
Releases: hashicorp/consul-k8s

v0.37.0

18 Nov 19:17

0.37.0 (November 18, 2021)

BREAKING CHANGES:

  • Previously UI metrics would be enabled when global.metrics=false and ui.metrics.enabled=- (the default, which
    inherits from the global setting). If you are no longer seeing UI metrics, set global.metrics=true or
    ui.metrics.enabled=true. [GH-841]

  • The enterpriseLicense section of the values file has been migrated from being under the server stanza to being
    under the global stanza. Migrating the contents of server.enterpriseLicense to global.enterpriseLicense will
    ensure the license job works. [GH-856]

  • Consul streaming is re-enabled by default.
    Streaming is broken when using multi-DC federation and Consul versions 1.10.0, 1.10.1, 1.10.2.
    If you are using those versions and multi-DC federation, you must upgrade to Consul >= 1.10.3 or set:

    client:
      extraConfig: |
        {"use_streaming_backend": false}

    [GH-851]

FEATURES:

  • Helm Chart
    • Add support for Consul services to utilize Consul DNS for service discovery. Set dns.enableRedirection to allow services to
      use Consul DNS via the Consul DNS Service. [GH-833]
  • Control Plane
    • Connect: Allow services using Connect to utilize Consul DNS to perform service discovery. [GH-833]

IMPROVEMENTS:

  • Control Plane
    • TLS: Support PKCS1 and PKCS8 private keys for Consul certificate authority. [GH-843]
    • Connect: Log a warning when ACLs are enabled and the default service account is used. [GH-842]
    • Update Service Router, Service Splitter and Ingress Gateway CRD with support for RequestHeaders and ResponseHeaders. [GH-863]
    • Update Ingress Gateway CRD with partition support for the IngressService and TLS Config. [GH-863]
  • CLI
    • Delete jobs, cluster roles, and cluster role bindings on uninstall. [GH-820]
  • Helm Chart
    • Add component labels to all resources. [GH-840]
    • Update Consul version to 1.10.4. [GH-861]
    • Update Service Router, Service Splitter and Ingress Gateway CRD with support for RequestHeaders and ResponseHeaders. [GH-863]
    • Update Ingress Gateway CRD with partition support for the IngressService and TLS Config. [GH-863]
    • Re-enable streaming for Consul clients. [GH-851]
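The PKCS1/PKCS8 item above is worth checking against your own CA material before upgrading. What follows is an added example written for this page, not code from consul-k8s: a Go function that accepts a PEM-encoded CA private key in PKCS#8 ("PRIVATE KEY"), PKCS#1 ("RSA PRIVATE KEY") or SEC1 ("EC PRIVATE KEY") form, returns it as a crypto.Signer, skips the EC PARAMETERS block that openssl ecparam writes ahead of an EC key, and refuses RSA keys below a size floor. MinRSABits, SampleKeys and the two encoders are this example's own, not chart or Consul settings.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// MinRSABits is a local policy assumed for this example (not a Consul or chart setting).
const MinRSABits = 2048

// ParseCAPrivateKey decodes one PEM private key in PKCS#8, PKCS#1 or SEC1 form
// and returns it as a crypto.Signer, so the signing path does not depend on
// which encoding the Kubernetes secret happened to hold.
func ParseCAPrivateKey(pemBytes []byte) (crypto.Signer, error) {
	var block *pem.Block
	for rest := pemBytes; ; {
		if block, rest = pem.Decode(rest); block == nil {
			return nil, errors.New("ca key: no private key PEM block found")
		}
		if block.Type != "EC PARAMETERS" { // openssl ecparam puts this block before the key
			break
		}
	}
	var key interface{}
	var err error
	switch block.Type {
	case "PRIVATE KEY":
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	case "RSA PRIVATE KEY":
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		key, err = x509.ParseECPrivateKey(block.Bytes)
	default:
		return nil, fmt.Errorf("ca key: unsupported PEM type %q", block.Type)
	}
	if err != nil {
		return nil, fmt.Errorf("ca key: %w", err)
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return nil, fmt.Errorf("ca key: %T cannot sign", key)
	}
	if k, isRSA := signer.(*rsa.PrivateKey); isRSA && k.N.BitLen() < MinRSABits {
		return nil, fmt.Errorf("ca key: %d-bit RSA key, policy requires at least %d", k.N.BitLen(), MinRSABits)
	}
	return signer, nil
}

// EncodePKCS8 writes any signer in PKCS#8 form; EncodeLegacy writes the
// type-specific forms (PKCS#1 for RSA, SEC1 for EC) that older tooling emits.
func EncodePKCS8(key crypto.Signer) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

func EncodeLegacy(key crypto.Signer) ([]byte, error) {
	switch k := key.(type) {
	case *rsa.PrivateKey:
		return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}), nil
	case *ecdsa.PrivateKey:
		der, err := x509.MarshalECPrivateKey(k)
		if err != nil {
			return nil, err
		}
		return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
	}
	return nil, fmt.Errorf("no legacy PEM form for %T", key)
}

// SampleKeys makes a constructed RSA key of the given size and a P-256 key for the demo.
func SampleKeys(rsaBits int) (crypto.Signer, crypto.Signer, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return rsaKey, ecKey, err
}

func main() {
	rsaKey, ecKey, _ := SampleKeys(2048)
	for _, k := range []crypto.Signer{rsaKey, ecKey} {
		for _, enc := range []func(crypto.Signer) ([]byte, error){EncodePKCS8, EncodeLegacy} {
			p, _ := enc(k)
			blk, _ := pem.Decode(p)
			got, err := ParseCAPrivateKey(p)
			fmt.Printf("%-15s -> %T err=%v\n", blk.Type, got, err)
		}
	}
}
```

The parser dispatches on the PEM block type rather than trying every decoder in turn, so a mislabelled key fails loudly instead of being accepted by whichever parser happens not to choke on it.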

BUG FIXES:

  • Control Plane
    • ACLs: Fix issue where if one or more servers fail to have their ACL tokens set on the initial run of server-acl-init
      then on subsequent re-runs of server-acl-init the tokens are never set. [GH-825]
    • ACLs: Fix issue where if the number of Consul servers is increased, the new servers are never provisioned
      an ACL token. [GH-677]
    • Fix issue where after a helm upgrade, users would see x509: certificate signed by unknown authority
      errors when modifying config entry resources. [GH-837]
  • Helm Chart
    • (Consul Enterprise only) Error on Helm install if a reserved name is used for the admin partition name or a
      Consul destination namespace for connect or catalog sync. [GH-846]
    • Truncate Persistent Volume Claim names when namespace names are too long. [GH-799]
    • Fix issue where UI metrics would be enabled when global.metrics=false and ui.metrics.enabled=-. [GH-841]
    • Populate the federation secret with the generated Gossip key when global.gossipEncryption.autoGenerate is set to true. [GH-854]

v0.36.0

02 Nov 19:58

0.36.0 (November 02, 2021)

BREAKING CHANGES:

  • Helm Chart
    • The kube-system and local-path-storage namespaces are now excluded from connect injection by default on Kubernetes versions >= 1.21. If you wish to enable injection on those namespaces, set connectInject.namespaceSelector to null. [GH-726]

IMPROVEMENTS:

  • Helm Chart
    • Automatic retry for gossip-encryption-autogenerate-job on failure [GH-789]
    • kube-system and local-path-storage namespaces are now excluded from connect injection by default on Kubernetes versions >= 1.21. This prevents deadlock issues when kube-system components go down and allows Kind to work without changing the failure policy of the mutating webhook. [GH-726]
    • Add support for services across Admin Partitions to communicate using mesh gateways. [GH-807]
      • Documentation for the installation can be found here.
    • Add support for PartitionExports CRD to enable cross-partition networking. [GH-802]
  • CLI
    • Add status command. [GH-768]
    • Add -verbose, -v flag to the consul-k8s install command, which outputs all logs emitted from the installation. By default, verbose is set to false to hide logs that show resources are not ready. [GH-810]
    • Set prometheus.enabled to true and enable all metrics for Consul K8s when installing via the demo preset. [GH-809]
    • Set controller.enabled to true when installing via the demo preset. [GH-818]
    • Set global.gossipEncryption.autoGenerate to true and global.tls.enableAutoEncrypt to true when installing via the secure preset. [GH-818]
  • Control Plane
    • Add support for partition-exports config entry as a Custom Resource Definition to help manage cross-partition networking. [GH-802]

v0.35.0

19 Oct 18:20

0.35.0 (October 19, 2021)

FEATURES:

  • Control Plane
    • Add gossip-encryption-autogenerate subcommand to generate a random 32 byte Kubernetes secret to be used as a gossip encryption key. [GH-772]
  • Helm Chart
    • Add automatic generation of gossip encryption with global.gossipEncryption.autoGenerate=true. [GH-738]
    • Add support for configuring resources for mesh gateway service-init container. [GH-758]
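An added example, not the chart's or the autogenerate job's own code, showing in Go what the 32-byte gossip key described above looks like end to end: generate it from crypto/rand, validate that a supplied key decodes to one of the AES key sizes the gossip layer accepts, and render the Secret the chart is pointed at through global.gossipEncryption.secretName and secretKey. The secret name consul-gossip-encryption-key and the key name key are placeholders chosen for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// GossipKeyBytes matches what the notes describe: a random 32-byte key (AES-256).
const GossipKeyBytes = 32

// GenerateGossipKey returns a fresh key in the form Consul's encrypt setting
// and the chart's gossip secret carry it: standard base64 of raw random bytes.
func GenerateGossipKey() (string, error) {
	raw := make([]byte, GossipKeyBytes)
	if _, err := rand.Read(raw); err != nil {
		return "", fmt.Errorf("gossip key: %w", err)
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// ValidateGossipKey checks that a key is base64 and decodes to 16, 24 or 32
// bytes, the AES key sizes the gossip layer accepts; anything else is rejected
// when an agent loads its configuration.
func ValidateGossipKey(key string) error {
	raw, err := base64.StdEncoding.DecodeString(key)
	if err != nil {
		return fmt.Errorf("gossip key: not valid base64: %w", err)
	}
	switch len(raw) {
	case 16, 24, 32:
		return nil
	}
	return fmt.Errorf("gossip key: decodes to %d bytes, want 16, 24 or 32", len(raw))
}

// SecretManifest renders the Kubernetes Secret referenced by
// global.gossipEncryption.secretName / secretKey. Secret .data values are
// base64 of the stored bytes, and the stored bytes are themselves the base64
// key string, so the key is encoded twice (stringData would avoid that).
func SecretManifest(secretName, secretKey, gossipKey string) (string, error) {
	if err := ValidateGossipKey(gossipKey); err != nil {
		return "", err
	}
	return fmt.Sprintf("apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n",
		secretName, secretKey, base64.StdEncoding.EncodeToString([]byte(gossipKey))), nil
}

func main() {
	key, err := GenerateGossipKey()
	if err != nil {
		panic(err)
	}
	m, _ := SecretManifest("consul-gossip-encryption-key", "key", key)
	fmt.Print(m)
}
```

Pipe the output straight into kubectl apply rather than saving it to disk; the rendered manifest is the key material.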

IMPROVEMENTS:

  • Control Plane
    • Upgrade Docker image Alpine version from 3.13 to 3.14. [GH-737]
    • CRDs: tune failure backoff so invalid config entries are re-synced more quickly. [GH-788]
  • Helm Chart
    • Enable adding extra containers to server and client Pods. [GH-749]
    • ACL support for Admin Partitions. (Consul Enterprise only)
      BETA [GH-766]
      • This feature enables ACL support for Admin Partitions. The server-acl-init job now creates a Partition token. This token
        can be used to bootstrap new partitions as well as to manage ACLs in the non-default partitions.
      • Partition to partition networking is disabled if ACLs are enabled.
      • Documentation for the installation can be found here.
  • CLI
    • Add version command. [GH-741]
    • Add uninstall command. [GH-725]

v0.34.1

17 Sep 21:26

0.34.1 (September 17, 2021)

BUG FIX:

  • Helm
    • Fix consul-k8s image version in values file. [GH-732]

v0.34.0

17 Sep 17:36

⚠️ This release contains the wrong consul-k8s-control-plane image. Please use v0.34.1 instead.

0.34.0 (September 17, 2021)

FEATURES:

  • CLI
    • The consul-k8s CLI enables users to deploy and operate Consul on Kubernetes.
      • Support consul-k8s install command. [GH-713]
  • Helm Chart
    • Add support for Admin Partitions. (Consul Enterprise only)
      ALPHA [GH-729]
      • This feature allows Consul to be deployed across multiple Kubernetes clusters while sharing a single set of Consul
        servers. The services on each cluster can be independently managed. This feature is an alpha feature. It requires:

        • a flat pod and node network in order for inter-partition networking to work.
        • TLS to be enabled.
        • Consul Namespaces enabled.

        Transparent Proxy is unsupported for cross partition communication.

To enable Admin Partitions on the server cluster use the following config.

global:
  enableConsulNamespaces: true
  tls:
    enabled: true
  image: hashicorp/consul-enterprise:1.11.0-ent-alpha
  adminPartitions:
    enabled: true
server:
  exposeGossipAndRPCPorts: true
  enterpriseLicense:
    secretName: license
    secretKey: key
connectInject:
  enabled: true
  transparentProxy:
    defaultEnabled: false
  consulNamespaces:
    mirroringK8S: true
controller:
  enabled: true

Identify the LoadBalancer External IP of the partition-service

kubectl get svc consul-consul-partition-service -o json | jq -r '.status.loadBalancer.ingress[0].ip'

Copy the TLS CA certificate and CA private key secrets from the server cluster to the workload clusters. Note that this gives each workload cluster its own copy of the CA signing key, so its secret store needs the same protection as the server cluster's.

kubectl get secret consul-consul-ca-key --context "server-context" -o yaml | kubectl apply --context "workload-context" -f -
kubectl get secret consul-consul-ca-cert --context "server-context" -o yaml | kubectl apply --context "workload-context" -f -

Configure the workload cluster using the following config.

global:
  enabled: false
  enableConsulNamespaces: true
  image: hashicorp/consul-enterprise:1.11.0-ent-alpha
  adminPartitions:
    enabled: true
    name: "alpha" # Name of Admin Partition
  tls:
    enabled: true
    caCert:
      secretName: consul-consul-ca-cert
      secretKey: tls.crt
    caKey:
      secretName: consul-consul-ca-key
      secretKey: tls.key
server:
  enterpriseLicense:
    secretName: license
    secretKey: key
externalServers:
  enabled: true
  hosts: [ "loadbalancer IP" ] # external IP of partition service LB
  tlsServerName: server.dc1.consul
client:
  enabled: true
  exposeGossipPorts: true
  join: [ "loadbalancer IP" ] # external IP of partition service LB
connectInject:
  enabled: true
  consulNamespaces:
    mirroringK8S: true
controller:
  enabled: true

This should lead to the workload cluster having only Consul agents that connect with the Consul server. Services in this
cluster behave like independent services. They can be configured to communicate with services in other partitions by
configuring the upstream configuration on the individual services.

  • Control Plane
    • Add support for Admin Partitions. (Consul Enterprise only)
      ALPHA [GH-729]
      • Add Partition-Init job that runs in Kubernetes clusters that do not have servers running to provision Admin
        Partitions.
      • Update endpoints-controller, config-entry controller and config entries to add partition config to them.

IMPROVEMENTS:

  • Helm Chart
    • Add ability to specify port for ui service. [GH-604]
    • Use policy/v1 for Consul server PodDisruptionBudget if supported. [GH-606]
    • Add readiness, liveness and startup probes to the connect inject deployment. [GH-626][GH-701]
    • Add support for setting container security contexts on client and server Pods. [GH-620]
    • Update Envoy image to 1.18.4 [GH-699]
    • Add configuration for webhook-cert-manager tolerations [GH-712]
    • Update default Consul version to 1.10.2 [GH-718]
  • Control Plane
    • Add health endpoint to the connect inject webhook that will be healthy when webhook certs are present and not empty. [GH-626]
    • Catalog Sync: Fix issue registering NodePort services with wrong IPs when a node has multiple IP addresses. [GH-619]
    • Allow registering the same service in multiple namespaces. [GH-697]

BUG FIXES:

  • Helm Chart
    • Disable streaming on Consul clients because it is currently not supported when
      doing mesh gateway federation. If you wish to enable it, override the setting using client.extraConfig:

      client:
        extraConfig: |
          {"use_streaming_backend": true}

      [GH-718]

v0.33.0

12 Aug 15:34

0.33.0 (August 12, 2021)

BREAKING CHANGES:

  • The consul-k8s repository has been merged with consul-helm and now contains the consul-k8s-control-plane binary (previously named consul-k8s) and the Helm chart to deploy Consul on Kubernetes. The docker image previously named hashicorp/consul-k8s has been renamed to hashicorp/consul-k8s-control-plane. The binary and Helm chart will be released together with the same version. NOTE: If you install Consul through the Helm chart and are not customizing the global.imageK8S value then this will not be a breaking change. [GH-589]
    • Helm chart v0.33.0+ will support the corresponding consul-k8s-control-plane image with the same version only. For example Helm chart 0.33.0 will only be supported to work with the default value global.imageK8S: hashicorp/consul-k8s-control-plane:0.33.0.
    • The control-plane binary has been renamed from consul-k8s to consul-k8s-control-plane and is now invoked as consul-k8s-control-plane in the Helm chart. The first version of this newly renamed binary will be 0.33.0.
    • The Go module github.com/hashicorp/consul-k8s has been renamed to github.com/hashicorp/consul-k8s/control-plane.
    • The Helm chart is located under consul-k8s/charts/consul.
    • The control-plane source code is located under consul-k8s/control-plane.
  • The minimum supported Kubernetes version is now 1.17, matching what is stated in the README.md file. [GH-1053]

IMPROVEMENTS:

  • Control Plane
    • Add flags -log-level, -log-json to all subcommands to control log level and json formatting. [GH-523]
    • Execute Consul clients and servers using the Docker entrypoint for consistency. [GH-590]
  • Helm Chart
    • Substitute HOST_IP/POD_IP/HOSTNAME variables in server.extraConfig and client.extraConfig so they are passed in to server/client config already evaluated at runtime. [GH-1042]
    • Set failurePolicy to Fail for connectInject mutating webhook so that pods fail to schedule when the webhook is offline. This can be controlled via connectInject.failurePolicy. [GH-1024]
    • Allow setting global.logLevel and global.logJSON and propagate this to all consul-k8s commands. [GH-980]
    • Allow setting connectInject.replicas to control number of replicas of webhook injector. [GH-1029]
    • Add the ability to manually specify a k8s secret containing server-cert via the value server.serverCert.secretName. [GH-1024]
    • Allow setting ui.pathType for providers that do not support the default pathType "Prefix". [GH-1012]
    • Allow setting client.nodeMeta to specify arbitrary key-value pairs to associate with the node. [GH-728]

BUG FIXES:

  • Control Plane
    • Connect: Use AdmissionregistrationV1 instead of AdmissionregistrationV1beta1 API as it was deprecated in k8s 1.16. [GH-558]
    • Connect: Fix bug where environment variables <NAME>_CONNECT_SERVICE_HOST and
      <NAME>_CONNECT_SERVICE_PORT weren't being set when the upstream annotation was used. [GH-549]
    • Connect: Fix a bug with leaving around ACL tokens after a service has been deregistered. Note that this will not clean up existing leftover ACL tokens. [GH-540][GH-599]
    • CRDs: Fix ProxyDefaults and ServiceDefaults resources not syncing with Consul < 1.10.0 [GH-1023]
    • Connect: Skip service registration for duplicate services only on Kubernetes. [GH-581]
    • Connect: redirect-traffic command passes ACL token when ACLs are enabled. [GH-576]

v0.26.0

22 Jun 18:52

0.26.0 (June 22, 2021)

FEATURES:

  • Connect: Support Transparent Proxy. [GH-481]
    This feature enables users to use KubeDNS to reach other services within the Consul Service Mesh,
    and enforces that inbound and outbound traffic goes through the Envoy proxy.

    Using transparent proxy for your service mesh applications means:

    • Proxy service registrations will set mode to transparent in the proxy configuration
      so that Consul can configure the Envoy proxy to have an inbound and outbound listener.
    • Both proxy and service registrations will include the cluster IP and service port of the Kubernetes service
      as tagged addresses so that Consul can configure Envoy to route traffic based on that IP and port.
    • The consul-connect-inject-init container will run consul connect redirect-traffic command,
      which will apply rules (via iptables) to redirect inbound and outbound traffic to the proxy.
      To run this command the consul-connect-inject-init requires running as root with capability NET_ADMIN.

    This feature includes the following changes:

    • Add new -enable-transparent-proxy flag to the inject-connect command.
      When true, transparent proxy will be used for all services on the Consul Service Mesh
      within a Kubernetes cluster. This flag defaults to true.
    • Add new consul.hashicorp.com/transparent-proxy pod annotation to allow enabling and disabling transparent
      proxy for individual services.
  • CRDs: Add CRD for MeshConfigEntry. Supported in Consul 1.10+ [GH-513]

  • Connect: Overwrite Kubernetes HTTP readiness and/or liveness probes to point to Envoy proxy when
    transparent proxy is enabled. [GH-517]

  • Connect: Allow exclusion of inbound ports, outbound ports and CIDRs, and additional user IDs when
    Transparent Proxy is enabled. [GH-506]

    The following annotations are supported:

    • consul.hashicorp.com/transparent-proxy-exclude-inbound-ports - Comma-separated list of inbound ports to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-outbound-ports - Comma-separated list of outbound ports to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs - Comma-separated list of IPs or CIDRs to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-uids - Comma-separated list of Linux user IDs to exclude.
  • Connect: Add the ability to set default tproxy mode at namespace level via label. [GH-501]

    • Setting the annotation consul.hashicorp.com/transparent-proxy to true/false will define whether tproxy is enabled/disabled for the pod.
    • Setting the label consul.hashicorp.com/transparent-proxy to true/false on a namespace will define the default behavior for pods in that namespace, which do not also have the annotation set.
    • The default tproxy behavior will be defined by the value of the -enable-transparent-proxy flag to the consul-k8s inject-connect command. It can be overridden in a namespace by the label on the namespace or for a pod using the annotation on the pod.
  • Connect: support upgrades for services deployed before endpoints controller to
    upgrade to a version of consul-k8s with endpoints controller. [GH-509]

  • Connect: A new command consul-k8s connect-init has been added.
    It replaces the existing init-container logic for ACL login and Envoy bootstrapping and introduces a polling wait for service registration,
    see Endpoints Controller for more information.
    [GH-446], [GH-452], [GH-459]

  • Connect: A new controller Endpoints Controller has been added which is responsible for managing service endpoints and service registration.
    When a Kubernetes service references a deployed connect-injected pod, the endpoints controller will be responsible for managing the lifecycle of the connect-injected deployment. [GH-455], [GH-467], [GH-470], [GH-475]

    • This includes:
      • service registration and deregistration, formerly managed by the consul-connect-inject-init.
      • monitoring health checks, formerly managed by healthchecks-controller.
      • re-registering services in the event of Consul agent failures, formerly managed by consul-sidecar.
    • The endpoints controller replaces the health checks controller while preserving existing functionality. [GH-472]
    • The endpoints controller replaces the cleanup controller while preserving existing functionality.
      [GH-476], [GH-454]
    • Merged metrics configuration support is now partially managed by the endpoints controller.
      [GH-469]
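An added example, not consul-k8s code, in Go: a validating parser for the four transparent-proxy-exclude-* annotations listed above, and a renderer that turns the result into the kind of nat-table rule set the redirect-traffic step installs (the part that needs NET_ADMIN). The chain names TPROXY_IN and TPROXY_OUT, the listener ports 20000 and 15001, and the proxy UID 5995 are this example's assumptions. The two points it demonstrates are ordering, every exclusion and the proxy's own UID is a RETURN placed ahead of the final REDIRECT, and that a malformed annotation rejects the pod instead of being silently ignored, since a dropped exclusion changes which traffic bypasses the proxy.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Annotation names are the ones the notes list; the proxy UID and the two
// listener ports are this example's assumptions, not consul-k8s values.
const (
	ExcInboundKey  = "consul.hashicorp.com/transparent-proxy-exclude-inbound-ports"
	ExcOutboundKey = "consul.hashicorp.com/transparent-proxy-exclude-outbound-ports"
	ExcCIDRKey     = "consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs"
	ExcUIDKey      = "consul.hashicorp.com/transparent-proxy-exclude-uids"
	proxyUID       = 5995  // assumed sidecar UID (the 0.26.0 notes mention 5995)
	inboundPort    = 20000 // assumed proxy inbound listener
	outboundPort   = 15001 // assumed proxy outbound listener
)

type Exclusions struct {
	InboundPorts, OutboundPorts []int
	UIDs                        []uint32
	OutboundCIDRs               []string
}

func splitList(s string) []string {
	return strings.FieldsFunc(s, func(r rune) bool { return r == ',' || r == ' ' })
}

func parsePorts(s string) ([]int, error) {
	var out []int
	for _, p := range splitList(s) {
		n, err := strconv.Atoi(p)
		if err != nil || n < 1 || n > 65535 {
			return nil, fmt.Errorf("%q is not a TCP port", p)
		}
		out = append(out, n)
	}
	return out, nil
}

// ParseExclusions rejects the pod on any malformed entry instead of dropping
// it: a silently dropped exclusion changes which traffic bypasses the proxy.
func ParseExclusions(ann map[string]string) (ex Exclusions, err error) {
	if ex.InboundPorts, err = parsePorts(ann[ExcInboundKey]); err != nil {
		return ex, err
	}
	if ex.OutboundPorts, err = parsePorts(ann[ExcOutboundKey]); err != nil {
		return ex, err
	}
	for _, u := range splitList(ann[ExcUIDKey]) {
		n, err := strconv.ParseUint(u, 10, 32)
		if err != nil {
			return ex, fmt.Errorf("uid %q is not an unsigned 32-bit integer", u)
		}
		ex.UIDs = append(ex.UIDs, uint32(n))
	}
	for _, c := range splitList(ann[ExcCIDRKey]) {
		if ip := net.ParseIP(c); ip != nil { // bare address: widen to a host prefix
			c += map[bool]string{true: "/32", false: "/128"}[ip.To4() != nil]
		}
		if _, _, err := net.ParseCIDR(c); err != nil {
			return ex, fmt.Errorf("%q is not an IP or CIDR", c)
		}
		ex.OutboundCIDRs = append(ex.OutboundCIDRs, c)
	}
	return ex, nil
}

// RedirectRules renders an illustrative nat-table rule set of the kind the
// redirect-traffic step installs; applying it is what needs CAP_NET_ADMIN.
// Every exclusion is a RETURN placed before the final REDIRECT, and the
// proxy's own UID is always excluded so its egress is not captured again.
func RedirectRules(ex Exclusions) []string {
	r := []string{"iptables -t nat -N TPROXY_IN", "iptables -t nat -N TPROXY_OUT",
		"iptables -t nat -A PREROUTING -p tcp -j TPROXY_IN", "iptables -t nat -A OUTPUT -p tcp -j TPROXY_OUT",
		fmt.Sprintf("iptables -t nat -A TPROXY_OUT -m owner --uid-owner %d -j RETURN", proxyUID)}
	for _, p := range ex.InboundPorts {
		r = append(r, fmt.Sprintf("iptables -t nat -A TPROXY_IN -p tcp --dport %d -j RETURN", p))
	}
	for _, u := range ex.UIDs {
		r = append(r, fmt.Sprintf("iptables -t nat -A TPROXY_OUT -m owner --uid-owner %d -j RETURN", u))
	}
	for _, c := range ex.OutboundCIDRs {
		r = append(r, fmt.Sprintf("iptables -t nat -A TPROXY_OUT -d %s -j RETURN", c))
	}
	for _, p := range ex.OutboundPorts {
		r = append(r, fmt.Sprintf("iptables -t nat -A TPROXY_OUT -p tcp --dport %d -j RETURN", p))
	}
	return append(r, fmt.Sprintf("iptables -t nat -A TPROXY_IN -p tcp -j REDIRECT --to-ports %d", inboundPort),
		fmt.Sprintf("iptables -t nat -A TPROXY_OUT -p tcp -j REDIRECT --to-ports %d", outboundPort))
}

func main() { // constructed sample: a metrics port, a database range, a bare host IP and a backup UID
	ex, err := ParseExclusions(map[string]string{ExcInboundKey: "9102", ExcCIDRKey: "10.20.0.0/16,192.0.2.7", ExcUIDKey: "1001"})
	fmt.Println(err, strings.Join(RedirectRules(ex), "\n"))
}
```

Printing the rules rather than executing them keeps the example runnable without NET_ADMIN; in a real init container the same list would be applied in order, which is why the RETURN rules are emitted first.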

IMPROVEMENTS:

  • Connect: skip service registration when a service with the same name but in a different Kubernetes namespace is found
    and Consul namespaces are not enabled. [GH-527]
  • Connect: Leader election support for connect-inject deployment. [GH-479]
  • Connect: the consul-connect-inject-init container has been split into two init containers. [GH-441]
  • Connect: Connect webhook no longer generates its own certificates and relies on them being provided as files on the disk.
    [GH-454]
  • CRDs: Update ServiceDefaults with Mode, TransparentProxy, DialedDirectly and UpstreamConfigs fields. Note: Mode and TransparentProxy should not be set
    using this CRD but via annotations. [GH-502], [GH-485], [GH-533]
  • CRDs: Update ProxyDefaults with Mode, DialedDirectly and TransparentProxy fields. Note: Mode and TransparentProxy should not be set
    using the CRD but via annotations. [GH-505], [GH-485], [GH-533]
  • CRDs: update the CRD versions from v1beta1 to v1. [GH-464]
  • Delete secrets created by webhook-cert-manager when the deployment is deleted. [GH-530]

BUG FIXES:

  • CRDs: Update the type of connectTimeout and TTL in ServiceResolver and ServiceRouter from time.Duration to metav1.Duration.
    This allows a user to set these values as a duration string on the resource. Existing resources that set an integer
    value will continue to function, with the integer interpreted as that many nanoseconds.
  • CRDs: Fix a bug where the config field in ProxyDefaults CR failed syncing to Consul because apiextensions.k8s.io/v1 requires CRD spec to have structured schema. [GH-495]
  • CRDs: make lastSyncedTime a pointer to prevent Reconcile errors when setting the last synced time. [GH-466]

BREAKING CHANGES:

  • Connect: Add a security context to the init copy container and the envoy sidecar and ensure they
    do not run as root. If a pod container shares the same runAsUser (5995) as Envoy an error is returned.
    [GH-493]

  • Connect: Kubernetes Services are required for all Consul Service Mesh applications.
    The Kubernetes service name will be used as the service name to register with Consul
    unless the annotation consul.hashicorp.com/connect-service is provided to the deployment/pod to override this.
    If using ACLs, the ServiceAccountName must match the service name used with Consul.

    Note: if you're already using a Kubernetes service, no changes required.

    Example Service:

    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: sample-app
    spec:
      selector:
        app: sample-app
      ports:
        - port: 80
          targetPort: 9090
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: sample-app
      name: sample-app
    spec:
      replicas: 1
      selector:
         matchLabels:
           app: sample-app
      template:
        metadata:
          annotations:
            'consul.hashicorp.com/connect-inject': 'true'
          labels:
            app: sample-app
        spec:
          containers:
          - name: sample-app
            image: sample-app:0.1.0
            ports:
            - containerPort: 9090
  • Connect: consul.hashicorp.com/connect-sync-period annotation is no longer supported.
    This annotation used to configure the sync period of the consul-sidecar (aka lifecycle-sidecar).
    Since we no longer inject the consul-sidecar to keep services registered in Consul, this annotation has
    been removed. [GH-467]

  • Connect: the transparent proxy feature is enabled by default. This may break existing deployments.
    Please see the details of the feature under FEATURES above.

v0.26.0-beta3

27 May 22:07
Pre-release

0.26.0-beta3 (May 27, 2021)

IMPROVEMENTS:

  • Connect: Overwrite Kubernetes HTTP readiness and/or liveness probes to point to Envoy proxy when
    transparent proxy is enabled. [GH-517]
  • Connect: Don't set security context for the Envoy proxy when on OpenShift and transparent proxy is disabled.
    [GH-521]
  • Connect: consul-connect-inject-init runs with privileged: true when transparent proxy is enabled.
    [GH-524]

BUG FIXES:

  • Connect: Process every Address in an Endpoints object before returning an error. This ensures an address that isn't reconciled successfully doesn't prevent the remaining addresses from getting reconciled. [GH-519]

v0.26.0-beta2

06 May 23:40
Pre-release

0.26.0-beta2 (May 06, 2021)

BREAKING CHANGES:

  • Connect: Add a security context to the init copy container and the envoy sidecar and ensure they
    do not run as root. If a pod container shares the same runAsUser (5995) as Envoy an error is returned
    on scheduling. [GH-493]

IMPROVEMENTS:

  • CRDs: Update ServiceDefaults with Mode, TransparentProxy and UpstreamConfigs fields. Note: Mode and TransparentProxy should not be set
    using this CRD but via annotations. [GH-502], [GH-485]

  • CRDs: Update ProxyDefaults with Mode and TransparentProxy fields. Note: Mode and TransparentProxy should not be set
    using the CRD but via annotations. [GH-505], [GH-485]

  • CRDs: Add CRD for MeshConfigEntry. Supported in Consul 1.10+ [GH-513]

  • Connect: No longer set multiple tagged addresses in Consul when k8s service has multiple ports and Transparent Proxy is enabled.
    [GH-511]

  • Connect: Allow exclusion of inbound ports, outbound ports and CIDRs, and additional user IDs when
    Transparent Proxy is enabled. [GH-506]

    The following annotations are supported:

    • consul.hashicorp.com/transparent-proxy-exclude-inbound-ports - Comma-separated list of inbound ports to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-outbound-ports - Comma-separated list of outbound ports to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs - Comma-separated list of IPs or CIDRs to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-uids - Comma-separated list of Linux user IDs to exclude.
  • Connect: Add the ability to set default tproxy mode at namespace level via label. [GH-501]

    • Setting the annotation consul.hashicorp.com/transparent-proxy to true/false will define whether tproxy is enabled/disabled for the pod.
    • Setting the label consul.hashicorp.com/transparent-proxy to true/false on a namespace will define the default behavior for pods in that namespace, which do not also have the annotation set.
    • The default tproxy behavior will be defined by the value of the -enable-transparent-proxy flag to the consul-k8s inject-connect command. It can be overridden in a namespace by the label on the namespace or for a pod using the annotation on the pod.

BUG FIXES:

  • Connect: Use runAsNonRoot: false for connect-init's container when tproxy is enabled. [GH-493]
  • CRDs: Fix a bug where the config field in ProxyDefaults CR was not synced to Consul because
    apiextensions.k8s.io/v1 requires CRD spec to have structured schema. [GH-495]
  • Connect: Fix a bug where health status in Consul is updated incorrectly due to stale pod information in cache.
    [GH-503]

v0.26.0-beta1

16 Apr 17:43
Pre-release

0.26.0-beta1 (April 16, 2021)

BREAKING CHANGES:

  • Connect: Kubernetes Services are now required for all Consul Service Mesh applications.
    The Kubernetes service name will be used as the service name to register with Consul
    unless the annotation consul.hashicorp.com/connect-service is provided to the deployment/pod to override this.
    If using ACLs, the ServiceAccountName must match the service name used with Consul.

    Note: if you're already using a Kubernetes service, no changes are required.

    Example Service:

    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: sample-app
    spec:
      selector:
        app: sample-app
      ports:
        - port: 80
          targetPort: 9090
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: sample-app
      name: sample-app
    spec:
      replicas: 1
      selector:
         matchLabels:
           app: sample-app
      template:
        metadata:
          annotations:
            'consul.hashicorp.com/connect-inject': 'true'
          labels:
            app: sample-app
        spec:
          containers:
          - name: sample-app
            image: sample-app:0.1.0
            ports:
            - containerPort: 9090
  • Connect: consul.hashicorp.com/connect-sync-period annotation is no longer supported.
    This annotation was used to configure the sync period of the consul-sidecar (aka lifecycle-sidecar).
    Since we no longer inject the consul-sidecar to keep services registered in Consul, this annotation is
    now meaningless. [GH-467]

  • Connect: transparent proxy feature is enabled by default. This may break existing deployments.
    Please see details of the feature below.

FEATURES:

  • Connect: Support Transparent Proxy. [GH-481]
    This feature enables users to use KubeDNS to reach other services within the Consul Service Mesh,
    and enforces that inbound and outbound traffic goes through the Envoy proxy.
    Using transparent proxy for your service mesh applications means:

    • Proxy service registrations will set mode to transparent in the proxy configuration
      so that Consul can configure the Envoy proxy to have an inbound and outbound listener.
    • Both proxy and service registrations will include the cluster IP and service port of the Kubernetes service
      as tagged addresses so that Consul can configure Envoy to route traffic based on that IP and port.
    • The consul-connect-inject-init container will run consul connect redirect-traffic command,
      which will apply rules (via iptables) to redirect inbound and outbound traffic to the proxy.
      To run this command the consul-connect-inject-init requires running as root with capability NET_ADMIN.

    Note: this feature is currently in beta.

    This feature includes the following changes:

    • Add new -enable-transparent-proxy flag to the inject-connect command.
      When true, transparent proxy will be used for all services on the Consul Service Mesh
      within a Kubernetes cluster. This flag defaults to true.
    • Add new consul.hashicorp.com/transparent-proxy pod annotation to allow enabling and disabling transparent
      proxy for individual services.

IMPROVEMENTS:

  • CRDs: update the CRD versions from v1beta1 to v1. [GH-464]
  • Connect: the consul-connect-inject-init container has been split into two init containers. [GH-441]
  • Connect: A new internal command consul-k8s connect-init has been added.
    It replaces the existing init container logic for ACL login and Envoy bootstrapping and introduces a polling wait for service registration,
    see Endpoints Controller for more information.
    [GH-446], [GH-452], [GH-459]
  • Connect: A new controller Endpoints Controller has been added which is responsible for managing service endpoints and service registration.
    When a Kubernetes service referencing a connect-injected pod is deployed, the endpoints controller will be responsible for managing the lifecycle of the connect-injected deployment. [GH-455], [GH-467], [GH-470], [GH-475]
    • This includes:

      • service registration and deregistration, formerly managed by the consul-connect-inject-init.
      • monitoring health checks, formerly managed by healthchecks-controller.
      • re-registering services in the event of Consul agent failures, formerly managed by consul-sidecar.
    • The endpoints controller replaces the health checks controller while preserving existing functionality. [GH-472]

    • The endpoints controller replaces the cleanup controller while preserving existing functionality.
      [GH-476], [GH-454]

    • Merged metrics configuration support is now partially managed by the endpoints controller.
      [GH-469]

  • Connect: Leader election support for connect webhook and controller deployment. [GH-479]
  • Connect: Connect webhook no longer generates its own certificates and relies on them being provided as files on the disk.
    [GH-454]
  • Connect: Connect pods and their Envoy sidecars no longer have a preStop hook as service deregistration is managed by the endpoints controller.
    [GH-467]

BUG FIXES:

  • CRDs: make lastSyncedTime a pointer to prevent Reconcile errors when setting the last synced time. [GH-466]