v1.14.0 (Enterprise)

December 2, 2025

1.14.0 (November 15, 2022)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

BREAKING CHANGES:

  • config: Add new ports.grpc_tls configuration option. Introduce a new port to better separate TLS config from the existing ports.grpc config. The new ports.grpc_tls only supports TLS encrypted communication. The existing ports.grpc now only supports plain-text communication. [GH-15339]
  • config: update 1.14 config defaults: Enable peering and connect by default. [GH-15302]
  • config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 [GH-15302]
  • connect: Removes support for Envoy 1.20 [GH-15093]
  • peering: Rename PeerName to Peer on prepared queries and exported services. [GH-14854]
  • xds: Convert service mesh failover to use Envoy's aggregate clusters. This changes the names of some Envoy dynamic HTTP metrics. [GH-14178]
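
The ports.grpc / ports.grpc_tls split above changes what an existing agent configuration exposes after upgrade. The following check is an added example, not part of the Consul changelog or code base; it assumes a JSON-format agent config, treats an absent ports.grpc as disabled, and uses finding names made up for illustration.

```python
import json

GRPC_TLS_DEFAULT = 8503  # 1.14 default for ports.grpc_tls, per the changelog entry above
DISABLED = -1            # Consul convention: a port set to -1 is turned off


def audit_grpc_ports(config_json):
    """Classify the gRPC listeners of a JSON agent config under 1.14 semantics.

    Returns (plaintext_port, tls_port, findings); a port of None means disabled.
    Assumption: an absent ports.grpc is treated as disabled.
    """
    ports = json.loads(config_json).get("ports", {})
    grpc = ports.get("grpc", DISABLED)
    grpc_tls = ports.get("grpc_tls", GRPC_TLS_DEFAULT)

    # From 1.14 on, ports.grpc is plain-text only and ports.grpc_tls is TLS only.
    plaintext = grpc if grpc > 0 else None
    tls = grpc_tls if grpc_tls > 0 else None

    findings = []  # hypothetical finding names, for illustration
    if plaintext is not None:
        # A pre-1.14 config that served TLS on this port now serves plain text.
        findings.append("PLAINTEXT_GRPC_ENABLED")
    if tls is None:
        findings.append("TLS_GRPC_DISABLED")
    if plaintext is not None and plaintext == tls:
        findings.append("PORT_CONFLICT")
    return plaintext, tls, findings


# Constructed sample configs, not taken from a real cluster.
PRE_UPGRADE = '{"ports": {"grpc": 8502}}'
HARDENED = '{"ports": {"grpc": -1, "grpc_tls": 8503}}'
TLS_OFF = '{"ports": {"grpc": 8502, "grpc_tls": -1}}'
REUSED_PORT = '{"ports": {"grpc": 8503}}'

if __name__ == "__main__":
    for name, cfg in [("pre-upgrade", PRE_UPGRADE), ("hardened", HARDENED),
                      ("tls-off", TLS_OFF), ("reused-port", REUSED_PORT)]:
        print(name, audit_grpc_ports(cfg))
```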

SECURITY:

  • Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints (CVE-2022-3920) [GH-15356]

FEATURES:

  • DNS-proxy support via gRPC request. [GH-14811]
  • cli: Add -node-name flag to redirect-traffic command to support running in environments without client agents. [GH-14933]
  • cli: Add -consul-dns-port flag to the consul connect redirect-traffic command to allow forwarding DNS traffic to a specific Consul DNS port. [GH-15050]
  • connect: Add Envoy connection balancing configuration fields. [GH-14616]
  • grpc: Added metrics for external gRPC server. Added server_type=internal|external label to gRPC metrics. [GH-14922]
  • http: Add new get-or-empty operation to the txn api. Refer to the API docs for more information. [GH-14474]
  • peering: Add mesh gateway local mode support for cluster peering. [GH-14817]
  • peering: Add support for stale queries for trust bundle lookups [GH-14724]
  • peering: Add support to failover to services running on cluster peers. [GH-14396]
  • peering: Add support to redirect to services running on cluster peers with service resolvers. [GH-14445]
  • peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down. [GH-14797]
  • peering: add support for routing peering control-plane traffic through mesh gateways [GH-14981]
  • sdk: Configure iptables to forward DNS traffic to a specific DNS port. [GH-15050]
  • telemetry: emit memberlist size metrics and broadcast queue depth metric. [GH-14873]
  • ui: Added support for central config merging [GH-14604]
  • ui: Create peerings detail page [GH-14947]
  • ui: Detect a TokenSecretID cookie and passthrough to localStorage [GH-14495]
  • ui: Display notice banner on nodes index page if synthetic nodes are being filtered. [GH-14971]
  • ui: Filter agentless (synthetic) nodes from the nodes list page. [GH-14970]
  • ui: Filter out node health checks on agentless service instances [GH-14986]
  • ui: Remove node meta on service instances when using agentless and consolidate external-source labels on service instances page if they all match. [GH-14921]
  • ui: Removed reference to node name on service instance page when using agentless [GH-14903]
  • ui: Use withCredentials for all HTTP API requests [GH-14343]
  • xds: servers will limit the number of concurrent xDS streams they can handle to balance the load across all servers [GH-14397]

IMPROVEMENTS:

  • peering: Add peering datacenter and partition to initial handshake. [GH-14889]
  • xds: Added a rate limiter to the delivery of proxy config updates, to prevent updates to "global" resources such as wildcard intentions from overwhelming servers (see: xds.update_max_per_second config field) [GH-14960]
  • xds: Removed a bottleneck in Envoy config generation, enabling a higher number of dataplanes per server [GH-14934]
  • agent/hcp: add initial HashiCorp Cloud Platform integration [GH-14723]
  • agent: Added configuration option cloud.scada_address. [GH-14936]
  • api: Add filtering support to Catalog's List Services (v1/catalog/services) [GH-11742]
  • api: Increase max number of operations inside a transaction for requests to /v1/txn (128) [GH-14599]
  • auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. [GH-15370]
  • config-entry: Validate that service-resolver Failovers and Redirects only specify Partition and Namespace on Consul Enterprise. This prevents scenarios where OSS Consul would save service-resolvers that require Consul Enterprise. [GH-14162]
  • connect: Add Envoy 1.24.0 to support matrix [GH-15093]
  • connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 [GH-14831]
  • connect: service-router destinations have gained a RetryOn field for specifying the conditions under which Envoy should retry requests, in addition to the specific status codes and generic connection failure conditions that already exist. [GH-12890]
  • dns/peering: (Enterprise Only) Support addresses in the formats <servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul and <servicename>.virtual.<partition>.ap.<peername>.peer.consul. This longer-form address, which allows specifying .peer, would need to be used for tproxy DNS requests made within non-default partitions for imported services.
  • dns: (Enterprise Only) All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: [<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>. [GH-14679]
  • integ test: fix flakiness due to test condition from retry app endpoint [GH-15233]
  • metrics: Service RPC calls less than 1ms are now emitted as a decimal number. [GH-12905]
  • peering: adds an internally managed server certificate for automatic TLS between servers in peer clusters. [GH-14556]
  • peering: require TLS for peering connections using server cert signed by Connect CA [GH-14796]
  • peering: return information about the health of the peering when the leader is queried to read a peering. [GH-14747]
  • raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter [GH-14897]
  • raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 [GH-14897]
  • raft: Fix a race condition where the snapshot file is closed without being opened [GH-14897]
  • telemetry: Added a consul.xds.server.streamStart metric to measure time taken to first generate xDS resources for an xDS stream. [GH-14957]
  • ui: Improve guidance around topology visualisation [GH-14527]
  • xds: Set max_ejection_percent on Envoy's outlier detection to 100% for peered services. [GH-14373]

BUG FIXES:

  • checks: Do not set interval as timeout value [GH-14619]
  • checks: If set, use proxy address for automatically added sidecar check instead of service address. [GH-14433]
  • cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set together [GH-13493]
  • connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries. [GH-15186]
  • connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. [GH-15083]
  • connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. [GH-15320]
  • debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters [GH-15155]
  • deps: update go-memdb, fixing goroutine leak [GH-15010] [GH-15068]
  • grpc: Merge proxy-defaults and service-defaults in GetEnvoyBootstrapParams response. [GH-14869]
  • metrics: Add duplicate metrics that have only a single "consul_" prefix for all existing metrics with double ("consul_consul_") prefix, with the intent to standardize on single prefixes. [GH-14475]
  • namespace: (Enterprise Only) Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter
  • peering: Fix a bug that resulted in /v1/agent/metrics returning an error. [GH-15178]
  • peering: fix nil pointer in calling handleUpdateService [GH-15160]
  • peering: fix an error where the WAN address was not used by the peering token. [GH-15065]
  • peering: when wan address is set, peering stream should use the wan address. [GH-15108]
  • proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters. [GH-15272]
  • server: fix goroutine/memory leaks in the xDS subsystem (these were present regardless of whether or not xDS was in-use) [GH-14916]
  • server: fixes the error trying to source proxy configuration for http checks, in case of proxies using consul-dataplane. [GH-14924]
  • xds: Central service configuration (proxy-defaults and service-defaults) is now correctly applied to Consul Dataplane proxies [GH-14962]

NOTES:

  • deps: Upgrade to use Go 1.19.2 [GH-15090]

Fetched April 8, 2026