giantswarm / aws-operator

Manages Kubernetes clusters running on AWS (before Cluster API)
https://www.giantswarm.io/
Apache License 2.0

Update module github.com/hashicorp/consul to v1.17.0 #3640

Closed renovate[bot] closed 11 months ago

renovate[bot] commented 11 months ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/hashicorp/consul | replace | minor | `v1.16.3` -> `v1.17.0` |

Release Notes

hashicorp/consul (github.com/hashicorp/consul)

### [`v1.17.0`](https://togithub.com/hashicorp/consul/releases/tag/v1.17.0)

[Compare Source](https://togithub.com/hashicorp/consul/compare/v1.16.3...v1.17.0)

#### 1.17.0 (October 31, 2023)

BREAKING CHANGES:

- api: RaftLeaderTransfer now requires an id string. An empty string can be specified to keep the old behavior. \[[GH-17107](https://togithub.com/hashicorp/consul/issues/17107)]
- audit-logging: **(Enterprise only)** allowing timestamp based filename only on rotation. initially the filename will be just file.json \[[GH-18668](https://togithub.com/hashicorp/consul/issues/18668)]

SECURITY:

- Update `golang.org/x/net` to v0.17.0 to address [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) / [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)(`x/net/http2`). \[[GH-19225](https://togithub.com/hashicorp/consul/issues/19225)]
- Upgrade Go to 1.20.10. This resolves vulnerability [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) / [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)(`net/http`). \[[GH-19225](https://togithub.com/hashicorp/consul/issues/19225)]
- Upgrade `google.golang.org/grpc` to 1.56.3. This resolves vulnerability [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487). \[[GH-19414](https://togithub.com/hashicorp/consul/issues/19414)]
- connect: update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address [CVE-2023-44487](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76) \[[GH-19275](https://togithub.com/hashicorp/consul/issues/19275)]

FEATURE PREVIEW: **Catalog v2**

This release provides the ability to preview Consul's v2 Catalog and Resource API if enabled. The new model supports multi-port application deployments with only a single Envoy proxy. Note that the v1 and v2 catalogs are not cross compatible, and not all Consul features are available within this v2 feature preview. See the [v2 Catalog and Resource API documentation](https://developer.hashicorp.com/consul/docs/architecture/v2) for more information. The v2 Catalog and Resources API should be considered a feature preview within this release and should not be used in production environments.

Limitations

- The v2 catalog API feature preview does not support connections with client agents. As a result, it is only available for Kubernetes deployments, which use [Consul dataplanes](consul/docs/connect/dataplane) instead of client agents.
- The v1 and v2 catalog APIs cannot run concurrently.
- The Consul UI does not support multi-port services or the v2 catalog API in this release.
- HCP Consul does not support multi-port services or the v2 catalog API in this release.

Significant Pull Requests

- [\[Catalog resource controllers\]](https://togithub.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/internal/catalog/internal/controllers)
- [\[Mesh resource controllers\]](https://togithub.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/internal/mesh/internal/controllers)
- [\[Auth resource controllers\]](https://togithub.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/internal/auth/internal)
- [\[V2 Protobufs\]](https://togithub.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/proto-public)

FEATURES:

- Support custom watches on the Consul Controller framework. \[[GH-18439](https://togithub.com/hashicorp/consul/issues/18439)]
- Windows: support consul connect envoy command on Windows \[[GH-17694](https://togithub.com/hashicorp/consul/issues/17694)]
- acl: Add BindRule support for templated policies. Add new BindType: templated-policy and BindVar field for templated policy variables. \[[GH-18719](https://togithub.com/hashicorp/consul/issues/18719)]
- acl: Add new `acl.tokens.dns` config field which specifies the token used implicitly during dns checks. \[[GH-17936](https://togithub.com/hashicorp/consul/issues/17936)]
- acl: Added ACL Templated policies to simplify getting the right ACL token. \[[GH-18708](https://togithub.com/hashicorp/consul/issues/18708)]
- acl: Adds a new ACL rule for workload identities \[[GH-18769](https://togithub.com/hashicorp/consul/issues/18769)]
- acl: Adds workload identity templated policy \[[GH-19077](https://togithub.com/hashicorp/consul/issues/19077)]
- api-gateway: Add support for response header modifiers on http-route configuration entry \[[GH-18646](https://togithub.com/hashicorp/consul/issues/18646)]
- api-gateway: add retry and timeout filters \[[GH-18324](https://togithub.com/hashicorp/consul/issues/18324)]
- cli: Add `bind-var` flag to `consul acl binding-rule` for templated policy variables. \[[GH-18719](https://togithub.com/hashicorp/consul/issues/18719)]
- cli: Add `consul acl templated-policy` commands to read, list and preview templated policies. \[[GH-18816](https://togithub.com/hashicorp/consul/issues/18816)]
- config-entry(api-gateway): (Enterprise only) Add GatewayPolicy to APIGateway Config Entry listeners
- config-entry(api-gateway): (Enterprise only) Add JWTFilter to HTTPRoute Filters
- dataplane: Allow getting bootstrap parameters when using V2 APIs \[[GH-18504](https://togithub.com/hashicorp/consul/issues/18504)]
- gateway: **(Enterprise only)** Add JWT authentication and authorization to APIGateway Listeners and HTTPRoutes.
- mesh: **(Enterprise only)** Adds rate limiting config to service-defaults \[[GH-18583](https://togithub.com/hashicorp/consul/issues/18583)]
- xds: Add a built-in Envoy extension that appends OpenTelemetry Access Logging (otel-access-logging) to the HTTP Connection Manager filter. \[[GH-18336](https://togithub.com/hashicorp/consul/issues/18336)]
- xds: Add support for patching outbound listeners to the built-in Envoy External Authorization extension. \[[GH-18336](https://togithub.com/hashicorp/consul/issues/18336)]

IMPROVEMENTS:

- raft: upgrade raft-wal library version to 0.4.1. \[[GH-19314](https://togithub.com/hashicorp/consul/issues/19314)]
- xds: Use downstream protocol when connecting to local app \[[GH-18573](https://togithub.com/hashicorp/consul/issues/18573)]
- Windows: Integration tests for Consul Windows VMs \[[GH-18007](https://togithub.com/hashicorp/consul/issues/18007)]
- acl: Use templated policy to generate synthetic policies for tokens/roles with node and/or service identities \[[GH-18813](https://togithub.com/hashicorp/consul/issues/18813)]
- api: added `CheckRegisterOpts` to Agent API \[[GH-18943](https://togithub.com/hashicorp/consul/issues/18943)]
- api: added `Token` field to `ServiceRegisterOpts` type in Agent API \[[GH-18983](https://togithub.com/hashicorp/consul/issues/18983)]
- ca: Vault CA provider config no longer requires root_pki_path for secondary datacenters \[[GH-17831](https://togithub.com/hashicorp/consul/issues/17831)]
- cli: Added `-templated-policy`, `-templated-policy-file`, `-replace-templated-policy`, `-append-templated-policy`, `-replace-templated-policy-file`, `-append-templated-policy-file` and `-var` flags for creating or updating tokens/roles. \[[GH-18708](https://togithub.com/hashicorp/consul/issues/18708)]
- config: Add new `tls.defaults.verify_server_hostname` configuration option. This specifies the default value for any interfaces that support the `verify_server_hostname` option. \[[GH-17155](https://togithub.com/hashicorp/consul/issues/17155)]
- connect: update supported envoy versions to 1.24.10, 1.25.9, 1.26.4, 1.27.0 \[[GH-18300](https://togithub.com/hashicorp/consul/issues/18300)]
- ui: Use Community verbiage \[[GH-18560](https://togithub.com/hashicorp/consul/issues/18560)]

BUG FIXES:

- api: add custom marshal/unmarshal for ServiceResolverConfigEntry.RequestTimeout so config entries that set this field can be read using the API. \[[GH-19031](https://togithub.com/hashicorp/consul/issues/19031)]
- ca: ensure Vault CA provider respects Vault Enterprise namespace configuration. \[[GH-19095](https://togithub.com/hashicorp/consul/issues/19095)]
- catalog api: fixes a bug with catalog api where filter query parameter was not working correctly for the `/v1/catalog/services` endpoint \[[GH-18322](https://togithub.com/hashicorp/consul/issues/18322)]
- connect: **(Enterprise only)** Fix bug where incorrect service-defaults entries were fetched to determine an upstream's protocol whenever the upstream did not explicitly define the namespace / partition. When this bug occurs, upstreams would use the protocol from a service-default entry in the default namespace / partition, rather than their own namespace / partition.
- connect: Fix bug where uncleanly closed xDS connections would influence connection balancing for too long and prevent envoy instances from starting. Two new configuration fields `performance.grpc_keepalive_timeout` and `performance.grpc_keepalive_interval` now exist to allow for configuration on how often these dead connections will be cleaned up. \[[GH-19339](https://togithub.com/hashicorp/consul/issues/19339)]
- dev-mode: Fix dev mode has new line in responses. Now new line is added only when url has pretty query parameter. \[[GH-18367](https://togithub.com/hashicorp/consul/issues/18367)]
- dns: **(Enterprise only)** Fix bug where sameness group queries did not correctly inherit the agent's partition.
- docs: fix list of telemetry metrics \[[GH-17593](https://togithub.com/hashicorp/consul/issues/17593)]
- gateways: Fix a bug where a service in a peered datacenter could not access an external node service through a terminating gateway \[[GH-18959](https://togithub.com/hashicorp/consul/issues/18959)]
- server: **(Enterprise Only)** Fixed an issue where snake case keys were rejected when configuring the control-plane-request-limit config entry
- telemetry: emit consul version metric on a regular interval. \[[GH-6876](https://togithub.com/hashicorp/consul/issues/6876)]
- tlsutil: Default setting of ServerName field in outgoing TLS configuration for checks now handled by crypto/tls. \[[GH-17481](https://togithub.com/hashicorp/consul/issues/17481)]

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.