First-class support for Consul Service Mesh on Kubernetes
SECURITY:

* `google.golang.org/protobuf` updated to v1.33.0 to address CVE-2024-24786. [GH-3719]
* `alpine` updated to 3.19. This resolves CVE-2023-52425 and CVE-2023-52426. [GH-3741]
* `helm/v3` updated to 3.11.3. This resolves the following security vulnerabilities: CVE-2023-25165, CVE-2022-23524, CVE-2022-23526, CVE-2022-23525. [GH-3625]
* Go updated to 1.21.8. This resolves CVE-2024-24783 (`crypto/x509`), CVE-2023-45290 (`net/http`), CVE-2023-45289 (`net/http`, `net/http/cookiejar`), CVE-2024-24785 (`html/template`) and CVE-2024-24784 (`net/mail`). [GH-3741]

IMPROVEMENTS:

* `consul-k8s-control-plane` and `consul-k8s-control-plane-fips` images are now published to the official HashiCorp AWS ECR. [GH-3668]

BUG FIXES:

NOTES:
SECURITY:

* `google.golang.org/protobuf` updated to v1.33.0 to address CVE-2024-24786. [GH-3719]
* `alpine` updated to 3.19. This resolves CVE-2023-52425 and CVE-2023-52426. [GH-3741]
* Go updated to 1.21.8. This resolves CVE-2024-24783 (`crypto/x509`), CVE-2023-45290 (`net/http`), CVE-2023-45289 (`net/http`, `net/http/cookiejar`), CVE-2024-24785 (`html/template`) and CVE-2024-24784 (`net/mail`). [GH-3741]

IMPROVEMENTS:

BUG FIXES:
NOTE: Consul K8s 1.4.x is compatible with Consul 1.18.x and Consul Dataplane 1.4.x. Refer to our compatibility matrix for more info.

BREAKING CHANGES:

* server: set `autopilot.min_quorum` to the correct quorum value to ensure autopilot doesn't prune servers needed for quorum. Also set `autopilot.disable_upgrade_migration` to `true`, as that setting is meant for blue/green deploys, not rolling deploys.
  This setting makes sense for most use cases; however, if you had a specific reason to use the old settings, you can use the following config to keep them:

      server:
        extraConfig: |
          {"autopilot": {"min_quorum": 0, "disable_upgrade_migration": false}}

  [GH-3000]
* server: set `leave_on_terminate` to `true` and set the server pod disruption budget `maxUnavailable` to `1`.
  This change makes server rollouts faster and more reliable. However, there is now a potential for reduced reliability if users accidentally scale the statefulset down. Servers will now leave the raft pool when they are stopped gracefully, which reduces the fault tolerance. For example, with 5 servers you can tolerate the loss of 2 servers' data, as raft guarantees data is replicated to a majority of nodes (3). However, if you accidentally scale the statefulset down to 3, the raft quorum becomes 2, and if you then lose 2 servers you may lose data. Before this change, the quorum would have remained at 3.
  During a regular rollout, the number of servers is reduced by 1 at a time, which doesn't affect quorum when running an odd number of servers, e.g. quorum for 5 servers is 3, and quorum for 4 servers is also 3. That's why the pod disruption budget is now set to 1.
  If a server is stopped ungracefully, e.g. due to a node loss, it will not leave the raft pool, so fault tolerance won't be affected.
  For the vast majority of users this change will be beneficial; however, if you wish to remain with the old settings you can set:

      server:
        extraConfig: |
          {"leave_on_terminate": false}
        disruptionBudget:
          maxUnavailable: <previous setting>

  [GH-3000]
SECURITY:

* `helm/v3` updated to 3.11.3. This resolves the following security vulnerabilities: CVE-2023-25165, CVE-2022-23524, CVE-2022-23526, CVE-2022-23525. [GH-3625]

IMPROVEMENTS:

* `consul-k8s-control-plane` and `consul-k8s-control-plane-fips` images are now published to the official HashiCorp AWS ECR. [GH-3668]
* New `CaseInsensitive` flag for service-routers allows paths and path prefixes to ignore URL upper and lower casing. [GH-3502]

BUG FIXES:

NOTES:
IMPROVEMENTS:

* `/bin/sh -ec "<command>"` changed to `/bin/sh -ec "exec <command>"` in helm deployments. [GH-3548]

BUG FIXES:
FEATURES:

* helm: introduces `global.metrics.datadog` overrides to streamline consul-k8s datadog integration.
* helm: introduces `server.enableAgentDebug` to expose agent `enable_debug` configuration.
* helm: introduces `global.metrics.disableAgentHostName` to expose agent `telemetry.disable_hostname` configuration.
* helm: introduces `global.metrics.enableHostMetrics` to expose agent `telemetry.enable_host_metrics` configuration.
* helm: introduces `global.metrics.prefixFilter` to expose agent `telemetry.prefix_filter` configuration.
* helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdAddr` to expose agent `telemetry.dogstatsd_addr` configuration.
* helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdTags` to expose agent `telemetry.dogstatsd_tags` configuration.
* helm: introduces required `ad.datadoghq.com/` annotations and `tags.datadoghq.com/` labels for integration with Datadog Autodiscovery and Datadog Unified Service Tagging for Consul.
* helm: introduces automated unix domain socket hostPath mounting for containerized integration with datadog within the consul-server statefulset.
* helm: introduces `global.metrics.datadog.otlp` override options to allow OTLP metrics forwarding to the Datadog Agent.
* control-plane: adds `server-acl-init` datadog agent token creation for datadog integration. [GH-3407]

IMPROVEMENTS:

* `connectInject.initContainer.resources` is now applied to the init container for API gateway Pods. [GH-3531]
* `/bin/sh -ec "<command>"` changed to `/bin/sh -ec "exec <command>"` in helm deployments. [GH-3548]

BUG FIXES:
FEATURES:

* helm: introduces `global.metrics.datadog` overrides to streamline consul-k8s datadog integration.
* helm: introduces `server.enableAgentDebug` to expose agent `enable_debug` configuration.
* helm: introduces `global.metrics.disableAgentHostName` to expose agent `telemetry.disable_hostname` configuration.
* helm: introduces `global.metrics.enableHostMetrics` to expose agent `telemetry.enable_host_metrics` configuration.
* helm: introduces `global.metrics.prefixFilter` to expose agent `telemetry.prefix_filter` configuration.
* helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdAddr` to expose agent `telemetry.dogstatsd_addr` configuration.
* helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdTags` to expose agent `telemetry.dogstatsd_tags` configuration.
* helm: introduces required `ad.datadoghq.com/` annotations and `tags.datadoghq.com/` labels for integration with Datadog Autodiscovery and Datadog Unified Service Tagging for Consul.
* helm: introduces automated unix domain socket hostPath mounting for containerized integration with datadog within the consul-server statefulset.
* helm: introduces `global.metrics.datadog.otlp` override options to allow OTLP metrics forwarding to the Datadog Agent.
* control-plane: adds `server-acl-init` datadog agent token creation for datadog integration. [GH-3407]

IMPROVEMENTS:

* `connectInject.initContainer.resources` is now applied to the init container for API gateway Pods. [GH-3531]
* New `CaseInsensitive` flag for service-routers allows paths and path prefixes to ignore URL upper and lower casing. [GH-3502]
* `/bin/sh -ec "<command>"` changed to `/bin/sh -ec "exec <command>"` in helm deployments. [GH-3548]

BUG FIXES:
NOTE: Consul K8s 1.4.x is compatible with Consul 1.18.x and Consul Dataplane 1.4.x. Refer to our compatibility matrix for more info.

BREAKING CHANGES:

* server: set `autopilot.min_quorum` to the correct quorum value to ensure autopilot doesn't prune servers needed for quorum. Also set `autopilot.disable_upgrade_migration` to `true`, as that setting is meant for blue/green deploys, not rolling deploys.
  This setting makes sense for most use cases; however, if you had a specific reason to use the old settings, you can use the following config to keep them:

      server:
        extraConfig: |
          {"autopilot": {"min_quorum": 0, "disable_upgrade_migration": false}}

  [GH-3000]
* server: set `leave_on_terminate` to `true` and set the server pod disruption budget `maxUnavailable` to `1`.
  This change makes server rollouts faster and more reliable. However, there is now a potential for reduced reliability if users accidentally scale the statefulset down. Servers will now leave the raft pool when they are stopped gracefully, which reduces the fault tolerance. For example, with 5 servers you can tolerate the loss of 2 servers' data, as raft guarantees data is replicated to a majority of nodes (3). However, if you accidentally scale the statefulset down to 3, the raft quorum becomes 2, and if you then lose 2 servers you may lose data. Before this change, the quorum would have remained at 3.
  During a regular rollout, the number of servers is reduced by 1 at a time, which doesn't affect quorum when running an odd number of servers, e.g. quorum for 5 servers is 3, and quorum for 4 servers is also 3. That's why the pod disruption budget is now set to 1.
  If a server is stopped ungracefully, e.g. due to a node loss, it will not leave the raft pool, so fault tolerance won't be affected.
  For the vast majority of users this change will be beneficial; however, if you wish to remain with the old settings you can set:

      server:
        extraConfig: |
          {"leave_on_terminate": false}
        disruptionBudget:
          maxUnavailable: <previous setting>

  [GH-3000]
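The quorum arithmetic behind the `leave_on_terminate` / `maxUnavailable` note above (and the identical note in the earlier 1.4.x section) can be checked with a small model. The following is an added example, not consul-k8s or Consul code. It assumes a simplified raft: quorum is floor(n/2)+1 over the voting members, every server pod starts as a voter, and a committed write lives on at least `quorum` servers. It models only graceful stops (which leave raft when `leave_on_terminate` is true), ungraceful node loss (which does not change membership) and the number of pods a disruption budget lets stop at once; autopilot pruning is not modelled.

```python
"""Toy raft-membership model for the leave_on_terminate / PDB change.
Added example, not consul-k8s code. Assumptions are stated in the comments."""


def quorum(voters: int) -> int:
    """Raft majority for a pool with `voters` voting members (floor(n/2)+1)."""
    return voters // 2 + 1


def fault_tolerance(voters: int) -> int:
    """Servers that can disappear without leaving raft while a majority survives."""
    return voters - quorum(voters)


class RaftPool:
    """Server pods (running) versus raft voting members (voters)."""

    def __init__(self, servers: int, leave_on_terminate: bool) -> None:
        self.running = servers            # server pods currently up
        self.voters = servers             # raft voting members, up or not
        self.leave_on_terminate = leave_on_terminate

    def stop_gracefully(self, count: int = 1) -> None:
        """Pod deletion / scale-down: with leave_on_terminate the server also leaves raft."""
        for _ in range(count):
            self.running -= 1
            if self.leave_on_terminate:
                self.voters -= 1

    def lose_ungracefully(self, count: int = 1) -> None:
        """Node loss: the pod is gone but the server stays a raft member."""
        self.running -= count

    def has_quorum(self) -> bool:
        """A majority of the *voters* must be running to elect a leader / commit."""
        return self.running >= quorum(self.voters)

    def data_loss_possible(self, lost: int) -> bool:
        """True if losing `lost` running servers could wipe every copy of a committed write.
        Assumption: a committed write is held by exactly quorum(voters) servers."""
        return lost >= quorum(self.voters)


def scale_down_then_lose_two(leave_on_terminate: bool) -> dict:
    """The scenario from the note: 5 servers scaled down to 3, then 2 servers lost."""
    pool = RaftPool(5, leave_on_terminate)
    pool.stop_gracefully(2)               # accidental scale-down via graceful stops
    return {
        "voters": pool.voters,
        "quorum": quorum(pool.voters),
        "data_loss_possible": pool.data_loss_possible(2),
    }


def rollout_step(servers: int, max_unavailable: int) -> dict:
    """One rolling-update step: the PDB lets `max_unavailable` pods stop gracefully at once."""
    pool = RaftPool(servers, leave_on_terminate=True)
    pool.stop_gracefully(max_unavailable)
    return {
        "voters": pool.voters,
        "quorum": quorum(pool.voters),
        "has_quorum": pool.has_quorum(),
        "fault_tolerance": fault_tolerance(pool.voters),
    }


def node_loss(servers: int, lost: int) -> dict:
    """Ungraceful loss: membership is unchanged, so the quorum requirement is too."""
    pool = RaftPool(servers, leave_on_terminate=True)
    pool.lose_ungracefully(lost)
    return {"voters": pool.voters, "quorum": quorum(pool.voters), "has_quorum": pool.has_quorum()}


if __name__ == "__main__":
    print("scale 5->3, leave_on_terminate=true :", scale_down_then_lose_two(True))
    print("scale 5->3, leave_on_terminate=false:", scale_down_then_lose_two(False))
    for n in (3, 4, 5):
        print(f"rollout step, {n} servers, maxUnavailable=1:", rollout_step(n, 1))
    print("5 servers, maxUnavailable=2:", rollout_step(5, 2))
    print("5 servers, 2 lost ungracefully:", node_loss(5, 2))
```

Running it reproduces the note: with `leave_on_terminate` true a 5-to-3 scale-down drops quorum to 2 and two further losses can destroy every copy of a write, while with the old setting quorum stays 3 and the same two losses cannot; a rollout step with `maxUnavailable: 1` on 5 servers keeps quorum at 3, whereas `maxUnavailable: 2` would lower it to 2; and ungraceful loss leaves the voter count, and therefore the quorum, untouched.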
SECURITY:

IMPROVEMENTS:

* New `CaseInsensitive` flag for service-routers allows paths and path prefixes to ignore URL upper and lower casing. [GH-3502]

BUG FIXES:
SECURITY:

* `golang.org/x/crypto` updated to v0.17.0 to address CVE-2023-48795. [GH-3442]
* `ubi-minimal:9.3` is now used as the base image. [GH-3418]

IMPROVEMENTS:

* New `consul.hashicorp.com/sidecar-proxy-startup-failure-seconds` and `consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds` annotations allow users to manually configure startup and liveness probes for Envoy sidecar proxies. [GH-3450]

BUG FIXES: