diff --git a/website/data/api-navigation.js b/website/data/api-navigation.js new file mode 100644 index 0000000000..3099cf799b --- /dev/null +++ b/website/data/api-navigation.js @@ -0,0 +1,50 @@ +// The root folder for this documentation category is `pages/guides` +// +// - A string refers to the name of a file +// - A "category" value refers to the name of a directory +// - All directories must have an "index.mdx" file to serve as +// the landing page for the category + +export default [ + 'index', + { + category: 'features', + content: ['consistency', 'blocking', 'filtering', 'caching'], + }, + '--------', + { + category: 'acl', + content: [ + 'tokens', + 'legacy', + 'policies', + 'roles', + 'auth-methods', + 'binding-rules', + ], + }, + { + category: 'agent', + content: ['check', 'service', 'connect'], + }, + 'catalog', + 'config', + { category: 'connect', content: ['ca', 'intentions'] }, + 'coordinate', + 'discovery-chain', + 'event', + 'health', + 'kv', + { + category: 'operator', + content: ['area', 'autopilot', 'keyring', 'license', 'raft', 'segment'], + }, + 'namespaces', + 'query', + 'session', + 'snapshot', + 'status', + 'txn', + '-------', + 'libraries-and-sdks', +] diff --git a/website/data/guides-navigation.js b/website/data/guides-navigation.js deleted file mode 100644 index 4e57f80a7b..0000000000 --- a/website/data/guides-navigation.js +++ /dev/null @@ -1,8 +0,0 @@ -// The root folder for this documentation category is `pages/guides` -// -// - A string refers to the name of a file -// - A "category" value refers to the name of a directory -// - All directories must have an "index.mdx" file to serve as -// the landing page for the category - -export default [] diff --git a/website/data/intro-navigation.js b/website/data/intro-navigation.js index 706fe114a6..61c5bc0d7a 100644 --- a/website/data/intro-navigation.js +++ b/website/data/intro-navigation.js @@ -5,4 +5,22 @@ // - All directories must have an "index.mdx" file to serve as // the landing page for the category -export default [] +export default [ + 'index', + { + category: 'vs', + content: [ + 'zookeeper', + 'chef-puppet', + 'nagios-sensu', + 'skydns', + 'smartstack', + 'serf', + 'eureka', + 'istio', + 'proxies', + 'custom', + ], + }, + 'getting-started', +] diff --git a/website/layouts/api-docs.jsx b/website/layouts/api.jsx similarity index 94% rename from website/layouts/api-docs.jsx rename to website/layouts/api.jsx index 7be82acd9b..c26d574714 100644 --- a/website/layouts/api-docs.jsx +++ b/website/layouts/api.jsx @@ -1,5 +1,5 @@ import DocsPage from '@hashicorp/react-docs-page' -import order from '../data/api-docs-navigation.js' +import order from '../data/api-navigation.js' import { frontMatter as data } from '../pages/api-docs/**/*.mdx' import Head from 'next/head' import Link from 'next/link' diff --git a/website/pages/api-docs/acl-legacy.html.md b/website/pages/api-docs/acl-legacy.mdx similarity index 99% rename from website/pages/api-docs/acl-legacy.html.md rename to website/pages/api-docs/acl-legacy.mdx index 43a50913ef..d4e56e6072 100644 --- a/website/pages/api-docs/acl-legacy.html.md +++ b/website/pages/api-docs/acl-legacy.mdx @@ -2,8 +2,9 @@ layout: api page_title: Legacy ACLs - HTTP API sidebar_current: api-acls-legacy -description: |- - The /acl endpoints create, update, destroy, and query Legacy ACL tokens in Consul. +description: >- + The /acl endpoints create, update, destroy, and query Legacy ACL tokens in + Consul. --- -> **Consul 1.4.0 deprecates the legacy ACL system completely.** It's _strongly_ diff --git a/website/pages/api-docs/acl/auth-methods.html.md b/website/pages/api-docs/acl/auth-methods.mdx similarity index 99% rename from website/pages/api-docs/acl/auth-methods.html.md rename to website/pages/api-docs/acl/auth-methods.mdx index 8af43fd299..ccbcb12377 100644 --- a/website/pages/api-docs/acl/auth-methods.html.md +++ b/website/pages/api-docs/acl/auth-methods.mdx @@ -1,15 +1,15 @@ --- layout: api page_title: ACL Auth Methods - HTTP API +sidebar_title: 'Auth Methods' sidebar_current: api-acl-auth-methods -description: |- - The /acl/auth-method endpoints manage Consul's ACL Auth Methods. +description: The /acl/auth-method endpoints manage Consul's ACL Auth Methods. --- --> **1.5.0+:** The auth method APIs are available in Consul versions 1.5.0 and newer. - # ACL Auth Method HTTP API +-> **1.5.0+:** The auth method APIs are available in Consul versions 1.5.0 and newer. + The `/acl/auth-method` endpoints [create](#create-an-auth-method), [read](#read-an-auth-method), [update](#update-an-auth-method), [list](#list-auth-methods) and [delete](#delete-an-auth-method) diff --git a/website/pages/api-docs/acl/binding-rules.html.md b/website/pages/api-docs/acl/binding-rules.mdx similarity index 99% rename from website/pages/api-docs/acl/binding-rules.html.md rename to website/pages/api-docs/acl/binding-rules.mdx index 3537a7fe2b..15ac50d159 100644 --- a/website/pages/api-docs/acl/binding-rules.html.md +++ b/website/pages/api-docs/acl/binding-rules.mdx @@ -1,15 +1,15 @@ --- layout: api page_title: ACL Binding Rules - HTTP API +sidebar_title: 'Binding Rules' sidebar_current: api-acl-binding-rules -description: |- - The /acl/binding-rule endpoints manage Consul's ACL Binding Rules. +description: The /acl/binding-rule endpoints manage Consul's ACL Binding Rules. --- --> **1.5.0+:** The binding rule APIs are available in Consul versions 1.5.0 and newer. - # ACL Binding Rule HTTP API +-> **1.5.0+:** The binding rule APIs are available in Consul versions 1.5.0 and newer. + The `/acl/binding-rule` endpoints [create](#create-a-binding-rule), [read](#read-a-binding-rule), [update](#update-a-binding-rule), [list](#list-binding-rules) and [delete](#delete-a-binding-rule) ACL binding diff --git a/website/pages/api-docs/acl/acl.html.md b/website/pages/api-docs/acl/index.mdx similarity index 99% rename from website/pages/api-docs/acl/acl.html.md rename to website/pages/api-docs/acl/index.mdx index 9c2783e86c..c0fed2d29d 100644 --- a/website/pages/api-docs/acl/acl.html.md +++ b/website/pages/api-docs/acl/index.mdx @@ -1,15 +1,15 @@ --- layout: api page_title: ACLs - HTTP API +sidebar_title: 'ACLs' sidebar_current: api-acl -description: |- - The /acl endpoints manage the Consul's ACL system. +description: The /acl endpoints manage the Consul's ACL system. --- --> **1.4.0+:** This API documentation is for Consul versions 1.4.0 and later. The documentation for the legacy ACL API is [here](/api/acl/legacy.html) - # ACL HTTP API +-> **1.4.0+:** This API documentation is for Consul versions 1.4.0 and later. The documentation for the legacy ACL API is [here](/api/acl/legacy.html) + The `/acl` endpoints are used to manage ACL tokens and policies in Consul, [bootstrap the ACL system](#bootstrap-acls), [check ACL replication status](#check-acl-replication), and [translate rules](#translate-rules). There are additional pages for managing [tokens](/api/acl/tokens.html) and [policies](/api/acl/policies.html) with the `/acl` endpoints. For more information on how to setup ACLs, please see diff --git a/website/pages/api-docs/acl/legacy.html.md b/website/pages/api-docs/acl/legacy.mdx similarity index 99% rename from website/pages/api-docs/acl/legacy.html.md rename to website/pages/api-docs/acl/legacy.mdx index 6e61b4ba97..751cef2ff2 100644 --- a/website/pages/api-docs/acl/legacy.html.md +++ b/website/pages/api-docs/acl/legacy.mdx @@ -1,17 +1,19 @@ --- layout: api page_title: Legacy ACLs - HTTP API +sidebar_title: 'Legacy Tokens' sidebar_current: api-acl-tokens-legacy -description: |- - The /acl endpoints create, update, destroy, and query Legacy ACL tokens in Consul. +description: >- + The /acl endpoints create, update, destroy, and query Legacy ACL tokens in + Consul. --- +# ACL HTTP API + -> **Consul 1.4.0 deprecates the legacy ACL system completely.** It's _strongly_ recommended you do not build anything using the legacy system and consider using the new ACL [Token](/api/acl/tokens.html) and [Policy](/api/acl/policies.html) APIs instead. -# ACL HTTP API - The `/acl` endpoints create, update, destroy, and query ACL tokens in Consul. For more information about ACLs, please see the [ACL Guide](https://learn.hashicorp.com/consul/security-networking/production-acls). diff --git a/website/pages/api-docs/acl/policies.html.md b/website/pages/api-docs/acl/policies.mdx similarity index 99% rename from website/pages/api-docs/acl/policies.html.md rename to website/pages/api-docs/acl/policies.mdx index d59b3ffcfe..bea7ca4750 100644 --- a/website/pages/api-docs/acl/policies.html.md +++ b/website/pages/api-docs/acl/policies.mdx @@ -1,15 +1,15 @@ --- layout: api page_title: ACL Policies - HTTP API +sidebar_title: 'Policies' sidebar_current: api-acl-policies -description: |- - The /acl/policy endpoints manage Consul's ACL policies. +description: The /acl/policy endpoints manage Consul's ACL policies. --- --> **1.4.0+:** The APIs are available in Consul versions 1.4.0 and later. The documentation for the legacy ACL API is [here](/api/acl/legacy.html) - # ACL Policy HTTP API +-> **1.4.0+:** The APIs are available in Consul versions 1.4.0 and later. The documentation for the legacy ACL API is [here](/api/acl/legacy.html) + The `/acl/policy` endpoints [create](#create-a-policy), [read](#read-a-policy), [update](#update-a-policy), [list](#list-policies) and [delete](#delete-a-policy) ACL policies in Consul. diff --git a/website/pages/api-docs/acl/roles.html.md b/website/pages/api-docs/acl/roles.mdx similarity index 99% rename from website/pages/api-docs/acl/roles.html.md rename to website/pages/api-docs/acl/roles.mdx index 438044a3b1..9cf2904332 100644 --- a/website/pages/api-docs/acl/roles.html.md +++ b/website/pages/api-docs/acl/roles.mdx @@ -1,15 +1,15 @@ --- layout: api page_title: ACL Roles - HTTP API +sidebar_title: 'Roles' sidebar_current: api-acl-roles -description: |- - The /acl/role endpoints manage Consul's ACL Roles. +description: The /acl/role endpoints manage Consul's ACL Roles. --- --> **1.5.0+:** The role APIs are available in Consul versions 1.5.0 and newer. - # ACL Role HTTP API +-> **1.5.0+:** The role APIs are available in Consul versions 1.5.0 and newer. + The `/acl/role` endpoints [create](#create-a-role), [read](#read-a-role), [update](#update-a-role), [list](#list-roles) and [delete](#delete-a-role) ACL roles in Consul. diff --git a/website/pages/api-docs/acl/tokens.html.md b/website/pages/api-docs/acl/tokens.mdx similarity index 99% rename from website/pages/api-docs/acl/tokens.html.md rename to website/pages/api-docs/acl/tokens.mdx index f8b6f65b74..f27a122767 100644 --- a/website/pages/api-docs/acl/tokens.html.md +++ b/website/pages/api-docs/acl/tokens.mdx @@ -1,15 +1,15 @@ --- layout: api page_title: ACL Tokens - HTTP API +sidebar_title: 'Tokens' sidebar_current: api-acl-tokens -description: |- - The /acl/token endpoints manage Consul's ACL Tokens. +description: The /acl/token endpoints manage Consul's ACL Tokens. --- --> **1.4.0+:** The APIs are available in Consul versions 1.4.0 and later. The documentation for the legacy ACL API is [here](/api/acl/legacy.html) - # ACL Token HTTP API +-> **1.4.0+:** The APIs are available in Consul versions 1.4.0 and later. The documentation for the legacy ACL API is [here](/api/acl/legacy.html) + The `/acl/token` endpoints [create](#create-a-token), [read](#read-a-token), [update](#update-a-token), [list](#list-tokens), [clone](#clone-a-token) and [delete](#delete-a-token) ACL tokens in Consul. diff --git a/website/pages/api-docs/agent/check.html.md b/website/pages/api-docs/agent/check.mdx similarity index 99% rename from website/pages/api-docs/agent/check.html.md rename to website/pages/api-docs/agent/check.mdx index 0a199e59a6..be14befbdf 100644 --- a/website/pages/api-docs/agent/check.html.md +++ b/website/pages/api-docs/agent/check.mdx @@ -1,9 +1,9 @@ --- layout: api page_title: Check - Agent - HTTP API +sidebar_title: 'Checks' sidebar_current: api-agent-check -description: |- - The /agent/check endpoints interact with checks on the local agent in Consul. +description: The /agent/check endpoints interact with checks on the local agent in Consul. --- # Check - Agent HTTP API diff --git a/website/pages/api-docs/agent/connect.html.md b/website/pages/api-docs/agent/connect.mdx similarity index 99% rename from website/pages/api-docs/agent/connect.html.md rename to website/pages/api-docs/agent/connect.mdx index 7edef94dfa..af406ba427 100644 --- a/website/pages/api-docs/agent/connect.html.md +++ b/website/pages/api-docs/agent/connect.mdx @@ -1,9 +1,11 @@ --- layout: api page_title: Connect - Agent - HTTP API +sidebar_title: 'Connect' sidebar_current: api-agent-connect -description: |- - The /agent/connect endpoints interact with Connect with agent-local operations. +description: >- + The /agent/connect endpoints interact with Connect with agent-local + operations. --- # Connect - Agent HTTP API diff --git a/website/pages/api-docs/agent.html.md b/website/pages/api-docs/agent/index.mdx similarity index 99% rename from website/pages/api-docs/agent.html.md rename to website/pages/api-docs/agent/index.mdx index 07049adc0f..892e6c6382 100644 --- a/website/pages/api-docs/agent.html.md +++ b/website/pages/api-docs/agent/index.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Agent - HTTP API +sidebar_title: 'Agent' sidebar_current: api-agent description: |- The /agent endpoints interact with the local Consul agent to register diff --git a/website/pages/api-docs/agent/service.html.md b/website/pages/api-docs/agent/service.mdx similarity index 99% rename from website/pages/api-docs/agent/service.html.md rename to website/pages/api-docs/agent/service.mdx index ac09049bed..6cfd755836 100644 --- a/website/pages/api-docs/agent/service.html.md +++ b/website/pages/api-docs/agent/service.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Service - Agent - HTTP API +sidebar_title: 'Services' sidebar_current: api-agent-service description: |- The /agent/service endpoints interact with services on the local agent in @@ -145,8 +146,8 @@ The table below shows this endpoint's support for | ----------------- | ----------------- | ------------- | -------------- | | `YES`1 | `none` | `none` | `service:read` | -1 Supports [hash-based -blocking](/api/features/blocking.html#hash-based-blocking-queries) only. +1 Supports [hash-based blocking](/api/features/blocking.html#hash-based-blocking-queries) +only. ### Parameters diff --git a/website/pages/api-docs/catalog.html.md b/website/pages/api-docs/catalog.mdx similarity index 99% rename from website/pages/api-docs/catalog.html.md rename to website/pages/api-docs/catalog.mdx index cfd7198bed..112f396419 100644 --- a/website/pages/api-docs/catalog.html.md +++ b/website/pages/api-docs/catalog.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Catalog - HTTP API +sidebar_title: 'Catalog' sidebar_current: api-catalog description: |- The /catalog endpoints register and deregister nodes, services, and checks in diff --git a/website/pages/api-docs/config.html.md b/website/pages/api-docs/config.mdx similarity index 95% rename from website/pages/api-docs/config.html.md rename to website/pages/api-docs/config.mdx index 195fa675df..a8219986a2 100644 --- a/website/pages/api-docs/config.html.md +++ b/website/pages/api-docs/config.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Config - HTTP API +sidebar_title: 'Config' sidebar_current: api-config description: |- The /config endpoints are for managing centralized configuration @@ -30,11 +31,13 @@ The table below shows this endpoint's support for [agent caching](/api/features/caching.html), and [required ACLs](/api/index.html#authentication). -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ----------------------------------------------- | -| `NO` | `none` | `none` | `service:write`
`operator:write`1 | +| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | +| ---------------- | ----------------- | ------------- | ------------------------------------------------- | +| `NO` | `none` | `none` | `service:write`
`operator:write`1 | -1 The ACL required depends on the config entry kind being updated: +

+ 1 The ACL required depends on the config entry kind being updated: +

| Config Entry Kind | Required ACL | | ----------------- | ---------------- | @@ -221,9 +224,9 @@ The table below shows this endpoint's support for [agent caching](/api/features/caching.html), and [required ACLs](/api/index.html#authentication). -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ----------------------------------------------- | -| `NO` | `none` | `none` | `service:write`
`operator:write`1 | +| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | +| ---------------- | ----------------- | ------------- | ------------------------------------------------- | +| `NO` | `none` | `none` | `service:write`
`operator:write`1 | 1 The ACL required depends on the config entry kind being deleted: diff --git a/website/pages/api-docs/connect/ca.html.md b/website/pages/api-docs/connect/ca.mdx similarity index 99% rename from website/pages/api-docs/connect/ca.html.md rename to website/pages/api-docs/connect/ca.mdx index 14d7a48c1f..62052e89d5 100644 --- a/website/pages/api-docs/connect/ca.html.md +++ b/website/pages/api-docs/connect/ca.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Certificate Authority - Connect - HTTP API +sidebar_title: 'Certificate Authority (CA)' sidebar_current: api-connect-ca description: |- The /connect/ca endpoints provide tools for interacting with Connect's diff --git a/website/pages/api-docs/connect.html.md b/website/pages/api-docs/connect/index.mdx similarity index 87% rename from website/pages/api-docs/connect.html.md rename to website/pages/api-docs/connect/index.mdx index 95ea596b19..d4c4276b9e 100644 --- a/website/pages/api-docs/connect.html.md +++ b/website/pages/api-docs/connect/index.mdx @@ -1,9 +1,11 @@ --- layout: api page_title: Connect - HTTP API +sidebar_title: 'Connect' sidebar_current: api-connect -description: |- - The `/connect` endpoints provide access to Connect-related operations for intentions and the certificate authority. +description: >- + The `/connect` endpoints provide access to Connect-related operations for + intentions and the certificate authority. --- # Connect HTTP Endpoint diff --git a/website/pages/api-docs/connect/intentions.html.md b/website/pages/api-docs/connect/intentions.mdx similarity index 88% rename from website/pages/api-docs/connect/intentions.html.md rename to website/pages/api-docs/connect/intentions.mdx index 5b7f92b8bc..d77674e701 100644 --- a/website/pages/api-docs/connect/intentions.html.md +++ b/website/pages/api-docs/connect/intentions.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Intentions - Connect - HTTP API +sidebar_title: 'Intentions' sidebar_current: api-connect-intentions description: |- The /connect/intentions endpoint provide tools for managing intentions via @@ -35,8 +36,14 @@ The table below shows this endpoint's support for | ---------------- | ----------------- | ------------- | ------------------------------ | | `NO` | `none` | `none` | `intentions:write`1 | -1 Intention ACL rules are specified as part of a `service` rule. -See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. +

+ 1 Intention ACL rules are specified as part of a `service` rule. + See{' '} + + Intention Management Permissions + {' '} + for more details. +

### Parameters @@ -106,8 +113,14 @@ The table below shows this endpoint's support for | ---------------- | ----------------- | ------------- | ----------------------------- | | `YES` | `all` | `none` | `intentions:read`1 | -1 Intention ACL rules are specified as part of a `service` rule. -See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. +

+ 1 Intention ACL rules are specified as part of a `service` rule. + See{' '} + + Intention Management Permissions + {' '} + for more details. +

### Parameters @@ -162,8 +175,14 @@ The table below shows this endpoint's support for | ---------------- | ----------------- | ------------- | ----------------------------- | | `YES` | `all` | `none` | `intentions:read`1 | -1 Intention ACL rules are specified as part of a `service` rule. -See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. +

+ 1 Intention ACL rules are specified as part of a `service` rule. + See{' '} + + Intention Management Permissions + {' '} + for more details. +

### Parameters @@ -241,8 +260,14 @@ The table below shows this endpoint's support for | ---------------- | ----------------- | ------------- | ------------------------------ | | `NO` | `none` | `none` | `intentions:write`1 | -1 Intention ACL rules are specified as part of a `service` rule. -See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. +

+ 1 Intention ACL rules are specified as part of a `service` rule. + See{' '} + + Intention Management Permissions + {' '} + for more details. +

### Parameters @@ -289,8 +314,14 @@ The table below shows this endpoint's support for | ---------------- | ----------------- | ------------- | ------------------------------ | | `NO` | `none` | `none` | `intentions:write`1 | -1 Intention ACL rules are specified as part of a `service` rule. -See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. +

+ 1 Intention ACL rules are specified as part of a `service` rule. + See{' '} + + Intention Management Permissions + {' '} + for more details. +

### Parameters @@ -329,8 +360,14 @@ The table below shows this endpoint's support for | ---------------- | ----------------- | ------------- | ----------------------------- | | `NO` | `none` | `none` | `intentions:read`1 | -1 Intention ACL rules are specified as part of a `service` rule. -See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. +

+ 1 Intention ACL rules are specified as part of a `service` rule. + See{' '} + + Intention Management Permissions + {' '} + for more details. +

### Parameters @@ -376,8 +413,14 @@ The table below shows this endpoint's support for | ---------------- | ----------------- | ------------- | ----------------------------- | | `NO` | `none` | `none` | `intentions:read`1 | -1 Intention ACL rules are specified as part of a `service` rule. -See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. +

+ 1 Intention ACL rules are specified as part of a `service` rule. + See{' '} + + Intention Management Permissions + {' '} + for more details. +

### Parameters diff --git a/website/pages/api-docs/coordinate.html.md b/website/pages/api-docs/coordinate.mdx similarity index 99% rename from website/pages/api-docs/coordinate.html.md rename to website/pages/api-docs/coordinate.mdx index ffe485ce08..e64737adbf 100644 --- a/website/pages/api-docs/coordinate.html.md +++ b/website/pages/api-docs/coordinate.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Coordinate - HTTP API +sidebar_title: 'Coordinates' sidebar_current: api-coordinate description: |- The /coordinate endpoints query for the network coordinates for nodes in the diff --git a/website/pages/api-docs/discovery-chain.html.md b/website/pages/api-docs/discovery-chain.mdx similarity index 98% rename from website/pages/api-docs/discovery-chain.html.md rename to website/pages/api-docs/discovery-chain.mdx index bfc9045b72..acff9f7379 100644 --- a/website/pages/api-docs/discovery-chain.html.md +++ b/website/pages/api-docs/discovery-chain.mdx @@ -1,9 +1,9 @@ --- layout: api page_title: Discovery Chain - HTTP API +sidebar_title: 'Discovery Chain' sidebar_current: api-discovery-chain -description: |- - The /discovery-chain endpoints are for interacting with the discovery chain. +description: The /discovery-chain endpoints are for interacting with the discovery chain. --- -> **1.6.0+:** The discovery chain API is available in Consul versions 1.6.0 and newer. @@ -33,8 +33,11 @@ the `POST` method must be used, otherwise `GET` is sufficient. | `GET` | `/discovery-chain/:service` | `application/json` | | `POST`1 | `/discovery-chain/:service` | `application/json` | -1 Both GET and POST are for **read** operations. GET requests do not -permit request bodies so a POST is required if override parameters are needed. +

+ 1 Both GET and POST are for read operations. GET + requests do not permit request bodies so a POST is required if override + parameters are needed. +

The table below shows this endpoint's support for [blocking queries](/api/features/blocking.html), diff --git a/website/pages/api-docs/event.html.md b/website/pages/api-docs/event.mdx similarity index 99% rename from website/pages/api-docs/event.html.md rename to website/pages/api-docs/event.mdx index a13a1cafa6..b2027cd60f 100644 --- a/website/pages/api-docs/event.html.md +++ b/website/pages/api-docs/event.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Events - HTTP API +sidebar_title: 'Events' sidebar_current: api-event description: |- The /event endpoints fire new events and to query the available events in diff --git a/website/pages/api-docs/features/blocking.html.md b/website/pages/api-docs/features/blocking.mdx similarity index 99% rename from website/pages/api-docs/features/blocking.html.md rename to website/pages/api-docs/features/blocking.mdx index 1b314aa155..ec87428966 100644 --- a/website/pages/api-docs/features/blocking.html.md +++ b/website/pages/api-docs/features/blocking.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Blocking Queries +sidebar_title: 'Blocking Queries' sidebar_current: api-features-blocking description: |- Many endpoints in Consul support a feature known as "blocking queries". A diff --git a/website/pages/api-docs/features/caching.html.md b/website/pages/api-docs/features/caching.mdx similarity index 99% rename from website/pages/api-docs/features/caching.html.md rename to website/pages/api-docs/features/caching.mdx index 1d77e3596c..4b951d2d33 100644 --- a/website/pages/api-docs/features/caching.html.md +++ b/website/pages/api-docs/features/caching.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Agent Caching +sidebar_title: 'Agent Caching' sidebar_current: api-features-caching description: |- Some read endpoints support agent caching. They are clearly marked in the diff --git a/website/pages/api-docs/features/consistency.html.md b/website/pages/api-docs/features/consistency.mdx similarity index 91% rename from website/pages/api-docs/features/consistency.html.md rename to website/pages/api-docs/features/consistency.mdx index 695e4f5624..51d223022e 100644 --- a/website/pages/api-docs/features/consistency.html.md +++ b/website/pages/api-docs/features/consistency.mdx @@ -1,9 +1,13 @@ --- layout: api page_title: Consistency Modes +sidebar_title: 'API Features' sidebar_current: api-features-consistency -description: |- - Most of the read query endpoints support multiple levels of consistency. Since no policy will suit all clients' needs, these consistency modes allow the user to have the ultimate say in how to balance the trade-offs inherent in a distributed system. +description: >- + Most of the read query endpoints support multiple levels of consistency. Since + no policy will suit all clients' needs, these consistency modes allow the user + to have the ultimate say in how to balance the trade-offs inherent in a + distributed system. --- # Consistency Modes diff --git a/website/pages/api-docs/features/filtering.html.md b/website/pages/api-docs/features/filtering.mdx similarity index 99% rename from website/pages/api-docs/features/filtering.html.md rename to website/pages/api-docs/features/filtering.mdx index caccae200a..de01645796 100644 --- a/website/pages/api-docs/features/filtering.html.md +++ b/website/pages/api-docs/features/filtering.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Filtering +sidebar_title: 'Filtering' sidebar_current: api-features-filtering description: |- Consul exposes a RESTful HTTP API to control almost every aspect of the diff --git a/website/pages/api-docs/features/index.mdx b/website/pages/api-docs/features/index.mdx new file mode 100644 index 0000000000..384f5b678c --- /dev/null +++ b/website/pages/api-docs/features/index.mdx @@ -0,0 +1,7 @@ +--- +layout: api +page_title: API Features +sidebar_title: 'API Features' +--- + +Placeholder diff --git a/website/pages/api-docs/health.html.md b/website/pages/api-docs/health.mdx similarity index 99% rename from website/pages/api-docs/health.html.md rename to website/pages/api-docs/health.mdx index b7acee6d70..92cbf31c2c 100644 --- a/website/pages/api-docs/health.html.md +++ b/website/pages/api-docs/health.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Health - HTTP API +sidebar_title: 'Health' sidebar_current: api-health description: |- The /health endpoints query health-related information for services and checks diff --git a/website/pages/api-docs/index.html.md b/website/pages/api-docs/index.mdx similarity index 98% rename from website/pages/api-docs/index.html.md rename to website/pages/api-docs/index.mdx index a17eadb13b..30ea286593 100644 --- a/website/pages/api-docs/index.html.md +++ b/website/pages/api-docs/index.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: HTTP API +sidebar_title: 'API Introduction' sidebar_current: api-introduction description: |- Consul exposes a RESTful HTTP API to control almost every aspect of the diff --git a/website/pages/api-docs/kv.html.md b/website/pages/api-docs/kv.mdx similarity index 99% rename from website/pages/api-docs/kv.html.md rename to website/pages/api-docs/kv.mdx index 64f7be17b0..73560980ce 100644 --- a/website/pages/api-docs/kv.html.md +++ b/website/pages/api-docs/kv.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: KV Store - HTTP API +sidebar_title: 'KV Store' sidebar_current: api-kv-store description: |- The /kv endpoints access Consul's simple key/value store, useful for storing diff --git a/website/pages/api-docs/libraries-and-sdks.html.md b/website/pages/api-docs/libraries-and-sdks.mdx similarity index 56% rename from website/pages/api-docs/libraries-and-sdks.html.md rename to website/pages/api-docs/libraries-and-sdks.mdx index 71f82e1348..e202c343ca 100644 --- a/website/pages/api-docs/libraries-and-sdks.html.md +++ b/website/pages/api-docs/libraries-and-sdks.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Libraries and SDKs - HTTP API +sidebar_title: 'Libraries & SDKs' sidebar_current: api-libraries-and-sdks description: |- There are many third-party libraries for interacting with Consul's HTTP API. @@ -16,76 +17,112 @@ the community. diff --git a/website/pages/api-docs/namespaces.html.md b/website/pages/api-docs/namespaces.mdx similarity index 98% rename from website/pages/api-docs/namespaces.html.md rename to website/pages/api-docs/namespaces.mdx index 15630c617a..805bc4a0e4 100644 --- a/website/pages/api-docs/namespaces.html.md +++ b/website/pages/api-docs/namespaces.mdx @@ -1,9 +1,9 @@ --- layout: api page_title: Namespace - HTTP API +sidebar_title: 'Namespaces' sidebar_current: api-namespaces -description: |- - The /namespace endpoints allow for managing Consul Enterprise Namespaces. +description: The /namespace endpoints allow for managing Consul Enterprise Namespaces. --- # Namespace - HTTP API @@ -153,9 +153,9 @@ The table below shows this endpoint's support for [agent caching](/api/features/caching.html), and [required ACLs](/api/index.html#authentication). -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ------------------------------------------------ | -| `YES` | `all` | `none` | `operator:read` or `namespace:*:read`1 | +| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | +| ---------------- | ----------------- | ------------- | ------------------------------------------------- | +| `YES` | `all` | `none` | `operator:read` or `namespace:*:read`1 | 1 Access can be granted to list the Namespace if the token used when making the request has been granted any access in the namespace (read, list or write). diff --git a/website/pages/api-docs/operator/area.html.md b/website/pages/api-docs/operator/area.mdx similarity index 99% rename from website/pages/api-docs/operator/area.html.md rename to website/pages/api-docs/operator/area.mdx index e78d29021c..c9c50dcf48 100644 --- a/website/pages/api-docs/operator/area.html.md +++ b/website/pages/api-docs/operator/area.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Network Areas - Operator - HTTP API +sidebar_title: 'Area' sidebar_current: api-operator-area description: |- The /operator/area endpoints expose the network tomography information via diff --git a/website/pages/api-docs/operator/autopilot.html.md b/website/pages/api-docs/operator/autopilot.mdx similarity index 99% rename from website/pages/api-docs/operator/autopilot.html.md rename to website/pages/api-docs/operator/autopilot.mdx index 9c46890a6c..f91fd27fb7 100644 --- a/website/pages/api-docs/operator/autopilot.html.md +++ b/website/pages/api-docs/operator/autopilot.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Autopilot - Operator - HTTP API +sidebar_title: 'Autopilot' sidebar_current: api-operator-autopilot description: |- The /operator/autopilot endpoints allow for automatic operator-friendly diff --git a/website/pages/api-docs/operator.html.md b/website/pages/api-docs/operator/index.mdx similarity index 97% rename from website/pages/api-docs/operator.html.md rename to website/pages/api-docs/operator/index.mdx index e0cb7cf0cb..2f180b55c3 100644 --- a/website/pages/api-docs/operator.html.md +++ b/website/pages/api-docs/operator/index.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Operator - HTTP API +sidebar_title: 'Operator' sidebar_current: api-operator description: |- The /operator endpoints provide cluster-level tools for Consul operators, diff --git a/website/pages/api-docs/operator/keyring.html.md b/website/pages/api-docs/operator/keyring.mdx similarity index 99% rename from website/pages/api-docs/operator/keyring.html.md rename to website/pages/api-docs/operator/keyring.mdx index e5871861ea..826e0a242c 100644 --- a/website/pages/api-docs/operator/keyring.html.md +++ b/website/pages/api-docs/operator/keyring.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Keyring - Operator - HTTP API +sidebar_title: 'Keyring' sidebar_current: api-operator-keyring description: |- The /operator/keyring endpoints allow for management of the gossip encryption diff --git a/website/pages/api-docs/operator/license.html.md b/website/pages/api-docs/operator/license.mdx similarity index 99% rename from website/pages/api-docs/operator/license.html.md rename to website/pages/api-docs/operator/license.mdx index 2eb961be49..d9683fe12b 100644 --- a/website/pages/api-docs/operator/license.html.md +++ b/website/pages/api-docs/operator/license.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: License - Operator - HTTP API +sidebar_title: 'License' sidebar_current: api-operator-license description: |- The /operator/license endpoints allow for setting and retrieving the Consul diff --git a/website/pages/api-docs/operator/raft.html.md b/website/pages/api-docs/operator/raft.mdx similarity index 99% rename from website/pages/api-docs/operator/raft.html.md rename to website/pages/api-docs/operator/raft.mdx index 5564f8f960..9273f60b52 100644 --- a/website/pages/api-docs/operator/raft.html.md +++ b/website/pages/api-docs/operator/raft.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Raft - Operator - HTTP API +sidebar_title: 'Raft' sidebar_current: api-operator-raft description: |- The /operator/raft endpoints provide tools for management of Raft the diff --git a/website/pages/api-docs/operator/segment.html.md b/website/pages/api-docs/operator/segment.mdx similarity index 98% rename from website/pages/api-docs/operator/segment.html.md rename to website/pages/api-docs/operator/segment.mdx index 4a37223934..d60431b8fa 100644 --- a/website/pages/api-docs/operator/segment.html.md +++ b/website/pages/api-docs/operator/segment.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Network Segments - Operator - HTTP API +sidebar_title: 'Segment' sidebar_current: api-operator-segment description: |- The /operator/segment endpoint exposes the network segment information via diff --git a/website/pages/api-docs/query.html.md b/website/pages/api-docs/query.mdx similarity index 99% rename from website/pages/api-docs/query.html.md rename to website/pages/api-docs/query.mdx index 77af2cb6d2..5f44363a36 100644 --- a/website/pages/api-docs/query.html.md +++ b/website/pages/api-docs/query.mdx @@ -1,9 +1,9 @@ --- layout: api page_title: Prepared Queries - HTTP API +sidebar_title: 'Prepared Queries' sidebar_current: api-query -description: |- - The /query endpoints manage and execute prepared queries in Consul. +description: The /query endpoints manage and execute prepared queries in Consul. --- # Prepared Query HTTP Endpoint @@ -491,9 +491,9 @@ The table below shows this endpoint's support for | ---------------- | ----------------- | ------------- | --------------------- | | `NO` | `none` | `simple` | `depends`1 | -1 If an ACL Token was bound to the query when it was defined then it -will be used when executing the request. Otherwise, the client's supplied ACL -Token will be used. +1 If an ACL Token was bound to the query when it was defined then it will +be used when executing the request. Otherwise, the client's supplied ACL Token will +be used. ### Parameters diff --git a/website/pages/api-docs/session.html.md b/website/pages/api-docs/session.mdx similarity index 99% rename from website/pages/api-docs/session.html.md rename to website/pages/api-docs/session.mdx index d32799aae9..2c8bb1ba7f 100644 --- a/website/pages/api-docs/session.html.md +++ b/website/pages/api-docs/session.mdx @@ -1,9 +1,9 @@ --- layout: api page_title: Session - HTTP API +sidebar_title: 'Sessions' sidebar_current: api-session -description: |- - The /session endpoints create, destroy, and query sessions in Consul. +description: 'The /session endpoints create, destroy, and query sessions in Consul.' --- # Session HTTP Endpoint diff --git a/website/pages/api-docs/snapshot.html.md b/website/pages/api-docs/snapshot.mdx similarity index 99% rename from website/pages/api-docs/snapshot.html.md rename to website/pages/api-docs/snapshot.mdx index 04f22ea1bd..f9e97723fd 100644 --- a/website/pages/api-docs/snapshot.html.md +++ b/website/pages/api-docs/snapshot.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Snapshot - HTTP API +sidebar_title: 'Snapshots' sidebar_current: api-snapshot description: |- The /snapshot endpoints save and restore Consul's server state for disaster diff --git a/website/pages/api-docs/status.html.md b/website/pages/api-docs/status.mdx similarity index 99% rename from website/pages/api-docs/status.html.md rename to website/pages/api-docs/status.mdx index 588631ccf8..e8e3d7cb41 100644 --- a/website/pages/api-docs/status.html.md +++ b/website/pages/api-docs/status.mdx @@ -1,6 +1,7 @@ --- layout: api page_title: Status - HTTP API +sidebar_title: 'Status' sidebar_current: api-status description: |- The /status endpoints return information about the status of the Consul diff --git a/website/pages/api-docs/txn.html.md b/website/pages/api-docs/txn.mdx similarity index 96% rename from website/pages/api-docs/txn.html.md rename to website/pages/api-docs/txn.mdx index 2bc197996a..5a383e46fa 100644 --- a/website/pages/api-docs/txn.html.md +++ b/website/pages/api-docs/txn.mdx @@ -1,9 +1,12 @@ --- layout: api page_title: Transaction - HTTP API +sidebar_title: 'Transactions' sidebar_current: api-txn -description: |- - The /txn endpoint manages multiple operations in Consul, including catalog updates and fetches of multiple KV entries inside a single, atomic transaction. +description: >- + The /txn endpoint manages multiple operations in Consul, including catalog + updates and fetches of multiple KV entries inside a single, atomic + transaction. --- # Transactions HTTP API @@ -40,13 +43,15 @@ The table below shows this endpoint's support for [agent caching](/api/features/caching.html), and [required ACLs](/api/index.html#authentication). -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ------------------------------------------------------------------------------------------ | -| `NO` | `all`1 | `none` | `key:read,key:write`
`node:read,node:write`
`service:read,service:write`2 | +| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | +| ---------------- | ----------------- | ------------- | ---------------------------------------------------------------------------------------------- | +| `NO` | `all`1 | `none` | `key:read,key:write`
`node:read,node:write`
`service:read,service:write`2 | -1 For read-only transactions -
-2 The ACL required depends on the operations in the transaction. +

+ 1 For read-only transactions +
+ 2 The ACL required depends on the operations in the transaction. +

### Parameters @@ -109,7 +114,7 @@ The table below shows this endpoint's support for The body of the request should be a list of operations to perform inside the atomic transaction. Up to 64 operations may be present in a single transaction. -```javascript +```json [ { "KV": { @@ -182,7 +187,7 @@ was successfully applied, or a status code of 409 will be returned if it was rolled back. If either of these status codes are returned, the response will look like this: -```javascript +```json { "Results": [ { diff --git a/website/pages/docs/acl/acl-auth-methods.html.md b/website/pages/docs/acl/acl-auth-methods.mdx similarity index 96% rename from website/pages/docs/acl/acl-auth-methods.html.md rename to website/pages/docs/acl/acl-auth-methods.mdx index 8ba1a5466a..415f77ff4b 100644 --- a/website/pages/docs/acl/acl-auth-methods.html.md +++ b/website/pages/docs/acl/acl-auth-methods.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'ACL Auth Methods' -sidebar_current: 'docs-acl-auth-methods' -description: |- - An auth method is a component in Consul that performs authentication against a trusted external party to authorize the creation of an ACL tokens usable within the local datacenter. +layout: docs +page_title: ACL Auth Methods +sidebar_current: docs-acl-auth-methods +description: >- + An auth method is a component in Consul that performs authentication against a + trusted external party to authorize the creation of an ACL tokens usable + within the local datacenter. --- -> **1.5.0+:** This guide only applies in Consul versions 1.5.0 and newer. diff --git a/website/pages/docs/acl/acl-legacy.html.md b/website/pages/docs/acl/acl-legacy.mdx similarity index 93% rename from website/pages/docs/acl/acl-legacy.html.md rename to website/pages/docs/acl/acl-legacy.mdx index 7487625872..be552cce08 100644 --- a/website/pages/docs/acl/acl-legacy.html.md +++ b/website/pages/docs/acl/acl-legacy.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'ACL System (Legacy Mode)' -sidebar_current: 'docs-acl-legacy' -description: |- - Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways. +layout: docs +page_title: ACL System (Legacy Mode) +sidebar_current: docs-acl-legacy +description: >- + Consul provides an optional Access Control List (ACL) system which can be used + to control access to data and APIs. The ACL system is a Capability-based + system that relies on tokens which can have fine grained rules applied to + them. It is very similar to AWS IAM in many ways. --- -> **1.3.0 and earlier:** This document only applies in Consul versions 1.3.0 and before. If you are using version 1.4.0 or later please use the updated documentation [here](/docs/acl/acl-system.html) @@ -988,43 +991,14 @@ prepared query namespace. These differences are outlined in the table below: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OperationVersion <= 0.6.3 Version > 0.6.3
Create static query without `Name`The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query.No ACL policies are used as long as no `Name` is defined. No `Token` is captured by default unless specifically supplied by the client when creating the query.
Create static query with `Name`The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query.The client token's `query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query.
Manage static query without `Name`The ACL Token used to create the query, or a management token must be supplied in order to perform these operations.Any client with the ID of the query can perform these operations.
Manage static query with a `Name`The ACL token used to create the query, or a management token must be supplied in order to perform these operations.Similar to create, the client token's `query` ACL policy is used to determine if these operations are allowed.
List queriesA management token is required to list any queries.The client token's `query` ACL policy is used to determine which queries they can see. Only management tokens can see prepared queries without `Name`.
Execute querySince a `Token` is always captured when a query is created, that is used to check access to the service being queried. Any token supplied by the client is ignored.The captured token, client's token, or anonymous token is used to filter the results, as described above.
+| Operation | Version <= 0.6.3 | Version > 0.6.3 | +| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Create static query without `Name` | The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query. | No ACL policies are used as long as no `Name` is defined. No `Token` is captured by default unless specifically supplied by the client when creating the query. | +| Create static query with `Name` | The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query. | The client token's `query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query. | +| Manage static query without `Name` | The ACL Token used to create the query, or a management token must be supplied in order to perform these operations. | Any client with the ID of the query can perform these operations. | +| Manage static query with a `Name` | The ACL token used to create the query, or a management token must be supplied in order to perform these operations. | Similar to create, the client token's `query` ACL policy is used to determine if these operations are allowed. | +| List queries | A management token is required to list any queries. | The client token's `query` ACL policy is used to determine which queries they can see. Only management tokens can see prepared queries without `Name`. | +| Execute query | Since a `Token` is always captured when a query is created, that is used to check access to the service being queried. Any token supplied by the client is ignored. | The captured token, client's token, or anonymous token is used to filter the results, as described above. | #### Service Rules diff --git a/website/pages/docs/acl/acl-migrate-tokens.html.md b/website/pages/docs/acl/acl-migrate-tokens.mdx similarity index 99% rename from website/pages/docs/acl/acl-migrate-tokens.html.md rename to website/pages/docs/acl/acl-migrate-tokens.mdx index cb5247323d..5d508fddbd 100644 --- a/website/pages/docs/acl/acl-migrate-tokens.html.md +++ b/website/pages/docs/acl/acl-migrate-tokens.mdx @@ -1,10 +1,13 @@ --- -layout: 'docs' -page_title: 'ACL Token Migration' -sidebar_current: 'docs-acl-migrate-tokens' -description: |- - Consul 1.4.0 introduces a new ACL system with improvements for the security and +layout: docs +page_title: ACL Token Migration +sidebar_current: docs-acl-migrate-tokens +description: >- + Consul 1.4.0 introduces a new ACL system with improvements for the security + and + management of ACL tokens and policies. This guide documents how to upgrade + existing (now called "legacy") tokens after upgrading to 1.4.0. --- diff --git a/website/pages/docs/acl/acl-rules.html.md.erb b/website/pages/docs/acl/acl-rules.mdx similarity index 79% rename from website/pages/docs/acl/acl-rules.html.md.erb rename to website/pages/docs/acl/acl-rules.mdx index b941ab1765..ed326bcf44 100644 --- a/website/pages/docs/acl/acl-rules.html.md.erb +++ b/website/pages/docs/acl/acl-rules.mdx @@ -1,22 +1,25 @@ --- -layout: "docs" -page_title: "ACL Rules" -sidebar_current: "docs-acl-rules" -description: |- - Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways. +layout: docs +page_title: ACL Rules +sidebar_current: docs-acl-rules +description: >- + Consul provides an optional Access Control List (ACL) system which can be used + to control access to data and APIs. The ACL system is a Capability-based + system that relies on tokens which can have fine grained rules applied to + them. It is very similar to AWS IAM in many ways. --- -> **1.4.0 and later:** This document only applies in Consul versions 1.4.0 and later. The documentation for the legacy ACL system is [here](/docs/acl/acl-legacy.html) # ACL Rules -Consul provides an optional Access Control List (ACL) system which can be used +Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. To learn more about Consul's ACL review the [ACL system documentation](/docs/acl/acl-system.html) A core part of the ACL system is the rule language, which is used to describe the policy that must be enforced. There are two types of rules: prefix based rules and exact matching -rules. +rules. ## Rule Specification @@ -38,17 +41,17 @@ Note that not all resource areas are segmented such as the `keyring`, `operator` Policies can have several control levels: -* `read`: allow the resource to be read but not modified. -* `write`: allow the resource to be read and modified. -* `deny`: do not allow the resource to be read or modified. -* `list`: allows access to all the keys under a segment in the Consul KV. Note, this policy can only be used with the `key_prefix` resource and [`acl.enable_key_list_policy`](/docs/agent/options.html#acl_enable_key_list) must be set to true. +- `read`: allow the resource to be read but not modified. +- `write`: allow the resource to be read and modified. +- `deny`: do not allow the resource to be read or modified. +- `list`: allows access to all the keys under a segment in the Consul KV. Note, this policy can only be used with the `key_prefix` resource and [`acl.enable_key_list_policy`](/docs/agent/options.html#acl_enable_key_list) must be set to true. When using prefix-based rules, the most specific prefix match determines the action. This allows for flexible rules like an empty prefix to allow read-only access to all resources, along with some specific prefixes that allow write access or that are denied all access. Exact matching rules will only apply to the exact resource specified. -The order of precedence for matching rules are, DENY has priority over WRITE or READ and - WRITE has priority over READ. +The order of precedence for matching rules are, DENY has priority over WRITE or READ and +WRITE has priority over READ. We make use of the [HashiCorp Configuration Language (HCL)](https://github.com/hashicorp/hcl/) to specify @@ -92,9 +95,9 @@ This is equivalent to the following JSON input: "policy": "deny" } }, - "key" : { - "foo/bar/secret" : { - "policy" : "deny" + "key": { + "foo/bar/secret": { + "policy": "deny" } }, "operator": "read" @@ -132,20 +135,20 @@ On success, the Policy is returned: ```json { - "CreateIndex": 7, - "Hash": "UMG6QEbV40Gs7Cgi6l/ZjYWUwRS0pIxxusFKyKOt8qI=", - "ID": "5f423562-aca1-53c3-e121-cb0eb2ea1cd3", - "ModifyIndex": 7, - "Name": "my-app-policy", - "Rules": "key \"\" { policy = \"read\" } key \"foo/\" { policy = \"write\" } key \"foo/private/\" { policy = \"deny\" } operator = \"read\"" + "CreateIndex": 7, + "Hash": "UMG6QEbV40Gs7Cgi6l/ZjYWUwRS0pIxxusFKyKOt8qI=", + "ID": "5f423562-aca1-53c3-e121-cb0eb2ea1cd3", + "ModifyIndex": 7, + "Name": "my-app-policy", + "Rules": "key \"\" { policy = \"read\" } key \"foo/\" { policy = \"write\" } key \"foo/private/\" { policy = \"deny\" } operator = \"read\"" } ``` -The created policy can now be specified either by name or by ID when +The created policy can now be specified either by name or by ID when [creating a token](https://learn.hashicorp.com/consul/security-networking/production-acls#create-the-agent-token). This will grant the rules provided to the [bearer of that token](/api/index.html#authentication). -Below is a breakdown of each rule type. +Below is a breakdown of each rule type. #### ACL Resource Rules @@ -183,9 +186,9 @@ agent_prefix "bar" { ``` Agent rules are keyed by the node name they apply to. In the example above the rules -allow read-only access to any node name by using the empty prefix, read-write access to +allow read-only access to any node name by using the empty prefix, read-write access to the node with the _exact_ name `foo`, and denies all access to any node name that starts -with `bar`. +with `bar`. Since [Agent API](/api/agent.html) utility operations may be required before an agent is joined to a cluster, or during an outage of the Consul servers or ACL datacenter, a special token may be @@ -211,7 +214,7 @@ event "deploy" { Event rules are segmented by the event name they apply to. In the example above, the rules allow read-only access to any event, and firing of the "deploy" event. -The [`consul exec`](/docs/commands/exec.html) command uses events with the "_rexec" prefix during +The [`consul exec`](/docs/commands/exec.html) command uses events with the "\_rexec" prefix during operation, so to enable this feature in a Consul environment with ACLs enabled, you will need to give agents a token with access to this event prefix, in addition to configuring [`disable_remote_exec`](/docs/agent/options.html#disable_remote_exec) to `false`. @@ -391,7 +394,7 @@ There are a few variations when using ACLs with prepared queries, each of which ways: open, protected by unguessable IDs or closed, managed by ACL policies. These variations are covered here, with examples: -* Static queries with no `Name` defined are not controlled by any ACL policies. +- Static queries with no `Name` defined are not controlled by any ACL policies. These types of queries are meant to be ephemeral and not shared to untrusted clients, and they are only reachable if the prepared query ID is known. Since these IDs are generated using the same random ID scheme as ACL Tokens, it is @@ -401,7 +404,7 @@ here, with examples: startup script, tied to a session, and written to a configuration file for a process to use via DNS. -* Static queries with a `Name` defined are controlled by the `query` and `query_prefix` +- Static queries with a `Name` defined are controlled by the `query` and `query_prefix` ACL resources. Clients are required to have an ACL token with permissions on to access that query name. Clients can list or read queries for which they have "read" access based on their prefix, and similar they can @@ -410,7 +413,7 @@ here, with examples: that is used and known by many clients to provide geo-failover behavior for a database. -* [Template queries](/api/query.html#templates) +- [Template queries](/api/query.html#templates) queries work like static queries with a `Name` defined, except that a catch-all template with an empty `Name` requires an ACL token that can write to any query prefix. @@ -420,14 +423,14 @@ checks are run against the service being queried, similar to how ACLs work with other service lookups. There are several ways the ACL token is selected for this check: -* If an ACL Token was captured when the prepared query was defined, it will be +- If an ACL Token was captured when the prepared query was defined, it will be used to perform the service lookup. This allows queries to be executed by clients with lesser or even no ACL Token, so this should be used with care. -* If no ACL Token was captured, then the client's ACL Token will be used to +- If no ACL Token was captured, then the client's ACL Token will be used to perform the service lookup. -* If no ACL Token was captured and the client has no ACL Token, then the +- If no ACL Token was captured and the client has no ACL Token, then the anonymous token will be used to perform the service lookup. In the common case, the ACL Token of the invoker is used @@ -446,43 +449,14 @@ prepared query namespace. These differences are outlined in the table below: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OperationVersion <= 0.6.3 Version > 0.6.3
Create static query without `Name`The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query.No ACL policies are used as long as no `Name` is defined. No `Token` is captured by default unless specifically supplied by the client when creating the query.
Create static query with `Name`The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query.The client token's `query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query.
Manage static query without `Name`The ACL Token used to create the query or a token with management privileges must be supplied in order to perform these operations.Any client with the ID of the query can perform these operations.
Manage static query with a `Name`The ACL token used to create the query or a token with management privileges must be supplied in order to perform these operations.Similar to create, the client token's `query` ACL policy is used to determine if these operations are allowed.
List queriesA token with management privileges is required to list any queries.The client token's `query` ACL policy is used to determine which queries they can see. Only tokens with management privileges can see prepared queries without `Name`.
Execute querySince a `Token` is always captured when a query is created, that is used to check access to the service being queried. Any token supplied by the client is ignored.The captured token, client's token, or anonymous token is used to filter the results, as described above.
+| Operation | Version <= 0.6.3 | Version > 0.6.3 | +| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Create static query without `Name` | The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query. | No ACL policies are used as long as no `Name` is defined. No `Token` is captured by default unless specifically supplied by the client when creating the query. | +| Create static query with `Name` | The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query. | The client token's `query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query. | +| Manage static query without `Name` | The ACL Token used to create the query or a token with management privileges must be supplied in order to perform these operations. | Any client with the ID of the query can perform these operations. | +| Manage static query with a `Name` | The ACL token used to create the query or a token with management privileges must be supplied in order to perform these operations. | Similar to create, the client token's `query` ACL policy is used to determine if these operations are allowed. | +| List queries | A token with management privileges is required to list any queries. | The client token's `query` ACL policy is used to determine which queries they can see. Only tokens with management privileges can see prepared queries without `Name`. | +| Execute query | Since a `Token` is always captured when a query is created, that is used to check access to the service being queried. Any token supplied by the client is ignored. | The captured token, client's token, or anonymous token is used to filter the results, as described above. | #### Service Rules @@ -565,19 +539,19 @@ and deny all access to any sessions on the "admin" node. #### Namespace Rules Enterprise -[Consul Enterprise](https://www.hashicorp.com/consul.html) 1.7.0 adds support for namespacing many +[Consul Enterprise](https://www.hashicorp.com/consul.html) 1.7.0 adds support for namespacing many Consul resources. ACL rules themselves can then be defined to only to apply to specific namespaces. A Namespace specific rule would look like this: ```hcl namespace_prefix "" { - + # grant service:read for all services in all namespaces service_prefix "" { policy = "read" } - + # grant node:read for all nodes in all namespaces node_prefix "" { policy = "read" @@ -587,22 +561,22 @@ namespace_prefix "" { namespace "foo" { # grants permission to manage ACLs only for the foo namespace acl = "write" - + # grants write permissions to the KV for namespace foo key_prefix "" { policy = "write" } - + # grants write permissions for sessions for namespace foo session_prefix "" { policy = "write" } - + # grants service:write for all services in the foo namespace service_prefix "" { policy = "write" } - + # grants node:read for all nodes node_prefix "" { policy = "read" @@ -618,11 +592,11 @@ Note, when a rule is defined in any user created namespace, the following restri 4. `query` rules are not allowed. 5. `node` rules that attempt to grant `write` privileges are not allowed. -These restrictions do not apply to the `default` namespace created by Consul. In general all of the +These restrictions do not apply to the `default` namespace created by Consul. In general all of the above are permissions that only an operator should have and thus granting these permissions can only be done within the default namespace. --> **Implicit namespacing:** Rules and policies created within a namespace will inherit the namespace configuration. -This means that rules and policies will be implicitly namespaced and do not need additional configuration. -The restrictions outlined above will apply to these rules and policies. Additionally, rules and policies within a +-> **Implicit namespacing:** Rules and policies created within a namespace will inherit the namespace configuration. +This means that rules and policies will be implicitly namespaced and do not need additional configuration. +The restrictions outlined above will apply to these rules and policies. Additionally, rules and policies within a specific namespace are prevented from accessing resources in another namespace. diff --git a/website/pages/docs/acl/acl-system.html.md b/website/pages/docs/acl/acl-system.mdx similarity index 98% rename from website/pages/docs/acl/acl-system.html.md rename to website/pages/docs/acl/acl-system.mdx index ad4b2c457b..0673e2c55b 100644 --- a/website/pages/docs/acl/acl-system.html.md +++ b/website/pages/docs/acl/acl-system.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'ACL System' -sidebar_current: 'docs-acl-system' -description: |- - Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways. +layout: docs +page_title: ACL System +sidebar_current: docs-acl-system +description: >- + Consul provides an optional Access Control List (ACL) system which can be used + to control access to data and APIs. The ACL system is a Capability-based + system that relies on tokens which can have fine grained rules applied to + them. It is very similar to AWS IAM in many ways. --- -> **1.4.0 and later:** This guide only applies in Consul versions 1.4.0 and later. The documentation for the legacy ACL system is [here](/docs/acl/acl-legacy.html) diff --git a/website/pages/docs/acl/auth-methods/kubernetes.html.md b/website/pages/docs/acl/auth-methods/kubernetes.mdx similarity index 95% rename from website/pages/docs/acl/auth-methods/kubernetes.html.md rename to website/pages/docs/acl/auth-methods/kubernetes.mdx index e8702ed60b..cd28ae6c83 100644 --- a/website/pages/docs/acl/auth-methods/kubernetes.html.md +++ b/website/pages/docs/acl/auth-methods/kubernetes.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Kubernetes Auth Method' -sidebar_current: 'docs-acl-auth-methods-kubernetes' -description: |- - The Kubernetes auth method type allows for a Kubernetes service account token to be used to authenticate to Consul. This method of authentication makes it easy to introduce a Consul token into a Kubernetes pod. +layout: docs +page_title: Kubernetes Auth Method +sidebar_current: docs-acl-auth-methods-kubernetes +description: >- + The Kubernetes auth method type allows for a Kubernetes service account token + to be used to authenticate to Consul. This method of authentication makes it + easy to introduce a Consul token into a Kubernetes pod. --- -> **1.5.0+:** This guide only applies in Consul versions 1.5.0 and newer. diff --git a/website/pages/docs/acl/index.html.md b/website/pages/docs/acl/index.mdx similarity index 93% rename from website/pages/docs/acl/index.html.md rename to website/pages/docs/acl/index.mdx index 7ce4364c25..5498ab3ffc 100644 --- a/website/pages/docs/acl/index.html.md +++ b/website/pages/docs/acl/index.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'ACL Guides' -sidebar_current: 'docs-acl-index' -description: |- - Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. Select the following guide for your use case. +layout: docs +page_title: ACL Guides +sidebar_current: docs-acl-index +description: >- + Consul provides an optional Access Control List (ACL) system which can be used + to control access to data and APIs. Select the following guide for your use + case. --- # ACL Documentation and Guides diff --git a/website/pages/docs/agent/basics.html.md b/website/pages/docs/agent/basics.mdx similarity index 96% rename from website/pages/docs/agent/basics.html.md rename to website/pages/docs/agent/basics.mdx index 174b58b825..71a6b5c50f 100644 --- a/website/pages/docs/agent/basics.html.md +++ b/website/pages/docs/agent/basics.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Agent' -sidebar_current: 'docs-agent-running' -description: |- - The Consul agent is the core process of Consul. The agent maintains membership information, registers services, runs checks, responds to queries, and more. The agent must run on every node that is part of a Consul cluster. +layout: docs +page_title: Agent +sidebar_current: docs-agent-running +description: >- + The Consul agent is the core process of Consul. The agent maintains membership + information, registers services, runs checks, responds to queries, and more. + The agent must run on every node that is part of a Consul cluster. --- # Consul Agent diff --git a/website/pages/docs/agent/checks.html.md b/website/pages/docs/agent/checks.mdx similarity index 88% rename from website/pages/docs/agent/checks.html.md rename to website/pages/docs/agent/checks.mdx index 3131c6e976..93b4963859 100644 --- a/website/pages/docs/agent/checks.html.md +++ b/website/pages/docs/agent/checks.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Check Definition' -sidebar_current: 'docs-agent-checks' -description: |- - One of the primary roles of the agent is management of system- and application-level health checks. A health check is considered to be application-level if it is associated with a service. A check is defined in a configuration file or added at runtime over the HTTP interface. +layout: docs +page_title: Check Definition +sidebar_current: docs-agent-checks +description: >- + One of the primary roles of the agent is management of system- and + application-level health checks. A health check is considered to be + application-level if it is associated with a service. A check is defined in a + configuration file or added at runtime over the HTTP interface. --- # Checks @@ -77,23 +80,19 @@ There are several different kinds of checks: It is possible to configure a custom TCP check timeout value by specifying the `timeout` field in the check definition. -- Time to Live (TTL) - These checks retain their last known - state for a given TTL. The state of the check must be updated periodically - over the HTTP interface. If an external system fails to update the status - within a given TTL, the check is set to the failed state. This mechanism, - conceptually similar to a dead man's switch, relies on the application to - directly report its health. For example, a healthy app can periodically `PUT` a - status update to the HTTP endpoint; if the app fails, the TTL will expire and - the health check enters a critical state. The endpoints used to update health - information for a given check are: - [pass](/api/agent/check.html#ttl-check-pass), - [warn](/api/agent/check.html#ttl-check-warn), - [fail](/api/agent/check.html#ttl-check-fail), and - [update](/api/agent/check.html#ttl-check-update). TTL - checks also persist their last known status to disk. This allows the Consul - agent to restore the last known status of the check across restarts. Persisted - check status is valid through the end of the TTL from the time of the last - check. +- Time to Live (TTL) - These checks retain their last known state + for a given TTL. The state of the check must be updated periodically over the HTTP + interface. If an external system fails to update the status within a given TTL, + the check is set to the failed state. This mechanism, conceptually similar to a + dead man's switch, relies on the application to directly report its health. For + example, a healthy app can periodically `PUT` a status update to the HTTP endpoint; + if the app fails, the TTL will expire and the health check enters a critical state. + The endpoints used to update health information for a given check are: [pass](/api/agent/check.html#ttl-check-pass), + [warn](/api/agent/check.html#ttl-check-warn), [fail](/api/agent/check.html#ttl-check-fail), + and [update](/api/agent/check.html#ttl-check-update). TTL checks also persist their + last known status to disk. This allows the Consul agent to restore the last known + status of the check across restarts. Persisted check status is valid through the + end of the TTL from the time of the last check. - Docker + Interval - These checks depend on invoking an external application which is packaged within a Docker Container. The application is triggered within the running @@ -121,15 +120,14 @@ There are several different kinds of checks: To check on a specific service instead of the whole gRPC server, add the service identifier after the `gRPC` check's endpoint in the following format `/:service_identifier`. - Alias - These checks alias the health state of another registered - node or service. The state of the check will be updated asynchronously, - but is nearly instant. For aliased services on the same agent, the local - state is monitored and no additional network resources are consumed. For - other services and nodes, the check maintains a blocking query over the - agent's connection with a current server and allows stale requests. If there - are any errors in watching the aliased node or service, the check state will be - critical. For the blocking query, the check will use the ACL token set - on the service or check definition or otherwise will fall back to the default ACL - token set with the agent (`acl_token`). + node or service. The state of the check will be updated asynchronously, but is + nearly instant. For aliased services on the same agent, the local state is monitored + and no additional network resources are consumed. For other services and nodes, + the check maintains a blocking query over the agent's connection with a current + server and allows stale requests. If there are any errors in watching the aliased + node or service, the check state will be critical. For the blocking query, the + check will use the ACL token set on the service or check definition or otherwise + will fall back to the default ACL token set with the agent (`acl_token`). ## Check Definition diff --git a/website/pages/docs/agent/cloud-auto-join.html.md b/website/pages/docs/agent/cloud-auto-join.mdx similarity index 98% rename from website/pages/docs/agent/cloud-auto-join.html.md rename to website/pages/docs/agent/cloud-auto-join.mdx index 25cbb34869..d438be7ec5 100644 --- a/website/pages/docs/agent/cloud-auto-join.html.md +++ b/website/pages/docs/agent/cloud-auto-join.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Cloud Auto-join' -sidebar_current: 'docs-agent-cloud-auto-join' -description: |- - Consul supports automatically joining a Consul datacenter using cloud metadata on various providers. +layout: docs +page_title: Cloud Auto-join +sidebar_current: docs-agent-cloud-auto-join +description: >- + Consul supports automatically joining a Consul datacenter using cloud metadata + on various providers. --- # Cloud Auto-join @@ -180,7 +181,10 @@ $ consul agent -retry-join "provider=softlayer datacenter=... tag_value=... user ``` - `provider` (required) - the name of the provider ("softlayer" in this case). -- datacenter (required) - the name of the datacenter to auto-join in. +- + + datacenter + (required) - the name of the datacenter to auto-join in. - `tag_value` (required) - the value of the tag to auto-join on. - `username` (required) - the username to use for auth. - `api_key` (required) - the api key to use for auth. diff --git a/website/pages/docs/agent/config-entries/proxy-defaults.html.md b/website/pages/docs/agent/config-entries/proxy-defaults.mdx similarity index 94% rename from website/pages/docs/agent/config-entries/proxy-defaults.html.md rename to website/pages/docs/agent/config-entries/proxy-defaults.mdx index 6db5e35a5e..e6d793529c 100644 --- a/website/pages/docs/agent/config-entries/proxy-defaults.html.md +++ b/website/pages/docs/agent/config-entries/proxy-defaults.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' +layout: docs page_title: 'Configuration Entry Kind: Proxy Defaults' -sidebar_current: 'docs-agent-cfg_entries-proxy_defaults' -description: |- - The proxy-defaults config entry kind allows for configuring global config defaults across all services for Connect proxy configuration. Currently, only one global entry is supported. +sidebar_current: docs-agent-cfg_entries-proxy_defaults +description: >- + The proxy-defaults config entry kind allows for configuring global config + defaults across all services for Connect proxy configuration. Currently, only + one global entry is supported. --- # Proxy Defaults diff --git a/website/pages/docs/agent/config-entries/service-defaults.html.md b/website/pages/docs/agent/config-entries/service-defaults.mdx similarity index 96% rename from website/pages/docs/agent/config-entries/service-defaults.html.md rename to website/pages/docs/agent/config-entries/service-defaults.mdx index 6a04f4b7ad..e9456ffccd 100644 --- a/website/pages/docs/agent/config-entries/service-defaults.html.md +++ b/website/pages/docs/agent/config-entries/service-defaults.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' +layout: docs page_title: 'Configuration Entry Kind: Service Defaults' -sidebar_current: 'docs-agent-cfg_entries-service_defaults' -description: |- - The service-defaults config entry kind controls default global values for a service, such as its protocol. +sidebar_current: docs-agent-cfg_entries-service_defaults +description: >- + The service-defaults config entry kind controls default global values for a + service, such as its protocol. --- # Service Defaults diff --git a/website/pages/docs/agent/config-entries/service-resolver.html.md b/website/pages/docs/agent/config-entries/service-resolver.mdx similarity index 97% rename from website/pages/docs/agent/config-entries/service-resolver.html.md rename to website/pages/docs/agent/config-entries/service-resolver.mdx index c5781c3426..0259e1df50 100644 --- a/website/pages/docs/agent/config-entries/service-resolver.html.md +++ b/website/pages/docs/agent/config-entries/service-resolver.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' +layout: docs page_title: 'Configuration Entry Kind: Service Resolver' -sidebar_current: 'docs-agent-cfg_entries-service_resolver' -description: |- - The `service-resolver` config entry kind controls which service instances should satisfy Connect upstream discovery requests for a given service name. +sidebar_current: docs-agent-cfg_entries-service_resolver +description: >- + The `service-resolver` config entry kind controls which service instances + should satisfy Connect upstream discovery requests for a given service name. --- -> **1.6.0+:** This config entry is available in Consul versions 1.6.0 and newer. diff --git a/website/pages/docs/agent/config-entries/service-router.html.md b/website/pages/docs/agent/config-entries/service-router.mdx similarity index 98% rename from website/pages/docs/agent/config-entries/service-router.html.md rename to website/pages/docs/agent/config-entries/service-router.mdx index d47ca4d311..d023b6b70a 100644 --- a/website/pages/docs/agent/config-entries/service-router.html.md +++ b/website/pages/docs/agent/config-entries/service-router.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' +layout: docs page_title: 'Configuration Entry Kind: Service Router' -sidebar_current: 'docs-agent-cfg_entries-service_router' -description: |- - The service-router config entry kind controls Connect traffic routing and manipulation at networking layer 7 (e.g. HTTP). +sidebar_current: docs-agent-cfg_entries-service_router +description: >- + The service-router config entry kind controls Connect traffic routing and + manipulation at networking layer 7 (e.g. HTTP). --- -> **1.6.0+:** This config entry is available in Consul versions 1.6.0 and newer. diff --git a/website/pages/docs/agent/config-entries/service-splitter.html.md b/website/pages/docs/agent/config-entries/service-splitter.mdx similarity index 91% rename from website/pages/docs/agent/config-entries/service-splitter.html.md rename to website/pages/docs/agent/config-entries/service-splitter.mdx index c744d0ff68..584600f77a 100644 --- a/website/pages/docs/agent/config-entries/service-splitter.html.md +++ b/website/pages/docs/agent/config-entries/service-splitter.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' +layout: docs page_title: 'Configuration Entry Kind: Service Splitter' -sidebar_current: 'docs-agent-cfg_entries-service_splitter' -description: |- - The service-splitter config entry kind controls how to split incoming Connect requests across different subsets of a single service (like during staged canary rollouts), or perhaps across different services (like during a v2 rewrite or other type of codebase migration). +sidebar_current: docs-agent-cfg_entries-service_splitter +description: >- + The service-splitter config entry kind controls how to split incoming Connect + requests across different subsets of a single service (like during staged + canary rollouts), or perhaps across different services (like during a v2 + rewrite or other type of codebase migration). --- -> **1.6.0+:** This config entry is available in Consul versions 1.6.0 and newer. diff --git a/website/pages/docs/agent/config_entries.html.md b/website/pages/docs/agent/config_entries.mdx similarity index 96% rename from website/pages/docs/agent/config_entries.html.md rename to website/pages/docs/agent/config_entries.mdx index 404c770b09..7cf15f47dc 100644 --- a/website/pages/docs/agent/config_entries.html.md +++ b/website/pages/docs/agent/config_entries.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Configuration Entry Definitions' -sidebar_current: 'docs-agent-cfg_entries' -description: |- - Consul allows storing configuration entries centrally to be used as defaults for configuring other aspects of Consul. +layout: docs +page_title: Configuration Entry Definitions +sidebar_current: docs-agent-cfg_entries +description: >- + Consul allows storing configuration entries centrally to be used as defaults + for configuring other aspects of Consul. --- # Configuration Entries diff --git a/website/pages/docs/agent/dns.html.md b/website/pages/docs/agent/dns.mdx similarity index 95% rename from website/pages/docs/agent/dns.html.md rename to website/pages/docs/agent/dns.mdx index 0c2bffbe38..d9684be692 100644 --- a/website/pages/docs/agent/dns.html.md +++ b/website/pages/docs/agent/dns.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'DNS Interface' -sidebar_current: 'docs-agent-dns' -description: |- - One of the primary query interfaces for Consul is DNS. The DNS interface allows applications to make use of service discovery without any high-touch integration with Consul. +layout: docs +page_title: DNS Interface +sidebar_current: docs-agent-dns +description: >- + One of the primary query interfaces for Consul is DNS. The DNS interface + allows applications to make use of service discovery without any high-touch + integration with Consul. --- # DNS Interface @@ -48,7 +50,9 @@ To resolve names, Consul relies on a very specific format for queries. There are fundamentally two types of queries: node lookups and service lookups. A node lookup, a simple query for the address of a named node, looks like this: - .node[.datacenter]. +```text +.node[.datacenter]. +``` For example, if we have a `foo` node with default settings, we could look for `foo.node.dc1.consul.` The datacenter is an optional part of @@ -115,7 +119,9 @@ it is recommended to use the HTTP API to retrieve the list of nodes. The format of a standard service lookup is: - [tag.].service[.datacenter]. +```text +[tag.].service[.datacenter]. +``` The `tag` is optional, and, as with node lookups, the `datacenter` is as well. If no tag is provided, no filtering is done on tag. If no @@ -204,7 +210,9 @@ Again, note that the SRV record returns the port of the service as well as its I The format of a prepared query lookup is: - .query[.datacenter]. +```text +.query[.datacenter]. +``` The `datacenter` is optional, and if not provided, the datacenter of this Consul agent is assumed. @@ -227,7 +235,9 @@ only served if the client specifically requests them. To find Connect-capable services: - .connect. +```text +.connect. +``` This will find all [Connect-capable](/docs/connect/index.html) endpoints for the given `service`. A Connect-capable endpoint may be @@ -274,7 +284,9 @@ services via DNS. To maintain backwards compatibility existing queries can be us and these will resolve services within the `default` namespace. However, for resolving services from other namespaces the following form can be used: - [tag.].service... +```text +[tag.].service... +``` This is the canonical name of a Consul Enterprise service with all parts present. Like Consul OSS some parts may be omitted but which parts depend on the value of the @@ -283,12 +295,16 @@ Consul OSS some parts may be omitted but which parts depend on the value of the With `prefer_namespace` set to `true` the datacenter may be omitted and will be defaulted to the local agents datacenter: - [tag.].service.. +```text +[tag.].service.. +``` With `prefer_namespace` set to `false` the namespace may be omitted and will be defaulted to the `default` namespace: - [tag.].service. +```text +[tag.].service. +``` Finally, both the namespace and datacenter may be omitted and the service will be resolved in the `default` namespace and in the datacenter of the local agent. diff --git a/website/pages/docs/agent/encryption.html.md b/website/pages/docs/agent/encryption.mdx similarity index 95% rename from website/pages/docs/agent/encryption.html.md rename to website/pages/docs/agent/encryption.mdx index 4887ff5033..5c1366e63a 100644 --- a/website/pages/docs/agent/encryption.html.md +++ b/website/pages/docs/agent/encryption.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Encryption' -sidebar_current: 'docs-agent-encryption' -description: |- - The Consul agent supports encrypting all of its network traffic. The exact method of encryption is described on the encryption internals page. There are two separate encryption systems, one for gossip traffic and one for RPC. +layout: docs +page_title: Encryption +sidebar_current: docs-agent-encryption +description: >- + The Consul agent supports encrypting all of its network traffic. The exact + method of encryption is described on the encryption internals page. There are + two separate encryption systems, one for gossip traffic and one for RPC. --- # Encryption diff --git a/website/pages/docs/agent/kv.html.md b/website/pages/docs/agent/kv.mdx similarity index 96% rename from website/pages/docs/agent/kv.html.md rename to website/pages/docs/agent/kv.mdx index 6e8f1559df..862cdc743e 100644 --- a/website/pages/docs/agent/kv.html.md +++ b/website/pages/docs/agent/kv.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Consul KV' -sidebar_current: 'docs-agent-kv' -description: |- - Consul KV is a core feature of Consul and is installed with the Consul agent. +layout: docs +page_title: Consul KV +sidebar_current: docs-agent-kv +description: Consul KV is a core feature of Consul and is installed with the Consul agent. --- # Consul KV diff --git a/website/pages/docs/agent/options.html.md b/website/pages/docs/agent/options.html.md deleted file mode 100644 index aef9836823..0000000000 --- a/website/pages/docs/agent/options.html.md +++ /dev/null @@ -1,2020 +0,0 @@ ---- -layout: 'docs' -page_title: 'Configuration' -sidebar_current: 'docs-agent-config' -description: |- - The agent has various configuration options that can be specified via the command-line or via configuration files. All of the configuration options are completely optional. Defaults are specified with their descriptions. ---- - -# Configuration - -The agent has various configuration options that can be specified via -the command-line or via configuration files. All of the configuration -options are completely optional. Defaults are specified with their -descriptions. - -Configuration precedence is evaluated in the following order: - -1. Command line arguments -2. Configuration files - -When loading configuration, Consul loads the configuration from files and -directories in lexical order. For example, configuration file -`basic_config.json` will be processed before `extra_config.json`. Configuration -can be in either [HCL](https://github.com/hashicorp/hcl#syntax) or JSON format. -Available in Consul 1.0 and later, the HCL support now requires an `.hcl` or -`.json` extension on all configuration files in order to specify their format. - -Configuration specified later will be merged into configuration specified -earlier. In most cases, "merge" means that the later version will override the -earlier. In some cases, such as event handlers, merging appends the handlers to -the existing configuration. The exact merging behavior is specified for each -option below. - -Consul also supports reloading configuration when it receives the -SIGHUP signal. Not all changes are respected, but those that are -documented below in the -[Reloadable Configuration](#reloadable-configuration) section. The -[reload command](/docs/commands/reload.html) can also be used to trigger a -configuration reload. - -You can test the following configuration options by following the [Getting Started](https://learn.hashicorp.com/consul/getting-started/install?utm_source=consul.io&utm_medium=docs) guides to install a local agent. - -## Environment Variables - -Environment variables **cannot** be used to configure the Consul client. They -_can_ be used when running other `consul` CLI commands that connect with a -running agent, e.g. `CONSUL_HTTP_ADDR=192.168.0.1:8500 consul members`. - -See [Consul Commands](/docs/commands/index.html#environment-variables) for more -information. - -## Command-line Options - -The options below are all specified on the command-line. - -- `-advertise` - The - advertise address is used to change the address that we advertise to other - nodes in the cluster. By default, the [`-bind`](#_bind) address is advertised. - However, in some cases, there may be a routable address that cannot be bound. - This flag enables gossiping a different address to support this. If this - address is not routable, the node will be in a constant flapping state as - other nodes will treat the non-routability as a failure. In Consul 1.0 and - later this can be set to a - [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - template. - -- `-advertise-wan` - The - advertise WAN address is used to change the address that we advertise to server nodes - joining through the WAN. This can also be set on client agents when used in combination - with the `translate_wan_addrs` configuration - option. By default, the [`-advertise`](#_advertise) address is advertised. However, in some - cases all members of all datacenters cannot be on the same physical or virtual network, - especially on hybrid setups mixing cloud and private datacenters. This flag enables server - nodes gossiping through the public network for the WAN while using private VLANs for gossiping - to each other and their client agents, and it allows client agents to be reached at this - address when being accessed from a remote datacenter if the remote datacenter is configured - with `translate_wan_addrs`. In Consul 1.0 and - later this can be set to a - [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - template - -- `-bootstrap` - This flag is used to control if a - server is in "bootstrap" mode. It is important that - no more than one server _per_ datacenter be running in this mode. Technically, a server in bootstrap mode - is allowed to self-elect as the Raft leader. It is important that only a single node is in this mode; - otherwise, consistency cannot be guaranteed as multiple nodes are able to self-elect. - It is not recommended to use this flag after a cluster has been bootstrapped. - -- `-bootstrap-expect` - This flag - provides the number of expected servers in the datacenter. - Either this value should not be provided or the value must agree with other servers in - the cluster. When provided, Consul waits until the specified number of servers are - available and then bootstraps the cluster. This allows an initial leader to be elected - automatically. This cannot be used in conjunction with the legacy [`-bootstrap`](#_bootstrap) flag. - This flag requires [`-server`](#_server) mode. - -- `-bind` - The address that should be bound to - for internal cluster communications. - This is an IP address that should be reachable by all other nodes in the cluster. - By default, this is "0.0.0.0", meaning Consul will bind to all addresses on - the local machine and will [advertise](/docs/agent/options.html#_advertise) - the private IPv4 address to the rest of the cluster. If there - are multiple private IPv4 addresses available, Consul will exit with an error - at startup. If you specify "[::]", Consul will [advertise](/docs/agent/options.html#_advertise) - the public IPv6 address. - If there are multiple public IPv6 addresses available, Consul will exit with an error at startup. - Consul uses both TCP and UDP and the same port for both. If you have any firewalls, - be sure to allow both protocols. In Consul 1.0 and later this can be set to a - [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - template that needs to resolve to a single address. Some example templates: - - ```sh - # Using address within a specific CIDR - $ consul agent -bind '{{ GetPrivateInterfaces | include "network" "10.0.0.0/8" | attr "address" }}' - ``` - - ```sh - # Using a static network interface name - $ consul agent -bind '{{ GetInterfaceIP "eth0" }}' - ``` - - ```sh - # Using regular expression matching for network interface name that is forwardable and up - $ consul agent -bind '{{ GetAllInterfaces | include "name" "^eth" | include "flags" "forwardable|up" | attr "address" }}' - ``` - -- `-serf-wan-bind` - - The address that should be bound to for Serf WAN gossip communications. By - default, the value follows the same rules as [`-bind` command-line - flag](#_bind), and if this is not specified, the `-bind` option is used. This - is available in Consul 0.7.1 and later. In Consul 1.0 and later this can be - set to a - [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - template - -- `-serf-lan-bind` - - The address that should be bound to for Serf LAN gossip communications. This - is an IP address that should be reachable by all other LAN nodes in the - cluster. By default, the value follows the same rules as [`-bind` command-line - flag](#_bind), and if this is not specified, the `-bind` option is used. This - is available in Consul 0.7.1 and later. In Consul 1.0 and later this can be - set to a - [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - template - -- `-check_output_max_size` - - Override the default limit of 4k for maximum size of checks, this is a positive - value. - By limiting this size, it allows to put less pressure on Consul servers when - many checks are having a very large output in their checks. - In order to completely disable check output capture, it is possible to - use `discard_check_output`. - -- `-client` - The address to which - Consul will bind client interfaces, including the HTTP and DNS servers. By - default, this is "127.0.0.1", allowing only loopback connections. In Consul - 1.0 and later this can be set to a space-separated list of addresses to bind - to, or a - [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - template that can potentially resolve to multiple addresses. - -- `-config-file` - A configuration file - to load. For more information on - the format of this file, read the [Configuration Files](#configuration_files) section. - This option can be specified multiple times to load multiple configuration - files. If it is specified multiple times, configuration files loaded later - will merge with configuration files loaded earlier. During a config merge, - single-value keys (string, int, bool) will simply have their values replaced - while list types will be appended together. - -- `-config-dir` - A directory of - configuration files to load. Consul will - load all files in this directory with the suffix ".json" or ".hcl". The load order - is alphabetical, and the the same merge routine is used as with the - [`config-file`](#_config_file) option above. This option can be specified multiple times - to load multiple directories. Sub-directories of the config directory are not loaded. - For more information on the format of the configuration files, see the - [Configuration Files](#configuration_files) section. - -- `-config-format` - The format - of the configuration files to load. Normally, Consul detects the format of the - config files from the ".json" or ".hcl" extension. Setting this option to - either "json" or "hcl" forces Consul to interpret any file with or without - extension to be interpreted in that format. - -- `-data-dir` - This flag - provides a data directory for the agent to store state. This is required for - all agents. The directory should be durable across reboots. This is especially - critical for agents that are running in server mode as they must be able to - persist cluster state. Additionally, the directory must support the use of - filesystem locking, meaning some types of mounted folders (e.g. VirtualBox - shared folders) may not be suitable. **Note:** both server and non-server - agents may store ACL tokens in the state in this directory so read access may - grant access to any tokens on servers and to any tokens used during service - registration on non-servers. On Unix-based platforms the files are written - with 0600 permissions so you should ensure only trusted processes can execute - as the same user as Consul. On Windows, you should ensure the directory has - suitable permissions configured as these will be inherited. - -- `-datacenter` - This flag controls the datacenter in - which the agent is running. If not provided, - it defaults to "dc1". Consul has first-class support for multiple datacenters, but - it relies on proper configuration. Nodes in the same datacenter should be on a single - LAN. - -- `-dev` - Enable development server - mode. This is useful for quickly starting a Consul agent with all persistence - options turned off, enabling an in-memory server which can be used for rapid - prototyping or developing against the API. In this mode, [Connect is - enabled](/docs/connect/configuration.html) and will by default create a new - root CA certificate on startup. This mode is **not** intended for production - use as it does not write any data to disk. The gRPC port is also defaulted to - `8502` in this mode. - -- `-disable-host-node-id` - Setting - this to true will prevent Consul from using information from the host to generate a deterministic node ID, - and will instead generate a random node ID which will be persisted in the data directory. This is useful - when running multiple Consul agents on the same host for testing. This defaults to false in Consul prior - to version 0.8.5 and in 0.8.5 and later defaults to true, so you must opt-in for host-based IDs. Host-based - IDs are generated using https://github.com/shirou/gopsutil/tree/master/host, which is shared with HashiCorp's - [Nomad](https://www.nomadproject.io/), so if you opt-in to host-based IDs then Consul and Nomad will use - information on the host to automatically assign the same ID in both systems. - -- `-disable-keyring-file` - If set, - the keyring will not be persisted to a file. Any installed keys will be lost on shutdown, and only the given - `-encrypt` key will be available on startup. This defaults to false. - -- `-dns-port` - the DNS port to listen on. - This overrides the default port 8600. This is available in Consul 0.7 and later. - -- `-domain` - By default, Consul responds to DNS queries - in the "consul." domain. This flag can be used to change that domain. All queries in this domain - are assumed to be handled by Consul and will not be recursively resolved. - -- `-alt-domain` - This flag allows Consul to respond to - DNS queries in an alternate domain, in addition to the primary domain. If unset, no alternate domain is used. - -- `-enable-script-checks` This controls - whether [health checks that execute scripts](/docs/agent/checks.html) are - enabled on this agent, and defaults to `false` so operators must opt-in to - allowing these. This was added in Consul 0.9.0. - - ~> **Security Warning:** Enabling script checks in some configurations may - introduce a remote execution vulnerability which is known to be targeted by - malware. We strongly recommend `-enable-local-script-checks` instead. See [this - blog post](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations) - for more details. - -- `-enable-local-script-checks` - Like [`enable_script_checks`](#_enable_script_checks), but only enable them when they are defined in the local - configuration files. Script checks defined in HTTP API registrations will still not be allowed. - -- `-encrypt` - Specifies the secret key to - use for encryption of Consul - network traffic. This key must be 32-bytes that are Base64-encoded. The - easiest way to create an encryption key is to use - [`consul keygen`](/docs/commands/keygen.html). All - nodes within a cluster must share the same encryption key to communicate. - The provided key is automatically persisted to the data directory and loaded - automatically whenever the agent is restarted. This means that to encrypt - Consul's gossip protocol, this option only needs to be provided once on each - agent's initial startup sequence. If it is provided after Consul has been - initialized with an encryption key, then the provided key is ignored and - a warning will be displayed. - -- `-grpc-port` - the gRPC API - port to listen on. Default -1 (gRPC disabled). See [ports](#ports) - documentation for more detail. - -- `-hcl` - A HCL configuration fragment. - This HCL configuration fragment is appended to the configuration and allows - to specify the full range of options of a config file on the command line. - This option can be specified multiple times. This was added in Consul 1.0. - -- `-http-port` - the HTTP API port to listen on. - This overrides the default port 8500. This option is very useful when deploying Consul - to an environment which communicates the HTTP port through the environment e.g. PaaS like CloudFoundry, allowing - you to set the port directly via a Procfile. - -- `-https-port` - the HTTPS API - port to listen on. Default -1 (https disabled). See [ports](#ports) - documentation for more detail. - -- `-log-file` - writes all the Consul agent log messages to a file. This value is used as a prefix for the log file name. The current timestamp is appended to the file name. If the value ends in a path separator, `consul-` will be appened to the value. If the file name is missing an extension, `.log` is appended. For example, setting `log-file` to `/var/log/` would result in a log file path of `/var/log/consul-{timestamp}.log`. `log-file` can be combined with -log-rotate-bytes and -log-rotate-duration for a fine-grained log rotation experience. - -- `-log-rotate-bytes` - to specify the number of bytes that should be written to a log before it needs to be rotated. Unless specified, there is no limit to the number of bytes that can be written to a log file. - -- `-log-rotate-duration` - to specify the maximum duration a log should be written to before it needs to be rotated. Must be a duration value such as 30s. Defaults to 24h. - -- `-log-rotate-max-files` - to specify the maximum number of older log file archives to keep. Defaults to 0 (no files are ever deleted). Set to -1 to discard old log files when a new one is created. - -- `-default-query-time` - This flag controls the - amount of time a blocking query will wait before Consul will force a response. - This value can be overridden by the `wait` query parameter. Note that Consul - applies some jitter on top of this time. Defaults to 300s. - -- `-max-query-time` - - this flag controls the maximum amount of time a blocking query can wait before - Consul will force a response. Consul applies jitter to the wait time. The jittered - time will be capped to this time. Defaults to 600s. - -- `-join` - Address of another agent - to join upon starting up. This can be - specified multiple times to specify multiple agents to join. If Consul is - unable to join with any of the specified addresses, agent startup will - fail. By default, the agent won't join any nodes when it starts up. - Note that using - `retry_join` could be more appropriate to help - mitigate node startup race conditions when automating a Consul cluster - deployment. - - In Consul 1.1.0 and later this can be set to a - [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - template - - - -- `-retry-join` - Similar to [`-join`](#_join) but allows retrying a join until - it is successful. Once it joins successfully to a member in a list of members - it will never attempt to join again. Agents will then solely maintain their - membership via gossip. This is useful for cases where you know the address will - eventually be available. This option can be specified multiple times to - specify multiple agents to join. The value can contain IPv4, IPv6, or DNS - addresses. In Consul 1.1.0 and later this can be set to a - [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - template. If Consul is running on the non-default Serf LAN port, this must be - specified as well. IPv6 must use the "bracketed" syntax. If multiple values - are given, they are tried and retried in the order listed until the first - succeeds. Here are some examples: - - ```sh - # Using a DNS entry - $ consul agent -retry-join "consul.domain.internal" - ``` - - ```sh - # Using IPv4 - $ consul agent -retry-join "10.0.4.67" - ``` - - ```sh - # Using IPv6 - $ consul agent -retry-join "[::1]:8301" - ``` - - ```sh - # Using multiple addresses - $ consul agent -retry-join "consul.domain.internal" -retry-join "10.0.4.67" - ``` - - ### Cloud Auto-Joining - - As of Consul 0.9.1, `retry-join` accepts a unified interface using the - [go-discover](https://github.com/hashicorp/go-discover) library for doing - automatic cluster joining using cloud metadata. For more information, see - the [Cloud Auto-join page](/docs/agent/cloud-auto-join.html). - - ```sh - # Using Cloud Auto-Joining - $ consul agent -retry-join "provider=aws tag_key=..." - ``` - -- `-retry-interval` - Time - to wait between join attempts. Defaults to 30s. - -- `-retry-max` - The maximum number - of [`-join`](#_join) attempts to be made before exiting - with return code 1. By default, this is set to 0 which is interpreted as infinite - retries. - -- `-join-wan` - Address of - another wan agent to join upon starting up. This can be specified multiple - times to specify multiple WAN agents to join. If Consul is unable to join with - any of the specified addresses, agent startup will fail. By default, the agent - won't [`-join-wan`](#_join_wan) any nodes when it starts up. - - In Consul 1.1.0 and later this can be set to a - [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - template. - -- `-retry-join-wan` - Similar - to [`retry-join`](#_retry_join) but allows retrying a wan join if the first attempt fails. - This is useful for cases where we know the address will become available eventually. - As of Consul 0.9.3 [Cloud Auto-Joining](#cloud-auto-joining) is supported as well. - - In Consul 1.1.0 and later this can be set to a - [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - template - -- `-retry-interval-wan` - Time - to wait between [`-join-wan`](#_join_wan) attempts. - Defaults to 30s. - -- `-retry-max-wan` - The maximum - number of [`-join-wan`](#_join_wan) attempts to be made before exiting with return code 1. - By default, this is set to 0 which is interpreted as infinite retries. - -- `-log-level` - The level of logging to - show after the Consul agent has started. This defaults to "info". The available log levels are - "trace", "debug", "info", "warn", and "err". You can always connect to an - agent via [`consul monitor`](/docs/commands/monitor.html) and use any log level. Also, the - log level can be changed during a config reload. - -- `-log-json` - This flag - enables the agent to output logs in a JSON format. By default this is false. - -- `-node` - The name of this node in the cluster. - This must be unique within the cluster. By default this is the hostname of the machine. - -- `-node-id` - Available in Consul 0.7.3 and later, this - is a unique identifier for this node across all time, even if the name of the node or address - changes. This must be in the form of a hex string, 36 characters long, such as - `adf4238a-882b-9ddc-4a9d-5b6758e4159e`. If this isn't supplied, which is the most common case, then - the agent will generate an identifier at startup and persist it in the data directory - so that it will remain the same across agent restarts. Information from the host will be used to - generate a deterministic node ID if possible, unless [`-disable-host-node-id`](#_disable_host_node_id) is - set to true. - -- `-node-meta` - Available in Consul 0.7.3 and later, - this specifies an arbitrary metadata key/value pair to associate with the node, of the form `key:value`. - This can be specified multiple times. Node metadata pairs have the following restrictions: - - - A maximum of 64 key/value pairs can be registered per node. - - Metadata keys must be between 1 and 128 characters (inclusive) in length - - Metadata keys must contain only alphanumeric, `-`, and `_` characters. - - Metadata keys must not begin with the `consul-` prefix; that is reserved for internal use by Consul. - - Metadata values must be between 0 and 512 (inclusive) characters in length. - - Metadata values for keys beginning with `rfc1035-` are encoded verbatim in DNS TXT requests, otherwise - the metadata kv-pair is encoded according [RFC1464](https://www.ietf.org/rfc/rfc1464.txt). - -- `-pid-file` - This flag provides the file - path for the agent to store its PID. This is useful for sending signals (for example, `SIGINT` - to close the agent or `SIGHUP` to update check definite - -- `-protocol` - The Consul protocol version to use. Consul agents speak protocol 2 by default, - however agents will automatically use protocol >2 when speaking to compatible agents. This should be set only when - [upgrading](/docs/upgrading.html). You can view the protocol versions supported by Consul by running `consul -v`. - -- `-primary-gateway` - Similar - to [`retry-join-wan`](#_retry_join_wan) but allows retrying discovery of fallback addresses - for the mesh gateways in the primary datacenter if the first attempt fails. - This is useful for cases where we know the address will become available eventually. - [Cloud Auto-Joining](#cloud-auto-joining) is supported as well as [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - templates. - This was added in Consul 1.8.x **TODO(wanfed)**. - -- `-raft-protocol` - This controls the internal - version of the Raft consensus protocol used for server communications. This must be set to 3 in order to - gain access to Autopilot features, with the exception of [`cleanup_dead_servers`](#cleanup_dead_servers). - Defaults to 3 in Consul 1.0.0 and later (defaulted to 2 previously). See - [Raft Protocol Version Compatibility](/docs/upgrade-specific.html#raft-protocol-version-compatibility) - for more details. - -- `-recursor` - Specifies the address of an upstream DNS - server. This option may be provided multiple times, and is functionally - equivalent to the [`recursors` configuration option](#recursors). - -- `-rejoin` - When provided, Consul will ignore a - previous leave and attempt to rejoin the cluster when starting. By default, Consul treats leave - as a permanent intent and does not attempt to join the cluster again when starting. This flag - allows the previous state to be used to rejoin the cluster. - -- `-segment` - (Enterprise-only) This flag is used to set - the name of the network segment the agent belongs to. An agent can only join and communicate with other agents - within its network segment. See the [Network Segments Guide](https://learn.hashicorp.com/consul/day-2-operations/network-segments) for more details. - By default, this is an empty string, which is the default network segment. - -- `-serf-lan-port` - the Serf LAN port to listen on. - This overrides the default Serf LAN port 8301. This is available in Consul 1.2.2 and later. - -- `-serf-wan-port` - the Serf WAN port to listen on. - This overrides the default Serf WAN port 8302. This is available in Consul 1.2.2 and later. - -- `-server` - This flag is used to control if an - agent is in server or client mode. When provided, - an agent will act as a Consul server. Each Consul cluster must have at least one server and ideally - no more than 5 per datacenter. All servers participate in the Raft consensus algorithm to ensure that - transactions occur in a consistent, linearizable manner. Transactions modify cluster state, which - is maintained on all server nodes to ensure availability in the case of node failure. Server nodes also - participate in a WAN gossip pool with server nodes in other datacenters. Servers act as gateways - to other datacenters and forward traffic as appropriate. - -- `-server-port` - the server RPC port to listen on. - This overrides the default server RPC port 8300. This is available in Consul 1.2.2 and later. - -- `-non-voting-server` - (Enterprise-only) - This flag is used to make the server not participate in the Raft quorum, and have it only receive the data - replication stream. This can be used to add read scalability to a cluster in cases where a high volume of - reads to servers are needed. - -- `-syslog` - This flag enables logging to syslog. This - is only supported on Linux and OSX. It will result in an error if provided on Windows. - -- `-ui` - Enables the built-in web UI - server and the required HTTP routes. This eliminates the need to maintain the - Consul web UI files separately from the binary. - -- `-ui-dir` - This flag provides the directory containing - the Web UI resources for Consul. This will automatically enable the Web UI. The directory must be - readable to the agent. Starting with Consul version 0.7.0 and later, the Web UI assets are included in the binary so this flag is no longer necessary; specifying only the `-ui` flag is enough to enable the Web UI. Specifying both the '-ui' and '-ui-dir' flags will result in an error. - -- `-ui-content-path` - This flag provides the option to change the path the Consul UI loads from and will be displayed in the browser. By default, the path is `/ui/`, for example `http://localhost:8500/ui/`. Only alphanumerics, `-`, and `_` are allowed in a custom path. `/v1/` is not allowed as it would overwrite the API endpoint. - -## Configuration Files - -In addition to the command-line options, configuration can be put into -files. This may be easier in certain situations, for example when Consul is -being configured using a configuration management system. - -The configuration files are JSON formatted, making them easily readable -and editable by both humans and computers. The configuration is formatted -as a single JSON object with configuration within it. - -Configuration files are used for more than just setting up the agent, -they are also used to provide check and service definitions. These are used -to announce the availability of system servers to the rest of the cluster. -They are documented separately under [check configuration](/docs/agent/checks.html) and -[service configuration](/docs/agent/services.html) respectively. The service and check -definitions support being updated during a reload. - -#### Example Configuration File - -```javascript -{ - "datacenter": "east-aws", - "data_dir": "/opt/consul", - "log_level": "INFO", - "node_name": "foobar", - "server": true, - "watches": [ - { - "type": "checks", - "handler": "/usr/bin/health-check-handler.sh" - } - ], - "telemetry": { - "statsite_address": "127.0.0.1:2180" - } -} -``` - -#### Example Configuration File, with TLS - -```javascript -{ - "datacenter": "east-aws", - "data_dir": "/opt/consul", - "log_level": "INFO", - "node_name": "foobar", - "server": true, - "addresses": { - "https": "0.0.0.0" - }, - "ports": { - "https": 8501 - }, - "key_file": "/etc/pki/tls/private/my.key", - "cert_file": "/etc/pki/tls/certs/my.crt", - "ca_file": "/etc/pki/tls/certs/ca-bundle.crt" -} -``` - -See, especially, the use of the `ports` setting: - -```javascript -"ports": { - "https": 8501 -} -``` - -Consul will not enable TLS for the HTTP API unless the `https` port has been -assigned a port number `> 0`. We recommend using `8501` for `https` as this -default will automatically work with some tooling. - -#### Configuration Key Reference - --> **Note:** All the TTL values described below are parsed by Go's `time` package, and have the following -[formatting specification](https://golang.org/pkg/time/#ParseDuration): "A -duration string is a possibly signed sequence of decimal numbers, each with -optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. -Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'." - -- `acl` - This object allows a number - of sub-keys to be set which controls the ACL system. Configuring the - ACL system within the ACL stanza was added in Consul 1.4.0 - - The following sub-keys are available: - - - `enabled` - Enables ACLs. - - - `policy_ttl` - Used to control - Time-To-Live caching of ACL policies. By default, this is 30 seconds. This setting has a - major performance impact: reducing it will cause more frequent refreshes while increasing - it reduces the number of refreshes. However, because the caches are not actively invalidated, - ACL policy may be stale up to the TTL value. - - - `role_ttl` - Used to control - Time-To-Live caching of ACL roles. By default, this is 30 seconds. This setting has a - major performance impact: reducing it will cause more frequent refreshes while increasing - it reduces the number of refreshes. However, because the caches are not actively invalidated, - ACL role may be stale up to the TTL value. - - - `token_ttl` - Used to control - Time-To-Live caching of ACL tokens. By default, this is 30 seconds. This setting has a - major performance impact: reducing it will cause more frequent refreshes while increasing - it reduces the number of refreshes. However, because the caches are not actively invalidated, - ACL token may be stale up to the TTL value. - - - `down_policy` - Either - "allow", "deny", "extend-cache" or "async-cache"; "extend-cache" is the default. In the case that a - policy or token cannot be read from the [`primary_datacenter`](#primary_datacenter) or leader - node, the down policy is applied. In "allow" mode, all actions are permitted, "deny" restricts - all operations, and "extend-cache" allows any cached objects to be used, ignoring their TTL - values. If a non-cached ACL is used, "extend-cache" acts like "deny". - The value "async-cache" acts the same way as "extend-cache" but performs updates - asynchronously when ACL is present but its TTL is expired, thus, if latency is bad between - the primary and secondary datacenters, latency of operations is not impacted. - - - `default_policy` - Either - "allow" or "deny"; defaults to "allow" but this will be changed in a future major release. - The default policy controls the behavior of a token when there is no matching rule. In "allow" mode, - ACLs are a blacklist: any operation not specifically prohibited is allowed. In "deny" mode, ACLs are - a whitelist: any operation not specifically allowed is blocked. _Note_: this will not take effect until - you've enabled ACLs. - - - `enable_key_list_policy` - Either "enabled" or "disabled", defaults to "disabled". When enabled, the `list` permission will be required on the prefix being recursively read from the KV store. Regardless of being enabled, the full set of KV entries under the prefix will be filtered to remove any entries that the request's ACL token does not grant at least read permissions. This option is only available in Consul 1.0 and newer. - - - `enable_token_replication` - By - default secondary Consul datacenters will perform replication of only ACL policies and roles. - Setting this configuration will will enable ACL token replication and - allow for the creation of both [local tokens](/api/acl/tokens.html#local) - and [auth methods](/docs/acl/acl-auth-methods.html) in connected secondary - datacenters. - - - `enable_token_persistence` - Either - `true` or `false`. When `true` tokens set using the API will be persisted to disk and reloaded when an agent restarts. - - - `tokens` - This object holds - all of the configured ACL tokens for the agents usage. - - - `master` - Only used - for servers in the [`primary_datacenter`](#primary_datacenter). This token will be created with management-level - permissions if it does not exist. It allows operators to bootstrap the ACL system - with a token Secret ID that is well-known. -

- The `master` token is only installed when a server acquires cluster leadership. If - you would like to install or change the `acl_master_token`, set the new value for `master` - in the configuration for all servers. Once this is done, restart the current leader to force a - leader election. If the `master` token is not supplied, then the servers do not create a master - token. When you provide a value, it should be a UUID. To maintain backwards compatibility - and an upgrade path this restriction is not currently enforced but will be in a future major - Consul release. - - - `default` - When provided, - the agent will use this token when making requests to the Consul servers. Clients can - override this token on a per-request basis by providing the "?token" query parameter. - When not provided, the empty token, which maps to the 'anonymous' ACL token, is used. - - - `agent` - Used for clients - and servers to perform internal operations. If this isn't specified, then the - `default` will be used. -

- This token must at least have write access to the node name it will register as in order to set any - of the node-level information in the catalog such as metadata, or the node's tagged addresses. - - - `agent_master` - - Used to access agent endpoints that require agent read - or write privileges, or node read privileges, even if Consul servers aren't present to validate - any tokens. This should only be used by operators during outages, regular ACL tokens should normally - be used by applications. - - - `replication` - - The ACL token used to authorize secondary datacenters with the primary datacenter for replication - operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when - ACLs are enabled. This token may be provided later using the [agent token API](/api/agent.html#update-acl-tokens) - on each server. This token must have at least "read" permissions on ACL data but if ACL - token replication is enabled then it must have "write" permissions. This also enables - Connect replication, for which the token will require both operator - "write" and intention "read" permissions for replicating CA and Intention data. - - - `managed_service_provider` - - **(Enterprise Only)** An array of ACL tokens used by Consul managed service providers for cluster operations. - - ```javascript - "managed_service_provider": [ - { - "accessor_id": "ed22003b-0832-4e48-ac65-31de64e5c2ff", - "secret_id": "cb6be010-bba8-4f30-a9ed-d347128dde17" - } - ] - ``` - -- `acl_datacenter` - **This field is - deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.** - - This designates the datacenter which is authoritative for ACL information. It must be provided to enable ACLs. All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients, - it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement - of ACLs. Please see the [ACL Guide](https://learn.hashicorp.com/consul/security-networking/production-acls) for more details. - -- `acl_default_policy` - **Deprecated in Consul 1.4.0. - See the [`acl.default_policy`](#acl_default_policy) field instead.** Either - "allow" or "deny"; defaults to "allow". The default policy controls the behavior of a token when - there is no matching rule. In "allow" mode, ACLs are a blacklist: any operation not specifically - prohibited is allowed. In "deny" mode, ACLs are a whitelist: any operation not - specifically allowed is blocked. _Note_: this will not take effect until you've set `primary_datacenter` - to enable ACL support. - -- `acl_down_policy` - **Deprecated in Consul 1.4.0. - See the [`acl.down_policy`](#acl_down_policy) field instead.**Either - "allow", "deny", "extend-cache" or "async-cache"; "extend-cache" is the default. In the case that the - policy for a token cannot be read from the [`primary_datacenter`](#primary_datacenter) or leader - node, the down policy is applied. In "allow" mode, all actions are permitted, "deny" restricts - all operations, and "extend-cache" allows any cached ACLs to be used, ignoring their TTL - values. If a non-cached ACL is used, "extend-cache" acts like "deny". - The value "async-cache" acts the same way as "extend-cache" but performs updates - asynchronously when ACL is present but its TTL is expired, thus, if latency is bad between - ACL authoritative and other datacenters, latency of operations is not impacted. - -- `acl_agent_master_token` - - **Deprecated in Consul 1.4.0. See the [`acl.tokens.agent_master`](#acl_tokens_agent_master) field instead.** - Used to access agent endpoints that require agent read - or write privileges, or node read privileges, even if Consul servers aren't present to validate - any tokens. This should only be used by operators during outages, regular ACL tokens should normally - be used by applications. This was added in Consul 0.7.2 and is only used when - `acl_enforce_version_8` is set to true. - -- `acl_agent_token` - - **Deprecated in Consul 1.4.0. See the [`acl.tokens.agent`](#acl_tokens_agent) field instead.** - Used for clients and servers to perform internal operations. If this isn't specified, then the - `acl_token` will be used. This was added in Consul 0.7.2. - - This token must at least have write access to the node name it will register as in order to set any - of the node-level information in the catalog such as metadata, or the node's tagged addresses. - -- `acl_enforce_version_8` - - **Deprecated in Consul 1.4.0** - Used for clients and servers to determine if enforcement should occur for new ACL policies being - previewed before Consul 0.8. Added in Consul 0.7.2, this defaults to false in versions of - Consul prior to 0.8, and defaults to true in Consul 0.8 and later. This helps ease the - transition to the new ACL features by allowing policies to be in place before enforcement begins. - -* `acl_master_token` - - **Deprecated in Consul 1.4.0. See the [`acl.tokens.master`](#acl_tokens_master) field instead.** Only used - for servers in the [`primary_datacenter`](#primary_datacenter). This token will be created with management-level - permissions if it does not exist. It allows operators to bootstrap the ACL system - with a token ID that is well-known. - - The `acl_master_token` is only installed when a server acquires cluster leadership. If - you would like to install or change the `acl_master_token`, set the new value for `acl_master_token` - in the configuration for all servers. Once this is done, restart the current leader to force a - leader election. If the `acl_master_token` is not supplied, then the servers do not create a master - token. When you provide a value, it can be any string value. Using a UUID would ensure that it looks - the same as the other tokens, but isn't strictly necessary. - -* `acl_replication_token` - - **Deprecated in Consul 1.4.0. See the [`acl.tokens.replication`](#acl_tokens_replication) field instead.** - Only used for servers outside the [`primary_datacenter`](#primary_datacenter) running Consul 0.7 or later. - When provided, this will enable [ACL replication](https://learn.hashicorp.com/consul/day-2-operations/acl-replication) using this - ACL replication using this - token to retrieve and replicate the ACLs to the non-authoritative local datacenter. In Consul 0.9.1 - and later you can enable ACL replication using [`enable_acl_replication`](#enable_acl_replication) - and then set the token later using the [agent token API](/api/agent.html#update-acl-tokens) on each - server. If the `acl_replication_token` is set in the config, it will automatically set - [`enable_acl_replication`](#enable_acl_replication) to true for backward compatibility. - - If there's a partition or other outage affecting the authoritative datacenter, and the - [`acl_down_policy`](/docs/agent/options.html#acl_down_policy) is set to "extend-cache", tokens not - in the cache can be resolved during the outage using the replicated set of ACLs. - -* `acl_token` - - **Deprecated in Consul 1.4.0. See the [`acl.tokens.default`](#acl_tokens_default) field instead.** - When provided, the agent will use this - token when making requests to the Consul servers. Clients can override this token on a per-request - basis by providing the "?token" query parameter. When not provided, the empty token, which maps to - the 'anonymous' ACL policy, is used. - -* `acl_ttl` - - **Deprecated in Consul 1.4.0. See the [`acl.token_ttl`](#acl_token_ttl) field instead.**Used to control Time-To-Live caching of ACLs. - By default, this is 30 seconds. This setting has a major performance impact: reducing it will cause - more frequent refreshes while increasing it reduces the number of refreshes. However, because the caches - are not actively invalidated, ACL policy may be stale up to the TTL value. - -* `addresses` - This is a nested object that allows - setting bind addresses. In Consul 1.0 and later these can be set to a space-separated list of - addresses to bind to, or a [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) - template that can potentially resolve to multiple addresses. - - `http`, `https` and `grpc` all support binding to a Unix domain socket. A - socket can be specified in the form `unix:///path/to/socket`. A new domain - socket will be created at the given path. If the specified file path already - exists, Consul will attempt to clear the file and create the domain socket - in its place. The permissions of the socket file are tunable via the - [`unix_sockets` config construct](#unix_sockets). - - When running Consul agent commands against Unix socket interfaces, use the - `-http-addr` argument to specify the path to the socket. You can also place - the desired values in the `CONSUL_HTTP_ADDR` environment variable. - - For TCP addresses, the environment variable value should be an IP address - _with the port_. For example: `10.0.0.1:8500` and not `10.0.0.1`. However, - ports are set separately in the `ports` structure when - defining them in a configuration file. - - The following keys are valid: - - - `dns` - The DNS server. Defaults to `client_addr` - - `http` - The HTTP API. Defaults to `client_addr` - - `https` - The HTTPS API. Defaults to `client_addr` - - `grpc` - The gRPC API. Defaults to `client_addr` - -* `advertise_addr` Equivalent to - the [`-advertise` command-line flag](#_advertise). - -* `serf_wan` Equivalent to - the [`-serf-wan-bind` command-line flag](#_serf_wan_bind). - -* `serf_lan` Equivalent to - the [`-serf-lan-bind` command-line flag](#_serf_lan_bind). - -* `advertise_addr_wan` Equivalent to - the [`-advertise-wan` command-line flag](#_advertise-wan). - -* `autopilot` Added in Consul 0.8, this object - allows a number of sub-keys to be set which can configure operator-friendly settings for Consul servers. - When these keys are provided as configuration, they will only be respected on bootstrapping. If they are not - provided, the defaults will be used. In order to change the value of these options after bootstrapping, you will - need to use the [Consul Operator Autopilot](https://www.consul.io/docs/commands/operator/autopilot.html) command. - For more information about Autopilot, see the [Autopilot Guide](https://learn.hashicorp.com/consul/day-2-operations/autopilot). - - The following sub-keys are available: - - - `cleanup_dead_servers` - This controls - the automatic removal of dead server nodes periodically and whenever a new server is added to the cluster. - Defaults to `true`. - - - `last_contact_threshold` - Controls - the maximum amount of time a server can go without contact from the leader before being considered unhealthy. - Must be a duration value such as `10s`. Defaults to `200ms`. - - - `max_trailing_logs` - Controls - the maximum number of log entries that a server can trail the leader by before being considered unhealthy. Defaults - to 250. - - - `min_quorum` - Sets the minimum number of servers necessary in a cluster - before autopilot can prune dead servers. There is no default. - - - `server_stabilization_time` - - Controls the minimum amount of time a server must be stable in the 'healthy' state before being added to the - cluster. Only takes effect if all servers are running Raft protocol version 3 or higher. Must be a duration value - such as `30s`. Defaults to `10s`. - - - `redundancy_zone_tag` - (Enterprise-only) - This controls the [`-node-meta`](#_node_meta) key to use when Autopilot is separating servers into zones for - redundancy. Only one server in each zone can be a voting member at one time. If left blank (the default), this - feature will be disabled. - - - `disable_upgrade_migration` - (Enterprise-only) - If set to `true`, this setting will disable Autopilot's upgrade migration strategy in Consul Enterprise of waiting - until enough newer-versioned servers have been added to the cluster before promoting any of them to voters. Defaults - to `false`. - - - `upgrade_version_tag` - (Enterprise-only) - The node_meta tag to use for version info when performing upgrade migrations. If this is not set, the Consul - version will be used. - -* `auto_encrypt` - This object allows setting options for the `auto_encrypt` feature. - - The following sub-keys are available: - - - `allow_tls` (Defaults to `false`) This option enables `auto_encrypt` on the servers and allows them to automatically distribute certificates from the Connect CA to the clients. If enabled, the server can accept incoming connections from both the built-in CA and the Connect CA, as well as their certificates. Note, the server will only present the built-in CA and certificate, which the client can verify using the CA it received from `auto_encrypt` endpoint. If disabled, a client configured with `auto_encrypt.tls` will be unable to start. - - - `tls` (Defaults to `false`) Allows the client to request the Connect CA and certificates from the servers, for encrypting RPC communication. The client will make the request to any servers listed in the `-join` or `-retry-join` option. This requires that every server to have `auto_encrypt.allow_tls` enabled. When both `auto_encrypt` options are used, it allows clients to receive certificates that are generated on the servers. If the `-server-port` is not the default one, it has to be provided to the client as well. Usually this is discovered through LAN gossip, but `auto_encrypt` provision happens before the information can be distributed through gossip. The most secure `auto_encrypt` setup is when the client is provided with the built-in CA, `verify_server_hostname` is turned on, and when an ACL token with `node.write` permissions is setup. It is also possible to use `auto_encrypt` with a CA and ACL, but without `verify_server_hostname`, or only with a ACL enabled, or only with CA and `verify_server_hostname`, or only with a CA, or finally without a CA and without ACL enabled. In any case, the communication to the `auto_encrypt` endpoint is always TLS encrypted. - - - `dns_san` (Defaults to `[]`) When this option is being used, the certificates requested by `auto_encrypt` from the server have these `dns_san` set as DNS SAN. - - - `ip_san` (Defaults to `[]`) When this option is being used, the certificates requested by `auto_encrypt` from the server have these `ip_san` set as IP SAN. - -* `bootstrap` Equivalent to the - [`-bootstrap` command-line flag](#_bootstrap). - -* `bootstrap_expect` Equivalent - to the [`-bootstrap-expect` command-line flag](#_bootstrap_expect). - -* `bind_addr` Equivalent to the - [`-bind` command-line flag](#_bind). - -* `ca_file` This provides a file path to a PEM-encoded - certificate authority. The certificate authority is used to check the authenticity of client and - server connections with the appropriate [`verify_incoming`](#verify_incoming) or - [`verify_outgoing`](#verify_outgoing) flags. - -* `ca_path` This provides a path to a directory of PEM-encoded - certificate authority files. These certificate authorities are used to check the authenticity of client and - server connections with the appropriate [`verify_incoming`](#verify_incoming) or - [`verify_outgoing`](#verify_outgoing) flags. - -* `cert_file` This provides a file path to a - PEM-encoded certificate. The certificate is provided to clients or servers to verify the agent's - authenticity. It must be provided along with [`key_file`](#key_file). - -* `check_update_interval` - This interval controls how often check output from - checks in a steady state is synchronized with the server. By default, this is - set to 5 minutes ("5m"). Many checks which are in a steady state produce - slightly different output per run (timestamps, etc) which cause constant writes. - This configuration allows deferring the sync of check output for a given interval to - reduce write pressure. If a check ever changes state, the new state and associated - output is synchronized immediately. To disable this behavior, set the value to "0s". - -* `client_addr` Equivalent to the - [`-client` command-line flag](#_client). - -* `config_entries` - This object allows setting options for centralized config entries. - - The following sub-keys are available: - - - `bootstrap` - This is a list of inlined config entries to insert into the state store when the Consul server - gains leadership. This option is only applicable to server nodes. Each bootstrap - entry will be created only if it does not exist. When reloading, any new entries - that have been added to the configuration will be processed. See the - [configuration entry docs](/docs/agent/config_entries.html) for more details about the - contents of each entry. - -- `connect` - This object allows setting options for the Connect feature. - - The following sub-keys are available: - - - `enabled` Controls whether - Connect features are enabled on this agent. Should be enabled on all clients and - servers in the cluster in order for Connect to function properly. Defaults to false. - - - `enable_mesh_gateway_wan_federation` - Controls whether cross-datacenter federation traffic between servers is - funneled through mesh gateways. Defaults to false. - This was added in Consul 1.8.x **TODO(wanfed)**. - - - `ca_provider` Controls - which CA provider to use for Connect's CA. Currently only the `consul` and `vault` providers - are supported. This is only used when initially bootstrapping the cluster. For an existing - cluster, use the [Update CA Configuration Endpoint](/api/connect/ca.html#update-ca-configuration). - - - `ca_config` An object which - allows setting different config options based on the CA provider chosen. This is only - used when initially bootstrapping the cluster. For an existing cluster, use the [Update CA - Configuration Endpoint](/api/connect/ca.html#update-ca-configuration). - - The following providers are supported: - - #### Consul CA Provider (`ca_provider = "consul"`) - - - `private_key` The - PEM contents of the private key to use for the CA. - - - `root_cert` The - PEM contents of the root certificate to use for the CA. - - #### Vault CA Provider (`ca_provider = "vault"`) - - - `address` The address of the Vault - server to connect to. - - - `token` The Vault token to use. - - - `root_pki_path` The - path to use for the root CA pki backend in Vault. This can be an existing backend with a CA already - configured, or a blank/unmounted backend in which case Connect will automatically mount/generate the CA. - The Vault token given above must have `sudo` access to this backend, as well as permission to mount - the backend at this path if it is not already mounted. - - - `intermediate_pki_path` - The path to use for the temporary intermediate CA pki backend in Vault. _Connect will overwrite any data - at this path in order to generate a temporary intermediate CA_. The Vault token given above must have - `write` access to this backend, as well as permission to mount the backend at this path if it is not - already mounted. - - #### Common CA Config Options - -

There are also a number of common configuration options supported by all providers:

- - - `csr_max_concurrent` Sets a limit - on how many Certificate Signing Requests will be processed - concurrently. Defaults to 0 (disabled). This is useful when you have - more than one or two cores available to the server. For example on an - 8 core server, setting this to 1 will ensure that even during a CA - rotation no more than one server core on the leader will be consumed - at a time with generating new certificates. Setting this is - recommended _instead_ of `csr_max_per_second` where you know there are - multiple cores available since it is simpler to reason about limiting - CSR resources this way without artificially slowing down rotations. - Added in 1.4.1. - - - `csr_max_per_second` Sets a rate - limit on the maximum number of Certificate Signing Requests (CSRs) the - servers will accept. This is used to prevent CA rotation from causing - unbounded CPU usage on servers. It defaults to 50 which is - conservative - a 2017 Macbook can process about 100 per second using - only ~40% of one CPU core - but sufficient for deployments up to ~1500 - service instances before the time it takes to rotate is impacted. For - larger deployments we recommend increasing this based on the expected - number of server instances and server resources, or use - `csr_max_concurrent` instead if servers have more than one core. - Setting this to zero disables rate limiting. Added in 1.4.1. - - - `leaf_cert_ttl` The upper bound on the - lease duration of a leaf certificate issued for a service. In most - cases a new leaf certificate will be requested by a proxy before this - limit is reached. This is also the effective limit on how long a - server outage can last (with no leader) before network connections - will start being rejected, and as a result the defaults is `72h` to - last through a weekend without intervention. This value cannot be - lower than 1 hour or higher than 1 year. - - This value is also used when rotating out old root certificates from - the cluster. When a root certificate has been inactive (rotated out) - for more than twice the _current_ `leaf_cert_ttl`, it will be removed - from the trusted list. - - - `private_key_type` The type of key to - generate for this CA. This is only used when the provider is - generating a new key. If `private_key` is set for the Consul provider, - or existing root or intermediate PKI paths given for Vault then this - will be ignored. Currently supported options are `ec` or `rsa`. - Default is `ec`. - - It is required that all servers in a Datacenter have - the same config for the CA. It is recommended that servers in - different Datacenters have the same CA config for key type and size - although the built-in CA and Vault provider will both allow mixed CA - key types. - - Some CA providers (currently Vault) will not allow cross-signing a - new CA certificate with a different key type. This means that if you - migrate from an RSA-keyed Vault CA to an EC-keyed CA from any - provider, you may have to proceed without cross-signing which risks - temporary connection issues for workloads during the new certificate - rollout. We highly recommend testing this outside of production to - understand the impact and suggest sticking to same key type where - possible. - - Note that this only affects _CA_ keys generated by the provider. - Leaf certificate keys are always EC 256 regardless of the CA - configuration. - - - `private_key_bits` The length of key - to generate for this CA. This is only used when the provider is - generating a new key. If `private_key` is set for the Consul provider, - or existing root or intermediate PKI paths given for Vault then this - will be ignored. - - Currently supported values are: - - - `private_key_type = ec` (default): `224, 256, 384, 521` - corresponding to the NIST P-\* curves of the same name. - - `private_key_type = rsa`: `2048, 4096` - -- `datacenter` Equivalent to the - [`-datacenter` command-line flag](#_datacenter). - -- `data_dir` Equivalent to the - [`-data-dir` command-line flag](#_data_dir). - -- - `disable_anonymous_signature` Disables providing an anonymous signature for de-duplication - with the update check. See [`disable_update_check`](#disable_update_check). - -- `disable_host_node_id` - Equivalent to the [`-disable-host-node-id` command-line flag](#_disable_host_node_id). - -- `disable_http_unprintable_char_filter` - Defaults to false. Consul 1.0.3 fixed a potential security vulnerability where - malicious users could craft KV keys with unprintable chars that would confuse - operators using the CLI or UI into taking wrong actions. Users who had data - written in older versions of Consul that did not have this restriction will be - unable to delete those values by default in 1.0.3 or later. This setting - enables those users to _temporarily_ disable the filter such that delete - operations can work on those keys again to get back to a healthy state. It is - strongly recommended that this filter is not disabled permanently as it - exposes the original security vulnerability. - -- `disable_remote_exec` - Disables support for remote execution. When set to true, the agent will ignore any incoming - remote exec requests. In versions of Consul prior to 0.8, this defaulted to false. In Consul - 0.8 the default was changed to true, to make remote exec opt-in instead of opt-out. - -- `disable_update_check` - Disables automatic checking for security bulletins and new version releases. This is disabled in - Consul Enterprise. - -- `discard_check_output` - Discards the output of health checks before storing them. This reduces the number of writes - to the Consul raft log in environments where health checks have volatile output like - timestamps, process ids, ... - -- `discovery_max_stale` - Enables - stale requests for all service discovery HTTP endpoints. This is equivalent to the - [`max_stale`](#max_stale) configuration for DNS requests. If this value is zero (default), all service - discovery HTTP endpoints are forwarded to the leader. If this value is greater than zero, any Consul server - can handle the service discovery request. If a Consul server is behind the leader by more than `discovery_max_stale`, - the query will be re-evaluated on the leader to get more up-to-date results. Consul agents also add a new - `X-Consul-Effective-Consistency` response header which indicates if the agent did a stale read. `discover-max-stale` - was introduced in Consul 1.0.7 as a way for Consul operators to force stale requests from clients at the agent level, - and defaults to zero which matches default consistency behavior in earlier Consul versions. - -- `dns_config` This object allows a number - of sub-keys to be set which can tune how DNS queries are serviced. See this guide on - [DNS caching](https://learn.hashicorp.com/consul/security-networking/dns-caching) for more detail. - - The following sub-keys are available: - - - `allow_stale` - Enables a stale query - for DNS information. This allows any Consul server, rather than only the leader, to service - the request. The advantage of this is you get linear read scalability with Consul servers. - In versions of Consul prior to 0.7, this defaulted to false, meaning all requests are serviced - by the leader, providing stronger consistency but less throughput and higher latency. In Consul - 0.7 and later, this defaults to true for better utilization of available servers. - - - `max_stale` - When [`allow_stale`](#allow_stale) - is specified, this is used to limit how stale results are allowed to be. If a Consul server is - behind the leader by more than `max_stale`, the query will be re-evaluated on the leader to get - more up-to-date results. Prior to Consul 0.7.1 this defaulted to 5 seconds; in Consul 0.7.1 - and later this defaults to 10 years ("87600h") which effectively allows DNS queries to be answered - by any server, no matter how stale. In practice, servers are usually only milliseconds behind the - leader, so this lets Consul continue serving requests in long outage scenarios where no leader can - be elected. - - - `node_ttl` - By default, this is "0s", so all - node lookups are served with a 0 TTL value. DNS caching for node lookups can be enabled by - setting this value. This should be specified with the "s" suffix for second or "m" for minute. - - - `service_ttl` - This is a sub-object - which allows for setting a TTL on service lookups with a per-service policy. The "\*" wildcard - service can be used when there is no specific policy available for a service. By default, all - services are served with a 0 TTL value. DNS caching for service lookups can be enabled by - setting this value. - - - `enable_truncate` - If set to - true, a UDP DNS query that would return more than 3 records, or more than would fit into a valid - UDP response, will set the truncated flag, indicating to clients that they should re-query - using TCP to get the full set of records. - - - `only_passing` - If set to true, any - nodes whose health checks are warning or critical will be excluded from DNS results. If false, - the default, only nodes whose healthchecks are failing as critical will be excluded. For - service lookups, the health checks of the node itself, as well as the service-specific checks - are considered. For example, if a node has a health check that is critical then all services on - that node will be excluded because they are also considered critical. - - - `recursor_timeout` - Timeout used - by Consul when recursively querying an upstream DNS server. See `recursors` - for more details. Default is 2s. This is available in Consul 0.7 and later. - - - `disable_compression` - If - set to true, DNS responses will not be compressed. Compression was added and enabled by default - in Consul 0.7. - - - `udp_answer_limit` - Limit the number of - resource records contained in the answer section of a UDP-based DNS - response. This parameter applies only to UDP DNS queries that are less than 512 bytes. This setting is deprecated - and replaced in Consul 1.0.7 by `a_record_limit`. - - - `a_record_limit` - Limit the number of - resource records contained in the answer section of a A, AAAA or ANY DNS response (both TCP and UDP). - When answering a question, Consul will use the complete list of - matching hosts, shuffle the list randomly, and then limit the number of - answers to `a_record_limit` (default: no limit). This limit does not apply to SRV records. - - In environments where [RFC 3484 Section 6](https://tools.ietf.org/html/rfc3484#section-6) Rule 9 - is implemented and enforced (i.e. DNS answers are always sorted and - therefore never random), clients may need to set this value to `1` to - preserve the expected randomized distribution behavior (note: - [RFC 3484](https://tools.ietf.org/html/rfc3484) has been obsoleted by - [RFC 6724](https://tools.ietf.org/html/rfc6724) and as a result it should - be increasingly uncommon to need to change this value with modern - resolvers). - - - `enable_additional_node_meta_txt` - - When set to true, Consul will add TXT records for Node metadata into the Additional section of the DNS responses for several - query types such as SRV queries. When set to false those records are not emitted. This does not impact the behavior of those - same TXT records when they would be added to the Answer section of the response like when querying with type TXT or ANY. This - defaults to true. - - - `soa` Allow to tune the setting set up in SOA. - Non specified values fallback to their default values, all values are integers and - expressed as seconds. -

- The following settings are available: - - - `expire` - - Configure SOA Expire duration in seconds, default value is 86400, ie: 24 hours. - - - `min_ttl` - - Configure SOA DNS minimum TTL. - As explained in [RFC-2308](https://tools.ietf.org/html/rfc2308) this also controls - negative cache TTL in most implementations. Default value is 0, ie: no minimum - delay or negative TTL. - - - `refresh` - - Configure SOA Refresh duration in seconds, default value is `3600`, ie: 1 hour. - - - `retry` - - Configures the Retry duration expressed in seconds, default value is - 600, ie: 10 minutes. - - - `use_cache` - When set to true, DNS resolution will use the agent cache described - in [agent caching](/api/features/caching.html). This setting affects all service and prepared queries DNS requests. Implies [`allow_stale`](#allow_stale) - - - `cache_max_age` - When [use_cache](#dns_use_cache) is enabled, the agent - will attempt to re-fetch the result from the servers if the cached value is older than this duration. See: [agent caching](/api/features/caching.html). - - - `prefer_namespace` - **(Enterprise Only)** When - set to true, in a DNS query for a service, the label between the domain and the `service` label will be treated as a - namespace name instead of a datacenter. When set to false, the default, the behavior will be the same as non-Enterprise - versions and will assume the label is the datacenter. See: [this section](/docs/agent/dns.html#namespaced-services-enterprise) for more details. - -* `domain` Equivalent to the - [`-domain` command-line flag](#_domain). - -* `enable_acl_replication` When - set on a Consul server, enables ACL replication without having to set - the replication token via [`acl_replication_token`](#acl_replication_token). Instead, enable ACL replication - and then introduce the token using the [agent token API](/api/agent.html#update-acl-tokens) on each server. - See [`acl_replication_token`](#acl_replication_token) for more details. - -* `enable_agent_tls_for_checks` - When set, uses a subset of the agent's TLS configuration (`key_file`, `cert_file`, `ca_file`, `ca_path`, and - `server_name`) to set up the client for HTTP or gRPC health checks. This allows services requiring 2-way TLS to - be checked using the agent's credentials. This was added in Consul 1.0.1 and defaults to false. - -* `enable_central_service_config` - When set, the Consul agent will look for any centralized service configurations that match a registering service instance. - If it finds any, the agent will merge the centralized defaults with the service instance configuration. This allows for - things like service protocol or proxy configuration to be defined centrally and inherited by any - affected service registrations. - -* `enable_debug` When set, enables some - additional debugging features. Currently, this is only used to access runtime profiling HTTP endpoints, which - are available with an `operator:read` ACL regardless of the value of `enable_debug`. - -* `enable_script_checks` Equivalent to the - [`-enable-script-checks` command-line flag](#_enable_script_checks). - - ~> **Security Warning:** Enabling script checks in some configurations may - introduce a remote execution vulnerability which is known to be targeted by - malware. We strongly recommend `enable_local_script_checks` instead. See [this - blog post](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations) - for more details. - -* `enable_local_script_checks` Equivalent to the - [`-enable-local-script-checks` command-line flag](#_enable_local_script_checks). - -* `enable_syslog` Equivalent to - the [`-syslog` command-line flag](#_syslog). - -* `encrypt` Equivalent to the - [`-encrypt` command-line flag](#_encrypt). - -* `encrypt_verify_incoming` - - This is an optional parameter that can be used to disable enforcing encryption for incoming gossip in order - to upshift from unencrypted to encrypted gossip on a running cluster. See [this section](/docs/agent/encryption.html#configuring-gossip-encryption-on-an-existing-cluster) for more information. - Defaults to true. - -* `encrypt_verify_outgoing` - - This is an optional parameter that can be used to disable enforcing encryption for outgoing gossip in order - to upshift from unencrypted to encrypted gossip on a running cluster. See [this section](/docs/agent/encryption.html#configuring-gossip-encryption-on-an-existing-cluster) for more information. - Defaults to true. - -* `disable_keyring_file` - Equivalent to the - [`-disable-keyring-file` command-line flag](#_disable_keyring_file). - -* `gossip_lan` - **(Advanced)** This object contains a number of sub-keys - which can be set to tune the LAN gossip communications. These are only provided for users running especially large - clusters that need fine tuning and are prepared to spend significant effort correctly tuning them for their - environment and workload. **Tuning these improperly can cause Consul to fail in unexpected ways**. - The default values are appropriate in almost all deployments. - - - `gossip_nodes` - The number of random nodes to send - gossip messages to per gossip_interval. Increasing this number causes the gossip messages to propagate - across the cluster more quickly at the expense of increased bandwidth. The default is 3. - - - `gossip_interval` - The interval between sending - messages that need to be gossiped that haven't been able to piggyback on probing messages. If this is set to - zero, non-piggyback gossip is disabled. By lowering this value (more frequent) gossip messages are propagated - across the cluster more quickly at the expense of increased bandwidth. The default is 200ms. - - - `probe_interval` - The interval between random node - probes. Setting this lower (more frequent) will cause the cluster to detect failed nodes more quickly - at the expense of increased bandwidth usage. The default is 1s. - - - `probe_timeout` - The timeout to wait for an ack from - a probed node before assuming it is unhealthy. This should be at least the 99-percentile of RTT (round-trip time) on - your network. The default is 500ms and is a conservative value suitable for almost all realistic deployments. - - - `retransmit_mult` - The multiplier for the number - of retransmissions that are attempted for messages broadcasted over gossip. The number of retransmits is scaled - using this multiplier and the cluster size. The higher the multiplier, the more likely a failed broadcast is to - converge at the expense of increased bandwidth. The default is 4. - - - `suspicion_mult` - The multiplier for determining the - time an inaccessible node is considered suspect before declaring it dead. The timeout is scaled with the cluster - size and the probe_interval. This allows the timeout to scale properly with expected propagation delay with a - larger cluster size. The higher the multiplier, the longer an inaccessible node is considered part of the - cluster before declaring it dead, giving that suspect node more time to refute if it is indeed still alive. The - default is 4. - -* `gossip_wan` - **(Advanced)** This object contains a number of sub-keys - which can be set to tune the WAN gossip communications. These are only provided for users running especially large - clusters that need fine tuning and are prepared to spend significant effort correctly tuning them for their - environment and workload. **Tuning these improperly can cause Consul to fail in unexpected ways**. - The default values are appropriate in almost all deployments. - - - `gossip_nodes` - The number of random nodes to send - gossip messages to per gossip_interval. Increasing this number causes the gossip messages to propagate - across the cluster more quickly at the expense of increased bandwidth. The default is 3. - - - `gossip_interval` - The interval between sending - messages that need to be gossiped that haven't been able to piggyback on probing messages. If this is set to - zero, non-piggyback gossip is disabled. By lowering this value (more frequent) gossip messages are propagated - across the cluster more quickly at the expense of increased bandwidth. The default is 200ms. - - - `probe_interval` - The interval between random node - probes. Setting this lower (more frequent) will cause the cluster to detect failed nodes more quickly - at the expense of increased bandwidth usage. The default is 1s. - - - `probe_timeout` - The timeout to wait for an ack from - a probed node before assuming it is unhealthy. This should be at least the 99-percentile of RTT (round-trip time) on - your network. The default is 500ms and is a conservative value suitable for almost all realistic deployments. - - - `retransmit_mult` - The multiplier for the number - of retransmissions that are attempted for messages broadcasted over gossip. The number of retransmits is scaled - using this multiplier and the cluster size. The higher the multiplier, the more likely a failed broadcast is to - converge at the expense of increased bandwidth. The default is 4. - - - `suspicion_mult` - The multiplier for determining the - time an inaccessible node is considered suspect before declaring it dead. The timeout is scaled with the cluster - size and the probe_interval. This allows the timeout to scale properly with expected propagation delay with a - larger cluster size. The higher the multiplier, the longer an inaccessible node is considered part of the - cluster before declaring it dead, giving that suspect node more time to refute if it is indeed still alive. The - default is 4. - -* `key_file` This provides a the file path to a - PEM-encoded private key. The key is used with the certificate to verify the agent's authenticity. - This must be provided along with [`cert_file`](#cert_file). - -* `http_config` - This object allows setting options for the HTTP API and UI. - - The following sub-keys are available: - - - `block_endpoints` - This object is a list of HTTP API endpoint prefixes to block on the agent, and defaults to - an empty list, meaning all endpoints are enabled. Any endpoint that has a common prefix - with one of the entries on this list will be blocked and will return a 403 response code - when accessed. For example, to block all of the V1 ACL endpoints, set this to - `["/v1/acl"]`, which will block `/v1/acl/create`, `/v1/acl/update`, and the other ACL - endpoints that begin with `/v1/acl`. This only works with API endpoints, not `/ui` or - `/debug`, those must be disabled with their respective configuration options. Any CLI - commands that use disabled endpoints will no longer function as well. For more general - access control, Consul's [ACL system](https://learn.hashicorp.com/consul/security-networking/production-acls) should be used, but this option - is useful for removing access to HTTP API endpoints completely, or on specific agents. This - is available in Consul 0.9.0 and later. - - - `response_headers` - This object allows adding headers to the HTTP API and UI responses. - For example, the following config can be used to enable - [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) on - the HTTP API endpoints: - - ```javascript - { - "http_config": { - "response_headers": { - "Access-Control-Allow-Origin": "*" - } - } - } - ``` - - - `allow_write_http_from` - This object is a list of networks in CIDR notation (eg "127.0.0.0/8") that are allowed - to call the agent write endpoints. It defaults to an empty list, which means all networks - are allowed. - This is used to make the agent read-only, except for select ip ranges. - - To block write calls from anywhere, use `[ "255.255.255.255/32" ]`. - - To only allow write calls from localhost, use `[ "127.0.0.0/8" ]` - - To only allow specific IPs, use `[ "10.0.0.1/32", "10.0.0.2/32" ]` - -* `leave_on_terminate` If - enabled, when the agent receives a TERM signal, it will send a `Leave` message to the rest - of the cluster and gracefully leave. The default behavior for this feature varies based on - whether or not the agent is running as a client or a server (prior to Consul 0.7 the default - value was unconditionally set to `false`). On agents in client-mode, this defaults to `true` - and for agents in server-mode, this defaults to `false`. - -* `limits` Available in Consul 0.9.3 - and later, this is a nested object that configures limits that are enforced by - the agent. Prior to Consul 1.5.2, this only applied to agents in client mode, - not Consul servers. The following parameters are available: - - - `http_max_conns_per_client` - - Configures a limit of how many concurrent TCP connections a single - client IP address is allowed to open to the agent's HTTP(S) server. This - affects the HTTP(S) servers in both client and server agents. Default - value is `200`. - - `https_handshake_timeout` - - Configures the limit for how long the HTTPS server in both client and - server agents will wait for a client to complete a TLS handshake. This - should be kept conservative as it limits how many connections an - unauthenticated attacker can open if `verify_incoming` is being using to - authenticate clients (strongly recommended in production). Default value - is `5s`. - - `rpc_handshake_timeout` - Configures - the limit for how long servers will wait after a client TCP connection - is established before they complete the connection handshake. When TLS - is used, the same timeout applies to the TLS handshake separately from - the initial protocol negotiation. All Consul clients should perform this - immediately on establishing a new connection. This should be kept - conservative as it limits how many connections an unauthenticated - attacker can open if `verify_incoming` is being using to authenticate - clients (strongly recommended in production). When `verify_incoming` is - true on servers, this limits how long the connection socket and - associated goroutines will be held open before the client successfully - authenticates. Default value is `5s`. - - `rpc_max_conns_per_client` - - Configures a limit of how many concurrent TCP connections a single - source IP address is allowed to open to a single server. It affects both - clients connections and other server connections. In general Consul - clients multiplex many RPC calls over a single TCP connection so this - can typically be kept low. It needs to be more than one though since - servers open at least one additional connection for raft RPC, possibly - more for WAN federation when using network areas, and snapshot requests - from clients run over a separate TCP conn. A reasonably low limit - significantly reduces the ability of an unauthenticated attacker to - consume unbounded resources by holding open many connections. You may - need to increase this if WAN federated servers connect via proxies or - NAT gateways or similar causing many legitimate connections from a - single source IP. Default value is `100` which is designed to be - extremely conservative to limit issues with certain deployment patterns. - Most deployments can probably reduce this safely. 100 connections on - modern server hardware should not cause a significant impact on resource - usage from an unauthenticated attacker though. - - `rpc_rate` - Configures - the RPC rate limiter on Consul _clients_ by setting the maximum request - rate that this agent is allowed to make for RPC requests to Consul - servers, in requests per second. Defaults to infinite, which disables - rate limiting. - - `rpc_max_burst` - - The size of the token bucket used to recharge the RPC rate limiter on - Consul _clients_ . Defaults to 1000 tokens, and each token is good for a - single RPC call to a Consul server. See - https://en.wikipedia.org/wiki/Token_bucket for more details about how - token bucket rate limiters operate. - - - `kv_max_value_size` - **(Advanced)** Configures the maximum number of - bytes for a kv request body to the [`/v1/kv`](/api/kv.html) endpoint. - This limit defaults to [raft's](https://github.com/hashicorp/raft) - suggested max size(512KB). **Note that tuning these improperly can cause - Consul to fail in unexpected ways**, it may potentially affect - leadership stability and prevent timely heartbeat signals by increasing - RPC IO duration. - This option affects the txn endpoint too, but Consul 1.7.2 introduced - `txn_max_req_len` which is the preferred way to set the limit for the - txn endpoint. If both limits are set, the higher one takes precedence. - - - `txn_max_req_len` - **(Advanced)** Configures the maximum number of - bytes for a transaction request body to the [`/v1/txn`](/api/txn.html) - endpoint. This limit defaults to [raft's](https://github.com/hashicorp/raft) - suggested max size(512KB). **Note that tuning these improperly can cause - Consul to fail in unexpected ways**, it may potentially affect - leadership stability and prevent timely heartbeat signals by - increasing RPC IO duration. - -* `log_file` Equivalent to the - [`-log-file` command-line flag](#_log_file). - -* `log_rotate_duration` Equivalent to the - [`-log-rotate-duration` command-line flag](#_log_rotate_duration). - -* `log_rotate_bytes` Equivalent to the - [`-log-rotate-bytes` command-line flag](#_log_rotate_bytes). - -* `log_rotate_max_files` Equivalent to the - [`-log-rotate-max-files` command-line flag](#_log_rotate_max_files). - -* `log_level` Equivalent to the - [`-log-level` command-line flag](#_log_level). - -* `log_json` Equivalent to the - [`-log-json` command-line flag](#_log_json). - -* `default_query_time` - Equivalent to the [`-default-query-time` command-line flag](#_default_query_time). - -* `max_query_time` - Equivalent to the [`-max-query-time` command-line flag](#_max_query_time). - -* `node_id` Equivalent to the - [`-node-id` command-line flag](#_node_id). - -* `node_name` Equivalent to the - [`-node` command-line flag](#_node). - -* `node_meta` Available in Consul 0.7.3 and later, - This object allows associating arbitrary metadata key/value pairs with the local node, which can - then be used for filtering results from certain catalog endpoints. See the - [`-node-meta` command-line flag](#_node_meta) for more information. - - ```javascript - { - "node_meta": { - "instance_type": "t2.medium" - } - } - ``` - -* `performance` Available in Consul 0.7 and - later, this is a nested object that allows tuning the performance of different subsystems in - Consul. See the [Server Performance](/docs/install/performance.html) documentation for more details. The - following parameters are available: - - - `leave_drain_time` - A duration - that a server will dwell during a graceful leave in order to allow requests to be retried against - other Consul servers. Under normal circumstances, this can prevent clients from experiencing - "no leader" errors when performing a rolling update of the Consul servers. This was added in - Consul 1.0. Must be a duration value such as 10s. Defaults to 5s. - - - `raft_multiplier` - An integer - multiplier used by Consul servers to scale key Raft timing parameters. Omitting this value - or setting it to 0 uses default timing described below. Lower values are used to tighten - timing and increase sensitivity while higher values relax timings and reduce sensitivity. - Tuning this affects the time it takes Consul to detect leader failures and to perform - leader elections, at the expense of requiring more network and CPU resources for better - performance. - - By default, Consul will use a lower-performance timing that's suitable - for [minimal Consul servers](/docs/install/performance.html#minimum), currently equivalent - to setting this to a value of 5 (this default may be changed in future versions of Consul, - depending if the target minimum server profile changes). Setting this to a value of 1 will - configure Raft to its highest-performance mode, equivalent to the default timing of Consul - prior to 0.7, and is recommended for [production Consul servers](/docs/install/performance.html#production). - See the note on [last contact](/docs/install/performance.html#last-contact) timing for more - details on tuning this parameter. The maximum allowed value is 10. - - - `rpc_hold_timeout` - A duration - that a client or server will retry internal RPC requests during leader elections. Under normal - circumstances, this can prevent clients from experiencing "no leader" errors. This was added in - Consul 1.0. Must be a duration value such as 10s. Defaults to 7s. - -* `ports` This is a nested object that allows setting - the bind ports for the following keys: - - - `dns` - The DNS server, -1 to disable. Default 8600. TCP and UDP. - - `http` - The HTTP API, -1 to disable. Default 8500. TCP only. - - `https` - The HTTPS - API, -1 to disable. Default -1 (disabled). **We recommend using `8501`** for - `https` by convention as some tooling will work automatically with this. - - `grpc` - The gRPC API, -1 - to disable. Default -1 (disabled). **We recommend using `8502`** for - `grpc` by convention as some tooling will work automatically with this. - This is set to `8502` by default when the agent runs in `-dev` mode. - Currently gRPC is only used to expose Envoy xDS API to Envoy proxies. - - `serf_lan` - The Serf LAN port. Default 8301. TCP and UDP. - - `serf_wan` - The Serf WAN port. Default 8302. Set to -1 - to disable. **Note**: this will disable WAN federation which is not recommended. Various catalog and WAN related - endpoints will return errors or empty results. TCP and UDP. - - `server` - Server RPC address. Default 8300. TCP only. - - `sidecar_min_port` - Inclusive minimum port - number to use for automatically assigned [sidecar service - registrations](/docs/connect/registration/sidecar-service.html). Default 21000. - Set to `0` to disable automatic port assignment. - - `sidecar_max_port` - Inclusive maximum port - number to use for automatically assigned [sidecar service - registrations](/docs/connect/registration/sidecar-service.html). Default 21255. - Set to `0` to disable automatic port assignment. - - `expose_min_port` - Inclusive minimum port - number to use for automatically assigned - [exposed check listeners](/docs/connect/registration/service-registration.html#expose-paths-configuration-reference). - Default 21500. Set to `0` to disable automatic port assignment. - - `expose_max_port` - Inclusive maximum port - number to use for automatically assigned - [exposed check listeners](/docs/connect/registration/service-registration.html#expose-paths-configuration-reference). - Default 21755. Set to `0` to disable automatic port assignment. - -* `primary_datacenter` - This - designates the datacenter which is authoritative for ACL information, intentions and is the root - Certificate Authority for Connect. It must be provided to enable ACLs. All servers and datacenters - must agree on the primary datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients, it must be set on them too. In - Consul 0.8 and later, this also enables agent-level enforcement of ACLs. - -* `primary_gateways` Equivalent to the - [`-primary-gateway` command-line flag](#_primary_gateway). Takes a list - of addresses to use as the mesh gateways for the primary datacenter when authoritative - replicated catalog data is not present. Discovery happens every [`primary_gateways_interval`](#_primary_gateways_interval) until at least one - primary mesh gateway is discovered. - This was added in Consul 1.8.x **TODO(wanfed)**. - -* `primary_gateways_interval` Time - to wait between [`primary_gateways`](#primary_gateways) discovery attempts. - Defaults to 30s. - This was added in Consul 1.8.x **TODO(wanfed)**. - -* `protocol` Equivalent to the - [`-protocol` command-line flag](#_protocol). - -* `raft_protocol` Equivalent to the - [`-raft-protocol` command-line flag](#_raft_protocol). - - - -- - `raft_snapshot_threshold` This controls - the minimum number of raft commit entries between snapshots that are saved to - disk. This is a low-level parameter that should rarely need to be changed. - Very busy clusters experiencing excessive disk IO may increase this value to - reduce disk IO, and minimize the chances of all servers taking snapshots at - the same time. Increasing this trades off disk IO for disk space since the log - will grow much larger and the space in the raft.db file can't be reclaimed - till the next snapshot. Servers may take longer to recover from crashes or - failover if this is increased significantly as more logs will need to be - replayed. In Consul 1.1.0 and later this defaults to 16384, and in prior - versions it was set to 8192. - -- `raft_snapshot_interval` This controls how - often servers check if they need to save a snapshot to disk. his is a - low-level parameter that should rarely need to be changed. Very busy clusters - experiencing excessive disk IO may increase this value to reduce disk IO, and - minimize the chances of all servers taking snapshots at the same time. - Increasing this trades off disk IO for disk space since the log will grow much - larger and the space in th e raft.db file can't be reclaimed till the next - snapshot. Servers may take longer to recover from crashes or failover if this - is increased significantly as more logs will need to be replayed. In Consul - 1.1.0 and later this defaults to `30s`, and in prior versions it was set to - `5s`. - -- `raft_trailing_logs` - This controls how many - log entries are left in the log store on disk after a snapshot is made. This - should only be adjusted when followers cannot catch up to the leader due to a - very large snapshot size that and high write throughput causing log truncation - before an snapshot can be fully installed. If you need to use this to recover - a cluster, consider reducing write throughput or the amount of data stored on - Consul as it is likely under a load it is not designed to handle. The default - value is 10000 which is suitable for all normal workloads. Added in Consul - 1.5.3. - -- `reap` This controls Consul's automatic reaping of child processes, - which is useful if Consul is running as PID 1 in a Docker container. If this isn't specified, then Consul will - automatically reap child processes if it detects it is running as PID 1. If this is set to true or false, then - it controls reaping regardless of Consul's PID (forces reaping on or off, respectively). This option was removed - in Consul 0.7.1. For later versions of Consul, you will need to reap processes using a wrapper, please see the - [Consul Docker image entry point script](https://github.com/hashicorp/docker-consul/blob/master/0.X/docker-entrypoint.sh) - for an example. If you are using Docker 1.13.0 or later, you can use the new `--init` option of the `docker run` command - and docker will enable an init process with PID 1 that reaps child processes for the container. - More info on [Docker docs](https://docs.docker.com/engine/reference/commandline/run/#options). - -- `reconnect_timeout` This controls - how long it takes for a failed node to be completely removed from the cluster. This defaults to - 72 hours and it is recommended that this is set to at least double the maximum expected recoverable - outage time for a node or network partition. WARNING: Setting this time too low could cause Consul - servers to be removed from quorum during an extended node failure or partition, which could complicate - recovery of the cluster. The value is a time with a unit suffix, which can be "s", "m", "h" for seconds, - minutes, or hours. The value must be >= 8 hours. - -- `reconnect_timeout_wan` This - is the WAN equivalent of the `reconnect_timeout` parameter, which - controls how long it takes for a failed server to be completely removed from the WAN pool. This also - defaults to 72 hours, and must be >= 8 hours. - -- `recursors` This flag provides addresses of - upstream DNS servers that are used to recursively resolve queries if they are not inside the service - domain for Consul. For example, a node can use Consul directly as a DNS server, and if the record is - outside of the "consul." domain, the query will be resolved upstream. As of Consul 1.0.1 recursors - can be provided as IP addresses or as go-sockaddr templates. IP addresses are resolved in order, - and duplicates are ignored. - -- `rejoin_after_leave` Equivalent - to the [`-rejoin` command-line flag](#_rejoin). - -- `retry_join` - Equivalent to the [`-retry-join`](#retry-join) command-line flag. - -- `retry_interval` Equivalent to the - [`-retry-interval` command-line flag](#_retry_interval). - -- `retry_join_wan` Equivalent to the - [`-retry-join-wan` command-line flag](#_retry_join_wan). Takes a list - of addresses to attempt joining to WAN every [`retry_interval_wan`](#_retry_interval_wan) until at least one - join works. - -- `retry_interval_wan` Equivalent to the - [`-retry-interval-wan` command-line flag](#_retry_interval_wan). - -- `segment` (Enterprise-only) Equivalent to the - [`-segment` command-line flag](#_segment). - -- `segments` (Enterprise-only) This is a list of nested objects that allows setting - the bind/advertise information for network segments. This can only be set on servers. See the - [Network Segments Guide](https://learn.hashicorp.com/consul/day-2-operations/network-segments) for more details. - - - `name` - The name of the segment. Must be a string between - 1 and 64 characters in length. - - `bind` - The bind address to use for the segment's gossip layer. - Defaults to the [`-bind`](#_bind) value if not provided. - - `port` - The port to use for the segment's gossip layer (required). - - `advertise` - The advertise address to use for the - segment's gossip layer. Defaults to the [`-advertise`](#_advertise) value if not provided. - - `rpc_listener` - If true, a separate RPC listener will - be started on this segment's [`-bind`](#_bind) address on the rpc port. Only valid if the segment's bind address differs from the - [`-bind`](#_bind) address. Defaults to false. - -- `server` Equivalent to the - [`-server` command-line flag](#_server). - -- `non_voting_server` - Equivalent to the - [`-non-voting-server` command-line flag](#_non_voting_server). - -- `server_name` When provided, this overrides - the [`node_name`](#_node) for the TLS certificate. It can be used to ensure that the certificate - name matches the hostname we declare. - -- `session_ttl_min` - The minimum allowed session TTL. This ensures sessions are not created with - TTL's shorter than the specified limit. It is recommended to keep this limit - at or above the default to encourage clients to send infrequent heartbeats. - Defaults to 10s. - -- `skip_leave_on_interrupt` This is - similar to [`leave_on_terminate`](#leave_on_terminate) but only affects - interrupt handling. When Consul receives an interrupt signal (such as - hitting Control-C in a terminal), Consul will gracefully leave the cluster. - Setting this to `true` disables that behavior. The default behavior for - this feature varies based on whether or not the agent is running as a - client or a server (prior to Consul 0.7 the default value was - unconditionally set to `false`). On agents in client-mode, this defaults - to `false` and for agents in server-mode, this defaults to `true` - (i.e. Ctrl-C on a server will keep the server in the cluster and therefore - quorum, and Ctrl-C on a client will gracefully leave). - -- `start_join` An array of strings specifying addresses - of nodes to [`-join`](#_join) upon startup. Note that using - `retry_join` could be more appropriate to help - mitigate node startup race conditions when automating a Consul cluster - deployment. - -- `start_join_wan` An array of strings specifying - addresses of WAN nodes to [`-join-wan`](#_join_wan) upon startup. - -- `telemetry` This is a nested object that configures where Consul - sends its runtime telemetry, and contains the following keys: - - - `circonus_api_token` - A valid API Token used to create/manage check. If provided, metric management is enabled. - - - `circonus_api_app` - A valid app name associated with the API token. By default, this is set to "consul". - - - `circonus_api_url` - The base URL to use for contacting the Circonus API. By default, this is set to "https://api.circonus.com/v2". - - - `circonus_submission_interval` - The interval at which metrics are submitted to Circonus. By default, this is set to "10s" (ten seconds). - - - `circonus_submission_url` - The `check.config.submission_url` field, of a Check API object, from a previously created HTTPTRAP check. - - - `circonus_check_id` - The Check ID (not **check bundle**) from a previously created HTTPTRAP check. The numeric portion of the `check._cid` field in the Check API object. - - - `circonus_check_force_metric_activation` - Force activation of metrics which already exist and are not currently active. If check management is enabled, the default behavior is to add new metrics as they are encountered. If the metric already exists in the check, it will **not** be activated. This setting overrides that behavior. By default, this is set to false. - - - `circonus_check_instance_id` - Uniquely identifies the metrics coming from this _instance_. It can be used to maintain metric continuity with transient or ephemeral instances as they move around within an infrastructure. By default, this is set to hostname:application name (e.g. "host123:consul"). - - - `circonus_check_search_tag` - A special tag which, when coupled with the instance id, helps to narrow down the search results when neither a Submission URL or Check ID is provided. By default, this is set to service:application name (e.g. "service:consul"). - - - `circonus_check_display_name` - Specifies a name to give a check when it is created. This name is displayed in the Circonus UI Checks list. Available in Consul 0.7.2 and later. - - - `circonus_check_tags` - Comma separated list of additional tags to add to a check when it is created. Available in Consul 0.7.2 and later. - - - `circonus_broker_id` - The ID of a specific Circonus Broker to use when creating a new check. The numeric portion of `broker._cid` field in a Broker API object. If metric management is enabled and neither a Submission URL nor Check ID is provided, an attempt will be made to search for an existing check using Instance ID and Search Tag. If one is not found, a new HTTPTRAP check will be created. By default, this is not used and a random Enterprise Broker is selected, or the default Circonus Public Broker. - - - `circonus_broker_select_tag` - A special tag which will be used to select a Circonus Broker when a Broker ID is not provided. The best use of this is to as a hint for which broker should be used based on _where_ this particular instance is running (e.g. a specific geo location or datacenter, dc:sfo). By default, this is left blank and not used. - - - `disable_hostname` - This controls whether or not to prepend runtime telemetry with the machine's hostname, defaults to false. - - - `dogstatsd_addr` This provides the - address of a DogStatsD instance in the format `host:port`. DogStatsD is a protocol-compatible flavor of - statsd, with the added ability to decorate metrics with tags and event information. If provided, Consul will - send various telemetry information to that instance for aggregation. This can be used to capture runtime - information. - - - `dogstatsd_tags` This provides a list of global tags - that will be added to all telemetry packets sent to DogStatsD. It is a list of strings, where each string - looks like "my_tag_name:my_tag_value". - - - `filter_default` - This controls whether to allow metrics that have not been specified by the filter. Defaults to `true`, which will - allow all metrics when no filters are provided. When set to `false` with no filters, no metrics will be sent. - - - `metrics_prefix` - The prefix used while writing all telemetry data. By default, this is set to "consul". This was added - in Consul 1.0. For previous versions of Consul, use the config option `statsite_prefix` in this - same structure. This was renamed in Consul 1.0 since this prefix applied to all telemetry providers, - not just statsite. - - - `prefix_filter` - This is a list of filter rules to apply for allowing/blocking metrics by prefix in the following format: - - ```javascript - ;['+consul.raft.apply', '-consul.http', '+consul.http.GET'] - ``` - - A leading "+" will enable any metrics with the given prefix, and a leading "-" will block them. If there - is overlap between two rules, the more specific rule will take precedence. Blocking will take priority if the same - prefix is listed multiple times. - - - prometheus_retention_time - If the value is greater than `0s` (the default), this enables [Prometheus](https://prometheus.io/) export of metrics. - The duration can be expressed using the duration semantics and will aggregates all counters for the duration specified - (it might have an impact on Consul's memory usage). A good value for this parameter is at least 2 times the interval of scrape - of Prometheus, but you might also put a very high retention time such as a few days (for instance 744h to enable retention - to 31 days). - Fetching the metrics using prometheus can then be performed using the [`/v1/agent/metrics?format=prometheus`](/api/agent.html#view-metrics) endpoint. - The format is compatible natively with prometheus. When running in this mode, it is recommended to also enable the option - `disable_hostname` to avoid having prefixed metrics with hostname. - Consul does not use the default Prometheus path, so Prometheus must be configured as follows. - Note that using ?format=prometheus in the path won't work as ? will be escaped, so it must be specified as a parameter. - - ```yaml - metrics_path: '/v1/agent/metrics' - params: - format: ['prometheus'] - ``` - - - `statsd_address` This provides the - address of a statsd instance in the format `host:port`. If provided, Consul will send various telemetry information to that instance for - aggregation. This can be used to capture runtime information. This sends UDP packets only and can be used with - statsd or statsite. - - - `statsite_address` This provides - the address of a statsite instance in the format `host:port`. If provided, Consul will stream various telemetry information to that instance - for aggregation. This can be used to capture runtime information. This streams via TCP and can only be used with - statsite. - -- `syslog_facility` When - [`enable_syslog`](#enable_syslog) is provided, this controls to which - facility messages are sent. By default, `LOCAL0` will be used. - -- `tls_min_version` Added in Consul - 0.7.4, this specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11", - "tls12", or "tls13". This defaults to "tls12". WARNING: TLS 1.1 and lower are generally considered less - secure; avoid using these if possible. - -- `tls_cipher_suites` Added in Consul - 0.8.2, this specifies the list of supported ciphersuites as a comma-separated-list. The list of all - supported ciphersuites is available in the [source code](https://github.com/hashicorp/consul/blob/master/tlsutil/config.go#L363). - -- - `tls_prefer_server_cipher_suites` Added in Consul 0.8.2, this will cause Consul to prefer the - server's ciphersuite over the client ciphersuites. - -- `translate_wan_addrs` If - set to true, Consul will prefer a node's configured WAN address - when servicing DNS and HTTP requests for a node in a remote datacenter. This allows the node to - be reached within its own datacenter using its local address, and reached from other datacenters - using its WAN address, which is useful in hybrid setups with mixed networks. This is disabled by - default. - - Starting in Consul 0.7 and later, node addresses in responses to HTTP requests will also prefer a - node's configured WAN address when querying for a node in a remote - datacenter. An [`X-Consul-Translate-Addresses`](/api/index.html#translated-addresses) header - will be present on all responses when translation is enabled to help clients know that the addresses - may be translated. The `TaggedAddresses` field in responses also have a `lan` address for clients that - need knowledge of that address, regardless of translation. - - The following endpoints translate addresses: - - - [`/v1/catalog/nodes`](/api/catalog.html#catalog_nodes) - - [`/v1/catalog/node/`](/api/catalog.html#catalog_node) - - [`/v1/catalog/service/`](/api/catalog.html#catalog_service) - - [`/v1/health/service/`](/api/health.html#health_service) - - [`/v1/query//execute`](/api/query.html#execute) - -- `ui` - Equivalent to the [`-ui`](#_ui) - command-line flag. - -- `ui_dir` - Equivalent to the - [`-ui-dir`](#_ui_dir) command-line flag. This configuration key is not required as of Consul version 0.7.0 and later. Specifying this configuration key will enable the web UI. There is no need to specify both ui-dir and ui. Specifying both will result in an error. - -- `unix_sockets` - This - allows tuning the ownership and permissions of the - Unix domain socket files created by Consul. Domain sockets are only used if - the HTTP address is configured with the `unix://` prefix. - - It is important to note that this option may have different effects on - different operating systems. Linux generally observes socket file permissions - while many BSD variants ignore permissions on the socket file itself. It is - important to test this feature on your specific distribution. This feature is - currently not functional on Windows hosts. - - The following options are valid within this construct and apply globally to all - sockets created by Consul: - - - `user` - The name or ID of the user who will own the socket file. - - `group` - The group ID ownership of the socket file. This option - currently only supports numeric IDs. - - `mode` - The permission bits to set on the file. - -- `verify_incoming` - - If set to true, Consul requires that all incoming connections make use of TLS - and that the client provides a certificate signed by a Certificate Authority - from the [`ca_file`](#ca_file) or [`ca_path`](#ca_path). This applies to - both server RPC and to the HTTPS API. By default, this is false, and Consul - will not enforce the use of TLS or verify a client's authenticity. Turning - on `verify_incoming` on consul clients protects the HTTPS endpoint, by ensuring - that the certificate that is presented by a 3rd party tool to the HTTPS - endpoint was created by the CA that the consul client was setup with. If the - UI is served, the same checks are performed. - -* `verify_incoming_rpc` - If - set to true, Consul requires that all incoming RPC - connections make use of TLS and that the client provides a certificate signed - by a Certificate Authority from the [`ca_file`](#ca_file) or [`ca_path`](#ca_path). By default, - this is false, and Consul will not enforce the use of TLS or verify a client's authenticity. - -* `verify_incoming_https` - If - set to true, Consul requires that all incoming HTTPS - connections make use of TLS and that the client provides a certificate signed - by a Certificate Authority from the [`ca_file`](#ca_file) or [`ca_path`](#ca_path). By default, - this is false, and Consul will not enforce the use of TLS or verify a client's authenticity. To - enable the HTTPS API, you must define an HTTPS port via the [`ports`](#ports) configuration. By - default, HTTPS is disabled. - -* `verify_outgoing` - If set to - true, Consul requires that all outgoing connections from this agent - make use of TLS and that the server provides a certificate that is signed by - a Certificate Authority from the [`ca_file`](#ca_file) or [`ca_path`](#ca_path). By default, - this is false, and Consul will not make use of TLS for outgoing connections. This applies to clients - and servers as both will make outgoing connections. - - ~> **Security Note:** Note that servers that specify `verify_outgoing = true` will always talk to other servers over TLS, but they still _accept_ - non-TLS connections to allow for a transition of all clients to TLS. - Currently the only way to enforce that no client can communicate with a - server unencrypted is to also enable `verify_incoming` which requires client - certificates too. - -* `verify_server_hostname` - If set to true, - Consul verifies for all outgoing TLS connections that the TLS certificate - presented by the servers matches `server..` - hostname. By default, this is false, and Consul does not verify the hostname - of the certificate, only that it is signed by a trusted CA. This setting is - _critical_ to prevent a compromised client from being restarted as a server - and having all cluster state _including all ACL tokens and Connect CA root keys_ - replicated to it. This is new in 0.5.1. - - ~> **Security Note:** From versions 0.5.1 to 1.4.0, due to a bug, setting - this flag alone _does not_ imply `verify_outgoing` and leaves client to server - and server to server RPCs unencrypted despite the documentation stating otherwise. See - [CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) - for more details. For those versions you **must also set `verify_outgoing = true`** to ensure encrypted RPC connections. - -* `watches` - Watches is a list of watch - specifications which allow an external process to be automatically invoked when a - particular data view is updated. See the - [watch documentation](/docs/agent/watches.html) for more detail. Watches can be - modified when the configuration is reloaded. - -## Ports Used - -Consul requires up to 6 different ports to work properly, some on -TCP, UDP, or both protocols. - -Review the [required ports](/docs/install/ports.html) table for a list of -required ports and their default settings. - -## Reloadable Configuration - -Reloading configuration does not reload all configuration items. The -items which are reloaded include: - -- Log level -- Checks -- Services -- Watches -- HTTP Client Address -- TLS Configuration - - Please be aware that this is currently limited to reload a configuration that is already TLS enabled. You cannot enable or disable TLS only with reloading. -- Node Metadata -- Metric Prefix Filter -- Discard Check Output -- RPC rate limiting diff --git a/website/pages/docs/agent/options.mdx b/website/pages/docs/agent/options.mdx new file mode 100644 index 0000000000..6f5446ee35 --- /dev/null +++ b/website/pages/docs/agent/options.mdx @@ -0,0 +1,2399 @@ +--- +layout: docs +page_title: Configuration +sidebar_current: docs-agent-config +description: >- + The agent has various configuration options that can be specified via the + command-line or via configuration files. All of the configuration options are + completely optional. Defaults are specified with their descriptions. +--- + +# Configuration + +The agent has various configuration options that can be specified via +the command-line or via configuration files. All of the configuration +options are completely optional. Defaults are specified with their +descriptions. + +Configuration precedence is evaluated in the following order: + +1. Command line arguments +2. Configuration files + +When loading configuration, Consul loads the configuration from files and +directories in lexical order. For example, configuration file +`basic_config.json` will be processed before `extra_config.json`. Configuration +can be in either [HCL](https://github.com/hashicorp/hcl#syntax) or JSON format. +Available in Consul 1.0 and later, the HCL support now requires an `.hcl` or +`.json` extension on all configuration files in order to specify their format. + +Configuration specified later will be merged into configuration specified +earlier. In most cases, "merge" means that the later version will override the +earlier. In some cases, such as event handlers, merging appends the handlers to +the existing configuration. The exact merging behavior is specified for each +option below. + +Consul also supports reloading configuration when it receives the +SIGHUP signal. Not all changes are respected, but those that are +documented below in the +[Reloadable Configuration](#reloadable-configuration) section. The +[reload command](/docs/commands/reload.html) can also be used to trigger a +configuration reload. + +You can test the following configuration options by following the [Getting Started](https://learn.hashicorp.com/consul/getting-started/install?utm_source=consul.io&utm_medium=docs) guides to install a local agent. + +## Environment Variables + +Environment variables **cannot** be used to configure the Consul client. They +_can_ be used when running other `consul` CLI commands that connect with a +running agent, e.g. `CONSUL_HTTP_ADDR=192.168.0.1:8500 consul members`. + +See [Consul Commands](/docs/commands/index.html#environment-variables) for more +information. + +## Command-line Options ((#commandline_options)) + +The options below are all specified on the command-line. + +- `-advertise` ((#\_advertise)) - The advertise address is used to change + the address that we advertise to other nodes in the cluster. By default, the [`-bind`](#_bind) + address is advertised. However, in some cases, there may be a routable address + that cannot be bound. This flag enables gossiping a different address to support + this. If this address is not routable, the node will be in a constant flapping + state as other nodes will treat the non-routability as a failure. In Consul 1.0 + and later this can be set to a [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) + template. + +- `-advertise-wan` ((#\_advertise-wan)) - The advertise WAN address is used + to change the address that we advertise to server nodes joining through the WAN. + This can also be set on client agents when used in combination with the [`translate_wan_addrs`](#translate_wan_addrs) configuration option. By default, the [`-advertise`](#_advertise) address + is advertised. However, in some cases all members of all datacenters cannot be + on the same physical or virtual network, especially on hybrid setups mixing cloud + and private datacenters. This flag enables server nodes gossiping through the public + network for the WAN while using private VLANs for gossiping to each other and their + client agents, and it allows client agents to be reached at this address when being + accessed from a remote datacenter if the remote datacenter is configured with [`translate_wan_addrs`](#translate_wan_addrs). In Consul 1.0 and later this can be set to a [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) template + +- + `-bootstrap` - This flag is used to control if a server + is in "bootstrap" mode. It is important that no more than one server _per_ datacenter + be running in this mode. Technically, a server in bootstrap mode is allowed to + self-elect as the Raft leader. It is important that only a single node is in this + mode; otherwise, consistency cannot be guaranteed as multiple nodes are able to + self-elect. It is not recommended to use this flag after a cluster has been bootstrapped. + +- + `-bootstrap-expect` - This flag provides the number + of expected servers in the datacenter. Either this value should not be provided + or the value must agree with other servers in the cluster. When provided, Consul + waits until the specified number of servers are available and then bootstraps the + cluster. This allows an initial leader to be elected automatically. This cannot + be used in conjunction with the legacy [`-bootstrap`](#_bootstrap) flag. This flag + requires [`-server`](#_server) mode. + +- + `-bind` - The address that should be bound to for internal + cluster communications. This is an IP address that should be reachable by all other + nodes in the cluster. By default, this is "0.0.0.0", meaning Consul will bind to + all addresses on the local machine and will [advertise](/docs/agent/options.html#_advertise) + the private IPv4 address to the rest of the cluster. If there are multiple private + IPv4 addresses available, Consul will exit with an error at startup. If you specify + `"[::]"`, Consul will [advertise](/docs/agent/options.html#_advertise) the public + IPv6 address. If there are multiple public IPv6 addresses available, Consul will + exit with an error at startup. Consul uses both TCP and UDP and the same port for + both. If you have any firewalls, be sure to allow both protocols. In Consul 1.0 + and later this can be set to a [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) + template that needs to resolve to a single address. Some example templates: + + ```sh + # Using address within a specific CIDR + $ consul agent -bind '{{ GetPrivateInterfaces | include "network" "10.0.0.0/8" | attr "address" }}' + ``` + + ```sh + # Using a static network interface name + $ consul agent -bind '{{ GetInterfaceIP "eth0" }}' + ``` + + ```sh + # Using regular expression matching for network interface name that is forwardable and up + $ consul agent -bind '{{ GetAllInterfaces | include "name" "^eth" | include "flags" "forwardable|up" | attr "address" }}' + ``` + +- + `-serf-wan-bind` - The address that should be bound + to for Serf WAN gossip communications. By default, the value follows the same rules + as [`-bind` command-line flag](#_bind), and if this is not specified, the `-bind` + option is used. This is available in Consul 0.7.1 and later. In Consul 1.0 and + later this can be set to a [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) + template + +- + `-serf-lan-bind` - The address that should be bound + to for Serf LAN gossip communications. This is an IP address that should be reachable + by all other LAN nodes in the cluster. By default, the value follows the same rules + as [`-bind` command-line flag](#_bind), and if this is not specified, the `-bind` + option is used. This is available in Consul 0.7.1 and later. In Consul 1.0 and + later this can be set to a [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) + template + +- + `-check_output_max_size` - Override the default + limit of 4k for maximum size of checks, this is a positive value. By limiting this + size, it allows to put less pressure on Consul servers when many checks are having + a very large output in their checks. In order to completely disable check output + capture, it is possible to use [`discard_check_output`](#discard_check_output). + +- + `-client` - The address to which Consul will bind client + interfaces, including the HTTP and DNS servers. By default, this is "127.0.0.1", + allowing only loopback connections. In Consul 1.0 and later this can be set to + a space-separated list of addresses to bind to, or a [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) + template that can potentially resolve to multiple addresses. + +- + `-config-file` - A configuration file to load. For + more information on the format of this file, read the [Configuration Files](#configuration_files) + section. This option can be specified multiple times to load multiple configuration + files. If it is specified multiple times, configuration files loaded later will + merge with configuration files loaded earlier. During a config merge, single-value + keys (string, int, bool) will simply have their values replaced while list types + will be appended together. + +- + `-config-dir` - A directory of configuration files to + load. Consul will load all files in this directory with the suffix ".json" or ".hcl". + The load order is alphabetical, and the the same merge routine is used as with + the [`config-file`](#_config_file) option above. This option can be specified multiple + times to load multiple directories. Sub-directories of the config directory are + not loaded. For more information on the format of the configuration files, see + the [Configuration Files](#configuration_files) section. + +- + `-config-format` - The format of the configuration + files to load. Normally, Consul detects the format of the config files from the + ".json" or ".hcl" extension. Setting this option to either "json" or "hcl" forces + Consul to interpret any file with or without extension to be interpreted in that + format. + +- + `-data-dir` - This flag provides a data directory for + the agent to store state. This is required for all agents. The directory should + be durable across reboots. This is especially critical for agents that are running + in server mode as they must be able to persist cluster state. Additionally, the + directory must support the use of filesystem locking, meaning some types of mounted + folders (e.g. VirtualBox shared folders) may not be suitable. + + **Note:** both server + and non-server agents may store ACL tokens in the state in this directory so read + access may grant access to any tokens on servers and to any tokens used during + service registration on non-servers. On Unix-based platforms the files are written + with 0600 permissions so you should ensure only trusted processes can execute as + the same user as Consul. On Windows, you should ensure the directory has suitable + permissions configured as these will be inherited. + +- + `-datacenter` - This flag controls the datacenter in + which the agent is running. If not provided, it defaults to "dc1". Consul has first-class + support for multiple datacenters, but it relies on proper configuration. Nodes + in the same datacenter should be on a single LAN. + +- + `-dev` - Enable development server mode. This is useful for + quickly starting a Consul agent with all persistence options turned off, enabling + an in-memory server which can be used for rapid prototyping or developing against + the API. In this mode, [Connect is enabled](/docs/connect/configuration.html) and + will by default create a new root CA certificate on startup. This mode is **not** + intended for production use as it does not write any data to disk. The gRPC port + is also defaulted to `8502` in this mode. + +- + `-disable-host-node-id` - Setting this to + true will prevent Consul from using information from the host to generate a deterministic + node ID, and will instead generate a random node ID which will be persisted in + the data directory. This is useful when running multiple Consul agents on the same + host for testing. This defaults to false in Consul prior to version 0.8.5 and in + 0.8.5 and later defaults to true, so you must opt-in for host-based IDs. Host-based + IDs are generated using https://github.com/shirou/gopsutil/tree/master/host, which + is shared with HashiCorp's [Nomad](https://www.nomadproject.io/), so if you opt-in + to host-based IDs then Consul and Nomad will use information on the host to automatically + assign the same ID in both systems. + +- + `-disable-keyring-file` - If set, the keyring + will not be persisted to a file. Any installed keys will be lost on shutdown, and + only the given `-encrypt` key will be available on startup. This defaults to false. + +- + `-dns-port` - the DNS port to listen on. This overrides + the default port 8600. This is available in Consul 0.7 and later. + +- + `-domain` - By default, Consul responds to DNS queries in + the "consul." domain. This flag can be used to change that domain. All queries + in this domain are assumed to be handled by Consul and will not be recursively + resolved. + +- + `-alt-domain` - This flag allows Consul to respond to + DNS queries in an alternate domain, in addition to the primary domain. If unset, + no alternate domain is used. + +- + `-enable-script-checks` This controls whether + [health checks that execute scripts](/docs/agent/checks.html) are enabled on this + agent, and defaults to `false` so operators must opt-in to allowing these. This + was added in Consul 0.9.0. + + ~> **Security Warning:** Enabling script checks in some configurations may + introduce a remote execution vulnerability which is known to be targeted by + malware. We strongly recommend `-enable-local-script-checks` instead. See [this + blog post](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations) + for more details. + +- + `-enable-local-script-checks` + Like [`enable_script_checks`](#_enable_script_checks), but only enable them when + they are defined in the local configuration files. Script checks defined in HTTP + API registrations will still not be allowed. + +- + `-encrypt` - Specifies the secret key to use for encryption + of Consul network traffic. This key must be 32-bytes that are Base64-encoded. The + easiest way to create an encryption key is to use [`consul keygen`](/docs/commands/keygen.html). + All nodes within a cluster must share the same encryption key to communicate. The + provided key is automatically persisted to the data directory and loaded automatically + whenever the agent is restarted. This means that to encrypt Consul's gossip protocol, + this option only needs to be provided once on each agent's initial startup sequence. + If it is provided after Consul has been initialized with an encryption key, then + the provided key is ignored and a warning will be displayed. + +- + `-grpc-port` - the gRPC API port to listen on. Default + -1 (gRPC disabled). See [ports](#ports) documentation for more detail. + +- + `-hcl` - A HCL configuration fragment. This HCL configuration + fragment is appended to the configuration and allows to specify the full range + of options of a config file on the command line. This option can be specified multiple + times. This was added in Consul 1.0. + +- + `-http-port` - the HTTP API port to listen on. This overrides + the default port 8500. This option is very useful when deploying Consul to an environment + which communicates the HTTP port through the environment e.g. PaaS like CloudFoundry, + allowing you to set the port directly via a Procfile. + +- + `-https-port` - the HTTPS API port to listen on. Default + -1 (https disabled). See [ports](#ports) documentation for more detail. + +- `-log-file` ((#\_log_file)) - writes all the Consul agent log messages + to a file. This value is used as a prefix for the log file name. The current timestamp + is appended to the file name. If the value ends in a path separator, `consul-` + will be appened to the value. If the file name is missing an extension, `.log` + is appended. For example, setting `log-file` to `/var/log/` would result in a log + file path of `/var/log/consul-{timestamp}.log`. `log-file` can be combined with + [`-log-rotate-bytes`](#_log_rotate_bytes) and [-log-rotate-duration](#_log_rotate_duration) + for a fine-grained log rotation experience. + +- + `-log-rotate-bytes` - to specify the number of + bytes that should be written to a log before it needs to be rotated. Unless specified, + there is no limit to the number of bytes that can be written to a log file. + +- + `-log-rotate-duration` - to specify the maximum + duration a log should be written to before it needs to be rotated. Must be a duration + value such as 30s. Defaults to 24h. + +- + `-log-rotate-max-files` - to specify the maximum + number of older log file archives to keep. Defaults to 0 (no files are ever deleted). + Set to -1 to discard old log files when a new one is created. + +- + `-default-query-time` - This flag controls the + amount of time a blocking query will wait before Consul will force a response. + This value can be overridden by the `wait` query parameter. Note that Consul applies + some jitter on top of this time. Defaults to 300s. + +- + `-max-query-time` - this flag controls the maximum + amount of time a blocking query can wait before Consul will force a response. Consul + applies jitter to the wait time. The jittered time will be capped to this time. + Defaults to 600s. + +- + `-join` - Address of another agent to join upon starting up. + This can be specified multiple times to specify multiple agents to join. If Consul + is unable to join with any of the specified addresses, agent startup will fail. + By default, the agent won't join any nodes when it starts up. Note that using [`retry_join`](#retry_join) + could be more appropriate to help mitigate node startup race conditions when automating + a Consul cluster deployment. + + In Consul 1.1.0 and later this can be set to a + [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) + template + + + +- `-retry-join` - Similar to [`-join`](#_join) but allows retrying a join until + it is successful. Once it joins successfully to a member in a list of members + it will never attempt to join again. Agents will then solely maintain their + membership via gossip. This is useful for cases where you know the address will + eventually be available. This option can be specified multiple times to + specify multiple agents to join. The value can contain IPv4, IPv6, or DNS + addresses. In Consul 1.1.0 and later this can be set to a + [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) + template. If Consul is running on the non-default Serf LAN port, this must be + specified as well. IPv6 must use the "bracketed" syntax. If multiple values + are given, they are tried and retried in the order listed until the first + succeeds. Here are some examples: + + ```sh + # Using a DNS entry + $ consul agent -retry-join "consul.domain.internal" + ``` + + ```sh + # Using IPv4 + $ consul agent -retry-join "10.0.4.67" + ``` + + ```sh + # Using IPv6 + $ consul agent -retry-join "[::1]:8301" + ``` + + ```sh + # Using multiple addresses + $ consul agent -retry-join "consul.domain.internal" -retry-join "10.0.4.67" + ``` + + ### Cloud Auto-Joining + + As of Consul 0.9.1, `retry-join` accepts a unified interface using the + [go-discover](https://github.com/hashicorp/go-discover) library for doing + automatic cluster joining using cloud metadata. For more information, see + the [Cloud Auto-join page](/docs/agent/cloud-auto-join.html). + + ```sh + # Using Cloud Auto-Joining + $ consul agent -retry-join "provider=aws tag_key=..." + ``` + +- + `-retry-interval` - Time to wait between join attempts. + Defaults to 30s. + +- + `-retry-max` - The maximum number of [`-join`](#_join) + attempts to be made before exiting with return code 1. By default, this is set + to 0 which is interpreted as infinite retries. + +- + `-join-wan` - Address of another wan agent to join upon + starting up. This can be specified multiple times to specify multiple WAN agents + to join. If Consul is unable to join with any of the specified addresses, agent + startup will fail. By default, the agent won't [`-join-wan`](#_join_wan) any nodes + when it starts up. + + In Consul 1.1.0 and later this can be set to a + [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) + template. + +- + `-retry-join-wan` - Similar to [`retry-join`](#_retry_join) + but allows retrying a wan join if the first attempt fails. This is useful for cases + where we know the address will become available eventually. As of Consul 0.9.3 + [Cloud Auto-Joining](#cloud-auto-joining) is supported as well. + + In Consul 1.1.0 and later this can be set to a + [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) + template + +- + `-retry-interval-wan` - Time to wait between + [`-join-wan`](#_join_wan) attempts. Defaults to 30s. + +- `-retry-max-wan` ((#\_retry_max_wan)) - The maximum number of [`-join-wan`](#_join_wan) + attempts to be made before exiting with return code 1. By default, this is set + to 0 which is interpreted as infinite retries. + +- + `-log-level` - The level of logging to show after the + Consul agent has started. This defaults to "info". The available log levels are + "trace", "debug", "info", "warn", and "err". You can always connect to an agent + via [`consul monitor`](/docs/commands/monitor.html) and use any log level. Also, + the log level can be changed during a config reload. + +- + `-log-json` - This flag enables the agent to output logs + in a JSON format. By default this is false. + +- + `-node` - The name of this node in the cluster. This must + be unique within the cluster. By default this is the hostname of the machine. + +- + `-node-id` - Available in Consul 0.7.3 and later, this + is a unique identifier for this node across all time, even if the name of the node + or address changes. This must be in the form of a hex string, 36 characters long, + such as `adf4238a-882b-9ddc-4a9d-5b6758e4159e`. If this isn't supplied, which is + the most common case, then the agent will generate an identifier at startup and + persist it in the [data directory](#_data_dir) so that it will remain the same + across agent restarts. Information from the host will be used to generate a deterministic + node ID if possible, unless [`-disable-host-node-id`](#_disable_host_node_id) is + set to true. + +- + `-node-meta` - Available in Consul 0.7.3 and later, this + specifies an arbitrary metadata key/value pair to associate with the node, of the + form `key:value`. This can be specified multiple times. Node metadata pairs have + the following restrictions: + + - A maximum of 64 key/value pairs can be registered per node. + - Metadata keys must be between 1 and 128 characters (inclusive) in length + - Metadata keys must contain only alphanumeric, `-`, and `_` characters. + - Metadata keys must not begin with the `consul-` prefix; that is reserved for internal use by Consul. + - Metadata values must be between 0 and 512 (inclusive) characters in length. + - Metadata values for keys beginning with `rfc1035-` are encoded verbatim in DNS TXT requests, otherwise + the metadata kv-pair is encoded according [RFC1464](https://www.ietf.org/rfc/rfc1464.txt). + +- + `-pid-file` - This flag provides the file path for the + agent to store its PID. This is useful for sending signals (for example, `SIGINT` + to close the agent or `SIGHUP` to update check definite + +- + `-protocol` - The Consul protocol version to use. Consul + agents speak protocol 2 by default, however agents will automatically use protocol + >2 when speaking to compatible agents. This should be set only when [upgrading](/docs/upgrading.html). + You can view the protocol versions supported by Consul by running `consul -v`. + +- `-primary-gateway` ((#\_primary_gateway)) - Similar to [`retry-join-wan`](#_retry_join_wan) + but allows retrying discovery of fallback addresses for the mesh gateways in the + primary datacenter if the first attempt fails. This is useful for cases where we + know the address will become available eventually. [Cloud Auto-Joining](#cloud-auto-joining) + is supported as well as [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) + templates. This was added in Consul 1.8.x **TODO(wanfed)**. + +- + `-raft-protocol` - This controls the internal version + of the Raft consensus protocol used for server communications. This must be set + to 3 in order to gain access to Autopilot features, with the exception of [`cleanup_dead_servers`](#cleanup_dead_servers). + Defaults to 3 in Consul 1.0.0 and later (defaulted to 2 previously). See [Raft + Protocol Version Compatibility](/docs/upgrade-specific.html#raft-protocol-version-compatibility) + for more details. + +- + `-recursor` - Specifies the address of an upstream DNS + server. This option may be provided multiple times, and is functionally equivalent + to the [`recursors` configuration option](#recursors). + +- + `-rejoin` - When provided, Consul will ignore a previous + leave and attempt to rejoin the cluster when starting. By default, Consul treats + leave as a permanent intent and does not attempt to join the cluster again when + starting. This flag allows the previous state to be used to rejoin the cluster. + +- + `-segment` - (Enterprise-only) This flag is used to set + the name of the network segment the agent belongs to. An agent can only join and + communicate with other agents within its network segment. See the [Network Segments + Guide](https://learn.hashicorp.com/consul/day-2-operations/network-segments) for + more details. By default, this is an empty string, which is the default network + segment. + +- + `-serf-lan-port` - the Serf LAN port to listen on. + This overrides the default Serf LAN port 8301. This is available in Consul 1.2.2 + and later. + +- + `-serf-wan-port` - the Serf WAN port to listen on. + This overrides the default Serf WAN port 8302. This is available in Consul 1.2.2 + and later. + +- + `-server` - This flag is used to control if an agent is + in server or client mode. When provided, an agent will act as a Consul server. + Each Consul cluster must have at least one server and ideally no more than 5 per + datacenter. All servers participate in the Raft consensus algorithm to ensure that + transactions occur in a consistent, linearizable manner. Transactions modify cluster + state, which is maintained on all server nodes to ensure availability in the case + of node failure. Server nodes also participate in a WAN gossip pool with server + nodes in other datacenters. Servers act as gateways to other datacenters and forward + traffic as appropriate. + +- + `-server-port` - the server RPC port to listen on. + This overrides the default server RPC port 8300. This is available in Consul 1.2.2 + and later. + +- + `-non-voting-server` - (Enterprise-only) This + flag is used to make the server not participate in the Raft quorum, and have it + only receive the data replication stream. This can be used to add read scalability + to a cluster in cases where a high volume of reads to servers are needed. + +- + `-syslog` - This flag enables logging to syslog. This is + only supported on Linux and OSX. It will result in an error if provided on Windows. + +- + `-ui` - Enables the built-in web UI server and the required + HTTP routes. This eliminates the need to maintain the Consul web UI files separately + from the binary. + +- + `-ui-dir` - This flag provides the directory containing + the Web UI resources for Consul. This will automatically enable the Web UI. The + directory must be readable to the agent. Starting with Consul version 0.7.0 and + later, the Web UI assets are included in the binary so this flag is no longer necessary; + specifying only the `-ui` flag is enough to enable the Web UI. Specifying both + the '-ui' and '-ui-dir' flags will result in an error. + +- + `-ui-content-path` - This flag provides the option + to change the path the Consul UI loads from and will be displayed in the browser. + By default, the path is `/ui/`, for example `http://localhost:8500/ui/`. Only alphanumerics, + `-`, and `_` are allowed in a custom path. `/v1/` is not allowed as it would overwrite + the API endpoint. + +## Configuration Files ((#configuration_files)) + +In addition to the command-line options, configuration can be put into +files. This may be easier in certain situations, for example when Consul is +being configured using a configuration management system. + +The configuration files are JSON formatted, making them easily readable +and editable by both humans and computers. The configuration is formatted +as a single JSON object with configuration within it. + +Configuration files are used for more than just setting up the agent, +they are also used to provide check and service definitions. These are used +to announce the availability of system servers to the rest of the cluster. +They are documented separately under [check configuration](/docs/agent/checks.html) and +[service configuration](/docs/agent/services.html) respectively. The service and check +definitions support being updated during a reload. + +#### Example Configuration File + +```javascript +{ + "datacenter": "east-aws", + "data_dir": "/opt/consul", + "log_level": "INFO", + "node_name": "foobar", + "server": true, + "watches": [ + { + "type": "checks", + "handler": "/usr/bin/health-check-handler.sh" + } + ], + "telemetry": { + "statsite_address": "127.0.0.1:2180" + } +} +``` + +#### Example Configuration File, with TLS + +```javascript +{ + "datacenter": "east-aws", + "data_dir": "/opt/consul", + "log_level": "INFO", + "node_name": "foobar", + "server": true, + "addresses": { + "https": "0.0.0.0" + }, + "ports": { + "https": 8501 + }, + "key_file": "/etc/pki/tls/private/my.key", + "cert_file": "/etc/pki/tls/certs/my.crt", + "ca_file": "/etc/pki/tls/certs/ca-bundle.crt" +} +``` + +See, especially, the use of the `ports` setting: + +```javascript +"ports": { + "https": 8501 +} +``` + +Consul will not enable TLS for the HTTP API unless the `https` port has been +assigned a port number `> 0`. We recommend using `8501` for `https` as this +default will automatically work with some tooling. + +#### Configuration Key Reference + +-> **Note:** All the TTL values described below are parsed by Go's `time` package, and have the following +[formatting specification](https://golang.org/pkg/time/#ParseDuration): "A +duration string is a possibly signed sequence of decimal numbers, each with +optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. +Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'." + +- + `acl` - This object allows a number of sub-keys to be set which + controls the ACL system. Configuring the ACL system within the ACL stanza was added + in Consul 1.4.0 + + The following sub-keys are available: + + - + `enabled` - Enables ACLs. + + - + `policy_ttl` - Used to control Time-To-Live caching + of ACL policies. By default, this is 30 seconds. This setting has a major performance + impact: reducing it will cause more frequent refreshes while increasing it reduces + the number of refreshes. However, because the caches are not actively invalidated, + ACL policy may be stale up to the TTL value. + + - + `role_ttl` - Used to control Time-To-Live caching + of ACL roles. By default, this is 30 seconds. This setting has a major performance + impact: reducing it will cause more frequent refreshes while increasing it reduces + the number of refreshes. However, because the caches are not actively invalidated, + ACL role may be stale up to the TTL value. + + - + `token_ttl` - Used to control Time-To-Live caching + of ACL tokens. By default, this is 30 seconds. This setting has a major performance + impact: reducing it will cause more frequent refreshes while increasing it reduces + the number of refreshes. However, because the caches are not actively invalidated, + ACL token may be stale up to the TTL value. + + - + `down_policy` - Either "allow", "deny", "extend-cache" + or "async-cache"; "extend-cache" is the default. In the case that a policy or + token cannot be read from the [`primary_datacenter`](#primary_datacenter) or + leader node, the down policy is applied. In "allow" mode, all actions are permitted, + "deny" restricts all operations, and "extend-cache" allows any cached objects + to be used, ignoring their TTL values. If a non-cached ACL is used, "extend-cache" + acts like "deny". The value "async-cache" acts the same way as "extend-cache" + but performs updates asynchronously when ACL is present but its TTL is expired, + thus, if latency is bad between the primary and secondary datacenters, latency + of operations is not impacted. + + - + `default_policy` - Either "allow" or "deny"; + defaults to "allow" but this will be changed in a future major release. The default + policy controls the behavior of a token when there is no matching rule. In "allow" + mode, ACLs are a blacklist: any operation not specifically prohibited is allowed. + In "deny" mode, ACLs are a whitelist: any operation not specifically allowed + is blocked. _Note_: this will not take effect until you've enabled ACLs. + + - + `enable_key_list_policy` - Either "enabled" + or "disabled", defaults to "disabled". When enabled, the `list` permission will + be required on the prefix being recursively read from the KV store. Regardless + of being enabled, the full set of KV entries under the prefix will be filtered + to remove any entries that the request's ACL token does not grant at least read + permissions. This option is only available in Consul 1.0 and newer. + + - + `enable_token_replication` - By default + secondary Consul datacenters will perform replication of only ACL policies and + roles. Setting this configuration will will enable ACL token replication and + allow for the creation of both [local tokens](/api/acl/tokens.html#local) and + [auth methods](/docs/acl/acl-auth-methods.html) in connected secondary datacenters. + + - + `enable_token_persistence` - Either + `true` or `false`. When `true` tokens set using the API will be persisted to + disk and reloaded when an agent restarts. + + - + `tokens` - This object holds all of the configured + ACL tokens for the agents usage. + + - + `master` - Only used for servers in the [`primary_datacenter`](#primary_datacenter). + This token will be created with management-level permissions if it does not + exist. It allows operators to bootstrap the ACL system with a token Secret + ID that is well-known. +
+
+ The `master` token is only installed when a server acquires cluster + leadership. If you would like to install or change the `acl_master_token`, + set the new value for `master` in the configuration for all servers. Once + this is done, restart the current leader to force a leader election. If + the `master` token is not supplied, then the servers do not create a + master token. When you provide a value, it should be a UUID. To maintain + backwards compatibility and an upgrade path this restriction is not + currently enforced but will be in a future major Consul release. + + - + `default` - When provided, the agent will + use this token when making requests to the Consul servers. Clients can override + this token on a per-request basis by providing the "?token" query parameter. + When not provided, the empty token, which maps to the 'anonymous' ACL token, + is used. + + - + `agent` - Used for clients and servers to perform + internal operations. If this isn't specified, then the + `default` will be used. +
+
+ This token must at least have write access to the node name it will + register as in order to set any of the node-level information in the + catalog such as metadata, or the node's tagged addresses. + + - + `agent_master` - Used to access + agent endpoints + that require agent read or write privileges, or node read privileges, + even if Consul servers aren't present to validate any tokens. This should only + be used by operators during outages, regular ACL tokens should normally be + used by applications. + + - + `replication` - The ACL token used to + authorize secondary datacenters with the primary datacenter for replication + operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) + when ACLs are enabled. This token may be provided later using the [agent token + API](/api/agent.html#update-acl-tokens) on each server. This token must have + at least "read" permissions on ACL data but if ACL token replication is enabled + then it must have "write" permissions. This also enables Connect replication, + for which the token will require both operator "write" and intention "read" + permissions for replicating CA and Intention data. + + - + + `managed_service_provider` + - **(Enterprise Only)** An array of ACL tokens used by Consul managed + service providers for cluster operations. + + ```javascript + "managed_service_provider": [ + { + "accessor_id": "ed22003b-0832-4e48-ac65-31de64e5c2ff", + "secret_id": "cb6be010-bba8-4f30-a9ed-d347128dde17" + } + ] + ``` + +- + `acl_datacenter` - **This field is deprecated in + Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.** + + This designates the datacenter which is authoritative for ACL information. It must be provided to enable ACLs. All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients, + it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement + of ACLs. Please see the [ACL Guide](https://learn.hashicorp.com/consul/security-networking/production-acls) for more details. + +- + `acl_default_policy` - **Deprecated in + Consul 1.4.0. See the [`acl.default_policy`](#acl_default_policy) field instead.** + Either "allow" or "deny"; defaults to "allow". The default policy controls the + behavior of a token when there is no matching rule. In "allow" mode, ACLs are a + blacklist: any operation not specifically prohibited is allowed. In "deny" mode, + ACLs are a whitelist: any operation not specifically allowed is blocked. _Note_: + this will not take effect until you've set `primary_datacenter` to enable ACL support. + +- + `acl_down_policy` - **Deprecated in Consul + 1.4.0. See the [`acl.down_policy`](#acl_down_policy) field instead.**Either "allow", + "deny", "extend-cache" or "async-cache"; "extend-cache" is the default. In the + case that the policy for a token cannot be read from the [`primary_datacenter`](#primary_datacenter) + or leader node, the down policy is applied. In "allow" mode, all actions are permitted, + "deny" restricts all operations, and "extend-cache" allows any cached ACLs to be + used, ignoring their TTL values. If a non-cached ACL is used, "extend-cache" acts + like "deny". The value "async-cache" acts the same way as "extend-cache" but performs + updates asynchronously when ACL is present but its TTL is expired, thus, if latency + is bad between ACL authoritative and other datacenters, latency of operations is + not impacted. + +- + `acl_agent_master_token` - **Deprecated + in Consul 1.4.0. See the [`acl.tokens.agent_master`](#acl_tokens_agent_master) + field instead.** Used to access agent endpoints that + require agent read or write privileges, or node read privileges, even if Consul + servers aren't present to validate any tokens. This should only be used by operators + during outages, regular ACL tokens should normally be used by applications. This + was added in Consul 0.7.2 and is only used when + `acl_enforce_version_8` is set to true. + +- + `acl_agent_token` - **Deprecated in Consul + 1.4.0. See the [`acl.tokens.agent`](#acl_tokens_agent) field instead.** Used for + clients and servers to perform internal operations. If this isn't specified, then + the + `acl_token` will be used. This was added in Consul 0.7.2. + + This token must at least have write access to the node name it will register as in order to set any + of the node-level information in the catalog such as metadata, or the node's tagged addresses. + +- + `acl_enforce_version_8` - **Deprecated in + Consul 1.4.0** Used for clients and servers to determine if enforcement should + occur for new ACL policies being previewed before Consul 0.8. Added in Consul 0.7.2, + this defaults to false in versions of Consul prior to 0.8, and defaults to true + in Consul 0.8 and later. This helps ease the transition to the new ACL features + by allowing policies to be in place before enforcement begins. + +* + `acl_master_token` - **Deprecated in Consul + 1.4.0. See the [`acl.tokens.master`](#acl_tokens_master) field instead.** Only + used for servers in the [`primary_datacenter`](#primary_datacenter). This token + will be created with management-level permissions if it does not exist. It allows + operators to bootstrap the ACL system with a token ID that is well-known. + + The `acl_master_token` is only installed when a server acquires cluster leadership. If + you would like to install or change the `acl_master_token`, set the new value for `acl_master_token` + in the configuration for all servers. Once this is done, restart the current leader to force a + leader election. If the `acl_master_token` is not supplied, then the servers do not create a master + token. When you provide a value, it can be any string value. Using a UUID would ensure that it looks + the same as the other tokens, but isn't strictly necessary. + +* + `acl_replication_token` - **Deprecated + in Consul 1.4.0. See the [`acl.tokens.replication`](#acl_tokens_replication) field + instead.** Only used for servers outside the [`primary_datacenter`](#primary_datacenter) + running Consul 0.7 or later. When provided, this will enable [ACL replication](https://learn.hashicorp.com/consul/day-2-operations/acl-replication) + using this ACL replication using this token to retrieve and replicate the ACLs + to the non-authoritative local datacenter. In Consul 0.9.1 and later you can enable + ACL replication using [`enable_acl_replication`](#enable_acl_replication) and then + set the token later using the [agent token API](/api/agent.html#update-acl-tokens) + on each server. If the `acl_replication_token` is set in the config, it will automatically + set [`enable_acl_replication`](#enable_acl_replication) to true for backward compatibility. + + If there's a partition or other outage affecting the authoritative datacenter, and the + [`acl_down_policy`](/docs/agent/options.html#acl_down_policy) is set to "extend-cache", tokens not + in the cache can be resolved during the outage using the replicated set of ACLs. + +* + `acl_token` - **Deprecated in Consul 1.4.0. See + the [`acl.tokens.default`](#acl_tokens_default) field instead.** When provided, + the agent will use this token when making requests to the Consul servers. Clients + can override this token on a per-request basis by providing the "?token" query + parameter. When not provided, the empty token, which maps to the 'anonymous' ACL + policy, is used. + +* + `acl_ttl` - **Deprecated in Consul 1.4.0. See the + [`acl.token_ttl`](#acl_token_ttl) field instead.**Used to control Time-To-Live + caching of ACLs. By default, this is 30 seconds. This setting has a major performance + impact: reducing it will cause more frequent refreshes while increasing it reduces + the number of refreshes. However, because the caches are not actively invalidated, + ACL policy may be stale up to the TTL value. + +* + `addresses` - This is a nested object that allows setting + bind addresses. In Consul 1.0 and later these can be set to a space-separated list + of addresses to bind to, or a [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) + template that can potentially resolve to multiple addresses. + + `http`, `https` and `grpc` all support binding to a Unix domain socket. A + socket can be specified in the form `unix:///path/to/socket`. A new domain + socket will be created at the given path. If the specified file path already + exists, Consul will attempt to clear the file and create the domain socket + in its place. The permissions of the socket file are tunable via the + [`unix_sockets` config construct](#unix_sockets). + + When running Consul agent commands against Unix socket interfaces, use the + `-http-addr` argument to specify the path to the socket. You can also place + the desired values in the `CONSUL_HTTP_ADDR` environment variable. + + For TCP addresses, the environment variable value should be an IP address + _with the port_. For example: `10.0.0.1:8500` and not `10.0.0.1`. However, + ports are set separately in the `ports` structure when + defining them in a configuration file. + + The following keys are valid: + + - `dns` - The DNS server. Defaults to `client_addr` + - `http` - The HTTP API. Defaults to `client_addr` + - `https` - The HTTPS API. Defaults to `client_addr` + - `grpc` - The gRPC API. Defaults to `client_addr` + +* + `advertise_addr` Equivalent to the [`-advertise` + command-line flag](#_advertise). + +* + `serf_wan` Equivalent to the [`-serf-wan-bind` command-line + flag](#_serf_wan_bind). + +* + `serf_lan` Equivalent to the [`-serf-lan-bind` command-line + flag](#_serf_lan_bind). + +* + `advertise_addr_wan` Equivalent to the [`-advertise-wan` + command-line flag](#_advertise-wan). + +* + `autopilot` Added in Consul 0.8, this object allows a + number of sub-keys to be set which can configure operator-friendly settings for + Consul servers. When these keys are provided as configuration, they will only be + respected on bootstrapping. If they are not provided, the defaults will be used. + In order to change the value of these options after bootstrapping, you will need + to use the [Consul Operator Autopilot](https://www.consul.io/docs/commands/operator/autopilot.html) + command. For more information about Autopilot, see the [Autopilot Guide](https://learn.hashicorp.com/consul/day-2-operations/autopilot). + + The following sub-keys are available: + + - + `cleanup_dead_servers` - This controls the + automatic removal of dead server nodes periodically and whenever a new server + is added to the cluster. Defaults to `true`. + + - + `last_contact_threshold` - Controls the + maximum amount of time a server can go without contact from the leader before + being considered unhealthy. Must be a duration value such as `10s`. Defaults + to `200ms`. + + - + `max_trailing_logs` - Controls the maximum number + of log entries that a server can trail the leader by before being considered + unhealthy. Defaults to 250. + + - + `min_quorum` - Sets the minimum number of servers necessary + in a cluster before autopilot can prune dead servers. There is no default. + + - + `server_stabilization_time` - Controls + the minimum amount of time a server must be stable in the 'healthy' state before + being added to the cluster. Only takes effect if all servers are running Raft + protocol version 3 or higher. Must be a duration value such as `30s`. Defaults + to `10s`. + + - + `redundancy_zone_tag` - (Enterprise-only) + This controls the [`-node-meta`](#_node_meta) key to use when Autopilot is separating + servers into zones for redundancy. Only one server in each zone can be a voting + member at one time. If left blank (the default), this feature will be disabled. + + - + `disable_upgrade_migration` - (Enterprise-only) + If set to `true`, this setting will disable Autopilot's upgrade migration strategy + in Consul Enterprise of waiting until enough newer-versioned servers have been + added to the cluster before promoting any of them to voters. Defaults to `false`. + + - + `upgrade_version_tag` - (Enterprise-only) + The node_meta tag to use for version info when performing upgrade migrations. + If this is not set, the Consul version will be used. + +* + `auto_encrypt` + This object allows setting options for the `auto_encrypt` feature. + + The following sub-keys are available: + + - + `allow_tls` (Defaults to `false`) This option enables + `auto_encrypt` on the servers and allows them to automatically distribute certificates + from the Connect CA to the clients. If enabled, the server can accept incoming + connections from both the built-in CA and the Connect CA, as well as their certificates. + Note, the server will only present the built-in CA and certificate, which the + client can verify using the CA it received from `auto_encrypt` endpoint. If disabled, + a client configured with `auto_encrypt.tls` will be unable to start. + + - + `tls` (Defaults to `false`) Allows the client to request the + Connect CA and certificates from the servers, for encrypting RPC communication. + The client will make the request to any servers listed in the `-join` or `-retry-join` + option. This requires that every server to have `auto_encrypt.allow_tls` enabled. + When both `auto_encrypt` options are used, it allows clients to receive certificates + that are generated on the servers. If the `-server-port` is not the default one, + it has to be provided to the client as well. Usually this is discovered through + LAN gossip, but `auto_encrypt` provision happens before the information can be + distributed through gossip. The most secure `auto_encrypt` setup is when the + client is provided with the built-in CA, `verify_server_hostname` is turned on, + and when an ACL token with `node.write` permissions is setup. It is also possible + to use `auto_encrypt` with a CA and ACL, but without `verify_server_hostname`, + or only with a ACL enabled, or only with CA and `verify_server_hostname`, or + only with a CA, or finally without a CA and without ACL enabled. In any case, + the communication to the `auto_encrypt` endpoint is always TLS encrypted. + + - + `dns_san` (Defaults to `[]`) When this option is being + used, the certificates requested by `auto_encrypt` from the server have these + `dns_san` set as DNS SAN. + + - + `ip_san` (Defaults to `[]`) When this option is being used, + the certificates requested by `auto_encrypt` from the server have these `ip_san` + set as IP SAN. + +* + `bootstrap` Equivalent to the [`-bootstrap` command-line + flag](#_bootstrap). + +* + `bootstrap_expect` Equivalent to the [`-bootstrap-expect` + command-line flag](#_bootstrap_expect). + +* + `bind_addr` Equivalent to the [`-bind` command-line flag](#_bind). + +* + `ca_file` This provides a file path to a PEM-encoded certificate + authority. The certificate authority is used to check the authenticity of client + and server connections with the appropriate [`verify_incoming`](#verify_incoming) + or [`verify_outgoing`](#verify_outgoing) flags. + +* + `ca_path` This provides a path to a directory of PEM-encoded + certificate authority files. These certificate authorities are used to check the + authenticity of client and server connections with the appropriate [`verify_incoming`](#verify_incoming) + or [`verify_outgoing`](#verify_outgoing) flags. + +* + `cert_file` This provides a file path to a PEM-encoded + certificate. The certificate is provided to clients or servers to verify the agent's + authenticity. It must be provided along with [`key_file`](#key_file). + +* + `check_update_interval` + This interval controls how often check output from checks in a steady state is + synchronized with the server. By default, this is set to 5 minutes ("5m"). Many + checks which are in a steady state produce slightly different output per run (timestamps, + etc) which cause constant writes. This configuration allows deferring the sync + of check output for a given interval to reduce write pressure. If a check ever + changes state, the new state and associated output is synchronized immediately. + To disable this behavior, set the value to "0s". + +* + `client_addr` Equivalent to the [`-client` command-line + flag](#_client). + +* + `config_entries` + This object allows setting options for centralized config entries. + + The following sub-keys are available: + + - + `bootstrap` + This is a list of inlined config entries to insert into the state store when + the Consul server gains leadership. This option is only applicable to server + nodes. Each bootstrap entry will be created only if it does not exist. When reloading, + any new entries that have been added to the configuration will be processed. + See the [configuration entry docs](/docs/agent/config_entries.html) for more + details about the contents of each entry. + +- + `connect` + This object allows setting options for the Connect feature. + + The following sub-keys are available: + + - + `enabled` Controls whether Connect features are + enabled on this agent. Should be enabled on all clients and servers in the cluster + in order for Connect to function properly. Defaults to false. + + - + + `enable_mesh_gateway_wan_federation` + + Controls whether cross-datacenter federation traffic between servers is funneled + through mesh gateways. Defaults to false. This was added in Consul 1.8.x **TODO(wanfed)**. + + - + `ca_provider` Controls which CA provider to + use for Connect's CA. Currently only the `consul` and `vault` providers are supported. + This is only used when initially bootstrapping the cluster. For an existing cluster, + use the [Update CA Configuration Endpoint](/api/connect/ca.html#update-ca-configuration). + + - + `ca_config` An object which allows setting different + config options based on the CA provider chosen. This is only used when initially + bootstrapping the cluster. For an existing cluster, use the [Update CA Configuration + Endpoint](/api/connect/ca.html#update-ca-configuration). + + The following providers are supported: + + #### Consul CA Provider (`ca_provider = "consul"`) + + - + `private_key` The PEM contents of the + private key to use for the CA. + + - + `root_cert` The PEM contents of the root + certificate to use for the CA. + + #### Vault CA Provider (`ca_provider = "vault"`) + + - + `address` The address of the Vault server to + connect to. + + - + `token` The Vault token to use. + + - + `root_pki_path` The path to use for the root + CA pki backend in Vault. This can be an existing backend with a CA already + configured, or a blank/unmounted backend in which case Connect will automatically + mount/generate the CA. The Vault token given above must have `sudo` access + to this backend, as well as permission to mount the backend at this path if + it is not already mounted. + + - + `intermediate_pki_path` + The path to use for the temporary intermediate CA pki backend in Vault. _Connect + will overwrite any data at this path in order to generate a temporary intermediate + CA_. The Vault token given above must have `write` access to this backend, + as well as permission to mount the backend at this path if it is not already + mounted. + + #### Common CA Config Options + + {' '} + +

+ There are also a number of common configuration options supported by all + providers: +

+ + - + `csr_max_concurrent` Sets a limit on how + many Certificate Signing Requests will be processed concurrently. Defaults + to 0 (disabled). This is useful when you have more than one or two cores available + to the server. For example on an 8 core server, setting this to 1 will ensure + that even during a CA rotation no more than one server core on the leader will + be consumed at a time with generating new certificates. Setting this is recommended + _instead_ of `csr_max_per_second` where you know there are multiple cores available + since it is simpler to reason about limiting CSR resources this way without + artificially slowing down rotations. Added in 1.4.1. + + - + `csr_max_per_second` Sets a rate limit + on the maximum number of Certificate Signing Requests (CSRs) the servers will + accept. This is used to prevent CA rotation from causing unbounded CPU usage + on servers. It defaults to 50 which is conservative - a 2017 Macbook can process + about 100 per second using only ~40% of one CPU core - but sufficient for deployments + up to ~1500 service instances before the time it takes to rotate is impacted. + For larger deployments we recommend increasing this based on the expected number + of server instances and server resources, or use `csr_max_concurrent` instead + if servers have more than one core. Setting this to zero disables rate limiting. + Added in 1.4.1. + + - + `leaf_cert_ttl` The upper bound on the lease + duration of a leaf certificate issued for a service. In most cases a new leaf + certificate will be requested by a proxy before this limit is reached. This + is also the effective limit on how long a server outage can last (with no leader) + before network connections will start being rejected, and as a result the defaults + is `72h` to last through a weekend without intervention. This value cannot + be lower than 1 hour or higher than 1 year. + + This value is also used when rotating out old root certificates from + the cluster. When a root certificate has been inactive (rotated out) + for more than twice the _current_ `leaf_cert_ttl`, it will be removed + from the trusted list. + + - + `private_key_type` The type of key to generate + for this CA. This is only used when the provider is generating a new key. If + `private_key` is set for the Consul provider, or existing root or intermediate + PKI paths given for Vault then this will be ignored. Currently supported options + are `ec` or `rsa`. Default is `ec`. + + It is required that all servers in a Datacenter have + the same config for the CA. It is recommended that servers in + different Datacenters have the same CA config for key type and size + although the built-in CA and Vault provider will both allow mixed CA + key types. + + Some CA providers (currently Vault) will not allow cross-signing a + new CA certificate with a different key type. This means that if you + migrate from an RSA-keyed Vault CA to an EC-keyed CA from any + provider, you may have to proceed without cross-signing which risks + temporary connection issues for workloads during the new certificate + rollout. We highly recommend testing this outside of production to + understand the impact and suggest sticking to same key type where + possible. + + Note that this only affects _CA_ keys generated by the provider. + Leaf certificate keys are always EC 256 regardless of the CA + configuration. + + - + `private_key_bits` The length of key to + generate for this CA. This is only used when the provider is generating a new + key. If `private_key` is set for the Consul provider, or existing root or intermediate + PKI paths given for Vault then this will be ignored. + + Currently supported values are: + + - `private_key_type = ec` (default): `224, 256, 384, 521` + corresponding to the NIST P-\* curves of the same name. + - `private_key_type = rsa`: `2048, 4096` + +- + `datacenter` Equivalent to the [`-datacenter` command-line + flag](#_datacenter). + +- + `data_dir` Equivalent to the [`-data-dir` command-line + flag](#_data_dir). + +- + + `disable_anonymous_signature` + Disables providing an anonymous signature for de-duplication with the update + check. See [`disable_update_check`](#disable_update_check). + +- + `disable_host_node_id` + Equivalent to the [`-disable-host-node-id` command-line flag](#_disable_host_node_id). + +- + + `disable_http_unprintable_char_filter` + + Defaults to false. Consul 1.0.3 fixed a potential security vulnerability where + malicious users could craft KV keys with unprintable chars that would confuse operators + using the CLI or UI into taking wrong actions. Users who had data written in older + versions of Consul that did not have this restriction will be unable to delete + those values by default in 1.0.3 or later. This setting enables those users to + _temporarily_ disable the filter such that delete operations can work on those + keys again to get back to a healthy state. It is strongly recommended that this + filter is not disabled permanently as it exposes the original security vulnerability. + +- + `disable_remote_exec` + Disables support for remote execution. When set to true, the agent will ignore + any incoming remote exec requests. In versions of Consul prior to 0.8, this defaulted + to false. In Consul 0.8 the default was changed to true, to make remote exec opt-in + instead of opt-out. + +- + `disable_update_check` + Disables automatic checking for security bulletins and new version releases. This + is disabled in Consul Enterprise. + +- + `discard_check_output` + Discards the output of health checks before storing them. This reduces the number + of writes to the Consul raft log in environments where health checks have volatile + output like timestamps, process ids, ... + +- + `discovery_max_stale` - Enables stale requests + for all service discovery HTTP endpoints. This is equivalent to the [`max_stale`](#max_stale) + configuration for DNS requests. If this value is zero (default), all service discovery + HTTP endpoints are forwarded to the leader. If this value is greater than zero, + any Consul server can handle the service discovery request. If a Consul server + is behind the leader by more than `discovery_max_stale`, the query will be re-evaluated + on the leader to get more up-to-date results. Consul agents also add a new `X-Consul-Effective-Consistency` + response header which indicates if the agent did a stale read. `discover-max-stale` + was introduced in Consul 1.0.7 as a way for Consul operators to force stale requests + from clients at the agent level, and defaults to zero which matches default consistency + behavior in earlier Consul versions. + +- + `dns_config` This object allows a number of sub-keys + to be set which can tune how DNS queries are serviced. See this guide on [DNS caching](https://learn.hashicorp.com/consul/security-networking/dns-caching) + for more detail. + + The following sub-keys are available: + + - + `allow_stale` - Enables a stale query for DNS information. + This allows any Consul server, rather than only the leader, to service the request. + The advantage of this is you get linear read scalability with Consul servers. + In versions of Consul prior to 0.7, this defaulted to false, meaning all requests + are serviced by the leader, providing stronger consistency but less throughput + and higher latency. In Consul 0.7 and later, this defaults to true for better + utilization of available servers. + + - + `max_stale` - When [`allow_stale`](#allow_stale) is + specified, this is used to limit how stale results are allowed to be. If a Consul + server is behind the leader by more than `max_stale`, the query will be re-evaluated + on the leader to get more up-to-date results. Prior to Consul 0.7.1 this defaulted + to 5 seconds; in Consul 0.7.1 and later this defaults to 10 years ("87600h") + which effectively allows DNS queries to be answered by any server, no matter + how stale. In practice, servers are usually only milliseconds behind the leader, + so this lets Consul continue serving requests in long outage scenarios where + no leader can be elected. + + - + `node_ttl` - By default, this is "0s", so all node lookups + are served with a 0 TTL value. DNS caching for node lookups can be enabled by + setting this value. This should be specified with the "s" suffix for second or + "m" for minute. + + - + `service_ttl` - This is a sub-object which allows + for setting a TTL on service lookups with a per-service policy. The "\*" wildcard + service can be used when there is no specific policy available for a service. + By default, all services are served with a 0 TTL value. DNS caching for service + lookups can be enabled by setting this value. + + - + `enable_truncate` - If set to true, a UDP DNS + query that would return more than 3 records, or more than would fit into a valid + UDP response, will set the truncated flag, indicating to clients that they should + re-query using TCP to get the full set of records. + + - + `only_passing` - If set to true, any nodes whose + health checks are warning or critical will be excluded from DNS results. If false, + the default, only nodes whose healthchecks are failing as critical will be excluded. + For service lookups, the health checks of the node itself, as well as the service-specific + checks are considered. For example, if a node has a health check that is critical + then all services on that node will be excluded because they are also considered + critical. + + - + `recursor_timeout` - Timeout used by Consul when + recursively querying an upstream DNS server. See + `recursors` + + for more details. Default is 2s. This is available in Consul 0.7 and later. + + - + `disable_compression` - If set to true, DNS + responses will not be compressed. Compression was added and enabled by default + in Consul 0.7. + + - + `udp_answer_limit` - Limit the number of resource + records contained in the answer section of a UDP-based DNS response. This parameter + applies only to UDP DNS queries that are less than 512 bytes. This setting is + deprecated and replaced in Consul 1.0.7 by + `a_record_limit` + + . + + - + `a_record_limit` - Limit the number of resource + records contained in the answer section of a A, AAAA or ANY DNS response (both + TCP and UDP). When answering a question, Consul will use the complete list of + matching hosts, shuffle the list randomly, and then limit the number of answers + to `a_record_limit` (default: no limit). This limit does not apply to SRV records. + + In environments where [RFC 3484 Section 6](https://tools.ietf.org/html/rfc3484#section-6) Rule 9 + is implemented and enforced (i.e. DNS answers are always sorted and + therefore never random), clients may need to set this value to `1` to + preserve the expected randomized distribution behavior (note: + [RFC 3484](https://tools.ietf.org/html/rfc3484) has been obsoleted by + [RFC 6724](https://tools.ietf.org/html/rfc6724) and as a result it should + be increasingly uncommon to need to change this value with modern + resolvers). + + - + + `enable_additional_node_meta_txt` + - When set to true, Consul will add TXT records for Node metadata into the + Additional section of the DNS responses for several query types such as SRV queries. + When set to false those records are not emitted. This does not impact the behavior + of those same TXT records when they would be added to the Answer section of the + response like when querying with type TXT or ANY. This defaults to true. + + - + `soa` Allow to tune the setting set up in SOA. Non specified + values fallback to their default values, all values are integers and expressed + as seconds. +
+
+ The following settings are available: + + - + `expire` - Configure SOA Expire duration in seconds, + default value is 86400, ie: 24 hours. + + - + `min_ttl` - Configure SOA DNS minimum TTL. As explained + in [RFC-2308](https://tools.ietf.org/html/rfc2308) this also controls negative + cache TTL in most implementations. Default value is 0, ie: no minimum delay + or negative TTL. + + - + `refresh` - Configure SOA Refresh duration in seconds, + default value is `3600`, ie: 1 hour. + + - + `retry` - Configures the Retry duration expressed + in seconds, default value is 600, ie: 10 minutes. + + - + `use_cache` - When set to true, DNS resolution will + use the agent cache described in [agent caching](/api/features/caching.html). + This setting affects all service and prepared queries DNS requests. Implies [`allow_stale`](#allow_stale) + + - + `cache_max_age` - When [use_cache](#dns_use_cache) + is enabled, the agent will attempt to re-fetch the result from the servers if + the cached value is older than this duration. See: [agent caching](/api/features/caching.html). + + - + `prefer_namespace` - **(Enterprise Only)** + When set to true, in a DNS query for a service, the label between the domain + and the `service` label will be treated as a namespace name instead of a datacenter. + When set to false, the default, the behavior will be the same as non-Enterprise + versions and will assume the label is the datacenter. See: [this section](/docs/agent/dns.html#namespaced-services-enterprise) + for more details. + +* `domain` Equivalent to the [`-domain` command-line flag](#_domain). + +* `enable_acl_replication` When set on a Consul server, enables ACL replication without having to set + the replication token via [`acl_replication_token`](#acl_replication_token). Instead, enable ACL replication + and then introduce the token using the [agent token API](/api/agent.html#update-acl-tokens) on each server. + See [`acl_replication_token`](#acl_replication_token) for more details. + +* `enable_agent_tls_for_checks` When set, uses a subset of the agent's TLS configuration (`key_file`, `cert_file`, + `ca_file`, `ca_path`, and `server_name`) to set up the client for HTTP or gRPC health checks. This allows + services requiring 2-way TLS to be checked using the agent's credentials. This was added in Consul 1.0.1 and + defaults to false. + +* `enable_central_service_config` When set, the Consul agent will look for any centralized service configurations + that match a registering service instance. If it finds any, the agent will merge the centralized defaults with + the service instance configuration. This allows for things like service protocol or proxy configuration to be + defined centrally and inherited by any affected service registrations. + +* `enable_debug` When set, enables some additional debugging features. Currently, this is only used to acces + runtime profiling HTTP endpoints, which are available with an `operator:read` ACL regardless of the value o + `enable_debug`. + +* `enable_script_checks` Equivalent to the [`-enable-script-checks` command-line flag](#_enable_script_checks). + + ~> **Security Warning:** Enabling script checks in some configurations may + introduce a remote execution vulnerability which is known to be targeted by + malware. We strongly recommend `enable_local_script_checks` instead. See [this + blog post](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations) + for more details. + +* `enable_local_script_checks` Equivalent to the [`-enable-local-script-checks` command-line flag](#_enable_local_script_checks). + +* `enable_syslog` Equivalent to the [`-syslog` command-line flag](#_syslog). + +* `encrypt` Equivalent to the [`-encrypt` command-line flag](#_encrypt). + +* + `encrypt_verify_incoming` - This is an optional + parameter that can be used to disable enforcing encryption for incoming gossip + in order to upshift from unencrypted to encrypted gossip on a running cluster. + See [this section](/docs/agent/encryption.html#configuring-gossip-encryption-on-an-existing-cluster) + for more information. Defaults to true. + +* + `encrypt_verify_outgoing` - This is an optional + parameter that can be used to disable enforcing encryption for outgoing gossip + in order to upshift from unencrypted to encrypted gossip on a running cluster. + See [this section](/docs/agent/encryption.html#configuring-gossip-encryption-on-an-existing-cluster) + for more information. Defaults to true. + +* + `disable_keyring_file` - Equivalent to the + [`-disable-keyring-file` command-line flag](#_disable_keyring_file). + +* + `gossip_lan` - **(Advanced)** This object contains a + number of sub-keys which can be set to tune the LAN gossip communications. These + are only provided for users running especially large clusters that need fine tuning + and are prepared to spend significant effort correctly tuning them for their environment + and workload. **Tuning these improperly can cause Consul to fail in unexpected + ways**. The default values are appropriate in almost all deployments. + + - + `gossip_nodes` - The number of random nodes to send + gossip messages to per gossip_interval. Increasing this number causes the gossip + messages to propagate across the cluster more quickly at the expense of increased + bandwidth. The default is 3. + + - + `gossip_interval` - The interval between sending + messages that need to be gossiped that haven't been able to piggyback on probing + messages. If this is set to zero, non-piggyback gossip is disabled. By lowering + this value (more frequent) gossip messages are propagated across the cluster + more quickly at the expense of increased bandwidth. The default is 200ms. + + - + `probe_interval` - The interval between random + node probes. Setting this lower (more frequent) will cause the cluster to detect + failed nodes more quickly at the expense of increased bandwidth usage. The default + is 1s. + + - + `probe_timeout` - The timeout to wait for an ack + from a probed node before assuming it is unhealthy. This should be at least the + 99-percentile of RTT (round-trip time) on your network. The default is 500ms + and is a conservative value suitable for almost all realistic deployments. + + - + `retransmit_mult` - The multiplier for the number + of retransmissions that are attempted for messages broadcasted over gossip. The + number of retransmits is scaled using this multiplier and the cluster size. The + higher the multiplier, the more likely a failed broadcast is to converge at the + expense of increased bandwidth. The default is 4. + + - + `suspicion_mult` - The multiplier for determining + the time an inaccessible node is considered suspect before declaring it dead. + The timeout is scaled with the cluster size and the probe_interval. This allows + the timeout to scale properly with expected propagation delay with a larger cluster + size. The higher the multiplier, the longer an inaccessible node is considered + part of the cluster before declaring it dead, giving that suspect node more time + to refute if it is indeed still alive. The default is 4. + +* + `gossip_wan` - **(Advanced)** This object contains a + number of sub-keys which can be set to tune the WAN gossip communications. These + are only provided for users running especially large clusters that need fine tuning + and are prepared to spend significant effort correctly tuning them for their environment + and workload. **Tuning these improperly can cause Consul to fail in unexpected + ways**. The default values are appropriate in almost all deployments. + + - + `gossip_nodes` - The number of random nodes to send + gossip messages to per gossip_interval. Increasing this number causes the gossip + messages to propagate across the cluster more quickly at the expense of increased + bandwidth. The default is 3. + + - + `gossip_interval` - The interval between sending + messages that need to be gossiped that haven't been able to piggyback on probing + messages. If this is set to zero, non-piggyback gossip is disabled. By lowering + this value (more frequent) gossip messages are propagated across the cluster + more quickly at the expense of increased bandwidth. The default is 200ms. + + - + `probe_interval` - The interval between random + node probes. Setting this lower (more frequent) will cause the cluster to detect + failed nodes more quickly at the expense of increased bandwidth usage. The default + is 1s. + + - + `probe_timeout` - The timeout to wait for an ack + from a probed node before assuming it is unhealthy. This should be at least the + 99-percentile of RTT (round-trip time) on your network. The default is 500ms + and is a conservative value suitable for almost all realistic deployments. + + - + `retransmit_mult` - The multiplier for the number + of retransmissions that are attempted for messages broadcasted over gossip. The + number of retransmits is scaled using this multiplier and the cluster size. The + higher the multiplier, the more likely a failed broadcast is to converge at the + expense of increased bandwidth. The default is 4. + + - + `suspicion_mult` - The multiplier for determining + the time an inaccessible node is considered suspect before declaring it dead. + The timeout is scaled with the cluster size and the probe_interval. This allows + the timeout to scale properly with expected propagation delay with a larger cluster + size. The higher the multiplier, the longer an inaccessible node is considered + part of the cluster before declaring it dead, giving that suspect node more time + to refute if it is indeed still alive. The default is 4. + +* + `key_file` This provides a the file path to a PEM-encoded + private key. The key is used with the certificate to verify the agent's authenticity. + This must be provided along with [`cert_file`](#cert_file). + +* + `http_config` + This object allows setting options for the HTTP API and UI. + + The following sub-keys are available: + + - + `block_endpoints` + This object is a list of HTTP API endpoint prefixes to block on the agent, and + defaults to an empty list, meaning all endpoints are enabled. Any endpoint that + has a common prefix with one of the entries on this list will be blocked and + will return a 403 response code when accessed. For example, to block all of the + V1 ACL endpoints, set this to `["/v1/acl"]`, which will block `/v1/acl/create`, + `/v1/acl/update`, and the other ACL endpoints that begin with `/v1/acl`. This + only works with API endpoints, not `/ui` or `/debug`, those must be disabled + with their respective configuration options. Any CLI commands that use disabled + endpoints will no longer function as well. For more general access control, Consul's + [ACL system](https://learn.hashicorp.com/consul/security-networking/production-acls) + should be used, but this option is useful for removing access to HTTP API endpoints + completely, or on specific agents. This is available in Consul 0.9.0 and later. + + - + `response_headers` + This object allows adding headers to the HTTP API and UI responses. For example, + the following config can be used to enable [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) + on the HTTP API endpoints: + + ```javascript + { + "http_config": { + "response_headers": { + "Access-Control-Allow-Origin": "*" + } + } + } + ``` + + - + `allow_write_http_from` + This object is a list of networks in CIDR notation (eg "127.0.0.0/8") that are + allowed to call the agent write endpoints. It defaults to an empty list, which + means all networks are allowed. This is used to make the agent read-only, except + for select ip ranges. - To block write calls from anywhere, use `[ "255.255.255.255/32" + ]`. - To only allow write calls from localhost, use `[ "127.0.0.0/8" ]` - To + only allow specific IPs, use `[ "10.0.0.1/32", "10.0.0.2/32" ]` + +* + `leave_on_terminate` If enabled, when the agent + receives a TERM signal, it will send a `Leave` message to the rest of the cluster + and gracefully leave. The default behavior for this feature varies based on whether + or not the agent is running as a client or a server (prior to Consul 0.7 the default + value was unconditionally set to `false`). On agents in client-mode, this defaults + to `true` and for agents in server-mode, this defaults to `false`. + +* + `limits` Available in Consul 0.9.3 and later, this is a nested + object that configures limits that are enforced by the agent. Prior to Consul 1.5.2, + this only applied to agents in client mode, not Consul servers. The following parameters + are available: + + - + `http_max_conns_per_client` - Configures + a limit of how many concurrent TCP connections a single client IP address is + allowed to open to the agent's HTTP(S) server. This affects the HTTP(S) servers + in both client and server agents. Default value is `200`. + - + `https_handshake_timeout` - Configures + the limit for how long the HTTPS server in both client and server agents will + wait for a client to complete a TLS handshake. This should be kept conservative + as it limits how many connections an unauthenticated attacker can open if `verify_incoming` + is being using to authenticate clients (strongly recommended in production). + Default value is `5s`. + - + `rpc_handshake_timeout` - Configures the + limit for how long servers will wait after a client TCP connection is established + before they complete the connection handshake. When TLS is used, the same timeout + applies to the TLS handshake separately from the initial protocol negotiation. + All Consul clients should perform this immediately on establishing a new connection. + This should be kept conservative as it limits how many connections an unauthenticated + attacker can open if `verify_incoming` is being using to authenticate clients + (strongly recommended in production). When `verify_incoming` is true on servers, + this limits how long the connection socket and associated goroutines will be + held open before the client successfully authenticates. Default value is `5s`. + - + `rpc_max_conns_per_client` - Configures + a limit of how many concurrent TCP connections a single source IP address is + allowed to open to a single server. It affects both clients connections and other + server connections. In general Consul clients multiplex many RPC calls over a + single TCP connection so this can typically be kept low. It needs to be more + than one though since servers open at least one additional connection for raft + RPC, possibly more for WAN federation when using network areas, and snapshot + requests from clients run over a separate TCP conn. A reasonably low limit significantly + reduces the ability of an unauthenticated attacker to consume unbounded resources + by holding open many connections. You may need to increase this if WAN federated + servers connect via proxies or NAT gateways or similar causing many legitimate + connections from a single source IP. Default value is `100` which is designed + to be extremely conservative to limit issues with certain deployment patterns. + Most deployments can probably reduce this safely. 100 connections on modern server + hardware should not cause a significant impact on resource usage from an unauthenticated + attacker though. + - + `rpc_rate` - Configures the RPC rate limiter on Consul + _clients_ by setting the maximum request rate that this agent is allowed to make + for RPC requests to Consul servers, in requests per second. Defaults to infinite, + which disables rate limiting. + - + `rpc_max_burst` - The size of the token bucket used + to recharge the RPC rate limiter on Consul _clients_ . Defaults to 1000 tokens, + and each token is good for a single RPC call to a Consul server. See https://en.wikipedia.org/wiki/Token_bucket + for more details about how token bucket rate limiters operate. + - + `kv_max_value_size` - **(Advanced)** Configures + the maximum number of bytes for a kv request body to the [`/v1/kv`](/api/kv.html) + endpoint. This limit defaults to [raft's](https://github.com/hashicorp/raft) + suggested max size(512KB). **Note that tuning these improperly can cause Consul + to fail in unexpected ways**, it may potentially affect leadership stability + and prevent timely heartbeat signals by increasing RPC IO duration. This option + affects the txn endpoint too, but Consul 1.7.2 introduced `txn_max_req_len` which + is the preferred way to set the limit for the txn endpoint. If both limits are + set, the higher one takes precedence. + - + `txn_max_req_len` - **(Advanced)** Configures + the maximum number of bytes for a transaction request body to the [`/v1/txn`](/api/txn.html) + endpoint. This limit defaults to [raft's](https://github.com/hashicorp/raft) + suggested max size(512KB). **Note that tuning these improperly can cause Consul + to fail in unexpected ways**, it may potentially affect leadership stability + and prevent timely heartbeat signals by increasing RPC IO duration. + +* + `log_file` Equivalent to the [`-log-file` command-line + flag](#_log_file). + +* + `log_rotate_duration` Equivalent to the [`-log-rotate-duration` + command-line flag](#_log_rotate_duration). + +* + `log_rotate_bytes` Equivalent to the [`-log-rotate-bytes` + command-line flag](#_log_rotate_bytes). + +* + `log_rotate_max_files` Equivalent to the [`-log-rotate-max-files` + command-line flag](#_log_rotate_max_files). + +* + `log_level` Equivalent to the [`-log-level` command-line + flag](#_log_level). + +* + `log_json` Equivalent to the [`-log-json` command-line + flag](#_log_json). + +* + `default_query_time` + Equivalent to the [`-default-query-time` command-line flag](#_default_query_time). + +* + `max_query_time` + Equivalent to the [`-max-query-time` command-line flag](#_max_query_time). + +* + `node_id` Equivalent to the [`-node-id` command-line flag](#_node_id). + +* + `node_name` Equivalent to the [`-node` command-line flag](#_node). + +* + `node_meta` Available in Consul 0.7.3 and later, This + object allows associating arbitrary metadata key/value pairs with the local node, + which can then be used for filtering results from certain catalog endpoints. See + the [`-node-meta` command-line flag](#_node_meta) for more information. + + ```javascript + { + "node_meta": { + "instance_type": "t2.medium" + } + } + ``` + +* + `performance` Available in Consul 0.7 and later, this + is a nested object that allows tuning the performance of different subsystems in + Consul. See the [Server Performance](/docs/install/performance.html) documentation + for more details. The following parameters are available: + + - + `leave_drain_time` - A duration that a server + will dwell during a graceful leave in order to allow requests to be retried against + other Consul servers. Under normal circumstances, this can prevent clients from + experiencing "no leader" errors when performing a rolling update of the Consul + servers. This was added in Consul 1.0. Must be a duration value such as 10s. + Defaults to 5s. + + - + `raft_multiplier` - An integer multiplier used + by Consul servers to scale key Raft timing parameters. Omitting this value or + setting it to 0 uses default timing described below. Lower values are used to + tighten timing and increase sensitivity while higher values relax timings and + reduce sensitivity. Tuning this affects the time it takes Consul to detect leader + failures and to perform leader elections, at the expense of requiring more network + and CPU resources for better performance. + + By default, Consul will use a lower-performance timing that's suitable + for [minimal Consul servers](/docs/install/performance.html#minimum), currently equivalent + to setting this to a value of 5 (this default may be changed in future versions of Consul, + depending if the target minimum server profile changes). Setting this to a value of 1 will + configure Raft to its highest-performance mode, equivalent to the default timing of Consul + prior to 0.7, and is recommended for [production Consul servers](/docs/install/performance.html#production). + See the note on [last contact](/docs/install/performance.html#last-contact) timing for more + details on tuning this parameter. The maximum allowed value is 10. + + - + `rpc_hold_timeout` - A duration that a client + or server will retry internal RPC requests during leader elections. Under normal + circumstances, this can prevent clients from experiencing "no leader" errors. + This was added in Consul 1.0. Must be a duration value such as 10s. Defaults + to 7s. + +* + `ports` This is a nested object that allows setting the bind + ports for the following keys: + + - + `dns` - The DNS server, -1 to disable. Default 8600. + TCP and UDP. + - + `http` - The HTTP API, -1 to disable. Default 8500. + TCP only. + - + `https` - The HTTPS API, -1 to disable. Default -1 + (disabled). **We recommend using `8501`** for `https` by convention as some tooling + will work automatically with this. + - + `grpc` - The gRPC API, -1 to disable. Default -1 (disabled). + **We recommend using `8502`** for `grpc` by convention as some tooling will work + automatically with this. This is set to `8502` by default when the agent runs + in `-dev` mode. Currently gRPC is only used to expose Envoy xDS API to Envoy + proxies. + - + `serf_lan` - The Serf LAN port. Default 8301. TCP + and UDP. + - + `serf_wan` - The Serf WAN port. Default 8302. Set + to -1 to disable. **Note**: this will disable WAN federation which is not recommended. + Various catalog and WAN related endpoints will return errors or empty results. + TCP and UDP. + - + `server` - Server RPC address. Default 8300. TCP + only. + - + `sidecar_min_port` - Inclusive minimum port number + to use for automatically assigned [sidecar service registrations](/docs/connect/registration/sidecar-service.html). + Default 21000. Set to `0` to disable automatic port assignment. + - + `sidecar_max_port` - Inclusive maximum port number + to use for automatically assigned [sidecar service registrations](/docs/connect/registration/sidecar-service.html). + Default 21255. Set to `0` to disable automatic port assignment. + - + `expose_min_port` - Inclusive minimum port number + to use for automatically assigned [exposed check listeners](/docs/connect/registration/service-registration.html#expose-paths-configuration-reference). + Default 21500. Set to `0` to disable automatic port assignment. + - + `expose_max_port` - Inclusive maximum port number + to use for automatically assigned [exposed check listeners](/docs/connect/registration/service-registration.html#expose-paths-configuration-reference). + Default 21755. Set to `0` to disable automatic port assignment. + +* + `primary_datacenter` - This designates the datacenter + which is authoritative for ACL information, intentions and is the root Certificate + Authority for Connect. It must be provided to enable ACLs. All servers and datacenters + must agree on the primary datacenter. Setting it on the servers is all you need + for cluster-level enforcement, but for the APIs to forward properly from the clients, + it must be set on them too. In Consul 0.8 and later, this also enables agent-level + enforcement of ACLs. + +* + `primary_gateways` Equivalent to the [`-primary-gateway` + command-line flag](#_primary_gateway). Takes a list of addresses to use as the + mesh gateways for the primary datacenter when authoritative replicated catalog + data is not present. Discovery happens every [`primary_gateways_interval`](#_primary_gateways_interval) + until at least one primary mesh gateway is discovered. This was added in Consul + 1.8.x **TODO(wanfed)**. + +* + `primary_gateways_interval` Time to wait + between [`primary_gateways`](#primary_gateways) discovery attempts. Defaults to + 30s. This was added in Consul 1.8.x **TODO(wanfed)**. + +* + `protocol` Equivalent to the [`-protocol` command-line + flag](#_protocol). + +* + `raft_protocol` Equivalent to the [`-raft-protocol` + command-line flag](#_raft_protocol). + + + +- + + `raft_snapshot_threshold` This controls + the minimum number of raft commit entries between snapshots that are saved to disk. + This is a low-level parameter that should rarely need to be changed. Very busy + clusters experiencing excessive disk IO may increase this value to reduce disk + IO, and minimize the chances of all servers taking snapshots at the same time. + Increasing this trades off disk IO for disk space since the log will grow much + larger and the space in the raft.db file can't be reclaimed till the next snapshot. + Servers may take longer to recover from crashes or failover if this is increased + significantly as more logs will need to be replayed. In Consul 1.1.0 and later + this defaults to 16384, and in prior versions it was set to 8192. + +- + + `raft_snapshot_interval` + This controls how often servers check if they need to save a snapshot to disk. + his is a low-level parameter that should rarely need to be changed. Very busy clusters + experiencing excessive disk IO may increase this value to reduce disk IO, and minimize + the chances of all servers taking snapshots at the same time. Increasing this trades + off disk IO for disk space since the log will grow much larger and the space in + th e raft.db file can't be reclaimed till the next snapshot. Servers may take longer + to recover from crashes or failover if this is increased significantly as more + logs will need to be replayed. In Consul 1.1.0 and later this defaults to `30s`, + and in prior versions it was set to `5s`. + +- + `raft_trailing_logs` - This controls how many + log entries are left in the log store on disk after a snapshot is made. This should + only be adjusted when followers cannot catch up to the leader due to a very large + snapshot size that and high write throughput causing log truncation before an snapshot + can be fully installed. If you need to use this to recover a cluster, consider + reducing write throughput or the amount of data stored on Consul as it is likely + under a load it is not designed to handle. The default value is 10000 which is + suitable for all normal workloads. Added in Consul 1.5.3. + +- + `reap` This controls Consul's automatic reaping of child processes, + which is useful if Consul is running as PID 1 in a Docker container. If this isn't + specified, then Consul will automatically reap child processes if it detects it + is running as PID 1. If this is set to true or false, then it controls reaping + regardless of Consul's PID (forces reaping on or off, respectively). This option + was removed in Consul 0.7.1. For later versions of Consul, you will need to reap + processes using a wrapper, please see the [Consul Docker image entry point script](https://github.com/hashicorp/docker-consul/blob/master/0.X/docker-entrypoint.sh) + for an example. If you are using Docker 1.13.0 or later, you can use the new `--init` + option of the `docker run` command and docker will enable an init process with + PID 1 that reaps child processes for the container. More info on [Docker docs](https://docs.docker.com/engine/reference/commandline/run/#options). + +- + `reconnect_timeout` This controls how long it + takes for a failed node to be completely removed from the cluster. This defaults + to 72 hours and it is recommended that this is set to at least double the maximum + expected recoverable outage time for a node or network partition. WARNING: Setting + this time too low could cause Consul servers to be removed from quorum during an + extended node failure or partition, which could complicate recovery of the cluster. + The value is a time with a unit suffix, which can be "s", "m", "h" for seconds, + minutes, or hours. The value must be >= 8 hours. + +- + `reconnect_timeout_wan` This is the WAN equivalent + of the `reconnect_timeout` parameter, which controls + how long it takes for a failed server to be completely removed from the WAN pool. + This also defaults to 72 hours, and must be >= 8 hours. + +- + `recursors` This flag provides addresses of upstream DNS + servers that are used to recursively resolve queries if they are not inside the + service domain for Consul. For example, a node can use Consul directly as a DNS + server, and if the record is outside of the "consul." domain, the query will be + resolved upstream. As of Consul 1.0.1 recursors can be provided as IP addresses + or as go-sockaddr templates. IP addresses are resolved in order, and duplicates + are ignored. + +- + `rejoin_after_leave` Equivalent to the [`-rejoin` + command-line flag](#_rejoin). + +- `retry_join` - Equivalent to the [`-retry-join`](#retry-join) command-line flag. + +- + `retry_interval` Equivalent to the [`-retry-interval` + command-line flag](#_retry_interval). + +- + `retry_join_wan` Equivalent to the [`-retry-join-wan` + command-line flag](#_retry_join_wan). Takes a list of addresses to attempt joining + to WAN every [`retry_interval_wan`](#_retry_interval_wan) until at least one join + works. + +- + `retry_interval_wan` Equivalent to the [`-retry-interval-wan` + command-line flag](#_retry_interval_wan). + +- + `segment` (Enterprise-only) Equivalent to the [`-segment` + command-line flag](#_segment). + +- + `segments` (Enterprise-only) This is a list of nested objects + that allows setting the bind/advertise information for network segments. This can + only be set on servers. See the [Network Segments Guide](https://learn.hashicorp.com/consul/day-2-operations/network-segments) + for more details. + + - + `name` - The name of the segment. Must be a string + between 1 and 64 characters in length. + - + `bind` - The bind address to use for the segment's + gossip layer. Defaults to the [`-bind`](#_bind) value if not provided. + - + `port` - The port to use for the segment's gossip + layer (required). + - + `advertise` - The advertise address to use for + the segment's gossip layer. Defaults to the [`-advertise`](#_advertise) value + if not provided. + - + `rpc_listener` - If true, a separate RPC + listener will be started on this segment's [`-bind`](#_bind) address on the rpc + port. Only valid if the segment's bind address differs from the [`-bind`](#_bind) + address. Defaults to false. + +- + `server` Equivalent to the [`-server` command-line flag](#_server). + +- + `non_voting_server` - Equivalent to the [`-non-voting-server` + command-line flag](#_non_voting_server). + +- + `server_name` When provided, this overrides the [`node_name`](#_node) + for the TLS certificate. It can be used to ensure that the certificate name matches + the hostname we declare. + +- + `session_ttl_min` + The minimum allowed session TTL. This ensures sessions are not created with TTL's + shorter than the specified limit. It is recommended to keep this limit at or above + the default to encourage clients to send infrequent heartbeats. Defaults to 10s. + +- + `skip_leave_on_interrupt` This is similar + to [`leave_on_terminate`](#leave_on_terminate) but only affects interrupt handling. + When Consul receives an interrupt signal (such as hitting Control-C in a terminal), + Consul will gracefully leave the cluster. Setting this to `true` disables that + behavior. The default behavior for this feature varies based on whether or not + the agent is running as a client or a server (prior to Consul 0.7 the default value + was unconditionally set to `false`). On agents in client-mode, this defaults to + `false` and for agents in server-mode, this defaults to `true` (i.e. Ctrl-C on + a server will keep the server in the cluster and therefore quorum, and Ctrl-C on + a client will gracefully leave). + +- + `start_join` An array of strings specifying addresses + of nodes to [`-join`](#_join) upon startup. Note that using + `retry_join` could be more appropriate to help mitigate + node startup race conditions when automating a Consul cluster deployment. + +- + `start_join_wan` An array of strings specifying addresses + of WAN nodes to [`-join-wan`](#_join_wan) upon startup. + +- + `telemetry` This is a nested object that configures where + Consul sends its runtime telemetry, and contains the following keys: + + - + `circonus_api_token`A valid API + Token used to create/manage check. If provided, metric management is + enabled. + + - + `circonus_api_app`A valid app name + associated with the API token. By default, this is set to "consul". + + - + `circonus_api_url` + The base URL to use for contacting the Circonus API. By default, this is set + to "https://api.circonus.com/v2". + + - + + `circonus_submission_interval` + + The interval at which metrics are submitted to Circonus. By default, this is + set to "10s" (ten seconds). + + - + `circonus_submission_url` + The `check.config.submission_url` field, of a Check API object, from a previously + created HTTPTRAP check. + + - + `circonus_check_id` + The Check ID (not **check bundle**) from a previously created HTTPTRAP check. + The numeric portion of the `check._cid` field in the Check API object. + + - + + `circonus_check_force_metric_activation` + + Force activation of metrics which already exist and are not currently active. + If check management is enabled, the default behavior is to add new metrics as + they are encountered. If the metric already exists in the check, it will **not** + be activated. This setting overrides that behavior. By default, this is set to + false. + + - + + `circonus_check_instance_id` + + Uniquely identifies the metrics coming from this _instance_. It can be used to + maintain metric continuity with transient or ephemeral instances as they move + around within an infrastructure. By default, this is set to hostname:application + name (e.g. "host123:consul"). + + - + + `circonus_check_search_tag` + + A special tag which, when coupled with the instance id, helps to narrow down + the search results when neither a Submission URL or Check ID is provided. By + default, this is set to service:application name (e.g. "service:consul"). + + - + + `circonus_check_display_name` + + Specifies a name to give a check when it is created. This name is displayed in + the Circonus UI Checks list. Available in Consul 0.7.2 and later. + + - + `circonus_check_tags` + Comma separated list of additional tags to add to a check when it is created. + Available in Consul 0.7.2 and later. + + - + `circonus_broker_id` + The ID of a specific Circonus Broker to use when creating a new check. The numeric + portion of `broker._cid` field in a Broker API object. If metric management is + enabled and neither a Submission URL nor Check ID is provided, an attempt will + be made to search for an existing check using Instance ID and Search Tag. If + one is not found, a new HTTPTRAP check will be created. By default, this is not + used and a random Enterprise Broker is selected, or the default Circonus Public + Broker. + + - + + `circonus_broker_select_tag` + + A special tag which will be used to select a Circonus Broker when a Broker ID + is not provided. The best use of this is to as a hint for which broker should + be used based on _where_ this particular instance is running (e.g. a specific + geo location or datacenter, dc:sfo). By default, this is left blank and not used. + + - + `disable_hostname` + This controls whether or not to prepend runtime telemetry with the machine's + hostname, defaults to false. + + - + `dogstatsd_addr` This provides the address + of a DogStatsD instance in the format `host:port`. DogStatsD is a protocol-compatible + flavor of statsd, with the added ability to decorate metrics with tags and event + information. If provided, Consul will send various telemetry information to that + instance for aggregation. This can be used to capture runtime information. + + - + `dogstatsd_tags` This provides a list + of global tags that will be added to all telemetry packets sent to DogStatsD. + It is a list of strings, where each string looks like "my_tag_name:my_tag_value". + + - + `filter_default` + This controls whether to allow metrics that have not been specified by the filter. + Defaults to `true`, which will allow all metrics when no filters are provided. + When set to `false` with no filters, no metrics will be sent. + + - + `metrics_prefix` + The prefix used while writing all telemetry data. By default, this is set to + "consul". This was added in Consul 1.0. For previous versions of Consul, use + the config option `statsite_prefix` in this same structure. This was renamed + in Consul 1.0 since this prefix applied to all telemetry providers, not just + statsite. + + - + `prefix_filter` + This is a list of filter rules to apply for allowing/blocking metrics by prefix + in the following format: + + ```javascript + ;['+consul.raft.apply', '-consul.http', '+consul.http.GET'] + ``` + + A leading "+" will enable any metrics with the given prefix, and a leading "-" will block them. If there + is overlap between two rules, the more specific rule will take precedence. Blocking will take priority if the same + prefix is listed multiple times. + + - + prometheus_retention_time + If the value is greater than `0s` (the default), this enables [Prometheus](https://prometheus.io/) + export of metrics. The duration can be expressed using the duration semantics + and will aggregates all counters for the duration specified (it might have an + impact on Consul's memory usage). A good value for this parameter is at least + 2 times the interval of scrape of Prometheus, but you might also put a very high + retention time such as a few days (for instance 744h to enable retention to 31 + days). Fetching the metrics using prometheus can then be performed using the + [`/v1/agent/metrics?format=prometheus`](/api/agent.html#view-metrics) endpoint. + The format is compatible natively with prometheus. When running in this mode, + it is recommended to also enable the option + `disable_hostname` to avoid having + prefixed metrics with hostname. Consul does not use the default Prometheus path, + so Prometheus must be configured as follows. Note that using ?format=prometheus + in the path won't work as ? will be escaped, so it must be specified as a parameter. + + ```yaml + metrics_path: '/v1/agent/metrics' + params: + format: ['prometheus'] + ``` + + - + `statsd_address` This provides the address + of a statsd instance in the format `host:port`. If provided, Consul will send + various telemetry information to that instance for aggregation. This can be used + to capture runtime information. This sends UDP packets only and can be used with + statsd or statsite. + + - + `statsite_address` This provides the + address of a statsite instance in the format `host:port`. If provided, Consul + will stream various telemetry information to that instance for aggregation. This + can be used to capture runtime information. This streams via TCP and can only + be used with statsite. + +- + `syslog_facility` When [`enable_syslog`](#enable_syslog) + is provided, this controls to which facility messages are sent. By default, `LOCAL0` + will be used. + +- + `tls_min_version` Added in Consul 0.7.4, this specifies + the minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12", + or "tls13". This defaults to "tls12". WARNING: TLS 1.1 and lower are generally + considered less secure; avoid using these if possible. + +- + `tls_cipher_suites` Added in Consul 0.8.2, this + specifies the list of supported ciphersuites as a comma-separated-list. The list + of all supported ciphersuites is available in the [source code](https://github.com/hashicorp/consul/blob/master/tlsutil/config.go#L363). + +- + + `tls_prefer_server_cipher_suites` + Added in Consul 0.8.2, this will cause Consul to prefer the server's ciphersuite + over the client ciphersuites. + +- + `translate_wan_addrs` If set to true, Consul + will prefer a node's configured WAN address + when servicing DNS and HTTP requests for a node in a remote datacenter. This allows + the node to be reached within its own datacenter using its local address, and reached + from other datacenters using its WAN address, which is useful in hybrid setups + with mixed networks. This is disabled by default. + + Starting in Consul 0.7 and later, node addresses in responses to HTTP requests will also prefer a + node's configured WAN address when querying for a node in a remote + datacenter. An [`X-Consul-Translate-Addresses`](/api/index.html#translated-addresses) header + will be present on all responses when translation is enabled to help clients know that the addresses + may be translated. The `TaggedAddresses` field in responses also have a `lan` address for clients that + need knowledge of that address, regardless of translation. + + The following endpoints translate addresses: + + - [`/v1/catalog/nodes`](/api/catalog.html#catalog_nodes) + - [`/v1/catalog/node/`](/api/catalog.html#catalog_node) + - [`/v1/catalog/service/`](/api/catalog.html#catalog_service) + - [`/v1/health/service/`](/api/health.html#health_service) + - [`/v1/query//execute`](/api/query.html#execute) + +- + `ui` - Equivalent to the [`-ui`](#_ui) command-line flag. + +- + `ui_dir` - Equivalent to the [`-ui-dir`](#_ui_dir) command-line + flag. This configuration key is not required as of Consul version 0.7.0 and later. + Specifying this configuration key will enable the web UI. There is no need to specify + both ui-dir and ui. Specifying both will result in an error. + +- + `unix_sockets` - This allows tuning the ownership and + permissions of the Unix domain socket files created by Consul. Domain sockets are + only used if the HTTP address is configured with the `unix://` prefix. + + It is important to note that this option may have different effects on + different operating systems. Linux generally observes socket file permissions + while many BSD variants ignore permissions on the socket file itself. It is + important to test this feature on your specific distribution. This feature is + currently not functional on Windows hosts. + + The following options are valid within this construct and apply globally to all + sockets created by Consul: + + - `user` - The name or ID of the user who will own the socket file. + - `group` - The group ID ownership of the socket file. This option + currently only supports numeric IDs. + - `mode` - The permission bits to set on the file. + +- + `verify_incoming`- If set to true, Consul + requires that all incoming connections make use of TLS and that the client + provides a certificate signed by a Certificate Authority from the + [`ca_file`](#ca_file) or [`ca_path`](#ca_path). This applies to both server + RPC and to the HTTPS API. By default, this is false, and Consul will not + enforce the use of TLS or verify a client's authenticity. Turning on + `verify_incoming` on consul clients protects the HTTPS endpoint, by ensuring + that the certificate that is presented by a 3rd party tool to the HTTPS + endpoint was created by the CA that the consul client was setup with. If the + UI is served, the same checks are performed. + +* + `verify_incoming_rpc` - If set to true, Consul + requires that all incoming RPC connections make use of TLS and that the client + provides a certificate signed by a Certificate Authority from the [`ca_file`](#ca_file) + or [`ca_path`](#ca_path). By default, this is false, and Consul will not enforce + the use of TLS or verify a client's authenticity. + +* + `verify_incoming_https` - If set to true, + Consul requires that all incoming HTTPS connections make use of TLS and that the + client provides a certificate signed by a Certificate Authority from the [`ca_file`](#ca_file) + or [`ca_path`](#ca_path). By default, this is false, and Consul will not enforce + the use of TLS or verify a client's authenticity. To enable the HTTPS API, you + must define an HTTPS port via the [`ports`](#ports) configuration. By default, + HTTPS is disabled. + +* + `verify_outgoing` - If set to true, Consul requires + that all outgoing connections from this agent make use of TLS and that the server + provides a certificate that is signed by a Certificate Authority from the [`ca_file`](#ca_file) + or [`ca_path`](#ca_path). By default, this is false, and Consul will not make use + of TLS for outgoing connections. This applies to clients and servers as both will + make outgoing connections. + + ~> **Security Note:** Note that servers that specify `verify_outgoing = true` will always talk to other servers over TLS, but they still _accept_ + non-TLS connections to allow for a transition of all clients to TLS. + Currently the only way to enforce that no client can communicate with a + server unencrypted is to also enable `verify_incoming` which requires client + certificates too. + +* `verify_server_hostname` - If set to true, + Consul verifies for all outgoing TLS connections that the TLS certificate + presented by the servers matches `server..` + hostname. By default, this is false, and Consul does not verify the hostname + of the certificate, only that it is signed by a trusted CA. This setting is + _critical_ to prevent a compromised client from being restarted as a server + and having all cluster state _including all ACL tokens and Connect CA root keys_ + replicated to it. This is new in 0.5.1. + + ~> **Security Note:** From versions 0.5.1 to 1.4.0, due to a bug, setting + this flag alone _does not_ imply `verify_outgoing` and leaves client to server + and server to server RPCs unencrypted despite the documentation stating otherwise. See + [CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) + for more details. For those versions you **must also set `verify_outgoing = true`** to ensure encrypted RPC connections. + +* `watches` - Watches is a list of watch specifications which + allow an external process to be automatically invoked when a particular data view + is updated. See the [watch documentation](/docs/agent/watches.html) for more detail. + Watches can be modified when the configuration is reloaded. + +## Ports Used + +Consul requires up to 6 different ports to work properly, some on +TCP, UDP, or both protocols. + +Review the [required ports](/docs/install/ports.html) table for a list of +required ports and their default settings. + +## Reloadable Configuration + +Reloading configuration does not reload all configuration items. The +items which are reloaded include: + +- Log level +- Checks +- Services +- Watches +- HTTP Client Address +- TLS Configuration + - Please be aware that this is currently limited to reload a configuration that is already TLS enabled. You cannot enable or disable TLS only with reloading. +- [Node Metadata](#node_meta) +- [Metric Prefix Filter](#telemetry-prefix_filter) +- [Discard Check Output](#discard_check_output) +- [RPC rate limiting](#limits) diff --git a/website/pages/docs/agent/rpc.html.md b/website/pages/docs/agent/rpc.mdx similarity index 95% rename from website/pages/docs/agent/rpc.html.md rename to website/pages/docs/agent/rpc.mdx index ae145c8b14..7cb49e6c60 100644 --- a/website/pages/docs/agent/rpc.html.md +++ b/website/pages/docs/agent/rpc.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'RPC' -sidebar_current: 'docs-agent-rpc' -description: |- - The Consul agent provides a complete RPC mechanism that can be used to control the agent programmatically. This RPC mechanism is the same one used by the CLI but can be used by other applications to easily leverage the power of Consul without directly embedding. +layout: docs +page_title: RPC +sidebar_current: docs-agent-rpc +description: >- + The Consul agent provides a complete RPC mechanism that can be used to control + the agent programmatically. This RPC mechanism is the same one used by the CLI + but can be used by other applications to easily leverage the power of Consul + without directly embedding. --- # RPC Protocol diff --git a/website/pages/docs/agent/sentinel.html.markdown.erb b/website/pages/docs/agent/sentinel.mdx similarity index 66% rename from website/pages/docs/agent/sentinel.html.markdown.erb rename to website/pages/docs/agent/sentinel.mdx index 6d0edb71b4..1017d0b990 100644 --- a/website/pages/docs/agent/sentinel.html.markdown.erb +++ b/website/pages/docs/agent/sentinel.mdx @@ -1,20 +1,24 @@ --- -layout: "docs" -page_title: "Sentinel in Consul" -sidebar_current: "docs-agent-sentinel" -description: |- - Consul Enterprise uses Sentinel to augment the built-in ACL system to provide advanced policy enforcement. Sentinel policies can currently execute on KV modify and service registration. +layout: docs +page_title: Sentinel in Consul +sidebar_current: docs-agent-sentinel +description: >- + Consul Enterprise uses Sentinel to augment the built-in ACL system to provide + advanced policy enforcement. Sentinel policies can currently execute on KV + modify and service registration. --- # Sentinel Overview -[//]: # ( ~> The Sentinel functionality described here is available only in ) -[//]: # ( [Consul Enterprise](https://www.hashicorp.com/products/consul/) version 1.0.0 and later. ) + +[//]: # ' ~> The Sentinel functionality described here is available only in ' + +[//]: # ( [Consul Enterprise](https://www.hashicorp.com/products/consul/) version 1.0.0 and later. ) <%= enterprise_alert :consul %> - Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement. - Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny" - policies to support full conditional logic and integration with external systems. +Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement. +Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny" +policies to support full conditional logic and integration with external systems. ## Sentinel in Consul @@ -47,18 +51,17 @@ Consul passes some context as variables into Sentinel, which are available to us #### Variables injected during KV store writes -| Variable Name | Type | Description | -| ------------- | -------- | ----------- | -| `key` | `string` | Key being written | -| `value` | `string` | Value being written | +| Variable Name | Type | Description | +| ------------- | -------- | --------------------------- | +| `key` | `string` | Key being written | +| `value` | `string` | Value being written | | `flags` | `uint64` | [Flags](/api/kv.html#flags) | - ## Sentinel Examples The following are two examples of ACL policies with Sentinel rules. -### Required Key Suffix +### Required Key Suffix Any values stored under the key prefix "dc1" must end with "dev" diff --git a/website/pages/docs/agent/services.html.md b/website/pages/docs/agent/services.mdx similarity index 96% rename from website/pages/docs/agent/services.html.md rename to website/pages/docs/agent/services.mdx index 2d375fb578..378ab9c7e5 100644 --- a/website/pages/docs/agent/services.html.md +++ b/website/pages/docs/agent/services.mdx @@ -1,9 +1,14 @@ --- -layout: 'docs' -page_title: 'Service Definition' -sidebar_current: 'docs-agent-services' -description: |- - One of the main goals of service discovery is to provide a catalog of available services. To that end, the agent provides a simple service definition format to declare the availability of a service and to potentially associate it with a health check. A health check is considered to be application level if it is associated with a service. A service is defined in a configuration file or added at runtime over the HTTP interface. +layout: docs +page_title: Service Definition +sidebar_current: docs-agent-services +description: >- + One of the main goals of service discovery is to provide a catalog of + available services. To that end, the agent provides a simple service + definition format to declare the availability of a service and to potentially + associate it with a health check. A health check is considered to be + application level if it is associated with a service. A service is defined in + a configuration file or added at runtime over the HTTP interface. --- # Services diff --git a/website/pages/docs/agent/telemetry.html.md b/website/pages/docs/agent/telemetry.html.md deleted file mode 100644 index 9edcc974b6..0000000000 --- a/website/pages/docs/agent/telemetry.html.md +++ /dev/null @@ -1,1115 +0,0 @@ ---- -layout: 'docs' -page_title: 'Telemetry' -sidebar_current: 'docs-agent-telemetry' -description: |- - The Consul agent collects various runtime metrics about the performance of different libraries and subsystems. These metrics are aggregated on a ten second interval and are retained for one minute. ---- - -# Telemetry - -The Consul agent collects various runtime metrics about the performance of -different libraries and subsystems. These metrics are aggregated on a ten -second interval and are retained for one minute. - -To view this data, you must send a signal to the Consul process: on Unix, -this is `USR1` while on Windows it is `BREAK`. Once Consul receives the signal, -it will dump the current telemetry information to the agent's `stderr`. - -This telemetry information can be used for debugging or otherwise -getting a better view of what Consul is doing. Review the [Monitoring and -Metrics guide](https://learn.hashicorp.com/consul/day-2-operations/monitoring?utm_source=consul.io&utm_medium=docs) to learn how collect and interpret Consul data. - -Additionally, if the [`telemetry` configuration options](/docs/agent/options.html#telemetry) -are provided, the telemetry information will be streamed to a -[statsite](http://github.com/armon/statsite) or [statsd](http://github.com/etsy/statsd) server where -it can be aggregated and flushed to Graphite or any other metrics store. -For a configuration example for Telegraf, review the [Monitoring with Telegraf guide](https://learn.hashicorp.com/consul/integrations/telegraf?utm_source=consul.io&utm_medium=docs). - -This -information can also be viewed with the [metrics endpoint](/api/agent.html#view-metrics) in JSON -format or using [Prometheus](https://prometheus.io/) format. - -Below is sample output of a telemetry dump: - -```text -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.num_goroutines': 19.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.alloc_bytes': 755960.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.malloc_count': 7550.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.free_count': 4387.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.heap_objects': 3163.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.total_gc_pause_ns': 1151002.000 -[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.total_gc_runs': 4.000 -[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.agent.ipc.accept': Count: 5 Sum: 5.000 -[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.agent.ipc.command': Count: 10 Sum: 10.000 -[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events': Count: 5 Sum: 5.000 -[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events.foo': Count: 4 Sum: 4.000 -[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events.baz': Count: 1 Sum: 1.000 -[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.memberlist.gossip': Count: 50 Min: 0.007 Mean: 0.020 Max: 0.041 Stddev: 0.007 Sum: 0.989 -[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.serf.queue.Intent': Count: 10 Sum: 0.000 -[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.serf.queue.Event': Count: 10 Min: 0.000 Mean: 2.500 Max: 5.000 Stddev: 2.121 Sum: 25.000 -``` - -# Key Metrics - -These are some metrics emitted that can help you understand the health of your cluster at a glance. For a full list of metrics emitted by Consul, see [Metrics Reference](#metrics-reference) - -### Transaction timing - -| Metric Name | Description | -| :----------------------- | :----------------------------------------------------------------------------------- | -| `consul.kvs.apply` | This measures the time it takes to complete an update to the KV store. | -| `consul.txn.apply` | This measures the time spent applying a transaction operation. | -| `consul.raft.apply` | This counts the number of Raft transactions occurring over the interval. | -| `consul.raft.commitTime` | This measures the time it takes to commit a new entry to the Raft log on the leader. | - -**Why they're important:** Taken together, these metrics indicate how long it takes to complete write operations in various parts of the Consul cluster. Generally these should all be fairly consistent and no more than a few milliseconds. Sudden changes in any of the timing values could be due to unexpected load on the Consul servers, or due to problems on the servers themselves. - -**What to look for:** Deviations (in any of these metrics) of more than 50% from baseline over the previous hour. - -### Leadership changes - -| Metric Name | Description | -| :------------------------------- | :------------------------------------------------------------------------------------------------------------- | -| `consul.raft.leader.lastContact` | Measures the time since the leader was last able to contact the follower nodes when checking its leader lease. | -| `consul.raft.state.candidate` | This increments whenever a Consul server starts an election. | -| `consul.raft.state.leader` | This increments whenever a Consul server becomes a leader. | - -**Why they're important:** Normally, your Consul cluster should have a stable leader. If there are frequent elections or leadership changes, it would likely indicate network issues between the Consul servers, or that the Consul servers themselves are unable to keep up with the load. - -**What to look for:** For a healthy cluster, you're looking for a `lastContact` lower than 200ms, `leader` > 0 and `candidate` == 0. Deviations from this might indicate flapping leadership. - -### Autopilot - -| Metric Name | Description | -| :------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `consul.autopilot.healthy` | This tracks the overall health of the local server cluster. If all servers are considered healthy by Autopilot, this will be set to 1. If any are unhealthy, this will be 0. | - -**Why it's important:** Obviously, you want your cluster to be healthy. - -**What to look for:** Alert if `healthy` is 0. - -### Memory usage - -| Metric Name | Description | -| :--------------------------- | :----------------------------------------------------------------- | -| `consul.runtime.alloc_bytes` | This measures the number of bytes allocated by the Consul process. | -| `consul.runtime.sys_bytes` | This is the total number of bytes of memory obtained from the OS. | - -**Why they're important:** Consul keeps all of its data in memory. If Consul consumes all available memory, it will crash. - -**What to look for:** If `consul.runtime.sys_bytes` exceeds 90% of total available system memory. - -### Garbage collection - -| Metric Name | Description | -| :--------------------------------- | :---------------------------------------------------------------------------------------------------- | -| `consul.runtime.total_gc_pause_ns` | Number of nanoseconds consumed by stop-the-world garbage collection (GC) pauses since Consul started. | - -**Why it's important:** GC pause is a "stop-the-world" event, meaning that all runtime threads are blocked until GC completes. Normally these pauses last only a few nanoseconds. But if memory usage is high, the Go runtime may GC so frequently that it starts to slow down Consul. - -**What to look for:** Warning if `total_gc_pause_ns` exceeds 2 seconds/minute, critical if it exceeds 5 seconds/minute. - -**NOTE:** `total_gc_pause_ns` is a cumulative counter, so in order to calculate rates (such as GC/minute), -you will need to apply a function such as InfluxDB's [`non_negative_difference()`](https://docs.influxdata.com/influxdb/v1.5/query_language/functions/#non-negative-difference). - -### Network activity - RPC Count - -| Metric Name | Description | -| :--------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `consul.client.rpc` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server | -| `consul.client.rpc.exceeded` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/docs/agent/options.html#limits) configuration. | -| `consul.client.rpc.failed` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server and fails. | - -**Why they're important:** These measurements indicate the current load created from a Consul agent, including when the load becomes high enough to be rate limited. A high RPC count, especially from `consul.client.rpcexceeded` meaning that the requests are being rate-limited, could imply a misconfigured Consul agent. - -**What to look for:** -Sudden large changes to the `consul.client.rpc` metrics (greater than 50% deviation from baseline). -`consul.client.rpc.exceeded` or `consul.client.rpc.failed` count > 0, as it implies that an agent is being rate-limited or fails to make an RPC request to a Consul server - -When telemetry is being streamed to an external metrics store, the interval is defined to -be that store's flush interval. Otherwise, the interval can be assumed to be 10 seconds -when retrieving metrics from the built-in store using the above described signals. - -## Metrics Reference - -This is a full list of metrics emitted by Consul. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MetricDescriptionUnitType
`consul.acl.blocked.service.registration`This increments whenever a deregistration fails for a service (blocked by an ACL)requestscounter
`consul.acl.blocked..registration`This increments whenever a registration fails for an entity (check, node or service) is blocked by an ACLrequestscounter
`consul.client.rpc`This increments whenever a Consul agent in client mode makes an RPC request to a Consul server. This gives a measure of how much a given agent is loading the Consul servers. Currently, this is only generated by agents in client mode, not Consul servers.requestscounter
`consul.client.rpc.exceeded`This increments whenever a Consul agent in client mode makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/docs/agent/options.html#limits) configuration. This gives an indication that there's an abusive application making too many requests on the agent, or that the rate limit needs to be increased. Currently, this only applies to agents in client mode, not Consul servers.rejected requestscounter
`consul.client.rpc.failed`This increments whenever a Consul agent in client mode makes an RPC request to a Consul server and fails.requestscounter
`consul.client.api.catalog_register.`This increments whenever a Consul agent receives a catalog register request.requestscounter
`consul.client.api.success.catalog_register.`This increments whenever a Consul agent successfully responds to a catalog register request.requestscounter
`consul.client.rpc.error.catalog_register.`This increments whenever a Consul agent receives an RPC error for a catalog register request.errorscounter
`consul.client.api.catalog_deregister.`This increments whenever a Consul agent receives a catalog de-register request.requestscounter
`consul.client.api.success.catalog_deregister.`This increments whenever a Consul agent successfully responds to a catalog de-register request.requestscounter
`consul.client.rpc.error.catalog_deregister.`This increments whenever a Consul agent receives an RPC error for a catalog de-register request.errorscounter
`consul.client.api.catalog_datacenters.`This increments whenever a Consul agent receives a request to list datacenters in the catalog.requestscounter
`consul.client.api.success.catalog_datacenters.`This increments whenever a Consul agent successfully responds to a request to list datacenters.requestscounter
`consul.client.rpc.error.catalog_datacenters.`This increments whenever a Consul agent receives an RPC error for a request to list datacenters.errorscounter
`consul.client.api.catalog_nodes.`This increments whenever a Consul agent receives a request to list nodes from the catalog.requestscounter
`consul.client.api.success.catalog_nodes.`This increments whenever a Consul agent successfully responds to a request to list nodes.requestscounter
`consul.client.rpc.error.catalog_nodes.`This increments whenever a Consul agent receives an RPC error for a request to list nodes.errorscounter
`consul.client.api.catalog_services.`This increments whenever a Consul agent receives a request to list services from the catalog.requestscounter
`consul.client.api.success.catalog_services.`This increments whenever a Consul agent successfully responds to a request to list services.requestscounter
`consul.client.rpc.error.catalog_services.`This increments whenever a Consul agent receives an RPC error for a request to list services.errorscounter
`consul.client.api.catalog_service_nodes.`This increments whenever a Consul agent receives a request to list nodes offering a service.requestscounter
`consul.client.api.success.catalog_service_nodes.`This increments whenever a Consul agent successfully responds to a request to list nodes offering a service.requestscounter
`consul.client.rpc.error.catalog_service_nodes.`This increments whenever a Consul agent receives an RPC error for a request to list nodes offering a service.errorscounter
`consul.client.api.catalog_node_services.`This increments whenever a Consul agent receives a request to list services registered in a node.requestscounter
`consul.client.api.success.catalog_node_services.`This increments whenever a Consul agent successfully responds to a request to list services in a service.requestscounter
`consul.client.rpc.error.catalog_node_services.`This increments whenever a Consul agent receives an RPC error for a request to list services in a service.errorscounter
`consul.runtime.num_goroutines`This tracks the number of running goroutines and is a general load pressure indicator. This may burst from time to time but should return to a steady state value.number of goroutinesgauge
`consul.runtime.alloc_bytes`This measures the number of bytes allocated by the Consul process. This may burst from time to time but should return to a steady state value.bytesgauge
`consul.runtime.heap_objects`This measures the number of objects allocated on the heap and is a general memory pressure indicator. This may burst from time to time but should return to a steady state value.number of objectsgauge
`consul.acl.cache_hit`The number of ACL cache hits.hitscounter
`consul.acl.cache_miss`The number of ACL cache misses.missescounter
`consul.acl.replication_hit`The number of ACL replication cache hits (when not running in the ACL datacenter).hitscounter
`consul.dns.stale_queries`This increments when an agent serves a query within the allowed stale threshold.queriescounter
`consul.dns.ptr_query.`This measures the time spent handling a reverse DNS query for the given node.mstimer
`consul.dns.domain_query.`This measures the time spent handling a domain query for the given node.mstimer
`consul.http..`This tracks how long it takes to service the given HTTP request for the given verb and path. Paths do not include details like service or key names, for these an underscore will be present as a placeholder (eg. `consul.http.GET.v1.kv._`)mstimer
- -## Server Health - -These metrics are used to monitor the health of the Consul servers. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MetricDescriptionUnitType
`consul.raft.fsm.snapshot`This metric measures the time taken by the FSM to record the current state for the snapshot.mstimer
`consul.raft.fsm.apply`This metric gives the number of logs committed since the last interval. commit logs / intervalcounter
`consul.raft.commitNumLogs`This metric measures the count of logs processed for application to the FSM in a single batch.logsgauge
`consul.raft.fsm.enqueue`This metric measures the amount of time to enqueue a batch of logs for the FSM to apply.mstimer
`consul.raft.fsm.restore`This metric measures the time taken by the FSM to restore its state from a snapshot.mstimer
`consul.raft.snapshot.create`This metric measures the time taken to initialize the snapshot process.mstimer
`consul.raft.snapshot.persist`This metric measures the time taken to dump the current snapshot taken by the Consul agent to the disk.mstimer
`consul.raft.snapshot.takeSnapshot`This metric measures the total time involved in taking the current snapshot (creating one and persisting it) by the Consul agent.mstimer
`consul.raft.replication.heartbeat`This metric measures the time taken to invoke appendEntries on a peer, so that it doesn’t timeout on a periodic basis.mstimer
`consul.serf.snapshot.appendLine`This metric measures the time taken by the Consul agent to append an entry into the existing log.mstimer
`consul.serf.snapshot.compact`This metric measures the time taken by the Consul agent to compact a log. This operation occurs only when the snapshot becomes large enough to justify the compaction .mstimer
`consul.raft.state.leader`This increments whenever a Consul server becomes a leader. If there are frequent leadership changes this may be indication that the servers are overloaded and aren't meeting the soft real-time requirements for Raft, or that there are networking problems between the servers.leadership transitions / intervalcounter
`consul.raft.state.candidate`This increments whenever a Consul server starts an election. If this increments without a leadership change occurring it could indicate that a single server is overloaded or is experiencing network connectivity issues.election attempts / intervalcounter
`consul.raft.apply`This counts the number of Raft transactions occurring over the interval, which is a general indicator of the write load on the Consul servers.raft transactions / intervalcounter
`consul.raft.barrier`This metric counts the number of times the agent has started the barrier i.e the number of times it has - issued a blocking call, to ensure that the agent has all the pending operations that were queued, to be applied to the agent's FSM.blocks / intervalcounter
`consul.raft.verify_leader`This metric counts the number of times an agent checks whether it is still the leader or notchecks / intervalCounter
`consul.raft.restore`This metric counts the number of times the restore operation has been performed by the agent. Here, restore refers to the action of raft consuming an external snapshot to restore its state.operation invoked / intervalcounter
`consul.raft.commitTime`This measures the time it takes to commit a new entry to the Raft log on the leader.mstimer
`consul.raft.leader.dispatchLog`This measures the time it takes for the leader to write log entries to disk.mstimer
`consul.raft.leader.dispatchNumLogs`This metric measures the number of logs committed to disk in a batch.logsgauge
`consul.raft.replication.appendEntries`This measures the time it takes to replicate log entries to followers. This is a general indicator of the load pressure on the Consul servers, as well as the performance of the communication between the servers.mstimer
`consul.raft.state.follower`This metric counts the number of times an agent has entered the follower mode. This happens when a new agent joins the cluster or after the end of a leader election. follower state entered / intervalcounter
`consul.raft.transistion.heartbeat_timeout`This metric gives the number of times an agent has transitioned to the Candidate state, after receive no heartbeat messages from the last known leader.timeouts / intervalcounter
`consul.raft.restoreUserSnapshot`This metric measures the time taken by the agent to restore the FSM state from a user's snapshotmstimer
`consul.raft.rpc.processHeartBeat`This metric measures the time taken to process a heartbeat request.mstimer
`consul.raft.rpc.appendEntries`This metric measures the time taken to process an append entries RPC call from an agent.mstimer
`consul.raft.rpc.appendEntries.storeLogs`This metric measures the time taken to add any outstanding logs for an agent, since the last appendEntries was invokedmstimer
`consul.raft.rpc.appendEntries.processLogs`This metric measures the time taken to process the outstanding log entries of an agent.mstimer
`consul.raft.rpc.requestVote`This metric measures the time taken to process the request vote RPC call.mstimer
`consul.raft.rpc.installSnapshot`This metric measures the time taken to process the installSnapshot RPC call. This metric should only be seen on agents which are currently in the follower state.mstimer
`consul.raft.replication.appendEntries.rpc`This metric measures the time taken by the append entries RFC, to replicate the log entries of a leader agent onto its follower agent(s)mstimer
`consul.raft.replication.appendEntries.logs`This metric measures the number of logs replicated to an agent, to bring it up to speed with the leader's logs.logs appended/ intervalcounter
`consul.raft.leader.lastContact`This will only be emitted by the Raft leader and measures the time since the leader was last able to contact the follower nodes when checking its leader lease. It can be used as a measure for how stable the Raft timing is and how close the leader is to timing out its lease.

The lease timeout is 500 ms times the [`raft_multiplier` configuration](/docs/agent/options.html#raft_multiplier), so this telemetry value should not be getting close to that configured value, otherwise the Raft timing is marginal and might need to be tuned, or more powerful servers might be needed. See the [Server Performance](/docs/install/performance.html) guide for more details.
mstimer
`consul.acl.apply`This measures the time it takes to complete an update to the ACL store.mstimer
`consul.acl.fault`This measures the time it takes to fault in the rules for an ACL during a cache miss.mstimer
`consul.acl.fetchRemoteACLs`This measures the time it takes to fetch remote ACLs during replication.mstimer
`consul.acl.updateLocalACLs`This measures the time it takes to apply replication changes to the local ACL store.mstimer
`consul.acl.replicateACLs`This measures the time it takes to do one pass of the ACL replication algorithm.mstimer
`consul.acl.resolveToken`This measures the time it takes to resolve an ACL token.mstimer
`consul.rpc.accept_conn`This increments when a server accepts an RPC connection.connectionscounter
`consul.catalog.register`This measures the time it takes to complete a catalog register operation.mstimer
`consul.catalog.deregister`This measures the time it takes to complete a catalog deregister operation.mstimer
`consul.fsm.register`This measures the time it takes to apply a catalog register operation to the FSM.mstimer
`consul.fsm.deregister`This measures the time it takes to apply a catalog deregister operation to the FSM.mstimer
`consul.fsm.acl.`This measures the time it takes to apply the given ACL operation to the FSM.mstimer
`consul.fsm.session.`This measures the time it takes to apply the given session operation to the FSM.mstimer
`consul.fsm.kvs.`This measures the time it takes to apply the given KV operation to the FSM.mstimer
`consul.fsm.tombstone.`This measures the time it takes to apply the given tombstone operation to the FSM.mstimer
`consul.fsm.coordinate.batch-update`This measures the time it takes to apply the given batch coordinate update to the FSM.mstimer
`consul.fsm.prepared-query.`This measures the time it takes to apply the given prepared query update operation to the FSM.mstimer
`consul.fsm.txn`This measures the time it takes to apply the given transaction update to the FSM.mstimer
`consul.fsm.autopilot`This measures the time it takes to apply the given autopilot update to the FSM.mstimer
`consul.fsm.persist`This measures the time it takes to persist the FSM to a raft snapshot.mstimer
`consul.kvs.apply`This measures the time it takes to complete an update to the KV store.mstimer
`consul.leader.barrier`This measures the time spent waiting for the raft barrier upon gaining leadership.mstimer
`consul.leader.reconcile`This measures the time spent updating the raft store from the serf member information.mstimer
`consul.leader.reconcileMember`This measures the time spent updating the raft store for a single serf member's information.mstimer
`consul.leader.reapTombstones`This measures the time spent clearing tombstones.mstimer
`consul.prepared-query.apply`This measures the time it takes to apply a prepared query update.mstimer
`consul.prepared-query.explain`This measures the time it takes to process a prepared query explain request.mstimer
`consul.prepared-query.execute`This measures the time it takes to process a prepared query execute request.mstimer
`consul.prepared-query.execute_remote`This measures the time it takes to process a prepared query execute request that was forwarded to another datacenter.mstimer
`consul.rpc.raft_handoff`This increments when a server accepts a Raft-related RPC connection.connectionscounter
`consul.rpc.request_error`This increments when a server returns an error from an RPC request.errorscounter
`consul.rpc.request`This increments when a server receives a Consul-related RPC request.requestscounter
`consul.rpc.query`This increments when a server receives a new blocking RPC request, indicating the rate of new blocking query calls. See consul.rpc.queries_blocking for the current number of in-flight blocking RPC calls. This metric changed in 1.7.0 to only increment on the the start of a query. The rate of queries will appear lower, but is more accurate.queriescounter
`consul.rpc.queries_blocking`This shows the current number of in-flight blocking queries the server is handling.queriesgauge
`consul.rpc.cross-dc`This increments when a server sends a (potentially blocking) cross datacenter RPC query.queriescounter
`consul.rpc.consistentRead`This measures the time spent confirming that a consistent read can be performed.mstimer
`consul.session.apply`This measures the time spent applying a session update.mstimer
`consul.session.renew`This measures the time spent renewing a session.mstimer
`consul.session_ttl.invalidate`This measures the time spent invalidating an expired session.mstimer
`consul.txn.apply`This measures the time spent applying a transaction operation.mstimer
`consul.txn.read`This measures the time spent returning a read transaction.mstimer
- -## Cluster Health - -These metrics give insight into the health of the cluster as a whole. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MetricDescriptionUnitType
`consul.memberlist.degraded.probe`This metric counts the number of times the agent has performed failure detection on another agent at a slower probe rate. The agent uses its own health metric as an indicator to perform this action. (If its health score is low, means that the node is healthy, and vice versa.)probes / intervalcounter
`consul.memberlist.degraded.timeout`This metric counts the number of times an agent was marked as a dead node, whilst not getting enough confirmations from a randomly selected list of agent nodes in an agent's membership.occurrence / intervalcounter
`consul.memberlist.msg.dead`This metric counts the number of times an agent has marked another agent to be a dead node.messages / intervalcounter
`consul.memberlist.health.score`This metric describes a node's perception of its own health based on how well it is meeting the soft real-time requirements of the protocol. This metric ranges from 0 to 8, where 0 indicates "totally healthy". This health score is used to scale the time between outgoing probes, and higher scores translate into longer probing intervals. For more details see section IV of the Lifeguard paper: https://arxiv.org/pdf/1707.00788.pdfscoregauge
`consul.memberlist.msg.suspect`This increments when an agent suspects another as failed when executing random probes as part of the gossip protocol. These can be an indicator of overloaded agents, network problems, or configuration errors where agents can not connect to each other on the [required ports](/docs/agent/options.html#ports).suspect messages received / intervalcounter
`consul.memberlist.tcp.accept`This metric counts the number of times an agent has accepted an incoming TCP stream connection.connections accepted / intervalcounter
`consul.memberlist.udp.sent/received`This metric measures the total number of bytes sent/received by an agent through the UDP protocol.bytes sent or bytes received / intervalcounter
`consul.memberlist.tcp.connect`This metric counts the number of times an agent has initiated a push/pull sync with an other agent.push/pull initiated / intervalcounter
`consul.memberlist.tcp.sent`This metric measures the total number of bytes sent by an agent through the TCP protocolbytes sent / intervalcounter
`consul.memberlist.gossip`This metric gives the number of gossips (messages) broadcasted to a set of randomly selected nodes.messages / Intervalcounter
`consul.memberlist.msg_alive`This metric counts the number of alive agents, that the agent has mapped out so far, based on the message information given by the network layer.nodes / Intervalcounter
`consul.memberlist.msg_dead`This metric gives the number of dead agents, that the agent has mapped out so far, based on the message information given by the network layer.nodes / Intervalcounter
`consul.memberlist.msg_suspect`This metric gives the number of suspect nodes, that the agent has mapped out so far, based on the message information given by the network layer.nodes / Intervalcounter
`consul.memberlist.probeNode`This metric measures the time taken to perform a single round of failure detection on a select agent.nodes / Intervalcounter
`consul.memberlist.pushPullNode`This metric measures the number of agents that have exchanged state with this agent.nodes / Intervalcounter
`consul.serf.member.failed`This increments when an agent is marked dead. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/docs/agent/options.html#ports).failures / intervalcounter
`consul.serf.member.flap`Available in Consul 0.7 and later, this increments when an agent is marked dead and then recovers within a short time period. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/docs/agent/options.html#ports).flaps / intervalcounter
`consul.serf.member.join`This increments when an agent joins the cluster. If an agent flapped or failed this counter also increments when it re-joins.joins / intervalcounter
`consul.serf.member.left`This increments when an agent leaves the cluster.leaves / intervalcounter
`consul.serf.events`This increments when an agent processes an [event](/docs/commands/event.html). Consul uses events internally so there may be additional events showing in telemetry. There are also a per-event counters emitted as `consul.serf.events.`.events / intervalcounter
`consul.autopilot.failure_tolerance`This tracks the number of voting servers that the cluster can lose while continuing to function.serversgauge
`consul.autopilot.healthy`This tracks the overall health of the local server cluster. If all servers are considered healthy by Autopilot, this will be set to 1. If any are unhealthy, this will be 0.booleangauge
`consul.session_ttl.active`This tracks the active number of sessions being tracked.sessionsgauge
`consul.catalog.service.query.`This increments for each catalog query for the given service.queriescounter
`consul.catalog.service.query-tag..`This increments for each catalog query for the given service with the given tag.queriescounter
`consul.catalog.service.query-tags..`This increments for each catalog query for the given service with the given tags.queriescounter
`consul.catalog.service.not-found.`This increments for each catalog query where the given service could not be found.queriescounter
`consul.health.service.query.`This increments for each health query for the given service.queriescounter
`consul.health.service.query-tag..`This increments for each health query for the given service with the given tag.queriescounter
`consul.health.service.query-tags..`This increments for each health query for the given service with the given tags.queriescounter
`consul.health.service.not-found.`This increments for each health query where the given service could not be found.queriescounter
- -## Connect Built-in Proxy Metrics - -Consul Connect's built-in proxy is by default configured to log metrics to the -same sink as the agent that starts it. - -When running in this mode it emits some basic metrics. These will be expanded -upon in the future. - -All metrics are prefixed with `consul.proxy.` to distinguish -between multiple proxies on a given host. The table below use `web` as an -example service name for brevity. - -### Labels - -Most labels have a `dst` label and some have a `src` label. When using metrics -sinks and timeseries stores that support labels or tags, these allow aggregating -the connections by service name. - -Assuming all services are using a managed built-in proxy, you can get a complete -overview of both number of open connections and bytes sent and received between -all services by aggregating over these metrics. - -For example aggregating over all `upstream` (i.e. outbound) connections which -have both `src` and `dst` labels, you can get a sum of all the bandwidth in and -out of a given service or the total number of connections between two services. - -### Metrics Reference - -The standard go runtime metrics are exported by `go-metrics` as with Consul -agent. The table below describes the additional metrics exported by the proxy. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MetricDescriptionUnitType
`consul.proxy.web.runtime.*`The same go runtime metrics as documented for the agent above.mixedmixed
`consul.proxy.web.inbound.conns`Shows the current number of connections open from inbound requests to - the proxy. Where supported a `dst` label is added indicating the - service name the proxy represents.connectionsgauge
`consul.proxy.web.inbound.rx_bytes`This increments by the number of bytes received from an inbound client - connection. Where supported a `dst` label is added indicating the - service name the proxy represents.bytescounter
`consul.proxy.web.inbound.tx_bytes`This increments by the number of bytes transferred to an inbound client - connection. Where supported a `dst` label is added indicating the - service name the proxy represents.bytescounter
`consul.proxy.web.upstream.conns`Shows the current number of connections open from a proxy instance to an - upstream. Where supported a `src` label is added indicating the - service name the proxy represents, and a `dst` label is added indicating the - service name the upstream is connecting to.connectionsgauge
`consul.proxy.web.inbound.rx_bytes`This increments by the number of bytes received from an upstream - connection. Where supported a `src` label is added indicating the - service name the proxy represents, and a `dst` label is added indicating the - service name the upstream is connecting to.bytescounter
`consul.proxy.web.inbound.tx_bytes`This increments by the number of bytes transferred to an upstream - connection. Where supported a `src` label is added indicating the - service name the proxy represents, and a `dst` label is added indicating the - service name the upstream is connecting to.bytescounter
diff --git a/website/pages/docs/agent/telemetry.mdx b/website/pages/docs/agent/telemetry.mdx new file mode 100644 index 0000000000..10a88735b8 --- /dev/null +++ b/website/pages/docs/agent/telemetry.mdx @@ -0,0 +1,338 @@ +--- +layout: docs +page_title: Telemetry +sidebar_current: docs-agent-telemetry +description: >- + The Consul agent collects various runtime metrics about the performance of + different libraries and subsystems. These metrics are aggregated on a ten + second interval and are retained for one minute. +--- + +# Telemetry + +The Consul agent collects various runtime metrics about the performance of +different libraries and subsystems. These metrics are aggregated on a ten +second interval and are retained for one minute. + +To view this data, you must send a signal to the Consul process: on Unix, +this is `USR1` while on Windows it is `BREAK`. Once Consul receives the signal, +it will dump the current telemetry information to the agent's `stderr`. + +This telemetry information can be used for debugging or otherwise +getting a better view of what Consul is doing. Review the [Monitoring and +Metrics guide](https://learn.hashicorp.com/consul/day-2-operations/monitoring?utm_source=consul.io&utm_medium=docs) to learn how collect and interpret Consul data. + +Additionally, if the [`telemetry` configuration options](/docs/agent/options.html#telemetry) +are provided, the telemetry information will be streamed to a +[statsite](http://github.com/armon/statsite) or [statsd](http://github.com/etsy/statsd) server where +it can be aggregated and flushed to Graphite or any other metrics store. +For a configuration example for Telegraf, review the [Monitoring with Telegraf guide](https://learn.hashicorp.com/consul/integrations/telegraf?utm_source=consul.io&utm_medium=docs). + +This +information can also be viewed with the [metrics endpoint](/api/agent.html#view-metrics) in JSON +format or using [Prometheus](https://prometheus.io/) format. + +Below is sample output of a telemetry dump: + +```text +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.num_goroutines': 19.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.alloc_bytes': 755960.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.malloc_count': 7550.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.free_count': 4387.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.heap_objects': 3163.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.total_gc_pause_ns': 1151002.000 +[2014-01-29 10:56:50 -0800 PST][G] 'consul-agent.runtime.total_gc_runs': 4.000 +[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.agent.ipc.accept': Count: 5 Sum: 5.000 +[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.agent.ipc.command': Count: 10 Sum: 10.000 +[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events': Count: 5 Sum: 5.000 +[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events.foo': Count: 4 Sum: 4.000 +[2014-01-29 10:56:50 -0800 PST][C] 'consul-agent.serf.events.baz': Count: 1 Sum: 1.000 +[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.memberlist.gossip': Count: 50 Min: 0.007 Mean: 0.020 Max: 0.041 Stddev: 0.007 Sum: 0.989 +[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.serf.queue.Intent': Count: 10 Sum: 0.000 +[2014-01-29 10:56:50 -0800 PST][S] 'consul-agent.serf.queue.Event': Count: 10 Min: 0.000 Mean: 2.500 Max: 5.000 Stddev: 2.121 Sum: 25.000 +``` + +# Key Metrics + +These are some metrics emitted that can help you understand the health of your cluster at a glance. For a full list of metrics emitted by Consul, see [Metrics Reference](#metrics-reference) + +### Transaction timing + +| Metric Name | Description | +| :----------------------- | :----------------------------------------------------------------------------------- | +| `consul.kvs.apply` | This measures the time it takes to complete an update to the KV store. | +| `consul.txn.apply` | This measures the time spent applying a transaction operation. | +| `consul.raft.apply` | This counts the number of Raft transactions occurring over the interval. | +| `consul.raft.commitTime` | This measures the time it takes to commit a new entry to the Raft log on the leader. | + +**Why they're important:** Taken together, these metrics indicate how long it takes to complete write operations in various parts of the Consul cluster. Generally these should all be fairly consistent and no more than a few milliseconds. Sudden changes in any of the timing values could be due to unexpected load on the Consul servers, or due to problems on the servers themselves. + +**What to look for:** Deviations (in any of these metrics) of more than 50% from baseline over the previous hour. + +### Leadership changes + +| Metric Name | Description | +| :------------------------------- | :------------------------------------------------------------------------------------------------------------- | +| `consul.raft.leader.lastContact` | Measures the time since the leader was last able to contact the follower nodes when checking its leader lease. | +| `consul.raft.state.candidate` | This increments whenever a Consul server starts an election. | +| `consul.raft.state.leader` | This increments whenever a Consul server becomes a leader. | + +**Why they're important:** Normally, your Consul cluster should have a stable leader. If there are frequent elections or leadership changes, it would likely indicate network issues between the Consul servers, or that the Consul servers themselves are unable to keep up with the load. + +**What to look for:** For a healthy cluster, you're looking for a `lastContact` lower than 200ms, `leader` > 0 and `candidate` == 0. Deviations from this might indicate flapping leadership. + +### Autopilot + +| Metric Name | Description | +| :------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `consul.autopilot.healthy` | This tracks the overall health of the local server cluster. If all servers are considered healthy by Autopilot, this will be set to 1. If any are unhealthy, this will be 0. | + +**Why it's important:** Obviously, you want your cluster to be healthy. + +**What to look for:** Alert if `healthy` is 0. + +### Memory usage + +| Metric Name | Description | +| :--------------------------- | :----------------------------------------------------------------- | +| `consul.runtime.alloc_bytes` | This measures the number of bytes allocated by the Consul process. | +| `consul.runtime.sys_bytes` | This is the total number of bytes of memory obtained from the OS. | + +**Why they're important:** Consul keeps all of its data in memory. If Consul consumes all available memory, it will crash. + +**What to look for:** If `consul.runtime.sys_bytes` exceeds 90% of total available system memory. + +### Garbage collection + +| Metric Name | Description | +| :--------------------------------- | :---------------------------------------------------------------------------------------------------- | +| `consul.runtime.total_gc_pause_ns` | Number of nanoseconds consumed by stop-the-world garbage collection (GC) pauses since Consul started. | + +**Why it's important:** GC pause is a "stop-the-world" event, meaning that all runtime threads are blocked until GC completes. Normally these pauses last only a few nanoseconds. But if memory usage is high, the Go runtime may GC so frequently that it starts to slow down Consul. + +**What to look for:** Warning if `total_gc_pause_ns` exceeds 2 seconds/minute, critical if it exceeds 5 seconds/minute. + +**NOTE:** `total_gc_pause_ns` is a cumulative counter, so in order to calculate rates (such as GC/minute), +you will need to apply a function such as InfluxDB's [`non_negative_difference()`](https://docs.influxdata.com/influxdb/v1.5/query_language/functions/#non-negative-difference). + +### Network activity - RPC Count + +| Metric Name | Description | +| :--------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `consul.client.rpc` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server | +| `consul.client.rpc.exceeded` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/docs/agent/options.html#limits) configuration. | +| `consul.client.rpc.failed` | Increments whenever a Consul agent in client mode makes an RPC request to a Consul server and fails. | + +**Why they're important:** These measurements indicate the current load created from a Consul agent, including when the load becomes high enough to be rate limited. A high RPC count, especially from `consul.client.rpcexceeded` meaning that the requests are being rate-limited, could imply a misconfigured Consul agent. + +**What to look for:** +Sudden large changes to the `consul.client.rpc` metrics (greater than 50% deviation from baseline). +`consul.client.rpc.exceeded` or `consul.client.rpc.failed` count > 0, as it implies that an agent is being rate-limited or fails to make an RPC request to a Consul server + +When telemetry is being streamed to an external metrics store, the interval is defined to +be that store's flush interval. Otherwise, the interval can be assumed to be 10 seconds +when retrieving metrics from the built-in store using the above described signals. + +## Metrics Reference + +This is a full list of metrics emitted by Consul. + +| Metric | Description | Unit | Type | +| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- | ------- | +| `consul.acl.blocked.service.registration` | This increments whenever a deregistration fails for a service (blocked by an ACL) | requests | counter | +| `consul.acl.blocked..registration` | This increments whenever a registration fails for an entity (check, node or service) is blocked by an ACL | requests | counter | +| `consul.client.rpc` | This increments whenever a Consul agent in client mode makes an RPC request to a Consul server. This gives a measure of how much a given agent is loading the Consul servers. Currently, this is only generated by agents in client mode, not Consul servers. | requests | counter | +| `consul.client.rpc.exceeded` | This increments whenever a Consul agent in client mode makes an RPC request to a Consul server gets rate limited by that agent's [`limits`](/docs/agent/options.html#limits) configuration. This gives an indication that there's an abusive application making too many requests on the agent, or that the rate limit needs to be increased. Currently, this only applies to agents in client mode, not Consul servers. | rejected requests | counter | +| `consul.client.rpc.failed` | This increments whenever a Consul agent in client mode makes an RPC request to a Consul server and fails. | requests | counter | +| `consul.client.api.catalog_register.` | This increments whenever a Consul agent receives a catalog register request. | requests | counter | +| `consul.client.api.success.catalog_register.` | This increments whenever a Consul agent successfully responds to a catalog register request. | requests | counter | +| `consul.client.rpc.error.catalog_register.` | This increments whenever a Consul agent receives an RPC error for a catalog register request. | errors | counter | +| `consul.client.api.catalog_deregister.` | This increments whenever a Consul agent receives a catalog de-register request. | requests | counter | +| `consul.client.api.success.catalog_deregister.` | This increments whenever a Consul agent successfully responds to a catalog de-register request. | requests | counter | +| `consul.client.rpc.error.catalog_deregister.` | This increments whenever a Consul agent receives an RPC error for a catalog de-register request. | errors | counter | +| `consul.client.api.catalog_datacenters.` | This increments whenever a Consul agent receives a request to list datacenters in the catalog. | requests | counter | +| `consul.client.api.success.catalog_datacenters.` | This increments whenever a Consul agent successfully responds to a request to list datacenters. | requests | counter | +| `consul.client.rpc.error.catalog_datacenters.` | This increments whenever a Consul agent receives an RPC error for a request to list datacenters. | errors | counter | +| `consul.client.api.catalog_nodes.` | This increments whenever a Consul agent receives a request to list nodes from the catalog. | requests | counter | +| `consul.client.api.success.catalog_nodes.` | This increments whenever a Consul agent successfully responds to a request to list nodes. | requests | counter | +| `consul.client.rpc.error.catalog_nodes.` | This increments whenever a Consul agent receives an RPC error for a request to list nodes. | errors | counter | +| `consul.client.api.catalog_services.` | This increments whenever a Consul agent receives a request to list services from the catalog. | requests | counter | +| `consul.client.api.success.catalog_services.` | This increments whenever a Consul agent successfully responds to a request to list services. | requests | counter | +| `consul.client.rpc.error.catalog_services.` | This increments whenever a Consul agent receives an RPC error for a request to list services. | errors | counter | +| `consul.client.api.catalog_service_nodes.` | This increments whenever a Consul agent receives a request to list nodes offering a service. | requests | counter | +| `consul.client.api.success.catalog_service_nodes.` | This increments whenever a Consul agent successfully responds to a request to list nodes offering a service. | requests | counter | +| `consul.client.rpc.error.catalog_service_nodes.` | This increments whenever a Consul agent receives an RPC error for a request to list nodes offering a service. | errors | counter | +| `consul.client.api.catalog_node_services.` | This increments whenever a Consul agent receives a request to list services registered in a node. | requests | counter | +| `consul.client.api.success.catalog_node_services.` | This increments whenever a Consul agent successfully responds to a request to list services in a service. | requests | counter | +| `consul.client.rpc.error.catalog_node_services.` | This increments whenever a Consul agent receives an RPC error for a request to list services in a service. | errors | counter | +| `consul.runtime.num_goroutines` | This tracks the number of running goroutines and is a general load pressure indicator. This may burst from time to time but should return to a steady state value. | number of goroutines | gauge | +| `consul.runtime.alloc_bytes` | This measures the number of bytes allocated by the Consul process. This may burst from time to time but should return to a steady state value. | bytes | gauge | +| `consul.runtime.heap_objects` | This measures the number of objects allocated on the heap and is a general memory pressure indicator. This may burst from time to time but should return to a steady state value. | number of objects | gauge | +| `consul.acl.cache_hit` | The number of ACL cache hits. | hits | counter | +| `consul.acl.cache_miss` | The number of ACL cache misses. | misses | counter | +| `consul.acl.replication_hit` | The number of ACL replication cache hits (when not running in the ACL datacenter). | hits | counter | +| `consul.dns.stale_queries` | This increments when an agent serves a query within the allowed stale threshold. | queries | counter | +| `consul.dns.ptr_query.` | This measures the time spent handling a reverse DNS query for the given node. | ms | timer | +| `consul.dns.domain_query.` | This measures the time spent handling a domain query for the given node. | ms | timer | +| `consul.http..` | This tracks how long it takes to service the given HTTP request for the given verb and path. Paths do not include details like service or key names, for these an underscore will be present as a placeholder (eg. `consul.http.GET.v1.kv._`) | ms | timer | + +## Server Health + +These metrics are used to monitor the health of the Consul servers. + +| Metric | Description | Unit | Type | +| ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | ------- | +| `consul.raft.fsm.snapshot` | This metric measures the time taken by the FSM to record the current state for the snapshot. | ms | timer | +| `consul.raft.fsm.apply` | This metric gives the number of logs committed since the last interval. | commit logs / interval | counter | +| `consul.raft.commitNumLogs` | This metric measures the count of logs processed for application to the FSM in a single batch. | logs | gauge | +| `consul.raft.fsm.enqueue` | This metric measures the amount of time to enqueue a batch of logs for the FSM to apply. | ms | timer | +| `consul.raft.fsm.restore` | This metric measures the time taken by the FSM to restore its state from a snapshot. | ms | timer | +| `consul.raft.snapshot.create` | This metric measures the time taken to initialize the snapshot process. | ms | timer | +| `consul.raft.snapshot.persist` | This metric measures the time taken to dump the current snapshot taken by the Consul agent to the disk. | ms | timer | +| `consul.raft.snapshot.takeSnapshot` | This metric measures the total time involved in taking the current snapshot (creating one and persisting it) by the Consul agent. | ms | timer | +| `consul.raft.replication.heartbeat` | This metric measures the time taken to invoke appendEntries on a peer, so that it doesn’t timeout on a periodic basis. | ms | timer | +| `consul.serf.snapshot.appendLine` | This metric measures the time taken by the Consul agent to append an entry into the existing log. | ms | timer | +| `consul.serf.snapshot.compact` | This metric measures the time taken by the Consul agent to compact a log. This operation occurs only when the snapshot becomes large enough to justify the compaction . | ms | timer | +| `consul.raft.state.leader` | This increments whenever a Consul server becomes a leader. If there are frequent leadership changes this may be indication that the servers are overloaded and aren't meeting the soft real-time requirements for Raft, or that there are networking problems between the servers. | leadership transitions / interval | counter | +| `consul.raft.state.candidate` | This increments whenever a Consul server starts an election. If this increments without a leadership change occurring it could indicate that a single server is overloaded or is experiencing network connectivity issues. | election attempts / interval | counter | +| `consul.raft.apply` | This counts the number of Raft transactions occurring over the interval, which is a general indicator of the write load on the Consul servers. | raft transactions / interval | counter | +| `consul.raft.barrier` | This metric counts the number of times the agent has started the barrier i.e the number of times it has | +| issued a blocking call, to ensure that the agent has all the pending operations that were queued, to be applied to the agent's FSM. | blocks / interval | counter | +| `consul.raft.verify_leader` | This metric counts the number of times an agent checks whether it is still the leader or not | checks / interval | Counter | +| `consul.raft.restore` | This metric counts the number of times the restore operation has been performed by the agent. Here, restore refers to the action of raft consuming an external snapshot to restore its state. | operation invoked / interval | counter | +| `consul.raft.commitTime` | This measures the time it takes to commit a new entry to the Raft log on the leader. | ms | timer | +| `consul.raft.leader.dispatchLog` | This measures the time it takes for the leader to write log entries to disk. | ms | timer | +| `consul.raft.leader.dispatchNumLogs` | This metric measures the number of logs committed to disk in a batch. | logs | gauge | +| `consul.raft.replication.appendEntries` | This measures the time it takes to replicate log entries to followers. This is a general indicator of the load pressure on the Consul servers, as well as the performance of the communication between the servers. | ms | timer | +| `consul.raft.state.follower` | This metric counts the number of times an agent has entered the follower mode. This happens when a new agent joins the cluster or after the end of a leader election. | follower state entered / interval | counter | +| `consul.raft.transistion.heartbeat_timeout` | This metric gives the number of times an agent has transitioned to the Candidate state, after receive no heartbeat messages from the last known leader. | timeouts / interval | counter | +| `consul.raft.restoreUserSnapshot` | This metric measures the time taken by the agent to restore the FSM state from a user's snapshot | ms | timer | +| `consul.raft.rpc.processHeartBeat` | This metric measures the time taken to process a heartbeat request. | ms | timer | +| `consul.raft.rpc.appendEntries` | This metric measures the time taken to process an append entries RPC call from an agent. | ms | timer | +| `consul.raft.rpc.appendEntries.storeLogs` | This metric measures the time taken to add any outstanding logs for an agent, since the last appendEntries was invoked | ms | timer | +| `consul.raft.rpc.appendEntries.processLogs` | This metric measures the time taken to process the outstanding log entries of an agent. | ms | timer | +| `consul.raft.rpc.requestVote` | This metric measures the time taken to process the request vote RPC call. | ms | timer | +| `consul.raft.rpc.installSnapshot` | This metric measures the time taken to process the installSnapshot RPC call. This metric should only be seen on agents which are currently in the follower state. | ms | timer | +| `consul.raft.replication.appendEntries.rpc` | This metric measures the time taken by the append entries RFC, to replicate the log entries of a leader agent onto its follower agent(s) | ms | timer | +| `consul.raft.replication.appendEntries.logs` | This metric measures the number of logs replicated to an agent, to bring it up to speed with the leader's logs. | logs appended/ interval | counter | +| `consul.raft.leader.lastContact` | This will only be emitted by the Raft leader and measures the time since the leader was last able to contact the follower nodes when checking its leader lease. It can be used as a measure for how stable the Raft timing is and how close the leader is to timing out its lease.The lease timeout is 500 ms times the [`raft_multiplier` configuration](/docs/agent/options.html#raft_multiplier), so this telemetry value should not be getting close to that configured value, otherwise the Raft timing is marginal and might need to be tuned, or more powerful servers might be needed. See the [Server Performance](/docs/install/performance.html) guide for more details. | ms | timer | +| `consul.acl.apply` | This measures the time it takes to complete an update to the ACL store. | ms | timer | +| `consul.acl.fault` | This measures the time it takes to fault in the rules for an ACL during a cache miss. | ms | timer | +| `consul.acl.fetchRemoteACLs` | This measures the time it takes to fetch remote ACLs during replication. | ms | timer | +| `consul.acl.updateLocalACLs` | This measures the time it takes to apply replication changes to the local ACL store. | ms | timer | +| `consul.acl.replicateACLs` | This measures the time it takes to do one pass of the ACL replication algorithm. | ms | timer | +| `consul.acl.resolveToken` | This measures the time it takes to resolve an ACL token. | ms | timer | +| `consul.rpc.accept_conn` | This increments when a server accepts an RPC connection. | connections | counter | +| `consul.catalog.register` | This measures the time it takes to complete a catalog register operation. | ms | timer | +| `consul.catalog.deregister` | This measures the time it takes to complete a catalog deregister operation. | ms | timer | +| `consul.fsm.register` | This measures the time it takes to apply a catalog register operation to the FSM. | ms | timer | +| `consul.fsm.deregister` | This measures the time it takes to apply a catalog deregister operation to the FSM. | ms | timer | +| `consul.fsm.acl.` | This measures the time it takes to apply the given ACL operation to the FSM. | ms | timer | +| `consul.fsm.session.` | This measures the time it takes to apply the given session operation to the FSM. | ms | timer | +| `consul.fsm.kvs.` | This measures the time it takes to apply the given KV operation to the FSM. | ms | timer | +| `consul.fsm.tombstone.` | This measures the time it takes to apply the given tombstone operation to the FSM. | ms | timer | +| `consul.fsm.coordinate.batch-update` | This measures the time it takes to apply the given batch coordinate update to the FSM. | ms | timer | +| `consul.fsm.prepared-query.` | This measures the time it takes to apply the given prepared query update operation to the FSM. | ms | timer | +| `consul.fsm.txn` | This measures the time it takes to apply the given transaction update to the FSM. | ms | timer | +| `consul.fsm.autopilot` | This measures the time it takes to apply the given autopilot update to the FSM. | ms | timer | +| `consul.fsm.persist` | This measures the time it takes to persist the FSM to a raft snapshot. | ms | timer | +| `consul.kvs.apply` | This measures the time it takes to complete an update to the KV store. | ms | timer | +| `consul.leader.barrier` | This measures the time spent waiting for the raft barrier upon gaining leadership. | ms | timer | +| `consul.leader.reconcile` | This measures the time spent updating the raft store from the serf member information. | ms | timer | +| `consul.leader.reconcileMember` | This measures the time spent updating the raft store for a single serf member's information. | ms | timer | +| `consul.leader.reapTombstones` | This measures the time spent clearing tombstones. | ms | timer | +| `consul.prepared-query.apply` | This measures the time it takes to apply a prepared query update. | ms | timer | +| `consul.prepared-query.explain` | This measures the time it takes to process a prepared query explain request. | ms | timer | +| `consul.prepared-query.execute` | This measures the time it takes to process a prepared query execute request. | ms | timer | +| `consul.prepared-query.execute_remote` | This measures the time it takes to process a prepared query execute request that was forwarded to another datacenter. | ms | timer | +| `consul.rpc.raft_handoff` | This increments when a server accepts a Raft-related RPC connection. | connections | counter | +| `consul.rpc.request_error` | This increments when a server returns an error from an RPC request. | errors | counter | +| `consul.rpc.request` | This increments when a server receives a Consul-related RPC request. | requests | counter | +| `consul.rpc.query` | This increments when a server receives a new blocking RPC request, indicating the rate of new blocking query calls. See consul.rpc.queries_blocking for the current number of in-flight blocking RPC calls. This metric changed in 1.7.0 to only increment on the the start of a query. The rate of queries will appear lower, but is more accurate. | queries | counter | +| `consul.rpc.queries_blocking` | This shows the current number of in-flight blocking queries the server is handling. | queries | gauge | +| `consul.rpc.cross-dc` | This increments when a server sends a (potentially blocking) cross datacenter RPC query. | queries | counter | +| `consul.rpc.consistentRead` | This measures the time spent confirming that a consistent read can be performed. | ms | timer | +| `consul.session.apply` | This measures the time spent applying a session update. | ms | timer | +| `consul.session.renew` | This measures the time spent renewing a session. | ms | timer | +| `consul.session_ttl.invalidate` | This measures the time spent invalidating an expired session. | ms | timer | +| `consul.txn.apply` | This measures the time spent applying a transaction operation. | ms | timer | +| `consul.txn.read` | This measures the time spent returning a read transaction. | ms | timer | + +## Cluster Health + +These metrics give insight into the health of the cluster as a whole. + +| Metric | Description | Unit | Type | +| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- | ------- | +| `consul.memberlist.degraded.probe` | This metric counts the number of times the agent has performed failure detection on another agent at a slower probe rate. The agent uses its own health metric as an indicator to perform this action. (If its health score is low, means that the node is healthy, and vice versa.) | probes / interval | counter | +| `consul.memberlist.degraded.timeout` | This metric counts the number of times an agent was marked as a dead node, whilst not getting enough confirmations from a randomly selected list of agent nodes in an agent's membership. | occurrence / interval | counter | +| `consul.memberlist.msg.dead` | This metric counts the number of times an agent has marked another agent to be a dead node. | messages / interval | counter | +| `consul.memberlist.health.score` | This metric describes a node's perception of its own health based on how well it is meeting the soft real-time requirements of the protocol. This metric ranges from 0 to 8, where 0 indicates "totally healthy". This health score is used to scale the time between outgoing probes, and higher scores translate into longer probing intervals. For more details see section IV of the Lifeguard paper: https://arxiv.org/pdf/1707.00788.pdf | score | gauge | +| `consul.memberlist.msg.suspect` | This increments when an agent suspects another as failed when executing random probes as part of the gossip protocol. These can be an indicator of overloaded agents, network problems, or configuration errors where agents can not connect to each other on the [required ports](/docs/agent/options.html#ports). | suspect messages received / interval | counter | +| `consul.memberlist.tcp.accept` | This metric counts the number of times an agent has accepted an incoming TCP stream connection. | connections accepted / interval | counter | +| `consul.memberlist.udp.sent/received` | This metric measures the total number of bytes sent/received by an agent through the UDP protocol. | bytes sent or bytes received / interval | counter | +| `consul.memberlist.tcp.connect` | This metric counts the number of times an agent has initiated a push/pull sync with an other agent. | push/pull initiated / interval | counter | +| `consul.memberlist.tcp.sent` | This metric measures the total number of bytes sent by an agent through the TCP protocol | bytes sent / interval | counter | +| `consul.memberlist.gossip` | This metric gives the number of gossips (messages) broadcasted to a set of randomly selected nodes. | messages / Interval | counter | +| `consul.memberlist.msg_alive` | This metric counts the number of alive agents, that the agent has mapped out so far, based on the message information given by the network layer. | nodes / Interval | counter | +| `consul.memberlist.msg_dead` | This metric gives the number of dead agents, that the agent has mapped out so far, based on the message information given by the network layer. | nodes / Interval | counter | +| `consul.memberlist.msg_suspect` | This metric gives the number of suspect nodes, that the agent has mapped out so far, based on the message information given by the network layer. | nodes / Interval | counter | +| `consul.memberlist.probeNode` | This metric measures the time taken to perform a single round of failure detection on a select agent. | nodes / Interval | counter | +| `consul.memberlist.pushPullNode` | This metric measures the number of agents that have exchanged state with this agent. | nodes / Interval | counter | +| `consul.serf.member.failed` | This increments when an agent is marked dead. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/docs/agent/options.html#ports). | failures / interval | counter | +| `consul.serf.member.flap` | Available in Consul 0.7 and later, this increments when an agent is marked dead and then recovers within a short time period. This can be an indicator of overloaded agents, network problems, or configuration errors where agents cannot connect to each other on the [required ports](/docs/agent/options.html#ports). | flaps / interval | counter | +| `consul.serf.member.join` | This increments when an agent joins the cluster. If an agent flapped or failed this counter also increments when it re-joins. | joins / interval | counter | +| `consul.serf.member.left` | This increments when an agent leaves the cluster. | leaves / interval | counter | +| `consul.serf.events` | This increments when an agent processes an [event](/docs/commands/event.html). Consul uses events internally so there may be additional events showing in telemetry. There are also a per-event counters emitted as `consul.serf.events.`. | events / interval | counter | +| `consul.autopilot.failure_tolerance` | This tracks the number of voting servers that the cluster can lose while continuing to function. | servers | gauge | +| `consul.autopilot.healthy` | This tracks the overall health of the local server cluster. If all servers are considered healthy by Autopilot, this will be set to 1. If any are unhealthy, this will be 0. | boolean | gauge | +| `consul.session_ttl.active` | This tracks the active number of sessions being tracked. | sessions | gauge | +| `consul.catalog.service.query.` | This increments for each catalog query for the given service. | queries | counter | +| `consul.catalog.service.query-tag..` | This increments for each catalog query for the given service with the given tag. | queries | counter | +| `consul.catalog.service.query-tags..` | This increments for each catalog query for the given service with the given tags. | queries | counter | +| `consul.catalog.service.not-found.` | This increments for each catalog query where the given service could not be found. | queries | counter | +| `consul.health.service.query.` | This increments for each health query for the given service. | queries | counter | +| `consul.health.service.query-tag..` | This increments for each health query for the given service with the given tag. | queries | counter | +| `consul.health.service.query-tags..` | This increments for each health query for the given service with the given tags. | queries | counter | +| `consul.health.service.not-found.` | This increments for each health query where the given service could not be found. | queries | counter | + +## Connect Built-in Proxy Metrics + +Consul Connect's built-in proxy is by default configured to log metrics to the +same sink as the agent that starts it. + +When running in this mode it emits some basic metrics. These will be expanded +upon in the future. + +All metrics are prefixed with `consul.proxy.` to distinguish +between multiple proxies on a given host. The table below use `web` as an +example service name for brevity. + +### Labels + +Most labels have a `dst` label and some have a `src` label. When using metrics +sinks and timeseries stores that support labels or tags, these allow aggregating +the connections by service name. + +Assuming all services are using a managed built-in proxy, you can get a complete +overview of both number of open connections and bytes sent and received between +all services by aggregating over these metrics. + +For example aggregating over all `upstream` (i.e. outbound) connections which +have both `src` and `dst` labels, you can get a sum of all the bandwidth in and +out of a given service or the total number of connections between two services. + +### Metrics Reference + +The standard go runtime metrics are exported by `go-metrics` as with Consul +agent. The table below describes the additional metrics exported by the proxy. + +| Metric | Description | Unit | Type | +| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------- | +| `consul.proxy.web.runtime.*` | The same go runtime metrics as documented for the agent above. | mixed | mixed | +| `consul.proxy.web.inbound.conns` | Shows the current number of connections open from inbound requests to the proxy. Where supported a `dst` label is added indicating the service name the proxy represents. | connections | gauge | +| `consul.proxy.web.inbound.rx_bytes` | This increments by the number of bytes received from an inbound client connection. Where supported a `dst` label is added indicating the service name the proxy represents. | bytes | counter | +| `consul.proxy.web.inbound.tx_bytes` | This increments by the number of bytes transferred to an inbound client connection. Where supported a `dst` label is added indicating the service name the proxy represents. | bytes | counter | +| `consul.proxy.web.upstream.conns` | Shows the current number of connections open from a proxy instance to an upstream. Where supported a `src` label is added indicating the service name the proxy represents, and a `dst` label is added indicating the service name the upstream is connecting to. | connections | gauge | +| `consul.proxy.web.inbound.rx_bytes` | This increments by the number of bytes received from an upstream connection. Where supported a `src` label is added indicating the service name the proxy represents, and a `dst` label is added indicating the service name the upstream is connecting to. | bytes | counter | +| `consul.proxy.web.inbound.tx_bytes` | This increments by the number of bytes transferred to an upstream connection. Where supported a `src` label is added indicating the service name the proxy represents, and a `dst` label is added indicating the service name the upstream is connecting to. | bytes | counter | diff --git a/website/pages/docs/agent/watches.html.md b/website/pages/docs/agent/watches.mdx similarity index 96% rename from website/pages/docs/agent/watches.html.md rename to website/pages/docs/agent/watches.mdx index f15f3dc972..fb7293c3c3 100644 --- a/website/pages/docs/agent/watches.html.md +++ b/website/pages/docs/agent/watches.mdx @@ -1,9 +1,13 @@ --- -layout: 'docs' -page_title: 'Watches' -sidebar_current: 'docs-agent-watches' -description: |- - Watches are a way of specifying a view of data (e.g. list of nodes, KV pairs, health checks) which is monitored for updates. When an update is detected, an external handler is invoked. A handler can be any executable. As an example, you could watch the status of health checks and notify an external system when a check is critical. +layout: docs +page_title: Watches +sidebar_current: docs-agent-watches +description: >- + Watches are a way of specifying a view of data (e.g. list of nodes, KV pairs, + health checks) which is monitored for updates. When an update is detected, an + external handler is invoked. A handler can be any executable. As an example, + you could watch the status of health checks and notify an external system when + a check is critical. --- # Watches diff --git a/website/pages/docs/commands/acl.html.md b/website/pages/docs/commands/acl.mdx similarity index 98% rename from website/pages/docs/commands/acl.html.md rename to website/pages/docs/commands/acl.mdx index f20037e145..c1d8b009b9 100644 --- a/website/pages/docs/commands/acl.html.md +++ b/website/pages/docs/commands/acl.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: ACL' -sidebar_current: 'docs-commands-acl' +sidebar_current: docs-commands-acl --- # Consul ACLs diff --git a/website/pages/docs/commands/acl/auth-method.html.md.erb b/website/pages/docs/commands/acl/auth-method.mdx similarity index 90% rename from website/pages/docs/commands/acl/auth-method.html.md.erb rename to website/pages/docs/commands/acl/auth-method.mdx index 825ccea405..89e5dd6555 100644 --- a/website/pages/docs/commands/acl/auth-method.html.md.erb +++ b/website/pages/docs/commands/acl/auth-method.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Auth Methods" -sidebar_current: "docs-commands-acl-auth-method" +layout: docs +page_title: 'Commands: ACL Auth Methods' +sidebar_current: docs-commands-acl-auth-method --- # Consul ACL Auth Methods @@ -15,7 +15,7 @@ This command is available in Consul 1.5.0 and newer. ACL auth methods may also be managed via the [HTTP API](/api/acl/auth-methods.html). -> **Note:** All of the example subcommands in this document will require a valid -Consul token with the appropriate permissions. Either set the +Consul token with the appropriate permissions. Either set the `CONSUL_HTTP_TOKEN` environment variable to the token's secret ID or pass the secret ID as the value of the `-token` parameter. @@ -23,8 +23,7 @@ secret ID as the value of the `-token` parameter. Usage: `consul acl auth-method ` -For the exact documentation for your Consul version, run `consul acl -auth-method -h` to view the complete list of subcommands. +For the exact documentation for your Consul version, run `consul acl auth-method -h` to view the complete list of subcommands. ```text Usage: consul acl auth-method [options] [args] diff --git a/website/pages/docs/commands/acl/auth-method/create.html.md.erb b/website/pages/docs/commands/acl/auth-method/create.mdx similarity index 62% rename from website/pages/docs/commands/acl/auth-method/create.html.md.erb rename to website/pages/docs/commands/acl/auth-method/create.mdx index 1ae30eb4d0..babb0f7373 100644 --- a/website/pages/docs/commands/acl/auth-method/create.html.md.erb +++ b/website/pages/docs/commands/acl/auth-method/create.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Auth Method Create" -sidebar_current: "docs-commands-acl-auth-method-create" +layout: docs +page_title: 'Commands: ACL Auth Method Create' +sidebar_current: docs-commands-acl-auth-method-create --- # Consul ACL Auth Method Create @@ -16,37 +16,37 @@ Usage: `consul acl auth-method create [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-description=` - A description of the auth method. +- `-description=` - A description of the auth method. -* `-meta` - Indicates that auth method metadata such as the raft indices should +- `-meta` - Indicates that auth method metadata such as the raft indices should be shown for each entry. -* `-name=` - The new auth method's name. This flag is required. +- `-name=` - The new auth method's name. This flag is required. -* `-type=` - The new auth method's type. This flag is required. +- `-type=` - The new auth method's type. This flag is required. -* `-kubernetes-ca-cert=` - PEM encoded CA cert for use by the TLS +- `-kubernetes-ca-cert=` - PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. May be prefixed with '@' to indicate that the value is a file path to load the cert from. This flag is required for `-type=kubernetes`. -* `-kubernetes-host=` - Address of the Kubernetes API server. This flag +- `-kubernetes-host=` - Address of the Kubernetes API server. This flag is required for `-type=kubernetes`. -* `-kubernetes-service-account-jwt=` - A Kubernetes service account JWT +- `-kubernetes-service-account-jwt=` - A Kubernetes service account JWT used to access the TokenReview API to validate other JWTs during login. This flag is required for `-type=kubernetes`. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/auth-method/delete.html.md.erb b/website/pages/docs/commands/acl/auth-method/delete.mdx similarity index 54% rename from website/pages/docs/commands/acl/auth-method/delete.html.md.erb rename to website/pages/docs/commands/acl/auth-method/delete.mdx index e3442a3e5c..ebfaa84e68 100644 --- a/website/pages/docs/commands/acl/auth-method/delete.html.md.erb +++ b/website/pages/docs/commands/acl/auth-method/delete.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Auth Method Delete" -sidebar_current: "docs-commands-acl-auth-method-delete" +layout: docs +page_title: 'Commands: ACL Auth Method Delete' +sidebar_current: docs-commands-acl-auth-method-delete --- # Consul ACL Auth Method Delete @@ -16,16 +16,16 @@ Usage: `consul acl auth-method delete [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-name=` - The Name of the auth method to delete. +- `-name=` - The Name of the auth method to delete. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/auth-method/list.html.md.erb b/website/pages/docs/commands/acl/auth-method/list.mdx similarity index 67% rename from website/pages/docs/commands/acl/auth-method/list.html.md.erb rename to website/pages/docs/commands/acl/auth-method/list.mdx index f7f2bbb248..c75078f029 100644 --- a/website/pages/docs/commands/acl/auth-method/list.html.md.erb +++ b/website/pages/docs/commands/acl/auth-method/list.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Auth Method List" -sidebar_current: "docs-commands-acl-auth-method-list" +layout: docs +page_title: 'Commands: ACL Auth Method List' +sidebar_current: docs-commands-acl-auth-method-list --- # Consul ACL Auth Method List @@ -16,19 +16,19 @@ Usage: `consul acl auth-method list` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-meta` - Indicates that auth method metadata such as the raft indices should +- `-meta` - Indicates that auth method metadata such as the raft indices should be shown for each entry. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. - +- `-format={pretty|json}` - Command output format. The default value is `pretty`. + #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/auth-method/read.html.md.erb b/website/pages/docs/commands/acl/auth-method/read.mdx similarity index 60% rename from website/pages/docs/commands/acl/auth-method/read.html.md.erb rename to website/pages/docs/commands/acl/auth-method/read.mdx index 33665ee2eb..bc7bb876f3 100644 --- a/website/pages/docs/commands/acl/auth-method/read.html.md.erb +++ b/website/pages/docs/commands/acl/auth-method/read.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Auth Method Read" -sidebar_current: "docs-commands-acl-auth-method-read" +layout: docs +page_title: 'Commands: ACL Auth Method Read' +sidebar_current: docs-commands-acl-auth-method-read --- # Consul ACL Auth Method Read @@ -16,21 +16,21 @@ Usage: `consul acl auth-method read [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-meta` - Indicates that auth method metadata such as the raft +- `-meta` - Indicates that auth method metadata such as the raft indices should be shown for each entry. -* `-name=` - The name of the auth method to read. +- `-name=` - The name of the auth method to read. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/auth-method/update.html.md.erb b/website/pages/docs/commands/acl/auth-method/update.mdx similarity index 65% rename from website/pages/docs/commands/acl/auth-method/update.html.md.erb rename to website/pages/docs/commands/acl/auth-method/update.mdx index 74bfa0d5ff..7847512364 100644 --- a/website/pages/docs/commands/acl/auth-method/update.html.md.erb +++ b/website/pages/docs/commands/acl/auth-method/update.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Auth Method Update" -sidebar_current: "docs-commands-acl-auth-method-update" +layout: docs +page_title: 'Commands: ACL Auth Method Update' +sidebar_current: docs-commands-acl-auth-method-update --- # Consul ACL Auth Method Update @@ -19,39 +19,39 @@ Usage: `consul acl auth-method update [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-description=` - A description of the auth method. +- `-description=` - A description of the auth method. -* `-kubernetes-ca-cert=` - PEM encoded CA cert for use by the TLS +- `-kubernetes-ca-cert=` - PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. May be prefixed with '@' to indicate that the value is a file path to load the cert from. This flag is required for `-type=kubernetes`. -* `-kubernetes-host=` - Address of the Kubernetes API server. This flag +- `-kubernetes-host=` - Address of the Kubernetes API server. This flag is required for `-type=kubernetes`. -* `-kubernetes-service-account-jwt=` - A Kubernetes service account JWT +- `-kubernetes-service-account-jwt=` - A Kubernetes service account JWT used to access the TokenReview API to validate other JWTs during login. This flag is required for `-type=kubernetes`. -* `-meta` - Indicates that auth method metadata such as the raft +- `-meta` - Indicates that auth method metadata such as the raft indices should be shown for each entry -* `-name=` - The name of the auth method to update. +- `-name=` - The name of the auth method to update. -* `-no-merge` - Do not merge the current auth method information with what is provided +- `-no-merge` - Do not merge the current auth method information with what is provided to the command. Instead overwrite all fields with the exception of the auth method ID which is immutable. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. - +- `-format={pretty|json}` - Command output format. The default value is `pretty`. + #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/binding-rule.html.md.erb b/website/pages/docs/commands/acl/binding-rule.mdx similarity index 90% rename from website/pages/docs/commands/acl/binding-rule.html.md.erb rename to website/pages/docs/commands/acl/binding-rule.mdx index 07eee71109..84dd161e9f 100644 --- a/website/pages/docs/commands/acl/binding-rule.html.md.erb +++ b/website/pages/docs/commands/acl/binding-rule.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Binding Rule" -sidebar_current: "docs-commands-acl-binding-rule" +layout: docs +page_title: 'Commands: ACL Binding Rule' +sidebar_current: docs-commands-acl-binding-rule --- # Consul ACL Binding Rules @@ -15,7 +15,7 @@ This command is available in Consul 1.5.0 and newer. ACL binding rules may also be managed via the [HTTP API](/api/acl/binding-rules.html). -> **Note:** All of the example subcommands in this document will require a valid -Consul token with the appropriate permissions. Either set the +Consul token with the appropriate permissions. Either set the `CONSUL_HTTP_TOKEN` environment variable to the token's secret ID or pass the secret ID as the value of the `-token` parameter. @@ -23,8 +23,7 @@ secret ID as the value of the `-token` parameter. Usage: `consul acl binding-rule ` -For the exact documentation for your Consul version, run `consul acl -binding-rule -h` to view the complete list of subcommands. +For the exact documentation for your Consul version, run `consul acl binding-rule -h` to view the complete list of subcommands. ```text Usage: consul acl binding-rule [options] [args] @@ -88,4 +87,3 @@ Delete a binding rule: ```sh $ consul acl binding-rule delete -id b6b856da-5193-4e78-845a-7d61ca8371ba ``` - diff --git a/website/pages/docs/commands/acl/binding-rule/create.html.md.erb b/website/pages/docs/commands/acl/binding-rule/create.mdx similarity index 66% rename from website/pages/docs/commands/acl/binding-rule/create.html.md.erb rename to website/pages/docs/commands/acl/binding-rule/create.mdx index 006b966acb..2d145023ad 100644 --- a/website/pages/docs/commands/acl/binding-rule/create.html.md.erb +++ b/website/pages/docs/commands/acl/binding-rule/create.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Binding Rule Create" -sidebar_current: "docs-commands-acl-binding-rule-create" +layout: docs +page_title: 'Commands: ACL Binding Rule Create' +sidebar_current: docs-commands-acl-binding-rule-create --- # Consul ACL Binding Rule Create @@ -16,32 +16,32 @@ Usage: `consul acl binding-rule create [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-bind-name=` - Name to bind on match. Can use `${var}` +- `-bind-name=` - Name to bind on match. Can use `${var}` interpolation. This flag is required. -* `-bind-type=` - Type of binding to perform (`"service"` or `"role"`). +- `-bind-type=` - Type of binding to perform (`"service"` or `"role"`). -* `-description=` - A description of the binding rule. +- `-description=` - A description of the binding rule. -* `-meta` - Indicates that binding rule metadata such as the raft - indices should be shown for each entry. +- `-meta` - Indicates that binding rule metadata such as the raft + indices should be shown for each entry. -* `-method=` - The auth method's name for which this binding rule +- `-method=` - The auth method's name for which this binding rule applies. This flag is required. -* `-selector=` - Selector is an expression that matches against +- `-selector=` - Selector is an expression that matches against verified identity attributes returned from the auth method during login. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/binding-rule/delete.html.md.erb b/website/pages/docs/commands/acl/binding-rule/delete.mdx similarity index 60% rename from website/pages/docs/commands/acl/binding-rule/delete.html.md.erb rename to website/pages/docs/commands/acl/binding-rule/delete.mdx index 796db40668..9eb25e0a9f 100644 --- a/website/pages/docs/commands/acl/binding-rule/delete.html.md.erb +++ b/website/pages/docs/commands/acl/binding-rule/delete.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Binding Rule Delete" -sidebar_current: "docs-commands-acl-binding-rule-delete" +layout: docs +page_title: 'Commands: ACL Binding Rule Delete' +sidebar_current: docs-commands-acl-binding-rule-delete --- # Consul ACL Binding Rule Delete @@ -16,17 +16,17 @@ Usage: `consul acl binding-rule delete [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-id=` - The ID of the binding rule to delete. It may be specified as a +- `-id=` - The ID of the binding rule to delete. It may be specified as a unique ID prefix but will error if the prefix matches multiple binding rule IDs. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/binding-rule/list.html.md.erb b/website/pages/docs/commands/acl/binding-rule/list.mdx similarity index 78% rename from website/pages/docs/commands/acl/binding-rule/list.html.md.erb rename to website/pages/docs/commands/acl/binding-rule/list.mdx index 658d9a256b..929b14538c 100644 --- a/website/pages/docs/commands/acl/binding-rule/list.html.md.erb +++ b/website/pages/docs/commands/acl/binding-rule/list.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Binding Rule List" -sidebar_current: "docs-commands-acl-binding-rule-list" +layout: docs +page_title: 'Commands: ACL Binding Rule List' +sidebar_current: docs-commands-acl-binding-rule-list --- # Consul ACL Binding Rule List @@ -16,19 +16,19 @@ Usage: `consul acl binding-rule list` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-meta` - Indicates that binding rule metadata such as the raft indices +- `-meta` - Indicates that binding rule metadata such as the raft indices should be shown for each entry. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/binding-rule/read.html.md.erb b/website/pages/docs/commands/acl/binding-rule/read.mdx similarity index 57% rename from website/pages/docs/commands/acl/binding-rule/read.html.md.erb rename to website/pages/docs/commands/acl/binding-rule/read.mdx index 1cf64eef77..4c8d54eaa8 100644 --- a/website/pages/docs/commands/acl/binding-rule/read.html.md.erb +++ b/website/pages/docs/commands/acl/binding-rule/read.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Binding Rule Read" -sidebar_current: "docs-commands-acl-binding-rule-read" +layout: docs +page_title: 'Commands: ACL Binding Rule Read' +sidebar_current: docs-commands-acl-binding-rule-read --- # Consul ACL Binding Rule Read @@ -16,22 +16,22 @@ Usage: `consul acl binding-rule read [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-id=` - The ID of the binding rule to read. It may be specified as a unique ID - prefix but will error if the prefix matches multiple binding rule IDs. +- `-id=` - The ID of the binding rule to read. It may be specified as a unique ID + prefix but will error if the prefix matches multiple binding rule IDs. -* `-meta` - Indicates that binding rule metadata such as the raft +- `-meta` - Indicates that binding rule metadata such as the raft indices should be shown for each entry. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/binding-rule/update.html.md.erb b/website/pages/docs/commands/acl/binding-rule/update.mdx similarity index 61% rename from website/pages/docs/commands/acl/binding-rule/update.html.md.erb rename to website/pages/docs/commands/acl/binding-rule/update.mdx index f7042fa7e3..726a15b8ac 100644 --- a/website/pages/docs/commands/acl/binding-rule/update.html.md.erb +++ b/website/pages/docs/commands/acl/binding-rule/update.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Binding Rule Update" -sidebar_current: "docs-commands-acl-binding-rule-update" +layout: docs +page_title: 'Commands: ACL Binding Rule Update' +sidebar_current: docs-commands-acl-binding-rule-update --- # Consul ACL Binding Rule Update @@ -19,36 +19,36 @@ Usage: `consul acl binding-rule update [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-bind-name=` - Name to bind on match. Can use `${var}` +- `-bind-name=` - Name to bind on match. Can use `${var}` interpolation. This flag is required. -* `-bind-type=` - Type of binding to perform (`"service"` or `"role"`). +- `-bind-type=` - Type of binding to perform (`"service"` or `"role"`). -* `-description=` - A description of the binding rule. +- `-description=` - A description of the binding rule. -* `-id=` - The ID of the binding rule to update. It may be specified as a +- `-id=` - The ID of the binding rule to update. It may be specified as a unique ID prefix but will error if the prefix matches multiple binding rule IDs -* `-meta` - Indicates that binding rule metadata such as the raft - indices should be shown for each entry. +- `-meta` - Indicates that binding rule metadata such as the raft + indices should be shown for each entry. -* `-no-merge` - Do not merge the current binding rule information with what is +- `-no-merge` - Do not merge the current binding rule information with what is provided to the command. Instead overwrite all fields with the exception of the binding rule ID which is immutable. -* `-selector=` - Selector is an expression that matches against +- `-selector=` - Selector is an expression that matches against verified identity attributes returned from the auth method during login. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/bootstrap.html.md.erb b/website/pages/docs/commands/acl/bootstrap.mdx similarity index 79% rename from website/pages/docs/commands/acl/bootstrap.html.md.erb rename to website/pages/docs/commands/acl/bootstrap.mdx index d31a67229a..0a43f5430c 100644 --- a/website/pages/docs/commands/acl/bootstrap.html.md.erb +++ b/website/pages/docs/commands/acl/bootstrap.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Bootstrap" -sidebar_current: "docs-commands-acl-bootstrap" +layout: docs +page_title: 'Commands: ACL Bootstrap' +sidebar_current: docs-commands-acl-bootstrap --- # Consul ACL Bootstrap @@ -21,11 +21,12 @@ Usage: `consul acl bootstrap [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-format={pretty|json}` - Command output format. The default value is `pretty`. + +- `-format={pretty|json}` - Command output format. The default value is `pretty`. The output looks like this: diff --git a/website/pages/docs/commands/acl/policy.html.md.erb b/website/pages/docs/commands/acl/policy.mdx similarity index 91% rename from website/pages/docs/commands/acl/policy.html.md.erb rename to website/pages/docs/commands/acl/policy.mdx index aa4031097d..9317e54a21 100644 --- a/website/pages/docs/commands/acl/policy.html.md.erb +++ b/website/pages/docs/commands/acl/policy.mdx @@ -1,21 +1,21 @@ --- -layout: "docs" -page_title: "Commands: ACL Policy" -sidebar_current: "docs-commands-acl-policy" +layout: docs +page_title: 'Commands: ACL Policy' +sidebar_current: docs-commands-acl-policy --- # Consul ACL Policies Command: `consul acl policy` -The `acl policy` command is used to manage Consul's ACL policies. +The `acl policy` command is used to manage Consul's ACL policies. It exposes commands for creating, updating, reading, deleting, and listing policies. This command is available in Consul 1.4.0 and newer. ACL policies may also be managed via the [HTTP API](/api/acl/policies.html). -> **Note:** All of the example subcommands in this document will require a valid -Consul token with the appropriate permissions. Either set the +Consul token with the appropriate permissions. Either set the `CONSUL_HTTP_TOKEN` environment variable to the token's secret ID or pass the secret ID as the value of the `-token` parameter. @@ -23,8 +23,7 @@ secret ID as the value of the `-token` parameter. Usage: `consul acl policy ` -For the exact documentation for your Consul version, run `consul acl -policy -h` to view the complete list of subcommands. +For the exact documentation for your Consul version, run `consul acl policy -h` to view the complete list of subcommands. ```text Usage: consul acl policy [options] [args] diff --git a/website/pages/docs/commands/acl/policy/create.html.md.erb b/website/pages/docs/commands/acl/policy/create.mdx similarity index 67% rename from website/pages/docs/commands/acl/policy/create.html.md.erb rename to website/pages/docs/commands/acl/policy/create.mdx index 18a92acd21..8e3e46cd76 100644 --- a/website/pages/docs/commands/acl/policy/create.html.md.erb +++ b/website/pages/docs/commands/acl/policy/create.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Policy Create" -sidebar_current: "docs-commands-acl-policy-create" +layout: docs +page_title: 'Commands: ACL Policy Create' +sidebar_current: docs-commands-acl-policy-create --- # Consul ACL Policy Create @@ -28,38 +28,38 @@ Usage: `consul acl policy create [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-description=` - A description of the policy. +- `-description=` - A description of the policy. -* `-from-token=` - The legacy token to retrieve the rules for when creating this - policy. When this is specified no other rules should be given. - Similar to the -rules option the token to use can be loaded from - stdin or from a file. +- `-from-token=` - The legacy token to retrieve the rules for when creating this + policy. When this is specified no other rules should be given. + Similar to the -rules option the token to use can be loaded from + stdin or from a file. -* `-meta` - Indicates that policy metadata such as the content hash and raft - indices should be shown for each entry. +- `-meta` - Indicates that policy metadata such as the content hash and raft + indices should be shown for each entry. -* `-name=` - The new policy's name. This flag is required. +- `-name=` - The new policy's name. This flag is required. -* `-rules=` - The policy rules. May be prefixed with '@' to indicate that the - value is a file path to load the rules from. '-' may also be given - to indicate that the rules are available on stdin. +- `-rules=` - The policy rules. May be prefixed with '@' to indicate that the + value is a file path to load the rules from. '-' may also be given + to indicate that the rules are available on stdin. -* `-token-secret` - Indicates the token provided with -from-token is a SecretID and not - an AccessorID. +- `-token-secret` - Indicates the token provided with -from-token is a SecretID and not + an AccessorID. -* `-valid-datacenter=` - Datacenter that the policy should be valid within. - This flag may be specified multiple times. +- `-valid-datacenter=` - Datacenter that the policy should be valid within. + This flag may be specified multiple times. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/policy/delete.html.md.erb b/website/pages/docs/commands/acl/policy/delete.mdx similarity index 56% rename from website/pages/docs/commands/acl/policy/delete.html.md.erb rename to website/pages/docs/commands/acl/policy/delete.mdx index 56fac5c330..b915ff5b88 100644 --- a/website/pages/docs/commands/acl/policy/delete.html.md.erb +++ b/website/pages/docs/commands/acl/policy/delete.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Policy Delete" -sidebar_current: "docs-commands-acl-policy-delete" +layout: docs +page_title: 'Commands: ACL Policy Delete' +sidebar_current: docs-commands-acl-policy-delete --- # Consul ACL Policy Delete @@ -16,19 +16,19 @@ Usage: `consul acl policy delete [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-id=` - The ID of the policy to delete. It may be specified as a - unique ID prefix but will error if the prefix matches multiple policy IDs. +- `-id=` - The ID of the policy to delete. It may be specified as a + unique ID prefix but will error if the prefix matches multiple policy IDs. -* `-name=` - The Name of the policy to delete. +- `-name=` - The Name of the policy to delete. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/policy/list.html.md.erb b/website/pages/docs/commands/acl/policy/list.mdx similarity index 77% rename from website/pages/docs/commands/acl/policy/list.html.md.erb rename to website/pages/docs/commands/acl/policy/list.mdx index de67004bbf..16e3082d10 100644 --- a/website/pages/docs/commands/acl/policy/list.html.md.erb +++ b/website/pages/docs/commands/acl/policy/list.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Policy List" -sidebar_current: "docs-commands-acl-policy-list" +layout: docs +page_title: 'Commands: ACL Policy List' +sidebar_current: docs-commands-acl-policy-list --- # Consul ACL Policy List @@ -16,19 +16,19 @@ Usage: `consul acl policy list` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-meta` - Indicates that policy metadata such as the content hash and - Raft indices should be shown for each entry. +- `-meta` - Indicates that policy metadata such as the content hash and + Raft indices should be shown for each entry. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/policy/read.html.md.erb b/website/pages/docs/commands/acl/policy/read.mdx similarity index 78% rename from website/pages/docs/commands/acl/policy/read.html.md.erb rename to website/pages/docs/commands/acl/policy/read.mdx index 65118ce01d..a3f28ed138 100644 --- a/website/pages/docs/commands/acl/policy/read.html.md.erb +++ b/website/pages/docs/commands/acl/policy/read.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Policy Read" -sidebar_current: "docs-commands-acl-policy-read" +layout: docs +page_title: 'Commands: ACL Policy Read' +sidebar_current: docs-commands-acl-policy-read --- # Consul ACL Policy Read @@ -16,24 +16,24 @@ Usage: `consul acl policy read [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-id=` - The ID of the policy to read. It may be specified as a unique ID - prefix but will error if the prefix matches multiple policy IDs. +- `-id=` - The ID of the policy to read. It may be specified as a unique ID + prefix but will error if the prefix matches multiple policy IDs. -* `-meta` - Indicates that policy metadata such as the content hash and raft +- `-meta` - Indicates that policy metadata such as the content hash and raft indices should be shown for each entry. -* `-name=` - The name of the policy to read. +- `-name=` - The name of the policy to read. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/policy/update.html.md.erb b/website/pages/docs/commands/acl/policy/update.mdx similarity index 58% rename from website/pages/docs/commands/acl/policy/update.html.md.erb rename to website/pages/docs/commands/acl/policy/update.mdx index c002bcdf63..4d420c7def 100644 --- a/website/pages/docs/commands/acl/policy/update.html.md.erb +++ b/website/pages/docs/commands/acl/policy/update.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Policy Update" -sidebar_current: "docs-commands-acl-policy-update" +layout: docs +page_title: 'Commands: ACL Policy Update' +sidebar_current: docs-commands-acl-policy-update --- # Consul ACL Policy Update @@ -20,37 +20,37 @@ Usage: `consul acl policy update [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-description=` - A description of the policy. +- `-description=` - A description of the policy. -* `-id=` - The ID of the policy to update. It may be specified as a - unique ID prefix but will error if the prefix matches multiple policy IDs +- `-id=` - The ID of the policy to update. It may be specified as a + unique ID prefix but will error if the prefix matches multiple policy IDs -* `-meta` - Indicates that policy metadata such as the content hash and raft +- `-meta` - Indicates that policy metadata such as the content hash and raft indices should be shown for each entry -* `-name=` - The policy's name. +- `-name=` - The policy's name. -* `-no-merge` - Do not merge the current policy information with what is provided - to the command. Instead overwrite all fields with the exception of - the policy ID which is immutable. +- `-no-merge` - Do not merge the current policy information with what is provided + to the command. Instead overwrite all fields with the exception of + the policy ID which is immutable. -* `-rules=` - The policy rules. May be prefixed with `@` to indicate that - the value is a file path to load the rules from. `-` may also be given to - indicate that the rules are available on stdin. +- `-rules=` - The policy rules. May be prefixed with `@` to indicate that + the value is a file path to load the rules from. `-` may also be given to + indicate that the rules are available on stdin. -* `-valid-datacenter=` - Datacenter that the policy should be valid within. - This flag may be specified multiple times. +- `-valid-datacenter=` - Datacenter that the policy should be valid within. + This flag may be specified multiple times. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/role.html.md.erb b/website/pages/docs/commands/acl/role.mdx similarity index 90% rename from website/pages/docs/commands/acl/role.html.md.erb rename to website/pages/docs/commands/acl/role.mdx index c9689d7d4f..d1f398e286 100644 --- a/website/pages/docs/commands/acl/role.html.md.erb +++ b/website/pages/docs/commands/acl/role.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Role" -sidebar_current: "docs-commands-acl-role" +layout: docs +page_title: 'Commands: ACL Role' +sidebar_current: docs-commands-acl-role --- # Consul ACL Roles @@ -15,7 +15,7 @@ This command is available in Consul 1.5.0 and newer. ACL roles may also be managed via the [HTTP API](/api/acl/roles.html). -> **Note:** All of the example subcommands in this document will require a valid -Consul token with the appropriate permissions. Either set the +Consul token with the appropriate permissions. Either set the `CONSUL_HTTP_TOKEN` environment variable to the token's secret ID or pass the secret ID as the value of the `-token` parameter. @@ -23,8 +23,7 @@ secret ID as the value of the `-token` parameter. Usage: `consul acl role ` -For the exact documentation for your Consul version, run `consul acl -role -h` to view the complete list of subcommands. +For the exact documentation for your Consul version, run `consul acl role -h` to view the complete list of subcommands. ```text Usage: consul acl role [options] [args] diff --git a/website/pages/docs/commands/acl/role/create.html.md.erb b/website/pages/docs/commands/acl/role/create.mdx similarity index 59% rename from website/pages/docs/commands/acl/role/create.html.md.erb rename to website/pages/docs/commands/acl/role/create.mdx index 0f7eac554b..20636fc1d6 100644 --- a/website/pages/docs/commands/acl/role/create.html.md.erb +++ b/website/pages/docs/commands/acl/role/create.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Role Create" -sidebar_current: "docs-commands-acl-role-create" +layout: docs +page_title: 'Commands: ACL Role Create' +sidebar_current: docs-commands-acl-role-create --- # Consul ACL Role Create @@ -16,33 +16,33 @@ Usage: `consul acl role create [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-description=` - A description of the role. +- `-description=` - A description of the role. -* `-meta` - Indicates that role metadata such as the content hash and raft - indices should be shown for each entry. +- `-meta` - Indicates that role metadata such as the content hash and raft + indices should be shown for each entry. -* `-name=` - The new role's name. This flag is required. +- `-name=` - The new role's name. This flag is required. -* `-policy-id=` - ID of a policy to use for this role. May be specified +- `-policy-id=` - ID of a policy to use for this role. May be specified multiple times -* `-policy-name=` - Name of a policy to use for this role. May be +- `-policy-name=` - Name of a policy to use for this role. May be specified multiple times -* `-service-identity=` - Name of a service identity to use for this +- `-service-identity=` - Name of a service identity to use for this role. May be specified multiple times. Format is the `SERVICENAME` or `SERVICENAME:DATACENTER1,DATACENTER2,...` -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/role/delete.html.md.erb b/website/pages/docs/commands/acl/role/delete.mdx similarity index 62% rename from website/pages/docs/commands/acl/role/delete.html.md.erb rename to website/pages/docs/commands/acl/role/delete.mdx index 3383b69948..d1a3da1ca0 100644 --- a/website/pages/docs/commands/acl/role/delete.html.md.erb +++ b/website/pages/docs/commands/acl/role/delete.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Role Delete" -sidebar_current: "docs-commands-acl-role-delete" +layout: docs +page_title: 'Commands: ACL Role Delete' +sidebar_current: docs-commands-acl-role-delete --- # Consul ACL Role Delete @@ -16,19 +16,19 @@ Usage: `consul acl role delete [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-id=` - The ID of the role to delete. It may be specified as a +- `-id=` - The ID of the role to delete. It may be specified as a unique ID prefix but will error if the prefix matches multiple role IDs. -* `-name=` - The Name of the role to delete. +- `-name=` - The Name of the role to delete. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/role/list.html.md.erb b/website/pages/docs/commands/acl/role/list.mdx similarity index 76% rename from website/pages/docs/commands/acl/role/list.html.md.erb rename to website/pages/docs/commands/acl/role/list.mdx index 36fca09ef4..e999dc683e 100644 --- a/website/pages/docs/commands/acl/role/list.html.md.erb +++ b/website/pages/docs/commands/acl/role/list.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Role List" -sidebar_current: "docs-commands-acl-role-list" +layout: docs +page_title: 'Commands: ACL Role List' +sidebar_current: docs-commands-acl-role-list --- # Consul ACL Role List @@ -16,19 +16,19 @@ Usage: `consul acl role list` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-meta` - Indicates that role metadata such as the content hash and - Raft indices should be shown for each entry. +- `-meta` - Indicates that role metadata such as the content hash and + Raft indices should be shown for each entry. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/role/read.html.md.erb b/website/pages/docs/commands/acl/role/read.mdx similarity index 59% rename from website/pages/docs/commands/acl/role/read.html.md.erb rename to website/pages/docs/commands/acl/role/read.mdx index ad97fe4cef..e025bab750 100644 --- a/website/pages/docs/commands/acl/role/read.html.md.erb +++ b/website/pages/docs/commands/acl/role/read.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Role Read" -sidebar_current: "docs-commands-acl-role-read" +layout: docs +page_title: 'Commands: ACL Role Read' +sidebar_current: docs-commands-acl-role-read --- # Consul ACL Role Read @@ -16,24 +16,24 @@ Usage: `consul acl role read [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-id=` - The ID of the role to read. It may be specified as a unique ID - prefix but will error if the prefix matches multiple role IDs. +- `-id=` - The ID of the role to read. It may be specified as a unique ID + prefix but will error if the prefix matches multiple role IDs. -* `-meta` - Indicates that role metadata such as the content hash and raft +- `-meta` - Indicates that role metadata such as the content hash and raft indices should be shown for each entry. -* `-name=` - The name of the role to read. +- `-name=` - The name of the role to read. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/role/update.html.md.erb b/website/pages/docs/commands/acl/role/update.mdx similarity index 69% rename from website/pages/docs/commands/acl/role/update.html.md.erb rename to website/pages/docs/commands/acl/role/update.mdx index 2d13fe69f9..abd59f7251 100644 --- a/website/pages/docs/commands/acl/role/update.html.md.erb +++ b/website/pages/docs/commands/acl/role/update.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Role Update" -sidebar_current: "docs-commands-acl-role-update" +layout: docs +page_title: 'Commands: ACL Role Update' +sidebar_current: docs-commands-acl-role-update --- # Consul ACL Role Update @@ -20,40 +20,40 @@ Usage: `consul acl role update [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-description=` - A description of the role. +- `-description=` - A description of the role. -* `-id=` - The ID of the role to update. It may be specified as a +- `-id=` - The ID of the role to update. It may be specified as a unique ID prefix but will error if the prefix matches multiple role IDs -* `-meta` - Indicates that role metadata such as the content hash and raft +- `-meta` - Indicates that role metadata such as the content hash and raft indices should be shown for each entry -* `-name=` - The role name. +- `-name=` - The role name. -* `-no-merge` - Do not merge the current role information with what is provided +- `-no-merge` - Do not merge the current role information with what is provided to the command. Instead overwrite all fields with the exception of the role ID which is immutable. -* `-policy-id=` - ID of a policy to use for this role. May be specified +- `-policy-id=` - ID of a policy to use for this role. May be specified multiple times -* `-policy-name=` - Name of a policy to use for this role. May be +- `-policy-name=` - Name of a policy to use for this role. May be specified multiple times -* `-service-identity=` - Name of a service identity to use for this +- `-service-identity=` - Name of a service identity to use for this role. May be specified multiple times. Format is the `SERVICENAME` or `SERVICENAME:DATACENTER1,DATACENTER2,...` -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/set-agent-token.html.md.erb b/website/pages/docs/commands/acl/set-agent-token.html.md.erb deleted file mode 100644 index 302bd379f1..0000000000 --- a/website/pages/docs/commands/acl/set-agent-token.html.md.erb +++ /dev/null @@ -1,49 +0,0 @@ ---- -layout: "docs" -page_title: "Commands: ACL Set Agent Token" -sidebar_current: "docs-commands-acl-set-agent-token" ---- - -# Consul ACL Set Agent Token - -Command: `consul acl set-agent-token` - -This command updates the ACL tokens currently in use by the agent. It can be used to introduce -ACL tokens to the agent for the first time, or to update tokens that were initially loaded from -the agent's configuration. Tokens are not persisted, so will need to be updated again if the -agent is restarted. - -## Usage - -Usage: consul acl set-agent-token [options] TYPE TOKEN - - -### Token Types - -* `default` - The default token is the token that the agent will use for - both internal agent operations and operations initiated by the HTTP - and DNS interfaces when no specific token is provided. If not set the - agent will use the anonymous token. - -* `agent` - The token that the agent will use for internal agent operations. - If not given then the default token is used for these operations. - -* `master` - This sets the token that can be used to access the Agent APIs in - the event that the ACL datacenter cannot be reached. - -* `replication` - This is the token that the agent will use for replication - operations. This token will need to be configured with read access to - whatever data is being replicated. - -### API Options - -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> - -## Examples - -Set the `default` token: - -``` -$ consul acl set-agent-token default c4d0f8df-3aba-4ab6-a7a0-35b760dc29a1 -``` \ No newline at end of file diff --git a/website/pages/docs/commands/acl/set-agent-token.mdx b/website/pages/docs/commands/acl/set-agent-token.mdx new file mode 100644 index 0000000000..beca97fd6d --- /dev/null +++ b/website/pages/docs/commands/acl/set-agent-token.mdx @@ -0,0 +1,48 @@ +--- +layout: docs +page_title: 'Commands: ACL Set Agent Token' +sidebar_current: docs-commands-acl-set-agent-token +--- + +# Consul ACL Set Agent Token + +Command: `consul acl set-agent-token` + +This command updates the ACL tokens currently in use by the agent. It can be used to introduce +ACL tokens to the agent for the first time, or to update tokens that were initially loaded from +the agent's configuration. Tokens are not persisted, so will need to be updated again if the +agent is restarted. + +## Usage + +Usage: consul acl set-agent-token [options] TYPE TOKEN + +### Token Types + +- `default` - The default token is the token that the agent will use for + both internal agent operations and operations initiated by the HTTP + and DNS interfaces when no specific token is provided. If not set the + agent will use the anonymous token. + +- `agent` - The token that the agent will use for internal agent operations. + If not given then the default token is used for these operations. + +- `master` - This sets the token that can be used to access the Agent APIs in + the event that the ACL datacenter cannot be reached. + +- `replication` - This is the token that the agent will use for replication + operations. This token will need to be configured with read access to + whatever data is being replicated. + +### API Options + +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' + +## Examples + +Set the `default` token: + +``` +$ consul acl set-agent-token default c4d0f8df-3aba-4ab6-a7a0-35b760dc29a1 +``` diff --git a/website/pages/docs/commands/acl/token.html.md.erb b/website/pages/docs/commands/acl/token.mdx similarity index 83% rename from website/pages/docs/commands/acl/token.html.md.erb rename to website/pages/docs/commands/acl/token.mdx index 3128386937..1e14e4638b 100644 --- a/website/pages/docs/commands/acl/token.html.md.erb +++ b/website/pages/docs/commands/acl/token.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Token" -sidebar_current: "docs-commands-acl-token" +layout: docs +page_title: 'Commands: ACL Token' +sidebar_current: docs-commands-acl-token --- # Consul ACL Tokens @@ -15,7 +15,7 @@ This command is available in Consul 1.4.0 and newer. ACL tokens may also be managed via the [HTTP API](/api/acl/tokens.html). -> **Note:** All of the example subcommands in this document will require a valid -Consul token with the appropriate permissions. Either set the +Consul token with the appropriate permissions. Either set the `CONSUL_HTTP_TOKEN` environment variable to the token's secret ID or pass the secret ID as the value of the `-token` parameter. @@ -23,8 +23,7 @@ secret ID as the value of the `-token` parameter. Usage: `consul acl token ` -For the exact documentation for your Consul version, run `consul acl -token -h` to view the complete list of subcommands. +For the exact documentation for your Consul version, run `consul acl token -h` to view the complete list of subcommands. ```text Usage: consul acl token [options] [args] @@ -54,9 +53,9 @@ builtin token names will be accepted as the value of the `-id`. Builtin Tokens: -| Token UUID | Token Name | -| ------------------------------------ | ----------------- | -| 00000000-0000-0000-0000-000000000002 | anonymous | +| Token UUID | Token Name | +| ------------------------------------ | ---------- | +| 00000000-0000-0000-0000-000000000002 | anonymous | ## Basic Examples diff --git a/website/pages/docs/commands/acl/token/clone.html.md.erb b/website/pages/docs/commands/acl/token/clone.mdx similarity index 50% rename from website/pages/docs/commands/acl/token/clone.html.md.erb rename to website/pages/docs/commands/acl/token/clone.mdx index 9872ad874c..380c2e5900 100644 --- a/website/pages/docs/commands/acl/token/clone.html.md.erb +++ b/website/pages/docs/commands/acl/token/clone.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Token Clone" -sidebar_current: "docs-commands-acl-token-clone" +layout: docs +page_title: 'Commands: ACL Token Clone' +sidebar_current: docs-commands-acl-token-clone --- # Consul ACL Token Clone @@ -16,23 +16,23 @@ Usage: `consul acl token clone [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-description=` - A description of the new cloned token. +- `-description=` - A description of the new cloned token. -* `-id=` - The Accessor ID of the token to clone. It may be specified - as a unique ID prefix but will error if the prefix matches multiple token - Accessor IDs. The special value of 'anonymous' may be provided instead of - the anonymous tokens accessor ID +- `-id=` - The Accessor ID of the token to clone. It may be specified + as a unique ID prefix but will error if the prefix matches multiple token + Accessor IDs. The special value of 'anonymous' may be provided instead of + the anonymous tokens accessor ID -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/token/create.html.md.erb b/website/pages/docs/commands/acl/token/create.mdx similarity index 67% rename from website/pages/docs/commands/acl/token/create.html.md.erb rename to website/pages/docs/commands/acl/token/create.mdx index 084bcaee51..70bcb6dfef 100644 --- a/website/pages/docs/commands/acl/token/create.html.md.erb +++ b/website/pages/docs/commands/acl/token/create.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Token Create" -sidebar_current: "docs-commands-acl-token-create" +layout: docs +page_title: 'Commands: ACL Token Create' +sidebar_current: docs-commands-acl-token-create --- # Consul ACL Token Create @@ -18,45 +18,45 @@ Usage: `consul acl token create [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-accessor=` - Create the token with this Accessor ID. It must be a UUID. If not - specified one will be auto-generated +- `-accessor=` - Create the token with this Accessor ID. It must be a UUID. If not + specified one will be auto-generated -* `-description=` - A description of the token. +- `-description=` - A description of the token. -* `-expires-ttl=` - Duration of time this token should be valid for. +- `-expires-ttl=` - Duration of time this token should be valid for. -* `-local` - Create this as a datacenter local token. +- `-local` - Create this as a datacenter local token. -* `-meta` - Indicates that token metadata such as the content hash and raft indices should be shown - for each entry. +- `-meta` - Indicates that token metadata such as the content hash and raft indices should be shown + for each entry. -* `-policy-id=` - ID of a policy to use for this token. May be specified multiple times. +- `-policy-id=` - ID of a policy to use for this token. May be specified multiple times. -* `-policy-name=` - Name of a policy to use for this token. May be specified multiple times. +- `-policy-name=` - Name of a policy to use for this token. May be specified multiple times. -* `-role-id=` - ID of a role to use for this token. May be specified multiple times. +- `-role-id=` - ID of a role to use for this token. May be specified multiple times. -* `-role-name=` - Name of a role to use for this token. May be specified multiple times. +- `-role-name=` - Name of a role to use for this token. May be specified multiple times. -* `-service-identity=` - Name of a service identity to use for this +- `-service-identity=` - Name of a service identity to use for this token. May be specified multiple times. Format is the `SERVICENAME` or `SERVICENAME:DATACENTER1,DATACENTER2,...` -* `-secret=` - Create the token with this Secret ID. It must be a UUID. If not - specified one will be auto-generated. - **Note**: The SecretID is used to authorize operations against Consul and should - be generated from an appropriate cryptographic source. +- `-secret=` - Create the token with this Secret ID. It must be a UUID. If not + specified one will be auto-generated. + **Note**: The SecretID is used to authorize operations against Consul and should + be generated from an appropriate cryptographic source. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/token/delete.html.md.erb b/website/pages/docs/commands/acl/token/delete.html.md.erb deleted file mode 100644 index 88a1de4cae..0000000000 --- a/website/pages/docs/commands/acl/token/delete.html.md.erb +++ /dev/null @@ -1,38 +0,0 @@ ---- -layout: "docs" -page_title: "Commands: ACL Token Delete" -sidebar_current: "docs-commands-acl-token-delete" ---- - -# Consul ACL Token Delete - -Command: `consul acl token delete` - -The `acl token delete` command deletes a token. - -## Usage - -Usage: `consul acl token delete [options]` - -#### API Options - -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> - -#### Command Options - -* `-id=` - The ID of the token to delete. It may be specified as a - unique ID prefix but will error if the prefix matches multiple token IDs. - -#### Enterprise Options - -<%= partial "docs/commands/http_api_namespace_options" %> - -## Examples - -Delete a token: - -```sh -$ consul acl token delete -id 35b8 -Token "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully -``` diff --git a/website/pages/docs/commands/acl/token/delete.mdx b/website/pages/docs/commands/acl/token/delete.mdx new file mode 100644 index 0000000000..9e741d1d15 --- /dev/null +++ b/website/pages/docs/commands/acl/token/delete.mdx @@ -0,0 +1,38 @@ +--- +layout: docs +page_title: 'Commands: ACL Token Delete' +sidebar_current: docs-commands-acl-token-delete +--- + +# Consul ACL Token Delete + +Command: `consul acl token delete` + +The `acl token delete` command deletes a token. + +## Usage + +Usage: `consul acl token delete [options]` + +#### API Options + +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' + +#### Command Options + +- `-id=` - The ID of the token to delete. It may be specified as a + unique ID prefix but will error if the prefix matches multiple token IDs. + +#### Enterprise Options + +@include 'http_api_namespace_options.mdx' + +## Examples + +Delete a token: + +```sh +$ consul acl token delete -id 35b8 +Token "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully +``` diff --git a/website/pages/docs/commands/acl/token/list.html.md.erb b/website/pages/docs/commands/acl/token/list.mdx similarity index 74% rename from website/pages/docs/commands/acl/token/list.html.md.erb rename to website/pages/docs/commands/acl/token/list.mdx index 8d26a6c5b5..f44c310dec 100644 --- a/website/pages/docs/commands/acl/token/list.html.md.erb +++ b/website/pages/docs/commands/acl/token/list.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Token List" -sidebar_current: "docs-commands-acl-token-list" +layout: docs +page_title: 'Commands: ACL Token List' +sidebar_current: docs-commands-acl-token-list --- # Consul ACL Token List @@ -16,19 +16,19 @@ Usage: `consul acl token list` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-meta` - Indicates that token metadata such as the content hash and - Raft indices should be shown for each entry. +- `-meta` - Indicates that token metadata such as the content hash and + Raft indices should be shown for each entry. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/token/read.html.md.erb b/website/pages/docs/commands/acl/token/read.mdx similarity index 68% rename from website/pages/docs/commands/acl/token/read.html.md.erb rename to website/pages/docs/commands/acl/token/read.mdx index d1bc816299..b2998e04a6 100644 --- a/website/pages/docs/commands/acl/token/read.html.md.erb +++ b/website/pages/docs/commands/acl/token/read.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Token Read" -sidebar_current: "docs-commands-acl-token-read" +layout: docs +page_title: 'Commands: ACL Token Read' +sidebar_current: docs-commands-acl-token-read --- # Consul ACL Token Read @@ -16,25 +16,25 @@ Usage: `consul acl token read [options] [args]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-id=` - The ID of the policy to read. It may be specified as a unique ID - prefix but will error if the prefix matches multiple policy IDs. +- `-id=` - The ID of the policy to read. It may be specified as a unique ID + prefix but will error if the prefix matches multiple policy IDs. -* `-meta` - Indicates that policy metadata such as the content hash and raft +- `-meta` - Indicates that policy metadata such as the content hash and raft indices should be shown for each entry. -* `-self` - Indicates that the current HTTP token should be read by secret ID - instead of expecting a -id option. +- `-self` - Indicates that the current HTTP token should be read by secret ID + instead of expecting a -id option. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/token/update.html.md.erb b/website/pages/docs/commands/acl/token/update.mdx similarity index 59% rename from website/pages/docs/commands/acl/token/update.html.md.erb rename to website/pages/docs/commands/acl/token/update.mdx index f563caf420..2d1728dbe6 100644 --- a/website/pages/docs/commands/acl/token/update.html.md.erb +++ b/website/pages/docs/commands/acl/token/update.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Token Update" -sidebar_current: "docs-commands-acl-token-update" +layout: docs +page_title: 'Commands: ACL Token Update' +sidebar_current: docs-commands-acl-token-update --- # Consul ACL Token Update @@ -17,40 +17,39 @@ Usage: `consul acl token update [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-description=` - A description of the token +- `-description=` - A description of the token -* `-id=` - The Accessor ID of the token to read. It may be specified as a - unique ID prefix but will error if the prefix matches multiple token Accessor IDs +- `-id=` - The Accessor ID of the token to read. It may be specified as a + unique ID prefix but will error if the prefix matches multiple token Accessor IDs -* `-merge-policies` - Merge the new policies with the existing policies. +- `-merge-policies` - Merge the new policies with the existing policies. -* `-merge-roles` - Merge the new roles with the existing roles. +- `-merge-roles` - Merge the new roles with the existing roles. -* `-merge-service-identities` - Merge the new service identities with the existing service identities. +- `-merge-service-identities` - Merge the new service identities with the existing service identities. -* `-meta` - Indicates that token metadata such as the content hash and Raft indices should be - shown for each entry. +- `-meta` - Indicates that token metadata such as the content hash and Raft indices should be + shown for each entry. -* `-policy-id=` - ID of a policy to use for this token. May be specified multiple times. +- `-policy-id=` - ID of a policy to use for this token. May be specified multiple times. -* `-policy-name=` - Name of a policy to use for this token. May be specified multiple times. +- `-policy-name=` - Name of a policy to use for this token. May be specified multiple times. -* `-role-id=` - ID of a role to use for this token. May be specified multiple times. +- `-role-id=` - ID of a role to use for this token. May be specified multiple times. -* `-role-name=` - Name of a role to use for this token. May be specified multiple times. +- `-role-name=` - Name of a role to use for this token. May be specified multiple times. -* `-service-identity=` - Name of a service identity to use for this +- `-service-identity=` - Name of a service identity to use for this token. May be specified multiple times. Format is the `SERVICENAME` or `SERVICENAME:DATACENTER1,DATACENTER2,...` - -* `-upgrade-legacy` - Add new polices to a legacy token replacing all existing - rules. This will cause the legacy token to behave exactly like a new token -but keep the same secret. +- `-upgrade-legacy` - Add new polices to a legacy token replacing all existing + rules. This will cause the legacy token to behave exactly like a new token + but keep the same secret. ~> When upgrading a legacy token you must ensure that the new policy or policies specified grant equivalent or appropriate access for the existing clients using @@ -59,11 +58,11 @@ token migration](https://learn.hashicorp.com/consul/day-2-agent-authentication/migrate-acl-tokens) guide. -* `-format={pretty|json}` - Command output format. The default value is `pretty`. +- `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/acl/translate-rules.html.md.erb b/website/pages/docs/commands/acl/translate-rules.mdx similarity index 56% rename from website/pages/docs/commands/acl/translate-rules.html.md.erb rename to website/pages/docs/commands/acl/translate-rules.mdx index 5d6b980a4c..0bca7673e2 100644 --- a/website/pages/docs/commands/acl/translate-rules.html.md.erb +++ b/website/pages/docs/commands/acl/translate-rules.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: ACL Translate Rules" -sidebar_current: "docs-commands-acl-translate-rules" +layout: docs +page_title: 'Commands: ACL Translate Rules' +sidebar_current: docs-commands-acl-translate-rules --- -> **Deprecated:** This command exists only as a convenience to make legacy ACL migration easier. @@ -17,28 +17,28 @@ This command translates the legacy ACL rule syntax into the new syntax. Usage: `consul acl translate rules [options] TRANSLATE` - #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `TRANSLATE` - The rules to translate. If `-` is used, then - the rules will be read from stdin. If `@` is prefixed to - the value then the value is considered to be a file and - the rules will be read from that file. +- `TRANSLATE` - The rules to translate. If `-` is used, then + the rules will be read from stdin. If `@` is prefixed to + the value then the value is considered to be a file and + the rules will be read from that file. -* `-token-secret` - Specifies that what the `TRANSLATE` argument - holds is not a rule set but rather the token secret ID of a - legacy ACL token that holds the rule set. +- `-token-secret` - Specifies that what the `TRANSLATE` argument + holds is not a rule set but rather the token secret ID of a + legacy ACL token that holds the rule set. -* `-token-accessor` - Specifies that what the `TRANSLATE` argument - holds is not a rule set but rather the token accessor ID of a - legacy ACL token that holds the rule set. +- `-token-accessor` - Specifies that what the `TRANSLATE` argument + holds is not a rule set but rather the token accessor ID of a + legacy ACL token that holds the rule set. ### Examples + Translate rules within a file: ```sh diff --git a/website/pages/docs/commands/agent.html.md b/website/pages/docs/commands/agent.mdx similarity index 72% rename from website/pages/docs/commands/agent.html.md rename to website/pages/docs/commands/agent.mdx index dbf03aba21..386297a9fd 100644 --- a/website/pages/docs/commands/agent.html.md +++ b/website/pages/docs/commands/agent.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: Agent' -sidebar_current: 'docs-commands-agent' -description: |- - The `consul agent` command is the heart of Consul: it runs the agent that performs the important task of maintaining membership information, running checks, announcing services, handling queries, etc. +sidebar_current: docs-commands-agent +description: >- + The `consul agent` command is the heart of Consul: it runs the agent that + performs the important task of maintaining membership information, running + checks, announcing services, handling queries, etc. --- # Consul Agent diff --git a/website/pages/docs/commands/catalog.html.md b/website/pages/docs/commands/catalog.mdx similarity index 96% rename from website/pages/docs/commands/catalog.html.md rename to website/pages/docs/commands/catalog.mdx index e17a3ae30d..4e4124019f 100644 --- a/website/pages/docs/commands/catalog.html.md +++ b/website/pages/docs/commands/catalog.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: Catalog' -sidebar_current: 'docs-commands-catalog' +sidebar_current: docs-commands-catalog --- # Consul Catalog diff --git a/website/pages/docs/commands/catalog/datacenters.html.md.erb b/website/pages/docs/commands/catalog/datacenters.mdx similarity index 57% rename from website/pages/docs/commands/catalog/datacenters.html.md.erb rename to website/pages/docs/commands/catalog/datacenters.mdx index 7a9843025d..51e4136e11 100644 --- a/website/pages/docs/commands/catalog/datacenters.html.md.erb +++ b/website/pages/docs/commands/catalog/datacenters.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Catalog List Datacenters" -sidebar_current: "docs-commands-catalog-datacenters" +layout: docs +page_title: 'Commands: Catalog List Datacenters' +sidebar_current: docs-commands-catalog-datacenters --- # Consul Catalog List Datacenters @@ -27,5 +27,5 @@ Usage: `consul catalog datacenters [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' diff --git a/website/pages/docs/commands/catalog/nodes.html.md.erb b/website/pages/docs/commands/catalog/nodes.mdx similarity index 83% rename from website/pages/docs/commands/catalog/nodes.html.md.erb rename to website/pages/docs/commands/catalog/nodes.mdx index b8bd602a5f..d09bea3881 100644 --- a/website/pages/docs/commands/catalog/nodes.html.md.erb +++ b/website/pages/docs/commands/catalog/nodes.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Catalog List Nodes" -sidebar_current: "docs-commands-catalog-nodes" +layout: docs +page_title: 'Commands: Catalog List Nodes' +sidebar_current: docs-commands-catalog-nodes --- # Consul Catalog List Nodes @@ -53,8 +53,8 @@ Usage: `consul catalog nodes [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Catalog List Nodes Options @@ -73,6 +73,6 @@ Usage: `consul catalog nodes [options]` which are providing the given service will be returned. - `-filter=` - Expression to use for filtering the results. Can be passed - via stdin by using `-` for the value or from a file by passing `@`. - See the [`/catalog/nodes` API documentation](/api/catalog.html#filtering) for a - description of what is filterable. + via stdin by using `-` for the value or from a file by passing `@`. + See the [`/catalog/nodes` API documentation](/api/catalog.html#filtering) for a + description of what is filterable. diff --git a/website/pages/docs/commands/catalog/services.html.md.erb b/website/pages/docs/commands/catalog/services.mdx similarity index 80% rename from website/pages/docs/commands/catalog/services.html.md.erb rename to website/pages/docs/commands/catalog/services.mdx index 73261ba3f5..85277e2d8f 100644 --- a/website/pages/docs/commands/catalog/services.html.md.erb +++ b/website/pages/docs/commands/catalog/services.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Catalog List Services" -sidebar_current: "docs-commands-catalog-services" +layout: docs +page_title: 'Commands: Catalog List Services' +sidebar_current: docs-commands-catalog-services --- # Consul Catalog List Services @@ -40,19 +40,18 @@ consul redis ``` - ## Usage Usage: `consul catalog services [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' #### Catalog List Nodes Options diff --git a/website/pages/docs/commands/config.html.md b/website/pages/docs/commands/config.mdx similarity index 96% rename from website/pages/docs/commands/config.html.md rename to website/pages/docs/commands/config.mdx index 155c48aee0..8aeaaca2b5 100644 --- a/website/pages/docs/commands/config.html.md +++ b/website/pages/docs/commands/config.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: Config' -sidebar_current: 'docs-commands-config' +sidebar_current: docs-commands-config --- # Consul Config diff --git a/website/pages/docs/commands/config/delete.html.md.erb b/website/pages/docs/commands/config/delete.mdx similarity index 58% rename from website/pages/docs/commands/config/delete.html.md.erb rename to website/pages/docs/commands/config/delete.mdx index fcd209090f..e4c8a0132c 100644 --- a/website/pages/docs/commands/config/delete.html.md.erb +++ b/website/pages/docs/commands/config/delete.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Config Delete" -sidebar_current: "docs-commands-config-delete" +layout: docs +page_title: 'Commands: Config Delete' +sidebar_current: docs-commands-config-delete --- # Consul Config Delete @@ -18,17 +18,17 @@ Usage: `consul config delete [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' #### Config Delete Options -* `-kind` - Specifies the kind of the config entry to read. +- `-kind` - Specifies the kind of the config entry to read. -* `-name` - Specifies the name of the config entry to read. +- `-name` - Specifies the name of the config entry to read. ## Examples diff --git a/website/pages/docs/commands/config/list.html.md.erb b/website/pages/docs/commands/config/list.mdx similarity index 63% rename from website/pages/docs/commands/config/list.html.md.erb rename to website/pages/docs/commands/config/list.mdx index cc6e8ae66d..a7e7891e8a 100644 --- a/website/pages/docs/commands/config/list.html.md.erb +++ b/website/pages/docs/commands/config/list.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Config List" -sidebar_current: "docs-commands-config-list" +layout: docs +page_title: 'Commands: Config List' +sidebar_current: docs-commands-config-list --- # Consul Config List @@ -18,15 +18,15 @@ Usage: `consul config list [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' #### Config List Options -* `-kind` - Specifies the kind of the config entry to read. +- `-kind` - Specifies the kind of the config entry to read. ## Examples diff --git a/website/pages/docs/commands/config/read.html.md.erb b/website/pages/docs/commands/config/read.mdx similarity index 66% rename from website/pages/docs/commands/config/read.html.md.erb rename to website/pages/docs/commands/config/read.mdx index 196af9edde..d0f854a52d 100644 --- a/website/pages/docs/commands/config/read.html.md.erb +++ b/website/pages/docs/commands/config/read.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Config Read" -sidebar_current: "docs-commands-config-read" +layout: docs +page_title: 'Commands: Config Read' +sidebar_current: docs-commands-config-read --- # Consul Config Read @@ -19,17 +19,17 @@ Usage: `consul config read [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' #### Config Read Options -* `-kind` - Specifies the kind of the config entry to read. +- `-kind` - Specifies the kind of the config entry to read. -* `-name` - Specifies the name of the config entry to read. +- `-name` - Specifies the name of the config entry to read. ## Examples diff --git a/website/pages/docs/commands/config/write.html.md.erb b/website/pages/docs/commands/config/write.mdx similarity index 66% rename from website/pages/docs/commands/config/write.html.md.erb rename to website/pages/docs/commands/config/write.mdx index 7327181dc2..afa25fa02d 100644 --- a/website/pages/docs/commands/config/write.html.md.erb +++ b/website/pages/docs/commands/config/write.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Config Write" -sidebar_current: "docs-commands-config-write" +layout: docs +page_title: 'Commands: Config Write' +sidebar_current: docs-commands-config-write --- # Consul Config Write @@ -18,15 +18,15 @@ Usage: `consul config write [options] FILE` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' #### Config Write Options -* `-cas` - Specifies to use a Check-And-Set operation. If the index is +- `-cas` - Specifies to use a Check-And-Set operation. If the index is 0, Consul will only store the entry if it does not already exist. If the index is non-zero, the entry is only set if the current index matches the `ModifyIndex` of that entry. @@ -41,7 +41,6 @@ From stdin: $ consul config write - - ### Config Entry examples All config entries must have a `Kind` when registered. Currently, the only @@ -54,21 +53,21 @@ protocol and Connect fields. ```json { - "Kind": "service-defaults", - "Name": "web", - "Protocol": "http", + "Kind": "service-defaults", + "Name": "web", + "Protocol": "http" } ``` -* `Name` - Sets the name of the config entry. For service defaults, this must be +- `Name` - Sets the name of the config entry. For service defaults, this must be the name of the service being configured. -* `Protocol` - Sets the protocol of the service. This is used by Connect proxies +- `Protocol` - Sets the protocol of the service. This is used by Connect proxies for things like observability features. -* `Connect` - This block contains Connect-related fields for the service. +- `Connect` - This block contains Connect-related fields for the service. - * `SidecarProxy` - Sets whether or not instances of this service should get a + - `SidecarProxy` - Sets whether or not instances of this service should get a sidecar proxy by default. #### Proxy defaults @@ -78,16 +77,15 @@ for Connect proxy config. Currently, only one global entry is supported. ```json { - "Kind": "proxy-defaults", - "Name": "global", - "Config": { - "foo": 1 - } + "Kind": "proxy-defaults", + "Name": "global", + "Config": { + "foo": 1 + } } ``` -* `Name` - Sets the name of the config entry. Currently, only a single `proxy-defaults` +- `Name` - Sets the name of the config entry. Currently, only a single `proxy-defaults` entry with the name `global` is supported. - * `Config` - An arbitrary map of configuration values used by Connect proxies. diff --git a/website/pages/docs/commands/connect.html.md b/website/pages/docs/commands/connect.mdx similarity index 95% rename from website/pages/docs/commands/connect.html.md rename to website/pages/docs/commands/connect.mdx index 26af393d7d..f4ec710900 100644 --- a/website/pages/docs/commands/connect.html.md +++ b/website/pages/docs/commands/connect.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: Connect' -sidebar_current: 'docs-commands-connect' +sidebar_current: docs-commands-connect --- # Consul Connect diff --git a/website/pages/docs/commands/connect/ca.html.md.erb b/website/pages/docs/commands/connect/ca.mdx similarity index 77% rename from website/pages/docs/commands/connect/ca.html.md.erb rename to website/pages/docs/commands/connect/ca.mdx index 296cacc4e2..5622f28a0b 100644 --- a/website/pages/docs/commands/connect/ca.html.md.erb +++ b/website/pages/docs/commands/connect/ca.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Connect CA" -sidebar_current: "docs-commands-connect-ca" +layout: docs +page_title: 'Commands: Connect CA' +sidebar_current: docs-commands-connect-ca description: > The connect CA subcommand is used to view and modify the Connect Certificate Authority (CA) configuration. @@ -47,8 +47,8 @@ Usage: `consul connect ca get-config [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' The output looks like this: @@ -71,14 +71,14 @@ Usage: `consul connect ca set-config [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-config-file` - (required) Specifies a JSON-formatted file to use for the new configuration. - The format of this config file matches the request payload documented in the - [Update CA Configuration API](/api/connect/ca.html#update-ca-configuration). +- `-config-file` - (required) Specifies a JSON-formatted file to use for the new configuration. + The format of this config file matches the request payload documented in the + [Update CA Configuration API](/api/connect/ca.html#update-ca-configuration). The output looks like this: diff --git a/website/pages/docs/commands/connect/envoy.html.md.erb b/website/pages/docs/commands/connect/envoy.mdx similarity index 65% rename from website/pages/docs/commands/connect/envoy.html.md.erb rename to website/pages/docs/commands/connect/envoy.mdx index 50106fbcf4..fa89e6fb64 100644 --- a/website/pages/docs/commands/connect/envoy.html.md.erb +++ b/website/pages/docs/commands/connect/envoy.mdx @@ -1,9 +1,10 @@ --- -layout: "docs" -page_title: "Commands: Connect Proxy" -sidebar_current: "docs-commands-connect-envoy" +layout: docs +page_title: 'Commands: Connect Proxy' +sidebar_current: docs-commands-connect-envoy description: > - The connect proxy subcommand is used to run the built-in mTLS proxy for Connect. + The connect proxy subcommand is used to run the built-in mTLS proxy for + Connect. --- # Consul Connect Envoy @@ -36,55 +37,55 @@ Usage: `consul connect envoy [options] [-- pass-through options]` The standard API options are used to connect to the local agent to discover the proxy configuration needed. - - `-grpc-addr=` - Address of the Consul agent with `grpc` port. This can - be an IP address or DNS address, but it must include the port. This can also - be specified via the CONSUL_GRPC_ADDR environment variable. In Consul 1.3 and - later, the default value is 127.0.0.1:8502, and https can optionally - be used instead. The scheme can also be set to HTTPS by setting the - environment variable CONSUL_HTTP_SSL=true. This may be a unix domain socket - using `unix:///path/to/socket` if the [agent is configured to - listen](/docs/agent/options.html#addresses) that way. +- `-grpc-addr=` - Address of the Consul agent with `grpc` port. This can + be an IP address or DNS address, but it must include the port. This can also + be specified via the CONSUL_GRPC_ADDR environment variable. In Consul 1.3 and + later, the default value is 127.0.0.1:8502, and https can optionally + be used instead. The scheme can also be set to HTTPS by setting the + environment variable CONSUL_HTTP_SSL=true. This may be a unix domain socket + using `unix:///path/to/socket` if the [agent is configured to + listen](/docs/agent/options.html#addresses) that way. -> **Note:** gRPC uses the same TLS - settings as the HTTPS API. If HTTPS is enabled then gRPC will require HTTPS - as well. + settings as the HTTPS API. If HTTPS is enabled then gRPC will require HTTPS + as well. - <%= partial "docs/commands/http_api_options_client" %> + @include 'http_api_options_client.mdx' #### Envoy Options for both Sidecars and Gateways - * `-proxy-id` - The [proxy service](/docs/connect/registration/service-registration.html) ID on the - local agent. This must already be present on the local agent. +- `-proxy-id` - The [proxy service](/docs/connect/registration/service-registration.html) ID on the + local agent. This must already be present on the local agent. - * `-envoy-binary` - The full path to a specific Envoy binary to exec. By - default the current `$PATH` is searched for `envoy`. +- `-envoy-binary` - The full path to a specific Envoy binary to exec. By + default the current `$PATH` is searched for `envoy`. - * `-admin-bind` - The `host:port` to bind Envoy's admin HTTP API. Default is - `localhost:19000`. Envoy requires that this be enabled. The host part must be - resolvable DNS name or IP address. +- `-admin-bind` - The `host:port` to bind Envoy's admin HTTP API. Default is + `localhost:19000`. Envoy requires that this be enabled. The host part must be + resolvable DNS name or IP address. - * `-bootstrap` - If present, the command will simply output the generated - bootstrap config to stdout in JSON protobuf form. This can be directed to a - file and used to start Envoy with `envoy -c bootstrap.json`. +- `-bootstrap` - If present, the command will simply output the generated + bootstrap config to stdout in JSON protobuf form. This can be directed to a + file and used to start Envoy with `envoy -c bootstrap.json`. - ~> **Security Note:** If ACLs are enabled the bootstrap JSON will contain the - ACL token from `-token` or the environment and so should be handled as a secret. - This token grants the identity of any service it has `service:write` permission - for and so can be used to access any upstream service that that service is - allowed to access by [Connect intentions](/docs/connect/intentions.html). + ~> **Security Note:** If ACLs are enabled the bootstrap JSON will contain the + ACL token from `-token` or the environment and so should be handled as a secret. + This token grants the identity of any service it has `service:write` permission + for and so can be used to access any upstream service that that service is + allowed to access by [Connect intentions](/docs/connect/intentions.html). - * `-envoy-version` - The version of envoy that is being started. Default is - `1.13.0`. This is required so that the correct configuration can be generated. +- `-envoy-version` - The version of envoy that is being started. Default is + `1.13.0`. This is required so that the correct configuration can be generated. - * `-- [pass-through options]` - Any options given after a double dash are passed - directly through to the `envoy` invocation. See [Envoy's - documentation](https://www.envoyproxy.io/docs) for more details. The command - always specifies `--config-file` and `--v2-config-only` and by default passes - `--disable-hot-restart` see [hot restart](#hot-restart). +- `-- [pass-through options]` - Any options given after a double dash are passed + directly through to the `envoy` invocation. See [Envoy's + documentation](https://www.envoyproxy.io/docs) for more details. The command + always specifies `--config-file` and `--v2-config-only` and by default passes + `--disable-hot-restart` see [hot restart](#hot-restart). #### Envoy Sidecar Proxy Options -* `-sidecar-for` - The _ID_ (not name if they differ) of the service instance +- `-sidecar-for` - The _ID_ (not name if they differ) of the service instance this proxy will represent. The target service doesn't need to exist on the local agent yet but a [sidecar proxy registration](/docs/connect/registration/service-registration.html) with @@ -92,44 +93,44 @@ proxy configuration needed. multiple proxy registrations targeting the same local service instance are present the command will error and `-proxy-id` should be used instead. - -> **Note:** If ACLs are enabled, a token granting `service:write` for the - _target_ service (configured in `proxy.destination_service_name`) must be - passed using the `-token` option or `CONSUL_HTTP_TOKEN` environment variable. - This token authorizes the proxy to obtain TLS certificates representing the - target service. + -> **Note:** If ACLs are enabled, a token granting `service:write` for the + _target_ service (configured in `proxy.destination_service_name`) must be + passed using the `-token` option or `CONSUL_HTTP_TOKEN` environment variable. + This token authorizes the proxy to obtain TLS certificates representing the + target service. #### Envoy Gateway Options -* `-gateway` - Flag to indicate that Envoy should be configured as a Gateway. +- `-gateway` - Flag to indicate that Envoy should be configured as a Gateway. Must be one of: `terminating` or `mesh`. If multiple gateways are managed by the same local agent then `-proxy-id` should be used as well to specify the instance this represents. -* `-register` - Indicates that the gateway service should be registered +- `-register` - Indicates that the gateway service should be registered with the local agent instead of expecting it to already exist. This flag is unused for traditional sidecar proxies. -* `-address` - The address to advertise for services within the local datacenter +- `-address` - The address to advertise for services within the local datacenter to use to reach the gateway instance. This flag is used in combination with `-register`. This takes the form of `:` but also supports go-sockaddr templates. -* `-wan-address` - The address to advertise for services within remote datacenters +- `-wan-address` - The address to advertise for services within remote datacenters to use to reach the gateway instance. This flag is used in combination with `-register`. This takes the form of `:` but also supports go-sockaddr templates. -* `-service` - The name of the gateway service to register. This flag is used +- `-service` - The name of the gateway service to register. This flag is used in combination with `-register`. -* `-deregister-after-critical` - The amount of time the gateway services health check can +- `-deregister-after-critical` - The amount of time the gateway services health check can be failing before being deregistered. This flag is used in combination with `-register` -> **Note:** If ACLs are enabled, a token granting `service:write` for the - gateway's service name must be passed using the `-token` option or - `CONSUL_HTTP_TOKEN` environment variable. This token authorizes the proxy - to obtain receive and route communications for other Connect services but - does not allow decrypting any of their communications. +gateway's service name must be passed using the `-token` option or +`CONSUL_HTTP_TOKEN` environment variable. This token authorizes the proxy +to obtain receive and route communications for other Connect services but +does not allow decrypting any of their communications. ## Examples diff --git a/website/pages/docs/commands/connect/proxy.html.md.erb b/website/pages/docs/commands/connect/proxy.mdx similarity index 76% rename from website/pages/docs/commands/connect/proxy.html.md.erb rename to website/pages/docs/commands/connect/proxy.mdx index 6fcecda131..061245ee70 100644 --- a/website/pages/docs/commands/connect/proxy.html.md.erb +++ b/website/pages/docs/commands/connect/proxy.mdx @@ -1,9 +1,10 @@ --- -layout: "docs" -page_title: "Commands: Connect Proxy" -sidebar_current: "docs-commands-connect-proxy" +layout: docs +page_title: 'Commands: Connect Proxy' +sidebar_current: docs-commands-connect-proxy description: > - The connect proxy subcommand is used to run the built-in mTLS proxy for Connect. + The connect proxy subcommand is used to run the built-in mTLS proxy for + Connect. --- # Consul Connect Proxy @@ -15,19 +16,18 @@ use with Connect. This can be used in production to enable a Connect-unaware application to accept and establish Connect-based connections. This proxy can also be used in development to connect to Connect-enabled services. - ## Usage Usage: `consul connect proxy [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Proxy Options -* `-sidecar-for` - The _ID_ (not name if they differ) of the service instance +- `-sidecar-for` - The _ID_ (not name if they differ) of the service instance this proxy will represent. The target service doesn't need to exist on the local agent yet but a [sidecar proxy registration](/docs/connect/registration/service-registration.html) with @@ -35,40 +35,40 @@ Usage: `consul connect proxy [options]` multiple proxy registrations targeting the same local service instance are present the command will error and `-proxy-id` should be used instead. -* `-proxy-id` - The [proxy +- `-proxy-id` - The [proxy service](/docs/connect/registration/service-registration.html) ID on the local agent. This must already be present on the local agent. -* `-log-level` - Specifies the log level. +- `-log-level` - Specifies the log level. -* `-pprof-addr` - Enable debugging via pprof. Providing a host:port (or just ':port') +- `-pprof-addr` - Enable debugging via pprof. Providing a host:port (or just ':port') enables profiling HTTP endpoints on that address. -* `-service` - Name of the service this proxy is representing. This service +- `-service` - Name of the service this proxy is representing. This service doesn't need to actually exist in the Consul catalog, but proper ACL permissions (`service:write`) are required. This and the remaining options can be used to setup a proxy that is not registered already with local config [useful for development](/docs/connect/dev.html). -* `-upstream` - Upstream service to support connecting to. The format should be +- `-upstream` - Upstream service to support connecting to. The format should be 'name:addr', such as 'db:8181'. This will make 'db' available on port 8181. When a regular TCP connection is made to port 8181, the proxy will service discover "db" and establish a Connect mTLS connection identifying as the `-service` value. This flag can be repeated multiple times. -* `-listen` - Address to listen for inbound connections to the proxied service. +- `-listen` - Address to listen for inbound connections to the proxied service. Must be specified with -service and -service-addr. If this isn't specified, an inbound listener is not started. -* `-service-addr` - Address of the local service to proxy. Required for +- `-service-addr` - Address of the local service to proxy. Required for `-listen`. -* `-register` - Self-register with the local Consul agent, making this +- `-register` - Self-register with the local Consul agent, making this proxy available as Connect-capable service in the catalog. This is only useful with `-listen`. -* `-register-id` - Optional ID suffix for the service when `-register` is set to - disambiguate the service ID. By default the service ID is "-proxy" +- `-register-id` - Optional ID suffix for the service when `-register` is set to + disambiguate the service ID. By default the service ID is `-proxy` where `` is the `-service` value. In most cases it is now preferable to use [`consul services register`](/docs/commands/services/register.html) to register a fully configured proxy instance rather than specify config and diff --git a/website/pages/docs/commands/debug.html.markdown.erb b/website/pages/docs/commands/debug.mdx similarity index 63% rename from website/pages/docs/commands/debug.html.markdown.erb rename to website/pages/docs/commands/debug.mdx index 2f1457b19a..1252b562f8 100644 --- a/website/pages/docs/commands/debug.html.markdown.erb +++ b/website/pages/docs/commands/debug.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Debug" -sidebar_current: "docs-commands-debug" +layout: docs +page_title: 'Commands: Debug' +sidebar_current: docs-commands-debug --- # Consul Debug @@ -48,23 +48,23 @@ all targets for 2 minutes. #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Command Options -* `-duration` - Optional, the total time to capture data for from the target agent. Must +- `-duration` - Optional, the total time to capture data for from the target agent. Must be greater than the interval and longer than 10 seconds. Defaults to 2 minutes. -* `-interval` - Optional, the interval at which to capture dynamic data, such as logs +- `-interval` - Optional, the interval at which to capture dynamic data, such as logs and metrics. Must be longer than 5 seconds. Defaults to 30 seconds. -* `-capture` - Optional, can be specified multiple times for each [capture target](#capture-targets) +- `-capture` - Optional, can be specified multiple times for each [capture target](#capture-targets) and will only record that information in the archive. -* `-output` - Optional, the full path of where to write the directory of data and +- `-output` - Optional, the full path of where to write the directory of data and resulting archive. Defaults to the current directory. -* `-archive` - Optional, if the tool show archive the directory of data into a +- `-archive` - Optional, if the tool show archive the directory of data into a compressed tar file. Defaults to true. ## Capture Targets @@ -72,14 +72,14 @@ all targets for 2 minutes. The `-capture` flag can be specified multiple times to capture specific information when `debug` is running. By default, it captures all information. -| Target | Description | -| ------ | ---------------------------- | -| `agent` | Version and configuration information about the agent. | -| `host` | Information about resources on the host running the target agent such as CPU, memory, and disk. | -| `cluster` | A list of all the WAN and LAN members in the cluster. | -| `metrics` | Metrics from the in-memory metrics endpoint in the target, captured at the interval. | -| `logs` | `DEBUG` level logs for the target agent, captured for the interval. | -| `pprof` | Golang heap, CPU, goroutine, and trace profiling. This information is not retrieved unless [`enable_debug`](/docs/agent/options.html#enable_debug) is set to `true` on the target agent. | +| Target | Description | +| --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `agent` | Version and configuration information about the agent. | +| `host` | Information about resources on the host running the target agent such as CPU, memory, and disk. | +| `cluster` | A list of all the WAN and LAN members in the cluster. | +| `metrics` | Metrics from the in-memory metrics endpoint in the target, captured at the interval. | +| `logs` | `DEBUG` level logs for the target agent, captured for the interval. | +| `pprof` | Golang heap, CPU, goroutine, and trace profiling. This information is not retrieved unless [`enable_debug`](/docs/agent/options.html#enable_debug) is set to `true` on the target agent. | ## Examples @@ -119,4 +119,4 @@ and `-duration` flags. ```text $ consul debug -interval=15s -duration=1m ... -``` \ No newline at end of file +``` diff --git a/website/pages/docs/commands/event.html.markdown.erb b/website/pages/docs/commands/event.mdx similarity index 72% rename from website/pages/docs/commands/event.html.markdown.erb rename to website/pages/docs/commands/event.mdx index 799cd9140a..8c1961ee55 100644 --- a/website/pages/docs/commands/event.html.markdown.erb +++ b/website/pages/docs/commands/event.mdx @@ -1,9 +1,13 @@ --- -layout: "docs" -page_title: "Commands: Event" -sidebar_current: "docs-commands-event" -description: |- - The event command provides a mechanism to fire a custom user event to an entire datacenter. These events are opaque to Consul, but they can be used to build scripting infrastructure to do automated deploys, restart services, or perform any other orchestration action. Events can be handled by using a watch. +layout: docs +page_title: 'Commands: Event' +sidebar_current: docs-commands-event +description: >- + The event command provides a mechanism to fire a custom user event to an + entire datacenter. These events are opaque to Consul, but they can be used to + build scripting infrastructure to do automated deploys, restart services, or + perform any other orchestration action. Events can be handled by using a + watch. --- # Consul Event @@ -41,18 +45,17 @@ payload can be provided as the final argument. #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-name` - The name of the event. +- `-name` - The name of the event. -* `-node` - Regular expression to filter nodes which should evaluate the event. +- `-node` - Regular expression to filter nodes which should evaluate the event. -* `-service` - Regular expression to filter to only nodes with matching services. +- `-service` - Regular expression to filter to only nodes with matching services. -* `-tag` - Regular expression to filter to only nodes with a service that has +- `-tag` - Regular expression to filter to only nodes with a service that has a matching tag. This must be used with `-service`. As an example, you may do `-service mysql -tag secondary`. - diff --git a/website/pages/docs/commands/exec.html.markdown.erb b/website/pages/docs/commands/exec.mdx similarity index 73% rename from website/pages/docs/commands/exec.html.markdown.erb rename to website/pages/docs/commands/exec.mdx index 4d5c9f29eb..234161e6b8 100644 --- a/website/pages/docs/commands/exec.html.markdown.erb +++ b/website/pages/docs/commands/exec.mdx @@ -1,9 +1,11 @@ --- -layout: "docs" -page_title: "Commands: Exec" -sidebar_current: "docs-commands-exec" -description: |- - The exec command provides a mechanism for remote execution. For example, this can be used to run the `uptime` command across all machines providing the `web` service. +layout: docs +page_title: 'Commands: Exec' +sidebar_current: docs-commands-exec +description: >- + The exec command provides a mechanism for remote execution. For example, this + can be used to run the `uptime` command across all machines providing the + `web` service. --- # Consul Exec @@ -33,7 +35,7 @@ The table below shows the [required ACLs](/api/index.html#authentication) in ord execute this command. | ACL Required | Scope | -| ------------ | ------------ | +| --------------- | ----------------- | | `agent:read` | local agent | | `session:write` | local agent | | `key:write` | `"_rexec"` prefix | @@ -49,31 +51,31 @@ completion as a script to evaluate. #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-prefix` - Key prefix in the KV store to use for storing request data. +- `-prefix` - Key prefix in the KV store to use for storing request data. Defaults to `_rexec`. -* `-node` - Regular expression to filter nodes which should evaluate the event. +- `-node` - Regular expression to filter nodes which should evaluate the event. -* `-service` - Regular expression to filter to only nodes with matching services. +- `-service` - Regular expression to filter to only nodes with matching services. -* `-shell` - Optional, use a shell to run the command. The default value is true. +- `-shell` - Optional, use a shell to run the command. The default value is true. -* `-tag` - Regular expression to filter to only nodes with a service that has +- `-tag` - Regular expression to filter to only nodes with a service that has a matching tag. This must be used with `-service`. As an example, you may do `-service mysql -tag secondary`. -* `-wait` - Specifies the period of time in which no agent's respond before considering +- `-wait` - Specifies the period of time in which no agent's respond before considering the job finished. This is basically the quiescent time required to assume completion. This period is not a hard deadline, and the command will wait longer depending on various heuristics. -* `-wait-repl` - Period to wait after writing the job specification for replication. +- `-wait-repl` - Period to wait after writing the job specification for replication. This is a heuristic value and enables agents to do a stale read of the job. Defaults to 200 msec. -* `-verbose` - Enables verbose output. +- `-verbose` - Enables verbose output. diff --git a/website/pages/docs/commands/force-leave.html.markdown.erb b/website/pages/docs/commands/force-leave.mdx similarity index 80% rename from website/pages/docs/commands/force-leave.html.markdown.erb rename to website/pages/docs/commands/force-leave.mdx index 3296e0c631..9f40857801 100644 --- a/website/pages/docs/commands/force-leave.html.markdown.erb +++ b/website/pages/docs/commands/force-leave.mdx @@ -1,9 +1,11 @@ --- -layout: "docs" -page_title: "Commands: Force Leave" -sidebar_current: "docs-commands-forceleave" -description: |- - The `force-leave` command forces a member of a Consul cluster to enter the left state. If the member is still actually alive, it will eventually rejoin the cluster. The true purpose of this method is to force remove failed nodes. +layout: docs +page_title: 'Commands: Force Leave' +sidebar_current: docs-commands-forceleave +description: >- + The `force-leave` command forces a member of a Consul cluster to enter the + left state. If the member is still actually alive, it will eventually rejoin + the cluster. The true purpose of this method is to force remove failed nodes. --- # Consul Force Leave @@ -11,7 +13,7 @@ description: |- Command: `consul force-leave` The `force-leave` command forces a member of a Consul cluster to enter the -"left" state. The purpose of this method is to force-remove a node that has failed or +"left" state. The purpose of this method is to force-remove a node that has failed or was shutdown without a [graceful leave](https://www.consul.io/docs/commands/leave.html). Consul periodically tries to reconnect to "failed" nodes in case failure was due @@ -35,7 +37,7 @@ Usage: `consul force-leave [options] node` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' ## Examples @@ -51,12 +53,13 @@ When run on a server that is part of a The identifying node-name in a WAN pool is `[node-name].[datacenter]`. Therefore, to remove a failed server node named `server1` from -datacenter `us-east1`, run: +datacenter `us-east1`, run: ``` consul force-leave server1.us-east1 ``` + #### Command Options -* `-prune` - Removes failed or left agent from the list of -members entirely +- `-prune` - Removes failed or left agent from the list of + members entirely diff --git a/website/pages/docs/commands/index.html.md b/website/pages/docs/commands/index.mdx similarity index 96% rename from website/pages/docs/commands/index.html.md rename to website/pages/docs/commands/index.mdx index 7e427fadca..4c304a79c6 100644 --- a/website/pages/docs/commands/index.html.md +++ b/website/pages/docs/commands/index.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Commands' -sidebar_current: 'docs-commands' -description: |- - Consul is controlled via a very easy to use command-line interface (CLI). Consul is only a single command-line application: `consul`. This application then takes a subcommand such as agent or members. The complete list of subcommands is in the navigation to the left. +layout: docs +page_title: Commands +sidebar_current: docs-commands +description: >- + Consul is controlled via a very easy to use command-line interface (CLI). + Consul is only a single command-line application: `consul`. This application + then takes a subcommand such as agent or members. The complete list of + subcommands is in the navigation to the left. --- # Consul Commands (CLI) diff --git a/website/pages/docs/commands/info.html.markdown.erb b/website/pages/docs/commands/info.mdx similarity index 68% rename from website/pages/docs/commands/info.html.markdown.erb rename to website/pages/docs/commands/info.mdx index e4adf95bc2..399b26f4a5 100644 --- a/website/pages/docs/commands/info.html.markdown.erb +++ b/website/pages/docs/commands/info.mdx @@ -1,9 +1,11 @@ --- -layout: "docs" -page_title: "Commands: Info" -sidebar_current: "docs-commands-info" -description: |- - The `info` command provides various debugging information that can be useful to operators. Depending on if the agent is a client or server, information about different sub-systems will be returned. +layout: docs +page_title: 'Commands: Info' +sidebar_current: docs-commands-info +description: >- + The `info` command provides various debugging information that can be useful + to operators. Depending on if the agent is a client or server, information + about different sub-systems will be returned. --- # Consul Info @@ -16,11 +18,11 @@ information about different sub-systems will be returned. There are currently the top-level keys for: -* agent: Provides information about the agent -* consul: Information about the consul library (client or server) -* raft: Provides info about the Raft [consensus library](/docs/internals/consensus.html) -* serf_lan: Provides info about the LAN [gossip pool](/docs/internals/gossip.html) -* serf_wan: Provides info about the WAN [gossip pool](/docs/internals/gossip.html) +- agent: Provides information about the agent +- consul: Information about the consul library (client or server) +- raft: Provides info about the Raft [consensus library](/docs/internals/consensus.html) +- serf_lan: Provides info about the LAN [gossip pool](/docs/internals/gossip.html) +- serf_wan: Provides info about the WAN [gossip pool](/docs/internals/gossip.html) Here is an example output: @@ -74,4 +76,4 @@ Usage: `consul info` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' diff --git a/website/pages/docs/commands/intention.html.md b/website/pages/docs/commands/intention.mdx similarity index 95% rename from website/pages/docs/commands/intention.html.md rename to website/pages/docs/commands/intention.mdx index 9afab0b926..f4b19c19d2 100644 --- a/website/pages/docs/commands/intention.html.md +++ b/website/pages/docs/commands/intention.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: Intention' -sidebar_current: 'docs-commands-intention' +sidebar_current: docs-commands-intention --- # Consul Intention diff --git a/website/pages/docs/commands/intention/check.html.md.erb b/website/pages/docs/commands/intention/check.mdx similarity index 83% rename from website/pages/docs/commands/intention/check.html.md.erb rename to website/pages/docs/commands/intention/check.mdx index 48a4b3c9b5..09aef04c64 100644 --- a/website/pages/docs/commands/intention/check.html.md.erb +++ b/website/pages/docs/commands/intention/check.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Intention Check" -sidebar_current: "docs-commands-intention-check" +layout: docs +page_title: 'Commands: Intention Check' +sidebar_current: docs-commands-intention-check --- # Consul Intention Check @@ -24,7 +24,7 @@ Usage: `consul intention check [options] SRC DST` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' ## Examples diff --git a/website/pages/docs/commands/intention/create.html.md.erb b/website/pages/docs/commands/intention/create.mdx similarity index 61% rename from website/pages/docs/commands/intention/create.html.md.erb rename to website/pages/docs/commands/intention/create.mdx index d127baaf98..247a93c504 100644 --- a/website/pages/docs/commands/intention/create.html.md.erb +++ b/website/pages/docs/commands/intention/create.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Intention Create" -sidebar_current: "docs-commands-intention-create" +layout: docs +page_title: 'Commands: Intention Create' +sidebar_current: docs-commands-intention-create --- # Consul Intention Create @@ -17,22 +17,22 @@ Usage: `consul intention create [options] -f FILE...` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Intention Create Options -* `-allow` - Set the action to "allow" for intentions. This is the default. +- `-allow` - Set the action to "allow" for intentions. This is the default. -* `-deny` - Set the action to "deny" for intentions. This cannot be specified +- `-deny` - Set the action to "deny" for intentions. This cannot be specified with `-allow`. -* `-file` - Read intention data one or more files specified by the command +- `-file` - Read intention data one or more files specified by the command line arguments, instead of source/destination pairs. -* `-meta key=value` - Specify arbitrary KV metadata to associate with the +- `-meta key=value` - Specify arbitrary KV metadata to associate with the intention. -* `-replace` - Replace any matching intention. The replacement is done +- `-replace` - Replace any matching intention. The replacement is done atomically per intention. ## Examples @@ -48,4 +48,3 @@ Create intentions from a set of files: Create intentions from a directory using shell expansion: $ consul intention create -file intentions/*.json - diff --git a/website/pages/docs/commands/intention/delete.html.md.erb b/website/pages/docs/commands/intention/delete.mdx similarity index 61% rename from website/pages/docs/commands/intention/delete.html.md.erb rename to website/pages/docs/commands/intention/delete.mdx index 7f93ffc741..5878c049f7 100644 --- a/website/pages/docs/commands/intention/delete.html.md.erb +++ b/website/pages/docs/commands/intention/delete.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Intention Delete" -sidebar_current: "docs-commands-intention-delete" +layout: docs +page_title: 'Commands: Intention Delete' +sidebar_current: docs-commands-intention-delete --- # Consul Intention Delete @@ -14,12 +14,12 @@ The `intention delete` command deletes a matching intention. Usage: - * `consul intention delete [options] SRC DST` - * `consul intention delete [options] ID` +- `consul intention delete [options] SRC DST` +- `consul intention delete [options] ID` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' ## Examples diff --git a/website/pages/docs/commands/intention/get.html.md.erb b/website/pages/docs/commands/intention/get.mdx similarity index 60% rename from website/pages/docs/commands/intention/get.html.md.erb rename to website/pages/docs/commands/intention/get.mdx index fb2ae5e454..6db6adba76 100644 --- a/website/pages/docs/commands/intention/get.html.md.erb +++ b/website/pages/docs/commands/intention/get.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Intention Get" -sidebar_current: "docs-commands-intention-get" +layout: docs +page_title: 'Commands: Intention Get' +sidebar_current: docs-commands-intention-get --- # Consul Intention Get @@ -14,12 +14,12 @@ The `intention get` command shows a single intention. Usage: - * `consul intention get [options] SRC DST` - * `consul intention get [options] ID` +- `consul intention get [options] SRC DST` +- `consul intention get [options] ID` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' ## Examples diff --git a/website/pages/docs/commands/intention/match.html.md.erb b/website/pages/docs/commands/intention/match.mdx similarity index 73% rename from website/pages/docs/commands/intention/match.html.md.erb rename to website/pages/docs/commands/intention/match.mdx index d422803807..fc2bc8cf2e 100644 --- a/website/pages/docs/commands/intention/match.html.md.erb +++ b/website/pages/docs/commands/intention/match.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Intention Match" -sidebar_current: "docs-commands-intention-match" +layout: docs +page_title: 'Commands: Intention Match' +sidebar_current: docs-commands-intention-match --- # Consul Intention Match @@ -21,13 +21,13 @@ Usage: `consul intention match [options] SRC_OR_DST` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Intention Match Options -* `-destination` - Match by destination. +- `-destination` - Match by destination. -* `-source` - Match by source. +- `-source` - Match by source. ## Examples diff --git a/website/pages/docs/commands/join.html.markdown.erb b/website/pages/docs/commands/join.mdx similarity index 70% rename from website/pages/docs/commands/join.html.markdown.erb rename to website/pages/docs/commands/join.mdx index 69c1448e4c..c80be629da 100644 --- a/website/pages/docs/commands/join.html.markdown.erb +++ b/website/pages/docs/commands/join.mdx @@ -1,12 +1,12 @@ --- -layout: "docs" -page_title: "Commands: Join" -sidebar_current: "docs-commands-join" +layout: docs +page_title: 'Commands: Join' +sidebar_current: docs-commands-join description: >- - The `join` command tells a Consul agent to join an existing cluster. - A new Consul agent may join any node in the existing cluster. After joining - with one member, the gossip communication will propagate the updated membership - state across the cluster. + The `join` command tells a Consul agent to join an existing cluster. A new + Consul agent may join any node in the existing cluster. After joining with one + member, the gossip communication will propagate the updated membership state + across the cluster. --- # Consul Join @@ -31,12 +31,10 @@ command will fail only if Consul was unable to join with any. #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Command Options -* `-wan` - For agents running in server mode, the agent will attempt to join +- `-wan` - For agents running in server mode, the agent will attempt to join other servers gossiping in a WAN cluster. This is used to form a bridge between multiple datacenters. - - diff --git a/website/pages/docs/commands/keygen.html.md b/website/pages/docs/commands/keygen.mdx similarity index 64% rename from website/pages/docs/commands/keygen.html.md rename to website/pages/docs/commands/keygen.mdx index eb7a3f5eeb..960ac81112 100644 --- a/website/pages/docs/commands/keygen.html.md +++ b/website/pages/docs/commands/keygen.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: Keygen' -sidebar_current: 'docs-commands-keygen' -description: |- - The `keygen` command generates an encryption key that can be used for Consul agent traffic encryption. The keygen command uses a cryptographically strong pseudo-random number generator to generate the key. +sidebar_current: docs-commands-keygen +description: >- + The `keygen` command generates an encryption key that can be used for Consul + agent traffic encryption. The keygen command uses a cryptographically strong + pseudo-random number generator to generate the key. --- # Consul Keygen diff --git a/website/pages/docs/commands/keyring.html.markdown.erb b/website/pages/docs/commands/keyring.mdx similarity index 86% rename from website/pages/docs/commands/keyring.html.markdown.erb rename to website/pages/docs/commands/keyring.mdx index 80bdde3e00..731d9d35da 100644 --- a/website/pages/docs/commands/keyring.html.markdown.erb +++ b/website/pages/docs/commands/keyring.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Keyring" -sidebar_current: "docs-commands-keyring" +layout: docs +page_title: 'Commands: Keyring' +sidebar_current: docs-commands-keyring --- # Consul Keyring @@ -21,8 +21,8 @@ are installed on the cluster. You can review the installed keys using the All operations performed by this command can only be run against server nodes, and affect both the LAN and WAN keyrings in lock-step. The only exception to this -is for the `-list` operation, you may set the `-local-only` flag to only query -against local server nodes. +is for the `-list` operation, you may set the `-local-only` flag to only query +against local server nodes. All variations of the `keyring` command return 0 if all nodes reply and there are no errors. If any node fails to reply or reports failure, the exit code @@ -37,26 +37,26 @@ Only one actionable argument may be specified per run, including `-list`, #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Command Options -* `-list` - List all keys currently in use within the cluster. +- `-list` - List all keys currently in use within the cluster. -* `-install` - Install a new encryption key. This will broadcast the new key to +- `-install` - Install a new encryption key. This will broadcast the new key to all members in the cluster. -* `-use` - Change the primary encryption key, which is used to encrypt messages. +- `-use` - Change the primary encryption key, which is used to encrypt messages. The key must already be installed before this operation can succeed. -* `-remove` - Remove the given key from the cluster. This operation may only be +- `-remove` - Remove the given key from the cluster. This operation may only be performed on keys which are not currently the primary key. -* `-relay-factor` - Added in Consul 0.7.4, setting this to a non-zero value will +- `-relay-factor` - Added in Consul 0.7.4, setting this to a non-zero value will cause nodes to relay their response to the operation through this many randomly-chosen other nodes in the cluster. The maximum allowed value is 5. -* `-local-only` - Setting this to true will force a keyring list query to only hit +- `-local-only` - Setting this to true will force a keyring list query to only hit local servers (no WAN traffic). Setting `local-only` is only allowed for list queries. diff --git a/website/pages/docs/commands/kv.html.md b/website/pages/docs/commands/kv.mdx similarity index 97% rename from website/pages/docs/commands/kv.html.md rename to website/pages/docs/commands/kv.mdx index 8e4023db8e..c97b7d31db 100644 --- a/website/pages/docs/commands/kv.html.md +++ b/website/pages/docs/commands/kv.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: KV' -sidebar_current: 'docs-commands-kv' +sidebar_current: docs-commands-kv --- # Consul KV diff --git a/website/pages/docs/commands/kv/delete.html.markdown.erb b/website/pages/docs/commands/kv/delete.mdx similarity index 82% rename from website/pages/docs/commands/kv/delete.html.markdown.erb rename to website/pages/docs/commands/kv/delete.mdx index 971b3e6e40..27f1c37bfe 100644 --- a/website/pages/docs/commands/kv/delete.html.markdown.erb +++ b/website/pages/docs/commands/kv/delete.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: KV Delete" -sidebar_current: "docs-commands-kv-delete" +layout: docs +page_title: 'Commands: KV Delete' +sidebar_current: docs-commands-kv-delete --- # Consul KV Delete @@ -17,22 +17,22 @@ Usage: `consul kv delete [options] KEY_OR_PREFIX` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' #### KV Delete Options -* `-cas` - Perform a Check-And-Set operation. Specifying this value also +- `-cas` - Perform a Check-And-Set operation. Specifying this value also requires the -modify-index flag to be set. The default value is false. -* `-modify-index=` - Unsigned integer representing the ModifyIndex of the +- `-modify-index=` - Unsigned integer representing the ModifyIndex of the key. This is used in combination with the -cas flag. -* `-recurse` - Recursively delete all keys with the path. The default value is +- `-recurse` - Recursively delete all keys with the path. The default value is false. ## Examples diff --git a/website/pages/docs/commands/kv/export.html.markdown.erb b/website/pages/docs/commands/kv/export.mdx similarity index 66% rename from website/pages/docs/commands/kv/export.html.markdown.erb rename to website/pages/docs/commands/kv/export.mdx index 72834b4206..be178ea962 100644 --- a/website/pages/docs/commands/kv/export.html.markdown.erb +++ b/website/pages/docs/commands/kv/export.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: KV Export" -sidebar_current: "docs-commands-kv-export" +layout: docs +page_title: 'Commands: KV Export' +sidebar_current: docs-commands-kv-export --- # Consul KV Export @@ -19,12 +19,12 @@ Usage: `consul kv export [options] [PREFIX]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/kv/get.html.markdown.erb b/website/pages/docs/commands/kv/get.mdx similarity index 84% rename from website/pages/docs/commands/kv/get.html.markdown.erb rename to website/pages/docs/commands/kv/get.mdx index cbe7cd9e11..f4f84d2abb 100644 --- a/website/pages/docs/commands/kv/get.html.markdown.erb +++ b/website/pages/docs/commands/kv/get.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: KV Get" -sidebar_current: "docs-commands-kv-get" +layout: docs +page_title: 'Commands: KV Get' +sidebar_current: docs-commands-kv-get --- # Consul KV Get @@ -19,31 +19,31 @@ Usage: `consul kv get [options] [KEY_OR_PREFIX]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' #### KV Get Options -* `-base64` - Base 64 encode the value. The default value is false. +- `-base64` - Base 64 encode the value. The default value is false. -* `-detailed` - Provide additional metadata about the key in addition to the +- `-detailed` - Provide additional metadata about the key in addition to the value such as the ModifyIndex and any flags that may have been set on the key. The default value is false. -* `-keys` - List keys which start with the given prefix, but not their values. +- `-keys` - List keys which start with the given prefix, but not their values. This is especially useful if you only need the key names themselves. This option is commonly combined with the -separator option. The default value is false. -* `-recurse` - Recursively look at all keys prefixed with the given path. The +- `-recurse` - Recursively look at all keys prefixed with the given path. The default value is false. -* `-separator=` - String to use as a separator for recursive lookups. The - default value is "/", and only used when paired with the `-keys` flag. This will +- `-separator=` - String to use as a separator for recursive lookups. The + default value is "/", and only used when paired with the `-keys` flag. This will limit the prefix of keys returned, only up to the given separator. ## Examples diff --git a/website/pages/docs/commands/kv/import.html.markdown.erb b/website/pages/docs/commands/kv/import.mdx similarity index 71% rename from website/pages/docs/commands/kv/import.html.markdown.erb rename to website/pages/docs/commands/kv/import.mdx index 786101ff4d..154ce2e786 100644 --- a/website/pages/docs/commands/kv/import.html.markdown.erb +++ b/website/pages/docs/commands/kv/import.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: KV Import" -sidebar_current: "docs-commands-kv-import" +layout: docs +page_title: 'Commands: KV Import' +sidebar_current: docs-commands-kv-import --- # Consul KV Import @@ -17,12 +17,12 @@ Usage: `consul kv import [options] [DATA]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' ## Examples diff --git a/website/pages/docs/commands/kv/put.html.markdown.erb b/website/pages/docs/commands/kv/put.mdx similarity index 84% rename from website/pages/docs/commands/kv/put.html.markdown.erb rename to website/pages/docs/commands/kv/put.mdx index 388d37b79a..d6336dbefb 100644 --- a/website/pages/docs/commands/kv/put.html.markdown.erb +++ b/website/pages/docs/commands/kv/put.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: KV Put" -sidebar_current: "docs-commands-kv-put" +layout: docs +page_title: 'Commands: KV Put' +sidebar_current: docs-commands-kv-put --- # Consul KV Put @@ -16,36 +16,36 @@ Usage: `consul kv put [options] KEY [DATA]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' #### KV Put Options -* `-acquire` - Obtain a lock on the key. If the key does not exist, this +- `-acquire` - Obtain a lock on the key. If the key does not exist, this operation will create the key and obtain the lock. The session must already exist and be specified via the -session flag. The default value is false. -* `-base64` - Treat the data as base 64 encoded. The default value is false. +- `-base64` - Treat the data as base 64 encoded. The default value is false. -* `-cas` - Perform a Check-And-Set operation. Specifying this value also +- `-cas` - Perform a Check-And-Set operation. Specifying this value also requires the -modify-index flag to be set. The default value is false. -* `-flags=` - Unsigned integer value to assign to this KV pair. This +- `-flags=` - Unsigned integer value to assign to this KV pair. This value is not read by Consul, so clients can use this value however makes sense for their use case. The default value is 0 (no flags). -* `-modify-index=` - Unsigned integer representing the ModifyIndex of the +- `-modify-index=` - Unsigned integer representing the ModifyIndex of the key. This is used in combination with the -cas flag. -* `-release` - Forfeit the lock on the key at the given path. This requires the +- `-release` - Forfeit the lock on the key at the given path. This requires the -session flag to be set. The key must be held by the session in order to be unlocked. The default value is false. -* `-session=` - User-defined identifier for this session as a string. +- `-session=` - User-defined identifier for this session as a string. This is commonly used with the -acquire and -release operations to build robust locking, but it can be set on any key. The default value is empty (no session). diff --git a/website/pages/docs/commands/leave.html.markdown.erb b/website/pages/docs/commands/leave.mdx similarity index 72% rename from website/pages/docs/commands/leave.html.markdown.erb rename to website/pages/docs/commands/leave.mdx index b99d7296b0..4ceca76f45 100644 --- a/website/pages/docs/commands/leave.html.markdown.erb +++ b/website/pages/docs/commands/leave.mdx @@ -1,9 +1,11 @@ --- -layout: "docs" -page_title: "Commands: Leave" -sidebar_current: "docs-commands-leave" -description: |- - The `leave` command triggers a graceful leave and shutdown of the agent. It is used to ensure other nodes see the agent as left instead of failed. Nodes that leave will not attempt to re-join the cluster on restarting with a snapshot. +layout: docs +page_title: 'Commands: Leave' +sidebar_current: docs-commands-leave +description: >- + The `leave` command triggers a graceful leave and shutdown of the agent. It is + used to ensure other nodes see the agent as left instead of failed. Nodes that + leave will not attempt to re-join the cluster on restarting with a snapshot. --- # Consul Leave @@ -19,7 +21,7 @@ For nodes in server mode, the node is removed from the Raft peer set in a graceful manner. This is critical, as in certain situations a non-graceful leave can affect cluster availability. -Running `consul leave` on a server explicitly will reduce the quorum size. Even if the cluster used `bootstrap_expect` to set a quorum size initially, issuing `consul leave` on a server will reconfigure the cluster to have fewer servers. +Running `consul leave` on a server explicitly will reduce the quorum size. Even if the cluster used `bootstrap_expect` to set a quorum size initially, issuing `consul leave` on a server will reconfigure the cluster to have fewer servers. This means you could end up with just one server that is still able to commit writes because quorum is only 1, but those writes might be lost if that server fails before more are added. ## Usage @@ -28,4 +30,4 @@ Usage: `consul leave [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' diff --git a/website/pages/docs/commands/license.html.markdown.erb b/website/pages/docs/commands/license.mdx similarity index 87% rename from website/pages/docs/commands/license.html.markdown.erb rename to website/pages/docs/commands/license.mdx index e397a13492..b862680991 100644 --- a/website/pages/docs/commands/license.html.markdown.erb +++ b/website/pages/docs/commands/license.mdx @@ -1,9 +1,10 @@ --- -layout: "docs" -page_title: "Commands: License" -sidebar_current: "docs-commands-license" +layout: docs +page_title: 'Commands: License' +sidebar_current: docs-commands-license description: > - The license command provides datacenter-level management of the Consul Enterprise license. + The license command provides datacenter-level management of the Consul + Enterprise license. --- # Consul License @@ -19,7 +20,6 @@ order to use this command. Requests are forwarded internally to the leader if required, so this can be run from any Consul node in a cluster. See the [ACL Guide](https://learn.hashicorp.com/consul/security-networking/production-acls) for more information. - ```text Usage: consul license [options] [args] @@ -58,8 +58,8 @@ Usage: `consul license put [options] LICENSE` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' The output looks like this: @@ -87,8 +87,8 @@ Usage: `consul license get [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' The output looks like this: @@ -106,4 +106,4 @@ Licensed Features: Network Segments Redundancy Zone Advanced Network Federation -``` \ No newline at end of file +``` diff --git a/website/pages/docs/commands/lock.html.markdown.erb b/website/pages/docs/commands/lock.mdx similarity index 72% rename from website/pages/docs/commands/lock.html.markdown.erb rename to website/pages/docs/commands/lock.mdx index b60ae092b5..fabb664bb5 100644 --- a/website/pages/docs/commands/lock.html.markdown.erb +++ b/website/pages/docs/commands/lock.mdx @@ -1,9 +1,11 @@ --- -layout: "docs" -page_title: "Commands: Lock" -sidebar_current: "docs-commands-lock" -description: |- - The lock command provides a mechanism for leader election, mutual exclusion, or worker pools. For example, this can be used to ensure a maximum number of services running at once across a cluster. +layout: docs +page_title: 'Commands: Lock' +sidebar_current: docs-commands-lock +description: >- + The lock command provides a mechanism for leader election, mutual exclusion, + or worker pools. For example, this can be used to ensure a maximum number of + services running at once across a cluster. --- # Consul Lock @@ -47,43 +49,44 @@ Windows has no POSIX compatible notion for `SIGTERM`. #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-child-exit-code` - Exit 2 if the child process exited with an error +- `-child-exit-code` - Exit 2 if the child process exited with an error if this is true, otherwise this doesn't propagate an error from the child. The default value is false. -* `-monitor-retry` - Retry up to this number of times if Consul returns a 500 error - while monitoring the lock. This allows riding out brief periods of unavailability - without causing leader elections, but increases the amount of time required - to detect a lost lock in some cases. Defaults to 3, with a 1s wait between retries. - Set to 0 to disable. +- `-monitor-retry` - Retry up to this number of times if Consul returns a 500 error + while monitoring the lock. This allows riding out brief periods of unavailability + without causing leader elections, but increases the amount of time required + to detect a lost lock in some cases. Defaults to 3, with a 1s wait between retries. + Set to 0 to disable. -* `-n` - Optional, limit of lock holders. Defaults to 1. The underlying +- `-n` - Optional, limit of lock holders. Defaults to 1. The underlying implementation switches from a lock to a semaphore when increased past one. All locks on the same prefix must use the same value. -* `-name` - Optional name to associate with the underlying session. +- `-name` - Optional name to associate with the underlying session. If not provided, one is generated based on the child command. -* `-shell` - Optional, use a shell to run the command (can set a custom shell via the +- `-shell` - Optional, use a shell to run the command (can set a custom shell via the SHELL environment variable). The default value is true. -* `-pass-stdin` - Pass stdin to child process. +- `-pass-stdin` - Pass stdin to child process. -* `-timeout` - Maximum amount of time to wait to acquire the lock, specified - as a duration like `1s` or `3h`. The default value is 0. +- `-timeout` - Maximum amount of time to wait to acquire the lock, specified + as a duration like `1s` or `3h`. The default value is 0. -* `-timeout` - Attempt to acquire the lock up to the given timeout. The timeout is a +- `-timeout` - Attempt to acquire the lock up to the given timeout. The timeout is a positive decimal number, with unit suffix, such as "500ms". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". -* `-verbose` - Enables verbose output. +- `-verbose` - Enables verbose output. ## SHELL + Consul lock launches its children in a shell. By default, Consul will use the shell defined in the environment variable `SHELL`. If `SHELL` is not defined, it will default to `/bin/sh`. It should be noted that not all shells terminate child diff --git a/website/pages/docs/commands/login.html.md.erb b/website/pages/docs/commands/login.mdx similarity index 65% rename from website/pages/docs/commands/login.html.md.erb rename to website/pages/docs/commands/login.mdx index 5feee68d81..7f711191fc 100644 --- a/website/pages/docs/commands/login.html.md.erb +++ b/website/pages/docs/commands/login.mdx @@ -1,9 +1,10 @@ --- -layout: "docs" -page_title: "Commands: Login" -sidebar_current: "docs-commands-login" +layout: docs +page_title: 'Commands: Login' +sidebar_current: docs-commands-login description: > - The `login` command will exchange the provided third party credentials with the requested auth method for a newly minted Consul ACL token. + The `login` command will exchange the provided third party credentials with + the requested auth method for a newly minted Consul ACL token. --- # Consul Login @@ -21,19 +22,19 @@ Usage: `consul login [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Command Options -* `-bearer-token-file=` - Path to a file containing a secret bearer +- `-bearer-token-file=` - Path to a file containing a secret bearer token to use with this auth method. -* `-meta=` - Metadata to set on the token, formatted as `key=value`. This +- `-meta=` - Metadata to set on the token, formatted as `key=value`. This flag may be specified multiple times to set multiple meta fields. -* `-method=` - Name of the auth method to login to. +- `-method=` - Name of the auth method to login to. -* `-token-sink-file=` - The most recent token's SecretID is kept up to +- `-token-sink-file=` - The most recent token's SecretID is kept up to date in this file. ### Examples diff --git a/website/pages/docs/commands/logout.html.md.erb b/website/pages/docs/commands/logout.mdx similarity index 77% rename from website/pages/docs/commands/logout.html.md.erb rename to website/pages/docs/commands/logout.mdx index 1d8993d7b5..9d0601b624 100644 --- a/website/pages/docs/commands/logout.html.md.erb +++ b/website/pages/docs/commands/logout.mdx @@ -1,9 +1,10 @@ --- -layout: "docs" -page_title: "Commands: Logout" -sidebar_current: "docs-commands-logout" +layout: docs +page_title: 'Commands: Logout' +sidebar_current: docs-commands-logout description: > - The `logout` command will destroy the provided token if it was created from `consul login`. + The `logout` command will destroy the provided token if it was created from + `consul login`. --- # Consul Logout @@ -23,7 +24,7 @@ Usage: `consul logout [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' ### Examples diff --git a/website/pages/docs/commands/maint.html.markdown.erb b/website/pages/docs/commands/maint.mdx similarity index 75% rename from website/pages/docs/commands/maint.html.markdown.erb rename to website/pages/docs/commands/maint.mdx index eea23e66b6..77cf9ad26a 100644 --- a/website/pages/docs/commands/maint.html.markdown.erb +++ b/website/pages/docs/commands/maint.mdx @@ -1,8 +1,8 @@ --- -layout: "docs" -page_title: "Commands: Maint" -sidebar_current: "docs-commands-maint" -description: > +layout: docs +page_title: 'Commands: Maint' +sidebar_current: docs-commands-maint +description: | The `maint` command provides control of both service and node maintenance mode --- @@ -13,7 +13,7 @@ Command: `consul maint` The `maint` command provides control of service maintenance mode. Using the command, it is possible to mark a service provided by a node or all the services on the node as a whole as "under maintenance". In this mode of operation, the service - will not appear in DNS query results, or API results. This effectively +will not appear in DNS query results, or API results. This effectively takes the service out of the pool of available "healthy" nodes of a service. Under the hood, maintenance mode is activated by registering a health check in @@ -26,21 +26,21 @@ Usage: `consul maint [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Command Options -* `-enable` - Enable maintenance mode on all services on a node. If +- `-enable` - Enable maintenance mode on all services on a node. If combined with the `-service` flag, we operate on a specific service ID. -* `-disable` - Disable maintenance mode on all services on a node. If +- `-disable` - Disable maintenance mode on all services on a node. If combined with the `-service` flag, we operate on a specific service ID. -* `-reason` - An optional reason for placing the service into +- `-reason` - An optional reason for placing the service into maintenance mode. If provided, this reason will be visible in the newly- registered critical check's "Notes" field. -* `-service` - An optional service ID to control maintenance mode for a given service. By +- `-service` - An optional service ID to control maintenance mode for a given service. By providing this flag, the `-enable` and `-disable` flags functionality is modified to operate on the given service ID. diff --git a/website/pages/docs/commands/members.html.markdown.erb b/website/pages/docs/commands/members.mdx similarity index 61% rename from website/pages/docs/commands/members.html.markdown.erb rename to website/pages/docs/commands/members.mdx index 41c6e2412f..ebead4ae78 100644 --- a/website/pages/docs/commands/members.html.markdown.erb +++ b/website/pages/docs/commands/members.mdx @@ -1,9 +1,11 @@ --- -layout: "docs" -page_title: "Commands: Members" -sidebar_current: "docs-commands-members" -description: |- - The `members` command outputs the current list of members that a Consul agent knows about, along with their state. The state of a node can only be alive, left, or failed. +layout: docs +page_title: 'Commands: Members' +sidebar_current: docs-commands-members +description: >- + The `members` command outputs the current list of members that a Consul agent + knows about, along with their state. The state of a node can only be alive, + left, or failed. --- # Consul Members @@ -24,20 +26,19 @@ Usage: `consul members [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Command Options -* `-detailed` - If provided, output shows more detailed information +- `-detailed` - If provided, output shows more detailed information about each node. -* `-segment` - (Enterprise-only) The segment to show members in. If not provided, members +- `-segment` - (Enterprise-only) The segment to show members in. If not provided, members in all segments visible to the agent will be listed. -* `-status` - If provided, output is filtered to only nodes matching +- `-status` - If provided, output is filtered to only nodes matching the regular expression for status -* `-wan` - For agents in Server mode, this will return the list of nodes +- `-wan` - For agents in Server mode, this will return the list of nodes in the WAN gossip pool. These are generally all the server nodes in each datacenter. - diff --git a/website/pages/docs/commands/monitor.html.markdown.erb b/website/pages/docs/commands/monitor.mdx similarity index 64% rename from website/pages/docs/commands/monitor.html.markdown.erb rename to website/pages/docs/commands/monitor.mdx index 99e27d0785..0883f4fea8 100644 --- a/website/pages/docs/commands/monitor.html.markdown.erb +++ b/website/pages/docs/commands/monitor.mdx @@ -1,9 +1,11 @@ --- -layout: "docs" -page_title: "Commands: Monitor" -sidebar_current: "docs-commands-monitor" -description: |- - The `monitor` command is used to connect and follow the logs of a running Consul agent. Monitor will show the recent logs and then continue to follow the logs, not exiting until interrupted or until the remote agent quits. +layout: docs +page_title: 'Commands: Monitor' +sidebar_current: docs-commands-monitor +description: >- + The `monitor` command is used to connect and follow the logs of a running + Consul agent. Monitor will show the recent logs and then continue to follow + the logs, not exiting until interrupted or until the remote agent quits. --- # Consul Monitor @@ -24,13 +26,13 @@ Usage: `consul monitor [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Command Options -* `-log-level` - The log level of the messages to show. By default this +- `-log-level` - The log level of the messages to show. By default this is "info". This log level can be more verbose than what the agent is configured to run at. Available log levels are "trace", "debug", "info", "warn", and "err". -* `-log-json` - Toggles whether the messages are streamed in JSON format. +- `-log-json` - Toggles whether the messages are streamed in JSON format. By default this is false. diff --git a/website/pages/docs/commands/namespace.html.md.erb b/website/pages/docs/commands/namespace.mdx similarity index 89% rename from website/pages/docs/commands/namespace.html.md.erb rename to website/pages/docs/commands/namespace.mdx index c94980c663..5783e91c21 100644 --- a/website/pages/docs/commands/namespace.html.md.erb +++ b/website/pages/docs/commands/namespace.mdx @@ -1,21 +1,20 @@ --- -layout: "docs" -page_title: "Commands: Namespace" -sidebar_current: "docs-commands-namespace" -description: > +layout: docs +page_title: 'Commands: Namespace' +sidebar_current: docs-commands-namespace +description: | The namespace command provides management of Consul Enterprise namespaces. --- <%= enterprise_alert :consul %> -# Consul Namespace +# Consul Namespace Command: `consul namespace` - The `namespace` command provides management of Consul Enterprise namespaces. This was added in Consul Enterprise 1.7.0. -If ACLs are enabled then a token with operator privileges may be required in order to use this command. Write +If ACLs are enabled then a token with operator privileges may be required in order to use this command. Write requests are forwarded to the leader in the primary datacenter. Therefore these commands can be run against any agent in any datacenter. @@ -43,7 +42,7 @@ Subcommands: write Create or update a Namespace from its full definition ``` -For more information, examples, and usage about a subcommand, click on the name +For more information, examples, and usage about a subcommand, click on the name of the subcommand in the sidebar. ## Basic Examples @@ -82,4 +81,4 @@ Delete a Namespace: ```sh $ consul namespace delete team1 -``` \ No newline at end of file +``` diff --git a/website/pages/docs/commands/namespace/create.html.md.erb b/website/pages/docs/commands/namespace/create.mdx similarity index 52% rename from website/pages/docs/commands/namespace/create.html.md.erb rename to website/pages/docs/commands/namespace/create.mdx index 917a1414aa..d7c0143f71 100644 --- a/website/pages/docs/commands/namespace/create.html.md.erb +++ b/website/pages/docs/commands/namespace/create.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Namespace Create" -sidebar_current: "docs-commands-namespace-create" +layout: docs +page_title: 'Commands: Namespace Create' +sidebar_current: docs-commands-namespace-create --- <%= enterprise_alert :consul %> @@ -10,7 +10,7 @@ sidebar_current: "docs-commands-namespace-create" Command: `consul namespace create` -This `namespace create` command creates a namespaces using the CLI parameters provided. +This `namespace create` command creates a namespaces using the CLI parameters provided. This was added in Consul Enterprise 1.7.2. ## Usage @@ -22,34 +22,34 @@ from the CLI arguments. #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-default-policy-id=` - ID of a policy from the default namespace to inject for all tokens - in this namespace. May be specified multiple times. +- `-default-policy-id=` - ID of a policy from the default namespace to inject for all tokens + in this namespace. May be specified multiple times. -* `-default-policy-name=` - Name of a policy from the default namespace to inject for all - tokens in this namespace. May be specified multiple times. +- `-default-policy-name=` - Name of a policy from the default namespace to inject for all + tokens in this namespace. May be specified multiple times. -* `-default-role-id=` - ID of a role from the default namespace to inject for all tokens in - this namespace. May be specified multiple times. +- `-default-role-id=` - ID of a role from the default namespace to inject for all tokens in + this namespace. May be specified multiple times. -* `-default-role-name=` - Name of a role from the default namespace to inject for all tokens - in this namespace. May be specified multiple times. +- `-default-role-name=` - Name of a role from the default namespace to inject for all tokens + in this namespace. May be specified multiple times. -* `-description=` - A description of the namespace. +- `-description=` - A description of the namespace. -* `-format=` - How to output the results. The choices are: pretty or json +- `-format=` - How to output the results. The choices are: pretty or json -* `-meta=` - Metadata to set on the namespace, formatted as key=value. This flag - may be specified multiple times to set multiple meta fields +- `-meta=` - Metadata to set on the namespace, formatted as key=value. This flag + may be specified multiple times to set multiple meta fields -* `-name=` - The namespace's name. This flag is required. +- `-name=` - The namespace's name. This flag is required. -* `-show-meta` - Indicates that namespace metadata such as the raft indices should - be shown for the namespace +- `-show-meta` - Indicates that namespace metadata such as the raft indices should + be shown for the namespace ## Examples diff --git a/website/pages/docs/commands/namespace/delete.html.md.erb b/website/pages/docs/commands/namespace/delete.mdx similarity index 67% rename from website/pages/docs/commands/namespace/delete.html.md.erb rename to website/pages/docs/commands/namespace/delete.mdx index 3c31537050..1b0418bc7c 100644 --- a/website/pages/docs/commands/namespace/delete.html.md.erb +++ b/website/pages/docs/commands/namespace/delete.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Namespace Delete" -sidebar_current: "docs-commands-namespace-delete" +layout: docs +page_title: 'Commands: Namespace Delete' +sidebar_current: docs-commands-namespace-delete --- <%= enterprise_alert :consul %> @@ -19,8 +19,8 @@ Usage: `consul namespace delete ` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' ## Examples diff --git a/website/pages/docs/commands/namespace/list.html.md.erb b/website/pages/docs/commands/namespace/list.mdx similarity index 82% rename from website/pages/docs/commands/namespace/list.html.md.erb rename to website/pages/docs/commands/namespace/list.mdx index f5968f544e..6ce9d266b3 100644 --- a/website/pages/docs/commands/namespace/list.html.md.erb +++ b/website/pages/docs/commands/namespace/list.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Namespace List" -sidebar_current: "docs-commands-namespace-list" +layout: docs +page_title: 'Commands: Namespace List' +sidebar_current: docs-commands-namespace-list --- <%= enterprise_alert :consul %> @@ -21,16 +21,16 @@ Usage: `consul namespace list` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-format=` - How to output the results. The choices are: pretty or json +- `-format=` - How to output the results. The choices are: pretty or json -* `-meta` - Indicates that namespace metadata such as the raft indices should be +- `-meta` - Indicates that namespace metadata such as the raft indices should be shown for the namespace - + ## Examples List Namespaces: diff --git a/website/pages/docs/commands/namespace/read.html.md.erb b/website/pages/docs/commands/namespace/read.mdx similarity index 74% rename from website/pages/docs/commands/namespace/read.html.md.erb rename to website/pages/docs/commands/namespace/read.mdx index b9e28346ac..adce36a720 100644 --- a/website/pages/docs/commands/namespace/read.html.md.erb +++ b/website/pages/docs/commands/namespace/read.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Namespace Read" -sidebar_current: "docs-commands-namespace-read" +layout: docs +page_title: 'Commands: Namespace Read' +sidebar_current: docs-commands-namespace-read --- <%= enterprise_alert :consul %> @@ -20,16 +20,16 @@ Usage: `consul namespace read ` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-format=` - How to output the results. The choices are: pretty or json +- `-format=` - How to output the results. The choices are: pretty or json -* `-meta` - Indicates that namespace metadata such as the raft indices should be +- `-meta` - Indicates that namespace metadata such as the raft indices should be shown for the namespace - + ## Examples Read a Namespace: diff --git a/website/pages/docs/commands/namespace/update.html.md.erb b/website/pages/docs/commands/namespace/update.mdx similarity index 55% rename from website/pages/docs/commands/namespace/update.html.md.erb rename to website/pages/docs/commands/namespace/update.mdx index 1a1d75a55d..1b61999b16 100644 --- a/website/pages/docs/commands/namespace/update.html.md.erb +++ b/website/pages/docs/commands/namespace/update.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Namespace Update" -sidebar_current: "docs-commands-namespace-update" +layout: docs +page_title: 'Commands: Namespace Update' +sidebar_current: docs-commands-namespace-update --- <%= enterprise_alert :consul %> @@ -10,7 +10,7 @@ sidebar_current: "docs-commands-namespace-update" Command: `consul namespace update` -This `namespace update` command updates a namespaces using the CLI parameters provided. +This `namespace update` command updates a namespaces using the CLI parameters provided. This was added in Consul Enterprise 1.7.2. ## Usage @@ -23,38 +23,38 @@ with the existing namespace definition. #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-default-policy-id=` - ID of a policy from the default namespace to inject for all tokens - in this namespace. May be specified multiple times. +- `-default-policy-id=` - ID of a policy from the default namespace to inject for all tokens + in this namespace. May be specified multiple times. -* `-default-policy-name=` - Name of a policy from the default namespace to inject for all - tokens in this namespace. May be specified multiple times. +- `-default-policy-name=` - Name of a policy from the default namespace to inject for all + tokens in this namespace. May be specified multiple times. -* `-default-role-id=` - ID of a role from the default namespace to inject for all tokens in - this namespace. May be specified multiple times. +- `-default-role-id=` - ID of a role from the default namespace to inject for all tokens in + this namespace. May be specified multiple times. -* `-default-role-name=` - Name of a role from the default namespace to inject for all tokens - in this namespace. May be specified multiple times. +- `-default-role-name=` - Name of a role from the default namespace to inject for all tokens + in this namespace. May be specified multiple times. -* `-description=` - A description of the namespace. +- `-description=` - A description of the namespace. -* `-format=` - How to output the results. The choices are: pretty or json +- `-format=` - How to output the results. The choices are: pretty or json -* `-merge-acls` - Merge the new ACL policies and roles with the existing values. +- `-merge-acls` - Merge the new ACL policies and roles with the existing values. -* `-merge-meta` - Merge new meta values with existing meta. +- `-merge-meta` - Merge new meta values with existing meta. -* `-meta=` - Metadata to set on the namespace, formatted as key=value. This flag - may be specified multiple times to set multiple meta fields +- `-meta=` - Metadata to set on the namespace, formatted as key=value. This flag + may be specified multiple times to set multiple meta fields -* `-name=` - The namespace's name. This flag is required. +- `-name=` - The namespace's name. This flag is required. -* `-show-meta` - Indicates that namespace metadata such as the raft indices should - be shown for the namespace +- `-show-meta` - Indicates that namespace metadata such as the raft indices should + be shown for the namespace ## Examples diff --git a/website/pages/docs/commands/namespace/write.html.md.erb b/website/pages/docs/commands/namespace/write.mdx similarity index 79% rename from website/pages/docs/commands/namespace/write.html.md.erb rename to website/pages/docs/commands/namespace/write.mdx index a36e4c68de..c5dd3aef30 100644 --- a/website/pages/docs/commands/namespace/write.html.md.erb +++ b/website/pages/docs/commands/namespace/write.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Namespace Write" -sidebar_current: "docs-commands-namespace-write" +layout: docs +page_title: 'Commands: Namespace Write' +sidebar_current: docs-commands-namespace-write --- <%= enterprise_alert :consul %> @@ -22,17 +22,16 @@ or HCL format. See [here](/docs/enterprise/namespaces/index.html#namespace-defin #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-format=` - How to output the results. The choices are: pretty or json +- `-format=` - How to output the results. The choices are: pretty or json -* `-meta` - Indicates that namespace metadata such as the raft indices should be +- `-meta` - Indicates that namespace metadata such as the raft indices should be shown for the namespace - - + ## Examples Create a new Namespace: diff --git a/website/pages/docs/commands/operator.html.markdown.erb b/website/pages/docs/commands/operator.mdx similarity index 83% rename from website/pages/docs/commands/operator.html.markdown.erb rename to website/pages/docs/commands/operator.mdx index 3f1e75b597..42ae29dd1c 100644 --- a/website/pages/docs/commands/operator.html.markdown.erb +++ b/website/pages/docs/commands/operator.mdx @@ -1,8 +1,8 @@ --- -layout: "docs" -page_title: "Commands: Operator" -sidebar_current: "docs-commands-operator" -description: > +layout: docs +page_title: 'Commands: Operator' +sidebar_current: docs-commands-operator +description: | The operator command provides cluster-level tools for Consul operators. --- @@ -14,7 +14,7 @@ The `operator` command provides cluster-level tools for Consul operators, such as interacting with the Raft subsystem. This was added in Consul 0.7. ~> Use this command with extreme caution, as improper use could lead to a Consul - outage and even loss of data. +outage and even loss of data. If ACLs are enabled then a token with operator privileges may be required in order to use this command. Requests are forwarded internally to the leader @@ -43,6 +43,6 @@ Subcommands: For more information, examples, and usage about a subcommand, click on the name of the subcommand in the sidebar or one of the links below: -- [area] (/docs/commands/operator/area.html) -- [autopilot] (/docs/commands/operator/autopilot.html) -- [raft] (/docs/commands/operator/raft.html) +- [area](/docs/commands/operator/area.html) +- [autopilot](/docs/commands/operator/autopilot.html) +- [raft](/docs/commands/operator/raft.html) diff --git a/website/pages/docs/commands/operator/area.html.markdown.erb b/website/pages/docs/commands/operator/area.mdx similarity index 68% rename from website/pages/docs/commands/operator/area.html.markdown.erb rename to website/pages/docs/commands/operator/area.mdx index 166b8c171d..a4ab11ec33 100644 --- a/website/pages/docs/commands/operator/area.html.markdown.erb +++ b/website/pages/docs/commands/operator/area.mdx @@ -1,17 +1,19 @@ --- -layout: "docs" -page_title: "Commands: Operator Area" -sidebar_current: "docs-commands-operator-area" +layout: docs +page_title: 'Commands: Operator Area' +sidebar_current: docs-commands-operator-area description: > - The operator area command is used to interact with Consul's network area subsystem. + The operator area command is used to interact with Consul's network area + subsystem. --- # Consul Operator Area Command: `consul operator area` -[//]: # ( ~> The network area functionality described here is available only in ) -[//]: # ( [Consul Enterprise](https://www.hashicorp.com/products/consul/) version 0.8.0 and later. ) +[//]: # ' ~> The network area functionality described here is available only in ' + +[//]: # ( [Consul Enterprise](https://www.hashicorp.com/products/consul/) version 0.8.0 and later. ) <%= enterprise_alert :consul %> @@ -56,20 +58,20 @@ Usage: `consul operator area create [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-peer-datacenter=` - Declares the peer Consul datacenter that will make up the other -side of this network area. Network areas always involve a pair of datacenters: the datacenter -where the area was created, and the peer datacenter. This is required. +- `-peer-datacenter=` - Declares the peer Consul datacenter that will make up the other + side of this network area. Network areas always involve a pair of datacenters: the datacenter + where the area was created, and the peer datacenter. This is required. -* `-retry-join=` Specifies the address of a Consul server to join to, such as an IP -or hostname with an optional port number. This is optional and can be specified multiple times. +- `-retry-join=` Specifies the address of a Consul server to join to, such as an IP + or hostname with an optional port number. This is optional and can be specified multiple times. -* `-use-tls=` Specifies whether gossip over this area should be encrypted with -TLS if possible. Must be either `true` or `false`. +- `-use-tls=` Specifies whether gossip over this area should be encrypted with + TLS if possible. Must be either `true` or `false`. The output looks like this, displaying the ID of the newly-created network area: @@ -87,16 +89,16 @@ Usage: `consul operator area delete [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-id=` - Looks up the area to operate on by its ID. This can be given -instead of a peer datacenter. +- `-id=` - Looks up the area to operate on by its ID. This can be given + instead of a peer datacenter. -* `-peer-datacenter=` - Looks up the area to operate on by its peer -datacenter. This can be given instead of an ID. +- `-peer-datacenter=` - Looks up the area to operate on by its peer + datacenter. This can be given instead of an ID. The output looks like this: @@ -115,16 +117,16 @@ Usage: `consul operator area join [options] ADDRESSES` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-id=` - Looks up the area to operate on by its ID. This can be given -instead of a peer datacenter. +- `-id=` - Looks up the area to operate on by its ID. This can be given + instead of a peer datacenter. -* `-peer-datacenter=` - Looks up the area to operate on by its peer -datacenter. This can be given instead of an ID. +- `-peer-datacenter=` - Looks up the area to operate on by its peer + datacenter. This can be given instead of an ID. The output looks like this: @@ -148,8 +150,8 @@ Usage: `consul operator area list [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' The output looks like this: @@ -176,16 +178,16 @@ Usage: `consul operator area members [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-id=` - Looks up the area to operate on by its ID. This can be given -instead of a peer datacenter. +- `-id=` - Looks up the area to operate on by its ID. This can be given + instead of a peer datacenter. -* `-peer-datacenter=` - Looks up the area to operate on by its peer -datacenter. This can be given instead of an ID. +- `-peer-datacenter=` - Looks up the area to operate on by its peer + datacenter. This can be given instead of an ID. The output looks like this: @@ -229,20 +231,20 @@ Usage: `consul operator area update [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-id=` - Looks up the area to operate on by its ID. This can be given -instead of a peer datacenter. +- `-id=` - Looks up the area to operate on by its ID. This can be given + instead of a peer datacenter. -* `-peer-datacenter=` - Declares the peer Consul datacenter that will make up the other -side of this network area. Network areas always involve a pair of datacenters: the datacenter -where the area was created, and the peer datacenter. This is required. +- `-peer-datacenter=` - Declares the peer Consul datacenter that will make up the other + side of this network area. Network areas always involve a pair of datacenters: the datacenter + where the area was created, and the peer datacenter. This is required. -* `-use-tls=` Specifies whether gossip over this area should be encrypted with -TLS if possible. Must be either `true` or `false`. +- `-use-tls=` Specifies whether gossip over this area should be encrypted with + TLS if possible. Must be either `true` or `false`. The output looks like this: diff --git a/website/pages/docs/commands/operator/autopilot.html.markdown.erb b/website/pages/docs/commands/operator/autopilot.mdx similarity index 51% rename from website/pages/docs/commands/operator/autopilot.html.markdown.erb rename to website/pages/docs/commands/operator/autopilot.mdx index 5cbf645df3..06eb9df72a 100644 --- a/website/pages/docs/commands/operator/autopilot.html.markdown.erb +++ b/website/pages/docs/commands/operator/autopilot.mdx @@ -1,9 +1,10 @@ --- -layout: "docs" -page_title: "Commands: Operator Autopilot" -sidebar_current: "docs-commands-operator-autopilot" +layout: docs +page_title: 'Commands: Operator Autopilot' +sidebar_current: docs-commands-operator-autopilot description: > - The operator autopilot subcommand is used to view and modify Consul's Autopilot configuration. + The operator autopilot subcommand is used to view and modify Consul's + Autopilot configuration. --- # Consul Operator Autopilot @@ -34,8 +35,8 @@ Usage: `consul operator autopilot get-config [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' The output looks like this: @@ -57,35 +58,35 @@ Usage: `consul operator autopilot set-config [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' #### Command Options -* `-cleanup-dead-servers` - Specifies whether to enable automatic removal of dead servers -upon the successful joining of new servers to the cluster. Must be one of `[true|false]`. +- `-cleanup-dead-servers` - Specifies whether to enable automatic removal of dead servers + upon the successful joining of new servers to the cluster. Must be one of `[true|false]`. -* `-last-contact-threshold` - Controls the maximum amount of time a server can go without contact -from the leader before being considered unhealthy. Must be a duration value such as `200ms`. +- `-last-contact-threshold` - Controls the maximum amount of time a server can go without contact + from the leader before being considered unhealthy. Must be a duration value such as `200ms`. -* `-max-trailing-logs` - Controls the maximum number of log entries that a server can trail -the leader by before being considered unhealthy. +- `-max-trailing-logs` - Controls the maximum number of log entries that a server can trail + the leader by before being considered unhealthy. -* `-min-quorum` - Sets the minimum number of servers required in a cluster -before autopilot is allowed to prune dead servers. +- `-min-quorum` - Sets the minimum number of servers required in a cluster + before autopilot is allowed to prune dead servers. -* `-server-stabilization-time` - Controls the minimum amount of time a server must be stable in -the 'healthy' state before being added to the cluster. Only takes effect if all servers are -running Raft protocol version 3 or higher. Must be a duration value such as `10s`. +- `-server-stabilization-time` - Controls the minimum amount of time a server must be stable in + the 'healthy' state before being added to the cluster. Only takes effect if all servers are + running Raft protocol version 3 or higher. Must be a duration value such as `10s`. -* `-disable-upgrade-migration` - (Enterprise-only) Controls whether Consul will avoid promoting -new servers until it can perform a migration. Must be one of `[true|false]`. +- `-disable-upgrade-migration` - (Enterprise-only) Controls whether Consul will avoid promoting + new servers until it can perform a migration. Must be one of `[true|false]`. -* `-redundancy-zone-tag`- (Enterprise-only) Controls the [`-node-meta`](/docs/agent/options.html#_node_meta) -key name used for separating servers into different redundancy zones. +- `-redundancy-zone-tag`- (Enterprise-only) Controls the [`-node-meta`](/docs/agent/options.html#_node_meta) + key name used for separating servers into different redundancy zones. -* `-upgrade-version-tag` - (Enterprise-only) Controls the [`-node-meta`](/docs/agent/options.html#_node_meta) -tag to use for version info when performing upgrade migrations. If left blank, the Consul version will be used. +- `-upgrade-version-tag` - (Enterprise-only) Controls the [`-node-meta`](/docs/agent/options.html#_node_meta) + tag to use for version info when performing upgrade migrations. If left blank, the Consul version will be used. The output looks like this: diff --git a/website/pages/docs/commands/operator/raft.html.markdown.erb b/website/pages/docs/commands/operator/raft.mdx similarity index 81% rename from website/pages/docs/commands/operator/raft.html.markdown.erb rename to website/pages/docs/commands/operator/raft.mdx index 8ee1621f18..f2bf3f325c 100644 --- a/website/pages/docs/commands/operator/raft.html.markdown.erb +++ b/website/pages/docs/commands/operator/raft.mdx @@ -1,9 +1,10 @@ --- -layout: "docs" -page_title: "Commands: Operator Raft" -sidebar_current: "docs-commands-operator-raft" +layout: docs +page_title: 'Commands: Operator Raft' +sidebar_current: docs-commands-operator-raft description: > - The operator raft subcommand is used to view and modify Consul's Raft configuration. + The operator raft subcommand is used to view and modify Consul's Raft + configuration. --- # Consul Operator Raft @@ -33,9 +34,9 @@ This command displays the current Raft peer configuration. Usage: `consul operator raft list-peers -stale=[true|false]` -* `-stale` - Optional and defaults to "false" which means the leader provides -the result. If the cluster is in an outage state without a leader, you may need -to set this to "true" to get the configuration from a non-leader server. +- `-stale` - Optional and defaults to "false" which means the leader provides + the result. If the cluster is in an outage state without a leader, you may need + to set this to "true" to get the configuration from a non-leader server. The output looks like this: @@ -50,7 +51,7 @@ carol 127.0.0.3:8300 127.0.0.3:8300 follower true 2 the node is stale and not known. `ID` is the ID of the server. This is the same as the `Address` in Consul 0.7 -but may be upgraded to a GUID in a future version of Consul. +but may be upgraded to a GUID in a future version of Consul. `Address` is the IP:port for the server. @@ -75,9 +76,9 @@ instead of this command. Usage: `consul operator raft remove-peer -address="IP:port"` -* `-address` - "IP:port" for the server to remove. The port number is usually -8300, unless configured otherwise. +- `-address` - "IP:port" for the server to remove. The port number is usually + 8300, unless configured otherwise. -* `-id` - ID of the server to remove. +- `-id` - ID of the server to remove. The return code will indicate success or failure. diff --git a/website/pages/docs/commands/reload.html.markdown.erb b/website/pages/docs/commands/reload.mdx similarity index 76% rename from website/pages/docs/commands/reload.html.markdown.erb rename to website/pages/docs/commands/reload.mdx index 8dac42d5ec..6623231e7e 100644 --- a/website/pages/docs/commands/reload.html.markdown.erb +++ b/website/pages/docs/commands/reload.mdx @@ -1,9 +1,8 @@ --- -layout: "docs" -page_title: "Commands: Reload" -sidebar_current: "docs-commands-reload" -description: |- - The `reload` command triggers a reload of configuration files for the agent. +layout: docs +page_title: 'Commands: Reload' +sidebar_current: docs-commands-reload +description: The `reload` command triggers a reload of configuration files for the agent. --- # Consul Reload @@ -31,4 +30,4 @@ Usage: `consul reload` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' diff --git a/website/pages/docs/commands/rtt.html.markdown.erb b/website/pages/docs/commands/rtt.mdx similarity index 83% rename from website/pages/docs/commands/rtt.html.markdown.erb rename to website/pages/docs/commands/rtt.mdx index 746b510fc3..5129ae94d5 100644 --- a/website/pages/docs/commands/rtt.html.markdown.erb +++ b/website/pages/docs/commands/rtt.mdx @@ -1,8 +1,8 @@ --- -layout: "docs" -page_title: "Commands: RTT" -sidebar_current: "docs-commands-rtt" -description: > +layout: docs +page_title: 'Commands: RTT' +sidebar_current: docs-commands-rtt +description: | The rtt command estimates the network round trip time between two nodes. --- @@ -26,11 +26,11 @@ Consul as the `consul members` command would show, not IP addresses. #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Command Options -* `-wan` - Instructs the command to use WAN coordinates instead of LAN +- `-wan` - Instructs the command to use WAN coordinates instead of LAN coordinates. By default, the two nodes are assumed to be nodes in the local datacenter and the LAN coordinates are used. If the -wan option is given, then the WAN coordinates are used, and the node names must be suffixed by a period @@ -39,8 +39,8 @@ Consul as the `consul members` command would show, not IP addresses. The following environment variables control accessing the HTTP server via SSL: -* `CONSUL_HTTP_SSL` Set this to enable SSL -* `CONSUL_HTTP_SSL_VERIFY` Set this to disable certificate checking (not recommended) +- `CONSUL_HTTP_SSL` Set this to enable SSL +- `CONSUL_HTTP_SSL_VERIFY` Set this to disable certificate checking (not recommended) ## Output diff --git a/website/pages/docs/commands/services.html.md b/website/pages/docs/commands/services.mdx similarity index 96% rename from website/pages/docs/commands/services.html.md rename to website/pages/docs/commands/services.mdx index 727b0e040f..46253ae87a 100644 --- a/website/pages/docs/commands/services.html.md +++ b/website/pages/docs/commands/services.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: Services' -sidebar_current: 'docs-commands-services' +sidebar_current: docs-commands-services --- # Consul Agent Services diff --git a/website/pages/docs/commands/services/deregister.html.markdown.erb b/website/pages/docs/commands/services/deregister.mdx similarity index 85% rename from website/pages/docs/commands/services/deregister.html.markdown.erb rename to website/pages/docs/commands/services/deregister.mdx index f01d24f19a..e5787a6c08 100644 --- a/website/pages/docs/commands/services/deregister.html.markdown.erb +++ b/website/pages/docs/commands/services/deregister.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Services Deregister" -sidebar_current: "docs-commands-services-deregister" +layout: docs +page_title: 'Commands: Services Deregister' +sidebar_current: docs-commands-services-deregister --- # Consul Agent Service Deregistration @@ -31,11 +31,11 @@ This flexibility makes it easy to pair the command with the #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' #### Service Deregistration Flags @@ -43,7 +43,7 @@ The flags below should only be set if _no arguments_ are given. If no arguments are given, the flags below can be used to deregister a single service. -* `-id` - The ID of the service. +- `-id` - The ID of the service. ## Examples diff --git a/website/pages/docs/commands/services/register.html.markdown.erb b/website/pages/docs/commands/services/register.mdx similarity index 83% rename from website/pages/docs/commands/services/register.html.markdown.erb rename to website/pages/docs/commands/services/register.mdx index 780f247180..ab371520c6 100644 --- a/website/pages/docs/commands/services/register.html.markdown.erb +++ b/website/pages/docs/commands/services/register.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Services Register" -sidebar_current: "docs-commands-services-register" +layout: docs +page_title: 'Commands: Services Register' +sidebar_current: docs-commands-services-register --- # Consul Agent Service Registration @@ -50,11 +50,11 @@ or lost, services registered with this command will need to be reregistered. #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Enterprise Options -<%= partial "docs/commands/http_api_namespace_options" %> +@include 'http_api_namespace_options.mdx' #### Service Registration Flags @@ -66,19 +66,19 @@ Note that the behavior of each of the fields below is exactly the same as when constructing a standard [service definition](/docs/agent/services.html). Please refer to that documentation for full details. -* `-id` - The ID of the service. This will default to `-name` if not set. +- `-id` - The ID of the service. This will default to `-name` if not set. -* `-name` - The name of the service to register. +- `-name` - The name of the service to register. -* `-address` - The address of the service. If this isn't specified, +- `-address` - The address of the service. If this isn't specified, it will default to the address registered with the local agent. -* `-port` - The port of the service. +- `-port` - The port of the service. -* `-meta key=value` - Specify arbitrary KV metadata to associate with the +- `-meta key=value` - Specify arbitrary KV metadata to associate with the service instance. This can be specified multiple times. -* `-tag value` - Associate a tag with the service instance. This flag can +- `-tag value` - Associate a tag with the service instance. This flag can be specified multiples times. ## Examples diff --git a/website/pages/docs/commands/snapshot.html.md b/website/pages/docs/commands/snapshot.mdx similarity index 97% rename from website/pages/docs/commands/snapshot.html.md rename to website/pages/docs/commands/snapshot.mdx index 0085622fae..07b1dfd15c 100644 --- a/website/pages/docs/commands/snapshot.html.md +++ b/website/pages/docs/commands/snapshot.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: Snapshot' -sidebar_current: 'docs-commands-snapshot' +sidebar_current: docs-commands-snapshot --- # Consul Snapshot diff --git a/website/pages/docs/commands/snapshot/agent.html.markdown.erb b/website/pages/docs/commands/snapshot/agent.mdx similarity index 74% rename from website/pages/docs/commands/snapshot/agent.html.markdown.erb rename to website/pages/docs/commands/snapshot/agent.mdx index 75f00e3445..ed186de7ba 100644 --- a/website/pages/docs/commands/snapshot/agent.html.markdown.erb +++ b/website/pages/docs/commands/snapshot/agent.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Snapshot Agent" -sidebar_current: "docs-commands-snapshot-agent" +layout: docs +page_title: 'Commands: Snapshot Agent' +sidebar_current: docs-commands-snapshot-agent --- # Consul Snapshot Agent @@ -9,9 +9,9 @@ sidebar_current: "docs-commands-snapshot-agent" Command: `consul snapshot agent` ~> The [`agent`](/docs/commands/snapshot/agent.html) subcommand described here is - available only in [Consul Enterprise](https://www.hashicorp.com/products/consul/) - version 0.7.1 and later. All other [snapshot subcommands](/docs/commands/snapshot.html) - are available in the open source version of Consul. +available only in [Consul Enterprise](https://www.hashicorp.com/products/consul/) +version 0.7.1 and later. All other [snapshot subcommands](/docs/commands/snapshot.html) +are available in the open source version of Consul. The `snapshot agent` subcommand starts a process that takes snapshots of the state of the Consul servers and saves them locally, or pushes them to an @@ -53,12 +53,12 @@ the [HTTP API](/api/snapshot.html). If ACLs are enabled the following privileges are required: -| Resource | Segment | Permission | Explanation | -| --------- | ---------------- | ---------- | ----------- | -| `acl` | N/A | `write` | All snapshotting operations require this privilege due to snapshots containing ACL tokens including unredacted secrets. | -| `key` | `` | `write` | The lock key (which defaults to `consul-snapshot/lock`) is used during snapshot agent leader election. | +| Resource | Segment | Permission | Explanation | +| --------- | ---------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `acl` | N/A | `write` | All snapshotting operations require this privilege due to snapshots containing ACL tokens including unredacted secrets. | +| `key` | `` | `write` | The lock key (which defaults to `consul-snapshot/lock`) is used during snapshot agent leader election. | | `session` | `` | `write` | The session used for locking during leader election is created against the agent name of the Consul agent that the Snapshot agent is registering itself with. | -| `service` | `` | `write` | The Snapshot agent registers itself with the local Consul agent and must have write privileges on its service name which is configured with `-service`. | +| `service` | `` | `write` | The Snapshot agent registers itself with the local Consul agent and must have write privileges on its service name which is configured with `-service`. | ## Usage @@ -66,16 +66,16 @@ Usage: `consul snapshot agent [options]` #### API Options -<%= partial "docs/commands/http_api_options_client" %> +@include 'http_api_options_client.mdx' #### Config File Options: -* `-config-dir` - Directory to look for JSON config files. Files will be read in +- `-config-dir` - Directory to look for JSON config files. Files will be read in alphabetical order and must end with the extension ".json". This won't recursively descend directories. This can be specified multiple times on the command line. -* `-config-file` - File to read JSON configuration from. Files must end with the +- `-config-file` - File to read JSON configuration from. Files must end with the extension ".json". This can be specified multiple times on the command line. Config files referenced using `-config-dir` and `-config-file` have the following @@ -138,93 +138,94 @@ if desired. #### Snapshot Options -* `-interval` - Interval at which to perform snapshots - as a time with a unit suffix, which can be "s", "m", "h" for seconds, minutes, - or hours. If 0 is provided, the agent will take a single snapshot and then exit, - which is useful for running snapshots via batch jobs. Defaults to "1h" +- `-interval` - Interval at which to perform snapshots as + a time with a unit suffix, which can be "s", "m", "h" for seconds, minutes, or + hours. If 0 is provided, the agent will take a single snapshot and then exit, which + is useful for running snapshots via batch jobs. Defaults to "1h" -* `-lock-key` - A prefix in Consul's KV store used to coordinate between +- `-lock-key` - A prefix in Consul's KV store used to coordinate between different instances of the snapshot agent order to only have one active instance at a time. For highly available operation of the snapshot agent, simply run multiple instances. All instances must be configured with the same lock key in order to properly coordinate. Defaults to "consul-snapshot/lock". -* `-max-failures` - Number of snapshot failures after which the snapshot agent +- `-max-failures` - Number of snapshot failures after which the snapshot agent will give up leadership. In a highly available operation with multiple snapshot agents available, this gives another agent a chance to take over if an agent is experiencing issues, such as running out of disk space for snapshots. Defaults to 3. -* `-retain` - Number of snapshots to retain. After each snapshot is taken, the +- `-retain` - Number of snapshots to retain. After each snapshot is taken, the oldest snapshots will start to be deleted in order to retain at most this many snapshots. If this is set to 0, the agent will not perform this and snapshots will accumulate forever. Defaults to 30. - #### Agent Options -* `-deregister-after` - An interval, after which if the agent is unhealthy it will be +- `-deregister-after` - An interval, after which if the agent is unhealthy it will be automatically deregistered from Consul service discovery. This is a time with a unit suffix, which can be "s", "m", "h" for seconds, minutes, or hours. If 0 is provided, this will be disabled. Defaults to "72h". -* `-log-level` - Controls verbosity of snapshot agent logs. Valid options are +- `-log-level` - Controls verbosity of snapshot agent logs. Valid options are "TRACE", "DEBUG", "INFO", "WARN", "ERR". Defaults to "INFO". -* `-service` - The service name to used when registering the agent with Consul. +- `-service` - The service name to used when registering the agent with Consul. Registering helps monitor running agents and the leader registers an additional health check to monitor that snapshots are taking place. Defaults to "consul-snapshot". -* `-syslog` - This enables forwarding logs to syslog. Defaults to false. +- `-syslog` - This enables forwarding logs to syslog. Defaults to false. -* `-syslog-facility` - Sets the facility to use for forwarding logs to syslog. +- `-syslog-facility` - Sets the facility to use for forwarding logs to syslog. Defaults to "LOCAL0". #### Local Storage Options -* `-local-path` - Location to store snapshots locally. The default behavior +- `-local-path` - Location to store snapshots locally. The default behavior of the snapshot agent is to store snapshots locally in this directory. Defaults to "." to use the current working directory. If an alternate storage option is configured, then local storage will be disabled and this option will be ignored. #### S3 Storage Options + Note that despite the AWS references, any S3-compatible endpoint can be specified with `-aws-s3-endpoint`. -* `-aws-access-key-id` and `-aws-secret-access-key` - These arguments supply +- `-aws-access-key-id` and `-aws-secret-access-key` - These arguments supply authentication information for connecting to S3. These may also be supplied using - the following alternative methods:
+ the following alternative methods:
+ - `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables - A credentials file (`~/.aws/credentials` or the file at the path specified by the `AWS_SHARED_CREDENTIALS_FILE` environment variable) - ECS task role metadata (container-specific) - EC2 instance role metadata -* `-aws-s3-bucket` - S3 bucket to use. Required for S3 storage, and setting this +- `-aws-s3-bucket` - S3 bucket to use. Required for S3 storage, and setting this disables local storage. This should be only the bucket name without any part of the key prefix. -* `-aws-s3-key-prefix` - Prefix to use for snapshot files in S3. Defaults to - "consul-snapshot". +- `-aws-s3-key-prefix` - Prefix to use for snapshot files in S3. Defaults to + "consul-snapshot". -* `-aws-s3-region` - S3 region to use. Required for S3 storage. +- `-aws-s3-region` - S3 region to use. Required for S3 storage. -* `-aws-s3-endpoint` - Optional S3 endpoint to use. Can also be specified using the +- `-aws-s3-endpoint` - Optional S3 endpoint to use. Can also be specified using the AWS_S3_ENDPOINT environment variable. -* `-aws-s3-server-side-encryption` - Enables saving snapshots to S3 using server side encryption with [Amazon S3-Managed Encryption Keys](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) +- `-aws-s3-server-side-encryption` - Enables saving snapshots to S3 using server side encryption with [Amazon S3-Managed Encryption Keys](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) -* `-aws-s3-static-snapshot-name` - If this is given, all snapshots are saved with the same file name. The agent will not rotate or versionize snapshots, and will save them with the same name each time. - Use this if you want to rely on [S3's versioning capabilities](http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html) instead of the agent handling it for you. +- `-aws-s3-static-snapshot-name` - If this is given, all snapshots are saved with the same file name. The agent will not rotate or versionize snapshots, and will save them with the same name each time. + Use this if you want to rely on [S3's versioning capabilities](http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html) instead of the agent handling it for you. -* `-aws-s3-enable-kms` - Enables using [Amazon KMS](https://aws.amazon.com/kms/) for encrypting snapshots. +- `-aws-s3-enable-kms` - Enables using [Amazon KMS](https://aws.amazon.com/kms/) for encrypting snapshots. -* `-aws-s3-kms-key` - Optional Amazon KMS key to use, if this is not set the default KMS master key will be used. Set this if you want to manage key rotation yourself. +- `-aws-s3-kms-key` - Optional Amazon KMS key to use, if this is not set the default KMS master key will be used. Set this if you want to manage key rotation yourself. + + -> When using a S3-compatible storage exposing a self-signed certificate the agent will not be able to perform + the snapshot operations unless the CA used to sign the storage certificate is trusted by the node running + the agent. You can add the CA root certificate to the OS trust store to have Consul trust the storage endpoint. - -> When using a S3-compatible storage exposing a self-signed certificate the agent will not be able to perform - the snapshot operations unless the CA used to sign the storage certificate is trusted by the node running - the agent. You can add the CA root certificate to the OS trust store to have Consul trust the storage endpoint. - #### S3 Required Permissions Different S3 permissions are required depending on the configuration of the snapshot agent. In particular extra permissions are required when @@ -249,19 +250,13 @@ The following example IAM policy document assumes that the `aws-s3-bucket` is `c { "Sid": "", "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:DeleteObject" - ], + "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::consul-data/consul-snapshots/consul-*.snap" }, { "Sid": "", "Effect": "Allow", - "Action": [ - "s3:ListBucketVersions", - "s3:ListBucket" - ], + "Action": ["s3:ListBucketVersions", "s3:ListBucket"], "Resource": "arn:aws:s3:::consul-data" } ] @@ -274,25 +269,25 @@ The following example IAM policy document assumes that the `aws-s3-bucket` is `c From Consul Enterprise version `1.5.0` onwards, you can store snapshots in Azure Blob storage. -* `-azure-blob-account-name` and `-azure-blob-account-key` - These arguments supply +- `-azure-blob-account-name` and `-azure-blob-account-key` - These arguments supply authentication information for connecting to Azure Blob storage. -* `-azure-blob-container-name` - Container to use. Required for Azure blob storage, and setting this +- `-azure-blob-container-name` - Container to use. Required for Azure blob storage, and setting this disables local storage. #### Google Cloud Storage options From Consul Enterprise version `1.6.1` onwards, you can store snapshots in Google Cloud Storage. Authentication relies on automatic discovery through the sdk as described [here](https://cloud.google.com/docs/authentication/production): -* First, ADC checks to see if the environment variable GOOGLE_APPLICATION_CREDENTIALS is set. If the variable is set, ADC uses the service account file that the variable points to. The next section describes how to set the environment variable. +- First, ADC checks to see if the environment variable GOOGLE_APPLICATION_CREDENTIALS is set. If the variable is set, ADC uses the service account file that the variable points to. The next section describes how to set the environment variable. -* If the environment variable isn't set, ADC uses the default service account that Compute Engine, Kubernetes Engine, App Engine, and Cloud Functions provide, for applications that run on those services. +- If the environment variable isn't set, ADC uses the default service account that Compute Engine, Kubernetes Engine, App Engine, and Cloud Functions provide, for applications that run on those services. -* If ADC can't use either of the above credentials, an error occurs. +- If ADC can't use either of the above credentials, an error occurs. This integration needs the following information: -* `-gcs-bucket` supplies the bucket to use. +- `-gcs-bucket` supplies the bucket to use. ## Examples diff --git a/website/pages/docs/commands/snapshot/inspect.html.markdown.erb b/website/pages/docs/commands/snapshot/inspect.mdx similarity index 58% rename from website/pages/docs/commands/snapshot/inspect.html.markdown.erb rename to website/pages/docs/commands/snapshot/inspect.mdx index 2bed91c019..ef4d4a2546 100644 --- a/website/pages/docs/commands/snapshot/inspect.html.markdown.erb +++ b/website/pages/docs/commands/snapshot/inspect.mdx @@ -1,47 +1,47 @@ ---- -layout: "docs" -page_title: "Commands: Snapshot Inspect" -sidebar_current: "docs-commands-snapshot-inspect" ---- - -# Consul Snapshot Inspect - -Command: `consul snapshot inspect` - -The `snapshot inspect` command is used to inspect an atomic, point-in-time -snapshot of the state of the Consul servers which includes key/value entries, -service catalog, prepared queries, sessions, and ACLs. The snapshot is read -from the given file. - -The following fields are displayed when inspecting a snapshot: - -* `ID` - A unique ID for the snapshot, only used for differentiation purposes. - -* `Size` - The size of the snapshot, in bytes. - -* `Index` - The Raft index of the latest log entry in the snapshot. - -* `Term` - The Raft term of the latest log entry in the snapshot. - -* `Version` - The snapshot format version. This only refers to the structure of - the snapshot, not the data contained within. - -## Usage - -Usage: `consul snapshot inspect [options] FILE` - -## Examples - -To inspect a snapshot from the file "backup.snap": - -```text -$ consul snapshot inspect backup.snap -ID 2-5-1477944140022 -Size 667 -Index 5 -Term 2 -Version 1 -``` - -Please see the [HTTP API](/api/snapshot.html) documentation for -more details about snapshot internals. \ No newline at end of file +--- +layout: docs +page_title: 'Commands: Snapshot Inspect' +sidebar_current: docs-commands-snapshot-inspect +--- + +# Consul Snapshot Inspect + +Command: `consul snapshot inspect` + +The `snapshot inspect` command is used to inspect an atomic, point-in-time +snapshot of the state of the Consul servers which includes key/value entries, +service catalog, prepared queries, sessions, and ACLs. The snapshot is read +from the given file. + +The following fields are displayed when inspecting a snapshot: + +- `ID` - A unique ID for the snapshot, only used for differentiation purposes. + +- `Size` - The size of the snapshot, in bytes. + +- `Index` - The Raft index of the latest log entry in the snapshot. + +- `Term` - The Raft term of the latest log entry in the snapshot. + +- `Version` - The snapshot format version. This only refers to the structure of + the snapshot, not the data contained within. + +## Usage + +Usage: `consul snapshot inspect [options] FILE` + +## Examples + +To inspect a snapshot from the file "backup.snap": + +```text +$ consul snapshot inspect backup.snap +ID 2-5-1477944140022 +Size 667 +Index 5 +Term 2 +Version 1 +``` + +Please see the [HTTP API](/api/snapshot.html) documentation for +more details about snapshot internals. diff --git a/website/pages/docs/commands/snapshot/restore.html.markdown.erb b/website/pages/docs/commands/snapshot/restore.mdx similarity index 82% rename from website/pages/docs/commands/snapshot/restore.html.markdown.erb rename to website/pages/docs/commands/snapshot/restore.mdx index 667b10d1db..b8277fc3a9 100644 --- a/website/pages/docs/commands/snapshot/restore.html.markdown.erb +++ b/website/pages/docs/commands/snapshot/restore.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Snapshot Restore" -sidebar_current: "docs-commands-snapshot-restore" +layout: docs +page_title: 'Commands: Snapshot Restore' +sidebar_current: docs-commands-snapshot-restore --- # Consul Snapshot Restore @@ -27,8 +27,8 @@ Usage: `consul snapshot restore [options] FILE` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' ## Examples diff --git a/website/pages/docs/commands/snapshot/save.html.markdown.erb b/website/pages/docs/commands/snapshot/save.mdx similarity index 86% rename from website/pages/docs/commands/snapshot/save.html.markdown.erb rename to website/pages/docs/commands/snapshot/save.mdx index 3e7f12ab99..1de6704a43 100644 --- a/website/pages/docs/commands/snapshot/save.html.markdown.erb +++ b/website/pages/docs/commands/snapshot/save.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: Snapshot Save" -sidebar_current: "docs-commands-snapshot-save" +layout: docs +page_title: 'Commands: Snapshot Save' +sidebar_current: docs-commands-snapshot-save --- # Consul Snapshot Save @@ -22,8 +22,8 @@ Usage: `consul snapshot save [options] FILE` #### API Options -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' ## Examples diff --git a/website/pages/docs/commands/tls.html.md b/website/pages/docs/commands/tls.mdx similarity index 95% rename from website/pages/docs/commands/tls.html.md rename to website/pages/docs/commands/tls.mdx index 914e3bcb08..9424b30f74 100644 --- a/website/pages/docs/commands/tls.html.md +++ b/website/pages/docs/commands/tls.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: TLS' -sidebar_current: 'docs-commands-tls' +sidebar_current: docs-commands-tls --- # Consul TLS diff --git a/website/pages/docs/commands/tls/ca.html.md.erb b/website/pages/docs/commands/tls/ca.mdx similarity index 76% rename from website/pages/docs/commands/tls/ca.html.md.erb rename to website/pages/docs/commands/tls/ca.mdx index 73edf126b8..242bf7434c 100644 --- a/website/pages/docs/commands/tls/ca.html.md.erb +++ b/website/pages/docs/commands/tls/ca.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: TLS CA Create" -sidebar_current: "docs-commands-tls-ca" +layout: docs +page_title: 'Commands: TLS CA Create' +sidebar_current: docs-commands-tls-ca --- # Consul TLS CA Create @@ -21,8 +21,9 @@ $ consul tls ca create ``` ## Usage + Usage: `consul tls ca create [filename-prefix] [options]` #### TLS CA Create Options -- `-days=` - Provide number of days the CA is valid for from now on, defaults to 5 years. \ No newline at end of file +- `-days=` - Provide number of days the CA is valid for from now on, defaults to 5 years. diff --git a/website/pages/docs/commands/tls/cert.html.md.erb b/website/pages/docs/commands/tls/cert.mdx similarity index 94% rename from website/pages/docs/commands/tls/cert.html.md.erb rename to website/pages/docs/commands/tls/cert.mdx index 2d1f5607d3..c1fa064482 100644 --- a/website/pages/docs/commands/tls/cert.html.md.erb +++ b/website/pages/docs/commands/tls/cert.mdx @@ -1,7 +1,7 @@ --- -layout: "docs" -page_title: "Commands: TLS Cert Create" -sidebar_current: "docs-commands-tls-cert" +layout: docs +page_title: 'Commands: TLS Cert Create' +sidebar_current: docs-commands-tls-cert --- # Consul TLS Cert Create @@ -43,6 +43,7 @@ $ consul tls cert create -cli ==> Saved consul-cli-0.pem ==> Saved consul-cli-0-key.pem ``` + ## Usage Usage: `consul tls cert create [filename-prefix] [options]` diff --git a/website/pages/docs/commands/validate.html.md b/website/pages/docs/commands/validate.mdx similarity index 86% rename from website/pages/docs/commands/validate.html.md rename to website/pages/docs/commands/validate.mdx index fdd4d665f8..9ff780bc25 100644 --- a/website/pages/docs/commands/validate.html.md +++ b/website/pages/docs/commands/validate.mdx @@ -1,11 +1,11 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: Validate' -sidebar_current: 'docs-commands-validate' +sidebar_current: docs-commands-validate description: > - The `consul validate` command tests that config files are valid by - attempting to parse them. Useful to ensure a configuration change will - not cause consul to fail after a restart. + The `consul validate` command tests that config files are valid by attempting + to parse them. Useful to ensure a configuration change will not cause consul + to fail after a restart. --- # Consul Validate diff --git a/website/pages/docs/commands/version.html.md b/website/pages/docs/commands/version.mdx similarity index 77% rename from website/pages/docs/commands/version.html.md rename to website/pages/docs/commands/version.mdx index 1e44cd48b5..bc994fc9ba 100644 --- a/website/pages/docs/commands/version.html.md +++ b/website/pages/docs/commands/version.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' +layout: docs page_title: 'Commands: Version' -sidebar_current: 'docs-commands-version' -description: |- - The `version` command prints the version of Consul and the protocol versions it understands for speaking to other agents. +sidebar_current: docs-commands-version +description: >- + The `version` command prints the version of Consul and the protocol versions + it understands for speaking to other agents. --- # Consul Version diff --git a/website/pages/docs/commands/watch.html.markdown.erb b/website/pages/docs/commands/watch.html.markdown.erb deleted file mode 100644 index 50b29702ac..0000000000 --- a/website/pages/docs/commands/watch.html.markdown.erb +++ /dev/null @@ -1,57 +0,0 @@ ---- -layout: "docs" -page_title: "Commands: Watch" -sidebar_current: "docs-commands-watch" -description: |- - The `watch` command provides a mechanism to watch for changes in a particular data view (list of nodes, service members, key value, etc) and to invoke a process with the latest values of the view. If no process is specified, the current values are dumped to stdout which can be a useful way to inspect data in Consul. ---- - -# Consul Watch - -Command: `consul watch` - -The `watch` command provides a mechanism to watch for changes in a particular -data view (list of nodes, service members, key value, etc) and to invoke -a process with the latest values of the view. If no process is specified, -the current values are dumped to STDOUT which can be a useful way to inspect -data in Consul. - -There is more [documentation on watches here](/docs/agent/watches.html). - -## Usage - -Usage: `consul watch [options] [child...]` - -The only required option is `-type` which specifies the particular -data view. Depending on the type, various options may be required -or optionally provided. There is more documentation on watch -[specifications here](/docs/agent/watches.html). - -#### API Options - -<%= partial "docs/commands/http_api_options_client" %> -<%= partial "docs/commands/http_api_options_server" %> - -#### Command Options - -* `-key` - Key to watch. Only for `key` type. - -* `-name`- Event name to watch. Only for `event` type. - -* `-passingonly=[true|false]` - Should only passing entries be returned. Defaults to - `false` and only applies for `service` type. - -* `-prefix` - Key prefix to watch. Only for `keyprefix` type. - -* `-service` - Service to watch. Required for `service` type, optional for `checks` type. - -* `-shell` - Optional, use a shell to run the command (can set a custom shell via the - SHELL environment variable). The default value is true. - -* `-state` - Check state to filter on. Optional for `checks` type. - -* `-tag` - Service tag to filter on. Optional for `service` type. - -* `-type` - Watch type. Required, one of "`key`, `keyprefix`, `services`, - `nodes`, `service`, `checks`, or `event`. - diff --git a/website/pages/docs/commands/watch.mdx b/website/pages/docs/commands/watch.mdx new file mode 100644 index 0000000000..8d5146eb7f --- /dev/null +++ b/website/pages/docs/commands/watch.mdx @@ -0,0 +1,60 @@ +--- +layout: docs +page_title: 'Commands: Watch' +sidebar_current: docs-commands-watch +description: >- + The `watch` command provides a mechanism to watch for changes in a particular + data view (list of nodes, service members, key value, etc) and to invoke a + process with the latest values of the view. If no process is specified, the + current values are dumped to stdout which can be a useful way to inspect data + in Consul. +--- + +# Consul Watch + +Command: `consul watch` + +The `watch` command provides a mechanism to watch for changes in a particular +data view (list of nodes, service members, key value, etc) and to invoke +a process with the latest values of the view. If no process is specified, +the current values are dumped to STDOUT which can be a useful way to inspect +data in Consul. + +There is more [documentation on watches here](/docs/agent/watches.html). + +## Usage + +Usage: `consul watch [options] [child...]` + +The only required option is `-type` which specifies the particular +data view. Depending on the type, various options may be required +or optionally provided. There is more documentation on watch +[specifications here](/docs/agent/watches.html). + +#### API Options + +@include 'http_api_options_client.mdx' +@include 'http_api_options_server.mdx' + +#### Command Options + +- `-key` - Key to watch. Only for `key` type. + +- `-name`- Event name to watch. Only for `event` type. + +- `-passingonly=[true|false]` - Should only passing entries be returned. Defaults to + `false` and only applies for `service` type. + +- `-prefix` - Key prefix to watch. Only for `keyprefix` type. + +- `-service` - Service to watch. Required for `service` type, optional for `checks` type. + +- `-shell` - Optional, use a shell to run the command (can set a custom shell via the + SHELL environment variable). The default value is true. + +- `-state` - Check state to filter on. Optional for `checks` type. + +- `-tag` - Service tag to filter on. Optional for `service` type. + +- `-type` - Watch type. Required, one of "`key`, `keyprefix`, `services`, + `nodes`, `service`, `checks`, or `event`. diff --git a/website/pages/docs/common-errors.html.md b/website/pages/docs/common-errors.mdx similarity index 98% rename from website/pages/docs/common-errors.html.md rename to website/pages/docs/common-errors.mdx index 04fcb61b98..e5718777d2 100644 --- a/website/pages/docs/common-errors.html.md +++ b/website/pages/docs/common-errors.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Common Error Messages' -sidebar_current: 'docs-common-errors' +layout: docs +page_title: Common Error Messages +sidebar_current: docs-common-errors --- # Common Error Messages diff --git a/website/pages/docs/compatibility.html.md b/website/pages/docs/compatibility.mdx similarity index 80% rename from website/pages/docs/compatibility.html.md rename to website/pages/docs/compatibility.mdx index c79c756078..9d61995671 100644 --- a/website/pages/docs/compatibility.html.md +++ b/website/pages/docs/compatibility.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Consul Protocol Compatibility Promise' -sidebar_current: 'docs-upgrading-compatibility' -description: |- - We expect Consul to run in large clusters of long-running agents. Because safely upgrading agents in this sort of environment relies heavily on backwards compatibility, we have a strong commitment to keeping different Consul versions protocol-compatible with each other. +layout: docs +page_title: Consul Protocol Compatibility Promise +sidebar_current: docs-upgrading-compatibility +description: >- + We expect Consul to run in large clusters of long-running agents. Because + safely upgrading agents in this sort of environment relies heavily on + backwards compatibility, we have a strong commitment to keeping different + Consul versions protocol-compatible with each other. --- # Protocol Compatibility Promise @@ -53,7 +56,10 @@ For more details on the specifics of upgrading, see the [upgrading page](/docs/u >= 0.7 - 2, 3. Will automatically use protocol > 2 when speaking to compatible agents + + 2, 3. Will automatically use protocol > 2 when speaking to compatible + agents + diff --git a/website/pages/docs/connect/ca.html.md b/website/pages/docs/connect/ca.mdx similarity index 98% rename from website/pages/docs/connect/ca.html.md rename to website/pages/docs/connect/ca.mdx index 7c5bcc5e5f..eeb2cc7c53 100644 --- a/website/pages/docs/connect/ca.html.md +++ b/website/pages/docs/connect/ca.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Connect - Certificate Management' -sidebar_current: 'docs-connect-ca' -description: |- - An overview of the Connect Certificate Authority mechanisms. +layout: docs +page_title: Connect - Certificate Management +sidebar_current: docs-connect-ca +description: An overview of the Connect Certificate Authority mechanisms. --- # Connect Certificate Management diff --git a/website/pages/docs/connect/ca/aws.html.md b/website/pages/docs/connect/ca/aws.mdx similarity index 97% rename from website/pages/docs/connect/ca/aws.html.md rename to website/pages/docs/connect/ca/aws.mdx index e8ac4cb4f7..785e1a2775 100644 --- a/website/pages/docs/connect/ca/aws.html.md +++ b/website/pages/docs/connect/ca/aws.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Connect - Certificate Management' -sidebar_current: 'docs-connect-ca-aws' -description: |- - Consul can be used with AWS Certificate Manager Private CA to manage and sign certificates. +layout: docs +page_title: Connect - Certificate Management +sidebar_current: docs-connect-ca-aws +description: >- + Consul can be used with AWS Certificate Manager Private CA to manage and sign + certificates. --- # AWS Certificate Manager Private CA as a Connect CA diff --git a/website/pages/docs/connect/ca/consul.html.md b/website/pages/docs/connect/ca/consul.mdx similarity index 94% rename from website/pages/docs/connect/ca/consul.html.md rename to website/pages/docs/connect/ca/consul.mdx index 1c882ea748..2cb9d989a5 100644 --- a/website/pages/docs/connect/ca/consul.html.md +++ b/website/pages/docs/connect/ca/consul.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Connect - Certificate Management' -sidebar_current: 'docs-connect-ca-consul' -description: |- - Consul ships with a built-in CA system so that Connect can be easily enabled out of the box. The built-in CA generates and stores the root certificate and private key on Consul servers. It can also be configured with a custom certificate and private key if needed. +layout: docs +page_title: Connect - Certificate Management +sidebar_current: docs-connect-ca-consul +description: >- + Consul ships with a built-in CA system so that Connect can be easily enabled + out of the box. The built-in CA generates and stores the root certificate and + private key on Consul servers. It can also be configured with a custom + certificate and private key if needed. --- # Built-In CA diff --git a/website/pages/docs/connect/ca/vault.html.md b/website/pages/docs/connect/ca/vault.mdx similarity index 95% rename from website/pages/docs/connect/ca/vault.html.md rename to website/pages/docs/connect/ca/vault.mdx index 0fc0510f6f..893ece4e07 100644 --- a/website/pages/docs/connect/ca/vault.html.md +++ b/website/pages/docs/connect/ca/vault.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Connect - Certificate Management' -sidebar_current: 'docs-connect-ca-vault' -description: |- - Consul can be used with Vault to manage and sign certificates. The Vault CA provider uses the Vault PKI secrets engine to generate and sign certificates. +layout: docs +page_title: Connect - Certificate Management +sidebar_current: docs-connect-ca-vault +description: >- + Consul can be used with Vault to manage and sign certificates. The Vault CA + provider uses the Vault PKI secrets engine to generate and sign certificates. --- # Vault as a Connect CA diff --git a/website/pages/docs/connect/configuration.html.md b/website/pages/docs/connect/configuration.mdx similarity index 94% rename from website/pages/docs/connect/configuration.html.md rename to website/pages/docs/connect/configuration.mdx index bd0a524d73..7afa1b7e61 100644 --- a/website/pages/docs/connect/configuration.html.md +++ b/website/pages/docs/connect/configuration.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Connect - Configuration' -sidebar_current: 'docs-connect-config' -description: |- - A Connect-aware proxy enables unmodified applications to use Connect. A per-service proxy sidecar transparently handles inbound and outbound service connections, automatically wrapping and verifying TLS connections. +layout: docs +page_title: Connect - Configuration +sidebar_current: docs-connect-config +description: >- + A Connect-aware proxy enables unmodified applications to use Connect. A + per-service proxy sidecar transparently handles inbound and outbound service + connections, automatically wrapping and verifying TLS connections. --- # Connect Configuration diff --git a/website/pages/docs/connect/connect-internals.html.md b/website/pages/docs/connect/connect-internals.mdx similarity index 97% rename from website/pages/docs/connect/connect-internals.html.md rename to website/pages/docs/connect/connect-internals.mdx index 8be33a7d60..29b0016353 100644 --- a/website/pages/docs/connect/connect-internals.html.md +++ b/website/pages/docs/connect/connect-internals.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Connect - Architecture' -sidebar_current: 'docs-connect-internals' -description: |- - This page details the internals of Consul Connect: mutual TLS, agent caching and performance, intention and certificate authority replication. +layout: docs +page_title: Connect - Architecture +sidebar_current: docs-connect-internals +description: >- + This page details the internals of Consul Connect: mutual TLS, agent caching + and performance, intention and certificate authority replication. --- # How Connect Works diff --git a/website/pages/docs/connect/dev.html.md b/website/pages/docs/connect/dev.mdx similarity index 85% rename from website/pages/docs/connect/dev.html.md rename to website/pages/docs/connect/dev.mdx index 2147ae5ba5..05b8cb6bd7 100644 --- a/website/pages/docs/connect/dev.html.md +++ b/website/pages/docs/connect/dev.mdx @@ -1,9 +1,13 @@ --- -layout: 'docs' -page_title: 'Connect - Development and Debugging' -sidebar_current: 'docs-connect-dev' -description: |- - It is often necessary to connect to a service for development or debugging. If a service only exposes a Connect listener, then we need a way to establish a mutual TLS connection to the service. The `consul connect proxy` command can be used for this task on any machine with access to a Consul agent (local or remote). +layout: docs +page_title: Connect - Development and Debugging +sidebar_current: docs-connect-dev +description: >- + It is often necessary to connect to a service for development or debugging. If + a service only exposes a Connect listener, then we need a way to establish a + mutual TLS connection to the service. The `consul connect proxy` command can + be used for this task on any machine with access to a Consul agent (local or + remote). --- # Developing and Debugging Connect Services diff --git a/website/pages/docs/connect/index.html.md b/website/pages/docs/connect/index.mdx similarity index 93% rename from website/pages/docs/connect/index.html.md rename to website/pages/docs/connect/index.mdx index c59f0dce35..0f027ad2e1 100644 --- a/website/pages/docs/connect/index.html.md +++ b/website/pages/docs/connect/index.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Connect (Service Segmentation)' -sidebar_current: 'docs-connect-index' +layout: docs +page_title: Connect (Service Segmentation) +sidebar_current: docs-connect-index description: |- Consul Connect provides service-to-service connection authorization and encryption using mutual TLS. @@ -20,7 +20,13 @@ communications. Review the video below to learn more about Consul Connect from HashiCorp's co-founder Armon. - + ## Application Security diff --git a/website/pages/docs/connect/intentions.html.md b/website/pages/docs/connect/intentions.mdx similarity index 97% rename from website/pages/docs/connect/intentions.html.md rename to website/pages/docs/connect/intentions.mdx index 0cf42ccd6a..1d403f13da 100644 --- a/website/pages/docs/connect/intentions.html.md +++ b/website/pages/docs/connect/intentions.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Connect - Intentions' -sidebar_current: 'docs-connect-intentions' -description: |- - Intentions define access control for services via Connect and are used to control which services may establish connections. Intentions can be managed via the API, CLI, or UI. +layout: docs +page_title: Connect - Intentions +sidebar_current: docs-connect-intentions +description: >- + Intentions define access control for services via Connect and are used to + control which services may establish connections. Intentions can be managed + via the API, CLI, or UI. --- # Intentions diff --git a/website/pages/docs/connect/l7-traffic-management.html.md b/website/pages/docs/connect/l7-traffic-management.mdx similarity index 95% rename from website/pages/docs/connect/l7-traffic-management.html.md rename to website/pages/docs/connect/l7-traffic-management.mdx index a515e9454b..076472eb71 100644 --- a/website/pages/docs/connect/l7-traffic-management.html.md +++ b/website/pages/docs/connect/l7-traffic-management.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Connect - L7 Traffic Management' -sidebar_current: 'docs-connect-l7_traffic_management' -description: |- - Layer 7 traffic management allows operators to divide L7 traffic between different subsets of service instances when using Connect. +layout: docs +page_title: Connect - L7 Traffic Management +sidebar_current: docs-connect-l7_traffic_management +description: >- + Layer 7 traffic management allows operators to divide L7 traffic between + different subsets of service instances when using Connect. --- -> **1.6.0+:** This feature is available in Consul versions 1.6.0 and newer. diff --git a/website/pages/docs/connect/mesh_gateway.html.md b/website/pages/docs/connect/mesh_gateway.mdx similarity index 96% rename from website/pages/docs/connect/mesh_gateway.html.md rename to website/pages/docs/connect/mesh_gateway.mdx index 5bf6cca2d3..e400e62d9f 100644 --- a/website/pages/docs/connect/mesh_gateway.html.md +++ b/website/pages/docs/connect/mesh_gateway.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Connect - Mesh Gateways' -sidebar_current: 'docs-connect-meshgateways' -description: |- - A Mesh Gateway enables better routing of a Connect service's data to upstreams in other datacenters. This section details how to use Envoy and describes how you can plug in a gateway of your choice. +layout: docs +page_title: Connect - Mesh Gateways +sidebar_current: docs-connect-meshgateways +description: >- + A Mesh Gateway enables better routing of a Connect service's data to upstreams + in other datacenters. This section details how to use Envoy and describes how + you can plug in a gateway of your choice. --- -> **1.6.0+:** This feature is available in Consul versions 1.6.0 and newer. diff --git a/website/pages/docs/connect/native.html.md b/website/pages/docs/connect/native.mdx similarity index 95% rename from website/pages/docs/connect/native.html.md rename to website/pages/docs/connect/native.mdx index 2ba1eb0c57..fef18af66e 100644 --- a/website/pages/docs/connect/native.html.md +++ b/website/pages/docs/connect/native.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Connect - Native Application Integration' -sidebar_current: 'docs-connect-native' -description: |- - Applications can natively integrate with the Connect API to support accepting and establishing connections to other Connect services without the overhead of a proxy sidecar. +layout: docs +page_title: Connect - Native Application Integration +sidebar_current: docs-connect-native +description: >- + Applications can natively integrate with the Connect API to support accepting + and establishing connections to other Connect services without the overhead of + a proxy sidecar. --- # Connect-Native App Integration @@ -41,7 +43,7 @@ details may seem complex, but this is a _regular mutual TLS connection_ with an API call to verify the incoming client certificate.
-![Native Integration Overview](connect-native-overview.png) + ![Native Integration Overview](connect-native-overview.png)
Details on the steps are below: diff --git a/website/pages/docs/connect/native/go.html.md b/website/pages/docs/connect/native/go.mdx similarity index 96% rename from website/pages/docs/connect/native/go.html.md rename to website/pages/docs/connect/native/go.mdx index a98f3f1750..1410632cb9 100644 --- a/website/pages/docs/connect/native/go.html.md +++ b/website/pages/docs/connect/native/go.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Connect - Native Application Integration - Go' -sidebar_current: 'docs-connect-native-go' -description: |- - We provide a library that makes it drop-in simple to integrate Connect with most Go applications. For most Go applications, Connect can be natively integrated in just a single line of code excluding imports and struct initialization. +layout: docs +page_title: Connect - Native Application Integration - Go +sidebar_current: docs-connect-native-go +description: >- + We provide a library that makes it drop-in simple to integrate Connect with + most Go applications. For most Go applications, Connect can be natively + integrated in just a single line of code excluding imports and struct + initialization. --- # Connect-Native Integration with Go diff --git a/website/pages/docs/connect/observability.html.md b/website/pages/docs/connect/observability.mdx similarity index 95% rename from website/pages/docs/connect/observability.html.md rename to website/pages/docs/connect/observability.mdx index 54a889cf0c..b21c959c8c 100644 --- a/website/pages/docs/connect/observability.html.md +++ b/website/pages/docs/connect/observability.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Connect - Observability' -sidebar_current: 'docs-connect-observability' +layout: docs +page_title: Connect - Observability +sidebar_current: docs-connect-observability description: |- This page documents the configurations necessary for L7 observability using Consul Connect. diff --git a/website/pages/docs/connect/platform/nomad.html.md b/website/pages/docs/connect/platform/nomad.mdx similarity index 82% rename from website/pages/docs/connect/platform/nomad.html.md rename to website/pages/docs/connect/platform/nomad.mdx index 6efa57891b..9922a78cb1 100644 --- a/website/pages/docs/connect/platform/nomad.html.md +++ b/website/pages/docs/connect/platform/nomad.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Connect - Nomad' -sidebar_current: 'docs-connect-platform-nomad' -description: |- - Connect can be used with [Nomad](https://www.nomadproject.io) to provide secure service-to-service communication between Nomad jobs. The ability to use the dynamic port feature of Nomad makes Connect particularly easy to use. +layout: docs +page_title: Connect - Nomad +sidebar_current: docs-connect-platform-nomad +description: >- + Connect can be used with [Nomad](https://www.nomadproject.io) to provide + secure service-to-service communication between Nomad jobs. The ability to use + the dynamic port feature of Nomad makes Connect particularly easy to use. --- # Connect on Nomad diff --git a/website/pages/docs/connect/proxies.html.md b/website/pages/docs/connect/proxies.mdx similarity index 85% rename from website/pages/docs/connect/proxies.html.md rename to website/pages/docs/connect/proxies.mdx index a3a654774f..bca44140af 100644 --- a/website/pages/docs/connect/proxies.html.md +++ b/website/pages/docs/connect/proxies.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Connect - Proxies' -sidebar_current: 'docs-connect-proxies' -description: |- - A Connect-aware proxy enables unmodified applications to use Connect. This section details how to use either Envoy or Consul's built-in L4 proxy, and describes how you can plug in a proxy of your choice. +layout: docs +page_title: Connect - Proxies +sidebar_current: docs-connect-proxies +description: >- + A Connect-aware proxy enables unmodified applications to use Connect. This + section details how to use either Envoy or Consul's built-in L4 proxy, and + describes how you can plug in a proxy of your choice. --- # Connect Proxies diff --git a/website/pages/docs/connect/proxies/built-in.md b/website/pages/docs/connect/proxies/built-in.md deleted file mode 100644 index a16ae080e1..0000000000 --- a/website/pages/docs/connect/proxies/built-in.md +++ /dev/null @@ -1,115 +0,0 @@ ---- -layout: 'docs' -page_title: 'Connect - Built-in Proxy' -sidebar_current: 'docs-connect-proxies-built-in' -description: |- - Consul Connect comes with a built-in proxy for testing and development. ---- - -# Built-In Proxy Options - -Consul comes with a built-in L4 proxy for testing and development with Consul -Connect. - -~> **Note:** [Envoy](https://www.consul.io/docs/connect/proxies/envoy.html) should be used for production deployments, or when [layer 7 traffic management](https://www.consul.io/docs/connect/l7-traffic-management.html) features are needed. - -## Getting Started - -To get started with the built-in proxy and see a working example you can follow the [Getting Started](https://learn.hashicorp.com/consul/getting-started/connect) guide. - -## Proxy Config Key Reference - -Below is a complete example of all the configuration options available -for the built-in proxy. - -```javascript -{ - "service": { - ... - "connect": { - "proxy": { - "config": { - "bind_address": "0.0.0.0", - "bind_port": 20000, - "tcp_check_address": "192.168.0.1", - "disable_tcp_check": false, - "local_service_address": "127.0.0.1:1234", - "local_connect_timeout_ms": 1000, - "handshake_timeout_ms": 10000, - "upstreams": [...] - }, - "upstreams": [ - { - ... - "config": { - "connect_timeout_ms": 1000 - } - } - ] - } - } - } -} -``` - -All fields are optional with a sane default. - -- `bind_address` - - The address the proxy will bind it's _public_ mTLS listener to. It - defaults to the same address the agent binds to. - -- `bind_port` - The - port the proxy will bind it's _public_ mTLS listener to. If not provided, the - agent will attempt to assign one from its [configured proxy port - range](/docs/agent/options.html#proxy_min_port) if available. By default the - range is [20000, 20255] and the port is selected at random from that range. - -- `tcp_check_address` - The address the agent will - run a [TCP health check](/docs/agent/checks.html) against. By default this is - the same as the proxy's [bind address](#bind_address) except if the - bind*address is `0.0.0.0` or `[::]` in which case this defaults to `127.0.0.1` - and assumes the agent can dial the proxy over loopback. For more complex - configurations where agent and proxy communicate over a bridge for example, - this configuration can be used to specify a different \_address* (but not port) - for the agent to use for health checks if it can't talk to the proxy over - localhost or it's publicly advertised port. The check always uses the same - port that the proxy is bound to. - -- `disable_tcp_check` - If true, this disables a - TCP check being setup for the proxy. Default is false. - -- `local_service_address` - The - `[address]:port` that the proxy should use to connect to the local application - instance. By default it assumes `127.0.0.1` as the address and takes the port - from the service definition's `port` field. Note that allowing the application - to listen on any non-loopback address may expose it externally and bypass - Connect's access enforcement. It may be useful though to allow non-standard - loopback addresses or where an alternative known-private IP is available for - example when using internal networking between containers. - -- `local_connect_timeout_ms` - The number - of milliseconds the proxy will wait to establish a connection to the _local - application_ before giving up. Defaults to `1000` or 1 second. - -- `handshake_timeout_ms` - The - number of milliseconds the proxy will wait for _incoming_ mTLS connections to - complete the TLS handshake. Defaults to `10000` or 10 seconds. - -- `upstreams` - **Deprecated** - Upstreams are now specified in the `connect.proxy` definition. Upstreams - specified in the opaque config map here will continue to work for - compatibility but it's strongly recommended that you move to using the higher - level [upstream - configuration](/docs/connect/registration/service-registration.html#upstream-configuration-reference). - -## Proxy Upstream Config Key Reference - -All fields are optional with a sane default. - -- `connect_timeout_ms` - The number of - milliseconds the proxy will wait to establish a TLS connection to the - discovered upstream instance before giving up. Defaults to `10000` or 10 - seconds. diff --git a/website/pages/docs/connect/proxies/built-in.mdx b/website/pages/docs/connect/proxies/built-in.mdx new file mode 100644 index 0000000000..f2a2a0c40c --- /dev/null +++ b/website/pages/docs/connect/proxies/built-in.mdx @@ -0,0 +1,115 @@ +--- +layout: docs +page_title: Connect - Built-in Proxy +sidebar_current: docs-connect-proxies-built-in +description: Consul Connect comes with a built-in proxy for testing and development. +--- + +# Built-In Proxy Options + +Consul comes with a built-in L4 proxy for testing and development with Consul +Connect. + +~> **Note:** [Envoy](https://www.consul.io/docs/connect/proxies/envoy.html) should be used for production deployments, or when [layer 7 traffic management](https://www.consul.io/docs/connect/l7-traffic-management.html) features are needed. + +## Getting Started + +To get started with the built-in proxy and see a working example you can follow the [Getting Started](https://learn.hashicorp.com/consul/getting-started/connect) guide. + +## Proxy Config Key Reference + +Below is a complete example of all the configuration options available +for the built-in proxy. + +```javascript +{ + "service": { + ... + "connect": { + "proxy": { + "config": { + "bind_address": "0.0.0.0", + "bind_port": 20000, + "tcp_check_address": "192.168.0.1", + "disable_tcp_check": false, + "local_service_address": "127.0.0.1:1234", + "local_connect_timeout_ms": 1000, + "handshake_timeout_ms": 10000, + "upstreams": [...] + }, + "upstreams": [ + { + ... + "config": { + "connect_timeout_ms": 1000 + } + } + ] + } + } + } +} +``` + +All fields are optional with a sane default. + +- + `bind_address` - The address the proxy will bind it's + _public_ mTLS listener to. It defaults to the same address the agent binds to. + +- + `bind_port` - The port the proxy will bind it's _public_ + mTLS listener to. If not provided, the agent will attempt to assign one from its + [configured proxy port range](/docs/agent/options.html#proxy_min_port) if available. + By default the range is [20000, 20255] and the port is selected at random from + that range. + +- + `tcp_check_address` - The address the agent will + run a [TCP health check](/docs/agent/checks.html) against. By default this is the + same as the proxy's [bind address](#bind_address) except if the bind*address is + `0.0.0.0` or `[::]` in which case this defaults to `127.0.0.1` and assumes the + agent can dial the proxy over loopback. For more complex configurations where agent + and proxy communicate over a bridge for example, this configuration can be used + to specify a different \_address* (but not port) for the agent to use for health + checks if it can't talk to the proxy over localhost or it's publicly advertised + port. The check always uses the same port that the proxy is bound to. + +- + `disable_tcp_check` - If true, this disables a + TCP check being setup for the proxy. Default is false. + +- + `local_service_address` - The `[address]:port` + that the proxy should use to connect to the local application instance. By default + it assumes `127.0.0.1` as the address and takes the port from the service definition's + `port` field. Note that allowing the application to listen on any non-loopback + address may expose it externally and bypass Connect's access enforcement. It may + be useful though to allow non-standard loopback addresses or where an alternative + known-private IP is available for example when using internal networking between + containers. + +- + `local_connect_timeout_ms` - The number + of milliseconds the proxy will wait to establish a connection to the _local application_ + before giving up. Defaults to `1000` or 1 second. + +- + `handshake_timeout_ms` - The number of milliseconds + the proxy will wait for _incoming_ mTLS connections to complete the TLS handshake. + Defaults to `10000` or 10 seconds. + +- + `upstreams` - **Deprecated** Upstreams are now specified + in the `connect.proxy` definition. Upstreams specified in the opaque config map + here will continue to work for compatibility but it's strongly recommended that + you move to using the higher level [upstream configuration](/docs/connect/registration/service-registration.html#upstream-configuration-reference). + +## Proxy Upstream Config Key Reference + +All fields are optional with a sane default. + +- + `connect_timeout_ms` - The number of milliseconds + the proxy will wait to establish a TLS connection to the discovered upstream instance + before giving up. Defaults to `10000` or 10 seconds. diff --git a/website/pages/docs/connect/proxies/envoy.md b/website/pages/docs/connect/proxies/envoy.mdx similarity index 99% rename from website/pages/docs/connect/proxies/envoy.md rename to website/pages/docs/connect/proxies/envoy.mdx index f37debd6d0..40a47a89ab 100644 --- a/website/pages/docs/connect/proxies/envoy.md +++ b/website/pages/docs/connect/proxies/envoy.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Connect - Envoy Integration' -sidebar_current: 'docs-connect-proxies-envoy' -description: |- - Consul Connect has first-class support for configuring Envoy proxy. +layout: docs +page_title: Connect - Envoy Integration +sidebar_current: docs-connect-proxies-envoy +description: Consul Connect has first-class support for configuring Envoy proxy. --- # Envoy Integration diff --git a/website/pages/docs/connect/proxies/integrate.html.md b/website/pages/docs/connect/proxies/integrate.mdx similarity index 90% rename from website/pages/docs/connect/proxies/integrate.html.md rename to website/pages/docs/connect/proxies/integrate.mdx index bea0a8aa25..901d35bc23 100644 --- a/website/pages/docs/connect/proxies/integrate.html.md +++ b/website/pages/docs/connect/proxies/integrate.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Connect - Proxy Integration' -sidebar_current: 'docs-connect-proxies-integrate' -description: |- - A Connect-aware proxy enables unmodified applications to use Connect. A per-service proxy sidecar transparently handles inbound and outbound service connections, automatically wrapping and verifying TLS connections. +layout: docs +page_title: Connect - Proxy Integration +sidebar_current: docs-connect-proxies-integrate +description: >- + A Connect-aware proxy enables unmodified applications to use Connect. A + per-service proxy sidecar transparently handles inbound and outbound service + connections, automatically wrapping and verifying TLS connections. --- # Connect Custom Proxy Integration diff --git a/website/pages/docs/connect/proxies/managed-deprecated.html.md b/website/pages/docs/connect/proxies/managed-deprecated.mdx similarity index 99% rename from website/pages/docs/connect/proxies/managed-deprecated.html.md rename to website/pages/docs/connect/proxies/managed-deprecated.mdx index eee4c788f7..8a53f1a39c 100644 --- a/website/pages/docs/connect/proxies/managed-deprecated.html.md +++ b/website/pages/docs/connect/proxies/managed-deprecated.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Connect - Deprecated Managed Proxies' -sidebar_current: 'docs-connect-proxies' +layout: docs +page_title: Connect - Deprecated Managed Proxies +sidebar_current: docs-connect-proxies description: |- Consul 1.2 launched it's Connect Beta period with a feature named Managed Proxies which are now deprecated. This page describes how they worked and why diff --git a/website/pages/docs/connect/registration.html.md b/website/pages/docs/connect/registration.mdx similarity index 85% rename from website/pages/docs/connect/registration.html.md rename to website/pages/docs/connect/registration.mdx index 63531c3de6..8cac83c958 100644 --- a/website/pages/docs/connect/registration.html.md +++ b/website/pages/docs/connect/registration.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Connect - Proxy Registration' -sidebar_current: 'docs-connect-registration' -description: |- - To make connect aware of proxies you will need to register them as Consul services. This section describes the process and options for proxy registration. +layout: docs +page_title: Connect - Proxy Registration +sidebar_current: docs-connect-registration +description: >- + To make connect aware of proxies you will need to register them as Consul + services. This section describes the process and options for proxy + registration. --- # Proxy Registration diff --git a/website/pages/docs/connect/registration/service-registration.html.md b/website/pages/docs/connect/registration/service-registration.mdx similarity index 97% rename from website/pages/docs/connect/registration/service-registration.html.md rename to website/pages/docs/connect/registration/service-registration.mdx index 1388299fef..a6d9515ee2 100644 --- a/website/pages/docs/connect/registration/service-registration.html.md +++ b/website/pages/docs/connect/registration/service-registration.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Connect - Service Registration' -sidebar_current: 'docs-connect-registration-service-registration' -description: |- - A per-service proxy sidecar transparently handles inbound and outbound service connections. You can register these sidecars with sane defaults by nesting their definitions in the service definition. +layout: docs +page_title: Connect - Service Registration +sidebar_current: docs-connect-registration-service-registration +description: >- + A per-service proxy sidecar transparently handles inbound and outbound service + connections. You can register these sidecars with sane defaults by nesting + their definitions in the service definition. --- # Proxy Service Registration diff --git a/website/pages/docs/connect/registration/sidecar-service.md b/website/pages/docs/connect/registration/sidecar-service.mdx similarity index 98% rename from website/pages/docs/connect/registration/sidecar-service.md rename to website/pages/docs/connect/registration/sidecar-service.mdx index 9a43647823..ef58465750 100644 --- a/website/pages/docs/connect/registration/sidecar-service.md +++ b/website/pages/docs/connect/registration/sidecar-service.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Connect - Sidecar Service Registration' -sidebar_current: 'docs-connect-registration-sidecar-service' +layout: docs +page_title: Connect - Sidecar Service Registration +sidebar_current: docs-connect-registration-sidecar-service description: |- Sidecar service registrations provide a convenient shorthand for registering a sidecar proxy inline with a regular service definition. diff --git a/website/pages/docs/connect/security.html.md b/website/pages/docs/connect/security.mdx similarity index 98% rename from website/pages/docs/connect/security.html.md rename to website/pages/docs/connect/security.mdx index 0913748cd5..30000bfb37 100644 --- a/website/pages/docs/connect/security.html.md +++ b/website/pages/docs/connect/security.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Connect - Security' -sidebar_current: 'docs-connect-security' +layout: docs +page_title: Connect - Security +sidebar_current: docs-connect-security description: |- Connect enables secure service-to-service communication over mutual TLS. This provides both in-transit data encryption as well as authorization. This page diff --git a/website/pages/docs/enterprise/backups/index.html.md b/website/pages/docs/enterprise/backups/index.mdx similarity index 83% rename from website/pages/docs/enterprise/backups/index.html.md rename to website/pages/docs/enterprise/backups/index.mdx index dc69dbc22c..ff7a0f7326 100644 --- a/website/pages/docs/enterprise/backups/index.html.md +++ b/website/pages/docs/enterprise/backups/index.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Consul Enterprise Automated Backups' -sidebar_current: 'docs-enterprise-backups' -description: |- - Consul Enterprise provides a highly available service that manages taking snapshots, rotation and sending backup files offsite to Amazon S3 (or S3-compatible endpoints), Google Cloud Storage, or Azure Blob Storage. +layout: docs +page_title: Consul Enterprise Automated Backups +sidebar_current: docs-enterprise-backups +description: >- + Consul Enterprise provides a highly available service that manages taking + snapshots, rotation and sending backup files offsite to Amazon S3 (or + S3-compatible endpoints), Google Cloud Storage, or Azure Blob Storage. --- # Automated Backups diff --git a/website/pages/docs/enterprise/federation/index.html.md b/website/pages/docs/enterprise/federation/index.mdx similarity index 85% rename from website/pages/docs/enterprise/federation/index.html.md rename to website/pages/docs/enterprise/federation/index.mdx index 012b3cf3df..f2eafdfa94 100644 --- a/website/pages/docs/enterprise/federation/index.html.md +++ b/website/pages/docs/enterprise/federation/index.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Consul Enterprise Advanced Federation' -sidebar_current: 'docs-enterprise-federation' -description: |- - Consul Enterprise enables you to federate Consul datacenters together on a pairwise basis, enabling partially-connected network topologies like hub-and-spoke. +layout: docs +page_title: Consul Enterprise Advanced Federation +sidebar_current: docs-enterprise-federation +description: >- + Consul Enterprise enables you to federate Consul datacenters together on a + pairwise basis, enabling partially-connected network topologies like + hub-and-spoke. --- # Consul Enterprise Advanced Federation diff --git a/website/pages/docs/enterprise/index.html.md b/website/pages/docs/enterprise/index.mdx similarity index 94% rename from website/pages/docs/enterprise/index.html.md rename to website/pages/docs/enterprise/index.mdx index 3b2e92a8e4..8bfede15e7 100644 --- a/website/pages/docs/enterprise/index.html.md +++ b/website/pages/docs/enterprise/index.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Consul Enterprise' -sidebar_current: 'docs-enterprise' -description: |- - Consul Enterprise features a number of capabilities beyond the open source offering that may be beneficial in certain workflows. +layout: docs +page_title: Consul Enterprise +sidebar_current: docs-enterprise +description: >- + Consul Enterprise features a number of capabilities beyond the open source + offering that may be beneficial in certain workflows. --- # Consul Enterprise diff --git a/website/pages/docs/enterprise/namespaces/index.html.md b/website/pages/docs/enterprise/namespaces/index.mdx similarity index 94% rename from website/pages/docs/enterprise/namespaces/index.html.md rename to website/pages/docs/enterprise/namespaces/index.mdx index f02743552e..04d1a371cb 100644 --- a/website/pages/docs/enterprise/namespaces/index.html.md +++ b/website/pages/docs/enterprise/namespaces/index.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Consul Enterprise Namespaces' -sidebar_current: 'docs-enterprise-namespaces' -description: |- - Consul Enterprise enables data isolation with Namespaces. +layout: docs +page_title: Consul Enterprise Namespaces +sidebar_current: docs-enterprise-namespaces +description: Consul Enterprise enables data isolation with Namespaces. --- # Consul Enterprise Namespaces diff --git a/website/pages/docs/enterprise/network-segments/index.html.md b/website/pages/docs/enterprise/network-segments/index.mdx similarity index 95% rename from website/pages/docs/enterprise/network-segments/index.html.md rename to website/pages/docs/enterprise/network-segments/index.mdx index ca7550fea3..90879b272a 100644 --- a/website/pages/docs/enterprise/network-segments/index.html.md +++ b/website/pages/docs/enterprise/network-segments/index.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Consul Enterprise Network Segments' -sidebar_current: 'docs-enterprise-network-segments' +layout: docs +page_title: Consul Enterprise Network Segments +sidebar_current: docs-enterprise-network-segments description: |- Consul Enterprise enables you create separate LAN gossip pools within one cluster to segment network groups. diff --git a/website/pages/docs/enterprise/read-scale/index.html.md b/website/pages/docs/enterprise/read-scale/index.mdx similarity index 81% rename from website/pages/docs/enterprise/read-scale/index.html.md rename to website/pages/docs/enterprise/read-scale/index.mdx index 87727097a2..e6e56b0c9c 100644 --- a/website/pages/docs/enterprise/read-scale/index.html.md +++ b/website/pages/docs/enterprise/read-scale/index.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Consul Enterprise Enhanced Read Scalability' -sidebar_current: 'docs-enterprise-read-scale' -description: |- - Consul Enterprise supports increased read scalability without impacting write latency by introducing +layout: docs +page_title: Consul Enterprise Enhanced Read Scalability +sidebar_current: docs-enterprise-read-scale +description: >- + Consul Enterprise supports increased read scalability without impacting write + latency by introducing + non-voting servers. --- diff --git a/website/pages/docs/enterprise/redundancy/index.html.md b/website/pages/docs/enterprise/redundancy/index.mdx similarity index 89% rename from website/pages/docs/enterprise/redundancy/index.html.md rename to website/pages/docs/enterprise/redundancy/index.mdx index 5453fa6a8f..c3c28b9ca0 100644 --- a/website/pages/docs/enterprise/redundancy/index.html.md +++ b/website/pages/docs/enterprise/redundancy/index.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Consul Enterprise Redundancy Zones' -sidebar_current: 'docs-enterprise-redundancy' -description: |- - Consul Enterprise redundancy zones enable hot standby servers on a per availability zone basis. +layout: docs +page_title: Consul Enterprise Redundancy Zones +sidebar_current: docs-enterprise-redundancy +description: >- + Consul Enterprise redundancy zones enable hot standby servers on a per + availability zone basis. --- # Redundancy Zones diff --git a/website/pages/docs/enterprise/sentinel/index.html.markdown.erb b/website/pages/docs/enterprise/sentinel/index.mdx similarity index 69% rename from website/pages/docs/enterprise/sentinel/index.html.markdown.erb rename to website/pages/docs/enterprise/sentinel/index.mdx index 0f1f54f141..24d91c8485 100644 --- a/website/pages/docs/enterprise/sentinel/index.html.markdown.erb +++ b/website/pages/docs/enterprise/sentinel/index.mdx @@ -1,12 +1,15 @@ --- -layout: "docs" -page_title: "Sentinel in Consul" -sidebar_current: "docs-enterprise-sentinel" -description: |- - Consul Enterprise uses Sentinel to augment the built-in ACL system to provide advanced policy enforcement. Sentinel policies can currently execute on KV modify and service registration. +layout: docs +page_title: Sentinel in Consul +sidebar_current: docs-enterprise-sentinel +description: >- + Consul Enterprise uses Sentinel to augment the built-in ACL system to provide + advanced policy enforcement. Sentinel policies can currently execute on KV + modify and service registration. --- # Sentinel in Consul + Sentinel policies extend the ACL system in Consul beyond static "read", "write", and "deny" policies to support full conditional logic and integration with external systems. [Learn more about Sentinel here.](https://docs.hashicorp.com/sentinel/concepts/). @@ -14,5 +17,3 @@ external systems. [Learn more about Sentinel here.](https://docs.hashicorp.com/s To get started with Sentinel in Consul, [read the general documentation](https://docs.hashicorp.com/sentinel/consul/) or [Consul documentation](/docs/agent/sentinel.html). - - diff --git a/website/pages/docs/enterprise/upgrades/index.html.md b/website/pages/docs/enterprise/upgrades/index.mdx similarity index 82% rename from website/pages/docs/enterprise/upgrades/index.html.md rename to website/pages/docs/enterprise/upgrades/index.mdx index 1096ca7a79..ebe5be0ef6 100644 --- a/website/pages/docs/enterprise/upgrades/index.html.md +++ b/website/pages/docs/enterprise/upgrades/index.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Consul Enterprise Automated Upgrades' -sidebar_current: 'docs-enterprise-upgrades' -description: |- - Consul Enterprise supports an upgrade pattern that allows operators to deploy a complete cluster of new servers and then just wait for the upgrade to complete. +layout: docs +page_title: Consul Enterprise Automated Upgrades +sidebar_current: docs-enterprise-upgrades +description: >- + Consul Enterprise supports an upgrade pattern that allows operators to deploy + a complete cluster of new servers and then just wait for the upgrade to + complete. --- # Automated Upgrades diff --git a/website/pages/docs/faq.html.md b/website/pages/docs/faq.mdx similarity index 98% rename from website/pages/docs/faq.html.md rename to website/pages/docs/faq.mdx index 777e72fede..421581e382 100644 --- a/website/pages/docs/faq.html.md +++ b/website/pages/docs/faq.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Frequently Asked Questions' -sidebar_current: 'docs-faq' +layout: docs +page_title: Frequently Asked Questions +sidebar_current: docs-faq --- # Frequently Asked Questions diff --git a/website/pages/docs/glossary.html.md b/website/pages/docs/glossary.mdx similarity index 96% rename from website/pages/docs/glossary.html.md rename to website/pages/docs/glossary.mdx index 642f232fe8..705a6f1b8e 100644 --- a/website/pages/docs/glossary.html.md +++ b/website/pages/docs/glossary.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Consul Glossary' -sidebar_current: 'docs-glossary' -description: |- - This page collects brief definitions of some of the technical terms used in the documentation. +layout: docs +page_title: Consul Glossary +sidebar_current: docs-glossary +description: >- + This page collects brief definitions of some of the technical terms used in + the documentation. --- # Consul Glossary diff --git a/website/pages/docs/guides/acl-index.html.md b/website/pages/docs/guides/acl-index.mdx similarity index 93% rename from website/pages/docs/guides/acl-index.html.md rename to website/pages/docs/guides/acl-index.mdx index 85960bdcda..9dd89cdf01 100644 --- a/website/pages/docs/guides/acl-index.html.md +++ b/website/pages/docs/guides/acl-index.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'ACL Guides' -sidebar_current: 'docs-guides-acl-index' -description: |- - Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. Select the following guide for your use case. +layout: docs +page_title: ACL Guides +sidebar_current: docs-guides-acl-index +description: >- + Consul provides an optional Access Control List (ACL) system which can be used + to control access to data and APIs. Select the following guide for your use + case. --- # ACL Documentation and Guides diff --git a/website/pages/docs/guides/acl-legacy.html.md b/website/pages/docs/guides/acl-legacy.mdx similarity index 93% rename from website/pages/docs/guides/acl-legacy.html.md rename to website/pages/docs/guides/acl-legacy.mdx index 10b06e5ff9..1836a2f4ea 100644 --- a/website/pages/docs/guides/acl-legacy.html.md +++ b/website/pages/docs/guides/acl-legacy.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'ACL System (Legacy)' -sidebar_current: 'docs-acl-legacy' -description: |- - Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways. +layout: docs +page_title: ACL System (Legacy) +sidebar_current: docs-acl-legacy +description: >- + Consul provides an optional Access Control List (ACL) system which can be used + to control access to data and APIs. The ACL system is a Capability-based + system that relies on tokens which can have fine grained rules applied to + them. It is very similar to AWS IAM in many ways. --- -> **1.3.0 and earlier:** This guide only applies in Consul versions 1.3.0 and before. If you are using the 1.4.0 or later please use the updated guide [here](/docs/guides/acl.html) @@ -977,43 +980,14 @@ prepared query namespace. These differences are outlined in the table below: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OperationVersion <= 0.6.3 Version > 0.6.3
Create static query without `Name`The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query.No ACL policies are used as long as no `Name` is defined. No `Token` is captured by default unless specifically supplied by the client when creating the query.
Create static query with `Name`The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query.The client token's `query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query.
Manage static query without `Name`The ACL Token used to create the query, or a management token must be supplied in order to perform these operations.Any client with the ID of the query can perform these operations.
Manage static query with a `Name`The ACL token used to create the query, or a management token must be supplied in order to perform these operations.Similar to create, the client token's `query` ACL policy is used to determine if these operations are allowed.
List queriesA management token is required to list any queries.The client token's `query` ACL policy is used to determine which queries they can see. Only management tokens can see prepared queries without `Name`.
Execute querySince a `Token` is always captured when a query is created, that is used to check access to the service being queried. Any token supplied by the client is ignored.The captured token, client's token, or anonymous token is used to filter the results, as described above.
+| Operation | Version <= 0.6.3 | Version > 0.6.3 | +| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Create static query without `Name` | The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query. | No ACL policies are used as long as no `Name` is defined. No `Token` is captured by default unless specifically supplied by the client when creating the query. | +| Create static query with `Name` | The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query. | The client token's `query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query. | +| Manage static query without `Name` | The ACL Token used to create the query, or a management token must be supplied in order to perform these operations. | Any client with the ID of the query can perform these operations. | +| Manage static query with a `Name` | The ACL token used to create the query, or a management token must be supplied in order to perform these operations. | Similar to create, the client token's `query` ACL policy is used to determine if these operations are allowed. | +| List queries | A management token is required to list any queries. | The client token's `query` ACL policy is used to determine which queries they can see. Only management tokens can see prepared queries without `Name`. | +| Execute query | Since a `Token` is always captured when a query is created, that is used to check access to the service being queried. Any token supplied by the client is ignored. | The captured token, client's token, or anonymous token is used to filter the results, as described above. | #### Service Rules diff --git a/website/pages/docs/guides/acl-replication.md b/website/pages/docs/guides/acl-replication.mdx similarity index 97% rename from website/pages/docs/guides/acl-replication.md rename to website/pages/docs/guides/acl-replication.mdx index 30013f7ac5..9c7c49018b 100644 --- a/website/pages/docs/guides/acl-replication.md +++ b/website/pages/docs/guides/acl-replication.mdx @@ -1,11 +1,10 @@ --- -name: 'ACL Replication for Multiple Datacenters' +name: ACL Replication for Multiple Datacenters content_length: 15 id: acl-replication -layout: content_layout products_used: - Consul -description: Configure tokens, policies, and roles to work across multiple datacenters. +description: 'Configure tokens, policies, and roles to work across multiple datacenters.' --- You can configure tokens, policies and roles to work across multiple datacenters. ACL replication has several benefits. diff --git a/website/pages/docs/guides/acl.html.md b/website/pages/docs/guides/acl.mdx similarity index 98% rename from website/pages/docs/guides/acl.html.md rename to website/pages/docs/guides/acl.mdx index 817b8721a2..e36c0b22fa 100644 --- a/website/pages/docs/guides/acl.html.md +++ b/website/pages/docs/guides/acl.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Bootstrapping ACLs' -sidebar_current: 'docs-guides-acl' -description: |- - Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways. +layout: docs +page_title: Bootstrapping ACLs +sidebar_current: docs-guides-acl +description: >- + Consul provides an optional Access Control List (ACL) system which can be used + to control access to data and APIs. The ACL system is a Capability-based + system that relies on tokens which can have fine grained rules applied to + them. It is very similar to AWS IAM in many ways. --- # Bootstrapping the ACL System diff --git a/website/pages/docs/guides/advanced-federation.html.md b/website/pages/docs/guides/advanced-federation.mdx similarity index 93% rename from website/pages/docs/guides/advanced-federation.html.md rename to website/pages/docs/guides/advanced-federation.mdx index 54911075a7..1184f1f285 100644 --- a/website/pages/docs/guides/advanced-federation.html.md +++ b/website/pages/docs/guides/advanced-federation.mdx @@ -1,9 +1,14 @@ --- -layout: 'docs' -page_title: 'Multiple Datacenters - Advanced Federation with Network Areas' -sidebar_current: 'docs-guides-areas' -description: |- - One of the key features of Consul is its support for multiple datacenters. The architecture of Consul is designed to promote low coupling of datacenters so that connectivity issues or failure of any datacenter does not impact the availability of Consul in other datacenters. This means each datacenter runs independently, each having a dedicated group of servers and a private LAN gossip pool. +layout: docs +page_title: Multiple Datacenters - Advanced Federation with Network Areas +sidebar_current: docs-guides-areas +description: >- + One of the key features of Consul is its support for multiple datacenters. The + architecture of Consul is designed to promote low coupling of datacenters so + that connectivity issues or failure of any datacenter does not impact the + availability of Consul in other datacenters. This means each datacenter runs + independently, each having a dedicated group of servers and a private LAN + gossip pool. --- # [Enterprise] Multiple Datacenters: Advanced Federation with Network Areas diff --git a/website/pages/docs/guides/agent-encryption.html.md b/website/pages/docs/guides/agent-encryption.mdx similarity index 98% rename from website/pages/docs/guides/agent-encryption.html.md rename to website/pages/docs/guides/agent-encryption.mdx index f240dd3b3c..97a824695b 100644 --- a/website/pages/docs/guides/agent-encryption.html.md +++ b/website/pages/docs/guides/agent-encryption.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Agent Communication Encryption' -sidebar_current: 'docs-guides-agent-encryption' -description: |- - This guide covers how to encrypt both gossip and RPC communication. +layout: docs +page_title: Agent Communication Encryption +sidebar_current: docs-guides-agent-encryption +description: This guide covers how to encrypt both gossip and RPC communication. --- # Agent Communication Encryption diff --git a/website/pages/docs/guides/autopilot.html.md b/website/pages/docs/guides/autopilot.mdx similarity index 97% rename from website/pages/docs/guides/autopilot.html.md rename to website/pages/docs/guides/autopilot.mdx index 215565dc15..4e05ffe376 100644 --- a/website/pages/docs/guides/autopilot.html.md +++ b/website/pages/docs/guides/autopilot.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Autopilot' -sidebar_current: 'docs-guides-autopilot' -description: |- - This guide covers how to configure and use Autopilot features. +layout: docs +page_title: Autopilot +sidebar_current: docs-guides-autopilot +description: This guide covers how to configure and use Autopilot features. --- # Autopilot @@ -235,7 +234,9 @@ UpgradeVersionTag = "1.4.0" ## Server Health Checking An internal health check runs on the leader to track the stability of servers. -
A server is considered healthy if all of the following conditions are true. + +
A server is considered healthy if all of the following conditions are +true. - It has a SerfHealth status of 'Alive'. - The time since its last contact with the current leader is below diff --git a/website/pages/docs/guides/backup.html.md b/website/pages/docs/guides/backup.mdx similarity index 97% rename from website/pages/docs/guides/backup.html.md rename to website/pages/docs/guides/backup.mdx index 670c1df0b3..097cf36be3 100644 --- a/website/pages/docs/guides/backup.html.md +++ b/website/pages/docs/guides/backup.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Datacenter Backups' -sidebar_current: 'docs-guides-backups' -description: |- - Consul provide the snapshot tool for backing up and restoring data. In this guide you will learn how to use both. +layout: docs +page_title: Datacenter Backups +sidebar_current: docs-guides-backups +description: >- + Consul provide the snapshot tool for backing up and restoring data. In this + guide you will learn how to use both. --- # Datacenter Backups diff --git a/website/pages/docs/guides/cluster-monitoring-metrics.html.md b/website/pages/docs/guides/cluster-monitoring-metrics.mdx similarity index 98% rename from website/pages/docs/guides/cluster-monitoring-metrics.html.md rename to website/pages/docs/guides/cluster-monitoring-metrics.mdx index 4604e51a52..a6deaeef9d 100644 --- a/website/pages/docs/guides/cluster-monitoring-metrics.html.md +++ b/website/pages/docs/guides/cluster-monitoring-metrics.mdx @@ -1,8 +1,10 @@ --- -layout: 'docs' -page_title: 'Consul Cluster Monitoring & Metrics' -sidebar_current: 'docs-guides-cluster-monitoring-metrics' -description: After setting up your first datacenter, it is an ideal time to make sure your cluster is healthy and establish a baseline. +layout: docs +page_title: Consul Cluster Monitoring & Metrics +sidebar_current: docs-guides-cluster-monitoring-metrics +description: >- + After setting up your first datacenter, it is an ideal time to make sure your + cluster is healthy and establish a baseline. --- # Consul Cluster Monitoring and Metrics diff --git a/website/pages/docs/guides/connect-envoy.md b/website/pages/docs/guides/connect-envoy.mdx similarity index 97% rename from website/pages/docs/guides/connect-envoy.md rename to website/pages/docs/guides/connect-envoy.mdx index 794f7cb92e..823ef401f1 100644 --- a/website/pages/docs/guides/connect-envoy.md +++ b/website/pages/docs/guides/connect-envoy.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Using Envoy with Connect' -sidebar_current: 'docs-guides-connect-envoy' -description: |- - This guide walks though getting started running Envoy as a Connect Proxy. +layout: docs +page_title: Using Envoy with Connect +sidebar_current: docs-guides-connect-envoy +description: This guide walks though getting started running Envoy as a Connect Proxy. --- # Using Connect with Envoy Proxy diff --git a/website/pages/docs/guides/connect-gateways.md b/website/pages/docs/guides/connect-gateways.mdx similarity index 99% rename from website/pages/docs/guides/connect-gateways.md rename to website/pages/docs/guides/connect-gateways.mdx index b949bcf9fb..796407caf2 100644 --- a/website/pages/docs/guides/connect-gateways.md +++ b/website/pages/docs/guides/connect-gateways.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Connecting Services Across Datacenters' -sidebar_current: 'docs-guides-connect-gateways' +layout: docs +page_title: Connecting Services Across Datacenters +sidebar_current: docs-guides-connect-gateways description: |- Connect services and secure inter-service communication across datacenters using Consul Connect and mesh gateways. diff --git a/website/pages/docs/guides/connect-production.md b/website/pages/docs/guides/connect-production.mdx similarity index 97% rename from website/pages/docs/guides/connect-production.md rename to website/pages/docs/guides/connect-production.mdx index fae43e788e..2e4bbf4b2a 100644 --- a/website/pages/docs/guides/connect-production.md +++ b/website/pages/docs/guides/connect-production.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Connect in Production' -sidebar_current: 'docs-guides-connect-production' -description: |- - This guide describes best practices for running Consul Connect in production. +layout: docs +page_title: Connect in Production +sidebar_current: docs-guides-connect-production +description: This guide describes best practices for running Consul Connect in production. --- # Running Connect in Production diff --git a/website/pages/docs/guides/connect-services.html.md b/website/pages/docs/guides/connect-services.mdx similarity index 99% rename from website/pages/docs/guides/connect-services.html.md rename to website/pages/docs/guides/connect-services.mdx index bdb63e352b..5066df80fb 100644 --- a/website/pages/docs/guides/connect-services.html.md +++ b/website/pages/docs/guides/connect-services.mdx @@ -4,8 +4,7 @@ content_length: 12 id: connect-services products_used: - Consul -description: |- - This guide demonstrates Consul Connect using internal proxies as sidecars. +description: This guide demonstrates Consul Connect using internal proxies as sidecars. level: Implementation --- diff --git a/website/pages/docs/guides/consul-aws.html.md b/website/pages/docs/guides/consul-aws.mdx similarity index 97% rename from website/pages/docs/guides/consul-aws.html.md rename to website/pages/docs/guides/consul-aws.mdx index 08433956f5..8103cb36b0 100644 --- a/website/pages/docs/guides/consul-aws.html.md +++ b/website/pages/docs/guides/consul-aws.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Consul-AWS' -sidebar_current: 'docs-guides-consul-aws' -description: |- - Consul-AWS provides a tool, which syncs Consul's and AWS Cloud Map's service catalog +layout: docs +page_title: Consul-AWS +sidebar_current: docs-guides-consul-aws +description: >- + Consul-AWS provides a tool, which syncs Consul's and AWS Cloud Map's service + catalog --- # Consul-AWS diff --git a/website/pages/docs/guides/consul-containers.html.md b/website/pages/docs/guides/consul-containers.mdx similarity index 96% rename from website/pages/docs/guides/consul-containers.html.md rename to website/pages/docs/guides/consul-containers.mdx index dd0bcf0af1..4dd71b85d6 100644 --- a/website/pages/docs/guides/consul-containers.html.md +++ b/website/pages/docs/guides/consul-containers.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Using Consul with Containers' -sidebar_current: 'docs-guides-consul-containers' -description: |- - This guide describes how to run Consul on containers, with Docker as the primary focus. It also describes best practices when running a Consul cluster in production on Docker. +layout: docs +page_title: Using Consul with Containers +sidebar_current: docs-guides-consul-containers +description: >- + This guide describes how to run Consul on containers, with Docker as the + primary focus. It also describes best practices when running a Consul cluster + in production on Docker. --- # Consul with Containers diff --git a/website/pages/docs/guides/consul-f5.md b/website/pages/docs/guides/consul-f5.mdx similarity index 100% rename from website/pages/docs/guides/consul-f5.md rename to website/pages/docs/guides/consul-f5.mdx diff --git a/website/pages/docs/guides/consul-splitting.md b/website/pages/docs/guides/consul-splitting.mdx similarity index 99% rename from website/pages/docs/guides/consul-splitting.md rename to website/pages/docs/guides/consul-splitting.mdx index 40298930e5..9cfc55344e 100644 --- a/website/pages/docs/guides/consul-splitting.md +++ b/website/pages/docs/guides/consul-splitting.mdx @@ -4,9 +4,12 @@ content_length: 15 id: connect-splitting products_used: - Consul -description: |- - In this guide you will split layer-7 traffic, using Envoy proxies configured by +description: >- + In this guide you will split layer-7 traffic, using Envoy proxies configured + by + Consul, to roll out a new version of a service. You can use this method for + zero-downtime, blue-green, and canary deployments. level: Implementation --- diff --git a/website/pages/docs/guides/consul-template.html.md b/website/pages/docs/guides/consul-template.mdx similarity index 97% rename from website/pages/docs/guides/consul-template.html.md rename to website/pages/docs/guides/consul-template.mdx index 3f3ada572f..196b2a3100 100644 --- a/website/pages/docs/guides/consul-template.html.md +++ b/website/pages/docs/guides/consul-template.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Consul Template' -sidebar_current: 'docs-guides-consul-template' -description: |- - Consul template provides a programmatic method for rendering configuration files from Consul data. +layout: docs +page_title: Consul Template +sidebar_current: docs-guides-consul-template +description: >- + Consul template provides a programmatic method for rendering configuration + files from Consul data. --- # Consul Template diff --git a/website/pages/docs/guides/containers-guide.md b/website/pages/docs/guides/containers-guide.mdx similarity index 98% rename from website/pages/docs/guides/containers-guide.md rename to website/pages/docs/guides/containers-guide.mdx index 346aabb2af..8fe85206b1 100644 --- a/website/pages/docs/guides/containers-guide.md +++ b/website/pages/docs/guides/containers-guide.mdx @@ -1,11 +1,12 @@ --- -name: 'Consul with Containers' +name: Consul with Containers content_length: 15 id: containers-guide -layout: content_layout products_used: - Consul -description: HashiCorp provides an official Docker image for running Consul and this guide demonstrates its basic usage. +description: >- + HashiCorp provides an official Docker image for running Consul and this guide + demonstrates its basic usage. level: Implementation --- diff --git a/website/pages/docs/guides/creating-certificates.html.md b/website/pages/docs/guides/creating-certificates.mdx similarity index 98% rename from website/pages/docs/guides/creating-certificates.html.md rename to website/pages/docs/guides/creating-certificates.mdx index 62b8b6b8a8..990c01bc90 100644 --- a/website/pages/docs/guides/creating-certificates.html.md +++ b/website/pages/docs/guides/creating-certificates.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Creating and Configuring TLS Certificates' -sidebar_current: 'docs-guides-creating-certificates' -description: |- - Learn how to create certificates for Consul. +layout: docs +page_title: Creating and Configuring TLS Certificates +sidebar_current: docs-guides-creating-certificates +description: Learn how to create certificates for Consul. --- # Creating and Configuring TLS Certificates diff --git a/website/pages/docs/guides/datacenters.html.md b/website/pages/docs/guides/datacenters.mdx similarity index 93% rename from website/pages/docs/guides/datacenters.html.md rename to website/pages/docs/guides/datacenters.mdx index 961d2f956a..1576729232 100644 --- a/website/pages/docs/guides/datacenters.html.md +++ b/website/pages/docs/guides/datacenters.mdx @@ -1,9 +1,14 @@ --- -layout: 'docs' -page_title: 'Multiple Datacenters - Basic Federation with the WAN Gossip Pool' -sidebar_current: 'docs-guides-datacenters' -description: |- - One of the key features of Consul is its support for multiple datacenters. The architecture of Consul is designed to promote low coupling of datacenters so that connectivity issues or failure of any datacenter does not impact the availability of Consul in other datacenters. This means each datacenter runs independently, each having a dedicated group of servers and a private LAN gossip pool. +layout: docs +page_title: Multiple Datacenters - Basic Federation with the WAN Gossip Pool +sidebar_current: docs-guides-datacenters +description: >- + One of the key features of Consul is its support for multiple datacenters. The + architecture of Consul is designed to promote low coupling of datacenters so + that connectivity issues or failure of any datacenter does not impact the + availability of Consul in other datacenters. This means each datacenter runs + independently, each having a dedicated group of servers and a private LAN + gossip pool. --- # Multiple Datacenters: Basic Federation with the WAN Gossip diff --git a/website/pages/docs/guides/deployment-guide.html.md b/website/pages/docs/guides/deployment-guide.mdx similarity index 99% rename from website/pages/docs/guides/deployment-guide.html.md rename to website/pages/docs/guides/deployment-guide.mdx index d6568d67ce..9be35857d7 100644 --- a/website/pages/docs/guides/deployment-guide.html.md +++ b/website/pages/docs/guides/deployment-guide.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Consul Deployment Guide' -sidebar_current: 'docs-guides-deployment-guide' +layout: docs +page_title: Consul Deployment Guide +sidebar_current: docs-guides-deployment-guide description: |- This deployment guide covers the steps required to install and configure a single HashiCorp Consul cluster as defined in the diff --git a/website/pages/docs/guides/deployment.html.md b/website/pages/docs/guides/deployment.mdx similarity index 99% rename from website/pages/docs/guides/deployment.html.md rename to website/pages/docs/guides/deployment.mdx index 22a5e22f0d..1b4b1e5115 100644 --- a/website/pages/docs/guides/deployment.html.md +++ b/website/pages/docs/guides/deployment.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Consul Reference Architecture' -sidebar_current: 'docs-guides-reference-architecture' +layout: docs +page_title: Consul Reference Architecture +sidebar_current: docs-guides-reference-architecture description: |- This document provides recommended practices and a reference architecture for HashiCorp Consul production deployments. diff --git a/website/pages/docs/guides/discovery-namespaces.html.md b/website/pages/docs/guides/discovery-namespaces.mdx similarity index 98% rename from website/pages/docs/guides/discovery-namespaces.html.md rename to website/pages/docs/guides/discovery-namespaces.mdx index 54e5a1316b..81aff07477 100644 --- a/website/pages/docs/guides/discovery-namespaces.html.md +++ b/website/pages/docs/guides/discovery-namespaces.mdx @@ -4,8 +4,7 @@ content_length: 8 id: discovery-namespaces products_used: - Consul -description: >- - In this guide you will register and discover services within a namespace. +description: In this guide you will register and discover services within a namespace. level: Implementation --- diff --git a/website/pages/docs/guides/dns-cache.html.md b/website/pages/docs/guides/dns-cache.mdx similarity index 97% rename from website/pages/docs/guides/dns-cache.html.md rename to website/pages/docs/guides/dns-cache.mdx index 01264be6b9..0206209ec5 100644 --- a/website/pages/docs/guides/dns-cache.html.md +++ b/website/pages/docs/guides/dns-cache.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'DNS Caching' -sidebar_current: 'docs-guides-dns-cache' -description: |- - One of the main interfaces to Consul is DNS. Using DNS is a simple way to integrate Consul into an existing infrastructure without any high-touch integration. +layout: docs +page_title: DNS Caching +sidebar_current: docs-guides-dns-cache +description: >- + One of the main interfaces to Consul is DNS. Using DNS is a simple way to + integrate Consul into an existing infrastructure without any high-touch + integration. --- # DNS Caching diff --git a/website/pages/docs/guides/external.html.md b/website/pages/docs/guides/external.mdx similarity index 90% rename from website/pages/docs/guides/external.html.md rename to website/pages/docs/guides/external.mdx index bd5b8a304d..db90ad6a2a 100644 --- a/website/pages/docs/guides/external.html.md +++ b/website/pages/docs/guides/external.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'External Services' -sidebar_current: 'docs-guides-external' -description: |- - Very few infrastructures are entirely self-contained. Most rely on a multitude of external service providers. Consul supports this by allowing for the definition of external services, services that are not provided by a local node. +layout: docs +page_title: External Services +sidebar_current: docs-guides-external +description: >- + Very few infrastructures are entirely self-contained. Most rely on a multitude + of external service providers. Consul supports this by allowing for the + definition of external services, services that are not provided by a local + node. --- # Registering an External Service diff --git a/website/pages/docs/guides/forwarding.html.md b/website/pages/docs/guides/forwarding.mdx similarity index 97% rename from website/pages/docs/guides/forwarding.html.md rename to website/pages/docs/guides/forwarding.mdx index a816fb22e6..a0cb3e9c8b 100644 --- a/website/pages/docs/guides/forwarding.html.md +++ b/website/pages/docs/guides/forwarding.mdx @@ -1,9 +1,13 @@ --- -layout: 'docs' -page_title: 'Forwarding' -sidebar_current: 'docs-guides-forwarding' -description: |- - By default, DNS is served from port 53. On most operating systems, this requires elevated privileges. Instead of running Consul with an administrative or root account, it is possible to instead forward appropriate queries to Consul, running on an unprivileged port, from another DNS server or port redirect. +layout: docs +page_title: Forwarding +sidebar_current: docs-guides-forwarding +description: >- + By default, DNS is served from port 53. On most operating systems, this + requires elevated privileges. Instead of running Consul with an administrative + or root account, it is possible to instead forward appropriate queries to + Consul, running on an unprivileged port, from another DNS server or port + redirect. --- # Forwarding DNS diff --git a/website/pages/docs/guides/geo-failover.html.md b/website/pages/docs/guides/geo-failover.mdx similarity index 98% rename from website/pages/docs/guides/geo-failover.html.md rename to website/pages/docs/guides/geo-failover.mdx index 3cde6a2619..586cf21358 100644 --- a/website/pages/docs/guides/geo-failover.html.md +++ b/website/pages/docs/guides/geo-failover.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Geo Failover' -sidebar_current: 'docs-guides-geo-failover' -description: |- - Consul provides a prepared query capability that makes it easy to implement automatic geo failover policies for services. +layout: docs +page_title: Geo Failover +sidebar_current: docs-guides-geo-failover +description: >- + Consul provides a prepared query capability that makes it easy to implement + automatic geo failover policies for services. --- # Geo Failover with Prepared Queries diff --git a/website/pages/docs/guides/index.html.md b/website/pages/docs/guides/index.mdx similarity index 96% rename from website/pages/docs/guides/index.html.md rename to website/pages/docs/guides/index.mdx index e5d7c0bb47..2325eac3c4 100644 --- a/website/pages/docs/guides/index.html.md +++ b/website/pages/docs/guides/index.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Guides' -sidebar_current: 'docs-guides' +layout: docs +page_title: Guides +sidebar_current: docs-guides description: |- This section provides various guides for common actions. Due to the nature of Consul, some of these procedures can be complex, so our goal is to provide diff --git a/website/pages/docs/guides/kuberenetes-deployment.html.md b/website/pages/docs/guides/kuberenetes-deployment.mdx similarity index 97% rename from website/pages/docs/guides/kuberenetes-deployment.html.md rename to website/pages/docs/guides/kuberenetes-deployment.mdx index 18eb9e291e..ad2cba0d59 100644 --- a/website/pages/docs/guides/kuberenetes-deployment.html.md +++ b/website/pages/docs/guides/kuberenetes-deployment.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Deploy Consul with Kubernetes' -sidebar_current: 'docs-guides-kuberntes' -description: |- - Deploy Consul on Kubernetes with the official Helm chart. +layout: docs +page_title: Deploy Consul with Kubernetes +sidebar_current: docs-guides-kuberntes +description: Deploy Consul on Kubernetes with the official Helm chart. --- # Deploy Consul with Kubernetes diff --git a/website/pages/docs/guides/kubernetes-observability.html.md b/website/pages/docs/guides/kubernetes-observability.mdx similarity index 98% rename from website/pages/docs/guides/kubernetes-observability.html.md rename to website/pages/docs/guides/kubernetes-observability.mdx index a0a2ce88e6..37ed82e9a5 100644 --- a/website/pages/docs/guides/kubernetes-observability.html.md +++ b/website/pages/docs/guides/kubernetes-observability.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Layer 7 Observability with Kubernetes and Consul Connect' -sidebar_current: 'docs-guides-kubernetes-observability' +layout: docs +page_title: Layer 7 Observability with Kubernetes and Consul Connect +sidebar_current: docs-guides-kubernetes-observability description: |- Collect and visualize layer 7 metrics from services in your Kubernetes cluster using Consul Connect, Prometheus, and Grafana. diff --git a/website/pages/docs/guides/kubernetes-production-deploy.md b/website/pages/docs/guides/kubernetes-production-deploy.mdx similarity index 98% rename from website/pages/docs/guides/kubernetes-production-deploy.md rename to website/pages/docs/guides/kubernetes-production-deploy.mdx index 00e24e90cc..50a53ad4e8 100644 --- a/website/pages/docs/guides/kubernetes-production-deploy.md +++ b/website/pages/docs/guides/kubernetes-production-deploy.mdx @@ -1,15 +1,13 @@ --- - -name: "Consul-Kubernetes Deployment Guide" +name: Consul-Kubernetes Deployment Guide content_length: 14 id: kubernetes-production-deploy -layout: content_layout products_used: - -- Consul - description: This guide covers the necessary steps to install and configure a new Consul cluster on Kubernetes. - level: Advanced - + - Consul +description: >- + This guide covers the necessary steps to install and configure a new Consul + cluster on Kubernetes. +level: Advanced --- This guide covers the necessary steps to install and configure a new Consul diff --git a/website/pages/docs/guides/kubernetes-reference.html.md b/website/pages/docs/guides/kubernetes-reference.mdx similarity index 97% rename from website/pages/docs/guides/kubernetes-reference.html.md rename to website/pages/docs/guides/kubernetes-reference.mdx index 05f65f2a7e..4d9a0255a4 100644 --- a/website/pages/docs/guides/kubernetes-reference.html.md +++ b/website/pages/docs/guides/kubernetes-reference.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Kubernetes Consul Reference Architecture' -sidebar_current: 'docs-guides-k8s-reference-architecture' -description: |- - This document provides recommended practices and a reference architecture. +layout: docs +page_title: Kubernetes Consul Reference Architecture +sidebar_current: docs-guides-k8s-reference-architecture +description: This document provides recommended practices and a reference architecture. --- # Consul and Kubernetes Reference Architecture diff --git a/website/pages/docs/guides/leader-election.html.md b/website/pages/docs/guides/leader-election.mdx similarity index 95% rename from website/pages/docs/guides/leader-election.html.md rename to website/pages/docs/guides/leader-election.mdx index ab7a291284..a49f55fed8 100644 --- a/website/pages/docs/guides/leader-election.html.md +++ b/website/pages/docs/guides/leader-election.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Application Leader Election with Sessions' -sidebar_current: 'docs-guides-leader' -description: |- - This guide describes how to build client-side leader election using Consul. If you are interested in the leader election used internally to Consul, please refer to the consensus protocol documentation instead. +layout: docs +page_title: Application Leader Election with Sessions +sidebar_current: docs-guides-leader +description: >- + This guide describes how to build client-side leader election using Consul. If + you are interested in the leader election used internally to Consul, please + refer to the consensus protocol documentation instead. --- # Application Leader Election with Sessions diff --git a/website/pages/docs/guides/managing-acl-policies.html.md b/website/pages/docs/guides/managing-acl-policies.mdx similarity index 98% rename from website/pages/docs/guides/managing-acl-policies.html.md rename to website/pages/docs/guides/managing-acl-policies.mdx index 5424bb4d60..7ac30eef4d 100644 --- a/website/pages/docs/guides/managing-acl-policies.html.md +++ b/website/pages/docs/guides/managing-acl-policies.mdx @@ -5,7 +5,9 @@ id: managing-acl-policies products_used: - Consul description: >- - In this guide, you'll learn how to discover the minimum privileges required to complete operations within your Consul datacenter and how to manage access using the operator-only implementation method. + In this guide, you'll learn how to discover the minimum privileges required to + complete operations within your Consul datacenter and how to manage access + using the operator-only implementation method. level: Implementation --- diff --git a/website/pages/docs/guides/minikube.md b/website/pages/docs/guides/minikube.mdx similarity index 92% rename from website/pages/docs/guides/minikube.md rename to website/pages/docs/guides/minikube.mdx index e4508aaa84..16c3ca851b 100644 --- a/website/pages/docs/guides/minikube.md +++ b/website/pages/docs/guides/minikube.mdx @@ -1,15 +1,12 @@ --- -layout: 'docs' -page_title: 'Minikube' -sidebar_current: 'docs-guides-minikube' -description: |- - Consul can be installed to the Kubernetes minikube tool for local development. +layout: docs +page_title: Minikube +sidebar_current: docs-guides-minikube +description: Consul can be installed to the Kubernetes minikube tool for local development. --- # Consul Installation to Minikube via Helm -
- In this guide, you'll start a local Kubernetes cluster with minikube. You'll install Consul with only a few commands, then deploy two custom services that use Consul to discover each other over encrypted TLS via Consul Connect. Finally, you'll tighten down Consul Connect so that only the approved applications can communicate with each other. [Demo code](https://github.com/hashicorp/demo-consul-101) is available. diff --git a/website/pages/docs/guides/monitoring-telegraf.html.md b/website/pages/docs/guides/monitoring-telegraf.mdx similarity index 97% rename from website/pages/docs/guides/monitoring-telegraf.html.md rename to website/pages/docs/guides/monitoring-telegraf.mdx index 6e1fa40ad2..8a0f206bdc 100644 --- a/website/pages/docs/guides/monitoring-telegraf.html.md +++ b/website/pages/docs/guides/monitoring-telegraf.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Monitoring Consul with Telegraf' -sidebar_current: 'docs-guides-monitoring-telegraf' -description: |- - Best practice approaches for monitoring a production Consul cluster with Telegraf +layout: docs +page_title: Monitoring Consul with Telegraf +sidebar_current: docs-guides-monitoring-telegraf +description: >- + Best practice approaches for monitoring a production Consul cluster with + Telegraf --- # Monitoring Consul with Telegraf @@ -198,7 +199,8 @@ Telegraf. Here is an example Grafana dashboard:
-[![Grafana Consul Cluster](/assets/images/grafana-screenshot.png)](/assets/images/grafana-screenshot.png) + [![Grafana Consul + Cluster](/assets/images/grafana-screenshot.png)](/assets/images/grafana-screenshot.png)
## Metric Aggregates and Alerting from Telegraf diff --git a/website/pages/docs/guides/network-segments.html.md b/website/pages/docs/guides/network-segments.mdx similarity index 97% rename from website/pages/docs/guides/network-segments.html.md rename to website/pages/docs/guides/network-segments.mdx index 4a52e428f9..5c28258410 100644 --- a/website/pages/docs/guides/network-segments.html.md +++ b/website/pages/docs/guides/network-segments.mdx @@ -1,12 +1,20 @@ --- -layout: 'docs' -page_title: 'Partial LAN Connectivity - Configuring Network Segments' -sidebar_current: 'docs-guides-segments' -description: |- - Many advanced Consul users have the need to run clusters with segmented networks, meaning that - not all agents can be in a full mesh. This is usually the result of business policies enforced - via network rules or firewalls. Prior to Consul 0.9.3 this was only possible through federation, - which for some users is too heavyweight or expensive as it requires running multiple servers per +layout: docs +page_title: Partial LAN Connectivity - Configuring Network Segments +sidebar_current: docs-guides-segments +description: >- + Many advanced Consul users have the need to run clusters with segmented + networks, meaning that + + not all agents can be in a full mesh. This is usually the result of business + policies enforced + + via network rules or firewalls. Prior to Consul 0.9.3 this was only possible + through federation, + + which for some users is too heavyweight or expensive as it requires running + multiple servers per + segment. --- diff --git a/website/pages/docs/guides/outage.html.md b/website/pages/docs/guides/outage.mdx similarity index 97% rename from website/pages/docs/guides/outage.html.md rename to website/pages/docs/guides/outage.mdx index 2d97d57d20..130c871bc7 100644 --- a/website/pages/docs/guides/outage.html.md +++ b/website/pages/docs/guides/outage.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Outage Recovery' -sidebar_current: 'docs-guides-outage' -description: |- - Don't panic! This is a critical first step. Depending on your deployment configuration, it may take only a single server failure for cluster unavailability. Recovery requires an operator to intervene, but recovery is straightforward. +layout: docs +page_title: Outage Recovery +sidebar_current: docs-guides-outage +description: >- + Don't panic! This is a critical first step. Depending on your deployment + configuration, it may take only a single server failure for cluster + unavailability. Recovery requires an operator to intervene, but recovery is + straightforward. --- # Outage Recovery diff --git a/website/pages/docs/guides/production-acls.html.md b/website/pages/docs/guides/production-acls.mdx similarity index 98% rename from website/pages/docs/guides/production-acls.html.md rename to website/pages/docs/guides/production-acls.mdx index 0508c86629..647c3096af 100644 --- a/website/pages/docs/guides/production-acls.html.md +++ b/website/pages/docs/guides/production-acls.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Securing Consul with ACLs' -sidebar_current: 'docs-guides-acl-production' -description: |- - This guide walks though securing your production Consul datacenter with ACLs. +layout: docs +page_title: Securing Consul with ACLs +sidebar_current: docs-guides-acl-production +description: This guide walks though securing your production Consul datacenter with ACLs. --- The [Bootstrapping the ACL System guide](/advanced/day-1-operations/acl-guide) diff --git a/website/pages/docs/guides/secure-namespaces.html.md b/website/pages/docs/guides/secure-namespaces.mdx similarity index 99% rename from website/pages/docs/guides/secure-namespaces.html.md rename to website/pages/docs/guides/secure-namespaces.mdx index 93347d4a7e..6c22cae702 100644 --- a/website/pages/docs/guides/secure-namespaces.html.md +++ b/website/pages/docs/guides/secure-namespaces.mdx @@ -4,8 +4,7 @@ content_length: 14 id: secure-namespaces products_used: - Consul -description: >- - In this guide you setup secure namespaces with ACLs. +description: In this guide you setup secure namespaces with ACLs. level: Implementation --- diff --git a/website/pages/docs/guides/semaphore.html.md b/website/pages/docs/guides/semaphore.mdx similarity index 97% rename from website/pages/docs/guides/semaphore.html.md rename to website/pages/docs/guides/semaphore.mdx index 3c493e7d3a..8fd92be11b 100644 --- a/website/pages/docs/guides/semaphore.html.md +++ b/website/pages/docs/guides/semaphore.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Semaphore' -sidebar_current: 'docs-guides-semaphore' -description: |- - This guide demonstrates how to implement a distributed semaphore using the Consul KV store. +layout: docs +page_title: Semaphore +sidebar_current: docs-guides-semaphore +description: >- + This guide demonstrates how to implement a distributed semaphore using the + Consul KV store. --- # Semaphore @@ -105,7 +106,7 @@ curl http://localhost:8500/v1/kv/?recurse ``` Within the list of the entries, we should find two keys: the `` and the -contender key ‘/’. +contender key `/`. ```json [ diff --git a/website/pages/docs/guides/servers.html.md b/website/pages/docs/guides/servers.mdx similarity index 93% rename from website/pages/docs/guides/servers.html.md rename to website/pages/docs/guides/servers.mdx index 9e4de9d69f..1e7ca855e5 100644 --- a/website/pages/docs/guides/servers.html.md +++ b/website/pages/docs/guides/servers.mdx @@ -1,9 +1,14 @@ --- -layout: 'docs' -page_title: 'Adding & Removing Servers' -sidebar_current: 'docs-guides-servers' -description: |- - Consul is designed to require minimal operator involvement, however any changes to the set of Consul servers must be handled carefully. To better understand why, reading about the consensus protocol will be useful. In short, the Consul servers perform leader election and replication. For changes to be processed, a minimum quorum of servers (N/2)+1 must be available. That means if there are 3 server nodes, at least 2 must be available. +layout: docs +page_title: Adding & Removing Servers +sidebar_current: docs-guides-servers +description: >- + Consul is designed to require minimal operator involvement, however any + changes to the set of Consul servers must be handled carefully. To better + understand why, reading about the consensus protocol will be useful. In short, + the Consul servers perform leader election and replication. For changes to be + processed, a minimum quorum of servers (N/2)+1 must be available. That means + if there are 3 server nodes, at least 2 must be available. --- # Adding & Removing Servers diff --git a/website/pages/docs/guides/windows-guide.html.md b/website/pages/docs/guides/windows-guide.mdx similarity index 91% rename from website/pages/docs/guides/windows-guide.html.md rename to website/pages/docs/guides/windows-guide.mdx index 534bb238ab..96dfb3f7d1 100644 --- a/website/pages/docs/guides/windows-guide.html.md +++ b/website/pages/docs/guides/windows-guide.mdx @@ -1,11 +1,16 @@ --- -layout: 'docs' -page_title: 'Windows Service' -sidebar_current: 'docs-guides-windows-service' -description: |- +layout: docs +page_title: Windows Service +sidebar_current: docs-guides-windows-service +description: >- By using the _sc_ command either on Powershell or - the Windows command line, you can make Consul run as a service. For more details about the _sc_ command - the Windows page for [sc](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682107(v=vs.85).aspx) + + the Windows command line, you can make Consul run as a service. For more + details about the _sc_ command + + the Windows page for + [sc](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682107(v=vs.85).aspx) + should help you get started. --- diff --git a/website/pages/docs/index.html.erb b/website/pages/docs/index.html.erb deleted file mode 100644 index e0a928ed0e..0000000000 --- a/website/pages/docs/index.html.erb +++ /dev/null @@ -1,39 +0,0 @@ ---- -layout: "docs" -page_title: "Documentation" -sidebar_current: "docs-home" -description: |- - Welcome to the Consul documentation! This documentation is reference material for all available features and options of Consul. ---- - -

Consul Documentation

- -

Welcome to the Consul documentation! The documentation is reference -material for all available features and options of Consul.

- -

In the Quick Links below, you will find the most commonly used documentation -and a link to our guides that walk you through common tasks. Note, the -guides are located on the HashiCorp Learn site. - -

Quick Links

- -
-
-

Install

- -

Follow the documentation to install - Consul either with a precompiled binary or from source.

-
-
-

Configure

- -

Read more about the configuration options - for Consul servers and clients.

-
-
-

Learn

- -

Get started using Consul with our step-by-step guides at - HashiCorp Learn.

-
-
diff --git a/website/pages/docs/index.mdx b/website/pages/docs/index.mdx new file mode 100644 index 0000000000..17b0907c78 --- /dev/null +++ b/website/pages/docs/index.mdx @@ -0,0 +1,47 @@ +--- +layout: docs +page_title: Documentation +sidebar_current: docs-home +description: >- + Welcome to the Consul documentation! This documentation is reference material + for all available features and options of Consul. +--- + +# Consul Documentation + +Welcome to the Consul documentation! The documentation is reference material +for all available features and options of Consul + +In the Quick Links below, you will find the most commonly used documentation +and a link to our guides that walk you through common tasks. Note, the +guides are located on the HashiCorp Learn site. + +## Quick Links + +
+
+

Install

+ +

Follow the documentation to install +Consul either with a precompiled binary or from source.

+
+
+

Configure

+ +

+ Read more about the{' '} + configuration options + for Consul servers and clients. +

+ +
+
+

Learn

+ +

+ Get started using Consul with our step-by-step guides at + HashiCorp Learn. +

+ +
+
diff --git a/website/pages/docs/install/bootstrapping.html.md b/website/pages/docs/install/bootstrapping.mdx similarity index 92% rename from website/pages/docs/install/bootstrapping.html.md rename to website/pages/docs/install/bootstrapping.mdx index 804bfecb3a..5b22529bf4 100644 --- a/website/pages/docs/install/bootstrapping.html.md +++ b/website/pages/docs/install/bootstrapping.mdx @@ -1,9 +1,13 @@ --- -layout: 'docs' -page_title: 'Bootstrapping a Datacenter' -sidebar_current: 'docs-install-bootstrapping' -description: |- - An agent can run in both client and server mode. Server nodes are responsible for running the consensus protocol and storing the cluster state. Before a Consul cluster can begin to service requests, a server node must be elected leader. Thus, the first nodes that are started are generally the server nodes. Bootstrapping is the process of joining these server nodes into a cluster. +layout: docs +page_title: Bootstrapping a Datacenter +sidebar_current: docs-install-bootstrapping +description: >- + An agent can run in both client and server mode. Server nodes are responsible + for running the consensus protocol and storing the cluster state. Before a + Consul cluster can begin to service requests, a server node must be elected + leader. Thus, the first nodes that are started are generally the server nodes. + Bootstrapping is the process of joining these server nodes into a cluster. --- # Bootstrapping a Datacenter diff --git a/website/pages/docs/install/index.html.md b/website/pages/docs/install/index.mdx similarity index 96% rename from website/pages/docs/install/index.html.md rename to website/pages/docs/install/index.mdx index b07b5fb964..0a31f1e8d0 100644 --- a/website/pages/docs/install/index.html.md +++ b/website/pages/docs/install/index.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Install Consul' -sidebar_current: 'docs-install-install' +layout: docs +page_title: Install Consul +sidebar_current: docs-install-install description: |- Installing Consul is simple. You can download a precompiled binary, compile from source or run on Kubernetes. This page details these methods. diff --git a/website/pages/docs/install/manual-bootstrap.html.md b/website/pages/docs/install/manual-bootstrap.mdx similarity index 93% rename from website/pages/docs/install/manual-bootstrap.html.md rename to website/pages/docs/install/manual-bootstrap.mdx index 5e0c0a697c..cda62d740f 100644 --- a/website/pages/docs/install/manual-bootstrap.html.md +++ b/website/pages/docs/install/manual-bootstrap.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Manual Bootstrapping' -sidebar_current: 'docs-install-bootstrapping' -description: |- - When deploying Consul to a datacenter for the first time, there is an initial bootstrapping that must be done. As of Consul 0.4, an automatic bootstrapping is available and is the recommended approach. However, older versions only support a manual bootstrap that is documented here. +layout: docs +page_title: Manual Bootstrapping +sidebar_current: docs-install-bootstrapping +description: >- + When deploying Consul to a datacenter for the first time, there is an initial + bootstrapping that must be done. As of Consul 0.4, an automatic bootstrapping + is available and is the recommended approach. However, older versions only + support a manual bootstrap that is documented here. --- # Manually Bootstrapping a Datacenter diff --git a/website/pages/docs/install/performance.html.md b/website/pages/docs/install/performance.mdx similarity index 93% rename from website/pages/docs/install/performance.html.md rename to website/pages/docs/install/performance.mdx index 2c9ecc964e..05b9e7cbf7 100644 --- a/website/pages/docs/install/performance.html.md +++ b/website/pages/docs/install/performance.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Server Performance' -sidebar_current: 'docs-install-performance' -description: |- - Consul requires different amounts of compute resources, depending on cluster size and expected workload. This guide provides guidance on choosing compute resources. +layout: docs +page_title: Server Performance +sidebar_current: docs-install-performance +description: >- + Consul requires different amounts of compute resources, depending on cluster + size and expected workload. This guide provides guidance on choosing compute + resources. --- # Server Performance @@ -102,14 +104,15 @@ Here are some general recommendations: - Consul will make use of multiple cores, and at least 2 cores are recommended. -- Spurious leader elections can be caused by networking issues between - the servers or insufficient CPU resources. Users in cloud environments often bump their servers - up to the next instance class with improved networking and CPU until leader elections stabilize, - and in Consul 0.7 or later the [performance parameters](/docs/agent/options.html#performance) - configuration now gives you tools to trade off performance instead of upsizing servers. You can - use the [`consul.raft.leader.lastContact` telemetry](/docs/agent/telemetry.html#last-contact) - to observe how the Raft timing is performing and guide the decision to de-tune Raft performance - or add more powerful servers. +- Spurious leader elections can be caused by networking + issues between the servers or insufficient CPU resources. Users in cloud environments + often bump their servers up to the next instance class with improved networking + and CPU until leader elections stabilize, and in Consul 0.7 or later the [performance + parameters](/docs/agent/options.html#performance) configuration now gives you tools + to trade off performance instead of upsizing servers. You can use the [`consul.raft.leader.lastContact` + telemetry](/docs/agent/telemetry.html#last-contact) to observe how the Raft timing + is performing and guide the decision to de-tune Raft performance or add more powerful + servers. - For DNS-heavy workloads, configuring all Consul agents in a cluster with the [`allow_stale`](/docs/agent/options.html#allow_stale) configuration option will allow reads to diff --git a/website/pages/docs/install/ports.html.md b/website/pages/docs/install/ports.mdx similarity index 96% rename from website/pages/docs/install/ports.html.md rename to website/pages/docs/install/ports.mdx index d05cfd50fe..a04c58fd90 100644 --- a/website/pages/docs/install/ports.html.md +++ b/website/pages/docs/install/ports.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Required Ports' -sidebar_current: 'docs-install-ports' -description: |- - Before starting Consul it is important to have the necessary bind ports accessible. +layout: docs +page_title: Required Ports +sidebar_current: docs-install-ports +description: >- + Before starting Consul it is important to have the necessary bind ports + accessible. --- # Required Ports diff --git a/website/pages/docs/internals/acl.html.md b/website/pages/docs/internals/acl.html.md deleted file mode 100644 index a215be2b35..0000000000 --- a/website/pages/docs/internals/acl.html.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -layout: 'docs' -page_title: 'ACL System' -sidebar_current: 'docs-internals-acl' -description: |- - Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways. ---- - -# ACL System - -This content has been moved into the [ACL Guide](https://learn.hashicorp.com/consul/security-networking/production-acls). - - -See [Complete ACL Coverage in Consul 0.8](/docs/acl/acl-legacy.html) -for details about ACL changes in Consul 0.8 and later. diff --git a/website/pages/docs/internals/acl.mdx b/website/pages/docs/internals/acl.mdx new file mode 100644 index 0000000000..1a68cbb262 --- /dev/null +++ b/website/pages/docs/internals/acl.mdx @@ -0,0 +1,18 @@ +--- +layout: docs +page_title: ACL System +sidebar_current: docs-internals-acl +description: >- + Consul provides an optional Access Control List (ACL) system which can be used + to control access to data and APIs. The ACL system is a Capability-based + system that relies on tokens which can have fine grained rules applied to + them. It is very similar to AWS IAM in many ways. +--- + +# ACL System + +This content has been moved into the [ACL Guide](https://learn.hashicorp.com/consul/security-networking/production-acls). + + +See [Complete ACL Coverage in Consul 0.8](/docs/acl/acl-legacy.html) for details +about ACL changes in Consul 0.8 and later. diff --git a/website/pages/docs/internals/anti-entropy.html.md b/website/pages/docs/internals/anti-entropy.mdx similarity index 98% rename from website/pages/docs/internals/anti-entropy.html.md rename to website/pages/docs/internals/anti-entropy.mdx index a73e274977..4edc9f6f52 100644 --- a/website/pages/docs/internals/anti-entropy.html.md +++ b/website/pages/docs/internals/anti-entropy.mdx @@ -1,8 +1,8 @@ --- -layout: 'docs' -page_title: 'Anti-Entropy' -sidebar_current: 'docs-internals-anti-entropy' -description: > +layout: docs +page_title: Anti-Entropy +sidebar_current: docs-internals-anti-entropy +description: | This section details the process and use of anti-entropy in Consul. --- diff --git a/website/pages/docs/internals/architecture.html.md b/website/pages/docs/internals/architecture.mdx similarity index 94% rename from website/pages/docs/internals/architecture.html.md rename to website/pages/docs/internals/architecture.mdx index 393c28e337..5b088a0f9b 100644 --- a/website/pages/docs/internals/architecture.html.md +++ b/website/pages/docs/internals/architecture.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Consul Architecture' -sidebar_current: 'docs-internals-architecture' -description: |- - Consul is a complex system that has many different moving parts. To help users and developers of Consul form a mental model of how it works, this page documents the system architecture. +layout: docs +page_title: Consul Architecture +sidebar_current: docs-internals-architecture +description: >- + Consul is a complex system that has many different moving parts. To help users + and developers of Consul form a mental model of how it works, this page + documents the system architecture. --- # Consul Architecture @@ -23,7 +25,8 @@ The architecture concepts in this document can be used with the [Reference Archi From a 10,000 foot altitude the architecture of Consul looks like this:
-[![Consul Architecture](/assets/images/consul-arch.png)](/assets/images/consul-arch.png) + [![Consul + Architecture](/assets/images/consul-arch.png)](/assets/images/consul-arch.png)
Let's break down this image and describe each piece. First of all, we can see diff --git a/website/pages/docs/internals/consensus.html.md b/website/pages/docs/internals/consensus.mdx similarity index 97% rename from website/pages/docs/internals/consensus.html.md rename to website/pages/docs/internals/consensus.mdx index cb3edf6491..a43523ceb5 100644 --- a/website/pages/docs/internals/consensus.html.md +++ b/website/pages/docs/internals/consensus.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Consensus Protocol' -sidebar_current: 'docs-internals-consensus' -description: |- - Consul uses a consensus protocol to provide Consistency as defined by CAP. The consensus protocol is based on Raft: In search of an Understandable Consensus Algorithm. For a visual explanation of Raft, see The Secret Lives of Data. +layout: docs +page_title: Consensus Protocol +sidebar_current: docs-internals-consensus +description: >- + Consul uses a consensus protocol to provide Consistency as defined by CAP. The + consensus protocol is based on Raft: In search of an Understandable Consensus + Algorithm. For a visual explanation of Raft, see The Secret Lives of Data. --- # Consensus Protocol diff --git a/website/pages/docs/internals/coordinates.html.md b/website/pages/docs/internals/coordinates.mdx similarity index 86% rename from website/pages/docs/internals/coordinates.html.md rename to website/pages/docs/internals/coordinates.mdx index 979f479365..16321a5131 100644 --- a/website/pages/docs/internals/coordinates.html.md +++ b/website/pages/docs/internals/coordinates.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Network Coordinates' -sidebar_current: 'docs-internals-coordinates' -description: |- -Serf uses a network tomography system to compute network coordinates for nodes in the cluster. These coordinates are useful for easily calculating the estimated network round trip time between any two nodes in the cluster. This page documents the details of this system. The core of the network tomography system us based on Vivaldi: A Decentralized Network Coordinate System, with several improvements based on several follow-on papers. +layout: docs +page_title: Network Coordinates +sidebar_current: docs-internals-coordinates +description: '' +? Serf uses a network tomography system to compute network coordinates for nodes in the cluster. These coordinates are useful for easily calculating the estimated network round trip time between any two nodes in the cluster. This page documents the details of this system. The core of the network tomography system us based on Vivaldi +: >- + A Decentralized Network Coordinate System, with several improvements based on + several follow-on papers. --- # Network Coordinates diff --git a/website/pages/docs/internals/discovery-chain.html.md b/website/pages/docs/internals/discovery-chain.mdx similarity index 97% rename from website/pages/docs/internals/discovery-chain.html.md rename to website/pages/docs/internals/discovery-chain.mdx index 22d1890aec..d0b9b32df3 100644 --- a/website/pages/docs/internals/discovery-chain.html.md +++ b/website/pages/docs/internals/discovery-chain.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Discovery Chain' -sidebar_current: 'docs-internals-discovery-chain' -description: |- - The service discovery process can be modeled as a "discovery chain" which passes through three distinct stages: routing, splitting, and resolution. Each of these stages is controlled by a set of configuration entries. +layout: docs +page_title: Discovery Chain +sidebar_current: docs-internals-discovery-chain +description: >- + The service discovery process can be modeled as a "discovery chain" which + passes through three distinct stages: routing, splitting, and resolution. Each + of these stages is controlled by a set of configuration entries. --- -> **1.6.0+:** This feature is available in Consul versions 1.6.0 and newer. diff --git a/website/pages/docs/internals/gossip.html.md b/website/pages/docs/internals/gossip.mdx similarity index 89% rename from website/pages/docs/internals/gossip.html.md rename to website/pages/docs/internals/gossip.mdx index 9030e17ef4..66d2527e06 100644 --- a/website/pages/docs/internals/gossip.html.md +++ b/website/pages/docs/internals/gossip.mdx @@ -1,9 +1,13 @@ --- -layout: 'docs' -page_title: 'Gossip Protocol' -sidebar_current: 'docs-internals-gossip' -description: |- - Consul uses a gossip protocol to manage membership and broadcast messages to the cluster. All of this is provided through the use of the Serf library. The gossip protocol used by Serf is based on SWIM: Scalable Weakly-consistent Infection-style Process Group Membership Protocol, with a few minor adaptations. +layout: docs +page_title: Gossip Protocol +sidebar_current: docs-internals-gossip +description: >- + Consul uses a gossip protocol to manage membership and broadcast messages to + the cluster. All of this is provided through the use of the Serf library. The + gossip protocol used by Serf is based on SWIM: Scalable Weakly-consistent + Infection-style Process Group Membership Protocol, with a few minor + adaptations. --- # Gossip Protocol diff --git a/website/pages/docs/internals/index.html.md b/website/pages/docs/internals/index.mdx similarity index 84% rename from website/pages/docs/internals/index.html.md rename to website/pages/docs/internals/index.mdx index 9ead554a9a..75b1c11a36 100644 --- a/website/pages/docs/internals/index.html.md +++ b/website/pages/docs/internals/index.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Internals' -sidebar_current: 'docs-internals' -description: |- - This section covers some of the internals of Consul, such as the architecture, consensus and gossip protocols, and security model. +layout: docs +page_title: Internals +sidebar_current: docs-internals +description: >- + This section covers some of the internals of Consul, such as the architecture, + consensus and gossip protocols, and security model. --- # Consul Internals diff --git a/website/pages/docs/internals/jepsen.html.md b/website/pages/docs/internals/jepsen.mdx similarity index 99% rename from website/pages/docs/internals/jepsen.html.md rename to website/pages/docs/internals/jepsen.mdx index d22743bdab..db497fe387 100644 --- a/website/pages/docs/internals/jepsen.html.md +++ b/website/pages/docs/internals/jepsen.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Jepsen Testing' -sidebar_current: 'docs-internals-jepsen' -description: |- - Jepsen is a tool, written by Kyle Kingsbury, designed to test the partition tolerance of distributed systems. It creates network partitions while fuzzing the system with random operations. The results are analyzed to see if the system violates any of the consistency properties it claims to have. +layout: docs +page_title: Jepsen Testing +sidebar_current: docs-internals-jepsen +description: >- + Jepsen is a tool, written by Kyle Kingsbury, designed to test the partition + tolerance of distributed systems. It creates network partitions while fuzzing + the system with random operations. The results are analyzed to see if the + system violates any of the consistency properties it claims to have. --- # Jepsen Testing diff --git a/website/pages/docs/internals/security.html.md b/website/pages/docs/internals/security.mdx similarity index 97% rename from website/pages/docs/internals/security.html.md rename to website/pages/docs/internals/security.mdx index 8dde2bc2b4..982d993c53 100644 --- a/website/pages/docs/internals/security.html.md +++ b/website/pages/docs/internals/security.mdx @@ -1,9 +1,13 @@ --- -layout: 'docs' -page_title: 'Security Model' -sidebar_current: 'docs-internals-security' -description: |- - Consul relies on both a lightweight gossip mechanism and an RPC system to provide various features. Both of the systems have different security mechanisms that stem from their designs. However, the security mechanisms of Consul have a common goal: to provide confidentiality, integrity, and authentication. +layout: docs +page_title: Security Model +sidebar_current: docs-internals-security +description: >- + Consul relies on both a lightweight gossip mechanism and an RPC system to + provide various features. Both of the systems have different security + mechanisms that stem from their designs. However, the security mechanisms of + Consul have a common goal: to provide confidentiality, integrity, and + authentication. --- # Security Model diff --git a/website/pages/docs/internals/sessions.html.md b/website/pages/docs/internals/sessions.mdx similarity index 94% rename from website/pages/docs/internals/sessions.html.md rename to website/pages/docs/internals/sessions.mdx index 3f5998874c..e377030686 100644 --- a/website/pages/docs/internals/sessions.html.md +++ b/website/pages/docs/internals/sessions.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Sessions' -sidebar_current: 'docs-internals-sessions' -description: |- - Consul provides a session mechanism which can be used to build distributed locks. Sessions act as a binding layer between nodes, health checks, and key/value data. They are designed to provide granular locking and are heavily inspired by The Chubby Lock Service for Loosely-Coupled Distributed Systems. +layout: docs +page_title: Sessions +sidebar_current: docs-internals-sessions +description: >- + Consul provides a session mechanism which can be used to build distributed + locks. Sessions act as a binding layer between nodes, health checks, and + key/value data. They are designed to provide granular locking and are heavily + inspired by The Chubby Lock Service for Loosely-Coupled Distributed Systems. --- # Sessions @@ -23,9 +26,7 @@ store to acquire locks: advisory mechanisms for mutual exclusion. Below is a diagram showing the relationship between these components: -
-![Consul Sessions](consul-sessions.png) -
+
![Consul Sessions](consul-sessions.png)
The contract that Consul provides is that under any of the following situations, the session will be _invalidated_: diff --git a/website/pages/docs/partnerships/index.html.md b/website/pages/docs/partnerships/index.mdx similarity index 96% rename from website/pages/docs/partnerships/index.html.md rename to website/pages/docs/partnerships/index.mdx index 68e077a4db..52e197415b 100644 --- a/website/pages/docs/partnerships/index.html.md +++ b/website/pages/docs/partnerships/index.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Consul Integration Program' -sidebar_current: 'docs-consul-program' -description: |- - Guide to partnership integrations for Consul. +layout: docs +page_title: Consul Integration Program +sidebar_current: docs-consul-program +description: Guide to partnership integrations for Consul. --- # Consul Integration Program @@ -15,7 +14,8 @@ The HashiCorp Consul Integration Program enables vendors to build integrations w By leveraging Consul’s RESTful HTTP API system, vendors are able to build extensible integrations at the data plane, platform, and the infrastructure layer to extend Consul’s functionalities. These integrations can be performed with the OSS (open source) version of Consul. Integrations with advanced network segmentation, advanced federation, and advanced read scalability need to be tested against Consul Enterprise, since these features are only supported by Consul Enterprise.
-[![Consul Architecture](/assets/images/consul_ecosystem_diagram.png)](/assets/images/consul_ecosystem_diagram.png) + [![Consul + Architecture](/assets/images/consul_ecosystem_diagram.png)](/assets/images/consul_ecosystem_diagram.png)
**Data Plane**: These integrations automate IP updates of load balancers by leveraging Consul service discovery, automate firewall security policy updates by leveraging Consul intentions within a centralized management tool, extend sidecar proxies to support Consul connect, and extend API gateways to allow Consul to route incoming traffic to the proxies for Connect-enabled services. diff --git a/website/pages/docs/platform/k8s/aks.html.md b/website/pages/docs/platform/k8s/aks.mdx similarity index 76% rename from website/pages/docs/platform/k8s/aks.html.md rename to website/pages/docs/platform/k8s/aks.mdx index 6034be0731..537d6b11e1 100644 --- a/website/pages/docs/platform/k8s/aks.html.md +++ b/website/pages/docs/platform/k8s/aks.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Consul on Azure Cloud' -sidebar_current: 'docs-platform-k8s-run-aks' -description: |- - Consul can run directly on Azure Kubernetes Service (AKS). +layout: docs +page_title: Consul on Azure Cloud +sidebar_current: docs-platform-k8s-run-aks +description: Consul can run directly on Azure Kubernetes Service (AKS). --- # Consul on Azure Kubernetes Service diff --git a/website/pages/docs/platform/k8s/ambassador.html.md b/website/pages/docs/platform/k8s/ambassador.mdx similarity index 98% rename from website/pages/docs/platform/k8s/ambassador.html.md rename to website/pages/docs/platform/k8s/ambassador.mdx index e8357c8f0b..98bc508d7b 100644 --- a/website/pages/docs/platform/k8s/ambassador.html.md +++ b/website/pages/docs/platform/k8s/ambassador.mdx @@ -1,7 +1,7 @@ --- -layout: 'docs' -page_title: 'Ambassador Integration - Kubernetes' -sidebar_current: 'docs-platform-k8s-ambassador' +layout: docs +page_title: Ambassador Integration - Kubernetes +sidebar_current: docs-platform-k8s-ambassador description: |- Ambassador is a Kubernetes-native API gateway and ingress controller that integrates well with Consul Connect. diff --git a/website/pages/docs/platform/k8s/clients-outside-kubernetes.html.md b/website/pages/docs/platform/k8s/clients-outside-kubernetes.mdx similarity index 90% rename from website/pages/docs/platform/k8s/clients-outside-kubernetes.html.md rename to website/pages/docs/platform/k8s/clients-outside-kubernetes.mdx index 75049c97eb..cb56243995 100644 --- a/website/pages/docs/platform/k8s/clients-outside-kubernetes.html.md +++ b/website/pages/docs/platform/k8s/clients-outside-kubernetes.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Consul Clients Outside of Kubernetes - Kubernetes' -sidebar_current: 'docs-platform-k8s-run-clients-outside' -description: |- - Consul clients running on non-Kubernetes nodes can join a Consul cluster running within Kubernetes. +layout: docs +page_title: Consul Clients Outside of Kubernetes - Kubernetes +sidebar_current: docs-platform-k8s-run-clients-outside +description: >- + Consul clients running on non-Kubernetes nodes can join a Consul cluster + running within Kubernetes. --- # Consul Clients Outside Kubernetes diff --git a/website/pages/docs/platform/k8s/connect.html.md b/website/pages/docs/platform/k8s/connect.mdx similarity index 97% rename from website/pages/docs/platform/k8s/connect.html.md rename to website/pages/docs/platform/k8s/connect.mdx index 0479e2d5f7..1d77c90acc 100644 --- a/website/pages/docs/platform/k8s/connect.html.md +++ b/website/pages/docs/platform/k8s/connect.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Connect Sidecar - Kubernetes' -sidebar_current: 'docs-platform-k8s-connect' -description: |- - Connect is a feature built into to Consul that enables automatic service-to-service authorization and connection encryption across your Consul services. Connect can be used with Kubernetes to secure pod communication with other services. +layout: docs +page_title: Connect Sidecar - Kubernetes +sidebar_current: docs-platform-k8s-connect +description: >- + Connect is a feature built into to Consul that enables automatic + service-to-service authorization and connection encryption across your Consul + services. Connect can be used with Kubernetes to secure pod communication with + other services. --- # Connect Sidecar on Kubernetes @@ -454,18 +457,20 @@ There are three options available: 1. **Mirror Namespaces** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes namespace. For example, pod `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `ns-1`. If a mirrored namespace does not exist in Consul, it will be created. - - This can be configured with: - - ```yaml + + This can be configured with: + + ````yaml global: enableConsulNamespaces: true - connectInject: - enabled: true - consulNamespaces: - mirroringK8S: true - ``` + connectInject: + enabled: true + consulNamespaces: + mirroringK8S: true + ``` + + ```` 1. **Mirror Namespaces With Prefix** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes namespace **with a prefix**. diff --git a/website/pages/docs/platform/k8s/consul-enterprise.html.md b/website/pages/docs/platform/k8s/consul-enterprise.mdx similarity index 95% rename from website/pages/docs/platform/k8s/consul-enterprise.html.md rename to website/pages/docs/platform/k8s/consul-enterprise.mdx index 36e453694f..0ec994d511 100644 --- a/website/pages/docs/platform/k8s/consul-enterprise.html.md +++ b/website/pages/docs/platform/k8s/consul-enterprise.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Consul Enterprise' -sidebar_current: 'docs-platform-k8s-run-consul-ent' -description: |- - Configuration for running Consul Enterprise +layout: docs +page_title: Consul Enterprise +sidebar_current: docs-platform-k8s-run-consul-ent +description: Configuration for running Consul Enterprise --- # Consul Enterprise diff --git a/website/pages/docs/platform/k8s/dns.html.md b/website/pages/docs/platform/k8s/dns.mdx similarity index 96% rename from website/pages/docs/platform/k8s/dns.html.md rename to website/pages/docs/platform/k8s/dns.mdx index 61cc9fe502..400e8fd3ce 100644 --- a/website/pages/docs/platform/k8s/dns.html.md +++ b/website/pages/docs/platform/k8s/dns.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Consul DNS - Kubernetes' -sidebar_current: 'docs-platform-k8s-dns' -description: |- - One of the primary query interfaces to Consul is the DNS interface. The Consul DNS interface can be exposed for all pods in Kubernetes using a stub-domain configuration. +layout: docs +page_title: Consul DNS - Kubernetes +sidebar_current: docs-platform-k8s-dns +description: >- + One of the primary query interfaces to Consul is the DNS interface. The Consul + DNS interface can be exposed for all pods in Kubernetes using a stub-domain + configuration. --- # Consul DNS on Kubernetes diff --git a/website/pages/docs/platform/k8s/eks.html.md b/website/pages/docs/platform/k8s/eks.mdx similarity index 100% rename from website/pages/docs/platform/k8s/eks.html.md rename to website/pages/docs/platform/k8s/eks.mdx diff --git a/website/pages/docs/platform/k8s/gke.html.md b/website/pages/docs/platform/k8s/gke.mdx similarity index 75% rename from website/pages/docs/platform/k8s/gke.html.md rename to website/pages/docs/platform/k8s/gke.mdx index 050c3c9546..4bb6c4ed49 100644 --- a/website/pages/docs/platform/k8s/gke.html.md +++ b/website/pages/docs/platform/k8s/gke.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Running Consul on Google Cloud' -sidebar_current: 'docs-platform-k8s-run-gke' -description: |- - Consul can run directly on Google Kubernetes Engine (GKE). +layout: docs +page_title: Running Consul on Google Cloud +sidebar_current: docs-platform-k8s-run-gke +description: Consul can run directly on Google Kubernetes Engine (GKE). --- # Consul on Google Kubernetes Engine diff --git a/website/pages/docs/platform/k8s/helm.html.md b/website/pages/docs/platform/k8s/helm.html.md deleted file mode 100644 index b67f3458ff..0000000000 --- a/website/pages/docs/platform/k8s/helm.html.md +++ /dev/null @@ -1,629 +0,0 @@ ---- -layout: 'docs' -page_title: 'Helm Chart Reference - Kubernetes' -sidebar_current: 'docs-platform-k8s-helm' -description: |- - Reference for the Consul Helm chart. ---- - -# Helm Chart Reference - -## Configuration (Values) - -The chart is highly customizable using -[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). -Each value has a sane default tuned for an optimal getting started experience -with Consul. Before going into production, please review the parameters below -and consider if they're appropriate for your deployment. - -- `global`- Holds values that affect - multiple components of the chart. - - - `enabled` (`boolean: true`) - The master enabled/disabled setting. If true, servers, clients, Consul DNS and the Consul UI will be enabled. Each component can override this default via its component-specific "enabled" config. If false, no components will be installed by default and per-component opt-in is required, such as by setting `server.enabled` to true. - - - `name` (`string: null`) - Set the prefix used for all resources in the Helm chart. If not set, the prefix will be `-consul`. - - - `domain` (`string: "consul"`) - The domain Consul will answer DNS queries for (see [-domain](/docs/agent/options.html#_domain)) and the domain services synced from Consul into Kubernetes will have, e.g. `service-name.service.consul`. - - - `image` (`string: "consul:"`) - The name (and tag) of the Consul Docker image for clients and servers. This can be overridden per component. This should be pinned to a specific version tag, otherwise you may inadvertently upgrade your Consul version. - - Examples: - - ```yaml - # Consul 1.5.0 - image: "consul:1.5.0" - # Consul Enterprise 1.5.0 - image: "hashicorp/consul-enterprise:1.5.0-ent" - ``` - - - `imageK8S` (`string: "hashicorp/consul-k8s:"`) - The name (and tag) of the [consul-k8s](https://github.com/hashicorp/consul-k8s) Docker image that is used for functionality such the catalog sync. This can be overridden per component. - - Note: support for the catalog sync's liveness and readiness probes was added to consul-k8s 0.6.0. If using an older consul-k8s version, you may need to remove these checks to make sync work. If using mesh gateways and bootstrapACLs then must be >= 0.9.0. - - - `datacenter` (`string: "dc1"`) - The name of the datacenter that the agents should register as. This can't be changed once the Consul cluster is up and running since Consul doesn't support an automatic way to change this value currently: [https://github.com/hashicorp/consul/issues/1858](https://github.com/hashicorp/consul/issues/1858). - - - `enablePodSecurityPolicies` (`boolean: false`) - - Controls whether pod security policies are created for the Consul components created by this chart. See [https://kubernetes.io/docs/concepts/policy/pod-security-policy/](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). - - - `gossipEncryption` - - Configures which Kubernetes secret to retrieve Consul's gossip encryption key from (see [-encrypt](/docs/agent/options.html#_encrypt)). If secretName or secretKey are not set, gossip encryption will not be enabled. The secret must be in the same namespace that Consul is installed into. - - The secret can be created by running: - - ```bash - $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) - # To reference, use: - # gossipEncryption: - # secretName: consul-gossip-encryption-key - # secretKey: key - ``` - - * `secretName` (`string: ""`) - The name of the Kubernetes secret that holds the gossip encryption key. The secret must be in the same namespace that Consul is installed into. - - * `secretKey` (`string: ""`) - The key within the Kubernetes secret that holds the gossip encryption key. - - * `enableConsulNamespaces` (`boolean: false`) - [Enterprise Only] `enableConsulNamespaces` indicates that you are running Consul Enterprise v1.7+ with a valid Consul Enterprise license and would like to make use of configuration beyond registering everything into the `default` Consul namespace. Requires consul-k8s v0.12+. Additional configuration options are found in the `consulNamespaces` section of both the catalog sync and connect injector. - - * `bootstrapACLs` (`boolean: false`) - **[DEPRECATED]** Use `global.acls.manageSystemACLs` instead. - - * `acls` - Configure ACLs. - - - `manageSystemACLs` (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies for all Consul and consul-k8s components. This requires servers to be running inside Kubernetes. Additionally requires Consul >= 1.4 and consul-k8s >= 0.10.1. - - * `tls` - Enables TLS [encryption](https://learn.hashicorp.com/consul/security-networking/agent-encryption) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+ and consul-k8s v0.16.2+. - - - `tls` - Enables TLS [encryption](https://learn.hashicorp.com/consul/security-networking/agent-encryption) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+ and consul-k8s v0.16.2+ - - - `enableAutoEncrypt` (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers. It also switches consul-k8s components to retrieve the CA from the servers via the API. Requires Consul 1.7.1+ and consul-k8s 0.13.0+. - - - `serverAdditionalDNSSANs` (`array: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI. - - * `serverAdditionalDNSSANs` (`array: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI. - - * `serverAdditionalIPSANs` (`array: []`) - A list of additional IP addresses to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI. - - * `verify` (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`, and `verify_incoming_rpc` will be set to `true` for Consul servers and clients. - Set this to false to incrementally roll out TLS on an existing Consul cluster. - Please see [Configuring TLS on an Existing Cluster](https://www.consul.io/docs/platform/k8s/tls-on-existing-cluster.html) for more details. - - * `httpsOnly` (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on both clients and servers and to only accept HTTPS connections. - - * `caCert` - A Kubernetes secret containing the certificate of the CA to use for TLS communication within the Consul cluster. - If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret in Kubernetes: - - ```bash - kubectl create secret generic consul-ca-cert \ - --from-file='tls.crt=./consul-agent-ca.pem' - ``` - - * `secretName` (`string: null`) - The name of the Kubernetes secret. - - * `secretKey` (`string: null`) - The key of the Kubernetes secret. - - * `caKey` - A Kubernetes secret containing the private key of the CA to use for TLS communication within the Consul cluster. - If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret in Kubernetes: - - ```bash - kubectl create secret generic consul-ca-key \ - --from-file='tls.key=./consul-agent-ca-key.pem' - ``` - - * `secretName` (`string: null`) - The name of the Kubernetes secret. - - * `secretKey` (`string: null`) - The key of the Kubernetes secret. - -- `server` - Values that configure running a Consul server within Kubernetes. - - - `enabled` (`boolean: global.enabled`) - If true, the chart will install all the resources necessary for a Consul server cluster. If you're running Consul externally and want agents within Kubernetes to join that cluster, this should probably be false. - - - `image` (`string: global.image`) - The name of the Docker image (including any tag) for the containers running Consul server agents. - - - `replicas` (`integer: 3`) -The number of server agents to run. This determines the fault tolerance of the cluster. Please see the [deployment table](/docs/internals/consensus.html#deployment-table) for more information. - - - `bootstrapExpect` (`integer: 3`) - For new clusters, this is the number of servers to wait for before performing the initial leader election and bootstrap of the cluster. This must be less than or equal to `server.replicas`. This value is only used when bootstrapping new clusters, it has no effect during ongoing cluster maintenance. - - - `enterpriseLicense` [Enterprise Only] - This value refers to a Kubernetes secret that you have created that contains your enterprise license. It is required if you are using an enterprise binary. Defining it here applies it to your cluster once a leader has been elected. If you are not using an enterprise image or if you plan to introduce the license key via another route, then set these fields to null. - - - `secretName` (`string: null`) - The name of the Kubernetes secret that holds the enterprise license. The secret must be in the same namespace that Consul is installed into. - - - `secretKey` (`string: null`) - The key within the Kubernetes secret that holds the enterprise license. - - - `storage` (`string: 10Gi`) - This defines the disk size for configuring the servers' StatefulSet storage. For dynamically provisioned storage classes, this is the desired size. For manually defined persistent volumes, this should be set to the disk size of the attached volume. - - - `storageClass` (`string: null`) - The StorageClass to use for the servers' StatefulSet storage. It must be able to be dynamically provisioned if you want the storage to be automatically created. For example, to use [Local](https://kubernetes.io/docs/concepts/storage/storage-classes/#local) storage classes, the PersistentVolumeClaims would need to be manually created. A `null` value will use the Kubernetes cluster's default StorageClass. If a default StorageClass does not exist, you will need to create one. - - - `connect` (`boolean: true`) - This will enable/disable [Connect](/docs/connect/index.html). Setting this to true _will not_ automatically secure pod communication, this setting will only enable usage of the feature. Consul will automatically initialize a new CA and set of certificates. Additional Connect settings can be configured by setting the `server.extraConfig` value. - - - `resources` (`string: null`) - The resource requests (CPU, memory, etc.) for each of the server agents. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources. **Setting this is highly recommended.** - - ```yaml - # Resources are defined as a formatted multi-line string: - resources: | - requests: - memory: "10Gi" - limits: - memory: "10Gi" - ``` - - - `updatePartition` (`integer: 0`) - This value is used to carefully control a rolling update of Consul server agents. This value specifies the [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) for performing a rolling update. Please read the linked Kubernetes documentation for more information. - - - `disruptionBudget` - This configures the [PodDisruptionBudget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) for the server cluster. - - - `enabled` (`boolean: true`) - - This will enable/disable registering a PodDisruptionBudget for - the server cluster. If this is enabled, it will only register the - budget so long as the server cluster is enabled. - - - `maxUnavailable` (`integer: null`) - - The maximum number of unavailable pods. By default, this will be automatically - computed based on the `server.replicas` value to be `(n/2)-1`. If you need to set - this to `0`, you will need to add a `--set 'server.disruptionBudget.maxUnavailable=0'` - flag to the helm chart installation command because of a limitation in the Helm - templating language. - - - `extraConfig` (`string: "{}"`) - A raw string of extra JSON [configuration](/docs/agent/options.html) for Consul servers. This will be saved as-is into a ConfigMap that is read by the Consul server agents. This can be used to add additional configuration that isn't directly exposed by the chart. - - ```yaml - # ExtraConfig values are formatted as a multi-line string: - extraConfig: | - { - "log_level": "DEBUG" - } - ``` - This can also be set using Helm's `--set` flag (consul-helm v0.7.0 and later), using the following syntax: - - ```shell - --set 'server.extraConfig="{"log_level": "DEBUG"}"' - ``` - - - `extraVolumes` (`array: []`) - A list of extra volumes to mount for server agents. This is useful for bringing in extra data that can be referenced by other configurations at a well known path, such as TLS certificates or Gossip encryption keys. The value of this should be a list of objects. Each object supports the following keys: - - - `type` (`string: required`) - - Type of the volume, must be one of "configMap" or "secret". Case sensitive. - - - `name` (`string: required`) - - Name of the configMap or secret to be mounted. This also controls the path - that it is mounted to. The volume will be mounted to `/consul/userconfig/`. - - - `load` (`boolean: false`) - - If true, then the agent will be configured to automatically load HCL/JSON - configuration files from this volume with `-config-dir`. This defaults - to false. - - ```yaml - extraVolumes: - - type: "secret" - name: "consul-certs" - load: false - ``` - - - `affinity` (`string`) - This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. It defaults to allowing only a single pod on each node, which minimizes risk of the cluster becoming unusable if a node is lost. If you need to run more pods per node (for example, testing on Minikube), set this value to `null`. - - ```yaml - # Recommended default server affinity: - affinity: | - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: {{ template "consul.name" . }} - release: "{{ .Release.Name }}" - component: server - topologyKey: kubernetes.io/hostname - ``` - - - `tolerations` (`string: ""`) - Toleration settings for server pods. This should be a multi-line string matching the [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. - - - `nodeSelector` (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for server pod assignment, formatted as a multi-line string. - - ```yaml - nodeSelector: | - beta.kubernetes.io/arch: amd64 - ``` - - - `priorityClassName` (`string`) - This value references an existing Kubernetes [priorityClassName](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) that can be assigned to server pods. - - - `annotations` (`string`) - This value defines additional annotations for server pods. This should be a formatted as a multi-line string. - - ```yaml - annotations: | - "sample/annotation1": "foo" - "sample/annotation2": "bar" - ``` - - - `service` - Server service properties - - ```yaml - annotations: | - "annotation-key": "annotation-value" - ``` - -* `externalServers` - Configuration for Consul servers running externally. This information is required if Consul servers are running outside of Kubernetes and you’re setting `global.tls.enableAutoEncrypt` to `true`. - - - `enabled` (`boolean: false`) - If true, the chart will talk to external servers configured here. - - - `https` - HTTPS configuration for external servers. Note: HTTP connections to the servers are not supported. - - - `address` (`string: null`) - IP, DNS name, or [cloud auto-join](https://www.consul.io/docs/agent/cloud-auto-join.html) string pointing to the external Consul servers. Note that if you’re providing the cloud auto-join string and multiple addresses can be returned, only the first address will be used. This value is required only if you would like to use a different server address from the one specified in the `client.join` property. - - - `port` (`integer: 443`) - The HTTPS port of the server. - - - `tlsServerName` (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS. This property is useful in case `externalServers.https.address` is not or can not be included in the server certificate’s SANs. - - - `useSystemRoots` (`boolean: false`) - If true, the Helm chart will ignore the CA set in `global.tls.caCert` or generated by the `tls-init` job and will rely on the container's system CAs for TLS verification when talking to Consul servers. - - ```yaml - annotations: | - "annotation-key": "annotation-value" - ``` - -- `client` - Values that configure running a Consul client on Kubernetes nodes. - - - `enabled` (`boolean: global.enabled`) - If true, the chart will install all the resources necessary for a Consul client on every Kubernetes node. This _does not_ require `server.enabled`, since the agents can be configured to join an external cluster. - - - `image` (`string: global.image`) - The name of the Docker image (including any tag) for the containers running Consul client agents. - - - `join` (`array: null`) - A list of valid [`-retry-join` values](/docs/agent/options.html#retry-join). If this is `null` (default), then the clients will attempt to automatically join the server cluster running within Kubernetes. This means that with `server.enabled` set to true, clients will automatically join that cluster. If `server.enabled` is not true, then a value must be specified so the clients can join a valid cluster. - - - `dataDirectoryPath` (`string: null`) - An absolute path to a directory on the host machine to use as the Consul client data directory. If set to the empty string or null, the Consul agent will store its data in the Pod's local filesystem (which will be lost if the Pod is deleted). Security Warning: If setting this, Pod Security Policies _must_ be enabled on your cluster and in this Helm chart (via the global.enablePodSecurityPolicies setting) to prevent other Pods from mounting the same host path and gaining access to all of Consul's data. Consul's data is not encrypted at rest. - - - `grpc` (`boolean: true`) - If true, agents will enable their GRPC listener on port 8502 and expose it to the host. This will use slightly more resources, but is required for [Connect](/docs/platform/k8s/connect.html). - - - `exposeGossipPorts` (`boolean: false`) - If true, the Helm chart will expose the clients' gossip ports as hostPorts. This is only necessary if pod IPs in the k8s cluster are not directly routable and the Consul servers are outside of the k8s cluster. This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. - - - `resources` (`string: null`) - The resource requests (CPU, memory, etc.) for each of the client agents. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources. - - ```yaml - # Resources are defined as a formatted multi-line string: - resources: | - requests: - memory: "10Gi" - limits: - memory: "10Gi" - ``` - - - `extraConfig` (`string: "{}"`) - A raw string of extra JSON [configuration](/docs/agent/options.html) for Consul clients. This will be saved as-is into a ConfigMap that is read by the Consul agents. This can be used to add additional configuration that isn't directly exposed by the chart. - - ```yaml - # ExtraConfig values are formatted as a multi-line string: - extraConfig: | - { - "log_level": "DEBUG" - } - ``` - This can also be set using Helm's `--set` flag (consul-helm v0.7.0 and later), using the following syntax: - - ```shell - --set 'client.extraConfig="{"log_level": "DEBUG"}"' - ``` - - - `extraVolumes` (`array: []`) - A list of extra volumes to mount for client agents. This is useful for bringing in extra data that can be referenced by other configurations at a well known path, such as TLS certificates or Gossip encryption keys. The value of this should be a list of objects. Each object supports the following keys: - - - `type` (`string: required`) - - Type of the volume, must be one of "configMap" or "secret". Case sensitive. - - - `name` (`string: required`) - - Name of the configMap or secret to be mounted. This also controls the path - that it is mounted to. The volume will be mounted to `/consul/userconfig/`. - - - `load` (`boolean: false`) - - If true, then the agent will be configured to automatically load HCL/JSON - configuration files from this volume with `-config-dir`. This defaults - to false. - - ```yaml - extraVolumes: - - type: 'secret' - name: 'consul-certs' - load: false - ``` - - - `tolerations` (`string: ""`) - Toleration Settings for client pods. This should be a multi-line string matching the Toleration array in a Pod spec. The example below will allow client pods to run on every node regardless of taints. - - ```yaml - tolerations: | - - operator: "Exists" - ``` - - - `nodeSelector` (`string: null`) - Labels for client pod assignment, formatted as a multi-line string. Please see [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more details. - - ```yaml - nodeSelector: | - beta.kubernetes.io/arch: amd64 - ``` - - - `priorityClassName` (`string: ""`) - This value references an existing Kubernetes [priorityClassName](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) that can be assigned to client pods. - - - `annotations` (`string: null`) - This value defines additional annotations for client pods. This should be a formatted as a multi-line string. - - ```yaml - annotations: | - "sample/annotation1": "foo" - "sample/annotation2": "bar" - ``` - - - `dnsPolicy` (`string: null`) - This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for client pods to use. - - - `updateStrategy` (`string: null`) - The [update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) for the client `DaemonSet`. - - ```yaml - updateStrategy: | - rollingUpdate: - maxUnavailable: 5 - type: RollingUpdate - ``` - - - `snapshotAgent` [Enterprise Only] - Values for setting up and running [snapshot agents](https://www.consul.io/docs/commands/snapshot/agent.html) within the Consul clusters. They are required to be co-located with Consul clients, so will inherit the clients' nodeSelector, tolerations and affinity. - - - `enabled` (`boolean: false`) - If true, the chart will install resources necessary to run the snapshot agent. - - - `replicas` (`integer: 2`) - The number of snapshot agents to run. - - - `configSecret` - A Kubernetes secret that should be manually created to contain the entire config to be used on the snapshot agent. This is the preferred method of configuration since there are usually storage credentials present. Please see [Snapshot agent config](https://www.consul.io/docs/commands/snapshot/agent.html#config-file-options-) for details. - - - secretName `(string: null)` - The name of the Kubernetes secret. - - - secretKey `(string: null)` - The key for the Kubernetes secret. - -- `dns` - Values that configure Consul DNS service. - - - `enabled` (`boolean: global.enabled`) - If true, a `consul-dns` service will be created that exposes port 53 for TCP and UDP to the running Consul agents (servers and clients). This can then be used to [configure kube-dns](/docs/platform/k8s/dns.html). The Helm chart _does not_ automatically configure kube-dns. - - - `clusterIP` (`string: null`) - If defined, this value configures the cluster IP of the DNS service. - - - `annotations` (`string: null`) - Extra annotations to attach to the DNS service. This should be a multi-line string of annotations to apply to the DNS service. - -- `syncCatalog` - Values that configure the [service sync](/docs/platform/k8s/service-sync.html) process. - - - `enabled` (`boolean: false`) - If true, the chart will install all the resources necessary for the catalog sync process to run. - - - `image` (`string: global.imageK8S`) - The name of the Docker image (including any tag) for [consul-k8s](/docs/platform/k8s/index.html#quot-consul-k8s-quot-project) - to run the sync program. - - - `default` (`boolean: true`) - If true, all valid services in K8S are synced by default. If false, the service must be [annotated](/docs/platform/k8s/service-sync.html#sync-enable-disable) properly to sync. In either case an annotation can override the default. - - - `toConsul` (`boolean: true`) - If true, will sync Kubernetes services to Consul. This can be disabled to have a one-way sync. - - - `toK8S` (`boolean: true`) - If true, will sync Consul services to Kubernetes. This can be disabled to have a one-way sync. - - - `k8sPrefix` (`string: ""`) - A prefix to prepend to all services registered in Kubernetes from Consul. This defaults to `""` where no prefix is prepended; Consul services are synced with the same name to Kubernetes. (Consul -> Kubernetes sync only) - - - `k8sAllowNamespaces` (`[]string: ["*"]`) - list of k8s namespaces to sync the k8s services from. If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, services in that k8s namespace will not be synced even if they are explicitly annotated. Use `["*"]` to automatically allow all k8s namespaces. - For example, `["namespace1", "namespace2"]` will only allow services in the k8s namespaces `namespace1` and `namespace2` to be synced and registered with Consul. All other k8s namespaces will be ignored. - - Note: `k8sDenyNamespaces` takes precedence over values defined here. Requires consul-k8s v0.12+ - - - `k8sDenyNamespaces` (`[]string: ["kube-system", "kube-public"]` - list of k8s namespaces that should not have their services synced. This list takes precedence over `k8sAllowNamespaces`. `*` is not supported because then nothing would be allowed to sync. Requires consul-k8s v0.12+. - - For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` and `namespace2` will be synced. - - - `k8sSourceNamespace` (`string: ""`) - **[DEPRECATED] Use `k8sAllowNamespaces` and `k8sDenyNamespaces` instead.** `k8sSourceNamespace` is the Kubernetes namespace to watch for service changes and sync to Consul. If this is not set then it will default to all namespaces. - - - `consulNamespaces` - [Enterprise Only] These settings manage the catalog sync's interaction with Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). Also, `global.enableConsulNamespaces` must be true. - - - `consulDestinationNamespace` (`string: "default"`) - Name of the Consul namespace to register all k8s services into. If the Consul namespace does not already exist, it will be created. This will be ignored if `mirroringK8S` is true. - - - `mirroringK8S` (`bool: false`) - causes k8s services to be registered into a Consul namespace of the same name as their k8s namespace, optionally prefixed if `mirroringK8SPrefix` is set below. If the Consul namespace does not already exist, it will be created. Turning this on overrides the `consulDestinationNamespace` setting. `addK8SNamespaceSuffix` may no longer be needed if enabling this option. - - - `mirroringK8SPrefix` (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace to be given a prefix. For example, if `mirroringK8SPrefix` is set to `"k8s-"`, a service in the k8s `staging` namespace will be registered into the `k8s-staging` Consul namespace. - - * `consulPrefix` (`string: ""`) - A prefix to prepend to all services registered in Consul from Kubernetes. This defaults to `""` where no prefix is prepended. Service names within Kubernetes remain unchanged. (Kubernetes -> Consul sync only) - The prefix is ignored if `annotationServiceName` is provided. - - - `consulPrefix` (`string: ""`) - A prefix to prepend to all services registered in Consul from Kubernetes. This defaults to `""` where no prefix is prepended. Service names within Kubernetes remain unchanged. (Kubernetes -> Consul sync only) - - - `k8sTag` (`string: null`) - An optional tag that is applied to all of the Kubernetes services that are synced into Consul. If nothing is set, this defaults to "k8s". (Kubernetes -> Consul sync only) - - - `syncClusterIPServices` (`boolean: true`) - If true, will sync Kubernetes ClusterIP services to Consul. This can be disabled to have the sync ignore ClusterIP-type services. - - - `nodePortSyncType` (`string: ExternalFirst`) - Configures the type of syncing that happens for NodePort services. The only valid options are: `ExternalOnly`, `InternalOnly`, and `ExternalFirst`. `ExternalOnly` will only use a node's ExternalIP address for the sync, otherwise the service will not be synced. `InternalOnly` uses the node's InternalIP address. `ExternalFirst` will preferentially use the node's ExternalIP address, but if it doesn't exist, it will use the node's InternalIP address instead. - - - `aclSyncToken` - references a Kubernetes [secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets) that contains an existing Consul ACL token. This will provide the sync process the correct permissions. This is only needed if ACLs are enabled on the Consul cluster. - - - secretName `(string: null)` - The name of the Kubernetes secret. This defaults to null. - - - secretKey `(string: null)` - The key for the Kubernetes secret. This defaults to null. - - - `nodeSelector` (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for `syncCatalog` pod assignment, formatted as a multi-line string. - - ```yaml - nodeSelector: | - beta.kubernetes.io/arch: amd64 - ``` - - - `logLevel` (`string: info`) - Log verbosity level. One of "trace", "debug", "info", "warn", or "error". - - - `consulWriteInterval` (`string: null`) - Override the default interval to perform syncing operations creating Consul services. - -- `ui` - Values that configure the Consul UI. - - - `enabled` (`boolean: global.enabled`) - If true, the UI will be enabled. This will only _enable_ the UI, it doesn't automatically register any service for external access. The UI will only be enabled on server agents. If `server.enabled` is false, then this setting has no effect. To expose the UI in some way, you must configure `ui.service`. - - - `service` - This configures the `Service` resource registered for the Consul UI. - - - `enabled` (`boolean: true`) - - This will enable/disable registering a Kubernetes Service for the Consul UI. - This value only takes effect if `ui.enabled` is true and taking effect. - - - `type` (`string: null`) - - The service type to register. This defaults to `null` which doesn't set - an explicit service type, which typically is defaulted to "ClusterIP" - by Kubernetes. The available service types are documented on - [the Kubernetes website](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). - - - `annotations` (`string: null`) - Annotations to apply to the UI service. - - ```yaml - annotations: | - "annotation-key": "annotation-value" - ``` - - - `additionalSpec` (`string: null`) - Additional Service spec values. This should be a multi-line string mapping directly to a Kubernetes `Service` object. - -- `connectInject` - Values that configure running the [Connect injector](/docs/platform/k8s/connect.html). - - - `enabled` (`boolean: false`) - If true, the chart will install all the resources necessary for the Connect injector process to run. This will enable the injector but will require pods to opt-in with an annotation by default. - - - `image` (`string: global.imageK8S`) - The name of the Docker image (including any tag) for the [consul-k8s](https://github.com/hashicorp/consul-k8s) binary. - - - `default` (`boolean: false`) - If true, the injector will inject the Connect sidecar into all pods by default. Otherwise, pods must specify the. [injection annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-inject) to opt-in to Connect injection. If this is true, pods can use the same annotation to explicitly opt-out of injection. - - - `imageConsul` (`string: global.image`) - The name of the Docker image (including any tag) for Consul. This is used for proxy service registration, Envoy configuration, etc. - - - `imageEnvoy` (`string: ""`) - The name of the Docker image (including any tag) for the Envoy sidecar. `envoy` must be on the executable path within this image. This Envoy version must be compatible with the Consul version used by the injector. If not specified this defaults to letting the injector choose the Envoy image. Check [supported Envoy versions](/docs/connect/proxies/envoy.html#supported-versions) to ensure the version you are using is compatible with Consul. - - - `namespaceSelector` (`string: ""`) - A [selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) for restricting injection to only matching namespaces. By default all namespaces except `kube-system` and `kube-public` will have injection enabled. - - ```yaml - namespaceSelector: | - matchLabels: - namespace-label: label-value - ``` - - - `k8sAllowNamespaces` - list of k8s namespaces to allow Connect sidecar injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, pods in that k8s namespace will not be injected even if they are explicitly annotated. Use `["*"]` to automatically allow all k8s namespaces. - - For example, `["namespace1", "namespace2"]` will only allow pods in the k8s namespaces `namespace1` and `namespace2` to have Connect sidecars injected and registered with Consul. All other k8s namespaces will be ignored. - - Note: `k8sDenyNamespaces` takes precedence over values defined here and `namespaceSelector` takes precedence over both since it is applied first. `kube-system` and `kube-public` are never injected, even if included here. Requires consul-k8s v0.12+ - - - `k8sDenyNamespaces` - list of k8s namespaces that should not allow Connect sidecar injection. This list takes precedence over `k8sAllowNamespaces`. `*` is not supported because then nothing would be allowed to be injected. - - For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` and `namespace2` will be injected. - - Note: `namespaceSelector` takes precedence over this since it is applied first. `kube-system` and `kube-public` are never injected. Requires consul-k8s v0.12+. - - - `consulNamespaces` - [Enterprise Only] These settings manage the connect injector's interaction with Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). Also, `global.enableConsulNamespaces` must be true. - - - `consulDestinationNamespace` (`string: "default"`) - Name of the Consul namespace to register all k8s services into. If the Consul namespace does not already exist, it will be created. This will be ignored if `mirroringK8S` is true. - - - `mirroringK8S` (`bool: false`) - causes k8s services to be registered into a Consul namespace of the same name as their k8s namespace, optionally prefixed if `mirroringK8SPrefix` is set below. If the Consul namespace does not already exist, it will be created. Turning this on overrides the `consulDestinationNamespace` setting. - - - `mirroringK8SPrefix` (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace to be given a prefix. For example, if `mirroringK8SPrefix` is set to `"k8s-"`, a service in the k8s `staging` namespace will be registered into the `k8s-staging` Consul namespace. - - - `certs` - The certs section configures how the webhook TLS certs are configured. These are the TLS certs for the Kube apiserver communicating to the webhook. By default, the injector will generate and manage its own certs, but this requires the ability for the injector to update its own `MutatingWebhookConfiguration`. In a production environment, custom certs should probably be used. Configure the values below to enable this. - - - `secretName` (`string: null`) - - secretName is the name of the Kubernetes secret that has the TLS certificate and - private key to serve the injector webhook. If this is null, then the - injector will default to its automatic management mode. - - - `caBundle` (`string: ""`) - - The PEM-encoded CA public certificate bundle for the TLS certificate served by the - injector. This must be specified as a string and can't come from a - secret because it must be statically configured on the Kubernetes - `MutatingAdmissionWebhook` resource. This only needs to be specified - if `secretName` is not null. - - - `certName` (`string: "tls.crt"`) - - The name of the certificate file within the `secretName` secret. - - - `keyName` (`string: "tls.key"`) - - The name of the private key for the certificate file within the - `secretName` secret. - - - `nodeSelector` (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for `connectInject` pod assignment, formatted as a multi-line string. - - ```yaml - nodeSelector: | - beta.kubernetes.io/arch: amd64 - ``` - - - `aclBindingRuleSelector` (`string: "serviceaccount.name!=default"`) - - A [selector](/docs/acl/acl-auth-methods.html#binding-rules) for restricting automatic injection to only matching services based on - their associated service account. By default, services using the `default` Kubernetes service account will be prevented from logging in. - This only has effect if ACLs are enabled. Requires Consul 1.5+ and consul-k8s 0.8.0+. - - * `overrideAuthMethodName` (`string: ""`) - If not using `global.acls.manageSystemACLs` and instead manually setting up an auth method for Connect inject, set this to the name of your Auth method. - - * `aclInjectToken` - Refers to a Kubernetes secret that you have created that contains an ACL token for your Consul cluster which allows the Connect injector the correct permissions. This is only needed if Consul namespaces and ACLs are enabled on the Consul cluster and you are not setting `global.acls.manageSystemACLs` to `true`. This token needs to have `operator = "write"` privileges so that it can create namespaces. - - - secretName `(string: null)` - The name of the Kubernetes secret. - - - secretKey `(string: null)` - The key within the Kubernetes secret that holds the acl token. - - - `aclInjectToken` - Refers to a Kubernetes secret that you have created that contains an ACL token for your Consul cluster which allows the Connect injector the correct permissions. This is only needed if Consul namespaces and ACLs are enabled on the Consul cluster and you are not setting `global.bootstrapACLs` to `true`. This token needs to have `operator = "write"` privileges so that it can create namespaces. - - - secretName `(string: null)` - The name of the Kubernetes secret. - - - secretKey `(string: null)` - The key within the Kubernetes secret that holds the acl token. - - - `centralConfig` - Values that configure - Consul's [central configuration](/docs/agent/config_entries.html) feature (requires Consul v1.5+ and consul-k8s v0.8.1+). - - - `enabled` (`boolean: true`) - - Turns on the central configuration feature. Pods that have a Connect proxy injected will have their service - automatically registered in this central configuration. - - - `defaultProtocol` (`string: null`) - - If defined, this value will be used as the default protocol type for all services registered with the central configuration. - This can be overridden by using the - [protocol annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-service-protocol) - directly on any pod spec. - - - `proxyDefaults` (`string: "{}"`) - - This value is a raw json string that will be applied to all Connect proxy sidecar pods. It can include any valid configuration - for the configured proxy. - - ```yaml - # proxyDefaults values are formatted as a multi-line string: - proxyDefaults: | - { - "envoy_dogstatsd_url": "udp://127.0.0.1:9125" - } - ``` - -- `tests` - Control whether to enable a test for this Helm chart. - - - `enabled` (`boolean: true`) If true, the test Pod manifest will be generated to be used as a Helm test. - The pod will be created when a `helm test` command is executed. - -## Helm Chart Examples - -The below `config.yaml` results in a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API. - -```yaml -# config.yaml -server: - replicas: 1 - bootstrapExpect: 1 - -ui: - service: - type: LoadBalancer -``` - -The below `config.yaml` results in a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection. - -Note, this would require a secret that contains the enterprise license key. - -```yaml -# config.yaml -global: - image: 'hashicorp/consul-enterprise:1.4.2-ent' - -server: - replicas: 3 - bootstrapExpect: 3 - enterpriseLicense: - secretName: 'consul-license' - secretKey: 'key' - storage: 100Gi - connect: true - -client: - grpc: true - -connectInject: - enabled: true - default: false -``` - -## Customizing the Helm Chart - -Consul within Kubernetes is highly configurable and the Helm chart contains dozens -of the most commonly used configuration options. -If you need to extend the Helm chart with additional options, we recommend using a third-party tool, -such as [kustomize](https://github.com/kubernetes-sigs/kustomize) or [ship](https://github.com/replicatedhq/ship). -Note that the Helm chart heavily relies on Helm lifecycle hooks, and so features like bootstrapping ACLs or TLS -will not work as expected. Additionally, we can make changes to the internal implementation (e.g., renaming template files) that -may be backward incompatible with such customizations. diff --git a/website/pages/docs/platform/k8s/helm.mdx b/website/pages/docs/platform/k8s/helm.mdx new file mode 100644 index 0000000000..be7aa96f8a --- /dev/null +++ b/website/pages/docs/platform/k8s/helm.mdx @@ -0,0 +1,1190 @@ +--- +layout: docs +page_title: Helm Chart Reference - Kubernetes +sidebar_current: docs-platform-k8s-helm +description: Reference for the Consul Helm chart. +--- + +# Helm Chart Reference + +## Configuration (Values) + +The chart is highly customizable using +[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). +Each value has a sane default tuned for an optimal getting started experience +with Consul. Before going into production, please review the parameters below +and consider if they're appropriate for your deployment. + +- `global` ((#v-global)) - Holds values that affect multiple components of the chart. + + - `enabled` ((#v-global-enabled)) (`boolean: true`) - The master enabled/disabled setting. If true, servers, + clients, Consul DNS and the Consul UI will be enabled. Each component can override + this default via its component-specific "enabled" config. If false, no components + will be installed by default and per-component opt-in is required, such as by + setting [`server.enabled`](#v-server-enabled) to true. + + - `name` ((#v-global-name)) (`string: null`) - Set the prefix used for all resources in the Helm chart. If not set, the prefix will be `-consul`. + + - `domain` ((#v-global-domain)) (`string: "consul"`) - The domain Consul will answer DNS queries for (see + [-domain](/docs/agent/options.html#_domain)) and the domain services synced from + Consul into Kubernetes will have, e.g. `service-name.service.consul`. + + - `image` ((#v-global-image)) (`string: "consul:"`) - The name (and tag) of the Consul Docker image for clients and servers. This can be overridden per component. This should be pinned to a specific version tag, otherwise you may inadvertently upgrade your Consul version. + + Examples: + + ```yaml + # Consul 1.5.0 + image: "consul:1.5.0" + # Consul Enterprise 1.5.0 + image: "hashicorp/consul-enterprise:1.5.0-ent" + ``` + + - `imageK8S` ((#v-global-imagek8s)) (`string: "hashicorp/consul-k8s:"`) - The name (and tag) of the [consul-k8s](https://github.com/hashicorp/consul-k8s) Docker image that is used for functionality such the catalog sync. This can be overridden per component. + + Note: support for the catalog sync's liveness and readiness probes was added to consul-k8s 0.6.0. If using an older consul-k8s version, you may need to remove these checks to make sync work. If using mesh gateways and bootstrapACLs then must be >= 0.9.0. + + - `datacenter` ((#v-global-datacenter)) (`string: "dc1"`) - The name of the datacenter that the agents should + register as. This can't be changed once the Consul cluster is up and running since Consul + doesn't support an automatic way to change this value currently: [https://github.com/hashicorp/consul/issues/1858](https://github.com/hashicorp/consul/issues/1858). + + - `enablePodSecurityPolicies` ((#v-global-enablepodsecuritypolicies)) (`boolean: false`) - Controls whether pod + security policies are created for the Consul components created by this chart. See [https://kubernetes.io/docs/concepts/policy/pod-security-policy/](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). + + - `gossipEncryption` ((#v-global-gossipencryption)) - Configures which Kubernetes secret to retrieve Consul's + gossip encryption key from (see [-encrypt](/docs/agent/options.html#_encrypt)). If secretName or + secretKey are not set, gossip encryption will not be enabled. The secret must + be in the same namespace that Consul is installed into. + + The secret can be created by running: + + ```bash + $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # To reference, use: + # gossipEncryption: + # secretName: consul-gossip-encryption-key + # secretKey: key + ``` + + - `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - The name of the Kubernetes secret + that holds the gossip encryption key. The secret must be in the same namespace that Consul is installed + into. + + - `secretKey` ((#v-global-gossipencryption-secretkey)) (`string: ""`) - The key within the Kubernetes secret + that holds the gossip encryption key. + + - `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) - [Enterprise Only] + `enableConsulNamespaces` indicates that you are running Consul Enterprise v1.7+ with a valid Consul + Enterprise license and would like to make use of configuration beyond registering everything into + the `default` Consul namespace. Requires consul-k8s v0.12+. Additional configuration + options are found in the `consulNamespaces` section of both the catalog sync + and connect injector. + + - `bootstrapACLs` ((#v-global-bootstrapacls)) (`boolean: false`) - **[DEPRECATED]** Use `global.acls.manageSystemACLs` instead. + + - `acls` ((#v-global-acls)) - Configure ACLs. + + - `manageSystemACLs` ((#v-global-acls-managesystemacls)) (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies for all Consul and consul-k8s components. This requires servers to be running inside Kubernetes. Additionally requires Consul >= 1.4 and consul-k8s >= 0.10.1. + + - `tls` ((#v-global-tls)) - Enables TLS [encryption](https://learn.hashicorp.com/consul/security-networking/agent-encryption) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+ and consul-k8s v0.16.2+ + + - `enabled` ((#v-global-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul + servers and clients and all consul-k8s components, as well as generate certificate + authority (optional) and server and client certificates. + + - `serverAdditionalDNSSANs` ((#v-global-serveradditionaldnsssans)) (`array: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI. + + - `serverAdditionalIPSANs` ((#v-global-serveradditionalipsans)) (`array: []`) - A list of additional IP addresses to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI. + + - `verify` ((#v-global-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`, + and `verify_incoming_rpc` will be set to `true` for Consul servers and clients. + Set this to false to incrementally roll out TLS on an existing Consul cluster. + Please see [Configuring TLS on an Existing Cluster](https://www.consul.io/docs/platform/k8s/tls-on-existing-cluster.html) + for more details. + + - `httpsOnly` ((#v-global-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul + to disable the HTTP port on both clients and servers and to only accept HTTPS connections. + + - `caCert` ((#v-global-cacert)) - A Kubernetes secret containing the certificate of the CA to use for + TLS communication within the Consul cluster. If you have generated the CA yourself + with the consul CLI, you could use the following command to create the secret + in Kubernetes: + + ```bash + kubectl create secret generic consul-ca-cert \ + --from-file='tls.crt=./consul-agent-ca.pem' + ``` + + - `secretName` ((#v-global-cacert-secretname)) (`string: null`) - The name of the Kubernetes secret. + + - `secretKey` ((#v-global-cacert-secretkey)) (`string: null`) - The key of the Kubernetes secret. + + - `caKey` ((#v-global-cakey)) - A Kubernetes secret containing the private key of the CA to use for + TLS communication within the Consul cluster. If you have generated the CA yourself + with the consul CLI, you could use the following command to create the secret + in Kubernetes: + + ```bash + kubectl create secret generic consul-ca-key \ + --from-file='tls.key=./consul-agent-ca-key.pem' + ``` + + - + `secretName` + (`string: null`) - The name of the Kubernetes secret. + + - + `secretKey` + (`string: null`) - The key of the Kubernetes secret. + +- + `server` + - Values that configure running a Consul server within Kubernetes. + + - + `enabled` + (`boolean: global.enabled`) - If true, the chart will install all the resources + necessary for a Consul server cluster. If you're running Consul externally and + want agents within Kubernetes to join that cluster, this should probably be false. + + - + `image` + (`string: global.image`) - The name of the Docker image (including any tag) + for the containers running Consul server agents. + + - + `replicas` + (`integer: 3`) -The number of server agents to run. This determines the + fault tolerance of the cluster. Please see the [deployment table](/docs/internals/consensus.html#deployment-table) + for more information. + + - + `bootstrapExpect` + (`integer: 3`) - For new clusters, this is the number of servers to wait + for before performing the initial leader election and bootstrap of the cluster. + This must be less than or equal to `server.replicas`. This value is only used + when bootstrapping new clusters, it has no effect during ongoing cluster maintenance. + + - + `enterpriseLicense` + [Enterprise Only] - This value refers to a Kubernetes secret that you have + created that contains your enterprise license. It is required if you are using + an enterprise binary. Defining it here applies it to your cluster once a leader + has been elected. If you are not using an enterprise image or if you plan to + introduce the license key via another route, then set these fields to null. + + - + `secretName` + (`string: null`) - The name of the Kubernetes secret that holds the enterprise + license. The secret must be in the same namespace that Consul is installed + into. + + - + `secretKey` + (`string: null`) - The key within the Kubernetes secret that holds the + enterprise license. + + - + `storage` + (`string: 10Gi`) - This defines the disk size for configuring the servers' + StatefulSet storage. For dynamically provisioned storage classes, this is the + desired size. For manually defined persistent volumes, this should be set to + the disk size of the attached volume. + + - + `storageClass` + (`string: null`) - The StorageClass to use for the servers' StatefulSet + storage. It must be able to be dynamically provisioned if you want the storage + to be automatically created. For example, to use [Local](https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + storage classes, the PersistentVolumeClaims would need to be manually created. + A `null` value will use the Kubernetes cluster's default StorageClass. If a default + StorageClass does not exist, you will need to create one. + + - + `connect` + (`boolean: true`) - This will enable/disable [Connect](/docs/connect/index.html). + Setting this to true _will not_ automatically secure pod communication, this + setting will only enable usage of the feature. Consul will automatically initialize + a new CA and set of certificates. Additional Connect settings can be configured + by setting the `server.extraConfig` value. + + - + `resources` + (`string: null`) - The resource requests (CPU, memory, etc.) for each of + the server agents. This should be a multi-line string mapping directly to a Kubernetes + [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) + object. If this isn't specified, then the pods won't request any specific amount + of resources. **Setting this is highly recommended.** + + ```yaml + # Resources are defined as a formatted multi-line string: + resources: | + requests: + memory: "10Gi" + limits: + memory: "10Gi" + ``` + + - + `updatePartition` + (`integer: 0`) - This value is used to carefully control a rolling update + of Consul server agents. This value specifies the [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + for performing a rolling update. Please read the linked Kubernetes documentation + for more information. + + - + `disruptionBudget` + - This configures the [PodDisruptionBudget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + for the server cluster. + + - + `enabled` + (`boolean: true`) - This will enable/disable registering a PodDisruptionBudget + for the server cluster. If this is enabled, it will only register the budget + so long as the server cluster is enabled. + + - + `maxUnavailable` + (`integer: null`) - The maximum number of unavailable pods. By default, + this will be automatically computed based on the `server.replicas` value to + be `(n/2)-1`. If you need to set this to `0`, you will need to add a `--set + 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + command because of a limitation in the Helm templating language. + + - + `extraConfig` + (`string: "{}"`) - A raw string of extra JSON [configuration](/docs/agent/options.html) + for Consul servers. This will be saved as-is into a ConfigMap that is read by + the Consul server agents. This can be used to add additional configuration that + isn't directly exposed by the chart. + + ```yaml + # ExtraConfig values are formatted as a multi-line string: + extraConfig: | + { + "log_level": "DEBUG" + } + ``` + + This can also be set using Helm's `--set` flag (consul-helm v0.7.0 and later), using the following syntax: + + ```shell + --set 'server.extraConfig="{"log_level": "DEBUG"}"' + ``` + + - + `extraVolumes` + (`array: []`) - A list of extra volumes to mount for server agents. This + is useful for bringing in extra data that can be referenced by other configurations + at a well known path, such as TLS certificates or Gossip encryption keys. The + value of this should be a list of objects. Each object supports the following + keys: + + - + `type` + (`string: required`) - Type of the volume, must be one of "configMap" + or "secret". Case sensitive. + + - + `name` + (`string: required`) - + + Name of the configMap or secret to be mounted. This also controls the path + that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + + - + `load` + (`boolean: false`) - If true, then the agent will be configured to automatically + load HCL/JSON configuration files from this volume with `-config-dir`. This + defaults to false. + + ```yaml + extraVolumes: + - type: "secret" + name: "consul-certs" + load: false + ``` + + - + `affinity` + (`string`) - This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + for server pods. It defaults to allowing only a single pod on each node, which + minimizes risk of the cluster becoming unusable if a node is lost. If you need + to run more pods per node (for example, testing on Minikube), set this value + to `null`. + + ```yaml + # Recommended default server affinity: + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + ``` + + - + `tolerations` + (`string: ""`) - Toleration settings for server pods. This should be a multi-line + string matching the [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + array in a Pod spec. + + - + `nodeSelector` + (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + labels for server pod assignment, formatted as a multi-line string. + + ```yaml + nodeSelector: | + beta.kubernetes.io/arch: amd64 + ``` + + - + `priorityClassName` + (`string`) - This value references an existing Kubernetes [priorityClassName](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + that can be assigned to server pods. + + - + `annotations` + (`string`) - This value defines additional annotations for server pods. + This should be a formatted as a multi-line string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + + - + `service` + - Server service properties + + - + `annotations` + Annotations to apply to the server service. + + ```yaml + annotations: | + "annotation-key": "annotation-value" + ``` + +- + `client` + - Values that configure running a Consul client on Kubernetes nodes. + + - + `enabled` + (`boolean: global.enabled`) - If true, the chart will install all the resources + necessary for a Consul client on every Kubernetes node. This _does not_ require + `server.enabled`, since the agents can be configured to join an external cluster. + + - + `image` + (`string: global.image`) - The name of the Docker image (including any tag) + for the containers running Consul client agents. + + - `join` ((#v-client-join)) (`array: null`) - A list of valid [`-retry-join` values](/docs/agent/options.html#retry-join). If this is `null` (default), then the clients will attempt to automatically join the server cluster running within Kubernetes. This means that with `server.enabled` set to true, clients will automatically join that cluster. If `server.enabled` is not true, then a value must be specified so the clients can join a valid cluster. + + - + `dataDirectoryPath` + (`string: null`) - An absolute path to a directory on the host machine to + use as the Consul client data directory. If set to the empty string or null, + the Consul agent will store its data in the Pod's local filesystem (which will + be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + Policies _must_ be enabled on your cluster and in this Helm chart (via the global.enablePodSecurityPolicies + setting) to prevent other Pods from mounting the same host path and gaining access + to all of Consul's data. Consul's data is not encrypted at rest. + + - + `grpc` + (`boolean: true`) - If true, agents will enable their GRPC listener on port + 8502 and expose it to the host. This will use slightly more resources, but is + required for [Connect](/docs/platform/k8s/connect.html). + + - + `exposeGossipPorts` + (`boolean: false`) - If true, the Helm chart will expose the clients' gossip + ports as hostPorts. This is only necessary if pod IPs in the k8s cluster are + not directly routable and the Consul servers are outside of the k8s cluster. + This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + + - + `resources` + (`string: null`) - The resource requests (CPU, memory, etc.) for each of + the client agents. This should be a multi-line string mapping directly to a Kubernetes + [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) + object. If this isn't specified, then the pods won't request any specific amount + of resources. + + ```yaml + # Resources are defined as a formatted multi-line string: + resources: | + requests: + memory: "10Gi" + limits: + memory: "10Gi" + ``` + + - + `extraConfig` + (`string: "{}"`) - A raw string of extra JSON [configuration](/docs/agent/options.html) + for Consul clients. This will be saved as-is into a ConfigMap that is read by + the Consul agents. This can be used to add additional configuration that isn't + directly exposed by the chart. + + ```yaml + # ExtraConfig values are formatted as a multi-line string: + extraConfig: | + { + "log_level": "DEBUG" + } + ``` + + This can also be set using Helm's `--set` flag (consul-helm v0.7.0 and later), using the following syntax: + + ```shell + --set 'client.extraConfig="{"log_level": "DEBUG"}"' + ``` + + - + `extraVolumes` + (`array: []`) - A list of extra volumes to mount for client agents. This + is useful for bringing in extra data that can be referenced by other configurations + at a well known path, such as TLS certificates or Gossip encryption keys. The + value of this should be a list of objects. Each object supports the following + keys: + + - + `type` + (`string: required`) - Type of the volume, must be one of "configMap" + or "secret". Case sensitive. + + - + `name` + (`string: required`) - + + Name of the configMap or secret to be mounted. This also controls the path + that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + + - + `load` + (`boolean: false`) - If true, then the agent will be configured to automatically + load HCL/JSON configuration files from this volume with `-config-dir`. This + defaults to false. + + ```yaml + extraVolumes: + - type: 'secret' + name: 'consul-certs' + load: false + ``` + + - + `tolerations` + (`string: ""`) - Toleration Settings for client pods. This should be a multi-line + string matching the Toleration array in a Pod spec. The example below will allow + client pods to run on every node regardless of taints. + + ```yaml + tolerations: | + - operator: "Exists" + ``` + + - + `nodeSelector` + (`string: null`) - Labels for client pod assignment, formatted as a multi-line + string. Please see [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + for more details. + + ```yaml + nodeSelector: | + beta.kubernetes.io/arch: amd64 + ``` + + - + `priorityClassName` + (`string: ""`) - This value references an existing Kubernetes [priorityClassName](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + that can be assigned to client pods. + + - + `annotations` + (`string: null`) - This value defines additional annotations for client + pods. This should be a formatted as a multi-line string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + + - + `dnsPolicy` + (`string: null`) - This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + for client pods to use. + + - + `updateStrategy` + (`string: null`) - The [update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + for the client `DaemonSet`. + + ```yaml + updateStrategy: | + rollingUpdate: + maxUnavailable: 5 + type: RollingUpdate + ``` + + - + `snapshotAgent` + [Enterprise Only] - Values for setting up and running [snapshot agents](https://www.consul.io/docs/commands/snapshot/agent.html) + within the Consul clusters. They are required to be co-located with Consul clients, + so will inherit the clients' nodeSelector, tolerations and affinity. + + - + `enabled` + (`boolean: false`) - If true, the chart will install resources necessary + to run the snapshot agent. + + - + `replicas` + (`integer: 2`) - The number of snapshot agents to run. + + - + `configSecret` + - A Kubernetes secret that should be manually created to contain the entire + config to be used on the snapshot agent. This is the preferred method of configuration + since there are usually storage credentials present. Please see [Snapshot agent + config](https://www.consul.io/docs/commands/snapshot/agent.html#config-file-options-) + for details. + + - + secretName{' '} + + `(string: null)` - The name of the Kubernetes secret. + + - + secretKey{' '} + + `(string: null)` - The key for the Kubernetes secret. + +- + `dns` + - Values that configure Consul DNS service. + + - + `enabled` + (`boolean: global.enabled`) - If true, a `consul-dns` service will be created + that exposes port 53 for TCP and UDP to the running Consul agents (servers and + clients). This can then be used to [configure kube-dns](/docs/platform/k8s/dns.html). + The Helm chart _does not_ automatically configure kube-dns. + + - + `clusterIP` + (`string: null`) - If defined, this value configures the cluster IP of the + DNS service. + + - + `annotations` + (`string: null`) - Extra annotations to attach to the DNS service. This + should be a multi-line string of annotations to apply to the DNS service. + +- + `syncCatalog` + - Values that configure the [service sync](/docs/platform/k8s/service-sync.html) + process. + + - + `enabled` + (`boolean: false`) - If true, the chart will install all the resources necessary + for the catalog sync process to run. + + - + `image` + (`string: global.imageK8S`) - The name of the Docker image (including any + tag) for [consul-k8s](/docs/platform/k8s/index.html#quot-consul-k8s-quot-project) + to run the sync program. + + - + `default` + (`boolean: true`) - If true, all valid services in K8S are synced by default. + If false, the service must be [annotated](/docs/platform/k8s/service-sync.html#sync-enable-disable) + properly to sync. In either case an annotation can override the default. + + - + `toConsul` + (`boolean: true`) - If true, will sync Kubernetes services to Consul. This + can be disabled to have a one-way sync. + + - + `toK8S` + (`boolean: true`) - If true, will sync Consul services to Kubernetes. This + can be disabled to have a one-way sync. + + - + `k8sPrefix` + (`string: ""`) - A prefix to prepend to all services registered in Kubernetes + from Consul. This defaults to `""` where no prefix is prepended; Consul services + are synced with the same name to Kubernetes. (Consul -> Kubernetes sync only) + + - + `k8sAllowNamespaces` + (`[]string: ["*"]`) - list of k8s namespaces to sync the k8s services from. + If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + services in that k8s namespace will not be synced even if they are explicitly + annotated. Use `["*"]` to automatically allow all k8s namespaces. For example, + `["namespace1", "namespace2"]` will only allow services in the k8s namespaces + `namespace1` and `namespace2` to be synced and registered with Consul. All other + k8s namespaces will be ignored. Note: `k8sDenyNamespaces` takes precedence over + values defined here. Requires consul-k8s v0.12+ + - + `k8sDenyNamespaces` + (`[]string: ["kube-system", "kube-public"]` - list of k8s namespaces that + should not have their services synced. This list takes precedence over `k8sAllowNamespaces`. + `*` is not supported because then nothing would be allowed to sync. Requires + consul-k8s v0.12+. + + For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` and `namespace2` will be synced. + + - + `k8sSourceNamespace` + (`string: ""`) - **[DEPRECATED] Use `k8sAllowNamespaces` and `k8sDenyNamespaces` + instead.** `k8sSourceNamespace` is the Kubernetes namespace to watch for service + changes and sync to Consul. If this is not set then it will default to all namespaces. + + - + `consulNamespaces` + - [Enterprise Only] These settings manage the catalog sync's interaction + with Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). Also, + `global.enableConsulNamespaces` must be true. + + - + `consulDestinationNamespace` + (`string: "default"`) - Name of the Consul namespace to register all k8s + services into. If the Consul namespace does not already exist, it will be created. + This will be ignored if `mirroringK8S` is true. + + - + `mirroringK8S` + (`bool: false`) - causes k8s services to be registered into a Consul namespace + of the same name as their k8s namespace, optionally prefixed if `mirroringK8SPrefix` + is set below. If the Consul namespace does not already exist, it will be created. + Turning this on overrides the `consulDestinationNamespace` setting. `addK8SNamespaceSuffix` + may no longer be needed if enabling this option. + + - + `mirroringK8SPrefix` + (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` + allows each Consul namespace to be given a prefix. For example, if `mirroringK8SPrefix` + is set to `"k8s-"`, a service in the k8s `staging` namespace will be registered + into the `k8s-staging` Consul namespace. + + - + `addK8SNamespaceSuffix` + (`boolean: true`) - If true, sync catalog will append Kubernetes namespace + suffix to each service name synced to Consul, separated by a dash. For example, + for a service `foo` in the `default` namespace, the sync process will create + a Consul service named `foo-default`. Set this flag to true to avoid registering + services with the same name but in different namespaces as instances for the + same Consul service. Namespace suffix is not added if `annotationServiceName` + is provided. + + - + `consulPrefix` + (`string: ""`) - A prefix to prepend to all services registered in Consul + from Kubernetes. This defaults to `""` where no prefix is prepended. Service + names within Kubernetes remain unchanged. (Kubernetes -> Consul sync only) The + prefix is ignored if `annotationServiceName` is provided. + + - + `k8sTag` + (`string: null`) - An optional tag that is applied to all of the Kubernetes + services that are synced into Consul. If nothing is set, this defaults to "k8s". + (Kubernetes -> Consul sync only) + + - + `syncClusterIPServices` + (`boolean: true`) - If true, will sync Kubernetes ClusterIP services to + Consul. This can be disabled to have the sync ignore ClusterIP-type services. + + - + `nodePortSyncType` + (`string: ExternalFirst`) - Configures the type of syncing that happens + for NodePort services. The only valid options are: `ExternalOnly`, `InternalOnly`, + and `ExternalFirst`. `ExternalOnly` will only use a node's ExternalIP address + for the sync, otherwise the service will not be synced. `InternalOnly` uses the + node's InternalIP address. `ExternalFirst` will preferentially use the node's + ExternalIP address, but if it doesn't exist, it will use the node's InternalIP + address instead. + + - + `aclSyncToken` + - references a Kubernetes [secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets) + that contains an existing Consul ACL token. This will provide the sync process + the correct permissions. This is only needed if ACLs are enabled on the Consul + cluster. + + - + secretName{' '} + + `(string: null)` - The name of the Kubernetes secret. This defaults to null. + + - + secretKey{' '} + + `(string: null)` - The key for the Kubernetes secret. This defaults to null. + + - + `nodeSelector` + (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + labels for `syncCatalog` pod assignment, formatted as a multi-line string. + + ```yaml + nodeSelector: | + beta.kubernetes.io/arch: amd64 + ``` + + - + `logLevel` + (`string: info`) - Log verbosity level. One of "trace", "debug", "info", + "warn", or "error". + + - + `consulWriteInterval` + (`string: null`) - Override the default interval to perform syncing operations + creating Consul services. + +- + `ui` + - Values that configure the Consul UI. + + - + `enabled` + (`boolean: global.enabled`) - If true, the UI will be enabled. This will + only _enable_ the UI, it doesn't automatically register any service for external + access. The UI will only be enabled on server agents. If `server.enabled` is + false, then this setting has no effect. To expose the UI in some way, you must + configure `ui.service`. + + - + `service` + - This configures the `Service` resource registered for the Consul UI. + + - + `enabled` + (`boolean: true`) - This will enable/disable registering a Kubernetes + Service for the Consul UI. This value only takes effect if `ui.enabled` is + true and taking effect. + + - + `type` + (`string: null`) - The service type to register. This defaults to `null` + which doesn't set an explicit service type, which typically is defaulted to + "ClusterIP" by Kubernetes. The available service types are documented on [the + Kubernetes website](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). + + - + `annotations` + (`string: null`) - Annotations to apply to the UI service. + + ```yaml + annotations: | + "annotation-key": "annotation-value" + ``` + + - + `additionalSpec` + (`string: null`) - Additional Service spec values. This should be a multi-line + string mapping directly to a Kubernetes `Service` object. + +- + `connectInject` + - Values that configure running the [Connect injector](/docs/platform/k8s/connect.html). + + - + `enabled` + (`boolean: false`) - If true, the chart will install all the resources necessary + for the Connect injector process to run. This will enable the injector but will + require pods to opt-in with an annotation by default. + + - + `image` + (`string: global.imageK8S`) - The name of the Docker image (including any + tag) for the [consul-k8s](https://github.com/hashicorp/consul-k8s) binary. + + - + `default` + (`boolean: false`) - If true, the injector will inject the Connect sidecar + into all pods by default. Otherwise, pods must specify the. [injection annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-inject) + to opt-in to Connect injection. If this is true, pods can use the same annotation + to explicitly opt-out of injection. + + - + `imageConsul` + (`string: global.image`) - The name of the Docker image (including any tag) + for Consul. This is used for proxy service registration, Envoy configuration, + etc. + + - + `imageEnvoy` + (`string: ""`) - The name of the Docker image (including any tag) for the + Envoy sidecar. `envoy` must be on the executable path within this image. This + Envoy version must be compatible with the Consul version used by the injector. + If not specified this defaults to letting the injector choose the Envoy image. + Check [supported Envoy versions](/docs/connect/proxies/envoy.html#supported-versions) + to ensure the version you are using is compatible with Consul. + + - + `namespaceSelector` + (`string: ""`) - A [selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + for restricting injection to only matching namespaces. By default all namespaces + except `kube-system` and `kube-public` will have injection enabled. + + ```yaml + namespaceSelector: | + matchLabels: + namespace-label: label-value + ``` + + - + `k8sAllowNamespaces` + - list of k8s namespaces to allow Connect sidecar injection in. If a k8s + namespace is not included or is listed in `k8sDenyNamespaces`, pods in that k8s + namespace will not be injected even if they are explicitly annotated. Use `["*"]` + to automatically allow all k8s namespaces. + + For example, `["namespace1", "namespace2"]` will only allow pods in the k8s namespaces `namespace1` and `namespace2` to have Connect sidecars injected and registered with Consul. All other k8s namespaces will be ignored. + + Note: `k8sDenyNamespaces` takes precedence over values defined here and `namespaceSelector` takes precedence over both since it is applied first. `kube-system` and `kube-public` are never injected, even if included here. Requires consul-k8s v0.12+ + + - + `k8sDenyNamespaces` + - list of k8s namespaces that should not allow Connect sidecar injection. + This list takes precedence over `k8sAllowNamespaces`. `*` is not supported because + then nothing would be allowed to be injected. + + For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` and `namespace2` will be injected. + + Note: `namespaceSelector` takes precedence over this since it is applied first. `kube-system` and `kube-public` are never injected. Requires consul-k8s v0.12+. + + - + `consulNamespaces` + - [Enterprise Only] These settings manage the connect injector's interaction + with Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). Also, + `global.enableConsulNamespaces` must be true. + + - + `consulDestinationNamespace` + (`string: "default"`) - Name of the Consul namespace to register all k8s + services into. If the Consul namespace does not already exist, it will be created. + This will be ignored if `mirroringK8S` is true. + + - + `mirroringK8S` + (`bool: false`) - causes k8s services to be registered into a Consul namespace + of the same name as their k8s namespace, optionally prefixed if `mirroringK8SPrefix` + is set below. If the Consul namespace does not already exist, it will be created. + Turning this on overrides the `consulDestinationNamespace` setting. + + - + `mirroringK8SPrefix` + (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` + allows each Consul namespace to be given a prefix. For example, if `mirroringK8SPrefix` + is set to `"k8s-"`, a service in the k8s `staging` namespace will be registered + into the `k8s-staging` Consul namespace. + + - + `certs` + - The certs section configures how the webhook TLS certs are configured. + These are the TLS certs for the Kube apiserver communicating to the webhook. + By default, the injector will generate and manage its own certs, but this requires + the ability for the injector to update its own `MutatingWebhookConfiguration`. + In a production environment, custom certs should probably be used. Configure + the values below to enable this. + + - + `secretName` + (`string: null`) - secretName is the name of the Kubernetes secret that + has the TLS certificate and private key to serve the injector webhook. If this + is null, then the injector will default to its automatic management mode. + + - + `caBundle` + (`string: ""`) - The PEM-encoded CA public certificate bundle for the + TLS certificate served by the injector. This must be specified as a string + and can't come from a secret because it must be statically configured on the + Kubernetes `MutatingAdmissionWebhook` resource. This only needs to be specified + if `secretName` is not null. + + - + `certName` + (`string: "tls.crt"`) - The name of the certificate file within the `secretName` + secret. + + - + `keyName` + (`string: "tls.key"`) - The name of the private key for the certificate + file within the `secretName` secret. + + - + `nodeSelector` + (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + labels for `connectInject` pod assignment, formatted as a multi-line string. + + ```yaml + nodeSelector: | + beta.kubernetes.io/arch: amd64 + ``` + + - + `aclBindingRuleSelector` + (`string: "serviceaccount.name!=default"`) - A [selector](/docs/acl/acl-auth-methods.html#binding-rules) + for restricting automatic injection to only matching services based on their + associated service account. By default, services using the `default` Kubernetes + service account will be prevented from logging in. This only has effect if ACLs + are enabled. Requires Consul 1.5+ and consul-k8s 0.8.0+. + + - + `overrideAuthMethodName` + (`string: ""`) - If not using `global.acls.manageSystemACLs` and instead + manually setting up an auth method for Connect inject, set this to the name of + your Auth method. + + - + `aclInjectToken` + - Refers to a Kubernetes secret that you have created that contains an ACL + token for your Consul cluster which allows the Connect injector the correct permissions. + This is only needed if Consul namespaces and ACLs are enabled on the Consul cluster + and you are not setting `global.acls.manageSystemACLs` to `true`. This token + needs to have `operator = "write"` privileges so that it can create namespaces. + + - + secretName{' '} + + `(string: null)` - The name of the Kubernetes secret. + + - + secretKey{' '} + + `(string: null)` - The key within the Kubernetes secret that holds the acl + token. + + - + `centralConfig` + - Values that configure Consul's [central configuration](/docs/agent/config_entries.html) + feature (requires Consul v1.5+ and consul-k8s v0.8.1+). + + - + `enabled` + (`boolean: true`) - Turns on the central configuration feature. Pods that + have a Connect proxy injected will have their service automatically registered + in this central configuration. + + - + `defaultProtocol` + (`string: null`) - If defined, this value will be used as the default + protocol type for all services registered with the central configuration. This + can be overridden by using the [protocol annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-service-protocol) + directly on any pod spec. + + - + `proxyDefaults` + (`string: "{}"`) - This value is a raw json string that will be applied + to all Connect proxy sidecar pods. It can include any valid configuration for + the configured proxy. + + ```yaml + # proxyDefaults values are formatted as a multi-line string: + proxyDefaults: | + { + "envoy_dogstatsd_url": "udp://127.0.0.1:9125" + } + ``` + +- + `tests` + - Control whether to enable a test for this Helm chart. + + - + `enabled` + (`boolean: true`) If true, the test Pod manifest will be generated to be + used as a Helm test. The pod will be created when a `helm test` command is executed. + +## Helm Chart Examples + +The below `config.yaml` results in a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API. + +```yaml +# config.yaml +server: + replicas: 1 + bootstrapExpect: 1 + +ui: + service: + type: LoadBalancer +``` + +The below `config.yaml` results in a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection. + +Note, this would require a secret that contains the enterprise license key. + +```yaml +# config.yaml +global: + image: 'hashicorp/consul-enterprise:1.4.2-ent' + +server: + replicas: 3 + bootstrapExpect: 3 + enterpriseLicense: + secretName: 'consul-license' + secretKey: 'key' + storage: 100Gi + connect: true + +client: + grpc: true + +connectInject: + enabled: true + default: false +``` + +## Customizing the Helm Chart + +Consul within Kubernetes is highly configurable and the Helm chart contains dozens +of the most commonly used configuration options. +If you need to extend the Helm chart with additional options, we recommend using a third-party tool, +such as [kustomize](https://github.com/kubernetes-sigs/kustomize) or [ship](https://github.com/replicatedhq/ship). +Note that the Helm chart heavily relies on Helm lifecycle hooks, and so features like bootstrapping ACLs or TLS +will not work as expected. Additionally, we can make changes to the internal implementation (e.g., renaming template files) that +may be backward incompatible with such customizations. diff --git a/website/pages/docs/platform/k8s/index.html.md b/website/pages/docs/platform/k8s/index.mdx similarity index 93% rename from website/pages/docs/platform/k8s/index.html.md rename to website/pages/docs/platform/k8s/index.mdx index b801d114e6..336f8ef0f8 100644 --- a/website/pages/docs/platform/k8s/index.html.md +++ b/website/pages/docs/platform/k8s/index.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Kubernetes' -sidebar_current: 'docs-platform-k8s-index' -description: |- - Consul has many integrations with Kubernetes. You can deploy Consul to Kubernetes using the Helm chart, sync services between Consul and Kubernetes, automatically secure Pod communication with Connect, and more. This section documents the official integrations between Consul and Kubernetes. +layout: docs +page_title: Kubernetes +sidebar_current: docs-platform-k8s-index +description: >- + Consul has many integrations with Kubernetes. You can deploy Consul to + Kubernetes using the Helm chart, sync services between Consul and Kubernetes, + automatically secure Pod communication with Connect, and more. This section + documents the official integrations between Consul and Kubernetes. --- # Kubernetes diff --git a/website/pages/docs/platform/k8s/minikube.html.md b/website/pages/docs/platform/k8s/minikube.mdx similarity index 74% rename from website/pages/docs/platform/k8s/minikube.html.md rename to website/pages/docs/platform/k8s/minikube.mdx index a27a0ba0d8..21c52856c8 100644 --- a/website/pages/docs/platform/k8s/minikube.html.md +++ b/website/pages/docs/platform/k8s/minikube.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Running Consul on Minikube' -sidebar_current: 'docs-platform-k8s-run-mini' -description: |- - Consul can run directly on Minikube for testing. +layout: docs +page_title: Running Consul on Minikube +sidebar_current: docs-platform-k8s-run-mini +description: Consul can run directly on Minikube for testing. --- # Consul on Minikube diff --git a/website/pages/docs/platform/k8s/operations.html.md b/website/pages/docs/platform/k8s/operations.mdx similarity index 78% rename from website/pages/docs/platform/k8s/operations.html.md rename to website/pages/docs/platform/k8s/operations.mdx index e7ff7affe3..a884684fb2 100644 --- a/website/pages/docs/platform/k8s/operations.html.md +++ b/website/pages/docs/platform/k8s/operations.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Operations' -sidebar_current: 'docs-platform-k8s-ops' -description: |- - Operating Consul on Kubernetes +layout: docs +page_title: Operations +sidebar_current: docs-platform-k8s-ops +description: Operating Consul on Kubernetes --- # Operations diff --git a/website/pages/docs/platform/k8s/predefined-pvcs.html.md b/website/pages/docs/platform/k8s/predefined-pvcs.mdx similarity index 86% rename from website/pages/docs/platform/k8s/predefined-pvcs.html.md rename to website/pages/docs/platform/k8s/predefined-pvcs.mdx index df7e2c2a50..3de42ecb57 100644 --- a/website/pages/docs/platform/k8s/predefined-pvcs.html.md +++ b/website/pages/docs/platform/k8s/predefined-pvcs.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Predefined PVCs' -sidebar_current: 'docs-platform-k8s-run-pvcs' -description: |- - Using predefined Persistent Volume Claims +layout: docs +page_title: Predefined PVCs +sidebar_current: docs-platform-k8s-run-pvcs +description: Using predefined Persistent Volume Claims --- # Predefined Persistent Volume Claims (PVCs) diff --git a/website/pages/docs/platform/k8s/run.html.md b/website/pages/docs/platform/k8s/run.mdx similarity index 97% rename from website/pages/docs/platform/k8s/run.html.md rename to website/pages/docs/platform/k8s/run.mdx index 3588b51dc1..c3bfcf3832 100644 --- a/website/pages/docs/platform/k8s/run.html.md +++ b/website/pages/docs/platform/k8s/run.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Installing Consul on Kubernetes - Kubernetes' -sidebar_current: 'docs-platform-k8s-run' -description: |- - Consul can run directly on Kubernetes, both in server or client mode. For pure-Kubernetes workloads, this enables Consul to also exist purely within Kubernetes. For heterogeneous workloads, Consul agents can join a server running inside or outside of Kubernetes. +layout: docs +page_title: Installing Consul on Kubernetes - Kubernetes +sidebar_current: docs-platform-k8s-run +description: >- + Consul can run directly on Kubernetes, both in server or client mode. For + pure-Kubernetes workloads, this enables Consul to also exist purely within + Kubernetes. For heterogeneous workloads, Consul agents can join a server + running inside or outside of Kubernetes. --- # Installing Consul on Kubernetes diff --git a/website/pages/docs/platform/k8s/servers-outside-kubernetes.html.md b/website/pages/docs/platform/k8s/servers-outside-kubernetes.mdx similarity index 90% rename from website/pages/docs/platform/k8s/servers-outside-kubernetes.html.md rename to website/pages/docs/platform/k8s/servers-outside-kubernetes.mdx index 036ba9e5d2..17e49fa60c 100644 --- a/website/pages/docs/platform/k8s/servers-outside-kubernetes.html.md +++ b/website/pages/docs/platform/k8s/servers-outside-kubernetes.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Consul Servers Outside of Kubernetes - Kubernetes' -sidebar_current: 'docs-platform-k8s-run-servers-outside' -description: |- - Running Consul servers outside of Kubernetes +layout: docs +page_title: Consul Servers Outside of Kubernetes - Kubernetes +sidebar_current: docs-platform-k8s-run-servers-outside +description: Running Consul servers outside of Kubernetes --- # Consul Servers Outside of Kubernetes diff --git a/website/pages/docs/platform/k8s/service-sync.html.md b/website/pages/docs/platform/k8s/service-sync.mdx similarity index 97% rename from website/pages/docs/platform/k8s/service-sync.html.md rename to website/pages/docs/platform/k8s/service-sync.mdx index c22a130eba..0d609c0750 100644 --- a/website/pages/docs/platform/k8s/service-sync.html.md +++ b/website/pages/docs/platform/k8s/service-sync.mdx @@ -1,9 +1,11 @@ --- -layout: 'docs' -page_title: 'Service Sync - Kubernetes' -sidebar_current: 'docs-platform-k8s-service-sync' -description: |- - The services in Kubernetes and Consul can be automatically synced so that Kubernetes services are available to Consul agents and services in Consul can be available as first-class Kubernetes services. +layout: docs +page_title: Service Sync - Kubernetes +sidebar_current: docs-platform-k8s-service-sync +description: >- + The services in Kubernetes and Consul can be automatically synced so that + Kubernetes services are available to Consul agents and services in Consul can + be available as first-class Kubernetes services. --- # Syncing Kubernetes and Consul Services @@ -325,20 +327,22 @@ There are three options available: 1. **Mirror Namespaces** - Each Kubernetes service will be synced to a Consul namespace with the same name as its Kubernetes namespace. For example, service `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `ns-1`. If a mirrored namespace does not exist in Consul, it will be created. - - This can be configured with: - - ```yaml + + This can be configured with: + + ````yaml global: enableConsulNamespaces: true - syncCatalog: - enabled: true - consulNamespaces: - mirroringK8S: true + syncCatalog: + enabled: true + consulNamespaces: + mirroringK8S: true - addK8SNamespaceSuffix: false - ``` + addK8SNamespaceSuffix: false + ``` + + ```` 1. **Mirror Namespaces With Prefix** - Each Kubernetes service will be synced to a Consul namespace with the same name as its Kubernetes namespace **with a prefix**. diff --git a/website/pages/docs/platform/k8s/tls-on-existing-cluster.html.md b/website/pages/docs/platform/k8s/tls-on-existing-cluster.mdx similarity index 95% rename from website/pages/docs/platform/k8s/tls-on-existing-cluster.html.md rename to website/pages/docs/platform/k8s/tls-on-existing-cluster.mdx index 06db93a2d9..be6f9c9397 100644 --- a/website/pages/docs/platform/k8s/tls-on-existing-cluster.html.md +++ b/website/pages/docs/platform/k8s/tls-on-existing-cluster.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Configuring TLS on an Existing Cluster' -sidebar_current: 'docs-platform-k8s-ops-tls-on-existing-cluster' -description: |- - Configuring TLS on an existing Consul cluster running in Kubernetes +layout: docs +page_title: Configuring TLS on an Existing Cluster +sidebar_current: docs-platform-k8s-ops-tls-on-existing-cluster +description: Configuring TLS on an existing Consul cluster running in Kubernetes --- # Configuring TLS on an Existing Cluster diff --git a/website/pages/docs/platform/k8s/uninstalling.html.md b/website/pages/docs/platform/k8s/uninstalling.mdx similarity index 89% rename from website/pages/docs/platform/k8s/uninstalling.html.md rename to website/pages/docs/platform/k8s/uninstalling.mdx index c4345bf8d1..b5c1beab0e 100644 --- a/website/pages/docs/platform/k8s/uninstalling.html.md +++ b/website/pages/docs/platform/k8s/uninstalling.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Uninstalling' -sidebar_current: 'docs-platform-k8s-ops-uninstalling' -description: |- - Uninstalling Consul on Kubernetes +layout: docs +page_title: Uninstalling +sidebar_current: docs-platform-k8s-ops-uninstalling +description: Uninstalling Consul on Kubernetes --- # Uninstalling Consul diff --git a/website/pages/docs/platform/k8s/upgrading.html.md b/website/pages/docs/platform/k8s/upgrading.mdx similarity index 94% rename from website/pages/docs/platform/k8s/upgrading.html.md rename to website/pages/docs/platform/k8s/upgrading.mdx index b768f7aeea..8cd440f1b8 100644 --- a/website/pages/docs/platform/k8s/upgrading.html.md +++ b/website/pages/docs/platform/k8s/upgrading.mdx @@ -1,9 +1,8 @@ --- -layout: 'docs' -page_title: 'Upgrading' -sidebar_current: 'docs-platform-k8s-ops-upgrading' -description: |- - Upgrading Consul on Kubernetes +layout: docs +page_title: Upgrading +sidebar_current: docs-platform-k8s-ops-upgrading +description: Upgrading Consul on Kubernetes --- # Upgrading Consul on Kubernetes diff --git a/website/pages/docs/upgrade-specific.html.md b/website/pages/docs/upgrade-specific.mdx similarity index 99% rename from website/pages/docs/upgrade-specific.html.md rename to website/pages/docs/upgrade-specific.mdx index b48854fc95..bb6f67e1a1 100644 --- a/website/pages/docs/upgrade-specific.html.md +++ b/website/pages/docs/upgrade-specific.mdx @@ -1,9 +1,10 @@ --- -layout: 'docs' -page_title: 'Upgrading Specific Versions' -sidebar_current: 'docs-upgrading-specific' -description: |- - Specific versions of Consul may have additional information about the upgrade process beyond the standard flow. +layout: docs +page_title: Upgrading Specific Versions +sidebar_current: docs-upgrading-specific +description: >- + Specific versions of Consul may have additional information about the upgrade + process beyond the standard flow. --- # Upgrading Specific Versions diff --git a/website/pages/docs/upgrading.html.md b/website/pages/docs/upgrading.mdx similarity index 94% rename from website/pages/docs/upgrading.html.md rename to website/pages/docs/upgrading.mdx index 5f12fb3748..700a3c3cda 100644 --- a/website/pages/docs/upgrading.html.md +++ b/website/pages/docs/upgrading.mdx @@ -1,9 +1,12 @@ --- -layout: 'docs' -page_title: 'Upgrading Consul' -sidebar_current: 'docs-upgrading-upgrading' -description: |- - Consul is meant to be a long-running agent on any nodes participating in a Consul cluster. These nodes consistently communicate with each other. As such, protocol level compatibility and ease of upgrades is an important thing to keep in mind when using Consul. +layout: docs +page_title: Upgrading Consul +sidebar_current: docs-upgrading-upgrading +description: >- + Consul is meant to be a long-running agent on any nodes participating in a + Consul cluster. These nodes consistently communicate with each other. As such, + protocol level compatibility and ease of upgrades is an important thing to + keep in mind when using Consul. --- # Upgrading Consul diff --git a/website/pages/intro/getting-started.html.md b/website/pages/intro/getting-started.mdx similarity index 82% rename from website/pages/intro/getting-started.html.md rename to website/pages/intro/getting-started.mdx index 9b453b4b3b..bfd4406fa6 100644 --- a/website/pages/intro/getting-started.html.md +++ b/website/pages/intro/getting-started.mdx @@ -1,9 +1,11 @@ --- -layout: 'intro' -page_title: 'Getting Started' -sidebar_current: 'start' -description: |- - Welcome to the intro guide to Consul! This guide is the best place to start with Consul. +layout: intro +page_title: Getting Started +sidebar_title: 'Getting Started' +sidebar_current: start +description: >- + Welcome to the intro guide to Consul! This guide is the best place to start + with Consul. --- # Getting Started diff --git a/website/pages/intro/getting-started/agent.html.md b/website/pages/intro/getting-started/agent.mdx similarity index 95% rename from website/pages/intro/getting-started/agent.html.md rename to website/pages/intro/getting-started/agent.mdx index 00813bb02d..38df234945 100644 --- a/website/pages/intro/getting-started/agent.html.md +++ b/website/pages/intro/getting-started/agent.mdx @@ -1,12 +1,12 @@ --- -layout: 'intro' -page_title: 'Run the Agent' -sidebar_current: 'gettingstarted-agent' +layout: intro +page_title: Run the Agent +sidebar_current: gettingstarted-agent description: > - The Consul agent can run in either server or client mode. Each datacenter - must have at least one server, though a cluster of 3 or 5 servers is - recommended. A single server deployment is highly discouraged in production - as data loss is inevitable in a failure scenario. + The Consul agent can run in either server or client mode. Each datacenter must + have at least one server, though a cluster of 3 or 5 servers is recommended. A + single server deployment is highly discouraged in production as data loss is + inevitable in a failure scenario. --- # Run the Consul Agent diff --git a/website/pages/intro/getting-started/checks.html.md b/website/pages/intro/getting-started/checks.mdx similarity index 92% rename from website/pages/intro/getting-started/checks.html.md rename to website/pages/intro/getting-started/checks.mdx index 40fb7c6910..42f4a058a8 100644 --- a/website/pages/intro/getting-started/checks.html.md +++ b/website/pages/intro/getting-started/checks.mdx @@ -1,9 +1,12 @@ --- -layout: 'intro' -page_title: 'Registering Health Checks' -sidebar_current: 'gettingstarted-checks' -description: |- - We've now seen how simple it is to run Consul, add nodes and services, and query those nodes and services. In this step, we will continue our tour by adding health checks to both nodes and services. Health checks are a critical component of service discovery that prevent using services that are unhealthy. +layout: intro +page_title: Registering Health Checks +sidebar_current: gettingstarted-checks +description: >- + We've now seen how simple it is to run Consul, add nodes and services, and + query those nodes and services. In this step, we will continue our tour by + adding health checks to both nodes and services. Health checks are a critical + component of service discovery that prevent using services that are unhealthy. --- # Health Checks diff --git a/website/pages/intro/getting-started/connect.html.md b/website/pages/intro/getting-started/connect.mdx similarity index 96% rename from website/pages/intro/getting-started/connect.html.md rename to website/pages/intro/getting-started/connect.mdx index 9d7714d964..d48dfd768a 100644 --- a/website/pages/intro/getting-started/connect.html.md +++ b/website/pages/intro/getting-started/connect.mdx @@ -1,9 +1,12 @@ --- -layout: 'intro' -page_title: 'Consul Connect' -sidebar_current: 'gettingstarted-connect' -description: |- - Connect is a feature of Consul that provides service-to-service connection authorization and encryption using mutual TLS. This ensures that all service communication in your datacenter is encrypted and that the rules of what services can communicate is centrally managed with Consul. +layout: intro +page_title: Consul Connect +sidebar_current: gettingstarted-connect +description: >- + Connect is a feature of Consul that provides service-to-service connection + authorization and encryption using mutual TLS. This ensures that all service + communication in your datacenter is encrypted and that the rules of what + services can communicate is centrally managed with Consul. --- # Connect diff --git a/website/pages/intro/getting-started/install.html.md b/website/pages/intro/getting-started/install.mdx similarity index 86% rename from website/pages/intro/getting-started/install.html.md rename to website/pages/intro/getting-started/install.mdx index 25aabf4a31..bd98a33543 100644 --- a/website/pages/intro/getting-started/install.html.md +++ b/website/pages/intro/getting-started/install.mdx @@ -1,9 +1,12 @@ --- -layout: 'intro' -page_title: 'Installing Consul' -sidebar_current: 'gettingstarted-install' -description: |- - Consul must first be installed on every node that will be a member of the Consul cluster. To make installation easy, Consul is distributed as a binary package for all supported platforms and architectures. This page will not cover how to compile Consul from source. +layout: intro +page_title: Installing Consul +sidebar_current: gettingstarted-install +description: >- + Consul must first be installed on every node that will be a member of the + Consul cluster. To make installation easy, Consul is distributed as a binary + package for all supported platforms and architectures. This page will not + cover how to compile Consul from source. --- # Install Consul diff --git a/website/pages/intro/getting-started/join.html.md b/website/pages/intro/getting-started/join.mdx similarity index 99% rename from website/pages/intro/getting-started/join.html.md rename to website/pages/intro/getting-started/join.mdx index 778c97956e..499cb9a755 100644 --- a/website/pages/intro/getting-started/join.html.md +++ b/website/pages/intro/getting-started/join.mdx @@ -1,7 +1,7 @@ --- -layout: 'intro' -page_title: 'Consul Cluster' -sidebar_current: 'gettingstarted-join' +layout: intro +page_title: Consul Cluster +sidebar_current: gettingstarted-join description: > When a Consul agent is started, it begins as an isolated cluster of its own. To learn about other cluster members, the agent must join one or more other diff --git a/website/pages/intro/getting-started/kv.html.md b/website/pages/intro/getting-started/kv.mdx similarity index 92% rename from website/pages/intro/getting-started/kv.html.md rename to website/pages/intro/getting-started/kv.mdx index 622565e874..98ac5fccac 100644 --- a/website/pages/intro/getting-started/kv.html.md +++ b/website/pages/intro/getting-started/kv.mdx @@ -1,9 +1,12 @@ --- -layout: 'intro' -page_title: 'KV Data' -sidebar_current: 'gettingstarted-kv' -description: |- - In addition to providing service discovery and integrated health checking, Consul provides an easy to use KV store. This can be used to hold dynamic configuration, assist in service coordination, build leader election, and enable anything else a developer can think to build. +layout: intro +page_title: KV Data +sidebar_current: gettingstarted-kv +description: >- + In addition to providing service discovery and integrated health checking, + Consul provides an easy to use KV store. This can be used to hold dynamic + configuration, assist in service coordination, build leader election, and + enable anything else a developer can think to build. --- # KV Data diff --git a/website/pages/intro/getting-started/next-steps.html.md b/website/pages/intro/getting-started/next-steps.mdx similarity index 81% rename from website/pages/intro/getting-started/next-steps.html.md rename to website/pages/intro/getting-started/next-steps.mdx index e1e0920c22..c1278ef198 100644 --- a/website/pages/intro/getting-started/next-steps.html.md +++ b/website/pages/intro/getting-started/next-steps.mdx @@ -1,9 +1,11 @@ --- -layout: 'intro' -page_title: 'Next Steps' -sidebar_current: 'gettingstarted-nextsteps' -description: |- - That concludes the getting started guide for Consul. Hopefully you're able to see that while Consul is simple to use, it has a powerful set of features. We've covered the basics for all of these features in this guide. +layout: intro +page_title: Next Steps +sidebar_current: gettingstarted-nextsteps +description: >- + That concludes the getting started guide for Consul. Hopefully you're able to + see that while Consul is simple to use, it has a powerful set of features. + We've covered the basics for all of these features in this guide. --- # Next Steps diff --git a/website/pages/intro/getting-started/services.html.md b/website/pages/intro/getting-started/services.mdx similarity index 95% rename from website/pages/intro/getting-started/services.html.md rename to website/pages/intro/getting-started/services.mdx index eb59fdf70d..145d07d7c1 100644 --- a/website/pages/intro/getting-started/services.html.md +++ b/website/pages/intro/getting-started/services.mdx @@ -1,12 +1,12 @@ --- -layout: 'intro' -page_title: 'Registering Services' -sidebar_current: 'gettingstarted-services' +layout: intro +page_title: Registering Services +sidebar_current: gettingstarted-services description: > A service can be registered either by providing a service definition or by - making the appropriate calls to the HTTP API. A configuration file is the - most common, so we will use this approach to register a service, and then - query that service using the REST API and DNS interfaces. + making the appropriate calls to the HTTP API. A configuration file is the most + common, so we will use this approach to register a service, and then query + that service using the REST API and DNS interfaces. --- # Registering Services diff --git a/website/pages/intro/getting-started/ui.html.md b/website/pages/intro/getting-started/ui.mdx similarity index 74% rename from website/pages/intro/getting-started/ui.html.md rename to website/pages/intro/getting-started/ui.mdx index 2e8b318ee2..86f79bc3eb 100644 --- a/website/pages/intro/getting-started/ui.html.md +++ b/website/pages/intro/getting-started/ui.mdx @@ -1,9 +1,12 @@ --- -layout: 'intro' -page_title: 'Web UI' -sidebar_current: 'gettingstarted-ui' -description: |- - Consul comes with support for beautiful, functional web UIs out of the box. UIs can be used for viewing all services and nodes, for viewing all health checks and their current status, and for reading and setting key/value data. The UIs automatically supports multi-datacenter. +layout: intro +page_title: Web UI +sidebar_current: gettingstarted-ui +description: >- + Consul comes with support for beautiful, functional web UIs out of the box. + UIs can be used for viewing all services and nodes, for viewing all health + checks and their current status, and for reading and setting key/value data. + The UIs automatically supports multi-datacenter. --- # Consul Web UI diff --git a/website/pages/intro/index.html.md b/website/pages/intro/index.mdx similarity index 89% rename from website/pages/intro/index.html.md rename to website/pages/intro/index.mdx index 37c1ea44dd..15a397addf 100644 --- a/website/pages/intro/index.html.md +++ b/website/pages/intro/index.mdx @@ -1,9 +1,14 @@ --- -layout: 'intro' -page_title: 'Introduction' -sidebar_current: 'what' -description: |- - Welcome to the intro guide to Consul! This guide is the best place to start with Consul. We cover what Consul is, what problems it can solve, how it compares to existing software, and how you can get started using it. If you are familiar with the basics of Consul, the documentation provides a more detailed reference of available features. +layout: intro +page_title: Introduction +sidebar_title: 'What is Consul?' +sidebar_current: what +description: >- + Welcome to the intro guide to Consul! This guide is the best place to start + with Consul. We cover what Consul is, what problems it can solve, how it + compares to existing software, and how you can get started using it. If you + are familiar with the basics of Consul, the documentation provides a more + detailed reference of available features. --- # Introduction to Consul @@ -26,7 +31,13 @@ supports 3rd party proxy integrations such as Envoy. Review the video below to learn more about Consul from HashiCorp's co-founder Armon. - + The key features of Consul are: diff --git a/website/pages/intro/vs/chef-puppet.html.md b/website/pages/intro/vs/chef-puppet.mdx similarity index 88% rename from website/pages/intro/vs/chef-puppet.html.md rename to website/pages/intro/vs/chef-puppet.mdx index 3cc9ec6d25..35014c2a2b 100644 --- a/website/pages/intro/vs/chef-puppet.html.md +++ b/website/pages/intro/vs/chef-puppet.mdx @@ -1,9 +1,13 @@ --- -layout: 'intro' +layout: intro page_title: 'Consul vs. Chef, Puppet, etc.' -sidebar_current: 'vs-other-chef' -description: |- - It is not uncommon to find people using Chef, Puppet, and other configuration management tools to build service discovery mechanisms. This is usually done by querying global state to construct configuration files on each node during a periodic convergence run. +sidebar_title: 'Chef, Puppet, etc.' +sidebar_current: vs-other-chef +description: >- + It is not uncommon to find people using Chef, Puppet, and other configuration + management tools to build service discovery mechanisms. This is usually done + by querying global state to construct configuration files on each node during + a periodic convergence run. --- # Consul vs. Chef, Puppet, etc. diff --git a/website/pages/intro/vs/custom.html.md b/website/pages/intro/vs/custom.mdx similarity index 62% rename from website/pages/intro/vs/custom.html.md rename to website/pages/intro/vs/custom.mdx index 6d7778d12d..2aa8e824c6 100644 --- a/website/pages/intro/vs/custom.html.md +++ b/website/pages/intro/vs/custom.mdx @@ -1,9 +1,18 @@ --- -layout: 'intro' -page_title: 'Consul vs. Custom Solutions' -sidebar_current: 'vs-other-custom' -description: |- - As a codebase grows, a monolithic app often evolves into a Service Oriented Architecture (SOA). A universal pain point for SOA is service discovery and configuration. In many cases, this leads to organizations building home grown solutions. It is an undisputed fact that distributed systems are hard; building one is error-prone and time-consuming. Most systems cut corners by introducing single points of failure such as a single Redis or RDBMS to maintain cluster state. These solutions may work in the short term, but they are rarely fault tolerant or scalable. Besides these limitations, they require time and resources to build and maintain. +layout: intro +page_title: Consul vs. Custom Solutions +sidebar_title: 'Custom Solutions' +sidebar_current: vs-other-custom +description: >- + As a codebase grows, a monolithic app often evolves into a Service Oriented + Architecture (SOA). A universal pain point for SOA is service discovery and + configuration. In many cases, this leads to organizations building home grown + solutions. It is an undisputed fact that distributed systems are hard; + building one is error-prone and time-consuming. Most systems cut corners by + introducing single points of failure such as a single Redis or RDBMS to + maintain cluster state. These solutions may work in the short term, but they + are rarely fault tolerant or scalable. Besides these limitations, they require + time and resources to build and maintain. --- # Consul vs. Custom Solutions diff --git a/website/pages/intro/vs/eureka.html.md b/website/pages/intro/vs/eureka.mdx similarity index 89% rename from website/pages/intro/vs/eureka.html.md rename to website/pages/intro/vs/eureka.mdx index 60fa60c7ec..6208015664 100644 --- a/website/pages/intro/vs/eureka.html.md +++ b/website/pages/intro/vs/eureka.mdx @@ -1,9 +1,13 @@ --- -layout: 'intro' -page_title: 'Consul vs. Eureka' -sidebar_current: 'vs-other-eureka' -description: |- - Eureka is a service discovery tool that provides a best effort registry and discovery service. It uses central servers and clients which are typically natively integrated with SDKs. Consul provides a super set of features, such as health checking, key/value storage, ACLs, and multi-datacenter awareness. +layout: intro +page_title: Consul vs. Eureka +sidebar_title: 'Eureka' +sidebar_current: vs-other-eureka +description: >- + Eureka is a service discovery tool that provides a best effort registry and + discovery service. It uses central servers and clients which are typically + natively integrated with SDKs. Consul provides a super set of features, such + as health checking, key/value storage, ACLs, and multi-datacenter awareness. --- # Consul vs. Eureka diff --git a/website/pages/intro/vs/index.html.md b/website/pages/intro/vs/index.mdx similarity index 63% rename from website/pages/intro/vs/index.html.md rename to website/pages/intro/vs/index.mdx index e834b09fcd..c7f7cbb015 100644 --- a/website/pages/intro/vs/index.html.md +++ b/website/pages/intro/vs/index.mdx @@ -1,9 +1,13 @@ --- -layout: 'intro' -page_title: 'Consul vs. Other Software' -sidebar_current: 'vs-other' -description: |- - The problems Consul solves are varied, but each individual feature has been solved by many different systems. Although there is no single system that provides all the features of Consul, there are other options available to solve some of these problems. +layout: intro +page_title: Consul vs. Other Software +sidebar_title: 'Consul vs. Other Software' +sidebar_current: vs-other +description: >- + The problems Consul solves are varied, but each individual feature has been + solved by many different systems. Although there is no single system that + provides all the features of Consul, there are other options available to + solve some of these problems. --- # Consul vs. Other Software diff --git a/website/pages/intro/vs/istio.html.md b/website/pages/intro/vs/istio.mdx similarity index 95% rename from website/pages/intro/vs/istio.html.md rename to website/pages/intro/vs/istio.mdx index fcdd401fbb..ffdf3b7201 100644 --- a/website/pages/intro/vs/istio.html.md +++ b/website/pages/intro/vs/istio.mdx @@ -1,9 +1,11 @@ --- -layout: 'intro' -page_title: 'Consul vs. Istio' -sidebar_current: 'vs-other-istio' -description: |- - Istio is a platform for connecting and securing microservices. This page describes the similarities and differences between Istio and Consul. +layout: intro +page_title: Consul vs. Istio +sidebar_title: 'Istio' +sidebar_current: vs-other-istio +description: >- + Istio is a platform for connecting and securing microservices. This page + describes the similarities and differences between Istio and Consul. --- # Consul vs. Istio diff --git a/website/pages/intro/vs/nagios-sensu.html.md b/website/pages/intro/vs/nagios-sensu.mdx similarity index 94% rename from website/pages/intro/vs/nagios-sensu.html.md rename to website/pages/intro/vs/nagios-sensu.mdx index d63e2261eb..27d1eea125 100644 --- a/website/pages/intro/vs/nagios-sensu.html.md +++ b/website/pages/intro/vs/nagios-sensu.mdx @@ -1,9 +1,11 @@ --- -layout: 'intro' +layout: intro page_title: 'Consul vs. Nagios, Sensu' -sidebar_current: 'vs-other-nagios-sensu' -description: |- - Nagios and Sensu are both tools built for monitoring. They are used to quickly notify operators when an issue occurs. +sidebar_title: 'Nagios, Sensu' +sidebar_current: vs-other-nagios-sensu +description: >- + Nagios and Sensu are both tools built for monitoring. They are used to quickly + notify operators when an issue occurs. --- # Consul vs. Nagios, Sensu diff --git a/website/pages/intro/vs/proxies.html.md b/website/pages/intro/vs/proxies.mdx similarity index 89% rename from website/pages/intro/vs/proxies.html.md rename to website/pages/intro/vs/proxies.mdx index 3aad4d3996..c3c2968a30 100644 --- a/website/pages/intro/vs/proxies.html.md +++ b/website/pages/intro/vs/proxies.mdx @@ -1,9 +1,13 @@ --- -layout: 'intro' -page_title: 'Consul vs. Envoy and Other Proxies' -sidebar_current: 'vs-other-proxies' -description: |- - Modern service proxies provide high-level service routing, authentication, telemetry, and more for microservice and cloud environments. Envoy is a popular and feature rich proxy. This page describes how Consul relates to proxies such as Envoy. +layout: intro +page_title: Consul vs. Envoy and Other Proxies +sidebar_title: 'Envoy and Other Proxies' +sidebar_current: vs-other-proxies +description: >- + Modern service proxies provide high-level service routing, authentication, + telemetry, and more for microservice and cloud environments. Envoy is a + popular and feature rich proxy. This page describes how Consul relates to + proxies such as Envoy. --- # Consul vs. Envoy and Other Proxies diff --git a/website/pages/intro/vs/serf.html.md b/website/pages/intro/vs/serf.mdx similarity index 82% rename from website/pages/intro/vs/serf.html.md rename to website/pages/intro/vs/serf.mdx index 163c26d9d7..89d453e35f 100644 --- a/website/pages/intro/vs/serf.html.md +++ b/website/pages/intro/vs/serf.mdx @@ -1,9 +1,16 @@ --- -layout: 'intro' -page_title: 'Consul vs. Serf' -sidebar_current: 'vs-other-serf' -description: |- - Serf is a node discovery and orchestration tool and is the only tool discussed so far that is built on an eventually-consistent gossip model with no centralized servers. It provides a number of features, including group membership, failure detection, event broadcasts, and a query mechanism. However, Serf does not provide any high-level features such as service discovery, health checking or key/value storage. Consul is a complete system providing all of those features. +layout: intro +page_title: Consul vs. Serf +sidebar_title: 'Serf' +sidebar_current: vs-other-serf +description: >- + Serf is a node discovery and orchestration tool and is the only tool discussed + so far that is built on an eventually-consistent gossip model with no + centralized servers. It provides a number of features, including group + membership, failure detection, event broadcasts, and a query mechanism. + However, Serf does not provide any high-level features such as service + discovery, health checking or key/value storage. Consul is a complete system + providing all of those features. --- # Consul vs. Serf diff --git a/website/pages/intro/vs/skydns.html.md b/website/pages/intro/vs/skydns.mdx similarity index 86% rename from website/pages/intro/vs/skydns.html.md rename to website/pages/intro/vs/skydns.mdx index 44c193da75..1bc1cc8b74 100644 --- a/website/pages/intro/vs/skydns.html.md +++ b/website/pages/intro/vs/skydns.mdx @@ -1,9 +1,13 @@ --- -layout: 'intro' -page_title: 'Consul vs. SkyDNS' -sidebar_current: 'vs-other-skydns' -description: |- - SkyDNS is a tool designed to provide service discovery. It uses multiple central servers that are strongly-consistent and fault-tolerant. Nodes register services using an HTTP API, and queries can be made over HTTP or DNS to perform discovery. +layout: intro +page_title: Consul vs. SkyDNS +sidebar_title: 'SkyDNS' +sidebar_current: vs-other-skydns +description: >- + SkyDNS is a tool designed to provide service discovery. It uses multiple + central servers that are strongly-consistent and fault-tolerant. Nodes + register services using an HTTP API, and queries can be made over HTTP or DNS + to perform discovery. --- # Consul vs. SkyDNS diff --git a/website/pages/intro/vs/smartstack.html.md b/website/pages/intro/vs/smartstack.mdx similarity index 81% rename from website/pages/intro/vs/smartstack.html.md rename to website/pages/intro/vs/smartstack.mdx index 4b8d8a3460..080d70e8b4 100644 --- a/website/pages/intro/vs/smartstack.html.md +++ b/website/pages/intro/vs/smartstack.mdx @@ -1,9 +1,18 @@ --- -layout: 'intro' -page_title: 'Consul vs. SmartStack' -sidebar_current: 'vs-other-smartstack' -description: |- - SmartStack is a tool which tackles the service discovery problem. It has a rather unique architecture and has 4 major components: ZooKeeper, HAProxy, Synapse, and Nerve. The ZooKeeper servers are responsible for storing cluster state in a consistent and fault-tolerant manner. Each node in the SmartStack cluster then runs both Nerves and Synapses. The Nerve is responsible for running health checks against a service and registering with the ZooKeeper servers. Synapse queries ZooKeeper for service providers and dynamically configures HAProxy. Finally, clients speak to HAProxy, which does health checking and load balancing across service providers. +layout: intro +page_title: Consul vs. SmartStack +sidebar_title: 'SmartStack' +sidebar_current: vs-other-smartstack +description: >- + SmartStack is a tool which tackles the service discovery problem. It has a + rather unique architecture and has 4 major components: ZooKeeper, HAProxy, + Synapse, and Nerve. The ZooKeeper servers are responsible for storing cluster + state in a consistent and fault-tolerant manner. Each node in the SmartStack + cluster then runs both Nerves and Synapses. The Nerve is responsible for + running health checks against a service and registering with the ZooKeeper + servers. Synapse queries ZooKeeper for service providers and dynamically + configures HAProxy. Finally, clients speak to HAProxy, which does health + checking and load balancing across service providers. --- # Consul vs. SmartStack diff --git a/website/pages/intro/vs/zookeeper.html.md b/website/pages/intro/vs/zookeeper.mdx similarity index 91% rename from website/pages/intro/vs/zookeeper.html.md rename to website/pages/intro/vs/zookeeper.mdx index db368c3964..46a49981b7 100644 --- a/website/pages/intro/vs/zookeeper.html.md +++ b/website/pages/intro/vs/zookeeper.mdx @@ -1,9 +1,14 @@ --- -layout: 'intro' +layout: intro page_title: 'Consul vs. ZooKeeper, doozerd, etcd' -sidebar_current: 'vs-other-zk' -description: |- - ZooKeeper, doozerd, and etcd are all similar in their architecture. All three have server nodes that require a quorum of nodes to operate (usually a simple majority). They are strongly-consistent and expose various primitives that can be used through client libraries within applications to build complex distributed systems. +sidebar_title: 'ZooKeeper, doozerd, etcd' +sidebar_current: vs-other-zk +description: >- + ZooKeeper, doozerd, and etcd are all similar in their architecture. All three + have server nodes that require a quorum of nodes to operate (usually a simple + majority). They are strongly-consistent and expose various primitives that can + be used through client libraries within applications to build complex + distributed systems. --- # Consul vs. ZooKeeper, doozerd, etcd diff --git a/website/pages/docs/commands/_http_api_namespace_options.html.md b/website/pages/partials/http_api_namespace_options.mdx similarity index 100% rename from website/pages/docs/commands/_http_api_namespace_options.html.md rename to website/pages/partials/http_api_namespace_options.mdx diff --git a/website/pages/docs/commands/_http_api_options_client.html.md b/website/pages/partials/http_api_options_client.mdx similarity index 100% rename from website/pages/docs/commands/_http_api_options_client.html.md rename to website/pages/partials/http_api_options_client.mdx diff --git a/website/pages/docs/commands/_http_api_options_server.html.md b/website/pages/partials/http_api_options_server.mdx similarity index 100% rename from website/pages/docs/commands/_http_api_options_server.html.md rename to website/pages/partials/http_api_options_server.mdx diff --git a/website/raw-assets/README b/website/raw-assets/README new file mode 100644 index 0000000000..c8d862c814 --- /dev/null +++ b/website/raw-assets/README @@ -0,0 +1,3 @@ +The files in this directory are source material for files in the source/assets directory. + +Files that end in *.fig are usable in: https://www.figma.com \ No newline at end of file diff --git a/website/raw-assets/auth-methods.fig b/website/raw-assets/auth-methods.fig new file mode 100644 index 0000000000..05b596433a Binary files /dev/null and b/website/raw-assets/auth-methods.fig differ diff --git a/website/raw-assets/l7-traffic-stages.fig b/website/raw-assets/l7-traffic-stages.fig new file mode 100644 index 0000000000..7907af8e2b Binary files /dev/null and b/website/raw-assets/l7-traffic-stages.fig differ diff --git a/website/scripts/_temp_rename.sh b/website/scripts/_temp_rename.sh index 5c5f766178..7cb2882abc 100644 --- a/website/scripts/_temp_rename.sh +++ b/website/scripts/_temp_rename.sh @@ -6,4 +6,5 @@ find $1 -name "*.html.md" -exec rename 's/\.html.md$/.mdx/' '{}' \; find $1 -name "*.html.markdown" -exec rename 's/\.html.markdown$/.mdx/' '{}' \; find $1 -name "*.html.md.erb" -exec rename 's/\.html.md.erb$/.mdx/' '{}' \; +find $1 -name "*.html.markdown.erb" -exec rename 's/\.html.markdown.erb$/.mdx/' '{}' \; find $1 -name "*.md" -exec rename 's/\.md$/.mdx/' '{}' \; diff --git a/website/scripts/changelog.md b/website/scripts/changelog.md index f230cb4cd2..777b62a795 100644 --- a/website/scripts/changelog.md +++ b/website/scripts/changelog.md @@ -1,27 +1,10 @@ # changes -- `/intro/getting-started/install` redirects to `/intro/getting-started` -- `/guides/hcl` folders with only index changed to named individual files -- `/docs/install/index.html` to `docs/install.html` -- `/docs/other` dumped to root -- `/docs/basics/terminology` -> `/docs/terminology` -- `/docs/configuration/from-1.5` -> `/docs/from-1.5` -- `/docs/from-1.5/functions.html` -> `/docs/from-1.5/functions/index.html` -- [BREAKING] `/docs/from-1.5/functions/collection/index.html` -> `/docs/from-1.5/functions/collection/index-fn.html` -- `/docs/from-1.5/functions/*/overview.html` -> `/docs/from-1.5/functions/*/index.html` -- `/docs/builders/amazon-*` -> `/docs/builders/amazon/*` -- `/docs/builders/azure-*` -> `/docs/builders/azure/*` -- `/docs/builders/hyperv-*` -> `/docs/builders/hyperv/*` -- `/docs/builders/oracle-*` -> `/docs/builders/oracle/*` -- `/docs/builders/osc-*` -> `/docs/builders/outscale/*` -- `/docs/builders/outscale.html` -> `/docs/builders/outscale/index.html` -- `/docs/builders/parallels-*` -> `/docs/builders/parallels/*` -- `/docs/builders/virtualbox-*` -> `/docs/builders/virtualbox/*` -- `/docs/builders/vmware-*` -> `/docs/builders/vmware/*` -- `/docs/builders/vsphere-*` -> `/docs/builders/vmware/vsphere-*` +- docs/commands partials moved to /partials +- index page added at /api/features (TODO: fix, placeholder) +- api/acl/acl.html -> api/acl/index.html \* +- api/agent.html -> api/agent/index.html \* +- api/connect.html -> api/connect/index.html \* +- api/operator.html -> api/operator/index.html \* -# notes: - -- empty index files on all `from-1.5/functions/*` -- how do the generated docs work? can we keep it even with changes? -- should any of the other builders be nested under a subdirectory? like `alicloud-ecs`, `tencent-cvm` or `ucloud-uhost`? +* = add redirect pending