v1.2.2

1.2.2 (September 21, 2023)

SECURITY:

• Upgrade to use Go 1.20.8. This resolves CVEs
  CVE-2023-39320 (cmd/go),
  CVE-2023-39318 (html/template),
  CVE-2023-39319 (html/template),
  CVE-2023-39321 (crypto/tls), and
  CVE-2023-39322 (crypto/tls) [GH-2936]

FEATURES:

• Add support for new observability service principal in cloud preset [GH-2958]
• helm: Add ability to configure resource requests and limits for Gateway API deployments. [GH-2723]

IMPROVEMENTS:

• Add NET_BIND_SERVICE capability to restricted security context used for consul-dataplane [GH-2787]
• Add new value global.argocd.enabled. Set this to true when using ArgoCD to deploy this chart. [GH-2785]
• Add support for running on GKE Autopilot. [GH-2952]
• api-gateway: reduce log output when disconnecting from consul server [GH-2880]
• control-plane: Improve performance for pod deletions by reducing the number of fetched tokens. [GH-2910]
• control-plane: prevent updation of anonymous-token-policy and anonymous-token if anonymous-token-policy is already attached to the anonymous-token [GH-2790]
• helm: Add JWKSCluster field to JWTProvider CRD. [GH-2881]
• vault: Adds namespace to secretsBackend.vault.connectCA in Helm chart and annotation: "vault.hashicorp.com/namespace: namespace" to
  secretsBackend.vault.agentAnnotations, if "vault.hashicorp.com/namespace" annotation is not present.
  This provides a more convenient way to specify the Vault namespace than nested JSON in connectCA.additionalConfig. [GH-2841]

BUG FIXES:

• audit-log: fix parsing error for some audit log configuration fields fail with uncovertible string to integer errors. [GH-2905]
• bug: Remove global.acls.nodeSelector and global.acls.annotations from Gateway Resources Jobs [GH-2869]
• control-plane: Fix issue where ACL tokens would have an empty pod name that prevented proper token cleanup. [GH-2808]
• control-plane: When using transparent proxy or CNI, reduced required permissions by setting privileged to false. Privileged must be true when using OpenShift without CNI. [GH-2755]
• helm: Update prometheus port and scheme annotations if tls is enabled [GH-2782]
• ingress-gateway: Adds missing PassiveHealthCheck to IngressGateways CRD and updates missing fields on ServiceDefaults CRD [GH-2796]

v1.1.6

1.1.6 (September 21, 2023)

SECURITY:

• Upgrade to use Go 1.20.8. This resolves CVEs
  CVE-2023-39320 (cmd/go),
  CVE-2023-39318 (html/template),
  CVE-2023-39319 (html/template),
  CVE-2023-39321 (crypto/tls), and
  CVE-2023-39322 (crypto/tls) [GH-2936]

IMPROVEMENTS:

• control-plane: Improve performance for pod deletions by reducing the number of fetched tokens. [GH-2910]
• vault: Adds namespace to secretsBackend.vault.connectCA in Helm chart and annotation: "vault.hashicorp.com/namespace: namespace" to
  secretsBackend.vault.agentAnnotations, if "vault.hashicorp.com/namespace" annotation is not present.
  This provides a more convenient way to specify the Vault namespace than nested JSON in connectCA.additionalConfig. [GH-2841]

BUG FIXES:

• audit-log: fix parsing error for some audit log configuration fields fail with uncovertible string to integer errors. [GH-2905]

v1.0.10

1.0.10 (September 21, 2023)

SECURITY:

• Upgrade to use Go 1.19.13. This resolves CVEs
  CVE-2023-39320 (cmd/go),
  CVE-2023-39318 (html/template),
  CVE-2023-39319 (html/template),
  CVE-2023-39321 (crypto/tls), and
  CVE-2023-39322 (crypto/tls) [GH-2938]

IMPROVEMENTS:

• Add NET_BIND_SERVICE capability to restricted security context used for consul-dataplane [GH-2787]
• Add new value global.argocd.enabled. Set this to true when using ArgoCD to deploy this chart. [GH-2785]
• control-plane: Improve performance for pod deletions by reducing the number of fetched tokens. [GH-2910]
• control-plane: prevent updation of anonymous-token-policy and anonymous-token if anonymous-token-policy is already attached to the anonymous-token [GH-2790]
• vault: Adds namespace to secretsBackend.vault.connectCA in Helm chart and annotation: "vault.hashicorp.com/namespace: namespace" to
  secretsBackend.vault.agentAnnotations, if "vault.hashicorp.com/namespace" annotation is not present.
  This provides a more convenient way to specify the Vault namespace than nested JSON in connectCA.additionalConfig. [GH-2841]

BUG FIXES:

• audit-log: fix parsing error for some audit log configuration fields fail with uncovertible string to integer errors. [GH-2905]
• control-plane: Fix issue where ACL tokens would have an empty pod name that prevented proper token cleanup. [GH-2808]
• control-plane: When using transparent proxy or CNI, reduced required permissions by setting privileged to false. Privileged must be true when using OpenShift without CNI. [GH-2755]
• helm: Update prometheus port and scheme annotations if tls is enabled [GH-2782]

v1.1.5

1.1.5 (September 6, 2023)

IMPROVEMENTS:

• Add NET_BIND_SERVICE capability to restricted security context used for consul-dataplane [GH-2787]
• Add new value global.argocd.enabled. Set this to true when using ArgoCD to deploy this chart. [GH-2785]
• control-plane: prevent updation of anonymous-token-policy and anonymous-token if anonymous-token-policy is already attached to the anonymous-token [GH-2790]

BUG FIXES:

• control-plane: Fix issue where ACL tokens would have an empty pod name that prevented proper token cleanup. [GH-2808]
• control-plane: When using transparent proxy or CNI, reduced required permissions by setting privileged to false. Privileged must be true when using OpenShift without CNI. [GH-2755]
• helm: Update prometheus port and scheme annotations if tls is enabled [GH-2782]
• ingress-gateway: Adds missing PassiveHealthCheck to IngressGateways CRD and updates missing fields on ServiceDefaults CRD [GH-2796]

v1.2.1

1.2.1 (Aug 10, 2023)

BREAKING CHANGES:

• control-plane: All policies managed by consul-k8s will now be updated on upgrade. If you previously edited the policies after install, your changes will be overwritten. [GH-2392]

SECURITY:

• Upgrade to use Go 1.20.6 and x/net/http 0.12.0.
  This resolves CVE-2023-29406(net/http). [GH-2642]
• Upgrade to use Go 1.20.7 and x/net 0.13.0.
  This resolves CVE-2023-29409(crypto/tls)
  and CVE-2023-3978(net/html). [GH-2710]

FEATURES:

• Add support for configuring graceful shutdown proxy lifecycle management settings. [GH-2233]
• api-gateway: adds ability to map privileged ports on Gateway listeners to unprivileged ports so that containers do not require additional privileges [GH-2707]
• api-gateway: support deploying to OpenShift 4.11 [GH-2184]
• helm: Adds acls.resources field which can be configured to override the resource settings for the server-acl-init and server-acl-init-cleanup Jobs. [GH-2416]
• sync-catalog: add ability to support weighted loadbalancing by service annotation consul.hashicorp.com/service-weight: <number> [GH-2293]

IMPROVEMENTS:

• (Consul Enterprise) Add support to provide inputs via helm for audit log related configuration [GH-2370]
• (api-gateway) make API gateway controller less verbose [GH-2524]
• Add support to provide the logLevel flag via helm for multiple low level components. Introduces the following fields

1. global.acls.logLevel
2. global.tls.logLevel
3. global.federation.logLevel
4. global.gossipEncryption.logLevel
5. server.logLevel
6. client.logLevel
7. meshGateway.logLevel
8. ingressGateways.logLevel
9. terminatingGateways.logLevel
10. telemetryCollector.logLevel [GH-2302]

• control-plane: increase timeout after login for ACL replication to 60 seconds [GH-2656]
• helm: adds values for securityContext and annotations on TLS and ACL init/cleanup jobs. [GH-2525]
• helm: set container securityContexts to match the restricted Pod Security Standards policy to support running Consul in a namespace with restricted PSA enforcement enabled [GH-2572]
• helm: update imageConsulDataplane value to hashicorp/consul-dataplane:1.2.0 [GH-2476]
• helm: update image value to hashicorp/consul:1.16.0 [GH-2476]

BUG FIXES:

• api-gateway: Fix creation of invalid Kubernetes Service when multiple Gateway listeners have the same port. [GH-2413]
• api-gateway: fix helm install when setting copyAnnotations or nodeSelector [GH-2597]
• api-gateway: fixes bug where envoy will silently reject RSA keys less than 2048 bits in length when not in FIPS mode, and
  will reject keys that are not 2048, 3072, or 4096 bits in length in FIPS mode. We now validate
  and reject invalid certs earlier. [GH-2478]
• api-gateway: set route condition appropriately when parent ref includes non-existent section name [GH-2420]
• control-plane: Always update ACL policies upon upgrade. [GH-2392]
• control-plane: fix bug in endpoints controller when deregistering services from consul when a node is deleted. [GH-2571]
• helm: fix CONSUL_LOGIN_DATACENTER for consul client-daemonset. [GH-2652]
• helm: fix ui ingress manifest formatting, and exclude ingressClass when not defined. [GH-2687]
• transparent-proxy: Fix issue where connect-inject lacked sufficient mesh:write privileges in some deployments,
  which prevented virtual IPs from persisting properly. [GH-2520]

v1.1.4

1.1.4 (Aug 10, 2023)

SECURITY:

• Upgrade to use Go 1.20.6 and x/net/http 0.12.0.
  This resolves CVE-2023-29406(net/http). [GH-2642]
• Upgrade to use Go 1.20.7 and x/net 0.13.0.
  This resolves CVE-2023-29409(crypto/tls)
  and CVE-2023-3978(net/html). [GH-2710]

IMPROVEMENTS:

• Add support to provide the logLevel flag via helm for multiple low level components. Introduces the following fields

1. global.acls.logLevel
2. global.tls.logLevel
3. global.federation.logLevel
4. global.gossipEncryption.logLevel
5. server.logLevel
6. client.logLevel
7. meshGateway.logLevel
8. ingressGateways.logLevel
9. terminatingGateways.logLevel
10. telemetryCollector.logLevel [GH-2302]

• control-plane: increase timeout after login for ACL replication to 60 seconds [GH-2656]
• helm: adds values for securityContext and annotations on TLS and ACL init/cleanup jobs. [GH-2525]
• helm: do not set container securityContexts by default on OpenShift < 4.11 [GH-2678]
• helm: set container securityContexts to match the restricted Pod Security Standards policy to support running Consul in a namespace with restricted PSA enforcement enabled [GH-2572]

BUG FIXES:

• control-plane: fix bug in endpoints controller when deregistering services from consul when a node is deleted. [GH-2571]
• helm: fix CONSUL_LOGIN_DATACENTER for consul client-daemonset. [GH-2652]
• helm: fix ui ingress manifest formatting, and exclude ingressClass when not defined. [GH-2687]

v1.0.9

1.0.9 (Aug 10, 2023)

SECURITY:

• Upgrade to use Go 1.19.11 and x/net/http 0.12.0.
  This resolves CVE-2023-29406(net/http). [GH-2650]
• Upgrade to use Go 1.19.12 and x/net 0.13.0.
  This resolves CVE-2023-29409(crypto/tls)
  and CVE-2023-3978(net/html). [GH-2717]

IMPROVEMENTS:

• Add support to provide the logLevel flag via helm for multiple low level components. Introduces the following fields

1. global.acls.logLevel
2. global.tls.logLevel
3. global.federation.logLevel
4. global.gossipEncryption.logLevel
5. server.logLevel
6. client.logLevel
7. meshGateway.logLevel
8. ingressGateways.logLevel
9. terminatingGateways.logLevel [GH-2302]

• control-plane: increase timeout after login for ACL replication to 60 seconds [GH-2656]
• helm: adds values for securityContext and annotations on TLS and ACL init/cleanup jobs. [GH-2525]
• helm: do not set container securityContexts by default on OpenShift < 4.11 [GH-2678]
• helm: set container securityContexts to match the restricted Pod Security Standards policy to support running Consul in a namespace with restricted PSA enforcement enabled [GH-2572]

BUG FIXES:

• control-plane: fix bug in endpoints controller when deregistering services from consul when a node is deleted. [GH-2571]
• helm: fix CONSUL_LOGIN_DATACENTER for consul client-daemonset. [GH-2652]
• helm: fix ui ingress manifest formatting, and exclude ingressClass when not defined. [GH-2687]

v0.49.8

0.49.8 (July 12, 2023)

IMPROVEMENTS:

• helm: Add connectInject.prepareDataplanesUpgrade setting for help upgrading to dataplanes. This setting is required if upgrading from non-dataplanes to dataplanes when ACLs are enabled. See https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-to-consul-dataplane for more information. [GH-2514]

v1.2.0

1.2.0 (June 28, 2023)

FEATURES:

• Add support for configuring Consul server-side rate limiting [GH-2166]
• api-gateway: Add API Gateway for Consul on Kubernetes leveraging Consul native API Gateway configuration. [GH-2152]
• crd: Add mutualTLSMode to the ProxyDefaults and ServiceDefaults CRDs and allowEnablingPermissiveMutualTLS to the Mesh CRD to support configuring permissive mutual TLS. [GH-2100]
• helm: Add JWTProvider CRD for configuring the jwt-provider config entry. [GH-2209]
• helm: Update the ServiceIntentions CRD to support JWT fields. [GH-2213]

IMPROVEMENTS:

• cli: update minimum go version for project to 1.20. [GH-2102]
• control-plane: add FIPS support [GH-2165]
• control-plane: server ACL Init always appends both, the secrets from the serviceAccount's secretRefs and the one created by the Helm chart, to support Openshift secret handling. [GH-1770]
• control-plane: set agent localities on Consul servers to the server node's topology.kubernetes.io/region label. [GH-2093]
• control-plane: update alpine to 3.17 in the Docker image. [GH-1934]
• control-plane: update minimum go version for project to 1.20. [GH-2102]
• helm: Kubernetes v1.27 is now supported. Minimum tested version of Kubernetes is now v1.24. [GH-2304]
• helm: Update the default amount of memory used by the connect-inject controller so that its less likely to get OOM killed. [GH-2249]
• helm: add failover policy field to service resolver and proxy default CRDs [GH-2030]
• helm: add samenessGroup CRD [GH-2048]
• helm: add samenessGroup field to exported services CRD [GH-2075]
• helm: add samenessGroup field to service resolver CRD [GH-2086]
• helm: add samenessGroup field to source intention CRD [GH-2097]
• helm: update imageConsulDataplane value to hashicorp/consul-dataplane:1.2.0 [GH-2476]
• helm: update image value to hashicorp/consul:1.16.0 [GH-2476]

SECURITY:

• Update Go-Discover in the container has been updated to address CVE-2020-14040 [GH-2390]
• Bump Dockerfile base image to alpine:3.18. Resolves CVE-2023-2650 vulnerability in [email protected] [GH-2284]
• Fix Prometheus CVEs by bumping controller-runtime. [GH-2183]
• Upgrade to use Go 1.20.4.
  This resolves vulnerabilities CVE-2023-24537(go/scanner),
  CVE-2023-24538(html/template),
  CVE-2023-24534(net/textproto) and
  CVE-2023-24536(mime/multipart).
  Also, golang.org/x/net has been updated to v0.7.0 to resolve CVEs CVE-2022-41721, CVE-2022-27664 and CVE-2022-41723
  [GH-2102]

BUG FIXES:

• control-plane: Fix casing of the Enforce Consecutive 5xx field on Service Defaults and acceptance test fixtures. [GH-2266]
• control-plane: fix issue where consul-connect-injector acl token was unintentionally being deleted and not recreated when a container was restarted due to a livenessProbe failure. [GH-1914]

v1.1.3

1.1.3 (June 28, 2023)

BREAKING CHANGES:

• control-plane: All policies managed by consul-k8s will now be updated on upgrade. If you previously edited the policies after install, your changes will be overwritten. [GH-2392]

SECURITY:

• Bump Dockerfile base image to alpine:3.18. Resolves CVE-2023-2650 vulnerability in [email protected] [GH-2284]
• Update Go-Discover in the container has been updated to address CVE-2020-14040 [GH-2390]

FEATURES:

• Add support for configuring graceful shutdown proxy lifecycle management settings. [GH-2233]
• helm: Adds acls.resources field which can be configured to override the resource settings for the server-acl-init and server-acl-init-cleanup Jobs. [GH-2416]
• sync-catalog: add ability to support weighted loadbalancing by service annotation consul.hashicorp.com/service-weight: <number> [GH-2293]

IMPROVEMENTS:

• (Consul Enterprise) Add support to provide inputs via helm for audit log related configuration [GH-2369]
• helm: Update the default amount of memory used by the connect-inject controller so that its less likely to get OOM killed. [GH-2249]

BUG FIXES:

• control-plane: Always update ACL policies upon upgrade. [GH-2392]
• control-plane: Fix casing of the Enforce Consecutive 5xx field on Service Defaults and acceptance test fixtures. [GH-2266]