前言: 最早是因为我在试用consul 1.14.3 的时候遇到8503端口占用的问题。尝试查找问题,能查到的比较少。最后还是在consul官网的一个角落发现grpc_tls 8503的内容。 这里插播一下,consul官网ports table 中对于grpc_tls的端口也没有提及,关于这个我还进行了反馈
https://developer.hashicorp.com/consul/docs/upgrading/upgrade-specific
Consul 1.14.x
Service Mesh Compatibility
Prior to Consul 1.14, cluster peering or Consul connect were disabled by default. A breaking change was made in Consul 1.14 that:
Service Mesh 兼容性
在Consul 1.14之前,默认情况下禁用cluster peering或Consul连接。Consul 1.14做出了一个突破性的改变:
Cluster Peering is enabled by default. Cluster peering and WAN federation can coexist, so there is no need to disable cluster peering to upgrade existing WAN federated datacenters. To disable cluster peering nonetheless, set peering.enabled to false.
默认情况下已启用cluster peering。cluster peering和WAN联盟可以共存,因此无需禁用cluster peering来升级现有的WAN联盟数据中心。要禁用cluster peering,请将peering.enabled设置为false。
Consul Connect is enabled by default. To disable, set connect.enabled to false.
默认情况下,Consul Connect已启用。要禁用,请将connect.enabled设置为false。
The changes to Consul service mesh in version 1.14 are incompatible with Nomad 1.4.2 and earlier. If you operate Consul service mesh using Nomad 1.4.2 or earlier, do not upgrade to Consul 1.14 until hashicorp/nomad#15266 is fixed.
1.14版中对Consul service mesh的更改与Nomad 1.4.2及更早版本不兼容。如果您使用Nomad 1.4.2或更早版本运行Consul服务网格,请在修复hashicorp/nomad#15266之前不要升级到Consul 1.14。
For 1.14.0, there is a known issue with consul connect envoy. If the command is configured to use TLS for contacting the HTTP API, it will also incorrectly enable TLS for gRPC. Users should not upgrade to 1.14.0 if they are using plaintext gRPC connections in conjunction with TLS-encrypted HTTP APIs.
对于1.14.0,consul connect envoy存在已知问题。如果该命令被配置为使用TLS联系HTTP API,那么它也会错误地为gRPC启用TLS。如果用户将明文gRPC连接与TLS加密的HTTP API结合使用,则不应升级到1.14.0。
Changes to gRPC TLS configuration
Make configuration changes if using ports.grpc in conjunction with any of the following settings that enables encryption:
对gRPC TLS配置的更改
如果将ports.grpc与以下任何启用加密的设置一起使用,请进行配置更改:
tls.grpc
tls.defaults
auto_encrypt
auto_config
Prior to Consul 1.14, it was possible to encrypt communication between Consul and Envoy over ports.grpc using these settings.
在Consul 1.14之前,可以使用这些设置通过ports.grpc加密Consul和Envoy之间的通信。
Consul 1.14 introduces ports.grpc_tls, a new configuration for encrypting communication over gRPC. The existing ports.grpc configuration no longer supports encryption. As of version 1.14, ports.grpc_tls is the only port that serves encrypted gRPC traffic. The default value for the gRPC TLS port is 8503 for Consul servers. To disable the gRPC TLS port, use value -1.
Consul 1.14引入了ports.grpc_tls,这是一种用于通过grpc加密通信的新配置。现有ports.grpc配置不再支持加密。从1.14版起,ports.grpc_tls是唯一一个为加密grpc流量提供服务的端口。对于Consul服务器,gRPC TLS端口的默认值为8503。要禁用gRPC TLS端口,请使用值-1。
If you already use gRPC encryption, change the following fields to ensure compatibility:
如果已使用gRPC加密,请更改以下字段以确保兼容性:
Change ports.grpc to ports.grpc_tls. Refer to the grpc_tls_port documentation for details.
将ports.grpc更改为ports.grpc_tls。有关详细信息,请参阅grpc_tls_port文档。
Change addresses.grpc to addresses.grpc_tls. Refer to the grpc_tls documentation for details.
将addresses.grpc更改为addresses.grpc_tls。有关详细信息,请参阅grpc_tls文档。
Update consul connect envoy command
invocations to specify gRPC CA certificates with one of the new configuration options: -grpc-ca-file or -grpc-ca-path (or their corresponding environment variables).
更新consul connect特使命令调用,以使用一个新的配置选项指定gRPC CA证书:-gRPC CA file或-gRPC CA path(或其相应的环境变量)。
Changes to peering
peering 的更新
Cluster peering was released in Consul 1.13 as an experimental feature. In Consul 1.14, cluster peering has been improved and is now considered stable. All experimental peering connections created by 1.13 should be deleted prior to upgrading, as they will no longer be compatible with 1.14.
集群对等在Consul 1.13中作为实验性功能发布。在Consul 1.14中,集群对等得到了改进,现在被认为是稳定的。1.13创建的所有实验性对等连接应在升级之前删除,因为它们将不再与1.14兼容。
