Releases: hashicorp/consul-ecs

v0.8.1

10 May 21:51
ffaa6f9

0.8.1 (May 10, 2024)

BUG FIXES

  • Update google.golang.org/protobuf to v1.33.0 and github.com/golang/protobuf to v1.5.4 to address CVE-2024-24786. [GH-240]
  • Fix mesh-init local executable copying in dynamically-linked execution contexts [GH-242]

IMPROVEMENTS

  • Bump Go version to 1.21.10
  • Bump x/net to 0.23.0

v0.8.0

29 Feb 08:14
eedf3eb

0.8.0 (Feb 29, 2024)

BREAKING CHANGES

  • Following are the changes made to the control-plane container
    • Rename control-plane subcommand to mesh-init. [GH-209]
    • Removes a lot of functionalities from control-plane [GH-207]
    • mesh-init will be a short-lived container with the following responsibilities
      • Perform Consul login and obtain an ACL token.
      • Register the service and sidecar proxy to Consul catalog.
      • Write ECS binary to shared volume.
      • Prepare and write Consul Dataplane configuration to a shared volume.
    • mesh-init, unlike control-plane, no longer writes the login token to a shared volume to pass it on to the Consul Dataplane container. Instead, it generates the login configuration needed to get a Consul ACL token and writes it to a shared volume as part of the Consul Dataplane configuration. Dataplane uses the login configuration to mint the token with the required permissions. [GH-208]
  • Adds a new command health-sync with the following responsibilities [GH-210]
    • Perform Consul login and obtain an ACL token.
    • Setup the Consul client to talk directly to the server.
    • Accumulate all the health checks associated with the service and the proxy, which would have been previously registered as critical by mesh-init.
    • Enters a long-running reconciliation loop where it
      • Periodically syncs back ECS container health status into Consul.
      • Marks all service and proxy checks as critical upon receiving SIGTERM.
      • Listens for changes to the Consul servers and reconfigures the Consul client if the server details change.
      • Gracefully shuts down (upon receiving SIGTERM), making sure that the Consul Dataplane has terminated properly, then deregisters the service and proxy and performs a Consul logout to invalidate the ACL token.
  • The transparentProxy.enabled field defaults to true if not specified. Transparent proxy is not yet supported for FARGATE-based launch types. When upgrading from previous versions of Consul ECS, always pass false for the transparentProxy.enabled field for FARGATE launch types so that the mesh-init process doesn't fail due to insufficient privileges when applying traffic redirection rules.
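
A pre-upgrade check for the default described above, as an added example (not code from consul-ecs): it reads an ECS_CONFIG_JSON document, applies the 0.8.0 default for transparentProxy.enabled, and flags FARGATE tasks where the field is not explicitly false. The function names, the launch-type strings passed in, and the sample configs are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Only the field named in the release notes is modelled. A *bool keeps
// "absent" (nil) distinct from an explicit false.
type ecsConfig struct {
	TransparentProxy *struct {
		Enabled *bool `json:"enabled"`
	} `json:"transparentProxy"`
}

// EffectiveTProxy applies the 0.8.0 default: transparentProxy.enabled is
// true when the stanza or the field is missing.
func EffectiveTProxy(raw string) (enabled, explicit bool, err error) {
	var cfg ecsConfig
	if err = json.Unmarshal([]byte(raw), &cfg); err != nil {
		return false, false, fmt.Errorf("parse ECS_CONFIG_JSON: %w", err)
	}
	if cfg.TransparentProxy == nil || cfg.TransparentProxy.Enabled == nil {
		return true, false, nil
	}
	return *cfg.TransparentProxy.Enabled, true, nil
}

// CheckUpgrade returns a finding for one task definition, or "" when the
// config is safe to upgrade for the given launch type (hypothetical helper).
func CheckUpgrade(launchType, raw string) (string, error) {
	enabled, explicit, err := EffectiveTProxy(raw)
	if err != nil {
		return "", err
	}
	if !strings.EqualFold(launchType, "FARGATE") || !enabled {
		return "", nil
	}
	if explicit {
		return "transparentProxy.enabled is true on FARGATE; set it to false", nil
	}
	return "transparentProxy.enabled is unset and defaults to true on FARGATE; set it to false", nil
}

func main() {
	// Constructed sample configs, not taken from a real task definition.
	samples := []struct{ launchType, cfg string }{
		{"FARGATE", `{}`},
		{"FARGATE", `{"transparentProxy":{"enabled":false}}`},
		{"EC2", `{}`},
		{"FARGATE", `{"transparentProxy":{"enabled":"false"}}`}, // string, not bool
	}
	for _, s := range samples {
		finding, err := CheckUpgrade(s.launchType, s.cfg)
		switch {
		case err != nil:
			fmt.Printf("%-7s %s -> invalid: %v\n", s.launchType, s.cfg, err)
		case finding != "":
			fmt.Printf("%-7s %s -> FAIL: %s\n", s.launchType, s.cfg, finding)
		default:
			fmt.Printf("%-7s %s -> ok\n", s.launchType, s.cfg)
		}
	}
}
```

A quoted "false" is rejected as a parse error rather than treated as false, so a mistyped value cannot slip through as an explicit opt-out.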

FEATURES

  • Transparent proxy support for ECS EC2 launch type [GH-212]
    • Add a transparentProxy stanza to the ECS_CONFIG_JSON schema to control traffic redirection settings for the ECS task. [GH-171]
    • Enable support for Consul DNS within the ECS task via the transparentProxy.consulDNS stanza. When enabled, Consul Dataplane starts up a DNS server on port 8600 and proxies DNS queries to the Consul DNS server. The /etc/resolv.conf file of the ECS task is also modified to make sure that 127.0.0.1 is the first nameserver in the list. [GH-170]
    • Adds a redirecttraffic package that invokes the iptables SDK of Consul, which internally applies the traffic redirection rules needed to properly set up transparent proxy within the ECS task. [GH-173]
    • The mesh-init process, in addition to registering the service and proxy to Consul, also invokes the required modules to apply traffic redirection rules and set up Consul DNS within the ECS task. [GH-174]
  • API and terminating gateways
    • Add support for configuring API and terminating gateways as ECS tasks [GH-192]
    • Add the following changes to the controller to support API gateways in ACL-enabled clusters [GH-198]
      • Create the consul-ecs-api-gateway-role ACL role and consul-ecs-api-gateway-policy ACL policy.
      • Add a new IAM entity tag consul.hashicorp.name.gateway-kind to the existing service auth method's config.
      • Add a new binding rule specific to API gateways that helps bind the API gateway's ACL token to the preconfigured consul-ecs-api-gateway-role.
    • Add the following changes to the controller to support terminating gateways in ACL-enabled clusters [GH-199]
      • Create the consul-ecs-terminating-gateway-role ACL role. This role will be assigned to the ACL token obtained by the terminating gateway task after performing a Consul login. Users can assign policies to this role via Terraform whenever needed.
      • Add a new binding rule specific to terminating gateways that helps bind the terminating gateway's ACL token to the preconfigured consul-ecs-terminating-gateway-role.

IMPROVEMENTS

  • Bump Go version to 1.21.6

BUG FIXES

  • Fix permissions given to the ACL token generated for a mesh gateway based ECS task. The following changes add the additional permissions: [GH-215]
    • Create the consul-ecs-mesh-gateway-role ACL role and consul-ecs-mesh-gateway-policy ACL policy with the mesh:write and peering:read permissions.
    • Add a new binding rule specific to mesh gateways that helps bind the mesh gateway's ACL token to the preconfigured consul-ecs-mesh-gateway-role.

v0.6.2

16 Feb 08:27
39a317e

0.6.2 (Feb 16, 2024)

IMPROVEMENTS

  • Bump Go to 1.21.6

v0.7.3

16 Feb 05:46
dbd752d

0.7.3 (Feb 16, 2024)

IMPROVEMENTS

  • Bump Go to 1.21.6

v0.8.0-rc1

08 Feb 15:25
c9a168c
Pre-release

0.8.0-rc1 (Feb 8, 2024)

BREAKING CHANGES

  • Following are the changes made to the control-plane container
    • Rename control-plane subcommand to mesh-init. [GH-209]
    • Removes a lot of functionalities from control-plane [GH-207]
    • mesh-init will be a short-lived container with the following responsibilities
      • Perform Consul login and obtain an ACL token.
      • Register the service and sidecar proxy to Consul catalog.
      • Write ECS binary to shared volume.
      • Prepare and write Consul Dataplane configuration to a shared volume.
    • mesh-init, unlike control-plane, no longer writes the login token to a shared volume to pass it on to the Consul Dataplane container. Instead, it generates the login configuration needed to get a Consul ACL token and writes it to a shared volume as part of the Consul Dataplane configuration. Dataplane uses the login configuration to mint the token with the required permissions. [GH-208]
  • Adds a new command health-sync with the following responsibilities [GH-210]
    • Perform Consul login and obtain an ACL token.
    • Setup the Consul client to talk directly to the server.
    • Accumulate all the health checks associated with the service and the proxy, which would have been previously registered as critical by mesh-init.
    • Enters a long-running reconciliation loop where it
      • Periodically syncs back ECS container health status into Consul.
      • Marks all service and proxy checks as critical upon receiving SIGTERM.
      • Listens for changes to the Consul servers and reconfigures the Consul client if the server details change.
      • Gracefully shuts down (upon receiving SIGTERM), making sure that the Consul Dataplane has terminated properly, then deregisters the service and proxy and performs a Consul logout to invalidate the ACL token.
  • The transparentProxy.enabled field defaults to true if not specified. Transparent proxy is not yet supported for FARGATE-based launch types. When upgrading from previous versions of Consul ECS, always pass false for the transparentProxy.enabled field for FARGATE launch types so that the mesh-init process doesn't fail due to insufficient privileges when applying traffic redirection rules.

FEATURES

  • Transparent proxy support for ECS EC2 launch type [GH-212]
    • Add a transparentProxy stanza to the ECS_CONFIG_JSON schema to control traffic redirection settings for the ECS task. [GH-171]
    • Enable support for Consul DNS within the ECS task via the transparentProxy.consulDNS stanza. When enabled, Consul Dataplane starts up a DNS server on port 8600 and proxies DNS queries to the Consul DNS server. The /etc/resolv.conf file of the ECS task is also modified to make sure that 127.0.0.1 is the first nameserver in the list. [GH-170]
    • Adds a redirecttraffic package that invokes the iptables SDK of Consul, which internally applies the traffic redirection rules needed to properly set up transparent proxy within the ECS task. [GH-173]
    • The mesh-init process, in addition to registering the service and proxy to Consul, also invokes the required modules to apply traffic redirection rules and set up Consul DNS within the ECS task. [GH-174]
  • API and terminating gateways
    • Add support for configuring API and terminating gateways as ECS tasks [GH-192]
    • Add the following changes to the controller to support API gateways in ACL-enabled clusters [GH-198]
      • Create the consul-ecs-api-gateway-role ACL role and consul-ecs-api-gateway-policy ACL policy.
      • Add a new IAM entity tag consul.hashicorp.name.gateway-kind to the existing service auth method's config.
      • Add a new binding rule specific to API gateways that helps bind the API gateway's ACL token to the preconfigured consul-ecs-api-gateway-role.
    • Add the following changes to the controller to support terminating gateways in ACL-enabled clusters [GH-199]
      • Create the consul-ecs-terminating-gateway-role ACL role. This role will be assigned to the ACL token obtained by the terminating gateway task after performing a Consul login. Users can assign policies to this role via Terraform whenever needed.
      • Add a new binding rule specific to terminating gateways that helps bind the terminating gateway's ACL token to the preconfigured consul-ecs-terminating-gateway-role.

IMPROVEMENTS

  • Bump Go version to 1.21.6

BUG FIXES

  • Fix permissions given to the ACL token generated for a mesh gateway based ECS task. The following changes add the additional permissions: [GH-215]
    • Create the consul-ecs-mesh-gateway-role ACL role and consul-ecs-mesh-gateway-policy ACL policy with the mesh:write and peering:read permissions.
    • Add a new binding rule specific to mesh gateways that helps bind the mesh gateway's ACL token to the preconfigured consul-ecs-mesh-gateway-role.

v0.7.2

25 Jan 05:49
98c327f

0.7.2 (Jan 25, 2024)

BUG FIXES

  • Fix permissions given to the ACL token generated for a mesh gateway based ECS task. The controller must be upgraded to this version for the fix to take effect. The following changes add the additional permissions: [GH-216]
    • Create the consul-ecs-mesh-gateway-role ACL role and consul-ecs-mesh-gateway-policy ACL policy with the mesh:write and peering:read permissions.
    • Add a new IAM entity tag consul.hashicorp.name.gateway-kind to the existing service auth method's config.
    • Add a new binding rule specific to mesh gateways that helps bind the mesh gateway's ACL token to the preconfigured consul-ecs-mesh-gateway-role.

v0.7.1

18 Dec 16:16
0aa503b

0.7.1 (Dec 18, 2023)

BUG FIXES

  • Fixes a bug which prevented graceful shutdown of the Consul dataplane container. [GH-200]

v0.7.0

07 Nov 18:43
63c9636

0.7.0 (Nov 7, 2023)

BREAKING CHANGES

  • Adopt the architecture described in Simplified Service Mesh with Consul Dataplane: [GH-161]
    • Consul client agents are no longer used.
    • Consul Dataplane must be run in place of Envoy in each ECS task. Consul Dataplane manages the Envoy process and proxies xDS requests from Envoy to Consul servers.
    • The consul-ecs binary now communicates with Consul servers using HTTP(S) and gRPC.
    • Services are registered directly with the central catalog on the Consul servers. Services in the same ECS cluster are registered to the same Consul node name.
  • Remove the mesh-init and health-sync commands, and add a unified control-plane command to replace them. The control-plane command starts a long running process with the following responsibilities:
    • Automatically (re)discover and (re)connect to Consul servers using connection manager. The consulServers.hosts config option supports an IP, DNS name, or an exec= string specifying a command that returns a list of IP addresses. [GH-143]
    • Make an ACL Login request to obtain an ACL token when using the Consul AWS IAM auth method.
    • Register the service and sidecar proxy with the central catalog on the Consul servers. [GH-144]
    • Write the configuration for Consul Dataplane to a file on a shared volume. [GH-145]
    • Sync ECS health check statuses for the ECS task into the central catalog on the Consul servers on a periodic basis. [GH-146]
    • Gracefully shut down when an ECS task is stopped. Upon receiving a SIGTERM, mark synced health checks critical and wait for Consul Dataplane to stop. Then remove health checks, services, and perform an ACL Logout if necessary. [GH-147]
  • controller: Add a new controller command in place of the acl-controller command with the following changes:
    • Remove all CLI flags. Configuration is read from the ECS_CONFIG_JSON environment variable. [GH-150]
    • Automatically (re)discover and (re)connect to Consul servers, similar to the control-plane command.
    • Because Consul client agents are no longer used, the controller no longer configures the "client" auth method, policy, role, and binding rule which previously enabled Consul client agents to log in.
    • Register the ECS cluster as a synthetic node in the central catalog on the Consul servers. The synthetic node is used to register services running in the ECS cluster.
    • Ensure leftover tokens and services are removed for ECS tasks that have stopped. [GH-153]
  • Changes to ECS_CONFIG_JSON schema.
    • Remove the consulHTTPAddr and consulCACertFile fields.
    • Add the consulLogin.datacenter field.
    • Add the controller field to support configuring the new controller command.
    • Add the consulServers field to specify the Consul server location and protocol-specific settings.
    • The consulServers.hosts field is required. This specifies the Consul server location as an IP address, DNS name, or exec= string specifying a command that returns a list of IP addresses. To use cloud auto-join, use an exec= string to run the discover CLI. For example, the following string invokes the discover CLI with a cloud auto-join string: exec=discover -q addrs provider=aws region=us-west-2 tag_key=consul-server tag_value=true. The discover CLI is included in the Consul ECS and Consul Dataplane images by default.
    • Remove the service.checks field. Consul agent health checks are no longer supported because Consul client agents are not used. Instead, set the healthSyncContainers field to have consul-ecs sync ECS health checks into Consul.
    • Add the proxy.healthCheckPort field which can be hit to determine Envoy's readiness.
    • Add the proxy.upstreams.destinationPeer field to enable the proxy to hit upstreams present in peer Consul clusters.
    • Add the meshGateway.healthCheckPort field which can be hit to determine Envoy's readiness.
    • Add the proxy.localServiceAddress field to configure Envoy to use a different address for the local service.
  • Add the go-discover binary to the Consul ECS image to better support cloud auto-join. [GH-160]

FEATURES

  • Use the AWS_REGION container environment variable and AvailabilityZone attribute of an ECS task meta JSON to set the locality parameters in Consul service and proxy registrations. These parameters are used to perform locality aware routing for Consul Enterprise installations. [GH-167]

IMPROVEMENTS

  • Bump Golang to 1.20

v0.6.1

02 Nov 17:03
6ad5e99

0.6.1 (Nov 2, 2023)

IMPROVEMENTS

  • Bump Go to 1.20

v0.7.0-rc1

11 Oct 14:37
2632b65
Pre-release

0.7.0-rc1 (Oct 11, 2023)

BREAKING CHANGES

  • Adopt the architecture described in Simplified Service Mesh with Consul Dataplane: [GH-161]
    • Consul client agents are no longer used.
    • Consul Dataplane must be run in place of Envoy in each ECS task. Consul Dataplane manages the Envoy process and proxies xDS requests from Envoy to Consul servers.
    • The consul-ecs binary now communicates with Consul servers using HTTP(S) and gRPC.
    • Services are registered directly with the central catalog on the Consul servers. Services in the same ECS cluster are registered to the same Consul node name.
  • Remove the mesh-init and health-sync commands, and add a unified control-plane command to replace them. The control-plane command starts a long running process with the following responsibilities:
    • Automatically (re)discover and (re)connect to Consul servers using connection manager. The consulServers.hosts config option supports an IP, DNS name, or an exec= string specifying a command that returns a list of IP addresses. [GH-143]
    • Make an ACL Login request to obtain an ACL token when using the Consul AWS IAM auth method.
    • Register the service and sidecar proxy with the central catalog on the Consul servers. [GH-144]
    • Write the configuration for Consul Dataplane to a file on a shared volume. [GH-145]
    • Sync ECS health check statuses for the ECS task into the central catalog on the Consul servers on a periodic basis. [GH-146]
    • Gracefully shut down when an ECS task is stopped. Upon receiving a SIGTERM, mark synced health checks critical and wait for Consul Dataplane to stop. Then remove health checks, services, and perform an ACL Logout if necessary. [GH-147]
  • controller: Add a new controller command in place of the acl-controller command with the following changes:
    • Remove all CLI flags. Configuration is read from the ECS_CONFIG_JSON environment variable. [GH-150]
    • Automatically (re)discover and (re)connect to Consul servers, similar to the control-plane command.
    • Because Consul client agents are no longer used, the controller no longer configures the "client" auth method, policy, role, and binding rule which previously enabled Consul client agents to log in.
    • Register the ECS cluster as a synthetic node in the central catalog on the Consul servers. The synthetic node is used to register services running in the ECS cluster.
    • Ensure leftover tokens and services are removed for ECS tasks that have stopped. [GH-153]
  • Changes to ECS_CONFIG_JSON schema.
    • Remove the consulHTTPAddr and consulCACertFile fields.
    • Add the consulLogin.datacenter field.
    • Add the controller field to support configuring the new controller command.
    • Add the consulServers field to specify the Consul server location and protocol-specific settings.
    • The consulServers.hosts field is required. This specifies the Consul server location as an IP address, DNS name, or exec= string specifying a command that returns a list of IP addresses. To use cloud auto-join, use an exec= string to run the discover CLI. For example, the following string invokes the discover CLI with a cloud auto-join string: exec=discover -q addrs provider=aws region=us-west-2 tag_key=consul-server tag_value=true. The discover CLI is included in the Consul ECS and Consul Dataplane images by default.
    • Remove the service.checks field. Consul agent health checks are no longer supported because Consul client agents are not used. Instead, set the healthSyncContainers field to have consul-ecs sync ECS health checks into Consul.
    • Add the proxy.healthCheckPort field which can be hit to determine Envoy's readiness.
    • Add the proxy.upstreams.destinationPeer field to enable the proxy to hit upstreams present in peer Consul clusters.
    • Add the meshGateway.healthCheckPort field which can be hit to determine Envoy's readiness.
    • Add the proxy.localServiceAddress field to configure Envoy to use a different address for the local service.
  • Add the go-discover binary to the Consul ECS image to better support cloud auto-join. [GH-160]

FEATURES

  • Use the AWS_REGION container environment variable and AvailabilityZone attribute of an ECS task meta JSON to set the locality parameters in Consul service and proxy registrations. These parameters are used to perform locality aware routing for Consul Enterprise installations. [GH-167]