All Versions
80
Latest Version
Avg Release Cycle
28 days
Latest Release
5 days ago

Changelog History
Page 3

  • v1.5.3

    July 25, 2019

    👌 IMPROVEMENTS:

    • 🔧 raft: allow trailing logs to be configured as an escape hatch for extreme load that prevents followers catching up with leader [GH-6186]
    • 🌲 raft: added raft log chunking capabilities to allow for storing larger KV entries [GH-6172]
    • 🔧 agent: added configurable limit for log files to be rotated [GH-5831]
    • api: The v1/status endpoints can now be forwarded to remote datacenters [GH-6198]

    🐛 BUG FIXES:

    • ⚡️ autopilot: update to also remove failed nodes from WAN gossip pool [GH-6028]
    • ⚡️ agent: avoid reverting any check updates that occur while a service is being added or the config is reloaded [GH-6144]
    • 0️⃣ auto-encrypt: fix an issue that could cause cloud retry-join to fail when utilized with auto-encrypt by falling back to a default port [GH-6205]
  • v1.5.2

    June 27, 2019

    🔋 FEATURE

    • tls: auto_encrypt enables automatic RPC cert provisioning for consul clients [GH-5597]

    👌 IMPROVEMENTS

    • 💻 ui: allow for customization of consul UI path [GH-5950]
    • acl: allow service deregistration with node write permission [GH-5217]
    • 👍 agent: support for maximum size for Output of checks [GH-5233]
    • agent: improve startup message when no error occurs [GH-5896]
    • agent: make sure client agent rate limits apply when hitting the client interface on a server directly [GH-5927]
    • 🔀 agent: use stale requests when performing full sync [GH-5873]
    • agent: transfer leadership when establishLeadership fails [GH-5247]
    • 📇 agent: added metadata information about servers into consul service description [GH-5455]
    • 🌲 connect: provide -admin-access-log-path for envoy [GH-5858]
    • ⬆️ connect: upgrade Envoy xDS protocol to support Envoy 1.10 [GH-5872]
    • 👍 dns: support alt domains for dns resolution [GH-5940]
    • license (enterprise): add command to reset license to builtin one
    • 💻 ui: Improve linking between sidecars and proxies and their services/service instances [GH-5944]
    • 💻 ui: Add ability to search for tokens by policy, role or service identity name [GH-5811]

    🐛 BUG FIXES:

    • agent: fix several data races and bugs related to node-local alias checks [GH-5876]
    • ⚡️ api: update link to agent caching in comments [GH-5935]
    • connect: fix proxy address formatting for IPv6 addresses [GH-5460]
    • connect: store signingKeyId instead of authorityKeyId [GH-6005]
    • 💻 ui: fix service instance linking when multiple non-unique service id's exist on multiple nodes [GH-5933]
    • 💻 ui: Improve error messaging for ACL policies [GH-5836]
    • 🛠 txn: Fixed an issue that would allow a CAS operation on a service to work when it shouldn't have. [GH-5971]
  • v1.5.1

    May 22, 2019

    🔒 SECURITY:

    • 🔧 acl: fixed an issue that if an ACL rule is used for prefix matching in a policy, keys not matching that specific prefix can be deleted by a token using that policy even with default_deny settings configured [GH-5888]

    🐛 BUG FIXES:

    • 🛠 agent: Fixed an issue where recreating a node using a different ID would prevent the new node from correctly joining. [GH-5485]
  • v1.5.0

    May 08, 2019

    🔒 SECURITY:

    • connect: Envoy versions lower than 1.9.1 are vulnerable to CVE-2019-9900 and CVE-2019-9901. Both are related to HTTP request parsing and so only affect Consul Connect users if they have configured HTTP routing rules via the "escape hatch". We recommend Envoy 1.9.1 be used. Note that while we officially deprecate support for older version of Envoy in 1.5.0, we recommend using Envoy 1.9.1 with all previous versions of Consul Connect too (back to 1.3.0 where Envoy support was introduced).

    💥 BREAKING CHANGES:

    • ⚡️ /watch: (note this only affects downstream programs importing /watch package as a library not the watch feature in Consul) The watch package was moved from github.com/hashicorp/consul/watch to github.com/hashicorp/consul/api/watch to live in the API module. This was necessary after updating the repo to use Go modules or else various other bugs cropped up. The watch package API has not changed so projects depending on it should need to only update the import statement to get their code functioning again. [GH-5664]
    • 💻 ui: Legacy UI has been removed. Setting the CONSUL_UI_LEGACY environment variable to 1 or true will no longer revert to serving the old UI. [GH-5643]

    🔋 FEATURES:

    • 👍 Connect Envoy Supports L7 Observability: We introduce features that allow configuring Envoy sidecars to emit metrics and tracing at L7 (http, http2, grpc supported). For more information see the Envoy Integration docs.
    • 🔧 Centralized Configuration: Enables central configuration of some service and proxy defaults. For more information see the Configuration Entries docs
    • api: Implement data filtering for some endpoints using a new filtering language. [GH-5579]
    • 👍 snapshot agent (Consul Enterprise): Added support for saving snapshots to Azure Blob Storage.
    • acl: tokens can be created with an optional expiration time [GH-5353]
    • acl: tokens can now be assigned an optional set of service identities [GH-5390]
    • acl: tokens can now be assigned to roles [GH-5514]
    • 👍 acl: adding support for kubernetes auth provider login [GH-5600]
    • 💻 ui: Template-able Dashboard links for Service detail pages [GH-5704] [GH-5777]
    • 💻 ui: support for ACL Roles [GH-5635]

    👌 IMPROVEMENTS:

    • cli: allow to add ip addresses as Subject Alternative Names when creating certificates with consul tls cert create [GH-5602]
    • 🔧 dns: Allow for hot-reload of many DNS configurations. [GH-4875]
    • agent: config is now read if json or hcl is set as the config-format or the extension is either json or hcl [GH-5723]
    • acl: Allow setting token accessor ids and secret ids during token creation. [GH-4977]
    • 💻 ui: Service Instances page redesign and further visibility of Connect Proxies [GH-5326]
    • ⚡️ ui: Blocking Query support / live updates for Services and Nodes, requires enabling per user via the UI Settings area [GH-5070] [GH-5267]
    • 💻 ui: Finer grained searching for the Service listing page [GH-5507]
    • 💻 ui: Add proxy icons to proxy services and instances where appropriate [GH-5463]

    🐛 BUG FIXES:

    • api: fix panic in 'consul acl set-agent-token' [GH-5533]
    • api: fix issue in the transaction API where the health check definition struct wasn't being deserialized properly [GH-5553]
    • acl: memdb filter of tokens-by-policy was inverted [GH-5575]
    • 🌐 acl: Fix legacy rules translation for JSON based rules. [GH-5493]
    • agent: Fixed a bug causing RPC errors when the discovery_max_stale time was exceeded. [GH-4673]
    • agent: Fix an issue with registering health checks for an agent service where the service name would be missing. [GH-5705]
    • connect: fix an issue where Envoy would fail to bootstrap if some upstreams were unavailable [GH-5499]
    • connect: fix an issue where health checks on proxies might be missed by watchers of /health/service/:service API [GH-5506]
    • 🔧 connect: fix a race condition that could leave proxies with no configuration for long periods on startup [GH-5793]
    • 🌲 logger: fix an issue where the log-file option was not respecting the log-level [GH-4778]
    • catalog: fix an issue where renaming nodes could cause registration instability [GH-5518]
    • 🔒 network areas (Consul Enterprise): Fixed an issue that could cause a lock to be held unnecessarily causing other operations to hang.
  • v1.4.5

    May 22, 2019

    🔒 SECURITY:

    • 🔧 acl: fixed an issue that if an ACL rule is used for prefix matching in a policy, keys not matching that specific prefix can be deleted by a token using that policy even with default_deny settings configured [GH-5888]
  • v1.4.4

    March 21, 2019

    🔒 SECURITY:

    • Fixed a problem where verify_server_hostname was not being respected and the default false was being used. This problem exists only in Consul 1.4.3. (CVE-2019-9764) [GH-5519]

    🔋 FEATURES:

    • 🔧 agent: enable reloading of agent-to-agent TLS configuration [GH-5419]

    👌 IMPROVEMENTS:

    • api: /health/service/:service blocking queries now only need a single goroutine regardless of number of instances in the service and watch channel which can massively reduce the number of goroutines on busy servers. [GH-5449]

    🐛 BUG FIXES:

    • ⚡️ api: Fixed a bug where updating node information wasn't reflected in health result index. [GH-5450]
    • 🚚 agent: Fixed a bug that would cause removal of all of an agents health checks when only one service was removed. [GH-5456]
    • 🚚 connect: Fixed a bug where sidecar_service registered proxies might not be removed correctly due to ACLs for the service being removed first dissallowing the agent permission to delete the proxy. [GH-5482]
    • tlsutil: don't use server_name config for RPC connections. [GH-5394]
  • v1.4.3

    March 05, 2019

    🔒 SECURITY:

    • 🛠 Fixed a potential privilege escalation issue with the Consul 1.4.X ACL system when ACL token replication was enabled. (CVE-2019-8336) [GH-5423]

    🐛 BUG FIXES:

    • 🛠 agent: Fixed a bug that could cause invalid memberlist protocol versions to propagate throughout the cluster. [GH-3217]
    • 🛠 server: Fixed a race condition during server initialization and leadership monitoring. [GH-5322]
    • agent: only enable TLS on gRPC if the HTTPS API port is enabled [GH-5287]
    • 0️⃣ agent: Fixed default log file permissions. [GH-5346]
    • 🛠 api: Fixed bug where /connect/intentions endpoint didn't return X-Consul-Index [GH-5355]
    • 🚚 agent: Ensure that reaped servers are removed from RPC routing. [GH-5317]
    • acl: Fix potential race condition when listing or retrieving ACL tokens. [GH-5412]
    • 🛠 agent: Fixed race condition that could turn up while registering services on the local agent. [GH-4998]

    🔋 FEATURES:

    • prepared queries: Enable ServiceMeta filtering for prepared queries. [GH-5291]
    • dns: Enabled caching of RPC responses within the DNS server. [GH-5300]

    👌 IMPROVEMENTS:

    • agent: Check ACLs more often for xDS stream endpoints. [GH-5237]
    • 📇 connect: Sidecar services now inherit tags and service metadata of the parent service by default. [GH-5291]
    • connect: Envoy proxies can now have cluster-specific config overrides via new "escape hatches": [GH-5308]
    • agent: Added opt-in ACL token persistence for tokens set with the agent/token/* endpoints: [GH-5328]
    • 0️⃣ agent: Default to requiring protocol version 1.2 for TLS connections. The docs previously said this was going to be the default in 0.8+ but it had been left at 1.0 until now. [GH-5340]
  • v1.4.2

    January 28, 2019

    🐛 BUG FIXES:

    • 🛠 api: Fixed backwards compatibility in the Consul Go API client. [GH-5270]
    • 🛠 dns: Fixed a bug that would cause node meta TXT records to always be generated even if they were not used in the responses. [GH-5271]
  • v1.4.1

    January 23, 2019

    Note: Consul 1.4.1 can break compatibility with older versions of the Consul Go API client. At this time, we recommend that you not upgrade to 1.4.1 if you use the Go API client or other applications that utilize it such as Nomad. Read more: [GH-5270]

    🔋 FEATURES:

    • 👀 api: The transaction API now supports catalog operations for interacting with nodes, services and checks. See the transacton API page for more information. [GH-4869]

    🔒 SECURITY:

    • Fixed an issue that caused verify_server_hostname to not implicitly configure verify_outgoing to true. The documentation stated this was implicit. The previous implementation had a bug that resulted in this being partially incorrect and resulted in plaintext communication in agent-to-agent RPC when verify_outgoing was not explicitly set. (CVE-2018-19653) [GH-5069]

    👌 IMPROVEMENTS:

    • agent: Improve blocking queries for services that do not exist. [GH-4810]
    • api: Added new /v1/agent/health/service/name/<service name> and /v1/agent/health/service/id/<service id> endpoints to allow querying a services status from the agent itself and avoid querying a Consul server. [GH-2488]
    • api: Added a new allow_write_http_from configuration to set which CIDR network ranges can send non GET/HEAD/OPTIONS HTTP requests. Requests originating from other addresses will be denied. [GH-4712]
    • cli: Added a new cli command: consul tls with subcommands ca create and cert create to help bootstrapping a secure agent TLS setup. This includes a new guide for creating certificates.
    • 🐎 connect: clients are smarter about when they regenerate leaf certificates to improve performance and reliability [GH-5091]
    • 🐎 gossip: CPU performance improvements to memberlist gossip on very large clusters [GH-5189]
    • 👍 connect: Added support for prepared query upstream proxy destination type watching. [GH-4969
    • connect: (Consul Enterprise) Now forwards any intention API calls from secondary datacenters to the primary instead of erroring when intention replication is enabled.
    • connect: Now controls rate of Certificate Signing Requests during a CA rotation so the servers aren't overwhelmed. [GH-5228]

    🐛 BUG FIXES:

    • 🛠 acl: Fixed a concurrent policy resolution issue that would fail to resolve policies for a token [GH-5219]
    • 🛠 acl: Fixed a few racey edge cases regarding policy resolution where the RPC request could error out due to the token used for the request being deleted or modified after the token was read but before policy resolution. [GH-5246]
    • 🛠 acl: Fixed a bug that would cause legacy ACL tokens of type management to not get full privileges when they also had rules set on them. [GH-5261]
    • agent: Prevent health check status flapping during check re-registration. [GH-4904]
    • 🔀 agent: Consul 1.2.3 added DNS weights but this caused an issue with agent Anti-Entropy that didn't set the same default and so performed a re-sync every 2 minutes despite no changes. [GH-5096]
    • 🔀 agent: Fix an anti-entropy state syncing issue where an invalid token being used for registration of 1 service could cause a failure to register a different service with a valid token. [GH-3676]
    • ↪ agent: (Consul Enterprise) Snapshot agent now uses S3 API for unversioned objects to workaround an issue when a bucket has versioning enabled.
    • 🛠 agent: Fixed a bug where agent cache could return an error older than the last non-error value stored. This mostly affected Connect bootstrapping in integration environments but lead to some very hard to track down "impossible" issues [GH-4480]
    • agent: snapshot verification now works regardless of spacing in meta.json [GH-5193]
    • agent: Fixed a bug where disable_host_node_id = false was not working properly [GH-4914]
    • 🔀 agent: Fixed issue where DNS weights added in 1.2.3 caused unnecessary Anti-Entropy syncs due to implicit vs explicit default weights being considered "different". [GH-5126]
    • 👀 api: Fixed an issue where service discovery requests that use both ?cached and multiple repeated tag filters might incorrectly see the cached result for a different query [GH-4987]
    • 🛠 api: Fixed an issue causing blocking query wait times to not be used when retrieving leaf certificates. [GH-4462]
    • cli: display messages from serf in cli [GH-5236]
    • 🛠 connect: Fixed an issue where a blank CA config could be written to a snapshot when Connect was disabled. [GH-4954]
    • 🛠 connect: Fixed a bug with the create and modify indices of leaf certificates not being incremented properly. [GH-4463]
    • 🛠 connect: Fixed an issue where certificates could leak and remain in client memory forever [GH-5091]
    • connect: (Consul Enterprise) When requesting to sign intermediates the primary dc is now used
    • connect: added tls config for vault connect ca provider [GH-5125]
    • connect: Fix a panic on 32 bit systems for unaligned 64 bit atomic operations. [GH-5128]
    • 🛠 debug: Fixed an issue causing the debug archive to not be gzipped. [GH-5141]
    • dns: Fix an issue causing infinite recursion for some DNS queries when a nodes address had bee misconfigured [GH-4907]
    • watch: Fix a data race during setting up a watch plan. [GH-4357]
    • 💻 ui: Correctly encode/decode URLs within the KV areas. Also encode/decode slashes in URLS related to service names [GH5206]
  • v1.4.0

    November 14, 2018

    🔋 FEATURES:

    • 🆕 New ACL System: The ACL system has been redesigned while allowing for in-place upgrades that will automatically migrate to the new system while retaining compatibility for existing ACL tokens for clusters where ACLs are enabled. This new system introduces a number of improvements to tokens including accessor IDs and a new policy model. It also includes a new CLI for ACL interactions and a completely redesigned UI experience to manage ACLs and policies. WAN federated clusters will need to add the additional replication token configuration in order to ensure WAN ACL replication in the new system. [GH-4791]

      • ACL CLI.
      • New ACL HTTP APIs.
      • Splitting ACL Tokens into Tokens and Policies with rules being defined on policies and tokens being linked to policies.
      • ACL Tokens have a public accessor ID now in addition to the secret ID that they used to have.
      • Setting a replication token is now required but it only needs "read" permissions on ACLs.
      • Update to the rules language to allow for exact-matching rules in addition to prefix matching rules
      • Added DC local tokens.
      • Auto-Transitioning from legacy mode to normal mode as the cluster's servers get upgraded.
      • ACL UI updates to support new functionality.
    • Multi-datacenter Connect: (Consul Enterprise) Consul Connect now supports multi-datacenter connections and replicates intentions. This allows WAN federated DCs to provide connections from source and destination proxies in any DC.

    • 🆕 New command consul debug which gathers information about the cluster to help resolve incidents and debug issues faster. [GH-4754]

    👌 IMPROVEMENTS:

    • dns: Implement prefix lookups for DNS TTL. [GH-4605]
    • 👕 ui: Add JSON and YAML linting to the KV code editor. [GH-4814]
    • connect: Fix comment DYNAMIC_DNS to LOGICAL_DNS. [GH-4799]
    • terraform: fix formatting of consul.tf. [GH-4580]

    🐛 BUG FIXES:

    • ⏪ snapshot: Fixed a bug where node ID and datacenter weren't being included in or restored from the snapshots. [GH-4872]
    • 🛠 api: Fixed migration issue where changes to allow multiple tags in 1.3.0 would cause broken results during a migration from earlier versions [GH-4944]