This repository has been archived by the owner on Aug 25, 2021. It is now read-only.

Releases: hashicorp/consul-helm

v0.27.0

26 Nov 00:25
7afce65

⚠️ This release defaults the Consul image to 1.9.0, which panics on upgrades
(Issue). We recommend using
Consul-helm 0.29.0+ or updating the Consul image to 1.9.2+. ⚠️

IMPROVEMENTS:

  • Connect: support connectInject.logLevel setting. [GH-699]
  • Connect: (Consul Enterprise only) error out if connectInject.consulNamespaces.mirroringK8S: true but global.enableConsulNamespaces: false. [GH-695]
  • Updated the default Consul image to hashicorp/consul:1.9.0.
  • Updated the default consul-k8s image to hashicorp/consul-k8s:0.21.0.
  • Updated the default envoy image to envoyproxy/envoy-alpine:v1.16.0.

v0.26.0

12 Nov 22:40
65aeb67

FEATURES:

  • Kubernetes health check synchronization with Consul for connect injected pods via connectInject.healthChecks [GH-651].
    The default behavior for this feature is enabled: true.
    See https://www.consul.io/docs/k8s/connect/health for more information.
    In order to enable this feature for existing installations it is required to restart all connect injected deployments so that they are re-injected.
    Until this is done, health checks for these deployments will not be synced to Consul.

    It is recommended to enable TLS with this setting enabled because it requires making calls to Consul clients across the cluster.
    Without TLS enabled, these calls could leak ACL tokens should the cluster network become compromised.

  • Support for custom resource definitions (CRDs) is now generally available.
    CRDs require Consul >= 1.8.4. If you wish to use ServiceIntentions
    custom resources then this requires Consul >= 1.9.0 (which is still in beta as of this release).

    To enable, set controller.enabled: true in your Helm configuration:

    controller:
      enabled: true

    See https://www.consul.io/docs/k8s/crds
    for more information. NOTE: Using CRDs with an existing cluster may require additional steps to migrate previously created
    config entries so they can be managed by CRDs. See https://www.consul.io/docs/k8s/crds/upgrade-to-crds
    for full details.
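
The TLS recommendation for health check synchronization above, as a Helm values sketch. This is an added example, not part of the release notes or the chart's own documentation. The `connectInject.healthChecks.enabled` and `global.acls.manageSystemACLs` keys appear on this page; the `global.tls.*` keys are assumed from the chart's values file and should be checked against the chart version you deploy.

```yaml
# Added example (not from the release notes).
# Assumption: the global.tls.* keys below match your chart version's values.yaml.

# --- Weak: health check sync enabled, agent API calls in plaintext ---
# Calls to Consul clients across the cluster carry ACL tokens unencrypted.
#
# global:
#   acls:
#     manageSystemACLs: true
#   tls:
#     enabled: false
# connectInject:
#   enabled: true
#   healthChecks:
#     enabled: true

# --- Corrected: same features, with TLS on agent traffic ---
global:
  acls:
    manageSystemACLs: true
  tls:
    enabled: true      # TLS for Consul server and client agents
    verify: true       # agents verify the certificates of their peers
    httpsOnly: true    # agents stop serving the plaintext HTTP API port
connectInject:
  enabled: true
  healthChecks:
    enabled: true      # the default in this release, shown for clarity
```

On an existing installation, connect-injected deployments still need the restart described above before their health checks are synced.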

BREAKING CHANGES:

  • This helm release only supports consul-k8s versions 0.20+
  • With the addition of the connect-inject health checks controller, any connect services which have failing Kubernetes readiness
    probes will no longer be routable through connect until their Kubernetes health probes are passing.
    Previously, if any connect services were failing their Kubernetes readiness checks they were still routable through connect.
    Users should verify that their connect services are passing Kubernetes readiness probes prior to using health checks synchronization.
  • When health checks are enabled, Consul clients will have check_update_interval set to 0s. Previously,
    it was set to its default of 5m. This change ensures the output of the check will show up in the Consul UI immediately. [GH-674]
  • CRDs: controller default limits.memory increased from 30Mi to 50Mi and requests.memory increased from 20Mi to 50Mi
    based on observed usage. [GH-649]

BUG FIXES:

  • Fix issue where Consul enterprise license job would fail for Consul versions >= 1.8.1. [GH-647]

IMPROVEMENTS:

  • Connect: support passing extra arguments to the injected envoy sidecar. [GH-675]

    To pass extra arguments to envoy, set connectInject.envoyExtraArgs in your
    Helm configuration:

    connectInject:
      enabled: true
      envoyExtraArgs: "--log-level debug --disable-hot-restart"

  • Connect: update MutatingWebhook resource version to admissionregistration.k8s.io/v1 from admissionregistration.k8s.io/v1beta1
    for clusters where it is supported. [GH-658]

  • Updated the default Consul image to consul:1.8.5.

  • Updated the default consul-k8s image to hashicorp/consul-k8s:0.20.0.

v0.25.0

12 Oct 23:24
c7085fc

FEATURES:

IMPROVEMENTS:

  • Add dns.type and dns.additionalSpec settings for changing the DNS service type and adding additional spec. [GH-555]
  • Catalog Sync: Can now be run when Consul clients are disabled. It will make API calls to the Consul servers instead. [GH-570]
  • Catalog Sync: Add support for changing the Consul node name where services are sync'd. [GH-580]
  • Support for setting priorityClassName for sync-catalog and connect-inject deployments. [GH-609]
  • Updated the default Consul image to consul:1.8.4.
  • Updated the default Envoy image to envoyproxy/envoy-alpine:v1.14.4.

BREAKING CHANGES:

  • connectInject.imageEnvoy and meshGateway.imageEnvoy have been removed and now inherit from global.imageEnvoy
    which is now standardized across terminating/ingress/mesh gateways and connectInject.
    global.imageEnvoy is now a required parameter. [GH-585]

v0.24.1

11 Aug 00:11
246cf54

BUG FIXES:

  • Bumps default Consul version to 1.8.2. This version of Consul contains a fix
    for hashicorp/consul#8430
    which causes Consul clients running on the same node as a connect-injected pod
    to crash loop indefinitely when restarted.

  • Bumps default consul-k8s version to 0.18.1. This version contains a fix
    for an issue that caused all connect-injected pods to be unhealthy for 60s
    if they were restarted. To roll out this fix, all Connect deployments must
    be restarted so that they are re-injected.

v0.24.0

31 Jul 18:04

BREAKING CHANGES:

  • Updating either server.extraConfig or client.extraConfig and running helm upgrade will force a restart of the
    server or agent pods respectively.

IMPROVEMENTS:

  • Add server.extraConfig and client.extraConfig values as hashes on Server
    StatefulSet and Client Daemonset annotations respectively. This recreates
    the server/client pod when the server/client extraConfig is updated via helm upgrade [GH-550]

  • Introduce field server.extraLabels to append additional labels to consul server pods. [GH-553]

  • Introduce field server.disableFsGroupSecurityContext which disables setting the fsGroup securityContext on the server statefulset.
    This enables deploying on platforms where the fsGroup is automatically set to an arbitrary gid. (eg OpenShift) [GH-528]

  • Connect: Resource settings for Connect, mesh, ingress and terminating gateway init containers and lifecycle sidecars have been made configurable. The default values correspond to the previously set limits, except that the lifecycle sidecar memory limit has been increased to 50Mi [GH-556]. These new fields are:

    • global.lifecycleSidecarContainer.resources - Configures the resource settings for all lifecycle sidecar containers used with Connect inject, mesh gateways, ingress gateways and terminating gateways.
    • connectInject.initContainer.resources - Configures resource settings for the Connect-injected init container.
    • meshGateway.initCopyConsulContainer.resources - Configures the resource settings for the copy-consul-bin init container for mesh gateways.
    • ingressGateways.defaults.initCopyConsulContainer.resources - Configures the resource settings for the copy-consul-bin init container for ingress gateways. Defaults can be overridden per ingress gateway.
    • terminatingGateways.defaults.initCopyConsulContainer.resources - Configures the resource settings for the copy-consul-bin init container for terminating gateways. Defaults can be overridden per terminating gateway.
  • Updated the default consul version to 1.8.1.

v0.23.1

10 Jul 17:59
6303775
Compare
Choose a tag to compare

BUG FIXES:

  • TLS: Fixes bug introduced in 0.23.0 where the DNS subject alternative names
    for the server certs were invalid. This would cause the server-acl-init job
    to run forever without completing. [GH-538]

v0.23.0

09 Jul 22:17

BREAKING CHANGES:

  • Connect: Resource limits have been set for ingress and terminating gateway containers and
    bumped up for mesh gateways. See deployment definitions for new resource settings. [GH-533, GH-534]

IMPROVEMENTS:

  • Default version of consul-k8s has been set to hashicorp/consul-k8s:0.17.0.

  • ClusterRoles and ClusterRoleBindings have been converted to Roles and RoleBindings
    for the following components because they only required access within their namespace:

    • Enterprise License Job
    • Server ACL Init
    • Server Statefulset
    • Client Daemonset
    • Client Snapshot Agent

    [GH-403]

  • The volumes set by client.extraVolumes are now passed as the last -config-dir argument.
    This means any settings there will override previous settings. This allows users to override
    settings that Helm is setting automatically, for example the acl down policy. [GH-531]

BUG FIXES:

  • Connect: Resource settings for mesh, ingress and terminating gateway init containers
    and lifecycle sidecar containers have been changed to avoid out of memory errors and hitting CPU limits. [GH-515]
    • copy-consul-bin has its memory limit set to 150M up from 25M
    • lifecycle-sidecar has its CPU request and limit set to 20m up from 10m.

v0.22.0

18 Jun 22:20

FEATURES:

  • Supports deploying Consul Ingress and Terminating Gateways.
    Multiple different gateways of each type can be deployed with default values that can
    be overridden for specific gateways if desired. Full documentation of the configuration
    options can be found in the values file or in the Helm chart documentation
    (Ingress, Terminating).
    Requires Consul 1.8.0+.

    Ingress gateways: [GH-456],
    Terminating gateways: [GH-503]

  • Resources are now set on all containers. This enables the chart to be deployed
    in clusters that have resource quotas set. This also ensures that Consul
    server and client pods won't be evicted by Kubernetes when nodes reach their
    resource limits.

    Resource settings have been made configurable for sync catalog, connect inject
    and client snapshot deployments and sidecar proxies. [GH-470]

    The default settings were chosen based on a cluster with a small workload.
    For production, we recommend monitoring resource usage and modifying the
    defaults according to your usage. [GH-466]

BREAKING CHANGES:

  • It is recommended to use the helm repository to install the helm chart instead of cloning this repo directly. Starting with this release
    the master branch may contain breaking changes.

      $ helm repo add hashicorp https://helm.releases.hashicorp.com
      $ helm install consul hashicorp/consul --set global.name=consul

  • Mesh Gateway: meshGateway.enableHealthChecks is no longer supported. This config
    option was to work around an issue where mesh gateways would not listen on their
    bind ports until a Connect service was registered. This issue was fixed in Consul 1.6.2. (GH-464)

  • Mesh Gateway: The default resource settings have been changed. To keep
    the previous settings, you must set meshGateway.resources in your own Helm config. (GH-466)

    Before:

    meshGateway:
      resources:
        requests:
          memory: "128Mi"
          cpu: "250m"
        limits:
          memory: "256Mi"
          cpu: "500m"

    After:

    meshGateway:
      resources:
        requests:
          memory: "100Mi"
          cpu: "100m"
        limits:
          memory: "100Mi"
          cpu: "100m"

  • Clients and Servers: There are now default resource settings for Consul clients
    and servers. Previously, there were no default settings which meant the default
    was unlimited. This change was made because Kubernetes will prefer to evict
    pods that don't have resource settings and that resulted in the Consul client
    and servers being evicted. The default resource settings were chosen based
    on a low-usage cluster. If you are running a production cluster, use the
    kubectl top command to see how much CPU and memory your clients and servers
    are using and set the resources accordingly [GH-466].

  • global.bootstrapACLs has been removed, use global.acls.manageSystemACLs instead [GH-501].

IMPROVEMENTS:

  • Add component label to the server, DNS, and UI services [GH-480].

  • Provide the ability to set a custom CA Cert for consul snapshot agent [GH-481].

  • Add support for client host networking [GH-496].

    To enable:

    client:
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet

  • Add ability to set Affinity and Tolerations to Connect Inject and Catalog Sync [GH-335].

  • Updated the default consul-k8s version to 0.16.0.

  • Updated the default consul version to 1.8.0.

  • Update default Envoy image version and OS to envoyproxy/envoy-alpine:1.14.2 [GH-502].

DEPRECATIONS

  • Setting resources via YAML string is now deprecated. Instead, set directly as YAML.
    This affects client.resources, server.resources and meshGateway.resources.
    To set directly as YAML, simply remove the pipe (|) character that defines
    the YAML as a string [GH-465]:

    Before:

    client:
      resources: |
        requests:
          memory: "128Mi"
          cpu: "250m"
        limits:
          memory: "256Mi"
          cpu: "500m"

    After:

    client:
      resources:
        requests:
          memory: "128Mi"
          cpu: "250m"
        limits:
          memory: "256Mi"
          cpu: "500m"

v0.21.0

14 May 14:33
b6648e7

FEATURES

  • Add experimental support for multi-datacenter federation via

    global:
      federation:
        enabled: true

    This requires Consul 1.8.0+ (which as of this release is only available as
    a beta). To use the beta, set global.image: consul:1.8.0-beta1.

  • Add new Helm value global.federation.createFederationSecret that will
    create a Kubernetes secret in primary datacenters that can be exported to secondary
    datacenters to help bootstrap secondary clusters for federation (GH-447).

IMPROVEMENTS

  • Default Consul Docker image is now consul:1.7.3.
  • Default consul-k8s Docker image is now hashicorp/consul-k8s:0.15.0.
  • ACLs: Restrict permissions for the server-acl-init job [GH-454].

BUG FIXES

  • Fix missing NODE_NAME environment variable when setting meshGateway.wanAddress.source=NodeName
    [GH-453].

v0.20.1

27 Apr 23:35
4833496

BUG FIXES

  • Fix a bug where client.join and externalServers.hosts values containing spaces are
    not quoted properly, for example, when providing cloud auto-join strings
    [GH-435].