From 97bcee3be638931a3b884a356d941e611bb1d425 Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Wed, 9 Jun 2021 12:08:45 -1000 Subject: [PATCH 1/8] docs: adding an faq in preperation for Consul Enterprise 1.10.0 --- website/content/docs/enterprise/index.mdx | 62 ----------------- .../content/docs/enterprise/license/faq.mdx | 50 ++++++++++++++ .../docs/enterprise/license/overview.mdx | 69 +++++++++++++++++++ website/data/docs-nav-data.json | 13 ++++ website/redirects.next.js | 5 ++ 5 files changed, 137 insertions(+), 62 deletions(-) create mode 100644 website/content/docs/enterprise/license/faq.mdx create mode 100644 website/content/docs/enterprise/license/overview.mdx diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index 0903b522cc..15c51bad91 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx @@ -25,65 +25,3 @@ Features include: These features are part of [Consul Enterprise](https://www.hashicorp.com/consul). - -## Licensing - -All Consul Enterprise agents must be licensed when they are started. Where that license comes from will depend -on which binary is in use, whether the agent is a server, client or snapshot agent and whether ACLs have been -enabled for the cluster. - --> ** Consul Enterprise v1.10.0 removed temporary licensing.** In previous versions Consul Enterprise -agents could start without a license and then have a license applied to them later on via the CLI -or API. That functionality has been removed and replaced with the ability to load licenses from the -agent's configuration or environment. Also prior to v1.10.0 server agents would automatically propagate -the license between themselves. This no longer occurs and the license must be present on each server -when they are started. - -### Binaries with Built In Licenses - -If you are downloading Consul from Amazon S3, then the license is included -in the binary and you do not need to take further action. This is the -most common use case. - -In the S3 bucket you will find three Enterprise zip packages. The packages with `+pro` and -`+prem` in the name, are the binaries that include the license. The package -with `+ent` in the name does not include the license. - -When using these binaries no further action is necessary to configure the license. - -### Binaries Without Built In Licenses - -For binaries that do not include built in licenses a license must be available at the time the agent starts. -For server agents this means that they must either have the [`license_path`](/docs/agent/opts#license_path) -configuration set or have a license configured in the servers environment with the `CONSUL_LICENSE` or -`CONSUL_LICENSE_PATH` environment variables. Both the configuration item and the `CONSUL_LICENSE_PATH` -environment variable point to a file containing the license whereas the `CONSUL_LICENSE` environment -variable should contain the license as the value. If multiple of these are set the order of precedence is: - -1. `CONSUL_LICENSE` environment variable -2. `CONSUL_LICENSE_PATH` environment variable -3. `license_path` configuration item. - -Both client agents and the snapshot agent may also be licensed in the very same manner. However to prevent -the need to configure the license on many client agents and snapshot agents those agents have the capability -to retrieve the license automatically under specific circumstances. - -#### Client Agent License Retrieval - -When a client agent starts without a license in its configuration or environment, it will try to retrieve the -license from the servers via RPCs. That RPC always requires a valid non-anonymous ACL token to authorize the -request but the token doesn't need any particular permissions. As the license is required before the client -actually joins the cluster, where to make those RPC requests to is inferred from the [`start_join`](/docs/agent/opts#start_join) -or [`retry_join`](/docs/agent/opts#retry_join) configurations. If those are both unset or no -[`agent` token](/docs/agent/opts#acl_tokens_agent) is set then the client agent will immediately shut itself down. -If all preliminary checks pass the client agent will attempt to reach out to any server on its RPC port to -request the license. These requests will be retried for up to 5 minutes and if it is unable to retrieve a -license within that time frame it will shut itself down. - -#### Snapshot Agent License Retrieval - -The snapshot agent has similar functionality to the client agent for automatically retrieving the license. However, -instead of requiring a server agent to talk to, the snapshot agent can request the license from the server or -client agent it would use for all other operations. It still requires an ACL token to authorize the request. Also -like client agents, the snapshot agent will shut itself down after being unable to retrieve the license for 5 -minutes. \ No newline at end of file diff --git a/website/content/docs/enterprise/license/faq.mdx b/website/content/docs/enterprise/license/faq.mdx new file mode 100644 index 0000000000..2147b2f1f6 --- /dev/null +++ b/website/content/docs/enterprise/license/faq.mdx @@ -0,0 +1,50 @@ +--- +layout: docs +page_title: Consul Enterprise License FAQ +description: Frequently Asked Questions pertaining to Consul Enterprise Licensing. +--- + +# Frequently Asked Questions (FAQ) + +This FAQ is for the license changes introduced in Consul Enterprise version v1.10.0+ent. +Consul Enterprise automatically load Consul licenses when a Consul server agent starts using Consul Enterprise. + +## Q: Can I get a quick summary of the Consul changes? + +Starting with Consul Enterprise v1.10.0, the license enablement process is different. + +HashiCorp Enterprise servers will no longer start without a license. When the server instance initializes the license watcher, the server reads from either an environment variable or file. +If the license is missing, invalid, or expired, the server will immediately exit. +This check is part of the server boot-up process. + +In previous versions of HashiCorp enterprise products, one server could distribute a license to other servers via the Raft protocol. +This will no longer work since each server must be able to find a valid license during the startup process. + +## Q: What resources are available? + +The list below is a great starting point for learning more about the license changes introduced in Consul Enterprise v1.10.0+ent. + +- [Consul Enterprise Upgrade Documentation](https://www.consul.io/docs/enterprise/upgrades) + +- [Consul License Documentation](http://localhost:3000/docs/enterprise/license) + + + +- [Install a HashiCorp Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) + +## Q: Do these changes impact all customers/licenses? + +The license changes introduced in v1.10.0 only affect Consul Enterprise. +This impacts customers that have an enterprise binarie (EVAL / non-EVAL licenses) downloaded from releases.hashicorp.com. +The license changes do not, at this time, impact customers with the baked-in licensed binaries (Pro/Premium). In a later release of Consul Enterprise, baked-in binaries will be deprecated. + +## Q: What is the product behavior change introduced by the licensing changes? + +Starting with Consul Enterprise 1.10.0+ent, a valid license is required on-disk (auto-loading) or as an environment variable for Consul Enterprise to successfully boot-up. +The in-storage license feature will not be supported starting with Consul Enteprise 1.10.0+ent. All Consul Enterprise clusters using v1.10.0+ent must ensure that there is a valid license on-disk (auto-loaded) or as an environment variable. + +## Q: What is the impact on EVAL licenses due to this change? + +The 6-hour trial period for EVAL licenses will be deprecated as of Consul Enterprise 1.10.0. +This means that any clusters deployed with Consul 1.10.0+ent binaries will need to have a valid license on the disk (auto-loaded) or as an environment variable. +Failure in providing a valid license key will result in the Consul server agent not starting. diff --git a/website/content/docs/enterprise/license/overview.mdx b/website/content/docs/enterprise/license/overview.mdx new file mode 100644 index 0000000000..09ba358c5a --- /dev/null +++ b/website/content/docs/enterprise/license/overview.mdx @@ -0,0 +1,69 @@ +--- +layout: docs +page_title: Consul Enterprise License +description: Consul Enterprise License Overview. +--- + +# Consul Enterprise License + +## Licensing + +All Consul Enterprise agents must be licensed when they are started. Where that license comes from will depend +on which binary is in use, whether the agent is a server, client or snapshot agent and whether ACLs have been +enabled for the cluster. + +-> ** Consul Enterprise v1.10.0 removed temporary licensing.** In previous versions Consul Enterprise +agents could start without a license and then have a license applied to them later on via the CLI +or API. That functionality has been removed and replaced with the ability to load licenses from the +agent's configuration or environment. Also prior to v1.10.0 server agents would automatically propagate +the license between themselves. This no longer occurs and the license must be present on each server +when they are started. + +### Binaries with Built In Licenses + +If you are downloading Consul from Amazon S3, then the license is included +in the binary and you do not need to take further action. This is the +most common use case. + +In the S3 bucket you will find three Enterprise zip packages. The packages with `+pro` and +`+prem` in the name, are the binaries that include the license. The package +with `+ent` in the name does not include the license. + +When using these binaries no further action is necessary to configure the license. + +### Binaries Without Built In Licenses + +For binaries that do not include built in licenses a license must be available at the time the agent starts. +For server agents this means that they must either have the [`license_path`](/docs/agent/opts#license_path) +configuration set or have a license configured in the servers environment with the `CONSUL_LICENSE` or +`CONSUL_LICENSE_PATH` environment variables. Both the configuration item and the `CONSUL_LICENSE_PATH` +environment variable point to a file containing the license whereas the `CONSUL_LICENSE` environment +variable should contain the license as the value. If multiple of these are set the order of precedence is: + +1. `CONSUL_LICENSE` environment variable +2. `CONSUL_LICENSE_PATH` environment variable +3. `license_path` configuration item. + +Both client agents and the snapshot agent may also be licensed in the very same manner. However to prevent +the need to configure the license on many client agents and snapshot agents those agents have the capability +to retrieve the license automatically under specific circumstances. + +#### Client Agent License Retrieval + +When a client agent starts without a license in its configuration or environment, it will try to retrieve the +license from the servers via RPCs. That RPC always requires a valid non-anonymous ACL token to authorize the +request but the token doesn't need any particular permissions. As the license is required before the client +actually joins the cluster, where to make those RPC requests to is inferred from the [`start_join`](/docs/agent/opts#start_join) +or [`retry_join`](/docs/agent/opts#retry_join) configurations. If those are both unset or no +[`agent` token](/docs/agent/opts#acl_tokens_agent) is set then the client agent will immediately shut itself down. +If all preliminary checks pass the client agent will attempt to reach out to any server on its RPC port to +request the license. These requests will be retried for up to 5 minutes and if it is unable to retrieve a +license within that time frame it will shut itself down. + +#### Snapshot Agent License Retrieval + +The snapshot agent has similar functionality to the client agent for automatically retrieving the license. However, +instead of requiring a server agent to talk to, the snapshot agent can request the license from the server or +client agent it would use for all other operations. It still requires an ACL token to authorize the request. Also +like client agents, the snapshot agent will shut itself down after being unable to retrieve the license for 5 +minutes. diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index a87da54f2c..75791414d8 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -830,6 +830,19 @@ { "title": "Sentinel", "path": "enterprise/sentinel" + }, + { + "title": "License", + "routes": [ + { + "title": "Overview", + "path": "enterprise/license/overview" + }, + { + "title": "FAQ", + "path": "enterprise/license/faq" + } + ] } ] }, diff --git a/website/redirects.next.js b/website/redirects.next.js index bae01767a8..74bc816cfa 100644 --- a/website/redirects.next.js +++ b/website/redirects.next.js @@ -81,6 +81,11 @@ module.exports = [ destination: '/docs/connect/registration/sidecar-service', permanent: true, }, + { + source: '/docs/enterprise/license', + destination: '/docs/enterprise/license/overview', + permanent: true, + }, { source: '/docs/enterprise/connect-multi-datacenter', destination: '/docs/enterprise', From c3e23c1ec9f347f46b18392c6ab31794535ef522 Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Thu, 10 Jun 2021 10:16:56 -1000 Subject: [PATCH 2/8] docs: added more questions and marking ready for review --- .../content/docs/enterprise/license/faq.mdx | 86 +++++++++++++++++-- 1 file changed, 80 insertions(+), 6 deletions(-) diff --git a/website/content/docs/enterprise/license/faq.mdx b/website/content/docs/enterprise/license/faq.mdx index 2147b2f1f6..746ff6c190 100644 --- a/website/content/docs/enterprise/license/faq.mdx +++ b/website/content/docs/enterprise/license/faq.mdx @@ -7,7 +7,7 @@ description: Frequently Asked Questions pertaining to Consul Enterprise Licensin # Frequently Asked Questions (FAQ) This FAQ is for the license changes introduced in Consul Enterprise version v1.10.0+ent. -Consul Enterprise automatically load Consul licenses when a Consul server agent starts using Consul Enterprise. +Consul Enterprise automatically load Consul licenses when a Consul server agent starts. ## Q: Can I get a quick summary of the Consul changes? @@ -20,6 +20,10 @@ This check is part of the server boot-up process. In previous versions of HashiCorp enterprise products, one server could distribute a license to other servers via the Raft protocol. This will no longer work since each server must be able to find a valid license during the startup process. +## Q: Is there a tutorial available for the license configuration steps? + +Please visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise). + ## Q: What resources are available? The list below is a great starting point for learning more about the license changes introduced in Consul Enterprise v1.10.0+ent. @@ -28,7 +32,7 @@ The list below is a great starting point for learning more about the license cha - [Consul License Documentation](http://localhost:3000/docs/enterprise/license) - +- [License configuration values documentation](http://localhost:3000/docs/enterprise/license/overview#binaries-without-built-in-licenses) - [Install a HashiCorp Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) @@ -36,15 +40,85 @@ The list below is a great starting point for learning more about the license cha The license changes introduced in v1.10.0 only affect Consul Enterprise. This impacts customers that have an enterprise binarie (EVAL / non-EVAL licenses) downloaded from releases.hashicorp.com. -The license changes do not, at this time, impact customers with the baked-in licensed binaries (Pro/Premium). In a later release of Consul Enterprise, baked-in binaries will be deprecated. +The license changes do not impact customers with the baked-in licensed binaries. In a later release of Consul Enterprise, baked-in binaries will be deprecated. ## Q: What is the product behavior change introduced by the licensing changes? -Starting with Consul Enterprise 1.10.0+ent, a valid license is required on-disk (auto-loading) or as an environment variable for Consul Enterprise to successfully boot-up. -The in-storage license feature will not be supported starting with Consul Enteprise 1.10.0+ent. All Consul Enterprise clusters using v1.10.0+ent must ensure that there is a valid license on-disk (auto-loaded) or as an environment variable. +Starting with Consul Enterprise v1.10.0+ent, a valid license is required on-disk (auto-loading) or as an environment variable for Consul Enterprise to successfully boot-up. +The in-storage license feature will not be supported starting with Consul Enteprise v1.10.0+ent. All Consul Enterprise clusters using v1.10.0+ent must ensure that there is a valid license on-disk (auto-loaded) or as an environment variable. ## Q: What is the impact on EVAL licenses due to this change? The 6-hour trial period for EVAL licenses will be deprecated as of Consul Enterprise 1.10.0. -This means that any clusters deployed with Consul 1.10.0+ent binaries will need to have a valid license on the disk (auto-loaded) or as an environment variable. +This means that any clusters deployed with Consul v1.10.0+ent binaries will need to have a valid license on the disk (auto-loaded) or as an environment variable. Failure in providing a valid license key will result in the Consul server agent not starting. + +## Q: Is there a grace period when licenses expire? + +A license includes an `expiration_date` and a `termination_date`. An enteprise binary will cease to function once the `termination_date` has passed. +Licenses will now have a 24 hrs grace period. The grace period is the time between license expiry till it terminates. +As Consul Enterprise approaches the expiration date, warnings will be issued in the system logs. + +## Q: Does this affect client agents? + +For existing clusters, if the clients agents are using ACLs and have a valid token, then they will be able to retrieve the license from the server. +If the client agents are not using ACLs, then the client agents will be need to have the license on-disk (auto-loading) or as an environment variable. +For new Consul clusters using Consul v1.10.0+ent, customers must ensure that there is a valid license on-disk (auto-loaded) or as an environment variable. + +## Q: Does this affect snapshot agents? + +Same behavior as Consul clients. See answer for [Does this affect snapshot agents? ](faq#q-does-this-affect-client-agents) + +## Q: What is the behavior is the license is missing? + +Consul server agents will detect the absence of the license and immediately exit. + +Consul client agents will attempt to retrieve the license from servers if certain conditions are met: ACLs are enabled, a ACL token is provided to the client agent, the client agents configuration contains `start_join/retry_join` addresses, the start/retry join addresses are addresses of the Consul servers. + +Consul snapshot agents will attempt to retrieve the license from servers if certain conditions are met: ACLs are enabled, a ACL token is provided to the client agent, the client agents configuration contains `start_join/retry_join` addresses, the start/retry join addresses are addresses of the Consul servers. + +## Q: Where can users get a trial license for Consul Enterprise? + +Visit https://www.consul.io/trial for a free 30-day trial license. + +## Q: Are the license files locked to a specific cluster? + +The license files are not locked to a specific cluster or cluster node. The above changes apply to all nodes in a cluster. + +## Q: Will this impact HCP Consul? + +This will not impact HCP Consul. + +## Q: Does this need to happen every time a node restarts, or is this a one-time check? + +Consul Enterprise binaries starting with v1.10.0+ent, will be subject to EULA check. Release v1.10.0+ent introduces the EULA check for eval licenses (non-EVAL licenses already go through EULA check during contractual agreement). + +The agreement to a EULA happens only once (when the user gets their license), Consul Enterprise **will check for the presence of a valid license every time a node restarts**. + +When a customer upgrades existing clusters to a v1.10.0+ent release, they need to have a valid license to successfully upgrade. This valid license must be auto-loaded. + +When a customer deploys new clusters to a v1.10.0+ent release, they need to have a valid license to successfully upgrade. This valid license must be on-disk (auto-loaded). + +## Q: What are the scenarios that a customer must plan for because of these changes? + +New Consul cluster deployments using v1.10.0+ent will need to have a valid license to successfully deploy. +This valid license must be on-disk (auto-loaded) or as an environment variable. + +## Q: What is the migration path for customers who want to migrate from their existing license-as-applied-via-the-CLI flow to the license on disk flow? + +Run consul `license get -signed` to extract the license from their running cluster. Store the license in a secure location on disk. +Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable. +Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. +Proceed with the upgrade as normal. + +## Q: What is the migration path for customers who want to migrate from their existing perpetually-licensed binaries to the license on disk flow? + +Aquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. +Store the license in a secure location on disk. +Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable. +Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. +Proceed with the upgrade as normal. + +## Q: Will Consul downgrades/rollbacks work? + +When downgrading to a version of Consul before v1.10.0+ent, customers will need to follow the previous process for applying an enterprise licenses to Consul Enterprise. From 7688e9e257f5dd1478d6fd2128dabe48966d2a4a Mon Sep 17 00:00:00 2001 From: mrspanishviking Date: Fri, 11 Jun 2021 06:55:41 -1000 Subject: [PATCH 3/8] Apply suggestions from code review Applying suggestions Co-authored-by: Blake Covarrubias Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com> --- .../content/docs/enterprise/license/faq.mdx | 49 ++++++++++--------- .../docs/enterprise/license/overview.mdx | 2 +- 2 files changed, 28 insertions(+), 23 deletions(-) diff --git a/website/content/docs/enterprise/license/faq.mdx b/website/content/docs/enterprise/license/faq.mdx index 746ff6c190..f7384d42c9 100644 --- a/website/content/docs/enterprise/license/faq.mdx +++ b/website/content/docs/enterprise/license/faq.mdx @@ -4,16 +4,16 @@ page_title: Consul Enterprise License FAQ description: Frequently Asked Questions pertaining to Consul Enterprise Licensing. --- -# Frequently Asked Questions (FAQ) +# Licensing Frequently Asked Questions (FAQ) -This FAQ is for the license changes introduced in Consul Enterprise version v1.10.0+ent. -Consul Enterprise automatically load Consul licenses when a Consul server agent starts. +This FAQ is for the license changes introduced in Consul Enterprise version 1.10.0. +Consul Enterprise automatically loads Consul licenses when the server agent starts. ## Q: Can I get a quick summary of the Consul changes? Starting with Consul Enterprise v1.10.0, the license enablement process is different. -HashiCorp Enterprise servers will no longer start without a license. When the server instance initializes the license watcher, the server reads from either an environment variable or file. +HashiCorp Enterprise servers will no longer start without a license. Servers require licenses to be provided from either an environment variable or file. If the license is missing, invalid, or expired, the server will immediately exit. This check is part of the server boot-up process. @@ -39,24 +39,24 @@ The list below is a great starting point for learning more about the license cha ## Q: Do these changes impact all customers/licenses? The license changes introduced in v1.10.0 only affect Consul Enterprise. -This impacts customers that have an enterprise binarie (EVAL / non-EVAL licenses) downloaded from releases.hashicorp.com. +This impacts customers that have an enterprise binary (evaluation or non-evaluation licenses) downloaded from . The license changes do not impact customers with the baked-in licensed binaries. In a later release of Consul Enterprise, baked-in binaries will be deprecated. ## Q: What is the product behavior change introduced by the licensing changes? -Starting with Consul Enterprise v1.10.0+ent, a valid license is required on-disk (auto-loading) or as an environment variable for Consul Enterprise to successfully boot-up. +Starting with Consul Enterprise 1.10.0, a valid license is required on-disk (auto-loading) or as an environment variable for Consul Enterprise to successfully boot-up. The in-storage license feature will not be supported starting with Consul Enteprise v1.10.0+ent. All Consul Enterprise clusters using v1.10.0+ent must ensure that there is a valid license on-disk (auto-loaded) or as an environment variable. -## Q: What is the impact on EVAL licenses due to this change? +## Q: What is the impact on evaluation licenses due to this change? -The 6-hour trial period for EVAL licenses will be deprecated as of Consul Enterprise 1.10.0. +The 6-hour trial period for evaluation licenses will be deprecated as of Consul Enterprise 1.10.0. This means that any clusters deployed with Consul v1.10.0+ent binaries will need to have a valid license on the disk (auto-loaded) or as an environment variable. -Failure in providing a valid license key will result in the Consul server agent not starting. +Failure to provide a valid license key will result in the Consul server agent not starting. ## Q: Is there a grace period when licenses expire? A license includes an `expiration_date` and a `termination_date`. An enteprise binary will cease to function once the `termination_date` has passed. -Licenses will now have a 24 hrs grace period. The grace period is the time between license expiry till it terminates. +Licenses will now have a 24 hrs grace period. The grace period is the time between license expiry until the time it terminates. As Consul Enterprise approaches the expiration date, warnings will be issued in the system logs. ## Q: Does this affect client agents? @@ -69,11 +69,16 @@ For new Consul clusters using Consul v1.10.0+ent, customers must ensure that the Same behavior as Consul clients. See answer for [Does this affect snapshot agents? ](faq#q-does-this-affect-client-agents) -## Q: What is the behavior is the license is missing? +## Q: What is the behavior if the license is missing? Consul server agents will detect the absence of the license and immediately exit. -Consul client agents will attempt to retrieve the license from servers if certain conditions are met: ACLs are enabled, a ACL token is provided to the client agent, the client agents configuration contains `start_join/retry_join` addresses, the start/retry join addresses are addresses of the Consul servers. +Consul client agents will attempt to retrieve the license from servers if certain conditions are met: + +* ACLs are enabled. +* An ACL token is provided to the client agent. +* The client agents configuration contains `start_join/retry_join` addresses. +* The start/retry join addresses are addresses of the Consul servers. Consul snapshot agents will attempt to retrieve the license from servers if certain conditions are met: ACLs are enabled, a ACL token is provided to the client agent, the client agents configuration contains `start_join/retry_join` addresses, the start/retry join addresses are addresses of the Consul servers. @@ -91,7 +96,7 @@ This will not impact HCP Consul. ## Q: Does this need to happen every time a node restarts, or is this a one-time check? -Consul Enterprise binaries starting with v1.10.0+ent, will be subject to EULA check. Release v1.10.0+ent introduces the EULA check for eval licenses (non-EVAL licenses already go through EULA check during contractual agreement). +Consul Enterprise binaries starting with v1.10.0+ent, will be subject to EULA check. Release v1.10.0+ent introduces the EULA check for evaluation licenses (non-evaluation licenses already go through EULA check during contractual agreement). The agreement to a EULA happens only once (when the user gets their license), Consul Enterprise **will check for the presence of a valid license every time a node restarts**. @@ -106,18 +111,18 @@ This valid license must be on-disk (auto-loaded) or as an environment variable. ## Q: What is the migration path for customers who want to migrate from their existing license-as-applied-via-the-CLI flow to the license on disk flow? -Run consul `license get -signed` to extract the license from their running cluster. Store the license in a secure location on disk. -Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable. -Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. -Proceed with the upgrade as normal. +1. Run [`consul license get -signed`](/commands/license#get) to extract the license from their running cluster. Store the license in a secure location on disk. +1. Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable. +1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. +1. Proceed with the upgrade as normal. ## Q: What is the migration path for customers who want to migrate from their existing perpetually-licensed binaries to the license on disk flow? -Aquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. -Store the license in a secure location on disk. -Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable. -Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. -Proceed with the upgrade as normal. +1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. +1. Store the license in a secure location on disk. +1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable. +1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. +1. Proceed with the upgrade as normal. ## Q: Will Consul downgrades/rollbacks work? diff --git a/website/content/docs/enterprise/license/overview.mdx b/website/content/docs/enterprise/license/overview.mdx index 09ba358c5a..6d2277fa7e 100644 --- a/website/content/docs/enterprise/license/overview.mdx +++ b/website/content/docs/enterprise/license/overview.mdx @@ -34,7 +34,7 @@ When using these binaries no further action is necessary to configure the licens ### Binaries Without Built In Licenses For binaries that do not include built in licenses a license must be available at the time the agent starts. -For server agents this means that they must either have the [`license_path`](/docs/agent/opts#license_path) +For server agents this means that they must either have the [`license_path`](/docs/agent/options#license_path) configuration set or have a license configured in the servers environment with the `CONSUL_LICENSE` or `CONSUL_LICENSE_PATH` environment variables. Both the configuration item and the `CONSUL_LICENSE_PATH` environment variable point to a file containing the license whereas the `CONSUL_LICENSE` environment From be72c5f851058fc576e8f595f5759cd213d65d35 Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Fri, 11 Jun 2021 07:46:14 -1000 Subject: [PATCH 4/8] docs: updated content in the overview page and faq --- .../content/docs/enterprise/license/faq.mdx | 51 +++++++++++++------ .../docs/enterprise/license/overview.mdx | 16 ++++-- 2 files changed, 48 insertions(+), 19 deletions(-) diff --git a/website/content/docs/enterprise/license/faq.mdx b/website/content/docs/enterprise/license/faq.mdx index f7384d42c9..120a5205cf 100644 --- a/website/content/docs/enterprise/license/faq.mdx +++ b/website/content/docs/enterprise/license/faq.mdx @@ -11,7 +11,7 @@ Consul Enterprise automatically loads Consul licenses when the server agent star ## Q: Can I get a quick summary of the Consul changes? -Starting with Consul Enterprise v1.10.0, the license enablement process is different. +Starting with Consul Enterprise 1.10.0, the license enablement process is different. HashiCorp Enterprise servers will no longer start without a license. Servers require licenses to be provided from either an environment variable or file. If the license is missing, invalid, or expired, the server will immediately exit. @@ -26,7 +26,7 @@ Please visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutor ## Q: What resources are available? -The list below is a great starting point for learning more about the license changes introduced in Consul Enterprise v1.10.0+ent. +The list below is a great starting point for learning more about the license changes introduced in Consul Enterprise 1.10.0+ent. - [Consul Enterprise Upgrade Documentation](https://www.consul.io/docs/enterprise/upgrades) @@ -38,19 +38,19 @@ The list below is a great starting point for learning more about the license cha ## Q: Do these changes impact all customers/licenses? -The license changes introduced in v1.10.0 only affect Consul Enterprise. -This impacts customers that have an enterprise binary (evaluation or non-evaluation licenses) downloaded from . +The license changes introduced in 1.10.0 only affect Consul Enterprise. +This impacts customers that have an enterprise binary (evaluation or non-evaluation licenses) downloaded from https://releases.hashicorp.com. The license changes do not impact customers with the baked-in licensed binaries. In a later release of Consul Enterprise, baked-in binaries will be deprecated. ## Q: What is the product behavior change introduced by the licensing changes? Starting with Consul Enterprise 1.10.0, a valid license is required on-disk (auto-loading) or as an environment variable for Consul Enterprise to successfully boot-up. -The in-storage license feature will not be supported starting with Consul Enteprise v1.10.0+ent. All Consul Enterprise clusters using v1.10.0+ent must ensure that there is a valid license on-disk (auto-loaded) or as an environment variable. +The in-storage license feature will not be supported starting with Consul Enteprise 1.10.0+ent. All Consul Enterprise clusters using 1.10.0+ent must ensure that there is a valid license on-disk (auto-loaded) or as an environment variable. ## Q: What is the impact on evaluation licenses due to this change? The 6-hour trial period for evaluation licenses will be deprecated as of Consul Enterprise 1.10.0. -This means that any clusters deployed with Consul v1.10.0+ent binaries will need to have a valid license on the disk (auto-loaded) or as an environment variable. +This means that any clusters deployed with Consul 1.10.0+ent binaries will need to have a valid license on the disk (auto-loaded) or as an environment variable. Failure to provide a valid license key will result in the Consul server agent not starting. ## Q: Is there a grace period when licenses expire? @@ -63,7 +63,7 @@ As Consul Enterprise approaches the expiration date, warnings will be issued in For existing clusters, if the clients agents are using ACLs and have a valid token, then they will be able to retrieve the license from the server. If the client agents are not using ACLs, then the client agents will be need to have the license on-disk (auto-loading) or as an environment variable. -For new Consul clusters using Consul v1.10.0+ent, customers must ensure that there is a valid license on-disk (auto-loaded) or as an environment variable. +For new Consul clusters using Consul 1.10.0+ent, customers must ensure that there is a valid license on-disk (auto-loaded) or as an environment variable. ## Q: Does this affect snapshot agents? @@ -75,10 +75,10 @@ Consul server agents will detect the absence of the license and immediately exit Consul client agents will attempt to retrieve the license from servers if certain conditions are met: -* ACLs are enabled. -* An ACL token is provided to the client agent. -* The client agents configuration contains `start_join/retry_join` addresses. -* The start/retry join addresses are addresses of the Consul servers. +- ACLs are enabled. +- An ACL token is provided to the client agent. +- The client agents configuration contains `start_join/retry_join` addresses. +- The start/retry join addresses are addresses of the Consul servers. Consul snapshot agents will attempt to retrieve the license from servers if certain conditions are met: ACLs are enabled, a ACL token is provided to the client agent, the client agents configuration contains `start_join/retry_join` addresses, the start/retry join addresses are addresses of the Consul servers. @@ -96,34 +96,53 @@ This will not impact HCP Consul. ## Q: Does this need to happen every time a node restarts, or is this a one-time check? -Consul Enterprise binaries starting with v1.10.0+ent, will be subject to EULA check. Release v1.10.0+ent introduces the EULA check for evaluation licenses (non-evaluation licenses already go through EULA check during contractual agreement). +Consul Enterprise binaries starting with 1.10.0+ent, will be subject to EULA check. Release 1.10.0+ent introduces the EULA check for evaluation licenses (non-evaluation licenses already go through EULA check during contractual agreement). The agreement to a EULA happens only once (when the user gets their license), Consul Enterprise **will check for the presence of a valid license every time a node restarts**. -When a customer upgrades existing clusters to a v1.10.0+ent release, they need to have a valid license to successfully upgrade. This valid license must be auto-loaded. +When a customer upgrades existing clusters to a 1.10.0+ent release, they need to have a valid license to successfully upgrade. This valid license must be auto-loaded. -When a customer deploys new clusters to a v1.10.0+ent release, they need to have a valid license to successfully upgrade. This valid license must be on-disk (auto-loaded). +When a customer deploys new clusters to a 1.10.0+ent release, they need to have a valid license to successfully upgrade. This valid license must be on-disk (auto-loaded). ## Q: What are the scenarios that a customer must plan for because of these changes? -New Consul cluster deployments using v1.10.0+ent will need to have a valid license to successfully deploy. +New Consul cluster deployments using 1.10.0+ent will need to have a valid license to successfully deploy. This valid license must be on-disk (auto-loaded) or as an environment variable. ## Q: What is the migration path for customers who want to migrate from their existing license-as-applied-via-the-CLI flow to the license on disk flow? +### VM + 1. Run [`consul license get -signed`](/commands/license#get) to extract the license from their running cluster. Store the license in a secure location on disk. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable. 1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. 1. Proceed with the upgrade as normal. +### Kubernetes + +1. Run [`consul license get -signed`](/commands/license#get) to extract the license from their running cluster. Store the license in a secure location on disk. +1. Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable. +1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. +1. Proceed with the `helm` [upgrade instructions](/docs/k8s/upgrade) + ## Q: What is the migration path for customers who want to migrate from their existing perpetually-licensed binaries to the license on disk flow? +### VM + 1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. 1. Store the license in a secure location on disk. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable. 1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. 1. Proceed with the upgrade as normal. +### Kubernetes + +1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. +1. Store the license in a secure location on disk. +1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable. +1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. +1. Proceed with the `helm` [upgrade instructions](/docs/k8s/upgrade) + ## Q: Will Consul downgrades/rollbacks work? -When downgrading to a version of Consul before v1.10.0+ent, customers will need to follow the previous process for applying an enterprise licenses to Consul Enterprise. +When downgrading to a version of Consul before 1.10.0+ent, customers will need to follow the previous process for applying an enterprise licenses to Consul Enterprise. diff --git a/website/content/docs/enterprise/license/overview.mdx b/website/content/docs/enterprise/license/overview.mdx index 6d2277fa7e..14daacf971 100644 --- a/website/content/docs/enterprise/license/overview.mdx +++ b/website/content/docs/enterprise/license/overview.mdx @@ -12,13 +12,15 @@ All Consul Enterprise agents must be licensed when they are started. Where that on which binary is in use, whether the agent is a server, client or snapshot agent and whether ACLs have been enabled for the cluster. --> ** Consul Enterprise v1.10.0 removed temporary licensing.** In previous versions Consul Enterprise +-> ** Consul Enterprise 1.10.0 removed temporary licensing.** In previous versions Consul Enterprise agents could start without a license and then have a license applied to them later on via the CLI or API. That functionality has been removed and replaced with the ability to load licenses from the -agent's configuration or environment. Also prior to v1.10.0 server agents would automatically propagate +agent's configuration or environment. Also prior to 1.10.0 server agents would automatically propagate the license between themselves. This no longer occurs and the license must be present on each server when they are started. +-> Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. + ### Binaries with Built In Licenses If you are downloading Consul from Amazon S3, then the license is included @@ -33,7 +35,7 @@ When using these binaries no further action is necessary to configure the licens ### Binaries Without Built In Licenses -For binaries that do not include built in licenses a license must be available at the time the agent starts. +For Consul Enterprise 1.10.0 or greater, binaries that do not include built in licenses a license must be available at the time the agent starts. For server agents this means that they must either have the [`license_path`](/docs/agent/options#license_path) configuration set or have a license configured in the servers environment with the `CONSUL_LICENSE` or `CONSUL_LICENSE_PATH` environment variables. Both the configuration item and the `CONSUL_LICENSE_PATH` @@ -56,10 +58,18 @@ request but the token doesn't need any particular permissions. As the license is actually joins the cluster, where to make those RPC requests to is inferred from the [`start_join`](/docs/agent/opts#start_join) or [`retry_join`](/docs/agent/opts#retry_join) configurations. If those are both unset or no [`agent` token](/docs/agent/opts#acl_tokens_agent) is set then the client agent will immediately shut itself down. + If all preliminary checks pass the client agent will attempt to reach out to any server on its RPC port to request the license. These requests will be retried for up to 5 minutes and if it is unable to retrieve a license within that time frame it will shut itself down. +If ACLs are disabled then the license must be provided to the client agent through one of the three methods listed below. +Failure in providing the client agent with a licence will prevent the client agent from joining the cluster. + +1. `CONSUL_LICENSE` environment variable +2. `CONSUL_LICENSE_PATH` environment variable +3. `license_path` configuration item. + #### Snapshot Agent License Retrieval The snapshot agent has similar functionality to the client agent for automatically retrieving the license. However, From 737f48f723f2e65ac1cee3f5f2142eb54b5ed3dc Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Tue, 15 Jun 2021 06:02:51 -1000 Subject: [PATCH 5/8] docs: adding new content for review --- .../content/docs/enterprise/license/faq.mdx | 29 ++++++++++++++----- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/website/content/docs/enterprise/license/faq.mdx b/website/content/docs/enterprise/license/faq.mdx index 120a5205cf..5d5503ae43 100644 --- a/website/content/docs/enterprise/license/faq.mdx +++ b/website/content/docs/enterprise/license/faq.mdx @@ -116,14 +116,14 @@ This valid license must be on-disk (auto-loaded) or as an environment variable. 1. Run [`consul license get -signed`](/commands/license#get) to extract the license from their running cluster. Store the license in a secure location on disk. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable. 1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. -1. Proceed with the upgrade as normal. +1. Follow the Consul upgrade [docummentation](/docs/upgrading). ### Kubernetes -1. Run [`consul license get -signed`](/commands/license#get) to extract the license from their running cluster. Store the license in a secure location on disk. +1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable. -1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. -1. Proceed with the `helm` [upgrade instructions](/docs/k8s/upgrade) + Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. +1. Proceed with the `helm` [upgrade instructions](/docs/k8s/upgrade). ## Q: What is the migration path for customers who want to migrate from their existing perpetually-licensed binaries to the license on disk flow? @@ -132,17 +132,30 @@ This valid license must be on-disk (auto-loaded) or as an environment variable. 1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. 1. Store the license in a secure location on disk. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable. -1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. -1. Proceed with the upgrade as normal. + Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. +1. Follow the Consul upgrade [docummentation](/docs/upgrading). ### Kubernetes 1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. -1. Store the license in a secure location on disk. 1. Set up the necessary configuration so that when Consul Enterprise reboots it will have the required license. This could be via the client agent configuration file or an environment variable. -1. Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. + Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. 1. Proceed with the `helm` [upgrade instructions](/docs/k8s/upgrade) ## Q: Will Consul downgrades/rollbacks work? When downgrading to a version of Consul before 1.10.0+ent, customers will need to follow the previous process for applying an enterprise licenses to Consul Enterprise. + +## Q: Are there potential pitfalls when downgrading or upgrading? + +Assume a scenario where there are three Consul server nodes: + +- Node A: v1.9.5 +- Node B: v1.10.0 [Leader] +- Node C: v1.9.5 + +The command `consul license put` is issued from Node A. This will result in an error due to how Consul routes calls to the server node, Node B in this example. +Because Node A is a follower when the call `consul license put` is issued, the call will be redirected to Node B (leader). +The `consul license put` operation will fail due to being removed from v1.10.0. +This is a scenario that could occur if a customer downgrades from 1.10.0+ and the Consul leadership has not transferred back over to a node not running 1.10.0+. +This also has the potential of occurring when upgrading if scheduled license updates or autoscaling groups recoveries are in place. From 1daf92356323dec69de9443be36f08c68ad7031c Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Wed, 16 Jun 2021 10:08:28 -1000 Subject: [PATCH 6/8] docs: added question pertaining to Consul Kubernetes and Helm chart --- website/content/docs/enterprise/license/faq.mdx | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/license/faq.mdx b/website/content/docs/enterprise/license/faq.mdx index 5d5503ae43..d5015ee584 100644 --- a/website/content/docs/enterprise/license/faq.mdx +++ b/website/content/docs/enterprise/license/faq.mdx @@ -156,6 +156,17 @@ Assume a scenario where there are three Consul server nodes: The command `consul license put` is issued from Node A. This will result in an error due to how Consul routes calls to the server node, Node B in this example. Because Node A is a follower when the call `consul license put` is issued, the call will be redirected to Node B (leader). -The `consul license put` operation will fail due to being removed from v1.10.0. +The `consul license put` operation will fail due to being removed from 1.10.0. This is a scenario that could occur if a customer downgrades from 1.10.0+ and the Consul leadership has not transferred back over to a node not running 1.10.0+. This also has the potential of occurring when upgrading if scheduled license updates or autoscaling groups recoveries are in place. + +## Q: Any impacts to Consul Kubernetes? + +If you are using a Consul Enterprise version prior to 1.10.0 and decide to upgrade the Helm chart to version 0.32.0 or newer, but not the Consul version. +You will need to add the following configuration. + +``` +server: + enterpriseLicense: + enableLicenseAutoload: false +``` From 5435f2309ad1f54940e708a0e530c2dc8a99c531 Mon Sep 17 00:00:00 2001 From: mrspanishviking Date: Wed, 16 Jun 2021 10:17:56 -1000 Subject: [PATCH 7/8] Update website/content/docs/enterprise/license/faq.mdx Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com> --- website/content/docs/enterprise/license/faq.mdx | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/website/content/docs/enterprise/license/faq.mdx b/website/content/docs/enterprise/license/faq.mdx index d5015ee584..f1bbf4e32f 100644 --- a/website/content/docs/enterprise/license/faq.mdx +++ b/website/content/docs/enterprise/license/faq.mdx @@ -120,11 +120,13 @@ This valid license must be on-disk (auto-loaded) or as an environment variable. ### Kubernetes -1. Acquire a valid Consul Enterprise license. If you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. -1. Set up the necessary configuration so that when Consul Enterprise reboots it will have access to the required license. This could be via the client agent configuration file or an environment variable. - Visit the [Enterprise License Tutorial](https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=consul/enterprise) for detailed steps on how to install the license key. -1. Proceed with the `helm` [upgrade instructions](/docs/k8s/upgrade). +**NOTE:** If you are not upgrading Consul or your Helm chart version then no action is required. +1. In order to use Consul Enterprise 1.10.0 or greater on Kubernetes you must use version 0.32.0 or greater of the Helm chart. +1. You should already have a Consul Enterprise license set as a Kubernetes secret. If you do not, then if you are an existing HashiCorp enterprise customer you may contact your organization's customer success manager (CSM) or email support-softwaredelivery@hashicorp.com for information on how to get your organization's enterprise license. Once you have the license then create a Kubernetes secret containing the license as described in [Kubernetes - Consul Enterprise](/docs/k8s/installation/deployment-configurations/consul-enterprise). +1. Follow the [Kubernetes Upgrade Docs](/docs/k8s/upgrade) to upgrade. No changes to your `values.yaml` file are needed to enable enterprise autoloading since this support is built in to consul-helm 0.32.0 and greater. + +~> **WARNING:** If you are upgrading the Helm chart but **not** upgrading the Consul version, you must set `server.enterpriseLicense.enableLicenseAutoload: false`. See [Kubernetes - Consul Enterprise](/docs/k8s/installation/deployment-configurations/consul-enterprise) for more details. ## Q: What is the migration path for customers who want to migrate from their existing perpetually-licensed binaries to the license on disk flow? ### VM From 0fcf9289994876d56078945c5e49e04e9e71eac0 Mon Sep 17 00:00:00 2001 From: mrspanishviking Date: Thu, 17 Jun 2021 11:39:24 -1000 Subject: [PATCH 8/8] Update website/content/docs/enterprise/license/overview.mdx Merged Co-authored-by: Blake Covarrubias --- website/content/docs/enterprise/license/overview.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/enterprise/license/overview.mdx b/website/content/docs/enterprise/license/overview.mdx index 14daacf971..67947e273d 100644 --- a/website/content/docs/enterprise/license/overview.mdx +++ b/website/content/docs/enterprise/license/overview.mdx @@ -55,9 +55,9 @@ to retrieve the license automatically under specific circumstances. When a client agent starts without a license in its configuration or environment, it will try to retrieve the license from the servers via RPCs. That RPC always requires a valid non-anonymous ACL token to authorize the request but the token doesn't need any particular permissions. As the license is required before the client -actually joins the cluster, where to make those RPC requests to is inferred from the [`start_join`](/docs/agent/opts#start_join) -or [`retry_join`](/docs/agent/opts#retry_join) configurations. If those are both unset or no -[`agent` token](/docs/agent/opts#acl_tokens_agent) is set then the client agent will immediately shut itself down. +actually joins the cluster, where to make those RPC requests to is inferred from the [`start_join`](/docs/agent/options#start_join) +or [`retry_join`](/docs/agent/options#retry_join) configurations. If those are both unset or no +[`agent` token](/docs/agent/options#acl_tokens_agent) is set then the client agent will immediately shut itself down. If all preliminary checks pass the client agent will attempt to reach out to any server on its RPC port to request the license. These requests will be retried for up to 5 minutes and if it is unable to retrieve a