update config defaults, add docs (#15302)

* update config defaults, add docs

* update grpc tls port for non-default values

* add changelog

* Update website/content/docs/upgrading/upgrade-specific.mdx

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>

* Update website/content/docs/agent/config/config-files.mdx

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>

* update logic for setting grpc tls port value

* move default config to default.go, update changelog

* update docs

* Fix config tests.

* Fix linter error.

* Fix ConnectCA tests.

* Cleanup markdown on upgrade notes.

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
Co-authored-by: Derek Menteer <derek.menteer@hashicorp.com>
This commit is contained in:
malizz 2022-11-09 09:29:55 -08:00 committed by GitHub
parent c340922991
commit b9a9e1219c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 83 additions and 11 deletions

7
.changelog/15302.txt Normal file
View File

@ -0,0 +1,7 @@
```release-note:breaking-change
config: update 1.14 config defaults: Enable `peering` and `connect` by default.
```
```release-note:breaking-change
config: update 1.14 config defaults: Set gRPC TLS port default value to 8503
```

View File

@ -436,6 +436,10 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
serverPort := b.portVal("ports.server", c.Ports.Server)
grpcPort := b.portVal("ports.grpc", c.Ports.GRPC)
grpcTlsPort := b.portVal("ports.grpc_tls", c.Ports.GRPCTLS)
// default gRPC TLS port for servers is 8503
if c.Ports.GRPCTLS == nil && boolVal(c.ServerMode) {
grpcTlsPort = 8503
}
serfPortLAN := b.portVal("ports.serf_lan", c.Ports.SerfLAN)
serfPortWAN := b.portVal("ports.serf_wan", c.Ports.SerfWAN)
proxyMinPort := b.portVal("ports.proxy_min_port", c.Ports.ProxyMinPort)

View File

@ -139,6 +139,14 @@ func DefaultSource() Source {
xds {
update_max_per_second = 250
}
connect = {
enabled = true
}
peering = {
enabled = true
}
`,
}
}
@ -176,6 +184,11 @@ func DevSource() Source {
connect = {
enabled = true
}
peering = {
enabled = true
}
performance = {
raft_multiplier = 1
}

View File

@ -5,6 +5,7 @@ package config
import (
"fmt"
"net"
"os"
"testing"
@ -70,6 +71,8 @@ func TestLoad_IntegrationWithFlags_OSS(t *testing.T) {
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
},
}

View File

@ -9,6 +9,7 @@ import (
"fmt"
"io/ioutil"
"net"
"net/netip"
"os"
"path/filepath"
"reflect"
@ -57,6 +58,8 @@ func (tc testCase) source(format string) []string {
return tc.json
}
var defaultGrpcTlsAddr = net.TCPAddrFromAddrPort(netip.MustParseAddrPort("127.0.0.1:8503"))
// TestConfigFlagsAndEdgecases tests the command line flags and
// edgecases for the config parsing. It provides a test structure which
// checks for warnings on deprecated fields and flags. These tests
@ -184,6 +187,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.SkipLeaveOnInt = true
rt.DataDir = dataDir
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
expectedWarnings: []string{"bootstrap = true: do not enable unless necessary"},
})
@ -202,6 +207,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.SkipLeaveOnInt = true
rt.DataDir = dataDir
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
expectedWarnings: []string{"bootstrap_expect > 0: expecting 3 servers"},
})
@ -348,6 +355,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.GRPCPort = 8502
rt.GRPCAddrs = []net.Addr{tcpAddr("127.0.0.1:8502")}
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
})
run(t, testCase{
@ -669,6 +678,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
})
run(t, testCase{
@ -853,6 +864,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.SkipLeaveOnInt = true
rt.DataDir = dataDir
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
})
run(t, testCase{
@ -1893,6 +1906,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.SkipLeaveOnInt = true
rt.DataDir = dataDir
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
expectedWarnings: []string{"BootstrapExpect is set to 1; this is the same as Bootstrap mode.", "bootstrap = true: do not enable unless necessary"},
})
@ -1911,6 +1926,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.SkipLeaveOnInt = true
rt.DataDir = dataDir
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
expectedWarnings: []string{
`bootstrap_expect = 2: A cluster with 2 servers will provide no failure tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`,
@ -1932,6 +1949,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.SkipLeaveOnInt = true
rt.DataDir = dataDir
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
expectedWarnings: []string{
`bootstrap_expect is even number: A cluster with an even number of servers does not achieve optimum fault tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`,
@ -3106,6 +3125,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
})
run(t, testCase{
@ -3138,6 +3159,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
})
run(t, testCase{
@ -3167,6 +3190,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
})
run(t, testCase{
@ -3193,6 +3218,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
})
run(t, testCase{
@ -3239,6 +3266,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.TLS.ServerMode = true
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
})
run(t, testCase{
@ -3658,6 +3687,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
})
@ -5082,6 +5113,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
rt.SkipLeaveOnInt = true
rt.TLS.InternalRPC.CertFile = "foo"
rt.RPCConfig.EnableStreaming = true
rt.GRPCTLSPort = 8503
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
},
})
// UI Config tests

View File

@ -1615,7 +1615,10 @@ func TestAPI_AgentConnectCARoots_empty(t *testing.T) {
t.Parallel()
c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) {
c.Connect = nil // disable connect to prevent CA being bootstrapped
// Explicitly disable Connect to prevent CA being bootstrapped
c.Connect = map[string]interface{}{
"enabled": false,
}
})
defer s.Stop()

View File

@ -14,8 +14,10 @@ func TestAPI_ConnectCARoots_empty(t *testing.T) {
t.Parallel()
c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) {
// Don't bootstrap CA
c.Connect = nil
// Explicitly disable Connect to prevent CA being bootstrapped
c.Connect = map[string]interface{}{
"enabled": false,
}
})
defer s.Stop()

View File

@ -556,7 +556,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
The following sub-keys are available:
- `enabled` ((#peering_enabled)) (Defaults to `false`) Controls whether cluster peering is enabled.
- `enabled` ((#peering_enabled)) (Defaults to `true`) Controls whether cluster peering is enabled.
When disabled, the UI won't show peering, all peering APIs will return
an error, any peerings stored in Consul already will be ignored (but they will not be deleted),
and all peering connections from other clusters will be rejected. This was added in Consul 1.13.0.
@ -610,8 +610,8 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
in `-dev` mode. The `grpc` port currently supports either plaintext or TLS traffic for
backwards-compatibility, but TLS support is deprecated and will be removed in a future
release. Refer to `grpc_tls` for more information on configuring a TLS-enabled port.
- `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. Default -1 (disabled).
**We recommend using `8502` for `grpc_tls`** as your conventional gRPC port number, as it allows some
- `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. gRPC_TLS is enabled by default on port 8503 for Consul servers.
**We recommend using `8503` for `grpc_tls`** as your conventional gRPC port number, as it allows some
tools to work automatically. `grpc_tls` is always guaranteed to be encrypted. Both `grpc` and `grpc_tls`
can be configured at the same time, but they may not utilize the same port number. If both `grpc` and
`grpc_tls` are defined, then `grpc` will always be plaintext. This field was added in Consul 1.14.
@ -1061,7 +1061,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
The following sub-keys are available:
- `enabled` ((#connect_enabled)) (Defaults to `false`) Controls whether Connect features are
- `enabled` ((#connect_enabled)) (Defaults to `true`) Controls whether Connect features are
enabled on this agent. Should be enabled on all servers in the cluster
in order for Connect to function properly.
Will be set to `true` automatically if `auto_config.enabled` or `auto_encrypt.allow_tls` is `true`.
@ -2212,10 +2212,10 @@ default will automatically work with some tooling.
- `xds`: This object allows you to configure the behavior of Consul's
[xDS protocol](https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol)
server.
server.
- `update_max_per_second`: Specifies the number of proxy configuration updates across all connected xDS streams that are allowed per second. This configuration prevents updates to global resources, such as wildcard intentions, from consuming system resources at the expense of other processes, such as Raft and Gossip, which could cause general cluster instability.
The default value is `250`. It is based on a load test of 5,000 streams connected to a single server with two CPU cores.
The default value is `250`. It is based on a load test of 5,000 streams connected to a single server with two CPU cores.
If necessary, you can lower or increase the limit without a rolling restart by using the `consul reload` command or by sending the server a `SIGHUP`.
If necessary, you can lower or increase the limit without a rolling restart by using the `consul reload` command or by sending the server a `SIGHUP`.

View File

@ -17,6 +17,12 @@ upgrade flow.
## Consul 1.14.x
### Service Mesh Compatibility
Prior to Consul 1.14, cluster peering or Consul connect were disabled by default.
A breaking change was made in Consul 1.14 that:
- [Cluster Peering is enabled by default.](/docs/connect/cluster-peering) To disable, set
[`peering.enabled`](/docs/agent/config/config-files#peering_enabled) to `false`.
- [Consul Connect is enabled by default.](/docs/connect) To disable, set
[`connect.enabled`](/docs/agent/config/config-files#connect_enabled) to `false`.
##### Changes to gRPC TLS configuration
@ -30,7 +36,8 @@ Prior to Consul 1.14, it was possible to encrypt communication between Consul an
Consul 1.14 introduces [`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port), a new configuration
for encrypting communication over gRPC. The existing [`ports.grpc`](/docs/agent/config/config-
files#grpc_port) configuration **will stop supporting encryption in a future release**. As of version 1.14,
`ports.grpc_tls` is the recommended configuration to encrypt gRPC traffic.
[`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port) is the recommended configuration to encrypt gRPC traffic.
The default value for gRPC TLS port is 8503 for Consul servers. To disable the gRPC TLS port, use value -1.
For most environments, the Envoy communication to Consul is loop-back only and does not benefit from encryption.