mirror of https://github.com/status-im/consul.git
updated configuration entry params for admin partitions 1.11
This commit is contained in:
parent
bd011ab7b6
commit
85e86bd316
|
@ -8,21 +8,162 @@ description: >-
|
|||
|
||||
# Ingress Gateway
|
||||
|
||||
-> **v1.8.4+:** On Kubernetes, the `IngressGateway` custom resource is supported in Consul versions 1.8.4+.<br />
|
||||
**v1.8.0+:** On other platforms, this config entry is supported in Consul versions 1.8.0+.
|
||||
This topic provides reference information for the `ingress-gateway` configuration entry.
|
||||
|
||||
The `ingress-gateway` config entry kind (`IngressGateway` on Kubernetes) allows you to configure ingress gateways
|
||||
with listeners that expose a set of services outside the Consul service mesh.
|
||||
## Introduction
|
||||
|
||||
You can define an `ingress-gateway` configuration entry to connect the Consul service mesh to a set of external services. The specification for ingress gateways include a `listeners` configuration, which exposes the service mesh to the external services. Use camel case (`IngressGateway`) to declare an ingress gateway configuration entry on Kubernetes.
|
||||
|
||||
Refer to the [Kubernetes Ingress Gateway](/docs/k8s/connect/ingress-gateways) documentation for information about configuring ingress gateways on Kubernetes.
|
||||
|
||||
For Kubernetes, see [Kubernetes Ingress Gateway](/docs/k8s/connect/ingress-gateways) for more information.
|
||||
For other platforms, see [Ingress Gateway](/docs/connect/ingress-gateway).
|
||||
|
||||
~> **Note:** [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
|
||||
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
|
||||
sets of services within their datacenter then the ingress gateways **must** be registered with different names.<br />
|
||||
See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
|
||||
## Requirements
|
||||
|
||||
## Wildcard service specification
|
||||
* Consul versions 1.8.4+ is required to use the `IngressGateway` custom resource on Kubernetes.
|
||||
* Consul versions 1.8.0+ is required to use the `ingress-gateway` custom resource on all other platforms.
|
||||
|
||||
## Usage
|
||||
|
||||
1. Verify that your datacenter meets the conditions specified in the [Requirements](#requirements).
|
||||
1. Specify the `ingress-gateway` (`IngressGateway`) configuration in the agent configuration file (see [config_entries](/docs/agent/options#config_entries)) as described in [Configuration](#configuration).
|
||||
1. Apply the configuration using one of the following methods:
|
||||
* Kubernetes CRD: Refer to the [Custom Resource Definitions](/docs/k8s/crds) documentation for details.
|
||||
* Issue the `consul config write` command: Refer to the [Consul Config Write](/commands/config/write) documentation for details.
|
||||
|
||||
## Configuration
|
||||
|
||||
Use the following syntax to configure an ingress gateway.
|
||||
|
||||
<Tabs>
|
||||
<Tab heading="Consul OSS">
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
```hcl
|
||||
Kind = "ingress-gateway"
|
||||
Name = "<name for the gateway>"
|
||||
|
||||
Listeners = [
|
||||
{
|
||||
Port = <external service port>
|
||||
Protocol = "<protocol used by external service>"
|
||||
Services = [
|
||||
{
|
||||
Name = "<name of external service>"
|
||||
}
|
||||
]
|
||||
|
||||
}
|
||||
]
|
||||
|
||||
```
|
||||
|
||||
```yaml
|
||||
apiVersion: consul.hashicorp.com/v1alpha1
|
||||
kind: IngressGateway
|
||||
metadata:
|
||||
name: <name for the gateway>
|
||||
spec:
|
||||
listeners:
|
||||
- port: <external service port>
|
||||
protocol: <protocol used by external service>
|
||||
services:
|
||||
- name: <name of external service>
|
||||
```
|
||||
|
||||
```json
|
||||
{
|
||||
"Kind": "ingress-gateway",
|
||||
"Name": "<name for the gateway>",
|
||||
"Listeners": [
|
||||
{
|
||||
"Port": <external service port>,
|
||||
"Protocol": "<protocol used by external service>",
|
||||
"Services": [
|
||||
{
|
||||
"Name": "<name of external service>"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
```
|
||||
|
||||
</CodeTabs>
|
||||
</Tab>
|
||||
|
||||
<Tab heading="Consul Enterprise">
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
```hcl
|
||||
Kind = "ingress-gateway"
|
||||
Name = "<name for the gateway>"
|
||||
Namespace = "<namespace containing the gateway>"
|
||||
Partition = "<partition containing the gateway namespace>"
|
||||
|
||||
Listeners = [
|
||||
{
|
||||
Port = <external service port>
|
||||
Protocol = "<protocol used by external service>"
|
||||
Services = [
|
||||
{
|
||||
Name = "<name of external service>"
|
||||
}
|
||||
]
|
||||
|
||||
}
|
||||
]
|
||||
|
||||
```
|
||||
|
||||
```yaml
|
||||
apiVersion: consul.hashicorp.com/v1alpha1
|
||||
kind: IngressGateway
|
||||
metadata:
|
||||
name: <name for the gateway>
|
||||
namespace: <namespace containing the gateway>
|
||||
partition: <partition containing the gateway namespace>
|
||||
|
||||
spec:
|
||||
listeners:
|
||||
- port: <external service port>
|
||||
protocol: <protocol used by external service>
|
||||
services:
|
||||
- name: <name of external service>
|
||||
```
|
||||
|
||||
```json
|
||||
{
|
||||
"Kind": "ingress-gateway",
|
||||
"Name": "<name for the gateway>",
|
||||
"Namespace": "<namespace containing the gateway>",
|
||||
"Partition": "<partition containing the gateway namespace>",
|
||||
|
||||
"Listeners": [
|
||||
{
|
||||
"Port": <external service port>,
|
||||
"Protocol": "<protocol used by external service>",
|
||||
"Services": [
|
||||
{
|
||||
"Name": "<name of external service>"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
</CodeTabs>
|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
Refer to the [Available Fields](#available-fields) section for complete information about all ingress gateway configuraiton entry options and to the [Example Configurations](#example-configurations) section for example use-cases.
|
||||
|
||||
### Scope
|
||||
|
||||
[Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different sets of services within their datacenter then the ingress gateways **must** be registered with different names. See [Ingress Gateway](/docs/connect/ingress-gateway) for more information.
|
||||
|
||||
### Wildcard Service Specification
|
||||
|
||||
Ingress gateways can optionally target all services within a Consul namespace by
|
||||
specifying a wildcard `*` as the service name. A wildcard specifier allows
|
||||
|
@ -43,15 +184,27 @@ gateway:
|
|||
|
||||
A wildcard specifier cannot be set on a listener of protocol `tcp`.
|
||||
|
||||
## Sample Config Entries
|
||||
### ACLs
|
||||
|
||||
Configuration entries may be protected by [ACLs](/docs/security/acl).
|
||||
|
||||
Reading an `ingress-gateway` config entry requires `service:read` on the `Name`
|
||||
field of the config entry.
|
||||
|
||||
Creating, updating, or deleting an `ingress-gateway` config entry requires
|
||||
`operator:write`.
|
||||
|
||||
### Example Configurations
|
||||
|
||||
The following examples describe possible use-cases for ingress gateway configuration entries.
|
||||
|
||||
#### TCP listener
|
||||
|
||||
The following example sets up a TCP listener on an ingress gateway named `us-east-ingress` to proxy traffic to the `db` service. The Consul Enterprise version also posits the gateway listener inside the `default` [namespace](/docs/enterprise/namespaces) and the `team-frontend` [admin partition](/docs/enterprise/admin-partitions):
|
||||
|
||||
### TCP listener
|
||||
|
||||
<Tabs>
|
||||
<Tab heading="Consul OSS">
|
||||
|
||||
Set up a TCP listener on an ingress gateway named "us-east-ingress" to proxy traffic to the "db" service:
|
||||
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
```hcl
|
||||
|
@ -106,16 +259,13 @@ spec:
|
|||
|
||||
</Tab>
|
||||
<Tab heading="Consul Enterprise">
|
||||
|
||||
Set up a TCP listener on an ingress gateway named "us-east-ingress" in the default namespace
|
||||
to proxy traffic to the "db" service in the ops namespace:
|
||||
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
```hcl
|
||||
Kind = "ingress-gateway"
|
||||
Name = "us-east-ingress"
|
||||
Namespace = "default"
|
||||
Partition = "team-frontend"
|
||||
|
||||
Listeners = [
|
||||
{
|
||||
|
@ -137,6 +287,7 @@ kind: IngressGateway
|
|||
metadata:
|
||||
name: us-east-ingress
|
||||
namespace: default
|
||||
partition: team-frontend
|
||||
spec:
|
||||
listeners:
|
||||
- port: 3456
|
||||
|
@ -151,6 +302,7 @@ spec:
|
|||
"Kind": "ingress-gateway",
|
||||
"Name": "us-east-ingress",
|
||||
"Namespace": "default",
|
||||
"Partition": "team-frontend",
|
||||
"Listeners": [
|
||||
{
|
||||
"Port": 3456,
|
||||
|
@ -171,14 +323,21 @@ spec:
|
|||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
### Wildcard HTTP listener
|
||||
#### Wildcard HTTP Listener
|
||||
|
||||
In the following example, two listeners are configured on an ingress gateway named `us-east-ingress`:
|
||||
|
||||
* The first listener is configred to listen on port `8080` and uses a wildcard (`*`) to proxy traffic to all services in the datacenter.
|
||||
* The second listener exposes the `api` and `web` services on port `4567` at user-provided hosts.
|
||||
* TLS is enabled on every listener.
|
||||
|
||||
The Consul Enterprise version implements the following additional configurations:
|
||||
|
||||
* The ingress gateway is set up in the `default` [namespace](/docs/enterprise/namespaces) and proxies traffic to all services in the `frontend` namespace.
|
||||
* The `api` and `web` services are proxied to team-specific [admin partitions](/docs/enterprise/admin-partitions):
|
||||
|
||||
<Tabs>
|
||||
<Tab heading="Consul OSS">
|
||||
|
||||
Set up a wildcard HTTP listener on an ingress gateway named "us-east-ingress" to proxy traffic to all services in the datacenter.
|
||||
Also make two services available over a custom port with user-provided hosts, and enable TLS on every listener:
|
||||
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
```hcl
|
||||
|
@ -277,10 +436,6 @@ spec:
|
|||
|
||||
</Tab>
|
||||
<Tab heading="Consul Enterprise">
|
||||
|
||||
Set up a wildcard HTTP listener on an ingress gateway named "us-east-ingress" to proxy traffic to all services in the frontend namespace.
|
||||
Also make two services in the frontend namespace available over a custom port with user-provided hosts, and enable TLS on every listener:
|
||||
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
```hcl
|
||||
|
@ -311,11 +466,13 @@ Listeners = [
|
|||
Namespace = "frontend"
|
||||
Name = "api"
|
||||
Hosts = ["foo.example.com"]
|
||||
Partition = "api-team"
|
||||
},
|
||||
{
|
||||
Namespace = "frontend"
|
||||
Name = "web"
|
||||
Hosts = ["website.example.com"]
|
||||
Partition = "web-team"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -343,9 +500,11 @@ spec:
|
|||
- name: api
|
||||
namespace: frontend
|
||||
hosts: ['foo.example.com']
|
||||
partition: api-team
|
||||
- name: web
|
||||
namespace: frontend
|
||||
hosts: ['website.example.com']
|
||||
partition: web-team
|
||||
```
|
||||
|
||||
```json
|
||||
|
@ -374,12 +533,14 @@ spec:
|
|||
{
|
||||
"Namespace": "frontend",
|
||||
"Name": "api",
|
||||
"Hosts": ["foo.example.com"]
|
||||
"Hosts": ["foo.example.com"],
|
||||
"Partition": "api-team"
|
||||
},
|
||||
{
|
||||
"Namespace": "frontend",
|
||||
"Name": "web",
|
||||
"Hosts": ["website.example.com"]
|
||||
"Hosts": ["website.example.com"],
|
||||
"Partition": "web-team"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -392,18 +553,16 @@ spec:
|
|||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
### HTTP listener with path-based routing
|
||||
#### HTTP listener with Path-based Routing
|
||||
|
||||
The following example sets up an HTTP listener on an ingress gateway named `us-east-ingress` to proxy
|
||||
traffic to a virtual service named `api`. In the Consul Enterprise version, `us-east-ingress` is set up in the `default` namespace and `default` partition.
|
||||
|
||||
In this use-case, internal-only debug headers should be stripped before responding to external clients.
|
||||
Requests to internal services should also be labelled to indicate which gateway they came through.
|
||||
|
||||
<Tabs>
|
||||
<Tab heading="Consul OSS">
|
||||
|
||||
Set up an HTTP listener on an ingress gateway named "us-east-ingress" to proxy
|
||||
traffic to a virtual service named "api".
|
||||
|
||||
Additionally, ensure internal-only debug headers are stripped before responding
|
||||
to external clients, and that requests to internal services are labelled to
|
||||
indicate which gateway they came through.
|
||||
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
```hcl
|
||||
|
@ -442,7 +601,7 @@ spec:
|
|||
protocol: http
|
||||
services:
|
||||
- name: api
|
||||
# HTTP Header manipulation is not yet supported in Kubernetes CRD
|
||||
# HTTP Header manipulation is not supported in Kubernetes CRD
|
||||
```
|
||||
|
||||
```json
|
||||
|
@ -475,20 +634,13 @@ spec:
|
|||
|
||||
</Tab>
|
||||
<Tab heading="Consul Enterprise">
|
||||
|
||||
Set up an HTTP listener on an ingress gateway named "us-east-ingress" in the
|
||||
default namespace to proxy traffic to a virtual service named "api".
|
||||
|
||||
Additionally, ensure internal-only debug headers are stripped before responding
|
||||
to external clients, and that requests to internal services are labelled to
|
||||
indicate which gateway they came through.
|
||||
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
```hcl
|
||||
Kind = "ingress-gateway"
|
||||
Name = "us-east-ingress"
|
||||
Namespace = "default"
|
||||
Partition = "default"
|
||||
|
||||
Listeners = [
|
||||
{
|
||||
|
@ -518,6 +670,7 @@ kind: IngressGateway
|
|||
metadata:
|
||||
name: us-east-ingress
|
||||
namespace: default
|
||||
partition: default
|
||||
spec:
|
||||
listeners:
|
||||
- port: 80
|
||||
|
@ -525,7 +678,7 @@ spec:
|
|||
services:
|
||||
- name: api
|
||||
namespace: frontend
|
||||
# HTTP Header manipulation is not yet supported in Kubernetes CRD
|
||||
# HTTP Header manipulation is not supported in Kubernetes CRD
|
||||
```
|
||||
|
||||
```json
|
||||
|
@ -533,6 +686,7 @@ spec:
|
|||
"Kind": "ingress-gateway",
|
||||
"Name": "us-east-ingress",
|
||||
"Namespace": "default",
|
||||
"Partition": "default",
|
||||
"Listeners": [
|
||||
{
|
||||
"Port": 80,
|
||||
|
@ -561,10 +715,7 @@ spec:
|
|||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
The `api` service is not an actual registered service. It exist as a "virtual"
|
||||
service for L7 configuration only. A `service-router` (`ServiceRouter` on Kubernetes) is defined for this
|
||||
virtual service which uses path-based routing to route requests to different
|
||||
backend services:
|
||||
For this use-case, the `api` service is not an actual registered service. It exists as a virtual service for L7 configuration only. A `service-router` (`ServiceRouter` on Kubernetes) is defined for the virtual service that uses path-based routing to route requests to different backend services:
|
||||
|
||||
<Tabs>
|
||||
<Tab heading="Consul OSS">
|
||||
|
@ -659,6 +810,7 @@ spec:
|
|||
Kind = "service-router"
|
||||
Name = "api"
|
||||
Namespace = "default"
|
||||
Partition = "default"
|
||||
Routes = [
|
||||
{
|
||||
Match {
|
||||
|
@ -693,6 +845,7 @@ kind: ServiceRouter
|
|||
metadata:
|
||||
name: api
|
||||
namespace: default
|
||||
partition: default
|
||||
spec:
|
||||
routes:
|
||||
- match:
|
||||
|
@ -714,6 +867,7 @@ spec:
|
|||
"Kind": "service-router",
|
||||
"Name": "api",
|
||||
"Namespace": "default",
|
||||
"Partition": "default",
|
||||
"Routes": [
|
||||
{
|
||||
"Match": {
|
||||
|
@ -748,6 +902,8 @@ spec:
|
|||
|
||||
## Available Fields
|
||||
|
||||
You can specify the following parameters to configure ingress gateway configuration entries.
|
||||
|
||||
<ConfigEntryReference
|
||||
keys={[
|
||||
{
|
||||
|
@ -770,11 +926,11 @@ spec:
|
|||
},
|
||||
{
|
||||
name: 'Namespace',
|
||||
type: `string: "default"`,
|
||||
type: 'string: `default`',
|
||||
enterprise: true,
|
||||
description:
|
||||
'Specifies the namespace the config entry will apply to. This must be the namespace the gateway is registered in.' +
|
||||
' If omitted, the namespace will be inherited from [the request](/api/config#ns)' +
|
||||
'Specifies the namespace in which the configuration entry will apply. The value must match the namespace in which the gateway is registered.' +
|
||||
' If omitted, the namespace will be inherited from the `ns` request parameter (refer to the [`config` API endpoint documentation](/api/config#ns)).' +
|
||||
' or will default to the `default` namespace.',
|
||||
yaml: false,
|
||||
},
|
||||
|
@ -785,6 +941,16 @@ spec:
|
|||
'Specifies arbitrary KV metadata pairs. Added in Consul 1.8.4.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description:
|
||||
'Specifies the admin partition in which the configuration will apply. The value must match the partition in which the gateway is registered.' +
|
||||
' If omitted, the partition will be inhereited from the request (refer to the [`config` API endpoint documentation](/api/config)).' +
|
||||
' See [Admin Partitions](/docs/enterprise/admin-partitions) for additional information.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'metadata',
|
||||
children: [
|
||||
|
@ -794,8 +960,15 @@ spec:
|
|||
},
|
||||
{
|
||||
name: 'namespace',
|
||||
enterprise: true,
|
||||
description:
|
||||
'If running Consul Open Source, the namespace is ignored (see [Kubernetes Namespaces in Consul OSS](/docs/k8s/crds#consul-oss)). If running Consul Enterprise see [Kubernetes Namespaces in Consul Enterprise](/docs/k8s/crds#consul-enterprise) for more details.',
|
||||
'Refer to the [Kubernetes Namespaces documentation for Consul Enterprise](/docs/k8s/crds#consul-enterprise). The `namespace` parameter is not supported in Consul OSS (see [Kubernetes Namespaces in Consul OSS](/docs/k8s/crds#consul-oss)).',
|
||||
},
|
||||
{
|
||||
name: 'partition',
|
||||
enterprise: true,
|
||||
description:
|
||||
'Specifies the admin partition in which the configuration will apply. The value must match the partition in which the gateway is registered. Refer to the [Admin Partitions documentation](/docs/enterprise/admin-partitions) for additional information. The `partitions` parameter is not supported in Consul OSS.',
|
||||
},
|
||||
],
|
||||
hcl: false,
|
||||
|
@ -880,7 +1053,14 @@ spec:
|
|||
type: 'string: ""',
|
||||
enterprise: true,
|
||||
description:
|
||||
'The namespace to resolve the service from instead of the current namespace. If empty the current namespace is assumed.',
|
||||
'The namespace from which to resolve the service if different than the existing namespace. The current namespace is used if unspecified.',
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: 'string: ""',
|
||||
enterprise: true,
|
||||
description:
|
||||
'The admin partition from which to resolve the service if different than the existing partition. The current partition is used if unspecified.',
|
||||
},
|
||||
{
|
||||
name: 'Hosts',
|
||||
|
@ -986,12 +1166,3 @@ spec:
|
|||
]}
|
||||
/>
|
||||
|
||||
## ACLs
|
||||
|
||||
Configuration entries may be protected by [ACLs](/docs/security/acl).
|
||||
|
||||
Reading an `ingress-gateway` config entry requires `service:read` on the `Name`
|
||||
field of the config entry.
|
||||
|
||||
Creating, updating, or deleting an `ingress-gateway` config entry requires
|
||||
`operator:write`.
|
||||
|
|
|
@ -10,13 +10,12 @@ description: >-
|
|||
|
||||
# Mesh
|
||||
|
||||
-> **v1.10.0+:** This config entry is supported in Consul versions 1.10.0+.
|
||||
-> **v1.10.0+:** This configuration entry is supported in Consul versions 1.10.0+.
|
||||
|
||||
The `mesh` config entry kind allows for globally defining
|
||||
default configuration that applies to all service mesh proxies.
|
||||
The `mesh` configuration entry allows you to define a global default configuration that applies to all service mesh proxies.
|
||||
Settings in this config entry apply across all namespaces and federated datacenters.
|
||||
|
||||
## Sample Config Entries
|
||||
## Sample Configuration Entries
|
||||
|
||||
### Mesh Destinations Only
|
||||
|
||||
|
@ -58,14 +57,14 @@ spec:
|
|||
</Tab>
|
||||
<Tab heading="Consul Enterprise">
|
||||
|
||||
-> **Note**: The `mesh` config entry can only be created in the `default`
|
||||
namespace and it will apply to proxies across **all** namespaces.
|
||||
The `mesh` configuration entry can only be created in the `default` namespace and will apply to proxies across **all** namespaces.
|
||||
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
```hcl
|
||||
Kind = "mesh"
|
||||
Namespace = "default" # Can only be set to "default".
|
||||
Partition = "default"
|
||||
|
||||
TransparentProxy {
|
||||
MeshDestinationsOnly = true
|
||||
|
@ -77,6 +76,8 @@ apiVersion: consul.hashicorp.com/v1alpha1
|
|||
kind: Mesh
|
||||
metadata:
|
||||
name: mesh
|
||||
namespace: default
|
||||
partition: default
|
||||
spec:
|
||||
transparentProxy:
|
||||
meshDestinationsOnly: true
|
||||
|
@ -86,6 +87,7 @@ spec:
|
|||
{
|
||||
"Kind": "mesh",
|
||||
"Namespace": "default",
|
||||
"Partition": "default",
|
||||
"TransparentProxy": {
|
||||
"MeshDestinationsOnly": true
|
||||
}
|
||||
|
@ -118,7 +120,15 @@ spec:
|
|||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description:
|
||||
'Must be set to default. Config will apply to all namespaces.',
|
||||
'Must be set to `default`. The configuration will apply to all namespaces.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description:
|
||||
'Specifies the name of the admin partition in which the configuration entry applies. Refer to the [Admin Partitions documentation](/docs/enterprise/admin-partitions) for additional information.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
|
@ -137,8 +147,15 @@ spec:
|
|||
},
|
||||
{
|
||||
name: 'namespace',
|
||||
enterprise: true,
|
||||
description:
|
||||
'If running Consul Open Source, the namespace is ignored (see [Kubernetes Namespaces in Consul OSS](/docs/k8s/crds#consul-oss)). If running Consul Enterprise see [Kubernetes Namespaces in Consul Enterprise](/docs/k8s/crds#consul-enterprise) for more details.',
|
||||
'Must be set tot `default`. If running Consul Open Source, the namespace is ignored (see [Kubernetes Namespaces in Consul OSS](/docs/k8s/crds#consul-oss)). If running Consul Enterprise see [Kubernetes Namespaces in Consul Enterprise](/docs/k8s/crds#consul-enterprise) for additional information.',
|
||||
},
|
||||
{
|
||||
name: 'partition',
|
||||
enterprise: true,
|
||||
description:
|
||||
'Specifies the admin partition in which the configuration will apply. The current partition is used if unspecified. Refer to the [Admin Partitions documentation](/docs/enterprise/admin-partitions) for details. The partitions parameter is not supported in Consul OSS.',
|
||||
},
|
||||
],
|
||||
hcl: false,
|
||||
|
|
|
@ -203,7 +203,15 @@ spec:
|
|||
name: 'Namespace',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description: 'Specifies the namespace the config entry will apply to.',
|
||||
description: 'Must be set to `default`. The configuration will apply to all namespaces.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description:
|
||||
'Specifies the name of the admin partition in which the configuration entry applies. Refer to the [Admin Partitions documentation](/docs/enterprise/admin-partitions) for additional information.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
|
@ -222,9 +230,16 @@ spec:
|
|||
},
|
||||
{
|
||||
name: 'namespace',
|
||||
enterprise: true,
|
||||
description:
|
||||
'If running Consul Open Source, the namespace is ignored (see [Kubernetes Namespaces in Consul OSS](/docs/k8s/crds#consul-oss)). If running Consul Enterprise see [Kubernetes Namespaces in Consul Enterprise](/docs/k8s/crds#consul-enterprise) for more details.',
|
||||
},
|
||||
{
|
||||
name: 'partition',
|
||||
enterprise: true,
|
||||
description:
|
||||
'Specifies the admin partition in which the configuration will apply. The current partition is used if unspecified. Refer to the [Admin Partitions documentation](/docs/enterprise/admin-partitions) for details. The partitions parameter is not supported in Consul OSS.',
|
||||
},
|
||||
],
|
||||
hcl: false,
|
||||
},
|
||||
|
|
|
@ -265,6 +265,15 @@ spec:
|
|||
description: 'Specifies the namespace the config entry will apply to.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description:
|
||||
'Specifies the name of the admin partition in which the configuration entry applies. Refer to the [Admin Partitions documentation](/docs/enterprise/admin-partitions) for additional information.',
|
||||
yaml: false,
|
||||
},
|
||||
|
||||
{
|
||||
name: 'Meta',
|
||||
type: 'map<string|string>: nil',
|
||||
|
@ -284,6 +293,12 @@ spec:
|
|||
description:
|
||||
'If running Consul Open Source, the namespace is ignored (see [Kubernetes Namespaces in Consul OSS](/docs/k8s/crds#consul-oss)). If running Consul Enterprise see [Kubernetes Namespaces in Consul Enterprise](/docs/k8s/crds#consul-enterprise) for more details.',
|
||||
},
|
||||
{
|
||||
name: 'partition',
|
||||
enterprise: true,
|
||||
description:
|
||||
'Specifies the admin partition in which the configuration will apply. The current partition is used if unspecified. Refer to the [Admin Partitions documentation](/docs/enterprise/admin-partitions) for details. The partitions parameter is not supported in Consul OSS.',
|
||||
},
|
||||
],
|
||||
hcl: false,
|
||||
},
|
||||
|
|
|
@ -34,9 +34,11 @@ or globally via [`proxy-defaults`](/docs/connect/config-entries/proxy-defaults)
|
|||
|
||||
## Sample Config Entries
|
||||
|
||||
The following examples demonstrate potential use-cases for the `service-intentions` configuration entry.
|
||||
|
||||
### REST Access
|
||||
|
||||
Grant some clients more REST access than others:
|
||||
In the following example, the `admin-dashboard` and `report-generator` services have different levels of access when making REST calls:
|
||||
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
|
@ -134,9 +136,8 @@ spec:
|
|||
|
||||
### gRPC
|
||||
|
||||
Selectively deny some gRPC service methods. Since gRPC method calls [are
|
||||
HTTP/2](https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md), we can
|
||||
use an HTTP path match rule to control traffic:
|
||||
In the following use-case, access to the `IssueRefund` gRPC service method is set to `deny`. Because gRPC method calls [are
|
||||
HTTP/2](https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md), an HTTP path-matching rule can be used to control traffic:
|
||||
|
||||
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
|
||||
|
||||
|
@ -367,6 +368,14 @@ spec:
|
|||
"Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description:
|
||||
"Specifies the admin partition on which the configuration entry will apply. Wildcard characters (`*`) are not supported. Admin partitions must specified explicitly.",
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Meta',
|
||||
type: 'map<string|string>: nil',
|
||||
|
@ -438,6 +447,7 @@ spec:
|
|||
},
|
||||
{
|
||||
name: 'Namespace',
|
||||
enterprise: true,
|
||||
type: 'string',
|
||||
description: {
|
||||
hcl:
|
||||
|
@ -445,8 +455,18 @@ spec:
|
|||
yaml:
|
||||
'The namespace of the source service. Defaults to the namespace of the destination service (i.e. `spec.destination.namespace`)',
|
||||
},
|
||||
enterprise: true,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
enterprise: true,
|
||||
type: 'string',
|
||||
description: {
|
||||
hcl:
|
||||
"Specifies the admin partition of the source service. Defaults to the destination service's partition, i.e., the configuration entry's partition",
|
||||
yaml:
|
||||
"Specifies the admin partiation of the source service. Defaults to the destination service's partition, i.e. `spec.destination.namespace`",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: 'Action',
|
||||
type: 'string: ""',
|
||||
|
|
|
@ -246,7 +246,14 @@ spec:
|
|||
name: 'Namespace',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description: 'Specifies the namespace the config entry will apply to.',
|
||||
description: 'Specifies the namespace in which the configuration entry will apply.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description: 'Specifies the admin partition in which the configuration entry will apply.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
|
@ -348,13 +355,20 @@ spec:
|
|||
enterprise: true,
|
||||
type: 'string: ""',
|
||||
description:
|
||||
'The namespace to resolve the service from instead of the current one.',
|
||||
'Specifies the source namespace to resolve the service from.',
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
enterprise: true,
|
||||
type: 'string: ""',
|
||||
description:
|
||||
'Specifies the source admin partition to resolve the service from.',
|
||||
},
|
||||
{
|
||||
name: 'Datacenter',
|
||||
type: 'string: ""',
|
||||
description:
|
||||
'The datacenter to resolve the service from instead of the current one.',
|
||||
'Specifies the source datacenter to resolve the service from.',
|
||||
},
|
||||
],
|
||||
},
|
||||
|
|
|
@ -302,7 +302,14 @@ spec:
|
|||
name: 'Namespace',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description: 'Specifies the namespace the config entry will apply to.',
|
||||
description: 'Specifies the namespace to which the configuration entry will apply.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description: 'Specifies the admin partition to which the configuration will apply.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
|
@ -538,7 +545,14 @@ spec:
|
|||
name: 'Namespace',
|
||||
type: 'string: ""',
|
||||
description:
|
||||
'The Consul namespace to resolve the service from instead of the current namespace. If empty the current namespace is assumed.',
|
||||
'The Consul namespace to resolve the service from instead of the current namespace. If empty, the current namespace is used.',
|
||||
enterprise: true,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: 'string: ""',
|
||||
description:
|
||||
'The Consul admin partition to resolve the service from instead of the current partition. If empty, the current partition is used.',
|
||||
enterprise: true,
|
||||
},
|
||||
{
|
||||
|
|
|
@ -234,7 +234,14 @@ Splits = [
|
|||
name: 'Namespace',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description: 'Specifies the namespace the config entry will apply to.',
|
||||
description: 'Specifies the namespace to which the configuration entry will apply.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description: 'Specifies the admin partition to which the configuration entry will apply.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
|
@ -291,7 +298,14 @@ Splits = [
|
|||
enterprise: true,
|
||||
type: 'string: ""',
|
||||
description:
|
||||
'The namespace to resolve the service from instead of the current namespace. If empty the current namespace is assumed.',
|
||||
'The namespace to resolve the service from instead of the current namespace. If empty, the current namespace is used.',
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
enterprise: true,
|
||||
type: 'string: ""',
|
||||
description:
|
||||
'The admin partition to resolve the service from instead of the current partition. If empty, the current partition is used.',
|
||||
},
|
||||
{
|
||||
yaml: false,
|
||||
|
|
|
@ -567,11 +567,21 @@ spec:
|
|||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description:
|
||||
'Specifies the namespace the config entry will apply to. This must be the namespace the gateway is registered in.' +
|
||||
'Specifies the namespace to which the configuration entry will apply. This must match the namespace in which the gateway is registered.' +
|
||||
' If omitted, the namespace will be inherited from [the request](/api/config#ns)' +
|
||||
' or will default to the `default` namespace.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Partition',
|
||||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description:
|
||||
'Specifies the admin partition to which the configuration entry will apply. This must match the partition in which the gateway is registered.' +
|
||||
' If omitted, the partition will be inherited from [the request](/api/config)' +
|
||||
' or will default to the `default` partition.',
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
name: 'Meta',
|
||||
type: 'map<string|string>: nil',
|
||||
|
|
Loading…
Reference in New Issue