v1.7.5

1.7.5 (July 30, 2020)

BUG FIXES:

• agent: Fixed an issue with lock contention during RPCs when under load while using the Prometheus metrics sink. [GH-8372]
• gossip: Avoid issue where two unique leave events for the same node could lead to infinite rebroadcast storms [GH-8353]
• snapshot: (Consul Enterprise only) Fixed a regression when using Azure blob storage.
• Return a service splitter's weight or a zero [GH-8355]

v1.6.7

1.6.7 (July 30, 2020)

BUG FIXES:

• agent: Fixed an issue with lock contention during RPCs when under load while using the Prometheus metrics sink. [GH-8372]
• gossip: Avoid issue where two unique leave events for the same node could lead to infinite rebroadcast storms [GH-8345]

v1.8.0

1.8.0 (June 18, 2020)

BREAKING CHANGES:

• acl: Remove deprecated acl_enforce_version_8 option [GH-7991]

FEATURES:

• Terminating Gateway: Envoy can now be run as a gateway to enable services in a Consul service mesh to connect to external services through their local proxy. Terminating gateways unlock several of the benefits of a service mesh in the cases where a sidecar proxy cannot be deployed alongside services such as legacy applications or managed cloud databases.

• Ingress Gateway: Envoy can now be run as a gateway to ingress traffic into the Consul service mesh, enabling a more incremental transition for applications.

• WAN Federation over Mesh Gateways: Allows Consul datacenters to federate by forwarding WAN gossip and RPC traffic through Mesh Gateways rather than requiring the servers to be exposed to the WAN directly.

• JSON Web Token (JWT) Auth Method: Allows exchanging a signed JWT from a trusted external identity provider for a Consul ACL token.

• Single Sign-On (SSO) [Enterprise]: Lets an operator configure Consul to use an external OpenID Connect (OIDC) provider to automatically handle the lifecycle of creating, distributing and managing ACL tokens for performing CLI operations or accessing the UI.

• Audit Logging [Enterprise]: Adds instrumentation to record a trail of events (both attempted and authorized) by users of Consul’s HTTP API for purposes of regulatory compliance.

• acl: add DisplayName field to auth methods [GH-7769]

• acl: add MaxTokenTTL field to auth methods [GH-7779]

• agent/xds: add support for configuring passive health checks [GH-7713]

• cli: Add -config flag to "acl authmethod update/create" [GH-7776]

• ui: Help menu to provide further documentation/learn links [GH-7310]

• ui: (Consul Enterprise only) SSO support [GH-7742] [GH-7771] [GH-7790]

• ui: Support for termininating and ingress gateways [GH-7858] [GH-7865]

IMPROVEMENTS:

• acl: change authmethod.Validator to take a logger [GH-7758]
• agent: show warning when enable_script_checks is enabled without safety net [GH-7437]
• api: Added filtering support to the v1/connect/intentions endpoint. [GH-7478]
• auto_encrypt: add validations for auto_encrypt.{tls,allow_tls} [GH-7704]
• build: switched to compile with Go 1.14.1 [GH-7481]
• config: validate system limits against limits.http_max_conns_per_client [GH-7434]
• connect: support envoy 1.12.3, 1.13.1, and 1.14.1. Envoy 1.10 is no longer officially supported. [GH-7380],[GH-7624]
• connect: add DNSSAN and IPSAN to cache key for ConnectCALeafRequest [GH-7597]
• connect: Added a new expose CLI command for ingress gateways [GH-8099]
• license: (Consul Enterprise only) Update licensing to align with the current modules licensing structure.
• logging: catch problems with the log destination earlier by creating the file immediately [GH-7469]
• proxycfg: support path exposed with non-HTTP2 protocol [GH-7510]
• tls: remove old ciphers [GH-7282]
• ui: Show the last 8 characters of AccessorIDs in listing views [GH-7327]
• ui: Make all tabs within the UI linkable/bookmarkable and include in history [GH-7592]
• ui: Redesign of all service pages [GH-7605] [GH-7632] [GH-7655] [GH-7683]
• ui: Show intentions per individual service [GH-7615]
• ui: Improved login/logout flow [GH-7790]
• ui: Revert search to search as you type, add sort control for the service listing page [GH-7489]
• ui: Omit proxy services from the service listing view and mark services as being proxied [GH-7820]
• ui: Display proxies in a proxy info tab with the service instance detail page [GH-7745]
• ui: Add live updates/blocking queries to gateway listings [GH-7967]
• ui: Improved 'empty states' [GH-7940]
• ui: Add ability to sort services based on health [GH-7989]
• ui: Add explanatory tooltip panels for gateway services [GH-8048]
• ui: Reduce discovery-chain log errors [GH-8065]

BUGFIXES:

• agent: (Consul Enterprise only) Fixed several bugs related to Network Area and Network Segment compatibility with other features caused by incorrectly doing version or serf tag checking. [GH-7491]
• agent: rewrite checks with proxy address, not local service address [GH-7518]
• agent: Preserve ModifyIndex for unchanged entry in KV transaciton [GH-7832]
• agent: use default resolver scheme for gRPC dialing [GH-7617]
• cache: Fix go routine leak in the agent cache. [GH-8092]
• cli: enable TLS when CONSUL_HTTP_ADDR has an https scheme [GH-7608]
• connect: Internal refactoring to allow Connect proxy config to contain lists of structured configuration [GH-7963][GH-7964]
• license: (Consul Enterprise only) Fixed a bug that would cause a license reset request to only be applied on the leader server.
• sdk: Fix race condition in freeport [GH-7567]
• server: strip local ACL tokens from RPCs during forwarding if crossing datacenters [GH-7419]
• ui: Quote service names when filtering intentions to prevent 500 errors when accessing a service [GH-7896] [GH-7888]
• ui: Miscellaneous amends for Safari and Firefox [GH-7904] [GH-7907]
• ui: Ensure a value is always passed to CONSUL_SSO_ENABLED [GH-7913]

v1.8.0-rc1

1.8.0-rc1 (June 15, 2020)

BREAKING CHANGES:

• acl: Remove deprecated acl_enforce_version_8 option [GH-7991]

IMPROVEMENTS:

• ui: Add live updates/blocking queries to gateway listings [GH-7967]
• ui: Improved 'empty states' [GH-7940]
• ui: Add ability to sort services based on health [GH-7989]
• ui: Add explanatory tooltip panels for gateway services [GH-8048]
• ui: Reduce discovery-chain log errors [GH-8065]
• connect: Enable mesh and terminating gateways to resolve hostnames to IPv4 addresses using system resolver [GH-7999]
• connect: Always require Host headers when serving L7 traffic through ingress gateways [GH-7990]
• connect: Allow users to specify wildcard host for ingress when TLS is disabled [GH-8083]
• connect: New end point to return healthy ingress gateway instances [GH-8081]
• connect: Added a new expose CLI command for ingress gateways [GH-8099]

BUG FIXES:

• cache: Fix go routine leak in the agent cache. [GH-8092]
• connect: Internal refactoring to allow Connect proxy config to contain lists of structured configuration [GH-7963][GH-7964]
• connect: Handle re-bootstrapping scenario for WAN federation over mesh gateways. [GH-7931]
• server: don't activate federation state replication or anti-entropy until all servers are running 1.8.0 [GH-8014]

v1.7.4

1.7.4 (June 10, 2020)

SECURITY:

• Adding an option http_config.use_cache to disable agent caching for http endpoints, because Consul’s DNS and HTTP API expose a caching feature susceptible to DoS. CVE-2020-13250 [GH-8023]
• Propagate and enforce changes to legacy ACL tokens rules in secondary data centers. CVE-2020-12797 [GH-8047]
• Only resolve local acl token in the datacenter it belongs to. CVE-2020-13170 [GH-8068]
• Requiring service:write permissions, a service-router entry without a destination no longer crashes Consul servers. CVE-2020-12758 [GH-7783]

BUG FIXES:

• acl: Fixed an issue where legacy management tokens could not be used in secondary datacenters. [GH-7908]
• agent: Fixed a race condition that could cause an agent to crash when first starting. [GH-7955]
• connect: setup intermediate_pki_path on secondary when using vault [GH-8001]

v1.6.6

1.6.6 (June 10, 2020)

SECURITY:

• Adding an option http_config.use_cache to disable agent caching for http endpoints, because Consul’s DNS and HTTP API expose a caching feature susceptible to DoS. CVE-2020-13250 [GH-8023]
• Propagate and enforce changes to legacy ACL tokens rules in secondary data centers. CVE-2020-12797 [GH-8047]
• Only resolve local acl token in the datacenter it belongs to. CVE-2020-13170 [GH-8068]

BUG FIXES:

• acl: Fixed an issue where legacy management tokens could not be used in secondary datacenters. [GH-7908]
• agent: Fixed a race condition that could cause an agent to crash when first starting. [GH-7955]

v1.8.0-beta2

1.8.0-beta2 (May 21, 2020)

IMPROVEMENTS:

• xds: Ingress gateways now respect the same binding options as mesh and terminating gateways [GH-7924]

BUGFIXES:

• xds: Fixed bug where deleting a gateway config entry did not correctly remove xDS configuration from the envoy proxy [GH-7898]
• ui: Quote service names when filtering intentions to prevent 500 errors when accessing a service [GH-7896] [GH-7888]
• ui: Miscellaneous amends for Safari and Firefox [GH-7904] [GH-7907]
• ui: Ensure a value is always passed to CONSUL_SSO_ENABLED [GH-7913]
• agent: Preserve ModifyIndex for unchanged entry in KV transaciton [GH-7832]
• agent: use default resolver scheme for gRPC dialing [GH-7617]

v1.8.0-beta1

1.8.0-beta1 (May 14, 2020)

FEATURES:

• Terminating Gateway: Envoy can now be run as a gateway to enable services in a Consul service mesh to connect to external services through their local proxy. Terminating gateways unlock several of the benefits of a service mesh in the cases where a sidecar proxy cannot be deployed alongside services such as legacy applications or managed cloud databases.

• Ingress Gateway: Envoy can now be run as a gateway to ingress traffic into the Consul service mesh, enabling a more incremental transition for applications.

• WAN Federation over Mesh Gateways: Allows Consul datacenters to federate by forwarding WAN gossip and RPC traffic through Mesh Gateways rather than requiring the servers to be exposed to the WAN directly.

• JSON Web Token (JWT) Auth Method: Allows exchanging a signed JWT from a trusted external identity provider for a Consul ACL token.

• Single Sign-On (SSO) [Enterprise]: Lets an operator configure Consul to use an external OpenID Connect (OIDC) provider to automatically handle the lifecycle of creating, distributing and managing ACL tokens for performing CLI operations or accessing the UI.

• Audit Logging [Enterprise]: Adds instrumentation to record a trail of events (both attempted and authorized) by users of Consul’s HTTP API for purposes of regulatory compliance.

• acl: add DisplayName field to auth methods [GH-7769]

• acl: add MaxTokenTTL field to auth methods [GH-7779]

• agent/xds: add support for configuring passive health checks [GH-7713]

• cli: Add -config flag to "acl authmethod update/create" [GH-7776]

• ui: Help menu to provide further documentation/learn links [GH-7310]

• ui: (Consul Enterprise only) SSO support [GH-7742] [GH-7771] [GH-7790]

• ui: Support for termininating and ingress gateways [GH-7858] [GH-7865]

IMPROVEMENTS:

• acl: change authmethod.Validator to take a logger [GH-7758]
• agent: show warning when enable_script_checks is enabled without safety net [GH-7437]
• api: Added filtering support to the v1/connect/intentions endpoint. [GH-7478]
• auto_encrypt: add validations for auto_encrypt.{tls,allow_tls} [GH-7704]
• build: switched to compile with Go 1.14.1 [GH-7481]
• config: validate system limits against limits.http_max_conns_per_client [GH-7434]
• connect: support envoy 1.12.3, 1.13.1, and 1.14.1. Envoy 1.10 is no longer officially supported. [GH-7380],[GH-7624]
• connect: add DNSSAN and IPSAN to cache key for ConnectCALeafRequest [GH-7597]
• license: (Consul Enterprise only) Update licensing to align with the current modules licensing structure.
• logging: catch problems with the log destination earlier by creating the file immediately [GH-7469]
• proxycfg: support path exposed with non-HTTP2 protocol [GH-7510]
• tls: remove old ciphers [GH-7282]
• ui: Show the last 8 characters of AccessorIDs in listing views [GH-7327]
• ui: Make all tabs within the UI linkable/bookmarkable and include in history [GH-7592]
• ui: Redesign of all service pages [GH-7605] [GH-7632] [GH-7655] [GH-7683]
• ui: Show intentions per individual service [GH-7615]
• ui: Improved login/logout flow [GH-7790]
• ui: Revert search to search as you type, add sort control for the service listing page [GH-7489]
• ui: Omit proxy services from the service listing view and mark services as being proxied [GH-7820]
• ui: Display proxies in a proxy info tab with the service instance detail page [GH-7745]

BUGFIXES:

• agent: (Consul Enterprise only) Fixed several bugs related to Network Area and Network Segment compatibility with other features caused by incorrectly doing version or serf tag checking. [GH-7491]
• agent: rewrite checks with proxy address, not local service address [GH-7518]
• cli: enable TLS when CONSUL_HTTP_ADDR has an https scheme [GH-7608]
• license: (Consul Enterprise only) Fixed a bug that would cause a license reset request to only be applied on the leader server.
• sdk: Fix race condition in freeport [GH-7567]
• server: strip local ACL tokens from RPCs during forwarding if crossing datacenters [GH-7419]