Releases: hashicorp/consul-k8s

v1.0.0-beta1

04 Oct 19:31
v1.0.0-beta1 Pre-release

1.0.0-beta1 (October 4, 2022)

FEATURES:

  • CLI:
    • Add the ability to install HCP self-managed clusters. [GH-1540]
    • Add the ability to install the HashiCups demo application via the -demo flag. [GH-1540]

BREAKING CHANGES:

  • Consul client agents are no longer deployed by default, and Consul service mesh no longer uses Consul clients to operate. This change affects several main areas listed below. [GH-1552]
    • Control plane:
      • A new component consul-dataplane is now injected as a sidecar-proxy instead of plain Envoy. consul-dataplane manages the Envoy proxy process and proxies xDS requests from Envoy to Consul servers.
      • All services on the service mesh are now registered directly with the central catalog in Consul servers.
      • All service-mesh consul-k8s components are configured to talk directly to Consul servers.
      • Mesh, ingress, and terminating gateways are now registered centrally by the endpoints controller, similar to how service-mesh services are registered.
    • Helm:
      • client.enabled now defaults to false. Setting it to true will deploy client agents; however, none of the consul-k8s components will use clients for their operation.
      • global.imageEnvoy is no longer used for sidecar proxies, as well as mesh, terminating, and ingress gateways.
      • externalServers.grpcPort default is now 8502 instead of 8503.
      • The meshGateway.service.enabled value is removed. Mesh gateways will now always have a Kubernetes service, as this is required to register them as a service with Consul.
      • meshGateway.initCopyConsulContainer, ingressGateways.initCopyConsulContainer, terminatingGateways.initCopyConsulContainer values are removed.
    • Known beta limitations:
      • Transparent proxy is not yet supported.
      • Metrics and observability are not yet supported.
      • API gateway is not yet supported.
      • Executables in the form of exec= are not yet supported when using external servers and ACLs.

v0.49.0

30 Sep 15:23
0a2cf9a

0.49.0 (September 30, 2022)

FEATURES:

  • CLI:
    • Add support for tab autocompletion [GH-1437]
  • Consul CNI Plugin
    • Support for OpenShift and Multus CNI plugin [GH-1527]

BUG FIXES:

  • Control plane
    • Use global ACL auth method to provision ACL tokens for API Gateway in secondary datacenter [GH-1481]
    • Peering: pass new use_auto_cert value to gRPC TLS config when auto-encrypt is enabled. [GH-1541]
  • Helm:
    • Only create Federation Secret Job when server.updatePartition is 0 [GH-1512]
    • Fixes a typo in the templating of global.connectInject.disruptionBudget.maxUnavailable. [GH-1530]

IMPROVEMENTS:

  • Helm:
    • API Gateway: Set primary datacenter flag when deploying controller into secondary datacenter with federation enabled [GH-1511]
    • API Gateway: Allow controller to create and update Secrets for storing Consul CA cert alongside gateway Deployments [GH-1542]
    • New parameter EnforcingConsecutive5xx which supports a configurable percent chance of automatic ejection of a host when a consecutive number of 5xx response codes are received [GH-1484]
  • Control-plane:
    • Support escaped commas in service tag annotations for pods which use consul.hashicorp.com/connect-service-tags or consul.hashicorp.com/service-tags. [GH-1532]

v0.48.0

01 Sep 23:21
db0dce0

0.48.0 (September 01, 2022)

FEATURES:

  • MaxInboundConnections in service-defaults CRD
    • Add support for MaxInboundConnections on the Service Defaults CRD. [GH-1437]
  • Consul CNI Plugin
    • CNI Plugin for Consul-k8s [GH-1465]
  • Kubernetes 1.24 Support
    • Add support for Kubernetes 1.24 where ServiceAccounts no longer have long-term JWT tokens. [GH-1431]
    • Upgrade kubeVersion in helm chart to support Kubernetes 1.21+.

BREAKING CHANGES:

  • Kubernetes 1.24 Support

    • Users deploying multiple services to the same Pod (multiport) on Kubernetes 1.24 must also deploy a Kubernetes Secret for each ServiceAccount associated with the Consul service. The name of the Secret must match the ServiceAccount name and be of type kubernetes.io/service-account-token [GH-1431]
    • Kubernetes 1.19 and 1.20 are no longer supported.

    Example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: svc1
      annotations:
        kubernetes.io/service-account.name: svc1
    type: kubernetes.io/service-account-token
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: svc2
      annotations:
        kubernetes.io/service-account.name: svc2
    type: kubernetes.io/service-account-token
  • Control Plane

    • Rename flag server-address to token-server-address in the inject-connect subcommand to avoid overloading the context of the server-address flag. [GH-1426]

IMPROVEMENTS:

  • CLI:
    • Display clusters by their short names rather than FQDNs for the proxy read command. [GH-1412]
    • Display a message when proxy list returns no results. [GH-1412]
    • Display a warning when a user passes a field and table filter combination to proxy read where the given field is not present in any of the output tables. [GH-1412]
    • Extend the timeout for consul-k8s proxy read to establish a connection from 5s to 10s. [GH-1442]
    • Expand the set of Envoy Listener Filters that may be parsed and output to the Listeners table. [GH-1442]
  • Helm:
    • The default Envoy proxy image is now envoyproxy/envoy:v1.23.1. [GH-1473]

BUG FIXES:

  • Helm
    • API Gateway: Configure ACL auth for controller correctly when deployed in secondary datacenter with federation enabled [GH-1462]
  • CLI
    • Fix issue where SNI filters for Terminating Gateways showed up as blank lines. [GH-1442]
    • Fix issue where Logical DNS endpoints were being displayed alongside cluster names. [GH-1452]

v0.47.1

12 Aug 18:49
b16a8a4

0.47.1 (August 12, 2022)

BUG FIXES:

  • Helm
    • Update the version of the imageK8S in values.yaml to the latest control-plane image. [GH-1355]

v0.47.0

12 Aug 13:41
12cb347

0.47.0 (August 12, 2022)

FEATURES:

  • Transparent Proxy Egress
    • Add support for Destinations on the Service Defaults CRD. [GH-1352]
  • CLI:
    • Add consul-k8s proxy list command for displaying Pods running Envoy managed by Consul. [GH-1271]
    • Add consul-k8s proxy read podname command for displaying Envoy configuration for a given Pod. [GH-1271]
  • [Experimental] Cluster Peering:
    • Add support for ACLs and TLS. [GH-1343] [GH-1366]
    • Add support for Load Balancers or external addresses in front of Consul servers for peering stream.
      • Support new expose-servers Kubernetes Service deployed by Helm chart to expose the Consul servers, and using the service address in the peering token. [GH-1378]
      • Support non-default partitions by using externalServers.hosts as the server addresses in the peering token. [GH-1384]
      • Support arbitrary addresses as the server addresses in the peering token via global.peering.tokenGeneration.source="static" and global.peering.tokenGeneration.static=["sample-server-address:8502"]. [GH-1392]
    • Generate new peering token only on user-triggered events. [GH-1399]

IMPROVEMENTS:

  • Helm
    • Bump default Envoy version to 1.22.4. [GH-1413]
    • Added support for Consul API Gateway to read ReferenceGrant custom resources. This will require either installing Consul API Gateway CRDs from the upcoming v0.4.0 release with kubectl apply --kustomize "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.4.0" or manually installing the ReferenceGrant CRD from the Gateway API v0.5 Experimental Channel when setting apiGateway.enabled=true [GH-1299]

BUG FIXES:

  • Helm
    • Fix permissions in client-daemonset and server-statefulset when using extra-config volumes to prevent errors on OpenShift. [GH-1307]

v0.46.1

26 Jul 23:20
e02d8a4

0.46.1 (July 26, 2022)

IMPROVEMENTS:

  • Control Plane
    • Update alpine to 3.16 in the Docker image. [GH-1372]

v0.46.0

20 Jul 21:48
368d83f

0.46.0 (July 20, 2022)

IMPROVEMENTS:

  • Control Plane
    • Update minimum Go version for project to 1.18 [GH-1292]
  • CLI
    • Update minimum Go version for project to 1.18 [GH-1292]

FEATURES:

  • [Experimental] Cluster Peering:
    • Add support for secret watchers on the Peering Acceptor and Peering Dialer controllers. [GH-1284]
    • Add support for version annotation on the Peering Acceptor and Peering Dialer controllers. [GH-1302]
    • Add validation webhooks for the Peering Acceptor and Peering Dialer CRDs [GH-1310]

IMPROVEMENTS:

  • Control Plane
    • Added annotations consul.hashicorp.com/prometheus-ca-file, consul.hashicorp.com/prometheus-ca-path, consul.hashicorp.com/prometheus-cert-file, and consul.hashicorp.com/prometheus-key-file for configuring TLS scraping on Prometheus metrics endpoints for Envoy sidecars. To enable, set the cert and key file annotations along with one of the ca file/path annotations. [GH-1303]
    • Added annotations consul.hashicorp.com/consul-sidecar-user-volume and consul.hashicorp.com/consul-sidecar-user-volume-mount for attaching Volumes and VolumeMounts to the Envoy sidecar. Both should be JSON objects. [GH-1315]
  • Helm
    • Added connectInject.annotations and syncCatalog.annotations values for setting annotations on connect inject and sync catalog deployments. [GH-775]
    • Added PodDisruptionBudget to the connect injector deployment which can be configured using the connectInject.disruptionBudget stanza. [GH-1316]

BUG FIXES:

  • Helm
    • When using OpenShift, do not set securityContext in gossip-encryption-autogenerate job. [GH-1308]
  • Control Plane
    • Fix missing RBAC permissions for the peering controllers to be able to update secrets. [GH-1359]
    • Fix a bug in the peering controller where we tried to read the secret from the cache right after creating it. [GH-1359]

v0.45.0

17 Jun 12:40

0.45.0 (June 17, 2022)

FEATURES:

  • [Experimental] Cluster Peering: Support Consul cluster peering, which allows service connectivity between two independent clusters. [GH-1273]

    Enabling peering will deploy the peering controllers and PeeringAcceptor and PeeringDialer CRDs. The new CRDs are used to establish a peering connection between two clusters.

    See Cluster Peering on Kubernetes for full instructions.

    Requirements:

    • Consul 1.13+
    • global.peering.enabled=true and connectInject.enabled=true must be set to enable peering.
    • Mesh gateways are required for service-to-service communication across peers, i.e. meshGateway.enabled=true.

IMPROVEMENTS:

  • Helm
    • Enable the configuring of snapshot intervals in the client snapshot agent via client.snapshotAgent.interval. [GH-1235]
    • Enable configuring the pod topologySpreadConstraints for mesh, terminating, and ingress gateways. [GH-1257]
    • Present Consul server CA chain when using Vault secrets backend. [GH-1251]
    • API Gateway: Enable configuring of the new High Availability feature (requires Consul API Gateway v0.3.0+). [GH-1261]
    • Enable the configuration of Envoy proxy concurrency via connectInject.sidecarProxy.concurrency, which can
      be overridden at the pod level via the annotation consul.hashicorp.com/consul-envoy-proxy-concurrency.
      This PR also sets the default concurrency for Envoy proxies to 2. [GH-1277]
    • Update Mesh CRD with Mesh HTTP Config. [GH-1282]
  • Control Plane
    • Bump Dockerfile base image for RedHat UBI consul-k8s-control-plane image to ubi-minimal:8.6. [GH-1244]
    • Add additional metadata to service instances registered via catalog sync. [GH-447]
    • Enable configuring Connect Injector and Controller Webhooks' certificates to be managed by Vault. [GH-1191]

BUG FIXES:

  • Helm
    • Update client-snapshot-agent so that setting client.snapshotAgent.caCert no longer requires root access to modify the trust store. [GH-1190]
    • Add missing vault agent annotations to the api-gateway-controller-deployment. [GH-1247]
    • Bump default Envoy version to 1.22.2. [GH-1276]

v0.44.0

17 May 23:55

0.44.0 (May 17, 2022)

BREAKING CHANGES:

  • Helm
    • Using the Vault integration requires Consul 1.12.0+. [GH-1213], [GH-1218]

IMPROVEMENTS:

  • Helm
    • Enable the ability to configure global.consulAPITimeout to configure how long requests to the Consul API will wait to resolve before canceling. The default value is 5 seconds. [GH-1178]

BUG FIXES:

  • Security
    • Bump golang.org/x/crypto and golang.org/x/text dependencies to address CVE-2022-27291 and CVE-2021-38561 respectively on both CLI and Control Plane. There's no known exposure within Consul on Kubernetes as the dependencies are not invoked. [GH-1189]
  • Control Plane
    • Endpoints Controller queuing up service registrations/deregistrations when request to agent on a terminated pod does not time out. This could result in pods not being registered and service instances not being deregistered. [GH-714]
  • Helm
    • Update client-daemonset to include ca-cert volumeMount only when tls is enabled. [GH-1194]
    • Update create-federation-secret-job to look up the automatically generated gossip encryption key by the right name when global.name is unset or set to something other than consul. [GH-1196]
    • Add Admin Partitions support to Sync Catalog (Consul Enterprise only). [GH-1180]
    • Correct webhook-cert-manager-clusterrole to utilize the web-cert-manager podsecuritypolicy rather than connect-injectors when global.enablePodSecurityPolicies is true. [GH-1202]
    • Enable Consul auto-reload-config only when Vault is enabled. [GH-1213]
    • Revert TLS config to be compatible with Consul 1.11. [GH-1218]

v0.43.0

21 Apr 16:59

0.43.0 (April 21, 2022)

BREAKING CHANGES:

  • Helm
    • Requires Consul 1.12.0+ as the Server statefulsets are now provisioned with Consul -auto-reload-config flag which monitors changes to specific Consul configuration properties and reloads itself when changes are detected. [GH-1135]
    • API Gateway: Re-use connectInject.consulNamespaces instead of requiring that apiGateway.consulNamespaces have the same value when ACLs are enabled. [GH-1169]

FEATURES:

  • Control Plane
    • Add a "consul.hashicorp.com/kubernetes-service" annotation for pods to specify which Kubernetes service they want to use for registration when multiple services target the same pod. [GH-1150]

BUG FIXES:

  • CLI
    • Fix issue where clusters not in the same namespace as their deployment name could not be upgraded. [GH-1115]
    • Fix issue where the CLI was looking for secrets in namespaces other than the namespace targeted by the release. [GH-1156]
    • Fix issue where the federation secret was not being found in certain configurations. [GH-1154]
  • Control Plane
    • Fix issue where upgrading a deployment from non-service mesh to service mesh would cause Pods to hang in init. [GH-1136]
  • Helm
    • Respect client nodeSelector, tolerations, and priorityClass when scheduling create-federation-secret Job. [GH-1108]

IMPROVEMENTS:

  • Control Plane
    • Support new annotation for mounting connect-inject volume to other containers. [GH-1111]
  • Helm
    • API Gateway: Allow controller to read ReferencePolicy in order to determine if route is allowed for backend in different namespace. [GH-1148]
    • Allow consul to be a destination namespace. [GH-1163]
    • CRDs: Update Mesh and Ingress Gateway CRDs to support TLS config. [GH-1168]