Change8

ent-changelog-1.17.0

Breaking Changes
📦 consul-connectView on GitHub →
2 breaking19 features🐛 3 fixes🔧 14 symbols

Summary

This release introduces the feature preview of Consul's v2 Catalog and Resource API, alongside significant security updates addressing multiple CVEs. It also adds extensive new features related to ACL templating and API Gateway capabilities.

⚠️ Breaking Changes

  • api: RaftLeaderTransfer now requires an id string. To maintain old behavior, specify an empty string for the id.
  • (Enterprise only) audit-logging: Timestamp based filename is now only allowed on rotation; initially the filename will be just file.json.

Migration Steps

  1. If using `RaftLeaderTransfer`, ensure you provide an `id` string. If you need to maintain the old behavior, pass an empty string for the ID.
  2. Review the limitations of the v2 Catalog API feature preview if considering its use (not supported with client agents, cannot run concurrently with v1, not supported in current UI or HCP Consul for multi-port services).

✨ New Features

  • Introduction of Consul's v2 Catalog and Resource API as a feature preview, supporting multi-port application deployments with a single Envoy proxy (Note: v1 and v2 catalogs are not cross-compatible, and not all features are available).
  • Support custom watches on the Consul Controller framework.
  • Windows: support consul connect envoy command on Windows.
  • acl: Add BindRule support for templated policies, including new BindType: templated-policy and BindVar field.
  • acl: Add new config field `acl.tokens.dns` for the token used implicitly during DNS checks.
  • acl: Added ACL Templated policies to simplify getting the right ACL token.
  • acl: Adds a new ACL rule for workload identities.
  • acl: Adds workload identity templated policy.
  • api-gateway: Add support for response header modifiers on http-route configuration entry.
  • api-gateway: add retry and timeout filters.
  • cli: Add `bind-var` flag to `consul acl binding-rule` for templated policy variables.
  • cli: Add `consul acl templated-policy` commands to read, list and preview templated policies.
  • (Enterprise only) config-entry(api-gateway): Add GatewayPolicy to APIGateway Config Entry listeners.
  • (Enterprise only) config-entry(api-gateway): Add JWTFilter to HTTPRoute Filters.
  • dataplane: Allow getting bootstrap parameters when using V2 APIs.
  • (Enterprise only) gateway: Add JWT authentication and authorization to APIGateway Listeners and HTTPRoutes.
  • (Enterprise only) mesh: Adds rate limiting config to service-defaults.
  • xds: Add a built-in Envoy extension that appends OpenTelemetry Access Logging (otel-access-logging) to the HTTP Connection Manager filter.
  • xds: Add support for patching outbound listeners to the built-in Envoy External Authorization extension.

🐛 Bug Fixes

  • api: add custom marshal/unmarshal for ServiceResolverConfigEntry.RequestTimeout so config entries that set this field can be read using the API.
  • ca: ensure Vault CA provider respects Vault Enterprise namespace configuration.
  • catalog api: fixes a bug with catalog api where filter q...

🔧 Affected Symbols

RaftLeaderTransferapiaudit-logginggolang.org/x/netgoogle.golang.org/grpcenvoyCatalog resource controllersMesh resource controllersAuth resource controllersV2 ProtobufsCheckRegisterOptsServiceRegisterOptsTokenServiceResolverConfigEntry.RequestTimeout