Backport of Fix broken links caught in weekly report into release/1.16.x (#18527)

* backport of commit e7fa8294692de55351dc4dbd17866dc9a4fadfb4

* fix merge conflicts

---------

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
hc-github-team-consul-core 2023-08-29 00:49:37 -05:00 committed by GitHub
parent 5e98e86c3b
commit 523957a881
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 37 additions and 36 deletions

View File

@ -693,10 +693,10 @@ For the `Connect` field, the parameters are:
If this is true, then service mesh proxies, DNS queries, etc. will be able to If this is true, then service mesh proxies, DNS queries, etc. will be able to
service discover this service. service discover this service.
- `Proxy` `(Proxy: nil)` - - `Proxy` `(Proxy: nil)` -
[**Deprecated**](/consul/docs/connect/proxies/managed-deprecated) Specifies that **Deprecated** Specifies that a managed service mesh proxy should be started
a managed service mesh proxy should be started for this service instance, and for this service instance, and optionally provides configuration for the proxy.
optionally provides configuration for the proxy. The format is as documented Managed proxies (which have been deprecated since Consul v1.3.0) have been
in [Managed Proxy Deprecation](/consul/docs/connect/proxies/managed-deprecated). [removed](/consul/docs/connect/proxies) since v1.6.0.
- `SidecarService` `(ServiceDefinition: nil)` - Specifies an optional nested - `SidecarService` `(ServiceDefinition: nil)` - Specifies an optional nested
service definition to register. For more information see service definition to register. For more information see
[Sidecar Service Registration](/consul/docs/connect/registration/sidecar-service). [Sidecar Service Registration](/consul/docs/connect/registration/sidecar-service).
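Review bot: The rewritten `Proxy` description still opens with "Specifies that a managed service mesh proxy should be started for this service instance" in the present tense and only afterwards says managed proxies were removed, so a reader cannot tell what the API does with this field today. Suggest leading with the removal and saying whether the field is ignored or rejected, and tightening "have been [removed] since v1.6.0" to "were removed in v1.6.0".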

View File

@ -40,7 +40,7 @@ execute this command.
| `key:write` | `"_rexec"` prefix | | `key:write` | `"_rexec"` prefix |
| `event:write` | `"_rexec"` prefix | | `event:write` | `"_rexec"` prefix |
In addition to the above, the policy associated with the [agent token](/consul/docs/security/acl/acl-tokens#acl-agent-token) should have `write` on `"_rexec"` key prefix. This is for the agents to read the `exec` command and write its output back to the KV store. In addition to the above, the policy associated with the [agent token](/consul/docs/security/acl/tokens#acl-agent-token) should have `write` on `"_rexec"` key prefix. This policy permits agents to read the `exec` command and write its output back to the KV store.
## Usage ## Usage

View File

@ -909,7 +909,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
- `default` ((#acl_tokens_default)) - When provided, this agent will - `default` ((#acl_tokens_default)) - When provided, this agent will
use this token by default when making requests to the Consul servers use this token by default when making requests to the Consul servers
instead of the [anonymous token](/consul/docs/security/acl/acl-tokens#anonymous-token). instead of the [anonymous token](/consul/docs/security/acl/tokens#anonymous-token).
Consul HTTP API requests can provide an alternate token in their authorization header Consul HTTP API requests can provide an alternate token in their authorization header
to override the `default` or anonymous token on a per-request basis, to override the `default` or anonymous token on a per-request basis,
as described in [HTTP API Authentication](/consul/api-docs/api-structure#authentication). as described in [HTTP API Authentication](/consul/api-docs/api-structure#authentication).

View File

@ -23,7 +23,7 @@ Because each network has different needs and application, you need to find out w
write_rate = 500.0 write_rate = 500.0
} }
``` ```
1. Observe the logs and metrics for your application's typical cycle, such as a 24 hour period. Refer to [Monitor traffic rate limit data](/consul/docs/agent/limits/usage/monitor-rate-limit) for additional information. Call the [`/agent/metrics`](/consul/api-docs/agent#view-metrics) HTTP API endpoint and check the data for the following metrics: 1. Observe the logs and metrics for your application's typical cycle, such as a 24 hour period. Refer to [Monitor traffic rate limit data](/consul/docs/agent/limits/usage/monitor-rate-limits) for additional information. Call the [`/agent/metrics`](/consul/api-docs/agent#view-metrics) HTTP API endpoint and check the data for the following metrics:
- `rpc.rate_limit.exceeded` with value `global/read` for label `limit_type` - `rpc.rate_limit.exceeded` with value `global/read` for label `limit_type`
- `rpc.rate_limit.exceeded` with value `global/write` for label `limit_type` - `rpc.rate_limit.exceeded` with value `global/write` for label `limit_type`

View File

@ -6,7 +6,7 @@ description: Learn how to set read and request rate limits on RPC and gRPC traff
# Limit traffic rates from source IP addresses # Limit traffic rates from source IP addresses
This topic describes how to configure RPC and gRPC traffic rate limits for source IP addresses. This enables you to specify a budget for read and write requests to prevent any single source IP from overwhelming the Consul server and negatively affecting the network. For information about setting global traffic rate limits, refer to [Set a global limit on traffic rates](/consul/docs/agent/limits/usage/set-global-traffic-rate-limits). For an overview of Consul's server rate limiting capabilities, refer to [Limit traffic rates overview](/consul/docs/agent/limits). This topic describes how to configure RPC and gRPC traffic rate limits for source IP addresses. This enables you to specify a budget for read and write requests to prevent any single source IP from overwhelming the Consul server and negatively affecting the network. For information about setting global traffic rate limits, refer to [Set a global limit on traffic rates](/consul/docs/agent/limits/usage/set-global-traffic-rate-limits). For an overview of Consul's server rate limiting capabilities, refer to [Limit traffic rates overview](/consul/docs/agent/limits).
<EnterpriseAlert> <EnterpriseAlert>
@ -69,4 +69,4 @@ $ kubectl apply control-plane-request-limit.yaml
## Disable request rate limits ## Disable request rate limits
Set the [limits.request_limits.mode](/consul/docs/agent/config/config-files#mode-1) in the agent configuration to `disabled` to allow services to exceed the specified read and write requests limits. The `disabled` mode applies to all request rate limits, even limits specified in the [control plane request limits configuration entry](/consul/docs/connect/config-entries/control-plane-request-limit). Note that any other mode specified in the agent configuration only applies to global traffic rate limits. Set the [`limits.request_limits.mode`](/consul/docs/agent/config/config-files#mode-1) in the agent configuration to `disabled` to allow services to exceed the specified read and write requests limits. The `disabled` mode applies to all request rate limits, even limits specifed in the [control plane request limits configuration entry](/consul/docs/connect/config-entries/control-plane-request-limit). Note that any other mode specified in the agent configuration only applies to global traffic rate limits.
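Review bot: The new text in the "Disable request rate limits" paragraph introduces a typo that the old text did not have: "even limits specifed in the" should be "even limits specified in the". The backtick formatting added to `limits.request_limits.mode` is fine; only the spelling needs fixing before merge.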

View File

@ -64,7 +64,7 @@ $ curl http://127.0.0.1:8500/v1/agent/metrics
} }
``` ```
Refer to [Telemetry](/consul/docs/telemetry) for additional information. Refer to [Telemetry](/consul/docs/agent/telemetry) for additional information.
## Request denials ## Request denials

View File

@ -59,4 +59,4 @@ You should continue to monitor request traffic to ensure that request rates rema
## Disable request rate limits ## Disable request rate limits
Set the [`limits.request_limits.mode`](/consul/docs/agent/config/config-files#mode-1) to `disabled` to allow services to exceed the specified read and write requests limits, even limits specified in the [control plane request limits configuration entry](/consul/docs/connect/config-entries/control-plane-request-limit). Note that any other mode specified in the agent configuration only applies to global traffic rate limits. Set the [`limits.request_limits.mode`](/consul/docs/agent/config/config-files#mode-1) to `disabled` to allow services to exceed the specified read and write requests limits, even limits specified in the [control plane request limits configuration entry](/consul/docs/connect/config-entries/control-plane-request-limit). Note that any other mode specified in the agent configuration only applies to global traffic rate limits.

View File

@ -99,7 +99,7 @@ The key after the slash refers to the corresponding option name in the agent con
- `MountPath`/ `mount_path` (`string: <AuthMethod.Type>`) - The mount path of the auth method. - `MountPath`/ `mount_path` (`string: <AuthMethod.Type>`) - The mount path of the auth method.
If not provided the auth method type will be used as the mount path. If not provided the auth method type will be used as the mount path.
- `Params`/`params` (`map: nil`) - The parameters to configure the auth method. The configuration parameters needed will depend on which auth type you are using. Please refer to the Vault Agent auto-auth method documentation for details on their configuration options: [AppRole](/vault/docs/agent/autoauth/methods/approle#configuration), [AWS](/vault/docs/agent/autoauth/methods/aws#configuration), [Azure](/vault/docs/agent/autoauth/methods/azure#configuration), [GCP](/vault/docs/agent/autoauth/methods/gcp#configuration), [JWT](/vault/docs/agent/autoauth/methods/jwt#configuration), [Kubernetes](/vault/docs/agent/autoauth/methods/kubernetes#configuration). - `Params`/`params` (`map: nil`) - The parameters to configure the auth method. The required configuration parameters depend on which auth type you are using. Refer to the Vault Agent auto-auth method documentation for details on their configuration options: [AppRole](/vault/docs/agent-and-proxy/autoauth/methods/approle#configuration), [AWS](/vault/docs/agent-and-proxy/autoauth/methods/aws#configuration), [Azure](/vault/docs/agent-and-proxy/autoauth/methods/azure#configuration), [GCP](/vault/docs/agent-and-proxy/autoauth/methods/gcp#configuration), [JWT](/vault/docs/agent-and-proxy/autoauth/methods/jwt#configuration), [Kubernetes](/vault/docs/agent-and-proxy/autoauth/methods/kubernetes#configuration).
Only the authentication related fields (for example, JWT's `path` and `role`) are supported. The optional management fields (for example: `remove_jwt_after_reading`) are not supported. Only the authentication related fields (for example, JWT's `path` and `role`) are supported. The optional management fields (for example: `remove_jwt_after_reading`) are not supported.

View File

@ -116,7 +116,7 @@ This section provides details about the fields you can configure for the `wasm`
### `Protocol` ### `Protocol`
Specifies the type of Wasm filter to apply. You can set either `tcp` or `http`. Set the `Protocol` to the protocol that the Wasm plugin implements when loaded by the filter. For Consul to apply the filter, the protocol must match the services protocol. Specifies the type of Wasm filter to apply. You can set either `tcp` or `http`. Set the `Protocol` to the protocol that the Wasm plugin implements when loaded by the filter. For Consul to apply the filter, the protocol must match the service's protocol.
#### Values #### Values
@ -360,7 +360,7 @@ Specifies the number of times Envoy retries to fetch plugin data if the initial
### `PluginConfig{}.VmConfig{}.Configuration` ### `PluginConfig{}.VmConfig{}.Configuration`
Specifies the configuration Envoy encodes as bytes and passes to the plugin during VM startup. Refer to [`proxy_on_vm_start` in the Proxy Wasm ABI documentation](https://github.com/proxy-wasm/spec/tree/master/abi-versions/vNEXT#proxy_on_vm_start) for additional information. Specifies the configuration Envoy encodes as bytes and passes to the plugin during VM startup. Refer to [`proxy_on_vm_start` in the Proxy Wasm ABI documentation](https://github.com/proxy-wasm/spec/tree/cefc2cbab70eaba2c187523dff0b38fce2f90771/abi-versions/vNEXT#proxy_on_vm_start) for additional information.
#### Values #### Values
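Review bot: The `proxy_on_vm_start` link is now pinned to commit `cefc2cbab70eaba2c187523dff0b38fce2f90771` but still points at `abi-versions/vNEXT`, so the docs will keep referencing one snapshot of a directory whose name marks it as unreleased. If the pin is deliberate to stop the link from breaking again, note that in the PR description; otherwise consider linking to a released ABI version directory if one documents this callback.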
@ -370,11 +370,11 @@ Specifies the configuration Envoy encodes as bytes and passes to the plugin duri
### `PluginConfig{}.VmConfig{}.EnvironmentVariables{}` ### `PluginConfig{}.VmConfig{}.EnvironmentVariables{}`
Specifies environment variables for Envoy to inject into this VM so that they are available through WASI's `environ_get` and `environ_get_sizes` system calls. Specifies environment variables for Enovy to inject into this VM so that they are available through WASI's `environ_get` and `environ_get_sizes` system calls.
In most cases, WASI calls the functions implicitly in your language's standard library. As a result, you do not need to call them directly. You can also access environment variables as you would on native platforms. In most cases, WASI calls the functions implicitly in your language's standard library. As a result, you do not need to call them directly. You can also access environment variables as you would on native platforms.
Envoy rejects the configuration if theres conflict of key space. Envoy rejects the configuration if there is a key space conflict.
The `EnvironmentVariables` field is a map containing parameters for setting the keys and values. The `EnvironmentVariables` field is a map containing parameters for setting the keys and values.
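Review bot: The first paragraph under `PluginConfig{}.VmConfig{}.EnvironmentVariables{}` now reads "for Enovy to inject into this VM", a misspelling of "Envoy" that the old text did not have. The other change in this hunk ("if there is a key space conflict") reads well; please correct the spelling in the same pass.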
@ -387,12 +387,12 @@ The following table describes the parameters contained in the `EnvironmentVariab
| Parameter | Description | Data type | Default | | Parameter | Description | Data type | Default |
| --- | --- | --- | --- | | --- | --- | --- | --- |
| `HostEnvKeys` | Specifies a list of Envoy environment variable keys to expose to the VM. If a key exists in Envoys environment variables, then the key-value pair is injected. Envoy ignores `HostEnvKeys` that do not exist in its environment variables. | List | None | | `HostEnvKeys` | Specifies a list of Envoy environment variable keys to expose to the VM. If a key exists in Envoy's environment variables, then the key-value pair is injected. Envoy ignores `HostEnvKeys` that do not exist in its environment variables. | List | None |
| `KeyValues` | Specifies a map of explicit key-value pairs to inject into the VM. | <nobr>Map of </nobr>string keys and values | None | | `KeyValues` | Specifies a map of explicit key-value pairs to inject into the VM. | <nobr>Map of </nobr>string keys and values | None |
### `PluginConfig{}.Configuration` ### `PluginConfig{}.Configuration`
Specifies the configuration Consul encodes as bytes and passes to the plugin during plugin startup. Refer to [`proxy_on_configure` in the Envoy documentation](https://github.com/proxy-wasm/spec/tree/master/abi-versions/vNEXT#proxy_on_configure) for additional information. Specifies the configuration Consul encodes as bytes and passes to the plugin during plugin startup. Refer to [`proxy_on_configure` in the Envoy documentation](https://github.com/proxy-wasm/spec/tree/cefc2cbab70eaba2c187523dff0b38fce2f90771/abi-versions/vNEXT#proxy_on_configure) for additional information.
#### Values #### Values
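Review bot: In the `PluginConfig{}.Configuration` paragraph the link text still says "`proxy_on_configure` in the Envoy documentation" while the target is `github.com/proxy-wasm/spec`, and the sibling `proxy_on_vm_start` link calls the same repository "the Proxy Wasm ABI documentation". Since this line is being edited anyway, suggest aligning the link text with the sibling so readers know they are leaving the Envoy docs.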

View File

@ -53,7 +53,7 @@ the AWS IAM auth method.
## ACL controller ## ACL controller
1. Create a policy that grants `acl:write` and `operator:write` access for the controller. Refer to the [ACL policies documentation](/consul/docs/security/acl/acl-policies) for instructions. 1. Create a policy that grants `acl:write` and `operator:write` access for the controller. Refer to the [ACL policies documentation](/consul/docs/security/acl/acl-policies) for instructions.
1. Create a token and link it to the ACL controller policy. Refer to the [ACL tokens documentation](/consul/docs/security/acl/acl-tokens) for instructions. 1. Create a token and link it to the ACL controller policy. Refer to the [ACL tokens documentation](/consul/docs/security/acl/tokens) for instructions.
1. Create a Secrets Manager secret containing the ACL controller's token and a Secrets Manager secret containing the Consul CA cert. 1. Create a Secrets Manager secret containing the ACL controller's token and a Secrets Manager secret containing the Consul CA cert.
```hcl ```hcl

View File

@ -101,7 +101,7 @@ Available Enterprise features per Consul form and license include:
| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | No | Yes | With Global Visibility, Routing, and Scale module | | [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | No | Yes | With Global Visibility, Routing, and Scale module |
| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | No | Yes | Yes | | [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | No | Yes | Yes |
| [Redundancy Zones](/consul/docs/enterprise/redundancy) | Not applicable | Yes | With Global Visibility, Routing, and Scale module | | [Redundancy Zones](/consul/docs/enterprise/redundancy) | Not applicable | Yes | With Global Visibility, Routing, and Scale module |
| [Sameness Groups](/consul/docs/connect/config-entries/samenes-group) | No | Yes | N/A | | [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | No | Yes | N/A |
| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | All tiers | Yes | With Governance and Policy module | | [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | All tiers | Yes | With Governance and Policy module |
@ -129,7 +129,7 @@ Consul Enterprise feature availability can change depending on your server and c
| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | &#9989; | &#10060; | &#10060; | | [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | &#9989; | &#10060; | &#10060; |
| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | &#9989; | &#9989; | &#9989; | | [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | &#9989; | &#9989; | &#9989; |
| [Redundancy Zones](/consul/docs/enterprise/redundancy) | &#9989; | &#9989; | &#9989; | | [Redundancy Zones](/consul/docs/enterprise/redundancy) | &#9989; | &#9989; | &#9989; |
| [Sameness Groups](/consul/docs/connect/config-entries/samenes-group) | &#9989; | &#9989; | &#9989; | | [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | &#9989; | &#9989; | &#9989; |
| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | &#9989; | &#9989; | &#9989; | | [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | &#9989; | &#9989; | &#9989; |
</Tab> </Tab>
@ -149,7 +149,7 @@ Consul Enterprise feature availability can change depending on your server and c
| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | &#10060; | &#10060; | &#10060; | | [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | &#10060; | &#10060; | &#10060; |
| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | &#9989; | &#9989; | &#9989; | | [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | &#9989; | &#9989; | &#9989; |
| [Redundancy Zones](/consul/docs/enterprise/redundancy) | &#10060; | &#10060; | &#10060; | | [Redundancy Zones](/consul/docs/enterprise/redundancy) | &#10060; | &#10060; | &#10060; |
| [Sameness Groups](/consul/docs/connect/config-entries/samenes-group) | &#9989; | &#9989; | &#9989; | | [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | &#9989; | &#9989; | &#9989; |
| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | &#9989; | &#9989; | &#9989; | | [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | &#9989; | &#9989; | &#9989; |
</Tab> </Tab>
@ -169,7 +169,7 @@ Consul Enterprise feature availability can change depending on your server and c
| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | &#10060; | &#10060; | &#10060; | | [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | &#10060; | &#10060; | &#10060; |
| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | &#10060; | &#10060; | &#10060; | | [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | &#10060; | &#10060; | &#10060; |
| [Redundancy Zones](/consul/docs/enterprise/redundancy) | n/a | n/a | n/a | | [Redundancy Zones](/consul/docs/enterprise/redundancy) | n/a | n/a | n/a |
| [Sameness Groups](/consul/docs/connect/config-entries/samenes-group) | &#9989; | &#9989; | &#9989; | | [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | &#9989; | &#9989; | &#9989; |
| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | &#9989; | &#9989; | &#9989; | | [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | &#9989; | &#9989; | &#9989; |
</Tab> </Tab>

View File

@ -10,7 +10,7 @@ This topic describes how to run Consul in permissive mTLS mode so that you can s
## Background ## Background
When [transparent proxy mode](/consul/docs/k8s/transparent-proxy/) is enabled, all service-to-service traffic is secured by mTLS. Until the services that you want to add to the network are fully onboarded, your network may have a mix of mTLS and non-mTLS traffic, which can result in broken service-to-service communication. This situation occurs because sidecar proxies for existing mesh services reject traffic from services that are not yet onboarded. When [transparent proxy mode](/consul/docs/k8s/connect/transparent-proxy) is enabled, all service-to-service traffic is secured by mTLS. Until the services that you want to add to the network are fully onboarded, your network may have a mix of mTLS and non-mTLS traffic, which can result in broken service-to-service communication. This situation occurs because sidecar proxies for existing mesh services reject traffic from services that are not yet onboarded.
You can enable the `permissive` mTLS mode to ensure existing non-mTLS service-to-service traffic is allowed during the onboarding phase. The `permissive` mTLS mode enables sidecar proxies to accept both mTLS and non-mTLS traffic to an application. Using this mode enables you to onboard without downtime and without being required to reconfigure or redeploy your application. You can enable the `permissive` mTLS mode to ensure existing non-mTLS service-to-service traffic is allowed during the onboarding phase. The `permissive` mTLS mode enables sidecar proxies to accept both mTLS and non-mTLS traffic to an application. Using this mode enables you to onboard without downtime and without being required to reconfigure or redeploy your application.

View File

@ -258,7 +258,8 @@ You'll need:
} }
} }
``` ```
1. If ACLs are enabled you'll also need to modify the [anonymous token](/consul/docs/security/acl/acl-tokens#anonymous-token) policy to have the following permissions:
1. If ACLs are enabled you must also modify the [anonymous token](/consul/docs/security/acl/tokens#anonymous-token) policy to have the following permissions:
```hcl ```hcl
node_prefix "" { node_prefix "" {

View File

@ -23,7 +23,7 @@ description: >-
- The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that all tokens and policies have been migrated to the newer ACL system. Complete the [Migrate Legacy ACL Tokens](/consul/tutorials/security-operations/access-control-token-migration) tutorial to learn more. - The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that all tokens and policies have been migrated to the newer ACL system. Complete the [Migrate Legacy ACL Tokens](/consul/tutorials/security-operations/access-control-token-migration) tutorial to learn more.
- The `agent_master` ACL token has been renamed to `agent_recovery` ACL token. In addition, the `consul acl set-agent-token master` command has been replaced with `consul acl set-agent-token recovery`. See [ACL Agent Recovery Token](/consul/docs/security/acl/acl-tokens#acl-agent-recovery-token) and [Consul ACL Set Agent Token](/consul/commands/acl/set-agent-token) for more information. - The `agent_master` ACL token has been renamed to `agent_recovery` ACL token. In addition, the `consul acl set-agent-token master` command has been replaced with `consul acl set-agent-token recovery`. Refer to [ACL Agent Recovery Token](/consul/docs/security/acl/tokens#acl-agent-recovery-token) and [Consul ACL Set Agent Token](/consul/commands/acl/set-agent-token) for more information.
- Drops support for Envoy versions 1.15.x and 1.16.x - Drops support for Envoy versions 1.15.x and 1.16.x

View File

@ -30,7 +30,7 @@ description: >-
- The `disable_compat_1.9` option now defaults to true. Metrics formatted in the style of version 1.9, such as `consul.http...`, can still be enabled by setting disable_compat_1.9 = false. However, these metrics will be removed in 1.13. - The `disable_compat_1.9` option now defaults to true. Metrics formatted in the style of version 1.9, such as `consul.http...`, can still be enabled by setting disable_compat_1.9 = false. However, these metrics will be removed in 1.13.
- The `agent_master` ACL token has been renamed to `agent_recovery` ACL token. In addition, the `consul acl set-agent-token master` command has been replaced with `consul acl set-agent-token recovery`. Refer to [ACL Agent Recovery Token](/consul/docs/security/acl/acl-tokens#acl-agent-recovery-token) and [Consul ACL Set Agent Token](/consul/commands/acl/set-agent-token) for more information. - The `agent_master` ACL token has been renamed to `agent_recovery` ACL token. In addition, the `consul acl set-agent-token master` command has been replaced with `consul acl set-agent-token recovery`. Refer to [ACL Agent Recovery Token](/consul/docs/security/acl/tokens#acl-agent-recovery-token) and [Consul ACL Set Agent Token](/consul/commands/acl/set-agent-token) for more information.
- If TLS min versions and max versions are not specified, the TLS min/max versions default to the following values. For details on how to configure TLS min and max, refer to the [Mesh TLS config entry](/consul/docs/connect/config-entries/mesh#tls) or CRD documentation. - If TLS min versions and max versions are not specified, the TLS min/max versions default to the following values. For details on how to configure TLS min and max, refer to the [Mesh TLS config entry](/consul/docs/connect/config-entries/mesh#tls) or CRD documentation.
- Incoming connections: TLS 1.2 for min0 version, TLS 1.3 for max version - Incoming connections: TLS 1.2 for min0 version, TLS 1.3 for max version
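Review bot: The last context line of this hunk reads "TLS 1.2 for min0 version", which looks like a stray character in "min version" and sits two lines below the link being fixed. It is in the TLS defaults list, where an exact reading matters to operators, so it is worth correcting in this pass. On the preceding bullet, `disable_compat_1.9 = false` is also missing the code formatting used for the option name earlier in the same sentence.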

View File

@ -180,7 +180,7 @@ $ consul join -token="ACL_MANAGEMENT_TOKEN" -wan [server 1, server 2, ...]
## Configure Clients in Secondary Datacenters ## Configure Clients in Secondary Datacenters
When ACLs are enabled, client agents need a special token known as the [`agent token`](/consul/docs/security/acl/acl-tokens#acl-agent-token) to perform internal operations. Agent tokens need to have the right policies for node related actions, including When ACLs are enabled, client agents need a special token known as the [`agent token`](/consul/docs/security/acl/tokens#acl-agent-token) to perform internal operations. Agent tokens need to have the right policies for node related actions, including
registering itself in the catalog, updating node level health checks, and performing [anti-entropy](/consul/docs/architecture/anti-entropy) syncing. registering itself in the catalog, updating node level health checks, and performing [anti-entropy](/consul/docs/architecture/anti-entropy) syncing.
### Generate Agent ACL Token ### Generate Agent ACL Token

View File

@ -11,7 +11,7 @@ This topic describes policies, which are components in Consul's access control l
## Introduction ## Introduction
A policy is a group of one or more ACL rules that are linked to [ACL tokens](/consul/docs/security/acl/acl-tokens). The following diagram describes the relationships between rules, policies, and tokens: A policy is a group of one or more ACL rules that are linked to [ACL tokens](/consul/docs/security/acl/tokens). The following diagram describes the relationships between rules, policies, and tokens:
![ACL system component relationships](/img/acl-token-policy-rule-relationship.png) ![ACL system component relationships](/img/acl-token-policy-rule-relationship.png)
@ -326,7 +326,7 @@ A policy that has been implemented must still be linked to a token before the po
The person responsible for administrating ACLs can use the command line or call the API endpoint to link policies to tokens. Tokens can also be generated dynamically from an external system using Consul's [auth methods](/consul/docs/security/acl/auth-methods) functionality. The person responsible for administrating ACLs can use the command line or call the API endpoint to link policies to tokens. Tokens can also be generated dynamically from an external system using Consul's [auth methods](/consul/docs/security/acl/auth-methods) functionality.
Refer to the [tokens documentation](/consul/docs/security/acl/acl-tokens), as well as the [ACL tutorial](/consul/tutorials/security/access-control-setup-production#create-the-agent-token), for details about creating and linking policies to tokens. Refer to the [tokens documentation](/consul/docs/security/acl/tokens), as well as the [ACL tutorial](/consul/tutorials/security/access-control-setup-production#create-the-agent-token), for details about creating and linking policies to tokens.
## Policy Attributes ## Policy Attributes

View File

@ -41,7 +41,7 @@ ACL tokens are the core method of authentication in Consul. Tokens contain sever
Refer to the following topics for details about tokens: Refer to the following topics for details about tokens:
- [Tokens](/consul/docs/security/acl/acl-tokens) - [Tokens](/consul/docs/security/acl/tokens)
- [ACL token command line](/consul/commands/acl/token) - [ACL token command line](/consul/commands/acl/token)
- [ACL tokens API](/consul/api-docs/acl/tokens) - [ACL tokens API](/consul/api-docs/acl/tokens)

View File

@ -18,7 +18,7 @@ All versions of Consul support DNS lookup features.
If ACLs are enabled, you must present a token linked with the necessary policies. We recommend using a separate token in production deployments for querying the DNS. By default, Consul agents resolve DNS requests using the preconfigured tokens in order of precedence: If ACLs are enabled, you must present a token linked with the necessary policies. We recommend using a separate token in production deployments for querying the DNS. By default, Consul agents resolve DNS requests using the preconfigured tokens in order of precedence:
The agent's [`default` token](/consul/docs/agent/config/config-files#acl_tokens_default) The agent's [`default` token](/consul/docs/agent/config/config-files#acl_tokens_default)
The built-in [`anonymous` token](/consul/docs/security/acl/acl-tokens#built-in-tokens). The built-in [`anonymous` token](/consul/docs/security/acl/tokens#built-in-tokens).
The following table describes the available DNS lookups and required policies when ACLs are enabled: The following table describes the available DNS lookups and required policies when ACLs are enabled:

View File

@ -777,9 +777,9 @@ Starting with Consul 1.7.1 this is the new default.
#### Removal of Deprecated Features #### Removal of Deprecated Features
Managed proxies (which have been [deprecated](/consul/docs/connect/proxies/managed-deprecated) Managed proxies, which are deprecated since Consul v1.3.0, have now been
since Consul 1.3.0) have now been [removed](/consul/docs/connect/proxies). Before [removed](/consul/docs/connect/proxies). Before upgrading, you must
upgrading, you will need to migrate any managed proxy usage to [sidecar service migrate any managed proxy usage to [sidecar service
registrations](/consul/docs/connect/registration/sidecar-service). registrations](/consul/docs/connect/registration/sidecar-service).
## Consul 1.4.0 ## Consul 1.4.0
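Review bot: The rewritten sentence "Managed proxies, which are deprecated since Consul v1.3.0, have now been removed" mixes tenses; "which were deprecated in Consul 1.3.0" reads correctly. The change also switches the version to "v1.3.0" while the surrounding headings on this page use the unprefixed form ("## Consul 1.4.0", "Starting with Consul 1.7.1"), so suggest keeping "Consul 1.3.0" here for consistency.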