Consul - v1.14.0

Security

1.14.0 (November 15, 2022)

BREAKING CHANGES:

  • config: Add new ports.grpc_tls configuration option.
    Introduce a new port to better separate TLS config from the existing ports.grpc config.
    The new ports.grpc_tls only supports TLS encrypted communication.
    The existing ports.grpc now only supports plain-text communication. [GH-15339]
  • config: update 1.14 config defaults: Enable peering and connect by default. [GH-15302]
  • config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 [GH-15302]
  • connect: Removes support for Envoy 1.20 [GH-15093]
  • peering: Rename PeerName to Peer on prepared queries and exported services. [GH-14854]
  • xds: Convert service mesh failover to use Envoy's aggregate clusters. This
    changes the names of some Envoy dynamic HTTP metrics. [GH-14178]

SECURITY:

  • Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints CVE-2022-3920 [GH-15356]

FEATURES:

  • DNS-proxy support via gRPC request. [GH-14811]
  • cli: Add -node-name flag to redirect-traffic command to support running in environments without client agents. [GH-14933]
  • cli: Add -consul-dns-port flag to the consul connect redirect-traffic command to allow forwarding DNS traffic to a specific Consul DNS port. [GH-15050]
  • connect: Add Envoy connection balancing configuration fields. [GH-14616]
  • grpc: Added metrics for external gRPC server. Added server_type=internal|external label to gRPC metrics. [GH-14922]
  • http: Add new get-or-empty operation to the txn api. Refer to the API docs for more information. [GH-14474]
  • peering: Add mesh gateway local mode support for cluster peering. [GH-14817]
  • peering: Add support for stale queries for trust bundle lookups [GH-14724]
  • peering: Add support to failover to services running on cluster peers. [GH-14396]
  • peering: Add support to redirect to services running on cluster peers with service resolvers. [GH-14445]
  • peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down. [GH-14797]
  • peering: add support for routine peering control-plane traffic through mesh gateways [GH-14981]
  • sdk: Configure iptables to forward DNS traffic to a specific DNS port. [GH-15050]
  • telemetry: emit memberlist size metrics and broadcast queue depth metric. [GH-14873]
  • ui: Added support for central config merging [GH-14604]
  • ui: Create peerings detail page [GH-14947]
  • ui: Detect a TokenSecretID cookie and passthrough to localStorage [GH-14495]
  • ui: Display notice banner on nodes index page if synthetic nodes are being filtered. [GH-14971]
  • ui: Filter agentless (synthetic) nodes from the nodes list page. [GH-14970]
  • ui: Filter out node health checks on agentless service instances [GH-14986]
  • ui: Remove node meta on service instances when using agentless and consolidate external-source labels on service instances page if they all match. [GH-14921]
  • ui: Removed reference to node name on service instance page when using agentless [GH-14903]
  • ui: Use withCredentials for all HTTP API requests [GH-14343]
  • xds: servers will limit the number of concurrent xDS streams they can handle to balance the load across all servers [GH-14397]

IMPROVEMENTS:

  • peering: Add peering datacenter and partition to initial handshake. [GH-14889]
  • xds: Added a rate limiter to the delivery of proxy config updates, to prevent updates to "global" resources such as wildcard intentions from overwhelming servers (see: xds.update_max_per_second config field) [GH-14960]
  • xds: Removed a bottleneck in Envoy config generation, enabling a higher number of dataplanes per server [GH-14934]
  • agent/hcp: add initial HashiCorp Cloud Platform integration [GH-14723]
  • agent: Added configuration option cloud.scada_address. [GH-14936]
  • api: Add filtering support to Catalog's List Services (v1/catalog/services) [GH-11742]
  • api: Increase max number of operations inside a transaction for requests to /v1/txn (128) [GH-14599]
  • auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. [GH-15370]
  • config-entry: Validate that service-resolver Failovers and Redirects only
    specify Partition and Namespace on Consul Enterprise. This prevents scenarios
    where OSS Consul would save service-resolvers that require Consul Enterprise. [GH-14162]
  • connect: Add Envoy 1.24.0 to support matrix [GH-15093]
  • connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 [GH-14831]
  • connect: service-router destinations have gained a RetryOn field for specifying the conditions when Envoy should retry requests beyond specific status codes and generic connection failure which already exists. [GH-12890]
  • dns/peering: (Enterprise Only) Support addresses in the formats <servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul and <servicename>.virtual.<partition>.ap.<peername>.peer.consul. This longer form address that allows specifying .peer would need to be used for tproxy DNS requests made within non-default partitions for imported services.
  • dns: (Enterprise Only) All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: [<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>. [GH-14679]
  • integ test: fix flakiness due to test condition from retry app endoint [GH-15233]
  • metrics: Service RPC calls less than 1ms are now emitted as a decimal number. [GH-12905]
  • peering: adds an internally managed server certificate for automatic TLS between servers in peer clusters. [GH-14556]
  • peering: require TLS for peering connections using server cert signed by Connect CA [GH-14796]
  • peering: return information about the health of the peering when the leader is queried to read a peering. [GH-14747]
  • raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter [GH-14897]
  • raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 [GH-14897]
  • raft: Fix a race condition where the snapshot file is closed without being opened [GH-14897]
  • telemetry: Added a consul.xds.server.streamStart metric to measure time taken to first generate xDS resources for an xDS stream. [GH-14957]
  • ui: Improve guidance around topology visualisation [GH-14527]
  • xds: Set max_ejection_percent on Envoy's outlier detection to 100% for peered services. [GH-14373]

BUG FIXES:

  • checks: Do not set interval as timeout value [GH-14619]
  • checks: If set, use proxy address for automatically added sidecar check instead of service address. [GH-14433]
  • cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set together [GH-13493]
  • connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries. [GH-15186]
  • connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. [GH-15083]
  • connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. [GH-15320]
  • debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters [GH-15155]
  • deps: update go-memdb, fixing goroutine leak [GH-15010] [GH-15068]
  • grpc: Merge proxy-defaults and service-defaults in GetEnvoyBootstrapParams response. [GH-14869]
  • metrics: Add duplicate metrics that have only a single "consul_" prefix for all existing metrics with double ("consul_consul_") prefix, with the intent to standardize on single prefixes. [GH-14475]
  • namespace: (Enterprise Only) Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter
  • peering: Fix a bug that resulted in /v1/agent/metrics returning an error. [GH-15178]
  • peering: fix nil pointer in calling handleUpdateService [GH-15160]
  • peering: fix the error of wan address isn't taken by the peering token. [GH-15065]
  • peering: when wan address is set, peering stream should use the wan address. [GH-15108]
  • proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters. [GH-15272]
  • server: fix goroutine/memory leaks in the xDS subsystem (these were present regardless of whether or not xDS was in-use) [GH-14916]
  • server: fixes the error trying to source proxy configuration for http checks, in case of proxies using consul-dataplane. [GH-14924]
  • xds: Central service configuration (proxy-defaults and service-defaults) is now correctly applied to Consul Dataplane proxies [GH-14962]

NOTES:

  • deps: Upgrade to use Go 1.19.2 [GH-15090]

Details

date
Nov. 15, 2022, 5:45 p.m.
name
v1.14.0
type
Minor
👇
Register or login to:
  • 🔍View and search all Consul releases.
  • 🛠️Create and share lists to track your tools.
  • 🚨Setup notifications for major, security, feature or patch updates.
  • 🚀Much more coming soon!
Continue with GitHub
Continue with Google
or