From df7b7a6b3dc953ed3e864fd64dc281dfe7dd26e7 Mon Sep 17 00:00:00 2001 From: nrichu-hcp Date: Thu, 29 Sep 2022 13:58:43 -0400 Subject: [PATCH 1/9] draft release notes --- .../docs/release-notes/consul-k8s/v0_49_x.mdx | 66 +++++++++++++++++++ website/data/docs-nav-data.json | 4 ++ 2 files changed, 70 insertions(+) create mode 100644 website/content/docs/release-notes/consul-k8s/v0_49_x.mdx diff --git a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx new file mode 100644 index 0000000000..9393c19f9c --- /dev/null +++ b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx 
@@ -0,0 +1,66 @@ +--- +layout: docs +page_title: 0.49.x +description: >- + Consul on Kubernetes release notes for version 0.49.x +--- + +# Consul on Kubernetes 0.49.0 + +## Release Highlights + +- **Consul CNI Plugin**: This release introduces the Consul CNI Plugin for Consul on Kubernetes, to allow for configuring traffic redirection rules without escalated container privileges such as `CAP_NET_ADMIN`. Refer to [Enable the Consul CNI Plugin](/docs/k8s/installation/install#enable-the-consul-cni-plugin) for more details. The Consul CNI Plugin is supported for Consul K8s 0.49.0+ and Consul 1.13.1+. + +- **Kubernetes 1.24 Support**: Add support for Kubernetes 1.24 where ServiceAccounts no longer have long-term JWT tokens. [[GH-1431](https://github.com/hashicorp/consul-k8s/pull/1431)] + +- **MaxInboundConnections in service-defaults CRD**: Add support for MaxInboundConnections on the Service Defaults CRD. [[GH-1437](https://github.com/hashicorp/consul-k8s/pull/1437)] + +- **API Gateway: ACL auth when using WAN Federation**: Configure ACL auth for controller correctly when deployed in secondary datacenter with federation enabled [[GH-1462](https://github.com/hashicorp/consul-k8s/pull/1462)] + +## What has Changed + +- **Kubernetes 1.24 Support for multiport applications require Kubernetes secrets**: Users deploying multiple services to the same Pod (multiport) on Kubernetes 1.24+ must also deploy a Kubernetes secret for each ServiceAccount associated with the Consul service. 
The name of the Secret must match the ServiceAccount name and be of type `kubernetes.io/service-account-token` +Example: + + ```yaml + apiVersion: v1 + kind: Secret + metadata: + name: svc1 + annotations: + kubernetes.io/service-account.name: svc1 + type: kubernetes.io/service-account-token + --- + apiVersion: v1 + kind: Secret + metadata: + name: svc2 + annotations: + kubernetes.io/service-account.name: svc2 + type: kubernetes.io/service-account-token + ``` + +## Supported Software + +- Consul 1.11.x, Consul 1.12.x and Consul 1.13.1+ +- Kubernetes 1.19-1.24 +- Kubectl 1.19+ +- Envoy proxy support is determined by the Consul version deployed. Refer to + [Envoy Integration](/docs/connect/proxies/envoy) for details. + +## Upgrading + +For detailed information on upgrading, please refer to the [Upgrades page](/docs/k8s/upgrade) + +## Known Issues +The following issues are know to exist in the v0.49.0 release: + +- Consul CNI Plugin currently does not support RedHat OpenShift as the CNI Plugin Daemonset requires additional SecurityContextConstraint objects to run on OpenShift. Support for OpenShift will be added in an upcoming release. + +## Changelogs + +The changelogs for this major release version and any maintenance versions are listed below. + +~> **Note:** The following link takes you to the changelogs on the GitHub website. + +- [0.49.0](https://github.com/hashicorp/consul-k8s/releases/tag/v0.49.0) diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 6b94e594bd..5004b0c949 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -141,6 +141,10 @@ { "title": "Consul K8s", "routes": [ + { + "title": "v0.49.x", + "path": "release-notes/consul-k8s/v0_49_x" + }, { "title": "v0.48.x", "path": "release-notes/consul-k8s/v0_48_x" From c847ee24469a6034e4679c5d67dd64cb4daeb626 Mon Sep 17 00:00:00 2001 
From: nrichu-hcp Date: Thu, 29 Sep 2022 17:12:12 -0400 Subject: [PATCH 2/9] finalized 0.49 release notes --- .../docs/release-notes/consul-k8s/v0_49_x.mdx | 36 +++++-------------- 1 file changed, 8 insertions(+), 28 deletions(-) diff --git a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx index 9393c19f9c..8593af4d50 100644 --- a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx +++ b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx 
@@ -9,42 +9,22 @@ description: >- ## Release Highlights -- **Consul CNI Plugin**: This release introduces the Consul CNI Plugin for Consul on Kubernetes, to allow for configuring traffic redirection rules without escalated container privileges such as `CAP_NET_ADMIN`. Refer to [Enable the Consul CNI Plugin](/docs/k8s/installation/install#enable-the-consul-cni-plugin) for more details. The Consul CNI Plugin is supported for Consul K8s 0.49.0+ and Consul 1.13.1+. +- **Consul CNI Plugin - OpenShift support**: Support for OpenShift and Multus CNI plugin [GH-1527] -- **Kubernetes 1.24 Support**: Add support for Kubernetes 1.24 where ServiceAccounts no longer have long-term JWT tokens. [[GH-1431](https://github.com/hashicorp/consul-k8s/pull/1431)] +- **Consul API Gateway secondary datacenter support**: Use global ACL auth method to provision ACL tokens for API Gateway in secondary datacenter and Set primary datacenter flag when deploying controller into secondary datacenter with federation enabled [GH-1481] + +- **Cluster Peering**: pass new use_auto_cert value to gRPC TLS config when auto-encrypt is enabled. [GH-1541] + +- **Service tag annotation improvements**: Support escaped commas in service tag annotations for pods which use consul.hashicorp.com/connect-service-tags or consul.hashicorp.com/service-tags. [GH-1532] - **MaxInboundConnections in service-defaults CRD**: Add support for MaxInboundConnections on the Service Defaults CRD. 
[[GH-1437](https://github.com/hashicorp/consul-k8s/pull/1437)] -- **API Gateway: ACL auth when using WAN Federation**: Configure ACL auth for controller correctly when deployed in secondary datacenter with federation enabled [[GH-1462](https://github.com/hashicorp/consul-k8s/pull/1462)] - -## What has Changed - -- **Kubernetes 1.24 Support for multiport applications require Kubernetes secrets**: Users deploying multiple services to the same Pod (multiport) on Kubernetes 1.24+ must also deploy a Kubernetes secret for each ServiceAccount associated with the Consul service. The name of the Secret must match the ServiceAccount name and be of type `kubernetes.io/service-account-token` -Example: - - ```yaml - apiVersion: v1 - kind: Secret - metadata: - name: svc1 - annotations: - kubernetes.io/service-account.name: svc1 - type: kubernetes.io/service-account-token - --- - apiVersion: v1 - kind: Secret - metadata: - name: svc2 - annotations: - kubernetes.io/service-account.name: svc2 - type: kubernetes.io/service-account-token - ``` - ## Supported Software - Consul 1.11.x, Consul 1.12.x and Consul 1.13.1+ - Kubernetes 1.19-1.24 - Kubectl 1.19+ +- Helm 3.2+ - Envoy proxy support is determined by the Consul version deployed. Refer to [Envoy Integration](/docs/connect/proxies/envoy) for details. @@ -55,7 +35,7 @@ For detailed information on upgrading, please refer to the [Upgrades page](/docs ## Known Issues The following issues are know to exist in the v0.49.0 release: -- Consul CNI Plugin currently does not support RedHat OpenShift as the CNI Plugin Daemonset requires additional SecurityContextConstraint objects to run on OpenShift. Support for OpenShift will be added in an upcoming release. +- Kubernetes 1.25 is not supported as the [pod security admission controller](https://kubernetes.io/blog/2022/08/25/pod-security-admission-stable/) is not supported by Consul K8s. ## Changelogs From 848e989df963d1fbdc132e5f14bc7f6ff9cf7191 Mon Sep 17 00:00:00 2001 
From: nrichu-hcp <105801716+nrichu-hcp@users.noreply.github.com> Date: Fri, 30 Sep 2022 11:22:03 -0400 Subject: [PATCH 3/9] Update website/content/docs/release-notes/consul-k8s/v0_49_x.mdx Co-authored-by: David Yu --- website/content/docs/release-notes/consul-k8s/v0_49_x.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx index 8593af4d50..2faeec0e97 100644 --- a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx +++ b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx @@ -13,7 +13,7 @@ description: >- - **Consul API Gateway secondary datacenter support**: Use global ACL auth method to provision ACL tokens for API Gateway in secondary datacenter and Set primary datacenter flag when deploying controller into secondary datacenter with federation enabled [GH-1481] -- **Cluster Peering**: pass new use_auto_cert value to gRPC TLS config when auto-encrypt is enabled. [GH-1541] +- **Cluster Peering**: Utilize new `use_auto_cert` value to gRPC TLS config when auto-encrypt is enabled. [GH-1541] - **Service tag annotation improvements**: Support escaped commas in service tag annotations for pods which use consul.hashicorp.com/connect-service-tags or consul.hashicorp.com/service-tags. [GH-1532] From 560eb2b4a9e4a399549c34d048a08de28c64926b Mon Sep 17 00:00:00 2001 From: nrichu-hcp <105801716+nrichu-hcp@users.noreply.github.com> Date: Fri, 30 Sep 2022 11:22:12 -0400 Subject: [PATCH 4/9] Update website/content/docs/release-notes/consul-k8s/v0_49_x.mdx Co-authored-by: David Yu --- website/content/docs/release-notes/consul-k8s/v0_49_x.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx index 2faeec0e97..4c4bb2f089 100644 --- a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx 
+++ b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx @@ -35,7 +35,7 @@ For detailed information on upgrading, please refer to the [Upgrades page](/docs ## Known Issues The following issues are know to exist in the v0.49.0 release: -- Kubernetes 1.25 is not supported as the [pod security admission controller](https://kubernetes.io/blog/2022/08/25/pod-security-admission-stable/) is not supported by Consul K8s. +- Kubernetes 1.25 is not supported as the [Pod Security Admission controller](https://kubernetes.io/blog/2022/08/25/pod-security-admission-stable/) is currently not supported by Consul K8s. ## Changelogs From b95ccf166e73a46b911c341fe69b4a9dc6dbec21 Mon Sep 17 00:00:00 2001 From: nrichu-hcp Date: Fri, 30 Sep 2022 11:29:14 -0400 Subject: [PATCH 5/9] added missing links per davids advice --- website/content/docs/release-notes/consul-k8s/v0_49_x.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx index 4c4bb2f089..3a38f7f4f2 100644 --- a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx +++ b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx 
@@ -9,13 +9,13 @@ description: >- ## Release Highlights -- **Consul CNI Plugin - OpenShift support**: Support for OpenShift and Multus CNI plugin [GH-1527] +- **Consul CNI Plugin - OpenShift support**: Support for OpenShift and Multus CNI plugin [GH-1527](https://github.com/hashicorp/consul-k8s/pull/1527) -- **Consul API Gateway secondary datacenter support**: Use global ACL auth method to provision ACL tokens for API Gateway in secondary datacenter and Set primary datacenter flag when deploying controller into secondary datacenter with federation enabled [GH-1481] +- **Consul API Gateway secondary datacenter support**: Use global ACL auth method to provision ACL tokens for API Gateway in secondary datacenter and Set primary datacenter flag when deploying controller into secondary datacenter with federation enabled [GH-1481](https://github.com/hashicorp/consul-k8s/pull/1481) -- **Cluster Peering**: Utilize new `use_auto_cert` value to gRPC TLS config when auto-encrypt is enabled. [GH-1541] +- **Cluster Peering**: Utilize new `use_auto_cert` value to gRPC TLS config when auto-encrypt is enabled. [GH-1541](https://github.com/hashicorp/consul-k8s/pull/1541) -- **Service tag annotation improvements**: Support escaped commas in service tag annotations for pods which use consul.hashicorp.com/connect-service-tags or consul.hashicorp.com/service-tags. [GH-1532] +- **Service tag annotation improvements**: Support escaped commas in service tag annotations for pods which use consul.hashicorp.com/connect-service-tags or consul.hashicorp.com/service-tags. [GH-1532](https://github.com/hashicorp/consul-k8s/pull/1532) - **MaxInboundConnections in service-defaults CRD**: Add support for MaxInboundConnections on the Service Defaults CRD. [[GH-1437](https://github.com/hashicorp/consul-k8s/pull/1437)] From d4f994a43390c8096e2fb2ed057bb32786a8dd7d Mon Sep 17 00:00:00 2001 
From: nrichu-hcp <105801716+nrichu-hcp@users.noreply.github.com> Date: Fri, 30 Sep 2022 11:38:10 -0400 Subject: [PATCH 6/9] Update website/content/docs/release-notes/consul-k8s/v0_49_x.mdx Co-authored-by: David Yu --- website/content/docs/release-notes/consul-k8s/v0_49_x.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx index 3a38f7f4f2..d3e3ef98ce 100644 --- a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx +++ b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx @@ -9,7 +9,7 @@ description: >- ## Release Highlights -- **Consul CNI Plugin - OpenShift support**: Support for OpenShift and Multus CNI plugin [GH-1527](https://github.com/hashicorp/consul-k8s/pull/1527) +- **Consul CNI Plugin - OpenShift support**: Support for OpenShift and Multus CNI plugin [[GH-1527](https://github.com/hashicorp/consul-k8s/pull/1527)] - **Consul API Gateway secondary datacenter support**: Use global ACL auth method to provision ACL tokens for API Gateway in secondary datacenter and Set primary datacenter flag when deploying controller into secondary datacenter with federation enabled [GH-1481](https://github.com/hashicorp/consul-k8s/pull/1481) From 1daf4dcabae6487ffa389df99ac28e46c6a1b4d5 Mon Sep 17 00:00:00 2001 From: nrichu-hcp <105801716+nrichu-hcp@users.noreply.github.com> Date: Fri, 30 Sep 2022 11:38:20 -0400 Subject: [PATCH 7/9] Update website/content/docs/release-notes/consul-k8s/v0_49_x.mdx Co-authored-by: David Yu --- website/content/docs/release-notes/consul-k8s/v0_49_x.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx index d3e3ef98ce..7b3df22c28 100644 --- a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx +++ b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx 
@@ -11,7 +11,7 @@ description: >- - **Consul CNI Plugin - OpenShift support**: Support for OpenShift and Multus CNI plugin [[GH-1527](https://github.com/hashicorp/consul-k8s/pull/1527)] -- **Consul API Gateway secondary datacenter support**: Use global ACL auth method to provision ACL tokens for API Gateway in secondary datacenter and Set primary datacenter flag when deploying controller into secondary datacenter with federation enabled [GH-1481](https://github.com/hashicorp/consul-k8s/pull/1481) +- **Consul API Gateway secondary datacenter support**: Use global ACL auth method to provision ACL tokens for API Gateway in secondary datacenter and Set primary datacenter flag when deploying controller into secondary datacenter with federation enabled [[GH-1481](https://github.com/hashicorp/consul-k8s/pull/1481)] - **Cluster Peering**: Utilize new `use_auto_cert` value to gRPC TLS config when auto-encrypt is enabled. [GH-1541](https://github.com/hashicorp/consul-k8s/pull/1541) From f04cdeb9915dc3ce58ee69acb7c731688bd2c677 Mon Sep 17 00:00:00 2001 From: nrichu-hcp <105801716+nrichu-hcp@users.noreply.github.com> Date: Fri, 30 Sep 2022 11:38:29 -0400 Subject: [PATCH 8/9] Update website/content/docs/release-notes/consul-k8s/v0_49_x.mdx Co-authored-by: David Yu --- website/content/docs/release-notes/consul-k8s/v0_49_x.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx index 7b3df22c28..35658e4761 100644 --- a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx +++ b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx 
@@ -13,7 +13,7 @@ description: >- - **Consul API Gateway secondary datacenter support**: Use global ACL auth method to provision ACL tokens for API Gateway in secondary datacenter and Set primary datacenter flag when deploying controller into secondary datacenter with federation enabled [[GH-1481](https://github.com/hashicorp/consul-k8s/pull/1481)] -- **Cluster Peering**: Utilize new `use_auto_cert` value to gRPC TLS config when auto-encrypt is enabled. [GH-1541](https://github.com/hashicorp/consul-k8s/pull/1541) +- **Cluster Peering**: Utilize new `use_auto_cert` value to gRPC TLS config when auto-encrypt is enabled. [[GH-1541](https://github.com/hashicorp/consul-k8s/pull/1541)] - **Service tag annotation improvements**: Support escaped commas in service tag annotations for pods which use consul.hashicorp.com/connect-service-tags or consul.hashicorp.com/service-tags. [GH-1532](https://github.com/hashicorp/consul-k8s/pull/1532) From a9b8b1e48f7386e4619fa85b6f38ba6ff53a8ce0 Mon Sep 17 00:00:00 2001 From: nrichu-hcp <105801716+nrichu-hcp@users.noreply.github.com> Date: Fri, 30 Sep 2022 11:38:36 -0400 Subject: [PATCH 9/9] Update website/content/docs/release-notes/consul-k8s/v0_49_x.mdx Co-authored-by: David Yu --- website/content/docs/release-notes/consul-k8s/v0_49_x.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx index 35658e4761..5f9725cd2a 100644 --- a/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx +++ b/website/content/docs/release-notes/consul-k8s/v0_49_x.mdx 
@@ -15,7 +15,7 @@ description: >- - **Cluster Peering**: Utilize new `use_auto_cert` value to gRPC TLS config when auto-encrypt is enabled. [[GH-1541](https://github.com/hashicorp/consul-k8s/pull/1541)] -- **Service tag annotation improvements**: Support escaped commas in service tag annotations for pods which use consul.hashicorp.com/connect-service-tags or consul.hashicorp.com/service-tags. [GH-1532](https://github.com/hashicorp/consul-k8s/pull/1532) +- **Service tag annotation improvements**: Support escaped commas in service tag annotations for pods which use consul.hashicorp.com/connect-service-tags or consul.hashicorp.com/service-tags. [[GH-1532](https://github.com/hashicorp/consul-k8s/pull/1532)] - **MaxInboundConnections in service-defaults CRD**: Add support for MaxInboundConnections on the Service Defaults CRD. [[GH-1437](https://github.com/hashicorp/consul-k8s/pull/1437)]
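Review bot: In PATCH 1/9 (new file v0_49_x.mdx), the Known Issues lead-in "The following issues are know to exist in the v0.49.0 release:" has a typo; "know" should be "known". The line is carried unchanged as context through PATCH 2/9 and PATCH 4/9, so nothing later in the series corrects it. PATCH 4/9 already edits the bullet directly below it and would be a natural place to fix it.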
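Review bot: PATCH 2/9 deletes the entire "What has Changed" section, including the requirement that multiport users on Kubernetes 1.24+ deploy a `kubernetes.io/service-account-token` Secret for each ServiceAccount, while "Supported Software" still lists Kubernetes 1.19-1.24. If that requirement still applies to 0.49.0, keep the item or link to where it is documented; if it was carried over from a previous release's notes, say so in the commit message, which currently reads only "finalized 0.49 release notes" and does not explain the 28 deleted lines. Two smaller points in the added lines: "and Set primary datacenter flag" has a stray capital mid-sentence, and the new entries cite GH-1527, GH-1481, GH-1541 and GH-1532 as bare text where the retained GH-1437 entry uses a link.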
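Review bot: In PATCH 3/9, the replacement line "Utilize new `use_auto_cert` value to gRPC TLS config when auto-encrypt is enabled." no longer parses, because "utilize ... to" does not take the object the way "pass ... to" did in the line being removed. Keep the added backticks but restore the verb, for example "Pass the new `use_auto_cert` value to the gRPC TLS config when auto-encrypt is enabled." The wording introduced here is still present in the final state of the file after PATCH 9/9.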
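Review bot: PATCH 5/9 adds the pull-request links as `[GH-1527](...)` without the outer brackets that the existing GH-1437 entry in the same list uses (`[[GH-1437](...)]`), so the four new entries render differently from their neighbour; PATCH 6/9 through 9/9 then correct them one line per commit. Folding those four fixes into this commit would leave one reviewable change instead of five. While touching these lines, the annotation keys consul.hashicorp.com/connect-service-tags and consul.hashicorp.com/service-tags should be wrapped in backticks, as was done for `use_auto_cert`; they are still unformatted after PATCH 9/9.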