diff --git a/website/content/api-docs/agent/connect.mdx b/website/content/api-docs/agent/connect.mdx index 68944b404b..c45eae3499 100644 --- a/website/content/api-docs/agent/connect.mdx +++ b/website/content/api-docs/agent/connect.mdx @@ -2,18 +2,18 @@ layout: api page_title: Connect - Agent - HTTP API description: >- - The /agent/connect endpoints interact with Connect with agent-local + The /agent/connect endpoints interact with agent-local service mesh operations. --- # Connect - Agent HTTP API -The `/agent/connect` endpoints interact with [Connect](/consul/docs/connect) -with agent-local operations. +The `/agent/connect` endpoints interact with +with agent-local [service mesh](/consul/docs/connect) operations. -These endpoints may mirror the [non-agent Connect endpoints](/consul/api-docs/connect) -in some cases. Almost all agent-local Connect endpoints perform local caching -to optimize performance of Connect without having to make requests to the server. +These endpoints may mirror the [non-agent service mesh endpoints](/consul/api-docs/connect) +in some cases. Almost all agent-local service mesh endpoints perform local caching +to optimize performance of the mesh without having to make requests to the server. ## Authorize @@ -29,7 +29,7 @@ This endpoint tests whether a connection attempt is authorized between two services. This is the primary API that must be implemented by [proxies](/consul/docs/connect/proxies) or [native integrations](/consul/docs/connect/native) -that wish to integrate with Connect. Prior to calling this API, it is expected +that wish to integrate with the service mesh. Prior to calling this API, it is expected that the client TLS certificate has been properly verified against the current CA roots. @@ -108,7 +108,7 @@ This is used by [proxies](/consul/docs/connect/proxies) or [native integrations](/consul/docs/connect/native) to verify served client or server certificates are valid. -This is equivalent to the [non-Agent Connect endpoint](/consul/api-docs/connect), +This is equivalent to the [non-Agent service mesh endpoint](/consul/api-docs/connect), but the response of this request is cached locally at the agent. This allows for very fast response times and for fail open behavior if the server is unavailable. This endpoint should be used by proxies and native integrations. @@ -248,7 +248,7 @@ $ curl \ ## Methods to Specify Namespace -Local agent connect endpoints +Local agent service mesh endpoints support several methods for specifying the namespace of resources with the following order of precedence: 1. `Namespace` field of the JSON request body - diff --git a/website/content/api-docs/agent/service.mdx b/website/content/api-docs/agent/service.mdx index 38eedad353..acaa2e8d0f 100644 --- a/website/content/api-docs/agent/service.mdx +++ b/website/content/api-docs/agent/service.mdx @@ -130,7 +130,7 @@ following selectors and filter operations being supported: This endpoint was added in Consul 1.3.0 and returns the full service definition for a single service instance registered on the local agent. It is used by -[Connect proxies](/consul/docs/connect/proxies) to discover the embedded proxy +[service mesh proxies](/consul/docs/connect/proxies) to discover the embedded proxy configuration that was registered with the instance. It is important to note that the services known by the agent may be different @@ -632,18 +632,18 @@ The `/agent/service/register` endpoint supports camel case and _snake case_ for - `Kind` `(string: "")` - The kind of service. Defaults to "" which is a typical Consul service. This value may also be "connect-proxy" for - [Connect](/consul/docs/connect) proxies representing another service, - "mesh-gateway" for instances of a [mesh gateway](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration), + [service mesh](/consul/docs/connect) proxies representing another service, + "mesh-gateway" for instances of a [mesh gateway](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration), "terminating-gateway" for instances of a [terminating gateway](/consul/docs/connect/gateways/terminating-gateway), or "ingress-gateway" for instances of a [ingress gateway](/consul/docs/connect/gateways/ingress-gateway). - `Proxy` `(Proxy: nil)` - From 1.2.3 on, specifies the configuration for a - Connect service proxy instance. This is only valid if `Kind` defines a proxy or gateway. + service mesh proxy instance. This is only valid if `Kind` defines a proxy or gateway. See the [Proxy documentation](/consul/docs/connect/registration/service-registration) for full details. - `Connect` `(Connect: nil)` - Specifies the - [configuration for Connect](/consul/docs/connect/configuration). See the + [configuration for service mesh](/consul/docs/connect/configuration). The connect subsystem provides Consul's service mesh capabilities. Refer to the [Connect Structure](#connect-structure) section below for supported fields. - `Check` `(Check: nil)` - Specifies a check. Please see the @@ -689,12 +689,12 @@ The `/agent/service/register` endpoint supports camel case and _snake case_ for For the `Connect` field, the parameters are: - `Native` `(bool: false)` - Specifies whether this service supports - the [Connect](/consul/docs/connect) protocol [natively](/consul/docs/connect/native). - If this is true, then Connect proxies, DNS queries, etc. will be able to + the [Consul service mesh](/consul/docs/connect) protocol [natively](/consul/docs/connect/native). + If this is true, then service mesh proxies, DNS queries, etc. will be able to service discover this service. - `Proxy` `(Proxy: nil)` - [**Deprecated**](/consul/docs/connect/proxies/managed-deprecated) Specifies that - a managed Connect proxy should be started for this service instance, and + a managed service mesh proxy should be started for this service instance, and optionally provides configuration for the proxy. The format is as documented in [Managed Proxy Deprecation](/consul/docs/connect/proxies/managed-deprecated). - `SidecarService` `(ServiceDefinition: nil)` - Specifies an optional nested diff --git a/website/content/api-docs/catalog.mdx b/website/content/api-docs/catalog.mdx index 2b470dd578..c7f715849c 100644 --- a/website/content/api-docs/catalog.mdx +++ b/website/content/api-docs/catalog.mdx @@ -650,9 +650,9 @@ $ curl \ [service registration API](/consul/api-docs/agent/service#kind) for more information. - `ServiceProxy` is the proxy config as specified in - [Connect Proxies](/consul/docs/connect/proxies). + [service mesh Proxies](/consul/docs/connect/proxies). -- `ServiceConnect` are the [Connect](/consul/docs/connect) settings. The +- `ServiceConnect` are the [service mesh](/consul/docs/connect) settings. The value of this struct is equivalent to the `Connect` field for service registration. @@ -704,13 +704,13 @@ following selectors and filter operations being supported: | `TaggedAddresses.` | Equal, Not Equal, In, Not In, Matches, Not Matches | | `TaggedAddresses` | Is Empty, Is Not Empty, In, Not In | -## List Nodes for Connect-capable Service +## List Nodes for Mesh-capable Service This endpoint returns the nodes providing a -[Connect-capable](/consul/docs/connect) service in a given datacenter. +[mesh-capable](/consul/docs/connect) service in a given datacenter. This will include both proxies and native integrations. A service may -register both Connect-capable and incapable services at the same time, -so this endpoint may be used to filter only the Connect-capable endpoints. +register both mesh-capable and incapable services at the same time, +so this endpoint may be used to filter only the mesh-capable endpoints. @include 'http_api_results_filtered_by_acls.mdx' diff --git a/website/content/api-docs/connect/ca.mdx b/website/content/api-docs/connect/ca.mdx index 75a1e2ab91..ad808c13df 100644 --- a/website/content/api-docs/connect/ca.mdx +++ b/website/content/api-docs/connect/ca.mdx @@ -8,7 +8,7 @@ description: |- # Certificate Authority (CA) - Connect HTTP API -The `/connect/ca` endpoints provide tools for interacting with Connect's +The `/connect/ca` endpoints provide tools for interacting with the service mesh's Certificate Authority mechanism. ## List CA Root Certificates @@ -33,7 +33,7 @@ The table below shows this endpoint's support for ### Query Parameters - `pem` `(boolean: false)` - Specifies that the return body should be a PEM encoded - certificate chain suitable for use by applications needing to trust Connect CA + certificate chain suitable for use by applications needing to trust service mesh CA signed certificates. The Content-Type will be set to `application/pem-certificate-chain` to indicate the format of the response. @@ -181,7 +181,7 @@ The corresponding CLI command is [`consul connect ca set-config`](/consul/comman - `Provider` `(string: )` - Specifies the CA provider type to use. - `Config` `(map[string]string: )` - The raw configuration to use - for the chosen provider. For more information on configuring the Connect CA + for the chosen provider. For more information on configuring the service mesh CA providers, see [Provider Config](/consul/docs/connect/ca). - `ForceWithoutCrossSigning` `(bool: false)` - Indicates that the CA change diff --git a/website/content/api-docs/connect/index.mdx b/website/content/api-docs/connect/index.mdx index 3324ec14e7..609a8d4f08 100644 --- a/website/content/api-docs/connect/index.mdx +++ b/website/content/api-docs/connect/index.mdx @@ -2,20 +2,25 @@ layout: api page_title: Connect - HTTP API description: >- - The `/connect` endpoints provide access to Connect-related operations for + The `/connect` endpoints provide access to service mesh-related operations for intentions and the certificate authority. --- # Connect HTTP Endpoint The `/connect` endpoints provide access to -[Connect-related](/consul/docs/connect) operations for +[service mesh-related](/consul/docs/connect) operations for intentions and the certificate authority. -There are also Connect-related endpoints in the +There are also service mesh-related endpoints in the [Agent](/consul/api-docs/agent) and [Catalog](/consul/api-docs/catalog) APIs. For example, the API for requesting a TLS certificate for a service is part of the agent -APIs. And the catalog API has an endpoint for finding all Connect-capable +APIs. And the catalog API has an endpoint for finding all mesh-capable services in the catalog. +The noun _connect_ is used throughout this documentation to refer to the connect +subsystem that provides Consul's service mesh capabilities. +Where you encounter the _noun_ connect, it is usually functionality specific to +service mesh. + Please choose a sub-section in the navigation for more information. diff --git a/website/content/api-docs/connect/intentions.mdx b/website/content/api-docs/connect/intentions.mdx index 1658b16992..cdfeb463cd 100644 --- a/website/content/api-docs/connect/intentions.mdx +++ b/website/content/api-docs/connect/intentions.mdx @@ -672,7 +672,7 @@ $ curl \ ## Methods to Specify Namespace -Connect intention endpoints +Intention endpoints support several methods for specifying the namespace of intention resources with the following order of precedence: 1. `ns` query parameter diff --git a/website/content/api-docs/discovery-chain.mdx b/website/content/api-docs/discovery-chain.mdx index a96f0e89fe..ba222116ec 100644 --- a/website/content/api-docs/discovery-chain.mdx +++ b/website/content/api-docs/discovery-chain.mdx @@ -9,7 +9,7 @@ description: The /discovery-chain endpoints are for interacting with the discove -> **1.6.0+:** The discovery chain API is available in Consul versions 1.6.0 and newer. ~> This is a low-level API primarily targeted at developers building external -[Connect proxy integrations](/consul/docs/connect/proxies/integrate). Future +[service mesh proxy integrations](/consul/docs/connect/proxies/integrate). Future high-level proxy integration APIs may obviate the need for this API over time. The `/discovery-chain` endpoint returns the compiled [discovery @@ -17,7 +17,7 @@ chain](/consul/docs/connect/l7-traffic/discovery-chain) for a service. This will fetch all related [configuration entries](/consul/docs/agent/config-entries) and render them into a form suitable -for use by a [connect proxy](/consul/docs/connect/proxies) implementation. This +for use by a [service mesh proxy](/consul/docs/connect/proxies) implementation. This is a key component of [L7 Traffic Management](/consul/docs/connect/l7-traffic). diff --git a/website/content/api-docs/health.mdx b/website/content/api-docs/health.mdx index 645381a209..cb8ef9f4ea 100644 --- a/website/content/api-docs/health.mdx +++ b/website/content/api-docs/health.mdx @@ -410,13 +410,13 @@ following selectors and filter operations being supported: | `Service.Weights.Passing` | Equal, Not Equal | | `Service.Weights.Warning` | Equal, Not Equal | -## List Service Instances for Connect-enabled Service +## List Service Instances for Mesh-enabled Service This endpoint returns the service instances providing a -[Connect-capable](/consul/docs/connect) service in a given datacenter. +[mesh-capable](/consul/docs/connect) service in a given datacenter. This will include both proxies and native integrations. A service may -register both Connect-capable and incapable services at the same time, -so this endpoint may be used to filter only the Connect-capable endpoints. +register both mesh-capable and incapable services at the same time, +so this endpoint may be used to filter only the mesh-capable endpoints. @include 'http_api_results_filtered_by_acls.mdx' diff --git a/website/content/api-docs/operator/usage.mdx b/website/content/api-docs/operator/usage.mdx index 75298e32b2..b1dc75c39e 100644 --- a/website/content/api-docs/operator/usage.mdx +++ b/website/content/api-docs/operator/usage.mdx @@ -3,14 +3,14 @@ layout: api page_title: Usage - Operator - HTTP API description: |- The /operator/usage endpoint returns usage information about the number of - services, service instances and Connect-enabled service instances by + services, service instances and mesh-enabled service instances by datacenter. --- # Usage Operator HTTP API The `/operator/usage` endpoint returns usage information about the number of -services, service instances and Connect-enabled service instances by datacenter. +services, service instances and mesh-enabled service instances by datacenter. | Method | Path | Produces | | ------ | ----------------- | ------------------ | @@ -142,12 +142,12 @@ $ curl \ - `ServiceInstances` is the total number of service instances registered in the datacenter. -- `ConnectServiceInstances` is the total number of Connect service instances +- `ConnectServiceInstances` is the total number of mesh service instances registered in the datacenter. - `BillableServiceInstances` is the total number of billable service instances registered in the datacenter. This is only relevant in Consul Enterprise - and is the total service instance count, not including any Connect service + and is the total service instance count, not including any mesh service instances or any Consul server instances. - `PartitionNamespaceServices` is the total number @@ -163,5 +163,5 @@ $ curl \ by partition and namespace. - `PartitionNamespaceConnectServiceInstances` is - the total number of Connect service instances registered in the datacenter, + the total number of mesh service instances registered in the datacenter, by partition and namespace. diff --git a/website/content/api-docs/query.mdx b/website/content/api-docs/query.mdx index 3a46b383d4..f8c71bfb06 100644 --- a/website/content/api-docs/query.mdx +++ b/website/content/api-docs/query.mdx @@ -266,12 +266,12 @@ The table below shows this endpoint's support for key/value pairs that will be used for filtering the query results to services with the given metadata values present. -* `Connect` `(bool: false)` - If true, only [Connect-capable](/consul/docs/connect) services +* `Connect` `(bool: false)` - If true, only [mesh-capable](/consul/docs/connect) services for the specified service name will be returned. This includes both natively integrated services and proxies. For proxies, the proxy name may not match `Service`, because the proxy destination will. Any - constrains beyond the service name such as `Near`, `Tags`, and `NodeMeta` - are applied to Connect-capable service. + constraints beyond the service name such as `Near`, `Tags`, and `NodeMeta` + are applied to mesh-capable service. * `DNS` `(DNS: nil)` - Specifies DNS configuration @@ -550,8 +550,8 @@ be used. This is applied after any sorting or shuffling. - `connect` `(bool: false)` - If true, limit results to nodes that are - Connect-capable only. This parameter can also be specified directly on the template - itself to force all executions of a query to be Connect-only. See the + mesh-capable only. This parameter can also be specified directly on the template + itself to force all executions of a query to be mesh-only. See the template documentation for more information. ### Sample Request diff --git a/website/content/commands/config/write.mdx b/website/content/commands/config/write.mdx index 24e17aa34a..bb98d8e498 100644 --- a/website/content/commands/config/write.mdx +++ b/website/content/commands/config/write.mdx @@ -79,8 +79,9 @@ supported config entries. #### Service defaults -Service defaults control default global values for a service, such as the -protocol and Connect fields. +Service defaults control default global values for a service in the service mesh. +For example, the following configuration defines that all instances of the `web` +service use the `http` protocol. ```json { @@ -90,33 +91,23 @@ protocol and Connect fields. } ``` -- `Name` - Sets the name of the config entry. For service defaults, this must be - the name of the service being configured. - -- `Protocol` - Sets the protocol of the service. This is used by Connect proxies - for things like observability features. - -- `Connect` - This block contains Connect-related fields for the service. - - - `SidecarProxy` - Sets whether or not instances of this service should get a - sidecar proxy by default. +For more information, refer to the [service defaults configuration reference](/consul/docs/connect/config-entries/service-defaults). #### Proxy defaults -Proxy defaults allow for configuring global config defaults across all services -for Connect proxy config. Currently, only one global entry is supported. +Proxy defaults lets you configure global config defaults across all proxies +in the service mesh. Currently, it supports only one global entry. +For example, the following configuration overrides a default timeout for all +Envoy proxies. ```json { "Kind": "proxy-defaults", "Name": "global", "Config": { - "foo": 1 + "local_idle_timeout_ms": 20000 } } ``` -- `Name` - Sets the name of the config entry. Currently, only a single `proxy-defaults` - entry with the name `global` is supported. - -* `Config` - An arbitrary map of configuration values used by Connect proxies. +For more information, refer to the [proxy defaults configuration reference](/consul/docs/connect/config-entries/proxy-defaults). diff --git a/website/content/commands/connect/ca.mdx b/website/content/commands/connect/ca.mdx index 17a76a6222..350d18e6d3 100644 --- a/website/content/commands/connect/ca.mdx +++ b/website/content/commands/connect/ca.mdx @@ -10,14 +10,15 @@ description: > Command: `consul connect ca` -The CA connect command is used to interact with Consul Connect's Certificate Authority -subsystem. The command can be used to view or modify the current CA configuration. See the -[Connect CA documentation](/consul/docs/connect/ca) for more information. +This command is used to interact with Consul service mesh's Certificate Authority +managed by the connect subsystem. +It can be used to view or modify the current CA configuration. Refer to the +[service mesh CA documentation](/consul/docs/connect/ca) for more information. ```text Usage: consul connect ca [options] [args] - This command has subcommands for interacting with Consul Connect's + This command has subcommands for interacting with Consul service mesh's Certificate Authority (CA). Here are some simple examples, and more detailed examples are available @@ -34,8 +35,8 @@ Usage: consul connect ca [options] [args] For more examples, ask for subcommand help or view the documentation. Subcommands: - get-config Display the current Connect Certificate Authority (CA) configuration - set-config Modify the current Connect CA configuration + get-config Display the current service mesh Certificate Authority (CA) configuration + set-config Modify the current service mesh CA configuration ``` ## get-config diff --git a/website/content/commands/connect/envoy.mdx b/website/content/commands/connect/envoy.mdx index c9e0ffb2e9..8d60e69965 100644 --- a/website/content/commands/connect/envoy.mdx +++ b/website/content/commands/connect/envoy.mdx @@ -11,7 +11,7 @@ Command: `consul connect envoy` The connect Envoy command is used to generate a bootstrap configuration for [Envoy proxy](https://envoyproxy.io) for use with [Consul -Connect](/consul/docs/connect/). +service mesh](/consul/docs/connect/). Refer to the [examples](#examples) for guidance on common use cases, such as [launching a service instance's sidecar proxy diff --git a/website/content/commands/connect/expose.mdx b/website/content/commands/connect/expose.mdx index 97ca3910fc..79be1e0e60 100644 --- a/website/content/commands/connect/expose.mdx +++ b/website/content/commands/connect/expose.mdx @@ -2,7 +2,7 @@ layout: commands page_title: 'Commands: Connect Expose' description: > - The connect expose subcommand is used to expose a Connect-enabled service + The connect expose subcommand is used to expose a mesh-enabled service through an Ingress gateway by modifying the gateway's configuration and adding an intention to allow traffic from the gateway to the service. --- @@ -11,7 +11,7 @@ description: > Command: `consul connect expose` -The connect expose subcommand is used to expose a Connect-enabled service +The connect expose subcommand is used to expose a mesh-enabled service through an Ingress gateway by modifying the gateway's configuration and adding an intention to allow traffic from the gateway to the service. See the [Ingress gateway documentation](/consul/docs/connect/gateways/ingress-gateway) for more information @@ -20,7 +20,7 @@ about Ingress gateways. ```text Usage: consul connect expose [options] - Exposes a Connect-enabled service through the given ingress gateway, using the + Exposes a mesh-enabled service through the given ingress gateway, using the given protocol and port. ``` diff --git a/website/content/commands/connect/index.mdx b/website/content/commands/connect/index.mdx index b390f18993..8ebf11a7be 100644 --- a/website/content/commands/connect/index.mdx +++ b/website/content/commands/connect/index.mdx @@ -9,10 +9,10 @@ description: >- Command: `consul connect` -The `connect` command is used to interact with Consul -[service mesh](/consul/docs/connect) subsystems. It exposes commands for -running the built-in mTLS proxy and viewing/updating the Certificate Authority -(CA) configuration. This command is available in Consul 1.2 and later. +The `connect` command is used to interact with the connect subsystem +that provides Consul's [service mesh](/consul/docs/connect) capabilities. +It exposes commands for running service mesh proxies and +for viewing/updating the service mesh Certificate Authority (CA) configuration. ## Usage @@ -24,22 +24,22 @@ the complete list of subcommands. ```text Usage: consul connect [options] [args] - This command has subcommands for interacting with Consul Connect. + This command has subcommands for interacting with Consul service mesh. Here are some simple examples, and more detailed examples are available in the subcommands or the documentation. - Run the built-in Connect mTLS proxy + Run the production service mesh proxy - $ consul connect proxy + $ consul connect envoy For more examples, ask for subcommand help or view the documentation. Subcommands: - ca Interact with the Consul Connect Certificate Authority (CA) - envoy Runs or Configures Envoy as a Connect proxy - expose Expose a Connect-enabled service through an Ingress gateway - proxy Runs a Consul Connect proxy + ca Interact with the Consul service mesh Certificate Authority (CA) + envoy Runs or configures Envoy as a service mesh proxy + expose Expose a mesh-enabled service through an Ingress gateway + proxy Runs a non-production, built-in service mesh sidecar proxy redirect-traffic Applies iptables rules for traffic redirection ``` diff --git a/website/content/commands/connect/proxy.mdx b/website/content/commands/connect/proxy.mdx index 2bdfb2a9a2..db3192dbee 100644 --- a/website/content/commands/connect/proxy.mdx +++ b/website/content/commands/connect/proxy.mdx @@ -3,7 +3,7 @@ layout: commands page_title: 'Commands: Connect Proxy' description: > The connect proxy subcommand is used to run the built-in mTLS proxy for - Connect. + Consul service mesh. --- # Consul Connect Proxy @@ -11,9 +11,9 @@ description: > Command: `consul connect proxy` The connect proxy command is used to run Consul's built-in mTLS proxy for -use with Connect. This can be used in production to enable a Connect-unaware -application to accept and establish Connect-based connections. This proxy -can also be used in development to connect to Connect-enabled services. +use with Consul service mesh. This can be used in production to enable a mesh-unaware +application to accept and establish mesh-based connections. This proxy +can also be used in development to connect to mesh-enabled services. ## Usage @@ -49,7 +49,7 @@ Usage: `consul connect proxy [options]` - `-upstream` - Upstream service to support connecting to. The format should be 'name:addr', such as 'db:8181'. This will make 'db' available on port 8181. When a regular TCP connection is made to port 8181, the proxy will service - discover "db" and establish a Connect mTLS connection identifying as + discover "db" and establish a Consul service mesh mTLS connection identifying as the `-service` value. This flag can be repeated multiple times. - `-listen` - Address to listen for inbound connections to the proxied service. @@ -60,7 +60,7 @@ Usage: `consul connect proxy [options]` `-listen`. - `-register` - Self-register with the local Consul agent, making this - proxy available as Connect-capable service in the catalog. This is only + proxy available as mesh-capable service in the catalog. This is only useful with `-listen`. - `-register-id` - Optional ID suffix for the service when `-register` is set to diff --git a/website/content/commands/connect/redirect-traffic.mdx b/website/content/commands/connect/redirect-traffic.mdx index ded81c4a94..44decfef40 100644 --- a/website/content/commands/connect/redirect-traffic.mdx +++ b/website/content/commands/connect/redirect-traffic.mdx @@ -13,7 +13,7 @@ Command: `consul connect redirect-traffic` The connect redirect-traffic command is used to apply traffic redirection rules to enforce all traffic to go through the [Envoy proxy](https://envoyproxy.io) when using [Consul -Service Mesh](/consul/docs/connect/) in the Transparent Proxy mode. +service mesh](/consul/docs/connect/) in the Transparent Proxy mode. This command requires `iptables` command line utility to be installed, and as a result, this command can currently only run on linux. diff --git a/website/content/commands/index.mdx b/website/content/commands/index.mdx index 415fc551d3..a3e5008110 100644 --- a/website/content/commands/index.mdx +++ b/website/content/commands/index.mdx @@ -31,13 +31,13 @@ Available commands are: acl Interact with Consul's ACLs agent Runs a Consul agent catalog Interact with the catalog - connect Interact with Consul Connect + connect Interact with service mesh functionality debug Records a debugging archive for operators event Fire a new event exec Executes a command on Consul nodes force-leave Forces a member of the cluster to enter the "left" state info Provides debugging information for operators. - intention Interact with Connect service intentions + intention Interact with service mesh intentions join Tell Consul agent to join cluster keygen Generates a new encryption key keyring Manages gossip layer encryption keys diff --git a/website/content/commands/intention/index.mdx b/website/content/commands/intention/index.mdx index d3e4fc56c4..f7ea711a27 100644 --- a/website/content/commands/intention/index.mdx +++ b/website/content/commands/intention/index.mdx @@ -9,7 +9,7 @@ description: >- Command: `consul intention` -The `intention` command is used to interact with Connect +The `intention` command is used to interact with service mesh [intentions](/consul/docs/connect/intentions). It exposes commands for creating, updating, reading, deleting, checking, and managing intentions. This command is available in Consul 1.2 and later. diff --git a/website/content/commands/operator/usage.mdx b/website/content/commands/operator/usage.mdx index b0d7d03db2..56d3648626 100644 --- a/website/content/commands/operator/usage.mdx +++ b/website/content/commands/operator/usage.mdx @@ -97,4 +97,4 @@ Total 3 - `-billable` - Display only billable service information. Default is `false`. -- `-connect` - Display only Connect service information. Default is `false`. +- `-connect` - Display only Consul service mesh component information. Default is `false`. diff --git a/website/content/docs/agent/config/cli-flags.mdx b/website/content/docs/agent/config/cli-flags.mdx index 863b05f2c6..82d44d0252 100644 --- a/website/content/docs/agent/config/cli-flags.mdx +++ b/website/content/docs/agent/config/cli-flags.mdx @@ -82,7 +82,7 @@ information. - `-dev` ((#\_dev)) - Enable development server mode. This is useful for quickly starting a Consul agent with all persistence options turned off, enabling an in-memory server which can be used for rapid prototyping or developing against - the API. In this mode, [Connect is enabled](/consul/docs/connect/configuration) and + the API. In this mode, [service mesh is enabled](/consul/docs/connect/configuration) and will by default create a new root CA certificate on startup. This mode is **not** intended for production use as it does not write any data to disk. The gRPC port is also defaulted to `8502` in this mode. diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/agent/config/config-files.mdx index 4ba7ba5431..e13cd6b4e3 100644 --- a/website/content/docs/agent/config/config-files.mdx +++ b/website/content/docs/agent/config/config-files.mdx @@ -245,8 +245,8 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati The initial RPC uses a JWT specified with either `intro_token`, `intro_token_file` or the `CONSUL_INTRO_TOKEN` environment variable to authorize the request. How the JWT token is verified is controlled by the `auto_config.authorizer` - object available for use on Consul servers. Enabling this option also turns - on Connect because it is vital for `auto_config`, more specifically the CA + object available for use on Consul servers. Enabling this option also enables + service mesh because it is vital for `auto_config`, more specifically the service mesh CA and certificates infrastructure. ~> **Warning:** Enabling `auto_config` conflicts with the [`auto_encrypt.tls`](#tls) feature. @@ -651,7 +651,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `primary_datacenter` - This designates the datacenter which is authoritative for ACL information, intentions and is the root Certificate - Authority for Connect. It must be provided to enable ACLs. All servers and datacenters + Authority for service mesh. It must be provided to enable ACLs. All servers and datacenters must agree on the primary datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients, it must be set on them too. In Consul 0.8 and later, this also enables agent-level @@ -946,7 +946,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `replication` ((#acl_tokens_replication)) - The ACL token used to authorize secondary datacenters with the primary datacenter for replication - operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when ACLs are enabled. This token may be provided later using the [agent token API](/consul/api-docs/agent#update-acl-tokens) on each server. This token must have at least "read" permissions on ACL data but if ACL token replication is enabled then it must have "write" permissions. This also enables Connect replication, for which the token will require both operator "write" and intention "read" permissions for replicating CA and Intention data. + operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when ACLs are enabled. This token may be provided later using the [agent token API](/consul/api-docs/agent#update-acl-tokens) on each server. This token must have at least "read" permissions on ACL data but if ACL token replication is enabled then it must have "write" permissions. This also enables service mesh data replication, for which the token will require both operator "write" and intention "read" permissions for replicating CA and Intention data. ~> **Warning:** When enabling ACL token replication on the secondary datacenter, policies and roles already present in the secondary datacenter will be lost. For @@ -1088,7 +1088,10 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `bootstrap_expect` Equivalent to the [`-bootstrap-expect` command-line flag](/consul/docs/agent/config/cli-flags#_bootstrap_expect). -## Connect Parameters +## Service Mesh Parameters ((#connect-parameters)) + +The noun _connect_ is used throughout this documentation to refer to the connect +subsystem that provides Consul's service mesh capabilities. - `connect` This object allows setting options for the Connect feature. @@ -1096,14 +1099,14 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `enabled` ((#connect_enabled)) (Defaults to `true`) Controls whether Connect features are enabled on this agent. Should be enabled on all servers in the cluster - in order for Connect to function properly. + in order for service mesh to function properly. Will be set to `true` automatically if `auto_config.enabled` or `auto_encrypt.allow_tls` is `true`. - `enable_mesh_gateway_wan_federation` ((#connect_enable_mesh_gateway_wan_federation)) (Defaults to `false`) Controls whether cross-datacenter federation traffic between servers is funneled through mesh gateways. This was added in Consul 1.8.0. - `ca_provider` ((#connect_ca_provider)) Controls which CA provider to - use for Connect's CA. Currently only the `aws-pca`, `consul`, and `vault` providers are supported. + use for the service mesh's CA. Currently only the `aws-pca`, `consul`, and `vault` providers are supported. This is only used when initially bootstrapping the cluster. For an existing cluster, use the [Update CA Configuration Endpoint](/consul/api-docs/connect/ca#update-ca-configuration). @@ -1140,13 +1143,13 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `root_pki_path` ((#vault_ca_root_pki)) The path to use for the root CA pki backend in Vault. This can be an existing backend with a CA already - configured, or a blank/unmounted backend in which case Connect will automatically + configured, or a blank/unmounted backend in which case Consul will automatically mount/generate the CA. The Vault token given above must have `sudo` access to this backend, as well as permission to mount the backend at this path if it is not already mounted. - `intermediate_pki_path` ((#vault_ca_intermediate_pki)) - The path to use for the temporary intermediate CA pki backend in Vault. **Connect + The path to use for the temporary intermediate CA pki backend in Vault. **Consul will overwrite any data at this path in order to generate a temporary intermediate CA**. The Vault token given above must have `write` access to this backend, as well as permission to mount the backend at this path if it is not already @@ -1391,14 +1394,14 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `allow_tls` (Defaults to `false`) This option enables `auto_encrypt` on the servers and allows them to automatically distribute certificates - from the Connect CA to the clients. If enabled, the server can accept incoming - connections from both the built-in CA and the Connect CA, as well as their certificates. + from the service mesh CA to the clients. If enabled, the server can accept incoming + connections from both the built-in CA and the service mesh CA, as well as their certificates. Note, the server will only present the built-in CA and certificate, which the client can verify using the CA it received from `auto_encrypt` endpoint. If disabled, a client configured with `auto_encrypt.tls` will be unable to start. - `tls` (Defaults to `false`) Allows the client to request the - Connect CA and certificates from the servers, for encrypting RPC communication. + service mesh CA and certificates from the servers, for encrypting RPC communication. The client will make the request to any servers listed in the `-retry-join` option. This requires that every server to have `auto_encrypt.allow_tls` enabled. When both `auto_encrypt` options are used, it allows clients to receive certificates @@ -2186,7 +2189,7 @@ specially crafted certificate signed by the CA can be used to gain full access t ~> **Security Note:** `verify_server_hostname` *must* be set to true to prevent a compromised client from gaining full read and write access to all cluster - data *including all ACL tokens and Connect CA root keys*. + data *including all ACL tokens and service mesh CA root keys*. - `server_name` When provided, this overrides the [`node_name`](#_node) for the TLS certificate. It can be used to ensure that the certificate name matches diff --git a/website/content/docs/agent/index.mdx b/website/content/docs/agent/index.mdx index 7d06a6b599..ec68e0a1ce 100644 --- a/website/content/docs/agent/index.mdx +++ b/website/content/docs/agent/index.mdx @@ -201,7 +201,7 @@ The following settings are commonly used in the configuration file (also called ### Server node in a service mesh The following example configuration is for a server agent named "`consul-server`". The server is [bootstrapped](/consul/docs/agent/config/cli-flags#_bootstrap) and the Consul GUI is enabled. -The reason this server agent is configured for a service mesh is that the `connect` configuration is enabled. Connect is Consul's service mesh component that provides service-to-service connection authorization and encryption using mutual Transport Layer Security (TLS). Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections without being aware of Connect at all. See [Connect](/consul/docs/connect) for details. +The reason this server agent is configured for a service mesh is that the `connect` configuration is enabled. The connect subsystem provides Consul's service mesh capabilities, including service-to-service connection authorization and encryption using mutual Transport Layer Security (TLS). Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections without being aware of Consul service mesh at all. Refer to [Consul Service Mesh](/consul/docs/connect) for details. diff --git a/website/content/docs/agent/telemetry.mdx b/website/content/docs/agent/telemetry.mdx index 7e5e208a66..27626d9be8 100644 --- a/website/content/docs/agent/telemetry.mdx +++ b/website/content/docs/agent/telemetry.mdx @@ -413,7 +413,7 @@ This is a full list of metrics emitted by Consul. | `consul.state.services` | Measures the current number of unique services registered with Consul, based on service name. It is only emitted by Consul servers. Added in v1.9.0. | number of objects | gauge | | `consul.state.service_instances` | Measures the current number of unique service instances registered with Consul. It is only emitted by Consul servers. Added in v1.9.0. | number of objects | gauge | | `consul.state.kv_entries` | Measures the current number of entries in the Consul KV store. It is only emitted by Consul servers. Added in v1.10.3. | number of objects | gauge | -| `consul.state.connect_instances` | Measures the current number of unique connect service instances registered with Consul labeled by Kind (e.g. connect-proxy, connect-native, etc). Added in v1.10.4 | number of objects | gauge | +| `consul.state.connect_instances` | Measures the current number of unique mesh service instances registered with Consul labeled by Kind (e.g. connect-proxy, connect-native, etc). Added in v1.10.4 | number of objects | gauge | | `consul.state.config_entries` | Measures the current number of configuration entries registered with Consul labeled by Kind (e.g. service-defaults, proxy-defaults, etc). See [Configuration Entries](/consul/docs/connect/config-entries) for more information. Added in v1.10.4 | number of objects | gauge | | `consul.members.clients` | Measures the current number of client agents registered with Consul. It is only emitted by Consul servers. Added in v1.9.6. | number of clients | gauge | | `consul.members.servers` | Measures the current number of server agents registered with Consul. It is only emitted by Consul servers. Added in v1.9.6. | number of servers | gauge | @@ -687,14 +687,14 @@ are allowed for . | `consul.catalog.service.query-tag` | Increments for each catalog query for the given service with the given tag. | queries | counter | | `consul.catalog.service.query-tags` | Increments for each catalog query for the given service with the given tags. | queries | counter | | `consul.catalog.service.not-found` | Increments for each catalog query where the given service could not be found. | queries | counter | -| `consul.catalog.connect.query` | Increments for each connect-based catalog query for the given service. | queries | counter | -| `consul.catalog.connect.query-tag` | Increments for each connect-based catalog query for the given service with the given tag. | queries | counter | -| `consul.catalog.connect.query-tags` | Increments for each connect-based catalog query for the given service with the given tags. | queries | counter | -| `consul.catalog.connect.not-found` | Increments for each connect-based catalog query where the given service could not be found. | queries | counter | +| `consul.catalog.connect.query` | Increments for each mesh-based catalog query for the given service. | queries | counter | +| `consul.catalog.connect.query-tag` | Increments for each mesh-based catalog query for the given service with the given tag. | queries | counter | +| `consul.catalog.connect.query-tags` | Increments for each mesh-based catalog query for the given service with the given tags. | queries | counter | +| `consul.catalog.connect.not-found` | Increments for each mesh-based catalog query where the given service could not be found. | queries | counter | -## Connect Built-in Proxy Metrics +## Service Mesh Built-in Proxy Metrics -Consul Connect's built-in proxy is by default configured to log metrics to the +Consul service mesh's built-in proxy is by default configured to log metrics to the same sink as the agent that starts it. When running in this mode it emits some basic metrics. These will be expanded diff --git a/website/content/docs/architecture/scale.mdx b/website/content/docs/architecture/scale.mdx index da2031fd95..1cf31162da 100644 --- a/website/content/docs/architecture/scale.mdx +++ b/website/content/docs/architecture/scale.mdx @@ -257,7 +257,7 @@ Consul ESM enables health checks and monitoring for external services. When usin Because Consul’s service mesh uses service discovery subsystems, service mesh performance is also optimized by deploying multiple small clusters with consistent numbers of service instances and watches. Service mesh performance is influenced by the following additional factors: - The [transparent proxy](/consul/docs/connect/transparent-proxy) feature causes client agents to listen for service instance updates across all services instead of a subset. To prevent performance issues, we recommend that you do not use the permissive intention, `default: allow`, with the transparent proxy feature. When combined, every service instance update propagates to every proxy, which causes additional server load. -- When you use the [built in CA provider](/consul/docs/connect/ca/consul#built-in-ca), Consul leaders are responsible for signing certificates used for mTLS across the service mesh. The impact on CPU utilization depends on the total number of service instances and configured certificate TTLs. You can use the [CA provider configuration options](/consul/docs/agent/config/config-files#common-ca-config-options) to control the number of requests a server processes. We recommend adjusting [`csr_max_concurrent`](/consul/docs/agent/config/config-files#ca_csr_max_concurrent) and [`csr_max_per_second`](/consul/docs/agent/config/config-files#ca_csr_max_concurrent) to suit your environment. +- When you use the [built-in service mesh CA provider](/consul/docs/connect/ca/consul#built-in-ca), Consul leaders are responsible for signing certificates used for mTLS across the service mesh. The impact on CPU utilization depends on the total number of service instances and configured certificate TTLs. You can use the [CA provider configuration options](/consul/docs/agent/config/config-files#common-ca-config-options) to control the number of requests a server processes. We recommend adjusting [`csr_max_concurrent`](/consul/docs/agent/config/config-files#ca_csr_max_concurrent) and [`csr_max_per_second`](/consul/docs/agent/config/config-files#ca_csr_max_concurrent) to suit your environment. ### K/V store diff --git a/website/content/docs/connect/ca/aws.mdx b/website/content/docs/connect/ca/aws.mdx index e10a8f5cfa..cac5cb46e6 100644 --- a/website/content/docs/connect/ca/aws.mdx +++ b/website/content/docs/connect/ca/aws.mdx @@ -49,7 +49,7 @@ optional configuration value. Example configurations are shown below: - + @@ -116,7 +116,7 @@ ACM Private CA has several that restrict how fast certificates can be issued. This may impact how quickly large clusters can rotate all issued certificates. -Currently, the ACM Private CA provider for Connect has some additional +Currently, the ACM Private CA provider for service mesh has some additional limitations described below. ### Unable to Cross-sign Other CAs @@ -150,7 +150,7 @@ CA](https://aws.amazon.com/certificate-manager/pricing/) for actual cost information. Assume the following Consul datacenters exist and are configured to use ACM -Private CA as their Connect CA with the default leaf certificate lifetime of +Private CA as their service mesh CA with the default leaf certificate lifetime of 72 hours: | Datacenter | Primary | CA Resource Created | Number of service instances | diff --git a/website/content/docs/connect/ca/consul.mdx b/website/content/docs/connect/ca/consul.mdx index 23d7f2ab4d..8d36c00121 100644 --- a/website/content/docs/connect/ca/consul.mdx +++ b/website/content/docs/connect/ca/consul.mdx @@ -7,12 +7,12 @@ description: >- # Built-In Certificate Authority for Service Mesh -Consul ships with a built-in CA system so that Connect can be +Consul ships with a built-in CA system so that service mesh can be easily enabled out of the box. The built-in CA generates and stores the root certificate and private key on Consul servers. It can also be configured with a custom certificate and private key if needed. -If Connect is enabled and no CA provider is specified, the built-in +If service mesh is enabled and no CA provider is specified, the built-in CA is the default provider used. The provider can be [updated and rotated](/consul/docs/connect/ca#root-certificate-rotation) at any point to migrate to a new provider. @@ -24,7 +24,7 @@ CA providers. ## Configuration -The built-in CA provider has no required configuration. Enabling Connect +The built-in CA provider has no required configuration. Enabling service mesh alone will configure the built-in CA provider, and will automatically generate a root certificate and private key: @@ -84,8 +84,8 @@ $ curl localhost:8500/v1/connect/ca/configuration } ``` -This is the default Connect CA configuration if nothing is explicitly set when -Connect is enabled - the PrivateKey and RootCert fields have not been set, so those have +This is the default service mesh CA configuration if nothing is explicitly set when +service mesh is enabled - the PrivateKey and RootCert fields have not been set, so those have been generated (as seen above in the roots list). There are two ways to have the Consul CA use a custom private key and root certificate: diff --git a/website/content/docs/connect/ca/index.mdx b/website/content/docs/connect/ca/index.mdx index 03502a7395..13cc56c72d 100644 --- a/website/content/docs/connect/ca/index.mdx +++ b/website/content/docs/connect/ca/index.mdx @@ -7,8 +7,8 @@ description: >- # Service Mesh Certificate Authority Overview -Certificate management in Connect is done centrally through the Consul -servers using the configured CA (Certificate Authority) provider. A CA provider +Service mesh certificate management is done centrally through the Consul +servers using the configured service mesh CA (Certificate Authority) provider. A CA provider manages root and intermediate certificates and performs certificate signing operations. The Consul leader orchestrates CA provider operations as necessary, such as when a service needs a new certificate or during CA rotation events. @@ -42,7 +42,7 @@ datacenter. CA initialization happens automatically when a new Consul leader is elected as long as -[Connect is enabled](/consul/docs/connect/configuration#agent-configuration), +[service mesh is enabled](/consul/docs/connect/configuration#agent-configuration), and the CA system has not already been initialized. This initialization process will generate the initial root certificates and setup the internal Consul server state. @@ -55,7 +55,7 @@ If a CA is already initialized, any changes to the CA configuration in the agent configuration file (including removing the configuration completely) will have no effect. -If no specific provider is configured when Connect is enabled, the built-in +If no specific provider is configured when service mesh is enabled, the built-in Consul CA provider will be used and a private key and root certificate will be generated automatically. @@ -133,7 +133,7 @@ Cross-Signing](#forced-rotation-without-cross-signing). This also automatically occurs when a completely different CA provider is configured (since this changes the root key). Therefore, this automatic rotation process can also be used to cleanly transition between CA providers. For example, -updating Connect to use Vault instead of the built-in CA. +updating the service mesh to use Vault instead of the built-in CA. During rotation, an intermediate CA certificate is requested from the new root, which is then cross-signed by the old root. This cross-signed certificate is diff --git a/website/content/docs/connect/ca/vault.mdx b/website/content/docs/connect/ca/vault.mdx index 708e3e8dd2..ce35744e92 100644 --- a/website/content/docs/connect/ca/vault.mdx +++ b/website/content/docs/connect/ca/vault.mdx @@ -19,7 +19,7 @@ This page describes how configure the Vault CA provider. - Vault 0.10.3 to 1.10.x. -~> **Compatibility note:** If you use Vault 1.11.0+ as Consul's Connect CA, versions of Consul released before Dec 13, 2022 will develop an issue with Consul control plane or service mesh communication ([GH-15525](https://github.com/hashicorp/consul/pull/15525)). Use or upgrade to a [Consul version that includes the fix](https://support.hashicorp.com/hc/en-us/articles/11308460105491#01GMC24E6PPGXMRX8DMT4HZYTW) to avoid this problem. +~> **Compatibility note:** If you use Vault 1.11.0+ as Consul's service mesh CA, versions of Consul released before Dec 13, 2022 will develop an issue with Consul control plane or service mesh communication ([GH-15525](https://github.com/hashicorp/consul/pull/15525)). Use or upgrade to a [Consul version that includes the fix](https://support.hashicorp.com/hc/en-us/articles/11308460105491#01GMC24E6PPGXMRX8DMT4HZYTW) to avoid this problem. ## Enable Vault as the CA @@ -32,7 +32,7 @@ Refer to the [Configuration Reference](#configuration-reference) for details abo The following example shows the required configurations for a default implementation: - + diff --git a/website/content/docs/connect/config-entries/index.mdx b/website/content/docs/connect/config-entries/index.mdx index 6d29a27cc3..de5acd1bce 100644 --- a/website/content/docs/connect/config-entries/index.mdx +++ b/website/content/docs/connect/config-entries/index.mdx @@ -7,7 +7,7 @@ description: >- # Configuration Entry Overview -Configuration entries can be used to configure the behavior of Consul Connect. +Configuration entries can be used to configure the behavior of Consul service mesh. The following configuration entries are supported: diff --git a/website/content/docs/connect/config-entries/mesh.mdx b/website/content/docs/connect/config-entries/mesh.mdx index 7900a8104a..f65ed61622 100644 --- a/website/content/docs/connect/config-entries/mesh.mdx +++ b/website/content/docs/connect/config-entries/mesh.mdx @@ -333,7 +333,7 @@ Note that the Kubernetes example does not include a `partition` field. Configura type: 'bool: false', description: `Determines whether sidecar proxies operating in transparent mode can proxy traffic to IP addresses not registered in Consul's mesh. If enabled, traffic will only be proxied - to upstream proxies or Connect-native services. If disabled, requests will be proxied as-is to the + to upstream proxies or mesh-native services. If disabled, requests will be proxied as-is to the original destination IP address. Consul will not encrypt the connection.`, }, ], diff --git a/website/content/docs/connect/config-entries/proxy-defaults.mdx b/website/content/docs/connect/config-entries/proxy-defaults.mdx index bf75c130d2..917bc05044 100644 --- a/website/content/docs/connect/config-entries/proxy-defaults.mdx +++ b/website/content/docs/connect/config-entries/proxy-defaults.mdx @@ -342,8 +342,8 @@ spec: { name: 'Config', type: 'map[string]arbitrary', - description: `An arbitrary map of configuration values used by Connect proxies. - The available configurations depend on the Connect proxy you use. + description: `An arbitrary map of configuration values used by service mesh proxies. + The available configurations depend on the mesh proxy you use. Any values that your proxy allows can be configured globally here. To explore these options please see the documentation for your chosen proxy.
  • [Envoy](/consul/docs/connect/proxies/envoy#proxy-config-options)
  • [Consul's built-in proxy](/consul/docs/connect/proxies/built-in#proxy-config-key-reference)
`, @@ -409,7 +409,7 @@ spec: name: 'MeshGateway', type: 'MeshGatewayConfig: ', description: `Controls the default - [mesh gateway configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) + [mesh gateway configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) for all proxies. Added in v1.6.0.`, children: [ { @@ -426,7 +426,7 @@ spec: [expose path configuration](/consul/docs/connect/registration/service-registration#expose-paths-configuration-reference) for Envoy. Added in v1.6.2.

Exposing paths through Envoy enables a service to protect itself by only listening on localhost, while still allowing - non-Connect-enabled applications to contact an HTTP endpoint. + non-mesh-enabled applications to contact an HTTP endpoint. Some examples include: exposing a \`/metrics\` path for Prometheus or \`/healthz\` for kubelet liveness checks.`, children: [ { diff --git a/website/content/docs/connect/config-entries/service-defaults.mdx b/website/content/docs/connect/config-entries/service-defaults.mdx index d15ac43735..000b63246c 100644 --- a/website/content/docs/connect/config-entries/service-defaults.mdx +++ b/website/content/docs/connect/config-entries/service-defaults.mdx @@ -570,7 +570,7 @@ We recommend configuring the upstream timeout in the [`connection_timeout`](/con ### `UpstreamConfig.Overrides[].MeshGateway` -Map that contains the default mesh gateway `mode` field for the upstream. Refer to [Connect Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) in the mesh gateway documentation for additional information. +Map that contains the default mesh gateway `mode` field for the upstream. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. #### Values @@ -651,7 +651,7 @@ For non-Kubernetes environments, we recommend configuring the upstream timeout i ### `UpstreamConfig.Defaults.MeshGateway` -Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Connect Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) in the mesh gateway documentation for additional information. +Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. You can specify the following string values for the `mode` field: @@ -743,7 +743,7 @@ Specifies the timeout for HTTP requests to the local application instance. Appli ### `MeshGateway` -Specifies the default mesh gateway `mode` field for the service. Refer to [Connect Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) in the mesh gateway documentation for additional information. +Specifies the default mesh gateway `mode` field for the service. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. You can specify the following string values for the `mode` field: @@ -1030,7 +1030,7 @@ We recommend configuring the upstream timeout in the [`connectTimeout`](/consul/ ### `spec.upstreamConfig.defaults.meshGateway.mode` -Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Connect Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) in the mesh gateway documentation for additional information. +Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. #### Values @@ -1144,7 +1144,7 @@ Specifies the timeout for HTTP requests to the local application instance. Appli - Data type: string ### `spec.meshGateway.mode` -Specifies the default mesh gateway `mode` field for the service. Refer to [Connect Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) in the mesh gateway documentation for additional information. +Specifies the default mesh gateway `mode` field for the service. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information. #### Values @@ -1532,7 +1532,7 @@ represents a location outside the Consul cluster. Services can dial destinations name: 'Protocol', type: `string: "tcp"`, description: `Sets the protocol of the service. This is used - by Connect proxies for things like observability features and to unlock usage + by service mesh proxies for things like observability features and to unlock usage of the [\`service-splitter\`](/consul/docs/connect/config-entries/service-splitter) and [\`service-router\`](/consul/docs/connect/config-entries/service-router) config entries for a service. It also unlocks the ability to define L7 intentions via @@ -2012,7 +2012,7 @@ represents a location outside the Consul cluster. Services can dial destinations type: 'string: ""', description: `This is an optional setting that allows for the TLS [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) value to - be changed to a non-connect value when federating with an external system. + be changed to a non-mesh value when federating with an external system. Added in v1.6.0.`, }, { @@ -2022,7 +2022,7 @@ represents a location outside the Consul cluster. Services can dial destinations [expose path configuration](/consul/docs/connect/registration/service-registration#expose-paths-configuration-reference) for Envoy. Added in v1.6.2.

Exposing paths through Envoy enables a service to protect itself by only listening on localhost, while still allowing - non-Connect-enabled applications to contact an HTTP endpoint. + non-mesh-enabled applications to contact an HTTP endpoint. Some examples include: exposing a \`/metrics\` path for Prometheus or \`/healthz\` for kubelet liveness checks.`, children: [ { diff --git a/website/content/docs/connect/config-entries/service-resolver.mdx b/website/content/docs/connect/config-entries/service-resolver.mdx index 1136c15cfe..766467235f 100644 --- a/website/content/docs/connect/config-entries/service-resolver.mdx +++ b/website/content/docs/connect/config-entries/service-resolver.mdx @@ -11,7 +11,7 @@ description: >- **v1.6.0+:** On other platforms, this config entry is supported in Consul versions 1.6.0+. The `service-resolver` config entry kind (`ServiceResolver` on Kubernetes) controls which service instances -should satisfy Connect upstream discovery requests for a given service name. +should satisfy service mesh upstream discovery requests for a given service name. If no resolver config is defined the chain assumes 100% of traffic goes to the healthy instances of the default service in the current datacenter+namespace diff --git a/website/content/docs/connect/config-entries/service-router.mdx b/website/content/docs/connect/config-entries/service-router.mdx index 1a12e3cdf9..64d0a11b53 100644 --- a/website/content/docs/connect/config-entries/service-router.mdx +++ b/website/content/docs/connect/config-entries/service-router.mdx @@ -7,7 +7,7 @@ description: >- # Service Router Configuration Entry -The `service-router` config entry kind (`ServiceRouter` on Kubernetes) controls Connect traffic routing and +The `service-router` config entry kind (`ServiceRouter` on Kubernetes) controls service mesh traffic routing and manipulation at networking layer 7 (e.g. HTTP). If a router is not explicitly configured or is configured with no routes then @@ -16,7 +16,7 @@ service of the same name. ## Requirements -- Consul [service mesh connect](/consul/docs/connect/configuration) enabled services +- Consul [service mesh](/consul/docs/connect/configuration) enabled services - Service to service communication over the protocol `http` ## Interaction with other Config Entries diff --git a/website/content/docs/connect/config-entries/terminating-gateway.mdx b/website/content/docs/connect/config-entries/terminating-gateway.mdx index b7e0f38b7c..e0c1ff6032 100644 --- a/website/content/docs/connect/config-entries/terminating-gateway.mdx +++ b/website/content/docs/connect/config-entries/terminating-gateway.mdx @@ -12,7 +12,7 @@ description: >- The `terminating-gateway` config entry kind (`TerminatingGateway` on Kubernetes) allows you to configure terminating gateways to proxy traffic from services in the Consul service mesh to services registered with Consul that do not have a -[Connect service sidecar proxy](/consul/docs/connect/proxies). The configuration is associated with the name of a gateway service +[service mesh sidecar proxy](/consul/docs/connect/proxies). The configuration is associated with the name of a gateway service and will apply to all instances of the gateway with that name. ~> [Configuration entries](/consul/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies @@ -41,7 +41,7 @@ Terminating gateways can optionally target all services within a Consul namespac as the service name. Configuration options set on the wildcard act as defaults that can be overridden by options set on a specific service name. -Note that if the wildcard specifier is used, and some services in that namespace have a Connect sidecar proxy, +Note that if the wildcard specifier is used, and some services in that namespace have a service mesh sidecar proxy, traffic from the mesh to those services will be evenly load-balanced between the gateway and their sidecars. ## Sample Config Entries diff --git a/website/content/docs/connect/configuration.mdx b/website/content/docs/connect/configuration.mdx index e336946885..5edf02886b 100644 --- a/website/content/docs/connect/configuration.mdx +++ b/website/content/docs/connect/configuration.mdx @@ -2,7 +2,7 @@ layout: docs page_title: Service Mesh Configuration - Overview description: >- - Learn how to enable and configure Consul's service mesh capabilities in agent configurations, and how to integrate with schedulers like Kubernetes and Nomad. ""Connect"" is the subsystem that provides Consul’s service mesh capabilities. + Learn how to enable and configure Consul's service mesh capabilities in agent configurations, and how to integrate with schedulers like Kubernetes and Nomad. Consul's service mesh capabilities are provided by the ""connect"" subsystem. --- # Service Mesh Configuration Overview @@ -11,14 +11,17 @@ There are many configuration options exposed for Consul service mesh. The only o that must be set is the `connect.enabled` option on Consul servers to enable Consul service mesh. All other configurations are optional and have defaults suitable for many environments. -The terms _Consul Connect_ and _Consul service mesh_ are used interchangeably throughout this documentation. +The noun _connect_ is used throughout this documentation to refer to the connect +subsystem that provides Consul's service mesh capabilities. +Where you encounter the _noun_ connect, it is usually functionality specific to +service mesh. ## Agent configuration -Begin by enabling Connect for your Consul -cluster. By default, Connect is disabled. Enabling Connect requires changing +Begin by enabling service mesh for your Consul +cluster. By default, service is disabled. Enabling service mesh requires changing the configuration of only your Consul _servers_ (not client agents). To enable -Connect, add the following to a new or existing +service mesh, add the following to a new or existing [server configuration file](/consul/docs/agent/config/config-files). In an existing cluster, this configuration change requires a Consul server restart, which you can perform one server at a time to maintain availability. In HCL: @@ -37,17 +40,17 @@ connect { ```
-This will enable Connect and configure your Consul cluster to use the +This will enable service mesh and configure your Consul cluster to use the built-in certificate authority for creating and managing certificates. You may also configure Consul to use an external [certificate management system](/consul/docs/connect/ca), such as [Vault](https://www.vaultproject.io/). -Services and proxies may always register with Connect settings, but they will -fail to retrieve or verify any TLS certificates. This causes all Connect-based -connection attempts to fail until Connect is enabled on the server agents. +Services and proxies may always register with service mesh settings, but unless +service mesh is enabled on the server agents, their attempts to communicate will fail +because they have no means to obtain or verify service mesh TLS certificates. -Other optional Connect configurations that you can set in the server +Other optional service mesh configurations that you can set in the server configuration file include: - [certificate authority settings](/consul/docs/agent/config/config-files#connect) @@ -55,10 +58,10 @@ configuration file include: - [dev mode](/consul/docs/agent/config/cli-flags#_dev) - [server host name verification](/consul/docs/agent/config/config-files#tls_internal_rpc_verify_server_hostname) -If you would like to use Envoy as your Connect proxy you will need to [enable +If you would like to use Envoy as your service mesh proxy you will need to [enable gRPC](/consul/docs/agent/config/config-files#grpc_port). -Additionally if you plan on using the observability features of Connect, it can +Additionally if you plan on using the observability features of Consul service mesh, it can be convenient to configure your proxies and services using [configuration entries](/consul/docs/agent/config-entries) which you can interact with using the CLI or API, or by creating configuration entry files. You will want to enable @@ -67,8 +70,8 @@ configuration](/consul/docs/agent/config/config-files#enable_central_service_con clients, which allows each service's proxy configuration to be managed centrally via API. -!> **Security note:** Enabling Connect is enough to try the feature but doesn't -automatically ensure complete security. Please read the [Connect production +!> **Security note:** Enabling service mesh is enough to try the feature but doesn't +automatically ensure complete security. Please read the [service mesh production tutorial](/consul/tutorials/developer-mesh/service-mesh-production-checklist) to understand the additional steps needed for a secure deployment. @@ -81,7 +84,7 @@ definitions](/consul/docs/services/usage/define-services). ## Schedulers -Consul Connect is especially useful if you are using an orchestrator like Nomad +Consul service mesh is especially useful if you are using an orchestrator like Nomad or Kubernetes, because these orchestrators can deploy thousands of service instances which frequently move hosts. Sidecars for each service can be configured through these schedulers, and in some cases they can automate Consul configuration, @@ -89,16 +92,16 @@ sidecar deployment, and service registration. ### Nomad -Connect can be used with Nomad to provide secure service-to-service +Consul service mesh can be used with Nomad to provide secure service-to-service communication between Nomad jobs and task groups. The ability to use the dynamic -port feature of Nomad makes Connect particularly easy to use. Learn about how to -configure Connect on Nomad by reading the +port feature of Nomad makes Consul service mesh particularly easy to use. Learn about how to +configure Consul service mesh on Nomad by reading the [integration documentation](/consul/docs/connect/nomad). ### Kubernetes -The Consul Helm chart can automate much of Consul Connect's configuration, and +The Consul Helm chart can automate much of Consul's service mesh configuration, and makes it easy to automatically inject Envoy sidecars into new pods when they are deployed. Learn about the [Helm chart](/consul/docs/k8s/helm) in general, or if you are already familiar with it, check out its -[connect specific configurations](/consul/docs/k8s/connect). +[service mesh specific configurations](/consul/docs/k8s/connect). diff --git a/website/content/docs/connect/connect-internals.mdx b/website/content/docs/connect/connect-internals.mdx index 826a2bde22..73a3cc1e89 100644 --- a/website/content/docs/connect/connect-internals.mdx +++ b/website/content/docs/connect/connect-internals.mdx @@ -11,7 +11,10 @@ This topic describes how many of the core features of Consul's service mesh func It is not a prerequisite, but this information will help you understand how Consul service mesh behaves in more complex scenarios. -Consul Connect is the component shipped with Consul that enables service mesh functionality. The terms _Consul Connect_ and _Consul service mesh_ are used interchangeably throughout this documentation. +The noun _connect_ is used throughout this documentation to refer to the connect +subsystem that provides Consul's service mesh capabilities. +Where you encounter the _noun_ connect, it is usually functionality specific to +service mesh. To try service mesh locally, complete the [Getting Started with Consul service mesh](/consul/tutorials/kubernetes-deploy/service-mesh?utm_source=docs) @@ -59,7 +62,7 @@ in-memory data. ## Agent Caching and Performance -To enable fast responses on endpoints such as the [agent Connect +To enable fast responses on endpoints such as the [agent connect API](/consul/api-docs/agent/connect), the Consul agent locally caches most Consul service mesh-related data and sets up background [blocking queries](/consul/api-docs/features/blocking) against the server to update the cache in the background. This allows most API calls diff --git a/website/content/docs/connect/connectivity-tasks.mdx b/website/content/docs/connect/connectivity-tasks.mdx index c81c0ebda5..bd5a4bc66f 100644 --- a/website/content/docs/connect/connectivity-tasks.mdx +++ b/website/content/docs/connect/connectivity-tasks.mdx @@ -59,7 +59,7 @@ Services outside the mesh do not have sidecar proxies or are not [integrated nat These may be services running on legacy infrastructure or managed cloud services running on infrastructure you do not control. -Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate Connect +Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate service mesh mTLS connections, enforce Consul intentions, and forward requests to the appropriate destination. These gateways also simplify authorization from dynamic service addresses. Consul's intentions determine whether diff --git a/website/content/docs/connect/dev.mdx b/website/content/docs/connect/dev.mdx index 6f494bc375..6a4eddec5c 100644 --- a/website/content/docs/connect/dev.mdx +++ b/website/content/docs/connect/dev.mdx @@ -8,17 +8,17 @@ description: >- # Service Mesh Debugging It is often necessary to connect to a service for development or debugging. -If a service only exposes a Connect listener, then we need a way to establish +If a service only exposes a service mesh listener, then we need a way to establish a mutual TLS connection to the service. The [`consul connect proxy` command](/consul/commands/connect/proxy) can be used for this task on any machine with access to a Consul agent (local or remote). -Restricting access to services only via Connect ensures that the only way to +Restricting access to services only via servoce ,esj ensures that the only way to connect to a service is through valid authorization of the [intentions](/consul/docs/connect/intentions). This can extend to developers and operators, too. -## Connecting to Connect-only Services +## Connecting to Mesh-only Services As an example, let's assume that we have a PostgreSQL database running that we want to connect to via `psql`, but the only non-loopback listener is diff --git a/website/content/docs/connect/gateways/api-gateway/usage.mdx b/website/content/docs/connect/gateways/api-gateway/usage.mdx index a5fea6e817..9f314fd2f4 100644 --- a/website/content/docs/connect/gateways/api-gateway/usage.mdx +++ b/website/content/docs/connect/gateways/api-gateway/usage.mdx @@ -12,7 +12,7 @@ in a Kubernetes environment, refer to [API Gateway for Kubernetes](/consul/docs/ ## Introduction -Consul API gateways provide a configurable ingress points for requests into a Consul network. Usethe following configuration entries to set up API gateways: +Consul API gateways provide a configurable ingress points for requests into a Consul network. Use the following configuration entries to set up API gateways: - [API gateway](/consul/docs/connect/gateways/api-gateway/configuration/api-gateway): Provides an endpoint for requests to enter the network. Define listeners that expose ports on the endpoint for ingress. - [HTTP routes](/consul/docs/connect/gateways/api-gateway/configuration/http-route) and [TCP routes](/consul/docs/connect/gateways/api-gateway/configuration/tcp-route): The routes attach to listeners defined in the gateway and control how requests route to services in the network. diff --git a/website/content/docs/connect/gateways/index.mdx b/website/content/docs/connect/gateways/index.mdx index fb04a9e549..344b63dd0a 100644 --- a/website/content/docs/connect/gateways/index.mdx +++ b/website/content/docs/connect/gateways/index.mdx @@ -64,7 +64,7 @@ Services outside the mesh do not have sidecar proxies or are not [integrated nat These may be services running on legacy infrastructure or managed cloud services running on infrastructure you do not control. -Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate Connect +Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate service mesh mTLS connections, enforce Consul intentions, and forward requests to the appropriate destination. These gateways also simplify authorization from dynamic service addresses. Consul's intentions determine whether diff --git a/website/content/docs/connect/gateways/ingress-gateway.mdx b/website/content/docs/connect/gateways/ingress-gateway.mdx index 2ba36b3d79..b5a8cc213f 100644 --- a/website/content/docs/connect/gateways/ingress-gateway.mdx +++ b/website/content/docs/connect/gateways/ingress-gateway.mdx @@ -39,7 +39,7 @@ the [hosts](/consul/docs/connect/config-entries/ingress-gateway#hosts) field. Ingress gateways also require that your Consul datacenters are configured correctly: - You'll need to use Consul version 1.8.0 or newer. -- Consul [Connect](/consul/docs/agent/config/config-files#connect) must be enabled on the datacenter's Consul servers. +- Consul [service mesh](/consul/docs/agent/config/config-files#connect) must be enabled on the datacenter's Consul servers. - [gRPC](/consul/docs/agent/config/config-files#grpc_port) must be enabled on all client agents. Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with ingress gateway capabilities in Consul. @@ -54,13 +54,13 @@ review the [ingress gateway tutorial](/consul/tutorials/developer-mesh/service-m Ingress gateways are configured in service definitions and registered with Consul like other services, with two exceptions. The first is that the [kind](/consul/api-docs/agent/service#kind) must be "ingress-gateway". Second, the ingress gateway service definition may contain a `Proxy.Config` entry just like a -Connect proxy service, to define opaque configuration parameters useful for the actual proxy software. +service mesh proxy service, to define opaque configuration parameters useful for the actual proxy software. For Envoy there are some supported [gateway options](/consul/docs/connect/proxies/envoy#gateway-options) as well as [escape-hatch overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides). -> **Note:** If ACLs are enabled, ingress gateways must be registered with a token granting `service:write` for the ingress gateway's service name, `service:read` for all services in the ingress gateway's configuration entry, and `node:read` for all nodes of the services -in the ingress gateway's configuration entry. These privileges authorize the token to route communications to other Connect services. +in the ingress gateway's configuration entry. These privileges authorize the token to route communications to other mesh services. If the Consul client agent on the gateway's node is not configured to use the default gRPC port, 8502, then the gateway's token must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies. diff --git a/website/content/docs/connect/gateways/mesh-gateway/index.mdx b/website/content/docs/connect/gateways/mesh-gateway/index.mdx index e5c5229dfc..89d64b8d1e 100644 --- a/website/content/docs/connect/gateways/mesh-gateway/index.mdx +++ b/website/content/docs/connect/gateways/mesh-gateway/index.mdx @@ -57,17 +57,17 @@ Configure the following settings to register the mesh gateway as a service in Co Each upstream associated with a service mesh proxy can be configured so that it is routed through a mesh gateway. Depending on your network, the proxy's connection to the gateway can operate in one of the following modes: -* `none` - No gateway is used and a service mesh connect proxy makes its outbound connections directly +* `none` - No gateway is used and a service mesh sidecar proxy makes its outbound connections directly to the destination services. This is the default for WAN federation. This setting is invalid for peered clusters and will be treated as remote instead. -* `local` - The service mesh connect proxy makes an outbound connection to a gateway running in the +* `local` - The service mesh sidecar proxy makes an outbound connection to a gateway running in the same datacenter. That gateway is responsible for ensuring that the data is forwarded to gateways in the destination datacenter. -* `remote` - The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter. +* `remote` - The service mesh sidecar proxy makes an outbound connection to a gateway running in the destination datacenter. The gateway forwards the data to the final destination service. This is the default for peered clusters. -### Connect Proxy Configuration +### Service Mesh Proxy Configuration Set the proxy to the preferred [mode](#modes) to configure the service mesh proxy. You can specify the mode globally or within child configurations to control proxy behaviors at a lower level. Consul recognizes the following order of precedence if the gateway mode is configured in multiple locations the order of precedence: @@ -82,7 +82,7 @@ Use the following example configurations to help you understand some of the comm ### Enabling Gateways Globally -The following `proxy-defaults` configuration will enable gateways for all Connect services in the `local` mode. +The following `proxy-defaults` configuration will enable gateways for all mesh services in the `local` mode. @@ -104,7 +104,7 @@ Name: global ### Enabling Gateways Per Service -The following `service-defaults` configuration will enable gateways for all Connect services with the name `web`. +The following `service-defaults` configuration will enable gateways for all mesh services with the name `web`. diff --git a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx index d993b70f69..4e269d00fd 100644 --- a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx +++ b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx @@ -36,7 +36,7 @@ Consul can only translate mesh gateway registration information into Envoy confi Sidecar proxies that send traffic to an upstream service through a gateway need to know the location of that gateway. They discover the gateway based on their sidecar proxy registrations. Consul can only translate the gateway registration information into Envoy configuration. -Sidecar proxies that do not send upstream traffic through a gateway are not affected when you deploy gateways. If you are using Consul's built-in proxy as a Connect sidecar it will continue to work for intra-datacenter traffic and will receive incoming traffic even if that traffic has passed through a gateway. +Sidecar proxies that do not send upstream traffic through a gateway are not affected when you deploy gateways. If you are using Consul's built-in proxy as a service mesh sidecar it will continue to work for intra-datacenter traffic and will receive incoming traffic even if that traffic has passed through a gateway. ## Configuration @@ -61,7 +61,7 @@ Depending on your network, the proxy's connection to the gateway can operate in * `remote` - The service mesh connect proxy makes an outbound connection to a gateway running in the destination datacenter. The gateway forwards the data to the final destination service. -### Connect Proxy Configuration +### Service Mesh Proxy Configuration Set the proxy to the preferred [mode](#modes) to configure the service mesh proxy. You can specify the mode globally or within child configurations to control proxy behaviors at a lower level. Consul recognizes the following order of precedence if the gateway mode is configured in multiple locations the order of precedence: @@ -76,7 +76,7 @@ Use the following example configurations to help you understand some of the comm ### Enabling Gateways Globally -The following `proxy-defaults` configuration will enable gateways for all Connect services in the `local` mode. +The following `proxy-defaults` configuration will enable gateways for all mesh services in the `local` mode. @@ -99,7 +99,7 @@ Name: global ### Enabling Gateways Per Service -The following `service-defaults` configuration will enable gateways for all Connect services with the name `web`. +The following `service-defaults` configuration will enable gateways for all mesh services with the name `web`. diff --git a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx index 520f6c01ff..5a764c4372 100644 --- a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx +++ b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx @@ -29,10 +29,10 @@ Ensure that your Consul environment meets the following requirements. * Consul version 1.6.0 or newer. * A local Consul agent is required to manage its configuration. -* Consul [Connect](/consul/docs/agent/config/config-files#connect) must be enabled in both datacenters. +* Consul [service mesh](/consul/docs/agent/config/config-files#connect) must be enabled in both datacenters. * Each [datacenter](/consul/docs/agent/config/config-files#datacenter) must have a unique name. * Each datacenters must be [WAN joined](/consul/tutorials/networking/federation-gossip-wan). -* The [primary datacenter](/consul/docs/agent/config/config-files#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for Connect certificates and is required for services in all datacenters to establish mutual TLS with each other. +* The [primary datacenter](/consul/docs/agent/config/config-files#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for service mesh certificates and is required for services in all datacenters to establish mutual TLS with each other. * [gRPC](/consul/docs/agent/config/config-files#grpc_port) must be enabled. * If you want to [enable gateways globally](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters#enabling-gateways-globally) you must enable [centralized configuration](/consul/docs/agent/config/config-files#enable_central_service_config). @@ -50,7 +50,7 @@ Consul can only translate mesh gateway registration information into Envoy confi Sidecar proxies that send traffic to an upstream service through a gateway need to know the location of that gateway. They discover the gateway based on their sidecar proxy registrations. Consul can only translate the gateway registration information into Envoy configuration. -Sidecar proxies that do not send upstream traffic through a gateway are not affected when you deploy gateways. If you are using Consul's built-in proxy as a Connect sidecar it will continue to work for intra-datacenter traffic and will receive incoming traffic even if that traffic has passed through a gateway. +Sidecar proxies that do not send upstream traffic through a gateway are not affected when you deploy gateways. If you are using Consul's built-in proxy as a service mesh sidecar it will continue to work for intra-datacenter traffic and will receive incoming traffic even if that traffic has passed through a gateway. ## Configuration @@ -66,18 +66,18 @@ Configure the following settings to register the mesh gateway as a service in Co Each upstream associated with a service mesh proxy can be configured so that it is routed through a mesh gateway. Depending on your network, the proxy's connection to the gateway can operate in one of the following modes (refer to the [mesh-architecture-diagram](#mesh-architecture-diagram)): -* `none` - (Default) No gateway is used and a service mesh connect proxy makes its outbound connections directly +* `none` - (Default) No gateway is used and a service mesh sidecar proxy makes its outbound connections directly to the destination services. -* `local` - The service mesh connect proxy makes an outbound connection to a gateway running in the +* `local` - The service mesh sidecar proxy makes an outbound connection to a gateway running in the same datacenter. That gateway is responsible for ensuring that the data is forwarded to gateways in the destination datacenter. Refer to the flow labeled `local` in the [mesh-architecture-diagram](#mesh-architecture-diagram). -* `remote` - The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter. +* `remote` - The service mesh sidecar proxy makes an outbound connection to a gateway running in the destination datacenter. The gateway forwards the data to the final destination service. Refer to the flow labeled `remote` in the [mesh-architecture-diagram](#mesh-architecture-diagram). -### Connect Proxy Configuration +### Service Mesh Proxy Configuration Set the proxy to the preferred [mode](#modes) to configure the service mesh proxy. You can specify the mode globally or within child configurations to control proxy behaviors at a lower level. Consul recognizes the following order of precedence if the gateway mode is configured in multiple locations the order of precedence: @@ -92,7 +92,7 @@ Use the following example configurations to help you understand some of the comm ### Enabling Gateways Globally -The following `proxy-defaults` configuration will enable gateways for all Connect services in the `local` mode. +The following `proxy-defaults` configuration will enable gateways for all mesh services in the `local` mode. @@ -114,7 +114,7 @@ Name: global ### Enabling Gateways Per Service -The following `service-defaults` configuration will enable gateways for all Connect services with the name `web`. +The following `service-defaults` configuration will enable gateways for all mesh services with the name `web`. diff --git a/website/content/docs/connect/gateways/terminating-gateway.mdx b/website/content/docs/connect/gateways/terminating-gateway.mdx index 05f48eee5f..17a926c0cd 100644 --- a/website/content/docs/connect/gateways/terminating-gateway.mdx +++ b/website/content/docs/connect/gateways/terminating-gateway.mdx @@ -10,8 +10,8 @@ description: >- -> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer. Terminating gateways enable connectivity within your organizational network from services in the Consul service mesh to -services and [destinations](/consul/docs/connect/config-entries/service-defaults#terminating-gateway-destination) outside the mesh. These gateways effectively act as Connect proxies that can -represent more than one service. They terminate Connect mTLS connections, enforce intentions, +services and [destinations](/consul/docs/connect/config-entries/service-defaults#terminating-gateway-destination) outside the mesh. These gateways effectively act as service mesh proxies that can +represent more than one service. They terminate service mesh mTLS connections, enforce intentions, and forward requests to the appropriate destination. ![Terminating Gateway Architecture](/img/terminating-gateways.png) @@ -26,7 +26,7 @@ for filtering by instance. ## Security Considerations ~> We recommend that terminating gateways are not exposed to the WAN or open internet. This is because terminating gateways -hold certificates to decrypt Consul Connect traffic directed at them and may be configured with credentials to connect +hold certificates to decrypt Consul service mesh traffic directed at them and may be configured with credentials to connect to linked services. Connections over the WAN or open internet should flow through [mesh gateways](/consul/docs/connect/gateways/mesh-gateway) whenever possible since they are not capable of decrypting traffic or connecting directly to services. @@ -58,7 +58,7 @@ Each terminating gateway needs: Terminating gateways also require that your Consul datacenters are configured correctly: - You'll need to use Consul version 1.8.0 or newer. -- Consul [Connect](/consul/docs/agent/config/config-files#connect) must be enabled on the datacenter's Consul servers. +- Consul [service mesh](/consul/docs/agent/config/config-files#connect) must be enabled on the datacenter's Consul servers. - [gRPC](/consul/docs/agent/config/config-files#grpc_port) must be enabled on all client agents. Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with terminating gateway capabilities in Consul. @@ -68,9 +68,9 @@ Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with terminatin can only translate terminating gateway registration information into Envoy configuration, therefore the proxies acting as terminating gateways must be Envoy. -Connect proxies that send upstream traffic through a gateway aren't +Service mesh proxies that send upstream traffic through a gateway aren't affected when you deploy terminating gateways. If you are using non-Envoy proxies as -Connect proxies they will continue to work for traffic directed at services linked to +Service mesh proxies they will continue to work for traffic directed at services linked to a terminating gateway as long as they discover upstreams with the [/health/connect](/consul/api-docs/health#list-nodes-for-connect-capable-service) endpoint. @@ -84,7 +84,7 @@ services outside the mesh, review the [terminating gateway tutorial](/consul/tut Terminating gateways are configured in service definitions and registered with Consul like other services, with two exceptions. The first is that the [kind](/consul/api-docs/agent/service#kind) must be "terminating-gateway". Second, the terminating gateway service definition may contain a `Proxy.Config` entry just like a -Connect proxy service, to define opaque configuration parameters useful for the actual proxy software. +service mesh proxy service, to define opaque configuration parameters useful for the actual proxy software. For Envoy there are some supported [gateway options](/consul/docs/connect/proxies/envoy#gateway-options) as well as [escape-hatch overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides). diff --git a/website/content/docs/connect/index.mdx b/website/content/docs/connect/index.mdx index 7c7235569d..6bdc9989f5 100644 --- a/website/content/docs/connect/index.mdx +++ b/website/content/docs/connect/index.mdx @@ -7,15 +7,20 @@ description: >- # Consul service mesh -Consul Service Mesh provides service-to-service connection authorization and -encryption using mutual Transport Layer Security (TLS). Consul Connect is used interchangeably -with the name Consul Service Mesh and is what this document will use to refer to for Service Mesh functionality within Consul. -Applications can use [sidecar proxies](/consul/docs/connect/proxies) in a service mesh configuration to -establish TLS connections for inbound and outbound connections without being aware of Connect at all. -Applications may also [natively integrate with Connect](/consul/docs/connect/native) for optimal performance and security. -Connect can help you secure your services and provide data about service-to-service communications. +Consul service mesh provides service-to-service connection authorization and +encryption using mutual Transport Layer Security (TLS). -Review the video below to learn more about Consul Connect from HashiCorp's co-founder Armon. +Applications can use [sidecar proxies](/consul/docs/connect/proxies) in a service mesh configuration to +establish TLS connections for inbound and outbound connections without being aware of the service mesh at all. +Applications may also [natively integrate with Consul service mesh](/consul/docs/connect/native) for optimal performance and security. +Consul service mesh can help you secure your services and provide data about service-to-service communications. + +The noun _connect_ is used throughout this documentation to refer to the connect +subsystem that provides Consul's service mesh capabilities. +Where you encounter the _noun_ connect, it is usually functionality specific to +service mesh. + +Review the video below to learn more about Consul service mesh from HashiCorp's co-founder Armon.