From 8d416f74babdb13f1faed50aaf6bc56ed1e7fd9d Mon Sep 17 00:00:00 2001 From: Bryce Kalow Date: Wed, 14 Sep 2022 17:45:42 -0500 Subject: [PATCH] website: content updates for developer (#14419) Co-authored-by: Ashlee Boyer Co-authored-by: Ashlee M Boyer <43934258+ashleemboyer@users.noreply.github.com> Co-authored-by: Tu Nguyen Co-authored-by: Tu Nguyen Co-authored-by: HashiBot <62622282+hashibot-web@users.noreply.github.com> Co-authored-by: Kevin Wang --- website/Makefile | 3 +- website/content/api-docs/acl/auth-methods.mdx | 10 +- .../content/api-docs/acl/binding-rules.mdx | 10 +- website/content/api-docs/acl/index.mdx | 16 +- website/content/api-docs/acl/legacy.mdx | 12 +- website/content/api-docs/acl/policies.mdx | 12 +- website/content/api-docs/acl/roles.mdx | 12 +- website/content/api-docs/acl/tokens.mdx | 14 +- website/content/api-docs/agent/check.mdx | 14 +- website/content/api-docs/agent/connect.mdx | 6 +- website/content/api-docs/agent/index.mdx | 22 +- website/content/api-docs/agent/service.mdx | 12 +- website/content/api-docs/api-structure.mdx | 161 +++ website/content/api-docs/catalog.mdx | 18 +- website/content/api-docs/config.mdx | 8 +- website/content/api-docs/connect/ca.mdx | 6 +- .../content/api-docs/connect/intentions.mdx | 20 +- website/content/api-docs/coordinate.mdx | 8 +- website/content/api-docs/discovery-chain.mdx | 6 +- website/content/api-docs/event.mdx | 4 +- website/content/api-docs/health.mdx | 8 +- website/content/api-docs/index.mdx | 170 +-- website/content/api-docs/kv.mdx | 6 +- website/content/api-docs/namespaces.mdx | 10 +- website/content/api-docs/operator/area.mdx | 14 +- .../content/api-docs/operator/autopilot.mdx | 8 +- website/content/api-docs/operator/keyring.mdx | 8 +- website/content/api-docs/operator/license.mdx | 6 +- website/content/api-docs/operator/raft.mdx | 4 +- website/content/api-docs/operator/segment.mdx | 2 +- website/content/api-docs/peering.mdx | 10 +- website/content/api-docs/query.mdx | 14 +- website/content/api-docs/session.mdx | 12 +- website/content/api-docs/snapshot.mdx | 4 +- website/content/api-docs/status.mdx | 4 +- website/content/api-docs/txn.mdx | 2 +- .../commands/acl/auth-method/create.mdx | 2 +- .../commands/acl/auth-method/delete.mdx | 2 +- .../content/commands/acl/auth-method/list.mdx | 2 +- .../content/commands/acl/auth-method/read.mdx | 2 +- .../commands/acl/auth-method/update.mdx | 2 +- .../commands/acl/binding-rule/create.mdx | 2 +- .../commands/acl/binding-rule/delete.mdx | 2 +- .../commands/acl/binding-rule/list.mdx | 2 +- .../commands/acl/binding-rule/read.mdx | 2 +- .../commands/acl/binding-rule/update.mdx | 2 +- website/content/commands/acl/bootstrap.mdx | 4 +- .../content/commands/acl/policy/create.mdx | 2 +- .../content/commands/acl/policy/delete.mdx | 2 +- website/content/commands/acl/policy/list.mdx | 2 +- website/content/commands/acl/policy/read.mdx | 2 +- .../content/commands/acl/policy/update.mdx | 2 +- website/content/commands/acl/role/create.mdx | 2 +- website/content/commands/acl/role/delete.mdx | 2 +- website/content/commands/acl/role/list.mdx | 2 +- website/content/commands/acl/role/read.mdx | 2 +- website/content/commands/acl/role/update.mdx | 2 +- .../content/commands/acl/set-agent-token.mdx | 2 +- website/content/commands/acl/token/clone.mdx | 2 +- website/content/commands/acl/token/create.mdx | 2 +- website/content/commands/acl/token/delete.mdx | 2 +- website/content/commands/acl/token/list.mdx | 2 +- website/content/commands/acl/token/read.mdx | 2 +- website/content/commands/acl/token/update.mdx | 2 +- .../content/commands/acl/translate-rules.mdx | 2 +- .../content/commands/catalog/datacenters.mdx | 2 +- website/content/commands/catalog/nodes.mdx | 2 +- website/content/commands/catalog/services.mdx | 2 +- website/content/commands/config/delete.mdx | 2 +- website/content/commands/config/list.mdx | 2 +- website/content/commands/config/read.mdx | 2 +- website/content/commands/config/write.mdx | 2 +- website/content/commands/connect/ca.mdx | 4 +- website/content/commands/event.mdx | 2 +- website/content/commands/exec.mdx | 2 +- website/content/commands/force-leave.mdx | 2 +- website/content/commands/index.mdx | 2 +- website/content/commands/intention/check.mdx | 2 +- website/content/commands/intention/create.mdx | 2 +- website/content/commands/intention/delete.mdx | 2 +- website/content/commands/intention/get.mdx | 2 +- website/content/commands/intention/list.mdx | 2 +- website/content/commands/intention/match.mdx | 2 +- website/content/commands/join.mdx | 2 +- website/content/commands/keyring.mdx | 2 +- website/content/commands/kv/delete.mdx | 2 +- website/content/commands/kv/export.mdx | 2 +- website/content/commands/kv/get.mdx | 2 +- website/content/commands/kv/import.mdx | 2 +- website/content/commands/kv/put.mdx | 2 +- website/content/commands/leave.mdx | 2 +- website/content/commands/license.mdx | 8 +- website/content/commands/lock.mdx | 2 +- website/content/commands/login.mdx | 2 +- website/content/commands/logout.mdx | 2 +- website/content/commands/maint.mdx | 2 +- website/content/commands/members.mdx | 2 +- website/content/commands/namespace/create.mdx | 2 +- website/content/commands/namespace/delete.mdx | 2 +- website/content/commands/namespace/list.mdx | 2 +- website/content/commands/namespace/read.mdx | 2 +- website/content/commands/namespace/update.mdx | 2 +- website/content/commands/namespace/write.mdx | 2 +- website/content/commands/operator/area.mdx | 14 +- .../content/commands/operator/autopilot.mdx | 8 +- website/content/commands/operator/index.mdx | 4 +- website/content/commands/operator/raft.mdx | 4 +- website/content/commands/peering/delete.mdx | 2 +- .../content/commands/peering/establish.mdx | 2 +- .../commands/peering/generate-token.mdx | 2 +- website/content/commands/peering/list.mdx | 2 +- website/content/commands/peering/read.mdx | 2 +- website/content/commands/reload.mdx | 2 +- website/content/commands/rtt.mdx | 2 +- .../content/commands/services/deregister.mdx | 2 +- .../content/commands/services/register.mdx | 2 +- website/content/commands/snapshot/restore.mdx | 2 +- website/content/commands/snapshot/save.mdx | 2 +- .../content/docs/agent/config/cli-flags.mdx | 4 +- .../docs/agent/config/config-files.mdx | 4 +- website/content/docs/agent/config/index.mdx | 2 +- website/content/docs/agent/index.mdx | 10 +- website/content/docs/agent/rpc.mdx | 4 +- website/content/docs/agent/sentinel.mdx | 2 +- website/content/docs/agent/telemetry.mdx | 8 +- website/content/docs/api-gateway/index.mdx | 2 +- website/content/docs/api-gateway/usage.mdx | 2 +- .../improving-consul-resilience.mdx | 2 +- website/content/docs/architecture/index.mdx | 4 +- .../service-discovery.mdx} | 44 +- .../service-mesh.mdx} | 10 +- website/content/docs/connect/ca/vault.mdx | 4 +- .../cluster-peering/create-manage-peering.mdx | 2 +- .../config-entries/ingress-gateway.mdx | 4 +- .../content/docs/connect/configuration.mdx | 6 +- .../docs/connect/connect-internals.mdx | 2 +- .../docs/connect/connectivity-tasks.mdx | 6 +- .../content/docs/connect/gateways/index.mdx | 4 +- ...service-to-service-traffic-datacenters.mdx | 2 +- .../wan-federation-via-mesh-gateways.mdx | 6 +- .../connect/gateways/terminating-gateway.mdx | 2 +- website/content/docs/connect/index.mdx | 10 +- website/content/docs/connect/nomad.mdx | 2 +- .../content/docs/connect/proxies/envoy.mdx | 2 +- .../docs/connect/proxies/integrate.mdx | 5 +- .../connect/registration/sidecar-service.mdx | 3 - website/content/docs/connect/security.mdx | 2 +- .../docs/connect/transparent-proxy.mdx | 2 +- website/content/docs/discovery/checks.mdx | 140 +++ website/content/docs/discovery/dns.mdx | 4 +- website/content/docs/discovery/services.mdx | 6 +- .../content/docs/dynamic-app-config/kv.mdx | 11 +- .../docs/dynamic-app-config/watches.mdx | 4 +- website/content/docs/ecs/architecture.mdx | 2 +- .../docs/ecs/configuration-reference.mdx | 1 - website/content/docs/ecs/enterprise.mdx | 7 +- website/content/docs/ecs/index.mdx | 17 +- .../docs/ecs/manual/acl-controller.mdx | 2 +- website/content/docs/ecs/manual/install.mdx | 2 +- .../content/docs/ecs/terraform/install.mdx | 4 +- .../ecs/terraform/secure-configuration.mdx | 63 +- .../docs/enterprise/admin-partitions.mdx | 6 +- .../content/docs/enterprise/audit-logging.mdx | 5 +- website/content/docs/enterprise/backups.mdx | 3 +- website/content/docs/enterprise/index.mdx | 4 +- .../content/docs/enterprise/license/faq.mdx | 16 +- .../docs/enterprise/license/overview.mdx | 2 +- .../content/docs/enterprise/namespaces.mdx | 6 +- .../docs/enterprise/network-segments.mdx | 12 +- .../content/docs/enterprise/redundancy.mdx | 5 +- website/content/docs/enterprise/sentinel.mdx | 4 +- website/content/docs/enterprise/upgrades.mdx | 4 +- website/content/docs/guides/index.mdx | 6 +- website/content/docs/index.mdx | 5 +- website/content/docs/install/index.mdx | 4 +- website/content/docs/install/performance.mdx | 4 +- .../docs/{ => integrate}/download-tools.mdx | 7 +- .../docs/integrate/nia-integration.mdx | 14 +- .../content/docs/integrate/partnerships.mdx | 36 +- website/content/docs/intro/index.mdx | 7 +- website/content/docs/intro/usecases/index.mdx | 9 - website/content/docs/k8s/architecture.mdx | 2 +- .../docs/k8s/connect/connect-ca-provider.mdx | 2 +- .../docs/k8s/connect/ingress-gateways.mdx | 2 +- .../k8s/connect/observability/metrics.mdx | 4 +- .../multi-cluster/index.mdx | 2 +- .../multi-cluster/kubernetes.mdx | 10 +- .../multi-cluster/vms-and-kubernetes.mdx | 2 +- .../servers-outside-kubernetes.mdx | 4 +- .../data-integration/bootstrap-token.mdx | 4 +- .../vault/data-integration/connect-ca.mdx | 4 +- .../data-integration/enterprise-license.mdx | 4 +- .../vault/data-integration/gossip.mdx | 4 +- .../vault/data-integration/index.mdx | 2 +- .../data-integration/partition-token.mdx | 4 +- .../data-integration/replication-token.mdx | 4 +- .../vault/data-integration/server-tls.mdx | 2 +- .../snapshot-agent-config.mdx | 4 +- .../vault/data-integration/webhook-certs.mdx | 2 +- .../deployment-configurations/vault/index.mdx | 4 +- .../vault/systems-integration.mdx | 2 +- .../vault/wan-federation.mdx | 6 +- website/content/docs/k8s/helm.mdx | 6 +- website/content/docs/k8s/index.mdx | 22 +- .../content/docs/k8s/installation/install.mdx | 2 +- website/content/docs/k8s/k8s-cli.mdx | 4 +- .../gossip-encryption-key-rotation.mdx | 2 +- website/content/docs/k8s/upgrade/index.mdx | 2 +- website/content/docs/lambda/registration.mdx | 107 +- website/content/docs/nia/architecture.mdx | 4 +- website/content/docs/nia/cli/task.mdx | 4 +- website/content/docs/nia/configuration.mdx | 24 +- website/content/docs/nia/enterprise/index.mdx | 6 +- .../content/docs/nia/enterprise/license.mdx | 2 +- website/content/docs/nia/index.mdx | 10 +- .../docs/nia/installation/configure.mdx | 4 +- .../content/docs/nia/installation/install.mdx | 2 +- .../docs/nia/network-drivers/index.mdx | 6 +- .../nia/network-drivers/terraform-cloud.mdx | 28 +- .../docs/nia/network-drivers/terraform.mdx | 6 +- .../content/docs/nia/terraform-modules.mdx | 18 +- .../content/docs/nia/usage/requirements.mdx | 2 +- .../consul-api-gateway/v0_1_x.mdx | 2 +- .../consul-api-gateway/v0_2_x.mdx | 4 +- .../consul-api-gateway/v0_3_x.mdx | 2 +- .../docs/release-notes/consul/v1_10_x.mdx | 4 +- .../docs/release-notes/consul/v1_11_x.mdx | 4 +- .../docs/release-notes/consul/v1_13_x.mdx | 2 +- .../docs/release-notes/consul/v1_9_x.mdx | 4 +- .../acl/acl-federated-datacenters.mdx | 4 +- .../content/docs/security/acl/acl-legacy.mdx | 12 +- .../docs/security/acl/acl-policies.mdx | 2 +- .../content/docs/security/acl/acl-roles.mdx | 2 +- .../content/docs/security/acl/acl-rules.mdx | 6 +- .../content/docs/security/acl/acl-tokens.mdx | 6 +- .../security/acl/auth-methods/aws-iam.mdx | 23 +- website/content/docs/security/acl/index.mdx | 8 +- website/content/docs/security/encryption.mdx | 8 +- .../docs/security/security-models/core.mdx | 16 +- .../docs/security/security-models/nia.mdx | 26 +- .../instructions/general-process.mdx | 2 +- .../docs/upgrading/upgrade-specific.mdx | 10 +- website/data/api-docs-nav-data.json | 9 +- website/data/docs-nav-data.json | 1009 +++++++++-------- website/redirects.js | 20 + website/scripts/website-build.sh | 4 +- website/scripts/website-start.sh | 4 +- 247 files changed, 1597 insertions(+), 1367 deletions(-) create mode 100644 website/content/api-docs/api-structure.mdx rename website/content/docs/{intro/usecases/what-is-service-discovery.mdx => concepts/service-discovery.mdx} (78%) rename website/content/docs/{intro/usecases/what-is-a-service-mesh.mdx => concepts/service-mesh.mdx} (95%) rename website/content/docs/{ => integrate}/download-tools.mdx (93%) delete mode 100644 website/content/docs/intro/usecases/index.mdx diff --git a/website/Makefile b/website/Makefile index 485e1b884..32791cbc0 100644 --- a/website/Makefile +++ b/website/Makefile @@ -13,7 +13,8 @@ DOCKER_RUN_FLAGS=-it \ --volume "$(PWD)/redirects.js:/app/redirects.js" \ --volume "next-dir:/app/website-preview/.next" \ --volume "$(PWD)/.env:/app/.env" \ - -e "REPO=consul" + -e "REPO=consul" \ + -e "PREVIEW_MODE=developer" # Default: run this if working on the website locally to run in watch mode. .PHONY: website diff --git a/website/content/api-docs/acl/auth-methods.mdx b/website/content/api-docs/acl/auth-methods.mdx index 6f1caeb47..20af941e3 100644 --- a/website/content/api-docs/acl/auth-methods.mdx +++ b/website/content/api-docs/acl/auth-methods.mdx @@ -28,7 +28,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -159,7 +159,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -211,7 +211,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -350,7 +350,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -392,7 +392,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/acl/binding-rules.mdx b/website/content/api-docs/acl/binding-rules.mdx index 9c150a350..296ca71df 100644 --- a/website/content/api-docs/acl/binding-rules.mdx +++ b/website/content/api-docs/acl/binding-rules.mdx @@ -28,7 +28,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -157,7 +157,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -207,7 +207,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -345,7 +345,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -387,7 +387,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/acl/index.mdx b/website/content/api-docs/acl/index.mdx index 8c727d54b..44d1c5f42 100644 --- a/website/content/api-docs/acl/index.mdx +++ b/website/content/api-docs/acl/index.mdx @@ -32,7 +32,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -99,7 +99,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -201,7 +201,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -250,7 +250,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -286,7 +286,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -381,7 +381,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -419,7 +419,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -502,7 +502,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/acl/legacy.mdx b/website/content/api-docs/acl/legacy.mdx index c465f6d8e..60c32d557 100644 --- a/website/content/api-docs/acl/legacy.mdx +++ b/website/content/api-docs/acl/legacy.mdx @@ -28,7 +28,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -87,7 +87,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -141,7 +141,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -178,7 +178,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -227,7 +227,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -266,7 +266,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/acl/policies.mdx b/website/content/api-docs/acl/policies.mdx index 2e21c5f9c..90d1d0755 100644 --- a/website/content/api-docs/acl/policies.mdx +++ b/website/content/api-docs/acl/policies.mdx @@ -27,7 +27,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -105,7 +105,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -155,7 +155,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -205,7 +205,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -292,7 +292,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -334,7 +334,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/acl/roles.mdx b/website/content/api-docs/acl/roles.mdx index 7ceab0495..cb5ce78d3 100644 --- a/website/content/api-docs/acl/roles.mdx +++ b/website/content/api-docs/acl/roles.mdx @@ -26,7 +26,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -172,7 +172,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -242,7 +242,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -311,7 +311,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -435,7 +435,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -477,7 +477,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/acl/tokens.mdx b/website/content/api-docs/acl/tokens.mdx index 1a3180257..0d41eceb6 100644 --- a/website/content/api-docs/acl/tokens.mdx +++ b/website/content/api-docs/acl/tokens.mdx @@ -26,7 +26,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -172,7 +172,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -328,7 +328,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -383,7 +383,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -541,7 +541,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -626,7 +626,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -668,7 +668,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/agent/check.mdx b/website/content/api-docs/agent/check.mdx index 785fbce8b..2bc43fbc3 100644 --- a/website/content/api-docs/agent/check.mdx +++ b/website/content/api-docs/agent/check.mdx @@ -34,7 +34,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------ | @@ -112,7 +112,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------------------- | @@ -314,7 +314,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------------------- | @@ -352,7 +352,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------------------- | @@ -391,7 +391,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------------------- | @@ -433,7 +433,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------------------- | @@ -475,7 +475,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------------------- | diff --git a/website/content/api-docs/agent/connect.mdx b/website/content/api-docs/agent/connect.mdx index 62de4e67c..7e97cf162 100644 --- a/website/content/api-docs/agent/connect.mdx +++ b/website/content/api-docs/agent/connect.mdx @@ -46,7 +46,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | -------------------- | --------------- | @@ -121,7 +121,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | -------------------- | ------------ | @@ -189,7 +189,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | -------------------- | --------------- | diff --git a/website/content/api-docs/agent/index.mdx b/website/content/api-docs/agent/index.mdx index 61442236c..86dfa573b 100644 --- a/website/content/api-docs/agent/index.mdx +++ b/website/content/api-docs/agent/index.mdx @@ -34,7 +34,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | @@ -223,7 +223,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -291,7 +291,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -371,7 +371,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------- | @@ -404,7 +404,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -463,7 +463,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -585,7 +585,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -630,7 +630,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------- | @@ -672,7 +672,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------- | @@ -711,7 +711,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -788,7 +788,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------- | diff --git a/website/content/api-docs/agent/service.mdx b/website/content/api-docs/agent/service.mdx index 8c61002d4..02d3af8bb 100644 --- a/website/content/api-docs/agent/service.mdx +++ b/website/content/api-docs/agent/service.mdx @@ -33,7 +33,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------- | @@ -147,7 +147,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ----------------- | ----------------- | ------------- | -------------- | @@ -251,7 +251,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------- | @@ -582,7 +582,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | @@ -758,7 +758,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | @@ -798,7 +798,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | diff --git a/website/content/api-docs/api-structure.mdx b/website/content/api-docs/api-structure.mdx new file mode 100644 index 000000000..5f7ef44df --- /dev/null +++ b/website/content/api-docs/api-structure.mdx @@ -0,0 +1,161 @@ +--- +layout: api +page_title: HTTP API +description: |- + Consul exposes a RESTful HTTP API to control almost every aspect of the + Consul agent. +--- + +# HTTP API Structure + +The main interface to Consul is a RESTful HTTP API. The API can perform basic +CRUD operations on nodes, services, checks, configuration, and more. + +## Authentication + +When authentication is enabled, a Consul token should be provided to API +requests using the `X-Consul-Token` header or with the +Bearer scheme in the authorization header. +This reduces the probability of the +token accidentally getting logged or exposed. When using authentication, +clients should communicate via TLS. + +If no token is provided for an HTTP request then Consul will use the default ACL token +if it has been configured. If no default ACL token was configured then the anonymous +token will be used. + +Below is an example using `curl` with `X-Consul-Token`. + +```shell-session +$ curl \ + --header "X-Consul-Token: " \ + http://127.0.0.1:8500/v1/agent/members +``` + +Below is an example using `curl` with a [RFC6750](https://tools.ietf.org/html/rfc6750) Bearer token. + +```shell-session +$ curl \ + --header "Authorization: Bearer " \ + http://127.0.0.1:8500/v1/agent/members +``` + +Previously this was provided via a `?token=` query parameter. This functionality +exists on many endpoints for backwards compatibility, but its use is **highly +discouraged**, since it can show up in access logs as part of the URL. + +To learn more about the ACL system read the [documentation](/docs/security/acl). + +## Version Prefix + +All API routes are prefixed with `/v1/`. This documentation is only for the v1 API. + +## Formatted JSON Output + +By default, the output of all HTTP API requests is minimized JSON. If the client +passes `pretty` on the query string, formatted JSON will be returned. + +## HTTP Methods + +Consul's API aims to be RESTful, although there are some exceptions. The API +responds to the standard HTTP verbs GET, PUT, and DELETE. Each API method will +clearly document the verb(s) it responds to and the generated response. The same +path with different verbs may trigger different behavior. For example: + +```text +PUT /v1/kv/foo +GET /v1/kv/foo +``` + +Even though these share a path, the `PUT` operation creates a new key whereas +the `GET` operation reads an existing key. + +Here is the same example using `curl`: + +```shell-session +$ curl \ + --request PUT \ + --data 'hello consul' \ + http://127.0.0.1:8500/v1/kv/foo +``` + +## URL-Encoded Resource Names + +Some Consul HTTP API endpoints accept resource names in URL path or query parameters. +To pass a resource name containing URL-invalid characters, such as `/` or ` `, +URL-encode the resource name into the URL. + +However, we generally recommend using resource names that don't require URL-encoding. +Depending on the validation that Consul applies to a resource name, +Consul may still reject a request if it considers the resource name invalid for that endpoint. +And even if Consul considers the resource name valid, it may degrade other functionality, +such as failed [DNS lookups](/docs/discovery/dns) +for nodes or services with names containing invalid DNS characters. + +This HTTP API capability also allows the +[CLI to accept arguments with URL-invalid characters](/commands#arguments-with-url-invalid-characters). + +### Invalid Characters + +The linefeed character (`%0a`) will cause a request to be rejected even if it is URL-encoded. + +## Translated Addresses + +Consul 0.7 added the ability to translate addresses in HTTP response based on +the configuration setting for +[`translate_wan_addrs`](/docs/agent/config/config-files#translate_wan_addrs). In order +to allow clients to know if address translation is in effect, the +`X-Consul-Translate-Addresses` header will be added if translation is enabled, +and will have a value of `true`. If translation is not enabled then this header +will not be present. + +## Default ACL Policy + +All API responses for Consul versions after 1.9 will include an HTTP response +header `X-Consul-Default-ACL-Policy` set to either "allow" or "deny" which +mirrors the current value of the agent's +[`acl.default_policy`](/docs/agent/config/config-files#acl_default_policy) option. + +This is also the default [intention](/docs/connect/intentions) enforcement +action if no intention matches. + +This is returned even if ACLs are disabled. + +## Results Filtered by ACLs + +As of Consul 1.11, most list endpoints support an `X-Consul-Results-Filtered-By-ACLs` +HTTP response header. This indicates that the response contains a partial subset +of results, because some have been filtered out by ACL policies. + +In order to limit information leakage, this header is only present for requests +authenticated by a valid ACL token. + +The following example uses `curl` to view the +`X-Consul-Results-Filtered-By-ACLs` response header. + +```shell-session +$ curl \ + --header "X-Consul-Token: " \ + --include \ + http://127.0.0.1:8500/v1/catalog/services + +HTTP/1.1 200 OK +Content-Type: application/json +... +X-Consul-Default-Acl-Policy: deny +X-Consul-Results-Filtered-By-Acls: true + +{ + "redis": [], + "postgresql": ["primary", "secondary"] +} +``` + +## UUID Format + +UUID-format identifiers generated by the Consul API use the +[hashicorp/go-uuid](https://github.com/hashicorp/go-uuid) library. + +These UUID-format strings are generated using high quality, purely random bytes. +It is not intended to be RFC compliant, merely to use a well-understood string +representation of a 128-bit value. diff --git a/website/content/api-docs/catalog.mdx b/website/content/api-docs/catalog.mdx index 86480ab79..3987e891e 100644 --- a/website/content/api-docs/catalog.mdx +++ b/website/content/api-docs/catalog.mdx @@ -27,7 +27,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------------------- | @@ -179,7 +179,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------------------- | @@ -266,7 +266,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -301,7 +301,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -397,7 +397,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------- | @@ -502,7 +502,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | -------------------- | ------------------------ | @@ -727,7 +727,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------ | @@ -856,7 +856,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------ | @@ -990,7 +990,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------- | diff --git a/website/content/api-docs/config.mdx b/website/content/api-docs/config.mdx index 5b6c44680..fa71dc95f 100644 --- a/website/content/api-docs/config.mdx +++ b/website/content/api-docs/config.mdx @@ -27,7 +27,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------------------------------- | @@ -94,7 +94,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------------------- | @@ -165,7 +165,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------------------- | @@ -239,7 +239,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------------------------------- | diff --git a/website/content/api-docs/connect/ca.mdx b/website/content/api-docs/connect/ca.mdx index 91f333294..7a617c57b 100644 --- a/website/content/api-docs/connect/ca.mdx +++ b/website/content/api-docs/connect/ca.mdx @@ -24,7 +24,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -116,7 +116,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ----------------------------- | @@ -161,7 +161,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | diff --git a/website/content/api-docs/connect/intentions.mdx b/website/content/api-docs/connect/intentions.mdx index 2f8080f5e..716b8533f 100644 --- a/website/content/api-docs/connect/intentions.mdx +++ b/website/content/api-docs/connect/intentions.mdx @@ -39,7 +39,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------------ | @@ -145,7 +145,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------------ | @@ -242,7 +242,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------------ | @@ -296,7 +296,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ----------------------------- | @@ -368,7 +368,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ----------------------------- | @@ -431,7 +431,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ----------------------------- | @@ -518,7 +518,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------------ | @@ -573,7 +573,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------------ | @@ -629,7 +629,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ----------------------------- | @@ -689,7 +689,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | -------------------- | ----------------------------- | diff --git a/website/content/api-docs/coordinate.mdx b/website/content/api-docs/coordinate.mdx index 3b65f0ad3..aecb63859 100644 --- a/website/content/api-docs/coordinate.mdx +++ b/website/content/api-docs/coordinate.mdx @@ -32,7 +32,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -88,7 +88,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -147,7 +147,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -209,7 +209,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/discovery-chain.mdx b/website/content/api-docs/discovery-chain.mdx index 40add5f3f..623726e12 100644 --- a/website/content/api-docs/discovery-chain.mdx +++ b/website/content/api-docs/discovery-chain.mdx @@ -4,10 +4,10 @@ page_title: Discovery Chain - HTTP API description: The /discovery-chain endpoints are for interacting with the discovery chain. --- --> **1.6.0+:** The discovery chain API is available in Consul versions 1.6.0 and newer. - # Discovery Chain HTTP Endpoint +-> **1.6.0+:** The discovery chain API is available in Consul versions 1.6.0 and newer. + ~> This is a low-level API primarily targeted at developers building external [Connect proxy integrations](/docs/connect/proxies/integrate). Future high-level proxy integration APIs may obviate the need for this API over time. @@ -41,7 +41,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | -------------------- | -------------- | diff --git a/website/content/api-docs/event.mdx b/website/content/api-docs/event.mdx index 799f743ea..f11844582 100644 --- a/website/content/api-docs/event.mdx +++ b/website/content/api-docs/event.mdx @@ -23,7 +23,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------- | @@ -101,7 +101,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/health.mdx b/website/content/api-docs/health.mdx index cad74bbad..6723988e1 100644 --- a/website/content/api-docs/health.mdx +++ b/website/content/api-docs/health.mdx @@ -31,7 +31,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------ | @@ -125,7 +125,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------ | @@ -215,7 +215,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | -------------------- | ----------------- | -------------------- | ------------------------ | @@ -453,7 +453,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------ | diff --git a/website/content/api-docs/index.mdx b/website/content/api-docs/index.mdx index 5f7ef44df..cdb940c8e 100644 --- a/website/content/api-docs/index.mdx +++ b/website/content/api-docs/index.mdx @@ -1,161 +1,59 @@ --- layout: api -page_title: HTTP API +page_title: Consul HTTP API Overview description: |- - Consul exposes a RESTful HTTP API to control almost every aspect of the - Consul agent. + Learn about the Consul REST API, which is the primary interface to all functionality available in Consul. --- -# HTTP API Structure +# Consul API Overview -The main interface to Consul is a RESTful HTTP API. The API can perform basic -CRUD operations on nodes, services, checks, configuration, and more. +The Consul HTTP API is a RESTful interface that allows you leverage Consul functionality in your network. This topic provides guidance about the essential API endpoints for different workstreams. Refer to the [HTTP API structure](/api-docs/api-structure) docs to learn how to interact with and authenticate against the Consul HTTP API. -## Authentication +## Connect your services -When authentication is enabled, a Consul token should be provided to API -requests using the `X-Consul-Token` header or with the -Bearer scheme in the authorization header. -This reduces the probability of the -token accidentally getting logged or exposed. When using authentication, -clients should communicate via TLS. +Use the following API endpoints to configure and connect your services. -If no token is provided for an HTTP request then Consul will use the default ACL token -if it has been configured. If no default ACL token was configured then the anonymous -token will be used. +- [`/catalog`](/api-docs/catalog): Register and deregister nodes, services, and health checks. +- [`/health`](/api-docs/health): Query node health when health checks are enabled. +- [`/query`](/api-docs/query): Create and manage prepared queries in Consul. Prepared queries allow you to register a complex service query and send it later. +- [`/coordinate`](/api-docs/coordinate): Query the network coordinates for nodes in the local datacenter and Consul servers in the local datacenter and remote datacenters. -Below is an example using `curl` with `X-Consul-Token`. +The following endpoints are specific to service mesh: -```shell-session -$ curl \ - --header "X-Consul-Token: " \ - http://127.0.0.1:8500/v1/agent/members -``` +- [`/config`](/api-docs/config): Create, update, delete, and query central configuration entries registered with Consul. Configuration entries define the default behavior of resources in the service mesh. +- [`/agent/connect`](/api-docs/agent/connect): Interact with local agents in the service mesh. +- [`/connect`](/api-docs/connect): Manage service mesh-related operations, including service intentions ([`/connect/intentions`](/api-docs/connect/intentions)) and the service mesh Certificate Authority (CA) ([`/connect/ca`](/api-docs/connect/ca)). -Below is an example using `curl` with a [RFC6750](https://tools.ietf.org/html/rfc6750) Bearer token. -```shell-session -$ curl \ - --header "Authorization: Bearer " \ - http://127.0.0.1:8500/v1/agent/members -``` +## Enable zero-trust network security -Previously this was provided via a `?token=` query parameter. This functionality -exists on many endpoints for backwards compatibility, but its use is **highly -discouraged**, since it can show up in access logs as part of the URL. +The following API endpoints give you control over access to services in your network and access to the Consul API. -To learn more about the ACL system read the [documentation](/docs/security/acl). +- [`/acl`](/api-docs/acl): Create and manage tokens that authenticate requests and authorize access to resources in the network. We recommend enabling access control lists (ACL) to secure access to the Consul API, UI, and CLI. +- [`/connect/intentions`](/api-docs/connect/intentions): Create and manage service intentions. -## Version Prefix +## Observe your network -All API routes are prefixed with `/v1/`. This documentation is only for the v1 API. +Use the following API endpoints enable network observability. -## Formatted JSON Output +- [`/status`](/api-docs/status): Debug your Consul datacenter by returning low-level Raft information about Consul server peers. +- [`/agent/metrics`](/api-docs/agent#view-metrics): Retrieve metrics for the most recent finished intervals. For more information about metrics, refere to [Telemetry](/docs/agent/telemetry). -By default, the output of all HTTP API requests is minimized JSON. If the client -passes `pretty` on the query string, formatted JSON will be returned. -## HTTP Methods +## Manage consul -Consul's API aims to be RESTful, although there are some exceptions. The API -responds to the standard HTTP verbs GET, PUT, and DELETE. Each API method will -clearly document the verb(s) it responds to and the generated response. The same -path with different verbs may trigger different behavior. For example: +The following API endpoints help you manage Consul operations. -```text -PUT /v1/kv/foo -GET /v1/kv/foo -``` +- [`/operator`](/api-docs/operator): Perform cluster-level tasks, such as interacting with the Raft subsystem or obtaining license information. +- [`/partition`](/api-docs/partition): Create and manage administrative or admin partitions in Consul. Admin partitions are supersets of Consul namespaces that isolate groups of resources to lower operational overhead. +- [`/namespace`](/api-docs/namespace): Create and manage namespaces in Consul. Namespaces isolate groups of resources to lower operational overhead. +- [`/snapshot`](/api-docs/snapshot): Save and restore Consul server state in the event of a disaster. +- [`/txn`](/api-docs/txn): Apply multiple operations, such as updating the catalog and retrieving multiple KV entries, in a single transaction. -Even though these share a path, the `PUT` operation creates a new key whereas -the `GET` operation reads an existing key. +## Configure your services dynamically -Here is the same example using `curl`: +The following API endpoints enable you to dynamically configure your services. -```shell-session -$ curl \ - --request PUT \ - --data 'hello consul' \ - http://127.0.0.1:8500/v1/kv/foo -``` - -## URL-Encoded Resource Names - -Some Consul HTTP API endpoints accept resource names in URL path or query parameters. -To pass a resource name containing URL-invalid characters, such as `/` or ` `, -URL-encode the resource name into the URL. - -However, we generally recommend using resource names that don't require URL-encoding. -Depending on the validation that Consul applies to a resource name, -Consul may still reject a request if it considers the resource name invalid for that endpoint. -And even if Consul considers the resource name valid, it may degrade other functionality, -such as failed [DNS lookups](/docs/discovery/dns) -for nodes or services with names containing invalid DNS characters. - -This HTTP API capability also allows the -[CLI to accept arguments with URL-invalid characters](/commands#arguments-with-url-invalid-characters). - -### Invalid Characters - -The linefeed character (`%0a`) will cause a request to be rejected even if it is URL-encoded. - -## Translated Addresses - -Consul 0.7 added the ability to translate addresses in HTTP response based on -the configuration setting for -[`translate_wan_addrs`](/docs/agent/config/config-files#translate_wan_addrs). In order -to allow clients to know if address translation is in effect, the -`X-Consul-Translate-Addresses` header will be added if translation is enabled, -and will have a value of `true`. If translation is not enabled then this header -will not be present. - -## Default ACL Policy - -All API responses for Consul versions after 1.9 will include an HTTP response -header `X-Consul-Default-ACL-Policy` set to either "allow" or "deny" which -mirrors the current value of the agent's -[`acl.default_policy`](/docs/agent/config/config-files#acl_default_policy) option. - -This is also the default [intention](/docs/connect/intentions) enforcement -action if no intention matches. - -This is returned even if ACLs are disabled. - -## Results Filtered by ACLs - -As of Consul 1.11, most list endpoints support an `X-Consul-Results-Filtered-By-ACLs` -HTTP response header. This indicates that the response contains a partial subset -of results, because some have been filtered out by ACL policies. - -In order to limit information leakage, this header is only present for requests -authenticated by a valid ACL token. - -The following example uses `curl` to view the -`X-Consul-Results-Filtered-By-ACLs` response header. - -```shell-session -$ curl \ - --header "X-Consul-Token: " \ - --include \ - http://127.0.0.1:8500/v1/catalog/services - -HTTP/1.1 200 OK -Content-Type: application/json -... -X-Consul-Default-Acl-Policy: deny -X-Consul-Results-Filtered-By-Acls: true - -{ - "redis": [], - "postgresql": ["primary", "secondary"] -} -``` - -## UUID Format - -UUID-format identifiers generated by the Consul API use the -[hashicorp/go-uuid](https://github.com/hashicorp/go-uuid) library. - -These UUID-format strings are generated using high quality, purely random bytes. -It is not intended to be RFC compliant, merely to use a well-understood string -representation of a 128-bit value. +- [`/event`](/api-docs/event): Start a custom event that you can use to build scripts and automations. +- [`/kv`](/api-docs/kv): Add, remove, and update metadata stored in the Consul KV store. +- [`/session`](/api-docs/session): Create and manage [sessions](/docs/dynamic-app-config/sessions) in Consul. You can use sessions to build distributed and granular locks to ensure nodes are properly writing to the Consul KV store. diff --git a/website/content/api-docs/kv.mdx b/website/content/api-docs/kv.mdx index abec2bc7a..ba4b1b402 100644 --- a/website/content/api-docs/kv.mdx +++ b/website/content/api-docs/kv.mdx @@ -43,7 +43,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -171,7 +171,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -258,7 +258,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/namespaces.mdx b/website/content/api-docs/namespaces.mdx index ceffdc2d9..79b137705 100644 --- a/website/content/api-docs/namespaces.mdx +++ b/website/content/api-docs/namespaces.mdx @@ -23,7 +23,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -154,7 +154,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------------------------------- | @@ -224,7 +224,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -366,7 +366,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -438,7 +438,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------------------------------- | diff --git a/website/content/api-docs/operator/area.mdx b/website/content/api-docs/operator/area.mdx index 104eda9b2..becf844cc 100644 --- a/website/content/api-docs/operator/area.mdx +++ b/website/content/api-docs/operator/area.mdx @@ -39,7 +39,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -108,7 +108,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | @@ -152,7 +152,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -199,7 +199,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | @@ -245,7 +245,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -283,7 +283,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -358,7 +358,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | diff --git a/website/content/api-docs/operator/autopilot.mdx b/website/content/api-docs/operator/autopilot.mdx index 9841d13e1..87d79f6dc 100644 --- a/website/content/api-docs/operator/autopilot.mdx +++ b/website/content/api-docs/operator/autopilot.mdx @@ -27,7 +27,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | @@ -82,7 +82,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -162,7 +162,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | @@ -266,7 +266,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | diff --git a/website/content/api-docs/operator/keyring.mdx b/website/content/api-docs/operator/keyring.mdx index 17e548766..9a187543a 100644 --- a/website/content/api-docs/operator/keyring.mdx +++ b/website/content/api-docs/operator/keyring.mdx @@ -29,7 +29,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------- | @@ -116,7 +116,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | @@ -165,7 +165,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | @@ -214,7 +214,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | diff --git a/website/content/api-docs/operator/license.mdx b/website/content/api-docs/operator/license.mdx index a7430ce38..580d99c7d 100644 --- a/website/content/api-docs/operator/license.mdx +++ b/website/content/api-docs/operator/license.mdx @@ -25,7 +25,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -91,7 +91,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -162,7 +162,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | diff --git a/website/content/api-docs/operator/raft.mdx b/website/content/api-docs/operator/raft.mdx index 0df5973a1..aef6e6dcd 100644 --- a/website/content/api-docs/operator/raft.mdx +++ b/website/content/api-docs/operator/raft.mdx @@ -26,7 +26,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | --------------------- | ------------- | --------------- | @@ -123,7 +123,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | diff --git a/website/content/api-docs/operator/segment.mdx b/website/content/api-docs/operator/segment.mdx index 65adc134d..d2013b5a8 100644 --- a/website/content/api-docs/operator/segment.mdx +++ b/website/content/api-docs/operator/segment.mdx @@ -32,7 +32,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | diff --git a/website/content/api-docs/peering.mdx b/website/content/api-docs/peering.mdx index 102161319..77a7bb2e2 100644 --- a/website/content/api-docs/peering.mdx +++ b/website/content/api-docs/peering.mdx @@ -26,7 +26,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -93,7 +93,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -156,7 +156,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------- | @@ -212,7 +212,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------- | @@ -264,7 +264,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------- | diff --git a/website/content/api-docs/query.mdx b/website/content/api-docs/query.mdx index 4ad4e2e90..77aa76dfb 100644 --- a/website/content/api-docs/query.mdx +++ b/website/content/api-docs/query.mdx @@ -144,7 +144,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------- | @@ -321,7 +321,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -383,7 +383,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------- | @@ -423,7 +423,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -463,7 +463,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------- | @@ -503,7 +503,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------------- | @@ -632,7 +632,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/session.mdx b/website/content/api-docs/session.mdx index 21d4759cf..55bfaec2a 100644 --- a/website/content/api-docs/session.mdx +++ b/website/content/api-docs/session.mdx @@ -21,7 +21,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | @@ -131,7 +131,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | @@ -177,7 +177,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------- | @@ -240,7 +240,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------- | @@ -303,7 +303,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | -------------- | @@ -361,7 +361,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | --------------- | diff --git a/website/content/api-docs/snapshot.mdx b/website/content/api-docs/snapshot.mdx index 2f3c094ab..aeea63297 100644 --- a/website/content/api-docs/snapshot.mdx +++ b/website/content/api-docs/snapshot.mdx @@ -33,7 +33,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -87,7 +87,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/status.mdx b/website/content/api-docs/status.mdx index a4e8e45b8..f0c6462d4 100644 --- a/website/content/api-docs/status.mdx +++ b/website/content/api-docs/status.mdx @@ -26,7 +26,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | @@ -63,7 +63,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------ | diff --git a/website/content/api-docs/txn.mdx b/website/content/api-docs/txn.mdx index a42176cbb..e3e910e20 100644 --- a/website/content/api-docs/txn.mdx +++ b/website/content/api-docs/txn.mdx @@ -39,7 +39,7 @@ The table below shows this endpoint's support for [blocking queries](/api-docs/features/blocking), [consistency modes](/api-docs/features/consistency), [agent caching](/api-docs/features/caching), and -[required ACLs](/api#authentication). +[required ACLs](/api-docs#authentication). | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ---------------------------------------------------------------------------------------------- | diff --git a/website/content/commands/acl/auth-method/create.mdx b/website/content/commands/acl/auth-method/create.mdx index affecbc4f..e3a3b54b4 100644 --- a/website/content/commands/acl/auth-method/create.mdx +++ b/website/content/commands/acl/auth-method/create.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/auth-method](/api-docs/acl/aut The `acl auth-method create` command creates new auth methods. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/auth-method/delete.mdx b/website/content/commands/acl/auth-method/delete.mdx index 2c35172a5..8d650666c 100644 --- a/website/content/commands/acl/auth-method/delete.mdx +++ b/website/content/commands/acl/auth-method/delete.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[DELETE\] /v1/acl/auth-method/:name](/api-doc The `acl auth-method delete` command deletes an auth method. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/auth-method/list.mdx b/website/content/commands/acl/auth-method/list.mdx index 2c173ce66..89b73b81d 100644 --- a/website/content/commands/acl/auth-method/list.mdx +++ b/website/content/commands/acl/auth-method/list.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/auth-methods](/api-docs/acl/au The `acl auth-method list` command lists all auth methods. By default it will not show metadata. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/auth-method/read.mdx b/website/content/commands/acl/auth-method/read.mdx index adb5b4456..b4a06fedb 100644 --- a/website/content/commands/acl/auth-method/read.mdx +++ b/website/content/commands/acl/auth-method/read.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/auth-method/:name](/api-docs/a The `acl auth-method read` command reads and displays an auth method's details. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/auth-method/update.mdx b/website/content/commands/acl/auth-method/update.mdx index 338a7a5ef..2e0847c59 100644 --- a/website/content/commands/acl/auth-method/update.mdx +++ b/website/content/commands/acl/auth-method/update.mdx @@ -14,7 +14,7 @@ default operations is to merge the current auth method with those values provided to the command invocation. Therefore to update just one field, only the `-name` options and the option to modify must be provided. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/binding-rule/create.mdx b/website/content/commands/acl/binding-rule/create.mdx index 1e10d5da7..764770fcf 100644 --- a/website/content/commands/acl/binding-rule/create.mdx +++ b/website/content/commands/acl/binding-rule/create.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/binding-rule](/api-docs/acl/bi The `acl binding-rule create` command creates new binding rules. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/binding-rule/delete.mdx b/website/content/commands/acl/binding-rule/delete.mdx index 360742eab..3c4bc2674 100644 --- a/website/content/commands/acl/binding-rule/delete.mdx +++ b/website/content/commands/acl/binding-rule/delete.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[DELETE\] /v1/acl/binding-rule/:id](/api-docs The `acl binding-rule delete` command deletes a binding rule. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/binding-rule/list.mdx b/website/content/commands/acl/binding-rule/list.mdx index 89695ec0c..d28377892 100644 --- a/website/content/commands/acl/binding-rule/list.mdx +++ b/website/content/commands/acl/binding-rule/list.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/binding-rules](/api-docs/acl/b The `acl binding-rule list` command lists all binding rules. By default it will not show metadata. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/binding-rule/read.mdx b/website/content/commands/acl/binding-rule/read.mdx index 41ee7f2a3..e2f4771f5 100644 --- a/website/content/commands/acl/binding-rule/read.mdx +++ b/website/content/commands/acl/binding-rule/read.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/binding-rule/:id](/api-docs/ac The `acl binding-rule read` command reads and displays a binding rules details. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/binding-rule/update.mdx b/website/content/commands/acl/binding-rule/update.mdx index 5c292f5bf..de2f5caad 100644 --- a/website/content/commands/acl/binding-rule/update.mdx +++ b/website/content/commands/acl/binding-rule/update.mdx @@ -14,7 +14,7 @@ default operations is to merge the current binding rule with those values provided to the command invocation. Therefore to update just one field, only the `-id` option and the option to modify must be provided. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/bootstrap.mdx b/website/content/commands/acl/bootstrap.mdx index d33c550e6..127009a70 100644 --- a/website/content/commands/acl/bootstrap.mdx +++ b/website/content/commands/acl/bootstrap.mdx @@ -12,9 +12,9 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/bootstrap](/api-docs/acl#boots The `acl bootstrap` command will request Consul to generate a new token with unlimited privileges to use for management purposes and output its details. This can only be done once and afterwards bootstrapping will be disabled. If all tokens are lost and you need to bootstrap again you can follow the bootstrap -[reset procedure](https://learn.hashicorp.com/consul/security-networking/acl-troubleshooting?utm_source=consul.io&utm_medium=docs#reset-the-acl-system). +[reset procedure](https://learn.hashicorp.com/consul/security-networking/acl-troubleshooting?utm_source=docs). -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/policy/create.mdx b/website/content/commands/acl/policy/create.mdx index 14a863b70..fcb52137c 100644 --- a/website/content/commands/acl/policy/create.mdx +++ b/website/content/commands/acl/policy/create.mdx @@ -19,7 +19,7 @@ from stdin, a file or the raw value. To use stdin pass `-` as the value. To load the value from a file prefix the value with an `@`. Any other values will be used directly. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/policy/delete.mdx b/website/content/commands/acl/policy/delete.mdx index 3dc717539..3f190a739 100644 --- a/website/content/commands/acl/policy/delete.mdx +++ b/website/content/commands/acl/policy/delete.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[DELETE\] /v1/acl/policy/:id](/api-docs/acl/p The `acl policy delete` command deletes a policy. Policies may be deleted by their ID or by name. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/policy/list.mdx b/website/content/commands/acl/policy/list.mdx index 4b227c708..7b0d2df88 100644 --- a/website/content/commands/acl/policy/list.mdx +++ b/website/content/commands/acl/policy/list.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/policies](/api-docs/acl/polici The `acl policy list` command lists all policies. By default it will not show metadata. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/policy/read.mdx b/website/content/commands/acl/policy/read.mdx index 859827704..4878be145 100644 --- a/website/content/commands/acl/policy/read.mdx +++ b/website/content/commands/acl/policy/read.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoints: [\[GET\] /v1/acl/policy/:id](/api-docs/acl/pol The `acl policy read` command reads and displays a policies details. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/policy/update.mdx b/website/content/commands/acl/policy/update.mdx index 15c803fee..cd12f5025 100644 --- a/website/content/commands/acl/policy/update.mdx +++ b/website/content/commands/acl/policy/update.mdx @@ -15,7 +15,7 @@ the `-id` or `-name` options and the option to modify must be provided. Note tha policies requires both the `-id` and `-name` as the new name cannot yet be used to lookup the policy. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/role/create.mdx b/website/content/commands/acl/role/create.mdx index 5aff61f1c..2c44ad59a 100644 --- a/website/content/commands/acl/role/create.mdx +++ b/website/content/commands/acl/role/create.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/role](/api-docs/acl/roles#crea The `acl role create` command creates new roles. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/role/delete.mdx b/website/content/commands/acl/role/delete.mdx index a353d09cd..f72b7b204 100644 --- a/website/content/commands/acl/role/delete.mdx +++ b/website/content/commands/acl/role/delete.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[DELETE\] /v1/acl/role/:id](/api-docs/acl/rol The `acl role delete` command deletes a role. Roles may be deleted by their ID or by name. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/role/list.mdx b/website/content/commands/acl/role/list.mdx index f81374b9c..4b43af7f7 100644 --- a/website/content/commands/acl/role/list.mdx +++ b/website/content/commands/acl/role/list.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/roles](/api-docs/acl/roles#lis The `acl role list` command lists all roles. By default it will not show metadata. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/role/read.mdx b/website/content/commands/acl/role/read.mdx index 9ed3d43d9..a0b4132f3 100644 --- a/website/content/commands/acl/role/read.mdx +++ b/website/content/commands/acl/role/read.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoints: [\[GET\] /v1/acl/role/:id](/api-docs/acl/roles The `acl role read` command reads and displays a roles details. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/role/update.mdx b/website/content/commands/acl/role/update.mdx index d1e7768af..d09c7cd20 100644 --- a/website/content/commands/acl/role/update.mdx +++ b/website/content/commands/acl/role/update.mdx @@ -15,7 +15,7 @@ update just one field, only the `-id` or `-name` options and the option to modify must be provided. Note that renaming roles requires both the `-id` and `-name` as the new name cannot yet be used to lookup the role. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/set-agent-token.mdx b/website/content/commands/acl/set-agent-token.mdx index a7178c34b..7161f0f99 100644 --- a/website/content/commands/acl/set-agent-token.mdx +++ b/website/content/commands/acl/set-agent-token.mdx @@ -16,7 +16,7 @@ the agent's configuration. Tokens are not persisted unless is `true`, so tokens will need to be updated again if that option is `false` and the agent is restarted. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/token/clone.mdx b/website/content/commands/acl/token/clone.mdx index 36a871666..847da3e3b 100644 --- a/website/content/commands/acl/token/clone.mdx +++ b/website/content/commands/acl/token/clone.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/token/:AccessorID/clone](/api- The `acl token clone` command clones an existing token. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/token/create.mdx b/website/content/commands/acl/token/create.mdx index 62cbdd6e0..7965fcf0d 100644 --- a/website/content/commands/acl/token/create.mdx +++ b/website/content/commands/acl/token/create.mdx @@ -13,7 +13,7 @@ This command creates new tokens. When creating a new token, policies may be link either the `-policy-id` or the `-policy-name` options. When specifying policies by IDs you may use a unique prefix of the UUID as a shortcut for specifying the entire UUID. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/token/delete.mdx b/website/content/commands/acl/token/delete.mdx index 247828315..fb6dd48c6 100644 --- a/website/content/commands/acl/token/delete.mdx +++ b/website/content/commands/acl/token/delete.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[DELETE\] /v1/acl/token/:AccessorID](/api-doc The `acl token delete` command deletes a token. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/token/list.mdx b/website/content/commands/acl/token/list.mdx index abceb8dce..6534d5bb8 100644 --- a/website/content/commands/acl/token/list.mdx +++ b/website/content/commands/acl/token/list.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/tokens](/api-docs/acl/tokens#l The `acl token list` command lists all tokens. By default it will not show metadata. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/token/read.mdx b/website/content/commands/acl/token/read.mdx index e3472108e..e58a5a288 100644 --- a/website/content/commands/acl/token/read.mdx +++ b/website/content/commands/acl/token/read.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/token/:AccessorID](/api-docs/a The `acl token read` command reads and displays a token details. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/token/update.mdx b/website/content/commands/acl/token/update.mdx index b8360dba2..ba0e1d24c 100644 --- a/website/content/commands/acl/token/update.mdx +++ b/website/content/commands/acl/token/update.mdx @@ -12,7 +12,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/token/:AccessorID](/api-docs/a The `acl token update` command will update a token. Some parts of the token like whether the token is local to the datacenter cannot be changed. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/acl/translate-rules.mdx b/website/content/commands/acl/translate-rules.mdx index 8cdd1104e..95a699a91 100644 --- a/website/content/commands/acl/translate-rules.mdx +++ b/website/content/commands/acl/translate-rules.mdx @@ -14,7 +14,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/rules/translate/:accessor_id]( This command translates the legacy ACL rule syntax into the new syntax. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/catalog/datacenters.mdx b/website/content/commands/catalog/datacenters.mdx index 1f823d1d1..ec00fab2e 100644 --- a/website/content/commands/catalog/datacenters.mdx +++ b/website/content/commands/catalog/datacenters.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/catalog/datacenters](/api-docs/cat The `catalog datacenters` command prints all known datacenters. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/catalog/nodes.mdx b/website/content/commands/catalog/nodes.mdx index efe705010..66d9c3ce8 100644 --- a/website/content/commands/catalog/nodes.mdx +++ b/website/content/commands/catalog/nodes.mdx @@ -13,7 +13,7 @@ The `catalog nodes` command prints all known nodes and metadata about them. It can also query for nodes that match a particular metadata or provide a particular service. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/catalog/services.mdx b/website/content/commands/catalog/services.mdx index ab56251d4..2599acde6 100644 --- a/website/content/commands/catalog/services.mdx +++ b/website/content/commands/catalog/services.mdx @@ -13,7 +13,7 @@ The `catalog services` command prints all known services. It can also query for services that match particular metadata or list the services that a particular node provides. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/config/delete.mdx b/website/content/commands/config/delete.mdx index e082310fd..5fbaeef0f 100644 --- a/website/content/commands/config/delete.mdx +++ b/website/content/commands/config/delete.mdx @@ -13,7 +13,7 @@ The `config delete` command deletes the configuration entry specified by the kind and name. See the [configuration entries docs](/docs/agent/config-entries) for more details about configuration entries. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/config/list.mdx b/website/content/commands/config/list.mdx index 4e5484cb3..906d81ae0 100644 --- a/website/content/commands/config/list.mdx +++ b/website/content/commands/config/list.mdx @@ -13,7 +13,7 @@ The `config list` command lists all given config entries of the given kind. See the [configuration entries docs](/docs/agent/config-entries) for more details about configuration entries. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/config/read.mdx b/website/content/commands/config/read.mdx index 985e0ca9e..4688e3fb1 100644 --- a/website/content/commands/config/read.mdx +++ b/website/content/commands/config/read.mdx @@ -14,7 +14,7 @@ kind and name and outputs its JSON representation. See the [configuration entries docs](/docs/agent/config-entries) for more details about configuration entries. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/config/write.mdx b/website/content/commands/config/write.mdx index 33358cfee..a21bb13a9 100644 --- a/website/content/commands/config/write.mdx +++ b/website/content/commands/config/write.mdx @@ -13,7 +13,7 @@ The `config write` command creates or updates a centralized config entry. See the [configuration entries docs](/docs/agent/config-entries) for more details about configuration entries. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/connect/ca.mdx b/website/content/commands/connect/ca.mdx index 1916fa04e..8a6365325 100644 --- a/website/content/commands/connect/ca.mdx +++ b/website/content/commands/connect/ca.mdx @@ -42,7 +42,7 @@ Subcommands: This command displays the current CA configuration. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. @@ -77,7 +77,7 @@ Modifies the current CA configuration. If this results in a new root certificate being used, the [Root Rotation](/docs/connect/ca#root-certificate-rotation) process will be triggered. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/event.mdx b/website/content/commands/event.mdx index 8bb719530..d3eb08a31 100644 --- a/website/content/commands/event.mdx +++ b/website/content/commands/event.mdx @@ -37,7 +37,7 @@ message. It is hard to give an exact number, as it depends on various parameters of the event, but the payload should be kept very small (< 100 bytes). Specifying too large of an event will return an error. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/exec.mdx b/website/content/commands/exec.mdx index f957c6ef4..b1103cf47 100644 --- a/website/content/commands/exec.mdx +++ b/website/content/commands/exec.mdx @@ -30,7 +30,7 @@ through the Consul servers and the Raft consensus algorithm, so having a large number of nodes in the cluster flow a large amount of data through the KV store could make the cluster unavailable. -The table below shows the [required ACLs](/api#authentication) in order to +The table below shows the [required ACLs](/api-docs#authentication) in order to execute this command. | ACL Required | Scope | diff --git a/website/content/commands/force-leave.mdx b/website/content/commands/force-leave.mdx index 399bf412b..7dd528e9d 100644 --- a/website/content/commands/force-leave.mdx +++ b/website/content/commands/force-leave.mdx @@ -32,7 +32,7 @@ from the datacenter's member list nor from the raft configuration. Additionally, if the agent returns after transitioning to the "left" state, but before it is reaped from the member list, then it will rejoin the cluster. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/index.mdx b/website/content/commands/index.mdx index d805d4eb2..f39894724 100644 --- a/website/content/commands/index.mdx +++ b/website/content/commands/index.mdx @@ -94,7 +94,7 @@ Command Options ## Authentication -When the [ACL system is enabled](/docs/agent/options#acl_enabled) the Consul CLI will +When the [ACL system is enabled](/docs/agent/config/config-files#acl) the Consul CLI will require an [ACL token](/docs/security/acl#tokens) to perform API requests. The ACL token can be provided directly on the command line using the `-token` command line flag, diff --git a/website/content/commands/intention/check.mdx b/website/content/commands/intention/check.mdx index 393075354..909a40c8c 100644 --- a/website/content/commands/intention/check.mdx +++ b/website/content/commands/intention/check.mdx @@ -23,7 +23,7 @@ intention read permissions and don't evaluate the result. defined as _deny_ intentions during evaluation, as this endpoint is only suited for networking layer 4 (e.g. TCP) integration. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/intention/create.mdx b/website/content/commands/intention/create.mdx index 8e5b49d7e..da565552d 100644 --- a/website/content/commands/intention/create.mdx +++ b/website/content/commands/intention/create.mdx @@ -17,7 +17,7 @@ Corresponding HTTP API Endpoint: [\[POST\] /v1/connect/intentions](/api-docs/con The `intention create` command creates or updates an L4 intention. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/intention/delete.mdx b/website/content/commands/intention/delete.mdx index f03948752..d98d7a5a4 100644 --- a/website/content/commands/intention/delete.mdx +++ b/website/content/commands/intention/delete.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoints: [\[DELETE\] /v1/connect/intentions/exact](/api The `intention delete` command deletes a matching intention. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/intention/get.mdx b/website/content/commands/intention/get.mdx index 05bec1bfb..bbd418145 100644 --- a/website/content/commands/intention/get.mdx +++ b/website/content/commands/intention/get.mdx @@ -16,7 +16,7 @@ Consul 1.9.0. Intentions no longer need IDs when represented as [`service-intentions`](/docs/connect/config-entries/service-intentions) config entries. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/intention/list.mdx b/website/content/commands/intention/list.mdx index a4fa999ba..132827e3a 100644 --- a/website/content/commands/intention/list.mdx +++ b/website/content/commands/intention/list.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions](/api-docs/conn The `intention list` command shows all intentions including ID and precedence. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/intention/match.mdx b/website/content/commands/intention/match.mdx index 5208af954..e8a02d8fc 100644 --- a/website/content/commands/intention/match.mdx +++ b/website/content/commands/intention/match.mdx @@ -16,7 +16,7 @@ order: the first intention that matches a request would be evaluated. The [check](/commands/intention/check) command can be used to check whether an L4 connection would be authorized between any two services. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/join.mdx b/website/content/commands/join.mdx index dcfca8962..99e455ab6 100644 --- a/website/content/commands/join.mdx +++ b/website/content/commands/join.mdx @@ -22,7 +22,7 @@ state across the cluster. An agent which is already part of a cluster may join an agent in a different cluster, causing the two clusters to be merged into a single cluster. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/keyring.mdx b/website/content/commands/keyring.mdx index 37cd21944..2184cc7f2 100644 --- a/website/content/commands/keyring.mdx +++ b/website/content/commands/keyring.mdx @@ -29,7 +29,7 @@ All variations of the `keyring` command return 0 if all nodes reply and there are no errors. If any node fails to reply or reports failure, the exit code will be 1. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/kv/delete.mdx b/website/content/commands/kv/delete.mdx index b67745c01..695ea32c9 100644 --- a/website/content/commands/kv/delete.mdx +++ b/website/content/commands/kv/delete.mdx @@ -12,7 +12,7 @@ Corresponding HTTP API Endpoint: [\[DELETE\] /v1/kv/:key](/api-docs/kv#delete-ke The `kv delete` command removes the value from Consul's KV store at the given path. If no key exists at the path, no action is taken. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/kv/export.mdx b/website/content/commands/kv/export.mdx index bfd34c2bd..cddff8d2c 100644 --- a/website/content/commands/kv/export.mdx +++ b/website/content/commands/kv/export.mdx @@ -12,7 +12,7 @@ prefix from Consul's KV store, and write a JSON representation to stdout. This can be used with the command "consul kv import" to move entire trees between Consul clusters. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/kv/get.mdx b/website/content/commands/kv/get.mdx index ba528fba5..338940932 100644 --- a/website/content/commands/kv/get.mdx +++ b/website/content/commands/kv/get.mdx @@ -20,7 +20,7 @@ can be used with [`kv import`](/commands/kv/import) to move entire trees between Consul clusters. Alternatively, the [transaction API](/api-docs/txn) provides support for performing up to 64 KV operations atomically. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/kv/import.mdx b/website/content/commands/kv/import.mdx index e6fc642a2..521217a7a 100644 --- a/website/content/commands/kv/import.mdx +++ b/website/content/commands/kv/import.mdx @@ -10,7 +10,7 @@ Command: `consul kv import` The `kv import` command is used to import KV pairs from the JSON representation generated by the `kv export` command. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/kv/put.mdx b/website/content/commands/kv/put.mdx index daa916f29..b88a37009 100644 --- a/website/content/commands/kv/put.mdx +++ b/website/content/commands/kv/put.mdx @@ -16,7 +16,7 @@ The `kv put` command writes the data to the given path in the KV store. [transaction API](/api-docs/txn) provides support for performing up to 64 KV operations atomically. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/leave.mdx b/website/content/commands/leave.mdx index a987338b8..1a0aef4dc 100644 --- a/website/content/commands/leave.mdx +++ b/website/content/commands/leave.mdx @@ -25,7 +25,7 @@ non-graceful leave can affect cluster availability. Running `consul leave` on a server explicitly will reduce the quorum size. Even if the cluster used `bootstrap_expect` to set a quorum size initially, issuing `consul leave` on a server will reconfigure the cluster to have fewer servers. This means you could end up with just one server that is still able to commit writes because quorum is only 1, but those writes might be lost if that server fails before more are added. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/license.mdx b/website/content/commands/license.mdx index 6c230a470..a7a374e6c 100644 --- a/website/content/commands/license.mdx +++ b/website/content/commands/license.mdx @@ -21,7 +21,7 @@ Consul Enterprise license management. If ACLs are enabled then a token with operator privileges may be required in order to use this command. Requests are forwarded internally to the leader if required, so this can be run from any Consul node in a cluster. See the -[ACL Guide](https://learn.hashicorp.com/consul/security-networking/production-acls) for more information. +[ACL Guide](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production) for more information. ```text Usage: consul license [options] [args] @@ -129,7 +129,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/operator/license](/api-docs/operat This command sets the Consul Enterprise license. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. @@ -169,7 +169,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/operator/license](/api-docs/operat This command gets the Consul Enterprise license. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. @@ -214,7 +214,7 @@ Corresponding HTTP API Endpoint: [\[DELETE\] /v1/operator/license](/api-docs/ope Resets license for the datacenter to the one builtin in Consul binary, if it is still valid. If the builtin license is invalid, the current one stays active. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/lock.mdx b/website/content/commands/lock.mdx index 0c12dff7f..8abf4c12c 100644 --- a/website/content/commands/lock.mdx +++ b/website/content/commands/lock.mdx @@ -18,7 +18,7 @@ communication is disrupted, the child process is terminated. The number of lock holders is configurable with the `-n` flag. By default, a single holder is allowed, and a lock is used for mutual exclusion. This -uses the [leader election algorithm](https://learn.hashicorp.com/consul/developer-configuration/elections). +uses the [leader election algorithm](https://learn.hashicorp.com/tutorials/consul/application-leader-elections). If the lock holder count is more than one, then a semaphore is used instead. A semaphore allows more than a single holder, but this is less efficient than diff --git a/website/content/commands/login.mdx b/website/content/commands/login.mdx index 6af84c64f..4ab444636 100644 --- a/website/content/commands/login.mdx +++ b/website/content/commands/login.mdx @@ -17,7 +17,7 @@ requested auth method for a newly minted Consul ACL token. The companion command `consul logout` should be used to destroy any tokens created this way to avoid a resource leak. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/logout.mdx b/website/content/commands/logout.mdx index 67c39910a..925ac9811 100644 --- a/website/content/commands/logout.mdx +++ b/website/content/commands/logout.mdx @@ -15,7 +15,7 @@ Corresponding HTTP API Endpoint: [\[POST\] /v1/acl/logout](/api-docs/acl#logout- The `logout` command will destroy the provided token if it was created from `consul login`. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/maint.mdx b/website/content/commands/maint.mdx index 81f16f013..692b01265 100644 --- a/website/content/commands/maint.mdx +++ b/website/content/commands/maint.mdx @@ -21,7 +21,7 @@ Under the hood, maintenance mode is activated by registering a health check in critical status against a service, and deactivated by deregistering the health check. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/members.mdx b/website/content/commands/members.mdx index 70dd3eec0..6728872b2 100644 --- a/website/content/commands/members.mdx +++ b/website/content/commands/members.mdx @@ -21,7 +21,7 @@ Nodes in the "failed" state are still listed because Consul attempts to reconnect with failed nodes for a certain amount of time in the case that the failure is actually just a network partition. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/namespace/create.mdx b/website/content/commands/namespace/create.mdx index a497649e1..2caed595a 100644 --- a/website/content/commands/namespace/create.mdx +++ b/website/content/commands/namespace/create.mdx @@ -14,7 +14,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/namespace](/api-docs/namespaces#cr This `namespace create` command creates a namespaces using the CLI parameters provided. This was added in Consul Enterprise 1.7.2. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/namespace/delete.mdx b/website/content/commands/namespace/delete.mdx index 7a230ba14..c812ed566 100644 --- a/website/content/commands/namespace/delete.mdx +++ b/website/content/commands/namespace/delete.mdx @@ -14,7 +14,7 @@ Corresponding HTTP API Endpoint: [\[DELETE\] /v1/namespace/:name](/api-docs/name This `namespace delete` command deletes a namespace. This was added in Consul Enterprise 1.7.0. If ACLs are enabled then this command will require a token with `operator:write` privileges. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/namespace/list.mdx b/website/content/commands/namespace/list.mdx index 9cc1c6073..8a8473266 100644 --- a/website/content/commands/namespace/list.mdx +++ b/website/content/commands/namespace/list.mdx @@ -16,7 +16,7 @@ ACLs are enabled then this command will require a token with `operator:read` pri within the target namespaces. The results will be filtered based on the ACL token and therefore it is possible to see a partial list. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/namespace/read.mdx b/website/content/commands/namespace/read.mdx index 950895d87..5ca34ff61 100644 --- a/website/content/commands/namespace/read.mdx +++ b/website/content/commands/namespace/read.mdx @@ -15,7 +15,7 @@ This `namespace read` command reads a namespaces configuration. This was added i ACLs are enabled then this command will require a token with `operator:read` privileges or any `read` privileges within the target namespace. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/namespace/update.mdx b/website/content/commands/namespace/update.mdx index 16c240c67..fd84ac458 100644 --- a/website/content/commands/namespace/update.mdx +++ b/website/content/commands/namespace/update.mdx @@ -14,7 +14,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/namespace/:name](/api-docs/namespa This `namespace update` command updates a namespaces using the CLI parameters provided. This was added in Consul Enterprise 1.7.2. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/namespace/write.mdx b/website/content/commands/namespace/write.mdx index b0d076586..fc16d8af0 100644 --- a/website/content/commands/namespace/write.mdx +++ b/website/content/commands/namespace/write.mdx @@ -13,7 +13,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/namespace/:name](/api-docs/namespa This `namespace write` command creates or updates a namespace's configuration from its full definition. This was added in Consul Enterprise 1.7.0. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/operator/area.mdx b/website/content/commands/operator/area.mdx index 22a02387b..913d1dbb9 100644 --- a/website/content/commands/operator/area.mdx +++ b/website/content/commands/operator/area.mdx @@ -21,7 +21,7 @@ and relationships can be made between independent pairs of datacenters, so not a need to be fully connected. This allows for complex topologies among Consul datacenters like hub/spoke and more general trees. -See the [Network Areas Guide](https://learn.hashicorp.com/consul/day-2-operations/advanced-federation) for more details. +See the [Network Areas Guide](https://learn.hashicorp.com/tutorials/consul/federation-network-areas) for more details. ```text Usage: consul operator area [options] @@ -51,7 +51,7 @@ Corresponding HTTP API Endpoint: [\[POST\] /v1/operator/area](/api-docs/operator This command creates a new network area. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. @@ -93,7 +93,7 @@ Corresponding HTTP API Endpoint: [\[DELETE\] /v1/operator/area/:uuid](/api-docs/ This command deletes an existing network area. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. @@ -132,7 +132,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/operator/area/:uuid/join](/api-doc This command joins Consul servers into an existing network area by address, such as an IP or hostname with an optional port. Multiple addresses may be given. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. @@ -176,7 +176,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/operator/area](/api-docs/operator/ This command lists all network areas. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. @@ -215,7 +215,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/operator/area/:uuid/members](/api- This command displays Consul server nodes present in a network area, or all areas if no area is specified. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. @@ -279,7 +279,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/operator/area/:uuid](/api-docs/ope This command updates the configuration of network area. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/operator/autopilot.mdx b/website/content/commands/operator/autopilot.mdx index 3d05f7986..5e062cb00 100644 --- a/website/content/commands/operator/autopilot.mdx +++ b/website/content/commands/operator/autopilot.mdx @@ -12,7 +12,7 @@ Command: `consul operator autopilot` The Autopilot operator command is used to interact with Consul's Autopilot subsystem. The command can be used to view or modify the current Autopilot configuration. See the -[Autopilot Guide](https://learn.hashicorp.com/consul/day-2-operations/autopilot) for more information about Autopilot. +[Autopilot Guide](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations) for more information about Autopilot. ```text Usage: consul operator autopilot [options] @@ -32,7 +32,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/operator/autopilot/configuration]( This command displays the current autopilot configuration. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. @@ -67,7 +67,7 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/operator/autopilot/configuration]( Modifies the current Autopilot configuration. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. @@ -125,7 +125,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/operator/autopilot/state](/api-doc This command displays the current autopilot state. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/operator/index.mdx b/website/content/commands/operator/index.mdx index 067632298..af34e1814 100644 --- a/website/content/commands/operator/index.mdx +++ b/website/content/commands/operator/index.mdx @@ -18,9 +18,9 @@ outage and even loss of data. If ACLs are enabled then a token with operator privileges may be required in order to use this command. Requests are forwarded internally to the leader if required, so this can be run from any Consul node in a cluster. See the -[ACL Guide](https://learn.hashicorp.com/consul/security-networking/production-acls) for more information. +[ACL Guide](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production) for more information. -See the [Outage Recovery](https://learn.hashicorp.com/consul/day-2-operations/outage) guide for some examples of how +See the [Outage Recovery](https://learn.hashicorp.com/tutorials/consul/recovery-outage) guide for some examples of how this command is used. For an API to perform these operations programmatically, please see the documentation for the [Operator](/api-docs/operator) endpoint. diff --git a/website/content/commands/operator/raft.mdx b/website/content/commands/operator/raft.mdx index 6c7f23779..8390b447c 100644 --- a/website/content/commands/operator/raft.mdx +++ b/website/content/commands/operator/raft.mdx @@ -33,7 +33,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/status/peers](/api-docs/status#lis This command displays the current Raft peer configuration. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. @@ -88,7 +88,7 @@ clean up by simply running [`consul force-leave`](/commands/force-leave) instead of this command. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/peering/delete.mdx b/website/content/commands/peering/delete.mdx index 04a7e16ba..986e420db 100644 --- a/website/content/commands/peering/delete.mdx +++ b/website/content/commands/peering/delete.mdx @@ -17,7 +17,7 @@ Operators can still read the peering connections while the data is being removed The command adds a `DeletedAt` field to the peering connection object with the timestamp of when the peering was marked for deletion. You can only use a peering token to establish the connection once. If you need to reestablish a peering connection, you must generate a new token. -The table below shows this command's [required ACLs](/api#authentication). +The table below shows this command's [required ACLs](/api-docs#authentication). | ACL Required | | ------------ | diff --git a/website/content/commands/peering/establish.mdx b/website/content/commands/peering/establish.mdx index d9906e068..b285671a4 100644 --- a/website/content/commands/peering/establish.mdx +++ b/website/content/commands/peering/establish.mdx @@ -15,7 +15,7 @@ You can generate cluster peering tokens using the [`consul peering generate-toke You can only use a peering token to establish the connection once. If you need to reestablish a peering connection, you must generate a new token. -The table below shows this command's [required ACLs](/api#authentication). +The table below shows this command's [required ACLs](/api-docs#authentication). | ACL Required | | ------------ | diff --git a/website/content/commands/peering/generate-token.mdx b/website/content/commands/peering/generate-token.mdx index 961122fc6..66f4937b9 100644 --- a/website/content/commands/peering/generate-token.mdx +++ b/website/content/commands/peering/generate-token.mdx @@ -15,7 +15,7 @@ This token should be transferred to the other cluster being peered and consumed Generating a token and specifying the same local name associated with a previously-generated token does not affect active connections established with the original token. If the previously-generated token is not actively being used for a peer connection, however, it will become invalid when the new token with the same local name is generated. -The table below shows this command's [required ACLs](/api#authentication). +The table below shows this command's [required ACLs](/api-docs#authentication). | ACL Required | | ------------ | diff --git a/website/content/commands/peering/list.mdx b/website/content/commands/peering/list.mdx index 27f9f748f..bd66af4ec 100644 --- a/website/content/commands/peering/list.mdx +++ b/website/content/commands/peering/list.mdx @@ -12,7 +12,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/peerings](/api-docs/peering#list-a The `peering list` lists all peering connections. The results are filtered according to ACL policy configuration. -The table below shows this command's [required ACLs](/api#authentication). +The table below shows this command's [required ACLs](/api-docs#authentication). | ACL Required | | ------------ | diff --git a/website/content/commands/peering/read.mdx b/website/content/commands/peering/read.mdx index 59d3cc74f..ae5e6f3fb 100644 --- a/website/content/commands/peering/read.mdx +++ b/website/content/commands/peering/read.mdx @@ -11,7 +11,7 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/peering/:name](/api-docs/peering#r The `peering read` displays information on the status of a peering connection. -The table below shows this command's [required ACLs](/api#authentication). +The table below shows this command's [required ACLs](/api-docs#authentication). | ACL Required | | ------------ | diff --git a/website/content/commands/reload.mdx b/website/content/commands/reload.mdx index 3043a346f..98ab2552c 100644 --- a/website/content/commands/reload.mdx +++ b/website/content/commands/reload.mdx @@ -25,7 +25,7 @@ Not all configuration options are reloadable. See the [Reloadable Configuration](/docs/agent/config#reloadable-configuration) section on the agent options page for details on which options are supported. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/rtt.mdx b/website/content/commands/rtt.mdx index d2d2a46ce..6752ca263 100644 --- a/website/content/commands/rtt.mdx +++ b/website/content/commands/rtt.mdx @@ -17,7 +17,7 @@ Consul's network coordinate model of the cluster. See the [Network Coordinates](/docs/architecture/coordinates) internals guide for more information on how these coordinates are computed. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/services/deregister.mdx b/website/content/commands/services/deregister.mdx index c1af5d831..c9ae2124b 100644 --- a/website/content/commands/services/deregister.mdx +++ b/website/content/commands/services/deregister.mdx @@ -20,7 +20,7 @@ registered with a configuration file, then deleting that file and deregister. See [Service Definition](/docs/discovery/services) for more information about registering services generally. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/services/register.mdx b/website/content/commands/services/register.mdx index dcd8e5cd3..4425ae614 100644 --- a/website/content/commands/services/register.mdx +++ b/website/content/commands/services/register.mdx @@ -22,7 +22,7 @@ configuration management systems that other systems that have access to the configuration directory. Clients may also use the [HTTP API](/api-docs/agent/service) directly. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/snapshot/restore.mdx b/website/content/commands/snapshot/restore.mdx index 8bbe50fe1..e5290660f 100644 --- a/website/content/commands/snapshot/restore.mdx +++ b/website/content/commands/snapshot/restore.mdx @@ -20,7 +20,7 @@ intended to recover from a disaster. It restores your configuration into a fresh cluster of Consul servers as long as your new cluster runs the same Consul version as the cluster that originally took the snapshot. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/commands/snapshot/save.mdx b/website/content/commands/snapshot/save.mdx index f2c2afede..9a01bed42 100644 --- a/website/content/commands/snapshot/save.mdx +++ b/website/content/commands/snapshot/save.mdx @@ -27,7 +27,7 @@ the CLI client attempting to perform a snapshot save will have no effect. It _mu the context of the server process. If you're using Systemd to manage your Consul server processes, then adding `Environment=TMPDIR=/path/to/dir` to your Consul unit file will work. -The table below shows this command's [required ACLs](/api#authentication). Configuration of +The table below shows this command's [required ACLs](/api-docs#authentication). Configuration of [blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. diff --git a/website/content/docs/agent/config/cli-flags.mdx b/website/content/docs/agent/config/cli-flags.mdx index caf3b6444..b85787fc8 100644 --- a/website/content/docs/agent/config/cli-flags.mdx +++ b/website/content/docs/agent/config/cli-flags.mdx @@ -152,7 +152,7 @@ information. - `-raft-protocol` ((#\_raft_protocol)) - This controls the internal version of the Raft consensus protocol used for server communications. This must be set - to 3 in order to gain access to Autopilot features, with the exception of [`cleanup_dead_servers`](/docs/agent/config/config-files#cleanup_dead_servers). Defaults to 3 in Consul 1.0.0 and later (defaulted to 2 previously). See [Raft Protocol Version Compatibility](/docs/upgrade-specific#raft-protocol-version-compatibility) for more details. + to 3 in order to gain access to Autopilot features, with the exception of [`cleanup_dead_servers`](/docs/agent/config/config-files#cleanup_dead_servers). Defaults to 3 in Consul 1.0.0 and later (defaulted to 2 previously). See [Raft Protocol Version Compatibility](/docs/upgrading/upgrade-specific#raft-protocol-version-compatibility) for more details. - `-segment` ((#\_segment)) - This flag is used to set the name of the network segment the agent belongs to. An agent can only join and @@ -390,7 +390,7 @@ information. As of Consul 0.9.1, `retry-join` accepts a unified interface using the [go-discover](https://github.com/hashicorp/go-discover) library for doing automatic cluster joining using cloud metadata. For more information, see - the [Cloud Auto-join page](/docs/agent/cloud-auto-join). + the [Cloud Auto-join page](/docs/install/cloud-auto-join). diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/agent/config/config-files.mdx index f37621819..c8f333afe 100644 --- a/website/content/docs/agent/config/config-files.mdx +++ b/website/content/docs/agent/config/config-files.mdx @@ -21,8 +21,8 @@ specified within it. Configuration files are used for more than just setting up the agent. They are also used to provide check and service definitions that announce the availability of system servers to the rest of the cluster. -These definitions are documented separately under [check configuration](/docs/agent/checks) and -[service configuration](/docs/agent/services) respectively. Service and check +These definitions are documented separately under [check configuration](/docs/discovery/checks) and +[service configuration](/docs/discovery/services) respectively. Service and check definitions support being updated during a reload. diff --git a/website/content/docs/agent/config/index.mdx b/website/content/docs/agent/config/index.mdx index db77f5dcf..1c6716a37 100644 --- a/website/content/docs/agent/config/index.mdx +++ b/website/content/docs/agent/config/index.mdx @@ -40,7 +40,7 @@ documented below in the configuration reload. You can test the following configuration options by following the -[Getting Started](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=consul.io&utm_medium=docs) +[Getting Started](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=docs) tutorials to install a local agent. ## Ports Used diff --git a/website/content/docs/agent/index.mdx b/website/content/docs/agent/index.mdx index 09ee87915..6d466a23f 100644 --- a/website/content/docs/agent/index.mdx +++ b/website/content/docs/agent/index.mdx @@ -77,7 +77,7 @@ The [Datacenter Deploy tutorial](https://learn.hashicorp.com/tutorials/consul/re ### Maximum Latency Network requirements -Consul uses the gossip protocol to share information across agents. To function properly, you cannot exceed the protocol’s maximum latency threshold. The latency threshold is calculated according to the total round trip time (RTT) for communication between all agents. Other network usages outside of Gossip are not bound by these latency requirements (i.e. client to server RPCs, HTTP API requests, xDS proxy configuration, DNS). +Consul uses the gossip protocol to share information across agents. To function properly, you cannot exceed the protocol's maximum latency threshold. The latency threshold is calculated according to the total round trip time (RTT) for communication between all agents. Other network usages outside of Gossip are not bound by these latency requirements (i.e. client to server RPCs, HTTP API requests, xDS proxy configuration, DNS). For data sent between all Consul agents the following latency requirements must be met: @@ -97,7 +97,7 @@ The `-dev` flag is provided for learning purposes only. We strongly advise against using it for production environments. -> **Getting Started Tutorials**: You can test a local agent by following the -[Getting Started tutorials](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=consul.io&utm_medium=docs). +[Getting Started tutorials](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=docs). When starting Consul with the `-dev` flag, the only additional information Consul needs to run is the location of a directory for storing agent state data. You can specify the location with the `-data-dir` flag or define the location in an external file and point the file with the `-config-file` flag. @@ -153,7 +153,7 @@ $ consul agent -data-dir=/tmp/consul specify a `-http-addr` whenever you run commands such as [`consul members`](/commands/members) to indicate how to reach the agent. Other applications can also use the HTTP address and port - [to control Consul](/api). + [to control Consul](/api-docs). - **Cluster Addr**: This is the address and set of ports used for communication between Consul agents in a cluster. Not all Consul agents in a cluster have to @@ -377,9 +377,9 @@ service { The following example shows how to configure Consul to listen on multiple interfaces or IP addresses using a [go-sockaddr template]. -The `bind_addr` is used for internal RPC and Serf communication ([read the Agent Configuration for more information](/docs/agent/options#bind_addr)). +The `bind_addr` is used for internal RPC and Serf communication ([read the Agent Configuration for more information](/docs/agent/config/config-files#bind_addr)). -The `client_addr` configuration specifies IP addresses used for HTTP, HTTPS, DNS and gRPC servers. ([read the Agent Configuration for more information](/docs/agent/options#client_addr)). +The `client_addr` configuration specifies IP addresses used for HTTP, HTTPS, DNS and gRPC servers. ([read the Agent Configuration for more information](/docs/agent/config/config-files#client_addr)). diff --git a/website/content/docs/agent/rpc.mdx b/website/content/docs/agent/rpc.mdx index 6628117a6..4e7fc7c5d 100644 --- a/website/content/docs/agent/rpc.mdx +++ b/website/content/docs/agent/rpc.mdx @@ -11,7 +11,7 @@ description: >- # RPC Protocol ~> The RPC Protocol is deprecated and support was removed in Consul -0.8. Please use the [HTTP API](/api), which has +0.8. Please use the [HTTP API](/api-docs), which has support for all features of the RPC Protocol. The Consul agent provides a complete RPC mechanism that can @@ -21,7 +21,7 @@ used by other applications to easily leverage the power of Consul without directly embedding. It is important to note that the RPC protocol does not support -all the same operations as the [HTTP API](/api). +all the same operations as the [HTTP API](/api-docs). ## Implementation Details diff --git a/website/content/docs/agent/sentinel.mdx b/website/content/docs/agent/sentinel.mdx index c25da5293..4bffa838e 100644 --- a/website/content/docs/agent/sentinel.mdx +++ b/website/content/docs/agent/sentinel.mdx @@ -42,7 +42,7 @@ If the `enforcementlevel` property is not set, it defaults to "hard-mandatory". ## Imports -Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http/). All functions in these imports are available to be used in policies. +Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http). All functions in these imports are available to be used in policies. ## Injected Variables diff --git a/website/content/docs/agent/telemetry.mdx b/website/content/docs/agent/telemetry.mdx index 1608d9321..3926ada34 100644 --- a/website/content/docs/agent/telemetry.mdx +++ b/website/content/docs/agent/telemetry.mdx @@ -27,13 +27,13 @@ it will dump the current telemetry information to the agent's `stderr`. This telemetry information can be used for debugging or otherwise getting a better view of what Consul is doing. Review the [Monitoring and -Metrics tutorial](https://learn.hashicorp.com/tutorials/consul/monitor-datacenter-health?utm_source=consul.io&utm_medium=docs) to learn how collect and interpret Consul data. +Metrics tutorial](https://learn.hashicorp.com/tutorials/consul/monitor-datacenter-health?utm_source=docs) to learn how collect and interpret Consul data. Additionally, if the [`telemetry` configuration options](/docs/agent/config/config-files#telemetry) are provided, the telemetry information will be streamed to a [statsite](http://github.com/armon/statsite) or [statsd](http://github.com/etsy/statsd) server where it can be aggregated and flushed to Graphite or any other metrics store. -For a configuration example for Telegraf, review the [Monitoring with Telegraf tutorial](https://learn.hashicorp.com/tutorials/consul/monitor-health-telegraf?utm_source=consul.io&utm_medium=docs). +For a configuration example for Telegraf, review the [Monitoring with Telegraf tutorial](https://learn.hashicorp.com/tutorials/consul/monitor-health-telegraf?utm_source=docs). This information can also be viewed with the [metrics endpoint](/api-docs/agent#view-metrics) in JSON @@ -456,7 +456,7 @@ These metrics are used to monitor the health of the Consul servers. | `consul.raft.leader.dispatchNumLogs` | Measures the number of logs committed to disk in a batch. | logs | gauge | | `consul.raft.leader.lastContact` | Measures the time since the leader was last able to contact the follower nodes when checking its leader lease. It can be used as a measure for how stable the Raft timing is and how close the leader is to timing out its lease.The lease timeout is 500 ms times the [`raft_multiplier` configuration](/docs/agent/config/config-files#raft_multiplier), so this telemetry value should not be getting close to that configured value, otherwise the Raft timing is marginal and might need to be tuned, or more powerful servers might be needed. See the [Server Performance](/docs/install/performance) guide for more details. | ms | timer | | `consul.raft.leader.oldestLogAge` | The number of milliseconds since the _oldest_ log in the leader's log store was written. This can be important for replication health where write rate is high and the snapshot is large as followers may be unable to recover from a restart if restoring takes longer than the minimum value for the current leader. Compare this with `consul.raft.fsm.lastRestoreDuration` and `consul.raft.rpc.installSnapshot` to monitor. In normal usage this gauge value will grow linearly over time until a snapshot completes on the leader and the log is truncated. Note: this metric won't be emitted until the leader writes a snapshot. After an upgrade to Consul 1.10.0 it won't be emitted until the oldest log was written after the upgrade. | ms | gauge | -| `consul.raft.replication.heartbeat` | Measures the time taken to invoke appendEntries on a peer, so that it doesn’t timeout on a periodic basis. | ms | timer | +| `consul.raft.replication.heartbeat` | Measures the time taken to invoke appendEntries on a peer, so that it doesn't timeout on a periodic basis. | ms | timer | | `consul.raft.replication.appendEntries` | Measures the time it takes to replicate log entries to followers. This is a general indicator of the load pressure on the Consul servers, as well as the performance of the communication between the servers. | ms | timer | | `consul.raft.replication.appendEntries.rpc` | Measures the time taken by the append entries RFC, to replicate the log entries of a leader agent onto its follower agent(s) | ms | timer | | `consul.raft.replication.appendEntries.logs` | Measures the number of logs replicated to an agent, to bring it up to speed with the leader's logs. | logs appended/ interval | counter | @@ -602,7 +602,7 @@ Here is a Prometheus style example of an RPC metric and its labels: -Any metric in this section can be turned off with the [`prefix_filter`](/docs/agent/options#telemetry-prefix_filter). +Any metric in this section can be turned off with the [`prefix_filter`](/docs/agent/config/config-files#telemetry-prefix_filter). ## Cluster Health diff --git a/website/content/docs/api-gateway/index.mdx b/website/content/docs/api-gateway/index.mdx index 6a811fd71..6702bbc2f 100644 --- a/website/content/docs/api-gateway/index.mdx +++ b/website/content/docs/api-gateway/index.mdx @@ -15,7 +15,7 @@ Consul API Gateway is an add-on for Consul that helps users control access to se Consul API Gateway solves the following primary use cases: -- **Controlling access at the point of entry**: Consul API Gateway allows users to set the protocols of external connection requests and provide clients with TLS certificates from trusted providers (e.g., Verisign, Let’s Encrypt). +- **Controlling access at the point of entry**: Consul API Gateway allows users to set the protocols of external connection requests and provide clients with TLS certificates from trusted providers (e.g., Verisign, Let's Encrypt). - **Simplifying traffic management**: The Consul API Gateway can load balance requests across services and route traffic to the appropriate service by matching one or more criteria, such as hostname, path, header presence or value, and HTTP Method type (e.g., GET, POST, PATCH). ## How Does Consul API Gateway Work? diff --git a/website/content/docs/api-gateway/usage.mdx b/website/content/docs/api-gateway/usage.mdx index 5ba7cfc80..a6b641f55 100644 --- a/website/content/docs/api-gateway/usage.mdx +++ b/website/content/docs/api-gateway/usage.mdx @@ -15,7 +15,7 @@ This topic describes how to use Consul API Gateway. Complete the following steps to use Consul API Gateway in your network. 1. Verify that the [requirements](/docs/api-gateway/tech-specs) have been met. -1. Verify that the Consul API Gateway CRDs and controller have been installed and applied (see [Installation](/docs/api-gateway/consul-api-gateway-install)). +1. Verify that the Consul API Gateway CRDs and controller have been installed and applied (see [Installation](/docs/api-gateway/install)). 1. Configure your [`Gateway`](/docs/api-gateway/configuration/gateway) and [`Routes`](/docs/api-gateway/configuration/routes) . as describe in the [Configuration](/docs/api-gateway/configuration) section. diff --git a/website/content/docs/architecture/improving-consul-resilience.mdx b/website/content/docs/architecture/improving-consul-resilience.mdx index 9d1779ae7..12fbe7c68 100644 --- a/website/content/docs/architecture/improving-consul-resilience.mdx +++ b/website/content/docs/architecture/improving-consul-resilience.mdx @@ -80,7 +80,7 @@ to protect your Consul datacenter from a single zone-level failure. For example, if deploying 5 Consul servers across 3 availability zones, place no more than 2 servers in each zone. If one zone fails, at most 2 servers are lost and quorum will be maintained by the 3 remaining servers. -To distribute your Consul servers across availability zones, modify your infrastructure configuration with your infrastructure provider. No change is needed to your Consul server’s agent configuration. +To distribute your Consul servers across availability zones, modify your infrastructure configuration with your infrastructure provider. No change is needed to your Consul server's agent configuration. Additionally, you should leverage resources that can automatically restore your compute instance, such as autoscaling groups, virtual machine scale sets, or compute engine autoscaler. diff --git a/website/content/docs/architecture/index.mdx b/website/content/docs/architecture/index.mdx index 5ef4d7222..4f970b9ca 100644 --- a/website/content/docs/architecture/index.mdx +++ b/website/content/docs/architecture/index.mdx @@ -17,7 +17,7 @@ page documents the system architecture. [glossary](/docs/install/glossary) of terms to help clarify what is being discussed. -The architecture concepts in this document can be used with the [Reference Architecture guide](https://learn.hashicorp.com/tutorials/consul/reference-architecture?utm_source=consul.io&utm_medium=docs) when deploying Consul in production. +The architecture concepts in this document can be used with the [Reference Architecture guide](https://learn.hashicorp.com/tutorials/consul/reference-architecture?in=consul/production-deploy#deployment-system-requirements) when deploying Consul in production. ## 10,000 foot view @@ -27,7 +27,7 @@ From a 10,000 foot altitude the architecture of Consul looks like this: Let's break down this image and describe each piece. First of all, we can see that there are two datacenters, labeled "one" and "two". Consul has first -class support for [multiple datacenters](https://learn.hashicorp.com/tutorials/consul/federation-gossip-wan) and +class support for [multiple datacenters](https://learn.hashicorp.com/consul/security-networking/datacenters) and expects this to be the common case. Within each datacenter, we have a mixture of clients and servers. It is expected diff --git a/website/content/docs/intro/usecases/what-is-service-discovery.mdx b/website/content/docs/concepts/service-discovery.mdx similarity index 78% rename from website/content/docs/intro/usecases/what-is-service-discovery.mdx rename to website/content/docs/concepts/service-discovery.mdx index 820e5b768..6d67461a5 100644 --- a/website/content/docs/intro/usecases/what-is-service-discovery.mdx +++ b/website/content/docs/concepts/service-discovery.mdx @@ -24,19 +24,19 @@ Service discovery provides benefits for all organizations, ranging from simplifi ## How does a service mesh work? -Service discovery uses a service's identity instead of traditional access information (IP address and port). This allows you to dynamically map services and track any changes within a service catalog. Service consumers (users or other services) then use DNS to dynamically retrieve other service’s access information from the service catalog. The lifecycle of a service may look like the following: +Service discovery uses a service's identity instead of traditional access information (IP address and port). This allows you to dynamically map services and track any changes within a service catalog. Service consumers (users or other services) then use DNS to dynamically retrieve other service's access information from the service catalog. The lifecycle of a service may look like the following: -A service consumer communicates with the “Web” service via a unique Consul DNS entry provided by the service catalog. +A service consumer communicates with the “Web” service via a unique Consul DNS entry provided by the service catalog. -![Example diagram of how service consumers query for services](/img/what_is_service_discovery_1.png) +![Example diagram of how service consumers query for services](/img/what_is_service_discovery\_1.png) A new instance of the “Web” service registers itself to the service catalog with its IP address and port. As new instances of your services are registered to the service catalog, they will participate in the load balancing pool for handling service consumer requests. -![Example diagram of how a service is registered to the service catalog](/img/what_is_service_discovery_2.png) +![Example diagram of how a service is registered to the service catalog](/img/what_is_service_discovery\_2.png) The service catalog is dynamically updated as new instances of the service are added and legacy or unhealthy service instances are removed. Removed services will no longer participate in the load balancing pool for handling service consumer requests. -![Example diagram of how unhealthy services are removed from the service catalog](/img/what_is_service_discovery_3.png) +![Example diagram of how unhealthy services are removed from the service catalog](/img/what_is_service_discovery\_3.png) ## What is service discovery in microservices? @@ -44,30 +44,30 @@ In a microservices application, the set of active service instances changes freq ## What are the two main types of service discovery? -There are two main service‑discovery patterns: _client-side_ discovery and _server-side_ discovery. +There are two main service‑discovery patterns: _client-side_ discovery and _server-side_ discovery. -In systems that use client‑side discovery, the service consumer is responsible for determining the access information of available service instances and load balancing requests between them. +In systems that use client‑side discovery, the service consumer is responsible for determining the access information of available service instances and load balancing requests between them. 1. The service consumer queries the service catalog -2. The service catalog retrieves and returns all access information -3. The service consumer selects a healthy downstream service and makes requests directly to it +1. The service catalog retrieves and returns all access information +1. The service consumer selects a healthy downstream service and makes requests directly to it -![Example diagram of client-side discovery concept](/img/what_is_service_discovery_4.png) +![Example diagram of client-side discovery concept](/img/what_is_service_discovery\_4.png) In systems that use server‑side discovery, the service consumer uses an intermediary to query the service catalog and make requests to them. 1. The service consumer queries an intermediary (Consul) -2. The intermediary queries the service catalog and routes requests to the available service instances. +1. The intermediary queries the service catalog and routes requests to the available service instances. -![Example diagram of server-side discovery concept](/img/what_is_service_discovery_5.png) +![Example diagram of server-side discovery concept](/img/what_is_service_discovery\_5.png) -For modern applications, this discovery method is advantageous because developers can make their applications faster and more lightweight by decoupling and centralizing service discovery logic. +For modern applications, this discovery method is advantageous because developers can make their applications faster and more lightweight by decoupling and centralizing service discovery logic. ## Service discovery vs load balancing -Service discovery and load balancing share a similarity in distributing requests to back end services, but differ in many important ways. +Service discovery and load balancing share a similarity in distributing requests to back end services, but differ in many important ways. -Traditional load balancers are not designed for rapid registration and de-registration of services, nor are they designed for high-availability. By contrast, service discovery systems use multiple nodes that maintain the service registry state and a peer-to-peer state management system for increased resilience across any type of infrastructure. +Traditional load balancers are not designed for rapid registration and de-registration of services, nor are they designed for high-availability. By contrast, service discovery systems use multiple nodes that maintain the service registry state and a peer-to-peer state management system for increased resilience across any type of infrastructure. For modern, cloud-based applications, service discovery is the preferred method for directing traffic to the right service provider due to its ability to scale and remain resilient, independent of infrastructure. @@ -77,20 +77,20 @@ You can implement service discovery systems across any type of infrastructure, w ## What is Consul? -Consul is a service networking solution that lets you automate network configurations, discover services, and enable secure connectivity across any cloud or runtime. With these features, Consul helps you solve the complex networking and security challenges of operating microservices and cloud infrastructure (multi-cloud and hybrid cloud). You can use these features independently or together to achieve [zero trust](https://www.hashicorp.com/solutions/zero-trust-security) security. +Consul is a service networking solution that lets you automate network configurations, discover services, and enable secure connectivity across any cloud or runtime. With these features, Consul helps you solve the complex networking and security challenges of operating microservices and cloud infrastructure (multi-cloud and hybrid cloud). You can use these features independently or together to achieve [zero trust](https://www.hashicorp.com/solutions/zero-trust-security) security. -Consul’s service discovery capabilities help you discover, track, and monitor the health of services within a network. Consul acts as a single source of truth that allows your services to query and communicate with each other. +Consul's service discovery capabilities help you discover, track, and monitor the health of services within a network. Consul acts as a single source of truth that allows your services to query and communicate with each other. You can use Consul with virtual machines (VMs), containers, serverless technologies, or with container orchestration platforms, such as [Nomad](https://www.nomadproject.io/) and Kubernetes. Consul is platform agnostic which makes it a great fit for all environments, including legacy platforms. -Consul is available as a [self-managed](/downloads) project or as a fully managed service mesh solution ([HCP Consul](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs)). HCP Consul enables users to discover and securely connect services without the added operational burden of maintaining a service mesh on their own. +Consul is available as a [self-managed](/install) project or as a fully managed service mesh solution ([HCP Consul](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs)). HCP Consul enables users to discover and securely connect services without the added operational burden of maintaining a service mesh on their own. ## Next steps Get started with service discovery today by leveraging Consul on HCP, Consul on Kubernetes, or Consul on VMs. Prepare your organization for the future of multi-cloud and embrace a [zero-trust](https://www.hashicorp.com/solutions/zero-trust-security) architecture. -Feel free to get started with Consul by exploring one of these Consul Learn tutorials: +Feel free to get started with Consul by exploring one of these Consul tutorials: -[Getting Started with Consul on VMs](https://learn.hashicorp.com/collections/consul/getting-started) -[Getting Started with Consul on HCP](https://learn.hashicorp.com/collections/consul/cloud-get-started) -[Getting Started with Consul on Kubernetes](https://learn.hashicorp.com/collections/consul/gs-consul-service-mesh) \ No newline at end of file +- [Get Started with Consul on VMs](https://learn.hashicorp.com/collections/consul/getting-started) +- [Get Started with Consul on HCP](https://learn.hashicorp.com/collections/consul/cloud-get-started) +- [Get Started with Consul on Kubernetes](https://learn.hashicorp.com/collections/consul/gs-consul-service-mesh) diff --git a/website/content/docs/intro/usecases/what-is-a-service-mesh.mdx b/website/content/docs/concepts/service-mesh.mdx similarity index 95% rename from website/content/docs/intro/usecases/what-is-a-service-mesh.mdx rename to website/content/docs/concepts/service-mesh.mdx index 17fd93e26..fd13c9cb1 100644 --- a/website/content/docs/intro/usecases/what-is-a-service-mesh.mdx +++ b/website/content/docs/concepts/service-mesh.mdx @@ -26,7 +26,7 @@ Some of the benefits of a service mesh include; - authentication and authorization, - network automation -A common use case for leveraging a service mesh is to achieve a [_zero trust_ model](/use-cases/zero-trust-networking). +A common use case for leveraging a service mesh is to achieve a [_zero trust_ model](https://www.consul.io/use-cases/zero-trust-networking). In a zero trust model, applications require identity-based access to ensure all communication within the service mesh is authenticated with TLS certificates and encrypted in transit. In traditional security strategies, protection is primarily focused at the perimeter of a network. @@ -44,7 +44,7 @@ The control plane is responsible for securing the mesh, facilitating service dis The data plane handles communication between services. Many service mesh solutions employ a sidecar proxy to handle data plane communications, and thus limit the level of awareness the services need to have about the network environment. -![Overview of a service mesh](/img/what_is_service_mesh_1.png) +![Overview of a service mesh](/img/what_is_service_mesh\_1.png) ## API gateway vs service mesh @@ -60,7 +60,7 @@ The mesh reduces the load balancer footprint as routing responsibilities are han API gateways can be used with a service mesh to bridge external networks (non-mesh) with a service mesh. --> **API gateways and traffic direction**: API gateways are often used to accept north-south traffic. North-south traffic is networking traffic that either enters or exits a data center or a virtual private network (VPC). +-> **API gateways and traffic direction:** API gateways are often used to accept north-south traffic. North-south traffic is networking traffic that either enters or exits a data center or a virtual private network (VPC). A service mesh is primarily used for handling east-west traffic. East-west traffic traditionally remains inside a data center or a VPC. A service mesh can be connected to another service mesh in another data center or VPC to form a federated mesh. @@ -108,10 +108,10 @@ In simple terms, Consul is the control plane of the service mesh. The data plane You can use Consul with virtual machines (VMs), containers, or with container orchestration platforms, such as [Nomad](https://www.nomadproject.io/) and Kubernetes. Consul is platform agnostic which makes it a great fit for all environments, including legacy platforms. -Consul is available as a [self-install](/downloads) project or as a fully managed service mesh solution called [HCP Consul](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs). +Consul is available as a [self-install](/install) project or as a fully managed service mesh solution called [HCP Consul](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs). HCP Consul enables users to discover and securely connect services without the added operational burden of maintaining a service mesh on their own. -You can learn more about Consul by visiting the Consul Learn [tutorials](https://learn.hashicorp.com/consul). +You can learn more about Consul by visiting the Consul [tutorials](https://learn.hashicorp.com/consul). ## Next diff --git a/website/content/docs/connect/ca/vault.mdx b/website/content/docs/connect/ca/vault.mdx index e563a6d83..05eee301e 100644 --- a/website/content/docs/connect/ca/vault.mdx +++ b/website/content/docs/connect/ca/vault.mdx @@ -19,7 +19,7 @@ Please read the [certificate management overview](/docs/connect/ca) page first to understand how Consul manages certificates with configurable CA providers. --> **NOTE**: A Learn [tutorial](https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-connect-ca?in=consul/vault-secure) is available to help you configure Vault as the Consul Connect service mesh Certification Authority. +-> **Tip:** Complete the [tutorial]https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-connect-ca?in=consul/vault-secure) to learn how to configure Vault as the Consul Connect service mesh Certification Authority. ## Requirements @@ -121,7 +121,7 @@ The configuration options are listed below. If the path does not exist, Consul will mount a new PKI secrets engine at the specified path with the `RootCertTTL` value as the root certificate's TTL. If the `RootCertTTL` is not set, - a [`max_lease_ttl`](https://www.vaultproject.io/api/system/mounts#max_lease_ttl) + a [`max_lease_ttl`](https://www.vaultproject.io/api-docs/system/mounts) of 87600 hours, or 10 years is applied by default as of Consul 1.11 and later. Prior to Consul 1.11, the root certificate TTL was set to 8760 hour, or 1 year, and was not configurable. The root certificate will expire at the end of the specified period. diff --git a/website/content/docs/connect/cluster-peering/create-manage-peering.mdx b/website/content/docs/connect/cluster-peering/create-manage-peering.mdx index 5af8324e2..11857a461 100644 --- a/website/content/docs/connect/cluster-peering/create-manage-peering.mdx +++ b/website/content/docs/connect/cluster-peering/create-manage-peering.mdx @@ -192,7 +192,7 @@ Sources = [ -If the peer’s name is not specified in `Peer`, then Consul assumes that the service is in the local cluster. +If the peer's name is not specified in `Peer`, then Consul assumes that the service is in the local cluster. Then, add the configuration entry to your cluster. diff --git a/website/content/docs/connect/config-entries/ingress-gateway.mdx b/website/content/docs/connect/config-entries/ingress-gateway.mdx index fa95c5b19..8d0e48470 100644 --- a/website/content/docs/connect/config-entries/ingress-gateway.mdx +++ b/website/content/docs/connect/config-entries/ingress-gateway.mdx @@ -16,7 +16,7 @@ You can define an `ingress-gateway` configuration entry to connect the Consul se Refer to the [Kubernetes Ingress Gateway](/docs/k8s/connect/ingress-gateways) documentation for information about configuring ingress gateways on Kubernetes. -For other platforms, see [Ingress Gateway](/docs/connect/ingress-gateway). +For other platforms, see [Ingress Gateway](/docs/connect/gateways/ingress-gateway). ## Requirements @@ -162,7 +162,7 @@ Refer to the [Available Fields](#available-fields) section for complete informat ### Scope -[Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies across the default partition of all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different sets of services within their datacenter then the ingress gateways **must** be registered with different names or partitions. See [Ingress Gateway](/docs/connect/ingress-gateway) for more information. +[Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies across the default partition of all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different sets of services within their datacenter then the ingress gateways **must** be registered with different names or partitions. See [Ingress Gateway](/docs/connect/gateways/ingress-gateway) for more information. ### Wildcard Service Specification diff --git a/website/content/docs/connect/configuration.mdx b/website/content/docs/connect/configuration.mdx index 43d646f22..a765e3f25 100644 --- a/website/content/docs/connect/configuration.mdx +++ b/website/content/docs/connect/configuration.mdx @@ -46,7 +46,7 @@ This will enable Connect and configure your Consul cluster to use the built-in certificate authority for creating and managing certificates. You may also configure Consul to use an external [certificate management system](/docs/connect/ca), such as -[Vault](https://vaultproject.io). +[Vault](https://www.vaultproject.io/). Services and proxies may always register with Connect settings, but they will fail to retrieve or verify any TLS certificates. This causes all Connect-based @@ -104,7 +104,7 @@ Connect can be used with Nomad to provide secure service-to-service communication between Nomad jobs and task groups. The ability to use the dynamic port feature of Nomad makes Connect particularly easy to use. Learn about how to configure Connect on Nomad by reading the -[integration documentation](/docs/connect/nomad) +[integration documentation](/docs/connect/nomad). ### Kubernetes @@ -112,4 +112,4 @@ The Consul Helm chart can automate much of Consul Connect's configuration, and makes it easy to automatically inject Envoy sidecars into new pods when they are deployed. Learn about the [Helm chart](/docs/platform/k8s/helm) in general, or if you are already familiar with it, check out its -[connect specific configurations](/docs/platform/k8s/connect). +[connect specific configurations](/docs/k8s/connect). diff --git a/website/content/docs/connect/connect-internals.mdx b/website/content/docs/connect/connect-internals.mdx index eeadaacc8..dcb7bee6a 100644 --- a/website/content/docs/connect/connect-internals.mdx +++ b/website/content/docs/connect/connect-internals.mdx @@ -15,7 +15,7 @@ but this information will help you understand how Consul service mesh behaves in Consul Connect is the component shipped with Consul that enables service mesh functionality. The terms _Consul Connect_ and _Consul service mesh_ are used interchangeably throughout this documentation. To try service mesh locally, complete the [Getting Started with Consul service -mesh](https://learn.hashicorp.com/tutorials/consul/service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) +mesh](https://learn.hashicorp.com/tutorials/consul/service-mesh?utm_source=docs) tutorial. ## Mutual Transport Layer Security (mTLS) diff --git a/website/content/docs/connect/connectivity-tasks.mdx b/website/content/docs/connect/connectivity-tasks.mdx index dbf77d582..2b9951e56 100644 --- a/website/content/docs/connect/connectivity-tasks.mdx +++ b/website/content/docs/connect/connectivity-tasks.mdx @@ -7,7 +7,7 @@ description: >- # Connectivity Tasks -~> **Note**: The features shown below are extensions of Consul’s service mesh capabilities. If you are not utilizing +~> **Note**: The features shown below are extensions of Consul's service mesh capabilities. If you are not utilizing Consul service mesh then these features will not be relevant to your task. ## Service-to-service traffic between Consul datacenters @@ -40,7 +40,7 @@ services outside the Consul service mesh to services inside the service mesh. These gateways allow you to define what services should be exposed, on what port, and by what hostname. You configure an ingress gateway by defining a set of listeners that can map to different sets of backing services. -Ingress gateways are tightly integrated with Consul’s L7 configuration and enable dynamic routing of HTTP requests by +Ingress gateways are tightly integrated with Consul's L7 configuration and enable dynamic routing of HTTP requests by attributes like the request path. For more information about ingress gateways, review the [complete documentation](/docs/connect/gateways/ingress-gateway) @@ -60,7 +60,7 @@ infrastructure you do not control. Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate Connect mTLS connections, enforce Consul intentions, and forward requests to the appropriate destination. -These gateways also simplify authorization from dynamic service addresses. Consul’s intentions determine whether +These gateways also simplify authorization from dynamic service addresses. Consul's intentions determine whether connections through the gateway are authorized. Then traditional tools like firewalls or IAM roles can authorize the connections from the known gateway nodes to the destination services. diff --git a/website/content/docs/connect/gateways/index.mdx b/website/content/docs/connect/gateways/index.mdx index c7afa6089..995f07d90 100644 --- a/website/content/docs/connect/gateways/index.mdx +++ b/website/content/docs/connect/gateways/index.mdx @@ -44,7 +44,7 @@ to services in the mesh. To accept ingress traffic from the public internet, use These gateways allow you to define what services should be exposed, on what port, and by what hostname. You configure an ingress gateway by defining a set of listeners that can map to different sets of backing services. -Ingress gateways are tightly integrated with Consul’s L7 configuration and enable dynamic routing of HTTP requests by +Ingress gateways are tightly integrated with Consul's L7 configuration and enable dynamic routing of HTTP requests by attributes like the request path. For more information about ingress gateways, review the [complete documentation](/docs/connect/gateways/ingress-gateway) @@ -65,7 +65,7 @@ infrastructure you do not control. Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate Connect mTLS connections, enforce Consul intentions, and forward requests to the appropriate destination. -These gateways also simplify authorization from dynamic service addresses. Consul’s intentions determine whether +These gateways also simplify authorization from dynamic service addresses. Consul's intentions determine whether connections through the gateway are authorized. Then traditional tools like firewalls or IAM roles can authorize the connections from the known gateway nodes to the destination services. diff --git a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters.mdx b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters.mdx index a830fee8f..e712adeab 100644 --- a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters.mdx +++ b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters.mdx @@ -32,7 +32,7 @@ Ensure that your Consul environment meets the following requirements. * A local Consul agent is required to manage its configuration. * Consul [Connect](/docs/agent/config/config-files#connect) must be enabled in both datacenters. * Each [datacenter](/docs/agent/config/config-files#datacenter) must have a unique name. -* Each datacenters must be [WAN joined](https://learn.hashicorp.com/tutorials/consul/federation-gossip-wan). +* Each datacenters must be [WAN joined](https://learn.hashicorp.com/consul/security-networking/datacenters). * The [primary datacenter](/docs/agent/config/config-files#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for Connect certificates and is required for services in all datacenters to establish mutual TLS with each other. * [gRPC](/docs/agent/config/config-files#grpc_port) must be enabled. * If you want to [enable gateways globally](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters#enabling-gateways-globally) you must enable [centralized configuration](/docs/agent/config/config-files#enable_central_service_config). diff --git a/website/content/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways.mdx b/website/content/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways.mdx index fe91882ca..f892592c1 100644 --- a/website/content/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways.mdx +++ b/website/content/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways.mdx @@ -15,7 +15,7 @@ WAN federation via mesh gateways allows for Consul servers in different datacent to be federated exclusively through mesh gateways. When setting up a -[multi-datacenter](https://learn.hashicorp.com/tutorials/consul/federation-gossip-wan) +[multi-datacenter](https://learn.hashicorp.com/consul/security-networking/datacenters) Consul cluster, operators must ensure that all Consul servers in every datacenter must be directly connectable over their WAN-advertised network address from each other. @@ -102,7 +102,7 @@ each datacenter otherwise the WAN will become only partly connected. There are a few necessary additional pieces of configuration beyond those required for standing up a -[multi-datacenter](https://learn.hashicorp.com/tutorials/consul/federation-gossip-wan) +[multi-datacenter](https://learn.hashicorp.com/consul/security-networking/datacenters) Consul cluster. Consul servers in the _primary_ datacenter should add this snippet to the @@ -128,7 +128,7 @@ connect { The [`start_join_wan`](/docs/agent/config/config-files#start_join_wan) or [`retry_join_wan`](/docs/agent/config/config-files#retry_join_wan) are -only used for the [traditional federation process](/docs/k8s/installation/multi-cluster#traditional-wan-federation). +only used for the [traditional federation process](/docs/k8s/deployment-configurations/multi-cluster#traditional-wan-federation). They must be omitted when federating Consul servers via gateways. -> The `primary_gateways` configuration can also use `go-discover` syntax just diff --git a/website/content/docs/connect/gateways/terminating-gateway.mdx b/website/content/docs/connect/gateways/terminating-gateway.mdx index 6a5b557ec..a0afe68c5 100644 --- a/website/content/docs/connect/gateways/terminating-gateway.mdx +++ b/website/content/docs/connect/gateways/terminating-gateway.mdx @@ -19,7 +19,7 @@ and forward requests to the appropriate destination. ![Terminating Gateway Architecture](/img/terminating-gateways.png) For additional use cases and usage patterns, review the tutorial for -[understanding terminating gateways](https://learn.hashicorp.com/tutorials/consul/service-mesh-terminating-gateways). +[understanding terminating gateways](https://learn.hashicorp.com/tutorials/consul/service-mesh-terminating-gateways?utm_source=docs). ~> **Known limitations:** Terminating gateways currently do not support targeting service subsets with [L7 configuration](/docs/connect/l7-traffic). They route to all instances of a service with no capabilities diff --git a/website/content/docs/connect/index.mdx b/website/content/docs/connect/index.mdx index 68a0ee1e7..3d990b69e 100644 --- a/website/content/docs/connect/index.mdx +++ b/website/content/docs/connect/index.mdx @@ -51,24 +51,24 @@ applications can also send open tracing data through Envoy. There are several ways to try Connect in different environments. -- The [Getting Started with Consul Service Mesh collection](https://learn.hashicorp.com/tutorials/consul/service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) +- The [Getting Started with Consul Service Mesh collection](https://learn.hashicorp.com/tutorials/consul/service-mesh?utm_source=docs) walks you through installing Consul as service mesh for Kubernetes using the Helm chart, deploying services in the service mesh, and using intentions to secure service communications. -- The [Getting Started With Consul Service Mesh for Kubernetes](https://learn.hashicorp.com/tutorials/consul/service-mesh-deploy?in=consul/gs-consul-service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) guide walks you through installing Consul on Kubernetes to set up a service mesh for establishing communication between Kubernetes services. +- The [Getting Started With Consul Service Mesh for Kubernetes](https://learn.hashicorp.com/tutorials/consul/service-mesh-deploy?in=consul/gs-consul-service-mesh?utm_source=docs) guide walks you through installing Consul on Kubernetes to set up a service mesh for establishing communication between Kubernetes services. -- The [Secure Service-to-Service Communication tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-with-envoy-proxy?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) +- The [Secure Service-to-Service Communication tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-with-envoy-proxy?utm_source=docs) is a simple walk through of connecting two services on your local machine using Consul Connect's built-in proxy and configuring your first intention. The guide also includes an introduction to using Envoy as the Connect sidecar proxy. -- The [Kubernetes tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-minikube?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) +- The [Kubernetes tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-minikube?utm_source=docs) walks you through configuring Consul Connect in Kubernetes using the Helm chart, and using intentions. You can run the guide on Minikube or an existing Kubernetes cluster. -- The [observability tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-layer7-observability?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) +- The [observability tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-layer7-observability?in=consul/kubernetes) shows how to deploy a basic metrics collection and visualization pipeline on a Minikube or Kubernetes cluster using the official Helm charts for Consul, Prometheus, and Grafana. diff --git a/website/content/docs/connect/nomad.mdx b/website/content/docs/connect/nomad.mdx index d141e30a1..e5f0927d9 100644 --- a/website/content/docs/connect/nomad.mdx +++ b/website/content/docs/connect/nomad.mdx @@ -20,7 +20,7 @@ about using Consul Connect with Nomad, select one of the following resources. For a step-by-step guide on using Consul Connect with Nomad: -- [Nomad Consul Connect Guide](https://nomadproject.io/docs/integrations/consul-connect) +- [Nomad Consul Connect Guide](https://www.nomadproject.io/docs/integrations/consul-connect) For reference information about configuring Nomad jobs to use Consul Connect: diff --git a/website/content/docs/connect/proxies/envoy.mdx b/website/content/docs/connect/proxies/envoy.mdx index 04dfe8a97..c29996ea6 100644 --- a/website/content/docs/connect/proxies/envoy.mdx +++ b/website/content/docs/connect/proxies/envoy.mdx @@ -46,7 +46,7 @@ Envoy 1.16.x and older releases are no longer supported (see [HCSEC-2022-07](htt ## Getting Started To get started with Envoy and see a working example you can follow the [Using -Envoy with Connect](https://learn.hashicorp.com/tutorials/consul/service-mesh-with-envoy-proxy) tutorial. +Envoy with Connect](https://learn.hashicorp.com/tutorials/consul/service-mesh-with-envoy-proxy?utm_source=docs) tutorial. ## Configuration diff --git a/website/content/docs/connect/proxies/integrate.mdx b/website/content/docs/connect/proxies/integrate.mdx index 6b1f64612..1d189d183 100644 --- a/website/content/docs/connect/proxies/integrate.mdx +++ b/website/content/docs/connect/proxies/integrate.mdx @@ -210,9 +210,8 @@ ID for the name specified in `-sidecar-for` flag. -[`/v1/agent/connect/ca/leaf/`]: /api/agent/connect#service-leaf-certificate -[`/v1/agent/connect/ca/roots`]: /api/agent/connect#certificate-authority-ca-roots -[`/v1/health/connect/:service_id`]: /api/health#list-nodes-for-connect-capable-service +[`/v1/agent/connect/ca/leaf/`]: /api-docs/agent/connect#service-leaf-certificate +[`/v1/agent/connect/ca/roots`]: /api-docs/agent/connect#certificate-authority-ca-roots [`api` package]: https://github.com/hashicorp/consul/tree/main/api [`consul/connect/proxy/config.go`]: https://github.com/hashicorp/consul/blob/v1.8.3/connect/proxy/config.go#L187 [`consul/connect/tls.go`]: https://github.com/hashicorp/consul/blob/v1.8.3/connect/tls.go#L232-L237 diff --git a/website/content/docs/connect/registration/sidecar-service.mdx b/website/content/docs/connect/registration/sidecar-service.mdx index 482d49fd8..80c798323 100644 --- a/website/content/docs/connect/registration/sidecar-service.mdx +++ b/website/content/docs/connect/registration/sidecar-service.mdx @@ -16,9 +16,6 @@ To simplify the configuration experience when deploying a sidecar for a service instance, Consul 1.3 introduced a new field in the Connect block of the [service definition](/docs/discovery/services). -To deploy a service and sidecar proxy locally, complete the -[Getting Started guide](https://learn.hashicorp.com/tutorials/consul/get-started-service-networking?utm_source=consul.io&utm_medium=docs). - The `connect.sidecar_service` field is a complete nested service definition on which almost any regular service definition field can be set. The exceptions are [noted below](#limitations). If used, the service definition is treated diff --git a/website/content/docs/connect/security.mdx b/website/content/docs/connect/security.mdx index 7c6e8d009..90c0ca5e5 100644 --- a/website/content/docs/connect/security.mdx +++ b/website/content/docs/connect/security.mdx @@ -12,7 +12,7 @@ description: |- Connect enables secure service-to-service communication over mutual TLS. This provides both in-transit data encryption as well as authorization. This page will document how to secure Connect. To try Connect locally, complete the -[Getting Started guide](https://learn.hashicorp.com/tutorials/consul/service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) or for a full security model reference, +[Getting Started guide](https://learn.hashicorp.com/tutorials/consul/service-mesh?utm_source=docs) or for a full security model reference, see the dedicated [Consul security model](/docs/security) page. When setting up Connect in production, review this [tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-production-checklist?utm_source=consul.io&utm_medium=docs). diff --git a/website/content/docs/connect/transparent-proxy.mdx b/website/content/docs/connect/transparent-proxy.mdx index a60bb72d0..82d98f60c 100644 --- a/website/content/docs/connect/transparent-proxy.mdx +++ b/website/content/docs/connect/transparent-proxy.mdx @@ -234,7 +234,7 @@ The following example configures the service to dial an upstream service called "consul.hashicorp.com/connect-service-upstreams": "my-service:1234:dc2" ``` -If your Consul cluster is deployed to a [single datacenter spanning multiple Kubernetes clusters](/docs/k8s/installation/deployment-configurations/single-dc-multi-k8s), +If your Consul cluster is deployed to a [single datacenter spanning multiple Kubernetes clusters](/docs/k8s/deployment-configurations/single-dc-multi-k8s), then you must configure services in one Kubernetes cluster to explicitly dial a service in another Kubernetes cluster using the [consul.hashicorp.com/connect-service-upstreams](/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) annotation. The following example configures the service to dial an upstream service called `my-service` in another Kubernetes cluster on port `1234`: diff --git a/website/content/docs/discovery/checks.mdx b/website/content/docs/discovery/checks.mdx index 1b4c4faf4..2ee0ea8db 100644 --- a/website/content/docs/discovery/checks.mdx +++ b/website/content/docs/discovery/checks.mdx @@ -13,6 +13,146 @@ description: >- One of the primary roles of the agent is management of system-level and application-level health checks. A health check is considered to be application-level if it is associated with a service. If not associated with a service, the check monitors the health of the entire node. +Review the [health checks tutorial](https://learn.hashicorp.com/tutorials/consul/service-registration-health-checks) +to get a more complete example on how to leverage health check capabilities in Consul. + +A check is defined in a configuration file or added at runtime over the HTTP interface. Checks +created via the HTTP interface persist with that node. + +There are several different kinds of checks: + +- Script + Interval - These checks depend on invoking an external application + that performs the health check, exits with an appropriate exit code, and potentially + generates some output. A script is paired with an invocation interval (e.g. + every 30 seconds). This is similar to the Nagios plugin system. The output of + a script check is limited to 4KB. Output larger than this will be truncated. + By default, Script checks will be configured with a timeout equal to 30 seconds. + It is possible to configure a custom Script check timeout value by specifying the + `timeout` field in the check definition. When the timeout is reached on Windows, + Consul will wait for any child processes spawned by the script to finish. For any + other system, Consul will attempt to force-kill the script and any child processes + it has spawned once the timeout has passed. + In Consul 0.9.0 and later, script checks are not enabled by default. To use them you + can either use : + + - [`enable_local_script_checks`](/docs/agent/config/cli-flags#_enable_local_script_checks): + enable script checks defined in local config files. Script checks defined via the HTTP + API will not be allowed. + - [`enable_script_checks`](/docs/agent/config/cli-flags#_enable_script_checks): enable + script checks regardless of how they are defined. + + ~> **Security Warning:** Enabling script checks in some configurations may + introduce a remote execution vulnerability which is known to be targeted by + malware. We strongly recommend `enable_local_script_checks` instead. See [this + blog post](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations) + for more details. + +- `HTTP + Interval` - These checks make an HTTP `GET` request to the specified URL, + waiting the specified `interval` amount of time between requests (eg. 30 seconds). + The status of the service depends on the HTTP response code: any `2xx` code is + considered passing, a `429 Too ManyRequests` is a warning, and anything else is + a failure. This type of check + should be preferred over a script that uses `curl` or another external process + to check a simple HTTP operation. By default, HTTP checks are `GET` requests + unless the `method` field specifies a different method. Additional header + fields can be set through the `header` field which is a map of lists of + strings, e.g. `{"x-foo": ["bar", "baz"]}`. By default, HTTP checks will be + configured with a request timeout equal to 10 seconds. + + It is possible to configure a custom HTTP check timeout value by + specifying the `timeout` field in the check definition. The output of the + check is limited to roughly 4KB. Responses larger than this will be truncated. + HTTP checks also support TLS. By default, a valid TLS certificate is expected. + Certificate verification can be turned off by setting the `tls_skip_verify` + field to `true` in the check definition. When using TLS, the SNI will be set + automatically from the URL if it uses a hostname (as opposed to an IP address); + the value can be overridden by setting `tls_server_name`. + + Consul follows HTTP redirects by default. Set the `disable_redirects` field to + `true` to disable redirects. + +- `TCP + Interval` - These checks make a TCP connection attempt to the specified + IP/hostname and port, waiting `interval` amount of time between attempts + (e.g. 30 seconds). If no hostname + is specified, it defaults to "localhost". The status of the service depends on + whether the connection attempt is successful (ie - the port is currently + accepting connections). If the connection is accepted, the status is + `success`, otherwise the status is `critical`. In the case of a hostname that + resolves to both IPv4 and IPv6 addresses, an attempt will be made to both + addresses, and the first successful connection attempt will result in a + successful check. This type of check should be preferred over a script that + uses `netcat` or another external process to check a simple socket operation. + By default, TCP checks will be configured with a request timeout of 10 seconds. + It is possible to configure a custom TCP check timeout value by specifying the + `timeout` field in the check definition. + +- `UDP + Interval` - These checks direct the client to periodically send UDP datagrams + to the specified IP/hostname and port. The duration specified in the `interval` field sets the amount of time + between attempts, such as `30s` to indicate 30 seconds. The check is logged as healthy if any response from the UDP server is received. Any other result sets the status to `critical`. + The default interval for, UDP checks is `10s`, but you can configure a custom UDP check timeout value by specifying the + `timeout` field in the check definition. If any timeout on read exists, the check is still considered healthy. + +- `Time to Live (TTL)` ((#ttl)) - These checks retain their last known state + for a given TTL. The state of the check must be updated periodically over the HTTP + interface. If an external system fails to update the status within a given TTL, + the check is set to the failed state. This mechanism, conceptually similar to a + dead man's switch, relies on the application to directly report its health. For + example, a healthy app can periodically `PUT` a status update to the HTTP endpoint; + if the app fails, the TTL will expire and the health check enters a critical state. + The endpoints used to update health information for a given check are: [pass](/api-docs/agent/check#ttl-check-pass), + [warn](/api-docs/agent/check#ttl-check-warn), [fail](/api-docs/agent/check#ttl-check-fail), + and [update](/api-docs/agent/check#ttl-check-update). TTL checks also persist their + last known status to disk. This allows the Consul agent to restore the last known + status of the check across restarts. Persisted check status is valid through the + end of the TTL from the time of the last check. + +- `Docker + Interval` - These checks depend on invoking an external application which + is packaged within a Docker Container. The application is triggered within the running + container via the Docker Exec API. We expect that the Consul agent user has access + to either the Docker HTTP API or the unix socket. Consul uses `$DOCKER_HOST` to + determine the Docker API endpoint. The application is expected to run, perform a health + check of the service running inside the container, and exit with an appropriate exit code. + The check should be paired with an invocation interval. The shell on which the check + has to be performed is configurable which makes it possible to run containers which + have different shells on the same host. Check output for Docker is limited to + 4KB. Any output larger than this will be truncated. In Consul 0.9.0 and later, the agent + must be configured with [`enable_script_checks`](/docs/agent/config/cli-flags#_enable_script_checks) + set to `true` in order to enable Docker health checks. + +- `gRPC + Interval` - These checks are intended for applications that support the standard + [gRPC health checking protocol](https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + The state of the check will be updated by probing the configured endpoint, waiting `interval` + amount of time between probes (eg. 30 seconds). By default, gRPC checks will be configured + with a default timeout of 10 seconds. + It is possible to configure a custom timeout value by specifying the `timeout` field in + the check definition. gRPC checks will default to not using TLS, but TLS can be enabled by + setting `grpc_use_tls` in the check definition. If TLS is enabled, then by default, a valid + TLS certificate is expected. Certificate verification can be turned off by setting the + `tls_skip_verify` field to `true` in the check definition. + To check on a specific service instead of the whole gRPC server, add the service identifier after the `gRPC` check's endpoint in the following format `/:service_identifier`. + +- `H2ping + Interval` - These checks test an endpoint that uses http2 + by connecting to the endpoint and sending a ping frame. TLS is assumed to be configured by default. + To disable TLS and use h2c, set `h2ping_use_tls` to `false`. If the ping is successful + within a specified timeout, then the check is updated as passing. + The timeout defaults to 10 seconds, but is configurable using the `timeout` field. If TLS is enabled a valid + certificate is required, unless `tls_skip_verify` is set to `true`. + The check will be run on the interval specified by the `interval` field. + +- `Alias` - These checks alias the health state of another registered + node or service. The state of the check will be updated asynchronously, but is + nearly instant. For aliased services on the same agent, the local state is monitored + and no additional network resources are consumed. For other services and nodes, + the check maintains a blocking query over the agent's connection with a current + server and allows stale requests. If there are any errors in watching the aliased + node or service, the check state will be critical. For the blocking query, the + check will use the ACL token set on the service or check definition or otherwise + will fall back to the default ACL token set with the agent (`acl_token`). + +## Check Definition + +A script check: +======= Review the [service health checks tutorial](https://learn.hashicorp.com/tutorials/consul/service-registration-health-checks) to get a more complete example on how to leverage health check capabilities in Consul. diff --git a/website/content/docs/discovery/dns.mdx b/website/content/docs/discovery/dns.mdx index f052b0e27..72fe5e208 100644 --- a/website/content/docs/discovery/dns.mdx +++ b/website/content/docs/discovery/dns.mdx @@ -35,7 +35,7 @@ as the DNS server for a node and provide a [`recursors`](/docs/agent/config/config-files#recursors) configuration so that non-Consul queries can also be resolved. The last method is to forward all queries for the "consul." domain to a Consul agent from the existing DNS server. Review the -[DNS Forwarding tutorial](https://learn.hashicorp.com/tutorials/consul/dns-forwarding?utm_source=consul.io&utm_medium=docs) for examples. +[DNS Forwarding tutorial](https://learn.hashicorp.com/tutorials/consul/dns-forwarding?utm_source=docs) for examples. You can experiment with Consul's DNS server on the command line using tools such as `dig`: @@ -562,4 +562,4 @@ For guidance on how to configure an appropriate token for DNS, refer to the securing Consul with ACLs guides for: - [Production Environments](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production#token-for-dns) -- [Development Environments](https://learn.hashicorp.com/tutorials/consul/access-control-setup#additional-acl-configuration) +- [Development Environments](https://learn.hashicorp.com/tutorials/consul/access-control-setup?utm_source=docs#enable-acls-on-consul-clients) diff --git a/website/content/docs/discovery/services.mdx b/website/content/docs/discovery/services.mdx index bb0068b1a..8cc526f4b 100644 --- a/website/content/docs/discovery/services.mdx +++ b/website/content/docs/discovery/services.mdx @@ -19,7 +19,7 @@ a health check. A health check associated with a service is considered to be an application-level check. Define services in a configuration file or add it at runtime using the HTTP interface. -Complete the [Getting Started tutorials](https://learn.hashicorp.com/tutorials/consul/get-started-service-discovery?utm_source=consul.io&utm_medium=docs) to get hands-on experience registering a simple service with a health check on your local machine. +Complete the [Getting Started tutorials](https://learn.hashicorp.com/tutorials/consul/get-started-service-discovery?utm_source=docs) to get hands-on experience registering a simple service with a health check on your local machine. ## Service Definition @@ -30,7 +30,7 @@ Consul can load service definitions saved as `.json` or `.hcl` files. Send a `SIGHUP` to the running agent or use [`consul reload`](/commands/reload) to check for new service definitions or to update existing services. Alternatively, the service can be [registered dynamically](/api-docs/agent/service#register-service) -using the [HTTP API](/api). +using the [HTTP API](/api-docs). A service definition contains a set of parameters that specify various aspects of the service, including how it is discovered by other services in the network. All possible parameters are included in the following example, but only the top-level `service` parameter and its `name` parameter child are required by default. @@ -269,7 +269,7 @@ The following roles are supported for service entries: - `connect-proxy`: Defines the configuration for a connect proxy - `ingress-gateway`: Defines the configuration for an [ingress gateway](/docs/connect/config-entries/ingress-gateway) -- `mesh-gateway`: Defines the configuration for a [mesh gateway](/docs/connect/gateways/mesh-gateway#mesh-gateway-configuration) +- `mesh-gateway`: Defines the configuration for a [mesh gateway](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters#mesh-gateway-configuration) - `terminating-gateway`: Defines the configuration for a [terminating gateway](/docs/connect/config-entries/terminating-gateway#terminating-gateway) In the service definition example described above, the service is registered as a proxy because the `kind` property is set to `connect-proxy`. diff --git a/website/content/docs/dynamic-app-config/kv.mdx b/website/content/docs/dynamic-app-config/kv.mdx index 5d4576066..f94a81c70 100644 --- a/website/content/docs/dynamic-app-config/kv.mdx +++ b/website/content/docs/dynamic-app-config/kv.mdx @@ -16,14 +16,13 @@ similarities to one. The Consul KV datastore is located on the servers, but can be accessed by any agent (client or server). The natively integrated [RPC functionality](/docs/architecture) allows clients to forward -requests to servers, including key/value reads and writes. Part of Consul’s +requests to servers, including key/value reads and writes. Part of Consul's core design allows data to be replicated automatically across all the servers. Having a quorum of servers will decrease the risk of data loss if an outage occurs. -If you have not used Consul KV, check out this [Getting Started -tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-key-value-store?utm_source=consul.io&utm_medium=docs) on HashiCorp -Learn. +If you have not used Consul KV, complete this [Getting Started +tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-key-value-store?utm_source=docs) on HashiCorp. ## Accessing the KV store @@ -67,7 +66,7 @@ using the API and in shell scripts. If you plan to use Consul KV as part of your configuration management process review the [Consul -Template](https://learn.hashicorp.com/tutorials/consul/consul-template) +Template](https://learn.hashicorp.com/tutorials/consul/consul-template?utm_source=docs) tutorial on how to update configuration based on value updates in the KV. Consul Template is based on Go Templates and allows for a series of scripted actions to be initiated on value changes to a Consul key. @@ -90,7 +89,7 @@ session holding the lock. Review the session documentation for more information on the [integration](/docs/dynamic-app-config/sessions#k-v-integration). Review the following tutorials to learn how to use Consul sessions for [application leader election](https://learn.hashicorp.com/tutorials/consul/application-leader-elections) and -to [build distributed semaphores](https://learn.hashicorp.com/tutorials/consul/distributed-semaphore). +to [build distributed semaphores](https://learn.hashicorp.com/consul/developer-configuration/semaphore). ### Vault diff --git a/website/content/docs/dynamic-app-config/watches.mdx b/website/content/docs/dynamic-app-config/watches.mdx index e9d7ba726..2c6ac883b 100644 --- a/website/content/docs/dynamic-app-config/watches.mdx +++ b/website/content/docs/dynamic-app-config/watches.mdx @@ -16,7 +16,7 @@ checks) which is monitored for updates. When an update is detected, an external is invoked. A handler can be any executable or HTTP endpoint. As an example, you could watch the status of health checks and notify an external system when a check is critical. -Watches are implemented using blocking queries in the [HTTP API](/api). +Watches are implemented using blocking queries in the [HTTP API](/api-docs). Agents automatically make the proper API calls to watch for changes and inform a handler when the data view has updated. @@ -41,7 +41,7 @@ with invocation info, following a format that depends on the type of the watch. Each watch type documents the format type. Because they map directly to an HTTP API, handlers should expect the input to match the format of the API. A Consul index is also given, corresponding to the responses from the -[HTTP API](/api). +[HTTP API](/api-docs). ### Executable diff --git a/website/content/docs/ecs/architecture.mdx b/website/content/docs/ecs/architecture.mdx index e09223eaa..8defd7306 100644 --- a/website/content/docs/ecs/architecture.mdx +++ b/website/content/docs/ecs/architecture.mdx @@ -52,7 +52,7 @@ This diagram shows the timeline of a task starting up and all its containers: permissions for the service and its sidecar proxy. This token is written to a shared volume for use by the `health-sync` container. - It registers the service for the current task and its sidecar proxy with Consul. - - It runs `consul connect envoy -bootstrap` to generate Envoy’s bootstrap JSON file and + - It runs `consul connect envoy -bootstrap` to generate Envoy's bootstrap JSON file and writes it to a shared volume. - **T1:** The following containers start: - `sidecar-proxy` starts using a custom entrypoint command, `consul-ecs envoy-entrypoint`. diff --git a/website/content/docs/ecs/configuration-reference.mdx b/website/content/docs/ecs/configuration-reference.mdx index fe57cab1a..d3915cd49 100644 --- a/website/content/docs/ecs/configuration-reference.mdx +++ b/website/content/docs/ecs/configuration-reference.mdx @@ -203,4 +203,3 @@ Configures the weight of the service in terms of its DNS service (SRV) response. | ----- | ---- | -------- | ----------- | | `passing` | `integer` | required | Weight for the service when its health checks are passing. | | `warning` | `integer` | required | Weight for the service when it has health checks in `warning` status. | - diff --git a/website/content/docs/ecs/enterprise.mdx b/website/content/docs/ecs/enterprise.mdx index fb64e6332..a1d10c675 100644 --- a/website/content/docs/ecs/enterprise.mdx +++ b/website/content/docs/ecs/enterprise.mdx @@ -26,7 +26,7 @@ module "my_task" { ## Licensing -~> **Warning:** Consul Enterprise is currently only fully supported when [ACLs are enabled](/docs/ecs/terraform/secure-configuration). +!> **Warning:** Consul Enterprise is currently only fully supported when [ACLs are enabled](/docs/ecs/terraform/secure-configuration). Consul Enterprise [requires a license](/docs/enterprise/license/overview). If running Consul on ECS with ACLs enabled, the license will be automatically pulled down from Consul servers. @@ -46,7 +46,7 @@ If client support is required for any of the features, then you must use a Consu | Feature | Supported | Description | |-----------------------------------|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Automated Backups/Snapshot Agent | Yes* | Running the snapshot agent on ECS is not currently supported but you are able to run the snapshot agent alongside your Consul servers on VMs. | +| Automated Backups/Snapshot Agent | Yes\* | Running the snapshot agent on ECS is not currently supported but you are able to run the snapshot agent alongside your Consul servers on VMs. | | Automated Upgrades | Yes (servers) | This feature runs on Consul servers. | | Enhanced Read Scalability | Yes (servers) | This feature runs on Consul servers. | | Single Sign-On/OIDC | Yes (servers) | This feature runs on Consul servers. | @@ -71,7 +71,7 @@ The ACL controller manages configuration of the AWS IAM auth method on the Consu ensures unused tokens created by tasks are cleaned up. It also creates admin partitions and namespaces if they do not already exist. --> **NOTE:** The ACL controller does not delete admin partitions or namespaces once they are created. +~> **Note:** The ACL controller does not delete admin partitions or namespaces once they are created. Each ACL controller manages a single admin partition. Consul on ECS supports one ACL controller per ECS cluster; therefore, the administrative boundary for admin partitions is one admin partition per ECS cluster. @@ -123,6 +123,7 @@ module "my_task" { ### Audit Logging + Consul on ECS supports [audit logging](/docs/enterprise/audit-logging) when using Consul Enterprise clients. This feature has the following requirements: diff --git a/website/content/docs/ecs/index.mdx b/website/content/docs/ecs/index.mdx index 73c1cbf81..711c9f77b 100644 --- a/website/content/docs/ecs/index.mdx +++ b/website/content/docs/ecs/index.mdx @@ -20,7 +20,7 @@ traffic policy, and more. You can also connect service meshes so that services d ![Consul on ECS Architecture](/img/consul-ecs-arch.png) -Consul on ECS follows an [architecture](/docs/internals/architecture) similar to other platforms, but each ECS task is a +Consul on ECS follows an [architecture](/docs/architecture) similar to other platforms, but each ECS task is a Consul node. An ECS task runs the user application container(s), as well as a Consul client container for control plane communication and an [Envoy](https://envoyproxy.io/) sidecar proxy container to facilitate data plane communication for [Consul Connect](/docs/connect). @@ -31,11 +31,12 @@ For a detailed architecture overview, see the [Architecture](/docs/ecs/architect There are several ways to get started with Consul with ECS. -* The [Serverless Consul Service Mesh with ECS and HCP](https://learn.hashicorp.com/tutorials/cloud/consul-ecs-hcp?in=consul/cloud-integrations) learn guide shows how to use Terraform to run Consul service mesh applications on ECS with managed Consul servers running in HashiCorp Cloud Platform (HCP). -* The [Service Mesh with ECS and Consul on EC2](https://learn.hashicorp.com/tutorials/consul/consul-ecs-ec2?in=consul/cloud-integrations) learn guide shows how to use Terraform to run Consul service mesh applications on ECS with Consul servers running on EC2 instances. -* The [Consul with Dev Server on Fargate](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-fargate) example installation deploys a sample application in ECS using the Fargate launch type. -* The [Consul with Dev Server on EC2](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-ec2) example installation deploys a sample application in ECS using the EC2 launch type. +- The [Serverless Consul Service Mesh with ECS and HCP](https://learn.hashicorp.com/tutorials/consul/consul-ecs-hcp?utm_source=docs) learn guide shows how to use Terraform to run Consul service mesh applications on ECS with managed Consul servers running in HashiCorp Cloud Platform (HCP). +- The [Service Mesh with ECS and Consul on EC2](https://learn.hashicorp.com/tutorials/consul/consul-ecs-ec2?utm_source=docs) learn guide shows how to use Terraform to run Consul service mesh applications on ECS with Consul servers running on EC2 instances. +- The [Consul with Dev Server on Fargate](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-fargate) example installation deploys a sample application in ECS using the Fargate launch type. +- The [Consul with Dev Server on EC2](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-ec2) example installation deploys a sample application in ECS using the EC2 launch type. -Refer to the [Requirements](/docs/ecs/requirements) and use one of the following sets of instructions when you're ready to install Consul on an existing ECS cluster and add tasks to the service mesh: -* [Install with Terraform](/docs/ecs/terraform/install) -* [Install Manually](/docs/ecs/manual/install) +Refer to the [Requirements](/docs/ecs/requirements) and use one of the following sets of instructions when you're ready to install Consul on an existing ECS cluster and add tasks to the service mesh: + +- [Install with Terraform](/docs/ecs/terraform/install) +- [Install Manually](/docs/ecs/manual/install) diff --git a/website/content/docs/ecs/manual/acl-controller.mdx b/website/content/docs/ecs/manual/acl-controller.mdx index 28c91bd97..c3364d656 100644 --- a/website/content/docs/ecs/manual/acl-controller.mdx +++ b/website/content/docs/ecs/manual/acl-controller.mdx @@ -13,7 +13,7 @@ This topic describes how to manually deploy the ACL controller, which will autom * Your application tasks must include certain tags to be compatible with the ACL controller. Refer to the [Task Tags](/docs/ecs/manual/install#task-tags) section of the installation page. -* You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the [Learn Guides about Consul Security](https://learn.hashicorp.com/collections/consul/security) for an introduction and the [ACL system](/docs/security/acl) documentation for more information. +* You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the [Consul Security tutorials](https://learn.hashicorp.com/collections/consul/security) for an introduction and the [ACL system](/docs/security/acl) documentation for more information. * If you are using Consul with multiple ECS clusters, each cluster requires its own instance of the ACL controller. ## Set Up Secrets diff --git a/website/content/docs/ecs/manual/install.mdx b/website/content/docs/ecs/manual/install.mdx index aac1b416b..19dcf6cc4 100644 --- a/website/content/docs/ecs/manual/install.mdx +++ b/website/content/docs/ecs/manual/install.mdx @@ -304,7 +304,7 @@ The following table describes the values that you should use to configure the `c -> **NOTE**: Use `exec` to start the Consul agent so that the Consul agent runs as PID 1. This ensures the Consul agent directly receives signals from ECS, which is important for graceful shutdown of the Consul agent. -Refer to the [Consul Agent documentation](/docs/agent/options#configuration_files) for a complete reference of Consul agent +Refer to the [Consul Agent documentation](/docs/agent/config/config-files#configuration_files) for a complete reference of Consul agent configuration options. ## `consul-ecs-mesh-init` container diff --git a/website/content/docs/ecs/terraform/install.mdx b/website/content/docs/ecs/terraform/install.mdx index 2d520e418..45399f6c3 100644 --- a/website/content/docs/ecs/terraform/install.mdx +++ b/website/content/docs/ecs/terraform/install.mdx @@ -7,7 +7,7 @@ description: >- # Installation with Terraform -This topic describes how to use HashiCorp’s Terraform modules to launch your application in AWS ECS as part of Consul service mesh. If you do not use Terraform, refer to the [Manual Installation](/docs/ecs/manual/install) page to install Consul on ECS without Terraform. +This topic describes how to use HashiCorp's Terraform modules to launch your application in AWS ECS as part of Consul service mesh. If you do not use Terraform, refer to the [Manual Installation](/docs/ecs/manual/install) page to install Consul on ECS without Terraform. This topic does not include instructions for creating all AWS resources necessary to install Consul, such as a VPC or the ECS cluster. Refer to the guides in the [Getting Started](/docs/ecs#getting-started) section for complete and runnable examples. @@ -88,7 +88,7 @@ The following fields are required. Refer to the [module reference documentation] | `container_definitions` | list | This is the list of [container definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definitions) for the task definition. This is where you include your application containers. | | `essential` | boolean | Must be `true` to ensure the health of your application container affects the health status of the task. | | `port` | integer | The port that your application listens on, if any. If your application does not listen on a port, set `outbound_only = true`. | -| `retry_join` | list | This is the [`retry_join`](/docs/agent/options#retry_join) option for the Consul agent, which specifies the locations of your Consul servers. | +| `retry_join` | list | This is the [`retry_join`](/docs/agent/config/config-files#retry_join) option for the Consul agent, which specifies the locations of your Consul servers. | ### Configure an ECS service for the mesh task module [ECS services](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html) are one of the most common diff --git a/website/content/docs/ecs/terraform/secure-configuration.mdx b/website/content/docs/ecs/terraform/secure-configuration.mdx index ef945902f..db180d13e 100644 --- a/website/content/docs/ecs/terraform/secure-configuration.mdx +++ b/website/content/docs/ecs/terraform/secure-configuration.mdx @@ -45,7 +45,7 @@ task IAM role must encode the Consul service name. By default, the `mesh-task` module will create and configure the task IAM role for you. --> **NOTE**: When passing an existing IAM role to the `mesh-task` module using the `task_role` input +~> **Note:** When passing an existing IAM role to the `mesh-task` module using the `task_role` input variable, you must configure the IAM role as described in [ECS Task Role Configuration](/docs/ecs/manual/secure-configuration#ecs-task-role-configuration) to be compatible with the AWS IAM auth method. @@ -56,42 +56,42 @@ the AWS IAM auth method. 1. Create a token and link it to the ACL controller policy. Refer to the [ACL tokens documentation](/docs/security/acl/acl-tokens) for instructions. 1. Create a Secrets Manager secret containing the ACL controller's token and a Secrets Manager secret containing the Consul CA cert. - ```hcl - resource "aws_secretsmanager_secret" "bootstrap_token" { - name = "bootstrap-token" - } +```hcl +resource "aws_secretsmanager_secret" "bootstrap_token" { + name = "bootstrap-token" +} - resource "aws_secretsmanager_secret_version" "bootstrap_token" { - secret_id = aws_secretsmanager_secret.bootstrap_token.id - secret_string = "" - } +resource "aws_secretsmanager_secret_version" "bootstrap_token" { + secret_id = aws_secretsmanager_secret.bootstrap_token.id + secret_string = "" +} - resource "aws_secretsmanager_secret" "ca_cert" { - name = "server-ca-cert" - } +resource "aws_secretsmanager_secret" "ca_cert" { + name = "server-ca-cert" +} - resource "aws_secretsmanager_secret_version" "ca_cert" { - secret_id = aws_secretsmanager_secret.ca_cert.id - secret_string = "" - } - ``` +resource "aws_secretsmanager_secret_version" "ca_cert" { + secret_id = aws_secretsmanager_secret.ca_cert.id + secret_string = "" +} +``` 1. Use the [`acl-controller` terraform module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/acl-controller?tab=inputs) to deploy the controller. You must provide the ARN's for the token and CA cert in the `consul_bootstrap_token_secret_arn` and `consul_server_ca_cert_arn` fields, respectively. - ```hcl - module "acl_controller" { - source = "hashicorp/consul-ecs/aws//modules/acl-controller" - version = "" + ```hcl + module "acl_controller" { + source = "hashicorp/consul-ecs/aws//modules/acl-controller" + version = "" - consul_bootstrap_token_secret_arn = aws_secretsmanager_secret.bootstrap_token.arn - consul_server_http_addr = "https://consul-server.example.com:8501" - consul_server_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn - ecs_cluster_arn = "arn:aws:ecs:us-east-1:111111111111:cluster/consul-ecs" - region = "us-east-1" - subnets = ["subnet-abcdef123456789"] - name_prefix = "consul-ecs" - } - ``` + consul_bootstrap_token_secret_arn = aws_secretsmanager_secret.bootstrap_token.arn + consul_server_http_addr = "https://consul-server.example.com:8501" + consul_server_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn + ecs_cluster_arn = "arn:aws:ecs:us-east-1:111111111111:cluster/consul-ecs" + region = "us-east-1" + subnets = ["subnet-abcdef123456789"] + name_prefix = "consul-ecs" + } + ``` The following table describes the required input variables for the `acl-controller` module. @@ -132,11 +132,12 @@ resource "aws_secretsmanager_secret_version" "gossip_key" { secret_string = "" } ``` + ### Enable secure deployment -To enable secure deployment, add the following configuration to the task module. +To enable secure deployment, add the following configuration to the task module. ```hcl module "my_task" { diff --git a/website/content/docs/enterprise/admin-partitions.mdx b/website/content/docs/enterprise/admin-partitions.mdx index 6d13669d7..cfe962ff9 100644 --- a/website/content/docs/enterprise/admin-partitions.mdx +++ b/website/content/docs/enterprise/admin-partitions.mdx @@ -22,10 +22,10 @@ Admin partitions exist a level above namespaces in the identity hierarchy. They -> **Preexisting resource nodes and namespaces**: Admin partitions were introduced in Consul 1.11. Resource nodes were not namespaced prior to 1.11. After upgrading to Consul 1.11 or later, all resource nodes will be namespaced. -There are Learn tutorials available to help you get started with admin partitions. +There are tutorials available to help you get started with admin partitions. -- [Multi-Tenancy with Administrative Partitions](https://learn.hashicorp.com/tutorials/consul/consul-admin-partitions?in=consul/enterprise) -- [Multi Cluster Applications with Consul Enterprise Admin Partitions](https://learn.hashicorp.com/tutorials/consul/kubernetes-admin-partitions?in=consul/kubernetes) +- [Multi-Tenancy with Administrative Partitions](https://learn.hashicorp.com/tutorials/consul/consul-admin-partitions?utm_source=docs) +- [Multi Cluster Applications with Consul Enterprise Admin Partitions](https://learn.hashicorp.com/tutorials/consul/kubernetes-admin-partitions?utm_source=docs) ### Default Admin Partition diff --git a/website/content/docs/enterprise/audit-logging.mdx b/website/content/docs/enterprise/audit-logging.mdx index 93661d49c..90f876f43 100644 --- a/website/content/docs/enterprise/audit-logging.mdx +++ b/website/content/docs/enterprise/audit-logging.mdx @@ -2,7 +2,7 @@ layout: docs page_title: Consul Enterprise Audit Logging description: >- - Consul Enterprise provides the ability to write events of user behavior with Consul’s API so operations and security users can perform legal compliance auditing. + Consul Enterprise provides the ability to write events of user behavior with Consul's API so operations and security users can perform legal compliance auditing. --- # Audit Logging @@ -23,8 +23,7 @@ and contain a timestamp, the operation performed, and the user who initiated the Audit logging enables security and compliance teams within an organization to get greater insight into Consul access and usage patterns. -For more experience leveraging Consul's audit logging functionality, explore our -HashiCorp Learn tutorial [Capture Consul Events with Audit Logging](https://learn.hashicorp.com/tutorials/consul/audit-logging). +Complete the [Capture Consul Events with Audit Logging](https://learn.hashicorp.com/tutorials/consul/audit-logging) tutorial to learn more about Consul's audit logging functionality, For detailed configuration information on configuring the Consul Enterprise's audit logging, review the Consul [Audit Log](/docs/agent/config/config-files#audit) diff --git a/website/content/docs/enterprise/backups.mdx b/website/content/docs/enterprise/backups.mdx index f019496a9..0a99c68b3 100644 --- a/website/content/docs/enterprise/backups.mdx +++ b/website/content/docs/enterprise/backups.mdx @@ -35,7 +35,6 @@ datacenter backups include (but are not limited to): - Access Control Lists (ACLs) - Namespaces -For more experience leveraging Consul's snapshot functionality, we suggest you look through our HashiCorp -Learn tutorial for [Datacenter Backups in Consul](https://learn.hashicorp.com/tutorials/consul/backup-and-restore). +For more experience leveraging Consul's snapshot functionality, complete the [Datacenter Backups in Consul](https://learn.hashicorp.com/tutorials/consul/backup-and-restore?utm_source=docs) tutorial. For detailed configuration information on configuring the Consul Enterprise's snapshot agent, review the [Consul Snapshot Agent documentation](/commands/snapshot/agent). diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index 8375a3237..536849ffb 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx @@ -61,7 +61,7 @@ To access Consul Enterprise in a self-managed installation, to the Consul Enterprise binary that grants access to the desired features. You can also try out Consul Enterprise before purchasing by -[requesting a 30-day trial license](https://consul.io/trial). +[requesting a 30-day trial license](https://www.hashicorp.com/products/consul/trial). ## Consul Enterprise Feature Availability @@ -82,7 +82,7 @@ Available enterprise features per Consul form and license include: | [Consul-Terraform-Sync Enterprise](/docs/nia/enterprise) | All tiers | Yes | Yes | | [Network Areas](/docs/enterprise/federation) | No | Yes | With Global Visibility, Routing, and Scale module | | [Network Segments](/docs/enterprise/network-segments) | No | Yes | With Global Visibility, Routing, and Scale module | -| [OIDC Auth Method](/docs/acl/auth-methods/oidc) | No | Yes | Yes | +| [OIDC Auth Method](/docs/security/acl/auth-methods/oidc) | No | Yes | Yes | | [Audit Logging](/docs/enterprise/audit-logging) | Standard tier and above | Yes | With Governance and Policy module | | [Sentinel for KV](/docs/enterprise/sentinel) | All tiers | Yes | With Governance and Policy module | diff --git a/website/content/docs/enterprise/license/faq.mdx b/website/content/docs/enterprise/license/faq.mdx index 663a10fcf..167cc5e50 100644 --- a/website/content/docs/enterprise/license/faq.mdx +++ b/website/content/docs/enterprise/license/faq.mdx @@ -29,7 +29,7 @@ Refer to the instructions on [upgrading to 1.10.x](/docs/upgrading/instructions/ ## Q: Is there a tutorial available for the license configuration steps? -Please visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise). +Please visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/consul/hashicorp-enterprise-license?utm_source=docs). ## Q: What resources are available? @@ -41,7 +41,7 @@ The list below is a great starting point for learning more about the license cha - [License configuration values documentation](/docs/enterprise/license/overview#binaries-without-built-in-licenses) -- [Install a HashiCorp Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) +- [Install a HashiCorp Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/consul/hashicorp-enterprise-license?utm_source=docs) ## Q: Do these changes impact all customers/licenses? @@ -95,7 +95,7 @@ Consul snapshot agents will attempt to retrieve the license from servers if cert ## Q: Where can users get a trial license for Consul Enterprise? -Visit [consul.io/trial](/trial) for a free 30-day trial license. +Visit [consul.io/trial](https://www.hashicorp.com/products/consul/trial) for a free 30-day trial license. ~> **Trial install will cease operation 24 hours after 30-day license expiration**: Trial licenses are not meant to be used in production. @@ -142,7 +142,7 @@ Please see the [upgrade requirements](faq#q-what-are-the-upgrade-requirements). 1. Run [`consul license get -signed`](/commands/license#get) to extract the license from their running cluster. Store the license in a secure location on disk. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable. -1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. +1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/consul/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key. 1. Follow the Consul upgrade [documentation](/docs/upgrading). ### Kubernetes @@ -151,10 +151,10 @@ Please see the [upgrade requirements](faq#q-what-are-the-upgrade-requirements). 1. In order to use Consul Enterprise 1.10.0 or greater on Kubernetes you must use version 0.32.0 or greater of the Helm chart. 1. You should already have a Consul Enterprise license set as a Kubernetes secret. If you do not, refer to [how to obtain a copy of your license](/docs/enterprise/license/faq#q-i-m-an-existing-enterprise-customer-but-don-t-have-my-license-how-can-i-get-it). -Once you have the license then create a Kubernetes secret containing the license as described in [Kubernetes - Consul Enterprise](/docs/k8s/installation/deployment-configurations/consul-enterprise). +Once you have the license then create a Kubernetes secret containing the license as described in [Kubernetes - Consul Enterprise](/docs/k8s/deployment-configurations/consul-enterprise). 1. Follow the [Kubernetes Upgrade Docs](/docs/k8s/upgrade) to upgrade. No changes to your `values.yaml` file are needed to enable enterprise autoloading since this support is built in to consul-helm 0.32.0 and greater. -~> **WARNING:** If you are upgrading the Helm chart but **not** upgrading the Consul version, you must set `server.enterpriseLicense.enableLicenseAutoload: false`. See [Kubernetes - Consul Enterprise](/docs/k8s/installation/deployment-configurations/consul-enterprise) for more details. +!> **Warning:** If you are upgrading the Helm chart but **not** upgrading the Consul version, you must set `server.enterpriseLicense.enableLicenseAutoload: false`. See [Kubernetes - Consul Enterprise](/docs/k8s/deployment-configurations/consul-enterprise) for more details. ## Q: What is the migration path for customers who want to migrate from their existing perpetually-licensed binaries to the license on disk flow? @@ -163,14 +163,14 @@ Once you have the license then create a Kubernetes secret containing the license 1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. 1. Store the license in a secure location on disk. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable. - Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. + Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/consul/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key. 1. Follow the Consul upgrade [documentation](/docs/upgrading). ### Kubernetes 1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable. - Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. + Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/consul/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key. 1. Proceed with the `helm` [upgrade instructions](/docs/k8s/upgrade) ## Q: Will Consul downgrades/rollbacks work? diff --git a/website/content/docs/enterprise/license/overview.mdx b/website/content/docs/enterprise/license/overview.mdx index 8066240d9..2959ef67f 100644 --- a/website/content/docs/enterprise/license/overview.mdx +++ b/website/content/docs/enterprise/license/overview.mdx @@ -19,7 +19,7 @@ agent's configuration or environment. Also, prior to 1.10.0, server agents would the license between themselves. This no longer occurs and the license must be present on each server agent when it is started. --> Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. +-> Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/consul/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key. ### Applying a License diff --git a/website/content/docs/enterprise/namespaces.mdx b/website/content/docs/enterprise/namespaces.mdx index affc187db..612c47a65 100644 --- a/website/content/docs/enterprise/namespaces.mdx +++ b/website/content/docs/enterprise/namespaces.mdx @@ -19,10 +19,10 @@ can be isolated from each other with the use of namespaces. Namespaces help redu by removing restrictions around uniqueness of resource names across distinct teams, and enable operators to provide self-service through delegation of administrative privileges. -For more information on how to use namespaces with Consul Enterprise please review the following HashiCorp Learn Guides: +For more information on how to use namespaces with Consul Enterprise please review the following tutorials: -- [Register and Discover Services within Namespaces](https://learn.hashicorp.com/tutorials/consul/namespaces-share-datacenter-access) - Register multiple services within different namespaces in Consul. -- [Setup Secure Namespaces](https://learn.hashicorp.com/tutorials/consul/namespaces-secure-shared-access) - Secure resources within a namespace and delegate namespace ACL rights via ACL tokens. +- [Register and Discover Services within Namespaces](https://learn.hashicorp.com/tutorials/consul/namespaces-share-datacenter-access?utm_source=docs) - Register multiple services within different namespaces in Consul. +- [Setup Secure Namespaces](https://learn.hashicorp.com/tutorials/consul/namespaces-secure-shared-access?utm_source=docs) - Secure resources within a namespace and delegate namespace ACL rights via ACL tokens. ## Namespace Definition diff --git a/website/content/docs/enterprise/network-segments.mdx b/website/content/docs/enterprise/network-segments.mdx index 51277ba52..000316c6b 100644 --- a/website/content/docs/enterprise/network-segments.mdx +++ b/website/content/docs/enterprise/network-segments.mdx @@ -33,8 +33,7 @@ connectivity between agent members on the same segment. ![Consul datacenter agent connectivity with network segments](/img/network-segments/consul-network-segments-multiple.png) -To get started with network segments you can review the tutorial on HashiCorp -Learn for [Network Segments](https://learn.hashicorp.com/tutorials/consul/network-partition-datacenters). +Complete the [Network Segments](https://learn.hashicorp.com/tutorials/consul/network-partition-datacenters) tutorial to learn more about network segments. -> **Info:** Network segments enable you to operate a Consul datacenter without full mesh (LAN) connectivity between agents. To federate multiple Consul datacenters @@ -57,10 +56,11 @@ Segments (Enterprise) creates multiple segments within one cluster. **Federated Cluster:** A set of connected clusters, each representing a unique Consul “datacenter”. These Consul servers are federated together over the WAN. Consul clients make use of resources in federated clusters by forwarding RPCs through the Consul servers in their local cluster, but they -never interact with remote Consul servers directly. There are currently two -inter-cluster network models which can be viewed on HashiCorp Learn: -[WAN gossip (OSS)](https://learn.hashicorp.com/tutorials/consul/federation-gossip-wan) -and [Network Areas (Enterprise)](https://learn.hashicorp.com/tutorials/consul/federation-network-areas). +never interact with remote Consul servers directly. There are two tutorials that +will guide you through inter-cluster network models: + +1. [WAN gossip (OSS)](https://learn.hashicorp.com/consul/security-networking/datacenters) +1. [Network Areas (Enterprise)](https://learn.hashicorp.com/tutorials/consul/federation-network-areas). **LAN Gossip Pool**: A set of Consul agents that have full mesh connectivity among themselves, and use Serf to maintain a shared view of the members of the diff --git a/website/content/docs/enterprise/redundancy.mdx b/website/content/docs/enterprise/redundancy.mdx index 56bbcd68e..3a7fa145d 100644 --- a/website/content/docs/enterprise/redundancy.mdx +++ b/website/content/docs/enterprise/redundancy.mdx @@ -30,6 +30,5 @@ for server nodes while also providing (and expanding) the capabilities of [enhanced read scalability](/docs/enterprise/read-scale) by also including recovery capabilities. -For more information, review the HashiCorp Learn tutorial on -[Redundancy Zones](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations#redundancy-zones), -as well as the documentation for [Consul Autopilot](/commands/operator/autopilot). +For more information, complete the [Redundancy Zones](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations#redundancy-zones) tutorial +and reference the [Consul Autopilot](/commands/operator/autopilot) documentation. diff --git a/website/content/docs/enterprise/sentinel.mdx b/website/content/docs/enterprise/sentinel.mdx index e336ba74b..7cb532ebe 100644 --- a/website/content/docs/enterprise/sentinel.mdx +++ b/website/content/docs/enterprise/sentinel.mdx @@ -19,8 +19,8 @@ description: >- Sentinel policies extend the ACL system in Consul beyond static "read", "write", and "deny" policies to support full conditional logic and integration with -external systems. [Learn more about Sentinel here.](https://docs.hashicorp.com/sentinel/concepts/). +external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts/) for high-level Sentinel concepts. To get started with Sentinel in Consul, -[read the general documentation](https://docs.hashicorp.com/sentinel/consul/) or +[read the general documentation](https://docs.hashicorp.com/sentinel/consul) or [Consul documentation](/docs/agent/sentinel). diff --git a/website/content/docs/enterprise/upgrades.mdx b/website/content/docs/enterprise/upgrades.mdx index fc5e844a3..49cecf99c 100644 --- a/website/content/docs/enterprise/upgrades.mdx +++ b/website/content/docs/enterprise/upgrades.mdx @@ -13,7 +13,7 @@ description: >- This feature requires HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. Refer to the{' '} - enterprise feature matrix + enterprise feature matrix {' '}for additional information. @@ -23,4 +23,4 @@ currently in a cluster. When an equal amount of new server nodes are joined runn will be demoted to non voting members. Demotion of legacy server nodes will not occur until the voting members on the new version match. Once this demotion occurs, the previous versioned servers can be removed from the cluster safely. -You can review more information about this functionality in the [Consul operator autopilot](/commands/operator/autopilot) documentation as well as on the HashiCorp Learn [Automated Upgrade](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations#upgrade-migrations) tutorial. +Review the [Consul operator autopilot](/commands/operator/autopilot) documentation and complete the [Automated Upgrade](https://learn.hashicorp.com/tutorials/consul/autopilot-datacenter-operations#upgrade-migrations) tutorial to learn more about automated upgrades. diff --git a/website/content/docs/guides/index.mdx b/website/content/docs/guides/index.mdx index b3d68af99..744cf2ee9 100644 --- a/website/content/docs/guides/index.mdx +++ b/website/content/docs/guides/index.mdx @@ -9,9 +9,9 @@ description: |- # Consul Guides -~> The Consul guides have moved to the [HashiCorp Learn platform](https://learn.hashicorp.com/consul?utm_source=consul.io&utm_medium=docs&utm_content=guide-index). +~> The Consul guides are now Consul [tutorials](https://learn.hashicorp.com/consul). -[Guides](https://learn.hashicorp.com/consul?utm_source=consul.io&utm_medium=docs&utm_content=guide-index) are step by step command-line +[Guides](https://learn.hashicorp.com/consul) are step by step command-line walkthroughs that demonstrate how to perform common operations using Consul, and complement the feature-focused Consul documentation. @@ -36,5 +36,3 @@ Tracks include: - Service Segmentation and Consul Connect - Service Configuration and Consul KV - Cloud and Load Balancer Integrations - -[**Explore the Learn platform**](https://learn.hashicorp.com/consul?utm_source=consul.io&utm_medium=docs&utm_content=guide-index) diff --git a/website/content/docs/index.mdx b/website/content/docs/index.mdx index 6388baf51..ff6de5d2a 100644 --- a/website/content/docs/index.mdx +++ b/website/content/docs/index.mdx @@ -12,9 +12,8 @@ Welcome to the Consul documentation! The documentation is reference material for all available features and options of Consul In the Quick Links below, you will find the most commonly used documentation -and a link to our guides that walk you through common tasks. Note that the -guides are located on the HashiCorp Learn site. +and a link to our guides that guide you through common tasks. - Follow [the documentation](/docs/install) to install Consul either with a precompiled binary or from source. - Read more about the [configuration options](/docs/agent/config) for Consul servers and clients. -- Get started using Consul with our step-by-step guides at [HashiCorp Learn](https://learn.hashicorp.com/consul). +- Get started using Consul by completing the step-by-step [tutorials](https://learn.hashicorp.com/consul). diff --git a/website/content/docs/install/index.mdx b/website/content/docs/install/index.mdx index da8d113fc..251624f08 100644 --- a/website/content/docs/install/index.mdx +++ b/website/content/docs/install/index.mdx @@ -20,11 +20,11 @@ Downloading a precompiled binary is easiest, and we provide downloads over TLS along with SHA256 sums to verify the binary. We also distribute a PGP signature with the SHA256 sums that can be verified. -The [Getting Started guides](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=consul.io&utm_medium=docs) provide a quick walkthrough of installing and using Consul on your local machine. +The [Getting Started guides](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=docs) provide a quick walkthrough of installing and using Consul on your local machine. ## Precompiled Binaries -To install the precompiled binary, [download](/downloads) the appropriate +To install the precompiled binary, [download](/install) the appropriate package for your system. Consul is currently packaged as a zip file. We do not have any near term plans to provide system packages. diff --git a/website/content/docs/install/performance.mdx b/website/content/docs/install/performance.mdx index e5824963c..b3e560316 100644 --- a/website/content/docs/install/performance.mdx +++ b/website/content/docs/install/performance.mdx @@ -146,7 +146,7 @@ set size. You can determine the working set size by noting the value of ## Read/Write Tuning -Consul is write limited by disk I/O and read limited by CPU. Memory requirements will be dependent on the total size of KV pairs stored and should be sized according to that data (as should the hard drive storage). The limit on a key’s value size is `512KB`. +Consul is write limited by disk I/O and read limited by CPU. Memory requirements will be dependent on the total size of KV pairs stored and should be sized according to that data (as should the hard drive storage). The limit on a key's value size is `512KB`. -> Consul is write limited by disk I/O and read limited by CPU. @@ -166,7 +166,7 @@ It should be noted that `stale` is not appropriate for coordination where strong **Read-heavy** clusters may take advantage of the [enhanced reading](/docs/enterprise/read-scale) feature (Enterprise) for better scalability. This feature allows additional servers to be introduced as non-voters. Being a non-voter, the server will still participate in data replication, but it will not block the leader from committing log entries. -Consul’s agents use network sockets for communicating with the other nodes (gossip) and with the server agent. In addition, file descriptors are also opened for watch handlers, health checks, and log files. For a **write heavy** cluster, the `ulimit` size must be increased from the default value (`1024`) to prevent the leader from running out of file descriptors. +Consul's agents use network sockets for communicating with the other nodes (gossip) and with the server agent. In addition, file descriptors are also opened for watch handlers, health checks, and log files. For a **write heavy** cluster, the `ulimit` size must be increased from the default value (`1024`) to prevent the leader from running out of file descriptors. To prevent any CPU spikes from a misconfigured client, RPC requests to the server should be [rate limited](/docs/agent/config/config-files#limits) diff --git a/website/content/docs/download-tools.mdx b/website/content/docs/integrate/download-tools.mdx similarity index 93% rename from website/content/docs/download-tools.mdx rename to website/content/docs/integrate/download-tools.mdx index 51da01366..a42e1c64d 100644 --- a/website/content/docs/download-tools.mdx +++ b/website/content/docs/integrate/download-tools.mdx @@ -16,14 +16,13 @@ These Consul tools are created and managed by the dedicated engineers at HashiCo - [Envconsul](https://github.com/hashicorp/envconsul) - Read and set environmental variables for processes from Consul. - [Consul API Gateway](https://github.com/hashicorp/consul-api-gateway/) - dedicated ingress solution for intelligently routing traffic to applications running on a Consul Service Mesh. -- [Consul ESM](https://github.com/hashicorp/consul-esm) - Provides external service monitoring for Consul. A tutorial is available on [HashiCorp Learn](https://learn.hashicorp.com/tutorials/consul/service-registration-external-services). +- [Consul ESM](https://github.com/hashicorp/consul-esm) - Provides external service monitoring for Consul. Complete the [tutorial]((https://learn.hashicorp.com/tutorials/consul/service-registration-external-services?utm_source=docs)) to learn more. - [Consul Migrate](https://github.com/hashicorp/consul-migrate) - Data migration tool to handle Consul upgrades to 0.5.1+ - [Consul Replicate](https://github.com/hashicorp/consul-replicate) - Consul cross-DC KV replication daemon. -- [Consul Template](https://github.com/hashicorp/consul-template) - Generic template rendering and notifications with Consul. A step by step tutorial is available on [HashiCorp Learn](https://learn.hashicorp.com/tutorials/consul/consul-template). +- [Consul Template](https://github.com/hashicorp/consul-template) - Generic template rendering and notifications with Consul. Complete the [tutorial](https://learn.hashicorp.com/tutorials/consul/consul-template?utm_source=docs) to the learn more. - [Consul-Terraform Sync](https://github.com/hashicorp/consul-terraform-sync) - enables dynamic updates to network infrastructure devices triggered by service -changes. A tutorial is available on [HashiCorp -Learn](https://learn.hashicorp.com/collections/consul/network-infrastructure-automation?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) +changes. Complete the [tutorial](https://learn.hashicorp.com/collections/consul/network-infrastructure-automation?utm_source=docs) to learn more. ## Community Tools diff --git a/website/content/docs/integrate/nia-integration.mdx b/website/content/docs/integrate/nia-integration.mdx index 787c3e18b..73a0f7859 100644 --- a/website/content/docs/integrate/nia-integration.mdx +++ b/website/content/docs/integrate/nia-integration.mdx @@ -6,7 +6,7 @@ description: Guide to partnership integrations for Consul NIA # Network Infrastructure Automation Integration Program -HashiCorp’s Network Infrastructure Automation (NIA) Integration Program allows partners to build integrations that allow customers to automate dynamic application workflows leveraging network and security infrastructure at runtime. Detailed below is the approach to integrate your networking technology along with the clearly defined steps, links to information sources, and checkpoints. +HashiCorp's Network Infrastructure Automation (NIA) Integration Program allows partners to build integrations that allow customers to automate dynamic application workflows leveraging network and security infrastructure at runtime. Detailed below is the approach to integrate your networking technology along with the clearly defined steps, links to information sources, and checkpoints. ## Network Infrastructure Automation @@ -20,7 +20,7 @@ Consul-Terraform-Sync executes one or more automation tasks with an appropriate ## NIA Program Steps -The NIA Integration Program has six steps. By following these steps, Consul-Terraform-Sync compatible Terraform modules can be developed. They are then published as “verified” Consul-Terraform-Sync modules on the [NIA page consul.io](/use-cases/network-infrastructure-automation). +The NIA Integration Program has six steps. By following these steps, Consul-Terraform-Sync compatible Terraform modules can be developed. They are then published as “verified” Consul-Terraform-Sync modules on the [NIA page consul.io](https://www.consul.io/use-cases/network-infrastructure-automation). -> **Note:** A prerequisite to be eligible for NIA Integration program includes having a “verified” provider on Terraform registry for the appropriate technology. Please follow the guidelines to enroll in the Terraform Provider Development Program if you do not presently have a “verified” provider. @@ -43,14 +43,14 @@ Consul-Terraform-Sync compatible Terraform module development process is fairly - Consul [documentation](/docs) - Consul-Terraform-Sync [documentation](/docs/nia) -- Writing Consul-Terraform-Sync compatible Terraform modules using our [guide](/docs/nia/terraform-modules) and [tutorial](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-module?in=consul/network-infrastructure-automation) +- Writing Consul-Terraform-Sync compatible Terraform modules using our [guide](/docs/nia/terraform-modules) and [tutorial](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-module?utm_source=docs) - Example Terraform Modules for reference: [PAN-OS](https://registry.terraform.io/modules/PaloAltoNetworks/dag-nia/panos/latest), [Simple Print Module](https://registry.terraform.io/modules/findkim/print/cts/latest) and a [Template to structure your Terraform Modules](https://github.com/hashicorp/consul-terraform-sync-template-module) -- Publishing to the Terraform Registry [guidelines](https://www.terraform.io/docs/registry/modules/publish.html) +- Publishing to the Terraform Registry [guidelines](https://www.terraform.io/registry/modules/publish) ### 3. Develop & Test -Terraform modules are written in HashiCorp Configuration Language (HCL). Writing [Terraform modules](https://www.terraform.io/docs/modules/index.html) or a [tutorial to build a module](https://learn.hashicorp.com/tutorials/terraform/module-create) are good resources to begin writing a new module. -Consul-Terraform-Sync compatible modules follow the [standard module structure](https://www.terraform.io/docs/modules/index.html#standard-module-structure). Modules can use syntax supported by Terraform version 0.13, or higher. Consul-Terraform-Sync is designed to integrate with any module that satisfies these [specifications](/docs/nia/terraform-modules#module-specifications). The guide will give you an introduction of the code structure and the basics of authoring a plugin that Terraform can interact with. +Terraform modules are written in HashiCorp Configuration Language (HCL). Writing [Terraform modules](https://www.terraform.io/language/modules/develop) or a [tutorial to build a module](https://learn.hashicorp.com/tutorials/terraform/module-create) are good resources to begin writing a new module. +Consul-Terraform-Sync compatible modules follow the [standard module structure](https://www.terraform.io/language/modules/develop). Modules can use syntax supported by Terraform version 0.13, or higher. Consul-Terraform-Sync is designed to integrate with any module that satisfies these [specifications](/docs/nia/terraform-modules#module-specifications). The guide will give you an introduction of the code structure and the basics of authoring a plugin that Terraform can interact with. It is recommended that partners develop modules that cater to specific workflows on an individual platform in their product portfolio rather than having overarching modules that try to cover multiple workflows across different platforms. This is to keep the automation modular and adoptable by a broad set of users with varying network infrastructure topologies. Partners are encouraged to test the functionality of the modules against their supported platforms. @@ -78,7 +78,7 @@ All Consul-Terraform-Sync compatible modules follow a naming convention: `terraf During the review process, HashiCorp will provide feedback on the newly developed Consul-Terraform-Sync compatible Terraform module. Please engage in the review process once one or two sample modules have been developed. Begin the process by emailing nia-integration-dev@hashicorp.com with a URL to the public GitHub repo containing the code. -HashiCorp will then review the module, and the documentation. The documentation should clearly indicate the compatibility with Consul-Terraform-Sync software version(s) and partner platform’s software version(s). +HashiCorp will then review the module, and the documentation. The documentation should clearly indicate the compatibility with Consul-Terraform-Sync software version(s) and partner platform's software version(s). Once the module development has been completed another email should be sent to nia-integration-dev@hashicorp.com along with a URL to the public GitHub repo containing the code requesting the final code review. HashiCorp will review the module and provide feedback about any changes that may be required. This is often an iterative process and can take some time to get done. diff --git a/website/content/docs/integrate/partnerships.mdx b/website/content/docs/integrate/partnerships.mdx index 057e3464c..327a84910 100644 --- a/website/content/docs/integrate/partnerships.mdx +++ b/website/content/docs/integrate/partnerships.mdx @@ -16,7 +16,7 @@ The program is intended to be largely self-service with links to resources, code ## Categories of Consul Integrations -By leveraging Consul’s RESTful HTTP API system, prospective partners are able to build extensible integrations at the data plane, platform, and the infrastructure layer to extend Consul’s functionalities. These integrations can be performed both with the open source version of Consul, Consul Enterprise, and HCP Consul. +By leveraging Consul's RESTful HTTP API system, prospective partners are able to build extensible integrations at the data plane, platform, and the infrastructure layer to extend Consul's functionalities. These integrations can be performed both with the open source version of Consul, Consul Enterprise, and HCP Consul. **The Consul ecosystem of integrations:** @@ -26,19 +26,19 @@ By leveraging Consul’s RESTful HTTP API system, prospective partners are able -**Data Plane**: These integrations extend Consul’s certificate management, secure ACL configuration, observability metrics and logging, and service discovery that allows for dynamic service mapping APM and logging tools, extend sidecar proxies to support Consul connect, and extend API gateways to allow Consul to route incoming traffic to the proxies for Connect-enabled services. +**Data Plane**: These integrations extend Consul's certificate management, secure ACL configuration, observability metrics and logging, and service discovery that allows for dynamic service mapping APM and logging tools, extend sidecar proxies to support Consul connect, and extend API gateways to allow Consul to route incoming traffic to the proxies for Connect-enabled services. **Control Plane**: Consul has a client-server architecture and is the control plane for the service mesh. **Platform**: These integrations leverage automation of Consul agent deployment, configuration, and management. Designed to be platform agnostic, Consul can be deployed in a variety of form factors, including major Public Cloud providers (AWS, GCP, Azure) as well as in bare-metal, virtual machine, and container (Docker, Kubernetes) environments. They include the Consul agent running in both client and server mode. -**Infrastructure**: There are two integration options in this category: natively through a direct integration with Consul or via Consul-Terraform-Sync (CTS). By leveraging Consul’s powerful **Network Infrastructure Automation (NIA)*** capabilities through CTS, changes in an infrastructure are seamlessly automated when Consul detects a change in its service catalog. For example, these integrations could be used to automate IP updates of load balancers or firewall security policies by leveraging Consul service discovery. +**Infrastructure**: There are two integration options in this category: natively through a direct integration with Consul or via Consul-Terraform-Sync (CTS). By leveraging Consul's powerful **Network Infrastructure Automation (NIA)*** capabilities through CTS, changes in an infrastructure are seamlessly automated when Consul detects a change in its service catalog. For example, these integrations could be used to automate IP updates of load balancers or firewall security policies by leveraging Consul service discovery. --> **Network Infrastructure Automation (NIA)***: These integrations leverage Consul’s service catalog to seamlessly integrate with Consul-Terraform-Sync (CTS) to automate changes in network infrastructure via a publisher-subscriber method. More details can be found [here](/docs/integrate/nia-integration). +-> **Network Infrastructure Automation (NIA)***: These integrations leverage Consul's service catalog to seamlessly integrate with Consul-Terraform-Sync (CTS) to automate changes in network infrastructure via a publisher-subscriber method. More details can be found [here](/docs/integrate/nia-integration). -**HCP Consul**: HCP Consul is secure by default and offers an enterprise-level service level agreement (SLA) to deploy an organization’s most important applications. Sign up for HCP Consul is free and available [here](https://cloud.hashicorp.com/products/consul). +**HCP Consul**: HCP Consul is secure by default and offers an enterprise-level service level agreement (SLA) to deploy an organization's most important applications. Sign up for HCP Consul is free and available [here](https://cloud.hashicorp.com/products/consul). -**Consul integration verification badges**: Partners will be issued the Consul Enterprise badge for integrations that work with [Consul Enterprise features](https://www.consul.io/docs/enterprise) such as namespaces. Partners will be issued the HCP Consul badge for integrations validated to work with [HCP Consul](https://cloud.hashicorp.com/docs/consul/features). Each badge would be displayed on HashiCorp’s partner page as well as be available for posting on the partner’s own website to provide better visibility and differentiation of the integration for joint customers. +**Consul integration verification badges**: Partners will be issued the Consul Enterprise badge for integrations that work with [Consul Enterprise features](https://www.consul.io/docs/enterprise) such as namespaces. Partners will be issued the HCP Consul badge for integrations validated to work with [HCP Consul](https://cloud.hashicorp.com/docs/consul/features). Each badge would be displayed on HashiCorp's partner page as well as be available for posting on the partner's own website to provide better visibility and differentiation of the integration for joint customers. @@ -89,7 +89,7 @@ Here are links to resources, documentation, examples and best practices to guide **API Gateway** -- [Ambassador Integration documentation](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateway-ambassador) +- [Ambassador Integration documentation](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateway-ambassador?utm_source=docs) - [F5 Terminating Gateway Integration Documentation](https://www.hashicorp.com/integrations/f5-networks/consul) - [Traefik Integration with Consul Service Mesh](https://traefik.io/blog/integrating-consul-connect-service-mesh-with-traefik-2-5/) - [Kong's Ingress Controller Integration with Consul](https://www.hashicorp.com/integrations/kong/consul) @@ -109,14 +109,14 @@ Here are links to resources, documentation, examples and best practices to guide #### Platform: -- [Consul-AWS for AWS Cloud Map](https://learn.hashicorp.com/tutorials/consul/sync-aws-services) +- [Consul-AWS for AWS Cloud Map](https://learn.hashicorp.com/tutorials/consul/sync-aws-services?utm_source=docs) - [Consul Integration with AWS ECS](/docs/ecs/get-started/install) - [Consul Integration with Layer5 Meshery](https://www.hashicorp.com/integrations/layer5-io/consul) -- [Consul Integration with VMware Tanzu Application Service](https://learn.hashicorp.com/tutorials/consul/sync-pivotal-cloud-services) +- [Consul Integration with VMware Tanzu Application Service](https://learn.hashicorp.com/tutorials/consul/sync-pivotal-cloud-services?utm_source=docs) #### Infrastructure: --> **Note**: The types of integration areas below could be developed to natively work with Consul or through leveraging Consul-Terraform-Sync and Consul’s network automation capabilities. +-> **Note**: The types of integration areas below could be developed to natively work with Consul or through leveraging Consul-Terraform-Sync and Consul's network automation capabilities. **Firewalls** @@ -133,32 +133,32 @@ Here are links to resources, documentation, examples and best practices to guide **Load Balancer** -- [Load Balancing with NGINX and Consul Template](https://learn.hashicorp.com/tutorials/consul/load-balancing-nginx) -- [Load Balancing with HAProxy Service Discovery](https://learn.hashicorp.com/tutorials/consul/load-balancing-haproxy) +- [Load Balancing with NGINX and Consul Template](https://learn.hashicorp.com/tutorials/consul/load-balancing-nginx?utm_source=docs) +- [Load Balancing with HAProxy Service Discovery](https://learn.hashicorp.com/tutorials/consul/load-balancing-haproxy?utm_source=docs) **Network Infrastructure Automation \(using CTS\):** - - [Automate F5 BIG-IP with Consul NIA](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-f5-bigip-fast?in=consul/network-infrastructure-automation) + - [Automate F5 BIG-IP with Consul NIA](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-f5-bigip-fast?utm_source=docs) - [Automate VMware Advanced Load Balancers (Avi) with Consul NIA](https://www.hashicorp.com/integrations/_vmware/consul) **Application Delivery Controllers \(ADC\):** -- [Automate A10 ADC with Consul NIA](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-a10-adc?in=consul/network-infrastructure-automation) +- [Automate A10 ADC with Consul NIA](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-a10-adc?utm_source=docs) - [Automate Citrix ADC with Consul NIA](https://www.hashicorp.com/integrations/citrix-adc/consul) ### 3. Develop and Test The only knowledge necessary to write a plugin is basic command-line skills and knowledge of the [Go programming language](http://www.golang.org). Use the plugin interface to develop your integration. All integrations should contain unit and acceptance testing. -**HCP Consul**: The process to configure a testing instance of HCP consul [is very simple](https://learn.hashicorp.com/tutorials/cloud/get-started-consul). HCP has been designed as a HashiCorp managed service so configuration is minimal as only Consul client agents need to be installed. Furthermore, HashiCorp provides all new users an initial credit which should last approximately 2 months using a [development cluster](https://cloud.hashicorp.com/pricing/consul). When deployed with AWS free tier services, there should be no cost beyond the time spent by the designated tester. +**HCP Consul**: The process to configure a testing instance of HCP consul [is very simple](https://learn.hashicorp.com/tutorials/cloud/consul-introduction?utm_source=docs). HCP has been designed as a HashiCorp managed service so configuration is minimal as only Consul client agents need to be installed. Furthermore, HashiCorp provides all new users an initial credit which should last approximately 2 months using a [development cluster](https://cloud.hashicorp.com/products/consul/pricing). When deployed with AWS free tier services, there should be no cost beyond the time spent by the designated tester. -Please note that HCP Consul is currently only deployed on AWS so the partner’s application should be able to be deployed or run in AWS. For more information, please refer to [Peering an HVN to an AWS VPC for HCP Consul](https://www.youtube.com/watch?v=vuKjkIGYZlU). +Please note that HCP Consul is currently only deployed on AWS so the partner's application should be able to be deployed or run in AWS. For more information, please refer to [Peering an HVN to an AWS VPC for HCP Consul](https://www.youtube.com/watch?v=vuKjkIGYZlU). #### HCP Consul Resource Links: -- [Getting Started with HCP Consul](https://learn.hashicorp.com/tutorials/cloud/get-started-consul?in=consul/cloud-get-started) +- [Getting Started with HCP Consul](https://learn.hashicorp.com/tutorials/cloud/consul-introduction?utm_source=docs) - [Peering an HVN to a VPC for HCP Consul](https://www.youtube.com/watch?v=vuKjkIGYZlU) -- [Connecting a Consul Client to HCP Consul](https://learn.hashicorp.com/tutorials/cloud/consul-client-virtual-machines?in=consul/cloud-get-started) +- [Connecting a Consul Client to HCP Consul](https://learn.hashicorp.com/tutorials/cloud/consul-client-aws-ec2?utm_source=docs) - [Monitoring HCP Consul with Datadog](https://docs.datadoghq.com/integrations/guide/hcp-consul/) **Consul Enterprise**: An integration qualifies for Consul Enterprise when it is tested and compatible with Consul Enterprise Namespaces. diff --git a/website/content/docs/intro/index.mdx b/website/content/docs/intro/index.mdx index 3a14541bd..c1ce0b593 100644 --- a/website/content/docs/intro/index.mdx +++ b/website/content/docs/intro/index.mdx @@ -15,9 +15,8 @@ Welcome to the intro guide to Consul! This guide is the best place to start with Consul. We cover what Consul is, what problems it can solve, how it compares to existing software, and how you can get started using it. If you are familiar with the basics of Consul, the [documentation](/docs) provides a more -detailed reference of available features. If you're ready to get hands-on -experience, deploy Consul locally with our -[HashiCorp Learn tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-install). +detailed reference of available features. Complete the [Get Started](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=docs) tutorials for a step-by-step guide on how +to use Consul. ## Why Consul? @@ -115,5 +114,5 @@ forward the request to the remote datacenter and return the result. ## Next Steps -Continue onwards with [HashiCorp Learn](https://learn.hashicorp.com/tutorials/consul/get-started-install) +Complete the [Get Started](https://learn.hashicorp.com/tutorials/consul/get-started-install?utm_source=docs) tutorials to learn more about Consul and how to get Consul up and running. diff --git a/website/content/docs/intro/usecases/index.mdx b/website/content/docs/intro/usecases/index.mdx deleted file mode 100644 index 2f2b4b324..000000000 --- a/website/content/docs/intro/usecases/index.mdx +++ /dev/null @@ -1,9 +0,0 @@ ---- -layout: docs -page_title: usecases -description: >- - Consul Service Mesh can be deployed on AWS ECS (Elastic Container Service). - This section documents the official installation of Consul on ECS. ---- - -lals diff --git a/website/content/docs/k8s/architecture.mdx b/website/content/docs/k8s/architecture.mdx index 3a6e6ae32..ec020c3e3 100644 --- a/website/content/docs/k8s/architecture.mdx +++ b/website/content/docs/k8s/architecture.mdx @@ -16,7 +16,7 @@ Refer to the standard [production deployment guide](https://learn.hashicorp.com/ The server agents are deployed as a `StatefulSet` and use persistent volume claims to store the server state. This also ensures that the -[node ID](/docs/agent/options#_node_id) is persisted so that servers +[node ID](/docs/agent/config/config-files#node_id) is persisted so that servers can be rescheduled onto new IP addresses without causing issues. The server agents are configured with [anti-affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) diff --git a/website/content/docs/k8s/connect/connect-ca-provider.mdx b/website/content/docs/k8s/connect/connect-ca-provider.mdx index ba89f9e6e..55f082689 100644 --- a/website/content/docs/k8s/connect/connect-ca-provider.mdx +++ b/website/content/docs/k8s/connect/connect-ca-provider.mdx @@ -21,7 +21,7 @@ To configure an external CA provider via the Consul Helm chart, you need to foll 1. Create a Kubernetes secret containing the configuration file. 1. Reference the Kubernetes secret in the [`server.extraVolumes`](/docs/k8s/helm#v-server-extravolumes) value in the Helm chart. -To configure the Vault Connect Provider please see [Vault as the Service Mesh Certificate Provider on Kubernetes](/docs/k8s/installation/vault/data-integration/connect-ca). +To configure the Vault Connect Provider please see [Vault as the Service Mesh Certificate Provider on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca). ~> **NOTE:** The following instructions are only valid for Consul-k8s 0.37.0 and prior. diff --git a/website/content/docs/k8s/connect/ingress-gateways.mdx b/website/content/docs/k8s/connect/ingress-gateways.mdx index ab177934a..5a4fd863d 100644 --- a/website/content/docs/k8s/connect/ingress-gateways.mdx +++ b/website/content/docs/k8s/connect/ingress-gateways.mdx @@ -178,7 +178,7 @@ $ kubectl apply --filename service-intentions.yaml serviceintentions.consul.hashicorp.com/ingress-gateway created ``` -For detailed instructions on how to configure zero-trust networking with intentions please refer to this [guide](https://learn.hashicorp.com/tutorials/consul/service-mesh-zero-trust-network). +For detailed instructions on how to configure zero-trust networking with intentions please refer to this [guide](https://learn.hashicorp.com/tutorials/consul/service-mesh-zero-trust-network?utm_source=docs). ## Deploying your application to Kubernetes diff --git a/website/content/docs/k8s/connect/observability/metrics.mdx b/website/content/docs/k8s/connect/observability/metrics.mdx index 349cd3f49..109c2d3e0 100644 --- a/website/content/docs/k8s/connect/observability/metrics.mdx +++ b/website/content/docs/k8s/connect/observability/metrics.mdx @@ -108,7 +108,7 @@ global: ## Metrics in the UI Topology Visualization -Consul’s built-in UI has a topology visualization for services part of the Consul Service Mesh. The topology visualization has the ability to fetch basic metrics from a metrics provider for each service and display those metrics as part of the [topology visualization](/docs/connect/observability/ui-visualization). +Consul's built-in UI has a topology visualization for services part of the Consul Service Mesh. The topology visualization has the ability to fetch basic metrics from a metrics provider for each service and display those metrics as part of the [topology visualization](/docs/connect/observability/ui-visualization). The diagram below illustrates how the UI displays service metrics for a sample application: @@ -137,7 +137,7 @@ The Prometheus deployment is designed to allow quick bootstrapping for trial and Prometheus will be installed in the same namespace as Consul, and will be installed and uninstalled along with the Consul installation. -Grafana can optionally be utilized with Prometheus to display metrics. The installation and configuration of Grafana must be managed separately from the Consul Helm chart. The [Layer 7 Observability with Prometheus, Grafana, and Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-layer7-observability?in=consul/kubernetes)) tutorial provides an installation walkthrough using Helm. +Grafana can optionally be utilized with Prometheus to display metrics. The installation and configuration of Grafana must be managed separately from the Consul Helm chart. The [Layer 7 Observability with Prometheus, Grafana, and Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-layer7-observability?in=consul/kubernetes?in=consul/kubernetes)) tutorial provides an installation walkthrough using Helm. ```yaml prometheus: diff --git a/website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx b/website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx index 9b889557e..f960e6ada 100644 --- a/website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx @@ -75,5 +75,5 @@ There are three networking requirements: Now that you have an overview of federation, proceed to either the [Federation Between Kubernetes Clusters](/docs/k8s/installation/multi-cluster/kubernetes) -or [Federation Between VMs and Kubernetes](/docs/k8s/installation/multi-cluster/vms-and-kubernetes) +or [Federation Between VMs and Kubernetes](/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes) pages depending on your use case. diff --git a/website/content/docs/k8s/deployment-configurations/multi-cluster/kubernetes.mdx b/website/content/docs/k8s/deployment-configurations/multi-cluster/kubernetes.mdx index 00c0611d9..5954d96e3 100644 --- a/website/content/docs/k8s/deployment-configurations/multi-cluster/kubernetes.mdx +++ b/website/content/docs/k8s/deployment-configurations/multi-cluster/kubernetes.mdx @@ -11,9 +11,9 @@ description: >- ~> This topic requires familiarity with [Mesh Gateways](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters) and [WAN Federation Via Mesh Gateways](/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways). --> Looking for a step-by-step guide? Please follow our Learn tutorial: [Secure and Route Service Mesh Communication Across Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways). +-> Looking for a step-by-step guide? Complete the [Secure and Route Service Mesh Communication Across Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways?utm_source=docs) tutorial to learn more. -This page describes how to federate multiple Kubernetes clusters. See [Multi-Cluster Overview](/docs/k8s/installation/multi-cluster) +This page describes how to federate multiple Kubernetes clusters. See [Multi-Cluster Overview](/docs/k8s/deployment-configurations/multi-cluster) for more information on use-cases and how it works. ## Primary Datacenter @@ -465,12 +465,12 @@ in the top left: ## Next Steps -With your Kubernetes clusters federated, try out using Consul service mesh to -route between services deployed on each cluster by following our Learn tutorial: [Secure and Route Service Mesh Communication Across Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways#deploy-microservices). +With your Kubernetes clusters federated, complete the [Secure and Route Service Mesh Communication Across Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways?utm_source=docs#deploy-microservices) tutorial to learn how to use Consul service mesh to +route between services deployed on each cluster. You can also read our in-depth documentation on [Consul Service Mesh In Kubernetes](/docs/k8s/connect). -If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our [Migrate to Microservices with Consul Service Mesh on Kubernetes](https://learn.hashicorp.com/collections/consul/microservices?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) +If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our [Migrate to Microservices with Consul Service Mesh on Kubernetes](https://learn.hashicorp.com/collections/consul/microservices?utm_source=docs) collection uses an example application written by a fictional company to illustrate why and how organizations can migrate from monolith to microservices using Consul service mesh on Kubernetes. The case study in this collection should provide information valuable for understanding how to develop services that leverage Consul during any stage diff --git a/website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx b/website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx index 2df99b16b..60d28bf7f 100644 --- a/website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx +++ b/website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx @@ -356,5 +356,5 @@ to allow traffic between datacenters. ## Next Steps -In both cases (Kubernetes as primary or secondary), after installation, follow the [Verifying Federation](/docs/k8s/installation/multi-cluster/kubernetes#verifying-federation) +In both cases (Kubernetes as primary or secondary), after installation, follow the [Verifying Federation](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#verifying-federation) section to verify that federation is working as expected. diff --git a/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx b/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx index 94260ac16..6d0f3bcf0 100644 --- a/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx +++ b/website/content/docs/k8s/deployment-configurations/servers-outside-kubernetes.mdx @@ -23,7 +23,7 @@ their pod IPs (`false`). Finally, `client.join` is set to an array of valid [`-retry-join` values](/docs/agent/config/cli-flags#retry-join). In the -example above, a fake [cloud auto-join](/docs/agent/cloud-auto-join) +example above, a fake [cloud auto-join](/docs/install/cloud-auto-join) value is specified. This should be set to resolve to the proper addresses of your existing Consul cluster. @@ -46,7 +46,7 @@ client: -> **Networking:** Note that for the Kubernetes nodes to join an existing cluster, the nodes (and specifically the agent pods) must be able to connect -to all other server and client agents inside and _outside_ of Kubernetes over [LAN](/docs/glossary#lan-gossip). +to all other server and client agents inside and _outside_ of Kubernetes over [LAN](/docs/install/glossary#lan-gossip). If this isn't possible, consider running a separate Consul cluster inside Kubernetes and federating it with your cluster outside Kubernetes. You may also consider adopting Consul Enterprise for diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx index 3d5a3d39a..29cc159cd 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx @@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx index 46f53ec97..57b002607 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx @@ -25,8 +25,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Create Vault policy diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx index 08d7e16f1..f65c3930f 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx @@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx index 828b19307..6ed5cc50b 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx @@ -22,8 +22,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault First, generate and store the gossip key in Vault. You will only need to perform this action once: diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx index a7669f549..360e1204d 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx @@ -157,7 +157,7 @@ The following secrets can be stored in Vault KV secrets engine, which is meant t The following TLS certificates and keys can generated and managed by Vault the Vault PKI Engine, which is meant to handle things like certificate expiration and rotation: - [Server TLS credentials](/docs/k8s/installation/vault/data-integration/server-tls) - [Service Mesh and Consul client TLS credentials](/docs/k8s/installation/vault/data-integration/connect-ca) -- [Vault as the Webhook Certificate Provider for Consul Controller and Connect Inject on Kubernetes](/docs/k8s/installation/vault/data-integration/webhook-certs) +- [Vault as the Webhook Certificate Provider for Consul Controller and Connect Inject on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs) ## Secrets to Service Account Mapping Read through the [detailed data integration guides](#detailed-data-integration-guides) that are pertinent to your environment. diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx index 98c764fc5..88463e89e 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx @@ -22,8 +22,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx index f17c3fcb7..04d20e0f7 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx @@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx index 382a53ed9..902684365 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx @@ -75,7 +75,7 @@ To use Vault to issue Server TLS certificates, you will need to create the follo $ vault policy write consul-server consul-server-policy.hcl ``` -1. Create a policy that allows `["read"]` access to the [CA URL](https://www.vaultproject.io/api/secret/pki#read-certificate), +1. Create a policy that allows `["read"]` access to the [CA URL](https://www.vaultproject.io/api-docs/secret/pki), this is required for the Consul components to communicate with the Consul servers in order to fetch their auto-encryption certificates. The path to the secret referenced in the `path` resource is the same value that you will configure in the `global.tls.caCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)). diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx index 6a0d913cd..3f03b45c3 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx @@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx index 4615a040c..7aa4c016a 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx @@ -72,7 +72,7 @@ Issue the following commands to enable and configure the PKI Secrets Engine to s ``` ## Create Vault Policies 1. Create a policy that allows `["create", "update"]` access to the -[certificate issuing URL](https://www.vaultproject.io/api/secret/pki#generate-certificate) so Consul controller and connect inject can fetch a new certificate/key pair and provide it to the Kubernetes `mutatingwebhookconfiguration`. +[certificate issuing URL](https://www.vaultproject.io/api-docs/secret/pki) so Consul controller and connect inject can fetch a new certificate/key pair and provide it to the Kubernetes `mutatingwebhookconfiguration`. The path to the secret referenced in the `path` resource is the same value that you will configure in the `global.secretsBackend.vault.controller.tlsCert.secretName` and `global.secretsBackend.vault.connectInject.tlsCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)). diff --git a/website/content/docs/k8s/deployment-configurations/vault/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/index.mdx index 8a4b0c2fb..1fd1af5c8 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/index.mdx @@ -46,9 +46,9 @@ The following TLS certificates and keys can be generated and managed by the Vaul ## Next Steps The Vault integration with Consul on Kubernetes has two aspects or phases: -- [Systems Integration](/docs/k8s/installation/vault/systems-integration) - Configure Vault and Consul on Kubernetes systems to leverage Vault as the secrets store. +- [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) - Configure Vault and Consul on Kubernetes systems to leverage Vault as the secrets store. - [Data Integration](/docs/k8s/installation/vault/data-integration) - Configure specific secrets to be stored and retrieved from Vault for use with Consul on Kubernetes. -As a next step, please proceed to [Systems Integration](/docs/k8s/installation/vault/systems-integration) overview to understand how to first setup Vault and Consul on Kubernetes to leverage Vault as a secrets backend. +As a next step, please proceed to [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) overview to understand how to first setup Vault and Consul on Kubernetes to leverage Vault as a secrets backend. diff --git a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx b/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx index a48bcdb45..b51cb5c58 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx @@ -195,7 +195,7 @@ global: ## Next Steps -As a next step, please proceed to Vault integration with Consul on Kubernetes' [Data Integration](/docs/k8s/installation/vault/data-integration). +As a next step, please proceed to Vault integration with Consul on Kubernetes' [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration). ## Troubleshooting diff --git a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx b/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx index 37a13d64e..ad31da349 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx @@ -36,7 +36,7 @@ The two data centers will federated using mesh gateways. This communication top In this setup, you will deploy Vault server in the primary datacenter (dc1) Kubernetes cluster, which is also the primary Consul datacenter. You will configure your Vault Helm installation in the secondary datacenter (dc2) Kubernetes cluster to use it as an external server. This way there will be a single vault server cluster that will be used by both Consul datacenters. -~> **Note**: For demonstration purposes, you will deploy a Vault server in dev mode. For production installations, this is not recommended. Please visit the [Vault Deployment Guide](https://learn.hashicorp.com/tutorials/vault/raft-deployment-guide?in=vault/day-one-raft) for guidance on how to install Vault in a production setting. +~> **Note**: For demonstration purposes, you will deploy a Vault server in dev mode. For production installations, this is not recommended. Please visit the [Vault Deployment Guide](https://learn.hashicorp.com/tutorials/vault/raft-deployment-guide) for guidance on how to install Vault in a production setting. 1. Change your current Kubernetes context to target the primary datacenter (dc1). @@ -184,7 +184,7 @@ Repeat the following steps for each datacenter in the cluster: $ vault write auth/kubernetes-dc1/config kubernetes_host=https://kubernetes.default.svc ``` -1. Enable Vault as the secrets backend in the primary datacenter (dc1). However, you will not yet apply the Helm install command. You will issue the Helm upgrade command after the [Data Integration](/docs/k8s/installation/vault/wan-federation#setup-per-consul-datacenter-1) section. +1. Enable Vault as the secrets backend in the primary datacenter (dc1). However, you will not yet apply the Helm install command. You will issue the Helm upgrade command after the [Data Integration](/docs/k8s/deployment-configurations/vault/wan-federation#setup-per-consul-datacenter-1) section. @@ -286,7 +286,7 @@ Repeat the following steps for each datacenter in the cluster: kubernetes_ca_cert="${K8S_DC2_CA_CERT}" ``` -1. Enable Vault as the secrets backend in the secondary Consul datacenter (dc2). However, you will not yet apply the Helm install command. You will issue the Helm upgrade command after the [Data Integration](/docs/k8s/installation/vault/wan-federation#setup-per-consul-datacenter-1) section. +1. Enable Vault as the secrets backend in the secondary Consul datacenter (dc2). However, you will not yet apply the Helm install command. You will issue the Helm upgrade command after the [Data Integration](/docs/k8s/deployment-configurations/vault/wan-federation#setup-per-consul-datacenter-1) section. diff --git a/website/content/docs/k8s/helm.mdx b/website/content/docs/k8s/helm.mdx index 00fb721e0..9afceead3 100644 --- a/website/content/docs/k8s/helm.mdx +++ b/website/content/docs/k8s/helm.mdx @@ -360,7 +360,7 @@ Use these links to navigate to a particular top-level stanza. See https://www.consul.io/docs/agent/config/cli-flags#_recursor for more details. If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). - - `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure) + - `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure?utm_source=docs) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+. @@ -515,7 +515,7 @@ Use these links to navigate to a particular top-level stanza. This address must be reachable from the Consul servers in the primary datacenter. This auth method will be used to provision ACL tokens for Consul components and is different from the one used by the Consul Service Mesh. - Please see the [Kubernetes Auth Method documentation](https://consul.io/docs/acl/auth-methods/kubernetes). + Please see the [Kubernetes Auth Method documentation](/docs/security/acl/auth-methods/kubernetes). You can retrieve this value from your `kubeconfig` by running: @@ -526,7 +526,7 @@ Use these links to navigate to a particular top-level stanza. - `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh - - `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm chart’s components + - `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm chart's components to expose Prometheus metrics for the Consul service mesh. By default this includes gateway metrics and sidecar metrics. diff --git a/website/content/docs/k8s/index.mdx b/website/content/docs/k8s/index.mdx index 8504d6238..492f6eb54 100644 --- a/website/content/docs/k8s/index.mdx +++ b/website/content/docs/k8s/index.mdx @@ -11,7 +11,7 @@ description: >- # Kubernetes Consul has many integrations with Kubernetes. You can deploy Consul -to Kubernetes using the [Helm chart](/docs/k8s/installation/install#helm-chart-installation) or [Consul K8s CLI](/docs/k8s/installation/install#consul-k8s-cli-installation), sync services between Consul and +to Kubernetes using the [Helm chart](/docs/k8s/installation/install#helm-chart-installation) or [Consul K8s CLI](/docs/k8s/installation/install-cli#consul-k8s-cli-installation), sync services between Consul and Kubernetes, run Consul Service Mesh, and more. This section documents the official integrations between Consul and Kubernetes. @@ -40,33 +40,33 @@ There are several ways to try Consul with Kubernetes in different environments. **Tutorials** -- The [Getting Started with Consul Service Mesh track](https://learn.hashicorp.com/tutorials/consul/service-mesh-deploy?in=consul/gs-consul-service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) +- The [Getting Started with Consul Service Mesh track](https://learn.hashicorp.com/tutorials/consul/service-mesh-deploy?in=consul/gs-consul-service-mesh?utm_source=docs) provides guidance for installing Consul as service mesh for Kubernetes using the Helm chart, deploying services in the service mesh, and using intentions to secure service communications. -- The [Migrate to Microservices with Consul Service Mesh on Kubernetes](https://learn.hashicorp.com/collections/consul/microservices?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) +- The [Migrate to Microservices with Consul Service Mesh on Kubernetes](https://learn.hashicorp.com/collections/consul/microservices?utm_source=docs) collection uses an example application written by a fictional company to illustrate why and how organizations can migrate from monolith to microservices using Consul service mesh on Kubernetes. The case study in this collection should provide information valuable for understanding how to develop services that leverage Consul during any stage of your microservices journey. -- The [Consul and Minikube guide](https://learn.hashicorp.com/tutorials/consul/kubernetes-minikube?utm_source=consul.io&utm_medium=docs) is a quick step-by-step guide for deploying Consul with the official Helm chart on a local instance of Minikube. +- The [Consul and Minikube guide](https://learn.hashicorp.com/tutorials/consul/kubernetes-minikube?utm_source=docs) is a quick step-by-step guide for deploying Consul with the official Helm chart on a local instance of Minikube. - Review production best practices and cloud-specific configurations for deploying Consul on managed Kubernetes runtimes. - - The [Consul on Azure Kubernetes Service (AKS) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-aks-azure?utm_source=consul.io&utm_medium=docs) is a complete step-by-step guide on how to deploy Consul on AKS. The guide also allows you to practice deploying two microservices. - - The [Consul on Amazon Elastic Kubernetes Service (EKS) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-eks-aws?utm_source=consul.io&utm_medium=docs) is a complete step-by-step guide on how to deploy Consul on EKS. Additionally, it provides guidance on interacting with your datacenter with the Consul UI, CLI, and API. - - The [Consul on Google Kubernetes Engine (GKE) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-gke-google?utm_source=consul.io&utm_medium=docs) is a complete step-by-step guide on how to deploy Consul on GKE. Additionally, it provides guidance on interacting with your datacenter with the Consul UI, CLI, and API. + - The [Consul on Azure Kubernetes Service (AKS) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-aks-azure?utm_source=docs) is a complete step-by-step guide on how to deploy Consul on AKS. The guide also allows you to practice deploying two microservices. + - The [Consul on Amazon Elastic Kubernetes Service (EKS) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-eks-aws?utm_source=docs) is a complete step-by-step guide on how to deploy Consul on EKS. Additionally, it provides guidance on interacting with your datacenter with the Consul UI, CLI, and API. + - The [Consul on Google Kubernetes Engine (GKE) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-gke-google?utm_source=docs) is a complete step-by-step guide on how to deploy Consul on GKE. Additionally, it provides guidance on interacting with your datacenter with the Consul UI, CLI, and API. -- The [Consul and Kubernetes Reference Architecture](https://learn.hashicorp.com/tutorials/consul/kubernetes-reference-architecture?utm_source=consul.io&utm_medium=docs) guide provides recommended practices for production. +- The [Consul and Kubernetes Reference Architecture](https://learn.hashicorp.com/tutorials/consul/kubernetes-reference-architecture?utm_source=docs) guide provides recommended practices for production. -- The [Consul and Kubernetes Deployment](https://learn.hashicorp.com/tutorials/consul/kubernetes-deployment-guide?utm_source=consul.io&utm_medium=docs) tutorial covers the necessary steps to install and configure a new Consul cluster on Kubernetes in production. +- The [Consul and Kubernetes Deployment](https://learn.hashicorp.com/tutorials/consul/kubernetes-deployment-guide?utm_source=docs) tutorial covers the necessary steps to install and configure a new Consul cluster on Kubernetes in production. -- The [Secure Consul and Registered Services on Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-secure-agents?in=consul/kubernetes) tutorial covers +- The [Secure Consul and Registered Services on Kubernetes](https://learn.hashicorp.com/tutorials/consul/kubernetes-secure-agents?utm_source=docs) tutorial covers the necessary steps to secure a Consul cluster running on Kubernetes in production. -- The [Layer 7 Observability with Consul Service Mesh](https://learn.hashicorp.com/tutorials/consul/kubernetes-layer7-observability) tutorial covers monitoring a +- The [Layer 7 Observability with Consul Service Mesh](https://learn.hashicorp.com/tutorials/consul/kubernetes-layer7-observability?in=consul/kubernetes) tutorial covers monitoring a Consul service mesh running on Kubernetes with Prometheus and Grafana. **Documentation** diff --git a/website/content/docs/k8s/installation/install.mdx b/website/content/docs/k8s/installation/install.mdx index 4d77fa6a8..6c95c8a8f 100644 --- a/website/content/docs/k8s/installation/install.mdx +++ b/website/content/docs/k8s/installation/install.mdx @@ -343,7 +343,7 @@ spec: ## Next Steps -If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our [Migrate to Microservices with Consul Service Mesh on Kubernetes](https://learn.hashicorp.com/collections/consul/microservices?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) +If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our [Migrate to Microservices with Consul Service Mesh on Kubernetes](https://learn.hashicorp.com/collections/consul/microservices?utm_source=docs) collection uses an example application written by a fictional company to illustrate why and how organizations can migrate from monolith to microservices using Consul service mesh on Kubernetes. The case study in this collection should provide information valuable for understanding how to develop services that leverage Consul during any stage diff --git a/website/content/docs/k8s/k8s-cli.mdx b/website/content/docs/k8s/k8s-cli.mdx index 8f6467cbb..d85f56c39 100644 --- a/website/content/docs/k8s/k8s-cli.mdx +++ b/website/content/docs/k8s/k8s-cli.mdx @@ -8,7 +8,7 @@ description: >- # Consul on Kubernetes CLI Reference The Consul on Kubernetes CLI, `consul-k8s`, is a tool for managing Consul -that does not require direct interaction with Helm, the [Consul CLI](/commands/index), +that does not require direct interaction with Helm, the [Consul CLI](/commands), or `kubectl`. For guidance on how to install `consul-k8s`, refer to the @@ -126,7 +126,7 @@ This command lists proxies and their `Type`. Types of proxies include: - `Terminating Gateway`: These pods run a proxy to control connections to external services. Read more about [terminating gateways](/docs/k8s/connect/terminating-gateways). - `Mesh Gateway`: These pods run a proxy to manage connections between - Consul clusters connected using mesh federation. Read more about [Consul Mesh Federation](/docs/k8s/installation/multi-cluster/kubernetes). + Consul clusters connected using mesh federation. Read more about [Consul Mesh Federation](/docs/k8s/deployment-configurations/multi-cluster/kubernetes). #### Example Commands diff --git a/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx b/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx index 3f02c449b..bad773f0b 100644 --- a/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx +++ b/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx @@ -127,7 +127,7 @@ The following steps need only be performed once in any single datacenter if your - -> **Note:** These Vault instructions assume that you have integrated your [Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip) using [Vault as a Secrets Backend](/docs/k8s/installation/vault). + -> **Note:** These Vault instructions assume that you have integrated your [Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip) using [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). Update the gossip encryption Vault Secret with the value of the new gossip encryption key to ensure that subsequent `helm upgrades` commands execute successfully. The name of the secret that stores the value of the gossip encryption key can be found in the Helm values file: diff --git a/website/content/docs/k8s/upgrade/index.mdx b/website/content/docs/k8s/upgrade/index.mdx index 3e4c947a3..41f283259 100644 --- a/website/content/docs/k8s/upgrade/index.mdx +++ b/website/content/docs/k8s/upgrade/index.mdx @@ -118,7 +118,7 @@ to update to the new version. 1. Ensure you've read the [Upgrading Consul](/docs/upgrading) documentation. 1. Ensure you've read any [specific instructions](/docs/upgrading/upgrade-specific) for the version you're upgrading to and the Consul [changelog](https://github.com/hashicorp/consul/blob/main/CHANGELOG.md) for that version. -1. Read our [Compatibility Matrix](/docs/k8s/installation/compatibility) to ensure +1. Read our [Compatibility Matrix](/docs/k8s/compatibility) to ensure your current Helm chart version supports this Consul version. If it does not, you may need to also upgrade your Helm chart version at the same time. 1. Set `global.image` in your `values.yaml` to the desired version: diff --git a/website/content/docs/lambda/registration.mdx b/website/content/docs/lambda/registration.mdx index d7aae0078..e289475cf 100644 --- a/website/content/docs/lambda/registration.mdx +++ b/website/content/docs/lambda/registration.mdx @@ -19,7 +19,7 @@ We recommend using the Lambda registrator when possible so that you can keep the ## Requirements -* Consul 1.12.1 and later +- Consul 1.12.1 and later ## Prerequisites @@ -38,6 +38,7 @@ Refer to the [`enable_serverless_plugin`](/docs/agent/config/config-files#connec The Envoy proxy that invokes Lambda must have the `lambda:InvokeFunction` AWS IAM permissions. In the following example, the IAM policy enables an IAM user or role to invoke the `example` Lambda function: + ```json { "Version": "2012-10-17", @@ -57,14 +58,13 @@ enables an IAM user or role to invoke the `example` Lambda function: Define AWS IAM credentials in environment variables, EC2 metadata or ECS metadata. On [AWS EKS](https://aws.amazon.com/eks/), associate an IAM role with the proxy's `ServiceAccount`. Refer to the [AWS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) documentation for instructions. - ### Optional: Set up a Terminating Gateway If you intend to invoke Lambda services through a terminating gateway, the gateway must be registered and running in the Consul datacenter. Refer to the following documentation and tutorials for instructions on how to set up a terminating gateway: -* [Terminating gateways documentation](/docs/connect/gateways#terminating-gateways) -* [Terminating gateways on Kubernetes documentation](/docs/k8s/connect/terminating-gateways) -* [Connect External Services to Consul With Terminating Gateways tutorial](https://learn.hashicorp.com/tutorials/consul/terminating-gateways-connect-external-services) +- [Terminating gateways documentation](/docs/connect/gateways#terminating-gateways) +- [Terminating gateways on Kubernetes documentation](/docs/k8s/connect/terminating-gateways) +- [Connect External Services to Consul With Terminating Gateways tutorial](https://learn.hashicorp.com/tutorials/consul/teminating-gateways-connect-external-services) To register a Lambda service with a terminating gateway, add the service to the `Services` field of the terminating gateway's `terminating-gateway` @@ -74,9 +74,9 @@ configuration entry. You can set up a mesh gateway so that you can invoke Lambda services across datacenters and admin partitions. The mesh gateway must be running and registered in the relevant Consul datacenters and partitions. Refer to the following documentation and tutorials for instructions on how to set up mesh gateways: -* [Mesh gateway documentation](/docs/connect/gateways#mesh-gateways) -* [Connect Services Across Datacenters with Mesh Gateways tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateways) -* [Secure Service Mesh Communication Across Kubernetes Clusters tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways?in=consul/kubernetes) +- [Mesh gateway documentation](/docs/connect/gateways#mesh-gateways) +- [Connect Services Across Datacenters with Mesh Gateways tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateways) +- [Secure Service Mesh Communication Across Kubernetes Clusters tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways?utm_source=docs?in=consul/kubernetes) When using admin partitions, you must add Lambda services to the `Services` field of [the `exported-services` configuration @@ -103,7 +103,7 @@ The following diagram shows the flow of events from EventBridge into Consul: 1. EventBridge invokes the Lambda registrator based on CloudTrail Lambda events or a schedule. -2. Lambda registrator determines how to reconcile Lambda's control plane state +1. Lambda registrator determines how to reconcile Lambda's control plane state with Consul state and ensures they are in sync by registering, updating, and deregistering Lambda services. @@ -124,7 +124,7 @@ The following diagram shows the flow of events from EventBridge into Consul: #### Optional: Store the CA Certificate in Parameter Store -When Lambda registrator makes a request to Consul's [HTTP API](/api-docs) over HTTPS and the Consul API is signed by a custom CA, Lambda registrator uses the CA certificate stored in AWS Parameter Store (refer to the [Parameter Store documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) for additional information) to verify the authenticity of the Consul API. You can apply the following Terraform configuration to store Consul’s server CA in Parameter Store: +When Lambda registrator makes a request to Consul's [HTTP API](/api-docs) over HTTPS and the Consul API is signed by a custom CA, Lambda registrator uses the CA certificate stored in AWS Parameter Store (refer to the [Parameter Store documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) for additional information) to verify the authenticity of the Consul API. You can apply the following Terraform configuration to store Consul's server CA in Parameter Store: ```hcl resource "aws_ssm_parameter" "ca-cert" { @@ -139,32 +139,35 @@ resource "aws_ssm_parameter" "ca-cert" { If [Consul access control lists (ACLs)](/docs/security/acl) are enabled, Lambda registrator must present an ACL token stored in Parameter Store to access resources. You can use the Consul CLI, API, or the Terraform provider to facilitate the ACL workflow. The following procedure describes how to create and store a token from the command line: 1. Create an ACL policy that includes the following rule: - - ```hcl - service_prefix "" { - policy = "write" - } - ``` + + + ```hcl + service_prefix "" { + policy = "write" + } + ``` 1. Issue `consul acl policy create` command to create the policy. The following example creates a policy called `lambda-registrator-policy` containing permissions specified in `rules.hcl`: - ```shell-session - $ consul acl policy create -name "lambda-registrator-policy" -rules @rules.hcl - ``` + ```shell-session + $ consul acl policy create -name "lambda-registrator-policy" -rules @rules.hcl + ``` + 1. Issue the `consul acl token create` command to create the token. The following example creates a token linked to the `lambda-registrator-policy` policy: - ```shell-session - $ consul acl token create -policy-name "lambda-registrator-policy" - ``` + ```shell-session + $ consul acl token create -policy-name "lambda-registrator-policy" + ``` + 1. Store the token in Parameter Store by applying the following Terraform: - ```hcl - resource "aws_ssm_parameter" "acl-token" { - name = "/lambda-registrator/acl-token" - type = "SecureString" - value = - } - ``` + ```hcl + resource "aws_ssm_parameter" "acl-token" { + name = "/lambda-registrator/acl-token" + type = "SecureString" + value = + } + ``` #### Lambda Registrator Configuration Options @@ -219,31 +222,35 @@ The following tags are supported. In all cases, the `` should be | `/aliases` | Specifies a `+`-separated string of Lambda aliases that will be registered into Consul. For example, if set to `dev+staging+prod`, the `dev`, `staging`, and `prod` aliases of the Lambda function will be registered into Consul. | ## Manual Configuration -You can manually register Lambda functions if you are unable to automate the process using the Lambda registrator. -1. Create a configuration for registering the service. You can copy the following example and replace `` with your Consul service name for the Lambda function: - - ```json - { - "Node": "lambdas", - "SkipNodeUpdate": true, - "NodeMeta": { - "external-node": "true", - "external-probe": "true" - }, - "Service": { - "Service": "" - } - } - ``` +You can manually register Lambda functions if you are unable to automate the process using the Lambda registrator. + +1. Create a configuration for registering the service. You can copy the following example and replace `` with your Consul service name for the Lambda function: + + + + ```json + { + "Node": "lambdas", + "SkipNodeUpdate": true, + "NodeMeta": { + "external-node": "true", + "external-probe": "true" + }, + "Service": { + "Service": "" + } + } + ``` 1. Save the configuration to `lambda.json`. + 1. Send the configuration to the `catalog/register` API endpoint to register the service, for example: - ```shell-session - $ curl --request PUT --data @lambda.json localhost:8500/v1/catalog/register - ``` + ```shell-session + $ curl --request PUT --data @lambda.json localhost:8500/v1/catalog/register + ``` 1. Create the `service-defaults` configuration entry and include the AWS tags used to invoke the Lambda function in the `Meta` field (see [Supported `Meta` Fields](#supported-meta-fields). The following example creates a `service-defaults` configuration entry named `lambda`: @@ -266,7 +273,7 @@ You can manually register Lambda functions if you are unable to automate the pro 1. Issue the `consul config write` command to store the configuration entry. For example: ```shell-session $ consul config write lambda-service-defaults.hcl - ```` + ``` ### Supported `Meta` Fields @@ -278,6 +285,6 @@ The following tags are supported. In all cases, the `` should be | - | - | | `/enabled` | Determines if Consul configures the service as an AWS Lambda. | | `/payload-passthrough` | Determines if the body Envoy receives is converted to JSON or directly passed to Lambda. | -| `/arn` | Specifies the [AWS ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) for the service’s Lambda. | +| `/arn` | Specifies the [AWS ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) for the service's Lambda. | | `/invocation-mode` | Determines if Consul configures the Lambda to be invoked using the `synchronous` or `asynchronous` [invocation mode](https://docs.aws.amazon.com/lambda/latest/operatorguide/invocation-modes.html). | | `/region` | Specifies the AWS region the Lambda is running in. | diff --git a/website/content/docs/nia/architecture.mdx b/website/content/docs/nia/architecture.mdx index 39ba71f65..d7995e7ab 100644 --- a/website/content/docs/nia/architecture.mdx +++ b/website/content/docs/nia/architecture.mdx @@ -51,7 +51,7 @@ The following types of state information are associated with CTS. ### Terraform state information -By default, CTS stores [Terraform state data](https://www.terraform.io/docs/state/index.html) in the Consul KV, but you can specify where this information is stored by configuring the `backend` setting in the [Terraform driver configuration](/docs/nia/configuration#backend). The data persists if CTS stops and the backend is configured to a remote location. +By default, CTS stores [Terraform state data](https://www.terraform.io/language/state) in the Consul KV, but you can specify where this information is stored by configuring the `backend` setting in the [Terraform driver configuration](/docs/nia/configuration#backend). The data persists if CTS stops and the backend is configured to a remote location. ### CTS task and event data @@ -76,4 +76,4 @@ CTS logs the error message and continues to run when it finds an incompatibility ## Security guidelines -We recommend following the network security guidelines described in the [Secure Consul-Terraform-Sync for Production](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-secure?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) tutorial. The tutorial contains a checklist of best practices to secure your CTS installation for a production environment. +We recommend following the network security guidelines described in the [Secure Consul-Terraform-Sync for Production](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-secure?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) tutorial. The tutorial contains a checklist of best practices to secure your CTS installation for a production environment. \ No newline at end of file diff --git a/website/content/docs/nia/cli/task.mdx b/website/content/docs/nia/cli/task.mdx index 7c9a790a2..d9629f373 100644 --- a/website/content/docs/nia/cli/task.mdx +++ b/website/content/docs/nia/cli/task.mdx @@ -19,7 +19,7 @@ It is not to be used for updating a task and will not create a task if the task **Options:** -In addition to [general options](/docs/nia/cli/cli-overview#general-options) this command also supports the following: +In addition to [general options](/docs/nia/cli#general-options) this command also supports the following: | Name | Required | Type | Description | | ------------ | -------- | ------ | ------------------------------------------------------------------------------------------------------------------- | @@ -187,7 +187,7 @@ $ consul-terraform-sync task disable task_b **Options:** -In addition to [general options](/docs/nia/cli/cli-overview#general-options) this command also supports the following: +In addition to [general options](/docs/nia/cli#general-options) this command also supports the following: | Name | Required | Type | Description | | --------------- | -------- | ------- | ------------------------------- | diff --git a/website/content/docs/nia/configuration.mdx b/website/content/docs/nia/configuration.mdx index 36bff7f2d..e4a39d0b0 100644 --- a/website/content/docs/nia/configuration.mdx +++ b/website/content/docs/nia/configuration.mdx @@ -128,7 +128,7 @@ consul { | `service_registration` | Optional| [service_registration](/docs/nia/configuration#service-registration) | Options for how CTS will register itself as a service with a health check to Consul. || ### ACL requirements -The following table describes the ACL policies required by CTS. For more information, refer to the [Secure Consul-Terraform-Sync for Production](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-secure?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS#configure-acl-privileges-for-consul-terraform-sync) tutorial. +The following table describes the ACL policies required by CTS. For more information, refer to the [Secure Consul-Terraform-Sync for Production](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-secure?utm_source=docs#configure-acl-privileges-for-consul-terraform-sync) tutorial. | Policy | Resources | | ------ | --------- | @@ -299,7 +299,7 @@ task { Service values that are not explicitly defined by a `service` block that have a matching ID are assumed to be logical service names in the `default` namespace. - `source` - (string: required) **Deprecated in CTS 0.5.0 and will be removed in a future major release. See the `module` field instead.** -- `module` - (string: required) Module is the location the driver uses to discover the Terraform module used for automation. The module's source can be local or remote on the [Terraform Registry](https://registry.terraform.io/) or private module registry. Read more on [Terraform module source and other supported types here](https://www.terraform.io/docs/modules/sources.html). +- `module` - (string: required) Module is the location the driver uses to discover the Terraform module used for automation. The module's source can be local or remote on the [Terraform Registry](https://registry.terraform.io/) or private module registry. Read more on [Terraform module source and other supported types here](https://www.terraform.io/language/modules/sources). - To use a private module with the [`terraform` driver](#terraform-driver), run the command [`terraform login [hostname]`](https://learn.hashicorp.com/tutorials/terraform/cloud-login) to authenticate the local Terraform CLI prior to starting CTS. - To use a private module with the [`terraform_cloud` driver](#terraform-cloud-driver), no extra steps are needed. @@ -315,7 +315,7 @@ task { module = "///" ``` -- `variable_files` - (list[string]) Specifies list of paths to [Terraform variable definition files (`.tfvars`)](https://www.terraform.io/docs/configuration/variables.html#variable-definitions-tfvars-files). The content of these files should consist of only variable name assignments. The variable assignments must match the corresponding variable declarations made available by the Terraform module for the task. +- `variable_files` - (list[string]) Specifies list of paths to [Terraform variable definition files (`.tfvars`)](https://www.terraform.io/language/values/variables#variable-definitions-tfvars-files). The content of these files should consist of only variable name assignments. The variable assignments must match the corresponding variable declarations made available by the Terraform module for the task. - Variables are loaded in the order they appear in the files. Duplicate variables are overwritten with the later value. _Unless specified by the module, configure arguments for Terraform providers using [`terraform_provider` blocks](#terraform-provider)._ @@ -650,15 +650,15 @@ driver "terraform" { } ``` -- `backend` - (obj) The backend stores [Terraform state files](https://www.terraform.io/docs/state/index.html) for each task. This option is similar to the [Terraform backend configuration](https://www.terraform.io/docs/configuration/backend.html). CTS supports Terraform backends used as a state store. - - Supported backend options: [azurerm](https://www.terraform.io/docs/backends/types/azurerm.html), [consul](https://www.terraform.io/docs/backends/types/consul.html), [cos](https://www.terraform.io/docs/backends/types/cos.html), [gcs](https://www.terraform.io/docs/backends/types/gcs.html), [kubernetes](https://www.terraform.io/docs/backends/types/kubernetes.html), [local](https://www.terraform.io/docs/backends/types/local.html), [manta](https://www.terraform.io/docs/backends/types/manta.html), [pg](https://www.terraform.io/docs/backends/types/pg.html) (Terraform v0.14+), [s3](https://www.terraform.io/docs/backends/types/s3.html). Visit the Terraform documentation links for details on backend configuration options. - - If omitted, CTS will generate default values and use configurations from the [`consul` block](#consul) to configure [Consul as the backend](https://www.terraform.io/docs/backends/types/consul.html), which stores Terraform statefiles in the Consul KV. The [ACL token provided for Consul authentication](#consul) is used to read and write to the KV store and requires [Consul KV privileges](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-secure?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS#configure-acl-privileges-for-consul-terraform-sync). The Consul KV path is the base path to store state files for tasks. The full path of each state file will have the task identifier appended to the end of the path, e.g. `consul-terraform-sync/terraform-env:task-name`. +- `backend` - (obj) The backend stores [Terraform state files](https://www.terraform.io/language/state) for each task. This option is similar to the [Terraform backend configuration](https://www.terraform.io/language/settings/backends/configuration). CTS supports Terraform backends used as a state store. + - Supported backend options: [azurerm](https://www.terraform.io/language/settings/backends/azurerm), [consul](https://www.terraform.io/language/settings/backends/consul), [cos](https://www.terraform.io/language/settings/backends/cos), [gcs](https://www.terraform.io/language/settings/backends/gcs), [kubernetes](https://www.terraform.io/language/settings/backends/kubernetes), [local](https://www.terraform.io/language/settings/backends/local), [manta](https://www.terraform.io/language/settings/backends/manta), [pg](https://www.terraform.io/language/settings/backends/pg) (Terraform v0.14+), [s3](https://www.terraform.io/language/settings/backends/s3). Visit the Terraform documentation links for details on backend configuration options. + - If omitted, CTS will generate default values and use configurations from the [`consul` block](#consul) to configure [Consul as the backend](https://www.terraform.io/language/settings/backends/consul), which stores Terraform statefiles in the Consul KV. The [ACL token provided for Consul authentication](#consul) is used to read and write to the KV store and requires [Consul KV privileges](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-secure?utm_source=docs#configure-acl-privileges-for-consul-terraform-sync). The Consul KV path is the base path to store state files for tasks. The full path of each state file will have the task identifier appended to the end of the path, e.g. `consul-terraform-sync/terraform-env:task-name`. - The remote enhanced backend is not supported with the Terraform driver to run operations in Terraform Cloud. Use the [Terraform Cloud driver](#terraform-cloud-driver) to integrate CTS with Terraform Cloud for remote workspaces and remote operations. - The `local` backend type is not supported with CTS instances configured for high availability. If high availability is configured and the Terraform backend type is `local`, CTS logs an error and exits. - `log` - (bool) Enable all Terraform output (stderr and stdout) to be included in the CTS log. This is useful for debugging and development purposes. It may be difficult to work with log aggregators that expect uniform log format. - `path` - (string) The file path to install Terraform or discover an existing Terraform binary. If omitted, Terraform will be installed in the same directory as the CTS daemon. To resolve an incompatible Terraform version or to change versions will require removing the existing binary or change to a different path. - `persist_log` - (bool) Enable trace logging for each Terraform client to disk per task. This is equivalent to setting `TF_LOG_PATH=/terraform.log`. Trace log level results in verbose logging and may be useful for debugging and development purposes. We do not recommend enabling this for production. There is no log rotation and may quickly result in large files. -- `required_providers` - (obj: required) Declare each Terraform provider used across all tasks. This can be configured the same as how you would configure [Terraform `terraform.required_providers`](https://www.terraform.io/docs/configuration/provider-requirements.html#requiring-providers) field to specify the source and version for each provider. CTS will process these requirements when preparing each task that uses the provider. +- `required_providers` - (obj: required) Declare each Terraform provider used across all tasks. This can be configured the same as how you would configure [Terraform `terraform.required_providers`](https://www.terraform.io/language/providers/requirements#requiring-providers) field to specify the source and version for each provider. CTS will process these requirements when preparing each task that uses the provider. - `version` - (string) The Terraform version to install and run in automation for task execution. If omitted, the driver will install the latest [compatible release of Terraform](/docs/nia/compatibility#terraform). To change versions, remove the existing binary or change the path to install the desired version. Verify that the desired Terraform version is compatible across all Terraform modules used for CTS automation. ## Terraform Cloud Driver @@ -703,7 +703,7 @@ driver "terraform-cloud" { - `hostname` - (string) The Terraform Cloud hostname to connect to. Can be overridden with the `TFC_HOSTNAME` environment variable. - `organization` - (string) The Terraform Cloud organization that hosts the managed workspaces by CTS. Can be overridden with the `TFC_ORGANIZATION` environment variable. -- `token` - (string) Required [Team API token](https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html#team-api-tokens) used for authentication with Terraform Cloud and workspace management. Only workspace permissions are needed for CTS. The token can also be provided using the `TFC_TOKEN` environment variable. +- `token` - (string) Required [Team API token](https://www.terraform.io/cloud-docs/users-teams-organizations/api-tokens#team-api-tokens) used for authentication with Terraform Cloud and workspace management. Only workspace permissions are needed for CTS. The token can also be provided using the `TFC_TOKEN` environment variable. - We recommend creating a dedicated team and team API token to isolate automation by CTS from other Terraform Cloud operations. - `workspace_prefix` - (string) **Deprecated in CTS 0.5.0**, use the [`workspaces.prefix`](#prefix) option instead. Specifies a prefix to prepend to the automatically-generated workspace names used for automation. This prefix will be used by all tasks that use this driver. By default, when no prefix is configured, the workspace name will be the task name. When a prefix is configured, the workspace name will be `-`, with the character '-' between the workspace prefix and task name. For example, if you configure the prefix as "cts", then a task with the name "task-firewall" will have the workspace name "cts-task-firewall". - `workspaces` - Configure CTS management of Terraform Cloud workspaces. @@ -711,8 +711,8 @@ driver "terraform-cloud" { - `tags` - (list[string]) Tags for CTS to add to all automated workspaces when the workspace is first created or discovered. Tags are added to discovered workspaces only if the workspace meets [automation requirements](/docs/nia/network-drivers/terraform-cloud#remote-workspaces) and satisfies the allowlist and denylist tag options. This option will not affect existing tags. Tags that were manually removed during runtime will be re-tagged when CTS restarts. Compatible with Terraform Cloud and Terraform Enterprise v202108-1+ - `tags_allowlist` - (list[string]) Tag requirement to use as a provision check for CTS automation of workspaces. When configured, Terraform Cloud workspaces must have at least one tag from the allow list for CTS to automate the workspace and runs. Compatible with Terraform Cloud and Terraform Enterprise v202108-1+. - `tags_denylist` - (list[string]) Tag restriction to use as a provision check for CTS automation of workspaces. When configured, Terraform Cloud workspaces must not have any tag from the deny list for CTS to automate the workspace and runs. Denied tags have higher priority than tags set in the `tags_allowlist` option. Compatible with Terraform Cloud and Terraform Enterprise v202108-1+. -- `required_providers` - (obj: required) Declare each Terraform provider used across all tasks. This can be configured the same as how you would configure [Terraform `terraform.required_providers`](https://www.terraform.io/docs/configuration/provider-requirements.html#requiring-providers) field to specify the source and version for each provider. CTS will process these requirements when preparing each task that uses the provider. -- `tls` - Configure TLS to allow HTTPS connections to [Terraform Enterprise](https://www.terraform.io/docs/enterprise/install/installer.html#tls-key-amp-cert). +- `required_providers` - (obj: required) Declare each Terraform provider used across all tasks. This can be configured the same as how you would configure [Terraform `terraform.required_providers`](https://www.terraform.io/language/providers/requirements#requiring-providers) field to specify the source and version for each provider. CTS will process these requirements when preparing each task that uses the provider. +- `tls` - Configure TLS to allow HTTPS connections to [Terraform Enterprise](https://www.terraform.io/enterprise/install/interactive/installer#tls-key-amp-cert). - `enabled` - (bool) Enable TLS. Providing a value for any of the TLS options will enable this parameter implicitly. - `ca_cert` - (string) The path to a PEM-encoded certificate authority file used to verify the authenticity of the connection to Terraform Enterprise over TLS. - `ca_path` - (string) The path to a directory of PEM-encoded certificate authority files used to verify the authenticity of the connection to Terraform Enterprise over TLS. @@ -733,7 +733,7 @@ The version of Terraform to use for each workspace can also be set within the [t ## Terraform Provider -A `terraform_provider` block configures the options to interface with network infrastructure. Define a block for each provider required by the set of Terraform modules across all tasks. This block resembles [provider blocks for Terraform configuration](https://www.terraform.io/docs/configuration/providers.html). To find details on how to configure a provider, refer to the corresponding documentation for the Terraform provider. The main directory of publicly available providers are hosted on the [Terraform Registry](https://registry.terraform.io/browse/providers). +A `terraform_provider` block configures the options to interface with network infrastructure. Define a block for each provider required by the set of Terraform modules across all tasks. This block resembles [provider blocks for Terraform configuration](https://www.terraform.io/language/providers/configuration). To find details on how to configure a provider, refer to the corresponding documentation for the Terraform provider. The main directory of publicly available providers are hosted on the [Terraform Registry](https://registry.terraform.io/browse/providers). The below configuration captures the general design of defining a provider using the [AWS Terraform provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) as an example. @@ -857,7 +857,7 @@ terraform_provider "example" { ### Multiple Provider Configurations -CTS supports the [Terraform feature to define multiple configurations](https://www.terraform.io/docs/configuration/providers.html#alias-multiple-provider-configurations) for the same provider by utilizing the `alias` meta-argument. Define multiple provider blocks with the same provider name and set the `alias` to a unique value across a given provider. Select which provider configuration to use for a task by specifying the configuration with the provider name and alias (`.`) within the list of providers in the [`task.provider`](#task) parameter. A task can use multiple providers, but only one provider instance of a provider is allowed per task. +CTS supports the [Terraform feature to define multiple configurations](https://www.terraform.io/language/providers/configuration#alias-multiple-provider-configurations) for the same provider by utilizing the `alias` meta-argument. Define multiple provider blocks with the same provider name and set the `alias` to a unique value across a given provider. Select which provider configuration to use for a task by specifying the configuration with the provider name and alias (`.`) within the list of providers in the [`task.provider`](#task) parameter. A task can use multiple providers, but only one provider instance of a provider is allowed per task. The example CTS configuration below defines two similar tasks executing the same module with different instances of the AWS provider. diff --git a/website/content/docs/nia/enterprise/index.mdx b/website/content/docs/nia/enterprise/index.mdx index 38f8260f2..81bf5edb3 100644 --- a/website/content/docs/nia/enterprise/index.mdx +++ b/website/content/docs/nia/enterprise/index.mdx @@ -16,13 +16,13 @@ Enterprise features of CTS address organization complexities of collaboration, o | Consul Namespace | Default namespace only | Filter task triggers by any namespace | | Automation Driver | Terraform OSS | Terraform OSS, Terraform Cloud, or Terraform Enterprise | | Terraform Workspaces | Local | Local workspaces with the Terraform driver or [remote workspaces](https://www.terraform.io/cloud-docs/workspaces) with the Terraform Cloud driver | -| Terraform Backend Options | [azurerm](https://www.terraform.io/docs/backends/types/azurerm.html), [consul](https://www.terraform.io/docs/backends/types/consul.html), [cos](https://www.terraform.io/docs/backends/types/cos.html), [gcs](https://www.terraform.io/docs/backends/types/gcs.html), [kubernetes](https://www.terraform.io/docs/backends/types/kubernetes.html), [local](https://www.terraform.io/docs/backends/types/local.html), [manta](https://www.terraform.io/docs/backends/types/manta.html), [pg](https://www.terraform.io/docs/backends/types/pg.html), and [s3](https://www.terraform.io/docs/backends/types/s3.html) with the Terraform driver | The supported backends for CTS with the Terraform driver or Terraform Cloud with the Terraform Cloud driver | +| Terraform Backend Options | [azurerm](https://www.terraform.io/language/settings/backends/azurerm), [consul](https://www.terraform.io/language/settings/backends/consul), [cos](https://www.terraform.io/language/settings/backends/cos), [gcs](https://www.terraform.io/language/settings/backends/gcs), [kubernetes](https://www.terraform.io/language/settings/backends/kubernetes), [local](https://www.terraform.io/language/settings/backends/local), [manta](https://www.terraform.io/language/settings/backends/manta), [pg](https://www.terraform.io/language/settings/backends/pg), and [s3](https://www.terraform.io/language/settings/backends/s3) with the Terraform driver | The supported backends for CTS with the Terraform driver or Terraform Cloud with the Terraform Cloud driver | | Terraform Version | One Terraform version for all tasks | Optional Terraform version per task when using the Terraform Cloud driver | | Terraform Run Output | CTS logs | CTS logs or Terraform output organized by Terraform Cloud remote workspaces | | Credentials and secrets | On disk as `.tfvars` files or in shell environment | Secured variables stored in remote workspace | | Audit | | Terraform audit logs ([Terraform Cloud](https://www.terraform.io/cloud-docs/api-docs/audit-trails) or [Terraform Enterprise](https://www.terraform.io/enterprise/admin/infrastructure/logging)) | -| Collaboration | | Run [history](https://www.terraform.io/docs/cloud/run/manage.html), [triggers](https://www.terraform.io/docs/cloud/workspaces/run-triggers.html), and [notifications](https://www.terraform.io/docs/cloud/workspaces/notifications.html) supported on Terraform Cloud | -| Governance | | [Sentinel](https://www.terraform.io/docs/cloud/sentinel/index.html) to enforce governance policies as code | +| Collaboration | | Run [history](https://www.terraform.io/cloud-docs/run/manage), [triggers](https://www.terraform.io/cloud-docs/workspaces/settings/run-triggers), and [notifications](https://www.terraform.io/cloud-docs/workspaces/settings/notifications) supported on Terraform Cloud | +| Governance | | [Sentinel](https://www.terraform.io/cloud-docs/sentinel) to enforce governance policies as code | The [Terraform Cloud driver](/docs/nia/configuration#terraform-cloud-driver) enables CTS Enterprise to integrate with Terraform Cloud or Terraform Enterprise. The [Terraform Cloud driver](/docs/nia/network-drivers/terraform-cloud) page provides an overview of how the integration works within CTS. diff --git a/website/content/docs/nia/enterprise/license.mdx b/website/content/docs/nia/enterprise/license.mdx index 740d52fbc..59d12ea99 100644 --- a/website/content/docs/nia/enterprise/license.mdx +++ b/website/content/docs/nia/enterprise/license.mdx @@ -53,7 +53,7 @@ If a license needs to be manually set, choose one of the following methods (in o ``` ~> **Note**: the [options to set the license and the order of precedence](/docs/enterprise/license/overview#binaries-without-built-in-licenses) are the same as Consul Enterprise server agents. -Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. +Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/consul/hashicorp-enterprise-license?utm_source=docs) for detailed steps on how to install the license key. ### Updating the License Manually To update the license when it expires or is near the expiration date and automatic license retrieval is disabled: diff --git a/website/content/docs/nia/index.mdx b/website/content/docs/nia/index.mdx index 500e56275..0d6da2782 100644 --- a/website/content/docs/nia/index.mdx +++ b/website/content/docs/nia/index.mdx @@ -11,7 +11,7 @@ Network Infrastructure Automation (NIA) enables dynamic updates to network infra CTS executes one or more automation tasks with the most recent service variable values from the Consul service catalog. Each task consists of a runbook automation written as a CTS compatible Terraform module using resources and data sources for the underlying network infrastructure. The `consul-terraform-sync` daemon runs on the same node as a Consul agent. -CTS is available as an open source and enterprise distribution. Follow the [Network Infrastructure Automation introduction tutorial](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-intro?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) to get started with CTS OSS or read more about [CTS Enterprise](/docs/nia/enterprise). +CTS is available as an open source and enterprise distribution. Follow the [Network Infrastructure Automation introduction tutorial](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-intro?utm_source=docs) to get started with CTS OSS or read more about [CTS Enterprise](/docs/nia/enterprise). ## Use Cases @@ -53,15 +53,15 @@ CTS is available as an open source and enterprise distribution. Follow the [Netw - `Tasks` - A task is the translation of dynamic service information from the Consul Catalog into network infrastructure changes downstream. -- `Terraform Cloud` - Per the [Terraform documentation](https://www.terraform.io/docs/cloud/index.html), "Terraform Cloud" describes both Terraform Cloud and Terraform Enterprise, which are different distributions of the same application. Documentation will apply to both distributions unless specifically stated otherwise. +- `Terraform Cloud` - Per the [Terraform documentation](httphttps://www.terraform.io/cloud-docs), "Terraform Cloud" describes both Terraform Cloud and Terraform Enterprise, which are different distributions of the same application. Documentation will apply to both distributions unless specifically stated otherwise. -- `Terraform Module` - A [Terraform module](https://www.terraform.io/docs/configuration/modules.html) is a container for multiple Terraform resources that are used together. +- `Terraform Module` - A [Terraform module](https://www.terraform.io/language/modules) is a container for multiple Terraform resources that are used together. -- `Terraform Provider` - A [Terraform provider](https://www.terraform.io/docs/providers/index.html) is responsible for understanding API interactions and exposing resources for an infrastructure type. +- `Terraform Provider` - A [Terraform provider](https://www.terraform.io/language/providers) is responsible for understanding API interactions and exposing resources for an infrastructure type. ## Getting Started With Network Infrastructure Automation -The [Network Infrastructure Automation (NIA)](https://learn.hashicorp.com/collections/consul/network-infrastructure-automation?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) +The [Network Infrastructure Automation (NIA)](https://learn.hashicorp.com/collections/consul/network-infrastructure-automation?utm_source=docs) collection contains examples on how to configure CTS to perform Network Infrastructure Automation. The collection contains also a tutorial to secure your CTS configuration for a production diff --git a/website/content/docs/nia/installation/configure.mdx b/website/content/docs/nia/installation/configure.mdx index e5c43796a..bb6f17062 100644 --- a/website/content/docs/nia/installation/configure.mdx +++ b/website/content/docs/nia/installation/configure.mdx @@ -32,7 +32,7 @@ task { ## Terraform Providers -Configuring Terraform providers within CTS requires 2 config components. The first component is required within the [`driver.terraform` block](/docs/nia/configuration#terraform-driver). All providers configured for CTS must be listed within the `required_providers` stanza to satisfy a [Terraform v0.13+ requirement](https://www.terraform.io/docs/configuration/provider-requirements.html#requiring-providers) for Terraform to discover and install them. The providers listed are later organized by CTS to be included in the appropriate Terraform configuration files for each task. +Configuring Terraform providers within CTS requires 2 config components. The first component is required within the [`driver.terraform` block](/docs/nia/configuration#terraform-driver). All providers configured for CTS must be listed within the `required_providers` stanza to satisfy a [Terraform v0.13+ requirement](https://www.terraform.io/language/providers/requirements#requiring-providers) for Terraform to discover and install them. The providers listed are later organized by CTS to be included in the appropriate Terraform configuration files for each task. ```hcl driver "terraform" { @@ -45,7 +45,7 @@ driver "terraform" { } ``` -The second component for configuring a provider is the [`terraform_provider` block](/docs/nia/configuration#terraform-provider). This block resembles [provider blocks for Terraform configuration](https://www.terraform.io/docs/configuration/providers.html) and has the same responsibility for understanding API interactions and exposing resources for a specific infrastructure platform. +The second component for configuring a provider is the [`terraform_provider` block](/docs/nia/configuration#terraform-provider). This block resembles [provider blocks for Terraform configuration](https://www.terraform.io/language/providers/configuration) and has the same responsibility for understanding API interactions and exposing resources for a specific infrastructure platform. Terraform modules configured for task automation may require configuring the referenced providers. For example, configuring the host address and authentication to interface with your network infrastructure. Refer to the Terraform provider documentation hosted on the [Terraform Registry](https://registry.terraform.io/browse/providers) to find available options. The `terraform_provider` block is loaded by CTS during runtime and processed to be included in [autogenerated Terraform configuration files](/docs/nia/network-drivers#provider) used for task automation. Omitting the `terraform_provider` block for a provider will defer to the Terraform behavior assuming an empty default configuration. diff --git a/website/content/docs/nia/installation/install.mdx b/website/content/docs/nia/installation/install.mdx index ea2a3e2f1..1e50955d8 100644 --- a/website/content/docs/nia/installation/install.mdx +++ b/website/content/docs/nia/installation/install.mdx @@ -7,7 +7,7 @@ description: >- # Install Consul-Terraform-Sync -Refer to the [introduction](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-intro?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) tutorial for details about installing, configuring, and running Consul-Terraform-Sync (CTS) on your local machine with the Terraform driver. +Refer to the [introduction](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-intro?utm_source=docs) tutorial for details about installing, configuring, and running Consul-Terraform-Sync (CTS) on your local machine with the Terraform driver. ## Install Consul-Terraform-Sync diff --git a/website/content/docs/nia/network-drivers/index.mdx b/website/content/docs/nia/network-drivers/index.mdx index 801b9954a..33bee29a4 100644 --- a/website/content/docs/nia/network-drivers/index.mdx +++ b/website/content/docs/nia/network-drivers/index.mdx @@ -16,7 +16,7 @@ The following table highlights some of the additional features Terraform and Ter | Network Driver | Description | Features | | -------------- | ----------- | -------- | | [Terraform driver](/docs/nia/network-drivers/terraform) | CTS automates a local installation of the [Terraform CLI](https://www.terraform.io/) | - Local Terraform execution
- Local workspace directories
- [Backend options](/docs/nia/configuration#backend) available for state storage
| -| [Terraform Cloud driver](/docs/nia/network-drivers/terraform-cloud) | CTS Enterprise automates remote workspaces on [Terraform Cloud](https://www.terraform.io/docs/cloud/index.html) | - [Remote Terraform execution](https://www.terraform.io/docs/cloud/run/index.html)
- Concurrent runs
- [Secured variables](https://www.terraform.io/docs/cloud/workspaces/variables.html)
- [State versions](https://www.terraform.io/docs/cloud/workspaces/state.html)
- [Sentinel](https://www.terraform.io/docs/cloud/sentinel/index.html) to enforce governance policies as code
- Audit [logs](https://www.terraform.io/docs/enterprise/admin/logging.html) and [trails](https://www.terraform.io/docs/cloud/api/audit-trails.html)
- Run [history](https://www.terraform.io/docs/cloud/run/manage.html), [triggers](https://www.terraform.io/docs/cloud/workspaces/run-triggers.html), and [notifications](https://www.terraform.io/docs/cloud/workspaces/notifications.html)
- [Terraform Cloud Agents](https://www.terraform.io/docs/cloud/agents/index.html) | +| [Terraform Cloud driver](/docs/nia/network-drivers/terraform-cloud) | CTS Enterprise automates remote workspaces on [Terraform Cloud](https://www.terraform.io/cloud-docs) | - [Remote Terraform execution](https://www.terraform.io/cloud-docs/run/remote-operations)
- Concurrent runs
- [Secured variables](https://www.terraform.io/cloud-docs/workspaces/variables)
- [State versions](https://www.terraform.io/cloud-docs/workspaces/state)
- [Sentinel](https://www.terraform.io/cloud-docs/sentinel) to enforce governance policies as code
- Audit [logs](https://www.terraform.io/enterprise/admin/infrastructure/logging) and [trails](https://www.terraform.io/cloud-docs/api-docs/audit-trails)
- Run [history](https://www.terraform.io/cloud-docs/run/manage), [triggers](https://www.terraform.io/cloud-docs/workspaces/settings/run-triggers), and [notifications](https://www.terraform.io/cloud-docs/workspaces/settings/notifications)
- [Terraform Cloud Agents](https://www.terraform.io/cloud-docs/agents) | ## Understanding Terraform Automation @@ -26,8 +26,8 @@ The network driver for CTS determines how the Terraform automation operates. Vis ### Upgrading Terraform -Upgrading the Terraform version used by CTS may introduce breaking changes that can impact the Terraform modules. Refer to the Terraform [upgrade guides](https://www.terraform.io/upgrade-guides/index.html) for details before upgrading. +Upgrading the Terraform version used by CTS may introduce breaking changes that can impact the Terraform modules. Refer to the Terraform [upgrade guides](https://www.terraform.io/language/upgrade-guides) for details before upgrading. The following versions were identified as containing changes that may impact Terraform modules. -- [Terraform v0.15](https://www.terraform.io/upgrade-guides/0-15.html) +- [Terraform v0.15](https://www.terraform.io/language/v1.1.x/upgrade-guides/0-15) diff --git a/website/content/docs/nia/network-drivers/terraform-cloud.mdx b/website/content/docs/nia/network-drivers/terraform-cloud.mdx index 829bc189e..8bc547baa 100644 --- a/website/content/docs/nia/network-drivers/terraform-cloud.mdx +++ b/website/content/docs/nia/network-drivers/terraform-cloud.mdx @@ -18,14 +18,14 @@ This page describes how the Terraform Cloud driver operates within CTS. ## Terraform Workspace Automation -CTS manages Terraform runs following the [API-driven run workflow](https://www.terraform.io/docs/cloud/run/api.html) for workspaces in Terraform Cloud. +CTS manages Terraform runs following the [API-driven run workflow](https://www.terraform.io/cloud-docs/run/api) for workspaces in Terraform Cloud. On startup, CTS: 1. Creates or discovers Terraform Cloud workspaces corresponding to the configured tasks. 2. Prepares the local environment and generates Terraform configuration files that make up the root module for each task. 3. Packages the generated files and uploads them as a configuration version for the task's workspace on Terraform Cloud. -Once all workspaces are set up, CTS monitors the Consul catalog for service changes. When relevant changes are detected, the Terraform Cloud driver dynamically updates input variables for that task directly as [workspace variables](https://www.terraform.io/docs/cloud/workspaces/variables.html) using the Terraform Cloud API. The driver then queues a run on the workspace, with auto-apply enabled, to update your network infrastructure. +Once all workspaces are set up, CTS monitors the Consul catalog for service changes. When relevant changes are detected, the Terraform Cloud driver dynamically updates input variables for that task directly as [workspace variables](https://www.terraform.io/cloud-docs/workspaces/variables) using the Terraform Cloud API. The driver then queues a run on the workspace, with auto-apply enabled, to update your network infrastructure. ~> **Note:** Although workspaces for tasks are executed in isolated environments, this does not guarantee the infrastructure changes from concurrent task executions are independent. Ensure that modules across all tasks are not modifying the same resource objects or have overlapping changes that may result in race conditions during automation. @@ -52,7 +52,7 @@ Workspaces created by CTS will be configured with the following settings: | Terraform Version | [`task.terraform_cloud_workspace.terraform_version`](/docs/nia/configuration#terraform_version-1), [`task.terraform_version`](/docs/nia/configuration#terraform_version) (deprecated), or the latest [Terraform version compatible with CTS](/docs/nia/compatibility#terraform) available for the organization. | | Tags | `source:cts` and [additional tags](/docs/nia/configuration#tags) set by the CTS operator | -Other workspace settings can be pre-configured or updated, such as setting the workspace to [manual apply](#manual-apply) or adding a [run notification](https://www.terraform.io/docs/cloud/workspaces/notifications.html) to send messages to a Slack channel when CTS updates your network infrastructure. +Other workspace settings can be pre-configured or updated, such as setting the workspace to [manual apply](#manual-apply) or adding a [run notification](https://www.terraform.io/cloud-docs/workspaces/settings/notifications) to send messages to a Slack channel when CTS updates your network infrastructure. ### Manual Apply @@ -64,11 +64,11 @@ There are two approaches to setup manual apply for a workspace managed by CTS ba * For CTS created workspaces, update the apply method from auto to manual via the Terraform Cloud web application or API. * For pre-configured workspaces, create the workspace prior to CTS task automation via the Terraform Cloud web application or API. 1. Create a workspace with the same name as the desired task. - 1. Set the workspace to [API-driven run workflow](https://www.terraform.io/docs/cloud/run/api.html) and the execution mode to remote. + 1. Set the workspace to [API-driven run workflow](https://www.terraform.io/cloud-docs/run/api) and the execution mode to remote. 1. Ensure that the apply method for the workspace is set to manual apply. 1. Configure the task for the workspace and run CTS. --> **Tip**: Setup [run notifications](https://www.terraform.io/docs/cloud/workspaces/notifications.html#creating-a-notification-configuration) for workspaces with manual apply to not miss automated runs by CTS. Look into setting the [buffer period](/docs/nia/configuration#buffer_period-1) or a [schedule condition](/docs/nia/configuration#schedule-condition) to group changes together and reduce runs requiring approval. +-> **Tip**: Setup [run notifications](https://www.terraform.io/cloud-docs/workspaces/settings/notifications#creating-a-notification-configuration) for workspaces with manual apply to not miss automated runs by CTS. Look into setting the [buffer period](/docs/nia/configuration#buffer_period-1) or a [schedule condition](/docs/nia/configuration#schedule-condition) to group changes together and reduce runs requiring approval. ## Configuration Version @@ -86,7 +86,7 @@ sync-tasks/ - `main.tf` - The main file contains the terraform block, provider blocks, and a module block calling the module configured for the task. - `terraform` block - The corresponding provider source and versions for the task from the configuration files are placed into this block for the root module. - `provider` blocks - The provider blocks generated in the root module resemble the `terraform_provider` blocks from the configuration for CTS. They have identical arguments present and are set from the intermediate variable created per provider. - - `module` block - The module block is where the task's module is called as a [child module](https://www.terraform.io/docs/configuration/modules.html#calling-a-child-module). The child module contains the core logic for automation. Required and optional input variables are passed as arguments to the module. + - `module` block - The module block is where the task's module is called as a [child module](https://www.terraform.io/language/modules#calling-a-child-module). The child module contains the core logic for automation. Required and optional input variables are passed as arguments to the module. - `variables.tf` - This file contains three types of variable declarations: - `services` input variable (required) determines module compatibility with Consul-Terraform Sync (read more on [compatible Terraform modules](/docs/nia/terraform-modules) for more details). - Any additional [optional input variables](/docs/nia/terraform-modules#optional-input-variables) provided by CTS that the module may use. @@ -111,28 +111,28 @@ Because a CTS instance can only be configured with one driver, an instance can o ### Required Setup -This section captures requirements for setting up CTS to integrate with your [Terraform Cloud](https://www.hashicorp.com/cloud) solution. +This section captures requirements for setting up CTS to integrate with your [Terraform Cloud](https://www.terraform.io/cloud) solution. 1. Hostname of your Terraform Cloud, self-hosted distribution 1. Name of your organization -1. [Team API token](https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html#team-api-tokens) used for authentication with Terraform Cloud +1. [Team API token](https://www.terraform.io/cloud-docs/users-teams-organizations/api-tokens) used for authentication with Terraform Cloud -Prior to running CTS with a Terraform Cloud driver, you will need an account and organization set up, as well as a dedicated token. We recommend using a team token that is restricted to [Manage Workspaces](https://www.terraform.io/docs/cloud/users-teams-organizations/teams.html#managing-workspace-access)-level permissions. Below are the steps for the recommended setup. +Prior to running CTS with a Terraform Cloud driver, you will need an account and organization set up, as well as a dedicated token. We recommend using a team token that is restricted to [Manage Workspaces](https://www.terraform.io/cloud-docs/users-teams-organizations/teams#managing-workspace-access)-level permissions. Below are the steps for the recommended setup. -The first step is to create an account with your Terraform Cloud service. After creating an account, create a new [organization](https://www.terraform.io/docs/cloud/users-teams-organizations/organizations.html#creating-organizations) or select an existing organization. The address of your Terraform Cloud service will be used to configure the [`hostname`](/docs/nia/configuration#hostname), and the organization name will be used to configure the [`organization`](/docs/nia/configuration#organization) on the Terraform Cloud driver. +The first step is to create an account with your Terraform Cloud service. After creating an account, create a new [organization](https://www.terraform.io/cloud-docs/users-teams-organizations/organizations#creating-organizations) or select an existing organization. The address of your Terraform Cloud service will be used to configure the [`hostname`](/docs/nia/configuration#hostname), and the organization name will be used to configure the [`organization`](/docs/nia/configuration#organization) on the Terraform Cloud driver. -Once you have an account and organization, the next step is to [create a team](https://www.terraform.io/docs/cloud/users-teams-organizations/teams.html). We recommend using a dedicated team and team token to run and authenticate CTS. Using a team token has the benefits of restricting organization permissions as well as associating CTS automated actions with the team rather than an individual. +Once you have an account and organization, the next step is to [create a team](https://www.terraform.io/cloud-docs/users-teams-organizations/teams). We recommend using a dedicated team and team token to run and authenticate CTS. Using a team token has the benefits of restricting organization permissions as well as associating CTS automated actions with the team rather than an individual. After creating a dedicated team, update the team's permissions with "Manage Workspaces" organization access-level. CTS's main work revolves around creating and managing workspaces. Therefore restricting the dedicated team's permission to Manage Workspaces level is sufficient and reduces security risk. [![CTS Terraform Team Setup](/img/nia/cts-tfc-team-setup.png)](/img/nia/cts-tfc-team-setup.png) -After setting the team's permissions, the final setup step is to [generate the associated team token](https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html#team-api-tokens), which can be done on the same team management page. This token will be used by CTS for API authentication and will be used to configure the [`token`](/docs/nia/configuration#token) on the Terraform Cloud driver. +After setting the team's permissions, the final setup step is to [generate the associated team token](https://www.terraform.io/cloud-docs/users-teams-organizations/api-tokens), which can be done on the same team management page. This token will be used by CTS for API authentication and will be used to configure the [`token`](/docs/nia/configuration#token) on the Terraform Cloud driver. ### Recommendations -We recommend configuring workspaces managed by CTS with [run notifications](https://www.terraform.io/docs/cloud/workspaces/notifications.html) through the Terraform web application. Run notifications notify external systems about the progress of runs and could help notify users of CTS events, particularly errored runs. +We recommend configuring workspaces managed by CTS with [run notifications](https://www.terraform.io/cloud-docs/workspaces/settings/notifications) through the Terraform web application. Run notifications notify external systems about the progress of runs and could help notify users of CTS events, particularly errored runs. [![CTS Terraform Cloud Run Notifications](/img/nia/cts-tfc-run-notifications.png)](/img/nia/cts-tfc-run-notifications.png) -In order to configure a run notification, users can [manually create a notification configuration](https://www.terraform.io/docs/cloud/workspaces/notifications.html#creating-a-notification-configuration) for workspaces automated by CTS. A workspace may already exist for a task if the workspace name is identical to the configured task's [`name`](/docs/nia/configuration#name-2). This may occur if CTS has already already run and created the workspace for the task. This may also occur if the workspace is manually created for the task prior to CTS running. +In order to configure a run notification, users can [manually create a notification configuration](https://www.terraform.io/cloud-docs/workspaces/settings/notifications#creating-a-notification-configuration) for workspaces automated by CTS. A workspace may already exist for a task if the workspace name is identical to the configured task's [`name`](/docs/nia/configuration#name-2). This may occur if CTS has already already run and created the workspace for the task. This may also occur if the workspace is manually created for the task prior to CTS running. diff --git a/website/content/docs/nia/network-drivers/terraform.mdx b/website/content/docs/nia/network-drivers/terraform.mdx index 49c13b636..566fb1a75 100644 --- a/website/content/docs/nia/network-drivers/terraform.mdx +++ b/website/content/docs/nia/network-drivers/terraform.mdx @@ -7,13 +7,13 @@ description: >- # Terraform Driver -Consul-Terraform-Sync (CTS) extends the Consul ecosystem to include Terraform as an officially supported tooling project. With the Terraform driver, CTS installs the [Terraform CLI](https://www.terraform.io/downloads.html) locally and runs Terraform commands based on monitored Consul changes. This page details how the Terraform driver operates using local workspaces and templated files. +Consul-Terraform-Sync (CTS) extends the Consul ecosystem to include Terraform as an officially supported tooling project. With the Terraform driver, CTS installs the [Terraform CLI](https://www.terraform.io/downloads) locally and runs Terraform commands based on monitored Consul changes. This page details how the Terraform driver operates using local workspaces and templated files. ## Terraform CLI Automation On startup, CTS: 1. Downloads and installs Terraform -2. Prepares local workspace directories. Terraform configuration and execution for each task is organized as separate [Terraform workspaces](https://www.terraform.io/docs/state/workspaces.html). The state files for tasks are independent of each other. +2. Prepares local workspace directories. Terraform configuration and execution for each task is organized as separate [Terraform workspaces](https://www.terraform.io/language/state/workspaces). The state files for tasks are independent of each other. 3. Generates Terraform configuration files that make up the root module for each task. Once all workspaces are set up, CTS monitors the Consul catalog for service changes. When relevant changes are detected, the Terraform driver dynamically updates input variables for that task using a template to render them to a file named [`terraform.tfvars`](/docs/nia/network-drivers#terraform-tfvars). This file is passed as a parameter to the Terraform CLI when executing `terraform plan` and `terraform apply` to update your network infrastructure with the latest Consul service details. @@ -48,7 +48,7 @@ The following files of the root module are generated for each task. An [example - `main.tf` - The main file contains the terraform block, provider blocks, and a module block calling the module configured for the task. - `terraform` block - The corresponding provider source and versions for the task from the configuration files are placed into this block for the root module. The Terraform backend from the configuration is also templated here. - `provider` blocks - The provider blocks generated in the root module resemble the `terraform_provider` blocks from the configuration for CTS. They have identical arguments present and are set from the intermediate variable created per provider. - - `module` block - The module block is where the task's module is called as a [child module](https://www.terraform.io/docs/configuration/modules.html#calling-a-child-module). The child module contains the core logic for automation. Required and optional input variables are passed as arguments to the module. + - `module` block - The module block is where the task's module is called as a [child module](https://www.terraform.io/language/modules). The child module contains the core logic for automation. Required and optional input variables are passed as arguments to the module. - `variables.tf` - This file contains three types of variable declarations. - `services` input variable (required) determines module compatibility with Consul-Terraform Sync (read more on [compatible Terraform modules](/docs/nia/terraform-modules) for more details). - Any additional [optional input variables](/docs/nia/terraform-modules#optional-input-variables) provided by CTS that the module may use. diff --git a/website/content/docs/nia/terraform-modules.mdx b/website/content/docs/nia/terraform-modules.mdx index 136289250..2ecc8665b 100644 --- a/website/content/docs/nia/terraform-modules.mdx +++ b/website/content/docs/nia/terraform-modules.mdx @@ -11,7 +11,7 @@ Consul-Terraform-Sync (CTS) automates execution of Terraform modules through tas ## Module Specifications -Compatible modules for CTS follow the [standard module](https://www.terraform.io/docs/modules/index.html#standard-module-structure) structure. Modules can use syntax supported by Terraform version 0.13 and newer. +Compatible modules for CTS follow the [standard module](https://www.terraform.io/language/modules/develop#module-structure) structure. Modules can use syntax supported by Terraform version 0.13 and newer. ### Compatibility Requirements @@ -31,7 +31,7 @@ See below sections for more information on [defining module input](#module-input ### Module Input ((#source-input)) -A task monitors [Consul objects](/docs/nia#consul-objects) that are defined by the task's configuration. The Consul objects can be used for the module input that satisfies the requirements defined by the task's Terraform module's [input variables](https://www.terraform.io/docs/language/values/variables.html). +A task monitors [Consul objects](/docs/nia#consul-objects) that are defined by the task's configuration. The Consul objects can be used for the module input that satisfies the requirements defined by the task's Terraform module's [input variables](https://www.terraform.io/language/values/variables). A task's module input is slightly different from the task's condition, even though both monitor defined objects. The task's condition monitors defined objects with a configured criteria. When this criteria is satisfied, the task will trigger. @@ -120,7 +120,7 @@ The services module input operates by monitoring the [Health List Nodes For Serv | `node_tagged_addresses` | List of explicit LAN and WAN IP addresses for the agent | | `node_meta` | List of user-defined metadata key/value pairs for the node | -Below is an example configuration for a task that will execute on a schedule and provide information about the services matching the `regexp` parameter to the task’s module. +Below is an example configuration for a task that will execute on a schedule and provide information about the services matching the `regexp` parameter to the task's module. ```hcl task { @@ -228,7 +228,7 @@ task { ## How to Create a Compatible Terraform Module -You can read more on how to [create a module](https://www.terraform.io/docs/modules/index.html) or work through a [tutorial to build a module](https://learn.hashicorp.com/tutorials/terraform/module-create). CTS is designed to integrate with any module that satisfies the specifications in the following section. +You can read more on how to [create a module](https://www.terraform.io/language/modules/develop) or work through a [tutorial to build a module](https://learn.hashicorp.com/tutorials/terraform/module-create?utm_source=docs). CTS is designed to integrate with any module that satisfies the specifications in the following section. The repository [hashicorp/consul-terraform-sync-template-module](https://github.com/hashicorp/consul-terraform-sync-template-module) can be cloned and used as a starting point for structuring a compatible Terraform module. The template repository has the files described in the next steps prepared. @@ -290,7 +290,7 @@ variable "services" { Keys of the `services` map are unique identifiers of the service across Consul agents and data centers. Keys follow the format `service-id.node.datacenter` (or `service-id.node.namespace.datacenter` for Consul Enterprise). A complete list of attributes available for the `services` variable is included in the [documentation for CTS tasks](/docs/nia/tasks#services-condition). -Terraform variables when passed as module arguments can be [lossy for object types](https://www.terraform.io/docs/configuration/types.html#conversion-of-complex-types). This allows CTS to declare the full variable with every object attribute in the generated root module, and pass the variable to a child module that contains a subset of these attributes for its variable declaration. Modules compatible with CTS may simplify the `var.services` declaration within the module by omitting unused attributes. For example, the following services variable has 4 attributes with the rest omitted. +Terraform variables when passed as module arguments can be [lossy for object types](https://www.terraform.io/language/expressions/type-constraints#conversion-of-complex-types). This allows CTS to declare the full variable with every object attribute in the generated root module, and pass the variable to a child module that contains a subset of these attributes for its variable declaration. Modules compatible with CTS may simplify the `var.services` declaration within the module by omitting unused attributes. For example, the following services variable has 4 attributes with the rest omitted. @@ -351,13 +351,13 @@ If your module contains the `consul_kv` variable, we recommend documenting the u ### Module Input Variables -Network infrastructure differs vastly across teams and organizations, and the automation needs of practitioners are unique based on their existing setup. [Input variables](https://www.terraform.io/docs/configuration/variables.html) can be used to serve as customization parameters to the module for practitioners. +Network infrastructure differs vastly across teams and organizations, and the automation needs of practitioners are unique based on their existing setup. [Input variables](https://www.terraform.io/language/values/variables) can be used to serve as customization parameters to the module for practitioners. 1. Identify areas in the module where practitioners could tailor the automation to fit their infrastructure. 2. Declare input variables and insert the use of variables throughout module resources to expose these options to practitioners. -3. Include descriptions to capture what the variables are and how they are used, and specify [custom validation rules for variables](https://www.terraform.io/docs/configuration/variables.html#custom-validation-rules) to provide context to users the expected format and conditions for the variables. +3. Include descriptions to capture what the variables are and how they are used, and specify [custom validation rules for variables](https://www.terraform.io/language/values/variables#custom-validation-rules) to provide context to users the expected format and conditions for the variables. 4. Set reasonable default values for variables that are optional, or omit default values for variables that are required module arguments. -5. Set the [sensitive argument](https://www.terraform.io/docs/language/values/variables.html#suppressing-values-in-cli-output) for variables that contain secret or sensitive values. When set, Terraform will redact the value from output when Terraform commands are run. +5. Set the [sensitive argument](https://www.terraform.io/language/values/variables) for variables that contain secret or sensitive values. When set, Terraform will redact the value from output when Terraform commands are run. Terraform is an explicit configuration language and requires variables to be declared, typed, and passed explicitly through as module arguments. CTS abstracts this by creating intermediate variables at the root level from the module input. These values are configured by practitioners within the [`task` block](/docs/nia/configuration#variable_files). Value assignments are parsed to interpolate the corresponding variable declaration and are written to the appropriate Terraform files. A few assumptions are made for the intermediate variables: the variables users provide CTS are declared and supported by the module, matching name and type. @@ -375,7 +375,7 @@ Consider authoring modules with low complexity to reduce the run time for Terraf #### Providers -The Terraform module must declare which providers it requires within the [`terraform.required_providers` block](https://www.terraform.io/docs/language/providers/requirements.html#requiring-providers). We suggest to also include a version constraint for the provider to specify which versions the module is compatible with. +The Terraform module must declare which providers it requires within the [`terraform.required_providers` block](https://www.terraform.io/language/providers/requirements#requiring-providers). We suggest to also include a version constraint for the provider to specify which versions the module is compatible with. Aside from the `required_providers` block, provider configurations should not be included within the sharable module for network integrations. End users will configure the providers through CTS, and CTS will then translate provider configuration to the generated root module appropriately. diff --git a/website/content/docs/nia/usage/requirements.mdx b/website/content/docs/nia/usage/requirements.mdx index eeb679664..1a604e203 100644 --- a/website/content/docs/nia/usage/requirements.mdx +++ b/website/content/docs/nia/usage/requirements.mdx @@ -81,7 +81,7 @@ To find providers for the infrastructure platforms you use, browse the providers If a Terraform provider does not exist for your environment, you can create a new Terraform provider and publish it to the registry so that you can use it within a network integration task or create a compatible Terraform module. Refer to the following Terraform tutorial and documentation for additional information on creating and publishing providers: - [Setup and Implement Read](https://learn.hashicorp.com/tutorials/terraform/provider-setup) -- [Publishing Providers](https://www.terraform.io/docs/registry/providers/publishing.html). +- [Publishing Providers](https://www.terraform.io/registry/providers/publishing). ## Network integration using a Terraform module diff --git a/website/content/docs/release-notes/consul-api-gateway/v0_1_x.mdx b/website/content/docs/release-notes/consul-api-gateway/v0_1_x.mdx index b191e77fd..0ef5e5f66 100644 --- a/website/content/docs/release-notes/consul-api-gateway/v0_1_x.mdx +++ b/website/content/docs/release-notes/consul-api-gateway/v0_1_x.mdx @@ -41,7 +41,7 @@ This release includes the following features and capabilities: 1. Deploy 1 or more logical API Gateways per Kubernetes cluster 1. Support for HTTP, HTTPS, TCP, and TCP+TLS 1. Support for HTTP versions 1.1 and 2 -1. Load balance across a service’s instances +1. Load balance across a service's instances 1. Listeners load TLS certificates, signed by any CA, from Kubernetes secret storage 1. Route HTTP/S traffic to Services based on matching: - Hostname diff --git a/website/content/docs/release-notes/consul-api-gateway/v0_2_x.mdx b/website/content/docs/release-notes/consul-api-gateway/v0_2_x.mdx index d7f26e5b1..0ef656cc2 100644 --- a/website/content/docs/release-notes/consul-api-gateway/v0_2_x.mdx +++ b/website/content/docs/release-notes/consul-api-gateway/v0_2_x.mdx @@ -15,7 +15,7 @@ description: >- releases of Consul API Gateway, users could route requests from the API Gateway across various namespaces without providing any sort of explicit permissions. While this meant that any service connected to the service mesh - was reachable, it didn’t allow users to set the more granular restrictions or + was reachable, it didn't allow users to set the more granular restrictions or permissions that they may expect. This version of API Gateway implements Cross Namespace Reference Policies @@ -39,7 +39,7 @@ Supported version of the [Gateway API](https://gateway-api.sigs.k8s.io/) spec: ` ~> **Note**: If your current deployment has routes and and services that cross namespaces, those routes will not be applied to their gateways until cross namespace reference policies are created for them. -For detailed information on upgrading, including how to create the required reference policies, please refer to the [upgrade details page](/docs/api-gateway/upgrade-specific-versions) +For detailed information on upgrading, including how to create the required reference policies, please refer to the [upgrade details page](/docs/api-gateway/upgrades) ## Change logs diff --git a/website/content/docs/release-notes/consul-api-gateway/v0_3_x.mdx b/website/content/docs/release-notes/consul-api-gateway/v0_3_x.mdx index 788564580..660c0add5 100644 --- a/website/content/docs/release-notes/consul-api-gateway/v0_3_x.mdx +++ b/website/content/docs/release-notes/consul-api-gateway/v0_3_x.mdx @@ -47,7 +47,7 @@ Supported version of the [Gateway API](https://gateway-api.sigs.k8s.io/) spec: ` ## Upgrading -For detailed information on upgrading, please refer to the [upgrade details page](/docs/api-gateway/upgrade-specific-versions) +For detailed information on upgrading, please refer to the [upgrade details page](/docs/api-gateway/upgrades) ## Changelogs diff --git a/website/content/docs/release-notes/consul/v1_10_x.mdx b/website/content/docs/release-notes/consul/v1_10_x.mdx index e55b2ce32..5b8f0c19b 100644 --- a/website/content/docs/release-notes/consul/v1_10_x.mdx +++ b/website/content/docs/release-notes/consul/v1_10_x.mdx @@ -15,9 +15,9 @@ description: >- - **Streaming Enabled by Default for Service Health:** Streaming is a major architectural enhancement in how update notifications for blocking queries are delivered within the cluster which significantly reduces CPU and network bandwidth usage for large-scale Consul deployments. In Consul 1.10, streaming is now available for the service health HTTP endpoint and is enabled by default. -- **Redesigned UI and Observability Enhancements:** The Consul UI has been redesigned with a new sidebar layout. Additionally, Kubernetes users now have the ability to deploy Prometheus via the Consul Helm chart which automatically integrates it with Consul’s Service Visualization UI for displaying traffic metrics between services. Lastly, Pod and Envoy metrics can now be exposed to Prometheus using Kubernetes annotations via a single aggregated endpoint. +- **Redesigned UI and Observability Enhancements:** The Consul UI has been redesigned with a new sidebar layout. Additionally, Kubernetes users now have the ability to deploy Prometheus via the Consul Helm chart which automatically integrates it with Consul's Service Visualization UI for displaying traffic metrics between services. Lastly, Pod and Envoy metrics can now be exposed to Prometheus using Kubernetes annotations via a single aggregated endpoint. -- **Deprecation of Legacy ACL System:** In Consul 1.4, we upgraded to a new Access Controls (ACLs) system. This upgrade made improvements in Consul’s ACL system handles the API, Tokens, and Policies. With Consul 1.10, the legacy system is officially deprecated, and will be removed from Consul in a later release. We strongly recommend that users begin the process of migrating to the newer ACL system. +- **Deprecation of Legacy ACL System:** In Consul 1.4, we upgraded to a new Access Controls (ACLs) system. This upgrade made improvements in Consul's ACL system handles the API, Tokens, and Policies. With Consul 1.10, the legacy system is officially deprecated, and will be removed from Consul in a later release. We strongly recommend that users begin the process of migrating to the newer ACL system. ## What's Changed diff --git a/website/content/docs/release-notes/consul/v1_11_x.mdx b/website/content/docs/release-notes/consul/v1_11_x.mdx index aa5e68f80..4b83f0506 100644 --- a/website/content/docs/release-notes/consul/v1_11_x.mdx +++ b/website/content/docs/release-notes/consul/v1_11_x.mdx @@ -17,11 +17,11 @@ description: >- - **TLS Certificates for Ingress Gateways via an SDS source**: Ingress Gateways can now be configured to retrieve TLS certificates from an external SDS Service and load the TLS certificates for Ingress listeners. This configuration is set using the `ingress-gateway` configuration entry via the [SDS](/docs/connect/config-entries/ingress-gateway#sds) stanza within the Ingress Gateway TLS configuration. -- **Vault Auth Method support for Connect CA Vault Provider**: Consul now supports configuring the Connect CA Vault provider to use auth methods for authentication to Vault. Consul supports using any non-deprecated auth method that is available in Vault v1.8.5, including AppRole, AliCloud, AWS, Azure, Cloud Foundry, GitHub, Google Cloud, JWT/OIDC, Kerberos, Kubernetes, LDAP, Oracle Cloud Infrastructure, Okta, Radius, TLS Certificates, and Username & Password. The Vault Auth Method for Connect CA Provider is utilized by default for the [Vault Secrets Backend](/docs/k8s/installation/vault) feature on Consul on Kubernetes. Utilizing a Vault Auth method would no longer require a Vault token to be managed or provisioned ahead of time to be used for authentication to Vault. +- **Vault Auth Method support for Connect CA Vault Provider**: Consul now supports configuring the Connect CA Vault provider to use auth methods for authentication to Vault. Consul supports using any non-deprecated auth method that is available in Vault v1.8.5, including AppRole, AliCloud, AWS, Azure, Cloud Foundry, GitHub, Google Cloud, JWT/OIDC, Kerberos, Kubernetes, LDAP, Oracle Cloud Infrastructure, Okta, Radius, TLS Certificates, and Username & Password. The Vault Auth Method for Connect CA Provider is utilized by default for the [Vault Secrets Backend](/docs/k8s/deployment-configurations/vault) feature on Consul on Kubernetes. Utilizing a Vault Auth method would no longer require a Vault token to be managed or provisioned ahead of time to be used for authentication to Vault. ## What's Changed -- The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that all tokens and policies have been migrated to the newer ACL system. See the [Migrate Legacy ACL Tokens Learn Guide](https://learn.hashicorp.com/tutorials/consul/access-control-token-migration) for more information. +- The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that all tokens and policies have been migrated to the newer ACL system. Complete the [Migrate Legacy ACL Tokens](https://learn.hashicorp.com/consul/day-2-agent-authentication/migrate-acl-tokens) tutorial to learn more. - The `agent_master` ACL token has been renamed to `agent_recovery` ACL token. In addition, the `consul acl set-agent-token master` command has been replaced with `consul acl set-agent-token recovery`. See [ACL Agent Recovery Token](/docs/security/acl/acl-tokens#acl-agent-recovery-token) and [Consul ACL Set Agent Token](/commands/acl/set-agent-token) for more information. diff --git a/website/content/docs/release-notes/consul/v1_13_x.mdx b/website/content/docs/release-notes/consul/v1_13_x.mdx index 268712667..0c6be7329 100644 --- a/website/content/docs/release-notes/consul/v1_13_x.mdx +++ b/website/content/docs/release-notes/consul/v1_13_x.mdx @@ -21,7 +21,7 @@ description: >- - Removes support for Envoy 1.19.x and adds suport for Envoy 1.23. Refer to the [Envoy Compatibility matrix](/docs/connect/proxies/envoy) for more details. -- The [`disable_compat_19`](/docs/agent/options#telemetry-disable_compat_1.9) telemetry configuration option is now removed. In Consul versions 1.10.x through 1.11.x, the config defaulted to `false`. In version 1.12.x it defaulted to `true`. Before upgrading you should remove this flag from your config if the flag is being used. +- The [`disable_compat_19`](/docs/agent/config/config-files#telemetry-disable_compat_1.9) telemetry configuration option is now removed. In Consul versions 1.10.x through 1.11.x, the config defaulted to `false`. In version 1.12.x it defaulted to `true`. Before upgrading you should remove this flag from your config if the flag is being used. ## Upgrading diff --git a/website/content/docs/release-notes/consul/v1_9_x.mdx b/website/content/docs/release-notes/consul/v1_9_x.mdx index 8f095726d..dfc0bd041 100644 --- a/website/content/docs/release-notes/consul/v1_9_x.mdx +++ b/website/content/docs/release-notes/consul/v1_9_x.mdx @@ -9,7 +9,7 @@ description: >- ## Release Highlights -- **Application-Aware Intentions:** A new set of capabilities that extends Consul’s intentions model to support Layer 7 request information. Intentions now provide the ability for operators to construct policies which evaluate application-layer information such as HTTP Path, Headers, or Method – in addition to service identity – when authorizing HTTP-based (HTTP/1.1, HTTP/2, gRPC) service-to-service communication. +- **Application-Aware Intentions:** A new set of capabilities that extends Consul's intentions model to support Layer 7 request information. Intentions now provide the ability for operators to construct policies which evaluate application-layer information such as HTTP Path, Headers, or Method – in addition to service identity – when authorizing HTTP-based (HTTP/1.1, HTTP/2, gRPC) service-to-service communication. - **Service Mesh Visualization:** This addition provides a new topology tab to the Consul UI which displays topology diagrams and key service mesh metrics like request, error rates, and timing metrics. These new features will assist developers and operators in verifying configuration and troubleshooting issues within the service mesh. The UI also supports deep linking into your external metrics dashboards. @@ -17,7 +17,7 @@ description: >- - **Custom Resources for Kubernetes:** Consul now provides a Kubernetes-first experience through CRDs to allow practitioners to easily configure Consul service mesh via Kubernetes-style objects. -- **Deploy Consul in OpenShift:** Enable installing Consul via Helm chart in OpenShift. We’ve now ensured that Consul Kubernetes runs on OpenShift securely by ensuring that Consul runs as non-root and also provided a set of SecurityContextConstraints to deploy Consul securely. +- **Deploy Consul in OpenShift:** Enable installing Consul via Helm chart in OpenShift. We've now ensured that Consul Kubernetes runs on OpenShift securely by ensuring that Consul runs as non-root and also provided a set of SecurityContextConstraints to deploy Consul securely. - Installing Consul on OpenShift should now be as simple as running a Helm install with the `global.openshift.enabled` set to `true`. - **Active Health Checks for Consul on Kubernetes:** Consul service mesh now integrates with Kubernetes Readiness probes. This provides the ability to natively detect health status from Kubernetes via Readiness probe, and is then used for directing service mesh traffic. diff --git a/website/content/docs/security/acl/acl-federated-datacenters.mdx b/website/content/docs/security/acl/acl-federated-datacenters.mdx index 0309452c2..50335a423 100644 --- a/website/content/docs/security/acl/acl-federated-datacenters.mdx +++ b/website/content/docs/security/acl/acl-federated-datacenters.mdx @@ -67,7 +67,7 @@ acl = { ~> **Warning:** Note that most enterprise deployments have security requirements that prevent specifying tokens in configuration files. The `enable_token_persistence` flag is also set in the configuration example so that the token is stored to disk in the agent's -[data directory](/docs/agent/options#_data_dir). Any future changes to the token that are made through the [API](/api-docs/agent#update-acl-tokens) will +[data directory](/docs/agent/config/config-files#_data_dir). Any future changes to the token that are made through the [API](/api-docs/agent#update-acl-tokens) will be persisted to the same location, and the value in the config file will be ignored. The ACL agent token can also be set using the [`consul acl set-agent-token`](/commands/acl/set-agent-token) CLI as shown below. @@ -85,7 +85,7 @@ provided to them. ### Create the replication token for ACL Management Replication tokens are needed for ACL token replication and -to create both [configuration entries](/docs/agent/config-entries) and [auth methods](/docs/acl/auth-methods) +to create both [configuration entries](/docs/agent/config-entries) and [auth methods](/docs/security/acl/auth-methods) in connected secondary datacenters. Replication tokens require the following permissions: diff --git a/website/content/docs/security/acl/acl-legacy.mdx b/website/content/docs/security/acl/acl-legacy.mdx index 051bd2439..0b59ef053 100644 --- a/website/content/docs/security/acl/acl-legacy.mdx +++ b/website/content/docs/security/acl/acl-legacy.mdx @@ -15,7 +15,7 @@ description: >- ~> **Alert: Deprecation Notice** The ACL system described here was Consul's original ACL implementation. The legacy ACL system was deprecated in Consul 1.4.0 and removed in Consul 1.11.0. -The documentation for the new ACL system can be found [here](/docs/security/acl). For information on how to migrate to the new ACL System, please read the [Migrate Legacy ACL Tokens](https://learn.hashicorp.com/tutorials/consul/access-control-token-migration) tutorial. +The documentation for the new ACL system can be found [here](/docs/security/acl). For information on how to migrate to the new ACL System, please read the [Migrate Legacy ACL Tokens](https://learn.hashicorp.com/consul/day-2-agent-authentication/migrate-acl-tokens) tutorial. The legacy documentation has two sections. @@ -114,7 +114,7 @@ The type is either "client" (meaning the token cannot modify ACL rules) or "mana (meaning the token is allowed to perform all actions). The token ID is passed along with each RPC request to the servers. Consul's -[HTTP endpoints](/api) can accept tokens via the `token` +[HTTP endpoints](/api-docs) can accept tokens via the `token` query string parameter, or the `X-Consul-Token` request header, or Authorization Bearer token [RFC6750](https://tools.ietf.org/html/rfc6750). Consul's [CLI commands](/commands) can accept tokens via the @@ -804,7 +804,7 @@ A token with `write` access on a prefix also has `list` access. A token with `li #### Sentinel Integration Consul Enterprise supports additional optional fields for key write policies for -[Sentinel](https://docs.hashicorp.com/sentinel/consul/) integration. An example key rule with a +[Sentinel](https://docs.hashicorp.com/sentinel/consul) integration. An example key rule with a Sentinel code policy looks like this: ```hcl @@ -888,7 +888,7 @@ to use for registration events: of multiple tokens on the same agent. Examples of what this looks like are available for both [services](/docs/discovery/services) and [checks](/docs/discovery/checks). Tokens may also be passed to the - [HTTP API](/api) for operations that require them. + [HTTP API](/api-docs) for operations that require them. In addition to ACLs, in Consul 0.9.0 and later, the agent must be configured with [`enable_script_checks`](/docs/agent/config/config-files#enable_script_checks) set to `true` in order to enable @@ -981,7 +981,7 @@ prepared query was created, the behavior changes and now the captured ACL Token set by the definer of the query is used when looking up a service. Capturing ACL Tokens is analogous to -[PostgreSQL’s](http://www.postgresql.org/docs/current/static/sql-createfunction.html) +[PostgreSQL's](http://www.postgresql.org/docs/current/static/sql-createfunction.html) `SECURITY DEFINER` attribute which can be set on functions, and using the client's ACL Token is similar to the complementary `SECURITY INVOKER` attribute. @@ -1045,7 +1045,7 @@ to use for registration events: tokens on the same agent. Examples of what this looks like are available for both [services](/docs/discovery/services) and [checks](/docs/discovery/checks). Tokens may also be passed to the [HTTP - API](/api) for operations that require them. **Note:** all tokens + API](/api-docs) for operations that require them. **Note:** all tokens passed to an agent are persisted on local disk to allow recovery from restarts. See [`-data-dir` flag documentation](/docs/agent/config/config-files#acl_token) for notes on securing diff --git a/website/content/docs/security/acl/acl-policies.mdx b/website/content/docs/security/acl/acl-policies.mdx index 25af824c6..0099646b9 100644 --- a/website/content/docs/security/acl/acl-policies.mdx +++ b/website/content/docs/security/acl/acl-policies.mdx @@ -349,7 +349,7 @@ ACL policies can have the following attributes: | `namespace` | Namespace in which the policy is valid. Added in Consul Enterprise 1.7.0. | Optional | `default` | | `partition` | Admin partition in which the policy is valid. Added in Consul Enterprise 1.11.0 | Optional | `default` | --> **Non-default Namespaces and Partitions** - Rules defined in a policy tied to an namespace or admin partition other than `default` can only grant a subset of privileges that affect the namespace or partition. See [Namespace Rules](/docs/acl/acl-rules#namespace-rules) and [Admin Partition Rules](/docs/acl/acl-rules#admin-partition-rules) for additional information. +-> **Non-default Namespaces and Partitions** - Rules defined in a policy tied to an namespace or admin partition other than `default` can only grant a subset of privileges that affect the namespace or partition. See [Namespace Rules](/docs/acl/acl-rules#namespace-rules) and [Admin Partition Rules](/docs/security/acl/acl-rules#admin-partition-rules) for additional information. You can view the current ACL policies on the command line or through the API. The following example demonstrates the command line usage: diff --git a/website/content/docs/security/acl/acl-roles.mdx b/website/content/docs/security/acl/acl-roles.mdx index ded89f2d3..31aa98d10 100644 --- a/website/content/docs/security/acl/acl-roles.mdx +++ b/website/content/docs/security/acl/acl-roles.mdx @@ -210,7 +210,7 @@ node_prefix "" { You can specify a node identity when configuring roles or linking tokens to policies. _Node_ commonly refers to a Consul agent, but a node can also be a physical server, cloud instance, virtual machine, or container. -Node identities enable you to quickly construct policies for nodes, rather than manually creating identical polices for each node. They are used during the authorization process to automatically generate a policy for the node(s) specified. You can specify the token linked to the policy in the [`acl_tokens_agent`](/docs/agent/options#acl_tokens_agent) field when configuring the agent. +Node identities enable you to quickly construct policies for nodes, rather than manually creating identical polices for each node. They are used during the authorization process to automatically generate a policy for the node(s) specified. You can specify the token linked to the policy in the [`acl_tokens_agent`](/docs/agent/config/config-files#acl_tokens_agent) field when configuring the agent. ### Node Identity Specification diff --git a/website/content/docs/security/acl/acl-rules.mdx b/website/content/docs/security/acl/acl-rules.mdx index c83611706..d150648a6 100644 --- a/website/content/docs/security/acl/acl-rules.mdx +++ b/website/content/docs/security/acl/acl-rules.mdx @@ -338,7 +338,7 @@ A token with `write` access on a prefix also has `list` access. A token with `li #### Sentinel Integration Consul Enterprise supports additional optional fields for key write policies for -[Sentinel](https://docs.hashicorp.com/sentinel/consul/) integration. +[Sentinel](https://docs.hashicorp.com/sentinel/consul) integration. ```hcl key "foo" { @@ -586,7 +586,7 @@ These actions may required an ACL token to complete. Use the following methods t This allows a single token to be used during all check registration operations. * Provide an ACL token with `service` and `check` definitions at registration time. This allows for greater flexibility and enables the use of multiple tokens on the same agent. - Refer to the [services](/docs/agent/services) and [checks](/docs/agent/checks) documentation for examples. + Refer to the [services](/docs/agent/services) and [checks](/docs/discovery/checks) documentation for examples. Tokens may also be passed to the [HTTP API](/api-docs) for operations that require them. ## Operator Rules @@ -722,7 +722,7 @@ prepared query was created, the behavior changes and now the captured ACL Token set by the definer of the query is used when looking up a service. Capturing ACL Tokens is analogous to -[PostgreSQL’s](http://www.postgresql.org/docs/current/static/sql-createfunction.html) +[PostgreSQL's](http://www.postgresql.org/docs/current/static/sql-createfunction.html) `SECURITY DEFINER` attribute which can be set on functions, and using the client's ACL Token is similar to the complementary `SECURITY INVOKER` attribute. diff --git a/website/content/docs/security/acl/acl-tokens.mdx b/website/content/docs/security/acl/acl-tokens.mdx index 8c80be719..c6d6e9fb3 100644 --- a/website/content/docs/security/acl/acl-tokens.mdx +++ b/website/content/docs/security/acl/acl-tokens.mdx @@ -153,7 +153,7 @@ system or accessing Consul under specific conditions. The following table descri | Token | Servers | Clients | Description | | ------------------------------------------------------------------------------------ | ---------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [`acl.tokens.agent_recovery`](/docs/agent/options#acl_tokens_agent_recovery) | `OPTIONAL` | `OPTIONAL` | Enables access to the [Agent API](/api-docs/agent) when remote bearer token resolution fails.
Used for setting up the cluster and performing initial join operations.
See [ACL Agent Recovery Token](#acl-agent-recovery-token) for details. | +| [`acl.tokens.agent_recovery`](/docs/agent/config/config-files#acl_tokens_agent_recovery) | `OPTIONAL` | `OPTIONAL` | Enables access to the [Agent API](/api-docs/agent) when remote bearer token resolution fails.
Used for setting up the cluster and performing initial join operations.
See [ACL Agent Recovery Token](#acl-agent-recovery-token) for details. | | [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) | `OPTIONAL` | `OPTIONAL` | Used for internal agent operations. See [ACL Agent Token](#acl-agent-token) for details. | | [`acl.tokens.initial_management`](/docs/agent/options#acl_tokens_initial_management) | `OPTIONAL` | `N/A` | Used to bootstrap the ACL system. See [Initial Management Token](#initial-management-token). | | [`acl.tokens.default`](/docs/agent/options#acl_tokens_default) | `OPTIONAL` | `OPTIONAL` | Specifies a default token to use for client requests if no token is supplied. This is commonly configured with read-only access to services to enable DNS service discovery on agents. | @@ -169,7 +169,7 @@ Snapshots are artifacts created with the [snapshot API](/api-docs/snapshot) for The [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) is a special token that is used for an agent's internal operations. It isn't used directly for any user-initiated operations like the [`acl.tokens.default`](/docs/agent/options#acl_tokens_default), though if the `acl.tokens.agent` isn't configured the `acl.tokens.default` will be used. The ACL agent token is used for the following operations by the agent: 1. Updating the agent's node entry using the [Catalog API](/api-docs/catalog), including updating its node metadata, tagged addresses, and network coordinates -2. Performing [anti-entropy](/docs/internals/anti-entropy) syncing, in particular reading the node metadata and services registered with the catalog +2. Performing [anti-entropy](/docs/architecture/anti-entropy) syncing, in particular reading the node metadata and services registered with the catalog 3. Reading and writing the special `_rexec` section of the KV store when executing [`consul exec`](/commands/exec) commands Here's an example policy sufficient to accomplish the above for a node called `mynode`: @@ -221,7 +221,7 @@ In Consul 1.4 - 1.10, this was called the `master` token. It was renamed to `ini ### ACL Agent Recovery Token -The [`acl.tokens.agent_recovery`](/docs/agent/options#acl_tokens_agent_recovery) is designed to be used when the Consul servers are not available. The policy linked to the token is managed locally on the agent and does not require a token to be defined on the Consul servers. Once set, it implicitly has the following policy associated with it +The [`acl.tokens.agent_recovery`](/docs/agent/config/config-files#acl_tokens_agent_recovery) is designed to be used when the Consul servers are not available. The policy linked to the token is managed locally on the agent and does not require a token to be defined on the Consul servers. Once set, it implicitly has the following policy associated with it