Properties
This section describes the supported properties of the a9s Consul component.
tls_min_version and tls_cipher_suites
Consul lets you set the minimum TLS version for the HTTP API and RPC via the tls_min_version property. It also lets you configure the supported cipher suites as a comma-separated list via the tls_cipher_suites property.
Caution: As referenced in this Go blog post, for TLS 1.3, the specified tls_cipher_suites will not be used, and Consul will make sure to use the best algorithm possible based on the VM characteristics.
a9s Consul makes these properties configurable via multiple ops files to be used for each component. You must define the values in the IaaS file under the following properties:
iaas:
  (...)
  consul:
    (...)
    tls_min_version: <tls-version>
    tls_cipher_suites: <cipher-suite>
    (...)
You can check the list of ops files and the manifests that they must be applied with in the ops/README.md file in the anynines-deployment under the section "a9s Consul TLS Configuration".
Example:
bosh -d postgresql-service deploy \
  --ops-file ops/tls_configurations/data-services/add_consul_tls_properties.yml \
  --ops-file ops/tls_configurations/a9s-postgresql/add_service_instances_consul_tls_properties.yml \
  --vars-file config/iaas-config.yml
  (...)
For the a9s-<data-service>, it is necessary to execute the Template Uploader Errand after deploying the ops file, and then run the Deployment Updater Errand to apply the changes to the service instances:
bosh -d <data-service>-service run-errand templates-uploader
bosh -d <data-service>-service run-errand deployment_updater
If the ops files are not applied, a9s Consul falls back to the default values used by Consul. See the official Consul documentation for details on these defaults.
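A pre-deploy lint for the tls_min_version and tls_cipher_suites values described above, as an added example that is not part of the a9s documentation or tooling. It assumes the values are passed to Consul unchanged and use Consul's own syntax (tls10 to tls13, Go cipher-suite names); the function name and sample values are constructed for illustration.

```python
# Added example: lint the iaas.consul TLS values before running `bosh deploy`.
# Assumption: values use Consul's syntax (tls10..tls13, Go cipher-suite names).
VERSIONS = ["tls10", "tls11", "tls12", "tls13"]
WEAK_MARKERS = ("_CBC_", "_RC4_", "_3DES_")


def lint_consul_tls(consul_props):
    """Return a list of findings for the consul TLS properties (a dict)."""
    findings = []
    version = consul_props.get("tls_min_version")
    raw_suites = consul_props.get("tls_cipher_suites", "")
    # The property is a comma-separated list; tolerate spaces around commas.
    suites = [s.strip() for s in raw_suites.split(",") if s.strip()]

    if version is None:
        findings.append("tls_min_version unset: Consul default applies")
    elif version not in VERSIONS:
        findings.append(f"tls_min_version {version!r} is not a known value")
    elif VERSIONS.index(version) < VERSIONS.index("tls12"):
        findings.append(f"tls_min_version {version} allows deprecated TLS")
    elif version == "tls13" and suites:
        # Per the caution above: TLS 1.3 does not use the configured suites.
        findings.append("tls_cipher_suites is ignored when only TLS 1.3 is allowed")

    for suite in suites:
        reasons = [m.strip("_") for m in WEAK_MARKERS if m in suite]
        if suite.startswith("TLS_RSA_"):
            reasons.append("no forward secrecy")  # static RSA key exchange
        if reasons:
            findings.append(f"{suite}: {', '.join(reasons)}")
    return findings


# Constructed sample values, not taken from any real deployment.
WEAK = {
    "tls_min_version": "tls10",
    "tls_cipher_suites": "TLS_RSA_WITH_AES_128_CBC_SHA, "
                         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
HARDENED = {
    "tls_min_version": "tls12",
    "tls_cipher_suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

if __name__ == "__main__":
    for name, props in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_consul_tls(props) or "ok")
```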