v1.2.5

1.2.5 (Jan 25, 2024)

SECURITY:

• Update golang.org/x/crypto to v0.17.0 to address CVE-2023-48795. [GH-3442]
• Upgrade to use ubi-minimal:9.3 for OpenShift container images. [GH-3418]

IMPROVEMENTS:

• Upgrade to use Go 1.21.6. [GH-3478]
• control-plane: Add new consul.hashicorp.com/sidecar-proxy-startup-failure-seconds and consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds annotations that allow users to manually configure startup and liveness probes for Envoy sidecar proxies. [GH-3450]
• control-plane: reduce Consul Catalog API requests required for endpoints reconcile in large clusters [GH-3322]
• cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [GH-3498]

BUG FIXES:

• api-gateway: fix issue where deleting an http-route in a non-default namespace would not remove the route from Consul. [GH-3440]

v1.1.9

1.1.9 (Jan 25, 2024)

SECURITY:

• Update golang.org/x/crypto to v0.17.0 to address CVE-2023-48795. [GH-3442]
• Upgrade to use ubi-minimal:9.3 for OpenShift container images. [GH-3418]

IMPROVEMENTS:

• Upgrade to use Go 1.21.6. [GH-3478]
• control-plane: Add new consul.hashicorp.com/sidecar-proxy-startup-failure-seconds and consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds annotations that allow users to manually configure startup and liveness probes for Envoy sidecar proxies. [GH-3450]
• control-plane: reduce Consul Catalog API requests required for endpoints reconcile in large clusters [GH-3322]
• cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [GH-3498]

v1.3.1

1.3.1 (December 19, 2023)

SECURITY:

• Update Envoy version to 1.25.11 to address CVE-2023-44487 [GH-3118]
• Update github.com/golang-jwt/jwt/v4 to v4.5.0 to address PRISMA-2022-0270. [GH-3237]
• Upgrade to use Go 1.20.12. This resolves CVEs
  CVE-2023-45283: (path/filepath) recognize ??\ as a Root Local Device path prefix (Windows)
  CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows)
  CVE-2023-39326: (net/http) limit chunked data overhead
  CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-3312]

FEATURES:

• control-plane: adds a named port, prometheus, to the consul-dataplane sidecar for use with Prometheus operator. [GH-3222]
• crd: adds the retryOn field to the ServiceRouter CRD. [GH-3308]
• helm: add persistentVolumeClaimRetentionPolicy variable for managing Statefulsets PVC retain policy when deleting or downsizing the statefulset. [GH-3180]

IMPROVEMENTS:

• cli: Add -o json (-output-format json) to consul-k8s proxy list command that returns the result in json format. [GH-3221]
• cli: Add consul-k8s proxy stats command line interface that outputs the localhost:19000/stats of envoy in the pod [GH-3158]
• control-plane: Add new consul.hashicorp.com/proxy-config-map annotation that allows for setting values in the opaque config map for proxy service registrations. [GH-3347]
• helm: add validation that global.cloud.enabled is not set with externalServers.hosts set to HCP-managed clusters [GH-3315]

BUG FIXES:

• consul-telemetry-collector: add telemetryCollector.cloud.resourceId that works even when not global.cloud.enabled [GH-3219]
• consul-telemetry-collector: fix deployments to non-default namespaces when global.enableConsulNamespaces [GH-3215]
• consul-telemetry-collector: fix args to consul-dataplane when global.acls.manageSystemACLs [GH-3184]
• control-plane: Fixes a bug with the control-plane CLI validation where the consul-dataplane sidecar CPU request is compared against the memory limit instead of the CPU limit. [GH-3209]
• control-plane: Only delete ACL tokens matched Pod UID in Service Registration metadata [GH-3210]
• control-plane: fixes an issue with the server-acl-init job where the job would fail on upgrades due to consul server ip address changes. [GH-3137]
• control-plane: only alert on valid errors, not timeouts in gateway [GH-3128]
• control-plane: remove extraneous error log in v2 pod controller when a pod is scheduled, but not yet allocated an IP. [GH-3162]
• control-plane: remove extraneous error log in v2 pod controller when attempting to delete ACL tokens. [GH-3172]
• control-plane: Remove virtual nodes in the Consul Catalog when they do not have any services listed. [GH-3307]
• mesh: prevent extra-config from being loaded twice (and erroring for segment config) on clients and servers. [GH-3337]

v1.2.4

1.2.4 (December 19, 2023)

SECURITY:

• Update github.com/golang-jwt/jwt/v4 to v4.5.0 to address PRISMA-2022-0270. [GH-3237]
• Upgrade to use Go 1.20.12. This resolves CVEs
  CVE-2023-45283: (path/filepath) recognize ??\ as a Root Local Device path prefix (Windows)
  CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows)
  CVE-2023-39326: (net/http) limit chunked data overhead
  CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-3312]

FEATURES:

• crd: adds the retryOn field to the ServiceRouter CRD. [GH-3308]
• helm: add persistentVolumeClaimRetentionPolicy variable for managing Statefulsets PVC retain policy when deleting or downsizing the statefulset. [GH-3180]

IMPROVEMENTS:

• cli: Add -o json (-output-format json) to consul-k8s proxy list command that returns the result in json format. [GH-3221]
• cli: Add consul-k8s proxy stats command line interface that outputs the localhost:19000/stats of envoy in the pod [GH-3158]
• control-plane: Add new consul.hashicorp.com/proxy-config-map annotation that allows for setting values in the opaque config map for proxy service registrations. [GH-3347]
• helm: add validation that global.cloud.enabled is not set with externalServers.hosts set to HCP-managed clusters [GH-3315]

BUG FIXES:

• consul-telemetry-collector: add telemetryCollector.cloud.resourceId that works even when not global.cloud.enabled [GH-3219]
• consul-telemetry-collector: fix deployments to non-default namespaces when global.enableConsulNamespaces [GH-3215]
• consul-telemetry-collector: fix args to consul-dataplane when global.acls.manageSystemACLs [GH-3184]
• control-plane: Only delete ACL tokens matched Pod UID in Service Registration metadata [GH-3210]
• control-plane: fixes an issue with the server-acl-init job where the job would fail on upgrades due to consul server ip address changes. [GH-3137]
• control-plane: normalize the partition and namespace fields in V1 CRDs when comparing with saved version of the config-entry. [GH-3284]
• control-plane: Remove virtual nodes in the Consul Catalog when they do not have any services listed. [GH-3307]
• mesh: prevent extra-config from being loaded twice (and erroring for segment config) on clients and servers. [GH-3337]

v1.1.8

1.1.8 (December 19, 2023)

SECURITY:

• Update github.com/golang-jwt/jwt/v4 to v4.5.0 to address PRISMA-2022-0270. [GH-3237]
• Upgrade to use Go 1.20.12. This resolves CVEs
  CVE-2023-45283: (path/filepath) recognize ??\ as a Root Local Device path prefix (Windows)
  CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows)
  CVE-2023-39326: (net/http) limit chunked data overhead
  CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-3312]

FEATURES:

• crd: adds the retryOn field to the ServiceRouter CRD. [GH-3308]
• helm: add persistentVolumeClaimRetentionPolicy variable for managing Statefulsets PVC retain policy when deleting or downsizing the statefulset. [GH-3180]

IMPROVEMENTS:

• cli: Add -o json (-output-format json) to consul-k8s proxy list command that returns the result in json format. [GH-3221]
• cli: Add consul-k8s proxy stats command line interface that outputs the localhost:19000/stats of envoy in the pod [GH-3158]
• control-plane: Add new consul.hashicorp.com/proxy-config-map annotation that allows for setting values in the opaque config map for proxy service registrations. [GH-3347]
• helm: add validation that global.cloud.enabled is not set with externalServers.hosts set to HCP-managed clusters [GH-3315]

BUG FIXES:

• consul-telemetry-collector: add telemetryCollector.cloud.resourceId that works even when not global.cloud.enabled [GH-3219]
• consul-telemetry-collector: fix deployments to non-default namespaces when global.enableConsulNamespaces [GH-3215]
• consul-telemetry-collector: fix args to consul-dataplane when global.acls.manageSystemACLs [GH-3184]
• control-plane: Only delete ACL tokens matched Pod UID in Service Registration metadata [GH-3210]
• control-plane: fixes an issue with the server-acl-init job where the job would fail on upgrades due to consul server ip address changes. [GH-3137]
• control-plane: Remove virtual nodes in the Consul Catalog when they do not have any services listed. [GH-3137]
• mesh: prevent extra-config from being loaded twice (and erroring for segment config) on clients and servers. [GH-3337]

v1.3.0

1.3.0 (November 8, 2023)

SECURITY:

• Update Envoy version to 1.25.11 to address CVE-2023-44487 [GH-3117]

FEATURES:

• 🎉 This release provides the ability to preview Consul's v2 Catalog and Resource API if enabled.
  The new model supports multi-port application deployments with only a single Envoy proxy.
  Note that the v1 and v2 catalogs are not cross compatible, and not all Consul features are available within this v2 feature preview.
  See the v2 Catalog and Resource API documentation for more information.
  The v2 Catalog and Resources API should be considered a feature preview within this release and should not be used in production environments.

Limitations

• The v1 and v2 catalog APIs cannot run concurrently.
• The Consul UI must be disable. It does not support multi-port services or the v2 catalog API in this release.
• HCP Consul does not support multi-port services or the v2 catalog API in this release.

[GH-2868]
[GH-2883]
[GH-2930]
[GH-2967] [GH-2941]

• Add the PrioritizeByLocality field to the ServiceResolver and ProxyDefaults CRDs. [GH-2784]
• Set locality on services registered with connect-inject. [GH-2346]
• api-gateway: Add support for response header modifiers in HTTPRoute filters [GH-2904]
• api-gateway: add RouteRetryFilter and RouteTimeoutFilter CRDs [GH-2735]
• helm: (Consul Enterprise) Adds rate limiting config to serviceDefaults CRD [GH-2844]

IMPROVEMENTS:

• (Consul Enterprise) Add support to provide inputs via helm for audit log related configuration [GH-2265]
• control-plane: Changed the container ordering in connect-inject to insert consul-dataplane container first if lifecycle is enabled. Container ordering is unchanged if lifecycle is disabled. [GH-2743]
• helm: Kubernetes v1.28 is now supported. Minimum tested version of Kubernetes is now v1.25. [GH-3138]

BUG FIXES:

• control-plane: Set locality on sidecar proxies in addition to services when registering with connect-inject. [GH-2748]

v1.2.3

1.2.3 (November 2, 2023)

SECURITY:

• Update Envoy version to 1.25.11 to address CVE-2023-44487 [GH-3119]
• Upgrade google.golang.org/grpc to 1.56.3.
  This resolves vulnerability CVE-2023-44487. [GH-3139]
• Upgrade to use Go 1.20.10 and x/net 0.17.0.
  This resolves CVE-2023-39325
  / CVE-2023-44487. [GH-3085]

BUG FIXES:

• api-gateway: fix issue where missing NET_BIND_SERVICE capability prevented api-gateway Pod from starting up when deployed to OpenShift [GH-3070]
• control-plane: only alert on valid errors, not timeouts in gateway [GH-3128]
• crd: fix misspelling of preparedQuery field in ControlPlaneRequestLimit CRD [GH-3001]

v1.1.7

1.1.7 (November 2, 2023)

SECURITY:

• Update Envoy version to 1.25.11 to address CVE-2023-44487 [GH-3120]
• Upgrade google.golang.org/grpc to 1.56.3.
  This resolves vulnerability CVE-2023-44487. [GH-3139]
• Upgrade to use Go 1.20.10 and x/net 0.17.0.
  This resolves CVE-2023-39325
  / CVE-2023-44487. [GH-3085]

v1.0.11

1.0.11 (November 2, 2023)

SECURITY:

• Update Envoy version to 1.24.12 to address CVE-2023-44487 [GH-3121]
• Upgrade google.golang.org/grpc to 1.56.3.
  This resolves vulnerability CVE-2023-44487. [GH-3139]
• Upgrade to use Go 1.20.10 and x/net 0.17.0.
  This resolves CVE-2023-39325
  / CVE-2023-44487. [GH-3085]

v1.3.0-rc1

1.3.0-rc1 (October 10, 2023)

FEATURE PREVIEW: Catalog v2

• 🎉 This release provides the ability to preview Consul's v2 Catalog and Resource API if enabled.
  The new model supports multi-port application deployments with only a single Envoy proxy.
  Note that the v1 and v2 catalogs are not cross compatible, and not all Consul features are available within this v2 feature preview.
  See the v2 Catalog and Resource API documentation for more information.
  The v2 Catalog and Resources API should be considered a feature preview within this release and should not be used in production environments.

Limitations

• The v1 and v2 catalog APIs cannot run concurrently.
• The Consul UI must be disabled. It does not support multi-port services or the v2 catalog API in this release.
• HCP Consul does not support multi-port services or the v2 catalog API in this release.
• The v2 API only supports transparent proxy mode where services that have permissions to connect to each other can use
  Kube DNS to connect.

Known Issues

• When using the v2 API with transparent proxy, Kubernetes pods cannot use L7 liveness, readiness, or startup probes.
  • [GH-2868]
  • [GH-2883]
  • [GH-2930]
  • [GH-2967]
  • [GH-2941]
• Add the PrioritizeByLocality field to the ServiceResolver and ProxyDefaults CRDs. [GH-2784]
• Set locality on services registered with connect-inject. [GH-2346]
• api-gateway: Add support for response header modifiers in HTTPRoute filters [GH-2904]
• api-gateway: add RouteRetryFilter and RouteTimeoutFilter CRDs [GH-2735]
• helm: (Consul Enterprise) Adds rate limiting config to serviceDefaults CRD [GH-2844]

IMPROVEMENTS:

• (Consul Enterprise) Add support to provide inputs via helm for audit log related configuration [GH-2265]
• control-plane: Changed the container ordering in connect-inject to insert consul-dataplane container first if lifecycle is enabled. Container ordering is unchanged if lifecycle is disabled. [GH-2743]

BUG FIXES:

• control-plane: Set locality on sidecar proxies in addition to services when registering with connect-inject. [GH-2748]