1.3.1 (December 19, 2023)
SECURITY:
- Update Envoy version to 1.25.11 to address CVE-2023-44487 [GH-3118]
- Update github.com/golang-jwt/jwt/v4 to v4.5.0 to address PRISMA-2022-0270. [GH-3237]
- Upgrade to use Go 1.20.12. This resolves CVEs:
  - CVE-2023-45283: (path/filepath) recognize \??\ as a Root Local Device path prefix (Windows)
  - CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows)
  - CVE-2023-39326: (net/http) limit chunked data overhead
  - CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-3312]
FEATURES:
- control-plane: adds a named port, prometheus, to the consul-dataplane sidecar for use with Prometheus operator. [GH-3222]
- crd: adds the retryOn field to the ServiceRouter CRD. [GH-3308]
- helm: add persistentVolumeClaimRetentionPolicy variable for managing Statefulsets PVC retain policy when deleting or downsizing the statefulset. [GH-3180]
IMPROVEMENTS:
- cli: Add -o json (-output-format json) to consul-k8s proxy list command that returns the result in json format. [GH-3221]
- cli: Add consul-k8s proxy stats command line interface that outputs the localhost:19000/stats of envoy in the pod [GH-3158]
- control-plane: Add new consul.hashicorp.com/proxy-config-map annotation that allows for setting values in the opaque config map for proxy service registrations. [GH-3347]
- helm: add validation that global.cloud.enabled is not set with externalServers.hosts set to HCP-managed clusters [GH-3315]
BUG FIXES:
- consul-telemetry-collector: add telemetryCollector.cloud.resourceId that works even when not global.cloud.enabled [GH-3219]
- consul-telemetry-collector: fix deployments to non-default namespaces when global.enableConsulNamespaces [GH-3215]
- consul-telemetry-collector: fix args to consul-dataplane when global.acls.manageSystemACLs [GH-3184]
- control-plane: Fixes a bug with the control-plane CLI validation where the consul-dataplane sidecar CPU request is compared against the memory limit instead of the CPU limit. [GH-3209]
- control-plane: Only delete ACL tokens that match the Pod UID in Service Registration metadata [GH-3210]
- control-plane: fixes an issue with the server-acl-init job where the job would fail on upgrades due to consul server ip address changes. [GH-3137]
- control-plane: only alert on valid errors, not timeouts in gateway [GH-3128]
- control-plane: remove extraneous error log in v2 pod controller when a pod is scheduled, but not yet allocated an IP. [GH-3162]
- control-plane: remove extraneous error log in v2 pod controller when attempting to delete ACL tokens. [GH-3172]
- control-plane: Remove virtual nodes in the Consul Catalog when they do not have any services listed. [GH-3307]
- mesh: prevent extra-config from being loaded twice (and erroring for segment config) on clients and servers. [GH-3337]