All Versions
183
Latest Version
Avg Release Cycle
29 days
Latest Release
576 days ago
Changelog History
Page 6
Changelog History
Page 6
-
v1.9.10 Changes
September 27, 2021๐ FEATURES:
- sso/oidc: (Enterprise only) Add support for providing acr_values in OIDC auth flow [GH-11026]
๐ IMPROVEMENTS:
- audit-logging: (Enterprise Only) Audit logs will now include select HTTP headers in each logs payload. Those headers are:
Forwarded
,Via
,X-Forwarded-For
,X-Forwarded-Host
andX-Forwarded-Proto
. [GH-11107] - โก๏ธ connect: update supported envoy versions to 1.16.5 [GH-10961]
- telemetry: Add new metrics for the count of KV entries in the Consul store. [GH-11090]
๐ BUG FIXES:
-
v1.9.9 Changes
August 27, 2021KNOWN ISSUES:
- ๐ tls: The fix for CVE-2021-37219 introduced an issue that could prevent TLS certificate validation when intermediate CA certificates used to sign server certificates are transmitted in the TLS session but are not present in all Consul server's configured CA certificates. This has the effect of preventing Raft RPCs between the affected servers. As a work around until the next patch releases, ensure that all intermediate CA certificates are present in all Consul server configurations prior to using certificates that they have signed.
๐ SECURITY:
- rpc: authorize raft requests CVE-2021-37219 [GH-10932]
๐ IMPROVEMENTS:
- areas: (Enterprise only) Add 15s timeout to opening streams over pooled connections.
- areas: (Enterprise only) Apply backpressure to area gossip packet ingestion when more than 512 packets are waiting to be ingested.
- areas: (Enterprise only) Make implementation of WriteToAddress non-blocking to avoid slowing down memberlist's packetListen routine.
- โก๏ธ deps: update to gogo/protobuf v1.3.2 [GH-10813]
๐ BUG FIXES:
- 0๏ธโฃ acl: fixes a bug that prevented the default user token from being used to authorize service registration for connect proxies. [GH-10824]
- ๐ ca: fixed a bug when ca provider fail and provider state is stuck in
INITIALIZING
state. [GH-10630] - ca: report an error when setting the ca config fail because of an index check. [GH-10657]
- ๐ง cli: Ensure the metrics endpoint is accessible when Envoy is configured to use 0๏ธโฃ a non-default admin bind address. [GH-10757]
- cli: Fix a bug which prevented initializing a watch when using a namespaced token. [GH-10795]
- connect: proxy upstreams inherit namespace from service if none are defined. [GH-10688]
- ๐ dns: fixes a bug with edns truncation where the response could exceed the size limit in some cases. [GH-10009]
- ๐ txn: fixes Txn.Apply to properly authorize service registrations. [GH-10798]
- ๐ป ui: Fix dropdown option duplication in the new intentions form [GH-10706]
- ๐ป ui: Hide all metrics for ingress gateway services [GH-10858]
- ๐ป ui: Properly encode non-URL safe characters in OIDC responses [GH-10901]
- ๐ป ui: fixes a bug with some service failovers not showing the routing tab visualization [GH-10913]
-
v1.9.8 Changes
July 15, 2021๐ SECURITY:
- xds: ensure envoy verifies the subject alternative name for upstreams CVE-2021-32574 [GH-10621]
- 0๏ธโฃ xds: ensure single L7 deny intention with default deny policy does not result in allow action CVE-2021-36213 [GH-10619]
๐ BUG FIXES:
-
v1.9.7 Changes
June 21, 2021๐ IMPROVEMENTS:
- ๐ debug: capture a single stream of logs, and single pprof profile and trace for the whole duration [GH-10279]
- licensing: (Enterprise Only) In order to have forward compatibility with Consul Enterprise v1.10, the ability to parse licenses from the configuration or environment has been added. This can be specified with the
license_path
configuration, theCONSUL_LICENSE
environment variable or theCONSUL_LICENSE_PATH
environment variable. On server agents this configuration will be ignored. Client agents and the snapshot agent will use the configured license instead of automatically retrieving one. [GH-10441] - โก๏ธ monitoring: optimize the monitoring endpoint to avoid losing logs when under high load. [GH-10368]
๐ BUG FIXES:
-
v1.9.6 Changes
June 04, 2021๐ IMPROVEMENTS:
- acl: Give more descriptive error if auth method not found. [GH-10163]
- areas: (Enterprise only) Use server agent's gossip_wan config when setting memberlist configuration for network areas. Previously they used memberlists WAN defaults.
- cli: added a
-force-without-cross-signing
flag to theca set-config
command. ๐ connect/ca: The ForceWithoutCrossSigning field will now work as expected for CA providers that support cross signing. [GH-9672] - โก๏ธ connect: update supported envoy versions to 1.16.3, 1.15.4, 1.14.7, 1.13.7 [GH-10105]
- โก๏ธ connect: update supported envoy versions to 1.16.4, 1.15.5, 1.14.6, and 1.13.7 [GH-10232]
- telemetry: Add new metrics for status of secondary datacenter replication. [GH-10073]
- telemetry: The usage data in the
metrics
API now includes cluster member counts, reporting clients on a per segment basis. [GH-10340] - ๐ป ui: Added CRD popover 'informed action' for intentions managed by CRDs [GH-10100]
- ๐ ui: Added humanized formatting to lock session durations [GH-10062]
- ๐ป ui: Only show a partial list of intention permissions, with the option to show all [GH-10174]
- โก๏ธ ui: updates the ui with the new consul brand assets [GH-10090]
๐ BUG FIXES:
- ๐ agent: ensure we hash the non-deprecated upstream fields on ServiceConfigRequest [GH-10240]
- ๐ฒ agent: fix logging output by removing leading whitespace from every log line [GH-10338]
- 0๏ธโฃ api: include the default value of raft settings in the output of /v1/agent/self [GH-8812]
- areas: (Enterprise only) Revert to the 10s dial timeout used before connection pooling was introduced in 1.7.3.
- areas: (Enterprise only) Selectively merge gossip_wan config for network areas to avoid attempting to enable gossip encryption where it was not intended or necessary.
- autopilot: (Enterprise only) Fixed an issue where autopilot could cause a new leader to demote the wrong voter when redundancy zones are in use and the previous leader failed. [GH-10306]
- ๐ cli: removes the need to set debug_enabled=true to collect debug data from the CLI. Now the CLI behaves the same way as the API and accepts either an ACL token with operator:read, or debug_enabled=true. [GH-10273]
- cli: snapshot inspect command would panic on invalid input. [GH-10091]
- ๐ envoy: fixes a bug where a large envoy config could cause the
consul connect envoy
command to deadlock when attempting to start envoy. [GH-10324] - http: fix a bug that caused the
X-Consul-Effective-Consistency
header to be missing on request for service health [GH-10189] - 0๏ธโฃ local: agents will no longer persist the default user token along with a service or check. [GH-10188]
- namespaces: (Enterprise only) fixes a problem where the logs would contain many warnings about namespaces not being licensed.
- server: ensure that central service config flattening properly resets the state each time [GH-10239]
- ๐ ui: Add conditionals to lock sessions tab [GH-10121]
- ๐ป ui: De-duplicate tags in rendered tag listings [GH-10186]
- ๐ป ui: Don't render a DOM element for empty namespace descriptions [GH-10157]
- ๐ป ui: Reflect the change of Session API response shape for Checks in post 1.7 Consul [GH-10225]
- ๐ ui: Removes the extra rendering of namespace in service upstream list [GH-10152]
-
v1.9.5 Changes
April 15, 2021๐ SECURITY:
- โ Add content-type headers to raw KV responses to prevent XSS attacks CVE-2020-25864 [GH-10023]
- ๐ audit-logging: Parse endpoint URL to prevent requests from bypassing the audit log CVE-2021-28156
๐ IMPROVEMENTS:
- ๐ api:
AutopilotServerHelath
now handles the 429 status code returned by the v1/operator/autopilot/health endpoint and still returned the parsed reply which will indicate server healthiness [GH-8599] - 0๏ธโฃ client: when a client agent is attempting to dereigster a service, anddoes not have access to the ACL token used to register a service, attempt to use the agent token instead of the default user token. If no agent token is set, fall back to the default user token. [GH-9683]
- connect: Automatically rewrite the Host header for Terminating Gateway HTTP services [GH-9042]
- ๐ ui: support stricter content security policies [GH-9847]
๐ BUG FIXES:
- api: ensure v1/health/ingress/:service endpoint works properly when streaming is enabled [GH-9967]
- ๐ areas: Fixes a bug which would prevent newer servers in a network areas from connecting to servers running a version of Consul prior to 1.7.3.
- ๐ audit-logging: (Enterprise only) Fixed an issue that resulted in usage of the agent master token or managed service provider tokens from being resolved properly. [GH-10013]
- cache: fix a bug in the client agent cache where streaming could potentially leak resources. [GH-9978]. [GH-9978]
- cache: fix a bug in the client agent cache where streaming would disconnect every 20 minutes and cause delivery delays. [GH-9979]. [GH-9979]
- ๐ command: when generating envoy bootstrap configs to stdout do not mix informational logs into the json [GH-9980]
- โ config: correct config key from
advertise_addr_ipv6
toadvertise_addr_wan_ipv6
[GH-9851] - ๐ http: fix a bug in Consul Enterprise that would cause the UI to believe namespaces were supported, resulting in warning logs and incorrect UI behaviour. [GH-9923]
- ๐ snapshot: fixes a bug that would cause snapshots to be missing all but the first ACL Auth Method. [GH-10025]
- ๐ป ui: Fix intention form cancel button [GH-9901]
-
v1.9.4 Changes
March 04, 2021๐ IMPROVEMENTS:
- connect: if the token given to the vault provider returns no data avoid a panic [GH-9806]
- ๐ connect: update supported envoy point releases to 1.16.2, 1.15.3, 1.14.6, 1.13.7 [GH-9737]
- ๐ xds: only try to create an ipv6 expose checks listener if ipv6 is supported by the kernel [GH-9765]
๐ BUG FIXES:
- ๐ api: Remove trailing periods from the gateway internal HTTP API endpoint [GH-9752]
- ๐ cache: Prevent spamming the logs for days when a cached request encounters an "ACL not found" error. [GH-9738]
- connect: connect CA Roots in the primary datacenter should use a SigningKeyID derived from their local intermediate [GH-9428]
- proxycfg: avoid potential deadlock in delivering proxy snapshot to watchers. [GH-9689]
- โ replication: Correctly log all replication warnings that should not be suppressed [GH-9320]
- ๐ streaming: fixes a bug caused by caching an incorrect snapshot, that would cause clients to error until the cache expired. [GH-9772]
- ๐ป ui: Exclude proxies when showing the total number of instances on a node. [GH-9749]
- ๐ป ui: Fixed a bug in older browsers relating to String.replaceAll and fieldset w/flexbox usage [GH-9715]
- xds: deduplicate mesh gateway listeners by address in a stable way to prevent some LDS churn [GH-9650]
- xds: prevent LDS flaps in mesh gateways due to unstable datacenter lists; also prevent some flaps in terminating gateways as well [GH-9651]
-
v1.9.3 Changes
February 01, 2021๐ FEATURES:
- ๐ป ui: Add additional search/filter status pills for viewing and removing current filters in listing views [GH-9442]
๐ IMPROVEMENTS:
- ๐ cli: Add new
-cluster-id
andcommon-name
toconsul tls ca create
to support creating a CA for Consul Connect. [GH-9585] - license: (Enterprise only) Temporary client license duration was increased from 30m to 6h.
- server: (Enterprise Only) Validate source namespaces in service-intentions config entries. [GH-9527]
- server: use the presence of stored federation state data as a sign that we already activated the federation state feature flag [GH-9519]
๐ BUG FIXES:
- ๐ autopilot: Fixed a bug that would cause snapshot restoration to stop autopilot on the leader. [GH-9626]
- 0๏ธโฃ server: When wan federating via mesh gateways after initial federation default to using the local mesh gateways unless the heuristic indicates a bypass is required. [GH-9528]
- server: When wan federating via mesh gateways only do heuristic primary DC bypass on the leader. [GH-9366]
- ๐ป ui: Fixed a bug that would cause missing or duplicate service instance healthcheck listings. [GH-9660]
-
v1.9.2 Changes
January 20, 2021๐ FEATURES:
- agent: add config flag
MaxHeaderBytes
to control the maximum size of the http header per client request. [GH-9067] - ๐ง cli: The
consul intention
command now has a newlist
subcommand to allow the listing of configured intentions. It also supports the-namespace=
option. [GH-9468]
๐ IMPROVEMENTS:
- server: deletions of intentions by name using the intention API is now idempotent [GH-9278]
- โ streaming: display a warning on agent(s) when incompatible streaming parameters are used [GH-9530]
- โ ui: Various accessibility scan test improvements [GH-9485]
๐ DEPRECATIONS:
- api: the
tag
,node-meta
, andpassing
query parameters for various health and catalog ๐ endpoints are now deprecated. Thefilter
query parameter should be used as a replacement ๐ for all of the deprecated fields. The deprecated query parameters will be removed in a future ๐ version of Consul. [GH-9262]
๐ BUG FIXES:
- ๐ client: Help added in Prometheus in relases 1.9.0 does not generate warnings anymore in logs [GH-9510]
- client: properly set GRPC over RPC magic numbers when encryption was not set or partially set in the cluster with streaming enabled [GH-9512]
- ๐ connect: Fixed a bug in the AWS PCA Connect CA provider that could cause the intermediate PKI path to be deleted after reconfiguring the CA [GH-9498]
- ๐ connect: Fixed a bug in the Vault Connect CA provider that could cause the intermediate PKI path to be deleted after reconfiguring the CA [GH-9498]
- โก๏ธ connect: Fixed an issue that would prevent updating the Connect CA configuration if the CA provider didn't complete initialization previously. [GH-9498]
- ๐ leader: Fixed a bug that could cause Connect CA initialization failures from allowing leader establishment to complete resulting in potentially infinite leader elections. [GH-9498]
- rpc: Prevent misleading RPC error claiming the lack of a leader when Raft is ok but there are issues with client agents gossiping with the leader. [GH-9487]
- ๐ server: Fixes a server panic introduced in 1.9.0 where Connect service mesh is being used. Node de-registration could panic if it hosted services with multiple upstreams. [GH-9589]
- state: fix computation of usage metrics to account for various places that can modify multiple services in a single transaction. [GH-9440]
- ๐ป ui: Display LockDelay in nanoseconds as a temporary fix to the formatting [GH-9594]
- ๐ป ui: Fix an issue where registering an ingress-gateway with no central config
would result in a JS error due to the API reponse returning
null
[GH-9593] - ๐ป ui: Fixes an issue where clicking backwards and forwards between a service instance can result in a 404 error [GH-9524]
- ๐ ui: Fixes an issue where intention description or metadata could be overwritten if saved from the topology view. [GH-9513]
- ๐ป ui: Fixes an issue with setting -ui-content-path flag/config [GH-9569]
- ๐ป ui: ensure namespace is used for node API requests [GH-9410]
- ๐ป ui: request intention listing with ns=* parameter to retrieve all intentions across namespaces [GH-9432]
- agent: add config flag
-
v1.9.1 Changes
December 11, 20201.9.1 (December 11, 2020)
๐ FEATURES:
- ๐ป ui: add copyable IDs to the Role and Policy views [GH-9296]
๐ IMPROVEMENTS:
- cli: (Enterprise only) A new
-read-replica
flag can now be used to enable running a server as a read only replica. Previously this was enabled with the now deprecated-non-voting-server
flag. [GH-9191] - config: (Enterprise only) A new
read_replica
configuration setting can now be used to enable running a server as a read only replica. Previously this was enabled with the now deprecatednon_voting_server
setting. [GH-9191]
๐ DEPRECATIONS:
- cli: (Enterprise only) The
-non-voting-server
flag is deprecated in favor of the new-read-replica
flag. The-non-voting-server
flag is still present along side the new flag but it will be removed in a future release. [GH-9191] - config: (Enterprise only) The
non_voting_server
configuration setting is deprecated in favor of the newread_replica
setting. Thenon_voting_server
configuration setting is still present but will be removed in a future release. [GH-9191] - gossip: (Enterprise only) Read replicas now advertise themselves by setting the
read_replica
tag. The oldnonvoter
tag is still present but is deprecated and will be removed in a future release. [GH-9191] - server: (Enterprise only) Addition of the
nonvoter
tag to the service registration made for read replicas is deprecated in favor of the new tag name ofread_replica
. Both are present in the registration but thenonvoter
tag will be completely removed in a future release. [GH-9191]
๐ BUG FIXES:
- ๐ agent: prevent duplicate services and check registrations from being synced to servers. [GH-9284]
- โก๏ธ connect: fixes a case when updating the CA config in a secondary datacenter to correctly trigger the creation of a new intermediate certificate [GH-9009]
- connect: only unset the active root in a secondary datacenter when a new one is replacing it [GH-9318]
- namespaces: (Enterprise only) Prevent stalling of replication in secondary datacenters due to conflicts between the namespace replicator and other replicators. [GH-9271]
- streaming: ensure the order of results provided by /health/service/:serviceName is consistent with and without streaming enabled [GH-9247]