-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
Envoy Bootstrap Config Support TLSv1_3 #21777
base: main
Are you sure you want to change the base?
Conversation
When Consul agent runs with `tls_min_version` set to TLSv1_3, the Envoy proxies talking to the agent fails with `TLSV1_ALERT_PROTOCOL_VERSION` error. This PR updates the Envoy static local_agent cluster to have TLS maximum protocol version to use to be TLSv1_3. Originally reported at: https://discuss.hashicorp.com/t/consul-tls-min-version-1-3-error/70100
b7ed4de
to
441426c
Compare
Generally this LGTM, thanks @Ranjandas ! ❓ is there a reason for only backporting this fix through 1.18 instead of all active CE + Ent versions ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving CE change to unblock since code LGTM.
Pending decision on backports but I think we'll want backport/all
for this PR.
Following merge of this PR, we'll want to update consul-dataplane
as well for agentless using make copy-bootstrap-config
in that repo.
Updated labels post-1.20 for equivalence, just in case we don't want @Ranjandas FYI, patches are planned for end of next week, so if you want this in I'd make sure to merge soon. |
Description
When the Consul agent runs with
tls_min_version
set toTLSv1_3
, the Envoy proxies talking to the agent fails with theTLSV1_ALERT_PROTOCOL_VERSION
error.This PR updates the Envoy static
local_agent
cluster to use TLSv1_3 as the maximum protocol version.Issue reported at: https://discuss.hashicorp.com/t/consul-tls-min-version-1-3-error/70100
Testing & Reproduction steps
This should work without throwing the reported error.
Alternatively, inspect the bootstrap config
Links
Fixes: #21767
PR Checklist