consul v1.9.1 Release Notes

Release Date: 2020-12-11 // 3 months ago
  • 1.9.1 (December 11, 2020)

    ๐Ÿ”‹ FEATURES:

    • ๐Ÿ’ป ui: add copyable IDs to the Role and Policy views [GH-9296]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • cli: (Enterprise only) A new -read-replica flag can now be used to enable running a server as a read only replica. Previously this was enabled with the now deprecated -non-voting-server flag. [GH-9191]
    • config: (Enterprise only) A new read_replica configuration setting can now be used to enable running a server as a read only replica. Previously this was enabled with the now deprecated non_voting_server setting. [GH-9191]

    ๐Ÿ—„ DEPRECATIONS:

    • cli: (Enterprise only) The -non-voting-server flag is deprecated in favor of the new -read-replica flag. The -non-voting-server flag is still present along side the new flag but it will be removed in a future release. [GH-9191]
    • config: (Enterprise only) The non_voting_server configuration setting is deprecated in favor of the new read_replica setting. The non_voting_server configuration setting is still present but will be removed in a future release. [GH-9191]
    • gossip: (Enterprise only) Read replicas now advertise themselves by setting the read_replica tag. The old nonvoter tag is still present but is deprecated and will be removed in a future release. [GH-9191]
    • server: (Enterprise only) Addition of the nonvoter tag to the service registration made for read replicas is deprecated in favor of the new tag name of read_replica. Both are present in the registration but the nonvoter tag will be completely removed in a future release. [GH-9191]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ”€ agent: prevent duplicate services and check registrations from being synced to servers. [GH-9284]
    • โšก๏ธ connect: fixes a case when updating the CA config in a secondary datacenter to correctly trigger the creation of a new intermediate certificate [GH-9009]
    • connect: only unset the active root in a secondary datacenter when a new one is replacing it [GH-9318]
    • namespaces: (Enterprise only) Prevent stalling of replication in secondary datacenters due to conflicts between the namespace replicator and other replicators. [GH-9271]
    • streaming: ensure the order of results provided by /health/service/:serviceName is consistent with and without streaming enabled [GH-9247]

Previous changes from v1.9.0

  • 1.9.0 (November 24, 2020)

    ๐Ÿ’ฅ BREAKING CHANGES:

    • agent: The enable_central_service_config option now defaults to true. [GH-8746]
    • 0๏ธโƒฃ connect: Switch the default gateway port from 443 to 8443 to avoid assumption of Envoy running as root. [GH-9113]
    • โšก๏ธ connect: Update Envoy metrics names and labels for proxy listeners so that attributes like datacenter and namespace can be extracted. [GH-9207]
    • connect: intention destinations can no longer be reassigned [GH-8834]
    • โฌ†๏ธ raft: Raft protocol v2 is no longer supported. If currently using protocol v2 then an intermediate upgrade to a version supporting both v2 and v3 protocols will be necessary (1.0.0 - 1.8.x). Note that the Raft protocol configured with the raft_protocol setting and the Consul RPC protocol configured with the protocol setting and output by the consul version command are distinct and supported Consul RPC protocol versions are not altered. [GH-9103]
    • sentinel: (Consul Enterprise only) update to v0.16.0, which replaces whitelist and blacklist with allowlist and denylist
    • server: (Enterprise only) Pre-existing intentions defined with
      non-existent destination namespaces were non-functional and are erased during
      โฌ†๏ธ the upgrade process. This should not matter as these intentions had nothing to
      enforce. [GH-9186]
    • server: (OSS only) Pre-existing intentions defined with either a source or
      0๏ธโƒฃ destination namespace value that is not "default" are rewritten or deleted
      โฌ‡๏ธ during the upgrade process. Wildcards first attempt to downgrade to "default"
      unless an intention already exists, otherwise these non-functional intentions
      are deleted. [GH-9186]
    • ๐Ÿ‘ xds: Drop support for Envoy versions 1.12.0, 1.12.1, 1.12.2, and 1.13.0, due to a lack of support for url_path in RBAC. [GH-8839]

    ๐Ÿ”’ SECURITY:

    • ๐Ÿ›  Fix Consul Enterprise Namespace Config Entry Replication DoS. Previously an operator with service:write ACL permissions in a Consul Enterprise cluster could write a malicious config entry that caused infinite raft writes due to issues with the namespace replication logic. [CVE-2020-25201] [GH-9024]
    • ๐Ÿ”ง Increase the permissions to read from the /connect/ca/configuration endpoint to operator:write. Previously Connect CA configuration, including the private key, set via this endpoint could be read back by an operator with operator:read privileges. CVE-2020-28053 [GH-9240]

    ๐Ÿ”‹ FEATURES:

    • agent: Add a new RPC endpoint for streaming cluster state change events to clients.
    • ๐Ÿ”ง agent: Allow client agents to be configured with an advertised reconnect timeout to control how long until the nodes are reaped by others in the cluster. [GH-8781]
    • ๐Ÿ”ง agent: moved ui config options to a new ui_config stanza in agent configuration and added new options to display service metrics in the UI. [GH-8694]
    • 0๏ธโƒฃ agent: return the default ACL policy to callers as a header [GH-9101]
    • autopilot: A new /v1/operator/autopilot/state HTTP API was created to give greater visibility into what autopilot is doing and how it has classified all the servers it is tracking. [GH-9103]
    • autopilot: Added a new consul operator autopilot state command to retrieve and view the Autopilot state from consul. [GH-9142]
    • โšก๏ธ cli: update snapshot inspect command to provide more detailed snapshot data [GH-8787]
    • ๐Ÿ‘ connect: support defining intentions using layer 7 criteria [GH-8839]
    • telemetry: add initialization and definition for non-expiring key metrics in Prometheus [GH-9088]
    • telemetry: track node and service counts and emit them as metrics [GH-8603]
    • ๐Ÿ”ง ui: If Prometheus is being used for monitoring the sidecars, the topology view can be configured to display overview metrics for the services. [GH-8858]
    • ๐Ÿ’ป ui: Services using Connect with Envoy sidecars have a topology tab in the UI showing their upstream and downstream services. [GH-8788]
    • xds: use envoy's rbac filter to handle intentions entirely within envoy [GH-8569]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • agent: Return HTTP 429 when connections per clients limit (limits.http_max_conns_per_client) has been reached. [GH-8221]
    • agent: add path_allowlist config option to restrict metrics proxy queries [GH-9059]
    • agent: allow the /v1/connect/intentions/match endpoint to use the agent cache [GH-8875]
    • agent: protect the metrics proxy behind ACLs [GH-9099]
    • api: The v1/connect/ca/roots endpoint now accepts a pem=true query parameter and will return a PEM encoded certificate chain of all the certificates that would normally be in the JSON version of the response. [GH-8774]
    • ๐Ÿ‘ api: support GetMeta() and GetNamespace() on all config entry kinds [GH-8764]
    • autopilot: (Enterprise Only) Autopilot now supports using both Redundancy Zones and Automated Upgrades together. [GH-9103]
    • checks: add health status to the failure message when gRPC healthchecks fail. [GH-8726]
    • โšก๏ธ chore: Update to Go 1.15 with mitigation for golang/go#42138 [GH-9036]
    • ๐Ÿšš command: remove conditional envoy bootstrap generation for versions <=1.10.0 since those are not supported [GH-8855]
    • ๐Ÿ‘ connect: The Vault provider will now automatically renew the lease of the token used, if supported. [GH-8560]
    • ๐Ÿ‘ connect: add support for specifying load balancing policy in service-resolver [GH-8585]
    • connect: intentions are now managed as a new config entry kind "service-intentions" [GH-8834]
    • โšก๏ธ raft: Update raft to v1.2.0 to prevent non-voters from becoming eligible for leader elections and adding peer id as metric label to reduce cardinality in metric names [GH-8822]
    • server: (Consul Enterprise only) ensure that we also shutdown network segment serf instances on server shutdown [GH-8786]
    • server: break up Intention.Apply monolithic method [GH-9007]
    • ๐Ÿ“‡ server: create new memdb table for storing system metadata [GH-8703]
    • ๐ŸŒฒ server: make sure that the various replication loggers use consistent logging [GH-8745]
    • ๐Ÿšš server: remove config entry CAS in legacy intention API bridge code [GH-9151]
    • ๐Ÿš‘ snapshot agent: Deregister critical snapshotting TTL check if leadership is transferred.
    • ๐Ÿ—„ telemetry: All metrics should be present and available to prometheus scrapers when Consul starts. If any non-deprecated metrics are missing please submit an issue with its name. [GH-9198]
    • telemetry: add config flag telemetry { disable_compat_1.9 = (true|false) } to disable deprecated metrics in 1.9 [GH-8877]
    • telemetry: add counter consul.api.http with labels for each HTTP path and method. This is intended to replace consul.http... [GH-8877]
    • ๐Ÿ’ป ui: Add the Upstreams and Exposed Paths tabs for services in mesh [GH-9141]
    • ๐Ÿšš ui: Moves the Proxy health checks to be displayed with the Service health check under the Health Checks tab [GH-9141]
    • ๐Ÿ”ง ui: Upstream and downstream services in the topology tab will show a visual indication if a deny intention or intention with L7 policies is configured. [GH-8846]
    • ui: add dashboard_url_template config option for external dashboard links [GH-9002]

    ๐Ÿ—„ DEPRECATIONS:

    • ๐Ÿš€ Go 1.15 has dropped support for 32-bit binaries for Darwin, so darwin_386 builds will not be available for any 1.9.x+ releases. [GH-9036]
    • ๐Ÿ’ป agent: ui, ui_dir and ui_content_path are now deprecated for use in agent configuration files. Use ui_config.{enable, dir, content_path} instead. The command arguments -ui, -ui-dir, and -ui-content-path remain supported. [GH-8694]
    • ๐Ÿšš telemetry: The measurements in all of the consul.http... prefixed metrics have been migrated to consul.api.http. consul.http... prefixed metrics will be removed in a future version of Consul. [GH-8877]
    • telemetry: the disable_compat_1.9 config will cover more metrics deprecations in future 1.9 point releases. These metrics will be emitted twice for backwards compatibility - if the flag is true, only the new metric name will be written. [GH-9181]

    ๐Ÿ› BUG FIXES:

    • agent: make the json/hcl decoding of ConnectProxyConfig fully work with CamelCase and snake_case [GH-8741]
    • agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical [GH-8747]
    • ๐Ÿ›  api: Fixed a bug where the Check.GRPCUseTLS field could not be set using snake case. [GH-8771]
    • autopilot: (Enterprise Only) Previously servers in other zones would not be promoted when all servers in a second zone had failed. Now the actual behavior matches the docs and autopilot will promote a healthy non-voter from any zone to replace failure of an entire zone. [GH-9103]
    • autopilot: Prevent panic when requesting the autopilot health immediately after a leader is elected. [GH-9204]
    • command: when generating envoy bootstrap configs use the datacenter returned from the agent services endpoint [GH-9229]
    • ๐Ÿ›  connect: Fixed an issue where the Vault intermediate was not renewed in the primary datacenter. [GH-8784]
    • connect: fix Vault provider not respecting IntermediateCertTTL [GH-8646]
    • connect: fix connect sidecars registered via the API not being automatically deregistered with their parent service after an agent restart by persisting the LocallyRegisteredAsSidecar property. [GH-8924]
    • connect: use stronger validation that ingress gateways have compatible protocols defined for their upstreams [GH-8470]
    • ๐Ÿ‘€ license: (Enterprise only) Fixed an issue where the UI would see Namespaces and SSO as licensed when they were not.
    • license: (Enterprise only) Fixed an issue where warnings about Namespaces being unlicensed would be emitted erroneously.
    • namespace: (Enterprise Only) Fixed a bug that could case snapshot restoration to fail when it contained a namespace marked for deletion while still containing other resources in that namespace. [GH-9156]
    • namespace: (Enterprise Only) Fixed an issue where namespaced services and checks were not being deleted when the containing namespace was deleted.
    • โšก๏ธ raft: (Enterprise only) properly update consul server meta non_voter for non-voting Enterprise Consul servers [GH-8731]
    • server: skip deleted and deleting namespaces when migrating intentions to config entries [GH-9186]
    • ๐Ÿ”Š telemetry: fixed a bug that caused logs to be flooded with [WARN] agent.router: Non-server in server-only area [GH-8685]
    • ๐Ÿ’ป ui: show correct datacenter for gateways [GH-8704]