CHANGELOG.md

Unreleased

BREAKING CHANGES:

• Minimum Kubernetes versions supported is 1.17+ and now matches what is stated in the README.md file. [GH-1053]

IMPROVEMENTS:

• Substitute HOST_IP/POD_IP/HOSTNAME variables in server.extraConfig and client.extraConfig so they are passed in to server/client config already evaluated at runtime. [GH-1042]
• Set failurePolicy to Fail for connectInject mutating webhook so that pods fail to schedule when the webhook is offline. This can be controlled via connectInject.failurePolicy. [GH-1024]
• Allow setting global.logLevel and global.logJSON and propogate this to all consul-k8s commands. [GH-980]
• Allow setting connectInject.replicas to control number of replicas of webhook injector. [GH-1029]
• Add the ability to manually specify a k8s secret containing server-cert via the value server.serverCert.secretName. [GH-1024]

0.32.1 (June 29, 2021)

BUG FIXES:

• ACLs: Support connecting to external Consul servers with an SNI header. [GH-1005]

0.32.0 (June 22, 2021)

BREAKING CHANGES

• Connect: Kubernetes Services are now required for all connect injected applications. The Kubernetes service name will be used as the service name to register with Consul unless the annotation consul.hashicorp.com/connect-service is provided to the pod to override this. If using ACLs the ServiceAccountName must match the service name used with Consul.

  Example Service:

  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: sample-app
  spec:
    selector:
      app: sample-app
    ports:
    - port: 80
      targetPort: 9090
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    labels:
      app: sample-app
    name: sample-app
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: sample-app
    template:
      metadata:
        annotations:
          'consul.hashicorp.com/connect-inject': 'true'
        labels:
          app: sample-app
      spec:
        containers:
        - name: sample-app
          image: sample-app:0.1.0
          ports:
          - containerPort: 9090

  Note: if you're already using a Kubernetes service, no changes are required.

• Connect: Transparent Proxy is enabled by default, and the Helm chart now requires Consul 1.10.0 or higher. Please see "Support transparent proxy" under FEATURES for more details.

• [Enterprise] For versions of Consul Enterprise 1.9 <v1.9.7 and Consul Enterprise 1.8 <v1.8.12 , if the license was provided as a Kubernetes secret, the key server.enterpriseLicense.enableLicenseAutoload needs to explicitly be set to falsein order for the license job to run.

  server:
    enterpriseLicense:
      secretName: <name-of-kubernetes-secret>
      secretKey: <name-of-key-whose-value-is-the-license>
      enableLicenseAutoload: false

  See https://consul.io/docs/upgrading/instructions/upgrade-to-1-10-x for more details.

• Remove templates for a demo installation of Grafana in light of recent license changes to Grafana's licensing. If you were previously setting grafana.enabled to true you must now install Grafana through their Helm chart (https://artifacthub.io/packages/helm/grafana/grafana). [GH-930]

• Remove support for admissionregistration.k8s.io/v1beta1 version of MutatingWebhookConfiguration as it is deprecated in Kubernetes 1.16+. Only the admissionregistration.k8s.io/v1 version will be supported. [GH-914]

• Update supported kubeVersion in Chart.yaml from >=1.13.0-0 to >=1.16.0-0. [GH-883]

• Connect: The Helm values for health checks and cleanup controller have been removed: connectInject.healthChecks and connectInject.cleanupController. This functionality is now enabled by default. You can delete these keys or leave them as they will no longer have any effect. [GH-899]

FEATURES:

• Connect: Support transparent proxy. [GH-905] This feature allows users to reach other services on the Consul Service Mesh by using KubeDNS instead of using localhost and enforces all inbound and outbound traffic within a pod to go through the Envoy proxy. Please see Transparent Proxy docs for more information.

  Note: This feature requires Consul 1.10.0 or higher and consul-k8s v0.26.0 or higher.

  Transparent proxy is enabled by default for all Consul service mesh application. You can disable it for the entire Helm installation by setting:

  connectInject:
    transparentProxy:
      defaultEnabled: false

  Alternatively, you can enable or disable it for each individual application by using the consul.hashicorp.com/transparent-proxy pod annotation:

  ...
  metadata:
    name: example
    labels:
      app: example
    annotations:
      "consul.hashicorp.com/transparent-proxy": "true"
  ...

• Connect: Allow overwriting Kubernetes HTTP probes when running with transparent proxy enabled. [GH-953]

• Connect: Enable OpenShift for the connect-injector so that we can support running with transparent proxy enabled. [GH-972]

• Add support for global.recursors to set Consul's -recursor flag [GH-985].

IMPROVEMENTS:

• CRDs: Update ServiceDefaults with Mode, TransparentProxy, DialedDirectly and UpstreamConfigs fields. Note: Mode and TransparentProxy should not be set using this CRD but via annotations. [GH-925], [GH-914], [GH-992]
• CRDs: Update ProxyDefaults with Mode, DialedDirectly and TransparentProxy fields. Note: Mode and TransparentProxy should not be set using the CRD but via annotations. [GH-928], [GH-914], [GH-992]
• CRDs: Add support for MeshConfigEntry. This resource is supported in Consul 1.10+ [GH-941]
• CRDs: Update the CRD version itself from v1beta1 to v1. Note: This is the version of the definition itself, not the underlying resources; those are still at consul.hashicorp.com/v1alpha1. This update requires no action on the behalf of users. [GH-883]
• Connect: Support high availability of the connect-inject deployment. [GH-903]
• Enterprise: Support applying Consul Enterprise license when security context defaults to non-root users. [GH-880]
• License Autoloading [Enterprise]: Support Consul Enterprise license autoloading for Consul Enterprise 1.10+. If running Consul <1.10 see BREAKING CHANGES section for upgrade instructions.
• Sync Catalog: add new syncCatalog.extraLabels Helm value for configuring labels on sync catalog pods. [GH-892]
• Updated the default envoy image to envoyproxy/envoy-alpine:v1.18.3.
• Add support to set the nodePort value in the Consul UI Service. [GH-878]
• Allow setting annotations on service accounts for: server, client, client snapshot agent, connect inject, controller, ingressGateways, meshGateway, syncCatalog, and terminatingGateways. [GH-964]
• Delete secrets created by webhook-cert-manager when the deployment is deleted. [GH-987]
• Connect: connect webhook deployment now uses webhook-cert-manager to bootstrap the webhook certificates instead of generating them inside of the webhook. [GH-861]

BUG FIXES:

• CRDs: Update the type of connectTimeout and TTL in ServiceResolver and ServiceRouter from int64 to string. This allows a user to set these values as a duration string on the resource ex '5s'.
• OpenShift: support server.exposeGossipAndRPCPorts. [GH-932]
• CRDs: Fix a bug where the config field in ProxyDefaults CR was not synced to Consul because apiextensions.k8s.io/v1 requires CRD spec to have structured schema. [GH-921]
• Don't set -disable-host-node-id=false on Consul Clients because it causes Clients to not be able to join the cluster on certain hypervisor or Kind setups. This flag was added in 0.30.0 to stop Consul logging an error when a Client pod was force deleted, but this error does not affect the pod restarting so removing the flag will have no real effect. [GH-936]

KNOWN ISSUES:

• This release does not work when Pod Security Policies are enabled. This will be fixed in the upcoming release.

0.32.0-beta3 (May 27, 2021)

KNOWN ISSUES:

• This beta release does not work when Pod Security Policies are enabled. This will be fixed in the upcoming release.

IMPROVEMENTS:

• Connect: Allow overwriting Kubernetes HTTP probes when running with transparent proxy enabled. [GH-953]
• Connect: Enable OpenShift for the connect-injector so that we can support running with transparent proxy enabled. [GH-972]
• Updated the default envoy image to envoyproxy/envoy-alpine:v1.18.3.

FEATURES:

• License Autoloading [Enterprise]: Consul Enterprise 1.10+ now requires the enterprise license for Consul to be provided as a Kubernetes secret. Once created, the secret can be configured in the helm chart with the following values:

server:
  enterpriseLicense:
    secretName: <name-of-kubernetes-secret>
    secretKey: <name-of-key-whose-value-is-the-license>

BUG FIXES:

• OpenShift: support server.exposeGossipAndRPCPorts. [GH-932]

BREAKING CHANGES:

• [Enterprise] For versions of Consul Enterprise <1.10, if the license was provided as a Kubernetes secret, the key server.enterpriseLicense.enableLicenseAutoload needs to explicitly set to false in order for the license job to run.

server:
  enterpriseLicense:
    secretName: <name-of-kubernetes-secret>
    secretKey: <name-of-key-whose-value-is-the-license>
    enableLicenseAutoload: false

0.32.0-beta2 (May 6, 2021)

IMPROVEMENTS:

• Connect: Add namespaces get/list/watch to the connect-inject clusterrole to support the ability to fetch namespace labels which can enable/disable tproxy for an entire namespace. [GH-942]

FEATURES:

• CRDs: Update ServiceDefaults with Mode, TransparentProxy and UpstreamConfigs fields. Note: Mode and TransparentProxy should not be set using this CRD but via annotations. [GH-925], [GH-914]
• CRDs: Update ProxyDefaults with Mode and TransparentProxy fields. Note: Mode and TransparentProxy should not be set using the CRD but via annotations. [GH-928], [GH-914]
• CRDs: Add support for MeshConfigEntry. This resource is supported in Consul 1.10+ [GH-941]
• Add support to set the nodePort value in the Consul UI Service. [GH-878]

BUG FIXES:

• CRDs: Fix a bug where the config field in ProxyDefaults CR was not synced to Consul because apiextensions.k8s.io/v1 requires CRD spec to have structured schema. [GH-921]
• Don't set -disable-host-node-id=false on Consul Clients because it causes Clients to not be able to join the cluster on certain hypervisor or Kind setups. This flag was added in 0.30.0 to stop Consul logging an error when a Client pod was force deleted, but this error does not affect the pod restarting so removing the flag will have no real effect. [GH-936]

BREAKING CHANGES:

• Remove templates for a demo installation of Grafana in light of recent license changes to Grafana. [GH-930]
• Remove support for admissionregistration.k8s.io/v1beta1 version of MutatingWebhookConfiguration as it is deprecated in Kubernetes 1.16+. Only the admissionregistration.k8s.io/v1 version will be supported. [GH-914]

0.32.0-beta1 (Apr 16, 2021)

IMPROVEMENTS:

• Specify kubeVersion in Chart.yaml to denote that this chart is compatible with Kubernetes 1.16+. [GH-883]
• CRDs: update the CRD versions from v1beta1 to v1. [GH-883]
• Enterprise: support applying Consul Enterprise license when security context defaults to non-root users. [GH-880]
• Sync Catalog: add new syncCatalog.extraLabels Helm value for configuring labels on sync catalog pods. [GH-892]
• Connect: Support high availability of the connect-inject deployment. [GH-903]

BREAKING CHANGES:

• Minimum Kubernetes versions supported is 1.16+. [GH-883]

• Connect: The Helm values for health checks and cleanup controller have been removed: connectInject.healthChecks and connectInject.cleanupController, as these controllers have been replaced by the endpoints controller. [GH-899]

• Connect: connect webhook deployment now uses webhook-cert-manager to bootstrap the webhook certificates instead of generating them inside of the webhook. [GH-861]

• Connect: Kubernetes Services are now required for all connect injected applications. The Kubernetes service name will be used as the service name to register with Consul unless the annotation consul.hashicorp.com/connect-service is provided to the pod to override this. If using ACLs the ServiceAccountName must match the service name used with Consul.

  Example Service:

  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: sample-app
  spec:
    selector:
      app: sample-app
    ports:
    - port: 80
      targetPort: 9090
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    labels:
      app: sample-app
    name: sample-app
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: sample-app
    template:
      metadata:
        annotations:
          'consul.hashicorp.com/connect-inject': 'true'
        labels:
          app: sample-app
      spec:
        containers:
        - name: sample-app
          image: sample-app:0.1.0
          ports:
          - containerPort: 9090

  Note: if you're already using a Kubernetes service, no changes are required.

• Connect: -enable-health-checks-controller, -health-checks-reconcile-period, -cleanup-controller-reconcile-period have been removed and are no longer supported as the controllers have been replaced by the endpoints controller. [GH-892]

• Connect: Support transparent proxy. [GH-905] This feature allows users to reach other services on the Consul Service Mesh by using KubeDNS instead of using localhost and enforces all inbound and outbound traffic within a pod to go through the Envoy proxy. Please see Transparent Proxy docs for more information.

  Note: This feature is currently in beta and requires consul-k8s v0.26.0-beta1 or higher.

  Transparent proxy is enabled by default for all Consul service mesh application. You can disable it for the entire Helm installation by setting:

  connectInject:
    transparentProxy:
      defaultEnabled: false

  Alternatively, you can enable or disable it for each individual application by using the consul.hashicorp.com/transparent-proxy pod annotation:

  ...
  metadata:
    name: example
    labels:
      app: example
    annotations:
      "consul.hashicorp.com/transparent-proxy": "true"
  ...

BUG FIXES:

• Add startup probe to connect-inject deployment to give time for certificates to be available. Previously, the deployment could be killed by Kubernetes and crash loop because certificates would take a couple of seconds. [GH-885]

0.31.1 (Mar 19, 2021)

BUG FIXES:

• Sync Catalog: fix issue running with clients disabled and auto encrypt enabled. [GH-891]
• Remove kubeVersion in Chart.yaml since it was causing installs to fail on EKS and GKE. [GH-873]

0.31.0 (Mar 18, 2021)

BREAKING CHANGES:

• Helm 2 is no longer supported as of the previous release, 0.30.0. the apiVersion for the Chart.yaml is now correctly set to v2 to properly indicate that the chart is now only supported for Helm 3 [GH-868]

FEATURES:

• Metrics: add support for metrics in Consul. This enables support for Consul Agent metrics, Consul Gateway metrics, metrics merging to serve both application and sidecar metrics and support to configure a metrics provider for the Consul UI. Additionally, adds templates for a demo installation of Prometheus and Grafana.
  • If you have these Prometheus annotations on your Connect-inject Pods and enable Connect-Inject metrics (via connectInject.metrics.defaultEnabled or consul.hashicorp.com/enable-metrics), they will be overridden:
    • prometheus.io/scrape
    • prometheus.io/port
    • prometheus.io/path

Note Metrics merging is supported in Consul version 1.10+

IMPROVEMENTS:

• CRDs: add field Last Synced Time to CRD status and add printer column on CRD to display time since when the resource was last successfully synced with Consul. [GH-849]
• Specify kubeVersion in Chart.yaml to denote that this chart is tested with Kubernetes 1.13+ [GH-870]
• Updated the default Consul image to hashicorp/consul:1.9.4.
• Updated the default consul-k8s image to hashicorp/consul-k8s:0.25.0.

BUG FIXES:

• Increase Consul client daemonset's memory from 25Mi to 50Mi for its client-tls-init init container that runs when TLS is enabled and auto-encrypt is disabled. [GH-832]

• Add UDP port specification for server's serf WAN. Previously there was only one port specification that defaulted to TCP. However in some cases (like when exposing as a host port) UDP traffic would not be routed properly.

  In addition, if server.exposeGossipAndRPCPorts is true, expose the WAN port (8302) as a host port. [GH-839]

• Fix a warning when running helm template and overriding client.affinity setting with a string. [GH-854]

0.30.0 (Feb 16, 2021)

BREAKING CHANGES:

• The following Helm settings are no longer supported and will cause errors on helm upgrade. See Upgrade to CRDs for more information on how to upgrade. [GH-763]

  • connectInject.centralConfig.defaultProtocol
  • connectInject.centralConfig.proxyDefaults
  • connectInject.centralConfig.enabled
  • meshGateway.globalMode

• The consul.hashicorp.com/connect-service-protocol annotation on Connect pods is no longer supported with this version of consul-k8s (0.23.0).

  Current deployments that have the annotation should remove it, otherwise they will get an error if a pod from that deployment is rescheduled.

  See Upgrade to CRDs for more information on how to upgrade.

• The lifecycle-sidecar command and container has been renamed to consul-sidecar. The Helm value global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. global.lifecycleSidecarContainer is no longer supported and will cause errors on helm upgrade. Please use global.consulSidecarContainer instead. [GH-810]

• Ingress Gateways: when running on platforms that use hostnames instead of IPs for LoadBalancers (e.g. EKS) the hostname will now be used as the address of the ingress gateway. Previously the first IP was used, however, the IP could be recycled or go stale whereas the hostname will always work. [[GH-813](#813]

• Helm 2 is no longer supported. It may still work, however the chart is no longer unit tested against Helm 2. [GH-807]

IMPROVEMENTS:

• Add ability to set extra labels on Consul client pods. [GH-612]
• CRDs: add value controller.aclToken to support manually passing in an ACL token to the CRD controller if independently managing ACLs. [GH-783]
• TLS: Consul client certificates now include their pod IPs in the IP SANs. This applies to auto-encrypt enabled and disabled. [GH-805]
• Consul client nodes have a new meta key called "host-ip" set to the IP of the Kubernetes node they're running on. [GH-805]
• Connect: the latest version of consul-k8s cleans up Consul connect service mesh instances whose pods are no longer running. This could happen if the pod's preStop hook failed to execute for some reason. [GH-806]
• Updated the default Consul image to hashicorp/consul:1.9.3.
• Updated the default consul-k8s image to hashicorp/consul-k8s:0.24.0.

BUG FIXES:

• Use rbac.authorization.k8s.io/v1 instead of rbac.authorization.k8s.io/v1beta1 API version for the roles and rolebindings used by the tls-init and tls-init-cleanup jobs. [GH-789]
• Fix API version of Ingress resource for Consul UI. [GH-786]
• Provide a deterministic host-based node ID for the Consul clients to fix an error when a client is terminated without a graceful shutdown. [GH-791]

0.29.0 (Jan 22, 2021)

IMPROVEMENTS:

• Use consul-k8s subcommand to perform tls-init job. This allows for server certificates to get rotated on subsequent runs. Consul servers have to be restarted in order for them to update their server certificates. [GH-749]
• Add support for Ingress resource for Consul UI. [GH-774]
• Updated the default Consul image to hashicorp/consul:1.9.2.
• Updated the default consul-k8s image to hashicorp/consul-k8s:0.23.0.

BUG FIXES:

• Consul servers no longer call consul leave command when restarted or deleted. This is because consul leave reduces the quorum size, but we want to maintain the quorum size. For example, for a server with 3 replicas the quorum size should always be 2. [GH-764]

0.28.0 (Dec 21, 2020)

⚠️ This release defaults the Consul image to 1.9.1, which panics on upgrades (Issue). We recommend using Consul-helm 0.29.0+ or updating the Consul image to 1.9.2+. ⚠️

BREAKING CHANGES:

• Setting server.bootstrapExpect to a value less than server.replicas will now give an error. This was a misconfiguration as the servers wouldn't wait until the proper number have started before electing a leader. [GH-721]
• Clients and servers now run as non root. Users can also configure server.securityContext and client.securityContext if they wish to overwrite this behavior. Please see Helm reference for more information. [GH-748]

FEATURES:

• CRDs: add new CRD IngressGateway for configuring Consul's ingress-gateway config entry. [GH-714]
• CRDs: add new CRD TerminatingGateway for configuring Consul's terminating-gateway config entry. [GH-715]
• Enable client agents outside of the K8s cluster to join a consul datacenter without the Pod IPs of the consul servers and clients in K8s needing to be routeable. Adds new helm values server.exposeGossipAndRPCPorts and server.ports.serflan.port. To enable external client agents, enable server.exposeGossipAndRPCPorts and client.exposeGossipAndPorts, and set server.ports.serflan.port to a port not being used on the host, e.g 9301. The internal IP of the K8s nodes do need to be routeable from the external client agent and the external client agent's IP also needs to be routeable from the K8s nodes. [GH-740]

IMPROVEMENTS:

• Updated the default consul-k8s image to hashicorp/consul-k8s:0.22.0. This release includes an important bug fix where the lifecycle-sidecar sometimes re-registered the application. Please see consul-k8s v0.22.0 release for more info.
• Updated the default Consul image to hashicorp/consul:1.9.1.
• Make server.bootstrapExpect optional. If not set, will now default to server.replicas. If you're currently setting server.replicas, there is no effect. [GH-721]

BUG FIXES:

• Fix pod security policy when running mesh gateways in hostNetwork mode. [GH-605]

• CRDs: (Consul Enterprise only) change ServiceResolver field failover[].namespaces to failover[].namespace. This will not affect existing ServiceResolver resources and will only update the documentation for that field.

  If failover[].namespaces was used previously, it was ignored and after this change it will still be ignored. If failover[].namespace was used previously, it worked correctly and after this change it will still work correctly. [GH-714]

• Recreate the Server/Client Pod when the Server/Client ConfigMap is updated via helm upgrade by using Server ConfigMap and Client ConfigMap values as hashes on Server StatefulSet and Client DaemonSet annotations respectively. This updates the previously hashed values of the extraConfig. [GH-550]

• Remove unused ports 8302 and 8300 from the client daemonset pods. [GH-737]

0.27.0 (Nov 25, 2020)

⚠️ This release defaults the Consul image to 1.9.0, which panics on upgrades (Issue). We recommend using Consul-helm 0.29.0+ or updating the Consul image to 1.9.2+. ⚠️

IMPROVEMENTS:

• Connect: support connectInject.logLevel setting. [GH-699]
• Connect: (Consul Enterprise only) error out if connectInject.consulNamespaces.mirroringK8S: true but global.enableConsulNamespaces: false. [GH-695]
• Updated the default Consul image to hashicorp/consul:1.9.0.
• Updated the default consul-k8s image to hashicorp/consul-k8s:0.21.0.
• Updated the default envoy image to envoyproxy/envoy-alpine:v1.16.0.

0.26.0 (Nov 12, 2020)

FEATURES:

• Kubernetes health check synchronization with Consul for connect injected pods via connectInject.healthChecks [GH-651]. The default behavior for this feature is enabled: true. See https://www.consul.io/docs/k8s/connect/health for more information. In order to enable this feature for existing installations it is required to restart all connect injected deployments so that they are re-injected. Until this is done, health checks for these deployments will not be synced to Consul.

  It is recommended to enable TLS with this setting enabled because it requires making calls to Consul clients across the cluster. Without TLS enabled, these calls could leak ACL tokens should the cluster network become compromised.

• Support for custom resource definitions (CRDs) is now generally available. CRDs require Consul >= 1.8.4. If you wish to use ServiceIntentions custom resources then this requires Consul >= 1.9.0 (which is still in beta as of this release).

  To enable, set controller.enabled: true in your Helm configuration:

  controller:
    enabled: true

  See https://www.consul.io/docs/k8s/crds for more information. NOTE: Using CRDs with an existing cluster may require additional steps to migrate previously created config entries so they can be managed by CRDs. See https://www.consul.io/docs/k8s/crds/upgrade-to-crds for full details.

BREAKING CHANGES:

• This helm release only supports consul-k8s versions 0.20+
• With the addition of the connect-inject health checks controller, any connect services which have failing Kubernetes readiness probes will no longer be routable through connect until their Kubernetes health probes are passing. Previously, if any connect services were failing their Kubernetes readiness checks they were still routable through connect. Users should verify that their connect services are passing Kubernetes readiness probes prior to using health checks synchronization.
• When health checks are enabled, Consul clients will have check_update_interval set to 0s. Previously, it was set to its default of 5m. This change ensures the output of the check will show up in the Consul UI immediately. [GH-674]
• CRDs: controller default limits.memory increased from 30Mi to 50Mi and requests.memory increased from 20Mi to 50Mi based on observed usage. [GH-649]

BUG FIXES:

• Fix issue where Consul enterprise license job would fail for Consul versions >= 1.8.1. [GH-647]

IMPROVEMENTS:

• Connect: support passing extra arguments to the injected envoy sidecar. [GH-675]

  To pass extra arguments to envoy, set connectInject.envoyExtraArgs in your Helm configuration:

  connectInject:
    enabled: true
    envoyExtraArgs: "--log-level debug --disable-hot-restart"

• Connect: update MutatingWebhook resource version to admissionregistration.k8s.io/v1 from admissionregistration.k8s.io/v1beta1 for clusters where it is supported. [GH-658]

• Updated the default Consul image to consul:1.8.5.

• Updated the default consul-k8s image to hashicorp/consul-k8s:0.20.0.

0.25.0 (Oct 12, 2020)

FEATURES:

• Support deploying this Helm chart to OpenShift 4.x. [GH-600]

  To install on OpenShift, set global.openshift.enabled to true:

  helm install consul hashicorp/consul \
    --set global.name=consul \
    --set global.openshift.enabled=true

• Beta support for custom resource definitions. [GH-636]

  Requires Consul >= 1.8.4.

  The currently supported CRDs can be used to manage Consul's Configuration Entries, specifically:

  • ProxyDefaults - https://www.consul.io/docs/agent/config-entries/proxy-defaults
  • ServiceDefaults - https://www.consul.io/docs/agent/config-entries/service-defaults
  • ServiceSplitter - https://www.consul.io/docs/agent/config-entries/service-splitter
  • ServiceRouter - https://www.consul.io/docs/agent/config-entries/service-router
  • ServiceResolver - https://www.consul.io/docs/agent/config-entries/service-resolver
  • ServiceIntentions (requires Consul >= 1.9.0) - https://www.consul.io/docs/agent/config-entries/service-intentions

  An example use looks like:

  apiVersion: consul.hashicorp.com/v1alpha1
  kind: ServiceDefaults
  metadata:
    name: defaults
  spec:
    protocol: "http"

  See https://www.consul.io/docs/k8s/crds for more information on the CRD schemas.

  To enable, set controller.enabled: true in your Helm configuration:

  controller:
    enabled: true

  This will install the CRDs, the controller that watches for CR creation, and a webhook certificate manager that manages the certificates for the controller's webhooks.

• Add acceptance test framework and automated acceptance tests to the Helm chart. Please see Contributing docs for more info on how to run and add acceptance tests. [GH-551]

IMPROVEMENTS:

• Add dns.type and dns.additionalSpec settings for changing the DNS service type and adding additional spec. [GH-555]
• Catalog Sync: Can now be run when Consul clients are disabled. It will make API calls to the Consul servers instead. [GH-570]
• Catalog Sync: Add support for changing the Consul node name where services are sync'd. [GH-580]
• Support for setting priorityClassName for sync-catalog and connect-inject deployments. [GH-609]
• Updated the default Consul image to consul:1.8.4.
• Updated the default Envoy image to envoyproxy/envoy-alpine:v1.14.4.

BREAKING CHANGES:

• connectInject.imageEnvoy and meshGateway.imageEnvoy have been removed and now inherit from global.imageEnvoy which is now standardized across terminating/ingress/mesh gateways and connectInject. global.imageEnvoy is now a required parameter. GH-585

0.24.1 (Aug 10, 2020)

BUG FIXES:

• Bumps default Consul version to 1.8.2. This version of Consul contains a fix for hashicorp/consul#8430 which causes Consul clients running on the same node as a connect-injected pod to crash loop indefinitely when restarted.

• Bumps default consul-k8s version to 0.18.1. This version contains a fix for an issue that caused all connect-injected pods to be unhealthy for 60s if they were restarted. To roll out this fix, all Connect deployments must be restarted so that they are re-injected.

0.24.0 (July 31, 2020)

IMPROVEMENTS:

• Add server.extraConfig and client.extraConfig values as hashes on Server StatefulSet and Client Daemonset annotations respectively. This recreates the server/client pod when the server/client extraConfig is updated via helm upgrade [GH-550]

• Introduce field server.extraLabels to append additional labels to consul server pods. [GH-553]

• Introduce field server.disableFsGroupSecurityContext which disables setting the fsGroup securityContext on the server statefulset. This enables deploying on platforms where the fsGroup is automatically set to an arbitrary gid. (eg OpenShift) [GH-528]

• Connect: Resource settings for Connect, mesh, ingress and terminating gateway init containers and lifecycle sidecars have been made configurable. The default values correspond to the previously set limits, except that the lifecycle sidecar memory limit has been increased to 50Mi [GH-556]. These new fields are:

  • global.lifecycleSidecarContainer.resources - Configures the resource settings for all lifecycle sidecar containers used with Connect inject, mesh gateways, ingress gateways and terminating gateways.
  • connectInject.initContainer.resources - Configures resource settings for the Connect-injected init container.
  • meshGateway.initCopyConsulContainer.resources - Configures the resource settings for the copy-consul-bin init container for mesh gateways.
  • ingressGateways.defaults.initCopyConsulContainer.resources - Configures the resource settings for the copy-consul-bin init container for ingress gateways. Defaults can be overridden per ingress gateway.
  • terminatingGateways.defaults.initCopyConsulContainer.resources - Configures the resource settings for the copy-consul-bin init container for terminating gateways. Defaults can be overridden per terminating gateway.

• Updated the default consul version to 1.8.1.

BREAKING CHANGES:

• Updating either server.extraConfig or client.extraConfig and running helm upgrade will force a restart of the server or agent pods respectively.

0.23.1 (July 10, 2020)

BUG FIXES:

• TLS: Fixes bug introduced in 0.23.0 where the DNS subject alternative names for the server certs were invalid. This would cause the server-acl-init job to run forever without completing. [GH-538]

0.23.0 (July 9, 2020)

BREAKING CHANGES:

• Connect: Resource limits have been set for ingress and terminating gateway containers and bumped up for mesh gateways. See deployment definitions for new resource settings. [GH-533, GH-534]

IMPROVEMENTS:

• Default version of consul-k8s has been set to hashicorp/consul-k8s:0.17.0.

• ClusterRoles and ClusterRoleBindings have been converted to Roles and RoleBindings for the following components because they only required access within their namespace:

  • Enterprise License Job
  • Server ACL Init
  • Server Statefulset
  • Client Daemonset
  • Client Snapshot Agent

  [GH-403]

• The volumes set by client.extraVolumes are now passed as the last -config-dir argument. This means any settings there will override previous settings. This allows users to override settings that Helm is setting automatically, for example the acl down policy. [GH-531]

BUG FIXES:

• Connect: Resource settings for mesh, ingress and terminating gateway init containers lifecycle sidecar containers have been changed to avoid out of memory errors and hitting CPU limits. [GH-515]
  • copy-consul-bin has its memory limit set to 150M up from 25M
  • lifecycle-sidecar has its CPU request and limit set to 20m up from 10m.

0.22.0 (June 18, 2020)

FEATURES:

• Supports deploying Consul Ingress and Terminating Gateways. Multiple different gateways of each type can be deployed with default values that can be overridden for specific gateways if desired. Full documentation of the configuration options can be found in the values file or in the Helm chart documentation (Ingress, Terminating). Requires Consul 1.8.0+.

  Ingress gateways: [GH-456], Terminating gateways: [GH-503]

• Resources are now set on all containers. This enables the chart to be deployed in clusters that have resource quotas set. This also ensures that Consul server and client pods won't be evicted by Kubernetes when nodes reach their resource limits.

  Resource settings have been made configurable for sync catalog, connect inject and client snapshot deployments and sidecar proxies. [GH-470]

  The default settings were chosen based on a cluster with a small workload. For production, we recommend monitoring resource usage and modifying the defaults according to your usage. [GH-466]

BREAKING CHANGES:

• If upgrading to Consul 1.8.0 and using Consul Connect, you will need to upgrade consul-k8s to 0.16.0 (by setting global.imageK8S: hashicorp/consul-k8s:0.16.0) and re-roll your Connect pods so they get re-injected, before upgrading consul. This is required because we were previously setting a health check incorrectly that now fails on Consul 1.8.0. If you upgrade to 1.8.0 without upgrading to consul-k8s 0.16.0 and re-rolling your connect pods first, the connect pods will fail their health checks and no traffic will be routed to them.

• It is recommended to use the helm repository to install the helm chart instead of cloning this repo directly. Starting with this release the master branch may contain breaking changes.

    $ helm repo add hashicorp https://helm.releases.hashicorp.com
    $ helm install consul hashicorp/consul --set global.name=consul

• Mesh Gateway: meshGateway.enableHealthChecks is no longer supported. This config option was to work around an issue where mesh gateways would not listen on their bind ports until a Connect service was registered. This issue was fixed in Consul 1.6.2. (GH-464)

• Mesh Gateway: The default resource settings have been changed. To keep the previous settings, you must set meshGateway.resources in your own Helm config. (GH-466)

  Before:

  meshGateway:
    resources:
      requests:
        memory: "128Mi"
        cpu: "250m"
      limits:
        memory: "256Mi"
        cpu: "500m"

  After:

  meshGateway:
    resources:
      requests:
        memory: "100Mi"
        cpu: "100m"
      limits:
        memory: "100Mi"
        cpu: "100m"

• Clients and Servers: There are now default resource settings for Consul clients and servers. Previously, there were no default settings which meant the default was unlimited. This change was made because Kubernetes will prefer to evict pods that don't have resource settings and that resulted in the Consul client and servers being evicted. The default resource settings were chosen based on a low-usage cluster. If you are running a production cluster, use the kubectl top command to see how much CPU and memory your clients and servers are using and set the resources accordingly [GH-466].

• global.bootstrapACLs has been removed, use global.acls.manageSystemACLs instead [GH-501].

IMPROVEMENTS:

• Add component label to the server, DNS, and UI services [GH-480].

• Provide the ability to set a custom CA Cert for consul snapshot agent [GH-481].

• Add support for client host networking [GH-496].

  To enable:

  client:
    hostNetwork: true
    dnsPolicy: ClusterFirstWithHostNet

• Add ability to set Affinity and Tolerations to Connect Inject and Catalog Sync [GH-335].

• Updated the default consul-k8s version to 0.16.0.

• Updated the default consul version to 1.8.0.

• Update default Envoy image version and OS to envoyproxy/envoy-alpine:1.14.2 [GH-502].

DEPRECATIONS

• Setting resources via YAML string is now deprecated. Instead, set directly as YAML. This affects client.resources, server.resources and meshGateway.resources. To set directly as YAML, simply remove the pipe (|) character that defines the YAML as a string [GH-465]:

  Before:

  client:
    resources: |
      requests:
        memory: "128Mi"
        cpu: "250m"
      limits:
        memory: "256Mi"
        cpu: "500m"

  After:

  client:
    resources:
      requests:
        memory: "128Mi"
        cpu: "250m"
      limits:
        memory: "256Mi"
        cpu: "500m"

0.21.0 (May 14, 2020)

FEATURES

• Add experimental support for multi-datacenter federation via

  global:
    federation:
      enabled: true

  This requires Consul 1.8.0+ (which as of this release is only available as a beta. To use the beta, set global.image: consul:1.8.0-beta1)

• Add new Helm value global.federation.createFederationSecret that will create a Kubernetes secret in primary datacenters that can be exported to secondary datacenters to help bootstrap secondary clusters for federation (GH-447).

IMPROVEMENTS

• Default Consul Docker image is now consul:1.7.3.
• Default consul-k8s Docker image is now hashicorp/consul-k8s:0.15.0.
• ACLs: Restrict permissions for the server-acl-init job [GH-454].

BUG FIXES

• Fix missing NODE_NAME environment variable when setting meshGateway.wanAddress.source=NodeName [GH-453].

0.20.1 (Apr 27, 2020)

BUG FIXES

• Fix a bug where client.join and externalServers.hosts values containing spaces are not quoted properly, for example, when providing cloud auto-join strings [GH-435].

0.20.0 (Apr 24, 2020)

BREAKING CHANGES:

• External Servers [GH-430]:

  • externalServers.https.address moved to externalServers.hosts and changed its type from string to array.
  • externalServers.https.port moved to externalServers.httpsPort and its default value changed from 443 to 8501.
  • externalServers.https.tlsServerName moved to externalServers.tlsServerName.
  • externalServers.https.useSystemRoots moved to externalServers.useSystemRoots.

  For example, if previously setting externalServers like so:

  externalServers:
    enabled: true
    https:
      address: "example.com"
      port: 443
      tlsServerName: null
      useSystemRoots: false

  Now you need to change it to the following:

  externalServers:
    enabled: true
    hosts: ["example.com"]
    httpsPort: 443
    tlsServerName: null
    useSystemRoots: false

• Auto-encrypt: You can no longer re-use client.join property if using auto-encrypt with externalServers.enabled set to true. You must provide Consul server HTTPS address via externalServers.hosts and externalServers.httpsPort.

  For example, if previously setting:

  tls:
    enabled: true
    enabledAutoEncrypt: true
  externalServers:
    enabled: true
  client:
    join: ["consul.example.com"]

  Now you need to change it to:

    tls:
      enabled: true
      enabledAutoEncrypt: true
    externalServers:
      enabled: true
      hosts: ["consul.example.com"]
    client:
      join: ["consul.example.com"]

FEATURES:

• Support managing ACLs when running Consul servers externally to Kubernetes:

  • ACLs: Support providing your own bootstrap token [GH-420]. If provided, the server-acl-init job will skip server ACL bootstrapping.

    Example:

    global:
      acls:
        manageSystemACLs: true
        bootstrapToken:
          secretName: bootstrap-token
          secretKey: token

  • External Servers: Add externalServers.k8sAuthMethodHost to allow configuring a custom location of the Kubernetes API server for the auth method created in Consul [GH-420]. The Kubernetes API server provided here must be reachable from the external Consul servers.

    Example:

    externalServers:
      enabled: true
      k8sAuthMethodHost: https://kubernetes-api.example.com:443

IMPROVEMENTS:

• Default to the latest version of consul-k8s: hashicorp/consul-k8s:0.14.0

BUG FIXES:

• tls-init-cleanup can run even if pre-install fails [GH-419].

0.19.0 (Apr 7, 2020)

BREAKING CHANGES:

• Mesh Gateways:

  • meshGateway.wanAddress - The following values are no longer supported:

    meshGateway:
      wanAddress:
        useNodeIP: true
        useNodeName: false
        host: ""

    Instead, if previously setting useNodeIP: true, now you must set:

    meshGateway:
      wanAddress:
        source: "NodeIP"

    If previously setting useNodeName: true, now you must set:

    meshGateway:
      wanAddress:
        source: "NodeName"

    If previously setting host: "example.com", now you must set:

    meshGateway:
      wanAddress:
        source: "Static"
        static: "example.com"

    where meshGateway.wanAddress.static is set to the previous host value.

  • meshGateway.service.enabled now defaults to true. If previously you were enabling mesh gateways but not enabling the service, you must now explicitly set this to false:

    Previously:

    meshGateway:
      enabled: true

    Now:

    meshGateway:
      enabled: true
      service:
        enabled: false

  • meshGateway.service.type now defaults to LoadBalancer instead of ClusterIP. To set to ClusterIP use:

    meshGateway:
      service:
        type: ClusterIP

  • meshGateway.containerPort now defaults to 8443 instead of 443. This is to support running in Google Kubernetes Engine by default. This change should have no effect because the service's targetPort will change accordingly so you will still be able to route to the mesh gateway as before. If you wish to keep the port as 443 you must set:

    meshGateway:
      containerPort: 443

FEATURES:

• Add externalServers configuration to support configuring the Helm chart with Consul servers running outside of a Kubernetes cluster [GH-375]. At the moment, this configuration is only used together with auto-encrypt, but might be extended later for other use-cases.

  To use auto-encrypt with external servers, you can set:

  externalServers:
    enabled: true

  This will tell all consul-k8s components to talk to the external servers to retrieve the clients' CA. Take a look at other properties you can set for externalServers here.

• ACLs: Support ACL replication. ACL replication allows two or more Consul clusters to be federated when ACLs are enabled. One cluster is designated the primary and the rest are secondaries. The primary cluster replicates its ACLs to the secondaries. [GH-368]

  NOTE: This feature requires that the clusters are federated.

  Primary cluster:

  global:
    acls:
      manageSystemACLs: true
      createReplicationToken: true

  The replication acl token Kubernetes secret is exported from the primary cluster into the secondaries and then referenced in their Helm config:

  global:
    acls:
      manageSystemACLs: true
      replicationToken:
        secretName: name
        secretKey: key

• Mesh Gateways: Automatically set mesh gateway addresses when using a Kubernetes Load Balancer service. To use, set:

  meshGateway:
    enabled: true
    service:
      enabled: true
      type: "LoadBalancer"
    wanAddress:
      source: "Service"

  [GH-388]

• Support setting image pull secrets via service accounts [GH-411].

IMPROVEMENTS:

• Default to the latest version of consul-k8s: hashicorp/consul-k8s:0.13.0
• Default to the latest version of Consul: consul:1.7.2
• Allow setting specific secret keys in server.extraVolumes [GH-395]
• Support auto-encrypt [GH-375]. Auto-encrypt is the feature of Consul that allows clients to bootstrap their own certs at startup. To enable it through the Helm Chart, set:

  global:
    tls:
      enabled: true
      enableAutoEncrypt: true

• Run the enterprise license job on Helm upgrades, as well as installs [GH-407].

BUGFIXES:

• Mesh Gateways: Mesh gateways are no longer de-registered when their node's Consul client restarts. [GH-380]

DEPRECATIONS:

• global.bootstrapACLs is deprecated. Instead, set global.acls.manageSystemACLs. global.bootstrapACLs will be supported for the next three releases.

  Previously:

  global:
    bootstrapACLs: true

  Now:

  global:
    acls:
      manageSystemACLs: true

0.18.0 (Mar 18, 2020)

IMPROVEMENTS:

• Allow setting your own certificate authority for Consul to Consul communication (i.e. not Connect service to service communication) [GH-346]. To use, set:

  global:
    tls:
      caCert:
        secretName: null
        secretKey: null
      caKey:
        secretName: null
        secretKey: null

  See values.yaml for more details.
• Allow setting custom annotations for Consul server service [GH-376] To use, set:

  server:
    service:
      annotations: |
        "annotation-key": "annotation-value"

BUG FIXES:

• Fix incompatibility with Helm 3.1.2. [GH-390]
• Ensure the Consul Enterprise license gets applied, even if servers take a long time to come up. [GH-348)

0.17.0 (Feb 21, 2020)

BREAKING CHANGES:

• consul-k8s v0.12.0+ is now required. The chart is passing new flags that are only available in this version. To use this version if not using the chart defaults, set

  global:
    imageK8S: hashicorp/consul-k8s:0.12.0

IMPROVEMENTS:

• Catalog Sync

  • New Helm values have been added to configure which Kubernetes namespaces we will sync from. The defaults are shown below:

    syncCatalog:
      toConsul: true
      k8sAllowNamespaces: ["*"]
      k8sDenyNamespaces: ["kube-system", "kube-public"]

  • If running Consul Enterprise 1.7.0+, Consul namespaces are supported. New Helm values have been added to allow configuring which Consul namespaces Kubernetes services are synced to. See https://www.consul.io/docs/platform/k8s/service-sync.html#consul-enterprise-namespaces for more details.

    global:
      enableConsulNamespaces: true
    syncCatalog:
      consulNamespaces:
        # consulDestinationNamespace is the name of the Consul namespace to register all
        # k8s services into. If the Consul namespace does not already exist,
        # it will be created. This will be ignored if `mirroringK8S` is true.
        consulDestinationNamespace: "default"
    
        # mirroringK8S causes k8s services to be registered into a Consul namespace
        # of the same name as their k8s namespace, optionally prefixed if
        # `mirroringK8SPrefix` is set below. If the Consul namespace does not
        # already exist, it will be created. Turning this on overrides the
        # `consulDestinationNamespace` setting.
        # `addK8SNamespaceSuffix` may no longer be needed if enabling this option.
        mirroringK8S: false
    
        # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
        # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
        # service in the k8s `staging` namespace will be registered into the
        # `k8s-staging` Consul namespace.
        mirroringK8SPrefix: ""

• Connect Inject

  • New Helm values have been added to configure which Kubernetes namespaces we will inject pods in. The defaults are shown below:

    connectInject:
      k8sAllowNamespaces: ["*"]
      k8sDenyNamespaces: []

  • If running Consul Enterprise 1.7.0+, Consul namespaces are supported. New Helm values have been added to allow configuring which Consul namespaces Kubernetes pods are registered into. See https://www.consul.io/docs/platform/k8s/connect.html#consul-enterprise-namespaces for more details.

    global:
      enableConsulNamespaces: true
    
    connectInject:
      consulNamespaces:
        # consulDestinationNamespace is the name of the Consul namespace to register all
        # k8s pods into. If the Consul namespace does not already exist,
        # it will be created. This will be ignored if `mirroringK8S` is true.
        consulDestinationNamespace: "default"
    
        # mirroringK8S causes k8s pods to be registered into a Consul namespace
        # of the same name as their k8s namespace, optionally prefixed if
        # `mirroringK8SPrefix` is set below. If the Consul namespace does not
        # already exist, it will be created. Turning this on overrides the
        # `consulDestinationNamespace` setting.
        mirroringK8S: false
    
        # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
        # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
        # pod in the k8s `staging` namespace will be registered into the
        # `k8s-staging` Consul namespace.
        mirroringK8SPrefix: ""

BUG FIXES:

• Fix template rendering bug when setting connectInject.overrideAuthMethodName [GH-342]
• Set "consul.hashicorp.com/connect-inject": "false" annotation on enterprise license job so it is not connect injected [GH-343]

DEPRECATIONS:

• .syncCatalog.k8sSourceNamespace should no longer be used. Instead, use the new .syncCatalog.k8sAllowNamespaces and .syncCatalog.k8sDenyNamespaces features. For backward compatibility, if both this and the allow/deny lists are set, the allow/deny lists will be ignored.

NOTES:

• Bootstrap ACLs: Previously, ACL policies were not updated after creation. Now, if namespaces are enabled, they are updated every time the ACL bootstrapper is run so that any namespace config changes can be adjusted. This change is only an issue if you are updating ACL policies after creation.

0.16.2 (Jan 15, 2020)

BUG FIXES:

• Fix Helm Chart version.

0.16.1 (Jan 14, 2020)

BUG FIXES:

• Fix a bug with the tls-init job, in which it could not correctly detect CA file if Consul domain is provided [GH-329].

0.16.0 (Jan 10, 2020)

IMPROVEMENTS:

• Optionally allow enabling TLS for Consul communication [GH-313]. If global.tls.enabled is set to true, the Helm chart will generate a CA and necessary certificates and enable TLS for servers, clients, Connect injector, Mesh gateways, catalog sync, ACL bootstrapping, and snapshot agents.

  Note that this feature is only supported if both servers and clients are running on Kubernetes. We will have better support for other deployment architectures, as well as bringing your own CA, in the future.

  Also, note that simply turning on this feature and running helm upgrade will result in downtime if you are using Consul Connect or Sync Catalog features. We will be adding instructions on how to do this upgrade without downtime soon. Additionally, if you do decide to proceed with an upgrade despite downtime and you're using Consul Connect, all application pods need to be recreated after upgrade, so that the Connect injector can re-inject Envoy sidecars with TLS enabled.

• Use the latest version of consul-k8s (0.11.0).

• Add pod name as metadata to client nodes to help users map nodes in Consul to underlying client pods [GH-315].

• Rename enterprise-licence.yaml template to enterprise-license-job.yaml [GH-321].

BUG FIXES:

• Fix graceful termination for servers [GH-313]. terminationGracePeriod is now set to 30 seconds for the servers. The previous setting of 10 seconds wasn't always enough time for a graceful leave, and in those cases, servers leave the cluster in a "failed" state. Additionally, clients always set leave_on_terminate to true. This replaces the preStop hook that was calling consul leave. Note that leave_on_terminate defaults to true for clients as of Consul 0.7, so this change only affects earlier versions.

• Helm test runner now respects the provided namespace [GH-320].

• Add pod security policies for the enterprise-license [GH-325] and the server-acl-init jobs [GH-326].

0.15.0 (Dec 17, 2019)

BREAKING CHANGES:

• connectInject.centralConfig defaults to true now instead of false. This is to make it easier to configure Connect via service-defaults and other routing config [GH-302]. See https://www.consul.io/docs/agent/options.html#enable_central_service_config.

  If you wish to disable central config, set connectInject.centralConfig to false in your local values file. NOTE: If connectInject.enabled is false, then central config is not enabled so this change will not affect you.

• Connect Inject: If using Connect Inject, you must also upgrade your consul-k8s version to a version >= 0.10.1. A new flag is being passed in to consul-k8s which is not supported in earlier versions.

BUG FIXES:

• Fix bug with fullnameOverride and add new global.name setting for changing the default prefix for resources. [GH-286]

• Connect Inject: Fix critical bug where Connect-registered services instances would be de-registered when the Consul client on the same node was restarted. This fix adds a new sidecar that ensures the service instance is always registered. [GH-314]

0.14.0 (Dec 10, 2019)

IMPROVEMENTS:

• Consul client DaemonSet can now use a hostPath mount for its data directory by setting the client.dataDirectoryHostPath value. This setting is currently necessary to ensure that when a Consul client Pod is deleted, e.g. during a Consul version upgrade, it does not lose its Connect service registrations. In the next version, we plan to have services automatically re-register which will remove the need for this. [GH-298] (Update: 0.15.0 uses a version of consul-k8s that fixes this bug and so hostPath is longer necessary)

  Security Warning: If using this setting, Pod Security Policies must be enabled on your cluster and in this Helm chart (via the global.enablePodSecurityPolicies setting) to prevent other Pods from mounting the same host path and gaining access to all of Consul's data. Consul's data is not encrypted at rest.

• New configuration option client.updateStrategy allows setting the update strategy for the Client DaemonSet. [GH-298]

• New configuration option client.dnsPolicy allows setting the DNS policy for the Client DaemonSet. [GH-298]

0.13.0 (Dec 5, 2019)

BREAKING CHANGES:

• client.grpc defaults to true now instead of false. This is to make it harder to misconfigure Connect. [GH-282]

  If you do not wish to enable gRPC for clients, set client.grpc to false in your local values file.

• Add syncCatalog.addK8SNamespaceSuffix and default it to true. [GH-280] Note: upgrading an existing installation will result in deregistering of existing synced services in Consul and registering them with a new name. If you would like to avoid this behavior set syncCatalog.addK8SNamespaceSuffix to false.

  This changes the default service names registered from Kubernetes into Consul. Previously, we would register all Kubernetes services, regardless of namespace, as the same service in Consul. After this change, the default behaviour is to append the Kubernetes namespace to the Consul service name. For example, given a Kubernetes service foo in the namespace namespace, it would be registered in Consul as foo-namespace. The name can also be controlled via the consul.hashicorp.com/service-name annotation.

IMPROVEMENTS:

• Use the latest version of consul (1.6.2)
• Use the latest version of consul-k8s (0.9.5)
• Add connectInject.overrideAuthMethodName to allow setting the -acl-auth-method flag [GH-278]
• Support external to k8s Consul servers [GH-289]

BUG FIXES:

• Do not run server-acl-init during server rollout [GH-292]

0.12.0 (Oct 28, 2019)

IMPROVEMENTS:

• Use the latest version of consul-k8s (0.9.4)
• Support bootstrapACLs when only servers are enabled (not clients) [GH-250]
• Use less privileges for catalog sync when not syncing to k8s [GH-248]
• Enable disabling tests for users using helm template [GH-249]

BUG FIXES:

• Fix missing required field "caBundle" bug [GH-213]

0.11.0 (Oct 15, 2019)

IMPROVEMENTS:

• Use the latest version of Consul (1.6.1)

BUG FIXES:

• Use the latest version of consul-k8s (0.9.3) which fixes issues with upgrading between Helm chart versions when bootstrapACLs is enabled [GH-246].
• Add server-acl-init-cleanup job to clean up the server-acl-init job when it completes successfully [GH-246].
• Add the ability to specify Consul client daemonset affinity [GH-165]

0.10.0 (Oct 4, 2019)

IMPROVEMENTS:

• Use latest version of Consul (1.6.0) and consul-k8s (0.9.2)
• Remove random value from helm test to enable helmfile use [GH-143]

BUG FIXES:

• The latest version of consul-k8s fixes issues with the server-acl-init job failing repeatedly.

0.9.0 (Sep 6, 2019)

IMPROVEMENTS:

• Support running the consul snapshot agent
• Support mesh gateways
• Allow setting annotations for the DNS service
• Allow setting -consul-write-interval, -log-level and -k8s-source-namespace flags for consul-k8s sync
• Allow setting DNS service IP
• Fix issues where acl-init job would fail repeatedly and ACLs would not be bootstrapped

BUG FIXES:

• Fix enterprise license application when ACLs are turned off
• rules key must always be set (fixes #178)

0.8.1 (May 9, 2019)

IMPROVEMENTS:

• Update default consul-k8s version to 0.8.1 for a central config bug fix

0.8.0 (May 8, 2019)

IMPROVEMENTS:

• Support adding a prefix to Kubernetes services registered in Consul [GH 140]
• Support an option for automatically bootstrapping ACLs in a Consul cluster that is run fully in Kubernetes. If connectInject is enabled with this option on, this also automatically configures a new Kubernetes AuthMethod so that injected services are automatically granted ACL tokens based on their Kubernetes service account.
• Support central service configuration including proxy defaults in Connect (available in Consul 1.5+).
• Remove the gossipEncryption.enabled option and instead have the implementation based on the existence of the secretName and secretKey.

0.7.0 (March 21, 2019)

BREAKING CHANGES:

• If previously setting the release name to consul, you must now set fullnameOverride: consul in your config to prevent all resources being renamed.

IMPROVEMENTS:

• Support pod PriorityClasses for Consul servers and clients
• Add annotation and additional spec values for the UI service
• Add liveness and readiness checks to the catalog sync pod [consul-k8s GH 57]
• Support custom annotations for Consul clients and servers
• Support PodSecurityPolicies for Consul components
• Add service accounts and cluster roles/role bindings for each Consul component
• Add the namespace to the metadata volume name
• Support tolerations on Consul client and server pods
• Support gossip protocol encryption
• Allows custom environment variables for Consul client and server pods
• Support nodeSelectors for all components

BUG FIXES:

• Allow setting extraConfig variables using Helm's --set flag [GH 74]
• Fix a formatting bug in the enterprise license command

0.6.0 (February 8, 2019)

IMPROVEMENTS:

• Supports applying a Consul Enterprise License to the cluster through the Helm chart
• Support assigning an ACL token to the catalog sync process [GH 26]
• Updates default consul version to 1.4.2 and consul-k8s version to 0.5.0

BUG FIXES:

• Switch the chart labels to a non-changing value to allow helm upgrades [GH 86]

0.5.0 (January 11, 2019)

IMPROVEMENTS:

• Supports new NodePort syncing style that uses the node ip address
• Adds a configurable tab to the Kubernetes -> Consul sync

0.4.0 (December 7, 2018)

IMPROVEMENTS:

• RBAC support for syncCatalog. This will create the ClusterRole, ClusterRoleBinding and ServiceAccount that is necessary for the catalog sync. [GH-20]
• client: agents now have the node name set to the actual K8S node name [GH-14]
• RBAC support for connectInject. This will create a ClusterRole, ClusterRoleBinding, and ServiceAccount that is necessary for the connect injector to automatically generate TLS certificates to interact with the Kubernetes API.
• Server affinity is now configurable. This makes it easier to run an entire Consul cluster on Minikube. [GH-13]
• Liveness probes are now http calls, reducing errors in the logs.
• All namespaced resources now specify the namespace metadata, making helm template usage in a non-default namespace easier. [GH-66]
• Add support for ClusterIP service syncing.

BUG FIXES:

• Add catalog sync default behavior flag to the chart [GH-28]
• Updated images to point to latest versions for 0.3.0.
• Add missing continuation characters to long commands [GH-26].
• connectInject: set the correct namespace for the MutatingWebhookConfiguration so that deployments work in non-default namespaces. [GH-38]
• Provide a valid maxUnavailable value when replicas=1. [GH-58]
• Correctly sets server resource requirements.
• Update the maxUnavailable default calculation to allow rolling updates on 3 server clusters. [GH-71]

0.3.0 (October 11, 2018)

FEATURES:

• connectInject can install the automatic Connect sidecar injector.

0.2.0 (September 26, 2018)

FEATURES:

• syncCatalog can install the service catalog sync functionality.

IMPROVEMENTS:

• server: support storageClass [GH-7]

0.1.0

Initial release