From 55d2b6dc23a241ca05598eb3b4695a6cc3b65339 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 18 Jul 2023 14:32:30 -0700 Subject: [PATCH 01/12] Update index.mdx --- website/content/docs/enterprise/index.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index ac7a1c62d52e..7e8467209f28 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx @@ -45,7 +45,6 @@ The following features are [available in several forms of Consul Enterprise](#co - [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc): Manage user access to Consul through an OIDC identity provider instead of Consul ACL tokens directly - [Audit Logging](/consul/docs/enterprise/audit-logging): Understand Consul access and usage patterns by reviewing access to the Consul HTTP API -- [Sentinel for KV](/consul/docs/enterprise/sentinel): Policy-as-code framework for defining advanced key-value storage access control policies ### Regulatory compliance @@ -177,4 +176,4 @@ Consul Enterprise feature availability can change depending on your server and c | [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | - \ No newline at end of file + From 098a717a374869c6d00f6e03a2403b93dd29f5b7 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 18 Jul 2023 14:36:38 -0700 Subject: [PATCH 02/12] Update kv.mdx --- website/content/docs/dynamic-app-config/kv.mdx | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/website/content/docs/dynamic-app-config/kv.mdx b/website/content/docs/dynamic-app-config/kv.mdx index 62406e019dfa..23954ac804d5 100644 --- a/website/content/docs/dynamic-app-config/kv.mdx +++ b/website/content/docs/dynamic-app-config/kv.mdx 
@@ -61,6 +61,23 @@ and when recursively searching within the data store. We also recommend that you avoid the use of `*`, `?`, `'`, and `%` because they can cause issues when using the API and in shell scripts. + + + +This feature requires +HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. + + + +[Sentinel](/consul/docs/enterprise/sentinel) could also be leverage as a Policy-as-code framework for defining advanced key-value storage access control policies. Sentinel policies extend the ACL system in Consul beyond static "read", "write", +and "deny" policies to support full conditional logic and integration with +external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts) for high-level Sentinel concepts. + +To get started with Sentinel in Consul, +[read the general documentation](https://docs.hashicorp.com/sentinel/consul) or +[Consul documentation](/consul/docs/agent/sentinel). + + ## Extending Consul KV ### Consul Template From 6832d895ee1b92ce55f4103459286c009f0a004b Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 18 Jul 2023 14:39:02 -0700 Subject: [PATCH 03/12] Update docs-nav-data.json --- website/data/docs-nav-data.json | 4 ---- 1 file changed, 4 deletions(-) diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 7149dfebb299..90ddb493ef56 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -1678,10 +1678,6 @@ "title": "NIA with TFE", "href": "/docs/nia/enterprise" }, - { - "title": "Sentinel", - "path": "enterprise/sentinel" - }, { "title": "License", "routes": [ From 3703d1754acc3b17cecba8bad8e012cf9ec518d3 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 18 Jul 2023 14:39:51 -0700 Subject: [PATCH 04/12] delete sentinel.mdx --- website/content/docs/enterprise/sentinel.mdx | 24 -------------------- 1 file changed, 24 deletions(-) delete mode 100644 website/content/docs/enterprise/sentinel.mdx 
diff --git a/website/content/docs/enterprise/sentinel.mdx b/website/content/docs/enterprise/sentinel.mdx deleted file mode 100644 index 3fea0c8a9d50..000000000000 --- a/website/content/docs/enterprise/sentinel.mdx +++ /dev/null @@ -1,24 +0,0 @@ ---- -layout: docs -page_title: Sentinel in Consul (Enterprise) -description: >- - Sentinel is an access-control-policy-as-code framework and language. Learn how Consul can use Sentinel policies to extend the ACL system's capabilities and further secure your clusters by controlling key-value (KV) store write access. ---- - -# Sentinel in Consul - - - -This feature requires -HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. -Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. - - - -Sentinel policies extend the ACL system in Consul beyond static "read", "write", -and "deny" policies to support full conditional logic and integration with -external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts) for high-level Sentinel concepts. - -To get started with Sentinel in Consul, -[read the general documentation](https://docs.hashicorp.com/sentinel/consul) or -[Consul documentation](/consul/docs/agent/sentinel). From ec073e7bc4c62984551a180e41cee3d539ef0843 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 18 Jul 2023 14:46:15 -0700 Subject: [PATCH 05/12] Update index.mdx --- website/content/docs/enterprise/index.mdx | 4 ---- 1 file changed, 4 deletions(-) diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index 7e8467209f28..5d0f2eedd39b 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx 
@@ -101,7 +101,6 @@ Available Enterprise features per Consul form and license include: | [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | No | Yes | Yes | | [Redundancy Zones](/consul/docs/enterprise/redundancy) | Not applicable | Yes | With Global Visibility, Routing, and Scale module | | [Sameness Groups](/consul/docs/connect/config-entries/samenes-group) | No | Yes | N/A | -| [Sentinel for KV](/consul/docs/enterprise/sentinel) | All tiers | Yes | With Governance and Policy module | | [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | All tiers | Yes | With Governance and Policy module | @@ -130,7 +129,6 @@ Consul Enterprise feature availability can change depending on your server and c | [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ✅ | ✅ | ✅ | | [Redundancy Zones](/consul/docs/enterprise/redundancy) | ✅ | ✅ | ✅ | | [Sameness Groups](/consul/docs/connect/config-entries/samenes-group) | ✅ | ✅ | ✅ | -| [Sentinel ](/consul/docs/enterprise/sentinel) | ✅ | ✅ | ✅ | | [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | @@ -151,7 +149,6 @@ Consul Enterprise feature availability can change depending on your server and c | [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ✅ | ✅ | ✅ | | [Redundancy Zones](/consul/docs/enterprise/redundancy) | ❌ | ❌ | ❌ | | [Sameness Groups](/consul/docs/connect/config-entries/samenes-group) | ✅ | ✅ | ✅ | -| [Sentinel ](/consul/docs/enterprise/sentinel) | ✅ | ✅ | ✅ | | [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | 
@@ -172,7 +169,6 @@ Consul Enterprise feature availability can change depending on your server and c | [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ❌ | ❌ | ❌ | | [Redundancy Zones](/consul/docs/enterprise/redundancy) | n/a | n/a | n/a | | [Sameness Groups](/consul/docs/connect/config-entries/samenes-group) | ✅ | ✅ | ✅ | -| [Sentinel ](/consul/docs/enterprise/sentinel) | ✅ | ✅ | ✅ | | [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips) | ✅ | ✅ | ✅ | From 26c356d1819b6168f36d4e73c525eea0012ca9e2 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 18 Jul 2023 15:19:11 -0700 Subject: [PATCH 06/12] Update kv.mdx --- website/content/docs/dynamic-app-config/kv.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/website/content/docs/dynamic-app-config/kv.mdx b/website/content/docs/dynamic-app-config/kv.mdx index 23954ac804d5..b76903cc8662 100644 --- a/website/content/docs/dynamic-app-config/kv.mdx +++ b/website/content/docs/dynamic-app-config/kv.mdx @@ -61,6 +61,7 @@ and when recursively searching within the data store. We also recommend that you avoid the use of `*`, `?`, `'`, and `%` because they can cause issues when using the API and in shell scripts. +## Using Sentinel to apply policies for Consul KV From 5bea248210caa03bb4ae9fa50b43390dcadc5f15 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 18 Jul 2023 15:43:35 -0700 Subject: [PATCH 07/12] Update index.mdx --- website/content/docs/enterprise/index.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index 5d0f2eedd39b..7557b2c09040 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx 
@@ -26,6 +26,7 @@ The following features are [available in several forms of Consul Enterprise](#co - [Automated Backups](/consul/docs/enterprise/backups): Configure the automatic backup of Consul state - [Redundancy Zones](/consul/docs/enterprise/redundancy): Deploy backup voting Consul servers to efficiently improve Consul fault tolerance +- [Server request rate limits per source IP](/consul/docs/agent/limits/usage/limit-request-rates-from-ips): Limit gRPC and RPC traffic to servers for source IP addresses. ### Scalability From 1ea87c8d657f8855a19865a214773628f6df803b Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 18 Jul 2023 16:42:19 -0700 Subject: [PATCH 08/12] Update website/content/docs/dynamic-app-config/kv.mdx Co-authored-by: Tu Nguyen --- website/content/docs/dynamic-app-config/kv.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/dynamic-app-config/kv.mdx b/website/content/docs/dynamic-app-config/kv.mdx index b76903cc8662..b985eea1584a 100644 --- a/website/content/docs/dynamic-app-config/kv.mdx +++ b/website/content/docs/dynamic-app-config/kv.mdx @@ -70,7 +70,7 @@ HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. -[Sentinel](/consul/docs/enterprise/sentinel) could also be leverage as a Policy-as-code framework for defining advanced key-value storage access control policies. Sentinel policies extend the ACL system in Consul beyond static "read", "write", +You can also use [Sentinel](/consul/docs/enterprise/sentinel) as a Policy-as-code framework for defining advanced key-value storage access control policies. Sentinel policies extend the ACL system in Consul beyond static "read", "write", and "deny" policies to support full conditional logic and integration with external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts) for high-level Sentinel concepts. From 15f5ab1cbe1e74726665a39f1b9bcb7a7ad02995 Mon Sep 17 00:00:00 2001 
From: David Yu Date: Tue, 18 Jul 2023 16:42:28 -0700 Subject: [PATCH 09/12] Update website/content/docs/dynamic-app-config/kv.mdx Co-authored-by: Tu Nguyen --- website/content/docs/dynamic-app-config/kv.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/dynamic-app-config/kv.mdx b/website/content/docs/dynamic-app-config/kv.mdx index b985eea1584a..5be2fc259611 100644 --- a/website/content/docs/dynamic-app-config/kv.mdx +++ b/website/content/docs/dynamic-app-config/kv.mdx @@ -75,7 +75,7 @@ and "deny" policies to support full conditional logic and integration with external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts) for high-level Sentinel concepts. To get started with Sentinel in Consul, -[read the general documentation](https://docs.hashicorp.com/sentinel/consul) or +refer to the [Sentinel documentation](https://docs.hashicorp.com/sentinel/consul) or [Consul documentation](/consul/docs/agent/sentinel). From 66036a2984775e18ef490a5d31dc4c73735b9f89 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 18 Jul 2023 16:45:17 -0700 Subject: [PATCH 10/12] Update kv.mdx --- website/content/docs/dynamic-app-config/kv.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/dynamic-app-config/kv.mdx b/website/content/docs/dynamic-app-config/kv.mdx index 5be2fc259611..5986cb0741a9 100644 --- a/website/content/docs/dynamic-app-config/kv.mdx +++ b/website/content/docs/dynamic-app-config/kv.mdx 
@@ -70,7 +70,7 @@ HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise. -You can also use [Sentinel](/consul/docs/enterprise/sentinel) as a Policy-as-code framework for defining advanced key-value storage access control policies. Sentinel policies extend the ACL system in Consul beyond static "read", "write", +You can also use Sentinel as a Policy-as-code framework for defining advanced key-value storage access control policies. Sentinel policies extend the ACL system in Consul beyond static "read", "write", and "deny" policies to support full conditional logic and integration with external systems. Reference the [Sentinel documentation](https://docs.hashicorp.com/sentinel/concepts) for high-level Sentinel concepts. From 59023217ece8bc00fab846b556b5c161ec0e5053 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 18 Jul 2023 16:51:41 -0700 Subject: [PATCH 11/12] Update redirects.js --- website/redirects.js | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/website/redirects.js b/website/redirects.js index 517c73bbfa5a..bdad1457b68c 100644 --- a/website/redirects.js +++ b/website/redirects.js @@ -60,4 +60,11 @@ module.exports = [ '/consul/docs/connect/cluster-peering/usage/establish-cluster-peering', permanent: true, }, + { + source: + '/consul/docs/enterprise/sentinel', + destination: + '/consul/docs/dynamic-app-config/kv#using-sentinel-to-apply-policies-for-consul-kv', + permanent: true, + }, ] From 9117803daa578574e6320b3c9754fcc87a907ef1 Mon Sep 17 00:00:00 2001 From: David Yu Date: Tue, 18 Jul 2023 16:59:03 -0700 Subject: [PATCH 12/12] Update index.mdx Fix typo in link --- website/content/docs/enterprise/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index 7557b2c09040..00829e9ef69a 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx 
@@ -20,7 +20,7 @@ The following features are [available in several forms of Consul Enterprise](#co - [Admin Partitions](/consul/docs/enterprise/admin-partitions): Define administrative boundaries between tenants within a single Consul datacenter - [Namespaces](/consul/docs/enterprise/namespaces): Define resource boundaries within a single admin partition for further organizational flexibility -- [Sameness Groups](/consul/docs/connect/config-entries/samenes-group): Define partitions and cluster peers as members of a group with identical services +- [Sameness Groups](/consul/docs/connect/config-entries/sameness-group): Define partitions and cluster peers as members of a group with identical services ### Resiliency
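Review bot: the paragraph added to kv.mdx in PATCH 02 links Sentinel to `/consul/docs/enterprise/sentinel`, the page PATCH 04 deletes, and reads `could also be leverage as a Policy-as-code framework`; PATCH 08 and PATCH 10 repair the grammar and drop the link, so squash those into PATCH 02 so that no intermediate commit ships a dangling link. The moved text also loses two things the deleted sentinel.mdx stated: that the policies control KV store write access (the new wording `advanced key-value storage access control policies` is broader than what the page documented, so restore `write` so readers do not expect Sentinel to gate reads), and the alert line `Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information.`, which should be carried over.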
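Review bot: removing the Sentinel rows from the four feature-availability tables in PATCH 05 drops information that the new kv.mdx section does not carry: the first table said `All tiers | Yes | With Governance and Policy module`, while kv.mdx only says `HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise`. Either keep the rows (pointing at the new kv.mdx anchor) or add the tier and module detail to the kv.mdx alert. Separately, the unchanged context lines in these hunks still link Sameness Groups to `/consul/docs/connect/config-entries/samenes-group`; PATCH 12 fixes that typo only in the bullet list, so the four table rows stay broken.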
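Review bot: the heading added in PATCH 06, `+## Using Sentinel to apply policies for Consul KV`, is inserted directly after the line `the API and in shell scripts.` with no blank line between the paragraph and the heading; it renders, but every other heading in this file is preceded by a blank line, so add one for consistency with the rest of kv.mdx.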
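Review bot: in the Resiliency bullet added in PATCH 07, `Limit gRPC and RPC traffic to servers for source IP addresses.` should read `from source IP addresses` to match the feature name and the URL slug `limit-request-rates-from-ips`, and the trailing period is inconsistent with the neighbouring bullets (`Configure the automatic backup of Consul state`, `Deploy backup voting Consul servers to efficiently improve Consul fault tolerance`), which end without one.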
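Review bot: the permanent redirect added in PATCH 11 targets the anchor `#using-sentinel-to-apply-policies-for-consul-kv`, which is derived from the exact heading text added in PATCH 06; any later rewording of that heading silently turns a permanent redirect into a link to the top of the page, so add a comment next to the heading in kv.mdx (or in redirects.js) tying the two together. Also confirm that `/consul/docs/agent/sentinel`, which the moved text still links to, does not itself link back to the deleted `/consul/docs/enterprise/sentinel` page, or that link would now bounce through the redirect to the section that sent the reader there.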