Changelog History

  • v1.13.0-alpha2 Changes

    June 21, 2022

    IMPROVEMENTS:

    • api: merge-central-config query parameter support added to /catalog/node-services/:node-name API, to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13450]
    • connect: Update Envoy support matrix to latest patch releases (1.22.2, 1.21.3, 1.20.4, 1.19.5) [GH-13431]

    BUG FIXES:

    • ui: Fix incorrect text on certain page empty states [GH-13409]
  • v1.13.0-alpha1 Changes

    June 15, 2022

    BREAKING CHANGES:

    • config-entry: Exporting a specific service name across all namespaces is invalid.

    FEATURES:

    • acl: It is now possible to login and logout using the gRPC API [GH-12935]
    • agent: Added information about build date alongside other version information for Consul. Extended /agent/self endpoint and consul version commands to report this. Agent also reports build date in log on startup. [GH-13357]
    • ca: Leaf certificates can now be obtained via the gRPC API: Sign [GH-12787]
    • checks: add UDP health checks. [GH-12722]
    • grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-12825]
    • grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-1717]
    • grpc: New gRPC service and endpoint to return the list of supported consul dataplane features [GH-12695]

    IMPROVEMENTS:

    • api: merge-central-config query parameter support added to some catalog and health endpoints to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13001]
    • api: add the ability to specify a path prefix for when consul is behind a reverse proxy or API gateway [GH-12914]
    • connect: add validation to ensure connect native services have a port or socketpath specified on catalog registration. This was the only missing piece to ensure all mesh services are validated for a port (or socketpath) specification on catalog registration. [GH-12881]
    • Support Vault namespaces in Connect CA by adding RootPKINamespace and IntermediatePKINamespace fields to the config. [GH-12904]
    • acl: Clarify node/service identities must be lowercase [GH-12807]
    • connect: Added a max_inbound_connections setting to service-defaults for limiting the number of concurrent inbound connections to each service instance. [GH-13143]
    • dns: Added support for specifying admin partition in node lookups. [GH-13421]
    • grpc: Add a new ServerDiscovery.WatchServers gRPC endpoint for being notified when the set of ready servers has changed. [GH-12819]
    • telemetry: Added consul.raft.thread.main.saturation and consul.raft.thread.fsm.saturation metrics to measure approximate saturation of the Raft goroutines [GH-12865]
    • telemetry: Added a consul.server.isLeader metric to track if a server is a leader or not. [GH-13304]
    • ui: removed external dependencies for serving UI assets in favor of Go's native embed capabilities [GH-10996]
    • ui: upgrade ember-composable-helpers to v5.x [GH-13394]

    BUG FIXES:

    • acl: Fixed a bug where the ACL down policy wasn't being applied on remote errors from the primary datacenter. [GH-12885]
    • agent: Fixed a bug in HTTP handlers where URLs were being decoded twice [GH-13256]
    • deps: Update go-grpc/grpc, resolving connection memory leak [GH-13051]
    • fix a bug that caused an error when creating grpc or http2 ingress gateway listeners with multiple services [GH-13127]
    • proxycfg: Fixed a minor bug that would cause configuring a terminating gateway to watch too many service resolvers and waste resources doing filtering. [GH-13012]
    • raft: upgrade to v1.3.8 which fixes a bug where a non-cluster member could still participate in an election. [GH-12844]
    • serf: upgrade serf to v0.9.8 which fixes a bug that crashes Consul when serf keyrings are listed [GH-13062]
  • v1.12.3 Changes

    July 13, 2022

    IMPROVEMENTS:

    • Support Vault namespaces in Connect CA by adding RootPKINamespace and IntermediatePKINamespace fields to the config. [GH-12904]
    • connect: Update Envoy support matrix to latest patch releases (1.22.2, 1.21.3, 1.20.4, 1.19.5) [GH-13431]
    • dns: Added support for specifying admin partition in node lookups. [GH-13421]
    • telemetry: Added a consul.server.isLeader metric to track if a server is a leader or not. [GH-13304]

    BUG FIXES:

    • agent: Fixed a bug in HTTP handlers where URLs were being decoded twice [GH-13256]
    • deps: Update go-grpc/grpc, resolving connection memory leak [GH-13051]
    • fix a bug that caused an error when creating grpc or http2 ingress gateway listeners with multiple services [GH-13127]
    • ui: Fix incorrect text on certain page empty states [GH-13409]
    • xds: Fix a bug that resulted in Lambda services not using the payload-passthrough option as expected. [GH-13607]
    • xds: Fix a bug where terminating gateway upstream clusters weren't configured properly when the service protocol was http2. [GH-13699]
  • v1.12.2 Changes

    June 03, 2022

    BUG FIXES:

    • kvs: Fixed a bug where query options were not being applied to KVS.Get RPC operations. [GH-13344]
  • v1.12.1 Changes

    May 25, 2022

    FEATURES:

    • xds: Add the ability to invoke AWS Lambdas through sidecar proxies. [GH-12956]

    IMPROVEMENTS:

    • config: introduce telemetry.retry_failed_connection in agent configuration to retry on failed connection to any telemetry backend. This prevents the agent from exiting if the given DogStatsD DNS name is unresolvable, for example. [GH-13091]
    • sentinel: (Enterprise Only) Sentinel now uses SHA256 to generate policy ids
    • xds: Envoy now inserts x-forwarded-client-cert for incoming proxy connections [GH-12878]

    BUG FIXES:

    • Fix a bug where, when configuring an add_headers directive named Host, the header is not set for the v1/internal/ui/metrics-proxy/ endpoint. [GH-13071]
    • api: Fix a bug that causes partition to be ignored when creating a namespace [GH-12845]
    • api: agent/self now returns version with +ent suffix for Enterprise Consul [GH-12961]
    • areas: (Enterprise Only) Fixes a bug when using Yamux pool (for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time. [GH-1368]
    • ca: fix a bug that caused a non blocking leaf cert query after a blocking leaf cert query to block [GH-12820]
    • config: fix backwards compatibility bug where setting the (deprecated) top-level verify_incoming option would enable TLS client authentication on the gRPC port [GH-13118]
    • health: ensure /v1/health/service/:service endpoint returns the most recent results when a filter is used with streaming #12640 [GH-12640]
    • snapshot-agent: (Enterprise only) Fix a bug where providing the ACL token to the snapshot agent via a CLI or ENV variable without a license configured results in an error during license auto-retrieval.
    • ui: Re-instate '...' icon for row actions [GH-13183]

    NOTES:

    • ci: change action to pull v1 instead of main [GH-12846]
  • v1.12.0 Changes

    April 20, 2022

    BREAKING CHANGES:

    • connect: Removes support for Envoy 1.17.4 [GH-12777]
    • connect: Removes support for Envoy 1.18.6 [GH-12805]
    • sdk: several changes to the testutil configuration structs (removed ACLMasterToken, renamed Master to InitialManagement, and AgentMaster to AgentRecovery) [GH-11827]
    • telemetry: the disable_compat_1.9 option now defaults to true. 1.9 style consul.http... metrics can still be enabled by setting disable_compat_1.9 = false. However, we will remove these metrics in 1.13. [GH-12675]

    FEATURES:

    • acl: Add token information to PermissionDeniedErrors [GH-12567]
    • acl: Added an AWS IAM auth method that allows authenticating to Consul using AWS IAM identities [GH-12583]
    • ca: Root certificates can now be consumed from a gRPC streaming endpoint: WatchRoots [GH-12678]
    • cli: The token read command now supports the -expanded flag to display detailed role and policy information for the token. [GH-12670]
    • config: automatically reload config when a file changes using the auto-reload-config CLI flag or auto_reload_config config option. [GH-12329]
    • server: Ensure that service-defaults Meta is returned with the response to the ConfigEntry.ResolveServiceConfig RPC. [GH-12529]
    • server: discovery chains now include a response field named "Default" to indicate if they were not constructed from any service-resolver, service-splitter, or service-router config entries [GH-12511]
    • server: ensure that service-defaults meta is incorporated into the discovery chain response [GH-12511]
    • tls: it is now possible to configure TLS differently for each of Consul's listeners (i.e. HTTPS, gRPC and the internal multiplexed RPC listener) using the tls stanza [GH-12504]
    • ui: Added support for AWS IAM Auth Methods [GH-12786]
    • ui: Support connect-native services in the Topology view. [GH-12098]
    • xds: Add the ability to invoke AWS Lambdas through terminating gateways. [GH-12681]
    • xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry [GH-12601]

    IMPROVEMENTS:

    • Refactor ACL denied error code and start improving error details [GH-12308]
    • acl: Provide fuller detail in the error message when an ACL denies access. [GH-12470]
    • agent: Allow client agents to perform keyring operations [GH-12442]
    • agent: add additional validation to TLS config [GH-12522]
    • agent: add support for specifying TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suites [GH-12522]
    • agent: bump default min version for connections to TLS 1.2 [GH-12522]
    • api: add QueryBackend to QueryMeta so an api user can determine which backend served a query (streaming or blocking query). [GH-12791]
    • ci: include 'enhancement' entry type in IMPROVEMENTS section of changelog. [GH-12376]
    • ui: Exclude Service Instance Health from Health Check reporting on the Node listing page. The health icons on each individual row now only reflect Node health. [GH-12248]
    • ui: Improve usability of Topology warning/information panels [GH-12305]
    • ui: Slightly improve usability of main navigation [GH-12334]
    • ui: Use @hashicorp/flight icons for all our icons. [GH-12209]
    • Removed impediments to using a namespace prefixed IntermediatePKIPath in a CA definition. [GH-12655]
    • acl: Improve handling of region-specific endpoints in the AWS IAM auth method. As part of this, the STSRegion field was removed from the auth method config. [GH-12774]
    • api: Improve error message if service or health check not found by stating that the entity must be referred to by ID, not name [GH-10894]
    • autopilot: Autopilot state is now tracked on Raft followers in addition to the leader. Stale queries may be used to query for the non-leaders state. [GH-12617]
    • autopilot: The autopilot.healthy and autopilot.failure_tolerance metrics are now regularly emitted by all servers. [GH-12617]
    • ci: Enable security scanning for CRT [GH-11956]
    • connect: Add Envoy 1.21.1 to support matrix, remove 1.17.4 [GH-12777]
    • connect: Add Envoy 1.22.0 to support matrix, remove 1.18.6 [GH-12805]
    • connect: reduce raft apply on CA configuration when no change is performed [GH-12298]
    • deps: update to latest go-discover to fix vulnerable transitive jwt-go dependency [GH-12739]
    • grpc, xds: improved reliability of grpc and xds servers by adding recovery-middleware to return and log error in case of panic. [GH-10895]
    • http: if a GET request has a non-empty body, log a warning that suggests a possible problem (parameters were meant for the query string, but accidentally placed in the body) [GH-11821]
    • metrics: The consul.raft.boltdb.writeCapacity metric was added and indicates a theoretical number of writes/second that can be performed to Consul. [GH-12646]
    • sdk: Add support for Partition and RetryJoin to the TestServerConfig struct. [GH-12126]
    • telemetry: Add new leader label to consul.rpc.server.call and optional target_datacenter, locality, allow_stale, and blocking optional labels. [GH-12727]
    • ui: In the datacenter selector order Datacenters by Primary, Local then alphanumerically [GH-12478]
    • ui: Include details on ACL policy dispositions required for unauthorized views [GH-12354]
    • ui: Move icons away from depending on a CSS preprocessor [GH-12461]
    • version: Improved performance of the version.GetHumanVersion function by 50% on memory allocation. [GH-11507]

    DEPRECATIONS:

    • acl: The consul.acl.ResolveTokenToIdentity metric is no longer reported. The values that were previously reported as part of this metric will now be part of the consul.acl.ResolveToken metric. [GH-12166]
    • agent: deprecate older syntax for specifying TLS min version values [GH-12522]
    • agent: remove support for specifying insecure TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suites [GH-12522]
    • config: setting cert_file, key_file, ca_file, ca_path, tls_min_version, tls_cipher_suites, verify_incoming, verify_incoming_rpc, verify_incoming_https, verify_outgoing and verify_server_hostname at the top-level is now deprecated, use the tls stanza instead [GH-12504]

    BUG FIXES:

    • acl: Fix parsing of IAM user and role tags in IAM auth method [GH-12797]
    • dns: allow max of 63 character DNS labels instead of 64 per RFC 1123 [GH-12535]
    • logging: fix a bug with incorrect severity syslog messages (all messages were sent with NOTICE severity). [GH-12079]
    • ui: Added Tags tab to gateways (just like exists for non-gateway services) [GH-12400]

    NOTES:

  • v1.11.7 Changes

    July 13, 2022

    IMPROVEMENTS:

    • connect: Update supported Envoy versions to 1.20.4, 1.19.5, 1.18.6, 1.17.4 [GH-13434]

    BUG FIXES:

    • agent: Fixed a bug in HTTP handlers where URLs were being decoded twice [GH-13265]
    • fix a bug that caused an error when creating grpc or http2 ingress gateway listeners with multiple services [GH-13127]
    • xds: Fix a bug where terminating gateway upstream clusters weren't configured properly when the service protocol was http2. [GH-13699]
  • v1.11.6 Changes

    May 25, 2022

    IMPROVEMENTS:

    • sentinel: (Enterprise Only) Sentinel now uses SHA256 to generate policy ids

    BUG FIXES:

    • Fix a bug where, when configuring an add_headers directive named Host, the header is not set for the v1/internal/ui/metrics-proxy/ endpoint. [GH-13071]
    • areas: (Enterprise Only) Fixes a bug when using Yamux pool (for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time. [GH-1368]
    • ca: fix a bug that caused a non blocking leaf cert query after a blocking leaf cert query to block [GH-12820]
    • health: ensure /v1/health/service/:service endpoint returns the most recent results when a filter is used with streaming #12640 [GH-12640]
    • snapshot-agent: (Enterprise only) Fix a bug where providing the ACL token to the snapshot agent via a CLI or ENV variable without a license configured results in an error during license auto-retrieval.

    NOTES:

    • ci: change action to pull v1 instead of main [GH-12846]
  • v1.11.5 Changes

    April 13, 2022

    SECURITY:

    • agent: Added a new check field, disable_redirects, that allows for disabling the following of redirects for HTTP checks. The intention is to default this to true in a future release so that redirects must explicitly be enabled. [GH-12685]
    • connect: Properly set SNI when configured for services behind a terminating gateway. [GH-12672]

    IMPROVEMENTS:

    • agent: improve log messages when a service with a critical health check is deregistered due to exceeding the deregister_critical_service_after timeout [GH-12725]
    • xds: ensure that all connect timeout configs can apply equally to tproxy direct dial connections [GH-12711]

    BUG FIXES:

    • acl: (Enterprise Only) fixes a bug preventing ACL policies configured with datacenter restrictions from being created if the cluster had been upgraded to Consul 1.11+ from an earlier version.
    • connect/ca: cancel old Vault renewal on CA configuration. Provide a 1 - 6 second backoff on repeated token renewal requests to prevent overwhelming Vault. [GH-12607]
    • namespace: (Enterprise Only) Unreserve consul namespace to allow K8s namespace mirroring when deploying in consul K8s namespace.
    • raft: upgrade to v1.3.6 which fixes a bug where a read replica node could attempt bootstrapping raft and prevent other nodes from bootstrapping at all [GH-12496]
    • replication: Fixed a bug which could prevent ACL replication from continuing successfully after a leader election. [GH-12565]
    • server: fix spurious blocking query suppression for discovery chains [GH-12512]
    • ui: Fixes a visual bug where our loading icon can look cut off [GH-12479]
    • usagemetrics: (Enterprise only) Fix a bug where Consul usage metrics stopped being reported when upgrading servers from 1.10 to 1.11 or later.
  • v1.11.4 Changes

    February 28, 2022

    FEATURES:

    • ca: support using an external root CA with the vault CA provider [GH-11910]

    IMPROVEMENTS:

    • connect: Update supported Envoy versions to include 1.19.3 and 1.18.6 [GH-12449]
    • connect: update Envoy supported version of 1.20 to 1.20.2 [GH-12433]
    • connect: update Envoy supported version of 1.20 to 1.20.2 [GH-12443]
    • debug: reduce the capture time for trace to only a single interval instead of the full duration to make trace.out easier to open without running into OOM errors. [GH-12359]
    • raft: add additional logging of snapshot restore progress [GH-12325]
    • rpc: improve blocking queries for items that do not exist, by continuing to block until they exist (or the timeout). [GH-12110]
    • sentinel: (Enterprise Only) Sentinel now uses SHA256 to generate policy ids
    • server: conditionally avoid writing a config entry to raft if it was already the same [GH-12321]
    • server: suppress spurious blocking query returns where multiple config entries are involved [GH-12362]

    BUG FIXES:

    • agent: Parse datacenter from Create/Delete requests for AuthMethods and BindingRules. [GH-12370]
    • areas: (Enterprise Only) Fixes a bug when using Yamux pool (for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time. [GH-1368]
    • catalog: compare node names case insensitively in more places [GH-12444]
    • checks: populate interval and timeout when registering services [GH-11138]
    • local: fixes a data race in anti-entropy sync that could cause the wrong tags to be applied to a service when EnableTagOverride is used [GH-12324]
    • raft: fixed a race condition in leadership transfer that could result in reelection of the current leader [GH-12325]
    • server: (Enterprise only) Namespace deletion will now attempt to delete as many namespaced config entries as possible instead of halting on the first deletion that failed.
    • server: partly fix config entry replication issue that prevents replication in some circumstances [GH-12307]
    • state: fix bug blocking snapshot restore when a node check and node differed in casing of the node string [GH-12444]
    • ui: Ensure we always display the Policy default preview in the Namespace editing form [GH-12316]
    • ui: Fix missing helper javascript error [GH-12358]
    • xds: Fixed Envoy http features such as outlier detection and retry policy not working correctly with transparent proxy. [GH-12385]