chore(deps): update hashicorp/consul docker tag to v1.22.4

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
hashicorp/consul (source)	minor	1.11.2 → 1.22.4

---

Release Notes

hashicorp/consul (hashicorp/consul)

v1.22.4

Compare Source

1.22.4 (February 18, 2026)

SECURITY:

• security: upgrade go version to 1.25.7 [GH-23204]
• dockerfile: the Consul build Go base image to alpine3.23 [GH-23194]
• connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
• security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]

IMPROVEMENTS:

• api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
• agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
• cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]

v1.22.3

Compare Source

SECURITY:

• Update the Consul Build Go base image to alpine3.23.2 [GH-23138]

IMPROVEMENTS:

• api: Add consul services imported-services and new api(/v1/exported-services) command to list services imported by partitions within a local datacenter [GH-12045]
• connect: added ability to configure Virtual IP range for t-proxy with CIDRs [GH-23085]

v1.22.2

Compare Source

1.22.2 (December 15, 2025)

SECURITY:

• security: Upgrade golang to 1.25.4. [GH-23029]
• security: upgrade internal packages of RHEL builds to include security fixes [GH-23078]

IMPROVEMENTS:

• ui: upgraded Ember framework from v3.28 to v4.12, improving performance and stability. Upgrades multiple other packages which support Ember v4. [GH-23070]

BUG FIXES:

• agent: fix bug prevents default TCP checks from being re-added on service reload when they were explicitly disabled or when custom checks were specified during initial registration. [GH-23088]
• audit-logging: (Enterprise only) Fixed JSON unmarshall error when array of obj is passed for auditReq body. [GH-11546]
• cli: Enhanced error messages in consul config write command to provide actionable guidance when config entries cannot be modified due to references by gateways or routers. [GH-22921]
• mesh: router + splitter + failover with retry now correctly failover for external services failover subsets through terminating gateways. [GH-23092]

v1.22.1

Compare Source

SECURITY:

• connect: Upgrade envoy version to 1.35.6 [GH-23056]
• security: Updated golang.org/x/crypto from v0.42.0 to v0.44.0. This resolves GO-2025-4116

IMPROVEMENTS:

• ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
• ui: Replaced reopen() calls with direct property assignment and subclassing to resolve Ember component reopen deprecation warnings [GH-22971]
• ui: removed deprecated Route#renderTemplate usage by introducing DebugLayout component and controller-based conditional rendering for docs routes [GH-22978]
• ui: resolved multiple Ember deprecations:

• Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
• Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
• Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

• acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
• xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
• xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

v1.22.0

Compare Source

SECURITY:

• connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
• security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
• security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
• security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
• security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

FEATURES:

• Added support to register a service in consul with multiple ports [GH-22769]
• agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
• install: Updated license information displayed during post-install
• ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
• oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

• security: Upgrade golang to 1.25.3. [GH-22926]
• ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
• ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
• ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]
• api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
• cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise
  http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise
  agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
• cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
• command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
• connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
• proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
• ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]
• ui: Replace yarn with pnpm for package management [GH-22790]
• ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [GH-22813]

BUG FIXES:

• ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
• ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
• ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]
• cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

v1.21.5

Compare Source

SECURITY:

• Migrate transitive dependency from archived mitchellh/mapstructure to go-viper/mapstructure to v2 to address CVE-2025-52893. [GH-22581]
• agent: Add the KV Validations to block path traversal allowing access to unauthorized endpoints. [GH-22682]
• agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [GH-22534]
• agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [GH-22626]
• api: add charset in all applicable content-types. [GH-22598]
• connect: Upgrade envoy version to 1.34.7 [GH-22735]
• security: Fix GHSA-65rg-554r-9j5x (CVE-2024-48908) by upgrading lycheeverse/lychee-action. [GH-22667]
• security: Fix a security vulnerability where the attacker could bypass authentication by passing url params as there was no validation on them. [GH-22612]
• security: perform constant time compare for sensitive values. [GH-22537]
• security: upgrade go version to 1.25.0 [GH-22652]
• security:: (Enterprise only) fix nil pointer dereference.
• security:: (Enterprise only) fix potential race condition in partition CRUD.
• security:: (Enterprise only) perform constant time compare for sensitive values.

FEATURES:

• config: Add new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream [GH-22604]
• config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in API Gateway config and proxy-defaults [GH-22679]
• config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Mesh Gateway via service-defaults and proxy-defaults [GH-22722]
• config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Terminating Gateway service-defaults and proxy-defaults [GH-22680]

IMPROVEMENTS:

• cli: add troubleshoot ports in debug command. A ports.json file is created, which lists the open or closed ports on the host where the command is executed. [GH-22624]

BUG FIXES:

• agent: Don't show admin partition during errors [GH-11154]

v1.21.4

Compare Source

SECURITY:

• security: Update Go to 1.23.12 to address CVE-2025-47906 [GH-22547]

IMPROVEMENTS:

• ui: Replaced internal code editor with HDS (HashiCorp Design System) code editor and code block components for improved accessibility and maintainability across the Consul UI. [GH-22513]

BUG FIXES:

• cli: capture pprof when ACL is enabled and a token with operator:read is used, even if enable_debug config is not explicitly set. [GH-22552]

v1.21.3

Compare Source

IMPROVEMENTS:

• ui: Improved display and handling of IPv6 addresses for better readability and usability in the Consul web interface. [GH-22468]

BUG FIXES:

• cli: validate IP address in service registration to prevent invalid IPs in service and tagged addresses. [GH-22467]
• ui: display IPv6 addresses with proper bracketed formatting [GH-22423]

v1.21.2

Compare Source

SECURITY:

• security: Upgrade UBI base image version to address CVE
  CVE-2025-4802
  CVE-2024-40896
  CVE-2024-12243
  CVE-2025-24528
  CVE-2025-3277
  CVE-2024-12133
  CVE-2024-57970
  CVE-2025-31115 [GH-22409]
• cli: update tls ca and cert create to reduce excessive file perms for generated public files [GH-22286]
• connect: Added non default namespace and partition checks to ConnectCA CSR requests. [GH-22376]
• security: Upgrade Go to 1.23.10. [GH-22412]

IMPROVEMENTS:

• config: Warn about invalid characters in datacenter resulting in non-generation of X.509 certificates when using external CA for agent TLS communication. [GH-22382]
• connect: Use net.JoinHostPort for host:port formatting to handle IPv6. [GH-22359]

BUG FIXES:

• http: return a clear error when both Service.Service and Service.ID are missing during catalog registration [GH-22381]
• license: (Enterprise only) Fixed issue where usage metrics are not written to the snapshot to export the license data. [GH-10668]
• wan-federation: Fixed an issue where advertised IPv6 addresses were causing WAN federation to fail. [GH-22226]

v1.21.1

Compare Source

FEATURES:

• xds: Extend LUA Script support for API Gateway [GH-22321]
• xds: Added a configurable option to disable XDS session load balancing, intended for scenarios where an external load balancer is used in front of Consul servers, making internal load balancing unnecessary.

IMPROVEMENTS:

• http: Add peer query param on catalog service API [GH-22189]

v1.21.0

Compare Source

• Enhancement: Added support for Consul Session to update the state of a Health Check, allowing for more dynamic and responsive health monitoring within the Consul ecosystem. This feature enables sessions to directly influence health check statuses, improving the overall reliability and accuracy of service health assessments.

v1.20.6

Compare Source

1.20.6 (April 25, 2025)

SECURITY:

• Update golang.org/x/net to v0.38.0 to address GHSA-vvgc-356p-c3xw and GO-2025-3595.
  Update github.com/golang-jwt/jwt/v4 to v4.5.2 to address GO-2025-3553 and GHSA-mh63-6h87-95cp.
  Update Go to v1.23.8 to address GO-2025-3563. [GH-22268]

IMPROVEMENTS:

• Added support for Consul Session to update the state of a Health Check, allowing for more dynamic and responsive health monitoring within the Consul ecosystem. This feature enables sessions to directly influence health check statuses, improving the overall reliability and accuracy of service health assessments. [GH-22227]

BUG FIXES:

• agent: Add the missing Service TaggedAddresses and Check Type fields to Txn API. [GH-22220]

v1.20.5

Compare Source

1.20.5 (March 11, 2025)

SECURITY:

• Update golang.org/x/crypto to v0.35.0 to address GO-2025-3487.
  Update golang.org/x/oauth2 to v0.27.0 to address GO-2025-3488.
  Update github.com/go-jose/go-jose/v3 to v3.0.4 to address GO-2025-3485. [GH-22207]
• Upgrade Go to 1.23.6. [GH-22204]

BUG FIXES:

• logging: Fixed compilation error for OS NetBSD. [GH-22184]

v1.20.4

Compare Source

1.20.4 (February 20, 2025)

IMPROVEMENTS:

• dependency: upgrade consul/api to use Go 1.31.2 [GH-22174]

BUG FIXES:

• api: Fixed api submodule checksum mismatch issue by retracted 1.31.1 version [GH-22172] [GH-22172]

v1.20.3

Compare Source

SECURITY:

• Upgrade Go to use v1.22.11 and bump Go X-Repositories to latest. This addresses CVE
  CVE-2024-45341 and
  CVE-2024-45336 [GH-22084]
• Upgrade Go to use v1.22.12 and bump Go X-Repositories to latest. This addresses CVE
  CVE-2025-22866 [GH-22132]

IMPROVEMENTS:

• connect: update supported envoy versions to 1.33.0, 1.32.3 [GH-22138]
• metadata: memoize the parsed build versions [GH-22113]

BUG FIXES:

• Fixed logging error while building for OpenBSD OS [GH-22120] [GH-22120]
• api-gateway: Fixed TLS configuration to properly enforce listener TLS versions and cipher suites [GH-21984]
• aws-auth: Fix bug where calls to AWS IAM and STS services error out due to URL with multiple trailing slashes. [GH-22109]

v1.20.2

Compare Source

SECURITY:

• Removed ability to use bexpr to filter results without ACL read on endpoint [GH-21950]
• Resolved issue where hcl would allow duplicates of the same key in acl policy configuration. [GH-21908]
• Update github.com/golang-jwt/jwt/v4 to v4.5.1 to address GHSA-29wx-vh33-7x7r. [GH-21951]
• Update golang.org/x/crypto to v0.31.0 to address GO-2024-3321. [GH-22001]
• Update golang.org/x/net to v0.33.0 to address GO-2024-3333. [GH-22021]
• Update registry.access.redhat.com/ubi9-minimal image to 9.5 to address CVE-2024-3596,CVE-2024-2511,CVE-2024-26458. [GH-22011]
• api: Enforces strict content-type header validation to protect against XSS vulnerability. [GH-21930]
  FEATURES:
• docs: added the docs for the grafana dashboards [GH-21795]
  BUG FIXES:
• proxycfg: fix a bug where peered upstreams watches are canceled even when another target needs it. [GH-21871]
• state: ensure that identical manual virtual IP updates result in not bumping the modify indexes [GH-21909]

v1.20.1

Compare Source

BREAKING CHANGES:

• mesh: Enable Envoy HttpConnectionManager.normalize_path by default on inbound traffic to mesh proxies. This resolves CVE-2024-10005. [GH-21816]

SECURITY:

• mesh: Add contains and ignoreCase to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves CVE-2024-10006. [GH-21816]
• mesh: Add http.incoming.requestNormalization to Mesh configuration entry to support inbound service traffic request normalization. This resolves CVE-2024-10005 and CVE-2024-10006. [GH-21816]

IMPROVEMENTS:

• api: remove dependency on proto-public, protobuf, and grpc [GH-21780]
• snapshot agent: (Enterprise only) Implement Service Principal Auth for snapshot agent on azure.
• xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [GH-21655]

v1.20.0

Compare Source

SECURITY:

• Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [GH-21704]
• Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [GH-21711]
• UI: Remove codemirror linting due to package dependency [GH-21726]
• Upgrade Go to use 1.22.7. This addresses CVE
  CVE-2024-34155 [GH-21705]
• Upgrade to support aws/aws-sdk-go v1.55.5 or higher. This resolves CVEs
  CVE-2020-8911 and
  CVE-2020-8912. [GH-21684]
• ui: Pin a newer resolution of Braces [GH-21710]
• ui: Pin a newer resolution of Codemirror [GH-21715]
• ui: Pin a newer resolution of Markdown-it [GH-21717]
• ui: Pin a newer resolution of ansi-html [GH-21735]

FEATURES:

• grafana: added the dashboards service-to-service dashboard, service dashboard, and consul dataplane dashboard [GH-21806]
• server: remove v2 tenancy, catalog, and mesh experiments [GH-21592]

IMPROVEMENTS:

• security: upgrade ubi base image to 9.4 [GH-21750]
• connect: Add Envoy 1.31 and 1.30 to support matrix [GH-21616]

BUG FIXES:

• jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [GH-21703]

v1.19.2

Compare Source

SECURITY:

• ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0 [GH-21588]

IMPROVEMENTS:

• Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [GH-21587]

BUG FIXES:

• api-gateway: (Enterprise only) ensure clusters are properly created for JWT providers with a remote URI for the JWKS endpoint [GH-21604]

v1.19.1

Compare Source

SECURITY:

• Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve CVE-2024-39305 [GH-21524]
• Upgrade go version to 1.22.5 to address CVE-2024-24791 [GH-21507]
• Upgrade go-retryablehttp to address CVE-2024-6104 [GH-21384]
• agent: removed reflected cross-site scripting vulnerability [GH-21342]
• ui: Pin and namespace sub-module dependencies related to the Consul UI [GH-21378]

IMPROVEMENTS:

• mesh: update supported envoy version 1.29.5 in addition to 1.28.4, 1.27.6. [GH-21277]

BUG FIXES:

• core: Fix multiple incorrect type conversion for potential overflows [GH-21251]
• core: Fix panic runtime error on AliasCheck [GH-21339]
• dns: Fix a regression where DNS SRV questions were returning duplicate hostnames instead of encoded IPs.
  This affected Nomad integrations with Consul. [GH-21361]
• dns: Fix a regression where DNS tags using the standard lookup syntax, tag.name.service.consul, were being disregarded. [GH-21361]
• dns: Fixes a spam log message "Failed to parse TTL for prepared query..."
  that was always being logged on each prepared query evaluation. [GH-21381]
• terminating-gateway: (Enterprise Only) Fixed issue where enterprise metadata applied to linked services was the terminating-gateways enterprise metadata and not the linked services enterprise metadata. [GH-21382]
• txn: Fix a bug where mismatched Consul server versions could result in undetected data loss for when using newer Transaction verbs. [GH-21519]

v1.19.0

Compare Source

BREAKING CHANGES:

• telemetry: State store usage metrics with a double consul element in the metric name have been removed. Please use the same metric without the second consul instead. As an example instead of consul.consul.state.config_entries use consul.state.config_entries [GH-20674]

SECURITY:

• Upgrade to support Envoy 1.27.5 and 1.28.3. This resolves CVE
  CVE-2024-32475 (auto_sni). [GH-21017]
• Upgrade to support k8s.io/apimachinery v0.18.7 or higher. This resolves CVE
  CVE-2020-8559. [GH-21017]

FEATURES:

• dns: queries now default to a refactored DNS server that is v1 and v2 Catalog compatible.
  Use v1dns in the experiments agent config to disable.
  The legacy server will be removed in a future release of Consul.
  See the Consul 1.19.x Release Notes for removed DNS features. [GH-20715]
• gateways: api-gateway can leverage listener TLS certificates available on the gateway's local filesystem by specifying the public certificate and private key path in the new file-system-certificate configuration entry [GH-20873]

IMPROVEMENTS:

• dns: new version was not supporting partition or namespace being set to 'default' in CE version. [GH-21230]
• mesh: update supported envoy version 1.29.4 in addition to 1.28.3, 1.27.5, 1.26.8. [GH-21142]
• upgrade go version to v1.22.4. [GH-21265]
• Upgrade github.com/envoyproxy/go-control-plane to 0.12.0. [GH-20973]
• dns: DNS-over-grpc when using consul-dataplane now accepts partition, namespace, token as metadata to default those query parameters.
  consul-dataplane v1.5+ will send this information automatically. [GH-20899]
• snapshot: Add consul snapshot decode CLI command to output a JSON object stream of all the snapshots data. [GH-20824]
• telemetry: Add telemetry.disable_per_tenancy_usage_metrics in agent configuration to disable setting tenancy labels on usage metrics. This significantly decreases CPU utilization in clusters with many admin partitions or namespaces.
• telemetry: Improved the performance usage metrics emission by not outputting redundant metrics. [GH-20674]

DEPRECATIONS:

• snapshot agent: (Enterprise only) Top level single snapshot destinations local_storage, aws_storage, azure_blob_storage, and google_storage in snapshot agent configuration files are now deprecated. Use the backup_destinations config object instead.

BUG FIXES:

• docs: Consul DNS Forwarding configuration for OpenShift update for Resolve Consul DNS Requests in Kubernetes [GH-20439]
• hcp: fix error logs when failing to push metrics [GH-20514]
• streaming: Handle ACL errors consistently when blocking query timeout is reached. [GH-20876]

v1.18.2

Compare Source

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

• Bump Dockerfile base image to alpine:3.19. [GH-20897]
• Update vault/api to v1.12.2 to address CVE-2024-28180
  (removes indirect dependency on impacted go-jose.v2) [GH-20910]
• Upgrade Go to use 1.21.10. This addresses CVEs
  CVE-2024-24787 and
  CVE-2024-24788 [GH-21074]
• Upgrade to support Envoy 1.26.8, 1.27.4, 1.27.5, 1.28.2 and 1.28.3. This resolves CVEs
  CVE-2024-27919 (http2). [GH-20956] and CVE-2024-32475 (auto_sni). [GH-21030]
• Upgrade to support k8s.io/apimachinery v0.18.7 or higher. This resolves CVE
  CVE-2020-8559. [GH-21034]
• Upgrade to use Go 1.21.9. This resolves CVE
  CVE-2023-45288 (http2). [GH-20956]
• Upgrade to use golang.org/x/net v0.24.0. This resolves CVE
  CVE-2023-45288 (x/net). [GH-20956]

IMPROVEMENTS:

• gateways: service defaults configuration entries can now be used to set default upstream limits for mesh-gateways [GH-20945]
• connect: Add ability to disable Auto Host Header Rewrite on Terminating Gateway at the service level [GH-20802]

BUG FIXES:

• dns: fix a bug with sameness group queries in DNS where responses did not respect DefaultForFailover.
  DNS requests against sameness groups without this field set will now error as intended.
• error running consul server in 1.18.0: failed to configure SCADA provider user's home directory path: $HOME is not defined [GH-20926]
• server: fix Ent snapshot restore on CE when CE downgrade is enabled [GH-20977]
• xds: Make TCP external service registered with terminating gateway reachable from peered cluster [GH-19881]

v1.18.1

Compare Source

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

BREAKING CHANGES:

• ui: Adds a "Link to HCP Consul Central" modal with integration to side-nav and link to HCP banner. There will be an option to disable the Link to HCP banner from the UI in a follow-up release. [GH-20474]

SECURITY:

• Update google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786. [GH-20801]
• Update the Consul Build Go base image to alpine3.19. This resolves CVEs
  CVE-2023-52425
  CVE-2023-52426 [GH-20812]
• Upgrade to use Go 1.21.8. This resolves CVEs
  CVE-2024-24783 (crypto/x509).
  CVE-2023-45290 (net/http).
  CVE-2023-45289 (net/http, net/http/cookiejar).
  CVE-2024-24785 (html/template).
  CVE-2024-24784 (net/mail). [GH-20812]

IMPROVEMENTS:

• api: Randomize the returned server list for the WatchServers gRPC endpoint. [GH-20866]
• partitions: (Enterprise only) Allow disabling of Gossip per Partition [GH-20669]
• snapshot agent: (Enterprise only) Add support for multiple snapshot destinations using the backup_destinations config file object.
• xds: Improved the performance of xDS server side load balancing. Its slightly improved in Consul CE with drastic CPU usage reductions in Consul Enterprise. [GH-20672]

BUG FIXES:

• audit-logs: (Enterprise Only) Fixes non ASCII characters in audit logs because of gzip. [GH-20345]
• connect: Fix issue where Consul-dataplane xDS sessions would not utilize the streaming backend for wan-federated queries. [GH-20868]
• connect: Fix potential goroutine leak in xDS stream handling. [GH-20866]
• connect: Fix xDS deadlock that could result in proxies being unable to start. [GH-20867]
• ingress-gateway: (Enterprise Only) Fix a bug where on update, Ingress Gateways lost all upstreams for listeners with wildcard services in a different namespace.

v1.18.0

Compare Source

BREAKING CHANGES:

• config-entries: Allow disabling request and idle timeouts with negative values in service router and service resolver config entries. [GH-19992]
• telemetry: Adds fix to always use the value of telemetry.disable_hostname when determining whether to prefix gauge-type metrics with the hostname of the Consul agent. Previously, if only the default metric sink was enabled, this configuration was ignored and always treated as true, even though its default value is false. [GH-20312]

SECURITY:

• Update golang.org/x/crypto to v0.17.0 to address CVE-2023-48795. [GH-20023]
• connect: Update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address CVE-2023-44487 [GH-19306]
• mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, CVE-2023-44487, GH-20589], CVE-2023-44487, and [GH-19879]

FEATURES:

• acl: add policy bindtype to binding rules. [GH-19499]
• agent: Introduces a new agent config default_intention_policy to decouple the default intention behavior from ACLs [GH-20544]
• agent: (Enterprise Only) Add fault injection filter support for Consul Service Mesh
• cloud: Adds new API/CLI to initiate and manage linking a Consul cluster to HCP Consul Central [GH-20312]
• dns: adds experimental support for a refactored DNS server that is v1 and v2 Catalog compatible.
  Use v2dns in the experiments agent config to enable.
  It will automatically be enabled when using the resource-apis (Catalog v2) experiment.
  The new DNS implementation will be the default in Consul 1.19.
  See the Consul 1.18.x Release Notes for deprecated DNS features. [GH-20643]
• ui: Added a banner to let users link their clusters to HCP [GH-20275]
• ui: Adds a redirect and warning message around unavailable UI with V2 enabled [GH-20359]
• ui: adds V2CatalogEnabled to config that is passed to the ui [GH-20353]
• v2: prevent use of the v2 experiments in secondary datacenters for now [GH-20299]

IMPROVEMENTS:

• cloud: unconditionally add Access-Control-Expose-Headers HTTP header [GH-20220]
• connect: Replace usage of deprecated Envoy field envoy.config.core.v3.HeaderValueOption.append. [GH-20078]
• connect: Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2. [GH-20013]
• docs: add Link API documentation [GH-20308]
• resource: lowercase names enforced for v2 resources only. [GH-19218]

BUG FIXES:

• dns: SERVFAIL when resolving not found PTR records. [GH-20679]
• raft: Fix panic during downgrade from enterprise to oss. [GH-19311]
• server: Ensure controllers are automatically restarted on internal stream errors. [GH-20642]
• server: Ensure internal streams are properly terminated on snapshot restore. [GH-20642]
• snapshot-agent: (Enterprise only) Fix a bug with static AWS credentials where one of the key id or secret key is provided via config file and the other is provided via an environment variable.

v1.17.3

Compare Source

SECURITY:

• mesh: Update Envoy versions to 1.27.3 and 1.26.7 to address CVE-2024-23324, CVE-2024-23325, CVE-2024-23322, CVE-2024-23323, CVE-2024-23327, and CVE-2023-44487 [GH-20587]

FEATURES:

• cli: Adds new command exported-services to list all services exported and their consumers. Refer to the CLI docs for more information. [GH-20331]

IMPROVEMENTS:

• ProxyCfg: avoid setting a watch on Internal.ServiceDump when mesh gateway is not used. [GH-20168]
• ProxyCfg: only return the nodes list when querying the Internal.ServiceDump watch from proxycfg [GH-20168]
• Upgrade to use Go 1.21.7. [GH-20545]
• api: add a new api(/v1/exported-services) to list all the exported service and their consumers. [GH-20015]
• connect: Add CaseInsensitive flag to service-routers that allows paths and path prefixes to ignore URL upper and lower casing. [GH-19647]

BUG FIXES:

• audit-logs: (Enterprise Only) Fixes non ASCII characters in audit logs because of gzip. [GH-20345]
• connect: Fix issue where re-persisting existing proxy-defaults using http protocol fails with a protocol-mismatch error. [GH-20481]
• connect: Fix regression with SAN matching on terminating gateways GH-20360 [GH-20417]
• connect: Remove code coupling where the xDS capacity controller could negatively affect raft autopilot performance. [GH-20511]
• logging: add /api prefix to v2 resource endpoint logs [GH-20352]
• mesh: Fix bug where envoy extensions could not be configured with "permissive" mTLS mode. Note that envoy extensions currently do not apply to non-mTLS traffic in permissive mode. [GH-20406]

v1.17.2

Compare Source

KNOWN ISSUES:

• connect: Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6. [GH-20360]

SECURITY:

• Upgrade OpenShift container images to use ubi9-minimal:9.3 as the base image. [GH-20014]

IMPROVEMENTS:

• connect: Remove usage of deprecated Envoy field match_subject_alt_names in favor of match_typed_subject_alt_names. [GH-19954]
• connect: replace usage of deprecated Envoy field envoy.config.router.v3.WeightedCluster.total_weight. [GH-20011]
• xds: Replace usage of deprecated Envoy field envoy.config.cluster.v3.Cluster.http_protocol_options [GH-20010]
• xds: remove usages of deprecated Envoy fields: envoy.config.cluster.v3.Cluster.http2_protocol_options, envoy.config.bootstrap.v3.Admin.access_log_path [GH-19940]
• xds: replace usage of deprecated Envoy field envoy.extensions.filters.http.lua.v3.Lua.inline_code [GH-20012]

DEPRECATIONS:

• cli: Deprecate the -admin-access-log-path flag from consul connect envoy command in favor of: -admin-access-log-config. [GH-19943]

BUG FIXES:

• prepared-query: (Enterprise-only) Fix issue where sameness-group failover targets to peers would attempt to query data from the default partition, rather than the sameness-group's partition always.
• ui: update token list on Role details page to show only linked tokens [GH-19912]

v1.17.1

Compare Source

SECURITY:

• Update github.com/golang-jwt/jwt/v4 to v4.5.0 to address PRISMA-2022-0270. [GH-19705]
• Upgrade to use Go 1.20.12. This resolves CVEs
  CVE-2023-45283: (path/filepath) recognize ??\ as a Root Local Device path prefix (Windows)
  CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows)
  CVE-2023-39326: (net/http) limit chunked data

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks