From 27c55aa8b514f835a71f878b3d939330467ba989 Mon Sep 17 00:00:00 2001 From: "Chris S. Kim" Date: Wed, 4 Oct 2023 16:12:30 -0400 Subject: [PATCH] Update upgrade-specific.mdx --- .../docs/upgrading/upgrade-specific.mdx | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 79b0285d63cf..47c40b5b1f46 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -19,6 +19,7 @@ upgrade flow. #### Service mesh compatibility ((#service-mesh-compatibility-1-15)) Upgrade to **Consul version 1.15.2 or later**. +If using [Vault Enterprise as CA](#vault-enterprise-as-ca-1-15), **avoid Consul version 1.15.6**. Consul versions 1.15.0 - 1.15.1 contain a race condition that can cause some service instances to lose their ability to communicate in the mesh after 
@@ -27,6 +28,15 @@ due to a problem with leaf certificate rotation. This bug is fixed in Consul versions 1.15.2 and newer. +#### Vault Enterprise as CA ((#vault-enterprise-as-ca-1-15)) +Using Vault as CA with Consul version 1.15.6 will fail to initialize the CA if [`namespace`](/consul/docs/connect/ca/vault#namespace) is set +but [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) +are empty. This is a bug which will be fixed in a future version. + +To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) and +[`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/connect/ca/vault#namespace). +Set your configuration by calling [set-config](/consul/commands/connect/ca#set-config) then use [get-config](/consul/commands/connect/ca#get-config) to check. + #### Removing configuration options The `connect.enable_serverless_plugin` configuration option was removed. Lambda integration is now enabled by default. @@ -134,7 +144,7 @@ In Consul v1.15 and higher: UpstreamConfig = { Overrides = [ { - Name = foo # Applies to local service `foo` + Name = foo # Applies to local service `foo` }, { Name = foo # Applies to `foo` imported from peered cluster `bar` 
@@ -168,6 +178,14 @@ to use TLS for contacting the HTTP API, it will also incorrectly enable TLS for Users should not upgrade to 1.14.0 if they are using plaintext gRPC connections in conjunction with TLS-encrypted HTTP APIs. +#### Vault Enterprise as CA ((#vault-enterprise-as-ca-1-14)) +Using Vault as CA with Consul version 1.14.10 will fail to initialize the CA if [`namespace`](/consul/docs/connect/ca/vault#namespace) is set +but [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) +are empty. This is a bug which will be fixed in a future version. + +To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) and +[`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/connect/ca/vault#namespace). +Set your configuration by calling [set-config](/consul/commands/connect/ca#set-config) then use [get-config](/consul/commands/connect/ca#get-config) to check. #### Changes to gRPC TLS configuration
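Review bot: in the first hunk (Service mesh compatibility), the added "avoid Consul version 1.15.6" sentence directly follows "Upgrade to **Consul version 1.15.2 or later**" and does not say what a Vault Enterprise user should run instead, so a reader for whom 1.15.6 is the "later" release gets conflicting advice. Suggest stating the alternative in the same sentence, for example that 1.15.6 is usable only with the workaround in the linked section. The link text says "Vault Enterprise as CA" while the section body it points to opens with "Using Vault as CA"; use one term in both places.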
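Review bot: in the new 1.15 "Vault Enterprise as CA" section (hunk `@@ -27,6 +28,15 @@`), the failure condition and the verification step are both underspecified. "`intermediate_pki_namespace` or `root_pki_namespace` are empty" leaves open whether one empty field is enough to break CA initialization, while the workaround requires setting both; if that is the intent, write "if either ... is empty". The closing sentence says to use get-config "to check" without saying what to look for; suggest spelling out the expected result, e.g. that both fields show the same value as `namespace`. "Will be fixed in a future version" would be more useful with a link to the tracking issue or PR.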
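Review bot: in the `UpstreamConfig` hunk (`@@ -134,7 +144,7 @@`), the removed and added "Name = foo # Applies to local service `foo`" lines differ only in whitespace, which is unrelated to the Vault CA guidance this patch adds. Drop this change or send it as a separate formatting patch so the diff stays limited to the upgrade notes.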
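Review bot: the 1.14 section (hunk `@@ -168,6 +178,14 @@`) defines the anchor `#vault-enterprise-as-ca-1-14`, but nothing in this patch links to it, whereas the 1.15 hunk adds an "avoid Consul version 1.15.6" pointer to its counterpart. Add a matching "avoid Consul version 1.14.10" pointer in the 1.14 upgrade guidance so affected users find the workaround. The body is a word-for-word copy of the 1.15 text with only the version changed, so the ambiguous "or ... are empty" condition and the unspecified get-config check need the same wording fix in both copies.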