
Releases: hashicorp/consul

v1.10.0-alpha

18 Mar 21:16
v1.10.0-alpha Pre-release

1.10.0-alpha (March 18, 2021)

FEATURES:

  • cli: Add prefix option to kv import command [GH-9792]
  • cli: snapshot inspect command provides KV usage breakdown [GH-9098]
  • cli: snapshot inspect command supports JSON output [GH-9006]
  • connect: Add local_request_timeout_ms to allow configuring the Envoy request timeout on local_app [GH-9554]

IMPROVEMENTS:

  • acl: extend the auth-methods list endpoint to include MaxTokenTTL and TokenLocality fields. [GH-9741]
  • acl: use the presence of a management policy in the state store as a sign that we already migrated to v2 acls [GH-9505]
  • api: AutopilotServerHealth now handles the 429 status code returned by the v1/operator/autopilot/health endpoint and still returns the parsed reply, which indicates server healthiness [GH-8599]
  • cli: added a -force-without-cross-signing flag to the ca set-config command.
    connect/ca: The ForceWithoutCrossSigning field will now work as expected for CA providers that support cross signing. [GH-9672]
  • connect: Add support for transparently proxying traffic through Envoy. [experimental] [GH-9894]
  • connect: Allow per-upstream configuration to be set in service-defaults. [experimental] [GH-9872]
  • connect: adds new flags prometheus-backend-port and prometheus-scrape-port to consul connect envoy to support envoy_prometheus_bind_addr pointing to the merged metrics port when using Consul Connect on K8s. [GH-9768]
  • ui: Move to a sidebar based main navigation [GH-9553]
  • ui: Use older (~2016) native ES6 features to reduce transpilation and UI JS payload [GH-9729]
  • ui: add permanently visible indicator when ACLs are disabled [GH-9864]
  • ui: improve accessibility of modal dialogs [GH-9819]
  • ui: restrict the viewing/editing of certain UI elements based on the user's ACL token [GH-9687]
  • ui: support stricter content security policies [GH-9847]
  • xds: add support for envoy 1.17.0 [GH-9658]
  • xds: default to speaking xDS v3, but allow for v2 to be spoken upon request [GH-9658]
  • xds: remove deprecated usages of xDS and drop support for envoy 1.13.x [GH-9602]

BUG FIXES:

  • checks: add TLSServerName field to allow setting the TLS server name for HTTPS health checks. [GH-9475]
  • config: Fixed a bug where rpc_max_conns_per_client could not be changed by reloading the config. [GH-8696]
  • config: correct config key from advertise_addr_ipv6 to advertise_addr_wan_ipv6 [GH-9851]
  • streaming: lookup in health properly handles case-sensitivity and performs filtering based on tags and node-meta [GH-9703]

v1.9.4

05 Mar 17:09

1.9.4 (March 04, 2021)

IMPROVEMENTS:

  • connect: if the token given to the vault provider returns no data avoid a panic [GH-9806]
  • connect: update supported envoy point releases to 1.16.2, 1.15.3, 1.14.6, 1.13.7 [GH-9737]
  • xds: only try to create an ipv6 expose checks listener if ipv6 is supported by the kernel [GH-9765]

BUG FIXES:

  • api: Remove trailing periods from the gateway internal HTTP API endpoint [GH-9752]
  • cache: Prevent spamming the logs for days when a cached request encounters an "ACL not found" error. [GH-9738]
  • connect: connect CA Roots in the primary datacenter should use a SigningKeyID derived from their local intermediate [GH-9428]
  • proxycfg: avoid potential deadlock in delivering proxy snapshot to watchers. [GH-9689]
  • replication: Correctly log all replication warnings that should not be suppressed [GH-9320]
  • streaming: fixes a bug caused by caching an incorrect snapshot, that would cause clients
    to error until the cache expired. [GH-9772]
  • ui: Exclude proxies when showing the total number of instances on a node. [GH-9749]
  • ui: Fixed a bug in older browsers relating to String.replaceAll and fieldset w/flexbox usage [GH-9715]
  • xds: deduplicate mesh gateway listeners by address in a stable way to prevent some LDS churn [GH-9650]
  • xds: prevent LDS flaps in mesh gateways due to unstable datacenter lists; also prevent some flaps in terminating gateways as well [GH-9651]

v1.8.9

05 Mar 16:59

1.8.9 (March 04, 2021)

IMPROVEMENTS:

  • cli: Add new -cluster-id and -common-name flags to consul tls ca create to support creating a CA for Consul Connect. [GH-9585]
  • connect: if the token given to the vault provider returns no data avoid a panic [GH-9806]
  • connect: update supported envoy point releases to 1.14.6, 1.13.7, 1.12.7, 1.11.2 [GH-9739]
  • license: (Enterprise only) Temporary client license duration was increased from 30m to 6h.
  • server: use the presence of stored federation state data as a sign that we already activated the federation state feature flag [GH-9519]
  • xds: only try to create an ipv6 expose checks listener if ipv6 is supported by the kernel [GH-9765]

BUG FIXES:

  • api: Remove trailing periods from the gateway internal HTTP API endpoint [GH-9752]
  • cache: Prevent spamming the logs for days when a cached request encounters an "ACL not found" error. [GH-9738]
  • connect: connect CA Roots in the primary datacenter should use a SigningKeyID derived from their local intermediate [GH-9428]
  • proxycfg: avoid potential deadlock in delivering proxy snapshot to watchers. [GH-9689]
  • server: When wan federating via mesh gateways after initial federation default to using the local mesh gateways unless the heuristic indicates a bypass is required. [GH-9528]
  • server: When wan federating via mesh gateways only do heuristic primary DC bypass on the leader. [GH-9366]
  • xds: deduplicate mesh gateway listeners by address in a stable way to prevent some LDS churn [GH-9650]
  • xds: prevent LDS flaps in mesh gateways due to unstable datacenter lists; also prevent some flaps in terminating gateways as well [GH-9651]

v1.7.13

05 Mar 16:40

1.7.13 (March 04, 2021)

IMPROVEMENTS:

  • connect: update supported envoy point releases to 1.13.7, 1.12.7, 1.11.2, 1.10.0 [GH-9740]
  • license: (Enterprise only) Temporary client license duration was increased from 30m to 6h.
  • xds: only try to create an ipv6 expose checks listener if ipv6 is supported by the kernel [GH-9765]

BUG FIXES:

  • cache: Prevent spamming the logs for days when a cached request encounters an "ACL not found" error. [GH-9738]
  • connect: connect CA Roots in the primary datacenter should use a SigningKeyID derived from their local intermediate [GH-9428]
  • xds: deduplicate mesh gateway listeners by address in a stable way to prevent some LDS churn [GH-9650]
  • xds: prevent LDS flaps in mesh gateways due to unstable datacenter lists; also prevent some flaps in terminating gateways as well [GH-9651]

v1.8.9-beta1

11 Feb 19:44
v1.8.9-beta1 Pre-release

1.8.9-beta1 (February 11, 2021)

IMPROVEMENTS:

  • cli: Add new -cluster-id and -common-name flags to consul tls ca create to support creating a CA for Consul Connect. [GH-9585]
  • connect: update supported envoy point releases to 1.14.6, 1.13.7, 1.12.7, 1.11.2 [GH-9739]
  • license: (Enterprise only) Temporary client license duration was increased from 30m to 6h.
  • server: use the presence of stored federation state data as a sign that we already activated the federation state feature flag [GH-9519]

BUG FIXES:

  • cache: Prevent spamming the logs for days when a cached request encounters an "ACL not found" error. [GH-9738]
  • connect: connect CA Roots in the primary datacenter should use a SigningKeyID derived from their local intermediate [GH-9428]
  • proxycfg: avoid potential deadlock in delivering proxy snapshot to watchers. [GH-9689]
  • server: When wan federating via mesh gateways after initial federation default to using the local mesh gateways unless the heuristic indicates a bypass is required. [GH-9528]
  • server: When wan federating via mesh gateways only do heuristic primary DC bypass on the leader. [GH-9366]
  • xds: deduplicate mesh gateway listeners by address in a stable way to prevent some LDS churn [GH-9650]
  • xds: prevent LDS flaps in mesh gateways due to unstable datacenter lists; also prevent some flaps in terminating gateways as well [GH-9651]

v1.9.3

01 Feb 17:50

1.9.3 (February 01, 2021)

FEATURES:

  • ui: Add additional search/filter status pills for viewing and removing current
    filters in listing views [GH-9442]

IMPROVEMENTS:

  • cli: Add new -cluster-id and -common-name flags to consul tls ca create to support creating a CA for Consul Connect. [GH-9585]
  • license: (Enterprise only) Temporary client license duration was increased from 30m to 6h.
  • server: (Enterprise Only) Validate source namespaces in service-intentions config entries. [GH-9527]
  • server: use the presence of stored federation state data as a sign that we already activated the federation state feature flag [GH-9519]

BUG FIXES:

  • autopilot: Fixed a bug that would cause snapshot restoration to stop autopilot on the leader. [GH-9626]
  • server: When wan federating via mesh gateways after initial federation default to using the local mesh gateways unless the heuristic indicates a bypass is required. [GH-9528]
  • server: When wan federating via mesh gateways only do heuristic primary DC bypass on the leader. [GH-9366]
  • ui: Fixed a bug that would cause missing or duplicate service instance healthcheck listings. [GH-9660]

v1.8.8

22 Jan 20:16

1.8.8 (January 22, 2021)

BUG FIXES:

  • connect: Fixed a bug in the AWS PCA Connect CA provider that could cause the intermediate PKI path to be deleted after reconfiguring the CA [GH-9498]
  • connect: Fixed a bug in the Vault Connect CA provider that could cause the intermediate PKI path to be deleted after reconfiguring the CA [GH-9498]
  • connect: Fixed an issue that would prevent updating the Connect CA configuration if the CA provider didn't complete initialization previously. [GH-9498]
  • leader: Fixed a bug that could cause Connect CA initialization failures from allowing leader establishment to complete resulting in potentially infinite leader elections. [GH-9498]
  • rpc: Prevent misleading RPC error claiming the lack of a leader when Raft is ok but there are issues with client agents gossiping with the leader. [GH-9487]
  • ui: ensure namespace is used for node API requests [GH-9488]

v1.7.12

22 Jan 21:13

1.7.12 (January 22, 2021)

BUG FIXES:

  • rpc: Prevent misleading RPC error claiming the lack of a leader when Raft is ok but there are issues with client agents gossiping with the leader. [GH-9487]
  • ui: ensure namespace is used for node API requests [GH-9488]

v1.9.2

20 Jan 23:28

1.9.2 (January 20, 2021)

FEATURES:

  • agent: add config flag MaxHeaderBytes to control the maximum size of the http header per client request. [GH-9067]
  • cli: The consul intention command now has a new list subcommand to allow the listing of configured intentions. It also supports the -namespace= option. [GH-9468]

IMPROVEMENTS:

  • server: deletions of intentions by name using the intention API is now idempotent [GH-9278]
  • streaming: display a warning on agent(s) when incompatible streaming parameters are used [GH-9530]
  • ui: Various accessibility scan test improvements [GH-9485]

DEPRECATIONS:

  • api: the tag, node-meta, and passing query parameters for various health and catalog
    endpoints are now deprecated. The filter query parameter should be used as a replacement
    for all of the deprecated fields. The deprecated query parameters will be removed in a future
    version of Consul. [GH-9262]

BUG FIXES:

  • client: Help added in Prometheus in release 1.9.0 no longer generates warnings in logs [GH-9510]
  • client: properly set GRPC over RPC magic numbers when encryption was not set or partially set in the cluster with streaming enabled [GH-9512]
  • connect: Fixed a bug in the AWS PCA Connect CA provider that could cause the intermediate PKI path to be deleted after reconfiguring the CA [GH-9498]
  • connect: Fixed a bug in the Vault Connect CA provider that could cause the intermediate PKI path to be deleted after reconfiguring the CA [GH-9498]
  • connect: Fixed an issue that would prevent updating the Connect CA configuration if the CA provider didn't complete initialization previously. [GH-9498]
  • leader: Fixed a bug that could cause Connect CA initialization failures from allowing leader establishment to complete resulting in potentially infinite leader elections. [GH-9498]
  • rpc: Prevent misleading RPC error claiming the lack of a leader when Raft is ok but there are issues with client agents gossiping with the leader. [GH-9487]
  • server: Fixes a server panic introduced in 1.9.0 where Connect service mesh is
    being used. Node de-registration could panic if it hosted services with
    multiple upstreams. [GH-9589]
  • state: fix computation of usage metrics to account for various places that can modify multiple services in a single transaction. [GH-9440]
  • ui: Display LockDelay in nanoseconds as a temporary fix to the formatting [GH-9594]
  • ui: Fix an issue where registering an ingress-gateway with no central config
    would result in a JS error due to the API response returning null [GH-9593]
  • ui: Fixes an issue where clicking backwards and forwards between a service instance can result in a 404 error [GH-9524]
  • ui: Fixes an issue where intention description or metadata could be overwritten if saved from the topology view. [GH-9513]
  • ui: Fixes an issue with setting -ui-content-path flag/config [GH-9569]
  • ui: ensure namespace is used for node API requests [GH-9410]
  • ui: request intention listing with ns=* parameter to retrieve all intentions
    across namespaces [GH-9432]

v1.9.1

11 Dec 03:57

1.9.1 (December 11, 2020)

FEATURES:

  • ui: add copyable IDs to the Role and Policy views [GH-9296]

IMPROVEMENTS:

  • cli: (Enterprise only) A new -read-replica flag can now be used to enable running a server as a read only replica. Previously this was enabled with the now deprecated -non-voting-server flag. [GH-9191]
  • config: (Enterprise only) A new read_replica configuration setting can now be used to enable running a server as a read only replica. Previously this was enabled with the now deprecated non_voting_server setting. [GH-9191]

DEPRECATIONS:

  • cli: (Enterprise only) The -non-voting-server flag is deprecated in favor of the new -read-replica flag. The -non-voting-server flag is still present alongside the new flag but it will be removed in a future release. [GH-9191]
  • config: (Enterprise only) The non_voting_server configuration setting is deprecated in favor of the new read_replica setting. The non_voting_server configuration setting is still present but will be removed in a future release. [GH-9191]
  • gossip: (Enterprise only) Read replicas now advertise themselves by setting the read_replica tag. The old nonvoter tag is still present but is deprecated and will be removed in a future release. [GH-9191]
  • server: (Enterprise only) Addition of the nonvoter tag to the service registration made for read replicas is deprecated in favor of the new tag name of read_replica. Both are present in the registration but the nonvoter tag will be completely removed in a future release. [GH-9191]

BUG FIXES:

  • agent: prevent duplicate services and check registrations from being synced to servers. [GH-9284]
  • connect: fixes a case when updating the CA config in a secondary datacenter to correctly trigger the creation of a new intermediate certificate [GH-9009]
  • connect: only unset the active root in a secondary datacenter when a new one is replacing it [GH-9318]
  • namespaces: (Enterprise only) Prevent stalling of replication in secondary datacenters due to conflicts between the namespace replicator and other replicators. [GH-9271]
  • streaming: ensure the order of results provided by /health/service/:serviceName is consistent with and without streaming enabled [GH-9247]