consul v1.11.0 Release Notes

Release Date: 2021-12-14
    BREAKING CHANGES:

    • acl: The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that nothing is still using the legacy ACL system. See the Migrate Legacy ACL Tokens Learn Guide for more information. [GH-11232]
    • cli: consul acl set-agent-token master has been replaced with consul acl set-agent-token recovery [GH-11669]

    SECURITY:

    • namespaces: (Enterprise only) Creating or editing namespaces that include default ACL policies or ACL roles now requires acl:write permission in the default namespace. This change fixes CVE-2021-41805.
    • rpc: authorize raft requests CVE-2021-37219 [GH-10925]

    FEATURES:

    • Admin Partitions (Consul Enterprise only): This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the Admin Partition documentation.
    • ca: Add a configurable TTL for Connect CA root certificates. The configuration is supported by the Vault and Consul providers. [GH-11428]
    • ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate. [GH-11449]
    • health-checks: add support for h2c in http2 ping health checks [GH-10690]
    • ui: Add UI support to use Vault as an external source for a service [GH-10769]
    • ui: Adding support of Consul API Gateway as an external source. [GH-11371]
    • ui: Adds a copy button to each composite row in tokens list page, if Secret ID returns an actual ID [GH-10735]
    • ui: Adds visible Consul version information [GH-11803]
    • ui: Topology - New views for scenarios where no dependencies exist or ACLs are disabled [GH-11280]

    IMPROVEMENTS:

    • acls: Show AuthMethodNamespace when reading/listing ACL tokens. [GH-10598]
    • acl: replication routine to report the last error message. [GH-10612]
    • agent: add variation of force-leave that exclusively works on the WAN [GH-11722]
    • api: Enable setting query options on agent health and maintenance endpoints. [GH-10691]
    • api: responses that contain only a partial subset of results, due to filtering by ACL policies, may now include an X-Consul-Results-Filtered-By-ACLs header [GH-11569]
    • checks: add failures_before_warning setting for interval checks. [GH-10969]
    • โฌ†๏ธ ci: Upgrade to use Go 1.17.5 [GH-11799]
    • ๐Ÿ”ง ci: Allow configuring graceful stop in testutil. [GH-10566]
    • ๐Ÿ‘ cli: Add -cas and -modify-index flags to the consul config delete command to support Check-And-Set (CAS) deletion of config entries [GH-11419]
    • config: (Enterprise Only) Allow specifying permission mode for audit logs. [GH-10732]
    • ๐Ÿ‘ config: Support Check-And-Set (CAS) deletion of config entries [GH-11419]
    • config: add dns_config.recursor_strategy flag to control the order which DNS recursors are queried [GH-10611]
    • config: warn the user if client_addr is empty because client services won't be listening [GH-11461]
    • connect/ca: cease including the common name field in generated x509 non-CA certificates [GH-10424]
    • connect: Add low-level feature to allow an Ingress to retrieve TLS certificates from SDS. [GH-10903]
    • connect: Consul will now generate a unique virtual IP for each connect-enabled service (this will also differ across namespace/partition in Enterprise). [GH-11724]
    • connect: Support Vault auth methods for the Connect CA Vault provider. Currently, we support any non-deprecated auth methods the latest version of Vault supports (v1.8.5), which include AppRole, AliCloud, AWS, Azure, Cloud Foundry, GitHub, Google Cloud, JWT/OIDC, Kerberos, Kubernetes, LDAP, Oracle Cloud Infrastructure, Okta, Radius, TLS Certificates, and Username & Password. [GH-11573]
    • connect: Support manipulating HTTP headers in the mesh. [GH-10613]
    • connect: add Namespace configuration setting for Vault CA provider [GH-11477]
    • connect: ingress gateways may now enable built-in TLS for a subset of listeners. [GH-11163]
    • connect: service-resolver subset filters are validated for valid go-bexpr syntax on write [GH-11293]
    • โšก๏ธ connect: update supported envoy versions to 1.19.1, 1.18.4, 1.17.4, 1.16.5 [GH-11115]
    • โšก๏ธ connect: update supported envoy versions to 1.20.0, 1.19.1, 1.18.4, 1.17.4 [GH-11277]
    • debug: Add a new /v1/agent/metrics/stream API endpoint for streaming of metrics [GH-10399]
    • debug: rename cluster capture target to members, to be more consistent with the terms used by the API. [GH-10804]
    • dns: Added a virtual endpoint for querying the assigned virtual IP for a service. [GH-11725]
    • http: when a URL path is not found, include a message with the 404 status code to help the user understand why (e.g., HTTP API endpoint path not prefixed with /v1/) [GH-11818]
    • raft: Added a configuration to disable boltdb freelist syncing [GH-11720]
    • raft: Emit boltdb related performance metrics [GH-11720]
    • raft: Use bbolt instead of the legacy boltdb implementation [GH-11720]
    • sdk: Add support for iptable rules that allow DNS lookup redirection to Consul DNS. [GH-11480]
    • segments: (Enterprise only) ensure that the serf_lan_allowed_cidrs applies to network segments [GH-11495]
    • telemetry: add a new agent.tls.cert.expiry metric for tracking when the Agent TLS certificate expires. [GH-10768]
    • telemetry: add a new mesh.active-root-ca.expiry metric for tracking when the root certificate expires. [GH-9924]
    • telemetry: added metrics to track certificates expiry. [GH-10504]
    • types: add TLSVersion and TLSCipherSuite [GH-11645]
    • ui: Change partition URL segment prefix from - to _ [GH-11801]
    • ui: Add upstream icons for upstreams and upstream instances [GH-11556]
    • ui: Add uri guard to prevent future URL encoding issues [GH-11117]
    • ui: Move the majority of our SASS variables to use native CSS custom properties [GH-11200]
    • ui: Removed informational panel from the namespace selector menu when editing namespaces [GH-11130]
    • ui: Update UI browser support to 'roughly ~2 years back' [GH-11505]
    • ui: Update global notification styling [GH-11577]
    • ui: added copy to clipboard button in code editor toolbars [GH-11474]
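    The two expiry gauges added under telemetry above (agent.tls.cert.expiry and mesh.active-root-ca.expiry) are only useful if something watches them. The following Prometheus alerting rules are an added example, not part of the Consul release notes or the Consul project. They assume the agent's Prometheus sink (/v1/agent/metrics?format=prometheus) renders the two metrics as consul_agent_tls_cert_expiry and consul_mesh_active_root_ca_expiry, and that each gauge holds the number of seconds until expiry; verify both the names and the unit against your own agents' output before deploying the rules.

```yaml
# Added example (not from the Consul release notes). Metric names and the
# seconds-until-expiry unit are assumptions to verify against
# /v1/agent/metrics?format=prometheus on your agents.
groups:
  - name: consul-certificate-expiry
    rules:
      # Agent TLS certificate (RPC/HTTPS listener) expiring in under 14 days.
      - alert: ConsulAgentTLSCertExpiringSoon
        expr: consul_agent_tls_cert_expiry < 14 * 24 * 3600
        for: 1h
        labels:
          severity: warning
        annotations:
          summary: "Consul agent TLS certificate on {{ $labels.instance }} expires in under 14 days"
      # Connect root CA expiring in under 30 days; leaf certificates cannot be
      # signed past root expiry, so this is rated higher than the agent cert.
      - alert: ConsulMeshRootCAExpiringSoon
        expr: consul_mesh_active_root_ca_expiry < 30 * 24 * 3600
        for: 1h
        labels:
          severity: critical
        annotations:
          summary: "Consul Connect root CA reported by {{ $labels.instance }} expires in under 30 days"
```

    The thresholds are illustrative; pick them so that an alert fires well before your CA rotation or certificate renewal lead time, and pair the rules with the /connect/ca/roots API response when investigating, since that is where the intermediate certificate (see the ca fixes below) is reported.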

    DEPRECATIONS:

    • api: /v1/agent/token/agent_master is deprecated and will be removed in a future major release - use /v1/agent/token/agent_recovery instead [GH-11669]
    • config: acl.tokens.master has been renamed to acl.tokens.initial_management, and acl.tokens.agent_master has been renamed to acl.tokens.agent_recovery - the old field names are now deprecated and will be removed in a future major release [GH-11665]
    • tls: With the upgrade to Go 1.17, the ordering of tls_cipher_suites will no longer be honored, and tls_prefer_server_cipher_suites is now ignored. [GH-11364]
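    The breaking change at the top of these notes (removal of the legacy ACL system) and the deprecations just listed all touch configuration an operator should review before upgrading. The script below is an added example, not part of the Consul release notes or the Consul code base. It reads an agent configuration in JSON form plus a token listing saved with consul acl token list -format=json, and flags the renamed acl.tokens fields, the TLS settings that the Go 1.17 build no longer honours, and any token still marked as legacy. The Legacy boolean on token list entries is assumed to be present as it is in the 1.x ACL API; the embedded sample configuration and token list are constructed placeholders, not data from any real deployment.

```python
"""Pre-upgrade check for the Consul 1.11.0 ACL and TLS changes.

Added example, not part of the Consul release notes or the Consul code base.
It reads an agent configuration (JSON form) and a saved ACL token listing and
reports what the 1.11.0 breaking change and deprecations affect.
"""
import json
import sys

# Config keys renamed in 1.11.0 (old dotted path -> new dotted path), taken
# from the DEPRECATIONS section of the release notes.
RENAMED_KEYS = {
    "acl.tokens.master": "acl.tokens.initial_management",
    "acl.tokens.agent_master": "acl.tokens.agent_recovery",
}

# TLS keys whose behaviour changed with the Go 1.17 build (top-level keys in
# the 1.10/1.11 agent configuration).
IGNORED_KEYS = {
    "tls_prefer_server_cipher_suites": "is now ignored (Go 1.17 chooses the cipher suite order)",
    "tls_cipher_suites": "still restricts the allowed suites, but its order is no longer honoured",
}


def load_json(path):
    """Load a JSON file; configuration written in HCL must be converted to JSON first."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _lookup(config, dotted):
    """Return the value at a dotted path in a nested dict, or None if absent."""
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_agent_config(config):
    """Return a list of findings (strings) for one agent configuration dict."""
    findings = []
    for old, new in RENAMED_KEYS.items():
        if _lookup(config, old) is not None:
            findings.append(f"{old} is deprecated; rename it to {new}")
    for key, why in IGNORED_KEYS.items():
        if key in config:
            findings.append(f"{key} {why}")
    return findings


def find_legacy_tokens(token_list):
    """Return AccessorIDs of tokens still in the legacy ACL format.

    Assumption: token_list is the parsed output of
    `consul acl token list -format=json`, whose entries carry a `Legacy` boolean.
    """
    return [t["AccessorID"] for t in token_list if t.get("Legacy")]


# Constructed sample inputs (placeholders, not taken from any real deployment).
SAMPLE_CONFIG = {
    "acl": {
        "enabled": True,
        "tokens": {
            "master": "PLACEHOLDER-INITIAL-MANAGEMENT-TOKEN",
            "agent_master": "PLACEHOLDER-AGENT-RECOVERY-TOKEN",
        },
    },
    "tls_prefer_server_cipher_suites": True,
    "tls_cipher_suites": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

SAMPLE_TOKENS = [
    {"AccessorID": "00000000-0000-0000-0000-000000000001", "Legacy": True, "Description": "old ops token"},
    {"AccessorID": "00000000-0000-0000-0000-000000000002", "Legacy": False, "Description": "policy-based token"},
]


def report(config=SAMPLE_CONFIG, tokens=SAMPLE_TOKENS):
    """Combine both checks; an empty list means nothing blocks the 1.11.0 upgrade."""
    findings = check_agent_config(config)
    findings += [f"legacy ACL token {aid} must be migrated before upgrade"
                 for aid in find_legacy_tokens(tokens)]
    return findings


if __name__ == "__main__":
    # Usage: python check.py [agent-config.json acl-tokens.json]; with no
    # arguments the constructed samples above are checked.
    if len(sys.argv) == 3:
        lines = report(load_json(sys.argv[1]), load_json(sys.argv[2]))
    else:
        lines = report()
    for line in lines:
        print(line)
```

    Run it against every server and client configuration, not just the servers: the agent_master/agent_recovery rename applies to each agent's own config, and to the on-disk acl-tokens.json mentioned under NOTES below.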

    ๐Ÿ› BUG FIXES:

    • acl: (Enterprise only) fix namespace and namespace_prefix policy evaluation when both govern an authz request
    • โšก๏ธ api: Fix default values used for optional fields in autopilot configuration update (POST to /v1/operator/autopilot/configuration) [GH-10558] [GH-10559]
    • api: ensure new partition fields are omit empty for compatibility with older versions of consul [GH-11585]
    • areas: (Enterprise Only) Fixes a bug when using the Yamux pool (for servers on version 1.7.3 and later): the entire pool was locked while connecting to a remote location, which could potentially take a long time.
    • areas: (Enterprise only) make the gRPC server tracker network area aware [GH-11748]
    • ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [GH-11693]
    • ca: fixes a bug that caused the SigningKeyID to be wrong in the primary DC, when the Vault provider is used, after a CA config creates a new root. [GH-11672]
    • ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [GH-11671]
    • check root and intermediate CA expiry before using it to sign a leaf certificate. [GH-10500]
    • connect/ca: ensure edits to the key type/bits for the connect builtin CA will regenerate the roots [GH-10330]
    • โšก๏ธ connect/ca: require new vault mount points when updating the key type/bits for the vault connect CA provider [GH-10331]
    • ๐Ÿ”’ connect: fix race causing xDS generation to lock up when discovery chains are tracked for services that are no longer upstreams. [GH-11826]
    • ๐Ÿ›  dns: Fixed an issue where on DNS requests made with .alt_domain response was returned as .domain [GH-11348]
    • dns: return an empty answer when asked for an addr dns with type other then A and AAAA. [GH-10401]
    • ๐ŸŽ macos: fixes building with a non-Apple LLVM (such as installed via Homebrew) [GH-11586]
    • namespaces: (Enterprise only) ensure the namespace replicator doesn't replicate deleted namespaces
    • proxycfg: ensure all of the watches are canceled if they are cancelable [GH-11824]
    • snapshot: (Enterprise only) fixed a bug where the snapshot agent would ignore the license_path setting in config files
    • ui: Change partitions to expect [] from the listing API [GH-11791]
    • ui: Don't offer to save an intention with a source/destination wildcard partition [GH-11804]
    • ui: Ensure all types of data get reconciled with the backend data [GH-11237]
    • ui: Ensure dc selector correctly shows the currently selected dc [GH-11380]
    • ui: Ensure we check intention permissions for specific services when deciding whether to show action buttons for per service intention actions [GH-11409]
    • ui: Ensure we filter tokens by policy when showing which tokens use a certain policy whilst editing a policy [GH-11311]
    • ui: Ensure we show a readonly designed page for readonly intentions [GH-11767]
    • ui: Filter the global intentions list by the currently selected partition rather than a wildcard [GH-11475]
    • ui: Fix inline-code brand styling [GH-11578]
    • ui: Fix visual issue with slight table header overflow [GH-11670]
    • ui: Fixes an issue where, under some circumstances, after logging in we presented the data loaded before you logged in. [GH-11681]
    • ui: Gracefully recover from non-existent DC errors [GH-11077]
    • ui: Include Service.Namespace in the available variables for dashboard_url_templates [GH-11640]
    • ui: Revert to depending on the backend, 'post-user-action', to report permissions errors rather than using UI capabilities 'pre-user-action' [GH-11520]
    • ui: Topology - Fix up Default Allow and Permissive Intentions notices [GH-11216]
    • ui: code editor styling (layout consistency + wide screen support) [GH-11474]
    • use the MaxQueryTime instead of RPCHoldTimeout for blocking RPC queries [GH-8978]. [GH-10299]
    • windows: fixes arm and arm64 builds [GH-11586]

    NOTES:

    • Renamed the agent_master field to agent_recovery in the acl-tokens.json file in which tokens are persisted on-disk (when acl.enable_token_persistence is enabled) [GH-11744]