Backport of Vault CA provider clean up previous default issuers into release/1.15.x

.changelog/15979.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+envoy: add `MaxEjectionPercent` and `BaseEjectionTime` to passive health check configs.
+```

.changelog/16257.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue where mesh gateways would use the wrong address when contacting a remote peer with the same datacenter name.
+```

.changelog/16263.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrade to use Go 1.20.1. 
+This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
+```

.changelog/16274.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Bump Envoy 1.22.5 to 1.22.7, 1.23.2 to 1.23.4, 1.24.0 to 1.24.2, add 1.25.1, remove 1.21.5
+```

.changelog/16284.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+cli: adds new CLI commands `consul troubleshoot upstreams` and `consul troubleshoot proxy` to troubleshoot Consul's service mesh configuration and network issues.
+```

.changelog/16288.txt

@@ -0,0 +1,8 @@
+```release-note:deprecation
+cli: Deprecate the `-merge-policies` and `-merge-roles` flags from the `consul token update` command in favor of: `-append-policy-id`, `-append-policy-name`, `-append-role-name`, and `-append-role-id`.
+```
+
+```release-note:improvement
+cli: added `-append-policy-id`, `-append-policy-name`, `-append-role-name`, and `-append-role-id` flags to the `consul token update` command.
+These flags allow updates to a token's policies/roles without having to override them completely.  
+```

.changelog/16301.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent configuration: Fix issue of using unix socket when https is used.
+```

.changelog/16339.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix bug where services were incorrectly imported as connect-enabled.
+```

.changelog/16358.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+container: Upgrade container image to use to Alpine 3.17.
+```

.changelog/16369.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+**API Gateway (Beta)** This version adds support for API gateway on VMs. API gateway provides a highly-configurable ingress for requests coming into a Consul network. For more information, refer to the [API gateway](https://developer.hashicorp.com/consul/docs/connect/gateways/api-gateway) documentation.
+```

.changelog/16444.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fix issue with lists and filters not rendering properly
+```

.changelog/16445.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli: ensure acl token read -self works
+```

.changelog/16485.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli: fix panic read non-existent acl policy
+```

.changelog/16495.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable
+```

.changelog/16497.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+proxycfg: ensure that an irrecoverable error in proxycfg closes the xds session and triggers a replacement proxycfg watcher
+```

.changelog/16498.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services
+```

.changelog/16499.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+mesh: Fix resolution of service resolvers with subsets for external upstreams
+```

.changelog/16506.txt

@@ -0,0 +1,8 @@
+```release-note:deprecation
+cli: Deprecate the `-merge-node-identites` and `-merge-service-identities` flags from the `consul token update` command in favor of: `-append-node-identity` and `-append-service-identity`.
+```
+
+```release-note:improvement
+cli: added `-append-service-identity` and `-append-node-identity` flags to the `consul token update` command.
+These flags allow updates to a token's node identities/service identities without having to override them.  
+```

.changelog/16508.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: support filtering API gateways in the ui and displaying their documentation links
+```

.changelog/16512.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+gateways: fix HTTPRoute bug where service weights could be less than or equal to 0 and result in a downstream envoy protocol error
+```

.changelog/16530.txt

@@ -0,0 +1,7 @@
+```release-note:bug
+cli: Fixes an issue with `consul connect envoy` where a log to STDOUT could malform JSON when used with `-bootstrap`.
+```
+
+```release-note:bug
+cli: Fixes an issue with `consul connect envoy` where grpc-disabled agents were not error-handled correctly.
+```

.changelog/16531.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+gateways: fix HTTPRoute bug where services with a weight not divisible by 10000 are never registered properly
+```

.changelog/16552.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+raft: Remove expensive reflection from raft/mesh hot path
+```

.changelog/16570.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fixes a bug that can lead to peering service deletes impacting the state of local services
+```

.changelog/16574.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fix rendering issues on Overview and empty-states by addressing isHTMLSafe errors
+```

.changelog/16585.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+xds: Allow for configuring connect proxies to send service mesh telemetry to an HCP metrics collection service.
+```

.changelog/16592.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ca: Fixes a bug where updating Vault CA Provider config would cause TLS issues in the service mesh
+```

.changelog/16647.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+raft_logstore: Fixes a bug where restoring a snapshot when using the experimental WAL storage backend causes a panic.
+```

.changelog/16649.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+gateways: Adds validation to ensure the API Gateway has a listener defined when created
+```

.changelog/16651.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+gateway: **(Enterprise only)** Fix bug where namespace/partition would fail to unmarshal.
+```

.changelog/16660.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fix PUT token request with adding missed AccessorID property to requestBody
+```

.changelog/16661.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+gateways: Fixes a bug API gateways using HTTP listeners were taking upwards of 15 seconds to get configured over xDS.
+```

.changelog/16675.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fixes a bug where the importing partition was not added to peered failover targets, which causes issues when the importing partition is a non-default partition.
+```

.changelog/16700.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+audit-logging: (Enterprise only) Fix a bug where `/agent/monitor` and `/agent/metrics` endpoints return a `Streaming not supported` error when audit logs are enabled. This also fixes the delay receiving logs when running `consul monitor` against an agent with audit logs enabled.
+```

.changelog/16729.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue resulting in prepared query failover to cluster peers never un-failing over.
+```

.changelog/16754.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade golang.org/x/net to address [CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723)
+```

.changelog/16776.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+peering: allow re-establishing terminated peering from new token without deleting existing peering first.
+```

.changelog/16781.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+gateway: **(Enterprise only)** Fix bug where namespace/partition would fail to unmarshal for TCPServices.
+```

.changelog/16789.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+gateway: **(Enterprise only)** Fix bug where parent refs and service refs for a route in the same namespace as the route would fallback to the default namespace if the namespace was not specified in the configuration rather than falling back to the routes namespace.
+```

.changelog/16818.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cache: revert cache refactor which could cause blocking queries to never return
+```

.changelog/16845.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+systemd: set service type to notify.
+```

.changelog/16889.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: update supported envoy versions to 1.22.11, 1.23.8, 1.24.6, 1.25.4
+```

.changelog/16916.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+hcp: Add support for linking existing Consul clusters to HCP management plane.
+```

.changelog/17038.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+agent: add new metrics to track cpu disk and memory usage for server hosts (defaults to: enabled)
+```

.changelog/17048.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Fix an bug where decoding some Config structs with unset pointer fields could fail with `reflect: call of reflect.Value.Type on zero Value`. 
+```

.changelog/17055.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+gateways: Fix an bug where targeting a virtual service defined by a service-resolver was broken for HTTPRoutes.
+```

.changelog/17081.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+Fixes a performance issue in Raft where commit latency can increase by 100x or more when under heavy load. For more details see https://github.com/hashicorp/raft/pull/541.
+```

.changelog/17115.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+gateway: Change status condition reason for invalid certificate on a listener from "Accepted" to "ResolvedRefs".
+```

.changelog/17160.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Fix a bug that wrongly trims domains when there is an overlap with DC name.
+```

.changelog/17171.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+agent: add a configurable maximimum age (default: 7 days) to prevent servers re-joining a cluster with stale data 
+```

.changelog/17179.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: ensure that merged central configs of peered upstreams for partitioned downstreams work
+```

.changelog/17185.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Fix possible panic that can when generating clusters before the root certificates have been fetched.
+```

.changelog/17231.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+acl: Fix an issue where the anonymous token was synthesized in non-primary datacenters which could cause permission errors when federating clusters with ACL replication enabled.
+```

.changelog/17235.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue where peer streams could incorrectly deregister services in various scenarios.
+```

.changelog/17236.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+logging: change snapshot log header from `agent.server.snapshot` to `agent.server.raft.snapshot`
+```

.changelog/17240.txt

@@ -0,0 +1,12 @@
+```release-note:security
+Upgrade to use Go 1.20.4.
+This resolves vulnerabilities [CVE-2023-24537](https://github.com/advisories/GHSA-9f7g-gqwh-jpf5)(`go/scanner`),
+[CVE-2023-24538](https://github.com/advisories/GHSA-v4m2-x4rp-hv22)(`html/template`),
+[CVE-2023-24534](https://github.com/advisories/GHSA-8v5j-pwr7-w5f8)(`net/textproto`) and
+[CVE-2023-24536](https://github.com/advisories/GHSA-9f7g-gqwh-jpf5)(`mime/multipart`).
+Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs [CVE-2022-41721
+](https://github.com/advisories/GHSA-fxg5-wq6x-vr4w
+), [CVE-2022-27664](https://github.com/advisories/GHSA-69cg-p879-7622) and [CVE-2022-41723
+](https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
+.)
+```

.changelog/17241.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix multiple inefficient behaviors when querying service health.
+```

.changelog/17270.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+grpc: ensure grpc resolver correctly uses lan/wan addresses on servers
+```

.changelog/17327.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ xds: rename envoy_hcp_metrics_bind_socket_dir to envoy_telemetry_collector_bind_socket_dir to remove HCP naming references.
+ ```

.changelog/17415.txt

@@ -0,0 +1,7 @@
+```release-note:security
+extensions: Disable remote downstream proxy patching by Envoy Extensions other than AWS Lambda. Previously, an operator with service:write ACL permissions for an upstream service could modify Envoy proxy config for downstream services without equivalent permissions for those services. This issue only impacts the Lua extension. [[CVE-2023-2816](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2816)]
+```
+
+```release-note:breaking-change
+extensions: The Lua extension now targets local proxy listeners for the configured service's upstreams, rather than remote downstream listeners for the configured service, when ListenerType is set to outbound in extension configuration. See [CVE-2023-2816](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2816) changelog entry for more details.
+```

.changelog/17426.txt

@@ -0,0 +1,5 @@
+```release-note:improvement
+ peering: gRPC queries for TrustBundleList, TrustBundleRead, PeeringList, and PeeringRead now support blocking semantics,
+ reducing network and CPU demand.
+ The HTTP APIs for Peering List and Read have been updated to support blocking.
+ ```

.changelog/17456.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue where modifying the list of exported services did not correctly replicate changes for services that exist in a non-default namespace.
+```

.changelog/17460.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+hcp: Add new metrics sink to collect, aggregate and export server metrics to HCP in OTEL format.
+```

.changelog/17483.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership.
+```

.changelog/17513.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update to UBI base image to 9.2. 
+```

.changelog/17545.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: update supported envoy versions to 1.22.11, 1.23.9, 1.24.7, 1.25.6
+```

.changelog/17565.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+reloadable config: Made enable_debug config reloadable and enable pprof command to work when config toggles to true
+```

.changelog/17566.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Fixed a bug where modifying ACLs on a token being actively used for an xDS connection caused all xDS updates to fail.
+```

.changelog/17577.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+fix metric names in /docs/agent/telemetry
+```

.changelog/17581.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+gateways: **(Enterprise only)** Fixed a bug in API gateways where gateway configuration objects in non-default partitions did not reconcile properly.
+```

.changelog/17582.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+cli: `consul operator raft list-peers` command shows the number of commits each follower is trailing the leader by to aid in troubleshooting.
+```

.changelog/17593.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+docs: fix list of telemetry metrics
+```

.changelog/17596.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ debug: change default setting of consul debug command. now default duration is 5ms and default log level is 'TRACE'
+ ```

.changelog/17609.txt

@@ -0,0 +1,4 @@
+```release-note:bug
+gateways: Fixed a bug in API gateways where binding a route that only targets a service imported from a peer results
+in the programmed gateway having no routes.
+```

.changelog/17631.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+gateways: Fixed a bug where API gateways were not being taken into account in determining xDS rate limits.
+```

.changelog/17636.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cache: fix a few minor goroutine leaks in leaf certs and the agent cache
+```

.changelog/17739.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+http: fixed API endpoint `PUT /acl/token/:AccessorID` (update token), no longer requires `AccessorID` in the request body. Web UI can now update tokens.
+ ```

.changelog/17780.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+cli: `consul watch` command uses `-filter` expression to filter response from checks, services, nodes, and service.
+```

.changelog/17846.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect/ca: Fixes a bug preventing CA configuration updates in secondary datacenters
+```

.changelog/17885.txt

@@ -0,0 +1,2 @@
+```release-note:bug
+ca: Fixed a bug where the Vault provider was not passing the configured role param for AWS auth

.changelog/17888.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Add capture group labels from Envoy cluster FQDNs to Envoy exported metric labels
+```

.changelog/17894.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix incorrect protocol config merging for transparent proxy implicit upstreams.
+```

.changelog/18011.txt

@@ -0,0 +1,4 @@
+```release-note:bug
+connect: Removes the default health check from the `consul connect envoy` command when starting an API Gateway.
+This health check would always fail.
+```

.changelog/18024.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration.
+```

.changelog/18080.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+Fix some typos in metrics docs
+```

.changelog/18140.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+hcp: Removes requirement for HCP to provide a management token
+```

.changelog/18150.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+xds: Explicitly enable WebSocket connection upgrades in HTTP connection manager
+```