Add release notes 1.16 rc (#17665)
* Merge pull request #5773 from hashicorp/docs/rate-limiting-from-ip-addresses-1.16

updated docs for rate limiting for IP addresses - 1.16

* Merge pull request #5609 from hashicorp/docs/enterprise-utilization-reporting

Add docs for enterprise utilization reporting

* Merge pull request #5734 from hashicorp/docs/envoy-ext-1.16

Docs/envoy ext 1.16

* Add release notes for 1.16-rc

* Add consul-e license utilization reporting

* Update with rc absolute links

* Update with rc absolute links

* fix typo

* Apply suggestions from code review

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update to use callout component

* address typo

* docs: FIPS 140-2 Compliance (#17668)

* Page + nav + formatting

* link fix

* Update website/content/docs/enterprise/fips.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/enterprise/fips.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/enterprise/fips.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/enterprise/fips.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/enterprise/fips.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/enterprise/fips.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/enterprise/fips.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/enterprise/fips.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/enterprise/fips.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/enterprise/fips.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* link fix

* Apply suggestions from code review

Co-authored-by: Jeff Apple <79924108+Jeff-Apple@users.noreply.github.com>

* Update website/content/docs/enterprise/fips.mdx

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Jeff Apple <79924108+Jeff-Apple@users.noreply.github.com>

* fix apigw install values file

* fix typos in release notes

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Jeff Apple <79924108+Jeff-Apple@users.noreply.github.com>
4 people committed Jun 13, 2023
1 parent cb0c8ec commit f52d97a
Showing 5 changed files with 202 additions and 9 deletions.
2 changes: 1 addition & 1 deletion website/content/docs/agent/limits/index.mdx
Expand Up @@ -49,4 +49,4 @@ You can define request rate limits in the agent configuration and in the control

## Kubernetes

To define global rate limits, configure the `request_limits` settings in the Consul Helm chart. Refer to the [Helm chart reference](/consul/docs/k8s/helm) for additional information. Refer to the [control plane request limit configuration entry reference](/consul/docs/connect/config-entries/control-plane-request-limit) for information about applying a CRD for limiting traffic rates from source IPs.
To define global rate limits, configure the `request_limits` settings in the Consul Helm chart. Refer to the [Helm chart reference](/consul/docs/k8s/helm) for additional information. Refer to the [control plane request limit configuration entry reference](/consul/docs/connect/config-entries/control-plane-request-limit) for information about applying a CRD for limiting traffic rates from source IPs.
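
Review bot: The removed and added versions of the "To define global rate limits" paragraph read identically in this hunk, so the change looks like whitespace or an end-of-file newline only. If it is not intentional, drop it from this commit so the release-notes change stays focused; if it is, say so in the commit message.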
15 changes: 7 additions & 8 deletions website/content/docs/api-gateway/install.mdx
Expand Up @@ -13,14 +13,13 @@ The Consul API gateway ships with Consul and is automatically installed when you

<CodeBlockConfig filename="values.yaml">

```shell
cat <<EOF > values.yaml
global:
name: consul
connectInject:
enabled: true
EOF
```
```yaml
global:
name: consul
connectInject:
enabled: true
```
</CodeBlockConfig>
The Consul Helm chart deploys the API gateway using the configuration specified in the `values.yaml` file. Refer to [Helm Chart Configuration - `connectInject.apiGateway`](/consul/docs/k8s/helm#apigateway) for information about the Helm chart configuration options.
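
Review bot: At the end of the `values.yaml` block, the closing fence, `</CodeBlockConfig>` and the following "The Consul Helm chart deploys..." paragraph sit on consecutive lines with no blank line between them, while the opening `<CodeBlockConfig filename="values.yaml">` is followed by a blank line. Add a blank line before and after `</CodeBlockConfig>` so the MDX parser treats the paragraph as markdown rather than as part of the component. Replacing the `cat <<EOF` heredoc with a plain `yaml` block is the right call for a block that already carries a filename; also confirm the nested keys (`name`, `enabled`) keep their indentation in the source file.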
128 changes: 128 additions & 0 deletions website/content/docs/enterprise/fips.mdx
@@ -0,0 +1,128 @@
---
layout: docs
page_title: FIPS 140-2
description: >-
A version of Consul compliant with FIPS 140-2 is available to Enterprise users. Learn about where to find FIPS-compliant versions of Consul, as well as usage restrictions and technical details.
---

# FIPS 140-2

<EnterpriseAlert>

This feature requires requires Consul Enterprise.

</EnterpriseAlert>

Builds of Consul Enterprise marked with a `fips1402` feature name include built-in support for FIPS 140-2 compliance.

To use this feature, you must have an [active or trial license for Consul Enterprise](/consul/docs/enterprise/license/overview). To start a trial, contact HashiCorp sales.

## Using FIPS 140-2 Consul Enterprise

FIPS 140-2 builds of Consul Enterprise behave in the same way as non-FIPS builds. There are no restrictions on Consul algorithms and ensuring that Consul remains in a FIPS-compliant mode of operation is your responsibility. To maintain FIPS-compliant operation, you must [ensure that TLS is enabled](/consul/tutorials/security/tls-encryption-secure) so that communication is encrypted. Consul products surface some helpful warnings where settings are insecure.

Encryption is disabled in Consul Enterprise by default. As a result, Consul may transmit sensitive control plane information. You must ensure that gossip encryption and mTLS is enabled for all agents when running Consul with FIPS-compliant settings. In addition, be aware that TLSv1.3 does not work with FIPS 140-2, as HKDF is not a certified primitive.
HashiCorp is not a NIST-certified testing laboratory and can only provide general guidance about using Consul Enterprise in a FIPS-compliant manner. We recommend consulting an approved auditor for further information.

The FIPS 140-2 variant of Consul uses separate binaries that are available available from the following sources:

- From the [HashiCorp Releases page](https://releases.hashicorp.com/consul), releases ending with the `+ent.fips1402` suffix.
- From the [Docker Hub `hashicorp/consul-enterprise-fips`](https://hub.docker.com/r/hashicorp/consul-enterprise-fips) container repository.
- From the [AWS ECR `hashicorp/consul-enterprise-fips`](https://gallery.ecr.aws/hashicorp/consul-enterprise-fips) container repository.
- From the [Red Hat Access `hashicorp/consul-enterprise-fips`](https://catalog.redhat.com/software/containers/hashicorp/consul-enterprise-fips/628d50e37ff70c66a88517ea) container repository.

The above naming conventions, which append `.fips1402` to binary names and tags, and `-fips` to registry names, also apply to `consul-k8s`, `consul-k8s-control-plane`, `consul-dataplane`, and `consul-ecs`, which are packaged separately from Consul Enterprise.

### Usage restrictions

When using Consul Enterprise with FIPS 140-2, be aware of the following operation restrictions:

#### Migration restrictions

We do not support in-place migrations from non-FIPS builds of Consul to FIPS builds of Consul, regardless of version. A fresh cluster installation is required to support FIPS 140-2. You cannot upgrade directly to a FIPS-compliant build.

#### TLS restrictions
Consul Enterprise's FIPS modifications include restrictions to supported TLS cipher suites and key information. Only the following cipher suites are allowed:

- `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
- `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
- `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
- `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
- `TLS_RSA_WITH_AES_128_GCM_SHA256`
- `TLS_RSA_WITH_AES_256_GCM_SHA384`

In addition, only the following key types are allowed in TLS chains of trust:

- RSA 2048, 3072, and 4096-bit
- ECDSA P-256, P-384, and P-521

Finally, only TLSv1.2 is supported in FIPS mode. These settings are in line with recent NIST guidance and FIPS requirements.

#### Heterogeneous cluster deployments

We do not support mixed deployment scenarios within the same Consul cluster. An example of an unsupported deployment scenario is one that mixes FIPS and non-FIPS Consul binaries. Nodes across the entire cluster must use a single binary or deployment type.

Running a heterogeneous cluster is not permitted by FIPS, as components of the system are not compliant with FIPS. Attempts to join non-FIPS and FIPS nodes or servers may fail.

### Envoy

To enable users to deploy a FIPS compliant service mesh with Consul, HashiCorp provides FIPS compliant versions of Envoy available for download. Contact Hashicorp sales for more information.

## Deployment prerequisites

Depending on your Consul runtime, there are additional requirements for using FIPS 140-2.

### VMs

If using Consul on VMs, you must use a FIPS compliant version of Envoy. Contact HashiCorp sales to learn how to obtain a FIPS compliant version of Envoy.

### Consul-k8s and Helm

When deploying the FIPS builds of Consul on Kubernetes using `consul-k8s` or Helm, you must ensure that the Helm chart is updated to use FIPS builds of Consul Enterprise, Consul Dataplane, and Envoy images.

## Technical details

Consul's FIPS 140-2 Linux products use the BoringCrypto integration in the official Go 1.20+ toolchain, which include a FIPS-validated crypto module.

Consul's FIPS 140-2 products on Windows use the CNGCrypto integration in Microsoft's Go toolchain, which include a FIPS-validated crypto module.

To ensure your build of Consul Enterprise includes FIPS support, confirm that a line with `FIPS: Enabled` appears when you run a `version` command. For example, the following message appears for Linux users

```shell-session
FIPS: FIPS 140-2 Enabled, crypto module boringcrypto
```

The following message appears for Windows users:

```shell-session
FIPS: FIPS 140-2 Enabled, crypto module cngcrypto
```

FIPS 140-2 Linux binaries depend on cgo, which require that a GNU C Library (glibc) Linux distribution be used to run Consul. Refer to [instructions for Windows FIPS mode](https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md#windows-fips-mode-cng) for more information on running CNGCrypto-enabled Go binaries in FIPS mode.

The NIST Cryptographic Module Validation Program certifications and accompanying security policies for BoringCrypto and CNG are available through the following external links:

- [BoringCrypto](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407)
- [CNG](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4515)

### Validating FIPS crypto modules

To validate that a FIPS 140-2 Linux binary correctly includes BoringCrypto, run `go tool nm` on the binary to get a symbol dump. On FIPS-enabled builds, many results appear, as in the following example:

```shell-session
$ go tool nm consul | grep -i goboringcrypto
4014d0 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_cbc_encrypt
4014f0 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_ctr128_encrypt
401520 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_decrypt
401540 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_encrypt
401560 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_set_decrypt_key
```

Similarly, on a FIPS Windows binary, run `go tool nm` on the binary to get a symbol dump, and then search for `go-crypto-winnative`.

On both Linux and Windows non-FIPS builds, the search output yields no results.

### Compliance Validation

A Lab, authorized by the U.S. Government to certify FIPS 140-2 compliance, is in the process of verifying that Consul Enterprise and its related packages are compliant with the requirements of FIPS 140-2 Level 1.
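
Review bot: The first paragraph under "Using FIPS 140-2 Consul Enterprise" states "There are no restrictions on Consul algorithms", but the "TLS restrictions" section of the same page limits cipher suites, key types and the protocol version to TLSv1.2; reword the opening statement so it says which settings the FIPS build enforces and which remain the operator's responsibility (TLS, gossip encryption, mTLS). In "Technical details", readers are told to look for `FIPS: Enabled`, while the sample output is `FIPS: FIPS 140-2 Enabled, crypto module boringcrypto`, so a literal search for the documented string would not match; quote the real prefix. The download list uses the suffix `+ent.fips1402` while the next paragraph says `.fips1402` is appended; use one form. Smaller fixes: "requires requires", "available available", "gossip encryption and mTLS is enabled", "Hashicorp" in the Envoy section, the missing colon after "for Linux users", and the missing blank line before "HashiCorp is not a NIST-certified testing laboratory".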

58 changes: 58 additions & 0 deletions website/content/docs/release-notes/consul/v1_16_x.mdx
@@ -0,0 +1,58 @@
---
layout: docs
page_title: 1.16.x
description: >-
Consul release notes for version 1.16.x
---

# Consul 1.16.0

We are pleased to announce the following Consul updates.

## Release Highlights

- **Sameness groups:** Sameness groups are a user-defined set of partitions that Consul uses to identify services in different administrative partitions with the same name as being the same services. You can use sameness groups to create a blanket failover policy for deployments with cluster peering connections. Refer to the [Sameness groups overview](/consul/docs/v1.16.x/connect/cluster-peering/usage/create-sameness-groups) for more information.

<Note> Sameness groups is currently a “Beta” feature in Consul v1.16.0 and is an Enterprise feature. </Note>

- **Permissive mTLS:** You can enable the `permissive` mTLS mode to enable sidecar proxies to accept both mTLS and non-mTLS traffic. Using this mode enables you to onboard services without downtime and without reconfiguring or redeploying your application. Refer to the [Onboard services while in transparent proxy mode](/consul/docs/v1.16.x/k8s/connect/onboarding-tproxy-mode) for more information on how to use permissive mTLS to onboard services to Consul.

- **Transparent proxy enhancements for failover and virtual services:** We have made several internal improvements, such as ensuring that virtual IPs are always available, to reduce the friction associated with operating Consul in transparent proxy mode. Onboarding services, configuring failover redirects, and other operations require less administrative effort and ensure a smoother experience. Refer to the following documentation for additional information:

- [Onboard services while in transparent proxy mode](/consul/docs/v1.16.x/k8s/connect/onboarding-tproxy-mode)
- [Route traffic to virtual services](/consul/docs/v1.16.x/k8s/l7-traffic/route-to-virtual-services)
- [Configure failover services](/consul/docs/v1.16.x/k8s/l7-traffic/failover-tproxy).

- **Granular server-side rate limits:** You can now set limits per source IP address. The following steps describe the general process for setting global read and write rate limits:

1. Set arbitrary limits to begin understanding the upper boundary of RPC and gRPC loads in your network. Refer to [Initialize rate limit settings](/consul/docs/v1.16.x/agent/limits/usage/init-rate-limits) for additional information.
1. Monitor the metrics and logs and readjust the initial configurations as necessary. Refer to [Monitor rate limit data](/consul/docs/v1.16.x/agent/limits/usage/monitor-rate-limits)
1. Define your final operational limits based on your observations. If you are defining global rate limits, refer to [Set global traffic rate limits](/consul/docs/v1.16.x/agent/limits/usage/set-global-traffic-rate-limits) for additional information. For information about setting limits based on source IP, refer to [Limit traffic rates for a source IP](/consul/docs/v1.16.x/agent/limits/usage/limit-request-rates-from-ips).

- **Consul Envoy Extensions:** Consul Envoy extension system enables you to modify Consul-generated Envoy resources. Refer to [Envoy extension overview](/consul/docs/v1.16.x/connect/proxies/envoy-extensions) for more information on how to use these extensions for Consul service mesh.

- **Property Override:** The property override Envoy extension lets you set, remove, or modify individual properties for the Envoy resources Consul generates. Refer to the [Configure Envoy proxy properties](/consul/docs/v1.16.x/connect/proxies/envoy-extensions/usage/property-override) for more information on how to use this extension.

- **Wasm:** The Wasm Envoy extension lets you configure Wasm programs to be used as filters in the service's sidecar proxy. Refer to the [Run WebAssembly plug-ins in Envoy proxy](/consul/docs/v1.16.x/connect/proxies/envoy-extensions/usage/wasm) for more information on how to use this extension.

- **External Authorization:** The external authorization Envoy extension lets you delegate data plane authorization requests to external systems. Refer to the [Delegate authorization to an external service](/consul/docs/v1.16.x/connect/proxies/envoy-extensions/usage/ext-authz) for more information on how to use this extension.

- **Simplified API Gateway installation for Consul on Kubernetes:** API Gateway is now built into Consul. This enables a simplified installation and configuration process for Consul on Kubernetes. Refer to the [API Gateway installation](/consul/docs/v1.16.x/api-gateway/install) for more information on the simplified native installation method.

- **FIPS compliance:** Consul Enterprise now offers FIPS 140-2 compliant builds that meet the security needs of federal agencies protecting sensitive, unclassified information with approved cryptographic measures. These builds use certified cryptographic modules and restrict configuration settings to comply with FIPS 140-2 Level 1 requirements, enabling compliant Consul deployments. Refer to the [Consul Enterprise FIPS](/consul/docs/v1.16.x/enterprise/fips) for more information on FIPS compliance.

- **JWT Authorization with service intentions:** Consul can now authorize connections based on claims present in JSON Web Token (JWT). You can configure Consul to use one or more JWT providers, which lets you control access to services and specific HTTP paths based on the validity of JWT claims embedded in the service traffic. This ensures a uniform and low latency mechanism to validate and authorize communication based on JWT claims across all services in a diverse service-oriented architecture. Refer to the [Use JWT authorization with service intentions](/consul/docs/v1.16.x/connect/intentions/jwt-authorization) for more information.

- **Automated license utilization reporting:** Consul Enteprise now provides automated license utilization reporting, which sends minimal product-license metering data to HashiCorp. You can use these reports to understand how much more you can deploy under your current contract, which can help you protect against overutilization and budget for predicted consumption. Refer to the [Automated license utilization reporting documentation](/consul/docs/v1.16.x/enterprise/license/utilization-reporting) for more information.

## Upgrading

For more detailed information, please refer to the [upgrade details page](/consul/docs/upgrading/upgrade-specific) and the changelogs.

## Changelogs

The changelogs for this major release version and any maintenance versions are listed below.

<Note> These links take you to the changelogs on the GitHub website. </Note>

- [1.16.0-rc1](https://github.com/hashicorp/consul/releases/tag/v1.16.0-rc1)
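
Review bot: The "Permissive mTLS" highlight says sidecars accept both mTLS and non-mTLS traffic but does not say that this relaxes mTLS enforcement for the affected services; add a sentence that the mode is meant for onboarding and link to where returning to strict enforcement is documented. The "FIPS compliance" highlight says the builds "restrict configuration settings", which should be reconciled with the wording on the new FIPS page in this same commit. Smaller fixes: "Enteprise" in the license utilization item, the second rate-limit step ends at the link with no closing period unlike steps 1 and 3, the last transparent proxy link has a stray trailing period, and "Sameness groups is currently a “Beta” feature" reads better as "Sameness groups are in beta".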
8 changes: 8 additions & 0 deletions website/data/docs-nav-data.json
Expand Up @@ -145,6 +145,10 @@
{
"title": "Consul",
"routes": [
{
"title": "v1.16.x",
"path": "release-notes/consul/v1_16_x"
},
{
"title": "v1.15.x",
"path": "release-notes/consul/v1_15_x"
Expand Down Expand Up @@ -1632,6 +1636,10 @@
"title": "Enhanced Read Scalability",
"path": "enterprise/read-scale"
},
{
"title": "FIPS",
"path": "enterprise/fips"
},
{
"title": "Single sign-on - OIDC",
"href": "/docs/security/acl/auth-methods/oidc"