All Versions
87
Latest Version
Avg Release Cycle
36 days
Latest Release
8 days ago

Changelog History
Page 1

  • v1.8.1

    July 30, 2020

    1.8.1 (July 30, 2020)

    πŸ”‹ FEATURES:

    πŸ‘Œ IMPROVEMENTS:

    • acl: allow auth methods created in the primary datacenter to optionally create global tokens [GH-7899]
    • agent: Allow to restrict servers that can join a given Serf Consul cluster. [GH-7628]
    • agent: new configuration options allow ratelimiting of the agent-cache: cache.entry_fetch_rate and cache.entry_fetch_max_burst. [GH-8226]
    • cli: Output message on success when writing/deleting config entries. [GH-7806]
    • connect: Append port number to expected ingress hosts [GH-8190]
    • dns: Improve RCODE of response when query targets a non-existent datacenter. [GH-8102],[GH-8218]
    • version: The version CLI subcommand was altered to always show the git revision the binary was built from on the second line of output. Additionally the command gained a -format flag with the option now of outputting the version information in JSON form. NOTE This change has the potential to break any parsing done by users of the version commands output. In many cases nothing will need to be done but it is possible depending on how the output is parsed. [GH-8268]

    πŸ›  BUGFIXES:

    • πŸ›  agent: Fixed a bug where Consul could crash when verify_outgoing was set to true but no client certificate was used. [GH-8211]
    • πŸ”’ agent: Fixed an issue with lock contention during RPCs when under load while using the Prometheus metrics sink. [GH-8372]
    • πŸ›  auto_encrypt: Fixed an issue where auto encrypt certificate signing wasn't using the connect signing rate limiter. [GH-8211]
    • πŸ›  auto_encrypt: Fixed several issues around retrieving the first TLS certificate where it would have the wrong CN and SANs. This was being masked by a second bug (also fixed) causing that certificate to immediately be discarded with a second certificate request being made afterwards. [GH-8211]
    • ⚑️ auto_encrypt: Fixed an issue that caused auto encrypt certificates to not be updated properly if the agents token was changed and the old token was deleted. [GH-8311]
    • connect: fix crash that would result if a mesh or terminating gateway's upstream has a hostname as an address and no healthy service instances available [GH-8158]
    • πŸ›  connect: Fixed issue where specifying a prometheus bind address would cause ingress gateways to fail to start up [GH-8371]
    • gossip: Avoid issue where two unique leave events for the same node could lead to infinite rebroadcast storms [GH-8343]
    • snapshot: (Consul Enterprise only) Fixed a regression when using Azure blob storage.
    • xds: version sniff envoy and switch regular expressions from 'regex' to 'safe_regex' on newer envoy versions [GH-8265]
  • v1.8.0

    June 15, 2020

    πŸ’₯ BREAKING CHANGES:

    • acl: Remove deprecated acl_enforce_version_8 option [GH-7991]

    πŸ”‹ FEATURES:

    • Terminating Gateway: Envoy can now be run as a gateway to enable services in a Consul service mesh to connect to external services through their local proxy. Terminating gateways unlock several of the benefits of a service mesh in the cases where a sidecar proxy cannot be deployed alongside services such as legacy applications or managed cloud databases.
    • Ingress Gateway: Envoy can now be run as a gateway to ingress traffic into the Consul service mesh, enabling a more incremental transition for applications.
    • WAN Federation over Mesh Gateways: Allows Consul datacenters to federate by forwarding WAN gossip and RPC traffic through Mesh Gateways rather than requiring the servers to be exposed to the WAN directly.
    • 🌐 JSON Web Token (JWT) Auth Method: Allows exchanging a signed JWT from a trusted external identity provider for a Consul ACL token.
    • Single Sign-On (SSO) [Enterprise]: Lets an operator configure Consul to use an external OpenID Connect (OIDC) provider to automatically handle the lifecycle of creating, distributing and managing ACL tokens for performing CLI operations or accessing the UI.
    • 🌲 Audit Logging [Enterprise]: Adds instrumentation to record a trail of events (both attempted and authorized) by users of Consul’s HTTP API for purposes of regulatory compliance.

    • acl: add DisplayName field to auth methods [GH-7769]

    • acl: add MaxTokenTTL field to auth methods [GH-7779]

    • πŸ”§ agent/xds: add support for configuring passive health checks [GH-7713]

    • ⚑️ cli: Add -config flag to "acl authmethod update/create" [GH-7776]

    • serf: allow to restrict servers that can join a given Serf Consul cluster. [GH-7628]

    • πŸ“š ui: Help menu to provide further documentation/learn links [GH-7310]

    • ui: (Consul Enterprise only) SSO support [GH-7742] [GH-7771] [GH-7790]

    • πŸ’» ui: Support for termininating and ingress gateways [GH-7858] [GH-7865]

    πŸ‘Œ IMPROVEMENTS:

    • acl: change authmethod.Validator to take a logger [GH-7758]
    • agent: show warning when enable_script_checks is enabled without safety net [GH-7437]
    • πŸ‘ api: Added filtering support to the v1/connect/intentions endpoint. [GH-7478]
    • auto_encrypt: add validations for auto_encrypt.{tls,allow_tls} [GH-7704]
    • πŸ— build: switched to compile with Go 1.14.1 [GH-7481]
    • config: validate system limits against limits.http_max_conns_per_client [GH-7434]
    • πŸ‘ connect: support envoy 1.12.3, 1.13.1, and 1.14.1. Envoy 1.10 is no longer officially supported. [GH-7380],[GH-7624]
    • connect: add DNSSAN and IPSAN to cache key for ConnectCALeafRequest [GH-7597]
    • connect: Added a new expose CLI command for ingress gateways [GH-8099]
    • license: (Consul Enterprise only) Update licensing to align with the current modules licensing structure.
    • 🌲 logging: catch problems with the log destination earlier by creating the file immediately [GH-7469]
    • πŸ‘ proxycfg: support path exposed with non-HTTP2 protocol [GH-7510]
    • 🚚 tls: remove old ciphers [GH-7282]
    • πŸ’» ui: Show the last 8 characters of AccessorIDs in listing views [GH-7327]
    • πŸ’» ui: Make all tabs within the UI linkable/bookmarkable and include in history [GH-7592]
    • πŸ’» ui: Redesign of all service pages [GH-7605] [GH-7632] [GH-7655] [GH-7683]
    • πŸ’» ui: Show intentions per individual service [GH-7615]
    • πŸ’» ui: Improved login/logout flow [GH-7790]
    • βͺ ui: Revert search to search as you type, add sort control for the service listing page [GH-7489]
    • πŸ’» ui: Omit proxy services from the service listing view and mark services as being proxied [GH-7820]
    • πŸ’» ui: Display proxies in a proxy info tab with the service instance detail page [GH-7745]
    • ⚑️ ui: Add live updates/blocking queries to gateway listings [GH-7967]
    • πŸ’» ui: Improved 'empty states' [GH-7940]
    • πŸ’» ui: Add ability to sort services based on health [GH-7989]
    • πŸ’» ui: Add explanatory tooltip panels for gateway services [GH-8048]
    • πŸ’» ui: Reduce discovery-chain log errors [GH-8065]

    πŸ›  BUGFIXES:

    • agent: (Consul Enterprise only) Fixed several bugs related to Network Area and Network Segment compatibility with other features caused by incorrectly doing version or serf tag checking. [GH-7491]
    • agent: rewrite checks with proxy address, not local service address [GH-7518]
    • agent: Preserve ModifyIndex for unchanged entry in KV transaciton [GH-7832]
    • 0️⃣ agent: use default resolver scheme for gRPC dialing [GH-7617]
    • cache: Fix go routine leak in the agent cache. [GH-8092]
    • cli: enable TLS when CONSUL_HTTP_ADDR has an https scheme [GH-7608]
    • ♻️ connect: Internal refactoring to allow Connect proxy config to contain lists of structured configuration [GH-7963][GH-7964]
    • license: (Consul Enterprise only) Fixed a bug that would cause a license reset request to only be applied on the leader server.
    • sdk: Fix race condition in freeport [GH-7567]
    • server: strip local ACL tokens from RPCs during forwarding if crossing datacenters [GH-7419]
    • πŸ’» ui: Quote service names when filtering intentions to prevent 500 errors when accessing a service [GH-7896] [GH-7888]
    • πŸ’» ui: Miscellaneous amends for Safari and Firefox [GH-7904] [GH-7907]
    • ui: Ensure a value is always passed to CONSUL_SSO_ENABLED [GH-7913]
  • v1.8.0-rc1

    June 15, 2020

    1.8.0-rc1 (June 15, 2020)

    πŸ’₯ BREAKING CHANGES:

    • acl: Remove deprecated acl_enforce_version_8 option [GH-7991]

    πŸ‘Œ IMPROVEMENTS:

    • ⚑️ ui: Add live updates/blocking queries to gateway listings [GH-7967]
    • πŸ’» ui: Improved 'empty states' [GH-7940]
    • πŸ’» ui: Add ability to sort services based on health [GH-7989]
    • πŸ’» ui: Add explanatory tooltip panels for gateway services [GH-8048]
    • πŸ’» ui: Reduce discovery-chain log errors [GH-8065]
    • connect: Enable mesh and terminating gateways to resolve hostnames to IPv4 addresses using system resolver [GH-7999]
    • connect: Always require Host headers when serving L7 traffic through ingress gateways [GH-7990]
    • connect: Allow users to specify wildcard host for ingress when TLS is disabled [GH-8083]
    • connect: New end point to return healthy ingress gateway instances [GH-8081]
    • connect: Added a new expose CLI command for ingress gateways [GH-8099]

    πŸ› BUG FIXES:

    • cache: Fix go routine leak in the agent cache. [GH-8092]
    • ♻️ connect: Internal refactoring to allow Connect proxy config to contain lists of structured configuration [GH-7963][GH-7964]
    • connect: Handle re-bootstrapping scenario for WAN federation over mesh gateways. [GH-7931]
    • server: don't activate federation state replication or anti-entropy until all servers are running 1.8.0 [GH-8014]
  • v1.8.0-beta2

    May 21, 2020

    1.8.0-beta2 (May 21, 2020)

    πŸ‘Œ IMPROVEMENTS:

    • xds: Ingress gateways now respect the same binding options as mesh and terminating gateways [GH-7924]

    πŸ›  BUGFIXES:

    • πŸ”§ xds: Fixed bug where deleting a gateway config entry did not correctly remove xDS configuration from the envoy proxy [GH-7898]
    • πŸ’» ui: Quote service names when filtering intentions to prevent 500 errors when accessing a service [GH-7896] [GH-7888]
    • πŸ’» ui: Miscellaneous amends for Safari and Firefox [GH-7904] [GH-7907]
    • ui: Ensure a value is always passed to CONSUL_SSO_ENABLED [GH-7913]
    • agent: Preserve ModifyIndex for unchanged entry in KV transaciton [GH-7832]
    • 0️⃣ agent: use default resolver scheme for gRPC dialing [GH-7617]
  • v1.8.0-beta1

    May 14, 2020

    πŸ”‹ FEATURES:

    • Terminating Gateway: Envoy can now be run as a gateway to enable services in a Consul service mesh to connect to external services through their local proxy. Terminating gateways unlock several of the benefits of a service mesh in the cases where a sidecar proxy cannot be deployed alongside services such as legacy applications or managed cloud databases.
    • Ingress Gateway: Envoy can now be run as a gateway to ingress traffic into the Consul service mesh, enabling a more incremental transition for applications.
    • WAN Federation over Mesh Gateways: Allows Consul datacenters to federate by forwarding WAN gossip and RPC traffic through Mesh Gateways rather than requiring the servers to be exposed to the WAN directly.
    • 🌐 JSON Web Token (JWT) Auth Method: Allows exchanging a signed JWT from a trusted external identity provider for a Consul ACL token.
    • Single Sign-On (SSO) [Enterprise]: Lets an operator configure Consul to use an external OpenID Connect (OIDC) provider to automatically handle the lifecycle of creating, distributing and managing ACL tokens for performing CLI operations or accessing the UI.
    • 🌲 Audit Logging [Enterprise]: Adds instrumentation to record a trail of events (both attempted and authorized) by users of Consul’s HTTP API for purposes of regulatory compliance.

    • acl: add DisplayName field to auth methods [GH-7769]

    • acl: add MaxTokenTTL field to auth methods [GH-7779]

    • πŸ”§ agent/xds: add support for configuring passive health checks [GH-7713]

    • ⚑️ cli: Add -config flag to "acl authmethod update/create" [GH-7776]

    • πŸ“š ui: Help menu to provide further documentation/learn links [GH-7310]

    • ui: (Consul Enterprise only) SSO support [GH-7742] [GH-7771] [GH-7790]

    • πŸ’» ui: Support for termininating and ingress gateways [GH-7858] [GH-7865]

    πŸ‘Œ IMPROVEMENTS:

    • acl: change authmethod.Validator to take a logger [GH-7758]
    • agent: show warning when enable_script_checks is enabled without safety net [GH-7437]
    • πŸ‘ api: Added filtering support to the v1/connect/intentions endpoint. [GH-7478]
    • auto_encrypt: add validations for auto_encrypt.{tls,allow_tls} [GH-7704]
    • πŸ— build: switched to compile with Go 1.14.1 [GH-7481]
    • config: validate system limits against limits.http_max_conns_per_client [GH-7434]
    • πŸ‘ connect: support envoy 1.12.3, 1.13.1, and 1.14.1. Envoy 1.10 is no longer officially supported. [GH-7380],[GH-7624]
    • connect: add DNSSAN and IPSAN to cache key for ConnectCALeafRequest [GH-7597]
    • license: (Consul Enterprise only) Update licensing to align with the current modules licensing structure.
    • 🌲 logging: catch problems with the log destination earlier by creating the file immediately [GH-7469]
    • πŸ‘ proxycfg: support path exposed with non-HTTP2 protocol [GH-7510]
    • 🚚 tls: remove old ciphers [GH-7282]
    • πŸ’» ui: Show the last 8 characters of AccessorIDs in listing views [GH-7327]
    • πŸ’» ui: Make all tabs within the UI linkable/bookmarkable and include in history [GH-7592]
    • πŸ’» ui: Redesign of all service pages [GH-7605] [GH-7632] [GH-7655] [GH-7683]
    • πŸ’» ui: Show intentions per individual service [GH-7615]
    • πŸ’» ui: Improved login/logout flow [GH-7790]
    • βͺ ui: Revert search to search as you type, add sort control for the service listing page [GH-7489]
    • πŸ’» ui: Omit proxy services from the service listing view and mark services as being proxied [GH-7820]
    • πŸ’» ui: Display proxies in a proxy info tab with the service instance detail page [GH-7745]

    πŸ›  BUGFIXES:

    • agent: (Consul Enterprise only) Fixed several bugs related to Network Area and Network Segment compatibility with other features caused by incorrectly doing version or serf tag checking. [GH-7491]
    • agent: rewrite checks with proxy address, not local service address [GH-7518]
    • cli: enable TLS when CONSUL_HTTP_ADDR has an https scheme [GH-7608]
    • license: (Consul Enterprise only) Fixed a bug that would cause a license reset request to only be applied on the leader server.
    • sdk: Fix race condition in freeport [GH-7567]
    • server: strip local ACL tokens from RPCs during forwarding if crossing datacenters [GH-7419]

    KNOWN ISSUES:

    • πŸ’» ui: service pages in the UI for services with non-alphanumeric characters will not render. They instead show a page that says The backend responded with an error and Error 500. [GH-7896]
  • v1.7.5

    July 30, 2020

    1.7.5 (July 30, 2020)

    πŸ› BUG FIXES:

    • πŸ”’ agent: Fixed an issue with lock contention during RPCs when under load while using the Prometheus metrics sink. [GH-8372]
    • gossip: Avoid issue where two unique leave events for the same node could lead to infinite rebroadcast storms [GH-8353]
    • snapshot: (Consul Enterprise only) Fixed a regression when using Azure blob storage.
    • Return a service splitter's weight or a zero [GH-8355]
  • v1.7.4

    June 10, 2020

    πŸ”’ SECURITY:

    • Adding an option http_config.use_cache to disable agent caching for http endpoints, because Consul’s DNS and HTTP API expose a caching feature susceptible to DoS. CVE-2020-13250 [GH-8023]
    • Propagate and enforce changes to legacy ACL tokens rules in secondary data centers. CVE-2020-12797 [GH-8047]
    • Only resolve local acl token in the datacenter it belongs to. CVE-2020-13170 [GH-8068]
    • Requiring service:write permissions, a service-router entry without a destination no longer crashes Consul servers. CVE-2020-12758 [GH-7783]

    πŸ› BUG FIXES:

    • πŸ›  acl: Fixed an issue where legacy management tokens could not be used in secondary datacenters. [GH-7908]
    • πŸ›  agent: Fixed a race condition that could cause an agent to crash when first starting. [GH-7955]
    • 0️⃣ connect: ensure proxy-defaults protocol is used for upstreams [GH-7938]
    • connect: setup intermediate_pki_path on secondary when using vault [GH-8001]
  • v1.7.3

    May 05, 2020

    πŸ‘Œ IMPROVEMENTS:

    • acl: (Consul Enterprise only) - Disable the ACL.Bootstrap RPC endpoints when managed service provider tokens are in use. [GH-7614]
    • acl: (Consul Enterprise only) - Consul agents will now use the first managed service provider token for the agents token when any are present.
    • acl: Added a v1/acl/policy/name/:name HTTP endpoint to read a policy by name. [GH-6615]
    • acl: Added JSON format output to all of the ACL CLI commands. [GH-7141]
    • ⚑️ agent/xds: Update mesh gateway to use the service resolver connect timeout when configured [GH-6370]
    • 🌲 cli: Log "newer version available" message at INFO level [GH-7457]
    • πŸ”§ config: Consul Enterprise specific configuration are now parseable in OSS but will emit warnings about them not being used. [GH-7714
    • network areas: (Consul Enterprise only) - Network areas are using memberlist with TCP and for every message a new connection was established. Now the connections multiplexed with yamux, which means that way fewer connections are created.
    • network segments: (Consul Enterprise only) - The segment configuration is no longer stored in serf node tags. There is now an RPC endpoint for the same information, which means that the number of network segment is no longer limited by node meta tag size.
    • snapshot agent: (Consul Enterprise only) - Azure has different environments, of which it was only possible to use the public one so far. A new flag was added so that every other environment can be used as well, like Azure China.

    πŸ›  BUGFIXES:

    • agent: don't let left nodes hold onto their node-id [GH-7775]
    • agent: (Consul Enterprise only) Fixed several bugs related to Network Area ann Network Segment compatibility with other features caused by incorrectly doing version or serf tag checking. [GH-7491]
    • cli: ensure that 'snapshot save' is fsync safe and also only writes to the requested file on success [GH-7698]
    • βͺ cli: fix usage of gzip.Reader to better detect corrupt snapshots during save/restore [GH-7697]
    • connect: Fix panic when validating a service-router config entry with no destination [GH-7783]
    • namespace: (Consul Enterprise only) Fixed several bugs where results from multiple namespaces would be returned when only a single namespace was being queried when the token making the request had permissions to see all of them.
    • snapshot agent (Consul Enterprise only): Ensure snapshots persisted with the local backend are fsync safe and also only writes to the requested file on success.
    • snapshot agent (Consul Enterprise only): Verify integrity of snapshots locally before storing with the configured backend.
    • πŸ’» ui: Ensure blocking queries are used in the service instance page instead of polling [GH-7543]
    • πŸ’» ui: Fix a refreshing/rescrolling issue for the healthcheck listings [GH-7550] [GH-7365]
    • πŸ’» ui: Fix token duplication action bug [GH-7552]
    • πŸ’» ui: Lazily detect HTTP protocol along with a fallback for non-detection [GH-7644] [GH-7643]
    • 0️⃣ ui: Ensure KV names using 'special' terms within the default namespace are editable when the URL doesn't include the default namespace [GH-7734]
    • xds: Fix flapping of mesh gateway connect-service watches [GH-7575]
  • v1.7.2

    March 16, 2020

    πŸ‘Œ IMPROVEMENTS:

    • πŸ”§ agent: add option to configure max request length for /v1/txn endpoint [GH-7388]
    • πŸ— build: bump the expected go language version of the main module to 1.13 [GH-7429]
    • πŸ’» agent: add http_config.response header to the UI headers [GH-7369]
    • agent: Added documentation and error messages related to kv_max_value_size option [GH-7405]]
    • agent: Take Prometheus MIME-type header into account [GH-7371]]

    πŸ›  BUGFIXES:

    • ⚑️ acl: Updated token resolution so managed service provider token applies to all endpoints. [GH-7431]
    • πŸ›  agent: Fixed error output when agent crashes early [GH-7411]
    • agent: Handle bars in node names when displaying lists in CLI like consul members [GH-6652]]
    • agent: Avoid discarding health check status on consul reload [GH-7345]]
    • network areas: (Consul Enterprise only) - Fixed compatibility issues with network areas and v1.4.0+ ACLs as well as network areas and namespaces. The issue was that secondary datacenters connected to the primary via a network area were not properly detecting that the primary DC supported those other features.
    • πŸ›  sessions: Fixed backwards incompatibility with 1.6.x and earlier [GH-7395][GH-7399]
    • πŸ›  sessions: Fixed backwards incompatibility with 1.6.x and earlier [GH-7395][GH-7398]
    • πŸ’» ui: Fixed a DOM refreshing bug on the node detail page which forced an scroll reset [GH-7365][GH-7377]
    • πŸ’» ui: Fix blocking query requests for the coordinates API requests [GH-7378]
    • πŸ’» ui: Enable recovery from an unreachable datacenter [GH-7404]
  • v1.7.1

    February 20, 2020

    πŸ‘Œ IMPROVEMENTS:

    • agent: sensible keyring error [GH-7272]
    • agent: add server raft.{last,applied}_index gauges [GH-6694]
    • πŸ— build: Switched to compile with Go 1.13.7 [GH-7262]
    • config: increase http_max_conns_per_client default to 200 [GH-7289]
    • πŸ‘ tls: support TLS 1.3 [GH-7325]

    πŸ›  BUGFIXES:

    • acl: (Consul Enterprise only) Fixed an issue that prevented remote policy and role resolution from working when namespace policy or role defaults were configured.
    • πŸ“œ dns: Fixed an issue that could cause the DNS server to consume excessive CPU resources when trying to parse IPv6 recursor addresses: [GH-6120]
    • πŸ”§ dns: Fixed an issue that caused Consul to setup a root zone handler when no alt_domain was configured. [GH-7323]
    • πŸ›  sessions: Fixed an issue that was causing deletions of a non-existent session to return a 500 when ACLs were enabled. [GH-6840]
    • πŸ”§ xds: Fix envoy retryOn behavior when multiple behaviors are configured [GH-7280]
    • πŸ”§ xds: Mesh Gateway fixes to prevent configuring extra clusters and for properly handling a service-resolvers default subset. [GH-7294]
    • πŸ’» ui: Gracefully cope with errors in discovery-chain when connect is disabled [GH-7291]