1.10.0-beta1 (April 16, 2021)
SECURITY:
- Add content-type headers to raw KV responses to prevent XSS attacks CVE-2020-25864 [GH-10023]
- audit-logging: Parse endpoint URL to prevent requests from bypassing the audit log CVE-2021-28156
FEATURES:
- cli: Add new
consul connect redirect-traffic
command for applying traffic redirection rules when Transparent Proxy is enabled. [GH-9910] - cli: Add prefix option to kv import command [GH-9792]
- cli: snapshot inspect command provides KV usage breakdown [GH-9098]
- cli: snapshot inspect command supports JSON output [GH-9006]
- connect: Add local_request_timeout_ms to allow configuring the Envoy request timeout on local_app [GH-9554]
- connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled [GH-9973]
- sdk: Add new
iptables
package for applying traffic redirection rules with iptables. [GH-9910] - ui: Read-only ACL Auth Methods view [GH-9617]
IMPROVEMENTS:
- acl: extend the auth-methods list endpoint to include MaxTokenTTL and TokenLocality fields. [GH-9741]
- acl: use the presence of a management policy in the state store as a sign that we already migrated to v2 acls [GH-9505]
- api: Enable setting query options on agent endpoints. [GH-9903]
- api:
AutopilotServerHelath
now handles the 429 status code returned by the v1/operator/autopilot/health endpoint and still returned the parsed reply which will indicate server healthiness [GH-8599] - cli: added a
-force-without-cross-signing
flag to theca set-config
command.
connect/ca: The ForceWithoutCrossSigning field will now work as expected for CA providers that support cross signing. [GH-9672] - cli: the
consul connect envoy --envoy_statsd_url
flag will now resolve the$HOST_IP
environment variable, as part of a full url. [GH-8564] - client: when a client agent is attempting to dereigster a service, anddoes not have access to the ACL token used to register a service, attempt to use the agent token instead of the default user token. If no agent token is set, fall back to the default user token. [GH-9683]
- connect: Add support for transparently proxying traffic through Envoy. [experimental] [GH-9894]
- connect: Allow per-upstream configuration to be set in service-defaults. [experimental] [GH-9872]
- connect: Automatically rewrite the Host header for Terminating Gateway HTTP services [GH-9042]
- connect: The builtin connect proxy no longer advertises support for h2 via ALPN. [GH-4466]. [GH-9920]
- connect: Update the service mesh visualization to account for transparent proxies. [GH-10016]
- connect: adds new flags
prometheus-backend-port
andprometheus-scrape-port
toconsul connect envoy
to support envoy_prometheus_bind_addr pointing to the merged metrics port when using Consul Connect on K8s. [GH-9768] - ui: Move to a sidebar based main navigation [GH-9553]
- ui: Use older (~2016) native ES6 features to reduce transpilation and UI JS payload [GH-9729]
- ui: add permanently visible indicator when ACLs are disabled [GH-9864]
- ui: improve accessibility of modal dialogs [GH-9819]
- ui: restrict the viewing/editing of certain UI elements based on the users ACL token [GH-9687]
- ui: support stricter content security policies [GH-9847]
- xds: add support for envoy 1.17.0 [GH-9658]
- xds: default to speaking xDS v3, but allow for v2 to be spoken upon request [GH-9658]
- xds: remove deprecated usages of xDS and drop support for envoy 1.13.x [GH-9602]
BUG FIXES:
- api: ensure v1/health/ingress/:service endpoint works properly when streaming is enabled [GH-9967]
- areas: Fixes a bug which would prevent newer servers in a network areas from connecting to servers running a version of Consul prior to 1.7.3.
- audit-logging: (Enterprise only) Fixed an issue that resulted in usage of the agent master token or managed service provider tokens from being resolved properly. [GH-10013]
- cache: fix a bug in the client agent cache where streaming could potentially leak resources. [GH-9978]. [GH-9978]
- cache: fix a bug in the client agent cache where streaming would disconnect every
20 minutes and cause delivery delays. [GH-9979]. [GH-9979] - checks: add TLSServerName field to allow setting the TLS server name for HTTPS health checks. [GH-9475]
- command: when generating envoy bootstrap configs to stdout do not mix informational logs into the json [GH-9980]
- config: Fixed a bug where
rpc_max_conns_per_client
could not be changed by reloading the
config. [GH-8696] - config: correct config key from
advertise_addr_ipv6
toadvertise_addr_wan_ipv6
[GH-9851] - http: fix a bug in Consul Enterprise that would cause the UI to believe namespaces were supported, resulting in warning logs and incorrect UI behaviour. [GH-9923]
- snapshot: fixes a bug that would cause snapshots to be missing all but the first ACL Auth Method. [GH-10025]
- streaming: lookup in health properly handle case-sensitivity and perform filtering based on tags and node-meta [GH-9703]
- ui: Fix intention form cancel button [GH-9901]
- ui: ensure proxy instance API requests perform blocking queries correctly [GH-10039]