v1.22.5
consul-connect
Summary
This release focuses heavily on security improvements, including patching Vault CA provider vulnerabilities, configuring HTTP server timeouts, and upgrading the base Go version. It also includes dependency updates for AWS SDKs and fixes for Envoy certificate handling.
⚠️ Breaking Changes
- The Connect component migrated from aws-sdk-go (v1) to aws-sdk-go-v2. Users relying on v1-specific behaviors or APIs in custom integrations might need to update their code.
- HTTP server timeouts are now configured by default to prevent Slowloris attacks on agent HTTP and pprof endpoints. If existing applications relied on very long or infinite timeouts, they might now experience connection closures.
Migration Steps
- If you are using AWS SDK integrations within Consul, review changes related to the migration from aws-sdk-go (v1) to aws-sdk-go-v2.
- If your application relies on extremely long or unconstrained HTTP timeouts for agent HTTP or pprof endpoints, review the new default HTTP server timeout configurations and adjust if necessary.
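To see what the timeout change means for a client, the following added example (not Consul's code, and not its actual default values) runs a Go `net/http` server with and without read timeouts against a client that sends an unterminated request header and then stalls. The function names, the timeout values and the `demo` host are assumptions made for the illustration.

```go
// Added example, not Consul source; timeout values are constructed for the demo.
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// newServer returns a server; hardened=false keeps Go's zero values (no timeouts).
func newServer(hardened bool) *http.Server {
	srv := &http.Server{Handler: http.NotFoundHandler()}
	if hardened {
		srv.ReadHeaderTimeout = 200 * time.Millisecond // time allowed to finish the headers
		srv.ReadTimeout = 500 * time.Millisecond       // headers plus body
	}
	return srv
}

// stalledClientDropped sends a request header without the final CRLF, stalls,
// and reports whether the server closed the connection before wait elapsed.
func stalledClientDropped(srv *http.Server, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln)
	defer srv.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	if _, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: demo\r\n")); err != nil {
		return false, err
	}
	conn.SetReadDeadline(time.Now().Add(wait))
	_, err = conn.Read(make([]byte, 1))
	return errors.Is(err, io.EOF), nil // a timeout here means the server kept waiting
}

func main() {
	for _, hardened := range []bool{false, true} {
		dropped, err := stalledClientDropped(newServer(hardened), time.Second)
		fmt.Printf("hardened=%v dropped=%v err=%v\n", hardened, dropped, err)
	}
}
```

A legitimate client that is closed this way is the case the migration step asks you to look for: long-lived or slow requests against the agent HTTP or pprof endpoints.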
✨ New Features
- Added the `--aws-iam-endpoint` flag to the `consul login` command for the AWS IAM auth method to allow custom IAM endpoint configuration.
🐛 Bug Fixes
- Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener by consolidating certificates into a single filter chain.
- Fixed Vault provider failure when signing an intermediate CA with isCA=true in a Certificate Signing Request (CSR).
- Fixed an issue where the context check for watches cache fetch would not cancel execution when the manager deregistered the watch.