Merge branch 'main' of github.com:hashicorp/consul into what_service_mesh

Karl Cardenas 2022-01-18 15:11:48 -07:00
commit 9cfcd1af39
No known key found for this signature in database
GPG Key ID: 0AC61D76B41F1EDC
49 changed files with 4704 additions and 99 deletions

3
.changelog/11895.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
connect: update Envoy supported version of 1.20 to 1.20.1
```

3
.changelog/12057.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
serf: update serf v0.9.7, complete the leave process if broadcasting leave timeout.
```
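Review bot: the release note text in this entry is missing words: "update serf v0.9.7" should read "update serf to v0.9.7", and "if broadcasting leave timeout" should read "if broadcasting the leave times out". Release notes are copied into the CHANGELOG as written, so it is worth fixing here.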


@ -837,10 +837,10 @@ jobs:
environment:
ENVOY_VERSION: "1.19.1"
envoy-integration-test-1_20_0:
envoy-integration-test-1_20_1:
<<: *ENVOY_TESTS
environment:
ENVOY_VERSION: "1.20.0"
ENVOY_VERSION: "1.20.1"
# run integration tests for the connect ca providers
test-connect-ca-providers:
@ -1091,7 +1091,7 @@ workflows:
- envoy-integration-test-1_19_1:
requires:
- dev-build
- envoy-integration-test-1_20_0:
- envoy-integration-test-1_20_1:
requires:
- dev-build
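Review bot: replacing `envoy-integration-test-1_20_0` with `envoy-integration-test-1_20_1` in the workflow list leaves Envoy 1.20.0 without an integration job, while the `TestDetermineSupportedProxyFeaturesFromString` table in this commit still lists "1.20.0" next to "1.20.1". That matches how 1.19.0 is treated (only `envoy-integration-test-1_19_1` runs), so it looks intended, but please confirm that testing only the latest patch release of each minor line is the policy.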


@ -249,4 +249,4 @@ jobs:
arch: ${{matrix.arch}}
tags: |
docker.io/hashicorp/${{env.repo}}:${{env.version}}
ecr.public.aws/hashicorp/${{env.repo}}:${{env.version}}
public.ecr.aws/hashicorp/${{env.repo}}:${{env.version}}
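Review bot: the corrected host on the last line, `public.ecr.aws/hashicorp/...`, is the right form for Amazon ECR Public, which means the previous `ecr.public.aws/...` tag could not have pointed at that registry. Please check whether any release built with the old value is missing its ECR image and needs to be pushed again.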


@ -1,3 +1,46 @@
## 1.11.2 (January 12, 2022)
FEATURES:
* ingress: allow setting TLS min version and cipher suites in ingress gateway config entries [[GH-11576](https://github.com/hashicorp/consul/issues/11576)]
IMPROVEMENTS:
* api: Return 404 when de-registering a non-existent check [[GH-11950](https://github.com/hashicorp/consul/issues/11950)]
* connect: Add support for connecting to services behind a terminating gateway when using a transparent proxy. [[GH-12049](https://github.com/hashicorp/consul/issues/12049)]
* http: when a user attempts to access the UI but can't because it's disabled, explain this and how to fix it [[GH-11820](https://github.com/hashicorp/consul/issues/11820)]
* ui: Added a notice for non-primary intention creation [[GH-11985](https://github.com/hashicorp/consul/issues/11985)]
BUG FIXES:
* Mutate `NodeService` struct properly to avoid a data race. [[GH-11940](https://github.com/hashicorp/consul/issues/11940)]
* Upgrade to raft `1.3.3` which fixes a bug where a read replica node can trigger a raft election and become a leader. [[GH-11958](https://github.com/hashicorp/consul/issues/11958)]
* cli: Display assigned node identities in output of `consul acl token list`. [[GH-11926](https://github.com/hashicorp/consul/issues/11926)]
* cli: when creating a private key, save the file with mode 0600 so that only the user has read permission. [[GH-11781](https://github.com/hashicorp/consul/issues/11781)]
* config: include all config errors in the error message, previously some could be hidden. [[GH-11918](https://github.com/hashicorp/consul/issues/11918)]
* memberlist: fixes a bug which prevented members from joining a cluster with
large amounts of churn [[GH-253](https://github.com/hashicorp/memberlist/issues/253)] [[GH-12042](https://github.com/hashicorp/consul/issues/12042)]
* snapshot: the `snapshot save` command now saves the snapshot with read permission for only the current user. [[GH-11918](https://github.com/hashicorp/consul/issues/11918)]
* ui: Differentiate between Service Meta and Node Meta when choosing search fields
in Service Instance listings [[GH-11774](https://github.com/hashicorp/consul/issues/11774)]
* ui: Ensure a login buttons appear for some error states, plus text amends [[GH-11892](https://github.com/hashicorp/consul/issues/11892)]
* ui: Ensure partition query parameter is passed through to all OIDC related API
requests [[GH-11979](https://github.com/hashicorp/consul/issues/11979)]
* ui: Fix an issue where attempting to delete a policy from the policy detail page when
attached to a token would result in the delete button disappearing and no
deletion being attempted [[GH-11868](https://github.com/hashicorp/consul/issues/11868)]
* ui: Fixes a bug where proxy service health checks would sometimes not appear
until refresh [[GH-11903](https://github.com/hashicorp/consul/issues/11903)]
* ui: Fixes a bug with URL decoding within KV area [[GH-11931](https://github.com/hashicorp/consul/issues/11931)]
* ui: Fixes a visual issue with some border colors [[GH-11959](https://github.com/hashicorp/consul/issues/11959)]
* ui: Fixes an issue saving intentions when editing per service intentions [[GH-11937](https://github.com/hashicorp/consul/issues/11937)]
* ui: Fixes an issue where once a 403 page is displayed in some circumstances its
diffcult to click back to where you where before receiving a 403 [[GH-11891](https://github.com/hashicorp/consul/issues/11891)]
* ui: Prevent disconnection notice appearing with auth change on certain pages [[GH-11905](https://github.com/hashicorp/consul/issues/11905)]
* ui: Temporarily remove KV pre-flight check for KV list permissions [[GH-11968](https://github.com/hashicorp/consul/issues/11968)]
* windows: Fixes a bug with empty log files when Consul is run as a Windows Service [[GH-11960](https://github.com/hashicorp/consul/issues/11960)]
* xds: fix a deadlock when the snapshot channel already have a snapshot to be consumed. [[GH-11924](https://github.com/hashicorp/consul/issues/11924)]
## 1.11.1 (December 15, 2021)
SECURITY:
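Review bot: in the 1.11.2 BUG FIXES list, the `config: include all config errors` entry and the `snapshot: the snapshot save command now saves the snapshot with read permission for only the current user` entry both link GH-11918. Two unrelated fixes pointing at the same issue suggests one reference was copied; please correct whichever is wrong, since the snapshot permission change is one operators will want to trace. Smaller wording fixes in the same list: "a login buttons appear", "its diffcult to click back to where you where", and "already have a snapshot".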
@ -133,6 +176,45 @@ NOTES:
* Renamed the `agent_master` field to `agent_recovery` in the `acl-tokens.json` file in which tokens are persisted on-disk (when `acl.enable_token_persistence` is enabled) [[GH-11744](https://github.com/hashicorp/consul/issues/11744)]
## 1.10.7 (January 12, 2022)
SECURITY:
* namespaces: **(Enterprise only)** Creating or editing namespaces that include default ACL policies or ACL roles now requires `acl:write` permission in the default namespace. This change fixes CVE-2021-41805.
FEATURES:
* ui: Adds visible Consul version information [[GH-11803](https://github.com/hashicorp/consul/issues/11803)]
BUG FIXES:
* Mutate `NodeService` struct properly to avoid a data race. [[GH-11940](https://github.com/hashicorp/consul/issues/11940)]
* Upgrade to raft `1.3.3` which fixes a bug where a read replica node can trigger a raft election and become a leader. [[GH-11958](https://github.com/hashicorp/consul/issues/11958)]
* ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [[GH-11693](https://github.com/hashicorp/consul/issues/11693)]
* ca: fixes a bug that caused the SigningKeyID to be wrong in the primary DC, when the Vault provider is used, after a CA config creates a new root. [[GH-11672](https://github.com/hashicorp/consul/issues/11672)]
* ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [[GH-11671](https://github.com/hashicorp/consul/issues/11671)]
* cli: Display assigned node identities in output of `consul acl token list`. [[GH-11926](https://github.com/hashicorp/consul/issues/11926)]
* cli: when creating a private key, save the file with mode 0600 so that only the user has read permission. [[GH-11781](https://github.com/hashicorp/consul/issues/11781)]
* snapshot: **(Enterprise only)** fixed a bug where the snapshot agent would ignore the `license_path` setting in config files
* structs: **(Enterprise only)** Remove partition field parsing from 1.10 to prevent further 1.11 upgrade compatibility issues.
* ui: Differentiate between Service Meta and Node Meta when choosing search fields
in Service Instance listings [[GH-11774](https://github.com/hashicorp/consul/issues/11774)]
* ui: Ensure we show a readonly designed page for readonly intentions [[GH-11767](https://github.com/hashicorp/consul/issues/11767)]
* ui: Fix an issue where attempting to delete a policy from the policy detail page when
attached to a token would result in the delete button disappearing and no
deletion being attempted [[GH-11868](https://github.com/hashicorp/consul/issues/11868)]
* ui: Fix visual issue with slight table header overflow [[GH-11670](https://github.com/hashicorp/consul/issues/11670)]
* ui: Fixes an issue where once a 403 page is displayed in some circumstances its
diffcult to click back to where you where before receiving a 403 [[GH-11891](https://github.com/hashicorp/consul/issues/11891)]
* ui: Fixes an issue where under some circumstances after logging we present the
data loaded previous to you logging in. [[GH-11681](https://github.com/hashicorp/consul/issues/11681)]
* ui: Include `Service.Namespace` into available variables for `dashboard_url_templates` [[GH-11640](https://github.com/hashicorp/consul/issues/11640)]
* ui: Revert to depending on the backend, 'post-user-action', to report
permissions errors rather than using UI capabilities 'pre-user-action' [[GH-11520](https://github.com/hashicorp/consul/issues/11520)]
* ui: Temporarily remove KV pre-flight check for KV list permissions [[GH-11968](https://github.com/hashicorp/consul/issues/11968)]
* windows: Fixes a bug with empty log files when Consul is run as a Windows Service [[GH-11960](https://github.com/hashicorp/consul/issues/11960)]
* xds: fix a deadlock when the snapshot channel already have a snapshot to be consumed. [[GH-11924](https://github.com/hashicorp/consul/issues/11924)]
## 1.10.6 (December 15, 2021)
SECURITY:
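Review bot: the SECURITY entry for CVE-2021-41805 is added under 1.10.7 here and under 1.9.14 in the next hunk, but the 1.11.2 section added at the top of this file has no SECURITY heading. Please confirm the 1.11 line already carries the `acl:write` requirement from an earlier release, or add the same entry to 1.11.2, so that readers on 1.11.x can tell whether they are affected.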
@ -417,6 +499,29 @@ NOTES:
* legal: **(Enterprise only)** Enterprise binary downloads will now include a copy of the EULA and Terms of Evaluation in the zip archive
## 1.9.14 (January 12, 2022)
SECURITY:
* namespaces: **(Enterprise only)** Creating or editing namespaces that include default ACL policies or ACL roles now requires `acl:write` permission in the default namespace. This change fixes CVE-2021-41805.
BUG FIXES:
* ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [[GH-11693](https://github.com/hashicorp/consul/issues/11693)]
* ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [[GH-11671](https://github.com/hashicorp/consul/issues/11671)]
* cli: Display assigned node identities in output of `consul acl token list`. [[GH-11926](https://github.com/hashicorp/consul/issues/11926)]
* cli: when creating a private key, save the file with mode 0600 so that only the user has read permission. [[GH-11781](https://github.com/hashicorp/consul/issues/11781)]
* snapshot: **(Enterprise only)** fixed a bug where the snapshot agent would ignore the `license_path` setting in config files
* ui: Differentiate between Service Meta and Node Meta when choosing search fields
in Service Instance listings [[GH-11774](https://github.com/hashicorp/consul/issues/11774)]
* ui: Fixes an issue where under some circumstances after logging we present the
data loaded previous to you logging in. [[GH-11681](https://github.com/hashicorp/consul/issues/11681)]
* ui: Fixes an issue where under some circumstances the namespace selector could
become 'stuck' on the default namespace [[GH-11830](https://github.com/hashicorp/consul/issues/11830)]
* ui: Include `Service.Namespace` into available variables for `dashboard_url_templates` [[GH-11640](https://github.com/hashicorp/consul/issues/11640)]
* ui: Prevent disconnection notice appearing with auth change on certain pages [[GH-11905](https://github.com/hashicorp/consul/issues/11905)]
* xds: fix a deadlock when the snapshot channel already have a snapshot to be consumed. [[GH-11924](https://github.com/hashicorp/consul/issues/11924)]
## 1.9.13 (December 15, 2021)
SECURITY:
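Review bot: the `ui:` entry under 1.9.14 that reads "after logging we present the data loaded previous to you logging in" is hard to parse for a fix about data shown across a login; something like "after logging in, the UI could still show data loaded before login" says the same thing more clearly. The same sentence appears in the 1.10.7 section, and in the `xds:` entry "already have a snapshot" should be "already has a snapshot".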


@ -126,7 +126,7 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
"1.17.0", "1.17.1", "1.17.2", "1.17.3", "1.17.4",
"1.18.0", "1.18.1", "1.18.2", "1.18.3", "1.18.4",
"1.19.0", "1.19.1",
"1.20.0",
"1.20.0", "1.20.1",
} {
cases[v] = testcase{expect: supportedProxyFeatures{}}
}


@ -7,7 +7,7 @@ package proxysupport
//
// see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions
var EnvoyVersions = []string{
"1.20.0",
"1.20.1",
"1.19.1",
"1.18.4",
"1.17.4",
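Review bot: the comment above `EnvoyVersions` points readers at the supported-versions section of the Envoy docs page, and this hunk replaces "1.20.0" with "1.20.1" rather than adding to the list. None of the hunks shown here touches that docs table, so please confirm it is updated in the same change; otherwise the linked page and this list will disagree about which 1.20.x release is supported.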

14
go.mod

@ -14,7 +14,7 @@ require (
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e
github.com/armon/go-metrics v0.3.10
github.com/armon/go-radix v1.0.0
github.com/aws/aws-sdk-go v1.25.41
github.com/aws/aws-sdk-go v1.42.34
github.com/coredns/coredns v1.1.2
github.com/coreos/go-oidc v2.1.0+incompatible
github.com/digitalocean/godo v1.10.0 // indirect
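Review bot: `github.com/aws/aws-sdk-go` jumps from v1.25.41 to v1.42.34 in this hunk, and neither changelog entry visible in this commit (.changelog/11895.txt, .changelog/12057.txt) mentions it. A jump of that size in an SDK that handles cloud credentials deserves a release note or at least a stated reason, so that a later audit can tell why the version moved.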
@ -56,21 +56,21 @@ require (
github.com/hashicorp/raft-autopilot v0.1.5
github.com/hashicorp/raft-boltdb v0.0.0-20211202195631-7d34b9fb3f42 // indirect
github.com/hashicorp/raft-boltdb/v2 v2.2.0
github.com/hashicorp/serf v0.9.6
github.com/hashicorp/serf v0.9.7
github.com/hashicorp/vault/api v1.0.5-0.20200717191844-f687267c8086
github.com/hashicorp/vault/sdk v0.1.14-0.20200519221838-e0cfd64bc267
github.com/hashicorp/yamux v0.0.0-20210826001029-26ff87cf9493
github.com/imdario/mergo v0.3.6
github.com/joyent/triton-go v1.7.1-0.20200416154420-6801d15b779f // indirect
github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
github.com/kr/text v0.1.0
github.com/kr/text v0.2.0
github.com/miekg/dns v1.1.41
github.com/mitchellh/cli v1.1.0
github.com/mitchellh/copystructure v1.0.0
github.com/mitchellh/go-testing-interface v1.14.0
github.com/mitchellh/hashstructure v0.0.0-20170609045927-2bca23e0e452
github.com/mitchellh/mapstructure v1.4.1-0.20210112042008-8ebf2d61a8b4
github.com/mitchellh/pointerstructure v1.0.0
github.com/mitchellh/mapstructure v1.4.1
github.com/mitchellh/pointerstructure v1.2.1
github.com/mitchellh/reflectwalk v1.0.1
github.com/patrickmn/go-cache v2.1.0+incompatible
github.com/pierrec/lz4 v2.5.2+incompatible // indirect
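Review bot: `github.com/mitchellh/mapstructure` moves from the pseudo-version `v1.4.1-0.20210112042008-8ebf2d61a8b4` to the tagged `v1.4.1`. A pseudo-version of that form only says the pinned commit sorts before v1.4.1, not that the tag contains it, so please confirm the tagged release includes commit 8ebf2d61a8b4 and that whatever motivated the pin is still covered. `github.com/mitchellh/pointerstructure` (v1.0.0 to v1.2.1) and `github.com/kr/text` (v0.1.0 to v0.2.0) change in the same hunk without a stated reason.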
@ -78,14 +78,14 @@ require (
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
github.com/prometheus/client_golang v1.4.0
github.com/rboyer/safeio v0.2.1
github.com/ryanuber/columnize v2.1.0+incompatible
github.com/ryanuber/columnize v2.1.2+incompatible
github.com/shirou/gopsutil/v3 v3.21.10
github.com/stretchr/testify v1.7.0
go.etcd.io/bbolt v1.3.5
go.opencensus.io v0.22.0 // indirect
go.uber.org/goleak v1.1.10
golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
golang.org/x/net v0.0.0-20211209124913-491a49abca63
golang.org/x/net v0.0.0-20211216030914-fe4d6282115f
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
golang.org/x/sys v0.0.0-20211013075003-97ac67df715c

30
go.sum

@ -66,8 +66,9 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/aws/aws-sdk-go v1.25.41 h1:/hj7nZ0586wFqpwjNpzWiUTwtaMgxAZNZKHay80MdXw=
github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/aws/aws-sdk-go v1.42.34 h1:fqGAiKmCSRY1rEa4G9VqgkKKbNmLKYq5dKmLtQkvYi8=
github.com/aws/aws-sdk-go v1.42.34/go.mod h1:OGr6lGMAKGlG9CVrYnWYDKIyb829c6EVBRjxqjmPepc=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@ -104,6 +105,7 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -301,8 +303,9 @@ github.com/hashicorp/raft-boltdb v0.0.0-20211202195631-7d34b9fb3f42 h1:Ye8SofeDH
github.com/hashicorp/raft-boltdb v0.0.0-20211202195631-7d34b9fb3f42/go.mod h1:wcXL8otVu5cpJVLjcmq7pmfdRCdaP+xnvu7WQcKJAhs=
github.com/hashicorp/raft-boltdb/v2 v2.2.0 h1:/CVN9LSAcH50L3yp2TsPFIpeyHn1m3VF6kiutlDE3Nw=
github.com/hashicorp/raft-boltdb/v2 v2.2.0/go.mod h1:SgPUD5TP20z/bswEr210SnkUFvQP/YjKV95aaiTbeMQ=
github.com/hashicorp/serf v0.9.6 h1:uuEX1kLR6aoda1TBttmJQKDLZE1Ob7KN0NPdE7EtCDc=
github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4=
github.com/hashicorp/serf v0.9.7 h1:hkdgbqizGQHuU5IPqYM1JdSMV8nKfpuOnZYXssk9muY=
github.com/hashicorp/serf v0.9.7/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4=
github.com/hashicorp/vault/api v1.0.5-0.20200717191844-f687267c8086 h1:OKsyxKi2sNmqm1Gv93adf2AID2FOBFdCbbZn9fGtIdg=
github.com/hashicorp/vault/api v1.0.5-0.20200717191844-f687267c8086/go.mod h1:R3Umvhlxi2TN7Ex2hzOowyeNb+SfbVWI973N+ctaFMk=
github.com/hashicorp/vault/sdk v0.1.14-0.20200519221838-e0cfd64bc267 h1:e1ok06zGrWJW91rzRroyl5nRNqraaBe4d5hiKcVZuHM=
@ -322,8 +325,11 @@ github.com/jackc/fake v0.0.0-20150926172116-812a484cc733/go.mod h1:WrMFNQdiFJ80s
github.com/jackc/pgx v3.3.0+incompatible/go.mod h1:0ZGrqGqkRlliWnWB4zKnWtjbSWbGkVEFm4TeybAXq+I=
github.com/jarcoal/httpmock v0.0.0-20180424175123-9c70cfe4a1da h1:FjHUJJ7oBW4G/9j1KzlHaXL09LyMVM9rupS39lncbXk=
github.com/jarcoal/httpmock v0.0.0-20180424175123-9c70cfe4a1da/go.mod h1:ks+b9deReOc7jgqp+e7LuFiCBH6Rm5hL32cLcEAArb4=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
github.com/joyent/triton-go v0.0.0-20180628001255-830d2b111e62/go.mod h1:U+RSyWxWd04xTqnuOQxnai7XGS2PrPY2cfGoDKtMHjA=
github.com/joyent/triton-go v1.7.1-0.20200416154420-6801d15b779f h1:ENpDacvnr8faw5ugQmEF1QYk+f/Y9lXFvuYmRxykago=
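Review bot: the `github.com/jmespath/go-jmespath` entries move from a 2018 pseudo-version to v0.4.0 and add `github.com/jmespath/go-jmespath/internal/testify v1.5.1`, neither of which appears in the go.mod hunks, so these are indirect changes. Please confirm go.sum was regenerated with `go mod tidy` rather than edited by hand, and that `go mod verify` passes on a clean module cache.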
@ -347,8 +353,9 @@ github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/linode/linodego v0.7.1 h1:4WZmMpSA2NRwlPZcc0+4Gyn7rr99Evk9bnr0B3gXRKE=
github.com/linode/linodego v0.7.1/go.mod h1:ga11n3ivecUrPCHN0rANxKmfWBJVkOXfLMZinAbj2sY=
@ -390,10 +397,10 @@ github.com/mitchellh/hashstructure v0.0.0-20170609045927-2bca23e0e452/go.mod h1:
github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/mitchellh/mapstructure v1.4.1-0.20210112042008-8ebf2d61a8b4 h1:MGwxzM4mdkhmCfDyEmSfng7tE1QRIUGbedKdaMksvjw=
github.com/mitchellh/mapstructure v1.4.1-0.20210112042008-8ebf2d61a8b4/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/mitchellh/pointerstructure v1.0.0 h1:ATSdz4NWrmWPOF1CeCBU4sMCno2hgqdbSrRPFWQSVZI=
github.com/mitchellh/pointerstructure v1.0.0/go.mod h1:k4XwG94++jLVsSiTxo7qdIfXA9pj9EAeo0QsNNJOLZ8=
github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/mitchellh/pointerstructure v1.2.1 h1:ZhBBeX8tSlRpu/FFhXH4RC4OJzFlqsQhoHZAz4x7TIw=
github.com/mitchellh/pointerstructure v1.2.1/go.mod h1:BRAsLI5zgXmw97Lf6s25bs8ohIXc3tViBH44KcwB2g4=
github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
github.com/mitchellh/reflectwalk v1.0.1 h1:FVzMWA5RllMAKIdUSC8mdWo3XtwoecrH79BY70sEEpE=
github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
@ -471,8 +478,9 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So
github.com/rs/zerolog v1.4.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/columnize v2.1.0+incompatible h1:j1Wcmh8OrK4Q7GXY+V7SVSY8nUWQxHW5TkBe7YUl+2s=
github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/columnize v2.1.2+incompatible h1:C89EOx/XBWwIXl8wm8OPJBd7kPF25UfsK2X7Ph/zCAk=
github.com/ryanuber/columnize v2.1.2+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
@ -588,8 +596,8 @@ golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY=
golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211216030914-fe4d6282115f h1:hEYJvxw1lSnWIl8X9ofsYMklzaDs90JI2az5YMd4fPM=
golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=


@ -10,7 +10,7 @@ readonly HASHICORP_DOCKER_PROXY="docker.mirror.hashicorp.services"
DEBUG=${DEBUG:-}
# ENVOY_VERSION to run each test against
ENVOY_VERSION=${ENVOY_VERSION:-"1.20.0"}
ENVOY_VERSION=${ENVOY_VERSION:-"1.20.1"}
export ENVOY_VERSION
if [ ! -z "$DEBUG" ] ; then
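Review bot: the default on the changed line, `ENVOY_VERSION=${ENVOY_VERSION:-"1.20.1"}`, is another literal copy of a version that also appears in the CI job environment and in `EnvoyVersions`. A short comment here naming the other places that must change together would make the next bump harder to get half-done.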


@ -34,7 +34,9 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
### Payload Fields
The corresponding CLI command is [`consul acl auth-method create`](/commands/acl/auth-method/create).
### Parameters
- `Name` `(string: <required>)` - Specifies a name for the ACL auth method. The
name can contain alphanumeric characters, dashes `-`, and underscores `_`.
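Review bot: renaming `### Payload Fields` to `### Parameters` at the top of this hunk changes the heading text, and if the docs site derives section anchors from headings, any link that targets the old one will break. Please search the docs for references to the old heading before merging.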
@ -160,6 +162,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl auth-method read`](/commands/acl/auth-method/read).
### Parameters
- `name` `(string: <required>)` - Specifies the name of the ACL auth method to
@ -212,6 +216,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl auth-method update`](/commands/acl/auth-method/update).
### Parameters
- `Name` `(string: <required>)` - Specifies the name of the auth method to
@ -343,6 +349,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl auth-method delete`](/commands/acl/auth-method/delete).
### Parameters
- `name` `(string: <required>)` - Specifies the name of the ACL auth method to
@ -385,6 +393,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl auth-method list`](/commands/acl/auth-method/list).
### Parameters
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the namespace to list


@ -34,6 +34,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl binding-rule create`](/commands/acl/binding-rule/create).
### Parameters
- `Description` `(string: "")` - Free form human readable description of the binding rule.
@ -158,6 +160,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl binding-rule read`](/commands/acl/binding-rule/read).
### Parameters
- `id` `(string: <required>)` - Specifies the UUID of the ACL binding rule
@ -208,6 +212,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl binding-rule update`](/commands/acl/binding-rule/update).
### Parameters
- `ID` `(string: <required>)` - Specifies the ID of the binding rule to update.
@ -338,6 +344,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl binding-rule delete`](/commands/acl/binding-rule/delete).
### Parameters
- `id` `(string: <required>)` - Specifies the UUID of the ACL binding rule to
@ -380,6 +388,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl binding-rule list`](/commands/acl/binding-rule/list).
## Parameters
- `authmethod` `(string: "")` - Filters the binding rule list to those binding
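Review bot: the context line right after the added sentence is `## Parameters`, one level higher than the `### Parameters` used under every other endpoint in this file. Since the hunk already edits the line directly above it, this is a good place to correct the heading level; the `consul acl role list` hunk later in this commit has the same `## Parameters` heading.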


@ -38,6 +38,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `none` |
The corresponding CLI command is [`consul acl bootstrap`](/commands/acl/bootstrap).
### Sample Request
```shell-session
@ -206,6 +208,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl translate-rules`](/commands/acl/translate-rules).
### Sample Payload
```hcl
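Review bot: this hunk and the next one add the same sentence, linking `consul acl translate-rules` at `/commands/acl/translate-rules`, to two separate endpoint sections. Elsewhere in this commit the read-by-name endpoints spell out the invocation (`consul acl policy read -name=<string>` with a `#name` anchor); doing the same here would tell the reader which form of the command corresponds to which endpoint.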
@ -253,6 +257,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl translate-rules`](/commands/acl/translate-rules).
### Sample Request
```shell-session
@ -294,6 +300,8 @@ enabled. Login requires the ability to create local tokens which is restricted
to the primary datacenter and any secondary datacenters with ACL token
replication enabled.
The corresponding CLI command is [`consul login`](/commands/login).
### Parameters
- `AuthMethod` `(string: <required>)` - The name of the auth method to use for login.
@ -380,6 +388,8 @@ The table below shows this endpoint's support for
-> **Note** - This endpoint requires no specific privileges as it is just
deleting a token for which you already must possess its secret.
The corresponding CLI command is [`consul logout`](/commands/logout).
### Sample Request
```shell-session


@ -33,6 +33,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl policy create`](/commands/acl/policy/create).
### Parameters
- `Name` `(string: <required>)` - Specifies a name for the ACL policy. The name
@ -106,6 +108,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl policy read`](/commands/acl/policy/read).
### Parameters
- `id` `(string: <required>)` - Specifies the UUID of the ACL policy to
@ -156,6 +160,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl policy read -name=<string>`](/commands/acl/policy/read#name).
### Parameters
- `name` `(string: <required>)` - Specifies the name of the ACL policy to
@ -206,6 +212,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl policy update`](/commands/acl/policy/update).
### Parameters
- `ID` `(string: <required>)` - Specifies the UUID of the policy to update. This is
@ -285,6 +293,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl policy delete`](/commands/acl/policy/delete).
### Parameters
- `id` `(string: <required>)` - Specifies the UUID of the ACL policy to
@ -327,6 +337,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl policy list`](/commands/acl/policy/list).
### Parameters
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the namespace to list


@ -32,6 +32,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl role create`](/commands/acl/role/create).
### Parameters
- `Name` `(string: <required>)` - Specifies a name for the ACL role. The name
@ -172,6 +174,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl role read`](/commands/acl/role/read).
### Parameters
- `id` `(string: <required>)` - Specifies the UUID of the ACL role to
@ -242,6 +246,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl role read -name=<string>`](/commands/acl/role/read#name).
### Parameters
- `name` `(string: <required>)` - Specifies the Name of the ACL role to
@ -311,6 +317,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl role update`](/commands/acl/role/update).
### Parameters
- `ID` `(string: <required>)` - Specifies the ID of the role to update. This is
@ -427,6 +435,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl role delete`](/commands/acl/role/delete).
### Parameters
- `id` `(string: <required>)` - Specifies the UUID of the ACL role to
@ -469,6 +479,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl role list`](/commands/acl/role/list).
## Parameters
- `policy` `(string: "")` - Filters the role list to those roles that are
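Review bot: the heading directly under the added sentence is `## Parameters`, one level higher than the `### Parameters` used by the other role endpoints in this file. It is a context line, but since this hunk touches the lines around it, changing it to `###` here would keep the role list section's outline consistent.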

View File

@ -32,6 +32,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl token create`](/commands/acl/token/create).
### Parameters
- `AccessorID` `(string: "")` - Specifies a UUID to use as the token's Accessor ID.
@ -173,6 +175,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl token read`](/commands/acl/token/read).
### Parameters
- `AccessorID` `(string: <required>)` - Specifies the accessor ID of the ACL token to
@ -243,6 +247,8 @@ The table below shows this endpoint's support for
-> **Note** - This endpoint requires no specific privileges as it is just
retrieving the data for a token that you must already possess its secret.
The corresponding CLI command is [`consul acl token read -self`](/commands/acl/token/read#self).
### Sample Request
```shell-session
@ -293,6 +299,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl token update`](/commands/acl/token/update).
### Parameters
- `AccessorID` `(string: "")` - Specifies the accessor ID of the token being updated. This is
@ -441,6 +449,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl token clone`](/commands/acl/token/clone).
### Parameters
- `AccessorID` `(string: <required>)` - The accessor ID of the token to clone. This is required
@ -520,6 +530,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `acl:write` |
The corresponding CLI command is [`consul acl token delete`](/commands/acl/token/delete).
### Parameters
- `AccessorID` `(string: <required>)` - Specifies the accessor ID of the ACL token to
@ -562,6 +574,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `acl:read` |
The corresponding CLI command is [`consul acl token list`](/commands/acl/token/list).
## Parameters
- `policy` `(string: "")` - Filters the token list to those tokens that are
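Review bot: the context line after the new sentence reads `## Parameters` where the other token endpoints use `### Parameters`. Worth correcting in this change so the token list parameters nest under their own endpoint section.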

View File

@ -29,6 +29,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul partition create`](/commands/partition#create).
### Parameters
- `Name` `(string: <required>)` - The partition name. This must be a valid
@ -85,6 +87,8 @@ The table below shows this endpoint's support for
<sup>1</sup> A non-anonymous token can read its own partition.
The corresponding CLI command is [`consul partition read`](/commands/partition#read).
### Parameters
- `name` `(string: <required>)` - Specifies the partition to read. This
@ -126,6 +130,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul partition write`](/commands/partition#write).
### Parameters
- `Name` `(string: <optional>)` - The partition name. This must be a valid
@ -188,6 +194,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul partition delete`](/commands/partition#delete).
### Parameters
- `name` `(string: <required>)` - Specifies the partition to delete. This
@ -231,6 +239,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | --------------- |
| `NO` | `consistent` | `none` | `operator:read` |
The corresponding CLI command is [`consul partition list`](/commands/partition#list).
### Sample Request
```shell-session

View File

@ -227,6 +227,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `node:read` |
The corresponding CLI command is [`consul members`](/commands/members).
### Parameters
- `wan` `(bool: false)` - Specifies to list WAN members instead of the LAN
@ -373,6 +375,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------- |
| `NO` | `none` | `none` | `agent:write` |
The corresponding CLI command is [`consul reload`](/commands/reload).
### Sample Request
```shell-session
@ -404,6 +408,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `node:write` |
The corresponding CLI command is [`consul maint`](/commands/maint).
### Parameters
- `enable` `(bool: <required>)` - Specifies whether to enable or disable
@ -629,6 +635,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------- |
| `NO` | `none` | `none` | `agent:write` |
The corresponding CLI command is [`consul join`](/commands/join).
### Parameters
- `address` `(string: <required>)` - Specifies the address of the other agent to
@ -669,6 +677,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------- |
| `NO` | `none` | `none` | `agent:write` |
The corresponding CLI command is [`consul leave`](/commands/leave).
### Sample Request
```shell-session
@ -706,6 +716,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul force-leave`](/commands/force-leave).
### Parameters
- `node` `(string: <required>)` - Specifies the name of the node to be forced into `left` state. This is specified as part of the URL.
@ -780,6 +792,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------- |
| `NO` | `none` | `none` | `agent:write` |
The corresponding CLI command is [`consul acl set-agent-token`](/commands/acl/set-agent-token).
### Parameters
- `Token` `(string: "")` - Specifies the ACL token to set.

View File

@ -593,6 +593,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | --------------- |
| `NO` | `none` | `none` | `service:write` |
The corresponding CLI command is [`consul services register`](/commands/services/register).
### Query string parameters
- `replace-existing-checks` - Missing health checks from the request will be deleted from the agent. Using this parameter allows to idempotently register a service and its checks without having to manually deregister checks.
@ -766,6 +768,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | --------------- |
| `NO` | `none` | `none` | `service:write` |
The corresponding CLI command is [`consul services deregister`](/commands/services/deregister).
### Parameters
- `service_id` `(string: <required>)` - Specifies the ID of the service to

View File

@ -266,6 +266,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `none` |
The corresponding CLI command is [`consul catalog datacenters`](/commands/catalog/datacenters).
### Sample Request
```shell-session
@ -297,6 +299,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `node:read` |
The corresponding CLI command is [`consul catalog nodes`](/commands/catalog/nodes).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to
@ -392,6 +396,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | -------------- |
| `YES` | `all` | `none` | `service:read` |
The corresponding CLI command is [`consul catalog services`](/commands/catalog/services).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to

View File

@ -48,6 +48,8 @@ The table below shows this endpoint's support for
| service-splitter | `service:write` |
| terminating-gateway | `operator:write` |
The corresponding CLI command is [`consul config write`](/commands/config/write).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to
@ -115,6 +117,8 @@ The table below shows this endpoint's support for
| service-splitter | `service:read` |
| terminating-gateway | `service:read` |
The corresponding CLI command is [`consul config read`](/commands/config/read).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to
@ -184,6 +188,8 @@ The table below shows this endpoint's support for
| service-splitter | `service:read` |
| terminating-gateway | `service:read` |
The corresponding CLI command is [`consul config list`](/commands/config/list).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to
@ -258,6 +264,8 @@ The table below shows this endpoint's support for
| service-splitter | `service:write` |
| terminating-gateway | `operator:write ` |
The corresponding CLI command is [`consul config delete`](/commands/config/delete).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to

View File

@ -125,6 +125,8 @@ The table below shows this endpoint's support for
<sup>1</sup> ACL required was <code>operator:read</code> prior to versions 1.8.6,
1.7.10, and 1.6.10.
The corresponding CLI command is [`consul connect ca get-config`](/commands/connect/ca#get-config).
### Sample Request
```shell-session
@ -165,6 +167,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul connect ca set-config`](/commands/connect/ca#set-config).
### Parameters
- `Provider` `(string: <required>)` - Specifies the CA provider type to use.

View File

@ -54,6 +54,8 @@ The table below shows this endpoint's support for
for more details.
</p>
The corresponding CLI command is [`consul intention create -replace`](/commands/intention/create#replace).
### URL Parameters
- `source` `(string: <required>)` - Specifies the source service. This
@ -163,6 +165,8 @@ The table below shows this endpoint's support for
for more details.
</p>
The corresponding CLI command is [`consul intention create`](/commands/intention/create).
### URL Parameters
- `ns` `(string: "")` <EnterpriseAlert inline /> - Specifies the default
@ -315,6 +319,8 @@ The table below shows this endpoint's support for
for more details.
</p>
The corresponding CLI command is [`consul intention get`](/commands/intention/get).
### Parameters
- `source` `(string: <required>)` - Specifies the source service. This
@ -390,6 +396,8 @@ The table below shows this endpoint's support for
for more details.
</p>
The corresponding CLI command is [`consul intention get`](/commands/intention/get).
### Parameters
- `uuid` `(string: <required>)` - Specifies the UUID of the intention to read. This
@ -450,6 +458,8 @@ The table below shows this endpoint's support for
for more details.
</p>
The corresponding CLI command is [`consul intention list`](/commands/intention/list).
### Parameters
- `filter` `(string: "")` - Specifies the expression used to filter the
@ -539,6 +549,8 @@ The table below shows this endpoint's support for
for more details.
</p>
The corresponding CLI command is [`consul intention delete`](/commands/intention/delete).
### Parameters
- `source` `(string: <required>)` - Specifies the source service. This
@ -597,6 +609,8 @@ The table below shows this endpoint's support for
for more details.
</p>
The corresponding CLI command is [`consul intention delete`](/commands/intention/delete).
### Parameters
- `uuid` `(string: <required>)` - Specifies the UUID of the intention to delete. This
@ -652,6 +666,8 @@ The table below shows this endpoint's support for
for more details.
</p>
The corresponding CLI command is [`consul intention check`](/commands/intention/check).
### Parameters
- `source` `(string: <required>)` - Specifies the source service. This
@ -715,6 +731,8 @@ The table below shows this endpoint's support for
for more details.
</p>
The corresponding CLI command is [`consul intention match`](/commands/intention/match).
### Parameters
- `by` `(string: <required>)` - Specifies whether to match the "name" value

View File

@ -38,6 +38,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `none` |
The corresponding CLI command is [`consul rtt -wan`](/commands/rtt#wan).
### Sample Request
```shell-session
@ -90,6 +92,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `node:read` |
The corresponding CLI command is [`consul rtt`](/commands/rtt).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to

View File

@ -29,6 +29,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------- |
| `NO` | `none` | `none` | `event:write` |
The corresponding CLI command is [`consul event`](/commands/event).
### Parameters
- `name` `(string: <required>)` - Specifies the name of the event to fire. This

View File

@ -43,6 +43,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `YES` | `all` | `none` | `key:read` |
The corresponding CLI command is [`consul kv get`](/commands/kv/get).
### Parameters
- `key` `(string: "")` - Specifies the path of the key to read.
@ -173,6 +175,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `key:write` |
The corresponding CLI command is [`consul kv put`](/commands/kv/put).
### Parameters
- `key` `(string: "")` - Specifies the path of the key.
@ -259,6 +263,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `key:write` |
The corresponding CLI command is [`consul kv delete`](/commands/kv/delete).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to

View File

@ -29,6 +29,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul namespace create`](/commands/namespace/create).
### Parameters
- `Name` `(string: <required>)` - The namespaces name. This must be a valid
@ -161,6 +163,8 @@ The table below shows this endpoint's support for
<sup>1</sup> Access can be granted to list the Namespace if the token used when making
the request has been granted any access in the namespace (read, list or write).
The corresponding CLI command is [`consul namespace read`](/commands/namespace/read).
### Parameters
- `name` `(string: <required>)` - Specifies the namespace to read. This
@ -227,6 +231,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul namespace update`](/commands/namespace/update) or [`consul namespace write`](/commands/namespace/write).
### Parameters
- `Name` `(string: <optional>)` - The namespaces name. This must be a valid
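Review bot: the added sentence lists two commands but keeps the singular "command is", and it gives no hint about when `consul namespace update` applies versus `consul namespace write`. Suggest "The corresponding CLI commands are ..." plus a few words on the difference, or link only the command that matches this endpoint's semantics.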
@ -364,6 +370,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul namespace delete`](/commands/namespace/delete).
### Parameters
- `name` `(string: <required>)` - Specifies the namespace to delete. This
@ -436,6 +444,8 @@ The table below shows this endpoint's support for
<sup>1</sup> Access can be granted to list the Namespace if the token used when making
the request has been granted any access in the namespace (read, list or write).
The corresponding CLI command is [`consul namespace list`](/commands/namespace/list).
### Sample Request
```shell-session

View File

@ -45,6 +45,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul operator area create`](/commands/operator/area#create).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to
@ -111,6 +113,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | --------------- |
| `YES` | `all` | `none` | `operator:read` |
The corresponding CLI command is [`consul operator area list`](/commands/operator/area#list).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to
@ -154,6 +158,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul operator area update`](/commands/operator/area#update).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to
@ -244,6 +250,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul operator area delete`](/commands/operator/area#delete).
### Parameters
- `uuid` `(string: <required>)` - Specifies the UUID of the area to delete. This
@ -280,6 +288,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul operator area join`](/commands/operator/area#join).
### Parameters
- `uuid` `(string: <required>)` - Specifies the UUID of the area to join. This
@ -353,6 +363,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | --------------- |
| `NO` | `none` | `none` | `operator:read` |
The corresponding CLI command is [`consul operator area members`](/commands/operator/area#members).
### Parameters
- `uuid` `(string: <required>)` - Specifies the UUID of the area to list. This

View File

@ -33,6 +33,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | --------------- |
| `NO` | `none` | `none` | `operator:read` |
The corresponding CLI command is [`consul operator autopilot get-config`](/commands/operator/autopilot#get-config).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to
@ -87,6 +89,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul operator autopilot set-config`](/commands/operator/autopilot#set-config).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to
@ -269,6 +273,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | --------------- |
| `NO` | `none` | `none` | `operator:read` |
The corresponding CLI command is [`consul operator autopilot state`](/commands/operator/autopilot#state).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to

View File

@ -35,6 +35,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | -------------- |
| `NO` | `none` | `none` | `keyring:read` |
The corresponding CLI command is [`consul keyring -list`](/commands/keyring#list).
### Parameters
- `relay-factor` `(int: 0)` - Specifies the relay factor. Setting this to a
@ -120,6 +122,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | --------------- |
| `NO` | `none` | `none` | `keyring:write` |
The corresponding CLI command is [`consul keyring -intstall`](/commands/keyring#install).
### Parameters
- `relay-factor` `(int: 0)` - Specifies the relay factor. Setting this to a
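Review bot: typo in the added sentence: the link text reads `consul keyring -intstall` while its anchor is `#install`. Spell the flag `-install` so it matches the anchor and the sibling `-list`, `-use` and `-remove` sentences.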
@ -166,6 +170,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | --------------- |
| `NO` | `none` | `none` | `keyring:write` |
The corresponding CLI command is [`consul keyring -use`](/commands/keyring#use).
### Parameters
- `relay-factor` `(int: 0)` - Specifies the relay factor. Setting this to a
@ -212,6 +218,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | --------------- |
| `NO` | `none` | `none` | `keyring:write` |
The corresponding CLI command is [`consul keyring -remove`](/commands/keyring#remove).
### Parameters
- `relay-factor` `(int: 0)` - Specifies the relay factor. Setting this to a

View File

@ -31,6 +31,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `all` | `none` | `none` |
The corresponding CLI command is [`consul license get`](/commands/license#get).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter whose license should be retrieved.
@ -96,6 +98,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul license put`](/commands/license#put).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter whose license should be updated.
@ -166,6 +170,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul license reset`](/commands/license#reset).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter whose license should be updated.

View File

@ -130,6 +130,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ---------------- |
| `NO` | `none` | `none` | `operator:write` |
The corresponding CLI command is [`consul operator raft remove-peer`](/commands/operator/raft#remove-peer).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to

View File

@ -39,6 +39,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `default,stale` | `none` | `management` |
The corresponding CLI command is [`consul snapshot save`](/commands/snapshot/save).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default
@ -94,6 +96,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `management` |
The corresponding CLI command is [`consul snapshot restore`](/commands/snapshot/restore).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default

View File

@ -70,6 +70,8 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `none` |
The corresponding CLI command is [`consul operator raft list-peers`](/commands/operator/raft#list-peers).
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to

View File

@ -113,7 +113,7 @@ The options below are all specified on the command-line.
template that must resolve at runtime to a single address. Some example templates:
<CodeBlockConfig heading="Using address within a specific CIDR">
```shell-session
$ consul agent -bind '{{ GetPrivateInterfaces | include "network" "10.0.0.0/8" | attr "address" }}'
```
@ -162,11 +162,11 @@ The options below are all specified on the command-line.
template that can potentially resolve to multiple addresses.
<CodeBlockConfig hideClipboard heading="Bind consul client interfaces to private IPv4 interfaces">
```shell
$ consul agent -dev -client '{{ GetPrivateInterfaces | exclude "type" "ipv6" | join "address" " " }}'
```
</CodeBlockConfig>
<CodeBlockConfig hideClipboard heading="Bind consul client interfaces to private IP addresses and loopback">
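Review bot: the fence for the `-client` example is tagged `shell` although the command carries a `$` prompt, while the `-bind` example in the previous hunk uses `shell-session` for the same kind of line. Use `shell-session` here too so the two examples are tagged consistently.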
@ -275,7 +275,6 @@ The options below are all specified on the command-line.
they are defined in the local configuration files. Script checks defined in HTTP
API registrations will still not be allowed.
- `-encrypt` ((#\_encrypt)) - Specifies the secret key to use for encryption
of Consul network traffic. This key must be 32-bytes that are Base64-encoded. The
easiest way to create an encryption key is to use [`consul keygen`](/commands/keygen).
@ -595,18 +594,36 @@ In addition to the command-line options, configuration can be put into
files. This may be easier in certain situations, for example when Consul is
being configured using a configuration management system.
The configuration files are JSON formatted, making them easily readable
and editable by both humans and computers. The configuration is formatted
as a single JSON object with configuration within it.
The configuration files are formatted as HCL, or JSON. JSON formatted configs are easily readable
and editable by both humans and computers. JSON formatted configuration consists
of a single JSON object with multiple configuration keys specified within it.
Configuration files are used for more than just setting up the agent,
they are also used to provide check and service definitions. These are used
to announce the availability of system servers to the rest of the cluster.
They are documented separately under [check configuration](/docs/agent/checks) and
[service configuration](/docs/agent/services) respectively. The service and check
Configuration files are used for more than just setting up the agent.
They are also used to provide check and service definitions that
announce the availability of system servers to the rest of the cluster.
These definitions are documented separately under [check configuration](/docs/agent/checks) and
[service configuration](/docs/agent/services) respectively. Service and check
definitions support being updated during a reload.
<CodeBlockConfig heading="Example Configuration File">
<CodeTabs heading="Example Configuration File">
```hcl
datacenter = "east-aws"
data_dir = "/opt/consul"
log_level = "INFO"
node_name = "foobar"
server = true
watches = [
{
type = "checks"
handler = "/usr/bin/health-check-handler.sh"
}
]
telemetry {
statsite_address = "127.0.0.1:2180"
}
```
```json
{
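Review bot: the rewritten opening sentence "formatted as HCL, or JSON" has a stray comma, and the two sentences that follow describe only the JSON form, so HCL is named but never characterized even though the new first tab is HCL. Suggest "formatted as HCL or JSON" followed by one sentence on each format, or drop the JSON-only description.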
@ -627,7 +644,7 @@ definitions support being updated during a reload.
}
```
</CodeBlockConfig>
</CodeTabs>
#### Configuration Key Reference ((#config_key_reference))
@ -764,7 +781,14 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
- `managed_service_provider` ((#acl_tokens_managed_service_provider)) <EnterpriseAlert inline /> - An
array of ACL tokens used by Consul managed service providers for cluster operations.
<CodeBlockConfig heading="Example managed_service_provider configuration">
<CodeTabs heading="Example managed_service_provider configuration">
```hcl
managed_service_provider {
accessor_id = "ed22003b-0832-4e48-ac65-31de64e5c2ff"
secret_id = "cb6be010-bba8-4f30-a9ed-d347128dde17"
}
```
```json
"managed_service_provider": [
@ -775,7 +799,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
]
```
</CodeBlockConfig>
</CodeTabs>
- `acl_datacenter` - **This field is deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.**
@ -915,7 +939,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
- `audit` <EnterpriseAlert inline /> - Added in Consul 1.8, the audit object allow users to enable auditing
and configure a sink and filters for their audit logs. For more information, review the [audit log tutorial](https://learn.hashicorp.com/tutorials/consul/audit-logging).
<CodeBlockConfig heading="Example audit configuration">
<CodeTabs heading="Example audit configuration">
```hcl
audit {
@ -932,7 +956,26 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
}
```
</CodeBlockConfig>
```json
{
"audit": {
"enabled": true,
"sink": {
"My sink": {
"type": "file",
"format": "json",
"path": "data/audit/audit.json",
"delivery_guarantee": "best-effort",
"rotate_duration": "24h",
"rotate_max_files": 15,
"rotate_bytes": 25165824
}
}
}
}
```
</CodeTabs>
The following sub-keys are available:
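Review bot: the sink `path` in the added JSON tab is relative (`data/audit/audit.json`), and nothing in the example says what it is resolved against. For an audit log the destination should be unambiguous, so either use an absolute path in the example or state the base directory in the `path` sub-key description that follows.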
@ -1118,14 +1161,14 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
validating all claims to account for clock skew. Defaults to 60s (1 minute)
if set to 0s and can be disabled if set to -1ns.
- `claim_assertions` (Defaults to []) List of assertions about the mapped
- `claim_assertions` (Defaults to `[]`) List of assertions about the mapped
claims required to authorize the incoming RPC request. The syntax uses
github.com/hashicorp/go-bexpr which is shared with the
[github.com/hashicorp/go-bexpr](https://github.com/hashicorp/go-bexpr) which is shared with the
[API filtering feature](/api/features/filtering). For example, the following
configurations when combined will ensure that the JWT `sub` matches the node
name requested by the client.
<CodeBlockConfig heading="Ensure that the JWT `sub` matches the node name requested by the client">
<CodeTabs heading="Ensure that the JWT sub matches the node name requested by the client">
```hcl
claim_mappings {
@ -1136,7 +1179,16 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
]
```
</CodeBlockConfig>
```json
{
"claim_mappings": {
"sub": "node_name"
},
"claim_assertions": ["value.node_name == \"${node}\""]
}
```
</CodeTabs>
The assertions are lightly templated using [HIL syntax](https://github.com/hashicorp/hil)
to interpolate some values from the RPC request. The list of variables that can be interpolated
@ -1534,7 +1586,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
equivalent to "no max age". To get a fresh value from the cache use a very small value
of `1ns` instead of 0.
- `prefer_namespace` ((#dns_prefer_namespace)) <EnterpriseAlert inline /> **Deprecated in
- `prefer_namespace` ((#dns_prefer_namespace)) <EnterpriseAlert inline /> **Deprecated in
Consul 1.11. Use the [canonical DNS format](/docs/discovery/dns#namespaced-partitioned-services) instead.** -
When set to true, in a DNS query for a service, the label between the domain
and the `service` label will be treated as a namespace name instead of a datacenter.
@ -1702,7 +1754,15 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
- `response_headers` This object allows adding headers to the HTTP API and UI responses. For example, the following config can be used to enable [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) on the HTTP API endpoints:
<CodeBlockConfig heading="Enable CORS on the HTTP API endpoints">
<CodeTabs heading="Enable CORS on the HTTP API endpoints">
```hcl
http_config {
response_headers {
Access-Control-Allow-Origin = "*"
}
}
```
```json
{
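Review bot: the added HCL tab repeats `Access-Control-Allow-Origin = "*"` as the only CORS example, and the sentence introducing it does not say that the wildcard exposes HTTP API responses to scripts from any origin. Since this hunk is already touching the example, consider showing a specific origin in both tabs, or adding one sentence telling readers to narrow `*` to the origins that actually need access.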
@ -1714,7 +1774,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
}
```
</CodeBlockConfig>
</CodeTabs>
- `allow_write_http_from` This object is a list of networks in CIDR notation (eg "127.0.0.0/8") that are allowed to call the agent write endpoints. It defaults to an empty list, which means all networks are allowed. This is used to make the agent read-only, except for select ip ranges. - To block write calls from anywhere, use `[ "255.255.255.255/32" ]`. - To only allow write calls from localhost, use `[ "127.0.0.0/8" ]` - To only allow specific IPs, use `[ "10.0.0.1/32", "10.0.0.2/32" ]`
@ -1762,7 +1822,13 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
- `node_meta` Available in Consul 0.7.3 and later, This object allows associating arbitrary metadata key/value pairs with the local node, which can then be used for filtering results from certain catalog endpoints. See the [`-node-meta` command-line flag](#_node_meta) for more information.
<CodeBlockConfig heading="Example node_meta configuration">
<CodeTabs heading="Example node_meta configuration">
```hcl
node_meta {
instance_type = "t2.medium"
}
```
```json
{
@ -1772,7 +1838,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
}
```
</CodeBlockConfig>
</CodeTabs>
- `partition` <EnterpriseAlert inline /> - This flag is used to set
the name of the admin partition the agent belongs to. An agent can only join
@ -1782,7 +1848,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
partition. This cannot be set on a server agent.
~> **Warning:** The `partition` option cannot be used either the
[`segment`](#segment-2) option or [`-segment`](#_segment) flag.
[`segment`](#segment-2) option or [`-segment`](#_segment) flag.
- `performance` Available in Consul 0.7 and later, this is a nested object that allows tuning the performance of different subsystems in Consul. See the [Server Performance](/docs/install/performance) documentation for more details. The following parameters are available:
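Review bot: the warning in this hunk still reads "cannot be used either the", which is missing a word. The hunk only re-indents the `segment` line, so this is a good place to fix the sentence to "cannot be used with either the [`segment`](#segment-2) option or [`-segment`](#_segment) flag."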
@ -1866,15 +1932,14 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
- `protocol` ((#protocol)) Equivalent to the [`-protocol` command-line
flag](#_protocol).
- `raft_boltdb` ((#raft_boltdb)) This is a nested object that allows configuring
- `raft_boltdb` ((#raft_boltdb)) This is a nested object that allows configuring
options for Raft's BoltDB based log store.
- `NoFreelistSync` ((#NoFreelistSync)) Setting this to `true` will disable
- `NoFreelistSync` ((#NoFreelistSync)) Setting this to `true` will disable
syncing the BoltDB freelist to disk within the raft.db file. Not syncing
the freelist to disk will reduce disk IO required for write operations
at the expense of potentially increasing start up time due to needing
to scan the db to discover where the free space resides within the file.
- `raft_protocol` ((#raft_protocol)) Equivalent to the [`-raft-protocol`
command-line flag](#_raft_protocol).
@ -2119,13 +2184,23 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
This is a list of filter rules to apply for allowing/blocking metrics by
prefix in the following format:
<CodeBlockConfig heading="Example prefix_filter configuration">
<CodeTabs heading="Example prefix_filter configuration">
```json
["+consul.raft.apply", "-consul.http", "+consul.http.GET"]
```hcl
telemetry {
prefix_filter = ["+consul.raft.apply", "-consul.http", "+consul.http.GET"]
}
```
</CodeBlockConfig>
```json
{
"telemetry": {
"prefix_filter": ["+consul.raft.apply", "-consul.http", "+consul.http.GET"]
}
}
```
</CodeTabs>
A leading "**+**" will enable any metrics with the given prefix, and a leading "**-**" will block them. If there is overlap between two rules, the more specific rule will take precedence. Blocking will take priority if the same prefix is listed multiple times.
@ -2141,7 +2216,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
it is recommended to also enable the option [`disable_hostname`](#telemetry-disable_hostname)
to avoid having prefixed metrics with hostname. Consul does not use the default
Prometheus path, so Prometheus must be configured as follows. Note that using
`?format=prometheus` in the path won't work as ? will be escaped, so it must be
`?format=prometheus` in the path won't work as `?` will be escaped, so it must be
specified as a parameter.
<CodeBlockConfig heading="Example Prometheus configuration">
@ -2465,7 +2540,35 @@ will result in TLS not being enabled at all, even when specifying a [`ca_file`](
See, especially, the use of the `ports` setting highlighted below.
<CodeBlockConfig heading="Example configuration with TLS" lineNumbers highlight="10-12">
<CodeTabs heading="Example configuration with TLS">
<CodeBlockConfig lineNumbers highlight="10-12">
```hcl
datacenter = "east-aws"
data_dir = "/opt/consul"
log_level = "INFO"
node_name = "foobar"
server = true
addresses = {
https = "0.0.0.0"
}
ports {
https = 8501
}
key_file = "/etc/pki/tls/private/my.key"
cert_file = "/etc/pki/tls/certs/my.crt"
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
```
</CodeBlockConfig>
<CodeBlockConfig lineNumbers highlight="10-12">
```json
{
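Review bot: both `CodeBlockConfig` wrappers carry `highlight="10-12"`, but the JSON block opens with a `{` line that the HCL block does not have, so the same range cannot mark the same settings in both tabs if the keys appear in the same order. Counting the HCL lines as shown here, `ports {` is line 9 and the range 10-12 runs into `key_file`. Please check the range for each tab against the rendered page so that the `ports` setting the text calls out is what gets highlighted.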
@ -2491,6 +2594,8 @@ See, especially, the use of the `ports` setting highlighted below.
</CodeBlockConfig>
</CodeTabs>
Consul will not enable TLS for the HTTP API unless the `https` port has been
assigned a port number `> 0`. We recommend using `8501` for `https` as this
default will automatically work with some tooling.

View File

@ -873,7 +873,7 @@ spec:
through this listener. This can be either a service registered in the
catalog, or a service defined only by [other config entries](/docs/connect/l7-traffic-management). If the wildcard specifier,
\`*\`, is provided, then ALL services will be exposed through the listener.
This is not supported for listener's with protocol \`tcp\`.`,
This is not supported for listeners with protocol \`tcp\`.`,
},
{
name: 'Namespace',

View File

@ -20,6 +20,8 @@ Consul cluster, operators must ensure that all Consul servers in every
datacenter must be directly connectable over their WAN-advertised network
address from each other.
[![WAN federation without mesh gateways](/img/wan-federation-connectivity-traditional.png)](/img/wan-federation-connectivity-traditional.png)
This requires that operators setting up the virtual machines or containers
hosting the servers take additional steps to ensure the necessary routing and
firewall rules are in place to allow the servers to speak to each other over
@ -38,7 +40,7 @@ Operators looking to simplify their WAN deployment and minimize the exposed
security surface area can elect to join these datacenters together using [mesh
gateways](/docs/connect/gateways/mesh-gateway) to do so.
![Mesh Gateway Architecture](/img/mesh-gateways.png)
[![WAN federation with mesh gateways](/img/wan-federation-connectivity-mesh-gateways.png)](/img/wan-federation-connectivity-mesh-gateways.png)
## Architecture

View File

@ -35,7 +35,7 @@ compatible Envoy versions.
| Consul Version | Compatible Envoy Versions |
| ------------------- | ------------------------------------------------------ |
| 1.11.x | 1.20.0, 1.19.1, 1.18.4, 1.17.4 |
| 1.11.x | 1.20.1, 1.19.1, 1.18.4, 1.17.4 |
| 1.10.x | 1.18.4, 1.17.4, 1.16.5, 1.15.5 |
| 1.9.x | 1.16.5, 1.15.5, 1.14.7<sup>1</sup>, 1.13.7<sup>1</sup> |
| 1.8.x | 1.14.7, 1.13.7, 1.12.7, 1.11.2 |

View File

@ -0,0 +1,52 @@
---
layout: docs
page_title: Compatibility Matrix
description: Compatibility Matrix for Consul Kubernetes
---
# Compatibility Matrix for Consul on Kubernetes
For every release of Consul on Kubernetes, a Helm chart, `consul-k8s-control-plane` binary and a `consul-k8s` CLI binary is built and distributed through a single version. When deploying via Helm, the recommended best path for upgrading Consul on Kubernetes, is to upgrade using the same `consul-k8s-control-plane` version as the Helm Chart, as the Helm Chart and Control Plane binary are tightly coupled.
## Supported Consul versions
### Version 0.33.0 and above
Starting with Consul Kubernetes 0.33.0, Consul Kubernetes versions all of it components (`consul-k8s` CLI, `consul-k8s-control-plane`, and Helm chart) with a single version.
| Consul Version | Compatible consul-k8s Versions |
| -------------- | ------------------------------- |
| 1.11.x | 0.39.0 - latest |
| 1.10.x | 0.33.0 - 0.38.0 |
### Prior to version 0.33.0
Prior to Consul Kubernetes 0.33.0, a separately versioned Consul Helm chart was distributed to deploy the Consul on Kubernetes binary. The default version of the `consul-k8s` binary specified by the Helm chart should be used to ensure proper compatibility, since the Helm chart is designed and tested with the default `consul-k8s` version. To find the default version for the appropriate Helm chart version, navigate to the corresponding tag (i.e. 0.32.1) in [`values.yaml`](https://github.com/hashicorp/consul-helm/blob/v0.32.1/values.yaml) and retrieve the `imageK8S` global value.
| Consul Version | Compatible Consul Helm Versions (default `consul-k8s` image) |
| -------------- | -----------------------------------------------------------|
| 1.10.x | 0.32.0 (consul-k8s:0.26.0) - 0.32.1 (consul-k8s:0.26.0) |
| 1.9.x | 0.27.0 (consul-k8s:0.21.0) - 0.31.1 (consul-k8s:0.25.0) |
| 1.8.x | 0.22.0 (consul-k8s:0.16.0) - 0.26.0 (consul-k8s:0.20.0) |
| 1.7.x | 0.17.0 (consul-k8s:0.12.0) - 0.21.0 (consul-k8s:0.15.0) |
| 1.6.x | 0.10.0 (consul-k8s:0.9.2) - 0.16.2 (consul-k8s:0.11.0) |
## Supported Envoy versions
Supported versions of Envoy for Consul versions are also found in [Envoy - Supported Versions](https://www.consul.io/docs/connect/proxies/envoy#supported-versions). The recommended best practice is to use the default version of Envoy that is provided in the Helm values.yml file, as that is the version that has been tested with the default Consul and Consul Kubernetes binaries for a given Helm chart.
## Red Hat OpenShift compatability
Consul Kubernetes delivered Red Hat OpenShift support starting with Consul Helm chart version 0.25.0 for Consul 1.8.4 Please note the following details regarding OpenShift support.
- Red Hat OpenShift is only supported for OpenShift 4.4.x and above.
- Only the default CNI Plugin, [OpenShift SDN CNI Plugin](https://docs.openshift.com/container-platform/4.9/networking/openshift_sdn/about-openshift-sdn.html) is currently supported.
## Vault as a Secrets Backend compatibility
Starting with Consul K8s 0.39.0 and Consul 1.11.x, Consul Kubernetes supports the ability to utilize Vault as the secrets backend for all the secrets utilized by Consul Kubernetes.
| `consul-k8s` Versions | Compatible Vault Versions | Compatible Vault K8s Versions |
| ------------------------ | --------------------------| ----------------------------- |
| 0.39.0 - latest | 1.9.0 - latest | 0.14.0 - latest |
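Review bot: the new page has several wording errors that should be fixed before it ships: "versions all of it components" should be "its components", the heading "Red Hat OpenShift compatability" is misspelled, "for Consul 1.8.4 Please note" is missing a full stop, and "a Helm chart, ... binary and a ... CLI binary is built" needs "are built". The Envoy link also uses an absolute `https://www.consul.io/docs/...` URL where the other docs pages in this change link with site-relative paths such as `/docs/connect/gateways/mesh-gateway`; a relative link keeps it working on preview and versioned builds.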

View File

@ -1,26 +0,0 @@
---
layout: docs
page_title: Compatibility Matrix
description: Compatibility Matrix for Consul Kubernetes and Consul
---
# Compatibility Matrix for Consul Kubernetes and Consul
Consul Kubernetes (consul-k8s) is managed using Consul Helm. For every release of Consul Kubernetes, a new version of the Consul Kubernetes
Helm chart and Consul Kubernetes binary is released through the HashiCorp Helm repository. The recommended best practice is to upgrade
the Helm chart which will ensure a compatible version of the Consul Kubernetes binary is used.
## Supported Consul versions
| Consul Version | Compatible Consul Helm Versions |
| -------------- | ------------------------------- |
| 1.11.x | 0.39.0 - latest |
| 1.10.x | 0.32.0 - 0.38.0 |
| 1.9.x | 0.27.0 - 0.31.1 |
| 1.8.x | 0.22.0 - 0.26.0 |
| 1.7.x | 0.17.0 - 0.21.0 |
| 1.6.x | 0.10.0 - 0.16.2 |
## Supported Envoy versions
Supported versions of Envoy for Consul versions are also found in [Envoy - Supported Versions](https://www.consul.io/docs/connect/proxies/envoy#supported-versions). The recommended best practice is to use the default version of Envoy that is provided in the Helm values.yml file, as that is the version that has been tested with the default Consul and Consul Kubernetes binaries for a given Helm chart.
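Review bot: this deletes the page at `k8s/upgrade/compatibility` and the navigation change later in the commit re-adds it under `k8s/installation/compatibility`, but no redirect for the old path is visible in the part of the change shown here. Existing bookmarks and external links to the upgrade path will break unless a redirect from the old path to the new one is added alongside the move.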

View File

@ -21,7 +21,8 @@ Consul-Terraform-Sync is compatible with the following Terraform OSS versions:
| Consul-Terraform-Sync | Compatible Terraform Version |
| --------------------- | ---------------------------- |
| 0.2+ | 0.13 - 1.0 |
| 0.3+ | 0.13 - 1.1 |
| 0.2 | 0.13 - 1.0 |
| 0.1 | 0.13 - 0.14 |
## Terraform Cloud

View File

@ -0,0 +1,238 @@
---
layout: docs
page_title: ACL in Federated Datacenters
description: >-
This topic describes the specific ACL bootstrapping policies that are necessary when ACLs are enabled for federated, multi-datacenter deployments.
---
# ACLs in Federated Datacenters
This topic describes how to set up Consul's access control list (ACL) system
in cluster deployments that span multiple data centers. This documentation is applicable
to new clusters rather than existing clusters.
# Requirements
Consul versions 1.4.0 and later
## Configure ACLs in the Primary Datacenter
In a [federated Consul deployment](/docs/k8s/installation/multi-cluster), one of the datacenters is marked as the primary datacenter.
The `acl` configuration block should be added to the primary datacenter server's configuration file
as shown in the following example.
See the [ACL Config Stanza](/docs/agent/options#acl) for more detailed descriptions of each option.
-> **Versions before 1.11.0:** The `initial_management` token was called the `master` token in versions
prior to 1.11.0
<CodeTabs heading="ACL Configuration in Primary">
```hcl
bootstrap_expect = 3
primary_datacenter = "PRIMARY_DATACENTER_VALUE"
acl = {
enabled = true
default_policy = "deny"
down_policy = "deny"
enable_token_persistence = true
enable_token_replication = true
tokens = {
initial_management = "ACL_MANAGEMENT_TOKEN"
agent = "YOUR_ACL_AGENT_TOKEN"
}
}
```
```json
{
"bootstrap_expect": N,
"primary_datacenter": "PRIMARY_DATACENTER_VALUE",
"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "deny",
"enable_token_persistence": true,
"enable_token_replication": true,
"tokens": {
"initial_management": "ACL_MANAGEMENT_TOKEN",
"agent": "ACL_AGENT_TOKEN"
}
}
}
```
</CodeTabs>
~> **Warning:** Note that most enterprise deployments have security requirements that prevent specifying tokens in configuration files.
The `enable_token_persistence` flag is also set in the configuration example so that the token is stored to disk in the agent's
[data directory](/docs/agent/options#_data_dir). Any future changes to the token that are made through the [API](/api/agent#update-acl-tokens) will
be persisted to the same location, and the value in the config file will be ignored.
The ACL agent token can also be set using the [`consul acl set-agent-token`](/commands/acl/set-agent-token) CLI as shown below.
```shell-session
$ consul acl set-agent-token agent "<agent token here>"
```
## Configure Servers in Secondary Datacenters
Servers in secondary data centers must be configured to point to the primary data center
as shown in the following example. Secondary data centers also need the ACL replication token
provided to them.
### Create the replication token for ACL Management
Replication tokens are needed for ACL token replication and
to create both [configuration entries](/docs/agent/config-entries) and [auth methods](/docs/acl/auth-methods)
in connected secondary datacenters.
Replication tokens require the following permissions:
- `acl = "write"`: The permission allows you to replicate tokens.
- `operator = "write"`: This permission enables the `proxy-default` configuration entries to be replicated and enables CA certificate signing in the secondary datacenter.
- `policy = "read"` and `intentions = "read"` in the `service_prefix` field: These permissions enable `service-default` configuration entries, CA, and intention data to be replicated for all services.
<CodeTabs heading="Replication Token Policy">
<CodeBlockConfig filename="replication-policy.hcl">
```hcl
acl = "write"
operator = "write"
service_prefix "" {
policy = "read"
intentions = "read"
}
```
</CodeBlockConfig>
</CodeTabs>
Create a replication policy with the following command:
```shell-session
$ consul acl policy create -name replication -rules @replication-policy.hcl
```
Use your newly created policy to create the replication token.
```shell-session
$ consul acl token create -description "replication token" -policy-name replication
```
### Configure the replication token in Secondary Datacenters
Add the replication token generated above, to the ACL stanza in secondary datacenters.
<CodeTabs heading = "ACL Configuration in Secondaries">
```hcl
primary_datacenter = "PRIMARY_DATACENTER_NAME"
acl = {
enabled = true
default_policy = "deny"
down_policy = "deny"
tokens = {
agent = "ACL_AGENT_TOKEN"
replication = "ACL_REPLICATION_TOKEN"
}
}
```
```json
{
"primary_datacenter": "PRIMARY_DATACENTER_VALUE",
"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "deny",
"tokens": {
"agent": "ACL_AGENT_TOKEN",
"replication": "ACL_REPLICATION_TOKEN"
}
}
}
```
</CodeTabs>
~> **Warning:** When enabling ACL token replication in secondary datacenters,
global tokens already present in the secondary datacenter will be lost. For
production environments, consider configuring ACL replication in your initial
datacenter bootstrapping process.
~> **Warning:** If you are using [Consul Enterprise](/docs/enterprise) and
the [Admin Partitions](https://www.consul.io/docs/enterprise/admin-partitions)
feature, only ACL tokens in the default partition are replicated to other datacenters.
## WAN Join Servers
This step is needed for new federated cluster deployments in order for
servers in each federated datacenter to discover each other.
Run the following command from one of the server nodes.
```shell-session
$ consul join -token="ACL_MANAGEMENT_TOKEN" -wan [server 1, server 2, ...]
```
## Configure Clients in Secondary Datacenters
When ACLs are enabled, client agents need a special token known as the [`agent token`](/docs/security/acl/acl-system#acl-agent-token) to perform internal operations. Agent tokens need to have the right policies for node related actions, including
registering itself in the catalog, updating node level health checks, and performing [anti-entropy](/docs/architecture/anti-entropy) syncing.
### Generate Agent ACL Token
[ACL Node Identities](/docs/security/acl/acl-system#acl-node-identities) were introduced
in Consul 1.8.1 and enable easily creating agent tokens with appropriately scoped policies.
To generate the ACL token using node identity, run the following command:
```shell-session
$ consul acl token create -node-identity=<NODE_NAME>:<DATACENTER>
```
### Configure clients to use the ACL agent token
Update the client agents to include the token value from the previous step. Replace
the `ACL_AGENT_TOKEN` value below with the secret ID value from the command output.
<CodeTabs heading = "ACL Configuration in Client Agents">
```hcl
primary_datacenter = "PRIMARY_DATACENTER_NAME"
acl = {
enabled = true
default_policy = "deny"
down_policy = "deny"
tokens = {
agent = "ACL_AGENT_TOKEN"
}
}
```
```json
{
"primary_datacenter": "PRIMARY_DATACENTER_VALUE",
"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "deny",
"tokens": {
"agent": "ACL_AGENT_TOKEN"
}
}
}
```
</CodeTabs>
Note that client agents have to be restarted for ACL related configuration changes to take effect.
## Summary
After completing the above steps, a federated Consul cluster can be used with ACLs. Refer to
[ACL Replication Guide](https://learn.hashicorp.com/tutorials/consul/access-control-replication-multiple-datacenters?in=consul/security-operations)
for more on this topic.
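Review bot: the JSON tab of "ACL Configuration in Primary" has `"bootstrap_expect": N`, which is not valid JSON and will fail if copied, while the HCL tab uses `3`; use the same number in both. The placeholders also drift between tabs (`YOUR_ACL_AGENT_TOKEN` vs `ACL_AGENT_TOKEN`, `PRIMARY_DATACENTER_NAME` vs `PRIMARY_DATACENTER_VALUE`), which makes it unclear whether they are meant to be the same value. Separately, the WAN join step passes the management token inline with `-token="ACL_MANAGEMENT_TOKEN"`, which leaves it in shell history and the process list; given the warning earlier on the page about tokens in config files, consider showing `-token-file` or the `CONSUL_HTTP_TOKEN` environment variable instead. Minor: `# Requirements` is a second H1 on the page and should be `##`.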

View File

@ -20,7 +20,7 @@ upgrade flow.
Consul Enterprise versions 1.10.0 through 1.10.4 contain a latent bug that
causes those client or server agents to deregister their own services or health
checks when some of the servers have been upgraded to 1.11. Before upgrading Consul Enterprise servers to 1.11, all Consul agents should first
be upgraded to 1.10.6 or higher to ensure forward compatibility and prevent
be upgraded to 1.10.7 or higher to ensure forward compatibility and prevent
flapping of catalog registrations.
### Deprecated Agent Config Options
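Review bot: the minimum safe version moves to 1.10.7, but the sentence above it still gives the affected range as 1.10.0 through 1.10.4, which leaves readers unsure about 1.10.5 and 1.10.6. If those releases are also affected, update the range in the same change; if they are not, add a short reason why 1.10.7 is the floor.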

View File

@ -479,6 +479,10 @@
"path": "k8s/installation/vault/connect-ca"
}
]
},
{
"title": "Compatibility Matrix",
"path": "k8s/installation/compatibility"
}
]
},
@ -555,10 +559,6 @@
{
"title": "Overview",
"path": "k8s/upgrade"
},
{
"title": "Compatibility Matrix",
"path": "k8s/upgrade/compatibility"
}
]
},
@ -836,6 +836,10 @@
"title": "Token Migration",
"path": "security/acl/acl-migrate-tokens"
},
{
"title": "ACLs in Federated Datacenters",
"path": "security/acl/acl-federated-datacenters"
},
{
"title": "Auth Methods",
"routes": [

View File

@ -1 +1 @@
export default '1.11.1'
export default '1.11.2'

BIN
website/public/img/wan-federation-connectivity-mesh-gateways.png (Stored with Git LFS) Executable file

Binary file not shown.


BIN
website/public/img/wan-federation-connectivity-traditional.png (Stored with Git LFS) Executable file

Binary file not shown.
