0,0 +1,22 @@ +To learn more about the workflows described in this topic, refer to the following tutorials: + - [Securely connect your services with Consul service mesh on VMs](/consul/tutorials/get-started-vms/virtual-machine-gs-service-mesh) + - [Securely connect your services with Consul service mesh on Kubernetes](/consul/tutorials/get-started-kubernetes/kubernetes-gs-service-mesh) + +## Runtime-specific usage documentation + +For runtime-specific guidance, refer to the following pages: + +- [Bootstrap Consul's certificate authority on VMs](/consul/docs/secure-mesh/certificate/bootstrap/vm) +- [Bootstrap Consul's certificate authority on Kubernetes](/consul/docs/secure-mesh/certificate/bootstrap/k8s) + +## Reference documentation + +For reference material related to Consul's service mesh security options, refer to the following pages: + +- [`/connect/ca` HTTP API endpoint reference](/consul/api-docs/connect/ca) +- [`/connect/intentions` HTTP API endpoint reference](/consul/api-docs/connect/intentions) +- [`consul connect ca` CLI command reference](/consul/commands/connect/ca) +- [`consul intention` CLI command reference](/consul/commands/intention) +- [Consul agent configuration reference](/consul/docs/reference/agent) +- [`service-intentions` configuration entry reference](/consul/docs/reference/config-entry/service-intentions) +- [`TrafficPermissions` v2 resource reference](/consul/docs/resource/trafficpermissions) \ No newline at end of file diff --git a/website/content/partials/text/limitations/discover.mdx b/website/content/partials/text/limitations/discover.mdx new file mode 100644 index 00000000000..153bdec1f73 --- /dev/null +++ b/website/content/partials/text/limitations/discover.mdx @@ -0,0 +1,6 @@ +If you experience errors when using Consul's service discovery features, refer to the following list of technical constraints. + +- Consul's DNS and service discovery features are enabled by default. When Consul service mesh is enabled, you can use an existing DNS such as CoreDNS by configuring Consul's transparent proxy. Refer to [transparent proxy](/consul/docs/connect/proxy/transparent-proxy) for more information. +- When Consul's service mesh is enabled, you can use configuration entries that have additional impacts on Consul's service discovery behavior: + - You can customize Consul's load balancing policy using a [service resolver configuration entry](/consul/docs/reference/config-entry/service-resolver#loadbalancer). + - You can adjust the request rate for services using a [service defaults configuration entry](/consul/docs/reference/config-entry/service-defaults). \ No newline at end of file diff --git a/website/content/partials/text/limitations/east-west.mdx b/website/content/partials/text/limitations/east-west.mdx new file mode 100644 index 00000000000..d367a5bfd82 --- /dev/null +++ b/website/content/partials/text/limitations/east-west.mdx @@ -0,0 +1,4 @@ +If you experience errors when linking segments of your network, refer to the following list of technical constraints. + +- Consul does not support deployments that use WAN federation and cluster peering simultaneously. +- The Consul UI does not support the creation of cluster peering connections, WAN-federated datacenters, federated network areas, or mesh gateways. A dedicated user interface to view, create, and manage cluster peering connections is available through [HCP Consul Central](/hcp/docs/consul/monitor/consul-central/network-views#cluster-peering). \ No newline at end of file diff --git a/website/content/partials/text/limitations/kv.mdx b/website/content/partials/text/limitations/kv.mdx new file mode 100644 index 00000000000..ef86b430d13 --- /dev/null +++ b/website/content/partials/text/limitations/kv.mdx @@ -0,0 +1,3 @@ +If you experience errors when using the Consul KV store, refer to the following list of technical constraints. + +- The Consul KV and its API, CLI, and UI controls are considered feature complete. New feature development is not planned for future Consul releases. \ No newline at end of file diff --git a/website/content/partials/text/limitations/multi-tenant.mdx b/website/content/partials/text/limitations/multi-tenant.mdx new file mode 100644 index 00000000000..55e06de23c6 --- /dev/null +++ b/website/content/partials/text/limitations/multi-tenant.mdx @@ -0,0 +1,4 @@ +If you experience errors when implementing multi-tenancy on Consul deployments, refer to the following list of technical constraints. + +- WAN-federated Consul deployments support the `default` admin partition only. +- Samneness groups must be configured on each partition that is a member of the group. \ No newline at end of file diff --git a/website/content/partials/text/limitations/observe.mdx b/website/content/partials/text/limitations/observe.mdx new file mode 100644 index 00000000000..84d7c7adb5c --- /dev/null +++ b/website/content/partials/text/limitations/observe.mdx @@ -0,0 +1,4 @@ +If you experience errors when configuring Consul's observability features, refer to the following list of technical constraints. + +- Consul's observability features are not enabled by default on Community and Enterprise deployments. A HashiCorp-managed observability service is available through [HCP Consul Central](/hcp/docs/consul/concepts/central). +- Consul deploys Envoy proxies by default. Tracing spans that are incompatible with Envoy proxies do not function with Consul. \ No newline at end of file diff --git a/website/content/partials/text/limitations/secure-mesh.mdx b/website/content/partials/text/limitations/secure-mesh.mdx new file mode 100644 index 00000000000..ca91c201429 --- /dev/null +++ b/website/content/partials/text/limitations/secure-mesh.mdx @@ -0,0 +1,3 @@ +If you experience errors when securing service mesh communication, refer to the following list of technical constraints. + +- You must bootstrap Consul's built-in certificate authority in order to use it. diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 1276feaa025..290ef2b2cb0 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -1,148 +1,753 @@ [ { - "title": "What is Consul?", - "path": "intro" + "heading": "Get started" }, { - "title": "Why Choose Consul?", + "title": "Quickstart", "routes": [ { - "title": "Overview", - "path": "consul-vs-other" + "title": "Consul on VMs", + "href": "/consul/tutorials/get-started-vms" }, { - "title": "Service Meshes", - "path": "consul-vs-other/service-mesh-compare" + "title": "Consul on Kubernetes", + "href": "/consul/tutorials/get-started-kubernetes" }, { - "title": "DNS Tools", - "path": "consul-vs-other/dns-tools-compare" + "title": "HCP Consul Dedicated", + "href": "/consul/tutorials/get-started-hcp" + } + ] + }, + { + "divider": true + }, + { + "heading": "Consul operations" + }, + { + "title": "Deploy Consul", + "routes": [ + { + "title": "Overview", + "path": "deploy" }, { - "title": "Configuration Management Tools", - "path": "consul-vs-other/config-management-compare" + "title": "Deploy server cluster", + "routes": [ + { + "title": "Overview", + "path": "deploy/server" + }, + { + "title": "Required ports", + "path": "deploy/server/ports" + }, + { + "title": "FIPS 140-2 compliance", + "path": "deploy/server/fips" + }, + { + "title": "WAL LogStore", + "routes": [ + { + "title": "Overview", + "path": "deploy/server/wal" + }, + { + "title": "Enable WAL LogStore backend", + "path": "deploy/server/wal/enable" + }, + { + "title": "Monitor Raft metrics and logs", + "path": "deploy/server/wal/monitor-raft" + }, + { + "title": "Revert to BoltDB", + "path": "deploy/server/wal/revert-boltdb" + } + ] + }, + { + "title": "HCP Consul Dedicated", + "path": "deploy/server/hcp" + }, + { + "title": "Virtual machine (VM)", + "routes": [ + { + "title": "Overview", + "path": "deploy/server/vm" + }, + { + "title": "Bootstrap a datacenter", + "path": "deploy/server/vm/bootstrap" + }, + { + "title": "Automatic agent discovery", + "path": "deploy/server/vm/cloud-auto-join" + }, + { + "title": "Server requirements", + "path": "deploy/server/vm/requirements" + } + ] + }, + { + "title": "Kubernetes", + "routes": [ + { + "title": "Overview", + "path": "deploy/server/k8s" + }, + { + "title": "Kubernetes requirements", + "path": "deploy/server/k8s/requirements" + }, + { + "title": "Deploy with Helm", + "path": "deploy/server/k8s/helm" + }, + { + "title": "Deploy with consul-k8s", + "path": "deploy/server/k8s/consul-k8s" + }, + { + "title": "Deploy Consul Enterprise", + "path": "deploy/server/k8s/enterprise" + }, + { + "title": "Platform guides", + "routes": [ + { + "title": "Minikube", + "path": "deploy/server/k8s/platform/minikube" + }, + { + "title": "Kind", + "path": "deploy/server/k8s/platform/kind" + }, + { + "title": "AKS (Azure)", + "path": "deploy/server/k8s/platform/aks" + }, + { + "title": "EKS (AWS)", + "path": "deploy/server/k8s/platform/eks" + }, + { + "title": "GKE (Google Cloud)", + "path": "deploy/server/k8s/platform/gke" + }, + { + "title": "Red Hat OpenShift", + "path": "deploy/server/k8s/platform/openshift" + }, + { + "title": "Self-hosted Kubernetes", + "path": "deploy/server/k8s/platform/self-hosted" + } + ] + }, + { + "title": "Multi-cluster guides", + "routes": [ + { + "title": "Servers outside Kubernetes", + "path": "deploy/server/k8s/multi/servers-outside" + }, + { + "title": "Consul in multiple Kubernetes clusters", + "path": "deploy/server/k8s/multi/multiple-clusters" + }, + { + "title": "Multi-cluster federation", + "routes": [ + { + "title": "Overview", + "path": "deploy/server/k8s/multi/federation" + }, + { + "title": "Federate Kubernetes clusters", + "path": "deploy/server/k8s/multi/federation/k8s" + }, + { + "title": "Federate VM and Kubernetes clusters", + "path": "deploy/server/k8s/multi/federation/k8s-vm" + } + ] + }, + { + "title": "Vault as a secrets backend", + "routes": [ + { + "title": "Overview", + "path": "deploy/server/k8s/multi/vault" + }, + { + "title": "System integration", + "path": "deploy/server/k8s/multi/vault/system-integration" + }, + { + "title": "Data integration", + "routes": [ + { + "title": "Overview", + "path": "deploy/server/k8s/multi/vault/data-integration" + }, + { + "title": "Bootstrap token", + "path": "deploy/server/k8s/multi/vault/data-integration/bootstrap-token" + }, + { + "title": "Enterprise license", + "path": "deploy/server/k8s/multi/vault/data-integration/enterprise-license" + }, + { + "title": "Gossip encryption key", + "path": "deploy/server/k8s/multi/vault/data-integration/gossip-encryption-key" + }, + { + "title": "Partition token", + "path": "deploy/server/k8s/multi/vault/data-integration/partition-token" + }, + { + "title": "Replication token", + "path": "deploy/server/k8s/multi/vault/data-integration/replication-token" + }, + { + "title": "Server TLS", + "path": "deploy/server/k8s/multi/vault/data-integration/server-tls" + }, + { + "title": "Service mesh certificates", + "path": "deploy/server/k8s/multi/vault/data-integration/service-mesh-certificate" + }, + { + "title": "Snapshot agent config", + "path": "deploy/server/k8s/multi/vault/data-integration/snapshot-agent-config" + }, + { + "title": "Webhook certificates", + "path": "deploy/server/k8s/multi/vault/data-integration/webhook-certificates" + } + ] + }, + { + "title": "WAN federation", + "path": "deploy/server/k8s/multi/vault/wan" + } + ] + } + ] + }, + { + "title": "Uninstall Consul on Kubernetes", + "path": "deploy/server/k8s/uninstall" + } + ] + }, + { + "title": "AWS ECS", + "path": "deploy/server/ecs" + } + ] }, { - "title": "API Gateways", - "path": "consul-vs-other/api-gateway-compare" + "title": "Deploy Consul clients or dataplanes", + "routes": [ + { + "title": "Overview", + "path": "deploy/workload" + }, + { + "title": "Client agents", + "routes": [ + { + "title": "Virtual machines", + "path": "deploy/workload/client/vm" + }, + { + "title": "Kubernetes", + "path": "deploy/workload/client/k8s" + } + ] + }, + { + "title": "Dataplanes", + "routes": [ + { + "title": "Kubernetes", + "path": "deploy/workload/dataplane/k8s" + }, + { + "title": "ECS", + "path": "deploy/workload/dataplane/ecs" + } + ] + } + ] } ] }, { - "title": "Core Concepts", + "title": "Secure Consul", "routes": [ { - "title": "Service Discovery", - "path": "concepts/service-discovery" + "title": "Overview", + "path": "secure" }, { - "title": "Service Mesh", - "path": "concepts/service-mesh" + "title": "Access Control Lists (ACLs)", + "routes": [ + { + "title": "Overview", + "path": "secure/acl" + }, + + { + "title": "Tokens", + "path": "secure/acl/token" + }, + { + "title": "Policies", + "path": "secure/acl/policy" + }, + { + "title": "Roles", + "path": "secure/acl/role" + }, + { + "title": "Rules", + "href": "reference/acl/rule" + }, + { + "title": "Auth methods", + "routes": [ + { + "title": "Overview", + "path": "secure/acl/auth-method" + }, + { + "title": "Kubernetes", + "path": "secure/acl/auth-method/k8s" + }, + { + "title": "JWT", + "path": "secure/acl/auth-method/jwt" + }, + { + "title": "OIDC (ENT)", + "path": "secure/acl/auth-method/oidc" + }, + { + "title": "AWS IAM", + "path": "secure/acl/auth-method/aws-iam" + } + ] + }, + { + "title": "Bootstrap ACL system", + "path": "secure/acl/bootstrap" + }, + { + "title": "Create common policies and tokens", + "routes": [ + { + "title": "Agent token", + "path": "secure/acl/create-token/agent" + }, + { + "title": "DNS token", + "path": "secure/acl/create-token/dns" + }, + { + "title": "External Service Monitor (ESM) token", + "path": "secure/acl/create-token/esm" + }, + { + "title": "Ingress gateway token", + "path": "secure/acl/create-token/ingress-gateway" + }, + { + "title": "Mesh gateway token", + "path": "secure/acl/create-token/mesh-gateway" + }, + { + "title": "Replication token", + "path": "secure/acl/create-token/replication" + }, + { + "title": "Service token", + "path": "secure/acl/create-token/service" + }, + { + "title": "Snapshot agent token", + "path": "secure/acl/create-token/snapshot-agent" + }, + { + "title": "Terminating gateway token", + "path": "secure/acl/create-token/terminating-gateway" + }, + { + "title": "UI token", + "path": "secure/acl/create-token/ui" + }, + { + "title": "Vault as storage backend", + "path": "secure/acl/create-token/vault-storage-backend" + } + ] + }, + { + "title": "Enable ACLs in federated datacenters", + "path": "secure/acl/enable-federated-datacenters" + }, + { + "title": "Migrate legacy tokens", + "path": "secure/acl/legacy" + }, + { + "title": "Troubleshoot", + "path": "secure/acl/troubleshoot" + } + ] + }, + { + "title": "Encryption", + "routes": [ + { + "title": "Overview", + "path": "secure/encryption" + }, + { + "title": "Encrypt gossip traffic", + "routes": [ + { + "title": "Enable on new datacenters", + "path": "secure/encryption/gossip/enable" + }, + { + "title": "Enable on existing datacenters", + "path": "secure/encryption/gossip/existing" + } + ] + }, + { + "title": "Encrypt RPC traffic (TLS)", + "routes": [ + { + "title": "Built-in", + "path": "secure/encryption/tls/builtin" + }, + { + "title": "OpenSSL", + "path": "secure/encryption/tls/openssl" + }, + { + "title": "Enable on existing datacenters", + "path": "secure/encryption/tls/existing" + } + ] + } + ] + }, + { + "title": "Security model", + "routes": [ + { + "title": "Overview", + "path": "secure/security-model" + }, + { + "title": "Consul Core", + "path": "secure/security-model/core" + }, + { + "title": "Consul-Terraform-Sync (CTS)", + "path": "secure/security-model/cts" + } + ] } ] }, { - "title": "Get Started", + "title": "Manage multi-tenancy", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, "routes": [ { - "title": "Install Consul", - "path": "install" + "title": "Overview", + "path": "multi-tenant" }, { - "title": "Learn HCP Consul Dedicated", - "href": "https://developer.hashicorp.com/consul/tutorials/get-started-hcp" + "title": "Admin partitions", + "routes": [ + { + "title": "Overview", + "path": "multi-tenant/admin-partition" + }, + { + "title": "Configure partitions on Kubernetes", + "path": "multi-tenant/admin-partition/k8s" + } + ] }, { - "title": "Learn Consul on Kubernetes", - "href": "https://developer.hashicorp.com/consul/tutorials/get-started-kubernetes" + "title": "Namespaces", + "routes": [ + { + "title": "Overview", + "path": "multi-tenant/namespace" + }, + { + "title": "Configure namespaces on Kubernetes", + "path": "multi-tenant/namespace/k8s" + } + ] }, { - "title": "Learn Consul on VMs", - "href": "https://developer.hashicorp.com/consul/tutorials/get-started-vms" + "title": "Network segments", + "routes": [ + { + "title": "Overview", + "path": "multi-tenant/network-segment" + }, + { + "title": "Create network segments (VM)", + "path": "multi-tenant/network-segment/vm" + } + ] }, { - "title": "Manual Bootstrap", - "path": "install/manual-bootstrap", - "hidden": true - }, + "title": "Sameness groups", + "path": "multi-tenant/sameness-group" + } + ] + }, + { + "title": "Manage Consul", + "routes": [ { - "title": "Consul Agent", - "href": "/docs/agent" + "title": "Overview", + "path": "manage" }, { - "title": "Glossary", - "path": "install/glossary" + "title": "Agent rate limits", + "routes": [ + { + "title": "Overview", + "path": "manage/agent-rate-limit" + }, + { + "title": "Initialize rate limit settings", + "path": "manage/agent-rate-limit/initialize" + }, + { + "title": "Monitor traffic rate limits", + "path": "manage/agent-rate-limit/monitor" + }, + { + "title": "Set global traffic rate limits", + "path": "manage/agent-rate-limit/set-global" + }, + { + "title": "Limit traffic rates from source IP address", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, + "path": "manage/agent-rate-limit/source-ip-address" + } + ] }, { - "title": "Required Ports", - "path": "install/ports" + "title": "Automated backups", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, + "path": "manage/automated-backup" }, { - "title": "Bootstrapping a Datacenter", - "path": "install/bootstrapping" + "title": "Redundancy zones", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, + "path": "manage/redundancy-zone" }, { - "title": "Cloud Auto-join", - "path": "install/cloud-auto-join" + "title": "Read replicas", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, + "path": "manage/read-replica" }, { - "title": "Server Performance", - "path": "install/performance" + "title": "Consul at Scale", + "path": "manage/scale" }, { - "title": "Kubernetes", - "href": "/docs/k8s" + "title": "Snapshot", + "path": "manage/snapshot" } ] }, { - "title": "Architecture", + "title": "Monitor Consul", "routes": [ { "title": "Overview", - "path": "architecture" + "path": "monitor" }, { - "title": "v1 Catalog", - "path": "architecture/catalog" + "title": "Consul telemetry", + "routes": [ + { + "title": "Overview", + "path": "monitor/telemetry" + }, + { + "title": "Agent telemetry", + "path": "monitor/telemetry/agent" + }, + { + "title": "Dataplane telemetry", + "path": "monitor/telemetry/dataplane" + } + ] }, { - "title": "Improving Consul Resilience", - "path": "architecture/improving-consul-resilience" + "title": "Consul logs", + "routes": [ + { + "title": "Consul agent logs", + "path": "monitor/log/agent" + }, + { + "title": "Audit logs", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, + "path": "monitor/log/audit" + } + ] + } + ] + }, + { + "title": "Upgrade Consul", + "routes": [ + { + "title": "Overview", + "path": "upgrade" }, { - "title": "Anti-Entropy", - "path": "architecture/anti-entropy" + "title": "Automated upgrades", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, + "path": "upgrade/automated" }, { - "title": "Consensus Protocol", - "path": "architecture/consensus" + "title": "Compatibility promise", + "path": "upgrade/compatibility-promise" }, { - "title": "Gossip Protocol", - "path": "architecture/gossip" + "title": "Long Term Support (LTS)", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, + "path": "upgrade/lts" }, { - "title": "Jepsen Testing", - "path": "architecture/jepsen" + "title": "Specific version details", + "path": "upgrade/version-specific" }, { - "title": "Network Coordinates", - "path": "architecture/coordinates" + "title": "Upgrade instructions", + "routes": [ + { + "title": "Overview", + "path": "upgrade/instructions" + }, + { + "title": "General Process", + "path": "upgrade/instructions/general-process" + }, + { + "title": "Upgrade to Consul v1.2.x", + "path": "upgrade/instructions/upgrade-to-1-2-x" + }, + { + "title": "Upgrade to Consul v1.6.x", + "path": "upgrade/instructions/upgrade-to-1-6-x" + }, + { + "title": "Upgrade to Consul v1.8.x", + "path": "upgrade/instructions/upgrade-to-1-8-x" + }, + { + "title": "Upgrade to Consul v1.10.x", + "path": "upgrade/instructions/upgrade-to-1-10-x" + } + ] }, { - "title": "Consul at Scale", - "path": "architecture/scale" + "title": "Consul on Kubernetes", + "routes": [ + { + "title": "Overview", + "path": "upgrade/k8s" + }, + { + "title": "Compatibility", + "path": "upgrade/k8s/compatibility" + }, + { + "title": "consul-k8s", + "path": "upgrade/k8s/consul-k8s" + }, + { + "title": "Upgrade cluster to use CRDs", + "path": "upgrade/k8s/crds" + } + ] + }, + { + "title": "ECS", + "routes": [ + { + "title": "Overview", + "path": "upgrade/ecs" + }, + { + "title": "Upgrade to Consul dataplane", + "path": "upgrade/ecs/dataplane" + } + ] }, { - "title": "Consul Capacity Planning", - "path": "architecture/capacity-planning" + "title": "API gateway", + "path": "upgrade/api-gateway" } ] }, - { - "divider": true - }, { "title": "Release Notes", "routes": [ @@ -314,1096 +919,972 @@ ] }, { - "title": "Upgrade", - "routes": [ - { - "title": "Overview", - "path": "upgrading" - }, - { - "title": "Compatibility Promise", - "path": "upgrading/compatibility" - }, - { - "title": "Specific Version Details", - "path": "upgrading/upgrade-specific" - }, - { - "title": "Upgrade Instructions", - "routes": [ - { - "title": "Overview", - "path": "upgrading/instructions" - }, - { - "title": "General Process", - "path": "upgrading/instructions/general-process" - }, - { - "title": "Upgrading to Latest 1.2.x", - "path": "upgrading/instructions/upgrade-to-1-2-x" - }, - { - "title": "Upgrading to Latest 1.6.x", - "path": "upgrading/instructions/upgrade-to-1-6-x" - }, - { - "title": "Upgrading to Latest 1.8.x", - "path": "upgrading/instructions/upgrade-to-1-8-x" - }, - { - "title": "Upgrading to Latest 1.10.x", - "path": "upgrading/instructions/upgrade-to-1-10-x" - } - ] - } - ] + "divider": true }, { - "divider": true + "heading": "Service networking" }, { - "title": "Services", + "title": "Register services", "routes": [ { "title": "Overview", - "path": "services/services" + "path": "register" }, { - "title": "Usage", + "title": "Services and health checks", "routes": [ { - "title": "Define services", - "path": "services/usage/define-services" - }, - { - "title": "Define health checks", - "path": "services/usage/checks" - }, - { - "title": "Register services and health checks", - "path": "services/usage/register-services-checks" - } - ] - }, - { - "title": "Discover services with DNS", - "routes": [ - { - "title": "Overview", - "path": "services/discovery/dns-overview" - }, - { - "title": "Configure DNS behavior", - "path": "services/discovery/dns-configuration" - }, - { - "title": "DNS forwarding", + "title": "Virtual machine (VM)", "routes": [ { - "title": "Overview", - "path": "services/discovery/dns-forwarding" + "title": "Define services", + "path": "register/service/vm/define" }, { - "title": "Enable DNS forwarding", - "path": "services/discovery/dns-forwarding/enable" + "title": "Define health checks", + "path": "register/service/vm/health-check" + }, + { + "title": "Register services and health checks", + "path": "register/service/vm" } ] }, { - "title": "Perform static DNS lookups", - "path": "services/discovery/dns-static-lookups" - }, - { - "title": "Cache DNS lookups", - "path": "services/discovery/dns-cache" - }, - { - "title": "Enable dynamic DNS lookups", - "path": "services/discovery/dns-dynamic-lookups" - } - ] - }, - { - "title": "Configuration", - "routes": [ - { - "title": "Overview", - "path": "services/configuration/services-configuration-overview" - }, - { - "title": "Services", - "path": "services/configuration/services-configuration-reference" - }, - { - "title": "Health checks", - "path": "services/configuration/checks-configuration-reference" - }, - { - "title": "Service defaults", - "href": "connect/config-entries/service-defaults" - } - ] - } - ] - }, - { - "title": "Service Mesh", - "routes": [ - { - "title": "Overview", - "path": "connect" - }, - { - "title": "How Service Mesh Works", - "path": "connect/connect-internals" - }, - { - "title": "Configuration", - "path": "connect/configuration" - }, - { - "title": "Configuration entries", - "routes": [ - { - "title": "Overview", - "path": "connect/config-entries" - }, - { - "title": "API gateway", - "path": "connect/config-entries/api-gateway" - }, - { - "title": "HTTP route", - "path": "connect/config-entries/http-route" - }, - { - "title": "TCP route", - "path": "connect/config-entries/tcp-route" - }, - { - "title": "File system certificate", - "path": "connect/config-entries/file-system-certificate" - }, - { - "title": "Inline certificate", - "path": "connect/config-entries/inline-certificate" - }, - { - "title": "Ingress gateway", - "path": "connect/config-entries/ingress-gateway" - }, - { - "title": "JWT Provider", - "path": "connect/config-entries/jwt-provider" - }, - { - "title": "Mesh", - "path": "connect/config-entries/mesh" - }, - { - "title": "Exported services", - "path": "connect/config-entries/exported-services" - }, - { - "title": "Proxy defaults", - "path": "connect/config-entries/proxy-defaults" - }, - { - "title": "Registration", - "path": "connect/config-entries/registration" - }, - { - "title": "Sameness Group", - "path": "connect/config-entries/sameness-group" - }, - { - "title": "Service Defaults", - "path": "connect/config-entries/service-defaults" - }, - { - "title": "Service intentions", - "path": "connect/config-entries/service-intentions" - }, - { - "title": "Service resolver", - "path": "connect/config-entries/service-resolver" - }, - { - "title": "Service router", - "path": "connect/config-entries/service-router" + "title": "Kubernetes", + "routes": [ + { + "title": "Overview", + "path": "register/service/k8s" + }, + { + "title": "Register services with service sync", + "path": "register/service/k8s/service-sync" + }, + { + "title": "Annotations and labels", + "path": "register/service/k8s/annotations" + } + ] }, { - "title": "Service splitter", - "path": "connect/config-entries/service-splitter" + "title": "ECS", + "routes": [ + { + "title": "Requirements", + "path": "register/service/ecs/requirements" + }, + { + "title": "Consul Enterprise configuration", + "path": "register/service/ecs/enterprise" + }, + { + "title": "Register tasks with Terraform", + "path": "register/service/ecs" + }, + { + "title": "Register tasks manually", + "path": "register/service/ecs/manual" + }, + { + "title": "Register existing tasks with Terraform", + "path": "register/service/ecs/migrate" + }, + { + "title": "Configure ECS task bind address", + "path": "register/service/ecs/task-bind-address" + } + ] }, { - "title": "Terminating gateway", - "path": "connect/config-entries/terminating-gateway" + "title": "Lambda", + "routes": [ + { + "title": "Overview", + "path": "register/service/lambda" + }, + { + "title": "Register functions with Terraform", + "path": "register/service/lambda/automatic" + }, + { + "title": "Register functions manually", + "path": "register/service/lambda/manual" + } + ] }, { - "title": "Control plane request limit", - "path": "connect/config-entries/control-plane-request-limit" + "title": "Register Nomad jobs", + "path": "register/service/nomad" } ] }, { - "title": "Proxies", + "title": "External services", "routes": [ { "title": "Overview", - "path": "connect/proxies" + "path": "register/external" }, { - "title": "Deploy service mesh proxies", - "path": "connect/proxies/deploy-service-mesh-proxies" + "title": "External service monitoring (ESM)", + "path": "register/external/esm" }, { - "title": "Deploy sidecar services", - "path": "connect/proxies/deploy-sidecar-services" - }, - { - "title": "Envoy Extensions", + "title": "Terminating gateways", "routes": [ { "title": "Overview", - "path": "connect/proxies/envoy-extensions" + "path": "register/external/terminating-gateway" }, { - "title": "Usage", - "routes": [ - { - "title": "Delegate authorization to Apigee", - "path": "connect/proxies/envoy-extensions/usage/apigee-ext-authz" - }, - { - "title": "Delegate authorization to external services", - "path": "connect/proxies/envoy-extensions/usage/ext-authz" - }, - { - "title": "Run Lua scripts in Envoy proxies", - "path": "connect/proxies/envoy-extensions/usage/lua" - }, - { - "title": "Invoke Lambda functions in Envoy proxies", - "path": "connect/proxies/envoy-extensions/usage/lambda" - }, - { - "title": "Send access logs to OpenTelemetry collector service", - "path": "connect/proxies/envoy-extensions/usage/otel-access-logging" - }, - { - "title": "Configure Envoy proxy properties", - "path": "connect/proxies/envoy-extensions/usage/property-override" - }, - { - "title": "Run WebAssembly plug-ins in Envoy proxies", - "path": "connect/proxies/envoy-extensions/usage/wasm" - } - ] + "title": "Deploy terminating gateway", + "path": "register/external/terminating-gateway/deploy" }, { - "title": "Configuration", - "routes": [ - { - "title": "External authorization", - "path": "connect/proxies/envoy-extensions/configuration/ext-authz" - }, - { - "title": "OpenTelemetry Access Logging", - "path": "connect/proxies/envoy-extensions/configuration/otel-access-logging" - }, - { - "title": "Property override", - "path": "connect/proxies/envoy-extensions/configuration/property-override" - }, - { - "title": "WebAssembly", - "path": "connect/proxies/envoy-extensions/configuration/wasm" - } - ] + "title": "Kubernetes", + "path": "register/external/terminating-gateway/k8s" } ] }, { - "title": "Proxy integration", - "path": "connect/proxies/integrate" - }, - { - "title": "Proxy defaults configuration reference", - "href": "/consul/docs/connect/config-entries/proxy-defaults" - }, + "title": "Onboarding services in transparent proxy mode", + "path": "register/external/permissive-mtls" + } + ] + } + ] + }, + { + "title": "Discover services", + "routes": [ + { + "title": "Overview", + "path": "discover" + }, + { + "title": "DNS", + "routes": [ { - "title": "Envoy proxies reference", - "path": "connect/proxies/envoy" + "title": "Overview", + "path": "discover/dns" }, { - "title": "Built-in proxy reference", - "path": "connect/proxies/built-in" + "title": "Configure DNS behavior", + "path": "discover/dns/configure" }, { - "title": "Service mesh proxy configuration reference", - "path": "connect/proxies/proxy-config-reference" + "title": "Resolve Consul DNS in Kubernetes", + "path": "discover/dns/k8s" } ] }, { - "title": "Service intentions", + "title": "Load balancing", "routes": [ { "title": "Overview", - "path": "connect/intentions" + "path": "discover/load-balancer" }, { - "title": "Create and manage service intentions", - "path": "connect/intentions/create-manage-intentions" + "title": "Envoy", + "path": "discover/load-balancer/envoy" }, { - "title": "JWT authorization for intentions", - "path": "connect/intentions/jwt-authorization" + "title": "NGINX", + "path": "discover/load-balancer/nginx" }, { - "title": "Service intentions legacy mode", - "path": "connect/intentions/legacy" - }, - { - "title": "Configuration", - "href": "/consul/docs/connect/config-entries/service-intentions" + "title": "F5 BIG-IP AS3", + "path": "discover/load-balancer/f5" } ] }, { - "title": "Observability", + "title": "Lookup services", "routes": [ { - "title": "Overview", - "path": "connect/observability" + "title": "Static lookups", + "path": "discover/service/static" }, { - "title": "Access Logs", - "path": "connect/observability/access-logs" - }, + "title": "Dynamic lookups with prepared queries", + "path": "discover/service/dynamic" + } + ] + }, + { + "title": "Virtual machine (VM)", + "path": "discover/vm" + }, + { + "title": "Kubernetes", + "path": "discover/k8s" + } + ] + }, + { + "title": "Connect service mesh", + "routes": [ + { + "title": "Overview", + "path": "connect" + }, + { + "title": "Configuration entries", + "path": "connect/config-entry" + }, + { + "title": "Enable service mesh", + "path": "connect/enable" + }, + { + "title": "Lambda", + "routes": [ { - "title": "Monitor service-to-service communication", - "path": "connect/observability/service" + "title": "Overview", + "path": "connect/lambda" }, { - "title": "UI Visualization", - "path": "connect/observability/ui-visualization" + "title": "Invoke Lambda functions from services", + "path": "connect/lambda/invoke-function" }, { - "title": "Grafana Dashboards", - "routes": [ - { - "title": "Overview", - "path": "connect/observability/grafanadashboards" - }, - { - "title": "Service to Service Dashboard", - "path": "connect/observability/grafanadashboards/service-to-servicedashboard" - }, - { - "title": "Service Dashboard", - "path": "connect/observability/grafanadashboards/servicedashboard" - }, - { - "title": "Consul Dataplane Dashboard", - "path": "connect/observability/grafanadashboards/consuldataplanedashboard" - }, - { - "title": "Consul K8s Dashboard", - "path": "connect/observability/grafanadashboards/consulk8sdashboard" - }, - { - "title": "Consul Server Dashboard", - "path": "connect/observability/grafanadashboards/consulserverdashboard" - } - ] + "title": "Invoke services from Lambda functions", + "path": "connect/lambda/invoke-service" } ] }, { - "title": "Manage traffic", + "title": "Proxy", "routes": [ { "title": "Overview", - "path": "connect/manage-traffic" + "path": "connect/proxy" + }, + { + "title": "Deploy service mesh proxy", + "path": "connect/proxy/mesh" }, { - "title": "Route traffic to local upstreams", - "path": "connect/manage-traffic/route-to-local-upstreams" + "title": "Deploy sidecar proxy", + "path": "connect/proxy/sidecar" }, { - "title": "Limit request rates to services", - "path": "connect/manage-traffic/limit-request-rates" + "title": "Envoy extensions", + "href": "envoy-extension" }, { - "title": "Fault Injection", - "path": "connect/manage-traffic/fault-injection" + "title": "Proxy integrations", + "href": "integrate/proxy" }, { - "title": "Failover", + "title": "Transparent proxy", "routes": [ { "title": "Overview", - "path": "connect/manage-traffic/failover" - }, - { - "title": "Configure failover services for Kubernetes", - "href": "/docs/k8s/l7-traffic/failover-tproxy" + "path": "connect/proxy/transparent-proxy" }, { - "title": "Automate geo-failover with prepared queries", - "href": "/tutorials/developer-discovery/automate-geo-failover" + "title": "Enable transparent proxy", + "path": "connect/proxy/transparent-proxy/enable" }, { - "title": "Failover with sameness groups", - "path": "connect/manage-traffic/failover/sameness" + "title": "Kubernetes", + "path": "connect/proxy/transparent-proxy/k8s" }, { - "title": "Configuration", - "routes": [ - { - "title": "Service resolver", - "href": "/consul/docs/connect/config-entries/service-resolver" - }, - { - "title": "Service intentions", - "href": "/consul/docs/connect/config-entries/service-intentions" - } - ] + "title": "ECS", + "path": "connect/proxy/transparent-proxy/ecs" } ] + } + ] + }, + { + "title": "Troubleshoot", + "routes": [ + { + "title": "Overview", + "path": "connect/troubleshoot" + }, + { + "title": "Develop and debug", + "path": "connect/troubleshoot/develop-debug" }, { - "title": "Discovery chain reference", - "path": "connect/manage-traffic/discovery-chain" + "title": "Service-to-service troubleshooting", + "path": "connect/troubleshoot/service-to-service" } ] }, { - "title": "Connectivity Tasks", - "path": "connect/connectivity-tasks" + "title": "Virtual machine (VM)", + "path": "connect/vm" + }, + { + "title": "Kubernetes", + "path": "connect/k8s" + }, + { + "title": "ECS", + "path": "connect/ecs" }, { - "title": "Distributed Tracing", - "path": "connect/distributed-tracing" + "title": "Nomad", + "path": "connect/nomad" + } + ] + }, + { + "title": "Secure network north/south", + "routes": [ + { + "title": "Overview", + "path": "north-south" }, { - "title": "Gateways", + "title": "API gateway", "routes": [ { "title": "Overview", - "path": "connect/gateways" + "path": "north-south/api-gateway" }, { - "title": "API Gateways", + "title": "Technical specifications", "routes": [ { - "title": "Overview", - "path": "connect/gateways/api-gateway" - }, + "title": "Kubernetes", + "path": "north-south/api-gateway/tech-specs/k8s" + } + ] + }, + { + "title": "Enable API gateway", + "routes": [ { - "title": "Technical specifications for Kubernetes", - "path": "connect/gateways/api-gateway/tech-specs" - }, + "title": "Kubernetes", + "path": "north-south/api-gateway/enable/k8s" + } + ] + }, + { + "title": "Deploy listener", + "routes": [ { - "title": "Install on Kubernetes", - "path": "connect/gateways/api-gateway/install-k8s" + "title": "VMs", + "path": "north-south/api-gateway/deploy-listener/vm" }, { - "title": "Upgrade on Kubernetes", - "path": "connect/gateways/api-gateway/upgrades-k8s" - }, + "title": "Kubernetes", + "path": "north-south/api-gateway/deploy-listener/k8s" + } + ] + }, + { + "title": "Define route", + "routes": [ { - "title": "Deploy listeners", - "routes": [ - { - "title": "Deploy listeners to VMs", - "path": "connect/gateways/api-gateway/deploy/listeners-vms" - }, - { - "title": "Deploy listeners to Kubernetes", - "path": "connect/gateways/api-gateway/deploy/listeners-k8s" - } - ] + "title": "VMs", + "path": "north-south/api-gateway/define-route/vm" }, { - "title": "Define routes", + "title": "Kubernetes", "routes": [ { - "title": "Define routes on VMs", - "path": "connect/gateways/api-gateway/define-routes/routes-vms" + "title": "Define route", + "path": "north-south/api-gateway/define-route/k8s" }, { - "title": "Define routes on Kubernetes", - "path": "connect/gateways/api-gateway/define-routes/routes-k8s" + "title": "Reroute traffic", + "path": "north-south/api-gateway/define-route/k8s/reroute" }, { - "title": "Reroute traffic in Kubernetes", - "path": "connect/gateways/api-gateway/define-routes/reroute-http-requests" - }, - { - "title": "Route to peered services in Kubernetes", - "path": "connect/gateways/api-gateway/define-routes/route-to-peered-services" + "title": "Route to peered services", + "path": "north-south/api-gateway/define-route/k8s/peer" } ] - }, + } + ] + }, + { + "title": "Upgrade", + "href": "upgrade/api-gateway/" + }, + { + "title": "Secure traffic", + "routes": [ { - "title": "Secure traffic", - "routes": [ - { - "title": "Encrypt traffic on virtual machines", - "path": "connect/gateways/api-gateway/secure-traffic/encrypt-vms" - }, - { - "title": "Verify incoming requests with JWTs on virtual machines", - "path": "connect/gateways/api-gateway/secure-traffic/verify-jwts-vms" - }, - { - "title": "Verify incoming requests with JWTs on Kubernetes", - "path": "connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s" - } - ] + "title": "Encrypt traffic on VMs", + "path": "north-south/api-gateway/secure-traffic/encrypt" }, { - "title": "Configuration", + "title": "Verify requests with JWTs", "routes": [ { - "title": "Overview", - "path": "connect/gateways/api-gateway/configuration" - }, - { - "title": "Gateway", - "path": "connect/gateways/api-gateway/configuration/gateway" + "title": "Verify requests with JWTS on VMs", + "path": "north-south/api-gateway/secure-traffic/jwt/vm" }, { - "title": "GatewayClass", - "path": "connect/gateways/api-gateway/configuration/gatewayclass" - }, - { - "title": "GatewayClassConfig", - "path": "connect/gateways/api-gateway/configuration/gatewayclassconfig" - }, - { - "title": "GatewayPolicy", - "path": "connect/gateways/api-gateway/configuration/gatewaypolicy" - }, - { - "title": "RouteAuthFilter", - "path": "connect/gateways/api-gateway/configuration/routeauthfilter" - }, - { - "title": "Routes", - "path": "connect/gateways/api-gateway/configuration/routes" - }, - { - "title": "RouteRetryFilter", - "path": "connect/gateways/api-gateway/configuration/routeretryfilter" - }, - { - "title": "RouteTimeoutFilter", - "path": "connect/gateways/api-gateway/configuration/routetimeoutfilter" - }, - { - "title": "MeshService", - "path": "connect/gateways/api-gateway/configuration/meshservice" + "title": "Verify requests with JWTS on Kubernetes", + "path": "north-south/api-gateway/secure-traffic/jwt/k8s" } ] - }, - { - "title": "Error Messages", - "path": "connect/gateways/api-gateway/errors" } ] - }, + } + ] + }, + { + "title": "Ingress gateway", + "routes": [ { - "title": "Mesh Gateways", - "routes": [ - { - "title": "Overview", - "path": "connect/gateways/mesh-gateway" - }, - { - "title": "Enabling WAN Federation Control Plane Traffic", - "path": "connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways" - }, - { - "title": "Enabling Service-to-service Traffic Across WAN Federated Datacenters", - "path": "connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters" - }, - { - "title": "Enabling Service-to-service Traffic Across Admin Partitions", - "path": "connect/gateways/mesh-gateway/service-to-service-traffic-partitions" - }, - { - "title": "Enabling Peering Control Plane Traffic", - "path": "connect/gateways/mesh-gateway/peering-via-mesh-gateways" - } - ] + "title": "Overview", + "path": "north-south/ingress-gateway" }, - { - "title": "Ingress Gateways", - "routes": [ - { - "title": "Overview", - "path": "connect/gateways/ingress-gateway" - }, - { - "title": "Implement an ingress gateway", - "path": "connect/gateways/ingress-gateway/usage" - }, - { - "title": "Serve TLS certificates from an external service", - "path": "connect/gateways/ingress-gateway/tls-external-service" - }, - { - "title": "Configuration", - "href": "/consul/docs/connect/config-entries/ingress-gateway" - } - ] + { + "title": "Create ingress gateways on VMs", + "path": "north-south/ingress-gateway/vm" + }, + { + "title": "Create ingress gateways on K8s", + "path": "north-south/ingress-gateway/k8s" }, { - "title": "Terminating Gateways", - "path": "connect/gateways/terminating-gateway" + "title": "Serve TLS certificate from external service", + "path": "north-south/ingress-gateway/external" } ] }, { - "title": "Cluster Peering", + "title": "Virtual machine (VM)", + "path": "north-south/vm" + }, + { + "title": "Kubernetes", + "path": "north-south/k8s" + } + ] + }, + { + "title": "Link network east/west", + "routes": [ + { + "title": "Overview", + "path": "east-west" + }, + { + "title": "Cluster peering", "routes": [ { "title": "Overview", - "path": "connect/cluster-peering" + "path": "east-west/cluster-peering" }, { - "title": "Technical Specifications", - "path": "connect/cluster-peering/tech-specs" + "title": "Technical specifications", + "path": "east-west/cluster-peering/tech-specs" }, { - "title": "Usage", + "title": "Establish connections", "routes": [ { - "title": "Establish Cluster Peering Connections", - "path": "connect/cluster-peering/usage/establish-cluster-peering" + "title": "Virtual machine (VM)", + "path": "east-west/cluster-peering/establish/vm" }, { - "title": "Manage Cluster Peering Connections", - "path": "connect/cluster-peering/usage/manage-connections" - }, + "title": "Kubernetes", + "path": "east-west/cluster-peering/establish/k8s" + } + ] + }, + { + "title": "Manage connections", + "routes": [ { - "title": "Manage L7 Traffic With Cluster Peering", - "path": "connect/cluster-peering/usage/peering-traffic-management" + "title": "Virtual machine (VM)", + "path": "east-west/cluster-peering/manage/vm" }, { - "title": "Create Sameness Groups", - "path": "connect/cluster-peering/usage/create-sameness-groups" + "title": "Kubernetes", + "path": "east-west/cluster-peering/manage/k8s" } ] } ] }, { - "title": "Nomad", - "path": "connect/nomad" - }, - { - "title": "Kubernetes", - "href": "/docs/k8s/connect" - }, - { - "title": "Native App Integration", - "routes": [ - { - "title": "Overview", - "path": "connect/native" - }, - { - "title": "Go Integration", - "path": "connect/native/go" - } - ] + "title": "Network area", + "path": "east-west/network-area" }, { - "title": "Certificate Management", + "title": "WAN federation", "routes": [ { "title": "Overview", - "path": "connect/ca" + "path": "east-west/wan-federation" }, { - "title": "Built-In CA", - "path": "connect/ca/consul" + "title": "Create and manage federation connections", + "path": "east-west/wan-federation/create" }, { - "title": "Vault", - "path": "connect/ca/vault" + "title": "Federate Kubernetes clusters", + "path": "east-west/wan-federation/k8s" }, { - "title": "ACM Private CA", - "path": "connect/ca/aws" + "title": "Federate Kubernetes and VM", + "path": "east-west/wan-federation/k8s-vm" } ] }, { - "title": "Develop and Debug", - "path": "connect/dev" - }, - { - "title": "Security", - "path": "connect/security", - "hidden": true - }, - { - "title": "Consul Dataplane", + "title": "Mesh gateway", "routes": [ { "title": "Overview", - "path": "connect/dataplane" + "path": "east-west/mesh-gateway" }, { - "title": "CLI Reference", - "path": "connect/dataplane/consul-dataplane" + "title": "Enable WAN federation control plane traffic", + "path": "east-west/mesh-gateway/enable" }, { - "title": "Telemetry", - "path": "connect/dataplane/telemetry" - } - ] - } - ] - }, - { - "title": "Dynamic App Configuration", - "routes": [ - { - "title": "Consul KV", - "routes": [ + "title": "Enable traffic across WAN federated datacenters", + "path": "east-west/mesh-gateway/federation" + }, { - "title": "Overview", - "path": "dynamic-app-config/kv" + "title": "Enable peering control plane traffic", + "path": "east-west/mesh-gateway/cluster-peer" }, { - "title": "Store keys and values", - "path": "dynamic-app-config/kv/store" + "title": "Enable traffic across admin partition", + "path": "east-west/mesh-gateway/admin-partition" } ] }, { - "title": "Sessions", - "routes": [ - { - "title": "Overview", - "path": "dynamic-app-config/sessions" - }, - { - "title": "Application leader election", - "path": "dynamic-app-config/sessions/application-leader-election" - } - ] + "title": "Virtual machine (VM)", + "path": "east-west/vm" }, { - "title": "Watches", - "path": "dynamic-app-config/watches" + "title": "Kubernetes", + "path": "east-west/k8s" } ] }, { - "title": "Security", + "title": "Secure mesh traffic", "routes": [ { "title": "Overview", - "path": "security" + "path": "secure-mesh" }, { - "title": "Security Models", + "title": "Service intentions", "routes": [ { "title": "Overview", - "path": "security/security-models" + "path": "secure-mesh/intention" }, { - "title": "Core", - "path": "security/security-models/core" + "title": "Create and manage intentions", + "path": "secure-mesh/intention/create" }, { - "title": "Network Infrastructure Automation", - "path": "security/security-models/nia" + "title": "JWT authorization", + "path": "secure-mesh/intention/jwt" } ] }, { - "title": "Access Control (ACLs)", + "title": "Certificate (mTLS)", "routes": [ { - "title": "ACL System Overview", - "path": "security/acl" + "title": "Overview", + "path": "secure-mesh/certificate" }, { - "title": "Tokens", + "title": "Bootstrap certificate authority (CA)", "routes": [ { - "title": "Overview", - "path": "security/acl/tokens" + "title": "Virtual machine (VM)", + "path": "secure-mesh/certificate/bootstrap/vm" }, { - "title": "Create ACL Tokens", - "routes": [ - { - "title": "Create a service token", - "path": "security/acl/tokens/create/create-a-service-token" - }, - { - "title": "Create an agent token", - "path": "security/acl/tokens/create/create-an-agent-token" - }, - { - "title": "Create a UI token", - "path": "security/acl/tokens/create/create-a-ui-token" - }, - { - "title": "Create a mesh gateway token", - "path": "security/acl/tokens/create/create-a-mesh-gateway-token" - }, - { - "title": "Create an ingress gateway token", - "path": "security/acl/tokens/create/create-an-ingress-gateway-token" - }, - { - "title": "Create a terminating gateway token", - "path": "security/acl/tokens/create/create-a-terminating-gateway-token" - }, - { - "title": "Create a DNS token", - "path": "security/acl/tokens/create/create-a-dns-token" - }, - { - "title": "Create a replication token", - "path": "security/acl/tokens/create/create-a-replication-token" - }, - { - "title": "Create a snapshot agent token", - "path": "security/acl/tokens/create/create-a-snapshot-agent-token" - }, - { - "title": "Create a token for Vault's Consul storage backend", - "path": "security/acl/tokens/create/create-a-token-for-vault-consul-storage" - }, - { - "title": "Create a Consul ESM token", - "path": "security/acl/tokens/create/create-a-consul-esm-token" - } - ] + "title": "Kubernetes", + "path": "secure-mesh/certificate/bootstrap/k8s" } ] }, { - "title": "Policies", - "path": "security/acl/acl-policies" + "title": "Rotate certificate", + "routes": [ + { + "title": "Rotate TLS keys", + "path": "secure-mesh/certificate/rotate/tls" + }, + { + "title": "Rotate gossip keys", + "path": "secure-mesh/certificate/rotate/gossip" + } + ] }, { - "title": "Roles", - "path": "security/acl/acl-roles" + "title": "Configure TLS on an existing cluster", + "path": "secure-mesh/certificate/existing" }, { - "title": "Rules Reference", - "path": "security/acl/acl-rules" + "title": "Use built-in CA", + "path": "secure-mesh/certificate/built-in" }, { - "title": "ACLs in Federated Datacenters", - "path": "security/acl/acl-federated-datacenters" + "title": "Use Vault for service mesh CA", + "path": "secure-mesh/certificate/vault" }, { - "title": "Auth Methods", - "routes": [ - { - "title": "Overview", - "path": "security/acl/auth-methods" - }, - { - "title": "Kubernetes", - "path": "security/acl/auth-methods/kubernetes" - }, - { - "title": "JWT", - "path": "security/acl/auth-methods/jwt" - }, - { - "title": "OIDC", - "path": "security/acl/auth-methods/oidc" - }, - { - "title": "AWS IAM", - "path": "security/acl/auth-methods/aws-iam" - } - ] + "title": "Use AWS certificate manager", + "path": "secure-mesh/certificate/acm" + }, + { + "title": "Enable permissive mTLS", + "path": "secure-mesh/certificate/permissive-mtls" } ] }, { - "title": "Encryption", + "title": "Virtual machine (VM)", + "path": "secure-mesh/vm" + }, + { + "title": "Kubernetes", + "path": "secure-mesh/k8s" + } + ] + }, + { + "title": "Manage service traffic", + "routes": [ + { + "title": "Overview", + "path": "manage-traffic" + }, + { + "title": "Route local traffic", + "path": "manage-traffic/route-local" + }, + { + "title": "Rate limit service mesh traffic", + "path": "manage-traffic/rate-limit" + }, + { + "title": "Split TCP traffic between multi-port services", + "path": "manage-traffic/split-multi-port-traffic" + }, + { + "title": "Manage traffic for peered clusters", + "routes": [ + { + "title": "Overview", + "path": "manage-traffic/cluster-peering/vm" + }, + { + "title": "Kubernetes", + "path": "manage-traffic/cluster-peering/k8s" + } + ] + }, + { + "title": "Failover", "routes": [ { "title": "Overview", - "path": "security/encryption" + "path": "manage-traffic/failover" }, { - "title": "Gossip encryption", - "path": "security/encryption/gossip" + "title": "Configure failover services for Kubernetes", + "path": "manage-traffic/failover/configure-k8s" }, { - "title": "mTLS", - "path": "security/encryption/mtls" + "title": "Automate geo-failover with prepared queries", + "path": "manage-traffic/failover/prepared-query" + }, + { + "title": "Route traffic to virtual services", + "path": "manage-traffic/failover/virtual-service" + }, + { + "title": "Failover with sameness groups", + "path": "manage-traffic/failover/sameness-group" } ] + }, + { + "title": "Virtual machine (VM)", + "path": "manage-traffic/vm" + }, + { + "title": "Kubernetes", + "path": "manage-traffic/k8s" } ] }, { - "title": "Agent", + "title": "Observe service mesh", "routes": [ { "title": "Overview", - "path": "agent" + "path": "observe" + }, + { + "title": "Access logs", + "path": "observe/access-log" }, { - "title": "Configuration", + "title": "Distributed tracing", + "path": "observe/distributed-tracing" + }, + { + "title": "Mesh telemetry metrics", "routes": [ { - "title": "General", - "path": "agent/config" - }, - { - "title": "CLI Reference", - "path": "agent/config/cli-flags" + "title": "Virtual Machines (VM)", + "path": "observe/telemetry/vm" }, { - "title": "Configuration Reference", - "path": "agent/config/config-files" + "title": "Kubernetes", + "path": "observe/telemetry/k8s" } ] + } + ] + }, + { + "title": "Automate applications", + "routes": [ + { + "title": "Overview", + "path": "automate" }, { - "title": "Limit traffic rates", + "title": "Key/Value store", "routes": [ { "title": "Overview", - "path": "agent/limits" - }, - { - "title": "Usage", - "routes": [ - { - "title": "Initialize rate limit settings", - "path": "agent/limits/usage/init-rate-limits" - }, - { - "title": "Monitor traffic rate limits", - "path": "agent/limits/usage/monitor-rate-limits" - }, - { - "title": "Set global traffic rate limits", - "path": "agent/limits/usage/set-global-traffic-rate-limits" - }, - { - "title": "Limit traffic rates from source IP addresses", - "path": "agent/limits/usage/limit-request-rates-from-ips" - } - ] + "path": "automate/kv" }, { - "title": "Configuration", - "href": "/docs/connect/config-entries/control-plane-request-limit" + "title": "KV store interactions", + "path": "automate/kv/store" } ] }, { - "title": "Configuration Entries", - "path": "agent/config-entries" + "title": "Consul template", + "path": "automate/consul-template" + }, + { + "title": "Session", + "path": "automate/session" + }, + { + "title": "Watch", + "path": "automate/watch" + } + ] + }, + { + "divider": true + }, + { + "heading": "Enterprise solutions" + }, + { + "title": "Consul Enterprise", + "routes": [ + { + "title": "Overview", + "path": "enterprise" }, { - "title": "Monitor Consul", + "title": "License", "routes": [ { - "title": "Agent telemetry", - "path": "agent/monitor/telemetry" + "title": "Overview", + "path": "enterprise/license" }, { - "title": "Monitor components", - "path": "agent/monitor/components" + "title": "Automated entitlement utilization", + "path": "enterprise/license/automated-entitlement-utilization" }, { - "title": "Recommendations", - "path": "agent/monitor/alerts" + "title": "FAQ", + "path": "enterprise/license/faq" } ] + } + ] + }, + { + "divider": true + }, + { + "heading": "Runtimes and platforms" + }, + { + "title": "Virtual machine (VM)", + "routes": [ + { + "title": "Overview", + "path": "vm" + }, + { + "title": "Deploy Consul", + "href": "deploy/server/vm" + }, + { + "title": "Upgrade Consul", + "href": "upgrade" + }, + { + "title": "Register services", + "href": "register/vm" + }, + { + "title": "Discover services", + "href": "discover/vm" + }, + { + "title": "Connect services", + "href": "connect/vm" + }, + { + "title": "Secure north/south", + "href": "north-south/vm" + }, + { + "title": "Extend east/west", + "href": "east-west/vm" + }, + { + "title": "Secure services", + "href": "secure-mesh/vm" + }, + { + "title": "Manage service traffic", + "href": "manage-traffic/vm" + }, + { + "title": "Observe services", + "href": "observe/telemetry/vm" + } + ] + }, + { + "title": "Kubernetes", + "routes": [ + { + "title": "Overview", + "path": "k8s" + }, + { + "title": "Deploy Consul", + "href": "deploy/server/k8s" + }, + { + "title": "Upgrade Consul", + "href": "upgrade/k8s" + }, + { + "title": "Register services", + "href": "register/k8s" + }, + { + "title": "Discover services", + "href": "discover/k8s" + }, + { + "title": "Connect services", + "href": "connect/k8s" + }, + { + "title": "Secure north/south", + "href": "north-south/k8s" + }, + { + "title": "Extend east/west", + "href": "east-west/k8s" }, { - "title": "Sentinel", - "path": "agent/sentinel" + "title": "Secure service mesh", + "href": "secure-mesh/k8s" }, { - "title": "Experimental WAL LogStore", - "routes": [ - { - "title": "Overview", - "path": "agent/wal-logstore" - }, - { - "title": "Enable WAL LogStore backend", - "path": "agent/wal-logstore/enable" - }, - { - "title": "Monitor Raft metrics and logs for WAL", - "path": "agent/wal-logstore/monitoring" - }, - { - "title": "Revert to BoltDB", - "path": "agent/wal-logstore/revert-to-boltdb" - } - ] + "title": "Manage service traffic", + "href": "manage-traffic/k8s" + }, + { + "title": "Observe services", + "href": "observe/telemetry/k8s" } ] }, { - "title": "Integrations", + "title": "AWS ECS", "routes": [ { - "title": "Consul Integration Program", - "path": "integrate/partnerships" + "title": "Overview", + "path": "ecs" + }, + { + "title": "Deploy Consul", + "href": "deploy/server/ecs" }, { - "title": "NIA Integration Program", - "path": "integrate/nia-integration" + "title": "Upgrade Consul", + "href": "upgrade/ecs" }, { - "title": "Vault Integration", - "href": "/docs/connect/ca/vault" + "title": "Register services", + "href": "register/ecs" + }, + { + "title": "Discover services", + "href": "discover/ecs" + } + ] + }, + { + "title": "AWS Lambda", + "routes": [ + { + "title": "Overview", + "path": "lambda" }, { - "title": "Proxy Integration", - "href": "/docs/connect/proxies/integrate" + "title": "Register services", + "href": "register/lambda" }, { - "title": "Consul Tools", - "path": "integrate/download-tools" + "title": "Connect services", + "href": "connect/lambda" } ] }, { - "title": "Troubleshoot", + "title": "Nomad", "routes": [ { - "title": "Service-to-Service Troubleshooting", - "path": "troubleshoot/troubleshoot-services" + "title": "Overview", + "path": "nomad" }, { - "title": "Common Error Messages", - "path": "troubleshoot/common-errors" + "title": "Register services", + "href": "register/nomad" }, { - "title": "FAQ", - "path": "troubleshoot/faq" + "title": "Connect services", + "href": "connect/nomad" } ] }, @@ -1411,508 +1892,193 @@ "divider": true }, { - "title": "Kubernetes", + "heading": "Plugins, integrations, & extensions" + }, + { + "title": "Integrations", "routes": [ { "title": "Overview", - "path": "k8s" + "path": "integrate" }, { - "title": "Architecture", - "path": "k8s/architecture" + "title": "Consul tools", + "path": "integrate/consul-tools" }, { - "title": "Installation", - "routes": [ - { - "title": "Install from Consul K8s CLI", - "path": "k8s/installation/install-cli" - }, - { - "title": "Install from Helm Chart", - "path": "k8s/installation/install" - } - ] + "title": "Consul integration program", + "path": "integrate/consul" }, { - "title": "Deployment Configurations", - "routes": [ - { - "title": "Consul Clients Outside Kubernetes", - "path": "k8s/deployment-configurations/clients-outside-kubernetes" - }, - { - "title": "Consul Servers Outside Kubernetes", - "path": "k8s/deployment-configurations/servers-outside-kubernetes" - }, - { - "title": "Single Consul Datacenter in Multiple Kubernetes Clusters", - "path": "k8s/deployment-configurations/single-dc-multi-k8s" - }, - { - "title": "Consul Enterprise", - "path": "k8s/deployment-configurations/consul-enterprise" - }, - { - "title": "Argo Rollouts Progressive Delivery", - "path": "k8s/deployment-configurations/argo-rollouts-configuration" - }, - { - "title": "Multi-Cluster Federation", - "routes": [ - { - "title": "Overview", - "path": "k8s/deployment-configurations/multi-cluster" - }, - { - "title": "Federation Between Kubernetes Clusters", - "path": "k8s/deployment-configurations/multi-cluster/kubernetes" - }, - { - "title": "Federation Between VMs and Kubernetes", - "path": "k8s/deployment-configurations/multi-cluster/vms-and-kubernetes" - } - ] - }, - { - "title": "Vault as Secrets Backend", - "routes": [ - { - "title": "Overview", - "path": "k8s/deployment-configurations/vault" - }, - { - "title": "Systems Integration", - "path": "k8s/deployment-configurations/vault/systems-integration" - }, - { - "title": "Data Integration", - "routes": [ - { - "title": "Overview", - "path": "k8s/deployment-configurations/vault/data-integration" - }, - { - "title": "Bootstrap Token", - "path": "k8s/deployment-configurations/vault/data-integration/bootstrap-token" - }, - { - "title": "Enterprise License", - "path": "k8s/deployment-configurations/vault/data-integration/enterprise-license" - }, - { - "title": "Gossip Encryption Key", - "path": "k8s/deployment-configurations/vault/data-integration/gossip" - }, - { - "title": "Partition Token", - "path": "k8s/deployment-configurations/vault/data-integration/partition-token" - }, - { - "title": "Replication Token", - "path": "k8s/deployment-configurations/vault/data-integration/replication-token" - }, - { - "title": "Server TLS", - "path": "k8s/deployment-configurations/vault/data-integration/server-tls" - }, - { - "title": "Service Mesh Certificates", - "path": "k8s/deployment-configurations/vault/data-integration/connect-ca" - }, - { - "title": "Snapshot Agent Config", - "path": "k8s/deployment-configurations/vault/data-integration/snapshot-agent-config" - }, - { - "title": "Webhook Certificates", - "path": "k8s/deployment-configurations/vault/data-integration/webhook-certs" - } - ] - }, - { - "title": "WAN Federation", - "path": "k8s/deployment-configurations/vault/wan-federation" - } - ] - }, - { - "title": "Datadog metrics", - "path": "k8s/deployment-configurations/datadog" - }, - { - "title": "Register external services", - "path": "k8s/deployment-configurations/external-service" - } - ] + "title": "NIA integration program", + "path": "integrate/nia" }, { - "title": "Platform Guides", - "routes": [ - { - "title": "Minikube", - "href": "https://learn.hashicorp.com/tutorials/consul/kubernetes-minikube?utm_source=consul.io&utm_medium=docs&utm_content=k8s&utm_term=mk" - }, - { - "title": "Kind", - "href": "https://learn.hashicorp.com/tutorials/consul/kubernetes-kind?utm_source=consul.io&utm_medium=docs&utm_content=k8s&utm_term=kind" - }, - { - "title": "AKS (Azure)", - "href": "https://learn.hashicorp.com/tutorials/consul/kubernetes-aks-azure?utm_source=consul.io&utm_medium=docs&utm_content=k8s&utm_term=aks" - }, - { - "title": "EKS (AWS)", - "href": "https://learn.hashicorp.com/tutorials/consul/kubernetes-eks-aws?utm_source=consul.io&utm_medium=docs&utm_content=k8s&utm_term=eks" - }, - { - "title": "GKE (Google Cloud)", - "href": "https://learn.hashicorp.com/tutorials/consul/kubernetes-gke-google?utm_source=consul.io&utm_medium=docs&utm_content=k8s&utm_term=gke" - }, - { - "title": "Red Hat OpenShift", - "href": "https://learn.hashicorp.com/tutorials/consul/kubernetes-openshift-red-hat?utm_source=consul.io&utm_medium=docs&utm_content=k8s&utm_term=openshift" - }, - { - "title": "Self Hosted Kubernetes", - "path": "k8s/platforms/self-hosted-kubernetes" - } - ] + "title": "Proxy integration", + "path": "integrate/proxy" + } + ] + }, + { + "title": "Envoy extensions", + "routes": [ + { + "title": "Overview", + "path": "envoy-extension" }, { - "title": "Service Mesh", - "routes": [ - { - "title": "Overview", - "path": "k8s/connect" - }, - { - "title": "Admin Partitions", - "href": "/docs/enterprise/admin-partitions" - }, - { - "title": "Cluster Peering", - "routes": [ - { - "title": "Technical Specifications", - "path": "k8s/connect/cluster-peering/tech-specs" - }, - { - "title": "Usage", - "routes": [ - { - "title": "Establish Cluster Peering Connections", - "path": "k8s/connect/cluster-peering/usage/establish-peering" - }, - { - "title": "Manage Cluster Peering Connections", - "path": "k8s/connect/cluster-peering/usage/manage-peering" - }, - { - "title": "Manage L7 Traffic With Cluster Peering", - "path": "k8s/connect/cluster-peering/usage/l7-traffic" - }, - { - "title": "Create Sameness Groups", - "path": "k8s/connect/cluster-peering/usage/create-sameness-groups" - } - ] - } - ] - }, - { - "title": "Transparent Proxy", - "routes": [ - { - "title": "Overview", - "path": "k8s/connect/transparent-proxy" - }, - { - "title": "Enable transparent proxy", - "path": "k8s/connect/transparent-proxy/enable-transparent-proxy" - }, - { - "title": "Route traffic to virtual services", - "href": "/docs/k8s/l7-traffic/route-to-virtual-services" - } - ] - }, - { - "title": "Onboarding services in transparent proxy mode", - "path": "k8s/connect/onboarding-tproxy-mode" - }, - { - "title": "Ingress Gateways", - "path": "k8s/connect/ingress-gateways" - }, - { - "title": "Terminating Gateways", - "path": "k8s/connect/terminating-gateways" - }, - { - "title": "Ingress Controllers", - "path": "k8s/connect/ingress-controllers" - }, - { - "title": "Configuring a Connect CA Provider", - "path": "k8s/connect/connect-ca-provider" - }, - { - "title": "Health Checks", - "path": "k8s/connect/health" - }, - { - "title": "Observability", - "routes": [ - { - "title": "Metrics", - "path": "k8s/connect/observability/metrics" - } - ] - } - ] + "title": "Authorize with Apigee", + "path": "envoy-extension/apigee-external-authz" }, { - "title": "L7 traffic management", - "routes": [ - { - "title": "Overview", - "href": "/docs/connect/manage-traffic" - }, - { - "title": "Configure failover services", - "path": "k8s/l7-traffic/failover-tproxy" - }, - { - "title": "Route traffic to virtual services", - "path": "k8s/l7-traffic/route-to-virtual-services" - } - ] + "title": "Authorize with external services", + "path": "envoy-extension/external-authz" }, { - "title": "Service Sync", - "path": "k8s/service-sync" + "title": "Run Lua scripts", + "path": "envoy-extension/lua" }, { - "title": "Custom Resource Definitions", - "routes": [ - { - "title": "Overview", - "path": "k8s/crds" - }, - { - "title": "Upgrade An Existing Cluster to CRDs", - "path": "k8s/crds/upgrade-to-crds" - } - ] + "title": "Invoke Lambda functions", + "path": "envoy-extension/lambda" }, { - "title": "Annotations and Labels", - "path": "k8s/annotations-and-labels" + "title": "Configure Envoy proxy properties", + "path": "envoy-extension/property-override" }, { - "title": "Consul DNS", - "routes": [ - { - "title": "DNS proxy for service discovery", - "routes": [ - { - "title": "Overview", - "path": "k8s/dns/views" - }, - { - "title": "Enable Consul DNS proxy", - "path": "k8s/dns/views/enable" - } - ] - }, - { - "title": "Enable on dataplanes", - "path": "k8s/dns/enable" - } - ] + "title": "Send access logs to OpenTelemetry", + "path": "envoy-extension/otel-access-logging" }, { - "title": "Upgrade", - "routes": [ - { - "title": "Upgrading Consul on Kubernetes", - "path": "k8s/upgrade" - }, - { - "title": "Upgrading Consul K8s CLI", - "path": "k8s/upgrade/upgrade-cli" - } - ] + "title": "Run WebAssembly plug-ins", + "path": "envoy-extension/wasm" + } + ] + }, + { + "title": "Consul-Terraform-Sync (CTS)", + "routes": [ + { + "title": "Overview", + "path": "cts" }, { - "title": "Consul Dataplane", - "routes": [ - { - "title": "Overview", - "href": "/docs/connect/dataplane" - }, - { - "title": "CLI Reference", - "href": "/docs/connect/dataplane/consul-dataplane" - } - ] + "title": "Architecture", + "path": "cts/architecture" }, { - "title": "Operations", - "routes": [ - { - "title": "Uninstall", - "path": "k8s/operations/uninstall" - }, - { - "title": "Certificate Rotation", - "path": "k8s/operations/certificate-rotation" - }, - { - "title": "Gossip Encryption Key Rotation", - "path": "k8s/operations/gossip-encryption-key-rotation" - }, - { - "title": "Configure TLS on an Existing Cluster", - "path": "k8s/operations/tls-on-existing-cluster" - } - ] + "title": "Requirements", + "path": "cts/requirements" }, { - "title": "Troubleshoot", - "routes": [ - { - "title": "Common Error Messages", - "href": "/docs/troubleshoot/common-errors#common-errors-on-kubernetes" - }, - { - "title": "FAQ", - "href": "/docs/troubleshoot/faq#consul-on-kubernetes" - } - ] + "title": "Compatibility", + "path": "cts/compatibility" }, { - "title": "Compatibility Matrix", - "path": "k8s/compatibility" + "title": "Security model", + "href": "secure/security-model/cts" }, { - "title": "Helm Chart Configuration", - "path": "k8s/helm" + "title": "Install CTS", + "path": "cts/install" }, { - "title": "Consul K8s CLI Reference", - "path": "k8s/k8s-cli" - } - ] - }, - { - "title": "Nomad", - "path": "nomad" - }, - { - "title": "AWS ECS", - "routes": [ + "title": "Configure CTS", + "path": "cts/configure" + }, { - "title": "Overview", - "path": "ecs" + "title": "Run CTS", + "path": "cts/run" }, { - "title": "Architecture", - "path": "ecs/architecture" + "title": "Configure CTS task", + "path": "cts/task" }, { - "title": "Technical specifications", - "path": "ecs/tech-specs" + "title": "Create Terraform module", + "path": "cts/terraform-module" }, { - "title": "Deploy Consul to ECS", + "title": "Network drivers", "routes": [ { - "title": "Deploy using the Terraform module", - "path": "ecs/deploy/terraform" + "title": "Overview", + "path": "cts/network-drivers" }, { - "title": "Deploy manually", - "path": "ecs/deploy/manual" + "title": "Terraform", + "path": "cts/network-drivers/terraform" }, { - "title": "Configure the ECS task bind address", - "path": "ecs/deploy/bind-addresses" + "title": "Terraform Cloud", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + }, + "path": "cts/network-drivers/terraform-cloud" + } + ] + }, + { + "title": "Enterprise", + "routes": [ + { + "title": "Overview", + "path": "cts/enterprise" }, { - "title": "Configure routes between ECS tasks", - "path": "ecs/deploy/configure-routes" + "title": "License", + "path": "cts/enterprise/license" }, { - "title": "Migrate existing tasks", - "path": "ecs/deploy/migrate-existing-tasks" + "title": "Terraform Cloud", + "href": "cts/network-drivers/terraform-cloud" } ] }, { - "title": "Upgrade to Consul dataplane architecture", - "path": "ecs/upgrade-to-dataplanes" + "title": "Configuration reference", + "href": "reference/cts" }, { - "title": "Consul Enterprise", - "path": "ecs/enterprise" - }, - { - "title": "Reference", + "title": "API", "routes": [ { - "title": "ECS configuration reference", - "path": "ecs/reference/configuration-reference" + "title": "Overview", + "href": "reference/cts/api" + }, + { + "title": "Status", + "href": "reference/cts/api/status" }, { - "title": "ECS compatibility matrix", - "path": "ecs/reference/compatibility" + "title": "Tasks", + "href": "reference/cts/api/tasks" }, { - "title": "ECS Consul server JSON schema", - "path": "ecs/reference/consul-server-json" + "title": "Health", + "href": "reference/cts/api/health" } ] - } - ] - }, - { - "title": "AWS Lambda", - "routes": [ - { - "title": "Overview", - "path": "lambda" }, { - "title": "Register Lambda Functions", + "title": "CLI", "routes": [ { - "title": "Requirements", - "path": "lambda/registration" + "title": "Overview", + "href": "reference/cts/cli" }, { - "title": "Automate Registration", - "path": "lambda/registration/automate" + "title": "task", + "href": "reference/cts/cli/task" }, { - "title": "Manual Registration", - "path": "lambda/registration/manual" + "title": "start", + "href": "reference/cts/cli/start" } ] - }, - { - "title": "Invoke Lambda Functions from Services", - "path": "lambda/invocation" - }, - { - "title": "Invoke Services from Lambda Functions", - "path": "lambda/invoke-from-lambda", - "badge": { - "text": "BETA", - "type": "outlined", - "color": "neutral" - } } ] }, @@ -1920,259 +2086,365 @@ "divider": true }, { - "title": "HCP Consul Dedicated", - "href": "https://cloud.hashicorp.com/docs/consul" + "heading": "Reference docs" }, { - "title": "Consul Enterprise", + "title": "CLI Reference", "routes": [ { "title": "Overview", - "path": "enterprise" - }, - { - "title": "Long Term Support (LTS)", - "path": "enterprise/long-term-support" - }, - { - "title": "Admin Partitions", - "path": "enterprise/admin-partitions" + "path": "reference-cli" }, { - "title": "Audit Logging", - "path": "enterprise/audit-logging" + "title": "Agent", + "path": "reference-cli/agent" }, { - "title": "Automated Backups", - "path": "enterprise/backups" - }, - { - "title": "Automated Upgrades", - "path": "enterprise/upgrades" + "title": "Consul", + "href": "/consul/commands" }, { - "title": "Enhanced Read Scalability", - "path": "enterprise/read-scale" + "title": "consul-k8s", + "path": "reference-cli/consul-k8s" }, { - "title": "Fault injection", - "href": "/docs/connect/manage-traffic/fault-injection" - }, + "title": "consul-dataplane", + "path": "reference-cli/consul-dataplane" + } + ] + }, + { + "title": "Error messages", + "routes": [ { - "title": "FIPS", - "path": "enterprise/fips" + "title": "Consul", + "path": "error-messages/consul" }, { - "title": "Single sign-on - OIDC", - "href": "/docs/security/acl/auth-methods/oidc" + "title": "Consul on Kubernetes", + "path": "error-messages/k8s" }, { - "title": "Redundancy Zones", - "path": "enterprise/redundancy" + "title": "Consul-Terraform-Sync (CTS)", + "path": "error-messages/cts" }, { - "title": "Advanced Federation", - "path": "enterprise/federation" - }, + "title": "API gateway", + "path": "error-messages/api-gateway" + } + ] + }, + { + "title": "Configuration reference", + "routes": [ { - "title": "Network Segments", + "title": "Access control lists (ACLs)", "routes": [ { - "title": "Network Segments Overview", - "path": "enterprise/network-segments/network-segments-overview" + "title": "Auth methods", + "routes": [ + { + "title": "AWS IAM", + "path": "reference/acl/auth-method/aws-iam" + }, + { + "title": "JWT", + "path": "reference/acl/auth-method/jwt" + }, + { + "title": "Kubernetes", + "path": "reference/acl/auth-method/k8s" + }, + { + "title": "OIDC", + "path": "reference/acl/auth-method/oidc" + } + ] }, { - "title": "Create a Network Segment", - "path": "enterprise/network-segments/create-network-segment" - } - ] - }, - { - "title": "Namespaces", - "path": "enterprise/namespaces" - }, - { - "title": "NIA with TFE", - "href": "/docs/nia/enterprise" - }, - { - "title": "License", - "routes": [ + "title": "Tokens", + "path": "reference/acl/token" + }, { - "title": "Overview", - "path": "enterprise/license/overview" + "title": "Rules", + "path": "reference/acl/rule" }, { - "title": "Automated entitlement utilization reporting", - "path": "enterprise/license/utilization-reporting" + "title": "Roles", + "path": "reference/acl/role" }, { - "title": "FAQ", - "path": "enterprise/license/faq" + "title": "Policies", + "path": "reference/acl/policy" } ] }, { - "title": "Enterprise to CE downgrade", - "path": "enterprise/ent-to-ce-downgrades" - } - ] - }, - { - "divider": true - }, - { - "title": "Network Infrastructure Automation", - "routes": [ - { - "title": "Overview", - "path": "nia" - }, - { - "title": "Get Started", + "title": "Agent", "routes": [ { - "title": "Installation", - "path": "nia/installation/install" + "title": "Configuration reference", + "path": "reference/agent" }, { - "title": "Configuration", - "path": "nia/installation/configure" + "title": "Telemetry reference", + "path": "reference/agent/telemetry" } ] }, { - "title": "Usage", + "title": "Service", + "path": "reference/service" + }, + { + "title": "Configuration entries", "routes": [ { - "title": "Requirements", - "path": "nia/usage/requirements" + "title": "API gateway", + "path": "reference/config-entry/api-gateway" }, { - "title": "Run Consul-Terraform-Sync", - "path": "nia/usage/run" + "title": "Control plane request limit", + "path": "reference/config-entry/control-plane-request-limit" }, { - "title": "Run Consul-Terraform-Sync with High Availability", - "path": "nia/usage/run-ha" + "title": "Exported services", + "path": "reference/config-entry/exported-services" }, { - "title": "Error Messages", - "path": "nia/usage/errors-ref" - } - ] - }, - { - "title": "Architecture", - "path": "nia/architecture" - }, - { - "title": "API", - "routes": [ + "title": "HTTP route", + "path": "reference/config-entry/http-route" + }, { - "title": "Overview", - "path": "nia/api" + "title": "Ingress gateway", + "path": "reference/config-entry/ingress-gateway" }, { - "title": "Status", - "path": "nia/api/status" + "title": "Inline certificate", + "path": "reference/config-entry/inline-certificate" }, { - "title": "Tasks", - "path": "nia/api/tasks" + "title": "JWT provider", + "path": "reference/config-entry/jwt-provider" }, { - "title": "Health", - "path": "nia/api/health" + "title": "Mesh", + "path": "reference/config-entry/mesh" + }, + { + "title": "Proxy defaults", + "path": "reference/config-entry/proxy-defaults" + }, + { + "title": "Sameness group", + "path": "reference/config-entry/sameness-group" + }, + { + "title": "Service defaults", + "path": "reference/config-entry/service-defaults" + }, + { + "title": "Service intentions", + "path": "reference/config-entry/service-intentions" + }, + { + "title": "Service resolver", + "path": "reference/config-entry/service-resolver" + }, + { + "title": "Service router", + "path": "reference/config-entry/service-router" + }, + { + "title": "Service splitter", + "path": "reference/config-entry/service-splitter" + }, + { + "title": "TCP route", + "path": "reference/config-entry/tcp-route" + }, + { + "title": "Terminating gateways", + "path": "reference/config-entry/terminating-gateway" } ] }, { - "title": "CLI", + "title": "Consul-Terraform-Sync (CTS)", "routes": [ { - "title": "Overview", - "path": "nia/cli" + "title": "Configuration reference", + "path": "reference/cts" }, { - "title": "task", - "path": "nia/cli/task" + "title": "API", + "routes": [ + { + "title": "Overview", + "path": "reference/cts/api" + }, + { + "title": "Status", + "path": "reference/cts/api/status" + }, + { + "title": "Tasks", + "path": "reference/cts/api/tasks" + }, + { + "title": "Health", + "path": "reference/cts/api/health" + } + ] }, { - "title": "start", - "path": "nia/cli/start" + "title": "CLI", + "routes": [ + { + "title": "Overview", + "path": "reference/cts/cli" + }, + { + "title": "task", + "path": "reference/cts/cli/task" + }, + { + "title": "start", + "path": "reference/cts/cli/start" + } + ] } ] }, { - "title": "Configuration", - "path": "nia/configuration" - }, - { - "title": "Tasks", - "path": "nia/tasks" + "title": "Dataplanes", + "path": "reference/dataplane" }, { - "title": "Terraform Modules", - "path": "nia/terraform-modules" + "title": "DNS", + "path": "reference/dns" }, { - "title": "Enterprise", + "title": "ECS", "routes": [ { - "title": "Overview", - "path": "nia/enterprise" - }, - { - "title": "License", - "path": "nia/enterprise/license" + "title": "Task module", + "path": "reference/ecs" }, { - "title": "HCP Terraform Driver", - "href": "/docs/nia/network-drivers/terraform-cloud" + "title": "Server JSON schema", + "path": "reference/ecs/server-json" } ] }, { - "title": "Network Drivers", + "title": "Health checks", + "path": "reference/health-check" + }, + { + "title": "Consul on Kubernetes", "routes": [ { - "title": "Overview", - "path": "nia/network-drivers" + "title": "Annotations and labels", + "path": "reference/k8s/annotation-label" }, { - "title": "Terraform", - "path": "nia/network-drivers/terraform" + "title": "API gateway resources", + "routes": [ + { + "title": "Gateway", + "path": "reference/k8s/api-gateway/gateway" + }, + { + "title": "GatewayClass", + "path": "reference/k8s/api-gateway/gatewayclass" + }, + { + "title": "GatewayClassConfig", + "path": "reference/k8s/api-gateway/gatewayclassconfig" + }, + { + "title": "GatewayPolicy", + "path": "reference/k8s/api-gateway/gatewaypolicy" + }, + { + "title": "RouteAuthFilter", + "path": "reference/k8s/api-gateway/routeauthfilter" + }, + { + "title": "Routes", + "path": "reference/k8s/api-gateway/routes" + }, + { + "title": "RouteRetryFilter", + "path": "reference/k8s/api-gateway/routeretryfilter" + }, + { + "title": "RouteTimeoutFilter", + "path": "reference/k8s/api-gateway/routetimeoutfilter" + }, + { + "title": "MeshService", + "path": "reference/k8s/api-gateway/meshservice" + } + ] }, { - "title": "HCP Terraform", - "path": "nia/network-drivers/hcp-terraform" + "title": "Consul Helm chart", + "path": "reference/k8s/helm" } ] }, { - "title": "Compatibility", - "path": "nia/compatibility" - } - ] - }, - { - "title": "Internals", - "hidden": true, - "routes": [ - { - "title": "Overview", - "path": "internals" + "title": "Namespaces", + "path": "reference/namespace" }, { - "title": "ACL", - "path": "internals/acl" + "title": "Proxies", + "routes": [ + { + "title": "Built-in proxy configuration", + "path": "reference/proxy/built-in" + }, + { + "title": "Connect proxy configuration", + "path": "reference/proxy/connect-proxy" + }, + { + "title": "Envoy configuration", + "path": "reference/proxy/envoy" + }, + { + "title": "Envoy extensions", + "routes": [ + { + "title": "External authorization", + "path": "reference/proxy/extensions/ext-authz" + }, + { + "title": "Open Telemetry", + "path": "reference/proxy/extensions/otel" + }, + { + "title": "Property override", + "path": "reference/proxy/extensions/property-override" + }, + { + "title": "WebAssembly", + "path": "reference/proxy/extensions/wasm" + } + ] + }, + { + "title": "Sidecar proxy configuration", + "path": "reference/proxy/sidecar" + } + ] } ] }, { - "title": "Guides", - "path": "guides", - "hidden": true + "title": "Glossary", + "path": "glossary" } ]