Changelog History

  • v1.8.11 Changes

    June 03, 2021

    IMPROVEMENTS:

    • areas: (Enterprise only) Use server agent's gossip_wan config when setting memberlist configuration for network areas. Previously they used memberlist's WAN defaults.
    • cli: added a -force-without-cross-signing flag to the ca set-config command. connect/ca: The ForceWithoutCrossSigning field will now work as expected for CA providers that support cross signing. [GH-9672]
    • connect: update supported envoy versions to 1.14.7, 1.13.7, 1.12.7, 1.11.2 [GH-10106]
    • telemetry: Add new metrics for status of secondary datacenter replication. [GH-10073]

    BUG FIXES:

    • agent: ensure we hash the non-deprecated upstream fields on ServiceConfigRequest [GH-10240]
    • api: include the default value of raft settings in the output of /v1/agent/self [GH-8812]
    • areas: (Enterprise only) Revert to the 10s dial timeout used before connection pooling was introduced in 1.7.3.
    • areas: (Enterprise only) Selectively merge gossip_wan config for network areas to avoid attempting to enable gossip encryption where it was not intended or necessary.
    • local: agents will no longer persist the default user token along with a service or check. [GH-10188]
    • server: ensure that central service config flattening properly resets the state each time [GH-10239]
  • v1.8.10 Changes

    April 15, 2021

    SECURITY:

    • Add content-type headers to raw KV responses to prevent XSS attacks CVE-2020-25864 [GH-10023]
    • audit-logging: Parse endpoint URL to prevent requests from bypassing the audit log CVE-2021-28156

    BUG FIXES:

    • areas: Fixes a bug which would prevent newer servers in a network area from connecting to servers running a version of Consul prior to 1.7.3.
    • audit-logging: (Enterprise only) Fixed an issue that prevented usage of the agent master token or managed service provider tokens from being resolved properly. [GH-10013]
    • command: when generating envoy bootstrap configs to stdout do not mix informational logs into the json [GH-9980]
    • config: correct config key from advertise_addr_ipv6 to advertise_addr_wan_ipv6 [GH-9851]
    • snapshot: fixes a bug that would cause snapshots to be missing all but the first ACL Auth Method. [GH-10025]
  • v1.8.9 Changes

    March 04, 2021

    IMPROVEMENTS:

    • cli: Add new -cluster-id and common-name to consul tls ca create to support creating a CA for Consul Connect. [GH-9585]
    • connect: if the token given to the vault provider returns no data avoid a panic [GH-9806]
    • connect: update supported envoy point releases to 1.14.6, 1.13.7, 1.12.7, 1.11.2 [GH-9739]
    • license: (Enterprise only) Temporary client license duration was increased from 30m to 6h.
    • server: use the presence of stored federation state data as a sign that we already activated the federation state feature flag [GH-9519]
    • xds: only try to create an ipv6 expose checks listener if ipv6 is supported by the kernel [GH-9765]

    BUG FIXES:

    • api: Remove trailing periods from the gateway internal HTTP API endpoint [GH-9752]
    • cache: Prevent spamming the logs for days when a cached request encounters an "ACL not found" error. [GH-9738]
    • connect: connect CA Roots in the primary datacenter should use a SigningKeyID derived from their local intermediate [GH-9428]
    • proxycfg: avoid potential deadlock in delivering proxy snapshot to watchers. [GH-9689]
    • server: When wan federating via mesh gateways after initial federation default to using the local mesh gateways unless the heuristic indicates a bypass is required. [GH-9528]
    • server: When wan federating via mesh gateways only do heuristic primary DC bypass on the leader. [GH-9366]
    • xds: deduplicate mesh gateway listeners by address in a stable way to prevent some LDS churn [GH-9650]
    • xds: prevent LDS flaps in mesh gateways due to unstable datacenter lists; also prevent some flaps in terminating gateways as well [GH-9651]
  • v1.8.8 Changes

    January 22, 2021

    BUG FIXES:

    • connect: Fixed a bug in the AWS PCA Connect CA provider that could cause the intermediate PKI path to be deleted after reconfiguring the CA [GH-9498]
    • connect: Fixed a bug in the Vault Connect CA provider that could cause the intermediate PKI path to be deleted after reconfiguring the CA [GH-9498]
    • connect: Fixed an issue that would prevent updating the Connect CA configuration if the CA provider didn't complete initialization previously. [GH-9498]
    • leader: Fixed a bug that could cause Connect CA initialization failures to prevent leader establishment from completing, resulting in potentially infinite leader elections. [GH-9498]
    • rpc: Prevent misleading RPC error claiming the lack of a leader when Raft is ok but there are issues with client agents gossiping with the leader. [GH-9487]
    • ui: ensure namespace is used for node API requests [GH-9488]
  • v1.8.7 Changes

    December 10, 2020

    BUG FIXES:

    • acl: global tokens created by auth methods now correctly replicate to secondary datacenters [GH-9351]
    • connect: fixes a case when updating the CA config in a secondary datacenter to correctly trigger the creation of a new intermediate certificate [GH-9009]
    • connect: only unset the active root in a secondary datacenter when a new one is replacing it [GH-9318]
    • license: (Enterprise only) Fixed an issue where the UI would see Namespaces and SSO as licensed when they were not.
    • license: (Enterprise only) Fixed an issue where warnings about Namespaces being unlicensed would be emitted erroneously.
    • namespace: (Enterprise Only) Fixed a bug that could cause snapshot restoration to fail when it contained a namespace marked for deletion while still containing other resources in that namespace. [GH-9156]
    • namespace: (Enterprise Only) Fixed an issue where namespaced services and checks were not being deleted when the containing namespace was deleted.
    • namespaces: (Enterprise only) Prevent stalling of replication in secondary datacenters due to conflicts between the namespace replicator and other replicators. [GH-9271]
  • v1.8.7-beta1 Changes

    December 03, 2020

    BUG FIXES:

    • connect: fixes a case when updating the CA config in a secondary datacenter to correctly trigger the creation of a new intermediate certificate [GH-9009]
    • connect: only unset the active root in a secondary datacenter when a new one is replacing it [GH-9318]
    • license: (Enterprise only) Fixed an issue where the UI would see Namespaces and SSO as licensed when they were not.
    • license: (Enterprise only) Fixed an issue where warnings about Namespaces being unlicensed would be emitted erroneously.
    • namespace: (Enterprise Only) Fixed a bug that could cause snapshot restoration to fail when it contained a namespace marked for deletion while still containing other resources in that namespace. [GH-9156]
    • namespace: (Enterprise Only) Fixed an issue where namespaced services and checks were not being deleted when the containing namespace was deleted.
  • v1.8.6 Changes

    November 19, 2020

    SECURITY:

    • Increase the permissions to read from the /connect/ca/configuration endpoint to operator:write. Previously Connect CA configuration, including the private key, set via this endpoint could be read back by an operator with operator:read privileges. CVE-2020-28053 [GH-9240]
  • v1.8.5 Changes

    October 23, 2020

    SECURITY:

    • Fix Consul Enterprise Namespace Config Entry Replication DoS. Previously an operator with service:write ACL permissions in a Consul Enterprise cluster could write a malicious config entry that caused infinite raft writes due to issues with the namespace replication logic. [CVE-2020-25201] [GH-9024]

    IMPROVEMENTS:

    • api: The v1/connect/ca/roots endpoint now accepts a pem=true query parameter and will return a PEM encoded certificate chain of all the certificates that would normally be in the JSON version of the response. [GH-8774]
    • connect: The Vault provider will now automatically renew the lease of the token used, if supported. [GH-8560]
    • connect: update supported envoy releases to 1.14.5, 1.13.6, 1.12.7, 1.11.2 for 1.8.x [GH-8999]

    BUG FIXES:

    • agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical [GH-8747]
    • connect: Fixed an issue where the Vault intermediate was not renewed in the primary datacenter. [GH-8784]
    • connect: fix Vault provider not respecting IntermediateCertTTL [GH-8646]
    • connect: fix connect sidecars registered via the API not being automatically deregistered with their parent service after an agent restart by persisting the LocallyRegisteredAsSidecar property. [GH-8924]
    • fixed a bug that caused logs to be flooded with [WARN] agent.router: Non-server in server-only area [GH-8685]
    • ui: show correct datacenter for gateways [GH-8704]
  • v1.8.4 Changes

    September 11, 2020

    FEATURES:

    • agent: expose the list of supported envoy versions on /v1/agent/self [GH-8545]
    • cache: Config parameters for cache throttling are now reloaded automatically on agent reload. Restarting the agent is not needed anymore. [GH-8552]
    • connect: all config entries pick up a meta field [GH-8596]

    IMPROVEMENTS:

    • api: Added ACLMode method to the AgentMember type to determine what ACL mode the agent is operating in. [GH-8575]
    • api: Added IsConsulServer method to the AgentMember type to easily determine whether the agent is a server. [GH-8575]
    • api: Added constants for common tag keys and values in the Tags field of the AgentMember struct. [GH-8575]
    • api: Allow for the client to use TLS over a Unix domain socket. [GH-8602]
    • api: GET v1/operator/keyring also lists primary keys. [GH-8522]
    • connect: Add support for http2 and grpc to ingress gateways [GH-8458]
    • serf: update to v0.9.4 which supports primary keys in the ListKeys operation. [GH-8522]

    BUGFIXES:

    • [backport/1.8.x] connect: use stronger validation that ingress gateways have compatible protocols defined for their upstreams [GH-8494]
    • agent: ensure that we normalize bootstrapped config entries [GH-8547]
    • api: Fixed a panic caused by an api request with Connect=null [GH-8537]
    • connect: connect envoy command now respects the -ca-path flag [GH-8606]
    • connect: fix bug in preventing some namespaced config entry modifications [GH-8601]
    • connect: fix renewing secondary intermediate certificates [GH-8588]
    • ui: fixed a bug related to in-folder KV creation [GH-8613]
  • v1.8.3 Changes

    August 12, 2020

    BUGFIXES:

    • catalog: fixed a bug where nodes, services, and checks would not be restored with the correct Create/ModifyIndex when restoring from a snapshot [GH-8485]
    • vendor: update github.com/armon/go-metrics to v0.3.4 to mitigate a potential panic when emitting Prometheus metrics at an interval longer than the metric expiry time [GH-8478]
    • connect: (Consul Enterprise only) Fixed a regression that prevented mesh gateways from routing to services in their local datacenter that reside outside of the default namespace.