Add new Consul 1.16 docs (#17651)

* Merge pull request #5773 from hashicorp/docs/rate-limiting-from-ip-addresses-1.16 updated docs for rate limiting for IP addresses - 1.16 * Merge pull request #5609 from hashicorp/docs/enterprise-utilization-reporting Add docs for enterprise utilization reporting * Merge pull request #5734 from hashicorp/docs/envoy-ext-1.16 Docs/envoy ext 1.16 * Merge pull request #5773 from hashicorp/docs/rate-limiting-from-ip-addresses-1.16 updated docs for rate limiting for IP addresses - 1.16 * Merge pull request #5609 from hashicorp/docs/enterprise-utilization-reporting Add docs for enterprise utilization reporting * Merge pull request #5734 from hashicorp/docs/envoy-ext-1.16 Docs/envoy ext 1.16 * fix build errors --------- Co-authored-by: trujillo-adam <[email protected]>
hashicorp · Jun 12, 2023 · 862e78f · 862e78f
1 parent f8d3721
commit 862e78f
Show file tree

Hide file tree

Showing 19 changed files with 2,765 additions and 158 deletions.
diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/agent/config/config-files.mdx
@@ -711,6 +711,10 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
     servers in all federated datacenters must have this enabled before any client can use
     [`use_streaming_backend`](#use_streaming_backend).
 
+- `reporting`<EnterpriseAlert inline /> - This option allows options for HashiCorp reporting.
+    - `license` - The license object allows users to control automatic reporting of license utilization metrics to HashiCorp.
+      - `enabled`: (Defaults to `true`) Enables automatic license utilization reporting.
+
 - `segment` <EnterpriseAlert inline /> - Equivalent to the [`-segment` command-line flag](/consul/docs/agent/config/cli-flags#_segment).
 
   ~> **Warning:** The `segment` option cannot be used with the [`partition`](#partition-1) option.

diff --git a/website/content/docs/agent/config/index.mdx b/website/content/docs/agent/config/index.mdx
@@ -73,6 +73,7 @@ The following agent configuration options are reloadable at runtime:
     them without a restart provides a recovery path that doesn't involve
     downtime. They generally shouldn't be changed otherwise.
 - [RPC rate limits](/consul/docs/agent/config/config-files#limits)
+- [Reporting](/consul/docs/agent/config/config-files#reporting)
 - [HTTP Maximum Connections per Client](/consul/docs/agent/config/config-files#http_max_conns_per_client)
 - Services
 - TLS Configuration

diff --git a/website/content/docs/agent/limits/index.mdx b/website/content/docs/agent/limits/index.mdx
@@ -2,32 +2,51 @@
 layout: docs
 page_title: Limit Traffic Rates Overview
 description: Rate limiting is a set of Consul server agent configurations that you can use to mitigate the risks to Consul servers when clients send excessive requests to Consul resources. 
-
 ---
 
 # Traffic rate limiting overview
 
-This topic provides an overview of the rates limits you can configure for Consul servers.
+
+This topic provides overview information about the traffic rates limits you can configure for Consul datacenters. 
 
 ## Introduction
-You can configure global RPC rate limits to mitigate the risks to Consul servers when clients send excessive read or write requests to Consul resources. A _read request_ is defined as any request that does not modify Consul internal state. A _write request_ is defined as any request that modifies Consul internal state. Rate limits for read and write requests are configured separately.
 
-## Rate limit modes
+Configuring rate limits on RPC and gRPC traffic mitigates the risks to Consul servers when client agents or services send excessive read or write requests to Consul resources. A _read_ request is defined as any request that does not modify Consul internal state. A _write_ request is defined as any request that modifies Consul internal state. Configure read and write request limits independently.
+
+## Workflow 
+
+You can set global limits on the rate of read and write requests that affect individual servers in the datacenter. You can set limits for all source IP addresses, which enables you to specify a budget for read and write requests to prevent any single source IP from overwhelming the Consul server and negatively affecting the network. The following steps describe the general process for setting global read and write rate limits:
+
+1. Set arbitrary limits to begin understanding the upper boundary of RPC and gRPC loads in your network. Refer to [Initialize rate limit settings](/consul/docs/agent/limits/usage/init-rate-limits) for additional information.    
 
-You can set one of the following modes to determine how Consul servers react when exceeding request limits.
-
-- **Enforcing mode**: The rate limiter denies requests to a server once they exceed the configured rate. In this mode, Consul generates metrics and logs to help you understand your network's load and configure limits accordingly. 
-- **Permissive mode**: The rate limiter allows requests to a server once they exceed the configured rate. In this mode, Consul generates metrics and logs to help you understand your Consul load and configure limits accordingly. Use this mode to help you debug specific issues as you configure limits.
-- **Disabled mode**: Disables the rate limiter. This mode allows all requests Consul does not generate logs or metrics. This is the default mode. 
+1. Monitor the metrics and logs and readjust the initial configurations as necessary. Refer to [Monitor rate limit data](/consul/docs/agent/limits/usage/monitor-rate-limit-data)  
 
-Refer to [`rate_limits`](/consul/docs/agent/config/config-files#request_limits) for additional configuration information.
+1. Define your final operational limits based on your observations. If you are defining global rate limits, refer to [Set global traffic rate limits](/consul/docs/agent/limits/usage/set-global-rate-limits) for additional information. For information about setting limits based on source IP, refer to [Limit traffic rates for a source IP](/consul/docs/agent/limits/usage/set-source-ip-rate-limits).
 
-## Request denials
+### Order of operations
 
-When an HTTP request is denied for rate limiting reason, Consul returns one of the following errors:
+You can define request rate limits in the agent configuration and in the control plane request limit configuration entry. The configuration entry also supports rate limit configurations for Consul resources. Consul perfroms the following order of operations when determing request rate limits:
 
-- **429 Resource Exhausted**: Indicates that a server is not able to perform the request but that another server could potentially fulfill it. This error is most common on stale reads because any server may fulfill stale read requests. To resolve this type of error,  we recommend immediately retrying the request to another server. If the request came from a Consul client agent, the agent automatically retries the request up to the limit set in the [`rpc_hold_timeout`](/consul/docs/agent/config/config-files#rpc_hold_timeout) configuration .
+1. Parse request.
+1. Does the request reach a global server limit?
+   - No: Proceed to the next stage.
+   - Yes: Return an error that the requested resource has been exhausted.
+1. Does the request reach a limit associated with its source IP address?
+   - No: Proceed to the next stage.
+   - Yes: Return an error that the requested resource has been exhausted.
+1. Resolve the Consul Enterprise metadata.
+1. Does the request reach a limit associated with the source partition?
+   - No: Proceed to the next stage.
+   - Yes: Return an error that the requested resource has been exhausted.
+1. Does the request reach a limit associated with the source namespace?
+   - No: Proceed to the next stage.
+   - Yes: Return an error that the requested resource has been exhausted.
+1. Resolve the ACL identity associated with the request.
+1. Does the request reach a limit associated with its identity?
+   - No: Proceed to the next stage.
+   - Yes: Return an error that the requested resource has been exhausted.
+1. Handle the request.
 
-- **503 Service Unavailable**: Indicates that server is unable to perform the request and that no other server can fulfill the request, either. This usually occurs on consistent reads or for writes. In this case we recommend retrying according to an exponential backoff schedule. If the request came from a Consul client agent, the agent automatically retries the request according to the [`rpc_hold_timeout`](/consul/docs/agent/config/config-files#rpc_hold_timeout) configuration. 
+## Kubernetes
 
-Refer to [Rate limit reached on the server](/consul/docs/troubleshoot/common-errors#rate-limit-reached-on-the-server) for additional information.
+To define global rate limits, configure the `request_limits` settings in the Consul Helm chart. Refer to the [Helm chart reference](/consul/docs/k8s/helm) for additional information. Refer to the [control plane request limit configuration entry reference](/consul/docs/connect/config-entries/control-plane-request-limit) for information about applying a CRD for limiting traffic rates from source IPs. 
diff --git a/website/content/docs/agent/limits/set-global-traffic-rate-limits.mdx b/website/content/docs/agent/limits/set-global-traffic-rate-limits.mdx
diff --git a/...nt/docs/agent/limits/init-rate-limits.mdx → ...s/agent/limits/usage/init-rate-limits.mdx b/...nt/docs/agent/limits/init-rate-limits.mdx → ...s/agent/limits/usage/init-rate-limits.mdx
@@ -1,6 +1,6 @@
 ---
 layout: docs
-page_title: Initialize Rate Limit Settings
+page_title: Initialize rate limit settings
 description: Learn how to determine regular and peak loads in your network so that you can set the initial global rate limit configurations.
 ---
 
@@ -14,17 +14,16 @@ Because each network has different needs and application, you need to find out w
     - Number of servers and the projected load
     - Existing metrics expressing requests per second
 
-1. Set the `mode` to `permissive`. In the following example, the configuration allows up to 1000 reads and 500 writes per second for each Consul agent:
+1. Set the [`limits.request_limits.mode`](/consul/docs/agent/config/config-files#mode-1) parameter in the agent configuration to `permissive`. In the following example, the configuration allows up to 1000 reads and 500 writes per second for each Consul agent:
 
     ```hcl
     request_limits { 
 	    mode = "permissive"
 	    read_rate = 1000.0
 	    write_rate = 500.0
     }
-    ```
-
-1. Observe the logs and metrics for your application's typical cycle, such as a 24 hour period. Refer to [`log_file`](/consul/docs/agent/config/config-files#log_file) for information about where to retrieve logs. Call the [`/agent/metrics`](/consul/api-docs/agent#view-metrics) HTTP API endpoint and check the data for the following metrics:  
+    ``` 
+1. Observe the logs and metrics for your application's typical cycle, such as a 24 hour period. Refer to [Monitor traffic rate limit data](/consul/docs/agent/limits/usage/monitor-rate-limit) for additional information. Call the [`/agent/metrics`](/consul/api-docs/agent#view-metrics) HTTP API endpoint and check the data for the following metrics:  
 
     - `rpc.rate_limit.exceeded` with value `global/read` for label `limit_type`
     - `rpc.rate_limit.exceeded` with value `global/write` for label `limit_type`

diff --git a/website/content/docs/agent/limits/usage/limit-request-rates-from-ips.mdx b/website/content/docs/agent/limits/usage/limit-request-rates-from-ips.mdx
@@ -0,0 +1,66 @@
+---
+layout: docs
+page_title: Limit traffic rates for a source IP address
+description: Learn how to set read and request rate limits on RPC and gRPC traffic from all source IP addresses to a Consul resource.
+---
+
+# Limit traffic rates from source IP addresses 
+
+This topic describes how to configure RPC and gRPC traffic rate limits for source IP addresses. This enables you to specify a budget for read and write requests to prevent any single source IP from overwhelming the Consul server and negatively affecting the network. For information about setting global traffic rate limits, refer to [Set a global limit on traffic rates](/consul/docs/agent/limits/usage/set-glogal-traffic-rate-limits). For an overview of Consul's server rate limiting capabilities, refer to [Limit traffic rates overview](/consul/docs/agent/limits/overview). 
+
+## Overview
+
+You can set limits on the rate of read and write requests from source IP addresses to specific resources, which mitigates the risks to Consul servers when consul clients send excessive requests to a specific resource type. Before configuring traffic rate limits, you should complete the initialization process to understand normal traffic loads in your network. Refer to [Initialize rate limit settings](/consul/docs/agent/limits/init-rate-limits) for additional information.
+
+Complete the following steps to configure traffic rate limits from a source IP address:
+
+1. Define rate limits in a control plan request limit configuration entry. You can set limits for different types of resources calls.
+
+1. Apply the configuration entry to enact the limits.
+
+You should also monitor read and write rate activity and make any necessary adjustments. Refer to [Monitor rate limit data](/consul/docs/agent/limits/usage/monitor-rate-limits) for additional information.
+
+## Define rate limits
+
+Create a control plane request limit configuration entry in the `default` partition. The configuration entry applies to all client requests targeting any partition. Refer to the [control plane request limit configuration entry](/consul/docs/connect/config-entries/control-plan-request-limit) reference documentation for details about the available configuration parameters. 
+
+Specify the following parameters:
+
+- `kind`: This must be set to `control-plane-request-limit`.
+- `name`: Specify the name of the service that you want to limit read and write operations to.
+-  `read_rate`: Specify overall number of read operations per second allowed from the service.
+-  `write_rate`: Specify overall number of write operations per second allowed from the service.
+
+You can also configure limits on calls to the key-value store, ACL system, and Consul catalog. 
+
+## Apply the configuration entry 
+
+If your network is deployed to virtual machines, use the `consul config write` command and specify the control plane request limit configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command. 
+
+<Tabs>
+<Tab heading="HCL" group="hcl">
+
+```shell-session
+$ consul config write control-plane-request-limit.hcl
+```
+
+</Tab>
+<Tab heading="JSON" group="json">
+
+```shell-session
+$ consul config write control-plane-request-limit.json
+```
+
+</Tab>
+<Tab heading="Kubernetes" group="kubernetes">
+
+```shell-session
+$ kubectl apply control-plane-request-limit.yaml
+```
+
+</Tab>
+</Tabs>
+
+## Disable request rate limits
+
+Set the [limits.request_limits.mode](/consul/docs/agent/config/config-files#mode-1) in the agent configuration to `disabled` to allow services to exceed the specified read and write requests limits. The `disabled` mode applies to all request rate limits, even limits specifed in the [control plane request limits configuration entry](/consul/docs/connect/config-entries/control-plane-request-limits).  Note that any other mode specified in the agent configuration only applies to global traffic rate limits.