Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Envoy Bootstrap Config Support TLSv1_3 #21777

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Envoy Bootstrap Config Support TLSv1_3 #21777

wants to merge 3 commits into from

Conversation

Ranjandas
Copy link
Contributor

@Ranjandas Ranjandas commented Sep 20, 2024
edited
Loading

Description

When the Consul agent runs with tls_min_version set to TLSv1_3, the Envoy proxies talking to the agent fails with the TLSV1_ALERT_PROTOCOL_VERSION error.

DeltaAggregatedResources gRPC config stream to local_agent closed since 97s ago: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION

This PR updates the Envoy static local_agent cluster to use TLSv1_3 as the maximum protocol version.

Issue reported at: https://discuss.hashicorp.com/t/consul-tls-min-version-1-3-error/70100

Testing & Reproduction steps

  • Generate Consul CA and Certificates
$ consul tls ca create
$ consul tls cert create -server
  • Create Consul Configuration
$ cat <<EOF > consul.hcl
tls {
  defaults {
    ca_file   = "consul-agent-ca.pem"
    cert_file = "dc1-server-consul-0.pem"
    key_file  = "dc1-server-consul-0-key.pem"

    tls_min_version = "TLSv1_3"
  }
}

ports {
  grpc_tls = 8503
  https = 8501
  http = -1
}
EOF
  • Start a Consul agent
$ consul agent -dev -config-file consul.hcl
  • Set the Consul Environment Variables for the rest of the commands
export CONSUL_CACERT=./consul-agent-ca.pem
export CONSUL_HTTP_ADDR=https://127.0.0.1:8501
  • Start an Envoy proxy (we will launch a gateway to avoid service registrations)
$ consul connect envoy -gateway api -service api-gateway -register

This should work without throwing the reported error.

Alternatively, inspect the bootstrap config

$ consul connect envoy -gateway api -register -service api-gateway -bootstrap | jq '.static_resources.clusters[0].transport_socket.typed_config.common_tls_context.tls_params'
{
  "tls_maximum_protocol_version": "TLSv1_3"
}

Links

Fixes: #21767

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@Ranjandas
Envoy Bootstrap Config Support TLSv1_3
509afb7 
When Consul agent runs with `tls_min_version` set to TLSv1_3, the Envoy proxies talking to the agent
fails with `TLSV1_ALERT_PROTOCOL_VERSION` error.

This PR updates the Envoy static local_agent cluster to have TLS maximum protocol version to use to be TLSv1_3.

Originally reported at: https://discuss.hashicorp.com/t/consul-tls-min-version-1-3-error/70100
@github-actions github-actions bot added the theme/cli Flags and documentation for the CLI interface label Sep 20, 2024
@Ranjandas Ranjandas added backport/1.19 This release series is longer active on CE, use backport/ent/1.19 backport/1.20 Changes are backported to 1.20 backport/ent/1.18 Changes are backported to 1.18 ent labels Sep 20, 2024
@zalimeni zalimeni requested review from zalimeni and removed request for hashi-derek September 24, 2024 20:28
@zalimeni
Copy link
Member

Generally this LGTM, thanks @Ranjandas !

❓ is there a reason for only backporting this fix through 1.18 instead of all active CE + Ent versions (backport/all)? I think this setting is compatible w/ all the supported versions of Envoy through 1.15 LTS, so my thought was we'd backport all the way.

zalimeni
zalimeni approved these changes Sep 25, 2024
View reviewed changes
Copy link
Member

@zalimeni zalimeni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving CE change to unblock since code LGTM.

Pending decision on backports but I think we'll want backport/all for this PR.

Following merge of this PR, we'll want to update consul-dataplane as well for agentless using make copy-bootstrap-config in that repo.

@zalimeni zalimeni added backport/ent/1.19 Changes are backported to 1.19 ent and removed backport/1.19 This release series is longer active on CE, use backport/ent/1.19 labels Oct 17, 2024
@zalimeni
Copy link
Member

zalimeni commented Oct 17, 2024
edited
Loading

Updated labels post-1.20 for equivalence, just in case we don't want backport/all - but I suspect we do want backport/all still.

@Ranjandas FYI, patches are planned for end of next week, so if you want this in I'd make sure to merge soon.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zalimeni zalimeni zalimeni approved these changes

Assignees
No one assigned
Labels
backport/ent/1.18 Changes are backported to 1.18 ent backport/ent/1.19 Changes are backported to 1.19 ent backport/1.20 Changes are backported to 1.20 theme/cli Flags and documentation for the CLI interface
Projects
None yet
Milestone
No milestone
2 participants
@Ranjandas @zalimeni