Commit graph

2556 commits

Author SHA1 Message Date
Freddy f3ba6a9166
Update force-leave ACL requirement to operator:write (#7033) 2020-01-14 15:40:34 -07:00
Matt Keeler c8294b8595
AuthMethod updates to support alternate namespace logins (#7029) 2020-01-14 10:09:29 -05:00
Matt Keeler baa89c7c65
Intentions ACL enforcement updates (#7028)
* Renamed structs.IntentionWildcard to structs.WildcardSpecifier

* Refactor ACL Config

Get rid of remnants of enterprise only renaming.

Add a WildcardName field for specifying what string should be used to indicate a wildcard.

* Add wildcard support in the ACL package

For read operations they can call anyAllowed to determine if any read access to the given resource would be granted.

For write operations they can call allAllowed to ensure that write access is granted to everything.

* Make v1/agent/connect/authorize namespace aware

* Update intention ACL enforcement

This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior.

Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself.

* Refactor Intention.Apply to make things easier to follow.
2020-01-13 15:51:40 -05:00
danielehc 71eca6330c
added disclaimer about network segments due to Serf limitations (#7004)
* added disclaimer about network segments due to Serf limitations

using work made at https://github.com/hashicorp/consul/pull/6558 by @thepomeranian

* Lowercasing functionality name

* Update website/source/docs/enterprise/network-segments/index.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

Co-authored-by: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2020-01-09 10:41:31 +01:00
danielehc aca0720a0e
Update docs to point to new learn guide (#7003)
* Changed the link to point to new guide
* Removed querystring from link
2020-01-09 10:26:47 +01:00
DevOps Rob 7a4b055f50 Azure MSI for cloud auto-join (#7000)
* Azure MSI documentation

Adding in note about support for Azure MSI authentication method for Cloud auto-join

* fixing text formatting

fixing text formatting

* missing word

missing word - variable

* Update website/source/docs/agent/cloud-auto-join.html.md

Language change to be specific about where the security risk mitigation is concerned

Co-Authored-By: Jack Pearkes <jackpearkes@gmail.com>

Co-authored-by: Jack Pearkes <jackpearkes@gmail.com>
2020-01-08 20:43:45 -05:00
kaitlincarter-hc dcd8153244
updating the ent docs to mention GCP (#7001) 2020-01-07 13:19:34 -08:00
tehmoon 7fead04f2e docs: Fix extraVolumes mount paths in helm.html.md (#7008) 2020-01-07 12:13:09 -08:00
Rémi Lapeyre 6b4050fdbf docs: fix typo in ACL legacy documentation (#7006) 2020-01-07 14:33:56 +01:00
kaitlincarter-hc 21f1e7a1b4
[docs] Managing ACL Policies (#6573)
* New Acl policy guide

* Update website/source/docs/guides/managing-acl-policies.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>

* Update website/source/docs/guides/managing-acl-policies.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>

* Update website/source/docs/guides/managing-acl-policies.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>

* Update website/source/docs/guides/managing-acl-policies.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>

* Update website/source/docs/guides/managing-acl-policies.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>

Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-06 15:44:17 -08:00
kaitlincarter-hc ddaf9e0d44
[docs] New Replication Guide (#5823)
* new replication guide

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* fixing list

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* fixing another list

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* fixing formating

* Updating based on feedback.

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* updating introduction based on feedback

* Update website/source/docs/guides/acl-replication.md

* updating intro based on feedback

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* updating based on feedback

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Additional note about servers

Co-authored-by: R.B. Boyer <public@richardboyer.net>
Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
Co-authored-by: Judith Malnick <judith@hashicorp.com>
2020-01-06 15:35:59 -08:00
kaitlincarter-hc c3f6d8e4cd
New Connect guide for new users (#6749) 2020-01-06 15:17:24 -08:00
Blake Covarrubias 532d6d0d18 Move bootstrapACLs under global key in Helm docs
The global.bootstrapACLs key in the Helm chart docs was inadvertently
moved to a top-level key in commit 12e6ef8, which is incorrect.

This commit reverts that error.
2019-12-21 18:47:42 -08:00
Matt Keeler 9ea83a749b
Revert "Remove docs refs to NS inference from ACL token" (#6976)
This reverts commit 3a8426de9c76e7d8dd2728e4ae78bc4e5e18626a.

# Conflicts:
#	command/flags/http.go
#	website/source/api/acl/binding-rules.html.md
#	website/source/api/acl/policies.html.md
#	website/source/api/acl/roles.html.md
#	website/source/api/acl/tokens.html.md
#	website/source/api/kv.html.md
#	website/source/api/session.html.md
#	website/source/docs/commands/_http_api_namespace_options.html.md
2019-12-20 11:52:50 -05:00
Blake Covarrubias befb914cf6 Add 'kind = connect-proxy' to mesh_gateway.html 2019-12-18 15:35:42 -08:00
Hans Hasselberg 1bf94b01e2
log: handle discard all logfiles properly (#6945)
* Handle discard all logfiles properly

Fixes https://github.com/hashicorp/consul/issues/6892.

The [docs](https://www.consul.io/docs/agent/options.html#_log_rotate_max_files) are stating:

> -log-rotate-max-files - to specify the maximum number of older log
> file archives to keep. Defaults to 0 (no files are ever deleted). Set to
> -1 to disable rotation and discard all log files.

But the `-1` case was not implemented and led to a panic when being
used.

Co-Authored-By: Freddy <freddygv@users.noreply.github.com>
2019-12-18 22:31:22 +01:00
Kyle MacDonald f0befc3b7a
website: embed yt videos on intro pages (#6871)
- website: embed yt videos on intro pages
- for /docs/connect
- for /intro
- css to handle iframe responding at smaller viewports
- Update consul connect video with introductory description. Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
- Update consul connect intro with introductory description. Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2019-12-18 13:54:39 -05:00
Matt Keeler 5c56aab3be
Change how namespaces are specified for the CLI (#6960) 2019-12-18 11:06:39 -05:00
Blake Covarrubias 1818d55fbb Clarify -retry-join can be provided multiple times
Update -retry-join documentation to explicitly state the option can be
specified multiple times. Add corresponding config example showing
multiple join addresses.
2019-12-17 10:25:14 -08:00
Paul Banks ee100e5d48
Fix formatting and add version info (#6926) 2019-12-13 19:55:48 +00:00
Luke Kysow b7bf7d8ed9
Update Helm docs to match repo 2019-12-13 10:15:58 -08:00
ychuzevi f82e704fa3 docs: Fix documentation for kv store create endpoint (#6940) 2019-12-13 09:12:01 -08:00
Luke Kysow f5b9bc2a00
Document that env vars can't be used for config (#6912)
* Document that env vars can't be used for config

Environment variables are not read for config values when starting the
Consul agent. Document this.
2019-12-12 09:31:24 -08:00
Nate Dobbs aad3bf98b0 docs: Fixed typo for 'consul members' link (#6918)
Quick fix on a small typo I noticed while reading the docs on this command.
2019-12-10 20:42:38 -08:00
Mike Morris 0cf75f495e website: add 1.7.0 Beta announcement to Downloads page (#6911)
* website: add 1.7.0 Beta announcement to Downloads page

* Update downloads.html.erb
2019-12-10 17:09:38 -05:00
freddygv 992dfabd82 Fix typos and add expand wildcard ns docs 2019-12-10 14:04:24 -07:00
freddygv 775ea7af6e Remove docs refs to NS inference from ACL token 2019-12-10 13:50:28 -07:00
Matt Keeler 442924c35a
Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
Iryna Shustava 26cf9e2860
Merge pull request #6902 from hashicorp/k8s-auto-join-min-perms
Clarify the minimum permissions required for k8s auto-join
2019-12-06 13:35:15 -08:00
Iryna Shustava e51e5c0901
Clarify minimum perms required for k8s auto-join 2019-12-06 12:57:47 -08:00
Hans Hasselberg 368d5c643f
tls: auto_encrypt and verify_incoming (#6811) (#6899)
* relax requirements for auto_encrypt on server
* better error message when auto_encrypt and verify_incoming on
* docs: explain verify_incoming on Consul clients.
2019-12-06 21:36:13 +01:00
Luke Kysow 70dc714a48
Link directly to reset 2019-12-06 09:38:52 -08:00
Matt Keeler b9996e6bbe
Add Namespace support to the API module and the CLI commands (#6874)
Also update the Docs and fixup the HTTP API to return proper errors when someone attempts to use Namespaces with an OSS agent.

Add Namespace HTTP API docs

Make all API endpoints disallow unknown fields
2019-12-06 11:14:56 -05:00
Blake Covarrubias da34b90ad8 docs: Fix expose path HTTP listener ports
The listener ports specified in the headings for the HTTP and HTTP2
examples do not match the ports in the corresponding service
registration configurations.

This commit changes the port specified in the heading for the HTTP
listener to match the port used in the service registration example.

In addition, the listener_port specified for the HTTP2 listener is
modified to match the port number specified in the heading.
2019-12-05 09:00:52 -08:00
Li Kexian a013020355 add tencentcloud auto join docs (#6818) 2019-12-05 12:36:44 +00:00
Luke Kysow ce149917e4
Reorg helm chart docs
- Remove duplicate install instructions from the Helm Chart page and
kept them in Running Consul
- Renamed Helm Chart to Helm Chart Reference because that's mostly what
it contains (along with some examples)
- Renamed Running Consul to Installing Consul
- Changed instructions to be for installing using Helm 3 and added
  notes if using Helm 2
- Used release name "hashicorp" so subsequent instructions can be more
concise and pastable, e.g. "port forward to svc/hashicorp-consul-server" vs. "port
forward to svc/<your release name>-consul-server"
- Use config.yaml as the name for the override values file since it
differentiates from the default values.yaml file and its the name of the
file used in the helm docs
(https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing)
2019-12-03 17:49:05 -08:00
Chris Piraino 2a95701341
Allow configuration of upstream connection limits in Envoy (#6829)
* Adds 'limits' field to the upstream configuration of a connect proxy

This allows a user to configure the envoy connect proxy with
'max_connections', 'max_queued_requests', and 'max_concurrent_requests'. These
values are defined in the local proxy on a per-service instance basis
and should thus NOT be thought of as a global-level or even service-level value.
2019-12-03 14:13:33 -06:00
Tyler Ryan 3d46c1a3f5 Docs/consul k8s existing pvc (#6872)
Update docs for using pre-existing PVCs with helm
2019-12-03 11:14:25 -08:00
Luke Kysow ea2570a79b
Merge pull request #6855 from hashicorp/opaque-config-examples
Document how to json encode envoy config
2019-12-02 17:55:07 -08:00
Luke Kysow 841361a0f3
Merge pull request #6798 from hashicorp/namespace-selector-docs
Fix documentation for namespaceSelector
2019-12-02 17:54:04 -08:00
Blake Covarrubias 34914cb76c docs: Rename TTL to Timeout in Script/TCP checks
TTL and Interval options were made mutually exclusive in
https://github.com/hashicorp/consul/pull/3560.

Change to Timeout, which is a correct parameter for HTTP, Script, and
TCP checks.

Resolves #6343
2019-12-02 15:40:49 -08:00
Luke Kysow 8e901d7d4a
Fix documentation for namespaceSelector
Also remove the example for using namespace selector because it requires
labelling a namespace which is harder to explain.
2019-12-02 12:25:38 -08:00
Luke Kysow a0b1cd30a1
Document how to json encode envoy config
It wasn't clear how users should encode their config.
2019-11-29 09:43:42 -08:00
Luke Kysow 87d359bb8c
Fix helm docs bug
If the ServiceAccount isn't applied first, we get an error since the Pod
references a non-existing ServiceAccount
2019-11-29 09:17:56 -08:00
Luke Kysow d7a4347307
Merge pull request #6722 from hashicorp/jump-to-section
Add "jump to section" dropdown
2019-11-26 12:20:26 -08:00
Luke Kysow 21d18471a1
Add "jump to section" dropdown 2019-11-26 11:58:23 -08:00
Matt Keeler 90ae4a1f1e
OSS KV Modifications to Support Namespaces 2019-11-25 12:57:35 -05:00
Matt Keeler 68d79142c4
OSS Modifications necessary for sessions namespacing 2019-11-25 12:07:04 -05:00
rerorero e1c79c69c4 docs: Fix links to K8s L7 observability guide (#6834) 2019-11-22 18:51:33 -08:00
Blake Covarrubias 854a4bbd49 docs: Fix links to Sentinel docs for Consul
Current URL returns a 404 error. Correct links to point to the proper
URL.
2019-11-22 10:41:01 -08:00