Releases: hashicorp/consul-k8s

v0.25.0

18 Mar 21:09

0.25.0 (March 18, 2021)

FEATURES:

  • Metrics: add metrics configuration to inject-connect and metrics-merging capability to consul-sidecar. When metrics and metrics merging are enabled, the consul-sidecar will expose an endpoint that merges the app and proxy metrics.

    The flags -merged-metrics-port, -service-metrics-port and -service-metrics-path can be used to configure the merged metrics server, and the application service metrics endpoint on the consul sidecar.

    The flags -default-enable-metrics, -default-enable-metrics-merging, -default-merged-metrics-port, -default-prometheus-scrape-port and -default-prometheus-scrape-path configure the inject-connect command.

IMPROVEMENTS:

  • CRDs: add a Last Synced Time field to the CRD status and a printer column on the CRD that displays the time since the
    resource was last successfully synced with Consul. [GH-448]

BUG FIXES:

  • CRDs: fix incorrect validation for ServiceResolver. [GH-456]

v0.24.0

16 Feb 22:24

0.24.0 (February 16, 2021)

BREAKING CHANGES

  • Connect: the lifecycle-sidecar command has been renamed to consul-sidecar. [GH-428]

  • Connect: the consul-connect-lifecycle-sidecar container name has been changed to consul-sidecar and the consul-connect-envoy-sidecar container name has been changed to envoy-sidecar.
    [GH-428]

  • Connect: the -default-protocol and -enable-central-config flags are no longer supported.
    The consul.hashicorp.com/connect-service-protocol annotation on Connect pods is also
    no longer supported. [GH-418]

    Current deployments that have the annotation should remove it, otherwise they
    will get an error if a pod from that deployment is rescheduled.

    Removing the annotation will not change their protocol
    since the config entry was already written to Consul. If you wish to change
    the protocol you must migrate the config entry to be managed by a
    ServiceDefaults resource.
    See Upgrade to CRDs for more
    information.

    To set the protocol for new services, you must use the
    ServiceDefaults resource,
    e.g.

    apiVersion: consul.hashicorp.com/v1alpha1
    kind: ServiceDefaults
    metadata:
      name: my-service-name
    spec:
      protocol: "http"

  • Connect: pods using an upstream that references a datacenter, e.g.
    consul.hashicorp.com/connect-service-upstreams: service:8080:dc2 will
    error during injection if Consul does not have a proxy-defaults config entry
    with a mesh gateway mode
    set to local or remote. [GH-421]

    In practice, this would have already been causing issues since without that
    config setting, traffic wouldn't have been routed through mesh gateways and
    so would not be actually making it to the other service.
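
A pre-upgrade audit for the two annotation-related breaking changes above, as an added example that is not part of the consul-k8s release notes or code base: it scans Deployment pod templates for the removed protocol annotation and for upstreams that name a datacenter. The sample deployments, function names and finding labels are assumptions made for illustration; the `prepared_query:` upstream form it skips is part of the annotation's syntax but is not described on this page.

```python
REMOVED = "consul.hashicorp.com/connect-service-protocol"
UPSTREAMS = "consul.hashicorp.com/connect-service-upstreams"


def _deploy(ns, name, annotations):
    """Build a constructed Deployment with only the fields the audit reads."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"metadata": {"annotations": annotations}}}}


# Constructed sample, shaped like `kubectl get deployments -A -o json`.
SAMPLE = {"items": [
    _deploy("shop", "web", {REMOVED: "http", UPSTREAMS: "api:8080"}),
    _deploy("shop", "api", {UPSTREAMS: "db:5432, cache:6379:dc2, prepared_query:nearest:8500"}),
    _deploy("shop", "db", None),  # no annotations at all
]}


def upstream_datacenters(value):
    """Return the datacenters named in an upstreams annotation value."""
    found = []
    for upstream in value.split(","):
        parts = [p.strip() for p in upstream.split(":")]
        # prepared_query:<name>:<port> has three parts but names no datacenter.
        if len(parts) == 3 and parts[0] != "prepared_query" and parts[2]:
            found.append(parts[2])
    return found


def audit(deployment_list):
    """Return (deployment, finding, detail) tuples for the 0.24.0 breaking changes."""
    findings = []
    for item in deployment_list.get("items", []):
        meta = item["metadata"]
        name = f"{meta.get('namespace', 'default')}/{meta['name']}"
        template = item.get("spec", {}).get("template", {}).get("metadata", {})
        annotations = template.get("annotations") or {}
        if REMOVED in annotations:
            # Pods from this deployment will error when rescheduled.
            findings.append((name, "removed-protocol-annotation", annotations[REMOVED]))
        for dc in upstream_datacenters(annotations.get(UPSTREAMS, "")):
            # Injection errors unless proxy-defaults sets mesh gateway mode local/remote.
            findings.append((name, "needs-mesh-gateway-mode", dc))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

To run it against a cluster, load the JSON from `kubectl get deployments -A -o json` and pass the parsed object to `audit` in place of `SAMPLE`.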

FEATURES:

  • CRDs: support annotation consul.hashicorp.com/migrate-entry on custom resources
    that will allow an existing config entry to be migrated onto a Kubernetes custom resource. [GH-419]
  • Connect: add new cleanup controller that runs in the connect-inject deployment. This
    controller cleans up Consul service instances that remain registered despite their
    pods being deleted. This could happen if the pod's preStop hook failed to execute
    for some reason. [GH-433]

IMPROVEMENTS:

  • CRDs: give a more descriptive error when a config entry already exists in Consul. [GH-420]
  • Set User-Agent: consul-k8s/<version> header on calls to Consul where <version> is the current
    version of consul-k8s. [GH-434]

v0.23.0

22 Jan 19:07

0.23.0 (January 22, 2021)

BUG FIXES:

  • CRDs: Fix issue where a ServiceIntentions resource could be continually resynced with Consul
    because Consul's internal representation had a different order for an array than the Kubernetes resource. [GH-416]
  • CRDs: (Consul Enterprise only) default the namespace fields on resources where Consul performs namespace defaulting to prevent constant re-syncing.
    [GH-413]

IMPROVEMENTS:

  • ACLs: give better error if policy that consul-k8s tries to update was created manually by user. [GH-412]

FEATURES:

  • TLS: add tls-init command that is responsible for creating and updating Server TLS certificates. [GH-410]

v0.22.0

21 Dec 19:14

0.22.0 (December 21, 2020)

BUG FIXES:

  • Connect: on termination of a connect injected pod the lifecycle-sidecar sometimes re-registered the application resulting in
    stale service entries for applications which no longer existed. [GH-409]

BREAKING CHANGES:

  • Connect: the flags -envoy-image and -consul-image for command inject-connect are now required. [GH-405]

FEATURES:

v0.21.0

25 Nov 22:24

0.21.0 (November 25, 2020)

IMPROVEMENTS:

  • Connect: Add -log-level flag to inject-connect command. [GH-400]
  • Connect: Ensure consul-connect-lifecycle-sidecar container shuts down gracefully upon receiving SIGTERM. [GH-389]
  • Connect: (Consul Enterprise only) give more descriptive error message if using Consul namespaces with a Consul installation that doesn't support namespaces. [GH-399]

v0.20.0

12 Nov 22:12

0.20.0 (November 12, 2020)

FEATURES:

  • Connect: Support Kubernetes health probe synchronization with Consul for connect injected pods. [GH-363]
    • Adds a new controller to the connect-inject webhook which is responsible for synchronizing Kubernetes pod health checks with Consul service instance health checks.
      A Consul health check is registered for each connect-injected pod which mirrors the pod's Readiness status to Consul. This modifies connect routing to only
      pods which have passing Kubernetes health checks. See breaking changes for more information.
    • Adds a new label to connect-injected pods which mirrors the consul.hashicorp.com/connect-inject-status annotation.
    • (Consul Enterprise only) Adds a new annotation to connect-injected pods when namespaces are enabled: consul.hashicorp.com/consul-namespace. [GH-376]

BREAKING CHANGES:

  • Connect: With the addition of the connect-inject health checks controller any connect services which have failing Kubernetes readiness
    probes will no longer be routable through connect until their Kubernetes health probes are passing.
    Previously, if any connect services were failing their Kubernetes readiness checks they were still routable through connect.
    Users should verify that their connect services are passing Kubernetes readiness probes prior to using health checks synchronization.

DEPRECATIONS:

  • -create-inject-token in the server-acl-init command has been un-deprecated.
    -create-inject-auth-method has been deprecated and replaced by -create-inject-token.

    -create-inject-namespace-token in the server-acl-init command has been deprecated. Please use -create-inject-token and -enable-namespaces flags
    to achieve the same functionality. [GH-368]

IMPROVEMENTS:

  • Connect: support passing extra arguments to the envoy binary. [GH-378]

    Arguments can be passed in 2 ways:

    • via a flag to the consul-k8s inject-connect command,
      e.g. consul-k8s inject-connect -envoy-extra-args="--log-level debug --disable-hot-restart"
    • via pod annotations,
      e.g. consul.hashicorp.com/envoy-extra-args: "--log-level debug --disable-hot-restart"
  • CRDs:

    • Add Age column to CRDs. [GH-365]
    • Add validations and field descriptions for ServiceIntentions CRD. [GH-385]
    • Update CRD sync status if deletion in Consul fails. [GH-365]

BUG FIXES:

  • Federation: (Consul Enterprise only) ensure replication ACL token can replicate policies and tokens in Consul namespaces other than default. [GH-364]
  • CRDs: (Consul Enterprise only) validate custom resources can only set namespace fields if Consul namespaces are enabled. [GH-375]
  • CRDs: Ensure ACL token is global so that secondary DCs can manage custom resources.
    Without this fix, controllers running in secondary datacenters would get ACL errors. [GH-369]
  • CRDs: (Consul Enterprise only) Do not attempt to create a * namespace when service intentions specify * as destination.namespace. [GH-382]
  • CRDs: (Consul Enterprise only) Fix namespace support for ServiceIntentions CRD. [GH-362]
  • CRDs: Rename field namespaces -> namespace in ServiceResolver CRD. [GH-365]

v0.19.0

12 Oct 21:02

0.19.0 (October 12, 2020)

FEATURES:

BREAKING CHANGES:

  • Connect: No longer set --max-obj-name-len flag when executing envoy. This flag
    was deprecated
    in Envoy 1.11.0 and had no effect from then onwards. With Envoy >= 1.15.0 setting
    this flag will result in an error, hence why we're removing it. [GH-350]

    If you are running any Envoy version >= 1.11.0 this change will have no effect. If you
    are running an Envoy version < 1.11.0 then you must upgrade Envoy to a newer
    version. This can be done by setting the global.imageEnvoy key in the
    Consul Helm chart.

IMPROVEMENTS:

  • Add an ability to configure the synthetic Consul node name where catalog sync registers services. [GH-312]
    • Sync: Add -consul-node-name flag to the sync-catalog command to configure the Consul node name for syncing services to Consul.
    • ACLs: Add -sync-consul-node-name flag to the server-acl-init command so that it can create correct policy for the sync catalog.

BUG FIXES:

  • Connect: use the first secret of type kubernetes.io/service-account-token when creating/updating auth method. [GH-350]

v0.18.1

10 Aug 22:37

0.18.1 (August 10, 2020)

BUG FIXES:

  • Connect: Reduce downtime caused by an alias health check of the sidecar proxy not being healthy for up to 1 minute
    when a Connect-enabled service is restarted. Note that this fix reverts the behavior of Consul Connect to the behavior
    it had before consul-k8s v0.16.0 and Consul v1.8.x, where Consul can route to potentially unhealthy instances of a service
    because we don't respect Kubernetes readiness/liveness checks yet. Please follow GH-155
    for updates on that feature. [GH-305]

v0.18.0

30 Jul 22:51

0.18.0 (July 30, 2020)

IMPROVEMENTS:

  • Connect: Add resource request and limit flags for the injected init and lifecycle sidecar containers. These flags replace the hardcoded values previously included. As part of this change, the default value for the lifecycle sidecar container memory limit has increased from 25Mi to 50Mi. [GH-298], [GH-300]

BUG FIXES:

  • Connect: Respect allow/deny list flags when namespaces are disabled. [GH-296]

v0.17.0

09 Jul 22:03

0.17.0 (July 09, 2020)

BREAKING CHANGES:

  • ACLs: Always update Kubernetes auth method created by the server-acl-init job. Previously, we would only update the auth method if Consul namespaces are enabled. With this change, we always update it to make sure that any configuration changes or updates to the connect-injector-authmethod-svc-account are propagated [GH-282].
  • Connect: Connect pods have had the following resource settings changed: consul-connect-inject-init now has its memory limit set to 150M up from 25M and consul-connect-lifecycle-sidecar has its CPU request and limit set to 20m up from 10m. [GH-291]

IMPROVEMENTS:

  • Extracted Consul's HTTP flags into our own package so we no longer depend on the internal Consul golang module. [GH-259]

BUG FIXES:

  • Connect: Update resource settings to fix out of memory errors and CPU usage at 100% of limit. [GH-283, consul-helm GH-515]
  • Connect: Creating a pod with a different service account name than its Consul service name will now result in an error when ACLs are enabled.
    Previously this would not result in an error, but the pod would not be able to send or receive traffic because its ACL token would be for a
    different service name. [GH-237]