All Versions
183
Latest Version
Avg Release Cycle
29 days
Latest Release
555 days ago

Changelog History
Page 11

  • v1.7.3 Changes

    May 05, 2020

    πŸ‘Œ IMPROVEMENTS:

    • acl: (Consul Enterprise only) - Disable the ACL.Bootstrap RPC endpoints when managed service provider tokens are in use. [GH-7614]
    • acl: (Consul Enterprise only) - Consul agents will now use the first managed service provider token for the agents token when any are present.
    • acl: Added a v1/acl/policy/name/:name HTTP endpoint to read a policy by name. [GH-6615]
    • acl: Added JSON format output to all of the ACL CLI commands. [GH-7141]
    • ⚑️ agent/xds: Update mesh gateway to use the service resolver connect timeout when configured [GH-6370]
    • 🌲 cli: Log "newer version available" message at INFO level [GH-7457]
    • πŸ”§ config: Consul Enterprise specific configuration are now parseable in OSS but will emit warnings about them not being used. [GH-7714
    • network areas: (Consul Enterprise only) - Network areas are using memberlist with TCP and for every message a new connection was established. Now the connections multiplexed with yamux, which means that way fewer connections are created.
    • network segments: (Consul Enterprise only) - The segment configuration is no longer stored in serf node tags. There is now an RPC endpoint for the same information, which means that the number of network segment is no longer limited by node meta tag size.
    • snapshot agent: (Consul Enterprise only) - Azure has different environments, of which it was only possible to use the public one so far. A new flag was added so that every other environment can be used as well, like Azure China.

    πŸ›  BUGFIXES:

    • agent: don't let left nodes hold onto their node-id [GH-7775]
    • agent: (Consul Enterprise only) Fixed several bugs related to Network Area ann Network Segment compatibility with other features caused by incorrectly doing version or serf tag checking. [GH-7491]
    • cli: ensure that 'snapshot save' is fsync safe and also only writes to the requested file on success [GH-7698]
    • βͺ cli: fix usage of gzip.Reader to better detect corrupt snapshots during save/restore [GH-7697]
    • connect: Fix panic when validating a service-router config entry with no destination [GH-7783]
    • namespace: (Consul Enterprise only) Fixed several bugs where results from multiple namespaces would be returned when only a single namespace was being queried when the token making the request had permissions to see all of them.
    • snapshot agent (Consul Enterprise only): Ensure snapshots persisted with the local backend are fsync safe and also only writes to the requested file on success.
    • snapshot agent (Consul Enterprise only): Verify integrity of snapshots locally before storing with the configured backend.
    • πŸ’» ui: Ensure blocking queries are used in the service instance page instead of polling [GH-7543]
    • πŸ’» ui: Fix a refreshing/rescrolling issue for the healthcheck listings [GH-7550] [GH-7365]
    • πŸ’» ui: Fix token duplication action bug [GH-7552]
    • πŸ’» ui: Lazily detect HTTP protocol along with a fallback for non-detection [GH-7644] [GH-7643]
    • 0️⃣ ui: Ensure KV names using 'special' terms within the default namespace are editable when the URL doesn't include the default namespace [GH-7734]
    • xds: Fix flapping of mesh gateway connect-service watches [GH-7575]
  • v1.7.2 Changes

    March 16, 2020

    πŸ‘Œ IMPROVEMENTS:

    • πŸ”§ agent: add option to configure max request length for /v1/txn endpoint [GH-7388]
    • πŸ— build: bump the expected go language version of the main module to 1.13 [GH-7429]
    • πŸ’» agent: add http_config.response header to the UI headers [GH-7369]
    • agent: Added documentation and error messages related to kv_max_value_size option [GH-7405]]
    • agent: Take Prometheus MIME-type header into account [GH-7371]]

    πŸ›  BUGFIXES:

    • ⚑️ acl: Updated token resolution so managed service provider token applies to all endpoints. [GH-7431]
    • πŸ›  agent: Fixed error output when agent crashes early [GH-7411]
    • agent: Handle bars in node names when displaying lists in CLI like consul members [GH-6652]]
    • agent: Avoid discarding health check status on consul reload [GH-7345]]
    • network areas: (Consul Enterprise only) - Fixed compatibility issues with network areas and v1.4.0+ ACLs as well as network areas and namespaces. The issue was that secondary datacenters connected to the primary via a network area were not properly detecting that the primary DC supported those other features.
    • πŸ›  sessions: Fixed backwards incompatibility with 1.6.x and earlier [GH-7395][GH-7399]
    • πŸ›  sessions: Fixed backwards incompatibility with 1.6.x and earlier [GH-7395][GH-7398]
    • πŸ’» ui: Fixed a DOM refreshing bug on the node detail page which forced an scroll reset [GH-7365][GH-7377]
    • πŸ’» ui: Fix blocking query requests for the coordinates API requests [GH-7378]
    • πŸ’» ui: Enable recovery from an unreachable datacenter [GH-7404]
  • v1.7.1 Changes

    February 20, 2020

    πŸ‘Œ IMPROVEMENTS:

    • agent: sensible keyring error [GH-7272]
    • agent: add server raft.{last,applied}_index gauges [GH-6694]
    • πŸ— build: Switched to compile with Go 1.13.7 [GH-7262]
    • config: increase http_max_conns_per_client default to 200 [GH-7289]
    • πŸ‘ tls: support TLS 1.3 [GH-7325]

    πŸ›  BUGFIXES:

    • acl: (Consul Enterprise only) Fixed an issue that prevented remote policy and role resolution from working when namespace policy or role defaults were configured.
    • πŸ“œ dns: Fixed an issue that could cause the DNS server to consume excessive CPU resources when trying to parse IPv6 recursor addresses: [GH-6120]
    • πŸ”§ dns: Fixed an issue that caused Consul to setup a root zone handler when no alt_domain was configured. [GH-7323]
    • πŸ›  sessions: Fixed an issue that was causing deletions of a non-existent session to return a 500 when ACLs were enabled. [GH-6840]
    • πŸ”§ xds: Fix envoy retryOn behavior when multiple behaviors are configured [GH-7280]
    • πŸ”§ xds: Mesh Gateway fixes to prevent configuring extra clusters and for properly handling a service-resolvers default subset. [GH-7294]
    • πŸ’» ui: Gracefully cope with errors in discovery-chain when connect is disabled [GH-7291]
  • v1.7.0 Changes

    February 11, 2020

    NOTES:

    • 🏁 cli: Our Windows 32-bit and 64-bit executables for this version and up will be signed with a HashiCorp certificate. Windows users will no longer see a warning about an "unknown publisher" when running our software.

    • πŸš€ cli: Our darwin releases for this version and up will be signed and notarized according to Apple's requirements.

    πŸš€ Prior to this release, MacOS 10.15+ users attempting to run our software may see the error: "'consul' cannot be opened because the developer cannot be verified." This error affected all MacOS 10.15+ users who downloaded our software directly via web browsers, and was caused by changes to Apple's third-party software requirements.

    ⬆️ MacOS 10.15+ users should plan to upgrade to 1.7.0+.

    πŸ”’ SECURITY:

    • ⚑️ dns: Updated miekg/dns dependency to fix a memory leak and CVE-2019-19794. [GH-6984], [GH-7252]
    • ⚑️ updated to compile with [Go 1.12.16] which includes a fix for CVE-2020-0601 on windows [GH-7153]

    πŸ’₯ BREAKING CHANGES:

    • http: The HTTP API no longer accepts JSON fields that are unknown to it. Instead errors will be returned with 400 status codes [GH-6874]
    • dns: PTR record queries now return answers that contain the Consul datacenter as a label between service and the domain. [GH-6909]
    • agent: The ACL requirement for the agent/force-leave endpoint is now operator:write rather than agent:write. [GH-7033]
    • πŸ”Š logging: Switch over to using go-hclog and allow emitting either structured or unstructured logs. This changes the log format quite a bit and could break any log parsing users may have in place. [GH-1249][GH-7130]
    • intentions: Change the ACL requirement and enforcement for wildcard rules. Previously this would look for an ACL rule that would grant access to the service/intention *. Now, in order to write a wildcard intention requires write access to all intentions and reading a wildcard intention requires read access to any intention that would match. Additionally intention listing and reading allow access if the requester can read either side of the intention whereas before it only allowed it for permissions on the destination side. [GH-7028]
    • telemetry: consul.rpc.query has changed to only measure the start of srv.blockingQuery() calls. In certain rare cases where there are lots of idempotent updates this will cause the metric to report lower than before. The counter should now provides more meaningful behavior that maps to the rate of client-initiated requests. [GH-7224]

    πŸ”‹ FEATURES:

    • Namespaces (Consul Enterprise only) This version adds namespacing to Consul. Namespaces help reduce operational challenges by removing restrictions around uniqueness of resource names across distinct teams, and enable operators to provide self-service through delegation of administrative privileges. Namespace support was added to:
      • ACLs
      • Key/Value Store
      • Sessions
      • Catalog
      • Connect
      • UI [GH6639]
    • πŸ‘ agent: Add Cloud Auto-join support for Tencent Cloud [GH-6818]
    • πŸ“„ connect: Added a new CA provider allowing Connect certificates to be managed by AWS ACM Private CA.
    • πŸ”§ connect: Allow configuration of upstream connection limits in Envoy [GH-6829]
    • πŸ’» ui: Adds UI support for Exposed Checks [GH6575]
    • πŸ’» ui: Visualisation of the Discovery Chain [GH6746]

    πŸ‘Œ IMPROVEMENTS:

    • acl: Use constant time comparison when checking for the ACL agent master token. [GH-6943]
    • acl: Add accessorID of token when ops are denied by ACL system [GH-7117]
    • πŸ”§ agent: default the primary_datacenter to the datacenter if not configured [GH-7111]
    • πŸ”§ agent: configurable MaxQueryTime and DefaultQueryTime [GH-3777]
    • agent: do not deregister service checks twice [GH-6168]
    • 🚚 agent: remove service sidecars in cleanupRegistration [GH-7022]
    • agent: setup grpc server with auto_encrypt certs and add -https-port [GH-7086
    • ⚑️ agent: some check types now support configuring a number of consecutive failure and success before the check status is updated in the catalog. [GH-5739]
    • 🚚 agent: clients should only attempt to remove pruned nodes once per call [GH-6591]
    • πŸ”§ agent: Consul HTTP checks can now send a configurable body in the request. [GH-6602]
    • agent: increase watchLimit to 8192. [GH-7200]
    • api: A new /v1/catalog/node-services/:node endpoint was added that mirrors the existing /v1/catalog/node/:node endpoint but has a response structure that contains a slice of services instead of a map of service ids to services. This new endpoint allows retrieving all services in all namespaces for a node. [GH-7115]
    • api: add option to set TLS options in-memory for API client [GH-7093]
    • πŸ“¦ api: add replace-existing-checks param to the api package [GH-7136]
    • πŸ”§ auto_encrypt: set dns and ip san for k8s and provide configuration [GH-6944]
    • cli: improve the file safety of 'consul tls' subcommands [GH-7186]
    • cli: give feedback to CLI user on forceleave command if node does not exist [GH-6841]
    • connect: Envoy's whole stats endpoint can now be exposed to allow integrations like DataDog agent [GH-7070]
    • connect: check if intermediate cert needs to be renewed. [GH-6835]
    • πŸ”§ connect: Allow inlining of the TLS certificate in the Envoy configuration. [GH-6360]
    • dns: Improvement to enable dual stack IPv4/IPv6 addressing of services and lookup via DNS [GH-6531]
    • πŸ”’ lock: consul lock will now receive shutdown signals during the lock-acquisition process. [GH-5909]
    • raft: increase raft notify buffer [GH-6863]
    • ⚑️ raft: update raft to v1.1.2 [GH-7079]
    • router: do not surface left servers [GH-6420]
    • 🌲 rpc: log method when a server/server RPC call fails [GH-4548]
    • sentinel: (Consul Enterprise only) The Sentinel framework was upgraded to v0.13.0. See the Sentinel Release Notes for more information.
    • telemetry: Added consul.rpc.queries_blocking gauge to measure the current number of in-flight blocking queries. [GH-7224]
    • 0️⃣ ui: Discovery chain improvements for clarifying the default router [GH-7222]
    • πŸ’» ui: Added unique browser titles to each page [GH-7118]
    • ⚑️ ui: Add live updates/blocking queries to the Intention listing page [GH-7161]
    • πŸ’» ui: Use more consistent icons with other HashiCorp products in the UI [GH-6851]
    • πŸ’» ui: Improvements to the Discovery Chain visualisation in respect to redirects [GH-7036]
    • πŸ’» ui: Improvement keyboard navigation of the main menu [GH-7090]
    • πŸ”Š ui: New row confirmation dialogs [GH-7007]
    • πŸ’» ui: Various visual CSS amends and alterations [GH6495] [[GH6881]](https://github.com/hashicorp/consul/
    • πŸ’» ui: Hides the Routing tab for a service proxy [GH-7195]
    • πŸ’» ui: Add ability to search nodes listing page with IP Address [GH-7204]
    • xds: mesh gateway CDS requests are now allowed to receive an empty CDS reply [GH-6787]
    • βœ… xds: Verified integration test suite with Envoy 1.12.2 & 1.13.0 [GH-6947]
    • agent: Added ACL token for Consul managed service providers [GH-7218]

    πŸ›  BUGFIXES:

    • agent: fix watch event behavior [GH-5265]
    • πŸ”€ agent: ensure node info sync and full sync [GH-7189]
    • πŸ›  autopilot: Fixed dead server removal condition to use correct failure tolerance. [GH-4017]
    • cli: services register command now correctly registers an unamed healthcheck [GH-6800]
    • πŸš€ cli: remove -dev from consul version in ARM builds in the 1.6.2 release [GH-6875]
    • cli: ui_content_path config option fix [GH-6601]
    • πŸ“œ config: Fixed a bug that caused some config parsing to be case-sensitive: [GH-7191]
    • connect: CAs can now use RSA keys correctly to sign EC leafs [GH-6638]
    • connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index [GH-7011]
    • ⚑️ connect: ensure that updates to the secondary root CA configuration use the correct signing key ID values for comparison [GH-7012]
    • connect: use correct subject key id for leaf certificates. [GH-7091]
    • 🌲 log: handle discard all logfiles properly [GH-6945]
    • ⚑️ state: restore a few more service-kind index updates so blocking in ServiceDump works in more cases [GH-6948]
    • tls: fix behavior related to auto_encrypt and verify_incoming (#6899) [GH-6811]
    • πŸ’» ui: Ensure the main navigation menu is closed on click [GH-7164]
    • ⚑️ ui: Ensure KV flags are passed through to Consul on update [GH-7216]
    • πŸ’» ui: Fix positioning of active icon in main navigation menu [GH-7233]
    • πŸ’» ui: Ensure the Namespace property is sent to Consul in OSS [GH-7238]
    • 🚚 ui: Remove the Policy/Service Identity selector from namespace policy form [GH-7124]
    • πŸ’» ui: Fix positioning of active icon in the selected menu item [GH-7148]
    • πŸ“œ ui: Discovery-Chain: Improve parsing of redirects [GH-7174]
    • πŸ’» ui: Fix styling of β€˜duplicate intention’ error message [GH6936]
  • v1.7.0-beta4 Changes

    January 31, 2020

    πŸ”’ SECURITY

    • agent: mitigate potential DoS vector allowing unbounded server resource usage from unauthenticated connections [GH-7159]
    • acl: add ACL enforcement to the v1/agent/health/service/* endpoints [GH-7160]

    πŸ‘Œ IMPROVEMENTS:

    • πŸ”Š logging: Switch over to using go-hclog and allow emitting either structured or unstructured logs. [GH-1249][GH-7130]

    πŸ›  BUGFIXES:

    • acl: (Consul Enterprise only) intention:write privileges are now granted by the namespace-management policy that is injected into each new namespace.
    • πŸ“œ config: Fixed a bug that caused some config parsing to be case-sensitive: [GH-7191]
    • connect: (Consul Enterprise only) Fixed a bug that caused Envoy intention authorization to improperly request authorization in the default namespace.
    • connect: (Consul Enterprise only) Fixed bugs that caused the intention CLI interface to not properly handle namespaces in the strings passed as its arguments.
    • 🚚 ui: Remove the Policy/Service Identity selector from namespace policy form [GH-7124]
    • πŸ’» ui: Fix positioning of active icon in the selected menu item [GH-7148]
    • πŸ“œ ui: Discovery-Chain: Improve parsing of redirects [GH-7174]

    πŸ‘Œ IMPROVEMENTS:

    • cli: improve the file safety of 'consul tls' subcommands [GH-7186]
    • πŸ’» ui: Added unique browser titles to each page [GH-7118]
    • ⚑️ ui: Add live updates/blocking queries to the Intention listing page [GH-7161]
  • v1.7.0-beta3 Changes

    January 24, 2020

    πŸ’₯ BREAKING CHANGES:

    • agent: The ACL requirement for the agent/force-leave endpoint is now operator:write rather than agent:write. [GH-7033]
    • intentions: Change the ACL requirement and enforcement for wildcard rules. Previously this would look for an ACL rule that would grant access to the service/intention *. Now, in order to write a wildcard intention requires write access to all intentions and reading a wildcard intention requires read access to any intention that would match. Additionally intention listing and reading allow access if the requester can read either side of the intention whereas before it only allowed it for permissions on the destination side. [GH-7028]

    πŸ”‹ FEATURES:

    • acl: (Consul Enterprise only) auth methods defined in the default namespace gained the ability to create tokens in alternate namespaces. This capability was implemented for all existing auth methods.
    • connect: (Consul Enterprise only) Namespaces are now fully functional with Connect and Configuration Entries.

    πŸ‘Œ IMPROVEMENTS:

    • πŸ”§ agent: default the primary_datacenter to the datacenter if not configured [GH-7111]
    • πŸ”§ agent: configurable MaxQueryTime and DefaultQueryTime [GH-3777]
    • agent: do not deregister service checks twice [GH-6168]
    • 🚚 agent: remove service sidecars in cleanupRegistration [GH-7022]
    • agent: setup grpc server with auto_encrypt certs and add -https-port [GH-7086
    • api: A new /v1/catalog/node-services/:node endpoint was added that mirrors the existing /v1/catalog/node/:node endpoint but has a response structure that contains a slice of services instead of a map of service ids to services. This new endpoint allow retrieving all services in all namespaces for a node. [GH-7115]
    • πŸ”§ auto_encrypt: set dns and ip san for k8s and provide configuration [GH-6944]
    • connect: check if intermediate cert needs to be renewed. [GH-6835]
    • dns: Improvement to enable dual stack IPv4/IPv6 addressing of services and lookup via DNS [GH-6531]
    • πŸ”’ lock: consul lock will now receive shutdown signals during the lock-acquisition process. [GH-5909]
    • raft: increase raft notify buffer [GH-6863]
    • ⚑️ raft: update raft to v1.1.2 [GH-7079]
    • 🌲 rpc: log method when a server/server RPC call fails [GH-4548]
    • πŸ’» ui: Use more consistent icons with other HashiCorp products in the UI [GH-6851]
    • πŸ’» ui: Improvements to the Discovery Chain visualisation in respect to redirects [GH-7036]
    • πŸ’» ui: Improvement keyboard navigation of the main menu [GH-7090]
    • πŸ”Š ui: New row confirmation dialogs [GH-7007]

    πŸ›  BUGFIXES:

    • connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index [GH-7011]
    • ⚑️ connect: ensure that updates to the secondary root CA configuration use the correct signing key ID values for comparison [GH-7012]
    • connect: use correct subject key id for leaf certificates. [GH-7091]
  • v1.7.0-beta2 Changes

    December 20, 2019

    πŸ”‹ FEATURES:

    πŸ‘Œ IMPROVEMENTS:

    • acl: Use constant time comparison when checking for the ACL agent master token. [GH-6943]
    • api: (Consul Enterprise only) The API client will now configure the HTTP Client's configured default namespace to the value of the CONSUL_NAMESPACE environment variable if not explicitly overridden.
    • πŸ”§ connect: Allow inlining of the TLS certificate in the Envoy configuration. [GH-6360]
    • namespaces: (Consul Enterprise only) The desired namespace will be defaulted to the namespace of the ACL token used for an HTTP/RPC request if no other namespace is explicitly set.
    • namespaces: (Consul Enterprise only) Allow for creating and resolving tokens not linked to any roles, policies or service identities. These tokens can be granted access based on the default policies and roles associated with the tokens namespace.
    • πŸ’» ui: Various visual CSS amends and alterations [GH6495] [GH6881]

    πŸ› BUG FIXES

    • api: (Consul Enterprise only) The Meta field was added into the Namespace struct definition within the API module. Previously the HTTP accepted this field, it was just missing from the API client.
    • πŸ›  autopilot: Fixed dead server removal condition to use correct failure tolerance. [GH-4017]
    • cli: (Consul Enterprise only) Changed the CLI parameter used to specify the namespace from -ns to `-namespace.
    • dns: (Consul Enterprise only) Fixed an issue resulting in the dns_config.prefer_namespace configuration to not work properly.
    • ⚑️ dns: Updated miekg/dns dependency to fix a memory leak. [GH-6748]
    • 🌲 log: handle discard all logfiles properly [GH-6945]
    • ⚑️ state: restore a few more service-kind index updates so blocking in ServiceDump works in more cases [GH-6948]
    • πŸ’» ui: Fix styling of β€˜duplicate intention’ error message [GH6936]
  • v1.7.0-beta1 Changes

    December 10, 2019

    NOTES:

    • πŸš€ cli: Our darwin releases for this version and up will be signed and notarized according to Apple's requirements.

    πŸš€ Prior to this release, MacOS 10.15+ users attempting to run our software may see the error: "'consul' cannot be opened because the developer cannot be verified." This error affected all MacOS 10.15+ users who downloaded our software directly via web browsers, and was caused by changes to Apple's third-party software requirements.

    ⬆️ MacOS 10.15+ users should plan to upgrade to 1.7.0+.

    πŸ’₯ BREAKING CHANGES:

    • http: The HTTP API no longer accepts JSON fields that are unknown to it. Instead errors will be returned with 400 status codes [GH-6874]
    • dns: PTR record queries now return answers that contain the Consul datacenter as a label between service and the domain. [GH-6909]

    πŸ”‹ FEATURES

    • Namespaces (Consul Enterprise only) This version adds namespacing to Consul. Namespaces help reduce operational challenges by removing restrictions around uniqueness of resource names across distinct teams, and enable operators to provide self-service through delegation of administrative privileges.
    • GCP Snapshot Storage (Consul Enterprise only). This allows for Consul snapshots (created as backup for disaster recovery) to be stored in GCP
    • πŸ“„ connect: Added a new CA provider allowing Connect certificates to be managed by AWS ACM Private CA.
    • πŸ”§ connect: Allow configuration of upstream connection limits in Envoy [GH-6829]
    • πŸ‘ agent: Add Cloud Auto-join support for Tencent Cloud [GH-6818]

    πŸ‘Œ IMPROVEMENTS

    • ⚑️ agent: some check types now support configuring a number of consecutive failure and success before the check status is updated in the catalog. [GH-5739]
    • 🚚 agent: clients should only attempt to remove pruned nodes once per call [GH-6591]
    • cli: give feedback to CLI user on forceleave command if node does not exist [GH-6841]
    • router: do not surface left servers [GH-6420]
    • sentinel: (Consul Enterprise only) The Sentinel framework was upgraded to v0.13.0. See the Sentinel Release Notes for more information.
    • xds: mesh gateway CDS requests are now allowed to receive an empty CDS reply [GH-6787]

    πŸ› BUG FIXES

    • πŸš€ cli: remove -dev from consul version in ARM builds in the 1.6.2 release [GH-6875]
    • cli: ui_content_path config option fix [GH-6601]
    • agent: fix watch event behavior [GH-5265]
    • connect: CAs can now use RSA keys correctly to sign EC leafs [GH-6638]
    • cli: services register command now correctly registers an unamed healthcheck [GH-6800]
    • tls: fix behavior related to auto_encrypt and verify_incoming (#6899) [GH-6811]
  • v1.6.10 Changes

    November 19, 2020

    1.6.10 (November 19, 2020)

    πŸ”’ SECURITY:

    • πŸ”§ Increase the permissions to read from the /connect/ca/configuration endpoint to operator:write. Previously Connect CA configuration, including the private key, set via this endpoint could be read back by an operator with operator:read privileges. CVE-2020-28053 [GH-9240]
  • v1.6.9 Changes

    September 11, 2020

    1.6.9 (September 11, 2020)

    πŸ› BUG FIXES:

    • πŸ›  api: fixed a panic caused by an api request with Connect=null [GH-8537]