From c6728cfee21ca8fa1e8b5f584626dfbc61c2a219 Mon Sep 17 00:00:00 2001 From: Jared Kirschner Date: Mon, 17 Apr 2023 22:47:44 +0000 Subject: [PATCH 1/3] backport of commit c030771c774929e99c59d8ebc4bde2c7ed0f5fa9 --- CHANGELOG.md | 2 +- .../docs/release-notes/consul/v1_15_x.mdx | 16 +++++++--------- .../content/docs/upgrading/upgrade-specific.mdx | 13 ++++--------- 3 files changed, 12 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b5259a054ee..48ae2b5dfdc8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -58,7 +58,7 @@ BUG FIXES: KNOWN ISSUES: -* connect: An issue with leaf certificate rotation can cause some service instances to lose their ability to communicate in the mesh after 72 hours (LeafCertTTL). This issue is not consistently reproducible. We are working to address this issue in an upcoming patch release. To err on the side of caution, service mesh deployments should not upgrade to Consul v1.15 at this time. Refer to [[GH-16779](https://github.com/hashicorp/consul/issues/16779)] for the latest information. +* connect: A race condition can cause some service instances to lose their ability to communicate in the mesh after 72 hours (LeafCertTTL) due to a problem with leaf certificate rotation. This bug is fixed in Consul v1.15.2 by [[GH-16818](https://github.com/hashicorp/consul/issues/16818)]. BREAKING CHANGES: diff --git a/website/content/docs/release-notes/consul/v1_15_x.mdx b/website/content/docs/release-notes/consul/v1_15_x.mdx index 99c2961bd4ab..28799e79b40f 100644 --- a/website/content/docs/release-notes/consul/v1_15_x.mdx +++ b/website/content/docs/release-notes/consul/v1_15_x.mdx @@ -68,14 +68,11 @@ For more detailed information, please refer to the [upgrade details page](/consu The following issues are known to exist in the v1.15.x releases: -- All current 1.15.x versions are under investigation for a not-consistently-reproducible - issue that can cause some service instances to lose their ability to communicate in the mesh after +- For v1.15.0 - v1.15.1, contain a race condition that can cause + some service instances to lose their ability to communicate in the mesh after [72 hours (LeafCertTTL)](/consul/docs/connect/ca/consul#leafcertttl) due to a problem with leaf certificate rotation. - We will update this section with more information as our investigation continues, - including the target availability for a fix. - Refer to [GH-16779](https://github.com/hashicorp/consul/issues/16779) - for the latest information. + This is resolved in Consul v1.15.2. - For v1.15.0, Consul is reporting newer releases of Envoy (for example, v1.25.1) as not supported, even though these versions are listed as valid in the [Envoy compatilibity matrix](/consul/docs/connect/proxies/envoy#envoy-and-consul-client-agent). The following error would result for newer versions of Envoy: @@ -83,15 +80,16 @@ The following issues are known to exist in the v1.15.x releases: Envoy version 1.25.1 is not supported. If there is a reason you need to use this version of envoy use the ignore-envoy-compatibility flag. Using an unsupported version of Envoy is not recommended and your experience may vary. ``` - The workaround to resolve this issue until Consul v1.15.1 would be to run the client agents with the new `ingore-envoy-compatiblity` flag: + To workaround this issue on Consul v1.15.0, launch sidecar proxies + with the `ignore-envoy-compatiblity` flag: ```shell-session $ consul connect envoy --ignore-envoy-compatibility ``` -- For v1.15.0, there is a known issue where `consul acl token read -self` requires an `-accessor-id`. This is resolved in the uppcoming Consul v1.15.1 patch release. +- For v1.15.0, there is a known issue where `consul acl token read -self` requires an `-accessor-id`. This is resolved in Consul v1.15.1. -- For v1.15.0, there is a known issue where search filters produced errors and resulted in lists not showing full results until being interacted with. This is resolved in the upcoming Consul v1.15.1 patch release. +- For v1.15.0, there is a known issue where search filters produced errors and resulted in lists not showing full results until being interacted with. This is resolved in Consul v1.15.1. ## Changelogs diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index 1c9a73849107..39a15d2f1f27 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -16,21 +16,16 @@ upgrade flow. ## Consul 1.15.x -#### Service mesh known issue +#### Service mesh compatibility ((#service-mesh-compatibility-1-15)) -To err on the side of caution, -service mesh deployments should not upgrade to Consul v1.15 at this time. +Upgrade to **Consul version 1.15.2 or later**. -We are currently investigating a not-consistently-reproducible issue that can cause +Consul versions 1.15.0 - 1.15.1 contain a race condition that can cause some service instances to lose their ability to communicate in the mesh after [72 hours (LeafCertTTL)](/consul/docs/connect/ca/consul#leafcertttl) due to a problem with leaf certificate rotation. -We will update this section with more information as our investigation continues, -including the target availability for a fix. -If you are already operating Consul v1.15, refer to discussion of this issue on -[GH-16779](https://github.com/hashicorp/consul/issues/16779) -for potential workarounds and to share your observations. +This bug is fixed in Consul versions 1.15.2 and newer. #### Removing configuration options From 1709c687dfb5190684189f146d45afabc0269126 Mon Sep 17 00:00:00 2001 From: Jared Kirschner Date: Mon, 17 Apr 2023 22:50:46 +0000 Subject: [PATCH 2/3] backport of commit a12af289cb096f0ad7309a1f7cf76328eae3352b --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 48ae2b5dfdc8..5a306dc2ddc6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -58,7 +58,7 @@ BUG FIXES: KNOWN ISSUES: -* connect: A race condition can cause some service instances to lose their ability to communicate in the mesh after 72 hours (LeafCertTTL) due to a problem with leaf certificate rotation. This bug is fixed in Consul v1.15.2 by [[GH-16818](https://github.com/hashicorp/consul/issues/16818)]. +* connect: A race condition can cause some service instances to lose their ability to communicate in the mesh after 72 hours (LeafCertTTL) due to a problem with leaf certificate rotation. This bug is fixed in Consul v1.15.2 by [GH-16818](https://github.com/hashicorp/consul/issues/16818). BREAKING CHANGES: From 85a558167b8b35b1947c72a5445704562af184a4 Mon Sep 17 00:00:00 2001 From: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> Date: Mon, 17 Apr 2023 23:28:15 +0000 Subject: [PATCH 3/3] backport of commit a4e963b133ae4e2575bd2278ae7ad203c46a4a1a --- website/content/docs/release-notes/consul/v1_15_x.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/release-notes/consul/v1_15_x.mdx b/website/content/docs/release-notes/consul/v1_15_x.mdx index 28799e79b40f..d90f918b6373 100644 --- a/website/content/docs/release-notes/consul/v1_15_x.mdx +++ b/website/content/docs/release-notes/consul/v1_15_x.mdx @@ -68,7 +68,7 @@ For more detailed information, please refer to the [upgrade details page](/consu The following issues are known to exist in the v1.15.x releases: -- For v1.15.0 - v1.15.1, contain a race condition that can cause +- v1.15.0 - v1.15.1 contain a race condition that can cause some service instances to lose their ability to communicate in the mesh after [72 hours (LeafCertTTL)](/consul/docs/connect/ca/consul#leafcertttl) due to a problem with leaf certificate rotation.