Just like standard upstreams the order of applicability in descending precedence:
1. caller's `service-defaults` upstream override for destination
2. caller's `service-defaults` upstream defaults
3. destination's `service-resolver` ConnectTimeout
4. system default of 5s
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* docs: Updating Gossip EncryptionKey Rotation page with Vault use case
* Adding a note to the vault instructions linking to the gossip key encryption using Vault page.
* Correcting Vault guide for storing the rotated gossip key.
* adding $ to shell sessions where it is missing on the gossip rotation page
* adding $ to more shell sessions where it is missing on the gossip rotation page
* Fixes a lint warning about t.Errorf not supporting %w
* Enable running autopilot on all servers
On the non-leader servers all they do is update the state and do not attempt any modifications.
* Fix the RPC conn limiting tests
Technically they were relying on racey behavior before. Now they should be reliable.
* k8s docs - ACLs refactor - Updating terminating gateway documentation to call out updating the role rather than the token with the policy
* Modifying role and policy names based on naming convention change.
The list of supported annotations for Consul service mesh were moved
from /docs/k8s/connect to /docs/k8s/annotations-and-labels in PR
#12323.
This commit updates various across the site to point to the new
URL for these annotations.
* Updating helm docs with additionalVault and ACLs refactor funtionality.
* PR Feedback corrections.
- Fix indentation.
- Fix description of secretName and secretKey to be consistent
- Change description of manageACLsRole to be more clear.
- Make the added vault role field descriptions consistent
* PR Feedback - correcting description for adminPartitionsRole
* Fixing broken shell sessions
* Fixing broken shell sessions by changing shell-session tobecloser tocomment marker
* add config watcher to the config package
* add logging to watcher
* add test and refactor to add WatcherEvent.
* add all API calls and fix a bug with recreated files
* add tests for watcher
* remove the unnecessary use of context
* Add debug log and a test for file rename
* use inode to detect if the file is recreated/replaced and only listen to create events.
* tidy ups (#1535)
* tidy ups
* Add tests for inode reconcile
* fix linux vs windows syscall
* fix linux vs windows syscall
* fix windows compile error
* increase timeout
* use ctime ID
* remove remove/creation test as it's a use case that fail in linux
* fix linux/windows to use Ino/CreationTime
* fix the watcher to only overwrite current file id
* fix linter error
* fix remove/create test
* set reconcile loop to 200 Milliseconds
* fix watcher to not trigger event on remove, add more tests
* on a remove event try to add the file back to the watcher and trigger the handler if success
* fix race condition
* fix flaky test
* fix race conditions
* set level to info
* fix when file is removed and get an event for it after
* fix to trigger handler when we get a remove but re-add fail
* fix error message
* add tests for directory watch and fixes
* detect if a file is a symlink and return an error on Add
* rename Watcher to FileWatcher and remove symlink deref
* add fsnotify@v1.5.1
* fix go mod
* do not reset timer on errors, rename OS specific files
* rename New func
* events trigger on write and rename
* add missing test
* fix flaking tests
* fix flaky test
* check reconcile when removed
* delete invalid file
* fix test to create files with different mod time.
* back date file instead of sleeping
* add watching file in agent command.
* fix watcher call to use new API
* add configuration and stop watcher when server stop
* add certs as watched files
* move FileWatcher to the agent start instead of the command code
* stop watcher before replacing it
* save watched files in agent
* add add and remove interfaces to the file watcher
* fix remove to not return an error
* use `Add` and `Remove` to update certs files
* fix tests
* close events channel on the file watcher even when the context is done
* extract `NotAutoReloadableRuntimeConfig` is a separate struct
* fix linter errors
* add Ca configs and outgoing verify to the not auto reloadable config
* add some logs and fix to use background context
* add tests to auto-config reload
* remove stale test
* add tests to changes to config files
* add check to see if old cert files still trigger updates
* rename `NotAutoReloadableRuntimeConfig` to `StaticRuntimeConfig`
* fix to re add both key and cert file. Add test to cover this case.
* review suggestion
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
* add check to static runtime config changes
* fix test
* add changelog file
* fix review comments
* Apply suggestions from code review
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
* update flag description
Co-authored-by: FFMMM <FFMMM@users.noreply.github.com>
* fix compilation error
* add static runtime config support
* fix test
* fix review comments
* fix log test
* Update .changelog/12329.txt
Co-authored-by: Dan Upton <daniel@floppy.co>
* transfer tests to runtime_test.go
* fix filewatcher Replace to not deadlock.
* avoid having lingering locks
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
* split ReloadConfig func
* fix warning message
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
* convert `FileWatcher` into an interface
* fix compilation errors
* fix tests
* extract func for adding and removing files
* add a coalesceTimer with a very small timer
* extract coaelsce Timer and add a shim for testing
* add tests to coalesceTimer fix to send remaining events
* set `coalesceTimer` to 1 Second
* support symlink, fix a nil deref.
* fix compile error
* fix compile error
* refactor file watcher rate limiting to be a Watcher implementation
* fix linter issue
* fix runtime config
* fix runtime test
* fix flaky tests
* fix compile error
* Apply suggestions from code review
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
* fix agent New to return an error if File watcher New return an error
* add a coalesceTimer with a very small timer
* extract coaelsce Timer and add a shim for testing
* set `coalesceTimer` to 1 Second
* add flag description to agent command docs
* fix link
* add Static runtime config docs
* fix links and alignment
* fix typo
* Revert "add a coalesceTimer with a very small timer"
This reverts commit d9db2fcb8213a81ac761f04b458091409c5fb1ee.
* Revert "extract coaelsce Timer and add a shim for testing"
This reverts commit 0ab86012a415ffeb452acf58e52c9f37c9f49254.
* Apply suggestions from code review
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: FFMMM <FFMMM@users.noreply.github.com>
Co-authored-by: Daniel Upton <daniel@floppy.co>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
- `tls.incoming`: applies to the inbound mTLS targeting the public
listener on `connect-proxy` and `terminating-gateway` envoy instances
- `tls.outgoing`: applies to the outbound mTLS dialing upstreams from
`connect-proxy` and `ingress-gateway` envoy instances
Fixes#11966
* website: api-gateway helm install consul namespace
To mirror instructions at https://learn.hashicorp.com/tutorials/consul/kubernetes-api-gateway
* website(api-gateway): add notes on where to find available versions
* website(api-gateway): fixup link to more clearly indicate Consul Helm chart releases
* Update website/content/docs/api-gateway/api-gateway-usage.mdx
* tlsutil: initial implementation of types/TLSVersion
tlsutil: add test for parsing deprecated agent TLS version strings
tlsutil: return TLSVersionInvalid with error
tlsutil: start moving tlsutil cipher suite lookups over to types/tls
tlsutil: rename tlsLookup to ParseTLSVersion, add cipherSuiteLookup
agent: attempt to use types in runtime config
agent: implement b.tlsVersion validation in config builder
agent: fix tlsVersion nil check in builder
tlsutil: update to renamed ParseTLSVersion and goTLSVersions
tlsutil: fixup TestConfigurator_CommonTLSConfigTLSMinVersion
tlsutil: disable invalid config parsing tests
tlsutil: update tests
auto_config: lookup old config strings from base.TLSMinVersion
auto_config: update endpoint tests to use TLS types
agent: update runtime_test to use TLS types
agent: update TestRuntimeCinfig_Sanitize.golden
agent: update config runtime tests to expect TLS types
* website: update Consul agent tls_min_version values
* agent: fixup TLS parsing and compilation errors
* test: fixup lint issues in agent/config_runtime_test and tlsutil/config_test
* tlsutil: add CHACHA20_POLY1305 cipher suites to goTLSCipherSuites
* test: revert autoconfig tls min version fixtures to old format
* types: add TLSVersions public function
* agent: add warning for deprecated TLS version strings
* agent: move agent config specific logic from tlsutil.ParseTLSVersion into agent config builder
* tlsutil(BREAKING): change default TLS min version to TLS 1.2
* agent: move ParseCiphers logic from tlsutil into agent config builder
* tlsutil: remove unused CipherString function
* agent: fixup import for types package
* Revert "tlsutil: remove unused CipherString function"
This reverts commit 6ca7f6f58d268e617501b7db9500113c13bae70c.
* agent: fixup config builder and runtime tests
* tlsutil: fixup one remaining ListenerConfig -> ProtocolConfig
* test: move TLS cipher suites parsing test from tlsutil into agent config builder tests
* agent: remove parseCiphers helper from auto_config_endpoint_test
* test: remove unused imports from tlsutil
* agent: remove resolved FIXME comment
* tlsutil: remove TODO and FIXME in cipher suite validation
* agent: prevent setting inherited cipher suite config when TLS 1.3 is specified
* changelog: add entry for converting agent config to TLS types
* agent: remove FIXME in runtime test, this is covered in builder tests with invalid tls9 value now
* tlsutil: remove config tests for values checked at agent config builder boundary
* tlsutil: remove tls version check from loadProtocolConfig
* tlsutil: remove tests and TODOs for logic checked in TestBuilder_tlsVersion and TestBuilder_tlsCipherSuites
* website: update search link for supported Consul agent cipher suites
* website: apply review suggestions for tls_min_version description
* website: attempt to clean up markdown list formatting for tls_min_version
* website: moar linebreaks to fix tls_min_version formatting
* Revert "website: moar linebreaks to fix tls_min_version formatting"
This reverts commit 38585927422f73ebf838a7663e566ac245f2a75c.
* autoconfig: translate old values for TLSMinVersion
* agent: rename var for translated value of deprecated TLS version value
* Update agent/config/deprecated.go
Co-authored-by: Dan Upton <daniel@floppy.co>
* agent: fix lint issue
* agent: fixup deprecated config test assertions for updated warning
Co-authored-by: Dan Upton <daniel@floppy.co>
Introduces the capability to configure TLS differently for Consul's
listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC
port) which is useful in scenarios where you may want the HTTPS or
gRPC interfaces to present a certificate signed by a well-known/public
CA, rather than the certificate used for internal communication which
must have a SAN in the form `server.<dc>.consul`.
* Update Kubernetes related YAML config examples to document supported
syntax in the latest version of the Helm chart.
* Fix syntax in JSON example configs.
Resolves#12403
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
Recently there have been a handful of GitHub issues and Discuss posts
where users have expected the `consul` CLI to make use of config
options defined in the agent configuration files, and are confused
when it does not honor those config options.
This change clarifies that command-line and configuration file options
documented on the /agent/options page only apply to the Consul agent,
instead of the Consul CLI.
* docs/nia: new configuration for services condition & source_input (#11646)
* docs/nia: new configuration for services condition
* docs/nia: new configuration for services source_input
* reword filter and cts_user_defined_meta
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Update service block config to table format
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Remove deprecated driver.working_dir (#11831)
* Deprecate workspace_prefix for now workspaces.prefix (#11836)
* docs/nia: new config field names for services condition/source_input (#11896)
* docs/nia: new config field `names` for services condition/source_input
* Remove language about 'default condition' and services condition relation to services list
Context:
- Added a new `names` field to condition/source_input "services"
- `names` or `regexp` must be configured for condition/source_input "services"
This therefore:
- Removed relationship between condition/source_input "services" and
task.services list
- Removed concept of "default condition" i.e. condition "services" must be
configured with `names` or `regexp`, there is no meaningful unconfigured default
Change: remove language regarding "default condition" and relationship with services list
* docs/nia: Update paramters to table format
Changes from a bulleted list to a table. Also adds the possible response codes
and fixes the update example response to include the inspect object.
* docs/nia: Delete task API and CLI
* docs/nia: Update wording for run values
Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>
* docs/nia: require condition "catalog-services" block's regexp to be configured (#11915)
Changes:
- Update Catalog Services Condition configuration docs to new table format
- Rewrite `regexp` field docs to be required, no longer optional
- Remove details about `regexp` field's original default behavior when the
field was optional
* docs/nia: Update status API docs to table format
* Cleaner wording for response descriptions
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* docs/nia - 'source_includes_var' changes (#11939)
* docs/nia - condition "services" new field source_includes_var
- Add new configuration details for condition "services" block's
`source_includes_var` field.
- Note: this field's description is worded differently from condition type's
`source_includes_var` since a services variable is always required (unlike
other vars) for CTS modules.
- Also worded in a way to anticipate renaming to `use_as_module_input`
* docs/nia - change 'source_includes_var' default value from false to true
- Update configs
- Table-ify Consul-KV condition (reuse wording from Consul-KV source input)
* docs/nia - reword task execution page for source_includes_var changes
- Note: switched to using "module input" language over "source input" language.
Separate PR will make a mass change across docs
- Slim down general task condition section to have fewer details on module input
- Updated services, catalog-services, and consul-kv condition sections for
source_includes_var
- Add config page links for details
* Improve CTS acronym usage
- Use Consul-Terraform-Sync at the first instance with CTS in brackets - Consul-Terraform-Sync (CTS) and then CTS for all following instances on a per-page basis.
- some exceptions: left usage of the term `Consul-Terraform-Sync` in config examples and where it made sense for hyperlinking
* Improve CTS acronym usage (part 2) (#11991)
Per page:
- At first instance in text, use "Consul-Terraform-Sync (CTS)"
- Subsequent instances in text, use "CTS"
* Update schedule condition config to table format
* Update config tables with type column
* docs/nia: Update required fields values
Standardizing Required/Optional over boolean values.
* docs/nia: Standardize order of columns
Updated Required to come before Type, which is how the configurations are formatted. Also
changed the empty strings to "none" for default values.
* Deprecate port CLI option for CTS and updated example usage
* docs/nia cts multiple source input configuration updates (#12158)
* docs/nia cts multiple source input configuration updates
CTS expanded its usage of `source_input` block configurations and added
some restrictions. This change accounts for the following changes:
- `source_input` block can be configured for a task. No longer restricting to
scheduled task
- Multiple `source_input` blocks can be configured for a task. No longer
restricting to one
- Task cannot have multiple configurations defining the same variable type
Future work: We're planning to do some renaming from "source" to "module" for
v0.5. These changes are made in the code and not yet in the docs. These will be
taken care of across our docs in a separate PR. Perpetuating "source" in this
PR to reduce confusion.
* Apply suggestions from code review
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Apply suggestions from code review
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* code review feedback
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Add "Consul object" glossary entry
Changes:
- Add "Consul object" to CTS glossary
- Format glossary terms so that they can be linked
- Add link to "Consul object" glossary entry
* Reorganize source_input limitations section
Co-authored-by: findkim <6362111+findkim@users.noreply.github.com>
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: findkim <6362111+findkim@users.noreply.github.com>
* docs/nia: overview of config streamlining deprecations (#12193)
* docs/nia: overview of config streamlining deprecations
* Update config snippets to use CodeTabs
* Apply code review feedback suggestions
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Apply suggestions from code review
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Clarify source table language
* Add use_as_module_input callout
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* docs/nia: deprecate "services" field and "service" block (#12234)
* Deprecate `services` field
Did a search on "`services`", "`task.services`", "services list", and "services
field"
Changes:
- In config docs, mark `services` field as deprecated and `condition` block
as required.
- For necessary references to `services` field, mark with "(deprecated)" e.g.
when listing all options for source input
- Remove unnecessary references to `services` field from docs e.g. any docs
encouraging use of `services`
- Replace `services` field with `condition` / `module_input` "services" in
config snippets and explanations
* Deprecate `service` block
Did a search for "service block", "`service`", and "service {"
Changes:
- In config docs, mark `service` block as deprecated
- For necessary references to `service` block, mark with "(deprecated)"
- Remove unnecessary references to `service` block from docs
* Fix service block typos in config snippet
service block is singular and not plural
* docs/nia: deprecate "source includes var" and "source input" (#12244)
* Deprecate `source_includes_var` field
Did a search for "source_includes_var" and an audit of "include"
Changes
- In config docs, mark `source_includes_var` field as deprecated
- In config docs, add new field for `use_as_module_input`
- For necessary references to `source_includes_var`, mark with "(deprecated)"
- Audit and update "include" language
* Deprecate `source_input` field and language
Did a search and replace for "source_input", "source-input", "source input"
Changes:
- In config docs, mark `source_input` field as deprecated
- In config docs, add new entry for `module_input`
- For necessary references to `source_input`, mark with "(deprecated)"
- Remove or replace "source*input" with "module*input"
Note: added an anchor link alias e.g. `# Module Input ((#source-input))` for
headers that were renamed from "Source Input" so that bookmarked links won't
break
* Update config streamlining release removal version to 0.8
* remove duplicate bullet
* docs/nia: deprecate `source` (#12245)
* Update "source" field in config snippets to "module"
* Deprecate task config `source` field
Did a search and replace for "source" and "src"
Changes:
- In config docs, mark `source` field as deprecated
- In config docs, add new entry for `module`
- Remove or replace "source" with "module"
* Deprecate Status API Event `source` field
Changes:
- Mark `source` field as deprecated
- Add new entry for `module`
* docs/nia - Get Task API docs & Task Status API deprecations (#12303)
* docs/nia - Get Task API
Added a Task Object section intended to be shared with the Create Task API
* docs/nia - Deprecate non-status fields from Task Status API
Deprecate the fields that Get Task API replaces
* docs/nia - Align API docs on `:task_name` request resource
Followed a convention found in Nomad docs
* docs/nia - misc fixes
Context for some:
- remove "" from license_path for consistency - do not specify the default
value when empty string
- remove "optional" language from task condition. we want to move towards it
being required
* docs/nia - add new columns to API Task Object
* Added Create Task API documentation
* Added create task CLI documentation
* addressed code review comments
* fixed example
* docs/nia: Update task delete with async behavior
CTS delete task command is now asynchronous, so updating docs to reflect
this new behavior.
* update create task CLI with new changes from code
* update create task api and cli
- update curl command to include the json header
- update example task names to use 'task_a' to conform with other examples
* docs/nia: Fix hyphens in CTS CLI output
* docs/nia: Add auto-approve option in CLI
* docs/nia: Clarify infrastructure is not destroyed on task deletion
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Kim Ngo <6362111+findkim@users.noreply.github.com>
Co-authored-by: Melissa Kam <mkam@hashicorp.com>
Co-authored-by: Melissa Kam <3768460+mkam@users.noreply.github.com>
Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com>
Co-authored-by: AJ Jwair <aj.jwair@hashicorp.com>
* Separate Annotations and Labels and add service-ignore label
* changes to structure and call out for pod
* add description and TOC
* Update annotations-and-labels.mdx
Co-authored-by: David Yu <dyu@hashicorp.com>
Remove incorrect sidecar port range on docs for built-in proxy.
Updates the bind_port/port fields on the built-in proxy and sidecar
service registration pages to link to the `sidecar_min_port` and
`sidecar_max_port` configuration options for the defined port range.
Fixes#12253
Rephrase the comment about specifying multiple join addresses to
clarify that it pertains to joining a single cluster by attempting to
contact one or more nodes.
Document the new TLS cipher and version parameters that were added to
ingress gateways in #11576.
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
Remove statement about service-defaults and proxy-defaults being the
only supported configuration entry types. Update the sentence to point
to the configuration entry documentation for a list of supported
types.
Consul's ingress and terminating gateways are meant to enable connectivity
within your organizational network between services outside the Consul service
mesh and those within. They are not meant to connect to the public internet.
* adding changes to move compat matrix
* add back compat matrix
* add Vault versions
* adding details around monorepo
* add note about secrets backend
* small refactors
* Slight update with OpenShift notes
* Add note about OpenShift 4.4.x
* Update website/content/docs/k8s/installation/compatibility.mdx
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
* small formatting
* Removing Consul image column from Vault as secrets backend section
Since we already imply that default consul-k8s image should be used for support
* formating changes
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Use long form of CLI flags in all example commands.
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
* add diagram and text to explain certificates in consul
* use bullet points instead of enumeration
* Apply suggestions from code review
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* remove non needed text and improve image
* fix cert naming
* move section to the right place
* rename DC
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
It is not clear that this page is to configure an external CA for Connect CA. Added line to clarify that this page is for configuring external CA's for the Connect CA. For the built-in CA, no config is needed.
* docs: Update uninstall to ensure CRDs are deleted
* Update website/content/docs/k8s/operations/uninstall.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
* add more details around CRD deletion
* move around crd deletion to before unsintall
* slight wording
* move deletion of CRDs to first line
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
* Clarify CTS monitoring of service and instances
Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Add overview example for multiple interfaces with go-sockaddr
* Include go-sockaddr examples in agent configuration
* Add changelog entry
* Make suggested changes
* Simplify hcl comment
* Update link and fix gRPC
* Switch index.mdx from Tabs to CodeTabs
* Reformat new links for screen readers
* Apply suggestions from code review
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Fix spacing in code block
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
This section was actually about authentication (not authorization).
We already have sections in our api and cli docs. This commit removes the section and replaces
it with a short paragraph in the Tokens section which links to the existing docs.
- Split examples into sections with headers
- Hide the clipboard on examples as the copied text isn't useful
- Format inline flags as code using backticks
- Split examples into sections with headers
- Hide the clipboard on examples as the copied text isn't useful
- Add an example of supplying data in a heredoc
- Move the flags section to the bottom to clearly separate it from CAS
which also mentions "flags" of a different kind
- Slight re-wording for clarity
K8s Vault CA config docs:
* Re-add filename label on K8s Connect CA config.
* Remove call to `jq` when retrieving CA configuration.
* Clarify `connect.ca_config` and `connect.ca_provider` agent configs
are only used at cluster initialization.
Admin Partitions tutorial:
* Fix Helm client values filename.
* Use kubectl's template output to base64 decode Consul bootstrap token.
* Add documentation for the consul with vault integration that covers Server TLS, Connect CA and gossip encryption
Co-authored-by: David Yu <dyu@hashicorp.com>
Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
* Documenting the new raft_boltdb configuration options
* Add documentation around new boltdb metrics.
* Correct documentation for the consul.raft.fsm.apply metric
* update connect ca leaf endpoint docs
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
* pr feedback
* Update website/content/api-docs/agent/connect.mdx
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
* nia/docs: Add TLS options for the CTS API
* docs: Add workspace tags (#11564)
* nia/docs: Change CLI options to table format
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>
* nia/docs: Update TLS CLI defaults
Also clarifies some behavior for the CLI options.
Co-authored-by: Melissa Kam <mkam@hashicorp.com>
Co-authored-by: Kim Ngo <6362111+findkim@users.noreply.github.com>
Co-authored-by: Melissa Kam <3768460+mkam@users.noreply.github.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>
* Support vault auth methods for the Vault connect CA provider
* Rotate the token (re-authenticate to vault using auth method) when the token can no longer be renewed
changed 'segments' in this page to 'resource labels' to disambiguate from 'network segments
updated the code snippets to use CodeBlock component and to include JSON
* Support Vault Namespaces explicitly in CA config
If there is a Namespace entry included in the Vault CA configuration,
set it as the Vault Namespace on the Vault client
Currently the only way to support Vault namespaces in the Consul CA
config is by doing one of the following:
1) Set the VAULT_NAMESPACE environment variable which will be picked up
by the Vault API client
2) Prefix all Vault paths with the namespace
Neither of these are super pleasant. The first requires direct access
and modification to the Consul runtime environment. It's possible and
expected, not super pleasant.
The second requires more indepth knowledge of Vault and how it uses
Namespaces and could be confusing for anyone without that context. It
also infers that it is not supported
* Add changelog
* Remove fmt.Fprint calls
* Make comment clearer
* Add next consul version to website docs
* Add new test for default configuration
* go mod tidy
* Add skip if vault not present
* Tweak changelog text
* docs: consul-k8s uninstall with namespace
Uninstall with namespace
* change release name to consul in uninstall
* Update website/content/docs/k8s/operations/uninstall.mdx
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* add --create-namespace command to install for custom values file
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
The Consul UI topology view has an icon with the text
"Configure metrics dashboard" that links to this page. Add a notice at
the top of the page that links them directly to the relevant section.
The UpstreamConfig.Defaults field does not support setting Name or
Namespace because the purpose is to apply defaults to all upstreams.
I think this was just missed in the docs since those fields would
error if set under Defaults.
i.e. this is not supported:
```
UpstreamConfig {
Defaults {
Name = "foo"
Namespace = "bar"
# Defaults config here
}
}
```
* add root_cert_ttl option for consul connect, vault ca providers
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
* add changelog, pr feedback
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
* Update .changelog/11428.txt, more docs
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
* Update website/content/docs/agent/options.mdx
Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>
* docs: revised Helm install to create namespace and install on dedicated Consul namespace
* Update website/content/docs/k8s/installation/install.mdx
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Update install.mdx
* changing to Helm 3.2+ as a pre-req to make it easier to follow
* might as well bump to latest version
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
Add changelog to document what changed.
Add entry to telemetry section of the website to document what changed
Add docs to the usagemetric endpoint to help document the metrics in code
Replace it with an implementation that returns an error, and rename some symbols
to use a Deprecated suffix to make it clear.
Also remove the ACLRequest struct, which is no longer referenced.
* docs/nia: Add Consul KV condition
* docs/nia: Clarify boolean Consul KV condition options
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* nia/docs: Remove TFE-only restriction
Also updates Terraform Enterprise references to the more
general Terraform Cloud term.
* nia/docs: Update Terraform Cloud features
* nia/docs: Callouts for v0.4.0-beta
* docs/nia: Indicate version for removal of tag field
Clarifying when this tag will be removed so there is no confusion
when it is not present in the v0.4.0-beta release.
Co-authored-by: Melissa Kam <mkam@hashicorp.com>
Co-authored-by: Melissa Kam <3768460+mkam@users.noreply.github.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Use kubectl's base64decode template function (added in K8s 1.11) to
decode values in Secrets. Removes external call to `base64` utility on
the host system.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
* agent: add failures_before_warning setting
The new setting allows users to specify the number of check failures
that have to happen before a service status us updated to be `warning`.
This allows for more visibility for detected issues without creating
alerts and pinging administrators. Unlike the previous behavior, which
caused the service status to not update until it reached the configured
`failures_before_critical` setting, now Consul updates the Web UI view
with the `warning` state and the output of the service check when
`failures_before_warning` is breached.
The default value of `FailuresBeforeWarning` is the same as the value of
`FailuresBeforeCritical`, which allows for retaining the previous default
behavior of not triggering a warning.
When `FailuresBeforeWarning` is set to a value higher than that of
`FailuresBeforeCritical it has no effect as `FailuresBeforeCritical`
takes precedence.
Resolves: https://github.com/hashicorp/consul/issues/10680
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Co-authored-by: Jakub Sokołowski <jakub@status.im>
Co-authored-by: Kim Ngo <6362111+findkim@users.noreply.github.com>
Co-authored-by: Melissa Kam <mkam@hashicorp.com>
Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
It can only work if there is a running service instance in the local DC,
so this is a bit misleading, since failover and redirects are typically
used when there is not an instance in the local DC.
Add the list of common Connect CA configuration options to the
provider-specific CA docs.
Previously these options were only documented under the agent
configuration options. This change makes it so that all supported CA
provider configuration options are available from a single location.
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
The current suggests the option expects a string of either "enabled" or "disabled" but this results in an error `'acl.enable_key_list_policy' expected type 'bool', got unconvertible type 'string', value: 'enabled'`. Setting to a boolean value resolves this, also had a quick look at the code (d2b58cd0d6/agent/config/runtime.go (L109)) and it suggests this too
Add a section to the Connect Security page which highlights the risks
of exposing Envoy's administration interface outside of localhost.
Resolves#5692
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Kent 'picat' Gruber <kent@hashicorp.com>
Add section for tagged addresses on service definition documentation.
Resolves#6989
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Clarify the function of `-address` flag when instantiating an ingress
gateway.
Resolves#9849
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Missed the need to add support for unix domain socket config via
api/command line. This is a variant of the problems described in
it is easy to drop one.
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
This was necessary in older versions of Consul, but was obsoleted by
making Consul add the port number itself when constructing the Envoy
configuration.
* Use CodeTabs for examples in multiple formats.
* Ensure correct language on code fences.
* Use CodeBlockConfig for examples with filenames, or which need
highlighted content.
This commit adds example JSON configs for several config entry
resources were missing examples in this language.
The examples have been updated to use the new CodeTabs resource
instead of the Tab component.
The ServiceChecks parameter was incorrectly documented in e515c9d44 to
state that it accepted a list of string values, when actually the API
requires an array of ServiceCheck objects.
This commit updates the docs for the parameter to correctly reflect
the fields required by the API.
Resolves#10752
Add a note to the docs for the service defaults config entry which
informs users that the service protocol can be configured for all
services using the proxy defaults config entry.
Resolves#8279
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
Document the namespace parameter can be specified on HTTP Check,
Connect CA leaf, and Discovery Chain API endpoints.
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
The base64 CLI utility has two different short flag arguments for decode
depending on the platform: -D and -d.
Previously, the docs used the -D flag exclusively with the base64 utility.
Luckily, the long form of the flag is the same across platforms: --decode.
All uses of the base64 -D flag have been replaced with --decode.
Update output for /v1/session/ endpoints to match output post Consul
1.7.0.
Documents new `NodeChecks` and `ServiceChecks` parameters which were
added in that release.
Resolves#7341, resolves#10095
This change adds a new `dns_config.recursor_strategy` option which
controls how Consul queries DNS resolvers listed in the `recursors`
config option. The supported options are `sequential` (default), and
`random`.
Closes#8807
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
Co-authored-by: Priyanka Sengupta <psengupta@flatiron.com>
* add intermediate ca metric routine
* add Gauge config for intermediate cert
* Stop metrics routine when stopping leader
* add changelog entry
* updage changelog
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
* use variables instead of a map
* go imports sort
* Add metrics for primary and secondary ca
* start metrics routine in the right DC
* add telemetry documentation
* update docs
* extract expiry fetching in a func
* merge metrics for primary and secondary into signing ca metric
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
Add high level documentation on how to enable ingress controllers in consul on k8s.
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
The docs note an alpha pre-release version on K8s observability. Updating to only reference the GA 1.10.0 version of Consul for observability on k8s and metrics merging.
The main branch is being renamed from master->main. This commit should
update all references to the main branch to the new name.
Co-Authored-By: Mike Morris <mikemorris@users.noreply.github.com>
* docs: Add info on using cloud auto-join with Network Segments
Resolves hashicorp/go-discover#57
* Add note about joining network segments
Specifically call out that agents can be configured to join a network
segment by either specifying the Serf LAN port in the join address,
changing the agent's default Serf LAN port by configuring
`ports.serf_lan`, or specifying the port in the `-serf-lan-port`
command line flag.
Resolves#9972
* docs: Remove Helm 2 mention in Consul K8s install and uninstall
Helm 2 is no longer supported via Consul K8s. Helm 3 is now the supported version for Consul K8s.
The query metrics are actually reported for all read queries, not only
ones that use a MinIndex to block for updates.
Also clarify the raft.apply metric is only on the leader.
* docs: Removal of Consul vs ZooKeeper
Although Consul does have a KV, we are not positioning Consul as a first class KV store versus other alternatives such as etcd or Zookeeper. Will remove this since this has not been updated with further analysis since this content was created.
* Removing from Zookeeper analysis Navbar
* Removing Zookeeper analysis from redirects
* docs/nia: Add section on upgrading Terraform in CTS
* docs/nia: Add service filter configuration, deprecate tag
* docs/nia: Add version to deprecated note, use path to reference
* docs/nia: catalog-services condition
Co-authored-by: Melissa Kam <mkam@hashicorp.com>
Co-authored-by: Melissa Kam <3768460+mkam@users.noreply.github.com>
CatalogDestinationsOnly is a passthrough that would enable dialing
addresses outside of Consul's catalog. However, when this flag is set to
true only _connect_ endpoints for services can be dialed.
This flag is being renamed to signal that non-Connect endpoints can't be
dialed by transparent proxies when the value is set to true.
Previously if you were to follow these docs and register two external
services, you would set the Address field on the node. The second
registered service would change the address of the node for the first
service.
Now the docs explain the address key and how to register more than one
external service.
* debug: remove the CLI check for debug_enabled
The API allows collecting profiles even debug_enabled=false as long as
ACLs are enabled. Remove this check from the CLI so that users do not
need to set debug_enabled=true for no reason.
Also:
- fix the API client to return errors on non-200 status codes for debug
endpoints
- improve the failure messages when pprof data can not be collected
Co-Authored-By: Dhia Ayachi <dhia@hashicorp.com>
* remove parallel test runs
parallel runs create a race condition that fail the debug tests
* snapshot the timestamp at the beginning of the capture
- timestamp used to create the capture sub folder is snapshot only at the beginning of the capture and reused for subsequent captures
- capture append to the file if it already exist
* Revert "snapshot the timestamp at the beginning of the capture"
This reverts commit c2d03346
* Refactor captureDynamic to extract capture logic for each item in a different func
* snapshot the timestamp at the beginning of the capture
- timestamp used to create the capture sub folder is snapshot only at the beginning of the capture and reused for subsequent captures
- capture append to the file if it already exist
* Revert "snapshot the timestamp at the beginning of the capture"
This reverts commit c2d03346
* Refactor captureDynamic to extract capture logic for each item in a different func
* extract wait group outside the go routine to avoid a race condition
* capture pprof in a separate go routine
* perform a single capture for pprof data for the whole duration
* add missing vendor dependency
* add a change log and fix documentation to reflect the change
* create function for timestamp dir creation and simplify error handling
* use error groups and ticker to simplify interval capture loop
* Logs, profile and traces are captured for the full duration. Metrics, Heap and Go routines are captured every interval
* refactor Logs capture routine and add log capture specific test
* improve error reporting when log test fail
* change test duration to 1s
* make time parsing in log line more robust
* refactor log time format in a const
* test on log line empty the earliest possible and return
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
* rename function to captureShortLived
* more specific changelog
Co-authored-by: Paul Banks <banks@banksco.de>
* update documentation to reflect current implementation
* add test for behavior when invalid param is passed to the command
* fix argument line in test
* a more detailed description of the new behaviour
Co-authored-by: Paul Banks <banks@banksco.de>
* print success right after the capture is done
* remove an unnecessary error check
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
* upgraded github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57 => v0.0.0-20210601050228-01bbb1931b22
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
Co-authored-by: Paul Banks <banks@banksco.de>
* Docs for Unix Domain Sockets
There are a number of cases where a user might wish to either 1)
expose a service through a Unix Domain Socket in the filesystem
('downstream') or 2) connect to an upstream service by a local unix
domain socket (upstream).
As of Consul (1.10-beta2) we've added new syntax and support to configure
the Envoy proxy to support this
To connect to a service via local Unix Domain Socket instead of a
port, add local_bind_socket_path and optionally local_bind_socket_mode
to the upstream config for a service:
upstreams = [
{
destination_name = "service-1"
local_bind_socket_path = "/tmp/socket_service_1"
local_bind_socket_mode = "0700"
...
}
...
]
This will cause Envoy to create a socket with the path and mode
provided, and connect that to service-1
The mode field is optional, and if omitted will use the default mode
for Envoy. This is not applicable for abstract sockets. See
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-pipe
for details
NOTE: These options conflict the local_bind_socket_port and
local_bind_socket_address options. We can bind to an port or we can
bind to a socket, but not both.
To expose a service listening on a Unix Domain socket to the service
mesh use either the 'socket_path' field in the service definition or the
'local_service_socket_path' field in the proxy definition. These
fields are analogous to the 'port' and 'service_port' fields in their
respective locations.
services {
name = "service-2"
socket_path = "/tmp/socket_service_2"
...
}
OR
proxy {
local_service_socket_path = "/tmp/socket_service_2"
...
}
There is no mode field since the service is expected to create the
socket it is listening on, not the Envoy proxy.
Again, the socket_path and local_service_socket_path fields conflict
with address/port and local_service_address/local_service_port
configuration entries.
Set up a simple service mesh with dummy services:
socat -d UNIX-LISTEN:/tmp/downstream.sock,fork UNIX-CONNECT:/tmp/upstream.sock
socat -v tcp-l:4444,fork exec:/bin/cat
services {
name = "sock_forwarder"
id = "sock_forwarder.1"
socket_path = "/tmp/downstream.sock"
connect {
sidecar_service {
proxy {
upstreams = [
{
destination_name = "echo-service"
local_bind_socket_path = "/tmp/upstream.sock"
config {
passive_health_check {
interval = "10s"
max_failures = 42
}
}
}
]
}
}
}
}
services {
name = "echo-service"
port = 4444
connect = { sidecar_service {} }
Kind = "ingress-gateway"
Name = "ingress-service"
Listeners = [
{
Port = 8080
Protocol = "tcp"
Services = [
{
Name = "sock_forwarder"
}
]
}
]
consul agent -dev -enable-script-checks -config-dir=./consul.d
consul connect envoy -sidecar-for sock_forwarder.1
consul connect envoy -sidecar-for echo-service -admin-bind localhost:19001
consul config write ingress-gateway.hcl
consul connect envoy -gateway=ingress -register -service ingress-service -address '{{ GetInterfaceIP "eth0" }}:8888' -admin-bind localhost:19002
netcat 127.0.0.1 4444
netcat 127.0.0.1 8080
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* fixup Unix capitalization
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* Update website/content/docs/connect/registration/service-registration.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
* Provide examples in hcl and json
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* Apply suggestions from code review
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
* One more fixup for docs
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
This PR adds cluster members to the metrics API. The number of members per
segment are reported as well as the total number of members.
Tested by running a multi-node cluster locally and ensuring the numbers were
correct. Also added unit test coverage to add the new expected gauges to
existing test cases.
Adds more clear indicators that the collections on the learn.hashicorp.com sites have specific instructions for single node deployments.
Co-Authored by: soonoo <qpseh2m7@gmail.com>
* Update glossary.mdx
1. Update header to the first section to "Consul Vocabulary" since these are the terms used in the context of Consul conversations.
2. Kept the header "Consul Glossary" since these are the terms useful for practitioners in the consul space.
3. Removed interlinking to terms on the same page.
Co-authored-by: Hans Hasselberg <me@hans.io>
Co-authored-by: Swarna Podila <swarnap@users.noreply.github.com>
Update register check documentation clarify that Id returns as CheckId in the response
Co-Authored-By: Shaker Islam <shaqq@users.noreply.github.com>
Co-authored-by: Shaker Islam <shaqq@users.noreply.github.com>