Consul k8s - v1.2.1

1.2.1 (Aug 10, 2023)

BREAKING CHANGES:

• control-plane: All policies managed by consul-k8s will now be updated on upgrade. If you previously edited the policies after install, your changes will be overwritten. [GH-2392]

SECURITY:

• Upgrade to use Go 1.20.6 and x/net/http 0.12.0.
  This resolves CVE-2023-29406(net/http). [GH-2642]
• Upgrade to use Go 1.20.7 and x/net 0.13.0.
  This resolves CVE-2023-29409(crypto/tls)
  and CVE-2023-3978(net/html). [GH-2710]

FEATURES:

• Add support for configuring graceful shutdown proxy lifecycle management settings. [GH-2233]
• api-gateway: adds ability to map privileged ports on Gateway listeners to unprivileged ports so that containers do not require additional privileges [GH-2707]
• api-gateway: support deploying to OpenShift 4.11 [GH-2184]
• helm: Adds acls.resources field which can be configured to override the resource settings for the server-acl-init and server-acl-init-cleanup Jobs. [GH-2416]
• sync-catalog: add ability to support weighted loadbalancing by service annotation consul.hashicorp.com/service-weight: <number> [GH-2293]

IMPROVEMENTS:

• (Consul Enterprise) Add support to provide inputs via helm for audit log related configuration [GH-2370]
• (api-gateway) make API gateway controller less verbose [GH-2524]
• Add support to provide the logLevel flag via helm for multiple low level components. Introduces the following fields
• global.acls.logLevel
• global.tls.logLevel
• global.federation.logLevel
• global.gossipEncryption.logLevel
• server.logLevel
• client.logLevel
• meshGateway.logLevel
• ingressGateways.logLevel
• terminatingGateways.logLevel
• telemetryCollector.logLevel [GH-2302]
• control-plane: increase timeout after login for ACL replication to 60 seconds [GH-2656]
• helm: adds values for securityContext and annotations on TLS and ACL init/cleanup jobs. [GH-2525]
• helm: set container securityContexts to match the restricted Pod Security Standards policy to support running Consul in a namespace with restricted PSA enforcement enabled [GH-2572]
• helm: update imageConsulDataplane value to hashicorp/consul-dataplane:1.2.0 [GH-2476]
• helm: update image value to hashicorp/consul:1.16.0 [GH-2476]

BUG FIXES:

• api-gateway: Fix creation of invalid Kubernetes Service when multiple Gateway listeners have the same port. [GH-2413]
• api-gateway: fix helm install when setting copyAnnotations or nodeSelector [GH-2597]
• api-gateway: fixes bug where envoy will silently reject RSA keys less than 2048 bits in length when not in FIPS mode, and
  will reject keys that are not 2048, 3072, or 4096 bits in length in FIPS mode. We now validate
  and reject invalid certs earlier. [GH-2478]
• api-gateway: set route condition appropriately when parent ref includes non-existent section name [GH-2420]
• control-plane: Always update ACL policies upon upgrade. [GH-2392]
• control-plane: fix bug in endpoints controller when deregistering services from consul when a node is deleted. [GH-2571]
• helm: fix CONSUL_LOGIN_DATACENTER for consul client-daemonset. [GH-2652]
• helm: fix ui ingress manifest formatting, and exclude ingressClass when not defined. [GH-2687]
• transparent-proxy: Fix issue where connect-inject lacked sufficient mesh:write privileges in some deployments,
  which prevented virtual IPs from persisting properly. [GH-2520]