Doc changes for 1.4 Final (#4870)

* website: add multi-dc enterprise landing page * website: switch all 1.4.0 alerts/RC warnings * website: connect product wording Co-Authored-By: pearkes <jackpearkes@gmail.com> * website: remove RC notification * commmand/acl: fix usage docs for ACL tokens * agent: remove comment, OperatorRead * website: improve multi-dc docs Still not happy with this but tried to make it slightly more informative. * website: put back acl guide warning for 1.4.0 * website: simplify multi-dc page and respond to feedback * Fix Multi-DC typos on connect index page. * Improve Multi-DC overview. A full guide is a WIP and will be added post-release. * Fixes typo avaiable > available
2018-11-13 05:43:53 -08:00 · 2018-11-13 05:43:53 -08:00 · 5faa61a906
parent f9abffb340
commit 5faa61a906
10 changed files with 91 additions and 27 deletions
--- a/agent/agent_endpoint.go
+++ b/agent/agent_endpoint.go
@ -1480,8 +1480,7 @@ func (s *HTTPServer) AgentHost(resp http.ResponseWriter, req *http.Request) (int
 	if err != nil {
 		return nil, err
 	}
-	// TODO(pearkes): Is agent:read appropriate here? There could be relatively
-	// sensitive information made available in this API
+
 	if rule != nil && !rule.OperatorRead() {
 		return nil, acl.ErrPermissionDenied
 	}
--- a/command/acl/token/token.go
+++ b/command/acl/token/token.go
@ -27,11 +27,30 @@ const synopsis = "Manage Consul's ACL Tokens"
 const help = `
 Usage: consul acl token <subcommand> [options] [args]

-  This command has subcommands for managing Consul's ACL Policies.
+  This command has subcommands for managing Consul ACL tokens.
  Here are some simple examples, and more detailed examples are available
  in the subcommands or the documentation.

-  TODO - more docs
+  Create a new ACL Token:
+
+      $ consul acl token create \
+                                 -description "This is an example token" \
+                                 -policy-id 06acc965
+  List all tokens:
+
+      $ consul acl token list
+
+  Update a token:
+
+      $ consul acl token update -id 986193 -description "WonderToken"
+
+  Read a token with an accessor ID:
+
+    $ consul acl token read -id 986193
+
+  Delete a token
+
+    $ consul acl token delete -id 986193

  For more examples, ask for subcommand help or view the documentation.
 `
--- a/website/source/docs/commands/debug.html.markdown.erb
+++ b/website/source/docs/commands/debug.html.markdown.erb
@ -6,8 +6,6 @@ sidebar_current: "docs-commands-debug"

 # Consul Debug

-> **1.4.0+:** This command is only available in Consul versions 1.4.0 and later.
-
 Command: `consul debug`

 The `consul debug` command monitors a Consul agent for the specified period of
--- a/website/source/docs/connect/index.html.md
+++ b/website/source/docs/connect/index.html.md
@ -124,14 +124,15 @@ a long period of inactivity (3 days by default), the cache will empty itself.

 ## Multi-Datacenter

-Connect currently only works for service-to-service connections within a
-single Consul datacenter. Connect may be enabled on multiple Consul datacenters,
-but only services within the same datacenters can establish Connect-based
-connections.
-CA configurations and intentions are both local to their respective datacenters;
+Using Connect for service-to-service communications across multiple datacenters 
+requires Consul Enterprise. 
+
+With Open Source Consul, Connect may be enabled on multiple Consul datacenters, 
+but only services within the same datacenter can establish Connect-based, 
+Authenticated and Authorized connections. In this version, Certificate Authority
+configurations and intentions are both local to their respective datacenters; 
 they are not replicated across datacenters.

-Multi-datacenter support for Connect is under development and will be
-released as a feature of Consul Enterprise in late 2018. This feature will
-facilitate intention replication, datacenter constraints on intentions,
-CA state replication, multi-datacenter certificate rotations, and more.
+Full multi-datacenter support for Connect is available in
+[Consul Enterprise](/docs/enterprise/connect-multi-datacenter/index.html).
+
--- a/website/source/docs/enterprise/connect-multi-datacenter/index.html.md
+++ b/website/source/docs/enterprise/connect-multi-datacenter/index.html.md
@ -0,0 +1,53 @@
+---
+layout: "docs"
+page_title: "Consul Enterprise Multi-Datacenter Connect"
+sidebar_current: "docs-enterprise-connect-multi-datacenter"
+description: |-
+  Consul Enterprise supports cross datacenter connections using Consul Connect.
+---
+
+# Consul Connect Multi-Datacenter
+
+[Consul Enterprise](https://www.hashicorp.com/consul.html) enables service-to-service
+connections across multiple Consul datacenters. This includes replication of intentions
+and federation of Certificate Authority trust.
+
+Sidecar proxy's [upstream configuration](/docs/connect/proxies.html#upstream-configuration-reference) 
+may specify an alternative datacenter or a prepared query that can address services 
+in multiple datacenters (such as the [geo failover](/docs/guides/geo-failover.html) pattern).
+
+[Intentions](/docs/connect/intentions.html) verify connections between services by 
+source and destination name seamlessly across datacenters. Support for constraining Intentions 
+by source or destination datacenter is planned for the near future.
+
+It is assumed that workloads can communicate between datacenters via existing network 
+routes and VPN tunnels, potentially using Consul's 
+[`translate_wan_addrs`](/docs/agent/options.html#translate_wan_addrs) to ensure remote 
+workloads discover an externally routable IP.
+
+# Replication
+
+Intention replication happens automatically but requires the [`primary_datacenter`](/docs/agent/options.html#primary_datacenter)
+configuration to be set to specify a datacenter that is authorative
+for intentions. In production setups with ACLs enabled, the [replication token](/docs/agent/options.html#acl_tokens_replication)
+must also be set in secondary datacenter server's configuration.
+
+# Certificate Authority Federation
+
+The primary datacenter also acts as the root Certificate Authority (CA) for Connect. 
+The primary datacenter generates a trust-domain UUID and obtains a root certificate 
+from the configured CA provider which defaults to the built-in one. 
+
+Secondary datacenters fetch the root CA public key and trust-domain ID from the primary and 
+generate their own key and Certificate Signing Request (CSR) for an intermediate CA certificate. 
+This CSR is signed by the root in the primary datacenter and the certificate is returned. 
+The secondary datacenter can now use this intermediate to sign new Connect certificates 
+in the secondary datacenter without WAN communication. CA keys are never replicated between 
+datacenters.
+
+The secondary maintains watches on the root CA certificate in the primary. If the CA root
+changes for any reason such as rotation or migration to a new CA, the secondary automatically
+generates new keys and has them signed by the primary datacenter's new root before initiating
+an automatic rotation of all issued certificates in use throughout the secondary datacenter. 
+This makes CA root key rotation fully automatic and with zero downtime across multiple data 
+centers.
--- a/website/source/docs/guides/acl-legacy.html.md
+++ b/website/source/docs/guides/acl-legacy.html.md
@ -6,7 +6,7 @@ description: |-
  Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways.
 ---

-> **1.3.0 and earlier:** This guide only applies in Consul versions 1.3.0 and before. If you are using the 1.4.0 RC please use the updated guide [here](/docs/guides/acl.html)
+-> **1.3.0 and earlier:** This guide only applies in Consul versions 1.3.0 and before. If you are using the 1.4.0 or later please use the updated guide [here](/docs/guides/acl.html)


 # Deprecation Notice
--- a/website/source/docs/guides/acl.html.md
+++ b/website/source/docs/guides/acl.html.md
@ -6,7 +6,7 @@ description: |-
  Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways.
 ---

-> **1.4.0+:** This guide only applies in Consul versions 1.4.0 and later. The documentation for the legacy ACL system [here](/docs/guides/acl-legacy.html)
+-> **1.4.0 and later:** This guide only applies in Consul versions 1.4.0 and later. The documentation for the legacy ACL system is [here](/docs/guides/acl-legacy.html)

 # ACL System

--- a/website/source/downloads.html.erb
+++ b/website/source/downloads.html.erb
@ -8,12 +8,6 @@ description: |-

 <h1>Download Consul</h1>

-<div class="alert alert-info" id="rc-1-4" role="alert">
-  <p><strong>1.4.0 RC Available:</strong> Read more about the new features coming in 1.4.0 in the
-  <a href="https://groups.google.com/forum/#!topic/consul-tool/bqEiL5EcnlA">announcement post</a>. Binaries can be accessed on <a href="https://releases.hashicorp.com/consul/">releases.hashicorp.com</a>.
-  </p>
-</div>
-
 <section class="downloads">
  <div class="description row">
    <div class="col-md-12">
--- a/website/source/index.html.erb
+++ b/website/source/index.html.erb
@ -11,9 +11,6 @@ description: |-
      <div>
        <div>
          <div>
-            <a class='notification' href='https://groups.google.com/forum/#!topic/consul-tool/bqEiL5EcnlA'>
-              <span>New</span> HashiCorp Consul 1.4: Connect out of Beta. Try the RC now <span><svg xmlns='http://www.w3.org/2000/svg' width='6' height='10' viewBox='0 0 6 10'><path fill='#650D34' d='M1.138.529a.666.666 0 1 0-.942.943L3.724 5 .195 8.53a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z'/></svg><span>
-            </a>
            <h1>Service Mesh Made Easy</h1>
            <p>Consul is a distributed service mesh to connect, secure, and configure services across any runtime platform and public or private cloud</p>
            <a href='/downloads.html' class='g-btn download'>
--- a/website/source/layouts/docs.erb
+++ b/website/source/layouts/docs.erb
@ -287,7 +287,7 @@
      </li>

      <li<%= sidebar_current("docs-connect") %>>
-        <a href="/docs/connect/index.html">Connect (Beta)</a>
+        <a href="/docs/connect/index.html">Connect</a>
        <ul class="nav">
          <li<%= sidebar_current("docs-connect-config") %>>
            <a href="/docs/connect/configuration.html">Configuration</a>
@ -477,6 +477,9 @@
          <li<%= sidebar_current("docs-enterprise-federation") %>>
            <a href="/docs/enterprise/federation/index.html">Advanced Federation</a>
          </li>
+          <li<%= sidebar_current("docs-enterprise-connect-multi-datacenter") %>>
+            <a href="/docs/enterprise/connect-multi-datacenter/index.html">Connect Multi-Datacenter</a>
+          </li>
          <li<%= sidebar_current("docs-enterprise-network-segments") %>>
            <a href="/docs/enterprise/network-segments/index.html">Network Segments</a>
          </li>