v0.34.0

⚠️ This release contains the wrong consul-k8s-control-plane image. Please use v0.34.1 instead.

0.34.0 (September 17, 2021)

FEATURES:

• CLI
  • The consul-k8s CLI enables users to deploy and operate Consul on Kubernetes.
    • Support consul-k8s install command. [GH-713]
• Helm Chart
  • Add support for Admin Partitions. (Consul Enterprise only)
    ALPHA [GH-729]

    • This feature allows Consul to be deployed across multiple Kubernetes clusters while sharing a single set of Consul
      servers. The services on each cluster can be independently managed. This feature is an alpha feature. It requires:

      • a flat pod and node network in order for inter-partition networking to work.
      • TLS to be enabled.
      • Consul Namespaces enabled.

      Transparent Proxy is unsupported for cross partition communication.

To enable Admin Partitions on the server cluster use the following config.

global:
  enableConsulNamespaces: true
  tls:
    enabled: true
  image: hashicorp/consul-enterprise:1.11.0-ent-alpha
  adminPartitions:
    enabled: true
server:
  exposeGossipAndRPCPorts: true
  enterpriseLicense:
    secretName: license
    secretKey: key
connectInject:
  enabled: true
  transparentProxy:
    defaultEnabled: false
  consulNamespaces:
    mirroringK8S: true
controller:
  enabled: true

Identify the LoadBalancer External IP of the partition-service

kubectl get svc consul-consul-partition-service -o json | jq -r '.status.loadBalancer.ingress[0].ip'

Migrate the TLS CA credentials from the server cluster to the workload clusters

kubectl get secret consul-consul-ca-key --context "server-context" -o yaml | kubectl apply --context "workload-context" -f -
kubectl get secret consul-consul-ca-cert --context "server-context" -o yaml | kubectl apply --context "workload-context" -f -

Configure the workload cluster using the following config.

global:
  enabled: false
  enableConsulNamespaces: true
  image: hashicorp/consul-enterprise:1.11.0-ent-alpha
  adminPartitions:
    enabled: true
    name: "alpha" # Name of Admin Partition
  tls:
    enabled: true
    caCert:
      secretName: consul-consul-ca-cert
      secretKey: tls.crt
    caKey:
      secretName: consul-consul-ca-key
      secretKey: tls.key
server:
  enterpriseLicense:
    secretName: license
    secretKey: key
externalServers:
  enabled: true
  hosts: [ "loadbalancer IP" ] # external IP of partition service LB
  tlsServerName: server.dc1.consul
client:
  enabled: true
  exposeGossipPorts: true
  join: [ "loadbalancer IP" ] # external IP of partition service LB
connectInject:
  enabled: true
  consulNamespaces:
    mirroringK8S: true
controller:
  enabled: true

This should lead to the workload cluster having only Consul agents that connect with the Consul server. Services in this
cluster behave like independent services. They can be configured to communicate with services in other partitions by
configuring the upstream configuration on the individual services.

• Control Plane
  • Add support for Admin Partitions. (Consul Enterprise only) **
    ALPHA** [GH-729]
    • Add Partition-Init job that runs in Kubernetes clusters that do not have servers running to provision Admin
      Partitions.
    • Update endpoints-controller, config-entry controller and config entries to add partition config to them.

IMPROVEMENTS:

• Helm Chart
  • Add ability to specify port for ui service. [GH-604]
  • Use policy/v1 for Consul server PodDisruptionBudget if supported. [GH-606]
  • Add readiness, liveness and startup probes to the connect inject deployment. [GH-626][GH-701]
  • Add support for setting container security contexts on client and server Pods. [GH-620]
  • Update Envoy image to 1.18.4 [GH-699]
  • Add configuration for webhook-cert-manager tolerations [GH-712]
  • Update default Consul version to 1.10.2 [GH-718]
• Control Plane
  • Add health endpoint to the connect inject webhook that will be healthy when webhook certs are present and not empty. [GH-626]
  • Catalog Sync: Fix issue registering NodePort services with wrong IPs when a node has multiple IP addresses. [GH-619]
  • Allow registering the same service in multiple namespaces. [GH-697]

BUG FIXES:

• Helm Chart

  • Disable streaming on Consul clients because it is currently not supported when
    doing mesh gateway federation. If you wish to enable it, override the setting using client.extraConfig:

    client:
      extraConfig: |
        {"use_streaming_backend": true}

    [GH-718]

v0.33.0

0.33.0 (August 12, 2021)

BREAKING CHANGES:

• The consul-k8s repository has been merged with consul-helm and now contains the consul-k8s-control-plane binary (previously named consul-k8s) and the Helm chart to deploy Consul on Kubernetes. The docker image previously named hashicorp/consul-k8s has been renamed to hashicorp/consul-k8s-control-plane. The binary and Helm chart will be released together with the same version. NOTE: If you install Consul through the Helm chart and are not customizing the global.imageK8S value then this will not be a breaking change. [GH-589]
  • Helm chart v0.33.0+ will support the corresponding consul-k8s-control-plane image with the same version only. For example Helm chart 0.33.0 will only be supported to work with the default value global.imageK8S: hashicorp/consul-k8s-control-plane:0.33.0.
  • The control-plane binary has been renamed from consul-k8s to consul-k8s-control-plane and is now invoked as consul-k8s-control-plane in the Helm chart. The first version of this newly renamed binary will be 0.33.0.
  • The Go module github.com/hashicorp/consul-k8s has been named to github.com/hashicorp/consul-k8s/control-plane.
  • The Helm chart is located under consul-k8s/charts/consul.
  • The control-plane source code is located under consul-k8s/control-plane.
• Minimum Kubernetes versions supported is 1.17+ and now matches what is stated in the README.md file. [GH-1053]

IMPROVEMENTS:

• Control Plane
  • Add flags -log-level, -log-json to all subcommands to control log level and json formatting. [GH-523]
  • Execute Consul clients and servers using the Docker entrypoint for consistency. [GH-590]
• Helm Chart
  • Substitute HOST_IP/POD_IP/HOSTNAME variables in server.extraConfig and client.extraConfig so they are passed in to server/client config already evaluated at runtime. [GH-1042]
  • Set failurePolicy to Fail for connectInject mutating webhook so that pods fail to schedule when the webhook is offline. This can be controlled via connectInject.failurePolicy. [GH-1024]
  • Allow setting global.logLevel and global.logJSON and propogate this to all consul-k8s commands. [GH-980]
  • Allow setting connectInject.replicas to control number of replicas of webhook injector. [GH-1029]
  • Add the ability to manually specify a k8s secret containing server-cert via the value server.serverCert.secretName. [GH-1024]
  • Allow setting ui.pathType for providers that do not support the default pathType "Prefix". [GH-1012]
  • Allow setting client.nodeMeta to specify arbitrary key-value pairs to associate with the node. [GH-728]

BUG FIXES:

• Control Plane
  • Connect: Use AdmissionregistrationV1 instead of AdmissionregistrationV1beta1 API as it was deprecated in k8s 1.16. [GH-558]
  • Connect: Fix bug where environment variables <NAME>_CONNECT_SERVICE_HOST and
    <NAME>_CONNECT_SERVICE_PORT weren't being set when the upstream annotation was used. [GH-549]
  • Connect: Fix a bug with leaving around ACL tokens after a service has been deregistered. Note that this will not clean up existing leftover ACL tokens. [GH-540][GH-599]
  • CRDs: Fix ProxyDefaults and ServiceDefaults resources not syncing with Consul < 1.10.0 [GH-1023]
  • Connect: Skip service registration for duplicate services only on Kubernetes. [GH-581]
  • Connect: redirect-traffic command passes ACL token when ACLs are enabled. [GH-576]

v0.26.0

0.26.0 (June 22, 2021)

FEATURES:

• Connect: Support Transparent Proxy. [GH-481]
  This feature enables users to use KubeDNS to reach other services within the Consul Service Mesh,
  as well as enforces the inbound and outbound traffic to go through the Envoy proxy.

  Using transparent proxy for your service mesh applications means:

  • Proxy service registrations will set mode to transparent in the proxy configuration
    so that Consul can configure the Envoy proxy to have an inbound and outbound listener.
  • Both proxy and service registrations will include the cluster IP and service port of the Kubernetes service
    as tagged addresses so that Consul can configure Envoy to route traffic based on that IP and port.
  • The consul-connect-inject-init container will run consul connect redirect-traffic command,
    which will apply rules (via iptables) to redirect inbound and outbound traffic to the proxy.
    To run this command the consul-connect-inject-init requires running as root with capability NET_ADMIN.

  This feature includes the following changes:

  • Add new -enable-transparent-proxy flag to the inject-connect command.
    When true, transparent proxy will be used for all services on the Consul Service Mesh
    within a Kubernetes cluster. This flag defaults to true.
  • Add new consul.hashicorp.com/transparent-proxy pod annotation to allow enabling and disabling transparent
    proxy for individual services.

• CRDs: Add CRD for MeshConfigEntry. Supported in Consul 1.10+ [GH-513]

• Connect: Overwrite Kubernetes HTTP readiness and/or liveness probes to point to Envoy proxy when
  transparent proxy is enabled. [GH-517]

• Connect: Allow exclusion of inbound ports, outbound ports and CIDRs, and additional user IDs when
  Transparent Proxy is enabled. [GH-506]

  The following annotations are supported:

  • consul.hashicorp.com/transparent-proxy-exclude-inbound-ports - Comma-separated list of inbound ports to exclude.
  • consul.hashicorp.com/transparent-proxy-exclude-outbound-ports - Comma-separated list of outbound ports to exclude.
  • consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs - Comma-separated list of IPs or CIDRs to exclude.
  • consul.hashicorp.com/transparent-proxy-exclude-uids - Comma-separated list of Linux user IDs to exclude.

• Connect: Add the ability to set default tproxy mode at namespace level via label. [GH-501]

  • Setting the annotation consul.hashicorp.com/transparent-proxy to true/false will define whether tproxy is enabled/disabled for the pod.
  • Setting the label consul.hashicorp.com/transparent-proxy to true/false on a namespace will define the default behavior for pods in that namespace, which do not also have the annotation set.
  • The default tproxy behavior will be defined by the value of -enable-transparent-proxy flag to the consul-k8s inject-connect command. It can be overridden in a namespace by the the label on the namespace or for a pod using the annotation on the pod.

• Connect: support upgrades for services deployed before endpoints controller to
  upgrade to a version of consul-k8s with endpoints controller. [GH-509]

• Connect: A new command consul-k8s connect-init has been added.
  It replaces the existing init-container logic for ACL login and Envoy bootstrapping and introduces a polling wait for service registration,
  see Endpoints Controller for more information.
  [GH-446], [GH-452], [GH-459]

• Connect: A new controller Endpoints Controller has been added which is responsible for managing service endpoints and service registration.
  When a Kubernetes service references a deployed connect-injected pod, the endpoints controller will be responsible for managing the lifecycle of the connect-injected deployment. [GH-455], [GH-467], [GH-470], [GH-475]

  • This includes:
    • service registration and deregistration, formerly managed by the consul-connect-inject-init.
    • monitoring health checks, formerly managed by healthchecks-controller.
    • re-registering services in the events of consul agent failures, formerly managed by consul-sidecar.
  • The endpoints controller replaces the health checks controller while preserving existing functionality. [GH-472]
  • The endpoints controller replaces the cleanup controller while preserving existing functionality.
    [GH-476], [GH-454]
  • Merged metrics configuration support is now partially managed by the endpoints controller.
    [GH-469]

IMPROVEMENTS:

• Connect: skip service registration when a service with the same name but in a different Kubernetes namespace is found
  and Consul namespaces are not enabled. [GH-527]
• Connect: Leader election support for connect-inject deployment. [GH-479]
• Connect: the consul-connect-inject-init container has been split into two init containers. [GH-441]
  Connect: Connect webhook no longer generates its own certificates and relies on them being provided as files on the disk.
  [GH-454]]
• CRDs: Update ServiceDefaults with Mode, TransparentProxy, DialedDirectly and UpstreamConfigs fields. Note: Mode and TransparentProxy should not be set
  using this CRD but via annotations. [GH-502], [GH-485], [GH-533]
• CRDs: Update ProxyDefaults with Mode, DialedDirectly and TransparentProxy fields. Note: Mode and TransparentProxy should not be set
  using the CRD but via annotations. [GH-505], [GH-485], [GH-533]
• CRDs: update the CRD versions from v1beta1 to v1. [GH-464]
• Delete secrets created by webhook-cert-manager when the deployment is deleted. [GH-530]

BUG FIXES:

• CRDs: Update the type of connectTimeout and TTL in ServiceResolver and ServiceRouter from time.Duration to metav1.Duration.
  This allows a user to set these values as a duration string on the resource. Existing resources that had set a specific integer
  duration will continue to function with a duration with 'n' nanoseconds, 'n' being the set value.
• CRDs: Fix a bug where the config field in ProxyDefaults CR failed syncing to Consul because apiextensions.k8s.io/v1 requires CRD spec to have structured schema. [GH-495]
• CRDs: make lastSyncedTime a pointer to prevent setting last synced time Reconcile errors. [GH-466]

BREAKING CHANGES:

• Connect: Add a security context to the init copy container and the envoy sidecar and ensure they
  do not run as root. If a pod container shares the same runAsUser (5995) as Envoy an error is returned.
  [GH-493]

• Connect: Kubernetes Services are required for all Consul Service Mesh applications.
  The Kubernetes service name will be used as the service name to register with Consul
  unless the annotation consul.hashicorp.com/connect-service is provided to the deployment/pod to override this.
  If using ACLs, the ServiceAccountName must match the service name used with Consul.

  Note: if you're already using a Kubernetes service, no changes required.

  Example Service:

  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: sample-app
  spec:
    selector:
      app: sample-app
    ports:
      - port: 80
        targetPort: 9090
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    labels:
      app: sample-app
    name: sample-app
  spec:
    replicas: 1
    selector:
       matchLabels:
         app: sample-app
    template:
      metadata:
        annotations:
          'consul.hashicorp.com/connect-inject': 'true'
        labels:
          app: sample-app
      spec:
        containers:
        - name: sample-app
          image: sample-app:0.1.0
          ports:
          - containerPort: 9090

• Connect: consul.hashicorp.com/connect-sync-period annotation is no longer supported.
  This annotation used to configure the sync period of the consul-sidecar (aka lifecycle-sidecar).
  Since we no longer inject the consul-sidecar to keep services registered in Consul, this annotation has
  been removed. [GH-467]

• Connect: transparent proxy feature enabled by default. This may break existing deployments.
  Please see details of the feature.

v0.26.0-beta3

0.26.0-beta3 (May 27, 2021)

IMPROVEMENTS:

• Connect: Overwrite Kubernetes HTTP readiness and/or liveness probes to point to Envoy proxy when
  transparent proxy is enabled. [GH-517]
• Connect: Don't set security context for the Envoy proxy when on OpenShift and transparent proxy is disabled.
  [GH-521]
• Connect: consul-connect-inject-init run with privileged: true when transparent proxy is enabled.
  [GH-524]

BUG FIXES:

• Connect: Process every Address in an Endpoints object before returning an error. This ensures an address that isn't reconciled successfully doesn't prevent the remaining addresses from getting reconciled. [GH-519]

v0.26.0-beta2

0.26.0-beta2 (May 06, 2021)

BREAKING CHANGES:

• Connect: Add a security context to the init copy container and the envoy sidecar and ensure they
  do not run as root. If a pod container shares the same runAsUser (5995) as Envoy an error is returned
  on scheduling. [GH-493]

IMPROVEMENTS:

• CRDs: Update ServiceDefaults with Mode, TransparentProxy and UpstreamConfigs fields. Note: Mode and TransparentProxy should not be set
  using this CRD but via annotations. [GH-502], [GH-485]

• CRDs: Update ProxyDefaults with Mode and TransparentProxy fields. Note: Mode and TransparentProxy should not be set
  using the CRD but via annotations. [GH-505], [GH-485]

• CRDs: Add CRD for MeshConfigEntry. Supported in Consul 1.10+ [GH-513]

• Connect: No longer set multiple tagged addresses in Consul when k8s service has multiple ports and Transparent Proxy is enabled.
  [GH-511]

• Connect: Allow exclusion of inbound ports, outbound ports and CIDRs, and additional user IDs when
  Transparent Proxy is enabled. [GH-506]

  The following annotations are supported:

  • consul.hashicorp.com/transparent-proxy-exclude-inbound-ports - Comma-separated list of inbound ports to exclude.
  • consul.hashicorp.com/transparent-proxy-exclude-outbound-ports - Comma-separated list of outbound ports to exclude.
  • consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs - Comma-separated list of IPs or CIDRs to exclude.
  • consul.hashicorp.com/transparent-proxy-exclude-uids - Comma-separated list of Linux user IDs to exclude.

• Connect: Add the ability to set default tproxy mode at namespace level via label. [GH-501]

  • Setting the annotation consul.hashicorp.com/transparent-proxy to true/false will define whether tproxy is enabled/disabled for the pod.
  • Setting the label consul.hashicorp.com/transparent-proxy to true/false on a namespace will define the default behavior for pods in that namespace, which do not also have the annotation set.
  • The default tproxy behavior will be defined by the value of -enable-transparent-proxy flag to the consul-k8s inject-connect command. It can be overridden in a namespace by the the label on the namespace or for a pod using the annotation on the pod.

BUG FIXES:

• Connect: Use runAsNonRoot: false for connect-init's container when tproxy is enabled. [GH-493]
• CRDs: Fix a bug where the config field in ProxyDefaults CR was not synced to Consul because
  apiextensions.k8s.io/v1 requires CRD spec to have structured schema. [GH-495]
• Connect: Fix a bug where health status in Consul is updated incorrectly due to stale pod information in cache.
  [GH-503]

v0.26.0-beta1

0.26.0-beta1 (April 16, 2021)

BREAKING CHANGES:

• Connect: Kubernetes Services are now required for all Consul Service Mesh applications.
  The Kubernetes service name will be used as the service name to register with Consul
  unless the annotation consul.hashicorp.com/connect-service is provided to the deployment/pod to override this.
  If using ACLs, the ServiceAccountName must match the service name used with Consul.

  Note: if you're already using a Kubernetes service, no changes are required.

  Example Service:

  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: sample-app
  spec:
    selector:
      app: sample-app
    ports:
      - port: 80
        targetPort: 9090
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    labels:
      app: sample-app
    name: sample-app
  spec:
    replicas: 1
    selector:
       matchLabels:
         app: sample-app
    template:
      metadata:
        annotations:
          'consul.hashicorp.com/connect-inject': 'true'
        labels:
          app: sample-app
      spec:
        containers:
        - name: sample-app
          image: sample-app:0.1.0
          ports:
          - containerPort: 9090

• Connect: consul.hashicorp.com/connect-sync-period annotation is no longer supported.
  This annotation was used to configure the sync period of the consul-sidecar (aka lifecycle-sidecar).
  Since we no longer inject the consul-sidecar to keep services registered in Consul, this annotation is
  now meaningless. [GH-467]

• Connect: transparent proxy feature is enabled by default. This may break existing deployments.
  Please see details of the feature below.

FEATURES:

• Connect: Support Transparent Proxy. [GH-481]
  This feature enables users to use KubeDNS to reach other services within the Consul Service Mesh,
  as well as enforces the inbound and outbound traffic to go through the Envoy proxy.
  Using transparent proxy for your service mesh applications means:

  • Proxy service registrations will set mode to transparent in the proxy configuration
    so that Consul can configure the Envoy proxy to have an inbound and outbound listener.
  • Both proxy and service registrations will include the cluster IP and service port of the Kubernetes service
    as tagged addresses so that Consul can configure Envoy to route traffic based on that IP and port.
  • The consul-connect-inject-init container will run consul connect redirect-traffic command,
    which will apply rules (via iptables) to redirect inbound and outbound traffic to the proxy.
    To run this command the consul-connect-inject-init requires running as root with capability NET_ADMIN.

  Note: this feature is currently in beta.

  This feature includes the following changes:

  • Add new -enable-transparent-proxy flag to the inject-connect command.
    When true, transparent proxy will be used for all services on the Consul Service Mesh
    within a Kubernetes cluster. This flag defaults to true.
  • Add new consul.hashicorp.com/transparent-proxy pod annotation to allow enabling and disabling transparent
    proxy for individual services.

IMPROVEMENTS:

• CRDs: update the CRD versions from v1beta1 to v1. [GH-464]
• Connect: the consul-connect-inject-init container has been split into two init containers. [GH-441]
• Connect: A new internal command consul-k8s connect-init has been added.
  It replaces the existing init container logic for ACL login and Envoy bootstrapping and introduces a polling wait for service registration,
  see Endpoints Controller for more information.
  [GH-446], [GH-452], [GH-459]
• Connect: A new controller Endpoints Controller has been added which is responsible for managing service endpoints and service registration.
  When a Kubernetes service referencing a connect-injected pod is deployed, the endpoints controller will be responsible for managing the lifecycle of the connect-injected deployment. [GH-455], [GH-467], [GH-470], [GH-475]

  • This includes:

    • service registration and deregistration, formerly managed by the consul-connect-inject-init.
    • monitoring health checks, formerly managed by healthchecks-controller.
    • re-registering services in the events of consul agent failures, formerly managed by consul-sidecar.

  • The endpoints controller replaces the health checks controller while preserving existing functionality. [GH-472]

  • The endpoints controller replaces the cleanup controller while preserving existing functionality.
    [GH-476], [GH-454]

  • Merged metrics configuration support is now partially managed by the endpoints controller.
    [GH-469]

• Connect: Leader election support for connect webhook and controller deployment. [GH-479]
• Connect: Connect webhook no longer generates its own certificates and relies on them being provided as files on the disk.
  [GH-454]]
• Connect: Connect pods and their Envoy sidecars no longer have a preStop hook as service deregistration is managed by the endpoints controller.
  [GH-467]

BUG FIXES:

• CRDs: make lastSyncedTime a pointer to prevent setting last synced time Reconcile errors. [GH-466]

v0.25.0

0.25.0 (March 18, 2021)

FEATURES:

• Metrics: add metrics configuration to inject-connect and metrics-merging capability to consul-sidecar. When metrics and metrics merging are enabled, the consul-sidecar will expose an endpoint that merges the app and proxy metrics.

  The flags -merged-metrics-port, -service-metrics-port and -service-metrics-path can be used to configure the merged metrics server, and the application service metrics endpoint on the consul sidecar.

  The flags -default-enable-metrics, -default-enable-metrics-merging, -default-merged-metrics-port, -default-prometheus-scrape-port and -default-prometheus-scrape-path configure the inject-connect command.

IMPROVEMENTS:

• CRDs: add field Last Synced Time to CRD status and add printer column on CRD to display time since when the
  resource was last successfully synced with Consul. [GH-448]

BUG FIXES:

• CRDs: fix incorrect validation for ServiceResolver. [GH-456]

v0.24.0

0.24.0 (February 16, 2021)

BREAKING CHANGES

• Connect: the lifecycle-sidecar command has been renamed to consul-sidecar. [GH-428]

• Connect: the consul-connect-lifecycle-sidecar container name has been changed to consul-sidecar and the consul-connect-envoy-sidecar container name has been changed to envoy-sidecar.
  [GH-428]

• Connect: the -default-protocol and -enable-central-config flags are no longer supported.
  The consul.hashicorp.com/connect-service-protocol annotation on Connect pods is also
  no longer supported. [GH-418]

  Current deployments that have the annotation should remove it, otherwise they
  will get an error if a pod from that deployment is rescheduled.

  Removing the annotation will not change their protocol
  since the config entry was already written to Consul. If you wish to change
  the protocol you must migrate the config entry to be managed by a
  ServiceDefaults resource.
  See Upgrade to CRDs for more
  information.

  To set the protocol for new services, you must use the
  ServiceDefaults resource,
  e.g.

  apiVersion: consul.hashicorp.com/v1alpha1
  kind: ServiceDefaults
  metadata:
    name: my-service-name
  spec:
    protocol: "http"

• Connect: pods using an upstream that references a datacenter, e.g.
  consul.hashicorp.com/connect-service-upstreams: service:8080:dc2 will
  error during injection if Consul does not have a proxy-defaults config entry
  with a mesh gateway mode
  set to local or remote. [GH-421]

  In practice, this would have already been causing issues since without that
  config setting, traffic wouldn't have been routed through mesh gateways and
  so would not be actually making it to the other service.

FEATURES:

• CRDs: support annotation consul.hashicorp.com/migrate-entry on custom resources
  that will allow an existing config entry to be migrated onto a Kubernetes custom resource. [GH-419]
• Connect: add new cleanup controller that runs in the connect-inject deployment. This
  controller cleans up Consul service instances that remain registered despite their
  pods being deleted. This could happen if the pod's preStop hook failed to execute
  for some reason. [GH-433]

IMPROVEMENTS:

• CRDs: give a more descriptive error when a config entry already exists in Consul. [GH-420]
• Set User-Agent: consul-k8s/<version> header on calls to Consul where <version> is the current
  version of consul-k8s. [GH-434]

v0.23.0

0.23.0 (January 22, 2021)

BUG FIXES:

• CRDs: Fix issue where a ServiceIntentions resource could be continually resynced with Consul
  because Consul's internal representation had a different order for an array than the Kubernetes resource. [GH-416]
• CRDs: (Consul Enterprise only) default the namespace fields on resources where Consul performs namespace defaulting to prevent constant re-syncing.
  [GH-413]

IMPROVEMENTS:

• ACLs: give better error if policy that consul-k8s tries to update was created manually by user. [GH-412]

FEATURES:

• TLS: add tls-init command that is responsible for creating and updating Server TLS certificates. [GH-410]

v0.22.0

0.22.0 (December 21, 2020)

BUG FIXES:

• Connect: on termination of a connect injected pod the lifecycle-sidecar sometimes re-registered the application resulting in
  stale service entries for applications which no longer existed. [GH-409]

BREAKING CHANGES:

• Connect: the flags -envoy-image and -consul-image for command inject-connect are now required. [GH-405]

FEATURES:

• CRDs: add new CRD IngressGateway for configuring Consul's ingress-gateway config entry. [GH-407]
• CRDs: add new CRD TerminatingGateway for configuring Consul's terminating-gateway config entry. [GH-408]