consul v1.6.0 Release Notes
Release Date: 2019-07-26 // almost 5 years ago-
๐ SECURITY:
- โก๏ธ Updated to compile with Go 1.12.8 which mitigates CVE-2019-9512 and CVE-2019-9514 for the builtin HTTP server [GH-6319]
- โก๏ธ Updated the google.golang.org/grpc dependency to v1.23.0 to mitigate CVE-2019-9512, CVE-2019-9514, and CVE-2019-9515 for the gRPC server. [GH-6320]
๐ฅ BREAKING CHANGES:
- ๐ connect: remove deprecated managed proxies and ProxyDestination config [GH-6220]
๐ FEATURES:
- ๐ Connect Envoy Supports L7 Routing: Additional configuration entry types
service-router
,service-resolver
, andservice-splitter
, allow for configuring Envoy sidecars to enable reliability and deployment patterns at L7 such as HTTP path-based routing, traffic shifting, and advanced failover capabilities. For more information see the L7 traffic management docs. - Mesh Gateways: Envoy can now be run as a gateway to route Connect traffic across datacenters using SNI headers, allowing connectivty across platforms and clouds and other complex network topologies. Read more in the mesh gateway docs.
- Intention & CA Replication: In order to enable connecitivty for services across datacenters, Connect intentions are now replicated and the Connect CA cross-signs from the primary_datacenter. This feature was previously part of Consul Enterprise.
- agent: add
local-only
parameter to operator/keyring list requests to force queries to only hit local servers. [GH-6279] - connect: expose an API endpoint to compile the discovery chain [GH-6248]
- ๐ฆ connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package [GH-6340]
- 0๏ธโฃ connect: introduce ExternalSNI field on service-defaults [GH-6324]
- xds: allow http match criteria to be applied to routes on services using grpc protocols [GH-6149]
๐ IMPROVEMENTS:
- agent: Added tagged addressing to services similar to the already present Node tagged addressing [GH-5965]
- ๐ง agent: health checks: change long timeout behavior to use to user-configured
timeout
value [GH-6094] - api: Display allowed HTTP CIDR information nicely [GH-6029]
- โก๏ธ api: Update filtering language to include substring and regular expression matching on string values [GH-6190]
- 0๏ธโฃ connect: added a new
-bind-address
cli option for envoy to create a mapping of the desired bind addresses to use instead of the default rules or tagged addresses [GH-6107] - connect: allow L7 routers to match on http methods [GH-6164]
- connect: change router syntax for matching query parameters to resemble the syntax for matching paths and headers for consistency. [GH-6163]
- connect: detect and prevent circular discovery chain references [GH-6246]
- connect: ensure time.Duration fields retain their human readable forms in the API [GH-6348]
- ๐ง connect: reconcile how upstream configuration works with discovery chains [GH-6225]
- connect: rework how the service resolver subset OnlyPassing flag works [GH-6173]
- connect: simplify the compiled discovery chain data structures [GH-6242]
- โ connect: validate and test more of the L7 config entries [GH-6156]
- ๐ gossip: increase size of gossip key generated by keygen to 32 bytes and document support for AES 256 [GH-6244]
- ๐ license (enterprise): Added license endpoint support to the API client [GH-6268]
- xds: improve how envoy metrics are emitted [GH-6312]
- โ xds: Verified integration test suite with Envoy 1.11.1 [GH-6347]
๐ BUG FIXES:
- ๐ acl: Fixed a bug that could prevent transition from legacy ACL mode to new ACL mode [GH-6332
- agent: blocking central config RPCs iterations should not interfere with each other [GH-6316]
- agent: fix an issue that could cause a panic while transferring leadership due to replication [GH-6104]
- api: Fix a bug where the service tagged addresses were not being returned through the
v1/agent/service/:service
api. [GH-6299] - ๐ api: un-deprecate api.DecodeConfigEntry [GH-6278]
- auto_encrypt: use server-port [GH-6287]
- โก๏ธ autopilot: update to also remove failed nodes from WAN gossip pool [GH-6028]
- cli: ensure that the json form of config entries can be submitted with 'consul config write' [GH-6290]
- ๐ cli: Fixed bindable IP detection with the
connect envoy
command. [GH-6238] - config: Ensure that all config entry writes are transparently forwarded to the primary datacneter. [GH-6327]
- connect: allow 'envoy_cluster_json' escape hatch to continue to function [GH-6378]
- connect: allow mesh gateways to use central config [GH-6302]
- connect: ensure intention replication continues to work when the replication ACL token changes [GH-6288]
- connect: ensure local dc connections do not use the gateway [GH-6085]
- 0๏ธโฃ connect: fix bug in service-resolver redirects if the destination uses a default resolver [GH-6122]
- ๐ connect: Fixed a bug that would prevent CA replication/initializing in a secondary DC from working when ACLs were enabled. [GH-6192]
- ๐ connect : Fixed a regression that broken xds endpoint generation for prepared query upstreams. [GH-6236]
- connect: fix failover through a mesh gateway to a remote datacenter [GH-6259]
- connect: resolve issue where
MeshGatewayConfig
could be returned empty [GH-6093] - โก๏ธ connect: updating a service-defaults config entry should leave an unset protocol alone [GH-6342]
- connect: validate upstreams and prevent duplicates [GH-6224]
- server: if inserting bootstrap config entries fails don't silence the errors [GH-6256]
- snapshot: fix TCP half-close implementation for TLS connections [GH-6216]
KNOWN ISSUES
- auto_encrypt: clients with auto_encrypt enabled won't be able to start because of [GH-6391]. There is a fix, but it came too late and we couldn't include it in the release. It will be part of 1.6.1 and we recommend that if you are using auto_encrypt you postpone the update.