Update docs for tls commands (#16077)

2023-01-30 12:26:56 -05:00 · 2023-01-30 12:26:56 -05:00 · 90041639fc
parent 9da61c1cec
commit 90041639fc
4 changed files with 37 additions and 26 deletions
--- a/command/tls/ca/create/tls_ca_create.go
+++ b/command/tls/ca/create/tls_ca_create.go
@ -4,11 +4,12 @@ import (
 	"flag"
 	"fmt"

+	"github.com/mitchellh/cli"
+
 	"github.com/hashicorp/consul/command/flags"
 	"github.com/hashicorp/consul/command/tls"
 	"github.com/hashicorp/consul/lib/file"
 	"github.com/hashicorp/consul/tlsutil"
-	"github.com/mitchellh/cli"
 )

 func New(ui cli.Ui) *cmd {
@ -32,13 +33,14 @@ type cmd struct {
 func (c *cmd) init() {
 	c.flags = flag.NewFlagSet("", flag.ContinueOnError)
 	// TODO: perhaps add a -years arg to better capture user intent given that leap years are a thing
-	c.flags.IntVar(&c.days, "days", 1825, "Provide number of days the CA is valid for from now on. Defaults to 5 years.")
-	c.flags.BoolVar(&c.constraint, "name-constraint", false, "Add name constraints for the CA. Results in rejecting "+
-		"certificates for other DNS than specified. If turned on localhost and -domain will be added to the allowed "+
-		"DNS. If the UI is going to be served over HTTPS its DNS has to be added with -additional-constraint. It is not "+
-		"possible to add that after the fact! Defaults to false.")
-	c.flags.StringVar(&c.domain, "domain", "consul", "Domain of consul cluster. Only used in combination with -name-constraint. Defaults to consul.")
-	c.flags.StringVar(&c.clusterID, "cluster-id", "", "ClusterID of the consul cluster, requires -domain to be set as well. When used will set URIs with spiffeid.")
+	c.flags.IntVar(&c.days, "days", 1825, "Number of days the CA is valid for. Defaults to 1825 days (approximately 5 years).")
+	c.flags.BoolVar(&c.constraint, "name-constraint", false, "Enables X.509 name constraints for the CA. "+
+		"If used, the CA only signs certificates for localhost and the domains specified by -domain and -additional-name-constraint. "+
+		"If Consul's UI is served over HTTPS in your deployment, add its DNS name with -additional-constraint. Defaults to false.")
+	c.flags.StringVar(&c.domain, "domain", "consul", "The DNS domain of the Consul cluster that agents are configured with. "+
+		"Defaults to consul. Only used when -name-constraint is set. "+
+		"Additional domains can be passed with -additional-name-constraint.")
+	c.flags.StringVar(&c.clusterID, "cluster-id", "", "ID of the Consul cluster. Sets the CA's URI with the SPIFFEID composed of the cluster ID and domain  (specified by -domain or 'consul' by default).")
 	c.flags.StringVar(&c.commonName, "common-name", "", "Common Name of CA. Defaults to Consul Agent CA.")
 	c.flags.Var(&c.additionalConstraints, "additional-name-constraint", "Add name constraints for the CA. Results in rejecting certificates "+
 		"for other DNS than specified. Can be used multiple times. Only used in combination with -name-constraint.")
--- a/command/tls/ca/tls_ca.go
+++ b/command/tls/ca/tls_ca.go
@ -1,8 +1,9 @@
 package ca

 import (
-	"github.com/hashicorp/consul/command/flags"
 	"github.com/mitchellh/cli"
+
+	"github.com/hashicorp/consul/command/flags"
 )

 func New() *cmd {
@ -25,7 +26,7 @@ func (c *cmd) Help() string {

 const synopsis = `Helpers for CAs`
 const help = `
-Usage: consul tls ca <subcommand> [options] filename-prefix
+Usage: consul tls ca <subcommand> [options]

  This command has subcommands for interacting with Certificate Authorities.

--- a/command/tls/cert/tls_cert.go
+++ b/command/tls/cert/tls_cert.go
@ -1,8 +1,9 @@
 package cert

 import (
-	"github.com/hashicorp/consul/command/flags"
 	"github.com/mitchellh/cli"
+
+	"github.com/hashicorp/consul/command/flags"
 )

 func New() *cmd {
@ -25,7 +26,7 @@ func (c *cmd) Help() string {

 const synopsis = `Helpers for certificates`
 const help = `
-Usage: consul tls cert <subcommand> [options] [filename-prefix]
+Usage: consul tls cert <subcommand> [options]

  This command has subcommands for interacting with certificates

--- a/website/content/commands/tls/ca.mdx
+++ b/website/content/commands/tls/ca.mdx
@ -9,11 +9,11 @@ description: |

 Command: `consul tls ca create`

-This command create a self signed CA to be used for Consul TLS setup.
+This command creates a self-signed CA to be used for Consul TLS setup.

-## Example
+## Examples

-Create CA:
+Create a CA:

 ```shell-session
 $ consul tls ca create
@ -21,9 +21,17 @@ $ consul tls ca create
 ==> Saved consul-ca-key.pem
 ```

+Create a CA that signs certificates exclusively for the example.com domain:
+
+```shell-session
+$ consul tls ca create -name-constraint -domain example.com
+==> Saved example.com-ca.pem
+==> Saved example.com-ca-key.pem
+```
+
 ## Usage

-Usage: `consul tls ca create [filename-prefix] [options]`
+Usage: `consul tls ca create [options]`

 #### Command Options

@ -31,18 +39,17 @@ Usage: `consul tls ca create [filename-prefix] [options]`
  Results in rejecting certificates for other DNS than specified. Can be used
  multiple times. Only used in combination with `-name-constraint`.

- `-days=<int>` - Provide number of days the CA is valid for from now on, defaults to 5 years.
+- `-days=<int>` - Number of days the CA is valid for. Defaults to 1825 days (approximately 5 years).

- `-domain=<string>` - Domain of consul cluster. Only used in combination with
-  `-name-constraint`. Defaults to `consul`.
+- `-domain=<string>` - The DNS domain of the Consul cluster that agents are [configured](/consul/docs/agent/config/cli-flags#_domain) with.
+  Defaults to `consul`. Only used when `-name-constraint` is set.
+  Additional domains can be passed with `-additional-name-constraint`.

- `-name-constraint` - Add name constraints for the CA. Results in rejecting
-  certificates for other DNS than specified. If turned on localhost and -domain
-  will be added to the allowed DNS. If the UI is going to be served over HTTPS
-  its DNS has to be added with `-additional-constraint`. It is not possible to
-  add that after the fact! Defaults to false.
+- `-name-constraint` - Enables [X.509 name constraints](https://www.rfc-editor.org/rfc/rfc5280#page-40) for the CA.
+  If used, the CA only signs certificates for localhost and the domains specified by `-domain` and `-additional-name-constraint`.
+  If Consul's UI is served over HTTPS in your deployment, add its DNS name with `-additional-constraint` as well. Defaults to `false`.

- `cluster-id` - ClusterID of the consul cluster, requires `-domain` to be set as well.
-   When used this will cause URIs to be set with spiffeid.
+- `cluster-id` - ID of the Consul cluster. Sets the CA's URI with the SPIFFEID composed of the cluster ID and domain
+  (specified by `-domain` or `consul` by default).

 - `common-name` - Common Name of CA. Defaults to Consul Agent CA.