consul v1.6.0

« Changelog History

consul v1.6.0 Release Notes

• 🔒 SECURITY:

  • ⚡️ Updated to compile with Go 1.12.8 which mitigates CVE-2019-9512 and CVE-2019-9514 for the builtin HTTP server [GH-6319]
  • ⚡️ Updated the google.golang.org/grpc dependency to v1.23.0 to mitigate CVE-2019-9512, CVE-2019-9514, and CVE-2019-9515 for the gRPC server. [GH-6320]

  💥 BREAKING CHANGES:

  • 🚚 connect: remove deprecated managed proxies and ProxyDestination config [GH-6220]

  🔋 FEATURES:

  • 👍 Connect Envoy Supports L7 Routing: Additional configuration entry types service-router, service-resolver, and service-splitter, allow for configuring Envoy sidecars to enable reliability and deployment patterns at L7 such as HTTP path-based routing, traffic shifting, and advanced failover capabilities. For more information see the L7 traffic management docs.
  • Mesh Gateways: Envoy can now be run as a gateway to route Connect traffic across datacenters using SNI headers, allowing connectivty across platforms and clouds and other complex network topologies. Read more in the mesh gateway docs.
  • Intention & CA Replication: In order to enable connecitivty for services across datacenters, Connect intentions are now replicated and the Connect CA cross-signs from the primary_datacenter. This feature was previously part of Consul Enterprise.
  • agent: add local-only parameter to operator/keyring list requests to force queries to only hit local servers. [GH-6279]
  • connect: expose an API endpoint to compile the discovery chain [GH-6248]
  • 📦 connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package [GH-6340]
  • 0️⃣ connect: introduce ExternalSNI field on service-defaults [GH-6324]
  • xds: allow http match criteria to be applied to routes on services using grpc protocols [GH-6149]

  👌 IMPROVEMENTS:

  • agent: Added tagged addressing to services similar to the already present Node tagged addressing [GH-5965]
  • 🔧 agent: health checks: change long timeout behavior to use to user-configured timeout value [GH-6094]
  • api: Display allowed HTTP CIDR information nicely [GH-6029]
  • ⚡️ api: Update filtering language to include substring and regular expression matching on string values [GH-6190]
  • 0️⃣ connect: added a new -bind-address cli option for envoy to create a mapping of the desired bind addresses to use instead of the default rules or tagged addresses [GH-6107]
  • connect: allow L7 routers to match on http methods [GH-6164]
  • connect: change router syntax for matching query parameters to resemble the syntax for matching paths and headers for consistency. [GH-6163]
  • connect: detect and prevent circular discovery chain references [GH-6246]
  • connect: ensure time.Duration fields retain their human readable forms in the API [GH-6348]
  • 🔧 connect: reconcile how upstream configuration works with discovery chains [GH-6225]
  • connect: rework how the service resolver subset OnlyPassing flag works [GH-6173]
  • connect: simplify the compiled discovery chain data structures [GH-6242]
  • ✅ connect: validate and test more of the L7 config entries [GH-6156]
  • 👍 gossip: increase size of gossip key generated by keygen to 32 bytes and document support for AES 256 [GH-6244]
  • 👍 license (enterprise): Added license endpoint support to the API client [GH-6268]
  • xds: improve how envoy metrics are emitted [GH-6312]
  • ✅ xds: Verified integration test suite with Envoy 1.11.1 [GH-6347]

  🐛 BUG FIXES:

  • 🛠 acl: Fixed a bug that could prevent transition from legacy ACL mode to new ACL mode [GH-6332
  • agent: blocking central config RPCs iterations should not interfere with each other [GH-6316]
  • agent: fix an issue that could cause a panic while transferring leadership due to replication [GH-6104]
  • api: Fix a bug where the service tagged addresses were not being returned through the v1/agent/service/:service api. [GH-6299]
  • 🗄 api: un-deprecate api.DecodeConfigEntry [GH-6278]
  • auto_encrypt: use server-port [GH-6287]
  • ⚡️ autopilot: update to also remove failed nodes from WAN gossip pool [GH-6028]
  • cli: ensure that the json form of config entries can be submitted with 'consul config write' [GH-6290]
  • 🛠 cli: Fixed bindable IP detection with the connect envoy command. [GH-6238]
  • config: Ensure that all config entry writes are transparently forwarded to the primary datacneter. [GH-6327]
  • connect: allow 'envoy_cluster_json' escape hatch to continue to function [GH-6378]
  • connect: allow mesh gateways to use central config [GH-6302]
  • connect: ensure intention replication continues to work when the replication ACL token changes [GH-6288]
  • connect: ensure local dc connections do not use the gateway [GH-6085]
  • 0️⃣ connect: fix bug in service-resolver redirects if the destination uses a default resolver [GH-6122]
  • 🛠 connect: Fixed a bug that would prevent CA replication/initializing in a secondary DC from working when ACLs were enabled. [GH-6192]
  • 🛠 connect : Fixed a regression that broken xds endpoint generation for prepared query upstreams. [GH-6236]
  • connect: fix failover through a mesh gateway to a remote datacenter [GH-6259]
  • connect: resolve issue where MeshGatewayConfig could be returned empty [GH-6093]
  • ⚡️ connect: updating a service-defaults config entry should leave an unset protocol alone [GH-6342]
  • connect: validate upstreams and prevent duplicates [GH-6224]
  • server: if inserting bootstrap config entries fails don't silence the errors [GH-6256]
  • snapshot: fix TCP half-close implementation for TLS connections [GH-6216]

  KNOWN ISSUES

  • auto_encrypt: clients with auto_encrypt enabled won't be able to start because of [GH-6391]. There is a fix, but it came too late and we couldn't include it in the release. It will be part of 1.6.1 and we recommend that if you are using auto_encrypt you postpone the update.

• All Versions
• Previous v1.6.0-rc1
• Next v1.6.1
• Latest Version