From 1ac7e9a07d0c2ec8892aed97685d02f21a346ba1 Mon Sep 17 00:00:00 2001 From: freddygv Date: Wed, 24 Jun 2020 16:10:46 -0600 Subject: [PATCH 1/5] Add tabs to config entry examples --- .../agent/config-entries/ingress-gateway.mdx | 228 ++++++++++++- .../config-entries/terminating-gateway.mdx | 308 +++++++++++++++++- 2 files changed, 520 insertions(+), 16 deletions(-) diff --git a/website/pages/docs/agent/config-entries/ingress-gateway.mdx b/website/pages/docs/agent/config-entries/ingress-gateway.mdx index c9ecbd8bd..b55d2ac6c 100644 --- a/website/pages/docs/agent/config-entries/ingress-gateway.mdx +++ b/website/pages/docs/agent/config-entries/ingress-gateway.mdx @@ -43,11 +43,14 @@ description: >- ## Sample Config Entries -Set up a TCP listener for a single service: + + + +Set up a TCP listener on an ingress gateway named "us-east-ingress" to proxy traffic to the "db" service: ```hcl Kind = "ingress-gateway" -Name = "ingress-service" +Name = "us-east-ingress" Listeners = [ { @@ -62,13 +65,92 @@ Listeners = [ ] ``` -Set up a wildcard HTTP listener to proxy traffic to all available services, -make two services available over a custom port with user-provided hosts, and -enable TLS on every listener: + + + +Set up a TCP listener on an ingress gateway named "us-east-ingress" in the default namespace +to proxy traffic to the "db" service in the ops namespace: ```hcl Kind = "ingress-gateway" -Name = "ingress-service" +Name = "us-east-ingress" +Namespace = "default" + +Listeners = [ + { + Port = 3456 + Protocol = "tcp" + Services = [ + { + Namespace = "ops" + Name = "db" + } + ] + } +] +``` + + + + +Set up a TCP listener on an ingress gateway named "us-east-ingress" to proxy traffic to the "db" service: + +```json +{ + "Kind": "ingress-gateway", + "Name": "us-east-ingress", + "Listeners": [ + { + "Port": 3456, + "Protocol": "tcp", + "Services": [ + { + "Name": "db" + } + ] + } + ] +} +``` + + + + +Set up a TCP listener on an ingress gateway named "us-east-ingress" in the default namespace +to proxy traffic to the "db" service in the ops namespace: + +```json +{ + "Kind": "ingress-gateway", + "Name": "us-east-ingress", + "Namespace": "default", + "Listeners": [ + { + "Port": 3456, + "Protocol": "tcp", + "Services": [ + { + "Namespace": "ops", + "Name": "db" + } + ] + } + ] +} +``` + + + + + + + +Set up a wildcard HTTP listener on an ingress gateway named "us-east-ingress" to proxy traffic to all services in the datacenter. +Also make two services available over a custom port with user-provided hosts, and enable TLS on every listener: + +```hcl +Kind = "ingress-gateway" +Name = "us-east-ingress" TLS { Enabled = true @@ -101,6 +183,140 @@ Listeners = [ ] ``` + + + +Set up a wildcard HTTP listener on an ingress gateway named "us-east-ingress" to proxy traffic to all services in the frontend namespace. +Also make two services in the frontend namespace available over a custom port with user-provided hosts, and enable TLS on every listener: + +```hcl +Kind = "ingress-gateway" +Name = "us-east-ingress" +Namespace = "default" + +TLS { + Enabled = true +} + +Listeners = [ + { + Port = 8080 + Protocol = "http" + Services = [ + { + Namespace = "frontend" + Name = "*" + } + ] + }, + { + Port = 4567 + Protocol = "http" + Services = [ + { + Namespace = "frontend" + Name = "api" + Hosts = ["foo.example.com", "foo.example.com:4567"] + }, + { + Namespace = "frontend" + Name = "web" + Hosts = ["website.example.com", "website.example.com:4567"] + } + ] + } +] +``` + + + + +Set up a wildcard HTTP listener on an ingress gateway named "us-east-ingress" to proxy traffic to all services in the datacenter. +Also make two services available over a custom port with user-provided hosts, and enable TLS on every listener: + +```json +{ + "Kind": "ingress-gateway", + "Name": "us-east-ingress", + "TLS": { + "Enabled": true + }, + "Listeners": [ + { + "Port": 8080, + "Protocol": "http", + "Services": [ + { + "Name": "*" + } + ] + }, + { + "Port": 4567, + "Protocol": "http", + "Services": [ + { + "Name": "api", + "Hosts": ["foo.example.com", "foo.example.com:4567"] + }, + { + "Name": "web", + "Hosts": ["website.example.com", "website.example.com:4567"] + } + ] + } + ] +} +``` + + + + +Set up a wildcard HTTP listener on an ingress gateway named "us-east-ingress" to proxy traffic to all services in the frontend namespace. +Also make two services in the frontend namespace available over a custom port with user-provided hosts, and enable TLS on every listener: + +```json +{ + "Kind": "ingress-gateway", + "Name": "us-east-ingress", + "Namespace": "default", + "TLS": { + "Enabled": true + }, + "Listeners": [ + { + "Port": 8080, + "Protocol": "http", + "Services": [ + { + "Namespace": "frontend", + "Name": "*" + } + ] + }, + { + "Port": 4567, + "Protocol": "http", + "Services": [ + { + "Namespace": "frontend", + "Name": "api", + "Hosts": ["foo.example.com", "foo.example.com:4567"] + }, + { + "Namespace": "frontend", + "Name": "web", + "Hosts": ["website.example.com", "website.example.com:4567"] + } + ] + } + ] +} +``` + + + + ## Available Fields - `Kind` - Must be set to `ingress-gateway` diff --git a/website/pages/docs/agent/config-entries/terminating-gateway.mdx b/website/pages/docs/agent/config-entries/terminating-gateway.mdx index 523da9681..77c02c088 100644 --- a/website/pages/docs/agent/config-entries/terminating-gateway.mdx +++ b/website/pages/docs/agent/config-entries/terminating-gateway.mdx @@ -17,8 +17,8 @@ description: >- and will apply to all instances of the gateway with that name. ~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies - across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different - sets of services within their datacenter then the ingress gateways **must** be registered with different names. + across all federated Consul datacenters. If terminating gateways in different Consul datacenters need to route to different + sets of services within their datacenter then the terminating gateways **must** be registered with different names. See [Terminating Gateway](/docs/connect/terminating-gateway) for more information. @@ -43,11 +43,15 @@ description: >- ## Sample Config Entries -Link gateway "us-west-gateway" with the billing service: + + + +Link gateway named "us-west-gateway" with the billing service: ```hcl Kind = "terminating-gateway" Name = "us-west-gateway" + Services = [ { Name = "billing" @@ -55,27 +59,176 @@ Services = [ ] ``` -Link gateway "us-west-gateway" with the api service and specify a CA file for one-way TLS authentication: + + + +Link gateway named "us-west-gateway" in the default namespace with the billing service in the finance namespace: ```hcl Kind = "terminating-gateway" Name = "us-west-gateway" +Namespace = "default" + Services = [ { - Name = "api" + Namespace = "finance" + Name = "billing" + } +] +``` + + + + +Link gateway named "us-west-gateway" with the billing service: + +```json +{ + "Kind": "terminating-gateway", + "Name": "us-west-gateway", + "Services": [ + { + "Name": "billing" + } + ] +} +``` + + + + +Link gateway named "us-west-gateway" in the default namespace with the billing service in the finance namespace: + +```json +{ + "Kind": "terminating-gateway", + "Name": "us-west-gateway", + "Namespace": "default", + "Services": [ + { + "Namespace": "finance", + "Name": "billing" + } + ] +} +``` + + + + + + + +Link gateway named "us-west-gateway" with the billing service and specify a CA file for one-way TLS authentication: + +```hcl +Kind = "terminating-gateway" +Name = "us-west-gateway" + +Services = [ + { + Name = "billing" + CAFile = "/etc/certs/ca-chain.cert.pem" + } +] +``` + + + + +Link gateway named "us-west-gateway" in the default namespace with the billing service in the finance namespace, +and specify a CA file for one-way TLS authentication: + +```hcl +Kind = "terminating-gateway" +Name = "us-west-gateway" +Namespace = "default" + +Services = [ + { + Namespace = "finance" + Name = "billing" CAFile = "/etc/certs/ca-chain.cert.pem" } ] ``` -Link gateway "us-west-gateway" with the payments service and specify a CA file, key file, and cert file for mutual TLS authentication: + + + +Link gateway named "us-west-gateway" with the billing service and specify a CA file for one-way TLS authentication: + +```json +{ + "Kind": "terminating-gateway", + "Name": "us-west-gateway", + "Services": [ + { + "Name": "billing", + "CAFile": "/etc/certs/ca-chain.cert.pem" + } + ] +} +``` + + + + +Link gateway named "us-west-gateway" in the default namespace with the billing service in the finance namespace, +and specify a CA file for one-way TLS authentication: + +```json +{ + "Kind": "terminating-gateway", + "Name": "us-west-gateway", + "Namespace": "default", + "Services": [ + { + "Namespace": "finance", + "Name": "billing", + "CAFile": "/etc/certs/ca-chain.cert.pem" + } + ] +} +``` + + + + + + + +Link gateway named "us-west-gateway" with the payments service and specify a CA file, key file, and cert file for mutual TLS authentication: ```hcl Kind = "terminating-gateway" Name = "us-west-gateway" + Services = [ { - Name = "payments" + Name = "billing" + CAFile = "/etc/certs/ca-chain.cert.pem" + KeyFile = "/etc/certs/gateway.key.pem" + CertFile = "/etc/certs/gateway.cert.pem" + } +] +``` + + + + +Link gateway named "us-west-gateway" in the default namespace with the payments service in the finance namespace. +Also specify a CA file, key file, and cert file for mutual TLS authentication: + +```hcl +Kind = "terminating-gateway" +Name = "us-west-gateway" +Namespace = "default" + +Services = [ + { + Namespace = "finance" + Name = "billing" CAFile = "/etc/certs/ca-chain.cert.pem" KeyFile = "/etc/certs/gateway.key.pem" CertFile = "/etc/certs/gateway.cert.pem" @@ -83,13 +236,88 @@ Services = [ ] ``` -Link gateway "us-west-gateway" with all services in the finance namespace, and configure default certificates for mutual TLS. + + + +Link gateway named "us-west-gateway" with the payments service and specify a CA file, key file, and cert file for mutual TLS authentication: + +```json +{ + "Kind": "terminating-gateway", + "Name": "us-west-gateway", + "Services": [ + { + "Name": "billing", + "CAFile": "/etc/certs/ca-chain.cert.pem", + "KeyFile": "/etc/certs/gateway.key.pem", + "CertFile": "/etc/certs/gateway.cert.pem" + } + ] +} +``` + + + + +Link gateway named "us-west-gateway" in the default namespace with the payments service in the finance namespace. +Also specify a CA file, key file, and cert file for mutual TLS authentication: + +```json +{ + "Kind": "terminating-gateway", + "Name": "us-west-gateway", + "Namespace": "default", + "Services": [ + { + "Namespace": "finance", + "Name": "billing", + "CAFile": "/etc/certs/ca-chain.cert.pem", + "KeyFile": "/etc/certs/gateway.key.pem", + "CertFile": "/etc/certs/gateway.cert.pem" + } + ] +} +``` + + + + + + + +Link gateway named "us-west-gateway" with all services in the datacenter, and configure default certificates for mutual TLS. Also override the SNI and CA file used for connections to the billing service: +```hcl +Kind = "terminating-gateway" +Name = "us-west-gateway" + +Services = [ + { + Name = "*" + CAFile = "/etc/common-certs/ca-chain.cert.pem" + KeyFile = "/etc/common-certs/gateway.key.pem" + CertFile = "/etc/common-certs/gateway.cert.pem" + }, + { + Name = "billing" + CAFile = "/etc/billing-ca/ca-chain.cert.pem", + SNI = "billing.service.com" + } +] +``` + + + + +Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace, +and configure default certificates for mutual TLS. Also override the SNI and CA file used for connections to the billing service: + ```hcl Kind = "terminating-gateway" Name = "us-west-gateway" Namespace = "default" + Services = [ { Namespace = "finance" @@ -101,12 +329,72 @@ Services = [ { Namespace = "finance" Name = "billing" - CAFile = "/etc/billing-ca/ca-chain.cert.pem" - SNI = "billing.service.com" + CAFile = "/etc/billing-ca/ca-chain.cert.pem", + SNI = "billing.service.com" } ] ``` + + + +Link gateway named "us-west-gateway" with all services in the datacenter, and configure default certificates for mutual TLS. +Also override the SNI and CA file used for connections to the billing service: + +```json +{ + "Kind": "terminating-gateway", + "Name": "us-west-gateway", + "Services": [ + { + "Name": "*", + "CAFile": "/etc/billing-ca/ca-chain.cert.pem", + "KeyFile": "/etc/certs/gateway.key.pem", + "CertFile": "/etc/certs/gateway.cert.pem", + "SNI": "billing.service.com" + }, + { + "Name": "billing", + "CAFile": "/etc/billing-ca/ca-chain.cert.pem", + "SNI": "billing.service.com" + } + ] +} +``` + + + + +Link gateway named "us-west-gateway" in the default namespace with all services in the finance namespace, +and configure default certificates for mutual TLS. Also override the SNI and CA file used for connections to the billing service: + +```json +{ + "Kind": "terminating-gateway", + "Name": "us-west-gateway", + "Namespace": "default", + "Services": [ + { + "Namespace": "finance", + "Name": "*", + "CAFile": "/etc/billing-ca/ca-chain.cert.pem", + "KeyFile": "/etc/certs/gateway.key.pem", + "CertFile": "/etc/certs/gateway.cert.pem", + "SNI": "billing.service.com" + }, + { + "Namespace": "finance", + "Name": "billing", + "CAFile": "/etc/billing-ca/ca-chain.cert.pem", + "SNI": "billing.service.com" + } + ] +} +``` + + + + ## Available Fields - `Kind` - Must be set to `terminating-gateway` From 5f34f9954cf962b9f81bf0469df06fc15fb504cc Mon Sep 17 00:00:00 2001 From: freddygv Date: Wed, 24 Jun 2020 16:11:44 -0600 Subject: [PATCH 2/5] Add docs for upstream destination's namespace --- .../pages/docs/connect/registration/service-registration.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/pages/docs/connect/registration/service-registration.mdx b/website/pages/docs/connect/registration/service-registration.mdx index b6b323e8d..ba71cdf27 100644 --- a/website/pages/docs/connect/registration/service-registration.mdx +++ b/website/pages/docs/connect/registration/service-registration.mdx @@ -171,6 +171,8 @@ followed by documentation for each attribute. - `destination_name` `(string: )` - Specifies the name of the service or prepared query to route connect to. The prepared query should be the name or the ID of the prepared query. +- `destination_namespace` `(string: "")` - + Specifies the namespace of the upstream service. - `local_bind_port` `(int: )` - Specifies the port to bind a local listener to for the application to make outbound connections to this upstream. - `local_bind_address` `(string: "")` - Specifies the address to bind a From 2adf1df079368e0db9b44f99ce2cc0b46d73bbb0 Mon Sep 17 00:00:00 2001 From: freddygv Date: Wed, 24 Jun 2020 16:12:08 -0600 Subject: [PATCH 3/5] Remove stray instruction --- website/pages/docs/connect/ingress-gateway.mdx | 2 -- 1 file changed, 2 deletions(-) diff --git a/website/pages/docs/connect/ingress-gateway.mdx b/website/pages/docs/connect/ingress-gateway.mdx index 81f9da2d3..449aeb016 100644 --- a/website/pages/docs/connect/ingress-gateway.mdx +++ b/website/pages/docs/connect/ingress-gateway.mdx @@ -52,8 +52,6 @@ Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with ingress ga For a complete example of how to allow external traffic inside your Consul service mesh, review the [ingress gateway guide](https://learn.hashicorp.com/consul/developer-mesh/ingress-gateways). -5. **Optionally** use the [Consul L7 traffic management](/docs/connect/l7-traffic-management) for exposed services to route traffic. - ## Ingress Gateway Configuration Ingress gateways are configured in service definitions and registered with Consul like other services, with two exceptions. From 5b5210e2b740ce3c4ec8245a8b21342ec26e6371 Mon Sep 17 00:00:00 2001 From: freddygv Date: Wed, 24 Jun 2020 16:12:24 -0600 Subject: [PATCH 4/5] Remove remaining beta tags --- website/pages/docs/acl/auth-methods/jwt.mdx | 4 ++-- website/pages/docs/acl/auth-methods/oidc.mdx | 4 ++-- .../pages/docs/connect/wan-federation-via-mesh-gateways.mdx | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/website/pages/docs/acl/auth-methods/jwt.mdx b/website/pages/docs/acl/auth-methods/jwt.mdx index 88fbe3a75..976bd109f 100644 --- a/website/pages/docs/acl/auth-methods/jwt.mdx +++ b/website/pages/docs/acl/auth-methods/jwt.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: JWT Auth Method -sidebar_title: JWT Beta +sidebar_title: description: >- The JWT auth method can be used to authenticate with Consul by providing a JWT directly. The JWT is cryptographically verified using locally-provided @@ -9,7 +9,7 @@ description: >- appropriate keys. --- -# JWT Auth Method Beta +# JWT Auth Method -> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer. diff --git a/website/pages/docs/acl/auth-methods/oidc.mdx b/website/pages/docs/acl/auth-methods/oidc.mdx index dd78df231..35d578928 100644 --- a/website/pages/docs/acl/auth-methods/oidc.mdx +++ b/website/pages/docs/acl/auth-methods/oidc.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: OIDC Auth Method -sidebar_title: OIDC Beta +sidebar_title: OIDC description: >- The OIDC auth method can be used to authenticate with Consul using OpenID Connect (OIDC). This method allows authentication via a configured OIDC @@ -9,7 +9,7 @@ description: >- Consul UI or the command line. --- -# OIDC Auth Method Beta +# OIDC Auth Method diff --git a/website/pages/docs/connect/wan-federation-via-mesh-gateways.mdx b/website/pages/docs/connect/wan-federation-via-mesh-gateways.mdx index 1e6395f54..387abbf7d 100644 --- a/website/pages/docs/connect/wan-federation-via-mesh-gateways.mdx +++ b/website/pages/docs/connect/wan-federation-via-mesh-gateways.mdx @@ -6,7 +6,7 @@ description: |- WAN federation via mesh gateways allows for Consul servers in different datacenters to be federated exclusively through mesh gateways. --- -# WAN Federation via Mesh Gateways Beta +# WAN Federation via Mesh Gateways -> **1.8.0+:** This feature is available in Consul versions 1.8.0 and higher From 36a9bb413360bcff38aa987bdbd99de3005baaf9 Mon Sep 17 00:00:00 2001 From: Freddy Date: Thu, 25 Jun 2020 11:43:42 -0600 Subject: [PATCH 5/5] Update website/pages/docs/acl/auth-methods/jwt.mdx Co-authored-by: Daniel Nephin --- website/pages/docs/acl/auth-methods/jwt.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/pages/docs/acl/auth-methods/jwt.mdx b/website/pages/docs/acl/auth-methods/jwt.mdx index 976bd109f..d4e367cd2 100644 --- a/website/pages/docs/acl/auth-methods/jwt.mdx +++ b/website/pages/docs/acl/auth-methods/jwt.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: JWT Auth Method -sidebar_title: +sidebar_title: JWT description: >- The JWT auth method can be used to authenticate with Consul by providing a JWT directly. The JWT is cryptographically verified using locally-provided