update config defaults, add docs (#15302)

* update config defaults, add docs

* update grpc tls port for non-default values

* add changelog

* Update website/content/docs/upgrading/upgrade-specific.mdx

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>

* Update website/content/docs/agent/config/config-files.mdx

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>

* update logic for setting grpc tls port value

* move default config to default.go, update changelog

* update docs

* Fix config tests.

* Fix linter error.

* Fix ConnectCA tests.

* Cleanup markdown on upgrade notes.

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
Co-authored-by: Derek Menteer <derek.menteer@hashicorp.com>

.changelog/15302.txt

@@ -0,0 +1,7 @@
+```release-note:breaking-change
+config: update 1.14 config defaults: Enable `peering` and `connect` by default.
+```
+
+```release-note:breaking-change
+config: update 1.14 config defaults: Set gRPC TLS port default value to 8503
+```

agent/config/builder.go

@@ -436,6 +436,10 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 	serverPort := b.portVal("ports.server", c.Ports.Server)
 	grpcPort := b.portVal("ports.grpc", c.Ports.GRPC)
 	grpcTlsPort := b.portVal("ports.grpc_tls", c.Ports.GRPCTLS)
+	// default gRPC TLS port for servers is 8503
+	if c.Ports.GRPCTLS == nil && boolVal(c.ServerMode) {
+		grpcTlsPort = 8503
+	}
 	serfPortLAN := b.portVal("ports.serf_lan", c.Ports.SerfLAN)
 	serfPortWAN := b.portVal("ports.serf_wan", c.Ports.SerfWAN)
 	proxyMinPort := b.portVal("ports.proxy_min_port", c.Ports.ProxyMinPort)

agent/config/default.go

@@ -139,6 +139,14 @@ func DefaultSource() Source {
 		xds {
 			update_max_per_second = 250
 		}
+
+		connect = {
+			enabled = true
+		}
+
+		peering = {
+			enabled = true
+		}
 	`,
 	}
 }
@@ -176,6 +184,11 @@ func DevSource() Source {
 		connect = {
 			enabled = true
 		}
+
+		peering = {
+			enabled = true
+		}
+
 		performance = {
 			raft_multiplier = 1
 		}

agent/config/runtime_oss_test.go

@@ -5,6 +5,7 @@ package config
 
 import (
 	"fmt"
+	"net"
 	"os"
 	"testing"
 
@@ -70,6 +71,8 @@ func TestLoad_IntegrationWithFlags_OSS(t *testing.T) {
 				rt.LeaveOnTerm = false
 				rt.SkipLeaveOnInt = true
 				rt.RPCConfig.EnableStreaming = true
+				rt.GRPCTLSPort = 8503
+				rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 			},
 		},
 	}

agent/config/runtime_test.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -57,6 +58,8 @@ func (tc testCase) source(format string) []string {
 	return tc.json
 }
 
+var defaultGrpcTlsAddr = net.TCPAddrFromAddrPort(netip.MustParseAddrPort("127.0.0.1:8503"))
+
 // TestConfigFlagsAndEdgecases tests the command line flags and
 // edgecases for the config parsing. It provides a test structure which
 // checks for warnings on deprecated fields and flags.  These tests
@@ -184,6 +187,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.SkipLeaveOnInt = true
 			rt.DataDir = dataDir
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 		expectedWarnings: []string{"bootstrap = true: do not enable unless necessary"},
 	})
@@ -202,6 +207,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.SkipLeaveOnInt = true
 			rt.DataDir = dataDir
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 		expectedWarnings: []string{"bootstrap_expect > 0: expecting 3 servers"},
 	})
@@ -348,6 +355,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.GRPCPort = 8502
 			rt.GRPCAddrs = []net.Addr{tcpAddr("127.0.0.1:8502")}
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 	})
 	run(t, testCase{
@@ -669,6 +678,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.LeaveOnTerm = false
 			rt.SkipLeaveOnInt = true
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 	})
 	run(t, testCase{
@@ -853,6 +864,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.SkipLeaveOnInt = true
 			rt.DataDir = dataDir
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 	})
 	run(t, testCase{
@@ -1893,6 +1906,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.SkipLeaveOnInt = true
 			rt.DataDir = dataDir
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 		expectedWarnings: []string{"BootstrapExpect is set to 1; this is the same as Bootstrap mode.", "bootstrap = true: do not enable unless necessary"},
 	})
@@ -1911,6 +1926,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.SkipLeaveOnInt = true
 			rt.DataDir = dataDir
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 		expectedWarnings: []string{
 			`bootstrap_expect = 2: A cluster with 2 servers will provide no failure tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`,
@@ -1932,6 +1949,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.SkipLeaveOnInt = true
 			rt.DataDir = dataDir
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 		expectedWarnings: []string{
 			`bootstrap_expect is even number: A cluster with an even number of servers does not achieve optimum fault tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`,
@@ -3106,6 +3125,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.LeaveOnTerm = false
 			rt.SkipLeaveOnInt = true
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 	})
 	run(t, testCase{
@@ -3138,6 +3159,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.LeaveOnTerm = false
 			rt.SkipLeaveOnInt = true
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 	})
 	run(t, testCase{
@@ -3167,6 +3190,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.LeaveOnTerm = false
 			rt.SkipLeaveOnInt = true
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 	})
 	run(t, testCase{
@@ -3193,6 +3218,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.LeaveOnTerm = false
 			rt.SkipLeaveOnInt = true
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 	})
 	run(t, testCase{
@@ -3239,6 +3266,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.TLS.ServerMode = true
 			rt.LeaveOnTerm = false
 			rt.SkipLeaveOnInt = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 	})
 	run(t, testCase{
@@ -3658,6 +3687,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.LeaveOnTerm = false
 			rt.SkipLeaveOnInt = true
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 	})
 
@@ -5082,6 +5113,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.SkipLeaveOnInt = true
 			rt.TLS.InternalRPC.CertFile = "foo"
 			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
 		},
 	})
 	// UI Config tests

api/agent_test.go

@@ -1615,7 +1615,10 @@ func TestAPI_AgentConnectCARoots_empty(t *testing.T) {
 	t.Parallel()
 
 	c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) {
-		c.Connect = nil // disable connect to prevent CA being bootstrapped
+		// Explicitly disable Connect to prevent CA being bootstrapped
+		c.Connect = map[string]interface{}{
+			"enabled": false,
+		}
 	})
 	defer s.Stop()
 

api/connect_ca_test.go

@@ -14,8 +14,10 @@ func TestAPI_ConnectCARoots_empty(t *testing.T) {
 	t.Parallel()
 
 	c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) {
-		// Don't bootstrap CA
+		// Explicitly disable Connect to prevent CA being bootstrapped
-		c.Connect = nil
+		c.Connect = map[string]interface{}{
+			"enabled": false,
+		}
 	})
 	defer s.Stop()
 

website/content/docs/agent/config/config-files.mdx

@@ -556,7 +556,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
 
   The following sub-keys are available:
 
-  - `enabled` ((#peering_enabled)) (Defaults to `false`) Controls whether cluster peering is enabled.
+  - `enabled` ((#peering_enabled)) (Defaults to `true`) Controls whether cluster peering is enabled.
     When disabled, the UI won't show peering, all peering APIs will return
     an error, any peerings stored in Consul already will be ignored (but they will not be deleted),
     and all peering connections from other clusters will be rejected. This was added in Consul 1.13.0.
@@ -610,8 +610,8 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
     in `-dev` mode. The `grpc` port currently supports either plaintext or TLS traffic for
     backwards-compatibility, but TLS support is deprecated and will be removed in a future
     release. Refer to `grpc_tls` for more information on configuring a TLS-enabled port.
-  - `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. Default -1 (disabled).
+  - `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. gRPC_TLS is enabled by default on port 8503 for Consul servers.
-    **We recommend using `8502` for `grpc_tls`** as your conventional gRPC port number, as it allows some
+    **We recommend using `8503` for `grpc_tls`** as your conventional gRPC port number, as it allows some
     tools to work automatically. `grpc_tls` is always guaranteed to be encrypted. Both `grpc` and `grpc_tls`
     can be configured at the same time, but they may not utilize the same port number. If both `grpc` and
     `grpc_tls` are defined, then `grpc` will always be plaintext. This field was added in Consul 1.14.
@@ -1061,7 +1061,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
 
   The following sub-keys are available:
 
-  - `enabled` ((#connect_enabled)) (Defaults to `false`) Controls whether Connect features are
+  - `enabled` ((#connect_enabled)) (Defaults to `true`) Controls whether Connect features are
     enabled on this agent. Should be enabled on all servers in the cluster
     in order for Connect to function properly.
     Will be set to `true` automatically if `auto_config.enabled` or `auto_encrypt.allow_tls` is `true`.

website/content/docs/upgrading/upgrade-specific.mdx

@@ -17,6 +17,12 @@ upgrade flow.
 ## Consul 1.14.x
 
 ### Service Mesh Compatibility
+Prior to Consul 1.14, cluster peering or Consul connect were disabled by default.
+A breaking change was made in Consul 1.14 that:
+- [Cluster Peering is enabled by default.](/docs/connect/cluster-peering) To disable, set
+[`peering.enabled`](/docs/agent/config/config-files#peering_enabled) to `false`.
+- [Consul Connect is enabled by default.](/docs/connect) To disable, set
+[`connect.enabled`](/docs/agent/config/config-files#connect_enabled) to `false`.
 
 ##### Changes to gRPC TLS configuration
 
@@ -30,7 +36,8 @@ Prior to Consul 1.14, it was possible to encrypt communication between Consul an
 Consul 1.14 introduces [`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port), a new configuration
 for encrypting communication over gRPC. The existing [`ports.grpc`](/docs/agent/config/config-
 files#grpc_port) configuration **will stop supporting encryption in a future release**. As of version 1.14,
-`ports.grpc_tls` is the recommended configuration to encrypt gRPC traffic.
+[`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port) is the recommended configuration to encrypt gRPC traffic.
+The default value for gRPC TLS port is 8503 for Consul servers. To disable the gRPC TLS port, use value -1.
 
 For most environments, the Envoy communication to Consul is loop-back only and does not benefit from encryption.