mirror of https://github.com/status-im/consul.git
update config defaults, add docs (#15302)
* update config defaults, add docs * update grpc tls port for non-default values * add changelog * Update website/content/docs/upgrading/upgrade-specific.mdx Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com> * Update website/content/docs/agent/config/config-files.mdx Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com> * update logic for setting grpc tls port value * move default config to default.go, update changelog * update docs * Fix config tests. * Fix linter error. * Fix ConnectCA tests. * Cleanup markdown on upgrade notes. Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com> Co-authored-by: Derek Menteer <derek.menteer@hashicorp.com>
This commit is contained in:
parent
c340922991
commit
b9a9e1219c
|
@ -0,0 +1,7 @@
|
|||
```release-note:breaking-change
|
||||
config: update 1.14 config defaults: Enable `peering` and `connect` by default.
|
||||
```
|
||||
|
||||
```release-note:breaking-change
|
||||
config: update 1.14 config defaults: Set gRPC TLS port default value to 8503
|
||||
```
|
|
@ -436,6 +436,10 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
|
|||
serverPort := b.portVal("ports.server", c.Ports.Server)
|
||||
grpcPort := b.portVal("ports.grpc", c.Ports.GRPC)
|
||||
grpcTlsPort := b.portVal("ports.grpc_tls", c.Ports.GRPCTLS)
|
||||
// default gRPC TLS port for servers is 8503
|
||||
if c.Ports.GRPCTLS == nil && boolVal(c.ServerMode) {
|
||||
grpcTlsPort = 8503
|
||||
}
|
||||
serfPortLAN := b.portVal("ports.serf_lan", c.Ports.SerfLAN)
|
||||
serfPortWAN := b.portVal("ports.serf_wan", c.Ports.SerfWAN)
|
||||
proxyMinPort := b.portVal("ports.proxy_min_port", c.Ports.ProxyMinPort)
|
||||
|
|
|
@ -139,6 +139,14 @@ func DefaultSource() Source {
|
|||
xds {
|
||||
update_max_per_second = 250
|
||||
}
|
||||
|
||||
connect = {
|
||||
enabled = true
|
||||
}
|
||||
|
||||
peering = {
|
||||
enabled = true
|
||||
}
|
||||
`,
|
||||
}
|
||||
}
|
||||
|
@ -176,6 +184,11 @@ func DevSource() Source {
|
|||
connect = {
|
||||
enabled = true
|
||||
}
|
||||
|
||||
peering = {
|
||||
enabled = true
|
||||
}
|
||||
|
||||
performance = {
|
||||
raft_multiplier = 1
|
||||
}
|
||||
|
|
|
@ -5,6 +5,7 @@ package config
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
|
@ -70,6 +71,8 @@ func TestLoad_IntegrationWithFlags_OSS(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
},
|
||||
}
|
||||
|
|
|
@ -9,6 +9,7 @@ import (
|
|||
"fmt"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"net/netip"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"reflect"
|
||||
|
@ -57,6 +58,8 @@ func (tc testCase) source(format string) []string {
|
|||
return tc.json
|
||||
}
|
||||
|
||||
var defaultGrpcTlsAddr = net.TCPAddrFromAddrPort(netip.MustParseAddrPort("127.0.0.1:8503"))
|
||||
|
||||
// TestConfigFlagsAndEdgecases tests the command line flags and
|
||||
// edgecases for the config parsing. It provides a test structure which
|
||||
// checks for warnings on deprecated fields and flags. These tests
|
||||
|
@ -184,6 +187,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
expectedWarnings: []string{"bootstrap = true: do not enable unless necessary"},
|
||||
})
|
||||
|
@ -202,6 +207,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
expectedWarnings: []string{"bootstrap_expect > 0: expecting 3 servers"},
|
||||
})
|
||||
|
@ -348,6 +355,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.GRPCPort = 8502
|
||||
rt.GRPCAddrs = []net.Addr{tcpAddr("127.0.0.1:8502")}
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -669,6 +678,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -853,6 +864,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -1893,6 +1906,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
expectedWarnings: []string{"BootstrapExpect is set to 1; this is the same as Bootstrap mode.", "bootstrap = true: do not enable unless necessary"},
|
||||
})
|
||||
|
@ -1911,6 +1926,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
expectedWarnings: []string{
|
||||
`bootstrap_expect = 2: A cluster with 2 servers will provide no failure tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`,
|
||||
|
@ -1932,6 +1949,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
expectedWarnings: []string{
|
||||
`bootstrap_expect is even number: A cluster with an even number of servers does not achieve optimum fault tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`,
|
||||
|
@ -3106,6 +3125,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -3138,6 +3159,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -3167,6 +3190,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -3193,6 +3218,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -3239,6 +3266,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.TLS.ServerMode = true
|
||||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -3658,6 +3687,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
|
||||
|
@ -5082,6 +5113,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.TLS.InternalRPC.CertFile = "foo"
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
// UI Config tests
|
||||
|
|
|
@ -1615,7 +1615,10 @@ func TestAPI_AgentConnectCARoots_empty(t *testing.T) {
|
|||
t.Parallel()
|
||||
|
||||
c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) {
|
||||
c.Connect = nil // disable connect to prevent CA being bootstrapped
|
||||
// Explicitly disable Connect to prevent CA being bootstrapped
|
||||
c.Connect = map[string]interface{}{
|
||||
"enabled": false,
|
||||
}
|
||||
})
|
||||
defer s.Stop()
|
||||
|
||||
|
|
|
@ -14,8 +14,10 @@ func TestAPI_ConnectCARoots_empty(t *testing.T) {
|
|||
t.Parallel()
|
||||
|
||||
c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) {
|
||||
// Don't bootstrap CA
|
||||
c.Connect = nil
|
||||
// Explicitly disable Connect to prevent CA being bootstrapped
|
||||
c.Connect = map[string]interface{}{
|
||||
"enabled": false,
|
||||
}
|
||||
})
|
||||
defer s.Stop()
|
||||
|
||||
|
|
|
@ -556,7 +556,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
|
||||
The following sub-keys are available:
|
||||
|
||||
- `enabled` ((#peering_enabled)) (Defaults to `false`) Controls whether cluster peering is enabled.
|
||||
- `enabled` ((#peering_enabled)) (Defaults to `true`) Controls whether cluster peering is enabled.
|
||||
When disabled, the UI won't show peering, all peering APIs will return
|
||||
an error, any peerings stored in Consul already will be ignored (but they will not be deleted),
|
||||
and all peering connections from other clusters will be rejected. This was added in Consul 1.13.0.
|
||||
|
@ -610,8 +610,8 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
in `-dev` mode. The `grpc` port currently supports either plaintext or TLS traffic for
|
||||
backwards-compatibility, but TLS support is deprecated and will be removed in a future
|
||||
release. Refer to `grpc_tls` for more information on configuring a TLS-enabled port.
|
||||
- `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. Default -1 (disabled).
|
||||
**We recommend using `8502` for `grpc_tls`** as your conventional gRPC port number, as it allows some
|
||||
- `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. gRPC_TLS is enabled by default on port 8503 for Consul servers.
|
||||
**We recommend using `8503` for `grpc_tls`** as your conventional gRPC port number, as it allows some
|
||||
tools to work automatically. `grpc_tls` is always guaranteed to be encrypted. Both `grpc` and `grpc_tls`
|
||||
can be configured at the same time, but they may not utilize the same port number. If both `grpc` and
|
||||
`grpc_tls` are defined, then `grpc` will always be plaintext. This field was added in Consul 1.14.
|
||||
|
@ -1061,7 +1061,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
|
||||
The following sub-keys are available:
|
||||
|
||||
- `enabled` ((#connect_enabled)) (Defaults to `false`) Controls whether Connect features are
|
||||
- `enabled` ((#connect_enabled)) (Defaults to `true`) Controls whether Connect features are
|
||||
enabled on this agent. Should be enabled on all servers in the cluster
|
||||
in order for Connect to function properly.
|
||||
Will be set to `true` automatically if `auto_config.enabled` or `auto_encrypt.allow_tls` is `true`.
|
||||
|
@ -2212,10 +2212,10 @@ default will automatically work with some tooling.
|
|||
|
||||
- `xds`: This object allows you to configure the behavior of Consul's
|
||||
[xDS protocol](https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol)
|
||||
server.
|
||||
server.
|
||||
|
||||
- `update_max_per_second`: Specifies the number of proxy configuration updates across all connected xDS streams that are allowed per second. This configuration prevents updates to global resources, such as wildcard intentions, from consuming system resources at the expense of other processes, such as Raft and Gossip, which could cause general cluster instability.
|
||||
|
||||
The default value is `250`. It is based on a load test of 5,000 streams connected to a single server with two CPU cores.
|
||||
The default value is `250`. It is based on a load test of 5,000 streams connected to a single server with two CPU cores.
|
||||
|
||||
If necessary, you can lower or increase the limit without a rolling restart by using the `consul reload` command or by sending the server a `SIGHUP`.
|
||||
If necessary, you can lower or increase the limit without a rolling restart by using the `consul reload` command or by sending the server a `SIGHUP`.
|
||||
|
|
|
@ -17,6 +17,12 @@ upgrade flow.
|
|||
## Consul 1.14.x
|
||||
|
||||
### Service Mesh Compatibility
|
||||
Prior to Consul 1.14, cluster peering or Consul connect were disabled by default.
|
||||
A breaking change was made in Consul 1.14 that:
|
||||
- [Cluster Peering is enabled by default.](/docs/connect/cluster-peering) To disable, set
|
||||
[`peering.enabled`](/docs/agent/config/config-files#peering_enabled) to `false`.
|
||||
- [Consul Connect is enabled by default.](/docs/connect) To disable, set
|
||||
[`connect.enabled`](/docs/agent/config/config-files#connect_enabled) to `false`.
|
||||
|
||||
##### Changes to gRPC TLS configuration
|
||||
|
||||
|
@ -30,7 +36,8 @@ Prior to Consul 1.14, it was possible to encrypt communication between Consul an
|
|||
Consul 1.14 introduces [`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port), a new configuration
|
||||
for encrypting communication over gRPC. The existing [`ports.grpc`](/docs/agent/config/config-
|
||||
files#grpc_port) configuration **will stop supporting encryption in a future release**. As of version 1.14,
|
||||
`ports.grpc_tls` is the recommended configuration to encrypt gRPC traffic.
|
||||
[`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port) is the recommended configuration to encrypt gRPC traffic.
|
||||
The default value for gRPC TLS port is 8503 for Consul servers. To disable the gRPC TLS port, use value -1.
|
||||
|
||||
For most environments, the Envoy communication to Consul is loop-back only and does not benefit from encryption.
|
||||
|
||||
|
|
Loading…
Reference in New Issue