Add network area TLS setting to docs

pull/3274/head
Kyle Havlovitz 2017-07-05 23:05:22 -07:00
parent 86918be323
commit 090414db15
No known key found for this signature in database
GPG Key ID: 8A5E6B173056AD6C
3 changed files with 88 additions and 3 deletions


@ -64,12 +64,16 @@ The table below shows this endpoint's support for
If this list is not supplied, joining can be done with a call to the
[join endpoint](#area-join) once the network area is created.
- `UseTLS` `(bool: <optional>)` - Specifies whether gossip over this area should be
encrypted with TLS if possible.
### Sample Payload
```json
{
"PeerDatacenter": "dc2",
"RetryJoin": [ "10.1.2.3", "10.1.2.4", "10.1.2.5" ]
"RetryJoin": [ "10.1.2.3", "10.1.2.4", "10.1.2.5" ],
"UseTLS": false
}
```
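Review bot: the new `UseTLS` bullet says gossip over the area is encrypted "with TLS if possible" without saying what makes it possible or what happens when it is not; for a security setting the reader needs to know whether this is opportunistic, so state the condition (what has to be configured on the servers at both ends) and whether the area falls back to unencrypted gossip or refuses to join, so that nobody reads `UseTLS: true` as enforcement. The bullet is also marked `<optional>` but gives no default, while the sample payload now sends `"UseTLS": false` explicitly; add the default to the bullet so the sample is not the only hint.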
@ -132,6 +136,49 @@ $ curl \
]
```
## Update Network Area
This endpoint updates a network area to the given configuration.
| Method | Path | Produces |
| ------ | ---------------------------- | -------------------------- |
| `PUT` | `/operator/area/:uuid` | `application/json` |
The table below shows this endpoint's support for
[blocking queries](/api/index.html#blocking-queries),
[consistency modes](/api/index.html#consistency-modes), and
[required ACLs](/api/index.html#acls).
| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ---------------- |
| `NO` | `none` | `operator:write` |
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to
the datacenter of the agent being queried. This is specified as a URL query
parameter.
- `UseTLS` `(bool: <optional>)` - Specifies whether gossip over this area should be
encrypted with TLS if possible.
### Sample Payload
```json
{
"UseTLS": true
}
```
### Sample Request
```text
$ curl \
--request PUT \
--data @payload.json \
https://consul.rocks/v1/operator/area/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
```
## List Specific Network Area
This endpoint lists a specific network area.
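Review bot: the Parameters list for the new Update Network Area endpoint omits the `:uuid` path parameter that appears in the `PUT /operator/area/:uuid` path, and the `dc` description ("Specifies the datacenter to query") reads as if copied from a read endpoint; add a `uuid` entry and reword `dc` for an update. The section also ends at the sample request with no sample response, although the preceding endpoint's sample output is visible just above, and it does not say whether body fields omitted from the PUT are left unchanged or reset; since `UseTLS` is the only body field documented, say explicitly that it is the only updatable setting.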


@ -123,8 +123,11 @@ options are set to `false`. HTTPS for the API can be enabled at this point by
setting the [`https`](/docs/agent/options.html#http_port) port.
2. Perform a rolling restart of each agent in the cluster. After this step, TLS should be enabled
everywhere but the agents will not yet be enforcing TLS.
3. Change the `verify_incoming` and `verify_outgoing` settings (as well as `verify_server_hostname`
3. (Optional, Enterprise-only) If applicable, set the `UseTLS` setting in any network areas to `true`.
This can be done either through the [`consul operator area update`](/docs/commands/operator/area.html)
command or the [Operator API](api/operator/area.html).
4. Change the `verify_incoming` and `verify_outgoing` settings (as well as `verify_server_hostname`
if applicable) to `true`.
4. Perform another rolling restart of each agent in the cluster.
5. Perform another rolling restart of each agent in the cluster.
At this point, full TLS encryption for RPC communication should be enabled.
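Review bot: the link in the new step 3, `(api/operator/area.html)`, is relative while the neighbouring links (`/docs/commands/operator/area.html`, `/docs/agent/options.html#http_port`) are root-relative; it will resolve against the current page's directory and most likely break, so change it to `/api/operator/area.html`. Step 3 would also benefit from one sentence on scope: `UseTLS` is documented elsewhere on this page as encrypting area gossip "if possible", so setting it before the `verify_incoming`/`verify_outgoing` change in step 4 does not by itself enforce encryption on area gossip; say whether the verify settings cover area gossip, or tell the operator how to confirm after the restart in step 5 that the area is actually using TLS.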


@ -42,6 +42,7 @@ Subcommands:
join Join Consul servers into an existing network area
list List network areas
members Display Consul server members present in network areas
update Update the configuration of a network area
```
If ACLs are enabled, the client will need to supply an ACL Token with `operator`
@ -67,6 +68,9 @@ where the area was created, and the peer datacenter. This is required.
* `-retry-join=<value>` Specifies the address of a Consul server to join to, such as an IP
or hostname with an optional port number. This is optional and can be specified multiple times.
* `-use-tls=<value>` Specifies whether gossip over this area should be encrypted with
TLS if possible. Must be either `true` or `false`.
The output looks like this, displaying the ID of the newly-created network area:
```
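Review bot: the new `-use-tls=<value>` bullet says the value "Must be either `true` or `false`" but not what the area gets when the flag is omitted on `create`; state the default here so a reader of the CLI page does not have to cross-reference the API page. As on the API page, "if possible" should also say what makes TLS possible and whether the area otherwise runs unencrypted, since a reader choosing this flag for a security reason needs to know it is not an enforcement switch.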
@ -216,3 +220,34 @@ to the given server, in a human-readable format. This is computed using
[network coordinates](/docs/internals/coordinates.html).
The return code will indicate success or failure.
## update
This command updates the configuration of network area.
Usage: `consul operator area update [options]`
#### API Options
<%= partial "docs/commands/http_api_options_client" %>
<%= partial "docs/commands/http_api_options_server" %>
#### Command Options
* `-id=<value>` - Looks up the area to operate on by its ID. This can be given
instead of a peer datacenter.
* `-peer-datacenter=<value>` - Declares the peer Consul datacenter that will make up the other
side of this network area. Network areas always involve a pair of datacenters: the datacenter
where the area was created, and the peer datacenter. This is required.
* `-use-tls=<value>` Specifies whether gossip over this area should be encrypted with
TLS if possible. Must be either `true` or `false`.
The output looks like this:
```
Updated area "d2872ec5-68ea-b862-b75d-0bee99aca100"
```
The return code will indicate success or failure.
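Review bot: the `-id` and `-peer-datacenter` options in the new `update` section contradict each other: `-id` says it "can be given instead of a peer datacenter" while `-peer-datacenter` says "This is required"; presumably exactly one of the two must be given, so reword both bullets to say that. Smaller points in the same hunk: "updates the configuration of network area" is missing "a"; the `-use-tls` bullet lacks the ` - ` separator the other two bullets use; and `-peer-datacenter` here repeats the `create` wording about a datacenter that "will make up the other side of this network area", but `update` is selecting an existing area rather than defining one, so describe it as a lookup key.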