Apply suggestions from code review
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
This commit is contained in:
parent
d149311cee
commit
15ece49126
@ -810,26 +810,26 @@ spec:
|
||||||
type: 'bool: false',
|
type: 'bool: false',
|
||||||
description: {
|
description: {
|
||||||
hcl:
|
hcl:
|
||||||
"Set this configuration to enable built-in TLS for every listener on the gateway.<br><br>If TLS is enabled, then each host defined in each service's `Hosts` fields will be added as a DNSSAN to the gateway's x509 certificate.",
|
"Set this configuration to `true` to enable built-in TLS for every listener on the gateway.<br><br>If TLS is enabled, then each host defined in each service's `Hosts` fields will be added as a DNSSAN to the gateway's x509 certificate.",
|
||||||
yaml:
|
yaml:
|
||||||
"Set this configuration to enable built-in TLS for every listener on the gateway.<br><br>If TLS is enabled, then each host defined in each service's `hosts` fields will be added as a DNSSAN to the gateway's x509 certificate.",
|
"Set this configuration to `true` to enable built-in TLS for every listener on the gateway.<br><br>If TLS is enabled, then each host defined in each service's `hosts` fields will be added as a DNSSAN to the gateway's x509 certificate.",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: 'SDS',
|
name: 'SDS',
|
||||||
yaml: false,
|
yaml: false,
|
||||||
type: 'SDSConfig: <optional>',
|
type: 'SDSConfig: <optional>',
|
||||||
description: "Configures the gateway to load TLS certificates from an external SDS service. See [SDS](/docs/connect/gateways/ingress-gateway#sds) for more details on usage.<br><br>SDS properties set here will be used as defaults for all listeners on the gateway.",
|
description: "Defines a set of parameters that configures the gateway to load TLS certificates from an external SDS service. See [SDS](/docs/connect/gateways/ingress-gateway#sds) for more details on usage.<br><br>SDS properties defined in this field are used as defaults for all listeners on the gateway.",
|
||||||
children: [
|
children: [
|
||||||
{
|
{
|
||||||
name: 'ClusterName',
|
name: 'ClusterName',
|
||||||
type: 'string',
|
type: 'string',
|
||||||
description: "The SDS cluster name to connect to to retrieve certificates. This cluster must be [specified in the Gateway's bootstrap configuration](/docs/connect/gateways/ingress-gateway#sds).",
|
description: "Specifies the name of the SDS cluster from which Consul should retrieve certificates. This cluster must be [specified in the Gateway's bootstrap configuration](/docs/connect/gateways/ingress-gateway#sds).",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: 'CertResource',
|
name: 'CertResource',
|
||||||
type: 'string',
|
type: 'string',
|
||||||
description: "The SDS resource name to request when fetching the certificate from the SDS service. Setting this causes all listeners to be served exclusively over TLS with this certificate unless overridden by listener-specific TLS configuration.",
|
description: "Specifies an SDS resource name. Consul will request the SDS resource name when fetching the certificate from the SDS service. Setting this causes all listeners to be served exclusively over TLS with this certificate unless overridden by listener-specific TLS configuration.",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
|
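Review bot: the rewritten `ClusterName` and `CertResource` descriptions ("Specifies the name of the SDS cluster from which Consul should retrieve certificates", "Consul will request the SDS resource name when fetching the certificate") attribute the SDS fetch to Consul, but the same lines say the cluster "must be specified in the Gateway's bootstrap configuration", so it is the gateway's Envoy proxy that connects to the SDS cluster and requests the resource; Consul only configures it to do so. Suggest "Specifies the name of the SDS cluster from which the gateway's Envoy proxy retrieves certificates" and "Specifies the SDS resource name that the gateway's Envoy proxy requests when fetching the certificate from the SDS service". Separately, the new opener "Defines a set of parameters that configures the gateway to load TLS certificates" is longer than the "Configures the gateway to load TLS certificates" it replaces without saying more; "Configures" is the form worth keeping for each `SDS` field.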
@ -924,9 +924,9 @@ spec:
|
||||||
{
|
{
|
||||||
name: 'SDS',
|
name: 'SDS',
|
||||||
type: 'SDSConfig: <optional>',
|
type: 'SDSConfig: <optional>',
|
||||||
description: `Configures the SDS source for the certificate for this specific service.
|
description: `Defines a set of parameters that configures the SDS source for the certificate for this specific service.
|
||||||
At least one custom host must be specified in \`Hosts\`.
|
At least one custom host must be specified in \`Hosts\`.
|
||||||
This certificate will be served to all requests identifying one of the
|
The certificate retrieved from SDS will be served for all requests identifying one of the
|
||||||
\`Hosts\` values in the TLS Server Name Indication (SNI) header.`,
|
\`Hosts\` values in the TLS Server Name Indication (SNI) header.`,
|
||||||
children: [
|
children: [
|
||||||
{
|
{
|
||||||
|
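Review bot: the unchanged context "in the TLS Server Name Indication (SNI) header" is inaccurate and this rewrite of the surrounding sentence is the place to fix it: SNI is an extension carried in the TLS ClientHello, not a header. Suggest "`Hosts` values in the TLS Server Name Indication (SNI) extension". The new wording "The certificate retrieved from SDS will be served for all requests identifying one of the `Hosts` values" is clearer than the old "This certificate will be served to all requests"; keep it, but drop the "Defines a set of parameters that" prefix added to the first line for the same reason as in the gateway-level `SDS` field.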
@ -956,15 +956,15 @@ spec:
|
||||||
type: 'bool: false',
|
type: 'bool: false',
|
||||||
description: {
|
description: {
|
||||||
hcl:
|
hcl:
|
||||||
"Set this configuration to enable built-in TLS for this listener.<br><br>If TLS is enabled, then each host defined in each service's `Hosts` field will be added as a DNSSAN to the gateway's x509 certificate. Note that even hosts from other listeners with TLS disabled will be added.",
|
"Set this configuration to `true` to enable built-in TLS for this listener.<br><br>If TLS is enabled, then each host defined in each service's `Hosts` field will be added as a DNSSAN to the gateway's x509 certificate. Note that even hosts from other listeners with TLS disabled will be added.",
|
||||||
yaml:
|
yaml:
|
||||||
"Set this configuration to enable built-in TLS for this listener.<br><br>If TLS is enabled, then each host defined in the `hosta` field will be added as a DNSSAN to the gateway's x509 certificate. Note that even hosts from other listeners with TLS disabled will be added.",
|
"Set this configuration to `true` to enable built-in TLS for this listener.<br><br>If TLS is enabled, then each host defined in the `hosts` field will be added as a DNSSAN to the gateway's x509 certificate. Note that even hosts from other listeners with TLS disabled will be added.",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: 'SDS',
|
name: 'SDS',
|
||||||
type: 'SDSConfig: <optional>',
|
type: 'SDSConfig: <optional>',
|
||||||
description: "Configures the listener to load TLS certificates from an external SDS service. See [SDS](/docs/connect/gateways/ ingress-gateway#sds) for more details on usage.<br><br>SDS properties set here will be used as defaults for all services on this listener.",
|
description: "Defines a set of parameters that configures the listener to load TLS certificates from an external SDS service. See [SDS](/docs/connect/gateways/ingress-gateway#sds) for more details on usage.<br><br>SDS properties set here will be used as defaults for all services on this listener.",
|
||||||
children: [
|
children: [
|
||||||
{
|
{
|
||||||
name: 'ClusterName',
|
name: 'ClusterName',
|
||||||
|
|
|
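Review bot: the hcl and yaml descriptions of this listener-level `Enabled` flag no longer say the same thing: the hcl text reads "each host defined in each service's `Hosts` field" while the yaml text reads "each host defined in the `hosts` field". Make the two parallel (the `hosta` to `hosts` typo fix in the yaml variant is correct). The sentence "Note that even hosts from other listeners with TLS disabled will be added" is the security-relevant part of this field and deserves one more clause: the gateway's x509 certificate will therefore list DNSSANs for hostnames the gateway does not serve over TLS, so the SAN list must not be read as the set of TLS-enabled hosts. The removal of the stray space in the `/docs/connect/gateways/ ingress-gateway#sds` link in the `SDS` description is good.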
@ -85,17 +85,13 @@ must implement Envoy's [gRPC Secret Discovery
|
||||||
Service](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret)
|
Service](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret)
|
||||||
(or SDS) API.
|
(or SDS) API.
|
||||||
|
|
||||||
The steps below are necessary to fully configure an Ingress Gateway with TLS
|
The following procedure describes how to configure an ingress gateway with TLS certificates from an SDS source. The instructions assume that you are familiar with Envoy configuration and the SDS protocol.
|
||||||
certificates from an SDS source. They assume the operator is familiar with Envoy
|
|
||||||
configuration and the SDS protocol.
|
|
||||||
|
|
||||||
### 1. Configure Static SDS Cluster(s).
|
### 1. Configure Static SDS Cluster(s)
|
||||||
|
|
||||||
Each Ingress Gateway Envoy instance must have one or more additional [static
|
Each Envoy proxy that makes up this Ingress Gateway must define one or more additional [static
|
||||||
clusters](/docs/connect/proxies/envoy#envoy_extra_static_clusters_json) defined
|
clusters](/docs/connect/proxies/envoy#envoy_extra_static_clusters_json) when registering. These additional clusters define how Envoy should connect to the required SDS service(s). Defining extra clusters in Envoy's bootstrap configuration requires a manual registration of the Ingress Gateway with Consul proxy.
|
||||||
when registering the ingress gateway to specify how to connect to the external
|
It's not possible to use the `-register` flag with `consul connect envoy -gateway=ingress` to automatically register the proxy in this case.
|
||||||
service. This requires a manual registration of the Ingress Gateway proxy rather
|
|
||||||
than relying on `-register` flag to `consul connect envoy -gateway=ingress`.
|
|
||||||
|
|
||||||
The cluster(s) must provide connection information and any necessary
|
The cluster(s) must provide connection information and any necessary
|
||||||
authentication information such as mTLS credentials.
|
authentication information such as mTLS credentials.
|
||||||
|
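Review bot: the new sentence "requires a manual registration of the Ingress Gateway with Consul proxy" is garbled; the text it replaces said "a manual registration of the Ingress Gateway proxy". Suggest "requires that you register the Ingress Gateway proxy with Consul manually". The same paragraph now says the clusters are defined "when registering" and then "in Envoy's bootstrap configuration"; state one location, the Envoy bootstrap (the `envoy_extra_static_clusters_json` link target), since that is exactly why `-register` with `consul connect envoy -gateway=ingress` cannot be used. Finally, the unchanged context "any necessary authentication information such as mTLS credentials" is weaker than it should be for this procedure: the SDS service hands the gateway the certificate it will serve, so the static cluster should be described as needing authenticated, encrypted transport (mTLS) rather than optional "necessary" credentials.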
@ -238,7 +234,7 @@ options.
|
||||||
$ consul connect envoy -gateway=ingress -service public-ingress
|
$ consul connect envoy -gateway=ingress -service public-ingress
|
||||||
```
|
```
|
||||||
|
|
||||||
### 2. Configure the Ingress Gateway to use certificates from SDS
|
### 2. Configure the Ingress Gateway to Use Certificates from SDS
|
||||||
|
|
||||||
SDS certificates may now be configured in the `ingress-gateway` Config Entry.
|
SDS certificates may now be configured in the `ingress-gateway` Config Entry.
|
||||||
|
|
||||||
|
|
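Review bot: the title-case heading now matches "### 1. Configure Static SDS Cluster(s)" from the previous hunk, which is the right call. The unchanged context line "SDS certificates may now be configured in the `ingress-gateway` Config Entry." reads like a release note; suggest "With the static SDS cluster in place, configure SDS certificates in the `ingress-gateway` Config Entry." so that step 2 follows from step 1.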