Skip to content

Releases: hashicorp/consul

v1.7.6

07 Aug 21:05
@hashicorp-ci hashicorp-ci
v1.7.6
819b21d
Compare
Choose a tag to compare
v1.7.6

1.7.6 (August 07, 2020)

BUG FIXES:

  • [backport/1.7.x] xds: revert setting set_node_on_first_message_only to true when generating envoy bootstrap config [GH-8441]
Loading

v1.8.1

30 Jul 22:55
@hashicorp-ci hashicorp-ci
v1.8.1
12f574c
Compare
Choose a tag to compare
v1.8.1

1.8.1 (July 30, 2020)

FEATURES:

IMPROVEMENTS:

  • acl: allow auth methods created in the primary datacenter to optionally create global tokens [GH-7899]
  • agent: Allow to restrict servers that can join a given Serf Consul cluster. [GH-7628]
  • agent: new configuration options allow ratelimiting of the agent-cache: cache.entry_fetch_rate and cache.entry_fetch_max_burst. [GH-8226]
  • cli: Output message on success when writing/deleting config entries. [GH-7806]
  • connect: Append port number to expected ingress hosts [GH-8190]
  • dns: Improve RCODE of response when query targets a non-existent datacenter. [GH-8102],[GH-8218]
  • version: The version CLI subcommand was altered to always show the git revision the binary was built from on the second line of output. Additionally the command gained a -format flag with the option now of outputting the version information in JSON form. NOTE This change has the potential to break any parsing done by users of the version commands output. In many cases nothing will need to be done but it is possible depending on how the output is parsed. [GH-8268]

BUGFIXES:

  • agent: Fixed a bug where Consul could crash when verify_outgoing was set to true but no client certificate was used. [GH-8211]
  • agent: Fixed an issue with lock contention during RPCs when under load while using the Prometheus metrics sink. [GH-8372]
  • auto_encrypt: Fixed an issue where auto encrypt certificate signing wasn't using the connect signing rate limiter. [GH-8211]
  • auto_encrypt: Fixed several issues around retrieving the first TLS certificate where it would have the wrong CN and SANs. This was being masked by a second bug (also fixed) causing that certificate to immediately be discarded with a second certificate request being made afterwards. [GH-8211]
  • auto_encrypt: Fixed an issue that caused auto encrypt certificates to not be updated properly if the agents token was changed and the old token was deleted. [GH-8311]
  • connect: fix crash that would result if a mesh or terminating gateway's upstream has a hostname as an address and no healthy service instances available [GH-8158]
  • connect: Fixed issue where specifying a prometheus bind address would cause ingress gateways to fail to start up [GH-8371]
  • gossip: Avoid issue where two unique leave events for the same node could lead to infinite rebroadcast storms [GH-8343]
  • snapshot: (Consul Enterprise only) Fixed a regression when using Azure blob storage.
  • xds: version sniff envoy and switch regular expressions from 'regex' to 'safe_regex' on newer envoy versions [GH-8265]
Loading

v1.7.5

30 Jul 22:47
@hashicorp-ci hashicorp-ci
v1.7.5
edfb5fc
Compare
Choose a tag to compare
v1.7.5

1.7.5 (July 30, 2020)

BUG FIXES:

  • agent: Fixed an issue with lock contention during RPCs when under load while using the Prometheus metrics sink. [GH-8372]
  • gossip: Avoid issue where two unique leave events for the same node could lead to infinite rebroadcast storms [GH-8353]
  • snapshot: (Consul Enterprise only) Fixed a regression when using Azure blob storage.
  • Return a service splitter's weight or a zero [GH-8355]
Loading

v1.6.7

30 Jul 22:42
@hashicorp-ci hashicorp-ci
v1.6.7
85603d4
Compare
Choose a tag to compare
v1.6.7

1.6.7 (July 30, 2020)

BUG FIXES:

  • agent: Fixed an issue with lock contention during RPCs when under load while using the Prometheus metrics sink. [GH-8372]
  • gossip: Avoid issue where two unique leave events for the same node could lead to infinite rebroadcast storms [GH-8345]
Loading

v1.8.0

18 Jun 19:18
@hashicorp-ci hashicorp-ci
v1.8.0
3111cb8
Compare
Choose a tag to compare
v1.8.0

1.8.0 (June 18, 2020)

BREAKING CHANGES:

  • acl: Remove deprecated acl_enforce_version_8 option [GH-7991]

FEATURES:

  • Terminating Gateway: Envoy can now be run as a gateway to enable services in a Consul service mesh to connect to external services through their local proxy. Terminating gateways unlock several of the benefits of a service mesh in the cases where a sidecar proxy cannot be deployed alongside services such as legacy applications or managed cloud databases.

  • Ingress Gateway: Envoy can now be run as a gateway to ingress traffic into the Consul service mesh, enabling a more incremental transition for applications.

  • WAN Federation over Mesh Gateways: Allows Consul datacenters to federate by forwarding WAN gossip and RPC traffic through Mesh Gateways rather than requiring the servers to be exposed to the WAN directly.

  • JSON Web Token (JWT) Auth Method: Allows exchanging a signed JWT from a trusted external identity provider for a Consul ACL token.

  • Single Sign-On (SSO) [Enterprise]: Lets an operator configure Consul to use an external OpenID Connect (OIDC) provider to automatically handle the lifecycle of creating, distributing and managing ACL tokens for performing CLI operations or accessing the UI.

  • Audit Logging [Enterprise]: Adds instrumentation to record a trail of events (both attempted and authorized) by users of Consul’s HTTP API for purposes of regulatory compliance.

  • acl: add DisplayName field to auth methods [GH-7769]

  • acl: add MaxTokenTTL field to auth methods [GH-7779]

  • agent/xds: add support for configuring passive health checks [GH-7713]

  • cli: Add -config flag to "acl authmethod update/create" [GH-7776]

  • ui: Help menu to provide further documentation/learn links [GH-7310]

  • ui: (Consul Enterprise only) SSO support [GH-7742] [GH-7771] [GH-7790]

  • ui: Support for termininating and ingress gateways [GH-7858] [GH-7865]

IMPROVEMENTS:

  • acl: change authmethod.Validator to take a logger [GH-7758]
  • agent: show warning when enable_script_checks is enabled without safety net [GH-7437]
  • api: Added filtering support to the v1/connect/intentions endpoint. [GH-7478]
  • auto_encrypt: add validations for auto_encrypt.{tls,allow_tls} [GH-7704]
  • build: switched to compile with Go 1.14.1 [GH-7481]
  • config: validate system limits against limits.http_max_conns_per_client [GH-7434]
  • connect: support envoy 1.12.3, 1.13.1, and 1.14.1. Envoy 1.10 is no longer officially supported. [GH-7380],[GH-7624]
  • connect: add DNSSAN and IPSAN to cache key for ConnectCALeafRequest [GH-7597]
  • connect: Added a new expose CLI command for ingress gateways [GH-8099]
  • license: (Consul Enterprise only) Update licensing to align with the current modules licensing structure.
  • logging: catch problems with the log destination earlier by creating the file immediately [GH-7469]
  • proxycfg: support path exposed with non-HTTP2 protocol [GH-7510]
  • tls: remove old ciphers [GH-7282]
  • ui: Show the last 8 characters of AccessorIDs in listing views [GH-7327]
  • ui: Make all tabs within the UI linkable/bookmarkable and include in history [GH-7592]
  • ui: Redesign of all service pages [GH-7605] [GH-7632] [GH-7655] [GH-7683]
  • ui: Show intentions per individual service [GH-7615]
  • ui: Improved login/logout flow [GH-7790]
  • ui: Revert search to search as you type, add sort control for the service listing page [GH-7489]
  • ui: Omit proxy services from the service listing view and mark services as being proxied [GH-7820]
  • ui: Display proxies in a proxy info tab with the service instance detail page [GH-7745]
  • ui: Add live updates/blocking queries to gateway listings [GH-7967]
  • ui: Improved 'empty states' [GH-7940]
  • ui: Add ability to sort services based on health [GH-7989]
  • ui: Add explanatory tooltip panels for gateway services [GH-8048]
  • ui: Reduce discovery-chain log errors [GH-8065]

BUGFIXES:

  • agent: (Consul Enterprise only) Fixed several bugs related to Network Area and Network Segment compatibility with other features caused by incorrectly doing version or serf tag checking. [GH-7491]
  • agent: rewrite checks with proxy address, not local service address [GH-7518]
  • agent: Preserve ModifyIndex for unchanged entry in KV transaciton [GH-7832]
  • agent: use default resolver scheme for gRPC dialing [GH-7617]
  • cache: Fix go routine leak in the agent cache. [GH-8092]
  • cli: enable TLS when CONSUL_HTTP_ADDR has an https scheme [GH-7608]
  • connect: Internal refactoring to allow Connect proxy config to contain lists of structured configuration [GH-7963][GH-7964]
  • license: (Consul Enterprise only) Fixed a bug that would cause a license reset request to only be applied on the leader server.
  • sdk: Fix race condition in freeport [GH-7567]
  • server: strip local ACL tokens from RPCs during forwarding if crossing datacenters [GH-7419]
  • ui: Quote service names when filtering intentions to prevent 500 errors when accessing a service [GH-7896] [GH-7888]
  • ui: Miscellaneous amends for Safari and Firefox [GH-7904] [GH-7907]
  • ui: Ensure a value is always passed to CONSUL_SSO_ENABLED [GH-7913]
Loading

v1.8.0-rc1

15 Jun 22:04
@hashicorp-ci hashicorp-ci
v1.8.0-rc1
44e17c8
Compare
Choose a tag to compare
v1.8.0-rc1 Pre-release
Pre-release

1.8.0-rc1 (June 15, 2020)

BREAKING CHANGES:

  • acl: Remove deprecated acl_enforce_version_8 option [GH-7991]

IMPROVEMENTS:

  • ui: Add live updates/blocking queries to gateway listings [GH-7967]
  • ui: Improved 'empty states' [GH-7940]
  • ui: Add ability to sort services based on health [GH-7989]
  • ui: Add explanatory tooltip panels for gateway services [GH-8048]
  • ui: Reduce discovery-chain log errors [GH-8065]
  • connect: Enable mesh and terminating gateways to resolve hostnames to IPv4 addresses using system resolver [GH-7999]
  • connect: Always require Host headers when serving L7 traffic through ingress gateways [GH-7990]
  • connect: Allow users to specify wildcard host for ingress when TLS is disabled [GH-8083]
  • connect: New end point to return healthy ingress gateway instances [GH-8081]
  • connect: Added a new expose CLI command for ingress gateways [GH-8099]

BUG FIXES:

  • cache: Fix go routine leak in the agent cache. [GH-8092]
  • connect: Internal refactoring to allow Connect proxy config to contain lists of structured configuration [GH-7963][GH-7964]
  • connect: Handle re-bootstrapping scenario for WAN federation over mesh gateways. [GH-7931]
  • server: don't activate federation state replication or anti-entropy until all servers are running 1.8.0 [GH-8014]
Loading

v1.7.4

10 Jun 23:45
@alvin-huang alvin-huang
v1.7.4
d149d7e
Compare
Choose a tag to compare
v1.7.4

1.7.4 (June 10, 2020)

SECURITY:

  • Adding an option http_config.use_cache to disable agent caching for http endpoints, because Consul’s DNS and HTTP API expose a caching feature susceptible to DoS. CVE-2020-13250 [GH-8023]
  • Propagate and enforce changes to legacy ACL tokens rules in secondary data centers. CVE-2020-12797 [GH-8047]
  • Only resolve local acl token in the datacenter it belongs to. CVE-2020-13170 [GH-8068]
  • Requiring service:write permissions, a service-router entry without a destination no longer crashes Consul servers. CVE-2020-12758 [GH-7783]

BUG FIXES:

  • acl: Fixed an issue where legacy management tokens could not be used in secondary datacenters. [GH-7908]
  • agent: Fixed a race condition that could cause an agent to crash when first starting. [GH-7955]
  • connect: setup intermediate_pki_path on secondary when using vault [GH-8001]
Loading

v1.6.6

10 Jun 21:58
@hashicorp-ci hashicorp-ci
v1.6.6
8c161e1
Compare
Choose a tag to compare
v1.6.6

1.6.6 (June 10, 2020)

SECURITY:

  • Adding an option http_config.use_cache to disable agent caching for http endpoints, because Consul’s DNS and HTTP API expose a caching feature susceptible to DoS. CVE-2020-13250 [GH-8023]
  • Propagate and enforce changes to legacy ACL tokens rules in secondary data centers. CVE-2020-12797 [GH-8047]
  • Only resolve local acl token in the datacenter it belongs to. CVE-2020-13170 [GH-8068]

BUG FIXES:

  • acl: Fixed an issue where legacy management tokens could not be used in secondary datacenters. [GH-7908]
  • agent: Fixed a race condition that could cause an agent to crash when first starting. [GH-7955]
Loading

v1.8.0-beta2

21 May 20:27
@hashicorp-ci hashicorp-ci
v1.8.0-beta2
a774d9b
Compare
Choose a tag to compare
v1.8.0-beta2 Pre-release
Pre-release

1.8.0-beta2 (May 21, 2020)

IMPROVEMENTS:

  • xds: Ingress gateways now respect the same binding options as mesh and terminating gateways [GH-7924]

BUGFIXES:

  • xds: Fixed bug where deleting a gateway config entry did not correctly remove xDS configuration from the envoy proxy [GH-7898]
  • ui: Quote service names when filtering intentions to prevent 500 errors when accessing a service [GH-7896] [GH-7888]
  • ui: Miscellaneous amends for Safari and Firefox [GH-7904] [GH-7907]
  • ui: Ensure a value is always passed to CONSUL_SSO_ENABLED [GH-7913]
  • agent: Preserve ModifyIndex for unchanged entry in KV transaciton [GH-7832]
  • agent: use default resolver scheme for gRPC dialing [GH-7617]
Loading

v1.8.0-beta1

15 May 02:11
@hashicorp-ci hashicorp-ci
v1.8.0-beta1
439d148
Compare
Choose a tag to compare
v1.8.0-beta1 Pre-release
Pre-release

1.8.0-beta1 (May 14, 2020)

FEATURES:

  • Terminating Gateway: Envoy can now be run as a gateway to enable services in a Consul service mesh to connect to external services through their local proxy. Terminating gateways unlock several of the benefits of a service mesh in the cases where a sidecar proxy cannot be deployed alongside services such as legacy applications or managed cloud databases.

  • Ingress Gateway: Envoy can now be run as a gateway to ingress traffic into the Consul service mesh, enabling a more incremental transition for applications.

  • WAN Federation over Mesh Gateways: Allows Consul datacenters to federate by forwarding WAN gossip and RPC traffic through Mesh Gateways rather than requiring the servers to be exposed to the WAN directly.

  • JSON Web Token (JWT) Auth Method: Allows exchanging a signed JWT from a trusted external identity provider for a Consul ACL token.

  • Single Sign-On (SSO) [Enterprise]: Lets an operator configure Consul to use an external OpenID Connect (OIDC) provider to automatically handle the lifecycle of creating, distributing and managing ACL tokens for performing CLI operations or accessing the UI.

  • Audit Logging [Enterprise]: Adds instrumentation to record a trail of events (both attempted and authorized) by users of Consul’s HTTP API for purposes of regulatory compliance.

  • acl: add DisplayName field to auth methods [GH-7769]

  • acl: add MaxTokenTTL field to auth methods [GH-7779]

  • agent/xds: add support for configuring passive health checks [GH-7713]

  • cli: Add -config flag to "acl authmethod update/create" [GH-7776]

  • ui: Help menu to provide further documentation/learn links [GH-7310]

  • ui: (Consul Enterprise only) SSO support [GH-7742] [GH-7771] [GH-7790]

  • ui: Support for termininating and ingress gateways [GH-7858] [GH-7865]

IMPROVEMENTS:

  • acl: change authmethod.Validator to take a logger [GH-7758]
  • agent: show warning when enable_script_checks is enabled without safety net [GH-7437]
  • api: Added filtering support to the v1/connect/intentions endpoint. [GH-7478]
  • auto_encrypt: add validations for auto_encrypt.{tls,allow_tls} [GH-7704]
  • build: switched to compile with Go 1.14.1 [GH-7481]
  • config: validate system limits against limits.http_max_conns_per_client [GH-7434]
  • connect: support envoy 1.12.3, 1.13.1, and 1.14.1. Envoy 1.10 is no longer officially supported. [GH-7380],[GH-7624]
  • connect: add DNSSAN and IPSAN to cache key for ConnectCALeafRequest [GH-7597]
  • license: (Consul Enterprise only) Update licensing to align with the current modules licensing structure.
  • logging: catch problems with the log destination earlier by creating the file immediately [GH-7469]
  • proxycfg: support path exposed with non-HTTP2 protocol [GH-7510]
  • tls: remove old ciphers [GH-7282]
  • ui: Show the last 8 characters of AccessorIDs in listing views [GH-7327]
  • ui: Make all tabs within the UI linkable/bookmarkable and include in history [GH-7592]
  • ui: Redesign of all service pages [GH-7605] [GH-7632] [GH-7655] [GH-7683]
  • ui: Show intentions per individual service [GH-7615]
  • ui: Improved login/logout flow [GH-7790]
  • ui: Revert search to search as you type, add sort control for the service listing page [GH-7489]
  • ui: Omit proxy services from the service listing view and mark services as being proxied [GH-7820]
  • ui: Display proxies in a proxy info tab with the service instance detail page [GH-7745]

BUGFIXES:

  • agent: (Consul Enterprise only) Fixed several bugs related to Network Area and Network Segment compatibility with other features caused by incorrectly doing version or serf tag checking. [GH-7491]
  • agent: rewrite checks with proxy address, not local service address [GH-7518]
  • cli: enable TLS when CONSUL_HTTP_ADDR has an https scheme [GH-7608]
  • license: (Consul Enterprise only) Fixed a bug that would cause a license reset request to only be applied on the leader server.
  • sdk: Fix race condition in freeport [GH-7567]
  • server: strip local ACL tokens from RPCs during forwarding if crossing datacenters [GH-7419]
Loading