Fix issue where TLS configuration was ignored for unix sockets in consul connect envoy. #15913
+259
−20
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
theme/cli
hashi-derek
force-pushed
the
derekm/NET-1990/unix-tls
branch
from
de6b1df to
8327e25
Compare
…sul connect envoy.
hashi-derek
force-pushed
the
derekm/NET-1990/unix-tls
branch
from
8327e25 to
f27c077
Compare
hashi-derek
requested review from
a team,
erichaberkorn and
wilkermichael
and removed request for
a team
hashi-derek
force-pushed
the
derekm/NET-1990/unix-tls
branch
from
0bdd70b to
cfa3393
Compare
shoenig
added a commit
to hashicorp/nomad
that referenced
this pull request
Jan 9, 2023
…ul 1.14+ This PR adds client config to Nomad for specifying consul.grpc_ca_file These changes combined with hashicorp/consul#15913 should finally enable Nomad users to upgrade to Consul 1.14+ and use tls grpc connections.
shoenig
added a commit
to hashicorp/nomad
that referenced
this pull request
Jan 11, 2023
* [no ci] first pass at plumbing grpc_ca_file * consul: add support for grpc_ca_file for tls grpc connections in consul 1.14+ This PR adds client config to Nomad for specifying consul.grpc_ca_file These changes combined with hashicorp/consul#15913 should finally enable Nomad users to upgrade to Consul 1.14+ and use tls grpc connections. * consul: add cl entgry for grpc_ca_file * docs: mention grpc_tls changes due to Consul 1.14
This was referenced Jan 11, 2023
shoenig
added a commit
to hashicorp/nomad
that referenced
this pull request
Jan 11, 2023
* [no ci] first pass at plumbing grpc_ca_file * consul: add support for grpc_ca_file for tls grpc connections in consul 1.14+ This PR adds client config to Nomad for specifying consul.grpc_ca_file These changes combined with hashicorp/consul#15913 should finally enable Nomad users to upgrade to Consul 1.14+ and use tls grpc connections. * consul: add cl entgry for grpc_ca_file * docs: mention grpc_tls changes due to Consul 1.14
shoenig
added a commit
to hashicorp/nomad
that referenced
this pull request
Jan 11, 2023
* [no ci] first pass at plumbing grpc_ca_file * consul: add support for grpc_ca_file for tls grpc connections in consul 1.14+ This PR adds client config to Nomad for specifying consul.grpc_ca_file These changes combined with hashicorp/consul#15913 should finally enable Nomad users to upgrade to Consul 1.14+ and use tls grpc connections. * consul: add cl entgry for grpc_ca_file * docs: mention grpc_tls changes due to Consul 1.14 Co-authored-by: Seth Hoenig <shoenig@duck.com>
skpratt
pushed a commit
that referenced
this pull request
Jan 25, 2023
…sul connect envoy. (#15913) Fix issue where TLS configuration was ignored for unix sockets in consul connect envoy. Disable xds check on bootstrap mode and change check to warn only.
vzell
pushed a commit
to vzell/ansible-nomad
that referenced
this pull request
Sep 5, 2023
See: - Consul Connect sidecar proxies require additional configuration for gRPC-TLS listener - hashicorp/nomad#15360 - client: accommodate Consul 1.14.0 gRPC and agent self changes - hashicorp/nomad#15309 - consul: add client configuration for grpc_ca_file - hashicorp/nomad#15701 - Fix issue where TLS configuration was ignored for unix sockets in consul connect envoy. - hashicorp/consul#15913 - Envoy -> consul “upstream connect error or disconnect/reset before headers. reset reason: connection termination” - https://discuss.hashicorp.com/t/envoy-consul-upstream-connect-error-or-disconnect-reset-before-headers-reset-reason-connection-termination/48303
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When using
consul connect envoy, TLS configuration was not applied to local unix sockets, even when flags were specified that provided certificates.Notably, this affects Nomad deployments, which rely on unix sockets + encryption for certain configurations.
hashicorp/nomad#15360
Before this change, the only way TLS was enabled was if
https://was a prefix for the-grpc-addrflag. This allowed users to configure the certificates via environment variables / flags on clients and slowly adopt grpc+tls over time (the-grpc-addrvalue is also discoverable via an API call to/v1/agent/self, but the certificate is not).After this change, TLS will be enabled only if either of the following are true:
-grpc-addrstarts withhttps://-grpc-addrstarts withunix://AND grpc certificates are configuredThis ensures that the existing ability for users to roll out HTTP -> HTTPS conversions is not affected, while users of unix sockets can encrypt traffic, if desired.
Finally, there was some logic added recently that attempted to dial the gRPC connection prior to launching envoy to help users debug issues. However, this would be run during bootstrap mode, which would cause an undesired early return (Nomad generates the bootstrap on one host with Consul CLI and then passes that into a container). To fix this, the check has been swapped to a warning only (instead of returning) and the check also no longer runs during bootstrap mode.