mirror of https://github.com/hashicorp/consul
Update ingress/terminating gateway ACL docs (#7891)
parent 82c391b75d
commit 3dd8b66aa2
@ -74,9 +74,11 @@ Connect proxy service, to define opaque configuration parameters useful for the
|
||||||
For Envoy there are some supported [gateway options](/docs/connect/proxies/envoy#gateway-options) as well as
|
For Envoy there are some supported [gateway options](/docs/connect/proxies/envoy#gateway-options) as well as
|
||||||
[escape-hatch overrides](/docs/connect/proxies/envoy#escape-hatch-overrides).
|
[escape-hatch overrides](/docs/connect/proxies/envoy#escape-hatch-overrides).
|
||||||
|
|
||||||
-> **Note:** If ACLs are enabled, a token granting `service:write` for the gateway's service name
|
-> **Note:** If ACLs are enabled, ingress gateways must be registered with a token granting `service:write` for the ingress gateway's service name,
|
||||||
and `service:read` for all services in the datacenter. These permissions authorize the token to route
|
`service:read` for all services in the ingress gateway's configuration entry, and `node:read` for all nodes of the services
|
||||||
communications for other Connect services.
|
in the ingress gateway's configuration entry. These privileges authorize the token to route communications to other Connect services.
|
||||||
|
If the Consul client agent on the gateway's node is not configured to use the default gRPC port, 8502, then the gateway's token
|
||||||
|
must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies.
|
||||||
|
|
||||||
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
|
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
|
||||||
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
|
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
|
||||||
|
|
|
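Review bot: the rewritten ingress note scopes `service:read` and `node:read` to the services in the gateway's configuration entry, which is the right least-privilege direction, but "node:read for all nodes of the services in the ingress gateway's configuration entry" is hard to satisfy literally, because the set of nodes hosting a service changes as instances come and go, and the note never shows what the resulting policy looks like. Suggest adding a short policy example under the note, e.g. `service "ingress-gateway" { policy = "write" }`, `service "api" { policy = "read" }`, `node_prefix "" { policy = "read" }`, and stating that a `node_prefix` read rule is the practical way to cover every node a linked service may run on. Minor wording: "These privileges authorize the token to route communications" reads slightly off, since it is the gateway, not the token, that routes; "authorize the gateway to route traffic to" would match the phrasing used in the terminating gateway note.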
@ -100,9 +100,12 @@ Connect proxy service, to define opaque configuration parameters useful for the
|
||||||
For Envoy there are some supported [gateway options](/docs/connect/proxies/envoy#gateway-options) as well as
|
For Envoy there are some supported [gateway options](/docs/connect/proxies/envoy#gateway-options) as well as
|
||||||
[escape-hatch overrides](/docs/connect/proxies/envoy#escape-hatch-overrides).
|
[escape-hatch overrides](/docs/connect/proxies/envoy#escape-hatch-overrides).
|
||||||
|
|
||||||
-> **Note:** If ACLs are enabled, the terminating gateways must be registered with a token granting `service:write`
|
-> **Note:** If ACLs are enabled, terminating gateways must be registered with a token granting `node:read` on the nodes
|
||||||
for the gateway's service name **and** all linked services. These privileges will authorize the gateway
|
of all services in its configuration entry. The token must also grant `service:write` for the terminating gateway's service name **and**
|
||||||
to terminate mTLS connections on behalf of the linked services.
|
the names of all services in the terminating gateway's configuration entry. These privileges will authorize the gateway
|
||||||
|
to terminate mTLS connections on behalf of the linked services and then route the traffic to its final destination.
|
||||||
|
If the Consul client agent on the gateway's node is not configured to use the default gRPC port, 8502, then the gateway's token
|
||||||
|
must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies.
|
||||||
|
|
||||||
Linking services to a terminating gateway is done with a `terminating-gateway`
|
Linking services to a terminating gateway is done with a `terminating-gateway`
|
||||||
[configuration entry](/docs/agent/config-entries/terminating-gateway). This config entry can be applied via the
|
[configuration entry](/docs/agent/config-entries/terminating-gateway). This config entry can be applied via the
|
||||||
|
|
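Review bot: the terminating gateway note now opens with `node:read` and only then reaches `service:write`, which is the rule readers will actually question, since `service:write` on every linked service is a much broader grant than the `service:read` the ingress note asks for; lead with `service:write` so the two notes are parallel, and add one clause on why write rather than read is required (terminating mTLS on behalf of a linked service means the gateway obtains that service's Connect leaf certificate, and the leaf certificate request is gated on `service:write` for that service name), otherwise the reader will assume it is a mistake. The `node:read` wording has the same practical gap as the sentence it replaces: nodes hosting a service change over time, so the text should tell the reader that `node_prefix "" { policy = "read" }` is what to write. Style: the `agent:read`/gRPC port paragraph is copied word for word from the ingress section; acceptable for now, but a single shared note would keep the two from drifting.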