From be51211ccf40bdd16f618f9b68351c99c477efeb Mon Sep 17 00:00:00 2001 From: Tu Nguyen Date: Mon, 6 Nov 2023 14:03:04 -0800 Subject: [PATCH] manually backport #19514 --- .../connect/gateways/api-gateway/index.mdx | 4 +- .../secure-traffic/verify-jwts-k8s.mdx | 2 + .../secure-traffic/verify-jwts-vms.mdx | 2 + website/content/docs/enterprise/index.mdx | 75 +++++++++++-------- .../docs/release-notes/consul-ecs/v0_7_x.mdx | 69 +++++++++++++++++ .../docs/release-notes/consul-k8s/v1_3_x.mdx | 51 +++++++++++++ website/data/docs-nav-data.json | 10 ++- 7 files changed, 178 insertions(+), 35 deletions(-) create mode 100644 website/content/docs/release-notes/consul-ecs/v0_7_x.mdx create mode 100644 website/content/docs/release-notes/consul-k8s/v1_3_x.mdx diff --git a/website/content/docs/connect/gateways/api-gateway/index.mdx b/website/content/docs/connect/gateways/api-gateway/index.mdx index a5edc2cf7038..5b29311bbc9b 100644 --- a/website/content/docs/connect/gateways/api-gateway/index.mdx +++ b/website/content/docs/connect/gateways/api-gateway/index.mdx 
@@ -52,8 +52,8 @@ Refer to the following resources for help setting up and using API gateways: - [Reroute HTTP requests in Kubernetes](/consul/docs/connect/gateways/api-gateway/define-routes/reroute-http-requests) - [Route traffic to peered services in Kubernetes](/consul/docs/connect/gateways/api-gateway/define-routes/route-to-peered-services) - [Encrypt API gateway traffic on VMs](/consul/docs/connect/gateways/api-gateway/secure-traffic/encrypt-vms) -- [Use JWTs to verify requests to API gateways on VMs](/consul/docs/connect/gateways/api-gateway/secure-traffic/jwts-vms) -- [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/jwts-k8s) +- [Use JWTs to verify requests to API gateways on VMs](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) +- [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) ### Reference diff --git a/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx b/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx index dc390baad04b..6e9b9a958587 100644 --- a/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx +++ b/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx 
@@ -8,6 +8,8 @@ description: Learn how to use JSON web tokens (JWT) to verify requests from exte This topic describes how to use JSON web tokens (JWT) to verify requests to API gateways deployed to Kubernetes-orchestrated containers. If your API gateway is deployed to virtual machines, refer to [Use JWTs to verify requests to API gateways on VMs](/consu/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms). + This feature is available in Consul Enterprise. + ## Overview You can configure API gateways to use JWTs to verify incoming requests so that you can stop unverified traffic at the gateway. You can configure JWT verification at different levels: diff --git a/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms.mdx b/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms.mdx index efb960f580ff..bd10964887d3 100644 --- a/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms.mdx +++ b/website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms.mdx @@ -8,6 +8,8 @@ description: Learn how to use JSON web tokens (JWT) to verify requests from exte This topic describes how to use JSON web tokens (JWT) to verify requests to API gateways on virtual machines (VM). If your services are deployed to Kubernetes-orchestrated containers, refer to [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms). + This feature is available in Consul Enterprise. + ## Overview You can configure API gateways to use JWTs to verify incoming requests so that you can stop unverified traffic at the gateway. You can configure JWT verification at different levels: diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index 34a8725b4648..dd4c8a600138 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx 
@@ -27,6 +27,8 @@ The following features are [available in several forms of Consul Enterprise](#co - [Automated Backups](/consul/docs/enterprise/backups): Configure the automatic backup of Consul state - [Redundancy Zones](/consul/docs/enterprise/redundancy): Deploy backup voting Consul servers to efficiently improve Consul fault tolerance - [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips): Limit gRPC and RPC traffic to servers for source IP addresses. +- [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates): Limit the rate of HTTP requests a service receives per service instance. +- [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams): Prioritize upstream services in the same region and zone as the downstream service. ### Scalability @@ -46,6 +48,7 @@ The following features are [available in several forms of Consul Enterprise](#co - [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc): Manage user access to Consul through an OIDC identity provider instead of Consul ACL tokens directly - [Audit Logging](/consul/docs/enterprise/audit-logging): Understand Consul access and usage patterns by reviewing access to the Consul HTTP API +- JWT authentication and authorization for API gateway: Prevent unverified traffic at the API gateway using JWTs for authentication and authorization on [VMs](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) and on [Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s): ### Regulatory compliance 
@@ -116,42 +119,47 @@ Consul Enterprise feature availability can change depending on your server and c -| Enterprise Feature | VM Client | K8s Client | ECS Client | -| ----------------------------------------------------------------------- | :-------: | :--------: | :--------: | -| [Admin Partitions](/consul/docs/enterprise/admin-partitions) | ✅ | ✅ | ✅ | -| [Audit Logging](/consul/docs/enterprise/audit-logging) | ✅ | ✅ | ✅ | -| [Automated Server Backups](/consul/docs/enterprise/backups) | ✅ | ✅ | ✅ | -| [Automated Server Upgrades](/consul/docs/enterprise/upgrades) | ✅ | ✅ | ✅ | -| [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | ✅ | ✅ | ✅ | -| [FIPS 140-2 Compliance](/consul/docs/enterprise/fips) | ✅ | ✅ | ❌ | -| [Namespaces](/consul/docs/enterprise/namespaces) | ✅ | ✅ | ✅ | -| [Network Areas](/consul/docs/enterprise/federation) | ✅ | ✅ | ✅ | -| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ✅ | ❌ | ❌ | -| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ✅ | ✅ | ✅ | -| [Redundancy Zones](/consul/docs/enterprise/redundancy) | ✅ | ✅ | ✅ | -| [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | ✅ | ✅ | ✅ | -| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | +| Enterprise Feature | VM Client | K8s Client | ECS Client | +|----------------------------------------------------------------------------------------------------------|:---------:|:----------:| :--------: | +| [Admin Partitions](/consul/docs/enterprise/admin-partitions) | ✅ | ✅ | ✅ | +| [Audit Logging](/consul/docs/enterprise/audit-logging) | ✅ | ✅ | ✅ | +| [Automated Server Backups](/consul/docs/enterprise/backups) | ✅ | ✅ | ✅ | +| [Automated Server Upgrades](/consul/docs/enterprise/upgrades) | ✅ | ✅ | ✅ | +| [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | ✅ | ✅ | ✅ | +| [FIPS 140-2 Compliance](/consul/docs/enterprise/fips) | ✅ | 
✅ | ✅ | +| [JWT verification for API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) | ✅ | ✅ | ❌ | +| [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams) | ✅ | ✅ | ✅ | +| [Namespaces](/consul/docs/enterprise/namespaces) | ✅ | ✅ | ✅ | +| [Network Areas](/consul/docs/enterprise/federation) | ✅ | ✅ | ✅ | +| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ✅ | ❌ | ❌ | +| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ✅ | ✅ | ✅ | +| [Redundancy Zones](/consul/docs/enterprise/redundancy) | ✅ | ✅ | ✅ | +| [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | ✅ | ✅ | ✅ | +| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | +| [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates) | ✅ | ✅ | ✅ | -| Enterprise Feature | VM Client | K8s Client | ECS Client | -| ----------------------------------------------------------------------- | :-------: | :--------: | :--------: | -| [Admin Partitions](/consul/docs/enterprise/admin-partitions) | ✅ | ✅ | ✅ | -| [Audit Logging](/consul/docs/enterprise/audit-logging) | ✅ | ✅ | ✅ | -| [Automated Server Backups](/consul/docs/enterprise/backups) | ✅ | ✅ | ✅ | -| [Automated Server Upgrades](/consul/docs/enterprise/upgrades) | ❌ | ❌ | ❌ | -| [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | ❌ | ❌ | ❌ | -| [FIPS 140-2 Compliance](/consul/docs/enterprise/fips) | ✅ | ✅ | ❌ | -| [Namespaces](/consul/docs/enterprise/namespaces) | ✅ | ✅ | ✅ | -| [Network Areas](/consul/docs/enterprise/federation) | ✅ | ✅ | ✅ | -| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ❌ | ❌ | ❌ | -| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ✅ | ✅ | ✅ | -| [Redundancy Zones](/consul/docs/enterprise/redundancy) | ❌ | ❌ | ❌ | -| [Sameness 
Groups](/consul/docs/connect/config-entries/sameness-group) | ✅ | ✅ | ✅ | -| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | - +| Enterprise Feature | VM Client | K8s Client | ECS Client | +|---------------------------------------------------------------------------------------------------------------| :-------: | :--------: | :--------: | +| [Admin Partitions](/consul/docs/enterprise/admin-partitions) | ✅ | ✅ | ✅ | +| [Audit Logging](/consul/docs/enterprise/audit-logging) | ✅ | ✅ | ✅ | +| [Automated Server Backups](/consul/docs/enterprise/backups) | ✅ | ✅ | ✅ | +| [Automated Server Upgrades](/consul/docs/enterprise/upgrades) | ❌ | ❌ | ❌ | +| [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | ❌ | ❌ | ❌ | +| [FIPS 140-2 Compliance](/consul/docs/enterprise/fips) | ✅ | ✅ | ✅ | +| [JWT verification for API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s) | ✅ | ✅ | ❌ | +| [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams) | ✅ | ✅ | ✅ | +| [Namespaces](/consul/docs/enterprise/namespaces) | ✅ | ✅ | ✅ | +| [Network Areas](/consul/docs/enterprise/federation) | ✅ | ✅ | ✅ | +| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ❌ | ❌ | ❌ | +| [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ✅ | ✅ | ✅ | +| [Redundancy Zones](/consul/docs/enterprise/redundancy) | ❌ | ❌ | ❌ | +| [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | ✅ | ✅ | ✅ | +| [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | +| [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates) | ✅ | ✅ | ✅ | 
@@ -164,6 +172,8 @@ Consul Enterprise feature availability can change depending on your server and c | [Automated Server Upgrades](/consul/docs/enterprise/upgrades) | ✅ | ✅ | ✅ | | [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | ❌ | ❌ | ❌ | | [FIPS 140-2 Compliance](/consul/docs/enterprise/fips) | ❌ | ❌ | ❌ | +| [JWT verification for API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) | ✅ | ✅ | ❌ | +| [Locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams) | ✅ | ✅ | ✅ | | [Namespaces](/consul/docs/enterprise/namespaces) | ✅ | ✅ | ✅ | | [Network Areas](/consul/docs/enterprise/federation) | ❌ | ❌ | ❌ | | [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ❌ | ❌ | ❌ | @@ -171,6 +181,7 @@ Consul Enterprise feature availability can change depending on your server and c | [Redundancy Zones](/consul/docs/enterprise/redundancy) | n/a | n/a | n/a | | [Sameness Groups](/consul/docs/connect/config-entries/sameness-group) | ✅ | ✅ | ✅ | | [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | +| [Traffic rate limiting for services](/consul/docs/connect/manage-traffic/limit-request-rates) | ✅ | ✅ | ✅ | - + \ No newline at end of file diff --git a/website/content/docs/release-notes/consul-ecs/v0_7_x.mdx b/website/content/docs/release-notes/consul-ecs/v0_7_x.mdx new file mode 100644 index 000000000000..be154b746db6 --- /dev/null +++ b/website/content/docs/release-notes/consul-ecs/v0_7_x.mdx 
@@ -0,0 +1,69 @@ +--- +layout: docs +page_title: 0.7.x +description: >- + Consul ECS release notes for version 0.7.x +--- + +# Consul ECS 0.7.x + +## Release highlights + +- **Consul Dataplane:** Consul on ECS 0.7.x adopts the [Dataplane architecture](/consul/docs/connect/dataplane) to simplify connecting your ECS workloads to Consul. Refer to the documentation to learn more about the updated [ECS components](/consul/docs/ecs/architecture) and how to [deploy Consul to ECS using the Terraform module](/consul/docs/ecs/deploy/terraform). + +- **New `control-plane` command:** The new, unified `control-plane` command combines the capabilities for the deprecated `mesh-init` and `health-sync` commands. The `control-plane` command starts a long running process with the following responsibilities: + - Automatically (re)discover and (re)connect to Consul servers using connection manager. + - Make an ACL Login request to obtain an ACL token when using the Consul AWS IAM auth method. + - Register the service and sidecar proxy with the central catalog on the Consul servers. + - Write the configuration for Consul Dataplane to a file on a shared volume. + - Sync ECS health check statuses for the ECS task into the central catalog on the Consul servers on a periodic basis. + - Gracefully shutdown when an ECS task is stopped. Upon receiving a SIGTERM, mark synced health checks critical and wait for Consul Dataplane to stop. Then remove health checks, services, and perform an ACL Logout if necessary. + +- **New `controller` command:** The new `controller` command replaces the `acl-controller` command with the following changes: + - Remove all CLI flags. Configuration is read from the `ECS_CONFIG_JSON` environment variable. + - Automatically (re)discover and (re)connect to Consul servers, similar to the `control-plane` command. 
+ - Because Consul client agents are no longer used, the controller no longer configures the "client" auth method, policy, role, and binding rule which previously enabled Consul client agents to login. + - Register the ECS cluster as a synthetic node in the central catalog on the Consul servers. The synthetic node is used to register services running in the ECS cluster. + - Ensure leftover tokens and services are removed for ECS tasks that have stopped. + +- **Locality aware routing (Enterprise):** Consul on ECS 0.7.x supports [locality-aware routing](/consul/docs/connect/manage-traffic/route-to-local-upstreams). In your ECS task meta JSON, set the `AWS_REGION` container environment variable and `AvailabilityZone` attributes to set the locality parameters in Consul service and proxy registrations. Consul uses these parameters to perform locality aware routing in Consul Enterprise installations. + +## Breaking changes + +- The new Dataplane architecture comes with the following breaking changes to configuring Consul on ECS. Refer to the [Upgrade to Consul dataplane architecture](https://developer.hashicorp.com/consul/docs/ecs/upgrade-to-dataplanes) documentation for a step-by-step upgrade guide. + - Consul client agents are no longer used. + - Consul Dataplane must be run in place of Envoy in each ECS task. Consul Dataplane manages the Envoy process and proxies xDS requests from Envoy to Consul servers. + - The `consul-ecs` binary now communicates with Consul servers using HTTP(S) and GRPC. + - Services are registered directly with the central catalog on the Consul servers. Services in the same ECS cluster are registered to the same Consul node name. +- Replaced the `mesh-init` and `health-sync` commands with a unified `control-plane`. +- Replaced the `acl-controller` command with `controller`. +- Add the `go-discover` binary to the Consul ECS image to better support [cloud auto-join](/consul/docs/install/cloud-auto-join). +- Changes to `ECS_CONFIG_JSON` schema. 
+ - Remove the `consulHTTPAddr` and `consulCACertFile` fields. + - Add the `consulLogin.datacenter` field. + - Add the `controller` field to support configuring the new `controller` command. + - Add the `consulServers` field to specify the Consul server location and protocol-specific settings. + - The `consulServers.hosts` field is required. This specifies the Consul server location as an IP address, DNS name, or `exec=` string specifying a command that returns a list of IP addresses. To use cloud auto-join, use an `exec=` string to run the `discover` CLI. For example, the following string invokes the discover CLI with a cloud auto-join string: + + ```log + exec=discover -q addrs provider=aws region=us-west-2 tag_key=consul-server tag_value=true + ``` + + By default, Consul ECS and Consul Dataplane images include the `discover` CLI. + - Add the `proxy.healthCheckPort` field which can be hit to determine Envoy's readiness. + - Add the `proxy.upstreams.destinationPeer` field to enable the proxy to hit upstreams present in peer Consul clusters. + - Add the `meshGateway.healthCheckPort` field which can be hit to determine Envoy's readiness. + - Add the `proxy.localServiceAddress` field to configure Envoy to use a different address for the local service. + - Remove the `service.checks` field. Consul agent health checks are no longer supported because Consul client agents are not used. Instead, set the healthSyncContainers field to have consul-ecs sync ECS health checks into Consul. + +## Supported software versions + +- Consul: 1.17.x + +## Changelogs + +The changelogs for this major release version and any maintenance versions are listed below. + +-> **Note**: These links will take you to the changelogs on the GitHub website. + +- [0.7.0](https://github.com/hashicorp/consul-ecs/releases/tag/v0.7.0) 
diff --git a/website/content/docs/release-notes/consul-k8s/v1_3_x.mdx b/website/content/docs/release-notes/consul-k8s/v1_3_x.mdx new file mode 100644 index 000000000000..5282460674af --- /dev/null +++ b/website/content/docs/release-notes/consul-k8s/v1_3_x.mdx 
@@ -0,0 +1,51 @@ +--- +layout: docs +page_title: 1.3.x +description: >- + Consul on Kubernetes release notes for version 1.3.x +--- + +# Consul on Kubernetes 1.3.0 + +We are pleased to announce the following Consul updates. + +## Release highlights + +- **Catalog v2:** This release provides the ability to preview Consul's v2 Catalog and Resource API. You must enable this feature. +Catalog v2 supports multi-port application deployments with a single Envoy proxy. Refer to the [v2 Catalog and Resource API](/consul/docs/v1.17.x/k8s/multiport) documentation for more information. + + The v1 and v2 catalogs are not cross compatible, and not all Consul features are available within this v2 feature preview. + + - The Consul UI must be disabled. It does not support multi-port services or the v2 catalog API in this release. + - HCP Consul does not support multi-port services or the v2 catalog API in this release. + - The v2 API only supports transparent proxy mode where services that have permissions to connect to each other can use Kube DNS to connect. + + The v2 Catalog and Resources API is currently in feature preview for Consul on Kubernetes 1.3.0 and should not be used in production environments. + +## Supported software + + Consul 1.15.x and 1.14.x are not supported. Please refer to Supported Consul and Kubernetes versions for more detail on choosing the correct consul-k8s version. + +- Consul 1.17.x. +- Consul Dataplane v1.2.x. Refer to Envoy and Consul Dataplane for details about Consul Dataplane versions and the available packaged Envoy version. +- Kubernetes 1.24.x - 1.27.x +- kubectl 1.24.x - 1.27.x +- Helm 3.6+ + +## Upgrading + +For more detailed information, please refer to the [upgrade details page](/consul/docs/upgrading/upgrade-specific) and the changelogs. + +## Known Issues + +The following issues are known to exist in the v1.3.x releases. Refer to the changelog for more information. 
+ +- When using the v2 API with transparent proxy, Kubernetes pods cannot use L7 liveness, readiness, or startup probes. + +## Changelogs + +The changelogs for this major release version and any maintenance versions are listed below. + + These links take you to the changelogs on the GitHub website. + +- [1.3.0](https://github.com/hashicorp/consul-k8s/releases/tag/v1.3.0) diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 2989c955e646..28c9ba0f07c4 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -186,6 +186,10 @@ { "title": "Consul K8s", "routes": [ + { + "title": "v1.3.x", + "path": "release-notes/consul-k8s/v1_3_x" + }, { "title": "v1.2.x", "path": "release-notes/consul-k8s/v1_2_x" @@ -240,6 +244,10 @@ { "title": "Consul ECS", "routes": [ + { + "title": "v0.7.x", + "path": "release-notes/consul-ecs/v0_7_x" + }, { "title": "v0.5.x", "path": "release-notes/consul-ecs/v0_5_x" @@ -1996,4 +2004,4 @@ "path": "guides", "hidden": true } -] +] \ No newline at end of file
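Review bot: in the verify-jwts-k8s.mdx hunk, the unchanged context line directly above the added "This feature is available in Consul Enterprise." sentence links to `/consu/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms`; `consu` is missing the `l`, so the cross-link to the VM page is dead. Since this backport is already editing that paragraph, fix the path to `/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms` in the same change.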
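Review bot: in the verify-jwts-vms.mdx hunk, the context line "refer to [Use JWTs to verify requests to API gateways on Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms)" points back at the VM page itself instead of the Kubernetes page; the target should be `/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s`. Worth fixing here, because the api-gateway/index.mdx hunk in this same patch is correcting exactly these two paths.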
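Review bot: the bullet added in the @@ -46,6 hunk of enterprise/index.mdx ends with a stray colon after the Kubernetes link ("... and on [Kubernetes](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s):"); drop it so the bullet ends like the "OIDC Auth Method" and "Audit Logging" bullets above it. It is also the only item in that list whose title is not itself a link; linking "JWT authentication and authorization for API gateway" to one of the two pages would match the surrounding entries.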
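Review bot: the @@ -116,42 hunk in enterprise/index.mdx flips [FIPS 140-2 Compliance] for the ECS Client from ❌ to ✅ in both rewritten tables, but the commit message is only "manually backport #19514" and nothing in the patch explains why ECS clients are now FIPS-capable, while the third table (@@ -164,6) still shows FIPS as ❌ in every column. Readers use this matrix for compliance decisions, so either confirm in the commit message that ECS clients ship as FIPS builds for this version or revert those two cells. Separately, the new "JWT verification for API gateways" row links to verify-jwts-vms in the first table and verify-jwts-k8s in the second; pick one target (or the parent secure-traffic page) so the same feature row is consistent.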
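Review bot: the @@ -171,6 hunk in enterprise/index.mdx ends with "\ No newline at end of file", i.e. the rewrite strips the trailing newline from the file. Restore it; otherwise every later diff touching this file will show a spurious change on its last line.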
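Review bot: in the new consul-ecs/v0_7_x.mdx, the `consulServers.hosts` bullet introduces an `exec=` form that is "a command that returns a list of IP addresses" but never says that this command is executed inside the container where `consul-ecs` reads `ECS_CONFIG_JSON`; add a sentence making that explicit, because it means the task definition's environment is now code-execution-equivalent configuration and must be treated as trusted (anyone who can edit `ECS_CONFIG_JSON` can run arbitrary commands via `exec=`). The example string itself is fenced as ```log although it is a command line; tag it ```shell or ```text. In the same list, `consulCACertFile` is removed but the text does not say where the CA/TLS settings for the server connection now live (the `consulServers` "protocol-specific settings"?); spell that out, since silently losing the CA file is how operators end up running without TLS verification. Minor: `healthSyncContainers` and `consul-ecs` should be in backticks like the other field names, "GRPC" should be "gRPC", "long running" should be "long-running", "Gracefully shutdown" should be "Gracefully shut down", and the "Upgrade to Consul dataplane architecture" link uses an absolute developer.hashicorp.com URL while every other link on the page is site-relative.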
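Review bot: in the new consul-k8s/v1_3_x.mdx, the "Supported software" section says "Please refer to Supported Consul and Kubernetes versions" and "Refer to Envoy and Consul Dataplane for details" but neither phrase is linked, unlike the equivalent references in the ECS release notes added by this same patch; add the links. The heading "# Consul on Kubernetes 1.3.0" disagrees with the page_title "1.3.x" and with the "Known Issues" text ("the v1.3.x releases"); use 1.3.x. The changelog line "These links take you to the changelogs on the GitHub website." lacks the `-> **Note**:` callout marker the ECS page uses for the identical sentence. Minor: "Kube DNS" should be "Kubernetes DNS", and "cross compatible" reads better as "cross-compatible".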
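Review bot: the docs-nav-data.json hunks add the v1.3.x and v0.7.x entries at the top of their lists as expected, but the final hunk at @@ -1996,4 changes only the trailing newline ("-] +] \ No newline at end of file"); drop that hunk so the file keeps its newline and the diff stays limited to the two nav entries.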