v1.2.9

1.2.9 (May 24, 2024)

IMPROVEMENTS:

• upgrade go version to v1.22.3. [GH-3994]
• Bump Dockerfile base image for consul-k8s-control-plane to alpine:3.19. [GH-4016]

v1.1.13

1.1.13 (May 24, 2024)

• upgrade go version to v1.22.3. [GH-3994]
• Bump Dockerfile base image for consul-k8s-control-plane to alpine:3.19. [GH-4016]

v1.1.12

1.1.12 (May 20, 2024)

SECURITY:

• Upgrade Go to use 1.21.10. This addresses CVEs
  CVE-2024-24787 and
  CVE-2024-24788 [GH-3980]
• Upgrade helm/v3 to 3.14.4. This resolves the following security vulnerabilities:
  CVE-2024-25620
  CVE-2024-26147 [GH-3935]
• Upgrade to use Go 1.21.9. This resolves CVE
  CVE-2023-45288 (http2). [GH-3900]
• Upgrade to use golang.org/x/net v0.24.0. This resolves CVE
  CVE-2023-45288 (x/net). [GH-3900]

IMPROVEMENTS:

• ConfigEntries controller: Only error for config entries from different datacenters when the config entries are different [GH-3873]

v1.4.2

1.4.2 (May 20, 2024)

SECURITY:

• Upgrade Go to use 1.21.10. This addresses CVEs
  CVE-2024-24787 and
  CVE-2024-24788 [GH-3980]
• Upgrade helm/v3 to 3.14.4. This resolves the following security vulnerabilities:
  CVE-2024-25620
  CVE-2024-26147 [GH-3935]
• Upgrade to use Go 1.21.9. This resolves CVE
  CVE-2023-45288 (http2). [GH-3893]
• Upgrade to use golang.org/x/net v0.24.0. This resolves CVE
  CVE-2023-45288 (x/net). [GH-3893]

FEATURES:

• Add support for configuring graceful startup proxy lifecycle management settings. [GH-3878]

IMPROVEMENTS:

• control-plane: support , and <\n> as upstream separators. [GH-3956]
• ConfigEntries controller: Only error for config entries from different datacenters when the config entries are different [GH-3873]
• control-plane: Add support for receiving iptables configuration via CNI arguments, to support Nomad transparent proxy [GH-3795]
• control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift. [GH-3813]
• helm: only create the default Prometheus path annotation when it's not already specified within the component-specific
  annotations. For example if the client.annotations value sets prometheus.io/path annotation, don't overwrite it with
  the default value. [GH-3846]
• helm: support sync-lb-services-endpoints flag for syncCatalog [GH-3905]
• terminating-gateways: Remove unnecessary permissions from terminating gateways role [GH-3928]

BUG FIXES:

• Create Consul service with mode transparent-proxy even when a cluster IP is not assigned to the service.. [GH-3974]
• api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul when upgrading between versions. [GH-3918]
• api-gateway: fix bug where multiple logical APIGateways would share the same ACL policy. [GH-4000]
• consul-cni: Fixed a bug where the output of -version did not include the version of the binary [GH-3829]
• control-plane: fix a panic when an upstream annotation is malformed. [GH-3956]
• connect-inject: Fixed issue where on restart, if a managed-gateway-acl-role already existed the container would error [GH-3978]

v1.3.5

1.3.5 (May 20, 2024)

SECURITY:

• Upgrade Go to use 1.21.10. This addresses CVEs
  CVE-2024-24787 and
  CVE-2024-24788 [GH-3980]
• Upgrade helm/v3 to 3.14.4. This resolves the following security vulnerabilities:
  CVE-2024-25620
  CVE-2024-26147 [GH-3935]
• Upgrade to use Go 1.21.9. This resolves CVE
  CVE-2023-45288 (http2). [GH-3902]
• Upgrade to use golang.org/x/net v0.24.0. This resolves CVE
  CVE-2023-45288 (x/net). [GH-3902]

FEATURES:

• Add support for configuring graceful startup proxy lifecycle management settings. [GH-3878]

IMPROVEMENTS:

• control-plane: support , and <\n> as upstream separators. [GH-3956]
• ConfigEntries controller: Only error for config entries from different datacenters when the config entries are different [GH-3873]
• control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift. [GH-3813]
• helm: only create the default Prometheus path annotation when it's not already specified within the component-specific
  annotations. For example if the client.annotations value sets prometheus.io/path annotation, don't overwrite it with
  the default value. [GH-3846]
• helm: support sync-lb-services-endpoints flag for syncCatalog [GH-3905]
• terminating-gateways: Remove unnecessary permissions from terminating gateways role [GH-3928]

BUG FIXES:

• Create Consul service with mode transparent-proxy even when a cluster IP is not assigned to the service.. [GH-3974]
• api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul when upgrading between versions. [GH-3918]
• api-gateway: fix bug where multiple logical APIGateways would share the same ACL policy. [GH-4001]
• control-plane: fix a panic when an upstream annotation is malformed. [GH-3956]
• connect-inject: Fixed issue where on restart, if a managed-gateway-acl-role already existed the container would error [GH-3978]

v1.2.8

1.2.8 (May 20, 2024)

SECURITY:

• Upgrade Go to use 1.21.10. This addresses CVEs
  CVE-2024-24787 and
  CVE-2024-24788 [GH-3980]
• Upgrade helm/v3 to 3.14.4. This resolves the following security vulnerabilities:
  CVE-2024-25620
  CVE-2024-26147 [GH-3935]
• Upgrade to use Go 1.21.9. This resolves CVE
  CVE-2023-45288 (http2). [GH-3901]
• Upgrade to use golang.org/x/net v0.24.0. This resolves CVE
  CVE-2023-45288 (x/net). [GH-3901]

IMPROVEMENTS:

• ConfigEntries controller: Only error for config entries from different datacenters when the config entries are different [GH-3873]
• control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift. [GH-3813]
• helm: only create the default Prometheus path annotation when it's not already specified within the component-specific
  annotations. For example if the client.annotations value sets prometheus.io/path annotation, don't overwrite it with
  the default value. [GH-3846]
• helm: support sync-lb-services-endpoints flag for syncCatalog [GH-3905]

BUG FIXES:

• api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul when upgrading between versions. [GH-3918]
• api-gateway: fix bug where multiple logical APIGateways would share the same ACL policy. [GH-4002]
• connect-inject: Fixed issue where on restart, if a managed-gateway-acl-role already existed the container would error [GH-3978]

v1.3.4

1.3.4 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-3719]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426⁠ [GH-3741]
• Upgrade helm/v3 to 3.11.3. This resolves the following security vulnerabilities:
  CVE-2023-25165
  CVE-2022-23524
  CVE-2022-23526
  CVE-2022-23525 [GH-3625]
• Upgrade docker/distribution to 2.8.3+incompatible (latest) to resolve CVE-2023-2253. [GH-3625]
• Upgrade docker/docker to 25.0.3+incompatible (latest) to resolve GHSA-jq35-85cj-fj4p. [GH-3625]
• Upgrade filepath-securejoin to 0.2.4 (latest) to resolve GO-2023-2048. [GH-3625]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-3741]
• security: upgrade containerd to 1.7.13 (latest) to resolve GHSA-7ww5-4wqc-m92c. [GH-3625]

IMPROVEMENTS:

• catalog: Topology zone and region information is now read from the Kubernetes endpoints and associated node and added to registered consul services under Metadata. [GH-3693]
• control-plane: publish consul-k8s-control-plane and consul-k8s-control-plane-fips images to official HashiCorp AWS ECR. [GH-3668]

BUG FIXES:

• api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul. [GH-3779]
• control-plane: fix an issue where ACL token cleanup did not respect a pod's GracefulShutdownPeriodSeconds and
  tokens were invalidated immediately on pod entering Terminating state. [GH-3736]
• control-plane: fix an issue where ACL tokens would prematurely be deleted and services would be deregistered if there
  was a K8s API error fetching the pod. [GH-3758]

NOTES:

• build: Releases will now also be available as Debian and RPM packages for the arm64 architecture, refer to the
  Official Packaging Guide for more information. [GH-3428]

v1.2.7

1.2.7 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-3719]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426⁠ [GH-3741]
• Upgrade helm/v3 to 3.11.3. This resolves the following security vulnerabilities:
  CVE-2023-25165
  CVE-2022-23524
  CVE-2022-23526
  CVE-2022-23525 [GH-3625]
• Upgrade docker/distribution to 2.8.3+incompatible (latest) to resolve CVE-2023-2253. [GH-3625]
• Upgrade docker/docker to 25.0.3+incompatible (latest) to resolve GHSA-jq35-85cj-fj4p. [GH-3625]
• Upgrade filepath-securejoin to 0.2.4 (latest) to resolve GO-2023-2048. [GH-3625]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-3741]
• security: upgrade containerd to 1.7.13 (latest) to resolve GHSA-7ww5-4wqc-m92c. [GH-3625]

IMPROVEMENTS:

• catalog: Topology zone and region information is now read from the Kubernetes endpoints and associated node and added to registered consul services under Metadata. [GH-3693]
• control-plane: publish consul-k8s-control-plane and consul-k8s-control-plane-fips images to official HashiCorp AWS ECR. [GH-3668]

BUG FIXES:

• api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul. [GH-3779]
• control-plane: fix an issue where ACL token cleanup did not respect a pod's GracefulShutdownPeriodSeconds and
  tokens were invalidated immediately on pod entering Terminating state. [GH-3736]
• control-plane: fix an issue where ACL tokens would prematurely be deleted and services would be deregistered if there
  was a K8s API error fetching the pod. [GH-3758]

NOTES:

• build: Releases will now also be available as Debian and RPM packages for the arm64 architecture, refer to the
  Official Packaging Guide for more information. [GH-3428]

v1.4.1

1.4.1 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-3719]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426⁠ [GH-3741]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-3741]

IMPROVEMENTS:

• api-gateway: Expose prometheus scrape metrics on api-gateway pods. [GH-3811]
• catalog: Topology zone and region information is now read from the Kubernetes endpoints and associated node and added to registered consul services under Metadata. [GH-3693]

BUG FIXES:

• api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul. [GH-3779]
• control-plane: fix an issue where ACL token cleanup did not respect a pod's GracefulShutdownPeriodSeconds and
  tokens were invalidated immediately on pod entering Terminating state. [GH-3736]
• control-plane: fix an issue where ACL tokens would prematurely be deleted and services would be deregistered if there
  was a K8s API error fetching the pod. [GH-3758]

v1.1.11

1.1.11 (March 28, 2024)

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-3719]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426⁠ [GH-3741]
• Upgrade helm/v3 to 3.11.3. This resolves the following security vulnerabilities:
  CVE-2023-25165
  CVE-2022-23524
  CVE-2022-23526
  CVE-2022-23525 [GH-3625]
• Upgrade docker/distribution to 2.8.3+incompatible (latest) to resolve CVE-2023-2253. [GH-3625]
• Upgrade docker/docker to 25.0.3+incompatible (latest) to resolve GHSA-jq35-85cj-fj4p. [GH-3625]
• Upgrade filepath-securejoin to 0.2.4 (latest) to resolve GO-2023-2048. [GH-3625]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-3741]
• security: upgrade containerd to 1.7.13 (latest) to resolve GHSA-7ww5-4wqc-m92c. [GH-3625]

IMPROVEMENTS:

• control-plane: publish consul-k8s-control-plane and consul-k8s-control-plane-fips images to official HashiCorp AWS ECR. [GH-3668]

BUG FIXES:

• control-plane: fix an issue where ACL token cleanup did not respect a pod's GracefulShutdownPeriodSeconds and
  tokens were invalidated immediately on pod entering Terminating state. [GH-3736]
• control-plane: fix an issue where ACL tokens would prematurely be deleted and services would be deregistered if there
  was a K8s API error fetching the pod. [GH-3758]