Add known issue about PKI secrets engine with Consul (#18003)

* Add known issue about PKI secrets engine with Consul

* Added KB article URL

* Update website/content/docs/secrets/pki/index.mdx

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
Yoko Hyakuna 2022-11-17 10:09:41 -08:00 committed by GitHub
parent 3775f69f3a
commit 59cec0a96c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 1 deletions


@ -104,7 +104,17 @@ Previously, KMIP did not support certain operations such as import, decrypt, enc
## Known issues
There are no known issues documented for this release.
If any version of Consul attempts to use Vault 1.11.0 or later as Consuls Connect CA provider, the intermediate CA will become unable to issue the leaf certificates needed by:
- Service mesh: Services in the mesh to communicate with mTLS
- All use cases: Consul client agents if using [auto-encrypt](/consul/docs/agent/config/config-files#auto_encrypt) or [auto-config](/consul/docs/agent/config/config-files#auto_config), and using [TLS to communicate with Consul server agents](/consul/docs/agent/config/config-files#tls-configuration-reference)
You are using the Vault CA provider if either of the following configurations exists:
- The Consul server agent configuration option [connect.ca_provider](/consul/docs/agent/config/config-files#connect_ca_provider) is set to “vault”, or
- The Consul on Kubernetes Helm Chart [global.secretsBackend.vault.connectCA](/consul/docs/k8s/helm#v-global-secretsbackend-vault-connectca) value is configured.
-> **NOTE:** Refer to the [Knowledge Base article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for more information about the underlying cause and recommended workaround.
## Feature Deprecations and EOL
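Review bot: the known-issue paragraph added here gives an open-ended affected range ("Vault 1.11.0 or later") and no trigger for when the intermediate CA "will become unable" to issue leaf certificates, so a reader cannot tell whether a freshly configured 1.11+ Vault CA breaks immediately, only after a rotation or renewal, or only once a fixed release is available; suggest stating the affected versions as a bounded range and the triggering condition explicitly (the linked KB article is cited for the cause, but the release note itself should carry enough to decide whether one is affected). Minor: "Consuls Connect CA provider" should read "Consul's Connect CA provider", and the curly quotes around “vault” should be plain quotes or backticks so the value matches what is actually typed for `connect.ca_provider`.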


@ -8,6 +8,14 @@ description: The PKI secrets engine for Vault generates TLS certificates.
@include 'x509-sha1-deprecation.mdx'
!> **Vault 1.11.0+ incompatible as Consul CA provider:** Do not use [Vault
v1.11.0+](/vault/docs/release-notes/1.11.0#known-issues) as Consuls Connect CA
provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh,
and by Consul client agents if using auto-encrypt or auto-config and using TLS for agent communication.
If you are already using Vault 1.11+ as a Connect CA, refer to this [Knowledge Base
article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for
more information about the underlying cause and recommended workaround.
The PKI secrets engine generates dynamic X.509 certificates. With this secrets
engine, services can get certificates without going through the usual manual
process of generating a private key and CSR, submitting to a CA, and waiting for
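Review bot: "the intermediate CA will become unable to issue the leaf nodes required by service mesh" uses the wrong term; the PKI secrets engine issues certificates, and the release-note text added in the same commit says "leaf certificates", so the callout should read "unable to issue the leaf certificates required by service mesh, and by Consul client agents ...". Also "Consuls Connect CA provider" should be "Consul's Connect CA provider". Because this docs page is not tied to a release, "Vault v1.11.0+" will need an upper bound (or removal of the callout) once a fixed version ships, so consider wording the warning as a bounded version range from the start.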