From 6ec7c296b5510f5e744e8a385a8d4b8b19e5df2e Mon Sep 17 00:00:00 2001 From: "Chris S. Kim" Date: Wed, 4 Oct 2023 16:12:30 -0400 Subject: [PATCH] Update upgrade-specific.mdx --- website/content/docs/upgrading/upgrade-specific.mdx | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 79b0285d63cfa..16ad36519ef29 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -19,6 +19,7 @@ upgrade flow. #### Service mesh compatibility ((#service-mesh-compatibility-1-15)) Upgrade to **Consul version 1.15.2 or later**. +If using [Vault Enterprise as CA](#vault-enterprise-as-ca-1-15), **avoid Consul version 1.15.6**. Consul versions 1.15.0 - 1.15.1 contain a race condition that can cause some service instances to lose their ability to communicate in the mesh after 
@@ -27,6 +28,15 @@ due to a problem with leaf certificate rotation. This bug is fixed in Consul versions 1.15.2 and newer. +#### Vault Enterprise as CA ((#vault-enterprise-as-ca-1-15)) +Using Vault as CA with Consul version 1.15.6 will fail to initialize the CA if [`namespace`](/consul/docs/connect/ca/vault#namespace) is set +but [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) +are empty. This is a bug which will be fixed in a future version. + +To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) and +[`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/connect/ca/vault#namespace). +Set your configuration by calling [set-config](/consul/commands/connect/ca#set-config) then use [get-config](/consul/commands/connect/ca#get-config) to check. + #### Removing configuration options The `connect.enable_serverless_plugin` configuration option was removed. Lambda integration is now enabled by default.
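Review bot: In the first hunk, the added sentence "If using [Vault Enterprise as CA](#vault-enterprise-as-ca-1-15), **avoid Consul version 1.15.6**." follows the unchanged line "Upgrade to **Consul version 1.15.2 or later**", a range that includes 1.15.6, so the two lines read as conflicting advice for Vault CA users. It also says "avoid" although the linked section documents a workaround. Suggest stating the condition and the alternative in this sentence, for example that 1.15.6 needs the namespace workaround from the linked section when `namespace` is set, so operators already running 1.15.6 can see that a configuration change is an option.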
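Review bot: In the second hunk, the failure condition is ambiguous and the scope is inconsistent. The heading says "Vault Enterprise as CA" while the first sentence says "Using Vault as CA". The phrase "`intermediate_pki_namespace` or `root_pki_namespace` are empty" does not say whether one empty field is enough to break CA initialization, although the workaround requires setting both. Suggest aligning the heading and body on which Vault edition is affected, and rewording the condition to "if either ... is empty" or "if both ... are empty", whichever matches the bug. "This is a bug which will be fixed in a future version" would be more useful with a link to the tracking issue. A short sample of the provider configuration with all three namespace fields set to the same value would also make the set-config and get-config step easier to follow and verify.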