All Versions
183
Latest Version
Avg Release Cycle
29 days
Latest Release
808 days ago

Changelog History
Page 3

  • v1.11.1 Changes

    December 15, 2021

    ๐Ÿ”’ SECURITY:

    ๐Ÿ”‹ FEATURES:

    • ๐Ÿš€ Admin Partitions (Consul Enterprise only) This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the Admin Partition documentation. [GH-11855]
    • networking: (Enterprise Only) Make segment_limit configurable, cap at 256.

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ’ป ui: Fixes an issue with the version footer wandering when scrolling [GH-11850]
  • v1.11.0 Changes

    December 14, 2021

    ๐Ÿ’ฅ BREAKING CHANGES:

    • โฌ†๏ธ acl: The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that nothing is still using the legacy ACL system. See the Migrate Legacy ACL Tokens Learn Guide for more information. [GH-11232]
    • cli: consul acl set-agent-token master has been replaced with consul acl set-agent-token recovery [GH-11669]

    ๐Ÿ”’ SECURITY:

    • namespaces: (Enterprise only) Creating or editing namespaces that include default ACL policies or ACL roles now requires acl:write permission in the default namespace. This change fixes CVE-2021-41805.
    • rpc: authorize raft requests CVE-2021-37219 [GH-10925]

    ๐Ÿ”‹ FEATURES:

    • ๐Ÿ“š Admin Partitions (Consul Enterprise only) This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the Admin Partition documentation.
    • ๐Ÿ”ง ca: Add a configurable TTL for Connect CA root certificates. The configuration is supported by the Vault and Consul providers. [GH-11428]
    • ๐Ÿ”ง ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate. [GH-11449]
    • ๐Ÿ‘ health-checks: add support for h2c in http2 ping health checks [GH-10690]
    • ๐Ÿ’ป ui: Add UI support to use Vault as an external source for a service [GH-10769]
    • ๐Ÿ’ป ui: Adding support of Consul API Gateway as an external source. [GH-11371]
    • ๐Ÿ’ป ui: Adds a copy button to each composite row in tokens list page, if Secret ID returns an actual ID [GH-10735]
    • ๐Ÿ’ป ui: Adds visible Consul version information [GH-11803]
    • ๐Ÿ’ป ui: Topology - New views for scenarios where no dependencies exist or ACLs are disabled [GH-11280]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • acls: Show AuthMethodNamespace when reading/listing ACL tokens. [GH-10598]
    • acl: replication routine to report the last error message. [GH-10612]
    • agent: add variation of force-leave that exclusively works on the WAN [GH-11722]
    • ๐Ÿšง api: Enable setting query options on agent health and maintenance endpoints. [GH-10691]
    • api: responses that contain only a partial subset of results, due to filtering by ACL policies, may now include an X-Consul-Results-Filtered-By-ACLs header [GH-11569]
    • checks: add failures_before_warning setting for interval checks. [GH-10969]
    • โฌ†๏ธ ci: Upgrade to use Go 1.17.5 [GH-11799]
    • ๐Ÿ”ง ci: Allow configuring graceful stop in testutil. [GH-10566]
    • ๐Ÿ‘ cli: Add -cas and -modify-index flags to the consul config delete command to support Check-And-Set (CAS) deletion of config entries [GH-11419]
    • config: (Enterprise Only) Allow specifying permission mode for audit logs. [GH-10732]
    • ๐Ÿ‘ config: Support Check-And-Set (CAS) deletion of config entries [GH-11419]
    • config: add dns_config.recursor_strategy flag to control the order which DNS recursors are queried [GH-10611]
    • config: warn the user if client_addr is empty because client services won't be listening [GH-11461]
    • connect/ca: cease including the common name field in generated x509 non-CA certificates [GH-10424]
    • connect: Add low-level feature to allow an Ingress to retrieve TLS certificates from SDS. [GH-10903]
    • connect: Consul will now generate a unique virtual IP for each connect-enabled service (this will also differ across namespace/partition in Enterprise). [GH-11724]
    • โœ… connect: Support Vault auth methods for the Connect CA Vault provider. Currently, we support any non-deprecated auth methods the latest version of Vault supports (v1.8.5), which include AppRole, AliCloud, AWS, Azure, Cloud Foundry, GitHub, Google Cloud, JWT/OIDC, Kerberos, Kubernetes, LDAP, Oracle Cloud Infrastructure, Okta, Radius, TLS Certificates, and Username & Password. [GH-11573]
    • ๐Ÿ‘ connect: Support manipulating HTTP headers in the mesh. [GH-10613]
    • ๐Ÿ”ง connect: add Namespace configuration setting for Vault CA provider [GH-11477]
    • connect: ingress gateways may now enable built-in TLS for a subset of listeners. [GH-11163]
    • connect: service-resolver subset filters are validated for valid go-bexpr syntax on write [GH-11293]
    • โšก๏ธ connect: update supported envoy versions to 1.19.1, 1.18.4, 1.17.4, 1.16.5 [GH-11115]
    • โšก๏ธ connect: update supported envoy versions to 1.20.0, 1.19.1, 1.18.4, 1.17.4 [GH-11277]
    • debug: Add a new /v1/agent/metrics/stream API endpoint for streaming of metrics [GH-10399]
    • debug: rename cluster capture target to members, to be more consistent with the terms used by the API. [GH-10804]
    • dns: Added a virtual endpoint for querying the assigned virtual IP for a service. [GH-11725]
    • ๐Ÿ›  http: when a URL path is not found, include a message with the 404 status code to help the user understand why (e.g., HTTP API endpoint path not prefixed with /v1/) [GH-11818]
    • ๐Ÿ”ง raft: Added a configuration to disable boltdb freelist syncing [GH-11720]
    • ๐ŸŽ raft: Emit boltdb related performance metrics [GH-11720]
    • raft: Use bbolt instead of the legacy boltdb implementation [GH-11720]
    • ๐Ÿ‘ sdk: Add support for iptable rules that allow DNS lookup redirection to Consul DNS. [GH-11480]
    • segments: (Enterprise only) ensure that the serf_lan_allowed_cidrs applies to network segments [GH-11495]
    • telemetry: add a new agent.tls.cert.expiry metric for tracking when the Agent TLS certificate expires. [GH-10768]
    • telemetry: add a new mesh.active-root-ca.expiry metric for tracking when the root certificate expires. [GH-9924]
    • telemetry: added metrics to track certificates expiry. [GH-10504]
    • types: add TLSVersion and TLSCipherSuite [GH-11645]
    • ๐Ÿ’ป ui: Change partition URL segment prefix from - to _ [GH-11801]
    • ๐Ÿ’ป ui: Add upstream icons for upstreams and upstream instances [GH-11556]
    • ๐Ÿ’ป ui: Add uri guard to prevent future URL encoding issues [GH-11117]
    • ๐Ÿšš ui: Move the majority of our SASS variables to use native CSS custom properties [GH-11200]
    • ๐Ÿšš ui: Removed informational panel from the namespace selector menu when editing namespaces [GH-11130]
    • โšก๏ธ ui: Update UI browser support to 'roughly ~2 years back' [GH-11505]
    • โšก๏ธ ui: Update global notification styling [GH-11577]
    • ๐Ÿ’ป ui: added copy to clipboard button in code editor toolbars [GH-11474]

    ๐Ÿ—„ DEPRECATIONS:

    • ๐Ÿš€ api: /v1/agent/token/agent_master is deprecated and will be removed in a future major release - use /v1/agent/token/agent_recovery instead [GH-11669]
    • config: acl.tokens.master has been renamed to acl.tokens.initial_management, and acl.tokens.agent_master has been renamed to acl.tokens.agent_recovery - the old field names are now deprecated and will be removed in a future major release [GH-11665]
    • tls: With the upgrade to Go 1.17, the ordering of tls_cipher_suites will no longer be honored, and tls_prefer_server_cipher_suites is now ignored. [GH-11364]

    ๐Ÿ› BUG FIXES:

    • acl: (Enterprise only) fix namespace and namespace_prefix policy evaluation when both govern an authz request
    • โšก๏ธ api: Fix default values used for optional fields in autopilot configuration update (POST to /v1/operator/autopilot/configuration) [GH-10558] [GH-10559]
    • api: ensure new partition fields are omit empty for compatibility with older versions of consul [GH-11585]
    • areas: (Enterprise Only) Fixes a bug when using Yamux pool ( for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time.
    • areas: (Enterprise only) make the gRPC server tracker network area aware [GH-11748]
    • ๐Ÿ›  ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [GH-11693]
    • ๐Ÿ›  ca: fixes a bug that caused the SigningKeyID to be wrong in the primary DC, when the Vault provider is used, after a CA config creates a new root. [GH-11672]
    • ๐Ÿ›  ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [GH-11671]
    • check root and intermediate CA expiry before using it to sign a leaf certificate. [GH-10500]
    • connect/ca: ensure edits to the key type/bits for the connect builtin CA will regenerate the roots [GH-10330]
    • โšก๏ธ connect/ca: require new vault mount points when updating the key type/bits for the vault connect CA provider [GH-10331]
    • ๐Ÿ”’ connect: fix race causing xDS generation to lock up when discovery chains are tracked for services that are no longer upstreams. [GH-11826]
    • ๐Ÿ›  dns: Fixed an issue where on DNS requests made with .alt_domain response was returned as .domain [GH-11348]
    • dns: return an empty answer when asked for an addr dns with type other then A and AAAA. [GH-10401]
    • ๐ŸŽ macos: fixes building with a non-Apple LLVM (such as installed via Homebrew) [GH-11586]
    • namespaces: (Enterprise only) ensure the namespace replicator doesn't replicate deleted namespaces
    • proxycfg: ensure all of the watches are canceled if they are cancelable [GH-11824]
    • snapshot: (Enterprise only) fixed a bug where the snapshot agent would ignore the license_path setting in config files
    • ๐Ÿ’ป ui: Change partitions to expect [] from the listing API [GH-11791]
    • ๐Ÿ’ป ui: Don't offer to save an intention with a source/destination wildcard partition [GH-11804]
    • ๐Ÿ’ป ui: Ensure all types of data get reconciled with the backend data [GH-11237]
    • ๐Ÿ’ป ui: Ensure dc selector correctly shows the currently selected dc [GH-11380]
    • ๐Ÿ’ป ui: Ensure we check intention permissions for specific services when deciding whether to show action buttons for per service intention actions [GH-11409]
    • ๐Ÿ’ป ui: Ensure we filter tokens by policy when showing which tokens use a certain policy whilst editing a policy [GH-11311]
    • ๐Ÿ’ป ui: Ensure we show a readonly designed page for readonly intentions [GH-11767]
    • ๐Ÿ’ป ui: Filter the global intentions list by the currently selected parition rather than a wildcard [GH-11475]
    • ๐Ÿ’ป ui: Fix inline-code brand styling [GH-11578]
    • ๐Ÿ’ป ui: Fix visual issue with slight table header overflow [GH-11670]
    • ๐Ÿ’ป ui: Fixes an issue where under some circumstances after logging we present the ๐ŸŒฒ data loaded previous to you logging in. [GH-11681]
    • ๐Ÿ’ป ui: Gracefully recover from non-existant DC errors [GH-11077]
    • ui: Include Service.Namespace into available variables for dashboard_url_templates [GH-11640]
    • โช ui: Revert to depending on the backend, 'post-user-action', to report ๐Ÿ’ป permissions errors rather than using UI capabilities 'pre-user-action' [GH-11520]
    • 0๏ธโƒฃ ui: Topology - Fix up Default Allow and Permissive Intentions notices [GH-11216]
    • ๐Ÿ’ป ui: code editor styling (layout consistency + wide screen support) [GH-11474]
    • ๐Ÿ‘‰ use the MaxQueryTime instead of RPCHoldTimeout for blocking RPC queries [GH-8978]. [GH-10299]
    • ๐Ÿ windows: fixes arm and arm64 builds [GH-11586]

    NOTES:

    • Renamed the agent_master field to agent_recovery in the acl-tokens.json file in which tokens are persisted on-disk (when acl.enable_token_persistence is enabled) [GH-11744]
  • v1.11.0-beta2 Changes

    November 02, 2021

    ๐Ÿ’ฅ BREAKING CHANGES:

    • โฌ†๏ธ acl: The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that nothing is still using the legacy ACL system. See the Migrate Legacy ACL Tokens Learn Guide for more information. [GH-11232]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • ๐Ÿ“œ agent: for various /v1/agent endpoints parse the partition parameter on the request [GH-11444]
    • ๐Ÿ”จ agent: refactor the agent delegate interface to be partition friendly [GH-11429]
    • ๐Ÿ‘ cli: Add -cas and -modify-index flags to the consul config delete command to support Check-And-Set (CAS) deletion of config entries [GH-11419]
    • โšก๏ธ cli: update consul members output to display partitions and sort the results usefully [GH-11446]
    • ๐Ÿ’… config: Allow ${} style interpolation for UI Dashboard template URLs [GH-11328]
    • ๐Ÿ‘ config: Support Check-And-Set (CAS) deletion of config entries [GH-11419]
    • connect: (Enterprise only) add support for dialing upstreams in remote partitions through mesh gateways. [GH-11431]
    • connect: (Enterprise only) updates ServiceRead and NodeRead to account for the partition-exports config entry. [GH-11433]
    • connect: ingress gateways may now enable built-in TLS for a subset of listeners. [GH-11163]
    • connect: service-resolver subset filters are validated for valid go-bexpr syntax on write [GH-11293]
    • โšก๏ธ connect: update supported envoy versions to 1.20.0, 1.19.1, 1.18.4, 1.17.4 [GH-11277]

    ๐Ÿ—„ DEPRECATIONS:

    • tls: With the upgrade to Go 1.17, the ordering of tls_cipher_suites will no longer be honored, and tls_prefer_server_cipher_suites is now ignored. [GH-11364]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  api: fixed backwards compatibility issue with AgentService SocketPath field. [GH-11318]
    • ๐Ÿ›  dns: Fixed an issue where on DNS requests made with .alt_domain response was returned as .domain [GH-11348]
    • raft: do not trigger an election if not part of the servers list. [GH-11375]
    • rpc: only attempt to authorize the DNSName in the client cert when verify_incoming_rpc=true [GH-11255]
    • telemetry: fixes a bug with Prometheus consul_autopilot_failure_tolerance metric where 0 is reported instead of NaN on follower servers. [GH-11399]
    • ๐Ÿ’ป ui: Ensure dc selector correctly shows the currently selected dc [GH-11380]
    • ๐Ÿ’ป ui: Ensure we filter tokens by policy when showing which tokens use a certain policy whilst editing a policy [GH-11311]
  • v1.11.0-beta1 Changes

    October 15, 2021

    ๐Ÿ”‹ FEATURES:

    • partitions: allow for partition queries to be forwarded [GH-11099]
    • sso/oidc: (Enterprise only) Add support for providing acr_values in OIDC auth flow [GH-11026]
    • ๐Ÿ’ป ui: Added initial support for admin partition CRUD [GH-11188]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • api: add partition field to acl structs [GH-11080]
    • audit-logging: (Enterprise Only) Audit logs will now include select HTTP headers in each logs payload. Those headers are: Forwarded, Via, X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto. [GH-11107]
    • connect: Add low-level feature to allow an Ingress to retrieve TLS certificates from SDS. [GH-10903]
    • โšก๏ธ connect: update supported envoy versions to 1.19.1, 1.18.4, 1.17.4, 1.16.5 [GH-11115]
    • state: reads of partitions now accept an optional memdb.WatchSet
    • telemetry: Add new metrics for the count of KV entries in the Consul store. [GH-11090]
    • ๐Ÿ”ง telemetry: Add new metrics for the count of connect service instances and configuration entries. [GH-11222]
    • ๐Ÿ’ป ui: Add initial support for partitions to intentions [GH-11129]
    • ๐Ÿ’ป ui: Add uri guard to prevent future URL encoding issues [GH-11117]
    • ๐Ÿšš ui: Move the majority of our SASS variables to use native CSS custom properties [GH-11200]
    • ๐Ÿšš ui: Removed informational panel from the namespace selector menu when editing namespaces [GH-11130]

    ๐Ÿ› BUG FIXES:

    • acl: (Enterprise only) Fix bug in 'consul members' filtering with partitions. [GH-11263]
    • acl: (Enterprise only) ensure that auth methods with namespace rules work with partitions [GH-11323]
    • ๐Ÿ›  acl: fixes the fallback behaviour of down_policy with setting extend-cache/async-cache when the token is not cached. [GH-11136]
    • connect: Fix upstream listener escape hatch for prepared queries [GH-11109]
    • grpc: strip local ACL tokens from RPCs during forwarding if crossing datacenters [GH-11099]
    • server: (Enterprise only) Ensure that servers leave network segments when leaving other gossip pools
    • telemetry: Consul Clients no longer emit Autopilot metrics. [GH-11241]
    • telemetry: fixes a bug with Prometheus consul_autopilot_healthy metric where 0 is reported instead of NaN on servers. [GH-11231]
    • ui: (Enterprise Only) Fix saving intentions with namespaced source/destination [GH-11095]
    • โš  ui: Don't show a CRD warning for read-only intentions [GH-11149]
    • ๐Ÿ’ป ui: Ensure all types of data get reconciled with the backend data [GH-11237]
    • ๐Ÿšš ui: Fixed styling of Role remove dialog on the Token edit page [GH-11298]
    • ๐Ÿ’ป ui: Gracefully recover from non-existant DC errors [GH-11077]
    • ๐Ÿ’ป ui: Ignore reported permissions for KV area meaning the KV is always enabled for both read/write access if the HTTP API allows. [GH-10916]
    • 0๏ธโƒฃ ui: Topology - Fix up Default Allow and Permissive Intentions notices [GH-11216]
    • ๐Ÿ’ป ui: hide create button for policies/roles/namespace if users token has no write permissions to those areas [GH-10914]
    • xds: ensure the active streams counters are 64 bit aligned on 32 bit systems [GH-11085]
    • โšก๏ธ xds: fixed a bug where Envoy sidecars could enter a state where they failed to receive xds updates from Consul [GH-10987]
    • ๐Ÿ›  Fixing SOA record to return proper domain when alt domain in use. [GH-10431]
  • v1.11.0-alpha Changes

    September 16, 2021

    ๐Ÿ”’ SECURITY:

    ๐Ÿ”‹ FEATURES:

    • config: add agent config flag for enterprise clients to indicate they wish to join a particular partition [GH-10572]
    • ๐Ÿ›  connect: include optional partition prefixes in SPIFFE identifiers [GH-10507]
    • partitions: (Enterprise only) Adds admin partitions, a new feature to enhance Consul's multitenancy capabilites.
    • ๐Ÿ’ป ui: Add UI support to use Vault as an external source for a service [GH-10769]
    • ๐Ÿ’ป ui: Adds a copy button to each composite row in tokens list page, if Secret ID returns an actual ID [GH-10735]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • acl: replication routine to report the last error message. [GH-10612]
    • ๐Ÿšง api: Enable setting query options on agent health and maintenance endpoints. [GH-10691]
    • checks: add failures_before_warning setting for interval checks. [GH-10969]
    • config: (Enterprise Only) Allow specifying permission mode for audit logs. [GH-10732]
    • config: add dns_config.recursor_strategy flag to control the order which DNS recursors are queried [GH-10611]
    • connect/ca: cease including the common name field in generated x509 non-CA certificates [GH-10424]
    • ๐Ÿ‘ connect: Support manipulating HTTP headers in the mesh. [GH-10613]
    • โšก๏ธ connect: update supported envoy versions to 1.18.4, 1.17.4, 1.16.5 [GH-10961]
    • debug: Add a new /v1/agent/metrics/stream API endpoint for streaming of metrics [GH-10399]
    • debug: rename cluster capture target to members, to be more consistent with the terms used by the API. [GH-10804]
    • structs: prohibit config entries from referencing more than one partition at a time [GH-10478]
    • telemetry: add a new agent.tls.cert.expiry metric for tracking when the Agent TLS certificate expires. [GH-10768]
    • telemetry: add a new mesh.active-root-ca.expiry metric for tracking when the root certificate expires. [GH-9924]

    ๐Ÿ—„ DEPRECATIONS:

    • ๐Ÿ”ง config: the ports.grpc and addresses.grpc configuration settings have been renamed to ports.xds and addresses.xds to better match their function. [GH-10588]

    ๐Ÿ› BUG FIXES:

    • โšก๏ธ api: Fix default values used for optional fields in autopilot configuration update (POST to /v1/operator/autopilot/configuration) [GH-10558] [GH-10559]
    • โช api: Revert early out errors from license APIs to allow v1.10+ clients to manage licenses on older servers [GH-10952]
    • check root and intermediate CA expiry before using it to sign a leaf certificate. [GH-10500]
    • connect/ca: ensure edits to the key type/bits for the connect builtin CA will regenerate the roots [GH-10330]
    • โšก๏ธ connect/ca: require new vault mount points when updating the key type/bits for the vault connect CA provider [GH-10331]
    • dns: return an empty answer when asked for an addr dns with type other then A and AAAA. [GH-10401]
    • tls: consider presented intermediates during server connection tls handshake. [GH-10964]
    • ๐Ÿ‘‰ use the MaxQueryTime instead of RPCHoldTimeout for blocking RPC queries [GH-8978]. [GH-10299]
  • v1.10.12 Changes

    July 13, 2022

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  agent: Fixed a bug in HTTP handlers where URLs were being decoded twice [GH-13264]
    • ๐Ÿ›  fix a bug that caused an error when creating grpc or http2 ingress gateway listeners with multiple services [GH-13127]
  • v1.10.11 Changes

    May 25, 2022

    ๐Ÿ”’ SECURITY:

    • agent: Use SHA256 instead of MD5 to generate persistence file names.

    ๐Ÿ‘Œ IMPROVEMENTS:

    • sentinel: (Enterprise Only) Sentinel now uses SHA256 to generate policy ids

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  Fix a bug when configuring an add_headers directive named Host the header is not set for v1/internal/ui/metrics-proxy/ endpoint. [GH-13071]
    • areas: (Enterprise Only) Fixes a bug when using Yamux pool ( for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time. [GH-1368]
    • ca: fix a bug that caused a non blocking leaf cert query after a locking leaf cert query to block [GH-12820]
    • health: ensure /v1/health/service/:service endpoint returns the most recent results when a filter is used with streaming #12640 [GH-12640]
    • snapshot-agent: (Enterprise only) Fix a bug where providing the ACL token to the snapshot agent via a CLI or ENV variable without a license configured results in an error during license auto-retrieval.

    NOTES:

    • ci: change action to pull v1 instead of main [GH-12846]
  • v1.10.10 Changes

    April 13, 2022

    ๐Ÿ”’ SECURITY:

    • ๐Ÿš€ agent: Added a new check field, disable_redirects, that allows for disabling the following of redirects for HTTP checks. The intention is to default this to true in a future release so that redirects must explicitly be enabled. [GH-12685]
    • ๐Ÿ”ง connect: Properly set SNI when configured for services behind a terminating gateway. [GH-12672]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • โฑ xds: ensure that all connect timeout configs can apply equally to tproxy direct dial connections [GH-12711]

    ๐Ÿ—„ DEPRECATIONS:

    • tls: With the upgrade to Go 1.17, the ordering of tls_cipher_suites will no longer be honored, and tls_prefer_server_cipher_suites is now ignored. [GH-12766]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ”ง connect/ca: cancel old Vault renewal on CA configuration. Provide a 1 - 6 second backoff on repeated token renewal requests to prevent overwhelming Vault. [GH-12607]
    • โฌ†๏ธ raft: upgrade to v1.3.6 which fixes a bug where a read replica node could attempt bootstrapping raft and prevent other nodes from bootstrapping at all [GH-12496]
    • ๐Ÿ›  replication: Fixed a bug which could prevent ACL replication from continuing successfully after a leader election. [GH-12565]
    • server: fix spurious blocking query suppression for discovery chains [GH-12512]
  • v1.10.9 Changes

    February 28, 2022

    ๐Ÿ”’ SECURITY:

    • agent: Use SHA256 instead of MD5 to generate persistence file names.

    ๐Ÿ”‹ FEATURES:

    • ๐Ÿ‘ ca: support using an external root CA with the vault CA provider [GH-11910]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • โšก๏ธ connect: Update supported Envoy versions to include 1.18.6 [GH-12450]
    • โšก๏ธ connect: update Envoy supported version of 1.20 to 1.20.2 [GH-12434]
    • debug: reduce the capture time for trace to only a single interval instead of the full duration to make trace.out easier to open without running into OOM errors. [GH-12359]
    • โช raft: add additional logging of snapshot restore progress [GH-12325]
    • โฑ rpc: improve blocking queries for items that do not exist, by continuing to block until they exist (or the timeout). [GH-12110]
    • sentinel: (Enterprise Only) Sentinel now uses SHA256 to generate policy ids
    • server: conditionally avoid writing a config entry to raft if it was already the same [GH-12321]
    • server: suppress spurious blocking query returns where multiple config entries are involved [GH-12362]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ“œ agent: Parse datacenter from Create/Delete requests for AuthMethods and BindingRules. [GH-12370]
    • areas: (Enterprise Only) Fixes a bug when using Yamux pool ( for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time. [GH-1368]
    • ๐Ÿ›  raft: fixed a race condition in leadership transfer that could result in reelection of the current leader [GH-12325]
    • server: (Enterprise only) Namespace deletion will now attempt to delete as many namespaced config entries as possible instead of halting on the first deletion that failed.
    • server: partly fix config entry replication issue that prevents replication in some circumstances [GH-12307]
    • 0๏ธโƒฃ ui: Ensure we always display the Policy default preview in the Namespace editing form [GH-12316]
    • ๐Ÿ›  xds: Fixed Envoy http features such as outlier detection and retry policy not working correctly with transparent proxy. [GH-12385]
  • v1.10.8 Changes

    February 11, 2022

    ๐Ÿ”’ SECURITY:

    • agent: Use SHA256 instead of MD5 to generate persistence file names.

    ๐Ÿ‘Œ IMPROVEMENTS:

    • raft: Consul leaders will attempt to transfer leadership to another server as part of gracefully leaving the cluster. [GH-11376]
    • sentinel: (Enterprise Only) Sentinel now uses SHA256 to generate policy ids

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  Fix a data race when a service is added while the agent is shutting down.. [GH-12302]
    • areas: (Enterprise Only) Fixes a bug when using Yamux pool ( for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time. [GH-1368]
    • config-entry: fix a panic when creating an ingress gateway config-entry and a proxy service instance, where both providedthe same upstream and downstrem mapping. [GH-12277]
    • config: include all config errors in the error message, previously some could be hidden. [GH-11918]
    • ๐Ÿ›  connect: fixes bug where passthrough addressses for transparent proxies dialed directly weren't being cleaned up. [GH-12223]
    • ๐Ÿ›  memberlist: fixes a bug which prevented members from joining a cluster with large amounts of churn [GH-253] [GH-12047]
    • snapshot: the snapshot save command now saves the snapshot with read permission for only the current user. [GH-11918]
    • xds: allow only one outstanding delta request at a time [GH-12236]
    • xds: fix for delta xDS reconnect bug in LDS/CDS [GH-12174]
    • xds: prevents tight loop where the Consul client agent would repeatedly re-send config that Envoy has rejected. [GH-12195]a