status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

website: fix broken links (#14943)

This commit is contained in:
Bryce Kalow 2022-10-11 09:58:52 -05:00 committed by GitHub
parent e0356e1502
commit 6a09b284c9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
50 changed files with 145 additions and 145 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
website/content/api-docs/features/consistency.mdx
View File

@ -273,6 +273,6 @@ semantics as `stale` consistency mode but different trade offs. This behavior is
[agent caching feature documentation](/api-docs/features/caching)
<!-- Common links references -->
[`dns_config.allow_stale`]: /docs/agent/options#allow_stale)
[`dns_config.max_stale`]: /docs/agent/options#max_stale
[`discovery_max_stale`]: /docs/agent/options#discovery_max_stale
[`dns_config.allow_stale`]: /docs/agent/config/config-files#allow_stale
[`dns_config.max_stale`]: /docs/agent/config/config-files#max_stale
[`discovery_max_stale`]: /docs/agent/config/config-files#discovery_max_stale

4
website/content/api-docs/index.mdx
View File

@ -45,8 +45,8 @@ Use the following API endpoints enable network observability.
The following API endpoints help you manage Consul operations.
- [`/operator`](/api-docs/operator): Perform cluster-level tasks, such as interacting with the Raft subsystem or obtaining license information.
- [`/partition`](/api-docs/partition): Create and manage administrative or admin partitions in Consul. Admin partitions are supersets of Consul namespaces that isolate groups of resources to lower operational overhead.
- [`/namespace`](/api-docs/namespace): Create and manage namespaces in Consul. Namespaces isolate groups of resources to lower operational overhead.
- [`/partition`](/api-docs/admin-partitions): Create and manage administrative or admin partitions in Consul. Admin partitions are supersets of Consul namespaces that isolate groups of resources to lower operational overhead.
- [`/namespace`](/api-docs/namespaces): Create and manage namespaces in Consul. Namespaces isolate groups of resources to lower operational overhead.
- [`/snapshot`](/api-docs/snapshot): Save and restore Consul server state in the event of a disaster.
- [`/txn`](/api-docs/txn): Apply multiple operations, such as updating the catalog and retrieving multiple KV entries, in a single transaction.

2
website/content/commands/peering/establish.mdx
View File

@ -11,7 +11,7 @@ Command: `consul peering establish`
Corresponding HTTP API Endpoint: [\[POST\] /v1/peering/establish](/api-docs/peering#establish-a-peering-connection)
The `peering establish` starts a peering connection with the cluster that generated the peering token.
You can generate cluster peering tokens using the [`consul peering generate-token`](/commands/operator/generate-token) command or the [HTTP API](https://www.consul.io/api-docs/peering#generate-a-peering-token).
You can generate cluster peering tokens using the [`consul peering generate-token`](/commands/peering/generate-token) command or the [HTTP API](/api-docs/peering#generate-a-peering-token).
You can only use a peering token to establish the connection once. If you need to reestablish a peering connection, you must generate a new token.

2
website/content/docs/agent/sentinel.mdx
View File

@ -40,7 +40,7 @@ If the `enforcementlevel` property is not set, it defaults to "hard-mandatory".
## Imports
Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http). All functions in these imports are available to be used in policies.
Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http). All functions in these imports are available to be used in policies.
## Injected Variables

6
website/content/docs/agent/telemetry.mdx
View File

@ -294,7 +294,7 @@ This metric should be monitored to ensure that the license doesn't expire to pre
| Metric Name | Description | Unit | Type |
| :-------------------------------- | :--------------------------------------------------------------- | :---- | :---- |
| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_boltdb.NoFreelistSync`](/docs/agent/options#NoFreelistSync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge |
| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_boltdb.NoFreelistSync`](/docs/agent/config/config-files#NoFreelistSync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge |
| `consul.raft.boltdb.logsPerBatch` | Measures the number of logs being written per batch to the db. | logs | sample |
| `consul.raft.boltdb.storeLogs` | Measures the amount of time spent writing logs to the db. | ms | timer |
| `consul.raft.boltdb.writeCapacity` | Theoretical write capacity in terms of the number of logs that can be written per second. Each sample outputs what the capacity would be if future batched log write operations were similar to this one. This similarity encompasses 4 things: batch size, byte size, disk performance and boltdb performance. While none of these will be static and its highly likely individual samples of this metric will vary, aggregating this metric over a larger time window should provide a decent picture into how this BoltDB store can perform | logs/second | sample |
@ -337,7 +337,7 @@ indicator of an actual issue, this metric can be used to diagnose why the `consu
is high.
If Bolt DB log storage performance becomes an issue and is caused by free list management then setting
[`raft_boltdb.NoFreelistSync`](/docs/agent/options#NoFreelistSync) to `true` in the server's configuration
[`raft_boltdb.NoFreelistSync`](/docs/agent/config/config-files#NoFreelistSync) to `true` in the server's configuration
may help to reduce disk IO and log storage operation times. Disabling free list syncing will however increase
the startup time for a server as it must scan the raft.db file for free space instead of loading the already
populated free list structure.
@ -418,7 +418,7 @@ These metrics are used to monitor the health of the Consul servers.
| `consul.raft.applied_index` | Represents the raft applied index. | index | gauge |
| `consul.raft.apply` | Counts the number of Raft transactions occurring over the interval, which is a general indicator of the write load on the Consul servers. | raft transactions / interval | counter |
| `consul.raft.barrier` | Counts the number of times the agent has started the barrier i.e the number of times it has issued a blocking call, to ensure that the agent has all the pending operations that were queued, to be applied to the agent's FSM. | blocks / interval | counter |
| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_boltdb.NoFreelistSync`](/docs/agent/options#NoFreelistSync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge |
| `consul.raft.boltdb.freelistBytes` | Represents the number of bytes necessary to encode the freelist metadata. When [`raft_boltdb.NoFreelistSync`](/docs/agent/config/config-files#NoFreelistSync) is set to `false` these metadata bytes must also be written to disk for each committed log. | bytes | gauge |
| `consul.raft.boltdb.freePageBytes` | Represents the number of bytes of free space within the raft.db file. | bytes | gauge |
| `consul.raft.boltdb.getLog` | Measures the amount of time spent reading logs from the db. | ms | timer |
| `consul.raft.boltdb.logBatchSize` | Measures the total size in bytes of logs being written to the db in a single batch. | bytes | sample |

2
website/content/docs/architecture/index.mdx
View File

@ -25,7 +25,7 @@ The Consul control plane contains one or more _datacenters_. A datacenter is the
### Clusters
A collection of Consul agents that are aware of each other is called a _cluster_. The terms _datacenter_ and _cluster_ are often used interchangeably. In some cases, however, _cluster_ refers only to Consul server agents, such as in [HCP Consul](https://cloud.hashicorp.com/consul). In other contexts, such as the [_admin partitions_](/docs/enterprise/admin-partitions) feature included with Consul Enterprise, a cluster may refer to collection of client agents.
A collection of Consul agents that are aware of each other is called a _cluster_. The terms _datacenter_ and _cluster_ are often used interchangeably. In some cases, however, _cluster_ refers only to Consul server agents, such as in [HCP Consul](https://cloud.hashicorp.com/products/consul). In other contexts, such as the [_admin partitions_](/docs/enterprise/admin-partitions) feature included with Consul Enterprise, a cluster may refer to collection of client agents.
## Agents

2
website/content/docs/connect/ca/vault.mdx
View File

@ -7,7 +7,7 @@ description: >-
# Vault as a Service Mesh Certificate Authority
Consul can be used with [Vault](https://www.vaultproject.io) to
Consul can be used with [Vault](https://www.vaultproject.io/) to
manage and sign certificates.
The Vault CA provider uses the
[Vault PKI secrets engine](https://www.vaultproject.io/docs/secrets/pki)

2
website/content/docs/connect/cluster-peering/create-manage-peering.mdx
View File

@ -60,7 +60,7 @@ Create a JSON file that contains the first cluster's name and the peering token.
<Tab heading="Consul CLI" group="cli">
In `cluster-01`, use the [`consul peering generate-token` command](/commands/operator/generate-token) to issue a request for a peering token.
In `cluster-01`, use the [`consul peering generate-token` command](/commands/peering/generate-token) to issue a request for a peering token.
```shell-session
$ consul peering generate-token -name cluster-02

2
website/content/docs/connect/configuration.mdx
View File

@ -108,6 +108,6 @@ configure Connect on Nomad by reading the
The Consul Helm chart can automate much of Consul Connect's configuration, and
makes it easy to automatically inject Envoy sidecars into new pods when they are
deployed. Learn about the [Helm chart](/docs/platform/k8s/helm) in general,
deployed. Learn about the [Helm chart](/docs/k8s/helm) in general,
or if you are already familiar with it, check out its
[connect specific configurations](/docs/k8s/connect).

2
website/content/docs/connect/dataplane/consul-dataplane.mdx
View File

@ -7,7 +7,7 @@ description: >-
# Consul Dataplane CLI Reference
The `consul-dataplane` command interacts with the binary for [simplified service mesh with Consul Dataplane](/consul/docs/k8s/dataplane/index). Use this command to install Consul Dataplane, configure its Envoy proxies, and secure Dataplane deployments.
The `consul-dataplane` command interacts with the binary for [simplified service mesh with Consul Dataplane](/consul/docs/k8s/dataplane). Use this command to install Consul Dataplane, configure its Envoy proxies, and secure Dataplane deployments.
## Usage

2
website/content/docs/connect/nomad.mdx
View File

@ -7,7 +7,7 @@ description: >-
# Consul and Nomad Integration
Consul Connect can be used with [Nomad](https://www.nomadproject.io) to provide
Consul Connect can be used with [Nomad](https://www.nomadproject.io/) to provide
secure service-to-service communication between Nomad jobs and task groups.
Nomad is a simple, flexible scheduler and workload orchestrator. The ability to
use the [dynamic port](https://www.nomadproject.io/docs/job-specification/network#dynamic-ports)

2
website/content/docs/connect/transparent-proxy.mdx
View File

@ -223,7 +223,7 @@ Refer to [Kubernetes Health Checks in Consul on Kubernetes](/docs/k8s/connect/he
### Dial services across Kubernetes cluster
If your [Consul servers are federated between Kubernetes clusters](/docs/k8s/installation/multi-cluster/kubernetes),
If your [Consul servers are federated between Kubernetes clusters](/docs/k8s/deployment-configurations/multi-cluster/kubernetes),
then you must configure services in one Kubernetes cluster to explicitly dial a service in the datacenter of another Kubernetes cluster using the
[consul.hashicorp.com/connect-service-upstreams](/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) annotation.
The following example configures the service to dial an upstream service called `my-service` in datacenter `dc2` on port `1234`:

2
website/content/docs/ecs/manual/secure-configuration.mdx
View File

@ -34,7 +34,7 @@ There are two types of ACL tokens for Consul on ECS:
* **Client tokens:** used by the `consul-client` containers to join the Consul cluster
* **Service tokens:** used by sidecar containers for service registration and health syncing
This section describes how to manually configure the AWS IAM auth method for Consul on ECS. Alternatively, you can install the ACL controller to ease the burden of creating these resources. The ACL controller can automatically configure ACL resources for Consul on ECS. For additional details, refer to [ACL Controller](/docs/manual/acl-controller) and [Architecture](/docs/ecs/architecture).
This section describes how to manually configure the AWS IAM auth method for Consul on ECS. Alternatively, you can install the ACL controller to ease the burden of creating these resources. The ACL controller can automatically configure ACL resources for Consul on ECS. For additional details, refer to [ACL Controller](/docs/ecs/manual/acl-controller) and [Architecture](/docs/ecs/architecture).
### ECS Task Role Configuration

2
website/content/docs/enterprise/sentinel.mdx
View File

@ -17,7 +17,7 @@ description: >-
Sentinel policies extend the ACL system in Consul beyond static "read", "write",
and "deny" policies to support full conditional logic and integration with
external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts/) for high-level Sentinel concepts.
external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts) for high-level Sentinel concepts.
To get started with Sentinel in Consul,
[read the general documentation](https://docs.hashicorp.com/sentinel/consul) or

4
website/content/docs/integrate/nia-integration.mdx
View File

@ -87,7 +87,7 @@ Once the module development has been completed another email should be sent to n
At this stage, it is expected that the module is fully developed, all tests and documentation are in place, and that HashiCorp has reviewed the module to be compatible with Consul-Terraform-Sync.
Once this is done, HashiCorp will get the new module listed as Consul-Terraform-Sync compatible on [consul.io](/docs/nia/installation/requirements#partner-terraform-modules), and then the partner will be asked to publish the Terraform module to the [Terraform Registry](https://registry.terraform.io/browse/modules).
Once this is done, HashiCorp will get the new module listed as Consul-Terraform-Sync compatible on [consul.io](/docs/nia/usage/requirements#partner-terraform-modules), and then the partner will be asked to publish the Terraform module to the [Terraform Registry](https://registry.terraform.io/browse/modules).
### 6. Support
@ -95,7 +95,7 @@ Many partners view the release step to be the end of the journey, while at Hashi
The expectation is to resolve all critical issues within 48 hours and all other issues within 5 business days. HashiCorp Consul and Terraform have an extremely wide community of users and contributors and we encourage everyone to report issues however small, as well as help resolve them when possible.
Partners who choose to not follow the process of NIA Integration Program for their Consul-Terraform-Sync compatible Terraform modules will not have their modules listed on [consul.io](/docs/nia/installation/requirements#partner-terraform-modules).
Partners who choose to not follow the process of NIA Integration Program for their Consul-Terraform-Sync compatible Terraform modules will not have their modules listed on [consul.io](/docs/nia/usage/requirements#partner-terraform-modules).
### Contact Us

2
website/content/docs/integrate/partnerships.mdx
View File

@ -39,7 +39,7 @@ By leveraging Consul's RESTful HTTP API system, prospective partners are able to
**HCP Consul**: HCP Consul is secure by default and offers an out-of-the-box service mesh solution to streamline operations without the hassle of managing Consul servers. [Sign up for a free HCP Consul account](https://cloud.hashicorp.com/products/consul).
**Consul integration verification badges**: Partners will be issued the Consul Enterprise badge for integrations that work with [Consul Enterprise features](https://www.consul.io/docs/enterprise) such as namespaces. Partners will be issued the HCP Consul badge for integrations validated to work with [HCP Consul](https://cloud.hashicorp.com/docs/consul/features). Each badge would be displayed on HashiCorp's partner page as well as be available for posting on the partner's own website to provide better visibility and differentiation of the integration for joint customers.
**Consul integration verification badges**: Partners will be issued the Consul Enterprise badge for integrations that work with [Consul Enterprise features](https://www.consul.io/docs/enterprise) such as namespaces. Partners will be issued the HCP Consul badge for integrations validated to work with [HCP Consul](https://cloud.hashicorp.com/docs/consul#features). Each badge would be displayed on HashiCorp's partner page as well as be available for posting on the partner's own website to provide better visibility and differentiation of the integration for joint customers.
<span style={{display:'block', textAlign:'center'}}>
<ImageConfig inline height={192} width={192}>

2
website/content/docs/intro/index.mdx
View File

@ -57,7 +57,7 @@ You can also schedule Consul workloads with [HashiCorp Nomad](https://www.nomadp
Microservice architectures are complex and difficult to secure against accidental discloser to malicious actors. Consul provides several mechanisms that enhance network security without any changes to your application code, including mutual transport layer security (mTLS) encryption on all traffic between services and Consul intentions, which are service-to-service permissions that you can manage through the Consul UI, API, and CLI.
When you deploy Consul to Kubernetes clusters, you can also integrate with [HashiCorp Vault](http://vaultproject.io) to manage sensitive data. By default, Consul on Kubernetes leverages Kubernetes secrets as the backend system. Kubernetes secrets are base64 encoded, unencrypted, and lack lease or time-to-live properties. By leveraging Vault as a secrets backend for Consul on Kubernetes, you can manage and store Consul related secrets within a centralized Vault cluster to use across one or many Consul on Kubernetes datacenters. Refer to [Vault as the Secrets Backend](/docs/k8s/installation/vault) for additional information.
When you deploy Consul to Kubernetes clusters, you can also integrate with [HashiCorp Vault](https://www.vaultproject.io/) to manage sensitive data. By default, Consul on Kubernetes leverages Kubernetes secrets as the backend system. Kubernetes secrets are base64 encoded, unencrypted, and lack lease or time-to-live properties. By leveraging Vault as a secrets backend for Consul on Kubernetes, you can manage and store Consul related secrets within a centralized Vault cluster to use across one or many Consul on Kubernetes datacenters. Refer to [Vault as the Secrets Backend](/docs/k8s/deployment-configurations/vault) for additional information.
You can also secure your Consul deployment, itself, by defining security policies in access control lists (ACL) to control access to data and Consul APIs.

2
website/content/docs/k8s/deployment-configurations/consul-enterprise.mdx
View File

@ -10,7 +10,7 @@ You can use this Helm chart to deploy Consul Enterprise by following a few extra
Find the license file that you received in your welcome email. It should have a `.hclic` extension. You will use the contents of this file to create a Kubernetes secret before installing the Helm chart.
-> **Note:** This guide assumes you are storing your license as a Kubernetes Secret. If you would like to store the enterprise license in Vault, please reference [Storing the Enterprise License in Vault](/docs/k8s/installation/vault/enterprise-license).
-> **Note:** This guide assumes you are storing your license as a Kubernetes Secret. If you would like to store the enterprise license in Vault, please reference [Storing the Enterprise License in Vault](/docs/k8s/deployment-configuration/vault/data-integration/enterprise-license).
You can use the following commands to create the secret with name `consul-ent-license` and key `key`:

2
website/content/docs/k8s/deployment-configurations/multi-cluster/index.mdx
View File

@ -74,6 +74,6 @@ There are three networking requirements:
## Next Steps
Now that you have an overview of federation, proceed to either the
[Federation Between Kubernetes Clusters](/docs/k8s/installation/multi-cluster/kubernetes)
[Federation Between Kubernetes Clusters](/docs/k8s/deployment-configurations/multi-cluster/kubernetes)
or [Federation Between VMs and Kubernetes](/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes)
pages depending on your use case.

10
website/content/docs/k8s/deployment-configurations/multi-cluster/vms-and-kubernetes.mdx
View File

@ -13,14 +13,14 @@ description: >-
Consul datacenters running on non-kubernetes platforms like VMs or bare metal can
be federated with Kubernetes datacenters. Just like with Kubernetes, one datacenter
must be the [primary](/docs/k8s/installation/multi-cluster/kubernetes#primary-datacenter).
must be the [primary](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#primary-datacenter).
## Kubernetes as the Primary
If your primary datacenter is running on Kubernetes, use the Helm config from the
[Primary Datacenter](/docs/k8s/installation/multi-cluster/kubernetes#primary-datacenter) section to install Consul.
[Primary Datacenter](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#primary-datacenter) section to install Consul.
Once installed on Kubernetes, and with the `ProxyDefaults` [resource created](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults),
Once installed on Kubernetes, and with the `ProxyDefaults` [resource created](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#proxydefaults),
you'll need to export the following information from the primary Kubernetes cluster:
- Certificate authority cert and key (in order to create SSL certs for VMs)
@ -209,7 +209,7 @@ ports {
## Kubernetes as the Secondary
If you're running your primary datacenter on VMs then you'll need to manually
construct the [Federation Secret](/docs/k8s/installation/multi-cluster/kubernetes#federation-secret) in order to federate
construct the [Federation Secret](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#federation-secret) in order to federate
Kubernetes clusters as secondaries.
-> Your VM cluster must be running mesh gateways, and have mesh gateway WAN
@ -351,7 +351,7 @@ With your config file ready to go, follow our [Installation Guide](/docs/k8s/ins
to install Consul on your secondary cluster(s).
After installation, if you're using consul-helm 0.30.0+, [create the
`ProxyDefaults` resource](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults)
`ProxyDefaults` resource](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#proxydefaults)
to allow traffic between datacenters.
## Next Steps

6
website/content/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token.mdx
View File

@ -9,7 +9,7 @@ description: >-
This topic describes how to configure the Consul Helm chart to use an ACL bootstrap token stored in Vault.
## Overview
To use an ACL bootstrap token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section.
To use an ACL bootstrap token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section.
Complete the following steps once:
1. Store the secret in Vault.
@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster:
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
## Store the Secret in Vault

6
website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx
View File

@ -14,7 +14,7 @@ Consul allows using Kubernetes auth methods to configure Connect CA.
This allows for automatic token rotation once the renewal is no longer possible.
## Overview
To use Vault as the service mesh certificate provider on Kubernetes, you will complete a modified version of the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section.
To use Vault as the service mesh certificate provider on Kubernetes, you will complete a modified version of the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section.
Complete the following steps once:
1. Create a Vault policy that authorizes the desired level of access to the secret.
@ -25,8 +25,8 @@ Repeat the following steps for each datacenter in the cluster:
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
## Create Vault policy

6
website/content/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license.mdx
View File

@ -9,7 +9,7 @@ description: >-
This topic describes how to configure the Consul Helm chart to use an enterprise license stored in Vault.
## Overview
Complete the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section to use an enterprise license stored in Vault.
Complete the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section to use an enterprise license stored in Vault.
Complete the following steps once:
1. Store the secret in Vault.
@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster:
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
## Store the Secret in Vault

6
website/content/docs/k8s/deployment-configurations/vault/data-integration/gossip.mdx
View File

@ -10,7 +10,7 @@ description: >-
This topic describes how to configure the Consul Helm chart to use TLS certificates issued by Vault in the Consul controller and connect inject webhooks.
## Overview
Complete the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section to use a gossip encryption key stored in Vault.
Complete the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section to use a gossip encryption key stored in Vault.
Complete the following steps once:
1. Store the secret in Vault.
@ -22,8 +22,8 @@ Repeat the following steps for each datacenter in the cluster:
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
## Store the Secret in Vault
First, generate and store the gossip key in Vault. You will only need to perform this action once:

56
website/content/docs/k8s/deployment-configurations/vault/data-integration/index.mdx
View File

@ -24,11 +24,11 @@ Repeat the following steps for each datacenter in the cluster:
1. Update the Consul on Kubernetes helm chart.
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault).
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
### Example - Gossip Encryption Key Integration
Following the general integration steps, a more detailed workflow for integration of the [Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip) with the Vault Secrets backend would like the following:
Following the general integration steps, a more detailed workflow for integration of the [Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip) with the Vault Secrets backend would like the following:
Complete the following steps once:
@ -57,15 +57,15 @@ It includes things like terminating gateways, ingress gateways, etc.)
### Primary Datacenter
| Secret | Service Account For | Configurable Role in Consul k8s Helm |
| ------ | ------------------- | ------------------------------------ |
|[ACL Bootstrap token](/docs/k8s/installation/vault/data-integration/bootstrap-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)|
|[ACL Partition token](/docs/k8s/installation/vault/data-integration/partition-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)|
|[ACL Replication token](/docs/k8s/installation/vault/data-integration/replication-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)|
|[Enterprise license](/docs/k8s/installation/vault/data-integration/enterprise-license) | Consul servers<br/>Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)|
|[Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip) | Consul servers<br/>Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)|
|[Snapshot Agent config](/docs/k8s/installation/vault/data-integration/snapshot-agent-config) | Consul snapshot agent | [`global.secretsBackend.vault.consulSnapshotAgentRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulsnapshotagentrole)|
|[Server TLS credentials](/docs/k8s/installation/vault/data-integration/server-tls) | Consul servers<br/>Consul clients<br/>Consul components | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)<br/>[`global.secretsBackend.vault.consulCARole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulcarole)|
|[Service Mesh and Consul client TLS credentials](/docs/k8s/installation/vault/data-integration/connect-ca) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)|
|[Webhook TLS certificates for controller and connect inject](/docs/k8s/installation/vault/data-integration/connect-ca) | Consul controllers<br/>Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)<br />[`global.secretsBackend.vault.connectInjectRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)|
|[ACL Bootstrap token](/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)|
|[ACL Partition token](/docs/k8s/deployment-configurations/vault/data-integration/partition-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)|
|[ACL Replication token](/docs/k8s/deployment-configurations/vault/data-integration/replication-token) | Consul server-acl-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)|
|[Enterprise license](/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license) | Consul servers<br/>Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)|
|[Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip) | Consul servers<br/>Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)|
|[Snapshot Agent config](/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config) | Consul snapshot agent | [`global.secretsBackend.vault.consulSnapshotAgentRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulsnapshotagentrole)|
|[Server TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/server-tls) | Consul servers<br/>Consul clients<br/>Consul components | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)<br/>[`global.secretsBackend.vault.consulCARole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulcarole)|
|[Service Mesh and Consul client TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)|
|[Webhook TLS certificates for controller and connect inject](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul controllers<br/>Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)<br />[`global.secretsBackend.vault.connectInjectRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)|
### Secondary Datacenters
The mapping for secondary data centers is similar with the following differences:
@ -75,18 +75,18 @@ The mapping for secondary data centers is similar with the following differences
| Secret | Service Account For | Configurable Role in Consul k8s Helm |
| ------ | ------------------- | ------------------------------------ |
|[ACL Partition token](/docs/k8s/installation/vault/data-integration/partition-token) | Consul server-acl-init job<br/>Consul partition-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)<br/>[`global.secretsBackend.vault.adminPartitionsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-adminpartitionsrole)|
|[ACL Replication token](/docs/k8s/installation/vault/data-integration/replication-token) | Consul server-acl-init job<br/>Consul servers | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)<br/>[`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)|
|[Enterprise license](/docs/k8s/installation/vault/data-integration/enterprise-license) | Consul servers<br/>Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)|
|[Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip) | Consul servers<br/>Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)|
|[Snapshot Agent config](/docs/k8s/installation/vault/data-integration/snapshot-agent-config) | Consul snapshot agent | [`global.secretsBackend.vault.consulSnapshotAgentRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulsnapshotagentrole)|
|[Server TLS credentials](/docs/k8s/installation/vault/data-integration/server-tls) | Consul servers<br/>Consul clients<br/>Consul components | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)<br/>[`global.secretsBackend.vault.consulCARole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulcarole)|
|[Service Mesh and Consul client TLS credentials](/docs/k8s/installation/vault/data-integration/connect-ca) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)|
|[Webhook TLS certificates for controller and connect inject](/docs/k8s/installation/vault/data-integration/connect-ca) | Consul controllers<br/>Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)<br />[`global.secretsBackend.vault.connectInjectRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)|
|[ACL Partition token](/docs/k8s/deployment-configurations/vault/data-integration/partition-token) | Consul server-acl-init job<br/>Consul partition-init job | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)<br/>[`global.secretsBackend.vault.adminPartitionsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-adminpartitionsrole)|
|[ACL Replication token](/docs/k8s/deployment-configurations/vault/data-integration/replication-token) | Consul server-acl-init job<br/>Consul servers | [`global.secretsBackend.vault.manageSystemACLsRole`](/docs/k8s/helm#v-global-secretsbackend-vault-managesystemaclsrole)<br/>[`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)|
|[Enterprise license](/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license) | Consul servers<br/>Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)|
|[Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip) | Consul servers<br/>Consul clients | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)|
|[Snapshot Agent config](/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config) | Consul snapshot agent | [`global.secretsBackend.vault.consulSnapshotAgentRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulsnapshotagentrole)|
|[Server TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/server-tls) | Consul servers<br/>Consul clients<br/>Consul components | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)<br/>[`global.secretsBackend.vault.consulClientRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulclientrole)<br/>[`global.secretsBackend.vault.consulCARole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulcarole)|
|[Service Mesh and Consul client TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul servers | [`global.secretsBackend.vault.consulServerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-consulserverrole)|
|[Webhook TLS certificates for controller and connect inject](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca) | Consul controllers<br/>Consul connect inject | [`global.secretsBackend.vault.controllerRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)<br />[`global.secretsBackend.vault.connectInjectRole`](/docs/k8s/helm#v-global-secretsbackend-vault-controllerrole)|
### Combining policies within roles
As you can see in the table above, depending upon your needs, a Consul on Kubernetes service account could have the need to request more than one secret. In these cases, you will want to create one role for the Consul on Kubernetes service account that is mapped to multiple policies, each of which allows it access to a given secret.
For example, if your Consul on Kubernetes servers need access to [Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip), [Consul Server TLS credentials](/docs/k8s/installation/vault/data-integration/server-tls), and [Enterprise license](/docs/k8s/installation/vault/data-integration/enterprise-license), assuming you have already saved the secrets in vault, you would:
For example, if your Consul on Kubernetes servers need access to [Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip), [Consul Server TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/server-tls), and [Enterprise license](/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license), assuming you have already saved the secrets in vault, you would:
1. Create a policy for each secret.
1. Gossip encryption key
@ -147,16 +147,16 @@ For example, if your Consul on Kubernetes servers need access to [Gossip encrypt
## Detailed data integration guides
The following secrets can be stored in Vault KV secrets engine, which is meant to handle arbitrary secrets:
- [ACL Bootstrap token](/docs/k8s/installation/vault/data-integration/bootstrap-token)
- [ACL Partition token](/docs/k8s/installation/vault/data-integration/partition-token)
- [ACL Replication token](/docs/k8s/installation/vault/data-integration/replication-token)
- [Enterprise license](/docs/k8s/installation/vault/data-integration/enterprise-license)
- [Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip)
- [Snapshot Agent config](/docs/k8s/installation/vault/data-integration/snapshot-agent-config)
- [ACL Bootstrap token](/docs/k8s/deployment-configurations/vault/data-integration/bootstrap-token)
- [ACL Partition token](/docs/k8s/deployment-configurations/vault/data-integration/partition-token)
- [ACL Replication token](/docs/k8s/deployment-configurations/vault/data-integration/replication-token)
- [Enterprise license](/docs/k8s/deployment-configurations/vault/data-integration/enterprise-license)
- [Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip)
- [Snapshot Agent config](/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config)
The following TLS certificates and keys can generated and managed by Vault the Vault PKI Engine, which is meant to handle things like certificate expiration and rotation:
- [Server TLS credentials](/docs/k8s/installation/vault/data-integration/server-tls)
- [Service Mesh and Consul client TLS credentials](/docs/k8s/installation/vault/data-integration/connect-ca)
- [Server TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/server-tls)
- [Service Mesh and Consul client TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca)
- [Vault as the Webhook Certificate Provider for Consul Controller and Connect Inject on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs)
## Secrets to Service Account Mapping

6
website/content/docs/k8s/deployment-configurations/vault/data-integration/partition-token.mdx
View File

@ -10,7 +10,7 @@ description: >-
This topic describes how to configure the Consul Helm chart to use an ACL partition token stored in Vault when using [Admin Partitions](/docs/enterprise/admin-partitions) in Consul Enterprise.
## Overview
Complete the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section to use an ACL partition token stored in Vault.
Complete the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section to use an ACL partition token stored in Vault.
Complete the following steps once:
1. Store the secret in Vault.
@ -22,8 +22,8 @@ Repeat the following steps for each datacenter in the cluster:
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
## Store the Secret in Vault

6
website/content/docs/k8s/deployment-configurations/vault/data-integration/replication-token.mdx
View File

@ -9,7 +9,7 @@ description: >-
This topic describes how to configure the Consul Helm chart to use an ACL replication token stored in Vault.
## Overview
To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section.
To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section.
Complete the following steps once:
1. Store the secret in Vault.
@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster:
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
## Store the Secret in Vault

8
website/content/docs/k8s/deployment-configurations/vault/data-integration/server-tls.mdx
View File

@ -8,7 +8,7 @@ description: >-
# Vault as the Server TLS Certificate Provider on Kubernetes
## Overview
To use Vault as the server TLS certificate provider on Kubernetes, complete a modified version of the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section.
To use Vault as the server TLS certificate provider on Kubernetes, complete a modified version of the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section.
Complete the following steps once:
1. Create a Vault policy that authorizes the desired level of access to the secret.
@ -20,8 +20,8 @@ Repeat the following steps for each datacenter in the cluster:
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault).
2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault).
1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
3. Complete the [Bootstrapping the PKI Engine](#bootstrapping-the-pki-engine) section.
## Bootstrapping the PKI Engine
@ -54,7 +54,7 @@ TLS certificates to Consul.
To use Vault to issue Server TLS certificates, you will need to create the following:
1. Create a policy that allows `["create", "update"]` access to the
[certificate issuing URL](https://www.vaultproject.io/api/secret/pki#generate-certificate) so the Consul servers can
[certificate issuing URL](https://www.vaultproject.io/api-docs/secret/pki#generate-certificate) so the Consul servers can
fetch a new certificate/key pair.
The path to the secret referenced in the `path` resource is the same value that you will configure in the `server.serverCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).

6
website/content/docs/k8s/deployment-configurations/vault/data-integration/snapshot-agent-config.mdx
View File

@ -9,7 +9,7 @@ description: >-
This topic describes how to configure the Consul Helm chart to use a snapshot agent config stored in Vault.
## Overview
To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section.
To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section.
Complete the following steps once:
1. Store the secret in Vault.
@ -21,8 +21,8 @@ Repeat the following steps for each datacenter in the cluster:
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
1. Read and completed the steps in the [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
1. Read and completed the steps in the [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
## Store the Secret in Vault

12
website/content/docs/k8s/deployment-configurations/vault/data-integration/webhook-certs.mdx
View File

@ -19,7 +19,7 @@ When Vault is configured as the controller and connect inject Webhook Certificat
- controller and connect inject each locally update its own `mutatingwebhookconfiguration` so that Kubernetes can relay events.
- Vault manages certificate rotation and rotates certificates to each webhook.
To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/docs/k8s/installation/vault/data-integration) section:
To use Vault as the controller and connect inject Webhook Certificate Provider, we will need to modify the steps outlined in the [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) section:
These following steps will be repeated for each datacenter:
1. Create a Vault policy that authorizes the desired level of access to the secret.
@ -29,10 +29,10 @@ These following steps will be repeated for each datacenter:
## Prerequisites
Complete the following prerequisites prior to implementing the integration described in this topic:
1. Verify that you have completed the steps described in [Systems Integration](/docs/k8s/installation/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault).
1. You should be familiar with the [Data Integration Overview](/docs/k8s/installation/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/installation/vault).
1. Configure [Vault as the Server TLS Certificate Provider on Kubernetes](/docs/k8s/installation/vault/data-integration/server-tls)
1. Configure [Vault as the Service Mesh Certificate Provider on Kubernetes](/docs/k8s/installation/vault/data-integration/connect-ca)
1. Verify that you have completed the steps described in [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
1. You should be familiar with the [Data Integration Overview](/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
1. Configure [Vault as the Server TLS Certificate Provider on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/server-tls)
1. Configure [Vault as the Service Mesh Certificate Provider on Kubernetes](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca)
## Bootstrapping the PKI Engines
Issue the following commands to enable and configure the PKI Secrets Engine to serve TLS certificates for the controller and connect inject webhooks:
@ -92,7 +92,7 @@ Issue the following commands to enable and configure the PKI Secrets Engine to s
EOF
```
1. Create a policy that allows `["read"]` access to the [CA URL](https://www.vaultproject.io/api/secret/pki#read-certificate),
1. Create a policy that allows `["read"]` access to the [CA URL](https://www.vaultproject.io/api-docs/secret/pki#read-certificate),
this is required for the Consul components to communicate with the Consul servers in order to fetch their auto-encryption certificates.
The path to the secret referenced in the `path` resource is the same values that you will configure in the `global.secretsBackend.vault.controller.caCert.secretName` and `global.secretsBackend.vault.connectInject.caCert.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).

2
website/content/docs/k8s/deployment-configurations/vault/index.mdx
View File

@ -47,7 +47,7 @@ The following TLS certificates and keys can be generated and managed by the Vaul
The Vault integration with Consul on Kubernetes has two aspects or phases:
- [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) - Configure Vault and Consul on Kubernetes systems to leverage Vault as the secrets store.
- [Data Integration](/docs/k8s/installation/vault/data-integration) - Configure specific secrets to be stored and
- [Data Integration](/docs/k8s/deployment-configurations/vault/data-integration) - Configure specific secrets to be stored and
retrieved from Vault for use with Consul on Kubernetes.
As a next step, please proceed to [Systems Integration](/docs/k8s/deployment-configurations/vault/systems-integration) overview to understand how to first setup Vault and Consul on Kubernetes to leverage Vault as a secrets backend.

4
website/content/docs/k8s/deployment-configurations/vault/systems-integration.mdx
View File

@ -12,7 +12,7 @@ Integrating Vault with Consul on Kubernetes includes a one-time setup on Vault a
Complete the following steps once:
- Enabling Vault KV Secrets Engine - Version 2 to store arbitrary secrets
- Enabling Vault PKI Engine if you are choosing to store and manage either [Consul Server TLS credentials](/docs/k8s/installation/vault/data-integration/server-tls) or [Service Mesh and Consul client TLS credentials](/docs/k8s/installation/vault/data-integration/connect-ca)
- Enabling Vault PKI Engine if you are choosing to store and manage either [Consul Server TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/server-tls) or [Service Mesh and Consul client TLS credentials](/docs/k8s/deployment-configurations/vault/data-integration/connect-ca)
Repeat the following steps for each datacenter in the cluster:
- Installing the Vault Injector within the Consul datacenter installation
@ -39,7 +39,7 @@ $ vault secrets enable -path=consul kv-v2
## Vault PKI Engine
The Vault PKI Engine must be enabled in order to leverage Vault for issuing Consul Server TLS certificates. More details for configuring the PKI Engine is found in [Bootstrapping the PKI Engine](/docs/k8s/installation/vault/data-integration/server-tls#bootstrapping-the-pki-engine) under the Server TLS section.
The Vault PKI Engine must be enabled in order to leverage Vault for issuing Consul Server TLS certificates. More details for configuring the PKI Engine is found in [Bootstrapping the PKI Engine](/docs/k8s/deployment-configurations/vault/data-integration/server-tls#bootstrapping-the-pki-engine) under the Server TLS section.
```shell-session
$ vault secrets enable pki

6
website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx
View File

@ -9,10 +9,10 @@ description: >-
~> **Note**: This topic requires familiarity with [Mesh Gateways](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters), [WAN Federation Via Mesh Gateways](/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways).
This page describes how you can federate multiple Kubernetes clusters using Vault as the secrets backend. See the [Multi-Cluster Overview](/docs/k8s/installation/multi-cluster) for more information on use cases and how it works.
This page describes how you can federate multiple Kubernetes clusters using Vault as the secrets backend. See the [Multi-Cluster Overview](/docs/k8s/deployment-configurations/multi-cluster) for more information on use cases and how it works.
## Differences Between Using Kubernetes Secrets vs. Vault
The [Federation Between Kubernetes Clusters](/docs/k8s/installation/multi-cluster/kubernetes) page provides an overview of WAN Federation using Mesh Gateways with Kubernetes secrets as the secret backend. When using Vault as the secrets backend, there are different systems and data integration configuration that will be explained in the [Usage](#usage) section of this page. The other main difference is that when using Vault, there is no need for you to export and import a [Federation Secret](/docs/k8s/installation/multi-cluster/kubernetes#federation-secret) in each datacenter.
The [Federation Between Kubernetes Clusters](/docs/k8s/deployment-configurations/multi-cluster/kubernetes) page provides an overview of WAN Federation using Mesh Gateways with Kubernetes secrets as the secret backend. When using Vault as the secrets backend, there are different systems and data integration configuration that will be explained in the [Usage](#usage) section of this page. The other main difference is that when using Vault, there is no need for you to export and import a [Federation Secret](/docs/k8s/deployment-configurations/multi-cluster/kubernetes#federation-secret) in each datacenter.
## Usage
@ -28,7 +28,7 @@ The Vault Agents on each Consul pod will communicate directly with Vault on its
![Vault agent and server communication](/img/k8s/consul-vault-wan-federation-vault-communication.svg 'Vault agent and server communication')
The two data centers will federated using mesh gateways. This communication topology is also described in the [WAN Federation Via Mesh Gateways](/docs/k8s/installation/multi-cluster#wan-federation-via-mesh-gateways) section of [Multi-Cluster Federation Overview](/docs/k8s/installation/multi-cluster).
The two data centers will federated using mesh gateways. This communication topology is also described in the [WAN Federation Via Mesh Gateways](/docs/k8s/deployment-configurations/multi-cluster#wan-federation-via-mesh-gateways) section of [Multi-Cluster Federation Overview](/docs/k8s/deployment-configurations/multi-cluster).
![Mesh Federation via Mesh Gateways](/img/k8s/consul-vault-wan-federation-mesh-communication.svg 'Mesh Federation via Mesh Gateways')

12
website/content/docs/k8s/helm.mdx
View File

@ -516,7 +516,7 @@ Use these links to navigate to a particular top-level stanza.
This address must be reachable from the Consul servers in the primary datacenter.
This auth method will be used to provision ACL tokens for Consul components and is different
from the one used by the Consul Service Mesh.
Please see the [Kubernetes Auth Method documentation](https://consul.io/docs/acl/auth-methods/kubernetes).
Please see the [Kubernetes Auth Method documentation](/docs/security/acl/auth-methods/kubernetes).
You can retrieve this value from your `kubeconfig` by running:
@ -749,7 +749,7 @@ Use these links to navigate to a particular top-level stanza.
--set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
command because of a limitation in the Helm templating language.
- `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul
- `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/config/config-files) for Consul
servers. This will be saved as-is into a ConfigMap that is read by the Consul
server agents. This can be used to add additional configuration that
isn't directly exposed by the chart.
@ -1044,7 +1044,7 @@ Use these links to navigate to a particular top-level stanza.
- `tlsInit` ((#v-client-containersecuritycontext-tlsinit)) (`map`) - The tls-init initContainer
- `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul
- `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/config/config-files) for Consul
clients. This will be saved as-is into a ConfigMap that is read by the Consul
client agents. This can be used to add additional configuration that
isn't directly exposed by the chart.
@ -1356,15 +1356,15 @@ Use these links to navigate to a particular top-level stanza.
will inherit from `global.metrics.enabled` value.
- `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. See
https://www.consul.io/docs/agent/options#ui_config_metrics_provider
https://www.consul.io/docs/agent/config/config-files#ui_config_metrics_provider
This value is only used if `ui.enabled` is set to true.
- `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL.
This value is only used if `ui.enabled` is set to true.
- `dashboardURLTemplates` ((#v-ui-dashboardurltemplates)) - Corresponds to https://www.consul.io/docs/agent/options#ui_config_dashboard_url_templates configuration.
- `dashboardURLTemplates` ((#v-ui-dashboardurltemplates)) - Corresponds to https://www.consul.io/docs/agent/config/config-files#ui_config_dashboard_url_templates configuration.
- `service` ((#v-ui-dashboardurltemplates-service)) (`string: ""`) - Sets https://www.consul.io/docs/agent/options#ui_config_dashboard_url_templates_service.
- `service` ((#v-ui-dashboardurltemplates-service)) (`string: ""`) - Sets https://www.consul.io/docs/agent/config/config-files#ui_config_dashboard_url_templates_service.
### syncCatalog ((#h-synccatalog))

4
website/content/docs/k8s/operations/gossip-encryption-key-rotation.mdx
View File

@ -9,7 +9,7 @@ description: >-
The following instructions provides a step-by-step manual process for rotating [gossip encryption](/docs/security/encryption#gossip-encryption) keys on Consul clusters that are deployed onto a Kubernetes cluster with Consul on Kubernetes.
The following steps need only be performed once in any single datacenter if your Consul clusters are [federated](/docs/k8s/installation/multi-cluster/kubernetes). Rotating the gossip encryption key in one datacenter will automatically rotate the gossip encryption key for all the other datacenters.
The following steps need only be performed once in any single datacenter if your Consul clusters are [federated](/docs/k8s/deployment-configurations/multi-cluster/kubernetes). Rotating the gossip encryption key in one datacenter will automatically rotate the gossip encryption key for all the other datacenters.
-> **Note:** Careful precaution should be taken to prohibit new clients from joining during the gossip encryption rotation process, otherwise the new clients will join the gossip pool without knowledge of the new primary gossip encryption key. In addition, deletion of a gossip encryption key from the keyring should occur only after clients have safely migrated to utilizing the new gossip encryption key for communication.
@ -128,7 +128,7 @@ The following steps need only be performed once in any single datacenter if your
</Tab>
<Tab heading="Vault">
-> **Note:** These Vault instructions assume that you have integrated your [Gossip encryption key](/docs/k8s/installation/vault/data-integration/gossip) using [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
-> **Note:** These Vault instructions assume that you have integrated your [Gossip encryption key](/docs/k8s/deployment-configurations/vault/data-integration/gossip) using [Vault as a Secrets Backend](/docs/k8s/deployment-configurations/vault).
Update the gossip encryption Vault Secret with the value of the new gossip encryption key to ensure that subsequent `helm upgrades` commands execute successfully.
The name of the secret that stores the value of the gossip encryption key can be found in the Helm values file:

2
website/content/docs/lambda/index.mdx
View File

@ -14,7 +14,7 @@ You can configure Consul to allow services in your mesh to invoke Lambda functio
The first step is to register your Lambda functions into Consul. We recommend using the [Lambda registrator module](https://github.com/hashicorp/terraform-aws-consul-lambda/tree/main/modules/lambda-registrator) to automatically synchronize Lambda functions into Consul. You can also manually register Lambda functions into Consul if you are unable to use the Lambda registrator.
Refer to [Lambda Function Registration Requirements](/docs/lambda/registration/index) for additional information about registering Lambda functions into Consul.
Refer to [Lambda Function Registration Requirements](/docs/lambda/registration) for additional information about registering Lambda functions into Consul.
## Invoke Lambda functions from Consul service mesh

2
website/content/docs/lambda/registration/automate.mdx
View File

@ -38,7 +38,7 @@ The following diagram shows the flow of events from EventBridge into Consul:
## Requirements
Verify that your environment meets the requirements specified in [Lambda Function Registration Requirements](/docs/lambda/registration/index).
Verify that your environment meets the requirements specified in [Lambda Function Registration Requirements](/docs/lambda/registration).
## Configuration

2
website/content/docs/lambda/registration/manual.mdx
View File

@ -11,7 +11,7 @@ This topic describes how to manually register Lambda functions into Consul. Refe
## Requirements
Verify that your environment meets the requirements specified in [Lambda Function Registration Requirements](/docs/lambda/registration/index).
Verify that your environment meets the requirements specified in [Lambda Function Registration Requirements](/docs/lambda/registration).
To manually register Lambda functions so that mesh services can invoke them, you must create and apply a service registration configuration for the Lambda function and write a [service defaults configuration entry](/docs/connect/config-entries/service-defaults) for the function.

2
website/content/docs/nia/cli/task.mdx
View File

@ -9,7 +9,7 @@ description: >-
## task create
`task create` command creates a new task so that it will run and update task resources. The command generates and outputs a Terraform plan, similar to [inspect-mode](/docs/nia/cli/cli-overview#inspect-mode), of how resources will be modified if the task is created. The command will then ask for user approval before creating the task.
`task create` command creates a new task so that it will run and update task resources. The command generates and outputs a Terraform plan, similar to [inspect-mode](/docs/nia/cli/start#modes), of how resources will be modified if the task is created. The command will then ask for user approval before creating the task.
It is not to be used for updating a task and will not create a task if the task name already exists.

8
website/content/docs/nia/configuration.mdx
View File

@ -98,7 +98,7 @@ The `consul` block configures the CTS connection with a Consul agent so that CTS
-> **Note:** Use HTTP/2 to improve Consul-Terraform-Sync performance when communicating with the local Consul process. [TLS/HTTPS](/docs/agent/config/config-files) must be configured for the local Consul with the [cert_file](/docs/agent/config/config-files#cert_file) and [key_file](/docs/agent/config/config-files#key_file) parameters set. For the Consul-Terraform-Sync configuration, set `tls.enabled = true` and set the `address` parameter to the HTTPS URL, e.g., `address = example.consul.com:8501`. If using self-signed certificates for Consul, you will also need to set `tls.verify = false` or add the certificate to `ca_cert` or `ca_path`.
To read more on suggestions for configuring the Consul agent, see [run an agent](/docs/nia/installation/requirements#run-an-agent).
To read more on suggestions for configuring the Consul agent, see [run an agent](/docs/nia/usage/requirements#run-an-agent).
```hcl
consul {
@ -245,7 +245,7 @@ The `instance` parameter is an object that contains configurations unique to the
## Service
~> **Note:** Deprecated in CTS 0.5.0 and will be removed in a future major release. `service` blocks are used to define the `task` block's `services` fields, which were also deprecated and replaced with [Services Condition](/docs/nia/configuration#services-condition) and [Services Module Input](/docs/nia/configuration#services-module-input). `service` block configuration can be replaced by configuring the equivalent fields of the corresponding Services Condition and Services Module Input. Refer to [0.5.0 release notes](/docs/nia/release-notes/0-5-0#deprecate-service-block) for examples.
~> **Note:** Deprecated in CTS 0.5.0 and will be removed in a future major release. `service` blocks are used to define the `task` block's `services` fields, which were also deprecated and replaced with [Services Condition](/docs/nia/configuration#services-condition) and [Services Module Input](/docs/nia/configuration#services-module-input). `service` block configuration can be replaced by configuring the equivalent fields of the corresponding Services Condition and Services Module Input. Refer to [0.5.0 release notes](/docs/release-notes/consul-terraform-sync/v0_5_x#deprecate-service-block) for examples.
A `service` block is an optional block to explicitly define the services configured in the `task` block's `services` field (deprecated). `service` blocks do not define services configured in the `task` block's `condition "services"` or `module_input "services` blocks.
@ -292,7 +292,7 @@ task {
- `name` - (string: required) Name is the unique name of the task (required). A task name must start with a letter or underscore and may contain only letters, digits, underscores, and dashes.
- `enabled` - (bool: true) Enable or disable a task from running and managing resources.
- `providers` - (list[string]) Providers is the list of provider names the task is dependent on. This is used to map [Terraform provider configuration](#terraform-provider) to the task.
- `services` - (list[string]) **Deprecated in CTS 0.5.0 and will be removed in a future major release. Use [Services Condition](/docs/nia/configuration#services-condition) or [Services Module Input](/docs/nia/configuration#services-module-input) instead. See [0.5.0 release notes](/docs/nia/release-notes/0-5-0#deprecate-services-field) for examples.** Specifies an optional list of logical service names or service IDs that the task monitors for changes in the Consul catalog. The `services` can act in different ways depending on the configuration of the task's `condition` block:
- `services` - (list[string]) **Deprecated in CTS 0.5.0 and will be removed in a future major release. Use [Services Condition](/docs/nia/configuration#services-condition) or [Services Module Input](/docs/nia/configuration#services-module-input) instead. See [0.5.0 release notes](/docs/release-notes/consul-terraform-sync/v0_5_x#deprecate-services-field) for examples.** Specifies an optional list of logical service names or service IDs that the task monitors for changes in the Consul catalog. The `services` can act in different ways depending on the configuration of the task's `condition` block:
- no `condition` block configured: `services` will act as the task's condition and provide the services information as module input
- the `condition` block configured for type `services`: `services` is incompatible with this type of `condition` because both configure the services module input. CTS will return an error.
- the `condition` block configured for all other types: `services` will act only to provide services module input.
@ -651,7 +651,7 @@ driver "terraform" {
```
- `backend` - (obj) The backend stores [Terraform state files](https://www.terraform.io/language/state) for each task. This option is similar to the [Terraform backend configuration](https://www.terraform.io/language/settings/backends/configuration). CTS supports Terraform backends used as a state store.
- Supported backend options: [azurerm](https://www.terraform.io/language/settings/backends/azurerm), [consul](https://www.terraform.io/language/settings/backends/consul), [cos](https://www.terraform.io/language/settings/backends/cos), [gcs](https://www.terraform.io/language/settings/backends/gcs), [kubernetes](https://www.terraform.io/language/settings/backends/kubernetes), [local](https://www.terraform.io/language/settings/backends/local), [manta](https://www.terraform.io/language/settings/backends/manta), [pg](https://www.terraform.io/language/settings/backends/pg) (Terraform v0.14+), [s3](https://www.terraform.io/language/settings/backends/s3). Visit the Terraform documentation links for details on backend configuration options.
- Supported backend options: [azurerm](https://www.terraform.io/language/settings/backends/azurerm), [consul](https://www.terraform.io/language/settings/backends/consul), [cos](https://www.terraform.io/language/settings/backends/cos), [gcs](https://www.terraform.io/language/settings/backends/gcs), [kubernetes](https://www.terraform.io/language/settings/backends/kubernetes), [local](https://www.terraform.io/language/settings/backends/local), [manta](https://www.terraform.io/language/v1.2.x/settings/backends/manta), [pg](https://www.terraform.io/language/settings/backends/pg) (Terraform v0.14+), [s3](https://www.terraform.io/language/settings/backends/s3). Visit the Terraform documentation links for details on backend configuration options.
- If omitted, CTS will generate default values and use configurations from the [`consul` block](#consul) to configure [Consul as the backend](https://www.terraform.io/language/settings/backends/consul), which stores Terraform statefiles in the Consul KV. The [ACL token provided for Consul authentication](#consul) is used to read and write to the KV store and requires [Consul KV privileges](https://learn.hashicorp.com/tutorials/consul/consul-terraform-sync-secure?utm_source=docs#configure-acl-privileges-for-consul-terraform-sync). The Consul KV path is the base path to store state files for tasks. The full path of each state file will have the task identifier appended to the end of the path, e.g. `consul-terraform-sync/terraform-env:task-name`.
- The remote enhanced backend is not supported with the Terraform driver to run operations in Terraform Cloud. Use the [Terraform Cloud driver](#terraform-cloud-driver) to integrate CTS with Terraform Cloud for remote workspaces and remote operations.
- The `local` backend type is not supported with CTS instances configured for high availability. If high availability is configured and the Terraform backend type is `local`, CTS logs an error and exits.

6
website/content/docs/nia/enterprise/index.mdx
View File

@ -9,20 +9,20 @@ description: >-
Consul-Terraform-Sync (CTS) Enterprise is available with [Consul Enterprise](https://www.hashicorp.com/products/consul) and requires a Consul [license](/docs/nia/enterprise/license) to be applied.
Enterprise features of CTS address organization complexities of collaboration, operations, scale, and governance. CTS Enterprise supports an official integration with [Terraform Cloud](https://www.terraform.io/cloud) and [Terraform Enterprise](https://www.terraform.io/enterprise), the self-hosted distribution, to extend insight into dynamic updates of your network infrastructure.
Enterprise features of CTS address organization complexities of collaboration, operations, scale, and governance. CTS Enterprise supports an official integration with [Terraform Cloud](https://cloud.hashicorp.com/products/terraform) and [Terraform Enterprise](https://www.terraform.io/enterprise), the self-hosted distribution, to extend insight into dynamic updates of your network infrastructure.
| Features | Open Source | Enterprise |
|----------|-------------|------------|
| Consul Namespace | Default namespace only | Filter task triggers by any namespace |
| Automation Driver | Terraform OSS | Terraform OSS, Terraform Cloud, or Terraform Enterprise |
| Terraform Workspaces | Local | Local workspaces with the Terraform driver or [remote workspaces](https://www.terraform.io/cloud-docs/workspaces) with the Terraform Cloud driver |
| Terraform Backend Options | [azurerm](https://www.terraform.io/language/settings/backends/azurerm), [consul](https://www.terraform.io/language/settings/backends/consul), [cos](https://www.terraform.io/language/settings/backends/cos), [gcs](https://www.terraform.io/language/settings/backends/gcs), [kubernetes](https://www.terraform.io/language/settings/backends/kubernetes), [local](https://www.terraform.io/language/settings/backends/local), [manta](https://www.terraform.io/language/settings/backends/manta), [pg](https://www.terraform.io/language/settings/backends/pg), and [s3](https://www.terraform.io/language/settings/backends/s3) with the Terraform driver | The supported backends for CTS with the Terraform driver or Terraform Cloud with the Terraform Cloud driver |
| Terraform Backend Options | [azurerm](https://www.terraform.io/language/settings/backends/azurerm), [consul](https://www.terraform.io/language/settings/backends/consul), [cos](https://www.terraform.io/language/settings/backends/cos), [gcs](https://www.terraform.io/language/settings/backends/gcs), [kubernetes](https://www.terraform.io/language/settings/backends/kubernetes), [local](https://www.terraform.io/language/settings/backends/local), [manta](https://www.terraform.io/language/v1.2.x/settings/backends/manta), [pg](https://www.terraform.io/language/settings/backends/pg), and [s3](https://www.terraform.io/language/settings/backends/s3) with the Terraform driver | The supported backends for CTS with the Terraform driver or Terraform Cloud with the Terraform Cloud driver |
| Terraform Version | One Terraform version for all tasks | Optional Terraform version per task when using the Terraform Cloud driver |
| Terraform Run Output | CTS logs | CTS logs or Terraform output organized by Terraform Cloud remote workspaces |
| Credentials and secrets | On disk as `.tfvars` files or in shell environment | Secured variables stored in remote workspace |
| Audit | | Terraform audit logs ([Terraform Cloud](https://www.terraform.io/cloud-docs/api-docs/audit-trails) or [Terraform Enterprise](https://www.terraform.io/enterprise/admin/infrastructure/logging)) |
| Collaboration | | Run [history](https://www.terraform.io/cloud-docs/run/manage), [triggers](https://www.terraform.io/cloud-docs/workspaces/settings/run-triggers), and [notifications](https://www.terraform.io/cloud-docs/workspaces/settings/notifications) supported on Terraform Cloud |
| Governance | | [Sentinel](https://www.terraform.io/cloud-docs/sentinel) to enforce governance policies as code |
| Governance | | [Sentinel](https://www.terraform.io/cloud-docs/policy-enforcement) to enforce governance policies as code |
The [Terraform Cloud driver](/docs/nia/configuration#terraform-cloud-driver) enables CTS Enterprise to integrate with Terraform Cloud or Terraform Enterprise. The [Terraform Cloud driver](/docs/nia/network-drivers/terraform-cloud) page provides an overview of how the integration works within CTS.

2
website/content/docs/nia/index.mdx
View File

@ -53,7 +53,7 @@ CTS is available as an open source and enterprise distribution. Follow the [Netw
- `Tasks` - A task is the translation of dynamic service information from the Consul Catalog into network infrastructure changes downstream.
- `Terraform Cloud` - Per the [Terraform documentation](httphttps://www.terraform.io/cloud-docs), "Terraform Cloud" describes both Terraform Cloud and Terraform Enterprise, which are different distributions of the same application. Documentation will apply to both distributions unless specifically stated otherwise.
- `Terraform Cloud` - Per the [Terraform documentation](https://www.terraform.io/cloud-docs), "Terraform Cloud" describes both Terraform Cloud and Terraform Enterprise, which are different distributions of the same application. Documentation will apply to both distributions unless specifically stated otherwise.
- `Terraform Module` - A [Terraform module](https://www.terraform.io/language/modules) is a container for multiple Terraform resources that are used together.

2
website/content/docs/nia/network-drivers/index.mdx
View File

@ -16,7 +16,7 @@ The following table highlights some of the additional features Terraform and Ter
| Network Driver | Description | Features |
| -------------- | ----------- | -------- |
| [Terraform driver](/docs/nia/network-drivers/terraform) | CTS automates a local installation of the [Terraform CLI](https://www.terraform.io/) | - Local Terraform execution <br/> - Local workspace directories <br/> - [Backend options](/docs/nia/configuration#backend) available for state storage <br/> |
| [Terraform Cloud driver](/docs/nia/network-drivers/terraform-cloud) | CTS Enterprise automates remote workspaces on [Terraform Cloud](https://www.terraform.io/cloud-docs) | - [Remote Terraform execution](https://www.terraform.io/cloud-docs/run/remote-operations) <br/> - Concurrent runs <br/> - [Secured variables](https://www.terraform.io/cloud-docs/workspaces/variables) <br/> - [State versions](https://www.terraform.io/cloud-docs/workspaces/state) <br/> - [Sentinel](https://www.terraform.io/cloud-docs/sentinel) to enforce governance policies as code <br/> - Audit [logs](https://www.terraform.io/enterprise/admin/infrastructure/logging) and [trails](https://www.terraform.io/cloud-docs/api-docs/audit-trails) <br/> - Run [history](https://www.terraform.io/cloud-docs/run/manage), [triggers](https://www.terraform.io/cloud-docs/workspaces/settings/run-triggers), and [notifications](https://www.terraform.io/cloud-docs/workspaces/settings/notifications) <br/> - [Terraform Cloud Agents](https://www.terraform.io/cloud-docs/agents) |
| [Terraform Cloud driver](/docs/nia/network-drivers/terraform-cloud) | CTS Enterprise automates remote workspaces on [Terraform Cloud](https://www.terraform.io/cloud-docs) | - [Remote Terraform execution](https://www.terraform.io/cloud-docs/run/remote-operations) <br/> - Concurrent runs <br/> - [Secured variables](https://www.terraform.io/cloud-docs/workspaces/variables) <br/> - [State versions](https://www.terraform.io/cloud-docs/workspaces/state) <br/> - [Sentinel](https://www.terraform.io/cloud-docs/policy-enforcement) to enforce governance policies as code <br/> - Audit [logs](https://www.terraform.io/enterprise/admin/infrastructure/logging) and [trails](https://www.terraform.io/cloud-docs/api-docs/audit-trails) <br/> - Run [history](https://www.terraform.io/cloud-docs/run/manage), [triggers](https://www.terraform.io/cloud-docs/workspaces/settings/run-triggers), and [notifications](https://www.terraform.io/cloud-docs/workspaces/settings/notifications) <br/> - [Terraform Cloud Agents](https://www.terraform.io/cloud-docs/agents) |
## Understanding Terraform Automation

4
website/content/docs/nia/network-drivers/terraform-cloud.mdx
View File

@ -12,7 +12,7 @@ description: >-
which is available with <strong>Consul Enterprise</strong>.
</EnterpriseAlert>
Consul-Terraform-Sync (CTS) is more powerful when you integrate it with [Terraform Cloud](https://www.terraform.io/cloud). Integrating with Terraform Cloud provides features, such as enhanced workspaces and insight into Terraform operations as CTS dynamically updates your network infrastructure. CTS is compatible with both the [self-hosted](https://www.hashicorp.com/products/terraform/editions/enterprise) and [managed service](https://www.hashicorp.com/products/terraform/editions/cloud) versions of Terraform Cloud. It also supports all [tiers](https://www.hashicorp.com/products/terraform/pricing) of the Terraform Cloud managed service.
Consul-Terraform-Sync (CTS) is more powerful when you integrate it with [Terraform Cloud](https://cloud.hashicorp.com/products/terraform). Integrating with Terraform Cloud provides features, such as enhanced workspaces and insight into Terraform operations as CTS dynamically updates your network infrastructure. CTS is compatible with both the [self-hosted](https://www.hashicorp.com/products/terraform/editions/enterprise) and [managed service](https://www.hashicorp.com/products/terraform/editions/cloud) versions of Terraform Cloud. It also supports all [tiers](https://www.hashicorp.com/products/terraform/pricing) of the Terraform Cloud managed service.
This page describes how the Terraform Cloud driver operates within CTS.
@ -111,7 +111,7 @@ Because a CTS instance can only be configured with one driver, an instance can o
### Required Setup
This section captures requirements for setting up CTS to integrate with your [Terraform Cloud](https://www.terraform.io/cloud) solution.
This section captures requirements for setting up CTS to integrate with your [Terraform Cloud](https://cloud.hashicorp.com/products/terraform) solution.
1. Hostname of your Terraform Cloud, self-hosted distribution
1. Name of your organization

2
website/content/docs/nia/usage/requirements.mdx
View File

@ -31,7 +31,7 @@ For information on compatible Consul versions, refer to the [Consul compatibilit
### Run an agent
The Consul agent must be running in order to dynamically update network devices. Refer to the [Consul agent documentation](/docs/agent/index) for information about configuring and starting a Consul agent. For hands-on instructions about running Consul agents, refer to the [Getting Started: Run the Consul Agent Tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-agent?in=consul/getting-started).
The Consul agent must be running in order to dynamically update network devices. Refer to the [Consul agent documentation](/docs/agent) for information about configuring and starting a Consul agent. For hands-on instructions about running Consul agents, refer to the [Getting Started: Run the Consul Agent Tutorial](https://learn.hashicorp.com/tutorials/consul/get-started-agent?in=consul/getting-started).
When running a Consul agent with CTS in production, consider that CTS uses [blocking queries](/api-docs/features/blocking) to monitor task dependencies, such as changes to registered services. This results in multiple long-running TCP connections between CTS and the agent to poll changes for each dependency. Consul may quickly reach the agent connection limits if CTS is monitoring a high number of services.

4
website/content/docs/security/acl/acl-federated-datacenters.mdx
View File

@ -17,11 +17,11 @@ Consul versions 1.4.0 and later
## Configure ACLs in the Primary Datacenter
In a [federated Consul deployment](/docs/k8s/installation/multi-cluster), one of the datacenters is marked as the primary datacenter.
In a [federated Consul deployment](/docs/k8s/deployment-configurations/multi-cluster), one of the datacenters is marked as the primary datacenter.
The `acl` configuration block should be added to the primary datacenter server's configuration file
as shown in the following example.
See the [ACL Config Stanza](/docs/agent/options#acl) for more detailed descriptions of each option.
See the [ACL Config Stanza](/docs/agent/config/config-files#acl) for more detailed descriptions of each option.
-> **Versions before 1.11.0:** The `initial_management` token was called the `master` token in versions
prior to 1.11.0

8
website/content/docs/security/acl/acl-policies.mdx
View File

@ -104,7 +104,7 @@ Use the `policy` keyword and one of the following access levels to set a policy
- `write`: Allows the resource to be read and modified.
- `deny`: Denies read and write access to the resource.
The special `list` access level provides access to all keys with the specified resource label in the [Consul KV](/commands/kv/). The `list` access level can only be used with the `key_prefix` resource. The [`acl.enable_key_list_policy`](/docs/agent/options#acl_enable_key_list_policy) setting must be set to `true`.
The special `list` access level provides access to all keys with the specified resource label in the [Consul KV](/commands/kv/). The `list` access level can only be used with the `key_prefix` resource. The [`acl.enable_key_list_policy`](/docs/agent/config/config-files#acl_enable_key_list_policy) setting must be set to `true`.
### Matching and Prefix Values
@ -246,7 +246,7 @@ operator = "read"
## Rule Scope
The rules from all policies, including roles and service identities, linked with a token are combined to form that token's effective rule set.
Policy rules can be defined in either an `allowlist` or `denylist` mode, depending on the configuration of the [`acl_default_policy`](/docs/agent/options#acl_default_policy).
Policy rules can be defined in either an `allowlist` or `denylist` mode, depending on the configuration of the [`acl_default_policy`](/docs/agent/config/config-files#acl_default_policy).
If the default policy is configured to deny access to all resources, then you can specify `allowlist` in policy rules to explicitly allow access to resources.
Conversely, if the default policy is configured to allow access to all resources, then you can specify `denylist` in policy rules to explicitly deny access to resources.
@ -344,12 +344,12 @@ ACL policies can have the following attributes:
| `ID` | The policy's public identifier. Present the `ID` (or the `name`) value when interacting with policies. You can specify a value when creating policies or use the value auto-generated by Consul. | N/A | N/A |
| `name` | Unique name for the policy. | Required | none |
| `description` | Human readable description of the policy. | Optional | none |
| `rules` | Set of rules granting or denying permissions. See the [Rule Specification](/docs/acl/acl-rules#rule-specification) documentation for more details. | Optional | none |
| `rules` | Set of rules granting or denying permissions. See the [Rule Specification](/docs/security/acl/acl-rules#rule-specification) documentation for more details. | Optional | none |
| `datacenter` | Datacenter in which the policy is valid. More than one datacenter can be specified. | Optional | none |
| `namespace` | <EnterpriseAlert inline /> Namespace in which the policy is valid. Added in Consul Enterprise 1.7.0. | Optional | `default` |
| `partition` | <EnterpriseAlert inline /> Admin partition in which the policy is valid. Added in Consul Enterprise 1.11.0 | Optional | `default` |
-> **Non-default Namespaces and Partitions** - Rules defined in a policy tied to an namespace or admin partition other than `default` can only grant a subset of privileges that affect the namespace or partition. See [Namespace Rules](/docs/acl/acl-rules#namespace-rules) and [Admin Partition Rules](/docs/security/acl/acl-rules#admin-partition-rules) for additional information.
-> **Non-default Namespaces and Partitions** - Rules defined in a policy tied to an namespace or admin partition other than `default` can only grant a subset of privileges that affect the namespace or partition. See [Namespace Rules](/docs/security/acl/acl-rules#namespace-rules) and [Admin Partition Rules](/docs/security/acl/acl-rules#admin-partition-rules) for additional information.
You can view the current ACL policies on the command line or through the API. The following example demonstrates the command line usage:

4
website/content/docs/security/acl/acl-rules.mdx
View File

@ -20,7 +20,7 @@ The following table provides an overview of the resources you can use to create
| `agent`<br/>`agent_prefix` | Controls access to the utility operations in the [Agent API](/api-docs/agent), such as `join` and `leave`. <br/>See [Agent Rules](#agent-rules) for details. | Yes |
| `event`<br/>`event_prefix` | Controls access to event operations in the [Event API](/api-docs/event), such as firing and listing events. <br/>See [Event Rules](#event-rules) for details. | Yes |
| `key`<br/>`key_prefix` &nbsp; | Controls access to key/value store operations in the [KV API](/api-docs/kv). <br/>Can also use the `list` access level when setting the policy disposition. <br/>Has additional value options in Consul Enterprise for integrating with [Sentinel](https://docs.hashicorp.com/sentinel/consul). <br/>See [Key/Value Rules](#key-value-rules) for details. | Yes |
| `keyring` &nbsp; &nbsp; &nbsp; | Controls access to keyring operations in the [Keyring API](/api-docs/keyring). <br/>See [Keyring Rules](#keyring-rules) for details. | No |
| `keyring` &nbsp; &nbsp; &nbsp; | Controls access to keyring operations in the [Keyring API](/api-docs/operator/keyring). <br/>See [Keyring Rules](#keyring-rules) for details. | No |
| `mesh` &nbsp; &nbsp; &nbsp; | Provides operator-level permissions for resources in the admin partition, such as ingress gateways or mesh proxy defaults. See [Mesh Rules](#mesh-rules) for details. | No |
| `peering` &nbsp; &nbsp; &nbsp; | Controls access to cluster peerings in the [Cluster Peering API](/api-docs/peering). For more details, refer to [Peering Rules](#peering-rules). | No |
| `namespace`<br/>`namespace_prefix` | <EnterpriseAlert inline /> Controls access to one or more namespaces. <br/>See [Namespace Rules](#namespace-rules) for details. | Yes |
@ -586,7 +586,7 @@ These actions may required an ACL token to complete. Use the following methods t
This allows a single token to be used during all check registration operations.
* Provide an ACL token with `service` and `check` definitions at registration time.
This allows for greater flexibility and enables the use of multiple tokens on the same agent.
Refer to the [services](/docs/agent/services) and [checks](/docs/discovery/checks) documentation for examples.
Refer to the [services](/docs/discovery/services) and [checks](/docs/discovery/checks) documentation for examples.
Tokens may also be passed to the [HTTP API](/api-docs) for operations that require them.
## Operator Rules

28
website/content/docs/security/acl/acl-tokens.mdx
View File

@ -70,16 +70,16 @@ Refer to the [service definitions documentation](/docs/discovery/services#servic
### Agent Requests
Consul agents can be configured to hold several ACL tokens (see [`tokens`](/docs/agent/options#acl_tokens_default)) to accommodate several use cases. The following table describes agent configuration fields where ACLs are applicable and whether the configurations apply to servers, clients, or both.
Consul agents can be configured to hold several ACL tokens (see [`tokens`](/docs/agent/config/config-files#acl_tokens_default)) to accommodate several use cases. The following table describes agent configuration fields where ACLs are applicable and whether the configurations apply to servers, clients, or both.
| Configuration Option | Servers | Clients | Purpose |
| -------------------------------------------------------------- | ---------- | ---------- | ---------------------------------------------------------------------- |
| [`acl.enabled`](/docs/agent/options#acl_enabled) | `REQUIRED` | `REQUIRED` | Controls whether ACLs are enabled |
| [`acl.default_policy`](/docs/agent/options#acl_default_policy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl.down_policy`](/docs/agent/options#acl_down_policy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the remote token or policy resolution fails |
| [`acl.role_ttl`](/docs/agent/options#acl_role_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Roles |
| [`acl.policy_ttl`](/docs/agent/options#acl_policy_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Policies |
| [`acl.token_ttl`](/docs/agent/options#acl_token_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Tokens |
| [`acl.enabled`](/docs/agent/config/config-files#acl_enabled) | `REQUIRED` | `REQUIRED` | Controls whether ACLs are enabled |
| [`acl.default_policy`](/docs/agent/config/config-files#acl_default_policy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl.down_policy`](/docs/agent/config/config-files#acl_down_policy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the remote token or policy resolution fails |
| [`acl.role_ttl`](/docs/agent/config/config-files#acl_role_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Roles |
| [`acl.policy_ttl`](/docs/agent/config/config-files#acl_policy_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Policies |
| [`acl.token_ttl`](/docs/agent/config/config-files#acl_token_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Tokens |
In the following example, the agent is configured to use a default token:
@ -101,7 +101,7 @@ tokens = {
</CodeTabs>
Refer to the [agent configurations documentation](/docs/agent/options) for additional information.
Refer to the [agent configurations documentation](/docs/agent/config/config-files) for additional information.
### Command Line Requests
@ -131,7 +131,7 @@ $ curl --header "X-Consul-Token: <token>" "http://127.0.0.1:8500/v1/agent/member
## Token Attributes
The following table is a partial list of attributes that a token may contain.
Refer to the [API](/api-docs/acl/token) or [command line](/commands/acl/token) documentation for all attributes that can be assigned or generated for a token:
Refer to the [API](/api-docs/acl/tokens) or [command line](/commands/acl/token) documentation for all attributes that can be assigned or generated for a token:
| Attribute | Description | Type | Default |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------- |
@ -154,9 +154,9 @@ system or accessing Consul under specific conditions. The following table descri
| Token | Servers | Clients | Description |
| ------------------------------------------------------------------------------------ | ---------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [`acl.tokens.agent_recovery`](/docs/agent/config/config-files#acl_tokens_agent_recovery) | `OPTIONAL` | `OPTIONAL` | Enables access to the [Agent API](/api-docs/agent) when remote bearer token resolution fails. <br/>Used for setting up the cluster and performing initial join operations. <br/>See [ACL Agent Recovery Token](#acl-agent-recovery-token) for details. |
| [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) | `OPTIONAL` | `OPTIONAL` | Used for internal agent operations. See [ACL Agent Token](#acl-agent-token) for details. |
| [`acl.tokens.initial_management`](/docs/agent/options#acl_tokens_initial_management) | `OPTIONAL` | `N/A` | Used to bootstrap the ACL system. See [Initial Management Token](#initial-management-token). |
| [`acl.tokens.default`](/docs/agent/options#acl_tokens_default) | `OPTIONAL` | `OPTIONAL` | Specifies a default token to use for client requests if no token is supplied. This is commonly configured with read-only access to services to enable DNS service discovery on agents. |
| [`acl.tokens.agent`](/docs/agent/config/config-files#acl_tokens_agent) | `OPTIONAL` | `OPTIONAL` | Used for internal agent operations. See [ACL Agent Token](#acl-agent-token) for details. |
| [`acl.tokens.initial_management`](/docs/agent/config/config-files#acl_tokens_initial_management) | `OPTIONAL` | `N/A` | Used to bootstrap the ACL system. See [Initial Management Token](#initial-management-token). |
| [`acl.tokens.default`](/docs/agent/config/config-files#acl_tokens_default) | `OPTIONAL` | `OPTIONAL` | Specifies a default token to use for client requests if no token is supplied. This is commonly configured with read-only access to services to enable DNS service discovery on agents. |
All reserved tokens except the `initial_management` token can be created or updated using the [/v1/agent/token API](/api-docs/agent#update-acl-tokens).
@ -166,7 +166,7 @@ Snapshots are artifacts created with the [snapshot API](/api-docs/snapshot) for
### ACL Agent Token
The [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) is a special token that is used for an agent's internal operations. It isn't used directly for any user-initiated operations like the [`acl.tokens.default`](/docs/agent/options#acl_tokens_default), though if the `acl.tokens.agent` isn't configured the `acl.tokens.default` will be used. The ACL agent token is used for the following operations by the agent:
The [`acl.tokens.agent`](/docs/agent/config/config-files#acl_tokens_agent) is a special token that is used for an agent's internal operations. It isn't used directly for any user-initiated operations like the [`acl.tokens.default`](/docs/agent/config/config-files#acl_tokens_default), though if the `acl.tokens.agent` isn't configured the `acl.tokens.default` will be used. The ACL agent token is used for the following operations by the agent:
1. Updating the agent's node entry using the [Catalog API](/api-docs/catalog), including updating its node metadata, tagged addresses, and network coordinates
2. Performing [anti-entropy](/docs/architecture/anti-entropy) syncing, in particular reading the node metadata and services registered with the catalog
@ -190,7 +190,7 @@ key_prefix "_rexec" {
</CodeBlockConfig>
The `service_prefix` policy needs read access for any services that can be registered on the agent. If [remote exec is disabled](/docs/agent/options#disable_remote_exec), the default, then the `key_prefix` policy can be omitted.
The `service_prefix` policy needs read access for any services that can be registered on the agent. If [remote exec is disabled](/docs/agent/config/config-files#disable_remote_exec), the default, then the `key_prefix` policy can be omitted.
## Built-in Tokens

6
website/content/docs/upgrading/upgrade-specific.mdx
View File

@ -207,7 +207,7 @@ such as to the latest patch within a release series.
#### Removing configuration options
The [`disable_compat_19`](/docs/agent/options#telemetry-disable_compat_1.9) telemetry configuration option is now removed.
The [`disable_compat_19`](/docs/agent/config/config-files#telemetry-disable_compat_1.9) telemetry configuration option is now removed.
In prior Consul versions (1.10.x through 1.11.x), the config defaulted to `false`. In 1.12.x it defaulted to `true`.
If you were using this flag, you must remove it before upgrading.
@ -227,7 +227,7 @@ Follow the same guidance as provided in the
#### Changing the default behavior for option
The [`disable_compat_19`](/docs/agent/options#telemetry-disable_compat_1.9) telemetry configuration option now defaults
The [`disable_compat_19`](/docs/agent/config/config-files#telemetry-disable_compat_1.9) telemetry configuration option now defaults
to `true`. In prior Consul versions (1.10.x through 1.11.x), the config defaulted to `false`. If you require 1.9 style
`consul.http...` metrics, you may enable them by setting the flag to `false`. However, be advised that these metrics, as
well as the flag will be removed in upcoming Consul 1.13. We recommend changing your instrumentation to use 1.10 and later
@ -705,7 +705,7 @@ automatically and without loss of connectivity throughout all datacenters and
workloads.
For more information see [Connect
Multi-datacenter](/docs/enterprise/connect-multi-datacenter).
Multi-datacenter](/docs/enterprise).
## Consul 1.3.0