Fix issue where TLS configuration was ignored for unix sockets in consul connect envoy.#15913
Merged
hashi-derek merged 2 commits intomainfrom Jan 6, 2023
Merged
Fix issue where TLS configuration was ignored for unix sockets in consul connect envoy.#15913hashi-derek merged 2 commits intomainfrom
hashi-derek merged 2 commits intomainfrom
Conversation
de6b1df to
8327e25
Compare
…sul connect envoy.
8327e25 to
f27c077
Compare
0bdd70b to
cfa3393
Compare
shoenig
added a commit
to hashicorp/nomad
that referenced
this pull request
Jan 9, 2023
…ul 1.14+ This PR adds client config to Nomad for specifying consul.grpc_ca_file These changes combined with hashicorp/consul#15913 should finally enable Nomad users to upgrade to Consul 1.14+ and use tls grpc connections.
shoenig
added a commit
to hashicorp/nomad
that referenced
this pull request
Jan 11, 2023
* [no ci] first pass at plumbing grpc_ca_file * consul: add support for grpc_ca_file for tls grpc connections in consul 1.14+ This PR adds client config to Nomad for specifying consul.grpc_ca_file These changes combined with hashicorp/consul#15913 should finally enable Nomad users to upgrade to Consul 1.14+ and use tls grpc connections. * consul: add cl entgry for grpc_ca_file * docs: mention grpc_tls changes due to Consul 1.14
This was referenced Jan 11, 2023
shoenig
added a commit
to hashicorp/nomad
that referenced
this pull request
Jan 11, 2023
* [no ci] first pass at plumbing grpc_ca_file * consul: add support for grpc_ca_file for tls grpc connections in consul 1.14+ This PR adds client config to Nomad for specifying consul.grpc_ca_file These changes combined with hashicorp/consul#15913 should finally enable Nomad users to upgrade to Consul 1.14+ and use tls grpc connections. * consul: add cl entgry for grpc_ca_file * docs: mention grpc_tls changes due to Consul 1.14
shoenig
added a commit
to hashicorp/nomad
that referenced
this pull request
Jan 11, 2023
* [no ci] first pass at plumbing grpc_ca_file * consul: add support for grpc_ca_file for tls grpc connections in consul 1.14+ This PR adds client config to Nomad for specifying consul.grpc_ca_file These changes combined with hashicorp/consul#15913 should finally enable Nomad users to upgrade to Consul 1.14+ and use tls grpc connections. * consul: add cl entgry for grpc_ca_file * docs: mention grpc_tls changes due to Consul 1.14 Co-authored-by: Seth Hoenig <shoenig@duck.com>
vzell
pushed a commit
to vzell/ansible-nomad
that referenced
this pull request
Sep 5, 2023
See: - Consul Connect sidecar proxies require additional configuration for gRPC-TLS listener - hashicorp/nomad#15360 - client: accommodate Consul 1.14.0 gRPC and agent self changes - hashicorp/nomad#15309 - consul: add client configuration for grpc_ca_file - hashicorp/nomad#15701 - Fix issue where TLS configuration was ignored for unix sockets in consul connect envoy. - hashicorp/consul#15913 - Envoy -> consul “upstream connect error or disconnect/reset before headers. reset reason: connection termination” - https://discuss.hashicorp.com/t/envoy-consul-upstream-connect-error-or-disconnect-reset-before-headers-reset-reason-connection-termination/48303
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When using
consul connect envoy, TLS configuration was not applied to local unix sockets, even when flags were specified that provided certificates.Notably, this affects Nomad deployments, which rely on unix sockets + encryption for certain configurations.
hashicorp/nomad#15360
Before this change, the only way TLS was enabled was if
https://was a prefix for the-grpc-addrflag. This allowed users to configure the certificates via environment variables / flags on clients and slowly adopt grpc+tls over time (the-grpc-addrvalue is also discoverable via an API call to/v1/agent/self, but the certificate is not).After this change, TLS will be enabled only if either of the following are true:
-grpc-addrstarts withhttps://-grpc-addrstarts withunix://AND grpc certificates are configuredThis ensures that the existing ability for users to roll out HTTP -> HTTPS conversions is not affected, while users of unix sockets can encrypt traffic, if desired.
Finally, there was some logic added recently that attempted to dial the gRPC connection prior to launching envoy to help users debug issues. However, this would be run during bootstrap mode, which would cause an undesired early return (Nomad generates the bootstrap on one host with Consul CLI and then passes that into a container). To fix this, the check has been swapped to a warning only (instead of returning) and the check also no longer runs during bootstrap mode.