Version: 31.1.0

a9s Consul

This document describes the supported properties for a9s Consul.

tls_min_version and tls_cipher_suites

Consul lets you specify the minimum TLS version for the HTTP API and RPC via the tls_min_version property, and the supported cipher suites as a comma-separated list via the tls_cipher_suites property.

Caution: As referenced in this Go blog post, for TLS 1.3, the specified tls_cipher_suites will not be used, and Consul will make sure to use the best algorithm possible based on the VM characteristics.

a9s Consul makes these properties configurable via multiple ops files to be used for each component. You must define the values in the IaaS file under the following properties:

iaas:
  (...)
  consul:
    (...)
    tls_min_version: <tls-version>
    tls_cipher_suites: <cipher-suite>
  (...)
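
A pre-deploy check for these two values, as an added example (not part of the a9s documentation or anynines-deployment). The function name, the accepted version spellings (Consul's tls12 and TLSv1_2 forms) and the weak-suite policy are assumptions; it takes the consul mapping already loaded from the IaaS file.

```python
# Added example: pre-deploy lint for the iaas.consul TLS properties.
# Assumptions: both Consul spellings of the version value are accepted, and the
# weak-suite markers are a local hardening policy, not an a9s requirement.

# Consul's legacy (tls12) and current (TLSv1_2) spellings -> comparable number.
VERSIONS = {"tls10": 10, "tls11": 11, "tls12": 12, "tls13": 13,
            "TLSv1_0": 10, "TLSv1_1": 11, "TLSv1_2": 12, "TLSv1_3": 13}
# Substrings marking suites a hardened config usually excludes (policy assumption):
# CBC mode, RC4, 3DES, and static RSA key exchange (no forward secrecy).
WEAK_MARKERS = ("_CBC_", "_RC4_", "_3DES_", "TLS_RSA_WITH_")


def lint_consul_tls(consul):
    """Return a list of findings for the consul mapping of an IaaS config."""
    findings = []
    version = consul.get("tls_min_version")
    raw = consul.get("tls_cipher_suites") or ""
    # tls_cipher_suites is a comma-separated list; tolerate spaces and empty items.
    suites = [s.strip() for s in raw.split(",") if s.strip()]

    if version is None:
        findings.append("tls_min_version unset: Consul default applies")
    elif version not in VERSIONS:
        findings.append(f"tls_min_version: unknown value {version!r}")
    elif VERSIONS[version] < 12:
        findings.append(f"tls_min_version: {version} permits TLS below 1.2")
    elif VERSIONS[version] >= 13 and suites:
        # The Caution above: the configured list is not used for TLS 1.3.
        findings.append("tls_cipher_suites: not used when minimum is TLS 1.3")

    for suite in suites:
        if not suite.startswith("TLS_"):
            findings.append(f"tls_cipher_suites: malformed name {suite!r}")
        elif any(marker in suite for marker in WEAK_MARKERS):
            findings.append(f"tls_cipher_suites: weak suite {suite}")
    return findings


SAMPLE = {  # constructed sample of the consul mapping under iaas:
    "tls_min_version": "tls11",
    "tls_cipher_suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "
                         "TLS_RSA_WITH_AES_128_CBC_SHA",
}

if __name__ == "__main__":
    for finding in lint_consul_tls(SAMPLE):
        print(finding)
```

An empty result means the values passed this policy; it does not confirm what the deployed Consul nodes negotiate.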

The list of ops files, and the manifests each one must be applied with, is in the ops/README.md file in the anynines-deployment, under the section a9s Consul TLS Configuration.

Example:

bosh -d postgresql-service deploy \
  --ops-file ops/tls_configurations/data-services/add_consul_tls_properties.yml \
  --ops-file ops/tls_configurations/a9s-postgresql/add_service_instances_consul_tls_properties.yml \
  --vars-file config/iaas-config.yml
  (...)

For the a9s-<data-service>, it is necessary to execute the Template Uploader Errand after deploying the ops file, and then run the Deployment Updater Errand to apply the changes to the service instances:

bosh -d <data-service>-service run-errand templates-uploader
bosh -d <data-service>-service run-errand deployment_updater

If the ops files are not applied, a9s Consul falls back to the default values used by Consul. See the official Consul documentation for details on these defaults.