consul v1.12.0 Release Notes
Release Date: 2022-04-20
💥 BREAKING CHANGES:
- 🚚 connect: Removes support for Envoy 1.17.4 [GH-12777]
- 🚚 connect: Removes support for Envoy 1.18.6 [GH-12805]
- 🔧 sdk: several changes to the testutil configuration structs (removed ACLMasterToken, renamed Master to InitialManagement, and AgentMaster to AgentRecovery) [GH-11827]
- telemetry: the disable_compat_1.9 option now defaults to true. 1.9 style consul.http... metrics can still be enabled by setting disable_compat_1.9 = false. However, we will remove these metrics in 1.13. [GH-12675]
🔋 FEATURES:
- acl: Add token information to PermissionDeniedErrors [GH-12567]
- acl: Added an AWS IAM auth method that allows authenticating to Consul using AWS IAM identities [GH-12583]
- ca: Root certificates can now be consumed from a gRPC streaming endpoint: WatchRoots [GH-12678]
- 👍 cli: The token read command now supports the -expanded flag to display detailed role and policy information for the token. [GH-12670]
- config: automatically reload config when a file changes using the auto-reload-config CLI flag or auto_reload_config config option. [GH-12329]
- 0️⃣ server: Ensure that service-defaults Meta is returned with the response to the ConfigEntry.ResolveServiceConfig RPC. [GH-12529]
- 0️⃣ server: discovery chains now include a response field named "Default" to indicate if they were not constructed from any service-resolver, service-splitter, or service-router config entries [GH-12511]
- 0️⃣ server: ensure that service-defaults meta is incorporated into the discovery chain response [GH-12511]
- 🔧 tls: it is now possible to configure TLS differently for each of Consul's listeners (i.e. HTTPS, gRPC and the internal multiplexed RPC listener) using the tls stanza [GH-12504]
- 💻 ui: Added support for AWS IAM Auth Methods [GH-12786]
- 💻 ui: Support connect-native services in the Topology view. [GH-12098]
- xds: Add the ability to invoke AWS Lambdas through terminating gateways. [GH-12681]
- xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry [GH-12601]
👌 IMPROVEMENTS:
- 🔨 Refactor ACL denied error code and start improving error details [GH-12308]
- acl: Provide fuller detail in the error message when an ACL denies access. [GH-12470]
- agent: Allow client agents to perform keyring operations [GH-12442]
- agent: add additional validation to TLS config [GH-12522]
- agent: add support for specifying TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suites [GH-12522]
- 0️⃣ agent: bump default min version for connections to TLS 1.2 [GH-12522]
- api: add QueryBackend to QueryMeta so an API user can determine which backend (streaming or blocking query) served a query. [GH-12791]
- ci: include 'enhancement' entry type in IMPROVEMENTS section of changelog. [GH-12376]
- 💻 ui: Exclude Service Instance Health from Health Check reporting on the Node listing page. The health icons on each individual row now only reflect Node health. [GH-12248]
- ⚠ ui: Improve usability of Topology warning/information panels [GH-12305]
- 💻 ui: Slightly improve usability of main navigation [GH-12334]
- 💻 ui: Use @hashicorp/flight icons for all our icons. [GH-12209]
- ✂ Removed impediments to using a namespace prefixed IntermediatePKIPath in a CA definition. [GH-12655]
- 🚚 acl: Improve handling of region-specific endpoints in the AWS IAM auth method. As part of this, the STSRegion field was removed from the auth method config. [GH-12774]
- api: Improve error message if service or health check not found by stating that the entity must be referred to by ID, not name [GH-10894]
- autopilot: Autopilot state is now tracked on Raft followers in addition to the leader. Stale queries may be used to query for the non-leaders state. [GH-12617]
- autopilot: The autopilot.healthy and autopilot.failure_tolerance metrics are now regularly emitted by all servers. [GH-12617]
- 🔒 ci: Enable security scanning for CRT [GH-11956]
- 🚚 connect: Add Envoy 1.21.1 to support matrix, remove 1.17.4 [GH-12777]
- 🚚 connect: Add Envoy 1.22.0 to support matrix, remove 1.18.6 [GH-12805]
- 🔧 connect: reduce raft apply on CA configuration when no change is performed [GH-12298]
- ⚡️ deps: update to latest go-discover to fix vulnerable transitive jwt-go dependency [GH-12739]
- 🌲 grpc, xds: improved reliability of grpc and xds servers by adding recovery-middleware to return and log error in case of panic. [GH-10895]
- ⚠ http: if a GET request has a non-empty body, log a warning that suggests a possible problem (parameters were meant for the query string, but accidentally placed in the body) [GH-11821]
- metrics: The consul.raft.boltdb.writeCapacity metric was added and indicates a theoretical number of writes/second that can be performed to Consul. [GH-12646]
- ✅ sdk: Add support for Partition and RetryJoin to the TestServerConfig struct. [GH-12126]
- telemetry: Add new leader label to consul.rpc.server.call and optional target_datacenter, locality, allow_stale, and blocking labels. [GH-12727]
- 💻 ui: In the datacenter selector order Datacenters by Primary, Local then alphanumerically [GH-12478]
- 💻 ui: Include details on ACL policy dispositions required for unauthorized views [GH-12354]
- 🚚 ui: Move icons away from depending on a CSS preprocessor [GH-12461]
- 🔖 version: Improved performance of the version.GetHumanVersion function by 50% on memory allocation. [GH-11507]
🗄 DEPRECATIONS:
- acl: The consul.acl.ResolveTokenToIdentity metric is no longer reported. The values that were previously reported as part of this metric will now be part of the consul.acl.ResolveToken metric. [GH-12166]
- 🗄 agent: deprecate older syntax for specifying TLS min version values [GH-12522]
- agent: remove support for specifying insecure TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suites [GH-12522]
- config: setting cert_file, key_file, ca_file, ca_path, tls_min_version, tls_cipher_suites, verify_incoming, verify_incoming_rpc, verify_incoming_https, verify_outgoing and verify_server_hostname at the top-level is now deprecated, use the tls stanza instead [GH-12504]
🐛 BUG FIXES:
- 📜 acl: Fix parsing of IAM user and role tags in IAM auth method [GH-12797]
- dns: allow max of 63 character DNS labels instead of 64 per RFC 1123 [GH-12535]
- 🌲 logging: fix a bug with incorrect severity syslog messages (all messages were sent with NOTICE severity). [GH-12079]
- 💻 ui: Added Tags tab to gateways (just like the one that exists for non-gateway services) [GH-12400]
- 💻 ui: Ensure proxy instance health is taken into account in Service Instance Listings [GH-12279]
- 💻 ui: Fixes an issue with the version footer wandering when scrolling [GH-11850]
NOTES:
- 👍 Forked net/rpc to add middleware support: https://github.com/hashicorp/consul-net-rpc/ . [GH-12311]
- ⬆️ dependency: Upgrade to use Go 1.18.1 [GH-12808]