mirror of https://github.com/status-im/consul.git
docs: vault ca provider patch upgrade guidance
This commit is contained in:
parent
1ade1de38b
commit
2603c0da52
12
CHANGELOG.md
12
CHANGELOG.md
|
@ -6,6 +6,10 @@ BUG FIXES:
|
||||||
|
|
||||||
## 1.13.2 (September 20, 2022)
|
## 1.13.2 (September 20, 2022)
|
||||||
|
|
||||||
|
BREAKING CHANGES:
|
||||||
|
|
||||||
|
* ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the `update` capability on the intermediate PKI's tune mount configuration endpoint, such as `/sys/mounts/connect_inter/tune`. The breaking nature of this change will be resolved in an upcoming 1.13 patch release. Refer to [upgrade guidance](https://www.consul.io/docs/upgrading/upgrade-specific#modify-vault-policy-for-vault-ca-provider) for more information.
|
||||||
|
|
||||||
SECURITY:
|
SECURITY:
|
||||||
|
|
||||||
* auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [[GH-14577](https://github.com/hashicorp/consul/issues/14577)]
|
* auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [[GH-14577](https://github.com/hashicorp/consul/issues/14577)]
|
||||||
|
@ -48,6 +52,10 @@ BUG FIXES:
|
||||||
|
|
||||||
## 1.12.5 (September 20, 2022)
|
## 1.12.5 (September 20, 2022)
|
||||||
|
|
||||||
|
BREAKING CHANGES:
|
||||||
|
|
||||||
|
* ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the `update` capability on the intermediate PKI's tune mount configuration endpoint, such as `/sys/mounts/connect_inter/tune`. The breaking nature of this change will be resolved in an upcoming 1.12 patch release. Refer to [upgrade guidance](https://www.consul.io/docs/upgrading/upgrade-specific#modify-vault-policy-for-vault-ca-provider) for more information.
|
||||||
|
|
||||||
SECURITY:
|
SECURITY:
|
||||||
|
|
||||||
* auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [[GH-14577](https://github.com/hashicorp/consul/issues/14577)]
|
* auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [[GH-14577](https://github.com/hashicorp/consul/issues/14577)]
|
||||||
|
@ -72,6 +80,10 @@ BUG FIXES:
|
||||||
|
|
||||||
## 1.11.9 (September 20, 2022)
|
## 1.11.9 (September 20, 2022)
|
||||||
|
|
||||||
|
BREAKING CHANGES:
|
||||||
|
|
||||||
|
* ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the `update` capability on the intermediate PKI's tune mount configuration endpoint, such as `/sys/mounts/connect_inter/tune`. The breaking nature of this change will be resolved in an upcoming 1.11 patch release. Refer to [upgrade guidance](https://www.consul.io/docs/upgrading/upgrade-specific#modify-vault-policy-for-vault-ca-provider) for more information.
|
||||||
|
|
||||||
SECURITY:
|
SECURITY:
|
||||||
|
|
||||||
* auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [[GH-14577](https://github.com/hashicorp/consul/issues/14577)]
|
* auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [[GH-14577](https://github.com/hashicorp/consul/issues/14577)]
|
||||||
|
|
|
@ -227,6 +227,11 @@ path "/sys/mounts/connect_inter" {
|
||||||
capabilities = [ "read" ]
|
capabilities = [ "read" ]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Needed for Consul 1.11+
|
||||||
|
path "/sys/mounts/connect_inter/tune" {
|
||||||
|
capabilities = [ "update" ]
|
||||||
|
}
|
||||||
|
|
||||||
path "/connect_root/" {
|
path "/connect_root/" {
|
||||||
capabilities = [ "read" ]
|
capabilities = [ "read" ]
|
||||||
}
|
}
|
||||||
|
@ -275,6 +280,11 @@ path "/sys/mounts/connect_inter" {
|
||||||
capabilities = [ "create", "read", "update", "delete", "list" ]
|
capabilities = [ "create", "read", "update", "delete", "list" ]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Needed for Consul 1.11+
|
||||||
|
path "/sys/mounts/connect_inter/tune" {
|
||||||
|
capabilities = [ "update" ]
|
||||||
|
}
|
||||||
|
|
||||||
path "/connect_root/*" {
|
path "/connect_root/*" {
|
||||||
capabilities = [ "create", "read", "update", "delete", "list" ]
|
capabilities = [ "create", "read", "update", "delete", "list" ]
|
||||||
}
|
}
|
||||||
|
|
|
@ -45,6 +45,7 @@ review the following guidances relevant to your deployment:
|
||||||
- [All service mesh deployments](#all-service-mesh-deployments)
|
- [All service mesh deployments](#all-service-mesh-deployments)
|
||||||
- [Service mesh deployments using auto-encrypt or auto-config](#service-mesh-deployments-using-auto-encrypt-or-auto-config)
|
- [Service mesh deployments using auto-encrypt or auto-config](#service-mesh-deployments-using-auto-encrypt-or-auto-config)
|
||||||
- [Service mesh deployments without the HTTPS port enabled on Consul agents](#service-mesh-deployments-without-the-https-port-enabled-on-consul-agents)
|
- [Service mesh deployments without the HTTPS port enabled on Consul agents](#service-mesh-deployments-without-the-https-port-enabled-on-consul-agents)
|
||||||
|
- [All service mesh deployments using the Vault CA provider](#modify-vault-policy-for-vault-ca-provider)
|
||||||
|
|
||||||
#### All service mesh deployments
|
#### All service mesh deployments
|
||||||
|
|
||||||
|
@ -170,6 +171,38 @@ such as with flags or environment variables like
|
||||||
[`-ca-file`](/commands/connect/envoy#ca-file) and
|
[`-ca-file`](/commands/connect/envoy#ca-file) and
|
||||||
[`CONSUL_CACERT`](/commands#consul_cacert).
|
[`CONSUL_CACERT`](/commands#consul_cacert).
|
||||||
|
|
||||||
|
#### Modify Vault policy for Vault CA provider
|
||||||
|
|
||||||
|
If using the Vault CA provider,
|
||||||
|
you must modify the Vault policy used by Consul to interact with Vault
|
||||||
|
so that certificates required for service mesh operation can still be generated.
|
||||||
|
The policy must include the `update` capability on the intermediate PKI's tune mount configuration endpoint
|
||||||
|
at path `/sys/mounts/<intermediate_pki_mount_name>/tune`.
|
||||||
|
Refer to the [Vault CA provider documentation](/docs/connect/ca/vault#vault-acl-policies)
|
||||||
|
for updated example Vault policies for use with Vault-managed or Consul-managed PKI paths.
|
||||||
|
|
||||||
|
You are using the Vault CA provider if either of the following configurations exists:
|
||||||
|
- The Consul server agent configuration option [`connect.ca_provider`](/docs/agent/config/config-files#connect_ca_provider) is set to `vault`, or
|
||||||
|
- The Consul on Kubernetes Helm Chart [`global.secretsBackend.vault.connectCA`](/docs/k8s/helm#v-global-secretsbackend-vault-connectca) value is configured.
|
||||||
|
|
||||||
|
Though this guidance is listed in the 1.13.x section, it applies to all of the following release series:
|
||||||
|
- Consul 1.13.x: applies to 1.13.2+
|
||||||
|
- Consul 1.12.x: applies to 1.12.5+
|
||||||
|
- Consul 1.11.x: applies to 1.11.9+
|
||||||
|
|
||||||
|
Those affected Consul versions contain a
|
||||||
|
[bugfix that allows the intermediate CA's TTL configuration to be modified](https://github.com/hashicorp/consul/pull/14516).
|
||||||
|
The bugfix requires the `update` capability to tune that configuration.
|
||||||
|
Without the `update` capability, those affected Consul versions
|
||||||
|
cannot provide services with the certificates they need to participate in the mesh.
|
||||||
|
In an upcoming patch for each of those release series,
|
||||||
|
we will restore the intermediate CA's ability to provide certificates even without the `update` capability on the tune configuration endpoint,
|
||||||
|
though the `update` capability will still be needed to modify the CA's TTL configuration.
|
||||||
|
|
||||||
|
We recommend modifying the Vault policy before upgrading to Consul 1.11 or later
|
||||||
|
to ensure your organization does not accidentally miss this guidance when performing subsequent upgrades,
|
||||||
|
such as to the latest patch within a release series.
|
||||||
|
|
||||||
### 1.9 Telemetry Compatibility
|
### 1.9 Telemetry Compatibility
|
||||||
|
|
||||||
#### Removing configuration options
|
#### Removing configuration options
|
||||||
|
@ -178,7 +211,17 @@ The [`disable_compat_19`](/docs/agent/options#telemetry-disable_compat_1.9) tele
|
||||||
In prior Consul versions (1.10.x through 1.11.x), the config defaulted to `false`. In 1.12.x it defaulted to `true`.
|
In prior Consul versions (1.10.x through 1.11.x), the config defaulted to `false`. In 1.12.x it defaulted to `true`.
|
||||||
If you were using this flag, you must remove it before upgrading.
|
If you were using this flag, you must remove it before upgrading.
|
||||||
|
|
||||||
## Consul 1.12.0
|
### Modify Vault Policy for Vault CA Provider
|
||||||
|
|
||||||
|
Follow the same guidance as provided in the
|
||||||
|
[1.13 upgrade section for modifying the Vault policy if using the Vault CA provider](#modify-vault-policy-for-vault-ca-provider).
|
||||||
|
|
||||||
|
## Consul 1.12.x ((#consul-1-12-0))
|
||||||
|
|
||||||
|
### Modify Vault Policy for Vault CA Provider
|
||||||
|
|
||||||
|
Follow the same guidance as provided in the
|
||||||
|
[1.13 upgrade section for modifying the Vault policy if using the Vault CA provider](#modify-vault-policy-for-vault-ca-provider).
|
||||||
|
|
||||||
### 1.9 Telemetry Compatibility
|
### 1.9 Telemetry Compatibility
|
||||||
|
|
||||||
|
@ -216,7 +259,7 @@ be replaced with the new [`tls` stanza](/docs/agent/config/config-files#tls-conf
|
||||||
- `verify_outgoing`
|
- `verify_outgoing`
|
||||||
- `verify_server_hostname`
|
- `verify_server_hostname`
|
||||||
|
|
||||||
## Consul 1.11.0
|
## Consul 1.11.x ((#consul-1-11-0))
|
||||||
|
|
||||||
### 1.10 Compatibility <EnterpriseAlert inline />
|
### 1.10 Compatibility <EnterpriseAlert inline />
|
||||||
Consul Enterprise versions 1.10.0 through 1.10.4 contain a latent bug that
|
Consul Enterprise versions 1.10.0 through 1.10.4 contain a latent bug that
|
||||||
|
@ -291,6 +334,11 @@ When upgrading to Consul 1.10, you must ensure that the Envoy sidecars are
|
||||||
restarted and bootstrapped using a version of the Consul CLI >= 1.10. This
|
restarted and bootstrapped using a version of the Consul CLI >= 1.10. This
|
||||||
ensures your sidecars are supported by Consul 1.11.
|
ensures your sidecars are supported by Consul 1.11.
|
||||||
|
|
||||||
|
### Modify Vault Policy for Vault CA Provider
|
||||||
|
|
||||||
|
Follow the same guidance as provided in the
|
||||||
|
[1.13 upgrade section for modifying the Vault policy if using the Vault CA provider](#modify-vault-policy-for-vault-ca-provider).
|
||||||
|
|
||||||
## Consul 1.10.0
|
## Consul 1.10.0
|
||||||
|
|
||||||
### Licensing Changes <EnterpriseAlert inline />
|
### Licensing Changes <EnterpriseAlert inline />
|
||||||
|
|
Loading…
Reference in New Issue