# v1.0.0

## 1.0.0 (November 17, 2022)
BREAKING CHANGES:
- Admin Partitions (Consul Enterprise only): Remove the `partition` service. When configuring Admin Partitions, the `expose-servers` service should be used instead.
- Consul Dataplane:
  - Consul client agents are no longer deployed by default, and Consul service mesh no longer uses Consul clients to operate. This change affects several main areas listed below. [GH-1552]
    - A new component `consul-dataplane` is now injected as a sidecar-proxy instead of plain Envoy. `consul-dataplane` manages the Envoy proxy process and proxies xDS requests from Envoy to Consul servers.
    - All services on the service mesh are now registered directly with the central catalog in Consul servers.
    - All service-mesh consul-k8s components are configured to talk directly to Consul servers.
    - Mesh, ingress, and terminating gateways are now registered centrally by the endpoints controller, similar to how service-mesh services are registered.
- CLI:
  - Change default behavior of `consul-k8s install` to perform the installation when no answer is provided to the prompt. [GH-1673]
- Helm:
  - Kubernetes-1.25 is now supported with the caveat that `global.enablePodSecurityPolicies` is not supported since PodSecurityPolicies have been removed in favor of PodSecurityStandards in Kubernetes-1.25. Full support for PodSecurityStandards will be added in a follow-on commit. [GH-1726]
  - Support simplified default deployment values to allow for easier quick starts and testing:
    - Set `connectInject.replicas` to 1 [GH-1702]
    - Set `meshGateway.affinity` to null and `meshGateway.replicas` to 1 [GH-1702]
    - Set `ingressGateways.defaults.affinity` to null and `ingressGateways.defaults.replicas` to 1 [GH-1702]
    - Set `terminatingGateways.defaults.affinity` to null and `terminatingGateways.defaults.replicas` to 1 [GH-1702]
    - Set `server.replicas` to `1`. Formerly, this defaulted to `3`. [GH-1551]
  - `client.enabled` now defaults to `false`. Setting it to `true` will deploy client agents; however, none of the consul-k8s components will use clients for their operation.
  - `global.imageEnvoy` is no longer used for sidecar proxies, nor for mesh, terminating, and ingress gateways.
  - `externalServers.grpcPort` default is now `8502` instead of `8503`.
  - `externalServers.hosts` no longer supports cloud auto-join strings directly. Instead, include an `exec=` string in the `externalServers.hosts` list to invoke the `discover` CLI. For example, the following string invokes the `discover` CLI with a cloud auto-join string: `exec=discover -q addrs provider=aws region=us-west-2 tag_key=consul-server tag_value=true`. The `discover` CLI is included in the official `hashicorp/consul-dataplane` images by default.
  - `meshGateway.service.enabled` value is removed. Mesh gateways will now always have a Kubernetes service, as this is required to register them as a service with Consul.
  - `meshGateway.initCopyConsulContainer`, `ingressGateways.initCopyConsulContainer`, and `terminatingGateways.initCopyConsulContainer` values are removed.
  - `connectInject.enabled` now defaults to `true`. [GH-1551]
  - `syncCatalog.consulNamespaces.mirroringK8S` now defaults to `true`. [GH-1601]
  - `connectInject.consulNamespaces.mirroringK8S` now defaults to `true`. [GH-1601]
  - Remove the `controller` section from the values file, as the controller has now been merged into the connect-inject deployment. [GH-1697]
  - Remove `global.consulSidecarContainer` from the values file, as there is no longer a consul sidecar. [GH-1635]
  - Consul snapshot-agent now runs as a sidecar with Consul servers. [GH-1620] This results in the following changes to Helm values:
    - Move `client.snapshotAgent` values to `server.snapshotAgent`, with the exception of the following values: `client.snapshotAgent.replicas`, `client.snapshotAgent.serviceAccount`
    - Remove the `global.secretsBackend.vault.consulSnapshotAgentRole` value. You should now use `global.secretsBackend.vault.consulServerRole` for access to any Vault secrets.
  - Change `dns.enabled` and `dns.enableRedirection` to default to the value of `connectInject.transparentProxy.defaultEnabled`. Previously, `dns.enabled` defaulted to the value of `global.enabled` and `dns.enableRedirection` defaulted to `false`. [GH-1688]
  - Remove `global.imageEnvoy` and replace it with `global.imageConsulDataplane` for running the sidecar proxy.
  - Add `apiGateway.imageEnvoy` for configuring the version of Envoy that the API Gateway uses. [GH-1698]
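As an added illustration (not the consul-k8s project's own values file or part of this changelog), the following Helm values fragment shows what an in-cluster-server deployment looks like once the 1.0.0 breaking changes above are applied. Only keys named in the changelog are used; the Vault role name and the `<DATAPLANE_VERSION>` tag are placeholders.

```yaml
# Added example, not from the consul-k8s repository: values.yaml fragment for
# in-cluster Consul servers rewritten to the 1.0.0 layout. Role name and image
# tag are placeholders.
global:
  # global.imageEnvoy is removed; the dataplane image now runs every sidecar
  # and gateway proxy. <DATAPLANE_VERSION> is a placeholder.
  imageConsulDataplane: "hashicorp/consul-dataplane:<DATAPLANE_VERSION>"
  secretsBackend:
    vault:
      enabled: true
      # consulSnapshotAgentRole was removed: the server role now covers the
      # Vault access the snapshot-agent sidecar needs.
      consulServerRole: "consul-server"   # placeholder role name

client:
  # New default. Setting it to true deploys agents that no consul-k8s
  # component uses, so drop any override you carried over from 0.x.
  enabled: false
  # client.snapshotAgent.* no longer applies; see server.snapshotAgent below.

server:
  replicas: 1                 # new quick-start default (formerly 3)
  snapshotAgent:
    enabled: true             # runs as a sidecar in each server pod
    # client.snapshotAgent.replicas and .serviceAccount are not carried over.

connectInject:
  enabled: true               # new default
  replicas: 1                 # new quick-start default
  transparentProxy:
    defaultEnabled: true      # dns.enabled and dns.enableRedirection follow this
  consulNamespaces:
    mirroringK8S: true        # new default
  # The former top-level `controller:` section is gone; it lives in connect-inject.

syncCatalog:
  consulNamespaces:
    mirroringK8S: true        # new default

meshGateway:
  enabled: true
  replicas: 1                 # new quick-start default
  affinity: null              # new quick-start default
  # meshGateway.service.enabled was removed: a Service is always created.
```

Values marked "new default" are shown explicitly so that a diff against a pre-1.0 override file makes the behaviour change visible; they can be omitted where the default is acceptable.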
- Peering:
  - Rename `PeerName` to `Peer` in ExportedServices CRD. [GH-1596]
  - Remove support for customizing the server addresses in peering token generation. Instead, mesh gateways should be used to establish peering connections if the server pods are not directly reachable. [GH-1610]
  - Require `global.tls.enabled` when peering is enabled. [GH-1610]
  - Require `meshGateway.enabled` when peering is enabled. [GH-1683]
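The peering changes above, shown as an added example rather than project-supplied manifests: the Helm prerequisites, the Mesh CRD field that routes peering through mesh gateways, and the renamed consumer key in ExportedServices. The peer name `dc2` and service name `frontend` are constructed sample values, and `global.peering.enabled` is assumed to be the Helm key that turns peering on.

```yaml
# Added example, not from the consul-k8s repository. Sample names only.
#
# Helm prerequisites once peering is enabled (assumed key: global.peering.enabled):
#   global.tls.enabled: true       # required in 1.0.0 [GH-1610]
#   global.peering.enabled: true
#   meshGateway.enabled: true      # required in 1.0.0 [GH-1683]
---
# Mesh CRD: peering control-plane traffic goes through the mesh gateways,
# which replaces the removed per-token server address customization.
apiVersion: consul.hashicorp.com/v1alpha1
kind: Mesh
metadata:
  name: mesh                 # the Mesh config entry is a singleton named "mesh"
spec:
  peering:
    peerThroughMeshGateways: true
---
# ExportedServices CRD: the consumer key is `peer`; pre-1.0 manifests used
# `peerName` and must be updated.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ExportedServices
metadata:
  name: default              # must match the partition name ("default" for OSS)
spec:
  services:
    - name: frontend         # sample service
      consumers:
        - peer: dc2          # sample peer name
```

Applying a manifest that still uses `peerName` fails validation against the 1.0.0 CRD, so the rename is the first thing to check when an export that worked on 0.x stops being accepted.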
FEATURES:
- CLI:
- Consul Dataplane:
- Ingress Gateway:
  - Add support for MaxConnections, MaxConcurrentRequests, and MaxPendingRequests to Ingress Gateway CRD. [GH-1691]
- Peering:
  - Support peering over mesh gateways.
  - Add support for `PeerThroughMeshGateways` in Mesh CRD. [GH-1478]
IMPROVEMENTS:
- CLI:
  - `consul-k8s status` command will only show status of servers if they are expected to be present in the Kubernetes cluster. [GH-1603]
  - Update demo charts and CLI command to not presume tproxy when using HCP preset. Also, use the most recent version of hashicups. [GH-1657]
  - Update minimum go version for project to 1.19 [GH-1633]
  - Enable `consul-k8s uninstall` to delete custom resources when uninstalling Consul. This is done by default. [GH-1623]
- Control Plane:
  - Update minimum go version for project to 1.19 [GH-1633]
  - Remove unneeded `agent:read` ACL permissions from mesh gateway policy. [GH-1255]
  - Support updating health checks on consul clients during an upgrade to agentless. [GH-1690]
  - Remove unused curl from docker images [GH-1624]
  - Bump Dockerfile base image for RedHat UBI `consul-k8s-control-plane` image to `ubi-minimal:9.1`. [GH-1725]
- Helm:
  - Remove deprecated annotation `service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"` in the `server-service` template. [GH-1619]
  - Support `minAvailable` on connect injector `PodDisruptionBudget`. [GH-1557]
  - Add `tolerations` and `nodeSelector` to Server ACL init jobs and `nodeSelector` to Webhook cert manager. [GH-1581]
  - API Gateway: Add `tolerations` to `apiGateway.managedGatewayClass` and `apiGateway.controller` [GH-1650]
  - API Gateway: Create PodSecurityPolicy for controller when `global.enablePodSecurityPolicies=true`. [GH-1656]
  - API Gateway: Create PodSecurityPolicy and allow controller to bind it to ServiceAccounts that it creates for Gateway Deployments when `global.enablePodSecurityPolicies=true`. [GH-1672]
  - Deploy `expose-servers` service only when Admin Partitions (ENT) is enabled. [GH-1683]
  - Use a distroless image for `consul-dataplane`. [GH-1676]
  - The Envoy version is now 1.24.0 for `consul-dataplane`. [GH-1676]
  - Allow addition of extra labels to Connect Inject pods. [GH-1678]
  - Add fields `localConnectTimeoutMs` and `localRequestTimeoutMs` to the `ServiceDefaults` CRD. [GH-1647]
  - API Gateway: Enable API Gateways to directly connect to Consul servers when running in the agentless configuration. [GH-1694]
  - Add `connectInject.consulNode.meta` to allow users to provide custom metadata to append to the NodeMeta [GH-1707]
  - Add `externalServers.skipServerWatch`, which prevents consul-dataplane from consuming the server update stream. This is useful for situations where Consul servers are behind a load balancer. [GH-1686]
  - API Gateway: Allow controller to read MeshServices for use as a route backend. [GH-1574]
  - API Gateway: Add support for using dynamic server discovery strings when running without agents. [GH-1732]
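The `externalServers.skipServerWatch` improvement above and the `externalServers.hosts` breaking change under BREAKING CHANGES fit together in one deployment shape: servers outside the cluster, reached through a load balancer and located with the `discover` CLI. The fragment below is an added example, not the project's own file; the AWS region and tag values are constructed sample data.

```yaml
# Added example, not from the consul-k8s repository: externalServers values for
# 1.0.0 with servers outside the cluster. Region and tags are sample data.
server:
  enabled: false            # servers are not deployed by this chart

externalServers:
  enabled: true
  # Cloud auto-join strings are no longer accepted here directly. The
  # `exec=` form runs the discover CLI bundled in hashicorp/consul-dataplane
  # and uses the addresses it prints.
  hosts:
    - "exec=discover -q addrs provider=aws region=us-west-2 tag_key=consul-server tag_value=true"
  grpcPort: 8502            # new default (formerly 8503); stated for clarity
  # With servers behind a load balancer, stop consul-dataplane from consuming
  # the server update stream and keep using the discovered addresses.
  skipServerWatch: true

connectInject:
  enabled: true             # new default; sidecars talk to the servers above
```

The `hosts` entry is a single YAML string containing the whole `exec=` command; splitting the arguments into separate list items would be read as several hosts rather than one command.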
BUG FIXES:
- CLI:
  - Allow optional environment variables for use in the cloud preset to the CLI for cluster bootstrapping. [GH-1608]
  - Configure `-tls-server-name` when `global.cloud.enabled=true` so that it matches the server certificate created via HCP [GH-1591]
  - Do not query clients in the status command since clients no longer exist. [GH-1573]
- Peering:
  - Add `peering:read` permissions to mesh gateway token to fix peering connections through the mesh gateways. [GH-1685]
- Helm:
  - Disable PodSecurityPolicies in all templates when `global.enablePodSecurityPolicies` is `false`. [GH-1693]