diff --git a/.changelog/15302.txt b/.changelog/15302.txt new file mode 100644 index 000000000..fad082601 --- /dev/null +++ b/.changelog/15302.txt @@ -0,0 +1,7 @@ +```release-note:breaking-change +config: update 1.14 config defaults: Enable `peering` and `connect` by default. +``` + +```release-note:breaking-change +config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 +``` \ No newline at end of file diff --git a/agent/config/builder.go b/agent/config/builder.go index 6ee7e8d9e..a7f9bcb5e 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -436,6 +436,10 @@ func (b *builder) build() (rt RuntimeConfig, err error) { serverPort := b.portVal("ports.server", c.Ports.Server) grpcPort := b.portVal("ports.grpc", c.Ports.GRPC) grpcTlsPort := b.portVal("ports.grpc_tls", c.Ports.GRPCTLS) + // default gRPC TLS port for servers is 8503 + if c.Ports.GRPCTLS == nil && boolVal(c.ServerMode) { + grpcTlsPort = 8503 + } serfPortLAN := b.portVal("ports.serf_lan", c.Ports.SerfLAN) serfPortWAN := b.portVal("ports.serf_wan", c.Ports.SerfWAN) proxyMinPort := b.portVal("ports.proxy_min_port", c.Ports.ProxyMinPort) diff --git a/agent/config/default.go b/agent/config/default.go index 62f39f6cc..e80a0d6c3 100644 --- a/agent/config/default.go +++ b/agent/config/default.go @@ -139,6 +139,14 @@ func DefaultSource() Source { xds { update_max_per_second = 250 } + + connect = { + enabled = true + } + + peering = { + enabled = true + } `, } } @@ -176,6 +184,11 @@ func DevSource() Source { connect = { enabled = true } + + peering = { + enabled = true + } + performance = { raft_multiplier = 1 } diff --git a/agent/config/runtime_oss_test.go b/agent/config/runtime_oss_test.go index f60a1c740..6274511bc 100644 --- a/agent/config/runtime_oss_test.go +++ b/agent/config/runtime_oss_test.go @@ -5,6 +5,7 @@ package config import ( "fmt" + "net" "os" "testing" @@ -70,6 +71,8 @@ func TestLoad_IntegrationWithFlags_OSS(t *testing.T) { rt.LeaveOnTerm = false rt.SkipLeaveOnInt = true rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, }, } diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 3228dea0e..bf40e774f 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -9,6 +9,7 @@ import ( "fmt" "io/ioutil" "net" + "net/netip" "os" "path/filepath" "reflect" @@ -57,6 +58,8 @@ func (tc testCase) source(format string) []string { return tc.json } +var defaultGrpcTlsAddr = net.TCPAddrFromAddrPort(netip.MustParseAddrPort("127.0.0.1:8503")) + // TestConfigFlagsAndEdgecases tests the command line flags and // edgecases for the config parsing. It provides a test structure which // checks for warnings on deprecated fields and flags. These tests @@ -184,6 +187,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.SkipLeaveOnInt = true rt.DataDir = dataDir rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, expectedWarnings: []string{"bootstrap = true: do not enable unless necessary"}, }) @@ -202,6 +207,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.SkipLeaveOnInt = true rt.DataDir = dataDir rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, expectedWarnings: []string{"bootstrap_expect > 0: expecting 3 servers"}, }) @@ -348,6 +355,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.GRPCPort = 8502 rt.GRPCAddrs = []net.Addr{tcpAddr("127.0.0.1:8502")} rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, }) run(t, testCase{ @@ -669,6 +678,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.LeaveOnTerm = false rt.SkipLeaveOnInt = true rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, }) run(t, testCase{ @@ -853,6 +864,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.SkipLeaveOnInt = true rt.DataDir = dataDir rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, }) run(t, testCase{ @@ -1893,6 +1906,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.SkipLeaveOnInt = true rt.DataDir = dataDir rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, expectedWarnings: []string{"BootstrapExpect is set to 1; this is the same as Bootstrap mode.", "bootstrap = true: do not enable unless necessary"}, }) @@ -1911,6 +1926,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.SkipLeaveOnInt = true rt.DataDir = dataDir rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, expectedWarnings: []string{ `bootstrap_expect = 2: A cluster with 2 servers will provide no failure tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`, @@ -1932,6 +1949,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.SkipLeaveOnInt = true rt.DataDir = dataDir rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, expectedWarnings: []string{ `bootstrap_expect is even number: A cluster with an even number of servers does not achieve optimum fault tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`, @@ -3106,6 +3125,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.LeaveOnTerm = false rt.SkipLeaveOnInt = true rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, }) run(t, testCase{ @@ -3138,6 +3159,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.LeaveOnTerm = false rt.SkipLeaveOnInt = true rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, }) run(t, testCase{ @@ -3167,6 +3190,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.LeaveOnTerm = false rt.SkipLeaveOnInt = true rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, }) run(t, testCase{ @@ -3193,6 +3218,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.LeaveOnTerm = false rt.SkipLeaveOnInt = true rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, }) run(t, testCase{ @@ -3239,6 +3266,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.TLS.ServerMode = true rt.LeaveOnTerm = false rt.SkipLeaveOnInt = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, }) run(t, testCase{ @@ -3658,6 +3687,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.LeaveOnTerm = false rt.SkipLeaveOnInt = true rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, }) @@ -5082,6 +5113,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.SkipLeaveOnInt = true rt.TLS.InternalRPC.CertFile = "foo" rt.RPCConfig.EnableStreaming = true + rt.GRPCTLSPort = 8503 + rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr} }, }) // UI Config tests diff --git a/api/agent_test.go b/api/agent_test.go index 0c1660b1e..5a58a5b8c 100644 --- a/api/agent_test.go +++ b/api/agent_test.go @@ -1615,7 +1615,10 @@ func TestAPI_AgentConnectCARoots_empty(t *testing.T) { t.Parallel() c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) { - c.Connect = nil // disable connect to prevent CA being bootstrapped + // Explicitly disable Connect to prevent CA being bootstrapped + c.Connect = map[string]interface{}{ + "enabled": false, + } }) defer s.Stop() diff --git a/api/connect_ca_test.go b/api/connect_ca_test.go index 64b0b2a05..8195a7456 100644 --- a/api/connect_ca_test.go +++ b/api/connect_ca_test.go @@ -14,8 +14,10 @@ func TestAPI_ConnectCARoots_empty(t *testing.T) { t.Parallel() c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) { - // Don't bootstrap CA - c.Connect = nil + // Explicitly disable Connect to prevent CA being bootstrapped + c.Connect = map[string]interface{}{ + "enabled": false, + } }) defer s.Stop() diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/agent/config/config-files.mdx index 68a98503e..ad5c1c6c8 100644 --- a/website/content/docs/agent/config/config-files.mdx +++ b/website/content/docs/agent/config/config-files.mdx @@ -556,7 +556,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'." The following sub-keys are available: - - `enabled` ((#peering_enabled)) (Defaults to `false`) Controls whether cluster peering is enabled. + - `enabled` ((#peering_enabled)) (Defaults to `true`) Controls whether cluster peering is enabled. When disabled, the UI won't show peering, all peering APIs will return an error, any peerings stored in Consul already will be ignored (but they will not be deleted), and all peering connections from other clusters will be rejected. This was added in Consul 1.13.0. @@ -610,8 +610,8 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'." in `-dev` mode. The `grpc` port currently supports either plaintext or TLS traffic for backwards-compatibility, but TLS support is deprecated and will be removed in a future release. Refer to `grpc_tls` for more information on configuring a TLS-enabled port. - - `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. Default -1 (disabled). - **We recommend using `8502` for `grpc_tls`** as your conventional gRPC port number, as it allows some + - `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. gRPC_TLS is enabled by default on port 8503 for Consul servers. + **We recommend using `8503` for `grpc_tls`** as your conventional gRPC port number, as it allows some tools to work automatically. `grpc_tls` is always guaranteed to be encrypted. Both `grpc` and `grpc_tls` can be configured at the same time, but they may not utilize the same port number. If both `grpc` and `grpc_tls` are defined, then `grpc` will always be plaintext. This field was added in Consul 1.14. @@ -1061,7 +1061,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'." The following sub-keys are available: - - `enabled` ((#connect_enabled)) (Defaults to `false`) Controls whether Connect features are + - `enabled` ((#connect_enabled)) (Defaults to `true`) Controls whether Connect features are enabled on this agent. Should be enabled on all servers in the cluster in order for Connect to function properly. Will be set to `true` automatically if `auto_config.enabled` or `auto_encrypt.allow_tls` is `true`. @@ -2212,10 +2212,10 @@ default will automatically work with some tooling. - `xds`: This object allows you to configure the behavior of Consul's [xDS protocol](https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol) -server. +server. - `update_max_per_second`: Specifies the number of proxy configuration updates across all connected xDS streams that are allowed per second. This configuration prevents updates to global resources, such as wildcard intentions, from consuming system resources at the expense of other processes, such as Raft and Gossip, which could cause general cluster instability. - The default value is `250`. It is based on a load test of 5,000 streams connected to a single server with two CPU cores. + The default value is `250`. It is based on a load test of 5,000 streams connected to a single server with two CPU cores. - If necessary, you can lower or increase the limit without a rolling restart by using the `consul reload` command or by sending the server a `SIGHUP`. + If necessary, you can lower or increase the limit without a rolling restart by using the `consul reload` command or by sending the server a `SIGHUP`. diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 57e773376..109600626 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -17,6 +17,12 @@ upgrade flow. ## Consul 1.14.x ### Service Mesh Compatibility +Prior to Consul 1.14, cluster peering or Consul connect were disabled by default. +A breaking change was made in Consul 1.14 that: +- [Cluster Peering is enabled by default.](/docs/connect/cluster-peering) To disable, set +[`peering.enabled`](/docs/agent/config/config-files#peering_enabled) to `false`. +- [Consul Connect is enabled by default.](/docs/connect) To disable, set +[`connect.enabled`](/docs/agent/config/config-files#connect_enabled) to `false`. ##### Changes to gRPC TLS configuration @@ -30,7 +36,8 @@ Prior to Consul 1.14, it was possible to encrypt communication between Consul an Consul 1.14 introduces [`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port), a new configuration for encrypting communication over gRPC. The existing [`ports.grpc`](/docs/agent/config/config- files#grpc_port) configuration **will stop supporting encryption in a future release**. As of version 1.14, -`ports.grpc_tls` is the recommended configuration to encrypt gRPC traffic. +[`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port) is the recommended configuration to encrypt gRPC traffic. +The default value for gRPC TLS port is 8503 for Consul servers. To disable the gRPC TLS port, use value -1. For most environments, the Envoy communication to Consul is loop-back only and does not benefit from encryption.