Add known issue for GH-20360. (#20420)

This commit is contained in:
Derek Menteer 2024-02-01 15:29:46 -06:00 committed by GitHub
parent 24a7b17a6f
commit 70575760c7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 30 additions and 0 deletions

View File

@ -1,4 +1,9 @@
## 1.17.2 (January 23, 2024) ## 1.17.2 (January 23, 2024)
KNOWN ISSUES:
* connect: Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6. [[GH-20360](https://github.com/hashicorp/consul/issues/20360)]
SECURITY: SECURITY:
* Upgrade OpenShift container images to use `ubi9-minimal:9.3` as the base image. [[GH-20014](https://github.com/hashicorp/consul/issues/20014)] * Upgrade OpenShift container images to use `ubi9-minimal:9.3` as the base image. [[GH-20014](https://github.com/hashicorp/consul/issues/20014)]
@ -163,6 +168,10 @@ BUG FIXES:
## 1.16.5 (January 23, 2024) ## 1.16.5 (January 23, 2024)
KNOWN ISSUES:
* connect: Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].
SECURITY: SECURITY:
* Update RSA key generation to use a key size of at least 2048 bits. [[GH-20112](https://github.com/hashicorp/consul/issues/20112)] * Update RSA key generation to use a key size of at least 2048 bits. [[GH-20112](https://github.com/hashicorp/consul/issues/20112)]

View File

@ -68,6 +68,11 @@ For more detailed information, please refer to the [upgrade details page](/consu
The following issues are known to exist in the v1.16.x releases: The following issues are known to exist in the v1.16.x releases:
- v1.16.5 - Excessively strict TLS SAN verification is performed by terminating gateways,
which prevents connections outside of the mesh to upstream services. Terminating gateway
users are advised to avoid deploying these Consul versions. A fix will be present in a future
release of Consul 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].
- v1.16.0 - v1.16.1 may have issues when a snapshot restore is performed - v1.16.0 - v1.16.1 may have issues when a snapshot restore is performed
and the servers are hosting xDS streams. When this bug triggers, it and the servers are hosting xDS streams. When this bug triggers, it
will cause Envoy to incorrectly populate upstream endpoints. It is will cause Envoy to incorrectly populate upstream endpoints. It is

View File

@ -74,6 +74,15 @@ We are pleased to announce the following Consul updates.
For more detailed information, please refer to the [upgrade details page](/consul/docs/upgrading/upgrade-specific) and the changelogs. For more detailed information, please refer to the [upgrade details page](/consul/docs/upgrading/upgrade-specific) and the changelogs.
## Known Issues
The following issues are known to exist in the v1.17.x releases:
- v1.17.2 - Excessively strict TLS SAN verification is performed by terminating gateways,
which prevents connections outside of the mesh to upstream services. Terminating gateway
users are advised to avoid deploying these Consul versions. A fix will be present in a future
release of Consul 1.17.3 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].
## Changelogs ## Changelogs
The changelogs for this major release version and any maintenance versions are listed below. The changelogs for this major release version and any maintenance versions are listed below.

View File

@ -15,6 +15,11 @@ This page is used to document those details separately from the standard
upgrade flow. upgrade flow.
## Consul 1.17.x ## Consul 1.17.x
### Known issues
Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].
#### Audit Log naming changes (Enterprise) #### Audit Log naming changes (Enterprise)
Prior to Consul 1.17.0, audit logs contained timestamps on both the original log file names as well as rotated log file names. Prior to Consul 1.17.0, audit logs contained timestamps on both the original log file names as well as rotated log file names.
After Consul 1.17.0, only timestamps will be included in rotated log file names. After Consul 1.17.0, only timestamps will be included in rotated log file names.
@ -34,6 +39,8 @@ service-defaults are configured in each partition and namespace before upgrading
### Known issues ### Known issues
Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].
Service mesh in Consul versions 1.16.0 and 1.16.1 may have issues when a snapshot restore is performed and the servers are hosting xDS streams. Service mesh in Consul versions 1.16.0 and 1.16.1 may have issues when a snapshot restore is performed and the servers are hosting xDS streams.
When this bug triggers, it causes Envoy to incorrectly populate upstream endpoints. To prevent this issue, service mesh users who run agent-less workloads should upgrade Consul to v1.16.2 or later. When this bug triggers, it causes Envoy to incorrectly populate upstream endpoints. To prevent this issue, service mesh users who run agent-less workloads should upgrade Consul to v1.16.2 or later.