diff --git a/website/content/docs/connect/proxies/envoy.mdx b/website/content/docs/connect/proxies/envoy.mdx index 86856a6f95..0e7f843227 100644 --- a/website/content/docs/connect/proxies/envoy.mdx +++ b/website/content/docs/connect/proxies/envoy.mdx @@ -112,7 +112,7 @@ Envoy requires an initial bootstrap configuration file. The easiest way to create this is using the [`consul connect envoy` command](/commands/connect/envoy). The command can either output the bootstrap configuration directly to stdout, or generate the configuration and issue an `exec` command -to the Envoy binary as a convenience wrapper. +to the Envoy binary as a convenience wrapper. For more information about using `exec` to bootstrap Envoy, refer to [Exec Security Details](/consul/commands/connect/envoy#exec-security-details). Because some Envoy configuration options, such as metrics and tracing sinks, can only be specified via the bootstrap configuration, Connect as of Consul 1.5.0 adds 
@@ -174,6 +174,67 @@ definition](/docs/connect/registration/service-registration) or The [Advanced Configuration](#advanced-configuration) section describes additional configurations that allow incremental or complete control over the bootstrap configuration generated. +### Bootstrap Envoy on Windows VMs + +> Complete the [Connect Services on Windows Workloads to Consul Service Mesh tutorial](https://learn.hashicorp.com/tutorials/consul/consul-on-windows-workloads?utm_source=docs) to learn how to deploy Consul and use its service mesh on Windows VMs. + +If you are running Consul on a Windows VM, attempting to bootstrap Envoy with the `consul connect envoy` command returns the following output: + +```shell-session hideClipboard +Directly running Envoy is only supported on linux and macOS since envoy itself doesn't build on other plataforms currently. +Use the -bootstrap option to generate the JSON to use when running envoy on a supported OS or via a container or VM. +``` + +To bootstrap Envoy on Windows VMs, you must generate the bootstrap configuration as a .json file and then manually edit it to add both your ACL token and a valid access log path. + +To generate the bootstrap configuration file, add the `-bootstrap` option to the command and then save the output to a file: + +```shell-session +$ consul connect envoy -bootstrap > bootstrap.json +``` + +Then, open `bootstrap.json` and update the following sections with your ACL token and log path. + + + +```json + "admin": { + "access_log_path": "/dev/null", + "address": { + "socket_address": { + "address": "127.0.0.1", + "port_value": 19000 + } + } + }, + ## ... + "dynamic_resources": { + ## ... + "ads_config": { + ## ... + "grpc_services": { + "initial_metadata": [ + { + "key": "x-consul-token", + "value": "" + } + ], + ## ... 
+ } + } + } +} +``` + + +To complete the bootstrap process, start Envoy and include the path to `bootstrap.json`: + +```shell-session +$ envoy -c bootstrap.json +``` + +~> **Security Note**: The bootstrap JSON contains the ACL token and should be handled as a secret. Because this token authorizes the identity of any service it has `service:write` permissions for, it can be used to access upstream services. + ## Dynamic Configuration Consul automatically generates Envoy's dynamic configuration based on its
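Review bot: In the `@@ -112,7 +112,7 @@` hunk, the added link targets `/consul/commands/connect/envoy#exec-security-details`, while the existing link to the same command page earlier in this paragraph uses `/commands/connect/envoy` with no `/consul` prefix. One of the two is likely to resolve incorrectly. Use the same path scheme as the rest of the file and confirm that the `exec-security-details` anchor exists on the target page. The new sentence is also appended as a single long line where the surrounding paragraph is hard-wrapped.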
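Review bot: In the `@@ -174,6 +174,67 @@` hunk, the JSON sample shows `"access_log_path": "/dev/null"` and `"value": ""` with nothing marking them as the two fields the reader must edit, and `/dev/null` is not a path that exists on Windows. Replace both with labelled placeholders (a Windows log file path and something like `<ACL token>`) and name the two keys in the sentence above the block. The Security Note should move up to before the step that edits `bootstrap.json`, and should tell the reader to restrict read access to the file, since the steps as written leave the token in a file in the working directory. The block is tagged `json` but carries `## ...` lines and a closing `}` with no matching open brace, so either retag it or state that it is an excerpt. The `plataforms` spelling in the quoted output should stay only if it matches what the binary actually prints.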