Add docs for using namespaces with intentions (#8594)

Freddy 2020-09-01 12:29:41 -06:00 committed by GitHub
parent 8036981dcb
commit f88f5105bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 72 additions and 20 deletions


@ -50,17 +50,23 @@ The table below shows this endpoint's support for
For a `SourceType` of `consul` this is the name of a Consul service. The For a `SourceType` of `consul` this is the name of a Consul service. The
service doesn't need to be registered. service doesn't need to be registered.
- `SourceNS` `(string: "")` <EnterpriseAlert inline /> - The namespace for the
`SourceName` parameter.
- `DestinationName` `(string: <required>)` - The destination of the intention. - `DestinationName` `(string: <required>)` - The destination of the intention.
The intention destination is always a Consul service, unlike the source. The intention destination is always a Consul service, unlike the source.
The service doesn't need to be registered. The service doesn't need to be registered.
- `DestinationNS` `(string: "")` <EnterpriseAlert inline /> - The namespace for the
`DestinationName` parameter.
- `SourceType` `(string: <required>)` - The type for the `SourceName` value. - `SourceType` `(string: <required>)` - The type for the `SourceName` value.
This can be only "consul" today to represent a Consul service. This can be only "consul" today to represent a Consul service.
- `Action` `(string: <required>)` - This is one of "allow" or "deny" for - `Action` `(string: <required>)` - This is one of "allow" or "deny" for
the action that should be taken if this intention matches a request. the action that should be taken if this intention matches a request.
- `Description` `(string: nil)` - Description for the intention. This is not - `Description` `(string: "")` - Description for the intention. This is not
used for anything by Consul, but is presented in API responses to assist used for anything by Consul, but is presented in API responses to assist
tooling. tooling.
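Review bot: The new `SourceNS` and `DestinationNS` entries give a default of `""` but do not say which namespace an empty value resolves to, or whether a wildcard is accepted there. An intention is an allow or deny rule, so a reader should be able to tell from this list exactly which namespace a rule lands in when these fields are omitted. Suggest one sentence per entry stating the effective default and whether `*` is valid.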
@ -79,7 +85,7 @@ The table below shows this endpoint's support for
### Sample Request ### Sample Request
```text ```shell-session
$ curl \ $ curl \
--request POST \ --request POST \
--data @payload.json \ --data @payload.json \
@ -128,7 +134,7 @@ The table below shows this endpoint's support for
### Sample Request ### Sample Request
```text ```shell-session
$ curl \ $ curl \
http://127.0.0.1:8500/v1/connect/intentions/e9ebc19f-d481-42b1-4871-4d298d3acd5c http://127.0.0.1:8500/v1/connect/intentions/e9ebc19f-d481-42b1-4871-4d298d3acd5c
``` ```
@ -190,7 +196,7 @@ The table below shows this endpoint's support for
### Sample Request ### Sample Request
```text ```shell-session
$ curl \ $ curl \
'http://127.0.0.1:8500/v1/connect/intentions?filter=SourceName==web' 'http://127.0.0.1:8500/v1/connect/intentions?filter=SourceName==web'
``` ```
@ -288,7 +294,7 @@ The table below shows this endpoint's support for
### Sample Request ### Sample Request
```text ```shell-session
$ curl \ $ curl \
--request PUT \ --request PUT \
--data @payload.json \ --data @payload.json \
@ -329,7 +335,7 @@ The table below shows this endpoint's support for
### Sample Request ### Sample Request
```text ```shell-session
$ curl \ $ curl \
--request DELETE \ --request DELETE \
http://127.0.0.1:8500/v1/connect/intentions/e9ebc19f-d481-42b1-4871-4d298d3acd5c http://127.0.0.1:8500/v1/connect/intentions/e9ebc19f-d481-42b1-4871-4d298d3acd5c
@ -372,13 +378,15 @@ The table below shows this endpoint's support for
- `source` `(string: <required>)` - Specifies the source service. This - `source` `(string: <required>)` - Specifies the source service. This
is specified as part of the URL. is specified as part of the URL.
This can take [several forms](/docs/commands/intention#source-and-destination-naming).
- `destination` `(string: <required>)` - Specifies the destination service. This - `destination` `(string: <required>)` - Specifies the destination service. This
is specified as part of the URL. is specified as part of the URL.
This can take [several forms](/docs/commands/intention#source-and-destination-naming).
### Sample Request ### Sample Request
```text ```shell-session
$ curl \ $ curl \
http://127.0.0.1:8500/v1/connect/intentions/check?source=web&destination=db http://127.0.0.1:8500/v1/connect/intentions/check?source=web&destination=db
``` ```
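Review bot: In the sample request, the `check?source=web&destination=db` URL is unquoted, and with the fence now tagged `shell-session` it reads as a command to paste; an unquoted `&` ends the command in a POSIX shell, so `destination=db` never reaches curl. Quote the URL the way the filter sample earlier in this file does (`'http://127.0.0.1:8500/v1/connect/intentions?filter=SourceName==web'`). The match sample request further down in this file has the same problem.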
@ -428,10 +436,11 @@ The table below shows this endpoint's support for
- `name` `(string: <required>)` - Specifies a name to match. This parameter - `name` `(string: <required>)` - Specifies a name to match. This parameter
can be repeated for batching multiple matches. can be repeated for batching multiple matches.
This can take [several forms](/docs/commands/intention#source-and-destination-naming).
### Sample Request ### Sample Request
```text ```shell-session
$ curl \ $ curl \
http://127.0.0.1:8500/v1/connect/intentions/match?by=source&name=web http://127.0.0.1:8500/v1/connect/intentions/match?by=source&name=web
``` ```
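Review bot: The link added to the `name` parameter points at a section written for CLI positional arguments (`SRC` and `DST`), so it leaves open how the namespaced and wildcard forms are passed in a query string. Suggest stating here whether `name` accepts `<namespace>/<service>` and `*/*`, and adding one sample request that shows such a value URL-encoded inside a quoted URL.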


@ -22,13 +22,19 @@ intention read permissions and don't evaluate the result.
Usage: `consul intention check [options] SRC DST` Usage: `consul intention check [options] SRC DST`
`SRC` and `DST` can both take [several forms](/docs/commands/intention#source-and-destination-naming).
#### API Options #### API Options
@include 'http_api_options_client.mdx' @include 'http_api_options_client.mdx'
#### Enterprise Options
@include 'http_api_namespace_options.mdx'
## Examples ## Examples
```text ```shell-session
$ consul intention check web db $ consul intention check web db
Denied Denied
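Review bot: With the `http_api_namespace_options.mdx` include added under Enterprise Options and `SRC`/`DST` now allowed to carry a `<namespace>/` prefix, this page offers two ways to name a namespace and no rule for which one applies when both are given. Because the output of this command is an authorization answer, the precedence should be stated explicitly. Suggest one sentence on precedence and a second example that uses a namespaced argument.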


@ -15,10 +15,16 @@ The `intention create` command creates or updates an intention.
Usage: `consul intention create [options] SRC DST` Usage: `consul intention create [options] SRC DST`
Usage: `consul intention create [options] -f FILE...` Usage: `consul intention create [options] -f FILE...`
`SRC` and `DST` can both take [several forms](/docs/commands/intention#source-and-destination-naming).
#### API Options #### API Options
@include 'http_api_options_client.mdx' @include 'http_api_options_client.mdx'
#### Enterprise Options
@include 'http_api_namespace_options.mdx'
#### Intention Create Options #### Intention Create Options
- `-allow` - Set the action to "allow" for intentions. This is the default. - `-allow` - Set the action to "allow" for intentions. This is the default.
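Review bot: The added sentence about `SRC` and `DST` covers only the first usage line; the `-f FILE...` form has no positional source or destination, and nothing here says how a file expresses a namespace. Suggest a line naming the fields that carry it, for example the `SourceNS` and `DestinationNS` parameters this commit documents for the HTTP API, if the files use that payload.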
@ -39,18 +45,18 @@ Usage: `consul intention create [options] -f FILE...`
Create an intention `web => db`: Create an intention `web => db`:
```shell ```shell-session
$ consul intention create web db $ consul intention create web db
``` ```
Create intentions from a set of files: Create intentions from a set of files:
```shell ```shell-session
$ consul intention create -file one.json two.json $ consul intention create -file one.json two.json
``` ```
Create intentions from a directory using shell expansion: Create intentions from a directory using shell expansion:
```shell ```shell-session
$ consul intention create -file intentions/*.json $ consul intention create -file intentions/*.json
``` ```
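Review bot: The file examples in this hunk use `-file`, while the usage line shown in the hunk header reads `consul intention create [options] -f FILE...`. Since these examples are being touched anyway, make the usage line and the examples agree on one flag spelling.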


@ -17,20 +17,26 @@ Usage:
- `consul intention delete [options] SRC DST` - `consul intention delete [options] SRC DST`
- `consul intention delete [options] ID` - `consul intention delete [options] ID`
`SRC` and `DST` can both take [several forms](/docs/commands/intention#source-and-destination-naming).
#### API Options #### API Options
@include 'http_api_options_client.mdx' @include 'http_api_options_client.mdx'
#### Enterprise Options
@include 'http_api_namespace_options.mdx'
## Examples ## Examples
Delete an intention from "web" to "db" with any action: Delete an intention from "web" to "db" with any action:
```text ```shell-session
$ consul intention delete web db $ consul intention delete web db
``` ```
Delete an intention by unique ID: Delete an intention by unique ID:
```text ```shell-session
$ consul intention delete 4ffed935-439c-695d-4f51-f4fc0b12a7a7 $ consul intention delete 4ffed935-439c-695d-4f51-f4fc0b12a7a7
``` ```


@ -17,13 +17,19 @@ Usage:
- `consul intention get [options] SRC DST` - `consul intention get [options] SRC DST`
- `consul intention get [options] ID` - `consul intention get [options] ID`
`SRC` and `DST` can both take [several forms](/docs/commands/intention#source-and-destination-naming).
#### API Options #### API Options
@include 'http_api_options_client.mdx' @include 'http_api_options_client.mdx'
#### Enterprise Options
@include 'http_api_namespace_options.mdx'
## Examples ## Examples
```text ```shell-session
$ consul intention get web db $ consul intention get web db
Source: web Source: web
Destination: db Destination: db


@ -42,25 +42,38 @@ of the subcommand in the sidebar.
Create an intention to allow "web" to talk to "db": Create an intention to allow "web" to talk to "db":
```shell ```shell-session
$ consul intention create web db $ consul intention create web db
``` ```
Create an intention to deny "db" from initiating connections to _any_ service: Create an intention to deny "db" from initiating connections to _any_ service:
```shell ```shell-session
$ consul intention create -deny db '*' $ consul intention create -deny db '*'
Created: db => * (deny) Created: db => * (deny)
``` ```
Test whether a "web" is allowed to connect to "db": Test whether a "web" is allowed to connect to "db":
```shell ```shell-session
$ consul intention check web db $ consul intention check web db
``` ```
Find all intentions for communicating to the "db" service: Find all intentions for communicating to the "db" service:
```shell ```shell-session
$ consul intention match db $ consul intention match db
``` ```
## Source and Destination Naming
Intention commands commonly take positional arguments referred to as `SRC` and
`DST` in the command documentation. These can take several forms:
| Format | Meaning |
| ----------------------- | -----------------------------------------------------------------------|
| `<service>` | the named service in the current namespace |
| `*` | any service in the current namespace |
| `<namespace>/<service>` | <EnterpriseAlert inline /> the named service in a specific namespace |
| `<namespace>/*` | <EnterpriseAlert inline /> any service in the specified namespace |
| `*/*` | <EnterpriseAlert inline /> any service in any namespace |
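Review bot: The wildcard rows of the new table (`*`, `<namespace>/*`, `*/*`) are shown bare, but on a command line an unquoted `*` is subject to shell filename expansion, which is why the deny example earlier in this hunk writes `'*'`. Suggest a sentence under the table saying the wildcard forms must be quoted. The first two rows also rely on "current namespace" without saying how it is determined; a short definition would close that gap.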


@ -19,10 +19,16 @@ check whether a connection would be authorized between any two services.
Usage: `consul intention match [options] SRC_OR_DST` Usage: `consul intention match [options] SRC_OR_DST`
`SRC` and `DST` can both take [several forms](/docs/commands/intention#source-and-destination-naming).
#### API Options #### API Options
@include 'http_api_options_client.mdx' @include 'http_api_options_client.mdx'
#### Enterprise Options
@include 'http_api_namespace_options.mdx'
#### Intention Match Options #### Intention Match Options
- `-destination` - Match by destination. - `-destination` - Match by destination.
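Review bot: The added sentence refers to `SRC` and `DST`, but the usage line for this command takes a single `SRC_OR_DST` argument, so the sentence names arguments that do not exist on this page. Suggest rewording it to say that `SRC_OR_DST` can take several forms, keeping the same link target.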
@ -31,7 +37,7 @@ Usage: `consul intention match [options] SRC_OR_DST`
## Examples ## Examples
```text ```shell-session
$ consul intention match -source web $ consul intention match -source web
web => db (deny) web => db (deny)
web => * (allow) web => * (allow)