v0.42.0

0.42.0 (April 04, 2022)

BREAKING CHANGES:

• Helm
  • Minimum Kubernetes version supported is 1.19 and now matches what is stated in the README.md file. [GH-1049]
• ACLs
  • Support Terminating Gateway obtaining an ACL token using a k8s auth method. GH-1102
    • Note: If you have updated a token with a new policy for a terminating gateway, this will not apply any more as ACL tokens will be ephemeral and are issued to the terminating gateways when the pod is created and destroyed when the pod is stopped. To achieve the same ACL permissions, you will need to assign the policy to the role for the terminating gateway, rather than the token.
  • Support Mesh Gateway obtaining an ACL token using a k8s auth method. GH-1102
    • Note: This is a breaking change if you are using a mesh gateway with mesh federation. To properly configure mesh federation with mesh gateways, you will need to configure the global.federation.k8sAuthMethodHost in secondary datacenters to point to the address of the Kubernetes API server of the secondary datacenter. This address must be reachable from the Consul servers in the primary datacenter.
  • General Note on old ACL Tokens: As of this release, ACL tokens no longer need to be stored as Kubernetes secrets. They will transparently be provisioned by the Kubernetes Auth Method when client and component pods are provisioned and will also be destroyed when client and component pods are destroyed. Old ACL tokens, however, will still exist as Kubernetes secrets and in Consul and will need to be identified and manually deleted.

FEATURES:

• ACLs: Enable issuing ACL tokens via Consul login with a Kubernetes Auth Method and replace the need for storing ACL tokens as Kubernetes secrets.
  • Support CRD controller obtaining an ACL token via using a k8s auth method. GH-995
  • Support Connect Inject obtaining an ACL token via using a k8s auth method. GH-1076
  • Support Sync Catalog obtaining an ACL token via using a k8s auth method. GH-1081, GHT-1077
  • Support API Gateway controller obtaining an ACL token via using a k8s auth method. GH-1083
  • Support Snapshot Agent obtaining an ACL token via using a k8s auth method. GH-1084
  • Support Mesh Gateway obtaining an ACL token via using a k8s auth method. GH-1085
  • Support Ingress Gateway obtaining an ACL token via using a k8s auth method. GH-1118
  • Support Terminating Gateway obtaining an ACL token via using a k8s auth method. GH-1102
  • Support Consul Client obtaining an ACL token via using a k8s auth method. GH-1093
  • Support issuing global ACL tokens via k8s auth method. GH-1075

IMPROVEMENTS:

• Control Plane
  • Upgrade Docker image Alpine version from 3.14 to 3.15. [GH-1058]
• Helm
  • API Gateway: Allow controller to read Kubernetes namespaces in order to determine if route is allowed for gateway. [GH-1092]
  • Support a pre-configured bootstrap ACL token. [GH-1125]
• Vault
  • Enable snapshot agent configuration to be retrieved from vault. [GH-1113]
• CLI
  • Enable users to set up secondary clusters with existing federation secrets. [GH-1126]

BUG FIXES:

• Helm
  • Don't set TTL for server certificates when using Vault as the secrets backend. [GH-1104]
  • Fix PodSecurityPolicies for clients/mesh gateways when hostNetwork is used. [GH-1090]
• CLI
  • Fix install and upgrade commands for Windows. [GH-1139]

v0.41.1

0.41.1 (February 24, 2022)

BUG FIXES:

• Helm
  • Support Envoy 1.20.2. [GH-1051]

v0.41.0

0.41.0 (February 23, 2022)

FEATURES:

• Support WAN federation via Mesh Gateways with Vault as the secrets backend. [GH-1016,GH-1025,GH-1029,GH-1038]
  • Note: To use WAN federation with ACLs and Vault, you will need to create a KV secret in Vault that will serve as the replication token with
    a random UUID: vault kv put secret/consul/replication key="$(uuidgen)".
  • You will need to then provide this secret to both the primary
    and the secondary datacenters with global.acls.replicationToken values and allow the global.secretsBackend.vault.manageSystemACLsRole Vault role to read it.
    In the primary datacenter, the Helm chart will create the replication token in Consul using the UUID as the secret ID of the token.
• Connect: Support workaround for pods with multiple ports, by registering a Consul service and injecting an Envoy sidecar and init container per port. [GH-1012]
  • Transparent proxying, metrics, and metrics merging are not supported for multi-port pods.
  • Multi-port pods should specify annotations in the format, such that the service names and port names correspond with each other in the specified order, i.e. web service is listening on 8080, web-admin service is listening on 9090.
    • consul.hashicorp.com/connect-service': 'web,web-admin
    • consul.hashicorp.com/connect-service-port': '8080,9090

IMPROVEMENTS:

• Helm
  • Vault: Allow passing arbitrary annotations to the vault agent. [GH-1015]
  • Vault: Add support for customized IP and DNS SANs for server cert in Vault. [GH-1020]
  • Vault: Add support for Enterprise License to be configured in Vault. [GH-1032]
  • API Gateway: Allow Kubernetes namespace to Consul enterprise namespace mapping for deployed gateways and mesh services. [GH-1024]

BUG FIXES:

• API Gateway
  • Fix issue where if the API gateway controller pods restarted, gateway pods would become disconnected from the secret discovery service. [GH-1007]
  • Fix issue where the API gateway controller could not update existing Deployments or Services. [GH-1014]
  • Fix issue where the API gateway controller lacked sufficient permissions to bind routes when ACLs were enabled. [GH-1018]

BREAKING CHANGES:

• Helm
  • Rename fields of IngressGateway CRD to fix incorrect names (gatewayTLSConfig => tls, gatewayServiceTLSConfig => tls, gatewayTLSSDSConfig => sds). [GH-1017]

v0.40.0

0.40.0 (January 27, 2022)

BREAKING CHANGES:

• Helm
  • Some Consul components from the Helm chart have been renamed to ensure consistency in naming across the components.
    This will not be a breaking change if Consul components are not referred to by name externally. Check the PR for the list of renamed components. [GH-993][GH-1000]

FEATURES:

• Helm
  • Support Envoy 1.20.1. [GH-958]
  • Support Consul 1.11.2. [GH-976]
  • Support Consul API Gateway Controller deployment through the Helm chart and provision an ACL token to for API Gateway via server-acl-init [GH-925]

IMPROVEMENTS:

• Helm
  • Allow customization of terminationGracePeriodSeconds on the ingress gateways. [GH-947]
  • Support ui.dashboardURLTemplates.service value for setting dashboard URL templates. [GH-937]
  • Allow using dash-separated names for config entries when using kubectl. [GH-965]
  • Support Pod Security Policies with Vault integration. [GH-985]
  • Rename Consul resources to remove resource kind suffixes from the resource names to standardize resource names across the Helm chart. [GH-993]
  • Append -client to the Consul Daemonset name to standardize resource names across the Helm chart. [GH-1000]
• CLI
  • Show a diff when upgrading a Consul installation on Kubernetes [GH-934]
• Control Plane
  • Support the value $POD_NAME for the annotation consul.hashicorp.com/service-meta-* that will now be interpolated and set to the pod's name in the service's metadata. [GH-982]
  • Allow managing Consul sidecar resources via annotations. [GH-956]
  • Support using a backslash to escape commas in consul.hashicorp.com/service-tags annotation. [GH-983]
  • Avoid making unnecessary calls to Consul in the endpoints controller to improve application startup time when Consul is down. [GH-779]

BUG FIXES:

• Helm
  • Add PodDisruptionBudget Kind when checking for existing versions so that helm template can generate the right version. [GH-923]
• Control Plane
  • Admin Partitions (Consul Enterprise only): Attach anonymous-policy to the anonymous token from non-default partitions to support DNS queries when the default partition is on a VM. [GH-966]

v0.39.0

0.39.0 (December 15, 2021)

FEATURES:

• Helm
  • Support Consul 1.11.1. [GH-935]
  • Support Envoy 1.20.0. [GH-935]
  • Minimum Kubernetes versions supported is 1.18+. [GH-935]
• CLI
  • BETA Add upgrade command to modify Consul installation on Kubernetes. [GH-898]

IMPROVEMENTS:

• Control Plane
  • Bump consul-k8s-control-plane UBI images for OpenShift to use base image ubi-minimal:8.5. [GH-922]
  • Support the value $POD_NAME for the annotation consul.hashicorp.com/service-tags that will now be interpolated and set to the pod name. [GH-931]

v0.38.0

0.38.0 (December 08, 2021)

BREAKING CHANGES:

• Control Plane
  • Update minimum go version for project to 1.17 [GH-878]
  • Add boolean metric to merged metrics response consul_merged_service_metrics_success to indicate if service metrics
    were scraped successfully. [GH-551]

FEATURES:

• Vault as a Secrets Backend: Add support for Vault as a secrets backend for Gossip Encryption, Server TLS certs and Service Mesh TLS certificates,
  removing the existing usage of Kubernetes Secrets for the respective secrets. [GH-904]

  See the Consul Kubernetes and Vault documentation for full install instructions.

  Requirements:

  • Consul 1.11+
  • Vault 1.9+ and Vault-K8s 0.14+ must be installed with the Vault Agent Injector enabled (injector.enabled=true)
    into the Kubernetes cluster that Consul is installed into.
  • global.tls.enableAutoEncryption=true is required for TLS support.
  • If TLS is enabled in Vault, global.secretsBackend.vault.ca must be provided and should reference a Kube secret
    which holds a copy of the Vault CA cert.
  • Add boolean metric to merged metrics response consul_merged_service_metrics_success to indicate if service metrics were
    scraped successfully. [GH-551]

• Helm

  • Rename PartitionExports CRD to ExportedServices. [GH-902]

IMPROVEMENTS:

• CLI
  • Pre-check in the install command to verify the correct license secret exists when using an enterprise Consul image. [GH-875]
• Control Plane
  • Add a label "managed-by" to every secret the control-plane creates. Only delete said secrets on an uninstall. [GH-835]
  • Add support for labeling a Kubernetes service with consul.hashicorp.com/service-ignore to prevent services from being registered in Consul. [GH-858]
• Helm Chart
  • Fail an installation/upgrade if WAN federation and Admin Partitions are both enabled. [GH-892]
  • Add support for setting ingressClassName for UI. [GH-909]
  • Add partition support to Service Resolver, Service Router and Service Splitter CRDs. [GH-908]

BUG FIXES:

• Control Plane:
  • Add a workaround to check that the ACL token is replicated to other Consul servers. [GH-862]
  • Return 500 on prometheus response if unable to get metrics from Envoy. [GH-551]
  • Don't include body of failed service metrics calls in merged metrics response. [GH-551]
• Helm Chart
  • Admin Partitions (Consul Enterprise only): Do not mount Consul CA certs to partition-init job if externalServers.useSystemRoots is true. [GH-885]

v0.37.0

0.37.0 (November 18, 2021)

BREAKING CHANGES:

• Previously UI metrics would be enabled when
  global.metrics=false and ui.metrics.enabled=-. If you are no longer seeing UI metrics,
  set global.metrics=true or ui.metrics.enabled=true. [GH-841]

• The enterpriseLicense section of the values file has been migrated from being under the server stanza to being
  under the global stanza. Migrating the contents of server.enterpriseLicense to global.enterpriseLicense will
  ensure the license job works. [GH-856]

• Consul streaming is re-enabled by default.
  Streaming is broken when using multi-DC federation and Consul versions 1.10.0, 1.10.1, 1.10.2.
  If you are using those versions and multi-DC federation, you must upgrade to Consul >= 1.10.3 or set:

  client:
    extraConfig: |
      {"use_streaming_backend": false}

  [GH-851]

FEATURES:

• Helm Chart
  • Add support for Consul services to utilize Consul DNS for service discovery. Set dns.enableRedirection to allow services to
    use Consul DNS via the Consul DNS Service. [GH-833]
• Control Plane
  • Connect: Allow services using Connect to utilize Consul DNS to perform service discovery. [GH-833]

IMPROVEMENTS:

• Control Plane
  • TLS: Support PKCS1 and PKCS8 private keys for Consul certificate authority. [GH-843]
  • Connect: Log a warning when ACLs are enabled and the default service account is used. [GH-842]
  • Update Service Router, Service Splitter and Ingress Gateway CRD with support for RequestHeaders and ResponseHeaders. [GH-863]
  • Update Ingress Gateway CRD with partition support for the IngressService and TLS Config. [GH-863]
• CLI
  • Delete jobs, cluster roles, and cluster role bindings on uninstall. [GH-820]
• Helm Chart
  • Add component labels to all resources. [GH-840]
  • Update Consul version to 1.10.4. [GH-861]
  • Update Service Router, Service Splitter and Ingress Gateway CRD with support for RequestHeaders and ResponseHeaders. [GH-863]
  • Update Ingress Gateway CRD with partition support for the IngressService and TLS Config. [GH-863]
  • Re-enable streaming for Consul clients. [GH-851]

BUG FIXES:

• Control Plane
  • ACLs: Fix issue where if one or more servers fail to have their ACL tokens set on the initial run of server-acl-init
    then on subsequent re-runs of server-acl-init the tokens are never set. [GH-825]
  • ACLs: Fix issue where if the number of Consul servers is increased, the new servers are never provisioned
    an ACL token. [GH-677]
  • Fix issue where after a helm upgrade, users would see x509: certificate signed by unknown authority.
    errors when modifying config entry resources. [GH-837]
• Helm Chart
  • (Consul Enterprise only) Error on Helm install if a reserved name is used for the admin partition name or a
    Consul destination namespace for connect or catalog sync. [GH-846]
  • Truncate Persistent Volume Claim names when namespace names are too long. [GH-799]
  • Fix issue where UI metrics would be enabled when global.metrics=false and ui.metrics.enabled=-. [GH-841]
  • Populate the federation secret with the generated Gossip key when global.gossipEncryption.autoGenerate is set to true. [GH-854]

v0.36.0

0.36.0 (November 02, 2021)

BREAKING CHANGES:

• Helm Chart
  • The kube-system and local-path-storage namespaces are now excluded from connect injection by default on Kubernetes versions >= 1.21. If you wish to enable injection on those namespaces, set connectInject.namespaceSelector to null. [GH-726]

IMPROVEMENTS:

• Helm Chart
  • Automatic retry for gossip-encryption-autogenerate-job on failure [GH-789]
  • kube-system and local-path-storage namespaces are now excluded from connect injection by default on Kubernetes versions >= 1.21. This prevents deadlock issues when kube-system components go down and allows Kind to work without changing the failure policy of the mutating webhook. [GH-726]
  • Add support for services across Admin Partitions to communicate using mesh gateways. [GH-807]
    • Documentation for the installation can be found here.
  • Add support for PartitionExports CRD to enable cross-partition networking. [GH-802]
• CLI
  • Add status command. [GH-768]
  • Add -verbose, -v flag to the consul-k8s install command, which outputs all logs emitted from the installation. By default, verbose is set to false to hide logs that show resources are not ready. [GH-810]
  • Set prometheus.enabled to true and enable all metrics for Consul K8s when installing via the demo preset. [GH-809]
  • Set controller.enabled to true when installing via the demo preset. [GH818]
  • Set global.gossipEncryption.autoGenerate to true and global.tls.enableAutoEncrypt to true when installing via the secure preset. [GH818]
• Control Plane
  • Add support for partition-exports config entry as a Custom Resource Definition to help manage cross-partition networking. [GH-802]

v0.35.0

0.35.0 (October 19, 2021)

FEATURES:

• Control Plane
  • Add gossip-encryption-autogenerate subcommand to generate a random 32 byte Kubernetes secret to be used as a gossip encryption key. [GH-772]
• Helm Chart
  • Add automatic generation of gossip encryption with global.gossipEncryption.autoGenerate=true. [GH-738]
  • Add support for configuring resources for mesh gateway service-init container. [GH-758]

IMPROVEMENTS:

• Control Plane
  • Upgrade Docker image Alpine version from 3.13 to 3.14. [GH-737]
  • CRDs: tune failure backoff so invalid config entries are re-synced more quickly. [GH-788]
• Helm Chart
  • Enable adding extra containers to server and client Pods. [GH-749]
  • ACL support for Admin Partitions. (Consul Enterprise only)
    BETA [GH-766]
    • This feature now enabled ACL support for Admin Partitions. The server-acl-init job now creates a Partition token. This token
      can be used to bootstrap new partitions as well as manage ACLs in the non-default partitions.
    • Partition to partition networking is disabled if ACLs are enabled.
    • Documentation for the installation can be found here.
• CLI
  • Add version command. [GH-741]
  • Add uninstall command. [GH-725]

v0.34.1

0.34.1 (September 17, 2021)

BUG FIX:

• Helm
  • Fix consul-k8s image version in values file. [GH-732]