mirror of https://github.com/status-im/consul.git
Add documentation and changelog entry.
This commit is contained in:
parent
0ceec9017b
commit
ce99ccd390
|
@ -0,0 +1,6 @@
|
||||||
|
```release-note:breaking-change
|
||||||
|
config: Add new `ports.grpc_tls` configuration option.
|
||||||
|
Introduce a new port to better separate TLS config from the existing `ports.grpc` config.
|
||||||
|
The new `ports.grpc_tls` only supports TLS encrypted communication.
|
||||||
|
The existing `ports.grpc` currently supports both plain-text and tls communication, but tls support will be removed in a future release.
|
||||||
|
```
|
|
@ -608,6 +608,10 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
||||||
automatically with this. This is set to `8502` by default when the agent runs
|
automatically with this. This is set to `8502` by default when the agent runs
|
||||||
in `-dev` mode. Currently gRPC is only used to expose Envoy xDS API to Envoy
|
in `-dev` mode. Currently gRPC is only used to expose Envoy xDS API to Envoy
|
||||||
proxies.
|
proxies.
|
||||||
|
- `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. Default -1 (disabled).
|
||||||
|
**We recommend using `8502`** for `grpc_tls` by convention as some tooling will work
|
||||||
|
automatically with this. Usually only one of the `grpc_tls` or `grpc` ports should be defined.
|
||||||
|
Currently gRPC is only used to expose Envoy xDS API to Envoy proxies.
|
||||||
- `serf_lan` ((#serf_lan_port)) - The Serf LAN port. Default 8301. TCP
|
- `serf_lan` ((#serf_lan_port)) - The Serf LAN port. Default 8301. TCP
|
||||||
and UDP. Equivalent to the [`-serf-lan-port` command line flag](/docs/agent/config/cli-flags#_serf_lan_port).
|
and UDP. Equivalent to the [`-serf-lan-port` command line flag](/docs/agent/config/cli-flags#_serf_lan_port).
|
||||||
- `serf_wan` ((#serf_wan_port)) - The Serf WAN port. Default 8302.
|
- `serf_wan` ((#serf_wan_port)) - The Serf WAN port. Default 8302.
|
||||||
|
@ -2003,7 +2007,7 @@ specially crafted certificate signed by the CA can be used to gain full access t
|
||||||
interface.
|
interface.
|
||||||
|
|
||||||
- `grpc` ((#tls_grpc)) Provides settings for the gRPC/xDS interface. To enable
|
- `grpc` ((#tls_grpc)) Provides settings for the gRPC/xDS interface. To enable
|
||||||
the gRPC interface you must define a port via [`ports.grpc`](#grpc_port).
|
the gRPC interface you must define a port via [`ports.grpc_tls`](#grpc_tls_port).
|
||||||
|
|
||||||
- `ca_file` ((#tls_grpc_ca_file)) Overrides [`tls.defaults.ca_file`](#tls_defaults_ca_file).
|
- `ca_file` ((#tls_grpc_ca_file)) Overrides [`tls.defaults.ca_file`](#tls_defaults_ca_file).
|
||||||
|
|
||||||
|
|
|
@ -14,6 +14,32 @@ provided for their upgrades as a result of new features or changed behavior.
|
||||||
This page is used to document those details separately from the standard
|
This page is used to document those details separately from the standard
|
||||||
upgrade flow.
|
upgrade flow.
|
||||||
|
|
||||||
|
## Consul 1.14.x
|
||||||
|
|
||||||
|
### Service Mesh Compatibility
|
||||||
|
|
||||||
|
##### Changes to gRPC TLS configuration
|
||||||
|
|
||||||
|
**Configuration changes should be made** if using sidecar proxies or gateways
|
||||||
|
in conjunction with any of the following:
|
||||||
|
1. [`ports.https`](/docs/agent/config/config-files#https_port) - Encrypts gRPC in Consul 1.12 and prior
|
||||||
|
2. [`auto_encrypt`](/docs/agent/config/config-files#auto_encrypt) - Encrypts gRPC in Consul 1.13 and prior
|
||||||
|
3. [`auto_config`](/docs/agent/config/config-files#auto_config) - Encrypts gRPC in Consul 1.13 and prior
|
||||||
|
|
||||||
|
Prior to Consul 1.14, it was possible for communication between Consul and Envoy over `ports.grpc`
|
||||||
|
to be encrypted by one of these features.
|
||||||
|
|
||||||
|
In Consul 1.14, a new [`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port) configuration
|
||||||
|
is introduced. The existing [`ports.grpc`](/docs/agent/config/config-files#grpc_port) configuration
|
||||||
|
**will stop supporting encryption in a future release**. Now, the recommended way to encrypt gRPC
|
||||||
|
traffic is only via `ports.grpc_tls`.
|
||||||
|
|
||||||
|
For most environments, the Envoy communication to Consul is loop-back only and does not benefit from encryption.
|
||||||
|
|
||||||
|
If you would like to continue utilizing encryption for gRPC, change the existing `ports.grpc` to `ports.grpc_tls` in
|
||||||
|
your configuration during the upgrade to ensure compatibility with future releases.
|
||||||
|
|
||||||
|
|
||||||
## Consul 1.13.x
|
## Consul 1.13.x
|
||||||
|
|
||||||
### Service Mesh Compatibility
|
### Service Mesh Compatibility
|
||||||
|
|
Loading…
Reference in New Issue