Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
SECURITY:
golang.org/x/net to v0.17.0 to address CVE-2023-39325 / CVE-2023-44487 (x/net/http2). [GH-19225]
net/http). [GH-19225]
google.golang.org/grpc to 1.56.3. This resolves vulnerability CVE-2023-44487. [GH-19414]
BUG FIXES:
/v1/catalog/services endpoint [GH-18322]
performance.grpc_keepalive_timeout and performance.grpc_keepalive_interval now exist to allow for configuration on how often these dead connections will be cleaned up. [GH-19339]
SECURITY:
golang.org/x/net to v0.17.0 to address CVE-2023-39325 / CVE-2023-44487 (x/net/http2). [GH-19225]
net/http). [GH-19225]
google.golang.org/grpc to 1.56.3. This resolves vulnerability CVE-2023-44487. [GH-19414]
BUG FIXES:
/v1/catalog/services endpoint [GH-18322]
performance.grpc_keepalive_timeout and performance.grpc_keepalive_interval now exist to allow for configuration on how often these dead connections will be cleaned up. [GH-19339]
BREAKING CHANGES:
FEATURE PREVIEW: Catalog v2
This release provides the ability to preview Consul's v2 Catalog and Resource API if enabled. The new model supports multi-port application deployments with only a single Envoy proxy. Note that the v1 and v2 catalogs are not cross compatible, and not all Consul features are available within this v2 feature preview. See the v2 Catalog and Resource API documentation for more information. The v2 Catalog and Resources API should be considered a feature preview within this release and should not be used in production environments.
Limitations
Known Issues
Significant Pull Requests
FEATURES:
acl.tokens.dns config field which specifies the token used implicitly during dns checks. [GH-17936]
bind-var flag to consul acl binding-rule for templated policy variables. [GH-18719]
consul acl templated-policy commands to read, list and preview templated policies. [GH-18816]
IMPROVEMENTS:
CheckRegisterOpts to Agent API [GH-18943]
Token field to ServiceRegisterOpts type in Agent API [GH-18983]
-templated-policy, -templated-policy-file, -replace-templated-policy, -append-templated-policy, -replace-templated-policy-file, -append-templated-policy-file and -var flags for creating or updating tokens/roles. [GH-18708]
tls.defaults.verify_server_hostname configuration option. This specifies the default value for any interfaces that support the verify_server_hostname option. [GH-17155]
BUG FIXES:
SECURITY:
cmd/go), CVE-2023-39318 (html/template), CVE-2023-39319 (html/template), CVE-2023-39321 (crypto/tls), and CVE-2023-39322 (crypto/tls) [GH-18742]
IMPROVEMENTS:
tcp_use_tls boolean. By default the agent will use the TLS configuration in the tls.default stanza. [GH-18381]
BUG FIXES:
/v1/agent/self not returning latest configuration [GH-18681]
SECURITY:
cmd/go), CVE-2023-39318 (html/template), CVE-2023-39319 (html/template), CVE-2023-39321 (crypto/tls), and CVE-2023-39322 (crypto/tls) [GH-18742]
IMPROVEMENTS:
BUG FIXES:
/v1/agent/self not returning latest configuration [GH-18681]
SECURITY:
cmd/go), CVE-2023-39318 (html/template), CVE-2023-39319 (html/template), CVE-2023-39321 (crypto/tls), and CVE-2023-39322 (crypto/tls) [GH-18742]
IMPROVEMENTS:
BUG FIXES:
/v1/agent/self not returning latest configuration [GH-18681]
SECURITY:
golang.org/x/net to v0.13.0 to address CVE-2023-3978. [GH-18358]
net/http) for uses of the standard library. A separate change updates dependencies on golang.org/x/net to use 0.12.0. [GH-18190]
crypto/tls). [GH-18358]
FEATURES:
consul members command uses -filter expression to filter members based on bexpr. [GH-18223]
consul operator raft list-peers command shows the number of commits each follower is trailing the leader by to aid in troubleshooting. [GH-17582]
consul watch command uses -filter expression to filter response from checks, services, nodes, and service. [GH-17780]
IMPROVEMENTS:
property-override builtin Envoy extension [GH-17759]
operator/usage endpoint now returns node count
cli: consul operator usage command now returns node count [GH-17939]
BUG FIXES:
consul connect envoy command when starting an API Gateway. This health check would always fail. [GH-18011]
PUT /acl/token/:AccessorID (update token), no longer requires AccessorID in the request body. Web UI can now update tokens. [GH-17739]
jwt-provider config entries are created in the default namespace. [GH-18325]
SECURITY:
golang.org/x/net to v0.13.0 to address CVE-2023-3978. [GH-18358]
net/http) for uses of the standard library. A separate change updates dependencies on golang.org/x/net to use 0.12.0. [GH-18190]
crypto/tls). [GH-18358]
FEATURES:
consul members command uses -filter expression to filter members based on bexpr. [GH-18223]
consul watch command uses -filter expression to filter response from checks, services, nodes, and service. [GH-17780]
IMPROVEMENTS:
BUG FIXES:
consul connect envoy command when starting an API Gateway. This health check would always fail. [GH-18011]
SECURITY:
golang.org/x/net to v0.13.0 to address CVE-2023-3978. [GH-18358]
net/http) for uses of the standard library. A separate change updates dependencies on golang.org/x/net to use 0.12.0. [GH-18190]
crypto/tls). [GH-18358]
FEATURES:
consul members command uses -filter expression to filter members based on bexpr. [GH-18223]
consul watch command uses -filter expression to filter response from checks, services, nodes, and service. [GH-17780]
IMPROVEMENTS:
BUG FIXES:
BREAKING CHANGES:
/v1/health/connect/ and /v1/health/ingress/ endpoints now immediately return 403 "Permission Denied" errors whenever a token with insufficient service:read permissions is provided. Prior to this change, the endpoints returned a success code with an empty result list when a token with insufficient permissions was provided. [GH-17424]
peer field is provided. Visit the 1.16.x upgrade instructions for more information. [GH-16957]
SECURITY:
alpine:3.18. [GH-17719]
v1/operator/audit-hash endpoint to ACL token with operator:read privileges.
FEATURES:
POST /v1/operator/audit-hash endpoint to calculate the hash of the data used by the audit log hash function and salt.
consul operator audit hash command to retrieve and compare the hash of the data used by the audit log hash function and salt.
consul services export - for exporting a service to a peer or partition [GH-15654]
AllowEnablingPermissiveMutualTLS setting to the mesh config entry and the MutualTLSMode setting to proxy-defaults and service-defaults. [GH-17035]
property-override built-in Envoy extension that directly patches Envoy resources. [GH-17487]
IMPROVEMENTS:
-filter option to consul config list for filtering config entries. [GH-17183]
datacenter, ap (enterprise-only), and namespace (enterprise-only). Both short-hand and long-hand forms of these query params are now supported via the HTTP API (dc/datacenter, ap/partition, ns/namespace). [GH-17525]
BUG FIXES: