From c547ff5c8d5fa291791cf82a91def32a43701677 Mon Sep 17 00:00:00 2001 From: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> Date: Thu, 30 Mar 2023 17:23:19 -0400 Subject: [PATCH] docs: raise awareness of GH-16779 (#16823) --- CHANGELOG.md | 4 ++++ .../docs/release-notes/consul/v1_15_x.mdx | 11 ++++++++++- .../content/docs/upgrading/upgrade-specific.mdx | 16 ++++++++++++++++ 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee7c6d4bb..b1a39cdd9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -68,6 +68,10 @@ BUG FIXES: ## 1.15.0 (February 23, 2023) +KNOWN ISSUES: + +* connect: An issue with leaf certificate rotation can cause some service instances to lose their ability to communicate in the mesh after 72 hours (LeafCertTTL). This issue is not consistently reproducible. We are working to address this issue in an upcoming patch release. To err on the side of caution, service mesh deployments should not upgrade to Consul v1.15 at this time. Refer to [[GH-16779](https://github.com/hashicorp/consul/issues/16779)] for the latest information. + BREAKING CHANGES: * acl errors: Delete and get requests now return descriptive errors when the specified resource cannot be found. Other ACL request errors provide more information about when a resource is missing. Add error for when the ACL system has not been bootstrapped. diff --git a/website/content/docs/release-notes/consul/v1_15_x.mdx b/website/content/docs/release-notes/consul/v1_15_x.mdx index dbd639246..5611caf33 100644 --- a/website/content/docs/release-notes/consul/v1_15_x.mdx +++ b/website/content/docs/release-notes/consul/v1_15_x.mdx 
@@ -66,7 +66,16 @@ For more detailed information, please refer to the [upgrade details page](/consu ## Known Issues -The following issues are known to exist in the v1.15.0 release: +The following issues are known to exist in the v1.15.x releases: + +- All current 1.15.x versions are under investigation for a not-consistently-reproducible + issue that can cause some service instances to lose their ability to communicate in the mesh after + [72 hours (LeafCertTTL)](/consul/docs/connect/ca/consul#leafcertttl) + due to a problem with leaf certificate rotation. + We will update this section with more information as our investigation continues, + including the target availability for a fix. + Refer to [GH-16779](https://github.com/hashicorp/consul/issues/16779) + for the latest information. - For v1.15.0, Consul is reporting newer releases of Envoy (for example, v1.25.1) as not supported, even though these versions are listed as valid in the [Envoy compatilibity matrix](/consul/docs/connect/proxies/envoy#envoy-and-consul-client-agent). The following error would result for newer versions of Envoy: diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 06997760e..936a4cec4 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx 
@@ -16,6 +16,22 @@ upgrade flow. ## Consul 1.15.x +#### Service mesh known issue + +To err on the side of caution, +service mesh deployments should not upgrade to Consul v1.15 at this time. + +We are currently investigating a not-consistently-reproducible issue that can cause +some service instances to lose their ability to communicate in the mesh after +[72 hours (LeafCertTTL)](/consul/docs/connect/ca/consul#leafcertttl) +due to a problem with leaf certificate rotation. +We will update this section with more information as our investigation continues, +including the target availability for a fix. + +If you are already operating Consul v1.15, refer to discussion of this issue on +[GH-16779](https://github.com/hashicorp/consul/issues/16779) +for potential workarounds and to share your observations. + #### Removing configuration options The `connect.enable_serverless_plugin` configuration option was removed. Lambda integration is now enabled by default.
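Review bot: In the CHANGELOG.md hunk, the KNOWN ISSUES entry is added only under `## 1.15.0 (February 23, 2023)`, while the release-notes hunk in this same patch widens the scope to "All current 1.15.x versions". If the changelog carries entries for later 1.15.x releases above this one, a reader checking only the newest entry will miss the warning. Consider repeating the entry, or a one-line pointer to it, under each affected 1.15.x heading.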
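Review bot: In the v1_15_x.mdx hunk, the new Known Issues bullet leaves out the guidance that the other two files give: "service mesh deployments should not upgrade to Consul v1.15 at this time", and, for clusters already on v1.15, the pointer to GH-16779 for potential workarounds. Release notes are a likely first stop before an upgrade, so the bullet should either carry that sentence or link to the "Service mesh known issue" section added in upgrade-specific.mdx, so that all three locations give the same instruction.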
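Review bot: In the upgrade-specific.mdx hunk, "after [72 hours (LeafCertTTL)]" reads as a fixed interval, but the link target is a configuration option, so operators who have set a different LeafCertTTL would see the failure window at a different point. Suggest wording along the lines of "after the leaf certificate TTL elapses (LeafCertTTL, 72 hours by default)", which tells operators which value to check in their own configuration. The same phrase appears in the CHANGELOG.md and v1_15_x.mdx hunks and would benefit from the same change.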