Consul k8s - v1.1.0

Security

1.1.0 (February 27, 2023)

BREAKING CHANGES:
* Helm:
  * Change defaults to exclude the `openebs` namespace from sidecar injection. If you previously had pods in that namespace that you wanted to be injected, you must now set `namespaceSelector` as follows:

```yaml
connectInject:
  namespaceSelector: |
    matchExpressions:
    - key: "kubernetes.io/metadata.name"
      operator: "NotIn"
      values: ["kube-system","local-path-storage"]
```
[[GH-1869](https://github.com/hashicorp/consul-k8s/pull/1869)]

IMPROVEMENTS:
* Helm:
  * CNI: Add `connectInject.cni.namespace` stanza, which allows the CNI plugin resources to be deployed in a namespace other than the namespace in which Consul is installed. [GH-1756]
  * Kubernetes v1.26 is now supported. Minimum tested version of Kubernetes is now v1.23. [GH-1852]
  * Add a `global.extraLabels` stanza to allow setting global Kubernetes labels for all components deployed by the consul-k8s Helm chart. [GH-1778]
  * Add the `accessLogs` field to the ProxyDefaults CRD. [GH-1816]
  * Add the `envoyExtensions` field to the ProxyDefaults and ServiceDefaults CRD. [GH-1823]
  * Add the `balanceInboundConnections` field to the ServiceDefaults CRD. [GH-1823]
  * Add the `upstreamConfig.overrides[].peer` field to the ServiceDefaults CRD. [GH-1853]
* Control Plane:
  * Update minimum Go version for project to 1.20. [GH-1908]
  * Add support for the annotation `consul.hashicorp.com/use-proxy-health-check`. When this annotation is used by a service, it configures a readiness endpoint on Consul Dataplane and queries it instead of the proxy's inbound port, which forwards requests to the application. [GH-1824], [GH-1841]
  * Add health check for synced services based on the status of the Kubernetes readiness probe on the synced pod. [GH-1821]
  * Remove extraneous gnupg dependency from consul-k8s-control-plane since it is no longer needed for validating binary artifacts prior to release. [GH-1882]
  * Server ACL Init always appends both the secrets from the serviceAccount's secretRefs and the one created by the Helm chart, to support OpenShift secret handling. [GH-1770]
  * Update alpine to 3.17 in the Docker image. [GH-1934]
* CLI:
  * Update minimum Go version for project to 1.20. [GH-1908]
  * Add `consul-k8s proxy log <podname>` command for displaying and modifying Envoy log levels for a given Pod. [GH-1844], [GH-1849], [GH-1864]

BUG FIXES:
* Control Plane:
  * Don't incorrectly diff intention config entries when upgrading from Consul pre-1.12 to 1.12+. [GH-1804]
  * Add discover binary to control-plane image. [GH-1749]
* Helm:
  * Don't pass in a CA file to the API Gateway controller when `externalServers.useSystemRoots` is `true`. [GH-1743]
  * Use the correct autogenerated cert for the API Gateway Controller when connecting to servers versus clients. [GH-1753]
* Security:
  * Upgrade to use Go 1.20.1. This resolves vulnerabilities CVE-2022-41724 in `crypto/tls` and CVE-2022-41723 in `net/http`. [GH-1908]


Details

* date: Feb. 27, 2023, 3:51 p.m.
* name: v1.1.0
* type: Minor