
Releases: hashicorp/consul-k8s

v0.46.0

20 Jul 21:48
368d83f

0.46.0 (July 20, 2022)

FEATURES:

  • [Experimental] Cluster Peering:
    • Add support for secret watchers on the Peering Acceptor and Peering Dialer controllers. [GH-1284]
    • Add support for version annotation on the Peering Acceptor and Peering Dialer controllers. [GH-1302]
    • Add validation webhooks for the Peering Acceptor and Peering Dialer CRDs. [GH-1310]

IMPROVEMENTS:

  • Control Plane
    • Update minimum Go version for the project to 1.18. [GH-1292]
    • Added annotations consul.hashicorp.com/prometheus-ca-file, consul.hashicorp.com/prometheus-ca-path, consul.hashicorp.com/prometheus-cert-file, and consul.hashicorp.com/prometheus-key-file for configuring TLS scraping on Prometheus metrics endpoints for Envoy sidecars. To enable, set the cert and key file annotations along with one of the CA file/path annotations. [GH-1303]
    • Added annotations consul.hashicorp.com/consul-sidecar-user-volume and consul.hashicorp.com/consul-sidecar-user-volume-mount for attaching Volumes and VolumeMounts to the Envoy sidecar. Both should be JSON objects. [GH-1315]
  • CLI
    • Update minimum Go version for the project to 1.18. [GH-1292]
  • Helm
    • Added connectInject.annotations and syncCatalog.annotations values for setting annotations on the connect inject and sync catalog deployments. [GH-775]
    • Added a PodDisruptionBudget to the connect injector deployment, which can be configured using the connectInject.disruptionBudget stanza. [GH-1316]

BUG FIXES:

  • Helm
    • When using OpenShift, do not set securityContext in the gossip-encryption-autogenerate job. [GH-1308]
  • Control Plane
    • Fix missing RBAC permissions for the peering controllers to be able to update secrets. [GH-1359]
    • Fix a bug in the peering controller where we tried to read the secret from the cache right after creating it. [GH-1359]

v0.45.0

17 Jun 12:40

0.45.0 (June 17, 2022)

FEATURES:

  • [Experimental] Cluster Peering: Support Consul cluster peering, which allows service connectivity between two independent clusters. [GH-1273]

    Enabling peering will deploy the peering controllers and the PeeringAcceptor and PeeringDialer CRDs. The new CRDs are used to establish a peering connection between two clusters.

    See the Cluster Peering on Kubernetes documentation for full instructions.

    Requirements:

    • Consul 1.13+
    • global.peering.enabled=true and connectInject.enabled=true must be set to enable peering.
    • Mesh gateways are required for service-to-service communication across peers, i.e. meshGateway.enabled=true.

IMPROVEMENTS:

  • Helm
    • Enable the configuring of snapshot intervals in the client snapshot agent via client.snapshotAgent.interval. [GH-1235]
    • Enable configuring the pod topologySpreadConstraints for mesh, terminating, and ingress gateways. [GH-1257]
    • Present Consul server CA chain when using Vault secrets backend. [GH-1251]
    • API Gateway: Enable configuring of the new High Availability feature (requires Consul API Gateway v0.3.0+). [GH-1261]
    • Enable the configuration of Envoy proxy concurrency via connectInject.sidecarProxy.concurrency, which can be overridden at the pod level via the annotation consul.hashicorp.com/consul-envoy-proxy-concurrency. This PR also sets the default concurrency for Envoy proxies to 2. [GH-1277]
    • Update Mesh CRD with Mesh HTTP Config. [GH-1282]
  • Control Plane
    • Bump Dockerfile base image for RedHat UBI consul-k8s-control-plane image to ubi-minimal:8.6. [GH-1244]
    • Add additional metadata to service instances registered via catalog sync. [GH-447]
    • Enable configuring Connect Injector and Controller Webhooks' certificates to be managed by Vault. [GH-1191]

BUG FIXES:

  • Helm
    • Update client-snapshot-agent so that setting client.snapshotAgent.caCert no longer requires root access to modify the trust store. [GH-1190]
    • Add missing vault agent annotations to the api-gateway-controller-deployment. [GH-1247]
    • Bump default Envoy version to 1.22.2. [GH-1276]

v0.44.0

17 May 23:55

0.44.0 (May 17, 2022)

BREAKING CHANGES:

  • Helm
    • Using the Vault integration requires Consul 1.12.0+. [GH-1213], [GH-1218]

IMPROVEMENTS:

  • Helm
    • Enable the ability to configure global.consulAPITimeout to configure how long requests to the Consul API will wait to resolve before canceling. The default value is 5 seconds. [GH-1178]

BUG FIXES:

  • Security
    • Bump golang.org/x/crypto and golang.org/x/text dependencies to address CVE-2022-27291 and CVE-2021-38561 respectively on both CLI and Control Plane. There's no known exposure within Consul on Kubernetes as the dependencies are not invoked. [GH-1189]
  • Control Plane
    • Fix the Endpoints Controller queuing up service registrations/deregistrations when a request to the agent on a terminated pod does not time out. This could result in pods not being registered and service instances not being deregistered. [GH-714]
  • Helm
    • Update client-daemonset to include ca-cert volumeMount only when tls is enabled. [GH-1194]
    • Update create-federation-secret-job to look up the automatically generated gossip encryption key by the right name when global.name is unset or set to something other than consul. [GH-1196]
    • Add Admin Partitions support to Sync Catalog (Consul Enterprise only). [GH-1180]
    • Correct webhook-cert-manager-clusterrole to utilize the web-cert-manager podsecuritypolicy rather than connect-injectors when global.enablePodSecurityPolicies is true. [GH-1202]
    • Enable Consul auto-reload-config only when Vault is enabled. [GH-1213]
    • Revert TLS config to be compatible with Consul 1.11. [GH-1218]
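The two entries above, global.consulAPITimeout and the stalled Endpoints Controller, describe the same failure mode from two sides: a control-plane request to an agent that never answers blocks the caller indefinitely unless an upper bound is placed on the wait. The following Go program is an added illustration of that semantics, written for this page; it is not consul-k8s code. It uses a constructed httptest server that accepts the connection and never responds (standing in for an agent on a terminated pod) and a second one that answers immediately, and shows that the same registration call fails fast with context.DeadlineExceeded under a deadline but succeeds against the healthy agent. The registerService function and its URL path are assumptions for the example, not the project's API.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// stalledAgent stands in for a Consul agent on a pod that has already been
// terminated: the TCP connection is accepted but no response is ever written.
// The handler returns only once the client gives up, so the server can be
// closed cleanly afterwards. (Constructed test double, not a real agent.)
func stalledAgent() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		<-r.Context().Done() // cancelled when the client disconnects
	}))
}

// healthyAgent answers every request with 200 OK. (Constructed test double.)
func healthyAgent() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
}

// registerService models one Consul agent API call (PUT /v1/agent/service/register)
// made with an upper bound on how long to wait, the role global.consulAPITimeout
// plays for the control plane. A zero timeout means "wait forever", which is the
// behaviour that let the Endpoints Controller queue stall.
func registerService(agentURL string, timeout time.Duration) error {
	ctx := context.Background()
	if timeout > 0 {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, timeout)
		defer cancel()
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPut, agentURL+"/v1/agent/service/register", nil)
	if err != nil {
		return err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err // wraps context.DeadlineExceeded when the deadline fires
	}
	resp.Body.Close()
	return nil
}

// TimedOut reports whether an error from registerService was the deadline firing
// rather than some other transport failure, so the caller can requeue rather than
// treat it as a permanent error.
func TimedOut(err error) bool {
	return errors.Is(err, context.DeadlineExceeded)
}

func main() {
	stalled := stalledAgent()
	defer stalled.Close()
	healthy := healthyAgent()
	defer healthy.Close()

	// With a deadline the stalled call fails fast and the controller can move on.
	err := registerService(stalled.URL, 200*time.Millisecond)
	fmt.Printf("stalled agent: timed out=%v err=%v\n", TimedOut(err), err)

	// The same call against a responsive agent succeeds.
	fmt.Printf("healthy agent: err=%v\n", registerService(healthy.URL, 200*time.Millisecond))

	// registerService(stalled.URL, 0) would block this goroutine forever.
}
```

The default of 5 seconds from the Helm value is a trade-off: long enough to ride out a slow agent, short enough that one dead pod cannot hold up registrations for every other pod behind it in the queue.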

v0.43.0

21 Apr 16:59

0.43.0 (April 21, 2022)

BREAKING CHANGES:

  • Helm
    • Requires Consul 1.12.0+, as the server StatefulSets are now provisioned with the Consul -auto-reload-config flag, which monitors changes to specific Consul configuration properties and reloads Consul when changes are detected. [GH-1135]
    • API Gateway: Re-use connectInject.consulNamespaces instead of requiring that apiGateway.consulNamespaces have the same value when ACLs are enabled. [GH-1169]

FEATURES:

  • Control Plane
    • Add a "consul.hashicorp.com/kubernetes-service" annotation for pods to specify which Kubernetes service they want to use for registration when multiple services target the same pod. [GH-1150]

BUG FIXES:

  • CLI
    • Fix issue where clusters not in the same namespace as their deployment name could not be upgraded. [GH-1115]
    • Fix issue where the CLI was looking for secrets in namespaces other than the namespace targeted by the release. [GH-1156]
    • Fix issue where the federation secret was not being found in certain configurations. [GH-1154]
  • Control Plane
    • Fix issue where upgrading a deployment from non-service mesh to service mesh would cause Pods to hang in init. [GH-1136]
  • Helm
    • Respect client nodeSelector, tolerations, and priorityClass when scheduling create-federation-secret Job. [GH-1108]

IMPROVEMENTS:

  • Control Plane
    • Support new annotation for mounting connect-inject volume to other containers. [GH-1111]
  • Helm
    • API Gateway: Allow controller to read ReferencePolicy in order to determine if route is allowed for backend in different namespace. [GH-1148]
    • Allow consul to be a destination namespace. [GH-1163]
    • CRDs: Update Mesh and Ingress Gateway CRDs to support TLS config. [GH-1168]

v0.42.0

04 Apr 21:07

0.42.0 (April 04, 2022)

BREAKING CHANGES:

  • Helm
    • Minimum Kubernetes version supported is 1.19 and now matches what is stated in the README.md file. [GH-1049]
  • ACLs
    • Support Terminating Gateway obtaining an ACL token using a k8s auth method. [GH-1102]
      • Note: If you have updated a token with a new policy for a terminating gateway, this will no longer apply, as ACL tokens are now ephemeral: they are issued to the terminating gateway when the pod is created and destroyed when the pod is stopped. To achieve the same ACL permissions, assign the policy to the role for the terminating gateway rather than to the token.
    • Support Mesh Gateway obtaining an ACL token using a k8s auth method. [GH-1102]
      • Note: This is a breaking change if you are using a mesh gateway with mesh federation. To properly configure mesh federation with mesh gateways, set global.federation.k8sAuthMethodHost in secondary datacenters to the address of the Kubernetes API server of the secondary datacenter. This address must be reachable from the Consul servers in the primary datacenter.
    • General Note on old ACL Tokens: As of this release, ACL tokens no longer need to be stored as Kubernetes secrets. They are transparently provisioned by the Kubernetes Auth Method when client and component pods are created, and destroyed when those pods are destroyed. Old ACL tokens, however, still exist as Kubernetes secrets and in Consul and will need to be identified and manually deleted.

FEATURES:

  • ACLs: Enable issuing ACL tokens via Consul login with a Kubernetes Auth Method, replacing the need to store ACL tokens as Kubernetes secrets.
    • Support CRD controller obtaining an ACL token via a k8s auth method. [GH-995]
    • Support Connect Inject obtaining an ACL token via a k8s auth method. [GH-1076]
    • Support Sync Catalog obtaining an ACL token via a k8s auth method. [GH-1081], [GH-1077]
    • Support API Gateway controller obtaining an ACL token via a k8s auth method. [GH-1083]
    • Support Snapshot Agent obtaining an ACL token via a k8s auth method. [GH-1084]
    • Support Mesh Gateway obtaining an ACL token via a k8s auth method. [GH-1085]
    • Support Ingress Gateway obtaining an ACL token via a k8s auth method. [GH-1118]
    • Support Terminating Gateway obtaining an ACL token via a k8s auth method. [GH-1102]
    • Support Consul Client obtaining an ACL token via a k8s auth method. [GH-1093]
    • Support issuing global ACL tokens via a k8s auth method. [GH-1075]

IMPROVEMENTS:

  • Control Plane
    • Upgrade Docker image Alpine version from 3.14 to 3.15. [GH-1058]
  • Helm
    • API Gateway: Allow controller to read Kubernetes namespaces in order to determine if route is allowed for gateway. [GH-1092]
    • Support a pre-configured bootstrap ACL token. [GH-1125]
  • Vault
    • Enable snapshot agent configuration to be retrieved from vault. [GH-1113]
  • CLI
    • Enable users to set up secondary clusters with existing federation secrets. [GH-1126]

BUG FIXES:

  • Helm
    • Don't set TTL for server certificates when using Vault as the secrets backend. [GH-1104]
    • Fix PodSecurityPolicies for clients/mesh gateways when hostNetwork is used. [GH-1090]
  • CLI
    • Fix install and upgrade commands for Windows. [GH-1139]

v0.41.1

24 Feb 17:39

0.41.1 (February 24, 2022)

BUG FIXES:

  • Helm

v0.41.0

23 Feb 19:54

0.41.0 (February 23, 2022)

FEATURES:

  • Support WAN federation via Mesh Gateways with Vault as the secrets backend. [GH-1016], [GH-1025], [GH-1029], [GH-1038]
    • Note: To use WAN federation with ACLs and Vault, you will need to create a KV secret in Vault that will serve as the replication token, with a random UUID as its value: vault kv put secret/consul/replication key="$(uuidgen)".
    • You will then need to provide this secret to both the primary and the secondary datacenters via the global.acls.replicationToken values, and allow the global.secretsBackend.vault.manageSystemACLsRole Vault role to read it. In the primary datacenter, the Helm chart will create the replication token in Consul using the UUID as the secret ID of the token.
  • Connect: Support workaround for pods with multiple ports, by registering a Consul service and injecting an Envoy sidecar and init container per port. [GH-1012]
    • Transparent proxying, metrics, and metrics merging are not supported for multi-port pods.
    • Multi-port pods should specify the annotations in the following format, such that the service names and port names correspond with each other in the specified order, i.e. the web service is listening on 8080 and the web-admin service is listening on 9090:
      • consul.hashicorp.com/connect-service: 'web,web-admin'
      • consul.hashicorp.com/connect-service-port: '8080,9090'

IMPROVEMENTS:

  • Helm
    • Vault: Allow passing arbitrary annotations to the vault agent. [GH-1015]
    • Vault: Add support for customized IP and DNS SANs for server cert in Vault. [GH-1020]
    • Vault: Add support for Enterprise License to be configured in Vault. [GH-1032]
    • API Gateway: Allow Kubernetes namespace to Consul enterprise namespace mapping for deployed gateways and mesh services. [GH-1024]

BUG FIXES:

  • API Gateway
    • Fix issue where if the API gateway controller pods restarted, gateway pods would become disconnected from the secret discovery service. [GH-1007]
    • Fix issue where the API gateway controller could not update existing Deployments or Services. [GH-1014]
    • Fix issue where the API gateway controller lacked sufficient permissions to bind routes when ACLs were enabled. [GH-1018]

BREAKING CHANGES:

  • Helm
    • Rename fields of IngressGateway CRD to fix incorrect names (gatewayTLSConfig => tls, gatewayServiceTLSConfig => tls, gatewayTLSSDSConfig => sds). [GH-1017]

v0.40.0

27 Jan 20:01

0.40.0 (January 27, 2022)

BREAKING CHANGES:

  • Helm
    • Some Consul components from the Helm chart have been renamed to ensure consistency in naming across the components. This will not be a breaking change if Consul components are not referred to by name externally. Check the PR for the list of renamed components. [GH-993], [GH-1000]

FEATURES:

  • Helm
    • Support Envoy 1.20.1. [GH-958]
    • Support Consul 1.11.2. [GH-976]
    • Support Consul API Gateway Controller deployment through the Helm chart and provision an ACL token for the API Gateway via server-acl-init. [GH-925]

IMPROVEMENTS:

  • Helm
    • Allow customization of terminationGracePeriodSeconds on the ingress gateways. [GH-947]
    • Support ui.dashboardURLTemplates.service value for setting dashboard URL templates. [GH-937]
    • Allow using dash-separated names for config entries when using kubectl. [GH-965]
    • Support Pod Security Policies with Vault integration. [GH-985]
    • Rename Consul resources to remove resource kind suffixes from the resource names to standardize resource names across the Helm chart. [GH-993]
    • Append -client to the Consul Daemonset name to standardize resource names across the Helm chart. [GH-1000]
  • CLI
    • Show a diff when upgrading a Consul installation on Kubernetes [GH-934]
  • Control Plane
    • Support the value $POD_NAME for the annotation consul.hashicorp.com/service-meta-* that will now be interpolated and set to the pod's name in the service's metadata. [GH-982]
    • Allow managing Consul sidecar resources via annotations. [GH-956]
    • Support using a backslash to escape commas in consul.hashicorp.com/service-tags annotation. [GH-983]
    • Avoid making unnecessary calls to Consul in the endpoints controller to improve application startup time when Consul is down. [GH-779]
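The three annotation behaviours listed above ($POD_NAME interpolation in consul.hashicorp.com/service-meta-*, backslash-escaped commas in consul.hashicorp.com/service-tags) and the positional pairing of consul.hashicorp.com/connect-service with consul.hashicorp.com/connect-service-port from the 0.41.0 multi-port workaround all come down to parsing comma-separated annotation values correctly. The Go program below is an added example written for this page, not consul-k8s's own parser, showing one way to implement each rule, including the edge cases a sloppy strings.Split would get wrong: an escaped comma inside a tag, and service/port lists of unequal length, which it rejects instead of silently dropping a port. The function names and the constructed pod annotations are assumptions for the example; whether the project applies escaping to the connect-service lists as well is not stated on this page and is an assumption here.

```go
package main

import (
	"fmt"
	"strings"
)

// splitEscaped splits a comma-separated annotation value, treating "\," as a
// literal comma (the service-tags rule). Any other backslash is kept as-is.
// Items are whitespace-trimmed and empty items are dropped.
func splitEscaped(v string) []string {
	var out []string
	var cur strings.Builder
	rs := []rune(v)
	for i := 0; i < len(rs); i++ {
		switch {
		case rs[i] == '\\' && i+1 < len(rs) && rs[i+1] == ',':
			cur.WriteRune(',') // escaped comma belongs to the current item
			i++                // skip the comma we just consumed
		case rs[i] == ',':
			out = appendTrimmed(out, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(rs[i])
		}
	}
	return appendTrimmed(out, cur.String())
}

func appendTrimmed(out []string, s string) []string {
	if s = strings.TrimSpace(s); s != "" {
		return append(out, s)
	}
	return out
}

// serviceMeta collects consul.hashicorp.com/service-meta-<key> annotations into
// a metadata map, expanding the literal value $POD_NAME to the pod's name.
func serviceMeta(annotations map[string]string, podName string) map[string]string {
	const prefix = "consul.hashicorp.com/service-meta-"
	meta := map[string]string{}
	for k, v := range annotations {
		if !strings.HasPrefix(k, prefix) {
			continue
		}
		if v == "$POD_NAME" {
			v = podName
		}
		meta[strings.TrimPrefix(k, prefix)] = v
	}
	return meta
}

type portBinding struct {
	Service string
	Port    string
}

// portBindings pairs the connect-service and connect-service-port annotations
// positionally (web<->8080, web-admin<->9090) and refuses lists of different
// lengths, since a silently unpaired entry would register a service with no
// port or a port with no service.
func portBindings(annotations map[string]string) ([]portBinding, error) {
	services := splitEscaped(annotations["consul.hashicorp.com/connect-service"])
	ports := splitEscaped(annotations["consul.hashicorp.com/connect-service-port"])
	if len(services) != len(ports) {
		return nil, fmt.Errorf("connect-service lists %d names but connect-service-port lists %d ports", len(services), len(ports))
	}
	out := make([]portBinding, len(services))
	for i := range services {
		out[i] = portBinding{Service: services[i], Port: ports[i]}
	}
	return out, nil
}

func main() {
	// Constructed pod annotations for the example, not taken from a real deployment.
	ann := map[string]string{
		"consul.hashicorp.com/service-tags":         `v1,team\,platform,canary`,
		"consul.hashicorp.com/service-meta-pod":     "$POD_NAME",
		"consul.hashicorp.com/service-meta-owner":   "payments",
		"consul.hashicorp.com/connect-service":      "web,web-admin",
		"consul.hashicorp.com/connect-service-port": "8080,9090",
	}
	fmt.Println(splitEscaped(ann["consul.hashicorp.com/service-tags"])) // [v1 team,platform canary]
	fmt.Println(serviceMeta(ann, "web-7d9f6c8b5-x2k4q"))
	bindings, err := portBindings(ann)
	fmt.Println(bindings, err)
}
```

Run it with go run and then drop one port from connect-service-port to see the mismatch rejected; that is the case worth having a test for when you write your own admission check around these annotations.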

BUG FIXES:

  • Helm
    • Add PodDisruptionBudget Kind when checking for existing versions so that helm template can generate the right version. [GH-923]
  • Control Plane
    • Admin Partitions (Consul Enterprise only): Attach anonymous-policy to the anonymous token from non-default partitions to support DNS queries when the default partition is on a VM. [GH-966]

v0.39.0

15 Dec 23:04

0.39.0 (December 15, 2021)

FEATURES:

  • Helm
    • Support Consul 1.11.1. [GH-935]
    • Support Envoy 1.20.0. [GH-935]
    • Minimum Kubernetes version supported is 1.18+. [GH-935]
  • CLI
    • BETA Add upgrade command to modify Consul installation on Kubernetes. [GH-898]

IMPROVEMENTS:

  • Control Plane
    • Bump consul-k8s-control-plane UBI images for OpenShift to use base image ubi-minimal:8.5. [GH-922]
    • Support the value $POD_NAME for the annotation consul.hashicorp.com/service-tags that will now be interpolated and set to the pod name. [GH-931]

v0.38.0

08 Dec 20:18

0.38.0 (December 08, 2021)

BREAKING CHANGES:

  • Control Plane
    • Update minimum Go version for the project to 1.17. [GH-878]
    • Add boolean metric consul_merged_service_metrics_success to the merged metrics response to indicate whether service metrics were scraped successfully. [GH-551]

FEATURES:

  • Vault as a Secrets Backend: Add support for Vault as a secrets backend for Gossip Encryption, Server TLS certs and Service Mesh TLS certificates, removing the existing usage of Kubernetes Secrets for the respective secrets. [GH-904]

    See the Consul Kubernetes and Vault documentation for full install instructions.

    Requirements:

    • Consul 1.11+
    • Vault 1.9+ and Vault-K8s 0.14+ must be installed with the Vault Agent Injector enabled (injector.enabled=true) into the Kubernetes cluster that Consul is installed into.
    • global.tls.enableAutoEncryption=true is required for TLS support.
    • If TLS is enabled in Vault, global.secretsBackend.vault.ca must be provided and should reference a Kube secret which holds a copy of the Vault CA cert.
  • Helm
    • Rename PartitionExports CRD to ExportedServices. [GH-902]

IMPROVEMENTS:

  • CLI
    • Pre-check in the install command to verify the correct license secret exists when using an enterprise Consul image. [GH-875]
  • Control Plane
    • Add a label "managed-by" to every secret the control-plane creates. Only delete said secrets on an uninstall. [GH-835]
    • Add support for labeling a Kubernetes service with consul.hashicorp.com/service-ignore to prevent services from being registered in Consul. [GH-858]
  • Helm Chart
    • Fail an installation/upgrade if WAN federation and Admin Partitions are both enabled. [GH-892]
    • Add support for setting ingressClassName for UI. [GH-909]
    • Add partition support to Service Resolver, Service Router and Service Splitter CRDs. [GH-908]

BUG FIXES:

  • Control Plane
    • Add a workaround to check that the ACL token is replicated to other Consul servers. [GH-862]
    • Return 500 on prometheus response if unable to get metrics from Envoy. [GH-551]
    • Don't include body of failed service metrics calls in merged metrics response. [GH-551]
  • Helm Chart
    • Admin Partitions (Consul Enterprise only): Do not mount Consul CA certs to partition-init job if externalServers.useSystemRoots is true. [GH-885]