
[DO NOT MERGE] Scenario with Consul 1.14 and new TLS config #12

Open
wants to merge 1 commit into base: main

Conversation

danielehc
Contributor

@danielehc danielehc commented Nov 17, 2022

Test scenario with Consul 1.14 and new TLS configuration for Consul DC

Configuration reference:

- Server:

```json
"tls": {
    "defaults": {
        "ca_file"   : "/consul/config/certs/consul-agent-ca.pem",
        "cert_file" : "/consul/config/certs/dc1-server-consul-0.pem",
        "key_file"  : "/consul/config/certs/dc1-server-consul-0-key.pem",

        "verify_outgoing"        : true,
        "verify_incoming"        : true
    },

    "https": {
        "verify_incoming"        : false
    },
    "internal_rpc": {
        "verify_server_hostname" : true
    }
},

"auto_encrypt": {
    "allow_tls" : true
}
```

- Client:

```json
"tls": {
    "defaults": {
        "ca_file"   : "/consul/config/certs/consul-agent-ca.pem",
        "verify_outgoing"        : true,
        "verify_incoming"        : true
    },
    "https": {
        "verify_incoming"        : false
    },
    "internal_rpc": {
        "verify_server_hostname" : true
    }
},

"auto_encrypt": {
    "tls" : true
}
```
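
As an added example (not code from this PR or from Consul itself), a small Python resolver for the 1.14 `tls` shape used above: it overlays `tls.defaults` with each listener block, matching the documented precedence, and reports the effective settings a reviewer would want to check before a scenario like this ships. The listener names and the server snippet are taken from the description; the finding wording is the example's own.

```python
import json

LISTENERS = ("https", "internal_rpc", "grpc")

# Constructed copy of the server snippet from the PR description, as JSON.
SERVER_CFG = json.loads("""
{
  "tls": {
    "defaults": {
      "ca_file": "/consul/config/certs/consul-agent-ca.pem",
      "cert_file": "/consul/config/certs/dc1-server-consul-0.pem",
      "key_file": "/consul/config/certs/dc1-server-consul-0-key.pem",
      "verify_outgoing": true,
      "verify_incoming": true
    },
    "https": {"verify_incoming": false},
    "internal_rpc": {"verify_server_hostname": true}
  },
  "auto_encrypt": {"allow_tls": true}
}
""")

def effective_tls(cfg):
    """Per-listener settings: tls.defaults overlaid by the listener's own block.
    Keys absent from both stay absent, so Consul's built-in default applies."""
    tls = cfg.get("tls", {})
    defaults = tls.get("defaults", {})
    return {name: {**defaults, **tls.get(name, {})} for name in LISTENERS}

def audit(cfg):
    """Return findings about the effective TLS settings, one string each."""
    findings = []
    auto_encrypt = cfg.get("auto_encrypt", {}).get("tls", False)  # client-side auto_encrypt
    eff = effective_tls(cfg)
    for name, s in eff.items():
        if s.get("verify_outgoing") and not s.get("ca_file"):
            findings.append(f"{name}: verify_outgoing=true but no ca_file to verify against")
        has_cert = s.get("cert_file") and s.get("key_file")
        if s.get("verify_incoming") and not has_cert and not auto_encrypt:
            findings.append(f"{name}: verify_incoming=true but no cert_file/key_file and auto_encrypt.tls is off")
        if not s.get("verify_incoming"):
            findings.append(f"{name}: verify_incoming=false, connections are accepted without a client certificate")
    if not eff["internal_rpc"].get("verify_server_hostname"):
        findings.append("internal_rpc: verify_server_hostname=false, server certs are not checked for the server.<dc>.<domain> name")
    return findings

if __name__ == "__main__":
    for finding in audit(SERVER_CFG):
        print("WARN", finding)
```

For the server snippet the only finding is the HTTPS listener accepting connections without a client certificate, which is the intended trade-off for the API/UI here; the same run over the client snippet shows `auto_encrypt.tls` covering the missing `cert_file`.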

@danielehc danielehc self-assigned this Nov 17, 2022
@danielehc danielehc changed the title Scenario with Consul 1.14 and new TLS config [DO NOT MERGE] Scenario with Consul 1.14 and new TLS config Nov 17, 2022
Contributor

@eddie-rowe eddie-rowe left a comment


The scenario worked great - nice work!

A few notes before merging:

  • Make sure the tutorial content is updated (terminal content, any notes/docs on the legacy TLS, screenshots as needed, etc).
  • By default the generated certs have a TTL of one year, which means this scenario will break in a year for practitioners (this happened to a few of my other ones). Not sure how you generated these, but there is a command that lets you create the certs with a TTL of 3 years, which could give you a little more time before having to create new certs.

@krastin

krastin commented Dec 8, 2022

I tested the scenario and it works for me too!
If you would like to automate the certificate creation, take a look at this repo here:

https://github.com/hashicorp-demoapp/hashicups-setups/blob/7b8a0738c8a73b95aaebd71e0fd4ce5d385ba31a/docker-compose-consul/build_images.sh#L3

It basically builds a Consul image that runs the tls commands and then copies the certs off the container into the working dir.
