Allow setting TLS for gRPC with deprecated options [1.13.x] #14668

Merged
merged 5 commits into from Sep 16, 2022

@freddygv freddygv commented Sep 16, 2022

Replaces #14644.

This PR is only being merged against release/1.13.x because it is not needed in Consul 1.14.

Once 1.14 is released we will drop support for configuring TLS for gRPC using the flags available in Consul 1.11.

Description

Currently TLS for gRPC can only be enabled using the options nested in the tls.grpc configuration stanza.

That leads to a breaking change where the TLS options deprecated in 1.12 cannot be used to enable TLS for gRPC.

This commit updates the logic for determining whether TLS should be used on the public gRPC port: If the 1.12 tls stanza is not specified we default to the original behavior, which is to enable TLS for gRPC if the HTTPS port is set.

The change allows for consul-k8s to continue to use TLS flags compatible with 1.11 until 1.14 is released.

Testing & Reproduction steps

  • Unit tests
  • Manual tests:
    • Given multiple config files where some use the TLS stanza and others don't --> used post 1.13 logic to set TLS since at least one specified the new TLS stanza.
    • Given multiple config files where TLS certs were specified with deprecated flags and the HTTPS port was set --> used old logic and enabled TLS

Links

Related to:

PR Checklist

  • updated test coverage
  • external facing docs updated
  • not a security concern
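The selection rule described above, sketched as an added example for auditing which path a set of config files takes; it is not code from this PR or from Consul. The `Source` and `Decision` types and `GRPCTLS` are hypothetical, and the stanza path is assumed to enable TLS only when a cert and key are set under `tls.grpc` (or inherited from `tls.defaults`).

```go
package main

import "fmt"

// Source is a hypothetical, simplified view of one agent config file.
type Source struct {
	HasTLSStanza bool   // file has a top-level `tls` block
	GRPCCert     string // tls.grpc cert_file (or inherited from tls.defaults)
	GRPCKey      string // tls.grpc key_file (or inherited from tls.defaults)
	LegacyTLS    bool   // file uses the deprecated top-level TLS options
	HTTPSPort    int    // ports.https; <= 0 means not set
}

// Decision reports which rule was applied, the outcome, and any warning.
type Decision struct {
	Rule    string
	TLS     bool
	Warning string
}

// GRPCTLS merges sources in order (later non-empty values win) and applies
// the rule from the PR description.
func GRPCTLS(sources []Source) Decision {
	var m Source
	for _, s := range sources {
		m.HasTLSStanza = m.HasTLSStanza || s.HasTLSStanza
		m.LegacyTLS = m.LegacyTLS || s.LegacyTLS
		if s.GRPCCert != "" {
			m.GRPCCert = s.GRPCCert
		}
		if s.GRPCKey != "" {
			m.GRPCKey = s.GRPCKey
		}
		if s.HTTPSPort != 0 {
			m.HTTPSPort = s.HTTPSPort
		}
	}
	if !m.HasTLSStanza {
		// No file used the stanza: original behavior, keyed on the HTTPS port.
		return Decision{Rule: "https-port", TLS: m.HTTPSPort > 0}
	}
	// Assumption: the stanza path enables TLS when a cert and key are set.
	d := Decision{Rule: "tls-stanza", TLS: m.GRPCCert != "" && m.GRPCKey != ""}
	if !d.TLS && m.LegacyTLS && m.HTTPSPort > 0 {
		d.Warning = "mixed config: HTTPS-port fallback not applied, tls.grpc has no cert/key"
	}
	return d
}

func main() {
	// Constructed input: one deprecated-style file plus one file with a bare tls stanza.
	mixed := []Source{{LegacyTLS: true, HTTPSPort: 8501}, {HasTLSStanza: true}}
	fmt.Printf("%+v\n", GRPCTLS(mixed))
}
```

The mixed case is the one worth checking in a fleet: a single file carrying a `tls` stanza moves every file onto the stanza path, so the HTTPS-port default no longer applies.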

Currently TLS for gRPC can only be enabled using the options nested in
the tls.grpc configuration stanza.

That leads to a breaking change where the TLS options deprecated in 1.12
cannot be used to enable TLS for gRPC.

This commit updates the logic for determining whether TLS should be used
on the public gRPC port: If the 1.12 tls stanza is not specified we
default to the original behavior, which is to enable TLS for gRPC if the
HTTPS port is set.
@freddygv freddygv changed the title Allow setting TLS for gRPC with deprecated options Allow setting TLS for gRPC with deprecated options [1.13.x] Sep 16, 2022
@github-actions github-actions bot added theme/api Relating to the HTTP API interface theme/certificates Related to creating, distributing, and rotating certificates in Consul theme/config Relating to Consul Agent configuration, including reloading theme/tls Using TLS (Transport Layer Security) or mTLS (mutual TLS) to secure communication labels Sep 16, 2022
@freddygv freddygv marked this pull request as ready for review September 16, 2022 22:23
@freddygv freddygv merged commit 15d9715 into release/1.13.x Sep 16, 2022
@freddygv freddygv deleted the grpc-tls-compat-1-13 branch September 16, 2022 22:23