Merge pull request #14357 from hashicorp/replace-learn-links
Update Learn links in prep for DevDot
This commit is contained in:
commit
6ca0680f95
|
@ -14,7 +14,7 @@ The `/acl/auth-method` endpoints [create](#create-an-auth-method),
|
|||
ACL auth methods in Consul.
|
||||
|
||||
For more information on how to setup ACLs, please check
|
||||
the [ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production).
|
||||
the [ACL tutorial](/consul/tutorials/security/access-control-setup-production?utm_source=docs).
|
||||
|
||||
## Create an Auth Method
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ The `/acl/binding-rule` endpoints [create](#create-a-binding-rule),
|
|||
rules in Consul.
|
||||
|
||||
For more information on how to setup ACLs, please check
|
||||
the [ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production).
|
||||
the [ACL tutorial](/consul/tutorials/security/access-control-setup-production?utm_source=docs).
|
||||
|
||||
## Create a Binding Rule
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ description: The /acl endpoints manage the Consul's ACL system.
|
|||
The `/acl` endpoints are used to manage ACL tokens and policies in Consul, [bootstrap the ACL system](#bootstrap-acls), [check ACL replication status](#check-acl-replication), and [translate rules](#translate-rules). There are additional pages for managing [tokens](/api-docs/acl/tokens) and [policies](/api-docs/acl/policies) with the `/acl` endpoints.
|
||||
|
||||
For more information on how to setup ACLs, please check
|
||||
the [ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production).
|
||||
the [ACL tutorial](/consul/tutorials/security/access-control-setup-production?utm_source=docs).
|
||||
|
||||
## Bootstrap ACLs
|
||||
|
||||
|
@ -80,7 +80,7 @@ consider the cluster in a potentially compromised state.
|
|||
|
||||
The returned token will have unrestricted privileges to manage all details of the system.
|
||||
It can then be used to further configure the ACL system. Please check the
|
||||
[ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production) for more details.
|
||||
[ACL tutorial](/consul/tutorials/security/access-control-setup-production?utm_source=docs) for more details.
|
||||
|
||||
## Check ACL Replication
|
||||
|
||||
|
@ -88,7 +88,7 @@ This endpoint returns the status of the ACL replication processes in the
|
|||
datacenter. This is intended to be used by operators or by automation checking
|
||||
to discover the health of ACL replication.
|
||||
|
||||
Please check the [ACL Replication tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-replication-multiple-datacenters)
|
||||
Please check the [ACL Replication tutorial](/consul/tutorials/security-operations/access-control-replication-multiple-datacenters?utm_source=docs)
|
||||
for more details.
|
||||
|
||||
| Method | Path | Produces |
|
||||
|
|
|
@ -14,7 +14,7 @@ the new ACL [Token](/api-docs/acl/tokens) and [Policy](/api-docs/acl/policies) A
|
|||
|
||||
The legacy `/acl` endpoints to create, update, destroy, and query legacy ACL tokens in Consul.
|
||||
|
||||
For more information about ACLs, please check the [ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production).
|
||||
For more information about ACLs, please check the [ACL tutorial](/consul/tutorials/security/access-control-setup-production?utm_source=docs).
|
||||
|
||||
## Create ACL Token
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ The `/acl/policy` endpoints [create](#create-a-policy), [read](#read-a-policy),
|
|||
[delete](#delete-a-policy) ACL policies in Consul.
|
||||
|
||||
For more information on how to setup ACLs, please check
|
||||
the [ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production).
|
||||
the [ACL tutorial](/consul/tutorials/security/access-control-setup-production?utm_source=docs).
|
||||
|
||||
## Create a Policy
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ The `/acl/role` endpoints [create](#create-a-role), [read](#read-a-role),
|
|||
[update](#update-a-role), [list](#list-roles) and [delete](#delete-a-role) ACL roles in Consul.
|
||||
|
||||
For more information on how to setup ACLs, please check
|
||||
the [ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production).
|
||||
the [ACL tutorial](/consul/tutorials/security/access-control-setup-production?utm_source=docs).
|
||||
|
||||
## Create a Role
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ The `/acl/token` endpoints [create](#create-a-token), [read](#read-a-token),
|
|||
[update](#update-a-token), [list](#list-tokens), [clone](#clone-a-token) and [delete](#delete-a-token) ACL tokens in Consul.
|
||||
|
||||
For more information on how to setup ACLs, please check
|
||||
the [ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production).
|
||||
the [ACL tutorial](/consul/tutorials/security/access-control-setup-production?utm_source=docs).
|
||||
|
||||
## Create a Token
|
||||
|
||||
|
|
|
@ -210,7 +210,7 @@ The corresponding CLI command is [`consul kv put`](/commands/kv/put).
|
|||
session has locked the key.**
|
||||
|
||||
For an example of how to use the lock feature, check the
|
||||
[Leader Election tutorial](https://learn.hashicorp.com/tutorials/consul/application-leader-elections).
|
||||
[Leader Election tutorial](/consul/tutorials/developer-configuration/application-leader-elections?utm_source=docs).
|
||||
|
||||
- `release` `(string: "")` - Supply a session ID to use in a release operation. This is
|
||||
useful when paired with `?acquire=` as it allows clients to yield a lock. This
|
||||
|
|
|
@ -24,7 +24,7 @@ datacenters, so not all servers need to be fully connected. This allows for
|
|||
complex topologies among Consul datacenters like hub/spoke and more general
|
||||
trees.
|
||||
|
||||
Please check the [Network Areas tutorial](https://learn.hashicorp.com/tutorials/consul/federation-network-areas) for more details.
|
||||
Please check the [Network Areas tutorial](/consul/tutorials/datacenter-operations/federation-network-areas?utm_source=docs) for more details.
|
||||
|
||||
## Create Network Area
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ The `/operator/autopilot` endpoints allow for automatic operator-friendly
|
|||
management of Consul servers including cleanup of dead servers, monitoring
|
||||
the state of the Raft cluster, and stable server introduction.
|
||||
|
||||
Please check the [Autopilot tutorial](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations) for more details.
|
||||
Please check the [Autopilot tutorial](/consul/tutorials/datacenter-operations/autopilot-datacenter-operations?utm_source=docs) for more details.
|
||||
|
||||
## Read Configuration
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ If ACLs are enabled then a token with operator privileges may be required in
|
|||
order to use this interface. Check the [ACL Rules documentation](/docs/security/acl/acl-rules#operator-rules)
|
||||
for more information.
|
||||
|
||||
Check the [Outage Recovery](https://learn.hashicorp.com/tutorials/consul/recovery-outage) tutorial for some examples of
|
||||
Check the [Outage Recovery](/consul/tutorials/datacenter-operations/recovery-outage?utm_source=docs) tutorial for some examples of
|
||||
how these capabilities are used.
|
||||
|
||||
Please choose a sub-section in the navigation for more information.
|
||||
|
|
|
@ -18,7 +18,7 @@ The network area functionality described here is available only in
|
|||
later. Network segments are operator-defined sections of agents on the LAN, typically
|
||||
isolated from other segments by network configuration.
|
||||
|
||||
Please check the [Network Segments tutorial](https://learn.hashicorp.com/tutorials/consul/network-partition-datacenters) for more details.
|
||||
Please check the [Network Segments tutorial](/consul/tutorials/datacenter-operations/network-partition-datacenters?utm_source=docs) for more details.
|
||||
|
||||
## List Network Segments
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ service. This is particularly useful in combination with Consul's
|
|||
[DNS Interface](/docs/discovery/dns#prepared-query-lookups) as it allows for much richer queries than
|
||||
would be possible given the limited entry points exposed by DNS.
|
||||
|
||||
Check the [Geo Failover tutorial](https://learn.hashicorp.com/tutorials/consul/automate-geo-failover) for details and
|
||||
Check the [Geo Failover tutorial](/consul/tutorials/developer-discovery/automate-geo-failover?utm_source=docs) for details and
|
||||
examples for using prepared queries to implement geo failover for services.
|
||||
|
||||
Check the [prepared query rules](/docs/security/acl/acl-rules#prepared-query-rules)
|
||||
|
|
|
@ -77,7 +77,7 @@ The table below shows this endpoint's support for
|
|||
86400s). If provided, the session is invalidated if it is not renewed before
|
||||
the TTL expires. The lowest practical TTL should be used to keep the number of
|
||||
managed sessions low. When locks are forcibly expired, such as when following
|
||||
the [leader election pattern](https://learn.hashicorp.com/tutorials/consul/application-leader-elections) in an application,
|
||||
the [leader election pattern](/consul/tutorials/developer-configuration/application-leader-elections?utm_source=docs) in an application,
|
||||
sessions may not be reaped for up to double this TTL, so long TTL
|
||||
values (> 1 hour) should be avoided. Valid time units include "s", "m" and "h".
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/bootstrap](/api-docs/acl#boots
|
|||
The `acl bootstrap` command will request Consul to generate a new token with unlimited privileges to use
|
||||
for management purposes and output its details. This can only be done once and afterwards bootstrapping
|
||||
will be disabled. If all tokens are lost and you need to bootstrap again you can follow the bootstrap
|
||||
[reset procedure](https://learn.hashicorp.com/consul/security-networking/acl-troubleshooting?utm_source=consul.io&utm_medium=docs#reset-the-acl-system).
|
||||
[reset procedure](/consul/tutorials/security/access-control-troubleshoot?utm_source=docs#reset-the-acl-system).
|
||||
|
||||
The table below shows this command's [required ACLs](/api#authentication). Configuration of
|
||||
[blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching)
|
||||
|
|
|
@ -66,7 +66,7 @@ Usage: `consul acl token update [options]`
|
|||
specified grant equivalent or appropriate access for the existing clients using
|
||||
this token. You can find examples on how to use the parameter in the [legacy
|
||||
token
|
||||
migration](https://learn.hashicorp.com/consul/day-2-agent-authentication/migrate-acl-tokens)
|
||||
migration](/consul/tutorials/security-operations/access-control-token-migration?utm_source=docs)
|
||||
guide.
|
||||
|
||||
- `-format={pretty|json}` - Command output format. The default value is `pretty`.
|
||||
|
|
|
@ -57,7 +57,7 @@ consul force-leave ec2-001-staging
|
|||
```
|
||||
|
||||
When run on a server that is part of a
|
||||
[WAN gossip pool](https://learn.hashicorp.com/consul/security-networking/datacenters),
|
||||
[WAN gossip pool](/consul/tutorials/networking/federation-gossip-wan?utm_source=docs),
|
||||
`force-leave` can remove failed servers in other datacenters from the WAN pool.
|
||||
|
||||
The identifying node-name in a WAN pool is `[node-name].[datacenter]`.
|
||||
|
|
|
@ -132,7 +132,7 @@ Success! Data written to: leaderboard/scores
|
|||
```
|
||||
|
||||
~> **Warning**: For secret and sensitive values, you should consider using a
|
||||
secret management solution like **[HashiCorp's Vault](https://learn.hashicorp.com/tutorials/vault/static-secrets?in=vault/secrets-management)**.
|
||||
secret management solution like **[HashiCorp's Vault](/vault/tutorials/secrets-management/static-secrets?utm_source=docs)**.
|
||||
While it is possible to encrypt data before writing it to Consul's KV store,
|
||||
Consul provides no built-in support for encryption at-rest.
|
||||
|
||||
|
|
|
@ -20,7 +20,7 @@ Consul Enterprise license management.
|
|||
If ACLs are enabled then a token with operator privileges may be required in
|
||||
order to use this command. Requests are forwarded internally to the leader
|
||||
if required, so this can be run from any Consul node in a cluster. See the
|
||||
[ACL Guide](https://learn.hashicorp.com/consul/security-networking/production-acls) for more information.
|
||||
[ACL Guide](/consul/tutorials/security/access-control-setup-production?utm_source=docs) for more information.
|
||||
|
||||
```text
|
||||
Usage: consul license <subcommand> [options] [args]
|
||||
|
|
|
@ -18,11 +18,11 @@ communication is disrupted, the child process is terminated.
|
|||
|
||||
The number of lock holders is configurable with the `-n` flag. By default,
|
||||
a single holder is allowed, and a lock is used for mutual exclusion. This
|
||||
uses the [leader election algorithm](https://learn.hashicorp.com/consul/developer-configuration/elections).
|
||||
uses the [leader election algorithm](/consul/tutorials/developer-configuration/application-leader-elections?utm_source=docs).
|
||||
|
||||
If the lock holder count is more than one, then a semaphore is used instead.
|
||||
A semaphore allows more than a single holder, but this is less efficient than
|
||||
a simple lock. This follows the [semaphore algorithm](https://learn.hashicorp.com/consul/developer-configuration/semaphore).
|
||||
a simple lock. This follows the [semaphore algorithm](/consul/tutorials/developer-configuration/distributed-semaphore?utm_source=docs).
|
||||
|
||||
All locks using the same prefix must agree on the value of `-n`. If conflicting
|
||||
values of `-n` are provided, an error will be returned.
|
||||
|
|
|
@ -21,7 +21,7 @@ and relationships can be made between independent pairs of datacenters, so not a
|
|||
need to be fully connected. This allows for complex topologies among Consul datacenters like
|
||||
hub/spoke and more general trees.
|
||||
|
||||
See the [Network Areas Guide](https://learn.hashicorp.com/consul/day-2-operations/advanced-federation) for more details.
|
||||
See the [Network Areas Guide](/consul/tutorials/datacenter-operations/federation-network-areas?utm_source=docs) for more details.
|
||||
|
||||
```text
|
||||
Usage: consul operator area <subcommand> [options]
|
||||
|
|
|
@ -12,7 +12,7 @@ Command: `consul operator autopilot`
|
|||
|
||||
The Autopilot operator command is used to interact with Consul's Autopilot subsystem. The
|
||||
command can be used to view or modify the current Autopilot configuration. See the
|
||||
[Autopilot Guide](https://learn.hashicorp.com/consul/day-2-operations/autopilot) for more information about Autopilot.
|
||||
[Autopilot Guide](/consul/tutorials/datacenter-operations/autopilot-datacenter-operations?utm_source=docs) for more information about Autopilot.
|
||||
|
||||
```text
|
||||
Usage: consul operator autopilot <subcommand> [options]
|
||||
|
|
|
@ -18,9 +18,9 @@ outage and even loss of data.
|
|||
If ACLs are enabled then a token with operator privileges may be required in
|
||||
order to use this command. Requests are forwarded internally to the leader
|
||||
if required, so this can be run from any Consul node in a cluster. See the
|
||||
[ACL Guide](https://learn.hashicorp.com/consul/security-networking/production-acls) for more information.
|
||||
[ACL Guide](/consul/tutorials/security/access-control-setup-production?utm_source=docs) for more information.
|
||||
|
||||
See the [Outage Recovery](https://learn.hashicorp.com/consul/day-2-operations/outage) guide for some examples of how
|
||||
See the [Outage Recovery](/consul/tutorials/datacenter-operations/recovery-outage?utm_source=docs) guide for some examples of how
|
||||
this command is used. For an API to perform these operations programmatically,
|
||||
please see the documentation for the [Operator](/api-docs/operator)
|
||||
endpoint.
|
||||
|
|
|
@ -106,7 +106,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
- `alt_domain` Equivalent to the [`-alt-domain` command-line flag](/docs/agent/config/cli-flags#_alt_domain)
|
||||
|
||||
- `audit` <EnterpriseAlert inline /> - Added in Consul 1.8, the audit object allow users to enable auditing
|
||||
and configure a sink and filters for their audit logs. For more information, review the [audit log tutorial](https://learn.hashicorp.com/tutorials/consul/audit-logging).
|
||||
and configure a sink and filters for their audit logs. For more information, review the [audit log tutorial](/consul/tutorials/datacenter-operations/audit-logging?utm_source=docs).
|
||||
|
||||
<CodeTabs heading="Example audit configuration">
|
||||
|
||||
|
@ -182,7 +182,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
respected on bootstrapping. If they are not provided, the defaults will be used.
|
||||
In order to change the value of these options after bootstrapping, you will need
|
||||
to use the [Consul Operator Autopilot](/commands/operator/autopilot)
|
||||
command. For more information about Autopilot, review the [Autopilot tutorial](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations).
|
||||
command. For more information about Autopilot, review the [Autopilot tutorial](/consul/tutorials/datacenter-operations/autopilot-datacenter-operations?utm_source=docs).
|
||||
|
||||
The following sub-keys are available:
|
||||
|
||||
|
@ -495,7 +495,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
only works with API endpoints, not `/ui` or `/debug`, those must be disabled
|
||||
with their respective configuration options. Any CLI commands that use disabled
|
||||
endpoints will no longer function as well. For more general access control, Consul's
|
||||
[ACL system](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production)
|
||||
[ACL system](/consul/tutorials/security/access-control-setup-production?utm_source=docs)
|
||||
should be used, but this option is useful for removing access to HTTP API endpoints
|
||||
completely, or on specific agents. This is available in Consul 0.9.0 and later.
|
||||
|
||||
|
@ -940,7 +940,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
|
||||
This designates the datacenter which is authoritative for ACL information. It must be provided to enable ACLs. All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients,
|
||||
it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement
|
||||
of ACLs. Please review the [ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production) for more details.
|
||||
of ACLs. Please review the [ACL tutorial](/consul/tutorials/security/access-control-setup-production?utm_source=docs) for more details.
|
||||
|
||||
- `acl_default_policy` ((#acl_default_policy_legacy)) - **Deprecated in Consul 1.4.0. See the [`acl.default_policy`](#acl_default_policy) field instead.**
|
||||
Either "allow" or "deny"; defaults to "allow". The default policy controls the
|
||||
|
@ -990,7 +990,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
- `acl_replication_token` ((#acl_replication_token_legacy)) - **Deprecated
|
||||
in Consul 1.4.0. See the [`acl.tokens.replication`](#acl_tokens_replication) field
|
||||
instead.** Only used for servers outside the [`primary_datacenter`](#primary_datacenter)
|
||||
running Consul 0.7 or later. When provided, this will enable [ACL replication](https://learn.hashicorp.com/tutorials/consul/access-control-replication-multiple-datacenters)
|
||||
running Consul 0.7 or later. When provided, this will enable [ACL replication](/consul/tutorials/security-operations/access-control-replication-multiple-datacenters?utm_source=docs)
|
||||
using this ACL replication using this token to retrieve and replicate the ACLs
|
||||
to the non-authoritative local datacenter. In Consul 0.9.1 and later you can enable
|
||||
ACL replication using [`acl.enable_token_replication`](#acl_enable_token_replication) and then
|
||||
|
@ -1225,7 +1225,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
## DNS and Domain Parameters
|
||||
|
||||
- `dns_config` This object allows a number of sub-keys
|
||||
to be set which can tune how DNS queries are serviced. Check the tutorial on [DNS caching](https://learn.hashicorp.com/tutorials/consul/dns-caching) for more detail.
|
||||
to be set which can tune how DNS queries are serviced. Check the tutorial on [DNS caching](/consul/tutorials/networking/dns-caching?utm_source=docs) for more detail.
|
||||
|
||||
The following sub-keys are available:
|
||||
|
||||
|
|
|
@ -40,7 +40,7 @@ documented below in the
|
|||
configuration reload.
|
||||
|
||||
You can test the following configuration options by following the
|
||||
[Getting Started](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=consul.io&utm_medium=docs)
|
||||
[Getting Started](/consul/tutorials/getting-started/get-started-install?utm_source=docs)
|
||||
tutorials to install a local agent.
|
||||
|
||||
## Ports Used
|
||||
|
|
|
@ -73,11 +73,11 @@ Refer to the following sections for information about host, port, memory, and ot
|
|||
- [Server Performance](/docs/install/performance)
|
||||
- [Required Ports](/docs/install/ports)
|
||||
|
||||
The [Datacenter Deploy tutorial](https://learn.hashicorp.com/tutorials/consul/reference-architecture?in=consul/production-deploy#deployment-system-requirements) contains additional information, including licensing configuration, environment variables, and other details.
|
||||
The [Datacenter Deploy tutorial](/consul/tutorials/production-deploy/reference-architecture?utm_source=docs) contains additional information, including licensing configuration, environment variables, and other details.
|
||||
|
||||
### Maximum Latency Network requirements
|
||||
|
||||
Consul uses the gossip protocol to share information across agents. To function properly, you cannot exceed the protocol’s maximum latency threshold. The latency threshold is calculated according to the total round trip time (RTT) for communication between all agents. Other network usages outside of Gossip are not bound by these latency requirements (i.e. client to server RPCs, HTTP API requests, xDS proxy configuration, DNS).
|
||||
Consul uses the gossip protocol to share information across agents. To function properly, you cannot exceed the protocol's maximum latency threshold. The latency threshold is calculated according to the total round trip time (RTT) for communication between all agents. Other network usages outside of Gossip are not bound by these latency requirements (i.e. client to server RPCs, HTTP API requests, xDS proxy configuration, DNS).
|
||||
|
||||
For data sent between all Consul agents the following latency requirements must be met:
|
||||
|
||||
|
@ -97,7 +97,7 @@ The `-dev` flag is provided for learning purposes only.
|
|||
We strongly advise against using it for production environments.
|
||||
|
||||
-> **Getting Started Tutorials**: You can test a local agent by following the
|
||||
[Getting Started tutorials](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=consul.io&utm_medium=docs).
|
||||
[Getting Started tutorials](/consul/tutorials/getting-started/get-started-install?utm_source=docs).
|
||||
|
||||
When starting Consul with the `-dev` flag, the only additional information Consul needs to run is the location of a directory for storing agent state data.
|
||||
You can specify the location with the `-data-dir` flag or define the location in an external file and point the file with the `-config-file` flag.
|
||||
|
|
|
@ -27,13 +27,13 @@ it will dump the current telemetry information to the agent's `stderr`.
|
|||
|
||||
This telemetry information can be used for debugging or otherwise
|
||||
getting a better view of what Consul is doing. Review the [Monitoring and
|
||||
Metrics tutorial](https://learn.hashicorp.com/tutorials/consul/monitor-datacenter-health?utm_source=consul.io&utm_medium=docs) to learn how collect and interpret Consul data.
|
||||
Metrics tutorial](/consul/tutorials/day-2-operations/monitor-datacenter-health?utm_source=docs) to learn how collect and interpret Consul data.
|
||||
|
||||
Additionally, if the [`telemetry` configuration options](/docs/agent/config/config-files#telemetry)
|
||||
are provided, the telemetry information will be streamed to a
|
||||
[statsite](http://github.com/armon/statsite) or [statsd](http://github.com/etsy/statsd) server where
|
||||
it can be aggregated and flushed to Graphite or any other metrics store.
|
||||
For a configuration example for Telegraf, review the [Monitoring with Telegraf tutorial](https://learn.hashicorp.com/tutorials/consul/monitor-health-telegraf?utm_source=consul.io&utm_medium=docs).
|
||||
For a configuration example for Telegraf, review the [Monitoring with Telegraf tutorial](/consul/tutorials/day-2-operations/monitor-health-telegraf?utm_source=docs).
|
||||
|
||||
This
|
||||
information can also be viewed with the [metrics endpoint](/api-docs/agent#view-metrics) in JSON
|
||||
|
@ -456,7 +456,7 @@ These metrics are used to monitor the health of the Consul servers.
|
|||
| `consul.raft.leader.dispatchNumLogs` | Measures the number of logs committed to disk in a batch. | logs | gauge |
|
||||
| `consul.raft.leader.lastContact` | Measures the time since the leader was last able to contact the follower nodes when checking its leader lease. It can be used as a measure for how stable the Raft timing is and how close the leader is to timing out its lease.The lease timeout is 500 ms times the [`raft_multiplier` configuration](/docs/agent/config/config-files#raft_multiplier), so this telemetry value should not be getting close to that configured value, otherwise the Raft timing is marginal and might need to be tuned, or more powerful servers might be needed. See the [Server Performance](/docs/install/performance) guide for more details. | ms | timer |
|
||||
| `consul.raft.leader.oldestLogAge` | The number of milliseconds since the _oldest_ log in the leader's log store was written. This can be important for replication health where write rate is high and the snapshot is large as followers may be unable to recover from a restart if restoring takes longer than the minimum value for the current leader. Compare this with `consul.raft.fsm.lastRestoreDuration` and `consul.raft.rpc.installSnapshot` to monitor. In normal usage this gauge value will grow linearly over time until a snapshot completes on the leader and the log is truncated. Note: this metric won't be emitted until the leader writes a snapshot. After an upgrade to Consul 1.10.0 it won't be emitted until the oldest log was written after the upgrade. | ms | gauge |
|
||||
| `consul.raft.replication.heartbeat` | Measures the time taken to invoke appendEntries on a peer, so that it doesn’t timeout on a periodic basis. | ms | timer |
|
||||
| `consul.raft.replication.heartbeat` | Measures the time taken to invoke appendEntries on a peer, so that it doesn't timeout on a periodic basis. | ms | timer |
|
||||
| `consul.raft.replication.appendEntries` | Measures the time it takes to replicate log entries to followers. This is a general indicator of the load pressure on the Consul servers, as well as the performance of the communication between the servers. | ms | timer |
|
||||
| `consul.raft.replication.appendEntries.rpc` | Measures the time taken by the append entries RFC, to replicate the log entries of a leader agent onto its follower agent(s) | ms | timer |
|
||||
| `consul.raft.replication.appendEntries.logs` | Measures the number of logs replicated to an agent, to bring it up to speed with the leader's logs. | logs appended/ interval | counter |
|
||||
|
|
|
@ -15,7 +15,7 @@ Consul API Gateway is an add-on for Consul that helps users control access to se
|
|||
|
||||
Consul API Gateway solves the following primary use cases:
|
||||
|
||||
- **Controlling access at the point of entry**: Consul API Gateway allows users to set the protocols of external connection requests and provide clients with TLS certificates from trusted providers (e.g., Verisign, Let’s Encrypt).
|
||||
- **Controlling access at the point of entry**: Consul API Gateway allows users to set the protocols of external connection requests and provide clients with TLS certificates from trusted providers (e.g., Verisign, Let's Encrypt).
|
||||
- **Simplifying traffic management**: The Consul API Gateway can load balance requests across services and route traffic to the appropriate service by matching one or more criteria, such as hostname, path, header presence or value, and HTTP Method type (e.g., GET, POST, PATCH).
|
||||
|
||||
## How Does Consul API Gateway Work?
|
||||
|
@ -42,4 +42,4 @@ are used, see the [documentation in our GitHub repo](https://github.com/hashicor
|
|||
|
||||
## Additional Resources
|
||||
|
||||
You can learn more about using Consul API Gateway by completing the [Consul API Gateway tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-api-gateway).
|
||||
You can learn more about using Consul API Gateway by completing the [Consul API Gateway tutorial](/consul/tutorials/developer-mesh/kubernetes-api-gateway?utm_source=docs).
|
||||
|
|
|
@ -31,7 +31,7 @@ Network coordinates manifest in several ways inside Consul:
|
|||
|
||||
- [Prepared queries](/api-docs/query) can automatically fail over services
|
||||
to other Consul datacenters based on network round trip times. See the
|
||||
[Geo Failover](https://learn.hashicorp.com/tutorials/consul/automate-geo-failover) for some examples.
|
||||
[Geo Failover](/consul/tutorials/developer-discovery/automate-geo-failover?utm_source=docs) for some examples.
|
||||
|
||||
- The [Coordinate endpoint](/api-docs/coordinate) exposes raw network
|
||||
coordinates for use in other applications.
|
||||
|
|
|
@ -36,7 +36,7 @@ Without a quorum, Consul experiences an outage:
|
|||
it cannot provide most of its capabilities because they rely on
|
||||
the availability of this state information.
|
||||
If Consul has an outage, normal operation can be restored by following the
|
||||
[outage recovery guide](https://learn.hashicorp.com/tutorials/consul/recovery-outage).
|
||||
[outage recovery guide](/consul/tutorials/datacenter-operations/recovery-outage?utm_source=docs).
|
||||
|
||||
If Consul is deployed with 3 servers, the quorum size is 2. The deployment can lose 1
|
||||
server and still maintain quorum, so it has a fault tolerance of 1.
|
||||
|
@ -80,7 +80,7 @@ to protect your Consul datacenter from a single zone-level failure.
|
|||
For example, if deploying 5 Consul servers across 3 availability zones, place no more than 2 servers in each zone.
|
||||
If one zone fails, at most 2 servers are lost and quorum will be maintained by the 3 remaining servers.
|
||||
|
||||
To distribute your Consul servers across availability zones, modify your infrastructure configuration with your infrastructure provider. No change is needed to your Consul server’s agent configuration.
|
||||
To distribute your Consul servers across availability zones, modify your infrastructure configuration with your infrastructure provider. No change is needed to your Consul server's agent configuration.
|
||||
|
||||
Additionally, you should leverage resources that can automatically restore your compute instance,
|
||||
such as autoscaling groups, virtual machine scale sets, or compute engine autoscaler.
|
||||
|
@ -135,5 +135,5 @@ However, Consul redundancy zones can be used even without the backing of infrast
|
|||
For more information on redundancy zones, refer to:
|
||||
- [Redundancy zone documentation](/docs/enterprise/redundancy)
|
||||
for a more detailed explanation
|
||||
- [Redundancy zone tutorial](https://learn.hashicorp.com/tutorials/consul/redundancy-zones?in=consul/enterprise)
|
||||
- [Redundancy zone tutorial](/consul/tutorials/datacenter-operations/redundancy-zones?utm_source=docs)
|
||||
to learn how to use them
|
||||
|
|
|
@ -17,7 +17,7 @@ page documents the system architecture.
|
|||
[glossary](/docs/install/glossary) of terms to help
|
||||
clarify what is being discussed.
|
||||
|
||||
The architecture concepts in this document can be used with the [Reference Architecture guide](https://learn.hashicorp.com/tutorials/consul/reference-architecture?utm_source=consul.io&utm_medium=docs) when deploying Consul in production.
|
||||
The architecture concepts in this document can be used with the [Reference Architecture guide](/consul/tutorials/production-deploy/reference-architecture?utm_source=docs) when deploying Consul in production.
|
||||
|
||||
## 10,000 foot view
|
||||
|
||||
|
@ -27,7 +27,7 @@ From a 10,000 foot altitude the architecture of Consul looks like this:
|
|||
|
||||
Let's break down this image and describe each piece. First of all, we can see
|
||||
that there are two datacenters, labeled "one" and "two". Consul has first
|
||||
class support for [multiple datacenters](https://learn.hashicorp.com/tutorials/consul/federation-gossip-wan) and
|
||||
class support for [multiple datacenters](/consul/tutorials/networking/federation-gossip-wan?utm_source=docs) and
|
||||
expects this to be the common case.
|
||||
|
||||
Within each datacenter, we have a mixture of clients and servers. It is expected
|
||||
|
@ -67,7 +67,7 @@ an RPC request to the remote Consul servers for that resource and return the res
|
|||
If the remote datacenter is not available, then those resources will also not be
|
||||
available, but that won't otherwise affect the local datacenter. There are some special
|
||||
situations where a limited subset of data can be replicated, such as with Consul's built-in
|
||||
[ACL replication](https://learn.hashicorp.com/tutorials/consul/access-control-replication-multiple-datacenters) capability, or
|
||||
[ACL replication](/consul/tutorials/security-operations/access-control-replication-multiple-datacenters?utm_source=docs) capability, or
|
||||
external tools like [consul-replicate](https://github.com/hashicorp/consul-replicate).
|
||||
|
||||
In some places, client agents may cache data from the servers to make it
|
||||
|
|
|
@ -24,7 +24,7 @@ Service discovery provides benefits for all organizations, ranging from simplifi
|
|||
|
||||
## How does a service mesh work?
|
||||
|
||||
Service discovery uses a service's identity instead of traditional access information (IP address and port). This allows you to dynamically map services and track any changes within a service catalog. Service consumers (users or other services) then use DNS to dynamically retrieve other service’s access information from the service catalog. The lifecycle of a service may look like the following:
|
||||
Service discovery uses a service's identity instead of traditional access information (IP address and port). This allows you to dynamically map services and track any changes within a service catalog. Service consumers (users or other services) then use DNS to dynamically retrieve other service's access information from the service catalog. The lifecycle of a service may look like the following:
|
||||
|
||||
A service consumer communicates with the “Web” service via a unique Consul DNS entry provided by the service catalog.
|
||||
|
||||
|
@ -79,7 +79,7 @@ You can implement service discovery systems across any type of infrastructure, w
|
|||
|
||||
Consul is a service networking solution that lets you automate network configurations, discover services, and enable secure connectivity across any cloud or runtime. With these features, Consul helps you solve the complex networking and security challenges of operating microservices and cloud infrastructure (multi-cloud and hybrid cloud). You can use these features independently or together to achieve [zero trust](https://www.hashicorp.com/solutions/zero-trust-security) security.
|
||||
|
||||
Consul’s service discovery capabilities help you discover, track, and monitor the health of services within a network. Consul acts as a single source of truth that allows your services to query and communicate with each other.
|
||||
Consul's service discovery capabilities help you discover, track, and monitor the health of services within a network. Consul acts as a single source of truth that allows your services to query and communicate with each other.
|
||||
|
||||
You can use Consul with virtual machines (VMs), containers, serverless technologies, or with container orchestration platforms, such as [Nomad](https://www.nomadproject.io/) and Kubernetes. Consul is platform agnostic which makes it a great fit for all environments, including legacy platforms.
|
||||
|
||||
|
@ -91,6 +91,6 @@ Get started with service discovery today by leveraging Consul on HCP, Consul on
|
|||
|
||||
Feel free to get started with Consul by exploring one of these Consul Learn tutorials:
|
||||
|
||||
[Getting Started with Consul on VMs](https://learn.hashicorp.com/collections/consul/getting-started)
|
||||
[Getting Started with Consul on HCP](https://learn.hashicorp.com/collections/consul/cloud-get-started)
|
||||
[Getting Started with Consul on Kubernetes](https://learn.hashicorp.com/collections/consul/gs-consul-service-mesh)
|
||||
[Getting Started with Consul on VMs](/consul/tutorials/getting-started?utm_source=docs)
|
||||
[Getting Started with Consul on HCP](/consul/tutorials/cloud-get-started?utm_source=docs)
|
||||
[Getting Started with Consul on Kubernetes](/consul/tutorials/gs-consul-service-mesh?utm_source=docs)
|
|
@ -111,7 +111,7 @@ Consul is platform agnostic which makes it a great fit for all environments, inc
|
|||
Consul is available as a [self-install](/downloads) project or as a fully managed service mesh solution called [HCP Consul](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs).
|
||||
HCP Consul enables users to discover and securely connect services without the added operational burden of maintaining a service mesh on their own.
|
||||
|
||||
You can learn more about Consul by visiting the Consul Learn [tutorials](https://learn.hashicorp.com/consul).
|
||||
You can learn more about Consul by visiting the Consul Learn [tutorials](/consul/tutorials?utm_source=docs).
|
||||
|
||||
## Next
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ Please read the [certificate management overview](/docs/connect/ca)
|
|||
page first to understand how Consul manages certificates with configurable
|
||||
CA providers.
|
||||
|
||||
-> **NOTE**: A Learn [tutorial](https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-connect-ca?in=consul/vault-secure) is available to help you configure Vault as the Consul Connect service mesh Certification Authority.
|
||||
-> **NOTE**: A Learn [tutorial](/consul/tutorials/vault-secure/vault-pki-consul-connect-ca?utm_source=docs) is available to help you configure Vault as the Consul Connect service mesh Certification Authority.
|
||||
|
||||
## Requirements
|
||||
|
||||
|
|
|
@ -159,7 +159,7 @@ Sources = [
|
|||
|
||||
</CodeBlockConfig>
|
||||
|
||||
If the peer’s name is not specified in `Peer`, then Consul assumes that the service is in the local cluster.
|
||||
If the peer's name is not specified in `Peer`, then Consul assumes that the service is in the local cluster.
|
||||
|
||||
Then, add the configuration entry to your cluster.
|
||||
|
||||
|
|
|
@ -74,7 +74,7 @@ via API.
|
|||
|
||||
!> **Security note:** Enabling Connect is enough to try the feature but doesn't
|
||||
automatically ensure complete security. Please read the [Connect production
|
||||
tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-production-checklist) to understand the additional steps
|
||||
tutorial](/consul/tutorials/developer-mesh/service-mesh-production-checklist?utm_source=docs) to understand the additional steps
|
||||
needed for a secure deployment.
|
||||
|
||||
## Centralized Proxy and Service Configuration
|
||||
|
|
|
@ -15,7 +15,7 @@ but this information will help you understand how Consul service mesh behaves in
|
|||
Consul Connect is the component shipped with Consul that enables service mesh functionality. The terms _Consul Connect_ and _Consul service mesh_ are used interchangeably throughout this documentation.
|
||||
|
||||
To try service mesh locally, complete the [Getting Started with Consul service
|
||||
mesh](https://learn.hashicorp.com/tutorials/consul/service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
mesh](/consul/tutorials/gs-consul-service-mesh/service-mesh?utm_source=docs)
|
||||
tutorial.
|
||||
|
||||
## Mutual Transport Layer Security (mTLS)
|
||||
|
@ -97,7 +97,7 @@ a long period of inactivity (3 days by default), the cache will empty itself.
|
|||
|
||||
A sidecar proxy's [upstream configuration](/docs/connect/registration/service-registration#upstream-configuration-reference)
|
||||
may specify an alternative datacenter or a prepared query that can address services
|
||||
in multiple datacenters (such as the [geo failover](https://learn.hashicorp.com/tutorials/consul/automate-geo-failover) pattern).
|
||||
in multiple datacenters (such as the [geo failover](/consul/tutorials/developer-discovery/automate-geo-failover?utm_source=docs) pattern).
|
||||
|
||||
[Intentions](/docs/connect/intentions) verify connections between services by
|
||||
source and destination name seamlessly across datacenters.
|
||||
|
|
|
@ -7,7 +7,7 @@ description: >-
|
|||
|
||||
# Connectivity Tasks
|
||||
|
||||
~> **Note**: The features shown below are extensions of Consul’s service mesh capabilities. If you are not utilizing
|
||||
~> **Note**: The features shown below are extensions of Consul's service mesh capabilities. If you are not utilizing
|
||||
Consul service mesh then these features will not be relevant to your task.
|
||||
|
||||
## Service-to-service traffic between Consul datacenters
|
||||
|
@ -26,7 +26,7 @@ As of Consul 1.8.0, mesh gateways can also forward gossip and RPC traffic betwee
|
|||
This is enabled by [WAN federation via mesh gateways](/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways).
|
||||
|
||||
For more information about mesh gateways, review the [complete documentation](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters)
|
||||
and the [mesh gateway tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateways).
|
||||
and the [mesh gateway tutorial](/consul/tutorials/developer-mesh/service-mesh-gateways?utm_source=docs).
|
||||
|
||||
![Mesh Gateway Architecture](/img/mesh-gateways.png)
|
||||
|
||||
|
@ -40,11 +40,11 @@ services outside the Consul service mesh to services inside the service mesh.
|
|||
These gateways allow you to define what services should be exposed, on what port, and by what hostname. You configure
|
||||
an ingress gateway by defining a set of listeners that can map to different sets of backing services.
|
||||
|
||||
Ingress gateways are tightly integrated with Consul’s L7 configuration and enable dynamic routing of HTTP requests by
|
||||
Ingress gateways are tightly integrated with Consul's L7 configuration and enable dynamic routing of HTTP requests by
|
||||
attributes like the request path.
|
||||
|
||||
For more information about ingress gateways, review the [complete documentation](/docs/connect/gateways/ingress-gateway)
|
||||
and the [ingress gateway tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateways).
|
||||
and the [ingress gateway tutorial](/consul/tutorials/developer-mesh/service-mesh-gateways?utm_source=docs).
|
||||
|
||||
![Ingress Gateway Architecture](/img/ingress-gateways.png)
|
||||
|
||||
|
@ -60,11 +60,11 @@ infrastructure you do not control.
|
|||
Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate Connect
|
||||
mTLS connections, enforce Consul intentions, and forward requests to the appropriate destination.
|
||||
|
||||
These gateways also simplify authorization from dynamic service addresses. Consul’s intentions determine whether
|
||||
These gateways also simplify authorization from dynamic service addresses. Consul's intentions determine whether
|
||||
connections through the gateway are authorized. Then traditional tools like firewalls or IAM roles can authorize the
|
||||
connections from the known gateway nodes to the destination services.
|
||||
|
||||
For more information about terminating gateways, review the [complete documentation](/docs/connect/gateways/terminating-gateway)
|
||||
and the [terminating gateway tutorial](https://learn.hashicorp.com/tutorials/consul/teminating-gateways-connect-external-services).
|
||||
and the [terminating gateway tutorial](/consul/tutorials/developer-mesh/terminating-gateways-connect-external-services?utm_source=docs).
|
||||
|
||||
![Terminating Gateway Architecture](/img/terminating-gateways.png)
|
||||
|
|
|
@ -31,7 +31,7 @@ Mesh gateways enable the following scenarios:
|
|||
- **Service-to-service communication across datacenters**. Refer to [Enabling Service-to-service Traffic Across Datacenters](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters) for additional information.
|
||||
- **Service-to-service communication across admin partitions**. Since Consul 1.11.0, you can create administrative boundaries for single Consul deployments called "admin partitions". You can use mesh gateways to facilitate cross-partition communication. Refer to [Enabling Service-to-service Traffic Across Admin Partitions](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions) for additional information.
|
||||
|
||||
-> **Mesh gateway tutorial**: Follow the [mesh gateway tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateways) to learn concepts associated with mesh gateways.
|
||||
-> **Mesh gateway tutorial**: Follow the [mesh gateway tutorial](/consul/tutorials/developer-mesh/service-mesh-gateways?utm_source=docs) to learn concepts associated with mesh gateways.
|
||||
|
||||
## Ingress Gateways
|
||||
|
||||
|
@ -44,11 +44,11 @@ to services in the mesh. To accept ingress traffic from the public internet, use
|
|||
These gateways allow you to define what services should be exposed, on what port, and by what hostname. You configure
|
||||
an ingress gateway by defining a set of listeners that can map to different sets of backing services.
|
||||
|
||||
Ingress gateways are tightly integrated with Consul’s L7 configuration and enable dynamic routing of HTTP requests by
|
||||
Ingress gateways are tightly integrated with Consul's L7 configuration and enable dynamic routing of HTTP requests by
|
||||
attributes like the request path.
|
||||
|
||||
For more information about ingress gateways, review the [complete documentation](/docs/connect/gateways/ingress-gateway)
|
||||
and the [ingress gateway tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-ingress-gateways).
|
||||
and the [ingress gateway tutorial](/consul/tutorials/developer-mesh/service-mesh-ingress-gateways?utm_source=docs).
|
||||
|
||||
![Ingress Gateway Architecture](/img/ingress-gateways.png)
|
||||
|
||||
|
@ -65,11 +65,11 @@ infrastructure you do not control.
|
|||
Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate Connect
|
||||
mTLS connections, enforce Consul intentions, and forward requests to the appropriate destination.
|
||||
|
||||
These gateways also simplify authorization from dynamic service addresses. Consul’s intentions determine whether
|
||||
These gateways also simplify authorization from dynamic service addresses. Consul's intentions determine whether
|
||||
connections through the gateway are authorized. Then traditional tools like firewalls or IAM roles can authorize the
|
||||
connections from the known gateway nodes to the destination services.
|
||||
|
||||
For more information about terminating gateways, review the [complete documentation](/docs/connect/gateways/terminating-gateway)
|
||||
and the [terminating gateway tutorial](https://learn.hashicorp.com/tutorials/consul/teminating-gateways-connect-external-services).
|
||||
and the [terminating gateway tutorial](/consul/tutorials/developer-mesh/terminating-gateways-connect-external-services?utm_source=docs).
|
||||
|
||||
![Terminating Gateway Architecture](/img/terminating-gateways.png)
|
||||
|
|
|
@ -48,7 +48,7 @@ Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with ingress ga
|
|||
## Running and Using an Ingress Gateway
|
||||
|
||||
For a complete example of how to allow external traffic inside your Consul service mesh,
|
||||
review the [ingress gateway tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-ingress-gateways).
|
||||
review the [ingress gateway tutorial](/consul/tutorials/developer-mesh/service-mesh-ingress-gateways?utm_source=docs).
|
||||
|
||||
## Ingress Gateway Configuration
|
||||
|
||||
|
|
|
@ -20,7 +20,7 @@ The following diagram describes the architecture for using mesh gateways for cro
|
|||
|
||||
![Mesh Gateway Architecture](/img/mesh-gateways.png)
|
||||
|
||||
-> **Mesh Gateway Tutorial**: Follow the [mesh gateway tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateways) to learn important concepts associated with using mesh gateways for connecting services across datacenters.
|
||||
-> **Mesh Gateway Tutorial**: Follow the [mesh gateway tutorial](/consul/tutorials/developer-mesh/service-mesh-gateways?utm_source=docs) to learn important concepts associated with using mesh gateways for connecting services across datacenters.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
|
@ -32,7 +32,7 @@ Ensure that your Consul environment meets the following requirements.
|
|||
* A local Consul agent is required to manage its configuration.
|
||||
* Consul [Connect](/docs/agent/config/config-files#connect) must be enabled in both datacenters.
|
||||
* Each [datacenter](/docs/agent/config/config-files#datacenter) must have a unique name.
|
||||
* Each datacenters must be [WAN joined](https://learn.hashicorp.com/tutorials/consul/federation-gossip-wan).
|
||||
* Each datacenters must be [WAN joined](/consul/tutorials/networking/federation-gossip-wan?utm_source=docs).
|
||||
* The [primary datacenter](/docs/agent/config/config-files#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for Connect certificates and is required for services in all datacenters to establish mutual TLS with each other.
|
||||
* [gRPC](/docs/agent/config/config-files#grpc_port) must be enabled.
|
||||
* If you want to [enable gateways globally](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters#enabling-gateways-globally) you must enable [centralized configuration](/docs/agent/config/config-files#enable_central_service_config).
|
||||
|
|
|
@ -15,7 +15,7 @@ WAN federation via mesh gateways allows for Consul servers in different datacent
|
|||
to be federated exclusively through mesh gateways.
|
||||
|
||||
When setting up a
|
||||
[multi-datacenter](https://learn.hashicorp.com/tutorials/consul/federation-gossip-wan)
|
||||
[multi-datacenter](/consul/tutorials/networking/federation-gossip-wan?utm_source=docs)
|
||||
Consul cluster, operators must ensure that all Consul servers in every
|
||||
datacenter must be directly connectable over their WAN-advertised network
|
||||
address from each other.
|
||||
|
@ -63,7 +63,7 @@ means you could introduce a set of firewall rules prohibiting `10.0.0.0/24`
|
|||
from sending any traffic at all to `10.1.2.0/24` for security isolation.
|
||||
|
||||
You may already have configured [mesh
|
||||
gateways](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateways)
|
||||
gateways](/consul/tutorials/developer-mesh/service-mesh-gateways?utm_source=docs)
|
||||
to allow for services in the service mesh to freely connect between datacenters
|
||||
regardless of the lateral connectivity of the nodes hosting the Consul client
|
||||
agents.
|
||||
|
@ -102,7 +102,7 @@ each datacenter otherwise the WAN will become only partly connected.
|
|||
|
||||
There are a few necessary additional pieces of configuration beyond those
|
||||
required for standing up a
|
||||
[multi-datacenter](https://learn.hashicorp.com/tutorials/consul/federation-gossip-wan)
|
||||
[multi-datacenter](/consul/tutorials/networking/federation-gossip-wan?utm_source=docs)
|
||||
Consul cluster.
|
||||
|
||||
Consul servers in the _primary_ datacenter should add this snippet to the
|
||||
|
|
|
@ -19,7 +19,7 @@ and forward requests to the appropriate destination.
|
|||
![Terminating Gateway Architecture](/img/terminating-gateways.png)
|
||||
|
||||
For additional use cases and usage patterns, review the tutorial for
|
||||
[understanding terminating gateways](https://learn.hashicorp.com/tutorials/consul/service-mesh-terminating-gateways).
|
||||
[understanding terminating gateways](/consul/tutorials/developer-mesh/service-mesh-terminating-gateways?utm_source=docs).
|
||||
|
||||
~> **Known limitations:** Terminating gateways currently do not support targeting service subsets with
|
||||
[L7 configuration](/docs/connect/l7-traffic). They route to all instances of a service with no capabilities
|
||||
|
@ -79,7 +79,7 @@ a terminating gateway as long as they discover upstreams with the
|
|||
## Running and Using a Terminating Gateway
|
||||
|
||||
For a complete example of how to enable connections from services in the Consul service mesh to
|
||||
services outside the mesh, review the [terminating gateway tutorial](https://learn.hashicorp.com/tutorials/consul/teminating-gateways-connect-external-services).
|
||||
services outside the mesh, review the [terminating gateway tutorial](/consul/tutorials/developer-mesh/terminating-gateways-connect-external-services?utm_source=docs).
|
||||
|
||||
## Terminating Gateway Configuration
|
||||
|
||||
|
@ -129,4 +129,4 @@ After you define a service-defaults configuration entry for each destination, yo
|
|||
If a service and a destination service-defaults have the same name, the terminating gateway will use the service.
|
||||
|
||||
For a complete example of how to register external services review the
|
||||
[external services tutorial](https://learn.hashicorp.com/tutorials/consul/service-registration-external-services).
|
||||
[external services tutorial](/consul/tutorials/developer-discovery/service-registration-external-services?utm_source=docs).
|
||||
|
|
|
@ -51,24 +51,24 @@ applications can also send open tracing data through Envoy.
|
|||
|
||||
There are several ways to try Connect in different environments.
|
||||
|
||||
- The [Getting Started with Consul Service Mesh collection](https://learn.hashicorp.com/tutorials/consul/service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
- The [Getting Started with Consul Service Mesh collection](/consul/tutorials/gs-consul-service-mesh/service-mesh?utm_source=docs)
|
||||
walks you through installing Consul as service mesh for Kubernetes using the Helm
|
||||
chart, deploying services in the service mesh, and using intentions to secure service
|
||||
communications.
|
||||
|
||||
- The [Getting Started With Consul Service Mesh for Kubernetes](https://learn.hashicorp.com/tutorials/consul/service-mesh-deploy?in=consul/gs-consul-service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) guide walks you through installing Consul on Kubernetes to set up a service mesh for establishing communication between Kubernetes services.
|
||||
- The [Getting Started With Consul Service Mesh for Kubernetes](/consul/tutorials/gs-consul-service-mesh/service-mesh-deploy?utm_source=docs) guide walks you through installing Consul on Kubernetes to set up a service mesh for establishing communication between Kubernetes services.
|
||||
|
||||
- The [Secure Service-to-Service Communication tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-with-envoy-proxy?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
- The [Secure Service-to-Service Communication tutorial](/consul/tutorials/developer-mesh/service-mesh-with-envoy-proxy?utm_source=docs)
|
||||
is a simple walk through of connecting two services on your local machine
|
||||
using Consul Connect's built-in proxy and configuring your first intention. The guide also includes an introduction to
|
||||
using Envoy as the Connect sidecar proxy.
|
||||
|
||||
- The [Kubernetes tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-minikube?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
- The [Kubernetes tutorial](/consul/tutorials/kubernetes/kubernetes-minikube?utm_source=docs)
|
||||
walks you through configuring Consul Connect in Kubernetes using the Helm
|
||||
chart, and using intentions. You can run the guide on Minikube or an existing
|
||||
Kubernetes cluster.
|
||||
|
||||
- The [observability tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-layer7-observability?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
- The [observability tutorial](/consul/tutorials/service-mesh-observability/kubernetes-layer7-observability?utm_source=docs)
|
||||
shows how to deploy a basic metrics collection and visualization pipeline on
|
||||
a Minikube or Kubernetes cluster using the official Helm charts for Consul,
|
||||
Prometheus, and Grafana.
|
||||
|
|
|
@ -46,7 +46,7 @@ Envoy 1.16.x and older releases are no longer supported (see [HCSEC-2022-07](htt
|
|||
## Getting Started
|
||||
|
||||
To get started with Envoy and see a working example you can follow the [Using
|
||||
Envoy with Connect](https://learn.hashicorp.com/tutorials/consul/service-mesh-with-envoy-proxy) tutorial.
|
||||
Envoy with Connect](/consul/tutorials/developer-mesh/service-mesh-with-envoy-proxy?utm_source=docs) tutorial.
|
||||
|
||||
## Configuration
|
||||
|
||||
|
|
|
@ -16,9 +16,6 @@ To simplify the configuration experience when deploying a sidecar for a service
|
|||
instance, Consul 1.3 introduced a new field in the Connect block of the [service
|
||||
definition](/docs/discovery/services).
|
||||
|
||||
To deploy a service and sidecar proxy locally, complete the
|
||||
[Getting Started guide](https://learn.hashicorp.com/tutorials/consul/get-started-service-networking?utm_source=consul.io&utm_medium=docs).
|
||||
|
||||
The `connect.sidecar_service` field is a complete nested service definition on
|
||||
which almost any regular service definition field can be set. The exceptions are
|
||||
[noted below](#limitations). If used, the service definition is treated
|
||||
|
|
|
@ -12,9 +12,9 @@ description: |-
|
|||
Connect enables secure service-to-service communication over mutual TLS. This
|
||||
provides both in-transit data encryption as well as authorization. This page
|
||||
will document how to secure Connect. To try Connect locally, complete the
|
||||
[Getting Started guide](https://learn.hashicorp.com/tutorials/consul/service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) or for a full security model reference,
|
||||
[Getting Started guide](/consul/tutorials/gs-consul-service-mesh/service-mesh?utm_source=docs) or for a full security model reference,
|
||||
see the dedicated [Consul security model](/docs/security) page. When
|
||||
setting up Connect in production, review this [tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-production-checklist?utm_source=consul.io&utm_medium=docs).
|
||||
setting up Connect in production, review this [tutorial](/consul/tutorials/developer-mesh/service-mesh-production-checklist?utm_source=docs).
|
||||
|
||||
Connect will function in any Consul configuration. However, unless the checklist
|
||||
below is satisfied, Connect is not providing the security guarantees it was
|
||||
|
@ -36,7 +36,7 @@ configuration also forces all service-to-service communication to be explicitly
|
|||
allowed via an allow [intention](/docs/connect/intentions).
|
||||
|
||||
To learn how to enable ACLs, please see the
|
||||
[tutorial on ACLs](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production).
|
||||
[tutorial on ACLs](/consul/tutorials/security/access-control-setup-production?utm_source=docs).
|
||||
|
||||
**If ACLs are enabled but are in default allow mode**, then services will be
|
||||
able to communicate by default. Additionally, if a proper anonymous token
|
||||
|
|
|
@ -13,8 +13,148 @@ description: >-
|
|||
One of the primary roles of the agent is management of system-level and application-level health
|
||||
checks. A health check is considered to be application-level if it is associated with a
|
||||
service. If not associated with a service, the check monitors the health of the entire node.
|
||||
Review the [health checks tutorial](/consul/tutorials/developer-discovery/service-registration-health-checks?utm_source=docs)
|
||||
to get a more complete example on how to leverage health check capabilities in Consul.
|
||||
|
||||
Review the [service health checks tutorial](https://learn.hashicorp.com/tutorials/consul/service-registration-health-checks)
|
||||
A check is defined in a configuration file or added at runtime over the HTTP interface. Checks
|
||||
created via the HTTP interface persist with that node.
|
||||
|
||||
There are several different kinds of checks:
|
||||
|
||||
- Script + Interval - These checks depend on invoking an external application
|
||||
that performs the health check, exits with an appropriate exit code, and potentially
|
||||
generates some output. A script is paired with an invocation interval (e.g.
|
||||
every 30 seconds). This is similar to the Nagios plugin system. The output of
|
||||
a script check is limited to 4KB. Output larger than this will be truncated.
|
||||
By default, Script checks will be configured with a timeout equal to 30 seconds.
|
||||
It is possible to configure a custom Script check timeout value by specifying the
|
||||
`timeout` field in the check definition. When the timeout is reached on Windows,
|
||||
Consul will wait for any child processes spawned by the script to finish. For any
|
||||
other system, Consul will attempt to force-kill the script and any child processes
|
||||
it has spawned once the timeout has passed.
|
||||
In Consul 0.9.0 and later, script checks are not enabled by default. To use them you
|
||||
can either use :
|
||||
|
||||
- [`enable_local_script_checks`](/docs/agent/config/cli-flags#_enable_local_script_checks):
|
||||
enable script checks defined in local config files. Script checks defined via the HTTP
|
||||
API will not be allowed.
|
||||
- [`enable_script_checks`](/docs/agent/config/cli-flags#_enable_script_checks): enable
|
||||
script checks regardless of how they are defined.
|
||||
|
||||
~> **Security Warning:** Enabling script checks in some configurations may
|
||||
introduce a remote execution vulnerability which is known to be targeted by
|
||||
malware. We strongly recommend `enable_local_script_checks` instead. See [this
|
||||
blog post](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations)
|
||||
for more details.
|
||||
|
||||
- `HTTP + Interval` - These checks make an HTTP `GET` request to the specified URL,
|
||||
waiting the specified `interval` amount of time between requests (eg. 30 seconds).
|
||||
The status of the service depends on the HTTP response code: any `2xx` code is
|
||||
considered passing, a `429 Too ManyRequests` is a warning, and anything else is
|
||||
a failure. This type of check
|
||||
should be preferred over a script that uses `curl` or another external process
|
||||
to check a simple HTTP operation. By default, HTTP checks are `GET` requests
|
||||
unless the `method` field specifies a different method. Additional header
|
||||
fields can be set through the `header` field which is a map of lists of
|
||||
strings, e.g. `{"x-foo": ["bar", "baz"]}`. By default, HTTP checks will be
|
||||
configured with a request timeout equal to 10 seconds.
|
||||
|
||||
It is possible to configure a custom HTTP check timeout value by
|
||||
specifying the `timeout` field in the check definition. The output of the
|
||||
check is limited to roughly 4KB. Responses larger than this will be truncated.
|
||||
HTTP checks also support TLS. By default, a valid TLS certificate is expected.
|
||||
Certificate verification can be turned off by setting the `tls_skip_verify`
|
||||
field to `true` in the check definition. When using TLS, the SNI will be set
|
||||
automatically from the URL if it uses a hostname (as opposed to an IP address);
|
||||
the value can be overridden by setting `tls_server_name`.
|
||||
|
||||
Consul follows HTTP redirects by default. Set the `disable_redirects` field to
|
||||
`true` to disable redirects.
|
||||
|
||||
- `TCP + Interval` - These checks make a TCP connection attempt to the specified
|
||||
IP/hostname and port, waiting `interval` amount of time between attempts
|
||||
(e.g. 30 seconds). If no hostname
|
||||
is specified, it defaults to "localhost". The status of the service depends on
|
||||
whether the connection attempt is successful (ie - the port is currently
|
||||
accepting connections). If the connection is accepted, the status is
|
||||
`success`, otherwise the status is `critical`. In the case of a hostname that
|
||||
resolves to both IPv4 and IPv6 addresses, an attempt will be made to both
|
||||
addresses, and the first successful connection attempt will result in a
|
||||
successful check. This type of check should be preferred over a script that
|
||||
uses `netcat` or another external process to check a simple socket operation.
|
||||
By default, TCP checks will be configured with a request timeout of 10 seconds.
|
||||
It is possible to configure a custom TCP check timeout value by specifying the
|
||||
`timeout` field in the check definition.
|
||||
|
||||
- `UDP + Interval` - These checks direct the client to periodically send UDP datagrams
|
||||
to the specified IP/hostname and port. The duration specified in the `interval` field sets the amount of time
|
||||
between attempts, such as `30s` to indicate 30 seconds. The check is logged as healthy if any response from the UDP server is received. Any other result sets the status to `critical`.
|
||||
The default interval for, UDP checks is `10s`, but you can configure a custom UDP check timeout value by specifying the
|
||||
`timeout` field in the check definition. If any timeout on read exists, the check is still considered healthy.
|
||||
|
||||
- `Time to Live (TTL)` ((#ttl)) - These checks retain their last known state
|
||||
for a given TTL. The state of the check must be updated periodically over the HTTP
|
||||
interface. If an external system fails to update the status within a given TTL,
|
||||
the check is set to the failed state. This mechanism, conceptually similar to a
|
||||
dead man's switch, relies on the application to directly report its health. For
|
||||
example, a healthy app can periodically `PUT` a status update to the HTTP endpoint;
|
||||
if the app fails, the TTL will expire and the health check enters a critical state.
|
||||
The endpoints used to update health information for a given check are: [pass](/api-docs/agent/check#ttl-check-pass),
|
||||
[warn](/api-docs/agent/check#ttl-check-warn), [fail](/api-docs/agent/check#ttl-check-fail),
|
||||
and [update](/api-docs/agent/check#ttl-check-update). TTL checks also persist their
|
||||
last known status to disk. This allows the Consul agent to restore the last known
|
||||
status of the check across restarts. Persisted check status is valid through the
|
||||
end of the TTL from the time of the last check.
|
||||
|
||||
- `Docker + Interval` - These checks depend on invoking an external application which
|
||||
is packaged within a Docker Container. The application is triggered within the running
|
||||
container via the Docker Exec API. We expect that the Consul agent user has access
|
||||
to either the Docker HTTP API or the unix socket. Consul uses `$DOCKER_HOST` to
|
||||
determine the Docker API endpoint. The application is expected to run, perform a health
|
||||
check of the service running inside the container, and exit with an appropriate exit code.
|
||||
The check should be paired with an invocation interval. The shell on which the check
|
||||
has to be performed is configurable which makes it possible to run containers which
|
||||
have different shells on the same host. Check output for Docker is limited to
|
||||
4KB. Any output larger than this will be truncated. In Consul 0.9.0 and later, the agent
|
||||
must be configured with [`enable_script_checks`](/docs/agent/config/cli-flags#_enable_script_checks)
|
||||
set to `true` in order to enable Docker health checks.
|
||||
|
||||
- `gRPC + Interval` - These checks are intended for applications that support the standard
|
||||
[gRPC health checking protocol](https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
|
||||
The state of the check will be updated by probing the configured endpoint, waiting `interval`
|
||||
amount of time between probes (eg. 30 seconds). By default, gRPC checks will be configured
|
||||
with a default timeout of 10 seconds.
|
||||
It is possible to configure a custom timeout value by specifying the `timeout` field in
|
||||
the check definition. gRPC checks will default to not using TLS, but TLS can be enabled by
|
||||
setting `grpc_use_tls` in the check definition. If TLS is enabled, then by default, a valid
|
||||
TLS certificate is expected. Certificate verification can be turned off by setting the
|
||||
`tls_skip_verify` field to `true` in the check definition.
|
||||
To check on a specific service instead of the whole gRPC server, add the service identifier after the `gRPC` check's endpoint in the following format `/:service_identifier`.
|
||||
|
||||
- `H2ping + Interval` - These checks test an endpoint that uses http2
|
||||
by connecting to the endpoint and sending a ping frame. TLS is assumed to be configured by default.
|
||||
To disable TLS and use h2c, set `h2ping_use_tls` to `false`. If the ping is successful
|
||||
within a specified timeout, then the check is updated as passing.
|
||||
The timeout defaults to 10 seconds, but is configurable using the `timeout` field. If TLS is enabled a valid
|
||||
certificate is required, unless `tls_skip_verify` is set to `true`.
|
||||
The check will be run on the interval specified by the `interval` field.
|
||||
|
||||
- `Alias` - These checks alias the health state of another registered
|
||||
node or service. The state of the check will be updated asynchronously, but is
|
||||
nearly instant. For aliased services on the same agent, the local state is monitored
|
||||
and no additional network resources are consumed. For other services and nodes,
|
||||
the check maintains a blocking query over the agent's connection with a current
|
||||
server and allows stale requests. If there are any errors in watching the aliased
|
||||
node or service, the check state will be critical. For the blocking query, the
|
||||
check will use the ACL token set on the service or check definition or otherwise
|
||||
will fall back to the default ACL token set with the agent (`acl_token`).
|
||||
|
||||
## Check Definition
|
||||
|
||||
A script check:
|
||||
=======
|
||||
|
||||
Review the [service health checks tutorial](/consul/tutorials/developer-discovery/service-registration-health-checks?utm_source=docs)
|
||||
to get a more complete example on how to leverage health check capabilities in Consul.
|
||||
|
||||
## Registering a health check
|
||||
|
|
|
@ -35,7 +35,7 @@ as the DNS server for a node and provide a
|
|||
[`recursors`](/docs/agent/config/config-files#recursors) configuration so that non-Consul queries
|
||||
can also be resolved. The last method is to forward all queries for the "consul."
|
||||
domain to a Consul agent from the existing DNS server. Review the
|
||||
[DNS Forwarding tutorial](https://learn.hashicorp.com/tutorials/consul/dns-forwarding?utm_source=consul.io&utm_medium=docs) for examples.
|
||||
[DNS Forwarding tutorial](/consul/tutorials/networking/dns-forwarding?utm_source=docs) for examples.
|
||||
|
||||
You can experiment with Consul's DNS server on the command line using tools such as `dig`:
|
||||
|
||||
|
@ -469,7 +469,7 @@ as there is no way for the query to specify a domain.
|
|||
By default, all DNS results served by Consul set a 0 TTL value. This disables
|
||||
caching of DNS results. However, there are many situations in which caching is
|
||||
desirable for performance and scalability. This is discussed more in the tutorial
|
||||
for [DNS caching](https://learn.hashicorp.com/tutorials/consul/dns-caching).
|
||||
for [DNS caching](/consul/tutorials/networking/dns-caching?utm_source=docs).
|
||||
|
||||
## WAN Address Translation
|
||||
|
||||
|
@ -540,5 +540,5 @@ DNS lookups and required policies when ACLs are enabled:
|
|||
For guidance on how to configure an appropriate token for DNS, refer to the
|
||||
securing Consul with ACLs guides for:
|
||||
|
||||
- [Production Environments](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production#token-for-dns)
|
||||
- [Development Environments](https://learn.hashicorp.com/tutorials/consul/access-control-setup#additional-acl-configuration)
|
||||
- [Production Environments](/consul/tutorials/security/access-control-setup-production?utm_source=docs#token-for-dns)
|
||||
- [Development Environments](/consul/tutorials/day-0/access-control-setup?utm_source=docs#enable-acls-on-consul-clients)
|
||||
|
|
|
@ -19,7 +19,7 @@ a health check. A health check associated with a service is considered to be an
|
|||
application-level check. Define services in a configuration file or add it at
|
||||
runtime using the HTTP interface.
|
||||
|
||||
Complete the [Getting Started tutorials](https://learn.hashicorp.com/tutorials/consul/get-started-service-discovery?utm_source=consul.io&utm_medium=docs) to get hands-on experience registering a simple service with a health check on your local machine.
|
||||
Complete the [Getting Started tutorials](/consul/tutorials/getting-started/get-started-service-discovery?utm_source=docs) to get hands-on experience registering a simple service with a health check on your local machine.
|
||||
|
||||
## Service Definition
|
||||
|
||||
|
|
|
@ -16,13 +16,13 @@ similarities to one.
|
|||
The Consul KV datastore is located on the servers, but can be accessed by any
|
||||
agent (client or server). The natively integrated [RPC
|
||||
functionality](/docs/architecture) allows clients to forward
|
||||
requests to servers, including key/value reads and writes. Part of Consul’s
|
||||
requests to servers, including key/value reads and writes. Part of Consul's
|
||||
core design allows data to be replicated automatically across all the servers.
|
||||
Having a quorum of servers will decrease the risk of data loss if an outage
|
||||
occurs.
|
||||
|
||||
If you have not used Consul KV, check out this [Getting Started
|
||||
tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-key-value-store?utm_source=consul.io&utm_medium=docs) on HashiCorp
|
||||
tutorial](/consul/tutorials/getting-started/get-started-key-value-store?utm_source=docs) on HashiCorp
|
||||
Learn.
|
||||
|
||||
## Accessing the KV store
|
||||
|
@ -30,7 +30,7 @@ Learn.
|
|||
The KV store can be accessed by the [consul kv CLI
|
||||
subcommands](/commands/kv), [HTTP API](/api-docs/kv), and Consul UI.
|
||||
To restrict access, enable and configure
|
||||
[ACLs](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production).
|
||||
[ACLs](/consul/tutorials/security/access-control-setup-production?utm_source=docs).
|
||||
Once the ACL system has been bootstrapped, users and services, will need a
|
||||
valid token with KV [privileges](/docs/security/acl/acl-rules#key-value-rules) to
|
||||
access the the data store, this includes even reads. We recommend creating a
|
||||
|
@ -67,7 +67,7 @@ using the API and in shell scripts.
|
|||
|
||||
If you plan to use Consul KV as part of your configuration management process
|
||||
review the [Consul
|
||||
Template](https://learn.hashicorp.com/tutorials/consul/consul-template)
|
||||
Template](/consul/tutorials/developer-configuration/consul-template?utm_source=docs)
|
||||
tutorial on how to update configuration based on value updates in the KV. Consul
|
||||
Template is based on Go Templates and allows for a series of scripted actions
|
||||
to be initiated on value changes to a Consul key.
|
||||
|
@ -89,10 +89,10 @@ increment to the `LockIndex` and the session value is updated to reflect the
|
|||
session holding the lock. Review the session documentation for more information
|
||||
on the [integration](/docs/dynamic-app-config/sessions#k-v-integration).
|
||||
|
||||
Review the following tutorials to learn how to use Consul sessions for [application leader election](https://learn.hashicorp.com/tutorials/consul/application-leader-elections) and
|
||||
to [build distributed semaphores](https://learn.hashicorp.com/tutorials/consul/distributed-semaphore).
|
||||
Review the following tutorials to learn how to use Consul sessions for [application leader election](/consul/tutorials/developer-configuration/application-leader-elections?utm_source=docs) and
|
||||
to [build distributed semaphores](/consul/tutorials/developer-configuration/distributed-semaphore?utm_source=docs).
|
||||
|
||||
### Vault
|
||||
|
||||
If you plan to use Consul KV as a backend for Vault, please review [this
|
||||
tutorial](https://learn.hashicorp.com/tutorials/vault/ha-with-consul).
|
||||
tutorial](/vault/tutorials/day-one-consul/ha-with-consul?utm_source=docs).
|
||||
|
|
|
@ -139,7 +139,7 @@ the goal of Consul to protect against misbehaving clients.
|
|||
|
||||
The primitives provided by sessions and the locking mechanisms of the KV
|
||||
store can be used to build client-side leader election algorithms.
|
||||
These are covered in more detail in the [Leader Election guide](https://learn.hashicorp.com/tutorials/consul/application-leader-elections).
|
||||
These are covered in more detail in the [Leader Election guide](/consul/tutorials/developer-configuration/application-leader-elections?utm_source=docs).
|
||||
|
||||
## Prepared Query Integration
|
||||
|
||||
|
|
|
@ -52,7 +52,7 @@ This diagram shows the timeline of a task starting up and all its containers:
|
|||
permissions for the service and its sidecar proxy. This token is written to a shared
|
||||
volume for use by the `health-sync` container.
|
||||
- It registers the service for the current task and its sidecar proxy with Consul.
|
||||
- It runs `consul connect envoy -bootstrap` to generate Envoy’s bootstrap JSON file and
|
||||
- It runs `consul connect envoy -bootstrap` to generate Envoy's bootstrap JSON file and
|
||||
writes it to a shared volume.
|
||||
- **T1:** The following containers start:
|
||||
- `sidecar-proxy` starts using a custom entrypoint command, `consul-ecs envoy-entrypoint`.
|
||||
|
|
|
@ -31,8 +31,8 @@ For a detailed architecture overview, see the [Architecture](/docs/ecs/architect
|
|||
|
||||
There are several ways to get started with Consul with ECS.
|
||||
|
||||
* The [Serverless Consul Service Mesh with ECS and HCP](https://learn.hashicorp.com/tutorials/cloud/consul-ecs-hcp?in=consul/cloud-integrations) learn guide shows how to use Terraform to run Consul service mesh applications on ECS with managed Consul servers running in HashiCorp Cloud Platform (HCP).
|
||||
* The [Service Mesh with ECS and Consul on EC2](https://learn.hashicorp.com/tutorials/consul/consul-ecs-ec2?in=consul/cloud-integrations) learn guide shows how to use Terraform to run Consul service mesh applications on ECS with Consul servers running on EC2 instances.
|
||||
* The [Serverless Consul Service Mesh with ECS and HCP](/consul/tutorials/cloud-integrations/consul-ecs-hcp?utm_source=docs) learn guide shows how to use Terraform to run Consul service mesh applications on ECS with managed Consul servers running in HashiCorp Cloud Platform (HCP).
|
||||
* The [Service Mesh with ECS and Consul on EC2](/consul/tutorials/cloud-integrations/consul-ecs-ec2?utm_source=docs) learn guide shows how to use Terraform to run Consul service mesh applications on ECS with Consul servers running on EC2 instances.
|
||||
* The [Consul with Dev Server on Fargate](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-fargate) example installation deploys a sample application in ECS using the Fargate launch type.
|
||||
* The [Consul with Dev Server on EC2](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-ec2) example installation deploys a sample application in ECS using the EC2 launch type.
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ This topic describes how to manually deploy the ACL controller, which will autom
|
|||
|
||||
* Your application tasks must include certain tags to be compatible with the ACL controller.
|
||||
Refer to the [Task Tags](/docs/ecs/manual/install#task-tags) section of the installation page.
|
||||
* You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the [Learn Guides about Consul Security](https://learn.hashicorp.com/collections/consul/security) for an introduction and the [ACL system](/docs/security/acl) documentation for more information.
|
||||
* You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the [Learn Guides about Consul Security](/consul/tutorials/security?utm_source=docs) for an introduction and the [ACL system](/docs/security/acl) documentation for more information.
|
||||
* If you are using Consul with multiple ECS clusters, each cluster requires its own instance of the ACL controller.
|
||||
|
||||
## Set Up Secrets
|
||||
|
|
|
@ -21,7 +21,7 @@ You should already have followed the [manual installation instructions](/docs/ec
|
|||
|
||||
You should be familiar with [specifying sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) on ECS.
|
||||
|
||||
You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the [ACL system documentation](/docs/security/acl) and [Day 1: Security tutorials](https://learn.hashicorp.com/collections/consul/security) for an introduction and additional information.
|
||||
You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the [ACL system documentation](/docs/security/acl) and [Day 1: Security tutorials](/consul/tutorials/security?utm_source=docs) for an introduction and additional information.
|
||||
|
||||
## Auth Method
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ description: >-
|
|||
|
||||
# Installation with Terraform
|
||||
|
||||
This topic describes how to use HashiCorp’s Terraform modules to launch your application in AWS ECS as part of Consul service mesh. If you do not use Terraform, refer to the [Manual Installation](/docs/ecs/manual/install) page to install Consul on ECS without Terraform.
|
||||
This topic describes how to use HashiCorp's Terraform modules to launch your application in AWS ECS as part of Consul service mesh. If you do not use Terraform, refer to the [Manual Installation](/docs/ecs/manual/install) page to install Consul on ECS without Terraform.
|
||||
|
||||
This topic does not include instructions for creating all AWS resources necessary to install Consul, such as a VPC or the ECS cluster. Refer to the guides in the [Getting Started](/docs/ecs#getting-started) section for complete and runnable examples.
|
||||
|
||||
|
|
|
@ -24,8 +24,8 @@ Admin partitions exist a level above namespaces in the identity hierarchy. They
|
|||
|
||||
There are Learn tutorials available to help you get started with admin partitions.
|
||||
|
||||
- [Multi-Tenancy with Administrative Partitions](https://learn.hashicorp.com/tutorials/consul/consul-admin-partitions?in=consul/enterprise)
|
||||
- [Multi Cluster Applications with Consul Enterprise Admin Partitions](https://learn.hashicorp.com/tutorials/consul/kubernetes-admin-partitions?in=consul/kubernetes)
|
||||
- [Multi-Tenancy with Administrative Partitions](/consul/tutorials/enterprise/consul-admin-partitions?utm_source=docs)
|
||||
- [Multi Cluster Applications with Consul Enterprise Admin Partitions](/consul/tutorials/kubernetes/kubernetes-admin-partitions?utm_source=docs)
|
||||
|
||||
### Default Admin Partition
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
layout: docs
|
||||
page_title: Consul Enterprise Audit Logging
|
||||
description: >-
|
||||
Consul Enterprise provides the ability to write events of user behavior with Consul’s API so operations and security users can perform legal compliance auditing.
|
||||
Consul Enterprise provides the ability to write events of user behavior with Consul's API so operations and security users can perform legal compliance auditing.
|
||||
---
|
||||
|
||||
# Audit Logging
|
||||
|
@ -24,7 +24,7 @@ Audit logging enables security and compliance teams within an organization to ge
|
|||
greater insight into Consul access and usage patterns.
|
||||
|
||||
For more experience leveraging Consul's audit logging functionality, explore our
|
||||
HashiCorp Learn tutorial [Capture Consul Events with Audit Logging](https://learn.hashicorp.com/tutorials/consul/audit-logging).
|
||||
HashiCorp Learn tutorial [Capture Consul Events with Audit Logging](/consul/tutorials/datacenter-operations/audit-logging?utm_source=docs).
|
||||
|
||||
For detailed configuration information on configuring the Consul Enterprise's audit
|
||||
logging, review the Consul [Audit Log](/docs/agent/config/config-files#audit)
|
||||
|
|
|
@ -36,6 +36,6 @@ datacenter backups include (but are not limited to):
|
|||
- Namespaces
|
||||
|
||||
For more experience leveraging Consul's snapshot functionality, we suggest you look through our HashiCorp
|
||||
Learn tutorial for [Datacenter Backups in Consul](https://learn.hashicorp.com/tutorials/consul/backup-and-restore).
|
||||
Learn tutorial for [Datacenter Backups in Consul](/consul/tutorials/production-deploy/backup-and-restore?utm_source=docs).
|
||||
For detailed configuration information on configuring the Consul Enterprise's snapshot agent, review the
|
||||
[Consul Snapshot Agent documentation](/commands/snapshot/agent).
|
||||
|
|
|
@ -26,7 +26,7 @@ desirable to have topologies like hub-and-spoke with central management
|
|||
datacenters and "spoke" datacenters that can't interact with each other.
|
||||
|
||||
[Consul Enterprise](https://www.hashicorp.com/consul) offers a [network
|
||||
area mechanism](https://learn.hashicorp.com/tutorials/consul/federation-network-areas) that allows operators to
|
||||
area mechanism](/consul/tutorials/datacenter-operations/federation-network-areas?utm_source=docs) that allows operators to
|
||||
federate Consul datacenters together on a pairwise basis, enabling
|
||||
partially-connected network topologies. Once a link is created, Consul agents
|
||||
can make queries to the remote datacenter in service of both API and DNS
|
||||
|
|
|
@ -29,7 +29,7 @@ Refer to the instructions on [upgrading to 1.10.x](/docs/upgrading/instructions/
|
|||
|
||||
## Q: Is there a tutorial available for the license configuration steps?
|
||||
|
||||
Please visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise).
|
||||
Please visit the [Enterprise License Tutorial](/consul/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs).
|
||||
|
||||
## Q: What resources are available?
|
||||
|
||||
|
@ -41,7 +41,7 @@ The list below is a great starting point for learning more about the license cha
|
|||
|
||||
- [License configuration values documentation](/docs/enterprise/license/overview#binaries-without-built-in-licenses)
|
||||
|
||||
- [Install a HashiCorp Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise)
|
||||
- [Install a HashiCorp Enterprise License Tutorial](/consul/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs)
|
||||
|
||||
## Q: Do these changes impact all customers/licenses?
|
||||
|
||||
|
@ -142,7 +142,7 @@ Please see the [upgrade requirements](faq#q-what-are-the-upgrade-requirements).
|
|||
|
||||
1. Run [`consul license get -signed`](/commands/license#get) to extract the license from their running cluster. Store the license in a secure location on disk.
|
||||
1. Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable.
|
||||
1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key.
|
||||
1. Visit the [Enterprise License Tutorial](/consul/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key.
|
||||
1. Follow the Consul upgrade [documentation](/docs/upgrading).
|
||||
|
||||
### Kubernetes
|
||||
|
@ -163,14 +163,14 @@ Once you have the license then create a Kubernetes secret containing the license
|
|||
1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license.
|
||||
1. Store the license in a secure location on disk.
|
||||
1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable.
|
||||
Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key.
|
||||
Visit the [Enterprise License Tutorial](/consul/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key.
|
||||
1. Follow the Consul upgrade [documentation](/docs/upgrading).
|
||||
|
||||
### Kubernetes
|
||||
|
||||
1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license.
|
||||
1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable.
|
||||
Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key.
|
||||
Visit the [Enterprise License Tutorial](/consul/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key.
|
||||
1. Proceed with the `helm` [upgrade instructions](/docs/k8s/upgrade)
|
||||
|
||||
## Q: Will Consul downgrades/rollbacks work?
|
||||
|
|
|
@ -19,7 +19,7 @@ agent's configuration or environment. Also, prior to 1.10.0, server agents would
|
|||
the license between themselves. This no longer occurs and the license must be present on each server agent
|
||||
when it is started.
|
||||
|
||||
-> Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key.
|
||||
-> Visit the [Enterprise License Tutorial](/consul/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key.
|
||||
|
||||
### Applying a License
|
||||
|
||||
|
|
|
@ -21,8 +21,8 @@ to provide self-service through delegation of administrative privileges.
|
|||
|
||||
For more information on how to use namespaces with Consul Enterprise please review the following HashiCorp Learn Guides:
|
||||
|
||||
- [Register and Discover Services within Namespaces](https://learn.hashicorp.com/tutorials/consul/namespaces-share-datacenter-access) - Register multiple services within different namespaces in Consul.
|
||||
- [Setup Secure Namespaces](https://learn.hashicorp.com/tutorials/consul/namespaces-secure-shared-access) - Secure resources within a namespace and delegate namespace ACL rights via ACL tokens.
|
||||
- [Register and Discover Services within Namespaces](/consul/tutorials/namespaces/namespaces-share-datacenter-access?utm_source=docs) - Register multiple services within different namespaces in Consul.
|
||||
- [Setup Secure Namespaces](/consul/tutorials/namespaces/namespaces-secure-shared-access?utm_source=docs) - Secure resources within a namespace and delegate namespace ACL rights via ACL tokens.
|
||||
|
||||
## Namespace Definition
|
||||
|
||||
|
|
|
@ -34,7 +34,7 @@ connectivity between agent members on the same segment.
|
|||
![Consul datacenter agent connectivity with network segments](/img/network-segments/consul-network-segments-multiple.png)
|
||||
|
||||
To get started with network segments you can review the tutorial on HashiCorp
|
||||
Learn for [Network Segments](https://learn.hashicorp.com/tutorials/consul/network-partition-datacenters).
|
||||
Learn for [Network Segments](/consul/tutorials/datacenter-operations/network-partition-datacenters?utm_source=docs).
|
||||
|
||||
-> **Info:** Network segments enable you to operate a Consul datacenter without full
|
||||
mesh (LAN) connectivity between agents. To federate multiple Consul datacenters
|
||||
|
@ -59,8 +59,8 @@ over the WAN. Consul clients make use of resources in federated clusters by
|
|||
forwarding RPCs through the Consul servers in their local cluster, but they
|
||||
never interact with remote Consul servers directly. There are currently two
|
||||
inter-cluster network models which can be viewed on HashiCorp Learn:
|
||||
[WAN gossip (OSS)](https://learn.hashicorp.com/tutorials/consul/federation-gossip-wan)
|
||||
and [Network Areas (Enterprise)](https://learn.hashicorp.com/tutorials/consul/federation-network-areas).
|
||||
[WAN gossip (OSS)](/consul/tutorials/networking/federation-gossip-wan?utm_source=docs)
|
||||
and [Network Areas (Enterprise)](/consul/tutorials/datacenter-operations/federation-network-areas?utm_source=docs).
|
||||
|
||||
**LAN Gossip Pool**: A set of Consul agents that have full mesh connectivity
|
||||
among themselves, and use Serf to maintain a shared view of the members of the
|
||||
|
@ -83,7 +83,7 @@ Each additional segment is defined by:
|
|||
Serf LAN listener on the server
|
||||
|
||||
~> **Note:** Prior to Consul 1.7.3, a Consul server agent configured with too
|
||||
many network segments may not be able to start due to [limitations](https://learn.hashicorp.com/tutorials/consul/network-partition-datacenters#network-segments-limitations)
|
||||
many network segments may not be able to start due to [limitations](/consul/tutorials/datacenter-operations/network-partition-datacenters?utm_source=docs#network-segments-limitations)
|
||||
in Serf.
|
||||
|
||||
### Example Server Configuration
|
||||
|
|
|
@ -31,5 +31,5 @@ for server nodes while also providing (and expanding) the capabilities of
|
|||
capabilities.
|
||||
|
||||
For more information, review the HashiCorp Learn tutorial on
|
||||
[Redundancy Zones](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations#redundancy-zones),
|
||||
[Redundancy Zones](/consul/tutorials/datacenter-operations/autopilot-datacenter-operations?utm_source=docs#redundancy-zones),
|
||||
as well as the documentation for [Consul Autopilot](/commands/operator/autopilot).
|
||||
|
|
|
@ -23,4 +23,4 @@ currently in a cluster. When an equal amount of new server nodes are joined runn
|
|||
will be demoted to non voting members. Demotion of legacy server nodes will not occur until the voting members on the new version match.
|
||||
Once this demotion occurs, the previous versioned servers can be removed from the cluster safely.
|
||||
|
||||
You can review more information about this functionality in the [Consul operator autopilot](/commands/operator/autopilot) documentation as well as on the HashiCorp Learn [Automated Upgrade](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations#upgrade-migrations) tutorial.
|
||||
You can review more information about this functionality in the [Consul operator autopilot](/commands/operator/autopilot) documentation as well as on the HashiCorp Learn [Automated Upgrade](/consul/tutorials/datacenter-operations/autopilot-datacenter-operations?utm_source=docs#upgrade-migrations) tutorial.
|
||||
|
|
|
@ -9,9 +9,9 @@ description: |-
|
|||
|
||||
# Consul Guides
|
||||
|
||||
~> The Consul guides have moved to the [HashiCorp Learn platform](https://learn.hashicorp.com/consul?utm_source=consul.io&utm_medium=docs&utm_content=guide-index).
|
||||
~> The Consul guides have moved to the [HashiCorp Learn platform](/consul/tutorials?utm_source=docs&utm_content=guide-index).
|
||||
|
||||
[Guides](https://learn.hashicorp.com/consul?utm_source=consul.io&utm_medium=docs&utm_content=guide-index) are step by step command-line
|
||||
[Guides](/consul/tutorials?utm_source=docs&utm_content=guide-index) are step by step command-line
|
||||
walkthroughs that demonstrate how to perform common operations using Consul, and
|
||||
complement the feature-focused Consul documentation.
|
||||
|
||||
|
@ -37,4 +37,4 @@ Tracks include:
|
|||
- Service Configuration and Consul KV
|
||||
- Cloud and Load Balancer Integrations
|
||||
|
||||
[**Explore the Learn platform**](https://learn.hashicorp.com/consul?utm_source=consul.io&utm_medium=docs&utm_content=guide-index)
|
||||
[**Explore the Learn platform**](/consul/tutorials?utm_source=docs&utm_content=guide-index)
|
||||
|
|
|
@ -17,4 +17,4 @@ guides are located on the HashiCorp Learn site.
|
|||
|
||||
- Follow [the documentation](/docs/install) to install Consul either with a precompiled binary or from source.
|
||||
- Read more about the [configuration options](/docs/agent/config) for Consul servers and clients.
|
||||
- Get started using Consul with our step-by-step guides at [HashiCorp Learn](https://learn.hashicorp.com/consul).
|
||||
- Get started using Consul with our step-by-step guides at [HashiCorp Learn](/consul/tutorials?utm_source=docs).
|
||||
|
|
|
@ -20,7 +20,7 @@ Downloading a precompiled binary is easiest, and we provide downloads over TLS
|
|||
along with SHA256 sums to verify the binary. We also distribute a PGP signature
|
||||
with the SHA256 sums that can be verified.
|
||||
|
||||
The [Getting Started guides](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=consul.io&utm_medium=docs) provide a quick walkthrough of installing and using Consul on your local machine.
|
||||
The [Getting Started guides](/consul/tutorials/getting-started/get-started-install?utm_source=docs) provide a quick walkthrough of installing and using Consul on your local machine.
|
||||
|
||||
## Precompiled Binaries
|
||||
|
||||
|
|
|
@ -112,9 +112,9 @@ Here are some general recommendations:
|
|||
- For DNS-heavy workloads, configuring all Consul agents in a cluster with the
|
||||
[`allow_stale`](/docs/agent/config/config-files#allow_stale) configuration option will allow reads to
|
||||
scale across all Consul servers, not just the leader. Consul 0.7 and later enables stale reads
|
||||
for DNS by default. See [Stale Reads](https://learn.hashicorp.com/tutorials/consul/dns-caching#stale-reads) in the
|
||||
[DNS Caching](https://learn.hashicorp.com/tutorials/consul/dns-caching) guide for more details. It's also good to set
|
||||
reasonable, non-zero [DNS TTL values](https://learn.hashicorp.com/tutorials/consul/dns-caching#ttl-values) if your clients will
|
||||
for DNS by default. See [Stale Reads](/consul/tutorials/networking/dns-caching?utm_source=docs#stale-reads) in the
|
||||
[DNS Caching](/consul/tutorials/networking/dns-caching?utm_source=docs) guide for more details. It's also good to set
|
||||
reasonable, non-zero [DNS TTL values](/consul/tutorials/networking/dns-caching?utm_source=docs#ttl-values) if your clients will
|
||||
respect them.
|
||||
|
||||
- In other applications that perform high volumes of reads against Consul, consider using the
|
||||
|
@ -146,7 +146,7 @@ set size. You can determine the working set size by noting the value of
|
|||
|
||||
## Read/Write Tuning
|
||||
|
||||
Consul is write limited by disk I/O and read limited by CPU. Memory requirements will be dependent on the total size of KV pairs stored and should be sized according to that data (as should the hard drive storage). The limit on a key’s value size is `512KB`.
|
||||
Consul is write limited by disk I/O and read limited by CPU. Memory requirements will be dependent on the total size of KV pairs stored and should be sized according to that data (as should the hard drive storage). The limit on a key's value size is `512KB`.
|
||||
|
||||
-> Consul is write limited by disk I/O and read limited by CPU.
|
||||
|
||||
|
@ -166,7 +166,7 @@ It should be noted that `stale` is not appropriate for coordination where strong
|
|||
|
||||
**Read-heavy** clusters may take advantage of the [enhanced reading](/docs/enterprise/read-scale) feature (Enterprise) for better scalability. This feature allows additional servers to be introduced as non-voters. Being a non-voter, the server will still participate in data replication, but it will not block the leader from committing log entries.
|
||||
|
||||
Consul’s agents use network sockets for communicating with the other nodes (gossip) and with the server agent. In addition, file descriptors are also opened for watch handlers, health checks, and log files. For a **write heavy** cluster, the `ulimit` size must be increased from the default value (`1024`) to prevent the leader from running out of file descriptors.
|
||||
Consul's agents use network sockets for communicating with the other nodes (gossip) and with the server agent. In addition, file descriptors are also opened for watch handlers, health checks, and log files. For a **write heavy** cluster, the `ulimit` size must be increased from the default value (`1024`) to prevent the leader from running out of file descriptors.
|
||||
|
||||
To prevent any CPU spikes from a misconfigured client, RPC requests to the server should be [rate limited](/docs/agent/config/config-files#limits)
|
||||
|
||||
|
|
|
@ -16,14 +16,14 @@ These Consul tools are created and managed by the dedicated engineers at HashiCo
|
|||
|
||||
- [Envconsul](https://github.com/hashicorp/envconsul) - Read and set environmental variables for processes from Consul.
|
||||
- [Consul API Gateway](https://github.com/hashicorp/consul-api-gateway/) - dedicated ingress solution for intelligently routing traffic to applications running on a Consul Service Mesh.
|
||||
- [Consul ESM](https://github.com/hashicorp/consul-esm) - Provides external service monitoring for Consul. A tutorial is available on [HashiCorp Learn](https://learn.hashicorp.com/tutorials/consul/service-registration-external-services).
|
||||
- [Consul ESM](https://github.com/hashicorp/consul-esm) - Provides external service monitoring for Consul. A tutorial is available on [HashiCorp Learn](/consul/tutorials/developer-discovery/service-registration-external-services?utm_source=docs).
|
||||
- [Consul Migrate](https://github.com/hashicorp/consul-migrate) - Data migration tool to handle Consul upgrades to 0.5.1+
|
||||
- [Consul Replicate](https://github.com/hashicorp/consul-replicate) - Consul cross-DC KV replication daemon.
|
||||
- [Consul Template](https://github.com/hashicorp/consul-template) - Generic template rendering and notifications with Consul. A step by step tutorial is available on [HashiCorp Learn](https://learn.hashicorp.com/tutorials/consul/consul-template).
|
||||
- [Consul Template](https://github.com/hashicorp/consul-template) - Generic template rendering and notifications with Consul. A step by step tutorial is available on [HashiCorp Learn](/consul/tutorials/developer-configuration/consul-template?utm_source=docs).
|
||||
- [Consul-Terraform Sync](https://github.com/hashicorp/consul-terraform-sync) -
|
||||
enables dynamic updates to network infrastructure devices triggered by service
|
||||
changes. A tutorial is available on [HashiCorp
|
||||
Learn](https://learn.hashicorp.com/collections/consul/network-infrastructure-automation?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
Learn](/consul/tutorials/network-infrastructure-automation?utm_source=docs)
|
||||
|
||||
## Community Tools
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ description: Guide to partnership integrations for Consul NIA
|
|||
|
||||
# Network Infrastructure Automation Integration Program
|
||||
|
||||
HashiCorp’s Network Infrastructure Automation (NIA) Integration Program allows partners to build integrations that allow customers to automate dynamic application workflows leveraging network and security infrastructure at runtime. Detailed below is the approach to integrate your networking technology along with the clearly defined steps, links to information sources, and checkpoints.
|
||||
HashiCorp's Network Infrastructure Automation (NIA) Integration Program allows partners to build integrations that allow customers to automate dynamic application workflows leveraging network and security infrastructure at runtime. Detailed below is the approach to integrate your networking technology along with the clearly defined steps, links to information sources, and checkpoints.
|
||||
|
||||
## Network Infrastructure Automation
|
||||
|
||||
|
@ -43,13 +43,13 @@ Consul-Terraform-Sync compatible Terraform module development process is fairly
|
|||
|
||||
- Consul [documentation](/docs)
|
||||
- Consul-Terraform-Sync [documentation](/docs/nia)
|
||||
- Writing Consul-Terraform-Sync compatible Terraform modules using our [guide](/docs/nia/terraform-modules) and [tutorial](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-module?in=consul/network-infrastructure-automation)
|
||||
- Writing Consul-Terraform-Sync compatible Terraform modules using our [guide](/docs/nia/terraform-modules) and [tutorial](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-module?utm_source=docs)
|
||||
- Example Terraform Modules for reference: [PAN-OS](https://registry.terraform.io/modules/PaloAltoNetworks/dag-nia/panos/latest), [Simple Print Module](https://registry.terraform.io/modules/findkim/print/cts/latest) and a [Template to structure your Terraform Modules](https://github.com/hashicorp/consul-terraform-sync-template-module)
|
||||
- Publishing to the Terraform Registry [guidelines](https://www.terraform.io/docs/registry/modules/publish.html)
|
||||
|
||||
### 3. Develop & Test
|
||||
|
||||
Terraform modules are written in HashiCorp Configuration Language (HCL). Writing [Terraform modules](https://www.terraform.io/docs/modules/index.html) or a [tutorial to build a module](https://learn.hashicorp.com/tutorials/terraform/module-create) are good resources to begin writing a new module.
|
||||
Terraform modules are written in HashiCorp Configuration Language (HCL). Writing [Terraform modules](https://www.terraform.io/docs/modules/index.html) or a [tutorial to build a module](/terraform/tutorials/modules/module-create?utm_source=docs) are good resources to begin writing a new module.
|
||||
Consul-Terraform-Sync compatible modules follow the [standard module structure](https://www.terraform.io/docs/modules/index.html#standard-module-structure). Modules can use syntax supported by Terraform version 0.13, or higher. Consul-Terraform-Sync is designed to integrate with any module that satisfies these [specifications](/docs/nia/terraform-modules#module-specifications). The guide will give you an introduction of the code structure and the basics of authoring a plugin that Terraform can interact with.
|
||||
|
||||
It is recommended that partners develop modules that cater to specific workflows on an individual platform in their product portfolio rather than having overarching modules that try to cover multiple workflows across different platforms. This is to keep the automation modular and adoptable by a broad set of users with varying network infrastructure topologies. Partners are encouraged to test the functionality of the modules against their supported platforms.
|
||||
|
@ -78,7 +78,7 @@ All Consul-Terraform-Sync compatible modules follow a naming convention: `terraf
|
|||
|
||||
During the review process, HashiCorp will provide feedback on the newly developed Consul-Terraform-Sync compatible Terraform module. Please engage in the review process once one or two sample modules have been developed. Begin the process by emailing nia-integration-dev@hashicorp.com with a URL to the public GitHub repo containing the code.
|
||||
|
||||
HashiCorp will then review the module, and the documentation. The documentation should clearly indicate the compatibility with Consul-Terraform-Sync software version(s) and partner platform’s software version(s).
|
||||
HashiCorp will then review the module, and the documentation. The documentation should clearly indicate the compatibility with Consul-Terraform-Sync software version(s) and partner platform's software version(s).
|
||||
|
||||
Once the module development has been completed another email should be sent to nia-integration-dev@hashicorp.com along with a URL to the public GitHub repo containing the code requesting the final code review. HashiCorp will review the module and provide feedback about any changes that may be required. This is often an iterative process and can take some time to get done.
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ The program is intended to be largely self-service with links to resources, code
|
|||
|
||||
## Categories of Consul Integrations
|
||||
|
||||
By leveraging Consul’s RESTful HTTP API system, prospective partners are able to build extensible integrations at the data plane, platform, and the infrastructure layer to extend Consul’s functionalities. These integrations can be performed both with the open source version of Consul, Consul Enterprise, and HCP Consul.
|
||||
By leveraging Consul's RESTful HTTP API system, prospective partners are able to build extensible integrations at the data plane, platform, and the infrastructure layer to extend Consul's functionalities. These integrations can be performed both with the open source version of Consul, Consul Enterprise, and HCP Consul.
|
||||
|
||||
**The Consul ecosystem of integrations:**
|
||||
|
||||
|
@ -26,19 +26,19 @@ By leveraging Consul’s RESTful HTTP API system, prospective partners are able
|
|||
|
||||
</ImageConfig>
|
||||
|
||||
**Data Plane**: These integrations extend Consul’s certificate management, secure ACL configuration, observability metrics and logging, and service discovery that allows for dynamic service mapping APM and logging tools, extend sidecar proxies to support Consul connect, and extend API gateways to allow Consul to route incoming traffic to the proxies for Connect-enabled services.
|
||||
**Data Plane**: These integrations extend Consul's certificate management, secure ACL configuration, observability metrics and logging, and service discovery that allows for dynamic service mapping APM and logging tools, extend sidecar proxies to support Consul connect, and extend API gateways to allow Consul to route incoming traffic to the proxies for Connect-enabled services.
|
||||
|
||||
**Control Plane**: Consul has a client-server architecture and is the control plane for the service mesh.
|
||||
|
||||
**Platform**: These integrations leverage automation of Consul agent deployment, configuration, and management. Designed to be platform agnostic, Consul can be deployed in a variety of form factors, including major Public Cloud providers (AWS, GCP, Azure) as well as in bare-metal, virtual machine, and container (Docker, Kubernetes) environments. They include the Consul agent running in both client and server mode.
|
||||
|
||||
**Infrastructure**: There are two integration options in this category: natively through a direct integration with Consul or via Consul-Terraform-Sync (CTS). By leveraging Consul’s powerful **Network Infrastructure Automation (NIA)*** capabilities through CTS, changes in an infrastructure are seamlessly automated when Consul detects a change in its service catalog. For example, these integrations could be used to automate IP updates of load balancers or firewall security policies by leveraging Consul service discovery.
|
||||
**Infrastructure**: There are two integration options in this category: natively through a direct integration with Consul or via Consul-Terraform-Sync (CTS). By leveraging Consul's powerful **Network Infrastructure Automation (NIA)*** capabilities through CTS, changes in an infrastructure are seamlessly automated when Consul detects a change in its service catalog. For example, these integrations could be used to automate IP updates of load balancers or firewall security policies by leveraging Consul service discovery.
|
||||
|
||||
-> **Network Infrastructure Automation (NIA)***: These integrations leverage Consul’s service catalog to seamlessly integrate with Consul-Terraform-Sync (CTS) to automate changes in network infrastructure via a publisher-subscriber method. More details can be found [here](/docs/integrate/nia-integration).
|
||||
-> **Network Infrastructure Automation (NIA)***: These integrations leverage Consul's service catalog to seamlessly integrate with Consul-Terraform-Sync (CTS) to automate changes in network infrastructure via a publisher-subscriber method. More details can be found [here](/docs/integrate/nia-integration).
|
||||
|
||||
**HCP Consul**: HCP Consul is secure by default and offers an enterprise-level service level agreement (SLA) to deploy an organization’s most important applications. Sign up for HCP Consul is free and available [here](https://cloud.hashicorp.com/products/consul).
|
||||
**HCP Consul**: HCP Consul is secure by default and offers an enterprise-level service level agreement (SLA) to deploy an organization's most important applications. Sign up for HCP Consul is free and available [here](https://cloud.hashicorp.com/products/consul).
|
||||
|
||||
**Consul integration verification badges**: Partners will be issued the Consul Enterprise badge for integrations that work with [Consul Enterprise features](https://www.consul.io/docs/enterprise) such as namespaces. Partners will be issued the HCP Consul badge for integrations validated to work with [HCP Consul](https://cloud.hashicorp.com/docs/consul/features). Each badge would be displayed on HashiCorp’s partner page as well as be available for posting on the partner’s own website to provide better visibility and differentiation of the integration for joint customers.
|
||||
**Consul integration verification badges**: Partners will be issued the Consul Enterprise badge for integrations that work with [Consul Enterprise features](https://www.consul.io/docs/enterprise) such as namespaces. Partners will be issued the HCP Consul badge for integrations validated to work with [HCP Consul](https://cloud.hashicorp.com/docs/consul/features). Each badge would be displayed on HashiCorp's partner page as well as be available for posting on the partner's own website to provide better visibility and differentiation of the integration for joint customers.
|
||||
|
||||
<span style={{display:'block', textAlign:'center'}}>
|
||||
<ImageConfig inline height={192} width={192}>
|
||||
|
@ -89,7 +89,7 @@ Here are links to resources, documentation, examples and best practices to guide
|
|||
|
||||
**API Gateway**
|
||||
|
||||
- [Ambassador Integration documentation](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateway-ambassador)
|
||||
- [Ambassador Integration documentation](/consul/tutorials/developer-mesh/service-mesh-gateway-ambassador?utm_source=docs)
|
||||
- [F5 Terminating Gateway Integration Documentation](https://www.hashicorp.com/integrations/f5-networks/consul)
|
||||
- [Traefik Integration with Consul Service Mesh](https://traefik.io/blog/integrating-consul-connect-service-mesh-with-traefik-2-5/)
|
||||
- [Kong's Ingress Controller Integration with Consul](https://www.hashicorp.com/integrations/kong/consul)
|
||||
|
@ -108,14 +108,14 @@ Here are links to resources, documentation, examples and best practices to guide
|
|||
|
||||
#### Platform:
|
||||
|
||||
- [Consul-AWS for AWS Cloud Map](https://learn.hashicorp.com/tutorials/consul/sync-aws-services)
|
||||
- [Consul-AWS for AWS Cloud Map](/consul/tutorials/cloud-integrations/sync-aws-services?utm_source=docs)
|
||||
- [Consul Integration with AWS ECS](/docs/ecs/get-started/install)
|
||||
- [Consul Integration with Layer5 Meshery](https://www.hashicorp.com/integrations/layer5-io/consul)
|
||||
- [Consul Integration with VMware Tanzu Application Service](https://learn.hashicorp.com/tutorials/consul/sync-pivotal-cloud-services)
|
||||
- [Consul Integration with VMware Tanzu Application Service](/consul/tutorials/cloud-integrations/sync-pivotal-cloud-services?utm_source=docs)
|
||||
|
||||
#### Infrastructure:
|
||||
|
||||
-> **Note**: The types of integration areas below could be developed to natively work with Consul or through leveraging Consul-Terraform-Sync and Consul’s network automation capabilities.
|
||||
-> **Note**: The types of integration areas below could be developed to natively work with Consul or through leveraging Consul-Terraform-Sync and Consul's network automation capabilities.
|
||||
|
||||
**Firewalls**
|
||||
|
||||
|
@ -132,32 +132,32 @@ Here are links to resources, documentation, examples and best practices to guide
|
|||
|
||||
**Load Balancer**
|
||||
|
||||
- [Load Balancing with NGINX and Consul Template](https://learn.hashicorp.com/tutorials/consul/load-balancing-nginx)
|
||||
- [Load Balancing with HAProxy Service Discovery](https://learn.hashicorp.com/tutorials/consul/load-balancing-haproxy)
|
||||
- [Load Balancing with NGINX and Consul Template](/consul/tutorials/load-balancing/load-balancing-nginx?utm_source=docs)
|
||||
- [Load Balancing with HAProxy Service Discovery](/consul/tutorials/load-balancing/load-balancing-haproxy?utm_source=docs)
|
||||
|
||||
**Network Infrastructure Automation \(using CTS\):**
|
||||
|
||||
- [Automate F5 BIG-IP with Consul NIA](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-f5-bigip-fast?in=consul/network-infrastructure-automation)
|
||||
- [Automate F5 BIG-IP with Consul NIA](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-f5-bigip-fast?utm_source=docs)
|
||||
- [Automate VMware Advanced Load Balancers (Avi) with Consul NIA](https://www.hashicorp.com/integrations/_vmware/consul)
|
||||
|
||||
**Application Delivery Controllers \(ADC\):**
|
||||
|
||||
- [Automate A10 ADC with Consul NIA](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-a10-adc?in=consul/network-infrastructure-automation)
|
||||
- [Automate A10 ADC with Consul NIA](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-a10-adc?utm_source=docs)
|
||||
- [Automate Citrix ADC with Consul NIA](https://www.hashicorp.com/integrations/citrix-adc/consul)
|
||||
|
||||
### 3. Develop and Test
|
||||
|
||||
The only knowledge necessary to write a plugin is basic command-line skills and knowledge of the [Go programming language](http://www.golang.org). Use the plugin interface to develop your integration. All integrations should contain unit and acceptance testing.
|
||||
|
||||
**HCP Consul**: The process to configure a testing instance of HCP consul [is very simple](https://learn.hashicorp.com/tutorials/cloud/get-started-consul). HCP has been designed as a HashiCorp managed service so configuration is minimal as only Consul client agents need to be installed. Furthermore, HashiCorp provides all new users an initial credit which should last approximately 2 months using a [development cluster](https://cloud.hashicorp.com/pricing/consul). When deployed with AWS free tier services, there should be no cost beyond the time spent by the designated tester.
|
||||
**HCP Consul**: The process to configure a testing instance of HCP consul [is very simple](/consul/tutorials/cloud-get-started/get-started-consul?utm_source=docs). HCP has been designed as a HashiCorp managed service so configuration is minimal as only Consul client agents need to be installed. Furthermore, HashiCorp provides all new users an initial credit which should last approximately 2 months using a [development cluster](https://cloud.hashicorp.com/pricing/consul). When deployed with AWS free tier services, there should be no cost beyond the time spent by the designated tester.
|
||||
|
||||
Please note that HCP Consul is currently only deployed on AWS so the partner’s application should be able to be deployed or run in AWS. For more information, please refer to [Peering an HVN to an AWS VPC for HCP Consul](https://www.youtube.com/watch?v=vuKjkIGYZlU).
|
||||
Please note that HCP Consul is currently only deployed on AWS so the partner's application should be able to be deployed or run in AWS. For more information, please refer to [Peering an HVN to an AWS VPC for HCP Consul](https://www.youtube.com/watch?v=vuKjkIGYZlU).
|
||||
|
||||
#### HCP Consul Resource Links:
|
||||
|
||||
- [Getting Started with HCP Consul](https://learn.hashicorp.com/tutorials/cloud/get-started-consul?in=consul/cloud-get-started)
|
||||
- [Getting Started with HCP Consul](/consul/tutorials/cloud-get-started/get-started-consul?utm_source=docs)
|
||||
- [Peering an HVN to a VPC for HCP Consul](https://www.youtube.com/watch?v=vuKjkIGYZlU)
|
||||
- [Connecting a Consul Client to HCP Consul](https://learn.hashicorp.com/tutorials/cloud/consul-client-virtual-machines?in=consul/cloud-get-started)
|
||||
- [Connecting a Consul Client to HCP Consul](/consul/tutorials/cloud-get-started/consul-client-aws-ec2?utm_source=docs)
|
||||
- [Monitoring HCP Consul with Datadog](https://docs.datadoghq.com/integrations/guide/hcp-consul/)
|
||||
|
||||
**Consul Enterprise**: An integration qualifies for Consul Enterprise when it is tested and compatible with Consul Enterprise Namespaces.
|
||||
|
|
|
@ -10,7 +10,7 @@ description: >-
|
|||
|
||||
# ACL System ((#version_8_acls))
|
||||
|
||||
This content has been moved into the [ACL Guide](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production).
|
||||
This content has been moved into the [ACL Guide](/consul/tutorials/security/access-control-setup-production?utm_source=docs).
|
||||
|
||||
See [Complete ACL Coverage in Consul 0.8](/docs/security/acl/acl-legacy) for details
|
||||
about ACL changes in Consul 0.8 and later.
|
||||
|
|
|
@ -17,7 +17,7 @@ to existing software, and how you can get started using it. If you are familiar
|
|||
with the basics of Consul, the [documentation](/docs) provides a more
|
||||
detailed reference of available features. If you're ready to get hands-on
|
||||
experience, deploy Consul locally with our
|
||||
[HashiCorp Learn tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-install).
|
||||
[HashiCorp Learn tutorial](/consul/tutorials/getting-started/get-started-install?utm_source=docs).
|
||||
|
||||
## Why Consul?
|
||||
|
||||
|
@ -115,5 +115,5 @@ forward the request to the remote datacenter and return the result.
|
|||
|
||||
## Next Steps
|
||||
|
||||
Continue onwards with [HashiCorp Learn](https://learn.hashicorp.com/tutorials/consul/get-started-install)
|
||||
Continue onwards with [HashiCorp Learn](/consul/tutorials/getting-started/get-started-install?utm_source=docs)
|
||||
to learn more about Consul and how to get Consul up and running.
|
||||
|
|
|
@ -10,7 +10,7 @@ description: >-
|
|||
|
||||
This topic describes the architecture, components, and resources associated with Consul deployments to Kubernetes. Consul employs the same architectural design on Kubernetes as it does with other platforms (see [Architecture](/docs/architecture)), but Kubernetes provides additional benefits that make operating a Consul cluster easier.
|
||||
|
||||
Refer to the standard [production deployment guide](https://learn.hashicorp.com/consul/datacenter-deploy/deployment-guide) for important information, regardless of the deployment platform.
|
||||
Refer to the standard [production deployment guide](/consul/tutorials?utm_source=docs/datacenter-deploy/deployment-guide) for important information, regardless of the deployment platform.
|
||||
|
||||
## Server Agents
|
||||
|
||||
|
|
|
@ -178,7 +178,7 @@ $ kubectl apply --filename service-intentions.yaml
|
|||
serviceintentions.consul.hashicorp.com/ingress-gateway created
|
||||
```
|
||||
|
||||
For detailed instructions on how to configure zero-trust networking with intentions please refer to this [guide](https://learn.hashicorp.com/tutorials/consul/service-mesh-zero-trust-network).
|
||||
For detailed instructions on how to configure zero-trust networking with intentions please refer to this [guide](/consul/tutorials/service-mesh-security/service-mesh-zero-trust-network?utm_source=docs).
|
||||
|
||||
## Deploying your application to Kubernetes
|
||||
|
||||
|
|
|
@ -108,7 +108,7 @@ global:
|
|||
|
||||
## Metrics in the UI Topology Visualization
|
||||
|
||||
Consul’s built-in UI has a topology visualization for services part of the Consul Service Mesh. The topology visualization has the ability to fetch basic metrics from a metrics provider for each service and display those metrics as part of the [topology visualization](/docs/connect/observability/ui-visualization).
|
||||
Consul's built-in UI has a topology visualization for services part of the Consul Service Mesh. The topology visualization has the ability to fetch basic metrics from a metrics provider for each service and display those metrics as part of the [topology visualization](/docs/connect/observability/ui-visualization).
|
||||
|
||||
The diagram below illustrates how the UI displays service metrics for a sample application:
|
||||
|
||||
|
@ -137,7 +137,7 @@ The Prometheus deployment is designed to allow quick bootstrapping for trial and
|
|||
Prometheus will be installed in the same namespace as Consul, and will be installed
|
||||
and uninstalled along with the Consul installation.
|
||||
|
||||
Grafana can optionally be utilized with Prometheus to display metrics. The installation and configuration of Grafana must be managed separately from the Consul Helm chart. The [Layer 7 Observability with Prometheus, Grafana, and Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-layer7-observability?in=consul/kubernetes)) tutorial provides an installation walkthrough using Helm.
|
||||
Grafana can optionally be utilized with Prometheus to display metrics. The installation and configuration of Grafana must be managed separately from the Consul Helm chart. The [Layer 7 Observability with Prometheus, Grafana, and Kubernetes](/consul/tutorials/service-mesh-observability/kubernetes-layer7-observability?utm_source=docs?in=consul/kubernetes)) tutorial provides an installation walkthrough using Helm.
|
||||
|
||||
```yaml
|
||||
prometheus:
|
||||
|
|
|
@ -360,7 +360,7 @@ Use these links to navigate to a particular top-level stanza.
|
|||
See https://www.consul.io/docs/agent/config/cli-flags#_recursor for more details.
|
||||
If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`).
|
||||
|
||||
- `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure)
|
||||
- `tls` ((#v-global-tls)) - Enables TLS (/consul/tutorials/security/tls-encryption-secure?utm_source=docs)
|
||||
across the cluster to verify authenticity of the Consul servers and clients.
|
||||
Requires Consul v1.4.1+.
|
||||
|
||||
|
@ -527,7 +527,7 @@ Use these links to navigate to a particular top-level stanza.
|
|||
|
||||
- `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh
|
||||
|
||||
- `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm chart’s components
|
||||
- `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm chart's components
|
||||
to expose Prometheus metrics for the Consul service mesh. By default
|
||||
this includes gateway metrics and sidecar metrics.
|
||||
|
||||
|
@ -621,8 +621,7 @@ Use these links to navigate to a particular top-level stanza.
|
|||
Vault Secrets backend:
|
||||
If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]`
|
||||
capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`.
|
||||
Please see the following guide for steps to generate a compatible certificate:
|
||||
https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls
|
||||
Please refer the [Consul and Vault tutorial](/consul/tutorials/vault-secure/vault-pki-consul-secure-tls?utm_source=docs) for steps to generate a compatible certificate.
|
||||
Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine
|
||||
must be provided.
|
||||
|
||||
|
|
|
@ -40,33 +40,33 @@ There are several ways to try Consul with Kubernetes in different environments.
|
|||
|
||||
**Tutorials**
|
||||
|
||||
- The [Getting Started with Consul Service Mesh track](https://learn.hashicorp.com/tutorials/consul/service-mesh-deploy?in=consul/gs-consul-service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
- The [Getting Started with Consul Service Mesh track](/consul/tutorials/gs-consul-service-mesh/service-mesh-deploy?utm_source=docs)
|
||||
provides guidance for installing Consul as service mesh for Kubernetes using the Helm
|
||||
chart, deploying services in the service mesh, and using intentions to secure service
|
||||
communications.
|
||||
|
||||
- The [Migrate to Microservices with Consul Service Mesh on Kubernetes](https://learn.hashicorp.com/collections/consul/microservices?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
- The [Migrate to Microservices with Consul Service Mesh on Kubernetes](/consul/tutorials/microservices?utm_source=docs)
|
||||
collection uses an example application written by a fictional company to illustrate why and how organizations can
|
||||
migrate from monolith to microservices using Consul service mesh on Kubernetes. The case study in this collection
|
||||
should provide information valuable for understanding how to develop services that leverage Consul during any stage
|
||||
of your microservices journey.
|
||||
|
||||
- The [Consul and Minikube guide](https://learn.hashicorp.com/tutorials/consul/kubernetes-minikube?utm_source=consul.io&utm_medium=docs) is a quick step-by-step guide for deploying Consul with the official Helm chart on a local instance of Minikube.
|
||||
- The [Consul and Minikube guide](/consul/tutorials/kubernetes/kubernetes-minikube?utm_source=docs) is a quick step-by-step guide for deploying Consul with the official Helm chart on a local instance of Minikube.
|
||||
|
||||
- Review production best practices and cloud-specific configurations for deploying Consul on managed Kubernetes runtimes.
|
||||
|
||||
- The [Consul on Azure Kubernetes Service (AKS) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-aks-azure?utm_source=consul.io&utm_medium=docs) is a complete step-by-step guide on how to deploy Consul on AKS. The guide also allows you to practice deploying two microservices.
|
||||
- The [Consul on Amazon Elastic Kubernetes Service (EKS) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-eks-aws?utm_source=consul.io&utm_medium=docs) is a complete step-by-step guide on how to deploy Consul on EKS. Additionally, it provides guidance on interacting with your datacenter with the Consul UI, CLI, and API.
|
||||
- The [Consul on Google Kubernetes Engine (GKE) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-gke-google?utm_source=consul.io&utm_medium=docs) is a complete step-by-step guide on how to deploy Consul on GKE. Additionally, it provides guidance on interacting with your datacenter with the Consul UI, CLI, and API.
|
||||
- The [Consul on Azure Kubernetes Service (AKS) tutorial](/consul/tutorials/kubernetes/kubernetes-aks-azure?utm_source=docs) is a complete step-by-step guide on how to deploy Consul on AKS. The guide also allows you to practice deploying two microservices.
|
||||
- The [Consul on Amazon Elastic Kubernetes Service (EKS) tutorial](/consul/tutorials/kubernetes/kubernetes-eks-aws?utm_source=docs) is a complete step-by-step guide on how to deploy Consul on EKS. Additionally, it provides guidance on interacting with your datacenter with the Consul UI, CLI, and API.
|
||||
- The [Consul on Google Kubernetes Engine (GKE) tutorial](/consul/tutorials/kubernetes/kubernetes-gke-google?utm_source=docs) is a complete step-by-step guide on how to deploy Consul on GKE. Additionally, it provides guidance on interacting with your datacenter with the Consul UI, CLI, and API.
|
||||
|
||||
- The [Consul and Kubernetes Reference Architecture](https://learn.hashicorp.com/tutorials/consul/kubernetes-reference-architecture?utm_source=consul.io&utm_medium=docs) guide provides recommended practices for production.
|
||||
- The [Consul and Kubernetes Reference Architecture](/consul/tutorials/kubernetes/kubernetes-reference-architecture?utm_source=docs) guide provides recommended practices for production.
|
||||
|
||||
- The [Consul and Kubernetes Deployment](https://learn.hashicorp.com/tutorials/consul/kubernetes-deployment-guide?utm_source=consul.io&utm_medium=docs) tutorial covers the necessary steps to install and configure a new Consul cluster on Kubernetes in production.
|
||||
- The [Consul and Kubernetes Deployment](/consul/tutorials/kubernetes/kubernetes-deployment-guide?utm_source=docs) tutorial covers the necessary steps to install and configure a new Consul cluster on Kubernetes in production.
|
||||
|
||||
- The [Secure Consul and Registered Services on Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-secure-agents?in=consul/kubernetes) tutorial covers
|
||||
- The [Secure Consul and Registered Services on Kubernetes](/consul/tutorials/kubernetes/kubernetes-secure-agents?utm_source=docs) tutorial covers
|
||||
the necessary steps to secure a Consul cluster running on Kubernetes in production.
|
||||
|
||||
- The [Layer 7 Observability with Consul Service Mesh](https://learn.hashicorp.com/tutorials/consul/kubernetes-layer7-observability) tutorial covers monitoring a
|
||||
- The [Layer 7 Observability with Consul Service Mesh](/consul/tutorials/service-mesh-observability/kubernetes-layer7-observability?utm_source=docs) tutorial covers monitoring a
|
||||
Consul service mesh running on Kubernetes with Prometheus and Grafana.
|
||||
|
||||
**Documentation**
|
||||
|
|
|
@ -23,7 +23,7 @@ You can install Consul on Kubernetes using the following methods:
|
|||
Refer to the [architecture](/docs/k8s/installation/install#architecture) section to learn more about the general architecture of Consul on Kubernetes.
|
||||
For a hands-on experience with Consul as a service mesh
|
||||
for Kubernetes, follow the [Getting Started with Consul service
|
||||
mesh](https://learn.hashicorp.com/tutorials/consul/service-mesh-deploy?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) tutorial.
|
||||
mesh](/consul/tutorials/gs-consul-service-mesh/service-mesh-deploy?utm_source=docs) tutorial.
|
||||
|
||||
## Consul K8s CLI Installation
|
||||
|
||||
|
@ -103,7 +103,7 @@ The [Homebrew](https://brew.sh) package manager is required to complete the foll
|
|||
We recommend using the Consul Helm chart to install Consul on Kubernetes for multi-cluster installations that involve cross-partition of cross datacenter communication. The Helm chart installs and configures all necessary components to run Consul. The configuration enables you to run a server cluster, a client cluster, or both.
|
||||
|
||||
Step-by-step tutorials for how to deploy Consul to Kubernetes, please see
|
||||
our [Deploy to Kubernetes](https://learn.hashicorp.com/collections/consul/kubernetes-deploy)
|
||||
our [Deploy to Kubernetes](/consul/tutorials/kubernetes-deploy?utm_source=docs)
|
||||
collection. This collection includes configuration caveats for single-node deployments.
|
||||
|
||||
The Helm chart exposes several useful configurations and automatically
|
||||
|
@ -380,7 +380,7 @@ spec:
|
|||
|
||||
## Next Steps
|
||||
|
||||
If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our [Migrate to Microservices with Consul Service Mesh on Kubernetes](https://learn.hashicorp.com/collections/consul/microservices?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our [Migrate to Microservices with Consul Service Mesh on Kubernetes](/consul/tutorials/microservices?utm_source=docs)
|
||||
collection uses an example application written by a fictional company to illustrate why and how organizations can
|
||||
migrate from monolith to microservices using Consul service mesh on Kubernetes. The case study in this collection
|
||||
should provide information valuable for understanding how to develop services that leverage Consul during any stage
|
||||
|
|
|
@ -11,7 +11,7 @@ description: >-
|
|||
|
||||
~> This topic requires familiarity with [Mesh Gateways](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters) and [WAN Federation Via Mesh Gateways](/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways).
|
||||
|
||||
-> Looking for a step-by-step guide? Please follow our Learn tutorial: [Secure and Route Service Mesh Communication Across Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways).
|
||||
-> Looking for a step-by-step guide? Please follow our Learn tutorial: [Secure and Route Service Mesh Communication Across Kubernetes](/consul/tutorials/kubernetes/kubernetes-mesh-gateways?utm_source=docs).
|
||||
|
||||
This page describes how to federate multiple Kubernetes clusters. See [Multi-Cluster Overview](/docs/k8s/installation/multi-cluster)
|
||||
for more information on use-cases and how it works.
|
||||
|
@ -466,11 +466,11 @@ in the top left:
|
|||
## Next Steps
|
||||
|
||||
With your Kubernetes clusters federated, try out using Consul service mesh to
|
||||
route between services deployed on each cluster by following our Learn tutorial: [Secure and Route Service Mesh Communication Across Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways#deploy-microservices).
|
||||
route between services deployed on each cluster by following our Learn tutorial: [Secure and Route Service Mesh Communication Across Kubernetes](/consul/tutorials/kubernetes/kubernetes-mesh-gateways?utm_source=docs#deploy-microservices).
|
||||
|
||||
You can also read our in-depth documentation on [Consul Service Mesh In Kubernetes](/docs/k8s/connect).
|
||||
|
||||
If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our [Migrate to Microservices with Consul Service Mesh on Kubernetes](https://learn.hashicorp.com/collections/consul/microservices?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our [Migrate to Microservices with Consul Service Mesh on Kubernetes](/consul/tutorials/microservices?utm_source=docs)
|
||||
collection uses an example application written by a fictional company to illustrate why and how organizations can
|
||||
migrate from monolith to microservices using Consul service mesh on Kubernetes. The case study in this collection
|
||||
should provide information valuable for understanding how to develop services that leverage Consul during any stage
|
||||
|
|
|
@ -144,7 +144,7 @@ acls {
|
|||
```
|
||||
|
||||
-> **NOTE:** You'll also need to set up additional ACL tokens as needed by the
|
||||
ACL system. See tutorial [Secure Consul with Access Control Lists (ACLs)](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production#apply-individual-tokens-to-agents)
|
||||
ACL system. See tutorial [Secure Consul with Access Control Lists (ACLs)](/consul/tutorials/security/access-control-setup-production?utm_source=docs#apply-individual-tokens-to-agents)
|
||||
for more information.
|
||||
|
||||
### Gossip Encryption Key
|
||||
|
|
|
@ -36,7 +36,7 @@ The two data centers will federated using mesh gateways. This communication top
|
|||
|
||||
In this setup, you will deploy Vault server in the primary datacenter (dc1) Kubernetes cluster, which is also the primary Consul datacenter. You will configure your Vault Helm installation in the secondary datacenter (dc2) Kubernetes cluster to use it as an external server. This way there will be a single vault server cluster that will be used by both Consul datacenters.
|
||||
|
||||
~> **Note**: For demonstration purposes, you will deploy a Vault server in dev mode. For production installations, this is not recommended. Please visit the [Vault Deployment Guide](https://learn.hashicorp.com/tutorials/vault/raft-deployment-guide?in=vault/day-one-raft) for guidance on how to install Vault in a production setting.
|
||||
~> **Note**: For demonstration purposes, you will deploy a Vault server in dev mode. For production installations, this is not recommended. Please visit the [Vault Deployment Guide](/vault/tutorials/raft/raft-deployment-guide?utm_source=docs) for guidance on how to install Vault in a production setting.
|
||||
|
||||
1. Change your current Kubernetes context to target the primary datacenter (dc1).
|
||||
|
||||
|
|
|
@ -93,7 +93,7 @@ for both in-cluster and out-of-cluster authentication. If `kubectl` works,
|
|||
then the sync program should work.
|
||||
|
||||
For Consul, if ACLs are configured on the cluster, a Consul
|
||||
[ACL token](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production)
|
||||
[ACL token](/consul/tutorials/security/access-control-setup-production?utm_source=docs)
|
||||
will need to be provided. Review the [ACL rules](/docs/security/acl/acl-rules)
|
||||
when creating this token so that it only allows the necessary privileges. The catalog
|
||||
sync process accepts this token by using the [`CONSUL_HTTP_TOKEN`](/commands#consul_http_token)
|
||||
|
|
|
@ -64,7 +64,7 @@ If you intend to invoke Lambda services through a terminating gateway, the gatew
|
|||
|
||||
* [Terminating gateways documentation](/docs/connect/gateways#terminating-gateways)
|
||||
* [Terminating gateways on Kubernetes documentation](/docs/k8s/connect/terminating-gateways)
|
||||
* [Connect External Services to Consul With Terminating Gateways tutorial](https://learn.hashicorp.com/tutorials/consul/terminating-gateways-connect-external-services)
|
||||
* [Connect External Services to Consul With Terminating Gateways tutorial](/consul/tutorials/developer-mesh/terminating-gateways-connect-external-services?utm_source=docs)
|
||||
|
||||
To register a Lambda service with a terminating gateway, add the service to the
|
||||
`Services` field of the terminating gateway's `terminating-gateway`
|
||||
|
@ -75,8 +75,8 @@ configuration entry.
|
|||
You can set up a mesh gateway so that you can invoke Lambda services across datacenters and admin partitions. The mesh gateway must be running and registered in the relevant Consul datacenters and partitions. Refer to the following documentation and tutorials for instructions on how to set up mesh gateways:
|
||||
|
||||
* [Mesh gateway documentation](/docs/connect/gateways#mesh-gateways)
|
||||
* [Connect Services Across Datacenters with Mesh Gateways tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateways)
|
||||
* [Secure Service Mesh Communication Across Kubernetes Clusters tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways?in=consul/kubernetes)
|
||||
* [Connect Services Across Datacenters with Mesh Gateways tutorial](/consul/tutorials/developer-mesh/service-mesh-gateways?utm_source=docs)
|
||||
* [Secure Service Mesh Communication Across Kubernetes Clusters tutorial](/consul/tutorials/kubernetes/kubernetes-mesh-gateways?utm_source=docs?in=consul/kubernetes)
|
||||
|
||||
When using admin partitions, you must add Lambda services to the `Services`
|
||||
field of [the `exported-services` configuration
|
||||
|
@ -124,7 +124,7 @@ The following diagram shows the flow of events from EventBridge into Consul:
|
|||
|
||||
#### Optional: Store the CA Certificate in Parameter Store
|
||||
|
||||
When Lambda registrator makes a request to Consul's [HTTP API](/api-docs) over HTTPS and the Consul API is signed by a custom CA, Lambda registrator uses the CA certificate stored in AWS Parameter Store (refer to the [Parameter Store documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) for additional information) to verify the authenticity of the Consul API. You can apply the following Terraform configuration to store Consul’s server CA in Parameter Store:
|
||||
When Lambda registrator makes a request to Consul's [HTTP API](/api-docs) over HTTPS and the Consul API is signed by a custom CA, Lambda registrator uses the CA certificate stored in AWS Parameter Store (refer to the [Parameter Store documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) for additional information) to verify the authenticity of the Consul API. You can apply the following Terraform configuration to store Consul's server CA in Parameter Store:
|
||||
|
||||
```hcl
|
||||
resource "aws_ssm_parameter" "ca-cert" {
|
||||
|
@ -278,6 +278,6 @@ The following tags are supported. In all cases, the `<PREFIX>` should be
|
|||
| - | - |
|
||||
| `<PREFIX>/enabled` | Determines if Consul configures the service as an AWS Lambda. |
|
||||
| `<PREFIX>/payload-passthrough` | Determines if the body Envoy receives is converted to JSON or directly passed to Lambda. |
|
||||
| `<PREFIX>/arn` | Specifies the [AWS ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) for the service’s Lambda. |
|
||||
| `<PREFIX>/arn` | Specifies the [AWS ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) for the service's Lambda. |
|
||||
| `<PREFIX>/invocation-mode` | Determines if Consul configures the Lambda to be invoked using the `synchronous` or `asynchronous` [invocation mode](https://docs.aws.amazon.com/lambda/latest/operatorguide/invocation-modes.html). |
|
||||
| `<PREFIX>/region` | Specifies the AWS region the Lambda is running in. |
|
||||
|
|
|
@ -55,6 +55,6 @@ Each driver includes a set of providers that [enables support](/docs/nia/terrafo
|
|||
|
||||
## Security Guidelines
|
||||
|
||||
The [Secure Consul-Terraform-Sync for Production](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-secure?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
The [Secure Consul-Terraform-Sync for Production](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-secure?utm_source=docs)
|
||||
tutorial contains a checklist of best practices to secure your
|
||||
CTS installation for a production environment.
|
||||
|
|
|
@ -128,7 +128,7 @@ consul {
|
|||
| `service_registration` | Optional| [service_registration](/docs/nia/configuration#service-registration) | Options for how CTS will register itself as a service with a health check to Consul. ||
|
||||
|
||||
##### ACL Requirements
|
||||
The following table describes the ACL policies required by CTS. For more information, refer to the [Secure Consul-Terraform-Sync for Production](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-secure?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS#configure-acl-privileges-for-consul-terraform-sync) tutorial.
|
||||
The following table describes the ACL policies required by CTS. For more information, refer to the [Secure Consul-Terraform-Sync for Production](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-secure?utm_source=docs#configure-acl-privileges-for-consul-terraform-sync) tutorial.
|
||||
|
||||
| Policy | Resources |
|
||||
| ------ | --------- |
|
||||
|
@ -271,7 +271,7 @@ task {
|
|||
- `source` - (string: required) **Deprecated in CTS 0.5.0 and will be removed in a future major release. See the `module` field instead.**
|
||||
- `module` - (string: required) Module is the location the driver uses to discover the Terraform module used for automation. The module's source can be local or remote on the [Terraform Registry](https://registry.terraform.io/) or private module registry. Read more on [Terraform module source and other supported types here](https://www.terraform.io/docs/modules/sources.html).
|
||||
|
||||
- To use a private module with the [`terraform` driver](#terraform-driver), run the command [`terraform login [hostname]`](https://learn.hashicorp.com/tutorials/terraform/cloud-login) to authenticate the local Terraform CLI prior to starting CTS.
|
||||
- To use a private module with the [`terraform` driver](#terraform-driver), run the command [`terraform login [hostname]`](/terraform/tutorials/cloud/cloud-login?utm_source=docs) to authenticate the local Terraform CLI prior to starting CTS.
|
||||
- To use a private module with the [`terraform_cloud` driver](#terraform-cloud-driver), no extra steps are needed.
|
||||
|
||||
```hcl
|
||||
|
@ -622,7 +622,7 @@ driver "terraform" {
|
|||
|
||||
- `backend` - (obj) The backend stores [Terraform state files](https://www.terraform.io/docs/state/index.html) for each task. This option is similar to the [Terraform backend configuration](https://www.terraform.io/docs/configuration/backend.html). CTS supports Terraform backends used as a state store.
|
||||
- Supported backend options: [azurerm](https://www.terraform.io/docs/backends/types/azurerm.html), [consul](https://www.terraform.io/docs/backends/types/consul.html), [cos](https://www.terraform.io/docs/backends/types/cos.html), [gcs](https://www.terraform.io/docs/backends/types/gcs.html), [kubernetes](https://www.terraform.io/docs/backends/types/kubernetes.html), [local](https://www.terraform.io/docs/backends/types/local.html), [manta](https://www.terraform.io/docs/backends/types/manta.html), [pg](https://www.terraform.io/docs/backends/types/pg.html) (Terraform v0.14+), [s3](https://www.terraform.io/docs/backends/types/s3.html). Visit the Terraform documentation links for details on backend configuration options.
|
||||
- If omitted, CTS will generate default values and use configurations from the [`consul` block](#consul) to configure [Consul as the backend](https://www.terraform.io/docs/backends/types/consul.html), which stores Terraform statefiles in the Consul KV. The [ACL token provided for Consul authentication](#consul) is used to read and write to the KV store and requires [Consul KV privileges](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-secure?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS#configure-acl-privileges-for-consul-terraform-sync). The Consul KV path is the base path to store state files for tasks. The full path of each state file will have the task identifier appended to the end of the path, e.g. `consul-terraform-sync/terraform-env:task-name`.
|
||||
- If omitted, CTS will generate default values and use configurations from the [`consul` block](#consul) to configure [Consul as the backend](https://www.terraform.io/docs/backends/types/consul.html), which stores Terraform statefiles in the Consul KV. The [ACL token provided for Consul authentication](#consul) is used to read and write to the KV store and requires [Consul KV privileges](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-secure?utm_source=docs#configure-acl-privileges-for-consul-terraform-sync). The Consul KV path is the base path to store state files for tasks. The full path of each state file will have the task identifier appended to the end of the path, e.g. `consul-terraform-sync/terraform-env:task-name`.
|
||||
- The remote enhanced backend is not supported with the Terraform driver to run operations in Terraform Cloud. Use the [Terraform Cloud driver](#terraform-cloud-driver) to integrate CTS with Terraform Cloud for remote workspaces and remote operations.
|
||||
- `log` - (bool) Enable all Terraform output (stderr and stdout) to be included in the CTS log. This is useful for debugging and development purposes. It may be difficult to work with log aggregators that expect uniform log format.
|
||||
- `path` - (string) The file path to install Terraform or discover an existing Terraform binary. If omitted, Terraform will be installed in the same directory as the CTS daemon. To resolve an incompatible Terraform version or to change versions will require removing the existing binary or change to a different path.
|
||||
|
|
|
@ -53,7 +53,7 @@ If a license needs to be manually set, choose one of the following methods (in o
|
|||
```
|
||||
|
||||
~> **Note**: the [options to set the license and the order of precedence](/docs/enterprise/license/overview#binaries-without-built-in-licenses) are the same as Consul Enterprise server agents.
|
||||
Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key.
|
||||
Visit the [Enterprise License Tutorial](/consul/tutorials/enterprise/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key.
|
||||
|
||||
### Updating the License Manually
|
||||
To update the license when it expires or is near the expiration date and automatic license retrieval is disabled:
|
||||
|
|
|
@ -11,7 +11,7 @@ Network Infrastructure Automation (NIA) enables dynamic updates to network infra
|
|||
|
||||
CTS executes one or more automation tasks with the most recent service variable values from the Consul service catalog. Each task consists of a runbook automation written as a CTS compatible Terraform module using resources and data sources for the underlying network infrastructure. The `consul-terraform-sync` daemon runs on the same node as a Consul agent.
|
||||
|
||||
CTS is available as an open source and enterprise distribution. Follow the [Network Infrastructure Automation introduction tutorial](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-intro?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) to get started with CTS OSS or read more about [CTS Enterprise](/docs/nia/enterprise).
|
||||
CTS is available as an open source and enterprise distribution. Follow the [Network Infrastructure Automation introduction tutorial](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-intro?utm_source=docs) to get started with CTS OSS or read more about [CTS Enterprise](/docs/nia/enterprise).
|
||||
|
||||
## Use Cases
|
||||
|
||||
|
@ -61,7 +61,7 @@ CTS is available as an open source and enterprise distribution. Follow the [Netw
|
|||
|
||||
## Getting Started With Network Infrastructure Automation
|
||||
|
||||
The [Network Infrastructure Automation (NIA)](https://learn.hashicorp.com/collections/consul/network-infrastructure-automation?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
|
||||
The [Network Infrastructure Automation (NIA)](/consul/tutorials/network-infrastructure-automation?utm_source=docs)
|
||||
collection contains examples on how to configure CTS to
|
||||
perform Network Infrastructure Automation. The collection contains also a
|
||||
tutorial to secure your CTS configuration for a production
|
||||
|
|
|
@ -7,7 +7,7 @@ description: >-
|
|||
|
||||
# Install Consul-Terraform-Sync
|
||||
|
||||
Refer to the [introduction](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-intro?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) tutorial for details about installing, configuring, and running Consul-Terraform-Sync (CTS) on your local machine with the Terraform driver.
|
||||
Refer to the [introduction](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-intro?utm_source=docs) tutorial for details about installing, configuring, and running Consul-Terraform-Sync (CTS) on your local machine with the Terraform driver.
|
||||
|
||||
## Install Consul-Terraform-Sync
|
||||
|
||||
|
|
|
@ -25,13 +25,13 @@ Below are several steps towards a minimum Consul setup required for running CTS.
|
|||
|
||||
CTS is a daemon that runs alongside Consul, similar to other Consul ecosystem tools like Consul Template. CTS is not included with the Consul binary and needs to be installed separately.
|
||||
|
||||
To install a local Consul agent, refer to the [Getting Started: Install Consul Tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-install).
|
||||
To install a local Consul agent, refer to the [Getting Started: Install Consul Tutorial](/consul/tutorials/getting-started/get-started-install?utm_source=docs).
|
||||
|
||||
For information on compatible Consul versions, refer to the [Consul compatibility matrix](/docs/nia/compatibility#consul).
|
||||
|
||||
### Run an Agent
|
||||
|
||||
The Consul agent must be running in order to dynamically update network devices. To run the local Consul agent, you can run Consul in development mode which can be started with `consul agent -dev` for simplicity. For more details on running Consul agent, refer to the [Getting Started: Run the Consul Agent Tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-agent?in=consul/getting-started).
|
||||
The Consul agent must be running in order to dynamically update network devices. To run the local Consul agent, you can run Consul in development mode which can be started with `consul agent -dev` for simplicity. For more details on running Consul agent, refer to the [Getting Started: Run the Consul Agent Tutorial](/consul/tutorials/getting-started/get-started-agent?utm_source=docs).
|
||||
|
||||
When running a Consul agent with CTS in production, we suggest to keep a few considerations in mind. CTS uses [blocking queries](/api-docs/features/blocking) to monitor task dependencies, like changes to registered services. This results in multiple long running TCP connections between CTS and the agent to poll changes for each dependency. Monitoring a high number of services may quickly hit the default Consul agent connection limits.
|
||||
|
||||
|
@ -58,13 +58,13 @@ The above example registers a service named "web" with your Consul agent. This r
|
|||
|
||||
For more details on registering a service by HTTP API request, refer to the [register service API docs](/api-docs/agent/service#register-service).
|
||||
|
||||
For more details on registering a service by loading a service definition, refer to the [Getting Started: Register a Service with Consul Service Discovery Tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-service-discovery?in=consul/getting-started).
|
||||
For more details on registering a service by loading a service definition, refer to the [Getting Started: Register a Service with Consul Service Discovery Tutorial](/consul/tutorials/getting-started/get-started-service-discovery?utm_source=docs?in=consul/getting-started).
|
||||
|
||||
### Run a Cluster
|
||||
|
||||
The previous steps of installing and running a single Consul agent then registering a single service is sufficient to meaningfully start running CTS.
|
||||
|
||||
If you would like to run a Consul cluster rather than a single agent, refer to [Getting Started: Create a Local Consul Datacenter](https://learn.hashicorp.com/tutorials/consul/get-started-create-datacenter?in=consul/getting-started). This will walk you through the steps of running multiple Consul agents and then joining them together into a cluster.
|
||||
If you would like to run a Consul cluster rather than a single agent, refer to [Getting Started: Create a Local Consul Datacenter](/consul/tutorials/getting-started/get-started-create-datacenter?utm_source=docs). This will walk you through the steps of running multiple Consul agents and then joining them together into a cluster.
|
||||
|
||||
## Network Infrastructure (using a Terraform Provider)
|
||||
|
||||
|
@ -76,7 +76,7 @@ To find providers for the infrastructure platforms you use, browse the providers
|
|||
|
||||
### How to Create a Provider
|
||||
|
||||
If there is no existing Terraform provider, a new Terraform provider can be [created](https://learn.hashicorp.com/tutorials/terraform/provider-setup) and [published](https://www.terraform.io/docs/registry/providers/publishing.html). The provider can then be used within a network integration task by authoring a compatible Terraform module.
|
||||
If there is no existing Terraform provider, a new Terraform provider can be [created](/terraform/tutorials/providers/provider-setup?utm_source=docs) and [published](https://www.terraform.io/docs/registry/providers/publishing.html). The provider can then be used within a network integration task by authoring a compatible Terraform module.
|
||||
|
||||
## Network Integration (using a Terraform Module)
|
||||
|
||||
|
|
|
@ -31,4 +31,4 @@ description: >-
|
|||
|
||||
CTS allows you to inspect your configuration before applying any change and to run in once mode, meaning that you can verify the changes are correctly applied in a test run before running it in unsupervised daemon mode.
|
||||
|
||||
To learn more on these options check the [Consul-Terraform-Sync Run Modes and Status Inspection](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-run-and-inspect?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) tutorial.
|
||||
To learn more on these options check the [Consul-Terraform-Sync Run Modes and Status Inspection](/consul/tutorials/network-infrastructure-automation/consul-terraform-sync-run-and-inspect?utm_source=docs) tutorial.
|
||||
|
|
|
@ -120,7 +120,7 @@ The services module input operates by monitoring the [Health List Nodes For Serv
|
|||
| `node_tagged_addresses` | List of explicit LAN and WAN IP addresses for the agent |
|
||||
| `node_meta` | List of user-defined metadata key/value pairs for the node |
|
||||
|
||||
Below is an example configuration for a task that will execute on a schedule and provide information about the services matching the `regexp` parameter to the task’s module.
|
||||
Below is an example configuration for a task that will execute on a schedule and provide information about the services matching the `regexp` parameter to the task's module.
|
||||
|
||||
```hcl
|
||||
task {
|
||||
|
@ -228,7 +228,7 @@ task {
|
|||
|
||||
## How to Create a Compatible Terraform Module
|
||||
|
||||
You can read more on how to [create a module](https://www.terraform.io/docs/modules/index.html) or work through a [tutorial to build a module](https://learn.hashicorp.com/tutorials/terraform/module-create). CTS is designed to integrate with any module that satisfies the specifications in the following section.
|
||||
You can read more on how to [create a module](https://www.terraform.io/docs/modules/index.html) or work through a [tutorial to build a module](/terraform/tutorials/modules/module-create?utm_source=docs). CTS is designed to integrate with any module that satisfies the specifications in the following section.
|
||||
|
||||
The repository [hashicorp/consul-terraform-sync-template-module](https://github.com/hashicorp/consul-terraform-sync-template-module) can be cloned and used as a starting point for structuring a compatible Terraform module. The template repository has the files described in the next steps prepared.
|
||||
|
||||
|
|
|
@ -41,7 +41,7 @@ This release includes the following features and capabilities:
|
|||
1. Deploy 1 or more logical API Gateways per Kubernetes cluster
|
||||
1. Support for HTTP, HTTPS, TCP, and TCP+TLS
|
||||
1. Support for HTTP versions 1.1 and 2
|
||||
1. Load balance across a service’s instances
|
||||
1. Load balance across a service's instances
|
||||
1. Listeners load TLS certificates, signed by any CA, from Kubernetes secret storage
|
||||
1. Route HTTP/S traffic to Services based on matching:
|
||||
- Hostname
|
||||
|
|
|
@ -15,7 +15,7 @@ description: >-
|
|||
releases of Consul API Gateway, users could route requests from the API
|
||||
Gateway across various namespaces without providing any sort of explicit
|
||||
permissions. While this meant that any service connected to the service mesh
|
||||
was reachable, it didn’t allow users to set the more granular restrictions or
|
||||
was reachable, it didn't allow users to set the more granular restrictions or
|
||||
permissions that they may expect.
|
||||
|
||||
This version of API Gateway implements Cross Namespace Reference Policies
|
||||
|
|
|
@ -15,9 +15,9 @@ description: >-
|
|||
|
||||
- **Streaming Enabled by Default for Service Health:** Streaming is a major architectural enhancement in how update notifications for blocking queries are delivered within the cluster which significantly reduces CPU and network bandwidth usage for large-scale Consul deployments. In Consul 1.10, streaming is now available for the service health HTTP endpoint and is enabled by default.
|
||||
|
||||
- **Redesigned UI and Observability Enhancements:** The Consul UI has been redesigned with a new sidebar layout. Additionally, Kubernetes users now have the ability to deploy Prometheus via the Consul Helm chart which automatically integrates it with Consul’s Service Visualization UI for displaying traffic metrics between services. Lastly, Pod and Envoy metrics can now be exposed to Prometheus using Kubernetes annotations via a single aggregated endpoint.
|
||||
- **Redesigned UI and Observability Enhancements:** The Consul UI has been redesigned with a new sidebar layout. Additionally, Kubernetes users now have the ability to deploy Prometheus via the Consul Helm chart which automatically integrates it with Consul's Service Visualization UI for displaying traffic metrics between services. Lastly, Pod and Envoy metrics can now be exposed to Prometheus using Kubernetes annotations via a single aggregated endpoint.
|
||||
|
||||
- **Deprecation of Legacy ACL System:** In Consul 1.4, we upgraded to a new Access Controls (ACLs) system. This upgrade made improvements in Consul’s ACL system handles the API, Tokens, and Policies. With Consul 1.10, the legacy system is officially deprecated, and will be removed from Consul in a later release. We strongly recommend that users begin the process of migrating to the newer ACL system.
|
||||
- **Deprecation of Legacy ACL System:** In Consul 1.4, we upgraded to a new Access Controls (ACLs) system. This upgrade made improvements in Consul's ACL system handles the API, Tokens, and Policies. With Consul 1.10, the legacy system is officially deprecated, and will be removed from Consul in a later release. We strongly recommend that users begin the process of migrating to the newer ACL system.
|
||||
|
||||
## What's Changed
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ description: >-
|
|||
|
||||
## What's Changed
|
||||
|
||||
- The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that all tokens and policies have been migrated to the newer ACL system. See the [Migrate Legacy ACL Tokens Learn Guide](https://learn.hashicorp.com/tutorials/consul/access-control-token-migration) for more information.
|
||||
- The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that all tokens and policies have been migrated to the newer ACL system. See the [Migrate Legacy ACL Tokens Learn Guide](/consul/tutorials/security-operations/access-control-token-migration?utm_source=docs) for more information.
|
||||
|
||||
- The `agent_master` ACL token has been renamed to `agent_recovery` ACL token. In addition, the `consul acl set-agent-token master` command has been replaced with `consul acl set-agent-token recovery`. See [ACL Agent Recovery Token](/docs/security/acl/acl-tokens#acl-agent-recovery-token) and [Consul ACL Set Agent Token](/commands/acl/set-agent-token) for more information.
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ description: >-
|
|||
|
||||
## Release Highlights
|
||||
|
||||
- **Application-Aware Intentions:** A new set of capabilities that extends Consul’s intentions model to support Layer 7 request information. Intentions now provide the ability for operators to construct policies which evaluate application-layer information such as HTTP Path, Headers, or Method – in addition to service identity – when authorizing HTTP-based (HTTP/1.1, HTTP/2, gRPC) service-to-service communication.
|
||||
- **Application-Aware Intentions:** A new set of capabilities that extends Consul's intentions model to support Layer 7 request information. Intentions now provide the ability for operators to construct policies which evaluate application-layer information such as HTTP Path, Headers, or Method – in addition to service identity – when authorizing HTTP-based (HTTP/1.1, HTTP/2, gRPC) service-to-service communication.
|
||||
|
||||
- **Service Mesh Visualization:** This addition provides a new topology tab to the Consul UI which displays topology diagrams and key service mesh metrics like request, error rates, and timing metrics. These new features will assist developers and operators in verifying configuration and troubleshooting issues within the service mesh. The UI also supports deep linking into your external metrics dashboards.
|
||||
|
||||
|
@ -17,7 +17,7 @@ description: >-
|
|||
|
||||
- **Custom Resources for Kubernetes:** Consul now provides a Kubernetes-first experience through CRDs to allow practitioners to easily configure Consul service mesh via Kubernetes-style objects.
|
||||
|
||||
- **Deploy Consul in OpenShift:** Enable installing Consul via Helm chart in OpenShift. We’ve now ensured that Consul Kubernetes runs on OpenShift securely by ensuring that Consul runs as non-root and also provided a set of SecurityContextConstraints to deploy Consul securely.
|
||||
- **Deploy Consul in OpenShift:** Enable installing Consul via Helm chart in OpenShift. We've now ensured that Consul Kubernetes runs on OpenShift securely by ensuring that Consul runs as non-root and also provided a set of SecurityContextConstraints to deploy Consul securely.
|
||||
- Installing Consul on OpenShift should now be as simple as running a Helm install with the `global.openshift.enabled` set to `true`.
|
||||
|
||||
- **Active Health Checks for Consul on Kubernetes:** Consul service mesh now integrates with Kubernetes Readiness probes. This provides the ability to natively detect health status from Kubernetes via Readiness probe, and is then used for directing service mesh traffic.
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue