website: changes for 1.6.0 beta (#6083)

* website: link to 1.6.0 beta in downloads page

* website: reorganize intention replication/ca federation

* website: remove announcement bar

* Update website/source/docs/connect/connect-internals.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>

* website: update homepage and service mesh page

Aligning messaging to current product.

* website: fix link TODOs

* Add Mesh Gateway to mesh page, update use case wording
Jack Pearkes 2019-07-08 07:12:42 -07:00 committed by Paul Banks
parent 83b929accf
commit 9013bc5199
14 changed files with 151 additions and 126 deletions

View File

@ -638,7 +638,7 @@ default will automatically work with some tooling.
ACLs are enabled. This token may be provided later using the [agent token API](/api/agent.html#update-acl-tokens)
on each server. This token must have at least "read" permissions on ACL data but if ACL
token replication is enabled then it must have "write" permissions. This also enables
Connect replication in Consul Enterprise, for which the token will require both operator
Connect replication, for which the token will require both operator
"write" and intention "read" permissions for replicating CA and Intention data.
* <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - **This field is
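Review bot: dropping "in Consul Enterprise" makes this replication-token requirement apply to every edition, but the sentence no longer says what "Connect replication" covers; link the phrase to the new Intention Replication and Certificate Authority Federation sections added to connect-internals in this change, so a reader setting `acl.tokens.replication` can see why the token needs operator "write" and intention "read" rather than only ACL "read".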

View File

@ -3,7 +3,7 @@ layout: "docs"
page_title: "Connect - Architecture"
sidebar_current: "docs-connect-internals"
description: |-
This page details the internals of Consul Connect: mutual TLS, agent caching and performance, and multi-datacenter Enterprise functionality.
This page details the internals of Consul Connect: mutual TLS, agent caching and performance, intention and certificate authority replication.
---
# How Connect Works
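Review bot: the new description is missing a conjunction before its last item ("agent caching and performance, intention and certificate authority replication"); suggest "agent caching and performance, and cross-datacenter replication of intentions and CA roots" so the meta description reads as one list.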
@ -87,16 +87,44 @@ agent may begin failing and eventually crash. Cache entries do have TTLs
associated with them and will evict their entries if they're not used. Given
a long period of inactivity (3 days by default), the cache will empty itself.
## Multi-Datacenter
## Connections Across Datacenters
Using Connect for service-to-service communications across multiple datacenters
requires Consul Enterprise.
Sidecar proxy's [upstream configuration](/docs/connect/registration/service-registration.html#upstream-configuration-reference)
may specify an alternative datacenter or a prepared query that can address services
in multiple datacenters (such as the [geo failover](https://learn.hashicorp.com/consul/developer-discovery/geo-failover) pattern).
With Open Source Consul, Connect may be enabled on multiple Consul datacenters,
but only services within the same datacenter can establish Connect-based,
Authenticated and Authorized connections. In this version, Certificate Authority
configurations and intentions are both local to their respective datacenters;
they are not replicated across datacenters.
[Intentions](/docs/connect/intentions.html) verify connections between services by
source and destination name seamlessly across datacenters.
Full multi-datacenter support for Connect is available in
[Consul Enterprise](/docs/enterprise/connect-multi-datacenter/index.html).
Connections can be made via gateways to enable when communciating across
network topologies allowing connections between services in each datacenter
without externally routable IPs at the service level.
## Intention Replication
Intention replication happens automatically but requires the
[`primary_datacenter`](/docs/agent/options.html#primary_datacenter)
configuration to be set to specify a datacenter that is authoritative
for intentions. In production setups with ACLs enabled, the
[replication token](/docs/agent/options.html#acl_tokens_replication) must also
be set in the secondary datacenter server's configuration.
## Certificate Authority Federation
The primary datacenter also acts as the root Certificate Authority (CA) for Connect.
The primary datacenter generates a trust-domain UUID and obtains a root certificate
from the configured CA provider which defaults to the built-in one.
Secondary datacenters fetch the root CA public key and trust-domain ID from the
primary and generate their own key and Certificate Signing Request (CSR) for an
intermediate CA certificate. This CSR is signed by the root in the primary
datacenter and the certificate is returned. The secondary datacenter can now use
this intermediate to sign new Connect certificates in the secondary datacenter
without WAN communication. CA keys are never replicated between datacenters.
The secondary maintains watches on the root CA certificate in the primary. If the
CA root changes for any reason such as rotation or migration to a new CA, the
secondary automatically generates new keys and has them signed by the primary
datacenter's new root before initiating an automatic rotation of all issued
certificates in use throughout the secondary datacenter. This makes CA root key
rotation fully automatic and with zero downtime across multiple datacenters.
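Review bot: the gateway sentence has a typo and does not parse: "Connections can be made via gateways to enable when communciating across network topologies allowing connections between services in each datacenter without externally routable IPs at the service level." Suggest "Mesh gateways allow connections across network topologies, so services in each datacenter can connect without externally routable IPs at the service level", and give it a link like the upstream-configuration and intentions sentences have. Two smaller points: the Intention Replication paragraph says the replication token "must also be set" but not what it needs, so repeat the operator "write" / intention "read" requirement that this same change documents for `acl.tokens.replication`; and since intentions are matched by source and destination name "seamlessly across datacenters", it is worth stating in this section that an intention therefore applies in every federated datacenter, which the deleted Enterprise page made explicit.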

View File

@ -205,12 +205,6 @@ service.
}
```
-> **Note:** Connect does not currently support cross-datacenter
service communication. Therefore, prepared queries with Connect should
only be used to discover services within a single datacenter. See
[Multi-Datacenter Connect](/docs/connect/index.html#multi-datacenter) for
more information.
For full details of the additional configurable options available when using the
built-in proxy see the [built-in proxy configuration
reference](/docs/connect/configuration.html#built-in-proxy-options).
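Review bot: the removed note pointed at `/docs/connect/index.html#multi-datacenter`, and this change renames that section to "Connections Across Datacenters" in connect-internals without adding a redirect or anchor for the old fragment; grep the site for other links to `#multi-datacenter`. Rather than deleting the note outright, consider replacing it with a one-line pointer to the new section, since a prepared query in an upstream is now exactly how the built-in proxy reaches services in another datacenter.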

View File

@ -1,53 +0,0 @@
---
layout: "docs"
page_title: "Consul Enterprise Multi-Datacenter Connect"
sidebar_current: "docs-enterprise-connect-multi-datacenter"
description: |-
Consul Enterprise supports cross datacenter connections using Consul Connect.
---
# Consul Connect Multi-Datacenter
[Consul Enterprise](https://www.hashicorp.com/consul.html) enables service-to-service
connections across multiple Consul datacenters. This includes replication of intentions
and federation of Certificate Authority trust.
Sidecar proxy's [upstream configuration](/docs/connect/registration/service-registration.html#upstream-configuration-reference)
may specify an alternative datacenter or a prepared query that can address services
in multiple datacenters (such as the [geo failover](https://learn.hashicorp.com/consul/developer-discovery/geo-failover) pattern).
[Intentions](/docs/connect/intentions.html) verify connections between services by
source and destination name seamlessly across datacenters. Support for constraining Intentions
by source or destination datacenter is planned for the near future.
It is assumed that workloads can communicate between datacenters via existing network
routes and VPN tunnels, potentially using Consul's
[`translate_wan_addrs`](/docs/agent/options.html#translate_wan_addrs) to ensure remote
workloads discover an externally routable IP.
# Replication
Intention replication happens automatically but requires the [`primary_datacenter`](/docs/agent/options.html#primary_datacenter)
configuration to be set to specify a datacenter that is authoritative
for intentions. In production setups with ACLs enabled, the [replication token](/docs/agent/options.html#acl_tokens_replication)
must also be set in secondary datacenter server's configuration.
# Certificate Authority Federation
The primary datacenter also acts as the root Certificate Authority (CA) for Connect.
The primary datacenter generates a trust-domain UUID and obtains a root certificate
from the configured CA provider which defaults to the built-in one.
Secondary datacenters fetch the root CA public key and trust-domain ID from the primary and
generate their own key and Certificate Signing Request (CSR) for an intermediate CA certificate.
This CSR is signed by the root in the primary datacenter and the certificate is returned.
The secondary datacenter can now use this intermediate to sign new Connect certificates
in the secondary datacenter without WAN communication. CA keys are never replicated between
datacenters.
The secondary maintains watches on the root CA certificate in the primary. If the CA root
changes for any reason such as rotation or migration to a new CA, the secondary automatically
generates new keys and has them signed by the primary datacenter's new root before initiating
an automatic rotation of all issued certificates in use throughout the secondary datacenter.
This makes CA root key rotation fully automatic and with zero downtime across multiple data
centers.
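Review bot: two statements from this deleted page are not carried into the new connect-internals sections. The caveat "Support for constraining Intentions by source or destination datacenter is planned for the near future" is the security-relevant one: without it, a reader may assume an intention can be scoped to one datacenter when it in fact authorizes the source/destination pair across all federated datacenters. The network assumption paragraph (existing routes or VPN tunnels, `translate_wan_addrs` for externally routable IPs) still describes the non-gateway path; if dropping it is intentional because mesh gateways remove the need, say so in the new text, otherwise keep it.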

View File

@ -8,6 +8,13 @@ description: |-
<h1>Download Consul</h1>
<div class="alert alert-info" id="rc-1-4" role="alert">
<p><strong>1.6.0 beta Available:</strong> Read more about the new features coming in 1.6.0 in the
<a href="https://www.hashicorp.com/blog/hashicorp-consul-1-6">announcement post</a>. Binaries can be accessed on <a href="https://releases.hashicorp.com/consul/">releases.hashicorp.com</a>.
</p>
</div>
<section class="downloads">
<div class="description row">
<div class="col-md-12">
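Review bot: the alert keeps `id="rc-1-4"` from the 1.4 release-candidate banner while announcing the 1.6.0 beta; rename it (for example `beta-1-6`) so any CSS or analytics keyed on the id is not silently reused. Also consider linking "Binaries can be accessed on" directly to the 1.6.0 beta directory rather than the releases index, so readers do not pick up a GA build by mistake.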

View File

@ -1,8 +1,7 @@
---
description: |-
Consul is a highly available and distributed service discovery and KV
store designed with support for the modern data center to make distributed
systems and configuration easy.
Consul is a service networking solution to connect and secure services across
any runtime platform and public or private cloud
---
<div class='consul-connect'>
@ -11,11 +10,8 @@ description: |-
<div>
<div>
<div>
<a class='notification' href='/downloads.html'>
<span>New</span> HashiCorp Consul 1.5 has been released! Download now <span><svg xmlns='http://www.w3.org/2000/svg' width='6' height='10' viewBox='0 0 6 10'><path fill='#650D34' d='M1.138.529a.666.666 0 1 0-.942.943L3.724 5 .195 8.53a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z'/></svg><span>
</a>
<h1>Service Mesh Made Easy</h1>
<p>Consul is a distributed service mesh to connect, secure, and configure services across any runtime platform and public or private cloud</p>
<h1>Easy Service Networking</h1>
<p>Consul is a service networking solution to connect and secure services across any runtime platform and public or private cloud</p>
<a href='/downloads.html' class='g-btn download'>
<svg xmlns='http://www.w3.org/2000/svg' width='20' height='22' viewBox='0 0 20 22'>
<path d='M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z'/>
@ -77,7 +73,7 @@ description: |-
infrastructure changes the approach to networking from host-based to
service-based. Connectivity moves from the use of static IPs to
dynamic service discovery, and security moves from static firewalls to
dynamic service segmentation.</p>
service identity.</p>
</div>
<div class='g-timeline'>
<div>
@ -108,13 +104,15 @@ description: |-
<div class='g-container'>
<div class='intro'>
<h2>Use Cases</h2>
<p>Consul can be run as a platform to solve a range of use-cases
in service networking.</p>
</div>
<div class='g-use-cases'>
<div>
<div>
<img src='/assets/images/consul-connect/svgs/discovery-simple.svg' alt='Service Discovery'>
<h3>Service Discovery <span>for connectivity</h3>
<p>Service Registry enables services to register and discover each other.</p>
<h3>Service Discovery</h3>
<p>Use the service registry to address and discover services across multiple runtime platforms, cloud providers and regions.</p>
</div>
<div>
<a href='/discovery.html' class='g-btn dark-outline'>Learn more</a>
@ -122,19 +120,19 @@ description: |-
</div>
<div>
<div>
<img src='/assets/images/consul-connect/svgs/segmentation-simple.svg' alt='Service Segmentation'>
<h3>Service Segmentation <span>for security</h3>
<p>Secure service-to-service communication with automatic TLS encryption and identity-based authorization.</p>
<img src='/assets/images/consul-connect/svgs/segmentation-simple.svg' alt='Service Mesh'>
<h3>Service Mesh</h3>
<p>Service discovery, identity-based authorization, and L7 traffic management abstracted from application code with proxies in the service mesh pattern.</p>
</div>
<div>
<a href='/segmentation.html' class='g-btn dark-outline'>Learn more</a>
<a href='/mesh.html' class='g-btn dark-outline'>Learn more</a>
</div>
</div>
<div>
<div>
<img src='/assets/images/consul-connect/svgs/configuration-simple.svg' alt='Service Configuration'>
<h3>Service Configuration <span>for runtime configuration</h3>
<p>Feature rich Key/Value store to easily configure services.</p>
<h3>Service Configuration</h3>
<p>Utilize the distributed Key/Value store to dynamically configure services and manage complex availability requirements.</p>
</div>
<div>
<a href='/configuration.html' class='g-btn dark-outline'>Learn more</a>
@ -212,11 +210,9 @@ description: |-
<div>
<div>
<h3>Extend and Integrate</h3>
<ul>
<li>Provision clusters on any infrastructure.</li>
<li>Connect to services over TLS via proxy integrations.</li>
<li>Serve TLS certificates with pluggable Certificate Authorities.</li>
</ul>
<p>
Provision clusters on any infrastructure, connect to services over TLS via proxy integrations, and Serve TLS certificates with pluggable Certificate Authorities.
</p>
</div>
</div>
<div>
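Review bot: "and Serve TLS certificates" in the merged sentence keeps the capital S from the old list item; lowercase it. The three bullets read fine as one sentence otherwise.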

View File

@ -604,9 +604,6 @@
<li<%= sidebar_current("docs-enterprise-federation") %>>
<a href="/docs/enterprise/federation/index.html">Advanced Federation</a>
</li>
<li<%= sidebar_current("docs-enterprise-connect-multi-datacenter") %>>
<a href="/docs/enterprise/connect-multi-datacenter/index.html">Connect Multi-Datacenter</a>
</li>
<li<%= sidebar_current("docs-enterprise-network-segments") %>>
<a href="/docs/enterprise/network-segments/index.html">Network Segments</a>
</li>

View File

@ -72,7 +72,7 @@
<li><span>Use Cases<svg width="9" height="5" xmlns="http://www.w3.org/2000/svg"><path d="M8.811 1.067a.612.612 0 0 0 0-.884.655.655 0 0 0-.908 0L4.5 3.491 1.097.183a.655.655 0 0 0-.909 0 .615.615 0 0 0 0 .884l3.857 3.75a.655.655 0 0 0 .91 0l3.856-3.75z" fill="#252937" fill-rule="evenodd"/></svg></span>
<ul class="dropdown">
<li><a href="/discovery.html">Service Discovery</a></li>
<li><a href="/segmentation.html">Service Segmentation</a></li>
<li><a href="/mesh.html">Service Mesh</a></li>
<li><a href="/configuration.html">Service Configuration</a></li>
</ul>
</li>

View File

@ -1,16 +1,14 @@
---
description: |-
Consul is a highly available and distributed service discovery and KV
store designed with support for the modern data center to make distributed
systems and configuration easy.
Consul is a service networking solution to connect and secure services across
any runtime platform and public or private cloud
---
<div class='consul-connect'>
<section class='g-hero'>
<span>New Feature</span>
<h1>Service segmentation made easy</h1>
<p>Secure service-to-service communication with automatic TLS encryption and identity-based authorization</p>
<h1>Service Mesh made easy</h1>
<p>Service discovery, identity-based authorization, and L7 traffic management abstracted from application code with proxies in the service mesh pattern</p>
<div>
<a href="/downloads.html" class="g-btn download">
<svg xmlns="http://www.w3.org/2000/svg" width="20" height="22" viewBox="0 0 20 22">
@ -34,7 +32,7 @@ description: |-
</span>
<span class='dot'></span>
<h3>The Challenge</h3>
<span class='sub-heading'>Securing service-to-service communication with firewalls doesnt scale in dynamic settings.</span>
<span class='sub-heading'>Network appliances, like load balancers or firewalls with manual processes, don't scale in dynamic settings to support modern applications.</span>
<div id='segmentation-challenge-animation' class='g-animation-block'>
<%= inline_svg 'consul-connect/svgs/segmentation-challenge.svg' %>
</div>
@ -43,20 +41,21 @@ description: |-
machines and machines are frequently created and destroyed, this
perimeter-based approach is difficult to scale as it results in
complex network topologies and a sprawl of short-lived
firewall rules.</p>
firewall rules and proxy configuration.</p>
</div>
<div>
<span class='dot'></span>
<h3>The Solution</h3>
<span class='sub-heading'>Service segmentation for dynamic service authorization.</span>
<span class='sub-heading'>Service mesh as an automated and distributed approach to networking and security that can operate across platforms and private and public cloud</span>
<div id='segmentation-solution-animation' class='g-animation-block'>
<%= inline_svg 'consul-connect/svgs/segmentation-solution.svg' %>
</div>
<p>Service segmentation is a new approach to secure the service itself
rather than relying on the network. Consul uses service policies to
codify which services are allowed to communicate. These policies
scale across datacenters and large fleets without IP-based rules or
networking middleware.</p>
<p>Service mesh is a new approach to secure the service itself
rather than relying on the network. Consul uses centrally
managed service policies and configuration to enable
dynamic routing and security based on sevice identity.
These policies scale across datacenters and large fleets
without IP-based rules or networking middleware.</p>
</div>
</div>
</div>
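Review bot: typo in the new Solution paragraph, "dynamic routing and security based on sevice identity." should read "service identity". The new Solution sub-heading also lacks a terminal period while the rewritten Challenge sub-heading ends with one; make them consistent.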
@ -67,27 +66,60 @@ description: |-
<div class='intro'>
<h2>Features</h2>
</div>
<div class='g-text-asset reverse'>
<div>
<div>
<h3>Layer 7 Traffic Management</h3>
<p>Service-to-service communication policy at Layer 7 can be managed centrally, enabling advanced traffic management patterns such as service failover, path-based routing, and traffic shifting that can be applied across public and private clouds, platforms, and networks.</p>
<p>
<a class="learn-more" href='/docs/agent/config_entries.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div class='code-sample'>
<div>
<span></span>
<div class='code'><code>
Kind = <code class="keyword">"service-splitter"</code>
Name = <code class="keyword">"billing-api"</code>
Splits = [
{
Weight = 10
ServiceSubset = <code class="keyword">"v2"</code>
},
{
Weight = 90
ServiceSubset = <code class="keyword">"v1"</code>
},
]</code>
</div>
</div>
</div>
</div>
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='g-text-asset large'>
<div>
<div>
<h3>Service Access Graph </h3>
<p>Define and enforce service to service communication with a simple Intentions configuration. Service based rules, instead of IP-based rules, make it easy to manage dynamic infrastructure with frequently changing machines and service locations.</p>
<h3>Layer 7 Observability</h3>
<p>Centrally managed service observability at Layer 7 including detailed metrics on all service-to-service communication such as connections, bytes transferred, retries, timeouts, open circuits, and request rates, response codes.</p>
<p>
<a class="learn-more" href='/docs/connect/intentions.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
<a class="learn-more" href='/docs/agent/config_entries.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div>
<picture>
<source type="image/webp" srcset="
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_230.webp 230w,
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_844.webp 844w,
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.webp 1290w" />
<source type="image/jpg" srcset="
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_230.jpg 230w,
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_844.jpg 844w,
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.jpg 1290w" />
<img src='/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.jpg' alt='Service Access Graph'>
<source type="image/png" srcset="
/assets/images/consul-connect/mesh-observability/metrics_300.png 300w,
/assets/images/consul-connect/mesh-observability/metrics_976.png 976w,
/assets/images/consul-connect/mesh-observability/metrics_1200.png 1200w" />
<img src='/assets/images/consul-connect/mesh-observability/metrics_1200.png' alt='Metrics dashboard'>
</source>
</picture>
</div>
</div>
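Review bot: the new `<picture>` markup is invalid: `<source>` is a void element, so the `</source>` closing tag after `<img ... alt='Metrics dashboard'>` should be removed and the `<img>` left as the last child of `<picture>`. Browsers will mostly recover, but the stray tag will fail HTML validation. Two content points: the "Layer 7 Observability" copy is about metrics yet its Learn more link goes to `/docs/agent/config_entries.html`, the same target as the traffic-management block above it, so point it at observability documentation or drop the link; and the metrics list ends "and request rates, response codes", which needs either an "and" before the last item or the comma moved. Finally, the three inline "Learn more" SVGs on this page each declare `<mask id="a">`; duplicate ids in one document are invalid and can make the masks resolve to the wrong element, so give each a unique id or share one mask definition.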
@ -191,6 +223,28 @@ Secure Sockets Layer
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='g-text-asset'>
<div>
<div>
<h3>Mesh Gateway</h3>
<p>Connect between different cloud regions, VPCs and between overlay and underlay networks without complex network tunnels and NAT. Mesh Gateways solve routing at TLS layer while preserving end-to-end encryption and limiting attack surface area at the edge of each network.</p>
<p>
<a class="learn-more" href='https://learn.hashicorp.com/consul'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div>
<picture>
<img src='/assets/images/consul-connect/mesh-gateway/gateway_1200.png' style='width:600px' alt='Mesh gateway diagram'>
</picture>
</div>
</div>
</div>
</section>
<section class='g-section g-cta-section'>
<div>
<h2>Ready to get started?</h2>
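Review bot: the Mesh Gateway "Learn more" link goes to the generic https://learn.hashicorp.com/consul landing page, unlike the other feature blocks that link into the relevant docs; given the commit message says link TODOs were fixed, confirm this one is intentional or point it at the gateway documentation once it exists. Minor copy: "solve routing at TLS layer" should be "at the TLS layer".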

View File

@ -49,6 +49,8 @@
/docs/guides/bootstrapping.html /docs/install/bootstrapping.html
/docs/guides/sentinel.html /docs/agent/sentinel.html
/docs/connect/proxies/sidecar-service.html /docs/connect/registration/sidecar-service.html
/docs/enterprise/connect-multi-datacenter/index.html /docs/enterprise/index.html
/segmentation.html /mesh.html
# CLI renames
/docs/commands/acl/acl-bootstrap.html /docs/commands/acl/bootstrap.html
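Review bot: the redirect for the deleted multi-datacenter page sends readers to `/docs/enterprise/index.html`, which no longer contains any Connect multi-datacenter content; the replication and CA federation text now lives in the connect-internals page edited in this change, so redirect to that page (e.g. `/docs/connect/connect-internals.html`) instead, ideally with the new "Connections Across Datacenters" anchor. The `/segmentation.html` to `/mesh.html` redirect matches the nav and homepage link changes.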