website: update docs for leaf cert TTL option

pull/4400/head
Kyle Havlovitz 2018-07-16 02:46:23 -07:00
parent d6ca015a42
commit 6465b13b7d
No known key found for this signature in database
GPG Key ID: 8A5E6B173056AD6C
4 changed files with 18 additions and 2 deletions

View File

@ -91,8 +91,7 @@ $ curl \
{
"Provider": "consul",
"Config": {
"PrivateKey": null,
"RootCert": null,
"LeafCertTTL": "72h",
"RotationPeriod": "2160h"
},
"CreateIndex": 5,
@ -133,8 +132,10 @@ providers, see [Provider Config](/docs/connect/ca.html).
{
"Provider": "consul",
"Config": {
"LeafCertTTL": "72h",
"PrivateKey": "-----BEGIN RSA PRIVATE KEY-----...",
"RootCert": "-----BEGIN CERTIFICATE-----...",
"RotationPeriod": "2160h"
}
}
```
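Review bot: The sample request body in this hunk now sends `"LeafCertTTL": "72h"`, but nothing visible here tells the reader whether the field is required on update or what happens when it is omitted. Since `72h` is also the default documented in the options page change, add a sentence next to this example saying the field is optional and falls back to the default, or drop it from the sample so readers do not copy it as if it were mandatory.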

View File

@ -717,6 +717,14 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
`write` access to this backend, as well as permission to mount the backend at this path if it is not
already mounted.
#### Common CA Config Options
<p>There are also a number of common configuration options supported by all providers:</p>
* <a name="ca_leaf_cert_ttl"></a><a href="#ca_leaf_cert_ttl">`leaf_cert_ttl`</a> The lease duration of
a leaf certificate issued for a service, after which a new certificate will be requested by the proxy.
Defaults to `72h`.
* <a name="connect_proxy"></a><a href="#connect_proxy">`proxy`</a> This object allows setting options for the Connect proxies. The following sub-keys are available:
* <a name="connect_proxy_allow_managed_registration"></a><a href="#connect_proxy_allow_managed_registration">`allow_managed_api_registration`</a> Allows managed proxies to be configured with services that are registered via the Agent HTTP API. Enabling this would allow anyone with permission to register a service to define a command to execute for the proxy. By default, this is false to protect against arbitrary process execution.
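Review bot: The `leaf_cert_ttl` entry gives the default but not the accepted value format or any lower or upper bound. This value decides how long an issued leaf certificate remains valid, so state that it takes a duration string (the examples use `72h`) and whether very short or very long values are rejected. Also check the rendered page: the new `#### Common CA Config Options` heading sits directly before the existing `proxy` item, which should not end up listed as a common CA option.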

View File

@ -88,6 +88,7 @@ $ curl http://localhost:8500/v1/connect/ca/configuration
{
"Provider": "consul",
"Config": {
"LeafCertTTL": "72h",
"RotationPeriod": "2160h"
},
"CreateIndex": 5,

View File

@ -53,6 +53,9 @@ is used if configuring in an agent configuration file.
bootstrap with the ".consul" TLD. The cluster identifier can be found
using the [CA List Roots endpoint](/api/connect/ca.html#list-ca-root-certificates).
There are also [common CA configuration options](/docs/agent/options.html#common-ca-config-options)
that are supported by all CA providers.
## Specifying a Custom Private Key and Root Certificate
By default, a root certificate and private key will be automatically
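Review bot: The added sentence links to `#common-ca-config-options`, an anchor that only exists if the site auto-generates it from the new heading in options.html; that heading has no explicit `<a name=...>` the way `ca_leaf_cert_ttl` does. Either add an explicit anchor on the heading or link to `#ca_leaf_cert_ttl`. It would also help to name the option here in both spellings, `LeafCertTTL` for the API payload and `leaf_cert_ttl` for the agent configuration file, since the JSON examples on this page use the former and the options page documents the latter.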
@ -69,6 +72,7 @@ $ curl localhost:8500/v1/connect/ca/configuration
{
"Provider": "consul",
"Config": {
"LeafCertTTL": "72h",
"RotationPeriod": "2160h"
},
"CreateIndex": 5,
@ -99,6 +103,7 @@ $ jq -n --arg key "$(cat root.key)" --arg cert "$(cat root.crt)" '
{
"Provider": "consul",
"Config": {
"LeafCertTTL": "72h",
"PrivateKey": $key,
"RootCert": $cert,
"RotationPeriod": "2160h"
@ -113,6 +118,7 @@ $ cat ca_config.json
{
"Provider": "consul",
"Config": {
"LeafCertTTL": "72h",
"PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEArqiy1c3pbT3cSkjdEM1APALUareU...",
"RootCert": "-----BEGIN CERTIFICATE-----\nMIIDijCCAnKgAwIBAgIJAOFZ66em1qC7MA0GCSqGSIb3...",
"RotationPeriod": "2160h"