Releases: hashicorp/consul-k8s
v1.6.0
1.6.0 (October 16, 2024)
NOTE: Consul K8s 1.6.x is compatible with Consul 1.20.x and Consul Dataplane 1.6.x. Refer to our compatibility matrix for more info.
SECURITY:
- Upgrade Go to use 1.22.7. This addresses CVE-2024-34155 [GH-4313]
IMPROVEMENTS:
- dns-proxy: add the ability to deploy a DNS proxy within the kubernetes cluster that forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests. [GH-4300]
- sync-catalog: expose prometheus scrape metrics on sync-catalog pods [GH-4212]
- connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [GH-4307]
- helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [GH-4333]
BUG FIXES:
- control-plane: add missing $HOST_IP environment variable to consul-dataplane sidecar containers [GH-4277]
- helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [GH-3989]
- sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [GH-4255]
v1.6.0-rc1
1.6.0-rc1 (September 20, 2024)
SECURITY:
- Upgrade Go to use 1.22.7. This addresses CVE-2024-34155 [GH-4313]
IMPROVEMENTS:
- dns-proxy: add the ability to deploy a DNS proxy within the kubernetes cluster that forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests. [GH-4300]
- sync-catalog: expose prometheus scrape metrics on sync-catalog pods [GH-4212]
- connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [GH-4307]
- helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [GH-4333]
BUG FIXES:
- control-plane: add missing $HOST_IP environment variable to consul-dataplane sidecar containers [GH-4277]
- helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [GH-3989]
- sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [GH-4255]
v1.5.3
1.5.3 (August 30, 2024)
SECURITY:
- Bump Go to 1.22.5 to address CVE-2024-24791 [GH-4228]
- Upgrade Docker cli to use v.27.1. This addresses CVE-2024-41110 [GH-4228]
IMPROVEMENTS:
- docker: update go-discover binary [GH-4287]
- docker: update ubi base image to ubi9-minimal:9.4. [GH-4287]
- helm: Adds webhookCertManager.resources field which can be configured to override the resource settings for the webhook-cert-manager deployment. [GH-4184]
- helm: Adds connectInject.apiGateway.managedGatewayClass.resourceJob.resources field which can be configured to override the resource settings for the gateway-resources-job job. [GH-4184]
- config-entry: add validate_clusters to mesh config entry [GH-4256]
- helm: Kubernetes v1.30 is now supported. Minimum tested version of Kubernetes is now v1.27. [GH-4244]
BUG FIXES:
- Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD. [GH-4213]
- api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified [GH-4247]
- helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job; these jobs previously failed if the image was in a private registry [GH-4210]
- openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior. This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [GH-4227]
- sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process [GH-4266]
- terminating-gateways: Fix bug where namespace field was not correctly set on ACL policies if using the Registration CRD with the service's namespace unset. [GH-4224]
v1.4.6
1.4.6 (August 30, 2024)
SECURITY:
- Bump Go to 1.22.5 to address CVE-2024-24791 [GH-4228]
- Upgrade Docker cli to use v.27.1. This addresses CVE-2024-41110 [GH-4228]
IMPROVEMENTS:
- docker: update go-discover binary [GH-4287]
- docker: update ubi base image to ubi9-minimal:9.4. [GH-4287]
- helm: Adds webhookCertManager.resources field which can be configured to override the resource settings for the webhook-cert-manager deployment. [GH-4184]
- helm: Adds connectInject.apiGateway.managedGatewayClass.resourceJob.resources field which can be configured to override the resource settings for the gateway-resources-job job. [GH-4184]
- config-entry: add validate_clusters to mesh config entry [GH-4256]
BUG FIXES:
- Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD. [GH-4213]
- api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified [GH-4247]
- control-plane: add missing $HOST_IP environment variable to consul-dataplane sidecar containers [GH-3916]
- helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job; these jobs previously failed if the image was in a private registry [GH-4210]
- openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior. This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [GH-4227]
- sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process [GH-4266]
v1.3.9
1.3.9 (August 30, 2024)
SECURITY:
- Bump Go to 1.22.5 to address CVE-2024-24791 [GH-4228]
- Upgrade Docker cli to use v.27.1. This addresses CVE-2024-41110 [GH-4228]
IMPROVEMENTS:
- docker: update go-discover binary [GH-4287]
- docker: update ubi base image to ubi9-minimal:9.4. [GH-4287]
- helm: Adds webhookCertManager.resources field which can be configured to override the resource settings for the webhook-cert-manager deployment. [GH-4184]
- helm: Adds connectInject.apiGateway.managedGatewayClass.resourceJob.resources field which can be configured to override the resource settings for the gateway-resources-job job. [GH-4184]
- config-entry: add validate_clusters to mesh config entry [GH-4256]
BUG FIXES:
- Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD. [GH-4213]
- api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified [GH-4247]
- helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [GH-3989]
- helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job; these jobs previously failed if the image was in a private registry [GH-4210]
- openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior. This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [GH-4227]
- sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process [GH-4266]
v1.1.16
1.1.16 (August 30, 2024)
SECURITY:
- Bump Go to 1.22.5 to address CVE-2024-24791 [GH-4228]
- Upgrade Docker cli to use v.27.1. This addresses CVE-2024-41110 [GH-4228]
IMPROVEMENTS:
- docker: update go-discover binary [GH-4287]
- docker: update ubi base image to ubi9-minimal:9.4. [GH-4287]
- helm: Adds webhookCertManager.resources field which can be configured to override the resource settings for the webhook-cert-manager deployment. [GH-4184]
- helm: Adds connectInject.apiGateway.managedGatewayClass.resourceJob.resources field which can be configured to override the resource settings for the gateway-resources-job job. [GH-4184]
- config-entry: add validate_clusters to mesh config entry [GH-4256]
BUG FIXES:
- openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior. This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [GH-4227]
- sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process [GH-4266]
v1.4.5
1.4.5 (August 29, 2024)
SECURITY:
- Bump Go to 1.22.5 to address CVE-2024-24791 [GH-4228]
- Upgrade Docker cli to use v.27.1. This addresses CVE-2024-41110 [GH-4228]
IMPROVEMENTS:
- helm: Adds webhookCertManager.resources field which can be configured to override the resource settings for the webhook-cert-manager deployment. [GH-4184]
- helm: Adds connectInject.apiGateway.managedGatewayClass.resourceJob.resources field which can be configured to override the resource settings for the gateway-resources-job job. [GH-4184]
- config-entry: add validate_clusters to mesh config entry [GH-4256]
BUG FIXES:
- Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD. [GH-4213]
- api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified [GH-4247]
- helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job; these jobs previously failed if the image was in a private registry [GH-4210]
- openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior. This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [GH-4227]
v1.3.8
1.3.8 (August 29, 2024)
SECURITY:
- Bump Go to 1.22.5 to address CVE-2024-24791 [GH-4228]
- Upgrade Docker cli to use v.27.1. This addresses CVE-2024-41110 [GH-4228]
IMPROVEMENTS:
- helm: Adds webhookCertManager.resources field which can be configured to override the resource settings for the webhook-cert-manager deployment. [GH-4184]
- helm: Adds connectInject.apiGateway.managedGatewayClass.resourceJob.resources field which can be configured to override the resource settings for the gateway-resources-job job. [GH-4184]
- config-entry: add validate_clusters to mesh config entry [GH-4256]
BUG FIXES:
- Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD. [GH-4213]
- api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified [GH-4247]
- helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [GH-3989]
- helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job; these jobs previously failed if the image was in a private registry [GH-4210]
- openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior. This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [GH-4227]
v1.1.15
1.1.15 (August 28, 2024)
SECURITY:
- Bump Go to 1.22.5 to address CVE-2024-24791 [GH-4228]
- Upgrade Docker cli to use v.27.1. This addresses CVE-2024-41110 [GH-4228]
IMPROVEMENTS:
- helm: Adds webhookCertManager.resources field which can be configured to override the resource settings for the webhook-cert-manager deployment. [GH-4184]
- helm: Adds connectInject.apiGateway.managedGatewayClass.resourceJob.resources field which can be configured to override the resource settings for the gateway-resources-job job. [GH-4184]
- config-entry: add validate_clusters to mesh config entry [GH-4256]
BUG FIXES:
- openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior. This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [GH-4227]
v1.5.1
1.5.1 (July 16, 2024)
SECURITY:
- Upgrade go version to 1.22.5 to address CVE-2024-24791 [GH-4154]
- Upgrade go-retryablehttp to v0.7.7 to address GHSA-v6v8-xj6m-xwqh [GH-4169]
IMPROVEMENTS:
- api-gateways: Change security settings to make root file system read only and to not allow privilege escalation. [GH-3959]
- control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift. [GH-4152]
- partition-init: Role no longer includes unnecessary access to Secrets resource. [GH-4053]
BUG FIXES:
- api-gateway: fix issue where API Gateway specific acl roles/policy were not being cleaned up on deletion of an api-gateway [GH-4060]
- connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar [GH-4152]
- endpoints-controller: graceful shutdown logic should not run on a new pod with the same name. Fixes a case where statefulset rollouts could get stuck in graceful shutdown when the new pods come up. [GH-4059]
- terminating-gateway: Fix generated acl policy for external services to include the namespace and partition block if they are enabled. [GH-4153]