Consul k8s - v1.0.0

1.0.0 (November 17, 2022)

BREAKING CHANGES:

* Admin Partitions (Consul Enterprise only): Remove the partition service. When configuring Admin Partitions, the expose-servers service should be used instead.
* Consul Dataplane:
  * Consul client agents are no longer deployed by default, and Consul service mesh no longer uses Consul clients to operate. This change affects several main areas listed below. [GH-1552]
    * A new component, consul-dataplane, is now injected as the sidecar proxy instead of plain Envoy. consul-dataplane manages the Envoy proxy process and proxies xDS requests from Envoy to Consul servers.
    * All services on the service mesh are now registered directly with the central catalog in Consul servers.
    * All service-mesh consul-k8s components are configured to talk directly to Consul servers.
    * Mesh, ingress, and terminating gateways are now registered centrally by the endpoints controller, similar to how service-mesh services are registered.
* CLI:
  * Change the default behavior of consul-k8s install to perform the installation when no answer is provided to the prompt. [GH-1673]
* Helm:
  * Kubernetes 1.25 is now supported, with the caveat that global.enablePodSecurityPolicies is not supported because PodSecurityPolicies have been removed in favor of Pod Security Standards in Kubernetes 1.25. Full support for Pod Security Standards will be added in a follow-on commit. [GH-1726]
  * Support simplified default deployment values to allow for easier quick starts and testing:
    * Set connectInject.replicas to 1. [GH-1702]
    * Set meshGateway.affinity to null and meshGateway.replicas to 1. [GH-1702]
    * Set ingressGateways.defaults.affinity to null and ingressGateways.defaults.replicas to 1. [GH-1702]
    * Set terminatingGateways.defaults.affinity to null and terminatingGateways.defaults.replicas to 1. [GH-1702]
    * Set server.replicas to 1. Formerly, this defaulted to 3. [GH-1551]
  * client.enabled now defaults to false. Setting it to true will deploy client agents; however, none of the consul-k8s components will use clients for their operation.
  * global.imageEnvoy is no longer used for sidecar proxies, or for mesh, terminating, and ingress gateways.
  * The externalServers.grpcPort default is now 8502 instead of 8503.
  * The meshGateway.service.enabled value is removed. Mesh gateways will now always have a Kubernetes Service, as this is required to register them as a service with Consul.
  * The meshGateway.initCopyConsulContainer, ingressGateways.initCopyConsulContainer, and terminatingGateways.initCopyConsulContainer values are removed.
  * connectInject.enabled now defaults to true. [GH-1551]
  * syncCatalog.consulNamespaces.mirroringK8S now defaults to true. [GH-1601]
  * connectInject.consulNamespaces.mirroringK8S now defaults to true. [GH-1601]
  * Remove the controller section from the values file, as the controller has now been merged into the connect-inject deployment. [GH-1697]
  * Remove global.consulSidecarContainer from the values file, as there is no longer a consul sidecar. [GH-1635]
  * The Consul snapshot agent now runs as a sidecar with Consul servers. [GH-1620] This results in the following changes to Helm values:
    * Move `client.snapshotAgent` values to `server.snapshotAgent`, with the exception of the following values:
      * `client.snapshotAgent.replicas`
      * `client.snapshotAgent.serviceAccount`
    * Remove the `global.secretsBackend.vault.consulSnapshotAgentRole` value. You should now use `global.secretsBackend.vault.consulServerRole` for access to any Vault secrets.
  * Change dns.enabled and dns.enableRedirection to default to the value of connectInject.transparentProxy.defaultEnabled. Previously, dns.enabled defaulted to the value of global.enabled and dns.enableRedirection defaulted to false. [GH-1688]
  * Remove global.imageEnvoy and replace it with global.imageConsulDataplane for running the sidecar proxy.
  * Add apiGateway.imageEnvoy for configuring the version of Envoy that the API Gateway uses. [GH-1698]
* Peering:
  * Rename PeerName to Peer in the ExportedServices CRD. [GH-1596]
  * Remove support for customizing the server addresses in peering token generation. Instead, mesh gateways should be used to establish peering connections if the server pods are not directly reachable. [GH-1610]
  * Require global.tls.enabled when peering is enabled. [GH-1610]
  * Require meshGateway.enabled when peering is enabled. [GH-1683]
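
The following values file is an added example, not something shipped by the consul-k8s project, showing how the breaking changes above land in a deployment: clients off, consul-dataplane instead of global.imageEnvoy, the snapshot agent moved under server, TLS and a mesh gateway in place because peering is on, PodSecurityPolicies left off for Kubernetes 1.25, and the quick-start replica counts raised back to production values (a single Consul server has no quorum, so a chart default of server.replicas=1 is only for testing). The image tags, datacenter name, node metadata and the external server hostname are assumptions. The second document is a separate values file for a cluster that joins servers running outside Kubernetes, where the new externalServers.grpcPort default and externalServers.skipServerWatch apply.

```yaml
# values.yaml for consul-k8s 1.0.0 (added example; image tags, datacenter,
# node metadata and hostnames are assumptions)
global:
  name: consul
  datacenter: dc1
  image: "hashicorp/consul:1.14.0"                          # assumed tag
  imageConsulDataplane: "hashicorp/consul-dataplane:1.0.0"  # replaces global.imageEnvoy; assumed tag
  tls:
    enabled: true                   # required once global.peering.enabled is true
  acls:
    manageSystemACLs: true
  peering:
    enabled: true
  enablePodSecurityPolicies: false  # PodSecurityPolicies no longer exist on Kubernetes 1.25

server:
  replicas: 3            # chart default is now 1, which gives no Raft quorum; use 3 or 5 in production
  snapshotAgent:
    enabled: true        # moved here from client.snapshotAgent

client:
  enabled: false         # the new default; no consul-k8s component uses client agents any more

connectInject:
  enabled: true          # new default
  replicas: 2            # chart default is now 1
  transparentProxy:
    defaultEnabled: true # dns.enabled and dns.enableRedirection now follow this value
  consulNode:
    meta:
      environment: production   # assumed key/value appended to the NodeMeta

meshGateway:
  enabled: true          # required once global.peering.enabled is true
  replicas: 2            # chart default is now 1

---
# Separate values file for a cluster whose Consul servers run outside
# Kubernetes, e.g. behind a load balancer (hostname assumed).
server:
  enabled: false
externalServers:
  enabled: true
  hosts: ["consul.internal.example"]
  grpcPort: 8502         # default changed from 8503 in 1.0.0
  skipServerWatch: true  # servers are behind a load balancer, so do not consume the server update stream
```

Apply the first file with `helm install consul hashicorp/consul -f values.yaml`; the second replaces the `server` and `externalServers` sections when the cluster is only a client of existing servers.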

FEATURES:

* CLI:
  * Add the ability to install HCP self-managed clusters. [GH-1540]
  * Add the ability to install the HashiCups demo application via the -demo flag. [GH-1540]
* Consul Dataplane:
  * Support merged metrics with consul-dataplane. [GH-1635]
  * Support transparent proxying when using consul-dataplane. [GH-1625, GH-1632]
  * Enable sync-catalog to only talk to Consul servers. [GH-1659]
* Ingress Gateway:
  * Add support for MaxConnections, MaxConcurrentRequests, and MaxPendingRequests to the Ingress Gateway CRD. [GH-1691]
* Peering:
  * Support peering over mesh gateways.
  * Add support for PeerThroughMeshGateways in the Mesh CRD. [GH-1478]
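
The two manifests below are an added example, not resources from the consul-k8s repository, that put the peering changes together: the Mesh CRD's peerThroughMeshGateways setting so peering control-plane traffic goes through the mesh gateways rather than to server pods directly (the address customization removed above), and an ExportedServices entry using the renamed `peer` consumer field (formerly `peerName`). The service name `backend` and peer name `cluster-02` are assumptions; the ExportedServices resource must be named after the partition, which is `default` on Consul OSS.

```yaml
# Mesh config entry: send peering traffic through the mesh gateways
# (requires meshGateway.enabled and global.tls.enabled in the Helm values).
apiVersion: consul.hashicorp.com/v1alpha1
kind: Mesh
metadata:
  name: mesh
spec:
  peering:
    peerThroughMeshGateways: true
---
# Export "backend" to the cluster peered under the name "cluster-02"
# (both names assumed). Before 1.0.0 the consumer key was "peerName".
apiVersion: consul.hashicorp.com/v1alpha1
kind: ExportedServices
metadata:
  name: default
spec:
  services:
    - name: backend
      consumers:
        - peer: cluster-02
```

Exporting a service only makes it visible to the peer; intentions on the exporting side still decide whether the peer's services may actually connect, so keep ServiceIntentions in place alongside the export.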

IMPROVEMENTS:

* CLI:
  * The consul-k8s status command will only show the status of servers if they are expected to be present in the Kubernetes cluster. [GH-1603]
  * Update the demo charts and CLI command to not presume transparent proxy when using the HCP preset. Also, use the most recent version of HashiCups. [GH-1657]
  * Update the minimum Go version for the project to 1.19. [GH-1633]
  * Enable consul-k8s uninstall to delete custom resources when uninstalling Consul. This is done by default. [GH-1623]
* Control Plane:
  * Update the minimum Go version for the project to 1.19. [GH-1633]
  * Remove unneeded agent:read ACL permissions from the mesh gateway policy. [GH-1255]
  * Support updating health checks on Consul clients during an upgrade to agentless. [GH-1690]
  * Remove unused curl from Docker images. [GH-1624]
  * Bump the Dockerfile base image for the RedHat UBI consul-k8s-control-plane image to ubi-minimal:9.1. [GH-1725]
* Helm:
  * Remove deprecated annotation "true" in the server-service template. [GH-1619]
  * Support minAvailable on the connect injector PodDisruptionBudget. [GH-1557]
  * Add tolerations and nodeSelector to the server ACL init jobs, and nodeSelector to the webhook cert manager. [GH-1581]
  * API Gateway: Add tolerations to apiGateway.managedGatewayClass and apiGateway.controller. [GH-1650]
  * API Gateway: Create a PodSecurityPolicy for the controller when global.enablePodSecurityPolicies=true. [GH-1656]
  * API Gateway: Create a PodSecurityPolicy and allow the controller to bind it to the ServiceAccounts it creates for Gateway Deployments when global.enablePodSecurityPolicies=true. [GH-1672]
  * Deploy the expose-servers service only when Admin Partitions (Consul Enterprise) are enabled. [GH-1683]
  * Use a distroless image for consul-dataplane. [GH-1676]
  * The Envoy version is now 1.24.0 for consul-dataplane. [GH-1676]
  * Allow addition of extra labels to connect-inject pods. [GH-1678]
  * Add the fields localConnectTimeoutMs and localRequestTimeoutMs to the ServiceDefaults CRD. [GH-1647]
  * API Gateway: Enable API Gateways to connect directly to Consul servers when running in the agentless configuration. [GH-1694]
  * Add connectInject.consulNode.meta to allow users to provide custom metadata to append to the NodeMeta. [GH-1707]
  * Add externalServers.skipServerWatch, which prevents consul-dataplane from consuming the server update stream. This is useful for situations where Consul servers are behind a load balancer. [GH-1686]
  * API Gateway: Allow the controller to read MeshServices for use as a route backend. [GH-1574]
  * API Gateway: Add support for using dynamic server discovery strings when running without agents. [GH-1732]
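
As an added example (not from the consul-k8s repository) of the two new CRD fields in this release, the manifests below set the ingress gateway connection limits from the Ingress Gateway CRD feature and the local timeouts added to ServiceDefaults. The `defaults` block caps how many connections and requests the gateway will hold open or queue towards upstreams, which is the knob to reach for against connection-flood and slow-client exhaustion; the ServiceDefaults timeouts bound how long the sidecar waits on the local application. The gateway name `ingress-gateway` matches the Helm chart's default gateway name; the service name, hostname and numeric limits are assumptions to be sized per workload.

```yaml
# Ingress gateway with connection limits applied to every listener/service.
# Gateway name matches the chart default; hostname and limits are assumed.
apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
  name: ingress-gateway
spec:
  defaults:
    maxConnections: 1024        # open upstream connections, total
    maxPendingRequests: 256     # requests queued while waiting for a connection
    maxConcurrentRequests: 512  # in-flight requests (HTTP/2 streams)
  listeners:
    - port: 8080
      protocol: http
      services:
        - name: frontend
          hosts: ["frontend.example.com"]
---
# Bound the sidecar's connect and request time to the local "frontend" app
# (service name and values assumed).
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: frontend
spec:
  protocol: http
  localConnectTimeoutMs: 1000
  localRequestTimeoutMs: 5000
```

After `kubectl apply`, check `kubectl get ingressgateway ingress-gateway` and `kubectl get servicedefaults frontend` and confirm the SYNCED column reads True; a False status with a message in the resource's conditions means the servers rejected the config entry.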

BUG FIXES:

* CLI:
  * Allow optional environment variables for use in the cloud preset to the CLI for cluster bootstrapping. [GH-1608]
  * Configure -tls-server-name so that it matches the server certificate created via HCP. [GH-1591]
  * Do not query clients in the status command, since clients no longer exist. [GH-1573]
* Peering:
  * Add peering:read permissions to the mesh gateway token to fix peering connections through the mesh gateways. [GH-1685]
* Helm:
  * Disable PodSecurityPolicies in all templates when global.enablePodSecurityPolicies is false. [GH-1693]


