Update ingress/terminating gateway ACL docs (#7891)

This commit is contained in:
Freddy 2020-05-20 09:27:25 -06:00 committed by GitHub
parent 82c391b75d
commit 3dd8b66aa2
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 6 deletions


@ -74,9 +74,11 @@ Connect proxy service, to define opaque configuration parameters useful for the
For Envoy there are some supported [gateway options](/docs/connect/proxies/envoy#gateway-options) as well as
[escape-hatch overrides](/docs/connect/proxies/envoy#escape-hatch-overrides).
-> **Note:** If ACLs are enabled, a token granting `service:write` for the gateway's service name
and `service:read` for all services in the datacenter. These permissions authorize the token to route
communications for other Connect services.
-> **Note:** If ACLs are enabled, ingress gateways must be registered with a token granting `service:write` for the ingress gateway's service name,
`service:read` for all services in the ingress gateway's configuration entry, and `node:read` for all nodes of the services
in the ingress gateway's configuration entry. These privileges authorize the token to route communications to other Connect services.
If the Consul client agent on the gateway's node is not configured to use the default gRPC port, 8502, then the gateway's token
must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies.
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
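Review bot: the new ingress note ties the required `service:read` and `node:read` grants to the services listed in the gateway's configuration entry, but the paragraph immediately after it says configuration entries are global and shared across federated datacenters; a short sentence noting that the token's policy must be extended whenever a new service is added to the entry would spare operators a confusing xDS failure after an entry update. Also, the added lines run well past the ~100-column wrapping used by the surrounding text in this file; re-wrapping them (for example, breaking after "for the ingress gateway's service name," and after "default gRPC port, 8502,") would keep the source readable in diffs.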


@ -100,9 +100,12 @@ Connect proxy service, to define opaque configuration parameters useful for the
For Envoy there are some supported [gateway options](/docs/connect/proxies/envoy#gateway-options) as well as
[escape-hatch overrides](/docs/connect/proxies/envoy#escape-hatch-overrides).
-> **Note:** If ACLs are enabled, the terminating gateways must be registered with a token granting `service:write`
for the gateway's service name **and** all linked services. These privileges will authorize the gateway
to terminate mTLS connections on behalf of the linked services.
-> **Note:** If ACLs are enabled, terminating gateways must be registered with a token granting `node:read` on the nodes
of all services in its configuration entry. The token must also grant `service:write` for the terminating gateway's service name **and**
the names of all services in the terminating gateway's configuration entry. These privileges will authorize the gateway
to terminate mTLS connections on behalf of the linked services and then route the traffic to its final destination.
If the Consul client agent on the gateway's node is not configured to use the default gRPC port, 8502, then the gateway's token
must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies.
Linking services to a terminating gateway is done with a `terminating-gateway`
[configuration entry](/docs/agent/config-entries/terminating-gateway). This config entry can be applied via the
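Review bot: the terminating-gateway note leads with `node:read` and then `service:write`, while the ingress note in the other file leads with `service:write`; listing the privileges in the same order on both pages would make the two token requirements easier to compare. It would also help to say explicitly that `service:write` on every linked service is what lets the gateway present those services' identities when it terminates mTLS on their behalf, so readers understand why a write-level grant (rather than `service:read`) is being asked for, and that "its configuration entry" refers to the `terminating-gateway` entry introduced in the next paragraph. As in the ingress file, the added lines exceed the wrapping width of the surrounding text.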