docs: how to launch envoy when ACLs enabled (#15497)

Jared Kirschner 2022-12-08 20:15:58 -05:00 committed by GitHub
parent 8950762e35
commit 8991e116fe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 72 additions and 26 deletions

View File

@ -76,10 +76,14 @@ Usage: `consul acl token create [options] [args]`
## Examples ## Examples
Create a new token: The following examples describe how to create ACL tokens for common scenarios.
### Create a token with policy by name
The following example creates a token that includes a policy by its name.
```shell-session ```shell-session
$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 $ consul acl token create -description "Read Nodes and Services" -policy-name node-services-read
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7 SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
Description: Read Nodes and Services Description: Read Nodes and Services
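Review bot: the new example resolves the policy by name (`-policy-name node-services-read`), but unlike `global-management` (whose reserved ID `00000000-0000-0000-0000-000000000001` appears later in this file) that policy is not built in, so the command fails unless the reader created it first; add a sentence before the command stating that this example assumes a policy named `node-services-read` already exists, or point to where it is created.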
@ -89,42 +93,54 @@ Policies:
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read 06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
``` ```
Create a new local token: ### Create a token for a service
The following example creates a token with the privileges necessary
for registering a service named `my-api`.
If `my-api` is in the service mesh, the token also has the privileges necessary
to register its associated sidecar proxy and must be provided to the proxy when
launched with [`consul connect envoy`](/consul/commands/connect/envoy#sidecar-proxy-with-acls-enabled).
```shell-session ```shell-session
$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 -local $ consul acl token create -description 'my-api token' -service-identity 'my-api'
AccessorID: 4fdf0ec8-d251-3865-079c-7247c974fc50 AccessorID: 0c083aca-6c15-f0cc-c4d9-30578db54cd9
SecretID: 02143514-abf2-6c23-0aa1-ec2107e68f6b SecretID: 930dafb6-5c08-040b-23fb-a368a95256f9
Description: Read Nodes and Services Description: api token
Local: true Local: false
Create Time: 2018-10-22 15:34:19.330265 -0400 EDT Create Time: 2019-04-25 16:45:49.337687334 -0500 CDT
Policies: Service Identities:
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read my-api (Datacenters: all)
``` ```
Create a new token and link with policies by name: ### Create a temporary and highly-privileged token
The following example creates a token with a lifetime of 15 minutes that
includes the built-in [`global-management` policy](/consul/docs/security/acl/acl-policies#global-management).
```shell-session ```shell-session
$ consul acl token create -description "Super User" -policy-name global-management $ consul acl token create -description "Temp Super User" -policy-name global-management -expires-ttl '15m'
AccessorID: 59f86a9b-d3b6-166c-32a0-be4ab3f94caa AccessorID: 59f86a9b-d3b6-166c-32a0-be4ab3f94caa
SecretID: ada7f751-f654-8872-7f93-498e799158b6 SecretID: ada7f751-f654-8872-7f93-498e799158b6
Description: Super User Description: Temp Super User
Local: false Local: false
Create Time: 2018-10-22 15:35:28.787003 -0400 EDT Create Time: 2019-04-25 16:45:49.337687334 -0500 CDT
Expiration Time: 2019-04-25 17:00:49.337687334 -0500 CDT
Policies: Policies:
00000000-0000-0000-0000-000000000001 - global-management 00000000-0000-0000-0000-000000000001 - global-management
``` ```
Create a new token with one service identity that expires in 15 minutes: ### Create a local token with policy by ID
The following example creates a token that is only valid in this datacenter
and includes a policy by its UUID.
```shell-session ```shell-session
$ consul acl token create -description 'crawler token' -service-identity 'crawler' -expires-ttl '15m' $ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 -local
AccessorID: 0c083aca-6c15-f0cc-c4d9-30578db54cd9 AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID: 930dafb6-5c08-040b-23fb-a368a95256f9 SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
Description: crawler token Description: Read Nodes and Services
Local: false Local: true
Create Time: 2019-04-25 16:45:49.337687334 -0500 CDT Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
Expiration Time: 2019-04-25 17:00:49.337687334 -0500 CDT Policies:
Service Identities: 06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
crawler (Datacenters: all)
``` ```
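Review bot: two consistency problems in the new example output. In "Create a token for a service", the command passes `-description 'my-api token'` but the output shows `Description: api token`; one of the two should change so the output matches what was run. In "Create a local token with policy by ID", the output reuses the exact AccessorID (`986193b5-...`) and SecretID (`ec15675e-...`) of the first, non-local example above, while the `Local: true` line shows it is a different token; the previous version of this example had its own IDs (`4fdf0ec8-...` / `02143514-...`), so restore distinct values. The remaining examples look right: the `-expires-ttl '15m'` example's `Expiration Time` is exactly 15 minutes after `Create Time`, and pairing a TTL with `global-management` is a sensible default to show for a highly-privileged token.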

View File

@ -13,6 +13,10 @@ The connect Envoy command is used to generate a bootstrap configuration for
[Envoy proxy](https://envoyproxy.io) for use with [Consul [Envoy proxy](https://envoyproxy.io) for use with [Consul
Connect](/docs/connect/). Connect](/docs/connect/).
Refer to the [examples](#examples) for guidance on common use cases,
such as [launching a service instance's sidecar proxy
when ACLs are enabled](#sidecar-proxy-with-acls-enabled).
The default behavior is to generate the necessary bootstrap configuration for The default behavior is to generate the necessary bootstrap configuration for
Envoy based on the environment variables and options provided and by talking to Envoy based on the environment variables and options provided and by talking to
the local Consul agent. It `exec`s an external Envoy binary with that the local Consul agent. It `exec`s an external Envoy binary with that
@ -215,7 +219,7 @@ service {
} }
``` ```
### Basic Sidecar Proxy ### Basic sidecar proxy
The sidecar Envoy process can be started with. The sidecar Envoy process can be started with.
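Review bot: the heading is changed to sentence case (`### Basic sidecar proxy`) while the neighbouring `### Additional Envoy Arguments` heading in the same file keeps title case; either leave this heading as it was or change the sibling headings in the same commit so the section casing is consistent.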
@ -227,6 +231,32 @@ This example assumes that the correct [environment variables](#api-options) are
used to set the local agent connection information and ACL token, or that the used to set the local agent connection information and ACL token, or that the
agent is using all-default configuration. agent is using all-default configuration.
### Sidecar proxy with ACLs enabled
In secure deployments, Consul's ACL system is enabled with a default `deny` policy.
To access Consul API resources, an API request must present a Consul ACL token
with the necessary privileges. If ACLs are enabled, you must provide an ACL token to the sidecar proxy. The token must grant the proxy privileges to register itself and the service it fronts and to access all potential upstreams of that service.
We recommend [using a service identity](/consul/commands/acl/token/create#create-a-token-for-a-service)
to directly create a token with the privileges necessary for a service and its sidecar proxy,
rather than creating a unique ACL policy for every service.
After creating a token using a service identity, provide the token when
launching the Envoy sidecar proxy instance with the `consul connect envoy` command.
You can provide the token through an environment variable or CLI flag.
Environment variables:
- [`CONSUL_HTTP_TOKEN`](/consul/commands#consul_http_token) or
- [`CONSUL_HTTP_TOKEN_FILE`](/consul/commands#consul_http_token_file)
CLI flags:
- [`-token`](/consul/commands/connect/envoy#token) or
- [`-token-file`](/consul/commands/connect/envoy#token-file)
```shell-session
$ export CONSUL_HTTP_TOKEN="<secret-id-of-token-with-service-identity-for-web>"
$ consul connect envoy -sidecar-for web
```
### Additional Envoy Arguments ### Additional Envoy Arguments
To pass additional arguments directly to Envoy, for example output logging To pass additional arguments directly to Envoy, for example output logging
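Review bot: the new example launches a sidecar for `web` with a placeholder for a token "with service identity for web", but the token-create example this section links to (`#create-a-token-for-a-service`) creates a token for `my-api`; using the same service name in both places would let a reader follow the two pages end to end without substitution. Two smaller points: since the section already lists `CONSUL_HTTP_TOKEN_FILE` and `-token-file`, consider showing the file-based form in the example (or a second example), as it keeps the SecretID out of shell history and out of the process environment that Envoy inherits; and the sentence beginning "with the necessary privileges. If ACLs are enabled..." is a single very long line while the rest of the section wraps at roughly 80 columns, so wrap it to match.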