Update the notes about Consul Connect CA issue (#18444)

Yoko Hyakuna 2022-12-16 10:52:42 -08:00 committed by GitHub
parent 53e73ceba2
commit fc79152c48
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 17 deletions


@ -104,17 +104,9 @@ Previously, KMIP did not support certain operations such as import, decrypt, enc
## Known issues
If any version of Consul attempts to use Vault 1.11.0 or later as Consuls Connect CA provider, the intermediate CA will become unable to issue the leaf certificates needed by:
When you use Vault 1.11.0+ as a Consul's Connect CA, you may encounter an issue generating the leaf certificates ([GH-15525](https://github.com/hashicorp/consul/pull/15525)). Upgrade your [Consul version that includes the fix](https://support.hashicorp.com/hc/en-us/articles/11308460105491#01GMC24E6PPGXMRX8DMT4HZYTW) to avoid running into this problem.
- Service mesh: Services in the mesh to communicate with mTLS
- All use cases: Consul client agents if using [auto-encrypt](/consul/docs/agent/config/config-files#auto_encrypt) or [auto-config](/consul/docs/agent/config/config-files#auto_config), and using [TLS to communicate with Consul server agents](/consul/docs/agent/config/config-files#tls-configuration-reference)
You are using the Vault CA provider if either of the following configurations exists:
- The Consul server agent configuration option [connect.ca_provider](/consul/docs/agent/config/config-files#connect_ca_provider) is set to “vault”, or
- The Consul on Kubernetes Helm Chart [global.secretsBackend.vault.connectCA](/consul/docs/k8s/helm#v-global-secretsbackend-vault-connectca) value is configured.
-> **NOTE:** Refer to the [Knowledge Base article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for more information about the underlying cause and recommended workaround.
-> Refer to this [Knowledge Base article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for more details.
## Feature Deprecations and EOL
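Review bot: The replacement paragraph under "Known issues" drops the two checks that told a reader whether they are using the Vault CA provider (`connect.ca_provider` set to "vault", or the Helm value `global.secretsBackend.vault.connectCA`) as well as the list of affected use cases (service mesh mTLS, and client agents using auto-encrypt or auto-config), so the release notes no longer let an operator decide whether the issue applies to them without leaving the page. Consider keeping a shortened form of those bullets. The new sentence also does not name the Consul versions that carry the fix and relies on an anchor into the Knowledge Base article; naming the fixed versions inline would survive a change to that article. Two wording points in the same paragraph: "as a Consul's Connect CA" should read "as Consul's Connect CA", and "Upgrade your [Consul version that includes the fix]" reads better as "Upgrade to a [Consul version that includes the fix]".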


@ -8,13 +8,7 @@ description: The PKI secrets engine for Vault generates TLS certificates.
@include 'x509-sha1-deprecation.mdx'
!> **Vault 1.11.0+ incompatible as Consul CA provider:** Do not use [Vault
v1.11.0+](/vault/docs/release-notes/1.11.0#known-issues) as Consuls Connect CA
provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh,
and by Consul client agents if using auto-encrypt or auto-config and using TLS for agent communication.
If you are already using Vault 1.11+ as a Connect CA, refer to this [Knowledge Base
article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for
more information about the underlying cause and recommended workaround.
-> **Vault as Consul CA provider:** If you are using Vault 1.11.0+ as a Connect CA, run a Consul version which includese the fix for [GH-15525](https://github.com/hashicorp/consul/pull/15525). Refer to this [Knowledge Base article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for more details.
The PKI secrets engine generates dynamic X.509 certificates. With this secrets
engine, services can get certificates without going through the usual manual
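Review bot: The replacement admonition on the PKI page has a typo, "includese" should be "includes". It also changes the callout from `!>` to `->` and no longer says what goes wrong (the intermediate CA becoming unable to issue leaf certificates), while the condition still applies to anyone running Vault 1.11.0+ with a Consul version that lacks the GH-15525 fix. Suggest keeping one clause that states the consequence, or retaining the `!>` warning style, so the note still reads as an action item for operators on unfixed Consul versions. As in the release notes, stating the fixed Consul versions here would make the instruction "run a Consul version which includes the fix" checkable from this page alone.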