HashiCorp/Consul

Consul

$npx -y @buildinternet/releases show consul

Sun

Mon

Tue

Wed

Thu

Fri

Sat

AprMayJunJulAugSepOctNovDecJanFebMarApr

Less

Releases4Avg1/moVersionsv1.22.3 → v1.22.6

Dec 2, 2025

v1.18.15 (Enterprise)

1.18.15+ent (September 21, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

SECURITY:

Migrate transitive dependency from archived mitchellh/mapstructure to go-viper/mapstructure to v2 to address CVE-2025-52893. [GH-22581]
agent: Add the KV Validations to block path traversal allowing access to unauthorized endpoints. [GH-22682]
agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [GH-22534]
agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [GH-22626]
api: add charset in all applicable content-types. [GH-22598]
connect: Upgrade envoy version to 1.32.12 [GH-11332]
security: Fix GHSA-65rg-554r-9j5x (CVE-2024-48908) by upgrading lycheeverse/lychee-action. [GH-22667]
security: Fix a security vulnerability where the attacker could bypass authentication by passing url params as there was no validation on them. [GH-22612]
security: perform constant time compare for sensitive values. [GH-22537]
security: upgrade go version to 1.25.0 [GH-22652]
security:: (Enterprise only) fix nil pointer dereference.
security:: (Enterprise only) fix potential race condition in partition CRUD.
security:: (Enterprise only) perform constant time compare for sensitive values.

FEATURES:

config: Add new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream [GH-22604]
config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in API Gateway config and proxy-defaults [GH-22679]
config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Mesh Gateway via service-defaults and proxy-defaults [GH-22722]
config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Terminating Gateway service-defaults and proxy-defaults [GH-22680]

BUG FIXES:

agent: Don't show admin partition during errors [GH-11154]

v1.18.14 (Enterprise)

1.18.14 Enterprise (August 13, 2025)

SECURITY:

security: Update Go to 1.23.12 to address CVE-2025-47906 [GH-22547]

IMPROVEMENTS:

ui: Replaced internal code editor with HDS (HashiCorp Design System) code editor and code block components for improved accessibility and maintainability across the Consul UI. [GH-22513]

BUG FIXES:

cli: capture pprof when ACL is enabled and a token with operator:read is used, even if enable_debug config is not explicitly set. [GH-22552]
connect: handle Access Control List errors when blocking query timeouts are reached in Consul Connect [GH-20876]

v1.18.13 (Enterprise)

1.18.13 Enterprise (July 28, 2025)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

Bump Dockerfile base image to alpine:3.22. [GH-10870]
build(deps): bump golang.org/x/sync from 0.12.0 to 0.15.0 [GH-10788]

v1.18.12 (Enterprise)

1.18.12 Enterprise (June 18, 2025)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

security: Upgrade UBI base image version to address CVE CVE-2025-4802 CVE-2024-40896 CVE-2024-12243 CVE-2025-24528 CVE-2025-3277 CVE-2024-12133 CVE-2024-57970 CVE-2025-31115 [GH-22409]
cli: update tls ca and cert create to reduce excessive file perms for generated public files [GH-22286]
connect: Added non default namespace and partition checks to ConnectCA CSR requests. [GH-22376]
security: Upgrade Go to 1.23.10. [GH-22412]

IMPROVEMENTS:

config: Warn about invalid characters in datacenter resulting in non-generation of X.509 certificates when using external CA for agent TLS communication. [GH-22382]

BUG FIXES:

http: return a clear error when both Service.Service and Service.ID are missing during catalog registration [GH-22381]
license: (Enterprise only) Fixed issue where usage metrics are not written to the snapshot to export the license data. [GH-10668]

v1.18.0 (Enterprise)

1.18.0 (February 27, 2024)

BREAKING CHANGES:

config-entries: Allow disabling request and idle timeouts with negative values in service router and service resolver config entries. [GH-19992]
telemetry: Adds fix to always use the value of telemetry.disable_hostname when determining whether to prefix gauge-type metrics with the hostname of the Consul agent. Previously, if only the default metric sink was enabled, this configuration was ignored and always treated as true, even though its default value is false. [GH-20312]

SECURITY:

Update golang.org/x/crypto to v0.17.0 to address CVE-2023-48795. [GH-20023]
connect: Update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address CVE-2023-44487 [GH-19306]
mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, CVE-2023-44487, GH-20589], CVE-2023-44487, and [GH-19879]

FEATURES:

acl: add policy bindtype to binding rules. [GH-19499]
agent: Introduces a new agent config default_intention_policy to decouple the default intention behavior from ACLs [GH-20544]
agent: (Enterprise Only) Add fault injection filter support for Consul Service Mesh
cloud: Adds new API/CLI to initiate and manage linking a Consul cluster to HCP Consul Central [GH-20312]
dns: adds experimental support for a refactored DNS server that is v1 and v2 Catalog compatible. Use v2dns in the experiments agent config to enable. It will automatically be enabled when using the resource-apis (Catalog v2) experiment. The new DNS implementation will be the default in Consul 1.19. See the Consul 1.18.x Release Notes for deprecated DNS features. [GH-20643]
ui: Added a banner to let users link their clusters to HCP [GH-20275]
ui: Adds a redirect and warning message around unavailable UI with V2 enabled [GH-20359]
ui: adds V2CatalogEnabled to config that is passed to the ui [GH-20353]
v2: prevent use of the v2 experiments in secondary datacenters for now [GH-20299]

IMPROVEMENTS:

cloud: unconditionally add Access-Control-Expose-Headers HTTP header [GH-20220]
connect: Replace usage of deprecated Envoy field envoy.config.core.v3.HeaderValueOption.append. [GH-20078]
connect: Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2. [GH-20013]
docs: add Link API documentation [GH-20308]
resource: lowercase names enforced for v2 resources only. [GH-19218]

BUG FIXES:

dns: SERVFAIL when resolving not found PTR records. [GH-20679]
raft: Fix panic during downgrade from enterprise to oss. [GH-19311]
server: Ensure controllers are automatically restarted on internal stream errors. [GH-20642]
server: Ensure internal streams are properly terminated on snapshot restore. [GH-20642]
snapshot-agent: (Enterprise only) Fix a bug with static AWS credentials where one of the key id or secret key is provided via config file and the other is provided via an environment variable.

v1.17.0 (Enterprise)

1.17.0 (October 31, 2023)

BREAKING CHANGES:

api: RaftLeaderTransfer now requires an id string. An empty string can be specified to keep the old behavior. [GH-17107]
audit-logging: (Enterprise only) allowing timestamp based filename only on rotation. initially the filename will be just file.json [GH-18668]

SECURITY:

Update golang.org/x/net to v0.17.0 to address CVE-2023-39325 / CVE-2023-44487(x/net/http2). [GH-19225]
Upgrade Go to 1.20.10. This resolves vulnerability CVE-2023-39325 / CVE-2023-44487(net/http). [GH-19225]
Upgrade google.golang.org/grpc to 1.56.3. This resolves vulnerability CVE-2023-44487. [GH-19414]
connect: update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address CVE-2023-44487 [GH-19275]

FEATURE PREVIEW: Catalog v2

This release provides the ability to preview Consul's v2 Catalog and Resource API if enabled. The new model supports multi-port application deployments with only a single Envoy proxy. Note that the v1 and v2 catalogs are not cross compatible, and not all Consul features are available within this v2 feature preview. See the v2 Catalog and Resource API documentation for more information. The v2 Catalog and Resources API should be considered a feature preview within this release and should not be used in production environments.

Limitations

The v2 catalog API feature preview does not support connections with client agents. As a result, it is only available for Kubernetes deployments, which use Consul dataplanes instead of client agents.
The v1 and v2 catalog APIs cannot run concurrently.
The Consul UI does not support multi-port services or the v2 catalog API in this release.
HCP Consul does not support multi-port services or the v2 catalog API in this release.

Significant Pull Requests

FEATURES:

Support custom watches on the Consul Controller framework. [GH-18439]
Windows: support consul connect envoy command on Windows [GH-17694]
acl: Add BindRule support for templated policies. Add new BindType: templated-policy and BindVar field for templated policy variables. [GH-18719]
acl: Add new acl.tokens.dns config field which specifies the token used implicitly during dns checks. [GH-17936]
acl: Added ACL Templated policies to simplify getting the right ACL token. [GH-18708]
acl: Adds a new ACL rule for workload identities [GH-18769]
acl: Adds workload identity templated policy [GH-19077]
api-gateway: Add support for response header modifiers on http-route configuration entry [GH-18646]
api-gateway: add retry and timeout filters [GH-18324]
cli: Add bind-var flag to consul acl binding-rule for templated policy variables. [GH-18719]
cli: Add consul acl templated-policy commands to read, list and preview templated policies. [GH-18816]
config-entry(api-gateway): (Enterprise only) Add GatewayPolicy to APIGateway Config Entry listeners
config-entry(api-gateway): (Enterprise only) Add JWTFilter to HTTPRoute Filters
dataplane: Allow getting bootstrap parameters when using V2 APIs [GH-18504]
gateway: (Enterprise only) Add JWT authentication and authorization to APIGateway Listeners and HTTPRoutes.
mesh: (Enterprise only) Adds rate limiting config to service-defaults [GH-18583]
xds: Add a built-in Envoy extension that appends OpenTelemetry Access Logging (otel-access-logging) to the HTTP Connection Manager filter. [GH-18336]
xds: Add support for patching outbound listeners to the built-in Envoy External Authorization extension. [GH-18336]

IMPROVEMENTS:

raft: upgrade raft-wal library version to 0.4.1. [GH-19314]
xds: Use downstream protocol when connecting to local app [GH-18573]
Windows: Integration tests for Consul Windows VMs [GH-18007]
acl: Use templated policy to generate synthetic policies for tokens/roles with node and/or service identities [GH-18813]
api: added CheckRegisterOpts to Agent API [GH-18943]
api: added Token field to ServiceRegisterOpts type in Agent API [GH-18983]
ca: Vault CA provider config no longer requires root_pki_path for secondary datacenters [GH-17831]
cli: Added -templated-policy, -templated-policy-file, -replace-templated-policy, -append-templated-policy, -replace-templated-policy-file, -append-templated-policy-file and -var flags for creating or updating tokens/roles. [GH-18708]
config: Add new tls.defaults.verify_server_hostname configuration option. This specifies the default value for any interfaces that support the verify_server_hostname option. [GH-17155]
connect: update supported envoy versions to 1.24.10, 1.25.9, 1.26.4, 1.27.0 [GH-18300]
ui: Use Community verbiage [GH-18560]

BUG FIXES:

api: add custom marshal/unmarshal for ServiceResolverConfigEntry.RequestTimeout so config entries that set this field can be read using the API. [GH-19031]
ca: ensure Vault CA provider respects Vault Enterprise namespace configuration. [GH-19095]
catalog api: fixes a bug with catalog api where filter query parameter was not working correctly for the /v1/catalog/services endpoint [GH-18322]
connect: (Enterprise only) Fix bug where incorrect service-defaults entries were fetched to determine an upstream's protocol whenever the upstream did not explicitly define the namespace / partition. When this bug occurs, upstreams would use the protocol from a service-default entry in the default namespace / partition, rather than their own namespace / partition.
connect: Fix bug where uncleanly closed xDS connections would influence connection balancing for too long and prevent envoy instances from starting. Two new configuration fields performance.grpc_keepalive_timeout and performance.grpc_keepalive_interval now exist to allow for configuration on how often these dead connections will be cleaned up. [GH-19339]
dev-mode: Fix dev mode has new line in responses. Now new line is added only when url has pretty query parameter. [GH-18367]
dns: (Enterprise only) Fix bug where sameness group queries did not correctly inherit the agent's partition.
docs: fix list of telemetry metrics [GH-17593]
gateways: Fix a bug where a service in a peered datacenter could not access an external node service through a terminating gateway [GH-18959]
server: (Enterprise Only) Fixed an issue where snake case keys were rejected when configuring the control-plane-request-limit config entry
telemetry: emit consul version metric on a regular interval. [GH-6876]
tlsutil: Default setting of ServerName field in outgoing TLS configuration for checks now handled by crypto/tls. [GH-17481]

v1.16.0 (Enterprise)

1.16.0 (June 26, 2023)

BREAKING CHANGES:

api: The /v1/health/connect/ and /v1/health/ingress/ endpoints now immediately return 403 "Permission Denied" errors whenever a token with insufficient service:read permissions is provided. Prior to this change, the endpoints returned a success code with an empty result list when a token with insufficient permissions was provided. [GH-17424]
peering: Removed deprecated backward-compatibility behavior. Upstream overrides in service-defaults will now only apply to peer upstreams when the peer field is provided. Visit the 1.16.x upgrade instructions for more information. [GH-16957]

SECURITY:

Bump Dockerfile base image to alpine:3.18. [GH-17719]
audit-logging: (Enterprise only) limit v1/operator/audit-hash endpoint to ACL token with operator:read privileges.

FEATURES:

api: (Enterprise only) Add POST /v1/operator/audit-hash endpoint to calculate the hash of the data used by the audit log hash function and salt.
cli: (Enterprise only) Add a new consul operator audit hash command to retrieve and compare the hash of the data used by the audit log hash function and salt.
cli: Adds new command - consul services export - for exporting a service to a peer or partition [GH-15654]
connect: (Consul Enterprise only) Implement order-by-locality failover.
mesh: Add new permissive mTLS mode that allows sidecar proxies to forward incoming traffic unmodified to the application. This adds AllowEnablingPermissiveMutualTLS setting to the mesh config entry and the MutualTLSMode setting to proxy-defaults and service-defaults. [GH-17035]
mesh: Support configuring JWT authentication in Envoy. [GH-17452]
server: (Enterprise Only) added server side RPC requests IP based read/write rate-limiter. [GH-4633]
server: (Enterprise Only) allow automatic license utilization reporting. [GH-5102]
server: added server side RPC requests global read/write rate-limiter. [GH-16292]
xds: Add property-override built-in Envoy extension that directly patches Envoy resources. [GH-17487]
xds: Add a built-in Envoy extension that inserts External Authorization (ext_authz) network and HTTP filters. [GH-17495]
xds: Add a built-in Envoy extension that inserts Wasm HTTP filters. [GH-16877]
xds: Add a built-in Envoy extension that inserts Wasm network filters. [GH-17505]

IMPROVEMENTS:

- api: Support filtering for config entries. [GH-17183]
- cli: Add -filter option to consul config list for filtering config entries. [GH-17183]
agent: remove agent cache dependency from service mesh leaf certificate management [GH-17075]
api: Enable setting query options on agent force-leave endpoint. [GH-15987]
audit-logging: (Enterprise only) enable error response and request body logging
ca: automatically set up Vault's auto-tidy setting for tidy_expired_issuers when using Vault as a CA provider. [GH-17138]
ca: support Vault agent auto-auth config for Vault CA provider using AliCloud authentication. [GH-16224]
ca: support Vault agent auto-auth config for Vault CA provider using AppRole authentication. [GH-16259]
ca: support Vault agent auto-auth config for Vault CA provider using Azure MSI authentication. [GH-16298]
ca: support Vault agent auto-auth config for Vault CA provider using JWT authentication. [GH-16266]
ca: support Vault agent auto-auth config for Vault CA provider using Kubernetes authentication. [GH-16262]
command: Adds ACL enabled to status output on agent startup. [GH-17086]
command: Allow creating ACL Token TTL with greater than 24 hours with the -expires-ttl flag. [GH-17066]
connect: (Enterprise Only) Add support for specifying "Partition" and "Namespace" in Prepared Queries failover rules.
connect: update supported envoy versions to 1.23.10, 1.24.8, 1.25.7, 1.26.2 [GH-17546]
connect: update supported envoy versions to 1.23.8, 1.24.6, 1.25.4, 1.26.0 [GH-5200]
fix metric names in /docs/agent/telemetry [GH-17577]
gateway: Change status condition reason for invalid certificate on a listener from "Accepted" to "ResolvedRefs". [GH-17115]
http: accept query parameters datacenter, ap (enterprise-only), and namespace (enterprise-only). Both short-hand and long-hand forms of these query params are now supported via the HTTP API (dc/datacenter, ap/partition, ns/namespace). [GH-17525]
systemd: set service type to notify. [GH-16845]
ui: Update alerts to Hds::Alert component [GH-16412]
ui: Update to use Hds::Toast component to show notifications [GH-16519]
ui: update from <button> and <a> to design-system-components button Hds::Button [GH-16251]
ui: update typography to styles from hds [GH-16577]

BUG FIXES:

Fix a race condition where an event is published before the data associated is commited to memdb. [GH-16871]
connect: Fix issue where changes to service exports were not reflected in proxies. [GH-17775]
gateways: (Enterprise only) Fixed a bug in API gateways where gateway configuration objects in non-default partitions did not reconcile properly. [GH-17581]
gateways: Fixed a bug in API gateways where binding a route that only targets a service imported from a peer results in the programmed gateway having no routes. [GH-17609]
gateways: Fixed a bug where API gateways were not being taken into account in determining xDS rate limits. [GH-17631]
namespaces: (Enterprise only) fixes a bug where agent health checks stop syncing for all services on a node if the namespace of any service has been removed from the server.
namespaces: (Enterprise only) fixes a bug where namespaces are stuck in a deferred deletion state indefinitely under some conditions. Also fixes the Consul query metadata present in the HTTP headers of the namespace read and list endpoints.
peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership. [GH-17483]
peering: Fixes a bug where the importing partition was not added to peered failover targets, which causes issues when the importing partition is a non-default partition. [GH-16673]
ui: fixes ui tests run on CI [GH-16428]
xds: Fixed a bug where modifying ACLs on a token being actively used for an xDS connection caused all xDS updates to fail. [GH-17566]

v1.15.19 (Enterprise)

What's Changed

[release/1.15.x] CE to ENT merge of (e9ea816) by @hc-github-team-consul-core in https://github.com/hashicorp/consul-enterprise/pull/10331
Backport of Add the missing Service TaggedAddresses and Check Type fields to Txn API into release/1.15.x by @nitin-sachdev-29 in https://github.com/hashicorp/consul-enterprise/pull/10450
Prep release 1.15.19 by @nitin-sachdev-29 in https://github.com/hashicorp/consul-enterprise/pull/10462
Refactor Txn API to use AgentService and add TaggedAddresses support … by @nitin-sachdev-29 in https://github.com/hashicorp/consul-enterprise/pull/10475

Full Changelog: https://github.com/hashicorp/consul-enterprise/compare/v1.15.18+ent...v1.15.19+ent

v1.15.0 (Enterprise)

1.15.0 (February 23, 2023)

BREAKING CHANGES:

acl errors: Delete and get requests now return descriptive errors when the specified resource cannot be found. Other ACL request errors provide more information about when a resource is missing. Add error for when the ACL system has not been bootstrapped.

Delete Token/Policy/AuthMethod/Role/BindingRule endpoints now return 404 when the resource cannot be found.

New error formats: "Requested * does not exist: ACL not found", "* not found in namespace $NAMESPACE: ACL not found"

Read Token/Policy/Role endpoints now return 404 when the resource cannot be found.

New error format: "Cannot find * to delete"

Logout now returns a 401 error when the supplied token cannot be found

New error format: "Supplied token does not exist"

Token Self endpoint now returns 404 when the token cannot be found.

New error format: "Supplied token does not exist" [GH-16105]

acl: remove all acl migration functionality and references to the legacy acl system. [GH-15947]
acl: remove all functionality and references for legacy acl policies. [GH-15922]
config: Deprecate -join, -join-wan, start_join, and start_join_wan. These options are now aliases of -retry-join, -retry-join-wan, retry_join, and retry_join_wan, respectively. [GH-15598]
connect: Add peer field to service-defaults upstream overrides. The addition of this field makes it possible to apply upstream overrides only to peer services. Prior to this change, overrides would be applied based on matching the namespace and name fields only, which means users could not have different configuration for local versus peer services. With this change, peer upstreams are only affected if the peer field matches the destination peer name. [GH-15956]
connect: Consul will now error and exit when using the consul connect envoy command if the Envoy version is incompatible. To ignore this check use flag --ignore-envoy-compatibility [GH-15818]
extensions: Refactor Lambda integration to get configured with the Envoy extensions field on service-defaults configuration entries. [GH-15817]
ingress-gateway: upstream cluster will have empty outlier_detection if passive health check is unspecified [GH-15614]
xds: Remove the connect.enable_serverless_plugin agent configuration option. Now Lambda integration is enabled by default. [GH-15710]

SECURITY:

Upgrade to use Go 1.20.1. This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http. [GH-16263]

FEATURES:

API Gateway (Beta) This version adds support for API gateway on VMs. API gateway provides a highly-configurable ingress for requests coming into a Consul network. For more information, refer to the API gateway documentation. [GH-16369]
acl: Add new acl.tokens.config_file_registration config field which specifies the token used to register services and checks that are defined in config files. [GH-15828]
acl: anonymous token is logged as 'anonymous token' instead of its accessor ID [GH-15884]
cli: adds new CLI commands consul troubleshoot upstreams and consul troubleshoot proxy to troubleshoot Consul's service mesh configuration and network issues. [GH-16284]
command: Adds the operator usage instances subcommand for displaying total services, connect service instances and billable service instances in the local datacenter or globally. [GH-16205]
config-entry(ingress-gateway): support outlier detection (passive health check) for upstream cluster [GH-15614]
connect: adds support for Envoy access logging. Access logging can be enabled using the proxy-defaults config entry. [GH-15864]
xds: Add a built-in Envoy extension that inserts Lua HTTP filters. [GH-15906]
xds: Insert originator service identity into Envoy's dynamic metadata under the consul namespace. [GH-15906]

IMPROVEMENTS:

connect: for early awareness of Envoy incompatibilities, when using the consul connect envoy command the Envoy version will now be checked for compatibility. If incompatible Consul will error and exit. [GH-15818]
grpc: client agents will switch server on error, and automatically retry on RESOURCE_EXHAUSTED responses [GH-15892]
raft: add an operator api endpoint and a command to initiate raft leadership transfer. [GH-14132]
acl: Added option to allow for an operator-generated bootstrap token to be passed to the acl bootstrap command. [GH-14437]
agent: Give better error when client specifies wrong datacenter when auto-encrypt is enabled. [GH-14832]
api: updated the go module directive to 1.18. [GH-15297]
ca: support Vault agent auto-auth config for Vault CA provider using AWS/GCP authentication. [GH-15970]
cli: always use name "global" for proxy-defaults config entries [GH-14833]
cli: connect envoy command errors if grpc ports are not open [GH-15794]
client: add support for RemoveEmptyTags in Prepared Queries templates. [GH-14244]
connect: Warn if ACLs are enabled but a token is not provided to envoy [GH-15967]
container: Upgrade container image to use to Alpine 3.17. [GH-16358]
dns: support RFC 2782 SRV lookups for prepared queries using format _<query id or name>._tcp.query[.<datacenter>].<domain>. [GH-14465]
ingress-gateways: Don't log error when gateway is registered without a config entry [GH-15001]
licensing: (Enterprise Only) Consul Enterprise non-terminating production licenses do not degrade or terminate Consul upon expiration. They will only fail when trying to upgrade to a newer version of Consul. Evaluation licenses still terminate.
raft: Added experimental wal backend for log storage. [GH-16176]
sdk: updated the go module directive to 1.18. [GH-15297]
telemetry: Added a consul.xds.server.streamsUnauthenticated metric to track the number of active xDS streams handled by the server that are unauthenticated because ACLs are not enabled or ACL tokens were missing. [GH-15967]
ui: Update sidebar width to 280px [GH-16204]
ui: update Ember version to 3.27; [GH-16227]

DEPRECATIONS:

acl: Deprecate the token query parameter and warn when it is used for authentication. [GH-16009]
cli: The -id flag on acl token operations has been changed to -accessor-id for clarity in documentation. The -id flag will continue to work, but operators should use -accessor-id in the future. [GH-16044]

BUG FIXES:

agent configuration: Fix issue of using unix socket when https is used. [GH-16301]
cache: refactor agent cache fetching to prevent unnecessary fetches on error [GH-14956]
cli: fatal error if config file does not have HCL or JSON extension, instead of warn and skip [GH-15107]
cli: fix ACL token processing unexpected precedence [GH-15274]
peering: Fix bug where services were incorrectly imported as connect-enabled. [GH-16339]
peering: Fix issue where mesh gateways would use the wrong address when contacting a remote peer with the same datacenter name. [GH-16257]
peering: Fix issue where secondary wan-federated datacenters could not be used as peering acceptors. [GH-16230]

v1.14.0 (Enterprise)

1.14.0 (November 15, 2022)

BREAKING CHANGES:

config: Add new ports.grpc_tls configuration option. Introduce a new port to better separate TLS config from the existing ports.grpc config. The new ports.grpc_tls only supports TLS encrypted communication. The existing ports.grpc now only supports plain-text communication. [GH-15339]
config: update 1.14 config defaults: Enable peering and connect by default. [GH-15302]
config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 [GH-15302]
connect: Removes support for Envoy 1.20 [GH-15093]
peering: Rename PeerName to Peer on prepared queries and exported services. [GH-14854]
xds: Convert service mesh failover to use Envoy's aggregate clusters. This changes the names of some Envoy dynamic HTTP metrics. [GH-14178]

SECURITY:

Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints CVE-2022-3920 [GH-15356]

FEATURES:

DNS-proxy support via gRPC request. [GH-14811]
cli: Add -node-name flag to redirect-traffic command to support running in environments without client agents. [GH-14933]
cli: Add -consul-dns-port flag to the consul connect redirect-traffic command to allow forwarding DNS traffic to a specific Consul DNS port. [GH-15050]
connect: Add Envoy connection balancing configuration fields. [GH-14616]
grpc: Added metrics for external gRPC server. Added server_type=internal|external label to gRPC metrics. [GH-14922]
http: Add new get-or-empty operation to the txn api. Refer to the API docs for more information. [GH-14474]
peering: Add mesh gateway local mode support for cluster peering. [GH-14817]
peering: Add support for stale queries for trust bundle lookups [GH-14724]
peering: Add support to failover to services running on cluster peers. [GH-14396]
peering: Add support to redirect to services running on cluster peers with service resolvers. [GH-14445]
peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down. [GH-14797]
peering: add support for routine peering control-plane traffic through mesh gateways [GH-14981]
sdk: Configure iptables to forward DNS traffic to a specific DNS port. [GH-15050]
telemetry: emit memberlist size metrics and broadcast queue depth metric. [GH-14873]
ui: Added support for central config merging [GH-14604]
ui: Create peerings detail page [GH-14947]
ui: Detect a TokenSecretID cookie and passthrough to localStorage [GH-14495]
ui: Display notice banner on nodes index page if synthetic nodes are being filtered. [GH-14971]
ui: Filter agentless (synthetic) nodes from the nodes list page. [GH-14970]
ui: Filter out node health checks on agentless service instances [GH-14986]
ui: Remove node meta on service instances when using agentless and consolidate external-source labels on service instances page if they all match. [GH-14921]
ui: Removed reference to node name on service instance page when using agentless [GH-14903]
ui: Use withCredentials for all HTTP API requests [GH-14343]
xds: servers will limit the number of concurrent xDS streams they can handle to balance the load across all servers [GH-14397]

IMPROVEMENTS:

peering: Add peering datacenter and partition to initial handshake. [GH-14889]
xds: Added a rate limiter to the delivery of proxy config updates, to prevent updates to "global" resources such as wildcard intentions from overwhelming servers (see: xds.update_max_per_second config field) [GH-14960]
xds: Removed a bottleneck in Envoy config generation, enabling a higher number of dataplanes per server [GH-14934]
agent/hcp: add initial HashiCorp Cloud Platform integration [GH-14723]
agent: Added configuration option cloud.scada_address. [GH-14936]
api: Add filtering support to Catalog's List Services (v1/catalog/services) [GH-11742]
api: Increase max number of operations inside a transaction for requests to /v1/txn (128) [GH-14599]
auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. [GH-15370]
config-entry: Validate that service-resolver Failovers and Redirects only specify Partition and Namespace on Consul Enterprise. This prevents scenarios where OSS Consul would save service-resolvers that require Consul Enterprise. [GH-14162]
connect: Add Envoy 1.24.0 to support matrix [GH-15093]
connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 [GH-14831]
connect: service-router destinations have gained a RetryOn field for specifying the conditions when Envoy should retry requests beyond specific status codes and generic connection failure which already exists. [GH-12890]
dns/peering: (Enterprise Only) Support addresses in the formats <servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul and <servicename>.virtual.<partition>.ap.<peername>.peer.consul. This longer form address that allows specifying .peer would need to be used for tproxy DNS requests made within non-default partitions for imported services.
dns: (Enterprise Only) All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: [<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>. [GH-14679]
integ test: fix flakiness due to test condition from retry app endoint [GH-15233]
metrics: Service RPC calls less than 1ms are now emitted as a decimal number. [GH-12905]
peering: adds an internally managed server certificate for automatic TLS between servers in peer clusters. [GH-14556]
peering: require TLS for peering connections using server cert signed by Connect CA [GH-14796]
peering: return information about the health of the peering when the leader is queried to read a peering. [GH-14747]
raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter [GH-14897]
raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 [GH-14897]
raft: Fix a race condition where the snapshot file is closed without being opened [GH-14897]
telemetry: Added a consul.xds.server.streamStart metric to measure time taken to first generate xDS resources for an xDS stream. [GH-14957]
ui: Improve guidance around topology visualisation [GH-14527]
xds: Set max_ejection_percent on Envoy's outlier detection to 100% for peered services. [GH-14373]

BUG FIXES:

checks: Do not set interval as timeout value [GH-14619]
checks: If set, use proxy address for automatically added sidecar check instead of service address. [GH-14433]
cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set together [GH-13493]
connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries. [GH-15186]
connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. [GH-15083]
connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. [GH-15320]
debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters [GH-15155]
deps: update go-memdb, fixing goroutine leak [GH-15010] [GH-15068]
grpc: Merge proxy-defaults and service-defaults in GetEnvoyBootstrapParams response. [GH-14869]
metrics: Add duplicate metrics that have only a single "consul_" prefix for all existing metrics with double ("consul_consul_") prefix, with the intent to standardize on single prefixes. [GH-14475]
namespace: (Enterprise Only) Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter
peering: Fix a bug that resulted in /v1/agent/metrics returning an error. [GH-15178]
peering: fix nil pointer in calling handleUpdateService [GH-15160]
peering: fix the error of wan address isn't taken by the peering token. [GH-15065]
peering: when wan address is set, peering stream should use the wan address. [GH-15108]
proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters. [GH-15272]
server: fix goroutine/memory leaks in the xDS subsystem (these were present regardless of whether or not xDS was in-use) [GH-14916]
server: fixes the error trying to source proxy configuration for http checks, in case of proxies using consul-dataplane. [GH-14924]
xds: Central service configuration (proxy-defaults and service-defaults) is now correctly applied to Consul Dataplane proxies [GH-14962]

NOTES:

deps: Upgrade to use Go 1.19.2 [GH-15090]

v1.13.0 (Enterprise)

1.13.0 (August 9, 2022)

BREAKING CHANGES:

config-entry: Exporting a specific service name across all namespace is invalid.
connect: Removes support for Envoy 1.19 [GH-13807]
telemetry: config flag telemetry { disable_compat_1.9 = (true|false) } has been removed. Before upgrading you should remove this flag from your config if the flag is being used. [GH-13532]

FEATURES:

Cluster Peering (Beta) This version adds a new model to federate Consul clusters for both service mesh and traditional service discovery. Cluster peering allows for service interconnectivity with looser coupling than the existing WAN federation. For more information refer to the cluster peering documentation.
Transparent proxying through terminating gateways This version adds egress traffic control to destinations outside of Consul's catalog, such as APIs on the public internet. Transparent proxies can dial destinations defined in service-defaults and have the traffic routed through terminating gateways. For more information refer to the terminating gateway documentation.
acl: It is now possible to login and logout using the gRPC API [GH-12935]
agent: Added information about build date alongside other version information for Consul. Extended /agent/self endpoint and consul version commands to report this. Agent also reports build date in log on startup. [GH-13357]
ca: Leaf certificates can now be obtained via the gRPC API: Sign [GH-12787]
checks: add UDP health checks.. [GH-12722]
cli: A new flag for config delete to delete a config entry in a valid config file, e.g., config delete -filename intention-allow.hcl [GH-13677]
connect: Adds a new destination field to the service-default config entry that allows routing egress traffic through a terminating gateway in transparent proxy mode without modifying the catalog. [GH-13613]
grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-12825]
grpc: New gRPC endpoint to return envoy bootstrap parameters. [GH-1717]
grpc: New gRPC service and endpoint to return the list of supported consul dataplane features [GH-12695]
server: broadcast the public grpc port using lan serf and update the consul service in the catalog with the same data [GH-13687]
streaming: Added topic that can be used to consume updates about the list of services in a datacenter [GH-13722]
streaming: Added topics for ingress-gateway, mesh, service-intentions and service-resolver config entry events. [GH-13658]

IMPROVEMENTS:

api: merge-central-config query parameter support added to /catalog/node-services/:node-name API, to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13450]
api: merge-central-config query parameter support added to /catalog/node-services/:node-name API, to view a fully resolved service definition (especially when not written into the catalog that way). [GH-2046]
api: merge-central-config query parameter support added to some catalog and health endpoints to view a fully resolved service definition (especially when not written into the catalog that way). [GH-13001]
api: add the ability to specify a path prefix for when consul is behind a reverse proxy or API gateway [GH-12914]
catalog: Add per-node indexes to reduce watchset firing for unrelated nodes and services. [GH-12399]
connect: add validation to ensure connect native services have a port or socketpath specified on catalog registration. This was the only missing piece to ensure all mesh services are validated for a port (or socketpath) specification on catalog registration. [GH-12881]
ui: Add new CopyableCode component and use it in certain pre-existing areas [GH-13686]
acl: Clarify node/service identities must be lowercase [GH-12807]
command: Add support for enabling TLS in the Envoy Prometheus endpoint via the consul connect envoy command. Adds the -prometheus-ca-file, -prometheus-ca-path, -prometheus-cert-file and -prometheus-key-file flags. [GH-13481]
connect: Add Envoy 1.23.0 to support matrix [GH-13807]
connect: Added a max_inbound_connections setting to service-defaults for limiting the number of concurrent inbound connections to each service instance. [GH-13143]
grpc: Add a new ServerDiscovery.WatchServers gRPC endpoint for being notified when the set of ready servers has changed. [GH-12819]
telemetry: Added consul.raft.thread.main.saturation and consul.raft.thread.fsm.saturation metrics to measure approximate saturation of the Raft goroutines [GH-12865]
ui: removed external dependencies for serving UI assets in favor of Go's native embed capabilities [GH-10996]
ui: upgrade ember-composable-helpers to v5.x [GH-13394]

BUG FIXES:

acl: Fixed a bug where the ACL down policy wasn't being applied on remote errors from the primary datacenter. [GH-12885]
cli: when acl token read is used with the -self and -expanded flags, return an error instead of panicking [GH-13787]
connect: Fixed a goroutine/memory leak that would occur when using the ingress gateway. [GH-13847]
connect: Ingress gateways with a wildcard service entry should no longer pick up non-connect services as upstreams. connect: Terminating gateways with a wildcard service entry should no longer pick up connect services as upstreams. [GH-13958]
proxycfg: Fixed a minor bug that would cause configuring a terminating gateway to watch too many service resolvers and waste resources doing filtering. [GH-13012]
raft: upgrade to v1.3.8 which fixes a bug where non cluster member can still be able to participate in an election. [GH-12844]
serf: upgrade serf to v0.9.8 which fixes a bug that crashes Consul when serf keyrings are listed [GH-13062]
ui: Fixes an issue where client side validation errors were not showing in certain areas [GH-14021]

v1.12.0 (Enterprise)

1.12.0 (April 20, 2022)

BREAKING CHANGES:

sdk: several changes to the testutil configuration structs (removed ACLMasterToken, renamed Master to InitialManagement, and AgentMaster to AgentRecovery) [GH-11827]
telemetry: the disable_compat_1.9 option now defaults to true. 1.9 style consul.http... metrics can still be enabled by setting disable_compat_1.9 = false. However, we will remove these metrics in 1.13. [GH-12675]

FEATURES:

acl: Add token information to PermissionDeniedErrors [GH-12567]
acl: Added an AWS IAM auth method that allows authenticating to Consul using AWS IAM identities [GH-12583]
ca: Root certificates can now be consumed from a gRPC streaming endpoint: WatchRoots [GH-12678]
cli: The token read command now supports the -expanded flag to display detailed role and policy information for the token. [GH-12670]
config: automatically reload config when a file changes using the auto-reload-config CLI flag or auto_reload_config config option. [GH-12329]
server: Ensure that service-defaults Meta is returned with the response to the ConfigEntry.ResolveServiceConfig RPC. [GH-12529]
server: discovery chains now include a response field named "Default" to indicate if they were not constructed from any service-resolver, service-splitter, or service-router config entries [GH-12511]
server: ensure that service-defaults meta is incorporated into the discovery chain response [GH-12511]
tls: it is now possible to configure TLS differently for each of Consul's listeners (i.e. HTTPS, gRPC and the internal multiplexed RPC listener) using the tls stanza [GH-12504]
ui: Added support for AWS IAM Auth Methods [GH-12786]
ui: Support connect-native services in the Topology view. [GH-12098]
xds: Add the ability to invoke AWS Lambdas through terminating gateways. [GH-12681]
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry [GH-12601]

IMPROVEMENTS:

Refactor ACL denied error code and start improving error details [GH-12308]
acl: Provide fuller detail in the error messsage when an ACL denies access. [GH-12470]
agent: Allow client agents to perform keyring operations [GH-12442]
agent: add additional validation to TLS config [GH-12522]
agent: add support for specifying TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suites [GH-12522]
agent: bump default min version for connections to TLS 1.2 [GH-12522]
api: add QueryBackend to QueryMeta so an api user can determine if a query was served using which backend (streaming or blocking query). [GH-12791]
ci: include 'enhancement' entry type in IMPROVEMENTS section of changelog. [GH-12376]
ui: Exclude Service Instance Health from Health Check reporting on the Node listing page. The health icons on each individual row now only reflect Node health. [GH-12248]
ui: Improve usability of Topology warning/information panels [GH-12305]
ui: Slightly improve usability of main navigation [GH-12334]
ui: Use @hashicorp/flight icons for all our icons. [GH-12209]
Removed impediments to using a namespace prefixed IntermediatePKIPath in a CA definition. [GH-12655]
acl: Improve handling of region-specific endpoints in the AWS IAM auth method. As part of this, the STSRegion field was removed from the auth method config. [GH-12774]
api: Improve error message if service or health check not found by stating that the entity must be referred to by ID, not name [GH-10894]
autopilot: Autopilot state is now tracked on Raft followers in addition to the leader. Stale queries may be used to query for the non-leaders state. [GH-12617]
autopilot: The autopilot.healthy and autopilot.failure_tolerance metrics are now regularly emitted by all servers. [GH-12617]
ci: Enable security scanning for CRT [GH-11956]
connect: Add Envoy 1.21.1 to support matrix, remove 1.17.4 [GH-12777]
connect: Add Envoy 1.22.0 to support matrix, remove 1.18.6 [GH-12805]
connect: reduce raft apply on CA configuration when no change is performed [GH-12298]
deps: update to latest go-discover to fix vulnerable transitive jwt-go dependency [GH-12739]
grpc, xds: improved reliability of grpc and xds servers by adding recovery-middleware to return and log error in case of panic. [GH-10895]
http: if a GET request has a non-empty body, log a warning that suggests a possible problem (parameters were meant for the query string, but accidentally placed in the body) [GH-11821]
metrics: The consul.raft.boltdb.writeCapacity metric was added and indicates a theoretical number of writes/second that can be performed to Consul. [GH-12646]
sdk: Add support for Partition and RetryJoin to the TestServerConfig struct. [GH-12126]
telemetry: Add new leader label to consul.rpc.server.call and optional target_datacenter, locality, allow_stale, and blocking optional labels. [GH-12727]
ui: In the datacenter selector order Datacenters by Primary, Local then alpanumerically [GH-12478]
ui: Include details on ACL policy dispositions required for unauthorized views [GH-12354]
ui: Move icons away from depending on a CSS preprocessor [GH-12461]
version: Improved performance of the version.GetHumanVersion function by 50% on memory allocation. [GH-11507]

DEPRECATIONS:

acl: The consul.acl.ResolveTokenToIdentity metric is no longer reported. The values that were previous reported as part of this metric will now be part of the consul.acl.ResolveToken metric. [GH-12166]
agent: deprecate older syntax for specifying TLS min version values [GH-12522]
agent: remove support for specifying insecure TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suites [GH-12522]
config: setting cert_file, key_file, ca_file, ca_path, tls_min_version, tls_cipher_suites, verify_incoming, verify_incoming_rpc, verify_incoming_https, verify_outgoing and verify_server_hostname at the top-level is now deprecated, use the tls stanza instead [GH-12504]

BUG FIXES:

acl: Fix parsing of IAM user and role tags in IAM auth method [GH-12797]
dns: allow max of 63 character DNS labels instead of 64 per RFC 1123 [GH-12535]
logging: fix a bug with incorrect severity syslog messages (all messages were sent with NOTICE severity). [GH-12079]
ui: Added Tags tab to gateways(just like exists for non-gateway services) [GH-12400]

NOTES:

Forked net/rpc to add middleware support: https://github.com/hashicorp/consul-net-rpc/ . [GH-12311]
dependency: Upgrade to use Go 1.18.1 [GH-12808]

v1.11.0 (Enterprise)

1.11.0 (December 14, 2021)

BREAKING CHANGES:

acl: The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that nothing is still using the legacy ACL system. See the Migrate Legacy ACL Tokens Learn Guide for more information. [GH-11232]
cli: consul acl set-agent-token master has been replaced with consul acl set-agent-token recovery [GH-11669]

SECURITY:

namespaces: (Enterprise only) Creating or editing namespaces that include default ACL policies or ACL roles now requires acl:write permission in the default namespace. This change fixes CVE-2021-41805.
rpc: authorize raft requests CVE-2021-37219 [GH-10925]

FEATURES:

Admin Partitions (Consul Enterprise only) This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the Admin Partition documentation.
ca: Add a configurable TTL for Connect CA root certificates. The configuration is supported by the Vault and Consul providers. [GH-11428]
ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate. [GH-11449]
health-checks: add support for h2c in http2 ping health checks [GH-10690]
ui: Add UI support to use Vault as an external source for a service [GH-10769]
ui: Adding support of Consul API Gateway as an external source. [GH-11371]
ui: Adds a copy button to each composite row in tokens list page, if Secret ID returns an actual ID [GH-10735]
ui: Adds visible Consul version information [GH-11803]
ui: Topology - New views for scenarios where no dependencies exist or ACLs are disabled [GH-11280]

IMPROVEMENTS:

acl: replication routine to report the last error message. [GH-10612]
agent: add variation of force-leave that exclusively works on the WAN [GH-11722]
api: Enable setting query options on agent health and maintenance endpoints. [GH-10691]
checks: add failures_before_warning setting for interval checks. [GH-10969]
ci: Upgrade to use Go 1.17.5 [GH-11799]
cli: Add -cas and -modify-index flags to the consul config delete command to support Check-And-Set (CAS) deletion of config entries [GH-11419]
config: (Enterprise Only) Allow specifying permission mode for audit logs. [GH-10732]
config: Support Check-And-Set (CAS) deletion of config entries [GH-11419]
config: add dns_config.recursor_strategy flag to control the order which DNS recursors are queried [GH-10611]
config: warn the user if client_addr is empty because client services won't be listening [GH-11461]
connect/ca: cease including the common name field in generated x509 non-CA certificates [GH-10424]
connect: Add low-level feature to allow an Ingress to retrieve TLS certificates from SDS. [GH-10903]
connect: Consul will now generate a unique virtual IP for each connect-enabled service (this will also differ across namespace/partition in Enterprise). [GH-11724]
connect: Support Vault auth methods for the Connect CA Vault provider. Currently, we support any non-deprecated auth methods the latest version of Vault supports (v1.8.5), which include AppRole, AliCloud, AWS, Azure, Cloud Foundry, GitHub, Google Cloud, JWT/OIDC, Kerberos, Kubernetes, LDAP, Oracle Cloud Infrastructure, Okta, Radius, TLS Certificates, and Username & Password. [GH-11573]
connect: Support manipulating HTTP headers in the mesh. [GH-10613]
connect: add Namespace configuration setting for Vault CA provider [GH-11477]
connect: ingress gateways may now enable built-in TLS for a subset of listeners. [GH-11163]
connect: service-resolver subset filters are validated for valid go-bexpr syntax on write [GH-11293]
connect: update supported envoy versions to 1.19.1, 1.18.4, 1.17.4, 1.16.5 [GH-11115]
connect: update supported envoy versions to 1.20.0, 1.19.1, 1.18.4, 1.17.4 [GH-11277]
debug: Add a new /v1/agent/metrics/stream API endpoint for streaming of metrics [GH-10399]
debug: rename cluster capture target to members, to be more consistent with the terms used by the API. [GH-10804]
dns: Added a virtual endpoint for querying the assigned virtual IP for a service. [GH-11725]
http: when a URL path is not found, include a message with the 404 status code to help the user understand why (e.g., HTTP API endpoint path not prefixed with /v1/) [GH-11818]
raft: Added a configuration to disable boltdb freelist syncing [GH-11720]
raft: Emit boltdb related performance metrics [GH-11720]
raft: Use bbolt instead of the legacy boltdb implementation [GH-11720]
sdk: Add support for iptable rules that allow DNS lookup redirection to Consul DNS. [GH-11480]
segments: (Enterprise only) ensure that the serf_lan_allowed_cidrs applies to network segments [GH-11495]
telemetry: add a new agent.tls.cert.expiry metric for tracking when the Agent TLS certificate expires. [GH-10768]
telemetry: add a new mesh.active-root-ca.expiry metric for tracking when the root certificate expires. [GH-9924]
types: add TLSVersion and TLSCipherSuite [GH-11645]
ui: Add upstream icons for upstreams and upstream instances [GH-11556]
ui: Add uri guard to prevent future URL encoding issues [GH-11117]
ui: Move the majority of our SASS variables to use native CSS custom properties [GH-11200]
ui: Removed informational panel from the namespace selector menu when editing namespaces [GH-11130]
ui: Update UI browser support to 'roughly ~2 years back' [GH-11505]
ui: Update global notification styling [GH-11577]
ui: added copy to clipboard button in code editor toolbars [GH-11474]

DEPRECATIONS:

api: /v1/agent/token/agent_master is deprecated and will be removed in a future major release - use /v1/agent/token/agent_recovery instead [GH-11669]
config: acl.tokens.master has been renamed to acl.tokens.initial_management, and acl.tokens.agent_master has been renamed to acl.tokens.agent_recovery - the old field names are now deprecated and will be removed in a future major release [GH-11665]
tls: With the upgrade to Go 1.17, the ordering of tls_cipher_suites will no longer be honored, and tls_prefer_server_cipher_suites is now ignored. [GH-11364]

BUG FIXES:

acl: (Enterprise only) fix namespace and namespace_prefix policy evaluation when both govern an authz request
api: Fix default values used for optional fields in autopilot configuration update (POST to /v1/operator/autopilot/configuration) [GH-10558] [GH-10559]
api: ensure new partition fields are omit empty for compatibility with older versions of consul [GH-11585]
areas: (Enterprise Only) Fixes a bug when using Yamux pool ( for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time.
areas: (Enterprise only) make the gRPC server tracker network area aware [GH-11748]
ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [GH-11693]
ca: fixes a bug that caused the SigningKeyID to be wrong in the primary DC, when the Vault provider is used, after a CA config creates a new root. [GH-11672]
ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [GH-11671]
check root and intermediate CA expiry before using it to sign a leaf certificate. [GH-10500]
connect/ca: ensure edits to the key type/bits for the connect builtin CA will regenerate the roots [GH-10330]
connect/ca: require new vault mount points when updating the key type/bits for the vault connect CA provider [GH-10331]
connect: fix race causing xDS generation to lock up when discovery chains are tracked for services that are no longer upstreams. [GH-11826]
dns: Fixed an issue where on DNS requests made with .alt_domain response was returned as .domain [GH-11348]
dns: return an empty answer when asked for an addr dns with type other then A and AAAA. [GH-10401]
macos: fixes building with a non-Apple LLVM (such as installed via Homebrew) [GH-11586]
namespaces: (Enterprise only) ensure the namespace replicator doesn't replicate deleted namespaces
proxycfg: ensure all of the watches are canceled if they are cancelable [GH-11824]
snapshot: (Enterprise only) fixed a bug where the snapshot agent would ignore the license_path setting in config files
ui: Ensure all types of data get reconciled with the backend data [GH-11237]
ui: Ensure dc selector correctly shows the currently selected dc [GH-11380]
ui: Ensure we check intention permissions for specific services when deciding whether to show action buttons for per service intention actions [GH-11409]
ui: Ensure we filter tokens by policy when showing which tokens use a certain policy whilst editing a policy [GH-11311]
ui: Ensure we show a readonly designed page for readonly intentions [GH-11767]
ui: Filter the global intentions list by the currently selected parition rather than a wildcard [GH-11475]
ui: Fix inline-code brand styling [GH-11578]
ui: Fix visual issue with slight table header overflow [GH-11670]
ui: Fixes an issue where under some circumstances after logging we present the data loaded previous to you logging in. [GH-11681]
ui: Gracefully recover from non-existant DC errors [GH-11077]
ui: Include Service.Namespace into available variables for dashboard_url_templates [GH-11640]
ui: Revert to depending on the backend, 'post-user-action', to report permissions errors rather than using UI capabilities 'pre-user-action' [GH-11520]
ui: Topology - Fix up Default Allow and Permissive Intentions notices [GH-11216]
ui: code editor styling (layout consistency + wide screen support) [GH-11474]
use the MaxQueryTime instead of RPCHoldTimeout for blocking RPC queries [GH-8978]. [GH-10299]
windows: fixes arm and arm64 builds [GH-11586]

NOTES:

Renamed the agent_master field to agent_recovery in the acl-tokens.json file in which tokens are persisted on-disk (when acl.enable_token_persistence is enabled) [GH-11744]

Dec 1, 2025

v1.21.7 (Enterprise)

1.21.7 Enterprise (November 17, 2025)

SECURITY:

security: Upgrade golang to 1.25.4. [GH-23029]

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

v1.21.6 (Enterprise)

1.21.6 Enterprise(October 30, 2025)

SECURITY:

security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
security: Fixed proxied URL path validation to prevent path traversal. [GH-22671]
security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks. This resolves CVE-2025-11392. [GH-22850]
security: Upgrade golang to 1.25.3. [GH-22926]

FEATURES:

install: Updated license information displayed during post-install

IMPROVEMENTS:

api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]
ui: Replace yarn with pnpm for package management [GH-22790]
ui: Replaced reopen() calls with direct property assignment and subclassing to resolve Ember component reopen deprecation warnings [GH-22971]
ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [GH-22813]
ui: removed deprecated Route#renderTemplate usage by introducing DebugLayout component and controller-based conditional rendering for docs routes [GH-22978]
ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]

BUG FIXES:

cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]
ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]

Nov 26, 2025

1.22.1 (November 16, 2025)

SECURITY:

connect: Upgrade envoy version to 1.35.6 [GH-23056]
security: Updated golang.org/x/crypto from v0.42.0 to v0.44.0. This resolves GO-2025-4116

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: Replaced reopen() calls with direct property assignment and subclassing to resolve Ember component reopen deprecation warnings [GH-22971]
ui: removed deprecated Route#renderTemplate usage by introducing DebugLayout component and controller-based conditional rendering for docs routes [GH-22978]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

Oct 27, 2025

1.22.0 (October 24, 2025)

SECURITY:

connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

FEATURES:

Added support to register a service in consul with multiple ports [GH-22769]
agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
install: Updated license information displayed during post-install
ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

security: Upgrade golang to 1.25.3. [GH-22926]
ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]
api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]
ui: Replace yarn with pnpm for package management [GH-22790]
ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [GH-22813]

BUG FIXES:

ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]
cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

Oct 15, 2025

1.22.0-rc2 (October 15, 2025)

SECURITY:

security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks. This resolves CVE-2025-11392. [GH-22850]

BUG FIXES:

cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

Sep 30, 2025

1.22.0-rc1 (September 30, 2025)

SECURITY:

connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]

FEATURES:

Added support to register a service in consul with multiple ports [GH-22769]
agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
install: Updated license information displayed during post-install
ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]
ui: Replace yarn with pnpm for package management [GH-22790]
ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [GH-22813]

BUG FIXES:

ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]

Sep 23, 2025

1.21.5 (September 21, 2025)

SECURITY:

Migrate transitive dependency from archived mitchellh/mapstructure to go-viper/mapstructure to v2 to address CVE-2025-52893. [GH-22581]
agent: Add the KV Validations to block path traversal allowing access to unauthorized endpoints. [GH-22682]
agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [GH-22534]
agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [GH-22626]
api: add charset in all applicable content-types. [GH-22598]
connect: Upgrade envoy version to 1.34.7 [GH-22735]
security: Fix GHSA-65rg-554r-9j5x (CVE-2024-48908) by upgrading lycheeverse/lychee-action. [GH-22667]
security: Fix a security vulnerability where the attacker could bypass authentication by passing url params as there was no validation on them. [GH-22612]
security: perform constant time compare for sensitive values. [GH-22537]
security: upgrade go version to 1.25.0 [GH-22652]
security:: (Enterprise only) fix nil pointer dereference.
security:: (Enterprise only) fix potential race condition in partition CRUD.
security:: (Enterprise only) perform constant time compare for sensitive values.

FEATURES:

config: Add new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream [GH-22604]
config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in API Gateway config and proxy-defaults [GH-22679]
config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Mesh Gateway via service-defaults and proxy-defaults [GH-22722]
config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Terminating Gateway service-defaults and proxy-defaults [GH-22680]

IMPROVEMENTS:

cli: add troubleshoot ports in debug command. A ports.json file is created, which lists the open or closed ports on the host where the command is executed. [GH-22624]

BUG FIXES:

agent: Don't show admin partition during errors [GH-11154]

Previous 1 2 3 4 Next

Similar releases

Other sources from this team

Similar sources

Latest

v1.22.6

Source

@hashicorp/consul

Changelog

View changelog

Tracking Since

Jan 23, 2024

Last fetched Apr 19, 2026

.json·.md·.atom

Consul

1.18.15+ent (September 21, 2025)

1.18.14 Enterprise (August 13, 2025)

1.18.13 Enterprise (July 28, 2025)

1.18.12 Enterprise (June 18, 2025)

1.18.0 (February 27, 2024)

1.17.0 (October 31, 2023)

1.16.0 (June 26, 2023)

What's Changed

1.15.0 (February 23, 2023)

1.14.0 (November 15, 2022)

1.13.0 (August 9, 2022)

1.12.0 (April 20, 2022)

1.11.0 (December 14, 2021)

1.21.7 Enterprise (November 17, 2025)

1.21.6 Enterprise(October 30, 2025)

1.22.1 (November 16, 2025)

1.22.0 (October 24, 2025)

1.22.0-rc2 (October 15, 2025)

1.22.0-rc1 (September 30, 2025)

1.21.5 (September 21, 2025)

More from this team

Similar releases

Other sources from this team

Similar sources

Other sources from this team

Similar sources

Similar releases

More from this team