v1.0.7

1.0.7 (May 17, 2023)

SECURITY:

• Upgrade to use Go 1.19.9.
  This resolves vulnerabilities CVE-2023-24537(go/scanner),
  CVE-2023-24538(html/template),
  CVE-2023-24534(net/textproto) and
  CVE-2023-24536(mime/multipart).
  Also, golang.org/x/net has been updated to v0.7.0 to resolve CVEs CVE-2022-41721, CVE-2022-27664 and CVE-2022-41723 [GH-2108]

FEATURES:

• sync-catalog: add ability to sync hostname from a Kubernetes Ingress resource to the Consul Catalog during service registration. [GH-2098]

IMPROVEMENTS:

• cli: Add consul-k8s config read command that returns the helm configuration in yaml format. [GH-2078]
• helm: update imageConsulDataplane value to hashicorp/consul-dataplane:1.0.2, image value to hashicorp/consul:1.14.7,
  and imageEnvoy to envoyproxy/envoy:v1.24.7. [GH-2140]

BUG FIXES:

• api-gateway: fix issue where the API Gateway controller is unable to start up successfully when Vault is configured as the secrets backend [GH-2083]
• helm: add missing $HOST_IP environment variable to to mesh gateway deployments. [GH-1808]
• sync-catalog: fix issue where the sync-catalog ACL token were set with an incorrect ENV VAR. [GH-2068]

v0.49.6

0.49.6 (May 17, 2023)

SECURITY:

• Upgrade to use Go 1.19.9.
  This resolves vulnerabilities CVE-2023-24537(go/scanner),
  CVE-2023-24538(html/template),
  CVE-2023-24534(net/textproto) and
  CVE-2023-24536(mime/multipart).
  Also, golang.org/x/net has been updated to v0.7.0 to resolve CVEs CVE-2022-41721
  , CVE-2022-27664 and CVE-2022-41723 [GH-2110]

IMPROVEMENTS:

• helm: Set default limits.cpu resource setting to null for consul-connect-inject-init container to speed up registration times when onboarding services onto the mesh during the init container lifecycle. [GH-2008]

v1.1.1

1.1.1 (March 31, 2023)

IMPROVEMENTS:

• helm: Set default limits.cpu resource setting to null for consul-connect-inject-init container to speed up registration times when onboarding services onto the mesh during the init container lifecycle. [GH-2008]
• helm: When the global.acls.bootstrapToken field is set and the content of the secret is empty, the bootstrap ACL token is written to that secret after bootstrapping ACLs. This applies to both the Vault and Consul secrets backends. [GH-1920]

BUG FIXES:

• api-gateway: fix ACL issue where when adminPartitions and ACLs are enabled, API Gateway Controller is unable to create a new namespace in Consul [GH-2029]
• api-gateway: fix issue where specifying an external server SNI name while using client nodes resulted in a TLS verification error. [GH-2013]

v1.0.6

1.0.6 (March 20, 2023)

IMPROVEMENTS:

• helm: Set default limits.cpu resource setting to null for consul-connect-inject-init container to speed up registration times when onboarding services onto the mesh during the init container lifecycle. [GH-2008]

BUG FIXES:

• api-gateway: fix issue where specifying an external server SNI name while using client nodes resulted in a TLS verification error. [GH-2013]

v1.0.5

1.0.5 (March 9, 2023)

SECURITY:

• upgrade to use Go 1.19.6. This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http. [GH-1976]

IMPROVEMENTS:

• control-plane: server ACL Init always appends both, the secrets from the serviceAccount's secretRefs and the one created by the Helm chart, to support Openshift secret handling. [GH-1770]
• control-plane: update alpine to 3.17 in the Docker image. [GH-1934]
• helm: update imageConsulDataplane value to hashicorp/consul-dataplane:1.1.0. [GH-1953]

v0.49.5

0.49.5 (March 9, 2023)

SECURITY:

• upgrade to use Go 1.19.6. This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http. [GH-1975]

IMPROVEMENTS:

• cli: update minimum go version for project to 1.19. [GH-1975]
• control-plane: server ACL Init always appends both, the secrets from the serviceAccount's secretRefs and the one created by the Helm chart, to support Openshift secret handling. [GH-1770]
• control-plane: update alpine to 3.17 in the Docker image. [GH-1934]
• control-plane: update minimum go version for project to 1.19. [GH-1975]

BUG FIXES:

• control-plane: fix issue where consul-connect-injector acl token was unintentionally being deleted and not recreated when a container was restarted due to a livenessProbe failure. [GH-1914]

v1.1.0

1.1.0 (February 27, 2023)

BREAKING CHANGES:

• Helm:

  • Change defaults to exclude the openebs namespace from sidecar injection. If you previously had pods in that namespace
    that you wanted to be injected, you must now set namespaceSelector as follows:

    connectInject:
      namespaceSelector: |
        matchExpressions:
        - key: "kubernetes.io/metadata.name"
          operator: "NotIn"
          values: ["kube-system","local-path-storage"]

    [GH-1869]

IMPROVEMENTS:

• Helm:
  • CNI: Add connectInject.cni.namespace stanza which allows the CNI plugin resources to be deployed in a namespace other than the namespace that Consul is installed. [GH-1756]
  • Kubernetes v1.26 is now supported. Minimum tested version of Kubernetes is now v1.23. [GH-1852]
  • Add a global.extraLabels stanza to allow setting global Kubernetes labels for all components deployed by the consul-k8s Helm chart. [GH-1778]
  • Add the accessLogs field to the ProxyDefaults CRD. [GH-1816]
  • Add the envoyExtensions field to the ProxyDefaults and ServiceDefaults CRD. [GH-1823]
  • Add the balanceInboundConnections field to the ServiceDefaults CRD. [GH-1823]
  • Add the upstreamConfig.overrides[].peer field to the ServiceDefaults CRD. [GH-1853]
• Control-Plane
  • Update minimum go version for project to 1.20 [GH-1908]
  • Add support for the annotation consul.hashicorp.com/use-proxy-health-check. When this annotation is used by a service, it configures a readiness endpoint on Consul Dataplane and queries it instead of the proxy's inbound port which forwards requests to the application. [GH-1824], [GH-1841]
  • Add health check for synced services based on the status of the Kubernetes readiness probe on synced pod. [GH-1821]
  • Remove extraneous gnupg dependency from consul-k8s-control-plane since it is no longer needed for validating binary artifacts prior to release. [GH-1882]
  • Server ACL Init always appends both, the secrets from the serviceAccount's secretRefs and the one created by the Helm chart, to support Openshift secret handling. [GH-1770]
  • Update alpine to 3.17 in the Docker image. [GH-1934]
• CLI:
  • Update minimum go version for project to 1.20 [GH-1908]
  • Add consul-k8s proxy log podname command for displaying and modifying Envoy log levels for a given Pod. GH-1844, GH-1849, GH-1864

BUG FIXES:

• Control Plane
  • Don't incorrectly diff intention config entries when upgrading from Consul pre-1.12 to 1.12+ [GH-1804]
  • Add discover binary to control-plane image [GH-1749]
• Helm:
  • Don't pass in a CA file to the API Gateway controller when externalServers.useSystemRoots is true. [GH-1743]
  • Use the correct autogenerated cert for the API Gateway Controller when connecting to servers versus clients. [GH-1753]
• Security:
  • Upgrade to use Go 1.20.1 This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http. [GH-1908]

v1.0.4

1.0.4 (February 7, 2023)

BREAKING CHANGES:

• Helm:

  • Change defaults to exclude the openebs namespace from sidecar injection. If you previously had pods in that namespace
    that you wanted to be injected, you must now set namespaceSelector as follows:

    connectInject:
      namespaceSelector: |
        matchExpressions:
        - key: "kubernetes.io/metadata.name"
          operator: "NotIn"
          values: ["kube-system","local-path-storage"]

    [GH-1869]

IMPROVEMENTS:

• Control Plane
  • Remove extraneous gnupg dependency from consul-k8s-control-plane since it is no longer needed for validating binary artifacts prior to release. [GH-1882]

v0.49.4

0.49.4 (February 7, 2023)

BREAKING CHANGES:

• Helm:

  • Change defaults to exclude the openebs namespace from sidecar injection. If you previously had pods in that namespace
    that you wanted to be injected, you must now set namespaceSelector as follows:

    connectInject:
      namespaceSelector: |
        matchExpressions:
        - key: "kubernetes.io/metadata.name"
          operator: "NotIn"
          values: ["kube-system","local-path-storage"]

    [GH-1869]

IMPROVEMENTS:

• Control Plane
  • Remove extraneous gnupg dependency from consul-k8s-control-plane since it is no longer needed for validating binary artifacts prior to release. [GH-1882]

v1.0.3

1.0.3 (January 30, 2023)

IMPROVEMENTS:

• Helm:
  • Kubernetes v1.26 is now supported. Minimum tested version of Kubernetes is now v1.23. [GH-1852]
  • Add a global.extraLabels stanza to allow setting global Kubernetes labels for all components deployed by the consul-k8s Helm chart. [GH-1778]
• Control-Plane
  • Add support for the annotation consul.hashicorp.com/use-proxy-health-check. When this annotation is used by a service, it configures a readiness endpoint on Consul Dataplane and queries it instead of the proxy's inbound port which forwards requests to the application. [GH-1824], [GH-1841]
  • Add health check for synced services based on the status of the Kubernetes readiness probe on synced pod. [GH-1821]

BUG FIXES:

• Control Plane
  • Don't incorrectly diff intention config entries when upgrading from Consul pre-1.12 to 1.12+ [GH-1804]