diff --git a/website/content/api-docs/agent/connect.mdx b/website/content/api-docs/agent/connect.mdx
index 68944b404bde..c45eae34999f 100644
--- a/website/content/api-docs/agent/connect.mdx
+++ b/website/content/api-docs/agent/connect.mdx
@@ -2,18 +2,18 @@
layout: api
page_title: Connect - Agent - HTTP API
description: >-
- The /agent/connect endpoints interact with Connect with agent-local
+ The /agent/connect endpoints interact with agent-local service mesh
operations.
---
# Connect - Agent HTTP API
-The `/agent/connect` endpoints interact with [Connect](/consul/docs/connect)
-with agent-local operations.
+The `/agent/connect` endpoints interact with
+with agent-local [service mesh](/consul/docs/connect) operations.
-These endpoints may mirror the [non-agent Connect endpoints](/consul/api-docs/connect)
-in some cases. Almost all agent-local Connect endpoints perform local caching
-to optimize performance of Connect without having to make requests to the server.
+These endpoints may mirror the [non-agent service mesh endpoints](/consul/api-docs/connect)
+in some cases. Almost all agent-local service mesh endpoints perform local caching
+to optimize performance of the mesh without having to make requests to the server.
## Authorize
@@ -29,7 +29,7 @@ This endpoint tests whether a connection attempt is authorized between
two services. This is the primary API that must be implemented by
[proxies](/consul/docs/connect/proxies) or
[native integrations](/consul/docs/connect/native)
-that wish to integrate with Connect. Prior to calling this API, it is expected
+that wish to integrate with the service mesh. Prior to calling this API, it is expected
that the client TLS certificate has been properly verified against the
current CA roots.
@@ -108,7 +108,7 @@ This is used by [proxies](/consul/docs/connect/proxies) or
[native integrations](/consul/docs/connect/native) to verify served client
or server certificates are valid.
-This is equivalent to the [non-Agent Connect endpoint](/consul/api-docs/connect),
+This is equivalent to the [non-Agent service mesh endpoint](/consul/api-docs/connect),
but the response of this request is cached locally at the agent. This allows
for very fast response times and for fail open behavior if the server is
unavailable. This endpoint should be used by proxies and native integrations.
@@ -248,7 +248,7 @@ $ curl \
## Methods to Specify Namespace
-Local agent connect endpoints
+Local agent service mesh endpoints
support several methods for specifying the namespace of resources
with the following order of precedence:
1. `Namespace` field of the JSON request body -
diff --git a/website/content/api-docs/agent/service.mdx b/website/content/api-docs/agent/service.mdx
index 38eedad35362..acaa2e8d0fb1 100644
--- a/website/content/api-docs/agent/service.mdx
+++ b/website/content/api-docs/agent/service.mdx
@@ -130,7 +130,7 @@ following selectors and filter operations being supported:
This endpoint was added in Consul 1.3.0 and returns the full service definition
for a single service instance registered on the local agent. It is used by
-[Connect proxies](/consul/docs/connect/proxies) to discover the embedded proxy
+[service mesh proxies](/consul/docs/connect/proxies) to discover the embedded proxy
configuration that was registered with the instance.
It is important to note that the services known by the agent may be different
@@ -632,18 +632,18 @@ The `/agent/service/register` endpoint supports camel case and _snake case_ for
- `Kind` `(string: "")` - The kind of service. Defaults to "" which is a
typical Consul service. This value may also be "connect-proxy" for
- [Connect](/consul/docs/connect) proxies representing another service,
- "mesh-gateway" for instances of a [mesh gateway](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration),
+ [service mesh](/consul/docs/connect) proxies representing another service,
+ "mesh-gateway" for instances of a [mesh gateway](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration),
"terminating-gateway" for instances of a [terminating gateway](/consul/docs/connect/gateways/terminating-gateway),
or "ingress-gateway" for instances of a [ingress gateway](/consul/docs/connect/gateways/ingress-gateway).
- `Proxy` `(Proxy: nil)` - From 1.2.3 on, specifies the configuration for a
- Connect service proxy instance. This is only valid if `Kind` defines a proxy or gateway.
+ service mesh proxy instance. This is only valid if `Kind` defines a proxy or gateway.
See the [Proxy documentation](/consul/docs/connect/registration/service-registration)
for full details.
- `Connect` `(Connect: nil)` - Specifies the
- [configuration for Connect](/consul/docs/connect/configuration). See the
+ [configuration for service mesh](/consul/docs/connect/configuration). The connect subsystem provides Consul's service mesh capabilities. Refer to the
[Connect Structure](#connect-structure) section below for supported fields.
- `Check` `(Check: nil)` - Specifies a check. Please see the
@@ -689,12 +689,12 @@ The `/agent/service/register` endpoint supports camel case and _snake case_ for
For the `Connect` field, the parameters are:
- `Native` `(bool: false)` - Specifies whether this service supports
- the [Connect](/consul/docs/connect) protocol [natively](/consul/docs/connect/native).
- If this is true, then Connect proxies, DNS queries, etc. will be able to
+ the [Consul service mesh](/consul/docs/connect) protocol [natively](/consul/docs/connect/native).
+ If this is true, then service mesh proxies, DNS queries, etc. will be able to
service discover this service.
- `Proxy` `(Proxy: nil)` -
[**Deprecated**](/consul/docs/connect/proxies/managed-deprecated) Specifies that
- a managed Connect proxy should be started for this service instance, and
+ a managed service mesh proxy should be started for this service instance, and
optionally provides configuration for the proxy. The format is as documented
in [Managed Proxy Deprecation](/consul/docs/connect/proxies/managed-deprecated).
- `SidecarService` `(ServiceDefinition: nil)` - Specifies an optional nested
diff --git a/website/content/api-docs/catalog.mdx b/website/content/api-docs/catalog.mdx
index 2b470dd57886..c7f715849ccf 100644
--- a/website/content/api-docs/catalog.mdx
+++ b/website/content/api-docs/catalog.mdx
@@ -650,9 +650,9 @@ $ curl \
[service registration API](/consul/api-docs/agent/service#kind) for more information.
- `ServiceProxy` is the proxy config as specified in
- [Connect Proxies](/consul/docs/connect/proxies).
+ [service mesh Proxies](/consul/docs/connect/proxies).
-- `ServiceConnect` are the [Connect](/consul/docs/connect) settings. The
+- `ServiceConnect` are the [service mesh](/consul/docs/connect) settings. The
value of this struct is equivalent to the `Connect` field for service
registration.
@@ -704,13 +704,13 @@ following selectors and filter operations being supported:
| `TaggedAddresses.` | Equal, Not Equal, In, Not In, Matches, Not Matches |
| `TaggedAddresses` | Is Empty, Is Not Empty, In, Not In |
-## List Nodes for Connect-capable Service
+## List Nodes for Mesh-capable Service
This endpoint returns the nodes providing a
-[Connect-capable](/consul/docs/connect) service in a given datacenter.
+[mesh-capable](/consul/docs/connect) service in a given datacenter.
This will include both proxies and native integrations. A service may
-register both Connect-capable and incapable services at the same time,
-so this endpoint may be used to filter only the Connect-capable endpoints.
+register both mesh-capable and incapable services at the same time,
+so this endpoint may be used to filter only the mesh-capable endpoints.
@include 'http_api_results_filtered_by_acls.mdx'
diff --git a/website/content/api-docs/connect/ca.mdx b/website/content/api-docs/connect/ca.mdx
index 75a1e2ab9159..ad808c13df44 100644
--- a/website/content/api-docs/connect/ca.mdx
+++ b/website/content/api-docs/connect/ca.mdx
@@ -8,7 +8,7 @@ description: |-
# Certificate Authority (CA) - Connect HTTP API
-The `/connect/ca` endpoints provide tools for interacting with Connect's
+The `/connect/ca` endpoints provide tools for interacting with the service mesh's
Certificate Authority mechanism.
## List CA Root Certificates
@@ -33,7 +33,7 @@ The table below shows this endpoint's support for
### Query Parameters
- `pem` `(boolean: false)` - Specifies that the return body should be a PEM encoded
- certificate chain suitable for use by applications needing to trust Connect CA
+ certificate chain suitable for use by applications needing to trust service mesh CA
signed certificates. The Content-Type will be set to `application/pem-certificate-chain`
to indicate the format of the response.
@@ -181,7 +181,7 @@ The corresponding CLI command is [`consul connect ca set-config`](/consul/comman
- `Provider` `(string: )` - Specifies the CA provider type to use.
- `Config` `(map[string]string: )` - The raw configuration to use
- for the chosen provider. For more information on configuring the Connect CA
+ for the chosen provider. For more information on configuring the service mesh CA
providers, see [Provider Config](/consul/docs/connect/ca).
- `ForceWithoutCrossSigning` `(bool: false)` - Indicates that the CA change
diff --git a/website/content/api-docs/connect/index.mdx b/website/content/api-docs/connect/index.mdx
index 3324ec14e782..609a8d4f08bf 100644
--- a/website/content/api-docs/connect/index.mdx
+++ b/website/content/api-docs/connect/index.mdx
@@ -2,20 +2,25 @@
layout: api
page_title: Connect - HTTP API
description: >-
- The `/connect` endpoints provide access to Connect-related operations for
+ The `/connect` endpoints provide access to service mesh-related operations for
intentions and the certificate authority.
---
# Connect HTTP Endpoint
The `/connect` endpoints provide access to
-[Connect-related](/consul/docs/connect) operations for
+[service mesh-related](/consul/docs/connect) operations for
intentions and the certificate authority.
-There are also Connect-related endpoints in the
+There are also service mesh-related endpoints in the
[Agent](/consul/api-docs/agent) and [Catalog](/consul/api-docs/catalog) APIs. For example,
the API for requesting a TLS certificate for a service is part of the agent
-APIs. And the catalog API has an endpoint for finding all Connect-capable
+APIs. And the catalog API has an endpoint for finding all mesh-capable
services in the catalog.
+The noun _connect_ is used throughout this documentation to refer to the connect
+subsystem that provides Consul's service mesh capabilities.
+Where you encounter the _noun_ connect, it is usually functionality specific to
+service mesh.
+
Please choose a sub-section in the navigation for more information.
diff --git a/website/content/api-docs/connect/intentions.mdx b/website/content/api-docs/connect/intentions.mdx
index 1658b16992fb..cdfeb463cda0 100644
--- a/website/content/api-docs/connect/intentions.mdx
+++ b/website/content/api-docs/connect/intentions.mdx
@@ -672,7 +672,7 @@ $ curl \
## Methods to Specify Namespace
-Connect intention endpoints
+Intention endpoints
support several methods for specifying the namespace of intention resources
with the following order of precedence:
1. `ns` query parameter
diff --git a/website/content/api-docs/discovery-chain.mdx b/website/content/api-docs/discovery-chain.mdx
index a96f0e89fe5a..ba222116ec65 100644
--- a/website/content/api-docs/discovery-chain.mdx
+++ b/website/content/api-docs/discovery-chain.mdx
@@ -9,7 +9,7 @@ description: The /discovery-chain endpoints are for interacting with the discove
-> **1.6.0+:** The discovery chain API is available in Consul versions 1.6.0 and newer.
~> This is a low-level API primarily targeted at developers building external
-[Connect proxy integrations](/consul/docs/connect/proxies/integrate). Future
+[service mesh proxy integrations](/consul/docs/connect/proxies/integrate). Future
high-level proxy integration APIs may obviate the need for this API over time.
The `/discovery-chain` endpoint returns the compiled [discovery
@@ -17,7 +17,7 @@ chain](/consul/docs/connect/l7-traffic/discovery-chain) for a service.
This will fetch all related [configuration
entries](/consul/docs/agent/config-entries) and render them into a form suitable
-for use by a [connect proxy](/consul/docs/connect/proxies) implementation. This
+for use by a [service mesh proxy](/consul/docs/connect/proxies) implementation. This
is a key component of [L7 Traffic
Management](/consul/docs/connect/l7-traffic).
diff --git a/website/content/api-docs/health.mdx b/website/content/api-docs/health.mdx
index 645381a209be..cb8ef9f4eaf0 100644
--- a/website/content/api-docs/health.mdx
+++ b/website/content/api-docs/health.mdx
@@ -410,13 +410,13 @@ following selectors and filter operations being supported:
| `Service.Weights.Passing` | Equal, Not Equal |
| `Service.Weights.Warning` | Equal, Not Equal |
-## List Service Instances for Connect-enabled Service
+## List Service Instances for Mesh-enabled Service
This endpoint returns the service instances providing a
-[Connect-capable](/consul/docs/connect) service in a given datacenter.
+[mesh-capable](/consul/docs/connect) service in a given datacenter.
This will include both proxies and native integrations. A service may
-register both Connect-capable and incapable services at the same time,
-so this endpoint may be used to filter only the Connect-capable endpoints.
+register both mesh-capable and incapable services at the same time,
+so this endpoint may be used to filter only the mesh-capable endpoints.
@include 'http_api_results_filtered_by_acls.mdx'
diff --git a/website/content/api-docs/operator/usage.mdx b/website/content/api-docs/operator/usage.mdx
index 75298e32b209..b1dc75c39e08 100644
--- a/website/content/api-docs/operator/usage.mdx
+++ b/website/content/api-docs/operator/usage.mdx
@@ -3,14 +3,14 @@ layout: api
page_title: Usage - Operator - HTTP API
description: |-
The /operator/usage endpoint returns usage information about the number of
- services, service instances and Connect-enabled service instances by
+ services, service instances and mesh-enabled service instances by
datacenter.
---
# Usage Operator HTTP API
The `/operator/usage` endpoint returns usage information about the number of
-services, service instances and Connect-enabled service instances by datacenter.
+services, service instances and mesh-enabled service instances by datacenter.
| Method | Path | Produces |
| ------ | ----------------- | ------------------ |
@@ -142,12 +142,12 @@ $ curl \
- `ServiceInstances` is the total number of service instances registered in
the datacenter.
-- `ConnectServiceInstances` is the total number of Connect service instances
+- `ConnectServiceInstances` is the total number of mesh service instances
registered in the datacenter.
- `BillableServiceInstances` is the total number of billable service instances
registered in the datacenter. This is only relevant in Consul Enterprise
- and is the total service instance count, not including any Connect service
+ and is the total service instance count, not including any mesh service
instances or any Consul server instances.
- `PartitionNamespaceServices` is the total number
@@ -163,5 +163,5 @@ $ curl \
by partition and namespace.
- `PartitionNamespaceConnectServiceInstances` is
- the total number of Connect service instances registered in the datacenter,
+ the total number of mesh service instances registered in the datacenter,
by partition and namespace.
diff --git a/website/content/api-docs/query.mdx b/website/content/api-docs/query.mdx
index 09aa867c479f..c71e4c441d26 100644
--- a/website/content/api-docs/query.mdx
+++ b/website/content/api-docs/query.mdx
@@ -251,12 +251,12 @@ The table below shows this endpoint's support for
key/value pairs that will be used for filtering the query results to services
with the given metadata values present.
-* `Connect` `(bool: false)` - If true, only [Connect-capable](/consul/docs/connect) services
+* `Connect` `(bool: false)` - If true, only [mesh-capable](/consul/docs/connect) services
for the specified service name will be returned. This includes both
natively integrated services and proxies. For proxies, the proxy name
may not match `Service`, because the proxy destination will. Any
- constrains beyond the service name such as `Near`, `Tags`, and `NodeMeta`
- are applied to Connect-capable service.
+ constraints beyond the service name such as `Near`, `Tags`, and `NodeMeta`
+ are applied to mesh-capable service.
* `DNS` `(DNS: nil)` - Specifies DNS configuration
@@ -535,8 +535,8 @@ be used.
This is applied after any sorting or shuffling.
- `connect` `(bool: false)` - If true, limit results to nodes that are
- Connect-capable only. This parameter can also be specified directly on the template
- itself to force all executions of a query to be Connect-only. See the
+ mesh-capable only. This parameter can also be specified directly on the template
+ itself to force all executions of a query to be mesh-only. See the
template documentation for more information.
### Sample Request
diff --git a/website/content/commands/config/write.mdx b/website/content/commands/config/write.mdx
index 24e17aa34ae4..bb98d8e49888 100644
--- a/website/content/commands/config/write.mdx
+++ b/website/content/commands/config/write.mdx
@@ -79,8 +79,9 @@ supported config entries.
#### Service defaults
-Service defaults control default global values for a service, such as the
-protocol and Connect fields.
+Service defaults control default global values for a service in the service mesh.
+For example, the following configuration defines that all instances of the `web`
+service use the `http` protocol.
```json
{
@@ -90,33 +91,23 @@ protocol and Connect fields.
}
```
-- `Name` - Sets the name of the config entry. For service defaults, this must be
- the name of the service being configured.
-
-- `Protocol` - Sets the protocol of the service. This is used by Connect proxies
- for things like observability features.
-
-- `Connect` - This block contains Connect-related fields for the service.
-
- - `SidecarProxy` - Sets whether or not instances of this service should get a
- sidecar proxy by default.
+For more information, refer to the [service defaults configuration reference](/consul/docs/connect/config-entries/service-defaults).
#### Proxy defaults
-Proxy defaults allow for configuring global config defaults across all services
-for Connect proxy config. Currently, only one global entry is supported.
+Proxy defaults lets you configure global config defaults across all proxies
+in the service mesh. Currently, it supports only one global entry.
+For example, the following configuration overrides a default timeout for all
+Envoy proxies.
```json
{
"Kind": "proxy-defaults",
"Name": "global",
"Config": {
- "foo": 1
+ "local_idle_timeout_ms": 20000
}
}
```
-- `Name` - Sets the name of the config entry. Currently, only a single `proxy-defaults`
- entry with the name `global` is supported.
-
-* `Config` - An arbitrary map of configuration values used by Connect proxies.
+For more information, refer to the [proxy defaults configuration reference](/consul/docs/connect/config-entries/proxy-defaults).
diff --git a/website/content/commands/connect/ca.mdx b/website/content/commands/connect/ca.mdx
index 17a76a622214..350d18e6d318 100644
--- a/website/content/commands/connect/ca.mdx
+++ b/website/content/commands/connect/ca.mdx
@@ -10,14 +10,15 @@ description: >
Command: `consul connect ca`
-The CA connect command is used to interact with Consul Connect's Certificate Authority
-subsystem. The command can be used to view or modify the current CA configuration. See the
-[Connect CA documentation](/consul/docs/connect/ca) for more information.
+This command is used to interact with Consul service mesh's Certificate Authority
+managed by the connect subsystem.
+It can be used to view or modify the current CA configuration. Refer to the
+[service mesh CA documentation](/consul/docs/connect/ca) for more information.
```text
Usage: consul connect ca [options] [args]
- This command has subcommands for interacting with Consul Connect's
+ This command has subcommands for interacting with Consul service mesh's
Certificate Authority (CA).
Here are some simple examples, and more detailed examples are available
@@ -34,8 +35,8 @@ Usage: consul connect ca [options] [args]
For more examples, ask for subcommand help or view the documentation.
Subcommands:
- get-config Display the current Connect Certificate Authority (CA) configuration
- set-config Modify the current Connect CA configuration
+ get-config Display the current service mesh Certificate Authority (CA) configuration
+ set-config Modify the current service mesh CA configuration
```
## get-config
diff --git a/website/content/commands/connect/envoy.mdx b/website/content/commands/connect/envoy.mdx
index c9e0ffb2e932..8d60e6996516 100644
--- a/website/content/commands/connect/envoy.mdx
+++ b/website/content/commands/connect/envoy.mdx
@@ -11,7 +11,7 @@ Command: `consul connect envoy`
The connect Envoy command is used to generate a bootstrap configuration for
[Envoy proxy](https://envoyproxy.io) for use with [Consul
-Connect](/consul/docs/connect/).
+service mesh](/consul/docs/connect/).
Refer to the [examples](#examples) for guidance on common use cases,
such as [launching a service instance's sidecar proxy
diff --git a/website/content/commands/connect/expose.mdx b/website/content/commands/connect/expose.mdx
index 97ca3910fc06..79be1e0e60ae 100644
--- a/website/content/commands/connect/expose.mdx
+++ b/website/content/commands/connect/expose.mdx
@@ -2,7 +2,7 @@
layout: commands
page_title: 'Commands: Connect Expose'
description: >
- The connect expose subcommand is used to expose a Connect-enabled service
+ The connect expose subcommand is used to expose a mesh-enabled service
through an Ingress gateway by modifying the gateway's configuration and adding
an intention to allow traffic from the gateway to the service.
---
@@ -11,7 +11,7 @@ description: >
Command: `consul connect expose`
-The connect expose subcommand is used to expose a Connect-enabled service
+The connect expose subcommand is used to expose a mesh-enabled service
through an Ingress gateway by modifying the gateway's configuration and adding
an intention to allow traffic from the gateway to the service. See the
[Ingress gateway documentation](/consul/docs/connect/gateways/ingress-gateway) for more information
@@ -20,7 +20,7 @@ about Ingress gateways.
```text
Usage: consul connect expose [options]
- Exposes a Connect-enabled service through the given ingress gateway, using the
+ Exposes a mesh-enabled service through the given ingress gateway, using the
given protocol and port.
```
diff --git a/website/content/commands/connect/index.mdx b/website/content/commands/connect/index.mdx
index b390f1899354..8ebf11a7beaf 100644
--- a/website/content/commands/connect/index.mdx
+++ b/website/content/commands/connect/index.mdx
@@ -9,10 +9,10 @@ description: >-
Command: `consul connect`
-The `connect` command is used to interact with Consul
-[service mesh](/consul/docs/connect) subsystems. It exposes commands for
-running the built-in mTLS proxy and viewing/updating the Certificate Authority
-(CA) configuration. This command is available in Consul 1.2 and later.
+The `connect` command is used to interact with the connect subsystem
+that provides Consul's [service mesh](/consul/docs/connect) capabilities.
+It exposes commands for running service mesh proxies and
+for viewing/updating the service mesh Certificate Authority (CA) configuration.
## Usage
@@ -24,22 +24,22 @@ the complete list of subcommands.
```text
Usage: consul connect [options] [args]
- This command has subcommands for interacting with Consul Connect.
+ This command has subcommands for interacting with Consul service mesh.
Here are some simple examples, and more detailed examples are available
in the subcommands or the documentation.
- Run the built-in Connect mTLS proxy
+ Run the production service mesh proxy
- $ consul connect proxy
+ $ consul connect envoy
For more examples, ask for subcommand help or view the documentation.
Subcommands:
- ca Interact with the Consul Connect Certificate Authority (CA)
- envoy Runs or Configures Envoy as a Connect proxy
- expose Expose a Connect-enabled service through an Ingress gateway
- proxy Runs a Consul Connect proxy
+ ca Interact with the Consul service mesh Certificate Authority (CA)
+ envoy Runs or configures Envoy as a service mesh proxy
+ expose Expose a mesh-enabled service through an Ingress gateway
+ proxy Runs a non-production, built-in service mesh sidecar proxy
redirect-traffic Applies iptables rules for traffic redirection
```
diff --git a/website/content/commands/connect/proxy.mdx b/website/content/commands/connect/proxy.mdx
index 2bdfb2a9a2b3..db3192dbee4f 100644
--- a/website/content/commands/connect/proxy.mdx
+++ b/website/content/commands/connect/proxy.mdx
@@ -3,7 +3,7 @@ layout: commands
page_title: 'Commands: Connect Proxy'
description: >
The connect proxy subcommand is used to run the built-in mTLS proxy for
- Connect.
+ Consul service mesh.
---
# Consul Connect Proxy
@@ -11,9 +11,9 @@ description: >
Command: `consul connect proxy`
The connect proxy command is used to run Consul's built-in mTLS proxy for
-use with Connect. This can be used in production to enable a Connect-unaware
-application to accept and establish Connect-based connections. This proxy
-can also be used in development to connect to Connect-enabled services.
+use with Consul service mesh. This can be used in production to enable a mesh-unaware
+application to accept and establish mesh-based connections. This proxy
+can also be used in development to connect to mesh-enabled services.
## Usage
@@ -49,7 +49,7 @@ Usage: `consul connect proxy [options]`
- `-upstream` - Upstream service to support connecting to. The format should be
'name:addr', such as 'db:8181'. This will make 'db' available on port 8181.
When a regular TCP connection is made to port 8181, the proxy will service
- discover "db" and establish a Connect mTLS connection identifying as
+ discover "db" and establish a Consul service mesh mTLS connection identifying as
the `-service` value. This flag can be repeated multiple times.
- `-listen` - Address to listen for inbound connections to the proxied service.
@@ -60,7 +60,7 @@ Usage: `consul connect proxy [options]`
`-listen`.
- `-register` - Self-register with the local Consul agent, making this
- proxy available as Connect-capable service in the catalog. This is only
+ proxy available as mesh-capable service in the catalog. This is only
useful with `-listen`.
- `-register-id` - Optional ID suffix for the service when `-register` is set to
diff --git a/website/content/commands/connect/redirect-traffic.mdx b/website/content/commands/connect/redirect-traffic.mdx
index ded81c4a9424..44decfef4071 100644
--- a/website/content/commands/connect/redirect-traffic.mdx
+++ b/website/content/commands/connect/redirect-traffic.mdx
@@ -13,7 +13,7 @@ Command: `consul connect redirect-traffic`
The connect redirect-traffic command is used to apply traffic redirection rules to enforce
all traffic to go through the [Envoy proxy](https://envoyproxy.io) when using [Consul
-Service Mesh](/consul/docs/connect/) in the Transparent Proxy mode.
+service mesh](/consul/docs/connect/) in the Transparent Proxy mode.
This command requires `iptables` command line utility to be installed,
and as a result, this command can currently only run on linux.
diff --git a/website/content/commands/index.mdx b/website/content/commands/index.mdx
index 415fc551d331..a3e500811034 100644
--- a/website/content/commands/index.mdx
+++ b/website/content/commands/index.mdx
@@ -31,13 +31,13 @@ Available commands are:
acl Interact with Consul's ACLs
agent Runs a Consul agent
catalog Interact with the catalog
- connect Interact with Consul Connect
+ connect Interact with service mesh functionality
debug Records a debugging archive for operators
event Fire a new event
exec Executes a command on Consul nodes
force-leave Forces a member of the cluster to enter the "left" state
info Provides debugging information for operators.
- intention Interact with Connect service intentions
+ intention Interact with service mesh intentions
join Tell Consul agent to join cluster
keygen Generates a new encryption key
keyring Manages gossip layer encryption keys
diff --git a/website/content/commands/intention/index.mdx b/website/content/commands/intention/index.mdx
index d3e4fc56c431..f7ea711a27fb 100644
--- a/website/content/commands/intention/index.mdx
+++ b/website/content/commands/intention/index.mdx
@@ -9,7 +9,7 @@ description: >-
Command: `consul intention`
-The `intention` command is used to interact with Connect
+The `intention` command is used to interact with service mesh
[intentions](/consul/docs/connect/intentions). It exposes commands for
creating, updating, reading, deleting, checking, and managing intentions.
This command is available in Consul 1.2 and later.
diff --git a/website/content/commands/operator/usage.mdx b/website/content/commands/operator/usage.mdx
index b0d7d03db2f9..56d364862690 100644
--- a/website/content/commands/operator/usage.mdx
+++ b/website/content/commands/operator/usage.mdx
@@ -97,4 +97,4 @@ Total 3
- `-billable` - Display only billable service information. Default is `false`.
-- `-connect` - Display only Connect service information. Default is `false`.
+- `-connect` - Display only Consul service mesh component information. Default is `false`.
diff --git a/website/content/docs/agent/config/cli-flags.mdx b/website/content/docs/agent/config/cli-flags.mdx
index 863b05f2c68b..82d44d02528b 100644
--- a/website/content/docs/agent/config/cli-flags.mdx
+++ b/website/content/docs/agent/config/cli-flags.mdx
@@ -82,7 +82,7 @@ information.
- `-dev` ((#\_dev)) - Enable development server mode. This is useful for
quickly starting a Consul agent with all persistence options turned off, enabling
an in-memory server which can be used for rapid prototyping or developing against
- the API. In this mode, [Connect is enabled](/consul/docs/connect/configuration) and
+ the API. In this mode, [service mesh is enabled](/consul/docs/connect/configuration) and
will by default create a new root CA certificate on startup. This mode is **not**
intended for production use as it does not write any data to disk. The gRPC port
is also defaulted to `8502` in this mode.
diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/agent/config/config-files.mdx
index 4ba7ba54313e..e13cd6b4e369 100644
--- a/website/content/docs/agent/config/config-files.mdx
+++ b/website/content/docs/agent/config/config-files.mdx
@@ -245,8 +245,8 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
The initial RPC uses a JWT specified with either `intro_token`,
`intro_token_file` or the `CONSUL_INTRO_TOKEN` environment variable to authorize
the request. How the JWT token is verified is controlled by the `auto_config.authorizer`
- object available for use on Consul servers. Enabling this option also turns
- on Connect because it is vital for `auto_config`, more specifically the CA
+ object available for use on Consul servers. Enabling this option also enables
+ service mesh because it is vital for `auto_config`, more specifically the service mesh CA
and certificates infrastructure.
~> **Warning:** Enabling `auto_config` conflicts with the [`auto_encrypt.tls`](#tls) feature.
@@ -651,7 +651,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
- `primary_datacenter` - This designates the datacenter
which is authoritative for ACL information, intentions and is the root Certificate
- Authority for Connect. It must be provided to enable ACLs. All servers and datacenters
+ Authority for service mesh. It must be provided to enable ACLs. All servers and datacenters
must agree on the primary datacenter. Setting it on the servers is all you need
for cluster-level enforcement, but for the APIs to forward properly from the clients,
it must be set on them too. In Consul 0.8 and later, this also enables agent-level
@@ -946,7 +946,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
- `replication` ((#acl_tokens_replication)) - The ACL token used to
authorize secondary datacenters with the primary datacenter for replication
- operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when ACLs are enabled. This token may be provided later using the [agent token API](/consul/api-docs/agent#update-acl-tokens) on each server. This token must have at least "read" permissions on ACL data but if ACL token replication is enabled then it must have "write" permissions. This also enables Connect replication, for which the token will require both operator "write" and intention "read" permissions for replicating CA and Intention data.
+ operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when ACLs are enabled. This token may be provided later using the [agent token API](/consul/api-docs/agent#update-acl-tokens) on each server. This token must have at least "read" permissions on ACL data but if ACL token replication is enabled then it must have "write" permissions. This also enables service mesh data replication, for which the token will require both operator "write" and intention "read" permissions for replicating CA and Intention data.
~> **Warning:** When enabling ACL token replication on the secondary datacenter,
policies and roles already present in the secondary datacenter will be lost. For
@@ -1088,7 +1088,10 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
- `bootstrap_expect` Equivalent to the [`-bootstrap-expect` command-line flag](/consul/docs/agent/config/cli-flags#_bootstrap_expect).
-## Connect Parameters
+## Service Mesh Parameters ((#connect-parameters))
+
+The noun _connect_ is used throughout this documentation to refer to the connect
+subsystem that provides Consul's service mesh capabilities.
- `connect` This object allows setting options for the Connect feature.
@@ -1096,14 +1099,14 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
- `enabled` ((#connect_enabled)) (Defaults to `true`) Controls whether Connect features are
enabled on this agent. Should be enabled on all servers in the cluster
- in order for Connect to function properly.
+ in order for service mesh to function properly.
Will be set to `true` automatically if `auto_config.enabled` or `auto_encrypt.allow_tls` is `true`.
- `enable_mesh_gateway_wan_federation` ((#connect_enable_mesh_gateway_wan_federation)) (Defaults to `false`) Controls whether cross-datacenter federation traffic between servers is funneled
through mesh gateways. This was added in Consul 1.8.0.
- `ca_provider` ((#connect_ca_provider)) Controls which CA provider to
- use for Connect's CA. Currently only the `aws-pca`, `consul`, and `vault` providers are supported.
+ use for the service mesh's CA. Currently only the `aws-pca`, `consul`, and `vault` providers are supported.
This is only used when initially bootstrapping the cluster. For an existing cluster,
use the [Update CA Configuration Endpoint](/consul/api-docs/connect/ca#update-ca-configuration).
@@ -1140,13 +1143,13 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
- `root_pki_path` ((#vault_ca_root_pki)) The path to use for the root
CA pki backend in Vault. This can be an existing backend with a CA already
- configured, or a blank/unmounted backend in which case Connect will automatically
+ configured, or a blank/unmounted backend in which case Consul will automatically
mount/generate the CA. The Vault token given above must have `sudo` access
to this backend, as well as permission to mount the backend at this path if
it is not already mounted.
- `intermediate_pki_path` ((#vault_ca_intermediate_pki))
- The path to use for the temporary intermediate CA pki backend in Vault. **Connect
+ The path to use for the temporary intermediate CA pki backend in Vault. **Consul
will overwrite any data at this path in order to generate a temporary intermediate
CA**. The Vault token given above must have `write` access to this backend,
as well as permission to mount the backend at this path if it is not already
@@ -1391,14 +1394,14 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
- `allow_tls` (Defaults to `false`) This option enables
`auto_encrypt` on the servers and allows them to automatically distribute certificates
- from the Connect CA to the clients. If enabled, the server can accept incoming
- connections from both the built-in CA and the Connect CA, as well as their certificates.
+ from the service mesh CA to the clients. If enabled, the server can accept incoming
+ connections from both the built-in CA and the service mesh CA, as well as their certificates.
Note, the server will only present the built-in CA and certificate, which the
client can verify using the CA it received from `auto_encrypt` endpoint. If disabled,
a client configured with `auto_encrypt.tls` will be unable to start.
- `tls` (Defaults to `false`) Allows the client to request the
- Connect CA and certificates from the servers, for encrypting RPC communication.
+ service mesh CA and certificates from the servers, for encrypting RPC communication.
The client will make the request to any servers listed in the `-retry-join`
option. This requires that every server to have `auto_encrypt.allow_tls` enabled.
When both `auto_encrypt` options are used, it allows clients to receive certificates
@@ -2186,7 +2189,7 @@ specially crafted certificate signed by the CA can be used to gain full access t
~> **Security Note:** `verify_server_hostname` *must* be set to true to prevent a
compromised client from gaining full read and write access to all cluster
- data *including all ACL tokens and Connect CA root keys*.
+ data *including all ACL tokens and service mesh CA root keys*.
- `server_name` When provided, this overrides the [`node_name`](#_node)
for the TLS certificate. It can be used to ensure that the certificate name matches
diff --git a/website/content/docs/agent/index.mdx b/website/content/docs/agent/index.mdx
index 51c5b713ef5e..c7bf699f87c1 100644
--- a/website/content/docs/agent/index.mdx
+++ b/website/content/docs/agent/index.mdx
@@ -202,7 +202,7 @@ The following settings are commonly used in the configuration file (also called
### Server node in a service mesh
The following example configuration is for a server agent named "`consul-server`". The server is [bootstrapped](/consul/docs/agent/config/cli-flags#_bootstrap) and the Consul GUI is enabled.
-The reason this server agent is configured for a service mesh is that the `connect` configuration is enabled. Connect is Consul's service mesh component that provides service-to-service connection authorization and encryption using mutual Transport Layer Security (TLS). Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections without being aware of Connect at all. See [Connect](/consul/docs/connect) for details.
+The reason this server agent is configured for a service mesh is that the `connect` configuration is enabled. The connect subsystem provides Consul's service mesh capabilities, including service-to-service connection authorization and encryption using mutual Transport Layer Security (TLS). Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections without being aware of Consul service mesh at all. Refer to [Consul Service Mesh](/consul/docs/connect) for details.
diff --git a/website/content/docs/agent/telemetry.mdx b/website/content/docs/agent/telemetry.mdx
index df8fdef15dc4..fd9444024bc3 100644
--- a/website/content/docs/agent/telemetry.mdx
+++ b/website/content/docs/agent/telemetry.mdx
@@ -392,7 +392,7 @@ This is a full list of metrics emitted by Consul.
| `consul.state.services` | Measures the current number of unique services registered with Consul, based on service name. It is only emitted by Consul servers. Added in v1.9.0. | number of objects | gauge |
| `consul.state.service_instances` | Measures the current number of unique service instances registered with Consul. It is only emitted by Consul servers. Added in v1.9.0. | number of objects | gauge |
| `consul.state.kv_entries` | Measures the current number of entries in the Consul KV store. It is only emitted by Consul servers. Added in v1.10.3. | number of objects | gauge |
-| `consul.state.connect_instances` | Measures the current number of unique connect service instances registered with Consul labeled by Kind (e.g. connect-proxy, connect-native, etc). Added in v1.10.4 | number of objects | gauge |
+| `consul.state.connect_instances` | Measures the current number of unique mesh service instances registered with Consul labeled by Kind (e.g. connect-proxy, connect-native, etc). Added in v1.10.4 | number of objects | gauge |
| `consul.state.config_entries` | Measures the current number of configuration entries registered with Consul labeled by Kind (e.g. service-defaults, proxy-defaults, etc). See [Configuration Entries](/consul/docs/connect/config-entries) for more information. Added in v1.10.4 | number of objects | gauge |
| `consul.members.clients` | Measures the current number of client agents registered with Consul. It is only emitted by Consul servers. Added in v1.9.6. | number of clients | gauge |
| `consul.members.servers` | Measures the current number of server agents registered with Consul. It is only emitted by Consul servers. Added in v1.9.6. | number of servers | gauge |
@@ -666,17 +666,17 @@ are allowed for .
| `consul.catalog.service.query-tag` | Increments for each catalog query for the given service with the given tag. | queries | counter |
| `consul.catalog.service.query-tags` | Increments for each catalog query for the given service with the given tags. | queries | counter |
| `consul.catalog.service.not-found` | Increments for each catalog query where the given service could not be found. | queries | counter |
-| `consul.catalog.connect.query` | Increments for each connect-based catalog query for the given service. | queries | counter |
-| `consul.catalog.connect.query-tag` | Increments for each connect-based catalog query for the given service with the given tag. | queries | counter |
-| `consul.catalog.connect.query-tags` | Increments for each connect-based catalog query for the given service with the given tags. | queries | counter |
-| `consul.catalog.connect.not-found` | Increments for each connect-based catalog query where the given service could not be found. | queries | counter |
+| `consul.catalog.connect.query` | Increments for each mesh-based catalog query for the given service. | queries | counter |
+| `consul.catalog.connect.query-tag` | Increments for each mesh-based catalog query for the given service with the given tag. | queries | counter |
+| `consul.catalog.connect.query-tags` | Increments for each mesh-based catalog query for the given service with the given tags. | queries | counter |
+| `consul.catalog.connect.not-found` | Increments for each mesh-based catalog query where the given service could not be found. | queries | counter |
| `consul.mesh.active-root-ca.expiry` | The number of seconds until the root CA expires, updated every hour. | seconds | gauge |
| `consul.mesh.active-signing-ca.expiry` | The number of seconds until the signing CA expires, updated every hour. | seconds | gauge |
| `consul.agent.tls.cert.expiry` | The number of seconds until the Agent TLS certificate expires, updated every hour. | seconds | gauge |
-## Connect Built-in Proxy Metrics
+## Service Mesh Built-in Proxy Metrics
-Consul Connect's built-in proxy is by default configured to log metrics to the
+Consul service mesh's built-in proxy is by default configured to log metrics to the
same sink as the agent that starts it.
When running in this mode it emits some basic metrics. These will be expanded
diff --git a/website/content/docs/architecture/scale.mdx b/website/content/docs/architecture/scale.mdx
index da2031fd95ba..1cf31162da86 100644
--- a/website/content/docs/architecture/scale.mdx
+++ b/website/content/docs/architecture/scale.mdx
@@ -257,7 +257,7 @@ Consul ESM enables health checks and monitoring for external services. When usin
Because Consul’s service mesh uses service discovery subsystems, service mesh performance is also optimized by deploying multiple small clusters with consistent numbers of service instances and watches. Service mesh performance is influenced by the following additional factors:
- The [transparent proxy](/consul/docs/connect/transparent-proxy) feature causes client agents to listen for service instance updates across all services instead of a subset. To prevent performance issues, we recommend that you do not use the permissive intention, `default: allow`, with the transparent proxy feature. When combined, every service instance update propagates to every proxy, which causes additional server load.
-- When you use the [built in CA provider](/consul/docs/connect/ca/consul#built-in-ca), Consul leaders are responsible for signing certificates used for mTLS across the service mesh. The impact on CPU utilization depends on the total number of service instances and configured certificate TTLs. You can use the [CA provider configuration options](/consul/docs/agent/config/config-files#common-ca-config-options) to control the number of requests a server processes. We recommend adjusting [`csr_max_concurrent`](/consul/docs/agent/config/config-files#ca_csr_max_concurrent) and [`csr_max_per_second`](/consul/docs/agent/config/config-files#ca_csr_max_concurrent) to suit your environment.
+- When you use the [built-in service mesh CA provider](/consul/docs/connect/ca/consul#built-in-ca), Consul leaders are responsible for signing certificates used for mTLS across the service mesh. The impact on CPU utilization depends on the total number of service instances and configured certificate TTLs. You can use the [CA provider configuration options](/consul/docs/agent/config/config-files#common-ca-config-options) to control the number of requests a server processes. We recommend adjusting [`csr_max_concurrent`](/consul/docs/agent/config/config-files#ca_csr_max_concurrent) and [`csr_max_per_second`](/consul/docs/agent/config/config-files#ca_csr_max_concurrent) to suit your environment.
### K/V store
diff --git a/website/content/docs/connect/ca/aws.mdx b/website/content/docs/connect/ca/aws.mdx
index e10a8f5cfac0..cac5cb46e650 100644
--- a/website/content/docs/connect/ca/aws.mdx
+++ b/website/content/docs/connect/ca/aws.mdx
@@ -49,7 +49,7 @@ optional configuration value.
Example configurations are shown below:
-
+
@@ -116,7 +116,7 @@ ACM Private CA has several
that restrict how fast certificates can be issued. This may impact how quickly
large clusters can rotate all issued certificates.
-Currently, the ACM Private CA provider for Connect has some additional
+Currently, the ACM Private CA provider for service mesh has some additional
limitations described below.
### Unable to Cross-sign Other CAs
@@ -150,7 +150,7 @@ CA](https://aws.amazon.com/certificate-manager/pricing/) for actual cost
information.
Assume the following Consul datacenters exist and are configured to use ACM
-Private CA as their Connect CA with the default leaf certificate lifetime of
+Private CA as their service mesh CA with the default leaf certificate lifetime of
72 hours:
| Datacenter | Primary | CA Resource Created | Number of service instances |
diff --git a/website/content/docs/connect/ca/consul.mdx b/website/content/docs/connect/ca/consul.mdx
index 23d7f2ab4d49..8d36c001211f 100644
--- a/website/content/docs/connect/ca/consul.mdx
+++ b/website/content/docs/connect/ca/consul.mdx
@@ -7,12 +7,12 @@ description: >-
# Built-In Certificate Authority for Service Mesh
-Consul ships with a built-in CA system so that Connect can be
+Consul ships with a built-in CA system so that service mesh can be
easily enabled out of the box. The built-in CA generates and stores the
root certificate and private key on Consul servers. It can also be
configured with a custom certificate and private key if needed.
-If Connect is enabled and no CA provider is specified, the built-in
+If service mesh is enabled and no CA provider is specified, the built-in
CA is the default provider used. The provider can be
[updated and rotated](/consul/docs/connect/ca#root-certificate-rotation)
at any point to migrate to a new provider.
@@ -24,7 +24,7 @@ CA providers.
## Configuration
-The built-in CA provider has no required configuration. Enabling Connect
+The built-in CA provider has no required configuration. Enabling service mesh
alone will configure the built-in CA provider, and will automatically generate
a root certificate and private key:
@@ -84,8 +84,8 @@ $ curl localhost:8500/v1/connect/ca/configuration
}
```
-This is the default Connect CA configuration if nothing is explicitly set when
-Connect is enabled - the PrivateKey and RootCert fields have not been set, so those have
+This is the default service mesh CA configuration if nothing is explicitly set when
+service mesh is enabled - the PrivateKey and RootCert fields have not been set, so those have
been generated (as seen above in the roots list).
There are two ways to have the Consul CA use a custom private key and root certificate:
diff --git a/website/content/docs/connect/ca/index.mdx b/website/content/docs/connect/ca/index.mdx
index 03502a7395a4..13cc56c72d35 100644
--- a/website/content/docs/connect/ca/index.mdx
+++ b/website/content/docs/connect/ca/index.mdx
@@ -7,8 +7,8 @@ description: >-
# Service Mesh Certificate Authority Overview
-Certificate management in Connect is done centrally through the Consul
-servers using the configured CA (Certificate Authority) provider. A CA provider
+Service mesh certificate management is done centrally through the Consul
+servers using the configured service mesh CA (Certificate Authority) provider. A CA provider
manages root and intermediate certificates and performs certificate signing
operations. The Consul leader orchestrates CA provider operations as necessary,
such as when a service needs a new certificate or during CA rotation events.
@@ -42,7 +42,7 @@ datacenter.
CA initialization happens automatically when a new Consul leader is elected
as long as
-[Connect is enabled](/consul/docs/connect/configuration#agent-configuration),
+[service mesh is enabled](/consul/docs/connect/configuration#agent-configuration),
and the CA system has not already been initialized. This initialization process
will generate the initial root certificates and setup the internal Consul server
state.
@@ -55,7 +55,7 @@ If a CA is already initialized, any changes to the CA configuration in the
agent configuration file (including removing the configuration completely)
will have no effect.
-If no specific provider is configured when Connect is enabled, the built-in
+If no specific provider is configured when service mesh is enabled, the built-in
Consul CA provider will be used and a private key and root certificate will
be generated automatically.
@@ -133,7 +133,7 @@ Cross-Signing](#forced-rotation-without-cross-signing).
This also automatically occurs when a completely different CA provider is
configured (since this changes the root key). Therefore, this automatic rotation
process can also be used to cleanly transition between CA providers. For example,
-updating Connect to use Vault instead of the built-in CA.
+updating the service mesh to use Vault instead of the built-in CA.
During rotation, an intermediate CA certificate is requested from the new root,
which is then cross-signed by the old root. This cross-signed certificate is
diff --git a/website/content/docs/connect/ca/vault.mdx b/website/content/docs/connect/ca/vault.mdx
index 54fe5f4b674e..9c9abf8724fc 100644
--- a/website/content/docs/connect/ca/vault.mdx
+++ b/website/content/docs/connect/ca/vault.mdx
@@ -19,7 +19,7 @@ This page describes how configure the Vault CA provider.
- Vault 0.10.3 to 1.10.x.
-~> **Compatibility note:** If you use Vault 1.11.0+ as Consul's Connect CA, versions of Consul released before Dec 13, 2022 will develop an issue with Consul control plane or service mesh communication ([GH-15525](https://github.com/hashicorp/consul/pull/15525)). Use or upgrade to a [Consul version that includes the fix](https://support.hashicorp.com/hc/en-us/articles/11308460105491#01GMC24E6PPGXMRX8DMT4HZYTW) to avoid this problem.
+~> **Compatibility note:** If you use Vault 1.11.0+ as Consul's service mesh CA, versions of Consul released before Dec 13, 2022 will develop an issue with Consul control plane or service mesh communication ([GH-15525](https://github.com/hashicorp/consul/pull/15525)). Use or upgrade to a [Consul version that includes the fix](https://support.hashicorp.com/hc/en-us/articles/11308460105491#01GMC24E6PPGXMRX8DMT4HZYTW) to avoid this problem.
## Enable Vault as the CA
@@ -32,7 +32,7 @@ Refer to the [Configuration Reference](#configuration-reference) for details abo
The following example shows the required configurations for a default implementation:
-
+
diff --git a/website/content/docs/connect/config-entries/index.mdx b/website/content/docs/connect/config-entries/index.mdx
index 6d29a27cc387..de5acd1bce96 100644
--- a/website/content/docs/connect/config-entries/index.mdx
+++ b/website/content/docs/connect/config-entries/index.mdx
@@ -7,7 +7,7 @@ description: >-
# Configuration Entry Overview
-Configuration entries can be used to configure the behavior of Consul Connect.
+Configuration entries can be used to configure the behavior of Consul service mesh.
The following configuration entries are supported:
diff --git a/website/content/docs/connect/config-entries/mesh.mdx b/website/content/docs/connect/config-entries/mesh.mdx
index 7900a8104a9b..f65ed6162287 100644
--- a/website/content/docs/connect/config-entries/mesh.mdx
+++ b/website/content/docs/connect/config-entries/mesh.mdx
@@ -333,7 +333,7 @@ Note that the Kubernetes example does not include a `partition` field. Configura
type: 'bool: false',
description: `Determines whether sidecar proxies operating in transparent mode can
proxy traffic to IP addresses not registered in Consul's mesh. If enabled, traffic will only be proxied
- to upstream proxies or Connect-native services. If disabled, requests will be proxied as-is to the
+ to upstream proxies or mesh-native services. If disabled, requests will be proxied as-is to the
original destination IP address. Consul will not encrypt the connection.`,
},
],
diff --git a/website/content/docs/connect/config-entries/proxy-defaults.mdx b/website/content/docs/connect/config-entries/proxy-defaults.mdx
index cb9b9991712f..043d99263727 100644
--- a/website/content/docs/connect/config-entries/proxy-defaults.mdx
+++ b/website/content/docs/connect/config-entries/proxy-defaults.mdx
@@ -342,8 +342,8 @@ spec:
{
name: 'Config',
type: 'map[string]arbitrary',
- description: `An arbitrary map of configuration values used by Connect proxies.
- The available configurations depend on the Connect proxy you use.
+ description: `An arbitrary map of configuration values used by service mesh proxies.
+ The available configurations depend on the mesh proxy you use.
Any values that your proxy allows can be configured globally here. To explore these options please see the documentation for your chosen proxy.
`,
@@ -409,7 +409,7 @@ spec:
name: 'MeshGateway',
type: 'MeshGatewayConfig: ',
description: `Controls the default
- [mesh gateway configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration)
+ [mesh gateway configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration)
for all proxies. Added in v1.6.0.`,
children: [
{
@@ -426,7 +426,7 @@ spec:
[expose path configuration](/consul/docs/connect/registration/service-registration#expose-paths-configuration-reference)
for Envoy. Added in v1.6.2.
Exposing paths through Envoy enables a service to protect itself by only listening on localhost, while still allowing
- non-Connect-enabled applications to contact an HTTP endpoint.
+ non-mesh-enabled applications to contact an HTTP endpoint.
Some examples include: exposing a \`/metrics\` path for Prometheus or \`/healthz\` for kubelet liveness checks.`,
children: [
{
diff --git a/website/content/docs/connect/config-entries/service-defaults.mdx b/website/content/docs/connect/config-entries/service-defaults.mdx
index 35cd72bf31fc..6c57560864e8 100644
--- a/website/content/docs/connect/config-entries/service-defaults.mdx
+++ b/website/content/docs/connect/config-entries/service-defaults.mdx
@@ -556,7 +556,7 @@ We recommend configuring the upstream timeout in the [`connection_timeout`](/con
### `UpstreamConfig.Overrides[].MeshGateway`
-Map that contains the default mesh gateway `mode` field for the upstream. Refer to [Connect Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) in the mesh gateway documentation for additional information.
+Map that contains the default mesh gateway `mode` field for the upstream. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information.
#### Values
@@ -637,7 +637,7 @@ For non-Kubernetes environments, we recommend configuring the upstream timeout i
### `UpstreamConfig.Defaults.MeshGateway`
-Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Connect Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) in the mesh gateway documentation for additional information.
+Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information.
You can specify the following string values for the `mode` field:
@@ -729,7 +729,7 @@ Specifies the timeout for HTTP requests to the local application instance. Appli
### `MeshGateway`
-Specifies the default mesh gateway `mode` field for the service. Refer to [Connect Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) in the mesh gateway documentation for additional information.
+Specifies the default mesh gateway `mode` field for the service. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information.
You can specify the following string values for the `mode` field:
@@ -1007,7 +1007,7 @@ We recommend configuring the upstream timeout in the [`connectTimeout`](/consul/
### `spec.upstreamConfig.defaults.meshGateway.mode`
-Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Connect Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) in the mesh gateway documentation for additional information.
+Specifies the default mesh gateway `mode` field for all upstreams. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information.
#### Values
@@ -1121,7 +1121,7 @@ Specifies the timeout for HTTP requests to the local application instance. Appli
- Data type: string
### `spec.meshGateway.mode`
-Specifies the default mesh gateway `mode` field for the service. Refer to [Connect Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#connect-proxy-configuration) in the mesh gateway documentation for additional information.
+Specifies the default mesh gateway `mode` field for the service. Refer to [Service Mesh Proxy Configuration](/consul/docs/connect/gateways/mesh-gateway#service-mesh-proxy-configuration) in the mesh gateway documentation for additional information.
#### Values
@@ -1509,7 +1509,7 @@ represents a location outside the Consul cluster. Services can dial destinations
name: 'Protocol',
type: `string: "tcp"`,
description: `Sets the protocol of the service. This is used
- by Connect proxies for things like observability features and to unlock usage
+ by service mesh proxies for things like observability features and to unlock usage
of the [\`service-splitter\`](/consul/docs/connect/config-entries/service-splitter) and
[\`service-router\`](/consul/docs/connect/config-entries/service-router) config entries
for a service. It also unlocks the ability to define L7 intentions via
@@ -1965,7 +1965,7 @@ represents a location outside the Consul cluster. Services can dial destinations
type: 'string: ""',
description: `This is an optional setting that allows for
the TLS [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) value to
- be changed to a non-connect value when federating with an external system.
+ be changed to a non-mesh value when federating with an external system.
Added in v1.6.0.`,
},
{
@@ -1975,7 +1975,7 @@ represents a location outside the Consul cluster. Services can dial destinations
[expose path configuration](/consul/docs/connect/registration/service-registration#expose-paths-configuration-reference)
for Envoy. Added in v1.6.2.
Exposing paths through Envoy enables a service to protect itself by only listening on localhost, while still allowing
- non-Connect-enabled applications to contact an HTTP endpoint.
+ non-mesh-enabled applications to contact an HTTP endpoint.
Some examples include: exposing a \`/metrics\` path for Prometheus or \`/healthz\` for kubelet liveness checks.`,
children: [
{
diff --git a/website/content/docs/connect/config-entries/service-resolver.mdx b/website/content/docs/connect/config-entries/service-resolver.mdx
index 89147a24af3c..c8e98b6614d1 100644
--- a/website/content/docs/connect/config-entries/service-resolver.mdx
+++ b/website/content/docs/connect/config-entries/service-resolver.mdx
@@ -11,7 +11,7 @@ description: >-
**v1.6.0+:** On other platforms, this config entry is supported in Consul versions 1.6.0+.
The `service-resolver` config entry kind (`ServiceResolver` on Kubernetes) controls which service instances
-should satisfy Connect upstream discovery requests for a given service name.
+should satisfy service mesh upstream discovery requests for a given service name.
If no resolver config is defined the chain assumes 100% of traffic goes to the
healthy instances of the default service in the current datacenter+namespace
diff --git a/website/content/docs/connect/config-entries/service-router.mdx b/website/content/docs/connect/config-entries/service-router.mdx
index 1a12e3cdf9fa..64d0a11b53de 100644
--- a/website/content/docs/connect/config-entries/service-router.mdx
+++ b/website/content/docs/connect/config-entries/service-router.mdx
@@ -7,7 +7,7 @@ description: >-
# Service Router Configuration Entry
-The `service-router` config entry kind (`ServiceRouter` on Kubernetes) controls Connect traffic routing and
+The `service-router` config entry kind (`ServiceRouter` on Kubernetes) controls service mesh traffic routing and
manipulation at networking layer 7 (e.g. HTTP).
If a router is not explicitly configured or is configured with no routes then
@@ -16,7 +16,7 @@ service of the same name.
## Requirements
-- Consul [service mesh connect](/consul/docs/connect/configuration) enabled services
+- Consul [service mesh](/consul/docs/connect/configuration) enabled services
- Service to service communication over the protocol `http`
## Interaction with other Config Entries
diff --git a/website/content/docs/connect/config-entries/terminating-gateway.mdx b/website/content/docs/connect/config-entries/terminating-gateway.mdx
index b7e0f38b7c48..e0c1ff6032cf 100644
--- a/website/content/docs/connect/config-entries/terminating-gateway.mdx
+++ b/website/content/docs/connect/config-entries/terminating-gateway.mdx
@@ -12,7 +12,7 @@ description: >-
The `terminating-gateway` config entry kind (`TerminatingGateway` on Kubernetes) allows you to configure terminating gateways
to proxy traffic from services in the Consul service mesh to services registered with Consul that do not have a
-[Connect service sidecar proxy](/consul/docs/connect/proxies). The configuration is associated with the name of a gateway service
+[service mesh sidecar proxy](/consul/docs/connect/proxies). The configuration is associated with the name of a gateway service
and will apply to all instances of the gateway with that name.
~> [Configuration entries](/consul/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
@@ -41,7 +41,7 @@ Terminating gateways can optionally target all services within a Consul namespac
as the service name. Configuration options set on the wildcard act as defaults that can be overridden
by options set on a specific service name.
-Note that if the wildcard specifier is used, and some services in that namespace have a Connect sidecar proxy,
+Note that if the wildcard specifier is used, and some services in that namespace have a service mesh sidecar proxy,
traffic from the mesh to those services will be evenly load-balanced between the gateway and their sidecars.
## Sample Config Entries
diff --git a/website/content/docs/connect/configuration.mdx b/website/content/docs/connect/configuration.mdx
index e33694688598..5edf02886ba1 100644
--- a/website/content/docs/connect/configuration.mdx
+++ b/website/content/docs/connect/configuration.mdx
@@ -2,7 +2,7 @@
layout: docs
page_title: Service Mesh Configuration - Overview
description: >-
- Learn how to enable and configure Consul's service mesh capabilities in agent configurations, and how to integrate with schedulers like Kubernetes and Nomad. ""Connect"" is the subsystem that provides Consul’s service mesh capabilities.
+ Learn how to enable and configure Consul's service mesh capabilities in agent configurations, and how to integrate with schedulers like Kubernetes and Nomad. Consul's service mesh capabilities are provided by the ""connect"" subsystem.
---
# Service Mesh Configuration Overview
@@ -11,14 +11,17 @@ There are many configuration options exposed for Consul service mesh. The only o
that must be set is the `connect.enabled` option on Consul servers to enable Consul service mesh.
All other configurations are optional and have defaults suitable for many environments.
-The terms _Consul Connect_ and _Consul service mesh_ are used interchangeably throughout this documentation.
+The noun _connect_ is used throughout this documentation to refer to the connect
+subsystem that provides Consul's service mesh capabilities.
+Where you encounter the _noun_ connect, it is usually functionality specific to
+service mesh.
## Agent configuration
-Begin by enabling Connect for your Consul
-cluster. By default, Connect is disabled. Enabling Connect requires changing
+Begin by enabling service mesh for your Consul
+cluster. By default, service is disabled. Enabling service mesh requires changing
the configuration of only your Consul _servers_ (not client agents). To enable
-Connect, add the following to a new or existing
+service mesh, add the following to a new or existing
[server configuration file](/consul/docs/agent/config/config-files). In an existing cluster, this configuration change requires a Consul server restart, which you can perform one server at a time to maintain availability. In HCL:
@@ -37,17 +40,17 @@ connect {
```
-This will enable Connect and configure your Consul cluster to use the
+This will enable service mesh and configure your Consul cluster to use the
built-in certificate authority for creating and managing certificates.
You may also configure Consul to use an external
[certificate management system](/consul/docs/connect/ca), such as
[Vault](https://www.vaultproject.io/).
-Services and proxies may always register with Connect settings, but they will
-fail to retrieve or verify any TLS certificates. This causes all Connect-based
-connection attempts to fail until Connect is enabled on the server agents.
+Services and proxies may always register with service mesh settings, but unless
+service mesh is enabled on the server agents, their attempts to communicate will fail
+because they have no means to obtain or verify service mesh TLS certificates.
-Other optional Connect configurations that you can set in the server
+Other optional service mesh configurations that you can set in the server
configuration file include:
- [certificate authority settings](/consul/docs/agent/config/config-files#connect)
@@ -55,10 +58,10 @@ configuration file include:
- [dev mode](/consul/docs/agent/config/cli-flags#_dev)
- [server host name verification](/consul/docs/agent/config/config-files#tls_internal_rpc_verify_server_hostname)
-If you would like to use Envoy as your Connect proxy you will need to [enable
+If you would like to use Envoy as your service mesh proxy you will need to [enable
gRPC](/consul/docs/agent/config/config-files#grpc_port).
-Additionally if you plan on using the observability features of Connect, it can
+Additionally if you plan on using the observability features of Consul service mesh, it can
be convenient to configure your proxies and services using [configuration
entries](/consul/docs/agent/config-entries) which you can interact with using the
CLI or API, or by creating configuration entry files. You will want to enable
@@ -67,8 +70,8 @@ configuration](/consul/docs/agent/config/config-files#enable_central_service_con
clients, which allows each service's proxy configuration to be managed centrally
via API.
-!> **Security note:** Enabling Connect is enough to try the feature but doesn't
-automatically ensure complete security. Please read the [Connect production
+!> **Security note:** Enabling service mesh is enough to try the feature but doesn't
+automatically ensure complete security. Please read the [service mesh production
tutorial](/consul/tutorials/developer-mesh/service-mesh-production-checklist) to understand the additional steps
needed for a secure deployment.
@@ -81,7 +84,7 @@ definitions](/consul/docs/services/usage/define-services).
## Schedulers
-Consul Connect is especially useful if you are using an orchestrator like Nomad
+Consul service mesh is especially useful if you are using an orchestrator like Nomad
or Kubernetes, because these orchestrators can deploy thousands of service instances
which frequently move hosts. Sidecars for each service can be configured through
these schedulers, and in some cases they can automate Consul configuration,
@@ -89,16 +92,16 @@ sidecar deployment, and service registration.
### Nomad
-Connect can be used with Nomad to provide secure service-to-service
+Consul service mesh can be used with Nomad to provide secure service-to-service
communication between Nomad jobs and task groups. The ability to use the dynamic
-port feature of Nomad makes Connect particularly easy to use. Learn about how to
-configure Connect on Nomad by reading the
+port feature of Nomad makes Consul service mesh particularly easy to use. Learn about how to
+configure Consul service mesh on Nomad by reading the
[integration documentation](/consul/docs/connect/nomad).
### Kubernetes
-The Consul Helm chart can automate much of Consul Connect's configuration, and
+The Consul Helm chart can automate much of Consul's service mesh configuration, and
makes it easy to automatically inject Envoy sidecars into new pods when they are
deployed. Learn about the [Helm chart](/consul/docs/k8s/helm) in general,
or if you are already familiar with it, check out its
-[connect specific configurations](/consul/docs/k8s/connect).
+[service mesh specific configurations](/consul/docs/k8s/connect).
diff --git a/website/content/docs/connect/connect-internals.mdx b/website/content/docs/connect/connect-internals.mdx
index 826a2bde2226..73a3cc1e8980 100644
--- a/website/content/docs/connect/connect-internals.mdx
+++ b/website/content/docs/connect/connect-internals.mdx
@@ -11,7 +11,10 @@ This topic describes how many of the core features of Consul's service mesh func
It is not a prerequisite,
but this information will help you understand how Consul service mesh behaves in more complex scenarios.
-Consul Connect is the component shipped with Consul that enables service mesh functionality. The terms _Consul Connect_ and _Consul service mesh_ are used interchangeably throughout this documentation.
+The noun _connect_ is used throughout this documentation to refer to the connect
+subsystem that provides Consul's service mesh capabilities.
+Where you encounter the _noun_ connect, it is usually functionality specific to
+service mesh.
To try service mesh locally, complete the [Getting Started with Consul service
mesh](/consul/tutorials/kubernetes-deploy/service-mesh?utm_source=docs)
@@ -59,7 +62,7 @@ in-memory data.
## Agent Caching and Performance
-To enable fast responses on endpoints such as the [agent Connect
+To enable fast responses on endpoints such as the [agent connect
API](/consul/api-docs/agent/connect), the Consul agent locally caches most Consul service mesh-related
data and sets up background [blocking queries](/consul/api-docs/features/blocking) against
the server to update the cache in the background. This allows most API calls
diff --git a/website/content/docs/connect/connectivity-tasks.mdx b/website/content/docs/connect/connectivity-tasks.mdx
index c81c0ebda544..bd5a4bc66f66 100644
--- a/website/content/docs/connect/connectivity-tasks.mdx
+++ b/website/content/docs/connect/connectivity-tasks.mdx
@@ -59,7 +59,7 @@ Services outside the mesh do not have sidecar proxies or are not [integrated nat
These may be services running on legacy infrastructure or managed cloud services running on
infrastructure you do not control.
-Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate Connect
+Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate service mesh
mTLS connections, enforce Consul intentions, and forward requests to the appropriate destination.
These gateways also simplify authorization from dynamic service addresses. Consul's intentions determine whether
diff --git a/website/content/docs/connect/dev.mdx b/website/content/docs/connect/dev.mdx
index 6f494bc37518..e31a2f423a61 100644
--- a/website/content/docs/connect/dev.mdx
+++ b/website/content/docs/connect/dev.mdx
@@ -8,17 +8,17 @@ description: >-
# Service Mesh Debugging
It is often necessary to connect to a service for development or debugging.
-If a service only exposes a Connect listener, then we need a way to establish
+If a service only exposes a service mesh listener, then we need a way to establish
a mutual TLS connection to the service. The
[`consul connect proxy` command](/consul/commands/connect/proxy) can be used
for this task on any machine with access to a Consul agent (local or remote).
-Restricting access to services only via Connect ensures that the only way to
+Restricting access to services only via service mesh ensures that the only way to
connect to a service is through valid authorization of the
[intentions](/consul/docs/connect/intentions). This can extend to developers
and operators, too.
-## Connecting to Connect-only Services
+## Connecting to Mesh-only Services
As an example, let's assume that we have a PostgreSQL database running that
we want to connect to via `psql`, but the only non-loopback listener is
diff --git a/website/content/docs/connect/gateways/api-gateway/usage.mdx b/website/content/docs/connect/gateways/api-gateway/usage.mdx
index a5fea6e8176c..9f314fd2f4e3 100644
--- a/website/content/docs/connect/gateways/api-gateway/usage.mdx
+++ b/website/content/docs/connect/gateways/api-gateway/usage.mdx
@@ -12,7 +12,7 @@ in a Kubernetes environment, refer to [API Gateway for Kubernetes](/consul/docs/
## Introduction
-Consul API gateways provide a configurable ingress points for requests into a Consul network. Usethe following configuration entries to set up API gateways:
+Consul API gateways provide a configurable ingress points for requests into a Consul network. Use the following configuration entries to set up API gateways:
- [API gateway](/consul/docs/connect/gateways/api-gateway/configuration/api-gateway): Provides an endpoint for requests to enter the network. Define listeners that expose ports on the endpoint for ingress.
- [HTTP routes](/consul/docs/connect/gateways/api-gateway/configuration/http-route) and [TCP routes](/consul/docs/connect/gateways/api-gateway/configuration/tcp-route): The routes attach to listeners defined in the gateway and control how requests route to services in the network.
diff --git a/website/content/docs/connect/gateways/index.mdx b/website/content/docs/connect/gateways/index.mdx
index fb04a9e54943..344b63dd0ad2 100644
--- a/website/content/docs/connect/gateways/index.mdx
+++ b/website/content/docs/connect/gateways/index.mdx
@@ -64,7 +64,7 @@ Services outside the mesh do not have sidecar proxies or are not [integrated nat
These may be services running on legacy infrastructure or managed cloud services running on
infrastructure you do not control.
-Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate Connect
+Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate service mesh
mTLS connections, enforce Consul intentions, and forward requests to the appropriate destination.
These gateways also simplify authorization from dynamic service addresses. Consul's intentions determine whether
diff --git a/website/content/docs/connect/gateways/ingress-gateway.mdx b/website/content/docs/connect/gateways/ingress-gateway.mdx
index 2ba36b3d79bd..b5a8cc213f9a 100644
--- a/website/content/docs/connect/gateways/ingress-gateway.mdx
+++ b/website/content/docs/connect/gateways/ingress-gateway.mdx
@@ -39,7 +39,7 @@ the [hosts](/consul/docs/connect/config-entries/ingress-gateway#hosts) field.
Ingress gateways also require that your Consul datacenters are configured correctly:
- You'll need to use Consul version 1.8.0 or newer.
-- Consul [Connect](/consul/docs/agent/config/config-files#connect) must be enabled on the datacenter's Consul servers.
+- Consul [service mesh](/consul/docs/agent/config/config-files#connect) must be enabled on the datacenter's Consul servers.
- [gRPC](/consul/docs/agent/config/config-files#grpc_port) must be enabled on all client agents.
Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with ingress gateway capabilities in Consul.
@@ -54,13 +54,13 @@ review the [ingress gateway tutorial](/consul/tutorials/developer-mesh/service-m
Ingress gateways are configured in service definitions and registered with Consul like other services, with two exceptions.
The first is that the [kind](/consul/api-docs/agent/service#kind) must be "ingress-gateway". Second,
the ingress gateway service definition may contain a `Proxy.Config` entry just like a
-Connect proxy service, to define opaque configuration parameters useful for the actual proxy software.
+service mesh proxy service, to define opaque configuration parameters useful for the actual proxy software.
For Envoy there are some supported [gateway options](/consul/docs/connect/proxies/envoy#gateway-options) as well as
[escape-hatch overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides).
-> **Note:** If ACLs are enabled, ingress gateways must be registered with a token granting `service:write` for the ingress gateway's service name,
`service:read` for all services in the ingress gateway's configuration entry, and `node:read` for all nodes of the services
-in the ingress gateway's configuration entry. These privileges authorize the token to route communications to other Connect services.
+in the ingress gateway's configuration entry. These privileges authorize the token to route communications to other mesh services.
If the Consul client agent on the gateway's node is not configured to use the default gRPC port, 8502, then the gateway's token
must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies.
diff --git a/website/content/docs/connect/gateways/mesh-gateway/index.mdx b/website/content/docs/connect/gateways/mesh-gateway/index.mdx
index e5c5229dfcf8..89d64b8d1ebe 100644
--- a/website/content/docs/connect/gateways/mesh-gateway/index.mdx
+++ b/website/content/docs/connect/gateways/mesh-gateway/index.mdx
@@ -57,17 +57,17 @@ Configure the following settings to register the mesh gateway as a service in Co
Each upstream associated with a service mesh proxy can be configured so that it is routed through a mesh gateway.
Depending on your network, the proxy's connection to the gateway can operate in one of the following modes:
-* `none` - No gateway is used and a service mesh connect proxy makes its outbound connections directly
+* `none` - No gateway is used and a service mesh sidecar proxy makes its outbound connections directly
to the destination services. This is the default for WAN federation. This setting is invalid for peered clusters
and will be treated as remote instead.
-* `local` - The service mesh connect proxy makes an outbound connection to a gateway running in the
+* `local` - The service mesh sidecar proxy makes an outbound connection to a gateway running in the
same datacenter. That gateway is responsible for ensuring that the data is forwarded to gateways in the destination datacenter.
-* `remote` - The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.
+* `remote` - The service mesh sidecar proxy makes an outbound connection to a gateway running in the destination datacenter.
The gateway forwards the data to the final destination service. This is the default for peered clusters.
-### Connect Proxy Configuration
+### Service Mesh Proxy Configuration
Set the proxy to the preferred [mode](#modes) to configure the service mesh proxy. You can specify the mode globally or within child configurations to control proxy behaviors at a lower level. Consul recognizes the following order of precedence if the gateway mode is configured in multiple locations the order of precedence:
@@ -82,7 +82,7 @@ Use the following example configurations to help you understand some of the comm
### Enabling Gateways Globally
-The following `proxy-defaults` configuration will enable gateways for all Connect services in the `local` mode.
+The following `proxy-defaults` configuration will enable gateways for all mesh services in the `local` mode.
@@ -104,7 +104,7 @@ Name: global
### Enabling Gateways Per Service
-The following `service-defaults` configuration will enable gateways for all Connect services with the name `web`.
+The following `service-defaults` configuration will enable gateways for all mesh services with the name `web`.
diff --git a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx
index d993b70f6983..4e269d00fd48 100644
--- a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx
+++ b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx
@@ -36,7 +36,7 @@ Consul can only translate mesh gateway registration information into Envoy confi
Sidecar proxies that send traffic to an upstream service through a gateway need to know the location of that gateway. They discover the gateway based on their sidecar proxy registrations. Consul can only translate the gateway registration information into Envoy configuration.
-Sidecar proxies that do not send upstream traffic through a gateway are not affected when you deploy gateways. If you are using Consul's built-in proxy as a Connect sidecar it will continue to work for intra-datacenter traffic and will receive incoming traffic even if that traffic has passed through a gateway.
+Sidecar proxies that do not send upstream traffic through a gateway are not affected when you deploy gateways. If you are using Consul's built-in proxy as a service mesh sidecar it will continue to work for intra-datacenter traffic and will receive incoming traffic even if that traffic has passed through a gateway.
## Configuration
@@ -61,7 +61,7 @@ Depending on your network, the proxy's connection to the gateway can operate in
* `remote` - The service mesh connect proxy makes an outbound connection to a gateway running in the destination datacenter.
The gateway forwards the data to the final destination service.
-### Connect Proxy Configuration
+### Service Mesh Proxy Configuration
Set the proxy to the preferred [mode](#modes) to configure the service mesh proxy. You can specify the mode globally or within child configurations to control proxy behaviors at a lower level. Consul recognizes the following order of precedence if the gateway mode is configured in multiple locations the order of precedence:
@@ -76,7 +76,7 @@ Use the following example configurations to help you understand some of the comm
### Enabling Gateways Globally
-The following `proxy-defaults` configuration will enable gateways for all Connect services in the `local` mode.
+The following `proxy-defaults` configuration will enable gateways for all mesh services in the `local` mode.
@@ -99,7 +99,7 @@ Name: global
### Enabling Gateways Per Service
-The following `service-defaults` configuration will enable gateways for all Connect services with the name `web`.
+The following `service-defaults` configuration will enable gateways for all mesh services with the name `web`.
diff --git a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx
index 520f6c01ff2b..5a764c437248 100644
--- a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx
+++ b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx
@@ -29,10 +29,10 @@ Ensure that your Consul environment meets the following requirements.
* Consul version 1.6.0 or newer.
* A local Consul agent is required to manage its configuration.
-* Consul [Connect](/consul/docs/agent/config/config-files#connect) must be enabled in both datacenters.
+* Consul [service mesh](/consul/docs/agent/config/config-files#connect) must be enabled in both datacenters.
* Each [datacenter](/consul/docs/agent/config/config-files#datacenter) must have a unique name.
* Each datacenters must be [WAN joined](/consul/tutorials/networking/federation-gossip-wan).
-* The [primary datacenter](/consul/docs/agent/config/config-files#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for Connect certificates and is required for services in all datacenters to establish mutual TLS with each other.
+* The [primary datacenter](/consul/docs/agent/config/config-files#primary_datacenter) must be set to the same value in both datacenters. This specifies which datacenter is the authority for service mesh certificates and is required for services in all datacenters to establish mutual TLS with each other.
* [gRPC](/consul/docs/agent/config/config-files#grpc_port) must be enabled.
* If you want to [enable gateways globally](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters#enabling-gateways-globally) you must enable [centralized configuration](/consul/docs/agent/config/config-files#enable_central_service_config).
@@ -50,7 +50,7 @@ Consul can only translate mesh gateway registration information into Envoy confi
Sidecar proxies that send traffic to an upstream service through a gateway need to know the location of that gateway. They discover the gateway based on their sidecar proxy registrations. Consul can only translate the gateway registration information into Envoy configuration.
-Sidecar proxies that do not send upstream traffic through a gateway are not affected when you deploy gateways. If you are using Consul's built-in proxy as a Connect sidecar it will continue to work for intra-datacenter traffic and will receive incoming traffic even if that traffic has passed through a gateway.
+Sidecar proxies that do not send upstream traffic through a gateway are not affected when you deploy gateways. If you are using Consul's built-in proxy as a service mesh sidecar it will continue to work for intra-datacenter traffic and will receive incoming traffic even if that traffic has passed through a gateway.
## Configuration
@@ -66,18 +66,18 @@ Configure the following settings to register the mesh gateway as a service in Co
Each upstream associated with a service mesh proxy can be configured so that it is routed through a mesh gateway.
Depending on your network, the proxy's connection to the gateway can operate in one of the following modes (refer to the [mesh-architecture-diagram](#mesh-architecture-diagram)):
-* `none` - (Default) No gateway is used and a service mesh connect proxy makes its outbound connections directly
+* `none` - (Default) No gateway is used and a service mesh sidecar proxy makes its outbound connections directly
to the destination services.
-* `local` - The service mesh connect proxy makes an outbound connection to a gateway running in the
+* `local` - The service mesh sidecar proxy makes an outbound connection to a gateway running in the
same datacenter. That gateway is responsible for ensuring that the data is forwarded to gateways in the destination datacenter.
Refer to the flow labeled `local` in the [mesh-architecture-diagram](#mesh-architecture-diagram).
-* `remote` - The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.
+* `remote` - The service mesh sidecar proxy makes an outbound connection to a gateway running in the destination datacenter.
The gateway forwards the data to the final destination service.
Refer to the flow labeled `remote` in the [mesh-architecture-diagram](#mesh-architecture-diagram).
-### Connect Proxy Configuration
+### Service Mesh Proxy Configuration
Set the proxy to the preferred [mode](#modes) to configure the service mesh proxy. You can specify the mode globally or within child configurations to control proxy behaviors at a lower level. Consul recognizes the following order of precedence if the gateway mode is configured in multiple locations the order of precedence:
@@ -92,7 +92,7 @@ Use the following example configurations to help you understand some of the comm
### Enabling Gateways Globally
-The following `proxy-defaults` configuration will enable gateways for all Connect services in the `local` mode.
+The following `proxy-defaults` configuration will enable gateways for all mesh services in the `local` mode.
@@ -114,7 +114,7 @@ Name: global
### Enabling Gateways Per Service
-The following `service-defaults` configuration will enable gateways for all Connect services with the name `web`.
+The following `service-defaults` configuration will enable gateways for all mesh services with the name `web`.
diff --git a/website/content/docs/connect/gateways/terminating-gateway.mdx b/website/content/docs/connect/gateways/terminating-gateway.mdx
index 05f48eee5f45..17a926c0cd98 100644
--- a/website/content/docs/connect/gateways/terminating-gateway.mdx
+++ b/website/content/docs/connect/gateways/terminating-gateway.mdx
@@ -10,8 +10,8 @@ description: >-
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.
Terminating gateways enable connectivity within your organizational network from services in the Consul service mesh to
-services and [destinations](/consul/docs/connect/config-entries/service-defaults#terminating-gateway-destination) outside the mesh. These gateways effectively act as Connect proxies that can
-represent more than one service. They terminate Connect mTLS connections, enforce intentions,
+services and [destinations](/consul/docs/connect/config-entries/service-defaults#terminating-gateway-destination) outside the mesh. These gateways effectively act as service mesh proxies that can
+represent more than one service. They terminate service mesh mTLS connections, enforce intentions,
and forward requests to the appropriate destination.
@@ -26,7 +26,7 @@ for filtering by instance.
## Security Considerations
~> We recommend that terminating gateways are not exposed to the WAN or open internet. This is because terminating gateways
-hold certificates to decrypt Consul Connect traffic directed at them and may be configured with credentials to connect
+hold certificates to decrypt Consul service mesh traffic directed at them and may be configured with credentials to connect
to linked services. Connections over the WAN or open internet should flow through [mesh gateways](/consul/docs/connect/gateways/mesh-gateway)
whenever possible since they are not capable of decrypting traffic or connecting directly to services.
@@ -58,7 +58,7 @@ Each terminating gateway needs:
Terminating gateways also require that your Consul datacenters are configured correctly:
- You'll need to use Consul version 1.8.0 or newer.
-- Consul [Connect](/consul/docs/agent/config/config-files#connect) must be enabled on the datacenter's Consul servers.
+- Consul [service mesh](/consul/docs/agent/config/config-files#connect) must be enabled on the datacenter's Consul servers.
- [gRPC](/consul/docs/agent/config/config-files#grpc_port) must be enabled on all client agents.
Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with terminating gateway capabilities in Consul.
@@ -68,9 +68,9 @@ Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with terminatin
can only translate terminating gateway registration information into Envoy
configuration, therefore the proxies acting as terminating gateways must be Envoy.
-Connect proxies that send upstream traffic through a gateway aren't
+Service mesh proxies that send upstream traffic through a gateway aren't
affected when you deploy terminating gateways. If you are using non-Envoy proxies as
-Connect proxies they will continue to work for traffic directed at services linked to
+Service mesh proxies they will continue to work for traffic directed at services linked to
a terminating gateway as long as they discover upstreams with the
[/health/connect](/consul/api-docs/health#list-nodes-for-connect-capable-service) endpoint.
@@ -84,7 +84,7 @@ services outside the mesh, review the [terminating gateway tutorial](/consul/tut
Terminating gateways are configured in service definitions and registered with Consul like other services, with two exceptions.
The first is that the [kind](/consul/api-docs/agent/service#kind) must be "terminating-gateway". Second,
the terminating gateway service definition may contain a `Proxy.Config` entry just like a
-Connect proxy service, to define opaque configuration parameters useful for the actual proxy software.
+service mesh proxy service, to define opaque configuration parameters useful for the actual proxy software.
For Envoy there are some supported [gateway options](/consul/docs/connect/proxies/envoy#gateway-options) as well as
[escape-hatch overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides).
diff --git a/website/content/docs/connect/index.mdx b/website/content/docs/connect/index.mdx
index 7c7235569d3e..6bdc9989f52b 100644
--- a/website/content/docs/connect/index.mdx
+++ b/website/content/docs/connect/index.mdx
@@ -7,15 +7,20 @@ description: >-
# Consul service mesh
-Consul Service Mesh provides service-to-service connection authorization and
-encryption using mutual Transport Layer Security (TLS). Consul Connect is used interchangeably
-with the name Consul Service Mesh and is what this document will use to refer to for Service Mesh functionality within Consul.
+Consul service mesh provides service-to-service connection authorization and
+encryption using mutual Transport Layer Security (TLS).
+
Applications can use [sidecar proxies](/consul/docs/connect/proxies) in a service mesh configuration to
-establish TLS connections for inbound and outbound connections without being aware of Connect at all.
-Applications may also [natively integrate with Connect](/consul/docs/connect/native) for optimal performance and security.
-Connect can help you secure your services and provide data about service-to-service communications.
+establish TLS connections for inbound and outbound connections without being aware of the service mesh at all.
+Applications may also [natively integrate with Consul service mesh](/consul/docs/connect/native) for optimal performance and security.
+Consul service mesh can help you secure your services and provide data about service-to-service communications.
+
+The noun _connect_ is used throughout this documentation to refer to the connect
+subsystem that provides Consul's service mesh capabilities.
+Where you encounter the _noun_ connect, it is usually functionality specific to
+service mesh.
-Review the video below to learn more about Consul Connect from HashiCorp's co-founder Armon.
+Review the video below to learn more about Consul service mesh from HashiCorp's co-founder Armon.