SECURITY:
* Updated to compile with Go 1.12.8 which mitigates CVE-2019-9512 and
CVE-2019-9514 for the builtin HTTP server [GH-6319]
* Updated the google.golang.org/grpc dependency to v1.23.0 to mitigate
CVE-2019-9512, CVE-2019-9514, and CVE-2019-9515 for the gRPC
server. [GH-6320]
BREAKING CHANGES:
* connect: remove deprecated managed proxies and ProxyDestination config [GH-6220]
FEATURES:
* Connect Envoy Supports L7 Routing: Additional configuration entry types
service-router, service-resolver, and service-splitter, allow for
configuring Envoy sidecars to enable reliability and deployment patterns at
L7 such as HTTP path-based routing, traffic shifting, and advanced failover
capabilities. For more information see the L7 traffic management docs.
* Mesh Gateways: Envoy can now be run as a gateway to route Connect traffic
across datacenters using SNI headers, allowing connectivty across platforms
and clouds and other complex network topologies. Read more in the mesh
gateway docs.
* Intention & CA Replication: In order to enable connecitivty for services
across datacenters, Connect intentions are now replicated and the Connect
CA cross-signs from the primary_datacenter. This feature was previously
part of Consul Enterprise.
* agent: add local-only parameter to operator/keyring list requests to
force queries to only hit local servers. [GH-6279]
* connect: expose an API endpoint to compile the discovery chain [GH-6248]
* connect: generate the full SNI names for discovery targets in the
compiler rather than in the xds package [GH-6340]
* connect: introduce ExternalSNI field on service-defaults [GH-6324]
* xds: allow http match criteria to be applied to routes on services using
grpc protocols [GH-6149]
IMPROVEMENTS:
* agent: Added tagged addressing to services similar to the already present
Node tagged addressing [GH-5965]
* agent: health checks: change long timeout behavior to use to
user-configured timeout value [GH-6094]
* api: Display allowed HTTP CIDR information nicely [GH-6029]
* api: Update filtering language to include substring and regular
expression matching on string values [GH-6190]
* connect: added a new -bind-address cli option for envoy to create a
mapping of the desired bind addresses to use instead of the default rules
or tagged addresses [GH-6107]
* connect: allow L7 routers to match on http methods [GH-6164]
* connect: change router syntax for matching query parameters to resemble
the syntax for matching paths and headers for consistency. [GH-6163]
* connect: detect and prevent circular discovery chain references [GH-6246]
* connect: ensure time.Duration fields retain their human readable forms in
the API [GH-6348]
* connect: reconcile how upstream configuration works with discovery chains
[GH-6225]
* connect: rework how the service resolver subset OnlyPassing flag works
[GH-6173]
* connect: simplify the compiled discovery chain data structures [GH-6242]
* connect: validate and test more of the L7 config entries [GH-6156]
* gossip: increase size of gossip key generated by keygen to 32 bytes and
document support for AES 256 [GH-6244]
* license (enterprise): Added license endpoint support to the API client
[GH-6268]
* xds: improve how envoy metrics are emitted [GH-6312]
* xds: Verified integration test suite with Envoy 1.11.1 [GH-6347]
BUG FIXES:
* acl: Fixed a bug that could prevent transition from legacy ACL mode to
new ACL mode [GH-6332
* agent: blocking central config RPCs iterations should not interfere with
each other [GH-6316]
* agent: fix an issue that could cause a panic while transferring
leadership due to replication [GH-6104]
* api: Fix a bug where the service tagged addresses were not being returned
through the v1/agent/service/:service api. [GH-6299]
* api: un-deprecate api.DecodeConfigEntry [GH-6278]
* auto_encrypt: use server-port [GH-6287]
* autopilot: update to also remove failed nodes from WAN gossip pool
[GH-6028]
* cli: ensure that the json form of config entries can be submitted with
'consul config write' [GH-6290]
* cli: Fixed bindable IP detection with the connect envoy
command. [GH-6238]
* config: Ensure that all config entry writes are transparently forwarded
to the primary datacneter. [GH-6327]
* connect: allow 'envoy_cluster_json' escape hatch to continue to function
[GH-6378]
* connect: allow mesh gateways to use central config [GH-6302]
* connect: ensure intention replication continues to work when the
replication ACL token changes [GH-6288]
* connect: ensure local dc connections do not use the gateway [GH-6085]
* connect: fix bug in service-resolver redirects if the destination uses a
default resolver [GH-6122]
* connect: Fixed a bug that would prevent CA replication/initializing in a
secondary DC from working when ACLs were enabled. [GH-6192]
* connect : Fixed a regression that broken xds endpoint generation for
prepared query upstreams. [GH-6236]
* connect: fix failover through a mesh gateway to a remote datacenter
[GH-6259]
* connect: resolve issue where MeshGatewayConfig could be returned empty
[GH-6093]
* connect: updating a service-defaults config entry should leave an unset
protocol alone [GH-6342]
* connect: validate upstreams and prevent duplicates [GH-6224]
* server: if inserting bootstrap config entries fails don't silence the
errors [GH-6256]
* snapshot: fix TCP half-close implementation for TLS connections [GH-6216]
KNOWN ISSUES
* auto_encrypt: clients with auto_encrypt enabled won't be able to start
because of [GH-6391]. There is a fix, but it came too late and we couldn't
include it in the release. It will be part of 1.6.1 and we recommend that
if you are using auto_encrypt you postpone the update.
340101b72f