website: address feedback

Mitchell Hashimoto 2018-06-06 11:44:10 -07:00 committed by Jack Pearkes
parent 85d6502ab3
commit 6ea59241d1
2 changed files with 13 additions and 6 deletions

@ -19,13 +19,19 @@ can easily integrate with Connect. There is no custom protocol in use;
any language that supports TLS can accept and establish Connect-based
connections.
We currently provide an easy-to-use [Go integration](/docs/connect/native/go.html)
to assist with the getting the proper certificates, verifying connections,
etc. We plan to add helper libraries for other languages in the future.
However, without library support, it is still possible for any major language
to integrate with Connect.
## Overview
The primary work involved in natively integrating with Connect is
[acquiring the proper TLS certificate](/api/agent/connect.html#service-leaf-certificate),
[verifying TLS certificates](/api/agent/connect.html#certificate-authority-ca-roots),
and [authorizing inbound connections](/api/agent/connect.html#authorize).
All of this is done using Consul's HTTP API using the previously-linked APIs.
All of this is done using the Consul HTTP APIs linked above.
An overview of the sequence is shown below. The diagram and the following
details may seem complex, but this is a _regular mutual TLS connection_ with
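Review bot: The added sentence "to assist with the getting the proper certificates, verifying connections, etc." has a stray "the" and trails off in "etc."; suggest "to assist with getting the proper certificates, verifying connections, and authorizing inbound connections", which lines up with the three tasks the Overview paragraph lists. The closing sentence about integrating without library support would also be clearer if it said that such an integration has to perform all three of those tasks through the HTTP API, so a reader does not take certificate acquisition alone as sufficient.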

@ -66,7 +66,8 @@ func main() {
The first step is to create a Consul API client. This is almost always the
default configuration with an ACL token set, since you want to communicate
to the local agent. The Go library will use this client to request certificates,
to the local agent. The default configuration will also read the ACL token
from environment variables if set. The Go library will use this client to request certificates,
authorize connections, and more.
Next, `connect.NewService` is called to create a service structure representing
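Review bot: In the added lines, "The default configuration will also read the ACL token from environment variables if set" does not name the variable, and it follows "default configuration with an ACL token set", which reads as if the token were set in code. Suggest naming the environment variable and saying which source wins when a token is supplied both ways, since the token decides what this client may request from the agent. The second added line is also far longer than the wrapped text around it and should be rewrapped.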
@ -77,8 +78,8 @@ create one service and reuse that one service for all servers and clients.
Finally, a standard `*http.Server` is created. The magic line is the `TLSConfig`
value. This is set to a TLS configuration returned by the service structure.
This TLS configuration is configured to automatically load certificates
in the background, cache them, and authorize inbound connections. This
also automatically handles maintaining blocking queries to update certificates
in the background, cache them, and authorize inbound connections. The service
structure automatically handles maintaining blocking queries to update certificates
in the background if they change.
Since the service returns a standard `*tls.Config`, _any_ server that supports
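Review bot: With the new wording the paragraph says "in the background" in two consecutive sentences ("automatically load certificates in the background" and "update certificates in the background if they change") and repeats "automatically" as well. Suggest tightening the changed sentence to something like "The service structure maintains blocking queries so that certificates are updated when they change." Naming the service structure as the subject is an improvement over "This also", so keep that part.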
@ -151,7 +152,7 @@ Next, we call `svc.HTTPClient()` to return a specially configured
`*http.Client`. This client will automatically established Connect-based
connections using Consul service discovery.
Finally, we perform an HTTP `GET` request to a hypothetical user service.
Finally, we perform an HTTP `GET` request to a hypothetical userinfo service.
The HTTP client configuration automatically sends the correct client
certificate, verifies the server certificate, and manages background
goroutines for updating our certificates as necessary.
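Review bot: The context line at the top of this hunk still reads "This client will automatically established Connect-based connections"; since the paragraph is being touched anyway, fix it to "automatically establish". For the rename from "user service" to "userinfo service", please confirm the request in the code example above this paragraph uses the same service name, which is not visible in this hunk.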