From f019457815e308664e19855015e3628706dda885 Mon Sep 17 00:00:00 2001 From: Samantha Date: Wed, 28 Jun 2023 12:24:51 -0400 Subject: [PATCH 1/3] tlsutil: Fix check TLS configuration (#17481) * tlsutil: Fix check TLS configuration * Rewording docs. * Update website/content/docs/services/configuration/checks-configuration-reference.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Fix typos and add changelog entry. --------- Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- .changelog/17481.txt | 3 +++ tlsutil/config.go | 25 +++++++++++++------ tlsutil/config_test.go | 8 +++--- .../checks-configuration-reference.mdx | 4 +-- 4 files changed, 26 insertions(+), 14 deletions(-) create mode 100644 .changelog/17481.txt diff --git a/.changelog/17481.txt b/.changelog/17481.txt new file mode 100644 index 0000000000..89ad16998e --- /dev/null +++ b/.changelog/17481.txt @@ -0,0 +1,3 @@ +```release-note:bug +tlsutil: Default setting of ServerName field in outgoing TLS configuration for checks now handled by crypto/tls. +``` diff --git a/tlsutil/config.go b/tlsutil/config.go index 5cdaf7633e..a52d6b6ad8 100644 --- a/tlsutil/config.go +++ b/tlsutil/config.go 
@@ -857,10 +857,23 @@ func (c *Configurator) IncomingHTTPSConfig() *tls.Config {
 return config
 }
-// OutgoingTLSConfigForCheck generates a *tls.Config for outgoing TLS connections
-// for checks. This function is separated because there is an extra flag to
-// consider for checks. EnableAgentTLSForChecks and InsecureSkipVerify has to
-// be checked for checks.
+// OutgoingTLSConfigForCheck creates a client *tls.Config for executing checks.
+// It is RECOMMENDED that the serverName be left unspecified. The crypto/tls
+// client will deduce the ServerName (for SNI) from the check address unless
+// it's an IP (RFC 6066, Section 3). However, there are two instances where
+// supplying a serverName is useful:
+//
+// 1. When the check address is an IP, a serverName can be supplied for SNI.
+// Note: setting serverName will also override the hostname used to verify
+// the certificate presented by the server being checked.
+//
+// 2. When the hostname in the check address won't be present in the SAN
+// (Subject Alternative Name) field of the certificate presented by the
+// server being checked. Note: setting serverName will also override the
+// ServerName used for SNI.
+//
+// Setting skipVerify will disable verification of the server's certificate
+// chain and hostname, which is generally not suitable for production use.
 func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName string) *tls.Config {
 c.log("OutgoingTLSConfigForCheck")
@@ -875,13 +888,9 @@ func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName str
 }
 }
- if serverName == "" {
- serverName = c.serverNameOrNodeName()
- }
 config := c.internalRPCTLSConfig(false)
 config.InsecureSkipVerify = skipVerify
 config.ServerName = serverName
-
 return config
 }
diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go
index 30ebd62c20..721198afe8 100644
--- a/tlsutil/config_test.go
+++ b/tlsutil/config_test.go
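Review bot: Leaving config.ServerName empty in the second hunk only works when the caller dials through tls.Dial or an http.Transport, which copy the host from the dial address into a cloned config; a caller that wraps its own net.Conn with tls.Client and passes skipVerify false will fail the handshake, because crypto/tls rejects a client config with neither ServerName nor InsecureSkipVerify set. The new doc comment in the first hunk credits "the crypto/tls client" with deducing the name, which overstates the guarantee now that the function supplies no fallback of its own. I would add after the RFC 6066 sentence: `// This deduction is done by tls.Dial and net/http when they fill in an empty ServerName from the dial address; a config handed directly to tls.Client gets no such default.` Existing callers in this repo may well all go through net/http, but that assumption is not visible here and belongs in the comment. Only the start and the end of OutgoingTLSConfigForCheck are shown; its middle lies between the two hunks.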
@@ -1376,7 +1376,7 @@ func TestConfigurator_OutgoingTLSConfigForCheck(t *testing.T) {
 },
 },
 {
- name: "agent tls, default server name",
+ name: "agent tls, default consul server name, no override",
 conf: func() (*Configurator, error) {
 return NewConfigurator(Config{
 InternalRPC: ProtocolConfig{
@@ -1389,11 +1389,11 @@ func TestConfigurator_OutgoingTLSConfigForCheck(t *testing.T) {
 },
 expected: &tls.Config{
 MinVersion: tls.VersionTLS12,
- ServerName: "servername",
+ ServerName: "",
 },
 },
 {
- name: "agent tls, skip verify, node name for server name",
+ name: "agent tls, skip verify, consul node name for server name, no override",
 conf: func() (*Configurator, error) {
 return NewConfigurator(Config{
 InternalRPC: ProtocolConfig{
@@ -1407,7 +1407,7 @@ func TestConfigurator_OutgoingTLSConfigForCheck(t *testing.T) {
 expected: &tls.Config{
 InsecureSkipVerify: true,
 MinVersion: tls.VersionTLS12,
- ServerName: "nodename",
+ ServerName: "",
 },
 },
 {
diff --git a/website/content/docs/services/configuration/checks-configuration-reference.mdx b/website/content/docs/services/configuration/checks-configuration-reference.mdx
index fee071de51..c0d3e24cfd 100644
--- a/website/content/docs/services/configuration/checks-configuration-reference.mdx
+++ b/website/content/docs/services/configuration/checks-configuration-reference.mdx
@@ -35,8 +35,8 @@ Specify health check options in the `check` block. To register two or more heath | `h2ping` | String value that specifies the HTTP2 endpoint, including port number, to send HTTP2 requests to. |
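Review bot: After the renames in the second and third hunks both cases expect ServerName "" whether a server name or a node name is configured, so they no longer distinguish those two configurations and neither asserts that a caller-supplied serverName is copied through to the returned config. Unless such a case exists outside these hunks, I would add one that calls the function with a non-empty serverName and expects `ServerName: "override"`, plus one with skipVerify false and an empty serverName to pin the empty result that the changelog entry now promises. The table's call site and the remaining cases lie outside the hunks.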
  • H2ping
  • | | `h2ping_use_tls` | Boolean value that enables TLS for H2ping checks when set to `true`. |
  • H2ping
  • | | `http` | String value that specifies an HTTP endpoint to send requests to. |
  • HTTP
  • | -| `tls_server_name` | String value that specifies the name of the TLS server that issues certificates. Defaults to the SNI determined by the address specified in the `http` field. Set the `tls_skip_verify` to `false` to disable this field. |
  • HTTP
  • | -| `tls_skip_verify` | Boolean value that disbles TLS for HTTP checks when set to `true`. Default is `false`. |
  • HTTP
  • | +| `tls_server_name` | String value that specifies the server name used to verify the hostname on the returned certificates unless `tls_skip_verify` is given. Also included in the client's handshake to support SNI. It is recommended that this field be left unspecified. The TLS client will deduce the server name for SNI from the check address unless it's an IP ([RFC 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3)). There are two common circumstances where supplying a `tls_server_name` can be beneficial:
  • When the check address is an IP, `tls_server_name` can be specified for SNI. Note: setting `tls_server_name` will also override the hostname used to verify the certificate presented by the server being checked.
  • When the hostname in the check address won't be present in the SAN (Subject Alternative Name) field of the certificate presented by the server being checked. Note: setting `tls_server_name` will also override the hostname used for SNI.
  • |
  • HTTP
  • H2Ping
  • gRPC
  • | +| `tls_skip_verify` | Boolean value that determines if the check verifies the chain and hostname of the certificate that the server presents. Set to `true` to disable verification. We recommend setting to `false` for production use. Default is `false`. |
  • HTTP
  • H2Ping
  • gRPC
  • | | `method` | String value that specifies the request method to send during HTTP checks. Default is `GET`. |
  • HTTP
  • | | `header` | Object that specifies header fields to send in HTTP check requests. Each header specified in `header` object contains a list of string values. |
  • HTTP
  • | | `body` | String value that contains JSON attributes to send in HTTP check requests. You must escap the quotation marks around the keys and values for each attribute. |
  • HTTP
  • | From 6f660e5e258157201fed2f118f5a845a1082cd55 Mon Sep 17 00:00:00 2001 From: David Yu Date: Wed, 28 Jun 2023 12:45:46 -0700 Subject: [PATCH 2/3] docs: Deprecations for connect-native SDK and specific connect native APIs (#17937) * Update v1_16_x.mdx * Update connect native golang page --------- Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/connect/native/go.mdx | 7 +++++++ website/content/docs/connect/native/index.mdx | 15 +++++++++++---- .../content/docs/connect/proxies/integrate.mdx | 11 +++++++++++ .../content/docs/release-notes/consul/v1_16_x.mdx | 11 ++++++++++- 4 files changed, 39 insertions(+), 5 deletions(-) diff --git a/website/content/docs/connect/native/go.mdx b/website/content/docs/connect/native/go.mdx index df9080f17f..e3068058fd 100644 --- a/website/content/docs/connect/native/go.mdx +++ b/website/content/docs/connect/native/go.mdx @@ -7,6 +7,13 @@ description: >- # Service Mesh Native Integration for Go Applications + + +The Connect Native golang SDK is currently deprecated and will be removed in a future Consul release. +The SDK will be removed when the long term replacement to native application integration (such as a proxyless gRPC service mesh integration) is delivered. Refer to [GH-10339](https://github.com/hashicorp/consul/issues/10339) for additional information and to track progress toward one potential solution that is tracked as replacement functionality. + + + We provide a library that makes it drop-in simple to integrate Consul service mesh with most [Go](https://golang.org/) applications. This page shows examples of integrating this library for accepting or establishing mesh-based diff --git a/website/content/docs/connect/native/index.mdx b/website/content/docs/connect/native/index.mdx index e8cc421af8..3cf64f346c 100644 --- a/website/content/docs/connect/native/index.mdx +++ b/website/content/docs/connect/native/index.mdx 
@@ -7,10 +7,17 @@ description: >- # Service Mesh Native App Integration Overview -~> **Note:** The Native App Integration does not support many of the Consul's service -mesh features, and is not under active development. -The [Envoy proxy](/consul/docs/connect/proxies/envoy) should be used for most production -environments. + + +The Connect Native Golang SDK and `v1/agent/connect/authorize`, `v1/agent/connect/ca/leaf`, +and `v1/agent/connect/ca/roots` APIs are deprecated and will be removed in a future release. Although Connect Native +will still operate as designed, we do not recommend leveraging this feature because it is deprecated and will be removed +removed when the long term replacement to native application integration (such as a proxyless gRPC service mesh integration) is delivered. Refer to [GH-10339](https://github.com/hashicorp/consul/issues/10339) for additional information and to track progress toward one potential solution that is tracked as replacement functionality. + +The Native App Integration does not support many of the Consul's service mesh features, and is not under active development. +The [Envoy proxy](/consul/docs/connect/proxies/envoy) should be used for most production environments. + + Applications can natively integrate with Consul's service mesh API to support accepting and establishing connections to other mesh services without the overhead of a diff --git a/website/content/docs/connect/proxies/integrate.mdx b/website/content/docs/connect/proxies/integrate.mdx index 1ad9f4b911..d00e01d1bd 100644 --- a/website/content/docs/connect/proxies/integrate.mdx +++ b/website/content/docs/connect/proxies/integrate.mdx 
@@ -7,6 +7,17 @@ description: >- # Custom Proxy Configuration for Service Mesh + + + The Connect Native Golang SDK and `v1/agent/connect/authorize`, `v1/agent/connect/ca/leaf`, + and `v1/agent/connect/ca/roots` APIs are deprecated and will be removed in a future release. Although Connect Native + will still operate as designed, we do not recommend leveraging this feature because it is deprecated and will be removed when the long term replacement to native application integration (such as a proxyless gRPC service mesh integration) is delivered. Refer to [GH-10339](https://github.com/hashicorp/consul/issues/10339) for additional information and to track progress toward one potential solution that is tracked as replacement functionality. + + The Native App Integration does not support many of the Consul's service mesh features, and is not under active development. + The [Envoy proxy](/consul/docs/connect/proxies/envoy) should be used for most production environments. + + + This topic describes the process and API endpoints you can use to extend proxies for integration with Consul. ## Overview diff --git a/website/content/docs/release-notes/consul/v1_16_x.mdx b/website/content/docs/release-notes/consul/v1_16_x.mdx index 33241b6b84..616104a709 100644 --- a/website/content/docs/release-notes/consul/v1_16_x.mdx +++ b/website/content/docs/release-notes/consul/v1_16_x.mdx 
@@ -51,6 +51,15 @@ We are pleased to announce the following Consul updates. Consul's API gateway is the recommended alternative to ingress gateway. For ingress gateway features not currently supported by API gateway, equivalent functionality will be added to API gateway over the next several releases of Consul. +- **Connect Native Golang SDK:** The Connect Native [Golang SDK](https://github.com/hashicorp/consul/tree/main/connect) is deprecated and will be removed in a future release. No further enhancements or maintenance is expected in the future releases. We will remove the SDK when the long term replacement to native application integration (such as a proxyless gRPC service mesh integration) is delivered. Refer to [GH-10339](https://github.com/hashicorp/consul/issues/10339) for additional information and to track progress toward one potential solution that is tracked as replacement functionality. + +- **Connect Native APIs:** The following APIs for Connect Native are deprecated: + - `v1/agent/connect/authorize` - used by the SDK to perform intention based authorization checks + - `v1/agent/connect/ca/leaf` - used by the SDK to get a leaf cert for a locally registered service + - `v1/agent/connect/ca/roots` - use to retrieved cached CA roots form the local client agent + + The `v1/agent/connect/authorize` and `v1/agent/connect/ca/leaf` endpoints have corresponding gRPC APIs. We will remove these APIs when the gRPC API for `v1/agent/connect/ca/roots` and HTTP endpoints for all three APIs are available. + ## Upgrading For more detailed information, please refer to the [upgrade details page](/consul/docs/upgrading/upgrade-specific) and the changelogs. 
@@ -61,4 +70,4 @@ The changelogs for this major release version and any maintenance versions are l These links take you to the changelogs on the GitHub website. -- [1.16.0](https://github.com/hashicorp/consul/releases/tag/v1.16.0) \ No newline at end of file +- [1.16.0](https://github.com/hashicorp/consul/releases/tag/v1.16.0) From bdf4fad7c5a56a32d85aa9a1772e290b6a03e1e8 Mon Sep 17 00:00:00 2001 From: John Murret Date: Wed, 28 Jun 2023 14:18:53 -0600 Subject: [PATCH 3/3] Revert "Add workflow to verify linux release packages (#17904)" (#17942) This reverts commit 3368f14fab500ebe9f6aeab5631dd1d5f5a453e5. --- .github/workflows/verify-release-linux.yaml | 78 ------------------- .../docker/Verify-Release-Amazon.dockerfile | 10 --- .../docker/Verify-Release-CentOS.dockerfile | 10 --- .../docker/Verify-Release-Debian.dockerfile | 12 --- .../docker/Verify-Release-Fedora.dockerfile | 10 --- .../Verify-Release-Ubunt-i386.dockerfile | 12 --- .../docker/Verify-Release-Ubuntu.dockerfile | 12 --- 7 files changed, 144 deletions(-) delete mode 100644 .github/workflows/verify-release-linux.yaml delete mode 100644 build-support/docker/Verify-Release-Amazon.dockerfile delete mode 100644 build-support/docker/Verify-Release-CentOS.dockerfile delete mode 100644 build-support/docker/Verify-Release-Debian.dockerfile delete mode 100644 build-support/docker/Verify-Release-Fedora.dockerfile delete mode 100644 build-support/docker/Verify-Release-Ubunt-i386.dockerfile delete mode 100644 build-support/docker/Verify-Release-Ubuntu.dockerfile diff --git a/.github/workflows/verify-release-linux.yaml b/.github/workflows/verify-release-linux.yaml deleted file mode 100644 index a86da7f05f..0000000000 --- a/.github/workflows/verify-release-linux.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -name: Verify Release - Linux - -on: - workflow_dispatch: - inputs: - packageName: - description: 'Name of consul release package (consul vs consul-enterprise)' - required: true - default: 'consul' - type: choice - options: - - consul - - consul-enterprise - version: - description: The x.y.z version (also need to specify applicable suffixes like +ent and -dev)' - required: true - type: string - -jobs: - verify-ubuntu-amd64: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - name: docker build with version - run: | - docker build \ - --build-arg PACKAGE=${{ inputs.packageName }} \ - --build-arg VERSION=${{ inputs.version }} \ - --build-arg TARGETARCH=amd64 \ - -f ./build-support/docker/Verify-Release-Ubuntu.dockerfile . - - verify-debian-amd64: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - name: docker build with version - run: | - docker build \ - --build-arg PACKAGE=${{ inputs.packageName }} \ - --build-arg VERSION=${{ inputs.version }} \ - --build-arg TARGETARCH=amd64 \ - -f ./build-support/docker/Verify-Release-Debian.dockerfile . - - verify-fedora: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - name: docker build with version - run: | - docker build \ - --build-arg PACKAGE=${{ inputs.packageName }} \ - --build-arg VERSION=${{ inputs.version }} \ - -f ./build-support/docker/Verify-Release-Fedora.dockerfile . - - verify-centos: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - name: docker build with version - run: | - docker build \ - --build-arg PACKAGE=${{ inputs.packageName }} \ - --build-arg VERSION=${{ inputs.version }} \ - -f ./build-support/docker/Verify-Release-CentOS.dockerfile . 
- - verify-amazon: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - name: docker build with version - run: | - docker build \ - --build-arg PACKAGE=${{ inputs.packageName }} \ - --build-arg VERSION=${{ inputs.version }} \ - -f ./build-support/docker/Verify-Release-Amazon.dockerfile . diff --git a/build-support/docker/Verify-Release-Amazon.dockerfile b/build-support/docker/Verify-Release-Amazon.dockerfile deleted file mode 100644 index 591b234c3b..0000000000 --- a/build-support/docker/Verify-Release-Amazon.dockerfile +++ /dev/null @@ -1,10 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -FROM amazonlinux:latest -RUN yum install -y yum-utils shadow-utils -RUN yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo -ARG PACKAGE=consul \ -ARG VERSION \ -ARG SUFFIX=1 -RUN yum install -y ${PACKAGE}-${VERSION}-${SUFFIX} diff --git a/build-support/docker/Verify-Release-CentOS.dockerfile b/build-support/docker/Verify-Release-CentOS.dockerfile deleted file mode 100644 index a2be67ac77..0000000000 --- a/build-support/docker/Verify-Release-CentOS.dockerfile +++ /dev/null @@ -1,10 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -FROM centos:7 -RUN yum install -y yum-utils -RUN yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo -ARG PACKAGE=consul \ -ARG VERSION \ -ARG SUFFIX=1 -RUN yum install -y ${PACKAGE}-${VERSION}-${SUFFIX} \ No newline at end of file diff --git a/build-support/docker/Verify-Release-Debian.dockerfile b/build-support/docker/Verify-Release-Debian.dockerfile deleted file mode 100644 index 533890bca4..0000000000 --- a/build-support/docker/Verify-Release-Debian.dockerfile +++ /dev/null 
@@ -1,12 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -FROM debian:bullseye -RUN apt update && apt install -y software-properties-common curl gnupg -RUN curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - -ARG TARGETARCH=amd64 -RUN apt-add-repository "deb [arch=${TARGETARCH}] https://apt.releases.hashicorp.com $(lsb_release -cs) main" -ARG PACKAGE=consul \ -ARG VERSION \ -ARG SUFFIX=1 -RUN apt-get update && apt-get install -y ${PACKAGE}=${VERSION}-${SUFFIX} \ No newline at end of file diff --git a/build-support/docker/Verify-Release-Fedora.dockerfile b/build-support/docker/Verify-Release-Fedora.dockerfile deleted file mode 100644 index 601751a911..0000000000 --- a/build-support/docker/Verify-Release-Fedora.dockerfile +++ /dev/null @@ -1,10 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -FROM fedora:latest -RUN dnf install -y dnf-plugins-core -RUN dnf config-manager --add-repo https://rpm.releases.hashicorp.com/fedora/hashicorp.repo -ARG PACKAGE=consul \ -ARG VERSION \ -ARG SUFFIX=1 -RUN dnf install -y ${PACKAGE}-${VERSION}-${SUFFIX} diff --git a/build-support/docker/Verify-Release-Ubunt-i386.dockerfile b/build-support/docker/Verify-Release-Ubunt-i386.dockerfile deleted file mode 100644 index 82913b4f72..0000000000 --- a/build-support/docker/Verify-Release-Ubunt-i386.dockerfile +++ /dev/null @@ -1,12 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -FROM i386/ubuntu:latest -RUN apt update && apt install -y software-properties-common curl -RUN curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - -ARG TARGETARCH=amd64 -RUN apt-add-repository "deb [arch=${TARGETARCH}] https://apt.releases.hashicorp.com $(lsb_release -cs) main" -ARG PACKAGE=consul \ -ARG VERSION \ -ARG SUFFIX=1 -RUN apt-get update && apt-get install -y ${PACKAGE}=${VERSION}-${SUFFIX} 
diff --git a/build-support/docker/Verify-Release-Ubuntu.dockerfile b/build-support/docker/Verify-Release-Ubuntu.dockerfile deleted file mode 100644 index ddeffc40c5..0000000000 --- a/build-support/docker/Verify-Release-Ubuntu.dockerfile +++ /dev/null @@ -1,12 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -FROM ubuntu:latest -RUN apt update && apt install -y software-properties-common curl -RUN curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - -ARG TARGETARCH=amd64 -RUN apt-add-repository "deb [arch=${TARGETARCH}] https://apt.releases.hashicorp.com $(lsb_release -cs) main" -ARG PACKAGE=consul \ -ARG VERSION \ -ARG SUFFIX=1 -RUN apt-get update && apt-get install -y ${PACKAGE}=${VERSION}-${SUFFIX}