From 80ce1d80b9a76d9b8db73bc347523eeaf37f8a65 Mon Sep 17 00:00:00 2001 From: Jared Kirschner Date: Sat, 19 Nov 2022 15:40:23 -0800 Subject: [PATCH] docs: how to launch envoy when ACLs enabled --- website/content/commands/acl/token/create.mdx | 55 ++++++++++--------- website/content/commands/connect/envoy.mdx | 27 +++++++++ 2 files changed, 57 insertions(+), 25 deletions(-) diff --git a/website/content/commands/acl/token/create.mdx b/website/content/commands/acl/token/create.mdx index 189f7beac8..a4acf77118 100644 --- a/website/content/commands/acl/token/create.mdx +++ b/website/content/commands/acl/token/create.mdx @@ -76,10 +76,10 @@ Usage: `consul acl token create [options] [args]` ## Examples -Create a new token: +### Create a token with policy by name ```shell-session -$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 +$ consul acl token create -description "Read Nodes and Services" -policy-name node-services-read AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d SecretID: ec15675e-2999-d789-832e-8c4794daa8d7 Description: Read Nodes and Services @@ -89,42 +89,47 @@ Policies: 06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read ``` -Create a new local token: +### Create a token for a service + +This creates a token with the privileges necessary to register the service `my-api`. +If `my-api` is in the service mesh, this token also has the privileges necessary +to register its associated sidecar proxy and should be passed to the proxy when +launched with [`consul connect envoy`](/consul/commands/connect/envoy). ```shell-session -$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 -local -AccessorID: 4fdf0ec8-d251-3865-079c-7247c974fc50 -SecretID: 02143514-abf2-6c23-0aa1-ec2107e68f6b -Description: Read Nodes and Services -Local: true -Create Time: 2018-10-22 15:34:19.330265 -0400 EDT -Policies: - 06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read +$ consul acl token create -description 'my-api token' -service-identity 'my-api' +AccessorID: 0c083aca-6c15-f0cc-c4d9-30578db54cd9 +SecretID: 930dafb6-5c08-040b-23fb-a368a95256f9 +Description: api token +Local: false +Create Time: 2019-04-25 16:45:49.337687334 -0500 CDT +Service Identities: + my-api (Datacenters: all) ``` -Create a new token and link with policies by name: +### Create a short-lived, highly privileged token ```shell-session -$ consul acl token create -description "Super User" -policy-name global-management +$ consul acl token create -description "Temp Super User" -policy-name global-management -expires-ttl '15m' AccessorID: 59f86a9b-d3b6-166c-32a0-be4ab3f94caa SecretID: ada7f751-f654-8872-7f93-498e799158b6 -Description: Super User +Description: Temp Super User Local: false -Create Time: 2018-10-22 15:35:28.787003 -0400 EDT +Create Time: 2019-04-25 16:45:49.337687334 -0500 CDT +Expiration Time: 2019-04-25 17:00:49.337687334 -0500 CDT Policies: 00000000-0000-0000-0000-000000000001 - global-management ``` -Create a new token with one service identity that expires in 15 minutes: +### Create a local token with policy by ID ```shell-session -$ consul acl token create -description 'crawler token' -service-identity 'crawler' -expires-ttl '15m' -AccessorID: 0c083aca-6c15-f0cc-c4d9-30578db54cd9 -SecretID: 930dafb6-5c08-040b-23fb-a368a95256f9 -Description: crawler token -Local: false -Create Time: 2019-04-25 16:45:49.337687334 -0500 CDT -Expiration Time: 2019-04-25 17:00:49.337687334 -0500 CDT -Service Identities: - crawler (Datacenters: all) +$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 -local +AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d +SecretID: ec15675e-2999-d789-832e-8c4794daa8d7 +Description: Read Nodes and Services +Local: true +Create Time: 2018-10-22 15:33:39.01789 -0400 EDT +Policies: + 06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read ``` diff --git a/website/content/commands/connect/envoy.mdx b/website/content/commands/connect/envoy.mdx index aa4d5fa840..9b686f0de4 100644 --- a/website/content/commands/connect/envoy.mdx +++ b/website/content/commands/connect/envoy.mdx @@ -13,6 +13,10 @@ The connect Envoy command is used to generate a bootstrap configuration for [Envoy proxy](https://envoyproxy.io) for use with [Consul Connect](/docs/connect/). +Refer to the [examples](#examples) for guidance on common use cases, +such as [launching a service instance's sidecar proxy +when ACLs are enabled](#sidecar-proxy-with-acls-enabled). + The default behavior is to generate the necessary bootstrap configuration for Envoy based on the environment variables and options provided and by talking to the local Consul agent. It `exec`s an external Envoy binary with that @@ -227,6 +231,29 @@ This example assumes that the correct [environment variables](#api-options) are used to set the local agent connection information and ACL token, or that the agent is using all-default configuration. +### Sidecar Proxy with ACLs Enabled + +In secure deployments, Consul's ACL system is enabled with a default `deny` policy. +Nothing can access Consul API resources unless it presents a Consul ACL token with the +necessary privileges. A sidecar proxy must have a Consul ACL token to act as itself and +the service it fronts, and to access all that service's potential upstreams. +The best way to generate such a token is to +[use a service identity](/consul/commands/acl/token/create#create-a-token-for-a-service). + +Then, provide that token when launching the Envoy sidecar proxy instance with +the `consul connect envoy` command through either: +- Environment variables + [`CONSUL_HTTP_TOKEN`](/consul/commands#consul_http_token) or + [`CONSUL_HTTP_TOKEN_FILE`](/consul/commands#consul_http_token_file) +- CLI flags + [`-token`](/consul/commands/connect/envoy#token) or + [`-token-file`](/consul/commands/connect/envoy#token-file) + +```shell-session +$ export CONSUL_HTTP_TOKEN="" +$ consul connect envoy -sidecar-for web +``` + ### Additional Envoy Arguments To pass additional arguments directly to Envoy, for example output logging