docs: Fix spelling errors across website
parent
901a5cdd8c
commit
4d2bc76d62
|
@ -246,23 +246,23 @@ The table below shows this endpoint's support for
|
||||||
| ---------------- | ----------------- | ------------- | -------------- |
|
| ---------------- | ----------------- | ------------- | -------------- |
|
||||||
| `NO` | `none` | `none` | `service:read` |
|
| `NO` | `none` | `none` | `service:read` |
|
||||||
|
|
||||||
Those endpoints return the aggregated values of all healthchecks for the
|
Those endpoints return the aggregated values of all health checks for the
|
||||||
service instance(s) and will return the corresponding HTTP codes:
|
service instance(s) and will return the corresponding HTTP codes:
|
||||||
|
|
||||||
| Result | Meaning |
|
| Result | Meaning |
|
||||||
| ------ | --------------------------------------------------------------- |
|
| ------ | --------------------------------------------------------------- |
|
||||||
| `200` | All healthchecks of every matching service instance are passing |
|
| `200` | All health checks of every matching service instance are passing |
|
||||||
| `400` | Bad parameter (missing service name of id) |
|
| `400` | Bad parameter (missing service name of id) |
|
||||||
| `404` | No such service id or name |
|
| `404` | No such service id or name |
|
||||||
| `429` | Some healthchecks are passing, at least one is warning |
|
| `429` | Some health checks are passing, at least one is warning |
|
||||||
| `503` | At least one of the healthchecks is critical |
|
| `503` | At least one of the health checks is critical |
|
||||||
|
|
||||||
Those endpoints might be useful for the following use-cases:
|
Those endpoints might be useful for the following use-cases:
|
||||||
|
|
||||||
- a load-balancer wants to check IP connectivity with an agent and retrieve
|
- a load-balancer wants to check IP connectivity with an agent and retrieve
|
||||||
the aggregated status of given service
|
the aggregated status of given service
|
||||||
- create aliases for a given service (thus, the healthcheck of alias uses
|
- create aliases for a given service (thus, the health check of alias uses
|
||||||
http://localhost:8500/v1/agent/service/id/aliased_service_id healthcheck)
|
http://localhost:8500/v1/agent/service/id/aliased_service_id health check)
|
||||||
|
|
||||||
##### Note
|
##### Note
|
||||||
|
|
||||||
|
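Review bot: The `400` row still reads "missing service name of id" on both sides of this hunk. Since the commit is a spelling pass over this same table, change "of" to "or" so the row matches the `404` row's "service id or name".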
@ -492,7 +492,7 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Query string parameters
|
### Query string parameters
|
||||||
|
|
||||||
- `replace-existing-checks` - Missing healthchecks from the request will be deleted from the agent. Using this parameter allows to idempotently register a service and its checks without having to manually deregister checks.
|
- `replace-existing-checks` - Missing health checks from the request will be deleted from the agent. Using this parameter allows to idempotently register a service and its checks without having to manually deregister checks.
|
||||||
|
|
||||||
### Parameters
|
### Parameters
|
||||||
|
|
||||||
|
|
|
@ -616,7 +616,7 @@ This endpoint evaluates the intentions for a specific source and destination
|
||||||
and returns whether the connection would be authorized or not given the current
|
and returns whether the connection would be authorized or not given the current
|
||||||
Consul configuration and set of intentions.
|
Consul configuration and set of intentions.
|
||||||
|
|
||||||
-> **Note:** This endpoint will always evaulate intentions with `Permissions`
|
-> **Note:** This endpoint will always evaluate intentions with `Permissions`
|
||||||
defined as _deny_ intentions during. This endpoint is only suited for
|
defined as _deny_ intentions during. This endpoint is only suited for
|
||||||
networking layer 4 (e.g. TCP) integration.
|
networking layer 4 (e.g. TCP) integration.
|
||||||
|
|
||||||
|
|
|
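Review bot: The note's first sentence still ends with "defined as _deny_ intentions during." after the `evaulate` fix, so it stops mid-clause. Either drop the trailing "during" or restore the words that were meant to follow it, because this is the sentence that tells readers how intentions with `Permissions` are treated by the endpoint.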
@ -117,7 +117,7 @@ service "consul-snapshot" {
|
||||||
</Tabs>
|
</Tabs>
|
||||||
|
|
||||||
Additional `session` rules should be created, or `session_prefix` used, if the
|
Additional `session` rules should be created, or `session_prefix` used, if the
|
||||||
snapshot agent is deployed across more than one hosts.
|
snapshot agent is deployed across more than one host.
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
|
@ -281,7 +281,7 @@ Note that despite the AWS references, any S3-compatible endpoint can be specifie
|
||||||
|
|
||||||
- `-aws-s3-server-side-encryption` - Enables saving snapshots to S3 using server side encryption with [Amazon S3-Managed Encryption Keys](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html)
|
- `-aws-s3-server-side-encryption` - Enables saving snapshots to S3 using server side encryption with [Amazon S3-Managed Encryption Keys](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html)
|
||||||
|
|
||||||
- `-aws-s3-static-snapshot-name` - If this is given, all snapshots are saved with the same file name. The agent will not rotate or versionize snapshots, and will save them with the same name each time.
|
- `-aws-s3-static-snapshot-name` - If this is given, all snapshots are saved with the same file name. The agent will not rotate or version snapshots, and will save them with the same name each time.
|
||||||
Use this if you want to rely on [S3's versioning capabilities](http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html) instead of the agent handling it for you.
|
Use this if you want to rely on [S3's versioning capabilities](http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html) instead of the agent handling it for you.
|
||||||
|
|
||||||
- `-aws-s3-enable-kms` - Enables using [Amazon KMS](https://aws.amazon.com/kms/) for encrypting snapshots.
|
- `-aws-s3-enable-kms` - Enables using [Amazon KMS](https://aws.amazon.com/kms/) for encrypting snapshots.
|
||||||
|
|
|
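Review bot: Both AWS documentation links in this hunk's context lines (`UsingServerSideEncryption.html` and `Versioning.html`) use `http://`, while the KMS link on the last line uses `https://`. Switch the two to `https://` while this list is being touched.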
@ -265,7 +265,7 @@ The options below are all specified on the command-line.
|
||||||
- `-log-file` ((#\_log_file)) - writes all the Consul agent log messages
|
- `-log-file` ((#\_log_file)) - writes all the Consul agent log messages
|
||||||
to a file. This value is used as a prefix for the log file name. The current timestamp
|
to a file. This value is used as a prefix for the log file name. The current timestamp
|
||||||
is appended to the file name. If the value ends in a path separator, `consul-`
|
is appended to the file name. If the value ends in a path separator, `consul-`
|
||||||
will be appened to the value. If the file name is missing an extension, `.log`
|
will be appended to the value. If the file name is missing an extension, `.log`
|
||||||
is appended. For example, setting `log-file` to `/var/log/` would result in a log
|
is appended. For example, setting `log-file` to `/var/log/` would result in a log
|
||||||
file path of `/var/log/consul-{timestamp}.log`. `log-file` can be combined with
|
file path of `/var/log/consul-{timestamp}.log`. `log-file` can be combined with
|
||||||
[`-log-rotate-bytes`](#_log_rotate_bytes) and [-log-rotate-duration](#_log_rotate_duration)
|
[`-log-rotate-bytes`](#_log_rotate_bytes) and [-log-rotate-duration](#_log_rotate_duration)
|
||||||
|
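Review bot: On the last line of this hunk, `-log-rotate-bytes` is wrapped in backticks inside its link but `-log-rotate-duration` is not. Add the backticks so both flags render as code.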
@ -459,7 +459,7 @@ The options below are all specified on the command-line.
|
||||||
segment.
|
segment.
|
||||||
|
|
||||||
- `-serf-lan-allowed-cidrs` ((#\_serf_lan_allowed_cidrs)) - The Serf LAN allowed CIDRs allow to accept incoming
|
- `-serf-lan-allowed-cidrs` ((#\_serf_lan_allowed_cidrs)) - The Serf LAN allowed CIDRs allow to accept incoming
|
||||||
connections for Serf only from several networks (mutiple values are supported).
|
connections for Serf only from several networks (multiple values are supported).
|
||||||
Those networks are specified with CIDR notation (eg: 192.168.1.0/24).
|
Those networks are specified with CIDR notation (eg: 192.168.1.0/24).
|
||||||
This is available in Consul 1.8 and later.
|
This is available in Consul 1.8 and later.
|
||||||
|
|
||||||
|
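Review bot: "The Serf LAN allowed CIDRs allow to accept incoming connections for Serf only from several networks" is left untouched, and it is hard to tell from that sentence that the flag is a restriction. Suggest something like "Restricts incoming Serf LAN connections to the listed networks (multiple values are supported)", with the same rewording for `-serf-wan-allowed-cidrs` in the next hunk. "eg:" could become "e.g." in both places.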
@ -468,7 +468,7 @@ The options below are all specified on the command-line.
|
||||||
and later.
|
and later.
|
||||||
|
|
||||||
- `-serf-wan-allowed-cidrs` ((#\_serf_wan_allowed_cidrs)) - The Serf WAN allowed CIDRs allow to accept incoming
|
- `-serf-wan-allowed-cidrs` ((#\_serf_wan_allowed_cidrs)) - The Serf WAN allowed CIDRs allow to accept incoming
|
||||||
connections for Serf only from several networks (mutiple values are supported).
|
connections for Serf only from several networks (multiple values are supported).
|
||||||
Those networks are specified with CIDR notation (eg: 192.168.1.0/24).
|
Those networks are specified with CIDR notation (eg: 192.168.1.0/24).
|
||||||
This is available in Consul 1.8 and later.
|
This is available in Consul 1.8 and later.
|
||||||
|
|
||||||
|
@ -819,7 +819,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
||||||
- `advertise_reconnect_timeout` This is a per-agent setting of the [`reconnect_timeout`](#reconnect_timeout) parameter.
|
- `advertise_reconnect_timeout` This is a per-agent setting of the [`reconnect_timeout`](#reconnect_timeout) parameter.
|
||||||
This agent will advertise to all other nodes in the cluster that after this timeout, the node may be completely
|
This agent will advertise to all other nodes in the cluster that after this timeout, the node may be completely
|
||||||
removed from the cluster. This may only be set on client agents and if unset then other nodes will use the main
|
removed from the cluster. This may only be set on client agents and if unset then other nodes will use the main
|
||||||
`reconnect_timeout` setting when determing when this node may be removed from the cluster.
|
`reconnect_timeout` setting when determining when this node may be removed from the cluster.
|
||||||
|
|
||||||
- `serf_lan` ((#serf_lan_bind)) Equivalent to the [`-serf-lan-bind` command-line flag](#_serf_lan_bind).
|
- `serf_lan` ((#serf_lan_bind)) Equivalent to the [`-serf-lan-bind` command-line flag](#_serf_lan_bind).
|
||||||
|
|
||||||
|
@ -958,7 +958,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
||||||
client agent's TLS certificate. The `localhost` DNS SAN is always requested.
|
client agent's TLS certificate. The `localhost` DNS SAN is always requested.
|
||||||
|
|
||||||
- `ip_sans` (Defaults to `[]`) This is a list of extra IP SANs to request in the
|
- `ip_sans` (Defaults to `[]`) This is a list of extra IP SANs to request in the
|
||||||
client agent's TLS certficate. The `::1` and `127.0.0.1` IP SANs are always requested.
|
client agent's TLS certificate. The `::1` and `127.0.0.1` IP SANs are always requested.
|
||||||
|
|
||||||
- `authorization` This object controls how a Consul server will authorize `auto_config`
|
- `authorization` This object controls how a Consul server will authorize `auto_config`
|
||||||
requests and in particular how to verify the JWT intro token.
|
requests and in particular how to verify the JWT intro token.
|
||||||
|
@ -1094,7 +1094,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
||||||
- `bind_addr` Equivalent to the [`-bind` command-line flag](#_bind).
|
- `bind_addr` Equivalent to the [`-bind` command-line flag](#_bind).
|
||||||
|
|
||||||
This parameter can be set to a go-sockaddr template that resolves to a single
|
This parameter can be set to a go-sockaddr template that resolves to a single
|
||||||
address. Special characters such as blackslashes `\` or double quotes `"`
|
address. Special characters such as backslashes `\` or double quotes `"`
|
||||||
within a double quoted string value must be escaped with a backslash `\`.
|
within a double quoted string value must be escaped with a backslash `\`.
|
||||||
Some example templates:
|
Some example templates:
|
||||||
|
|
||||||
|
@ -1296,7 +1296,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
|
||||||
|
|
||||||
- `disable_host_node_id` Equivalent to the [`-disable-host-node-id` command-line flag](#_disable_host_node_id).
|
- `disable_host_node_id` Equivalent to the [`-disable-host-node-id` command-line flag](#_disable_host_node_id).
|
||||||
|
|
||||||
- `disable_http_unprintable_char_filter` Defaults to false. Consul 1.0.3 fixed a potential security vulnerability where malicious users could craft KV keys with unprintable chars that would confuse operators using the CLI or UI into taking wrong actions. Users who had data written in older versions of Consul that did not have this restriction will be unable to deletethose values by default in 1.0.3 or later. This setting enables those users to **temporarily** disable the filter such that delete operations can work on those keys again to get back to a healthy state. It is strongly recommended that this filter is not disabled permanently as it exposes the original security vulnerability.
|
- `disable_http_unprintable_char_filter` Defaults to false. Consul 1.0.3 fixed a potential security vulnerability where malicious users could craft KV keys with unprintable chars that would confuse operators using the CLI or UI into taking wrong actions. Users who had data written in older versions of Consul that did not have this restriction will be unable to delete those values by default in 1.0.3 or later. This setting enables those users to **temporarily** disable the filter such that delete operations can work on those keys again to get back to a healthy state. It is strongly recommended that this filter is not disabled permanently as it exposes the original security vulnerability.
|
||||||
|
|
||||||
- `disable_remote_exec` Disables support for remote execution. When set to true, the agent will ignore
|
- `disable_remote_exec` Disables support for remote execution. When set to true, the agent will ignore
|
||||||
any incoming remote exec requests. In versions of Consul prior to 0.8, this defaulted
|
any incoming remote exec requests. In versions of Consul prior to 0.8, this defaulted
|
||||||
|
@ -1351,7 +1351,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
|
||||||
|
|
||||||
- `only_passing` - If set to true, any nodes whose
|
- `only_passing` - If set to true, any nodes whose
|
||||||
health checks are warning or critical will be excluded from DNS results. If false,
|
health checks are warning or critical will be excluded from DNS results. If false,
|
||||||
the default, only nodes whose healthchecks are failing as critical will be excluded.
|
the default, only nodes whose health checks are failing as critical will be excluded.
|
||||||
For service lookups, the health checks of the node itself, as well as the service-specific
|
For service lookups, the health checks of the node itself, as well as the service-specific
|
||||||
checks are considered. For example, if a node has a health check that is critical
|
checks are considered. For example, if a node has a health check that is critical
|
||||||
then all services on that node will be excluded because they are also considered
|
then all services on that node will be excluded because they are also considered
|
||||||
|
@ -1603,7 +1603,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
|
||||||
|
|
||||||
- `leave_on_terminate` If enabled, when the agent receives a TERM signal, it will send a `Leave` message to the rest of the cluster and gracefully leave. The default behavior for this feature varies based on whether or not the agent is running as a client or a server (prior to Consul 0.7 the default value was unconditionally set to `false`). On agents in client-mode, this defaults to `true` and for agents in server-mode, this defaults to `false`.
|
- `leave_on_terminate` If enabled, when the agent receives a TERM signal, it will send a `Leave` message to the rest of the cluster and gracefully leave. The default behavior for this feature varies based on whether or not the agent is running as a client or a server (prior to Consul 0.7 the default value was unconditionally set to `false`). On agents in client-mode, this defaults to `true` and for agents in server-mode, this defaults to `false`.
|
||||||
|
|
||||||
- `license_path` <EnterpriseAlert inline /> This specifies the path to a file that contains the Consul Enterprise license. Alternatively the license may also be specified in either the `CONSUL_LICENSE` or `CONSUL_LICENSE_PATH` environment variables. See the [licensing documentation](/docs/enterprise/license/overview) for more information about Consul Enterprise license management. Added in versions 1.10.0, 1.9.7 and 1.8.13. Prior to version 1.10.0 the value may be set for all agents to faciliate forwards compatibility with 1.10 but will only actually be used by client agents.
|
- `license_path` <EnterpriseAlert inline /> This specifies the path to a file that contains the Consul Enterprise license. Alternatively the license may also be specified in either the `CONSUL_LICENSE` or `CONSUL_LICENSE_PATH` environment variables. See the [licensing documentation](/docs/enterprise/license/overview) for more information about Consul Enterprise license management. Added in versions 1.10.0, 1.9.7 and 1.8.13. Prior to version 1.10.0 the value may be set for all agents to facilitate forwards compatibility with 1.10 but will only actually be used by client agents.
|
||||||
|
|
||||||
- `limits` Available in Consul 0.9.3 and later, this is a nested
|
- `limits` Available in Consul 0.9.3 and later, this is a nested
|
||||||
object that configures limits that are enforced by the agent. Prior to Consul 1.5.2,
|
object that configures limits that are enforced by the agent. Prior to Consul 1.5.2,
|
||||||
|
@ -1903,10 +1903,10 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
|
||||||
|
|
||||||
- `circonus_submission_url` ((#telemetry-circonus_submission_url))
|
- `circonus_submission_url` ((#telemetry-circonus_submission_url))
|
||||||
The `check.config.submission_url` field, of a Check API object, from a previously
|
The `check.config.submission_url` field, of a Check API object, from a previously
|
||||||
created HTTPTRAP check.
|
created HTTPTrap check.
|
||||||
|
|
||||||
- `circonus_check_id` ((#telemetry-circonus_check_id))
|
- `circonus_check_id` ((#telemetry-circonus_check_id))
|
||||||
The Check ID (not **check bundle**) from a previously created HTTPTRAP check.
|
The Check ID (not **check bundle**) from a previously created HTTPTrap check.
|
||||||
The numeric portion of the `check._cid` field in the Check API object.
|
The numeric portion of the `check._cid` field in the Check API object.
|
||||||
|
|
||||||
- `circonus_check_force_metric_activation` ((#telemetry-circonus_check_force_metric_activation)) Force activation of metrics which already exist and are not currently active.
|
- `circonus_check_force_metric_activation` ((#telemetry-circonus_check_force_metric_activation)) Force activation of metrics which already exist and are not currently active.
|
||||||
|
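Review bot: `HTTPTRAP` to `HTTPTrap` is a casing change to a Circonus check type name rather than a spelling fix, in `circonus_submission_url` and `circonus_check_id` here and again in the `@ -1936` hunk. Please confirm which form the Circonus documentation uses before merging, so readers searching for the check type can find it.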
@ -1936,7 +1936,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
|
||||||
portion of `broker._cid` field in a Broker API object. If metric management is
|
portion of `broker._cid` field in a Broker API object. If metric management is
|
||||||
enabled and neither a Submission URL nor Check ID is provided, an attempt will
|
enabled and neither a Submission URL nor Check ID is provided, an attempt will
|
||||||
be made to search for an existing check using Instance ID and Search Tag. If
|
be made to search for an existing check using Instance ID and Search Tag. If
|
||||||
one is not found, a new HTTPTRAP check will be created. By default, this is not
|
one is not found, a new HTTPTrap check will be created. By default, this is not
|
||||||
used and a random Enterprise Broker is selected, or the default Circonus Public
|
used and a random Enterprise Broker is selected, or the default Circonus Public
|
||||||
Broker.
|
Broker.
|
||||||
|
|
||||||
|
|
|
@ -98,7 +98,7 @@ These are some metrics emitted that can help you understand the health of your c
|
||||||
|
|
||||||
**What to look for:** Alert if `healthy` is 0. Some other indicators of an unhealthy cluster would be:
|
**What to look for:** Alert if `healthy` is 0. Some other indicators of an unhealthy cluster would be:
|
||||||
- `consul.raft.commitTime` - This can help reflect the speed of state store
|
- `consul.raft.commitTime` - This can help reflect the speed of state store
|
||||||
changes being performmed by the agent. If this number is rising, the server may
|
changes being performed by the agent. If this number is rising, the server may
|
||||||
be experiencing an issue due to degraded resources on the host.
|
be experiencing an issue due to degraded resources on the host.
|
||||||
- [Leadership change metrics](#leadership-changes) - Check for deviation from
|
- [Leadership change metrics](#leadership-changes) - Check for deviation from
|
||||||
the recommended values. This can indicate failed leadership elections or
|
the recommended values. This can indicate failed leadership elections or
|
||||||
|
@ -320,7 +320,7 @@ This is a full list of metrics emitted by Consul.
|
||||||
| `consul.dns.domain_query.` | Measures the time spent handling a domain query for the given node. | ms | timer |
|
| `consul.dns.domain_query.` | Measures the time spent handling a domain query for the given node. | ms | timer |
|
||||||
| `consul.http...` | DEPRECATED IN 1.9: Tracks how long it takes to service the given HTTP request for the given verb and path. Paths do not include details like service or key names, for these an underscore will be present as a placeholder (eg. `consul.http.GET.v1.kv._`) | ms | timer |
|
| `consul.http...` | DEPRECATED IN 1.9: Tracks how long it takes to service the given HTTP request for the given verb and path. Paths do not include details like service or key names, for these an underscore will be present as a placeholder (eg. `consul.http.GET.v1.kv._`) | ms | timer |
|
||||||
| `consul.system.licenseExpiration` | <EnterpriseAlert inline /> This measures the number of hours remaining on the agents license. | hours | gauge |
|
| `consul.system.licenseExpiration` | <EnterpriseAlert inline /> This measures the number of hours remaining on the agents license. | hours | gauge |
|
||||||
| `consul.version` | Measures the count of running agents. | agents | guage |
|
| `consul.version` | Measures the count of running agents. | agents | gauge |
|
||||||
|
|
||||||
## Server Health
|
## Server Health
|
||||||
|
|
||||||
|
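Review bot: The `consul.system.licenseExpiration` row just above the `guage` fix still says "the agents license". It needs the possessive: "the agent's license".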
@ -373,7 +373,7 @@ These metrics are used to monitor the health of the Consul servers.
|
||||||
| `consul.raft.state.candidate` | Increments whenever a Consul server starts an election. If this increments without a leadership change occurring it could indicate that a single server is overloaded or is experiencing network connectivity issues. | election attempts / interval | counter |
|
| `consul.raft.state.candidate` | Increments whenever a Consul server starts an election. If this increments without a leadership change occurring it could indicate that a single server is overloaded or is experiencing network connectivity issues. | election attempts / interval | counter |
|
||||||
| `consul.raft.state.leader` | Increments whenever a Consul server becomes a leader. If there are frequent leadership changes this may be indication that the servers are overloaded and aren't meeting the soft real-time requirements for Raft, or that there are networking problems between the servers. | leadership transitions / interval | counter |
|
| `consul.raft.state.leader` | Increments whenever a Consul server becomes a leader. If there are frequent leadership changes this may be indication that the servers are overloaded and aren't meeting the soft real-time requirements for Raft, or that there are networking problems between the servers. | leadership transitions / interval | counter |
|
||||||
| `consul.raft.state.follower` | Counts the number of times an agent has entered the follower mode. This happens when a new agent joins the cluster or after the end of a leader election. | follower state entered / interval | counter |
|
| `consul.raft.state.follower` | Counts the number of times an agent has entered the follower mode. This happens when a new agent joins the cluster or after the end of a leader election. | follower state entered / interval | counter |
|
||||||
| `consul.raft.transistion.heartbeat_timeout` | The number of times an agent has transitioned to the Candidate state, after receive no heartbeat messages from the last known leader. | timeouts / interval | counter |
|
| `consul.raft.transition.heartbeat_timeout` | The number of times an agent has transitioned to the Candidate state, after receive no heartbeat messages from the last known leader. | timeouts / interval | counter |
|
||||||
| `consul.raft.verify_leader` | Counts the number of times an agent checks whether it is still the leader or not | checks / interval | Counter |
|
| `consul.raft.verify_leader` | Counts the number of times an agent checks whether it is still the leader or not | checks / interval | Counter |
|
||||||
| `consul.rpc.accept_conn` | Increments when a server accepts an RPC connection. | connections | counter |
|
| `consul.rpc.accept_conn` | Increments when a server accepts an RPC connection. | connections | counter |
|
||||||
| `consul.catalog.register` | Measures the time it takes to complete a catalog register operation. | ms | timer |
|
| `consul.catalog.register` | Measures the time it takes to complete a catalog register operation. | ms | timer |
|
||||||
|
|
|
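Review bot: `consul.raft.transistion.heartbeat_timeout` to `consul.raft.transition.heartbeat_timeout` changes a metric name inside backticks, not prose. Check the name the agent actually emits before merging: anyone who copies the documented name into a dashboard or alert rule gets a silent no-data series if the two differ. In the same row "after receive no heartbeat messages" should read "after receiving", and the `consul.raft.verify_leader` row has `Counter` where the other rows use `counter`.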
@ -184,7 +184,7 @@ the following specific limitations:
|
||||||
`domain` configured for its DNS interface. This might be relaxed in the
|
`domain` configured for its DNS interface. This might be relaxed in the
|
||||||
future.
|
future.
|
||||||
- Tag filters for services are not currently supported (i.e.
|
- Tag filters for services are not currently supported (i.e.
|
||||||
`tag1.web.service.consul`) however the same behaviour can be achieved using a
|
`tag1.web.service.consul`) however the same behavior can be achieved using a
|
||||||
prepared query.
|
prepared query.
|
||||||
- External DNS names, raw IP addresses and so on will cause an error and should
|
- External DNS names, raw IP addresses and so on will cause an error and should
|
||||||
be fetched using a separate `HTTPClient`.
|
be fetched using a separate `HTTPClient`.
|
||||||
|
|
|
@ -345,7 +345,7 @@ will continue to be supported.
|
||||||
Must be one of `STRICT_DNS` or `LOGICAL_DNS`. Details for each type are available in
|
Must be one of `STRICT_DNS` or `LOGICAL_DNS`. Details for each type are available in
|
||||||
the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/v1.17.2/intro/arch_overview/upstream/service_discovery).
|
the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/v1.17.2/intro/arch_overview/upstream/service_discovery).
|
||||||
This option applies to terminating gateways that route to services
|
This option applies to terminating gateways that route to services
|
||||||
addressed by a hostname, such as a managed databased. It also applies to mesh gateways,
|
addressed by a hostname, such as a managed database. It also applies to mesh gateways,
|
||||||
such as when gateways in other Consul datacenters are behind a load balancer that is addressed by a hostname.
|
such as when gateways in other Consul datacenters are behind a load balancer that is addressed by a hostname.
|
||||||
|
|
||||||
## Advanced Configuration
|
## Advanced Configuration
|
||||||
|
|
|
@ -88,7 +88,7 @@ restarting them if they crash. The lifecycle of the proxy process is decoupled
|
||||||
from the agent so if the agent crashes or is restarted for an upgrade, the
|
from the agent so if the agent crashes or is restarted for an upgrade, the
|
||||||
managed proxy instances will _not_ be stopped.
|
managed proxy instances will _not_ be stopped.
|
||||||
|
|
||||||
Note that this behaviour while desirable in production might leave proxy
|
Note that this behavior while desirable in production might leave proxy
|
||||||
processes running indefinitely if you manually stop the agent and clear its
|
processes running indefinitely if you manually stop the agent and clear its
|
||||||
data dir during testing.
|
data dir during testing.
|
||||||
|
|
||||||
|
@ -164,7 +164,7 @@ use namespacing techniques provided by your operating system.
|
||||||
|
|
||||||
-> **Deprecation Note:** versions 1.2.0 to 1.3.0 required specifying `upstreams`
|
-> **Deprecation Note:** versions 1.2.0 to 1.3.0 required specifying `upstreams`
|
||||||
as part of the opaque `config` that is passed to the proxy. However, since
|
as part of the opaque `config` that is passed to the proxy. However, since
|
||||||
1.3.0, the `upstreams` configuration is now specified directily under the
|
1.3.0, the `upstreams` configuration is now specified directly under the
|
||||||
`proxy` key. Old service definitions using the nested config will continue to
|
`proxy` key. Old service definitions using the nested config will continue to
|
||||||
work and have the values copied into the new location. This allows the upstreams
|
work and have the values copied into the new location. This allows the upstreams
|
||||||
to be registered centrally rather than being part of the local-only config
|
to be registered centrally rather than being part of the local-only config
|
||||||
|
|
|
@ -54,7 +54,7 @@ connectInject:
|
||||||
|
|
||||||
It can also be enabled on a per namespace basis by setting the label `consul.hashicorp.com/transparent-proxy=true` on the
|
It can also be enabled on a per namespace basis by setting the label `consul.hashicorp.com/transparent-proxy=true` on the
|
||||||
Kubernetes namespace. This will override the Helm value `connectInject.transparentProxy.defaultEnabled` and define the
|
Kubernetes namespace. This will override the Helm value `connectInject.transparentProxy.defaultEnabled` and define the
|
||||||
default behaviour of Pods in the namespace. For example:
|
default behavior of Pods in the namespace. For example:
|
||||||
```bash
|
```bash
|
||||||
kubectl label namespaces my-app "consul.hashicorp.com/transparent-proxy=true"
|
kubectl label namespaces my-app "consul.hashicorp.com/transparent-proxy=true"
|
||||||
```
|
```
|
||||||
|
|
|
@ -64,7 +64,7 @@ There are several different kinds of checks:
|
||||||
Certificate verification can be turned off by setting the `tls_skip_verify`
|
Certificate verification can be turned off by setting the `tls_skip_verify`
|
||||||
field to `true` in the check definition. When using TLS, the SNI will be set
|
field to `true` in the check definition. When using TLS, the SNI will be set
|
||||||
automatically from the URL if it uses a hostname (as opposed to an IP address);
|
automatically from the URL if it uses a hostname (as opposed to an IP address);
|
||||||
the value can be overriden by setting `tls_server_name`.
|
the value can be overridden by setting `tls_server_name`.
|
||||||
|
|
||||||
- `TCP + Interval` - These checks make a TCP connection attempt to the specified
|
- `TCP + Interval` - These checks make a TCP connection attempt to the specified
|
||||||
IP/hostname and port, waiting `interval` amount of time between attempts
|
IP/hostname and port, waiting `interval` amount of time between attempts
|
||||||
|
|
|
@ -42,7 +42,7 @@ These Consul tools are created and managed by the amazing members of the Consul
|
||||||
- [Dropwizard Consul Bundle](https://github.com/smoketurner/dropwizard-consul) - Service discovery and configuration integration with the [Dropwizard](http://www.dropwizard.io/) framework
|
- [Dropwizard Consul Bundle](https://github.com/smoketurner/dropwizard-consul) - Service discovery and configuration integration with the [Dropwizard](http://www.dropwizard.io/) framework
|
||||||
- [Embedded Consul](https://github.com/pszymczyk/embedded-consul) - Library for JVM based applications, provides easy way to run Consul in integration tests
|
- [Embedded Consul](https://github.com/pszymczyk/embedded-consul) - Library for JVM based applications, provides easy way to run Consul in integration tests
|
||||||
- [fabio](https://github.com/eBay/fabio) - Fast, zero-conf, consul-aware load-balancing HTTP/HTTPS router
|
- [fabio](https://github.com/eBay/fabio) - Fast, zero-conf, consul-aware load-balancing HTTP/HTTPS router
|
||||||
- [files-to-consul-kv](https://github.com/bitsofinfo/files-to-consul-kv) - Ultra simple, configuration free CLI tool for syncing a directory structure of key-value files to Consul KV using the transactions API. Docker image available. Integrates easily into any CICD workflow.
|
- [files-to-consul-kv](https://github.com/bitsofinfo/files-to-consul-kv) - Ultra simple, configuration free CLI tool for syncing a directory structure of key-value files to Consul KV using the transactions API. Docker image available. Integrates easily into any CI/CD workflow.
|
||||||
- [file2consul](https://github.com/joeatbayes/file2consul) - Update Consul values from git or files. Config loader with support for multiple environments. Provides variable expansion, interpolation, inheritance with overrides and ability to update multiple consul servers. Reduces cost of maintaining larger configuration sets between environments by reducing restatement and manual editing of similar or predictably changing config properties. MIT license, Written in GO.
|
- [file2consul](https://github.com/joeatbayes/file2consul) - Update Consul values from git or files. Config loader with support for multiple environments. Provides variable expansion, interpolation, inheritance with overrides and ability to update multiple consul servers. Reduces cost of maintaining larger configuration sets between environments by reducing restatement and manual editing of similar or predictably changing config properties. MIT license, Written in GO.
|
||||||
- [Flightpath](https://docs.flightpath.xyz/) - An xDS server that can configure Envoy to act as an Edge proxy for Consul Connect enabled services
|
- [Flightpath](https://docs.flightpath.xyz/) - An xDS server that can configure Envoy to act as an Edge proxy for Consul Connect enabled services
|
||||||
- [git2consul](https://github.com/ryanbreen/git2consul) - Mirror the contents of a Git repository into Consul KVs
|
- [git2consul](https://github.com/ryanbreen/git2consul) - Mirror the contents of a Git repository into Consul KVs
|
||||||
|
|
|
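Review bot: the `file2consul` entry directly below the corrected `files-to-consul-kv` line still ends with "MIT license, Written in GO" and refers to "multiple consul servers". Since this commit is a spelling pass over the same list, change these to "Written in Go" and "Consul servers" so the language and product names match the capitalization used in the neighbouring entries.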
@ -52,7 +52,7 @@ The license changes do not impact customers with the baked-in licensed binaries.
|
||||||
## Q: What is the product behavior change introduced by the licensing changes?
|
## Q: What is the product behavior change introduced by the licensing changes?
|
||||||
|
|
||||||
Starting with Consul Enterprise 1.10.0, a valid license is required on-disk (auto-loading) or as an environment variable for Consul Enterprise to successfully boot-up.
|
Starting with Consul Enterprise 1.10.0, a valid license is required on-disk (auto-loading) or as an environment variable for Consul Enterprise to successfully boot-up.
|
||||||
The in-storage license feature will not be supported starting with Consul Enteprise 1.10.0+ent. All Consul Enterprise clusters using 1.10.0+ent must ensure that there is a valid license on-disk (auto-loaded) or as an environment variable.
|
The in-storage license feature will not be supported starting with Consul Enterprise 1.10.0+ent. All Consul Enterprise clusters using 1.10.0+ent must ensure that there is a valid license on-disk (auto-loaded) or as an environment variable.
|
||||||
|
|
||||||
## Q: What is the impact on evaluation licenses due to this change?
|
## Q: What is the impact on evaluation licenses due to this change?
|
||||||
|
|
||||||
|
@ -62,7 +62,7 @@ Failure to provide a valid license key will result in the Consul server agent no
|
||||||
|
|
||||||
## Q: Is there a grace period when licenses expire?
|
## Q: Is there a grace period when licenses expire?
|
||||||
|
|
||||||
A license includes an `expiration_date` and a `termination_date`. An enteprise binary will cease to function once the `termination_date` has passed.
|
A license includes an `expiration_date` and a `termination_date`. An enterprise binary will cease to function once the `termination_date` has passed.
|
||||||
Licenses will now have a 24 hrs grace period. The grace period is the time between license expiry until the time it terminates.
|
Licenses will now have a 24 hrs grace period. The grace period is the time between license expiry until the time it terminates.
|
||||||
As Consul Enterprise approaches the expiration date, warnings will be issued in the system logs.
|
As Consul Enterprise approaches the expiration date, warnings will be issued in the system logs.
|
||||||
|
|
||||||
|
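Review bot: the corrected sentence now reads "An enterprise binary will cease to function", while the other sentences in this hunk write the product name as "Consul Enterprise"; "A Consul Enterprise binary" would be consistent. The next context line, "Licenses will now have a 24 hrs grace period. The grace period is the time between license expiry until the time it terminates.", is also worth tidying in the same pass ("24-hour", and "between ... and" rather than "between ... until").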
@ -123,7 +123,7 @@ Please see the [upgrade requirements](faq#q-what-are-the-upgrade-requirements).
|
||||||
1. Run [`consul license get -signed`](/commands/license#get) to extract the license from their running cluster. Store the license in a secure location on disk.
|
1. Run [`consul license get -signed`](/commands/license#get) to extract the license from their running cluster. Store the license in a secure location on disk.
|
||||||
1. Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable.
|
1. Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable.
|
||||||
1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key.
|
1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key.
|
||||||
1. Follow the Consul upgrade [docummentation](/docs/upgrading).
|
1. Follow the Consul upgrade [documentation](/docs/upgrading).
|
||||||
|
|
||||||
### Kubernetes
|
### Kubernetes
|
||||||
|
|
||||||
|
@ -143,7 +143,7 @@ Please see the [upgrade requirements](faq#q-what-are-the-upgrade-requirements).
|
||||||
1. Store the license in a secure location on disk.
|
1. Store the license in a secure location on disk.
|
||||||
1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable.
|
1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable.
|
||||||
Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key.
|
Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key.
|
||||||
1. Follow the Consul upgrade [docummentation](/docs/upgrading).
|
1. Follow the Consul upgrade [documentation](/docs/upgrading).
|
||||||
|
|
||||||
### Kubernetes
|
### Kubernetes
|
||||||
|
|
||||||
|
|
|
@ -265,7 +265,7 @@ multiple cloud providers via APIs.
|
||||||
|
|
||||||
## Mutual Transport Layer Security (mTLS)
|
## Mutual Transport Layer Security (mTLS)
|
||||||
Mutual Transport Layer Security, also known as mTLS, is an authentication
|
Mutual Transport Layer Security, also known as mTLS, is an authentication
|
||||||
mechanishm that ensures network traffic security in both directions between
|
mechanism that ensures network traffic security in both directions between
|
||||||
a client and server.
|
a client and server.
|
||||||
|
|
||||||
## Network Middleware Automation
|
## Network Middleware Automation
|
||||||
|
@ -287,7 +287,7 @@ packet inspection, and application based routing.
|
||||||
|
|
||||||
## Network Visualization
|
## Network Visualization
|
||||||
Network Visualization is the process of visually displaying networks and
|
Network Visualization is the process of visually displaying networks and
|
||||||
connected entitites in a "boxes and lines" kind of a diagram.
|
connected entities in a "boxes and lines" kind of a diagram.
|
||||||
|
|
||||||
In the context of microservices architecture, visualization can provide a clear
|
In the context of microservices architecture, visualization can provide a clear
|
||||||
picture of how services are connected to each other, the service-to-service
|
picture of how services are connected to each other, the service-to-service
|
||||||
|
@ -364,7 +364,7 @@ how to send requests to these service instances.
|
||||||
## Microservice Segmentation
|
## Microservice Segmentation
|
||||||
Microservice segmentation, sometimes visual, of microservices is the
|
Microservice segmentation, sometimes visual, of microservices is the
|
||||||
segmentation in a microservices application architecture that enables
|
segmentation in a microservices application architecture that enables
|
||||||
adminsitrators to view their functions and interactions.
|
administrators to view their functions and interactions.
|
||||||
|
|
||||||
## Service-to-service communication
|
## Service-to-service communication
|
||||||
Service-to-service communication, sometimes referred to as
|
Service-to-service communication, sometimes referred to as
|
||||||
|
|
|
@ -20,7 +20,7 @@ which is the combination of all Kubernetes probes registered with the pod.
|
||||||
1. If the pod is utilizing [Transparent Proxy](/docs/connect/transparent-proxy) mode, the mutating webhook will mutate all `http` based Startup, Liveness, and Readiness probes in the pod to redirect through the Envoy proxy.
|
1. If the pod is utilizing [Transparent Proxy](/docs/connect/transparent-proxy) mode, the mutating webhook will mutate all `http` based Startup, Liveness, and Readiness probes in the pod to redirect through the Envoy proxy.
|
||||||
This is done with [`ExposePaths` configuration](/docs/connect/registration/service-registration#expose-paths-configuration-reference) for each probe so that kubelet can access the endpoint through the Envoy proxy.
|
This is done with [`ExposePaths` configuration](/docs/connect/registration/service-registration#expose-paths-configuration-reference) for each probe so that kubelet can access the endpoint through the Envoy proxy.
|
||||||
|
|
||||||
~> The mutation behaviour can be disabled by either setting the `consul.hashicorp.com/transparent-proxy-overwrite-probes` pod annotation to `false` or the `connectInject.defaultOverwriteProbes` Helm value to `false`.
|
~> The mutation behavior can be disabled by either setting the `consul.hashicorp.com/transparent-proxy-overwrite-probes` pod annotation to `false` or the `connectInject.defaultOverwriteProbes` Helm value to `false`.
|
||||||
|
|
||||||
When readiness probes are set for a pod, the status of the pod will be reflected within Consul and will cause Consul to redirect service
|
When readiness probes are set for a pod, the status of the pod will be reflected within Consul and will cause Consul to redirect service
|
||||||
mesh traffic to the pod based on the pod's health. If the pod has failing health checks, Consul will no longer use
|
mesh traffic to the pod based on the pod's health. If the pod has failing health checks, Consul will no longer use
|
||||||
|
|
|
@ -128,7 +128,7 @@ task {
|
||||||
- `providers` - (list[string]) Providers is the list of provider names the task is dependent on. This is used to map [Terraform provider configuration](#terraform-provider) to the task.
|
- `providers` - (list[string]) Providers is the list of provider names the task is dependent on. This is used to map [Terraform provider configuration](#terraform-provider) to the task.
|
||||||
- `services` - (list[string]) Required depending on [`condition`](#condition) configuration. Services is the list of logical service names or service IDs the task executes on. Consul-Terraform-Sync monitors the Consul Catalog for changes to these services and triggers the task to run. Any service value not explicitly defined by a `service` block with a matching ID is assumed to be a logical service name in the default namespace. Alternative to configuring `services`, a `condition` can be configured so that the task does not trigger on changes to services (default behavior) but instead trigger on a different condition. See [Task Condition](#task-condition) configuration for more details.
|
- `services` - (list[string]) Required depending on [`condition`](#condition) configuration. Services is the list of logical service names or service IDs the task executes on. Consul-Terraform-Sync monitors the Consul Catalog for changes to these services and triggers the task to run. Any service value not explicitly defined by a `service` block with a matching ID is assumed to be a logical service name in the default namespace. Alternative to configuring `services`, a `condition` can be configured so that the task does not trigger on changes to services (default behavior) but instead trigger on a different condition. See [Task Condition](#task-condition) configuration for more details.
|
||||||
- `source` - (string: required) Source is the location the driver uses to fetch task dependencies. The source format is dependent on the driver. For the [Terraform driver](#terraform-driver), the source is the module path (local or remote). Read more on [Terraform module source here](https://www.terraform.io/docs/modules/sources.html).
|
- `source` - (string: required) Source is the location the driver uses to fetch task dependencies. The source format is dependent on the driver. For the [Terraform driver](#terraform-driver), the source is the module path (local or remote). Read more on [Terraform module source here](https://www.terraform.io/docs/modules/sources.html).
|
||||||
- `variable_files` - (list[string]) A list of paths to files containing variables for the task. For the [Terraform driver](#terraform-driver), these are used as Terraform [variable defintion (`.tfvars`) files](https://www.terraform.io/docs/configuration/variables.html#variable-definitions-tfvars-files) and consists of only variable name assignments. The variable assignments must match the corresponding variable declarations available by the Terraform module for the task. Consul-Terraform-Sync will generate the intermediate variable declarations to pass as arguments from the auto-generated root module to the task's module. Variables are loaded in the same order as they appear in the order of the files. Duplicate variables are overwritten with the later value. _Note: unless specified by the module, configure arguments for Terraform providers using [`terraform_provider` blocks](#terraform-provider)._
|
- `variable_files` - (list[string]) A list of paths to files containing variables for the task. For the [Terraform driver](#terraform-driver), these are used as Terraform [variable definition (`.tfvars`) files](https://www.terraform.io/docs/configuration/variables.html#variable-definitions-tfvars-files) and consists of only variable name assignments. The variable assignments must match the corresponding variable declarations available by the Terraform module for the task. Consul-Terraform-Sync will generate the intermediate variable declarations to pass as arguments from the auto-generated root module to the task's module. Variables are loaded in the same order as they appear in the order of the files. Duplicate variables are overwritten with the later value. _Note: unless specified by the module, configure arguments for Terraform providers using [`terraform_provider` blocks](#terraform-provider)._
|
||||||
```hcl
|
```hcl
|
||||||
address_group = "consul-services"
|
address_group = "consul-services"
|
||||||
tags = [
|
tags = [
|
||||||
|
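Review bot: the changed `variable_files` line still has a subject-verb mismatch right after the corrected word: "these are used as Terraform variable definition (`.tfvars`) files and consists of only variable name assignments" should read "consist". The sentence "Variables are loaded in the same order as they appear in the order of the files" on the same line is redundant and worth tightening while the line is being edited.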
@ -234,7 +234,7 @@ driver "terraform" {
|
||||||
- `path` - (string) The file path to install Terraform or discover an existing Terraform binary. If omitted, Terraform will be installed in the same directory as the Consul-Terraform-Sync daemon. To resolve an incompatible Terraform version or to change versions will require removing the existing binary or change to a different path.
|
- `path` - (string) The file path to install Terraform or discover an existing Terraform binary. If omitted, Terraform will be installed in the same directory as the Consul-Terraform-Sync daemon. To resolve an incompatible Terraform version or to change versions will require removing the existing binary or change to a different path.
|
||||||
- `persist_log` - (bool) Enable trace logging for each Terraform client to disk per task. This is equivalent to setting `TF_LOG_PATH=<work_dir>/terraform.log`. Trace log level results in verbose logging and may be useful for debugging and development purposes. We do not recommend enabling this for production. There is no log rotation and may quickly result in large files.
|
- `persist_log` - (bool) Enable trace logging for each Terraform client to disk per task. This is equivalent to setting `TF_LOG_PATH=<work_dir>/terraform.log`. Trace log level results in verbose logging and may be useful for debugging and development purposes. We do not recommend enabling this for production. There is no log rotation and may quickly result in large files.
|
||||||
- `required_providers` - (obj: required) Declare each Terraform provider used across all tasks. This is similar to the [Terraform `terraform.required_providers`](https://www.terraform.io/docs/configuration/provider-requirements.html#requiring-providers) field to specify the source and version for each provider. Consul-Terraform-Sync will process these requirements when preparing each task that uses the provider.
|
- `required_providers` - (obj: required) Declare each Terraform provider used across all tasks. This is similar to the [Terraform `terraform.required_providers`](https://www.terraform.io/docs/configuration/provider-requirements.html#requiring-providers) field to specify the source and version for each provider. Consul-Terraform-Sync will process these requirements when preparing each task that uses the provider.
|
||||||
- `version` - (string) The Terraform version to install and run in automation for task execution. If omittied, the driver will install the latest official release of Terraform. To change versions, remove the existing binary or change the path to install the desired version. Verify that the desired Terraform version is compatible across all Terraform modules used for Consul-Terraform-Sync automation.
|
- `version` - (string) The Terraform version to install and run in automation for task execution. If omitted, the driver will install the latest official release of Terraform. To change versions, remove the existing binary or change the path to install the desired version. Verify that the desired Terraform version is compatible across all Terraform modules used for Consul-Terraform-Sync automation.
|
||||||
- `working_dir` - (string: "sync-tasks") The base working directory to manage Terraform configurations all tasks. The full path of each working directory will have the task identifier appended to the end of the path, e.g. `./sync-tasks/task-name`.
|
- `working_dir` - (string: "sync-tasks") The base working directory to manage Terraform configurations all tasks. The full path of each working directory will have the task identifier appended to the end of the path, e.g. `./sync-tasks/task-name`.
|
||||||
|
|
||||||
## Terraform Provider
|
## Terraform Provider
|
||||||
|
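Review bot: the `working_dir` context line at the end of this hunk is missing a word: "The base working directory to manage Terraform configurations all tasks" should read "configurations for all tasks". The `path` line at the top of the hunk has a similar slip, "will require removing the existing binary or change to a different path", where "changing" is meant.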
@ -357,7 +357,7 @@ terraform_provider "example" {
|
||||||
- `transport` - [(transport block)](#transport) Transport configures the low-level network connection details.
|
- `transport` - [(transport block)](#transport) Transport configures the low-level network connection details.
|
||||||
- `unwrap_token` - (bool) Unwraps the provided Vault token as a wrapped token.
|
- `unwrap_token` - (bool) Unwraps the provided Vault token as a wrapped token.
|
||||||
|
|
||||||
-> Note: Vault credentials are not accessible by tasks and the associated Terraform configurations, including automated Terraform modules. If the task requires Vault, you will need to seprately configure the Vault provider and explicitly include it in the `task.providers` list.
|
-> Note: Vault credentials are not accessible by tasks and the associated Terraform configurations, including automated Terraform modules. If the task requires Vault, you will need to separately configure the Vault provider and explicitly include it in the `task.providers` list.
|
||||||
|
|
||||||
### Multiple Provider Configurations
|
### Multiple Provider Configurations
|
||||||
|
|
||||||
|
|
|
@ -25,7 +25,7 @@ Within the Consul-Terraform-Sync configuration for a task, practitioners can sel
|
||||||
|
|
||||||
The root module is simple in structure and proxies Consul information, configuration, and other variables to the Terraform module for the task. The content of the files that make up the root module are sourced from Consul-Terraform-Sync configuration, information for task's module to use as the automation playbook, and information from Consul such as service information.
|
The root module is simple in structure and proxies Consul information, configuration, and other variables to the Terraform module for the task. The content of the files that make up the root module are sourced from Consul-Terraform-Sync configuration, information for task's module to use as the automation playbook, and information from Consul such as service information.
|
||||||
|
|
||||||
Autogenerated root modules for tasks are stored in local subdirectories of the Terraform working directory. By default, the working directory `sync-tasks` is created in the current directory. To configure where Terraform configuration files are stored, set [`working_dir`](/docs/nia/configuration#working_dir) for the Terraform driver to the desired path.
|
Auto-generated root modules for tasks are stored in local subdirectories of the Terraform working directory. By default, the working directory `sync-tasks` is created in the current directory. To configure where Terraform configuration files are stored, set [`working_dir`](/docs/nia/configuration#working_dir) for the Terraform driver to the desired path.
|
||||||
|
|
||||||
A working directory with one task named "my-task" would have the folder structure below.
|
A working directory with one task named "my-task" would have the folder structure below.
|
||||||
|
|
||||||
|
|
|
@ -80,7 +80,7 @@ environment and adapt these configurations accordingly.
|
||||||
to true to require clients to provide a valid TLS certificate when the Consul HTTPS API is enabled. TLS for the API
|
to true to require clients to provide a valid TLS certificate when the Consul HTTPS API is enabled. TLS for the API
|
||||||
may be not be necessary if it is exclusively served over a loopback interface such as `localhost`.
|
may be not be necessary if it is exclusively served over a loopback interface such as `localhost`.
|
||||||
|
|
||||||
- [`verifing_incoming_rpc`](/docs/agent/options#verify_incoming_rpc) - By default this is false, and should almost
|
- [`verify_incoming_rpc`](/docs/agent/options#verify_incoming_rpc) - By default this is false, and should almost
|
||||||
always be set to true to require clients to provide a valid TLS certificate for Consul agent RPCs.
|
always be set to true to require clients to provide a valid TLS certificate for Consul agent RPCs.
|
||||||
|
|
||||||
- [`verify_outgoing`](/docs/agent/options#verify_outgoing) - By default this is false, and should be set to true to
|
- [`verify_outgoing`](/docs/agent/options#verify_outgoing) - By default this is false, and should be set to true to
|
||||||
|
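Review bot: the context line above the corrected bullet still contains a doubled word, "may be not be necessary if it is exclusively served over a loopback interface"; it should read "may not be necessary". The fix from `verifing_incoming_rpc` to `verify_incoming_rpc` also corrects the displayed name of a TLS option that readers copy into agent configuration, so it deserves a mention in the commit body rather than being covered only by "spelling errors".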
@ -239,7 +239,7 @@ environment and adapt these configurations accordingly.
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
http_config {
|
http_config {
|
||||||
reponse_headers {
|
response_headers {
|
||||||
"X-Frame-Options" = "DENY"
|
"X-Frame-Options" = "DENY"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
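Review bot: `reponse_headers` to `response_headers` inside the `http_config` block is a change to a configuration key in a copy-paste example, not to prose, and the example is the one that sets `"X-Frame-Options" = "DENY"`. Anyone who copied the earlier snippet has that header under a misspelled key, so call this out separately in the commit message and search the rest of the site for other occurrences of `reponse_headers`.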
@ -374,7 +374,7 @@ The following are not part of the threat model for client agents:
|
||||||
to your cluster in certain situations, especially in multi-team deployments. They may accidentally or intentionally
|
to your cluster in certain situations, especially in multi-team deployments. They may accidentally or intentionally
|
||||||
abuse access to Consul components which can help be protected against using Namespace, and Sentinel policies.
|
abuse access to Consul components which can help be protected against using Namespace, and Sentinel policies.
|
||||||
|
|
||||||
- **Application** - A malicious internal application, suchs as a compromised third-party dependency with access to a
|
- **Application** - A malicious internal application, such as a compromised third-party dependency with access to a
|
||||||
Consul agent, along with the TLS certificate or ACL token used by the local agent, could effectively do anything the
|
Consul agent, along with the TLS certificate or ACL token used by the local agent, could effectively do anything the
|
||||||
token permits. Consider enabling HTTPS for the local Consul agent API, enforcing full mutual TLS verification,
|
token permits. Consider enabling HTTPS for the local Consul agent API, enforcing full mutual TLS verification,
|
||||||
segmenting services using namespaces, as well as configuring OS users, groups, and file permissions to build a defense-in-depth approach.
|
segmenting services using namespaces, as well as configuring OS users, groups, and file permissions to build a defense-in-depth approach.
|
||||||
|
|
|
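Review bot: the context sentence just above the corrected **Application** bullet is still hard to parse: "abuse access to Consul components which can help be protected against using Namespace, and Sentinel policies". Consider rewording it along the lines of "abuse access to Consul components; Namespace and Sentinel policies can help protect against this", which also removes the stray comma after "Namespace".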
@ -22,5 +22,5 @@ controls for a cluster. You can read more about the various personas, recommenda
|
||||||
|
|
||||||
[Network Infrastructure Automation](/docs/nia) (NIA) enables dynamic updates to network infrastructure devices triggered
|
[Network Infrastructure Automation](/docs/nia) (NIA) enables dynamic updates to network infrastructure devices triggered
|
||||||
by service changes. Both the core Consul product's configuration and the configuration for the `consul-terraform-sync`
|
by service changes. Both the core Consul product's configuration and the configuration for the `consul-terraform-sync`
|
||||||
daemon used by NIA can affect the security of your deploymnet. You can read more about the various personas,
|
daemon used by NIA can affect the security of your deployment. You can read more about the various personas,
|
||||||
recommendations, requirements, and threats [here](/docs/security/security-models/nia).
|
recommendations, requirements, and threats [here](/docs/security/security-models/nia).
|
||||||
|
|
|
@ -123,7 +123,7 @@ The full list of changes is available here:
|
||||||
- https://www.consul.io/docs/upgrading/upgrade-specific#deprecated-options-have-been-removed
|
- https://www.consul.io/docs/upgrading/upgrade-specific#deprecated-options-have-been-removed
|
||||||
|
|
||||||
You can make sure your config changes are valid by copying your existing configuration files,
|
You can make sure your config changes are valid by copying your existing configuration files,
|
||||||
making the changes, and then verifing them by using `consul validate $CONFIG_FILE1_PATH $CONFIG_FILE2_PATH ...`.
|
making the changes, and then verifying them by using `consul validate $CONFIG_FILE1_PATH $CONFIG_FILE2_PATH ...`.
|
||||||
|
|
||||||
Once your config is passing the validation check, replace your old config files with the new ones
|
Once your config is passing the validation check, replace your old config files with the new ones
|
||||||
and slowly roll your cluster again one server at a time – leaving the leader agent for last in each
|
and slowly roll your cluster again one server at a time – leaving the leader agent for last in each
|
||||||
|
|
|
@ -220,7 +220,7 @@ These are the changes you will need to make:
|
||||||
```
|
```
|
||||||
|
|
||||||
You can make sure your config changes are valid by copying your existing configuration files,
|
You can make sure your config changes are valid by copying your existing configuration files,
|
||||||
making the changes, and then verifing them by using `consul validate $CONFIG_FILE1_PATH $CONFIG_FILE2_PATH ...`.
|
making the changes, and then verifying them by using `consul validate $CONFIG_FILE1_PATH $CONFIG_FILE2_PATH ...`.
|
||||||
|
|
||||||
Once your config is passing the validation check, replace your old config files with the new ones
|
Once your config is passing the validation check, replace your old config files with the new ones
|
||||||
and slowly roll your cluster again one server at a time – leaving the leader agent for last in each
|
and slowly roll your cluster again one server at a time – leaving the leader agent for last in each
|
||||||
|
|