
ent-changelog-1.22.0

📦 consul-connect
2 breaking · 8 features · 🐛 9 fixes · 1 deprecation · 🔧 8 symbols

Summary

This release shares the Consul Enterprise changelog, focusing heavily on security hardening, including Envoy upgrades and DoS mitigations. It also introduces new features like multi-port service registration and OIDC client authentication improvements.

⚠️ Breaking Changes

  • Envoy version support changed: Support for Envoy 1.31.10 is removed; users must now use Envoy 1.35.3 or newer.
  • Key name validation added to the key/value endpoint: This is a breaking change that prevents path traversal attacks. It can be disabled using the `DisableKVKeyValidation` config if necessary.

Migration Steps

  1. If you rely on Envoy versions older than 1.35.3, you must upgrade your environment to use Envoy 1.35.3 or newer.
  2. Review configurations related to the key/value endpoint if you encounter validation errors; consider enabling `DisableKVKeyValidation` if necessary to maintain existing behavior while migrating.
  3. If using IPv6 or dual-stack configurations, note that `connect envoy bootstrap` defaults to `::1` for IPv6 agent bind addresses, and `connect upstream.local_bind_address` and `proxy.local_service_address` default to `::1` for IPv6 agents.

✨ New Features

  • Added support to register a service in Consul with multiple ports.
  • Agent utility function `IsDualStack` added to detect if the agent is configured for both IPv4 and IPv6 based on the bind address from the "agent/self" API.
  • Added client authentication using JWT assertion and PKCE for OIDC; PKCE is enabled by default.
  • IPv6: Added ip6tables changes for IPv6 and dual stack support.
  • CLI: `consul operator utilization` subcommand added to generate a census utilization snapshot.
  • API: New API endpoint `/v1/operator/utilization` added to support enterprise manual snapshot reporting.
  • Agent: Census metrics collection is now always enabled with a configurable option to export it to HashiCorp Reporting.
  • CLI: `snapshot agent` now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI).

🐛 Bug Fixes

  • Envoy startup failures are prevented when TLS transport socket is configured without a CA bundle present (for Envoy v1.35+).
  • Warning added when remote/local script checks are enabled without enabling ACLs.
  • Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks [CVE-2025-11374].
  • Maximum Content-Length added on the event endpoint to prevent denial-of-service (DoS) attacks [CVE-2025-11375].
  • UI: Fixed computed property override issues occurring due to Ember v4 deprecation.
  • UI: Fixed issue where FQDN was not displayed in the Consul web interface.
  • UI: Fixed issue where namespaces disappeared and the Welcome to Namespace screen showed up after tab switching.
  • UI: Fixed issue where the three dots on the right-hand side stopped responding after the first delete when deleting multiple tokens or policies.
  • Command: Fixed `consul operator utilization --help` to show only available options without extra parameters.

🔧 Affected Symbols

  • Envoy (version support change)
  • Consul KV endpoint
  • Consul event endpoint
  • agent/self API
  • /v1/operator/utilization API
  • `consul operator utilization` subcommand
  • `snapshot agent` CLI
  • ember component methods (removed send action)

⚡ Deprecations

  • Ember UI: Removed `send action` instances as part of Ember deprecation cleanup.