Update docs for tls commands (#16077)
This commit is contained in:
parent
c3f518405a
commit
3680e2a020
|
@ -4,11 +4,12 @@ import (
|
|||
"flag"
|
||||
"fmt"
|
||||
|
||||
"github.com/mitchellh/cli"
|
||||
|
||||
"github.com/hashicorp/consul/command/flags"
|
||||
"github.com/hashicorp/consul/command/tls"
|
||||
"github.com/hashicorp/consul/lib/file"
|
||||
"github.com/hashicorp/consul/tlsutil"
|
||||
"github.com/mitchellh/cli"
|
||||
)
|
||||
|
||||
func New(ui cli.Ui) *cmd {
|
||||
|
@ -32,13 +33,14 @@ type cmd struct {
|
|||
func (c *cmd) init() {
|
||||
c.flags = flag.NewFlagSet("", flag.ContinueOnError)
|
||||
// TODO: perhaps add a -years arg to better capture user intent given that leap years are a thing
|
||||
c.flags.IntVar(&c.days, "days", 1825, "Provide number of days the CA is valid for from now on. Defaults to 5 years.")
|
||||
c.flags.BoolVar(&c.constraint, "name-constraint", false, "Add name constraints for the CA. Results in rejecting "+
|
||||
"certificates for other DNS than specified. If turned on localhost and -domain will be added to the allowed "+
|
||||
"DNS. If the UI is going to be served over HTTPS its DNS has to be added with -additional-constraint. It is not "+
|
||||
"possible to add that after the fact! Defaults to false.")
|
||||
c.flags.StringVar(&c.domain, "domain", "consul", "Domain of consul cluster. Only used in combination with -name-constraint. Defaults to consul.")
|
||||
c.flags.StringVar(&c.clusterID, "cluster-id", "", "ClusterID of the consul cluster, requires -domain to be set as well. When used will set URIs with spiffeid.")
|
||||
c.flags.IntVar(&c.days, "days", 1825, "Number of days the CA is valid for. Defaults to 1825 days (approximately 5 years).")
|
||||
c.flags.BoolVar(&c.constraint, "name-constraint", false, "Enables X.509 name constraints for the CA. "+
|
||||
"If used, the CA only signs certificates for localhost and the domains specified by -domain and -additional-name-constraint. "+
|
||||
"If Consul's UI is served over HTTPS in your deployment, add its DNS name with -additional-constraint. Defaults to false.")
|
||||
c.flags.StringVar(&c.domain, "domain", "consul", "The DNS domain of the Consul cluster that agents are configured with. "+
|
||||
"Defaults to consul. Only used when -name-constraint is set. "+
|
||||
"Additional domains can be passed with -additional-name-constraint.")
|
||||
c.flags.StringVar(&c.clusterID, "cluster-id", "", "ID of the Consul cluster. Sets the CA's URI with the SPIFFEID composed of the cluster ID and domain (specified by -domain or 'consul' by default).")
|
||||
c.flags.StringVar(&c.commonName, "common-name", "", "Common Name of CA. Defaults to Consul Agent CA.")
|
||||
c.flags.Var(&c.additionalConstraints, "additional-name-constraint", "Add name constraints for the CA. Results in rejecting certificates "+
|
||||
"for other DNS than specified. Can be used multiple times. Only used in combination with -name-constraint.")
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
package ca
|
||||
|
||||
import (
|
||||
"github.com/hashicorp/consul/command/flags"
|
||||
"github.com/mitchellh/cli"
|
||||
|
||||
"github.com/hashicorp/consul/command/flags"
|
||||
)
|
||||
|
||||
func New() *cmd {
|
||||
|
@ -25,7 +26,7 @@ func (c *cmd) Help() string {
|
|||
|
||||
const synopsis = `Helpers for CAs`
|
||||
const help = `
|
||||
Usage: consul tls ca <subcommand> [options] filename-prefix
|
||||
Usage: consul tls ca <subcommand> [options]
|
||||
|
||||
This command has subcommands for interacting with Certificate Authorities.
|
||||
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
package cert
|
||||
|
||||
import (
|
||||
"github.com/hashicorp/consul/command/flags"
|
||||
"github.com/mitchellh/cli"
|
||||
|
||||
"github.com/hashicorp/consul/command/flags"
|
||||
)
|
||||
|
||||
func New() *cmd {
|
||||
|
@ -25,7 +26,7 @@ func (c *cmd) Help() string {
|
|||
|
||||
const synopsis = `Helpers for certificates`
|
||||
const help = `
|
||||
Usage: consul tls cert <subcommand> [options] [filename-prefix]
|
||||
Usage: consul tls cert <subcommand> [options]
|
||||
|
||||
This command has subcommands for interacting with certificates
|
||||
|
||||
|
|
|
@ -9,11 +9,11 @@ description: |
|
|||
|
||||
Command: `consul tls ca create`
|
||||
|
||||
This command create a self signed CA to be used for Consul TLS setup.
|
||||
This command creates a self-signed CA to be used for Consul TLS setup.
|
||||
|
||||
## Example
|
||||
## Examples
|
||||
|
||||
Create CA:
|
||||
Create a CA:
|
||||
|
||||
```shell-session
|
||||
$ consul tls ca create
|
||||
|
@ -21,9 +21,17 @@ $ consul tls ca create
|
|||
==> Saved consul-ca-key.pem
|
||||
```
|
||||
|
||||
Create a CA that signs certificates exclusively for the example.com domain:
|
||||
|
||||
```shell-session
|
||||
$ consul tls ca create -name-constraint -domain example.com
|
||||
==> Saved example.com-ca.pem
|
||||
==> Saved example.com-ca-key.pem
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
Usage: `consul tls ca create [filename-prefix] [options]`
|
||||
Usage: `consul tls ca create [options]`
|
||||
|
||||
#### Command Options
|
||||
|
||||
|
@ -31,18 +39,17 @@ Usage: `consul tls ca create [filename-prefix] [options]`
|
|||
Results in rejecting certificates for other DNS than specified. Can be used
|
||||
multiple times. Only used in combination with `-name-constraint`.
|
||||
|
||||
- `-days=<int>` - Provide number of days the CA is valid for from now on, defaults to 5 years.
|
||||
- `-days=<int>` - Number of days the CA is valid for. Defaults to 1825 days (approximately 5 years).
|
||||
|
||||
- `-domain=<string>` - Domain of consul cluster. Only used in combination with
|
||||
`-name-constraint`. Defaults to `consul`.
|
||||
- `-domain=<string>` - The DNS domain of the Consul cluster that agents are [configured](/consul/docs/agent/config/cli-flags#_domain) with.
|
||||
Defaults to `consul`. Only used when `-name-constraint` is set.
|
||||
Additional domains can be passed with `-additional-name-constraint`.
|
||||
|
||||
- `-name-constraint` - Add name constraints for the CA. Results in rejecting
|
||||
certificates for other DNS than specified. If turned on localhost and -domain
|
||||
will be added to the allowed DNS. If the UI is going to be served over HTTPS
|
||||
its DNS has to be added with `-additional-constraint`. It is not possible to
|
||||
add that after the fact! Defaults to false.
|
||||
- `-name-constraint` - Enables [X.509 name constraints](https://www.rfc-editor.org/rfc/rfc5280#page-40) for the CA.
|
||||
If used, the CA only signs certificates for localhost and the domains specified by `-domain` and `-additional-name-constraint`.
|
||||
If Consul's UI is served over HTTPS in your deployment, add its DNS name with `-additional-constraint` as well. Defaults to `false`.
|
||||
|
||||
- `cluster-id` - ClusterID of the consul cluster, requires `-domain` to be set as well.
|
||||
When used this will cause URIs to be set with spiffeid.
|
||||
- `cluster-id` - ID of the Consul cluster. Sets the CA's URI with the SPIFFEID composed of the cluster ID and domain
|
||||
(specified by `-domain` or `consul` by default).
|
||||
|
||||
- `common-name` - Common Name of CA. Defaults to Consul Agent CA.
|
||||
|
|
Loading…
Reference in New Issue