Doc changes for 1.4 Final (#4870)

* website: add multi-dc enterprise landing page

* website: switch all 1.4.0 alerts/RC warnings

* website: connect product wording

Co-Authored-By: pearkes <jackpearkes@gmail.com>

* website: remove RC notification

* commmand/acl: fix usage docs for ACL tokens

* agent: remove comment, OperatorRead

* website: improve multi-dc docs

Still not happy with this but tried to make it slightly more informative.

* website: put back acl guide warning for 1.4.0

* website: simplify multi-dc page and respond to feedback

* Fix Multi-DC typos on connect index page.

* Improve Multi-DC overview.

A full guide is a WIP and will be added post-release.

* Fixes typo avaiable > available

agent/agent_endpoint.go

@@ -1480,8 +1480,7 @@ func (s *HTTPServer) AgentHost(resp http.ResponseWriter, req *http.Request) (int
 	if err != nil {
 		return nil, err
 	}
-	// TODO(pearkes): Is agent:read appropriate here? There could be relatively
+
-	// sensitive information made available in this API
 	if rule != nil && !rule.OperatorRead() {
 		return nil, acl.ErrPermissionDenied
 	}

command/acl/token/token.go

@@ -27,11 +27,30 @@ const synopsis = "Manage Consul's ACL Tokens"
 const help = `
 Usage: consul acl token <subcommand> [options] [args]
 
-  This command has subcommands for managing Consul's ACL Policies.
+  This command has subcommands for managing Consul ACL tokens.
   Here are some simple examples, and more detailed examples are available
   in the subcommands or the documentation.
 
-  TODO - more docs
+  Create a new ACL Token:
+
+      $ consul acl token create \
+                                 -description "This is an example token" \
+                                 -policy-id 06acc965
+  List all tokens:
+
+      $ consul acl token list
+
+  Update a token:
+
+      $ consul acl token update -id 986193 -description "WonderToken"
+
+  Read a token with an accessor ID:
+
+    $ consul acl token read -id 986193
+
+  Delete a token
+
+    $ consul acl token delete -id 986193
 
   For more examples, ask for subcommand help or view the documentation.
 `

website/source/docs/commands/debug.html.markdown.erb

@@ -6,8 +6,6 @@ sidebar_current: "docs-commands-debug"
 
 # Consul Debug
 
--> **1.4.0+:** This command is only available in Consul versions 1.4.0 and later.
-
 Command: `consul debug`
 
 The `consul debug` command monitors a Consul agent for the specified period of

website/source/docs/connect/index.html.md

@@ -124,14 +124,15 @@ a long period of inactivity (3 days by default), the cache will empty itself.
 
 ## Multi-Datacenter
 
-Connect currently only works for service-to-service connections within a
+Using Connect for service-to-service communications across multiple datacenters 
-single Consul datacenter. Connect may be enabled on multiple Consul datacenters,
+requires Consul Enterprise. 
-but only services within the same datacenters can establish Connect-based
+
-connections.
+With Open Source Consul, Connect may be enabled on multiple Consul datacenters, 
-CA configurations and intentions are both local to their respective datacenters;
+but only services within the same datacenter can establish Connect-based, 
+Authenticated and Authorized connections. In this version, Certificate Authority
+configurations and intentions are both local to their respective datacenters; 
 they are not replicated across datacenters.
 
-Multi-datacenter support for Connect is under development and will be
+Full multi-datacenter support for Connect is available in
-released as a feature of Consul Enterprise in late 2018. This feature will
+[Consul Enterprise](/docs/enterprise/connect-multi-datacenter/index.html).
-facilitate intention replication, datacenter constraints on intentions,
+
-CA state replication, multi-datacenter certificate rotations, and more.

website/source/docs/enterprise/connect-multi-datacenter/index.html.md

@@ -0,0 +1,53 @@
+---
+layout: "docs"
+page_title: "Consul Enterprise Multi-Datacenter Connect"
+sidebar_current: "docs-enterprise-connect-multi-datacenter"
+description: |-
+  Consul Enterprise supports cross datacenter connections using Consul Connect.
+---
+
+# Consul Connect Multi-Datacenter
+
+[Consul Enterprise](https://www.hashicorp.com/consul.html) enables service-to-service
+connections across multiple Consul datacenters. This includes replication of intentions
+and federation of Certificate Authority trust.
+
+Sidecar proxy's [upstream configuration](/docs/connect/proxies.html#upstream-configuration-reference) 
+may specify an alternative datacenter or a prepared query that can address services 
+in multiple datacenters (such as the [geo failover](/docs/guides/geo-failover.html) pattern).
+
+[Intentions](/docs/connect/intentions.html) verify connections between services by 
+source and destination name seamlessly across datacenters. Support for constraining Intentions 
+by source or destination datacenter is planned for the near future.
+
+It is assumed that workloads can communicate between datacenters via existing network 
+routes and VPN tunnels, potentially using Consul's 
+[`translate_wan_addrs`](/docs/agent/options.html#translate_wan_addrs) to ensure remote 
+workloads discover an externally routable IP.
+
+# Replication
+
+Intention replication happens automatically but requires the [`primary_datacenter`](/docs/agent/options.html#primary_datacenter)
+configuration to be set to specify a datacenter that is authorative
+for intentions. In production setups with ACLs enabled, the [replication token](/docs/agent/options.html#acl_tokens_replication)
+must also be set in secondary datacenter server's configuration.
+
+# Certificate Authority Federation
+
+The primary datacenter also acts as the root Certificate Authority (CA) for Connect. 
+The primary datacenter generates a trust-domain UUID and obtains a root certificate 
+from the configured CA provider which defaults to the built-in one. 
+
+Secondary datacenters fetch the root CA public key and trust-domain ID from the primary and 
+generate their own key and Certificate Signing Request (CSR) for an intermediate CA certificate. 
+This CSR is signed by the root in the primary datacenter and the certificate is returned. 
+The secondary datacenter can now use this intermediate to sign new Connect certificates 
+in the secondary datacenter without WAN communication. CA keys are never replicated between 
+datacenters.
+
+The secondary maintains watches on the root CA certificate in the primary. If the CA root
+changes for any reason such as rotation or migration to a new CA, the secondary automatically
+generates new keys and has them signed by the primary datacenter's new root before initiating
+an automatic rotation of all issued certificates in use throughout the secondary datacenter. 
+This makes CA root key rotation fully automatic and with zero downtime across multiple data 
+centers.

website/source/docs/guides/acl-legacy.html.md

@@ -6,7 +6,7 @@ description: |-
   Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways.
 ---
 
--> **1.3.0 and earlier:** This guide only applies in Consul versions 1.3.0 and before. If you are using the 1.4.0 RC please use the updated guide [here](/docs/guides/acl.html)
+-> **1.3.0 and earlier:** This guide only applies in Consul versions 1.3.0 and before. If you are using the 1.4.0 or later please use the updated guide [here](/docs/guides/acl.html)
 
 
 # Deprecation Notice

website/source/docs/guides/acl.html.md

@@ -6,7 +6,7 @@ description: |-
   Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways.
 ---
 
--> **1.4.0+:** This guide only applies in Consul versions 1.4.0 and later. The documentation for the legacy ACL system [here](/docs/guides/acl-legacy.html)
+-> **1.4.0 and later:** This guide only applies in Consul versions 1.4.0 and later. The documentation for the legacy ACL system is [here](/docs/guides/acl-legacy.html)
 
 # ACL System
 

website/source/downloads.html.erb

@@ -8,12 +8,6 @@ description: |-
 
 <h1>Download Consul</h1>
 
-<div class="alert alert-info" id="rc-1-4" role="alert">
-  <p><strong>1.4.0 RC Available:</strong> Read more about the new features coming in 1.4.0 in the
-  <a href="https://groups.google.com/forum/#!topic/consul-tool/bqEiL5EcnlA">announcement post</a>. Binaries can be accessed on <a href="https://releases.hashicorp.com/consul/">releases.hashicorp.com</a>.
-  </p>
-</div>
-
 <section class="downloads">
   <div class="description row">
     <div class="col-md-12">

website/source/index.html.erb

@@ -11,9 +11,6 @@ description: |-
       <div>
         <div>
           <div>
-            <a class='notification' href='https://groups.google.com/forum/#!topic/consul-tool/bqEiL5EcnlA'>
-              <span>New</span> HashiCorp Consul 1.4: Connect out of Beta. Try the RC now <span><svg xmlns='http://www.w3.org/2000/svg' width='6' height='10' viewBox='0 0 6 10'><path fill='#650D34' d='M1.138.529a.666.666 0 1 0-.942.943L3.724 5 .195 8.53a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z'/></svg><span>
-            </a>
             <h1>Service Mesh Made Easy</h1>
             <p>Consul is a distributed service mesh to connect, secure, and configure services across any runtime platform and public or private cloud</p>
             <a href='/downloads.html' class='g-btn download'>

website/source/layouts/docs.erb

@@ -287,7 +287,7 @@
       </li>
 
       <li<%= sidebar_current("docs-connect") %>>
-        <a href="/docs/connect/index.html">Connect (Beta)</a>
+        <a href="/docs/connect/index.html">Connect</a>
         <ul class="nav">
           <li<%= sidebar_current("docs-connect-config") %>>
             <a href="/docs/connect/configuration.html">Configuration</a>
@@ -477,6 +477,9 @@
           <li<%= sidebar_current("docs-enterprise-federation") %>>
             <a href="/docs/enterprise/federation/index.html">Advanced Federation</a>
           </li>
+          <li<%= sidebar_current("docs-enterprise-connect-multi-datacenter") %>>
+            <a href="/docs/enterprise/connect-multi-datacenter/index.html">Connect Multi-Datacenter</a>
+          </li>
           <li<%= sidebar_current("docs-enterprise-network-segments") %>>
             <a href="/docs/enterprise/network-segments/index.html">Network Segments</a>
           </li>