1.11.0 (December 14, 2021)
BREAKING CHANGES:
- acl: The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that nothing is still using the legacy ACL system. See the Migrate Legacy ACL Tokens Learn Guide for more information. [GH-11232]
- cli: `consul acl set-agent-token master` has been replaced with `consul acl set-agent-token recovery` [GH-11669]
SECURITY:
- namespaces: (Enterprise only) Creating or editing namespaces that include default ACL policies or ACL roles now requires `acl:write` permission in the default namespace. This change fixes CVE-2021-41805.
- rpc: authorize raft requests (CVE-2021-37219) [GH-10925]
FEATURES:
- Admin Partitions (Consul Enterprise only) This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the Admin Partition documentation.
- ca: Add a configurable TTL for Connect CA root certificates. The configuration is supported by the Vault and Consul providers. [GH-11428]
- ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate. [GH-11449]
- health-checks: add support for h2c in http2 ping health checks [GH-10690]
- ui: Add UI support to use Vault as an external source for a service [GH-10769]
- ui: Adding support of Consul API Gateway as an external source. [GH-11371]
- ui: Adds a copy button to each composite row in tokens list page, if Secret ID returns an actual ID [GH-10735]
- ui: Adds visible Consul version information [GH-11803]
- ui: Topology - New views for scenarios where no dependencies exist or ACLs are disabled [GH-11280]
IMPROVEMENTS:
- acls: Show AuthMethodNamespace when reading/listing ACL tokens. [GH-10598]
- acl: replication routine to report the last error message. [GH-10612]
- agent: add variation of force-leave that exclusively works on the WAN [GH-11722]
- api: Enable setting query options on agent health and maintenance endpoints. [GH-10691]
- api: responses that contain only a partial subset of results, due to filtering by ACL policies, may now include an `X-Consul-Results-Filtered-By-ACLs` header [GH-11569]
- checks: add failures_before_warning setting for interval checks. [GH-10969]
- ci: Upgrade to use Go 1.17.5 [GH-11799]
- ci: Allow configuring graceful stop in testutil. [GH-10566]
- cli: Add `-cas` and `-modify-index` flags to the `consul config delete` command to support Check-And-Set (CAS) deletion of config entries [GH-11419]
- config: (Enterprise Only) Allow specifying permission mode for audit logs. [GH-10732]
- config: Support Check-And-Set (CAS) deletion of config entries [GH-11419]
- config: add `dns_config.recursor_strategy` flag to control the order in which DNS recursors are queried [GH-10611]
- config: warn the user if client_addr is empty because client services won't be listening [GH-11461]
- connect/ca: cease including the common name field in generated x509 non-CA certificates [GH-10424]
- connect: Add low-level feature to allow an Ingress to retrieve TLS certificates from SDS. [GH-10903]
- connect: Consul will now generate a unique virtual IP for each connect-enabled service (this will also differ across namespace/partition in Enterprise). [GH-11724]
- connect: Support Vault auth methods for the Connect CA Vault provider. Currently, we support any non-deprecated auth methods the latest version of Vault supports (v1.8.5), which include AppRole, AliCloud, AWS, Azure, Cloud Foundry, GitHub, Google Cloud, JWT/OIDC, Kerberos, Kubernetes, LDAP, Oracle Cloud Infrastructure, Okta, Radius, TLS Certificates, and Username & Password. [GH-11573]
- connect: Support manipulating HTTP headers in the mesh. [GH-10613]
- connect: add Namespace configuration setting for Vault CA provider [GH-11477]
- connect: ingress gateways may now enable built-in TLS for a subset of listeners. [GH-11163]
- connect: service-resolver subset filters are validated for valid go-bexpr syntax on write [GH-11293]
- connect: update supported envoy versions to 1.19.1, 1.18.4, 1.17.4, 1.16.5 [GH-11115]
- connect: update supported envoy versions to 1.20.0, 1.19.1, 1.18.4, 1.17.4 [GH-11277]
- debug: Add a new /v1/agent/metrics/stream API endpoint for streaming of metrics [GH-10399]
- debug: rename cluster capture target to members, to be more consistent with the terms used by the API. [GH-10804]
- dns: Added a `virtual` endpoint for querying the assigned virtual IP for a service. [GH-11725]
- http: when a URL path is not found, include a message with the 404 status code to help the user understand why (e.g., HTTP API endpoint path not prefixed with /v1/) [GH-11818]
- raft: Added a configuration to disable boltdb freelist syncing [GH-11720]
- raft: Emit boltdb related performance metrics [GH-11720]
- raft: Use bbolt instead of the legacy boltdb implementation [GH-11720]
- sdk: Add support for iptable rules that allow DNS lookup redirection to Consul DNS. [GH-11480]
- segments: (Enterprise only) ensure that the serf_lan_allowed_cidrs applies to network segments [GH-11495]
- telemetry: add a new `agent.tls.cert.expiry` metric for tracking when the Agent TLS certificate expires. [GH-10768]
- telemetry: add a new `mesh.active-root-ca.expiry` metric for tracking when the root certificate expires. [GH-9924]
- telemetry: added metrics to track certificate expiry. [GH-10504]
- types: add TLSVersion and TLSCipherSuite [GH-11645]
- ui: Change partition URL segment prefix from `-` to `_` [GH-11801]
- ui: Add upstream icons for upstreams and upstream instances [GH-11556]
- ui: Add uri guard to prevent future URL encoding issues [GH-11117]
- ui: Move the majority of our SASS variables to use native CSS custom properties [GH-11200]
- ui: Removed informational panel from the namespace selector menu when editing namespaces [GH-11130]
- ui: Update UI browser support to 'roughly ~2 years back' [GH-11505]
- ui: Update global notification styling [GH-11577]
- ui: added copy to clipboard button in code editor toolbars [GH-11474]
DEPRECATIONS:
- api: `/v1/agent/token/agent_master` is deprecated and will be removed in a future major release - use `/v1/agent/token/agent_recovery` instead [GH-11669]
- config: `acl.tokens.master` has been renamed to `acl.tokens.initial_management`, and `acl.tokens.agent_master` has been renamed to `acl.tokens.agent_recovery` - the old field names are now deprecated and will be removed in a future major release [GH-11665]
- tls: With the upgrade to Go 1.17, the ordering of `tls_cipher_suites` will no longer be honored, and `tls_prefer_server_cipher_suites` is now ignored. [GH-11364]
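What the tls deprecation above means in practice, shown as an added example that is not part of the Consul changelog or code base: a small Go program using only crypto/tls that runs one TLS 1.2 handshake in-process over net.Pipe. The server side is configured the way Consul used to wire `tls_cipher_suites` and `tls_prefer_server_cipher_suites` into crypto/tls, with a CBC suite listed first and PreferServerCipherSuites set. Under Go 1.17 and later the server selects the AES-GCM suite anyway, because crypto/tls now applies its own fixed preference order and treats the configured list only as a set of permitted suites. The self-signed certificate, the hostname `localhost` and the two suites are constructed test material. The operational consequence for Consul operators: listing a weak suite last no longer de-prioritises it; the control that still works is to leave it out of `tls_cipher_suites` entirely.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA P-256 certificate for "localhost"
// so the handshake runs entirely in-process. Constructed test material, not a
// Consul-issued certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Negotiate performs one TLS 1.2 handshake over an in-memory pipe. The server
// gets serverSuites in the given order plus PreferServerCipherSuites, which is
// how tls_cipher_suites / tls_prefer_server_cipher_suites used to reach
// crypto/tls. It returns the cipher suite the server actually selected.
func Negotiate(serverSuites, clientSuites []uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	srvCfg := &tls.Config{
		Certificates:             []tls.Certificate{cert},
		CipherSuites:             serverSuites,
		PreferServerCipherSuites: true, // ignored since Go 1.17; kept to show the old knob
		MinVersion:               tls.VersionTLS12,
		MaxVersion:               tls.VersionTLS12, // TLS 1.3 suites are never configurable
	}
	cliCfg := &tls.Config{
		RootCAs:      pool,
		ServerName:   "localhost",
		CipherSuites: clientSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()

	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, srvCfg).Handshake() }()

	client := tls.Client(cliConn, cliCfg)
	if err := client.Handshake(); err != nil {
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().CipherSuite, nil
}

func main() {
	cbc := tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
	gcm := tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
	// The operator "prefers" CBC by listing it first, and the client offers
	// both in the same order; pre-1.17 semantics would therefore pick CBC.
	got, err := Negotiate([]uint16{cbc, gcm}, []uint16{cbc, gcm})
	if err != nil {
		panic(err)
	}
	fmt.Println("negotiated:", tls.CipherSuiteName(got))
}
```

On a Go 1.17 or newer toolchain the program prints `negotiated: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`; the same program built with Go 1.16 prints the CBC suite, which is the behaviour change the deprecation note records. Configuring the server with only the GCM suite, or only the CBC suite, still yields exactly that suite, so the list itself is still enforced and is the place to remove anything you do not want negotiated.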
BUG FIXES:
- acl: (Enterprise only) fix namespace and namespace_prefix policy evaluation when both govern an authz request
- api: Fix default values used for optional fields in autopilot configuration update (POST to `/v1/operator/autopilot/configuration`) [GH-10558] [GH-10559]
- api: ensure new partition fields are `omitempty` for compatibility with older versions of consul [GH-11585]
- areas: (Enterprise Only) Fixes a bug when using the Yamux pool (for servers version 1.7.3 and later) where the entire pool was locked while connecting to a remote location, which could potentially take a long time.
- areas: (Enterprise only) make the gRPC server tracker network area aware [GH-11748]
- ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [GH-11693]
- ca: fixes a bug that caused the SigningKeyID to be wrong in the primary DC, when the Vault provider is used, after a CA config creates a new root. [GH-11672]
- ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [GH-11671]
- check root and intermediate CA expiry before using it to sign a leaf certificate. [GH-10500]
- connect/ca: ensure edits to the key type/bits for the connect builtin CA will regenerate the roots [GH-10330]
- connect/ca: require new vault mount points when updating the key type/bits for the vault connect CA provider [GH-10331]
- connect: fix race causing xDS generation to lock up when discovery chains are tracked for services that are no longer upstreams. [GH-11826]
- dns: Fixed an issue where DNS requests made with .alt_domain were answered as .domain [GH-11348]
- dns: return an empty answer when asked for an addr DNS record with a type other than A and AAAA. [GH-10401]
- macos: fixes building with a non-Apple LLVM (such as installed via Homebrew) [GH-11586]
- namespaces: (Enterprise only) ensure the namespace replicator doesn't replicate deleted namespaces
- proxycfg: ensure all of the watches are canceled if they are cancelable [GH-11824]
- snapshot: (Enterprise only) fixed a bug where the snapshot agent would ignore the `license_path` setting in config files
- ui: Ensure all types of data get reconciled with the backend data [GH-11237]
- ui: Ensure dc selector correctly shows the currently selected dc [GH-11380]
- ui: Ensure we check intention permissions for specific services when deciding whether to show action buttons for per service intention actions [GH-11409]
- ui: Ensure we filter tokens by policy when showing which tokens use a certain policy whilst editing a policy [GH-11311]
- ui: Ensure we show a readonly designed page for readonly intentions [GH-11767]
- ui: Filter the global intentions list by the currently selected partition rather than a wildcard [GH-11475]
- ui: Fix inline-code brand styling [GH-11578]
- ui: Fix visual issue with slight table header overflow [GH-11670]
- ui: Fixes an issue where, under some circumstances, after logging in we present the data loaded previous to you logging in. [GH-11681]
- ui: Gracefully recover from non-existent DC errors [GH-11077]
- ui: Include `Service.Namespace` into available variables for `dashboard_url_templates` [GH-11640]
- ui: Revert to depending on the backend, 'post-user-action', to report permissions errors rather than using UI capabilities 'pre-user-action' [GH-11520]
- ui: Topology - Fix up Default Allow and Permissive Intentions notices [GH-11216]
- ui: code editor styling (layout consistency + wide screen support) [GH-11474]
- use the MaxQueryTime instead of RPCHoldTimeout for blocking RPC queries [GH-8978]. [GH-10299]
- windows: fixes arm and arm64 builds [GH-11586]
NOTES:
- Renamed the `agent_master` field to `agent_recovery` in the `acl-tokens.json` file in which tokens are persisted on-disk (when `acl.enable_token_persistence` is enabled) [GH-11744]