docs: how to launch envoy when ACLs enabled

2022-11-19 15:40:23 -08:00 · 2022-11-19 15:40:23 -08:00 · 80ce1d80b9
parent 1153779677
commit 80ce1d80b9
2 changed files with 57 additions and 25 deletions
--- a/website/content/commands/acl/token/create.mdx
+++ b/website/content/commands/acl/token/create.mdx
@ -76,10 +76,10 @@ Usage: `consul acl token create [options] [args]`
 ## Examples
-Create a new token:
+### Create a token with policy by name
 ```shell-session
-$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965
+$ consul acl token create -description "Read Nodes and Services" -policy-name node-services-read
 AccessorID:   986193b5-e2b5-eb26-6264-b524ea60cc6d
 SecretID:     ec15675e-2999-d789-832e-8c4794daa8d7
 Description:  Read Nodes and Services
@ -89,42 +89,47 @@ Policies:
   06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
 ```
-Create a new local token:
+### Create a token for a service
 This creates a token with the privileges necessary to register the service `my-api`.
 If `my-api` is in the service mesh, this token also has the privileges necessary
 to register its associated sidecar proxy and should be passed to the proxy when
 launched with [`consul connect envoy`](/consul/commands/connect/envoy).
 ```shell-session
-$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 -local
+$ consul acl token create -description 'my-api token' -service-identity 'my-api'
-AccessorID:   4fdf0ec8-d251-3865-079c-7247c974fc50
+AccessorID:       0c083aca-6c15-f0cc-c4d9-30578db54cd9
-SecretID:     02143514-abf2-6c23-0aa1-ec2107e68f6b
+SecretID:         930dafb6-5c08-040b-23fb-a368a95256f9
-Description:  Read Nodes and Services
+Description:      api token
-Local:        true
+Local:            false
-Create Time:  2018-10-22 15:34:19.330265 -0400 EDT
+Create Time:      2019-04-25 16:45:49.337687334 -0500 CDT
-Policies:
+Service Identities:
-   06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
+   my-api (Datacenters: all)
 ```
-Create a new token and link with policies by name:
+### Create a short-lived, highly privileged token
 ```shell-session
-$ consul acl token create -description "Super User" -policy-name global-management
+$ consul acl token create -description "Temp Super User" -policy-name global-management -expires-ttl '15m'
 AccessorID:   59f86a9b-d3b6-166c-32a0-be4ab3f94caa
 SecretID:     ada7f751-f654-8872-7f93-498e799158b6
-Description:  Super User
+Description:  Temp Super User
 Local:        false
-Create Time:  2018-10-22 15:35:28.787003 -0400 EDT
+Create Time:      2019-04-25 16:45:49.337687334 -0500 CDT
 Expiration Time:  2019-04-25 17:00:49.337687334 -0500 CDT
 Policies:
   00000000-0000-0000-0000-000000000001 - global-management
 ```
-Create a new token with one service identity that expires in 15 minutes:
+### Create a local token with policy by ID
 ```shell-session
-$ consul acl token create -description 'crawler token' -service-identity 'crawler' -expires-ttl '15m'
+$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 -local
-AccessorID:       0c083aca-6c15-f0cc-c4d9-30578db54cd9
+AccessorID:   986193b5-e2b5-eb26-6264-b524ea60cc6d
-SecretID:         930dafb6-5c08-040b-23fb-a368a95256f9
+SecretID:     ec15675e-2999-d789-832e-8c4794daa8d7
-Description:      crawler token
+Description:  Read Nodes and Services
-Local:            false
+Local:        true
-Create Time:      2019-04-25 16:45:49.337687334 -0500 CDT
+Create Time:  2018-10-22 15:33:39.01789 -0400 EDT
-Expiration Time:  2019-04-25 17:00:49.337687334 -0500 CDT
+Policies:
-Service Identities:
+   06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
   crawler (Datacenters: all)
 ```
--- a/website/content/commands/connect/envoy.mdx
+++ b/website/content/commands/connect/envoy.mdx
@ -13,6 +13,10 @@ The connect Envoy command is used to generate a bootstrap configuration for
 [Envoy proxy](https://envoyproxy.io) for use with [Consul
 Connect](/docs/connect/).
 Refer to the [examples](#examples) for guidance on common use cases,
 such as [launching a service instance's sidecar proxy
 when ACLs are enabled](#sidecar-proxy-with-acls-enabled).
 The default behavior is to generate the necessary bootstrap configuration for
 Envoy based on the environment variables and options provided and by talking to
 the local Consul agent. It `exec`s an external Envoy binary with that
@ -227,6 +231,29 @@ This example assumes that the correct [environment variables](#api-options) are
 used to set the local agent connection information and ACL token, or that the
 agent is using all-default configuration.
 ### Sidecar Proxy with ACLs Enabled
 In secure deployments, Consul's ACL system is enabled with a default `deny` policy.
 Nothing can access Consul API resources unless it presents a Consul ACL token with the
 necessary privileges. A sidecar proxy must have a Consul ACL token to act as itself and
 the service it fronts, and to access all that service's potential upstreams.
 The best way to generate such a token is to
 [use a service identity](/consul/commands/acl/token/create#create-a-token-for-a-service).
 Then, provide that token when launching the Envoy sidecar proxy instance with
 the `consul connect envoy` command through either:
 - Environment variables
  [`CONSUL_HTTP_TOKEN`](/consul/commands#consul_http_token) or
  [`CONSUL_HTTP_TOKEN_FILE`](/consul/commands#consul_http_token_file)
 - CLI flags
  [`-token`](/consul/commands/connect/envoy#token) or
  [`-token-file`](/consul/commands/connect/envoy#token-file)
 ```shell-session
 $ export CONSUL_HTTP_TOKEN="<secret-id-of-token-with-service-identity-for-web>"
 $ consul connect envoy -sidecar-for web
 ```
 ### Additional Envoy Arguments
 To pass additional arguments directly to Envoy, for example output logging