From 59cec0a96ce4b862202809e22b7bb1d71b8a9e89 Mon Sep 17 00:00:00 2001 From: Yoko Hyakuna Date: Thu, 17 Nov 2022 10:09:41 -0800 Subject: [PATCH] Add known issue about PKI secrets engine with Consul (#18003) * Add known issue about PKI secrets engine with Consul * Added KB article URL * Update website/content/docs/secrets/pki/index.mdx Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> --- website/content/docs/release-notes/1.11.0.mdx | 12 +++++++++++- website/content/docs/secrets/pki/index.mdx | 8 ++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/website/content/docs/release-notes/1.11.0.mdx b/website/content/docs/release-notes/1.11.0.mdx index 3bbf03b18..821cf293e 100644 --- a/website/content/docs/release-notes/1.11.0.mdx +++ b/website/content/docs/release-notes/1.11.0.mdx 
@@ -104,7 +104,17 @@ Previously, KMIP did not support certain operations such as import, decrypt, enc ## Known issues -There are no known issues documented for this release. +If any version of Consul attempts to use Vault 1.11.0 or later as Consul’s Connect CA provider, the intermediate CA will become unable to issue the leaf certificates needed by: + +- Service mesh: Services in the mesh to communicate with mTLS +- All use cases: Consul client agents if using [auto-encrypt](/consul/docs/agent/config/config-files#auto_encrypt) or [auto-config](/consul/docs/agent/config/config-files#auto_config), and using [TLS to communicate with Consul server agents](/consul/docs/agent/config/config-files#tls-configuration-reference) + +You are using the Vault CA provider if either of the following configurations exists: + +- The Consul server agent configuration option [connect.ca_provider](/consul/docs/agent/config/config-files#connect_ca_provider) is set to “vault”, or +- The Consul on Kubernetes Helm Chart [global.secretsBackend.vault.connectCA](/consul/docs/k8s/helm#v-global-secretsbackend-vault-connectca) value is configured. + +-> **NOTE:** Refer to the [Knowledge Base article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for more information about the underlying cause and recommended workaround. ## Feature Deprecations and EOL diff --git a/website/content/docs/secrets/pki/index.mdx b/website/content/docs/secrets/pki/index.mdx index 0cd965b13..fca2a77e7 100644 --- a/website/content/docs/secrets/pki/index.mdx +++ b/website/content/docs/secrets/pki/index.mdx 
@@ -8,6 +8,14 @@ description: The PKI secrets engine for Vault generates TLS certificates. @include 'x509-sha1-deprecation.mdx' +!> **Vault 1.11.0+ incompatible as Consul CA provider:** Do not use [Vault +v1.11.0+](/vault/docs/release-notes/1.11.0#known-issues) as Consul’s Connect CA +provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh, +and by Consul client agents if using auto-encrypt or auto-config and using TLS for agent communication. +If you are already using Vault 1.11+ as a Connect CA, refer to this [Knowledge Base +article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for +more information about the underlying cause and recommended workaround. + The PKI secrets engine generates dynamic X.509 certificates. With this secrets engine, services can get certificates without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for
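Review bot: in the release-notes hunk (website/content/docs/release-notes/1.11.0.mdx), the detection bullet renders the option value with typographic quotes, `is set to “vault”`, which invites curly quotes being pasted into an HCL config; put the value in code formatting, e.g. the option [connect.ca_provider](...) is set to `vault`. The entry also gives no affected range beyond "Vault 1.11.0 or later" and no pointer to a fix, so a reader of a later release cannot tell whether it still applies; state the affected versions (and the fixed version once one exists) in the note itself rather than only in the external KB article, and say what happens to leaf certificates that were already issued before the upgrade (they remain valid until they expire, so the breakage surfaces at rotation), since that determines how urgent the workaround is for an operator.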
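Review bot: in the pki/index.mdx hunk, "the intermediate CA will become unable to issue the leaf nodes" should read "leaf certificates"; a CA issues certificates, not nodes, and the release note the callout links to already uses "leaf certificates", so the two should agree. The callout is also open-ended ("Vault v1.11.0+") with no upper bound or tracking reference; once the fix ships, this warning at the top of the PKI engine page will read as if every later release is unusable as a Consul CA, so name the affected range explicitly and leave a way to retire the callout when the fix lands.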