This repository has been archived by the owner on Aug 25, 2021. It is now read-only.

Releases: hashicorp/consul-helm

v0.32.1

29 Jun 20:12
3d971d2

BUG FIXES:

  • ACLs: Support connecting to external Consul servers with an SNI header. [GH-1005]

v0.32.0

22 Jun 23:20
6a1a2d3

BREAKING CHANGES

  • Connect: Kubernetes Services are now required for all connect injected applications.
    The Kubernetes service name will be used as the service name to register with Consul unless the annotation consul.hashicorp.com/connect-service is provided to the pod to override this.
    If using ACLs the ServiceAccountName must match the service name used with Consul.

    Example Service:

    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: sample-app
    spec:
      selector:
        app: sample-app
      ports:
      - port: 80
        targetPort: 9090
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: sample-app
      name: sample-app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: sample-app
      template:
        metadata:
          annotations:
            'consul.hashicorp.com/connect-inject': 'true'
          labels:
            app: sample-app
        spec:
          containers:
          - name: sample-app
            image: sample-app:0.1.0
            ports:
            - containerPort: 9090

    Note: if you're already using a Kubernetes service, no changes are required.

  • Connect: Transparent Proxy is enabled by default, and the Helm chart now requires Consul 1.10.0 or higher.
    Please see "Support transparent proxy" under FEATURES for more details.

  • [Enterprise] For versions of Consul Enterprise 1.9 <v1.9.7 and Consul Enterprise 1.8 <v1.8.12, if the license was provided as a Kubernetes secret, the key server.enterpriseLicense.enableLicenseAutoload
    needs to be explicitly set to false in order for the license job to run.

    server:
      enterpriseLicense:
        secretName: <name-of-kubernetes-secret>
        secretKey: <name-of-key-whose-value-is-the-license>
        enableLicenseAutoload: false

    See https://consul.io/docs/upgrading/instructions/upgrade-to-1-10-x for more details.

  • Remove templates for a demo installation of Grafana in light of recent changes to Grafana's licensing. If you were previously setting grafana.enabled to true, you must now install Grafana through their Helm chart (https://artifacthub.io/packages/helm/grafana/grafana). [GH-930]

  • Remove support for admissionregistration.k8s.io/v1beta1 version of MutatingWebhookConfiguration as it is deprecated in Kubernetes 1.16+. Only the admissionregistration.k8s.io/v1
    version will be supported. [GH-914]

  • Update supported kubeVersion in Chart.yaml from >=1.13.0-0 to >=1.16.0-0. [GH-883]

  • Connect: The Helm values for health checks and cleanup controller have been removed: connectInject.healthChecks and connectInject.cleanupController.
    This functionality is now enabled by default. You can delete these keys or leave them in place, as they no longer have any effect.
    [GH-899]

FEATURES:

  • Connect: Support transparent proxy. [GH-905]
    This feature allows users to reach other services on the Consul Service Mesh by using KubeDNS instead of using localhost and enforces all inbound and outbound traffic within a pod to go through the Envoy proxy.
    Please see Transparent Proxy docs for more information.

    Note: This feature requires Consul 1.10.0 or higher and consul-k8s v0.26.0 or higher.

    Transparent proxy is enabled by default for all Consul service mesh applications. You can disable it for the
    entire Helm installation by setting:

    connectInject:
      transparentProxy:
        defaultEnabled: false

    Alternatively, you can enable or disable it for each individual application by using
    the consul.hashicorp.com/transparent-proxy pod annotation:

    ...
    metadata:
      name: example
      labels:
        app: example
      annotations:
        "consul.hashicorp.com/transparent-proxy": "true"
    ...

  • Connect: Allow overwriting Kubernetes HTTP probes when running with transparent proxy enabled. [GH-953]

  • Connect: Enable OpenShift for the connect-injector so that we can support running with transparent proxy enabled. [GH-972]

  • Add support for global.recursors to set Consul's -recursor flag. [GH-985]

IMPROVEMENTS:

  • CRDs: Update ServiceDefaults with Mode, TransparentProxy, DialedDirectly and UpstreamConfigs fields. Note: Mode and TransparentProxy should not be set using this CRD but via annotations. [GH-925], [GH-914], [GH-992]
  • CRDs: Update ProxyDefaults with Mode, DialedDirectly and TransparentProxy fields. Note: Mode and TransparentProxy should not be set
    using the CRD but via annotations. [GH-928], [GH-914], [GH-992]
  • CRDs: Add support for MeshConfigEntry. This resource is supported in Consul 1.10+ [GH-941]
  • CRDs: Update the CRD version itself from v1beta1 to v1. Note: This is the version of the definition itself, not the underlying resources; those are still at consul.hashicorp.com/v1alpha1. This update requires no action on the behalf of users. [GH-883]
  • Connect: Support high availability of the connect-inject deployment. [GH-903]
  • Enterprise: Support applying Consul Enterprise license when security context defaults to non-root users. [GH-880]
  • License Autoloading [Enterprise]: Support Consul Enterprise license autoloading for Consul Enterprise 1.10+. If running Consul <1.10 see BREAKING CHANGES section for upgrade instructions.
  • Sync Catalog: add new syncCatalog.extraLabels Helm value for configuring labels on sync catalog pods. [GH-892]
  • Updated the default envoy image to envoyproxy/envoy-alpine:v1.18.3.
  • Add support to set the nodePort value in the Consul UI Service. [GH-878]
  • Allow setting annotations on service accounts for: server, client, client snapshot agent, connect inject, controller, ingressGateways, meshGateway,
    syncCatalog, and terminatingGateways. [GH-964]
  • Delete secrets created by webhook-cert-manager when the deployment is deleted. [GH-987]
  • Connect: connect webhook deployment now uses webhook-cert-manager to bootstrap the webhook certificates instead of generating them inside of the webhook. [GH-861]

BUG FIXES:

  • CRDs: Update the type of connectTimeout and TTL in ServiceResolver and ServiceRouter from int64 to string. This allows a user to set these values as a duration string on the resource, e.g. '5s'.
  • OpenShift: support server.exposeGossipAndRPCPorts. [GH-932]
  • CRDs: Fix a bug where the config field in ProxyDefaults CR was not synced to Consul because apiextensions.k8s.io/v1 requires CRD spec to have structured schema. [GH-921]
  • Don't set -disable-host-node-id=false on Consul Clients because it causes Clients to not be able to join the cluster on certain hypervisor or Kind setups. This flag was added in 0.30.0 to stop Consul logging an error when a Client pod was force deleted, but this error does not affect the pod restarting so removing the flag will have no real effect. [GH-936]

KNOWN ISSUES:

  • This release does not work when Pod Security Policies are enabled. This will be fixed in the upcoming release.

v0.32.0-beta3

27 May 22:32
a465fe7
Pre-release

KNOWN ISSUES:

  • This beta release does not work when Pod Security Policies are enabled. This will be fixed in the upcoming release.

IMPROVEMENTS:

  • Connect: Allow overwriting Kubernetes HTTP probes when running with transparent proxy enabled.
    [GH-953]
  • Connect: Enable OpenShift for the connect-injector so that we can support running with transparent
    proxy enabled. [GH-972]
  • Updated the default envoy image to envoyproxy/envoy-alpine:v1.18.3.

FEATURES:

  • License Autoloading [Enterprise]: Consul Enterprise 1.10+ now requires the enterprise license for Consul to be provided as a Kubernetes secret. Once created, the secret can be
    configured in the Helm chart with the following values:

    server:
      enterpriseLicense:
        secretName: <name-of-kubernetes-secret>
        secretKey: <name-of-key-whose-value-is-the-license>

BUG FIXES:

  • OpenShift: support server.exposeGossipAndRPCPorts. [GH-932]

BREAKING CHANGES:

  • [Enterprise] For versions of Consul Enterprise <1.10, if the license was provided as a Kubernetes secret, the key server.enterpriseLicense.enableLicenseAutoload needs to be explicitly
    set to false in order for the license job to run.

    server:
      enterpriseLicense:
        secretName: <name-of-kubernetes-secret>
        secretKey: <name-of-key-whose-value-is-the-license>
        enableLicenseAutoload: false

v0.32.0-beta2

07 May 00:47
cf68ab7
Pre-release

IMPROVEMENTS:

  • Connect: Add namespaces get/list/watch to the connect-inject clusterrole to support the ability to fetch namespace labels which can enable/disable tproxy for an entire namespace. [GH-942]

FEATURES:

  • CRDs: Update ServiceDefaults with Mode, TransparentProxy and UpstreamConfigs fields. Note: Mode and TransparentProxy should not be set
    using this CRD but via annotations. [GH-925], [GH-914]
  • CRDs: Update ProxyDefaults with Mode and TransparentProxy fields. Note: Mode and TransparentProxy should not be set
    using the CRD but via annotations. [GH-928], [GH-914]
  • CRDs: Add support for MeshConfigEntry. This resource is supported in Consul 1.10+ [GH-941]
  • Add support to set the nodePort value in the Consul UI Service. [GH-878]

BUG FIXES:

  • CRDs: Fix a bug where the config field in ProxyDefaults CR was not synced to Consul because
    apiextensions.k8s.io/v1 requires CRD spec to have structured schema. [GH-921]
  • Don't set -disable-host-node-id=false on Consul Clients because it causes Clients to
    not be able to join the cluster on certain hypervisor or Kind setups. This flag was
    added in 0.30.0 to stop Consul logging an error when a Client pod was force deleted,
    but this error does not affect the pod restarting so removing the flag will have
    no real effect. [GH-936]

BREAKING CHANGES:

  • Remove templates for a demo installation of Grafana in light of recent license changes to Grafana. [GH-930]
  • Remove support for admissionregistration.k8s.io/v1beta1 version of MutatingWebhookConfiguration as it is deprecated in Kubernetes 1.16+. Only the admissionregistration.k8s.io/v1
    version will be supported. [GH-914]

v0.32.0-beta1

16 Apr 19:21
44600e1
Pre-release

IMPROVEMENTS:

  • Specify kubeVersion in Chart.yaml to denote that this chart is compatible with Kubernetes 1.16+. [GH-883]
  • CRDs: update the CRD versions from v1beta1 to v1. [GH-883]
  • Enterprise: support applying Consul Enterprise license when security context defaults to non-root users. [GH-880]
  • Sync Catalog: add new syncCatalog.extraLabels Helm value for configuring labels on sync catalog pods. [GH-892]
  • Connect: Support high availability of the connect-inject deployment. [GH-903]

BREAKING CHANGES:

  • The minimum supported Kubernetes version is 1.16+. [GH-883]

  • Connect: The Helm values for health checks and cleanup controller have been removed: connectInject.healthChecks and connectInject.cleanupController, as these controllers have been replaced by the endpoints controller. [GH-899]

  • Connect: connect webhook deployment now uses webhook-cert-manager to bootstrap the webhook certificates instead of generating them inside of the webhook. [GH-861]

  • Connect: Kubernetes Services are now required for all connect injected applications.
    The Kubernetes service name will be used as the service name to register with Consul unless the annotation consul.hashicorp.com/connect-service is provided to the pod to override this.
    If using ACLs the ServiceAccountName must match the service name used with Consul.

    Example Service:

    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: sample-app
    spec:
      selector:
        app: sample-app
      ports:
      - port: 80
        targetPort: 9090
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: sample-app
      name: sample-app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: sample-app
      template:
        metadata:
          annotations:
            'consul.hashicorp.com/connect-inject': 'true'
          labels:
            app: sample-app
        spec:
          containers:
          - name: sample-app
            image: sample-app:0.1.0
            ports:
            - containerPort: 9090

    Note: if you're already using a Kubernetes service, no changes are required.

  • Connect: -enable-health-checks-controller, -health-checks-reconcile-period, -cleanup-controller-reconcile-period have been removed
    and are no longer supported as the controllers have been replaced by the endpoints controller. [GH-892]

  • Connect: Support transparent proxy. [GH-905]
    This feature allows users to reach other services on the Consul Service Mesh by using KubeDNS instead of using localhost
    and enforces all inbound and outbound traffic within a pod to go through the Envoy proxy.
    Please see Transparent Proxy docs for more information.

    Note: This feature is currently in beta and requires consul-k8s v0.26.0-beta1 or higher.

    Transparent proxy is enabled by default for all Consul service mesh applications. You can disable it for the
    entire Helm installation by setting:

    connectInject:
      transparentProxy:
        defaultEnabled: false

    Alternatively, you can enable or disable it for each individual application by using
    the consul.hashicorp.com/transparent-proxy pod annotation:

    ...
    metadata:
      name: example
      labels:
        app: example
      annotations:
        "consul.hashicorp.com/transparent-proxy": "true"
    ...
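
The Connect breaking change listed under both v0.32.0 and v0.32.0-beta1 requires a Kubernetes Service for every connect-injected application and, with ACLs, a ServiceAccountName that matches the Consul service name. The pre-upgrade check below is an added example, not code from the chart or consul-k8s; the function names, finding codes and sample objects are constructed for illustration, and it only inspects workloads that carry the connect-inject annotation explicitly.

```python
INJECT = "consul.hashicorp.com/connect-inject"
SERVICE_OVERRIDE = "consul.hashicorp.com/connect-service"
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}


# Helpers that build minimal objects for the constructed sample below.
def svc(ns, name, selector):
    return {"kind": "Service", "metadata": {"name": name, "namespace": ns},
            "spec": {"selector": selector}}


def deploy(ns, name, labels, annotations, service_account=None):
    pod_spec = {"serviceAccountName": service_account} if service_account else {}
    template = {"metadata": {"labels": labels, "annotations": annotations}, "spec": pod_spec}
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": ns},
            "spec": {"template": template}}


# Constructed sample, shaped like items from `kubectl get deploy,svc -o json`.
SAMPLE = [
    svc("default", "sample-app", {"app": "sample-app"}),
    deploy("default", "sample-app", {"app": "sample-app"}, {INJECT: "true"}, "sample-app"),
    deploy("default", "orphan", {"app": "orphan"}, {INJECT: "true"}, "orphan"),
    svc("default", "billing", {"app": "billing"}),
    deploy("default", "billing", {"app": "billing"}, {INJECT: "true"}),  # SA unset
    svc("default", "web-svc", {"app": "web"}),
    deploy("default", "web", {"app": "web"},
           {INJECT: "true", SERVICE_OVERRIDE: "web"}, "web"),
    deploy("default", "legacy", {"app": "legacy"}, {}),  # not injected, ignored
]


def check_connect_workloads(objects, acls_enabled=True):
    """Return (workload, code, detail) findings for connect-injected workloads."""
    services = {}
    for obj in objects:
        selector = obj.get("spec", {}).get("selector") or {}
        if obj.get("kind") == "Service" and selector:
            ns = obj["metadata"].get("namespace", "default")
            services.setdefault(ns, []).append((obj["metadata"]["name"], selector))
    findings = []
    for obj in objects:
        if obj.get("kind") not in WORKLOAD_KINDS:
            continue
        ns = obj["metadata"].get("namespace", "default")
        ref = f"{ns}/{obj['metadata']['name']}"
        template = obj["spec"]["template"]
        annotations = template["metadata"].get("annotations") or {}
        if annotations.get(INJECT) != "true":
            continue
        labels = template["metadata"].get("labels") or {}
        # A Service selects the pod when every selector pair is in the pod labels.
        matches = [name for name, sel in services.get(ns, [])
                   if all(labels.get(k) == v for k, v in sel.items())]
        override = annotations.get(SERVICE_OVERRIDE)
        if not matches:
            findings.append((ref, "no-service", "no Service selects these pods"))
            continue
        if override is None and len(matches) > 1:
            # Assumption: the notes do not say which name wins, so flag for review.
            findings.append((ref, "ambiguous-service", ", ".join(matches)))
            continue
        consul_name = override or matches[0]
        # Kubernetes runs pods as the "default" ServiceAccount when none is set.
        account = template["spec"].get("serviceAccountName", "default")
        if acls_enabled and account != consul_name:
            findings.append((ref, "sa-mismatch",
                             f"ServiceAccount {account!r} != Consul service {consul_name!r}"))
    return findings


if __name__ == "__main__":
    for finding in check_connect_workloads(SAMPLE):
        print(*finding, sep="\t")
```
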

BUG FIXES:

  • Add startup probe to connect-inject deployment to give time for certificates to be available.
    Previously, the deployment could be killed by Kubernetes and crash loop because certificates would take a couple
    of seconds to become available. [GH-885]

v0.31.1

19 Mar 19:12
c9e692b

BUG FIXES:

  • Remove kubeVersion in Chart.yaml since it was causing installs to fail on EKS and GKE. [GH-873]

v0.31.0

19 Mar 00:17
05070d2

⚠️ This release contains a bug causing helm install and helm upgrade to fail because the kubeVersion set in Chart.yaml does not work with many major managed Kubernetes services, like EKS and GKE. Please use v0.31.1 instead. ⚠️

BREAKING CHANGES:

  • Helm 2 is no longer supported as of the previous release, 0.30.0. The apiVersion for the Chart.yaml is now correctly set to v2 to properly indicate that the chart is now only supported for Helm 3. [GH-868]

FEATURES:

  • Metrics: add support for metrics in Consul. This enables support for Consul Agent metrics,
    Consul Gateway metrics, metrics merging to serve both application and sidecar metrics and support to configure a metrics provider for the Consul UI.
    Additionally, adds templates for a demo installation of Prometheus and Grafana.
    • If you have these Prometheus annotations on your Connect-inject Pods and enable Connect-Inject metrics (via connectInject.metrics.defaultEnabled or consul.hashicorp.com/enable-metrics), they will be overridden:
      • prometheus.io/scrape
      • prometheus.io/port
      • prometheus.io/path

    Note: Metrics merging is supported in Consul version 1.10+.

IMPROVEMENTS:

  • CRDs: add field Last Synced Time to CRD status and add printer column on CRD to display time since when the
    resource was last successfully synced with Consul. [GH-849]
  • Specify kubeVersion in Chart.yaml to denote that this chart is tested with Kubernetes 1.13+ [GH-870]
  • Updated the default Consul image to hashicorp/consul:1.9.4.
  • Updated the default consul-k8s image to hashicorp/consul-k8s:0.25.0.

BUG FIXES:

  • Increase Consul client daemonset's memory from 25Mi to 50Mi for its client-tls-init
    init container that runs when TLS is enabled and auto-encrypt is disabled. [GH-832]

  • Add UDP port specification for server's serf WAN. Previously there was only one
    port specification that defaulted to TCP. However in some cases (like when exposing as a host port)
    UDP traffic would not be routed properly.

    In addition, if server.exposeGossipAndRPCPorts is true, expose the WAN port
    (8302) as a host port. [GH-839]

  • Fix a warning when running helm template and overriding client.affinity setting with a string.
    [GH-854]

v0.30.0

16 Feb 23:08

BREAKING CHANGES:

  • The following Helm settings are no longer supported and will cause errors on helm upgrade.
    See Upgrade to CRDs
    for more information on how to upgrade. [GH-763]

    • connectInject.centralConfig.defaultProtocol
    • connectInject.centralConfig.proxyDefaults
    • connectInject.centralConfig.enabled
    • meshGateway.globalMode
  • The consul.hashicorp.com/connect-service-protocol annotation on Connect pods is
    no longer supported with this version of consul-k8s (0.23.0).

    Current deployments that have the annotation should remove it, otherwise they
    will get an error if a pod from that deployment is rescheduled.

    See Upgrade to CRDs
    for more information on how to upgrade.

  • The lifecycle-sidecar command and container has been renamed to
    consul-sidecar. The Helm value global.lifecycleSidecarContainer has been
    renamed to global.consulSidecarContainer.
    global.lifecycleSidecarContainer is no longer supported and will cause
    errors on helm upgrade. Please use global.consulSidecarContainer instead.
    [GH-810]

  • Ingress Gateways: when running on platforms that use hostnames instead of IPs for LoadBalancers (e.g. EKS)
    the hostname will now be used as the address of the ingress gateway. Previously the first IP was
    used, however, the IP could be recycled or go stale whereas the hostname will always work. [GH-813]

  • Helm 2 is no longer supported. It may still work, however the chart is no longer unit tested against Helm 2. [GH-807]

IMPROVEMENTS:

  • Add ability to set extra labels on Consul client pods. [GH-612]
  • CRDs: add value controller.aclToken to support manually passing in an ACL token to the CRD controller if independently managing ACLs. [GH-783]
  • TLS: Consul client certificates now include their pod IPs in the IP SANs. This applies to auto-encrypt enabled and disabled. [GH-805]
  • Consul client nodes have a new meta key called "host-ip" set to the IP of the Kubernetes node they're running on. [GH-805]
  • Connect: the latest version of consul-k8s cleans up Consul connect service mesh instances whose pods are no longer running.
    This could happen if the pod's preStop hook failed to execute for some reason. [GH-806]
  • Updated the default Consul image to hashicorp/consul:1.9.3.
  • Updated the default consul-k8s image to hashicorp/consul-k8s:0.24.0.

BUG FIXES:

  • Use rbac.authorization.k8s.io/v1 instead of rbac.authorization.k8s.io/v1beta1 API version for the roles and rolebindings used by the tls-init
    and tls-init-cleanup jobs. [GH-789]
  • Fix API version of Ingress resource for Consul UI. [GH-786]
  • Provide a deterministic host-based node ID for the Consul clients to fix an error when a client is terminated without a graceful shutdown.
    [GH-791]

v0.29.0

22 Jan 20:40
02b30f3

IMPROVEMENTS:

  • Use consul-k8s subcommand to perform tls-init job. This allows for server certificates to get rotated on subsequent runs.
    Consul servers have to be restarted in order for them to update their server certificates. [GH-749]
  • Add support for Ingress resource for Consul UI. [GH-774]
  • Updated the default Consul image to hashicorp/consul:1.9.2.
  • Updated the default consul-k8s image to hashicorp/consul-k8s:0.23.0.

BUG FIXES:

  • Consul servers no longer call consul leave command when restarted or deleted.
    This is because consul leave reduces the quorum size, but we want to maintain the quorum size.
    For example, for a server with 3 replicas the quorum size should always be 2.
    [GH-764]

v0.28.0

21 Dec 20:31
c0722c6

⚠️ This release defaults the Consul image to 1.9.1, which panics on upgrades
(Issue). We recommend using
Consul-helm 0.29.0+ or updating the Consul image to 1.9.2+. ⚠️

BREAKING CHANGES:

  • Setting server.bootstrapExpect to a value less than server.replicas will now
    give an error. This was a misconfiguration as the servers wouldn't wait
    until the proper number have started before electing a leader. [GH-721]
  • Clients and servers now run as non root. Users can also configure server.securityContext and client.securityContext
    if they wish to overwrite this behavior. Please see Helm reference for more information.
    [GH-748]

FEATURES:

  • CRDs: add new CRD IngressGateway for configuring Consul's ingress-gateway config entry. [GH-714]
  • CRDs: add new CRD TerminatingGateway for configuring Consul's terminating-gateway config entry. [GH-715]
  • Enable client agents outside of the K8s cluster to join a consul datacenter
    without the Pod IPs of the consul servers and clients in K8s needing to be
    routable. Adds new helm values server.exposeGossipAndRPCPorts and
    server.ports.serflan.port. To enable external client agents, enable
    server.exposeGossipAndRPCPorts and client.exposeGossipPorts, and set
    server.ports.serflan.port to a port not being used on the host, e.g. 9301.
    The internal IPs of the K8s nodes do need to be routable from the external
    client agent and the external client agent's IP also needs to be routable
    from the K8s nodes.
    [GH-740]
    Note: If you have an existing Consul Helm deployment and would like to upgrade that deployment to use server.exposeGossipAndRPCPorts and client.exposeGossipPorts, the ports won't get configured correctly due to this Kubernetes issue. You will need to run the following patch commands afterwards to correctly configure the ports:
    • For the clients (edit the hostPort and containerPort values to match the client gossip port):
      • kubectl -n consul patch daemonset hashicorp-consul --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/ports/-", "value": {"containerPort": 8301, "hostPort": 8301, "name": "serflan-udp", "protocol": "UDP"}}]'
    • For the servers (edit the hostPort and containerPort values to match the server gossip port):
      • kubectl -n consul patch statefulset hashicorp-consul-server --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/ports/-", "value": {"containerPort": 9301, "hostPort": 9301, "name": "serflan-udp", "protocol": "UDP"}}]'

IMPROVEMENTS:

  • Updated the default consul-k8s image to hashicorp/consul-k8s:0.22.0.
    This release includes an important bug fix where the lifecycle-sidecar sometimes re-registered the application.
    Please see consul-k8s v0.22.0 release for more info.
  • Updated the default Consul image to hashicorp/consul:1.9.1.
  • Make server.bootstrapExpect optional. If not set, will now default to server.replicas.
    If you're currently setting server.replicas, there is no effect. [GH-721]

BUG FIXES:

  • Fix pod security policy when running mesh gateways in hostNetwork mode. [GH-605]

  • CRDs: (Consul Enterprise only) change ServiceResolver field failover[].namespaces to failover[].namespace.
    This will not affect existing ServiceResolver resources and will only update the documentation for that field.

    If failover[].namespaces was used previously, it was ignored and after this change it will still be ignored.
    If failover[].namespace was used previously, it worked correctly and after this change it will still work correctly. [GH-714]

  • Recreate the Server/Client Pod when the Server/Client ConfigMap is updated via helm upgrade
    by using Server ConfigMap and Client ConfigMap values as hashes on Server StatefulSet and Client DaemonSet annotations respectively.
    This updates the previously hashed values of the extraConfig. [GH-550]

  • Remove unused ports 8302 and 8300 from the client daemonset pods. [GH-737]