Changelog History
Page 11
-
v1.7.3 Changes
May 05, 2020π IMPROVEMENTS:
- acl: (Consul Enterprise only) - Disable the ACL.Bootstrap RPC endpoints when managed service provider tokens are in use. [GH-7614]
- acl: (Consul Enterprise only) - Consul agents will now use the first managed service provider token for the agents token when any are present.
- acl: Added a v1/acl/policy/name/:name HTTP endpoint to read a policy by name. [GH-6615]
- acl: Added JSON format output to all of the ACL CLI commands. [GH-7141]
- β‘οΈ agent/xds: Update mesh gateway to use the service resolver connect timeout when configured [GH-6370]
- π² cli: Log "newer version available" message at
INFO
level [GH-7457] - π§ config: Consul Enterprise specific configuration are now parseable in OSS but will emit warnings about them not being used. [GH-7714
- network areas: (Consul Enterprise only) - Network areas are using memberlist with TCP and for every message a new connection was established. Now the connections multiplexed with yamux, which means that way fewer connections are created.
- network segments: (Consul Enterprise only) - The segment configuration is no longer stored in serf node tags. There is now an RPC endpoint for the same information, which means that the number of network segment is no longer limited by node meta tag size.
- snapshot agent: (Consul Enterprise only) - Azure has different environments, of which it was only possible to use the public one so far. A new flag was added so that every other environment can be used as well, like Azure China.
π BUGFIXES:
- agent: don't let left nodes hold onto their node-id [GH-7775]
- agent: (Consul Enterprise only) Fixed several bugs related to Network Area ann Network Segment compatibility with other features caused by incorrectly doing version or serf tag checking. [GH-7491]
- cli: ensure that 'snapshot save' is fsync safe and also only writes to the requested file on success [GH-7698]
- βͺ cli: fix usage of gzip.Reader to better detect corrupt snapshots during save/restore [GH-7697]
- connect: Fix panic when validating a service-router config entry with no destination [GH-7783]
- namespace: (Consul Enterprise only) Fixed several bugs where results from multiple namespaces would be returned when only a single namespace was being queried when the token making the request had permissions to see all of them.
- snapshot agent (Consul Enterprise only): Ensure snapshots persisted with the local backend are fsync safe and also only writes to the requested file on success.
- snapshot agent (Consul Enterprise only): Verify integrity of snapshots locally before storing with the configured backend.
- π» ui: Ensure blocking queries are used in the service instance page instead of polling [GH-7543]
- π» ui: Fix a refreshing/rescrolling issue for the healthcheck listings [GH-7550] [GH-7365]
- π» ui: Fix token duplication action bug [GH-7552]
- π» ui: Lazily detect HTTP protocol along with a fallback for non-detection [GH-7644] [GH-7643]
- 0οΈβ£ ui: Ensure KV names using 'special' terms within the default namespace are editable when the URL doesn't include the default namespace [GH-7734]
- xds: Fix flapping of mesh gateway connect-service watches [GH-7575]
-
v1.7.2 Changes
March 16, 2020π IMPROVEMENTS:
- π§ agent: add option to configure max request length for
/v1/txn
endpoint [GH-7388] - π build: bump the expected go language version of the main module to 1.13 [GH-7429]
- π» agent: add http_config.response header to the UI headers [GH-7369]
- agent: Added documentation and error messages related to
kv_max_value_size
option [GH-7405]] - agent: Take Prometheus MIME-type header into account [GH-7371]]
π BUGFIXES:
- β‘οΈ acl: Updated token resolution so managed service provider token applies to all endpoints. [GH-7431]
- π agent: Fixed error output when agent crashes early [GH-7411]
- agent: Handle bars in node names when displaying lists in CLI like
consul members
[GH-6652]] - agent: Avoid discarding health check status on
consul reload
[GH-7345]] - network areas: (Consul Enterprise only) - Fixed compatibility issues with network areas and v1.4.0+ ACLs as well as network areas and namespaces. The issue was that secondary datacenters connected to the primary via a network area were not properly detecting that the primary DC supported those other features.
- π sessions: Fixed backwards incompatibility with 1.6.x and earlier [GH-7395][GH-7399]
- π sessions: Fixed backwards incompatibility with 1.6.x and earlier [GH-7395][GH-7398]
- π» ui: Fixed a DOM refreshing bug on the node detail page which forced an scroll reset [GH-7365][GH-7377]
- π» ui: Fix blocking query requests for the coordinates API requests [GH-7378]
- π» ui: Enable recovery from an unreachable datacenter [GH-7404]
- π§ agent: add option to configure max request length for
-
v1.7.1 Changes
February 20, 2020π IMPROVEMENTS:
- agent: sensible keyring error [GH-7272]
- agent: add server
raft.{last,applied}_index
gauges [GH-6694] - π build: Switched to compile with Go 1.13.7 [GH-7262]
- config: increase
http_max_conns_per_client
default to 200 [GH-7289] - π tls: support TLS 1.3 [GH-7325]
π BUGFIXES:
- acl: (Consul Enterprise only) Fixed an issue that prevented remote policy and role resolution from working when namespace policy or role defaults were configured.
- π dns: Fixed an issue that could cause the DNS server to consume excessive CPU resources when trying to parse IPv6 recursor addresses: [GH-6120]
- π§ dns: Fixed an issue that caused Consul to setup a root zone handler when no
alt_domain
was configured. [GH-7323] - π sessions: Fixed an issue that was causing deletions of a non-existent session to return a 500 when ACLs were enabled. [GH-6840]
- π§ xds: Fix envoy retryOn behavior when multiple behaviors are configured [GH-7280]
- π§ xds: Mesh Gateway fixes to prevent configuring extra clusters and for properly handling a service-resolvers default subset. [GH-7294]
- π» ui: Gracefully cope with errors in discovery-chain when connect is disabled [GH-7291]
-
v1.7.0 Changes
February 11, 2020NOTES:
π cli: Our Windows 32-bit and 64-bit executables for this version and up will be signed with a HashiCorp certificate. Windows users will no longer see a warning about an "unknown publisher" when running our software.
π cli: Our darwin releases for this version and up will be signed and notarized according to Apple's requirements.
π Prior to this release, MacOS 10.15+ users attempting to run our software may see the error: "'consul' cannot be opened because the developer cannot be verified." This error affected all MacOS 10.15+ users who downloaded our software directly via web browsers, and was caused by changes to Apple's third-party software requirements.
β¬οΈ MacOS 10.15+ users should plan to upgrade to 1.7.0+.
π SECURITY:
- β‘οΈ dns: Updated miekg/dns dependency to fix a memory leak and CVE-2019-19794. [GH-6984], [GH-7252]
- β‘οΈ updated to compile with [Go 1.12.16] which includes a fix for CVE-2020-0601 on windows [GH-7153]
π₯ BREAKING CHANGES:
- http: The HTTP API no longer accepts JSON fields that are unknown to it. Instead errors will be returned with 400 status codes [GH-6874]
- dns: PTR record queries now return answers that contain the Consul datacenter as a label between
service
and the domain. [GH-6909] - agent: The ACL requirement for the agent/force-leave endpoint is now
operator:write
rather thanagent:write
. [GH-7033] - π logging: Switch over to using go-hclog and allow emitting either structured or unstructured logs. This changes the log format quite a bit and could break any log parsing users may have in place. [GH-1249][GH-7130]
- intentions: Change the ACL requirement and enforcement for wildcard rules. Previously this would look for an ACL rule that would grant access to the service/intention
*
. Now, in order to write a wildcard intention requires write access to all intentions and reading a wildcard intention requires read access to any intention that would match. Additionally intention listing and reading allow access if the requester can read either side of the intention whereas before it only allowed it for permissions on the destination side. [GH-7028] - telemetry:
consul.rpc.query
has changed to only measure the start ofsrv.blockingQuery()
calls. In certain rare cases where there are lots of idempotent updates this will cause the metric to report lower than before. The counter should now provides more meaningful behavior that maps to the rate of client-initiated requests. [GH-7224]
π FEATURES:
- Namespaces (Consul Enterprise only) This version adds namespacing to Consul. Namespaces help reduce operational challenges by removing restrictions around uniqueness of resource names across distinct teams, and enable operators to provide self-service through delegation of administrative privileges. Namespace support was added to:
- ACLs
- Key/Value Store
- Sessions
- Catalog
- Connect
- UI [GH6639]
- π agent: Add Cloud Auto-join support for Tencent Cloud [GH-6818]
- π connect: Added a new CA provider allowing Connect certificates to be managed by AWS ACM Private CA.
- π§ connect: Allow configuration of upstream connection limits in Envoy [GH-6829]
- π» ui: Adds UI support for Exposed Checks [GH6575]
- π» ui: Visualisation of the Discovery Chain [GH6746]
π IMPROVEMENTS:
- acl: Use constant time comparison when checking for the ACL agent master token. [GH-6943]
- acl: Add accessorID of token when ops are denied by ACL system [GH-7117]
- π§ agent: default the primary_datacenter to the datacenter if not configured [GH-7111]
- π§ agent: configurable
MaxQueryTime
andDefaultQueryTime
[GH-3777] - agent: do not deregister service checks twice [GH-6168]
- π agent: remove service sidecars in
cleanupRegistration
[GH-7022] - agent: setup grpc server with auto_encrypt certs and add
-https-port
[GH-7086 - β‘οΈ agent: some check types now support configuring a number of consecutive failure and success before the check status is updated in the catalog. [GH-5739]
- π agent: clients should only attempt to remove pruned nodes once per call [GH-6591]
- π§ agent: Consul HTTP checks can now send a configurable
body
in the request. [GH-6602] - agent: increase watchLimit to 8192. [GH-7200]
- api: A new
/v1/catalog/node-services/:node
endpoint was added that mirrors the existing/v1/catalog/node/:node
endpoint but has a response structure that contains a slice of services instead of a map of service ids to services. This new endpoint allows retrieving all services in all namespaces for a node. [GH-7115] - api: add option to set TLS options in-memory for API client [GH-7093]
- π¦ api: add replace-existing-checks param to the api package [GH-7136]
- π§ auto_encrypt: set dns and ip san for k8s and provide configuration [GH-6944]
- cli: improve the file safety of 'consul tls' subcommands [GH-7186]
- cli: give feedback to CLI user on forceleave command if node does not exist [GH-6841]
- connect: Envoy's whole stats endpoint can now be exposed to allow integrations like DataDog agent [GH-7070]
- connect: check if intermediate cert needs to be renewed. [GH-6835]
- π§ connect: Allow inlining of the TLS certificate in the Envoy configuration. [GH-6360]
- dns: Improvement to enable dual stack IPv4/IPv6 addressing of services and lookup via DNS [GH-6531]
- π lock:
consul lock
will now receive shutdown signals during the lock-acquisition process. [GH-5909] - raft: increase raft notify buffer [GH-6863]
- β‘οΈ raft: update raft to v1.1.2 [GH-7079]
- router: do not surface left servers [GH-6420]
- π² rpc: log method when a server/server RPC call fails [GH-4548]
- sentinel: (Consul Enterprise only) The Sentinel framework was upgraded to v0.13.0. See the Sentinel Release Notes for more information.
- telemetry: Added
consul.rpc.queries_blocking
gauge to measure the current number of in-flight blocking queries. [GH-7224] - 0οΈβ£ ui: Discovery chain improvements for clarifying the default router [GH-7222]
- π» ui: Added unique browser titles to each page [GH-7118]
- β‘οΈ ui: Add live updates/blocking queries to the Intention listing page [GH-7161]
- π» ui: Use more consistent icons with other HashiCorp products in the UI [GH-6851]
- π» ui: Improvements to the Discovery Chain visualisation in respect to redirects [GH-7036]
- π» ui: Improvement keyboard navigation of the main menu [GH-7090]
- π ui: New row confirmation dialogs [GH-7007]
- π» ui: Various visual CSS amends and alterations [GH6495] [[GH6881]](https://github.com/hashicorp/consul/
- π» ui: Hides the Routing tab for a service proxy [GH-7195]
- π» ui: Add ability to search nodes listing page with IP Address [GH-7204]
- xds: mesh gateway CDS requests are now allowed to receive an empty CDS reply [GH-6787]
- β xds: Verified integration test suite with Envoy 1.12.2 & 1.13.0 [GH-6947]
- agent: Added ACL token for Consul managed service providers [GH-7218]
π BUGFIXES:
- agent: fix watch event behavior [GH-5265]
- π agent: ensure node info sync and full sync [GH-7189]
- π autopilot: Fixed dead server removal condition to use correct failure tolerance. [GH-4017]
- cli: services register command now correctly registers an unamed healthcheck [GH-6800]
- π cli: remove
-dev
fromconsul version
in ARM builds in the 1.6.2 release [GH-6875] - cli: ui_content_path config option fix [GH-6601]
- π config: Fixed a bug that caused some config parsing to be case-sensitive: [GH-7191]
- connect: CAs can now use RSA keys correctly to sign EC leafs [GH-6638]
- connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index [GH-7011]
- β‘οΈ connect: ensure that updates to the secondary root CA configuration use the correct signing key ID values for comparison [GH-7012]
- connect: use correct subject key id for leaf certificates. [GH-7091]
- π² log: handle discard all logfiles properly [GH-6945]
- β‘οΈ state: restore a few more service-kind index updates so blocking in ServiceDump works in more cases [GH-6948]
- tls: fix behavior related to auto_encrypt and verify_incoming (#6899) [GH-6811]
- π» ui: Ensure the main navigation menu is closed on click [GH-7164]
- β‘οΈ ui: Ensure KV flags are passed through to Consul on update [GH-7216]
- π» ui: Fix positioning of active icon in main navigation menu [GH-7233]
- π» ui: Ensure the Namespace property is sent to Consul in OSS [GH-7238]
- π ui: Remove the Policy/Service Identity selector from namespace policy form [GH-7124]
- π» ui: Fix positioning of active icon in the selected menu item [GH-7148]
- π ui: Discovery-Chain: Improve parsing of redirects [GH-7174]
- π» ui: Fix styling of βduplicate intentionβ error message [GH6936]
-
v1.7.0-beta4 Changes
January 31, 2020π SECURITY
- agent: mitigate potential DoS vector allowing unbounded server resource usage from unauthenticated connections [GH-7159]
- acl: add ACL enforcement to the
v1/agent/health/service/*
endpoints [GH-7160]
π IMPROVEMENTS:
- π logging: Switch over to using go-hclog and allow emitting either structured or unstructured logs. [GH-1249][GH-7130]
π BUGFIXES:
- acl: (Consul Enterprise only)
intention:write
privileges are now granted by thenamespace-management
policy that is injected into each new namespace. - π config: Fixed a bug that caused some config parsing to be case-sensitive: [GH-7191]
- connect: (Consul Enterprise only) Fixed a bug that caused Envoy intention authorization to improperly request authorization in the
default
namespace. - connect: (Consul Enterprise only) Fixed bugs that caused the intention CLI interface to not properly handle namespaces in the strings passed as its arguments.
- π ui: Remove the Policy/Service Identity selector from namespace policy form [GH-7124]
- π» ui: Fix positioning of active icon in the selected menu item [GH-7148]
- π ui: Discovery-Chain: Improve parsing of redirects [GH-7174]
π IMPROVEMENTS:
-
v1.7.0-beta3 Changes
January 24, 2020π₯ BREAKING CHANGES:
- agent: The ACL requirement for the agent/force-leave endpoint is now
operator:write
rather thanagent:write
. [GH-7033] - intentions: Change the ACL requirement and enforcement for wildcard rules. Previously this would look for an ACL rule that would grant access to the service/intention
*
. Now, in order to write a wildcard intention requires write access to all intentions and reading a wildcard intention requires read access to any intention that would match. Additionally intention listing and reading allow access if the requester can read either side of the intention whereas before it only allowed it for permissions on the destination side. [GH-7028]
π FEATURES:
- acl: (Consul Enterprise only) auth methods defined in the
default
namespace gained the ability to create tokens in alternate namespaces. This capability was implemented for all existing auth methods. - connect: (Consul Enterprise only) Namespaces are now fully functional with Connect and Configuration Entries.
π IMPROVEMENTS:
- π§ agent: default the primary_datacenter to the datacenter if not configured [GH-7111]
- π§ agent: configurable
MaxQueryTime
andDefaultQueryTime
[GH-3777] - agent: do not deregister service checks twice [GH-6168]
- π agent: remove service sidecars in
cleanupRegistration
[GH-7022] - agent: setup grpc server with auto_encrypt certs and add
-https-port
[GH-7086 - api: A new
/v1/catalog/node-services/:node
endpoint was added that mirrors the existing/v1/catalog/node/:node
endpoint but has a response structure that contains a slice of services instead of a map of service ids to services. This new endpoint allow retrieving all services in all namespaces for a node. [GH-7115] - π§ auto_encrypt: set dns and ip san for k8s and provide configuration [GH-6944]
- connect: check if intermediate cert needs to be renewed. [GH-6835]
- dns: Improvement to enable dual stack IPv4/IPv6 addressing of services and lookup via DNS [GH-6531]
- π lock:
consul lock
will now receive shutdown signals during the lock-acquisition process. [GH-5909] - raft: increase raft notify buffer [GH-6863]
- β‘οΈ raft: update raft to v1.1.2 [GH-7079]
- π² rpc: log method when a server/server RPC call fails [GH-4548]
- π» ui: Use more consistent icons with other HashiCorp products in the UI [GH-6851]
- π» ui: Improvements to the Discovery Chain visualisation in respect to redirects [GH-7036]
- π» ui: Improvement keyboard navigation of the main menu [GH-7090]
- π ui: New row confirmation dialogs [GH-7007]
π BUGFIXES:
- connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index [GH-7011]
- β‘οΈ connect: ensure that updates to the secondary root CA configuration use the correct signing key ID values for comparison [GH-7012]
- connect: use correct subject key id for leaf certificates. [GH-7091]
- agent: The ACL requirement for the agent/force-leave endpoint is now
-
v1.7.0-beta2 Changes
December 20, 2019π FEATURES:
- π» ui: UI support for Namespaces [GH6639]
- π» ui: Adds UI support for Exposed Checks [GH6575]
- π» ui: Visualisation of the Discovery Chain [GH6746]
π IMPROVEMENTS:
- acl: Use constant time comparison when checking for the ACL agent master token. [GH-6943]
- api: (Consul Enterprise only) The API client will now configure the HTTP Client's configured default namespace to the value of the
CONSUL_NAMESPACE
environment variable if not explicitly overridden. - π§ connect: Allow inlining of the TLS certificate in the Envoy configuration. [GH-6360]
- namespaces: (Consul Enterprise only) The desired namespace will be defaulted to the namespace of the ACL token used for an HTTP/RPC request if no other namespace is explicitly set.
- namespaces: (Consul Enterprise only) Allow for creating and resolving tokens not linked to any roles, policies or service identities. These tokens can be granted access based on the default policies and roles associated with the tokens namespace.
- π» ui: Various visual CSS amends and alterations [GH6495] [GH6881]
π BUG FIXES
- api: (Consul Enterprise only) The Meta field was added into the
Namespace
struct definition within the API module. Previously the HTTP accepted this field, it was just missing from the API client. - π autopilot: Fixed dead server removal condition to use correct failure tolerance. [GH-4017]
- cli: (Consul Enterprise only) Changed the CLI parameter used to specify the namespace from
-ns
to `-namespace. - dns: (Consul Enterprise only) Fixed an issue resulting in the
dns_config.prefer_namespace
configuration to not work properly. - β‘οΈ dns: Updated miekg/dns dependency to fix a memory leak. [GH-6748]
- π² log: handle discard all logfiles properly [GH-6945]
- β‘οΈ state: restore a few more service-kind index updates so blocking in ServiceDump works in more cases [GH-6948]
- π» ui: Fix styling of βduplicate intentionβ error message [GH6936]
-
v1.7.0-beta1 Changes
December 10, 2019NOTES:
- π cli: Our darwin releases for this version and up will be signed and notarized according to Apple's requirements.
π Prior to this release, MacOS 10.15+ users attempting to run our software may see the error: "'consul' cannot be opened because the developer cannot be verified." This error affected all MacOS 10.15+ users who downloaded our software directly via web browsers, and was caused by changes to Apple's third-party software requirements.
β¬οΈ MacOS 10.15+ users should plan to upgrade to 1.7.0+.
π₯ BREAKING CHANGES:
- http: The HTTP API no longer accepts JSON fields that are unknown to it. Instead errors will be returned with 400 status codes [GH-6874]
- dns: PTR record queries now return answers that contain the Consul datacenter as a label between
service
and the domain. [GH-6909]
π FEATURES
- Namespaces (Consul Enterprise only) This version adds namespacing to Consul. Namespaces help reduce operational challenges by removing restrictions around uniqueness of resource names across distinct teams, and enable operators to provide self-service through delegation of administrative privileges.
- GCP Snapshot Storage (Consul Enterprise only). This allows for Consul snapshots (created as backup for disaster recovery) to be stored in GCP
- π connect: Added a new CA provider allowing Connect certificates to be managed by AWS ACM Private CA.
- π§ connect: Allow configuration of upstream connection limits in Envoy [GH-6829]
- π agent: Add Cloud Auto-join support for Tencent Cloud [GH-6818]
π IMPROVEMENTS
- β‘οΈ agent: some check types now support configuring a number of consecutive failure and success before the check status is updated in the catalog. [GH-5739]
- π agent: clients should only attempt to remove pruned nodes once per call [GH-6591]
- cli: give feedback to CLI user on forceleave command if node does not exist [GH-6841]
- router: do not surface left servers [GH-6420]
- sentinel: (Consul Enterprise only) The Sentinel framework was upgraded to v0.13.0. See the Sentinel Release Notes for more information.
- xds: mesh gateway CDS requests are now allowed to receive an empty CDS reply [GH-6787]
π BUG FIXES
- π cli: remove
-dev
fromconsul version
in ARM builds in the 1.6.2 release [GH-6875] - cli: ui_content_path config option fix [GH-6601]
- agent: fix watch event behavior [GH-5265]
- connect: CAs can now use RSA keys correctly to sign EC leafs [GH-6638]
- cli: services register command now correctly registers an unamed healthcheck [GH-6800]
- tls: fix behavior related to auto_encrypt and verify_incoming (#6899) [GH-6811]
-
v1.6.10 Changes
November 19, 20201.6.10 (November 19, 2020)
π SECURITY:
- π§ Increase the permissions to read from the
/connect/ca/configuration
endpoint tooperator:write
. Previously Connect CA configuration, including the private key, set via this endpoint could be read back by an operator withoperator:read
privileges. CVE-2020-28053 [GH-9240]
- π§ Increase the permissions to read from the
-
v1.6.9 Changes
September 11, 20201.6.9 (September 11, 2020)
π BUG FIXES:
- π api: fixed a panic caused by an api request with Connect=null [GH-8537]