luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Backport of Add upgrade warnings into release/1.16.x (#19062) 

* backport of commit ebdb3f117e2f5634c68beeecb03bb6d63d971bf4

* backport of commit 86ff649f9d711ef7c5d4fe1df81206ebd0daacf3

---------

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
This commit is contained in:
hc-github-team-consul-core 2023-10-04 16:16:45 -04:00 committed by GitHub
parent d5da2485a4
commit fbfc7090a2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 29 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
website/content/docs/upgrading/upgrade-specific.mdx
View File

@ -16,11 +16,20 @@ upgrade flow.
## Consul 1.16.x
#### Known issues
### Known issues
Service mesh in Consul versions 1.16.0 and 1.16.1 may have issues when a snapshot restore is performed and the servers are hosting xDS streams.
When this bug triggers, it causes Envoy to incorrectly populate upstream endpoints. To prevent this issue, service mesh users who run agent-less workloads should upgrade Consul to v1.16.2 or later.
#### Vault Enterprise as CA ((#vault-enterprise-as-ca-1-16))
Using Vault as CA with Consul version 1.16.2 will fail to initialize the CA if [`namespace`](/consul/docs/connect/ca/vault#namespace) is set
but [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace)
are empty. This is a bug which will be fixed in a future version.
To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) and
[`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/connect/ca/vault#namespace).
Set your configuration by calling [set-config](/consul/commands/connect/ca#set-config) then use [get-config](/consul/commands/connect/ca#get-config) to check.
#### API health endpoints return different status code
Consul versions 1.16.0+ now return an error 403 "Permission denied" status
@ -39,9 +48,10 @@ This change removes the backward-compatibility behavior introduced in Consul 1.1
## Consul 1.15.x
#### Service mesh compatibility ((#service-mesh-compatibility-1-15))
### Service mesh compatibility ((#service-mesh-compatibility-1-15))
Upgrade to **Consul version 1.15.2 or later**.
If using [Vault Enterprise as CA](#vault-enterprise-as-ca-1-15), **avoid Consul version 1.15.6**.
Consul versions 1.15.0 - 1.15.1 contain a race condition that can cause
some service instances to lose their ability to communicate in the mesh after
@ -50,6 +60,15 @@ due to a problem with leaf certificate rotation.
This bug is fixed in Consul versions 1.15.2 and newer.
#### Vault Enterprise as CA ((#vault-enterprise-as-ca-1-15))
Using Vault as CA with Consul version 1.15.6 will fail to initialize the CA if [`namespace`](/consul/docs/connect/ca/vault#namespace) is set
but [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace)
are empty. This is a bug which will be fixed in a future version.
To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) and
[`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/connect/ca/vault#namespace).
Set your configuration by calling [set-config](/consul/commands/connect/ca#set-config) then use [get-config](/consul/commands/connect/ca#get-config) to check.
#### Removing configuration options
The `connect.enable_serverless_plugin` configuration option was removed. Lambda integration is now enabled by default.
@ -191,6 +210,14 @@ to use TLS for contacting the HTTP API, it will also incorrectly enable TLS for
Users should not upgrade to 1.14.0 if they are using plaintext gRPC connections in
conjunction with TLS-encrypted HTTP APIs.
#### Vault Enterprise as CA ((#vault-enterprise-as-ca-1-14))
Using Vault as CA with Consul version 1.14.10 will fail to initialize the CA if [`namespace`](/consul/docs/connect/ca/vault#namespace) is set
but [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) or [`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace)
are empty. This is a bug which will be fixed in a future version.
To work around this issue, users must explicitly set [`intermediate_pki_namespace`](/consul/docs/connect/ca/vault#intermediatepkinamespace) and
[`root_pki_namespace`](/consul/docs/connect/ca/vault#rootpkinamespace) to the same value as [`namespace`](/consul/docs/connect/ca/vault#namespace).
Set your configuration by calling [set-config](/consul/commands/connect/ca#set-config) then use [get-config](/consul/commands/connect/ca#get-config) to check.
#### Changes to gRPC TLS configuration