v1.1.17

1.1.17- (November 4, 2023)

SECURITY:

• Upgrade Go to use 1.22.7. This addresses CVE
  CVE-2024-34155 [GH-4313]
• crd: Add contains and ignoreCase to the Intentions CRD to support configuring L7 Header intentions resilient to variable casing and multiple header values. [GH-4385]
• crd: Add http.incoming.requestNormalization to the Mesh CRD to support configuring service traffic request normalization. [GH-4385]

IMPROVEMENTS:

• helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [GH-4333]

BUG FIXES:

• sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [GH-4255]

v1.6.1

1.6.1 (November 4, 2023)

SECURITY:

• crd: Add contains and ignoreCase to the Intentions CRD to support configuring L7 Header intentions resilient to variable casing and multiple header values. [GH-4385]
• crd: Add http.incoming.requestNormalization to the Mesh CRD to support configuring service traffic request normalization. [GH-4385]

IMPROVEMENTS:

• catalog-sync: Added field to helm chart to purge all services registered with catalog-sync from consul on disabling of catalog-sync. [GH-4378]

BUG FIXES:

• api-gateway: global.imagePullSecrets are now configured on the ServiceAccount for Gateways.

Note: the referenced image pull Secret(s) must be present in the same namespace the Gateway is deployed to. [GH-4316]

• helm: fix issue where the API Gateway GatewayClassConfig tolerations can not be parsed by the Helm chart. [GH-4315]

v1.5.4

1.5.4 (November 4, 2023)

SECURITY:

• Upgrade Go to use 1.22.7. This addresses CVE
  CVE-2024-34155 [GH-4313]
• crd: Add contains and ignoreCase to the Intentions CRD to support configuring L7 Header intentions resilient to variable casing and multiple header values. [GH-4385]
• crd: Add http.incoming.requestNormalization to the Mesh CRD to support configuring service traffic request normalization. [GH-4385]

IMPROVEMENTS:

• connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [GH-4307]
• helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [GH-4333]

BUG FIXES:

• api-gateway: global.imagePullSecrets are now configured on the ServiceAccount for Gateways.

Note: the referenced image pull Secret(s) must be present in the same namespace the Gateway is deployed to. [GH-4316]

• helm: fix issue where the API Gateway GatewayClassConfig tolerations can not be parsed by the Helm chart. [GH-4315]
• sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [GH-4255]

v1.4.7

1.4.7 (November 4, 2023)

SECURITY:

• Upgrade Go to use 1.22.7. This addresses CVE
  CVE-2024-34155 [GH-4313]
• crd: Add contains and ignoreCase to the Intentions CRD to support configuring L7 Header intentions resilient to variable casing and multiple header values. [GH-4385]
• crd: Add http.incoming.requestNormalization to the Mesh CRD to support configuring service traffic request normalization. [GH-4385]

IMPROVEMENTS:

• connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [GH-4307]
• helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [GH-4333]

BUG FIXES:

• api-gateway: global.imagePullSecrets are now configured on the ServiceAccount for Gateways.

Note: the referenced image pull Secret(s) must be present in the same namespace the Gateway is deployed to. [GH-4316]

• helm: fix issue where the API Gateway GatewayClassConfig tolerations can not be parsed by the Helm chart. [GH-4315]
• sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [GH-4255]

v1.6.0

1.6.0 (October 16, 2024)

NOTE: Consul K8s 1.6.x is compatible with Consul 1.20.x and Consul Dataplane 1.6.x. Refer to our compatibility matrix for more info.

SECURITY:

• Upgrade Go to use 1.22.7. This addresses CVE
  CVE-2024-34155 [GH-4313]

IMPROVEMENTS:

• dns-proxy: add the ability to deploy a DNS proxy within the kubernetes cluster that forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests. [GH-4300]
• sync-catalog: expose prometheus scrape metrics on sync-catalog pods [GH-4212]
• connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [GH-4307]
• helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [GH-4333]

BUG FIXES:

• control-plane: add missing $HOST_IP environment variable to consul-dataplane sidecar containers [GH-4277]
• helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [GH-3989]
• sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [GH-4255]

v1.6.0-rc1

1.6.0-rc1 (September 20, 2024)

SECURITY:

• Upgrade Go to use 1.22.7. This addresses CVE
  CVE-2024-34155 [GH-4313]

IMPROVEMENTS:

• dns-proxy: add the ability to deploy a DNS proxy within the kubernetes cluster that forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests. [GH-4300]
• sync-catalog: expose prometheus scrape metrics on sync-catalog pods [GH-4212]
• connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [GH-4307]
• helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [GH-4333]

BUG FIXES:

• control-plane: add missing $HOST_IP environment variable to consul-dataplane sidecar containers [GH-4277]
• helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [GH-3989]
• sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [GH-4255]

v1.5.3

1.5.3 (August 30, 2024)

SECURITY:

• Bump Go to 1.22.5 to address CVE-2024-24791 [GH-4228]
• Upgrade Docker cli to use v.27.1. This addresses CVE
  CVE-2024-41110 [GH-4228]

IMPROVEMENTS:

• docker: update go-discover binary [GH-4287]
• docker: update ubi base image to ubi9-minimal:9.4. [GH-4287]
• helm: Adds webhookCertManager.resources field which can be configured to override the resource settings for the webhook-cert-manager deployment. [GH-4184]
• helm: Adds connectInject.apiGateway.managedGatewayClass.resourceJob.resources field which can be configured to override the resource settings for the gateway-resources-job job. [GH-4184]
• config-entry: add validate_clusters to mesh config entry [GH-4256]
• helm: Kubernetes v1.30 is now supported. Minimum tested version of Kubernetes is now v1.27. [GH-4244]

BUG FIXES:

• Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD. [GH-4213]
• api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified [GH-4247]
• helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job, would fail before if the image was in a private registry [GH-4210]
• openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior.
  This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [GH-4227]
• sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process [GH-4266]
• terminating-gateways: Fix bug where namespace field was not correctly set on ACL policies if using the Registration CRD with the service's namespace unset. [GH-4224]

v1.4.6

1.4.6 (August 30, 2024)

SECURITY:

• Bump Go to 1.22.5 to address CVE-2024-24791 [GH-4228]
• Upgrade Docker cli to use v.27.1. This addresses CVE
  CVE-2024-41110 [GH-4228]

IMPROVEMENTS:

• docker: update go-discover binary [GH-4287]
• docker: update ubi base image to ubi9-minimal:9.4. [GH-4287]
• helm: Adds webhookCertManager.resources field which can be configured to override the resource settings for the webhook-cert-manager deployment. [GH-4184]
• helm: Adds connectInject.apiGateway.managedGatewayClass.resourceJob.resources field which can be configured to override the resource settings for the gateway-resources-job job. [GH-4184]
• config-entry: add validate_clusters to mesh config entry [GH-4256]

BUG FIXES:

• Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD. [GH-4213]
• api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified [GH-4247]
• control-plane: add missing $HOST_IP environment variable to to consul-dataplane sidecar containers [GH-3916]
• helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job, would fail before if the image was in a private registry [GH-4210]
• openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior.
  This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [GH-4227]
• sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process [GH-4266]

v1.3.9

1.3.9 (August 30, 2024)

SECURITY:

• Bump Go to 1.22.5 to address CVE-2024-24791 [GH-4228]
• Upgrade Docker cli to use v.27.1. This addresses CVE
  CVE-2024-41110 [GH-4228]

IMPROVEMENTS:

• docker: update go-discover binary [GH-4287]
• docker: update ubi base image to ubi9-minimal:9.4. [GH-4287]
• helm: Adds webhookCertManager.resources field which can be configured to override the resource settings for the webhook-cert-manager deployment. [GH-4184]
• helm: Adds connectInject.apiGateway.managedGatewayClass.resourceJob.resources field which can be configured to override the resource settings for the gateway-resources-job job. [GH-4184]
• config-entry: add validate_clusters to mesh config entry [GH-4256]

BUG FIXES:

• Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD. [GH-4213]
• api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified [GH-4247]
• helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [GH-3989]
• helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job, would fail before if the image was in a private registry [GH-4210]
• openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior.
  This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [GH-4227]
• sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process [GH-4266]

v1.1.16

1.1.16 (August 30, 2024)

SECURITY:

• Bump Go to 1.22.5 to address CVE-2024-24791 [GH-4228]
• Upgrade Docker cli to use v.27.1. This addresses CVE
  CVE-2024-41110 [GH-4228]

IMPROVEMENTS:

• docker: update go-discover binary [GH-4287]
• docker: update ubi base image to ubi9-minimal:9.4. [GH-4287]
• helm: Adds webhookCertManager.resources field which can be configured to override the resource settings for the webhook-cert-manager deployment. [GH-4184]
• helm: Adds connectInject.apiGateway.managedGatewayClass.resourceJob.resources field which can be configured to override the resource settings for the gateway-resources-job job. [GH-4184]
• config-entry: add validate_clusters to mesh config entry [GH-4256]

BUG FIXES:

• openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior.
  This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [GH-4227]
• sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process [GH-4266]