Upgrade OpenShift container images to use ubi9-minimal:9.3 as the base image. [GH-20014]
IMPROVEMENTS:
connect: Remove usage of deprecated Envoy field match_subject_alt_names in favor of match_typed_subject_alt_names. [GH-19954]
connect: replace usage of deprecated Envoy field envoy.config.router.v3.WeightedCluster.total_weight. [GH-20011]
xds: Replace usage of deprecated Envoy field envoy.config.cluster.v3.Cluster.http_protocol_options [GH-20010]
xds: remove usages of deprecated Envoy fields: envoy.config.cluster.v3.Cluster.http2_protocol_options, envoy.config.bootstrap.v3.Admin.access_log_path [GH-19940]
xds: replace usage of deprecated Envoy field envoy.extensions.filters.http.lua.v3.Lua.inline_code [GH-20012]
DEPRECATIONS:
cli: Deprecate the -admin-access-log-path flag from consul connect envoy command in favor of: -admin-access-log-config. [GH-19943]
BUG FIXES:
prepared-query: (Enterprise-only) Fix issue where sameness-group failover targets to peers would attempt to query data from the default partition, rather than the sameness-group's partition always.
ui: update token list on Role details page to show only linked tokens [GH-19912]
Upgrade to use Go 1.20.12. This resolves CVEs
CVE-2023-45283: (path/filepath) recognize ??\ as a Root Local Device path prefix (Windows)
CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows)
CVE-2023-39326: (net/http) limit chunked data overhead
CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-19840]
connect: update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address CVE-2023-44487 [GH-19274]
Upgrade to use Go 1.20.12. This resolves CVEs
CVE-2023-45283: (path/filepath) recognize ??\ as a Root Local Device path prefix (Windows)
CVE-2023-45284: recognize device names with trailing spaces and superscripts (Windows)
CVE-2023-39326: (net/http) limit chunked data overhead
CVE-2023-45285: (cmd/go) go get may unexpectedly fallback to insecure git [GH-19840]
connect: update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address CVE-2023-44487 [GH-19274]
api: Add support for listing ACL tokens by service name when using templated policies. [GH-19666]
cli: stop simultaneous usage of -templated-policy and -templated-policy-file when creating a role or token. [GH-19389]
cloud: push additional server TLS metadata to HCP [GH-19682]
connect: Default stats_flush_interval to 60 seconds when using the Consul Telemetry Collector, unless custom stats sink are present or an explicit flush interval is configured. [GH-19663]
metrics: increment consul.client.rpc.failed if RPC fails because no servers are accessible [GH-19721]
metrics: modify consul.client.rpc metric to exclude internal retries for consistency with consul.client.rpc.exceeded and consul.client.rpc.failed [GH-19721]
ui: move nspace and partitions requests into their selector menus [GH-19594]
BUG FIXES:
CLI: fix a panic when deleting a non existing policy by name. [GH-19679]
Mesh Gateways: Fix a bug where replicated and peered mesh gateways with hostname-based WAN addresses fail to initialize. [GH-19268]
ca: Fix bug with Vault CA provider where renewing a retracted token would cause retries in a tight loop, degrading performance. [GH-19285]
ca: Fix bug with Vault CA provider where token renewal goroutines could leak if CA failed to initialize. [GH-19285]
connect: Solves an issue where two upstream services with the same name in different namespaces were not getting routed to correctly by API Gateways. [GH-19860]
federation: (Enterprise Only) Fixed an issue where namespace reconciliation could result into the secondary having dangling instances of namespaces marked for deletion
ui: fix being able to view peered services from non-default namnespaces [GH-19586]
ui: stop manually reconciling services if peering is enabled [GH-19907]
wan-federation: Fix a bug where servers wan-federated through mesh-gateways could crash due to overlapping LAN IP addresses. [GH-19503]
xds: Add configurable xds_fetch_timeout_ms option to proxy registrations that allows users to prevent endpoints from dropping when they have proxies with a large number of upstreams. [GH-19871]
xds: ensure child resources are re-sent to Envoy when the parent is updated even if the child already has pending updates. [GH-19866]
1.17.0 (October 31, 2023)
BREAKING CHANGES:
... (truncated)
Commits
7736539 Update troubleshoot module in main go.mod for new version (#20295)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/hashicorp/consul from 1.14.3 to 1.17.2.
Release notes
Sourced from github.com/hashicorp/consul's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/consul's changelog.
... (truncated)
Commits
7736539
Update troubleshoot module in main go.mod for new version (#20295)e625a16
Backport/troubleshoot ports (#20288)814c007
update version (#20255)0e7c7e2
Backport of check error in TestDNSCycleRecursorCheckAllFail before asserting ...ecb6ed0
Backport of ci: Use Consul Go version for Vault int tests into release/1.17.x...39d60cd
Backport of NET-7025 - ci: test-integrations failures in compatibility tests....cd8f8bf
Backport of Add docs for k8s liveness / startup probes. into release/1.17.x (...5d350c6
Backport of agent: remove data race in agent config into release/1.17.x (#20203)05043bc
Backport of docs: fix partition target in samenessgroups into release/1.17.x ...0d97ec5
Backport of Various race condition and test fixes. into release/1.17.x (#20216)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show