mirror of https://github.com/hashicorp/consul
commit
ecc406562a
|
@ -39,7 +39,11 @@ export default function BasicHero({
|
|||
</div>
|
||||
{links[2] && (
|
||||
<div className="third-link">
|
||||
<a href={links[2].url} rel="noopener" target="_blank">
|
||||
<a
|
||||
href={links[2].url}
|
||||
rel="noopener noreferrer"
|
||||
target="_blank"
|
||||
>
|
||||
<span className="g-type-buttons-and-standalone-links">
|
||||
{links[2].text}
|
||||
</span>
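Review bot: `links[2].url` is written straight into `href` on the new multi-line `<a` block with no scheme check, and React 16.x (the version pinned in this commit's package.json) only logs a warning for a `javascript:` value rather than dropping it, so if the `links` prop can be fed from CMS or config data the URL should be constrained before rendering, e.g. `const safeUrl = (u) => (/^(https?:\/\/|\/)/i.test(u) ? u : undefined);` and `href={safeUrl(links[2].url)}`. The `rel="noopener noreferrer"` fix covers only this third link; the first two links are built outside the hunk and, if they follow the same pattern, presumably need the same `rel` value — worth confirming. The enclosing BasicHero function starts outside the hunk.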
|
||||
|
|
|
@ -4,55 +4,51 @@
|
|||
"version": "0.0.1",
|
||||
"author": "HashiCorp",
|
||||
"dependencies": {
|
||||
"@hashicorp/nextjs-scripts": "^10.0.2",
|
||||
"@hashicorp/react-alert": "^2.0.1",
|
||||
"@hashicorp/react-alert-banner": "^3.1.0",
|
||||
"@hashicorp/react-button": "^2.2.0",
|
||||
"@hashicorp/react-call-to-action": "^0.2.0",
|
||||
"@hashicorp/react-case-study-slider": "^2.1.0",
|
||||
"@hashicorp/react-code-block": "^1.2.7",
|
||||
"@hashicorp/react-content": "3.0.0-0",
|
||||
"@hashicorp/react-docs-page": "^3.0.0",
|
||||
"@hashicorp/react-docs-sidenav": "^3.2.3",
|
||||
"@hashicorp/react-featured-slider": "^1.1.0",
|
||||
"@hashicorp/react-global-styles": "^4.4.0",
|
||||
"@hashicorp/react-head": "^1.1.1",
|
||||
"@hashicorp/react-image": "^2.0.1",
|
||||
"@hashicorp/react-inline-svg": "^1.0.0",
|
||||
"@hashicorp/react-logo-grid": "^2.1.0",
|
||||
"@hashicorp/react-mega-nav": "^4.0.1-2",
|
||||
"@hashicorp/react-product-downloader": "^4.0.0",
|
||||
"@hashicorp/react-product-features-list": "^1.0.1",
|
||||
"@hashicorp/react-section-header": "^2.0.0",
|
||||
"@hashicorp/react-subnav": "^3.2.2",
|
||||
"@hashicorp/react-text-and-content": "^4.1.0",
|
||||
"@hashicorp/react-text-split": "^0.3.0",
|
||||
"@hashicorp/react-text-split-with-code": "0.1.0",
|
||||
"@hashicorp/react-text-split-with-image": "^1.3.0",
|
||||
"@hashicorp/react-text-split-with-logo-grid": "^1.1.0",
|
||||
"@hashicorp/react-use-cases": "^1.0.4",
|
||||
"@hashicorp/react-vertical-text-block-list": "^2.0.1",
|
||||
"algoliasearch": "^4.3.0",
|
||||
"babel-plugin-import-glob-array": "^0.2.0",
|
||||
"dotenv": "^8.2.0",
|
||||
"gray-matter": "^4.0.2",
|
||||
"imagemin-mozjpeg": "^9.0.0",
|
||||
"imagemin-optipng": "^8.0.0",
|
||||
"imagemin-svgo": "^8.0.0",
|
||||
"@hashicorp/nextjs-scripts": "11.1.0",
|
||||
"@hashicorp/react-alert": "2.0.1",
|
||||
"@hashicorp/react-alert-banner": "3.1.0",
|
||||
"@hashicorp/react-button": "2.2.1",
|
||||
"@hashicorp/react-call-to-action": "0.2.1",
|
||||
"@hashicorp/react-case-study-slider": "2.1.1",
|
||||
"@hashicorp/react-code-block": "1.2.7",
|
||||
"@hashicorp/react-content": "4.0.0",
|
||||
"@hashicorp/react-docs-page": "4.0.0",
|
||||
"@hashicorp/react-docs-sidenav": "3.2.5",
|
||||
"@hashicorp/react-featured-slider": "1.1.1",
|
||||
"@hashicorp/react-global-styles": "4.4.0",
|
||||
"@hashicorp/react-head": "1.1.1",
|
||||
"@hashicorp/react-image": "2.0.1",
|
||||
"@hashicorp/react-inline-svg": "1.0.0",
|
||||
"@hashicorp/react-logo-grid": "2.1.1",
|
||||
"@hashicorp/react-mega-nav": "4.0.1-2",
|
||||
"@hashicorp/react-product-downloader": "4.0.2",
|
||||
"@hashicorp/react-product-features-list": "1.0.1",
|
||||
"@hashicorp/react-section-header": "2.0.0",
|
||||
"@hashicorp/react-subnav": "3.2.3",
|
||||
"@hashicorp/react-text-and-content": "4.1.1",
|
||||
"@hashicorp/react-text-split": "0.3.1",
|
||||
"@hashicorp/react-text-split-with-code": "0.1.1",
|
||||
"@hashicorp/react-text-split-with-image": "1.3.1",
|
||||
"@hashicorp/react-text-split-with-logo-grid": "1.1.1",
|
||||
"@hashicorp/react-use-cases": "1.0.4",
|
||||
"@hashicorp/react-vertical-text-block-list": "2.0.1",
|
||||
"algoliasearch": "4.3.0",
|
||||
"babel-plugin-import-glob-array": "0.2.0",
|
||||
"dotenv": "8.2.0",
|
||||
"gray-matter": "4.0.2",
|
||||
"next": "9.4.4",
|
||||
"nuka-carousel": "^4.7.0",
|
||||
"react": "^16.13.1",
|
||||
"react-device-detect": "^1.12.1",
|
||||
"react-dom": "^16.13.1",
|
||||
"remark": "^12.0.0",
|
||||
"unist-util-visit": "^2.0.2"
|
||||
"nuka-carousel": "4.7.0",
|
||||
"react": "16.13.1",
|
||||
"react-device-detect": "1.13.1",
|
||||
"react-dom": "16.13.1",
|
||||
"remark": "12.0.0",
|
||||
"unist-util-visit": "2.0.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
"dart-linkcheck": "^2.0.15",
|
||||
"glob": "^7.1.6",
|
||||
"husky": "^4.2.5",
|
||||
"inquirer": "^7.1.0",
|
||||
"prettier": "^2.0.5"
|
||||
"dart-linkcheck": "2.0.15",
|
||||
"glob": "7.1.6",
|
||||
"husky": "4.2.5",
|
||||
"prettier": "2.0.5"
|
||||
},
|
||||
"husky": {
|
||||
"hooks": {
|
||||
|
|
|
@ -63,7 +63,7 @@ The table below shows this endpoint's support for
|
|||
]
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
- `BindType=node` - The computed bind name value is used as an
|
||||
`ACLNodeIdentity.NodeName` field in the token that is created.
|
||||
|
||||
|
@ -243,7 +243,7 @@ The table below shows this endpoint's support for
|
|||
]
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
- `BindType=node` - The computed bind name value is used as an
|
||||
`ACLNodeIdentity.NodeName` field in the token that is created.
|
||||
|
||||
|
@ -254,7 +254,7 @@ The table below shows this endpoint's support for
|
|||
]
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
- `BindType=role` - The computed bind name value is used as a `RoleLink.Name`
|
||||
field in the token that is created. This binding rule will only apply if a
|
||||
role with the given name exists at login-time. If it does not then this
|
||||
|
|
|
@ -338,7 +338,7 @@ The table below shows this endpoint's support for
|
|||
- `NodeIdentities` `(array<NodeIdentity>)` - The list of [node
|
||||
identities](/docs/acl/acl-system#acl-node-identities) that should be
|
||||
applied to the role. Added in Consul 1.8.1.
|
||||
|
||||
|
||||
- `Namespace` `(string: "")` <EnterpriseAlert inline /> - Specifies the namespace of
|
||||
the role to update. If not provided in the JSON body, the value of
|
||||
the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used.
|
||||
|
|
|
@ -908,8 +908,8 @@ top level object. The following selectors and filter operations are supported:
|
|||
|
||||
This endpoint returns the services associated with an ingress gateway or terminating gateway.
|
||||
|
||||
| Method | Path | Produces |
|
||||
| ------ | ------------------------------ | ------------------ |
|
||||
| Method | Path | Produces |
|
||||
| ------ | ------------------------------------ | ------------------ |
|
||||
| `GET` | `/catalog/gateway-services/:gateway` | `application/json` |
|
||||
|
||||
The table below shows this endpoint's support for
|
||||
|
@ -918,8 +918,8 @@ The table below shows this endpoint's support for
|
|||
[agent caching](/api/features/caching), and
|
||||
[required ACLs](/api#authentication).
|
||||
|
||||
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||
| ---------------- | ----------------- | ------------- | ------------------------ |
|
||||
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||
| ---------------- | ----------------- | ------------- | -------------- |
|
||||
| `YES` | `all` | `none` | `service:read` |
|
||||
|
||||
### Parameters
|
||||
|
@ -964,7 +964,7 @@ $ curl \
|
|||
"SNI": "api.my-domain",
|
||||
"CreateIndex": 16,
|
||||
"ModifyIndex": 16
|
||||
},
|
||||
},
|
||||
{
|
||||
"Gateway": {
|
||||
"Name": "my-terminating-gateway",
|
||||
|
@ -995,7 +995,7 @@ $ curl \
|
|||
"GatewayKind": "ingress-gateway",
|
||||
"Port": 8888,
|
||||
"Protocol": "http",
|
||||
"Hosts": ["api.mydomain.com"],
|
||||
"Hosts": ["api.mydomain.com"],
|
||||
"CreateIndex": 15,
|
||||
"ModifyIndex": 15
|
||||
},
|
||||
|
|
|
@ -39,7 +39,7 @@ The table below shows this endpoint's support for
|
|||
</p>
|
||||
|
||||
| Config Entry Kind | Required ACL |
|
||||
| ----------------- | ---------------- |
|
||||
| ------------------- | ---------------- |
|
||||
| ingress-gateway | `operator:write` |
|
||||
| proxy-defaults | `operator:write` |
|
||||
| service-defaults | `service:write` |
|
||||
|
@ -104,15 +104,15 @@ The table below shows this endpoint's support for
|
|||
|
||||
<sup>1</sup> The ACL required depends on the config entry kind being read:
|
||||
|
||||
| Config Entry Kind | Required ACL |
|
||||
| ----------------- | ---------------- |
|
||||
| ingress-gateway | `service:read` |
|
||||
| proxy-defaults | `<none>` |
|
||||
| service-defaults | `service:read` |
|
||||
| service-resolver | `service:read` |
|
||||
| service-router | `service:read` |
|
||||
| service-splitter | `service:read` |
|
||||
| terminating-gateway | `service:read` |
|
||||
| Config Entry Kind | Required ACL |
|
||||
| ------------------- | -------------- |
|
||||
| ingress-gateway | `service:read` |
|
||||
| proxy-defaults | `<none>` |
|
||||
| service-defaults | `service:read` |
|
||||
| service-resolver | `service:read` |
|
||||
| service-router | `service:read` |
|
||||
| service-splitter | `service:read` |
|
||||
| terminating-gateway | `service:read` |
|
||||
|
||||
### Parameters
|
||||
|
||||
|
@ -171,15 +171,15 @@ The table below shows this endpoint's support for
|
|||
|
||||
<sup>1</sup> The ACL required depends on the config entry kind being read:
|
||||
|
||||
| Config Entry Kind | Required ACL |
|
||||
| ----------------- | ---------------- |
|
||||
| ingress-gateway | `service:read` |
|
||||
| proxy-defaults | `<none>` |
|
||||
| service-defaults | `service:read` |
|
||||
| service-resolver | `service:read` |
|
||||
| service-router | `service:read` |
|
||||
| service-splitter | `service:read` |
|
||||
| terminating-gateway | `service:read` |
|
||||
| Config Entry Kind | Required ACL |
|
||||
| ------------------- | -------------- |
|
||||
| ingress-gateway | `service:read` |
|
||||
| proxy-defaults | `<none>` |
|
||||
| service-defaults | `service:read` |
|
||||
| service-resolver | `service:read` |
|
||||
| service-router | `service:read` |
|
||||
| service-splitter | `service:read` |
|
||||
| terminating-gateway | `service:read` |
|
||||
|
||||
### Parameters
|
||||
|
||||
|
@ -245,7 +245,7 @@ The table below shows this endpoint's support for
|
|||
<sup>1</sup> The ACL required depends on the config entry kind being deleted:
|
||||
|
||||
| Config Entry Kind | Required ACL |
|
||||
| ----------------- | ---------------- |
|
||||
| ------------------- | ---------------- |
|
||||
| ingress-gateway | `operator:write` |
|
||||
| proxy-defaults | `operator:write` |
|
||||
| service-defaults | `service:write` |
|
||||
|
|
|
@ -51,14 +51,14 @@ The table below shows this endpoint's support for
|
|||
service doesn't need to be registered.
|
||||
|
||||
- `SourceNS` `(string: "")` <EnterpriseAlert inline /> - The namespace for the
|
||||
`SourceName` parameter.
|
||||
`SourceName` parameter.
|
||||
|
||||
- `DestinationName` `(string: <required>)` - The destination of the intention.
|
||||
The intention destination is always a Consul service, unlike the source.
|
||||
The service doesn't need to be registered.
|
||||
|
||||
- `DestinationNS` `(string: "")` <EnterpriseAlert inline /> - The namespace for the
|
||||
`DestinationName` parameter.
|
||||
`DestinationName` parameter.
|
||||
|
||||
- `SourceType` `(string: <required>)` - The type for the `SourceName` value.
|
||||
This can be only "consul" today to represent a Consul service.
|
||||
|
@ -75,9 +75,9 @@ The table below shows this endpoint's support for
|
|||
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the default
|
||||
namespace to use when `SourceNS` or `DestinationNS` are omitted or empty.
|
||||
If not provided at all, the default namespace will be inherited from the
|
||||
request's ACL token or will default to the `default` namespace.
|
||||
request's ACL token or will default to the `default` namespace.
|
||||
This value may be provided by either the `ns` URL query parameter or in the
|
||||
`X-Consul-Namespace` header.
|
||||
`X-Consul-Namespace` header.
|
||||
Added in Consul 1.9.0.
|
||||
|
||||
### Sample Payload
|
||||
|
@ -208,9 +208,9 @@ The table below shows this endpoint's support for
|
|||
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the default
|
||||
namespace to use when `source` or `destination` parameters lack namespaces.
|
||||
If not provided at all, the default namespace will be inherited from the
|
||||
request's ACL token or will default to the `default` namespace.
|
||||
request's ACL token or will default to the `default` namespace.
|
||||
This value may be provided by either the `ns` URL query parameter or in the
|
||||
`X-Consul-Namespace` header.
|
||||
`X-Consul-Namespace` header.
|
||||
Added in Consul 1.9.0.
|
||||
|
||||
### Sample Request
|
||||
|
@ -273,13 +273,13 @@ The table below shows this endpoint's support for
|
|||
- `filter` `(string: "")` - Specifies the expression used to filter the
|
||||
queries results prior to returning the data.
|
||||
|
||||
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the
|
||||
namespace to list intentions from.
|
||||
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the
|
||||
namespace to list intentions from.
|
||||
The `*` wildcard may be used to list intentions from all namespaces.
|
||||
If not provided at all, the default namespace will be inherited from the
|
||||
request's ACL token or will default to the `default` namespace.
|
||||
request's ACL token or will default to the `default` namespace.
|
||||
This value may be provided by either the `ns` URL query parameter or in the
|
||||
`X-Consul-Namespace` header.
|
||||
`X-Consul-Namespace` header.
|
||||
Added in Consul 1.9.0.
|
||||
|
||||
### Sample Request
|
||||
|
@ -471,9 +471,9 @@ The table below shows this endpoint's support for
|
|||
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the default
|
||||
namespace to use when `source` or `destination` parameters lack namespaces.
|
||||
If not provided at all, the default namespace will be inherited from the
|
||||
request's ACL token or will default to the `default` namespace.
|
||||
request's ACL token or will default to the `default` namespace.
|
||||
This value may be provided by either the `ns` URL query parameter or in the
|
||||
`X-Consul-Namespace` header.
|
||||
`X-Consul-Namespace` header.
|
||||
Added in Consul 1.9.0.
|
||||
|
||||
### Sample Request
|
||||
|
@ -533,9 +533,9 @@ The table below shows this endpoint's support for
|
|||
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the default
|
||||
namespace to use when `name` parameter lacks namespaces.
|
||||
If not provided at all, the default namespace will be inherited from the
|
||||
request's ACL token or will default to the `default` namespace.
|
||||
request's ACL token or will default to the `default` namespace.
|
||||
This value may be provided by either the `ns` URL query parameter or in the
|
||||
`X-Consul-Namespace` header.
|
||||
`X-Consul-Namespace` header.
|
||||
Added in Consul 1.9.0.
|
||||
|
||||
### Sample Request
|
||||
|
|
|
@ -199,7 +199,7 @@ as to whether they are set on servers, clients, or both.
|
|||
| Configuration Option | Servers | Clients | Purpose |
|
||||
| --------------------------------------------------------------------- | ---------- | ---------- | ----------------------------------------------------------------------------------------- |
|
||||
| [`acl_datacenter`](/docs/agent/options#acl_datacenter) | `REQUIRED` | `REQUIRED` | Master control that enables ACLs by defining the authoritative Consul datacenter for ACLs |
|
||||
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
|
||||
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
|
||||
| [`acl_down_policy`](/docs/agent/options#acl_down_policy_legacy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the ACL datacenter is offline |
|
||||
| [`acl_ttl`](/docs/agent/options#acl_ttl_legacy) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACLs |
|
||||
|
||||
|
@ -276,8 +276,8 @@ datacenter. In this example, we are configuring the following:
|
|||
1. An ACL datacenter of "dc1", which is where these servers are
|
||||
2. An ACL master token of "b1gs33cr3t"; see below for an alternative using the [/v1/acl/bootstrap API](/api/acl/acl#bootstrap-acls)
|
||||
3. A default policy of "deny" which means we are in allowlist mode
|
||||
4. A down policy of "extend-cache" which means that we will ignore token TTLs
|
||||
during an outage
|
||||
4. A down policy of "extend-cache" which means that we will ignore token TTLs
|
||||
during an outage
|
||||
|
||||
Here's the corresponding JSON configuration file:
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ may benefit from additional components in the ACL system:
|
|||
additional policy was attached, the contents of which are described further
|
||||
below. These are directly attached to tokens and roles and are not
|
||||
independently configured. (Added in Consul 1.5.0)
|
||||
|
||||
|
||||
- **ACL Node Identities** - Node identities are a policy template for
|
||||
expressing a link to a policy suitable for use as an [Consul `agent` token
|
||||
](/docs/agent/options#acl_tokens_agent). At authorization time this acts like an
|
||||
|
@ -279,7 +279,7 @@ as to whether they are set on servers, clients, or both.
|
|||
| Configuration Option | Servers | Clients | Purpose |
|
||||
| -------------------------------------------------------------- | ---------- | ---------- | ---------------------------------------------------------------------- |
|
||||
| [`acl.enabled`](/docs/agent/options#acl_enabled) | `REQUIRED` | `REQUIRED` | Controls whether ACLs are enabled |
|
||||
| [`acl.default_policy`](/docs/agent/options#acl_default_policy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
|
||||
| [`acl.default_policy`](/docs/agent/options#acl_default_policy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
|
||||
| [`acl.down_policy`](/docs/agent/options#acl_down_policy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the remote token or policy resolution fails |
|
||||
| [`acl.role_ttl`](/docs/agent/options#acl_role_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Roles |
|
||||
| [`acl.policy_ttl`](/docs/agent/options#acl_policy_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Policies |
|
||||
|
|
|
@ -35,11 +35,11 @@ service mesh with minimal operator intervention.
|
|||
|
||||
## Supported Types
|
||||
|
||||
| Types | Consul Version |
|
||||
| ----- | -------------- |
|
||||
| [`kubernetes`](/docs/acl/auth-methods/kubernetes) | 1.5.0+ |
|
||||
| [`jwt`](/docs/acl/auth-methods/jwt) | 1.8.0+ |
|
||||
| [`oidc`](/docs/acl/auth-methods/oidc) | 1.8.0+ <EnterpriseAlert inline /> |
|
||||
| Types | Consul Version |
|
||||
| ------------------------------------------------- | --------------------------------- |
|
||||
| [`kubernetes`](/docs/acl/auth-methods/kubernetes) | 1.5.0+ |
|
||||
| [`jwt`](/docs/acl/auth-methods/jwt) | 1.8.0+ |
|
||||
| [`oidc`](/docs/acl/auth-methods/oidc) | 1.8.0+ <EnterpriseAlert inline /> |
|
||||
|
||||
## Operator Configuration
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ description: >-
|
|||
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.
|
||||
|
||||
The `jwt` auth method can be used to authenticate with Consul by providing a
|
||||
[JWT](https://en.wikipedia.org/wiki/JSON_Web_Token) directly. The JWT is
|
||||
[JWT](https://en.wikipedia.org/wiki/JSON_Web_Token) directly. The JWT is
|
||||
cryptographically verified using locally-provided keys, or, if configured, an
|
||||
OIDC Discovery service can be used to fetch the appropriate keys.
|
||||
|
||||
|
@ -55,7 +55,7 @@ parameters are required to properly configure an auth method of type
|
|||
used to talk with the JWKS URL. NOTE: Every line must end with a newline
|
||||
(`\n`). If not set, system certificates are used.
|
||||
|
||||
- `ClaimMappings` `(map[string]string)` - Mappings of claims (key) that
|
||||
- `ClaimMappings` `(map[string]string)` - Mappings of claims (key) that
|
||||
[will be copied to a metadata field](#trusted-identity-attributes-via-claim-mappings)
|
||||
(value). Use this if the claim you are capturing is singular (such as an attribute).
|
||||
|
||||
|
@ -79,15 +79,15 @@ parameters are required to properly configure an auth method of type
|
|||
claim in a JWT.
|
||||
|
||||
- `ExpirationLeeway` `(duration: 0s)` - Duration in seconds of leeway when
|
||||
validating expiration of a token to account for clock skew. Defaults to 150
|
||||
validating expiration of a token to account for clock skew. Defaults to 150
|
||||
(2.5 minutes) if set to 0 and can be disabled if set to -1.
|
||||
|
||||
- `NotBeforeLeeway` `(duration: 0s)` - Duration in seconds of leeway when
|
||||
validating not before values of a token to account for clock skew. Defaults
|
||||
validating not before values of a token to account for clock skew. Defaults
|
||||
to 150 (2.5 minutes) if set to 0 and can be disabled if set to -1.
|
||||
|
||||
- `ClockSkewLeeway` `(duration: 0s)` - Duration in seconds of leeway when
|
||||
validating all claims to account for clock skew. Defaults to 60 (1 minute)
|
||||
validating all claims to account for clock skew. Defaults to 60 (1 minute)
|
||||
if set to 0 and can be disabled if set to -1.
|
||||
|
||||
### Sample Configs
|
||||
|
|
|
@ -11,35 +11,36 @@ description: >-
|
|||
|
||||
-> **1.8.0+:** This config entry is available in Consul versions 1.8.0 and newer.
|
||||
|
||||
The `ingress-gateway` config entry kind allows you to configure ingress gateways
|
||||
with listeners that expose a set of services outside the Consul service mesh.
|
||||
See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
|
||||
The `ingress-gateway` config entry kind allows you to configure ingress gateways
|
||||
with listeners that expose a set of services outside the Consul service mesh.
|
||||
See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
|
||||
|
||||
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
|
||||
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
|
||||
sets of services within their datacenter then the ingress gateways **must** be registered with different names.
|
||||
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
|
||||
sets of services within their datacenter then the ingress gateways **must** be registered with different names.
|
||||
|
||||
See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
|
||||
See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
|
||||
|
||||
## Wildcard service specification
|
||||
|
||||
Ingress gateways can optionally target all services within a Consul namespace by
|
||||
specifying a wildcard `*` as the service name. A wildcard specifier allows
|
||||
for a single listener to route traffic to all available services on the
|
||||
Consul service mesh, differentiating between the services by their host/authority
|
||||
header.
|
||||
Ingress gateways can optionally target all services within a Consul namespace by
|
||||
specifying a wildcard `*` as the service name. A wildcard specifier allows
|
||||
for a single listener to route traffic to all available services on the
|
||||
Consul service mesh, differentiating between the services by their host/authority
|
||||
header.
|
||||
|
||||
A wildcard specifier provides the following properties for an ingress
|
||||
gateway:
|
||||
- All services with the same
|
||||
[protocol](/docs/agent/config-entries/ingress-gateway#protocol) as the
|
||||
listener will be routable.
|
||||
- The ingress gateway will route traffic based on the host/authority header,
|
||||
expecting a value matching `<service-name>.ingress.*`, or if using namespaces,
|
||||
`<service-name>.ingress.<namespace>.*`. This matches the [Consul DNS
|
||||
ingress subdomain](/docs/agent/dns#ingress-service-lookups).
|
||||
A wildcard specifier provides the following properties for an ingress
|
||||
gateway:
|
||||
|
||||
A wildcard specifier cannot be set on a listener of protocol `tcp`.
|
||||
- All services with the same
|
||||
[protocol](/docs/agent/config-entries/ingress-gateway#protocol) as the
|
||||
listener will be routable.
|
||||
- The ingress gateway will route traffic based on the host/authority header,
|
||||
expecting a value matching `<service-name>.ingress.*`, or if using namespaces,
|
||||
`<service-name>.ingress.<namespace>.*`. This matches the [Consul DNS
|
||||
ingress subdomain](/docs/agent/dns#ingress-service-lookups).
|
||||
|
||||
A wildcard specifier cannot be set on a listener of protocol `tcp`.
|
||||
|
||||
## Sample Config Entries
|
||||
|
||||
|
@ -325,16 +326,16 @@ Also make two services in the frontend namespace available over a custom port wi
|
|||
|
||||
- `Namespace` `(string: "default")` - <EnterpriseAlert inline /> Specifies
|
||||
the namespace the config entry will apply to. This must be the namespace
|
||||
the gateway is registered in. If omitted, the namespace will be inherited
|
||||
the gateway is registered in. If omitted, the namespace will be inherited
|
||||
from [the request](/api/config#ns) or will default to the `default` namespace.
|
||||
|
||||
- `TLS` `(TLSConfig: <optional>)` - TLS configuration for this gateway.
|
||||
|
||||
- `Enabled` `(bool: false)` - Set this configuration to enable TLS for
|
||||
every listener on the gateway.
|
||||
- `Enabled` `(bool: false)` - Set this configuration to enable TLS for
|
||||
every listener on the gateway.
|
||||
|
||||
If TLS is enabled, then each host defined in the `Host` field will be added
|
||||
as a DNSSAN to the gateway's x509 certificate.
|
||||
If TLS is enabled, then each host defined in the `Host` field will be added
|
||||
as a DNSSAN to the gateway's x509 certificate.
|
||||
|
||||
- `Listeners` `(array<IngressListener>: <optional>)` - A list of listeners that
|
||||
the ingress gateway should setup, uniquely identified by their port number.
|
||||
|
|
|
@ -11,35 +11,36 @@ description: >-
|
|||
|
||||
-> **1.8.0+:** This config entry is available in Consul versions 1.8.0 and newer.
|
||||
|
||||
The `terminating-gateway` config entry kind you to configure terminating gateways
|
||||
to proxy traffic from services in the Consul service mesh to services registered with Consul that do not have a
|
||||
[Connect service sidecar proxy](/docs/connect/proxies). The configuration is associated with the name of a gateway service
|
||||
and will apply to all instances of the gateway with that name.
|
||||
The `terminating-gateway` config entry kind you to configure terminating gateways
|
||||
to proxy traffic from services in the Consul service mesh to services registered with Consul that do not have a
|
||||
[Connect service sidecar proxy](/docs/connect/proxies). The configuration is associated with the name of a gateway service
|
||||
and will apply to all instances of the gateway with that name.
|
||||
|
||||
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
|
||||
across all federated Consul datacenters. If terminating gateways in different Consul datacenters need to route to different
|
||||
sets of services within their datacenter then the terminating gateways **must** be registered with different names.
|
||||
across all federated Consul datacenters. If terminating gateways in different Consul datacenters need to route to different
|
||||
sets of services within their datacenter then the terminating gateways **must** be registered with different names.
|
||||
|
||||
See [Terminating Gateway](/docs/connect/terminating-gateway) for more information.
|
||||
See [Terminating Gateway](/docs/connect/terminating-gateway) for more information.
|
||||
|
||||
## TLS Origination
|
||||
By specifying a path to a [CA file](/docs/agent/config-entries/terminating-gateway#cafile) connections
|
||||
from the terminating gateway will be encrypted using one-way TLS authentication. If a path to a
|
||||
[client certificate](/docs/agent/config-entries/terminating-gateway#certfile)
|
||||
and [private key](/docs/agent/config-entries/terminating-gateway#keyfile) are also specified connections
|
||||
from the terminating gateway will be encrypted using mutual TLS authentication.
|
||||
|
||||
If none of these are provided, Consul will **only** encrypt connections to the gateway and not
|
||||
from the gateway to the destination service.
|
||||
By specifying a path to a [CA file](/docs/agent/config-entries/terminating-gateway#cafile) connections
|
||||
from the terminating gateway will be encrypted using one-way TLS authentication. If a path to a
|
||||
[client certificate](/docs/agent/config-entries/terminating-gateway#certfile)
|
||||
and [private key](/docs/agent/config-entries/terminating-gateway#keyfile) are also specified connections
|
||||
from the terminating gateway will be encrypted using mutual TLS authentication.
|
||||
|
||||
If none of these are provided, Consul will **only** encrypt connections to the gateway and not
|
||||
from the gateway to the destination service.
|
||||
|
||||
## Wildcard service specification
|
||||
|
||||
Terminating gateways can optionally target all services within a Consul namespace by specifying a wildcard "*"
|
||||
as the service name. Configuration options set on the wildcard act as defaults that can be overridden
|
||||
by options set on a specific service name.
|
||||
Terminating gateways can optionally target all services within a Consul namespace by specifying a wildcard "\*"
|
||||
as the service name. Configuration options set on the wildcard act as defaults that can be overridden
|
||||
by options set on a specific service name.
|
||||
|
||||
Note that if the wildcard specifier is used, and some services in that namespace have a Connect sidecar proxy,
|
||||
traffic from the mesh to those services will be evenly load-balanced between the gateway and their sidecars.
|
||||
Note that if the wildcard specifier is used, and some services in that namespace have a Connect sidecar proxy,
|
||||
traffic from the mesh to those services will be evenly load-balanced between the gateway and their sidecars.
|
||||
|
||||
## Sample Config Entries
|
||||
|
||||
|
@ -310,7 +311,7 @@ Services = [
|
|||
</Tab>
|
||||
<Tab heading="HCL (Consul Enterprise)">
|
||||
|
||||
Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace,
|
||||
Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace,
|
||||
and configure default certificates for mutual TLS. Also override the SNI and CA file used for connections to the billing service:
|
||||
|
||||
```hcl
|
||||
|
@ -336,7 +337,7 @@ Services = [
|
|||
```
|
||||
|
||||
</Tab>
|
||||
<Tab heading="JSON">
|
||||
<Tab heading="JSON">
|
||||
|
||||
Link gateway named "us-west-gateway" with all services in the datacenter, and configure default certificates for mutual TLS.
|
||||
Also override the SNI and CA file used for connections to the billing service:
|
||||
|
@ -351,21 +352,21 @@ Also override the SNI and CA file used for connections to the billing service:
|
|||
"CAFile": "/etc/billing-ca/ca-chain.cert.pem",
|
||||
"KeyFile": "/etc/certs/gateway.key.pem",
|
||||
"CertFile": "/etc/certs/gateway.cert.pem",
|
||||
"SNI": "billing.service.com"
|
||||
"SNI": "billing.service.com"
|
||||
},
|
||||
{
|
||||
"Name": "billing",
|
||||
"CAFile": "/etc/billing-ca/ca-chain.cert.pem",
|
||||
"SNI": "billing.service.com"
|
||||
"SNI": "billing.service.com"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</Tab>
|
||||
<Tab heading="JSON (Consul Enterprise)">
|
||||
<Tab heading="JSON (Consul Enterprise)">
|
||||
|
||||
Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace,
|
||||
Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace,
|
||||
and configure default certificates for mutual TLS. Also override the SNI and CA file used for connections to the billing service:
|
||||
|
||||
```json
|
||||
|
@ -374,19 +375,19 @@ and configure default certificates for mutual TLS. Also override the SNI and CA
|
|||
"Name": "us-west-gateway",
|
||||
"Namespace": "default",
|
||||
"Services": [
|
||||
{
|
||||
{
|
||||
"Namespace": "finance",
|
||||
"Name": "*",
|
||||
"CAFile": "/etc/billing-ca/ca-chain.cert.pem",
|
||||
"KeyFile": "/etc/certs/gateway.key.pem",
|
||||
"CertFile": "/etc/certs/gateway.cert.pem",
|
||||
"SNI": "billing.service.com"
|
||||
"SNI": "billing.service.com"
|
||||
},
|
||||
{
|
||||
{
|
||||
"Namespace": "finance",
|
||||
"Name": "billing",
|
||||
"CAFile": "/etc/billing-ca/ca-chain.cert.pem",
|
||||
"SNI": "billing.service.com"
|
||||
"SNI": "billing.service.com"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -402,37 +403,37 @@ and configure default certificates for mutual TLS. Also override the SNI and CA
|
|||
- `Name` `(string: <required>)` - Set to the name of the gateway being configured.
|
||||
|
||||
- `Namespace` `(string: "default")` - <EnterpriseAlert inline /> Specifies the namespace
|
||||
the config entry will apply to. This must be the namespace the gateway is registered in.
|
||||
If omitted, the namespace will be inherited from [the request](/api/config#ns)
|
||||
or will default to the `default` namespace.
|
||||
the config entry will apply to. This must be the namespace the gateway is registered in.
|
||||
If omitted, the namespace will be inherited from [the request](/api/config#ns)
|
||||
or will default to the `default` namespace.
|
||||
|
||||
- `Services` `(array<LinkedService>: <optional>)` - A list of services to link
|
||||
with the gateway. The gateway will proxy traffic to these services. These linked services
|
||||
must be registered with Consul for the gateway to discover their addresses. They must also
|
||||
be registered in the same Consul datacenter as the terminating gateway.
|
||||
with the gateway. The gateway will proxy traffic to these services. These linked services
|
||||
must be registered with Consul for the gateway to discover their addresses. They must also
|
||||
be registered in the same Consul datacenter as the terminating gateway.
|
||||
|
||||
- `Name` `(string: "")` - The name of the service to link with the gateway.
|
||||
- `Name` `(string: "")` - The name of the service to link with the gateway.
|
||||
If the wildcard specifier, `*`, is provided, then ALL services within the namespace
|
||||
will be linked with the gateway.
|
||||
|
||||
- `Namespace` `(string: "")` - <EnterpriseAlert inline /> The namespace of the service.
|
||||
- `Namespace` `(string: "")` - <EnterpriseAlert inline /> The namespace of the service.
|
||||
If omitted, the namespace will be inherited from the config entry.
|
||||
|
||||
- `CAFile` `(string: "")` - A file path to a PEM-encoded certificate authority.
|
||||
- `CAFile` `(string: "")` - A file path to a PEM-encoded certificate authority.
|
||||
The file must be present on the proxy's filesystem.
|
||||
The certificate authority is used to verify the authenticity of the service linked with the gateway.
|
||||
It can be provided along with a CertFile and KeyFile for mutual TLS authentication, or on its own
|
||||
for one-way TLS authentication. If none is provided the gateway **will not** encrypt the traffic to the destination.
|
||||
|
||||
- `CertFile` `(string: "")` - A file path to a PEM-encoded certificate.
|
||||
- `CertFile` `(string: "")` - A file path to a PEM-encoded certificate.
|
||||
The file must be present on the proxy's filesystem.
|
||||
The certificate is provided servers to verify the gateway's authenticity. It must be provided if a KeyFile was specified.
|
||||
|
||||
- `KeyFile` `(string: "")` - A file path to a PEM-encoded private key.
|
||||
The file must be present on the proxy's filesystem.
|
||||
The key is used with the certificate to verify the gateway's authenticity. It must be provided along if a CertFile was specified.
|
||||
- `KeyFile` `(string: "")` - A file path to a PEM-encoded private key.
|
||||
The file must be present on the proxy's filesystem.
|
||||
The key is used with the certificate to verify the gateway's authenticity. It must be provided along if a CertFile was specified.
|
||||
|
||||
- `SNI` `(string: "")` - An optional hostname or domain name to specify during the TLS handshake.
|
||||
- `SNI` `(string: "")` - An optional hostname or domain name to specify during the TLS handshake.
|
||||
|
||||
## ACLs
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ information, registers services, runs checks, responds to queries,
|
|||
and more. The agent must run on every node that is part of a Consul cluster.
|
||||
|
||||
Any agent may run in one of two modes: client or server. A server
|
||||
node takes on the additional responsibility of being part of the
|
||||
node takes on the additional responsibility of being part of the
|
||||
[consensus quorum](/docs/internals/consensus).
|
||||
These nodes take part in Raft and provide strong consistency and availability in
|
||||
the case of failure. The higher burden on the server nodes means that usually
|
||||
|
@ -27,11 +27,11 @@ operations and maintain very little state of their own.
|
|||
## Running an Agent
|
||||
|
||||
The agent is started with the [`consul agent`](/docs/commands/agent) command.
|
||||
This command blocks, running forever or until told to quit. You can test a
|
||||
local agent by following the
|
||||
This command blocks, running forever or until told to quit. You can test a
|
||||
local agent by following the
|
||||
[Getting Started guides](https://learn.hashicorp.com/consul/getting-started/install?utm_source=consul.io&utm_medium=docs).
|
||||
|
||||
The agent command takes a variety of
|
||||
The agent command takes a variety of
|
||||
[`configuration options`](/docs/agent/options#command-line-options), but most
|
||||
have sane defaults.
|
||||
|
||||
|
@ -54,22 +54,22 @@ $ consul agent -data-dir=/tmp/consul
|
|||
...
|
||||
```
|
||||
|
||||
There are several important messages that
|
||||
There are several important messages that
|
||||
[`consul agent`](/docs/commands/agent) outputs:
|
||||
|
||||
- **Node name**: This is a unique name for the agent. By default, this
|
||||
is the hostname of the machine, but you may customize it using the
|
||||
[`-node`](/docs/agent/options#_node) flag.
|
||||
|
||||
- **Datacenter**: This is the datacenter in which the agent is configured to
|
||||
run.
|
||||
- **Datacenter**: This is the datacenter in which the agent is configured to
|
||||
run.
|
||||
Consul has first-class support for multiple datacenters; however, to work
|
||||
efficiently, each node must be configured to report its datacenter. The
|
||||
[`-datacenter`](/docs/agent/options#_datacenter) flag can be used to set the
|
||||
efficiently, each node must be configured to report its datacenter. The
|
||||
[`-datacenter`](/docs/agent/options#_datacenter) flag can be used to set the
|
||||
datacenter. For single-DC configurations, the agent will default to "dc1".
|
||||
|
||||
- **Server**: This indicates whether the agent is running in server or client
|
||||
mode.
|
||||
mode.
|
||||
Server nodes have the extra burden of participating in the consensus quorum,
|
||||
storing cluster state, and handling queries. Additionally, a server may be
|
||||
in ["bootstrap"](/docs/agent/options#_bootstrap_expect) mode. Multiple servers
|
||||
|
@ -97,7 +97,7 @@ service definition file has to have `Type=notify` set.
|
|||
|
||||
An agent can be stopped in two ways: gracefully or forcefully. Servers and
|
||||
Clients both behave differently depending on the leave that is performed. There
|
||||
are two potential states a process can be in after a system signal is sent:
|
||||
are two potential states a process can be in after a system signal is sent:
|
||||
_left_ and _failed_.
|
||||
|
||||
To gracefully halt an agent, send the process an _interrupt signal_ (usually
|
||||
|
@ -111,7 +111,7 @@ cluster that the node has _left_.
|
|||
|
||||
When a Server is gracefully exited, the server will not be marked as _left_.
|
||||
This is to minimally impact the consensus quorum. Instead, the Server will be
|
||||
marked as _failed_. To remove a server from the cluster, the
|
||||
marked as _failed_. To remove a server from the cluster, the
|
||||
[`force-leave`](/docs/commands/force-leave) command is used. Using
|
||||
`force-leave` will put the server instance in a _left_ state so long as the
|
||||
Server agent is not alive.
|
||||
|
|
|
@ -825,51 +825,51 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
- `serf_wan_allowed_cidrs` ((#serf_wan_allowed_cidrs)) Equivalent to the [`-serf-wan-allowed-cidrs` command-line flag](#_serf_wan_allowed_cidrs).
|
||||
|
||||
- `audit` <EnterpriseAlert inline /> - Added in Consul 1.8, the audit object allow users to enable auditing
|
||||
and configure a sink and filters for their audit logs.
|
||||
and configure a sink and filters for their audit logs.
|
||||
|
||||
```hcl
|
||||
audit {
|
||||
enabled = true
|
||||
sink "My sink" {
|
||||
type = "file"
|
||||
format = "json"
|
||||
path = "data/audit/audit.json"
|
||||
delivery_guarantee = "best-effort"
|
||||
rotate_duration = "24h"
|
||||
rotate_max_files = 15
|
||||
rotate_bytes = 25165824
|
||||
}
|
||||
}
|
||||
```
|
||||
```hcl
|
||||
audit {
|
||||
enabled = true
|
||||
sink "My sink" {
|
||||
type = "file"
|
||||
format = "json"
|
||||
path = "data/audit/audit.json"
|
||||
delivery_guarantee = "best-effort"
|
||||
rotate_duration = "24h"
|
||||
rotate_max_files = 15
|
||||
rotate_bytes = 25165824
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
The following sub-keys are available:
|
||||
The following sub-keys are available:
|
||||
|
||||
- `enabled` - Controls whether Consul logs out each time a user
|
||||
- `enabled` - Controls whether Consul logs out each time a user
|
||||
performs an operation. ACLs must be enabled to use this feature. Defaults to `false`.
|
||||
|
||||
- `sink` - This object provides configuration for the destination to which
|
||||
Consul will log auditing events. Sink is an object containing keys to sink objects, where the key is the name of the sink.
|
||||
- `sink` - This object provides configuration for the destination to which
|
||||
Consul will log auditing events. Sink is an object containing keys to sink objects, where the key is the name of the sink.
|
||||
|
||||
- `type` - Type specifies what kind of sink this is.
|
||||
The following keys are valid:
|
||||
- `file` - Currently only file sinks are available, they take the following keys.
|
||||
- `format` - Format specifies what format the events will
|
||||
be emitted with.
|
||||
The following keys are valid:
|
||||
- `json` - Currently only json events are offered.
|
||||
- `path` - The directory and filename to write audit events to.
|
||||
- `delivery_guarantee` - Specifies
|
||||
the rules governing how audit events are written.
|
||||
The following keys are valid:
|
||||
- `best-effort` - Consul only supports `best-effort` event delivery.
|
||||
- `rotate_duration` - Specifies the
|
||||
interval by which the system rotates to a new log file. At least one of `rotate_duration` or `rotate_bytes`
|
||||
must be configured to enable audit logging.
|
||||
- `rotate_max_files` - Defines the
|
||||
limit that Consul should follow before it deletes old log files.
|
||||
- `rotate_bytes` - Specifies how large an
|
||||
individual log file can grow before Consul rotates to a new file. At least one of `rotate_bytes` or
|
||||
`rotate_duration` must be configured to enable audit logging.
|
||||
- `type` - Type specifies what kind of sink this is.
|
||||
The following keys are valid:
|
||||
- `file` - Currently only file sinks are available, they take the following keys.
|
||||
- `format` - Format specifies what format the events will
|
||||
be emitted with.
|
||||
The following keys are valid:
|
||||
- `json` - Currently only json events are offered.
|
||||
- `path` - The directory and filename to write audit events to.
|
||||
- `delivery_guarantee` - Specifies
|
||||
the rules governing how audit events are written.
|
||||
The following keys are valid:
|
||||
- `best-effort` - Consul only supports `best-effort` event delivery.
|
||||
- `rotate_duration` - Specifies the
|
||||
interval by which the system rotates to a new log file. At least one of `rotate_duration` or `rotate_bytes`
|
||||
must be configured to enable audit logging.
|
||||
- `rotate_max_files` - Defines the
|
||||
limit that Consul should follow before it deletes old log files.
|
||||
- `rotate_bytes` - Specifies how large an
|
||||
individual log file can grow before Consul rotates to a new file. At least one of `rotate_bytes` or
|
||||
`rotate_duration` must be configured to enable audit logging.
|
||||
|
||||
- `autopilot` Added in Consul 0.8, this object allows a
|
||||
number of sub-keys to be set which can configure operator-friendly settings for
|
||||
|
@ -1763,7 +1763,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
- `prefix_filter` ((#telemetry-prefix_filter))
|
||||
This is a list of filter rules to apply for allowing/blocking metrics by
|
||||
prefix in the following format:
|
||||
|
||||
|
||||
```json
|
||||
["+consul.raft.apply", "-consul.http", "+consul.http.GET"]
|
||||
```
|
||||
|
@ -1814,7 +1814,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
|
||||
- `tls_cipher_suites` Added in Consul 0.8.2, this specifies the list of
|
||||
supported ciphersuites as a comma-separated-list. The list of all supported
|
||||
ciphersuites is available through
|
||||
ciphersuites is available through
|
||||
[this search](https://github.com/hashicorp/consul/search?q=cipherMap+%3A%3D+map&unscoped_q=cipherMap+%3A%3D+map).
|
||||
|
||||
- `tls_prefer_server_cipher_suites` Added in Consul 0.8.2, this
|
||||
|
|
|
@ -147,9 +147,9 @@ This is a full list of metrics emitted by Consul.
|
|||
| `consul.client.api.catalog_register.` | This increments whenever a Consul agent receives a catalog register request. | requests | counter |
|
||||
| `consul.client.api.success.catalog_register.` | This increments whenever a Consul agent successfully responds to a catalog register request. | requests | counter |
|
||||
| `consul.client.rpc.error.catalog_register.` | This increments whenever a Consul agent receives an RPC error for a catalog register request. | errors | counter |
|
||||
| `consul.client.api.catalog_deregister.` | This increments whenever a Consul agent receives a catalog deregister request. | requests | counter |
|
||||
| `consul.client.api.success.catalog_deregister.` | This increments whenever a Consul agent successfully responds to a catalog deregister request. | requests | counter |
|
||||
| `consul.client.rpc.error.catalog_deregister.` | This increments whenever a Consul agent receives an RPC error for a catalog deregister request. | errors | counter |
|
||||
| `consul.client.api.catalog_deregister.` | This increments whenever a Consul agent receives a catalog deregister request. | requests | counter |
|
||||
| `consul.client.api.success.catalog_deregister.` | This increments whenever a Consul agent successfully responds to a catalog deregister request. | requests | counter |
|
||||
| `consul.client.rpc.error.catalog_deregister.` | This increments whenever a Consul agent receives an RPC error for a catalog deregister request. | errors | counter |
|
||||
| `consul.client.api.catalog_datacenters.` | This increments whenever a Consul agent receives a request to list datacenters in the catalog. | requests | counter |
|
||||
| `consul.client.api.success.catalog_datacenters.` | This increments whenever a Consul agent successfully responds to a request to list datacenters. | requests | counter |
|
||||
| `consul.client.rpc.error.catalog_datacenters.` | This increments whenever a Consul agent receives an RPC error for a request to list datacenters. | errors | counter |
|
||||
|
@ -163,11 +163,11 @@ This is a full list of metrics emitted by Consul.
|
|||
| `consul.client.api.success.catalog_service_nodes.` | This increments whenever a Consul agent successfully responds to a request to list nodes offering a service. | requests | counter |
|
||||
| `consul.client.rpc.error.catalog_service_nodes.` | This increments whenever a Consul agent receives an RPC error for a request to list nodes offering a service. | errors | counter |
|
||||
| `consul.client.api.catalog_node_services.` | This increments whenever a Consul agent receives a request to list services registered in a node. | requests | counter |
|
||||
| `consul.client.api.success.catalog_node_services.` | This increments whenever a Consul agent successfully responds to a request to list services in a node. | requests | counter |
|
||||
| `consul.client.rpc.error.catalog_node_services.` | This increments whenever a Consul agent receives an RPC error for a request to list services in a node. | errors | counter |
|
||||
| `consul.client.api.catalog_gateway_services.` | This increments whenever a Consul agent receives a request to list services associated with a gateway. | requests | counter |
|
||||
| `consul.client.api.success.catalog_gateway_services.` | This increments whenever a Consul agent successfully responds to a request to list services associated with a gateway. | requests | counter |
|
||||
| `consul.client.rpc.error.catalog_gateway_services.` | This increments whenever a Consul agent receives an RPC error for a request to list services associated with a gateway. | errors | counter |
|
||||
| `consul.client.api.success.catalog_node_services.` | This increments whenever a Consul agent successfully responds to a request to list services in a node. | requests | counter |
|
||||
| `consul.client.rpc.error.catalog_node_services.` | This increments whenever a Consul agent receives an RPC error for a request to list services in a node. | errors | counter |
|
||||
| `consul.client.api.catalog_gateway_services.` | This increments whenever a Consul agent receives a request to list services associated with a gateway. | requests | counter |
|
||||
| `consul.client.api.success.catalog_gateway_services.` | This increments whenever a Consul agent successfully responds to a request to list services associated with a gateway. | requests | counter |
|
||||
| `consul.client.rpc.error.catalog_gateway_services.` | This increments whenever a Consul agent receives an RPC error for a request to list services associated with a gateway. | errors | counter |
|
||||
| `consul.runtime.num_goroutines` | This tracks the number of running goroutines and is a general load pressure indicator. This may burst from time to time but should return to a steady state value. | number of goroutines | gauge |
|
||||
| `consul.runtime.alloc_bytes` | This measures the number of bytes allocated by the Consul process. This may burst from time to time but should return to a steady state value. | bytes | gauge |
|
||||
| `consul.runtime.heap_objects` | This measures the number of objects allocated on the heap and is a general memory pressure indicator. This may burst from time to time but should return to a steady state value. | number of objects | gauge |
|
||||
|
|
|
@ -12,7 +12,7 @@ description: >
|
|||
|
||||
Command: `consul connect expose`
|
||||
|
||||
The connect expose subcommand is used to expose a Connect-enabled service
|
||||
The connect expose subcommand is used to expose a Connect-enabled service
|
||||
through an Ingress gateway by modifying the gateway's configuration and adding
|
||||
an intention to allow traffic from the gateway to the service. See the
|
||||
[Ingress gateway documentation](/docs/connect/ingress-gateway) for more information
|
||||
|
@ -46,7 +46,7 @@ Usage: consul connect expose [options]
|
|||
|
||||
- `-protocol` - The protocol for the service. Defaults to 'tcp'.
|
||||
|
||||
- `-host` - Additional DNS hostname to use for routing to this service. Can be
|
||||
- `-host` - Additional DNS hostname to use for routing to this service. Can be
|
||||
specified multiple times.
|
||||
|
||||
## Examples
|
||||
|
|
|
@ -248,8 +248,8 @@ scheme should be used, or `CONSUL_HTTP_SSL` set.
|
|||
### `CONSUL_NAMESPACE`
|
||||
|
||||
**Enterprise only**
|
||||
If you're using Consul Enterprise namespaces you can set this for the CLI to
|
||||
explicitly use a single namespace. This is common across all Hashicorp
|
||||
If you're using Consul Enterprise namespaces you can set this for the CLI to
|
||||
explicitly use a single namespace. This is common across all Hashicorp
|
||||
products that support Enterprise namespaces.
|
||||
|
||||
```
|
||||
|
|
|
@ -70,10 +70,10 @@ $ consul intention match db
|
|||
Intention commands commonly take positional arguments referred to as `SRC` and
|
||||
`DST` in the command documentation. These can take several forms:
|
||||
|
||||
| Format | Meaning |
|
||||
| ----------------------- | -----------------------------------------------------------------------|
|
||||
| `<service>` | the named service in the current namespace |
|
||||
| `*` | any service in the current namespace |
|
||||
| `<namespace>/<service>` | <EnterpriseAlert inline /> the named service in a specific namespace |
|
||||
| `<namespace>/*` | <EnterpriseAlert inline /> any service in the specified namespace |
|
||||
| `*/*` | <EnterpriseAlert inline /> any service in any namespace |
|
||||
| Format | Meaning |
|
||||
| ----------------------- | -------------------------------------------------------------------- |
|
||||
| `<service>` | the named service in the current namespace |
|
||||
| `*` | any service in the current namespace |
|
||||
| `<namespace>/<service>` | <EnterpriseAlert inline /> the named service in a specific namespace |
|
||||
| `<namespace>/*` | <EnterpriseAlert inline /> any service in the specified namespace |
|
||||
| `*/*` | <EnterpriseAlert inline /> any service in any namespace |
|
||||
|
|
|
@ -42,7 +42,7 @@ Usage: consul license <subcommand> [options] [args]
|
|||
Retrieve the current license:
|
||||
|
||||
$ consul license get
|
||||
|
||||
|
||||
Reset the current license:
|
||||
|
||||
$ consul license reset
|
||||
|
@ -117,7 +117,7 @@ Licensed Features:
|
|||
|
||||
## reset
|
||||
|
||||
Resets license for the datacenter to the one builtin in Consul binary, if it is still valid.
|
||||
Resets license for the datacenter to the one builtin in Consul binary, if it is still valid.
|
||||
If the builtin license is invalid, the current one stays active.
|
||||
|
||||
Usage: `consul license reset [options]`
|
||||
|
|
|
@ -59,7 +59,7 @@ but may be upgraded to a GUID in a future version of Consul.
|
|||
Raft configuration.
|
||||
|
||||
`Voter` is "true" or "false", indicating if the server has a vote in the Raft
|
||||
configuration.
|
||||
configuration.
|
||||
|
||||
## remove-peer
|
||||
|
||||
|
|
|
@ -15,8 +15,8 @@ but will help you build a mental model of what's going on under the hood, which
|
|||
may help you reason about Connect's behavior in more complex deployment
|
||||
scenarios.
|
||||
|
||||
To try Connect locally, complete the [Getting Started with Consul service
|
||||
mesh](https://learn.hashicorp.com/consul/gs-consul-service-mesh/understand-consul-service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
To try Connect locally, complete the [Getting Started with Consul service
|
||||
mesh](https://learn.hashicorp.com/consul/gs-consul-service-mesh/understand-consul-service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
guide.
|
||||
|
||||
## Mutual Transport Layer Security (mTLS)
|
||||
|
|
|
@ -10,7 +10,7 @@ description: >-
|
|||
|
||||
# Ingress Gateways
|
||||
|
||||
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.
|
||||
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.
|
||||
|
||||
Ingress gateways enable ingress traffic from services outside the Consul
|
||||
service mesh to services inside the Consul service mesh. An ingress gateway is
|
||||
|
@ -68,5 +68,5 @@ If the Consul client agent on the gateway's node is not configured to use the de
|
|||
must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies.
|
||||
|
||||
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
|
||||
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
|
||||
sets of services within their datacenter then the ingress gateways **must** be registered with different names.
|
||||
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
|
||||
sets of services within their datacenter then the ingress gateways **must** be registered with different names.
|
||||
|
|
|
@ -68,7 +68,7 @@ All fields are optional with a sane default.
|
|||
or `[::]` in which case this defaults to `127.0.0.1` and assumes the agent can
|
||||
dial the proxy over loopback. For more complex configurations where agent and proxy
|
||||
communicate over a bridge for example, this configuration can be used to specify
|
||||
a different *address* (but not port) for the agent to use for health checks if
|
||||
a different _address_ (but not port) for the agent to use for health checks if
|
||||
it can't talk to the proxy over localhost or it's publicly advertised port. The
|
||||
check always uses the same port that the proxy is bound to.
|
||||
|
||||
|
|
|
@ -287,7 +287,6 @@ definition](/docs/connect/registration/service-registration) or
|
|||
- `max_failures` - The number of consecutive failures which cause a host to be
|
||||
removed from the load balancer.
|
||||
|
||||
|
||||
### Gateway Options
|
||||
|
||||
These fields may also be overridden explicitly in the [proxy service
|
||||
|
@ -319,7 +318,7 @@ will continue to be supported.
|
|||
- `envoy_gateway_no_default_bind` - Prevents binding to the default address
|
||||
of the gateway service. This should be used with one of the other options
|
||||
to configure the gateway's bind addresses.
|
||||
|
||||
|
||||
- `envoy_dns_discovery_type` - Determines how Envoy will resolve hostnames. Defaults to `LOGICAL_DNS`.
|
||||
Must be one of `STRICT_DNS` or `LOGICAL_DNS`. Details for each type are available in
|
||||
the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/v1.14.1/intro/arch_overview/upstream/service_discovery).
|
||||
|
|
|
@ -8,7 +8,7 @@ description: |-
|
|||
|
||||
# WAN Federation via Mesh Gateways
|
||||
|
||||
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher
|
||||
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher
|
||||
|
||||
~> This topic requires familiarity with [mesh gateways](/docs/connect/mesh-gateway).
|
||||
|
||||
|
@ -28,11 +28,11 @@ the WAN.
|
|||
|
||||
Sometimes this prerequisite is difficult or undesirable to meet:
|
||||
|
||||
* **Difficult:** The datacenters may exist in multiple Kubernetes clusters that
|
||||
- **Difficult:** The datacenters may exist in multiple Kubernetes clusters that
|
||||
unfortunately have overlapping pod IP subnets, or may exist in different
|
||||
cloud provider VPCs that have overlapping subnets.
|
||||
|
||||
* **Undesirable:** Network security teams may not approve of granting so many
|
||||
- **Undesirable:** Network security teams may not approve of granting so many
|
||||
firewall rules. When using platform autoscaling, keeping rules up to date becomes untenable.
|
||||
|
||||
Operators looking to simplify their WAN deployment and minimize the exposed
|
||||
|
@ -44,17 +44,16 @@ gateways](/docs/connect/mesh-gateways.html) to do so.
|
|||
There are two main kinds of communication that occur over the WAN link spanning
|
||||
the gulf between disparate Consul datacenters:
|
||||
|
||||
* **WAN gossip:** We leverage the serf and memberlist libraries to gossip
|
||||
- **WAN gossip:** We leverage the serf and memberlist libraries to gossip
|
||||
around failure detector knowledge about Consul servers in each datacenter.
|
||||
By default this operates point to point between servers over `8302/udp` with
|
||||
a fallback to `8302/tcp` (which logs a warning indicating the network is
|
||||
misconfigured).
|
||||
|
||||
* **Cross-datacenter RPCs:** Consul servers expose a special multiplexed port
|
||||
- **Cross-datacenter RPCs:** Consul servers expose a special multiplexed port
|
||||
over `8300/tcp`. Several distinct kinds of messages can be received on this
|
||||
port, such as RPC requests forwarded from servers in other datacenters.
|
||||
|
||||
|
||||
In this network topology individual Consul client agents on a LAN in one
|
||||
datacenter never need to directly dial servers in other datacenters. This
|
||||
means you could introduce a set of firewall rules prohibiting `10.0.0.0/24`
|
||||
|
@ -80,8 +79,7 @@ these SAN fields:
|
|||
server.<this_datacenter>.<domain> (normal)
|
||||
<node_name>.server.<this_datacenter>.<domain> (needed for wan federation)
|
||||
|
||||
This can be achieved using any number of tools, including `consul tls cert
|
||||
create` with the `-node` flag.
|
||||
This can be achieved using any number of tools, including `consul tls cert create` with the `-node` flag.
|
||||
|
||||
### Mesh Gateways
|
||||
|
||||
|
@ -157,7 +155,6 @@ follow this general procedure:
|
|||
resolve ACL tokens from the secondary, at which time it should be possible
|
||||
to launch the mesh gateways in the secondary datacenter.
|
||||
|
||||
|
||||
### Existing secondary
|
||||
|
||||
1. Upgrade to the desired version of the consul binary for all servers,
|
||||
|
@ -175,9 +172,9 @@ follow this general procedure:
|
|||
From any two datacenters joined together double check the following give you an
|
||||
expected result:
|
||||
|
||||
* Check that `consul members -wan` lists all servers in all datacenters with
|
||||
- Check that `consul members -wan` lists all servers in all datacenters with
|
||||
their _local_ ip addresses and are listed as `alive`.
|
||||
|
||||
* Ensure any API request that activates datacenter request forwarding. such as
|
||||
- Ensure any API request that activates datacenter request forwarding. such as
|
||||
[`/v1/catalog/services?dc=<OTHER_DATACENTER_NAME>`](/api/catalog.html#dc-1)
|
||||
succeeds.
|
||||
|
|
|
@ -11,7 +11,8 @@ description: >-
|
|||
# Automated Backups
|
||||
|
||||
<EnterpriseAlert>
|
||||
This feature is available in all versions of <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>.
|
||||
This feature is available in all versions of{' '}
|
||||
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>.
|
||||
</EnterpriseAlert>
|
||||
|
||||
Consul Enterprise enables you to run
|
||||
|
|
|
@ -11,7 +11,9 @@ description: >-
|
|||
# Consul Enterprise Advanced Federation
|
||||
|
||||
<EnterpriseAlert>
|
||||
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Global Visibility, Routing, and Scale module.
|
||||
This feature requires{' '}
|
||||
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
|
||||
with the Global Visibility, Routing, and Scale module.
|
||||
</EnterpriseAlert>
|
||||
|
||||
Consul's core federation capability uses the same gossip mechanism that is used
|
||||
|
|
|
@ -8,7 +8,9 @@ description: Consul Enterprise enables data isolation with Namespaces.
|
|||
# Consul Enterprise Namespaces
|
||||
|
||||
<EnterpriseAlert>
|
||||
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Governance and Policy module.
|
||||
This feature requires{' '}
|
||||
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
|
||||
with the Governance and Policy module.
|
||||
</EnterpriseAlert>
|
||||
|
||||
With Consul Enterprise v1.7.0, data for different users or teams
|
||||
|
|
|
@ -10,7 +10,9 @@ description: |-
|
|||
# Network Segments
|
||||
|
||||
<EnterpriseAlert>
|
||||
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Global Visibility, Routing, and Scale module.
|
||||
This feature requires{' '}
|
||||
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
|
||||
with the Global Visibility, Routing, and Scale module.
|
||||
</EnterpriseAlert>
|
||||
|
||||
Consul Network Segments enables operators to create separate LAN gossip segments
|
||||
|
|
|
@ -12,7 +12,9 @@ description: >-
|
|||
# Enhanced Read Scalability with Non-Voting Servers
|
||||
|
||||
<EnterpriseAlert>
|
||||
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Global Visibility, Routing, and Scale module.
|
||||
This feature requires{' '}
|
||||
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
|
||||
with the Global Visibility, Routing, and Scale module.
|
||||
</EnterpriseAlert>
|
||||
|
||||
Consul Enterprise provides the ability to scale clustered Consul servers
|
||||
|
|
|
@ -10,7 +10,9 @@ description: >-
|
|||
# Redundancy Zones
|
||||
|
||||
<EnterpriseAlert>
|
||||
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Global Visibility, Routing, and Scale module.
|
||||
This feature requires{' '}
|
||||
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
|
||||
with the Global Visibility, Routing, and Scale module.
|
||||
</EnterpriseAlert>
|
||||
|
||||
Consul Enterprise redundancy zones provide
|
||||
|
|
|
@ -11,7 +11,9 @@ description: >-
|
|||
# Sentinel in Consul
|
||||
|
||||
<EnterpriseAlert>
|
||||
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Governance and Policy module.
|
||||
This feature requires{' '}
|
||||
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
|
||||
with the Governance and Policy module.
|
||||
</EnterpriseAlert>
|
||||
|
||||
Sentinel policies extend the ACL system in Consul beyond static "read", "write",
|
||||
|
|
|
@ -11,7 +11,8 @@ description: >-
|
|||
# Automated Upgrades
|
||||
|
||||
<EnterpriseAlert>
|
||||
This feature is available in all versions of <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>.
|
||||
This feature is available in all versions of{' '}
|
||||
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>.
|
||||
</EnterpriseAlert>
|
||||
|
||||
Consul Enterprise enables the capability of automatically upgrading a cluster of Consul servers to a new
|
||||
|
|
|
@ -108,9 +108,9 @@ forward an RPC request to the remote Consul servers for that resource and
|
|||
return the results.
|
||||
If the remote datacenter is not available, then those resources will also not be
|
||||
available from that datacenter. That will not affect the requests to the local
|
||||
datacenter. There are some special situations where a limited subset of data
|
||||
datacenter. There are some special situations where a limited subset of data
|
||||
can be replicated, such as with Consul's built-in
|
||||
[ACL replication](https://learn.hashicorp.com/consul/day-2-operations/acl-replication)
|
||||
[ACL replication](https://learn.hashicorp.com/consul/day-2-operations/acl-replication)
|
||||
capability, or external tools like
|
||||
[consul-replicate](https://github.com/hashicorp/consul-replicate).
|
||||
|
||||
|
@ -129,10 +129,10 @@ Please see our
|
|||
|
||||
## Q: Are the Consul Docker Images OCI Compliant?
|
||||
|
||||
The official [Consul Docker image](https://hub.docker.com/_/consul/) uses
|
||||
The official [Consul Docker image](https://hub.docker.com/_/consul/) uses
|
||||
[Docker image schema](https://docs.docker.com/registry/spec/manifest-v2-2/) V2,
|
||||
which is OCI Compliant. To check the docker images on Docker Hub, use the
|
||||
command `docker manifest inspect consul` to inspect the manifest payload. The
|
||||
which is OCI Compliant. To check the docker images on Docker Hub, use the
|
||||
command `docker manifest inspect consul` to inspect the manifest payload. The
|
||||
`docker manifest inspect` may require you to enable experimental features to
|
||||
use.
|
||||
|
||||
|
|
|
@ -187,7 +187,7 @@ as to whether they are set on servers, clients, or both.
|
|||
| Configuration Option | Servers | Clients | Purpose |
|
||||
| --------------------------------------------------------------------- | ---------- | ---------- | ----------------------------------------------------------------------------------------- |
|
||||
| [`primary_datacenter`](/docs/agent/options#primary_datacenter) | `REQUIRED` | `REQUIRED` | Master control that enables ACLs by defining the authoritative Consul datacenter for ACLs |
|
||||
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
|
||||
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
|
||||
| [`acl_down_policy`](/docs/agent/options#acl_down_policy_legacy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the ACL datacenter is offline |
|
||||
| [`acl_ttl`](/docs/agent/options#acl_ttl_legacy) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACLs |
|
||||
|
||||
|
|
|
@ -2,10 +2,7 @@
|
|||
layout: docs
|
||||
page_title: Network Coordinates
|
||||
sidebar_title: Network Coordinates
|
||||
description: ''
|
||||
Serf uses a network tomography system to compute network coordinates for nodes in the cluster. These coordinates are useful for easily calculating the estimated network round trip time between any two nodes in the cluster. This page documents the details of this system. The core of the network tomography system us based on Vivaldi: >-
|
||||
A Decentralized Network Coordinate System, with several improvements based on
|
||||
several follow-on papers.
|
||||
description: A Decentralized Network Coordinate System, with several improvements based on several follow-on papers.
|
||||
---
|
||||
|
||||
# Network Coordinates
|
||||
|
|
|
@ -789,36 +789,36 @@ and consider if they're appropriate for your deployment.
|
|||
- `wanAddress` ((#v-meshgateway-wanaddress)) - What gets registered as WAN (wide area network) address for the gateway.
|
||||
|
||||
- `source` ((#v-meshgateway-wanaddress-source)) (`string: "Service"`) - source configures where to retrieve the WAN address (and possibly port)
|
||||
for the mesh gateway from.
|
||||
Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. See the behavior of each below:
|
||||
for the mesh gateway from.
|
||||
Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. See the behavior of each below:
|
||||
|
||||
* `Service` - Determine the address based on the service type.
|
||||
- `Service` - Determine the address based on the service type.
|
||||
|
||||
If `service.type=LoadBalancer` use the external IP or hostname of
|
||||
the service. Use the port set by `service.port`.
|
||||
If `service.type=LoadBalancer` use the external IP or hostname of
|
||||
the service. Use the port set by `service.port`.
|
||||
|
||||
If `service.type=NodePort` use the Node IP. The port will be set to
|
||||
`service.nodePort` so `service.nodePort` cannot be null.
|
||||
If `service.type=NodePort` use the Node IP. The port will be set to
|
||||
`service.nodePort` so `service.nodePort` cannot be null.
|
||||
|
||||
If `service.type=ClusterIP` use the ClusterIP. The port will be set to
|
||||
`service.port`.
|
||||
If `service.type=ClusterIP` use the ClusterIP. The port will be set to
|
||||
`service.port`.
|
||||
|
||||
`service.type=ExternalName` is not supported.
|
||||
`service.type=ExternalName` is not supported.
|
||||
|
||||
* `NodeIP` - The node IP as provided by the Kubernetes downward API.
|
||||
- `NodeIP` - The node IP as provided by the Kubernetes downward API.
|
||||
|
||||
* `NodeName` - The name of the node as provided by the Kubernetes downward
|
||||
API. This is useful if the node names are DNS entries that
|
||||
are routable from other datacenters.
|
||||
- `NodeName` - The name of the node as provided by the Kubernetes downward
|
||||
API. This is useful if the node names are DNS entries that
|
||||
are routable from other datacenters.
|
||||
|
||||
* `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`.
|
||||
- `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`.
|
||||
|
||||
- `port` ((#v-meshgateway-wanaddress-port)) (`integer: 443`) - Port that gets registered for WAN traffic.
|
||||
If source is set to "Service" then this setting will have no effect.
|
||||
See the documentation for `source` as to which port will be used in that
|
||||
case.
|
||||
|
||||
- `static` ((#v-meshgateway-wanaddress-static)) (`string: ""`) - If source is set to "Static" then this value will be used as the WAN
|
||||
- `static` ((#v-meshgateway-wanaddress-static)) (`string: ""`) - If source is set to "Static" then this value will be used as the WAN
|
||||
address of the mesh gateways. This is useful if you've configured a
|
||||
DNS entry to point to your mesh gateways.
|
||||
|
||||
|
@ -851,8 +851,8 @@ and consider if they're appropriate for your deployment.
|
|||
- `dnsPolicy` ((#v-meshgateway-dnspolicy)) (`string: null`) - `dnsPolicy` to use.
|
||||
|
||||
- `consulServiceName` ((#v-meshgateway-consulservicename)) (`string: "mesh-gateway"`) - Consul service name for the mesh gateways.
|
||||
Cannot be set to anything other than `"mesh-gateway"` if `global.acls.manageSystemACLs` is true since the ACL token
|
||||
generated is only for the name "mesh-gateway".
|
||||
Cannot be set to anything other than `"mesh-gateway"` if `global.acls.manageSystemACLs` is true since the ACL token
|
||||
generated is only for the name "mesh-gateway".
|
||||
|
||||
- `containerPort` ((#v-meshgateway-containerPort)) (`integer: 8443`) - Port that the gateway will run on inside the container.
|
||||
|
||||
|
@ -920,8 +920,8 @@ and consider if they're appropriate for your deployment.
|
|||
"annotation-key": "annotation-value"
|
||||
```
|
||||
|
||||
- `consulNamespace` ((#v-ingressgateways-defaults-consulnamespace)) (`string: "default"`) <EnterpriseAlert inline /> - Defines the Consul namespace to register the gateway into. Requires `global.enableConsulNamespaces` to be true and
|
||||
Consul Enterprise v1.7+ with a valid Consul Enterprise license. Note: The Consul namespace MUST exist before the gateway is deployed.
|
||||
- `consulNamespace` ((#v-ingressgateways-defaults-consulnamespace)) (`string: "default"`) <EnterpriseAlert inline /> - Defines the Consul namespace to register the gateway into. Requires `global.enableConsulNamespaces` to be true and
|
||||
Consul Enterprise v1.7+ with a valid Consul Enterprise license. Note: The Consul namespace MUST exist before the gateway is deployed.
|
||||
|
||||
- `gateways` ((#v-ingressgateways-gateways)) - Gateways is a list of gateway objects. The only required field for each is `name`, though they can also contain any of the fields in `ingressGateways.defaults`. Values defined here override the defaults except in the case of annotations where both will be applied.
|
||||
|
||||
|
@ -941,9 +941,9 @@ and consider if they're appropriate for your deployment.
|
|||
extraVolumes:
|
||||
- type: 'secret'
|
||||
name: 'my-secret'
|
||||
items: # optional items array
|
||||
items: # optional items array
|
||||
- key: key
|
||||
path: path # secret will now mount to /consul/userconfig/my-secret/path
|
||||
path: path # secret will now mount to /consul/userconfig/my-secret/path
|
||||
```
|
||||
|
||||
- `resources` ((#v-terminatinggateways-defaults-resources)) (`string`) - Resources for gateway pods. See values file for default.
|
||||
|
@ -963,7 +963,7 @@ and consider if they're appropriate for your deployment.
|
|||
"annotation-key": "annotation-value"
|
||||
```
|
||||
|
||||
- `consulNamespace` ((#v-terminatinggateways-defaults-consulnamespace)) (`string: "default"`) <EnterpriseAlert inline /> - Defines the Consul namespace to register the gateway into. Requires `global.enableConsulNamespaces` to be true and Consul Enterprise v1.7+ with a valid Consul Enterprise license. Note: The Consul namespace MUST exist before the gateway is deployed.
|
||||
- `consulNamespace` ((#v-terminatinggateways-defaults-consulnamespace)) (`string: "default"`) <EnterpriseAlert inline /> - Defines the Consul namespace to register the gateway into. Requires `global.enableConsulNamespaces` to be true and Consul Enterprise v1.7+ with a valid Consul Enterprise license. Note: The Consul namespace MUST exist before the gateway is deployed.
|
||||
|
||||
- `gateways` ((#v-terminatinggateways-gateways)) - Gateways is a list of gateway objects. The only required field for each is `name`, though they can also contain any of the fields in `terminatingGateways.defaults`. Values defined here override the defaults except in the case of annotations where both will be applied.
|
||||
|
||||
|
|
|
@ -195,16 +195,14 @@ export default function HomePage() {
|
|||
title: 'Getting Started',
|
||||
category: 'Step-by-Step Guides',
|
||||
time: '48 mins',
|
||||
link:
|
||||
'https://learn.hashicorp.com/consul/getting-started/install',
|
||||
link: 'https://learn.hashicorp.com/consul/getting-started/install',
|
||||
image: require('./img/learn/getting-started.svg?url'),
|
||||
},
|
||||
{
|
||||
title: 'Run Consul on Kubernetes',
|
||||
category: 'Step-by-Step Guides',
|
||||
time: '142 mins',
|
||||
link:
|
||||
'https://learn.hashicorp.com/consul/kubernetes/minikube',
|
||||
link: 'https://learn.hashicorp.com/consul/kubernetes/minikube',
|
||||
image: require('./img/learn/kubernetes.svg?url'),
|
||||
},
|
||||
]}
|
||||
|
|
|
@ -7,7 +7,7 @@ bearer tokens, it may be confusing to know which is right for a given use case.
|
|||
in possession of a valid JWT to begin. There is no browser interaction
|
||||
required. This is ideal for machine-oriented headless login where an operator
|
||||
may have already arranged for a valid JWT to be dropped on a VM or provided
|
||||
to a container.
|
||||
to a container.
|
||||
|
||||
- **OIDC**: The user performing the Consul login does not have a JWT nor do
|
||||
they even need to know what that means. This is ideal for human-oriented
|
||||
|
|