Releases: hashicorp/consul-k8s

v0.49.3

30 Jan 15:17
5bf1d1f

0.49.3 (January 30, 2023)

IMPROVEMENTS:

  • Helm:
    • Add a global.extraLabels stanza to allow setting global Kubernetes labels for all components deployed by the consul-k8s Helm chart. [GH-1778]
  • Control-Plane
    • Add support for the annotation consul.hashicorp.com/use-proxy-health-check. When this annotation is used by a service, it configures a readiness endpoint on Consul Dataplane and queries it instead of the proxy's inbound port which forwards requests to the application. [GH-1824], [GH-1843]
    • Add health check for synced services based on the status of the Kubernetes readiness probe on the synced pod. [GH-1821]

BUG FIXES:

  • Control Plane
    • Don't incorrectly diff intention config entries when upgrading from Consul pre-1.12 to 1.12+ [GH-1804]

v1.0.2

01 Dec 19:58
e1efd26

1.0.2 (December 1, 2022)

IMPROVEMENTS:

  • Helm:
    • CNI: Add connectInject.cni.namespace stanza which allows the CNI plugin resources to be deployed in a namespace other than the one in which Consul is installed. [GH-1756]

BUG FIXES:

  • Helm:
    • Use the correct autogenerated cert for the API Gateway Controller when connecting to servers versus clients. [GH-1753]
    • Don't mount the CA cert when externalServers.useSystemRoots is true. [GH-1753]

v0.49.2

01 Dec 18:12
b2b16bf

0.49.2 (December 1, 2022)

IMPROVEMENTS:

  • Control Plane
    • Bump Dockerfile base image for RedHat UBI consul-k8s-control-plane image to ubi-minimal:9.1. [GH-1725]
  • Helm
    • Add fields localConnectTimeoutMs and localRequestTimeoutMs to the ServiceDefaults CRD. [GH-1647]

BUG FIXES:

  • Helm:
    • Disable PodSecurityPolicies templating for gossip-encryption-autogenerate and partition-init when global.enablePodSecurityPolicies is false. [GH-1693]

v1.0.1

22 Nov 00:27
e230ba8

1.0.1 (November 21, 2022)

BUG FIXES:

  • Control Plane
    • Add discover binary to control-plane image [GH-1749]
  • Helm:
    • Don't pass in a CA file to the API Gateway controller when externalServers.useSystemRoots is true. [GH-1743]

v1.0.0

17 Nov 21:24
2d46739

1.0.0 (November 17, 2022)

BREAKING CHANGES:

  • Admin Partitions (Consul Enterprise only): Remove the partition service. When configuring Admin Partitions, the expose-servers service should be used instead.
  • Consul Dataplane:
    • Consul client agents are no longer deployed by default, and Consul service mesh no longer uses Consul clients to operate. This change affects several main areas listed below. [GH-1552]
    • A new component consul-dataplane is now injected as a sidecar-proxy instead of plain Envoy. consul-dataplane manages the Envoy proxy process and proxies xDS requests from Envoy to Consul servers.
    • All services on the service mesh are now registered directly with the central catalog in Consul servers.
    • All service-mesh consul-k8s components are configured to talk directly to Consul servers.
    • Mesh, ingress, and terminating gateways are now registered centrally by the endpoints controller, similar to how service-mesh services are registered.
  • CLI:
    • Change default behavior of consul-k8s install to perform the installation when no answer is provided to the prompt. [GH-1673]
  • Helm:
    • Kubernetes-1.25 is now supported with the caveat that global.enablePodSecurityPolicies is not supported since PodSecurityPolicies have been removed in favor of PodSecurityStandards in Kubernetes-1.25. Full support for PodSecurityStandards will be added in a follow-on commit. [GH-1726]

    • Support simplified default deployment values to allow for easier quick starts and testing:

      • Set connectInject.replicas to 1 [GH-1702]
      • Set meshGateway.affinity to null and meshGateway.replicas to 1 [GH-1702]
      • Set ingressGateways.defaults.affinity to null and ingressGateways.defaults.replicas to 1 [GH-1702]
      • Set terminatingGateways.defaults.affinity to null and terminatingGateways.defaults.replicas to 1 [GH-1702]
      • Set server.replicas to 1. Formerly, this defaulted to 3. [GH-1551]
    • client.enabled now defaults to false. Setting it to true deploys client agents; however, none of the consul-k8s components will use clients for their operation.

    • global.imageEnvoy is no longer used for sidecar proxies, as well as mesh, terminating, and ingress gateways.

    • externalServers.grpcPort default is now 8502 instead of 8503.

    • externalServers.hosts no longer supports cloud auto-join strings directly. Instead, include an exec= string in the externalServers.hosts list to invoke the discover CLI. For example, the following string invokes the discover CLI with a cloud auto-join string: exec=discover -q addrs provider=aws region=us-west-2 tag_key=consul-server tag_value=true. The discover CLI is included in the official hashicorp/consul-dataplane images by default.

    • meshGateway.service.enabled value is removed. Mesh gateways now will always have a Kubernetes service as this is required to register them as a service with Consul.

    • meshGateway.initCopyConsulContainer, ingressGateways.initCopyConsulContainer, terminatingGateways.initCopyConsulContainer values are removed.

    • connectInject.enabled now defaults to true. [GH-1551]

    • syncCatalog.consulNamespaces.mirroringK8S now defaults to true. [GH-1601]

    • connectInject.consulNamespaces.mirroringK8S now defaults to true. [GH-1601]

    • Remove controller section from the values file as the controller has now been merged into the connect-inject deployment. [GH-1697]

    • Remove global.consulSidecarContainer from values file as there is no longer a consul sidecar. [GH-1635]

    • Consul snapshot-agent now runs as a sidecar with Consul servers. [GH-1620]

      This results in the following changes to Helm values:

      • Move client.snapshotAgent values to server.snapshotAgent, with the exception of the following values:
        • client.snapshotAgent.replicas
        • client.snapshotAgent.serviceAccount
      • Remove global.secretsBackend.vault.consulSnapshotAgentRole value. You should now use the global.secretsBackend.vault.consulServerRole for access to any Vault secrets.
    • Change dns.enabled and dns.enableRedirection to default to the value of connectInject.transparentProxy.defaultEnabled. Previously, dns.enabled defaulted to the value of global.enabled and dns.enableRedirection defaulted to false. [GH-1688]

    • Remove global.imageEnvoy and replace with global.imageConsulDataplane for running the sidecar proxy.

    • Add apiGateway.imageEnvoy for configuring the version of Envoy that the API Gateway uses. [GH-1698]

  • Peering:
    • Rename PeerName to Peer in ExportedServices CRD. [GH-1596]
    • Remove support for customizing the server addresses in peering token generation. Instead, mesh gateways should be used to establish peering connections if the server pods are not directly reachable. [GH-1610]
    • Require global.tls.enabled when peering is enabled. [GH-1610]
    • Require meshGateway.enabled when peering is enabled. [GH-1683]
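
An upgrade audit for the Helm breaking changes listed above, as an added example that is not part of the release notes or the consul-k8s project: it walks a parsed values.yaml (shown here as a constructed dict) and reports keys that 1.0.0 removed, bare cloud auto-join strings in externalServers.hosts, and peering enabled without TLS or mesh gateways. The helper names and the global.peering.enabled key used to detect peering are assumptions.

```python
# Added example (not consul-k8s code): audit parsed Helm values for 1.0.0 breaks.
REMOVED = {  # dotted key -> replacement named in the release notes
    "controller": "merged into the connect-inject deployment",
    "global.consulSidecarContainer": "no consul sidecar any more",
    "global.imageEnvoy": "use global.imageConsulDataplane",
    "meshGateway.service.enabled": "mesh gateways always get a Service",
    "meshGateway.initCopyConsulContainer": "removed",
    "ingressGateways.initCopyConsulContainer": "removed",
    "terminatingGateways.initCopyConsulContainer": "removed",
    "client.snapshotAgent": "move to server.snapshotAgent",
    "global.secretsBackend.vault.consulSnapshotAgentRole": "use consulServerRole",
}
_MISSING = object()

def lookup(values, path):
    """Walk a dotted key path through nested dicts; _MISSING if absent."""
    node = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node

def audit(values):
    """Return sorted (key, message) findings for a parsed values.yaml dict."""
    out = [(k, note) for k, note in REMOVED.items()
           if lookup(values, k) is not _MISSING]
    hosts = lookup(values, "externalServers.hosts")
    for host in hosts if isinstance(hosts, list) else []:
        if "provider=" in str(host) and not str(host).startswith("exec="):
            out.append(("externalServers.hosts", "wrap in exec=discover -q addrs"))
    if lookup(values, "global.peering.enabled") is True:  # assumed key name
        for k in ("global.tls.enabled", "meshGateway.enabled"):
            if lookup(values, k) is not True:
                out.append((k, "required when peering is enabled"))
    return sorted(out)

# Constructed pre-1.0 values, as yaml.safe_load would return them.
SAMPLE = {
    "global": {"imageEnvoy": "envoy:example", "peering": {"enabled": True},
               "tls": {"enabled": False}},
    "client": {"snapshotAgent": {"enabled": True}},
    "externalServers": {"hosts": [
        "provider=aws region=us-west-2 tag_key=consul-server tag_value=true"]},
    "meshGateway": {"enabled": True},
}

if __name__ == "__main__":
    print("\n".join(f"{k}: {m}" for k, m in audit(SAMPLE)))
```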

FEATURES:

  • CLI:
    • Add the ability to install HCP self-managed clusters. [GH-1540]
    • Add the ability to install the HashiCups demo application via the -demo flag. [GH-1540]
  • Consul Dataplane:
    • Support merged metrics with consul-dataplane. [GH-1635]
    • Support transparent proxying when using consul-dataplane. [GH-1625], [GH-1632]
    • Enable sync-catalog to only talk to Consul servers. [GH-1659]
  • Ingress Gateway
    • Add support for MaxConnections, MaxConcurrentRequests, and MaxPendingRequests to Ingress Gateway CRD. [GH-1691]
  • Peering:
    • Support peering over mesh gateways.
      • Add support for PeerThroughMeshGateways in Mesh CRD. [GH-1478]

IMPROVEMENTS:

  • CLI
    • consul-k8s status command will only show status of servers if they are expected to be present in the Kubernetes cluster. [GH-1603]
    • Update demo charts and CLI command to not presume tproxy when using HCP preset. Also, use the most recent version of hashicups. [GH-1657]
    • Update minimum go version for project to 1.19 [GH-1633]
    • Enable consul-k8s uninstall to delete custom resources when uninstalling Consul. This is done by default. [GH-1623]
  • Control Plane
    • Update minimum go version for project to 1.19 [GH-1633]
    • Remove unneeded agent:read ACL permissions from mesh gateway policy. [GH-1255]
    • Support updating health checks on consul clients during an upgrade to agentless. [GH-1690]
    • Remove unused curl from docker images [GH-1624]
    • Bump Dockerfile base image for RedHat UBI consul-k8s-control-plane image to ubi-minimal:9.1. [GH-1725]
  • Helm:
    • Remove deprecated annotation service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" in the server-service template. [GH-1619]
    • Support minAvailable on connect injector PodDisruptionBudget. [GH-1557]
    • Add tolerations and nodeSelector to Server ACL init jobs and nodeSelector to Webhook cert manager. [GH-1581]
    • API Gateway: Add tolerations to apiGateway.managedGatewayClass and apiGateway.controller [GH-1650]
    • API Gateway: Create PodSecurityPolicy for controller when global.enablePodSecurityPolicies=true. [GH-1656]
    • API Gateway: Create PodSecurityPolicy and allow controller to bind it to ServiceAccounts that it creates for Gateway Deployments when global.enablePodSecurityPolicies=true. [GH-1672]
    • Deploy expose-servers service only when Admin Partitions(ENT) is enabled. [GH-1683]
    • ...

v0.49.1

15 Nov 22:57
7b6bbc2

0.49.1 (November 14, 2022)

BREAKING CHANGES:

  • Peering:
    • Rename PeerName to Peer in ExportedServices CRD. [GH-1596]

FEATURES:

  • Ingress Gateway
    • Add support for MaxConnections, MaxConcurrentRequests, and MaxPendingRequests to Ingress Gateway CRD. [GH-1691]

IMPROVEMENTS:

  • Helm:
    • Add tolerations and nodeSelector to Server ACL init jobs and nodeSelector to Webhook cert manager. [GH-1581]
    • API Gateway: Allow controller to read MeshServices for use as a route backend. [GH-1574]
    • API Gateway: Add tolerations to apiGateway.managedGatewayClass and apiGateway.controller [GH-1650]
    • API Gateway: Create PodSecurityPolicy for controller when global.enablePodSecurityPolicies=true. [GH-1656]
    • API Gateway: Create PodSecurityPolicy and allow controller to bind it to ServiceAccounts that it creates for Gateway Deployments when global.enablePodSecurityPolicies=true. [GH-1672]

v1.0.0-beta5

31 Oct 21:02
Pre-release
updating versions for release

v1.0.0-beta4

28 Oct 17:29
077f139
Pre-release

IMPROVEMENTS:

  • CLI:
    • Update demo charts and CLI command to not presume tproxy when using HCP preset. Also, use the most recent version of hashicups. [GH-1657]

v1.0.0-beta3

12 Oct 22:32
Pre-release

1.0.0-beta3 (October 12, 2022)

FEATURES:

  • Peering: Add support for PeerThroughMeshGateways in Mesh CRD. [GH-1478]

BREAKING CHANGES:

  • Helm:
    • syncCatalog.consulNamespaces.mirroringK8S now defaults to true. [GH-1601]
    • connectInject.consulNamespaces.mirroringK8S now defaults to true. [GH-1601]

IMPROVEMENTS:

  • Helm:
    • API Gateway: Allow controller to read MeshServices for use as a route backend. [GH-1574]
  • CLI:
    • consul-k8s status command will only show status of servers if they are expected to be present in the Kubernetes cluster. [GH-1603]

v1.0.0-beta2

07 Oct 01:14
Pre-release

1.0.0-beta2 (October 6, 2022)

BREAKING CHANGES:

  • Helm
    • server.replicas now defaults to 1. Formerly, this defaulted to 3. [GH-1551]
    • connectInject.enabled now defaults to true. [GH-1551]
    • controller.enabled now defaults to true. [GH-1551]

BUG FIXES:

  • CLI
    • Pass required environment variables to the CLI for cluster bootstrapping. [GH-1593]
    • Configure -tls-server-name when global.cloud.enabled=true so that it matches the server certificate created via HCP [GH-1591]
    • Do not query clients in the status command since clients no longer exist. [GH-1573]