v1.22.0

Compare Source

1.22.0 Enterprise (October 24, 2025)

SECURITY:

• connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
• security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
• security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
• security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
• security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

FEATURES:

• Added support to register a service in consul with multiple ports [GH-22769]
• agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
• install: Updated license information displayed during post-install
• ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
• oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

• security: Upgrade golang to 1.25.3. [GH-22926]
• ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
• ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
• ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]
• api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
• cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise
  http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise
  agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
• cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
• command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
• connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
• proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
• ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]
• ui: Replace yarn with pnpm for package management [GH-22790]
• ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [GH-22813]

BUG FIXES:

• ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
• ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
• ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]
• cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

v1.21.5

Compare Source

1.21.5 (September 21, 2025)

SECURITY:

• Migrate transitive dependency from archived mitchellh/mapstructure to go-viper/mapstructure to v2 to address CVE-2025-52893. [GH-22581]
• agent: Add the KV Validations to block path traversal allowing access to unauthorized endpoints. [GH-22682]
• agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [GH-22534]
• agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [GH-22626]
• api: add charset in all applicable content-types. [GH-22598]
• connect: Upgrade envoy version to 1.34.7 [GH-22735]
• security: Fix GHSA-65rg-554r-9j5x (CVE-2024-48908) by upgrading lycheeverse/lychee-action. [GH-22667]
• security: Fix a security vulnerability where the attacker could bypass authentication by passing url params as there was no validation on them. [GH-22612]
• security: perform constant time compare for sensitive values. [GH-22537]
• security: upgrade go version to 1.25.0 [GH-22652]
• security:: (Enterprise only) fix nil pointer dereference.
• security:: (Enterprise only) fix potential race condition in partition CRUD.
• security:: (Enterprise only) perform constant time compare for sensitive values.

FEATURES:

• config: Add new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream [GH-22604]
• config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in API Gateway config and proxy-defaults [GH-22679]
• config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Mesh Gateway via service-defaults and proxy-defaults [GH-22722]
• config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Terminating Gateway service-defaults and proxy-defaults [GH-22680]

IMPROVEMENTS:

• cli: add troubleshoot ports in debug command. A ports.json file is created, which lists the open or closed ports on the host where the command is executed. [GH-22624]

BUG FIXES:

• agent: Don't show admin partition during errors [GH-11154]

v1.21.4

Compare Source

1.21.4 (August 13, 2025)

SECURITY:

• security: Update Go to 1.23.12 to address CVE-2025-47906 [GH-22547]

IMPROVEMENTS:

• ui: Replaced internal code editor with HDS (HashiCorp Design System) code editor and code block components for improved accessibility and maintainability across the Consul UI. [GH-22513]

BUG FIXES:

• cli: capture pprof when ACL is enabled and a token with operator:read is used, even if enable_debug config is not explicitly set. [GH-22552]

v1.21.3

Compare Source

1.21.3 (July 18, 2025)

IMPROVEMENTS:

• ui: Improved display and handling of IPv6 addresses for better readability and usability in the Consul web interface. [GH-22468]

BUG FIXES:

• cli: validate IP address in service registration to prevent invalid IPs in service and tagged addresses. [GH-22467]
• ui: display IPv6 addresses with proper bracketed formatting [GH-22423]

v1.21.2

Compare Source

1.21.2 (June 17, 2025)

SECURITY:

• security: Upgrade UBI base image version to address CVE
  CVE-2025-4802
  CVE-2024-40896
  CVE-2024-12243
  CVE-2025-24528
  CVE-2025-3277
  CVE-2024-12133
  CVE-2024-57970
  CVE-2025-31115 [GH-22409]
• cli: update tls ca and cert create to reduce excessive file perms for generated public files [GH-22286]
• connect: Added non default namespace and partition checks to ConnectCA CSR requests. [GH-22376]
• security: Upgrade Go to 1.23.10. [GH-22412]

IMPROVEMENTS:

• config: Warn about invalid characters in datacenter resulting in non-generation of X.509 certificates when using external CA for agent TLS communication. [GH-22382]
• connect: Use net.JoinHostPort for host:port formatting to handle IPv6. [GH-22359]

BUG FIXES:

• http: return a clear error when both Service.Service and Service.ID are missing during catalog registration [GH-22381]
• license: (Enterprise only) Fixed issue where usage metrics are not written to the snapshot to export the license data. [GH-10668]
• wan-federation: Fixed an issue where advertised IPv6 addresses were causing WAN federation to fail. [GH-22226]

v1.21.1

Compare Source

1.21.1 (May 21, 2025)

FEATURES:

• xds: Extend LUA Script support for API Gateway [GH-22321]
• xds: Added a configurable option to disable XDS session load balancing, intended for scenarios where an external load balancer is used in front of Consul servers, making internal load balancing unnecessary.

IMPROVEMENTS:

• http: Add peer query param on catalog service API [GH-22189]

v1.21.0

Compare Source

1.21.0 (May 06, 2025)

FEATURES:

• Simplified external service discovery (Agentless/Gossipless)
• Google Cloud Storage support for K8s snapshots
• OpenShift 4.17 support
• Pod Security Admissions compatibility
• Refreshed documentation structure
• Support for TLS SNI in remote JSONWebKeySet [GH-22177]

🔗 Link to full release details

IMPROVEMENTS:

• raft: add a configuration raft_prevote_disabled to allow disabling raft prevote [GH-21758]
• raft: update raft library to 1.7.0 which include pre-vote extension [GH-21758]
• SubMatView: Log level change from ERROR to INFO for subject materialized view as subscription creation is retryable on ACL change. [GH-22141]
• ui: Adds a copyable token accessor/secret on the settings page when signed in [GH-22105]
• xDS: Log level change from ERROR to INFO for xDS delta discovery request. Stream can be cancelled on server shutdown and other scenarios. It is retryable and error is a superfluous log. [GH-22141]

v1.20.0

Compare Source

1.20.0 (October 14, 2024)

SECURITY:

• Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [GH-21704]
• Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [GH-21711]
• UI: Remove codemirror linting due to package dependency [GH-21726]
• Upgrade Go to use 1.22.7. This addresses CVE
  CVE-2024-34155 [GH-21705]
• Upgrade to support aws/aws-sdk-go v1.55.5 or higher. This resolves CVEs
  CVE-2020-8911 and
  CVE-2020-8912. [GH-21684]
• ui: Pin a newer resolution of Braces [GH-21710]
• ui: Pin a newer resolution of Codemirror [GH-21715]
• ui: Pin a newer resolution of Markdown-it [GH-21717]
• ui: Pin a newer resolution of ansi-html [GH-21735]

FEATURES:

• grafana: added the dashboards service-to-service dashboard, service dashboard, and consul dataplane dashboard [GH-21806]
• server: remove v2 tenancy, catalog, and mesh experiments [GH-21592]

IMPROVEMENTS:

• security: upgrade ubi base image to 9.4 [GH-21750]
• connect: Add Envoy 1.31 and 1.30 to support matrix [GH-21616]

BUG FIXES:

• jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [GH-21703]

v1.19.2

Compare Source

1.19.2 (August 26, 2024)

SECURITY:

• ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0 [GH-21588]

IMPROVEMENTS:

• Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [GH-21587]

BUG FIXES:

• api-gateway: (Enterprise only) ensure clusters are properly created for JWT providers with a remote URI for the JWKS endpoint [GH-21604]

v1.19.1

Compare Source

1.19.1 (July 11, 2024)

SECURITY:

• Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve CVE-2024-39305 [GH-21524]
• Upgrade go version to 1.22.5 to address CVE-2024-24791 [GH-21507]
• Upgrade go-retryablehttp to address CVE-2024-6104 [GH-21384]
• agent: removed reflected cross-site scripting vulnerability [GH-21342]
• ui: Pin and namespace sub-module dependencies related to the Consul UI [GH-21378]

IMPROVEMENTS:

• mesh: update supported envoy version 1.29.5 in addition to 1.28.4, 1.27.6. [GH-21277]

BUG FIXES:

• core: Fix multiple incorrect type conversion for potential overflows [GH-21251]
• core: Fix panic runtime error on AliasCheck [GH-21339]
• dns: Fix a regression where DNS SRV questions were returning duplicate hostnames instead of encoded IPs.
  This affected Nomad integrations with Consul. [GH-21361]
• dns: Fix a regression where DNS tags using the standard lookup syntax, tag.name.service.consul, were being disregarded. [GH-21361]
• dns: Fixes a spam log message "Failed to parse TTL for prepared query..."
  that was always being logged on each prepared query evaluation. [GH-21381]
• terminating-gateway: (Enterprise Only) Fixed issue where enterprise metadata applied to linked services was the terminating-gateways enterprise metadata and not the linked services enterprise metadata. [GH-21382]
• txn: Fix a bug where mismatched Consul server versions could result in undetected data loss for when using newer Transaction verbs. [GH-21519]

v1.19.0

Compare Source

1.19.0 (June 12, 2024)

BREAKING CHANGES:

• telemetry: State store usage metrics with a double consul element in the metric name have been removed. Please use the same metric without the second consul instead. As an example instead of consul.consul.state.config_entries use consul.state.config_entries [GH-20674]

SECURITY:

• Upgrade to support Envoy 1.27.5 and 1.28.3. This resolves CVE
  CVE-2024-32475 (auto_sni). [GH-21017]
• Upgrade to support k8s.io/apimachinery v0.18.7 or higher. This resolves CVE
  CVE-2020-8559. [GH-21017]

FEATURES:

• dns: queries now default to a refactored DNS server that is v1 and v2 Catalog compatible.
  Use v1dns in the experiments agent config to disable.
  The legacy server will be removed in a future release of Consul.
  See the Consul 1.19.x Release Notes for removed DNS features. [GH-20715]
• gateways: api-gateway can leverage listener TLS certificates available on the gateway's local filesystem by specifying the public certificate and private key path in the new file-system-certificate configuration entry [GH-20873]

IMPROVEMENTS:

• dns: new version was not supporting partition or namespace being set to 'default' in CE version. [GH-21230]
• mesh: update supported envoy version 1.29.4 in addition to 1.28.3, 1.27.5, 1.26.8. [GH-21142]
• upgrade go version to v1.22.4. [GH-21265]
• Upgrade github.com/envoyproxy/go-control-plane to 0.12.0. [GH-20973]
• dns: DNS-over-grpc when using consul-dataplane now accepts partition, namespace, token as metadata to default those query parameters.
  consul-dataplane v1.5+ will send this information automatically. [GH-20899]
• snapshot: Add consul snapshot decode CLI command to output a JSON object stream of all the snapshots data. [GH-20824]
• telemetry: Add telemetry.disable_per_tenancy_usage_metrics in agent configuration to disable setting tenancy labels on usage metrics. This significantly decreases CPU utilization in clusters with many admin partitions or namespaces.
• telemetry: Improved the performance usage metrics emission by not outputting redundant metrics. [GH-20674]

DEPRECATIONS:

• snapshot agent: (Enterprise only) Top level single snapshot destinations local_storage, aws_storage, azure_blob_storage, and google_storage in snapshot agent configuration files are now deprecated. Use the backup_destinations config object instead.

BUG FIXES:

• docs: Consul DNS Forwarding configuration for OpenShift update for Resolve Consul DNS Requests in Kubernetes [GH-20439]
• hcp: fix error logs when failing to push metrics [GH-20514]
• streaming: Handle ACL errors consistently when blocking query timeout is reached. [GH-20876]

v1.18.2

Compare Source

1.18.2 (May 14, 2024)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

• Bump Dockerfile base image to alpine:3.19. [GH-20897]
• Update vault/api to v1.12.2 to address CVE-2024-28180
  (removes indirect dependency on impacted go-jose.v2) [GH-20910]
• Upgrade Go to use 1.21.10. This addresses CVEs
  CVE-2024-24787 and
  CVE-2024-24788 [GH-21074]
• Upgrade to support Envoy 1.26.8, 1.27.4, 1.27.5, 1.28.2 and 1.28.3. This resolves CVEs
  CVE-2024-27919 (http2). [GH-20956] and CVE-2024-32475 (auto_sni). [GH-21030]
• Upgrade to support k8s.io/apimachinery v0.18.7 or higher. This resolves CVE
  CVE-2020-8559. [GH-21034]
• Upgrade to use Go 1.21.9. This resolves CVE
  CVE-2023-45288 (http2). [GH-20956]
• Upgrade to use golang.org/x/net v0.24.0. This resolves CVE
  CVE-2023-45288 (x/net). [GH-20956]

IMPROVEMENTS:

• gateways: service defaults configuration entries can now be used to set default upstream limits for mesh-gateways [GH-20945]
• connect: Add ability to disable Auto Host Header Rewrite on Terminating Gateway at the service level [GH-20802]

BUG FIXES:

• dns: fix a bug with sameness group queries in DNS where responses did not respect DefaultForFailover.
  DNS requests against sameness groups without this field set will now error as intended.
• error running consul server in 1.18.0: failed to configure SCADA provider user's home directory path: $HOME is not defined [GH-20926]
• server: fix Ent snapshot restore on CE when CE downgrade is enabled [GH-20977]
• xds: Make TCP external service registered with terminating gateway reachable from peered cluster [GH-19881]

v1.18.1

Compare Source

1.18.1 (March 26, 2024)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

BREAKING CHANGES:

• ui: Adds a "Link to HCP Consul Central" modal with integration to side-nav and link to HCP banner. There will be an option to disable the Link to HCP banner from the UI in a follow-up release. [GH-20474]

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-20801]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426 [GH-20812]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-20812]

IMPROVEMENTS:

• api: Randomize the returned server list for the WatchServers gRPC endpoint. [GH-20866]
• partitions: (Enterprise only) Allow disabling of Gossip per Partition [GH-20669]
• snapshot agent: (Enterprise only) Add support for multiple snapshot destinations using the backup_destinations config file object.
• xds: Improved the performance of xDS server side load balancing. Its slightly improved in Consul CE with drastic CPU usage reductions in Consul Enterprise. [GH-20672]

BUG FIXES:

• audit-logs: (Enterprise Only) Fixes non ASCII characters in audit logs because of gzip. [GH-20345]
• connect: Fix issue where Consul-dataplane xDS sessions would not utilize the streaming backend for wan-federated queries. [GH-20868]
• connect: Fix potential goroutine leak in xDS stream handling. [GH-20866]
• connect: Fix xDS deadlock that could result in proxies being unable to start. [GH-20867]
• ingress-gateway: (Enterprise Only) Fix a bug where on update, Ingress Gateways lost all upstreams for listeners with wildcard services in a different namespace.

v1.18.0

Compare Source

BREAKING CHANGES:

• config-entries: Allow disabling request and idle timeouts with negative values in service router and service resolver config entries. [GH-19992]
• telemetry: Adds fix to always use the value of telemetry.disable_hostname when determining whether to prefix gauge-type metrics with the hostname of the Consul agent. Previously, if only the default metric sink was enabled, this configuration was ignored and always treated as true, even though its default value is false. [GH-20312]

SECURITY:

• Update golang.org/x/crypto to v0.17.0 to address CVE-2023-48795. [GH-20023]
• connect: Update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address CVE-2023-44487 [GH-19306]
• mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, CVE-2023-44487, GH-20589], CVE-2023-44487, and [GH-19879]

FEATURES:

• acl: add policy bindtype to binding rules. [GH-19499]
• agent: Introduces a new agent config default_intention_policy to decouple the default intention behavior from ACLs [GH-20544]
• agent: (Enterprise Only) Add fault injection filter support for Consul Service Mesh
• cloud: Adds new API/CLI to initiate and manage linking a Consul cluster to HCP Consul Central [GH-20312]
• dns: adds experimental support for a refactored DNS server that is v1 and v2 Catalog compatible.
  Use v2dns in the experiments agent config to enable.
  It will automatically be enabled when using the resource-apis (Catalog v2) experiment.
  The new DNS implementation will be the default in Consul 1.19.
  See the Consul 1.18.x Release Notes for deprecated DNS features. [GH-20643]
• ui: Added a banner to let users link their clusters to HCP [GH-20275]
• ui: Adds a redirect and warning message around unavailable UI with V2 enabled [GH-20359]
• ui: adds V2CatalogEnabled to config that is passed to the ui [GH-20353]
• v2: prevent use of the v2 experiments in secondary datacenters for now [GH-20299]

IMPROVEMENTS:

• cloud: unconditionally add Access-Control-Expose-Headers HTTP header [GH-20220]
• connect: Replace usage of deprecated Envoy field envoy.config.core.v3.HeaderValueOption.append. [GH-20078]
• connect: Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2. [GH-20013]
• docs: add Link API documentation [GH-20308]
• resource: lowercase names enforced for v2 resources only. [GH-19218]

BUG FIXES:

• dns: SERVFAIL when resolving not found PTR records. [GH-20679]
• raft: Fix panic during downgrade from enterprise to oss. [GH-19311]
• server: Ensure controllers are automatically restarted on internal stream errors. [GH-20642]
• server: Ensure internal streams are properly terminated on snapshot restore. [GH-20642]
• snapshot-agent: (Enterprise only) Fix a bug with static AWS credentials where one of the key id or secret key is provided via config file and the other is provided via an environment variable.

v1.17.0

Compare Source

1.17.0 (October 31, 2023)

BREAKING CHANGES:

• api: RaftLeaderTransfer now requires an id string. An empty string can be specified to keep the old behavior. [GH-17107]
• audit-logging: (Enterprise only) allowing timestamp based filename only on rotation. initially the filename will be just file.json [GH-18668]

DEPRECATIONS:

• cli: Deprecate the -admin-access-log-path flag from consul connect envoy command in favor of: -admin-access-log-config. [GH-15946]

SECURITY:

• Update golang.org/x/net to v0.17.0 to address CVE-2023-39325
  / CVE-2023-44487(x/net/http2). [GH-19225]
• Upgrade Go to 1.20.10.
  This resolves vulnerability CVE-2023-39325
  / CVE-2023-44487(net/http). [GH-19225]
• Upgrade google.golang.org/grpc to 1.56.3.
  This resolves vulnerability CVE-2023-44487. [GH-19414]
• connect: update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address CVE-2023-44487 [GH-19275]

FEATURE PREVIEW: Catalog v2

This release provides the ability to preview Consul's v2 Catalog and Resource API if enabled. The new model supports
multi-port application deployments with only a single Envoy proxy. Note that the v1 and v2 catalogs are not cross
compatible, and not all Consul features are available within this v2 feature preview. See the v2 Catalog and Resource
API documentation for more information. The v2 Catalog and
Resources API should be considered a feature preview within this release and should not be used in production
environments.

Limitations

• The v2 catalog API feature preview does not support connections with client agents. As a result, it is only available for Kubernetes deployments, which use Consul dataplanes instead of client agents.
• The v1 and v2 catalog APIs cannot run concurrently.
• The Consul UI does not support multi-port services or the v2 catalog API in this release.
• HCP Consul does not support multi-port services or the v2 catalog API in this release.

Significant Pull Requests

• [Catalog resource controllers]
• [Mesh resource controllers]
• [Auth resource controllers]
• [V2 Protobufs]

FEATURES:

• Support custom watches on the Consul Controller framework. [GH-18439]
• Windows: support consul connect envoy command on Windows [GH-17694]
• acl: Add BindRule support for templated policies. Add new BindType: templated-policy and BindVar field for templated policy variables. [GH-18719]
• acl: Add new acl.tokens.dns config field which specifies the token used implicitly during dns checks. [GH-17936]
• acl: Added ACL Templated policies to simplify getting the right ACL token. [GH-18708]
• acl: Adds a new ACL rule for workload identities [GH-18769]
• acl: Adds workload identity templated policy [GH-19077]
• api-gateway: Add support for response header modifiers on http-route configuration entry [GH-18646]
• api-gateway: add retry and timeout filters [GH-18324]
• cli: Add bind-var flag to consul acl binding-rule for templated policy variables. [GH-18719]
• cli: Add consul acl templated-policy commands to read, list and preview templated policies. [GH-18816]
• config-entry(api-gateway): (Enterprise only) Add GatewayPolicy to APIGateway Config Entry listeners
• config-entry(api-gateway): (Enterprise only) Add JWTFilter to HTTPRoute Filters
• dataplane: Allow getting bootstrap parameters when using V2 APIs [GH-18504]
• gateway: (Enterprise only) Add JWT authentication and authorization to APIGateway Listeners and HTTPRoutes.
• mesh: (Enterprise only) Adds rate limiting config to service-defaults [GH-18583]
• xds: Add a built-in Envoy extension that appends OpenTelemetry Access Logging (otel-access-logging) to the HTTP Connection Manager filter. [GH-18336]
• xds: Add support for patching outbound listeners to the built-in Envoy External Authorization extension. [GH-18336]

IMPROVEMENTS:

• raft: upgrade raft-wal library version to 0.4.1. [GH-19314]
• xds: Use downstream protocol when connecting to local app [GH-18573]
• Windows: Integration tests for Consul Windows VMs [GH-18007]
• acl: Use templated policy to generate synthetic policies for tokens/roles with node and/or service identities [GH-18813]
• api: added CheckRegisterOpts to Agent API [GH-18943]
• api: added Token field to ServiceRegisterOpts type in Agent API [GH-18983]
• ca: Vault CA provider config no longer requires root_pki_path for secondary datacenters [GH-17831]
• cli: Added -templated-policy, -templated-policy-file, -replace-templated-policy, -append-templated-policy, -replace-templated-policy-file, -append-templated-policy-file and -var flags for creating or updating tokens/roles. [GH-18708]
• config: Add new tls.defaults.verify_server_hostname configuration option. This specifies the default value for any interfaces that support the verify_server_hostname option. [GH-17155]
• connect: update supported envoy versions to 1.24.10, 1.25.9, 1.26.4, 1.27.0 [GH-18300]
• ui: Use Community verbiage [GH-18560]

BUG FIXES:

• api: add custom marshal/unmarshal for ServiceResolverConfigEntry.RequestTimeout so config entries that set this field can be read using the API. [GH-19031]
• ca: ensure Vault CA provider respects Vault Enterprise namespace configuration. [GH-19095]
• catalog api: fixes a bug with catalog api where filter query parameter was not working correctly for the /v1/catalog/services endpoint [GH-18322]
• connect: (Enterprise only) Fix bug where incorrect service-defaults entries were fetched to determine an upstream's protocol whenever the upstream did not explicitly define the namespace / partition. When this bug occurs, upstreams would use the protocol from a service-default entry in the default namespace / partition, rather than their own namespace / partition.
• connect: Fix bug where uncleanly closed xDS connections would influence connection balancing for too long and prevent envoy instances from starting. Two new configuration fields
  performance.grpc_keepalive_timeout and performance.grpc_keepalive_interval now exist to allow for configuration on how often these dead connections will be cleaned up. [GH-19339]
• dev-mode: Fix dev mode has new line in responses. Now new line is added only when url has pretty query parameter. [GH-18367]
• dns: (Enterprise only) Fix bug where sameness group queries did not correctly inherit the agent's partition.
• docs: fix list of telemetry metrics [GH-17593]
• gateways: Fix a bug where a service in a peered datacenter could not access an external node service through a terminating gateway [GH-18959]
• server: (Enterprise Only) Fixed an issue where snake case keys were rejected when configuring the control-plane-request-limit config entry
• telemetry: emit consul version metric on a regular interval. [GH-6876]
• tlsutil: Default setting of ServerName field in outgoing TLS configuration for checks now handled by crypto/tls. [GH-17481]

v1.16.0

Compare Source

1.16.0 (June 26, 2023)

BREAKING CHANGES:

• api: The /v1/health/connect/ and /v1/health/ingress/ endpoints now immediately return 403 "Permission Denied" errors whenever a token with insufficient service:read permissions is provided. Prior to this change, the endpoints returned a success code with an empty result list when a token with insufficient permissions was provided. [GH-17424]
• peering: Removed deprecated backward-compatibility behavior.
  Upstream overrides in service-defaults will now only apply to peer upstreams when the peer field is provided.
  Visit the 1.16.x upgrade instructions for more information. [GH-16957]

SECURITY:

• Bump Dockerfile base image to alpine:3.18. [GH-17719]
• audit-logging: (Enterprise only) limit v1/operator/audit-hash endpoint to ACL token with operator:read privileges.

FEATURES:

• api: (Enterprise only) Add POST /v1/operator/audit-hash endpoint to calculate the hash of the data used by the audit log hash function and salt.
• cli: (Enterprise only) Add a new consul operator audit hash command to retrieve and compare the hash of the data used by the audit log hash function and salt.
• cli: Adds new command - consul services export - for exporting a service to a peer or partition [GH-15654]
• connect: (Consul Enterprise only) Implement order-by-locality failover.
• mesh: Add new permissive mTLS mode that allows sidecar proxies to forward incoming traffic unmodified to the application. This adds AllowEnablingPermissiveMutualTLS setting to the mesh config entry and the MutualTLSMode setting to proxy-defaults and service-defaults. [GH-17035]
• mesh: Support configuring JWT authentication in Envoy. [GH-17452]
• server: (Enterprise Only) added server side RPC requests IP based read/write rate-limiter. [GH-4633]
• server: (Enterprise Only) allow automatic license utilization