luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Merge pull request #8230 from hashicorp/je.pin-deps 

📌 Hard Pin Website Dependencies
This commit is contained in:
Jeff Escalante 2020-07-15 18:45:19 -04:00 committed by GitHub
parent 03164822ee 6c2a9bf913
commit 3d91a21d44
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
41 changed files with 1213 additions and 1406 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
website/components/basic-hero/index.jsx
View File

@ -39,7 +39,11 @@ export default function BasicHero({
</div>
{links[2] && (
<div className="third-link">
<a href={links[2].url} rel="noopener" target="_blank">
<a
href={links[2].url}
rel="noopener noreferrer"
target="_blank"
>
<span className="g-type-buttons-and-standalone-links">
{links[2].text}
</span>

1982
website/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

88
website/package.json
View File

@ -4,55 +4,51 @@
"version": "0.0.1",
"author": "HashiCorp",
"dependencies": {
"@hashicorp/nextjs-scripts": "^10.0.2",
"@hashicorp/react-alert": "^2.0.1",
"@hashicorp/react-alert-banner": "^3.1.0",
"@hashicorp/react-button": "^2.2.0",
"@hashicorp/react-call-to-action": "^0.2.0",
"@hashicorp/react-case-study-slider": "^2.1.0",
"@hashicorp/react-code-block": "^1.2.7",
"@hashicorp/react-content": "3.0.0-0",
"@hashicorp/react-docs-page": "^3.0.0",
"@hashicorp/react-docs-sidenav": "^3.2.3",
"@hashicorp/react-featured-slider": "^1.1.0",
"@hashicorp/react-global-styles": "^4.4.0",
"@hashicorp/react-head": "^1.1.1",
"@hashicorp/react-image": "^2.0.1",
"@hashicorp/react-inline-svg": "^1.0.0",
"@hashicorp/react-logo-grid": "^2.1.0",
"@hashicorp/react-mega-nav": "^4.0.1-2",
"@hashicorp/react-product-downloader": "^4.0.0",
"@hashicorp/react-product-features-list": "^1.0.1",
"@hashicorp/react-section-header": "^2.0.0",
"@hashicorp/react-subnav": "^3.2.2",
"@hashicorp/react-text-and-content": "^4.1.0",
"@hashicorp/react-text-split": "^0.3.0",
"@hashicorp/react-text-split-with-code": "0.1.0",
"@hashicorp/react-text-split-with-image": "^1.3.0",
"@hashicorp/react-text-split-with-logo-grid": "^1.1.0",
"@hashicorp/react-use-cases": "^1.0.4",
"@hashicorp/react-vertical-text-block-list": "^2.0.1",
"algoliasearch": "^4.3.0",
"babel-plugin-import-glob-array": "^0.2.0",
"dotenv": "^8.2.0",
"gray-matter": "^4.0.2",
"imagemin-mozjpeg": "^9.0.0",
"imagemin-optipng": "^8.0.0",
"imagemin-svgo": "^8.0.0",
"@hashicorp/nextjs-scripts": "11.1.0",
"@hashicorp/react-alert": "2.0.1",
"@hashicorp/react-alert-banner": "3.1.0",
"@hashicorp/react-button": "2.2.1",
"@hashicorp/react-call-to-action": "0.2.1",
"@hashicorp/react-case-study-slider": "2.1.1",
"@hashicorp/react-code-block": "1.2.7",
"@hashicorp/react-content": "4.0.0",
"@hashicorp/react-docs-page": "4.0.0",
"@hashicorp/react-docs-sidenav": "3.2.5",
"@hashicorp/react-featured-slider": "1.1.1",
"@hashicorp/react-global-styles": "4.4.0",
"@hashicorp/react-head": "1.1.1",
"@hashicorp/react-image": "2.0.1",
"@hashicorp/react-inline-svg": "1.0.0",
"@hashicorp/react-logo-grid": "2.1.1",
"@hashicorp/react-mega-nav": "4.0.1-2",
"@hashicorp/react-product-downloader": "4.0.2",
"@hashicorp/react-product-features-list": "1.0.1",
"@hashicorp/react-section-header": "2.0.0",
"@hashicorp/react-subnav": "3.2.3",
"@hashicorp/react-text-and-content": "4.1.1",
"@hashicorp/react-text-split": "0.3.1",
"@hashicorp/react-text-split-with-code": "0.1.1",
"@hashicorp/react-text-split-with-image": "1.3.1",
"@hashicorp/react-text-split-with-logo-grid": "1.1.1",
"@hashicorp/react-use-cases": "1.0.4",
"@hashicorp/react-vertical-text-block-list": "2.0.1",
"algoliasearch": "4.3.0",
"babel-plugin-import-glob-array": "0.2.0",
"dotenv": "8.2.0",
"gray-matter": "4.0.2",
"next": "9.4.4",
"nuka-carousel": "^4.7.0",
"react": "^16.13.1",
"react-device-detect": "^1.12.1",
"react-dom": "^16.13.1",
"remark": "^12.0.0",
"unist-util-visit": "^2.0.2"
"nuka-carousel": "4.7.0",
"react": "16.13.1",
"react-device-detect": "1.13.1",
"react-dom": "16.13.1",
"remark": "12.0.0",
"unist-util-visit": "2.0.2"
},
"devDependencies": {
"dart-linkcheck": "^2.0.15",
"glob": "^7.1.6",
"husky": "^4.2.5",
"inquirer": "^7.1.0",
"prettier": "^2.0.5"
"dart-linkcheck": "2.0.15",
"glob": "7.1.6",
"husky": "4.2.5",
"prettier": "2.0.5"
},
"husky": {
"hooks": {

6
website/pages/api-docs/acl/binding-rules.mdx
View File

@ -63,7 +63,7 @@ The table below shows this endpoint's support for
]
}
```
- `BindType=node` - The computed bind name value is used as an
`ACLNodeIdentity.NodeName` field in the token that is created.
@ -243,7 +243,7 @@ The table below shows this endpoint's support for
]
}
```
- `BindType=node` - The computed bind name value is used as an
`ACLNodeIdentity.NodeName` field in the token that is created.
@ -254,7 +254,7 @@ The table below shows this endpoint's support for
]
}
```
- `BindType=role` - The computed bind name value is used as a `RoleLink.Name`
field in the token that is created. This binding rule will only apply if a
role with the given name exists at login-time. If it does not then this

2
website/pages/api-docs/acl/roles.mdx
View File

@ -338,7 +338,7 @@ The table below shows this endpoint's support for
- `NodeIdentities` `(array<NodeIdentity>)` - The list of [node
identities](/docs/acl/acl-system#acl-node-identities) that should be
applied to the role. Added in Consul 1.8.1.
- `Namespace` `(string: "")` <EnterpriseAlert inline /> - Specifies the namespace of
the role to update. If not provided in the JSON body, the value of
the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used.

12
website/pages/api-docs/catalog.mdx
View File

@ -908,8 +908,8 @@ top level object. The following selectors and filter operations are supported:
This endpoint returns the services associated with an ingress gateway or terminating gateway.
| Method | Path | Produces |
| ------ | ------------------------------ | ------------------ |
| Method | Path | Produces |
| ------ | ------------------------------------ | ------------------ |
| `GET` | `/catalog/gateway-services/:gateway` | `application/json` |
The table below shows this endpoint's support for
@ -918,8 +918,8 @@ The table below shows this endpoint's support for
[agent caching](/api/features/caching), and
[required ACLs](/api#authentication).
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
| ---------------- | ----------------- | ------------- | ------------------------ |
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
| ---------------- | ----------------- | ------------- | -------------- |
| `YES` | `all` | `none` | `service:read` |
### Parameters
@ -964,7 +964,7 @@ $ curl \
"SNI": "api.my-domain",
"CreateIndex": 16,
"ModifyIndex": 16
},
},
{
"Gateway": {
"Name": "my-terminating-gateway",
@ -995,7 +995,7 @@ $ curl \
"GatewayKind": "ingress-gateway",
"Port": 8888,
"Protocol": "http",
"Hosts": ["api.mydomain.com"],
"Hosts": ["api.mydomain.com"],
"CreateIndex": 15,
"ModifyIndex": 15
},

40
website/pages/api-docs/config.mdx
View File

@ -39,7 +39,7 @@ The table below shows this endpoint's support for
</p>
| Config Entry Kind | Required ACL |
| ----------------- | ---------------- |
| ------------------- | ---------------- |
| ingress-gateway | `operator:write` |
| proxy-defaults | `operator:write` |
| service-defaults | `service:write` |
@ -104,15 +104,15 @@ The table below shows this endpoint's support for
<sup>1</sup> The ACL required depends on the config entry kind being read:
| Config Entry Kind | Required ACL |
| ----------------- | ---------------- |
| ingress-gateway | `service:read` |
| proxy-defaults | `<none>` |
| service-defaults | `service:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| terminating-gateway | `service:read` |
| Config Entry Kind | Required ACL |
| ------------------- | -------------- |
| ingress-gateway | `service:read` |
| proxy-defaults | `<none>` |
| service-defaults | `service:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| terminating-gateway | `service:read` |
### Parameters
@ -171,15 +171,15 @@ The table below shows this endpoint's support for
<sup>1</sup> The ACL required depends on the config entry kind being read:
| Config Entry Kind | Required ACL |
| ----------------- | ---------------- |
| ingress-gateway | `service:read` |
| proxy-defaults | `<none>` |
| service-defaults | `service:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| terminating-gateway | `service:read` |
| Config Entry Kind | Required ACL |
| ------------------- | -------------- |
| ingress-gateway | `service:read` |
| proxy-defaults | `<none>` |
| service-defaults | `service:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| terminating-gateway | `service:read` |
### Parameters
@ -245,7 +245,7 @@ The table below shows this endpoint's support for
<sup>1</sup> The ACL required depends on the config entry kind being deleted:
| Config Entry Kind | Required ACL |
| ----------------- | ---------------- |
| ------------------- | ---------------- |
| ingress-gateway | `operator:write` |
| proxy-defaults | `operator:write` |
| service-defaults | `service:write` |

28
website/pages/api-docs/connect/intentions.mdx
View File

@ -51,14 +51,14 @@ The table below shows this endpoint's support for
service doesn't need to be registered.
- `SourceNS` `(string: "")` <EnterpriseAlert inline /> - The namespace for the
`SourceName` parameter.
`SourceName` parameter.
- `DestinationName` `(string: <required>)` - The destination of the intention.
The intention destination is always a Consul service, unlike the source.
The service doesn't need to be registered.
- `DestinationNS` `(string: "")` <EnterpriseAlert inline /> - The namespace for the
`DestinationName` parameter.
`DestinationName` parameter.
- `SourceType` `(string: <required>)` - The type for the `SourceName` value.
This can be only "consul" today to represent a Consul service.
@ -75,9 +75,9 @@ The table below shows this endpoint's support for
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the default
namespace to use when `SourceNS` or `DestinationNS` are omitted or empty.
If not provided at all, the default namespace will be inherited from the
request's ACL token or will default to the `default` namespace.
request's ACL token or will default to the `default` namespace.
This value may be provided by either the `ns` URL query parameter or in the
`X-Consul-Namespace` header.
`X-Consul-Namespace` header.
Added in Consul 1.9.0.
### Sample Payload
@ -208,9 +208,9 @@ The table below shows this endpoint's support for
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the default
namespace to use when `source` or `destination` parameters lack namespaces.
If not provided at all, the default namespace will be inherited from the
request's ACL token or will default to the `default` namespace.
request's ACL token or will default to the `default` namespace.
This value may be provided by either the `ns` URL query parameter or in the
`X-Consul-Namespace` header.
`X-Consul-Namespace` header.
Added in Consul 1.9.0.
### Sample Request
@ -273,13 +273,13 @@ The table below shows this endpoint's support for
- `filter` `(string: "")` - Specifies the expression used to filter the
queries results prior to returning the data.
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the
namespace to list intentions from.
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the
namespace to list intentions from.
The `*` wildcard may be used to list intentions from all namespaces.
If not provided at all, the default namespace will be inherited from the
request's ACL token or will default to the `default` namespace.
request's ACL token or will default to the `default` namespace.
This value may be provided by either the `ns` URL query parameter or in the
`X-Consul-Namespace` header.
`X-Consul-Namespace` header.
Added in Consul 1.9.0.
### Sample Request
@ -471,9 +471,9 @@ The table below shows this endpoint's support for
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the default
namespace to use when `source` or `destination` parameters lack namespaces.
If not provided at all, the default namespace will be inherited from the
request's ACL token or will default to the `default` namespace.
request's ACL token or will default to the `default` namespace.
This value may be provided by either the `ns` URL query parameter or in the
`X-Consul-Namespace` header.
`X-Consul-Namespace` header.
Added in Consul 1.9.0.
### Sample Request
@ -533,9 +533,9 @@ The table below shows this endpoint's support for
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the default
namespace to use when `name` parameter lacks namespaces.
If not provided at all, the default namespace will be inherited from the
request's ACL token or will default to the `default` namespace.
request's ACL token or will default to the `default` namespace.
This value may be provided by either the `ns` URL query parameter or in the
`X-Consul-Namespace` header.
`X-Consul-Namespace` header.
Added in Consul 1.9.0.
### Sample Request

6
website/pages/docs/acl/acl-legacy.mdx
View File

@ -199,7 +199,7 @@ as to whether they are set on servers, clients, or both.
| Configuration Option | Servers | Clients | Purpose |
| --------------------------------------------------------------------- | ---------- | ---------- | ----------------------------------------------------------------------------------------- |
| [`acl_datacenter`](/docs/agent/options#acl_datacenter) | `REQUIRED` | `REQUIRED` | Master control that enables ACLs by defining the authoritative Consul datacenter for ACLs |
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl_down_policy`](/docs/agent/options#acl_down_policy_legacy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the ACL datacenter is offline |
| [`acl_ttl`](/docs/agent/options#acl_ttl_legacy) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACLs |
@ -276,8 +276,8 @@ datacenter. In this example, we are configuring the following:
1. An ACL datacenter of "dc1", which is where these servers are
2. An ACL master token of "b1gs33cr3t"; see below for an alternative using the [/v1/acl/bootstrap API](/api/acl/acl#bootstrap-acls)
3. A default policy of "deny" which means we are in allowlist mode
4. A down policy of "extend-cache" which means that we will ignore token TTLs
during an outage
4. A down policy of "extend-cache" which means that we will ignore token TTLs
during an outage
Here's the corresponding JSON configuration file:

4
website/pages/docs/acl/acl-system.mdx
View File

@ -45,7 +45,7 @@ may benefit from additional components in the ACL system:
additional policy was attached, the contents of which are described further
below. These are directly attached to tokens and roles and are not
independently configured. (Added in Consul 1.5.0)
- **ACL Node Identities** - Node identities are a policy template for
expressing a link to a policy suitable for use as an [Consul `agent` token
](/docs/agent/options#acl_tokens_agent). At authorization time this acts like an
@ -279,7 +279,7 @@ as to whether they are set on servers, clients, or both.
| Configuration Option | Servers | Clients | Purpose |
| -------------------------------------------------------------- | ---------- | ---------- | ---------------------------------------------------------------------- |
| [`acl.enabled`](/docs/agent/options#acl_enabled) | `REQUIRED` | `REQUIRED` | Controls whether ACLs are enabled |
| [`acl.default_policy`](/docs/agent/options#acl_default_policy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl.default_policy`](/docs/agent/options#acl_default_policy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl.down_policy`](/docs/agent/options#acl_down_policy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the remote token or policy resolution fails |
| [`acl.role_ttl`](/docs/agent/options#acl_role_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Roles |
| [`acl.policy_ttl`](/docs/agent/options#acl_policy_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Policies |

10
website/pages/docs/acl/auth-methods/index.mdx
View File

@ -35,11 +35,11 @@ service mesh with minimal operator intervention.
## Supported Types
| Types | Consul Version |
| ----- | -------------- |
| [`kubernetes`](/docs/acl/auth-methods/kubernetes) | 1.5.0+ |
| [`jwt`](/docs/acl/auth-methods/jwt) | 1.8.0+ |
| [`oidc`](/docs/acl/auth-methods/oidc) | 1.8.0+ <EnterpriseAlert inline /> |
| Types | Consul Version |
| ------------------------------------------------- | --------------------------------- |
| [`kubernetes`](/docs/acl/auth-methods/kubernetes) | 1.5.0+ |
| [`jwt`](/docs/acl/auth-methods/jwt) | 1.8.0+ |
| [`oidc`](/docs/acl/auth-methods/oidc) | 1.8.0+ <EnterpriseAlert inline /> |
## Operator Configuration

10
website/pages/docs/acl/auth-methods/jwt.mdx
View File

@ -14,7 +14,7 @@ description: >-
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.
The `jwt` auth method can be used to authenticate with Consul by providing a
[JWT](https://en.wikipedia.org/wiki/JSON_Web_Token) directly. The JWT is
[JWT](https://en.wikipedia.org/wiki/JSON_Web_Token) directly. The JWT is
cryptographically verified using locally-provided keys, or, if configured, an
OIDC Discovery service can be used to fetch the appropriate keys.
@ -55,7 +55,7 @@ parameters are required to properly configure an auth method of type
used to talk with the JWKS URL. NOTE: Every line must end with a newline
(`\n`). If not set, system certificates are used.
- `ClaimMappings` `(map[string]string)` - Mappings of claims (key) that
- `ClaimMappings` `(map[string]string)` - Mappings of claims (key) that
[will be copied to a metadata field](#trusted-identity-attributes-via-claim-mappings)
(value). Use this if the claim you are capturing is singular (such as an attribute).
@ -79,15 +79,15 @@ parameters are required to properly configure an auth method of type
claim in a JWT.
- `ExpirationLeeway` `(duration: 0s)` - Duration in seconds of leeway when
validating expiration of a token to account for clock skew. Defaults to 150
validating expiration of a token to account for clock skew. Defaults to 150
(2.5 minutes) if set to 0 and can be disabled if set to -1.
- `NotBeforeLeeway` `(duration: 0s)` - Duration in seconds of leeway when
validating not before values of a token to account for clock skew. Defaults
validating not before values of a token to account for clock skew. Defaults
to 150 (2.5 minutes) if set to 0 and can be disabled if set to -1.
- `ClockSkewLeeway` `(duration: 0s)` - Duration in seconds of leeway when
validating all claims to account for clock skew. Defaults to 60 (1 minute)
validating all claims to account for clock skew. Defaults to 60 (1 minute)
if set to 0 and can be disabled if set to -1.
### Sample Configs

53
website/pages/docs/agent/config-entries/ingress-gateway.mdx
View File

@ -11,35 +11,36 @@ description: >-
-> **1.8.0+:** This config entry is available in Consul versions 1.8.0 and newer.
The `ingress-gateway` config entry kind allows you to configure ingress gateways
with listeners that expose a set of services outside the Consul service mesh.
See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
The `ingress-gateway` config entry kind allows you to configure ingress gateways
with listeners that expose a set of services outside the Consul service mesh.
See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
sets of services within their datacenter then the ingress gateways **must** be registered with different names.
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
sets of services within their datacenter then the ingress gateways **must** be registered with different names.
See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
## Wildcard service specification
Ingress gateways can optionally target all services within a Consul namespace by
specifying a wildcard `*` as the service name. A wildcard specifier allows
for a single listener to route traffic to all available services on the
Consul service mesh, differentiating between the services by their host/authority
header.
Ingress gateways can optionally target all services within a Consul namespace by
specifying a wildcard `*` as the service name. A wildcard specifier allows
for a single listener to route traffic to all available services on the
Consul service mesh, differentiating between the services by their host/authority
header.
A wildcard specifier provides the following properties for an ingress
gateway:
- All services with the same
[protocol](/docs/agent/config-entries/ingress-gateway#protocol) as the
listener will be routable.
- The ingress gateway will route traffic based on the host/authority header,
expecting a value matching `<service-name>.ingress.*`, or if using namespaces,
`<service-name>.ingress.<namespace>.*`. This matches the [Consul DNS
ingress subdomain](/docs/agent/dns#ingress-service-lookups).
A wildcard specifier provides the following properties for an ingress
gateway:
A wildcard specifier cannot be set on a listener of protocol `tcp`.
- All services with the same
[protocol](/docs/agent/config-entries/ingress-gateway#protocol) as the
listener will be routable.
- The ingress gateway will route traffic based on the host/authority header,
expecting a value matching `<service-name>.ingress.*`, or if using namespaces,
`<service-name>.ingress.<namespace>.*`. This matches the [Consul DNS
ingress subdomain](/docs/agent/dns#ingress-service-lookups).
A wildcard specifier cannot be set on a listener of protocol `tcp`.
## Sample Config Entries
@ -325,16 +326,16 @@ Also make two services in the frontend namespace available over a custom port wi
- `Namespace` `(string: "default")` - <EnterpriseAlert inline /> Specifies
the namespace the config entry will apply to. This must be the namespace
the gateway is registered in. If omitted, the namespace will be inherited
the gateway is registered in. If omitted, the namespace will be inherited
from [the request](/api/config#ns) or will default to the `default` namespace.
- `TLS` `(TLSConfig: <optional>)` - TLS configuration for this gateway.
- `Enabled` `(bool: false)` - Set this configuration to enable TLS for
every listener on the gateway.
- `Enabled` `(bool: false)` - Set this configuration to enable TLS for
every listener on the gateway.
If TLS is enabled, then each host defined in the `Host` field will be added
as a DNSSAN to the gateway's x509 certificate.
If TLS is enabled, then each host defined in the `Host` field will be added
as a DNSSAN to the gateway's x509 certificate.
- `Listeners` `(array<IngressListener>: <optional>)` - A list of listeners that
the ingress gateway should setup, uniquely identified by their port number.

87
website/pages/docs/agent/config-entries/terminating-gateway.mdx
View File

@ -11,35 +11,36 @@ description: >-
-> **1.8.0+:** This config entry is available in Consul versions 1.8.0 and newer.
The `terminating-gateway` config entry kind you to configure terminating gateways
to proxy traffic from services in the Consul service mesh to services registered with Consul that do not have a
[Connect service sidecar proxy](/docs/connect/proxies). The configuration is associated with the name of a gateway service
and will apply to all instances of the gateway with that name.
The `terminating-gateway` config entry kind you to configure terminating gateways
to proxy traffic from services in the Consul service mesh to services registered with Consul that do not have a
[Connect service sidecar proxy](/docs/connect/proxies). The configuration is associated with the name of a gateway service
and will apply to all instances of the gateway with that name.
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
across all federated Consul datacenters. If terminating gateways in different Consul datacenters need to route to different
sets of services within their datacenter then the terminating gateways **must** be registered with different names.
across all federated Consul datacenters. If terminating gateways in different Consul datacenters need to route to different
sets of services within their datacenter then the terminating gateways **must** be registered with different names.
See [Terminating Gateway](/docs/connect/terminating-gateway) for more information.
See [Terminating Gateway](/docs/connect/terminating-gateway) for more information.
## TLS Origination
By specifying a path to a [CA file](/docs/agent/config-entries/terminating-gateway#cafile) connections
from the terminating gateway will be encrypted using one-way TLS authentication. If a path to a
[client certificate](/docs/agent/config-entries/terminating-gateway#certfile)
and [private key](/docs/agent/config-entries/terminating-gateway#keyfile) are also specified connections
from the terminating gateway will be encrypted using mutual TLS authentication.
If none of these are provided, Consul will **only** encrypt connections to the gateway and not
from the gateway to the destination service.
By specifying a path to a [CA file](/docs/agent/config-entries/terminating-gateway#cafile) connections
from the terminating gateway will be encrypted using one-way TLS authentication. If a path to a
[client certificate](/docs/agent/config-entries/terminating-gateway#certfile)
and [private key](/docs/agent/config-entries/terminating-gateway#keyfile) are also specified connections
from the terminating gateway will be encrypted using mutual TLS authentication.
If none of these are provided, Consul will **only** encrypt connections to the gateway and not
from the gateway to the destination service.
## Wildcard service specification
Terminating gateways can optionally target all services within a Consul namespace by specifying a wildcard "*"
as the service name. Configuration options set on the wildcard act as defaults that can be overridden
by options set on a specific service name.
Terminating gateways can optionally target all services within a Consul namespace by specifying a wildcard "\*"
as the service name. Configuration options set on the wildcard act as defaults that can be overridden
by options set on a specific service name.
Note that if the wildcard specifier is used, and some services in that namespace have a Connect sidecar proxy,
traffic from the mesh to those services will be evenly load-balanced between the gateway and their sidecars.
Note that if the wildcard specifier is used, and some services in that namespace have a Connect sidecar proxy,
traffic from the mesh to those services will be evenly load-balanced between the gateway and their sidecars.
## Sample Config Entries
@ -310,7 +311,7 @@ Services = [
</Tab>
<Tab heading="HCL (Consul Enterprise)">
Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace,
Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace,
and configure default certificates for mutual TLS. Also override the SNI and CA file used for connections to the billing service:
```hcl
@ -336,7 +337,7 @@ Services = [
```
</Tab>
<Tab heading="JSON">
<Tab heading="JSON">
Link gateway named "us-west-gateway" with all services in the datacenter, and configure default certificates for mutual TLS.
Also override the SNI and CA file used for connections to the billing service:
@ -351,21 +352,21 @@ Also override the SNI and CA file used for connections to the billing service:
"CAFile": "/etc/billing-ca/ca-chain.cert.pem",
"KeyFile": "/etc/certs/gateway.key.pem",
"CertFile": "/etc/certs/gateway.cert.pem",
"SNI": "billing.service.com"
"SNI": "billing.service.com"
},
{
"Name": "billing",
"CAFile": "/etc/billing-ca/ca-chain.cert.pem",
"SNI": "billing.service.com"
"SNI": "billing.service.com"
}
]
}
```
</Tab>
<Tab heading="JSON (Consul Enterprise)">
<Tab heading="JSON (Consul Enterprise)">
Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace,
Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace,
and configure default certificates for mutual TLS. Also override the SNI and CA file used for connections to the billing service:
```json
@ -374,19 +375,19 @@ and configure default certificates for mutual TLS. Also override the SNI and CA
"Name": "us-west-gateway",
"Namespace": "default",
"Services": [
{
{
"Namespace": "finance",
"Name": "*",
"CAFile": "/etc/billing-ca/ca-chain.cert.pem",
"KeyFile": "/etc/certs/gateway.key.pem",
"CertFile": "/etc/certs/gateway.cert.pem",
"SNI": "billing.service.com"
"SNI": "billing.service.com"
},
{
{
"Namespace": "finance",
"Name": "billing",
"CAFile": "/etc/billing-ca/ca-chain.cert.pem",
"SNI": "billing.service.com"
"SNI": "billing.service.com"
}
]
}
@ -402,37 +403,37 @@ and configure default certificates for mutual TLS. Also override the SNI and CA
- `Name` `(string: <required>)` - Set to the name of the gateway being configured.
- `Namespace` `(string: "default")` - <EnterpriseAlert inline /> Specifies the namespace
the config entry will apply to. This must be the namespace the gateway is registered in.
If omitted, the namespace will be inherited from [the request](/api/config#ns)
or will default to the `default` namespace.
the config entry will apply to. This must be the namespace the gateway is registered in.
If omitted, the namespace will be inherited from [the request](/api/config#ns)
or will default to the `default` namespace.
- `Services` `(array<LinkedService>: <optional>)` - A list of services to link
with the gateway. The gateway will proxy traffic to these services. These linked services
must be registered with Consul for the gateway to discover their addresses. They must also
be registered in the same Consul datacenter as the terminating gateway.
with the gateway. The gateway will proxy traffic to these services. These linked services
must be registered with Consul for the gateway to discover their addresses. They must also
be registered in the same Consul datacenter as the terminating gateway.
- `Name` `(string: "")` - The name of the service to link with the gateway.
- `Name` `(string: "")` - The name of the service to link with the gateway.
If the wildcard specifier, `*`, is provided, then ALL services within the namespace
will be linked with the gateway.
- `Namespace` `(string: "")` - <EnterpriseAlert inline /> The namespace of the service.
- `Namespace` `(string: "")` - <EnterpriseAlert inline /> The namespace of the service.
If omitted, the namespace will be inherited from the config entry.
- `CAFile` `(string: "")` - A file path to a PEM-encoded certificate authority.
- `CAFile` `(string: "")` - A file path to a PEM-encoded certificate authority.
The file must be present on the proxy's filesystem.
The certificate authority is used to verify the authenticity of the service linked with the gateway.
It can be provided along with a CertFile and KeyFile for mutual TLS authentication, or on its own
for one-way TLS authentication. If none is provided the gateway **will not** encrypt the traffic to the destination.
- `CertFile` `(string: "")` - A file path to a PEM-encoded certificate.
- `CertFile` `(string: "")` - A file path to a PEM-encoded certificate.
The file must be present on the proxy's filesystem.
The certificate is provided servers to verify the gateway's authenticity. It must be provided if a KeyFile was specified.
- `KeyFile` `(string: "")` - A file path to a PEM-encoded private key.
The file must be present on the proxy's filesystem.
The key is used with the certificate to verify the gateway's authenticity. It must be provided along if a CertFile was specified.
- `KeyFile` `(string: "")` - A file path to a PEM-encoded private key.
The file must be present on the proxy's filesystem.
The key is used with the certificate to verify the gateway's authenticity. It must be provided along if a CertFile was specified.
- `SNI` `(string: "")` - An optional hostname or domain name to specify during the TLS handshake.
- `SNI` `(string: "")` - An optional hostname or domain name to specify during the TLS handshake.
## ACLs

24
website/pages/docs/agent/index.mdx
View File

@ -15,7 +15,7 @@ information, registers services, runs checks, responds to queries,
and more. The agent must run on every node that is part of a Consul cluster.
Any agent may run in one of two modes: client or server. A server
node takes on the additional responsibility of being part of the
node takes on the additional responsibility of being part of the
[consensus quorum](/docs/internals/consensus).
These nodes take part in Raft and provide strong consistency and availability in
the case of failure. The higher burden on the server nodes means that usually
@ -27,11 +27,11 @@ operations and maintain very little state of their own.
## Running an Agent
The agent is started with the [`consul agent`](/docs/commands/agent) command.
This command blocks, running forever or until told to quit. You can test a
local agent by following the
This command blocks, running forever or until told to quit. You can test a
local agent by following the
[Getting Started guides](https://learn.hashicorp.com/consul/getting-started/install?utm_source=consul.io&utm_medium=docs).
The agent command takes a variety of
The agent command takes a variety of
[`configuration options`](/docs/agent/options#command-line-options), but most
have sane defaults.
@ -54,22 +54,22 @@ $ consul agent -data-dir=/tmp/consul
...
```
There are several important messages that
There are several important messages that
[`consul agent`](/docs/commands/agent) outputs:
- **Node name**: This is a unique name for the agent. By default, this
is the hostname of the machine, but you may customize it using the
[`-node`](/docs/agent/options#_node) flag.
- **Datacenter**: This is the datacenter in which the agent is configured to
run.
- **Datacenter**: This is the datacenter in which the agent is configured to
run.
Consul has first-class support for multiple datacenters; however, to work
efficiently, each node must be configured to report its datacenter. The
[`-datacenter`](/docs/agent/options#_datacenter) flag can be used to set the
efficiently, each node must be configured to report its datacenter. The
[`-datacenter`](/docs/agent/options#_datacenter) flag can be used to set the
datacenter. For single-DC configurations, the agent will default to "dc1".
- **Server**: This indicates whether the agent is running in server or client
mode.
mode.
Server nodes have the extra burden of participating in the consensus quorum,
storing cluster state, and handling queries. Additionally, a server may be
in ["bootstrap"](/docs/agent/options#_bootstrap_expect) mode. Multiple servers
@ -97,7 +97,7 @@ service definition file has to have `Type=notify` set.
An agent can be stopped in two ways: gracefully or forcefully. Servers and
Clients both behave differently depending on the leave that is performed. There
are two potential states a process can be in after a system signal is sent:
are two potential states a process can be in after a system signal is sent:
_left_ and _failed_.
To gracefully halt an agent, send the process an _interrupt signal_ (usually
@ -111,7 +111,7 @@ cluster that the node has _left_.
When a Server is gracefully exited, the server will not be marked as _left_.
This is to minimally impact the consensus quorum. Instead, the Server will be
marked as _failed_. To remove a server from the cluster, the
marked as _failed_. To remove a server from the cluster, the
[`force-leave`](/docs/commands/force-leave) command is used. Using
`force-leave` will put the server instance in a _left_ state so long as the
Server agent is not alive.

82
website/pages/docs/agent/options.mdx
View File

@ -825,51 +825,51 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
- `serf_wan_allowed_cidrs` ((#serf_wan_allowed_cidrs)) Equivalent to the [`-serf-wan-allowed-cidrs` command-line flag](#_serf_wan_allowed_cidrs).
- `audit` <EnterpriseAlert inline /> - Added in Consul 1.8, the audit object allow users to enable auditing
and configure a sink and filters for their audit logs.
and configure a sink and filters for their audit logs.
```hcl
audit {
enabled = true
sink "My sink" {
type = "file"
format = "json"
path = "data/audit/audit.json"
delivery_guarantee = "best-effort"
rotate_duration = "24h"
rotate_max_files = 15
rotate_bytes = 25165824
}
}
```
```hcl
audit {
enabled = true
sink "My sink" {
type = "file"
format = "json"
path = "data/audit/audit.json"
delivery_guarantee = "best-effort"
rotate_duration = "24h"
rotate_max_files = 15
rotate_bytes = 25165824
}
}
```
The following sub-keys are available:
The following sub-keys are available:
- `enabled` - Controls whether Consul logs out each time a user
- `enabled` - Controls whether Consul logs out each time a user
performs an operation. ACLs must be enabled to use this feature. Defaults to `false`.
- `sink` - This object provides configuration for the destination to which
Consul will log auditing events. Sink is an object containing keys to sink objects, where the key is the name of the sink.
- `sink` - This object provides configuration for the destination to which
Consul will log auditing events. Sink is an object containing keys to sink objects, where the key is the name of the sink.
- `type` - Type specifies what kind of sink this is.
The following keys are valid:
- `file` - Currently only file sinks are available, they take the following keys.
- `format` - Format specifies what format the events will
be emitted with.
The following keys are valid:
- `json` - Currently only json events are offered.
- `path` - The directory and filename to write audit events to.
- `delivery_guarantee` - Specifies
the rules governing how audit events are written.
The following keys are valid:
- `best-effort` - Consul only supports `best-effort` event delivery.
- `rotate_duration` - Specifies the
interval by which the system rotates to a new log file. At least one of `rotate_duration` or `rotate_bytes`
must be configured to enable audit logging.
- `rotate_max_files` - Defines the
limit that Consul should follow before it deletes old log files.
- `rotate_bytes` - Specifies how large an
individual log file can grow before Consul rotates to a new file. At least one of `rotate_bytes` or
`rotate_duration` must be configured to enable audit logging.
- `type` - Type specifies what kind of sink this is.
The following keys are valid:
- `file` - Currently only file sinks are available, they take the following keys.
- `format` - Format specifies what format the events will
be emitted with.
The following keys are valid:
- `json` - Currently only json events are offered.
- `path` - The directory and filename to write audit events to.
- `delivery_guarantee` - Specifies
the rules governing how audit events are written.
The following keys are valid:
- `best-effort` - Consul only supports `best-effort` event delivery.
- `rotate_duration` - Specifies the
interval by which the system rotates to a new log file. At least one of `rotate_duration` or `rotate_bytes`
must be configured to enable audit logging.
- `rotate_max_files` - Defines the
limit that Consul should follow before it deletes old log files.
- `rotate_bytes` - Specifies how large an
individual log file can grow before Consul rotates to a new file. At least one of `rotate_bytes` or
`rotate_duration` must be configured to enable audit logging.
- `autopilot` Added in Consul 0.8, this object allows a
number of sub-keys to be set which can configure operator-friendly settings for
@ -1763,7 +1763,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
- `prefix_filter` ((#telemetry-prefix_filter))
This is a list of filter rules to apply for allowing/blocking metrics by
prefix in the following format:
```json
["+consul.raft.apply", "-consul.http", "+consul.http.GET"]
```
@ -1814,7 +1814,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
- `tls_cipher_suites` Added in Consul 0.8.2, this specifies the list of
supported ciphersuites as a comma-separated-list. The list of all supported
ciphersuites is available through
ciphersuites is available through
[this search](https://github.com/hashicorp/consul/search?q=cipherMap+%3A%3D+map&unscoped_q=cipherMap+%3A%3D+map).
- `tls_prefer_server_cipher_suites` Added in Consul 0.8.2, this

16
website/pages/docs/agent/telemetry.mdx
View File

@ -147,9 +147,9 @@ This is a full list of metrics emitted by Consul.
| `consul.client.api.catalog_register.` | This increments whenever a Consul agent receives a catalog register request. | requests | counter |
| `consul.client.api.success.catalog_register.` | This increments whenever a Consul agent successfully responds to a catalog register request. | requests | counter |
| `consul.client.rpc.error.catalog_register.` | This increments whenever a Consul agent receives an RPC error for a catalog register request. | errors | counter |
| `consul.client.api.catalog_deregister.` | This increments whenever a Consul agent receives a catalog deregister request. | requests | counter |
| `consul.client.api.success.catalog_deregister.` | This increments whenever a Consul agent successfully responds to a catalog deregister request. | requests | counter |
| `consul.client.rpc.error.catalog_deregister.` | This increments whenever a Consul agent receives an RPC error for a catalog deregister request. | errors | counter |
| `consul.client.api.catalog_deregister.` | This increments whenever a Consul agent receives a catalog deregister request. | requests | counter |
| `consul.client.api.success.catalog_deregister.` | This increments whenever a Consul agent successfully responds to a catalog deregister request. | requests | counter |
| `consul.client.rpc.error.catalog_deregister.` | This increments whenever a Consul agent receives an RPC error for a catalog deregister request. | errors | counter |
| `consul.client.api.catalog_datacenters.` | This increments whenever a Consul agent receives a request to list datacenters in the catalog. | requests | counter |
| `consul.client.api.success.catalog_datacenters.` | This increments whenever a Consul agent successfully responds to a request to list datacenters. | requests | counter |
| `consul.client.rpc.error.catalog_datacenters.` | This increments whenever a Consul agent receives an RPC error for a request to list datacenters. | errors | counter |
@ -163,11 +163,11 @@ This is a full list of metrics emitted by Consul.
| `consul.client.api.success.catalog_service_nodes.` | This increments whenever a Consul agent successfully responds to a request to list nodes offering a service. | requests | counter |
| `consul.client.rpc.error.catalog_service_nodes.` | This increments whenever a Consul agent receives an RPC error for a request to list nodes offering a service. | errors | counter |
| `consul.client.api.catalog_node_services.` | This increments whenever a Consul agent receives a request to list services registered in a node. | requests | counter |
| `consul.client.api.success.catalog_node_services.` | This increments whenever a Consul agent successfully responds to a request to list services in a node. | requests | counter |
| `consul.client.rpc.error.catalog_node_services.` | This increments whenever a Consul agent receives an RPC error for a request to list services in a node. | errors | counter |
| `consul.client.api.catalog_gateway_services.` | This increments whenever a Consul agent receives a request to list services associated with a gateway. | requests | counter |
| `consul.client.api.success.catalog_gateway_services.` | This increments whenever a Consul agent successfully responds to a request to list services associated with a gateway. | requests | counter |
| `consul.client.rpc.error.catalog_gateway_services.` | This increments whenever a Consul agent receives an RPC error for a request to list services associated with a gateway. | errors | counter |
| `consul.client.api.success.catalog_node_services.` | This increments whenever a Consul agent successfully responds to a request to list services in a node. | requests | counter |
| `consul.client.rpc.error.catalog_node_services.` | This increments whenever a Consul agent receives an RPC error for a request to list services in a node. | errors | counter |
| `consul.client.api.catalog_gateway_services.` | This increments whenever a Consul agent receives a request to list services associated with a gateway. | requests | counter |
| `consul.client.api.success.catalog_gateway_services.` | This increments whenever a Consul agent successfully responds to a request to list services associated with a gateway. | requests | counter |
| `consul.client.rpc.error.catalog_gateway_services.` | This increments whenever a Consul agent receives an RPC error for a request to list services associated with a gateway. | errors | counter |
| `consul.runtime.num_goroutines` | This tracks the number of running goroutines and is a general load pressure indicator. This may burst from time to time but should return to a steady state value. | number of goroutines | gauge |
| `consul.runtime.alloc_bytes` | This measures the number of bytes allocated by the Consul process. This may burst from time to time but should return to a steady state value. | bytes | gauge |
| `consul.runtime.heap_objects` | This measures the number of objects allocated on the heap and is a general memory pressure indicator. This may burst from time to time but should return to a steady state value. | number of objects | gauge |

4
website/pages/docs/commands/connect/expose.mdx
View File

@ -12,7 +12,7 @@ description: >
Command: `consul connect expose`
The connect expose subcommand is used to expose a Connect-enabled service
The connect expose subcommand is used to expose a Connect-enabled service
through an Ingress gateway by modifying the gateway's configuration and adding
an intention to allow traffic from the gateway to the service. See the
[Ingress gateway documentation](/docs/connect/ingress-gateway) for more information
@ -46,7 +46,7 @@ Usage: consul connect expose [options]
- `-protocol` - The protocol for the service. Defaults to 'tcp'.
- `-host` - Additional DNS hostname to use for routing to this service. Can be
- `-host` - Additional DNS hostname to use for routing to this service. Can be
specified multiple times.
## Examples

4
website/pages/docs/commands/index.mdx
View File

@ -248,8 +248,8 @@ scheme should be used, or `CONSUL_HTTP_SSL` set.
### `CONSUL_NAMESPACE`
**Enterprise only**
If you're using Consul Enterprise namespaces you can set this for the CLI to
explicitly use a single namespace. This is common across all Hashicorp
If you're using Consul Enterprise namespaces you can set this for the CLI to
explicitly use a single namespace. This is common across all Hashicorp
products that support Enterprise namespaces.
```

14
website/pages/docs/commands/intention/index.mdx
View File

@ -70,10 +70,10 @@ $ consul intention match db
Intention commands commonly take positional arguments referred to as `SRC` and
`DST` in the command documentation. These can take several forms:
| Format | Meaning |
| ----------------------- | -----------------------------------------------------------------------|
| `<service>` | the named service in the current namespace |
| `*` | any service in the current namespace |
| `<namespace>/<service>` | <EnterpriseAlert inline /> the named service in a specific namespace |
| `<namespace>/*` | <EnterpriseAlert inline /> any service in the specified namespace |
| `*/*` | <EnterpriseAlert inline /> any service in any namespace |
| Format | Meaning |
| ----------------------- | -------------------------------------------------------------------- |
| `<service>` | the named service in the current namespace |
| `*` | any service in the current namespace |
| `<namespace>/<service>` | <EnterpriseAlert inline /> the named service in a specific namespace |
| `<namespace>/*` | <EnterpriseAlert inline /> any service in the specified namespace |
| `*/*` | <EnterpriseAlert inline /> any service in any namespace |

4
website/pages/docs/commands/license.mdx
View File

@ -42,7 +42,7 @@ Usage: consul license <subcommand> [options] [args]
Retrieve the current license:
$ consul license get
Reset the current license:
$ consul license reset
@ -117,7 +117,7 @@ Licensed Features:
## reset
Resets license for the datacenter to the one builtin in Consul binary, if it is still valid.
Resets license for the datacenter to the one builtin in Consul binary, if it is still valid.
If the builtin license is invalid, the current one stays active.
Usage: `consul license reset [options]`

2
website/pages/docs/commands/operator/raft.mdx
View File

@ -59,7 +59,7 @@ but may be upgraded to a GUID in a future version of Consul.
Raft configuration.
`Voter` is "true" or "false", indicating if the server has a vote in the Raft
configuration.
configuration.
## remove-peer

4
website/pages/docs/connect/connect-internals.mdx
View File

@ -15,8 +15,8 @@ but will help you build a mental model of what's going on under the hood, which
may help you reason about Connect's behavior in more complex deployment
scenarios.
To try Connect locally, complete the [Getting Started with Consul service
mesh](https://learn.hashicorp.com/consul/gs-consul-service-mesh/understand-consul-service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
To try Connect locally, complete the [Getting Started with Consul service
mesh](https://learn.hashicorp.com/consul/gs-consul-service-mesh/understand-consul-service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
guide.
## Mutual Transport Layer Security (mTLS)

6
website/pages/docs/connect/ingress-gateway.mdx
View File

@ -10,7 +10,7 @@ description: >-
# Ingress Gateways
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.
Ingress gateways enable ingress traffic from services outside the Consul
service mesh to services inside the Consul service mesh. An ingress gateway is
@ -68,5 +68,5 @@ If the Consul client agent on the gateway's node is not configured to use the de
must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies.
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
sets of services within their datacenter then the ingress gateways **must** be registered with different names.
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
sets of services within their datacenter then the ingress gateways **must** be registered with different names.

2
website/pages/docs/connect/proxies/built-in.mdx
View File

@ -68,7 +68,7 @@ All fields are optional with a sane default.
or `[::]` in which case this defaults to `127.0.0.1` and assumes the agent can
dial the proxy over loopback. For more complex configurations where agent and proxy
communicate over a bridge for example, this configuration can be used to specify
a different *address* (but not port) for the agent to use for health checks if
a different _address_ (but not port) for the agent to use for health checks if
it can't talk to the proxy over localhost or it's publicly advertised port. The
check always uses the same port that the proxy is bound to.

3
website/pages/docs/connect/proxies/envoy.mdx
View File

@ -287,7 +287,6 @@ definition](/docs/connect/registration/service-registration) or
- `max_failures` - The number of consecutive failures which cause a host to be
removed from the load balancer.
### Gateway Options
These fields may also be overridden explicitly in the [proxy service
@ -319,7 +318,7 @@ will continue to be supported.
- `envoy_gateway_no_default_bind` - Prevents binding to the default address
of the gateway service. This should be used with one of the other options
to configure the gateway's bind addresses.
- `envoy_dns_discovery_type` - Determines how Envoy will resolve hostnames. Defaults to `LOGICAL_DNS`.
Must be one of `STRICT_DNS` or `LOGICAL_DNS`. Details for each type are available in
the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/v1.14.1/intro/arch_overview/upstream/service_discovery).

19
website/pages/docs/connect/wan-federation-via-mesh-gateways.mdx
View File

@ -8,7 +8,7 @@ description: |-
# WAN Federation via Mesh Gateways
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher
~> This topic requires familiarity with [mesh gateways](/docs/connect/mesh-gateway).
@ -28,11 +28,11 @@ the WAN.
Sometimes this prerequisite is difficult or undesirable to meet:
* **Difficult:** The datacenters may exist in multiple Kubernetes clusters that
- **Difficult:** The datacenters may exist in multiple Kubernetes clusters that
unfortunately have overlapping pod IP subnets, or may exist in different
cloud provider VPCs that have overlapping subnets.
* **Undesirable:** Network security teams may not approve of granting so many
- **Undesirable:** Network security teams may not approve of granting so many
firewall rules. When using platform autoscaling, keeping rules up to date becomes untenable.
Operators looking to simplify their WAN deployment and minimize the exposed
@ -44,17 +44,16 @@ gateways](/docs/connect/mesh-gateways.html) to do so.
There are two main kinds of communication that occur over the WAN link spanning
the gulf between disparate Consul datacenters:
* **WAN gossip:** We leverage the serf and memberlist libraries to gossip
- **WAN gossip:** We leverage the serf and memberlist libraries to gossip
around failure detector knowledge about Consul servers in each datacenter.
By default this operates point to point between servers over `8302/udp` with
a fallback to `8302/tcp` (which logs a warning indicating the network is
misconfigured).
* **Cross-datacenter RPCs:** Consul servers expose a special multiplexed port
- **Cross-datacenter RPCs:** Consul servers expose a special multiplexed port
over `8300/tcp`. Several distinct kinds of messages can be received on this
port, such as RPC requests forwarded from servers in other datacenters.
In this network topology individual Consul client agents on a LAN in one
datacenter never need to directly dial servers in other datacenters. This
means you could introduce a set of firewall rules prohibiting `10.0.0.0/24`
@ -80,8 +79,7 @@ these SAN fields:
server.<this_datacenter>.<domain> (normal)
<node_name>.server.<this_datacenter>.<domain> (needed for wan federation)
This can be achieved using any number of tools, including `consul tls cert
create` with the `-node` flag.
This can be achieved using any number of tools, including `consul tls cert create` with the `-node` flag.
### Mesh Gateways
@ -157,7 +155,6 @@ follow this general procedure:
resolve ACL tokens from the secondary, at which time it should be possible
to launch the mesh gateways in the secondary datacenter.
### Existing secondary
1. Upgrade to the desired version of the consul binary for all servers,
@ -175,9 +172,9 @@ follow this general procedure:
From any two datacenters joined together double check the following give you an
expected result:
* Check that `consul members -wan` lists all servers in all datacenters with
- Check that `consul members -wan` lists all servers in all datacenters with
their _local_ ip addresses and are listed as `alive`.
* Ensure any API request that activates datacenter request forwarding. such as
- Ensure any API request that activates datacenter request forwarding. such as
[`/v1/catalog/services?dc=<OTHER_DATACENTER_NAME>`](/api/catalog.html#dc-1)
succeeds.

3
website/pages/docs/enterprise/backups.mdx
View File

@ -11,7 +11,8 @@ description: >-
# Automated Backups
<EnterpriseAlert>
This feature is available in all versions of <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>.
This feature is available in all versions of{' '}
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>.
</EnterpriseAlert>
Consul Enterprise enables you to run

4
website/pages/docs/enterprise/federation.mdx
View File

@ -11,7 +11,9 @@ description: >-
# Consul Enterprise Advanced Federation
<EnterpriseAlert>
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Global Visibility, Routing, and Scale module.
This feature requires{' '}
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
with the Global Visibility, Routing, and Scale module.
</EnterpriseAlert>
Consul's core federation capability uses the same gossip mechanism that is used

4
website/pages/docs/enterprise/namespaces.mdx
View File

@ -8,7 +8,9 @@ description: Consul Enterprise enables data isolation with Namespaces.
# Consul Enterprise Namespaces
<EnterpriseAlert>
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Governance and Policy module.
This feature requires{' '}
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
with the Governance and Policy module.
</EnterpriseAlert>
With Consul Enterprise v1.7.0, data for different users or teams

4
website/pages/docs/enterprise/network-segments.mdx
View File

@ -10,7 +10,9 @@ description: |-
# Network Segments
<EnterpriseAlert>
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Global Visibility, Routing, and Scale module.
This feature requires{' '}
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
with the Global Visibility, Routing, and Scale module.
</EnterpriseAlert>
Consul Network Segments enables operators to create separate LAN gossip segments

4
website/pages/docs/enterprise/read-scale.mdx
View File

@ -12,7 +12,9 @@ description: >-
# Enhanced Read Scalability with Non-Voting Servers
<EnterpriseAlert>
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Global Visibility, Routing, and Scale module.
This feature requires{' '}
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
with the Global Visibility, Routing, and Scale module.
</EnterpriseAlert>
Consul Enterprise provides the ability to scale clustered Consul servers

4
website/pages/docs/enterprise/redundancy.mdx
View File

@ -10,7 +10,9 @@ description: >-
# Redundancy Zones
<EnterpriseAlert>
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Global Visibility, Routing, and Scale module.
This feature requires{' '}
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
with the Global Visibility, Routing, and Scale module.
</EnterpriseAlert>
Consul Enterprise redundancy zones provide

4
website/pages/docs/enterprise/sentinel.mdx
View File

@ -11,7 +11,9 @@ description: >-
# Sentinel in Consul
<EnterpriseAlert>
This feature requires <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a> with the Governance and Policy module.
This feature requires{' '}
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
with the Governance and Policy module.
</EnterpriseAlert>
Sentinel policies extend the ACL system in Consul beyond static "read", "write",

3
website/pages/docs/enterprise/upgrades.mdx
View File

@ -11,7 +11,8 @@ description: >-
# Automated Upgrades
<EnterpriseAlert>
This feature is available in all versions of <a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>.
This feature is available in all versions of{' '}
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>.
</EnterpriseAlert>
Consul Enterprise enables the capability of automatically upgrading a cluster of Consul servers to a new

10
website/pages/docs/faq.mdx
View File

@ -108,9 +108,9 @@ forward an RPC request to the remote Consul servers for that resource and
return the results.
If the remote datacenter is not available, then those resources will also not be
available from that datacenter. That will not affect the requests to the local
datacenter. There are some special situations where a limited subset of data
datacenter. There are some special situations where a limited subset of data
can be replicated, such as with Consul's built-in
[ACL replication](https://learn.hashicorp.com/consul/day-2-operations/acl-replication)
[ACL replication](https://learn.hashicorp.com/consul/day-2-operations/acl-replication)
capability, or external tools like
[consul-replicate](https://github.com/hashicorp/consul-replicate).
@ -129,10 +129,10 @@ Please see our
## Q: Are the Consul Docker Images OCI Compliant?
The official [Consul Docker image](https://hub.docker.com/_/consul/) uses
The official [Consul Docker image](https://hub.docker.com/_/consul/) uses
[Docker image schema](https://docs.docker.com/registry/spec/manifest-v2-2/) V2,
which is OCI Compliant. To check the docker images on Docker Hub, use the
command `docker manifest inspect consul` to inspect the manifest payload. The
which is OCI Compliant. To check the docker images on Docker Hub, use the
command `docker manifest inspect consul` to inspect the manifest payload. The
`docker manifest inspect` may require you to enable experimental features to
use.

2
website/pages/docs/guides/acl-legacy.mdx
View File

@ -187,7 +187,7 @@ as to whether they are set on servers, clients, or both.
| Configuration Option | Servers | Clients | Purpose |
| --------------------------------------------------------------------- | ---------- | ---------- | ----------------------------------------------------------------------------------------- |
| [`primary_datacenter`](/docs/agent/options#primary_datacenter) | `REQUIRED` | `REQUIRED` | Master control that enables ACLs by defining the authoritative Consul datacenter for ACLs |
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl_down_policy`](/docs/agent/options#acl_down_policy_legacy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the ACL datacenter is offline |
| [`acl_ttl`](/docs/agent/options#acl_ttl_legacy) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACLs |

5
website/pages/docs/internals/coordinates.mdx
View File

@ -2,10 +2,7 @@
layout: docs
page_title: Network Coordinates
sidebar_title: Network Coordinates
description: ''
Serf uses a network tomography system to compute network coordinates for nodes in the cluster. These coordinates are useful for easily calculating the estimated network round trip time between any two nodes in the cluster. This page documents the details of this system. The core of the network tomography system us based on Vivaldi: >-
A Decentralized Network Coordinate System, with several improvements based on
several follow-on papers.
description: A Decentralized Network Coordinate System, with several improvements based on several follow-on papers.
---
# Network Coordinates

46
website/pages/docs/k8s/helm.mdx
View File

@ -789,36 +789,36 @@ and consider if they're appropriate for your deployment.
- `wanAddress` ((#v-meshgateway-wanaddress)) - What gets registered as WAN (wide area network) address for the gateway.
- `source` ((#v-meshgateway-wanaddress-source)) (`string: "Service"`) - source configures where to retrieve the WAN address (and possibly port)
for the mesh gateway from.
Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. See the behavior of each below:
for the mesh gateway from.
Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. See the behavior of each below:
* `Service` - Determine the address based on the service type.
- `Service` - Determine the address based on the service type.
If `service.type=LoadBalancer` use the external IP or hostname of
the service. Use the port set by `service.port`.
If `service.type=LoadBalancer` use the external IP or hostname of
the service. Use the port set by `service.port`.
If `service.type=NodePort` use the Node IP. The port will be set to
`service.nodePort` so `service.nodePort` cannot be null.
If `service.type=NodePort` use the Node IP. The port will be set to
`service.nodePort` so `service.nodePort` cannot be null.
If `service.type=ClusterIP` use the ClusterIP. The port will be set to
`service.port`.
If `service.type=ClusterIP` use the ClusterIP. The port will be set to
`service.port`.
`service.type=ExternalName` is not supported.
`service.type=ExternalName` is not supported.
* `NodeIP` - The node IP as provided by the Kubernetes downward API.
- `NodeIP` - The node IP as provided by the Kubernetes downward API.
* `NodeName` - The name of the node as provided by the Kubernetes downward
API. This is useful if the node names are DNS entries that
are routable from other datacenters.
- `NodeName` - The name of the node as provided by the Kubernetes downward
API. This is useful if the node names are DNS entries that
are routable from other datacenters.
* `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`.
- `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`.
- `port` ((#v-meshgateway-wanaddress-port)) (`integer: 443`) - Port that gets registered for WAN traffic.
If source is set to "Service" then this setting will have no effect.
See the documentation for `source` as to which port will be used in that
case.
- `static` ((#v-meshgateway-wanaddress-static)) (`string: ""`) - If source is set to "Static" then this value will be used as the WAN
- `static` ((#v-meshgateway-wanaddress-static)) (`string: ""`) - If source is set to "Static" then this value will be used as the WAN
address of the mesh gateways. This is useful if you've configured a
DNS entry to point to your mesh gateways.
@ -851,8 +851,8 @@ and consider if they're appropriate for your deployment.
- `dnsPolicy` ((#v-meshgateway-dnspolicy)) (`string: null`) - `dnsPolicy` to use.
- `consulServiceName` ((#v-meshgateway-consulservicename)) (`string: "mesh-gateway"`) - Consul service name for the mesh gateways.
Cannot be set to anything other than `"mesh-gateway"` if `global.acls.manageSystemACLs` is true since the ACL token
generated is only for the name "mesh-gateway".
Cannot be set to anything other than `"mesh-gateway"` if `global.acls.manageSystemACLs` is true since the ACL token
generated is only for the name "mesh-gateway".
- `containerPort` ((#v-meshgateway-containerPort)) (`integer: 8443`) - Port that the gateway will run on inside the container.
@ -920,8 +920,8 @@ and consider if they're appropriate for your deployment.
"annotation-key": "annotation-value"
```
- `consulNamespace` ((#v-ingressgateways-defaults-consulnamespace)) (`string: "default"`) <EnterpriseAlert inline /> - Defines the Consul namespace to register the gateway into. Requires `global.enableConsulNamespaces` to be true and
Consul Enterprise v1.7+ with a valid Consul Enterprise license. Note: The Consul namespace MUST exist before the gateway is deployed.
- `consulNamespace` ((#v-ingressgateways-defaults-consulnamespace)) (`string: "default"`) <EnterpriseAlert inline /> - Defines the Consul namespace to register the gateway into. Requires `global.enableConsulNamespaces` to be true and
Consul Enterprise v1.7+ with a valid Consul Enterprise license. Note: The Consul namespace MUST exist before the gateway is deployed.
- `gateways` ((#v-ingressgateways-gateways)) - Gateways is a list of gateway objects. The only required field for each is `name`, though they can also contain any of the fields in `ingressGateways.defaults`. Values defined here override the defaults except in the case of annotations where both will be applied.
@ -941,9 +941,9 @@ and consider if they're appropriate for your deployment.
extraVolumes:
- type: 'secret'
name: 'my-secret'
items: # optional items array
items: # optional items array
- key: key
path: path # secret will now mount to /consul/userconfig/my-secret/path
path: path # secret will now mount to /consul/userconfig/my-secret/path
```
- `resources` ((#v-terminatinggateways-defaults-resources)) (`string`) - Resources for gateway pods. See values file for default.
@ -963,7 +963,7 @@ and consider if they're appropriate for your deployment.
"annotation-key": "annotation-value"
```
- `consulNamespace` ((#v-terminatinggateways-defaults-consulnamespace)) (`string: "default"`) <EnterpriseAlert inline /> - Defines the Consul namespace to register the gateway into. Requires `global.enableConsulNamespaces` to be true and Consul Enterprise v1.7+ with a valid Consul Enterprise license. Note: The Consul namespace MUST exist before the gateway is deployed.
- `consulNamespace` ((#v-terminatinggateways-defaults-consulnamespace)) (`string: "default"`) <EnterpriseAlert inline /> - Defines the Consul namespace to register the gateway into. Requires `global.enableConsulNamespaces` to be true and Consul Enterprise v1.7+ with a valid Consul Enterprise license. Note: The Consul namespace MUST exist before the gateway is deployed.
- `gateways` ((#v-terminatinggateways-gateways)) - Gateways is a list of gateway objects. The only required field for each is `name`, though they can also contain any of the fields in `terminatingGateways.defaults`. Values defined here override the defaults except in the case of annotations where both will be applied.

6
website/pages/home/index.jsx
View File

@ -195,16 +195,14 @@ export default function HomePage() {
title: 'Getting Started',
category: 'Step-by-Step Guides',
time: '48 mins',
link:
'https://learn.hashicorp.com/consul/getting-started/install',
link: 'https://learn.hashicorp.com/consul/getting-started/install',
image: require('./img/learn/getting-started.svg?url'),
},
{
title: 'Run Consul on Kubernetes',
category: 'Step-by-Step Guides',
time: '142 mins',
link:
'https://learn.hashicorp.com/consul/kubernetes/minikube',
link: 'https://learn.hashicorp.com/consul/kubernetes/minikube',
image: require('./img/learn/kubernetes.svg?url'),
},
]}

2
website/pages/partials/jwt_or_oidc.mdx
View File

@ -7,7 +7,7 @@ bearer tokens, it may be confusing to know which is right for a given use case.
in possession of a valid JWT to begin. There is no browser interaction
required. This is ideal for machine-oriented headless login where an operator
may have already arranged for a valid JWT to be dropped on a VM or provided
to a container.
to a container.
- **OIDC**: The user performing the Consul login does not have a JWT nor do
they even need to know what that means. This is ideal for human-oriented