v1.14.0
1.14.0 (November 15, 2022)
BREAKING CHANGES:
- config: Add new
ports.grpc_tls
configuration option.
Introduce a new port to better separate TLS config from the existingports.grpc
config.
The newports.grpc_tls
only supports TLS encrypted communication.
The existingports.grpc
now only supports plain-text communication. [GH-15339] - config: update 1.14 config defaults: Enable
peering
andconnect
by default. [GH-15302] - config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 [GH-15302]
- connect: Removes support for Envoy 1.20 [GH-15093]
- peering: Rename
PeerName
toPeer
on prepared queries and exported services. [GH-14854] - xds: Convert service mesh failover to use Envoy's aggregate clusters. This
changes the names of some Envoy dynamic HTTP metrics. [GH-14178]
SECURITY:
- Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints CVE-2022-3920 [GH-15356]
FEATURES:
- DNS-proxy support via gRPC request. [GH-14811]
- cli: Add -node-name flag to redirect-traffic command to support running in environments without client agents. [GH-14933]
- cli: Add
-consul-dns-port
flag to theconsul connect redirect-traffic
command to allow forwarding DNS traffic to a specific Consul DNS port. [GH-15050] - connect: Add Envoy connection balancing configuration fields. [GH-14616]
- grpc: Added metrics for external gRPC server. Added
server_type=internal|external
label to gRPC metrics. [GH-14922] - http: Add new
get-or-empty
operation to the txn api. Refer to the API docs for more information. [GH-14474] - peering: Add mesh gateway local mode support for cluster peering. [GH-14817]
- peering: Add support for stale queries for trust bundle lookups [GH-14724]
- peering: Add support to failover to services running on cluster peers. [GH-14396]
- peering: Add support to redirect to services running on cluster peers with service resolvers. [GH-14445]
- peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down. [GH-14797]
- peering: add support for routine peering control-plane traffic through mesh gateways [GH-14981]
- sdk: Configure
iptables
to forward DNS traffic to a specific DNS port. [GH-15050] - telemetry: emit memberlist size metrics and broadcast queue depth metric. [GH-14873]
- ui: Added support for central config merging [GH-14604]
- ui: Create peerings detail page [GH-14947]
- ui: Detect a TokenSecretID cookie and passthrough to localStorage [GH-14495]
- ui: Display notice banner on nodes index page if synthetic nodes are being filtered. [GH-14971]
- ui: Filter agentless (synthetic) nodes from the nodes list page. [GH-14970]
- ui: Filter out node health checks on agentless service instances [GH-14986]
- ui: Remove node meta on service instances when using agentless and consolidate external-source labels on service instances page if they all match. [GH-14921]
- ui: Removed reference to node name on service instance page when using agentless [GH-14903]
- ui: Use withCredentials for all HTTP API requests [GH-14343]
- xds: servers will limit the number of concurrent xDS streams they can handle to balance the load across all servers [GH-14397]
IMPROVEMENTS:
- peering: Add peering datacenter and partition to initial handshake. [GH-14889]
- xds: Added a rate limiter to the delivery of proxy config updates, to prevent updates to "global" resources such as wildcard intentions from overwhelming servers (see:
xds.update_max_per_second
config field) [GH-14960] - xds: Removed a bottleneck in Envoy config generation, enabling a higher number of dataplanes per server [GH-14934]
- agent/hcp: add initial HashiCorp Cloud Platform integration [GH-14723]
- agent: Added configuration option cloud.scada_address. [GH-14936]
- api: Add filtering support to Catalog's List Services (v1/catalog/services) [GH-11742]
- api: Increase max number of operations inside a transaction for requests to /v1/txn (128) [GH-14599]
- auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. [GH-15370]
- config-entry: Validate that service-resolver
Failover
s andRedirect
s only
specifyPartition
andNamespace
on Consul Enterprise. This prevents scenarios
where OSS Consul would save service-resolvers that require Consul Enterprise. [GH-14162] - connect: Add Envoy 1.24.0 to support matrix [GH-15093]
- connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 [GH-14831]
- connect: service-router destinations have gained a
RetryOn
field for specifying the conditions when Envoy should retry requests beyond specific status codes and generic connection failure which already exists. [GH-12890] - dns/peering: (Enterprise Only) Support addresses in the formats
<servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul
and<servicename>.virtual.<partition>.ap.<peername>.peer.consul
. This longer form address that allows specifying.peer
would need to be used for tproxy DNS requests made within non-default partitions for imported services. - dns: (Enterprise Only) All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format:
[<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>
. [GH-14679] - integ test: fix flakiness due to test condition from retry app endoint [GH-15233]
- metrics: Service RPC calls less than 1ms are now emitted as a decimal number. [GH-12905]
- peering: adds an internally managed server certificate for automatic TLS between servers in peer clusters. [GH-14556]
- peering: require TLS for peering connections using server cert signed by Connect CA [GH-14796]
- peering: return information about the health of the peering when the leader is queried to read a peering. [GH-14747]
- raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter [GH-14897]
- raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 [GH-14897]
- raft: Fix a race condition where the snapshot file is closed without being opened [GH-14897]
- telemetry: Added a
consul.xds.server.streamStart
metric to measure time taken to first generate xDS resources for an xDS stream. [GH-14957] - ui: Improve guidance around topology visualisation [GH-14527]
- xds: Set
max_ejection_percent
on Envoy's outlier detection to 100% for peered services. [GH-14373]
BUG FIXES:
- checks: Do not set interval as timeout value [GH-14619]
- checks: If set, use proxy address for automatically added sidecar check instead of service address. [GH-14433]
- cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set together [GH-13493]
- connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries. [GH-15186]
- connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. [GH-15083]
- connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. [GH-15320]
- debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters [GH-15155]
- deps: update go-memdb, fixing goroutine leak [GH-15010] [GH-15068]
- grpc: Merge proxy-defaults and service-defaults in GetEnvoyBootstrapParams response. [GH-14869]
- metrics: Add duplicate metrics that have only a single "consul_" prefix for all existing metrics with double ("consul_consul_") prefix, with the intent to standardize on single prefixes. [GH-14475]
- namespace: (Enterprise Only) Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter
- peering: Fix a bug that resulted in /v1/agent/metrics returning an error. [GH-15178]
- peering: fix nil pointer in calling handleUpdateService [GH-15160]
- peering: fix the error of wan address isn't taken by the peering token. [GH-15065]
- peering: when wan address is set, peering stream should use the wan address. [GH-15108]
- proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters. [GH-15272]
- server: fix goroutine/memory leaks in the xDS subsystem (these were present regardless of whether or not xDS was in-use) [GH-14916]
- server: fixes the error trying to source proxy configuration for http checks, in case of proxies using consul-dataplane. [GH-14924]
- xds: Central service configuration (proxy-defaults and service-defaults) is now correctly applied to Consul Dataplane proxies [GH-14962]
NOTES:
- deps: Upgrade to use Go 1.19.2 [GH-15090]