Change8

ent-changelog-1.16.0

📦 consul-connect

Summary

This release introduces several new features, particularly around XDS extensions, permissive mTLS, and enterprise audit logging capabilities. It also contains breaking changes related to permission handling on specific API endpoints and removal of deprecated peering behavior.

⚠️ Breaking Changes

  • The /v1/health/connect/ and /v1/health/ingress/ API endpoints now return 403 "Permission Denied" if the provided token lacks sufficient 'service:read' permissions. Previously, they returned a success code with an empty result list.
  • Deprecated backward-compatibility behavior related to peering has been removed. Upstream overrides in service-defaults will now only apply to peer upstreams when the 'peer' field is explicitly provided.

Migration Steps

  1. Review the 1.16.x upgrade instructions regarding peering changes: Upstream overrides in service-defaults will now only apply to peer upstreams when the 'peer' field is provided. Visit https://developer.hashicorp.com/consul/docs/upgrading/upgrade-specific for more information.

✨ New Features

  • (Enterprise only) Added POST /v1/operator/audit-hash endpoint to calculate the hash of the data used by the audit log hash function and salt via the API.
  • (Enterprise only) Added 'consul operator audit hash' command to retrieve and compare the hash of the data used by the audit log hash function and salt via CLI.
  • Added a new CLI command, 'consul services export', for exporting a service to a peer or partition.
  • (Consul Enterprise only) Implemented order-by-locality failover for Connect.
  • Added new permissive mTLS mode to the mesh configuration that allows sidecar proxies to forward incoming traffic unmodified to the application. This introduces 'AllowEnablingPermissiveMutualTLS' to mesh config entry and 'MutualTLSMode' to proxy-defaults and service-defaults.
  • Support configuring JWT authentication in Envoy.
  • (Enterprise Only) Added a server-side, IP-based read/write rate-limiter for RPC requests.
  • (Enterprise Only) Allow automatic license utilization reporting on the server.
  • Added a server-side global read/write rate-limiter for RPC requests.
  • xds: Added 'property-override' built-in Envoy extension that directly patches Envoy resources.
  • xds: Added a built-in Envoy extension that inserts External Authorization (ext_authz) network and HTTP filters.
  • xds: Added a built-in Envoy extension that inserts Wasm HTTP filters.
  • xds: Added a built-in Envoy extension that inserts Wasm network filters.
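The permissive mTLS feature above means a service can be configured to accept plaintext (non-mTLS) traffic at its sidecar. The following is an added audit example, not Consul's own code: it resolves the effective 'MutualTLSMode' per service from constructed config entries (shaped like the JSON returned by the config entry API, with the unset value assumed to fall back to the global proxy-defaults and then to 'strict') and flags the mesh entry that allows permissive mode and every service that ends up permissive.

```python
"""Audit Consul config entries for permissive mTLS (added example, not Consul's code)."""

# Constructed sample entries in the shape of GET /v1/config/<kind> output.
# 'web' is the weak setting; 'db' shows the corrected (strict) one.
SAMPLE_ENTRIES = [
    {"Kind": "mesh", "Name": "mesh", "AllowEnablingPermissiveMutualTLS": True},
    {"Kind": "proxy-defaults", "Name": "global", "MutualTLSMode": "strict"},
    {"Kind": "service-defaults", "Name": "web", "MutualTLSMode": "permissive"},
    {"Kind": "service-defaults", "Name": "api", "MutualTLSMode": ""},
    {"Kind": "service-defaults", "Name": "db", "MutualTLSMode": "strict"},
]


def effective_mtls_modes(entries):
    """Return {service_name: effective MutualTLSMode}.

    Resolution order (assumed): the service-defaults value if set, otherwise the
    'global' proxy-defaults value, otherwise 'strict' (the documented default).
    """
    global_mode = "strict"
    for e in entries:
        if e.get("Kind") == "proxy-defaults" and e.get("Name") == "global":
            global_mode = e.get("MutualTLSMode") or "strict"
    modes = {}
    for e in entries:
        if e.get("Kind") == "service-defaults":
            modes[e["Name"]] = e.get("MutualTLSMode") or global_mode
    return modes


def audit_permissive_mtls(entries):
    """Return a list of findings: the mesh gate plus every permissive service."""
    findings = []
    mesh = next((e for e in entries if e.get("Kind") == "mesh"), {})
    if mesh.get("AllowEnablingPermissiveMutualTLS"):
        findings.append("mesh: AllowEnablingPermissiveMutualTLS is true "
                        "(permissive mode may be set on proxy/service defaults)")
    for svc, mode in sorted(effective_mtls_modes(entries).items()):
        if mode == "permissive":
            findings.append(f"service-defaults/{svc}: effective MutualTLSMode is "
                            "permissive (sidecar accepts non-mTLS traffic)")
    return findings


if __name__ == "__main__":
    for line in audit_permissive_mtls(SAMPLE_ENTRIES):
        print(line)
```

Point it at the real entries by replacing SAMPLE_ENTRIES with the decoded output of the config entry API for the 'mesh', 'proxy-defaults' and 'service-defaults' kinds.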

🐛 Bug Fixes

  • Fixed a race condition where an event was published before the associated data was committed to memdb.
  • Fixed issue where changes to service exports were not reflected in proxies.
  • (Enterprise only) Fixed a bug in API gateways where gateway configuration objects in non-default partitions did not reconcile properly.
  • Fixed a bug in API gateways where binding a route that only targets a service imported from a peer resulted in the programmed gateway having no routes.
  • Fixed a bug where API gateways were not being taken into account in determining xDS rate limits.
  • (Enterprise only) Fixed a bug where agent health checks stopped syncing for all services on a node if the namespace of any service had been removed from the server.

🔧 Affected Symbols

  • /v1/health/connect/
  • /v1/health/ingress/
  • service-defaults
  • consul services export
  • AllowEnablingPermissiveMutualTLS
  • MutualTLSMode
  • v1/operator/audit-hash
  • consul operator audit hash
  • service exports
  • gateway configuration objects
  • agent health checks