All Versions
183
Latest Version
Avg Release Cycle
29 days
Latest Release
620 days ago

Changelog History
Page 1

  • v1.13.2 Changes

    September 20, 2022

    ๐Ÿ’ฅ BREAKING CHANGES:

    • ๐Ÿš€ ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the update capability on the intermediate PKI's tune mount configuration endpoint, such as /sys/mounts/connect_inter/tune. The breaking nature of this change will be resolved in an upcoming 1.13 patch release. Refer to upgrade guidance for more information.

    ๐Ÿ”’ SECURITY:

    • auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the AutoConfig.InitialConfiguration endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [GH-14577]
    • connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the ConnectCA.Sign endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [GH-14579]

    ๐Ÿ”‹ FEATURES:

    • ๐Ÿ“„ cli: Adds new subcommands for peering workflows. Refer to the CLI docs for more information. [GH-14423]
    • connect: Server address changes are streamed to peers [GH-14285]
    • service-defaults: Added support for local_request_timeout_ms and local_connect_timeout_ms in servicedefaults config entry [GH-14395]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • โœ… connect: Bump latest Envoy to 1.23.1 in test matrix [GH-14573]
    • ๐Ÿ”ง connect: expose new tracing configuration on envoy [GH-13998]
    • ๐Ÿ”ง envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. [GH-14238]
    • metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [GH-14161]
    • peering: Validate peering tokens for server name conflicts [GH-14563]
    • snapshot agent: (Enterprise only) Add support for path-based addressing when using s3 backend.
    • ๐Ÿ’ป ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ [GH-14521]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  agent: Fixes an issue where an agent that fails to start due to bad addresses won't clean up any existing listeners [GH-14081]
    • api: Fix a breaking change caused by renaming QueryDatacenterOptions to QueryFailoverOptions. This adds QueryDatacenterOptions back as an alias to ๐Ÿ—„ QueryFailoverOptions and marks it as deprecated. [GH-14378]
    • โšก๏ธ ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed. [GH-14516]
    • cli: When launching a sidecar proxy with consul connect envoy or consul connect proxy, the -sidecar-for service ID argument is now treated as case-insensitive. [GH-14034]
    • connect: Fix issue where auto_config and auto_encrypt could unintentionally enable TLS for gRPC xDS connections. [GH-14269]
    • ๐Ÿšš connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster. [GH-14598]
    • ๐Ÿ— connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring. [GH-14429]
    • ๐Ÿ›  connect: Fixed some spurious issues during peering establishment when a follower is dialed [GH-14119]
    • ๐Ÿ”ง envoy: validate name before deleting proxy default configurations. [GH-14290]
    • peering: Fix issue preventing deletion and recreation of peerings in TERMINATED state. [GH-14364]
    • rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries [GH-14233]
    • tls: undo breaking change that prevented setting TLS for gRPC when using config flags available in Consul v1.11. [GH-14668]
    • ๐Ÿšš ui: Removed Overview page from HCP instalations [GH-14606]

  • v1.13.1 Changes

    August 11, 2022

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  agent: Fixed a compatibility issue when restoring snapshots from pre-1.13.0 versions of Consul [GH-14107] [GH-14149]
    • ๐Ÿ›  connect: Fixed some spurious issues during peering establishment when a follower is dialed [GH-14119]

  • v1.13.0 Changes

    August 09, 2022

    ๐Ÿ’ฅ BREAKING CHANGES:

    • config-entry: Exporting a specific service name across all namespace is invalid.
    • ๐Ÿš€ connect: contains an upgrade compatibility issue when restoring snapshots containing service mesh proxy registrations from pre-1.13 versions of Consul [GH-14107]. Fixed in 1.13.1 [GH-14149]. Refer to 1.13 upgrade guidance for more information.
    • ๐Ÿš€ connect: if using auto-encrypt or auto-config, TLS is required for gRPC communication between Envoy and Consul as of 1.13.0; this TLS for gRPC requirement will be removed in a future 1.13 patch release. Refer to 1.13 upgrade guidance for more information.
    • โฌ†๏ธ connect: if a pre-1.13 Consul agent's HTTPS port was not enabled, upgrading to 1.13 may turn on TLS for gRPC communication for Envoy and Consul depending on the agent's TLS configuration. Refer to 1.13 upgrade guidance for more information.
    • ๐Ÿšš connect: Removes support for Envoy 1.19 [GH-13807]
    • telemetry: config flag telemetry { disable_compat_1.9 = (true|false) } has been removed. Before upgrading you should remove this flag from your config if the flag is being used. [GH-13532]

    ๐Ÿ”‹ FEATURES:

    • Cluster Peering (Beta) This version adds a new model to federate Consul clusters for both service mesh and traditional service discovery. Cluster peering allows for service interconnectivity with looser coupling than the existing WAN federation. For more information refer to the cluster peering documentation.
    • Transparent proxying through terminating gateways This version adds egress traffic control to destinations outside of Consul's catalog, such as APIs on the public internet. Transparent proxies can dial destinations defined in service-defaults and have the traffic routed through terminating gateways. For more information refer to the terminating gateway documentation.
    • acl: It is now possible to login and logout using the gRPC API [GH-12935]
    • ๐Ÿ— agent: Added information about build date alongside other version information for Consul. Extended /agent/self endpoint and consul version commands ๐Ÿ— to report this. Agent also reports build date in log on startup. [GH-13357]
    • ca: Leaf certificates can now be obtained via the gRPC API: Sign [GH-12787]
    • checks: add UDP health checks.. [GH-12722]
    • cli: A new flag for config delete to delete a config entry in a valid config file, e.g., config delete -filename intention-allow.hcl [GH-13677]
    • 0๏ธโƒฃ connect: Adds a new destination field to the service-default config entry that allows routing egress traffic through a terminating gateway in transparent proxy mode without modifying the catalog. [GH-13613]
    • grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-12825]
    • grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-1717]
    • ๐Ÿ‘ grpc: New gRPC service and endpoint to return the list of supported consul dataplane features [GH-12695]
    • โšก๏ธ server: broadcast the public grpc port using lan serf and update the consul service in the catalog with the same data [GH-13687]
    • โšก๏ธ streaming: Added topic that can be used to consume updates about the list of services in a datacenter [GH-13722]
    • streaming: Added topics for ingress-gateway, mesh, service-intentions and service-resolver config entry events. [GH-13658]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • ๐Ÿ”€ api: merge-central-config query parameter support added to /catalog/node-services/:node-name API, to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13450]
    • ๐Ÿ”€ api: merge-central-config query parameter support added to /catalog/node-services/:node-name API, to view a fully resolved service definition (especially when not written into the catalog that way). [GH-2046]
    • ๐Ÿ”€ api: merge-central-config query parameter support added to some catalog and health endpoints to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13001]
    • api: add the ability to specify a path prefix for when consul is behind a reverse proxy or API gateway [GH-12914]
    • catalog: Add per-node indexes to reduce watchset firing for unrelated nodes and services. [GH-12399]
    • connect: add validation to ensure connect native services have a port or socketpath specified on catalog registration. This was the only missing piece to ensure all mesh services are validated for a port (or socketpath) specification on catalog registration. [GH-12881]
    • ๐Ÿ’ป ui: Add new CopyableCode component and use it in certain pre-existing areas [GH-13686]
    • acl: Clarify node/service identities must be lowercase [GH-12807]
    • ๐Ÿ‘ command: Add support for enabling TLS in the Envoy Prometheus endpoint via the consul connect envoy command. โž• Adds the -prometheus-ca-file, -prometheus-ca-path, -prometheus-cert-file and -prometheus-key-file flags. [GH-13481]
    • ๐Ÿ‘ connect: Add Envoy 1.23.0 to support matrix [GH-13807]
    • connect: Added a max_inbound_connections setting to service-defaults for limiting the number of concurrent inbound connections to each service instance. [GH-13143]
    • grpc: Add a new ServerDiscovery.WatchServers gRPC endpoint for being notified when the set of ready servers has changed. [GH-12819]
    • telemetry: Added consul.raft.thread.main.saturation and consul.raft.thread.fsm.saturation metrics to measure approximate saturation of the Raft goroutines [GH-12865]
    • ๐Ÿฑ ui: removed external dependencies for serving UI assets in favor of Go's native embed capabilities [GH-10996]
    • โฌ†๏ธ ui: upgrade ember-composable-helpers to v5.x [GH-13394]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  acl: Fixed a bug where the ACL down policy wasn't being applied on remote errors from the primary datacenter. [GH-12885]
    • cli: when acl token read is used with the -self and -expanded flags, return an error instead of panicking [GH-13787]
    • ๐Ÿ›  connect: Fixed a goroutine/memory leak that would occur when using the ingress gateway. [GH-13847]
    • connect: Ingress gateways with a wildcard service entry should no longer pick up non-connect services as upstreams. connect: Terminating gateways with a wildcard service entry should no longer pick up connect services as upstreams. [GH-13958]
    • ๐Ÿ”ง proxycfg: Fixed a minor bug that would cause configuring a terminating gateway to watch too many service resolvers and waste resources doing filtering. [GH-13012]
    • โฌ†๏ธ raft: upgrade to v1.3.8 which fixes a bug where non cluster member can still be able to participate in an election. [GH-12844]
    • rpc: Adds a deadline to client RPC calls, so that streams will no longer hang indefinitely in unstable network conditions. [GH-8504] [GH-11500]
    • โฌ†๏ธ serf: upgrade serf to v0.9.8 which fixes a bug that crashes Consul when serf keyrings are listed [GH-13062]
    • ๐Ÿ’ป ui: Fixes an issue where client side validation errors were not showing in certain areas [GH-14021]

  • v1.13.0-alpha2 Changes

    June 21, 2022

    ๐Ÿ‘Œ IMPROVEMENTS:

    • ๐Ÿ”€ api: merge-central-config query parameter support added to /catalog/node-services/:node-name API, to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13450]
    • ๐Ÿš€ connect: Update Envoy support matrix to latest patch releases (1.22.2, 1.21.3, 1.20.4, 1.19.5) [GH-13431]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ’ป ui: Fix incorrect text on certain page empty states [GH-13409]

  • v1.13.0-alpha1 Changes

    June 15, 2022

    ๐Ÿ’ฅ BREAKING CHANGES:

    • config-entry: Exporting a specific service name across all namespace is invalid.

    ๐Ÿ”‹ FEATURES:

    • acl: It is now possible to login and logout using the gRPC API [GH-12935]
    • ๐Ÿ— agent: Added information about build date alongside other version information for Consul. Extended /agent/self endpoint and consul version commands ๐Ÿ— to report this. Agent also reports build date in log on startup. [GH-13357]
    • ca: Leaf certificates can now be obtained via the gRPC API: Sign [GH-12787]
    • checks: add UDP health checks.. [GH-12722]
    • grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-12825]
    • grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-1717]
    • ๐Ÿ‘ grpc: New gRPC service and endpoint to return the list of supported consul dataplane features [GH-12695]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • ๐Ÿ”€ api: merge-central-config query parameter support added to some catalog and health endpoints to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13001]
    • api: add the ability to specify a path prefix for when consul is behind a reverse proxy or API gateway [GH-12914]
    • connect: add validation to ensure connect native services have a port or socketpath specified on catalog registration. This was the only missing piece to ensure all mesh services are validated for a port (or socketpath) specification on catalog registration. [GH-12881]
    • ๐Ÿ‘Œ Support Vault namespaces in Connect CA by adding RootPKINamespace and IntermediatePKINamespace fields to the config. [GH-12904]
    • acl: Clarify node/service identities must be lowercase [GH-12807]
    • connect: Added a max_inbound_connections setting to service-defaults for limiting the number of concurrent inbound connections to each service instance. [GH-13143]
    • ๐Ÿ‘ dns: Added support for specifying admin partition in node lookups. [GH-13421]
    • grpc: Add a new ServerDiscovery.WatchServers gRPC endpoint for being notified when the set of ready servers has changed. [GH-12819]
    • telemetry: Added consul.raft.thread.main.saturation and consul.raft.thread.fsm.saturation metrics to measure approximate saturation of the Raft goroutines [GH-12865]
    • telemetry: Added a consul.server.isLeader metric to track if a server is a leader or not. [GH-13304]
    • ๐Ÿฑ ui: removed external dependencies for serving UI assets in favor of Go's native embed capabilities [GH-10996]
    • โฌ†๏ธ ui: upgrade ember-composable-helpers to v5.x [GH-13394]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  acl: Fixed a bug where the ACL down policy wasn't being applied on remote errors from the primary datacenter. [GH-12885]
    • ๐Ÿ›  agent: Fixed a bug in HTTP handlers where URLs were being decoded twice [GH-13256]
    • โšก๏ธ deps: Update go-grpc/grpc, resolving connection memory leak [GH-13051]
    • ๐Ÿ›  fix a bug that caused an error when creating grpc or http2 ingress gateway listeners with multiple services [GH-13127]
    • ๐Ÿ”ง proxycfg: Fixed a minor bug that would cause configuring a terminating gateway to watch too many service resolvers and waste resources doing filtering. [GH-13012]
    • โฌ†๏ธ raft: upgrade to v1.3.8 which fixes a bug where non cluster member can still be able to participate in an election. [GH-12844]
    • โฌ†๏ธ serf: upgrade serf to v0.9.8 which fixes a bug that crashes Consul when serf keyrings are listed [GH-13062]

  • v1.12.5 Changes

    September 20, 2022

    ๐Ÿ’ฅ BREAKING CHANGES:

    • ๐Ÿš€ ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the update capability on the intermediate PKI's tune mount configuration endpoint, such as /sys/mounts/connect_inter/tune. The breaking nature of this change will be resolved in an upcoming 1.12 patch release. Refer to upgrade guidance for more information.

    ๐Ÿ”’ SECURITY:

    • auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the AutoConfig.InitialConfiguration endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [GH-14577]
    • connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the ConnectCA.Sign endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [GH-14579]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • ๐Ÿ”ง envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. [GH-14238]
    • metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [GH-14161]
    • snapshot agent: (Enterprise only) Add support for path-based addressing when using s3 backend.
    • ๐Ÿ’ป ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ [GH-14521]

    ๐Ÿ› BUG FIXES:

    • โšก๏ธ ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed. [GH-14516]
    • cli: When launching a sidecar proxy with consul connect envoy or consul connect proxy, the -sidecar-for service ID argument is now treated as case-insensitive. [GH-14034]
    • ๐Ÿšš connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster. [GH-14598]
    • ๐Ÿ— connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring. [GH-14429]
    • ๐Ÿ”ง envoy: validate name before deleting proxy default configurations. [GH-14290]
    • rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries [GH-14233]
    • ๐Ÿšš ui: Removed Overview page from HCP instalations [GH-14606]

  • v1.12.4 Changes

    August 11, 2022

    ๐Ÿ› BUG FIXES:

    • cli: when acl token read is used with the -self and -expanded flags, return an error instead of panicking [GH-13787]
    • ๐Ÿ›  connect: Fixed a goroutine/memory leak that would occur when using the ingress gateway. [GH-13847]
    • connect: Ingress gateways with a wildcard service entry should no longer pick up non-connect services as upstreams. connect: Terminating gateways with a wildcard service entry should no longer pick up connect services as upstreams. [GH-13958]
    • ๐Ÿ’ป ui: Fixes an issue where client side validation errors were not showing in certain areas [GH-14021]

  • v1.12.3 Changes

    July 13, 2022

    ๐Ÿ‘Œ IMPROVEMENTS:

    • ๐Ÿ‘Œ Support Vault namespaces in Connect CA by adding RootPKINamespace and IntermediatePKINamespace fields to the config. [GH-12904]
    • ๐Ÿš€ connect: Update Envoy support matrix to latest patch releases (1.22.2, 1.21.3, 1.20.4, 1.19.5) [GH-13431]
    • ๐Ÿ‘ dns: Added support for specifying admin partition in node lookups. [GH-13421]
    • telemetry: Added a consul.server.isLeader metric to track if a server is a leader or not. [GH-13304]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  agent: Fixed a bug in HTTP handlers where URLs were being decoded twice [GH-13256]
    • โšก๏ธ deps: Update go-grpc/grpc, resolving connection memory leak [GH-13051]
    • ๐Ÿ›  fix a bug that caused an error when creating grpc or http2 ingress gateway listeners with multiple services [GH-13127]
    • ๐Ÿ’ป ui: Fix incorrect text on certain page empty states [GH-13409]
    • ๐Ÿ›ฐ xds: Fix a bug that resulted in Lambda services not using the payload-passthrough option as expected. [GH-13607]
    • ๐Ÿ”ง xds: Fix a bug where terminating gateway upstream clusters weren't configured properly when the service protocol was http2. [GH-13699]

  • v1.12.2 Changes

    June 03, 2022

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  kvs: Fixed a bug where query options were not being applied to KVS.Get RPC operations. [GH-13344]

  • v1.12.1 Changes

    May 25, 2022

    ๐Ÿ”‹ FEATURES:

    • xds: Add the ability to invoke AWS Lambdas through sidecar proxies. [GH-12956]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • config: introduce telemetry.retry_failed_connection in agent configuration to retry on failed connection to any telemetry backend. This prevents the agent from exiting if the given DogStatsD DNS name is unresolvable, for example. [GH-13091]
    • sentinel: (Enterprise Only) Sentinel now uses SHA256 to generate policy ids
    • xds: Envoy now inserts x-forwarded-client-cert for incoming proxy connections [GH-12878]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  Fix a bug when configuring an add_headers directive named Host the header is not set for v1/internal/ui/metrics-proxy/ endpoint. [GH-13071]
    • api: Fix a bug that causes partition to be ignored when creating a namespace [GH-12845]
    • api: agent/self now returns version with +ent suffix for Enterprise Consul [GH-12961]
    • areas: (Enterprise Only) Fixes a bug when using Yamux pool ( for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time. [GH-1368]
    • ca: fix a bug that caused a non blocking leaf cert query after a blocking leaf cert query to block [GH-12820]
    • ๐Ÿ—„ config: fix backwards compatibility bug where setting the (deprecated) top-level verify_incoming option would enable TLS client authentication on the gRPC port [GH-13118]
    • health: ensure /v1/health/service/:service endpoint returns the most recent results when a filter is used with streaming #12640 [GH-12640]
    • rpc: Adds a deadline to client RPC calls, so that streams will no longer hang indefinitely in unstable network conditions. [GH-8504] [GH-11500]
    • snapshot-agent: (Enterprise only) Fix a bug where providing the ACL token to the snapshot agent via a CLI or ENV variable without a license configured results in an error during license auto-retrieval.
    • ๐Ÿ’ป ui: Re-instate '...' icon for row actions [GH-13183]

    NOTES:

    • ci: change action to pull v1 instead of main [GH-12846]