From aa21b1232177aabcb4de61cbce34f23f033b4ac3 Mon Sep 17 00:00:00 2001 From: Blake Covarrubias Date: Wed, 16 Aug 2023 13:35:44 -0700 Subject: [PATCH] docs: Update K8s TGW tutorial to reliably obtain role ID (#18474) The `grep` command used to obtain the ID for the terminating gateway role is not reliable in all scenarios. For example, if there is a similarly named role, the command may return the wrong role ID for the active terminating gateway instance. This commit updates the command to use jq to obtain the role ID. If multiple roles are found, jq will raise an error informing the user that it cannot reliably determine the role ID. --- .../docs/k8s/connect/terminating-gateways.mdx | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/website/content/docs/k8s/connect/terminating-gateways.mdx b/website/content/docs/k8s/connect/terminating-gateways.mdx index 1da48d0a5425..319fedf71dd3 100644 --- a/website/content/docs/k8s/connect/terminating-gateways.mdx +++ b/website/content/docs/k8s/connect/terminating-gateways.mdx @@ -40,7 +40,7 @@ terminatingGateways: The Helm chart may be deployed using the [Consul on Kubernetes CLI](/consul/docs/k8s/k8s-cli). ```shell-session -$ consul-k8s install -f values.yaml +$ consul-k8s install --config-file values.yaml ``` ## Accessing the Consul agent @@ -52,7 +52,7 @@ You can access the Consul server directly from your host by running `kubectl por ```shell-session -$ kubectl port-forward consul-server-0 8500 & +$ kubectl port-forward service/consul-server 8500 & ``` ```shell-session @@ -65,7 +65,7 @@ $ export CONSUL_HTTP_ADDR=http://localhost:8500 If TLS is enabled use port 8501: ```shell-session -$ kubectl port-forward consul-server-0 8501 & +$ kubectl port-forward service/consul-server 8501 & ``` ```shell-session @@ -102,6 +102,7 @@ you may register the service as a node in the Consul catalog. The [`destination`](/consul/docs/connect/config-entries/service-defaults#terminating-gateway-destination) field of the `ServiceDefaults` Custom Resource Definition (CRD) allows clients to dial an external service directly. For this method to work, [`TransparentProxy`](/consul/docs/connect/transparent-proxy) must be enabled. + The following table describes traffic behaviors when using the `destination` field to route traffic through a terminating gateway: | External Services Layer | Client dials | Client uses TLS | Allowed | Notes | @@ -205,7 +206,7 @@ true ### Update terminating gateway ACL role if ACLs are enabled -If ACLs are enabled, update the terminating gateway acl role to have `service: write` permissions on all of the services +If ACLs are enabled, update the terminating gateway ACL role to have `service:write` permissions on all of the services being represented by the gateway. Create a new policy that includes the write permission for the service you created. @@ -232,15 +233,14 @@ service "example-https" { } ``` -Fetch the ID of the terminating gateway token. +Obtain the ID of the terminating gateway role. ```shell-session -consul acl role list | grep -B 6 -- "- RELEASE_NAME-terminating-gateway-policy" | grep ID - -ID: +$ consul acl role list -format=json | jq --raw-output '[.[] | select(.Name | endswith("-terminating-gateway-acl-role"))] | if (. | length) == 1 then (. | first | .ID) else "Unable to determine the role ID because there are multiple roles matching this name.\n" | halt_error end' + ``` -Update the terminating gateway ACL token with the new policy. +Update the terminating gateway ACL role with the new policy. ```shell-session $ consul acl role update -id -policy-name example-https-write-policy @@ -379,7 +379,7 @@ deployment "static-client" successfully rolled out You can verify connectivity of the static-client and terminating gateway via a curl command. - + ```shell-session $ kubectl exec deploy/static-client -- curl -vvvs https://example.com/