update config defaults, add docs (#15302)
* update config defaults, add docs * update grpc tls port for non-default values * add changelog * Update website/content/docs/upgrading/upgrade-specific.mdx Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com> * Update website/content/docs/agent/config/config-files.mdx Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com> * update logic for setting grpc tls port value * move default config to default.go, update changelog * update docs * Fix config tests. * Fix linter error. * Fix ConnectCA tests. * Cleanup markdown on upgrade notes. Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com> Co-authored-by: Derek Menteer <derek.menteer@hashicorp.com>
This commit is contained in:
parent
69914f59f7
commit
b823d79fcf
@ -0,0 +1,7 @@
|
|||
```release-note:breaking-change
|
||||
config: update 1.14 config defaults: Enable `peering` and `connect` by default.
|
||||
```
|
||||
|
||||
```release-note:breaking-change
|
||||
config: update 1.14 config defaults: Set gRPC TLS port default value to 8503
|
||||
```
|
|
@ -436,6 +436,10 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
|
|||
serverPort := b.portVal("ports.server", c.Ports.Server)
|
||||
grpcPort := b.portVal("ports.grpc", c.Ports.GRPC)
|
||||
grpcTlsPort := b.portVal("ports.grpc_tls", c.Ports.GRPCTLS)
|
||||
// default gRPC TLS port for servers is 8503
|
||||
if c.Ports.GRPCTLS == nil && boolVal(c.ServerMode) {
|
||||
grpcTlsPort = 8503
|
||||
}
|
||||
serfPortLAN := b.portVal("ports.serf_lan", c.Ports.SerfLAN)
|
||||
serfPortWAN := b.portVal("ports.serf_wan", c.Ports.SerfWAN)
|
||||
proxyMinPort := b.portVal("ports.proxy_min_port", c.Ports.ProxyMinPort)
|
||||
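Review bot: The server default is a bare `8503` literal chosen after `portVal` has already run, and nothing in this hunk rejects the case where an operator explicitly set `ports.grpc = 8503` while leaving `grpc_tls` unset; the docs changed in this commit say the two ports may not be equal, but if such a check exists it is in the part of `build()` outside the hunk, so the outcome for that configuration (error, or two listeners on one port) cannot be confirmed here. Give the value a name and validate the collision where the default is chosen, e.g. `const defaultServerGRPCTLSPort = 8503` and, after the assignment, `if grpcTlsPort == grpcPort { return RuntimeConfig{}, fmt.Errorf("ports.grpc_tls defaults to %d on servers and conflicts with ports.grpc; set ports.grpc_tls explicitly", grpcTlsPort) }`. This default also opens a new listener on every server out of the box, so the comment on the `if` should state whether the listener is bound when no `tls.grpc` certificate material is configured, which is not visible here. `build()` starts and ends outside this hunk.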
|
@ -139,6 +139,14 @@ func DefaultSource() Source {
|
|||
xds {
|
||||
update_max_per_second = 250
|
||||
}
|
||||
|
||||
connect = {
|
||||
enabled = true
|
||||
}
|
||||
|
||||
peering = {
|
||||
enabled = true
|
||||
}
|
||||
`,
|
||||
}
|
||||
}
|
||||
|
@ -176,6 +184,11 @@ func DevSource() Source {
|
|||
connect = {
|
||||
enabled = true
|
||||
}
|
||||
|
||||
peering = {
|
||||
enabled = true
|
||||
}
|
||||
|
||||
performance = {
|
||||
raft_multiplier = 1
|
||||
}
|
||||
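Review bot: The new `connect` and `peering` blocks in `DefaultSource` are the lines that make every 1.14 agent bootstrap a Connect CA on first start (the test changes in this commit disable Connect explicitly "to prevent CA being bootstrapped") and accept inbound peering connections that were rejected before, yet they carry no comment explaining the change or how to opt out. A why-comment belongs next to them in the HCL, e.g. `# Consul 1.14 enables connect and peering by default (breaking change); set either to false on clusters that do not use service mesh or cluster peering.` Whether Connect on a client agent does anything beyond serving local endpoints, and what authentication an inbound peering must present, is not visible here, so keep the comment to what the defaults switch on. The `DevSource` hunk appears to add only `peering`, with `connect` already present as context, so `DefaultSource` is the block to annotate.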
|
@ -5,6 +5,7 @@ package config
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
|
@ -70,6 +71,8 @@ func TestLoad_IntegrationWithFlags_OSS(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
},
|
||||
}
|
||||
|
@ -9,6 +9,7 @@ import (
|
|||
"fmt"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"net/netip"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"reflect"
|
||||
|
@ -57,6 +58,8 @@ func (tc testCase) source(format string) []string {
|
|||
return tc.json
|
||||
}
|
||||
|
||||
var defaultGrpcTlsAddr = net.TCPAddrFromAddrPort(netip.MustParseAddrPort("127.0.0.1:8503"))
|
||||
|
||||
// TestConfigFlagsAndEdgecases tests the command line flags and
|
||||
// edgecases for the config parsing. It provides a test structure which
|
||||
// checks for warnings on deprecated fields and flags. These tests
|
||||
|
@ -184,6 +187,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
expectedWarnings: []string{"bootstrap = true: do not enable unless necessary"},
|
||||
})
|
||||
|
@ -202,6 +207,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
expectedWarnings: []string{"bootstrap_expect > 0: expecting 3 servers"},
|
||||
})
|
||||
|
@ -348,6 +355,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.GRPCPort = 8502
|
||||
rt.GRPCAddrs = []net.Addr{tcpAddr("127.0.0.1:8502")}
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -669,6 +678,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -853,6 +864,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -1893,6 +1906,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
expectedWarnings: []string{"BootstrapExpect is set to 1; this is the same as Bootstrap mode.", "bootstrap = true: do not enable unless necessary"},
|
||||
})
|
||||
|
@ -1911,6 +1926,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
expectedWarnings: []string{
|
||||
`bootstrap_expect = 2: A cluster with 2 servers will provide no failure tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`,
|
||||
|
@ -1932,6 +1949,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
expectedWarnings: []string{
|
||||
`bootstrap_expect is even number: A cluster with an even number of servers does not achieve optimum fault tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`,
|
||||
|
@ -3106,6 +3125,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -3138,6 +3159,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -3167,6 +3190,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -3193,6 +3218,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -3239,6 +3266,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.TLS.ServerMode = true
|
||||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
run(t, testCase{
|
||||
|
@ -3658,6 +3687,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
|
||||
|
@ -5082,6 +5113,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
|||
rt.SkipLeaveOnInt = true
|
||||
rt.TLS.InternalRPC.CertFile = "foo"
|
||||
rt.RPCConfig.EnableStreaming = true
|
||||
rt.GRPCTLSPort = 8503
|
||||
rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
|
||||
},
|
||||
})
|
||||
// UI Config tests
|
||||
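Review bot: None of the visible cases pins the negative side of the new default: a client-mode case asserting `GRPCTLSPort` is left untouched, a server with an explicit `ports.grpc_tls = -1`, and a server with `ports.grpc = 8503` and `grpc_tls` unset (which should error if equal ports are rejected, or is a latent double-bind if not); such cases may exist outside this chunk, and if not they are the ones worth adding. `defaultGrpcTlsAddr` also pulls in a new `net/netip` import to build an address the file already constructs elsewhere with its `tcpAddr("127.0.0.1:8502")` helper, and its name breaks the file's initialism convention (`GRPCTLSPort`, `GRPCTLSAddrs`); if `tcpAddr` is a plain helper usable at package init, `var defaultGRPCTLSAddr = tcpAddr("127.0.0.1:8503")` keeps both consistent. The pair `rt.GRPCTLSPort = 8503` / `rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}` is pasted into every server case in this hunk set; a one-line helper `expectDefaultGRPCTLS(rt *RuntimeConfig)` would make the next default change a single edit.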
|
@ -1615,7 +1615,10 @@ func TestAPI_AgentConnectCARoots_empty(t *testing.T) {
|
|||
t.Parallel()
|
||||
|
||||
c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) {
|
||||
c.Connect = nil // disable connect to prevent CA being bootstrapped
|
||||
// Explicitly disable Connect to prevent CA being bootstrapped
|
||||
c.Connect = map[string]interface{}{
|
||||
"enabled": false,
|
||||
}
|
||||
})
|
||||
defer s.Stop()
|
||||
|
||||
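Review bot: The flip from `c.Connect = nil` to an explicit `enabled: false` is needed because `nil` now inherits the new enabled default, but that same hazard applies to every other test that still passes `nil` or omits `Connect` and silently relied on Connect being off: those now bootstrap a CA and can change behaviour without failing. Worth a sweep of `TestServerConfig` users, and, since the identical block is repeated in `connect_ca_test.go`, a small helper in `testutil` such as `func DisableConnect(c *TestServerConfig) { c.Connect = map[string]interface{}{"enabled": false} }` so the intent is stated once. The comment should also say why the explicit map is required: `// Connect defaults to enabled since 1.14; nil no longer disables it.`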
|
@ -14,8 +14,10 @@ func TestAPI_ConnectCARoots_empty(t *testing.T) {
|
|||
t.Parallel()
|
||||
|
||||
c, s := makeClientWithConfig(t, nil, func(c *testutil.TestServerConfig) {
|
||||
// Don't bootstrap CA
|
||||
c.Connect = nil
|
||||
// Explicitly disable Connect to prevent CA being bootstrapped
|
||||
c.Connect = map[string]interface{}{
|
||||
"enabled": false,
|
||||
}
|
||||
})
|
||||
defer s.Stop()
|
||||
|
||||
|
@ -556,7 +556,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
|
||||
The following sub-keys are available:
|
||||
|
||||
- `enabled` ((#peering_enabled)) (Defaults to `false`) Controls whether cluster peering is enabled.
|
||||
- `enabled` ((#peering_enabled)) (Defaults to `true`) Controls whether cluster peering is enabled.
|
||||
When disabled, the UI won't show peering, all peering APIs will return
|
||||
an error, any peerings stored in Consul already will be ignored (but they will not be deleted),
|
||||
and all peering connections from other clusters will be rejected. This was added in Consul 1.13.0.
|
||||
|
@ -610,8 +610,8 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
in `-dev` mode. The `grpc` port currently supports either plaintext or TLS traffic for
|
||||
backwards-compatibility, but TLS support is deprecated and will be removed in a future
|
||||
release. Refer to `grpc_tls` for more information on configuring a TLS-enabled port.
|
||||
- `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. Default -1 (disabled).
|
||||
**We recommend using `8502` for `grpc_tls`** as your conventional gRPC port number, as it allows some
|
||||
- `grpc_tls` ((#grpc_tls_port)) - The gRPC API with TLS connections, -1 to disable. gRPC_TLS is enabled by default on port 8503 for Consul servers.
|
||||
**We recommend using `8503` for `grpc_tls`** as your conventional gRPC port number, as it allows some
|
||||
tools to work automatically. `grpc_tls` is always guaranteed to be encrypted. Both `grpc` and `grpc_tls`
|
||||
can be configured at the same time, but they may not utilize the same port number. If both `grpc` and
|
||||
`grpc_tls` are defined, then `grpc` will always be plaintext. This field was added in Consul 1.14.
|
||||
|
@ -1061,7 +1061,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
|
||||
The following sub-keys are available:
|
||||
|
||||
- `enabled` ((#connect_enabled)) (Defaults to `false`) Controls whether Connect features are
|
||||
- `enabled` ((#connect_enabled)) (Defaults to `true`) Controls whether Connect features are
|
||||
enabled on this agent. Should be enabled on all servers in the cluster
|
||||
in order for Connect to function properly.
|
||||
Will be set to `true` automatically if `auto_config.enabled` or `auto_encrypt.allow_tls` is `true`.
|
||||
|
@ -17,6 +17,12 @@ upgrade flow.
|
|||
## Consul 1.14.x
|
||||
|
||||
### Service Mesh Compatibility
|
||||
Prior to Consul 1.14, cluster peering or Consul connect were disabled by default.
|
||||
A breaking change was made in Consul 1.14 that:
|
||||
- [Cluster Peering is enabled by default.](/docs/connect/cluster-peering) To disable, set
|
||||
[`peering.enabled`](/docs/agent/config/config-files#peering_enabled) to `false`.
|
||||
- [Consul Connect is enabled by default.](/docs/connect) To disable, set
|
||||
[`connect.enabled`](/docs/agent/config/config-files#connect_enabled) to `false`.
|
||||
|
||||
##### Changes to gRPC TLS configuration
|
||||
|
||||
|
@ -30,7 +36,8 @@ Prior to Consul 1.14, it was possible to encrypt communication between Consul an
|
|||
Consul 1.14 introduces [`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port), a new configuration
|
||||
for encrypting communication over gRPC. The existing [`ports.grpc`](/docs/agent/config/config-
|
||||
files#grpc_port) configuration **will stop supporting encryption in a future release**. As of version 1.14,
|
||||
`ports.grpc_tls` is the recommended configuration to encrypt gRPC traffic.
|
||||
[`ports.grpc_tls`](/docs/agent/config/config-files#grpc_tls_port) is the recommended configuration to encrypt gRPC traffic.
|
||||
The default value for gRPC TLS port is 8503 for Consul servers. To disable the gRPC TLS port, use value -1.
|
||||
|
||||
For most environments, the Envoy communication to Consul is loop-back only and does not benefit from encryption.
|
||||
|
||||
|