consul v1.10.0-beta1 Release Notes

Release Date: 2021-04-16
  • SECURITY:

    • Add content-type headers to raw KV responses to prevent XSS attacks (CVE-2020-25864) [GH-10023]
    • audit-logging: Parse endpoint URL to prevent requests from bypassing the audit log (CVE-2021-28156)

  • FEATURES:

    • checks: add H2 ping health checks. [GH-8431]
    • cli: Add new consul connect redirect-traffic command for applying traffic redirection rules when Transparent Proxy is enabled. [GH-9910]
    • cli: Add prefix option to kv import command [GH-9792]
    • cli: snapshot inspect command provides KV usage breakdown [GH-9098]
    • cli: snapshot inspect command supports JSON output [GH-9006]
    • connect: Add local_request_timeout_ms to allow configuring the Envoy request timeout on local_app [GH-9554]
    • connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled [GH-9973]
    • sdk: Add new iptables package for applying traffic redirection rules with iptables. [GH-9910]
    • ui: Transparent Proxy - Service mesh visualization updates [GH-10002]
    • ui: Read-only ACL Auth Methods view [GH-9617]

  • IMPROVEMENTS:

    • acl: extend the auth-methods list endpoint to include MaxTokenTTL and TokenLocality fields. [GH-9741]
    • acl: use the presence of a management policy in the state store as a sign that we already migrated to v2 acls [GH-9505]
    • api: Enable setting query options on agent endpoints. [GH-9903]
    • api: AutopilotServerHealth now handles the 429 status code returned by the v1/operator/autopilot/health endpoint and still returns the parsed reply, which indicates server healthiness [GH-8599]
    • cli: added a -force-without-cross-signing flag to the ca set-config command. connect/ca: The ForceWithoutCrossSigning field will now work as expected for CA providers that support cross signing. [GH-9672]
    • cli: the consul connect envoy --envoy_statsd_url flag will now resolve the $HOST_IP environment variable, as part of a full url. [GH-8564]
    • client: when a client agent is attempting to deregister a service and does not have access to the ACL token used to register the service, attempt to use the agent token instead of the default user token. If no agent token is set, fall back to the default user token. [GH-9683]
    • connect: Add support for transparently proxying traffic through Envoy. [experimental] [GH-9894]
    • connect: Allow per-upstream configuration to be set in service-defaults. [experimental] [GH-9872]
    • connect: Automatically rewrite the Host header for Terminating Gateway HTTP services [GH-9042]
    • connect: The builtin connect proxy no longer advertises support for h2 via ALPN. [GH-4466]. [GH-9920]
    • connect: Update the service mesh visualization to account for transparent proxies. [GH-10016]
    • connect: adds new flags prometheus-backend-port and prometheus-scrape-port to consul connect envoy to support envoy_prometheus_bind_addr pointing to the merged metrics port when using Consul Connect on K8s. [GH-9768]
    • ui: Move to a sidebar based main navigation [GH-9553]
    • ui: Use older (~2016) native ES6 features to reduce transpilation and UI JS payload [GH-9729]
    • ui: add permanently visible indicator when ACLs are disabled [GH-9864]
    • ui: improve accessibility of modal dialogs [GH-9819]
    • ui: restrict the viewing/editing of certain UI elements based on the user's ACL token [GH-9687]
    • ui: support stricter content security policies [GH-9847]
    • xds: add support for envoy 1.17.0 [GH-9658]
    • xds: default to speaking xDS v3, but allow for v2 to be spoken upon request [GH-9658]
    • xds: remove deprecated usages of xDS and drop support for envoy 1.13.x [GH-9602]

    ๐Ÿ› BUG FIXES:

    • api: ensure v1/health/ingress/:service endpoint works properly when streaming is enabled [GH-9967]
    • areas: Fixes a bug which would prevent newer servers in a network area from connecting to servers running a version of Consul prior to 1.7.3.
    • audit-logging: (Enterprise only) Fixed an issue that prevented usage of the agent master token or managed service provider tokens from being resolved properly. [GH-10013]
    • cache: fix a bug in the client agent cache where streaming could potentially leak resources. [GH-9978]
    • cache: fix a bug in the client agent cache where streaming would disconnect every 20 minutes and cause delivery delays. [GH-9979]
    • checks: add TLSServerName field to allow setting the TLS server name for HTTPS health checks. [GH-9475]
    • command: when generating envoy bootstrap configs to stdout do not mix informational logs into the json [GH-9980]
    • config: Fixed a bug where rpc_max_conns_per_client could not be changed by reloading the config. [GH-8696]
    • config: correct config key from advertise_addr_ipv6 to advertise_addr_wan_ipv6 [GH-9851]
    • http: fix a bug in Consul Enterprise that would cause the UI to believe namespaces were supported, resulting in warning logs and incorrect UI behaviour. [GH-9923]
    • snapshot: fixes a bug that would cause snapshots to be missing all but the first ACL Auth Method. [GH-10025]
    • streaming: lookups in health now properly handle case-sensitivity and perform filtering based on tags and node-meta [GH-9703]
    • ui: Fix intention form cancel button [GH-9901]
    • ui: ensure proxy instance API requests perform blocking queries correctly [GH-10039]