Update module github.com/hashicorp/consul/api to v1.27.0 #67

Open
wants to merge 1 commit into
base: master

@renovate renovate bot commented May 15, 2021

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| github.com/hashicorp/consul/api | v1.1.0 -> v1.27.0 | age | adoption | passing | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

hashicorp/consul (github.com/hashicorp/consul/api)

v1.17.0

1.17.0 (October 31, 2023)

BREAKING CHANGES:

  • api: RaftLeaderTransfer now requires an id string. An empty string can be specified to keep the old behavior. [GH-17107]
  • audit-logging: (Enterprise only) allowing timestamp-based filename only on rotation. Initially the filename will be just file.json [GH-18668]

DEPRECATIONS:

  • cli: Deprecate the -admin-access-log-path flag from consul connect envoy command in favor of: -admin-access-log-config. [GH-15946]

SECURITY:

FEATURE PREVIEW: Catalog v2

This release provides the ability to preview Consul's v2 Catalog and Resource API if enabled. The new model supports multi-port application deployments with only a single Envoy proxy. Note that the v1 and v2 catalogs are not cross compatible, and not all Consul features are available within this v2 feature preview. See the v2 Catalog and Resource API documentation for more information. The v2 Catalog and Resources API should be considered a feature preview within this release and should not be used in production environments.

Limitations

  • The v2 catalog API feature preview does not support connections with client agents. As a result, it is only available for Kubernetes deployments, which use Consul dataplanes instead of client agents.
  • The v1 and v2 catalog APIs cannot run concurrently.
  • The Consul UI does not support multi-port services or the v2 catalog API in this release.
  • HCP Consul does not support multi-port services or the v2 catalog API in this release.

Significant Pull Requests

FEATURES:

  • Support custom watches on the Consul Controller framework. [GH-18439]
  • Windows: support consul connect envoy command on Windows [GH-17694]
  • acl: Add BindRule support for templated policies. Add new BindType: templated-policy and BindVar field for templated policy variables. [GH-18719]
  • acl: Add new acl.tokens.dns config field which specifies the token used implicitly during dns checks. [GH-17936]
  • acl: Added ACL Templated policies to simplify getting the right ACL token. [GH-18708]
  • acl: Adds a new ACL rule for workload identities [GH-18769]
  • acl: Adds workload identity templated policy [GH-19077]
  • api-gateway: Add support for response header modifiers on http-route configuration entry [GH-18646]
  • api-gateway: add retry and timeout filters [GH-18324]
  • cli: Add bind-var flag to consul acl binding-rule for templated policy variables. [GH-18719]
  • cli: Add consul acl templated-policy commands to read, list and preview templated policies. [GH-18816]
  • config-entry(api-gateway): (Enterprise only) Add GatewayPolicy to APIGateway Config Entry listeners
  • config-entry(api-gateway): (Enterprise only) Add JWTFilter to HTTPRoute Filters
  • dataplane: Allow getting bootstrap parameters when using V2 APIs [GH-18504]
  • gateway: (Enterprise only) Add JWT authentication and authorization to APIGateway Listeners and HTTPRoutes.
  • mesh: (Enterprise only) Adds rate limiting config to service-defaults [GH-18583]
  • xds: Add a built-in Envoy extension that appends OpenTelemetry Access Logging (otel-access-logging) to the HTTP Connection Manager filter. [GH-18336]
  • xds: Add support for patching outbound listeners to the built-in Envoy External Authorization extension. [GH-18336]

IMPROVEMENTS:

  • raft: upgrade raft-wal library version to 0.4.1. [GH-19314]
  • xds: Use downstream protocol when connecting to local app [GH-18573]
  • Windows: Integration tests for Consul Windows VMs [GH-18007]
  • acl: Use templated policy to generate synthetic policies for tokens/roles with node and/or service identities [GH-18813]
  • api: added CheckRegisterOpts to Agent API [GH-18943]
  • api: added Token field to ServiceRegisterOpts type in Agent API [GH-18983]
  • ca: Vault CA provider config no longer requires root_pki_path for secondary datacenters [GH-17831]
  • cli: Added -templated-policy, -templated-policy-file, -replace-templated-policy, -append-templated-policy, -replace-templated-policy-file, -append-templated-policy-file and -var flags for creating or updating tokens/roles. [GH-18708]
  • config: Add new tls.defaults.verify_server_hostname configuration option. This specifies the default value for any interfaces that support the verify_server_hostname option. [GH-17155]
  • connect: update supported envoy versions to 1.24.10, 1.25.9, 1.26.4, 1.27.0 [GH-18300]
  • ui: Use Community verbiage [GH-18560]

BUG FIXES:

  • api: add custom marshal/unmarshal for ServiceResolverConfigEntry.RequestTimeout so config entries that set this field can be read using the API. [GH-19031]
  • ca: ensure Vault CA provider respects Vault Enterprise namespace configuration. [GH-19095]
  • catalog api: fixes a bug with catalog api where filter query parameter was not working correctly for the /v1/catalog/services endpoint [GH-18322]
  • connect: (Enterprise only) Fix bug where incorrect service-defaults entries were fetched to determine an upstream's protocol whenever the upstream did not explicitly define the namespace / partition. When this bug occurs, upstreams would use the protocol from a service-default entry in the default namespace / partition, rather than their own namespace / partition.
  • connect: Fix bug where uncleanly closed xDS connections would influence connection balancing for too long and prevent envoy instances from starting. Two new configuration fields performance.grpc_keepalive_timeout and performance.grpc_keepalive_interval now exist to allow for configuration on how often these dead connections will be cleaned up. [GH-19339]
  • dev-mode: Fix dev mode has new line in responses. Now new line is added only when url has pretty query parameter. [GH-18367]
  • dns: (Enterprise only) Fix bug where sameness group queries did not correctly inherit the agent's partition.
  • docs: fix list of telemetry metrics [GH-17593]
  • gateways: Fix a bug where a service in a peered datacenter could not access an external node service through a terminating gateway [GH-18959]
  • server: (Enterprise Only) Fixed an issue where snake case keys were rejected when configuring the control-plane-request-limit config entry
  • telemetry: emit consul version metric on a regular interval. [GH-6876]
  • tlsutil: Default setting of ServerName field in outgoing TLS configuration for checks now handled by crypto/tls. [GH-17481]

v1.16.0

1.16.0 (June 26, 2023)

BREAKING CHANGES:

  • api: The /v1/health/connect/ and /v1/health/ingress/ endpoints now immediately return 403 "Permission Denied" errors whenever a token with insufficient service:read permissions is provided. Prior to this change, the endpoints returned a success code with an empty result list when a token with insufficient permissions was provided. [GH-17424]
  • peering: Removed deprecated backward-compatibility behavior.
    Upstream overrides in service-defaults will now only apply to peer upstreams when the peer field is provided.
    Visit the 1.16.x upgrade instructions for more information. [GH-16957]

SECURITY:

  • Bump Dockerfile base image to alpine:3.18. [GH-17719]
  • audit-logging: (Enterprise only) limit v1/operator/audit-hash endpoint to ACL token with operator:read privileges.

FEATURES:

  • api: (Enterprise only) Add POST /v1/operator/audit-hash endpoint to calculate the hash of the data used by the audit log hash function and salt.
  • cli: (Enterprise only) Add a new consul operator audit hash command to retrieve and compare the hash of the data used by the audit log hash function and salt.
  • cli: Adds new command - consul services export - for exporting a service to a peer or partition [GH-15654]
  • connect: (Consul Enterprise only) Implement order-by-locality failover.
  • mesh: Add new permissive mTLS mode that allows sidecar proxies to forward incoming traffic unmodified to the application. This adds AllowEnablingPermissiveMutualTLS setting to the mesh config entry and the MutualTLSMode setting to proxy-defaults and service-defaults. [GH-17035]
  • mesh: Support configuring JWT authentication in Envoy. [GH-17452]
  • server: (Enterprise Only) added server side RPC requests IP based read/write rate-limiter. [GH-4633]
  • server: (Enterprise Only) allow automatic license utilization reporting. [GH-5102]
  • server: added server side RPC requests global read/write rate-limiter. [GH-16292]
  • xds: Add property-override built-in Envoy extension that directly patches Envoy resources. [GH-17487]
  • xds: Add a built-in Envoy extension that inserts External Authorization (ext_authz) network and HTTP filters. [GH-17495]
  • xds: Add a built-in Envoy extension that inserts Wasm HTTP filters. [GH-16877]
  • xds: Add a built-in Envoy extension that inserts Wasm network filters. [GH-17505]

IMPROVEMENTS:

  • api: Support filtering for config entries. [GH-17183]
  • cli: Add -filter option to consul config list for filtering config entries. [GH-17183]
  • agent: remove agent cache dependency from service mesh leaf certificate management [GH-17075]
  • api: Enable setting query options on agent force-leave endpoint. [GH-15987]
  • audit-logging: (Enterprise only) enable error response and request body logging
  • ca: automatically set up Vault's auto-tidy setting for tidy_expired_issuers when using Vault as a CA provider. [GH-17138]
  • ca: support Vault agent auto-auth config for Vault CA provider using AliCloud authentication. [GH-16224]
  • ca: support Vault agent auto-auth config for Vault CA provider using AppRole authentication. [GH-16259]
  • ca: support Vault agent auto-auth config for Vault CA provider using Azure MSI authentication. [GH-16298]
  • ca: support Vault agent auto-auth config for Vault CA provider using JWT authentication. [GH-16266]
  • ca: support Vault agent auto-auth config for Vault CA provider using Kubernetes authentication. [GH-16262]
  • command: Adds ACL enabled to status output on agent startup. [GH-17086]
  • command: Allow creating ACL Token TTL with greater than 24 hours with the -expires-ttl flag. [GH-17066]
  • connect: (Enterprise Only) Add support for specifying "Partition" and "Namespace" in Prepared Queries failover rules.
  • connect: update supported envoy versions to 1.23.10, 1.24.8, 1.25.7, 1.26.2 [GH-17546]
  • connect: update supported envoy versions to 1.23.8, 1.24.6, 1.25.4, 1.26.0 [GH-5200]
  • fix metric names in /docs/agent/telemetry [GH-17577]
  • gateway: Change status condition reason for invalid certificate on a listener from "Accepted" to "ResolvedRefs". [GH-17115]
  • http: accept query parameters datacenter, ap (enterprise-only), and namespace (enterprise-only). Both short-hand and long-hand forms of these query params are now supported via the HTTP API (dc/datacenter, ap/partition, ns/namespace). [GH-17525]
  • systemd: set service type to notify. [GH-16845]
  • ui: Update alerts to Hds::Alert component [GH-16412]
  • ui: Update to use Hds::Toast component to show notifications [GH-16519]
  • ui: update from and to design-system-components button Hds::Button [GH-16251]
  • ui: update typography to styles from hds [GH-16577]

BUG FIXES:

  • Fix a race condition where an event is published before the data associated is committed to memdb. [GH-16871]
  • connect: Fix issue where changes to service exports were not reflected in proxies. [GH-17775]
  • gateways: (Enterprise only) Fixed a bug in API gateways where gateway configuration objects in non-default partitions did not reconcile properly. [GH-17581]
  • gateways: Fixed a bug in API gateways where binding a route that only targets a service imported from a peer results in the programmed gateway having no routes. [GH-17609]
  • gateways: Fixed a bug where API gateways were not being taken into account in determining xDS rate limits. [GH-17631]
  • namespaces: (Enterprise only) fixes a bug where agent health checks stop syncing for all services on a node if the namespace of any service has been removed from the server.
  • namespaces: (Enterprise only) fixes a bug where namespaces are stuck in a deferred deletion state indefinitely under some conditions.
    Also fixes the Consul query metadata present in the HTTP headers of the namespace read and list endpoints.
  • peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership. [GH-17483]
  • peering: Fixes a bug where the importing partition was not added to peered failover targets, which causes issues when the importing partition is a non-default partition. [GH-16673]
  • ui: fixes ui tests run on CI [GH-16428]
  • xds: Fixed a bug where modifying ACLs on a token being actively used for an xDS connection caused all xDS updates to fail. [GH-17566]

v1.15.3

1.15.3 (June 1, 2023)

BREAKING CHANGES:

  • extensions: The Lua extension now targets local proxy listeners for the configured service's upstreams, rather than remote downstream listeners for the configured service, when ListenerType is set to outbound in extension configuration. See CVE-2023-2816 changelog entry for more details. [GH-17415]

SECURITY:

FEATURES:

  • hcp: Add new metrics sink to collect, aggregate and export server metrics to HCP in OTEL format. [GH-17460]

IMPROVEMENTS:

  • Fixes a performance issue in Raft where commit latency can increase by 100x or more when under heavy load. For more details see https://github.com/hashicorp/raft/pull/541. [GH-17081]
  • agent: add a configurable maximum age (default: 7 days) to prevent servers re-joining a cluster with stale data [GH-17171]
  • agent: add new metrics to track cpu disk and memory usage for server hosts (defaults to: enabled) [GH-17038]
  • connect: update supported envoy versions to 1.22.11, 1.23.8, 1.24.6, 1.25.4 [GH-16889]
  • envoy: add MaxEjectionPercent and BaseEjectionTime to passive health check configs. [GH-15979]
  • hcp: Add support for linking existing Consul clusters to HCP management plane. [GH-16916]
  • logging: change snapshot log header from agent.server.snapshot to agent.server.raft.snapshot [GH-17236]
  • peering: allow re-establishing terminated peering from new token without deleting existing peering first. [GH-16776]
  • peering: gRPC queries for TrustBundleList, TrustBundleRead, PeeringList, and PeeringRead now support blocking semantics, reducing network and CPU demand. The HTTP APIs for Peering List and Read have been updated to support blocking. [GH-17426]
  • raft: Remove expensive reflection from raft/mesh hot path [GH-16552]
  • xds: rename envoy_hcp_metrics_bind_socket_dir to envoy_telemetry_collector_bind_socket_dir to remove HCP naming references. [GH-17327]

BUG FIXES:

  • Fix a bug where decoding some Config structs with unset pointer fields could fail with reflect: call of reflect.Value.Type on zero Value. [GH-17048]
  • acl: (Enterprise only) Check permissions in correct partition/namespace when resolving service in non-default partition/namespace
  • acl: Fix an issue where the anonymous token was synthesized in non-primary datacenters which could cause permission errors when federating clusters with ACL replication enabled. [GH-17231]
  • acls: Fix ACL bug that can result in sidecar proxies having incorrect endpoints.
  • connect: Fix multiple inefficient behaviors when querying service health. [GH-17241]
  • gateways: Fix a bug where targeting a virtual service defined by a service-resolver was broken for HTTPRoutes. [GH-17055]
  • grpc: ensure grpc resolver correctly uses lan/wan addresses on servers [GH-17270]
  • namespaces: adjusts the return type from HTTP list API to return the api module representation of a namespace. This fixes an error with the consul namespace list command when a namespace has a deferred deletion timestamp.
  • peering: Fix issue where modifying the list of exported services did not correctly replicate changes for services that exist in a non-default namespace. [GH-17456]
  • peering: Fix issue where peer streams could incorrectly deregister services in various scenarios. [GH-17235]
  • peering: ensure that merged central configs of peered upstreams for partitioned downstreams work [GH-17179]
  • xds: Fix possible panic that can occur when generating clusters before the root certificates have been fetched. [GH-17185]

v1.15.2

1.15.2 (March 30, 2023)

FEATURES:

  • xds: Allow for configuring connect proxies to send service mesh telemetry to an HCP metrics collection service. [GH-16585]

BUG FIXES:

  • audit-logging: (Enterprise only) Fix a bug where /agent/monitor and /agent/metrics endpoints return a Streaming not supported error when audit logs are enabled. This also fixes the delay receiving logs when running consul monitor against an agent with audit logs enabled. [GH-16700]
  • ca: Fixes a bug where updating Vault CA Provider config would cause TLS issues in the service mesh [GH-16592]
  • cache: revert cache refactor which could cause blocking queries to never return [GH-16818]
  • gateway: (Enterprise only) Fix bug where namespace/partition would fail to unmarshal for TCPServices. [GH-16781]
  • gateway: (Enterprise only) Fix bug where namespace/partition would fail to unmarshal. [GH-16651]
  • gateway: (Enterprise only) Fix bug where parent refs and service refs for a route in the same namespace as the route would fallback to the default namespace if the namespace was not specified in the configuration rather than falling back to the routes namespace. [GH-16789]
  • gateway: (Enterprise only) Fix bug where routes defined in a different namespace than a gateway would fail to register. [GH-16677].
  • gateways: Adds validation to ensure the API Gateway has a listener defined when created [GH-16649]
  • gateways: Fixes a bug where API gateways using HTTP listeners were taking upwards of 15 seconds to get configured over xDS. [GH-16661]
  • peering: (Consul Enterprise only) Fix issue where connect-enabled services with peer upstreams incorrectly required service:write access in the default namespace to query data, which was too restrictive. Now having service:write to any namespace is sufficient to query the peering data.
  • peering: (Consul Enterprise only) Fix issue where resolvers, routers, and splitters referencing peer targets may not work correctly for non-default partitions and namespaces. Enterprise customers leveraging peering are encouraged to upgrade both servers and agents to avoid this problem.
  • peering: Fix issue resulting in prepared query failover to cluster peers never un-failing over. [GH-16729]
  • peering: Fixes a bug that can lead to peering service deletes impacting the state of local services [GH-16570]
  • peering: Fixes a bug where the importing partition was not added to peered failover targets, which causes issues when the importing partition is a non-default partition. [GH-16675]
  • raft_logstore: Fixes a bug where restoring a snapshot when using the experimental WAL storage backend causes a panic. [GH-16647]
  • ui: fix PUT token request with adding missed AccessorID property to requestBody [GH-16660]
  • ui: fix rendering issues on Overview and empty-states by addressing isHTMLSafe errors [GH-16574]

v1.15.1

1.15.1 (March 7, 2023)

IMPROVEMENTS:

  • cli: added -append-policy-id, -append-policy-name, -append-role-name, and -append-role-id flags to the consul token update command.
    These flags allow updates to a token's policies/roles without having to override them completely. [GH-16288]
  • cli: added -append-service-identity and -append-node-identity flags to the consul token update command.
    These flags allow updates to a token's node identities/service identities without having to override them. [GH-16506]
  • connect: Bump Envoy 1.22.5 to 1.22.7, 1.23.2 to 1.23.4, 1.24.0 to 1.24.2, add 1.25.1, remove 1.21.5 [GH-16274]
  • mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable [GH-16495]
  • ui: support filtering API gateways in the ui and displaying their documentation links [GH-16508]

DEPRECATIONS:

  • cli: Deprecate the -merge-node-identities and -merge-service-identities flags from the consul token update command in favor of: -append-node-identity and -append-service-identity. [GH-16506]
  • cli: Deprecate the -merge-policies and -merge-roles flags from the consul token update command in favor of: -append-policy-id, -append-policy-name, -append-role-name, and -append-role-id. [GH-16288]

BUG FIXES:

  • cli: Fixes an issue with consul connect envoy where a log to STDOUT could malform JSON when used with -bootstrap. [GH-16530]
  • cli: Fixes an issue with consul connect envoy where grpc-disabled agents were not error-handled correctly. [GH-16530]
  • cli: ensure acl token read -self works [GH-16445]
  • cli: fix panic read non-existent acl policy [GH-16485]
  • gateways: fix HTTPRoute bug where service weights could be less than or equal to 0 and result in a downstream envoy protocol error [GH-16512]
  • gateways: fix HTTPRoute bug where services with a weight not divisible by 10000 are never registered properly [GH-16531]
  • mesh: Fix resolution of service resolvers with subsets for external upstreams [GH-16499]
  • proxycfg: ensure that an irrecoverable error in proxycfg closes the xds session and triggers a replacement proxycfg watcher [GH-16497]
  • proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services [GH-16498]
  • ui: Fix issue with lists and filters not rendering properly [GH-16444]

v1.15.0

1.15.0 (February 23, 2023)

ANNOUNCEMENTS:

  • Upcoming in Consul 1.16 we will stop publishing official Dockerhub images and publish only our Verified Publisher images. Users of Docker images should pull from hashicorp/consul instead of consul.

BREAKING CHANGES:

  • acl errors: Delete and get requests now return descriptive errors when the specified resource cannot be found. Other ACL request errors provide more information about when a resource is missing. Add error for when the ACL system has not been bootstrapped.
    • Delete Token/Policy/AuthMethod/Role/BindingRule endpoints now return 404 when the resource cannot be found.
      • New error formats: "Requested * does not exist: ACL not found", "* not found in namespace $NAMESPACE: ACL not found"
    • Read Token/Policy/Role endpoints now return 404 when the resource cannot be found.
      • New error format: "Cannot find * to delete"
    • Logout now returns a 401 error when the supplied token cannot be found
      • New error format: "Supplied token does not exist"
    • Token Self endpoint now returns 404 when the token cannot be found.
      • New error format: "Supplied token does not exist" [GH-16105]
  • acl: remove all acl migration functionality and references to the legacy acl system. [GH-15947]
  • acl: remove all functionality and references for legacy acl policies. [GH-15922]
  • config: Deprecate -join, -join-wan, start_join, and start_join_wan.
    These options are now aliases of -retry-join, -retry-join-wan, retry_join, and retry_join_wan, respectively. [GH-15598]
  • connect: Add peer field to service-defaults upstream overrides. The addition of this field makes it possible to apply upstream overrides only to peer services. Prior to this change, overrides would be applied based on matching the namespace and name fields only, which means users could not have different configuration for local versus peer services. With this change, peer upstreams are only affected if the peer field matches the destination peer name. [GH-15956]
  • connect: Consul will now error and exit when using the consul connect envoy command if the Envoy version is incompatible. To ignore this check use flag --ignore-envoy-compatibility [GH-15818]
  • extensions: Refactor Lambda integration to get configured with the Envoy extensions field on service-defaults configuration entries. [GH-15817]
  • ingress-gateway: upstream cluster will have empty outlier_detection if passive health check is unspecified [GH-15614]
  • xds: Remove the connect.enable_serverless_plugin agent configuration option. Now Lambda integration is enabled by default. [GH-15710]

SECURITY:

FEATURES:

  • API Gateway (Beta) This version adds support for API gateway on VMs. API gateway provides a highly-configurable ingress for requests coming into a Consul network. For more information, refer to the API gateway documentation. [GH-16369]
  • acl: Add new acl.tokens.config_file_registration config field which specifies the token used to register services and checks that are defined in config files. [GH-15828]
  • acl: anonymous token is logged as 'anonymous token' instead of its accessor ID [GH-15884]
  • cli: adds new CLI commands consul troubleshoot upstreams and consul troubleshoot proxy to troubleshoot Consul's service mesh configuration and network issues. [GH-16284]
  • command: Adds the operator usage instances subcommand for displaying total services, connect service instances and billable service instances in the local datacenter or globally. [GH-16205]
  • config-entry(ingress-gateway): support outlier detection (passive health check) for upstream cluster [GH-15614]
  • connect: adds support for Envoy access logging. Access logging can be enabled using the proxy-defaults config entry. [GH-15864]
  • xds: Add a built-in Envoy extension that inserts Lua HTTP filters. [GH-15906]
  • xds: Insert originator service identity into Envoy's dynamic metadata under the consul namespace. [GH-15906]

IMPROVEMENTS:

  • connect: for early awareness of Envoy incompatibilities, when using the consul connect envoy command the Envoy version will now be checked for compatibility. If incompatible Consul will error and exit. [GH-15818]
  • grpc: client agents will switch server on error, and automatically retry on RESOURCE_EXHAUSTED responses [GH-15892]
  • raft: add an operator api endpoint and a command to initiate raft leadership transfer. [GH-14132]
  • acl: Added option to allow for an operator-generated bootstrap token to be passed to the acl bootstrap command. [GH-14437]
  • agent: Give better error when client specifies wrong datacenter when auto-encrypt is enabled. [GH-14832]
  • api: updated the go module directive to 1.18. [GH-15297]
  • ca: support Vault agent auto-auth config for Vault CA provider using AWS/GCP authentication. [GH-15970]
  • cli: always use name "global" for proxy-defaults config entries [GH-14833]
  • cli: connect envoy command errors if grpc ports are not open [GH-15794]
  • client: add support for RemoveEmptyTags in Prepared Queries templates. [GH-14244]
  • connect: Warn if ACLs are enabled but a token is not provided to envoy [GH-15967]
  • container: Upgrade container image to use Alpine 3.17. [GH-16358]
  • dns: support RFC 2782 SRV lookups for prepared queries using format _<query id or name>._tcp.query[.<datacenter>].<domain>. [GH-14465]
  • ingress-gateways: Don't log error when gateway is registered without a config entry [GH-15001]
  • licensing: (Enterprise Only) Consul Enterprise non-terminating production licenses do not degrade or terminate Consul upon expiration. They will only fail when trying to upgrade to a newer version of Consul. Evaluation licenses still terminate.
  • raft: Added experimental wal backend for log storage. [GH-16176]
  • sdk: updated the go module directive to 1.18. [GH-15297]
  • telemetry: Added a consul.xds.server.streamsUnauthenticated metric to track the number of active xDS streams handled by the server that are unauthenticated because ACLs are not enabled or ACL tokens were missing. [GH-15967]
  • ui: Update sidebar width to 280px [GH-16204]
  • ui: update Ember version to 3.27; [GH-16227]

DEPRECATIONS:

  • acl: Deprecate the token query parameter and warn when it is used for authentication. [GH-16009]
  • cli: The -id flag on acl token operations has been changed to -accessor-id for clarity in documentation. The -id flag will continue to work, but operators should use -accessor-id in the future. [GH-16044]

BUG FIXES:

  • agent configuration: Fix issue of using unix socket when https is used. [GH-16301]
  • cache: refactor agent cache fetching to prevent unnecessary fetches on error [GH-14956]
  • cli: fatal error if config file does not have HCL or JSON extension, instead of warn and skip [GH-15107]
  • cli: fix ACL token processing unexpected precedence [GH-15274]
  • peering: Fix bug where services were incorrectly imported as connect-enabled. [GH-16339]
  • peering: Fix issue where mesh gateways would use the wrong address when contacting a remote peer with the same datacenter name. [GH-16257]
  • peering: Fix issue where secondary wan-federated datacenters could not be used as peering acceptors. [GH-16230]

v1.14.0

1.14.0 (November 15, 2022)

BREAKING CHANGES:

  • config: Add new ports.grpc_tls configuration option.
    Introduce a new port to better separate TLS config from the existing ports.grpc config.
    The new ports.grpc_tls only supports TLS encrypted communication.
    The existing ports.grpc now only supports plain-text communication. [GH-15339]
  • config: update 1.14 config defaults: Enable peering and connect by default. [GH-15302]
  • config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 [GH-15302]
  • connect: Removes support for Envoy 1.20 [GH-15093]
  • peering: Rename PeerName to Peer on prepared queries and exported services. [GH-14854]
  • xds: Convert service mesh failover to use Envoy's aggregate clusters. This changes the names of some Envoy dynamic HTTP metrics. [GH-14178]

SECURITY:

  • Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints CVE-2022-3920 [GH-15356]

FEATURES:

  • DNS-proxy support via gRPC request. [GH-14811]
  • cli: Add -node-name flag to redirect-traffic command to support running in environments without client agents. [GH-14933]
  • cli: Add -consul-dns-port flag to the consul connect redirect-traffic command to allow forwarding DNS traffic to a specific Consul DNS port. [GH-15050]
  • connect: Add Envoy connection balancing configuration fields. [GH-14616]
  • grpc: Added metrics for external gRPC server. Added server_type=internal|external label to gRPC metrics. [GH-14922]
  • http: Add new get-or-empty operation to the txn api. Refer to the API docs for more information. [GH-14474]
  • peering: Add mesh gateway local mode support for cluster peering. [GH-14817]
  • peering: Add support for stale queries for trust bundle lookups [GH-14724]
  • peering: Add support to failover to services running on cluster peers. [GH-14396]
  • peering: Add support to redirect to services running on cluster peers with service resolvers. [GH-14445]
  • peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down. [GH-14797]
  • peering: add support for routine peering control-plane traffic through mesh gateways [GH-14981]
  • sdk: Configure iptables to forward DNS traffic to a specific DNS port. [GH-15050]
  • telemetry: emit memberlist size metrics and broadcast queue depth metric. [GH-14873]
  • ui: Added support for central config merging [GH-14604]
  • ui: Create peerings detail page [GH-14947]
  • ui: Detect a TokenSecretID cookie and passthrough to localStorage [GH-14495]
  • ui: Display notice banner on nodes index page if synthetic nodes are being filtered. [GH-14971]
  • ui: Filter agentless (synthetic) nodes from the nodes list page. [GH-14970]
  • ui: Filter out node health checks on agentless service instances [GH-14986]
  • ui: Remove node meta on service instances when using agentless and consolidate external-source labels on service instances page if they all match. [GH-14921]
  • ui: Removed reference to node name on service instance page when using agentless [GH-14903]
  • ui: Use withCredentials for all HTTP API requests [GH-14343]
  • xds: servers will limit the number of concurrent xDS streams they can handle to balance the load across all servers [GH-14397]

IMPROVEMENTS:

  • peering: Add peering datacenter and partition to initial handshake. [GH-14889]
  • xds: Added a rate limiter to the delivery of proxy config updates, to prevent updates to "global" resources such as wildcard intentions from overwhelming servers (see: xds.update_max_per_second config field) [GH-14960]
  • xds: Removed a bottleneck in Envoy config generation, enabling a higher number of dataplanes per server [GH-14934]
  • agent/hcp: add initial HashiCorp Cloud Platform integration [GH-14723]
  • agent: Added configuration option cloud.scada_address. [GH-14936]
  • api: Add filtering support to Catalog's List Services (v1/catalog/services) [GH-11742]
  • api: Increase max number of operations inside a transaction for requests to /v1/txn (128) [GH-14599]
  • auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. [GH-15370]
  • config-entry: Validate that service-resolver Failovers and Redirects only
    specify Partition and Namespace on Consul Enterprise. This prevents scenarios
    where OSS Consul would save service-resolvers that require Consul Enterprise. [GH-14162]
  • connect: Add Envoy 1.24.0 to support matrix [GH-15093]
  • connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 [GH-14831]
  • connect: service-router destinations have gained a RetryOn field for specifying the conditions when Envoy should retry requests beyond specific status codes and generic connection failure which already exists. [GH-12890]
  • dns/peering: (Enterprise Only) Support addresses in the formats <servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul and <servicename>.virtual.<partition>.ap.<peername>.peer.consul. This longer form address that allows specifying .peer would need to be used for tproxy DNS requests made within non-default partitions for imported services.
  • dns: (Enterprise Only) All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: [<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>. [GH-14679]
  • integ test: fix flakiness due to test condition from retry app endpoint [GH-15233]
  • metrics: Service RPC calls less than 1ms are now emitted as a decimal number. [GH-12905]
  • peering: adds an internally managed server certificate for automatic TLS between servers in peer clusters. [GH-14556]
  • peering: require TLS for peering connections using server cert signed by Connect CA [GH-14796]
  • peering: return information about the health of the peering when the leader is queried to read a peering. [GH-14747]
  • raft: Allow nonVoter to initiate an election to avoid having an election infinite loop when a Voter is converted to NonVoter [GH-14897]
  • raft: Cap maximum grpc wait time when heartbeating to heartbeatTimeout/2 [GH-14897]
  • raft: Fix a race condition where the snapshot file is closed without being opened [GH-14897]
  • telemetry: Added a consul.xds.server.streamStart metric to measure time taken to first generate xDS resources for an xDS stream. [GH-14957]
  • ui: Improve guidance around topology visualisation [GH-14527]
  • xds: Set max_ejection_percent on Envoy's outlier detection to 100% for peered services. [GH-14373]

BUG FIXES:

  • checks: Do not set interval as timeout value [GH-14619]
  • checks: If set, use proxy address for automatically added sidecar check instead of service address. [GH-14433]
  • cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set together [GH-13493]
  • connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries. [GH-15186]
  • connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. [GH-15083]
  • connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. [GH-15320]
  • debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters [GH-15155]
  • deps: update go-memdb, fixing goroutine leak [GH-15010] [GH-15068]
  • grpc: Merge proxy-defaults and service-defaults in GetEnvoyBootstrapParams response. [GH-14869]
  • metrics: Add duplicate metrics that have only a single "consul_" prefix for all existing metrics with double ("consul_consul_") prefix, with the intent to standardize on single prefixes. [GH-14475]
  • namespace: (Enterprise Only) Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter
  • peering: Fix a bug that resulted in /v1/agent/metrics returning an error. [GH-15178]
  • peering: fix nil pointer in calling handleUpdateService [GH-15160]
  • peering: fix an error where the wan address isn't taken by the peering token. [GH-15065]
  • peering: when wan address is set, peering stream should use the wan address. [GH-15108]
  • proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters. [GH-15272]
  • server: fix goroutine/memory leaks in the xDS subsystem (these were present regardless of whether or not xDS was in-use) [GH-14916]
  • server: fixes the error trying to source proxy configuration for http checks, in case of proxies using consul-dataplane. [GH-14924]
  • xds: Central service configuration (proxy-defaults and service-defaults) is now correctly applied to Consul Dataplane proxies [GH-14962]

NOTES:

  • deps: Upgrade to use Go 1.19.2 [GH-15090]

v1.13.1

Compare Source

1.13.1 (August 12, 2022)

BUG FIXES:

  • agent: Fixed a compatibility issue when restoring snapshots from pre-1.13.0 versions of Consul [GH-14107] [GH-14149]
  • connect: Fixed some spurious issues during peering establishment when a follower is dialed [[G

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from 2017497 to fa42180 Compare October 18, 2021 19:44
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.8.1 Update module github.com/hashicorp/consul/api to v1.11.0 Oct 18, 2021

renovate bot commented Oct 18, 2021

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: github.com/micro/go-config@v1.1.1-0.20190603113547-03fb75f2f1e4 requires
	gocloud.dev@v0.12.0 requires
	contrib.go.opencensus.io/exporter/ocagent@v0.4.2 requires
	github.com/census-instrumentation/opencensus-proto@v0.1.0-0.20181214143942-ba49f56771b8: invalid pseudo-version: version before v0.1.0 would have negative patch number

@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from fa42180 to e6f60a4 Compare March 7, 2022 11:26
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.11.0 Update module github.com/hashicorp/consul/api to v1.12.0 Mar 7, 2022
@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from e6f60a4 to f9b7944 Compare June 18, 2022 17:10
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.12.0 Update module github.com/hashicorp/consul/api to v1.13.0 Jun 18, 2022
@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from f9b7944 to 7c5429b Compare September 25, 2022 13:42
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.13.0 Update module github.com/hashicorp/consul/api to v1.15.2 Sep 25, 2022
@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from 7c5429b to c93a9cf Compare March 24, 2023 23:00
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.15.2 Update module github.com/hashicorp/consul/api to v1.20.0 Mar 24, 2023
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.20.0 Update module github.com/hashicorp/consul/api to v1.20.0 - autoclosed Apr 4, 2023
@renovate renovate bot closed this Apr 4, 2023
@renovate renovate bot deleted the renovate/github.com-hashicorp-consul-api-1.x branch April 4, 2023 01:28
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.20.0 - autoclosed Update module github.com/hashicorp/consul/api to v1.20.0 Apr 4, 2023
@renovate renovate bot reopened this Apr 4, 2023
@renovate renovate bot restored the renovate/github.com-hashicorp-consul-api-1.x branch April 4, 2023 08:11
@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from c93a9cf to 36e1e0a Compare June 1, 2023 20:19
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.20.0 Update module github.com/hashicorp/consul/api to v1.21.0 Jun 1, 2023
@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from 36e1e0a to b1a5cbe Compare June 26, 2023 20:06
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.21.0 Update module github.com/hashicorp/consul/api to v1.22.0 Jun 26, 2023
@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from b1a5cbe to ccb10f2 Compare July 20, 2023 16:55
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.22.0 Update module github.com/hashicorp/consul/api to v1.23.0 Jul 20, 2023
@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from ccb10f2 to 46fde00 Compare August 4, 2023 21:30
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.23.0 Update module github.com/hashicorp/consul/api to v1.24.0 Aug 4, 2023
@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from 46fde00 to d9d19be Compare September 18, 2023 22:36
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.24.0 Update module github.com/hashicorp/consul/api to v1.25.0 Sep 18, 2023
@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from d9d19be to abfd80d Compare September 19, 2023 20:07
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.25.0 Update module github.com/hashicorp/consul/api to v1.25.1 Sep 19, 2023
@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from abfd80d to dfb5cf7 Compare October 31, 2023 17:21
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.25.1 Update module github.com/hashicorp/consul/api to v1.26.1 Oct 31, 2023
@renovate renovate bot force-pushed the renovate/github.com-hashicorp-consul-api-1.x branch from dfb5cf7 to f852110 Compare January 18, 2024 22:06
@renovate renovate bot changed the title Update module github.com/hashicorp/consul/api to v1.26.1 Update module github.com/hashicorp/consul/api to v1.27.0 Jan 18, 2024