All Versions
156
Latest Version
Avg Release Cycle
24 days
Latest Release
6 days ago

Changelog History
Page 6

  • v1.8.7 Changes

    December 10, 2020

    1.8.7 (December 10, 2020)

    πŸ› BUG FIXES:

    • acl: global tokens created by auth methods now correctly replicate to secondary datacenters [GH-9351]
    • ⚑️ connect: fixes a case when updating the CA config in a secondary datacenter to correctly trigger the creation of a new intermediate certificate [GH-9009]
    • connect: only unset the active root in a secondary datacenter when a new one is replacing it [GH-9318]
    • πŸ‘€ license: (Enterprise only) Fixed an issue where the UI would see Namespaces and SSO as licensed when they were not.
    • license: (Enterprise only) Fixed an issue where warnings about Namespaces being unlicensed would be emitted erroneously.
    • namespace: (Enterprise Only) Fixed a bug that could case snapshot restoration to fail when it contained a namespace marked for deletion while still containing other resources in that namespace. [GH-9156]
    • namespace: (Enterprise Only) Fixed an issue where namespaced services and checks were not being deleted when the containing namespace was deleted.
    • namespaces: (Enterprise only) Prevent stalling of replication in secondary datacenters due to conflicts between the namespace replicator and other replicators. [GH-9271]
  • v1.8.7-beta1 Changes

    December 03, 2020

    1.8.7-beta1 (December 03, 2020)

    πŸ› BUG FIXES:

    • ⚑️ connect: fixes a case when updating the CA config in a secondary datacenter to correctly trigger the creation of a new intermediate certificate [GH-9009]
    • connect: only unset the active root in a secondary datacenter when a new one is replacing it [GH-9318]
    • πŸ‘€ license: (Enterprise only) Fixed an issue where the UI would see Namespaces and SSO as licensed when they were not.
    • license: (Enterprise only) Fixed an issue where warnings about Namespaces being unlicensed would be emitted erroneously.
    • namespace: (Enterprise Only) Fixed a bug that could case snapshot restoration to fail when it contained a namespace marked for deletion while still containing other resources in that namespace. [GH-9156]
    • namespace: (Enterprise Only) Fixed an issue where namespaced services and checks were not being deleted when the containing namespace was deleted.
  • v1.8.6 Changes

    November 19, 2020

    1.8.6 (November 19, 2020)

    πŸ”’ SECURITY:

    • πŸ”§ Increase the permissions to read from the /connect/ca/configuration endpoint to operator:write. Previously Connect CA configuration, including the private key, set via this endpoint could be read back by an operator with operator:read privileges. CVE-2020-28053 [GH-9240]
  • v1.8.5 Changes

    October 23, 2020

    1.8.5 (October 23, 2020)

    πŸ”’ SECURITY:

    • πŸ›  Fix Consul Enterprise Namespace Config Entry Replication DoS. Previously an operator with service:write ACL permissions in a Consul Enterprise cluster could write a malicious config entry that caused infinite raft writes due to issues with the namespace replication logic. [CVE-2020-25201] [GH-9024]

    πŸ‘Œ IMPROVEMENTS:

    • api: The v1/connect/ca/roots endpoint now accepts a pem=true query parameter and will return a PEM encoded certificate chain of
      all the certificates that would normally be in the JSON version of the response. [GH-8774]
    • πŸ‘ connect: The Vault provider will now automatically renew the lease of the token used, if supported. [GH-8560]
    • πŸš€ connect: update supported envoy releases to 1.14.5, 1.13.6, 1.12.7, 1.11.2 for 1.8.x [GH-8999]

    πŸ› BUG FIXES:

    • agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical [GH-8747]
    • πŸ›  connect: Fixed an issue where the Vault intermediate was not renewed in the primary datacenter. [GH-8784]
    • connect: fix Vault provider not respecting IntermediateCertTTL [GH-8646]
    • connect: fix connect sidecars registered via the API not being automatically deregistered with their parent service after an agent restart by persisting the LocallyRegisteredAsSidecar property. [GH-8924]
    • πŸ›  fixed a bug that caused logs to be flooded with [WARN] agent.router: Non-server in server-only area [GH-8685]
    • πŸ’» ui: show correct datacenter for gateways [GH-8704]
  • v1.8.4 Changes

    September 11, 2020

    1.8.4 (September 11, 2020)

    πŸ”‹ FEATURES:

    • πŸ‘ agent: expose the list of supported envoy versions on /v1/agent/self [GH-8545]
    • cache: Config parameters for cache throttling are now reloaded automatically on agent reload. Restarting the agent is not needed anymore. [GH-8552]
    • connect: all config entries pick up a meta field [GH-8596]

    πŸ‘Œ IMPROVEMENTS:

    • api: Added ACLMode method to the AgentMember type to determine what ACL mode the agent is operating in. [GH-8575]
    • api: Added IsConsulServer method to the AgentMember type to easily determine whether the agent is a server. [GH-8575]
    • api: Added constants for common tag keys and values in the Tags field of the AgentMember struct. [GH-8575]
    • api: Allow for the client to use TLS over a Unix domain socket. [GH-8602]
    • api: GET v1/operator/keyring also lists primary keys. [GH-8522]
    • πŸ‘ connect: Add support for http2 and grpc to ingress gateways [GH-8458]
    • ⚑️ serf: update to v0.9.4 which supports primary keys in the ListKeys operation. [GH-8522]

    πŸ›  BUGFIXES:

    • [backport/1.8.x] connect: use stronger validation that ingress gateways have compatible protocols defined for their upstreams [GH-8494]
    • agent: ensure that we normalize bootstrapped config entries [GH-8547]
    • πŸ›  api: Fixed a panic caused by an api request with Connect=null [GH-8537]
    • connect: connect envoy command now respects the -ca-path flag [GH-8606]
    • connect: fix bug in preventing some namespaced config entry modifications [GH-8601]
    • connect: fix renewing secondary intermediate certificates [GH-8588]
    • πŸ’» ui: fixed a bug related to in-folder KV creation GH-8613
  • v1.8.3 Changes

    August 12, 2020

    πŸ›  BUGFIXES:

    • βͺ catalog: fixed a bug where nodes, services, and checks would not be restored with the correct Create/ModifyIndex when restoring from a snapshot [GH-8485]
    • ⚑️ vendor: update github.com/armon/go-metrics to v0.3.4 to mitigate a potential panic when emitting Prometheus metrics at an interval longer than the metric expiry time [GH-8478]
    • connect: (Consul Enterprise only) Fixed a regression that prevented mesh gateways from routing to services in their local datacenter that reside outside of the default namespace.
  • v1.8.2 Changes

    August 07, 2020

    1.8.2 (August 07, 2020)

    πŸ›  BUGFIXES:

    • πŸ›  auto_config: Fixed an issue where auto-config could be enabled in secondary DCs without enabling token replication when ACLs were enabled. [GH-8451]
    • xds: revert setting set_node_on_first_message_only to true when generating envoy bootstrap config [GH-8440]
  • v1.8.1 Changes

    July 30, 2020

    πŸ”‹ FEATURES:

    πŸ‘Œ IMPROVEMENTS:

    • acl: allow auth methods created in the primary datacenter to optionally create global tokens [GH-7899]
    • agent: Allow to restrict servers that can join a given Serf Consul cluster. [GH-7628]
    • agent: new configuration options allow ratelimiting of the agent-cache: cache.entry_fetch_rate and cache.entry_fetch_max_burst. [GH-8226]
    • api: Added methods to allow passing query options to leader and peers endpoints to mirror HTTP API [GH-8395]
    • πŸ”§ auto_config: when configuring auto_config, connect is turned on automatically [GH-8433]
    • connect: various changes to make namespaces for intentions work more like for other subsystems [GH-8194]
    • connect: Append port number to expected ingress hosts [GH-8190]
    • πŸ‘ connect: add support for envoy 1.15.0 and drop support for 1.11.x [GH-8424]
    • πŸ‘ connect: support Envoy v1.14.4, v1.13.4, v1.12.6 [GH-8216]
    • dns: Improve RCODE of response when query targets a non-existent datacenter. [GH-8102],[GH-8218]
    • version: The version CLI subcommand was altered to always show the git revision the binary was built from on the second line of output. Additionally the command gained a -format flag with the option now of outputting the version information in JSON form. NOTE This change has the potential to break any parsing done by users of the version commands output. In many cases nothing will need to be done but it is possible depending on how the output is parsed. [GH-8268]

    πŸ›  BUGFIXES:

    • πŸ›  agent: Fixed a bug where Consul could crash when verify_outgoing was set to true but no client certificate was used. [GH-8211]
    • πŸ”’ agent: Fixed an issue with lock contention during RPCs when under load while using the Prometheus metrics sink. [GH-8372]
    • πŸ›  auto_encrypt: Fixed an issue where auto encrypt certificate signing wasn't using the connect signing rate limiter. [GH-8211]
    • πŸ›  auto_encrypt: Fixed several issues around retrieving the first TLS certificate where it would have the wrong CN and SANs. This was being masked by a second bug (also fixed) causing that certificate to immediately be discarded with a second certificate request being made afterwards. [GH-8211]
    • ⚑️ auto_encrypt: Fixed an issue that caused auto encrypt certificates to not be updated properly if the agents token was changed and the old token was deleted. [GH-8311]
    • autopilot: (Consul Enterprise only) Fixed an issue where using autopilot with redundancy zones wouldn't demote extra voters in a zone to match the "one voter per zone" desired state when rebalancing.
    • connect: fix crash that would result if a mesh or terminating gateway's upstream has a hostname as an address and no healthy service instances available. [GH-8158]
    • πŸ›  connect: Fixed issue where specifying a prometheus bind address would cause ingress gateways to fail to start up [GH-8371]
    • gossip: Avoid issue where two unique leave events for the same node could lead to infinite rebroadcast storms [GH-8343]
    • router: Mark its own cluster as healthy when rebalancing. [GH-8406]
    • snapshot: (Consul Enterprise only) Fixed a regression when using Azure blob storage.
    • xds: version sniff envoy and switch regular expressions from 'regex' to 'safe_regex' on newer envoy versions [GH-8222]
  • v1.8.0 Changes

    June 15, 2020

    πŸ’₯ BREAKING CHANGES:

    • acl: Remove deprecated acl_enforce_version_8 option [GH-7991]

    πŸ”‹ FEATURES:

    • Terminating Gateway: Envoy can now be run as a gateway to enable services in a Consul service mesh to connect to external services through their local proxy. Terminating gateways unlock several of the benefits of a service mesh in the cases where a sidecar proxy cannot be deployed alongside services such as legacy applications or managed cloud databases.
    • Ingress Gateway: Envoy can now be run as a gateway to ingress traffic into the Consul service mesh, enabling a more incremental transition for applications.
    • WAN Federation over Mesh Gateways: Allows Consul datacenters to federate by forwarding WAN gossip and RPC traffic through Mesh Gateways rather than requiring the servers to be exposed to the WAN directly.
    • 🌐 JSON Web Token (JWT) Auth Method: Allows exchanging a signed JWT from a trusted external identity provider for a Consul ACL token.
    • Single Sign-On (SSO) [Enterprise]: Lets an operator configure Consul to use an external OpenID Connect (OIDC) provider to automatically handle the lifecycle of creating, distributing and managing ACL tokens for performing CLI operations or accessing the UI.
    • 🌲 Audit Logging [Enterprise]: Adds instrumentation to record a trail of events (both attempted and authorized) by users of Consul’s HTTP API for purposes of regulatory compliance.

    • acl: add DisplayName field to auth methods [GH-7769]

    • acl: add MaxTokenTTL field to auth methods [GH-7779]

    • πŸ”§ agent/xds: add support for configuring passive health checks [GH-7713]

    • ⚑️ cli: Add -config flag to "acl authmethod update/create" [GH-7776]

    • serf: allow to restrict servers that can join a given Serf Consul cluster. [GH-7628]

    • πŸ“š ui: Help menu to provide further documentation/learn links [GH-7310]

    • ui: (Consul Enterprise only) SSO support [GH-7742] [GH-7771] [GH-7790]

    • πŸ’» ui: Support for termininating and ingress gateways [GH-7858] [GH-7865]

    πŸ‘Œ IMPROVEMENTS:

    • acl: change authmethod.Validator to take a logger [GH-7758]
    • agent: show warning when enable_script_checks is enabled without safety net [GH-7437]
    • πŸ‘ api: Added filtering support to the v1/connect/intentions endpoint. [GH-7478]
    • auto_encrypt: add validations for auto_encrypt.{tls,allow_tls} [GH-7704]
    • πŸ— build: switched to compile with Go 1.14.1 [GH-7481]
    • config: validate system limits against limits.http_max_conns_per_client [GH-7434]
    • πŸ‘ connect: support envoy 1.12.3, 1.13.1, and 1.14.1. Envoy 1.10 is no longer officially supported. [GH-7380],[GH-7624]
    • connect: add DNSSAN and IPSAN to cache key for ConnectCALeafRequest [GH-7597]
    • connect: Added a new expose CLI command for ingress gateways [GH-8099]
    • license: (Consul Enterprise only) Update licensing to align with the current modules licensing structure.
    • 🌲 logging: catch problems with the log destination earlier by creating the file immediately [GH-7469]
    • πŸ‘ proxycfg: support path exposed with non-HTTP2 protocol [GH-7510]
    • 🚚 tls: remove old ciphers [GH-7282]
    • πŸ’» ui: Show the last 8 characters of AccessorIDs in listing views [GH-7327]
    • πŸ’» ui: Make all tabs within the UI linkable/bookmarkable and include in history [GH-7592]
    • πŸ’» ui: Redesign of all service pages [GH-7605] [GH-7632] [GH-7655] [GH-7683]
    • πŸ’» ui: Show intentions per individual service [GH-7615]
    • πŸ’» ui: Improved login/logout flow [GH-7790]
    • βͺ ui: Revert search to search as you type, add sort control for the service listing page [GH-7489]
    • πŸ’» ui: Omit proxy services from the service listing view and mark services as being proxied [GH-7820]
    • πŸ’» ui: Display proxies in a proxy info tab with the service instance detail page [GH-7745]
    • ⚑️ ui: Add live updates/blocking queries to gateway listings [GH-7967]
    • πŸ’» ui: Improved 'empty states' [GH-7940]
    • πŸ’» ui: Add ability to sort services based on health [GH-7989]
    • πŸ’» ui: Add explanatory tooltip panels for gateway services [GH-8048]
    • πŸ’» ui: Reduce discovery-chain log errors [GH-8065]

    πŸ›  BUGFIXES:

    • agent: (Consul Enterprise only) Fixed several bugs related to Network Area and Network Segment compatibility with other features caused by incorrectly doing version or serf tag checking. [GH-7491]
    • agent: rewrite checks with proxy address, not local service address [GH-7518]
    • agent: Preserve ModifyIndex for unchanged entry in KV transaciton [GH-7832]
    • 0️⃣ agent: use default resolver scheme for gRPC dialing [GH-7617]
    • cache: Fix go routine leak in the agent cache which could cause increasing memory usage. [GH-8092]
    • cli: enable TLS when CONSUL_HTTP_ADDR has an https scheme [GH-7608]
    • ♻️ connect: Internal refactoring to allow Connect proxy config to contain lists of structured configuration [GH-7963][GH-7964]
    • license: (Consul Enterprise only) Fixed a bug that would cause a license reset request to only be applied on the leader server.
    • sdk: Fix race condition in freeport [GH-7567]
    • server: strip local ACL tokens from RPCs during forwarding if crossing datacenters [GH-7419]
    • πŸ’» ui: Quote service names when filtering intentions to prevent 500 errors when accessing a service [GH-7896] [GH-7888]
    • πŸ’» ui: Miscellaneous amends for Safari and Firefox [GH-7904] [GH-7907]
    • ui: Ensure a value is always passed to CONSUL_SSO_ENABLED [GH-7913]
  • v1.8.0-rc1 Changes

    June 15, 2020

    1.8.0-rc1 (June 15, 2020)

    πŸ’₯ BREAKING CHANGES:

    • acl: Remove deprecated acl_enforce_version_8 option [GH-7991]

    πŸ‘Œ IMPROVEMENTS:

    • ⚑️ ui: Add live updates/blocking queries to gateway listings [GH-7967]
    • πŸ’» ui: Improved 'empty states' [GH-7940]
    • πŸ’» ui: Add ability to sort services based on health [GH-7989]
    • πŸ’» ui: Add explanatory tooltip panels for gateway services [GH-8048]
    • πŸ’» ui: Reduce discovery-chain log errors [GH-8065]
    • connect: Enable mesh and terminating gateways to resolve hostnames to IPv4 addresses using system resolver [GH-7999]
    • connect: Always require Host headers when serving L7 traffic through ingress gateways [GH-7990]
    • connect: Allow users to specify wildcard host for ingress when TLS is disabled [GH-8083]
    • connect: New end point to return healthy ingress gateway instances [GH-8081]
    • connect: Added a new expose CLI command for ingress gateways [GH-8099]

    πŸ› BUG FIXES:

    • cache: Fix go routine leak in the agent cache. [GH-8092]
    • ♻️ connect: Internal refactoring to allow Connect proxy config to contain lists of structured configuration [GH-7963][GH-7964]
    • connect: Handle re-bootstrapping scenario for WAN federation over mesh gateways. [GH-7931]
    • server: don't activate federation state replication or anti-entropy until all servers are running 1.8.0 [GH-8014]