ent-changelog-1.15.0
📦 consul-connect
⚠ 8 breaking · ✨ 9 features · 🐛 2 fixes · ⚡ 1 deprecation · 🔧 16 symbols
Summary
This release introduces API Gateway (Beta) support, new troubleshooting CLI commands, and significant breaking changes related to ACL error formats and the removal of legacy ACL functionality. It also upgrades the underlying Go version to 1.20.1 to resolve security vulnerabilities.
⚠️ Breaking Changes
- Delete and get requests for ACL resources now return descriptive 404 errors when the resource cannot be found (e.g., "Requested * does not exist: ACL not found"). Read Token/Policy/Role endpoints now return 404 when the resource cannot be found with format: "Cannot find * to delete". Logout returns 401 if token is missing, format: "Supplied token does not exist". Token Self endpoint returns 404 if token is missing, format: "Supplied token does not exist".
- All functionality and references to the legacy ACL system have been removed.
- All functionality and references for legacy ACL policies have been removed.
- The configuration options `-join`, `-join-wan`, `start_join`, and `start_join_wan` are deprecated and now act as aliases for `-retry-join`, `-retry-join-wan`, `retry_join`, and `retry_join_wan`, respectively.
- The `peer` field has been added to service-defaults upstream overrides. Overrides will now only apply to peer services if the `peer` field matches the destination peer name; previously, overrides were applied based only on matching `namespace` and `name` fields.
- The `consul connect envoy` command will now error and exit if the Envoy version is incompatible. Use the `--ignore-envoy-compatibility` flag to bypass this check.
- The `connect.enable_serverless_plugin` agent configuration option has been removed; Lambda integration is now enabled by default.
- The Lambda integration configuration has been refactored to use the Envoy extensions field on service-defaults configuration entries.
Migration Steps
- If you rely on the specific error formats for ACL resource not found, update your error handling to accommodate the new formats (e.g., "Requested * does not exist: ACL not found").
- Remove any configuration or code referencing legacy ACL migration functionality or legacy ACL policies.
- If using `-join`, `-join-wan`, `start_join`, or `start_join_wan`, consider migrating to `-retry-join`, `-retry-join-wan`, `retry_join`, or `retry_join_wan` respectively.
- Review service-defaults upstream overrides if you configure overrides for both local and peer services; the addition of the `peer` field changes matching logic.
- If using `consul connect envoy`, ensure your Envoy version is compatible or use the `--ignore-envoy-compatibility` flag if necessary.
- Remove the `connect.enable_serverless_plugin` agent configuration option as Lambda integration is now enabled by default.
- If configuring Lambda integration, ensure configuration is done via the Envoy extensions field on service-defaults configuration entries.
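
The agent-configuration steps above (the `start_join`/`start_join_wan` renames and the removal of `connect.enable_serverless_plugin`) can be checked mechanically. The following is an added example, not code from the changelog or from the Consul project; it assumes a JSON-format agent config, and the function name `migrate_agent_config` and the merge order for addresses are assumptions made for illustration.

```python
import json

# Renames and removals listed in the migration steps above.
RENAMED = {"start_join": "retry_join", "start_join_wan": "retry_join_wan"}
REMOVED = {("connect", "enable_serverless_plugin")}


def migrate_agent_config(cfg):
    """Return (new_cfg, notes) for a JSON agent config dict; cfg is not modified."""
    new_cfg = json.loads(json.dumps(cfg))  # deep copy of plain JSON data
    notes = []
    for old, new in RENAMED.items():
        if old in new_cfg:
            addrs = new_cfg.pop(old)
            # Assumption: keep addresses already under the new key, append unseen ones.
            merged = list(new_cfg.get(new, []))
            merged += [a for a in addrs if a not in merged]
            new_cfg[new] = merged
            notes.append(f"{old} -> {new}")
    for path in REMOVED:
        parent = new_cfg
        for key in path[:-1]:
            parent = parent.get(key, {}) if isinstance(parent, dict) else {}
        if isinstance(parent, dict) and path[-1] in parent:
            del parent[path[-1]]
            notes.append("removed " + ".".join(path))
    return new_cfg, notes


# Constructed sample agent configuration (not taken from a real deployment).
SAMPLE = json.loads("""
{
  "datacenter": "dc1",
  "start_join": ["10.0.0.10", "10.0.0.11"],
  "retry_join": ["10.0.0.11", "10.0.0.12"],
  "start_join_wan": ["198.51.100.5"],
  "connect": {"enabled": true, "enable_serverless_plugin": true}
}
""")

if __name__ == "__main__":
    migrated, notes = migrate_agent_config(SAMPLE)
    print(json.dumps(migrated, indent=2))
    for n in notes:
        print("changed:", n)
```

The returned notes list doubles as a change record for review before the rewritten file is deployed.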
✨ New Features
- Added support for API gateway on VMs (Beta), providing a highly-configurable ingress for requests coming into a Consul network.
- Added new `acl.tokens.config_file_registration` config field to specify the token used to register services and checks defined in config files.
- The anonymous token is now logged as 'anonymous token' instead of its accessor ID.
- Added new CLI commands `consul troubleshoot upstreams` and `consul troubleshoot proxy` for troubleshooting Consul's service mesh configuration and network issues.
- Added the `operator usage instances` subcommand for displaying total services, connect service instances, and billable service instances.
- Support outlier detection (passive health check) for upstream clusters in `config-entry(ingress-gateway)`.
- Added support for Envoy access logging via the `proxy-defaults` config entry.
- Added a built-in Envoy extension that inserts Lua HTTP filters via XDS.
- Inserted originator service identity into Envoy's dynamic metadata under the `consul` namespace.
🐛 Bug Fixes
- ACL delete and get requests now return descriptive errors when the specified resource cannot be found.
- ACL request errors now provide more information when a resource is missing, including an error for when the ACL system has not been bootstrapped.
🔧 Affected Symbols
- Delete Token/Policy/AuthMethod/Role/BindingRule endpoints
- Read Token/Policy/Role endpoints
- Logout endpoint
- Token Self endpoint
- acl migration functionality
- legacy acl policies
- `-join`
- `-join-wan`
- `start_join`
- `start_join_wan`
- `retry-join`
- `retry-join-wan`
- service-defaults upstream overrides
- `consul connect envoy`
- `connect.enable_serverless_plugin`
- Lambda integration
⚡ Deprecations
- The configuration options `-join`, `-join-wan`, `start_join`, and `start_join_wan` are deprecated and now act as aliases for `-retry-join`, `-retry-join-wan`, `retry_join`, and `retry_join_wan`, respectively.