releases.shpreview
HashiCorp/Consul/ent-changelog-1.12.0

ent-changelog-1.12.0

v1.12.0 (Enterprise)

December 2, 2025ConsulView original ↗
$npx -y @buildinternet/releases show rel_yMG0rZuvz6HkcxpxMU9A3

1.12.0 (April 20, 2022)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

BREAKING CHANGES:

  • sdk: several changes to the testutil configuration structs (removed ACLMasterToken, renamed Master to InitialManagement, and AgentMaster to AgentRecovery) [GH-11827]
  • telemetry: the disable_compat_1.9 option now defaults to true. 1.9 style consul.http... metrics can still be enabled by setting disable_compat_1.9 = false. However, we will remove these metrics in 1.13. [GH-12675]

FEATURES:

  • acl: Add token information to PermissionDeniedErrors [GH-12567]
  • acl: Added an AWS IAM auth method that allows authenticating to Consul using AWS IAM identities [GH-12583]
  • ca: Root certificates can now be consumed from a gRPC streaming endpoint: WatchRoots [GH-12678]
  • cli: The token read command now supports the -expanded flag to display detailed role and policy information for the token. [GH-12670]
  • config: automatically reload config when a file changes using the auto-reload-config CLI flag or auto_reload_config config option. [GH-12329]
  • server: Ensure that service-defaults Meta is returned with the response to the ConfigEntry.ResolveServiceConfig RPC. [GH-12529]
  • server: discovery chains now include a response field named "Default" to indicate if they were not constructed from any service-resolver, service-splitter, or service-router config entries [GH-12511]
  • server: ensure that service-defaults meta is incorporated into the discovery chain response [GH-12511]
  • tls: it is now possible to configure TLS differently for each of Consul's listeners (i.e. HTTPS, gRPC and the internal multiplexed RPC listener) using the tls stanza [GH-12504]
  • ui: Added support for AWS IAM Auth Methods [GH-12786]
  • ui: Support connect-native services in the Topology view. [GH-12098]
  • xds: Add the ability to invoke AWS Lambdas through terminating gateways. [GH-12681]
  • xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry [GH-12601]

IMPROVEMENTS:

  • Refactor ACL denied error code and start improving error details [GH-12308]
  • acl: Provide fuller detail in the error messsage when an ACL denies access. [GH-12470]
  • agent: Allow client agents to perform keyring operations [GH-12442]
  • agent: add additional validation to TLS config [GH-12522]
  • agent: add support for specifying TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suites [GH-12522]
  • agent: bump default min version for connections to TLS 1.2 [GH-12522]
  • api: add QueryBackend to QueryMeta so an api user can determine if a query was served using which backend (streaming or blocking query). [GH-12791]
  • ci: include 'enhancement' entry type in IMPROVEMENTS section of changelog. [GH-12376]
  • ui: Exclude Service Instance Health from Health Check reporting on the Node listing page. The health icons on each individual row now only reflect Node health. [GH-12248]
  • ui: Improve usability of Topology warning/information panels [GH-12305]
  • ui: Slightly improve usability of main navigation [GH-12334]
  • ui: Use @hashicorp/flight icons for all our icons. [GH-12209]
  • Removed impediments to using a namespace prefixed IntermediatePKIPath in a CA definition. [GH-12655]
  • acl: Improve handling of region-specific endpoints in the AWS IAM auth method. As part of this, the STSRegion field was removed from the auth method config. [GH-12774]
  • api: Improve error message if service or health check not found by stating that the entity must be referred to by ID, not name [GH-10894]
  • autopilot: Autopilot state is now tracked on Raft followers in addition to the leader. Stale queries may be used to query for the non-leaders state. [GH-12617]
  • autopilot: The autopilot.healthy and autopilot.failure_tolerance metrics are now regularly emitted by all servers. [GH-12617]
  • ci: Enable security scanning for CRT [GH-11956]
  • connect: Add Envoy 1.21.1 to support matrix, remove 1.17.4 [GH-12777]
  • connect: Add Envoy 1.22.0 to support matrix, remove 1.18.6 [GH-12805]
  • connect: reduce raft apply on CA configuration when no change is performed [GH-12298]
  • deps: update to latest go-discover to fix vulnerable transitive jwt-go dependency [GH-12739]
  • grpc, xds: improved reliability of grpc and xds servers by adding recovery-middleware to return and log error in case of panic. [GH-10895]
  • http: if a GET request has a non-empty body, log a warning that suggests a possible problem (parameters were meant for the query string, but accidentally placed in the body) [GH-11821]
  • metrics: The consul.raft.boltdb.writeCapacity metric was added and indicates a theoretical number of writes/second that can be performed to Consul. [GH-12646]
  • sdk: Add support for Partition and RetryJoin to the TestServerConfig struct. [GH-12126]
  • telemetry: Add new leader label to consul.rpc.server.call and optional target_datacenter, locality, allow_stale, and blocking optional labels. [GH-12727]
  • ui: In the datacenter selector order Datacenters by Primary, Local then alpanumerically [GH-12478]
  • ui: Include details on ACL policy dispositions required for unauthorized views [GH-12354]
  • ui: Move icons away from depending on a CSS preprocessor [GH-12461]
  • version: Improved performance of the version.GetHumanVersion function by 50% on memory allocation. [GH-11507]

DEPRECATIONS:

  • acl: The consul.acl.ResolveTokenToIdentity metric is no longer reported. The values that were previous reported as part of this metric will now be part of the consul.acl.ResolveToken metric. [GH-12166]
  • agent: deprecate older syntax for specifying TLS min version values [GH-12522]
  • agent: remove support for specifying insecure TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suites [GH-12522]
  • config: setting cert_file, key_file, ca_file, ca_path, tls_min_version, tls_cipher_suites, verify_incoming, verify_incoming_rpc, verify_incoming_https, verify_outgoing and verify_server_hostname at the top-level is now deprecated, use the tls stanza instead [GH-12504]

BUG FIXES:

  • acl: Fix parsing of IAM user and role tags in IAM auth method [GH-12797]
  • dns: allow max of 63 character DNS labels instead of 64 per RFC 1123 [GH-12535]
  • logging: fix a bug with incorrect severity syslog messages (all messages were sent with NOTICE severity). [GH-12079]
  • ui: Added Tags tab to gateways(just like exists for non-gateway services) [GH-12400]

NOTES:

Fetched April 8, 2026