Add documentation for file-system-certificate config entry
Add new doc to nav
nathancoleman committed Apr 12, 2024
1 parent 2a44afa commit 76483f1
Showing 5 changed files with 230 additions and 94 deletions.
140 changes: 72 additions & 68 deletions website/content/api-docs/config.mdx
Expand Up @@ -39,23 +39,24 @@ The corresponding CLI command is [`consul config write`](/consul/commands/config

The ACL required depends on the config entry being written:

| Config Entry Kind | Required ACLs |
| ------------------- | -------------------------------- |
| api-gateway | `mesh:write` or `operator:write` |
| bound-api-gateway | Not writable. |
| exported-services | `mesh:write` or `operator:write` |
| http-route | `mesh:write` or `operator:write` |
| ingress-gateway | `mesh:write` or `operator:write` |
| inline-certificate | `mesh:write` or `operator:write` |
| mesh | `mesh:write` or `operator:write` |
| proxy-defaults | `mesh:write` or `operator:write` |
| service-defaults | `service:write` |
| service-intentions | `intentions:write` |
| service-resolver | `service:write` |
| service-router | `service:write` |
| service-splitter | `service:write` |
| tcp-route | `mesh:write` or `operator:write` |
| terminating-gateway | `mesh:write` or `operator:write` |
| Config Entry Kind | Required ACLs |
| ----------------------- | -------------------------------- |
| api-gateway | `mesh:write` or `operator:write` |
| bound-api-gateway | Not writable. |
| exported-services | `mesh:write` or `operator:write` |
| file-system-certificate | `mesh:write` or `operator:write` |
| http-route | `mesh:write` or `operator:write` |
| ingress-gateway | `mesh:write` or `operator:write` |
| inline-certificate | `mesh:write` or `operator:write` |
| mesh | `mesh:write` or `operator:write` |
| proxy-defaults | `mesh:write` or `operator:write` |
| service-defaults | `service:write` |
| service-intentions | `intentions:write` |
| service-resolver | `service:write` |
| service-router | `service:write` |
| service-splitter | `service:write` |
| tcp-route | `mesh:write` or `operator:write` |
| terminating-gateway | `mesh:write` or `operator:write` |

### Query Parameters

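Review bot: the `file-system-certificate` row added to the write table mirrors `inline-certificate` (`mesh:write` or `operator:write`), but the new config-entry page that the commit title says is being added is not among the files displayed in this view, so the ACLs in this row cannot be cross-checked here; confirm they agree with the Required ACLs stated on the new `file-system-certificate` page before merging.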
Expand Down Expand Up @@ -114,23 +115,24 @@ The corresponding CLI command is [`consul config read`](/consul/commands/config/

The ACL required depends on the config entry kind being read:

| Config Entry Kind | Required ACLs |
| ------------------- | -------------------------------- |
| api-gateway | `service:read` |
| bound-api-gateway | `service:read` |
| exported-services | `mesh:read` or `operator:read` |
| http-route | `mesh:read` or `operator:read` |
| ingress-gateway | `service:read` |
| inline-certificate | `mesh:read` or `operator:read` |
| mesh | No ACL required |
| proxy-defaults | No ACL required |
| service-defaults | `service:read` |
| service-intentions | `intentions:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| tcp-route | `mesh:read` or `operator:read` |
| terminating-gateway | `service:read` |
| Config Entry Kind | Required ACLs |
| ----------------------- | -------------------------------- |
| api-gateway | `service:read` |
| bound-api-gateway | `service:read` |
| exported-services | `mesh:read` or `operator:read` |
| file-system-certificate | `mesh:read` or `operator:read` |
| http-route | `mesh:read` or `operator:read` |
| ingress-gateway | `service:read` |
| inline-certificate | `mesh:read` or `operator:read` |
| mesh | No ACL required |
| proxy-defaults | No ACL required |
| service-defaults | `service:read` |
| service-intentions | `intentions:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| tcp-route | `mesh:read` or `operator:read` |
| terminating-gateway | `service:read` |

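Review bot: this is the second of four near-identical ACL tables in config.mdx (write, read, list, delete) that each gain the same row in this commit; a shared partial, or one table referenced from each endpoint section, would keep the variants from drifting the next time a config entry kind is added.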
### Path Parameters

Expand Down Expand Up @@ -192,23 +194,24 @@ The table below shows this endpoint's support for

The ACL required depends on the config entry kind being read:

| Config Entry Kind | Required ACLs |
| ------------------- | -------------------------------- |
| api-gateway | `service:read` |
| bound-api-gateway | `service:read` |
| exported-services | `mesh:read` or `operator:read` |
| http-route | `mesh:read` or `operator:read` |
| ingress-gateway | `service:read` |
| inline-certificate | `mesh:read` or `operator:read` |
| mesh | No ACL required |
| proxy-defaults | No ACL required |
| service-defaults | `service:read` |
| service-intentions | `intentions:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| tcp-route | `mesh:read` or `operator:read` |
| terminating-gateway | `service:read` |
| Config Entry Kind | Required ACLs |
| ----------------------- | -------------------------------- |
| api-gateway | `service:read` |
| bound-api-gateway | `service:read` |
| exported-services | `mesh:read` or `operator:read` |
| file-system-certificate | `mesh:read` or `operator:read` |
| http-route | `mesh:read` or `operator:read` |
| ingress-gateway | `service:read` |
| inline-certificate | `mesh:read` or `operator:read` |
| mesh | No ACL required |
| proxy-defaults | No ACL required |
| service-defaults | `service:read` |
| service-intentions | `intentions:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| tcp-route | `mesh:read` or `operator:read` |
| terminating-gateway | `service:read` |

The corresponding CLI command is [`consul config list`](/consul/commands/config/list).

Expand Down Expand Up @@ -276,23 +279,24 @@ The table below shows this endpoint's support for

The ACL required depends on the config entry kind being deleted:

| Config Entry Kind | Required ACLs |
| ------------------- | -------------------------------- |
| api-gateway | `mesh:write` or `operator:write` |
| bound-api-gateway | Not writable. |
| exported-services | `mesh:write` or `operator:write` |
| http-route | `mesh:write` or `operator:write` |
| ingress-gateway | `mesh:write` or `operator:write` |
| inline-certificate | `mesh:write` or `operator:write` |
| mesh | `mesh:write` or `operator:write` |
| proxy-defaults | `mesh:write` or `operator:write` |
| service-defaults | `service:write` |
| service-intentions | `intentions:write` |
| service-resolver | `service:write` |
| service-router | `service:write` |
| service-splitter | `service:write` |
| tcp-route | `mesh:write` or `operator:write` |
| terminating-gateway | `mesh:write` or `operator:write` |
| Config Entry Kind | Required ACLs |
| ----------------------- | -------------------------------- |
| api-gateway | `mesh:write` or `operator:write` |
| bound-api-gateway | Not writable. |
| exported-services | `mesh:write` or `operator:write` |
| file-system-certificate | `mesh:write` or `operator:write` |
| http-route | `mesh:write` or `operator:write` |
| ingress-gateway | `mesh:write` or `operator:write` |
| inline-certificate | `mesh:write` or `operator:write` |
| mesh | `mesh:write` or `operator:write` |
| proxy-defaults | `mesh:write` or `operator:write` |
| service-defaults | `service:write` |
| service-intentions | `intentions:write` |
| service-resolver | `service:write` |
| service-router | `service:write` |
| service-splitter | `service:write` |
| tcp-route | `mesh:write` or `operator:write` |
| terminating-gateway | `mesh:write` or `operator:write` |

The corresponding CLI command is [`consul config delete`](/consul/commands/config/delete).

44 changes: 22 additions & 22 deletions website/content/docs/connect/config-entries/api-gateway.mdx
Expand Up @@ -31,19 +31,19 @@ The following list outlines field hierarchy, language-specific data types, and r
- [`MaxVersion`](#listeners-tls-maxversion): string | no default
- [`CipherSuites`](#listeners-tls-ciphersuites): list of strings | Envoy default cipher suites
- [`Certificates`](#listeners-tls-certificates): list of objects | no default
- [`Kind`](#listeners-tls-certificates-kind): string | must be `"inline-certificate"`
- [`Kind`](#listeners-tls-certificates-kind): string | no default
- [`Name`](#listeners-tls-certificates-name): string | no default
- [`Namespace`](#listeners-tls-certificates-namespace): string | no default <EnterpriseAlert inline />
- [`Partition`](#listeners-tls-certificates-partition): string | no default <EnterpriseAlert inline />
- [`default`](#listeners-default): map
- [`JWT`](#listeners-default-jwt): map
- [`JWT`](#listeners-default-jwt): map
- [`Providers`](#listeners-default-jwt-providers): list
- [`Name`](#listeners-default-jwt-providers): string
- [`VerifyClaims`](#listeners-default-jwt-providers): map
- [`Path`](#listeners-default-jwt-providers): list
- [`Value`](#listeners-default-jwt-providers): string
- [`override`](#listeners-override): map
- [`JWT`](#listeners-override-jwt): map
- [`JWT`](#listeners-override-jwt): map
- [`Providers`](#listeners-override-jwt-providers): list
- [`Name`](#listeners-override-jwt-providers): string
- [`VerifyClaims`](#listeners-override-jwt-providers): map
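Review bot: the `Kind` line in the field hierarchy now reads `string | no default`, which drops the constraint that the old line carried; the Values section later in this file says the field is required and accepts only `"file-system-certificate"` or `"inline-certificate"`, so consider `string | must be "file-system-certificate" or "inline-certificate"` to keep the hierarchy and the Values section in agreement. The `JWT` indentation fixes look correct.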
Expand Down Expand Up @@ -81,8 +81,8 @@ Listeners = [
]
Certificates = [
{
Kind = "inline-certificate"
Name = "<name of inline-certificate>"
Kind = "file-system-certificate"
Name = "<name of file-system-certificate>"
Namespace = "<enterprise: namespace of the certificate>"
Partition = "<enterprise: partition of the certificate>"
}
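Review bot: the HCL specification example now shows only `Kind = "file-system-certificate"` and no longer mentions `inline-certificate` anywhere, even though that kind remains valid per the Values section; a short comment on the `Kind` line naming the alternative (or one reference of each kind in the list) would stop readers from concluding the inline form was removed.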
Expand All @@ -97,7 +97,7 @@ Listeners = [
Value = "<value of claim>"
}
]
}
}
}
override = {
JWT = {
Expand All @@ -108,7 +108,7 @@ Listeners = [
Value = "<value of claim>"
}
]
}
}
}
}
]
Expand Down Expand Up @@ -136,8 +136,8 @@ Listeners = [
],
"Certificates": [
{
"Kind": "inline-certificate",
"Name": "<name of inline-certificate>",
"Kind": "file-system-certificate",
"Name": "<name of file-system-certificate>",
"Namespace": "<enterprise: namespace of the certificate>",
"Partition": "<enterprise: partition of the certificate>"
}
Expand Down Expand Up @@ -349,7 +349,7 @@ Specifies a list of cipher suites that the listener supports when negotiating co

### `Listeners[].TLS.Certificates[]`

The list of references to inline certificates that the listener uses for TLS termination.
The list of references to file system or inline certificates that the listener uses for TLS termination.

#### Values

Expand All @@ -362,17 +362,17 @@ The list of references to inline certificates that the listener uses for TLS ter

### `Listeners[].TLS.Certificates[].Kind`

The list of references to inline-certificates that the listener uses for TLS termination.
The list of references to certificates that the listener uses for TLS termination.

#### Values

- Default: None
- This field is required and must be set to `"inline-certificate"`.
- Data type: string
- This field is required.
- The data type is one of the following string values: `"file-system-certificate"` or `"inline-certificate"`.

### `Listeners[].TLS.Certificates[].Name`

The list of references to inline certificates that the listener uses for TLS termination.
Specifies the name of the file system or inline certificate that the listener uses for TLS termination.

#### Values

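Review bot: the description under `Listeners[].TLS.Certificates[].Kind` still reads like the `Certificates[]` description ("The list of references to certificates that the listener uses ..."), but `Kind` is a single string on one certificate reference; reword it along the lines of "Specifies the kind of certificate configuration entry referenced by `Name`." The Values list in the same hunk also states the data type twice (`Data type: string` and then `The data type is one of the following string values: ...`); folding them into one bullet such as `Data type: string; must be "file-system-certificate" or "inline-certificate"` reads cleaner and matches the other Values sections in this file.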
Expand Down Expand Up @@ -400,7 +400,7 @@ Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partiti

### `Listeners[].default`

Specifies a block of default configurations to apply to the gateway listener. All routes attached to the listener inherit the default configurations. You can specify override configurations that have precedence over default configurations in the [`override` block](#listeners-override) as well as in the `JWT` block in the [HTTP route configuration entry](/consul/docs/connect/config-entries/http-route).
Specifies a block of default configurations to apply to the gateway listener. All routes attached to the listener inherit the default configurations. You can specify override configurations that have precedence over default configurations in the [`override` block](#listeners-override) as well as in the `JWT` block in the [HTTP route configuration entry](/consul/docs/connect/config-entries/http-route).

#### Values

Expand All @@ -409,7 +409,7 @@ Specifies a block of default configurations to apply to the gateway listener. Al

### `Listeners[].default{}.JWT`

Specifies a block of default JWT verification configurations to apply to the gateway listener. Specify configurations that have precedence over the defaults in either the [`override.JWT` block](#listeners-override) or in the [`JWT` block](/consul/docs/connect/config-entries/http-route#rules-filters-jwt) in the HTTP route configuration. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) for order of precedence and other details about using JWT verification in API gateways.
Specifies a block of default JWT verification configurations to apply to the gateway listener. Specify configurations that have precedence over the defaults in either the [`override.JWT` block](#listeners-override) or in the [`JWT` block](/consul/docs/connect/config-entries/http-route#rules-filters-jwt) in the HTTP route configuration. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) for order of precedence and other details about using JWT verification in API gateways.

#### Values

Expand All @@ -418,7 +418,7 @@ Specifies a block of default JWT verification configurations to apply to the gat

### `Listeners[].default{}.JWT{}.Providers`

Specifies a list of default JWT provider configurations to apply to the gateway listener. A provider configuration contains the name of the provider and claims. Specify configurations that have precedence over the defaults in either the [`override.JWT.Providers` block](#listeners-override-providers) or in the [`JWT` block](/consul/docs/connect/config-entries/http-route#rules-filters-jwt-providers) of the HTTP route configuration. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) for order of precedence and other details about using JWT verification in API gateways.
Specifies a list of default JWT provider configurations to apply to the gateway listener. A provider configuration contains the name of the provider and claims. Specify configurations that have precedence over the defaults in either the [`override.JWT.Providers` block](#listeners-override-providers) or in the [`JWT` block](/consul/docs/connect/config-entries/http-route#rules-filters-jwt-providers) of the HTTP route configuration. Refer to [Use JWTs to verify requests to API gateways](/consul/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-vms) for order of precedence and other details about using JWT verification in API gateways.

#### Values

Expand All @@ -432,7 +432,7 @@ The following table describes the parameters you can specify in a member of the
| `Name` | Specifies the name of the provider. | String | None |
| `VerifyClaims` | Specifies a list of paths and a value that define the claim that Consul verifies when it receives a request. The `VerifyClaims` map specifies the following settings: <ul><li>`Path`: Specifies a list of one or more registered or custom claims.</li><li>`Value`: Specifies the expected value of the claim.</li></ul> | Map | None |

Refer to [Configure JWT verification settings](#configure-jwt-verification-settings) for an example configuration.
Refer to [Configure JWT verification settings](#configure-jwt-verification-settings) for an example configuration.

### `Listeners[].override`

Expand All @@ -454,7 +454,7 @@ Specifies a block of JWT verification configurations to apply to the gateway lis

### `Listeners[].override{}.JWT{}.Providers`

Specifies a list of JWT provider configurations to apply to the gateway listener. A provider configuration contains the name of the provider and claims. The override settings have precedence over `Listeners[].defaults{}.JWT{}.Providers` as well as any listener-specific configuration.
Specifies a list of JWT provider configurations to apply to the gateway listener. A provider configuration contains the name of the provider and claims. The override settings have precedence over `Listeners[].defaults{}.JWT{}.Providers` as well as any listener-specific configuration.

#### Values

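Review bot: the reflowed sentence at the end of this hunk still references `Listeners[].defaults{}.JWT{}.Providers`, but the block documented above is `Listeners[].default{}.JWT{}.Providers` (singular `default`, as in the `### Listeners[].default{}.JWT{}.Providers` heading); since the line is already being touched for whitespace, fix the path so the cross-reference points at an existing section.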
Expand All @@ -468,7 +468,7 @@ The following table describes the parameters you can specify in a member of the
| `Name` | Specifies the name of the provider. | String | None |
| `VerifyClaims` | Specifies a list of paths and a value that define the claim that Consul verifies when it receives a request. The `VerifyClaims` map specifies the following settings: <ul><li>`Path`: Specifies a list of one or more registered or custom claims.</li><li>`Value`: Specifies the expected value of the claim.</li></ul> | Map | None |

Refer to [Configure JWT verification settings](#configure-jwt-verification-settings) for an example configuration.
Refer to [Configure JWT verification settings](#configure-jwt-verification-settings) for an example configuration.

## Examples

Expand Down Expand Up @@ -530,7 +530,7 @@ Listeners = [
{
"name": "listener-one",
"port": 9001,
"protocol": "http",
"protocol": "http",
"override": {
"JWT": {
"Providers": [{
Expand Down Expand Up @@ -559,4 +559,4 @@ Listeners = [
```

</Tab>
</Tabs>
</Tabs>