Fix regression with gateway registration and update docs (#7582)
parent
8aec09aa8f
commit
b61214ef24
|
@ -130,13 +130,13 @@ func (c *cmd) init() {
|
||||||
"Sets the envoy-version that the envoy binary has.")
|
"Sets the envoy-version that the envoy binary has.")
|
||||||
|
|
||||||
c.flags.BoolVar(&c.register, "register", false,
|
c.flags.BoolVar(&c.register, "register", false,
|
||||||
"Register a new Mesh Gateway service before configuring and starting Envoy")
|
"Register a new gateway service before configuring and starting Envoy")
|
||||||
|
|
||||||
c.flags.Var(&c.lanAddress, "address",
|
c.flags.Var(&c.lanAddress, "address",
|
||||||
"LAN address to advertise in the Mesh Gateway service registration")
|
"LAN address to advertise in the gateway service registration")
|
||||||
|
|
||||||
c.flags.Var(&c.wanAddress, "wan-address",
|
c.flags.Var(&c.wanAddress, "wan-address",
|
||||||
"WAN address to advertise in the Mesh Gateway service registration")
|
"WAN address to advertise in the gateway service registration")
|
||||||
|
|
||||||
c.flags.Var(&c.bindAddresses, "bind-address", "Bind "+
|
c.flags.Var(&c.bindAddresses, "bind-address", "Bind "+
|
||||||
"address to use instead of the default binding rules given as `<name>=<ip>:<port>` "+
|
"address to use instead of the default binding rules given as `<name>=<ip>:<port>` "+
|
||||||
|
@ -229,18 +229,21 @@ func (c *cmd) Run(args []string) int {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if c.register {
|
// Gateway kind is set so that it is available even if not auto-registering the gateway
|
||||||
if c.gateway == "" {
|
if c.gateway != "" {
|
||||||
c.UI.Error("Auto-Registration can only be used for gateways")
|
|
||||||
return 1
|
|
||||||
}
|
|
||||||
|
|
||||||
kind, ok := supportedGateways[c.gateway]
|
kind, ok := supportedGateways[c.gateway]
|
||||||
if !ok {
|
if !ok {
|
||||||
c.UI.Error("Gateway must be one of: terminating or mesh")
|
c.UI.Error("Gateway must be one of: terminating or mesh")
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
c.gatewayKind = kind
|
c.gatewayKind = kind
|
||||||
|
}
|
||||||
|
|
||||||
|
if c.register {
|
||||||
|
if c.gateway == "" {
|
||||||
|
c.UI.Error("Auto-Registration can only be used for gateways")
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
if c.gatewaySvcName == "" {
|
if c.gatewaySvcName == "" {
|
||||||
c.gatewaySvcName = string(c.gatewayKind)
|
c.gatewaySvcName = string(c.gatewayKind)
|
||||||
|
|
|
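Review bot: The regression fixed in the second hunk (gatewayKind left unset when `-gateway` is passed without `-register`) has no accompanying test in the two files shown on this page, so the same ordering mistake in Run could return unnoticed. A case that runs the command with `-gateway=mesh` and no `-register` and checks the resulting gateway kind would pin the behaviour. The hoisted validation also rejects an unknown value without echoing it, and the accepted list in the message is hard-coded separately from `supportedGateways`; something like `c.UI.Error(fmt.Sprintf("Gateway must be one of: terminating or mesh (got %q)", c.gateway))` would make a mistyped flag easier to diagnose, assuming `fmt` is already imported in this file. Run begins and ends outside the hunk, so how gatewayKind is consumed afterwards is not visible here.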
@ -98,34 +98,35 @@ proxy configuration needed.
|
||||||
This token authorizes the proxy to obtain TLS certificates representing the
|
This token authorizes the proxy to obtain TLS certificates representing the
|
||||||
target service.
|
target service.
|
||||||
|
|
||||||
#### Envoy Mesh Gateway Options
|
#### Envoy Gateway Options
|
||||||
|
|
||||||
* `-mesh-gateway` - Flag to indicate that Envoy should be configured as a Mesh
|
* `-gateway` - Flag to indicate that Envoy should be configured as a Gateway.
|
||||||
Gateway. If multiple mesh gateways are managed by the same local agent then
|
Must be one of: `terminating` or `mesh`.
|
||||||
|
If multiple gateways are managed by the same local agent then
|
||||||
`-proxy-id` should be used as well to specify the instance this represents.
|
`-proxy-id` should be used as well to specify the instance this represents.
|
||||||
|
|
||||||
* `-register` - Indicates that the mesh gateway service should be registered
|
* `-register` - Indicates that the gateway service should be registered
|
||||||
with the local agent instead of expecting it to already exist. This flag
|
with the local agent instead of expecting it to already exist. This flag
|
||||||
is unused for traditional sidecar proxies.
|
is unused for traditional sidecar proxies.
|
||||||
|
|
||||||
* `-address` - The address to advertise for services within the local datacenter
|
* `-address` - The address to advertise for services within the local datacenter
|
||||||
to use to reach the mesh gateway instance. This flag is used in combination with
|
to use to reach the gateway instance. This flag is used in combination with
|
||||||
`-register`. This takes the form of `<ip address>:<port>` but also supports go-sockaddr
|
`-register`. This takes the form of `<ip address>:<port>` but also supports go-sockaddr
|
||||||
templates.
|
templates.
|
||||||
|
|
||||||
* `-wan-address` - The address to advertise for services within remote datacenters
|
* `-wan-address` - The address to advertise for services within remote datacenters
|
||||||
to use to reach the mesh gateway instance. This flag is used in combination with
|
to use to reach the gateway instance. This flag is used in combination with
|
||||||
`-register`. This takes the form of `<ip address>:<port>` but also supports go-sockaddr
|
`-register`. This takes the form of `<ip address>:<port>` but also supports go-sockaddr
|
||||||
templates.
|
templates.
|
||||||
|
|
||||||
* `-service` - The name of the mesh gateway service to register. This flag is used
|
* `-service` - The name of the gateway service to register. This flag is used
|
||||||
in combination with `-register`.
|
in combination with `-register`.
|
||||||
|
|
||||||
* `-deregister-after-critical` - The amount of time the gateway services health check can
|
* `-deregister-after-critical` - The amount of time the gateway services health check can
|
||||||
be failing before being deregistered. This flag is used in combination with `-register`
|
be failing before being deregistered. This flag is used in combination with `-register`
|
||||||
|
|
||||||
-> **Note:** If ACLs are enabled, a token granting `service:write` for the
|
-> **Note:** If ACLs are enabled, a token granting `service:write` for the
|
||||||
mesh gateway's service name must be passed using the `-token` option or
|
gateway's service name must be passed using the `-token` option or
|
||||||
`CONSUL_HTTP_TOKEN` environment variable. This token authorizes the proxy
|
`CONSUL_HTTP_TOKEN` environment variable. This token authorizes the proxy
|
||||||
to obtain receive and route communications for other Connect services but
|
to obtain receive and route communications for other Connect services but
|
||||||
does not allow decrypting any of their communications.
|
does not allow decrypting any of their communications.
|
||||||
|
@ -180,11 +181,20 @@ $ consul connect envoy -sidecar-for db -admin-bind localhost:19001
|
||||||
The mesh gateway Envoy process can be started with.
|
The mesh gateway Envoy process can be started with.
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
$ consul connect envoy -mesh-gateway -register \
|
$ consul connect envoy -gateway=mesh -register \
|
||||||
-address '{{ GetInterfaceIP "eth0" }}:8443' \
|
-address '{{ GetInterfaceIP "eth0" }}:8443' \
|
||||||
-wan-address '{{ GetInterfaceIP "eth1" }}:8443'
|
-wan-address '{{ GetInterfaceIP "eth1" }}:8443'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Terminating Gateways
|
||||||
|
|
||||||
|
The terminating gateway Envoy process can be started with.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul connect envoy -gateway=terminating -register \
|
||||||
|
-address '{{ GetInterfaceIP "eth0" }}:8443'
|
||||||
|
```
|
||||||
|
|
||||||
## Exec Security Details
|
## Exec Security Details
|
||||||
|
|
||||||
The command needs to pass the bootstrap config through to Envoy. Envoy currently
|
The command needs to pass the bootstrap config through to Envoy. Envoy currently
|
||||||
|
|