consul v1.6.0 Release Notes

Release Date: 2019-07-26 // 3 months ago
  • 🔒 SECURITY:

    • ⚡️ Updated to compile with Go 1.12.8 which mitigates CVE-2019-9512 and CVE-2019-9514 for the builtin HTTP server [GH-6319]
    • ⚡️ Updated the google.golang.org/grpc dependency to v1.23.0 to mitigate CVE-2019-9512, CVE-2019-9514, and CVE-2019-9515 for the gRPC server. [GH-6320]

    💥 BREAKING CHANGES:

    • 🚚 connect: remove deprecated managed proxies and ProxyDestination config [GH-6220]

    🔋 FEATURES:

    • 👍 Connect Envoy Supports L7 Routing: Additional configuration entry types service-router, service-resolver, and service-splitter, allow for configuring Envoy sidecars to enable reliability and deployment patterns at L7 such as HTTP path-based routing, traffic shifting, and advanced failover capabilities. For more information see the L7 traffic management docs.
    • Mesh Gateways: Envoy can now be run as a gateway to route Connect traffic across datacenters using SNI headers, allowing connectivty across platforms and clouds and other complex network topologies. Read more in the mesh gateway docs.
    • Intention & CA Replication: In order to enable connecitivty for services across datacenters, Connect intentions are now replicated and the Connect CA cross-signs from the primary_datacenter. This feature was previously part of Consul Enterprise.
    • agent: add local-only parameter to operator/keyring list requests to force queries to only hit local servers. [GH-6279]
    • connect: expose an API endpoint to compile the discovery chain [GH-6248]
    • 📦 connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package [GH-6340]
    • 0️⃣ connect: introduce ExternalSNI field on service-defaults [GH-6324]
    • xds: allow http match criteria to be applied to routes on services using grpc protocols [GH-6149]

    👌 IMPROVEMENTS:

    • agent: Added tagged addressing to services similar to the already present Node tagged addressing [GH-5965]
    • 🔧 agent: health checks: change long timeout behavior to use to user-configured timeout value [GH-6094]
    • api: Display allowed HTTP CIDR information nicely [GH-6029]
    • ⚡️ api: Update filtering language to include substring and regular expression matching on string values [GH-6190]
    • 0️⃣ connect: added a new -bind-address cli option for envoy to create a mapping of the desired bind addresses to use instead of the default rules or tagged addresses [GH-6107]
    • connect: allow L7 routers to match on http methods [GH-6164]
    • connect: change router syntax for matching query parameters to resemble the syntax for matching paths and headers for consistency. [GH-6163]
    • connect: detect and prevent circular discovery chain references [GH-6246]
    • connect: ensure time.Duration fields retain their human readable forms in the API [GH-6348]
    • 🔧 connect: reconcile how upstream configuration works with discovery chains [GH-6225]
    • connect: rework how the service resolver subset OnlyPassing flag works [GH-6173]
    • connect: simplify the compiled discovery chain data structures [GH-6242]
    • ✅ connect: validate and test more of the L7 config entries [GH-6156]
    • 👍 gossip: increase size of gossip key generated by keygen to 32 bytes and document support for AES 256 [GH-6244]
    • 👍 license (enterprise): Added license endpoint support to the API client [GH-6268]
    • xds: improve how envoy metrics are emitted [GH-6312]
    • ✅ xds: Verified integration test suite with Envoy 1.11.1 [GH-6347]

    🐛 BUG FIXES:

    • 🛠 acl: Fixed a bug that could prevent transition from legacy ACL mode to new ACL mode [GH-6332
    • agent: blocking central config RPCs iterations should not interfere with each other [GH-6316]
    • agent: fix an issue that could cause a panic while transferring leadership due to replication [GH-6104]
    • api: Fix a bug where the service tagged addresses were not being returned through the v1/agent/service/:service api. [GH-6299]
    • 🗄 api: un-deprecate api.DecodeConfigEntry [GH-6278]
    • auto_encrypt: use server-port [GH-6287]
    • ⚡️ autopilot: update to also remove failed nodes from WAN gossip pool [GH-6028]
    • cli: ensure that the json form of config entries can be submitted with 'consul config write' [GH-6290]
    • 🛠 cli: Fixed bindable IP detection with the connect envoy command. [GH-6238]
    • config: Ensure that all config entry writes are transparently forwarded to the primary datacneter. [GH-6327]
    • connect: allow 'envoy_cluster_json' escape hatch to continue to function [GH-6378]
    • connect: allow mesh gateways to use central config [GH-6302]
    • connect: ensure intention replication continues to work when the replication ACL token changes [GH-6288]
    • connect: ensure local dc connections do not use the gateway [GH-6085]
    • 0️⃣ connect: fix bug in service-resolver redirects if the destination uses a default resolver [GH-6122]
    • 🛠 connect: Fixed a bug that would prevent CA replication/initializing in a secondary DC from working when ACLs were enabled. [GH-6192]
    • 🛠 connect : Fixed a regression that broken xds endpoint generation for prepared query upstreams. [GH-6236]
    • connect: fix failover through a mesh gateway to a remote datacenter [GH-6259]
    • connect: resolve issue where MeshGatewayConfig could be returned empty [GH-6093]
    • ⚡️ connect: updating a service-defaults config entry should leave an unset protocol alone [GH-6342]
    • connect: validate upstreams and prevent duplicates [GH-6224]
    • server: if inserting bootstrap config entries fails don't silence the errors [GH-6256]
    • snapshot: fix TCP half-close implementation for TLS connections [GH-6216]

    KNOWN ISSUES

    • auto_encrypt: clients with auto_encrypt enabled won't be able to start because of [GH-6391]. There is a fix, but it came too late and we couldn't include it in the release. It will be part of 1.6.1 and we recommend that if you are using auto_encrypt you postpone the update.