0.26.0 (June 22, 2021)
FEATURES:
- Connect: Support Transparent Proxy. [GH-481]
  This feature enables users to use KubeDNS to reach other services within the Consul Service Mesh,
  as well as enforces the inbound and outbound traffic to go through the Envoy proxy. Using transparent proxy for your service mesh applications means:
  - Proxy service registrations will set `mode` to `transparent` in the proxy configuration
    so that Consul can configure the Envoy proxy to have an inbound and outbound listener.
  - Both proxy and service registrations will include the cluster IP and service port of the Kubernetes service
    as tagged addresses so that Consul can configure Envoy to route traffic based on that IP and port.
  - The `consul-connect-inject-init` container will run the `consul connect redirect-traffic` command,
    which will apply rules (via iptables) to redirect inbound and outbound traffic to the proxy.
    To run this command the `consul-connect-inject-init` container requires running as root with capability `NET_ADMIN`.
  This feature includes the following changes:
  - Add new `-enable-transparent-proxy` flag to the `inject-connect` command.
    When `true`, transparent proxy will be used for all services on the Consul Service Mesh
    within a Kubernetes cluster. This flag defaults to `true`.
  - Add new `consul.hashicorp.com/transparent-proxy` pod annotation to allow enabling and disabling transparent
    proxy for individual services.
- CRDs: Add CRD for MeshConfigEntry. Supported in Consul 1.10+ [GH-513]
- Connect: Overwrite Kubernetes HTTP readiness and/or liveness probes to point to Envoy proxy when
  transparent proxy is enabled. [GH-517]
- Connect: Allow exclusion of inbound ports, outbound ports and CIDRs, and additional user IDs when
  Transparent Proxy is enabled. [GH-506] The following annotations are supported:
  - `consul.hashicorp.com/transparent-proxy-exclude-inbound-ports` - Comma-separated list of inbound ports to exclude.
  - `consul.hashicorp.com/transparent-proxy-exclude-outbound-ports` - Comma-separated list of outbound ports to exclude.
  - `consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs` - Comma-separated list of IPs or CIDRs to exclude.
  - `consul.hashicorp.com/transparent-proxy-exclude-uids` - Comma-separated list of Linux user IDs to exclude.
- Connect: Add the ability to set default tproxy mode at namespace level via label. [GH-501]
  - Setting the annotation `consul.hashicorp.com/transparent-proxy` to `true`/`false`
    will define whether tproxy is enabled/disabled for the pod.
  - Setting the label `consul.hashicorp.com/transparent-proxy` to `true`/`false`
    on a namespace will define the default behavior for pods in that namespace which do not also have the annotation set.
  - The default tproxy behavior will be defined by the value of the `-enable-transparent-proxy`
    flag to the `consul-k8s inject-connect` command. It can be overridden in a namespace by the label on the namespace or for a pod using the annotation on the pod.
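The precedence rules above (pod annotation over namespace label over the `-enable-transparent-proxy` flag) and the exclusion annotations from the earlier entry, written out as an added example that is not code from the release notes or from consul-k8s. How consul-k8s itself parses these values is not described on the page; the strict parsing here (malformed booleans, out-of-range ports, CIDRs with host bits all raise) is an assumption chosen so that an exclusion, which is traffic bypassing the proxy, never silently widens or silently disables redirection.

```python
import ipaddress

# Annotation/label keys named in the v0.26.0 release notes.
KEY_TPROXY = "consul.hashicorp.com/transparent-proxy"
KEY_PREFIX = "consul.hashicorp.com/transparent-proxy-exclude-"


def transparent_proxy_enabled(flag_default, ns_labels, pod_annotations):
    """Pod annotation wins, then the namespace label, then the
    -enable-transparent-proxy flag. A malformed value raises instead of
    silently falling back to the default (assumed behaviour, not consul-k8s')."""
    for source in (pod_annotations, ns_labels):
        if KEY_TPROXY in source:
            value = source[KEY_TPROXY].strip().lower()
            if value not in ("true", "false"):
                raise ValueError(f"{KEY_TPROXY}={source[KEY_TPROXY]!r} is not true/false")
            return value == "true"
    return flag_default


def parse_int_list(value, lo, hi):
    """Comma-separated integers within [lo, hi]; used for ports and UIDs."""
    out = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        n = int(item)  # raises ValueError on non-numeric entries
        if not lo <= n <= hi:
            raise ValueError(f"{n} outside {lo}..{hi}")
        out.append(n)
    return out


def parse_cidrs(value):
    """Bare IPs become /32 (or /128) networks; a CIDR with host bits set is an error."""
    return [ipaddress.ip_network(item.strip(), strict=True)
            for item in value.split(",") if item.strip()]


def parse_exclusions(pod_annotations):
    """Return the exclusion sets that the iptables redirect rules must honour."""
    a = pod_annotations
    return {
        "inbound_ports": parse_int_list(a.get(KEY_PREFIX + "inbound-ports", ""), 1, 65535),
        "outbound_ports": parse_int_list(a.get(KEY_PREFIX + "outbound-ports", ""), 1, 65535),
        "outbound_cidrs": parse_cidrs(a.get(KEY_PREFIX + "outbound-cidrs", "")),
        "uids": parse_int_list(a.get(KEY_PREFIX + "uids", ""), 0, 2**32 - 2),
    }
```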
- Connect: support upgrades for services deployed before endpoints controller to
  upgrade to a version of consul-k8s with endpoints controller. [GH-509]
- Connect: A new command `consul-k8s connect-init` has been added.
  It replaces the existing init-container logic for ACL login and Envoy bootstrapping and introduces a polling wait for service registration;
  see Endpoints Controller for more information.
  [GH-446], [GH-452], [GH-459]
- Connect: A new controller `Endpoints Controller` has been added which is responsible for managing service endpoints and service registration.
  When a Kubernetes service references a deployed connect-injected pod, the endpoints controller will be responsible for managing the lifecycle of the connect-injected deployment. [GH-455], [GH-467], [GH-470], [GH-475]
  - This includes:
    - service registration and deregistration, formerly managed by the `consul-connect-inject-init` container.
    - monitoring health checks, formerly managed by `healthchecks-controller`.
    - re-registering services in the event of consul agent failures, formerly managed by `consul-sidecar`.
  - The endpoints controller replaces the health checks controller while preserving existing functionality. [GH-472]
  - The endpoints controller replaces the cleanup controller while preserving existing functionality.
    [GH-476], [GH-454]
  - Merged metrics configuration support is now partially managed by the endpoints controller.
    [GH-469]
IMPROVEMENTS:
- Connect: skip service registration when a service with the same name but in a different Kubernetes namespace is found
  and Consul namespaces are not enabled. [GH-527]
- Connect: Leader election support for connect-inject deployment. [GH-479]
- Connect: the `consul-connect-inject-init` container has been split into two init containers. [GH-441]
- Connect: Connect webhook no longer generates its own certificates and relies on them being provided as files on the disk.
  [GH-454]
- CRDs: Update `ServiceDefaults` with `Mode`, `TransparentProxy`, `DialedDirectly` and `UpstreamConfigs` fields.
  Note: `Mode` and `TransparentProxy` should not be set using this CRD but via annotations. [GH-502], [GH-485], [GH-533]
- CRDs: Update `ProxyDefaults` with `Mode`, `DialedDirectly` and `TransparentProxy` fields.
  Note: `Mode` and `TransparentProxy` should not be set using the CRD but via annotations. [GH-505], [GH-485], [GH-533]
- CRDs: update the CRD versions from v1beta1 to v1. [GH-464]
- Delete secrets created by webhook-cert-manager when the deployment is deleted. [GH-530]
BUG FIXES:
- CRDs: Update the type of `connectTimeout` and `TTL` in `ServiceResolver` and `ServiceRouter` from `time.Duration` to `metav1.Duration`.
  This allows a user to set these values as a duration string on the resource. Existing resources that had set a specific integer
  duration will continue to function with a duration of 'n' nanoseconds, 'n' being the set value.
- CRDs: Fix a bug where the `config` field in `ProxyDefaults` CR failed syncing to Consul because `apiextensions.k8s.io/v1`
  requires CRD spec to have structured schema. [GH-495]
- CRDs: make `lastSyncedTime` a pointer to prevent Reconcile errors when setting the last synced time. [GH-466]
BREAKING CHANGES:
- Connect: Add a security context to the init copy container and the envoy sidecar and ensure they
  do not run as root. If a pod container shares the same `runAsUser` (5995) as Envoy an error is returned.
  [GH-493]
- Connect: Kubernetes Services are required for all Consul Service Mesh applications.
  The Kubernetes service name will be used as the service name to register with Consul
  unless the annotation `consul.hashicorp.com/connect-service` is provided to the deployment/pod to override this.
  If using ACLs, the ServiceAccountName must match the service name used with Consul.
  Note: if you're already using a Kubernetes service, no changes are required.
  Example Service:
  ```yaml
  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: sample-app
  spec:
    selector:
      app: sample-app
    ports:
      - port: 80
        targetPort: 9090
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    labels:
      app: sample-app
    name: sample-app
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: sample-app
    template:
      metadata:
        annotations:
          'consul.hashicorp.com/connect-inject': 'true'
        labels:
          app: sample-app
      spec:
        containers:
          - name: sample-app
            image: sample-app:0.1.0
            ports:
              - containerPort: 9090
  ```
- Connect: `consul.hashicorp.com/connect-sync-period` annotation is no longer supported.
  This annotation used to configure the sync period of the `consul-sidecar` (aka `lifecycle-sidecar`).
  Since we no longer inject the `consul-sidecar` to keep services registered in Consul, this annotation has
  been removed. [GH-467]
- Connect: transparent proxy feature enabled by default. This may break existing deployments.
  Please see details of the feature.
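A pre-upgrade check for the breaking changes listed above, added here as an example; it is not part of the release notes or of consul-k8s. It takes Deployment and Service manifests already loaded as dicts (for example from a YAML parser; the loading step is assumed) and reports connect-injected pod templates that run a container as the Envoy UID 5995, that still carry the removed `connect-sync-period` annotation, or that no Service selects.

```python
ENVOY_UID = 5995  # runAsUser the Envoy sidecar is given in v0.26.0
DEPRECATED_SYNC = "consul.hashicorp.com/connect-sync-period"
INJECT = "consul.hashicorp.com/connect-inject"


def effective_uid(pod_spec, container):
    """A container-level securityContext overrides the pod-level one."""
    ctx = container.get("securityContext") or {}
    if "runAsUser" in ctx:
        return ctx["runAsUser"]
    return (pod_spec.get("securityContext") or {}).get("runAsUser")


def selects(service, labels):
    """True when the Service selector matches every label it names."""
    selector = service["spec"].get("selector") or {}
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def upgrade_findings(deployment, services):
    """Problems a v0.26.0 upgrade would hit for one Deployment (empty list = clean)."""
    tmpl = deployment["spec"]["template"]
    meta = tmpl.get("metadata", {})
    annotations = meta.get("annotations", {})
    spec = tmpl["spec"]
    findings = []
    if annotations.get(INJECT) != "true":
        return findings  # not on the mesh; the breaking changes do not apply
    for c in spec.get("containers", []):
        if effective_uid(spec, c) == ENVOY_UID:
            findings.append(f"container {c['name']} runs as uid {ENVOY_UID}, reserved for the Envoy sidecar")
    if DEPRECATED_SYNC in annotations:
        findings.append(f"annotation {DEPRECATED_SYNC} is no longer supported")
    if not any(selects(s, meta.get("labels", {})) for s in services):
        findings.append("no Kubernetes Service selects this pod template; one is now required")
    return findings


# Constructed sample based on the release-note example, with two problems injected:
# a pod-level runAsUser of 5995 and the removed connect-sync-period annotation.
SAMPLE_SERVICE = {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "sample-app"},
                  "spec": {"selector": {"app": "sample-app"}, "ports": [{"port": 80, "targetPort": 9090}]}}
SAMPLE_DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "sample-app"}, "spec": {"template": {
    "metadata": {"labels": {"app": "sample-app"},
                 "annotations": {INJECT: "true", DEPRECATED_SYNC: "30s"}},
    "spec": {"securityContext": {"runAsUser": ENVOY_UID},
             "containers": [{"name": "sample-app", "image": "sample-app:0.1.0"}]}}}}
```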