Change8

v2.0.0

📦 consul-connect
9 features, 6 fixes, 12 symbols

Summary

Version 2.0.0 introduces major features like Global Rate Limiting and multi-port service support (Enterprise Only), alongside numerous security updates and increased default HTTP timeouts to improve stability for long-polling.

Migration Steps

  1. If you rely on default HTTP server timeouts for long-polling blocking queries, note that `read_timeout` and `write_timeout` have increased to 15 minutes (from 30 seconds). If you had custom configurations that relied on the old 30-second timeout, you may need to adjust them.
  2. If using API Gateways or Terminating Gateways, be aware that HTTP request path normalization is now applied to prevent L7 intention RBAC bypass via non-normalized paths.
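The effect of migration step 2 can be checked against existing traffic before upgrading. The sketch below is an added example, not Consul's or Envoy's code: it reports logged request paths for which a path-prefix rule gives a different answer once the path is normalized. The helper names `normalizePath` and `changedDecisions`, the `/admin` prefix and the sample paths are assumptions made for illustration, and the normalization is a deliberately broad approximation.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// normalizePath approximates proxy-side normalization: percent-decode, then
// collapse dot segments and repeated slashes. Assumption: illustrative only,
// deliberately broader than any one proxy's algorithm so an audit over-flags.
func normalizePath(raw string) string {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		decoded = raw // malformed escape: compare the raw form
	}
	clean := path.Clean("/" + decoded)
	if strings.HasSuffix(decoded, "/") && clean != "/" {
		clean += "/" // path.Clean drops the trailing slash; keep it
	}
	return clean
}

// changedDecisions returns the logged paths for which a prefix-style rule
// gives a different answer on the raw path than on the normalized path.
func changedDecisions(prefix string, logged []string) []string {
	var changed []string
	for _, p := range logged {
		if strings.HasPrefix(p, prefix) != strings.HasPrefix(normalizePath(p), prefix) {
			changed = append(changed, p)
		}
	}
	return changed
}

func main() {
	// Constructed sample of request paths, as they might appear in access logs.
	logged := []string{"/admin/users", "/public/../admin/users", "//admin/users",
		"/public/index.html", "/%61dmin/users"}
	for _, p := range changedDecisions("/admin", logged) {
		fmt.Printf("%-26s -> %s\n", p, normalizePath(p))
	}
}
```

Any path this reports is one whose L7 intention outcome may differ after the upgrade and is worth reviewing against the intended policy.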

✨ New Features

  • (Enterprise Only) Updated to go-licensing/v4 and go-census/v3 in order to adapt to new licenses of PAO.
  • (Enterprise Only) Global Rate Limiter: a new "rate-limit" config entry kind that enables dynamic, cluster-wide RPC rate limiting stored in Raft and automatically replicated to all servers.
  • api-gateway: Added SDS certificate support for API Gateway listeners, including listener-level default TLS certificates and HTTP/TCP route service TLS SDS overrides.
  • api-gateway: add support for gateway-level default upstream limits and route service-level limit overrides for MaxConnections, MaxPendingRequests, and MaxConcurrentRequests.
  • api: Added new API "/v1/internal/rpc/methods" that lists all RPC method names. Requires an operator:read ACL token.
  • (Enterprise Only) ca: Added new Connect CA provider for Cyberark WIM (connect.ca_provider = "pan-distributed-issuer"), enabling Consul to issue certificates through Cyberark WIM.
  • (Enterprise Only) server: add stable cluster identity and leader-gated global registry sync for service summary publishing.
  • (Enterprise Only) telemetry: Product telemetry for self-managed Consul with anonymous, opt-in usage reporting.
  • (Enterprise Only) mesh: Introduce support for multi-port (named port) services in Consul, including the ability to specify and route traffic using port names, as well as to retrieve virtual IPs for specific service ports.

🐛 Bug Fixes

  • (Enterprise Only) audit-logging: Fixed JSON unmarshal error when an array of objects is passed for the auditReq body.
  • cli: Enhanced error messages in `consul config write` command to provide actionable guidance when config entries cannot be modified due to references by gateways or routers.
  • xds: Fixed XDS package to generate correct endpoints and cluster configurations for API Gateways when peered, and updated the API Gateway update handler to propagate mesh gateway config to its upstreams.
  • XDS: Fixes an issue with mesh-gateway in remote mode on AWS EKS, where DNS hostnames are assigned to AWS NLBs instead of IPs and Envoy's EDS endpoint validation expects the address to be an IP.
  • api-gateway: resolve service subsets for routes during API gateway discovery chain synthesis.
  • ui: Fix broken documentation links

Affected Symbols