consul v1.7.0-beta3 Release Notes

Release Date: 2020-01-24

    • agent: The ACL requirement for the agent/force-leave endpoint is now operator:write rather than agent:write. [GH-7033]
    • intentions: Change the ACL requirement and enforcement for wildcard rules. Previously this would look for an ACL rule that would grant access to the service/intention *. Now, writing a wildcard intention requires write access to all intentions, and reading a wildcard intention requires read access to any intention that would match. Additionally, intention listing and reading allow access if the requester can read either side of the intention, whereas before access was only allowed for permissions on the destination side. [GH-7028]

    FEATURES:

    • acl: (Consul Enterprise only) auth methods defined in the default namespace gained the ability to create tokens in alternate namespaces. This capability was implemented for all existing auth methods.
    • connect: (Consul Enterprise only) Namespaces are now fully functional with Connect and Configuration Entries.


    • agent: default the primary_datacenter to the datacenter if not configured [GH-7111]
    • agent: configurable MaxQueryTime and DefaultQueryTime [GH-3777]
    • agent: do not deregister service checks twice [GH-6168]
    • agent: remove service sidecars in cleanupRegistration [GH-7022]
    • agent: setup grpc server with auto_encrypt certs and add -https-port [GH-7086]
    • api: A new /v1/catalog/node-services/:node endpoint was added that mirrors the existing /v1/catalog/node/:node endpoint but has a response structure that contains a slice of services instead of a map of service ids to services. This new endpoint allows retrieving all services in all namespaces for a node. [GH-7115]
    • auto_encrypt: set dns and ip san for k8s and provide configuration [GH-6944]
    • connect: check if intermediate cert needs to be renewed. [GH-6835]
    • dns: Improvement to enable dual stack IPv4/IPv6 addressing of services and lookup via DNS [GH-6531]
    • lock: consul lock will now receive shutdown signals during the lock-acquisition process. [GH-5909]
    • raft: increase raft notify buffer [GH-6863]
    • raft: update raft to v1.1.2 [GH-7079]
    • rpc: log method when a server/server RPC call fails [GH-4548]
    • ui: Use more consistent icons with other HashiCorp products in the UI [GH-6851]
    • ui: Improvements to the Discovery Chain visualisation in respect to redirects [GH-7036]
    • ui: Improved keyboard navigation of the main menu [GH-7090]
    • ui: New row confirmation dialogs [GH-7007]

    BUGFIXES:

    • connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index [GH-7011]
    • connect: ensure that updates to the secondary root CA configuration use the correct signing key ID values for comparison [GH-7012]
    • connect: use correct subject key id for leaf certificates. [GH-7091]

Previous changes from v1.7.0-beta2

    FEATURES:


    • acl: Use constant time comparison when checking for the ACL agent master token. [GH-6943]
    • api: (Consul Enterprise only) The API client will now configure the HTTP Client's configured default namespace to the value of the CONSUL_NAMESPACE environment variable if not explicitly overridden.
    • connect: Allow inlining of the TLS certificate in the Envoy configuration. [GH-6360]
    • namespaces: (Consul Enterprise only) The desired namespace will be defaulted to the namespace of the ACL token used for an HTTP/RPC request if no other namespace is explicitly set.
    • namespaces: (Consul Enterprise only) Allow for creating and resolving tokens not linked to any roles, policies or service identities. These tokens can be granted access based on the default policies and roles associated with the token's namespace.
    • ui: Various visual CSS amends and alterations [GH-6495] [GH-6881]

    BUG FIXES:

    • api: (Consul Enterprise only) The Meta field was added into the Namespace struct definition within the API module. Previously the HTTP API accepted this field; it was just missing from the API client.
    • autopilot: Fixed dead server removal condition to use correct failure tolerance. [GH-4017]
    • cli: (Consul Enterprise only) Changed the CLI parameter used to specify the namespace from -ns to -namespace.
    • dns: (Consul Enterprise only) Fixed an issue that caused the dns_config.prefer_namespace configuration to not work properly.
    • dns: Updated miekg/dns dependency to fix a memory leak. [GH-6748]
    • log: handle discard all logfiles properly [GH-6945]
    • state: restore a few more service-kind index updates so blocking in ServiceDump works in more cases [GH-6948]
    • ui: Fix styling of ‘duplicate intention’ error message [GH-6936]