Mitchell Hashimoto 097856c515 Starting Docs (#46)
* website: first stab at Connect docs

* website: lots more various stuff (bad commit messages)

* website: getting started page for Connect

* website: intentions

* website: intention APIs

* website: agent API docs

* website: document agent/catalog proxy kind service values

* website: /v1/catalog/connect/:service

* website: intention CLI docs

* website: custom proxy docs

* website: remove dedicated getting started guide

* website: add docs for CA API endpoints

* website: add docs for connect ca commands

* website: add proxy CLI docs

* website: clean up proxy command, add dev docs

* website: todo pages

* website: connect security
2018-06-25 12:24:05 -07:00

2.5 KiB

layout page_title sidebar_current description
docs Connect - Development and Debugging docs-connect-dev It is often necessary to connect to a service for development or debugging. If a service only exposes a Connect listener, then we need a way to establish a mutual TLS connection to the service. The `consul connect proxy` command can be used for this task on any machine with access to a Consul agent (local or remote).

Developing and Debugging Connect Services

It is often necessary to connect to a service for development or debugging. If a service only exposes a Connect listener, then we need a way to establish a mutual TLS connection to the service. The consul connect proxy command can be used for this task on any machine with access to a Consul agent (local or remote).

Restricting access to services only via Connect ensures that the only way to connect to a service is through valid authorization of the intentions. This can extend to developers and operators, too.

Connecting to Connect-only Services

As an example, let's assume that we have a PostgreSQL database running that we want to connect to via psql, but the only non-loopback listener is via Connect. Let's also assume that we have an ACL token to identify as operator-mitchellh. We can start a local proxy:

$ consul connect proxy \
  -service operator-mitchellh \
  -upstream postgresql:8181

This works because the source -service does not need to be registered in the local Consul catalog. However, to retrieve a valid identifying certificate, the ACL token must have service:write permissions. This can be used as a sort of "virtual service" to represent people, too. In the example above, the proxy is identifying as operator-mitchellh.

With the proxy running, we can now use psql like normal:

$ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
>

This psql session is now happening through our local proxy via an authorized mutual TLS connection to the PostgreSQL service in our Consul catalog.

Masquerading as a Service

You can also easily masquerade as any source service by setting the -service value to any service. Note that the proper ACL permissions are required to perform this task.

For example, if you have an ACL token that allows service:write for web and you want to connect to the postgresql service as "web", you can start a proxy like so:

$ consul connect proxy \
  -service web \
  -upstream postgresql:8181