{"ecosystem":"go","package":"github.com/hashicorp/consul","from_version":null,"to_version":null,"changes":[{"from_version":"1.8.19","to_version":"1.9.0","change_type":"api","description":"autopilot: A new `/v1/operator/autopilot/state` HTTP API was created to give greater visibility into what autopilot is doing and how it has classified all the servers it is tracking. [[GH-9103](https://github.com/hashicorp/consul/issues/9103)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"behavior","description":"connect: Switch the default gateway port from 443 to 8443 to avoid assumption of Envoy running as root. [[GH-9113](https://github.com/hashicorp/consul/issues/9113)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"behavior","description":"agent: The `enable_central_service_config` option now defaults to true. [[GH-8746](https://github.com/hashicorp/consul/issues/8746)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"behavior","description":"agent: return the default ACL policy to callers as a header [[GH-9101](https://github.com/hashicorp/consul/issues/9101)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"agent: Allow client agents to be configured with an advertised reconnect timeout to control how long until the nodes are reaped by others in the cluster. [[GH-8781](https://github.com/hashicorp/consul/issues/8781)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"agent: moved ui config options to a new `ui_config` stanza in agent configuration and added new options to display service metrics in the UI. [[GH-8694](https://github.com/hashicorp/consul/issues/8694)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"autopilot: Added a new `consul operator autopilot state` command to retrieve and view the Autopilot state from consul. [[GH-9142](https://github.com/hashicorp/consul/issues/9142)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"cli: update `snapshot inspect` command to provide more detailed snapshot data [[GH-8787](https://github.com/hashicorp/consul/issues/8787)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"agent: Return HTTP 429 when connections per clients limit (`limits.http_max_conns_per_client`) has been reached. [[GH-8221](https://github.com/hashicorp/consul/issues/8221)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"xds: use envoy's rbac filter to handle intentions entirely within envoy [[GH-8569](https://github.com/hashicorp/consul/issues/8569)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"connect: support defining intentions using layer 7 criteria [[GH-8839](https://github.com/hashicorp/consul/issues/8839)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"telemetry: add initialization and definition for non-expiring key metrics in Prometheus [[GH-9088](https://github.com/hashicorp/consul/issues/9088)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"ui: If Prometheus is being used for monitoring the sidecars, the topology view can be configured to display overview metrics for the services. [[GH-8858](https://github.com/hashicorp/consul/issues/8858)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"ui: Services using Connect with Envoy sidecars have a topology tab in the UI showing their upstream and downstream services. [[GH-8788](https://github.com/hashicorp/consul/issues/8788)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"telemetry: track node and service counts and emit them as metrics [[GH-8603](https://github.com/hashicorp/consul/issues/8603)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"server: **(OSS only)** Pre-existing intentions defined with either a source or","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"Fix Consul Enterprise Namespace Config Entry Replication DoS. Previously an operator with service:write ACL permissions in a Consul Enterprise cluster could write a malicious config entry that caused infinite raft writes due to issues with the namespace replication logic. [[CVE-2020-25201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25201)] [[GH-9024](https://github.com/hashicorp/consul/issues/9024)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"Increase the permissions to read from the `/connect/ca/configuration` endpoint to `operator:write`. Previously Connect CA configuration, including the private key, set via this endpoint could be read back by an operator with `operator:read` privileges. [CVE-2020-28053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28053) [[GH-9240](https://github.com/hashicorp/consul/issues/9240)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"agent: Add a new RPC endpoint for streaming cluster state change events to clients.","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"server: **(Enterprise only)** Pre-existing intentions defined with","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"xds: Drop support for Envoy versions 1.12.0, 1.12.1, 1.12.2, and 1.13.0, due to a lack of support for url_path in RBAC. [[GH-8839](https://github.com/hashicorp/consul/issues/8839)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"connect: Update Envoy metrics names and labels for proxy listeners so that attributes like datacenter and namespace can be extracted. [[GH-9207](https://github.com/hashicorp/consul/issues/9207)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"connect: intention destinations can no longer be reassigned [[GH-8834](https://github.com/hashicorp/consul/issues/8834)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"raft: Raft protocol v2 is no longer supported. If currently using protocol v2 then an intermediate upgrade to a version supporting both v2 and v3 protocols will be necessary (1.0.0 - 1.8.x). Note that the Raft protocol configured with the `raft_protocol` setting and the Consul RPC protocol configured with the `protocol` setting and output by the `consul version` command are distinct and supported Consul RPC protocol versions are not altered. [[GH-9103](https://github.com/hashicorp/consul/issues/9103)]","migration_hint":null},{"from_version":"1.8.19","to_version":"1.9.0","change_type":"breaking","description":"sentinel: **(Consul Enterprise only)** update to v0.16.0, which replaces `whitelist` and `blacklist` with `allowlist` and `denylist`","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"api","description":"api: Added filtering support to the v1/connect/intentions endpoint. [[GH-7478](https://github.com/hashicorp/consul/issues/7478)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"api","description":"**Audit Logging [Enterprise]**: Adds instrumentation to record a trail of events (both attempted and authorized) by users of Consul’s HTTP API for purposes of regulatory compliance.","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"agent/xds: add support for configuring passive health checks [[GH-7713](https://github.com/hashicorp/consul/pull/7713)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"connect: Added a new expose CLI command for ingress gateways [[GH-8099](https://github.com/hashicorp/consul/issues/8099)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"connect: add DNSSAN and IPSAN to cache key for ConnectCALeafRequest [[GH-7597](https://github.com/hashicorp/consul/pull/7597)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"connect: support envoy 1.12.3, 1.13.1, and 1.14.1. Envoy 1.10 is no longer officially supported. [[GH-7380](https://github.com/hashicorp/consul/pull/7380)],[[GH-7624](https://github.com/hashicorp/consul/pull/7624)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"config: validate system limits against limits.http_max_conns_per_client [[GH-7434](https://github.com/hashicorp/consul/pull/7434)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"**Single Sign-On (SSO) [Enterprise]**: Lets an operator configure Consul to use an external OpenID Connect (OIDC) provider to automatically handle the lifecycle of creating, distributing and managing ACL tokens for performing CLI operations or accessing the UI.","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"**JSON Web Token (JWT) Auth Method**: Allows exchanging a signed JWT from a trusted external identity provider for a Consul ACL token.","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"build: switched to compile with Go 1.14.1 [[GH-7481](https://github.com/hashicorp/consul/pull/7481)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"auto_encrypt: add validations for auto_encrypt.{tls,allow_tls} [[GH-7704](https://github.com/hashicorp/consul/pull/7704)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"agent: show warning when enable_script_checks is enabled without safety net [[GH-7437](https://github.com/hashicorp/consul/pull/7437)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"acl: change authmethod.Validator to take a logger [[GH-7758](https://github.com/hashicorp/consul/issues/7758)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"ui: Support for termininating and ingress gateways [[GH-7858](https://github.com/hashicorp/consul/pull/7858)] [[GH-7865](https://github.com/hashicorp/consul/pull/7865)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"ui: **(Consul Enterprise only)** SSO support [[GH-7742](https://github.com/hashicorp/consul/pull/7742)] [[GH-7771](https://github.com/hashicorp/consul/pull/7771)] [[GH-7790](https://github.com/hashicorp/consul/pull/7790)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"ui: Help menu to provide further documentation/learn links [[GH-7310](https://github.com/hashicorp/consul/pull/7310)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"serf: allow to restrict servers that can join a given Serf Consul cluster. [[GH-7628](https://github.com/hashicorp/consul/pull/7628)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"cli: Add -config flag to \"acl authmethod update/create\" [[GH-7776](https://github.com/hashicorp/consul/pull/7776)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"acl: add DisplayName field to auth methods [[GH-7769](https://github.com/hashicorp/consul/issues/7769)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"acl: add MaxTokenTTL field to auth methods [[GH-7779](https://github.com/hashicorp/consul/issues/7779)]","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"**Terminating Gateway**: Envoy can now be run as a gateway to enable services in a Consul service mesh to connect to external services through their local proxy. Terminating gateways unlock several of the benefits of a service mesh in the cases where a sidecar proxy cannot be deployed alongside services such as legacy applications or managed cloud databases.","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"**Ingress Gateway**: Envoy can now be run as a gateway to ingress traffic into the Consul service mesh, enabling a more incremental transition for applications.","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"**WAN Federation over Mesh Gateways**: Allows Consul datacenters to federate by forwarding WAN gossip and RPC traffic through Mesh Gateways rather than requiring the servers to be exposed to the WAN directly.","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"breaking","description":"license: **(Consul Enterprise only)** Update licensing to align with the current modules licensing structure.","migration_hint":null},{"from_version":"1.7.14","to_version":"1.8.0","change_type":"removed","description":"acl: Remove deprecated `acl_enforce_version_8` option [[GH-7991](https://github.com/hashicorp/consul/issues/7991)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"api","description":"agent: The ACL requirement for the [agent/force-leave endpoint](https://developer.hashicorp.com/api/agent.html#force-leave-and-shutdown) is now `operator:write` rather than `agent:write`. [[GH-7033](https://github.com/hashicorp/consul/pull/7033)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"api","description":"http: The HTTP API no longer accepts JSON fields that are unknown to it. Instead errors will be returned with 400 status codes [[GH-6874](https://github.com/hashicorp/consul/pull/6874)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"behavior","description":"telemetry: `consul.rpc.query` has changed to only measure the _start_ of `srv.blockingQuery()` calls. In certain rare cases where there are lots of idempotent updates this will cause the metric to report lower than before. The counter should now provides more meaningful behavior that maps to the rate of client-initiated requests. [[GH-7224](https://github.com/hashicorp/consul/pull/7224)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"behavior","description":"agent: default the primary_datacenter to the datacenter if not configured [[GH-7111](https://github.com/hashicorp/consul/issues/7111)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"Key/Value Store","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"acl: Add accessorID of token when ops are denied by ACL system [[GH-7117](https://github.com/hashicorp/consul/pull/7117)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"acl: Use constant time comparison when checking for the ACL agent master token. [[GH-6943](https://github.com/hashicorp/consul/pull/6943)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"ui: Visualisation of the Discovery Chain  [[GH6746]](https://github.com/hashicorp/consul/pull/6746)","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"ui: Adds UI support for [Exposed Checks](https://github.com/hashicorp/consul/pull/6446) [[GH6575]](https://github.com/hashicorp/consul/pull/6575)","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"connect: Allow configuration of upstream connection limits in Envoy [[GH-6829](https://github.com/hashicorp/consul/pull/6829)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"connect: Added a new CA provider allowing Connect certificates to be managed by AWS [ACM Private CA](https://developer.hashicorp.com/docs/connect/ca/aws.html).","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"agent: Add Cloud Auto-join support for Tencent Cloud [[GH-6818](https://github.com/hashicorp/consul/pull/6818)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"UI [[GH6639](https://github.com/hashicorp/consul/pull/6639)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"dns: PTR record queries now return answers that contain the Consul datacenter as a label between `service` and the domain. [[GH-6909](https://github.com/hashicorp/consul/pull/6909)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"intentions: Change the ACL requirement and enforcement for wildcard rules. Previously this would look for an ACL rule that would grant access to the service/intention `*`. Now, in order to write a wildcard intention requires write access to all intentions and reading a wildcard intention requires read access to any intention that would match. Additionally intention listing and reading allow access if the requester can read either side of the intention whereas before it only allowed it for permissions on the destination side. [[GH-7028](https://github.com/hashicorp/consul/pull/7028)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"logging: Switch over to using go-hclog and allow emitting either structured or unstructured logs. This changes the log format quite a bit and could break any log parsing users may have in place. [[GH-1249](https://github.com/hashicorp/consul/issues/1249)][[GH-7130](https://github.com/hashicorp/consul/pull/7130)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"cli: Our Windows 32-bit and 64-bit executables for this version and up will be signed with a HashiCorp certificate. Windows users will no longer see a warning about an \"unknown publisher\" when running our software.","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"cli: Our darwin releases for this version and up will be signed and notarized according to Apple's requirements.","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"dns: Updated miekg/dns dependency to fix a memory leak and CVE-2019-19794. [[GH-6984](https://github.com/hashicorp/consul/issues/6984)], [[GH-7252](https://github.com/hashicorp/consul/issues/7252)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"breaking","description":"updated to compile with [[Go 1.12.16](https://groups.google.com/forum/m/#!topic/golang-announce/Hsw4mHYc470)] which includes a fix for CVE-2020-0601 on windows [[GH-7153](https://github.com/hashicorp/consul/pull/7153)]","migration_hint":null},{"from_version":"1.6.10","to_version":"1.7.0","change_type":"removed","description":"**Namespaces (Consul Enterprise only)** This version adds namespacing to Consul. Namespaces help reduce operational challenges by removing restrictions around uniqueness of resource names across distinct teams, and enable operators to provide self-service through delegation of administrative privileges. Namespace support was added to:","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"api","description":"api: Update filtering language to include substring and regular expression matching on string values [[GH-6190](https://github.com/hashicorp/consul/pull/6190)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"api","description":"connect: ensure time.Duration fields retain their human readable forms in the API [[GH-6348](https://github.com/hashicorp/consul/issues/6348)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"api","description":"agent: add `local-only` parameter to operator/keyring list requests to force queries to only hit local servers. [[GH-6279](https://github.com/hashicorp/consul/pull/6279)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"api","description":"connect: expose an API endpoint to compile the discovery chain [[GH-6248](https://github.com/hashicorp/consul/issues/6248)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"api","description":"api: Display allowed HTTP CIDR information nicely [[GH-6029](https://github.com/hashicorp/consul/pull/6029)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"api","description":"connect: change router syntax for matching query parameters to resemble the syntax for matching paths and headers for consistency. [[GH-6163](https://github.com/hashicorp/consul/issues/6163)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"behavior","description":"connect: introduce ExternalSNI field on service-defaults [[GH-6324](https://github.com/hashicorp/consul/issues/6324)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"behavior","description":"connect: added a new `-bind-address` cli option for envoy to create a mapping of the desired bind addresses to use instead of the default rules or tagged addresses [[GH-6107](https://github.com/hashicorp/consul/pull/6107)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"behavior","description":"agent: health checks: change long timeout behavior to use to user-configured `timeout` value [[GH-6094](https://github.com/hashicorp/consul/pull/6094)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"Updated to compile with Go 1.12.8 which mitigates CVE-2019-9512 and CVE-2019-9514 for the builtin HTTP server [[GH-6319](https://github.com/hashicorp/consul/pull/6319)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package [[GH-6340](https://github.com/hashicorp/consul/issues/6340)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"xds: allow http match criteria to be applied to routes on services using grpc protocols [[GH-6149](https://github.com/hashicorp/consul/issues/6149)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"agent: Added tagged addressing to services similar to the already present Node tagged addressing [[GH-5965](https://github.com/hashicorp/consul/pull/5965)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"connect: allow L7 routers to match on http methods [[GH-6164](https://github.com/hashicorp/consul/issues/6164)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"connect: detect and prevent circular discovery chain references [[GH-6246](https://github.com/hashicorp/consul/issues/6246)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"connect: reconcile how upstream configuration works with discovery chains [[GH-6225](https://github.com/hashicorp/consul/issues/6225)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"connect: rework how the service resolver subset OnlyPassing flag works [[GH-6173](https://github.com/hashicorp/consul/issues/6173)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"connect: simplify the compiled discovery chain data structures [[GH-6242](https://github.com/hashicorp/consul/issues/6242)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"connect: validate and test more of the L7 config entries [[GH-6156](https://github.com/hashicorp/consul/issues/6156)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"gossip: increase size of gossip key generated by keygen to 32 bytes and document support for AES 256 [[GH-6244](https://github.com/hashicorp/consul/issues/6244)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"Updated the google.golang.org/grpc dependency to v1.23.0 to mitigate CVE-2019-9512, CVE-2019-9514, and CVE-2019-9515 for the gRPC server. [[GH-6320](https://github.com/hashicorp/consul/pull/6320)]","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"**Connect Envoy Supports L7 Routing:** Additional configuration entry types `service-router`, `service-resolver`, and `service-splitter`, allow for configuring Envoy sidecars to enable reliability and deployment patterns at L7 such as HTTP path-based routing, traffic shifting, and advanced failover capabilities. For more information see the [L7 traffic management](https://developer.hashicorp.com/docs/connect/l7-traffic-management.html) docs.","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"**Mesh Gateways:** Envoy can now be run as a gateway to route Connect traffic across datacenters using SNI headers, allowing connectivty across platforms and clouds and other complex network topologies. Read more in the [mesh gateway docs](https://developer.hashicorp.com/docs/connect/mesh_gateway.html).","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"breaking","description":"**Intention & CA Replication:** In order to enable connecitivty for services across datacenters, Connect intentions are now replicated and the Connect CA cross-signs from the [primary_datacenter](/docs/agent/config/config-files.html#primary_datacenter). This feature was previously part of Consul Enterprise.","migration_hint":null},{"from_version":"1.5.3","to_version":"1.6.0","change_type":"removed","description":"connect: remove deprecated managed proxies and ProxyDestination config [[GH-6220](https://github.com/hashicorp/consul/pull/6220)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"api","description":"api: Implement data filtering for some endpoints using a new filtering language. [[GH-5579](https://github.com/hashicorp/consul/pull/5579)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"api","description":"api: fix issue in the transaction API where the health check definition struct wasn't being deserialized properly [[GH-5553](https://github.com/hashicorp/consul/issues/5553)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"api","description":"api: fix panic in 'consul acl set-agent-token' [[GH-5533](https://github.com/hashicorp/consul/issues/5533)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"api","description":"/watch: (note this only affects downstream programs importing `/watch` package as a library not the `watch` feature in Consul) The watch package was moved from github.com/hashicorp/consul/watch to github.com/hashicorp/consul/api/watch to live in the API module. This was necessary after updating the repo to use Go modules or else various other bugs cropped up. The watch package API has not changed so projects depending on it should need to only update the import statement to get their code functioning again. [[GH-5664](https://github.com/hashicorp/consul/pull/5664)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"behavior","description":"**Centralized Configuration:** Enables central configuration of some service and proxy defaults. For more information see the [Configuration Entries](https://developer.hashicorp.com/consul/docs/agent/config_entries.html) docs","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"ui: Template-able Dashboard links for Service detail pages [[GH-5704](https://github.com/hashicorp/consul/pull/5704)] [[GH-5777](https://github.com/hashicorp/consul/pull/5777)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"ui: support for ACL Roles [[GH-5635](https://github.com/hashicorp/consul/pull/5635)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"cli: allow to add ip addresses as Subject Alternative Names when creating certificates with `consul tls cert create` [[GH-5602](https://github.com/hashicorp/consul/pull/5602)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"dns: Allow for hot-reload of many DNS configurations. [[GH-4875](https://github.com/hashicorp/consul/pull/4875)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"agent: config is now read if json or hcl is set as the config-format or the extension is either json or hcl [[GH-5723](https://github.com/hashicorp/consul/issues/5723)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"acl: Allow setting token accessor ids and secret ids during token creation. [[GH-4977](https://github.com/hashicorp/consul/issues/4977)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"ui: Service Instances page redesign and further visibility of Connect Proxies [[GH-5326]](https://github.com/hashicorp/consul/pull/5326)","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"ui: Blocking Query support / live updates for Services and Nodes, requires enabling per user via the UI Settings area [[GH-5070]](https://github.com/hashicorp/consul/pull/5070) [[GH-5267]](https://github.com/hashicorp/consul/pull/5267)","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"ui: Finer grained searching for the Service listing page [[GH-5507]](https://github.com/hashicorp/consul/pull/5507)","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"acl: Fix legacy rules translation for JSON based rules. [[GH-5493](https://github.com/hashicorp/consul/issues/5493)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"ui: Add proxy icons to proxy services and instances where appropriate [[GH-5463](https://github.com/hashicorp/consul/pull/5463)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"acl: memdb filter of tokens-by-policy was inverted [[GH-5575](https://github.com/hashicorp/consul/issues/5575)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"connect: Envoy versions lower than 1.9.1 are vulnerable to","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"**Connect Envoy Supports L7 Observability:** We introduce features that allow configuring Envoy sidecars to emit metrics and tracing at L7 (http, http2, grpc supported). For more information see the [Envoy Integration](https://developer.hashicorp.com/consul/docs/connect/proxies/envoy.html) docs.","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"snapshot agent (Consul Enterprise): Added support for saving snapshots to Azure Blob Storage.","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"acl: tokens can be created with an optional expiration time [[GH-5353](https://github.com/hashicorp/consul/issues/5353)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"acl: tokens can now be assigned an optional set of service identities [[GH-5390](https://github.com/hashicorp/consul/issues/5390)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"acl: tokens can now be assigned to roles [[GH-5514](https://github.com/hashicorp/consul/issues/5514)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"breaking","description":"acl: adding support for kubernetes auth provider login [[GH-5600](https://github.com/hashicorp/consul/issues/5600)]","migration_hint":null},{"from_version":"1.4.5","to_version":"1.5.0","change_type":"removed","description":"ui: Legacy UI has been removed. Setting the CONSUL_UI_LEGACY environment variable to 1 or true will no longer revert to serving the old UI. [[GH-5643](https://github.com/hashicorp/consul/pull/5643)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0-rc2","change_type":"api","description":"cmd: Fix `consul operator utilization --help` to show only available options without extra parameters. [[GH-22912](https://github.com/hashicorp/consul/issues/22912)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0-rc2","change_type":"breaking","description":"security: Adding warning when remote/local script checks are enabled without enabling ACL's [[GH-22877](https://github.com/hashicorp/consul/issues/22877)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0-rc2","change_type":"breaking","description":"security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks[CVE-2025-11374](https://nvd.nist.gov/vuln/detail/CVE-2025-11374) [[GH-22916](https://github.com/hashicorp/consul/issues/22916)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0-rc2","change_type":"breaking","description":"security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves [CVE-2025-11375](https://nvd.nist.gov/vuln/detail/CVE-2025-11375). [[GH-22836](https://github.com/hashicorp/consul/issues/22836)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0-rc2","change_type":"breaking","description":"security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [[GH-22850](https://github.com/hashicorp/consul/issues/22850)]","migration_hint":null},{"from_version":"1.22.0-rc1","to_version":"1.22.0-rc2","change_type":"api","description":"cmd: Fix `consul operator utilization --help` to show only available options without extra parameters. [[GH-22912](https://github.com/hashicorp/consul/issues/22912)]","migration_hint":null},{"from_version":"1.22.0-rc1","to_version":"1.22.0-rc2","change_type":"breaking","description":"security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves [CVE-2025-11375](https://nvd.nist.gov/vuln/detail/CVE-2025-11375). [[GH-22836](https://github.com/hashicorp/consul/issues/22836)]","migration_hint":null},{"from_version":"1.22.0-rc1","to_version":"1.22.0-rc2","change_type":"breaking","description":"security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [[GH-22850](https://github.com/hashicorp/consul/issues/22850)]","migration_hint":null},{"from_version":"1.22.0-rc1","to_version":"1.22.0-rc2","change_type":"breaking","description":"security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks[CVE-2025-11374](https://nvd.nist.gov/vuln/detail/CVE-2025-11374) [[GH-22916](https://github.com/hashicorp/consul/issues/22916)]","migration_hint":null},{"from_version":"1.22.0-rc1","to_version":"1.22.0-rc2","change_type":"breaking","description":"security: Adding warning when remote/local script checks are enabled without enabling ACL's [[GH-22877](https://github.com/hashicorp/consul/issues/22877)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"api","description":"agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from \"agent/self\" API. [[GH-22741](https://github.com/hashicorp/consul/issues/22741)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"api","description":"api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [[GH-22837](https://github.com/hashicorp/consul/issues/22837)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"behavior","description":"connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [[GH-22773](https://github.com/hashicorp/consul/issues/22773)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"behavior","description":"command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [[GH-22763](https://github.com/hashicorp/consul/issues/22763)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"behavior","description":"proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [[GH-22772](https://github.com/hashicorp/consul/issues/22772)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"behavior","description":"oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [[GH-22732](https://github.com/hashicorp/consul/issues/22732)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [[GH-22789](https://github.com/hashicorp/consul/issues/22789)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"ui: Allow FQDN to be displayed in the Consul web interface. [[GH-22779](https://github.com/hashicorp/consul/issues/22779)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [[GH-22813](https://github.com/hashicorp/consul/issues/22813)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"ui: Replace yarn with pnpm for package management [[GH-22790](https://github.com/hashicorp/consul/issues/22790)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [[GH-22770](https://github.com/hashicorp/consul/issues/22770)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"cli: `snapshot agent` now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [[GH-11171](https://github.com/hashicorp/consul/issues/11171)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"cmd: Added new subcommand `consul operator utilization [-today-only] [-message] [-y]` to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [[GH-22888](https://github.com/hashicorp/consul/issues/22888)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"security: Upgrade golang to 1.25.3. [[GH-22926](https://github.com/hashicorp/consul/issues/22926)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"ipv6: addtition of ip6tables changes for ipv6 and dual stack support [[GH-22787](https://github.com/hashicorp/consul/issues/22787)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"install: Updated license information displayed during post-install","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"Added support to register a service in consul with multiple ports [[GH-22769](https://github.com/hashicorp/consul/issues/22769)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [[GH-22850](https://github.com/hashicorp/consul/issues/22850)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves [CVE-2025-11375](https://nvd.nist.gov/vuln/detail/CVE-2025-11375). [[GH-22836](https://github.com/hashicorp/consul/issues/22836)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks[CVE-2025-11374](https://nvd.nist.gov/vuln/detail/CVE-2025-11374) [[GH-22916](https://github.com/hashicorp/consul/issues/22916)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"breaking","description":"security: Adding warning when remote/local script checks are enabled without enabling ACL's [[GH-22877](https://github.com/hashicorp/consul/issues/22877)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"deprecated","description":"ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [[GH-22947](https://github.com/hashicorp/consul/issues/22947)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"removed","description":"ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [[GH-22938](https://github.com/hashicorp/consul/issues/22938)]","migration_hint":null},{"from_version":"1.22.0-rc2","to_version":"1.22.0","change_type":"removed","description":"connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [[GH-22824](https://github.com/hashicorp/consul/issues/22824)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"api","description":"api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [[GH-22837](https://github.com/hashicorp/consul/issues/22837)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"api","description":"agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from \"agent/self\" API. [[GH-22741](https://github.com/hashicorp/consul/issues/22741)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"behavior","description":"command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [[GH-22763](https://github.com/hashicorp/consul/issues/22763)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"behavior","description":"proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [[GH-22772](https://github.com/hashicorp/consul/issues/22772)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"behavior","description":"oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [[GH-22732](https://github.com/hashicorp/consul/issues/22732)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"behavior","description":"connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [[GH-22773](https://github.com/hashicorp/consul/issues/22773)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"ui: Replace yarn with pnpm for package management [[GH-22790](https://github.com/hashicorp/consul/issues/22790)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [[GH-22770](https://github.com/hashicorp/consul/issues/22770)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"cli: `snapshot agent` now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [[GH-11171](https://github.com/hashicorp/consul/issues/11171)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"cmd: Added new subcommand `consul operator utilization [-today-only] [-message] [-y]` to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [[GH-22888](https://github.com/hashicorp/consul/issues/22888)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"install: Updated license information displayed during post-install","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"Added support to register a service in consul with multiple ports [[GH-22769](https://github.com/hashicorp/consul/issues/22769)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [[GH-22850](https://github.com/hashicorp/consul/issues/22850)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves [CVE-2025-11375](https://nvd.nist.gov/vuln/detail/CVE-2025-11375). [[GH-22836](https://github.com/hashicorp/consul/issues/22836)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks[CVE-2025-11374](https://nvd.nist.gov/vuln/detail/CVE-2025-11374) [[GH-22916](https://github.com/hashicorp/consul/issues/22916)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [[GH-22789](https://github.com/hashicorp/consul/issues/22789)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"security: Adding warning when remote/local script checks are enabled without enabling ACL's [[GH-22877](https://github.com/hashicorp/consul/issues/22877)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"ui: Allow FQDN to be displayed in the Consul web interface. [[GH-22779](https://github.com/hashicorp/consul/issues/22779)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [[GH-22813](https://github.com/hashicorp/consul/issues/22813)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"security: Upgrade golang to 1.25.3. [[GH-22926](https://github.com/hashicorp/consul/issues/22926)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"breaking","description":"ipv6: addtition of ip6tables changes for ipv6 and dual stack support [[GH-22787](https://github.com/hashicorp/consul/issues/22787)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"deprecated","description":"ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [[GH-22947](https://github.com/hashicorp/consul/issues/22947)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"removed","description":"ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [[GH-22938](https://github.com/hashicorp/consul/issues/22938)]","migration_hint":null},{"from_version":"1.22.0","to_version":"1.22.0","change_type":"removed","description":"connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [[GH-22824](https://github.com/hashicorp/consul/issues/22824)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"behavior","description":"mesh: Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005). [[GH-21816](https://github.com/hashicorp/consul/issues/21816)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"mesh: Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006). [[GH-21816](https://github.com/hashicorp/consul/issues/21816)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"snapshot agent: **(Enterprise only)**  Implement Service Principal Auth for snapshot agent on azure.","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"xds: configures Envoy to load balance over all instances of an external service configured with hostnames when \"envoy_dns_discovery_type\" is set to \"STRICT_DNS\" [[GH-21655](https://github.com/hashicorp/consul/issues/21655)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"mesh: Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006). [[GH-21816](https://github.com/hashicorp/consul/issues/21816)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"removed","description":"api: remove dependency on proto-public, protobuf, and grpc [[GH-21780](https://github.com/hashicorp/consul/issues/21780)]","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"api","description":"Upgrade api submodule to 1.29.6 [[GH-22058](https://github.com/hashicorp/consul/issues/22058)]","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"api","description":"api: Enforces strict content-type header validation to protect against XSS vulnerability. [[GH-21930](https://github.com/hashicorp/consul/issues/21930)]","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"behavior","description":"mesh: **(Enterprise Only)** Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"breaking","description":"mesh: **(Enterprise Only)** Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"breaking","description":"Update `registry.access.redhat.com/ubi9-minimal` image to 9.5 to address [CVE-2024-3596](https://nvd.nist.gov/vuln/detail/CVE-2024-3596),[CVE-2024-2511](https://nvd.nist.gov/vuln/detail/CVE-2024-2511),[CVE-2024-26458](https://nvd.nist.gov/vuln/detail/CVE-2024-26458). [[GH-22011](https://github.com/hashicorp/consul/issues/22011)]","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"breaking","description":"Update `golang.org/x/net` to v0.33.0 to address [GO-2024-3333](https://pkg.go.dev/vuln/GO-2024-3333). [[GH-22021](https://github.com/hashicorp/consul/issues/22021)]","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"breaking","description":"Update `golang.org/x/crypto` to v0.31.0 to address [GO-2024-3321](https://pkg.go.dev/vuln/GO-2024-3321). [[GH-22001](https://github.com/hashicorp/consul/issues/22001)]","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"breaking","description":"Update `github.com/golang-jwt/jwt/v4` to v4.5.1 to address [GHSA-29wx-vh33-7x7r](https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r). [[GH-21951](https://github.com/hashicorp/consul/issues/21951)]","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"breaking","description":"mesh: **(Enterprise Only)** Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"breaking","description":"Resolved issue where hcl would allow duplicates of the same key in acl policy configuration. [[GH-21908](https://github.com/hashicorp/consul/issues/21908)]","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"breaking","description":"proxycfg: fix a bug where peered upstreams watches are canceled even when another target needs it. [[GH-21871](https://github.com/hashicorp/consul/issues/21871)]","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"breaking","description":"xds: configures Envoy to load balance over all instances of an external service configured with hostnames when \"envoy_dns_discovery_type\" is set to \"STRICT_DNS\" [[GH-21655](https://github.com/hashicorp/consul/issues/21655)]","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"breaking","description":"snapshot agent: **(Enterprise only)**  Implement Service Principal Auth for snapshot agent on azure.","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"breaking","description":"state: ensure that identical manual virtual IP updates result in not bumping the modify indexes [[GH-21909](https://github.com/hashicorp/consul/issues/21909)]","migration_hint":null},{"from_version":"1.18.6","to_version":"1.19.4","change_type":"removed","description":"Removed ability to use bexpr to filter results without ACL read on endpoint [[GH-21950](https://github.com/hashicorp/consul/issues/21950)]","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"behavior","description":"jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"behavior","description":"mesh: **(Enterprise Only)** Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"xds: configures Envoy to load balance over all instances of an external service configured with hostnames when \"envoy_dns_discovery_type\" is set to \"STRICT_DNS\" [[GH-21655](https://github.com/hashicorp/consul/issues/21655)]","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"Upgrade Go to use 1.22.7. This addresses CVE","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"mesh: **(Enterprise Only)** Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"mesh: **(Enterprise Only)** Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"breaking","description":"ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"removed","description":"UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]","migration_hint":null},{"from_version":"1.19.2","to_version":"1.19.3","change_type":"removed","description":"api: remove dependency on proto-public, protobuf, and grpc [[GH-21780](https://github.com/hashicorp/consul/issues/21780)]","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"api","description":"gateways: api-gateway can leverage listener TLS certificates available on the gateway's local filesystem by specifying the public certificate and private key path in the new file-system-certificate configuration entry [[GH-20873](https://github.com/hashicorp/consul/issues/20873)]","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"api","description":"dns: DNS-over-grpc when using `consul-dataplane` now accepts partition, namespace, token as metadata to default those query parameters.","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"api","description":"Upgrade to support k8s.io/apimachinery `v0.18.7 or higher`. This resolves CVE","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"behavior","description":"dns: queries now default to a refactored DNS server that is v1 and v2 Catalog compatible.","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"behavior","description":"dns: new version was not supporting partition or namespace being set to 'default' in CE version. [[GH-21230](https://github.com/hashicorp/consul/issues/21230)]","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"breaking","description":"upgrade go version to v1.22.4. [[GH-21265](https://github.com/hashicorp/consul/issues/21265)]","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"breaking","description":"Upgrade `github.com/envoyproxy/go-control-plane` to 0.12.0. [[GH-20973](https://github.com/hashicorp/consul/issues/20973)]","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"breaking","description":"snapshot: Add `consul snapshot decode` CLI command to output a JSON object stream of all the snapshots data. [[GH-20824](https://github.com/hashicorp/consul/issues/20824)]","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"breaking","description":"telemetry: Add `telemetry.disable_per_tenancy_usage_metrics` in agent configuration to disable setting tenancy labels on usage metrics. This significantly decreases CPU utilization in clusters with many admin partitions or namespaces.","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"breaking","description":"telemetry: Improved the performance usage metrics emission by not outputting redundant metrics. [[GH-20674](https://github.com/hashicorp/consul/issues/20674)]","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"breaking","description":"Upgrade to support Envoy `1.27.5 and 1.28.3`. This resolves CVE","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"breaking","description":"mesh: update supported envoy version 1.29.4 in addition to 1.28.3, 1.27.5, 1.26.8. [[GH-21142](https://github.com/hashicorp/consul/issues/21142)]","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"breaking","description":"docs: Consul DNS Forwarding configuration for OpenShift update for [Resolve Consul DNS Requests in Kubernetes](https://developer.hashicorp.com/consul/docs/k8s/dns) [[GH-20439](https://github.com/hashicorp/consul/issues/20439)]","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"breaking","description":"hcp: fix error logs when failing to push metrics [[GH-20514](https://github.com/hashicorp/consul/issues/20514)]","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"breaking","description":"streaming: Handle ACL errors consistently when blocking query timeout is reached. [[GH-20876](https://github.com/hashicorp/consul/issues/20876)]","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"deprecated","description":"snapshot agent: **(Enterprise only)** Top level single snapshot destinations `local_storage`, `aws_storage`, `azure_blob_storage`, and `google_storage` in snapshot agent configuration files are now deprecated. Use the `backup_destinations` config object instead.","migration_hint":null},{"from_version":"1.18.2","to_version":"1.19.0","change_type":"removed","description":"telemetry: State store usage metrics with a double `consul` element in the metric name have been removed. Please use the same metric without the second `consul` instead. As an example instead of `consul.consul.state.config_entries` use `consul.state.config_entries` [[GH-20674](https://github.com/hashicorp/consul/issues/20674)]","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"behavior","description":"mesh: **(Enterprise Only)** Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"behavior","description":"jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"Upgrade Go to use 1.22.7. This addresses CVE","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"mesh: **(Enterprise Only)** Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"mesh: **(Enterprise Only)** Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"breaking","description":"xds: configures Envoy to load balance over all instances of an external service configured with hostnames when \"envoy_dns_discovery_type\" is set to \"STRICT_DNS\" [[GH-21655](https://github.com/hashicorp/consul/issues/21655)]","migration_hint":null},{"from_version":"1.18.4","to_version":"1.18.5","change_type":"removed","description":"api: remove dependency on proto-public, protobuf, and grpc [[GH-21780](https://github.com/hashicorp/consul/issues/21780)]","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"api","description":"api: Randomize the returned server list for the WatchServers gRPC endpoint. [[GH-20866](https://github.com/hashicorp/consul/issues/20866)]","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"xds: Improved the performance of xDS server side load balancing. Its slightly improved in Consul CE with drastic CPU usage reductions in Consul Enterprise. [[GH-20672](https://github.com/hashicorp/consul/issues/20672)]","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"ui: Adds a \"Link to HCP Consul Central\" modal with integration to side-nav and link to HCP banner. There will be an option to disable the Link to HCP banner from the UI in a follow-up release. [[GH-20474](https://github.com/hashicorp/consul/issues/20474)]","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"Update `google.golang.org/protobuf` to v1.33.0 to address [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786). [[GH-20801](https://github.com/hashicorp/consul/issues/20801)]","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"Update the Consul Build Go base image to `alpine3.19`. This resolves CVEs","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"Upgrade to use Go `1.21.8`. This resolves CVEs","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"partitions: **(Enterprise only)** Allow disabling of Gossip per Partition [[GH-20669](https://github.com/hashicorp/consul/issues/20669)]","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"snapshot agent: **(Enterprise only)** Add support for multiple snapshot destinations using the `backup_destinations` config file object.","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"audit-logs: **(Enterprise Only)** Fixes non ASCII characters in audit logs because of gzip. [[GH-20345](https://github.com/hashicorp/consul/issues/20345)]","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"connect: Fix issue where Consul-dataplane xDS sessions would not utilize the streaming backend for wan-federated queries. [[GH-20868](https://github.com/hashicorp/consul/issues/20868)]","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"connect: Fix potential goroutine leak in xDS stream handling. [[GH-20866](https://github.com/hashicorp/consul/issues/20866)]","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"connect: Fix xDS deadlock that could result in proxies being unable to start. [[GH-20867](https://github.com/hashicorp/consul/issues/20867)]","migration_hint":null},{"from_version":"1.17.4","to_version":"1.18.1","change_type":"breaking","description":"ingress-gateway: **(Enterprise Only)** Fix a bug where on update, Ingress Gateways lost all upstreams for listeners with wildcard services in a different namespace.","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"api","description":"cloud: Adds new API/CLI to initiate and manage linking a Consul cluster to HCP Consul Central [[GH-20312](https://github.com/hashicorp/consul/issues/20312)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"api","description":"docs: add Link API documentation [[GH-20308](https://github.com/hashicorp/consul/issues/20308)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"behavior","description":"agent: Introduces a new agent config default_intention_policy to decouple the default intention behavior from ACLs [[GH-20544](https://github.com/hashicorp/consul/issues/20544)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"behavior","description":"telemetry: Adds fix to always use the value of `telemetry.disable_hostname` when determining whether to prefix gauge-type metrics with the hostname of the Consul agent. Previously, if only the default metric sink was enabled, this configuration was ignored and always treated as `true`, even though its default value is `false`. [[GH-20312](https://github.com/hashicorp/consul/issues/20312)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"ui: Adds a redirect and warning message around unavailable UI with V2 enabled [[GH-20359](https://github.com/hashicorp/consul/issues/20359)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"ui: Added a banner to let users link their clusters to HCP [[GH-20275](https://github.com/hashicorp/consul/issues/20275)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"dns: adds experimental support for a refactored DNS server that is v1 and v2 Catalog compatible.","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"v2: prevent use of the v2 experiments in secondary datacenters for now [[GH-20299](https://github.com/hashicorp/consul/issues/20299)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"agent: **(Enterprise Only)** Add fault injection filter support for Consul Service Mesh","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"cloud: unconditionally add Access-Control-Expose-Headers HTTP header [[GH-20220](https://github.com/hashicorp/consul/issues/20220)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"acl: add policy bindtype to binding rules. [[GH-19499](https://github.com/hashicorp/consul/issues/19499)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address [CVE-2024-23324](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6), [CVE-2024-23325](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26), [CVE-2024-23322](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38), [CVE-2024-23323](https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch), [CVE-2024-23327](https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j), [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76), [GH-20589](https://github.com/hashicorp/consul/issues/20589)], [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76), and [[GH-19879](https://github.com/hashicorp/consul/issues/19879)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"connect: Update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76) [[GH-19306](https://github.com/hashicorp/consul/issues/19306)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"Update `golang.org/x/crypto` to v0.17.0 to address [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795). [[GH-20023](https://github.com/hashicorp/consul/issues/20023)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"snapshot-agent: **(Enterprise only)** Fix a bug with static AWS credentials where one of the key id or secret key is provided via config file and the other is provided via an environment variable.","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"config-entries: Allow disabling request and idle timeouts with negative values in service router and service resolver config entries. [[GH-19992](https://github.com/hashicorp/consul/issues/19992)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"ui: adds V2CatalogEnabled to config that is passed to the ui [[GH-20353](https://github.com/hashicorp/consul/issues/20353)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"server: Ensure controllers are automatically restarted on internal stream errors. [[GH-20642](https://github.com/hashicorp/consul/issues/20642)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"server: Ensure internal streams are properly terminated on snapshot restore. [[GH-20642](https://github.com/hashicorp/consul/issues/20642)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"resource: lowercase names enforced for v2 resources only. [[GH-19218](https://github.com/hashicorp/consul/issues/19218)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"dns: SERVFAIL when resolving not found PTR records. [[GH-20679](https://github.com/hashicorp/consul/issues/20679)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"breaking","description":"raft:  Fix panic during downgrade from enterprise to oss. [[GH-19311](https://github.com/hashicorp/consul/issues/19311)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"deprecated","description":"connect: Replace usage of deprecated Envoy fields `envoy.config.route.v3.HeaderMatcher.safe_regex_match` and `envoy.type.matcher.v3.RegexMatcher.google_re2`. [[GH-20013](https://github.com/hashicorp/consul/issues/20013)]","migration_hint":null},{"from_version":"1.17.3","to_version":"1.18.0","change_type":"deprecated","description":"connect: Replace usage of deprecated Envoy field `envoy.config.core.v3.HeaderValueOption.append`. [[GH-20078](https://github.com/hashicorp/consul/issues/20078)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"config-entry(api-gateway): (Enterprise only) Add JWTFilter to HTTPRoute Filters","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"api: RaftLeaderTransfer now requires an id string. An empty string can be specified to keep the old behavior. [[GH-17107](https://github.com/hashicorp/consul/issues/17107)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"The v2 catalog API feature preview does not support connections with client agents. As a result, it is only available for Kubernetes deployments, which use [Consul dataplanes](consul/docs/connect/dataplane) instead of client agents.","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"When using the v2 API with transparent proxy, Kubernetes pods cannot use L7 liveness, readiness, or startup probes.","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"The v2 API only supports transparent proxy mode where services that have permissions to connect to each other can use","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"HCP Consul does not support multi-port services or the v2 catalog API in this release.","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"The Consul UI does not support multi-port services or the v2 catalog API in this release.","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"The v1 and v2 catalog APIs cannot run concurrently.","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"dataplane: Allow getting bootstrap parameters when using V2 APIs [[GH-18504](https://github.com/hashicorp/consul/issues/18504)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"config-entry(api-gateway): (Enterprise only) Add GatewayPolicy to APIGateway Config Entry listeners","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"api-gateway: add retry and timeout filters [[GH-18324](https://github.com/hashicorp/consul/issues/18324)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"api","description":"api-gateway: Add support for response header modifiers on http-route configuration entry [[GH-18646](https://github.com/hashicorp/consul/issues/18646)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"Windows: support consul connect envoy command on Windows [[GH-17694](https://github.com/hashicorp/consul/issues/17694)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"[[Auth resource controllers]](https://github.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/internal/auth/internal)","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"[[Mesh resource controllers]](https://github.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/internal/mesh/internal/controllers)","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"[[Catalog resource controllers]](https://github.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/internal/catalog/internal/controllers)","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"[[V2 Protobufs]](https://github.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/proto-public)","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"audit-logging: **(Enterprise only)** allowing timestamp based filename only on rotation. initially the filename will be just file.json [[GH-18668](https://github.com/hashicorp/consul/issues/18668)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"acl: Add BindRule support for templated policies. Add new BindType: templated-policy and BindVar field for templated policy variables. [[GH-18719](https://github.com/hashicorp/consul/issues/18719)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"cli: Add `bind-var` flag to `consul acl binding-rule` for templated policy variables. [[GH-18719](https://github.com/hashicorp/consul/issues/18719)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"cli: Add `consul acl templated-policy` commands to read, list and preview templated policies. [[GH-18816](https://github.com/hashicorp/consul/issues/18816)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"acl: Add new `acl.tokens.dns` config field which specifies the token used implicitly during dns checks. [[GH-17936](https://github.com/hashicorp/consul/issues/17936)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"Support custom watches on the Consul Controller framework. [[GH-18439](https://github.com/hashicorp/consul/issues/18439)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"acl: Added ACL Templated policies to simplify getting the right ACL token. [[GH-18708](https://github.com/hashicorp/consul/issues/18708)]","migration_hint":null},{"from_version":"1.16.2","to_version":"1.17.0-rc1","change_type":"breaking","description":"acl: Adds a new ACL rule for workload identities [[GH-18769](https://github.com/hashicorp/consul/issues/18769)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"api","description":"The v2 catalog API feature preview does not support connections with client agents. As a result, it is only available for Kubernetes deployments, which use [Consul dataplanes](consul/docs/connect/dataplane) instead of client agents.","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"api","description":"api-gateway: Add support for response header modifiers on http-route configuration entry [[GH-18646](https://github.com/hashicorp/consul/issues/18646)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"api","description":"The v1 and v2 catalog APIs cannot run concurrently.","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"api","description":"api: RaftLeaderTransfer now requires an id string. An empty string can be specified to keep the old behavior. [[GH-17107](https://github.com/hashicorp/consul/issues/17107)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"api","description":"HCP Consul does not support multi-port services or the v2 catalog API in this release.","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"api","description":"The Consul UI does not support multi-port services or the v2 catalog API in this release.","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"api","description":"api-gateway: add retry and timeout filters [[GH-18324](https://github.com/hashicorp/consul/issues/18324)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"[[Mesh resource controllers]](https://github.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/internal/mesh/internal/controllers)","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"Upgrade `google.golang.org/grpc` to 1.56.3.","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"Upgrade Go to 1.20.10.","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"Update `golang.org/x/net` to v0.17.0 to address [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"audit-logging: **(Enterprise only)** allowing timestamp based filename only on rotation. initially the filename will be just file.json [[GH-18668](https://github.com/hashicorp/consul/issues/18668)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"cli: Add `bind-var` flag to `consul acl binding-rule` for templated policy variables. [[GH-18719](https://github.com/hashicorp/consul/issues/18719)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"acl: Adds workload identity templated policy [[GH-19077](https://github.com/hashicorp/consul/issues/19077)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"acl: Adds a new ACL rule for workload identities [[GH-18769](https://github.com/hashicorp/consul/issues/18769)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"acl: Added ACL Templated policies to simplify getting the right ACL token. [[GH-18708](https://github.com/hashicorp/consul/issues/18708)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"acl: Add new `acl.tokens.dns` config field which specifies the token used implicitly during dns checks. [[GH-17936](https://github.com/hashicorp/consul/issues/17936)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"acl: Add BindRule support for templated policies. Add new BindType: templated-policy and BindVar field for templated policy variables. [[GH-18719](https://github.com/hashicorp/consul/issues/18719)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"Windows: support consul connect envoy command on Windows [[GH-17694](https://github.com/hashicorp/consul/issues/17694)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"Support custom watches on the Consul Controller framework. [[GH-18439](https://github.com/hashicorp/consul/issues/18439)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"[[V2 Protobufs]](https://github.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/proto-public)","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"[[Auth resource controllers]](https://github.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/internal/auth/internal)","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"connect: update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76) [[GH-19275](https://github.com/hashicorp/consul/issues/19275)]","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"breaking","description":"[[Catalog resource controllers]](https://github.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/internal/catalog/internal/controllers)","migration_hint":null},{"from_version":"1.16.3","to_version":"1.17.0","change_type":"deprecated","description":"cli: Deprecate the `-admin-access-log-path` flag from `consul connect envoy` command in favor of: `-admin-access-log-config`. [[GH-15946](https://github.com/hashicorp/consul/issues/15946)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"api","description":"api: The `/v1/health/connect/` and `/v1/health/ingress/` endpoints now immediately return 403 \"Permission Denied\" errors whenever a token with insufficient `service:read` permissions is provided. Prior to this change, the endpoints returned a success code with an empty result list when a token with insufficient permissions was provided. [[GH-17424](https://github.com/hashicorp/consul/issues/17424)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"api","description":"api: (Enterprise only) Add `POST /v1/operator/audit-hash` endpoint to calculate the hash of the data used by the audit log hash function and salt.","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"api","description":"* api: Support filtering for config entries. [[GH-17183](https://github.com/hashicorp/consul/issues/17183)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"api","description":"api: Enable setting query options on agent force-leave endpoint. [[GH-15987](https://github.com/hashicorp/consul/issues/15987)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"behavior","description":"mesh: Add new permissive mTLS mode that allows sidecar proxies to forward incoming traffic unmodified to the application. This adds `AllowEnablingPermissiveMutualTLS` setting to the mesh config entry and the `MutualTLSMode` setting to proxy-defaults and service-defaults. [[GH-17035](https://github.com/hashicorp/consul/issues/17035)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"* cli: Add `-filter` option to `consul config list` for filtering config entries. [[GH-17183](https://github.com/hashicorp/consul/issues/17183)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"audit-logging: **(Enterprise only)** limit `v1/operator/audit-hash` endpoint to ACL token with `operator:read` privileges.","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"cli: (Enterprise only) Add a new `consul operator audit hash` command to retrieve and compare the hash of the data used by the audit log hash function and salt.","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"cli: Adds new command - `consul services export` - for exporting a service to a peer or partition [[GH-15654](https://github.com/hashicorp/consul/issues/15654)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"connect: **(Consul Enterprise only)** Implement order-by-locality failover.","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"mesh: Support configuring JWT authentication in Envoy. [[GH-17452](https://github.com/hashicorp/consul/issues/17452)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"server: **(Enterprise Only)** added server side RPC requests IP based read/write rate-limiter. [[GH-4633](https://github.com/hashicorp/consul/issues/4633)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"server: **(Enterprise Only)** allow automatic license utilization reporting. [[GH-5102](https://github.com/hashicorp/consul/issues/5102)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"server: added server side RPC requests global read/write rate-limiter. [[GH-16292](https://github.com/hashicorp/consul/issues/16292)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"xds: Add `property-override` built-in Envoy extension that directly patches Envoy resources. [[GH-17487](https://github.com/hashicorp/consul/issues/17487)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"xds: Add a built-in Envoy extension that inserts External Authorization (ext_authz) network and HTTP filters. [[GH-17495](https://github.com/hashicorp/consul/issues/17495)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"xds: Add a built-in Envoy extension that inserts Wasm HTTP filters. [[GH-16877](https://github.com/hashicorp/consul/issues/16877)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"xds: Add a built-in Envoy extension that inserts Wasm network filters. [[GH-17505](https://github.com/hashicorp/consul/issues/17505)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"audit-logging: (Enterprise only) enable error response and request body logging [[GH-5669](https://github.com/hashicorp/consul/issues/5669)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"audit-logging: **(Enterprise only)** enable error response and request body logging","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"ca: automatically set up Vault's auto-tidy setting for tidy_expired_issuers when using Vault as a CA provider. [[GH-17138](https://github.com/hashicorp/consul/issues/17138)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"ca: support Vault agent auto-auth config for Vault CA provider using AliCloud authentication. [[GH-16224](https://github.com/hashicorp/consul/issues/16224)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"ca: support Vault agent auto-auth config for Vault CA provider using AppRole authentication. [[GH-16259](https://github.com/hashicorp/consul/issues/16259)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"breaking","description":"ca: support Vault agent auto-auth config for Vault CA provider using Azure MSI authentication. [[GH-16298](https://github.com/hashicorp/consul/issues/16298)]","migration_hint":null},{"from_version":"1.15.3","to_version":"1.16.0-rc1","change_type":"removed","description":"peering: Removed deprecated backward-compatibility behavior.","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"api","description":"api: Enable setting query options on agent force-leave endpoint. [[GH-15987](https://github.com/hashicorp/consul/issues/15987)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"api","description":"api: The `/v1/health/connect/` and `/v1/health/ingress/` endpoints now immediately return 403 \"Permission Denied\" errors whenever a token with insufficient `service:read` permissions is provided. Prior to this change, the endpoints returned a success code with an empty result list when a token with insufficient permissions was provided. [[GH-17424](https://github.com/hashicorp/consul/issues/17424)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"api","description":"api: (Enterprise only) Add `POST /v1/operator/audit-hash` endpoint to calculate the hash of the data used by the audit log hash function and salt.","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"api","description":"* api: Support filtering for config entries. [[GH-17183](https://github.com/hashicorp/consul/issues/17183)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"behavior","description":"mesh: Add new permissive mTLS mode that allows sidecar proxies to forward incoming traffic unmodified to the application. This adds `AllowEnablingPermissiveMutualTLS` setting to the mesh config entry and the `MutualTLSMode` setting to proxy-defaults and service-defaults. [[GH-17035](https://github.com/hashicorp/consul/issues/17035)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"mesh: Support configuring JWT authentication in Envoy. [[GH-17452](https://github.com/hashicorp/consul/issues/17452)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"server: **(Enterprise Only)** allow automatic license utilization reporting. [[GH-5102](https://github.com/hashicorp/consul/issues/5102)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"server: added server side RPC requests global read/write rate-limiter. [[GH-16292](https://github.com/hashicorp/consul/issues/16292)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"xds: Add `property-override` built-in Envoy extension that directly patches Envoy resources. [[GH-17487](https://github.com/hashicorp/consul/issues/17487)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"xds: Add a built-in Envoy extension that inserts External Authorization (ext_authz) network and HTTP filters. [[GH-17495](https://github.com/hashicorp/consul/issues/17495)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"xds: Add a built-in Envoy extension that inserts Wasm HTTP filters. [[GH-16877](https://github.com/hashicorp/consul/issues/16877)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"xds: Add a built-in Envoy extension that inserts Wasm network filters. [[GH-17505](https://github.com/hashicorp/consul/issues/17505)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"server: **(Enterprise Only)** added server side RPC requests IP based read/write rate-limiter. [[GH-4633](https://github.com/hashicorp/consul/issues/4633)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"Bump Dockerfile base image to `alpine:3.18`. [[GH-17719](https://github.com/hashicorp/consul/issues/17719)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"audit-logging: **(Enterprise only)** limit `v1/operator/audit-hash` endpoint to ACL token with `operator:read` privileges.","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"cli: (Enterprise only) Add a new `consul operator audit hash` command to retrieve and compare the hash of the data used by the audit log hash function and salt.","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"cli: Adds new command - `consul services export` - for exporting a service to a peer or partition [[GH-15654](https://github.com/hashicorp/consul/issues/15654)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"connect: **(Consul Enterprise only)** Implement order-by-locality failover.","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"* cli: Add `-filter` option to `consul config list` for filtering config entries. [[GH-17183](https://github.com/hashicorp/consul/issues/17183)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"audit-logging: **(Enterprise only)** enable error response and request body logging","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"ca: automatically set up Vault's auto-tidy setting for tidy_expired_issuers when using Vault as a CA provider. [[GH-17138](https://github.com/hashicorp/consul/issues/17138)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"ca: support Vault agent auto-auth config for Vault CA provider using AliCloud authentication. [[GH-16224](https://github.com/hashicorp/consul/issues/16224)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"breaking","description":"connect: Consul versions 1.16.0 and 1.16.1 may have issues when a snapshot restore is performed and the servers are hosting xDS streams. When this bug triggers, it will cause Envoy to incorrectly populate upstream endpoints. This bug only impacts agent-less service mesh and should be fixed in Consul 1.16.2 by [GH-18636](https://github.com/hashicorp/consul/pull/18636).","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"removed","description":"agent: remove agent cache dependency from service mesh leaf certificate management [[GH-17075](https://github.com/hashicorp/consul/issues/17075)]","migration_hint":null},{"from_version":"1.15.4","to_version":"1.16.0","change_type":"removed","description":"peering: Removed deprecated backward-compatibility behavior.","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"api","description":"namespaces: adjusts the return type from HTTP list API to return the `api` module representation of a namespace.","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"behavior","description":"agent: add a configurable maximimum age (default: 7 days) to prevent servers re-joining a cluster with stale data [[GH-17171](https://github.com/hashicorp/consul/issues/17171)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"behavior","description":"connect: Fix multiple inefficient behaviors when querying service health. [[GH-17241](https://github.com/hashicorp/consul/issues/17241)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"behavior","description":"acl: **(Enterprise only)** Check permissions in correct partition/namespace when resolving service in non-default partition/namespace","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"behavior","description":"agent: add new metrics to track cpu disk and memory usage for server hosts (defaults to: enabled) [[GH-17038](https://github.com/hashicorp/consul/issues/17038)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"hcp: Add new metrics sink to collect, aggregate and export server metrics to HCP in OTEL format. [[GH-17460](https://github.com/hashicorp/consul/issues/17460)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"Fixes a performance issue in Raft where commit latency can increase by 100x or more when under heavy load. For more details see https://github.com/hashicorp/raft/pull/541. [[GH-17081](https://github.com/hashicorp/consul/issues/17081)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"grpc: ensure grpc resolver correctly uses lan/wan addresses on servers [[GH-17270](https://github.com/hashicorp/consul/issues/17270)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"envoy: add `MaxEjectionPercent` and `BaseEjectionTime` to passive health check configs. [[GH-15979](https://github.com/hashicorp/consul/issues/15979)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"gateways: Fix an bug where targeting a virtual service defined by a service-resolver was broken for HTTPRoutes. [[GH-17055](https://github.com/hashicorp/consul/issues/17055)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"acls: Fix ACL bug that can result in sidecar proxies having incorrect endpoints.","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"acl: Fix an issue where the anonymous token was synthesized in non-primary datacenters which could cause permission errors when federating clusters with ACL replication enabled. [[GH-17231](https://github.com/hashicorp/consul/issues/17231)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"connect: update supported envoy versions to 1.22.11, 1.23.8, 1.24.6, 1.25.4 [[GH-16889](https://github.com/hashicorp/consul/issues/16889)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"Fix an bug where decoding some Config structs with unset pointer fields could fail with `reflect: call of reflect.Value.Type on zero Value`. [[GH-17048](https://github.com/hashicorp/consul/issues/17048)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"logging: change snapshot log header from `agent.server.snapshot` to `agent.server.raft.snapshot` [[GH-17236](https://github.com/hashicorp/consul/issues/17236)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"peering: gRPC queries for TrustBundleList, TrustBundleRead, PeeringList, and PeeringRead now support blocking semantics,","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"hcp: Add support for linking existing Consul clusters to HCP management plane. [[GH-16916](https://github.com/hashicorp/consul/issues/16916)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"extensions: The Lua extension now targets local proxy listeners for the configured service's upstreams, rather than remote downstream listeners for the configured service, when ListenerType is set to outbound in extension configuration. See [CVE-2023-2816](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2816) changelog entry for more details. [[GH-17415](https://github.com/hashicorp/consul/issues/17415)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"Update to UBI base image to 9.2. [[GH-17513](https://github.com/hashicorp/consul/issues/17513)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"Upgrade golang.org/x/net to address [CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) [[GH-16754](https://github.com/hashicorp/consul/issues/16754)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"Upgrade to use Go 1.20.4.","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"breaking","description":"extensions: Disable remote downstream proxy patching by Envoy Extensions other than AWS Lambda. Previously, an operator with service:write ACL permissions for an upstream service could modify Envoy proxy config for downstream services without equivalent permissions for those services. This issue only impacts the Lua extension. [[CVE-2023-2816](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2816)] [[GH-17415](https://github.com/hashicorp/consul/issues/17415)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"removed","description":"raft: Remove expensive reflection from raft/mesh hot path [[GH-16552](https://github.com/hashicorp/consul/issues/16552)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"removed","description":"peering: allow re-establishing terminated peering from new token without deleting existing peering first. [[GH-16776](https://github.com/hashicorp/consul/issues/16776)]","migration_hint":null},{"from_version":"1.14.7","to_version":"1.15.3","change_type":"removed","description":"xds: rename envoy_hcp_metrics_bind_socket_dir to envoy_telemetry_collector_bind_socket_dir to remove HCP naming references. [[GH-17327](https://github.com/hashicorp/consul/issues/17327)]","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"behavior","description":"mesh: **(Enterprise Only)** Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"mesh: **(Enterprise Only)** Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"mesh: **(Enterprise Only)** Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"Upgrade Go to use 1.22.7. This addresses CVE","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"xds: configures Envoy to load balance over all instances of an external service configured with hostnames when \"envoy_dns_discovery_type\" is set to \"STRICT_DNS\" [[GH-21655](https://github.com/hashicorp/consul/issues/21655)]","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"breaking","description":"security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]","migration_hint":null},{"from_version":"1.15.14","to_version":"1.15.15","change_type":"removed","description":"UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"api","description":"**API Gateway (Beta)** This version adds support for API gateway on VMs. API gateway provides a highly-configurable ingress for requests coming into a Consul network. For more information, refer to the [API gateway](https://developer.hashicorp.com/consul/docs/connect/gateways/api-gateway) documentation. [[GH-16369](https://github.com/hashicorp/consul/issues/16369)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"behavior","description":"connect: adds support for Envoy [access logging](https://developer.hashicorp.com/consul/docs/connect/observability/access-logs). Access logging can be enabled using the [`proxy-defaults`](https://developer.hashicorp.com/consul/docs/connect/config-entries/proxy-defaults#accesslogs) config entry. [[GH-15864](https://github.com/hashicorp/consul/issues/15864)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"behavior","description":"extensions: Refactor Lambda integration to get configured with the Envoy extensions field on service-defaults configuration entries. [[GH-15817](https://github.com/hashicorp/consul/issues/15817)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"behavior","description":"connect: Add `peer` field to service-defaults upstream overrides. The addition of this field makes it possible to apply upstream overrides only to peer services. Prior to this change, overrides would be applied based on matching the `namespace` and `name` fields only, which means users could not have different configuration for local versus peer services. With this change, peer upstreams are only affected if the `peer` field matches the destination peer name. [[GH-15956](https://github.com/hashicorp/consul/issues/15956)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"New error format: \"Supplied token does not exist\" [[GH-16105](https://github.com/hashicorp/consul/issues/16105)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"command: Adds the `operator usage instances` subcommand for displaying total services, connect service instances and billable service instances in the local datacenter or globally. [[GH-16205](https://github.com/hashicorp/consul/issues/16205)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"connect: for early awareness of Envoy incompatibilities, when using the `consul connect envoy` command the Envoy version will now be checked for compatibility. If incompatible Consul will error and exit. [[GH-15818](https://github.com/hashicorp/consul/issues/15818)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"connect: A race condition can cause some service instances to lose their ability to communicate in the mesh after 72 hours (LeafCertTTL) due to a problem with leaf certificate rotation. This bug is fixed in Consul v1.15.2 by [GH-16818](https://github.com/hashicorp/consul/issues/16818).","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"New error formats: \"Requested * does not exist: ACL not found\", \"* not found in namespace $NAMESPACE: ACL not found\"","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"New error format: \"Supplied token does not exist\"","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"Upgrade to use Go 1.20.1.","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"xds: Insert originator service identity into Envoy's dynamic metadata under the `consul` namespace. [[GH-15906](https://github.com/hashicorp/consul/issues/15906)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"xds: Add a built-in Envoy extension that inserts Lua HTTP filters. [[GH-15906](https://github.com/hashicorp/consul/issues/15906)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"acl: Add new `acl.tokens.config_file_registration` config field which specifies the token used","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"acl: anonymous token is logged as 'anonymous token' instead of its accessor ID [[GH-15884](https://github.com/hashicorp/consul/issues/15884)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"cli: adds new CLI commands `consul troubleshoot upstreams` and `consul troubleshoot proxy` to troubleshoot Consul's service mesh configuration and network issues. [[GH-16284](https://github.com/hashicorp/consul/issues/16284)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"config-entry(ingress-gateway): support outlier detection (passive health check) for upstream cluster [[GH-15614](https://github.com/hashicorp/consul/issues/15614)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"connect: Consul will now error and exit when using the `consul connect envoy` command if the Envoy version is incompatible. To ignore this check use flag `--ignore-envoy-compatibility` [[GH-15818](https://github.com/hashicorp/consul/issues/15818)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"breaking","description":"ingress-gateway: upstream cluster will have empty outlier_detection if passive health check is unspecified [[GH-15614](https://github.com/hashicorp/consul/issues/15614)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"deprecated","description":"config: Deprecate `-join`, `-join-wan`, `start_join`, and `start_join_wan`.","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"removed","description":"xds: Remove the `connect.enable_serverless_plugin` agent configuration option. Now","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"removed","description":"acl: remove all acl migration functionality and references to the legacy acl system. [[GH-15947](https://github.com/hashicorp/consul/issues/15947)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"removed","description":"acl: remove all functionality and references for legacy acl policies. [[GH-15922](https://github.com/hashicorp/consul/issues/15922)]","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"removed","description":"New error format: \"Cannot find * to delete\"","migration_hint":null},{"from_version":"1.14.4","to_version":"1.15.0","change_type":"removed","description":"acl errors: Delete and get requests now return descriptive errors when the specified resource cannot be found. Other ACL request errors provide more information about when a resource is missing. Add error for when the ACL system has not been bootstrapped.","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"api","description":"partition: **(Consul Enterprise only)** when loading service from on-disk config file or sending API request to agent endpoint,","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"behavior","description":"connect: Fix configuration merging for transparent proxy upstreams. Proxy-defaults and service-defaults config entries were not correctly merged for implicit upstreams in transparent proxy mode and would result in some configuration not being applied. To avoid issues when upgrading, ensure that any proxy-defaults or service-defaults have correct configuration for upstreams, since all fields will now be properly used to configure proxies. [[GH-16000](https://github.com/hashicorp/consul/issues/16000)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"behavior","description":"connect: **(Consul Enterprise only)** Fix issue where upstream configuration from proxy-defaults and service-defaults was not properly merged. This could occur when a mixture of empty-strings and \"default\" were used for the namespace or partition fields.","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"deps: update to latest go-discover to provide ECS auto-discover capabilities. [[GH-13782](https://github.com/hashicorp/consul/issues/13782)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"connect: Fix issue where service-resolver protocol checks incorrectly errored for failover peer targets. [[GH-15833](https://github.com/hashicorp/consul/issues/15833)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"cli: Fix issue where `consul connect envoy` was unable to configure TLS over unix-sockets to gRPC. [[GH-15913](https://github.com/hashicorp/consul/issues/15913)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"agent: Fix issue where the agent cache would incorrectly mark protobuf objects as updated. [[GH-15866](https://github.com/hashicorp/consul/issues/15866)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"agent: Fix assignment of error when auto-reloading cert and key file changes. [[GH-15769](https://github.com/hashicorp/consul/issues/15769)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"connect: add flags `envoy-ready-bind-port` and `envoy-ready-bind-address` to the `consul connect envoy` command that allows configuration of readiness probe on proxy for any service kind. [[GH-16015](https://github.com/hashicorp/consul/issues/16015)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"peering: Newly created peering connections must use only lowercase characters in the `name` field. Existing peerings with uppercase characters will not be modified, but they may encounter issues in various circumstances. To maintain forward compatibility and avoid issues, it is recommended to destroy and re-create any invalid peering connections so that they do not have a name containing uppercase characters. [[GH-15697](https://github.com/hashicorp/consul/issues/15697)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers. [[GH-15701](https://github.com/hashicorp/consul/issues/15701)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"connect: Add support for ConsulResolver to specifies a filter expression [[GH-15659](https://github.com/hashicorp/consul/issues/15659)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"acl: relax permissions on the `WatchServers`, `WatchRoots` and `GetSupportedDataplaneFeatures` gRPC endpoints to accept *any* valid ACL token [[GH-15346](https://github.com/hashicorp/consul/issues/15346)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"xds: fix bug where sessions for locally-managed services could fail with \"this server has too many xDS streams open\" [[GH-15789](https://github.com/hashicorp/consul/issues/15789)]","migration_hint":null},{"from_version":"1.13.6","to_version":"1.14.4","change_type":"breaking","description":"connect: Fix issue where watches on upstream failover peer targets did not always query the correct data. [[GH-15865](https://github.com/hashicorp/consul/issues/15865)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"api","description":"cli: `consul connect envoy` incorrectly enables TLS for gRPC connections when the HTTP API is TLS-enabled.","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"api","description":"http: Add new `get-or-empty` operation to the txn api. Refer to the [API docs](https://developer.hashicorp.com/api-docs/txn#kv-operations) for more information. [[GH-14474](https://github.com/hashicorp/consul/issues/14474)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"behavior","description":"config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 [[GH-15302](https://github.com/hashicorp/consul/issues/15302)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"behavior","description":"config: update 1.14 config defaults: Enable `peering` and `connect` by default. [[GH-15302](https://github.com/hashicorp/consul/issues/15302)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"ui: Detect a TokenSecretID cookie and passthrough to localStorage [[GH-14495](https://github.com/hashicorp/consul/issues/14495)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"cli: Add `-consul-dns-port` flag to the `consul connect redirect-traffic` command to allow forwarding DNS traffic to a specific Consul DNS port. [[GH-15050](https://github.com/hashicorp/consul/issues/15050)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints [CVE-2022-3920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3920) [[GH-15356](https://github.com/hashicorp/consul/issues/15356)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"DNS-proxy support via gRPC request. [[GH-14811](https://github.com/hashicorp/consul/issues/14811)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"cli: Add -node-name flag to redirect-traffic command to support running in environments without client agents. [[GH-14933](https://github.com/hashicorp/consul/issues/14933)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"xds: Convert service mesh failover to use Envoy's aggregate clusters. This","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"connect: Add Envoy connection balancing configuration fields. [[GH-14616](https://github.com/hashicorp/consul/issues/14616)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"grpc: Added metrics for external gRPC server. Added `server_type=internal|external` label to gRPC metrics. [[GH-14922](https://github.com/hashicorp/consul/issues/14922)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"peering: Add mesh gateway local mode support for cluster peering. [[GH-14817](https://github.com/hashicorp/consul/issues/14817)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"peering: Add support for stale queries for trust bundle lookups [[GH-14724](https://github.com/hashicorp/consul/issues/14724)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"peering: Add support to failover to services running on cluster peers. [[GH-14396](https://github.com/hashicorp/consul/issues/14396)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"peering: Add support to redirect to services running on cluster peers with service resolvers. [[GH-14445](https://github.com/hashicorp/consul/issues/14445)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"peering: add support for routine peering control-plane traffic through mesh gateways [[GH-14981](https://github.com/hashicorp/consul/issues/14981)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"sdk: Configure `iptables` to forward DNS traffic to a specific DNS port. [[GH-15050](https://github.com/hashicorp/consul/issues/15050)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"telemetry: emit memberlist size metrics and broadcast queue depth metric. [[GH-14873](https://github.com/hashicorp/consul/issues/14873)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"ui: Added support for central config merging [[GH-14604](https://github.com/hashicorp/consul/issues/14604)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"ui: Create peerings detail page [[GH-14947](https://github.com/hashicorp/consul/issues/14947)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"breaking","description":"config: Add new `ports.grpc_tls` configuration option.","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"removed","description":"peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down. [[GH-14797](https://github.com/hashicorp/consul/issues/14797)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"removed","description":"connect: Removes support for Envoy 1.20 [[GH-15093](https://github.com/hashicorp/consul/issues/15093)]","migration_hint":null},{"from_version":"1.13.3","to_version":"1.14.0","change_type":"renamed","description":"peering: Rename `PeerName` to `Peer` on prepared queries and exported services. [[GH-14854](https://github.com/hashicorp/consul/issues/14854)]","migration_hint":null},{"from_version":"1.16.0-rc1","to_version":"1.13.9","change_type":"api","description":"namespaces: adjusts the return type from HTTP list API to return the `api` module representation of a namespace.","migration_hint":null},{"from_version":"1.16.0-rc1","to_version":"1.13.9","change_type":"behavior","description":"connect: Disable peering by default in connect proxies for Consul 1.13. This change was made to prevent inefficient polling","migration_hint":null},{"from_version":"1.16.0-rc1","to_version":"1.13.9","change_type":"behavior","description":"debug: change default setting of consul debug command. now default duration is 5ms and default log level is 'TRACE' [[GH-17596](https://github.com/hashicorp/consul/issues/17596)]","migration_hint":null},{"from_version":"1.16.0-rc1","to_version":"1.13.9","change_type":"breaking","description":"cache: fix a few minor goroutine leaks in leaf certs and the agent cache [[GH-17636](https://github.com/hashicorp/consul/issues/17636)]","migration_hint":null},{"from_version":"1.16.0-rc1","to_version":"1.13.9","change_type":"breaking","description":"systemd: set service type to notify. [[GH-16845](https://github.com/hashicorp/consul/issues/16845)]","migration_hint":null},{"from_version":"1.16.0-rc1","to_version":"1.13.9","change_type":"breaking","description":"server: **(Enterprise Only)** allow automatic license utilization reporting. [[GH-5102](https://github.com/hashicorp/consul/issues/5102)]","migration_hint":null},{"from_version":"1.16.0-rc1","to_version":"1.13.9","change_type":"breaking","description":"Update to UBI base image to 9.2. [[GH-17513](https://github.com/hashicorp/consul/issues/17513)]","migration_hint":null},{"from_version":"1.16.0-rc1","to_version":"1.13.9","change_type":"breaking","description":"peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership. [[GH-17483](https://github.com/hashicorp/consul/issues/17483)]","migration_hint":null},{"from_version":"1.16.0-rc1","to_version":"1.13.9","change_type":"removed","description":"namespaces: **(Enterprise only)** fixes a bug where namespaces are stuck in a deferred deletion state indefinitely under some conditions.","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"api","description":"api: Fix a breaking change caused by renaming `QueryDatacenterOptions` to","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"api","description":"cli: When launching a sidecar proxy with `consul connect envoy` or `consul connect proxy`, the `-sidecar-for` service ID argument is now treated as case-insensitive. [[GH-14034](https://github.com/hashicorp/consul/issues/14034)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"api","description":"envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. [[GH-14238](https://github.com/hashicorp/consul/issues/14238)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"behavior","description":"service-defaults: Added support for `local_request_timeout_ms` and","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"connect: Fix issue where `auto_config` and `auto_encrypt` could unintentionally enable TLS for gRPC xDS connections. [[GH-14269](https://github.com/hashicorp/consul/issues/14269)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"tls: undo breaking change that prevented setting TLS for gRPC when using config flags available in Consul v1.11. [[GH-14668](https://github.com/hashicorp/consul/issues/14668)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries [[GH-14233](https://github.com/hashicorp/consul/issues/14233)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"connect: Fixed some spurious issues during peering establishment when a follower is dialed [[GH-14119](https://github.com/hashicorp/consul/issues/14119)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring. [[GH-14429](https://github.com/hashicorp/consul/issues/14429)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed. [[GH-14516](https://github.com/hashicorp/consul/issues/14516)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"agent: Fixes an issue where an agent that fails to start due to bad addresses won't clean up any existing listeners [[GH-14081](https://github.com/hashicorp/consul/issues/14081)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ [[GH-14521](https://github.com/hashicorp/consul/issues/14521)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"snapshot agent: **(Enterprise only)** Add support for path-based addressing when using s3 backend.","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"peering: Validate peering tokens for server name conflicts [[GH-14563](https://github.com/hashicorp/consul/issues/14563)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [[GH-14161](https://github.com/hashicorp/consul/issues/14161)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"connect: expose new tracing configuration on envoy [[GH-13998](https://github.com/hashicorp/consul/issues/13998)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"connect: Bump latest Envoy to 1.23.1 in test matrix [[GH-14573](https://github.com/hashicorp/consul/issues/14573)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"connect: Server address changes are streamed to peers [[GH-14285](https://github.com/hashicorp/consul/issues/14285)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"cli: Adds new subcommands for `peering` workflows. Refer to the [CLI docs](https://developer.hashicorp.com/commands/peering) for more information. [[GH-14423](https://github.com/hashicorp/consul/issues/14423)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the `ConnectCA.Sign` endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [[GH-14579](https://github.com/hashicorp/consul/issues/14579)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [[GH-14577](https://github.com/hashicorp/consul/issues/14577)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"breaking","description":"ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the `update` capability on the intermediate PKI's tune mount configuration endpoint, such as `/sys/mounts/connect_inter/tune`. The breaking nature of this change is resolved in 1.13.3. Refer to [upgrade guidance](https://developer.hashicorp.com/docs/upgrading/upgrade-specific#modify-vault-policy-for-vault-ca-provider) for more information.","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"removed","description":"connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster. [[GH-14598](https://github.com/hashicorp/consul/issues/14598)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"removed","description":"envoy: validate name before deleting proxy default configurations. [[GH-14290](https://github.com/hashicorp/consul/issues/14290)]","migration_hint":null},{"from_version":"1.12.5","to_version":"1.13.2","change_type":"removed","description":"peering: Fix issue preventing deletion and recreation of peerings in TERMINATED state. [[GH-14364](https://github.com/hashicorp/consul/issues/14364)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"api","description":"api: `merge-central-config` query parameter support added to some catalog and health endpoints to view a fully resolved service definition (especially when not written into the catalog that way). [[GH-13001](https://github.com/hashicorp/consul/issues/13001)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"api","description":"api: add the ability to specify a path prefix for when consul is behind a reverse proxy or API gateway [[GH-12914](https://github.com/hashicorp/consul/issues/12914)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"api","description":"ca: Leaf certificates can now be obtained via the gRPC API: `Sign` [[GH-12787](https://github.com/hashicorp/consul/issues/12787)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"api","description":"acl: It is now possible to login and logout using the gRPC API [[GH-12935](https://github.com/hashicorp/consul/issues/12935)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"api","description":"**Transparent proxying through terminating gateways** This version adds egress traffic control to destinations outside of Consul's catalog, such as APIs on the public internet. Transparent proxies can dial [destinations defined in service-defaults](https://developer.hashicorp.com/docs/connect/config-entries/service-defaults#destination) and have the traffic routed through terminating gateways. For more information refer to the [terminating gateway](https://developer.hashicorp.com/docs/connect/gateways/terminating-gateway#terminating-gateway-configuration) documentation.","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"api","description":"api: `merge-central-config` query parameter support added to `/catalog/node-services/:node-name` API, to view a fully resolved service definition (especially when not written into the catalog that way). [[GH-13450](https://github.com/hashicorp/consul/issues/13450)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"api","description":"api: `merge-central-config` query parameter support added to `/catalog/node-services/:node-name` API, to view a fully resolved service definition (especially when not written into the catalog that way). [[GH-2046](https://github.com/hashicorp/consul/issues/2046)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"api","description":"grpc: New gRPC endpoint to return envoy bootstrap parameters. [[GH-12825](https://github.com/hashicorp/consul/issues/12825)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"api","description":"grpc: New gRPC endpoint to return envoy bootstrap parameters. [[GH-1717](https://github.com/hashicorp/consul/issues/1717)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"behavior","description":"connect: Adds a new `destination` field to the `service-default` config entry that allows routing egress traffic","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"breaking","description":"config-entry: Exporting a specific service name across all namespace is invalid.","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"breaking","description":"connect: contains an upgrade compatibility issue when restoring snapshots containing service mesh proxy registrations from pre-1.13 versions of Consul [[GH-14107](https://github.com/hashicorp/consul/issues/14107)]. Fixed in 1.13.1 [[GH-14149](https://github.com/hashicorp/consul/issues/14149)]. Refer to [1.13 upgrade guidance](https://developer.hashicorp.com/docs/upgrading/upgrade-specific#all-service-mesh-deployments) for more information.","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"breaking","description":"connect: if a pre-1.13 Consul agent's HTTPS port was not enabled, upgrading to 1.13 may turn on TLS for gRPC communication for Envoy and Consul depending on the agent's TLS configuration. Refer to [1.13 upgrade guidance](https://developer.hashicorp.com/docs/upgrading/upgrade-specific#grpc-tls) for more information.","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"breaking","description":"**Cluster Peering (Beta)** This version adds a new model to federate Consul clusters for both service mesh and traditional service discovery. Cluster peering allows for service interconnectivity with looser coupling than the existing WAN federation. For more information refer to the [cluster peering](https://developer.hashicorp.com/docs/connect/cluster-peering) documentation.","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"breaking","description":"streaming: Added topics for `ingress-gateway`, `mesh`, `service-intentions` and `service-resolver` config entry events. [[GH-13658](https://github.com/hashicorp/consul/issues/13658)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"breaking","description":"server: broadcast the public grpc port using lan serf and update the consul service in the catalog with the same data [[GH-13687](https://github.com/hashicorp/consul/issues/13687)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"breaking","description":"streaming: Added topic that can be used to consume updates about the list of services in a datacenter [[GH-13722](https://github.com/hashicorp/consul/issues/13722)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"breaking","description":"catalog: Add per-node indexes to reduce watchset firing for unrelated nodes and services. [[GH-12399](https://github.com/hashicorp/consul/issues/12399)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"breaking","description":"checks: add UDP health checks.. [[GH-12722](https://github.com/hashicorp/consul/issues/12722)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"breaking","description":"grpc: New gRPC service and endpoint to return the list of supported consul dataplane features [[GH-12695](https://github.com/hashicorp/consul/issues/12695)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"breaking","description":"agent: Added information about build date alongside other version information for Consul. Extended /agent/self endpoint and `consul version` commands","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"removed","description":"cli: A new flag for config delete to delete a config entry in a","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"removed","description":"telemetry: config flag `telemetry { disable_compat_1.9 = (true|false) }` has been removed. Before upgrading you should remove this flag from your config if the flag is being used. [[GH-13532](https://github.com/hashicorp/consul/issues/13532)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"removed","description":"connect: Removes support for Envoy 1.19 [[GH-13807](https://github.com/hashicorp/consul/issues/13807)]","migration_hint":null},{"from_version":"1.12.3","to_version":"1.13.0","change_type":"removed","description":"connect: if using auto-encrypt or auto-config, TLS is required for gRPC communication between Envoy and Consul as of 1.13.0; this TLS for gRPC requirement will be removed in a future 1.13 patch release. Refer to [1.13 upgrade guidance](https://developer.hashicorp.com/docs/upgrading/upgrade-specific#service-mesh-deployments-using-auto-encrypt-or-auto-config) for more information.","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"api","description":"envoy: adds additional Envoy outlier ejection parameters to passive health check configurations. [[GH-14238](https://github.com/hashicorp/consul/issues/14238)]","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"api","description":"cli: When launching a sidecar proxy with `consul connect envoy` or `consul connect proxy`, the `-sidecar-for` service ID argument is now treated as case-insensitive. [[GH-14034](https://github.com/hashicorp/consul/issues/14034)]","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"breaking","description":"connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the `ConnectCA.Sign` endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [[GH-14579](https://github.com/hashicorp/consul/issues/14579)]","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"breaking","description":"rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries [[GH-14233](https://github.com/hashicorp/consul/issues/14233)]","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"breaking","description":"connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring. [[GH-14429](https://github.com/hashicorp/consul/issues/14429)]","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"breaking","description":"snapshot agent: **(Enterprise only)** Add support for path-based addressing when using s3 backend.","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"breaking","description":"ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/ [[GH-14521](https://github.com/hashicorp/consul/issues/14521)]","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"breaking","description":"ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed. [[GH-14516](https://github.com/hashicorp/consul/issues/14516)]","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"breaking","description":"metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [[GH-14161](https://github.com/hashicorp/consul/issues/14161)]","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"breaking","description":"ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the `update` capability on the intermediate PKI's tune mount configuration endpoint, such as `/sys/mounts/connect_inter/tune`. The breaking nature of this change is resolved in 1.12.6. Refer to [upgrade guidance](https://developer.hashicorp.com/docs/upgrading/upgrade-specific#modify-vault-policy-for-vault-ca-provider) for more information.","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"breaking","description":"auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [[GH-14577](https://github.com/hashicorp/consul/issues/14577)]","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"removed","description":"envoy: validate name before deleting proxy default configurations. [[GH-14290](https://github.com/hashicorp/consul/issues/14290)]","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"removed","description":"connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster. [[GH-14598](https://github.com/hashicorp/consul/issues/14598)]","migration_hint":null},{"from_version":"1.11.9","to_version":"1.12.5","change_type":"removed","description":"ui: Removed Overview page from HCP instalations [[GH-14606](https://github.com/hashicorp/consul/issues/14606)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"api","description":"api: add QueryBackend to QueryMeta so an api user can determine if a query was served using which backend (streaming or blocking query). [[GH-12791](https://github.com/hashicorp/consul/issues/12791)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"behavior","description":"server: discovery chains now include a response field named \"Default\" to indicate if they were not constructed from any service-resolver, service-splitter, or service-router config entries [[GH-12511](https://github.com/hashicorp/consul/issues/12511)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"behavior","description":"server: Ensure that service-defaults `Meta` is returned with the response to the `ConfigEntry.ResolveServiceConfig` RPC. [[GH-12529](https://github.com/hashicorp/consul/issues/12529)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"behavior","description":"server: ensure that service-defaults meta is incorporated into the discovery chain response [[GH-12511](https://github.com/hashicorp/consul/issues/12511)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"behavior","description":"agent: bump default min version for connections to TLS 1.2 [[GH-12522](https://github.com/hashicorp/consul/issues/12522)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"tls: it is now possible to configure TLS differently for each of Consul's listeners (i.e. HTTPS, gRPC and the internal multiplexed RPC listener) using the `tls` stanza [[GH-12504](https://github.com/hashicorp/consul/issues/12504)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"config: automatically reload config when a file changes using the `auto-reload-config` CLI flag or `auto_reload_config` config option. [[GH-12329](https://github.com/hashicorp/consul/issues/12329)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"cli: The `token read` command now supports the `-expanded` flag to display detailed role and policy information for the token. [[GH-12670](https://github.com/hashicorp/consul/issues/12670)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"ca: Root certificates can now be consumed from a gRPC streaming endpoint: `WatchRoots` [[GH-12678](https://github.com/hashicorp/consul/issues/12678)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"acl: Added an AWS IAM auth method that allows authenticating to Consul using AWS IAM identities [[GH-12583](https://github.com/hashicorp/consul/issues/12583)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"acl: Add token information to PermissionDeniedErrors [[GH-12567](https://github.com/hashicorp/consul/issues/12567)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"ci: include 'enhancement' entry type in IMPROVEMENTS section of changelog. [[GH-12376](https://github.com/hashicorp/consul/issues/12376)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"agent: add support for specifying TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suites [[GH-12522](https://github.com/hashicorp/consul/issues/12522)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"agent: add additional validation to TLS config [[GH-12522](https://github.com/hashicorp/consul/issues/12522)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"agent: Allow client agents to perform keyring operations [[GH-12442](https://github.com/hashicorp/consul/issues/12442)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"acl: Provide fuller detail in the error messsage when an ACL denies access. [[GH-12470](https://github.com/hashicorp/consul/issues/12470)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"Refactor ACL denied error code and start improving error details [[GH-12308](https://github.com/hashicorp/consul/issues/12308)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry [[GH-12601](https://github.com/hashicorp/consul/issues/12601)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"xds: Add the ability to invoke AWS Lambdas through terminating gateways. [[GH-12681](https://github.com/hashicorp/consul/issues/12681)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"ui: Support connect-native services in the Topology view. [[GH-12098](https://github.com/hashicorp/consul/issues/12098)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"breaking","description":"ui: Added support for AWS IAM Auth Methods [[GH-12786](https://github.com/hashicorp/consul/issues/12786)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"removed","description":"connect: Removes support for Envoy 1.17.4 [[GH-12777](https://github.com/hashicorp/consul/issues/12777)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"removed","description":"sdk: several changes to the testutil configuration structs (removed `ACLMasterToken`, renamed `Master` to `InitialManagement`, and `AgentMaster` to `AgentRecovery`) [[GH-11827](https://github.com/hashicorp/consul/issues/11827)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"removed","description":"telemetry: the disable_compat_1.9 option now defaults to true. 1.9 style `consul.http...` metrics can still be enabled by setting `disable_compat_1.9 = false`. However, we will remove these metrics in 1.13. [[GH-12675](https://github.com/hashicorp/consul/issues/12675)]","migration_hint":null},{"from_version":"1.11.5","to_version":"1.12.0","change_type":"removed","description":"connect: Removes support for Envoy 1.18.6 [[GH-12805](https://github.com/hashicorp/consul/issues/12805)]","migration_hint":null},{"from_version":"1.13.1","to_version":"1.11.9","change_type":"api","description":"cli: When launching a sidecar proxy with `consul connect envoy` or `consul connect proxy`, the `-sidecar-for` service ID argument is now treated as case-insensitive. [[GH-14034](https://github.com/hashicorp/consul/issues/14034)]","migration_hint":null},{"from_version":"1.13.1","to_version":"1.11.9","change_type":"breaking","description":"metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [[GH-14161](https://github.com/hashicorp/consul/issues/14161)]","migration_hint":null},{"from_version":"1.13.1","to_version":"1.11.9","change_type":"breaking","description":"ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed. [[GH-14516](https://github.com/hashicorp/consul/issues/14516)]","migration_hint":null},{"from_version":"1.13.1","to_version":"1.11.9","change_type":"breaking","description":"rpc: Adds a deadline to client RPC calls, so that streams will no longer hang","migration_hint":null},{"from_version":"1.13.1","to_version":"1.11.9","change_type":"breaking","description":"ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the `update` capability on the intermediate PKI's tune mount configuration endpoint, such as `/sys/mounts/connect_inter/tune`. The breaking nature of this change is resolved in 1.11.11. Refer to [upgrade guidance](https://developer.hashicorp.com/docs/upgrading/upgrade-specific#modify-vault-policy-for-vault-ca-provider) for more information.","migration_hint":null},{"from_version":"1.13.1","to_version":"1.11.9","change_type":"breaking","description":"snapshot agent: **(Enterprise only)** Add support for path-based addressing when using s3 backend.","migration_hint":null},{"from_version":"1.13.1","to_version":"1.11.9","change_type":"breaking","description":"connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the `ConnectCA.Sign` endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [[GH-14579](https://github.com/\u001b[Ihashicorp/consul/issues/14579)]","migration_hint":null},{"from_version":"1.13.1","to_version":"1.11.9","change_type":"breaking","description":"auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [[GH-14577](https://github.com/hashicorp/consul/issues/14577)]","migration_hint":null},{"from_version":"1.13.1","to_version":"1.11.9","change_type":"breaking","description":"connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring. [[GH-14429](https://github.com/hashicorp/consul/issues/14429)]","migration_hint":null},{"from_version":"1.13.1","to_version":"1.11.9","change_type":"breaking","description":"rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries [[GH-14233](https://github.com/hashicorp/consul/issues/14233)]","migration_hint":null},{"from_version":"1.13.1","to_version":"1.11.9","change_type":"removed","description":"connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster. [[GH-14598](https://github.com/hashicorp/consul/issues/14598)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"api","description":"api: responses that contain only a partial subset of results, due to filtering by ACL policies, may now include an `X-Consul-Results-Filtered-By-ACLs` header [[GH-11569](https://github.com/hashicorp/consul/issues/11569)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"api","description":"api: Enable setting query options on agent health and maintenance endpoints. [[GH-10691](https://github.com/hashicorp/consul/issues/10691)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"api","description":"ui: Adding support of Consul API Gateway as an external source. [[GH-11371](https://github.com/hashicorp/consul/issues/11371)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"behavior","description":"namespaces: **(Enterprise only)** Creating or editing namespaces that include default ACL policies or ACL roles now requires `acl:write` permission in the default namespace. This change fixes CVE-2021-41805.","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"rpc: authorize raft requests [CVE-2021-37219](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37219) [[GH-10925](https://github.com/hashicorp/consul/issues/10925)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"config: add `dns_config.recursor_strategy` flag to control the order which DNS recursors are queried [[GH-10611](https://github.com/hashicorp/consul/issues/10611)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"config: **(Enterprise Only)** Allow specifying permission mode for audit logs. [[GH-10732](https://github.com/hashicorp/consul/issues/10732)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"ci: Allow configuring graceful stop in testutil. [[GH-10566](https://github.com/hashicorp/consul/issues/10566)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"ci: Upgrade to use Go 1.17.5 [[GH-11799](https://github.com/hashicorp/consul/issues/11799)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"checks: add failures_before_warning setting for interval checks. [[GH-10969](https://github.com/hashicorp/consul/issues/10969)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"agent: add variation of force-leave that exclusively works on the WAN [[GH-11722](https://github.com/hashicorp/consul/issues/11722)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"acl: replication routine to report the last error message. [[GH-10612](https://github.com/hashicorp/consul/issues/10612)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"acls: Show AuthMethodNamespace when reading/listing ACL tokens. [[GH-10598](https://github.com/hashicorp/consul/issues/10598)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"ui: Topology - New views for scenarios where no dependencies exist or ACLs are disabled [[GH-11280](https://github.com/hashicorp/consul/issues/11280)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"ui: Adds visible Consul version information [[GH-11803](https://github.com/hashicorp/consul/issues/11803)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"ui: Adds a copy button to each composite row in tokens list page, if Secret ID returns an actual ID [[GH-10735](https://github.com/hashicorp/consul/issues/10735)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"ui: Add UI support to use Vault as an external source for a service [[GH-10769](https://github.com/hashicorp/consul/issues/10769)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"health-checks: add support for h2c in http2 ping health checks [[GH-10690](https://github.com/hashicorp/consul/issues/10690)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate. [[GH-11449](https://github.com/hashicorp/consul/issues/11449)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"ca: Add a configurable TTL for Connect CA root certificates. The configuration is supported by the Vault and Consul providers. [[GH-11428](https://github.com/hashicorp/consul/issues/11428)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"Admin Partitions (Consul Enterprise only) This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the [Admin Partition](https://developer.hashicorp.com/docs/enterprise/admin-partitions) documentation.","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"breaking","description":"cli: `consul acl set-agent-token master` has been replaced with `consul acl set-agent-token recovery` [[GH-11669](https://github.com/hashicorp/consul/issues/11669)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"removed","description":"acl: The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that nothing is still using the legacy ACL system. See the [Migrate Legacy ACL Tokens Learn Guide](https://learn.hashicorp.com/tutorials/consul/access-control-token-migration) for more information. [[GH-11232](https://github.com/hashicorp/consul/issues/11232)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"removed","description":"cli: Add `-cas` and `-modify-index` flags to the `consul config delete` command to support Check-And-Set (CAS) deletion of config entries [[GH-11419](https://github.com/hashicorp/consul/issues/11419)]","migration_hint":null},{"from_version":"1.10.11","to_version":"1.11.0","change_type":"removed","description":"config: Support Check-And-Set (CAS) deletion of config entries [[GH-11419](https://github.com/hashicorp/consul/issues/11419)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"behavior","description":"connect: Disallow wildcard as name for service-defaults. [[GH-10069](https://github.com/hashicorp/consul/issues/10069)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"cli: Add prefix option to kv import command [[GH-9792](https://github.com/hashicorp/consul/issues/9792)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"xds: emit a labeled gauge of connected xDS streams by version [[GH-10243](https://github.com/hashicorp/consul/issues/10243)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"ui: Transparent Proxy - Service mesh visualization updates [[GH-10002](https://github.com/hashicorp/consul/issues/10002)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"ui: Read-only ACL Auth Methods view [[GH-9617](https://github.com/hashicorp/consul/issues/9617)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"ui: Create a collapsible notices component for the Topology tab [[GH-10270](https://github.com/hashicorp/consul/issues/10270)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"ui: Add Unix Domain Socket support [[GH-10287](https://github.com/hashicorp/consul/issues/10287)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"sdk: Allow excluding inbound and outbound ports, outbound CIDRs, and additional user IDs from traffic redirection in the `iptables` package. [[GH-10134](https://github.com/hashicorp/consul/issues/10134)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"sdk: Add new `iptables` package for applying traffic redirection rules with iptables. [[GH-9910](https://github.com/hashicorp/consul/issues/9910)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"connect: generate upstream service labels for terminating gateway listener stats. [[GH-10404](https://github.com/hashicorp/consul/issues/10404)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled [[GH-9973](https://github.com/hashicorp/consul/issues/9973)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"connect: add support for unix domain sockets addresses for service upstreams and downstreams [[GH-9981](https://github.com/hashicorp/consul/issues/9981)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"connect: Add local_request_timeout_ms to allow configuring the Envoy request timeout on local_app [[GH-9554](https://github.com/hashicorp/consul/issues/9554)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"cli: snapshot inspect command supports JSON output [[GH-9006](https://github.com/hashicorp/consul/issues/9006)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"cli: snapshot inspect command provides KV usage breakdown [[GH-9098](https://github.com/hashicorp/consul/issues/9098)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"cli: Automatically exclude ports from `envoy_prometheus_bind_addr`, `envoy_stats_bind_addr`, and `ListenerPort` from `Expose` config","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"acl: extend the auth-methods list endpoint to include MaxTokenTTL and TokenLocality fields. [[GH-9741](https://github.com/hashicorp/consul/issues/9741)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"cli: Add new `consul connect redirect-traffic` command for applying traffic redirection rules when Transparent Proxy is enabled. [[GH-9910](https://github.com/hashicorp/consul/issues/9910)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"cli: Add additional flags to the `consul connect redirect-traffic` command to allow excluding inbound and outbound ports,","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"checks: add H2 ping health checks. [[GH-8431](https://github.com/hashicorp/consul/issues/8431)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"licensing: **(Enterprise Only)** Consul Enterprise client agents now require a valid non-anonymous ACL token for retrieving their license from the servers. Additionally client agents rely on the value of the `start_join` and `retry_join` configurations for determining the servers to query for the license. Therefore one must be set to use license auto-retrieval. [[GH-10248](https://github.com/hashicorp/consul/issues/10248)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"connect: avoid encoding listener info in ingress and terminating gateway listener stats names. [[GH-10404](https://github.com/hashicorp/consul/issues/10404)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"breaking","description":"xds: exclusively support the Incremental xDS protocol when using xDS v3 [[GH-9855](https://github.com/hashicorp/consul/issues/9855)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"removed","description":"licensing: **(Enterprise Only)** Consul Enterprise has removed support for temporary licensing. All server agents must have a valid license at startup and client agents must have a license at startup or be able to retrieve one from the servers. [[GH-10248](https://github.com/hashicorp/consul/issues/10248)]","migration_hint":null},{"from_version":"1.9.17","to_version":"1.10.0","change_type":"removed","description":"licensing: **(Enterprise Only)** Consul Enterprise 1.10 has removed API driven licensing of servers in favor of license loading via configuration. The `PUT` and `DELETE` methods on the `/v1/operator/license` endpoint will now return 405s, the `consul license put` and `consul license reset` CLI commands have been removed and the `LicensePut` and `LicenseReset` methods in the API client have been altered to always return an error. [[GH-10211](https://github.com/hashicorp/consul/issues/10211)]","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"api","description":"api: Add support for the new Service Meta field in API client [[GH-4045](https://github.com/hashicorp/consul/issues/4045)]","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"api","description":"api: Added support for Prometheus client format in metrics endpoint with `?format=prometheus` (see [docs](https://developer.hashicorp.com/api/agent.html#view-metrics)) [[GH-4014](https://github.com/hashicorp/consul/issues/4014)]","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"behavior","description":"server: Added new configuration options `raft_snapshot_interval` and `raft_snapshot_threshold` to allow operators to  configure how often servers take raft snapshots. The default values for these have been tuned for large and busy clusters with high write load. [[GH-4105](https://github.com/hashicorp/consul/pull/4105/)]","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"breaking","description":"UI: The web UI has been completely redesigned and rebuilt and is in an opt-in beta period.","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"breaking","description":"agent: New Cloud Auto-join provider: Joyent Triton. [[GH-4108](https://github.com/hashicorp/consul/pull/4108)]","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"breaking","description":"agent: (Consul Enterprise) Implemented license management with license propagation within a datacenter.","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"breaking","description":"`enableTagOverride` is no longer valid in service definitions (use `enable_tag_override` instead).","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"breaking","description":"agent: Improve DNS performance on large clusters [[GH-4036](https://github.com/hashicorp/consul/issues/4036)]","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"breaking","description":"agent: `start_join`, `start_join_wan`, `retry_join`, `retry_join_wan` config params now all support go-sockaddr templates [[GH-4102](https://github.com/hashicorp/consul/pull/4102)]","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"breaking","description":"agent: Only call signal.Notify once during agent startup [[PR-4024](https://github.com/hashicorp/consul/pull/4024)]","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"breaking","description":"agent: Add support for the new Service Meta field in agent config [[GH-4045](https://github.com/hashicorp/consul/issues/4045)]","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"breaking","description":"agent: Updated serf library for two bug fixes - allow enough time for leave intents to propagate [[GH-510](https://github.com/hashicorp/serf/pull/510)] and preventing a deadlock [[GH-507](https://github.com/hashicorp/serf/pull/510)]","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"removed","description":"The [deprecated set of metric names](https://developer.hashicorp.com/consul/docs/upgrade-specific.html#metric-names-updated) (beginning with `consul.consul.`) has been removed along with the `enable_deprecated_names` option from the metrics configuration.","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"removed","description":"agent: The following previously deprecated fields and config options have been removed [[GH-4097](https://github.com/hashicorp/consul/pull/4097)]:","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"removed","description":"`CheckID` has been removed from config file check definitions (use `id` instead).","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"removed","description":"`script` has been removed from config file check definitions (use `args` instead).","migration_hint":null},{"from_version":"1.0.8","to_version":"1.1.0","change_type":"removed","description":"agent: When node-level checks (e.g. maintenance mode) were deleted, some watchers currently in between blocking calls may have missed the change in index. See [[GH-3970](https://github.com/hashicorp/consul/pull/3970)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"api","description":"api: Added missing `CheckID` and `Name` fields to API client's `AgentServiceCheck` structure so that IDs and names can be set when registering checks with services. [[GH-3788](https://github.com/hashicorp/consul/issues/3788)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"api","description":"agent: Added agent-side telemetry around Catalog APIs to provide insight on Consul's operation from the user's perspecive. [[GH-3765](https://github.com/hashicorp/consul/issues/3765)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"breaking","description":"ui: Added a URI escape around key/value keys so that it's not possible to create unexpected partial key names when entering characters like `?` inside a key. [[GH-3760](https://github.com/hashicorp/consul/issues/3760)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"breaking","description":"ui: Patched handlebars JS to escape `=` to prevent potential XSS issues. [[GH-3733](https://github.com/hashicorp/consul/issues/3733)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"breaking","description":"agent: Updated Consul's HTTP server to ban all URLs containing non-printable characters (a bad request status will be returned for these cases). This affects some user-facing areas like key/value entry key names which are carried in URLs. [[GH-3762](https://github.com/hashicorp/consul/issues/3762)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"breaking","description":"agent: Added retry-join support for Azure Virtual Machine Scale Sets. [[GH-3824](https://github.com/hashicorp/consul/issues/3824)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"breaking","description":"agent: Added the `NodeID` field back to the /v1/agent/self endpoint's `Config` block. [[GH-3778](https://github.com/hashicorp/consul/issues/3778)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"breaking","description":"agent: Fixed an issue where config file symlinks were not being interpreted correctly. [[GH-3753](https://github.com/hashicorp/consul/issues/3753)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"breaking","description":"agent: Ignore malformed leftover service/check files and warn about them instead of refusing to start. [[GH-1221](https://github.com/hashicorp/consul/issues/1221)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"breaking","description":"agent: Enforce a valid port for the Serf WAN since it can't be disabled. [[GH-3817](https://github.com/hashicorp/consul/issues/3817)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"breaking","description":"agent: Stopped looging messages about zero RTTs when updating network coordinates since they are not harmful to the algorithm. Since we are still trying to find the root cause of these zero measurements, we added new metrics counters so these are still observable. [[GH-3789](https://github.com/hashicorp/consul/issues/3789)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"breaking","description":"server: Fixed a crash when POST-ing an empty body to the /v1/query endpoint. [[GH-3791](https://github.com/hashicorp/consul/issues/3791)]","migration_hint":null},{"from_version":"1.0.2","to_version":"1.0.3","change_type":"removed","description":"server: (Consul Enterprise) Fixed an issue where unhealthy servers were not replaced in a redundancy zone by autopilot (servers previously needed to be removed in order for a replacement to occur).","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"api","description":"**Escaping Behavior Changed for go-discover Configs:** The format for [`-retry-join`](https://developer.hashicorp.com/docs/agent/config/cli-flags#_retry_join) and [`-retry-join-wan`](https://developer.hashicorp.com/docs/agent/config/cli-flags#_retry_join_wan) values that use [go-discover](https://github.com/hashicorp/go-discover) Cloud auto joining has changed. Values in `key=val` sequences must no longer be URL encoded and can be provided as literals as long as they do not contain spaces, backslashes `\\` or double quotes `\"`. If values contain these characters then use double quotes as in `\"some key\"=\"some value\"`. Special characters within a double quoted string can be escaped with a backslash `\\`. [[GH-3417](https://github.com/hashicorp/consul/issues/3417)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"api","description":"**HTTP Verbs are Enforced in Many HTTP APIs:** Many endpoints in the HTTP API that previously took any HTTP verb now check for specific HTTP verbs and enforce them. This may break clients relying on the old behavior. [[GH-3405](https://github.com/hashicorp/consul/issues/3405)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"api","description":"**Config Section of Agent Self Endpoint has Changed:** The /v1/agent/self endpoint's `Config` section has often been in flux as it was directly returning one of Consul's internal data structures. This configuration structure has been moved under `DebugConfig`, and is documents as for debugging use and subject to change, and a small set of elements of `Config` have been maintained and documented. See [Read Configuration](https://developer.hashicorp.com/api/agent.html#read-configuration) endpoint documentation for details. [[GH-3532](https://github.com/hashicorp/consul/issues/3532)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"api","description":"**Config Files Require an Extension:** As part of supporting the [HCL](https://github.com/hashicorp/hcl#syntax) format for Consul's config files, an `.hcl` or `.json` extension is required for all config files loaded by Consul, even when using the [`-config-file`](https://developer.hashicorp.com/docs/agent/config/cli-flags#_config_file) argument to specify a file directly. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"behavior","description":"agent: Improved ACL system for the KV store to support list permissions. This behavior can be opted in. For more information, see the [ACL Guide](https://developer.hashicorp.com/docs/guides/acl.html#list-policy-for-keys). [[GH-3511](https://github.com/hashicorp/consul/issues/3511)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"behavior","description":"**Raft Protocol Now Defaults to 3:** The [`-raft-protocol`](https://developer.hashicorp.com/docs/agent/config/cli-flags#_raft_protocol) default has been changed from 2 to 3, enabling all [Autopilot](https://developer.hashicorp.com/docs/guides/autopilot.html) features by default. Version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version Compatibility](https://developer.hashicorp.com/docs/upgrade-specific.html#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the lastest Raft protocol. See [Manual Recovery Using peers.json](https://developer.hashicorp.com/docs/guides/outage.html#manual-recovery-using-peers-json) for a description of the required format. [[GH-3477](https://github.com/hashicorp/consul/issues/3477)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"agent: Added support to detect public IPv4 and IPv6 addresses on AWS. [[GH-3471](https://github.com/hashicorp/consul/issues/3471)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"**Support for RFC1464 DNS TXT records:** Consul DNS responses now contain the node meta data encoded according to RFC1464 as TXT records. [[GH-3343](https://github.com/hashicorp/consul/issues/3343)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"**Checks Validated On Agent Startup:** Consul agents now validate health check definitions in their configuration and will fail at startup if any checks are invalid. In previous versions of Consul, invalid health checks would get skipped. [[GH-3559](https://github.com/hashicorp/consul/issues/3559)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"**Support for HCL Config Files:** Consul now supports HashiCorp's [HCL](https://github.com/hashicorp/hcl#syntax) format for config files. This is easier to work with than JSON and supports comments. As part of this change, all config files will need to have either an `.hcl` or `.json` extension in order to specify their format. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"**Support for Binding to Multiple Addresses:** Consul now supports binding to multiple addresses for its HTTP, HTTPS, and DNS services. You can provide a space-separated list of addresses to [`-client`](https://developer.hashicorp.com/docs/agent/config/cli-flags#_client) and [`addresses`](https://developer.hashicorp.com/docs/agent/config/config-files.html#addresses) configurations, or specify a [go-sockaddr](https://godoc.org/github.com/hashicorp/go-sockaddr/template) template that resolves to multiple addresses. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"**Sentinel Integration:** (Consul Enterprise) Consul's ACL system integrates with [Sentinel](https://developer.hashicorp.com/docs/guides/sentinel.html) to enable code policies that apply to KV writes.","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"ui: Fixed an XSS issue with Consul's built-in web UI where node names were not being properly escaped. [[GH-3578](https://github.com/hashicorp/consul/issues/3578)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"agent: Added a new `discard_check_output` agent-level configuration option that can be used to trade off write load to the Consul servers vs. visibility of health check output. This is reloadable so it can be toggled without fully restarting the agent. [[GH-3562](https://github.com/hashicorp/consul/issues/3562)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"agent: Added automatic retries to the RPC path, and a brief RPC drain time when servers leave. These changes make Consul more robust during graceful leaves of Consul servers, such as during upgrades, and help shield applications from \"no leader\" errors. These are configured with new [`performance`](https://developer.hashicorp.com/docs/agent/config/config-files.html#performance) options. [[GH-3514](https://github.com/hashicorp/consul/issues/3514)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"agent: Updates miekg/dns library to later version to pick up bug fixes and improvements. [[GH-3547](https://github.com/hashicorp/consul/issues/3547)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"**Unauthorized KV Requests Return 403:** When ACLs are enabled, reading a key with an unauthorized token returns a 403. This previously returned a 404 response.","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"breaking","description":"agent: Improved /v1/operator/raft/configuration endpoint which allows Consul to avoid an extra agent RPC call for the `consul operator raft list-peers` command. [[GH-3449](https://github.com/hashicorp/consul/issues/3449)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"deprecated","description":"**Support for Running Subproccesses Directly Without a Shell:** Consul agent checks and watches now support an `args` configuration which is a list of arguments to run for the subprocess, which runs the subprocess directly without a shell. The old `script` and `handler` configurations are now deprecated (specify a shell explicitly if you require one). A `-shell=false` option is also available on `consul lock`, `consul watch`, and `consul exec` to run the subprocesses associated with those without a shell. [[GH-3509](https://github.com/hashicorp/consul/issues/3509)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"deprecated","description":"**Metric Names Updated:** Metric names no longer start with `consul.consul`. To help with transitioning dashboards and other metric consumers, the field `enable_deprecated_names` has been added to the telemetry section of the config, which will enable metrics with the old naming scheme to be sent alongside the new ones. [[GH-3535](https://github.com/hashicorp/consul/issues/3535)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"removed","description":"**Deprecated `configtest` Command Removed:** The `configtest` command was deprecated and has been superseded by the `validate` command.","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"removed","description":"**`advertise_addrs` Removed:** This configuration option was removed since it was redundant with `advertise_addr` and `advertise_addr_wan` in combination with `ports` and also wrongly stated that you could configure both host and port. [[GH-3516](https://github.com/hashicorp/consul/issues/3516)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"removed","description":"**Undocumented Flags in `validate` Command Removed:** The `validate` command supported the `-config-file` and `-config-dir` command line flags but did not document them. This support has been removed since the flags are not required.","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"removed","description":"**Deprecated Options Have Been Removed:** All of Consul's previously deprecated command line flags and config options have been removed, so these will need to be mapped to their equivalents before upgrading. [[GH-3480](https://github.com/hashicorp/consul/issues/3480)]","migration_hint":null},{"from_version":"0.9.4","to_version":"1.0.0","change_type":"renamed","description":"**`statsite_prefix` Renamed to `metrics_prefix`:** Since the `statsite_prefix` configuration option applied to all telemetry providers, `statsite_prefix` was renamed to [`metrics_prefix`](https://developer.hashicorp.com/docs/agent/config/config-files.html#telemetry-metrics_prefix). Configuration files will need to be updated when upgrading to this version of Consul. [[GH-3498](https://github.com/hashicorp/consul/issues/3498)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"api","description":"api: Added the ability to pass in a `context` as part of the `QueryOptions` during a request. This provides a way to cancel outstanding blocking queries. [[GH-3195](https://github.com/hashicorp/consul/issues/3195)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"api","description":"agent: (Consul Enterprise) Snapshot agent rotation uses S3's pagination API, enabling retaining more than a 100 snapshots.","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"api","description":"api: Changed signature for \"done\" channels on `agent.Monitor()` and `session.RenewPeriodic` methods to make them more compatible with `context`. [[GH-3271](https://github.com/hashicorp/consul/issues/3271)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"api","description":"api: Reworked `context` support in the API client to more closely match the Go standard library, and added context support to write requests in addition to read requests. [GH-3273, GH-2992]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"api","description":"agent: Added a new [`block_endpoints`](https://developer.hashicorp.com/docs/agent/config/config-files.html#block_endpoints) configuration option that allows blocking HTTP API endpoints by prefix. This allows operators to completely disallow access to specific endpoints on a given agent. [[GH-3252](https://github.com/hashicorp/consul/issues/3252)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"behavior","description":"agent: Added `node` read privileges to the `acl_agent_master_token` by default so it can see all nodes, which enables it to be used with operations like `consul members`. [[GH-3113](https://github.com/hashicorp/consul/issues/3113)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"behavior","description":"agent: Added a new [`enable_script_checks`](https://developer.hashicorp.com/docs/agent/config/cli-flags#_enable_script_checks) configuration option that defaults to `false`, meaning that in order to allow an agent to run health checks that execute scripts, this will need to be configured and set to `true`. This provides a safer out-of-the-box configuration for Consul where operators must opt-in to allow script-based health checks. [[GH-3087](https://github.com/hashicorp/consul/issues/3087)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"agent: Fixed an issue where watch plans would take up to 10 minutes to close their connections and give up their file descriptors after reloading Consul. [[GH-3018](https://github.com/hashicorp/consul/issues/3018)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"ui: Since the UI is now bundled with the application we no longer provide a separate UI package for downloading. [[GH-3292](https://github.com/hashicorp/consul/issues/3292)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"cli: Added a new [`consul catalog`](https://developer.hashicorp.com/docs/commands/catalog.html) command for reading datacenters, nodes, and services from the catalog. [[GH-3204](https://github.com/hashicorp/consul/issues/3204)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"server: (Consul Enterprise) Added a new [`consul operator area update`](https://developer.hashicorp.com/docs/commands/operator/area.html#update) command and corresponding HTTP endpoint to allow for transitioning the TLS setting of network areas at runtime. [[GH-3075](https://github.com/hashicorp/consul/issues/3075)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"server: (Consul Enterprise) Added a new `UpgradeVersionTag` field to the Autopilot config to allow for using the migration feature to roll out configuration or cluster changes, without having to upgrade Consul itself.","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"agent: Changed /v1/acl/clone response to 403 (from 404) when trying to clone an ACL that doesn't exist. [[GH-1113](https://github.com/hashicorp/consul/issues/1113)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"agent: Changed the `consul exec` ACL resolution logic to use the `acl_agent_token` if it's available. This lets operators configure an `acl_agent_token` with the required `write` privilieges to the `_rexec` prefix of the KV store without giving this to the `acl_token`, which would expose those privileges to users as well. [[GH-3160](https://github.com/hashicorp/consul/issues/3160)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"agent: Updated memberlist to get latest LAN gossip tuning based on the [Lifeguard paper published by Hashicorp Research](https://www.hashicorp.com/blog/making-gossip-more-robust-with-lifeguard/). [[GH-3287](https://github.com/hashicorp/consul/issues/3287)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"docs: Added a complete end-to-end example of ACL bootstrapping in the [ACL Guide](https://developer.hashicorp.com/docs/guides/acl.html#bootstrapping-acls). [[GH-3248](https://github.com/hashicorp/consul/issues/3248)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"vendor: Updated golang.org/x/sys/unix to support IBM s390 platforms. [[GH-3240](https://github.com/hashicorp/consul/issues/3240)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"agent: rewrote Docker health checks without using the Docker client and its dependencies. [[GH-3270](https://github.com/hashicorp/consul/issues/3270)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"agent: (Consul Enterprise) Fixed an issue with the snapshot agent where it could get stuck trying to obtain the leader lock after an extended server outage.","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"agent: Fixed HTTP health checks to allow them to set the `Host` header correctly on outgoing requests. [[GH-3203](https://github.com/hashicorp/consul/issues/3203)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"agent: Serf snapshots can now auto recover from disk write errors without needing a restart. [[GH-1744](https://github.com/hashicorp/consul/issues/1744)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"agent: Fixed an issue in the Docker client where Docker checks would get EOF errors trying to connect to a volume-mounted Docker socket. [[GH-3254](https://github.com/hashicorp/consul/issues/3254)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"breaking","description":"agent: Fixed a crash when using Azure auto discovery. [[GH-3193](https://github.com/hashicorp/consul/issues/3193)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"removed","description":"agent: Fixed log redacting code to properly remove tokens from log lines with ACL tokens in the URL itself: `/v1/acl/clone/:uuid`, `/v1/acl/destroy/:uuid`, `/v1/acl/info/:uuid`. [[GH-3276](https://github.com/hashicorp/consul/issues/3276)]","migration_hint":null},{"from_version":"0.8.5","to_version":"0.9.0","change_type":"removed","description":"agent: Removed registration of the `consul` service from the agent since it's already handled by the leader. This means that Consul servers no longer need to have an `acl_agent_token` with write access to the `consul` service if ACLs are enabled. [[GH-3248](https://github.com/hashicorp/consul/issues/3248)]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"behavior","description":"agent: The default value of [`-disable-host-node-id`](https://developer.hashicorp.com/docs/agent/config/cli-flags#_disable_host_node_id) has been changed from false to true. This means you need to opt-in to host-based node IDs and by default Consul will generate a random node ID. A high number of users struggled to deploy newer versions of Consul with host-based IDs because of various edge cases of how the host IDs work in Docker, on specially-provisioned machines, etc. so changing this from opt-out to opt-in will ease operations for many Consul users. [[GH-3171](https://github.com/hashicorp/consul/issues/3171)]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"behavior","description":"agent: Parse values given to `?passing` for health endpoints. Previously Consul only checked for the existence of the querystring, not the value. That means using `?passing=false` would actually still include passing values. Consul now parses the value given to passing as a boolean. If no value is provided, the old behavior remains. This may be a breaking change for some users, but the old experience was incorrect and caused enough confusion to warrant changing it. [GH-2212, GH-3136]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"breaking","description":"server: Fixed an issue where the leader could return stale data duing queries as it is starting up. [[GH-2644](https://github.com/hashicorp/consul/issues/2644)]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"breaking","description":"agent: Added a `-disable-keyring-file` option to prevent writing keyring data to disk. [[GH-3145](https://github.com/hashicorp/consul/issues/3145)]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"breaking","description":"agent: Added automatic notify to systemd on Linux after LAN join is complete, which makes it easier to order services that depend on Consul being available. [[GH-2121](https://github.com/hashicorp/consul/issues/2121)]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"breaking","description":"dns: Added support for EDNS(0) size adjustments if set in the request frame. This allows DNS responses via UDP which are larger than the standard 512 bytes max if the requesting client can support it. [GH-1980, GH-3131]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"breaking","description":"server: Added a startup warning for servers when expecting to bootstrap with an even number of nodes. [[GH-1282](https://github.com/hashicorp/consul/issues/1282)]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"breaking","description":"agent: (Consul Enterprise) Added support for non rotating, statically named snapshots for S3 snapshots using the snapshot agent.","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"breaking","description":"agent: Fixed a regression where configuring -1 for the port was no longer disabling the DNS server. [[GH-3135](https://github.com/hashicorp/consul/issues/3135)]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"breaking","description":"agent: Fix `consul leave` shutdown race. When shutting down an agent via the `consul leave` command on the command line the output would be `EOF` instead of `Graceful leave completed` [[GH-2880](https://github.com/hashicorp/consul/issues/2880)]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"breaking","description":"agent: Show a better error message than 'EOF' when attempting to join with the wrong gossip key. [[GH-1013](https://github.com/hashicorp/consul/issues/1013)]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"breaking","description":"agent: Fixed an issue where the `Method` and `Header` features of HTTP health checks were not being applied. [[GH-3178](https://github.com/hashicorp/consul/issues/3178)]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"breaking","description":"agent: Fixed an issue where internally-configured watches were not working because of an incorrect protocol error, and unified internal watch handling during reloads of the Consul agent. [[GH-3177](https://github.com/hashicorp/consul/issues/3177)]","migration_hint":null},{"from_version":"0.8.4","to_version":"0.8.5","change_type":"deprecated","description":"agent: The `http_api_response_headers` config has been moved into a new `http_config` struct, so the old form is still supported but is deprecated. [[GH-3142](https://github.com/hashicorp/consul/issues/3142)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"api","description":"api: HttpClient now defaults to nil in the client config and will be generated if left blank. A NewHttpClient function has been added for creating an HttpClient with a custom Transport or TLS config. [[GH-2922](https://github.com/hashicorp/consul/issues/2922)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"api","description":"agent: Added the datacenter of a node to the catalog, health, and query API endpoints which contain a Node structure. [[GH-2713](https://github.com/hashicorp/consul/issues/2713)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"api","description":"api: Added the ACL replication status endpoint to the Go API client library. [[GH-2947](https://github.com/hashicorp/consul/issues/2947)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"agent: Reduced the timeouts for the `-dev` server mode so that the development server starts up almost instantly. [[GH-2984](https://github.com/hashicorp/consul/issues/2984)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"agent: Added `verify_incoming_rpc` and `verify_incoming_https` options for more granular control over incoming TLS enforcement. [[GH-2974](https://github.com/hashicorp/consul/issues/2974)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"agent: Use bind address as source for outgoing connections. [[GH-2822](https://github.com/hashicorp/consul/issues/2822)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"cli: Added Raft protocol version to output of `operator raft list-peers` command.[[GH-2929](https://github.com/hashicorp/consul/issues/2929)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"ui: Added optional JSON validation when editing KV entries in the web UI. [[GH-2712](https://github.com/hashicorp/consul/issues/2712)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"ui: Updated ACL guide links and made guides open in a new tab. [[GH-3010](https://github.com/hashicorp/consul/issues/3010)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"server: Added a new peers.json format that allows outage recovery when using Raft protocol version 3 and higher. Previously, you'd have to set the Raft protocol version back to 2 in order to manually recover a cluster. See https://developer.hashicorp.com/docs/guides/outage.html#manual-recovery-using-peers-json for more details. [[GH-3003](https://github.com/hashicorp/consul/issues/3003)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"ui: Add and update favicons [[GH-2945](https://github.com/hashicorp/consul/issues/2945)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"agent: Added an error at agent startup time if both `-ui` and `-ui-dir` are configured together. [[GH-2576](https://github.com/hashicorp/consul/issues/2576)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"agent: Added the `ca_path`, `tls_cipher_suites`, and `tls_prefer_server_cipher_suites` options to give more flexibility around configuring TLS. [[GH-2963](https://github.com/hashicorp/consul/issues/2963)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"server: Fixed a panic when the tombstone garbage collector was stopped. [[GH-2087](https://github.com/hashicorp/consul/issues/2087)]","migration_hint":null},{"from_version":"0.8.1","to_version":"0.8.2","change_type":"breaking","description":"server: Fixed a panic in Autopilot that could occur when a node is elected but cannot complete leader establishment and steps back down. [[GH-2980](https://github.com/hashicorp/consul/issues/2980)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"behavior","description":"**Version 8 ACLs Are Now Opt-Out:** The [`acl_enforce_version_8`](https://developer.hashicorp.com/docs/agent/options.html#acl_enforce_version_8) configuration now defaults to `true` to enable [full version 8 ACL support](https://developer.hashicorp.com/docs/internals/acl.html#version_8_acls) by default. If you are upgrading an existing cluster with ACLs enabled, you will need to set this to `false` during the upgrade on **both Consul agents and Consul servers**. Version 8 ACLs were also changed so that [`acl_datacenter`](https://developer.hashicorp.com/docs/agent/options.html#acl_datacenter) must be set on agents in order to enable the agent-side enforcement of ACLs. This makes for a smoother experience in clusters where ACLs aren't enabled at all, but where the agents would have to wait to contact a Consul server before learning that. [[GH-2844](https://github.com/hashicorp/consul/issues/2844)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"behavior","description":"**Remote Exec Is Now Opt-In:** The default for [`disable_remote_exec`](https://developer.hashicorp.com/docs/agent/options.html#disable_remote_exec) was changed to \"true\", so now operators need to opt-in to having agents support running commands remotely via [`consul exec`](/docs/commands/exec.html). [[GH-2854](https://github.com/hashicorp/consul/issues/2854)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"cli: Standardized handling of CLI options for connecting to the Consul agent. This makes sure that the same set of flags and environment variables works in all CLI commands (see https://developer.hashicorp.com/docs/commands/index.html#environment-variables). [[GH-2717](https://github.com/hashicorp/consul/issues/2717)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"cli: Updated go-cleanhttp library for better HTTP connection handling between CLI commands and the Consul agent (tunes reuse settings). [[GH-2735](https://github.com/hashicorp/consul/issues/2735)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"**Raft Protocol Compatibility:** When upgrading to Consul 0.8.0 from a version lower than 0.7.0, users will need to","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"**Autopilot:** A set of features has been added to allow for automatic operator-friendly management of Consul servers. For more information about Autopilot, see the [Autopilot Guide](https://developer.hashicorp.com/docs/guides/autopilot.html).","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"**Server Health Checking:** An internal health check has been added to track the stability of servers. The thresholds of this health check are tunable as part of the [Autopilot configuration](https://developer.hashicorp.com/docs/agent/options.html#autopilot) and the status can be viewed through the [`/v1/operator/autopilot/health`](https://developer.hashicorp.com/docs/agent/http/operator.html#autopilot-health) HTTP endpoint.","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"**New Server Stabilization:** When a new server is added to the cluster, there will be a waiting period where it must be healthy and stable for a certain amount of time before being promoted to a full, voting member. This threshold can be configured using the new [`server_stabilization_time`](https://developer.hashicorp.com/docs/agent/options.html#server_stabilization_time) setting.","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"**Upgrade Orchestration:** (Consul Enterprise) Autopilot will automatically orchestrate an upgrade strategy for Consul servers where it will initially add newer versions of Consul servers as non-voters, wait for a full set of newer versioned servers to be added, and then gradually swap into service as voters and swap out older versioned servers to non-voters. This allows operators to safely bring up new servers, wait for the upgrade to be complete, and then terminate the old servers.","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"**Network Areas:** (Consul Enterprise) A new capability has been added which allows operators to define network areas that join together two Consul datacenters. Unlike Consul's WAN feature, network areas use just the server RPC port for communication, and pairwise relationships can be made between arbitrary datacenters, so not all servers need to be fully connected. This allows for complex topologies among Consul datacenters like hub/spoke and more general trees. See the [Network Areas Guide](https://developer.hashicorp.com/docs/guides/areas.html) for more details.","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"**WAN Soft Fail:** Request routing between servers in the WAN is now more robust by treating Serf failures as advisory but not final. This means that if there are issues between some subset of the servers in the WAN, Consul will still be able to route RPC requests as long as RPCs are actually still working. Prior to WAN Soft Fail, any datacenters having connectivity problems on the WAN would mean that all DCs might potentially stop sending RPCs to those datacenters. [[GH-2801](https://github.com/hashicorp/consul/issues/2801)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"**WAN Join Flooding:** A new routine was added that looks for Consul servers in the LAN and makes sure that they are joined into the WAN as well. This catches up up newly-added servers onto the WAN as soon as they join the LAN, keeping them in sync automatically. [[GH-2801](https://github.com/hashicorp/consul/issues/2801)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"agent: Fixed a missing case where gossip would stop flowing to dead nodes for a short while. [[GH-2722](https://github.com/hashicorp/consul/issues/2722)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"agent: Changed agent to seed Go's random number generator. [[GH-2722](https://github.com/hashicorp/consul/issues/2722)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"agent: Serf snapshots no longer have the executable bit set on the file. [[GH-2722](https://github.com/hashicorp/consul/issues/2722)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"agent: Consul is now built with Go 1.8. [[GH-2752](https://github.com/hashicorp/consul/issues/2752)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"agent: Updated aws-sdk-go version (used for EC2 auto join) for Go 1.8 compatibility. [[GH-2755](https://github.com/hashicorp/consul/issues/2755)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"agent: User-supplied node IDs are now normalized to lower-case. [[GH-2798](https://github.com/hashicorp/consul/issues/2798)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"breaking","description":"agent: Added checks to enforce uniqueness of agent node IDs at cluster join time and when registering with the catalog. [[GH-2832](https://github.com/hashicorp/consul/issues/2832)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"removed","description":"**Validate command:** To provide consistency across our products, the `configtest` command has been deprecated and replaced with the `validate` command (to match Nomad and Terraform). The `configtest` command will be removed in Consul 0.9. [[GH-2732](https://github.com/hashicorp/consul/issues/2732)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"removed","description":"**Dead Server Cleanup:** Dead servers will periodically be cleaned up and removed from the Raft peer set, to prevent them from interfering with the quorum size and leader elections.","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"removed","description":"**Command-Line Interface RPC Deprecation:** The RPC client interface has been removed. All CLI commands that used RPC and the `-rpc-addr` flag to communicate with Consul have been converted to use the HTTP API and the appropriate flags for it, and the `rpc` field has been removed from the port and address binding configs. You will need to remove these fields from your config files and update any scripts that passed a custom `-rpc-addr` to the following commands: `force-leave`, `info`,  `join`, `keyring`, `leave`, `members`, `monitor`, `reload`","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"removed","description":"cli: Added an `-id` flag to the `operator raft remove-peer` command to allow removing a peer by ID. [[GH-2847](https://github.com/hashicorp/consul/issues/2847)]","migration_hint":null},{"from_version":"0.7.5","to_version":"0.8.0","change_type":"removed","description":"cli: The `operator raft` subcommand has had its two modes split into the `list-peers` and `remove-peer` subcommands. The old flags for these will continue to work for backwards compatibility, but will be removed in Consul 0.9.","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"api","description":"api: Trim leading slashes from keys/prefixes when querying KV endpoints to avoid a bug with redirects in Go 1.7 (golang/go#4800). [[GH-2403](https://github.com/hashicorp/consul/issues/2403)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"api","description":"api: All session options can now be set when using `api.Lock()`. [[GH-2372](https://github.com/hashicorp/consul/issues/2372)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"behavior","description":"The default for `max_stale` has been increased to a near-indefinite threshold (10 years) to allow DNS queries to continue to be served in the event of a long outage with no leader. A new telemetry counter has also been added at `consul.dns.stale_queries` to track when agents serve DNS queries that are over a certain staleness (>5 seconds). [[GH-2481](https://github.com/hashicorp/consul/issues/2481)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"agent: Added the ability to bind Serf WAN and LAN to different interfaces than the general bind address. [[GH-2007](https://github.com/hashicorp/consul/issues/2007)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"**Key/Value Store Command Line Interface:** New `consul kv` commands were added for easy access to all basic key/value store operations. [[GH-2360](https://github.com/hashicorp/consul/issues/2360)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"**Snapshot/Restore:** A new /v1/snapshot HTTP endpoint and corresponding set of `consul snapshot` commands were added for easy point-in-time snapshots for disaster recovery. Snapshots include all state managed by Consul's Raft [consensus protocol](/docs/internals/consensus.html), including Key/Value Entries, Service Catalog, Prepared Queries, Sessions, and ACLs. Snapshots can be restored on the fly into a completely fresh cluster. [[GH-2396](https://github.com/hashicorp/consul/issues/2396)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"**AWS auto-discovery:** New `-retry-join-ec2` configuration options added to allow bootstrapping by automatically discovering AWS instances with a given tag key/value at startup. [[GH-2459](https://github.com/hashicorp/consul/issues/2459)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"agent: Added a new `tls_skip_verify` configuration option for HTTP checks. [[GH-1984](https://github.com/hashicorp/consul/issues/1984)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"build: Consul is now built with Go 1.7.3. [[GH-2281](https://github.com/hashicorp/consul/issues/2281)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"agent: Fixed a Go race issue with log buffering at startup. [[GH-2262](https://github.com/hashicorp/consul/issues/2262)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"agent: Fixed a panic during anti-entropy sync for services and checks. [[GH-2125](https://github.com/hashicorp/consul/issues/2125)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"agent: Fixed an issue on Windows where \"wsarecv\" errors were logged when CLI commands accessed the RPC interface. [[GH-2356](https://github.com/hashicorp/consul/issues/2356)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"agent: Syslog initialization will now retry on errors for up to 60 seconds to avoid a race condition at system startup. [[GH-1610](https://github.com/hashicorp/consul/issues/1610)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"agent: Fixed a panic when both -dev and -bootstrap-expect flags were provided. [[GH-2464](https://github.com/hashicorp/consul/issues/2464)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"agent: Added a retry with backoff when a session fails to invalidate after expiring. [[GH-2435](https://github.com/hashicorp/consul/issues/2435)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"agent: Fixed an issue where Consul would fail to start because of leftover malformed check/service state files. [[GH-1221](https://github.com/hashicorp/consul/issues/1221)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"agent: Fixed agent crashes on macOS Sierra by upgrading Go. [GH-2407, GH-2281]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"agent: Log a warning instead of success when attempting to deregister a nonexistent service. [[GH-2492](https://github.com/hashicorp/consul/issues/2492)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"dns: Fixed external services that pointed to consul addresses (CNAME records) not resolving to A-records. [[GH-1228](https://github.com/hashicorp/consul/issues/1228)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"dns: Fixed an issue with SRV lookups where the service address was different from the node's. [[GH-832](https://github.com/hashicorp/consul/issues/832)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"dns: Fixed an issue where truncated records from a recursor query were improperly reported as errors. [[GH-2384](https://github.com/hashicorp/consul/issues/2384)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"server: Fixed the port numbers in the sample JSON inside peers.info. [[GH-2391](https://github.com/hashicorp/consul/issues/2391)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"breaking","description":"server: Squashes ACL datacenter name to lower case and checks for proper formatting at startup. [GH-2059, GH-1778, GH-2478]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"removed","description":"The api package's `PreparedQuery.Delete()` method now takes `WriteOptions` instead of `QueryOptions`. [[GH-2417](https://github.com/hashicorp/consul/issues/2417)]","migration_hint":null},{"from_version":"0.7.0","to_version":"0.7.1","change_type":"removed","description":"Child process reaping support has been removed, along with the `reap` configuration option. Reaping is also done via [dumb-init](https://github.com/Yelp/dumb-init) in the [Consul Docker image](https://github.com/hashicorp/docker-consul), so removing it from Consul itself simplifies the code and eases future maintainence for Consul. If you are running Consul as PID 1 in a container you will need to arrange for a wrapper process to reap child processes. [[GH-1988](https://github.com/hashicorp/consul/issues/1988)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"api","description":"**Prepared Query Near Parameter:** Prepared queries support baking in a new `Near` sorting parameter. This allows results to be sorted by network round trip time based on a static node, or based on the round trip time from the Consul agent where the request originated. This can be used to find a co-located service instance is one is available, with a transparent fallback to the next best alternate instance otherwise. [[GH-2137](https://github.com/hashicorp/consul/issues/2137)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"api","description":"Consul's Go API client will now send ACL tokens using HTTP headers instead of query parameters, requiring Consul 0.6.0 or later. [[GH-2233](https://github.com/hashicorp/consul/issues/2233)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"api","description":"**Transactional Key/Value API:** A new `/v1/txn` API was added that allows for atomic updates to and fetches from multiple entries in the key/value store inside of an atomic transaction. This includes conditional updates based on obtaining locks, and all other key/value store operations. See the [Key/Value Store Endpoint](https://developer.hashicorp.com/docs/agent/http/kv.html#txn) for more details. [[GH-2028](https://github.com/hashicorp/consul/issues/2028)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"behavior","description":"The behavior of the `peers.json` file is different in this version of Consul. This file won't normally be present and is used only during outage recovery. Be sure to read the updated [Outage Recovery Guide](https://developer.hashicorp.com/docs/guides/outage.html) for details. [[GH-2222](https://github.com/hashicorp/consul/issues/2222)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"behavior","description":"The default behavior of `leave_on_terminate` and `skip_leave_on_interrupt` are now dependent on whether or not the agent is acting as a server or client. When Consul is started as a server the defaults for these are `false` and `true`, respectively, which means that you have to explicitly configure a server to leave the cluster. When Consul is started as a client the defaults are the opposite, which means by default, clients will leave the cluster if shutdown or interrupted. [[GH-1909](https://github.com/hashicorp/consul/issues/1909)] [[GH-2320](https://github.com/hashicorp/consul/issues/2320)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"behavior","description":"Consul's default Raft timing is now set to work more reliably on lower-performance servers, which allows small clusters to use lower cost compute at the expense of reduced performance for failed leader detection and leader elections. You will need to configure Consul to get the same performance as before. See the new [Server Performance](https://developer.hashicorp.com/docs/guides/performance.html) guide for more details. [[GH-2303](https://github.com/hashicorp/consul/issues/2303)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"behavior","description":"agent: Defaults bind address to 127.0.0.1 when running in `-dev` mode. [[GH-1878](https://github.com/hashicorp/consul/issues/1878)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"behavior","description":"**Server Connection Rebalancing:** Consul agents will now periodically reconnect to available Consul servers in order to redistribute their RPC query load. Consul clients will, by default, attempt to establish a new connection every 120s to 180s unless the size of the cluster is sufficiently large. The rate at which agents begin to query new servers is proportional to the size of the Consul cluster (servers should never receive more than 64 new connections per second per Consul server as a result of rebalancing). Clusters in stable environments who use `allow_stale` should see a more even distribution of query load across all of their Consul servers. [[GH-1743](https://github.com/hashicorp/consul/issues/1743)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"behavior","description":"The `allow_stale` configuration for DNS queries to the Consul agent now defaults to `true`, allowing for better utilization of available Consul servers and higher throughput at the expense of weaker consistency. This is almost always an acceptable tradeoff for DNS queries, but this can be reconfigured to use the old default behavior if desired. [[GH-2315](https://github.com/hashicorp/consul/issues/2315)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"behavior","description":"New [`translate_wan_addrs`](https://developer.hashicorp.com/docs/agent/options.html#translate_wan_addrs) behavior from [[GH-2118](https://github.com/hashicorp/consul/issues/2118)] translates addresses in HTTP responses and could break clients that are expecting local addresses. A new `X-Consul-Translate-Addresses` header was added to allow clients to detect if translation is enabled for HTTP responses, and a \"lan\" tag was added to `TaggedAddresses` for clients that need the local address regardless of translation. [[GH-2280](https://github.com/hashicorp/consul/issues/2280)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"**Circonus Telemetry Support:** Added support for Circonus as a telemetry destination. [[GH-2193](https://github.com/hashicorp/consul/issues/2193)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"agent: Joins based on a DNS lookup will use TCP and attempt to join with the full list of returned addresses. [[GH-2101](https://github.com/hashicorp/consul/issues/2101)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"Output from HTTP checks is truncated to 4k when stored on the servers, similar to script check output. [[GH-1952](https://github.com/hashicorp/consul/issues/1952)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"The Raft peers information in `consul info` has changed format and includes information about the suffrage of a server, which will be used in future versions of Consul. [[GH-2222](https://github.com/hashicorp/consul/issues/2222)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"agent: Consul will now refuse to start with a helpful message if the same UNIX socket is used for more than one listening endpoint. [[GH-1910](https://github.com/hashicorp/consul/issues/1910)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"agent: Added version information to the log when Consul starts up. [[GH-1404](https://github.com/hashicorp/consul/issues/1404)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"**Native ACL Replication:** Added a built-in full replication capability for ACLs. Non-ACL datacenters can now replicate the complete ACL set locally to their state store and fall back to that if there's an outage. Additionally, this provides a good way to make a backup ACL datacenter, or to migrate the ACL datacenter to a different one. See the [ACL Internals Guide](https://developer.hashicorp.com/docs/internals/acl.html#replication) for more details. [[GH-2237](https://github.com/hashicorp/consul/issues/2237)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"**Serf Lifeguard Updates:** Implemented a new set of feedback controls for the gossip layer that help prevent degraded nodes that can't meet the soft real-time requirements from erroneously causing `serfHealth` flapping in other, healthy nodes. This feature tunes itself automatically and requires no configuration. [[GH-2101](https://github.com/hashicorp/consul/issues/2101)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"**Automatic Service Deregistration:** Added a new `deregister_critical_service_after` timeout field for health checks which will cause the service associated with that check to get deregistered if the check is critical for longer than the timeout. This is useful for cleanup of health checks registered natively by applications, or in other situations where services may not always be cleanly shutdown. [[GH-679](https://github.com/hashicorp/consul/issues/679)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"**WAN Address Translation Everywhere:** Extended the [`translate_wan_addrs`](https://developer.hashicorp.com/docs/agent/options.html#translate_wan_addrs) config option to also translate node addresses in HTTP responses, making it easy to use this feature from non-DNS clients. [[GH-2118](https://github.com/hashicorp/consul/issues/2118)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"**RPC Retries:** Consul will now retry RPC calls that result in \"no leader\" errors for up to 5 seconds. This allows agents to ride out leader elections with a delayed response vs. an error. [[GH-2175](https://github.com/hashicorp/consul/issues/2175)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"breaking","description":"agent: Reap time for failed nodes is now configurable via new `reconnect_timeout` and `reconnect_timeout_wan` config options ([use with caution](https://developer.hashicorp.com/docs/agent/options.html#reconnect_timeout)). [[GH-1935](https://github.com/hashicorp/consul/issues/1935)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"removed","description":"Removed support for protocol version 1, so Consul 0.7 is no longer compatible with Consul versions prior to 0.3. [[GH-2259](https://github.com/hashicorp/consul/issues/2259)]","migration_hint":null},{"from_version":"0.6.4","to_version":"0.7.0","change_type":"removed","description":"agent: Removed an obsolete warning message when Consul starts on Windows. [[GH-1920](https://github.com/hashicorp/consul/issues/1920)]","migration_hint":null}],"total":832,"note":"Curated major-version breaking changes. Always verify against the package's official changelog before migrating.","_cache":"miss"}