Change8

v2.0.1

📦 consul-connectView on GitHub →
9 features🐛 2 fixes🔧 10 symbols

Summary

This release focuses heavily on security updates, upgrading Go and Envoy versions, and introduces major Enterprise features like Global Rate Limiting and multi-port service support. Bug fixes address critical issues related to leader eviction after server renaming and header stripping in Connect.

Migration Steps

  1. If using API Gateway listeners, review configuration for SDS certificate usage, noting that service overrides inherit the listener SDS cluster when omitted.
  2. If encountering HTTP 500 errors after renaming a server, note that this issue is resolved by ensuring member events resync the server lookup mapping.

✨ New Features

  • **(Enterprise Only)** Global Rate Limiter: a new "rate-limit" config entry kind enabling dynamic, cluster-wide RPC rate limiting stored in Raft and automatically replicated to all servers.
  • **(Enterprise Only)** Update to go-licensing/v4 and go-census/v3 inorder to adapt to new licenses of PAO.
  • API Gateway added SDS certificate support for listeners, including listener-level default TLS certificates and HTTP/TCP route service TLS SDS overrides.
  • API Gateway added support for gateway-level default upstream limits and route service-level limit overrides for MaxConnections, MaxPendingRequests, and MaxConcurrentRequests.
  • New API "/v1/internal/rpc/methods" added that lists all RPC method names (requires an operator:read ACL token).
  • **(Enterprise Only)** Added new Connect CA provider for Cyberark WIM (connect.ca_provider = "pan-distributed-issuer").
  • **(Enterprise Only)** Server added stable cluster identity and leader-gated global registry sync for service summary publishing.
  • **(Enterprise Only)** Product telemetry for self-managed Consul with anonymous, opt-in usage reporting.
  • **(Enterprise Only)** Introduce support for multi-port (named port) services in Consul, including port name routing and VIP retrieval for specific ports.

🐛 Bug Fixes

  • Connect stripped the `x-forwarded-client-cert` header from inbound HTTP requests before forwarding them to local service instances.
  • Fixed a server bug where renaming a server could cause an out-of-order serf event to evict the live leader, resulting in `Raft leader not found in server lookup mapping` (HTTP 500) errors on follower RPCs.

Affected Symbols