Releases: hashicorp/consul-k8s
v1.4.4
1.4.4 (July 15, 2024)
SECURITY:
- Upgrade go version to 1.22.5 to address CVE-2024-24791 [GH-4154]
- Upgrade go-retryablehttp to v0.7.7 to address GHSA-v6v8-xj6m-xwqh [GH-4169]
IMPROVEMENTS:
- upgrade go version to v1.22.4. [GH-4085]
- api-gateways: Change security settings to make root file system read only and to not allow privilege escalation. [GH-3959]
- cni: package consul-cni as .deb and .rpm files [GH-4040]
- control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift. [GH-4152]
- partition-init: Role no longer includes unnecessary access to Secrets resource. [GH-4053]
BUG FIXES:
- api-gateway: fix issue where API Gateway specific acl roles/policy were not being cleaned up on deletion of an api-gateway [GH-4060]
- cni: fix incorrect release version due to unstable submodule pinning [GH-4091]
- connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar [GH-4152]
- endpoints-controller: graceful shutdown logic should not run on a new pod with the same name. Fixes a case where statefulset rollouts could get stuck in graceful shutdown when the new pods come up. [GH-4059]
v1.3.7
1.3.7 (July 16, 2024)
SECURITY:
- Upgrade go version to 1.22.5 to address CVE-2024-24791 [GH-4154]
- Upgrade go-retryablehttp to v0.7.7 to address GHSA-v6v8-xj6m-xwqh [GH-4169]
IMPROVEMENTS:
- upgrade go version to v1.22.4. [GH-4085]
- partition-init: Role no longer includes unnecessary access to Secrets resource. [GH-4053]
BUG FIXES:
- api-gateway: fix issue where API Gateway specific acl roles/policy were not being cleaned up on deletion of an api-gateway [GH-4060]
- cni: fix incorrect release version due to unstable submodule pinning [GH-4091]
- endpoints-controller: graceful shutdown logic should not run on a new pod with the same name. Fixes a case where statefulset rollouts could get stuck in graceful shutdown when the new pods come up. [GH-4059]
v1.1.14
1.1.14 (July 16, 2024)
SECURITY:
- Upgrade go version to 1.22.5 to address CVE-2024-24791 [GH-4154]
- Upgrade go-retryablehttp to v0.7.7 to address GHSA-v6v8-xj6m-xwqh [GH-4169]
IMPROVEMENTS:
- upgrade go version to v1.22.4. [GH-4085]
- partition-init: Role no longer includes unnecessary access to Secrets resource. [GH-4053]
BUG FIXES:
- cni: fix incorrect release version due to unstable submodule pinning [GH-4091]
v1.5.0
1.5.0 (June 13, 2024)
NOTE: Consul K8s 1.5.x is compatible with Consul 1.19.x and Consul Dataplane 1.5.x. Refer to our compatibility matrix for more info.
BREAKING CHANGES:
- api-gateway: The api-gateway stanza located under .Values.api-gateway was deprecated in 1.16.0 of Consul and is being removed as of 1.19.0 in favor of connectInject.apiGateway. [GH-3718]
FEATURES:
- control-plane: Add the ability to register services via CRD. [GH-3943]
- gateways: api-gateway now uses the Consul file-system-certificate by default for TLS [GH-3767]
- helm: adds ability to set the Image Pull Policy for all Consul images (consul, consul-k8s, consul-dataplane, consul-telemetry-collector) [GH-3991]
IMPROVEMENTS:
- upgrade go version to v1.22.4. [GH-4085]
- cni: package consul-cni as .deb and .rpm files [GH-4040]
- helm: Add readOnlyRootFilesystem to the default restricted security context when running consul-k8s in a restricted namespace. [GH-2909]
BUG FIXES:
- api-gateway: fix bug where multiple logical APIGateways would share the same ACL policy. [GH-4003]
- cni: fix incorrect release version due to unstable submodule pinning [GH-4091]
- helm: (datadog integration) updated server-statefulset.yaml templating to handle custom Unix Domain Socket paths. [GH-3635]
- helm: bug fix for prometheus.io annotation omission while using datadog integration with openmetrics/prometheus and consul integration checks [GH-3685]
- helm: corrected datadog openmetrics and consul-checks consul server URLs set during automation to use full consul deployment release name [GH-3685]
v1.4.3
v1.3.6
v1.2.9
v1.1.13
v1.1.12
1.1.12 (May 20, 2024)
SECURITY:
- Upgrade Go to use 1.21.10. This addresses CVEs CVE-2024-24787 and CVE-2024-24788 [GH-3980]
- Upgrade helm/v3 to 3.14.4. This resolves the following security vulnerabilities: CVE-2024-25620, CVE-2024-26147 [GH-3935]
- Upgrade to use Go 1.21.9. This resolves CVE CVE-2023-45288 (http2). [GH-3900]
- Upgrade to use golang.org/x/net v0.24.0. This resolves CVE CVE-2023-45288 (x/net). [GH-3900]
IMPROVEMENTS:
- ConfigEntries controller: Only error for config entries from different datacenters when the config entries are different [GH-3873]
v1.4.2
1.4.2 (May 20, 2024)
SECURITY:
- Upgrade Go to use 1.21.10. This addresses CVEs CVE-2024-24787 and CVE-2024-24788 [GH-3980]
- Upgrade helm/v3 to 3.14.4. This resolves the following security vulnerabilities: CVE-2024-25620, CVE-2024-26147 [GH-3935]
- Upgrade to use Go 1.21.9. This resolves CVE CVE-2023-45288 (http2). [GH-3893]
- Upgrade to use golang.org/x/net v0.24.0. This resolves CVE CVE-2023-45288 (x/net). [GH-3893]
FEATURES:
- Add support for configuring graceful startup proxy lifecycle management settings. [GH-3878]
IMPROVEMENTS:
- control-plane: support , and <\n> as upstream separators. [GH-3956]
- ConfigEntries controller: Only error for config entries from different datacenters when the config entries are different [GH-3873]
- control-plane: Add support for receiving iptables configuration via CNI arguments, to support Nomad transparent proxy [GH-3795]
- control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift. [GH-3813]
- helm: only create the default Prometheus path annotation when it's not already specified within the component-specific annotations. For example if the client.annotations value sets prometheus.io/path annotation, don't overwrite it with the default value. [GH-3846]
- helm: support sync-lb-services-endpoints flag for syncCatalog [GH-3905]
- terminating-gateways: Remove unnecessary permissions from terminating gateways role [GH-3928]
BUG FIXES:
- Create Consul service with mode transparent-proxy even when a cluster IP is not assigned to the service. [GH-3974]
- api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul when upgrading between versions. [GH-3918]
- api-gateway: fix bug where multiple logical APIGateways would share the same ACL policy. [GH-4000]
- consul-cni: Fixed a bug where the output of -version did not include the version of the binary [GH-3829]
- control-plane: fix a panic when an upstream annotation is malformed. [GH-3956]
- connect-inject: Fixed issue where on restart, if a managed-gateway-acl-role already existed the container would error [GH-3978]