Releases: hashicorp/consul-k8s

v0.21.0

25 Nov 22:24

0.21.0 (November 25, 2020)

IMPROVEMENTS:

  • Connect: Add -log-level flag to inject-connect command. [GH-400]
  • Connect: Ensure consul-connect-lifecycle-sidecar container shuts down gracefully upon receiving SIGTERM. [GH-389]
  • Connect: (Consul Enterprise only) give more descriptive error message if using Consul namespaces with a Consul installation that doesn't support namespaces. [GH-399]

v0.20.0

12 Nov 22:12

0.20.0 (November 12, 2020)

FEATURES:

  • Connect: Support Kubernetes health probe synchronization with Consul for connect injected pods. [GH-363]
    • Adds a new controller to the connect-inject webhook which is responsible for synchronizing Kubernetes pod health checks with Consul service instance health checks.
      A Consul health check is registered for each connect-injected pod which mirrors the pod's Readiness status to Consul. This changes connect routing so that traffic is
      only routed to pods which have passing Kubernetes health checks. See breaking changes for more information.
    • Adds a new label to connect-injected pods which mirrors the consul.hashicorp.com/connect-inject-status annotation.
    • (Consul Enterprise only) Adds a new annotation to connect-injected pods when namespaces are enabled: consul.hashicorp.com/consul-namespace. [GH-376]

BREAKING CHANGES:

  • Connect: With the addition of the connect-inject health checks controller, any connect services which have failing Kubernetes readiness
    probes will no longer be routable through connect until their Kubernetes health probes are passing.
    Previously, connect services that were failing their Kubernetes readiness checks were still routable through connect.
    Users should verify that their connect services are passing Kubernetes readiness probes prior to using health checks synchronization.
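
One way to run the verification recommended above before enabling health checks synchronization, as an added example that is not part of the consul-k8s project or its release notes. It reads pod JSON and reports connect-injected pods that are not Ready; the annotation value "injected" and the sample pods are assumptions constructed for illustration.

```python
import json
import sys

# Annotation named in the release notes; the value "injected" is an assumption.
INJECT_STATUS = "consul.hashicorp.com/connect-inject-status"

def not_ready_containers(pod):
    """Names of containers whose readiness is currently failing."""
    statuses = pod.get("status", {}).get("containerStatuses") or []
    return sorted(s["name"] for s in statuses if not s.get("ready", False))

def is_ready(pod):
    """True only when the pod's Ready condition is "True"."""
    conditions = pod.get("status", {}).get("conditions") or []
    return any(c.get("type") == "Ready" and c.get("status") == "True" for c in conditions)

def unready_injected(pod_list):
    """Map "namespace/name" -> failing containers for injected pods that are not Ready."""
    findings = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if annotations.get(INJECT_STATUS) != "injected":
            continue  # not a connect-injected pod
        if meta.get("deletionTimestamp") or pod.get("status", {}).get("phase") in ("Succeeded", "Failed"):
            continue  # terminating or finished pods are not routing targets
        if not is_ready(pod):
            key = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
            findings[key] = not_ready_containers(pod)
    return findings

def _pod(name, injected, ready, containers):
    """Build a constructed pod object for the sample below."""
    ann = {INJECT_STATUS: "injected"} if injected else {}
    status = {"phase": "Running", "conditions": [{"type": "Ready", "status": str(ready)}],
              "containerStatuses": [{"name": n, "ready": r} for n, r in containers]}
    return {"metadata": {"name": name, "namespace": "shop", "annotations": ann}, "status": status}

# Constructed sample, shaped like `kubectl get pods -o json` output.
SAMPLE = {"items": [
    _pod("web", True, True, [("web", True), ("consul-connect-lifecycle-sidecar", True)]),
    _pod("api", True, False, [("api", False), ("consul-connect-lifecycle-sidecar", True)]),
    _pod("cron", False, False, [("cron", False)]),
]}

if __name__ == "__main__":
    pods = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for key, failing in unready_injected(pods).items():
        print(f"{key}: not Ready, failing containers: {failing or 'none reported'}")
```

Against a live cluster, pipe `kubectl get pods --all-namespaces -o json` into the script; any pod it lists would stop receiving connect traffic once synchronization is on.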

DEPRECATIONS:

  • -create-inject-token in the server-acl-init command has been un-deprecated.
    -create-inject-auth-method has been deprecated and replaced by -create-inject-token.

    -create-inject-namespace-token in the server-acl-init command has been deprecated. Please use -create-inject-token and -enable-namespaces flags
    to achieve the same functionality. [GH-368]

IMPROVEMENTS:

  • Connect: support passing extra arguments to the envoy binary. [GH-378]

    Arguments can be passed in 2 ways:

    • via a flag to the consul-k8s inject-connect command,
      e.g. consul-k8s inject-connect -envoy-extra-args="--log-level debug --disable-hot-restart"
    • via pod annotations,
      e.g. consul.hashicorp.com/envoy-extra-args: "--log-level debug --disable-hot-restart"
  • CRDs:

    • Add Age column to CRDs. [GH-365]
    • Add validations and field descriptions for ServiceIntentions CRD. [GH-385]
    • Update CRD sync status if deletion in Consul fails. [GH-365]

BUG FIXES:

  • Federation: (Consul Enterprise only) ensure replication ACL token can replicate policies and tokens in Consul namespaces other than default. [GH-364]
  • CRDs: (Consul Enterprise only) validate custom resources can only set namespace fields if Consul namespaces are enabled. [GH-375]
  • CRDs: Ensure ACL token is global so that secondary DCs can manage custom resources.
    Without this fix, controllers running in secondary datacenters would get ACL errors. [GH-369]
  • CRDs: (Consul Enterprise only) Do not attempt to create a * namespace when service intentions specify * as destination.namespace. [GH-382]
  • CRDs: (Consul Enterprise only) Fix namespace support for ServiceIntentions CRD. [GH-362]
  • CRDs: Rename field namespaces -> namespace in ServiceResolver CRD. [GH-365]

v0.19.0

12 Oct 21:02

0.19.0 (October 12, 2020)

FEATURES:

BREAKING CHANGES:

  • Connect: No longer set --max-obj-name-len flag when executing envoy. This flag
    was deprecated in Envoy 1.11.0 and had no effect from then onwards. With Envoy >= 1.15.0 setting
    this flag will result in an error, hence why we're removing it. [GH-350]

    If you are running any Envoy version >= 1.11.0 this change will have no effect. If you
    are running an Envoy version < 1.11.0 then you must upgrade Envoy to a newer
    version. This can be done by setting the global.imageEnvoy key in the
    Consul Helm chart.

IMPROVEMENTS:

  • Add an ability to configure the synthetic Consul node name where catalog sync registers services. [GH-312]
    • Sync: Add -consul-node-name flag to the sync-catalog command to configure the Consul node name for syncing services to Consul.
    • ACLs: Add -sync-consul-node-name flag to the server-acl-init command so that it can create correct policy for the sync catalog.

BUG FIXES:

  • Connect: use the first secret of type kubernetes.io/service-account-token when creating/updating auth method. [GH-350]

v0.18.1

10 Aug 22:37

0.18.1 (August 10, 2020)

BUG FIXES:

  • Connect: Reduce downtime caused by an alias health check of the sidecar proxy not being healthy for up to 1 minute
    when a Connect-enabled service is restarted. Note that this fix reverts the behavior of Consul Connect to the behavior
    it had before consul-k8s v0.16.0 and Consul v1.8.x, where Consul can route to potentially unhealthy instances of a service
    because we don't respect Kubernetes readiness/liveness checks yet. Please follow GH-155
    for updates on that feature. [GH-305]

v0.18.0

30 Jul 22:51

0.18.0 (July 30, 2020)

IMPROVEMENTS:

  • Connect: Add resource request and limit flags for the injected init and lifecycle sidecar containers. These flags replace the hardcoded values previously included. As part of this change, the default value for the lifecycle sidecar container memory limit has increased from 25Mi to 50Mi. [GH-298], [GH-300]

BUG FIXES:

  • Connect: Respect allow/deny list flags when namespaces are disabled. [GH-296]

v0.17.0

09 Jul 22:03

0.17.0 (July 09, 2020)

BREAKING CHANGES:

  • ACLs: Always update Kubernetes auth method created by the server-acl-init job. Previously, we would only update the auth method if Consul namespaces are enabled. With this change, we always update it to make sure that any configuration changes or updates to the connect-injector-authmethod-svc-account are propagated [GH-282].
  • Connect: Connect pods have had the following resource settings changed: consul-connect-inject-init now has its memory limit set to 150M up from 25M and consul-connect-lifecycle-sidecar has its CPU request and limit set to 20m up from 10m. [GH-291]

IMPROVEMENTS:

  • Extracted Consul's HTTP flags into our own package so we no longer depend on the internal Consul golang module. [GH-259]

BUG FIXES:

  • Connect: Update resource settings to fix out of memory errors and CPU usage at 100% of limit. [GH-283, consul-helm GH-515]
  • Connect: Creating a pod with a different service account name than its Consul service name will now result in an error when ACLs are enabled.
    Previously this would not result in an error, but the pod would not be able to send or receive traffic because its ACL token would be for a
    different service name. [GH-237]

v0.16.0

17 Jun 18:49

0.16.0 (June 17, 2020)

FEATURES:

  • ACLs: server-acl-init now supports creating tokens for ingress and terminating gateways [GH-264].
    • Add -ingress-gateway-name flag that takes the name of an ingress gateway that needs an ACL token. May be specified multiple times. [Enterprise Only] If using Consul namespaces and registering the gateway outside of the default namespace, specify the value in the form <GatewayName>.<ConsulNamespace>.
    • Add -terminating-gateway-name flag that takes the name of a terminating gateway that needs an ACL token. May be specified multiple times. [Enterprise Only] If using Consul namespaces and registering the gateway outside of the default namespace, specify the value in the form <GatewayName>.<ConsulNamespace>.
  • Connect: Add support for configuring resource settings for memory and cpu limits/requests for sidecar proxies. [GH-267]

BREAKING CHANGES:

  • Gateways: service-address command will now return hostnames if that is the address of the Kubernetes LB. Previously it would resolve the hostname to 1 IP. The -resolve-hostnames flag was added to preserve the IP resolution behavior. [GH-271]

IMPROVEMENTS:

  • Sync: Add -sync-lb-services-endpoints flag to optionally sync load balancer endpoint IPs instead of load balancer ingress IP or hostname to Consul [GH-257].
  • Connect: Add pod name to the consul connect metadata for connect injected pods. [GH-231]

BUG FIXES:

  • Connect:
    • Fix bug where preStop hook was malformed. This caused Consul ACL tokens to never be deleted for connect services. [GH-265]
    • Fix bug where environment variable for upstream was not populated when using a different datacenter. [GH-246]
    • Fix bug where the Connect health-check was defined with a service name instead of a service ID. This check was passing in Consul versions before 1.8, but will now fail with versions 1.8 and higher. [GH-272]