CE-654 - TLS Encryption docs + CE-713 - Gossip Encryption key rotation #21509
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
boruszak
reviewed
Sep 11, 2024
Comment on lines
25
to
26
| The Consul agent supports encryption for all of its network traffic. There are two separate encryption systems, one for gossip | ||
| traffic and one for HTTP + RPC. The [Encryption](/consul/docs/security/encryption) section describes the logic behind these two different encryption systems and provides configuration guidance for them. |
There was a problem hiding this comment.
Suggested change
| The Consul agent supports encryption for all of its network traffic. There are two separate encryption systems, one for gossip | |
| traffic and one for HTTP + RPC. The [Encryption](/consul/docs/security/encryption) section describes the logic behind these two different encryption systems and provides configuration guidance for them. | |
| The Consul agent supports encryption for all of its network traffic. There are two separate encryption systems: | |
| - A gossip encryption system | |
| - An mTLS encryption system for HTTP and RPC | |
| For more information about these two different encryption systems, as well as configuration guidance, refer to [Consul encryption](/consul/docs/security/encryption). |
I think the unordered list is appropriate here to help emphasize the two encryption systems.
| Consul supports encrypting all of its network traffic. Remote Procedure Calls (RPCs) between client and server agents can be encrypted with TLS and authenticated with certificates. Gossip communication between all agents can also be encrypted. | ||
| --- | ||
|
|
||
| # Encryption |
There was a problem hiding this comment.
Match page title after responding to suggestion.
Comment on lines
10
to
14
| This topic describes the two different encryption systems available in Consul to secure network traffic, Gossip encryption and mTLS. | ||
|
|
||
| [Consul security model](/consul/docs/security/security-models/core) defines the guidelines for operating a secure Consul deployment. Its recommendations are applicable only if all parts of the system are running with a secure configuration. | ||
|
|
||
| [Gossip Encryption](/consul/docs/security/encryption#gossip-encryption) and [Mutual TLS Encryption](/consul/docs/security/encryption#mutual-tls-mtls-encryption) are the foundations for a secure Consul datacenter. |
There was a problem hiding this comment.
Suggested change
| This topic describes the two different encryption systems available in Consul to secure network traffic, Gossip encryption and mTLS. | |
| [Consul security model](/consul/docs/security/security-models/core) defines the guidelines for operating a secure Consul deployment. Its recommendations are applicable only if all parts of the system are running with a secure configuration. | |
| [Gossip Encryption](/consul/docs/security/encryption#gossip-encryption) and [Mutual TLS Encryption](/consul/docs/security/encryption#mutual-tls-mtls-encryption) are the foundations for a secure Consul datacenter. | |
| This topic provides an overview of the two distinct encryption systems available in Consul. [Gossip encryption](/consul/docs/security/encryption#gossip-encryption) and [Mutual TLS encryption](/consul/docs/security/encryption#mutual-tls-mtls-encryption) are the foundations of a secure Consul datacenter. | |
| The guidelines in the [Consul security model](/consul/docs/security/security-models/core) for operating a secure Consul deployment recommends using both encryption systems. |
Re-orders sentences to avoid the jump back and forth between the security model and the encryption systems
|
|
||
| ## Gossip Encryption | ||
|
|
||
| Consul uses a [gossip protocol](https://en.wikipedia.org/wiki/Gossip_protocol) to manage membership and broadcast messages to the cluster. |
There was a problem hiding this comment.
Suggested change
| Consul uses a [gossip protocol](https://en.wikipedia.org/wiki/Gossip_protocol) to manage membership and broadcast messages to the cluster. | |
| Consul uses a [gossip protocol](/consul/docs/architecture/gossip) to perform the following cluster operations: |
|
|
||
| ### Promote the new key to primary | ||
|
|
||
| Once all agents have received the key and are able to use it as the primary encryption key, it is possible to promote the new key to primary. |
There was a problem hiding this comment.
Suggested change
| Once all agents have received the key and are able to use it as the primary encryption key, it is possible to promote the new key to primary. | |
| After all agents recognize the key, it is possible to promote it to be the new primary encryption key. |
|
|
||
| ### Remove the old key from the keyring | ||
|
|
||
| To avoid unused keys remaining in the keyring, we recommended you remove the old primary from the keyring once a new key is installed. |
There was a problem hiding this comment.
Suggested change
| To avoid unused keys remaining in the keyring, we recommended you remove the old primary from the keyring once a new key is installed. | |
| Unused keys in the keyring are a potential security risk to your Consul cluster. We recommended that you remove the former primary key from the keyring after a new key is installed. |
Comment on lines
+280
to
+281
| Documentation for the commands used in this topic is available at [Consul agent configuration - Encryption Parameters](/consul/docs/agent/config/config-files#encryption-parameters). You can find more information over the gossip protocol used by Consul at [Gossip Protocol](/consul/docs/architecture/gossip). | ||
|
|
There was a problem hiding this comment.
Suggested change
| Documentation for the commands used in this topic is available at [Consul agent configuration - Encryption Parameters](/consul/docs/agent/config/config-files#encryption-parameters). You can find more information over the gossip protocol used by Consul at [Gossip Protocol](/consul/docs/architecture/gossip). |
Not really "next steps" - I suggest removing this sentence.
There was a problem hiding this comment.
I see your point but I think is always useful to have a place where some links to the documentation/reference for the commands shown is located.
|
|
||
| Documentation for the commands used in this topic is available at [Consul agent configuration - Encryption Parameters](/consul/docs/agent/config/config-files#encryption-parameters). You can find more information over the gossip protocol used by Consul at [Gossip Protocol](/consul/docs/architecture/gossip). | ||
|
|
||
| After enabling gossip encryption, to continue securing your Consul datacenter, enable mutual TLS encryption. Read more on [Mutual TLS (mTLS) Encryption](/consul/docs/security/encryption/mtls). |
There was a problem hiding this comment.
Suggested change
| After enabling gossip encryption, to continue securing your Consul datacenter, enable mutual TLS encryption. Read more on [Mutual TLS (mTLS) Encryption](/consul/docs/security/encryption/mtls). | |
| After you enable gossip encryption, you can continue to process to secure your Consul datacenter by enabling mutual TLS encryption. For more information, refer to [Mutual TLS (mTLS) Encryption](/consul/docs/security/encryption/mtls). |
|
|
||
| After enabling gossip encryption, to continue securing your Consul datacenter, enable mutual TLS encryption. Read more on [Mutual TLS (mTLS) Encryption](/consul/docs/security/encryption/mtls). | ||
|
|
||
| To learn how to automate gossip key rotation using HashiCorp Vault and consul-template, refer to the [Automatically Rotate Gossip Encryption Keys Secured in Vault](/consul/tutorials/operate-consul/vault-kv-consul-secure-gossip) tutorial. |
There was a problem hiding this comment.
Suggested change
| To learn how to automate gossip key rotation using HashiCorp Vault and consul-template, refer to the [Automatically Rotate Gossip Encryption Keys Secured in Vault](/consul/tutorials/operate-consul/vault-kv-consul-secure-gossip) tutorial. | |
| To learn how to automate gossip key rotation using HashiCorp Vault and consul-template, refer to the [Automatically Rotate Gossip Encryption Keys Secured in Vault tutorial](/consul/tutorials/operate-consul/vault-kv-consul-secure-gossip). |
boruszak
reviewed
Sep 12, 2024
| layout: docs | ||
| page_title: mTLS Encryption | ||
| description: >- | ||
| Consul supports encrypting all of its network traffic. Remote Process Calls (RPCs) between client and server agents can be encrypted with TLS and authenticated with certificates. |
There was a problem hiding this comment.
Suggested change
| Consul supports encrypting all of its network traffic. Remote Process Calls (RPCs) between client and server agents can be encrypted with TLS and authenticated with certificates. | |
| Consul supports encrypting all of its network traffic. Learn how to encrypt and authenticate Remote Process Calls (RPCs) between client and server agents with TLS certificates. |
Comment on lines
10
to
12
| This topics describes how to enable Mutual TLS (mTLS) encryption on a Consul datacenter. | ||
|
|
||
| The content in this page is not referred to Consul service mesh mTLS encryption. For documentation about Consul service mesh Certification authority refer to [Service Mesh Certificate Authority](/consul/docs/connect/ca) documentation. |
There was a problem hiding this comment.
Suggested change
| This topics describes how to enable Mutual TLS (mTLS) encryption on a Consul datacenter. | |
| The content in this page is not referred to Consul service mesh mTLS encryption. For documentation about Consul service mesh Certification authority refer to [Service Mesh Certificate Authority](/consul/docs/connect/ca) documentation. | |
| This topic describes mutual TLS (mTLS) encryption between agents in a Consul datacenter. | |
| This mTLS encryption is distinct from Consul service mesh mTLS encryption. To learn about encrypted mTLS communication between services, refer to [service mesh certificate authority](/consul/docs/connect/ca). |
|
|
||
| ## Benefits of TLS encryption | ||
|
|
||
| Consul supports the use of TLS certificates to secure the traffic related to the `RCP`, `gRPC`, and `HTTP` communications and to verify the authenticity of servers and clients. |
There was a problem hiding this comment.
Suggested change
| Consul supports the use of TLS certificates to secure the traffic related to the `RCP`, `gRPC`, and `HTTP` communications and to verify the authenticity of servers and clients. | |
| Consul supports TLS certificates that verify the authenticity of servers and clients to secure `RCP`, `gRPC`, and `HTTP` traffic. |
Simplifying sentence
|
|
||
| ### Interact with Consul without a client certificate | ||
|
|
||
| If you want to avoid the need to present a valid client certificate every time you need to interact with Consul API, CLI, or UI, it is possible to configure Consul to trust all incoming HTTPs connections. Setting `tls.https.verify_incoming` to `false` removes the need to present a client certificate. RCP communications are still mTLS encrypted. |
There was a problem hiding this comment.
Suggested change
| If you want to avoid the need to present a valid client certificate every time you need to interact with Consul API, CLI, or UI, it is possible to configure Consul to trust all incoming HTTPs connections. Setting `tls.https.verify_incoming` to `false` removes the need to present a client certificate. RCP communications are still mTLS encrypted. | |
| If you want to avoid the need to present a valid client certificate every time you interact with Consul using the HTTP API, CLI, or UI, configure Consul to trust all incoming HTTPS connections by seting `tls.https.verify_incoming` to `false`. RPC communications are still mTLS encrypted. |
|
|
||
| ### Use HTTP for local client interaction | ||
|
|
||
| If you want to avoid the need to present a valid client certificate or to use the CA certificate every time you need to interact with your local Consul agent, it is possible to configure Consul to keep the HTTP listener only active on the `localhost` interface. External requests to the API or the UI will still be TLS protected but setting `tls.https.verify_incoming` to `false` removes the need to present a client certificate. RCP communications are still mTLS encrypted. |
There was a problem hiding this comment.
Suggested change
| If you want to avoid the need to present a valid client certificate or to use the CA certificate every time you need to interact with your local Consul agent, it is possible to configure Consul to keep the HTTP listener only active on the `localhost` interface. External requests to the API or the UI will still be TLS protected but setting `tls.https.verify_incoming` to `false` removes the need to present a client certificate. RCP communications are still mTLS encrypted. | |
| If you want to avoid the need to present a valid client certificate or to use the CA certificate every time you interact with the local Consul agent, configure Consul to keep the HTTP listener active on the `localhost` interface only and set `tls.https.verify_incoming` to `false`. External requests to the API or UI are still protected by TLS encryption, requests that originate locally do not need to present a client certificate. RPC communications are still mTLS encrypted. |
Comment on lines
580
to
581
| After completing the steps in this topic, your agents will be configured with TLS for encrypted communication. With the auto encryption method, your | ||
| client certificates are managed by the server. With the operator method, you distributed all the certificates, but have a more flexible configuration. |
There was a problem hiding this comment.
Suggested change
| After completing the steps in this topic, your agents will be configured with TLS for encrypted communication. With the auto encryption method, your | |
| client certificates are managed by the server. With the operator method, you distributed all the certificates, but have a more flexible configuration. | |
| Your agents are now configured with mTLS for encrypted communication. With the auto encryption method, your | |
| client certificates are managed by the server. With the operator method, you distributed all the certificates manually, but have a more flexible configuration. |
| After completing the steps in this topic, your agents will be configured with TLS for encrypted communication. With the auto encryption method, your | ||
| client certificates are managed by the server. With the operator method, you distributed all the certificates, but have a more flexible configuration. | ||
|
|
||
| Documentation for the commands used in this topic is available at [Consul agent configuration - TLS configuration reference](/consul/docs/agent/config/config-files#tls-configuration-reference) documentation and at the [`consul tls` CLI command reference](/consul/commands/tls). |
There was a problem hiding this comment.
Suggested change
| Documentation for the commands used in this topic is available at [Consul agent configuration - TLS configuration reference](/consul/docs/agent/config/config-files#tls-configuration-reference) documentation and at the [`consul tls` CLI command reference](/consul/commands/tls). | |
| Documentation for the commands used in this topic is available at [Consul agent configuration - TLS configuration reference](/consul/docs/agent/config/config-files#tls-configuration-reference) and the [`consul tls` CLI command reference](/consul/commands/tls). |
|
|
||
| To learn how to automate TLS certificate generation and rotation, refer to the [Generate mTLS Certificates for Consul with Vault](/consul/tutorials/operate-consul/vault-pki-consul-secure-tls) tutorial. | ||
|
|
||
| The other prerequisites for a secure Consul deployment are [gossip encryption](/consul/docs/security/encryption/gossip) and [Access Control Lists (ACLs)](/consul/docs/security/acl) with default deny policy. |
There was a problem hiding this comment.
Suggested change
| The other prerequisites for a secure Consul deployment are [gossip encryption](/consul/docs/security/encryption/gossip) and [Access Control Lists (ACLs)](/consul/docs/security/acl) with default deny policy. | |
| To continue securing your Consul deployment, add [gossip encryption](/consul/docs/security/encryption/gossip) and enable [Access Control Lists (ACLs)](/consul/docs/security/acl) with the default deny policy. |
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
danielehc
commented
Sep 17, 2024
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
danielehc
commented
Sep 18, 2024
boruszak
approved these changes
Sep 18, 2024
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
boruszak
added a commit
that referenced
this pull request
Oct 2, 2024
#21509) * New proposed structure * Fix structure and add some content * Fix structure and add some content * Fix structure and add some content * Add content * Add content * mtls steps * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * spacing fixes * Replace <CodeTabs> * <CodeBlockConfig> alignment * indent fixes * spacing * More Code tabs fixes * Structure chenges * Structure chenges * Extra content and CE-713 migration * Extra content * Extra content * Extra content * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * Apply suggestions from code review * Test CodeTabs * Test CodeTabs * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --------- Co-authored-by: boruszak <jeffrey.boruszak@hashicorp.com> Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
4 tasks
boruszak
added a commit
that referenced
this pull request
Oct 2, 2024
CE-654 - TLS Encryption docs + CE-713 - Gossip Encryption key rotation (#21509) * New proposed structure * Fix structure and add some content * Fix structure and add some content * Fix structure and add some content * Add content * Add content * mtls steps * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * spacing fixes * Replace <CodeTabs> * <CodeBlockConfig> alignment * indent fixes * spacing * More Code tabs fixes * Structure chenges * Structure chenges * Extra content and CE-713 migration * Extra content * Extra content * Extra content * Apply suggestions from code review * Apply suggestions from code review * Apply suggestions from code review * Test CodeTabs * Test CodeTabs * Apply suggestions from code review --------- Co-authored-by: danielehc <40759828+danielehc@users.noreply.github.com>
This was referenced Oct 16, 2024
Vikramarjuna
added a commit
that referenced
this pull request
May 12, 2025
* ci: fix CI skip script hole (#21741) In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. * Initialize 1.20 Release (#21746) * init release branch * init 1.20 nightly tests * drop 1.17 nightly tests for new release cycle * drop 1.17 from test matrix * Update nightly-test-integrations-1.20.x.yml * ci: update the security-scanner gha token (#21748) * ci: fix versions.hcl parsing by removing extraneous comma (#21752) Commas are not expected after HCL blocks. This is causing parsing in BPA to fail and may interfere w/ other release-related workflows. * Upgrade ubi image to 9.4 (#21750) * upgrade go to 1.23.1, upgrade ubi image to 9.4 * add changelog * revert go version upgrade * Update test-integrations.yml to capture latest versions of Nomad and Vault (#21749) * Update test-integrations.yml Update Vault/Nomad versions to ensure we're testing the latest versions . * Update test to test latest available CE versions * Adds initial sg documentation for the health API (#21763) Adds initial sg documentation * CE-654 - TLS Encryption docs + CE-713 - Gossip Encryption key rotation (#21509) * New proposed structure * Fix structure and add some content * Fix structure and add some content * Fix structure and add some content * Add content * Add content * mtls steps * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * Encryption docs structure change * spacing fixes * Replace <CodeTabs> * <CodeBlockConfig> alignment * indent fixes * spacing * More Code tabs fixes * Structure chenges * Structure chenges * Extra content and CE-713 migration * Extra content * Extra content * Extra content * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * Apply suggestions from code review * Test CodeTabs * Test CodeTabs * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --------- Co-authored-by: boruszak <jeffrey.boruszak@hashicorp.com> Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * fix spacing of bash scripts (#21760) * fix spacing of bash scripts * shellcheck all the things * cat filename rather than concatenating pr number * Stage rc release (#21770) stage rc release * chore: Update VERSION for next major release (#21756) This should be set to the next major version now that `release/1.20.x` has been created. * Update raft to 1.7.0 and add configuration for prevote (#21758) * update raft to 1.7.0 * add config to disable raft prevote * add changelog * api: remove dependency on proto-public, protobuf, and grpc (#21780) * [NET-11150] ci: fix conditional skip and add safeguard (#21781) ci: fix conditional skip and add safeguard Adopt a third-party action to avoid script bugs, and to fix a current issue where the script fails to detect all changes when processing push events on PR branches. Adapted from hashicorp/consul-dataplane#637. See that PR for testing details and background context. * Fix changelog for 1.20-rc1 (#21776) fix changelog * Add partition field for catalog deregister docs (#21788) * Add partition field for catalog deregister docs * Update website/content/api-docs/catalog.mdx Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --------- Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * update serf links (#21797) * update serf links * add .markdown file extension * update serf links to use /blob/master/ * fix broken links --------- Co-authored-by: github-team-consul-core <github-team-consul-core@hashicorp.com> * docs: Add missing `&&` in DNS forwading tutorial (#21804) Add missing `&&` to iptables command. The original commands fail when being directly pasted into a shell. * Adds grafana dashboards (#21806) * Upgrade test improvements for 1.20.x (#21813) * Bump Envoy version used for 1.20.x upgrade tests * Improve README + docstrings * Update ENVOY_VERSIONS (#21820) No new minor versions, just incrementing the patches for hygiene's sake * ci: ensure int test docker pull goes through proxy (#21819) * docs: Consul DNS views on Kubernetes (#21802) * Backport of ci: update the security-scanner gha token into release/1.20.x (#21754) backport of commit eb9dbc9 Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com> * Backport of Initialize 1.20 Release into release/1.20.x (#21753) * backport of commit a33e903 * backport of commit 37163dc * backport of commit 38f0907 * backport of commit 6ab7ec2 * backport of commit 7ac4178 * backport of commit 5dfebb2 * backport of commit 316d68c --------- Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Backport of Stage rc release into release/1.20.x (#21772) backport of commit d311f2b Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> * Backport of Upgrade ubi image to 9.4 into release/1.20.x (#21773) * backport of commit 888e302 * backport of commit 17499dc * backport of commit d933d37 --------- Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Backport of security: update alpine base image to 3.20 into release/1.20.x (#21774) * backport of commit 4421ce1 * Upgrade ubi image to 9.4 (#21750) --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Backport of fix spacing of bash scripts into release/1.20.x (#21769) * backport of commit 1e97297 * backport of commit b7053f5 * backport of commit a391f2f --------- Co-authored-by: jm96441n <john.maguire@hashicorp.com> * Backport of [NET-11150] ci: fix conditional skip and add safeguard into release/1.20.x (#21783) backport of commit c3db6c9 Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * initial commit * Initial pages * Edits to other pages + nav & redirects * minor fixes * Backport of security: update alpine base image to 3.20 into release/1.20.x (#21774) * backport of commit 4421ce1 * Upgrade ubi image to 9.4 (#21750) --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * CE-679 * align with main * Content updates * minor edit * Apply suggestions from code review Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com> Co-authored-by: Blake Covarrubias <blake@covarrubi.as> * CoreDNS config update * small edits * typo fix --------- Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com> Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com> Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: jm96441n <john.maguire@hashicorp.com> Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com> Co-authored-by: Blake Covarrubias <blake@covarrubi.as> * Post-release updates for 1.20.0 (#21829) * Update active version list in .release/versions.hcl * Remove nightly tests for 1.17.x * Add nightly tests for 1.20.x * Gate nightly tests for 1.19.x to Enterprise only * Update CHANGELOG.md * docs: Consul v1.20 release notes (#21826) * Page creation * DNS views description * Catalog sync and openshift * Grafana + consul-k8s release notes * nav update * Fix known issues language * chore: remove unintentionally committed consul-k8s submodule (#21833) Also prevent future re-commits of this submodule path by adding to .gitignore. * [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass (#21816) mesh: add options for HTTP incoming request normalization Expose global mesh configuration to enforce inbound HTTP request normalization on mesh traffic via Envoy xDS config. mesh: enable inbound URL path normalization by default mesh: add support for L7 header match contains and ignore_case Enable partial string and case-insensitive matching in L7 intentions header match rules. ui: support L7 header match contains and ignore_case Co-authored-by: Phil Renaud <phil@riotindustries.com> test: add request normalization integration bats tests Add both "positive" and "negative" test suites, showing normalization in action as well as expected results when it is not enabled, for the same set of test cases. Also add some alternative service container test helpers for verifying raw HTTP request paths, which is difficult to do with Fortio. docs: update security and reference docs for L7 intentions bypass prevention - Update security docs with best practices for service intentions configuration - Update configuration entry references for mesh and intentions to reflect new values and add guidance on usage * Suppress CVE-2024-9143 (#21848) Update security-scan.hcl * docs: clarify Envoy and dataplane LTS support policy (#21337) Update matrices and clarify statements as to when Consul expands support to new major versions of Envoy and Consul dataplane in light of Consul LTS or Envoy EOL status. * Update compatibility matrix to include 1.20.x (#21843) * Update compatibility matrix to include 1.20.x * Update compatibility.mdx * Update Envoy compatibility matrices to include consul 1.20.x and dataplane 1.6.x (#21852) * Update Envoy compatibility matrices to include consul 1.20.x and dataplane 1.6.x * Remove non-LTS version from LTS table * Fix incorrect version in dataplane release matrix * Remove releases that don't span versions from the matrix of releases that span versions * Upgrade envoy version in nightly integration tests (#21864) Update nightly-test-integrations.yml * chore: retain retracted api submodule version (#21861) * [NET-1151 NET-11046] docs: clarify request normalization and L7 headers feature availability (#21855) docs: clarify request normalization and L7 headers feature availability - Add notes on feature availability tied to specific fix versions - Add missing 1.20 upgrade entry - Remove erroneous 1.17 upgrade entry (version DNE) - Add missing HCL variant for service intentions config * Allow multiple endpoints in Envoy clusters configured with hostnames (#21655) * xds: allow multiple endpoints for strict_dns * xds: fixes typo in multi hostname warning * docs: add missing slash in redirect (#21881) missing slash * Update changelog (#21896) * ci(security-scanner): add support for Red Hat UBI images and fix typo (#21912) * ci(security-scanner): add support for Red Hat UBI images and fix typo * hclfmt * clean-up comments Co-authored-by: Kent Gruber <kent@hashicorp.com> --------- Co-authored-by: Kent Gruber <kent@hashicorp.com> * Docs/CE-749-remove-references-from-consul (#21914) * delete HCP Consul Central references * Path correction * missed listing * Nav update * Added the docs for all the grafana dashboards. (#21795) * Added the docs for all the grafana dashboards. Author: Yasmin Lorin Kaygalak <ykaygala@villanova.edu> Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Blake Covarrubias <blake@covarrubi.as> * v2: remove HCP Link integration (#21883) Also prevent de-registered retired v2 types from being restored from a snapshot, such as these hcp resources. Without doing this, anyone with any of these types in their state store will retain them forever with no avenue to remove them. * [Security] Secvuln 8633 Consul configuration allowed repeated keys (#21908) * upgrade hcl package and account for possiblity of duplicates existing already in the cache * upgrade to new tag * add defensive line to prevent potential forever loop * o mod tidy and changelog * Update acl/policy.go * fix raft reversion * go mod tidy * fix test * remove duplicate key in test * remove duplicates from test cases * clean up * go mod tidy * go mod tidy * pull in new hcl tag * Update CODEOWNER (#21947) * update code owners * Update JWT to resolve CVE-2024-51744 (#21951) * update jwt package * add changelog * Fix PeerUpstreamEndpoints and UpstreamPeerTrustBundles to only Cancel watch when needed, otherwise keep the watch active (#21871) * fix to only reset peering watches when no other target need watching * remove unused logger * add changelog * Update .changelog/21871.txt Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> --------- Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> * NET-11737 - sec vulnerability - remediate ability to use bexpr to filter results without ACL read on endpoint (#21950) * NET-11737 - sec vulnerability - remediate ability to use bexpr to filter results without ACL read on endpoint * add changelog * update test descriptions to make more sense * Update API Group under backendRefs (#21961) * Update routes.mdx Currently backendRefs refers to api-gateway.consul.hashicorp.com as the API Group that should be used when kind is set to Mesh Service. Based on mesh service template, it should just be consul.hashicorp.com. * Update backendRefs in route to peered doc * state: ensure that identical manual virtual IP updates result in not bumping the modify indexes (#21909) The consul-k8s endpoints controller issues catalog register and manual virtual ip updates without first checking to see if the updates would be effectively not changing anything. This is supposed to be reasonable because the state store functions do the check for a no-op update and should discard repeat updates so that downstream blocking queries watching one of the resources don't fire pointlessly (and CPU wastefully). While this is true for the check/service/node catalog updates, it is not true for the "manual virtual ip" updates triggered by the PUT /v1/internal/service-virtual-ip. Forcing the connect injector pod to recycle while watching some lightly modified FSM code can show that a lot of updates are of the update list of ips from [A] to [A]. Immediately following this stray update you can see a lot of activity in proxycfg and xds packages waking up due to blocking queries triggered by this. This PR skips updates that change nothing both: - at the RPC layer before passing it to raft (ideally) - if the write does make it through raft and get applied to the FSM (failsafe) * Add alpine image cves to suppress list (#21964) add alpine image cves to suppress list * [Security] SECVULN-8621: Fix XSS Vulnerability where content-type header wasn't explicitly set in API requests (#21930) * Fix XSS Vulnerability where content-type header wasn't explicitly set in API requests * fix failing unit test * docs: fix broken link (#21971) * [Security] Bump envoy versions (#22002) bump envoy versions * [Security] Bump crypto libraries (#22001) * update crypto libraries * update crypto libraries * add changelog, suppress vulnerability that hasn't been fixed yet * Bump alpine image (#22009) bump alpine image * Update UBI Image (#22011) * update image * change log * Suppress redhat linux CVEs (#22015) suppress redhat linux CVEs * Bump golang.org/x/crypto from 0.22.0 to 0.31.0 in /testing/deployer (#22008) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.22.0 to 0.31.0. - [Commits](golang/crypto@v0.22.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: remove staff codeowners now that it requires mandatory review (#22020) * [Security] Bump net packages to resolve GO-2024-3333 (#22021) * bump net packages * add changelog * sec: bump envoy patch versions (#22024) * Added labels for redhat validation (#22047) Update Dockerfile * NET-11798: Set APIGateway TLSConfig if unset or empty (#21984) * NET-11798: Set APIGateway TLSConfig if unset or empty * add changelog * update golden file tests * add missing golden files * Update .changelog/21984.txt Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * remove use of reflect library and check if object is empty instead --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * sec: bump go and deps versions (#22084) * security: bump go and deps versions * add changelog * fix go toolchained version * update changelog message * chore: Updated the changelogs for 1.20.2, 1.19.4, 1.18.6, 1.15.16 (#22093) Updated the changelog * Let education and web presence merge PRs to website directory files. (#21991) * add consul education and web presence ability to merge PRs to relavent website directory files * change edu approvers to consul-docs * let education also edit the docs side navigation * fix spacing and punctuation * one more try to fix spacing * Consume latest version of consul-awsauth dependency (#22109) * Consume latest version of consul-awsauth dependency * Add changelog entry * metadata: memoize the parsed build versions (#22113) There will only be a small set of consul build versions that a single consul server will witness. Inside of metadata.IsConsulServer we use a very expensive function in the hashicorp/go-version library to parse these into read-only *version.Version structs all over Consul. Memoize these in a package cache map. Likely the thing will only have like 2 keys in it ever over the life of the process. * chore: Update changelog for patch releases (#22128) update changelog for patch releases * security: Upgrade go version to 1.22.12 (#22132) * security: Upgrade go version to 1.22.12 * Added changelog * Fix lint issues * Update golangci-lint to 1.56.1 (#22134) * fix logging time arch and os (#22120) * fix logging time arch and os * fix logging time for bsd * added changelog entry * added changelog file --------- Co-authored-by: nitin-sachdev-29 <nitin.sachdev@hashicorp.com> * chore: Update supported Envoy versions in ENVOY_VERSIONS file (#22138) * chore: Update supported Envoy versions in ENVOY_VERSIONS file * added changelog file --------- Co-authored-by: Abhishek Sahu <abhishek.sahu@hashicorp.com> * Changed log level for retryable error Scenarios (#22141) * Changed log level : 1- xDS DeltaDiscoveryRequest context cancelled set to INFO on stream cancelled as it is retrieable 2- subscription failed logging on ACL change is set to INFO as is also retriable * Added change log file and updated code for PR comments * fixing error logging with key, value, updating changelog * security: Suppress redhat linux CVEs (#22147) * chore: Update the changelog for 1.20.3, 1.19.5, 1.18.8 (#22159) Update the changelog for 1.20.3, 1.19.5, 1.18.6 * docs: namespace ACL permissions for exported services (#22162) * Exported services config entry page updated * Dataplanes index update * fix bsd time log implementation part 2 (#22170) * fix bsd time log implementation * split freebsd and openbsd * retracting api submodule version 1.31.1 (#22172) * retracting api submodule version 1.31.1 * added changelog * fixed changelog and added comment in go.mod * upgraded consul/api submodule to v1.31.2 (#22174) * upgraded consul/api submodule to v1.31.2 * added changelog * docs: namespace ACL config typo fix (#22166) typo fix * feature: Send SNI in RemoteJWKS over TLS (#22177) * update: send hostname in SNI for RemoteJWKS envoy request over TLS * update: add sni in golden files for JWT * add: UseSNI flag in JWT Provider Config entry * add: testcases for SNI in JWT provider * update: add UseSNI for JWKS in website doc * [ui] Read from localStorage to display a copyable access token and secret (#22105) * Read from localStorage to display a copyable access token and secret * Error when loading handled * logging fix for netbsd os (#22184) * logging fix for netbsd os * logging fix for netbsd os * added chengelog entry * Initialise release for consul 1.21 (#22195) * Init release 1.21 * Create nightly-test-integrations-1.21.x.yml * Remove comma * Upgrade go version to 1.23 (#22204) * Upgrade go version * Added changelog * Update config.deepcopy.go * Update .golangci.yml * fix lint * security: Upgrade crypto, oauth, go-jose (#22207) * Upgrade crypto to 0.35.0 * Upgrade oauth and go-jose * upgrade oauth and jose * Added changelog * Add the missing Service TaggedAddresses and Check Type fields to Txn API (#22220) * Add the missing Service TaggedAddresses and Check Type fields to Txn API * added changelog * [Feature] Invalidate session check if associated session is deleted (#22227) * Add session health check management and tests * Refactor session health check management and update related tests * Cleanup --------- Co-authored-by: srahul3 <rahulsharma@hashicorp.com> * build(deps): bump go version to go1.23.7 (#22237) * build(deps): bump go version to go1.24.1 * update: use 1.23.7 instead * add changelog * Fixes a couple of DNS token example commands (#22224) * Fixes a couple of example commands The `-name` option is not available `-description` is used in it's place. set-agent-token is a sub-command of the acl command. * This feature works with federated services only This command does not work with peered clusters so needs to be clarified. * Refactor Txn API to use AgentService and add TaggedAddresses support (#22248) * Add the missing Service TaggedAddresses and Check Type fields to Txn API * added changelog * Refactor Txn API to use AgentService and add TaggedAddresses support * Document Azure service principal auth in snapshot/agent.mdx (#21942) * Update agent.mdx Starting from Consul v1.20.1+ent, Consul supports using Azure Blob Storage for the snapshot agent via Azure Service Principal ID and Secret authentication. I've successfully tested this configuration in my lab environment and have added the relevant parameters to this documentation for completeness. * Update website/content/commands/snapshot/agent.mdx Co-authored-by: Blake Covarrubias <blake@covarrubi.as> * Update website/content/commands/snapshot/agent.mdx Co-authored-by: Blake Covarrubias <blake@covarrubi.as> * Update website/content/commands/snapshot/agent.mdx Co-authored-by: Blake Covarrubias <blake@covarrubi.as> * Update website/content/commands/snapshot/agent.mdx Co-authored-by: Blake Covarrubias <blake@covarrubi.as> --------- Co-authored-by: Blake Covarrubias <blake@covarrubi.as> * Fix catalog service endpoint when querying for a peer service (#22189) * Fix catalog service endpoint when querying for a peer service * Add changelog file * Add changes to docs. Add test * Update website/content/api-docs/catalog.mdx Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --------- Co-authored-by: Sreeram Narayanan <sreeram.narayanan@hashicorp.com> Co-authored-by: nitin-sachdev-29 <nitin.sachdev@hashicorp.com> Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * Update lock.mdx (Node Health Check and TTL) (#22258) * Update lock.mdx (Node Health Check and TTL) Consul `lock` command update that captures why consul lock can act indefinitely when node checks are in place and how users can work around it by creating/managing their own session. * Update website/content/commands/lock.mdx Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --------- Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * CVE Fix (#22268) * Fixed following CVEs: GHSA-vvgc-356p-c3xw in golang.org/x/net@v0.37.0 GO-2025-3595 in golang.org/x/net@v0.37.0 GO-2025-3553 in github.com/golang-jwt/jwt/v4@v4.5.1 GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/v4@v4.5.1 stdlib in Go GO-2025-3563@1.23.7 * added changelog * Upgraded go to 1.23.8 (#22273) * Fixed following CVEs: GHSA-vvgc-356p-c3xw in golang.org/x/net@v0.37.0 GO-2025-3595 in golang.org/x/net@v0.37.0 GO-2025-3553 in github.com/golang-jwt/jwt/v4@v4.5.1 GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/v4@v4.5.1 stdlib in Go GO-2025-3563@1.23.7 * added changelog * upgraded go to 1.23.8 * suppressing alpine CVEs as there is no fix yet (#22278) * feature: Adding configurable value to disable XDS Load balancing feature: Adding configurable value to disable XDS Load balancing Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --------- Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * suppressing staticcheck lint warning * backport of commit b3039bd * backport of commit bcdde50 * backport of commit 245cbd8 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com> Co-authored-by: Dhia Ayachi <dhia@hashicorp.com> Co-authored-by: NicoletaPopoviciu <87660255+NicoletaPopoviciu@users.noreply.github.com> Co-authored-by: Nick Wales <588472+nickwales@users.noreply.github.com> Co-authored-by: danielehc <40759828+danielehc@users.noreply.github.com> Co-authored-by: boruszak <jeffrey.boruszak@hashicorp.com> Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: John Maguire <john.maguire@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: John Murret <john.murret@hashicorp.com> Co-authored-by: Lens0021 / Leslie <lorentz0021@gmail.com> Co-authored-by: Yasmin Lorin Kaygalak <ykaygala@villanova.edu> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com> Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com> Co-authored-by: Blake Covarrubias <blake@covarrubi.as> Co-authored-by: Tom Davies <tom@t-davies.com> Co-authored-by: Kent Gruber <kent@hashicorp.com> Co-authored-by: Yasmin Lorin Kaygalak <lorin.kaygalak@hashicorp.com> Co-authored-by: xwa153 <xinyi.wang@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> Co-authored-by: Mark Campbell-Vincent <mnmvincent@gmail.com> Co-authored-by: Anita Akaeze <anita.akaeze@hashicorp.com> Co-authored-by: Bhautik <bhautikrchudasama@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Abhishek Sahu <abhishek.sahu@hashicorp.com> Co-authored-by: Judith Malnick <judith@hashicorp.com> Co-authored-by: nitin-sachdev-29 <nitin.sachdev@hashicorp.com> Co-authored-by: Mukul Anand <mukul.anand@hashicorp.com> Co-authored-by: Sreeram Narayanan <sreeram.narayanan@hashicorp.com> Co-authored-by: Phil Renaud <phil.renaud@hashicorp.com> Co-authored-by: Rahul <srahul3@gmail.com> Co-authored-by: srahul3 <rahulsharma@hashicorp.com> Co-authored-by: SuyashHashiCorp <92308220+SuyashHashiCorp@users.noreply.github.com> Co-authored-by: Jorge Marey <6938602+jorgemarey@users.noreply.github.com> Co-authored-by: natemollica-dev <57850649+natemollica-nm@users.noreply.github.com> Co-authored-by: Vikramarjuna <vkrmrjun@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Jira tickets reference
Description
encryptionsection.🎪 Preview