v1.3.4

1.3.4 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-3719]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426⁠ [GH-3741]
• Upgrade helm/v3 to 3.11.3. This resolves the following security vulnerabilities:
  CVE-2023-25165
  CVE-2022-23524
  CVE-2022-23526
  CVE-2022-23525 [GH-3625]
• Upgrade docker/distribution to 2.8.3+incompatible (latest) to resolve CVE-2023-2253. [GH-3625]
• Upgrade docker/docker to 25.0.3+incompatible (latest) to resolve GHSA-jq35-85cj-fj4p. [GH-3625]
• Upgrade filepath-securejoin to 0.2.4 (latest) to resolve GO-2023-2048. [GH-3625]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-3741]
• security: upgrade containerd to 1.7.13 (latest) to resolve GHSA-7ww5-4wqc-m92c. [GH-3625]

IMPROVEMENTS:

• catalog: Topology zone and region information is now read from the Kubernetes endpoints and associated node and added to registered consul services under Metadata. [GH-3693]
• control-plane: publish consul-k8s-control-plane and consul-k8s-control-plane-fips images to official HashiCorp AWS ECR. [GH-3668]

BUG FIXES:

• api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul. [GH-3779]
• control-plane: fix an issue where ACL token cleanup did not respect a pod's GracefulShutdownPeriodSeconds and
  tokens were invalidated immediately on pod entering Terminating state. [GH-3736]
• control-plane: fix an issue where ACL tokens would prematurely be deleted and services would be deregistered if there
  was a K8s API error fetching the pod. [GH-3758]

NOTES:

• build: Releases will now also be available as Debian and RPM packages for the arm64 architecture, refer to the
  Official Packaging Guide for more information. [GH-3428]

v1.2.7

1.2.7 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-3719]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426⁠ [GH-3741]
• Upgrade helm/v3 to 3.11.3. This resolves the following security vulnerabilities:
  CVE-2023-25165
  CVE-2022-23524
  CVE-2022-23526
  CVE-2022-23525 [GH-3625]
• Upgrade docker/distribution to 2.8.3+incompatible (latest) to resolve CVE-2023-2253. [GH-3625]
• Upgrade docker/docker to 25.0.3+incompatible (latest) to resolve GHSA-jq35-85cj-fj4p. [GH-3625]
• Upgrade filepath-securejoin to 0.2.4 (latest) to resolve GO-2023-2048. [GH-3625]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-3741]
• security: upgrade containerd to 1.7.13 (latest) to resolve GHSA-7ww5-4wqc-m92c. [GH-3625]

IMPROVEMENTS:

• catalog: Topology zone and region information is now read from the Kubernetes endpoints and associated node and added to registered consul services under Metadata. [GH-3693]
• control-plane: publish consul-k8s-control-plane and consul-k8s-control-plane-fips images to official HashiCorp AWS ECR. [GH-3668]

BUG FIXES:

• api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul. [GH-3779]
• control-plane: fix an issue where ACL token cleanup did not respect a pod's GracefulShutdownPeriodSeconds and
  tokens were invalidated immediately on pod entering Terminating state. [GH-3736]
• control-plane: fix an issue where ACL tokens would prematurely be deleted and services would be deregistered if there
  was a K8s API error fetching the pod. [GH-3758]

NOTES:

• build: Releases will now also be available as Debian and RPM packages for the arm64 architecture, refer to the
  Official Packaging Guide for more information. [GH-3428]

v1.4.1

1.4.1 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-3719]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426⁠ [GH-3741]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-3741]

IMPROVEMENTS:

• api-gateway: Expose prometheus scrape metrics on api-gateway pods. [GH-3811]
• catalog: Topology zone and region information is now read from the Kubernetes endpoints and associated node and added to registered consul services under Metadata. [GH-3693]

BUG FIXES:

• api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul. [GH-3779]
• control-plane: fix an issue where ACL token cleanup did not respect a pod's GracefulShutdownPeriodSeconds and
  tokens were invalidated immediately on pod entering Terminating state. [GH-3736]
• control-plane: fix an issue where ACL tokens would prematurely be deleted and services would be deregistered if there
  was a K8s API error fetching the pod. [GH-3758]

v1.1.11

1.1.11 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-3719]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426⁠ [GH-3741]
• Upgrade helm/v3 to 3.11.3. This resolves the following security vulnerabilities:
  CVE-2023-25165
  CVE-2022-23524
  CVE-2022-23526
  CVE-2022-23525 [GH-3625]
• Upgrade docker/distribution to 2.8.3+incompatible (latest) to resolve CVE-2023-2253. [GH-3625]
• Upgrade docker/docker to 25.0.3+incompatible (latest) to resolve GHSA-jq35-85cj-fj4p. [GH-3625]
• Upgrade filepath-securejoin to 0.2.4 (latest) to resolve GO-2023-2048. [GH-3625]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-3741]
• security: upgrade containerd to 1.7.13 (latest) to resolve GHSA-7ww5-4wqc-m92c. [GH-3625]

IMPROVEMENTS:

• control-plane: publish consul-k8s-control-plane and consul-k8s-control-plane-fips images to official HashiCorp AWS ECR. [GH-3668]

BUG FIXES:

• control-plane: fix an issue where ACL token cleanup did not respect a pod's GracefulShutdownPeriodSeconds and
  tokens were invalidated immediately on pod entering Terminating state. [GH-3736]
• control-plane: fix an issue where ACL tokens would prematurely be deleted and services would be deregistered if there
  was a K8s API error fetching the pod. [GH-3758]

v1.4.0

1.4.0 (February 29, 2024)

NOTE: Consul K8s 1.4.x is compatible with Consul 1.18.x and Consul Dataplane 1.4.x. Refer to our compatibility matrix for more info.

BREAKING CHANGES:

• server: set autopilot.min_quorum to the correct quorum value to ensure autopilot doesn't prune servers needed for quorum. Also set autopilot. disable_upgrade_migration to true as that setting is meant for blue/green deploys, not rolling deploys.

  This setting makes sense for most use-cases, however if you had a specific reason to use the old settings you can use the following config to keep them:

  server:
    extraConfig: |
      {"autopilot": {"min_quorum": 0, "disable_upgrade_migration": false}} 
  

  [GH-3000]

• server: set leave_on_terminate to true and set the server pod disruption budget maxUnavailable to 1.

  This change makes server rollouts faster and more reliable. However, there is now a potential for reduced reliability if users accidentally
  scale the statefulset down. Now servers will leave the raft pool when they are stopped gracefully which reduces the fault
  tolerance. For example, with 5 servers, you can tolerate a loss of 2 servers' data as raft guarantees data is replicated to
  a majority of nodes (3). However, if you accidentally scale the statefulset down to 3, then the raft quorum will now be 2, and
  if you lose 2 servers, you may lose data. Before this change, the quorum would have remained at 3.

  During a regular rollout, the number of servers will be reduced by 1 at a time, which doesn't affect quorum when running
  an odd number of servers, e.g. quorum for 5 servers is 3, and quorum for 4 servers is also 3. That's why the pod disruption
  budget is being set to 1 now.

  If a server is stopped ungracefully, e.g. due to a node loss, it will not leave the raft pool, and so fault tolerance won't be affected.

  For the vast majority of users, this change will be beneficial, however if you wish to remain with the old settings you
  can set:

  server:
    extraConfig: |
      {"leave_on_terminate": false}
    disruptionBudget:
      maxUnavailable: <previous setting> 
  

  [GH-3000]

SECURITY:

• Update Envoy version to 1.25.11 to address CVE-2023-44487 [GH-3116]
• Upgrade helm/v3 to 3.11.3. This resolves the following security vulnerabilities:
  CVE-2023-25165
  CVE-2022-23524
  CVE-2022-23526
  CVE-2022-23525 [GH-3625]
• Upgrade docker/distribution to 2.8.3+incompatible (latest) to resolve CVE-2023-2253. [GH-3625]
• Upgrade docker/docker to 25.0.3+incompatible (latest) to resolve GHSA-jq35-85cj-fj4p. [GH-3625]
• Upgrade filepath-securejoin to 0.2.4 (latest) to resolve GO-2023-2048. [GH-3625]
• Upgrade containerd to 1.7.13 (latest) to resolve GHSA-7ww5-4wqc-m92c. [GH-3625]

IMPROVEMENTS:

• control-plane: publish consul-k8s-control-plane and consul-k8s-control-plane-fips images to official HashiCorp AWS ECR. [GH-3668]
• helm: Kubernetes v1.29 is now supported. Minimum tested version of Kubernetes is now v1.26. [GH-3675]
• cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [GH-3498]
• control-plane: Add CaseInsensitive flag to service-routers that allows paths and path prefixes to ignore URL upper and lower casing. [GH-3502]

BUG FIXES:

• consul-telemetry-collector: fix args to consul-dataplane when global.acls.manageSystemACLs [GH-3184]

NOTES:

• build: Releases will now also be available as Debian and RPM packages for the arm64 architecture, refer to the
  Official Packaging Guide for more information. [GH-3428]

v1.3.3

1.3.3 (February 15, 2024)

FEATURES:

• helm: introduces global.metrics.datadog overrides to streamline consul-k8s datadog integration.
  helm: introduces server.enableAgentDebug to expose agent enable_debug configuration.
  helm: introduces global.metrics.disableAgentHostName to expose agent telemetry.disable_hostname configuration.
  helm: introduces global.metrics.enableHostMetrics to expose agent telemetry.enable_host_metrics configuration.
  helm: introduces global.metrics.prefixFilter to expose agent telemetry.prefix_filter configuration.
  helm: introduces global.metrics.datadog.dogstatsd.dogstatsdAddr to expose agent telemetry.dogstatsd_addr configuration.
  helm: introduces global.metrics.datadog.dogstatsd.dogstatsdTags to expose agent telemetry.dogstatsd_tags configuration.
  helm: introduces required ad.datadoghq.com/ annotations and tags.datadoghq.com/ labels for integration with Datadog Autodiscovery and Datadog Unified Service Tagging for Consul.
  helm: introduces automated unix domain socket hostPath mounting for containerized integration with datadog within consul-server statefulset.
  helm: introduces global.metrics.datadog.otlp override options to allow OTLP metrics forwarding to Datadog Agent.
  control-plane: adds server-acl-init datadog agent token creation for datadog integration. [GH-3407]

IMPROVEMENTS:

• Upgrade to use Go 1.21.7. [GH-3591]
• api-gateway: Apply connectInject.initContainer.resources to the init container for API gateway Pods. [GH-3531]
• cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [GH-3498]
• control-plane: Add CaseInsensitive flag to service-routers that allows paths and path prefixes to ignore URL upper and lower casing. [GH-3502]
• helm: Change /bin/sh -ec "<command>" to /bin/sh -ec "exec <command>" in helm deployments [GH-3548]

BUG FIXES:

• api-gateway: fix issue where external annotations and labels are being incorrectly deleted on services controlled by the API Gateway [GH-3597]
• mesh-gw: update capabilities on the security context needed for the dataplane container.
  Adds NET_BIND_SERVICE to capabilities.add
  Adds ALL to capabilities.drop unless .Values.meshGateway.hostNetwork is true [GH-3549]

v1.2.6

1.2.6 (February 15, 2024)

FEATURES:

• helm: introduces global.metrics.datadog overrides to streamline consul-k8s datadog integration.
  helm: introduces server.enableAgentDebug to expose agent enable_debug configuration.
  helm: introduces global.metrics.disableAgentHostName to expose agent telemetry.disable_hostname configuration.
  helm: introduces global.metrics.enableHostMetrics to expose agent telemetry.enable_host_metrics configuration.
  helm: introduces global.metrics.prefixFilter to expose agent telemetry.prefix_filter configuration.
  helm: introduces global.metrics.datadog.dogstatsd.dogstatsdAddr to expose agent telemetry.dogstatsd_addr configuration.
  helm: introduces global.metrics.datadog.dogstatsd.dogstatsdTags to expose agent telemetry.dogstatsd_tags configuration.
  helm: introduces required ad.datadoghq.com/ annotations and tags.datadoghq.com/ labels for integration with Datadog Autodiscovery and Datadog Unified Service Tagging for Consul.
  helm: introduces automated unix domain socket hostPath mounting for containerized integration with datadog within consul-server statefulset.
  helm: introduces global.metrics.datadog.otlp override options to allow OTLP metrics forwarding to Datadog Agent.
  control-plane: adds server-acl-init datadog agent token creation for datadog integration. [GH-3407]

IMPROVEMENTS:

• Upgrade to use Go 1.21.7. [GH-3591]
• api-gateway: Apply connectInject.initContainer.resources to the init container for API gateway Pods. [GH-3531]
• cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [GH-3498]
• control-plane: Changed the container ordering in connect-inject to insert consul-dataplane container first if lifecycle is enabled. Container ordering is unchanged if lifecycle is disabled. [GH-2743]
• helm: Change /bin/sh -ec "<command>" to /bin/sh -ec "exec <command>" in helm deployments [GH-3548]

BUG FIXES:

• api-gateway: fix issue where external annotations and labels are being incorrectly deleted on services controlled by the API Gateway [GH-3597]
• mesh-gw: update capabilities on the security context needed for the dataplane container.
  Adds NET_BIND_SERVICE to capabilities.add
  Adds ALL to capabilities.drop unless .Values.meshGateway.hostNetwork is true [GH-3549]

v1.1.10

1.1.10 (February 15, 2024)

IMPROVEMENTS:

• Upgrade to use Go 1.21.7. [GH-3591]
• cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [GH-3498]
• helm: Change /bin/sh -ec "<command>" to /bin/sh -ec "exec <command>" in helm deployments [GH-3548]

BUG FIXES:

• mesh-gw: update capabilities on the security context needed for the dataplane container.
  Adds NET_BIND_SERVICE to capabilities.add
  Adds ALL to capabilities.drop unless .Values.meshGateway.hostNetwork is true [GH-3549]

v1.4.0-rc1

1.4.0-rc1 (February 8, 2024)

NOTE: Consul K8s 1.4.x is compatible with Consul 1.18.x and Consul Dataplane 1.4.x. Refer to our compatibility matrix for more info.

BREAKING CHANGES:

• server: set autopilot.min_quorum to the correct quorum value to ensure autopilot doesn't prune servers needed for quorum. Also set autopilot. disable_upgrade_migration to true as that setting is meant for blue/green deploys, not rolling deploys.

  This setting makes sense for most use-cases, however if you had a specific reason to use the old settings you can use the following config to keep them:

  server:
    extraConfig: |
      {"autopilot": {"min_quorum": 0, "disable_upgrade_migration": false}} 
  

  [GH-3000]

• server: set leave_on_terminate to true and set the server pod disruption budget maxUnavailable to 1. This change makes server rollouts faster and more reliable. However, there is now a potential for reduced reliability if users accidentally scale the statefulset down. Now servers will leave the raft pool when they are stopped gracefully which reduces the fault tolerance. For example, with 5 servers, you can tolerate a loss of 2 servers' data as raft guarantees data is replicated to a majority of nodes (3). However, if you accidentally scale the statefulset down to 3, then the raft quorum will now be 2, and if you lose 2 servers, you may lose data. Before this change, the quorum would have remained at 3.

  During a regular rollout, the number of servers will be reduced by 1 at a time, which doesn't affect quorum when running
  an odd number of servers, e.g. quorum for 5 servers is 3, and quorum for 4 servers is also 3. That's why the pod disruption
  budget is being set to 1 now.

  If a server is stopped ungracefully, e.g. due to a node loss, it will not leave the raft pool, and so fault tolerance won't be affected.

  For the vast majority of users, this change will be beneficial, however if you wish to remain with the old settings you
  can set:

  server:
    extraConfig: |
      {"leave_on_terminate": false}
    disruptionBudget:
      maxUnavailable: <previous setting> 
  

  [GH-3000]

SECURITY:

• Update Envoy version to 1.25.11 to address CVE-2023-44487 [GH-3116]

IMPROVEMENTS:

• cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [GH-3498]
• control-plane: Add CaseInsensitive flag to service-routers that allows paths and path prefixes to ignore URL upper and lower casing. [GH-3502]

BUG FIXES:

• consul-telemetry-collector: fix args to consul-dataplane when global.acls.manageSystemACLs [GH-3184]

v1.3.2

1.3.2 (Jan 25, 2024)

SECURITY:

• Update golang.org/x/crypto to v0.17.0 to address CVE-2023-48795. [GH-3442]
• Upgrade OpenShift container images to use ubi-minimal:9.3 as the base image. [GH-3418]

IMPROVEMENTS:

• Upgrade to use Go 1.21.6. [GH-3478]
• control-plane: Add new consul.hashicorp.com/sidecar-proxy-startup-failure-seconds and consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds annotations that allow users to manually configure startup and liveness probes for Envoy sidecar proxies. [GH-3450]
• control-plane: reduce Consul Catalog API requests required for endpoints reconcile in large clusters [GH-3322]
• cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [GH-3498]

BUG FIXES:

• api-gateway: fix issue where deleting an http-route in a non-default namespace would not remove the route from Consul. [GH-3440]