mirror of
https://github.com/status-im/consul.git
synced 2025-01-16 00:35:33 +00:00
Reformatting suggestions from review
This commit is contained in:
parent
d5a93d6b88
commit
1d85afeed4
@ -863,7 +863,8 @@ spec:
|
|||||||
type: 'array<IngressService>: <optional>',
|
type: 'array<IngressService>: <optional>',
|
||||||
description: `A list of services to be exposed via this listener.
|
description: `A list of services to be exposed via this listener.
|
||||||
For \`tcp\` listeners, only a single service is allowed.
|
For \`tcp\` listeners, only a single service is allowed.
|
||||||
Each service must have a unique name (and namespace in Enterprise).`,
|
Each service must have a unique name. A namespace is also required for
|
||||||
|
Consul Enterprise.`,
|
||||||
children: [
|
children: [
|
||||||
{
|
{
|
||||||
name: 'Name',
|
name: 'Name',
|
||||||
|
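Review bot: the rewrite of the uniqueness rule changes its meaning. The original `Each service must have a unique name (and namespace in Enterprise).` says that in Enterprise the name and namespace pair must be unique, so two services with the same name in different namespaces are fine; the replacement `A namespace is also required for Consul Enterprise.` reads as if the namespace field were mandatory in Enterprise, which is a different claim. Suggest keeping the constraint explicit, e.g. `Each service must have a unique name. In Consul Enterprise, the combination of name and namespace must be unique.`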
@ -76,10 +76,10 @@ sets of services within their datacenter, then the ingress gateways **must** be
|
|||||||
|
|
||||||
## Custom TLS Certificates via Secret Discovery Service (SDS)
|
## Custom TLS Certificates via Secret Discovery Service (SDS)
|
||||||
|
|
||||||
~> **Advanced Topic** This is a low-level feature designed for developers
|
~> **Advanced Topic:** This topic describes a low-level feature designed for
|
||||||
building integrations with custom TLS management solutions.
|
developers building integrations with custom TLS management solutions.
|
||||||
|
|
||||||
Consul 1.11 added support for Ingress Gateways to serve TLS certificates to
|
Consul 1.11 added support for ingress gateways to serve TLS certificates to
|
||||||
inbound traffic that are sourced from an external service. The external service
|
inbound traffic that are sourced from an external service. The external service
|
||||||
must implement Envoy's [gRPC Secret Discovery
|
must implement Envoy's [gRPC Secret Discovery
|
||||||
Service](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret)
|
Service](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret)
|
||||||
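Review bot: the sentence `Consul 1.11 added support for ingress gateways to serve TLS certificates to` still carries a dangling modifier in its unchanged continuation `inbound traffic that are sourced from an external service`: grammatically `that are sourced` attaches to `inbound traffic`, not to the certificates. While this paragraph is being reworded anyway, suggest `to serve TLS certificates sourced from an external service to inbound traffic`, or simply `externally sourced TLS certificates`.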
@ -87,7 +87,7 @@ Service](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secr
|
|||||||
|
|
||||||
The following procedure describes how to configure an ingress gateway with TLS certificates from an SDS source. The instructions assume that you are familiar with Envoy configuration and the SDS protocol.
|
The following procedure describes how to configure an ingress gateway with TLS certificates from an SDS source. The instructions assume that you are familiar with Envoy configuration and the SDS protocol.
|
||||||
|
|
||||||
### 1. Configure Static SDS Cluster(s)
|
### Configure Static SDS Cluster(s)
|
||||||
|
|
||||||
Each Envoy proxy that makes up this Ingress Gateway must define one or more additional [static
|
Each Envoy proxy that makes up this Ingress Gateway must define one or more additional [static
|
||||||
clusters](/docs/connect/proxies/envoy#envoy_extra_static_clusters_json) when registering. These additional clusters define how Envoy should connect to the required SDS service(s). Defining extra clusters in Envoy's bootstrap configuration requires a manual registration of the Ingress Gateway with Consul proxy.
|
clusters](/docs/connect/proxies/envoy#envoy_extra_static_clusters_json) when registering. These additional clusters define how Envoy should connect to the required SDS service(s). Defining extra clusters in Envoy's bootstrap configuration requires a manual registration of the Ingress Gateway with Consul proxy.
|
||||||
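Review bot: capitalization is now inconsistent. The previous hunk changed `Ingress Gateways` to `ingress gateways`, but the unchanged context here keeps `Each Envoy proxy that makes up this Ingress Gateway` and `a manual registration of the Ingress Gateway with Consul proxy`; since this is a reformatting pass, lowercase these as well. Separately, `with Consul proxy` is misleading: the registration is made with the local Consul agent, as the next hunk itself states (`The command must be executed against the Consul agent on the Envoy proxy's node.`), so `with the local Consul agent` is the accurate wording.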
@ -96,29 +96,30 @@ It's not possible to use the `-register` flag with `consul connect envoy -gatewa
|
|||||||
The cluster(s) must provide connection information and any necessary
|
The cluster(s) must provide connection information and any necessary
|
||||||
authentication information such as mTLS credentials.
|
authentication information such as mTLS credentials.
|
||||||
|
|
||||||
In this example we will show:
|
The following example will demonstrate how to use:
|
||||||
- A DNS name to discover the SDS service addresses
|
- A DNS name to discover the SDS service addresses
|
||||||
- Local certificate files for TLS client authentication with the SDS server
|
- Local certificate files for TLS client authentication with the SDS server.
|
||||||
(the certificates are assumed to be created and managed by some other
|
The certificates are assumed to be created and managed by some other
|
||||||
process)
|
process.
|
||||||
|
|
||||||
#### 1.1 Registering the Proxy Service
|
1. **Register the proxy service.**
|
||||||
|
|
||||||
The following Proxy Service Definition defines the bootstrap overrides needed to
|
The following Proxy Service Definition defines the additional cluster
|
||||||
add this configuration to Envoy when it starts. With this TLS configuration,
|
configuration that will be provided to Envoy when it starts. With this TLS
|
||||||
Envoy will detect changes to the certificate and key files on disk so an
|
configuration, Envoy will detect changes to the certificate and key files on
|
||||||
external process may maintain and rotate them without needing an Envoy restart.
|
disk so an external process may maintain and rotate them without needing an
|
||||||
|
Envoy restart.
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
// public-ingress.hcl
|
// public-ingress.hcl
|
||||||
Services {
|
Services {
|
||||||
Name = "public-ingress"
|
Name = "public-ingress"
|
||||||
Kind = "ingress-gateway"
|
Kind = "ingress-gateway"
|
||||||
|
|
||||||
Proxy {
|
Proxy {
|
||||||
Config {
|
Config {
|
||||||
envoy_extra_static_clusters_json = <<EOF
|
envoy_extra_static_clusters_json = <<EOF
|
||||||
{
|
{
|
||||||
"name": "sds-cluster",
|
"name": "sds-cluster",
|
||||||
"connect_timeout": "5s",
|
"connect_timeout": "5s",
|
||||||
"http2_protocol_options": {},
|
"http2_protocol_options": {},
|
||||||
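Review bot: the step markup likely breaks the ordered list. After `1. **Register the proxy service.**` the explanatory paragraph (`The following Proxy Service Definition defines the additional cluster ...`) and the hcl fence are not indented under the list item (assuming the indentation shown here matches the source), so the list ends there and every later `1.` step renders as a new list starting at 1 rather than continuing 2, 3, and so on. Indent the continuation paragraphs and fences to the list item's content column. Two smaller points: `The following example will demonstrate how to use:` does not fit the bullets that follow (they are things the example uses, not ways to use something), so `The following example demonstrates:` reads better; and because the SDS stream carries the private keys that Envoy will serve with, the phrase `any necessary authentication information such as mTLS credentials` undersells the requirement. The transport to the SDS cluster should be stated as needing TLS with client authentication, which is what the example actually configures, rather than as an optional extra.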
@ -164,35 +165,44 @@ Services {
|
|||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
**Run `consul services register public-ingress.hcl`** to create the
|
1. **Issue the following command to create the registration.**
|
||||||
registration. The command must be executed on the node where the Envoy proxy will register the proxy with the local Consul agent.
|
|
||||||
|
|
||||||
#### 1.2 Setup TLS Client Authentication for SDS
|
```
|
||||||
|
consul services register public-ingress.hcl
|
||||||
|
```
|
||||||
|
|
||||||
This configuration relies on files like the following being present on disk
|
The command must be executed against the Consul agent on the Envoy proxy's node.
|
||||||
where the Envoy proxy will run, along with the actual certificates and keys
|
|
||||||
referenced.
|
|
||||||
|
|
||||||
* `sds-client-auth.{crt,key}` are the PEM-encoded certificate and key
|
#### Setup TLS Client Authentication for SDS
|
||||||
files to be used for TLS Client Authentication with the SDS service.
|
|
||||||
* `sds-ca.crt` is the Certificate Authority certificate used to validate the the
|
|
||||||
SDS server's TLS credentials.
|
|
||||||
|
|
||||||
Please refer to [Envoy's
|
Configuration files similar to the following examples must be available on the
|
||||||
documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/bootstrap/bootstrap)
|
disk where the Envoy proxy will run. The actual certificates and keys referenced
|
||||||
for more details on this configuration and other possible authentication
|
in the configuration files must also be present.
|
||||||
options.
|
|
||||||
|
|
||||||
```json
|
1. **Configure TLS client authentication for SDS.**
|
||||||
// /certs/sds-auth-cert.json
|
|
||||||
{
|
The certificates and keys must be saved to the same disk where the Envoy
|
||||||
|
proxy will run. The following example files reference the PEM-encoded
|
||||||
|
certificate and key files to be used for TLS Client Authentication with the
|
||||||
|
SDS service (`sds-client-auth.{crt,key}`) and the certificate authority
|
||||||
|
certificate used to validate the SDS server's TLS credentials
|
||||||
|
(`sds-ca.crt`).
|
||||||
|
|
||||||
|
Refer to [Envoy's documentation]
|
||||||
|
https://www.envoyproxy.io/docs/envoy/latest/api-v3/bootstrap/bootstrap) for
|
||||||
|
more details on this configuration and other possible authentication
|
||||||
|
options.
|
||||||
|
|
||||||
|
```json
|
||||||
|
// /certs/sds-auth-cert.json
|
||||||
|
{
|
||||||
"resources": [
|
"resources": [
|
||||||
{
|
{
|
||||||
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
|
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
|
||||||
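Review bot: the Envoy link is broken in the new text. `Refer to [Envoy's documentation]` is followed on the next line by `https://www.envoyproxy.io/docs/envoy/latest/api-v3/bootstrap/bootstrap) for`, so the opening `(` of the markdown link target is missing; the URL will render as literal text with a stray `)`. It needs to be `[Envoy's documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/bootstrap/bootstrap)`. The hunk also says the same thing twice: the paragraph under the retained `#### Setup TLS Client Authentication for SDS` heading tells the reader the configuration files and the referenced certificates and keys must be present on the proxy's disk, and the first sentence of the new step `1. **Configure TLS client authentication for SDS.**` repeats it. Keep one. A `####` heading sitting between numbered steps also terminates the ordered list, so either drop the heading or fold it into the step. Minor: the registration command is in a bare ``` fence while the later Envoy command uses a bash fence with a `$` prompt; pick one style.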
@ -207,11 +217,11 @@ options.
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
```json
|
```json
|
||||||
// /certs/sds-validation.json
|
// /certs/sds-validation.json
|
||||||
{
|
{
|
||||||
"resources": [
|
"resources": [
|
||||||
{
|
{
|
||||||
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
|
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
|
||||||
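Review bot: style: the two JSON examples run together with no blank line between the closing fence of `/certs/sds-auth-cert.json` and the `json` fence that opens `/certs/sds-validation.json`; add a blank line, and ideally a one-line sentence introducing the second file, so it is obvious they are two separate files. Also note that the `// /certs/sds-validation.json` line is a file-name annotation rather than part of the file; a reader who pastes the block verbatim carries a comment line into what Envoy will read as JSON. Moving the file name into the introducing sentence avoids that.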
@ -223,18 +233,16 @@ options.
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
#### 1.3 Start Envoy
|
1. **Issue the following command to start Envoy.**
|
||||||
|
|
||||||
**Start Envoy** with:
|
```bash
|
||||||
|
$ consul connect envoy -gateway=ingress -service public-ingress
|
||||||
|
```
|
||||||
|
|
||||||
```bash
|
### Configure the Ingress Gateway to Use Certificates from SDS
|
||||||
$ consul connect envoy -gateway=ingress -service public-ingress
|
|
||||||
```
|
|
||||||
|
|
||||||
### 2. Configure the Ingress Gateway to Use Certificates from SDS
|
|
||||||
|
|
||||||
SDS certificates may now be configured in the `ingress-gateway` Config Entry.
|
SDS certificates may now be configured in the `ingress-gateway` Config Entry.
|
||||||
|
|
||||||
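Review bot: the two command blocks in this procedure are now inconsistent: `consul services register public-ingress.hcl` sits in a bare ``` fence with no prompt, while `$ consul connect envoy -gateway=ingress -service public-ingress` is in a bash fence with a `$` prompt. Use the same style for both. Because `### Configure the Ingress Gateway to Use Certificates from SDS` follows immediately and is then itself followed by another `1.` step, the step numbering restarts at the heading; if the intent is one numbered procedure spanning both sections, either drop the `###` heading or number the steps explicitly. The heading also keeps `Ingress Gateway` capitalized, unlike the earlier hunk's `ingress gateways`.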
@ -265,10 +273,10 @@ Listeners = [
|
|||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Run `consul config write public-ingress-cfg.hcl` to write this configuration.
|
1. **Run `consul config write public-ingress-cfg.hcl` to write this configuration.**
|
||||||
|
|
||||||
The Envoy instance will now start a listener on port 8443 and attempt to fetch
|
The Envoy instance will now start a listener on port 8443 and attempt to fetch
|
||||||
the TLS certificate named from the SDS server.
|
the TLS certificate named from the SDS server.
|
||||||
|
|
||||||
Separate certificates may be loaded per listener or per-service with hostname
|
Separate certificates may be loaded per listener or per-service with hostname
|
||||||
(SNI) switching. See the [Config Entry
|
(SNI) switching. See the [Config Entry
|
||||||
|
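Review bot: `attempt to fetch the TLS certificate named from the SDS server` is unclear (named where?). The name comes from the config entry written in the step just above (`consul config write public-ingress-cfg.hcl`), so `fetch the TLS certificate named in the config entry from the SDS server` says what is meant. Also, this step embeds the command inside the bold step text, whereas the earlier steps put the command in its own fence after a short bold sentence; for consistency, do the same here.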