Fix regression with gateway registration and update docs (#7582)

Freddy 2020-04-02 12:52:11 -06:00 committed by GitHub
parent 8aec09aa8f
commit b61214ef24
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 18 deletions


@ -130,13 +130,13 @@ func (c *cmd) init() {
"Sets the envoy-version that the envoy binary has.") "Sets the envoy-version that the envoy binary has.")
c.flags.BoolVar(&c.register, "register", false, c.flags.BoolVar(&c.register, "register", false,
"Register a new Mesh Gateway service before configuring and starting Envoy") "Register a new gateway service before configuring and starting Envoy")
c.flags.Var(&c.lanAddress, "address", c.flags.Var(&c.lanAddress, "address",
"LAN address to advertise in the Mesh Gateway service registration") "LAN address to advertise in the gateway service registration")
c.flags.Var(&c.wanAddress, "wan-address", c.flags.Var(&c.wanAddress, "wan-address",
"WAN address to advertise in the Mesh Gateway service registration") "WAN address to advertise in the gateway service registration")
c.flags.Var(&c.bindAddresses, "bind-address", "Bind "+ c.flags.Var(&c.bindAddresses, "bind-address", "Bind "+
"address to use instead of the default binding rules given as `<name>=<ip>:<port>` "+ "address to use instead of the default binding rules given as `<name>=<ip>:<port>` "+
@ -229,18 +229,21 @@ func (c *cmd) Run(args []string) int {
} }
} }
if c.register { // Gateway kind is set so that it is available even if not auto-registering the gateway
if c.gateway == "" { if c.gateway != "" {
c.UI.Error("Auto-Registration can only be used for gateways")
return 1
}
kind, ok := supportedGateways[c.gateway] kind, ok := supportedGateways[c.gateway]
if !ok { if !ok {
c.UI.Error("Gateway must be one of: terminating or mesh") c.UI.Error("Gateway must be one of: terminating or mesh")
return 1 return 1
} }
c.gatewayKind = kind c.gatewayKind = kind
}
if c.register {
if c.gateway == "" {
c.UI.Error("Auto-Registration can only be used for gateways")
return 1
}
if c.gatewaySvcName == "" { if c.gatewaySvcName == "" {
c.gatewaySvcName = string(c.gatewayKind) c.gatewaySvcName = string(c.gatewayKind)
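Review bot: The regression fixed in the second hunk of `Run` (the gateway kind was only resolved when `-register` was set) gets no test here, as far as the page shows: it lists two changed files, this one and the docs. A case that runs the command with `-gateway=mesh` and no `-register`, and a second with an unsupported `-gateway` value and no `-register` expecting exit code 1, would pin both paths of the moved check. The message `"Gateway must be one of: terminating or mesh"` also hard-codes the accepted kinds while the lookup reads `supportedGateways`, so it will go stale when a kind is added; building the list from the map's keys would keep them in step. `Run` begins and ends outside the hunk, so how `c.gatewayKind` is consumed further down is not visible here.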


@ -98,34 +98,35 @@ proxy configuration needed.
This token authorizes the proxy to obtain TLS certificates representing the This token authorizes the proxy to obtain TLS certificates representing the
target service. target service.
#### Envoy Mesh Gateway Options #### Envoy Gateway Options
* `-mesh-gateway` - Flag to indicate that Envoy should be configured as a Mesh * `-gateway` - Flag to indicate that Envoy should be configured as a Gateway.
Gateway. If multiple mesh gateways are managed by the same local agent then Must be one of: `terminating` or `mesh`.
If multiple gateways are managed by the same local agent then
`-proxy-id` should be used as well to specify the instance this represents. `-proxy-id` should be used as well to specify the instance this represents.
* `-register` - Indicates that the mesh gateway service should be registered * `-register` - Indicates that the gateway service should be registered
with the local agent instead of expecting it to already exist. This flag with the local agent instead of expecting it to already exist. This flag
is unused for traditional sidecar proxies. is unused for traditional sidecar proxies.
* `-address` - The address to advertise for services within the local datacenter * `-address` - The address to advertise for services within the local datacenter
to use to reach the mesh gateway instance. This flag is used in combination with to use to reach the gateway instance. This flag is used in combination with
`-register`. This takes the form of `<ip address>:<port>` but also supports go-sockaddr `-register`. This takes the form of `<ip address>:<port>` but also supports go-sockaddr
templates. templates.
* `-wan-address` - The address to advertise for services within remote datacenters * `-wan-address` - The address to advertise for services within remote datacenters
to use to reach the mesh gateway instance. This flag is used in combination with to use to reach the gateway instance. This flag is used in combination with
`-register`. This takes the form of `<ip address>:<port>` but also supports go-sockaddr `-register`. This takes the form of `<ip address>:<port>` but also supports go-sockaddr
templates. templates.
* `-service` - The name of the mesh gateway service to register. This flag is used * `-service` - The name of the gateway service to register. This flag is used
in combination with `-register`. in combination with `-register`.
* `-deregister-after-critical` - The amount of time the gateway services health check can * `-deregister-after-critical` - The amount of time the gateway services health check can
be failing before being deregistered. This flag is used in combination with `-register` be failing before being deregistered. This flag is used in combination with `-register`
-> **Note:** If ACLs are enabled, a token granting `service:write` for the -> **Note:** If ACLs are enabled, a token granting `service:write` for the
mesh gateway's service name must be passed using the `-token` option or gateway's service name must be passed using the `-token` option or
`CONSUL_HTTP_TOKEN` environment variable. This token authorizes the proxy `CONSUL_HTTP_TOKEN` environment variable. This token authorizes the proxy
to obtain receive and route communications for other Connect services but to obtain receive and route communications for other Connect services but
does not allow decrypting any of their communications. does not allow decrypting any of their communications.
@ -180,11 +181,20 @@ $ consul connect envoy -sidecar-for db -admin-bind localhost:19001
The mesh gateway Envoy process can be started with. The mesh gateway Envoy process can be started with.
```sh ```sh
$ consul connect envoy -mesh-gateway -register \ $ consul connect envoy -gateway=mesh -register \
-address '{{ GetInterfaceIP "eth0" }}:8443' \ -address '{{ GetInterfaceIP "eth0" }}:8443' \
-wan-address '{{ GetInterfaceIP "eth1" }}:8443' -wan-address '{{ GetInterfaceIP "eth1" }}:8443'
``` ```
### Terminating Gateways
The terminating gateway Envoy process can be started with.
```sh
$ consul connect envoy -gateway=terminating -register \
-address '{{ GetInterfaceIP "eth0" }}:8443'
```
## Exec Security Details ## Exec Security Details
The command needs to pass the bootstrap config through to Envoy. Envoy currently The command needs to pass the bootstrap config through to Envoy. Envoy currently