Merge pull request #15028 from hashicorp/docs/auto-cert-1-13-2

Update upgrade docs for 1.13.2.
pull/15125/head
Jared Kirschner 2022-10-24 11:39:29 -04:00 committed by GitHub
commit 61b60a79e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 16 deletions

@ -61,25 +61,22 @@ This bug is fixed in Consul versions 1.13.1 and newer.
#### Service mesh deployments using auto-encrypt or auto-config
**Do not upgrade to Consul 1.13 yet** if using
Upgrade to **Consul version 1.13.2 or later** if using
[auto-encrypt](/docs/agent/config/config-files#auto_encrypt) or
[auto-config](/docs/agent/config/config-files#auto_config).
In Consul 1.13, auto-encrypt and auto-config both cause Consul
In Consul 1.13.0 - 1.13.1, auto-encrypt and auto-config both cause Consul
to require TLS for gRPC communication with Envoy proxies.
In environments where Envoy proxies are not already configured
to use TLS for gRPC, upgrading Consul 1.13 will cause
to use TLS for gRPC, upgrading to Consul 1.13.0 - 1.13.1 will cause
Envoy proxies to disconnect from the control plane (Consul agents).
The underlying cause is the same as discussed in
[deployments without the HTTPS port enabled on Consul agents](#service-mesh-deployments-without-the-https-port-enabled-on-consul-agents).
However, when using auto-encrypt or auto-config,
the problem **cannot** currently be avoided by
[modifying the agent's TLS configuration](#modify-the-consul-agent-s-tls-configuration)
because auto-encrypt and auto-config automatically set
interface-generic TLS configuration in a manner similar to
[`tls.defaults`](/docs/agent/config/config-files#tls_defaults).
We are working to address this problem in an upcoming 1.13 patch release.
If upgrading to version 1.13.2 or later, you must enable
[tls.grpc.use_auto_cert](/docs/agent/config/config-files#use_auto_cert)
if you currently rely on Consul agents presenting the auto-encrypt or
auto-config certs as the TLS server certs on the gRPC port.
The new `use_auto_cert` flag enables TLS for gRPC based on the presence
of auto-encrypt certs.
#### Service mesh deployments without the HTTPS port enabled on Consul agents ((#grpc-tls))
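Review bot: the paragraph beginning "If upgrading to version 1.13.2 or later" is inconsistent about scope. It tells readers to enable the flag when they rely on "the auto-encrypt or auto-config certs" on the gRPC port, but the next sentence says `use_auto_cert` enables TLS for gRPC "based on the presence of auto-encrypt certs" only. Please state whether the flag also covers auto-config certs. The text also omits the flag's default and what the gRPC port does when the flag is left unset. An operator needs both to judge whether skipping the step leaves Envoy-to-agent gRPC without TLS or causes proxies to disconnect. Minor style point: the link text tls.grpc.use_auto_cert is not in backticks, while the later mention of `use_auto_cert` is.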