docs: Update code blocks across website

* Use CodeTabs for examples in multiple formats.
* Ensure correct language on code fences.
* Use CodeBlockConfig for examples with filenames, or which need
highlighted content.
pull/10839/head
Blake Covarrubias 2021-07-30 18:37:33 -07:00 committed by hc-github-team-consul-core
parent c41b6189e8
commit 3e8caa4c17
35 changed files with 279 additions and 111 deletions

View File

@ -210,7 +210,7 @@ $ curl \
### Sample Response
```json
```text
true
```

View File

@ -204,7 +204,7 @@ The table below shows this endpoint's support for
### Sample Payload
```text
```hcl
agent "" {
policy = "read"
}
@ -218,7 +218,7 @@ $ curl -X POST -d @rules.hcl http://127.0.0.1:8500/v1/acl/rules/translate
### Sample Response
```text
```hcl
agent_prefix "" {
policy = "read"
}
@ -257,7 +257,7 @@ $ curl -X GET http://127.0.0.1:8500/v1/acl/rules/translate/4f48f7e6-9359-4890-8e
### Sample Response
```text
```hcl
agent_prefix "" {
policy = "read"
}

View File

@ -601,7 +601,7 @@ $ curl \
### Sample Response
```text
```log
YYYY/MM/DD HH:MM:SS [INFO] raft: Initial configuration (index=1): [{Suffrage:Voter ID:127.0.0.1:8300 Address:127.0.0.1:8300}]
YYYY/MM/DD HH:MM:SS [INFO] raft: Node at 127.0.0.1:8300 [Follower] entering Follower state (Leader: "")
YYYY/MM/DD HH:MM:SS [INFO] serf: EventMemberJoin: machine-osx 127.0.0.1

View File

@ -213,7 +213,7 @@ The table below shows this endpoint's support for
### Sample Payload
```text
```json
{
"Node": "agent-one",
"Segment": "",

View File

@ -33,7 +33,7 @@ leader and starting saving snapshots.
As snapshots are saved, they will be reported in the log produced by the agent:
```text
```log
2016/11/16 21:21:13 [INFO] Snapshot agent running
2016/11/16 21:21:13 [INFO] Waiting to obtain leadership...
2016/11/16 21:21:13 [INFO] Obtained leadership
@ -67,8 +67,7 @@ If ACLs are enabled the following privileges are required:
The following is a example least privilege policy which allows the snapshot agent
to run on a node named `server-1234`.
<Tabs>
<Tab heading="HCL">
<CodeTabs>
```hcl
# Required to read and snapshot ACL data
@ -89,9 +88,6 @@ service "consul-snapshot" {
}
```
</Tab>
<Tab heading="JSON">
```json
{
"acl": "write",
@ -113,8 +109,7 @@ service "consul-snapshot" {
}
```
</Tab>
</Tabs>
</CodeTabs>
Additional `session` rules should be created, or `session_prefix` used, if the
snapshot agent is deployed across more than one host.

View File

@ -63,7 +63,9 @@ create and update configuration entries. This command will load either a JSON or
HCL file holding the configuration entry definition and then will push this
configuration to Consul.
Example HCL Configuration File - `proxy-defaults.hcl`:
Example HCL Configuration File:
<CodeBlockConfig filename="proxy-defaults.hcl">
```hcl
Kind = "proxy-defaults"
@ -74,6 +76,8 @@ Config {
}
```
</CodeBlockConfig>
Then to apply this configuration, run:
```shell-session

View File

@ -534,7 +534,7 @@ definitions support being updated during a reload.
#### Example Configuration File
```javascript
```json
{
"datacenter": "east-aws",
"data_dir": "/opt/consul",
@ -1093,24 +1093,19 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
within a double quoted string value must be escaped with a backslash `\`.
Some example templates:
<Tabs>
<Tab heading="HCL">
<CodeTabs>
```hcl
bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr \"address\" }}"
```
</Tab>
<Tab heading="JSON">
```json
{
"bind_addr": "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr \"address\" }}"
}
```
</Tab>
</Tabs>
</CodeTabs>
- `cache` configuration for client agents. The configurable values are the following:
@ -2295,7 +2290,7 @@ signed by the CA can be used to gain full access to Consul.
encryption and authentication. Failing to set [`verify_incoming`](#verify_incoming) or [`verify_outgoing`](#verify_outgoing)
will result in TLS not being enabled at all, even when specifying a [`ca_file`](#ca_file), [`cert_file`](#cert_file), and [`key_file`](#key_file).
```javascript
```json
{
"datacenter": "east-aws",
"data_dir": "/opt/consul",
@ -2319,7 +2314,7 @@ will result in TLS not being enabled at all, even when specifying a [`ca_file`](
See, especially, the use of the `ports` setting:
```javascript
```json
"ports": {
"https": 8501
}

View File

@ -41,7 +41,7 @@ format or using [Prometheus](https://prometheus.io/) format.
Below is sample output of a telemetry dump:
```text
```log
[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.num_goroutines': 19.000
[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.alloc_bytes': 755960.000
[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.malloc_count': 7550.000

View File

@ -23,7 +23,7 @@ To get started with the built-in proxy and see a working example you can follow
Below is a complete example of all the configuration options available
for the built-in proxy.
```javascript
```json
{
"service": {
...

View File

@ -385,8 +385,7 @@ To connect to a service via local Unix Domain Socket instead of a
port, add `local_bind_socket_path` and optionally `local_bind_socket_mode`
to the upstream config for a service:
<Tabs>
<Tab heading="HCL">
<CodeTabs>
```hcl
upstreams = [
@ -398,9 +397,6 @@ upstreams = [
]
```
</Tab>
<Tab heading="JSON">
```json
"upstreams": [
{
@ -411,8 +407,7 @@ upstreams = [
]
```
</Tab>
</Tabs>
</CodeTabs>
This will cause Envoy to create a socket with the path and mode
provided, and connect that to service-1.
@ -431,8 +426,8 @@ mesh, use either the `socket_path` field in the service definition or the
`local_service_socket_path` field in the proxy definition. These
fields are analogous to the `port` and `service_port` fields in their
respective locations.
<Tabs>
<Tab heading="HCL">
<CodeTabs>
```hcl
services {
@ -441,9 +436,6 @@ services {
}
```
</Tab>
<Tab heading="JSON">
```json
"services": {
"name": "service-2",
@ -451,11 +443,11 @@ services {
}
```
</Tab>
</Tabs>
</CodeTabs>
Or in the proxy definition:
<Tabs>
<Tab heading="HCL">
<CodeTabs>
```hcl
services {
@ -472,9 +464,6 @@ services {
}
```
</Tab>
<Tab heading="JSON">
```json
"services": {
"name": "socket_service_2",
@ -490,8 +479,7 @@ services {
}
```
</Tab>
</Tabs>
</CodeTabs>
There is no mode field since the service is expected to create the
socket it is listening on, not the Envoy proxy.

View File

@ -141,7 +141,7 @@ There are several different kinds of checks:
A script check:
```javascript
```json
{
"check": {
"id": "mem-util",
@ -155,7 +155,7 @@ A script check:
A HTTP check:
```javascript
```json
{
"check": {
"id": "api",
@ -174,7 +174,7 @@ A HTTP check:
A TCP check:
```javascript
```json
{
"check": {
"id": "ssh",
@ -188,7 +188,7 @@ A TCP check:
A TTL check:
```javascript
```json
{
"check": {
"id": "web-app",
@ -201,7 +201,7 @@ A TTL check:
A Docker check:
```javascript
```json
{
"check": {
"id": "mem-util",
@ -216,7 +216,7 @@ A Docker check:
A gRPC check for the whole application:
```javascript
```json
{
"check": {
"id": "mem-util",
@ -230,7 +230,7 @@ A gRPC check for the whole application:
A gRPC check for the specific `my_service` service:
```javascript
```json
{
"check": {
"id": "mem-util",
@ -244,7 +244,7 @@ A gRPC check for the specific `my_service` service:
A h2ping check:
```javascript
```json
{
"check": {
"id": "h2ping-check",
@ -257,7 +257,7 @@ A h2ping check:
An alias check for a local service:
```javascript
```json
{
"check": {
"id": "web-alias",
@ -340,7 +340,7 @@ to be healthy. In certain cases, it may be desirable to specify the initial
state of a health check. This can be done by specifying the `status` field in a
health check definition, like so:
```javascript
```json
{
"check": {
"id": "mem",
@ -361,7 +361,7 @@ that the status of the health check will only affect the health status of the
given service instead of the entire node. Service-bound health checks may be
provided by adding a `service_id` field to a check configuration:
```javascript
```json
{
"check": {
"id": "web-app",
@ -387,7 +387,7 @@ to use the agent's credentials when configured for TLS.
Multiple check definitions can be defined using the `checks` (plural)
key in your configuration file.
```javascript
```json
{
"checks": [
{

View File

@ -33,7 +33,7 @@ using the [HTTP API](/api).
A service definition is a configuration that looks like the following. This
example shows all possible fields, but note that only a few are required.
```javascript
```json
{
"service": {
"id": "redis",
@ -281,7 +281,7 @@ Multiple services definitions can be provided at once when registering services
via the agent configuration by using the plural `services` key (registering
multiple services in this manner is not supported using the HTTP API).
```javascript
```json
{
"services": [
{

View File

@ -126,7 +126,7 @@ This maps to the `/v1/kv/` API internally.
Here is an example configuration:
```javascript
```json
{
"type": "key",
"key": "foo/bar/baz",

View File

@ -45,8 +45,7 @@ The following example configures a destination called "My Sink" which stores aud
events at the file `/tmp/audit.json`. The log file will be rotated either every
24 hours, or when the log file size is greater than 25165824 bytes (24 megabytes).
<Tabs>
<Tab heading="HCL">
<CodeTabs>
```hcl
audit {
@ -62,8 +61,6 @@ audit {
}
}
```
</Tab>
<Tab heading="JSON">
```json
{
@ -83,8 +80,8 @@ audit {
}
}
```
</Tab>
</Tabs>
</CodeTabs>
</Tab>
<Tab heading="Log to standard out">
@ -93,8 +90,7 @@ audit {
The following example configures a destination called "My Sink" which emits audit
logs to standard out.
<Tabs>
<Tab heading="HCL">
<CodeTabs>
```hcl
audit {
@ -107,8 +103,6 @@ audit {
}
}
```
</Tab>
<Tab heading="JSON">
```json
{
@ -126,8 +120,8 @@ audit {
}
```
</Tab>
</Tabs>
</CodeTabs>
</Tab>
</Tabs>
@ -143,6 +137,8 @@ request.
The value of the `payload.auth.accessor_id` field is the accessor ID of the
[ACL token](/docs/security/acl/acl-system#acl-tokens) which issued the request.
<CodeBlockConfig highlight="10">
```json
{
"created_at": "2020-12-08T12:30:29.196365-05:00",
@ -169,10 +165,14 @@ The value of the `payload.auth.accessor_id` field is the accessor ID of the
}
```
</CodeBlockConfig>
After the request is processed, a corresponding log entry is written for the HTTP
response. The `stage` field is set to `OperationComplete` which indicates the agent
has completed processing the request.
<CodeBlockConfig highlight="24">
```json
{
"created_at": "2020-12-08T12:30:29.202935-05:00",
@ -201,3 +201,5 @@ has completed processing the request.
}
}
```
</CodeBlockConfig>

View File

@ -29,7 +29,7 @@ The HTTP API accepts only JSON formatted definitions while the CLI will parse ei
An example namespace definition looks like the following:
JSON:
<CodeTabs>
```json
{
@ -59,8 +59,6 @@ JSON:
}
```
HCL:
```hcl
Name = "team-1"
Description = "Namespace for Team 1"
@ -87,6 +85,8 @@ Meta {
}
```
</CodeTabs>
### Fields
- `Name` `(string: <required>)` - The namespaces name must be a valid DNS hostname label.

View File

@ -45,7 +45,7 @@ or specify no value at all on all the servers. Only servers that specify a value
Suppose we are starting a three server cluster. We can start `Node A`, `Node B`, and `Node C` with each
providing the `-bootstrap-expect 3` flag. Once the nodes are started, you should see a warning message in the service output.
```text
```log
[WARN] raft: EnableSingleNode disabled, and no known peers. Aborting election.
```
@ -82,7 +82,7 @@ Successfully joined cluster by contacting 3 nodes.
Since a join operation is symmetric, it does not matter which node initiates it. Once the join is successful, one of the nodes will output something like:
```text
```log
[INFO] consul: adding server foo (Addr: 127.0.0.2:8300) (DC: dc1)
[INFO] consul: adding server bar (Addr: 127.0.0.1:8300) (DC: dc1)
[INFO] consul: Attempting bootstrap with nodes: [127.0.0.3:8300 127.0.0.2:8300 127.0.0.1:8300]

View File

@ -41,8 +41,9 @@ segment you wish to join.
For example, given the following segment configuration on the server agents:
<CodeBlockConfig filename="server-config.hcl">
```hcl
# server-config.hcl
segments = [
{
name = "alpha"
@ -59,6 +60,8 @@ segments = [
]
```
</CodeBlockConfig>
A Consul client agent wishing to join the "alpha" segment would need to be configured
to use port `8303` as its Serf LAN port prior to attempting to join the cluster.
@ -68,13 +71,16 @@ to use port `8303` as its Serf LAN port prior to attempting to join the cluster.
The following example configuration overrides the default Serf LAN port using the
[`ports.serf_lan`](/docs/agent/options#serf_lan_port) configuration option.
<CodeBlockConfig filename="client-config.hcl">
```hcl
# client-config.hcl
ports {
serf_lan = 8303
}
```
</CodeBlockConfig>
</Tab>
<Tab heading="Command-line flag">

View File

@ -30,7 +30,7 @@ This is necessary because at this point, there are no other servers running in
the datacenter! Lets call this first server `Node A`. When starting `Node A`
something like the following will be logged:
```text
```log
2014/02/22 19:23:32 [INFO] consul: cluster leadership acquired
```
@ -43,7 +43,7 @@ in a failure scenario. We start the next servers **without** specifying
bootstrap mode. Once `Node B` and `Node C` are started, you should see a
message to the effect of:
```text
```log
[WARN] raft: EnableSingleNode disabled, and no known peers. Aborting election.
```
@ -66,7 +66,7 @@ Successfully joined cluster by contacting 2 nodes.
Once the join is successful, `Node A` should output something like:
```text
```log
[INFO] raft: Added peer 127.0.0.2:8300, starting replication
....
[INFO] raft: Added peer 127.0.0.3:8300, starting replication

View File

@ -32,7 +32,7 @@ expense of some performance in leader failure detection and leader election time
The default performance configuration is equivalent to this:
```javascript
```json
{
"performance": {
"raft_multiplier": 5
@ -50,7 +50,7 @@ timeouts by a factor of 5, so it can be quite slow during these events.
The high performance configuration is simple and looks like this:
```javascript
```json
{
"performance": {
"raft_multiplier": 1

View File

@ -89,8 +89,9 @@ $ kubectl create secret generic vault-config --from-file=config=vault-config.jso
We will provide this secret and the Vault CA secret, to the Consul server via the
`server.extraVolumes` Helm value.
<CodeBlockConfig filename="config.yaml" highlight="4-13">
```yaml
# config.yaml
global:
name: consul
server:
@ -108,6 +109,8 @@ connectInject:
enabled: true
```
</CodeBlockConfig>
Finally, [install](/docs/k8s/installation/install#installing-consul) the Helm chart using the above config file:
```shell-session

View File

@ -26,6 +26,8 @@ Adding an ingress gateway is a multi-step process that consists of the following
When deploying the Helm chart you must provide Helm with a custom YAML file that contains your environment configuration.
<CodeBlockConfig filename="config.yaml">
```yaml
global:
name: consul
@ -41,6 +43,8 @@ ingressGateways:
type: LoadBalancer
```
</CodeBlockConfig>
~> **Note:** this will create a public unauthenticated LoadBalancer in your cluster, please take appropriate security considerations.
The YAML snippet is the launching point for a valid configuration that must be supplied when installing using the [official consul-helm chart](https://hub.helm.sh/charts/hashicorp/consul).
@ -66,6 +70,8 @@ you can configure the gateways via the [`IngressGateway`](/docs/connect/config-e
Here is an example `IngressGateway` resource:
<CodeBlockConfig filename="ingress-gateway.yaml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
@ -79,6 +85,8 @@ spec:
- name: static-server
```
</CodeBlockConfig>
Apply the `IngressGateway` resource with `kubectl apply`:
```shell-session
@ -89,6 +97,8 @@ ingressgateway.consul.hashicorp.com/ingress-gateway created
Since we're using `protocol: http`, we also need to set the protocol of our service
`static-server` to http. To do that, we create a [`ServiceDefaults`](/docs/connect/config-entries/service-defaults) custom resource:
<CodeBlockConfig filename="service-defaults.yaml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
@ -98,6 +108,8 @@ spec:
protocol: http
```
</CodeBlockConfig>
Apply the `ServiceDefaults` resource with `kubectl apply`:
```shell-session
@ -137,6 +149,8 @@ to allow the ingress gateway to route to the upstream services defined in the `I
To create an intention that allows the ingress gateway to route to the service `static-server`, create a [`ServiceIntentions`](/docs/connect/config-entries/service-intentions)
resource:
<CodeBlockConfig filename="service-intentions.yaml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
@ -150,6 +164,8 @@ spec:
action: allow
```
</CodeBlockConfig>
Apply the `ServiceIntentions` resource with `kubectl apply`:
```shell-session
@ -163,6 +179,8 @@ For detailed instructions on how to configure zero-trust networking with intenti
Now you will deploy a sample application which echoes “hello world”
<CodeBlockConfig filename="static-server.yaml">
```yaml
apiVersion: v1
kind: Service
@ -210,6 +228,8 @@ spec:
serviceAccountName: static-server
```
</CodeBlockConfig>
```shell-session
$ kubectl apply -f static-server.yaml
```
@ -233,7 +253,9 @@ $ curl -H "Host: static-server.ingress.consul" "http://$EXTERNAL_IP:8080"
~> **Security Warning:** Please be sure to delete the application and services created here as they represent a security risk through
leaving an open and unauthenticated load balancer alive in your cluster.
To delete the ingress gateway, set enabled to false in your Helm configuration:
To delete the ingress gateway, set enabled to `false` in your Helm configuration:
<CodeBlockConfig filename="config.yaml" highlight="8">
```yaml
global:
@ -250,6 +272,8 @@ ingressGateways:
type: LoadBalancer
```
</CodeBlockConfig>
And run Helm upgrade:
```shell-session

View File

@ -21,6 +21,8 @@ Adding a terminating gateway is a multi-step process:
Minimum required Helm options:
<CodeBlockConfig filename="config.yaml">
```yaml
global:
name: consul
@ -32,6 +34,8 @@ terminatingGateways:
enabled: true
```
</CodeBlockConfig>
## Deploying the Helm chart
Ensure you have the latest consul-helm chart and install Consul via helm using the following
@ -91,6 +95,8 @@ service to that node.
Create a sample external service and register it with Consul.
<CodeBlockConfig filename="external.json">
```json
{
"Node": "example_com",
@ -108,6 +114,8 @@ Create a sample external service and register it with Consul.
}
```
</CodeBlockConfig>
- `"Node": "example_com"` is our made up node name.
- `"Address": "example.com"` is the address of our node. Services registered to that node will use this address if
their own address isn't specified. If you're registering multiple external services, ensure you
@ -141,12 +149,16 @@ being represented by the gateway:
~> The CLI command should be run with the `-merge-policies`, `-merge-roles` and `-merge-service-identities` so
nothing is removed from the terminating gateway token
<CodeBlockConfig filename="write-policy.hcl">
```hcl
service "example-https" {
policy = "write"
}
```
</CodeBlockConfig>
```shell-session
$ consul acl policy create -name "example-https-write-policy" -rules @write-policy.hcl
ID: xxxxxxxxxxxxxxx
@ -186,7 +198,9 @@ Policies:
Once the tokens have been updated, create the [TerminatingGateway](/docs/connect/config-entries/terminating-gateway)
resource to configure the terminating gateway:
```hcl
<CodeBlockConfig filename="terminating-gateway.yaml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: TerminatingGateway
metadata:
@ -197,6 +211,8 @@ spec:
caFile: /etc/ssl/cert.pem
```
</CodeBlockConfig>
~> If TLS is enabled a `caFile` must be provided, it must point to the system trust store of the terminating gateway
container (`/etc/ssl/cert.pem`).
@ -208,6 +224,8 @@ $ kubectl apply -f terminating-gateway.yaml
If using ACLs and TLS, create a [`ServiceIntentions`](/docs/connect/config-entries/service-intentions) resource to allow access from services in the mesh to the external service
<CodeBlockConfig filename="service-intentions.yaml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
@ -221,6 +239,8 @@ spec:
action: allow
```
</CodeBlockConfig>
Apply the `ServiceIntentions` resource with `kubectl apply`:
```shell-session
@ -232,6 +252,8 @@ $ kubectl apply -f service-intentions.yaml
Finally define and deploy the external services as upstreams for the internal mesh services that wish to talk to them.
An example deployment is provided which will serve as a static client for the terminating gateway service.
<CodeBlockConfig filename="static-client.yaml">
```yaml
apiVersion: v1
kind: Service
@ -274,6 +296,8 @@ spec:
serviceAccountName: static-client
```
</CodeBlockConfig>
Run the service via `kubectl apply`:
```shell-session

View File

@ -49,6 +49,8 @@ Update Complete. ⎈Happy Helming!⎈
Next, you must configure consul-helm via your `values.yaml` to install the custom resource definitions
and enable the controller that acts on them:
<CodeBlockConfig filename="values.yaml" highlight="4-5,7-8">
```yaml
global:
name: consul
@ -60,6 +62,8 @@ connectInject:
enabled: true
```
</CodeBlockConfig>
Note that:
1. `controller.enabled: true` installs the CRDs and enables the controller.
@ -215,6 +219,8 @@ name of the resource doesn't matter. For other resources, the name of the resour
determines which service it configures. For example, this resource configures
the service `web`:
<CodeBlockConfig highlight="4">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
@ -224,11 +230,15 @@ spec:
protocol: http
```
</CodeBlockConfig>
For `ServiceIntentions`, because we need to support the ability to create
wildcard intentions (e.g. `foo => * (allow)` meaning that `foo` can talk to **any** service),
and because `*` is not a valid Kubernetes resource name, we instead use the field `spec.destination.name`
to configure the destination service for the intention:
<CodeBlockConfig highlight="6-8,18-20">
```yaml
# foo => * (allow)
apiVersion: consul.hashicorp.com/v1alpha1
@ -255,6 +265,8 @@ spec:
action: allow
```
</CodeBlockConfig>
~> **NOTE:** If two `ServiceIntentions` resources set the same `spec.destination.name`, the
last one created will not be synced.
@ -275,6 +287,8 @@ The details on each configuration are:
This is configured via [`connectInject.consulNamespaces`](/docs/k8s/helm#v-connectinject-consulnamespaces):
<CodeBlockConfig highlight="6-7">
```yaml
global:
name: consul
@ -285,6 +299,8 @@ The details on each configuration are:
mirroringK8S: true
```
</CodeBlockConfig>
1. **Mirroring with prefix** - The Kubernetes namespace will be "mirrored" into Consul
with a prefix added to the Consul namespace, i.e.
if the prefix is `k8s-` then service `web` in Kubernetes namespace `web-ns` will be registered as service `web`
@ -293,6 +309,8 @@ The details on each configuration are:
This is configured via [`connectInject.consulNamespaces`](/docs/k8s/helm#v-connectinject-consulnamespaces):
<CodeBlockConfig highlight="8">
```yaml
global:
name: consul
@ -304,6 +322,8 @@ The details on each configuration are:
mirroringK8SPrefix: k8s-
```
</CodeBlockConfig>
1. **Single destination namespace** - The Kubernetes namespace is ignored and all services
will be registered into the same Consul namespace, i.e. if the destination Consul
namespace is `my-ns` then service `web` in Kubernetes namespace `web-ns` will
@ -317,6 +337,8 @@ The details on each configuration are:
This is configured via [`connectInject.consulNamespaces`](/docs/k8s/helm#v-connectinject-consulnamespaces):
<CodeBlockConfig highlight="7">
```yaml
global:
name: consul
@ -327,6 +349,8 @@ The details on each configuration are:
consulDestinationNamespace: 'my-ns'
```
</CodeBlockConfig>
~> **NOTE:** In this configuration, if two custom resources of the same kind **and** the same name are attempted to
be created in two Kubernetes namespaces, the last one created will not be synced.
@ -337,6 +361,8 @@ name of the resource doesn't matter. For other resources, the name of the resour
determines which service it configures. For example, this resource configures
the service `web`:
<CodeBlockConfig highlight="4">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
@ -346,11 +372,15 @@ spec:
protocol: http
```
</CodeBlockConfig>
For `ServiceIntentions`, because we need to support the ability to create
wildcard intentions (e.g. `foo => * (allow)` meaning that `foo` can talk to **any** service),
and because `*` is not a valid Kubernetes resource name, we instead use the field `spec.destination.name`
to configure the destination service for the intention:
<CodeBlockConfig highlight="6-8,18-20">
```yaml
# foo => * (allow)
apiVersion: consul.hashicorp.com/v1alpha1
@ -377,6 +407,8 @@ spec:
action: allow
```
</CodeBlockConfig>
In addition, we support the field `spec.destination.namespace` to configure
the destination service's Consul namespace. If `spec.destination.namespace`
is empty, then the Consul namespace used will be the same as the other

View File

@ -141,6 +141,8 @@ in full cluster rebuilds.
To verify DNS works, run a simple job to query DNS. Save the following
job to the file `job.yaml` and run it:
<CodeBlockConfig filename="job.yaml">
```yaml
apiVersion: batch/v1
kind: Job
@ -157,6 +159,8 @@ spec:
backoffLimit: 4
```
</CodeBlockConfig>
```shell-session
$ kubectl apply -f job.yaml
```

View File

@ -21,16 +21,20 @@ kubectl create secret generic consul-ent-license --from-literal="key=${secret}"
In your `config.yaml`, change the value of `global.image` to one of the enterprise [release tags](https://hub.docker.com/r/hashicorp/consul-enterprise/tags).
<CodeBlockConfig filename="config.yaml" highlight="2">
```yaml
# config.yaml
global:
image: 'hashicorp/consul-enterprise:1.10.0-ent'
```
</CodeBlockConfig>
Add the name and key of the secret you just created to `server.enterpriseLicense`, if using Consul version 1.10+.
<CodeBlockConfig filename="config.yaml" highlight="4-6">
```yaml
# config.yaml
global:
image: 'hashicorp/consul-enterprise:1.10.0-ent'
server:
@ -39,12 +43,15 @@ server:
secretKey: 'key'
```
</CodeBlockConfig>
If the version of Consul is < 1.10, use the following config with the name and key of the secret you just created.
-> **Note:** The value of `server.enterpriseLicense.enableLicenseAutoload` must be set to `false`.
<CodeBlockConfig filename="config.yaml" highlight="7">
```yaml
# config.yaml
global:
image: 'hashicorp/consul-enterprise:1.8.3-ent'
server:
@ -54,6 +61,8 @@ server:
enableLicenseAutoload: false
```
</CodeBlockConfig>
Now run `helm install`:
```shell-session

View File

@ -27,8 +27,9 @@ example above, a fake [cloud auto-join](/docs/agent/cloud-auto-join)
value is specified. This should be set to resolve to the proper addresses of
your existing Consul cluster.
<CodeBlockConfig filename="config.yaml">
```yaml
# config.yaml
global:
enabled: false
@ -41,6 +42,8 @@ client:
- 'provider=my-cloud config=val ...'
```
</CodeBlockConfig>
-> **Networking:** Note that for the Kubernetes nodes to join an existing
cluster, the nodes (and specifically the agent pods) must be able to connect
to all other server and client agents inside and _outside_ of Kubernetes over [LAN](/docs/glossary#lan-gossip).
@ -63,6 +66,8 @@ If you would like to use this feature with external Consul servers, you need to
so that it can retrieve the clients' CA to use for securing the rest of the cluster.
To do that, you must add the following values, in addition to the values mentioned above:
<CodeBlockConfig filename="config.yaml" highlight="2-8">
```yaml
global:
tls:
@ -74,6 +79,8 @@ externalServers:
- 'provider=my-cloud config=val ...'
```
</CodeBlockConfig>
In most cases, `externalServers.hosts` will be the same as `client.join`, however, both keys must be set because
they are used for different purposes: one for Serf LAN and the other for HTTPS connections.
Please see the [reference documentation](/docs/k8s/helm#v-externalservers-hosts)
@ -99,6 +106,8 @@ kubectl create secret generic bootstrap-token --from-literal='token=<your bootst
Then provide that secret to the Helm chart:
<CodeBlockConfig filename="config.yaml" highlight="4-6">
```yaml
global:
acls:
@ -108,6 +117,8 @@ global:
secretKey: token
```
</CodeBlockConfig>
The bootstrap token requires the following minimal permissions:
- `acl:write`
@ -120,6 +131,8 @@ to create policies, tokens, and an auth method. If you are [enabling Consul Conn
so that the Consul servers can validate a Kubernetes service account token when using the [Kubernetes auth method](/docs/acl/auth-methods/kubernetes)
with `consul login`.
<CodeBlockConfig filename="config.yaml">
```yaml
externalServers:
enabled: true
@ -128,8 +141,12 @@ externalServers:
k8sAuthMethodHost: 'https://kubernetes.example.com:443'
```
</CodeBlockConfig>
Your resulting Helm configuration will end up looking similar to this:
<CodeBlockConfig filename="config.yaml">
```yaml
global:
enabled: false
@ -152,11 +169,15 @@ externalServers:
k8sAuthMethodHost: 'https://kubernetes.example.com:443'
```
</CodeBlockConfig>
### Bootstrapping ACLs via the Helm chart
If you would like the Helm chart to call the bootstrapping API and set the server tokens for you, then the steps are similar.
The only difference is that you don't need to set the bootstrap token. The Helm chart will save the bootstrap token as a Kubernetes secret.
<CodeBlockConfig filename="config.yaml">
```yaml
global:
enabled: false
@ -175,3 +196,5 @@ externalServers:
- 'provider=my-cloud config=val ...'
k8sAuthMethodHost: 'https://kubernetes.example.com:443'
```
</CodeBlockConfig>

View File

@ -21,8 +21,9 @@ to pods or nodes in another.
First, we will deploy the Consul servers with Consul clients in the first cluster.
For that, we will use the following Helm configuration:
<CodeBlockConfig filename="cluster1-config.yaml">
```yaml
# cluster1-config.yaml
global:
datacenter: dc1
tls:
@ -42,6 +43,8 @@ ui:
type: NodePort
```
</CodeBlockConfig>
Note that we are deploying in a secure configuration, with gossip encryption,
TLS for all components, and ACLs. We are enabling the Consul Service Mesh and the controller for CRDs
so that we can use them to later verify that our services can connect with each other across clusters.
@ -88,8 +91,9 @@ $ kubectl apply -f cluster1-credentials.yaml
```
To deploy in the second cluster, we will use the following Helm configuration:
<CodeBlockConfig filename="cluster2-config.yaml" highlight="6-11,15-17">
```yaml
# cluster2-config.yaml
global:
enabled: false
datacenter: dc1
@ -127,6 +131,8 @@ connectInject:
enabled: true
```
</CodeBlockConfig>
Note that we're referencing secrets from the first cluster in ACL, gossip, and TLS configuration.
Next, we need to set up the `externalServers` configuration.
@ -182,13 +188,15 @@ helm install cluster2 -f cluster2-config.yaml hashicorp/consul
## Verifying the Consul Service Mesh works
~> When Transparent proxy is enabled, services in one Kubernetes cluster that need to communicate with a service in another Kubernetes cluster must have a explicit upstream configured through the ["consul.hashicorp.com/connect-service-upstreams"](https://www.consul.io/docs/k8s/connect#consul-hashicorp-com-connect-service-upstreams) annotation.
~> When Transparent proxy is enabled, services in one Kubernetes cluster that need to communicate with a service in another Kubernetes cluster must have a explicit upstream configured through the ["consul.hashicorp.com/connect-service-upstreams"](https://www.consul.io/docs/k8s/connect#consul-hashicorp-com-connect-service-upstreams) annotation.
Now that we have our Consul cluster in multiple k8s clusters up and running, we will
deploy two services and verify that they can connect to each other.
First, we'll deploy `static-server` service in the first cluster:
<CodeBlockConfig filename="static-server.yaml">
```yaml
---
apiVersion: consul.hashicorp.com/v1alpha1
@ -249,10 +257,14 @@ spec:
serviceAccountName: static-server
```
</CodeBlockConfig>
Note that we're defining a Service intention so that our services are allowed to talk to each other.
Then we'll deploy `static-client` in the second cluster with the following configuration:
<CodeBlockConfig filename="static-client.yaml">
```yaml
apiVersion: v1
kind: Service
@ -295,6 +307,8 @@ spec:
serviceAccountName: static-client
```
</CodeBlockConfig>
Once both services are up and running, we can connect to the `static-server` from `static-client`:
```shell

View File

@ -98,8 +98,9 @@ or by reading the [Helm Chart Reference](/docs/k8s/helm).
For example, if you want to enable the [Consul Connect](/docs/k8s/connect) feature,
use the following config file:
<CodeBlockConfig filename="config.yaml">
```yaml
# config.yaml
global:
name: consul
connectInject:
@ -108,6 +109,8 @@ controller:
enabled: true
```
</CodeBlockConfig>
Once you've created your `config.yaml` file, run `helm install` with the `-f` flag:
```shell-session
@ -218,6 +221,8 @@ spec:
An example `Deployment` is also shown below to show how the host IP can
be accessed from nested pod specifications:
<CodeBlockConfig highlight="18-28">
```yaml
apiVersion: apps/v1
kind: Deployment
@ -249,6 +254,8 @@ spec:
consul kv put hello world
```
</CodeBlockConfig>
## Architecture
Consul runs on Kubernetes with the same

View File

@ -34,6 +34,8 @@ support federation, see [Upgrading An Existing Cluster](#upgrading-an-existing-c
You will need to use the following `config.yaml` file for your primary cluster,
with the possible modifications listed below.
<CodeBlockConfig filename="config.yaml">
```yaml
global:
name: consul
@ -77,11 +79,15 @@ meshGateway:
enabled: true
```
</CodeBlockConfig>
Modifications:
1. The Consul datacenter name is `dc1`. The datacenter name in each federated
cluster **must be unique**.
1. ACLs are enabled in the above config file. They can be disabled by setting:
```yaml
global:
acls:
@ -125,6 +131,8 @@ to install Consul on your primary cluster.
If you have an existing cluster, you will need to upgrade it to ensure it has
the following config:
<CodeBlockConfig filename="config.yaml">
```yaml
global:
tls:
@ -139,6 +147,8 @@ meshGateway:
enabled: true
```
</CodeBlockConfig>
1. `global.tls.enabled` must be `true`. See [Configuring TLS on an Existing Cluster](/docs/k8s/operations/tls-on-existing-cluster)
for more information on safely upgrading a cluster to use TLS.
@ -200,12 +210,16 @@ The federation secret is a Kubernetes secret containing information needed
for secondary datacenters/clusters to federate with the primary. This secret is created
automatically by setting:
<CodeBlockConfig highlight="2-3">
```yaml
global:
federation:
createFederationSecret: true
```
</CodeBlockConfig>
After the installation into your primary cluster you will need to export
this secret:
@ -291,6 +305,8 @@ with the possible modifications listed below.
-> **NOTE: ** You must use a separate Helm config file for each cluster (primary and secondaries) since their
settings are different.
<CodeBlockConfig filename="config-cluster2.yaml">
```yaml
global:
name: consul
@ -340,6 +356,8 @@ server:
load: true
```
</CodeBlockConfig>
Modifications:
1. The Consul datacenter name is `dc2`. The primary datacenter's name was `dc1`.

View File

@ -74,13 +74,16 @@ The following sections detail how to export this data.
1. These certificates can be used in your server config file:
<CodeBlockConfig filename="server.hcl">
```hcl
# server.hcl
cert_file = "vm-dc-server-consul-0.pem"
key_file = "vm-dc-server-consul-0-key.pem"
ca_file = "consul-agent-ca.pem"
```
</CodeBlockConfig>
1. For clients, you can generate TLS certs with:
```shell-session

View File

@ -117,11 +117,16 @@ to update to the new version.
1. Read our [Compatibility Matrix](/docs/k8s/upgrade/compatibility) to ensure
your current Helm chart version supports this Consul version. If it does not,
you may need to also upgrade your Helm chart version at the same time.
1. Set `global.consul` in your `values.yaml` to the desired version:
1. Set `global.image` in your `values.yaml` to the desired version:
<CodeBlockConfig filename="values.yaml" highlight="2">
```yaml
global:
image: consul:1.8.3
```
</CodeBlockConfig>
1. Determine your current installed chart version:
```bash

View File

@ -36,6 +36,8 @@ First, create a directory to organize Terraform configuration files that make up
The `main.tf` is the entry point of the module and this is where you can begin authoring your module. It can contain multiple Terraform resources related to an automation task that uses Consul service discovery information, particularly the required [`services` input variable](#services-variable). The code example below shows a resource using the `services` variable. When this example is used in automation with Consul-Terraform-Sync, the content of the local file would dynamically update as Consul service discovery information changes.
<CodeBlockConfig filename="main.tf">
```hcl
# Create a file with service names and their node addresses
resource "local_file" "consul_services" {
@ -46,12 +48,16 @@ resource "local_file" "consul_services" {
}
```
</CodeBlockConfig>
Something important to consider before authoring your module is deciding the [condition under which it will execute](/docs/nia/tasks#task-execution). This will allow you to potentially include other types of Consul-Terraform-Sync provided input variables in your module. It will also help inform your documentation and how users should configure their task for your module.
### Services Variable
To satisfy the specification requirements for a compatible module, copy the `services` variable declaration to the `variables.tf` file. Your module can optionally have other [variable declarations](#module-input-variables) and [Consul-Terraform-Sync provided input variables](/docs/nia/terraform-modules#optional-input-variables) in addition to `var.services`.
<CodeBlockConfig filename="variables.tf">
```hcl
variable "services" {
description = "Consul services monitored by Consul-Terraform-Sync"
@ -80,6 +86,8 @@ variable "services" {
}
```
</CodeBlockConfig>
Keys of the `services` map are unique identifiers of the service across Consul agents and data centers. Keys follow the format `service-id.node.datacenter` (or `service-id.node.namespace.datacenter` for Consul Enterprise). A complete list of attributes available for the `services` variable is included in the [documentation for Consul-Terraform-Sync tasks](/docs/nia/tasks#services-condition).
Terraform variables when passed as module arguments can be [lossy for object types](https://www.terraform.io/docs/configuration/types.html#conversion-of-complex-types). This allows Consul-Terraform-Sync to declare the full variable with every object attribute in the generated root module, and pass the variable to a child module that contains a subset of these attributes for its variable declaration. Modules compatible with Consul-Terraform-Sync may simplify the `var.services` declaration within the module by omitting unused attributes. For example, the following services variable has 4 attributes with the rest omitted.

View File

@ -325,7 +325,7 @@ Once the ACL system is bootstrapped, ACL tokens can be managed through the
After the servers are restarted above, you will see new errors in the logs of the Consul
servers related to permission denied errors:
```text
```log
2017/07/08 23:38:24 [WARN] agent: Node info update blocked by ACLs
2017/07/08 23:38:44 [WARN] agent: Coordinate update blocked by ACLs
```
@ -379,7 +379,7 @@ $ curl \
With that ACL agent token set, the servers will be able to sync themselves with the
catalog:
```text
```log
2017/07/08 23:42:59 [INFO] agent: Synced node info
```
@ -640,7 +640,7 @@ operator = "read"
This is equivalent to the following JSON input:
```javascript
```json
{
"key": {
"": {
@ -784,15 +784,15 @@ recursive reads via [the KV API](/api/kv#recurse) with an invalid token result i
```hcl
key "" {
policy = "deny"
policy = "deny"
}
key "bar" {
policy = "list"
policy = "list"
}
key "baz" {
policy = "read"
policy = "read"
}
```
@ -828,7 +828,7 @@ The `keyring` policy controls access to keyring operations in the
Keyring rules look like this:
```text
```hcl
keyring = "write"
```
@ -900,7 +900,7 @@ The `operator` policy controls access to cluster-level operations in the
Operator rules look like this:
```text
```hcl
operator = "read"
```

View File

@ -125,6 +125,8 @@ Take note of the `ReplicatedIndex` value.
Create a new file containing the payload for creating a new token named `test-ui-token.json`
with the following contents:
<CodeBlockConfig filename="test-ui-token.json">
```json
{
"Name": "UI Token",
@ -133,6 +135,8 @@ with the following contents:
}
```
</CodeBlockConfig>
From a Consul server in DC1, create a new token using that file:
```shell

View File

@ -21,7 +21,7 @@ upgrade flow.
Consul Enterprise 1.10 has removed temporary licensing capabilities from the binaries
found on https://releases.hashicorp.com. Servers will no longer load a license previously
set through the CLI or API. Instead the license must be present in the server's configuration
or environment prior to starting. See the [licensing documentation](/docs/enterprise/license/overview)
or environment prior to starting. See the [licensing documentation](/docs/enterprise/license/overview)
for more information about how to configure the license. Client agents previously retrieved their
license from the servers in the cluster within 30 minutes of starting and the snapshot agent
would similarly retrieve its license from the server or client agent it was configured to use. As
@ -820,7 +820,7 @@ defaulting [`allow_stale`](/docs/agent/options#allow_stale) to true for
better utilization of available servers. If you want to retain the previous
behavior, set the following configuration:
```javascript
```json
{
"dns_config": {
"allow_stale": false
@ -837,7 +837,7 @@ To continue to use the high-performance settings that were the default prior to
Consul 0.7 (recommended for production servers), add the following
configuration to all Consul servers when upgrading:
```javascript
```json
{
"performance": {
"raft_multiplier": 1