v1.2.1

1.2.1 (Aug 10, 2023)

BREAKING CHANGES:

• control-plane: All policies managed by consul-k8s will now be updated on upgrade. If you previously edited the policies after install, your changes will be overwritten. [GH-2392]

SECURITY:

• Upgrade to use Go 1.20.6 and x/net/http 0.12.0.
  This resolves CVE-2023-29406(net/http). [GH-2642]
• Upgrade to use Go 1.20.7 and x/net 0.13.0.
  This resolves CVE-2023-29409(crypto/tls)
  and CVE-2023-3978(net/html). [GH-2710]

FEATURES:

• Add support for configuring graceful shutdown proxy lifecycle management settings. [GH-2233]
• api-gateway: adds ability to map privileged ports on Gateway listeners to unprivileged ports so that containers do not require additional privileges [GH-2707]
• api-gateway: support deploying to OpenShift 4.11 [GH-2184]
• helm: Adds acls.resources field which can be configured to override the resource settings for the server-acl-init and server-acl-init-cleanup Jobs. [GH-2416]
• sync-catalog: add ability to support weighted loadbalancing by service annotation consul.hashicorp.com/service-weight: <number> [GH-2293]

IMPROVEMENTS:

• (Consul Enterprise) Add support to provide inputs via helm for audit log related configuration [GH-2370]
• (api-gateway) make API gateway controller less verbose [GH-2524]
• Add support to provide the logLevel flag via helm for multiple low level components. Introduces the following fields

1. global.acls.logLevel
2. global.tls.logLevel
3. global.federation.logLevel
4. global.gossipEncryption.logLevel
5. server.logLevel
6. client.logLevel
7. meshGateway.logLevel
8. ingressGateways.logLevel
9. terminatingGateways.logLevel
10. telemetryCollector.logLevel [GH-2302]

• control-plane: increase timeout after login for ACL replication to 60 seconds [GH-2656]
• helm: adds values for securityContext and annotations on TLS and ACL init/cleanup jobs. [GH-2525]
• helm: set container securityContexts to match the restricted Pod Security Standards policy to support running Consul in a namespace with restricted PSA enforcement enabled [GH-2572]
• helm: update imageConsulDataplane value to hashicorp/consul-dataplane:1.2.0 [GH-2476]
• helm: update image value to hashicorp/consul:1.16.0 [GH-2476]

BUG FIXES:

• api-gateway: Fix creation of invalid Kubernetes Service when multiple Gateway listeners have the same port. [GH-2413]
• api-gateway: fix helm install when setting copyAnnotations or nodeSelector [GH-2597]
• api-gateway: fixes bug where envoy will silently reject RSA keys less than 2048 bits in length when not in FIPS mode, and
  will reject keys that are not 2048, 3072, or 4096 bits in length in FIPS mode. We now validate
  and reject invalid certs earlier. [GH-2478]
• api-gateway: set route condition appropriately when parent ref includes non-existent section name [GH-2420]
• control-plane: Always update ACL policies upon upgrade. [GH-2392]
• control-plane: fix bug in endpoints controller when deregistering services from consul when a node is deleted. [GH-2571]
• helm: fix CONSUL_LOGIN_DATACENTER for consul client-daemonset. [GH-2652]
• helm: fix ui ingress manifest formatting, and exclude ingressClass when not defined. [GH-2687]
• transparent-proxy: Fix issue where connect-inject lacked sufficient mesh:write privileges in some deployments,
  which prevented virtual IPs from persisting properly. [GH-2520]

v1.1.4

1.1.4 (Aug 10, 2023)

SECURITY:

• Upgrade to use Go 1.20.6 and x/net/http 0.12.0.
  This resolves CVE-2023-29406(net/http). [GH-2642]
• Upgrade to use Go 1.20.7 and x/net 0.13.0.
  This resolves CVE-2023-29409(crypto/tls)
  and CVE-2023-3978(net/html). [GH-2710]

IMPROVEMENTS:

• Add support to provide the logLevel flag via helm for multiple low level components. Introduces the following fields

1. global.acls.logLevel
2. global.tls.logLevel
3. global.federation.logLevel
4. global.gossipEncryption.logLevel
5. server.logLevel
6. client.logLevel
7. meshGateway.logLevel
8. ingressGateways.logLevel
9. terminatingGateways.logLevel
10. telemetryCollector.logLevel [GH-2302]

• control-plane: increase timeout after login for ACL replication to 60 seconds [GH-2656]
• helm: adds values for securityContext and annotations on TLS and ACL init/cleanup jobs. [GH-2525]
• helm: do not set container securityContexts by default on OpenShift < 4.11 [GH-2678]
• helm: set container securityContexts to match the restricted Pod Security Standards policy to support running Consul in a namespace with restricted PSA enforcement enabled [GH-2572]

BUG FIXES:

• control-plane: fix bug in endpoints controller when deregistering services from consul when a node is deleted. [GH-2571]
• helm: fix CONSUL_LOGIN_DATACENTER for consul client-daemonset. [GH-2652]
• helm: fix ui ingress manifest formatting, and exclude ingressClass when not defined. [GH-2687]

v1.0.9

1.0.9 (Aug 10, 2023)

SECURITY:

• Upgrade to use Go 1.19.11 and x/net/http 0.12.0.
  This resolves CVE-2023-29406(net/http). [GH-2650]
• Upgrade to use Go 1.19.12 and x/net 0.13.0.
  This resolves CVE-2023-29409(crypto/tls)
  and CVE-2023-3978(net/html). [GH-2717]

IMPROVEMENTS:

• Add support to provide the logLevel flag via helm for multiple low level components. Introduces the following fields

1. global.acls.logLevel
2. global.tls.logLevel
3. global.federation.logLevel
4. global.gossipEncryption.logLevel
5. server.logLevel
6. client.logLevel
7. meshGateway.logLevel
8. ingressGateways.logLevel
9. terminatingGateways.logLevel [GH-2302]

• control-plane: increase timeout after login for ACL replication to 60 seconds [GH-2656]
• helm: adds values for securityContext and annotations on TLS and ACL init/cleanup jobs. [GH-2525]
• helm: do not set container securityContexts by default on OpenShift < 4.11 [GH-2678]
• helm: set container securityContexts to match the restricted Pod Security Standards policy to support running Consul in a namespace with restricted PSA enforcement enabled [GH-2572]

BUG FIXES:

• control-plane: fix bug in endpoints controller when deregistering services from consul when a node is deleted. [GH-2571]
• helm: fix CONSUL_LOGIN_DATACENTER for consul client-daemonset. [GH-2652]
• helm: fix ui ingress manifest formatting, and exclude ingressClass when not defined. [GH-2687]

v0.49.8

0.49.8 (July 12, 2023)

IMPROVEMENTS:

• helm: Add connectInject.prepareDataplanesUpgrade setting for help upgrading to dataplanes. This setting is required if upgrading from non-dataplanes to dataplanes when ACLs are enabled. See https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-to-consul-dataplane for more information. [GH-2514]

v1.2.0

1.2.0 (June 28, 2023)

FEATURES:

• Add support for configuring Consul server-side rate limiting [GH-2166]
• api-gateway: Add API Gateway for Consul on Kubernetes leveraging Consul native API Gateway configuration. [GH-2152]
• crd: Add mutualTLSMode to the ProxyDefaults and ServiceDefaults CRDs and allowEnablingPermissiveMutualTLS to the Mesh CRD to support configuring permissive mutual TLS. [GH-2100]
• helm: Add JWTProvider CRD for configuring the jwt-provider config entry. [GH-2209]
• helm: Update the ServiceIntentions CRD to support JWT fields. [GH-2213]

IMPROVEMENTS:

• cli: update minimum go version for project to 1.20. [GH-2102]
• control-plane: add FIPS support [GH-2165]
• control-plane: server ACL Init always appends both, the secrets from the serviceAccount's secretRefs and the one created by the Helm chart, to support Openshift secret handling. [GH-1770]
• control-plane: set agent localities on Consul servers to the server node's topology.kubernetes.io/region label. [GH-2093]
• control-plane: update alpine to 3.17 in the Docker image. [GH-1934]
• control-plane: update minimum go version for project to 1.20. [GH-2102]
• helm: Kubernetes v1.27 is now supported. Minimum tested version of Kubernetes is now v1.24. [GH-2304]
• helm: Update the default amount of memory used by the connect-inject controller so that its less likely to get OOM killed. [GH-2249]
• helm: add failover policy field to service resolver and proxy default CRDs [GH-2030]
• helm: add samenessGroup CRD [GH-2048]
• helm: add samenessGroup field to exported services CRD [GH-2075]
• helm: add samenessGroup field to service resolver CRD [GH-2086]
• helm: add samenessGroup field to source intention CRD [GH-2097]
• helm: update imageConsulDataplane value to hashicorp/consul-dataplane:1.2.0 [GH-2476]
• helm: update image value to hashicorp/consul:1.16.0 [GH-2476]

SECURITY:

• Update Go-Discover in the container has been updated to address CVE-2020-14040 [GH-2390]
• Bump Dockerfile base image to alpine:3.18. Resolves CVE-2023-2650 vulnerability in openssl@3.0.8-r4 [GH-2284]
• Fix Prometheus CVEs by bumping controller-runtime. [GH-2183]
• Upgrade to use Go 1.20.4.
  This resolves vulnerabilities CVE-2023-24537(go/scanner),
  CVE-2023-24538(html/template),
  CVE-2023-24534(net/textproto) and
  CVE-2023-24536(mime/multipart).
  Also, golang.org/x/net has been updated to v0.7.0 to resolve CVEs CVE-2022-41721, CVE-2022-27664 and CVE-2022-41723
  [GH-2102]

BUG FIXES:

• control-plane: Fix casing of the Enforce Consecutive 5xx field on Service Defaults and acceptance test fixtures. [GH-2266]
• control-plane: fix issue where consul-connect-injector acl token was unintentionally being deleted and not recreated when a container was restarted due to a livenessProbe failure. [GH-1914]

v1.1.3

1.1.3 (June 28, 2023)

BREAKING CHANGES:

• control-plane: All policies managed by consul-k8s will now be updated on upgrade. If you previously edited the policies after install, your changes will be overwritten. [GH-2392]

SECURITY:

• Bump Dockerfile base image to alpine:3.18. Resolves CVE-2023-2650 vulnerability in openssl@3.0.8-r4 [GH-2284]
• Update Go-Discover in the container has been updated to address CVE-2020-14040 [GH-2390]

FEATURES:

• Add support for configuring graceful shutdown proxy lifecycle management settings. [GH-2233]
• helm: Adds acls.resources field which can be configured to override the resource settings for the server-acl-init and server-acl-init-cleanup Jobs. [GH-2416]
• sync-catalog: add ability to support weighted loadbalancing by service annotation consul.hashicorp.com/service-weight: <number> [GH-2293]

IMPROVEMENTS:

• (Consul Enterprise) Add support to provide inputs via helm for audit log related configuration [GH-2369]
• helm: Update the default amount of memory used by the connect-inject controller so that its less likely to get OOM killed. [GH-2249]

BUG FIXES:

• control-plane: Always update ACL policies upon upgrade. [GH-2392]
• control-plane: Fix casing of the Enforce Consecutive 5xx field on Service Defaults and acceptance test fixtures. [GH-2266]

v1.0.8

1.0.8 (June 28, 2023)

BREAKING CHANGES:

• control-plane: All policies managed by consul-k8s will now be updated on upgrade. If you previously edited the policies after install, your changes will be overwritten. [GH-2392]

SECURITY:

• Bump Dockerfile base image for RedHat UBI consul-k8s-control-plane image to ubi-minimal:9.2. [GH-2204]
• Bump Dockerfile base image to alpine:3.18. Resolves CVE-2023-2650 vulnerability in openssl@3.0.8-r4 [GH-2284]
• Bump controller-runtime to address CVEs in dependencies. [GH-2225]
• Update Go-Discover in the container has been updated to address CVE-2020-14040 [GH-2390]

FEATURES:

• Add support for configuring graceful shutdown proxy lifecycle management settings. [GH-2233]
• helm: Adds acls.resources field which can be configured to override the resource settings for the server-acl-init and server-acl-init-cleanup Jobs. [GH-2416]
• sync-catalog: add ability to support weighted loadbalancing by service annotation consul.hashicorp.com/service-weight: <number> [GH-2293]

IMPROVEMENTS:

• (Consul Enterprise) Add support to provide inputs via helm for audit log related configuration [GH-2265]
• helm: Update the default amount of memory used by the connect-inject controller so that its less likely to get OOM killed. [GH-2249]

BUG FIXES:

• control-plane: Always update ACL policies upon upgrade. [GH-2392]
• control-plane: Fix casing of the Enforce Consecutive 5xx field on Service Defaults and acceptance test fixtures. [GH-2266]
• control-plane: add support for idleTimeout in the Service Router config [GH-2156]
• control-plane: fix issue with json tags of service defaults fields EnforcingConsecutive5xx, MaxEjectionPercent and BaseEjectionTime. [GH-2159]
• control-plane: fix issue with multiport pods crashlooping due to dataplane port conflicts by ensuring dns redirection is disabled for non-tproxy pods [GH-2176]
• crd: fix bug on service intentions CRD causing some updates to be ignored. [GH-2194]

v0.49.7

0.49.7 (June 28, 2023)

BREAKING CHANGES:

• control-plane: All policies managed by consul-k8s will now be updated on upgrade. If you previously edited the policies after install, your changes will be overwritten. [GH-2392]

SECURITY:

• Bump Dockerfile base image for RedHat UBI consul-k8s-control-plane image to ubi-minimal:9.2. [GH-2204]
• Bump Dockerfile base image to alpine:3.18. Resolves CVE-2023-2650 vulnerability in openssl@3.0.8-r4 [GH-2284]

FEATURES:

• helm: Adds acls.resources field which can be configured to override the resource settings for the server-acl-init and server-acl-init-cleanup Jobs. [GH-2416]

IMPROVEMENTS:

• (Consul Enterprise) Add support to provide inputs via helm for audit log related configuration [GH-2265]
• helm: Update the default amount of memory used by the connect-inject controller so that its less likely to get OOM killed. [GH-2249]

BUG FIXES:

• control-plane: Always update ACL policies upon upgrade. [GH-2392]
• crd: fix bug on service intentions CRD causing some updates to be ignored. [GH-2194]

v1.2.0-rc1

1.2.0-rc1 (June 12, 2023)

SECURITY:

• Bump Dockerfile base image to alpine:3.18. Resolves CVE-2023-2650 vulnerability in openssl@3.0.8-r4 [GH-2284]
• Fix Prometheus CVEs by bumping controller-runtime. [GH-2183]
• Upgrade to use Go 1.20.4. This resolves vulnerabilities CVE-2023-24537(go/scanner), CVE-2023-24538(html/template),
  CVE-2023-24534(net/textproto) and CVE-2023-24536(mime/multipart). Also, golang.org/x/net has been updated to v0.7.0 to resolve CVEs CVE-2022-41721, CVE-2022-27664 and CVE-2022-41723 [GH-2102]

FEATURES:

• Add support for configuring Consul server-side rate limiting [GH-2166]
• api-gateway: Add API Gateway for Consul on Kubernetes leveraging Consul native API Gateway configuration. [GH-2152]
• crd: Add mutualTLSMode to the ProxyDefaults and ServiceDefaults CRDs and allowEnablingPermissiveMutualTLS to the Mesh CRD to support configuring permissive mutual TLS. [GH-2100]
• helm: Add JWTProvider CRD for configuring the jwt-provider config entry. [GH-2209]
• helm: Update the ServiceIntentions CRD to support JWT fields. [GH-2213]

IMPROVEMENTS:

• cli: update minimum go version for project to 1.20. [GH-2102]
• control-plane: add FIPS support [GH-2165]
• control-plane: server ACL Init always appends both, the secrets from the serviceAccount's secretRefs and the one created by the Helm chart, to support Openshift secret handling. [GH-1770]
• control-plane: set agent localities on Consul servers to the server node's topology.kubernetes.io/region label. [GH-2093]
• control-plane: update alpine to 3.17 in the Docker image. [GH-1934]
• control-plane: update minimum go version for project to 1.20. [GH-2102]
• helm: Kubernetes v1.27 is now supported. Minimum tested version of Kubernetes is now v1.24. [GH-2304]
• helm: Update the default amount of memory used by the connect-inject controller so that its less likely to get OOM killed. [GH-2249]
• helm: add failover policy field to service resolver and proxy default CRDs [GH-2030]
• helm: add samenessGroup CRD [GH-2048]
• helm: add samenessGroup field to exported services CRD [GH-2075]
• helm: add samenessGroup field to service resolver CRD [GH-2086]
• helm: add samenessGroup field to source intention CRD [GH-2097]
• helm: update imageConsulDataplane value to hashicorp/consul-dataplane:1.1.0. [GH-1953]

BUG FIXES:

• control-plane: Fix casing of the Enforce Consecutive 5xx field on Service Defaults and acceptance test fixtures. [GH-2266]
• control-plane: fix issue where consul-connect-injector acl token was unintentionally being deleted and not recreated when a container was restarted due to a livenessProbe failure. [GH-1914]

v1.1.2

1.1.2 (June 5, 2023)

SECURITY:

• Bump Dockerfile base image for RedHat UBI consul-k8s-control-plane image to ubi-minimal:9.2. [GH-2204]
• Bump controller-runtime to address CVEs in dependencies. [GH-2226]
• Upgrade to use Go 1.20.4. This resolves vulnerabilities CVE-2023-24537(go/scanner), CVE-2023-24538(html/template),
  CVE-2023-24534(net/textproto) and CVE-2023-24536(mime/multipart). Also, golang.org/x/net has been updated to v0.7.0 to resolve CVEs CVE-2022-41721, CVE-2022-27664 and CVE-2022-41723 [GH-2104]

FEATURES:

• Add support for consul-telemetry-collector to forward envoy metrics to an otelhttp compatible receiver or HCP [GH-2134]
• consul-telemetry-collector: Configure envoy proxy config during registration when consul-telemetry-collector is enabled. [GH-2143]
• sync-catalog: add ability to sync hostname from a Kubernetes Ingress resource to the Consul Catalog during service registration. [GH-2098]

IMPROVEMENTS:

• cli: Add consul-k8s config read command that returns the helm configuration in yaml format. [GH-2078]
• cli: add consul-telemetry-gateway allow-all intention for -demo [GH-2262]
• cli: update cloud preset to enable telemetry collector [GH-2205]
• consul-telemetry-collector: add acceptance tests for consul telemetry collector component [GH-2195]

BUG FIXES:

• crd: fix bug on service intentions CRD causing some updates to be ignored. [GH-2194]
• api-gateway: fix issue where the API Gateway controller is unable to start up successfully when Vault is configured as the secrets backend [GH-2083]
• control-plane: add support for idleTimeout in the Service Router config [GH-2156]
• control-plane: fix issue with json tags of service defaults fields EnforcingConsecutive5xx, MaxEjectionPercent and BaseEjectionTime. [GH-2160]
• control-plane: fix issue with multiport pods crashlooping due to dataplane port conflicts by ensuring dns redirection is disabled for non-tproxy pods [GH-2176]
• helm: add missing $HOST_IP environment variable to to mesh gateway deployments. [GH-1808]
• sync-catalog: fix issue where the sync-catalog ACL token were set with an incorrect ENV VAR. [GH-2068]