From 31c928cefdd6c411ac8163128b6e668c64279fbf Mon Sep 17 00:00:00 2001
From: hc-github-team-consul-core
Date: Thu, 17 Aug 2023 11:33:01 -0500
Subject: [PATCH] Backport of docs: Update K8s TGW tutorial to reliably obtain role ID into release/1.15.x (#18507)
backport of commit 1673852b390338325d307681a0ecb2d5e2ec7ff1
Co-authored-by: Blake Covarrubias
---
 .../docs/k8s/connect/terminating-gateways.mdx | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/website/content/docs/k8s/connect/terminating-gateways.mdx b/website/content/docs/k8s/connect/terminating-gateways.mdx
index 1da48d0a5425..319fedf71dd3 100644
--- a/website/content/docs/k8s/connect/terminating-gateways.mdx
+++ b/website/content/docs/k8s/connect/terminating-gateways.mdx
@@ -40,7 +40,7 @@ terminatingGateways:
 The Helm chart may be deployed using the [Consul on Kubernetes CLI](/consul/docs/k8s/k8s-cli).
 ```shell-session
-$ consul-k8s install -f values.yaml
+$ consul-k8s install --config-file values.yaml
 ```
 ## Accessing the Consul agent
@@ -52,7 +52,7 @@ You can access the Consul server directly from your host by running `kubectl por
 ```shell-session
-$ kubectl port-forward consul-server-0 8500 &
+$ kubectl port-forward service/consul-server 8500 &
 ```
 ```shell-session
@@ -65,7 +65,7 @@ $ export CONSUL_HTTP_ADDR=http://localhost:8500
 If TLS is enabled use port 8501:
 ```shell-session
-$ kubectl port-forward consul-server-0 8501 &
+$ kubectl port-forward service/consul-server 8501 &
 ```
 ```shell-session
@@ -102,6 +102,7 @@ you may register the service as a node in the Consul catalog.
 The [`destination`](/consul/docs/connect/config-entries/service-defaults#terminating-gateway-destination) field of the `ServiceDefaults` Custom Resource Definition (CRD) allows clients to dial an external service directly. For this method to work, [`TransparentProxy`](/consul/docs/connect/transparent-proxy) must be enabled.
+
 The following table describes traffic behaviors when using the `destination` field to route traffic through a terminating gateway:
 | External Services Layer | Client dials | Client uses TLS | Allowed | Notes |
@@ -205,7 +206,7 @@ true
 ### Update terminating gateway ACL role if ACLs are enabled
-If ACLs are enabled, update the terminating gateway acl role to have `service: write` permissions on all of the services
+If ACLs are enabled, update the terminating gateway ACL role to have `service:write` permissions on all of the services
 being represented by the gateway. Create a new policy that includes the write permission for the service you created.
@@ -232,15 +233,14 @@ service "example-https" {
 }
 ```
-Fetch the ID of the terminating gateway token.
+Obtain the ID of the terminating gateway role.
 ```shell-session
-consul acl role list | grep -B 6 -- "- RELEASE_NAME-terminating-gateway-policy" | grep ID
-
-ID:
+$ consul acl role list -format=json | jq --raw-output '[.[] | select(.Name | endswith("-terminating-gateway-acl-role"))] | if (. | length) == 1 then (. | first | .ID) else "Unable to determine the role ID because there are multiple roles matching this name.\n" | halt_error end'
+
 ```
-Update the terminating gateway ACL token with the new policy.
+Update the terminating gateway ACL role with the new policy.
 ```shell-session
 $ consul acl role update -id -policy-name example-https-write-policy
@@ -379,7 +379,7 @@ deployment "static-client" successfully rolled out
 You can verify connectivity of the static-client and terminating gateway via a curl command.
-
+
 ```shell-session
 $ kubectl exec deploy/static-client -- curl -vvvs https://example.com/