Releases: hashicorp/consul
Releases · hashicorp/consul
v1.9.0-beta1
1.9.0-beta1 (October 12, 2020)
BREAKING CHANGES:
- agent: The
enable_central_service_configoption now defaults to true. [GH-8746] - connect: intention destinations can no longer be renamed [GH-8834]
- xds: Drop support for Envoy versions 1.12.0, 1.12.1, 1.12.2, and 1.13.0, due to a lack of support for url_path in RBAC. [GH-8839]
FEATURES:
- agent: Allow client agents to be configured with an advertised reconnect timeout to control how long until the nodes are reaped by others in the cluster. [GH-8781]
- agent: moved ui config options to a new
ui_configstanza in agent configuration and added new options to display service metrics in the UI. [GH-8694] - cli: update
snapshot inspectcommand to provide more detailed snapshot data [GH-8787] - connect: intentions are now managed as a new config entry kind "service-intentions" [GH-8834]
- connect: support defining intentions using layer 7 criteria [GH-8839]
- server: create new memdb table for storing system metadata [GH-8703]
- telemetry: track node and service counts and emit them as metrics [GH-8603]
- ui: If Prometheus is being used for monitoring the sidecars, the topology view can be configured to display overview metrics for the services. [GH-8858]
- ui: Services using Connect with Envoy sidecars have a topology tab in the UI showing their upstream and downstream services. [GH-8788]
- xds: use envoy's rbac filter to handle intentions entirely within envoy [GH-8569]
IMPROVEMENTS:
- agent: Return HTTP 429 when connections per clients limit (
limits.http_max_conns_per_client) has been reached GH-7527. [GH-8221] - agent: add config flag
telemetry { disable_compat_1.9 = (true|false) }to disable deprecated metrics in 1.9 [GH-8877] - agent: add counter
consul.api.httpwith labels for each HTTP path and method. This is intended to replaceconsul.http...[GH-8877] - agent: allow the /v1/connect/intentions/match endpoint to use the agent cache [GH-8875]
- api: The
v1/connect/ca/rootsendpoint now accepts apem=truequery parameter and will return a PEM encoded certificate chain of
all the certificates that would normally be in the JSON version of the response. [GH-8774] - api: support GetMeta() and GetNamespace() on all config entry kinds [GH-8764]
- checks: add health status to the failure message when gRPC healthchecks fail. [GH-8726]
- command: remove conditional envoy bootstrap generation for versions <=1.10.0 since those are not supported [GH-8855]
- connect: The Vault provider will now automatically renew the lease of the token used, if supported. [GH-8560]
- connect: add support for specifying load balancing policy in service-resolver [GH-8585]
- deps: Update raft to v1.2.0 to prevent non-voters from becoming eligible for leader elections and adding peer id as metric label to reduce cardinality in metric names [GH-8822]
- server: (Consul Enterprise only) ensure that we also shutdown network segment serf instances on server shutdown [GH-8786]
- server: make sure that the various replication loggers use consistent logging [GH-8745]
- snapshot agent: Deregister critical snapshotting TTL check if leadership is transferred.
- ui: Upstream and downstream services in the topology tab will show a visual indication if a deny intention or intention with L7 policies is configured. [GH-8846]
DEPRECATIONS:
- agent: The measurements in all of the
consul.http...prefixed metrics have been migrated toconsul.api.http.consul.http...prefixed metrics will be removed in a future version of Consul. [GH-8877] - agent:
ui,ui_dirandui_content_pathare now deprecated for use in agent configuration files. Useui_config.{enable, dir, content_path}instead. The command arguments-ui,-ui-dir, and-ui-content-pathremain supported. [GH-8694]
BUG FIXES:
- agent: make the json/hcl decoding of ConnectProxyConfig fully work with CamelCase and snake_case [GH-8741]
- agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical [GH-8747]
- connect: Fixed an issue where the Vault intermediate was not renewed in the primary datacenter. [GH-8784]
- connect: fix Vault provider not respecting IntermediateCertTTL [GH-8646]
- connect: use stronger validation that ingress gateways have compatible protocols defined for their upstreams [GH-8470]
- fixed a bug that caused logs to be flooded with
[WARN] agent.router: Non-server in server-only area[GH-8685] - license: (Enterprise only) Fixed an issue where the UI would see Namespaces and SSO as licensed when they were not.
- raft: (Enterprise only) properly update consul server meta non_voter for non-voting Enterprise Consul servers [GH-8731]
- ui: show correct datacenter for gateways [GH-8704]
v1.8.4
1.8.4 (September 11, 2020)
FEATURES:
- agent: expose the list of supported envoy versions on /v1/agent/self [GH-8545]
- cache: Config parameters for cache throttling are now reloaded automatically on agent reload. Restarting the agent is not needed anymore. [GH-8552]
- connect: all config entries pick up a meta field [GH-8596]
IMPROVEMENTS:
- api: Added
ACLModemethod to theAgentMembertype to determine what ACL mode the agent is operating in. [GH-8575] - api: Added
IsConsulServermethod to theAgentMembertype to easily determine whether the agent is a server. [GH-8575] - api: Added constants for common tag keys and values in the
Tagsfield of theAgentMemberstruct. [GH-8575] - api: Allow for the client to use TLS over a Unix domain socket. [GH-8602]
- api:
GET v1/operator/keyringalso lists primary keys. [GH-8522] - connect: Add support for http2 and grpc to ingress gateways [GH-8458]
- serf: update to
v0.9.4which supports primary keys in the ListKeys operation. [GH-8522]
BUGFIXES:
- [backport/1.8.x] connect: use stronger validation that ingress gateways have compatible protocols defined for their upstreams [GH-8494]
- agent: ensure that we normalize bootstrapped config entries [GH-8547]
- api: Fixed a panic caused by an api request with Connect=null [GH-8537]
- connect:
connect envoycommand now respects the-ca-pathflag [GH-8606] - connect: fix bug in preventing some namespaced config entry modifications [GH-8601]
- connect: fix renewing secondary intermediate certificates [GH-8588]
- ui: fixed a bug related to in-folder KV creation GH-8613
v1.7.8
v1.6.9
v1.8.3
1.8.3 (August 12, 2020)
BUGFIXES:
- [backport/1.8.x] catalog: fixed a bug where nodes, services, and checks would not be restored with the correct Create/ModifyIndex when restoring from a snapshot GH-8485
- [backport/1.8.x] vendor: update github.com/armon/go-metrics to v0.3.4 GH-8478
- connect: (Consul Enterprise only) Fixed a regression that prevented mesh gateways from routing to services in their local datacenter that reside outside of the default namespace.
v1.7.7
1.7.7 (August 12, 2020)
BUG FIXES:
- [backport/1.7.x] catalog: fixed a bug where nodes, services, and checks would not be restored with the correct Create/ModifyIndex when restoring from a snapshot [GH-8485]
- [backport/1.7.x] vendor: update github.com/armon/go-metrics to v0.3.4 [GH-8478]
- [backport/1.7.x] xds: revert setting set_node_on_first_message_only to true when generating envoy bootstrap config [GH-8441]
v1.6.8
v1.8.2
v1.7.6
v1.8.1
1.8.1 (July 30, 2020)
FEATURES:
- acl: Added ACL Node Identities for easier creation of Consul Agent tokens. [GH-7970]
- agent: Added Consul client agent automatic configuration utilizing JWTs for authorizing the request to generate ACL tokens, TLS certificates and retrieval of the gossip encryption key. [GH-8003], [GH-8035], [GH-8086], [GH-8148], [GH-8157], [GH-8159], [GH-8193], [GH-8253], [GH-8301], [GH-8360], [GH-8362], [GH-8363], [GH-8364], [GH-8409]
IMPROVEMENTS:
- acl: allow auth methods created in the primary datacenter to optionally create global tokens [GH-7899]
- agent: Allow to restrict servers that can join a given Serf Consul cluster. [GH-7628]
- agent: new configuration options allow ratelimiting of the agent-cache:
cache.entry_fetch_rateandcache.entry_fetch_max_burst. [GH-8226] - cli: Output message on success when writing/deleting config entries. [GH-7806]
- connect: Append port number to expected ingress hosts [GH-8190]
- dns: Improve RCODE of response when query targets a non-existent datacenter. [GH-8102],[GH-8218]
- version: The
versionCLI subcommand was altered to always show the git revision the binary was built from on the second line of output. Additionally the command gained a-formatflag with the option now of outputting the version information in JSON form. NOTE This change has the potential to break any parsing done by users of theversioncommands output. In many cases nothing will need to be done but it is possible depending on how the output is parsed. [GH-8268]
BUGFIXES:
- agent: Fixed a bug where Consul could crash when
verify_outgoingwas set to true but no client certificate was used. [GH-8211] - agent: Fixed an issue with lock contention during RPCs when under load while using the Prometheus metrics sink. [GH-8372]
- auto_encrypt: Fixed an issue where auto encrypt certificate signing wasn't using the connect signing rate limiter. [GH-8211]
- auto_encrypt: Fixed several issues around retrieving the first TLS certificate where it would have the wrong CN and SANs. This was being masked by a second bug (also fixed) causing that certificate to immediately be discarded with a second certificate request being made afterwards. [GH-8211]
- auto_encrypt: Fixed an issue that caused auto encrypt certificates to not be updated properly if the agents token was changed and the old token was deleted. [GH-8311]
- connect: fix crash that would result if a mesh or terminating gateway's upstream has a hostname as an address and no healthy service instances available [GH-8158]
- connect: Fixed issue where specifying a prometheus bind address would cause ingress gateways to fail to start up [GH-8371]
- gossip: Avoid issue where two unique leave events for the same node could lead to infinite rebroadcast storms [GH-8343]
- snapshot: (Consul Enterprise only) Fixed a regression when using Azure blob storage.
- xds: version sniff envoy and switch regular expressions from 'regex' to 'safe_regex' on newer envoy versions [GH-8265]