From 0d4b11c01be208d360ad46296c4df8a7602cac62 Mon Sep 17 00:00:00 2001 From: freddygv Date: Tue, 18 Oct 2022 09:38:16 -0600 Subject: [PATCH 1/9] Update upgrade docs for 1.13.2. In 1.13.2 we added a new flag called use_auto_cert to address issues previously documented in the upgrade guide. Originally there was no way to disable TLS for gRPC when auto-encrypt was in use, because TLS was enabled for gRPC due to the presence of auto-encrypt certs. As of 1.13.2, using auto-encrypt certs as the signal to enable TLS for gRPC is opt-in only. Meaning that if anyone who had upgraded to 1.13 relied on that side-effect, they now need to explicitly configure it. --- .../docs/upgrading/upgrade-specific.mdx | 33 +++++++++---------- 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index d9baf4f4ec..0423e49a1b 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -27,9 +27,9 @@ upgrade flow. Prior to Consul 1.14, it was possible to encrypt communication between Consul and Envoy over `ports.grpc` using these settings. -Consul 1.14 introduces [`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port), a new configuration -for encrypting communication over gRPC. The existing [`ports.grpc`](/docs/agent/config/config- -files#grpc_port) configuration **will stop supporting encryption in a future release**. As of version 1.14, +Consul 1.14 introduces [`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port), a new configuration +for encrypting communication over gRPC. The existing [`ports.grpc`](/docs/agent/config/config- +files#grpc_port) configuration **will stop supporting encryption in a future release**. As of version 1.14, `ports.grpc_tls` is the recommended configuration to encrypt gRPC traffic. For most environments, the Envoy communication to Consul is loop-back only and does not benefit from encryption. @@ -51,7 +51,7 @@ review the following guidances relevant to your deployment: Upgrade to **Consul version 1.13.1 or later**. -Consul 1.13.0 contains a bug that prevents Consul server agents from restoring +Consul 1.13.0 contains a bug that prevents Consul server agents from restoring saved state on startup if the state 1. was generated before Consul 1.13 (such as during an upgrade), and @@ -61,25 +61,22 @@ This bug is fixed in Consul versions 1.13.1 and newer. #### Service mesh deployments using auto-encrypt or auto-config -**Do not upgrade to Consul 1.13 yet** if using -[auto-encrypt](/docs/agent/config/config-files#auto_encrypt) or -[auto-config](/docs/agent/config/config-files#auto_config). +Upgrade to **Consul version 1.13.2 or later**. -In Consul 1.13, auto-encrypt and auto-config both cause Consul +In Consul 1.13.1, auto-encrypt and auto-config both cause Consul to require TLS for gRPC communication with Envoy proxies. In environments where Envoy proxies are not already configured -to use TLS for gRPC, upgrading Consul 1.13 will cause +to use TLS for gRPC, upgrading Consul 1.13.1 will cause Envoy proxies to disconnect from the control plane (Consul agents). -The underlying cause is the same as discussed in -[deployments without the HTTPS port enabled on Consul agents](#service-mesh-deployments-without-the-https-port-enabled-on-consul-agents). -However, when using auto-encrypt or auto-config, -the problem **cannot** currently be avoided by -[modifying the agent's TLS configuration](#modify-the-consul-agent-s-tls-configuration) -because auto-encrypt and auto-config automatically set -interface-generic TLS configuration in a manner similar to -[`tls.defaults`](/docs/agent/config/config-files#tls_defaults). -We are working to address this problem in an upcoming 1.13 patch release. +If upgrading to version 1.13.2 from 1.13.1 you must enable +[tls.grpc.use_auto_cert](https://developer.hashicorp.com/consul/docs/agent/config/config-files#use_auto_cert) +if you currently use the Connect CA and auto-encrypt certs for TLS +on the gRPC port, and do not have certificates configured via +[tls.grpc](https://developer.hashicorp.com/consul/docs/agent/config/config-files#tls_grpc) +or [tls.defaults](https://developer.hashicorp.com/consul/docs/agent/config/config-files#tls_defaults). +The new `use_auto_cert` flag enables TLS for gRPC based on the presence +of auto-encrypt certs. #### Service mesh deployments without the HTTPS port enabled on Consul agents ((#grpc-tls)) From ef2127ec5138617ddfc267fd8106d328cecbf721 Mon Sep 17 00:00:00 2001 From: freddygv Date: Tue, 18 Oct 2022 10:12:45 -0600 Subject: [PATCH 2/9] Fixup links --- website/content/docs/upgrading/upgrade-specific.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 0423e49a1b..140f5e7ab5 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -70,11 +70,11 @@ to use TLS for gRPC, upgrading Consul 1.13.1 will cause Envoy proxies to disconnect from the control plane (Consul agents). If upgrading to version 1.13.2 from 1.13.1 you must enable -[tls.grpc.use_auto_cert](https://developer.hashicorp.com/consul/docs/agent/config/config-files#use_auto_cert) +[tls.grpc.use_auto_cert](/docs/agent/config/config-files#use_auto_cert) if you currently use the Connect CA and auto-encrypt certs for TLS on the gRPC port, and do not have certificates configured via -[tls.grpc](https://developer.hashicorp.com/consul/docs/agent/config/config-files#tls_grpc) -or [tls.defaults](https://developer.hashicorp.com/consul/docs/agent/config/config-files#tls_defaults). +[tls.grpc](/docs/agent/config/config-files#tls_grpc) +or [tls.defaults](/docs/agent/config/config-files#tls_defaults). The new `use_auto_cert` flag enables TLS for gRPC based on the presence of auto-encrypt certs. From 8c6a8f0b2808e4e0d472c4c29ee02bd6a347c08c Mon Sep 17 00:00:00 2001 From: Freddy Date: Fri, 21 Oct 2022 15:15:22 -0600 Subject: [PATCH 3/9] Update website/content/docs/upgrading/upgrade-specific.mdx Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> --- website/content/docs/upgrading/upgrade-specific.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 140f5e7ab5..33d75e8a9d 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -61,7 +61,9 @@ This bug is fixed in Consul versions 1.13.1 and newer. #### Service mesh deployments using auto-encrypt or auto-config -Upgrade to **Consul version 1.13.2 or later**. +Upgrade to **Consul version 1.13.2 or later** if using +[auto-encrypt](/docs/agent/config/config-files#auto_encrypt) or +[auto-config](/docs/agent/config/config-files#auto_config). In Consul 1.13.1, auto-encrypt and auto-config both cause Consul to require TLS for gRPC communication with Envoy proxies. From 5944c28dd657d7cb0a0d457c70f1b2e687cd34a5 Mon Sep 17 00:00:00 2001 From: Freddy Date: Fri, 21 Oct 2022 15:15:29 -0600 Subject: [PATCH 4/9] Update website/content/docs/upgrading/upgrade-specific.mdx Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> --- website/content/docs/upgrading/upgrade-specific.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 33d75e8a9d..206d71c4f1 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -65,7 +65,7 @@ Upgrade to **Consul version 1.13.2 or later** if using [auto-encrypt](/docs/agent/config/config-files#auto_encrypt) or [auto-config](/docs/agent/config/config-files#auto_config). -In Consul 1.13.1, auto-encrypt and auto-config both cause Consul +In Consul 1.13.0 - 1.13.1, auto-encrypt and auto-config both cause Consul to require TLS for gRPC communication with Envoy proxies. In environments where Envoy proxies are not already configured to use TLS for gRPC, upgrading Consul 1.13.1 will cause From 21c6edcdc7be748e1035018fc22eb33bafa3ab01 Mon Sep 17 00:00:00 2001 From: Freddy Date: Fri, 21 Oct 2022 15:15:35 -0600 Subject: [PATCH 5/9] Update website/content/docs/upgrading/upgrade-specific.mdx Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> --- website/content/docs/upgrading/upgrade-specific.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 206d71c4f1..3cc0a264de 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -68,7 +68,7 @@ Upgrade to **Consul version 1.13.2 or later** if using In Consul 1.13.0 - 1.13.1, auto-encrypt and auto-config both cause Consul to require TLS for gRPC communication with Envoy proxies. In environments where Envoy proxies are not already configured -to use TLS for gRPC, upgrading Consul 1.13.1 will cause +to use TLS for gRPC, upgrading Consul Consul 1.13.0 - 1.13.1 will cause Envoy proxies to disconnect from the control plane (Consul agents). If upgrading to version 1.13.2 from 1.13.1 you must enable From 50709e60d4d18eca1ad202cdec77a63026c82d45 Mon Sep 17 00:00:00 2001 From: freddygv Date: Fri, 21 Oct 2022 15:27:39 -0600 Subject: [PATCH 6/9] Relax start version requirement --- website/content/docs/upgrading/upgrade-specific.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 3cc0a264de..40a6891b84 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -71,7 +71,7 @@ In environments where Envoy proxies are not already configured to use TLS for gRPC, upgrading Consul Consul 1.13.0 - 1.13.1 will cause Envoy proxies to disconnect from the control plane (Consul agents). -If upgrading to version 1.13.2 from 1.13.1 you must enable +If upgrading to version 1.13.2 you must also enable [tls.grpc.use_auto_cert](/docs/agent/config/config-files#use_auto_cert) if you currently use the Connect CA and auto-encrypt certs for TLS on the gRPC port, and do not have certificates configured via From d47006d27eee1faf3432df52595860c707ba288b Mon Sep 17 00:00:00 2001 From: Freddy Date: Fri, 21 Oct 2022 18:12:13 -0600 Subject: [PATCH 7/9] Update website/content/docs/upgrading/upgrade-specific.mdx Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> --- website/content/docs/upgrading/upgrade-specific.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 40a6891b84..c09f71bd06 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -68,7 +68,7 @@ Upgrade to **Consul version 1.13.2 or later** if using In Consul 1.13.0 - 1.13.1, auto-encrypt and auto-config both cause Consul to require TLS for gRPC communication with Envoy proxies. In environments where Envoy proxies are not already configured -to use TLS for gRPC, upgrading Consul Consul 1.13.0 - 1.13.1 will cause +to use TLS for gRPC, upgrading to Consul 1.13.0 - 1.13.1 will cause Envoy proxies to disconnect from the control plane (Consul agents). If upgrading to version 1.13.2 you must also enable From 415e4a501222d0d3461beab29e44d8d9371635ab Mon Sep 17 00:00:00 2001 From: Freddy Date: Fri, 21 Oct 2022 18:12:25 -0600 Subject: [PATCH 8/9] Update website/content/docs/upgrading/upgrade-specific.mdx Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> --- website/content/docs/upgrading/upgrade-specific.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index c09f71bd06..521fe5f4bb 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -71,7 +71,7 @@ In environments where Envoy proxies are not already configured to use TLS for gRPC, upgrading to Consul 1.13.0 - 1.13.1 will cause Envoy proxies to disconnect from the control plane (Consul agents). -If upgrading to version 1.13.2 you must also enable +If upgrading to version 1.13.2 or later, you must enable [tls.grpc.use_auto_cert](/docs/agent/config/config-files#use_auto_cert) if you currently use the Connect CA and auto-encrypt certs for TLS on the gRPC port, and do not have certificates configured via From 94ff34bbe47897482ec673fda96b2d37022be232 Mon Sep 17 00:00:00 2001 From: Freddy Date: Sat, 22 Oct 2022 15:49:57 -0600 Subject: [PATCH 9/9] Update website/content/docs/upgrading/upgrade-specific.mdx --- website/content/docs/upgrading/upgrade-specific.mdx | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 521fe5f4bb..77d61e4ff8 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -73,10 +73,8 @@ Envoy proxies to disconnect from the control plane (Consul agents). If upgrading to version 1.13.2 or later, you must enable [tls.grpc.use_auto_cert](/docs/agent/config/config-files#use_auto_cert) -if you currently use the Connect CA and auto-encrypt certs for TLS -on the gRPC port, and do not have certificates configured via -[tls.grpc](/docs/agent/config/config-files#tls_grpc) -or [tls.defaults](/docs/agent/config/config-files#tls_defaults). +if you currently rely on Consul agents presenting the auto-encrypt or +auto-config certs as the TLS server certs on the gRPC port. The new `use_auto_cert` flag enables TLS for gRPC based on the presence of auto-encrypt certs.