SECURITY:
- Upgrade Go to use 1.21.10. This addresses CVEs CVE-2024-24787 and CVE-2024-24788 [GH-487]
- Upgrade to support Envoy
1.28.2. This resolves CVE CVE-2024-27919 (http2). [GH-474] - Upgrade to support Envoy
1.28.3. This resolves CVE CVE-2024-32475. [GH-496] - Upgrade to use Go
1.21.9. This resolves CVE CVE-2023-45288 (http2). [GH-474] - Upgrade to use golang.org/x/net
v0.24.0. This resolves CVE CVE-2023-45288 (x/net). [GH-474]
IMPROVEMENTS:
- Upgrade Go to use 1.22.3. [GH-501]
SECURITY:
- Upgrade Go to use 1.21.10. This addresses CVEs CVE-2024-24787 and CVE-2024-24788 [GH-487]
- Upgrade to support Envoy
1.27.4. This resolves CVE CVE-2024-27919 (http2). [GH-477] - Upgrade to support Envoy
1.27.5. This resolves CVE CVE-2024-32475. [GH-497] - Upgrade to use Go
1.21.9. This resolves CVE CVE-2023-45288 (http2). [GH-477] - Upgrade to use golang.org/x/net
v0.24.0. This resolves CVE CVE-2023-45288 (x/net). [GH-477]
IMPROVEMENTS:
- Upgrade Go to use 1.22.3. [GH-501]
SECURITY:
- Upgrade Go to use 1.21.10. This addresses CVEs CVE-2024-24787 and CVE-2024-24788 [GH-487]
- Upgrade to support Envoy
1.26.8. This resolves CVE CVE-2024-27919 (http2). [GH-476] - Upgrade to support Envoy
1.27.5. This resolves CVE CVE-2024-32475. [GH-498] - Upgrade to use Go
1.21.9. This resolves CVE CVE-2023-45288 (http2). [GH-476] - Upgrade to use golang.org/x/net
v0.24.0. This resolves CVE CVE-2023-45288 (x/net). [GH-476]
IMPROVEMENTS:
- Upgrade Go to use 1.22.3. [GH-501]
SECURITY:
- Upgrade Go to use 1.21.10. This addresses CVEs CVE-2024-24787 and CVE-2024-24788 [GH-487]
- Upgrade to support Envoy
1.26.8. This resolves CVE CVE-2024-27919 (http2). [GH-475] - Upgrade to support Envoy
1.27.5. This resolves CVE CVE-2024-32475. [GH-499] - Upgrade to use Go
1.21.9. This resolves CVE CVE-2023-45288 (http2). [GH-475] - Upgrade to use golang.org/x/net
v0.24.0. This resolves CVE CVE-2023-45288 (x/net). [GH-475]
IMPROVEMENTS:
- Upgrade Go to use 1.22.3. [GH-501]
SECURITY:
- Update Envoy version to 1.27.3 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, and CVE-2023-44487 [GH-421]
IMPROVEMENTS:
- Upgrade to use Go 1.21.7. [GH-411]
SECURITY:
- Update Envoy version to 1.27.2 to address CVE-2023-44487 [GH-310]
- Update Envoy version to 1.28.1 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, and CVE-2023-44487 [GH-416]
- Upgrade
consul-dataplane-fipsOpenShift container image to useubi9-minimal:9.3as the base image. [GH-434]
FEATURES:
- Add metrics exporting directly to HCP when configured in core. [GH-370]
IMPROVEMENTS:
- Propagate merged metrics request query params to Envoy to enable metrics filtering. [GH-372]
- Update Envoy version from 1.27 to 1.28 [GH-416]
BUG FIXES:
- Exclude Prometheus scrape path query params from Envoy path match s.t. it does not break merged metrics request routing. [GH-372]
SECURITY:
- Update Envoy version to 1.27.3 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, and CVE-2023-44487 [GH-421]
IMPROVEMENTS:
- Upgrade to use Go 1.21.7. [GH-411]
SECURITY:
- Update Envoy version to 1.26.7 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, and CVE-2023-44487 [GH-417]
IMPROVEMENTS:
- Upgrade to use Go 1.21.7. [GH-411]
SECURITY:
- Upgrade OpenShift container images to use
ubi9-minimal:9.3as the base image. [GH-373]
IMPROVEMENTS:
- Upgrade to use Go 1.21.6. [GH-384]
SECURITY:
- Upgrade OpenShift container images to use
ubi9-minimal:9.3as the base image. [GH-373]
IMPROVEMENTS:
- Upgrade to use Go 1.21.6. [GH-384]
SECURITY:
- Upgrade OpenShift container images to use
ubi9-minimal:9.3as the base image. [GH-373]
IMPROVEMENTS:
- Upgrade to use Go 1.21.6. [GH-384]
SECURITY:
- Update Envoy version to 1.27.2 to address CVE-2023-44487 [GH-314]
- Upgrade to use Go 1.20.12. This resolves CVEs
CVE-2023-45283: (
path/filepath) recognize ??\ as a Root Local Device path prefix (Windows) CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows) CVE-2023-39326: (net/http) limit chunked data overhead CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-353]
BUG FIXES:
- Fix issue where the internal grpc-proxy would hit the max message size limit for xDS streams with a large amount of configuration. [GH-357]
SECURITY:
- Upgrade to use Go 1.20.12. This resolves CVEs
CVE-2023-45283: (
path/filepath) recognize ??\ as a Root Local Device path prefix (Windows) CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows) CVE-2023-39326: (net/http) limit chunked data overhead CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-353]
BUG FIXES:
- Fix issue where the internal grpc-proxy would hit the max message size limit for xDS streams with a large amount of configuration. [GH-357]
SECURITY:
- Upgrade to use Go 1.20.12. This resolves CVEs
CVE-2023-45283: (
path/filepath) recognize ??\ as a Root Local Device path prefix (Windows) CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows) CVE-2023-39326: (net/http) limit chunked data overhead CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-353]
BUG FIXES:
- Fix issue where the internal grpc-proxy would hit the max message size limit for xDS streams with a large amount of configuration. [GH-357]
SECURITY:
- Update Envoy version to 1.27.2 to address CVE-2023-44487 [GH-315]
- Upgrade
google.golang.org/grpcto 1.56.3. This resolves vulnerability CVE-2023-44487. [GH-323] - Upgrade to use Go 1.20.10 and
x/net0.17.0. This resolves CVE-2023-39325 / CVE-2023-44487. [GH-299]
SECURITY:
- Update Envoy version to 1.26.6 to address CVE-2023-44487 [GH-313]
- Upgrade
google.golang.org/grpcto 1.56.3. This resolves vulnerability CVE-2023-44487. [GH-323] - Upgrade to use Go 1.20.10 and
x/net0.17.0. This resolves CVE-2023-39325 / CVE-2023-44487. [GH-299] - Upgrade to use Go 1.20.8. This resolves CVEs
CVE-2023-39320 (
cmd/go), CVE-2023-39318 (html/template), CVE-2023-39319 (html/template), CVE-2023-39321 (crypto/tls), and CVE-2023-39322 (crypto/tls) [GH-261]
SECURITY:
- Update Envoy version to 1.25.11 to address CVE-2023-44487 [GH-312]
- Upgrade
google.golang.org/grpcto 1.56.3. This resolves vulnerability CVE-2023-44487. [GH-323] - Upgrade to use Go 1.20.10 and
x/net0.17.0. This resolves CVE-2023-39325 / CVE-2023-44487. [GH-299] - Upgrade to use Go 1.20.8. This resolves CVEs
CVE-2023-39320 (
cmd/go), CVE-2023-39318 (html/template), CVE-2023-39319 (html/template), CVE-2023-39321 (crypto/tls), and CVE-2023-39322 (crypto/tls) [GH-261]
SECURITY:
- Update Envoy version to 1.24.12 to address CVE-2023-44487 [GH-311]
- Upgrade
google.golang.org/grpcto 1.56.3. This resolves vulnerability CVE-2023-44487. [GH-323] - Upgrade to use Go 1.20.10 and
x/net0.17.0. This resolves CVE-2023-39325 / CVE-2023-44487. [GH-299] - Upgrade to use Go 1.20.8. This resolves CVEs
CVE-2023-39320 (
cmd/go), CVE-2023-39318 (html/template), CVE-2023-39319 (html/template), CVE-2023-39321 (crypto/tls), and CVE-2023-39322 (crypto/tls) [GH-261]
SECURITY:
- Update to Go 1.20.7 and Envoy 1.26.4 within the Dockerfile. [GH-235]
- Upgrade to use Go 1.20.6 and
x/net/http0.12.0. This resolves CVE-2023-29406(net/http). [GH-219] - Upgrade to use Go 1.20.7 and
x/net0.13.0. This resolves CVE-2023-29409(crypto/tls) and CVE-2023-3978(net/html). [GH-227] - Upgrade to use Go 1.20.8. This resolves CVEs
CVE-2023-39320 (
cmd/go), CVE-2023-39318 (html/template), CVE-2023-39319 (html/template), CVE-2023-39321 (crypto/tls), and CVE-2023-39322 (crypto/tls) [GH-261]
FEATURES:
- Add -shutdown-drain-listeners, -shutdown-grace-period, -graceful-shutdown-path and -graceful-port flags to configure proxy lifecycle management settings for the Envoy container. [GH-100]
- Add HTTP server with configurable port and endpoint path for initiating graceful shutdown. [GH-115]
- Catch SIGTERM and SIGINT to initate graceful shutdown in accordance with proxy lifecycle management configuration. [GH-130]
- Make consul dataplane handle bootstrap param response for Catalog and Mesh V2 resources [GH-242]
IMPROVEMENTS:
- Add graceful_startup endpoint and postStart hook in order to guarantee that dataplane starts up before application container. [GH-239]
- Add the
-config-fileflag to support reading configuration options from a JSON file. [GH-164] - In order to support Windows, write Envoy bootstrap configuration to a regular file instead of a named pipe. [GH-188]
- connect: Add capture group labels from Envoy cluster FQDNs to Envoy exported metric labels [GH-184]
BUG FIXES:
- Add support for envoy-extra-args. Fixes Envoy extra-args annotation crashing consul-dataplane container. [GH-133]
- Fix a bug where container user was unable to bind to privileged ports (< 1024). The consul-dataplane container now requires the NET_BIND_SERVICE capability. [GH-238]
- Fix a bug where exiting envoy would inadvertently throw an error [GH-175]
- Fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration. [GH-140]
SECURITY:
- Update to Go 1.20.7 and Envoy 1.26.4 within the Dockerfile. [GH-235]
BUG FIXES:
- Fix a bug where container user was unable to bind to privileged ports (< 1024). The consul-dataplane container now requires the NET_BIND_SERVICE capability. [GH-238]
SECURITY:
- Update to Go 1.20.7 and Envoy 1.25.9 within the Dockerfile. [GH-236]
BUG FIXES:
- Fix a bug where container user was unable to bind to privileged ports (< 1024). The consul-dataplane container now requires the NET_BIND_SERVICE capability. [GH-238]
SECURITY:
- Update to Go 1.20.7 and Envoy 1.24.10 within the Dockerfile. [GH-237]
BUG FIXES:
- Fix a bug where container user was unable to bind to privileged ports (< 1024). The consul-dataplane container now requires the NET_BIND_SERVICE capability. [GH-238]
SECURITY:
- Upgrade to use Go 1.20.7 and
x/net/http0.12.0. This resolves CVE-2023-29406(net/http). [GH-219] - Upgrade to use Go 1.20.7 and
x/net0.13.0. This resolves CVE-2023-29409(crypto/tls) and CVE-2023-3978(net/html). [GH-227]
FEATURES:
- Add -shutdown-drain-listeners, -shutdown-grace-period, -graceful-shutdown-path and -graceful-port flags to configure proxy lifecycle management settings for the Envoy container. [GH-100]
- Add HTTP server with configurable port and endpoint path for initiating graceful shutdown. [GH-115]
- Catch SIGTERM and SIGINT to initate graceful shutdown in accordance with proxy lifecycle management configuration. [GH-130]
IMPROVEMENTS:
- connect: Add capture group labels from Envoy cluster FQDNs to Envoy exported metric labels [GH-184]
BUG FIXES:
- Add support for envoy-extra-args. Fixes Envoy extra-args annotation crashing consul-dataplane container. [GH-133]
- Fix a bug where exiting envoy would inadvertently throw an error [GH-175]
- Fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration. [GH-140]
SECURITY:
- Upgrade to use Go 1.20.6 and
x/net/http0.12.0. This resolves CVE-2023-29406(net/http). [GH-219] - Upgrade to use Go 1.20.7 and
x/net0.13.0. This resolves CVE-2023-29409(crypto/tls) and CVE-2023-3978(net/html). [GH-227]
IMPROVEMENTS:
- connect: Add capture group labels from Envoy cluster FQDNs to Envoy exported metric labels [GH-184]
BUG FIXES:
- Fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration. [GH-140]
SECURITY:
- Upgrade to use Go 1.20.6 and
x/net/http0.12.0. This resolves CVE-2023-29406(net/http). [GH-219] - Upgrade to use Go 1.20.7 and
x/net0.13.0. This resolves CVE-2023-29409(crypto/tls) and CVE-2023-3978(net/html). [GH-227]
IMPROVEMENTS:
- connect: Add capture group labels from Envoy cluster FQDNs to Envoy exported metric labels [GH-184]
BUG FIXES:
- Fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration. [GH-140]
SECURITY:
- Update go-discover to 214571b6a5309addf3db7775f4ee8cf4d264fd5f within the Dockerfile. [GH-153]
- Update to Envoy 1.26.2 within the Dockerfile. [GH-142]
- Update to Go 1.20.4 and Envoy 1.26.1 within the Dockerfile. [GH-97]
SECURITY:
- Update go-discover to 214571b6a5309addf3db7775f4ee8cf4d264fd5f within the Dockerfile. [GH-153]
FEATURES:
- Add -shutdown-drain-listeners, -shutdown-grace-period, -graceful-shutdown-path and -graceful-port flags to configure proxy lifecycle management settings for the Envoy container. [GH-100]
- Add HTTP server with configurable port and endpoint path for initiating graceful shutdown. [GH-115]
- Catch SIGTERM and SIGINT to initate graceful shutdown in accordance with proxy lifecycle management configuration. [GH-130]
BUG FIXES:
- Add support for envoy-extra-args. Fixes Envoy extra-args annotation crashing consul-dataplane container. [GH-133]
- Fix a bug where exiting envoy would inadvertently throw an error [GH-175]
SECURITY:
- Update go-discover to 214571b6a5309addf3db7775f4ee8cf4d264fd5f within the Dockerfile. [GH-153]
FEATURES:
- Add -shutdown-drain-listeners, -shutdown-grace-period, -graceful-shutdown-path and -graceful-port flags to configure proxy lifecycle management settings for the Envoy container. [GH-100]
- Add HTTP server with configurable port and endpoint path for initiating graceful shutdown. [GH-115]
- Catch SIGTERM and SIGINT to initate graceful shutdown in accordance with proxy lifecycle management configuration. [GH-130]
BUG FIXES:
- Add support for envoy-extra-args. Fixes Envoy extra-args annotation crashing consul-dataplane container. [GH-133]
- Fix a bug where exiting envoy would inadvertently throw an error [GH-175]
BUG FIXES:
- Reverts #104 fix that caused a downstream error for Ingress/Mesh/Terminating GWs [GH-131]
SECURITY:
- Update to UBI base image to 9.2. [GH-125]
IMPROVEMENTS:
- Update bootstrap configuration to rename envoy_hcp_metrics_bind_socket_dir to envoy_telemetry_collector_bind_socket_dir to remove HCP naming references. [GH-122]
BUG FIXES:
- Reverts #104 fix that caused a downstream error for Ingress/Mesh/Terminating GWs [GH-131]
SECURITY:
- Update to Go 1.20.4 and Envoy 1.25.6 within the Dockerfile. [GH-98]
- Update to UBI base image to 9.2. [GH-125]
- Upgrade to use Go 1.20.4.
This resolves vulnerabilities CVE-2023-24537(
go/scanner), CVE-2023-24538(html/template), CVE-2023-24534(net/textproto) and CVE-2023-24536(mime/multipart). [GH-94]
FEATURES:
- Add envoy_hcp_metrics_bind_socket_dir flag to configure a directory where a unix socket is created. This enables Envoy metrics collection, which will be forwarded to a HCP metrics collector. [GH-90]
IMPROVEMENTS:
- Update bootstrap configuration to rename envoy_hcp_metrics_bind_socket_dir to envoy_telemetry_collector_bind_socket_dir to remove HCP naming references. [GH-122]
BUG FIXES:
- Fix a bug that threw an error when trying to use
$HOST_IPwith metrics URLs. [GH-106] - Fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration. [GH-104]
SECURITY:
- Update to Go 1.20.4 and Envoy 1.24.7 within the Dockerfile. [GH-99]
- Upgrade golang/x/net to 0.7.0
This resolves vulnerability CVE-2022-41723 in
x/net[GH-81] - Upgrade to use Go 1.20.1.
This resolves vulnerabilities CVE-2022-41724 in
crypto/tlsand CVE-2022-41723 innet/http. [GH-78] - Upgrade to use Go 1.20.4.
This resolves vulnerabilities CVE-2023-24537(
go/scanner), CVE-2023-24538(html/template), CVE-2023-24534(net/textproto) and CVE-2023-24536(mime/multipart). [GH-94]
FEATURES:
- Add envoy_hcp_metrics_bind_socket_dir flag to configure a directory where a unix socket is created. This enables Envoy metrics collection, which will be forwarded to a HCP metrics collector. [GH-90]
IMPROVEMENTS:
- Update consul-server-connection-manager to version 0.1.2. [GH-77]
BUG FIXES:
- Fix a bug that threw an error when trying to use
$HOST_IPwith metrics URLs. [GH-106] - Fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration. [GH-104]
SECURITY:
- Update Envoy to 1.25.1 within the Dockerfile. [GH-71]
- Upgrade golang/x/net to 0.7.0
This resolves vulnerability CVE-2022-41723 in
x/net[GH-81] - Upgrade to use Go 1.20.1.
This resolves vulnerabilities CVE-2022-41724 in
crypto/tlsand CVE-2022-41723 innet/http. [GH-78]
FEATURES:
- support Envoy admin access logs. [GH-65]
IMPROVEMENTS:
- Update consul-server-connection-manager to version 0.1.2. [GH-74]
SECURITY:
- Update to Go 1.19.4 and Envoy 1.24.1 within the Dockerfile. [GH-64]
IMPROVEMENTS:
- Update consul-server-connection-manager to version 0.1.1. [GH-66]
Initial release.