Backport of Fix issue where TLS configuration was ignored for unix sockets in consul connect envoy. into release/1.14.x #15934
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hc-github-team-consul-core
force-pushed
the
backport/derekm/NET-1990/unix-tls/quickly-sweet-javelin
branch
from
67a264c
to
dc274b3
Compare
hc-github-team-consul-core
force-pushed
the
backport/derekm/NET-1990/unix-tls/quickly-sweet-javelin
branch
from
dc274b3
to
67a264c
Compare
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
github-actions
bot
added
the
theme/cli
github-team-consul-core-pr-approver
approved these changes
Jan 6, 2023
hashi-derek
deleted the
backport/derekm/NET-1990/unix-tls/quickly-sweet-javelin
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This PR is auto-generated from #15913 to be assessed for backporting due to the inclusion of the label backport/1.14.
WARNING automatic cherry-pick of commits failed. Commits will require human attention.
The below text is copied from the body of the original PR.
When using
consul connect envoy, TLS configuration was not applied to local unix sockets, even when flags were specified that provided certificates.Notably, this affects Nomad deployments, which rely on unix sockets + encryption for certain configurations.
hashicorp/nomad#15360
Before this change, the only way TLS was enabled was if
https://was a prefix for the-grpc-addrflag. This allowed users to configure the certificates via environment variables / flags on clients and slowly adopt grpc+tls over time (the-grpc-addrvalue is also discoverable via an API call to/v1/agent/self, but the certificate is not).After this change, TLS will be enabled only if either of the following are true:
-grpc-addrstarts withhttps://-grpc-addrstarts withunix://AND grpc certificates are configuredThis ensures that the existing ability for users to roll out HTTP -> HTTPS conversions is not affected, while users of unix sockets can encrypt traffic, if desired.
Finally, there was some logic added recently that attempted to dial the gRPC connection prior to launching envoy to help users debug issues. However, this would be run during bootstrap mode, which would cause an undesired early return (Nomad generates the bootstrap on one host with Consul CLI and then passes that into a container). To fix this, the check has been swapped to a warning only (instead of returning) and the check also no longer runs during bootstrap mode.
Overview of commits