
Conversation

@danielehc
Contributor

@danielehc danielehc commented Nov 17, 2022

Test scenario with Consul 1.14 and new TLS configuration for Consul DC

Configuration reference:

  • Server:

```json
"tls": {
    "defaults": {
        "ca_file"   : "/consul/config/certs/consul-agent-ca.pem",
        "cert_file" : "/consul/config/certs/dc1-server-consul-0.pem",
        "key_file"  : "/consul/config/certs/dc1-server-consul-0-key.pem",

        "verify_outgoing"        : true,
        "verify_incoming"        : true
    },

    "https": {
        "verify_incoming"        : false
    },
    "internal_rpc": {
        "verify_server_hostname" : true
    }
},

"auto_encrypt": {
    "allow_tls" : true
}
```

  • Client:

```json
"tls": {
    "defaults": {
        "ca_file"   : "/consul/config/certs/consul-agent-ca.pem",
        "verify_outgoing"        : true,
        "verify_incoming"        : true
    },
    "https": {
        "verify_incoming"        : false
    },
    "internal_rpc": {
        "verify_server_hostname" : true
    }
},

"auto_encrypt": {
    "tls" : true
}
```
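The server fragment above sets `verify_incoming` to `true` in `tls.defaults` but `false` under `tls.https`, so the setting that actually applies depends on how Consul resolves listener-specific keys against the defaults. The following added example (not part of the PR or of Consul itself) resolves the effective per-listener settings for the server fragment, the way Consul 1.12+ layers `tls.https`, `tls.internal_rpc` and `tls.grpc` over `tls.defaults`, and reports which listeners end up without mutual authentication; the `SERVER_TLS` dictionary is constructed from the fragment above, and `grpc` is included even though the PR does not configure it, to show that it inherits the defaults.

```python
# Constructed from the server "tls" fragment in the PR description.
SERVER_TLS = {
    "defaults": {
        "ca_file": "/consul/config/certs/consul-agent-ca.pem",
        "cert_file": "/consul/config/certs/dc1-server-consul-0.pem",
        "key_file": "/consul/config/certs/dc1-server-consul-0-key.pem",
        "verify_outgoing": True,
        "verify_incoming": True,
    },
    "https": {"verify_incoming": False},
    "internal_rpc": {"verify_server_hostname": True},
}

# Listener-specific sections Consul 1.12+ accepts beside tls.defaults.
LISTENERS = ("https", "internal_rpc", "grpc")


def effective_tls(tls: dict) -> dict:
    """Resolve the per-listener TLS settings: keys set directly under a
    listener section override the same key in tls.defaults."""
    defaults = tls.get("defaults", {})
    return {name: {**defaults, **tls.get(name, {})} for name in LISTENERS}


def check_tls(tls: dict) -> list:
    """Return findings for listeners whose effective settings do not
    authenticate both sides of the connection."""
    findings = []
    eff = effective_tls(tls)
    for name, cfg in eff.items():
        if not cfg.get("verify_outgoing"):
            findings.append(f"{name}: verify_outgoing off, servers not authenticated")
        if not cfg.get("verify_incoming"):
            findings.append(f"{name}: verify_incoming off, peers need no certificate")
    # verify_server_hostname only applies to internal RPC; without it a
    # client certificate could be presented as a server certificate.
    if not eff["internal_rpc"].get("verify_server_hostname"):
        findings.append("internal_rpc: verify_server_hostname off")
    return findings


if __name__ == "__main__":
    for listener, cfg in effective_tls(SERVER_TLS).items():
        print(listener, {k: v for k, v in cfg.items() if k.startswith("verify")})
    for finding in check_tls(SERVER_TLS):
        print("finding:", finding)
```

For the PR's server fragment the only finding is the HTTPS listener, where `verify_incoming` is deliberately disabled so API clients can connect without a certificate; RPC and gRPC keep the mutual-TLS defaults.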

@danielehc danielehc self-assigned this Nov 17, 2022
@danielehc danielehc changed the title Senario with Consul 1.14 and new TLS config [DO NOT MERGE] Senario with Consul 1.14 and new TLS config Nov 17, 2022
Contributor

@eddie-rowe eddie-rowe left a comment


The scenario worked great - nice work!

A few notes before merging:

  • Make sure the tutorial content is updated (terminal content, any notes/docs on the legacy TLS, screenshots as needed, etc).
  • By default the generated certs have a TTL of one year, which means this scenario will break in a year for practitioners (this happened to a few of my other ones). Not sure how you generated these, but there is a command that lets you create the certs with a TTL of 3 years, which could give you a little more time before having to create new certs.

@krastin

krastin commented Dec 8, 2022

I tested the scenario and it works for me too!
If you would like to automate the certificate creation, take a look at this repo here:

https://github.com/hashicorp-demoapp/hashicups-setups/blob/7b8a0738c8a73b95aaebd71e0fd4ce5d385ba31a/docker-compose-consul/build_images.sh#L3

It basically builds a Consul image that runs the tls commands and then copies the certs off the container into the working dir.
