- `tls.incoming`: applies to the inbound mTLS targeting the public
listener on `connect-proxy` and `terminating-gateway` envoy instances
- `tls.outgoing`: applies to the outbound mTLS dialing upstreams from
`connect-proxy` and `ingress-gateway` envoy instances
Fixes#11966
* website: api-gateway helm install consul namespace
To mirror instructions at https://learn.hashicorp.com/tutorials/consul/kubernetes-api-gateway
* website(api-gateway): add notes on where to find available versions
* website(api-gateway): fixup link to more clearly indicate Consul Helm chart releases
* Update website/content/docs/api-gateway/api-gateway-usage.mdx
* tlsutil: initial implementation of types/TLSVersion
tlsutil: add test for parsing deprecated agent TLS version strings
tlsutil: return TLSVersionInvalid with error
tlsutil: start moving tlsutil cipher suite lookups over to types/tls
tlsutil: rename tlsLookup to ParseTLSVersion, add cipherSuiteLookup
agent: attempt to use types in runtime config
agent: implement b.tlsVersion validation in config builder
agent: fix tlsVersion nil check in builder
tlsutil: update to renamed ParseTLSVersion and goTLSVersions
tlsutil: fixup TestConfigurator_CommonTLSConfigTLSMinVersion
tlsutil: disable invalid config parsing tests
tlsutil: update tests
auto_config: lookup old config strings from base.TLSMinVersion
auto_config: update endpoint tests to use TLS types
agent: update runtime_test to use TLS types
agent: update TestRuntimeCinfig_Sanitize.golden
agent: update config runtime tests to expect TLS types
* website: update Consul agent tls_min_version values
* agent: fixup TLS parsing and compilation errors
* test: fixup lint issues in agent/config_runtime_test and tlsutil/config_test
* tlsutil: add CHACHA20_POLY1305 cipher suites to goTLSCipherSuites
* test: revert autoconfig tls min version fixtures to old format
* types: add TLSVersions public function
* agent: add warning for deprecated TLS version strings
* agent: move agent config specific logic from tlsutil.ParseTLSVersion into agent config builder
* tlsutil(BREAKING): change default TLS min version to TLS 1.2
* agent: move ParseCiphers logic from tlsutil into agent config builder
* tlsutil: remove unused CipherString function
* agent: fixup import for types package
* Revert "tlsutil: remove unused CipherString function"
This reverts commit 6ca7f6f58d268e617501b7db9500113c13bae70c.
* agent: fixup config builder and runtime tests
* tlsutil: fixup one remaining ListenerConfig -> ProtocolConfig
* test: move TLS cipher suites parsing test from tlsutil into agent config builder tests
* agent: remove parseCiphers helper from auto_config_endpoint_test
* test: remove unused imports from tlsutil
* agent: remove resolved FIXME comment
* tlsutil: remove TODO and FIXME in cipher suite validation
* agent: prevent setting inherited cipher suite config when TLS 1.3 is specified
* changelog: add entry for converting agent config to TLS types
* agent: remove FIXME in runtime test, this is covered in builder tests with invalid tls9 value now
* tlsutil: remove config tests for values checked at agent config builder boundary
* tlsutil: remove tls version check from loadProtocolConfig
* tlsutil: remove tests and TODOs for logic checked in TestBuilder_tlsVersion and TestBuilder_tlsCipherSuites
* website: update search link for supported Consul agent cipher suites
* website: apply review suggestions for tls_min_version description
* website: attempt to clean up markdown list formatting for tls_min_version
* website: moar linebreaks to fix tls_min_version formatting
* Revert "website: moar linebreaks to fix tls_min_version formatting"
This reverts commit 38585927422f73ebf838a7663e566ac245f2a75c.
* autoconfig: translate old values for TLSMinVersion
* agent: rename var for translated value of deprecated TLS version value
* Update agent/config/deprecated.go
Co-authored-by: Dan Upton <daniel@floppy.co>
* agent: fix lint issue
* agent: fixup deprecated config test assertions for updated warning
Co-authored-by: Dan Upton <daniel@floppy.co>
Introduces the capability to configure TLS differently for Consul's
listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC
port) which is useful in scenarios where you may want the HTTPS or
gRPC interfaces to present a certificate signed by a well-known/public
CA, rather than the certificate used for internal communication which
must have a SAN in the form `server.<dc>.consul`.
* Update Kubernetes related YAML config examples to document supported
syntax in the latest version of the Helm chart.
* Fix syntax in JSON example configs.
Resolves#12403
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
Recently there have been a handful of GitHub issues and Discuss posts
where users have expected the `consul` CLI to make use of config
options defined in the agent configuration files, and are confused
when it does not honor those config options.
This change clarifies that command-line and configuration file options
documented on the /agent/options page only apply to the Consul agent,
instead of the Consul CLI.
* docs/nia: new configuration for services condition & source_input (#11646)
* docs/nia: new configuration for services condition
* docs/nia: new configuration for services source_input
* reword filter and cts_user_defined_meta
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Update service block config to table format
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Remove deprecated driver.working_dir (#11831)
* Deprecate workspace_prefix for now workspaces.prefix (#11836)
* docs/nia: new config field names for services condition/source_input (#11896)
* docs/nia: new config field `names` for services condition/source_input
* Remove language about 'default condition' and services condition relation to services list
Context:
- Added a new `names` field to condition/source_input "services"
- `names` or `regexp` must be configured for condition/source_input "services"
This therefore:
- Removed relationship between condition/source_input "services" and
task.services list
- Removed concept of "default condition" i.e. condition "services" must be
configured with `names` or `regexp`, there is no meaningful unconfigured default
Change: remove language regarding "default condition" and relationship with services list
* docs/nia: Update paramters to table format
Changes from a bulleted list to a table. Also adds the possible response codes
and fixes the update example response to include the inspect object.
* docs/nia: Delete task API and CLI
* docs/nia: Update wording for run values
Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>
* docs/nia: require condition "catalog-services" block's regexp to be configured (#11915)
Changes:
- Update Catalog Services Condition configuration docs to new table format
- Rewrite `regexp` field docs to be required, no longer optional
- Remove details about `regexp` field's original default behavior when the
field was optional
* docs/nia: Update status API docs to table format
* Cleaner wording for response descriptions
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* docs/nia - 'source_includes_var' changes (#11939)
* docs/nia - condition "services" new field source_includes_var
- Add new configuration details for condition "services" block's
`source_includes_var` field.
- Note: this field's description is worded differently from condition type's
`source_includes_var` since a services variable is always required (unlike
other vars) for CTS modules.
- Also worded in a way to anticipate renaming to `use_as_module_input`
* docs/nia - change 'source_includes_var' default value from false to true
- Update configs
- Table-ify Consul-KV condition (reuse wording from Consul-KV source input)
* docs/nia - reword task execution page for source_includes_var changes
- Note: switched to using "module input" language over "source input" language.
Separate PR will make a mass change across docs
- Slim down general task condition section to have fewer details on module input
- Updated services, catalog-services, and consul-kv condition sections for
source_includes_var
- Add config page links for details
* Improve CTS acronym usage
- Use Consul-Terraform-Sync at the first instance with CTS in brackets - Consul-Terraform-Sync (CTS) and then CTS for all following instances on a per-page basis.
- some exceptions: left usage of the term `Consul-Terraform-Sync` in config examples and where it made sense for hyperlinking
* Improve CTS acronym usage (part 2) (#11991)
Per page:
- At first instance in text, use "Consul-Terraform-Sync (CTS)"
- Subsequent instances in text, use "CTS"
* Update schedule condition config to table format
* Update config tables with type column
* docs/nia: Update required fields values
Standardizing Required/Optional over boolean values.
* docs/nia: Standardize order of columns
Updated Required to come before Type, which is how the configurations are formatted. Also
changed the empty strings to "none" for default values.
* Deprecate port CLI option for CTS and updated example usage
* docs/nia cts multiple source input configuration updates (#12158)
* docs/nia cts multiple source input configuration updates
CTS expanded its usage of `source_input` block configurations and added
some restrictions. This change accounts for the following changes:
- `source_input` block can be configured for a task. No longer restricting to
scheduled task
- Multiple `source_input` blocks can be configured for a task. No longer
restricting to one
- Task cannot have multiple configurations defining the same variable type
Future work: We're planning to do some renaming from "source" to "module" for
v0.5. These changes are made in the code and not yet in the docs. These will be
taken care of across our docs in a separate PR. Perpetuating "source" in this
PR to reduce confusion.
* Apply suggestions from code review
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Apply suggestions from code review
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* code review feedback
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Add "Consul object" glossary entry
Changes:
- Add "Consul object" to CTS glossary
- Format glossary terms so that they can be linked
- Add link to "Consul object" glossary entry
* Reorganize source_input limitations section
Co-authored-by: findkim <6362111+findkim@users.noreply.github.com>
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: findkim <6362111+findkim@users.noreply.github.com>
* docs/nia: overview of config streamlining deprecations (#12193)
* docs/nia: overview of config streamlining deprecations
* Update config snippets to use CodeTabs
* Apply code review feedback suggestions
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Apply suggestions from code review
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* Clarify source table language
* Add use_as_module_input callout
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* docs/nia: deprecate "services" field and "service" block (#12234)
* Deprecate `services` field
Did a search on "`services`", "`task.services`", "services list", and "services
field"
Changes:
- In config docs, mark `services` field as deprecated and `condition` block
as required.
- For necessary references to `services` field, mark with "(deprecated)" e.g.
when listing all options for source input
- Remove unnecessary references to `services` field from docs e.g. any docs
encouraging use of `services`
- Replace `services` field with `condition` / `module_input` "services" in
config snippets and explanations
* Deprecate `service` block
Did a search for "service block", "`service`", and "service {"
Changes:
- In config docs, mark `service` block as deprecated
- For necessary references to `service` block, mark with "(deprecated)"
- Remove unnecessary references to `service` block from docs
* Fix service block typos in config snippet
service block is singular and not plural
* docs/nia: deprecate "source includes var" and "source input" (#12244)
* Deprecate `source_includes_var` field
Did a search for "source_includes_var" and an audit of "include"
Changes
- In config docs, mark `source_includes_var` field as deprecated
- In config docs, add new field for `use_as_module_input`
- For necessary references to `source_includes_var`, mark with "(deprecated)"
- Audit and update "include" language
* Deprecate `source_input` field and language
Did a search and replace for "source_input", "source-input", "source input"
Changes:
- In config docs, mark `source_input` field as deprecated
- In config docs, add new entry for `module_input`
- For necessary references to `source_input`, mark with "(deprecated)"
- Remove or replace "source*input" with "module*input"
Note: added an anchor link alias e.g. `# Module Input ((#source-input))` for
headers that were renamed from "Source Input" so that bookmarked links won't
break
* Update config streamlining release removal version to 0.8
* remove duplicate bullet
* docs/nia: deprecate `source` (#12245)
* Update "source" field in config snippets to "module"
* Deprecate task config `source` field
Did a search and replace for "source" and "src"
Changes:
- In config docs, mark `source` field as deprecated
- In config docs, add new entry for `module`
- Remove or replace "source" with "module"
* Deprecate Status API Event `source` field
Changes:
- Mark `source` field as deprecated
- Add new entry for `module`
* docs/nia - Get Task API docs & Task Status API deprecations (#12303)
* docs/nia - Get Task API
Added a Task Object section intended to be shared with the Create Task API
* docs/nia - Deprecate non-status fields from Task Status API
Deprecate the fields that Get Task API replaces
* docs/nia - Align API docs on `:task_name` request resource
Followed a convention found in Nomad docs
* docs/nia - misc fixes
Context for some:
- remove "" from license_path for consistency - do not specify the default
value when empty string
- remove "optional" language from task condition. we want to move towards it
being required
* docs/nia - add new columns to API Task Object
* Added Create Task API documentation
* Added create task CLI documentation
* addressed code review comments
* fixed example
* docs/nia: Update task delete with async behavior
CTS delete task command is now asynchronous, so updating docs to reflect
this new behavior.
* update create task CLI with new changes from code
* update create task api and cli
- update curl command to include the json header
- update example task names to use 'task_a' to conform with other examples
* docs/nia: Fix hyphens in CTS CLI output
* docs/nia: Add auto-approve option in CLI
* docs/nia: Clarify infrastructure is not destroyed on task deletion
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Kim Ngo <6362111+findkim@users.noreply.github.com>
Co-authored-by: Melissa Kam <mkam@hashicorp.com>
Co-authored-by: Melissa Kam <3768460+mkam@users.noreply.github.com>
Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com>
Co-authored-by: AJ Jwair <aj.jwair@hashicorp.com>
* Separate Annotations and Labels and add service-ignore label
* changes to structure and call out for pod
* add description and TOC
* Update annotations-and-labels.mdx
Co-authored-by: David Yu <dyu@hashicorp.com>
Remove incorrect sidecar port range on docs for built-in proxy.
Updates the bind_port/port fields on the built-in proxy and sidecar
service registration pages to link to the `sidecar_min_port` and
`sidecar_max_port` configuration options for the defined port range.
Fixes#12253
Document the new TLS cipher and version parameters that were added to
ingress gateways in #11576.
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>