docs: add Consul policy for Consul Namespace support (#9014)

Co-authored-by: Seth Hoenig <[email protected]>
hashicorp · Oct 7, 2020 · 638f493 · 638f493
1 parent 5a4fe99
commit 638f493
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,7 @@ IMPROVEMENTS:
  * api: Added support for cancellation contexts to HTTP API. [[GH-8836](https://github.com/hashicorp/nomad/issues/8836)]
  * client: Added support for Azure fingerprinting. [[GH-8979](https://github.com/hashicorp/nomad/issues/8979)]
  * client: Updated consul-template to v0.25.0 - config function_blacklist deprecated and replaced with function_denylist [[GH-8988](https://github.com/hashicorp/nomad/pull/8988)]
- * consul: Support consul namespace (consul enterprise) in client configuration. [[GH-8849](https://github.com/hashicorp/nomad/pull/8849)]
+ * consul: Support Consul namespace (Consul Enterprise) in client configuration. [[GH-8849](https://github.com/hashicorp/nomad/pull/8849)]
  * driver/docker: Upgrade pause container and detect architecture [[GH-8957](https://github.com/hashicorp/nomad/pull/8957)]
  * jobspec: Lowered minimum CPU allowed from 10 to 1. [[GH-8996](https://github.com/hashicorp/nomad/issues/8996)]
 

diff --git a/website/pages/docs/configuration/consul.mdx b/website/pages/docs/configuration/consul.mdx
@@ -180,5 +180,37 @@ consul {
 }
 ```
 
+### Consul Namespace
+
+Consul does not allow ACL policies associated with namespaces to use agent
+permissions. Nomad requires `agent:read` permissions. In order to use the
+`consul_namespace` feature, Nomad will need a token generated in Consul's
+default namespace. That token should be created with `agent:read` as well
+as a `namespace` block with the other relevant permissions for running Nomad
+in the intended namespace. The Consul policy below shows an example policy
+configuration for a Nomad server:
+
+```
+agent_prefix "" {
+  policy = "read"
+}
+
+namespace "nomad-ns" {
+  acl = "write"
+
+  key_prefix "" {
+    policy = "read"
+  }
+
+  node_prefix "" {
+    policy = "read"
+  }
+
+  service_prefix "" {
+    policy = "write"
+  }
+}
+```
+
 [consul]: https://www.consul.io/ 'Consul by HashiCorp'
 [bootstrap]: https://learn.hashicorp.com/tutorials/nomad/clustering 'Automatic Bootstrapping'