Skip to content

v1.0.0

Compare
Choose a tag to compare
@hc-github-team-es-release-engineering hc-github-team-es-release-engineering released this 17 Nov 21:24
2d46739

1.0.0 (November 17, 2022)

BREAKING CHANGES:

  • Admin Partitions (Consul Enterprise only): Remove the partition service. When configuring Admin Partitions, the expose-servers service should be used instead.
  • Consul Dataplane:
    • Consul client agents are no longer deployed by default, and Consul service mesh no longer uses Consul clients to operate. This change affects several main areas listed below. [GH-1552]
    • A new component consul-dataplane is now injected as a sidecar-proxy instead of plain Envoy. consul-dataplane manages the Envoy proxy process and proxies xDS requests from Envoy to Consul servers.
    • All services on the service mesh are now registered directly with the central catalog in Consul servers.
    • All service-mesh consul-k8s components are configured to talk directly to Consul servers.
    • Mesh, ingress, and terminating gateways are now registered centrally by the endpoints controller, similar to how service-mesh services are registered.
  • CLI:
    • Change default behavior of consul-k8s install to perform the installation when no answer is provided to the prompt. [GH-1673]
  • Helm:
    • Kubernetes-1.25 is now supported with the caveat that global.enablePodSecurityPolicies is not supported since PodSecurityPolicies have been removed in favor of PodSecurityStandards in Kubernetes-1.25. Full support for PodSecurityStandards will be added in a follow-on commit. [GH-1726]

    • Support simplified default deployment values to allow for easier quick starts and testing:

      • Set connectInject.replicas to 1 [GH-1702]
      • Set meshGateway.affinity to null and meshGateway.replicas to 1 [GH-1702]
      • Set ingressGateways.defaults.affinity to null and ingressGateways.defaults.replicas to 1 [GH-1702]
      • Set terminatingGateways.defaults.affinity to null and terminatingGateways.defaults.replicas to 1 [GH-1702]
      • Set server.replicas to 1. Formerly, this defaulted to 3. [GH-1551]
    • client.enabled now defaults to false. Setting it to true will deploy client agents, however, none of the consul-k8s components will use clients for their operation.

    • global.imageEnvoy is no longer used for sidecar proxies, as well as mesh, terminating, and ingress gateways.

    • externalServers.grpcPort default is now 8502 instead of 8503.

    • externalServers.hosts no longer supports cloud auto-join strings directly. Instead, include an exec= string in the externalServers.hosts list to invoke the discover CLI. For example, the following string invokes the discover CLI with a cloud auto-join string: exec=discover -q addrs provider=aws region=us-west-2 tag_key=consul-server tag_value=true. The discover CLI is included in the official hashicorp/consul-dataplane images by default.

    • meshGateway.service.enabled value is removed. Mesh gateways now will always have a Kubernetes service as this is required to register them as a service with Consul.

    • meshGateway.initCopyConsulContainer, ingressGateways.initCopyConsulContainer, terminatingGateways.initCopyConsulContainer values are removed.

    • connectInject.enabled now defaults to true. [GH-1551]

    • syncCatalog.consulNamespaces.mirroringK8S now defaults to true. [GH-1601]

    • connectInject.consulNamespaces.mirroringK8S now defaults to true. [GH-1601]

    • Remove controller section from the values file as the controller has now been merged into the connect-inject deployment. [GH-1697]

    • Remove global.consulSidecarContainer from values file as there is no longer a consul sidecar. [GH-1635]

    • Consul snapshot-agent now runs as a sidecar with Consul servers. [GH-1620]

      This results in the following changes to Helm values:

      • Move client.snapshotAgent values to server.snapshotAgent, with the exception of the following values:
        • client.snaphostAgent.replicas
        • client.snaphostAgent.serviceAccount
      • Remove global.secretsBackend.vault.consulSnapshotAgentRole value. You should now use the global.secretsBackend.vault.consulServerRole for access to any Vault secrets.
    • Change dns.enabled and dns.enableRedirection to default to the value of connectInject.transparentProxy.defaultEnabled.
      Previously, dns.enabled defaulted to the value of global.enabled and dns.enableRedirection defaulted to the
      value to false. [GH-1688]

    • Remove global.imageEnvoy and replace with global.imageConsulDataplane for running the sidecar proxy.

    • Add apiGateway.imageEnvoy as for configuring the version of Envoy that the API Gateway uses. [GH-1698]

  • Peering:
    • Rename PeerName to Peer in ExportedServices CRD. [GH-1596]
    • Remove support for customizing the server addresses in peering token generation. Instead, mesh gateways should be used
      to establish peering connections if the server pods are not directly reachable. [GH-1610]
    • Require global.tls.enabled when peering is enabled. [GH-1610]
    • Require meshGateway.enabled when peering is enabled. [GH-1683]

FEATURES:

  • CLI:
    • Add the ability to install HCP self-managed clusters. [GH-1540]
    • Add the ability to install the HashiCups demo application via the -demo flag. [GH-1540]
  • Consul Dataplane:
    • Support merged metrics with consul-dataplane. [GH-1635]
    • Support transparent proxying when using consul-dataplane. [GH-1625,GH-1632]
    • Enable sync-catalog to only talk to Consul servers. [GH-1659]
  • Ingress Gateway
    • Add support for MaxConnections, MaxConcurrentRequests, and MaxPendingRequests to Ingress Gateway CRD. [GH-1691]
  • Peering:
    • Support peering over mesh gateways.
      • Add support for PeerThroughMeshGateways in Mesh CRD. [GH-1478]

IMPROVEMENTS:

  • CLI
    • consul-k8s status command will only show status of servers if they are expected to be present in the Kubernetes cluster. [GH-1603]
    • Update demo charts and CLI command to not presume tproxy when using HCP preset. Also, use the most recent version of hashicups. [GH-1657]
    • Update minimum go version for project to 1.19 [GH-1633]
    • Enable consul-k8s uninstall to delete custom resources when uninstalling Consul. This is done by default. [GH-1623]
  • Control Plane
    • Update minimum go version for project to 1.19 [GH-1633]
    • Remove unneeded agent:read ACL permissions from mesh gateway policy. [GH-1255]
    • Support updating health checks on consul clients during an upgrade to agentless. [GH-1690]
    • Remove unused curl from docker images [1624]
    • Bump Dockerfile base image for RedHat UBI consul-k8s-control-plane image to ubi-minimal:9.1. [[GH-1725][https://github.com//pull/1725]]
  • Helm:
    • Remove deprecated annotation service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" in the server-service template. [GH-1619]
    • Support minAvailable on connect injector PodDisruptionBudget. [GH-1557]
    • Add tolerations and nodeSelector to Server ACL init jobs and nodeSelector to Webhook cert manager. [GH-1581]
    • API Gateway: Add tolerations to apiGateway.managedGatewayClass and apiGateway.controller [GH-1650]
    • API Gateway: Create PodSecurityPolicy for controller when global.enablePodSecurityPolicies=true. [GH-1656]
    • API Gateway: Create PodSecurityPolicy and allow controller to bind it to ServiceAccounts that it creates for Gateway Deployments when global.enablePodSecurityPolicies=true. [GH-1672]
    • Deploy expose-servers service only when Admin Partitions(ENT) is enabled. [GH-1683]
    • Use a distroless image for consul-dataplane. [GH-1676]
    • The Envoy version is now 1.24.0 for consul-dataplane. [GH-1676]
    • Allow addition of extra labels to Connect Inject pods. [GH-1678]
    • Add fields localConnectTimeoutMs and localRequestTimeoutMs to the ServiceDefaults CRD. [GH-1647]
    • API Gateway: Enable API Gateways to directly connect to Consul servers when running in the agentless configuration. [GH-1694]
    • Add connectInject.consulNode.meta to allow users to provide custom metadata to append to the NodeMeta [GH-1707]
    • Add externalServers.skipServerWatch which prevents consul-dataplane from consuming the server update stream. This is useful for situations where Consul servers are behind a load balancer. [GH-1686]
    • API Gateway: Allow controller to read MeshServices for use as a route backend. [GH-1574]
    • API Gateway: Add support for using dynamic server discovery strings when running without agents. [GH-1732]

BUG FIXES:

  • CLI
    • Allow optional environment variables for use in the cloud preset to the CLI for cluster bootstrapping. [GH-1608]
    • Configure -tls-server-name when global.cloud.enabled=true so that it matches the server certificate created via HCP [GH-1591]
    • Do not query clients in the status command since clients no longer exist. [GH-1573]
  • Peering
    • Add peering:read permissions to mesh gateway token to fix peering connections through the mesh gateways. [GH-1685]
  • Helm:
    • Disable PodSecurityPolicies in all templates when global.enablePodSecurityPolicies is false. [GH-1693]