Doc changes for 1.4 Final (#4870)
* website: add multi-dc enterprise landing page
* website: switch all 1.4.0 alerts/RC warnings
* website: connect product wording
  Co-Authored-By: pearkes <jackpearkes@gmail.com>
* website: remove RC notification
* command/acl: fix usage docs for ACL tokens
* agent: remove comment, OperatorRead
* website: improve multi-dc docs
  Still not happy with this but tried to make it slightly more informative.
* website: put back acl guide warning for 1.4.0
* website: simplify multi-dc page and respond to feedback
* Fix Multi-DC typos on connect index page.
* Improve Multi-DC overview. A full guide is a WIP and will be added post-release.
* Fixes typo avaiable > available
This commit is contained in:
parent f9abffb340
commit 5faa61a906
@ -1480,8 +1480,7 @@ func (s *HTTPServer) AgentHost(resp http.ResponseWriter, req *http.Request) (int
if err != nil {
return nil, err
}
// TODO(pearkes): Is agent:read appropriate here? There could be relatively
// sensitive information made available in this API

if rule != nil && !rule.OperatorRead() {
return nil, acl.ErrPermissionDenied
}

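Review bot: dropping the TODO about agent:read leaves the endpoint's authorization undocumented: the check right below it, `if rule != nil && !rule.OperatorRead()`, gates AgentHost on operator:read, which is the stricter of the two options the comment was weighing, so the API docs for this endpoint should state that operator:read is required. Also worth stating in those docs that when `rule` is nil (no ACL enforcement) the check is skipped and the host information is returned to any caller, which is why the comment considered it sensitive in the first place.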
@ -27,11 +27,30 @@ const synopsis = "Manage Consul's ACL Tokens"
const help = `
Usage: consul acl token <subcommand> [options] [args]

This command has subcommands for managing Consul's ACL Policies.
This command has subcommands for managing Consul ACL tokens.
Here are some simple examples, and more detailed examples are available
in the subcommands or the documentation.

TODO - more docs
Create a new ACL Token:

$ consul acl token create \
-description "This is an example token" \
-policy-id 06acc965
List all tokens:

$ consul acl token list

Update a token:

$ consul acl token update -id 986193 -description "WonderToken"

Read a token with an accessor ID:

$ consul acl token read -id 986193

Delete a token

$ consul acl token delete -id 986193

For more examples, ask for subcommand help or view the documentation.
`

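Review bot: the new examples pass abbreviated values (`-policy-id 06acc965`, `-id 986193`) without saying what the flags expect; a reader who copies them will get errors unless the help text says these are ID prefixes rather than full accessor/policy IDs, so either say so or use full IDs in the examples. Minor: `Delete a token` lacks the trailing colon the other example headings have, and the `Create a new ACL Token:` example has no blank line before `List all tokens:` unlike the rest.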
@ -6,8 +6,6 @@ sidebar_current: "docs-commands-debug"

# Consul Debug

-> **1.4.0+:** This command is only available in Consul versions 1.4.0 and later.

Command: `consul debug`

The `consul debug` command monitors a Consul agent for the specified period of

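Review bot: removing the `-> **1.4.0+:** This command is only available in Consul versions 1.4.0 and later.` callout drops information that is still true after the release; the ACL guide in this same change keeps its `1.4.0 and later` note, so either keep this one for consistency or say why `consul debug` no longer needs it.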
@ -124,14 +124,15 @@ a long period of inactivity (3 days by default), the cache will empty itself.

## Multi-Datacenter

Connect currently only works for service-to-service connections within a
single Consul datacenter. Connect may be enabled on multiple Consul datacenters,
but only services within the same datacenters can establish Connect-based
connections.
CA configurations and intentions are both local to their respective datacenters;
Using Connect for service-to-service communications across multiple datacenters
requires Consul Enterprise.

With Open Source Consul, Connect may be enabled on multiple Consul datacenters,
but only services within the same datacenter can establish Connect-based,
Authenticated and Authorized connections. In this version, Certificate Authority
configurations and intentions are both local to their respective datacenters;
they are not replicated across datacenters.

Multi-datacenter support for Connect is under development and will be
released as a feature of Consul Enterprise in late 2018. This feature will
facilitate intention replication, datacenter constraints on intentions,
CA state replication, multi-datacenter certificate rotations, and more.
Full multi-datacenter support for Connect is available in
[Consul Enterprise](/docs/enterprise/connect-multi-datacenter/index.html).


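Review bot: the security consequence of the open-source limitation should be spelled out rather than left for the reader to infer: because Certificate Authority configuration and intentions are local and `not replicated across datacenters`, each datacenter has its own trust root and its own intention set, so a connection from a service in another datacenter is neither authenticated nor authorized by Connect. `In this version` is now ambiguous since the paragraph opens with `With Open Source Consul`; say `In open source Consul`. Style: `Authenticated and Authorized` should not be capitalized mid-sentence, and the comma in `Connect-based, Authenticated` is spurious.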
@ -0,0 +1,53 @@
---
layout: "docs"
page_title: "Consul Enterprise Multi-Datacenter Connect"
sidebar_current: "docs-enterprise-connect-multi-datacenter"
description: |-
Consul Enterprise supports cross datacenter connections using Consul Connect.
---

# Consul Connect Multi-Datacenter

[Consul Enterprise](https://www.hashicorp.com/consul.html) enables service-to-service
connections across multiple Consul datacenters. This includes replication of intentions
and federation of Certificate Authority trust.

Sidecar proxy's [upstream configuration](/docs/connect/proxies.html#upstream-configuration-reference)
may specify an alternative datacenter or a prepared query that can address services
in multiple datacenters (such as the [geo failover](/docs/guides/geo-failover.html) pattern).

[Intentions](/docs/connect/intentions.html) verify connections between services by
source and destination name seamlessly across datacenters. Support for constraining Intentions
by source or destination datacenter is planned for the near future.

It is assumed that workloads can communicate between datacenters via existing network
routes and VPN tunnels, potentially using Consul's
[`translate_wan_addrs`](/docs/agent/options.html#translate_wan_addrs) to ensure remote
workloads discover an externally routable IP.

# Replication

Intention replication happens automatically but requires the [`primary_datacenter`](/docs/agent/options.html#primary_datacenter)
configuration to be set to specify a datacenter that is authorative
for intentions. In production setups with ACLs enabled, the [replication token](/docs/agent/options.html#acl_tokens_replication)
must also be set in secondary datacenter server's configuration.

# Certificate Authority Federation

The primary datacenter also acts as the root Certificate Authority (CA) for Connect.
The primary datacenter generates a trust-domain UUID and obtains a root certificate
from the configured CA provider which defaults to the built-in one.

Secondary datacenters fetch the root CA public key and trust-domain ID from the primary and
generate their own key and Certificate Signing Request (CSR) for an intermediate CA certificate.
This CSR is signed by the root in the primary datacenter and the certificate is returned.
The secondary datacenter can now use this intermediate to sign new Connect certificates
in the secondary datacenter without WAN communication. CA keys are never replicated between
datacenters.

The secondary maintains watches on the root CA certificate in the primary. If the CA root
changes for any reason such as rotation or migration to a new CA, the secondary automatically
generates new keys and has them signed by the primary datacenter's new root before initiating
an automatic rotation of all issued certificates in use throughout the secondary datacenter.
This makes CA root key rotation fully automatic and with zero downtime across multiple data
centers.
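Review bot: the Replication section says the replication token `must also be set in secondary datacenter server's configuration` but not which ACL permissions that token needs, nor that `primary_datacenter` has to be set on the servers of every datacenter rather than only the primary; an operator needs both before this can be deployed safely. In the CA section, be precise about what crosses the WAN: secondaries fetch the root CA certificate (not only `the root CA public key`), send a CSR, and get back a signed intermediate, and the property that matters is that CA private keys never leave their datacenter, so write `CA private keys are never replicated`. Typo: `authorative` should be `authoritative`; `Sidecar proxy's` should be `A sidecar proxy's`; and `# Replication` and `# Certificate Authority Federation` are top-level headings under the page's own `# Consul Connect Multi-Datacenter`, so they should be `##`.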
@ -6,7 +6,7 @@ description: |-
Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways.
---

-> **1.3.0 and earlier:** This guide only applies in Consul versions 1.3.0 and before. If you are using the 1.4.0 RC please use the updated guide [here](/docs/guides/acl.html)
-> **1.3.0 and earlier:** This guide only applies in Consul versions 1.3.0 and before. If you are using the 1.4.0 or later please use the updated guide [here](/docs/guides/acl.html)


# Deprecation Notice

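Review bot: grammar in the replacement callout: `If you are using the 1.4.0 or later` should read `If you are using 1.4.0 or later`, and the sentence needs a terminating period.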
@ -6,7 +6,7 @@ description: |-
Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways.
---

-> **1.4.0+:** This guide only applies in Consul versions 1.4.0 and later. The documentation for the legacy ACL system [here](/docs/guides/acl-legacy.html)
-> **1.4.0 and later:** This guide only applies in Consul versions 1.4.0 and later. The documentation for the legacy ACL system is [here](/docs/guides/acl-legacy.html)

# ACL System


@ -8,12 +8,6 @@ description: |-

<h1>Download Consul</h1>

<div class="alert alert-info" id="rc-1-4" role="alert">
<p><strong>1.4.0 RC Available:</strong> Read more about the new features coming in 1.4.0 in the
<a href="https://groups.google.com/forum/#!topic/consul-tool/bqEiL5EcnlA">announcement post</a>. Binaries can be accessed on <a href="https://releases.hashicorp.com/consul/">releases.hashicorp.com</a>.
</p>
</div>

<section class="downloads">
<div class="description row">
<div class="col-md-12">

@ -11,9 +11,6 @@ description: |-
<div>
<div>
<div>
<a class='notification' href='https://groups.google.com/forum/#!topic/consul-tool/bqEiL5EcnlA'>
<span>New</span> HashiCorp Consul 1.4: Connect out of Beta. Try the RC now <span><svg xmlns='http://www.w3.org/2000/svg' width='6' height='10' viewBox='0 0 6 10'><path fill='#650D34' d='M1.138.529a.666.666 0 1 0-.942.943L3.724 5 .195 8.53a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z'/></svg><span>
</a>
<h1>Service Mesh Made Easy</h1>
<p>Consul is a distributed service mesh to connect, secure, and configure services across any runtime platform and public or private cloud</p>
<a href='/downloads.html' class='g-btn download'>

@ -287,7 +287,7 @@
</li>

<li<%= sidebar_current("docs-connect") %>>
<a href="/docs/connect/index.html">Connect (Beta)</a>
<a href="/docs/connect/index.html">Connect</a>
<ul class="nav">
<li<%= sidebar_current("docs-connect-config") %>>
<a href="/docs/connect/configuration.html">Configuration</a>

@ -477,6 +477,9 @@
<li<%= sidebar_current("docs-enterprise-federation") %>>
<a href="/docs/enterprise/federation/index.html">Advanced Federation</a>
</li>
<li<%= sidebar_current("docs-enterprise-connect-multi-datacenter") %>>
<a href="/docs/enterprise/connect-multi-datacenter/index.html">Connect Multi-Datacenter</a>
</li>
<li<%= sidebar_current("docs-enterprise-network-segments") %>>
<a href="/docs/enterprise/network-segments/index.html">Network Segments</a>
</li>
