v1.8.7

1.8.7 (December 23, 2025)

SECURITY:

• go: upgrade go version to 1.25.5 [GH-5051]

IMPROVEMENTS:

• api-gateway: Add support for file-based Envoy access log sinks via proxy-defaults. Previously, only stdout logging was supported.
  connect-inject: When proxy-defaults enables file-based access logs, automatically inject an emptyDir volume and volumeMount into the consul-dataplane container. [GH-5008]
• api-gateway: Added backward compatibility support for file-based Envoy access log sinks via proxy-defaults. [GH-5026]
• client: Add optional startup staggering for client ACL init to spread /v1/acl/login calls and reduce login storms on large clusters. Controlled via client.aclInit.startupStagger.* values (disabled by default). [GH-5021]

v1.7.9

1.7.9 (December 23, 2025)

SECURITY:

• go: upgrade go version to 1.25.5 [GH-5047]

IMPROVEMENTS:

• api-gateway: Add support for file-based Envoy access log sinks via proxy-defaults. Previously, only stdout logging was supported.
  connect-inject: When proxy-defaults enables file-based access logs, automatically inject an emptyDir volume and volumeMount into the consul-dataplane container. [GH-5008]
• api-gateway: Added backward compatibility support for file-based Envoy access log sinks via proxy-defaults. [GH-5026]
• client: Add optional startup staggering for client ACL init to spread /v1/acl/login calls and reduce login storms on large clusters. Controlled via client.aclInit.startupStagger.* values (disabled by default). [GH-5021]

v1.9.2

1.9.2 (December 23, 2025)

SECURITY:

• Add microdnf upgrade in dockerfile to include future security fixes [GH-4982]
• go: upgrade go version to 1.25.5 [GH-5052]

IMPROVEMENTS:

• api-gateway: Add support for file-based Envoy access log sinks via proxy-defaults. Previously, only stdout logging was supported.
  connect-inject: When proxy-defaults enables file-based access logs, automatically inject an emptyDir volume and volumeMount into the consul-dataplane container. [GH-5008]
• api-gateway: Added backward compatibility support for file-based Envoy access log sinks via proxy-defaults. [GH-5026]
• client: Add optional startup staggering for client ACL init to spread /v1/acl/login calls and reduce login storms on large clusters. Controlled via client.aclInit.startupStagger.* values (disabled by default). [GH-5021]

v1.7.8

1.7.8 (2 December, 2025)

SECURITY:

• crypto: upgrade golang.org/x/crypto to v0.45.0 to fix GO-2025-4134, GO-2025-4135, GO-2025-4116, GHSA-f6x5-jh6r-wrfv
  containerd: upgrade github.com/containerd/containerd to v1.7.29 to fix GO-2025-4100, GO-2025-4108 [GH-4990]

FEATURES:

• cli: Updated the status command to output the consul client & deployments status as well along with existing ones. [GH-4790]

IMPROVEMENTS:

• cni: fixed race conditions with older versions where no cleanup was done for binary
  cni: cleanup of cni binary on previous pod deletion to improve security posture [GH-4757]

v1.9.1

1.9.1 (2 December, 2025)

SECURITY:

• crypto: upgrade golang.org/x/crypto to v0.45.0 to fix GO-2025-4134, GO-2025-4135, GO-2025-4116, GHSA-f6x5-jh6r-wrfv
  containerd: upgrade github.com/containerd/containerd to v1.7.29 to fix GO-2025-4100, GO-2025-4108 [GH-4990]

FEATURES:

• api-gateway: Add support for configuring Kubernetes probes (liveness, readiness, startup) per-Gateway via annotations. Use consul.hashicorp.com/liveness-probe, consul.hashicorp.com/readiness-probe, and consul.hashicorp.com/startup-probe annotations with JSON probe configuration to customize health checks for individual API Gateways. [GH-4901] [GH-4901]
• cli: Add debug command to collect configs, logs, and other data from a Consul on Kubernetes deployment in a archive/dir. [GH-4800]
• cli: Updated the status command to output the consul client & deployments status as well along with existing ones. [GH-4790]
• cli: added new -capture flag to proxy loglevel command, enabling users to capture logs for certain duration. [GH-4788]

v1.8.6

1.8.6 (2 December, 2025)

SECURITY:

• crypto: upgrade golang.org/x/crypto to v0.45.0 to fix GO-2025-4134, GO-2025-4135, GO-2025-4116, GHSA-f6x5-jh6r-wrfv
  containerd: upgrade github.com/containerd/containerd to v1.7.29 to fix GO-2025-4100, GO-2025-4108 [GH-4990]

FEATURES:

• api-gateway: Add support for configuring Kubernetes probes (liveness, readiness, startup) per-Gateway via annotations. Use consul.hashicorp.com/liveness-probe, consul.hashicorp.com/readiness-probe, and consul.hashicorp.com/startup-probe annotations with JSON probe configuration to customize health checks for individual API Gateways. [GH-4901] [GH-4901]
• cli: Updated the status command to output the consul client & deployments status as well along with existing ones. [GH-4790]

IMPROVEMENTS:

• cni: fixed race conditions with older versions where no cleanup was done for binary
  cni: cleanup of cni binary on previous pod deletion to improve security posture [GH-4757]

v1.9.0

1.9.0 (October 27, 2025)

NOTE: Consul K8s 1.9.x is compatible with Consul 1.22.x and Consul Dataplane 1.9.x. Refer to our compatibility matrix for more info.

RELEASE HIGHLIGHTS:

• Enhanced IPv6 Support: Improved CNI kubeconfig generation with better Kubernetes API server URL handling for IPv6 environments
• Updated Dependencies: All Consul submodules updated to their latest GA versions for improved stability and compatibility
• Security Improvements: Go runtime upgraded to 1.25.3 with latest security patches

BUG FIXES:

• control-plane: Enhanced IPv6 support in CNI kubeconfig generation for better Kubernetes API server URL handling [GH-4897]

IMPROVEMENTS:

• deps: update consul/api to v1.33.0
• deps: update consul/sdk to v0.17.0
• deps: update consul/proto-public to v0.7.0
• deps: update consul/envoyextensions to v0.9.0
• deps: update consul/troubleshoot to v0.8.0

SECURITY:

• go: upgrade go version to 1.25.3 [GH-4897]

v1.9.0-rc2

1.9.0-rc2 (October 16, 2025)

FEATURES:

• api-gateway: Added boolean annotation "consul.hashicorp.com/enable-consul-dataplane-as-sidecar" for registering consul-dataplane as init container so that consul-dataplane container is initialised and started before application container. Default value is "false" i.e the feature is disabled by default. Also made the probe properties configurable through annotations. [GH-4678]
• control-plane: Added support to sync multiple ports of a service from k8s to consul. [GH-4778]
• helm: add dual stack flag for IPv6 support. [GH-4776]
• ipv6: Addition of ipv6 changes for consul-k8s connect inject and cni [GH-4779]

IMPROVEMENTS:

• consul-dataplane: now includes both privileged and non-privileged binaries in the image. By default, all use cases use the non-privileged binaries (without NET_BIND_SERVICE). For Ingress, API, and Mesh Gateway use cases, if a privileged port is configured, the privileged binary (with NET_BIND_SERVICE capability) is automatically selected and used. [GH-4745]
• cni: fixed race conditions with older versions where no cleanup was done for binary. cleanup of cni binary on previous pod deletion to improve security posture [GH-4757]
• control-plane: updated endpoints controller to use podIP from endpoint object [GH-4809]
• updated consul image version to 1.22.0-dev [GH-4792]

BUG FIXES:

• api-gateway: Fixed an issue where the gateway controller failed to detect annotation changes in deployments triggered by rollout restarts, preventing restarts from completing successfully. [GH-4767]
• control-plane: fix duplicate health check registrations for API Gateways and Mesh Gateways when node assignment is delayed [GH-4715]

SECURITY:

• cve: upgrade helm.sh/helm/v3 to v3.18.5 to fix CVE-2025-55198, CVE-2025-55199 [GH-4696]
• go: upgrade go version to 1.25.1 [GH-4762]
• security: Updated AWS SDK dependencies and added CVE suppressions. Upgraded github.com/aws/aws-sdk-go from v1.38.63 to v1.55.8 in hack/aws-acceptance-test-cleanup utilities and suppressed CVEs: GO-2022-0635 (AWS S3 Crypto SDK - in-band key negotiation issue) GO-2022-0646 (AWS S3 Crypto SDK - CBC padding oracle issue). These vulnerabilities affect only test cleanup utilities in unused S3 crypto components. They do not impact production consul-k8s deployments. [GH-4870]

v1.8.3

1.8.3 (September 30, 2025)

The consul-k8s and consul-k8s-control-plane packages released as v1.8.2 contained an issue where the Helm charts referenced preview builds of consul and consul-dataplane, instead of the production versions. To correct this issue, both consul-k8s v1.8.2 and consul-k8s-control-plane v1.8.2 were removed and re-released as v1.8.3.
As a result, consul-k8s and consul-k8s-control-plane are versioned at v1.8.3 in this release, while consul-dataplane remains at v1.8.2. This temporary version mismatch is expected, and will be resolved in an upcoming release.

SECURITY:

• go: upgrade go version to 1.25.1 [GH-4762]

FEATURES:

• Added boolean annotation "consul.hashicorp.com/enable-consul-dataplane-as-sidecar" for registering consul-dataplane as init container so that consul-dataplane container is initialised and started before application container. Default value is "false" i.e the feature is disabled by default. Also made the probe properties configurable through annotations. [GH-4678]

BUG FIXES:

• control-plane: fix duplicate health check registrations for API Gateways and Mesh Gateways when node assignment is delayed [GH-4715]

v1.7.6

1.7.6 (September 30, 2025)

The consul-k8s and consul-k8s-control-plane packages released as v1.7.5 contained an issue where the Helm charts referenced preview builds of consul and consul-dataplane, instead of the production versions. To correct this issue, both consul-k8s v1.7.5 and consul-k8s-control-plane v1.7.5 were removed and re-released as v1.7.6.
As a result, consul-k8s and consul-k8s-control-plane are versioned at v1.7.6 in this release, while consul-dataplane remains at v1.7.5. This temporary version mismatch is expected, and will be resolved in an upcoming release.

SECURITY:

• go: upgrade go version to 1.25.1 [GH-4762]

FEATURES:

• Added boolean annotation "consul.hashicorp.com/enable-consul-dataplane-as-sidecar" for registering consul-dataplane as init container so that consul-dataplane container is initialised and started before application container. Default value is "false" i.e the feature is disabled by default. Also made the probe properties configurable through annotations. [GH-4678]

BUG FIXES:

• control-plane: fix duplicate health check registrations for API Gateways and Mesh Gateways when node assignment is delayed [GH-4715]