Backport of Fix issue where TLS configuration was ignored for unix sockets in consul connect envoy. into release/1.14.x #15934
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This PR is auto-generated from #15913 to be assessed for backporting due to the inclusion of the label backport/1.14.
WARNING automatic cherry-pick of commits failed. Commits will require human attention.
The below text is copied from the body of the original PR.
When using
consul connect envoy
, TLS configuration was not applied to local unix sockets, even when flags were specified that provided certificates.Notably, this affects Nomad deployments, which rely on unix sockets + encryption for certain configurations.
hashicorp/nomad#15360
Before this change, the only way TLS was enabled was if
https://
was a prefix for the-grpc-addr
flag. This allowed users to configure the certificates via environment variables / flags on clients and slowly adopt grpc+tls over time (the-grpc-addr
value is also discoverable via an API call to/v1/agent/self
, but the certificate is not).After this change, TLS will be enabled only if either of the following are true:
-grpc-addr
starts withhttps://
-grpc-addr
starts withunix://
AND grpc certificates are configuredThis ensures that the existing ability for users to roll out HTTP -> HTTPS conversions is not affected, while users of unix sockets can encrypt traffic, if desired.
Finally, there was some logic added recently that attempted to dial the gRPC connection prior to launching envoy to help users debug issues. However, this would be run during bootstrap mode, which would cause an undesired early return (Nomad generates the bootstrap on one host with Consul CLI and then passes that into a container). To fix this, the check has been swapped to a warning only (instead of returning) and the check also no longer runs during bootstrap mode.
Overview of commits