Add known issue for GH-20360. (#20420)

2024-02-01 15:29:46 -06:00 · 2024-02-01 15:29:46 -06:00 · 70575760c7
parent 24a7b17a6f
commit 70575760c7
4 changed files with 30 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,4 +1,9 @@
 ## 1.17.2 (January 23, 2024)
+
+KNOWN ISSUES:
+
+* connect: Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6. [[GH-20360](https://github.com/hashicorp/consul/issues/20360)]
+
 SECURITY:

 * Upgrade OpenShift container images to use `ubi9-minimal:9.3` as the base image. [[GH-20014](https://github.com/hashicorp/consul/issues/20014)]
@ -163,6 +168,10 @@ BUG FIXES:

 ## 1.16.5 (January 23, 2024)

+KNOWN ISSUES:
+
+* connect: Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].
+
 SECURITY:

 * Update RSA key generation to use a key size of at least 2048 bits. [[GH-20112](https://github.com/hashicorp/consul/issues/20112)]
--- a/website/content/docs/release-notes/consul/v1_16_x.mdx
+++ b/website/content/docs/release-notes/consul/v1_16_x.mdx
@ -68,6 +68,11 @@ For more detailed information, please refer to the [upgrade details page](/consu

 The following issues are known to exist in the v1.16.x releases:

+- v1.16.5 - Excessively strict TLS SAN verification is performed by terminating gateways,
+    which prevents connections outside of the mesh to upstream services. Terminating gateway
+    users are advised to avoid deploying these Consul versions. A fix will be present in a future
+    release of Consul 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].
+
 - v1.16.0 - v1.16.1 may have issues when a snapshot restore is performed
    and the servers are hosting xDS streams. When this bug triggers, it
    will cause Envoy to incorrectly populate upstream endpoints. It is
--- a/website/content/docs/release-notes/consul/v1_17_x.mdx
+++ b/website/content/docs/release-notes/consul/v1_17_x.mdx
@ -74,6 +74,15 @@ We are pleased to announce the following Consul updates.

 For more detailed information, please refer to the [upgrade details page](/consul/docs/upgrading/upgrade-specific) and the changelogs.

+## Known Issues
+
+The following issues are known to exist in the v1.17.x releases:
+
+- v1.17.2 - Excessively strict TLS SAN verification is performed by terminating gateways,
+    which prevents connections outside of the mesh to upstream services. Terminating gateway
+    users are advised to avoid deploying these Consul versions. A fix will be present in a future
+    release of Consul 1.17.3 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].
+
 ## Changelogs

 The changelogs for this major release version and any maintenance versions are listed below.
--- a/website/content/docs/upgrading/upgrade-specific.mdx
+++ b/website/content/docs/upgrading/upgrade-specific.mdx
@ -15,6 +15,11 @@ This page is used to document those details separately from the standard
 upgrade flow.

 ## Consul 1.17.x
+
+### Known issues
+
+Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].
+
 #### Audit Log naming changes (Enterprise)
 Prior to Consul 1.17.0, audit logs contained timestamps on both the original log file names as well as rotated log file names.
 After Consul 1.17.0, only timestamps will be included in rotated log file names.
@ -34,6 +39,8 @@ service-defaults are configured in each partition and namespace before upgrading

 ### Known issues

+Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].
+
 Service mesh in Consul versions 1.16.0 and 1.16.1 may have issues when a snapshot restore is performed and the servers are hosting xDS streams.
 When this bug triggers, it causes Envoy to incorrectly populate upstream endpoints. To prevent this issue, service mesh users who run agent-less workloads should upgrade Consul to v1.16.2 or later.