From 6a09b284c9b6a841d461ab8d87c4ba90da05c439 Mon Sep 17 00:00:00 2001 
From: Bryce Kalow Date: Tue, 11 Oct 2022 09:58:52 -0500 Subject: [PATCH] website: fix broken links (#14943) --- .../content/api-docs/features/consistency.mdx | 6 +- website/content/api-docs/index.mdx | 4 +- .../content/commands/peering/establish.mdx | 2 +- website/content/docs/agent/sentinel.mdx | 2 +- website/content/docs/agent/telemetry.mdx | 6 +- website/content/docs/architecture/index.mdx | 2 +- website/content/docs/connect/ca/vault.mdx | 2 +- .../cluster-peering/create-manage-peering.mdx | 4 +- .../content/docs/connect/configuration.mdx | 2 +- .../connect/dataplane/consul-dataplane.mdx | 2 +- website/content/docs/connect/nomad.mdx | 2 +- .../docs/connect/transparent-proxy.mdx | 2 +- .../docs/ecs/manual/secure-configuration.mdx | 2 +- website/content/docs/enterprise/sentinel.mdx | 2 +- .../docs/integrate/nia-integration.mdx | 4 +- .../content/docs/integrate/partnerships.mdx | 2 +- website/content/docs/intro/index.mdx | 2 +- .../consul-enterprise.mdx | 2 +- .../multi-cluster/index.mdx | 2 +- .../multi-cluster/vms-and-kubernetes.mdx | 10 ++-- .../data-integration/bootstrap-token.mdx | 6 +- .../vault/data-integration/connect-ca.mdx | 6 +- .../data-integration/enterprise-license.mdx | 6 +- .../vault/data-integration/gossip.mdx | 6 +- .../vault/data-integration/index.mdx | 56 +++++++++---------- .../data-integration/partition-token.mdx | 6 +- .../data-integration/replication-token.mdx | 6 +- .../vault/data-integration/server-tls.mdx | 8 +-- .../snapshot-agent-config.mdx | 6 +- .../vault/data-integration/webhook-certs.mdx | 12 ++-- .../deployment-configurations/vault/index.mdx | 2 +- .../vault/systems-integration.mdx | 4 +- .../vault/wan-federation.mdx | 6 +- website/content/docs/k8s/helm.mdx | 12 ++-- .../gossip-encryption-key-rotation.mdx | 4 +- website/content/docs/lambda/index.mdx | 2 +- .../docs/lambda/registration/automate.mdx | 2 +- .../docs/lambda/registration/manual.mdx | 2 +- website/content/docs/nia/cli/task.mdx | 2 +- 
website/content/docs/nia/configuration.mdx | 8 +-- website/content/docs/nia/enterprise/index.mdx | 6 +- website/content/docs/nia/index.mdx | 2 +- .../docs/nia/network-drivers/index.mdx | 2 +- .../nia/network-drivers/terraform-cloud.mdx | 4 +- .../content/docs/nia/usage/requirements.mdx | 2 +- .../acl/acl-federated-datacenters.mdx | 4 +- .../docs/security/acl/acl-policies.mdx | 8 +-- .../content/docs/security/acl/acl-rules.mdx | 4 +- .../content/docs/security/acl/acl-tokens.mdx | 28 +++++----- .../docs/upgrading/upgrade-specific.mdx | 6 +- 50 files changed, 145 insertions(+), 145 deletions(-) diff --git a/website/content/api-docs/features/consistency.mdx b/website/content/api-docs/features/consistency.mdx index 8feee9a889..692b2e1fb0 100644 --- a/website/content/api-docs/features/consistency.mdx +++ b/website/content/api-docs/features/consistency.mdx @@ -273,6 +273,6 @@ semantics as `stale` consistency mode but different trade offs. This behavior is [agent caching feature documentation](/api-docs/features/caching) -[`dns_config.allow_stale`]: /docs/agent/options#allow_stale) -[`dns_config.max_stale`]: /docs/agent/options#max_stale -[`discovery_max_stale`]: /docs/agent/options#discovery_max_stale +[`dns_config.allow_stale`]: /docs/agent/config/config-files#allow_stale +[`dns_config.max_stale`]: /docs/agent/config/config-files#max_stale +[`discovery_max_stale`]: /docs/agent/config/config-files#discovery_max_stale diff --git a/website/content/api-docs/index.mdx b/website/content/api-docs/index.mdx index 2ccd1cd7d4..4d16ef5128 100644 --- a/website/content/api-docs/index.mdx +++ b/website/content/api-docs/index.mdx 
@@ -45,8 +45,8 @@ Use the following API endpoints enable network observability. The following API endpoints help you manage Consul operations. - [`/operator`](/api-docs/operator): Perform cluster-level tasks, such as interacting with the Raft subsystem or obtaining license information. -- [`/partition`](/api-docs/partition): Create and manage administrative or admin partitions in Consul. Admin partitions are supersets of Consul namespaces that isolate groups of resources to lower operational overhead. -- [`/namespace`](/api-docs/namespace): Create and manage namespaces in Consul. Namespaces isolate groups of resources to lower operational overhead. +- [`/partition`](/api-docs/admin-partitions): Create and manage administrative or admin partitions in Consul. Admin partitions are supersets of Consul namespaces that isolate groups of resources to lower operational overhead. +- [`/namespace`](/api-docs/namespaces): Create and manage namespaces in Consul. Namespaces isolate groups of resources to lower operational overhead. - [`/snapshot`](/api-docs/snapshot): Save and restore Consul server state in the event of a disaster. - [`/txn`](/api-docs/txn): Apply multiple operations, such as updating the catalog and retrieving multiple KV entries, in a single transaction. diff --git a/website/content/commands/peering/establish.mdx b/website/content/commands/peering/establish.mdx index b285671a4a..cb295d45e8 100644 --- a/website/content/commands/peering/establish.mdx +++ b/website/content/commands/peering/establish.mdx 
@@ -11,7 +11,7 @@ Command: `consul peering establish` Corresponding HTTP API Endpoint: [\[POST\] /v1/peering/establish](/api-docs/peering#establish-a-peering-connection) The `peering establish` starts a peering connection with the cluster that generated the peering token. -You can generate cluster peering tokens using the [`consul peering generate-token`](/commands/operator/generate-token) command or the [HTTP API](https://www.consul.io/api-docs/peering#generate-a-peering-token). +You can generate cluster peering tokens using the [`consul peering generate-token`](/commands/peering/generate-token) command or the [HTTP API](/api-docs/peering#generate-a-peering-token). You can only use a peering token to establish the connection once. If you need to reestablish a peering connection, you must generate a new token. diff --git a/website/content/docs/agent/sentinel.mdx b/website/content/docs/agent/sentinel.mdx index 071c714828..fde0d479cb 100644 --- a/website/content/docs/agent/sentinel.mdx +++ b/website/content/docs/agent/sentinel.mdx @@ -40,7 +40,7 @@ If the `enforcementlevel` property is not set, it defaults to "hard-mandatory". ## Imports -Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http). All functions in these imports are available to be used in policies. +Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http). All functions in these imports are available to be used in policies. ## Injected Variables diff --git a/website/content/docs/agent/telemetry.mdx b/website/content/docs/agent/telemetry.mdx index e52176c05c..8c5a516eed 100644 --- a/website/content/docs/agent/telemetry.mdx +++ b/website/content/docs/agent/telemetry.mdx 
@@ -294,7 +294,7 @@ This metric should be monitored to ensure that the license doesn't expire to pre | Metric Name | Description | Unit | Type | | :-------------------------------- | :--------------------------------------------------------------- | :---- | :---- | -| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_boltdb.NoFreelistSync`](/docs/agent/options#NoFreelistSync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge | +| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_boltdb.NoFreelistSync`](/docs/agent/config/config-files#NoFreelistSync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge | | `consul.raft.boltdb.logsPerBatch` | Measures the number of logs being written per batch to the db. | logs | sample | | `consul.raft.boltdb.storeLogs` | Measures the amount of time spent writing logs to the db. | ms | timer | | `consul.raft.boltdb.writeCapacity` | Theoretical write capacity in terms of the number of logs that can be written per second. Each sample outputs what the capacity would be if future batched log write operations were similar to this one. This similarity encompasses 4 things: batch size, byte size, disk performance and boltdb performance. While none of these will be static and its highly likely individual samples of this metric will vary, aggregating this metric over a larger time window should provide a decent picture into how this BoltDB store can perform | logs/second | sample | 
@@ -337,7 +337,7 @@ indicator of an actual issue, this metric can be used to diagnose why the `consu is high. If Bolt DB log storage performance becomes an issue and is caused by free list management then setting -[`raft_boltdb.NoFreelistSync`](/docs/agent/options#NoFreelistSync) to `true` in the server's configuration +[`raft_boltdb.NoFreelistSync`](/docs/agent/config/config-files#NoFreelistSync) to `true` in the server's configuration may help to reduce disk IO and log storage operation times. Disabling free list syncing will however increase the startup time for a server as it must scan the raft.db file for free space instead of loading the already populated free list structure. 
@@ -418,7 +418,7 @@ These metrics are used to monitor the health of the Consul servers. | `consul.raft.applied_index` | Represents the raft applied index. | index | gauge | | `consul.raft.apply` | Counts the number of Raft transactions occurring over the interval, which is a general indicator of the write load on the Consul servers. | raft transactions / interval | counter | | `consul.raft.barrier` | Counts the number of times the agent has started the barrier i.e the number of times it has issued a blocking call, to ensure that the agent has all the pending operations that were queued, to be applied to the agent's FSM. | blocks / interval | counter | -| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_boltdb.NoFreelistSync`](/docs/agent/options#NoFreelistSync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge | +| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_boltdb.NoFreelistSync`](/docs/agent/config/config-files#NoFreelistSync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge | | `consul.raft.boltdb.freePageBytes` | Represents the number of bytes of free space within the raft.db file. | bytes | gauge | | `consul.raft.boltdb.getLog` | Measures the amount of time spent reading logs from the db. | ms | timer | | `consul.raft.boltdb.logBatchSize` | Measures the total size in bytes of logs being written to the db in a single batch. | bytes | sample | diff --git a/website/content/docs/architecture/index.mdx b/website/content/docs/architecture/index.mdx index e75137ca7b..36b703496d 100644 --- a/website/content/docs/architecture/index.mdx +++ b/website/content/docs/architecture/index.mdx 
@@ -25,7 +25,7 @@ The Consul control plane contains one or more _datacenters_. A datacenter is the ### Clusters -A collection of Consul agents that are aware of each other is called a _cluster_. The terms _datacenter_ and _cluster_ are often used interchangeably. In some cases, however, _cluster_ refers only to Consul server agents, such as in [HCP Consul](https://cloud.hashicorp.com/consul). In other contexts, such as the [_admin partitions_](/docs/enterprise/admin-partitions) feature included with Consul Enterprise, a cluster may refer to collection of client agents. +A collection of Consul agents that are aware of each other is called a _cluster_. The terms _datacenter_ and _cluster_ are often used interchangeably. In some cases, however, _cluster_ refers only to Consul server agents, such as in [HCP Consul](https://cloud.hashicorp.com/products/consul). In other contexts, such as the [_admin partitions_](/docs/enterprise/admin-partitions) feature included with Consul Enterprise, a cluster may refer to collection of client agents. ## Agents diff --git a/website/content/docs/connect/ca/vault.mdx b/website/content/docs/connect/ca/vault.mdx index 26cc893463..420045ec36 100644 --- a/website/content/docs/connect/ca/vault.mdx +++ b/website/content/docs/connect/ca/vault.mdx @@ -7,7 +7,7 @@ description: >- # Vault as a Service Mesh Certificate Authority -Consul can be used with [Vault](https://www.vaultproject.io) to +Consul can be used with [Vault](https://www.vaultproject.io/) to manage and sign certificates. The Vault CA provider uses the [Vault PKI secrets engine](https://www.vaultproject.io/docs/secrets/pki) diff --git a/website/content/docs/connect/cluster-peering/create-manage-peering.mdx b/website/content/docs/connect/cluster-peering/create-manage-peering.mdx index d410bfc613..a2b08d9ee8 100644 --- a/website/content/docs/connect/cluster-peering/create-manage-peering.mdx +++ b/website/content/docs/connect/cluster-peering/create-manage-peering.mdx 
@@ -60,7 +60,7 @@ Create a JSON file that contains the first cluster's name and the peering token. -In `cluster-01`, use the [`consul peering generate-token` command](/commands/operator/generate-token) to issue a request for a peering token. +In `cluster-01`, use the [`consul peering generate-token` command](/commands/peering/generate-token) to issue a request for a peering token. ```shell-session $ consul peering generate-token -name cluster-02 @@ -523,4 +523,4 @@ spec: ``` - \ No newline at end of file + diff --git a/website/content/docs/connect/configuration.mdx b/website/content/docs/connect/configuration.mdx index 86e530e9fd..998bb5a0dd 100644 --- a/website/content/docs/connect/configuration.mdx +++ b/website/content/docs/connect/configuration.mdx @@ -108,6 +108,6 @@ configure Connect on Nomad by reading the The Consul Helm chart can automate much of Consul Connect's configuration, and makes it easy to automatically inject Envoy sidecars into new pods when they are -deployed. Learn about the [Helm chart](/docs/platform/k8s/helm) in general, +deployed. Learn about the [Helm chart](/docs/k8s/helm) in general, or if you are already familiar with it, check out its [connect specific configurations](/docs/k8s/connect). diff --git a/website/content/docs/connect/dataplane/consul-dataplane.mdx b/website/content/docs/connect/dataplane/consul-dataplane.mdx index d432aadaee..375f3e5967 100644 --- a/website/content/docs/connect/dataplane/consul-dataplane.mdx +++ b/website/content/docs/connect/dataplane/consul-dataplane.mdx 
@@ -7,7 +7,7 @@ description: >- # Consul Dataplane CLI Reference -The `consul-dataplane` command interacts with the binary for [simplified service mesh with Consul Dataplane](/consul/docs/k8s/dataplane/index). Use this command to install Consul Dataplane, configure its Envoy proxies, and secure Dataplane deployments. +The `consul-dataplane` command interacts with the binary for [simplified service mesh with Consul Dataplane](/consul/docs/k8s/dataplane). Use this command to install Consul Dataplane, configure its Envoy proxies, and secure Dataplane deployments. ## Usage diff --git a/website/content/docs/connect/nomad.mdx b/website/content/docs/connect/nomad.mdx index c7443c4650..fc88d86c71 100644 --- a/website/content/docs/connect/nomad.mdx +++ b/website/content/docs/connect/nomad.mdx @@ -7,7 +7,7 @@ description: >- # Consul and Nomad Integration -Consul Connect can be used with [Nomad](https://www.nomadproject.io) to provide +Consul Connect can be used with [Nomad](https://www.nomadproject.io/) to provide secure service-to-service communication between Nomad jobs and task groups. Nomad is a simple, flexible scheduler and workload orchestrator. The ability to use the [dynamic port](https://www.nomadproject.io/docs/job-specification/network#dynamic-ports) diff --git a/website/content/docs/connect/transparent-proxy.mdx b/website/content/docs/connect/transparent-proxy.mdx index 41a2a1fd9f..293445a1b1 100644 --- a/website/content/docs/connect/transparent-proxy.mdx +++ b/website/content/docs/connect/transparent-proxy.mdx 
@@ -223,7 +223,7 @@ Refer to [Kubernetes Health Checks in Consul on Kubernetes](/docs/k8s/connect/he ### Dial services across Kubernetes cluster -If your [Consul servers are federated between Kubernetes clusters](/docs/k8s/installation/multi-cluster/kubernetes), +If your [Consul servers are federated between Kubernetes clusters](/docs/k8s/deployment-configurations/multi-cluster/kubernetes), then you must configure services in one Kubernetes cluster to explicitly dial a service in the datacenter of another Kubernetes cluster using the [consul.hashicorp.com/connect-service-upstreams](/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) annotation. The following example configures the service to dial an upstream service called `my-service` in datacenter `dc2` on port `1234`: diff --git a/website/content/docs/ecs/manual/secure-configuration.mdx b/website/content/docs/ecs/manual/secure-configuration.mdx index ec80419b39..27698bde88 100644 --- a/website/content/docs/ecs/manual/secure-configuration.mdx +++ b/website/content/docs/ecs/manual/secure-configuration.mdx 
@@ -34,7 +34,7 @@ There are two types of ACL tokens for Consul on ECS: * **Client tokens:** used by the `consul-client` containers to join the Consul cluster * **Service tokens:** used by sidecar containers for service registration and health syncing -This section describes how to manually configure the AWS IAM auth method for Consul on ECS. Alternatively, you can install the ACL controller to ease the burden of creating these resources. The ACL controller can automatically configure ACL resources for Consul on ECS. For additional details, refer to [ACL Controller](/docs/manual/acl-controller) and [Architecture](/docs/ecs/architecture). +This section describes how to manually configure the AWS IAM auth method for Consul on ECS. Alternatively, you can install the ACL controller to ease the burden of creating these resources. The ACL controller can automatically configure ACL resources for Consul on ECS. For additional details, refer to [ACL Controller](/docs/ecs/manual/acl-controller) and [Architecture](/docs/ecs/architecture). ### ECS Task Role Configuration diff --git a/website/content/docs/enterprise/sentinel.mdx b/website/content/docs/enterprise/sentinel.mdx index 3150d5e8be..6041f22aae 100644 --- a/website/content/docs/enterprise/sentinel.mdx +++ b/website/content/docs/enterprise/sentinel.mdx @@ -17,7 +17,7 @@ description: >- Sentinel policies extend the ACL system in Consul beyond static "read", "write", and "deny" policies to support full conditional logic and integration with -external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts/) for high-level Sentinel concepts. +external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts) for high-level Sentinel concepts. To get started with Sentinel in Consul, [read the general documentation](https://docs.hashicorp.com/sentinel/consul) or 
diff --git a/website/content/docs/integrate/nia-integration.mdx b/website/content/docs/integrate/nia-integration.mdx index 6729ffb5ce..03c67da0fb 100644 --- a/website/content/docs/integrate/nia-integration.mdx +++ b/website/content/docs/integrate/nia-integration.mdx @@ -87,7 +87,7 @@ Once the module development has been completed another email should be sent to n At this stage, it is expected that the module is fully developed, all tests and documentation are in place, and that HashiCorp has reviewed the module to be compatible with Consul-Terraform-Sync. -Once this is done, HashiCorp will get the new module listed as Consul-Terraform-Sync compatible on [consul.io](/docs/nia/installation/requirements#partner-terraform-modules), and then the partner will be asked to publish the Terraform module to the [Terraform Registry](https://registry.terraform.io/browse/modules). +Once this is done, HashiCorp will get the new module listed as Consul-Terraform-Sync compatible on [consul.io](/docs/nia/usage/requirements#partner-terraform-modules), and then the partner will be asked to publish the Terraform module to the [Terraform Registry](https://registry.terraform.io/browse/modules). ### 6. Support 
@@ -95,7 +95,7 @@ Many partners view the release step to be the end of the journey, while at Hashi The expectation is to resolve all critical issues within 48 hours and all other issues within 5 business days. HashiCorp Consul and Terraform have an extremely wide community of users and contributors and we encourage everyone to report issues however small, as well as help resolve them when possible. -Partners who choose to not follow the process of NIA Integration Program for their Consul-Terraform-Sync compatible Terraform modules will not have their modules listed on [consul.io](/docs/nia/installation/requirements#partner-terraform-modules). +Partners who choose to not follow the process of NIA Integration Program for their Consul-Terraform-Sync compatible Terraform modules will not have their modules listed on [consul.io](/docs/nia/usage/requirements#partner-terraform-modules). ### Contact Us diff --git a/website/content/docs/integrate/partnerships.mdx b/website/content/docs/integrate/partnerships.mdx index 1d58a212a1..b8fbca9e98 100644 --- a/website/content/docs/integrate/partnerships.mdx +++ b/website/content/docs/integrate/partnerships.mdx 
@@ -39,7 +39,7 @@ By leveraging Consul's RESTful HTTP API system, prospective partners are able to **HCP Consul**: HCP Consul is secure by default and offers an out-of-the-box service mesh solution to streamline operations without the hassle of managing Consul servers. [Sign up for a free HCP Consul account](https://cloud.hashicorp.com/products/consul). -**Consul integration verification badges**: Partners will be issued the Consul Enterprise badge for integrations that work with [Consul Enterprise features](https://www.consul.io/docs/enterprise) such as namespaces. Partners will be issued the HCP Consul badge for integrations validated to work with [HCP Consul](https://cloud.hashicorp.com/docs/consul/features). Each badge would be displayed on HashiCorp's partner page as well as be available for posting on the partner's own website to provide better visibility and differentiation of the integration for joint customers. +**Consul integration verification badges**: Partners will be issued the Consul Enterprise badge for integrations that work with [Consul Enterprise features](https://www.consul.io/docs/enterprise) such as namespaces. Partners will be issued the HCP Consul badge for integrations validated to work with [HCP Consul](https://cloud.hashicorp.com/docs/consul#features). Each badge would be displayed on HashiCorp's partner page as well as be available for posting on the partner's own website to provide better visibility and differentiation of the integration for joint customers. diff --git a/website/content/docs/intro/index.mdx b/website/content/docs/intro/index.mdx index aeeb75123f..89d4f67a88 100644 --- a/website/content/docs/intro/index.mdx +++ b/website/content/docs/intro/index.mdx 
@@ -57,7 +57,7 @@ You can also schedule Consul workloads with [HashiCorp Nomad](https://www.nomadp Microservice architectures are complex and difficult to secure against accidental discloser to malicious actors. Consul provides several mechanisms that enhance network security without any changes to your application code, including mutual transport layer security (mTLS) encryption on all traffic between services and Consul intentions, which are service-to-service permissions that you can manage through the Consul UI, API, and CLI. -When you deploy Consul to Kubernetes clusters, you can also integrate with [HashiCorp Vault](http://vaultproject.io) to manage sensitive data. By default, Consul on Kubernetes leverages Kubernetes secrets as the backend system. Kubernetes secrets are base64 encoded, unencrypted, and lack lease or time-to-live properties. By leveraging Vault as a secrets backend for Consul on Kubernetes, you can manage and store Consul related secrets within a centralized Vault cluster to use across one or many Consul on Kubernetes datacenters. Refer to [Vault as the Secrets Backend](/docs/k8s/installation/vault) for additional information. +When you deploy Consul to Kubernetes clusters, you can also integrate with [HashiCorp Vault](https://www.vaultproject.io/) to manage sensitive data. By default, Consul on Kubernetes leverages Kubernetes secrets as the backend system. Kubernetes secrets are base64 encoded, unencrypted, and lack lease or time-to-live properties. By leveraging Vault as a secrets backend for Consul on Kubernetes, you can manage and store Consul related secrets within a centralized Vault cluster to use across one or many Consul on Kubernetes datacenters. Refer to [Vault as the Secrets Backend](/docs/k8s/deployment-configurations/vault) for additional information. You can also secure your Consul deployment, itself, by defining security policies in access control lists (ACL) to control access to data and Consul APIs. 
diff --git a/website/content/docs/k8s/deployment-configurations/consul-enterprise.mdx b/website/content/docs/k8s/deployment-configurations/consul-enterprise.mdx index 251e724716..073b56201a 100644 --- a/website/content/docs/k8s/deployment-configurations/consul-enterprise.mdx +++ b/website/content/docs/k8s/deployment-configurations/consul-enterprise.mdx @@ -10,7 +10,7 @@ You can use this Helm chart to deploy Consul Enterprise by following a few extra Find the license file that you received in your welcome email. It should have a `.hclic` extension. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart. --> **Note:** This guide assumes you are storing your license as a Kubernetes Secret. If you would like to store the enterprise license in Vault, please reference [Storing the Enterprise License in Vault](/docs/k8s/installation/vault/enterprise-license). +-> **Note:** This guide assumes you are storing your license as a Kubernetes Secret. If you would like to store the enterprise license in Vault, please reference [Storing the Enterprise License in Vault](/docs/k8s/deployment-configuration/vault/data-integration/enterprise-license). You can use the following commands to create the secret with name `consul-ent-license` and key `key`: diff --git a/website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx b/website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx index f960e6adad..45ea9c376f 100644 --- a/website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx 
@@ -74,6 +74,6 @@ There are three networking requirements: ## Next Steps Now that you have an overview of federation, proceed to either the -[Federation Between Kubernetes Clusters](/docs/k8s/installation/multi-cluster/kubernetes) +[Federation Between Kubernetes Clusters](/docs/k8s/deployment-configurations/multi-cluster/kubernetes) or [Federation Between VMs and Kubernetes](/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes) pages depending on your use case. diff --git a/website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx b/website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx index 60d28bf7f9..8ebba6330d 100644 --- a/website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx +++ b/website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx 
@@ -13,14 +13,14 @@ description: >- Consul datacenters running on non-kubernetes platforms like VMs or bare metal can be federated with Kubernetes datacenters. Just like with Kubernetes, one datacenter -must be the [primary](/docs/k8s/installation/multi-cluster/kubernetes#primary-datacenter). +must be the [primary](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#primary-datacenter). ## Kubernetes as the Primary If your primary datacenter is running on Kubernetes, use the Helm config from the -[Primary Datacenter](/docs/k8s/installation/multi-cluster/kubernetes#primary-datacenter) section to install Consul. +[Primary Datacenter](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#primary-datacenter) section to install Consul. -Once installed on Kubernetes, and with the `ProxyDefaults` [resource created](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults), +Once installed on Kubernetes, and with the `ProxyDefaults` [resource created](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#proxydefaults), you'll need to export the following information from the primary Kubernetes cluster: - Certificate authority cert and key (in order to create SSL certs for VMs) @@ -209,7 +209,7 @@ ports { ## Kubernetes as the Secondary If you're running your primary datacenter on VMs then you'll need to manually -construct the [Federation Secret](/docs/k8s/installation/multi-cluster/kubernetes#federation-secret) in order to federate +construct the [Federation Secret](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#federation-secret) in order to federate Kubernetes clusters as secondaries. -> Your VM cluster must be running mesh gateways, and have mesh gateway WAN 
@@ -351,7 +351,7 @@ With your config file ready to go, follow our [Installation Guide](/docs/k8s/ins to install Consul on your secondary cluster(s). After installation, if you're using consul-helm 0.30.0+, [create the -`ProxyDefaults` resource](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults) +`ProxyDefaults` resource](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#proxydefaults) to allow traffic between datacenters. ## Next Steps diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx index 2a05959a9f..666de84610 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx @@ -9,7 +9,7 @@ description: >- This topic describes how to configure the Consul Helm chart to use an ACL bootstrap token stored in Vault. ## Overview -To use an ACL bootstrap token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section. +To use an ACL bootstrap token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section. Complete the following steps once: 1. Store the secret in Vault. 
@@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx index d5da53f87c..188fcdef66 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx 
@@ -14,7 +14,7 @@ Consul allows using Kubernetes auth methods to configure Connect CA. This allows for automatic token rotation once the renewal is no longer possible. ## Overview -To use Vault as the service mesh certificate provider on Kubernetes, you will complete a modified version of the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section. +To use Vault as the service mesh certificate provider on Kubernetes, you will complete a modified version of the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section. Complete the following steps once: 1. Create a Vault policy that authorizes the desired level of access to the secret. @@ -25,8 +25,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Create Vault policy diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx index f0afb0c9b9..c086c03bfd 100644 
--- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx @@ -9,7 +9,7 @@ description: >- This topic describes how to configure the Consul Helm chart to use an enterprise license stored in Vault. ## Overview -Complete the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section to use an enterprise license stored in Vault. +Complete the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section to use an enterprise license stored in Vault. Complete the following steps once: 1. Store the secret in Vault. @@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx index 52955a100b..187064d9f0 100644 
--- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx @@ -10,7 +10,7 @@ description: >- This topic describes how to configure the Consul Helm chart to use TLS certificates issued by Vault in the Consul controller and connect inject webhooks. ## Overview -Complete the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section to use a gossip encryption key stored in Vault. +Complete the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section to use a gossip encryption key stored in Vault. Complete the following steps once: 1. Store the secret in Vault. @@ -22,8 +22,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault First, generate and store the gossip key in Vault. You will only need to perform this action once: 
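Review bot: In gossip.mdx, the front-matter `description` shown as context in the first hunk (-10,7) says the topic covers "TLS certificates issued by Vault in the Consul controller and connect inject webhooks", which does not match a page whose Overview is about a gossip encryption key stored in Vault. It reads as if it was copied from the webhook certificates page. Since this commit already touches the file, suggest rewording the description to cover the gossip encryption key.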
diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx index 360e1204da..735b7d12fa 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx @@ -24,11 +24,11 @@ Repeat the following steps for each datacenter in the cluster: 1. Update the Consul on Kubernetes helm chart. ## Prerequisites -Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). +Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ### Example - Gossip Encryption Key Integration -Following the general integration steps, a more detailed workflow for integration of the [Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip) with the Vault Secrets backend would like the following: +Following the general integration steps, a more detailed workflow for integration of the [Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip) with the Vault Secrets backend would like the following: Complete the following steps once: 
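Review bot: The changed sentence under "Example - Gossip Encryption Key Integration" in index.mdx still reads "would like the following", carried over unchanged from the removed line, so it is missing a verb. Suggest "would look like the following" while the line is being edited.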
@@ -57,15 +57,15 @@ It includes things like terminating gateways, ingress gateways, etc.) ### Primary Datacenter | Secret | Service Account For | Configurable Role in Consul k8s Helm | | ------ | ------------------- | ------------------------------------ | -|[ACL Bootstrap token](/docs/k8s/installation/vault/data-integration/bootstrap-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| -|[ACL Partition token](/docs/k8s/installation/vault/data-integration/partition-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| -|[ACL Replication token](/docs/k8s/installation/vault/data-integration/replication-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| -|[Enterprise license](/docs/k8s/installation/vault/data-integration/enterprise-license) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| -|[Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| -|[Snapshot Agent config](/docs/k8s/installation/vault/data-integration/snapshot-agent-config) | Consul snapshot agent | [`global.secretsBackend.vault.consulSnapshotAgentRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulsnapshotagentrole)| -|[Server TLS credentials](/docs/k8s/installation/vault/data-integration/server-tls) | Consul servers
Consul clients
Consul components | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)
[`global.secretsBackend.vault.consulCARole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulcarole)| -|[Service Mesh and Consul client TLS credentials](/docs/k8s/installation/vault/data-integration/connect-ca) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| -|[Webhook TLS certificates for controller and connect inject](/docs/k8s/installation/vault/data-integration/connect-ca) | Consul controllers
Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)
[`global.secretsBackend.vault.connectInjectRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)| +|[ACL Bootstrap token](/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| +|[ACL Partition token](/docs/k8s/deployment-configurations/vault/data-integration/partition-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| +|[ACL Replication token](/docs/k8s/deployment-configurations/vault/data-integration/replication-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)| +|[Enterprise license](/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| +|[Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| +|[Snapshot Agent config](/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config) | Consul snapshot agent | [`global.secretsBackend.vault.consulSnapshotAgentRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulsnapshotagentrole)| +|[Server TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/server-tls) | Consul servers
Consul clients
Consul components | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)
[`global.secretsBackend.vault.consulCARole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulcarole)| +|[Service Mesh and Consul client TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| +|[Webhook TLS certificates for controller and connect inject](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul controllers
Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)
[`global.secretsBackend.vault.connectInjectRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)| ### Secondary Datacenters The mapping for secondary data centers is similar with the following differences: @@ -75,18 +75,18 @@ The mapping for secondary data centers is similar with the following differences | Secret | Service Account For | Configurable Role in Consul k8s Helm | | ------ | ------------------- | ------------------------------------ | -|[ACL Partition token](/docs/k8s/installation/vault/data-integration/partition-token) | Consul server-acl-init job
Consul partition-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)
[`global.secretsBackend.vault.adminPartitionsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-adminpartitionsrole)| -|[ACL Replication token](/docs/k8s/installation/vault/data-integration/replication-token) | Consul server-acl-init job
Consul servers | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)
[`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| -|[Enterprise license](/docs/k8s/installation/vault/data-integration/enterprise-license) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| -|[Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| -|[Snapshot Agent config](/docs/k8s/installation/vault/data-integration/snapshot-agent-config) | Consul snapshot agent | [`global.secretsBackend.vault.consulSnapshotAgentRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulsnapshotagentrole)| -|[Server TLS credentials](/docs/k8s/installation/vault/data-integration/server-tls) | Consul servers
Consul clients
Consul components | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)
[`global.secretsBackend.vault.consulCARole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulcarole)| -|[Service Mesh and Consul client TLS credentials](/docs/k8s/installation/vault/data-integration/connect-ca) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| -|[Webhook TLS certificates for controller and connect inject](/docs/k8s/installation/vault/data-integration/connect-ca) | Consul controllers
Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)
[`global.secretsBackend.vault.connectInjectRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)| +|[ACL Partition token](/docs/k8s/deployment-configurations/vault/data-integration/partition-token) | Consul server-acl-init job
Consul partition-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)
[`global.secretsBackend.vault.adminPartitionsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-adminpartitionsrole)| +|[ACL Replication token](/docs/k8s/deployment-configurations/vault/data-integration/replication-token) | Consul server-acl-init job
Consul servers | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)
[`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| +|[Enterprise license](/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| +|[Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip) | Consul servers
Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)| +|[Snapshot Agent config](/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config) | Consul snapshot agent | [`global.secretsBackend.vault.consulSnapshotAgentRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulsnapshotagentrole)| +|[Server TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/server-tls) | Consul servers
Consul clients
Consul components | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)
[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)
[`global.secretsBackend.vault.consulCARole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulcarole)| +|[Service Mesh and Consul client TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)| +|[Webhook TLS certificates for controller and connect inject](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul controllers
Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)
[`global.secretsBackend.vault.connectInjectRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)| ### Combining policies within roles As you can see in the table above, depending upon your needs, a Consul on Kubernetes service account could have the need to request more than one secret. In these cases, you will want to create one role for the Consul on Kubernetes service account that is mapped to multiple policies, each of which allows it access to a given secret. -For example, if your Consul on Kubernetes servers need access to [Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip), [Consul Server TLS credentials](/docs/k8s/installation/vault/data-integration/server-tls), and [Enterprise license](/docs/k8s/installation/vault/data-integration/enterprise-license), assuming you have already saved the secrets in vault, you would: +For example, if your Consul on Kubernetes servers need access to [Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip), [Consul Server TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/server-tls), and [Enterprise license](/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license), assuming you have already saved the secrets in vault, you would: 1. Create a policy for each secret. 1. Gossip encryption key 
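Review bot: The "Webhook TLS certificates for controller and connect inject" row in the Secondary Datacenters table keeps two link targets that still look wrong after the path update. The `connectInjectRole` link points at `#v-global-secretsbackend-vault-controllerrole`, the same anchor used for `controllerRole`, and the row's own link goes to `data-integration/connect-ca` even though the "Detailed data integration guides" list in this file links the webhook certificate guide at `data-integration/webhook-certs`. Suggest pointing the row at `webhook-certs` and the role at a connect inject anchor if the Helm reference has one. The same row appears in the Primary Datacenter table in the previous hunk.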
@@ -147,16 +147,16 @@ For example, if your Consul on Kubernetes servers need access to [Gossip encrypt ## Detailed data integration guides The following secrets can be stored in Vault KV secrets engine, which is meant to handle arbitrary secrets: -- [ACL Bootstrap token](/docs/k8s/installation/vault/data-integration/bootstrap-token) -- [ACL Partition token](/docs/k8s/installation/vault/data-integration/partition-token) -- [ACL Replication token](/docs/k8s/installation/vault/data-integration/replication-token) -- [Enterprise license](/docs/k8s/installation/vault/data-integration/enterprise-license) -- [Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip) -- [Snapshot Agent config](/docs/k8s/installation/vault/data-integration/snapshot-agent-config) +- [ACL Bootstrap token](/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token) +- [ACL Partition token](/docs/k8s/deployment-configurations/vault/data-integration/partition-token) +- [ACL Replication token](/docs/k8s/deployment-configurations/vault/data-integration/replication-token) +- [Enterprise license](/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license) +- [Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip) +- [Snapshot Agent config](/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config) The following TLS certificates and keys can generated and managed by Vault the Vault PKI Engine, which is meant to handle things like certificate expiration and rotation: -- [Server TLS credentials](/docs/k8s/installation/vault/data-integration/server-tls) -- [Service Mesh and Consul client TLS credentials](/docs/k8s/installation/vault/data-integration/connect-ca) +- [Server TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/server-tls) +- [Service Mesh and Consul client TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) - [Vault as the 
Webhook Certificate Provider for Consul Controller and Connect Inject on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs) ## Secrets to Service Account Mapping diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx index 5770054faa..a299f0ea3c 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx @@ -10,7 +10,7 @@ description: >- This topic describes how to configure the Consul Helm chart to use an ACL partition token stored in Vault when using [Admin Partitions](/docs/enterprise/admin-partitions) in Consul Enterprise. ## Overview -Complete the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section to use an ACL partition token stored in Vault. +Complete the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section to use an ACL partition token stored in Vault. Complete the following steps once: 1. Store the secret in Vault. 
@@ -22,8 +22,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx index 04d20e0f71..cc0e244bd1 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx @@ -9,7 +9,7 @@ description: >- This topic describes how to configure the Consul Helm chart to use an ACL replication token stored in Vault. ## Overview -To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section. +To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section. Complete the following steps once: 1. Store the secret in Vault. 
@@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx index cff4ce4939..02074c48c9 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx 
@@ -8,7 +8,7 @@ description: >- # Vault as the Server TLS Certificate Provider on Kubernetes ## Overview -To use Vault as the server TLS certificate provider on Kubernetes, complete a modified version of the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section. +To use Vault as the server TLS certificate provider on Kubernetes, complete a modified version of the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section. Complete the following steps once: 1. Create a Vault policy that authorizes the desired level of access to the secret. @@ -20,8 +20,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). 3. Complete the [Bootstrapping the PKI Engine](#bootstrapping-the-pki-engine) section. ## Bootstrapping the PKI Engine 
@@ -54,7 +54,7 @@ TLS certificates to Consul. To use Vault to issue Server TLS certificates, you will need to create the following: 1. Create a policy that allows `["create", "update"]` access to the - [certificate issuing URL](https://www.vaultproject.io/api/secret/pki#generate-certificate) so the Consul servers can + [certificate issuing URL](https://www.vaultproject.io/api-docs/secret/pki#generate-certificate) so the Consul servers can fetch a new certificate/key pair. The path to the secret referenced in the `path` resource is the same value that you will configure in the `server.serverCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)). diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx index 2e1500a680..f632841022 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx @@ -9,7 +9,7 @@ description: >- This topic describes how to configure the Consul Helm chart to use a snapshot agent config stored in Vault. ## Overview -To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section. +To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section. Complete the following steps once: 1. Store the secret in Vault. 
@@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster: ## Prerequisites Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have: -1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). -2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). ## Store the Secret in Vault diff --git a/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx b/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx index ec85209eee..867779769a 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx 
@@ -19,7 +19,7 @@ When Vault is configured as the controller and connect inject Webhook Certificat - controller and connect inject each locally update its own `mutatingwebhookconfiguration` so that Kubernetes can relay events. - Vault manages certificate rotation and rotates certificates to each webhook. -To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section: +To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section: These following steps will be repeated for each datacenter: 1. Create a Vault policy that authorizes the desired level of access to the secret. 
@@ -29,10 +29,10 @@ These following steps will be repeated for each datacenter: ## Prerequisites Complete the following prerequisites prior to implementing the integration described in this topic: -1. Verify that you have completed the steps described in [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). -1. You should be familiar with the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault). -1. Configure [Vault as the Server TLS Certificate Provider on Kubernetes](/docs/k8s/installation/vault/data-integration/server-tls) -1. Configure [Vault as the Service Mesh Certificate Provider on Kubernetes](/docs/k8s/installation/vault/data-integration/connect-ca) +1. Verify that you have completed the steps described in [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +1. You should be familiar with the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). +1. Configure [Vault as the Server TLS Certificate Provider on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/server-tls) +1. Configure [Vault as the Service Mesh Certificate Provider on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) ## Bootstrapping the PKI Engines Issue the following commands to enable and configure the PKI Secrets Engine to serve TLS certificates for the controller and connect inject webhooks: 
@@ -92,7 +92,7 @@ Issue the following commands to enable and configure the PKI Secrets Engine to s EOF ``` -1. Create a policy that allows `["read"]` access to the [CA URL](https://www.vaultproject.io/api/secret/pki#read-certificate), +1. Create a policy that allows `["read"]` access to the [CA URL](https://www.vaultproject.io/api-docs/secret/pki#read-certificate), this is required for the Consul components to communicate with the Consul servers in order to fetch their auto-encryption certificates. The path to the secret referenced in the `path` resource is the same values that you will configure in the `global.secretsBackend.vault.controller.caCert.secretName` and `global.secretsBackend.vault.connectInject.caCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)). diff --git a/website/content/docs/k8s/deployment-configurations/vault/index.mdx b/website/content/docs/k8s/deployment-configurations/vault/index.mdx index 1fd1af5c84..c09b517ead 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/index.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/index.mdx 
@@ -47,7 +47,7 @@ The following TLS certificates and keys can be generated and managed by the Vaul The Vault integration with Consul on Kubernetes has two aspects or phases: - [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) - Configure Vault and Consul on Kubernetes systems to leverage Vault as the secrets store. -- [Data Integration](/docs/k8s/installation/vault/data-integration) - Configure specific secrets to be stored and +- [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) - Configure specific secrets to be stored and retrieved from Vault for use with Consul on Kubernetes. As a next step, please proceed to [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) overview to understand how to first setup Vault and Consul on Kubernetes to leverage Vault as a secrets backend. diff --git a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx b/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx index 9c5ac5c5ba..9c50d7df0e 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx +++ b/website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx 
@@ -12,7 +12,7 @@ Integrating Vault with Consul on Kubernetes includes a one-time setup on Vault a Complete the following steps once: - Enabling Vault KV Secrets Engine - Version 2 to store arbitrary secrets - - Enabling Vault PKI Engine if you are choosing to store and manage either [Consul Server TLS credentials](/docs/k8s/installation/vault/data-integration/server-tls) or [Service Mesh and Consul client TLS credentials](/docs/k8s/installation/vault/data-integration/connect-ca) + - Enabling Vault PKI Engine if you are choosing to store and manage either [Consul Server TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/server-tls) or [Service Mesh and Consul client TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) Repeat the following steps for each datacenter in the cluster: - Installing the Vault Injector within the Consul datacenter installation @@ -39,7 +39,7 @@ $ vault secrets enable -path=consul kv-v2 ## Vault PKI Engine -The Vault PKI Engine must be enabled in order to leverage Vault for issuing Consul Server TLS certificates. More details for configuring the PKI Engine is found in [Bootstrapping the PKI Engine](/docs/k8s/installation/vault/data-integration/server-tls#bootstrapping-the-pki-engine) under the Server TLS section. +The Vault PKI Engine must be enabled in order to leverage Vault for issuing Consul Server TLS certificates. More details for configuring the PKI Engine is found in [Bootstrapping the PKI Engine](/docs/k8s/deployment-configurations/vault/data-integration/server-tls#bootstrapping-the-pki-engine) under the Server TLS section. ```shell-session $ vault secrets enable pki diff --git a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx b/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx index 5da355201a..92f1f2557b 100644 --- a/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx 
+++ b/website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx 
@@ -9,10 +9,10 @@ description: >- ~> **Note**: This topic requires familiarity with [Mesh Gateways](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters), [WAN Federation Via Mesh Gateways](/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways). -This page describes how you can federate multiple Kubernetes clusters using Vault as the secrets backend. See the [Multi-Cluster Overview](/docs/k8s/installation/multi-cluster) for more information on use cases and how it works. +This page describes how you can federate multiple Kubernetes clusters using Vault as the secrets backend. See the [Multi-Cluster Overview](/docs/k8s/deployment-configurations/multi-cluster) for more information on use cases and how it works. ## Differences Between Using Kubernetes Secrets vs. Vault -The [Federation Between Kubernetes Clusters](/docs/k8s/installation/multi-cluster/kubernetes) page provides an overview of WAN Federation using Mesh Gateways with Kubernetes secrets as the secret backend. When using Vault as the secrets backend, there are different systems and data integration configuration that will be explained in the [Usage](#usage) section of this page. The other main difference is that when using Vault, there is no need for you to export and import a [Federation Secret](/docs/k8s/installation/multi-cluster/kubernetes#federation-secret) in each datacenter. +The [Federation Between Kubernetes Clusters](/docs/k8s/deployment-configurations/multi-cluster/kubernetes) page provides an overview of WAN Federation using Mesh Gateways with Kubernetes secrets as the secret backend. When using Vault as the secrets backend, there are different systems and data integration configuration that will be explained in the [Usage](#usage) section of this page. 
The other main difference is that when using Vault, there is no need for you to export and import a [Federation Secret](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#federation-secret) in each datacenter. ## Usage @@ -28,7 +28,7 @@ The Vault Agents on each Consul pod will communicate directly with Vault on its ![Vault agent and server communication](/img/k8s/consul-vault-wan-federation-vault-communication.svg 'Vault agent and server communication') -The two data centers will federated using mesh gateways. This communication topology is also described in the [WAN Federation Via Mesh Gateways](/docs/k8s/installation/multi-cluster#wan-federation-via-mesh-gateways) section of [Multi-Cluster Federation Overview](/docs/k8s/installation/multi-cluster). +The two data centers will federated using mesh gateways. This communication topology is also described in the [WAN Federation Via Mesh Gateways](/docs/k8s/deployment-configurations/multi-cluster#wan-federation-via-mesh-gateways) section of [Multi-Cluster Federation Overview](/docs/k8s/deployment-configurations/multi-cluster). ![Mesh Federation via Mesh Gateways](/img/k8s/consul-vault-wan-federation-mesh-communication.svg 'Mesh Federation via Mesh Gateways') diff --git a/website/content/docs/k8s/helm.mdx b/website/content/docs/k8s/helm.mdx index 4044106eee..4a5206e548 100644 --- a/website/content/docs/k8s/helm.mdx +++ b/website/content/docs/k8s/helm.mdx 
@@ -516,7 +516,7 @@ Use these links to navigate to a particular top-level stanza. This address must be reachable from the Consul servers in the primary datacenter. This auth method will be used to provision ACL tokens for Consul components and is different from the one used by the Consul Service Mesh. - Please see the [Kubernetes Auth Method documentation](https://consul.io/docs/acl/auth-methods/kubernetes). + Please see the [Kubernetes Auth Method documentation](/docs/security/acl/auth-methods/kubernetes). You can retrieve this value from your `kubeconfig` by running: @@ -749,7 +749,7 @@ Use these links to navigate to a particular top-level stanza. --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation command because of a limitation in the Helm templating language. - - `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul + - `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/config/config-files) for Consul servers. This will be saved as-is into a ConfigMap that is read by the Consul server agents. This can be used to add additional configuration that isn't directly exposed by the chart. @@ -1044,7 +1044,7 @@ Use these links to navigate to a particular top-level stanza. - `tlsInit` ((#v-client-containersecuritycontext-tlsinit)) (`map`) - The tls-init initContainer - - `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul + - `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/config/config-files) for Consul clients. This will be saved as-is into a ConfigMap that is read by the Consul client agents. This can be used to add additional configuration that isn't directly exposed by the chart. 
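Review bot: The server and client `extraConfig` entries keep an absolute `https://consul.io/docs/agent/config/config-files` URL, while the Kubernetes Auth Method link earlier in helm.mdx was converted to the site-relative `/docs/security/acl/auth-methods/kubernetes`. Pick one form for this file; the relative form would match the rest of the patch. The host also differs from the `https://www.consul.io/...` links used in the `ui.metrics` hunk of the same file.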
@@ -1356,15 +1356,15 @@ Use these links to navigate to a particular top-level stanza. will inherit from `global.metrics.enabled` value. - `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. See - https://www.consul.io/docs/agent/options#ui_config_metrics_provider + https://www.consul.io/docs/agent/config/config-files#ui_config_metrics_provider This value is only used if `ui.enabled` is set to true. - `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL. This value is only used if `ui.enabled` is set to true. - - `dashboardURLTemplates` ((#v-ui-dashboardurltemplates)) - Corresponds to https://www.consul.io/docs/agent/options#ui_config_dashboard_url_templates configuration. + - `dashboardURLTemplates` ((#v-ui-dashboardurltemplates)) - Corresponds to https://www.consul.io/docs/agent/config/config-files#ui_config_dashboard_url_templates configuration. - - `service` ((#v-ui-dashboardurltemplates-service)) (`string: ""`) - Sets https://www.consul.io/docs/agent/options#ui_config_dashboard_url_templates_service. + - `service` ((#v-ui-dashboardurltemplates-service)) (`string: ""`) - Sets https://www.consul.io/docs/agent/config/config-files#ui_config_dashboard_url_templates_service. ### syncCatalog ((#h-synccatalog)) diff --git a/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx b/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx index 15bbe60461..add04dd4a2 100644 --- a/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx +++ b/website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx 
@@ -9,7 +9,7 @@ description: >- The following instructions provides a step-by-step manual process for rotating [gossip encryption](/docs/security/encryption#gossip-encryption) keys on Consul clusters that are deployed onto a Kubernetes cluster with Consul on Kubernetes. -The following steps need only be performed once in any single datacenter if your Consul clusters are [federated](/docs/k8s/installation/multi-cluster/kubernetes). Rotating the gossip encryption key in one datacenter will automatically rotate the gossip encryption key for all the other datacenters. +The following steps need only be performed once in any single datacenter if your Consul clusters are [federated](/docs/k8s/deployment-configurations/multi-cluster/kubernetes). Rotating the gossip encryption key in one datacenter will automatically rotate the gossip encryption key for all the other datacenters. -> **Note:** Careful precaution should be taken to prohibit new clients from joining during the gossip encryption rotation process, otherwise the new clients will join the gossip pool without knowledge of the new primary gossip encryption key. In addition, deletion of a gossip encryption key from the keyring should occur only after clients have safely migrated to utilizing the new gossip encryption key for communication. @@ -128,7 +128,7 @@ The following steps need only be performed once in any single datacenter if your
- -> **Note:** These Vault instructions assume that you have integrated your [Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip) using [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). + -> **Note:** These Vault instructions assume that you have integrated your [Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip) using [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault). Update the gossip encryption Vault Secret with the value of the new gossip encryption key to ensure that subsequent `helm upgrades` commands execute successfully. The name of the secret that stores the value of the gossip encryption key can be found in the Helm values file: diff --git a/website/content/docs/lambda/index.mdx b/website/content/docs/lambda/index.mdx index 4bb6454852..588dfdc75e 100644 --- a/website/content/docs/lambda/index.mdx +++ b/website/content/docs/lambda/index.mdx @@ -14,7 +14,7 @@ You can configure Consul to allow services in your mesh to invoke Lambda functio The first step is to register your Lambda functions into Consul. We recommend using the [Lambda registrator module](https://github.com/hashicorp/terraform-aws-consul-lambda/tree/main/modules/lambda-registrator) to automatically synchronize Lambda functions into Consul. You can also manually register Lambda functions into Consul if you are unable to use the Lambda registrator. -Refer to [Lambda Function Registration Requirements](/docs/lambda/registration/index) for additional information about registering Lambda functions into Consul. +Refer to [Lambda Function Registration Requirements](/docs/lambda/registration) for additional information about registering Lambda functions into Consul. ## Invoke Lambda functions from Consul service mesh diff --git a/website/content/docs/lambda/registration/automate.mdx b/website/content/docs/lambda/registration/automate.mdx index 45e085b310..31483a15bc 100644 
--- a/website/content/docs/lambda/registration/automate.mdx +++ b/website/content/docs/lambda/registration/automate.mdx @@ -38,7 +38,7 @@ The following diagram shows the flow of events from EventBridge into Consul: ## Requirements -Verify that your environment meets the requirements specified in [Lambda Function Registration Requirements](/docs/lambda/registration/index). +Verify that your environment meets the requirements specified in [Lambda Function Registration Requirements](/docs/lambda/registration). ## Configuration diff --git a/website/content/docs/lambda/registration/manual.mdx b/website/content/docs/lambda/registration/manual.mdx index bcf58c4b66..5dd283b83c 100644 --- a/website/content/docs/lambda/registration/manual.mdx +++ b/website/content/docs/lambda/registration/manual.mdx @@ -11,7 +11,7 @@ This topic describes how to manually register Lambda functions into Consul. Refe ## Requirements -Verify that your environment meets the requirements specified in [Lambda Function Registration Requirements](/docs/lambda/registration/index). +Verify that your environment meets the requirements specified in [Lambda Function Registration Requirements](/docs/lambda/registration). To manually register Lambda functions so that mesh services can invoke them, you must create and apply a service registration configuration for the Lambda function and write a [service defaults configuration entry](/docs/connect/config-entries/service-defaults) for the function. diff --git a/website/content/docs/nia/cli/task.mdx b/website/content/docs/nia/cli/task.mdx index d9629f3734..b4316f5dbf 100644 --- a/website/content/docs/nia/cli/task.mdx +++ b/website/content/docs/nia/cli/task.mdx 
@@ -9,7 +9,7 @@ description: >- ## task create -`task create` command creates a new task so that it will run and update task resources. The command generates and outputs a Terraform plan, similar to [inspect-mode](/docs/nia/cli/cli-overview#inspect-mode), of how resources will be modified if the task is created. The command will then ask for user approval before creating the task. +`task create` command creates a new task so that it will run and update task resources. The command generates and outputs a Terraform plan, similar to [inspect-mode](/docs/nia/cli/start#modes), of how resources will be modified if the task is created. The command will then ask for user approval before creating the task. It is not to be used for updating a task and will not create a task if the task name already exists. diff --git a/website/content/docs/nia/configuration.mdx b/website/content/docs/nia/configuration.mdx index 7cdf4aa4e4..78110b736f 100644 --- a/website/content/docs/nia/configuration.mdx +++ b/website/content/docs/nia/configuration.mdx 
@@ -98,7 +98,7 @@ The `consul` block configures the CTS connection with a Consul agent so that CTS -> **Note:** Use HTTP/2 to improve Consul-Terraform-Sync performance when communicating with the local Consul process. [TLS/HTTPS](/docs/agent/config/config-files) must be configured for the local Consul with the [cert_file](/docs/agent/config/config-files#cert_file) and [key_file](/docs/agent/config/config-files#key_file) parameters set. For the Consul-Terraform-Sync configuration, set `tls.enabled = true` and set the `address` parameter to the HTTPS URL, e.g., `address = example.consul.com:8501`. If using self-signed certificates for Consul, you will also need to set `tls.verify = false` or add the certificate to `ca_cert` or `ca_path`. -To read more on suggestions for configuring the Consul agent, see [run an agent](/docs/nia/installation/requirements#run-an-agent). +To read more on suggestions for configuring the Consul agent, see [run an agent](/docs/nia/usage/requirements#run-an-agent). ```hcl consul { 
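Review bot: The unchanged note directly above the fixed "run an agent" link offers `tls.verify = false` as the first option for self-signed certificates, ahead of `ca_cert` or `ca_path`. With verification off, CTS no longer validates the Consul agent's certificate, so suggest leading with adding the certificate to `ca_cert` or `ca_path` and presenting `tls.verify = false` as a test-only fallback. The example `address = example.consul.com:8501` also carries no `https://` scheme even though the sentence calls it the HTTPS URL.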
@@ -245,7 +245,7 @@ The `instance` parameter is an object that contains configurations unique to the ## Service -~> **Note:** Deprecated in CTS 0.5.0 and will be removed in a future major release. `service` blocks are used to define the `task` block's `services` fields, which were also deprecated and replaced with [Services Condition](/docs/nia/configuration#services-condition) and [Services Module Input](/docs/nia/configuration#services-module-input). `service` block configuration can be replaced by configuring the equivalent fields of the corresponding Services Condition and Services Module Input. Refer to [0.5.0 release notes](/docs/nia/release-notes/0-5-0#deprecate-service-block) for examples. +~> **Note:** Deprecated in CTS 0.5.0 and will be removed in a future major release. `service` blocks are used to define the `task` block's `services` fields, which were also deprecated and replaced with [Services Condition](/docs/nia/configuration#services-condition) and [Services Module Input](/docs/nia/configuration#services-module-input). `service` block configuration can be replaced by configuring the equivalent fields of the corresponding Services Condition and Services Module Input. Refer to [0.5.0 release notes](/docs/release-notes/consul-terraform-sync/v0_5_x#deprecate-service-block) for examples. A `service` block is an optional block to explicitly define the services configured in the `task` block's `services` field (deprecated). `service` blocks do not define services configured in the `task` block's `condition "services"` or `module_input "services` blocks. 
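Review bot: The context paragraph below the deprecation note ends with `module_input "services` blocks, which is missing its closing double quote (compare `condition "services"` immediately before it). Worth fixing in the same pass, since this hunk already edits the Service section.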
@@ -292,7 +292,7 @@ task { - `name` - (string: required) Name is the unique name of the task (required). A task name must start with a letter or underscore and may contain only letters, digits, underscores, and dashes. - `enabled` - (bool: true) Enable or disable a task from running and managing resources. - `providers` - (list[string]) Providers is the list of provider names the task is dependent on. This is used to map [Terraform provider configuration](#terraform-provider) to the task. -- `services` - (list[string]) **Deprecated in CTS 0.5.0 and will be removed in a future major release. Use [Services Condition](/docs/nia/configuration#services-condition) or [Services Module Input](/docs/nia/configuration#services-module-input) instead. See [0.5.0 release notes](/docs/nia/release-notes/0-5-0#deprecate-services-field) for examples.** Specifies an optional list of logical service names or service IDs that the task monitors for changes in the Consul catalog. The `services` can act in different ways depending on the configuration of the task's `condition` block: +- `services` - (list[string]) **Deprecated in CTS 0.5.0 and will be removed in a future major release. Use [Services Condition](/docs/nia/configuration#services-condition) or [Services Module Input](/docs/nia/configuration#services-module-input) instead. See [0.5.0 release notes](/docs/release-notes/consul-terraform-sync/v0_5_x#deprecate-services-field) for examples.** Specifies an optional list of logical service names or service IDs that the task monitors for changes in the Consul catalog. The `services` can act in different ways depending on the configuration of the task's `condition` block: - no `condition` block configured: `services` will act as the task's condition and provide the services information as module input - the `condition` block configured for type `services`: `services` is incompatible with this type of `condition` because both configure the services module input. 
CTS will return an error. - the `condition` block configured for all other types: `services` will act only to provide services module input. 
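Review bot: The `services` field link moves from `/docs/nia/release-notes/0-5-0` to `/docs/release-notes/consul-terraform-sync/v0_5_x` but keeps the fragment `#deprecate-services-field` unchanged, and the Service note earlier in this file does the same with `#deprecate-service-block`. Confirm both headings exist on the `v0_5_x` page, since a page-level link check passes even when a fragment no longer resolves.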
@@ -651,7 +651,7 @@ driver "terraform" { ``` - `backend` - (obj) The backend stores [Terraform state files](https://www.terraform.io/language/state) for each task. This option is similar to the [Terraform backend configuration](https://www.terraform.io/language/settings/backends/configuration). CTS supports Terraform backends used as a state store. - - Supported backend options: [azurerm](https://www.terraform.io/language/settings/backends/azurerm), [consul](https://www.terraform.io/language/settings/backends/consul), [cos](https://www.terraform.io/language/settings/backends/cos), [gcs](https://www.terraform.io/language/settings/backends/gcs), [kubernetes](https://www.terraform.io/language/settings/backends/kubernetes), [local](https://www.terraform.io/language/settings/backends/local), [manta](https://www.terraform.io/language/settings/backends/manta), [pg](https://www.terraform.io/language/settings/backends/pg) (Terraform v0.14+), [s3](https://www.terraform.io/language/settings/backends/s3). Visit the Terraform documentation links for details on backend configuration options. + - Supported backend options: [azurerm](https://www.terraform.io/language/settings/backends/azurerm), [consul](https://www.terraform.io/language/settings/backends/consul), [cos](https://www.terraform.io/language/settings/backends/cos), [gcs](https://www.terraform.io/language/settings/backends/gcs), [kubernetes](https://www.terraform.io/language/settings/backends/kubernetes), [local](https://www.terraform.io/language/settings/backends/local), [manta](https://www.terraform.io/language/v1.2.x/settings/backends/manta), [pg](https://www.terraform.io/language/settings/backends/pg) (Terraform v0.14+), [s3](https://www.terraform.io/language/settings/backends/s3). Visit the Terraform documentation links for details on backend configuration options. 
- If omitted, CTS will generate default values and use configurations from the [`consul` block](#consul) to configure [Consul as the backend](https://www.terraform.io/language/settings/backends/consul), which stores Terraform statefiles in the Consul KV. The [ACL token provided for Consul authentication](#consul) is used to read and write to the KV store and requires [Consul KV privileges](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-secure?utm_source=docs#configure-acl-privileges-for-consul-terraform-sync). The Consul KV path is the base path to store state files for tasks. The full path of each state file will have the task identifier appended to the end of the path, e.g. `consul-terraform-sync/terraform-env:task-name`. - The remote enhanced backend is not supported with the Terraform driver to run operations in Terraform Cloud. Use the [Terraform Cloud driver](#terraform-cloud-driver) to integrate CTS with Terraform Cloud for remote workspaces and remote operations. - The `local` backend type is not supported with CTS instances configured for high availability. If high availability is configured and the Terraform backend type is `local`, CTS logs an error and exits. diff --git a/website/content/docs/nia/enterprise/index.mdx b/website/content/docs/nia/enterprise/index.mdx index 81bf5edb3f..9c20fcb71d 100644 --- a/website/content/docs/nia/enterprise/index.mdx +++ b/website/content/docs/nia/enterprise/index.mdx 
@@ -9,20 +9,20 @@ description: >- Consul-Terraform-Sync (CTS) Enterprise is available with [Consul Enterprise](https://www.hashicorp.com/products/consul) and requires a Consul [license](/docs/nia/enterprise/license) to be applied. -Enterprise features of CTS address organization complexities of collaboration, operations, scale, and governance. CTS Enterprise supports an official integration with [Terraform Cloud](https://www.terraform.io/cloud) and [Terraform Enterprise](https://www.terraform.io/enterprise), the self-hosted distribution, to extend insight into dynamic updates of your network infrastructure. +Enterprise features of CTS address organization complexities of collaboration, operations, scale, and governance. CTS Enterprise supports an official integration with [Terraform Cloud](https://cloud.hashicorp.com/products/terraform) and [Terraform Enterprise](https://www.terraform.io/enterprise), the self-hosted distribution, to extend insight into dynamic updates of your network infrastructure. 
| Features | Open Source | Enterprise | |----------|-------------|------------| | Consul Namespace | Default namespace only | Filter task triggers by any namespace | | Automation Driver | Terraform OSS | Terraform OSS, Terraform Cloud, or Terraform Enterprise | | Terraform Workspaces | Local | Local workspaces with the Terraform driver or [remote workspaces](https://www.terraform.io/cloud-docs/workspaces) with the Terraform Cloud driver | -| Terraform Backend Options | [azurerm](https://www.terraform.io/language/settings/backends/azurerm), [consul](https://www.terraform.io/language/settings/backends/consul), [cos](https://www.terraform.io/language/settings/backends/cos), [gcs](https://www.terraform.io/language/settings/backends/gcs), [kubernetes](https://www.terraform.io/language/settings/backends/kubernetes), [local](https://www.terraform.io/language/settings/backends/local), [manta](https://www.terraform.io/language/settings/backends/manta), [pg](https://www.terraform.io/language/settings/backends/pg), and [s3](https://www.terraform.io/language/settings/backends/s3) with the Terraform driver | The supported backends for CTS with the Terraform driver or Terraform Cloud with the Terraform Cloud driver | +| Terraform Backend Options | [azurerm](https://www.terraform.io/language/settings/backends/azurerm), [consul](https://www.terraform.io/language/settings/backends/consul), [cos](https://www.terraform.io/language/settings/backends/cos), [gcs](https://www.terraform.io/language/settings/backends/gcs), [kubernetes](https://www.terraform.io/language/settings/backends/kubernetes), [local](https://www.terraform.io/language/settings/backends/local), [manta](https://www.terraform.io/language/v1.2.x/settings/backends/manta), [pg](https://www.terraform.io/language/settings/backends/pg), and [s3](https://www.terraform.io/language/settings/backends/s3) with the Terraform driver | The supported backends for CTS with the Terraform driver or Terraform Cloud with the Terraform 
Cloud driver | | Terraform Version | One Terraform version for all tasks | Optional Terraform version per task when using the Terraform Cloud driver | | Terraform Run Output | CTS logs | CTS logs or Terraform output organized by Terraform Cloud remote workspaces | | Credentials and secrets | On disk as `.tfvars` files or in shell environment | Secured variables stored in remote workspace | | Audit | | Terraform audit logs ([Terraform Cloud](https://www.terraform.io/cloud-docs/api-docs/audit-trails) or [Terraform Enterprise](https://www.terraform.io/enterprise/admin/infrastructure/logging)) | | Collaboration | | Run [history](https://www.terraform.io/cloud-docs/run/manage), [triggers](https://www.terraform.io/cloud-docs/workspaces/settings/run-triggers), and [notifications](https://www.terraform.io/cloud-docs/workspaces/settings/notifications) supported on Terraform Cloud | -| Governance | | [Sentinel](https://www.terraform.io/cloud-docs/sentinel) to enforce governance policies as code | +| Governance | | [Sentinel](https://www.terraform.io/cloud-docs/policy-enforcement) to enforce governance policies as code | The [Terraform Cloud driver](/docs/nia/configuration#terraform-cloud-driver) enables CTS Enterprise to integrate with Terraform Cloud or Terraform Enterprise. The [Terraform Cloud driver](/docs/nia/network-drivers/terraform-cloud) page provides an overview of how the integration works within CTS. diff --git a/website/content/docs/nia/index.mdx b/website/content/docs/nia/index.mdx index 0d6da2782d..86443faad9 100644 --- a/website/content/docs/nia/index.mdx +++ b/website/content/docs/nia/index.mdx 
@@ -53,7 +53,7 @@ CTS is available as an open source and enterprise distribution. Follow the [Netw - `Tasks` - A task is the translation of dynamic service information from the Consul Catalog into network infrastructure changes downstream. -- `Terraform Cloud` - Per the [Terraform documentation](httphttps://www.terraform.io/cloud-docs), "Terraform Cloud" describes both Terraform Cloud and Terraform Enterprise, which are different distributions of the same application. Documentation will apply to both distributions unless specifically stated otherwise. +- `Terraform Cloud` - Per the [Terraform documentation](https://www.terraform.io/cloud-docs), "Terraform Cloud" describes both Terraform Cloud and Terraform Enterprise, which are different distributions of the same application. Documentation will apply to both distributions unless specifically stated otherwise. - `Terraform Module` - A [Terraform module](https://www.terraform.io/language/modules) is a container for multiple Terraform resources that are used together. diff --git a/website/content/docs/nia/network-drivers/index.mdx b/website/content/docs/nia/network-drivers/index.mdx index 33bee29a47..bc845f4e0b 100644 --- a/website/content/docs/nia/network-drivers/index.mdx +++ b/website/content/docs/nia/network-drivers/index.mdx @@ -16,7 +16,7 @@ The following table highlights some of the additional features Terraform and Ter | Network Driver | Description | Features | | -------------- | ----------- | -------- | | [Terraform driver](/docs/nia/network-drivers/terraform) | CTS automates a local installation of the [Terraform CLI](https://www.terraform.io/) | - Local Terraform execution
- Local workspace directories
- [Backend options](/docs/nia/configuration#backend) available for state storage
| -| [Terraform Cloud driver](/docs/nia/network-drivers/terraform-cloud) | CTS Enterprise automates remote workspaces on [Terraform Cloud](https://www.terraform.io/cloud-docs) | - [Remote Terraform execution](https://www.terraform.io/cloud-docs/run/remote-operations)
- Concurrent runs
- [Secured variables](https://www.terraform.io/cloud-docs/workspaces/variables)
- [State versions](https://www.terraform.io/cloud-docs/workspaces/state)
- [Sentinel](https://www.terraform.io/cloud-docs/sentinel) to enforce governance policies as code
- Audit [logs](https://www.terraform.io/enterprise/admin/infrastructure/logging) and [trails](https://www.terraform.io/cloud-docs/api-docs/audit-trails)
- Run [history](https://www.terraform.io/cloud-docs/run/manage), [triggers](https://www.terraform.io/cloud-docs/workspaces/settings/run-triggers), and [notifications](https://www.terraform.io/cloud-docs/workspaces/settings/notifications)
- [Terraform Cloud Agents](https://www.terraform.io/cloud-docs/agents) | +| [Terraform Cloud driver](/docs/nia/network-drivers/terraform-cloud) | CTS Enterprise automates remote workspaces on [Terraform Cloud](https://www.terraform.io/cloud-docs) | - [Remote Terraform execution](https://www.terraform.io/cloud-docs/run/remote-operations)
- Concurrent runs
- [Secured variables](https://www.terraform.io/cloud-docs/workspaces/variables)
- [State versions](https://www.terraform.io/cloud-docs/workspaces/state)
- [Sentinel](https://www.terraform.io/cloud-docs/policy-enforcement) to enforce governance policies as code
- Audit [logs](https://www.terraform.io/enterprise/admin/infrastructure/logging) and [trails](https://www.terraform.io/cloud-docs/api-docs/audit-trails)
- Run [history](https://www.terraform.io/cloud-docs/run/manage), [triggers](https://www.terraform.io/cloud-docs/workspaces/settings/run-triggers), and [notifications](https://www.terraform.io/cloud-docs/workspaces/settings/notifications)
- [Terraform Cloud Agents](https://www.terraform.io/cloud-docs/agents) | ## Understanding Terraform Automation diff --git a/website/content/docs/nia/network-drivers/terraform-cloud.mdx b/website/content/docs/nia/network-drivers/terraform-cloud.mdx index 8bc547baac..c0c7d08fde 100644 --- a/website/content/docs/nia/network-drivers/terraform-cloud.mdx +++ b/website/content/docs/nia/network-drivers/terraform-cloud.mdx @@ -12,7 +12,7 @@ description: >- which is available with Consul Enterprise. -Consul-Terraform-Sync (CTS) is more powerful when you integrate it with [Terraform Cloud](https://www.terraform.io/cloud). Integrating with Terraform Cloud provides features, such as enhanced workspaces and insight into Terraform operations as CTS dynamically updates your network infrastructure. CTS is compatible with both the [self-hosted](https://www.hashicorp.com/products/terraform/editions/enterprise) and [managed service](https://www.hashicorp.com/products/terraform/editions/cloud) versions of Terraform Cloud. It also supports all [tiers](https://www.hashicorp.com/products/terraform/pricing) of the Terraform Cloud managed service. +Consul-Terraform-Sync (CTS) is more powerful when you integrate it with [Terraform Cloud](https://cloud.hashicorp.com/products/terraform). Integrating with Terraform Cloud provides features, such as enhanced workspaces and insight into Terraform operations as CTS dynamically updates your network infrastructure. CTS is compatible with both the [self-hosted](https://www.hashicorp.com/products/terraform/editions/enterprise) and [managed service](https://www.hashicorp.com/products/terraform/editions/cloud) versions of Terraform Cloud. It also supports all [tiers](https://www.hashicorp.com/products/terraform/pricing) of the Terraform Cloud managed service. This page describes how the Terraform Cloud driver operates within CTS. 
@@ -111,7 +111,7 @@ Because a CTS instance can only be configured with one driver, an instance can o ### Required Setup -This section captures requirements for setting up CTS to integrate with your [Terraform Cloud](https://www.terraform.io/cloud) solution. +This section captures requirements for setting up CTS to integrate with your [Terraform Cloud](https://cloud.hashicorp.com/products/terraform) solution. 1. Hostname of your Terraform Cloud, self-hosted distribution 1. Name of your organization diff --git a/website/content/docs/nia/usage/requirements.mdx b/website/content/docs/nia/usage/requirements.mdx index 1a604e203f..9bf9e7294f 100644 --- a/website/content/docs/nia/usage/requirements.mdx +++ b/website/content/docs/nia/usage/requirements.mdx 
@@ -31,7 +31,7 @@ For information on compatible Consul versions, refer to the [Consul compatibilit ### Run an agent -The Consul agent must be running in order to dynamically update network devices. Refer to the [Consul agent documentation](/docs/agent/index) for information about configuring and starting a Consul agent. For hands-on instructions about running Consul agents, refer to the [Getting Started: Run the Consul Agent Tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-agent?in=consul/getting-started). +The Consul agent must be running in order to dynamically update network devices. Refer to the [Consul agent documentation](/docs/agent) for information about configuring and starting a Consul agent. For hands-on instructions about running Consul agents, refer to the [Getting Started: Run the Consul Agent Tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-agent?in=consul/getting-started). When running a Consul agent with CTS in production, consider that CTS uses [blocking queries](/api-docs/features/blocking) to monitor task dependencies, such as changes to registered services. This results in multiple long-running TCP connections between CTS and the agent to poll changes for each dependency. Consul may quickly reach the agent connection limits if CTS is monitoring a high number of services. diff --git a/website/content/docs/security/acl/acl-federated-datacenters.mdx b/website/content/docs/security/acl/acl-federated-datacenters.mdx index ed3badaf87..dae636025c 100644 --- a/website/content/docs/security/acl/acl-federated-datacenters.mdx +++ b/website/content/docs/security/acl/acl-federated-datacenters.mdx 
@@ -17,11 +17,11 @@ Consul versions 1.4.0 and later ## Configure ACLs in the Primary Datacenter -In a [federated Consul deployment](/docs/k8s/installation/multi-cluster), one of the datacenters is marked as the primary datacenter. +In a [federated Consul deployment](/docs/k8s/deployment-configurations/multi-cluster), one of the datacenters is marked as the primary datacenter. The `acl` configuration block should be added to the primary datacenter server's configuration file as shown in the following example. -See the [ACL Config Stanza](/docs/agent/options#acl) for more detailed descriptions of each option. +See the [ACL Config Stanza](/docs/agent/config/config-files#acl) for more detailed descriptions of each option. -> **Versions before 1.11.0:** The `initial_management` token was called the `master` token in versions prior to 1.11.0 diff --git a/website/content/docs/security/acl/acl-policies.mdx b/website/content/docs/security/acl/acl-policies.mdx index ce2265155d..22f5dac8b2 100644 --- a/website/content/docs/security/acl/acl-policies.mdx +++ b/website/content/docs/security/acl/acl-policies.mdx 
@@ -104,7 +104,7 @@ Use the `policy` keyword and one of the following access levels to set a policy - `write`: Allows the resource to be read and modified. - `deny`: Denies read and write access to the resource. -The special `list` access level provides access to all keys with the specified resource label in the [Consul KV](/commands/kv/). The `list` access level can only be used with the `key_prefix` resource. The [`acl.enable_key_list_policy`](/docs/agent/options#acl_enable_key_list_policy) setting must be set to `true`. +The special `list` access level provides access to all keys with the specified resource label in the [Consul KV](/commands/kv/). The `list` access level can only be used with the `key_prefix` resource. The [`acl.enable_key_list_policy`](/docs/agent/config/config-files#acl_enable_key_list_policy) setting must be set to `true`. ### Matching and Prefix Values @@ -246,7 +246,7 @@ operator = "read" ## Rule Scope The rules from all policies, including roles and service identities, linked with a token are combined to form that token's effective rule set. -Policy rules can be defined in either an `allowlist` or `denylist` mode, depending on the configuration of the [`acl_default_policy`](/docs/agent/options#acl_default_policy). +Policy rules can be defined in either an `allowlist` or `denylist` mode, depending on the configuration of the [`acl_default_policy`](/docs/agent/config/config-files#acl_default_policy). If the default policy is configured to deny access to all resources, then you can specify `allowlist` in policy rules to explicitly allow access to resources. Conversely, if the default policy is configured to allow access to all resources, then you can specify `denylist` in policy rules to explicitly deny access to resources. 
@@ -344,12 +344,12 @@ ACL policies can have the following attributes: | `ID` | The policy's public identifier. Present the `ID` (or the `name`) value when interacting with policies. You can specify a value when creating policies or use the value auto-generated by Consul. | N/A | N/A | | `name` | Unique name for the policy. | Required | none | | `description` | Human readable description of the policy. | Optional | none | -| `rules` | Set of rules granting or denying permissions. See the [Rule Specification](/docs/acl/acl-rules#rule-specification) documentation for more details. | Optional | none | +| `rules` | Set of rules granting or denying permissions. See the [Rule Specification](/docs/security/acl/acl-rules#rule-specification) documentation for more details. | Optional | none | | `datacenter` | Datacenter in which the policy is valid. More than one datacenter can be specified. | Optional | none | | `namespace` | Namespace in which the policy is valid. Added in Consul Enterprise 1.7.0. | Optional | `default` | | `partition` | Admin partition in which the policy is valid. Added in Consul Enterprise 1.11.0 | Optional | `default` | --> **Non-default Namespaces and Partitions** - Rules defined in a policy tied to an namespace or admin partition other than `default` can only grant a subset of privileges that affect the namespace or partition. See [Namespace Rules](/docs/acl/acl-rules#namespace-rules) and [Admin Partition Rules](/docs/security/acl/acl-rules#admin-partition-rules) for additional information. +-> **Non-default Namespaces and Partitions** - Rules defined in a policy tied to an namespace or admin partition other than `default` can only grant a subset of privileges that affect the namespace or partition. See [Namespace Rules](/docs/security/acl/acl-rules#namespace-rules) and [Admin Partition Rules](/docs/security/acl/acl-rules#admin-partition-rules) for additional information. You can view the current ACL policies on the command line or through the API. 
The following example demonstrates the command line usage: diff --git a/website/content/docs/security/acl/acl-rules.mdx b/website/content/docs/security/acl/acl-rules.mdx index 46d2150d4e..b24ca71e2f 100644 --- a/website/content/docs/security/acl/acl-rules.mdx +++ b/website/content/docs/security/acl/acl-rules.mdx @@ -20,7 +20,7 @@ The following table provides an overview of the resources you can use to create | `agent`
`agent_prefix` | Controls access to the utility operations in the [Agent API](/api-docs/agent), such as `join` and `leave`.
See [Agent Rules](#agent-rules) for details. | Yes | | `event`
`event_prefix` | Controls access to event operations in the [Event API](/api-docs/event), such as firing and listing events.
See [Event Rules](#event-rules) for details. | Yes | | `key`
`key_prefix`   | Controls access to key/value store operations in the [KV API](/api-docs/kv).
Can also use the `list` access level when setting the policy disposition.
Has additional value options in Consul Enterprise for integrating with [Sentinel](https://docs.hashicorp.com/sentinel/consul).
See [Key/Value Rules](#key-value-rules) for details. | Yes | -| `keyring`       | Controls access to keyring operations in the [Keyring API](/api-docs/keyring).
See [Keyring Rules](#keyring-rules) for details. | No | +| `keyring`       | Controls access to keyring operations in the [Keyring API](/api-docs/operator/keyring).
See [Keyring Rules](#keyring-rules) for details. | No | | `mesh`       | Provides operator-level permissions for resources in the admin partition, such as ingress gateways or mesh proxy defaults. See [Mesh Rules](#mesh-rules) for details. | No | | `peering`       | Controls access to cluster peerings in the [Cluster Peering API](/api-docs/peering). For more details, refer to [Peering Rules](#peering-rules). | No | | `namespace`
`namespace_prefix` | Controls access to one or more namespaces.
See [Namespace Rules](#namespace-rules) for details. | Yes | @@ -586,7 +586,7 @@ These actions may required an ACL token to complete. Use the following methods t This allows a single token to be used during all check registration operations. * Provide an ACL token with `service` and `check` definitions at registration time. This allows for greater flexibility and enables the use of multiple tokens on the same agent. - Refer to the [services](/docs/agent/services) and [checks](/docs/discovery/checks) documentation for examples. + Refer to the [services](/docs/discovery/services) and [checks](/docs/discovery/checks) documentation for examples. Tokens may also be passed to the [HTTP API](/api-docs) for operations that require them. ## Operator Rules diff --git a/website/content/docs/security/acl/acl-tokens.mdx b/website/content/docs/security/acl/acl-tokens.mdx index 498ade9320..3de9992005 100644 --- a/website/content/docs/security/acl/acl-tokens.mdx +++ b/website/content/docs/security/acl/acl-tokens.mdx 
@@ -70,16 +70,16 @@ Refer to the [service definitions documentation](/docs/discovery/services#servic ### Agent Requests -Consul agents can be configured to hold several ACL tokens (see [`tokens`](/docs/agent/options#acl_tokens_default)) to accommodate several use cases. The following table describes agent configuration fields where ACLs are applicable and whether the configurations apply to servers, clients, or both. +Consul agents can be configured to hold several ACL tokens (see [`tokens`](/docs/agent/config/config-files#acl_tokens_default)) to accommodate several use cases. The following table describes agent configuration fields where ACLs are applicable and whether the configurations apply to servers, clients, or both. | Configuration Option | Servers | Clients | Purpose | | -------------------------------------------------------------- | ---------- | ---------- | ---------------------------------------------------------------------- | -| [`acl.enabled`](/docs/agent/options#acl_enabled) | `REQUIRED` | `REQUIRED` | Controls whether ACLs are enabled | -| [`acl.default_policy`](/docs/agent/options#acl_default_policy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode | -| [`acl.down_policy`](/docs/agent/options#acl_down_policy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the remote token or policy resolution fails | -| [`acl.role_ttl`](/docs/agent/options#acl_role_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Roles | -| [`acl.policy_ttl`](/docs/agent/options#acl_policy_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Policies | -| [`acl.token_ttl`](/docs/agent/options#acl_token_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Tokens | +| [`acl.enabled`](/docs/agent/config/config-files#acl_enabled) | `REQUIRED` | `REQUIRED` | Controls whether ACLs are enabled | +| [`acl.default_policy`](/docs/agent/config/config-files#acl_default_policy) | `OPTIONAL` | `N/A` | Determines 
allowlist or denylist mode | +| [`acl.down_policy`](/docs/agent/config/config-files#acl_down_policy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the remote token or policy resolution fails | +| [`acl.role_ttl`](/docs/agent/config/config-files#acl_role_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Roles | +| [`acl.policy_ttl`](/docs/agent/config/config-files#acl_policy_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Policies | +| [`acl.token_ttl`](/docs/agent/config/config-files#acl_token_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Tokens | In the following example, the agent is configured to use a default token: @@ -101,7 +101,7 @@ tokens = { -Refer to the [agent configurations documentation](/docs/agent/options) for additional information. +Refer to the [agent configurations documentation](/docs/agent/config/config-files) for additional information. ### Command Line Requests @@ -131,7 +131,7 @@ $ curl --header "X-Consul-Token: " "http://127.0.0.1:8500/v1/agent/member ## Token Attributes The following table is a partial list of attributes that a token may contain. -Refer to the [API](/api-docs/acl/token) or [command line](/commands/acl/token) documentation for all attributes that can be assigned or generated for a token: +Refer to the [API](/api-docs/acl/tokens) or [command line](/commands/acl/token) documentation for all attributes that can be assigned or generated for a token: | Attribute | Description | Type | Default | | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------- | 
@@ -154,9 +154,9 @@ system or accessing Consul under specific conditions. The following table descri | Token | Servers | Clients | Description | | ------------------------------------------------------------------------------------ | ---------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [`acl.tokens.agent_recovery`](/docs/agent/config/config-files#acl_tokens_agent_recovery) | `OPTIONAL` | `OPTIONAL` | Enables access to the [Agent API](/api-docs/agent) when remote bearer token resolution fails.
Used for setting up the cluster and performing initial join operations.
See [ACL Agent Recovery Token](#acl-agent-recovery-token) for details. | -| [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) | `OPTIONAL` | `OPTIONAL` | Used for internal agent operations. See [ACL Agent Token](#acl-agent-token) for details. | -| [`acl.tokens.initial_management`](/docs/agent/options#acl_tokens_initial_management) | `OPTIONAL` | `N/A` | Used to bootstrap the ACL system. See [Initial Management Token](#initial-management-token). | -| [`acl.tokens.default`](/docs/agent/options#acl_tokens_default) | `OPTIONAL` | `OPTIONAL` | Specifies a default token to use for client requests if no token is supplied. This is commonly configured with read-only access to services to enable DNS service discovery on agents. | +| [`acl.tokens.agent`](/docs/agent/config/config-files#acl_tokens_agent) | `OPTIONAL` | `OPTIONAL` | Used for internal agent operations. See [ACL Agent Token](#acl-agent-token) for details. | +| [`acl.tokens.initial_management`](/docs/agent/config/config-files#acl_tokens_initial_management) | `OPTIONAL` | `N/A` | Used to bootstrap the ACL system. See [Initial Management Token](#initial-management-token). | +| [`acl.tokens.default`](/docs/agent/config/config-files#acl_tokens_default) | `OPTIONAL` | `OPTIONAL` | Specifies a default token to use for client requests if no token is supplied. This is commonly configured with read-only access to services to enable DNS service discovery on agents. | All reserved tokens except the `initial_management` token can be created or updated using the [/v1/agent/token API](/api-docs/agent#update-acl-tokens). 
@@ -166,7 +166,7 @@ Snapshots are artifacts created with the [snapshot API](/api-docs/snapshot) for ### ACL Agent Token -The [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) is a special token that is used for an agent's internal operations. It isn't used directly for any user-initiated operations like the [`acl.tokens.default`](/docs/agent/options#acl_tokens_default), though if the `acl.tokens.agent` isn't configured the `acl.tokens.default` will be used. The ACL agent token is used for the following operations by the agent: +The [`acl.tokens.agent`](/docs/agent/config/config-files#acl_tokens_agent) is a special token that is used for an agent's internal operations. It isn't used directly for any user-initiated operations like the [`acl.tokens.default`](/docs/agent/config/config-files#acl_tokens_default), though if the `acl.tokens.agent` isn't configured the `acl.tokens.default` will be used. The ACL agent token is used for the following operations by the agent: 1. Updating the agent's node entry using the [Catalog API](/api-docs/catalog), including updating its node metadata, tagged addresses, and network coordinates 2. Performing [anti-entropy](/docs/architecture/anti-entropy) syncing, in particular reading the node metadata and services registered with the catalog @@ -190,7 +190,7 @@ key_prefix "_rexec" { -The `service_prefix` policy needs read access for any services that can be registered on the agent. If [remote exec is disabled](/docs/agent/options#disable_remote_exec), the default, then the `key_prefix` policy can be omitted. +The `service_prefix` policy needs read access for any services that can be registered on the agent. If [remote exec is disabled](/docs/agent/config/config-files#disable_remote_exec), the default, then the `key_prefix` policy can be omitted. ## Built-in Tokens diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index de67ad6d86..d9baf4f4ec 100644 
--- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -207,7 +207,7 @@ such as to the latest patch within a release series. #### Removing configuration options -The [`disable_compat_19`](/docs/agent/options#telemetry-disable_compat_1.9) telemetry configuration option is now removed. +The [`disable_compat_19`](/docs/agent/config/config-files#telemetry-disable_compat_1.9) telemetry configuration option is now removed. In prior Consul versions (1.10.x through 1.11.x), the config defaulted to `false`. In 1.12.x it defaulted to `true`. If you were using this flag, you must remove it before upgrading. @@ -227,7 +227,7 @@ Follow the same guidance as provided in the #### Changing the default behavior for option -The [`disable_compat_19`](/docs/agent/options#telemetry-disable_compat_1.9) telemetry configuration option now defaults +The [`disable_compat_19`](/docs/agent/config/config-files#telemetry-disable_compat_1.9) telemetry configuration option now defaults to `true`. In prior Consul versions (1.10.x through 1.11.x), the config defaulted to `false`. If you require 1.9 style `consul.http...` metrics, you may enable them by setting the flag to `false`. However, be advised that these metrics, as well as the flag will be removed in upcoming Consul 1.13. We recommend changing your instrumentation to use 1.10 and later @@ -705,7 +705,7 @@ automatically and without loss of connectivity throughout all datacenters and workloads. For more information see [Connect -Multi-datacenter](/docs/enterprise/connect-multi-datacenter). +Multi-datacenter](/docs/enterprise). ## Consul 1.3.0
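Review bot: In the CTS feature-comparison table hunk (the `Terraform Backend Options` row, just before `website/content/docs/nia/index.mdx`), only the `manta` link is pinned to a versioned path, `/language/v1.2.x/settings/backends/manta`, while the other eight backend links stay unversioned. The row still lists manta as a supported backend with no qualifier, so a reader cannot tell that its documentation lives only under the 1.2.x docs. Either add the Terraform version constraint next to the manta entry or confirm with the CTS owners that it should remain in the supported list.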
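Review bot: In `website/content/docs/security/acl/acl-policies.mdx`, hunk `@@ -344,12 +344,12 @@`, the rewritten `+` line for the "Non-default Namespaces and Partitions" callout still reads "tied to an namespace or admin partition". Since the line is being touched anyway, change it to "a namespace". The same hunk now uses `/docs/security/acl/acl-rules#...` for all three rule links, which is consistent.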
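Review bot: In `website/content/docs/upgrading/upgrade-specific.mdx`, hunks `@@ -207,7 +207,7 @@` and `@@ -227,7 +227,7 @@`, the path changes to `/docs/agent/config/config-files` but the fragment `#telemetry-disable_compat_1.9` is carried over unchanged, and it does not match the option name shown in the link text (`disable_compat_19`). Please confirm that this fragment id exists on the config-files page. A wrong fragment still resolves to the page, so a path-only link check will not flag it. The same check applies to the `#acl_*` fragments moved in the `acl-policies.mdx` and `acl-tokens.mdx` hunks, where readers follow them to security-relevant settings such as `acl.default_policy` and `acl.down_policy`.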
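Review bot: In `website/content/docs/upgrading/upgrade-specific.mdx`, hunk `@@ -705,7 +705,7 @@`, the link text stays "Connect Multi-datacenter" but the target becomes the generic `/docs/enterprise` landing page, so the link no longer leads to what it names. If the original page has a successor, link to that instead. Otherwise reword the sentence so the link text describes the Enterprise overview it now points to.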