
Releases: hashicorp/consul-k8s

v1.1.0

27 Feb 15:51
84e20a1

1.1.0 (February 27, 2023)

BREAKING CHANGES:

  • Helm:
    • Change defaults to exclude the openebs namespace from sidecar injection. If you previously had pods in that namespace
      that you wanted to be injected, you must now set namespaceSelector as follows:

      connectInject:
        namespaceSelector: |
          matchExpressions:
          - key: "kubernetes.io/metadata.name"
            operator: "NotIn"
            values: ["kube-system","local-path-storage"]

      [GH-1869]

IMPROVEMENTS:

  • Helm:
    • CNI: Add connectInject.cni.namespace stanza which allows the CNI plugin resources to be deployed in a namespace other than the namespace in which Consul is installed. [GH-1756]
    • Kubernetes v1.26 is now supported. Minimum tested version of Kubernetes is now v1.23. [GH-1852]
    • Add a global.extraLabels stanza to allow setting global Kubernetes labels for all components deployed by the consul-k8s Helm chart. [GH-1778]
    • Add the accessLogs field to the ProxyDefaults CRD. [GH-1816]
    • Add the envoyExtensions field to the ProxyDefaults and ServiceDefaults CRD. [GH-1823]
    • Add the balanceInboundConnections field to the ServiceDefaults CRD. [GH-1823]
    • Add the upstreamConfig.overrides[].peer field to the ServiceDefaults CRD. [GH-1853]
  • Control-Plane
    • Update minimum go version for project to 1.20 [GH-1908]
    • Add support for the annotation consul.hashicorp.com/use-proxy-health-check. When this annotation is used by a service, it configures a readiness endpoint on Consul Dataplane and queries it instead of the proxy's inbound port which forwards requests to the application. [GH-1824], [GH-1841]
    • Add health check for synced services based on the status of the Kubernetes readiness probe on synced pod. [GH-1821]
    • Remove extraneous gnupg dependency from consul-k8s-control-plane since it is no longer needed for validating binary artifacts prior to release. [GH-1882]
    • Server ACL Init always appends both the secrets from the serviceAccount's secretRefs and the one created by the Helm chart, to support Openshift secret handling. [GH-1770]
    • Update alpine to 3.17 in the Docker image. [GH-1934]
  • CLI:
    • Update minimum go version for project to 1.20 [GH-1908]
    • Add consul-k8s proxy log podname command for displaying and modifying Envoy log levels for a given Pod. [GH-1844], [GH-1849], [GH-1864]

BUG FIXES:

  • Control Plane
    • Don't incorrectly diff intention config entries when upgrading from Consul pre-1.12 to 1.12+ [GH-1804]
    • Add discover binary to control-plane image [GH-1749]
  • Helm:
    • Don't pass in a CA file to the API Gateway controller when externalServers.useSystemRoots is true. [GH-1743]
    • Use the correct autogenerated cert for the API Gateway Controller when connecting to servers versus clients. [GH-1753]
  • Security:

v1.0.4

07 Feb 19:32
14ba9d7

1.0.4 (February 7, 2023)

BREAKING CHANGES:

  • Helm:
    • Change defaults to exclude the openebs namespace from sidecar injection. If you previously had pods in that namespace
      that you wanted to be injected, you must now set namespaceSelector as follows:

      connectInject:
        namespaceSelector: |
          matchExpressions:
          - key: "kubernetes.io/metadata.name"
            operator: "NotIn"
            values: ["kube-system","local-path-storage"]

      [GH-1869]

IMPROVEMENTS:

  • Control Plane
    • Remove extraneous gnupg dependency from consul-k8s-control-plane since it is no longer needed for validating binary artifacts prior to release. [GH-1882]

v0.49.4

07 Feb 18:12
032fbaf

0.49.4 (February 7, 2023)

BREAKING CHANGES:

  • Helm:
    • Change defaults to exclude the openebs namespace from sidecar injection. If you previously had pods in that namespace
      that you wanted to be injected, you must now set namespaceSelector as follows:

      connectInject:
        namespaceSelector: |
          matchExpressions:
          - key: "kubernetes.io/metadata.name"
            operator: "NotIn"
            values: ["kube-system","local-path-storage"]

      [GH-1869]

IMPROVEMENTS:

  • Control Plane
    • Remove extraneous gnupg dependency from consul-k8s-control-plane since it is no longer needed for validating binary artifacts prior to release. [GH-1882]

v1.0.3

30 Jan 15:28
a84a4f6

1.0.3 (January 30, 2023)

IMPROVEMENTS:

  • Helm:
    • Kubernetes v1.26 is now supported. Minimum tested version of Kubernetes is now v1.23. [GH-1852]
    • Add a global.extraLabels stanza to allow setting global Kubernetes labels for all components deployed by the consul-k8s Helm chart. [GH-1778]
  • Control-Plane
    • Add support for the annotation consul.hashicorp.com/use-proxy-health-check. When this annotation is used by a service, it configures a readiness endpoint on Consul Dataplane and queries it instead of the proxy's inbound port which forwards requests to the application. [GH-1824], [GH-1841]
    • Add health check for synced services based on the status of the Kubernetes readiness probe on synced pod. [GH-1821]

BUG FIXES:

  • Control Plane
    • Don't incorrectly diff intention config entries when upgrading from Consul pre-1.12 to 1.12+ [GH-1804]

v0.49.3

30 Jan 15:17
5bf1d1f

0.49.3 (January 30, 2023)

IMPROVEMENTS:

  • Helm:
    • Add a global.extraLabels stanza to allow setting global Kubernetes labels for all components deployed by the consul-k8s Helm chart. [GH-1778]
  • Control-Plane
    • Add support for the annotation consul.hashicorp.com/use-proxy-health-check. When this annotation is used by a service, it configures a readiness endpoint on Consul Dataplane and queries it instead of the proxy's inbound port which forwards requests to the application. [GH-1824], [GH-1843]
    • Add health check for synced services based on the status of the Kubernetes readiness probe on synced pod. [GH-1821]

BUG FIXES:

  • Control Plane
    • Don't incorrectly diff intention config entries when upgrading from Consul pre-1.12 to 1.12+ [GH-1804]

v1.0.2

01 Dec 19:58
e1efd26

1.0.2 (December 1, 2022)

IMPROVEMENTS:

  • Helm:
    • CNI: Add connectInject.cni.namespace stanza which allows the CNI plugin resources to be deployed in a namespace other than the namespace in which Consul is installed. [GH-1756]

BUG FIXES:

  • Helm:
    • Use the correct autogenerated cert for the API Gateway Controller when connecting to servers versus clients. [GH-1753]
    • Don't mount the CA cert when externalServers.useSystemRoots is true. [GH-1753]

v0.49.2

01 Dec 18:12
b2b16bf
Compare
Choose a tag to compare

0.49.2 (December 1, 2022)

IMPROVEMENTS:

  • Control Plane
    • Bump Dockerfile base image for RedHat UBI consul-k8s-control-plane image to ubi-minimal:9.1. [GH-1725]
  • Helm
    • Add fields localConnectTimeoutMs and localRequestTimeoutMs to the ServiceDefaults CRD. [GH-1647]

BUG FIXES:

  • Helm:
    • Disable PodSecurityPolicies templating for gossip-encryption-autogenerate and partition-init when global.enablePodSecurityPolicies is false. [GH-1693]

v1.0.1

22 Nov 00:27
e230ba8

1.0.1 (November 21, 2022)

BUG FIXES:

  • Control Plane
    • Add discover binary to control-plane image [GH-1749]
  • Helm:
    • Don't pass in a CA file to the API Gateway controller when externalServers.useSystemRoots is true. [GH-1743]

v1.0.0

17 Nov 21:24
2d46739

1.0.0 (November 17, 2022)

BREAKING CHANGES:

  • Admin Partitions (Consul Enterprise only): Remove the partition service. When configuring Admin Partitions, the expose-servers service should be used instead.
  • Consul Dataplane:
    • Consul client agents are no longer deployed by default, and Consul service mesh no longer uses Consul clients to operate. This change affects several main areas listed below. [GH-1552]
    • A new component consul-dataplane is now injected as a sidecar-proxy instead of plain Envoy. consul-dataplane manages the Envoy proxy process and proxies xDS requests from Envoy to Consul servers.
    • All services on the service mesh are now registered directly with the central catalog in Consul servers.
    • All service-mesh consul-k8s components are configured to talk directly to Consul servers.
    • Mesh, ingress, and terminating gateways are now registered centrally by the endpoints controller, similar to how service-mesh services are registered.
  • CLI:
    • Change default behavior of consul-k8s install to perform the installation when no answer is provided to the prompt. [GH-1673]
  • Helm:
    • Kubernetes-1.25 is now supported with the caveat that global.enablePodSecurityPolicies is not supported since PodSecurityPolicies have been removed in favor of PodSecurityStandards in Kubernetes-1.25. Full support for PodSecurityStandards will be added in a follow-on commit. [GH-1726]

    • Support simplified default deployment values to allow for easier quick starts and testing:

      • Set connectInject.replicas to 1 [GH-1702]
      • Set meshGateway.affinity to null and meshGateway.replicas to 1 [GH-1702]
      • Set ingressGateways.defaults.affinity to null and ingressGateways.defaults.replicas to 1 [GH-1702]
      • Set terminatingGateways.defaults.affinity to null and terminatingGateways.defaults.replicas to 1 [GH-1702]
      • Set server.replicas to 1. Formerly, this defaulted to 3. [GH-1551]
    • client.enabled now defaults to false. Setting it to true will deploy client agents, however, none of the consul-k8s components will use clients for their operation.

    • global.imageEnvoy is no longer used for sidecar proxies, as well as mesh, terminating, and ingress gateways.

    • externalServers.grpcPort default is now 8502 instead of 8503.

    • externalServers.hosts no longer supports cloud auto-join strings directly. Instead, include an exec= string in the externalServers.hosts list to invoke the discover CLI. For example, the following string invokes the discover CLI with a cloud auto-join string: exec=discover -q addrs provider=aws region=us-west-2 tag_key=consul-server tag_value=true. The discover CLI is included in the official hashicorp/consul-dataplane images by default.

    • meshGateway.service.enabled value is removed. Mesh gateways now will always have a Kubernetes service as this is required to register them as a service with Consul.

    • meshGateway.initCopyConsulContainer, ingressGateways.initCopyConsulContainer, terminatingGateways.initCopyConsulContainer values are removed.

    • connectInject.enabled now defaults to true. [GH-1551]

    • syncCatalog.consulNamespaces.mirroringK8S now defaults to true. [GH-1601]

    • connectInject.consulNamespaces.mirroringK8S now defaults to true. [GH-1601]

    • Remove controller section from the values file as the controller has now been merged into the connect-inject deployment. [GH-1697]

    • Remove global.consulSidecarContainer from values file as there is no longer a consul sidecar. [GH-1635]

    • Consul snapshot-agent now runs as a sidecar with Consul servers. [GH-1620]

      This results in the following changes to Helm values:

      • Move client.snapshotAgent values to server.snapshotAgent, with the exception of the following values:
        • client.snapshotAgent.replicas
        • client.snapshotAgent.serviceAccount
      • Remove global.secretsBackend.vault.consulSnapshotAgentRole value. You should now use the global.secretsBackend.vault.consulServerRole for access to any Vault secrets.
    • Change dns.enabled and dns.enableRedirection to default to the value of connectInject.transparentProxy.defaultEnabled.
      Previously, dns.enabled defaulted to the value of global.enabled and dns.enableRedirection defaulted to
      false. [GH-1688]

    • Remove global.imageEnvoy and replace with global.imageConsulDataplane for running the sidecar proxy.

    • Add apiGateway.imageEnvoy for configuring the version of Envoy that the API Gateway uses. [GH-1698]

  • Peering:
    • Rename PeerName to Peer in ExportedServices CRD. [GH-1596]
    • Remove support for customizing the server addresses in peering token generation. Instead, mesh gateways should be used
      to establish peering connections if the server pods are not directly reachable. [GH-1610]
    • Require global.tls.enabled when peering is enabled. [GH-1610]
    • Require meshGateway.enabled when peering is enabled. [GH-1683]
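
A pre-upgrade check for the 1.0.0 Helm breaking changes listed above, as an added example (not part of the release notes or the consul-k8s project). It takes a values mapping already parsed from values.yaml; global.peering.enabled is assumed to be the key that enables peering, and the sample values are constructed.

```python
# Added example: lint user-supplied Helm values against the 1.0.0 breaking changes.
# Only keys present in the user's own values are inspected (chart defaults are not merged).
REMOVED = {
    "global.imageEnvoy": "replaced by global.imageConsulDataplane",
    "global.consulSidecarContainer": "there is no longer a consul sidecar",
    "controller": "merged into the connect-inject deployment",
    "meshGateway.service.enabled": "mesh gateways always have a Kubernetes service",
    "meshGateway.initCopyConsulContainer": "value removed",
    "ingressGateways.initCopyConsulContainer": "value removed",
    "terminatingGateways.initCopyConsulContainer": "value removed",
    "client.snapshotAgent": "moved to server.snapshotAgent",
    "global.secretsBackend.vault.consulSnapshotAgentRole":
        "use global.secretsBackend.vault.consulServerRole",
}
_MISSING = object()

def lookup(values, dotted):
    """Walk a dotted key path; return _MISSING if any segment is absent."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node

def lint_values(values):
    findings = [f"{key}: {why}" for key, why in REMOVED.items()
                if lookup(values, key) is not _MISSING]
    # Peering now requires TLS and mesh gateways (peering key name is an assumption).
    if lookup(values, "global.peering.enabled") is True:
        for required in ("global.tls.enabled", "meshGateway.enabled"):
            if lookup(values, required) is not True:
                findings.append(f"{required}: must be true when peering is enabled")
    # Cloud auto-join strings must now be wrapped in an exec= call to the discover CLI.
    hosts = lookup(values, "externalServers.hosts")
    for host in hosts if isinstance(hosts, list) else []:
        if "provider=" in str(host) and not str(host).startswith("exec="):
            findings.append(f"externalServers.hosts: '{host}' needs exec=discover -q addrs ...")
    return findings

# Constructed sample values, not taken from any real deployment.
SAMPLE = {
    "global": {"imageEnvoy": "example/envoy:tag", "peering": {"enabled": True},
               "tls": {"enabled": False}},
    "meshGateway": {"enabled": True, "service": {"enabled": True}},
    "client": {"snapshotAgent": {"enabled": True}},
    "externalServers": {"hosts": ["provider=aws region=us-west-2 tag_key=consul-server tag_value=true"]},
}
if __name__ == "__main__":
    print("\n".join(lint_values(SAMPLE)))
```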

FEATURES:

  • CLI:
    • Add the ability to install HCP self-managed clusters. [GH-1540]
    • Add the ability to install the HashiCups demo application via the -demo flag. [GH-1540]
  • Consul Dataplane:
    • Support merged metrics with consul-dataplane. [GH-1635]
    • Support transparent proxying when using consul-dataplane. [GH-1625,GH-1632]
    • Enable sync-catalog to only talk to Consul servers. [GH-1659]
  • Ingress Gateway
    • Add support for MaxConnections, MaxConcurrentRequests, and MaxPendingRequests to Ingress Gateway CRD. [GH-1691]
  • Peering:
    • Support peering over mesh gateways.
      • Add support for PeerThroughMeshGateways in Mesh CRD. [GH-1478]

IMPROVEMENTS:

  • CLI
    • consul-k8s status command will only show status of servers if they are expected to be present in the Kubernetes cluster. [GH-1603]
    • Update demo charts and CLI command to not presume tproxy when using HCP preset. Also, use the most recent version of hashicups. [GH-1657]
    • Update minimum go version for project to 1.19 [GH-1633]
    • Enable consul-k8s uninstall to delete custom resources when uninstalling Consul. This is done by default. [GH-1623]
  • Control Plane
    • Update minimum go version for project to 1.19 [GH-1633]
    • Remove unneeded agent:read ACL permissions from mesh gateway policy. [GH-1255]
    • Support updating health checks on consul clients during an upgrade to agentless. [GH-1690]
    • Remove unused curl from docker images [1624]
    • Bump Dockerfile base image for RedHat UBI consul-k8s-control-plane image to ubi-minimal:9.1. [GH-1725]
  • Helm:
    • Remove deprecated annotation service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" in the server-service template. [GH-1619]
    • Support minAvailable on connect injector PodDisruptionBudget. [GH-1557]
    • Add tolerations and nodeSelector to Server ACL init jobs and nodeSelector to Webhook cert manager. [GH-1581]
    • API Gateway: Add tolerations to apiGateway.managedGatewayClass and apiGateway.controller [GH-1650]
    • API Gateway: Create PodSecurityPolicy for controller when global.enablePodSecurityPolicies=true. [GH-1656]
    • API Gateway: Create PodSecurityPolicy and allow controller to bind it to ServiceAccounts that it creates for Gateway Deployments when global.enablePodSecurityPolicies=true. [GH-1672]
    • Deploy expose-servers service only when Admin Partitions(ENT) is enabled. [GH-1683]
    • ...

v0.49.1

15 Nov 22:57
7b6bbc2

0.49.1 (November 14, 2022)

BREAKING CHANGES:

  • Peering:
    • Rename PeerName to Peer in ExportedServices CRD. [GH-1596]

FEATURES:

  • Ingress Gateway
    • Add support for MaxConnections, MaxConcurrentRequests, and MaxPendingRequests to Ingress Gateway CRD. [GH-1691]

IMPROVEMENTS:

  • Helm:
    • Add tolerations and nodeSelector to Server ACL init jobs and nodeSelector to Webhook cert manager. [GH-1581]
    • API Gateway: Allow controller to read MeshServices for use as a route backend. [GH-1574]
    • API Gateway: Add tolerations to apiGateway.managedGatewayClass and apiGateway.controller [GH-1650]
    • API Gateway: Create PodSecurityPolicy for controller when global.enablePodSecurityPolicies=true. [GH-1656]
    • API Gateway: Create PodSecurityPolicy and allow controller to bind it to ServiceAccounts that it creates for Gateway Deployments when global.enablePodSecurityPolicies=true. [GH-1672]