From 70575760c7114c2b9156aba29acee2cd952746c5 Mon Sep 17 00:00:00 2001 From: Derek Menteer <105233703+hashi-derek@users.noreply.github.com> Date: Thu, 1 Feb 2024 15:29:46 -0600 Subject: [PATCH] Add known issue for GH-20360. (#20420) --- CHANGELOG.md | 9 +++++++++ website/content/docs/release-notes/consul/v1_16_x.mdx | 5 +++++ website/content/docs/release-notes/consul/v1_17_x.mdx | 9 +++++++++ website/content/docs/upgrading/upgrade-specific.mdx | 7 +++++++ 4 files changed, 30 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 08d2948af9..3db9807286 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,9 @@ ## 1.17.2 (January 23, 2024) + +KNOWN ISSUES: + +* connect: Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6. [[GH-20360](https://github.com/hashicorp/consul/issues/20360)] + SECURITY: * Upgrade OpenShift container images to use `ubi9-minimal:9.3` as the base image. [[GH-20014](https://github.com/hashicorp/consul/issues/20014)] @@ -163,6 +168,10 @@ BUG FIXES: ## 1.16.5 (January 23, 2024) +KNOWN ISSUES: + +* connect: Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)]. + SECURITY: * Update RSA key generation to use a key size of at least 2048 bits. [[GH-20112](https://github.com/hashicorp/consul/issues/20112)] 
diff --git a/website/content/docs/release-notes/consul/v1_16_x.mdx b/website/content/docs/release-notes/consul/v1_16_x.mdx index b623ba299c..1d5362d9a9 100644 --- a/website/content/docs/release-notes/consul/v1_16_x.mdx +++ b/website/content/docs/release-notes/consul/v1_16_x.mdx @@ -68,6 +68,11 @@ For more detailed information, please refer to the [upgrade details page](/consu The following issues are known to exist in the v1.16.x releases: +- v1.16.5 - Excessively strict TLS SAN verification is performed by terminating gateways, + which prevents connections outside of the mesh to upstream services. Terminating gateway + users are advised to avoid deploying these Consul versions. A fix will be present in a future + release of Consul 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)]. + - v1.16.0 - v1.16.1 may have issues when a snapshot restore is performed and the servers are hosting xDS streams. When this bug triggers, it will cause Envoy to incorrectly populate upstream endpoints. It is diff --git a/website/content/docs/release-notes/consul/v1_17_x.mdx b/website/content/docs/release-notes/consul/v1_17_x.mdx index caa7c0a1a5..f05576d252 100644 --- a/website/content/docs/release-notes/consul/v1_17_x.mdx +++ b/website/content/docs/release-notes/consul/v1_17_x.mdx 
@@ -74,6 +74,15 @@ We are pleased to announce the following Consul updates. For more detailed information, please refer to the [upgrade details page](/consul/docs/upgrading/upgrade-specific) and the changelogs. +## Known Issues + +The following issues are known to exist in the v1.17.x releases: + +- v1.17.2 - Excessively strict TLS SAN verification is performed by terminating gateways, + which prevents connections outside of the mesh to upstream services. Terminating gateway + users are advised to avoid deploying these Consul versions. A fix will be present in a future + release of Consul 1.17.3 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)]. + ## Changelogs The changelogs for this major release version and any maintenance versions are listed below. diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 57edda52da..36eaf0b942 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -15,6 +15,11 @@ This page is used to document those details separately from the standard upgrade flow. ## Consul 1.17.x + +### Known issues + +Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)]. + #### Audit Log naming changes (Enterprise) Prior to Consul 1.17.0, audit logs contained timestamps on both the original log file names as well as rotated log file names. After Consul 1.17.0, only timestamps will be included in rotated log file names. 
@@ -34,6 +39,8 @@ service-defaults are configured in each partition and namespace before upgrading ### Known issues +Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)]. + Service mesh in Consul versions 1.16.0 and 1.16.1 may have issues when a snapshot restore is performed and the servers are hosting xDS streams. When this bug triggers, it causes Envoy to incorrectly populate upstream endpoints. To prevent this issue, service mesh users who run agent-less workloads should upgrade Consul to v1.16.2 or later.
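Review bot: In CHANGELOG.md the two added KNOWN ISSUES entries punctuate the issue link differently. The 1.17.2 entry ends the sentence before the link ("... 1.17.3 and 1.16.6. [[GH-20360](...)]"), while the 1.16.5 entry puts the period after it ("... 1.17.3 and 1.16.6 [[GH-20360](...)]."). The SECURITY entries visible as context in both hunks end the sentence before the link, so the 1.16.5 entry should match that form. In both entries "a future release of Consul 1.17.3 and 1.16.6" reads as though those were release lines; "A fix will be present in Consul 1.17.3 and 1.16.6" says the same thing without the ambiguity.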
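Review bot: In the v1_16_x.mdx hunk the new bullet names a single release ("v1.16.5") but then says "avoid deploying these Consul versions", a leftover from the two-version CHANGELOG sentence. Either say "this Consul version" or name 1.17.2 alongside 1.16.5 so the plural has a referent. The v1.17.2 bullet added in v1_17_x.mdx has the same mismatch and needs the same fix.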
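Review bot: The heading added in the v1_17_x.mdx hunk is "## Known Issues", while the heading this same patch adds in upgrade-specific.mdx is "### Known issues". Pick one capitalization, preferably whichever the existing Known Issues section in v1_16_x.mdx uses, so that anchors and cross-links to the section are predictable across the release-notes pages.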
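Review bot: In the first upgrade-specific.mdx hunk (@@ -15,6 +15,11 @@) the new "### Known issues" heading is inserted directly above the existing "#### Audit Log naming changes (Enterprise)" heading, so the audit-log section, being one level deeper, now renders as a subsection of Known issues. Move the Known issues block below the level-four sections under "## Consul 1.17.x", or adjust the heading levels so that the audit-log change remains a direct child of the 1.17.x section.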
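Review bot: The paragraph added under the existing "### Known issues" heading in the second upgrade-specific.mdx hunk (@@ -34,6 +39,8 @@) gives no guidance for operators who are already running 1.17.2 or 1.16.5. It only advises terminating gateway users "to avoid deploying these Consul versions", whereas the neighbouring 1.16.0/1.16.1 entry in the same section ends with a concrete action ("should upgrade Consul to v1.16.2 or later"). Since this is the upgrade page, add a sentence stating what affected users should do until 1.17.3 and 1.16.6 are released. It would also help to state the symptom an operator would observe, since "excessively strict TLS SAN verification" alone does not tell a reader how to recognize that they are affected.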