consul v1.12.5 Release Notes
Release Date: 2022-09-20
BREAKING CHANGES:
- ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the `update` capability on the intermediate PKI's tune mount configuration endpoint, such as `/sys/mounts/connect_inter/tune`. The breaking nature of this change will be resolved in an upcoming 1.12 patch release. Refer to upgrade guidance for more information.
SECURITY:
- auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [GH-14577]
- connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the `ConnectCA.Sign` endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [GH-14579]
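The `ConnectCA.Sign` fix above amounts to a cardinality check on the URI SANs of an incoming CSR. The following Go sketch is an added example, not Consul's own code: the helper names, the `example.consul` trust domain and the sample service names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"net/url"
)

// validateSingleURISAN (hypothetical helper, not Consul's code) accepts a DER
// CSR only if it parses, is validly signed, and has exactly one SAN URI.
func validateSingleURISAN(der []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("unparseable CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("invalid CSR signature: %w", err)
	}
	if n := len(csr.URIs); n != 1 {
		return fmt.Errorf("CSR must contain exactly one SAN URI, found %d", n)
	}
	return nil
}

// buildCSR returns a constructed sample CSR with one SAN URI per service name.
func buildCSR(services ...string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{}
	for _, s := range services {
		id := &url.URL{Scheme: "spiffe", Host: "example.consul", Path: "/ns/default/dc/dc1/svc/" + s}
		tmpl.URIs = append(tmpl.URIs, id)
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	for _, services := range [][]string{{"web"}, {"web", "api"}, {}} {
		der, err := buildCSR(services...)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d SAN URI(s): %v\n", len(services), validateSingleURISAN(der))
	}
}
```

Only the single-URI request passes; the two-URI and zero-URI requests are rejected before any signing decision is made.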
IMPROVEMENTS:
- envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. [GH-14238]
- metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [GH-14161]
- snapshot agent: (Enterprise only) Add support for path-based addressing when using s3 backend.
- ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ [GH-14521]
BUG FIXES:
- ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed. [GH-14516]
- cli: When launching a sidecar proxy with `consul connect envoy` or `consul connect proxy`, the `-sidecar-for` service ID argument is now treated as case-insensitive. [GH-14034]
- connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster. [GH-14598]
- connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring. [GH-14429]
- envoy: validate name before deleting proxy default configurations. [GH-14290]
- rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries [GH-14233]
- ui: Removed Overview page from HCP installations [GH-14606]