Add documentation and changelog entry.

This commit is contained in:
Derek Menteer 2022-08-23 12:11:56 -05:00
parent 0ceec9017b
commit ce99ccd390
3 changed files with 37 additions and 1 deletions

6
.changelog/14294.txt Normal file
View File

@ -0,0 +1,6 @@
```release-note:breaking-change
config: Add new `ports.grpc_tls` configuration option.
Introduce a new port to better separate TLS config from the existing `ports.grpc` config.
The new `ports.grpc_tls` only supports TLS encrypted communication.
The existing `ports.grpc` currently supports both plain-text and tls communication, but tls support will be removed in a future release.
```

View File

@ -608,6 +608,10 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
automatically with this. This is set to `8502` by default when the agent runs automatically with this. This is set to `8502` by default when the agent runs
in `-dev` mode. Currently gRPC is only used to expose Envoy xDS API to Envoy in `-dev` mode. Currently gRPC is only used to expose Envoy xDS API to Envoy
proxies. proxies.
- `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. Default -1 (disabled).
**We recommend using `8502`** for `grpc_tls` by convention as some tooling will work
automatically with this. Usually only one of the `grpc_tls` or `grpc` ports should be defined.
Currently gRPC is only used to expose Envoy xDS API to Envoy proxies.
- `serf_lan` ((#serf_lan_port)) - The Serf LAN port. Default 8301. TCP - `serf_lan` ((#serf_lan_port)) - The Serf LAN port. Default 8301. TCP
and UDP. Equivalent to the [`-serf-lan-port` command line flag](/docs/agent/config/cli-flags#_serf_lan_port). and UDP. Equivalent to the [`-serf-lan-port` command line flag](/docs/agent/config/cli-flags#_serf_lan_port).
- `serf_wan` ((#serf_wan_port)) - The Serf WAN port. Default 8302. - `serf_wan` ((#serf_wan_port)) - The Serf WAN port. Default 8302.
@ -2003,7 +2007,7 @@ specially crafted certificate signed by the CA can be used to gain full access t
interface. interface.
- `grpc` ((#tls_grpc)) Provides settings for the gRPC/xDS interface. To enable - `grpc` ((#tls_grpc)) Provides settings for the gRPC/xDS interface. To enable
the gRPC interface you must define a port via [`ports.grpc`](#grpc_port). the gRPC interface you must define a port via [`ports.grpc_tls`](#grpc_tls_port).
- `ca_file` ((#tls_grpc_ca_file)) Overrides [`tls.defaults.ca_file`](#tls_defaults_ca_file). - `ca_file` ((#tls_grpc_ca_file)) Overrides [`tls.defaults.ca_file`](#tls_defaults_ca_file).

View File

@ -14,6 +14,32 @@ provided for their upgrades as a result of new features or changed behavior.
This page is used to document those details separately from the standard This page is used to document those details separately from the standard
upgrade flow. upgrade flow.
## Consul 1.14.x
### Service Mesh Compatibility
##### Changes to gRPC TLS configuration
**Configuration changes should be made** if using sidecar proxies or gateways
in conjunction with any of the following:
1. [`ports.https`](/docs/agent/config/config-files#https_port) - Encrypts gRPC in Consul 1.12 and prior
2. [`auto_encrypt`](/docs/agent/config/config-files#auto_encrypt) - Encrypts gRPC in Consul 1.13 and prior
3. [`auto_config`](/docs/agent/config/config-files#auto_config) - Encrypts gRPC in Consul 1.13 and prior
Prior to Consul 1.14, it was possible for communication between Consul and Envoy over `ports.grpc`
to be encrypted by one of these features.
In Consul 1.14, a new [`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port) configuration
is introduced. The existing [`ports.grpc`](/docs/agent/config/config-files#grpc_port) configuration
**will stop supporting encryption in a future release**. Now, the recommended way to encrypt gRPC
traffic is only via `ports.grpc_tls`.
For most environments, the Envoy communication to Consul is loop-back only and does not benefit from encryption.
If you would like to continue utilizing encryption for gRPC, change the existing `ports.grpc` to `ports.grpc_tls` in
your configuration during the upgrade to ensure compatibility with future releases.
## Consul 1.13.x ## Consul 1.13.x
### Service Mesh Compatibility ### Service Mesh Compatibility