All Versions
183
Latest Version
Avg Release Cycle
29 days
Latest Release
187 days ago
Changelog History
Page 1
Changelog History
Page 1
-
v1.13.2 Changes
September 20, 2022๐ฅ BREAKING CHANGES:
- ๐ ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the
update
capability on the intermediate PKI's tune mount configuration endpoint, such as/sys/mounts/connect_inter/tune
. The breaking nature of this change will be resolved in an upcoming 1.13 patch release. Refer to upgrade guidance for more information.
๐ SECURITY:
- auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the
AutoConfig.InitialConfiguration
endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [GH-14577] - connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the
ConnectCA.Sign
endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [GH-14579]
๐ FEATURES:
- ๐ cli: Adds new subcommands for
peering
workflows. Refer to the CLI docs for more information. [GH-14423] - connect: Server address changes are streamed to peers [GH-14285]
- service-defaults: Added support for
local_request_timeout_ms
andlocal_connect_timeout_ms
in servicedefaults config entry [GH-14395]
๐ IMPROVEMENTS:
- โ connect: Bump latest Envoy to 1.23.1 in test matrix [GH-14573]
- ๐ง connect: expose new tracing configuration on envoy [GH-13998]
- ๐ง envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. [GH-14238]
- metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [GH-14161]
- peering: Validate peering tokens for server name conflicts [GH-14563]
- snapshot agent: (Enterprise only) Add support for path-based addressing when using s3 backend.
- ๐ป ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ [GH-14521]
๐ BUG FIXES:
- ๐ agent: Fixes an issue where an agent that fails to start due to bad addresses won't clean up any existing listeners [GH-14081]
- api: Fix a breaking change caused by renaming
QueryDatacenterOptions
toQueryFailoverOptions
. This addsQueryDatacenterOptions
back as an alias to ๐QueryFailoverOptions
and marks it as deprecated. [GH-14378] - โก๏ธ ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed. [GH-14516]
- cli: When launching a sidecar proxy with
consul connect envoy
orconsul connect proxy
, the-sidecar-for
service ID argument is now treated as case-insensitive. [GH-14034] - connect: Fix issue where
auto_config
andauto_encrypt
could unintentionally enable TLS for gRPC xDS connections. [GH-14269] - ๐ connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster. [GH-14598]
- ๐ connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring. [GH-14429]
- ๐ connect: Fixed some spurious issues during peering establishment when a follower is dialed [GH-14119]
- ๐ง envoy: validate name before deleting proxy default configurations. [GH-14290]
- peering: Fix issue preventing deletion and recreation of peerings in TERMINATED state. [GH-14364]
- rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries [GH-14233]
- tls: undo breaking change that prevented setting TLS for gRPC when using config flags available in Consul v1.11. [GH-14668]
- ๐ ui: Removed Overview page from HCP instalations [GH-14606]
- ๐ ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the
-
v1.13.1 Changes
August 11, 2022 -
v1.13.0 Changes
August 09, 2022๐ฅ BREAKING CHANGES:
- config-entry: Exporting a specific service name across all namespace is invalid.
- ๐ connect: contains an upgrade compatibility issue when restoring snapshots containing service mesh proxy registrations from pre-1.13 versions of Consul [GH-14107]. Fixed in 1.13.1 [GH-14149]. Refer to 1.13 upgrade guidance for more information.
- ๐ connect: if using auto-encrypt or auto-config, TLS is required for gRPC communication between Envoy and Consul as of 1.13.0; this TLS for gRPC requirement will be removed in a future 1.13 patch release. Refer to 1.13 upgrade guidance for more information.
- โฌ๏ธ connect: if a pre-1.13 Consul agent's HTTPS port was not enabled, upgrading to 1.13 may turn on TLS for gRPC communication for Envoy and Consul depending on the agent's TLS configuration. Refer to 1.13 upgrade guidance for more information.
- ๐ connect: Removes support for Envoy 1.19 [GH-13807]
- telemetry: config flag
telemetry { disable_compat_1.9 = (true|false) }
has been removed. Before upgrading you should remove this flag from your config if the flag is being used. [GH-13532]
๐ FEATURES:
- Cluster Peering (Beta) This version adds a new model to federate Consul clusters for both service mesh and traditional service discovery. Cluster peering allows for service interconnectivity with looser coupling than the existing WAN federation. For more information refer to the cluster peering documentation.
- Transparent proxying through terminating gateways This version adds egress traffic control to destinations outside of Consul's catalog, such as APIs on the public internet. Transparent proxies can dial destinations defined in service-defaults and have the traffic routed through terminating gateways. For more information refer to the terminating gateway documentation.
- acl: It is now possible to login and logout using the gRPC API [GH-12935]
- ๐ agent: Added information about build date alongside other version information for Consul. Extended /agent/self endpoint and
consul version
commands ๐ to report this. Agent also reports build date in log on startup. [GH-13357] - ca: Leaf certificates can now be obtained via the gRPC API:
Sign
[GH-12787] - checks: add UDP health checks.. [GH-12722]
- cli: A new flag for config delete to delete a config entry in a valid config file, e.g., config delete -filename intention-allow.hcl [GH-13677]
- 0๏ธโฃ connect: Adds a new
destination
field to theservice-default
config entry that allows routing egress traffic through a terminating gateway in transparent proxy mode without modifying the catalog. [GH-13613] - grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-12825]
- grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-1717]
- ๐ grpc: New gRPC service and endpoint to return the list of supported consul dataplane features [GH-12695]
- โก๏ธ server: broadcast the public grpc port using lan serf and update the consul service in the catalog with the same data [GH-13687]
- โก๏ธ streaming: Added topic that can be used to consume updates about the list of services in a datacenter [GH-13722]
- streaming: Added topics for
ingress-gateway
,mesh
,service-intentions
andservice-resolver
config entry events. [GH-13658]
๐ IMPROVEMENTS:
- ๐ api:
merge-central-config
query parameter support added to/catalog/node-services/:node-name
API, to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13450] - ๐ api:
merge-central-config
query parameter support added to/catalog/node-services/:node-name
API, to view a fully resolved service definition (especially when not written into the catalog that way). [GH-2046] - ๐ api:
merge-central-config
query parameter support added to some catalog and health endpoints to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13001] - api: add the ability to specify a path prefix for when consul is behind a reverse proxy or API gateway [GH-12914]
- catalog: Add per-node indexes to reduce watchset firing for unrelated nodes and services. [GH-12399]
- connect: add validation to ensure connect native services have a port or socketpath specified on catalog registration. This was the only missing piece to ensure all mesh services are validated for a port (or socketpath) specification on catalog registration. [GH-12881]
- ๐ป ui: Add new CopyableCode component and use it in certain pre-existing areas [GH-13686]
- acl: Clarify node/service identities must be lowercase [GH-12807]
- ๐ command: Add support for enabling TLS in the Envoy Prometheus endpoint via the
consul connect envoy
command. โ Adds the-prometheus-ca-file
,-prometheus-ca-path
,-prometheus-cert-file
and-prometheus-key-file
flags. [GH-13481] - ๐ connect: Add Envoy 1.23.0 to support matrix [GH-13807]
- connect: Added a
max_inbound_connections
setting to service-defaults for limiting the number of concurrent inbound connections to each service instance. [GH-13143] - grpc: Add a new ServerDiscovery.WatchServers gRPC endpoint for being notified when the set of ready servers has changed. [GH-12819]
- telemetry: Added
consul.raft.thread.main.saturation
andconsul.raft.thread.fsm.saturation
metrics to measure approximate saturation of the Raft goroutines [GH-12865] - ๐ฑ ui: removed external dependencies for serving UI assets in favor of Go's native embed capabilities [GH-10996]
- โฌ๏ธ ui: upgrade ember-composable-helpers to v5.x [GH-13394]
๐ BUG FIXES:
- ๐ acl: Fixed a bug where the ACL down policy wasn't being applied on remote errors from the primary datacenter. [GH-12885]
- cli: when
acl token read
is used with the-self
and-expanded
flags, return an error instead of panicking [GH-13787] - ๐ connect: Fixed a goroutine/memory leak that would occur when using the ingress gateway. [GH-13847]
- connect: Ingress gateways with a wildcard service entry should no longer pick up non-connect services as upstreams. connect: Terminating gateways with a wildcard service entry should no longer pick up connect services as upstreams. [GH-13958]
- ๐ง proxycfg: Fixed a minor bug that would cause configuring a terminating gateway to watch too many service resolvers and waste resources doing filtering. [GH-13012]
- โฌ๏ธ raft: upgrade to v1.3.8 which fixes a bug where non cluster member can still be able to participate in an election. [GH-12844]
- rpc: Adds a deadline to client RPC calls, so that streams will no longer hang indefinitely in unstable network conditions. [GH-8504] [GH-11500]
- โฌ๏ธ serf: upgrade serf to v0.9.8 which fixes a bug that crashes Consul when serf keyrings are listed [GH-13062]
- ๐ป ui: Fixes an issue where client side validation errors were not showing in certain areas [GH-14021]
-
v1.13.0-alpha2 Changes
June 21, 2022๐ IMPROVEMENTS:
- ๐ api:
merge-central-config
query parameter support added to/catalog/node-services/:node-name
API, to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13450] - ๐ connect: Update Envoy support matrix to latest patch releases (1.22.2, 1.21.3, 1.20.4, 1.19.5) [GH-13431]
๐ BUG FIXES:
- ๐ป ui: Fix incorrect text on certain page empty states [GH-13409]
- ๐ api:
-
v1.13.0-alpha1 Changes
June 15, 2022๐ฅ BREAKING CHANGES:
- config-entry: Exporting a specific service name across all namespace is invalid.
๐ FEATURES:
- acl: It is now possible to login and logout using the gRPC API [GH-12935]
- ๐ agent: Added information about build date alongside other version information for Consul. Extended /agent/self endpoint and
consul version
commands ๐ to report this. Agent also reports build date in log on startup. [GH-13357] - ca: Leaf certificates can now be obtained via the gRPC API:
Sign
[GH-12787] - checks: add UDP health checks.. [GH-12722]
- grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-12825]
- grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-1717]
- ๐ grpc: New gRPC service and endpoint to return the list of supported consul dataplane features [GH-12695]
๐ IMPROVEMENTS:
- ๐ api:
merge-central-config
query parameter support added to some catalog and health endpoints to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13001] - api: add the ability to specify a path prefix for when consul is behind a reverse proxy or API gateway [GH-12914]
- connect: add validation to ensure connect native services have a port or socketpath specified on catalog registration. This was the only missing piece to ensure all mesh services are validated for a port (or socketpath) specification on catalog registration. [GH-12881]
- ๐ Support Vault namespaces in Connect CA by adding RootPKINamespace and IntermediatePKINamespace fields to the config. [GH-12904]
- acl: Clarify node/service identities must be lowercase [GH-12807]
- connect: Added a
max_inbound_connections
setting to service-defaults for limiting the number of concurrent inbound connections to each service instance. [GH-13143] - ๐ dns: Added support for specifying admin partition in node lookups. [GH-13421]
- grpc: Add a new ServerDiscovery.WatchServers gRPC endpoint for being notified when the set of ready servers has changed. [GH-12819]
- telemetry: Added
consul.raft.thread.main.saturation
andconsul.raft.thread.fsm.saturation
metrics to measure approximate saturation of the Raft goroutines [GH-12865] - telemetry: Added a
consul.server.isLeader
metric to track if a server is a leader or not. [GH-13304] - ๐ฑ ui: removed external dependencies for serving UI assets in favor of Go's native embed capabilities [GH-10996]
- โฌ๏ธ ui: upgrade ember-composable-helpers to v5.x [GH-13394]
๐ BUG FIXES:
- ๐ acl: Fixed a bug where the ACL down policy wasn't being applied on remote errors from the primary datacenter. [GH-12885]
- ๐ agent: Fixed a bug in HTTP handlers where URLs were being decoded twice [GH-13256]
- โก๏ธ deps: Update go-grpc/grpc, resolving connection memory leak [GH-13051]
- ๐ fix a bug that caused an error when creating
grpc
orhttp2
ingress gateway listeners with multiple services [GH-13127] - ๐ง proxycfg: Fixed a minor bug that would cause configuring a terminating gateway to watch too many service resolvers and waste resources doing filtering. [GH-13012]
- โฌ๏ธ raft: upgrade to v1.3.8 which fixes a bug where non cluster member can still be able to participate in an election. [GH-12844]
- โฌ๏ธ serf: upgrade serf to v0.9.8 which fixes a bug that crashes Consul when serf keyrings are listed [GH-13062]
-
v1.12.5 Changes
September 20, 2022๐ฅ BREAKING CHANGES:
- ๐ ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the
update
capability on the intermediate PKI's tune mount configuration endpoint, such as/sys/mounts/connect_inter/tune
. The breaking nature of this change will be resolved in an upcoming 1.12 patch release. Refer to upgrade guidance for more information.
๐ SECURITY:
- auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the
AutoConfig.InitialConfiguration
endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [GH-14577] - connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the
ConnectCA.Sign
endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [GH-14579]
๐ IMPROVEMENTS:
- ๐ง envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. [GH-14238]
- metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [GH-14161]
- snapshot agent: (Enterprise only) Add support for path-based addressing when using s3 backend.
- ๐ป ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ [GH-14521]
๐ BUG FIXES:
- โก๏ธ ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed. [GH-14516]
- cli: When launching a sidecar proxy with
consul connect envoy
orconsul connect proxy
, the-sidecar-for
service ID argument is now treated as case-insensitive. [GH-14034] - ๐ connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster. [GH-14598]
- ๐ connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring. [GH-14429]
- ๐ง envoy: validate name before deleting proxy default configurations. [GH-14290]
- rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries [GH-14233]
- ๐ ui: Removed Overview page from HCP instalations [GH-14606]
- ๐ ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the
-
v1.12.4 Changes
August 11, 2022๐ BUG FIXES:
- cli: when
acl token read
is used with the-self
and-expanded
flags, return an error instead of panicking [GH-13787] - ๐ connect: Fixed a goroutine/memory leak that would occur when using the ingress gateway. [GH-13847]
- connect: Ingress gateways with a wildcard service entry should no longer pick up non-connect services as upstreams. connect: Terminating gateways with a wildcard service entry should no longer pick up connect services as upstreams. [GH-13958]
- ๐ป ui: Fixes an issue where client side validation errors were not showing in certain areas [GH-14021]
- cli: when
-
v1.12.3 Changes
July 13, 2022๐ IMPROVEMENTS:
- ๐ Support Vault namespaces in Connect CA by adding RootPKINamespace and IntermediatePKINamespace fields to the config. [GH-12904]
- ๐ connect: Update Envoy support matrix to latest patch releases (1.22.2, 1.21.3, 1.20.4, 1.19.5) [GH-13431]
- ๐ dns: Added support for specifying admin partition in node lookups. [GH-13421]
- telemetry: Added a
consul.server.isLeader
metric to track if a server is a leader or not. [GH-13304]
๐ BUG FIXES:
- ๐ agent: Fixed a bug in HTTP handlers where URLs were being decoded twice [GH-13256]
- โก๏ธ deps: Update go-grpc/grpc, resolving connection memory leak [GH-13051]
- ๐ fix a bug that caused an error when creating
grpc
orhttp2
ingress gateway listeners with multiple services [GH-13127] - ๐ป ui: Fix incorrect text on certain page empty states [GH-13409]
- ๐ฐ xds: Fix a bug that resulted in Lambda services not using the payload-passthrough option as expected. [GH-13607]
- ๐ง xds: Fix a bug where terminating gateway upstream clusters weren't configured properly when the service protocol was
http2
. [GH-13699]
-
v1.12.2 Changes
June 03, 2022๐ BUG FIXES:
- ๐ kvs: Fixed a bug where query options were not being applied to KVS.Get RPC operations. [GH-13344]
-
v1.12.1 Changes
May 25, 2022๐ FEATURES:
- xds: Add the ability to invoke AWS Lambdas through sidecar proxies. [GH-12956]
๐ IMPROVEMENTS:
- config: introduce
telemetry.retry_failed_connection
in agent configuration to retry on failed connection to any telemetry backend. This prevents the agent from exiting if the given DogStatsD DNS name is unresolvable, for example. [GH-13091] - sentinel: (Enterprise Only) Sentinel now uses SHA256 to generate policy ids
- xds: Envoy now inserts x-forwarded-client-cert for incoming proxy connections [GH-12878]
๐ BUG FIXES:
- ๐ Fix a bug when configuring an
add_headers
directive namedHost
the header is not set forv1/internal/ui/metrics-proxy/
endpoint. [GH-13071] - api: Fix a bug that causes partition to be ignored when creating a namespace [GH-12845]
- api: agent/self now returns version with +ent suffix for Enterprise Consul [GH-12961]
- areas: (Enterprise Only) Fixes a bug when using Yamux pool ( for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time. [GH-1368]
- ca: fix a bug that caused a non blocking leaf cert query after a blocking leaf cert query to block [GH-12820]
- ๐ config: fix backwards compatibility bug where setting the (deprecated) top-level
verify_incoming
option would enable TLS client authentication on the gRPC port [GH-13118] - health: ensure /v1/health/service/:service endpoint returns the most recent results when a filter is used with streaming #12640 [GH-12640]
- rpc: Adds a deadline to client RPC calls, so that streams will no longer hang indefinitely in unstable network conditions. [GH-8504] [GH-11500]
- snapshot-agent: (Enterprise only) Fix a bug where providing the ACL token to the snapshot agent via a CLI or ENV variable without a license configured results in an error during license auto-retrieval.
- ๐ป ui: Re-instate '...' icon for row actions [GH-13183]
NOTES:
- ci: change action to pull v1 instead of main [GH-12846]