v0.26.0

0.26.0 (June 22, 2021)

FEATURES:

  • Connect: Support Transparent Proxy. [GH-481]
    This feature lets users reach other services within the Consul Service Mesh via KubeDNS
    and enforces that inbound and outbound traffic goes through the Envoy proxy.

    Using transparent proxy for your service mesh applications means:

    • Proxy service registrations will set mode to transparent in the proxy configuration
      so that Consul can configure the Envoy proxy to have an inbound and outbound listener.
    • Both proxy and service registrations will include the cluster IP and service port of the Kubernetes service
      as tagged addresses so that Consul can configure Envoy to route traffic based on that IP and port.
    • The consul-connect-inject-init container will run the consul connect redirect-traffic command,
      which applies iptables rules to redirect inbound and outbound traffic to the proxy.
      To run this command, the consul-connect-inject-init container must run as root with the NET_ADMIN capability.

    This feature includes the following changes:

    • Add new -enable-transparent-proxy flag to the inject-connect command.
      When true, transparent proxy will be used for all services on the Consul Service Mesh
      within a Kubernetes cluster. This flag defaults to true.
    • Add new consul.hashicorp.com/transparent-proxy pod annotation to allow enabling and disabling transparent
      proxy for individual services.
  • CRDs: Add CRD for MeshConfigEntry. Supported in Consul 1.10+ [GH-513]

  • Connect: Overwrite Kubernetes HTTP readiness and/or liveness probes to point to Envoy proxy when
    transparent proxy is enabled. [GH-517]

  • Connect: Allow exclusion of inbound ports, outbound ports and CIDRs, and additional user IDs when
    Transparent Proxy is enabled. [GH-506]

    The following annotations are supported:

    • consul.hashicorp.com/transparent-proxy-exclude-inbound-ports - Comma-separated list of inbound ports to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-outbound-ports - Comma-separated list of outbound ports to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs - Comma-separated list of IPs or CIDRs to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-uids - Comma-separated list of Linux user IDs to exclude.
  • Connect: Add the ability to set default tproxy mode at namespace level via label. [GH-501]

    • Setting the annotation consul.hashicorp.com/transparent-proxy to true/false will define whether tproxy is enabled/disabled for the pod.
    • Setting the label consul.hashicorp.com/transparent-proxy to true/false on a namespace will define the default behavior for pods in that namespace, which do not also have the annotation set.
    • The default tproxy behavior is defined by the value of the -enable-transparent-proxy flag to the consul-k8s inject-connect command. It can be overridden for a namespace by the label on the namespace, or for a pod by the annotation on the pod.
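    As an added example (not consul-k8s code) of the precedence just described and of the exclusion annotations above: the pod annotation overrides the namespace label, which overrides the flag default, and every exclude-outbound-cidrs entry is validated because each one is a deliberate hole in the redirect rules. Only the annotation keys come from the release notes; the function and constant names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Pod annotation key and namespace label key named in the release notes.
const keyTProxy = "consul.hashicorp.com/transparent-proxy"

// EffectiveTProxy resolves one pod's transparent-proxy mode: pod annotation,
// then namespace label, then the -enable-transparent-proxy flag; bad values error.
func EffectiveTProxy(flagDefault bool, nsLabels, podAnnotations map[string]string) (bool, error) {
	for _, src := range []map[string]string{podAnnotations, nsLabels} {
		if v, ok := src[keyTProxy]; ok {
			b, err := strconv.ParseBool(strings.TrimSpace(v))
			if err != nil {
				return false, fmt.Errorf("%s=%q: %w", keyTProxy, v, err)
			}
			return b, nil
		}
	}
	return flagDefault, nil
}

// ParseExcludeCIDRs validates a transparent-proxy-exclude-outbound-cidrs value;
// each entry bypasses Envoy, so unparsable input is rejected and bare IPs become /32 or /128.
func ParseExcludeCIDRs(list string) ([]*net.IPNet, error) {
	var out []*net.IPNet
	for _, f := range strings.Split(list, ",") {
		if f = strings.TrimSpace(f); f == "" {
			continue // tolerate a trailing or doubled comma
		}
		if ip := net.ParseIP(f); ip != nil { // bare IP without a "/"
			if ip.To4() != nil {
				f += "/32"
			} else {
				f += "/128"
			}
		}
		_, n, err := net.ParseCIDR(f)
		if err != nil {
			return nil, fmt.Errorf("exclude-outbound-cidrs: %w", err)
		}
		out = append(out, n)
	}
	return out, nil
}
```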
  • Connect: support upgrading services that were deployed before the endpoints controller existed
    to a version of consul-k8s with the endpoints controller. [GH-509]

  • Connect: A new command consul-k8s connect-init has been added.
    It replaces the existing init-container logic for ACL login and Envoy bootstrapping and introduces a polling wait for service registration,
    see Endpoints Controller for more information.
    [GH-446], [GH-452], [GH-459]

  • Connect: A new controller Endpoints Controller has been added which is responsible for managing service endpoints and service registration.
    When a Kubernetes service references a deployed connect-injected pod, the endpoints controller will be responsible for managing the lifecycle of the connect-injected deployment. [GH-455], [GH-467], [GH-470], [GH-475]

    • This includes:
      • service registration and deregistration, formerly managed by the consul-connect-inject-init.
      • monitoring health checks, formerly managed by healthchecks-controller.
      • re-registering services in the event of Consul agent failures, formerly managed by consul-sidecar.
    • The endpoints controller replaces the health checks controller while preserving existing functionality. [GH-472]
    • The endpoints controller replaces the cleanup controller while preserving existing functionality.
      [GH-476], [GH-454]
    • Merged metrics configuration support is now partially managed by the endpoints controller.
      [GH-469]

IMPROVEMENTS:

  • Connect: skip service registration when a service with the same name but in a different Kubernetes namespace is found
    and Consul namespaces are not enabled. [GH-527]
  • Connect: Leader election support for connect-inject deployment. [GH-479]
  • Connect: the consul-connect-inject-init container has been split into two init containers. [GH-441]
  • Connect: the Connect webhook no longer generates its own certificates and relies on them being provided as files on disk.
    [GH-454]
  • CRDs: Update ServiceDefaults with Mode, TransparentProxy, DialedDirectly and UpstreamConfigs fields. Note: Mode and TransparentProxy should not be set
    using this CRD but via annotations. [GH-502], [GH-485], [GH-533]
  • CRDs: Update ProxyDefaults with Mode, DialedDirectly and TransparentProxy fields. Note: Mode and TransparentProxy should not be set
    using the CRD but via annotations. [GH-505], [GH-485], [GH-533]
  • CRDs: update the CRD versions from v1beta1 to v1. [GH-464]
  • Delete secrets created by webhook-cert-manager when the deployment is deleted. [GH-530]

BUG FIXES:

  • CRDs: Update the type of connectTimeout and TTL in ServiceResolver and ServiceRouter from time.Duration to metav1.Duration.
    This allows a user to set these values as a duration string on the resource. Existing resources that set a plain integer
    will continue to function, with the integer n interpreted as a duration of n nanoseconds.
  • CRDs: Fix a bug where the config field in the ProxyDefaults CR failed to sync to Consul because apiextensions.k8s.io/v1 requires the CRD spec to have a structured schema. [GH-495]
  • CRDs: make lastSyncedTime a pointer to prevent Reconcile errors when setting the last synced time. [GH-466]

BREAKING CHANGES:

  • Connect: Add a security context to the init copy container and the Envoy sidecar and ensure they
    do not run as root. If a pod container shares the same runAsUser (5995) as Envoy, an error is returned.
    [GH-493]

  • Connect: Kubernetes Services are required for all Consul Service Mesh applications.
    The Kubernetes service name will be used as the service name to register with Consul
    unless the annotation consul.hashicorp.com/connect-service is provided to the deployment/pod to override this.
    If using ACLs, the ServiceAccountName must match the service name used with Consul.

    Note: if you're already using a Kubernetes service, no changes are required.

    Example Service:

    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: sample-app
    spec:
      selector:
        app: sample-app
      ports:
        - port: 80
          targetPort: 9090
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: sample-app
      name: sample-app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: sample-app
      template:
        metadata:
          annotations:
            'consul.hashicorp.com/connect-inject': 'true'
          labels:
            app: sample-app
        spec:
          containers:
          - name: sample-app
            image: sample-app:0.1.0
            ports:
            - containerPort: 9090
  • Connect: consul.hashicorp.com/connect-sync-period annotation is no longer supported.
    This annotation used to configure the sync period of the consul-sidecar (aka lifecycle-sidecar).
    Since we no longer inject the consul-sidecar to keep services registered in Consul, this annotation has
    been removed. [GH-467]

  • Connect: the transparent proxy feature is enabled by default. This may break existing deployments.
    Please see the details of the feature above.