Backport of Vault CA provider clean up previous default issuers into release/1.14.x

.changelog/13782.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+deps: update to latest go-discover to provide ECS auto-discover capabilities.
+```

.changelog/14340.txt

@@ -0,0 +1,4 @@
+```release-note:feature
+connect: Add local_idle_timeout_ms to allow configuring the Envoy route idle timeout on local_app
+connect: Add IdleTimeout to service-router to allow configuring the Envoy route idle timeout
+```

.changelog/14679.txt

@@ -1,3 +1,3 @@
-```release-note:improvement
-dns: **(Enterprise Only)** All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: <tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>`. 
-```
+```release-note:improvement
+dns: **(Enterprise Only)** All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: `[<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>`.
+```

.changelog/15050.txt

@@ -0,0 +1,6 @@
+```release-note:feature
+cli: Add `-consul-dns-port` flag to the `consul connect redirect-traffic` command to allow forwarding DNS traffic to a specific Consul DNS port.
+```
+```release-note:feature
+sdk: Configure `iptables` to forward DNS traffic to a specific DNS port.
+```

.changelog/15083.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy.
+```

.changelog/15090.txt

@@ -0,0 +1,3 @@
+```release-note:note
+deps: Upgrade to use Go 1.19.2
+```

.changelog/15093.txt

@@ -0,0 +1,6 @@
+```release-note: improvement
+connect: Add Envoy 1.24.0 to support matrix
+```
+```release-note: breaking-change
+connect: Removes support for Envoy 1.20
+```

.changelog/15108.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: when wan address is set, peering stream should use the wan address.
+```

.changelog/15155.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters
+```

.changelog/15160.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: fix nil pointer in calling handleUpdateService
+```

.changelog/15178.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix a bug that resulted in /v1/agent/metrics returning an error.
+```

.changelog/15186.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries.
+```

.changelog/15233.txt

@@ -0,0 +1,3 @@
+```release-note: improvement
+integ test: fix flakiness due to test condition from retry app endoint
+```

.changelog/15253.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs [[GH-15217](https://github.com/hashicorp/consul/issues/15217)]
+```

.changelog/15272.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters.
+```

.changelog/15302.txt

@@ -0,0 +1,7 @@
+```release-note:breaking-change
+config: update 1.14 config defaults: Enable `peering` and `connect` by default.
+```
+
+```release-note:breaking-change
+config: update 1.14 config defaults: Set gRPC TLS port default value to 8503
+```

.changelog/15317.txt

@@ -0,0 +1,3 @@
+```release-note:improvements
+acl: Allow reading imported services and nodes from cluster peers with read all permissions
+```

.changelog/15320.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider.
+```

.changelog/14294.txt → .changelog/15339.txt

@@ -2,5 +2,5 @@
 config: Add new `ports.grpc_tls` configuration option.
 Introduce a new port to better separate TLS config from the existing `ports.grpc` config.
 The new `ports.grpc_tls` only supports TLS encrypted communication.
-The existing `ports.grpc` currently supports both plain-text and tls communication, but tls support will be removed in a future release.
+The existing `ports.grpc` now only supports plain-text communication.
 ```

.changelog/15346.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+acl: relax permissions on the `WatchServers`, `WatchRoots` and `GetSupportedDataplaneFeatures` gRPC endpoints to accept *any* valid ACL token
+```

.changelog/15356.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints [CVE-2022-3920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3920)
+```

.changelog/15370.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names.
+```

.changelog/15423.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+sdk: Fix SDK testutil backwards compatibility by only configuring grpc_tls port for new Consul versions.
+```

.changelog/15466.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli: Fix issue where `consul connect envoy` incorrectly uses the HTTPS API configuration for xDS connections.
+```

.changelog/15503.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: fix the limit of replication gRPC message; set to 8MB
+```

.changelog/15525.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty
+```

.changelog/15541.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Fixed issue where blocking queries with short waits could timeout on the client
+```

.changelog/15555.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+ui: Add field for fallback server addresses to peer token generation form 
+```

.changelog/15596.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+dns: Add support for cluster peering `.service` and `.node` DNS queries.
+```

.changelog/15610.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+acl: avoid debug log spam in secondary datacenter servers due to management token not being initialized.
+```

.changelog/15615.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: better represent non-passing states during peer check flattening
+```

.changelog/15659.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Add support for ConsulResolver to specifies a filter expression
+```

.changelog/15661.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs
+```

.changelog/15669.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: ensure all vault connect CA tests use limited privilege tokens
+```

.changelog/15690.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix peering failovers ignoring local mesh gateway configuration.
+```

.changelog/15697.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+peering: Newly created peering connections must use only lowercase characters in the `name` field. Existing peerings with uppercase characters will not be modified, but they may encounter issues in various circumstances. To maintain forward compatibility and avoid issues, it is recommended to destroy and re-create any invalid peering connections so that they do not have a name containing uppercase characters.
+```

.changelog/15701.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers.
+```

.changelog/15705.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade to use Go 1.19.4. This resolves a vulnerability where restricted files can be read on Windows. [CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720)
+```

.changelog/15737.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrades `golang.org/x/net` to prevent a denial of service by excessive memory usage caused by HTTP2 requests. [CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717)
+```
+

.changelog/15760.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where DialedDirectly configuration was not used by Consul Dataplane.
+```

.changelog/15769.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Fix assignment of error when auto-reloading cert and key file changes.
+```

.changelog/15789.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: fix bug where sessions for locally-managed services could fail with "this server has too many xDS streams open"
+```

.changelog/15833.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where service-resolver protocol checks incorrectly errored for failover peer targets.
+```

.changelog/15865.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where watches on upstream failover peer targets did not always query the correct data.
+```

.changelog/15866.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Fix issue where the agent cache would incorrectly mark protobuf objects as updated.
+```

.changelog/15913.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli: Fix issue where `consul connect envoy` was unable to configure TLS over unix-sockets to gRPC.
+```

.changelog/15979.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+envoy: add `MaxEjectionPercent` and `BaseEjectionTime` to passive health check configs.
+```

.changelog/15988.txt

@@ -0,0 +1,3 @@
+```release-note:improvements
+cli: Added a flag, `-enable-config-gen-logging`, to the `connect envoy` command to display log messages when generating the bootstrap config.
+```

.changelog/16000.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+connect: Fix configuration merging for transparent proxy upstreams. Proxy-defaults and service-defaults config entries were not correctly merged for implicit upstreams in transparent proxy mode and would result in some configuration not being applied. To avoid issues when upgrading, ensure that any proxy-defaults or service-defaults have correct configuration for upstreams, since all fields will now be properly used to configure proxies.
+```

.changelog/16015.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+connect: add flags `envoy-ready-bind-port` and `envoy-ready-bind-address` to the `consul connect envoy` command that allows configuration of readiness probe on proxy for any service kind.
+```

.changelog/16024.txt

@@ -0,0 +1,4 @@
+```release-note:improvement
+partitiion: **(Consul Enterprise only)** when loading service from on-disk config file or sending API request to agent endpoint,
+if the partition is unspecified, consul will default the partition in the request to agent's partition
+```

.changelog/16230.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue where secondary wan-federated datacenters could not be used as peering acceptors.
+```

.changelog/16257.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue where mesh gateways would use the wrong address when contacting a remote peer with the same datacenter name.
+```

.changelog/16263.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrade to use Go 1.20.1. 
+This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
+```

.changelog/16339.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix bug where services were incorrectly imported as connect-enabled.
+```

.changelog/16358.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+container: Upgrade container image to use to Alpine 3.17.
+```

.changelog/16495.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable
+```

.changelog/16497.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+proxycfg: ensure that an irrecoverable error in proxycfg closes the xds session and triggers a replacement proxycfg watcher
+```

.changelog/16498.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services
+```

.changelog/16499.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+mesh: Fix resolution of service resolvers with subsets for external upstreams
+```

.changelog/16552.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+raft: Remove expensive reflection from raft/mesh hot path
+```

.changelog/16570.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fixes a bug that can lead to peering service deletes impacting the state of local services
+```

.changelog/16592.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ca: Fixes a bug where updating Vault CA Provider config would cause TLS issues in the service mesh
+```

.changelog/16660.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fix PUT token request with adding missed AccessorID property to requestBody
+```

.changelog/16693.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fixes a bug where the importing partition was not added to peered failover targets, which causes issues when the importing partition is a non-default partition.
+```

.changelog/16700.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+audit-logging: (Enterprise only) Fix a bug where `/agent/monitor` and `/agent/metrics` endpoints return a `Streaming not supported` error when audit logs are enabled. This also fixes the delay receiving logs when running `consul monitor` against an agent with audit logs enabled.
+```

.changelog/16729.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue resulting in prepared query failover to cluster peers never un-failing over.
+```

.changelog/16776.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+peering: allow re-establishing terminated peering from new token without deleting existing peering first.
+```

.changelog/16845.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+systemd: set service type to notify.
+```

.changelog/16888.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: update supported envoy versions to 1.21.6, 1.22.11, 1.23.8, 1.24.6
+```

.changelog/16916.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+hcp: Add support for linking existing Consul clusters to HCP management plane.
+```

.changelog/17048.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Fix an bug where decoding some Config structs with unset pointer fields could fail with `reflect: call of reflect.Value.Type on zero Value`. 
+```

.changelog/17160.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Fix a bug that wrongly trims domains when there is an overlap with DC name.
+```

.changelog/17185.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Fix possible panic that can when generating clusters before the root certificates have been fetched.
+```

.changelog/17235.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue where peer streams could incorrectly deregister services in various scenarios.
+```

.changelog/17236.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+logging: change snapshot log header from `agent.server.snapshot` to `agent.server.raft.snapshot`
+```

.changelog/17240.txt

@@ -0,0 +1,12 @@
+```release-note:security
+Upgrade to use Go 1.20.4.
+This resolves vulnerabilities [CVE-2023-24537](https://github.com/advisories/GHSA-9f7g-gqwh-jpf5)(`go/scanner`),
+[CVE-2023-24538](https://github.com/advisories/GHSA-v4m2-x4rp-hv22)(`html/template`),
+[CVE-2023-24534](https://github.com/advisories/GHSA-8v5j-pwr7-w5f8)(`net/textproto`) and
+[CVE-2023-24536](https://github.com/advisories/GHSA-9f7g-gqwh-jpf5)(`mime/multipart`).
+Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs [CVE-2022-41721
+](https://github.com/advisories/GHSA-fxg5-wq6x-vr4w
+), [CVE-2022-27664](https://github.com/advisories/GHSA-69cg-p879-7622) and [CVE-2022-41723
+](https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
+.)
+```

.changelog/17241.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix multiple inefficient behaviors when querying service health.
+```

.changelog/17270.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+grpc: ensure grpc resolver correctly uses lan/wan addresses on servers
+```

.changelog/17317.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration.
+```

.changelog/17426.txt

@@ -0,0 +1,5 @@
+```release-note:improvement
+ peering: gRPC queries for TrustBundleList, TrustBundleRead, PeeringList, and PeeringRead now support blocking semantics,
+ reducing network and CPU demand.
+ The HTTP APIs for Peering List and Read have been updated to support blocking.
+ ```

.changelog/17456.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue where modifying the list of exported services did not correctly replicate changes for services that exist in a non-default namespace.
+```

.changelog/17483.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership.
+```

.changelog/17513.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update to UBI base image to 9.2. 
+```

.changelog/17541.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: reverts #17317 fix that caused a downstream error for Ingress/Mesh/Terminating GWs when their respective config entry does not already exist.
+```

.changelog/17547.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: update supported envoy versions to 1.21.6, 1.22.11, 1.23.9, 1.24.7
+```