diff --git a/GNUmakefile b/GNUmakefile
index e874fa0eb706..3443b71db7b7 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -337,7 +337,7 @@ fmt: $(foreach mod,$(GO_MODULES),fmt/$(mod))
 .PHONY: fmt/%
 fmt/%:
 @echo "--> Running go fmt ($*)"
- @cd $* && go fmt ./...
+ @cd $* && gofmt -s -l -w .
 .PHONY: lint
 lint: $(foreach mod,$(GO_MODULES),lint/$(mod)) lint-container-test-deps
diff --git a/agent/config/builder.go b/agent/config/builder.go
index 063771b0f7d0..665688b8c864 100644
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@@ -828,6 +828,7 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 Version: stringVal(c.Version),
 VersionPrerelease: stringVal(c.VersionPrerelease),
 VersionMetadata: stringVal(c.VersionMetadata),
+ Experiments: c.Experiments,
 // What is a sensible default for BuildDate?
 BuildDate: timeValWithDefault(c.BuildDate, time.Date(1970, 1, 00, 00, 00, 01, 0, time.UTC)),
diff --git a/agent/config/config.go b/agent/config/config.go
index d8d7149afebf..8917a60858d6 100644
--- a/agent/config/config.go
+++ b/agent/config/config.go
@@ -183,6 +183,7 @@ type Config struct {
 EncryptKey *string `mapstructure:"encrypt" json:"encrypt,omitempty"`
 EncryptVerifyIncoming *bool `mapstructure:"encrypt_verify_incoming" json:"encrypt_verify_incoming,omitempty"`
 EncryptVerifyOutgoing *bool `mapstructure:"encrypt_verify_outgoing" json:"encrypt_verify_outgoing,omitempty"`
+ Experiments []string `mapstructure:"experiments" json:"experiments,omitempty"`
 GossipLAN GossipLANConfig `mapstructure:"gossip_lan" json:"-"`
 GossipWAN GossipWANConfig `mapstructure:"gossip_wan" json:"-"`
 HTTPConfig HTTPConfig `mapstructure:"http_config" json:"-"`
diff --git a/agent/config/default.go b/agent/config/default.go
index 3af8d0867d4c..536ac7ac3340 100644
--- a/agent/config/default.go
+++ b/agent/config/default.go
@@ -209,6 +209,9 @@ func DevSource() Source {
 ports = {
 grpc = 8502
 }
+ experiments = [
+ "resource-apis"
+ ]
 `,
 }
 }
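Review bot: `gofmt -s -l -w .` on the replaced recipe line walks every directory under the module root, including any vendor directory or nested module that the `./...` package pattern of the old `go fmt ./...` excludes, so the fmt target may now rewrite third-party or generated sources. If that widening is not intended, keep the package-scoped set by feeding gofmt the package directories, e.g. `@cd $* && gofmt -s -l -w $$(go list -f '{{.Dir}}' ./...)`. Either way a short comment above the recipe saying why `gofmt -s` (simplify) replaced `go fmt` would save the next reader from guessing.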
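Review bot: The added `Experiments: c.Experiments,` line passes the configured names through unvalidated, so a misspelled entry (a constructed example: `resource-api` instead of `resource-apis`) is accepted without complaint and the feature it was meant to gate simply never registers, with nothing in the logs to explain why. Since the recognised names live next to their consumers (`catalogResourceExperimentName` in agent/consul/server.go in this same change), consider exposing the set of known experiments and rejecting, or at least warning on, unknown names here through the builder's existing error/warning path. The slice is also shared rather than copied, so any later mutation of `c.Experiments` shows up in the runtime config; copy it if that matters. build() continues outside the hunk.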
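Review bot: The new `experiments = [ "resource-apis" ]` block means every `-dev` agent now opts into the experiment that, per agent/consul/server.go in this change, registers the catalog and mesh resource types and controllers, yet the HCL carries no comment saying so. A one-line HCL comment inside the source string, `# dev mode enables the experimental resource APIs so they can be exercised locally`, would make the intent clear and flag that this is not a default for non-dev agents.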
diff --git a/agent/config/runtime.go b/agent/config/runtime.go index dca9abe0e7f9..1a8dc13794d3 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go @@ -1498,6 +1498,9 @@ type RuntimeConfig struct { Reporting ReportingConfig + // List of experiments to enable + Experiments []string + EnterpriseRuntimeConfig } diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 3b1a77b2cb95..c1cd85ac502f 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -325,6 +325,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.DisableAnonymousSignature = true rt.DisableKeyringFile = true rt.EnableDebug = true + rt.Experiments = []string{"resource-apis"} rt.UIConfig.Enabled = true rt.LeaveOnTerm = false rt.Logging.LogLevel = "DEBUG" @@ -6355,6 +6356,7 @@ func TestLoad_FullConfig(t *testing.T) { EnableRemoteScriptChecks: true, EnableLocalScriptChecks: true, EncryptKey: "A4wELWqH", + Experiments: []string{"foo"}, StaticRuntimeConfig: StaticRuntimeConfig{ EncryptVerifyIncoming: true, EncryptVerifyOutgoing: true, diff --git a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden index 334f5f8c8ff5..b6ee9a98129f 100644 --- a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden +++ b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden @@ -199,6 +199,7 @@ "EnableRemoteScriptChecks": false, "EncryptKey": "hidden", "EnterpriseRuntimeConfig": {}, + "Experiments": [], "ExposeMaxPort": 0, "ExposeMinPort": 0, "GRPCAddrs": [], diff --git a/agent/config/testdata/full-config.hcl b/agent/config/testdata/full-config.hcl index 660e1036086d..6029d2ea2e6b 100644 --- a/agent/config/testdata/full-config.hcl +++ b/agent/config/testdata/full-config.hcl 
@@ -285,6 +285,9 @@ enable_syslog = true encrypt = "A4wELWqH" encrypt_verify_incoming = true encrypt_verify_outgoing = true +experiments = [ + "foo" +] http_config { block_endpoints = [ "RBvAFcGD", "fWOWFznh" ] allow_write_http_from = [ "127.0.0.1/8", "22.33.44.55/32", "0.0.0.0/0" ] diff --git a/agent/config/testdata/full-config.json b/agent/config/testdata/full-config.json index 52dab37bfa53..cd407d3e5dae 100644 --- a/agent/config/testdata/full-config.json +++ b/agent/config/testdata/full-config.json @@ -327,6 +327,9 @@ "encrypt": "A4wELWqH", "encrypt_verify_incoming": true, "encrypt_verify_outgoing": true, + "experiments": [ + "foo" + ], "http_config": { "block_endpoints": [ "RBvAFcGD", @@ -407,17 +410,17 @@ "raft_snapshot_interval": "30s", "raft_trailing_logs": 83749, "raft_logstore": { - "backend" : "wal", - "disable_log_cache": true, + "backend": "wal", + "disable_log_cache": true, "verification": { - "enabled": true, - "interval":"12345s" + "enabled": true, + "interval": "12345s" }, "boltdb": { - "no_freelist_sync": true + "no_freelist_sync": true }, "wal": { - "segment_size_mb": 15 + "segment_size_mb": 15 } }, "read_replica": true, @@ -927,4 +930,4 @@ "xds": { "update_max_per_second": 9526.2 } -} +} \ No newline at end of file diff --git a/agent/consul/options.go b/agent/consul/options.go index ac6bfc41065b..26cb2471a89b 100644 --- a/agent/consul/options.go +++ b/agent/consul/options.go @@ -39,6 +39,8 @@ type Deps struct { // HCP contains the dependencies required when integrating with the HashiCorp Cloud Platform HCP hcp.Deps + Experiments []string + EnterpriseDeps } diff --git a/agent/consul/server.go b/agent/consul/server.go index 418db2da1ffe..6bb424c67535 100644 --- a/agent/consul/server.go +++ b/agent/consul/server.go 
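Review bot: The new `Experiments []string` field on `Deps` has no doc comment, while its neighbour `HCP` does, so a reader of the struct cannot tell where the names come from or who consumes them. Suggest `// Experiments lists the experimental feature names enabled in the agent configuration (e.g. "resource-apis"); consumers check membership with stringslice.Contains.`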
@@ -79,6 +79,7 @@ import (
 raftstorage "github.com/hashicorp/consul/internal/storage/raft"
 "github.com/hashicorp/consul/lib"
 "github.com/hashicorp/consul/lib/routine"
+ "github.com/hashicorp/consul/lib/stringslice"
 "github.com/hashicorp/consul/logging"
 "github.com/hashicorp/consul/proto-public/pbresource"
 "github.com/hashicorp/consul/proto/private/pbsubscribe"
@@ -131,6 +132,8 @@ const (
 reconcileChSize = 256
 LeaderTransferMinVersion = "1.6.0"
+
+ catalogResourceExperimentName = "resource-apis"
 )
 const (
@@ -807,7 +810,7 @@ func NewServer(config *Config, flat Deps, externalGRPCServer *grpc.Server, incom
 s.internalResourceServiceClient,
 logger.Named(logging.ControllerRuntime),
 )
- s.registerResources()
+ s.registerResources(flat)
 go s.controllerManager.Run(&lib.StopChannelContext{StopCh: shutdownCh})
 go s.trackLeaderChanges()
@@ -858,11 +861,14 @@ func NewServer(config *Config, flat Deps, externalGRPCServer *grpc.Server, incom
 return s, nil
 }
-func (s *Server) registerResources() {
- catalog.RegisterTypes(s.typeRegistry)
- catalog.RegisterControllers(s.controllerManager, catalog.DefaultControllerDependencies())
+func (s *Server) registerResources(deps Deps) {
+ if stringslice.Contains(deps.Experiments, catalogResourceExperimentName) {
+ catalog.RegisterTypes(s.typeRegistry)
+ catalog.RegisterControllers(s.controllerManager, catalog.DefaultControllerDependencies())
+
+ mesh.RegisterTypes(s.typeRegistry)
+ }
- mesh.RegisterTypes(s.typeRegistry)
 reaper.RegisterControllers(s.controllerManager)
 if s.config.DevMode {
diff --git a/agent/setup.go b/agent/setup.go
index fba5c2b5dd6c..6a9efb5f7442 100644
--- a/agent/setup.go
+++ b/agent/setup.go
@@ -73,6 +73,7 @@ func NewBaseDeps(configLoader ConfigLoader, logOut io.Writer, providedLogger hcl
 return d, err
 }
 d.WatchedFiles = result.WatchedFiles
+ d.Experiments = result.RuntimeConfig.Experiments
 cfg := result.RuntimeConfig
 logConf := cfg.Logging
 logConf.Name = logging.Agent
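Review bot: `catalogResourceExperimentName` is the exact string an operator must place in the `experiments` config list to turn the feature on, but the new constant has no comment tying it to that field or saying what it gates. Suggest `// catalogResourceExperimentName is the entry in the agent's "experiments" config that enables registration of the catalog and mesh resource types and controllers.` above it.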
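Review bot: When the experiment is active, the new `if stringslice.Contains(...)` branch registers the catalog and mesh resource types without emitting any log line, so an operator auditing a server that now serves the resource APIs has nothing in the startup output tying them to the `experiments` setting, and a mistyped experiment name likewise leaves no trace. Consider logging inside the branch at Info level, for example `s.logger.Info("registering experimental resource types", "experiment", catalogResourceExperimentName)` (assuming the server keeps its logger as `s.logger`, as elsewhere in this file). Note that `mesh.RegisterTypes` is now gated on the catalog experiment name too, which the constant's name does not suggest; if that coupling is intentional, a comment on the `if` saying so would help. registerResources continues past the hunk (the `if s.config.DevMode` block).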
diff --git a/agent/xds/resources_test.go b/agent/xds/resources_test.go index 4687c4a7d637..29743c060bfd 100644 --- a/agent/xds/resources_test.go +++ b/agent/xds/resources_test.go @@ -415,6 +415,19 @@ func getAPIGatewayGoldenTestCases(t *testing.T) []goldenTestCase { Kind: structs.HTTPRoute, Name: "route", Rules: []structs.HTTPRouteRule{{ + Filters: structs.HTTPFilters{ + Headers: []structs.HTTPHeaderFilter{ + { + Add: map[string]string{ + "X-Header-Add": "added", + }, + Set: map[string]string{ + "X-Header-Set": "set", + }, + Remove: []string{"X-Header-Remove"}, + }, + }, + }, Services: []structs.HTTPService{{ Name: "service", }}, diff --git a/agent/xds/routes.go b/agent/xds/routes.go index dbd74f511ed0..a86747a9c080 100644 --- a/agent/xds/routes.go +++ b/agent/xds/routes.go @@ -477,8 +477,6 @@ func (s *ResourceGenerator) routesForAPIGateway(cfgSnap *proxycfg.ConfigSnapshot return nil, err } - addHeaderFiltersToVirtualHost(&reformatedRoute, virtualHost) - defaultRoute.VirtualHosts = append(defaultRoute.VirtualHosts, virtualHost) } @@ -1097,16 +1095,6 @@ func injectHeaderManipToRoute(dest *structs.ServiceRouteDestination, r *envoy_ro return nil } -func addHeaderFiltersToVirtualHost(dest *structs.HTTPRouteConfigEntry, vh *envoy_route_v3.VirtualHost) { - for _, rule := range dest.Rules { - for _, header := range rule.Filters.Headers { - vh.RequestHeadersToAdd = append(vh.RequestHeadersToAdd, makeHeadersValueOptions(header.Add, true)...) - vh.RequestHeadersToAdd = append(vh.RequestHeadersToAdd, makeHeadersValueOptions(header.Set, false)...) - vh.RequestHeadersToRemove = append(vh.RequestHeadersToRemove, header.Remove...) - } - } -} - func injectHeaderManipToVirtualHost(dest *structs.IngressService, vh *envoy_route_v3.VirtualHost) error { if !dest.RequestHeaders.IsZero() { vh.RequestHeadersToAdd = append( 
diff --git a/agent/xds/testdata/routes/api-gateway-with-http-route-and-inline-certificate.latest.golden b/agent/xds/testdata/routes/api-gateway-with-http-route-and-inline-certificate.latest.golden index 6abc6f2946b4..a1669268ec4e 100644 --- a/agent/xds/testdata/routes/api-gateway-with-http-route-and-inline-certificate.latest.golden +++ b/agent/xds/testdata/routes/api-gateway-with-http-route-and-inline-certificate.latest.golden @@ -1,31 +1,50 @@ { - "versionInfo": "00000001", - "resources": [ + "versionInfo": "00000001", + "resources": [ { - "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", - "name": "8080", - "virtualHosts": [ + "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "name": "8080", + "virtualHosts": [ { - "name": "api-gateway-listener-9b9265b", - "domains": [ + "name": "api-gateway-listener-9b9265b", + "domains": [ "*", "*:8080" ], - "routes": [ + "routes": [ { - "match": { - "prefix": "/" + "match": { + "prefix": "/" }, - "route": { - "cluster": "service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" - } + "route": { + "cluster": "service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + }, + "requestHeadersToAdd": [ + { + "header": { + "key": "X-Header-Add", + "value": "added" + }, + "append": true + }, + { + "header": { + "key": "X-Header-Set", + "value": "set" + }, + "append": false + } + ], + "requestHeadersToRemove": [ + "X-Header-Remove" + ] } ] } ], - "validateClusters": true + "validateClusters": true } ], - "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", - "nonce": "00000001" + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" } \ No newline at end of file diff --git a/command/agent/agent.go b/command/agent/agent.go index c2d0dcea0962..c241fa2b7bc8 100644 --- a/command/agent/agent.go +++ b/command/agent/agent.go 
@@ -231,6 +231,9 @@ func (c *cmd) run(args []string) int { ui.Info(fmt.Sprintf(" Gossip Encryption: %t", config.EncryptKey != "")) ui.Info(fmt.Sprintf(" Auto-Encrypt-TLS: %t", config.AutoEncryptTLS || config.AutoEncryptAllowTLS)) ui.Info(fmt.Sprintf(" ACL Enabled: %t", config.ACLsEnabled)) + if config.ServerMode { + ui.Info(fmt.Sprintf(" Reporting Enabled: %t", config.Reporting.License.Enabled)) + } ui.Info(fmt.Sprintf("ACL Default Policy: %s", config.ACLResolverSettings.ACLDefaultPolicy)) ui.Info(fmt.Sprintf(" HTTPS TLS: Verify Incoming: %t, Verify Outgoing: %t, Min Version: %s", config.TLS.HTTPS.VerifyIncoming, config.TLS.HTTPS.VerifyOutgoing, config.TLS.HTTPS.TLSMinVersion)) diff --git a/website/content/api-docs/config.mdx b/website/content/api-docs/config.mdx index 96e6a7b4de77..a79e024fa46f 100644 --- a/website/content/api-docs/config.mdx +++ b/website/content/api-docs/config.mdx @@ -215,6 +215,7 @@ The corresponding CLI command is [`consul config list`](/consul/commands/config/ ### Path Parameters - `kind` `(string: )` - Specifies the kind of the entry to list. +- `filter` `(string: "")` - Specifies an expression to use for filtering the results. ### Query Parameters diff --git a/website/content/commands/config/list.mdx b/website/content/commands/config/list.mdx index 1a70af178725..e453b1194319 100644 --- a/website/content/commands/config/list.mdx +++ b/website/content/commands/config/list.mdx @@ -44,6 +44,7 @@ Usage: `consul config list [options]` #### Command Options - `-kind` - Specifies the kind of the config entry to list. +- `-filter` - Specifies an expression to use for filtering the results. #### Enterprise Options @@ -57,7 +58,16 @@ Usage: `consul config list [options]` ## Examples +To list all service-defaults config entries: + $ consul config list -kind service-defaults billing db web + +The following lists service-defaults with a filter expression: + + $ consul config list -kind service-defaults -filter 'MutualTLSMode == "permissive"' + db + web + 
diff --git a/website/content/docs/connect/config-entries/mesh.mdx b/website/content/docs/connect/config-entries/mesh.mdx index f65ed6162287..a323a6d90f17 100644 --- a/website/content/docs/connect/config-entries/mesh.mdx +++ b/website/content/docs/connect/config-entries/mesh.mdx @@ -338,6 +338,12 @@ Note that the Kubernetes example does not include a `partition` field. Configura }, ], }, + { + name: 'AllowEnablingPermissiveMutualTLS', + type: 'bool: false', + description: + 'Controls whether `MutualTLSMode=permissive` can be set in the `proxy-defaults` and `service-defaults` configuration entries. ' + }, { name: 'TLS', type: 'TLSConfig: ', diff --git a/website/content/docs/connect/config-entries/proxy-defaults.mdx b/website/content/docs/connect/config-entries/proxy-defaults.mdx index 917bc0504494..1d94a79389b6 100644 --- a/website/content/docs/connect/config-entries/proxy-defaults.mdx +++ b/website/content/docs/connect/config-entries/proxy-defaults.mdx @@ -53,6 +53,7 @@ TransparentProxy { OutboundListenerPort = DialedDirectly = } +MutualTLSMode = "" MeshGateway { Mode = "" } @@ -92,6 +93,7 @@ spec: transparentProxy: outboundListenerPort: dialedDirectly: + mutualTLSMode: meshGateway: mode: expose: @@ -120,6 +122,7 @@ spec: "Config": { "": }, + "MutualTLSMode": "", "Mode": "", "TransparentProxy": { "OutboundListenerPort": , @@ -175,6 +178,7 @@ TransparentProxy { OutboundListenerPort = DialedDirectly = } +MutualTLSMode = "" MeshGateway { Mode = "" } @@ -215,6 +219,7 @@ spec: transparentProxy: outboundListenerPort: dialedDirectly: + mutualTLSMode: meshGateway: mode: expose: @@ -249,6 +254,7 @@ spec: "OutboundListenerPort": , "DialedDirectly": }, + "MutualTLSMode": "", "MeshGateway": { "Mode": = "" }, 
@@ -405,6 +411,17 @@ spec: }, ], }, + { + name: 'MutualTLSMode', + type: 'string: ""', + description: `Controls the default mutual TLS mode for all proxies. This setting is only + supported for services with transparent proxy enabled. One of \`""\`, \`strict\`, or \`permissive\`. + When unset or \`""\`, the mode defaults to \`strict\`. When set to \`strict\`, the sidecar proxy + requires mutual TLS for incoming traffic. When set to \`permissive\`, the sidecar proxy accepts + mutual TLS traffic on the sidecar proxy service port and accepts any traffic on the destination + service port. We recommend only using \`permissive\` mode if necessary while onboarding services to + the service mesh. `, + }, { name: 'MeshGateway', type: 'MeshGatewayConfig: ', diff --git a/website/content/docs/connect/config-entries/service-defaults.mdx b/website/content/docs/connect/config-entries/service-defaults.mdx index 000b63246c4e..507176506f4f 100644 --- a/website/content/docs/connect/config-entries/service-defaults.mdx +++ b/website/content/docs/connect/config-entries/service-defaults.mdx @@ -10,7 +10,7 @@ This topic describes how to configure service defaults configuration entries. Th ## Configuration model -The following outline shows how to format the service splitter configuration entry. Click on a property name to view details about the configuration. +The following outline shows how to format the service defaults configuration entry. Click on a property name to view details about the configuration. @@ -58,6 +58,7 @@ The following outline shows how to format the service splitter configuration ent - [`TransparentProxy`](#transparentproxy): map | no default - [`OutboundListenerPort`](#transparentproxy): integer | `15001` - [`DialedDirectly`](#transparentproxy ): boolean | `false` +- [`MutualTLSMode`](#mutualtlsmode): string | `""` - [`EnvoyExtensions`](#envoyextensions): list | no default - [`Name`](#envoyextensions): string | `""` - [`Required`](#envoyextensions): string | `""` 
@@ -126,6 +127,7 @@ The following outline shows how to format the service splitter configuration ent - [`transparentProxy`](#transparentproxy): map | no default - [`outboundListenerPort`](#transparentproxy): integer | `15001` - [`dialedDirectly`](#transparentproxy): boolean | `false` + - [`mutualTLSMode`](#mutualtlsmode): string | `""` - [`envoyExtensions`](#envoyextensions): list | no default - [`name`](#envoyextensions): string | `""` - [`required`](#envoyextensions): string | `""` @@ -152,7 +154,7 @@ The following outline shows how to format the service splitter configuration ent ## Complete configuration -When every field is defined, a service splitter configuration entry has the following form: +When every field is defined, a service-defaults configuration entry has the following form: @@ -213,6 +215,7 @@ TransparentProxy = { OutboundListenerPort = 15002 DialedDirectly = true } +MutualTLSMode = "strict" Destination = { Addresses = [ "First IP address", @@ -288,6 +291,7 @@ spec: transparentProxy: outboundListenerPort: 15001 dialedDirectly: false + mutualTLSMode: strict destination: addresses: - @@ -370,6 +374,7 @@ spec: "outboundListenerPort": 15001, "dialedDirectly": false }, + "mutualTLSMode": "strict", "destination": { "addresses": [ "", 
@@ -697,6 +702,19 @@ You can configure the following parameters in the `TransparentProxy` block: | `OutboundListenerPort` | Specifies the port that the proxy listens on for outbound traffic. This must be the same port number where outbound application traffic is redirected. | integer | `15001` | | `DialedDirectly` | Enables transparent proxies to dial the proxy instance's IP address directly when set to `true`. Transparent proxies commonly dial upstreams at the `"virtual"` tagged address, which load balances across instances. Dialing individual instances can be helpful for stateful services, such as a database cluster with a leader. | boolean | `false` | +### `MutualTLSMode` + +Controls whether mutual TLS is required for incoming connections to this service. This setting is +only supported for services with transparent proxy enabled. We recommend only using `permissive` +mode if necessary while onboarding services to the service mesh. + +You can specify the following string values for the `MutualTLSMode` field: + +- `""`: When this field is empty, the value is inherited from the `proxy-defaults` config entry. +- `strict`: The sidecar proxy requires mutual TLS for incoming traffic. +- `permissive`: The sidecar proxy accepts mutual TLS traffic on the sidecar proxy service port, + and accepts any traffic on the destination service's port. + ### `EnvoyExtensions` List of extensions to modify Envoy proxy configuration. Refer to [Envoy Extensions](/consul/docs/connect/proxies/envoy-extensions) for additional information. 
@@ -1089,6 +1107,21 @@ You can configure the following parameters in the `TransparentProxy` block: | `outboundListenerPort` | Specifies the port that the proxy listens on for outbound traffic. This must be the same port number where outbound application traffic is redirected. | integer | `15001` | | `dialedDirectly` | Enables transparent proxies to dial the proxy instance's IP address directly when set to `true`. Transparent proxies commonly dial upstreams at the `"virtual"` tagged address, which load balances across instances. Dialing individual instances can be helpful for stateful services, such as a database cluster with a leader. | boolean | `false` | +### `spec.mutualTLSMode` + +Controls whether mutual TLS is required for incoming connections to this service. This setting is +only supported for services with transparent proxy enabled. We recommend only using `permissive` +mode if necessary while onboarding services to the service mesh. + +#### Values + +You can specify the following string values for the `MutualTLSMode` field: + +- `""`: When this field is empty, the value is inherited from the `proxy-defaults` config entry. +- `strict`: The sidecar proxy requires mutual TLS for incoming traffic. +- `permissive`: The sidecar proxy accepts mutual TLS traffic on the sidecar proxy service port, + and accepts any traffic on the destination service's port. + ### `spec.envoyExtensions` List of extensions to modify Envoy proxy configuration. Refer to [Envoy Extensions](/consul/docs/connect/proxies/envoy-extensions) for additional information. diff --git a/website/content/docs/release-notes/consul/v1_13_x.mdx b/website/content/docs/release-notes/consul/v1_13_x.mdx index dd3f7cfe3090..f0c4f586a906 100644 --- a/website/content/docs/release-notes/consul/v1_13_x.mdx +++ b/website/content/docs/release-notes/consul/v1_13_x.mdx 
@@ -15,7 +15,7 @@ description: >- - **Enables TLS on the Envoy Prometheus endpoint**: The Envoy prometheus endpoint can be enabled when `envoy_prometheus_bind_addr` is set and then secured over TLS using new CLI flags for the `consul connect envoy` command. These commands are: `-prometheus-ca-file`, `-prometheus-ca-path`, `-prometheus-cert-file` and `-prometheus-key-file`. The CA, cert, and key can be provided to Envoy by a Kubernetes mounted volume so that Envoy can watch the files and dynamically reload the certs when the volume is updated. -- **UDP Health Checks**: Adds the ability to register service discovery health checks that periodically send UDP datagrams to the specified IP/hostname and port. Refer to [UDP checks](/consul/docs//services/usage/checks#udp-checks). +- **UDP Health Checks**: Adds the ability to register service discovery health checks that periodically send UDP datagrams to the specified IP/hostname and port. Refer to [UDP checks](/consul/docs/services/usage/checks#udp-checks). ## What's Changed @@ -46,4 +46,4 @@ The changelogs for this major release version and any maintenance versions are l - [1.13.3](https://github.com/hashicorp/consul/releases/tag/v1.13.3) - [1.13.4](https://github.com/hashicorp/consul/releases/tag/v1.13.4) - [1.13.5](https://github.com/hashicorp/consul/releases/tag/v1.13.5) -- [1.13.6](https://github.com/hashicorp/consul/releases/tag/v1.13.6) \ No newline at end of file +- [1.13.6](https://github.com/hashicorp/consul/releases/tag/v1.13.6) diff --git a/website/content/docs/services/discovery/dns-configuration.mdx b/website/content/docs/services/discovery/dns-configuration.mdx index 794be43a206a..0a10edecdd9d 100644 --- a/website/content/docs/services/discovery/dns-configuration.mdx +++ b/website/content/docs/services/discovery/dns-configuration.mdx 
@@ -1,7 +1,7 @@ --- layout: docs -page_title: Configure Consul DNS behavior -description: -> +page_title: Configure Consul DNS behavior +description: -> Learn how to modify the default DNS behavior so that services and nodes can easily discover other services and nodes in your network. --- 
@@ -12,29 +12,29 @@ This topic describes the default behavior of the Consul DNS functionality and ho ## Introduction The Consul DNS is the primary interface for querying records when Consul service mesh is disabled and your network runs in a non-Kubernetes environment. The DNS enables you to look up services and nodes registered with Consul using terminal commands instead of making HTTP API requests to Consul. Refer to the [Discover Consul Nodes and Services Overview](/consul/docs/services/discovery/dns-overview) for additional information. -## Configure DNS behaviors +## Configure DNS behaviors By default, the Consul DNS listens for queries at `127.0.0.1:8600` and uses the `consul` domain. Specify the following parameters in the agent configuration to determine DNS behavior when querying services: - [`client_addr`](/consul/docs/agent/config/config-files#client_addr) - [`ports.dns`](/consul/docs/agent/config/config-files#dns_port) - [`recursors`](/consul/docs/agent/config/config-files#recursors) -- [`domain`](/consul/docs/agent/config/config-files#domain) +- [`domain`](/consul/docs/agent/config/config-files#domain) - [`alt_domain`](/consul/docs/agent/config/config-files#alt_domain) -- [`dns_config`](/consul/docs/agent/config/config-files#dns_config) +- [`dns_config`](/consul/docs/agent/config/config-files#dns_config) ### Configure WAN address translation By default, Consul DNS queries return a node's local address, even when being queried from a remote datacenter. 
You can configure the DNS to reach a node from outside its datacenter by specifying the address in the following configuration fields in the Consul agent: -- [advertise-wan](/consul/docs/agent/config/cli-flags#_advertise-wan) -- [translate_wan_addrs](/consul//docs/agent/config/config-files#translate_wan_addrs) +- [advertise-wan](/consul/docs/agent/config/cli-flags#_advertise-wan) +- [translate_wan_addrs](/consul/docs/agent/config/config-files#translate_wan_addrs) ### Use a custom DNS resolver library You can specify a list of addresses in the agent's [`recursors`](/consul/docs/agent/config/config-files#recursors) field to provide upstream DNS servers that recursively resolve queries that are outside the service domain for Consul. - -Nodes that query records outside the `consul.` domain resolve to an upstream DNS. You can specify IP addresses or use `go-sockaddr` templates. Consul resolves IP addresses in the specified order and ignores duplicates. + +Nodes that query records outside the `consul.` domain resolve to an upstream DNS. You can specify IP addresses or use `go-sockaddr` templates. Consul resolves IP addresses in the specified order and ignores duplicates. ### Enable non-Consul queries -You enable non-Consul queries to be resolved by setting Consul as the DNS server for a node and providing a [`recursors`](/consul/docs/agent/config/config-files#recursors) configuration. +You enable non-Consul queries to be resolved by setting Consul as the DNS server for a node and providing a [`recursors`](/consul/docs/agent/config/config-files#recursors) configuration. ### Forward queries to an agent You can forward all queries sent to the `consul.` domain from the existing DNS server to a Consul agent. Refer to [Forward DNS for Consul Service Discovery](/consul/tutorials/networking/dns-forwarding) for instructions. 
@@ -42,7 +42,7 @@ You can forward all queries sent to the `consul.` domain from the existing DNS s ### Query an alternate domain By default, Consul responds to DNS queries in the `consul` domain, but you can set a specific domain for responding to DNS queries by configuring the [`domain`](/consul/docs/agent/config/config-files#domain) parameter. -You can also specify an additional domain in the [`alt_domain`](/consul/docs/agent/config/config-files#alt_domain) agent configuration option, which configures Consul to respond to queries in a secondary domain. Configuring an alternate domain may be useful during a DNS migration or to distinguish between internal and external queries, for example. +You can also specify an additional domain in the [`alt_domain`](/consul/docs/agent/config/config-files#alt_domain) agent configuration option, which configures Consul to respond to queries in a secondary domain. Configuring an alternate domain may be useful during a DNS migration or to distinguish between internal and external queries, for example. Consul's DNS response uses the same domain as the query. @@ -62,7 +62,7 @@ machine.node.dc1.test-domain. 0 IN A 127.0.0.1 machine.node.dc1.test-domain. 0 IN TXT "consul-network-segment=" ``` #### PTR queries -Responses to pointer record (PTR) queries, such as `.in-addr.arpa.`, always use the [primary domain](/consul/docs/agent/config/config-files#domain) and not the alternative domain. +Responses to pointer record (PTR) queries, such as `.in-addr.arpa.`, always use the [primary domain](/consul/docs/agent/config/config-files#domain) and not the alternative domain. ### Caching By default, DNS results served by Consul are not cached. Refer to the [DNS Caching tutorial](/consul/tutorials/networking/dns-caching) for instructions on how to enable caching.