Envoy Bootstrap Config Support TLSv1_3 #21777

Status: Open. Wants to merge 3 commits into base: main.

Conversation


@Ranjandas Ranjandas commented Sep 20, 2024

Description

When the Consul agent runs with tls_min_version set to TLSv1_3, the Envoy proxies talking to the agent fail with the TLSV1_ALERT_PROTOCOL_VERSION error.

DeltaAggregatedResources gRPC config stream to local_agent closed since 97s ago: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION

This PR updates the Envoy static local_agent cluster to use TLSv1_3 as the maximum protocol version.

Issue reported at: https://discuss.hashicorp.com/t/consul-tls-min-version-1-3-error/70100

Testing & Reproduction steps

  • Generate Consul CA and Certificates
$ consul tls ca create
$ consul tls cert create -server
  • Create Consul Configuration
$ cat <<EOF > consul.hcl
tls {
  defaults {
    ca_file   = "consul-agent-ca.pem"
    cert_file = "dc1-server-consul-0.pem"
    key_file  = "dc1-server-consul-0-key.pem"

    tls_min_version = "TLSv1_3"
  }
}

ports {
  grpc_tls = 8503
  https = 8501
  http = -1
}
EOF
  • Start a Consul agent
$ consul agent -dev -config-file consul.hcl
  • Set the Consul Environment Variables for the rest of the commands
export CONSUL_CACERT=./consul-agent-ca.pem
export CONSUL_HTTP_ADDR=https://127.0.0.1:8501
  • Start an Envoy proxy (we will launch a gateway to avoid service registrations)
$ consul connect envoy -gateway api -service api-gateway -register

This should work without throwing the reported error.

Alternatively, inspect the bootstrap config

$ consul connect envoy -gateway api -register -service api-gateway -bootstrap | jq '.static_resources.clusters[0].transport_socket.typed_config.common_tls_context.tls_params'
{
  "tls_maximum_protocol_version": "TLSv1_3"
}

Links

Fixes: #21767

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern
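
The bootstrap inspection in the reproduction steps above, turned into a check an operator can run before rolling out a stricter agent tls_min_version. This is an added example, not code from this PR or from Consul: it parses a bootstrap document, reads the local_agent cluster's tls_params, and decides whether an Envoy capped at that maximum can still handshake with an agent that enforces a given minimum. The two bootstrap snippets are constructed samples shaped like the jq output in the description (one without tls_params, one with the TLSv1_3 maximum this PR adds); the fallback to TLSv1_2 when tls_params is absent follows Envoy's documented default maximum for client connections.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Ascending order of the Envoy TlsParameters protocol-version enum names.
var tlsVersionRank = map[string]int{
	"TLSv1_0": 0,
	"TLSv1_1": 1,
	"TLSv1_2": 2,
	"TLSv1_3": 3,
}

// Only the fields of the bootstrap that this check reads.
type bootstrap struct {
	StaticResources struct {
		Clusters []struct {
			Name            string `json:"name"`
			TransportSocket struct {
				TypedConfig struct {
					CommonTLSContext struct {
						TLSParams struct {
							Max string `json:"tls_maximum_protocol_version"`
						} `json:"tls_params"`
					} `json:"common_tls_context"`
				} `json:"typed_config"`
			} `json:"transport_socket"`
		} `json:"clusters"`
	} `json:"static_resources"`
}

// Constructed sample: a local_agent cluster with no tls_params, so Envoy's
// client-side default maximum (TLSv1_2) applies.
const BootstrapBeforeFix = `{"static_resources":{"clusters":[{"name":"local_agent",
  "transport_socket":{"name":"tls","typed_config":{"common_tls_context":{}}}}]}}`

// Constructed sample: the shape this PR produces, with the maximum raised to TLSv1_3.
const BootstrapAfterFix = `{"static_resources":{"clusters":[{"name":"local_agent",
  "transport_socket":{"name":"tls","typed_config":{"common_tls_context":{
  "tls_params":{"tls_maximum_protocol_version":"TLSv1_3"}}}}}]}}`

// LocalAgentMaxTLS returns the effective tls_maximum_protocol_version of the
// cluster named local_agent. An absent tls_params or empty field yields
// TLSv1_2, Envoy's documented default maximum for client connections.
func LocalAgentMaxTLS(bootstrapJSON []byte) (string, error) {
	var b bootstrap
	if err := json.Unmarshal(bootstrapJSON, &b); err != nil {
		return "", fmt.Errorf("parsing bootstrap: %w", err)
	}
	for _, c := range b.StaticResources.Clusters {
		if c.Name != "local_agent" {
			continue
		}
		maxVer := c.TransportSocket.TypedConfig.CommonTLSContext.TLSParams.Max
		if maxVer == "" {
			return "TLSv1_2", nil
		}
		if _, ok := tlsVersionRank[maxVer]; !ok {
			return "", fmt.Errorf("unknown protocol version %q", maxVer)
		}
		return maxVer, nil
	}
	return "", fmt.Errorf("no local_agent cluster in bootstrap")
}

// CompatibleWithAgent reports whether an Envoy client capped at envoyMax can
// negotiate a TLS version with an agent whose tls_min_version is agentMin.
func CompatibleWithAgent(envoyMax, agentMin string) (bool, error) {
	maxRank, ok1 := tlsVersionRank[envoyMax]
	minRank, ok2 := tlsVersionRank[agentMin]
	if !ok1 || !ok2 {
		return false, fmt.Errorf("unknown protocol version: %q / %q", envoyMax, agentMin)
	}
	return maxRank >= minRank, nil
}

func main() {
	samples := map[string]string{"before": BootstrapBeforeFix, "after": BootstrapAfterFix}
	for name, doc := range samples {
		maxVer, err := LocalAgentMaxTLS([]byte(doc))
		if err != nil {
			fmt.Println(name, "fix: error:", err)
			continue
		}
		ok, _ := CompatibleWithAgent(maxVer, "TLSv1_3")
		fmt.Printf("%s fix: local_agent max=%s, agent min=TLSv1_3, handshake possible=%v\n", name, maxVer, ok)
	}
}
```

To run it against a real proxy, replace the constructed constants with the output of `consul connect envoy ... -bootstrap`; a `false` result for the agent's configured minimum is exactly the condition that produces the TLSV1_ALERT_PROTOCOL_VERSION alert in the description.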

When the Consul agent runs with `tls_min_version` set to TLSv1_3, the Envoy proxies talking to the agent
fail with the `TLSV1_ALERT_PROTOCOL_VERSION` error.

This PR updates the Envoy static local_agent cluster to set the TLS maximum protocol version to TLSv1_3.

Originally reported at: https://discuss.hashicorp.com/t/consul-tls-min-version-1-3-error/70100
@github-actions github-actions bot added the theme/cli Flags and documentation for the CLI interface label Sep 20, 2024
@Ranjandas Ranjandas added backport/1.19 This release series is longer active on CE, use backport/ent/1.19 backport/1.20 Changes are backported to 1.20 backport/ent/1.18 Changes are backported to 1.18 ent labels Sep 20, 2024
@zalimeni zalimeni requested review from zalimeni and removed request for hashi-derek September 24, 2024 20:28
@zalimeni zalimeni (Member) commented

Generally this LGTM, thanks @Ranjandas !

❓ is there a reason for only backporting this fix through 1.18 instead of all active CE + Ent versions (backport/all)? I think this setting is compatible w/ all the supported versions of Envoy through 1.15 LTS, so my thought was we'd backport all the way.

@zalimeni zalimeni left a comment


Approving CE change to unblock since code LGTM.

Pending decision on backports but I think we'll want backport/all for this PR.

Following merge of this PR, we'll want to update consul-dataplane as well for agentless using make copy-bootstrap-config in that repo.

@zalimeni zalimeni added backport/ent/1.19 Changes are backported to 1.19 ent and removed backport/1.19 This release series is longer active on CE, use backport/ent/1.19 labels Oct 17, 2024
@zalimeni zalimeni (Member) commented Oct 17, 2024

Updated labels post-1.20 for equivalence, just in case we don't want backport/all - but I suspect we do want backport/all still.

@Ranjandas FYI, patches are planned for end of next week, so if you want this in I'd make sure to merge soon.
