Remove YAML service registration examples and replace them with JSON.
This is because YAML is not a supported configuration format for the
Consul's agent configuration, nor is it supported by the HTTP API.
This commit replaces the YAML examples with JSON and adds additional
JSON examples where they were missing.
Fixes configuration examples for several Consul Kubernetes CRDs. The
CRDs were missing required fields such as `apiVersion`, `metadata`,
and `spec`.
Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
HCL and JSON configuration examples were being displayed in the same
code block. This commit separates the configurations to properly
display them as independent configuration examples.
This commit fixes syntax errors in HCL, JSON, and YAML example
configurations. In some cases, it replaces the code example with the
proper format for the code block.
Also fixes HCL formatting and misc opportunistic updates to codeblock.
Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
* adding apigee for ext_authz, minor fix
* adding the Apigee docs to nav
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Blake Covarrubias <blake.covarrubias@gmail.com>
* addressing feedback
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
---------
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Blake Covarrubias <blake.covarrubias@gmail.com>
* added consul and envoy version constraints
* fixed Destination configuraiton and added tproxy requirement
* Apply suggestions from code review
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
---------
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
* first commit; reformat PD conf entry
* updated proxies overview page
* added Deploy SM proxy usage and removed reg index
* moved sidecar proxy usage to main proxy folder
* recast sidecar reg page as Deploy sidecar services
* fix typos
* recast SM reg as conf reference- set the sidebar
* add redirects
* fix links
* add PD conf entry usage to appropro pages
* edits to proxy conf ref
* fix links on index page
* example command to write PD conf entry
* updated links to old SM proxy reg page
* updated links to sidecar service reg page
* tryna fix front matter issues
* Apply suggestions from code review
Co-authored-by: Ronald <roncodingenthusiast@users.noreply.github.com>
* added paragraph about SM proxies to overivew
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
---------
Co-authored-by: Ronald <roncodingenthusiast@users.noreply.github.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
* fix broken link caught in weekly report
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
---------
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
The `grep` command used to obtain the ID for the terminating gateway
role is not reliable in all scenarios. For example, if there is a
similarly named role, the command may return the wrong role ID for the
active terminating gateway instance.
This commit updates the command to use jq to obtain the role ID. If
multiple roles are found, jq will raise an error informing the user
that it cannot reliably determine the role ID.
* replaced ordered list of rate limit ops with flow diagram
* made diagram font bigger
* updated colors for dark mode img
* fixed typo
* recentered dark mode image
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
---------
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
* [CC-5719] Add support for builtin global-read-only policy
* Add changelog
* Add read-only to docs
* Fix some minor issues.
* Change from ReplaceAll to Sprintf
* Change IsValidPolicy name to return an error instead of bool
* Fix PolicyList test
* Fix other tests
* Apply suggestions from code review
Co-authored-by: Paul Glass <pglass@hashicorp.com>
* Fix state store test for policy list.
* Fix naming issues
* Update acl/validation.go
Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>
* Update agent/consul/acl_endpoint.go
---------
Co-authored-by: Paul Glass <pglass@hashicorp.com>
Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>
Doc guidance for federation with externalServers
Add guidance for proper configuration when joining to a secondary
cluster using WAN fed with external servers also enabled.
Also clarify federation requirements and fix formatting for an
unrelated value.
Update both the Helm chart reference (synced from `consul-k8s`, see
hashicorp/consul-k8s#2583) and the docs on using `externalServers`.
* fix typos and update ecs compat table
* real info for the ecs compat matrix table
* Update website/content/docs/ecs/compatibility.mdx
Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>
---------
Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>
* Add FIPS reference to consul enterprise docs
* Update website/content/docs/enterprise/index.mdx
Co-authored-by: David Yu <dyu@hashicorp.com>
* remove support for ecs client (fips)
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
### Description
<!-- Please describe why you're making this change, in plain English.
-->
- Add jwt-provider docs for jwks cluster configuration. The
configuration was added here:
https://github.com/hashicorp/consul/pull/17978
* Docs for dataplane upgrade on k8s
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Static DNS lookups, in addition to explicitly targeting a datacenter,
can target a cluster peer. This was added in 95dc0c7b30 but didn't make the documentation.
The driving function for the change is `parseLocality` here: 0b1299c28d/agent/dns_oss.go (L25)
The biggest change in this is to adjust the standard lookup syntax to tie
`.<datacenter>` to `.dc` as required-together, and to append in the similar `.<cluster-peer>.peer` optional argument, both to A record and SRV record lookups.
Co-authored-by: David Yu <dyu@hashicorp.com>
* Propose new changes to APIgw upgrade instructions
* fix build error
* update callouts to render correctly
* Add hideClipboard to log messages
* Added clarification around consul k8s and crds
Update CA provider docs
Clarify that providers can differ between
primary and secondary datacenters
Provide a comparison chart for consul vs
vault CA providers
Loosen Vault CA provider validation for RootPKIPath
Update Vault CA provider documentation
* Fix formatting for webhook-certs Consul tutorial
* Make a small grammar change to also pick up whitespace changes necessary for formatting
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
- Provide more realistics examples for setting properties not already
supported natively by Consul
- Remove superfluous commas from HCL, correct target service name, and
fix service defaults vs. proxy defaults in examples
- Align existing integration test to updated docs
* add enterprise notes for IP-based rate limits
* Apply suggestions from code review
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
* added bolded 'Enterprise' in list items.
---------
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
* additional feedback
* Update website/content/docs/api-gateway/upgrades.mdx
Co-authored-by: Jeff Apple <79924108+Jeff-Apple@users.noreply.github.com>
---------
Co-authored-by: Jeff Apple <79924108+Jeff-Apple@users.noreply.github.com>
* trimmed CRD step and reqs from installation
* updated tech specs
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Jeff Apple <79924108+Jeff-Apple@users.noreply.github.com>
* added upgrade instruction
* removed tcp port req
* described downtime and DT-less upgrades
* applied additional review feedback
---------
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Jeff Apple <79924108+Jeff-Apple@users.noreply.github.com>
* porting over changes from enterprise repo to oss
* applied feedback on service mesh for k8s overview
* fixed typo
* removed ent-only build script file
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: David Yu <dyu@hashicorp.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
---------
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
* add docs for consul-k8s config read command
This PR adds documentation for the functionality introduced in
https://github.com/hashicorp/consul-k8s/pull/2078.
* add output
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
Fix ACL check on health endpoint
Prior to this change, the service health API would not explicitly return an
error whenever a token with invalid permissions was given, and it would instead
return empty results. With this change, a "Permission denied" error is returned
whenever data is queried. This is done to better support the agent cache, which
performs a fetch backoff sleep whenever ACL errors are encountered. Affected
endpoints are: `/v1/health/connect/` and `/v1/health/ingress/`.
* agent: configure server lastseen timestamp
Signed-off-by: Dan Bond <danbond@protonmail.com>
* use correct config
Signed-off-by: Dan Bond <danbond@protonmail.com>
* add comments
Signed-off-by: Dan Bond <danbond@protonmail.com>
* use default age in test golden data
Signed-off-by: Dan Bond <danbond@protonmail.com>
* add changelog
Signed-off-by: Dan Bond <danbond@protonmail.com>
* fix runtime test
Signed-off-by: Dan Bond <danbond@protonmail.com>
* agent: add server_metadata
Signed-off-by: Dan Bond <danbond@protonmail.com>
* update comments
Signed-off-by: Dan Bond <danbond@protonmail.com>
* correctly check if metadata file does not exist
Signed-off-by: Dan Bond <danbond@protonmail.com>
* follow instructions for adding new config
Signed-off-by: Dan Bond <danbond@protonmail.com>
* add comments
Signed-off-by: Dan Bond <danbond@protonmail.com>
* update comments
Signed-off-by: Dan Bond <danbond@protonmail.com>
* Update agent/agent.go
Co-authored-by: Dan Upton <daniel@floppy.co>
* agent/config: add validation for duration with min
Signed-off-by: Dan Bond <danbond@protonmail.com>
* docs: add new server_rejoin_age_max config definition
Signed-off-by: Dan Bond <danbond@protonmail.com>
* agent: add unit test for checking server last seen
Signed-off-by: Dan Bond <danbond@protonmail.com>
* agent: log continually for 60s before erroring
Signed-off-by: Dan Bond <danbond@protonmail.com>
* pr comments
Signed-off-by: Dan Bond <danbond@protonmail.com>
* remove unneeded todo
* agent: fix error message
Signed-off-by: Dan Bond <danbond@protonmail.com>
---------
Signed-off-by: Dan Bond <danbond@protonmail.com>
Co-authored-by: Dan Upton <daniel@floppy.co>
Remove outdated usage of "Consul Connect" instead of Consul service mesh.
The connect subsystem in Consul provides Consul's service mesh capabilities.
However, the term "Consul Connect" should not be used as an alternative to
the name "Consul service mesh".
* Add MaxEjectionPercent to config entry
* Add BaseEjectionTime to config entry
* Add MaxEjectionPercent and BaseEjectionTime to protobufs
* Add MaxEjectionPercent and BaseEjectionTime to api
* Fix integration test breakage
* Verify MaxEjectionPercent and BaseEjectionTime in integration test upstream confings
* Website docs for MaxEjectionPercent and BaseEjection time
* Add `make docs` to browse docs at http://localhost:3000
* Changelog entry
* so that is the difference between consul-docker and dev-docker
* blah
* update proto funcs
* update proto
---------
Co-authored-by: Maliz <maliheh.monshizadeh@hashicorp.com>
Prior to this change, peer services would be targeted by service-default
overrides as long as the new `peer` field was not found in the config entry.
This commit removes that deprecated backwards-compatibility behavior. Now
it is necessary to specify the `peer` field in order for upstream overrides
to apply to a peer upstream.
* Fix API GW broken link
* Update website/content/docs/api-gateway/upgrades.mdx
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
---------
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
This is part of an effort to raise awareness that you need to monitor
your mesh CA if coming from an external source as you'll need to manage
the rotation.
* converted intentions conf entry to ref CT format
* set up intentions nav
* add page for intentions usage
* final intentions usage page
* final intentions overview page
* fixed old relative links
* updated diagram for overview
* updated links to intentions content
* fixed typo in updated links
* rename intentions overview page file to index
* rollback link updates to intentions overview
* fixed nav
* Updated custom HTML in API and CLI pages to MD
* applied suggestions from review to index page
* moved conf examples from usage to conf ref
* missed custom HTML section
* applied additional feedback
* Apply suggestions from code review
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
* updated headings in usage page
* renamed files and udpated nav
* updated links to new file names
* added redirects and final tweaks
* typo
---------
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
* Fix broken links in Consul docs
* more broken link fixes
* more 404 fixes
* 404 fixes
* broken link fix
---------
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
* First cluster grpc service should be NodePort
This is based on the issue opened here https://github.com/hashicorp/consul-k8s/issues/1903
If you follow the documentation https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/single-dc-multi-k8s exactly as it is, the first cluster will only create the consul UI service on NodePort but not the rest of the services (including for grpc). By default, from the helm chart, they are created as headless services by setting clusterIP None. This will cause an issue for the second cluster to discover consul server on the first cluster over gRPC as it cannot simply cannot through gRPC default port 8502 and it ends up in an error as shown in the issue https://github.com/hashicorp/consul-k8s/issues/1903
As a solution, the grpc service should be exposed using NodePort (or LoadBalancer). I added those changes required in both cluster1-values.yaml and cluster2-values.yaml, and also a description for those changes for the normal users to understand. Kindly review and I hope this PR will be accepted.
* Update website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Update website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Update website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
---------
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* fixes for unsupported partitions field in CRD metadata block
* Apply suggestions from code review
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
---------
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>