diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 31792c8a54..a8d75773f5 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -27,9 +27,9 @@ upgrade flow. Prior to Consul 1.14, it was possible to encrypt communication between Consul and Envoy over `ports.grpc` using these settings. -Consul 1.14 introduces [`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port), a new configuration -for encrypting communication over gRPC. The existing [`ports.grpc`](/docs/agent/config/config- -files#grpc_port) configuration **will stop supporting encryption in a future release**. As of version 1.14, +Consul 1.14 introduces [`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port), a new configuration +for encrypting communication over gRPC. The existing [`ports.grpc`](/docs/agent/config/config- +files#grpc_port) configuration **will stop supporting encryption in a future release**. As of version 1.14, `ports.grpc_tls` is the recommended configuration to encrypt gRPC traffic. For most environments, the Envoy communication to Consul is loop-back only and does not benefit from encryption. @@ -51,7 +51,7 @@ review the following guidances relevant to your deployment: Upgrade to **Consul version 1.13.1 or later**. -Consul 1.13.0 contains a bug that prevents Consul server agents from restoring +Consul 1.13.0 contains a bug that prevents Consul server agents from restoring saved state on startup if the state 1. was generated before Consul 1.13 (such as during an upgrade), and 
@@ -61,25 +61,22 @@ This bug is fixed in Consul versions 1.13.1 and newer. #### Service mesh deployments using auto-encrypt or auto-config -**Do not upgrade to Consul 1.13 yet** if using +Upgrade to **Consul version 1.13.2 or later** if using [auto-encrypt](/docs/agent/config/config-files#auto_encrypt) or [auto-config](/docs/agent/config/config-files#auto_config). -In Consul 1.13, auto-encrypt and auto-config both cause Consul +In Consul 1.13.0 - 1.13.1, auto-encrypt and auto-config both cause Consul to require TLS for gRPC communication with Envoy proxies. In environments where Envoy proxies are not already configured -to use TLS for gRPC, upgrading Consul 1.13 will cause +to use TLS for gRPC, upgrading to Consul 1.13.0 - 1.13.1 will cause Envoy proxies to disconnect from the control plane (Consul agents). -The underlying cause is the same as discussed in -[deployments without the HTTPS port enabled on Consul agents](#service-mesh-deployments-without-the-https-port-enabled-on-consul-agents). -However, when using auto-encrypt or auto-config, -the problem **cannot** currently be avoided by -[modifying the agent's TLS configuration](#modify-the-consul-agent-s-tls-configuration) -because auto-encrypt and auto-config automatically set -interface-generic TLS configuration in a manner similar to -[`tls.defaults`](/docs/agent/config/config-files#tls_defaults). -We are working to address this problem in an upcoming 1.13 patch release. +If upgrading to version 1.13.2 or later, you must enable +[tls.grpc.use_auto_cert](/docs/agent/config/config-files#use_auto_cert) +if you currently rely on Consul agents presenting the auto-encrypt or +auto-config certs as the TLS server certs on the gRPC port. +The new `use_auto_cert` flag enables TLS for gRPC based on the presence +of auto-encrypt certs. #### Service mesh deployments without the HTTPS port enabled on Consul agents ((#grpc-tls))
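Review bot: In the `@@ -27,9 +27,9 @@` hunk, the re-added lines still split the `ports.grpc` link target across a line break ("(/docs/agent/config/config-" ends one line and "files#grpc_port)" starts the next). A Markdown link destination cannot span a line break, so this link will not resolve to `/docs/agent/config/config-files#grpc_port`. The three lines are rewritten here with no visible text change, so this is a good place to rejoin the URL on one line and re-wrap the paragraph around it.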
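Review bot: The paragraph added at the end of the `@@ -61,25 +61,22 @@` hunk says readers "must enable" `tls.grpc.use_auto_cert` but never states the flag's default or what the gRPC port does when it is left unset. An operator who relies on auto-encrypt or auto-config certs for gRPC TLS therefore cannot tell from this text whether skipping the flag leaves the Envoy-to-agent channel encrypted. Suggest adding one sentence that gives the default and the resulting behaviour of the gRPC port for agents that hold auto-encrypt or auto-config certs but do not set the flag. Two smaller points in the same paragraph: the closing sentence says the flag acts "based on the presence of auto-encrypt certs" while the sentence before it covers both auto-encrypt and auto-config certs, so the two should agree. The link text `[tls.grpc.use_auto_cert]` is also missing the backticks used for `ports.grpc_tls` and `ports.grpc` earlier in this file.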