Backport of Allow dialer to re-establish terminated peering into release/1.14.x

.changelog/13782.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+deps: update to latest go-discover to provide ECS auto-discover capabilities.
+```

.changelog/14340.txt

@@ -0,0 +1,4 @@
+```release-note:feature
+connect: Add local_idle_timeout_ms to allow configuring the Envoy route idle timeout on local_app
+connect: Add IdleTimeout to service-router to allow configuring the Envoy route idle timeout
+```

.changelog/14679.txt

@@ -1,3 +1,3 @@
-```release-note:improvement
-dns: **(Enterprise Only)** All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: <tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>`. 
-```
+```release-note:improvement
+dns: **(Enterprise Only)** All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: `[<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>`.
+```

.changelog/15050.txt

@@ -0,0 +1,6 @@
+```release-note:feature
+cli: Add `-consul-dns-port` flag to the `consul connect redirect-traffic` command to allow forwarding DNS traffic to a specific Consul DNS port.
+```
+```release-note:feature
+sdk: Configure `iptables` to forward DNS traffic to a specific DNS port.
+```

.changelog/15083.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy.
+```

.changelog/15090.txt

@@ -0,0 +1,3 @@
+```release-note:note
+deps: Upgrade to use Go 1.19.2
+```

.changelog/15093.txt

@@ -0,0 +1,6 @@
+```release-note: improvement
+connect: Add Envoy 1.24.0 to support matrix
+```
+```release-note: breaking-change
+connect: Removes support for Envoy 1.20
+```

.changelog/15108.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: when wan address is set, peering stream should use the wan address.
+```

.changelog/15155.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+debug: fixed bug that caused consul debug CLI to error on ACL-disabled clusters
+```

.changelog/15160.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: fix nil pointer in calling handleUpdateService
+```

.changelog/15178.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix a bug that resulted in /v1/agent/metrics returning an error.
+```

.changelog/15186.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries.
+```

.changelog/15233.txt

@@ -0,0 +1,3 @@
+```release-note: improvement
+integ test: fix flakiness due to test condition from retry app endoint
+```

.changelog/15253.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fixed issue where using Vault 1.11+ as CA provider would eventually break Intermediate CAs [[GH-15217](https://github.com/hashicorp/consul/issues/15217)]
+```

.changelog/15272.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters.
+```

.changelog/15302.txt

@@ -0,0 +1,7 @@
+```release-note:breaking-change
+config: update 1.14 config defaults: Enable `peering` and `connect` by default.
+```
+
+```release-note:breaking-change
+config: update 1.14 config defaults: Set gRPC TLS port default value to 8503
+```

.changelog/15317.txt

@@ -0,0 +1,3 @@
+```release-note:improvements
+acl: Allow reading imported services and nodes from cluster peers with read all permissions
+```

.changelog/15320.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider.
+```

.changelog/14294.txt → .changelog/15339.txt

@@ -2,5 +2,5 @@
 config: Add new `ports.grpc_tls` configuration option.
 Introduce a new port to better separate TLS config from the existing `ports.grpc` config.
 The new `ports.grpc_tls` only supports TLS encrypted communication.
-The existing `ports.grpc` currently supports both plain-text and tls communication, but tls support will be removed in a future release.
+The existing `ports.grpc` now only supports plain-text communication.
 ```

.changelog/15346.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+acl: relax permissions on the `WatchServers`, `WatchRoots` and `GetSupportedDataplaneFeatures` gRPC endpoints to accept *any* valid ACL token
+```

.changelog/15356.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints [CVE-2022-3920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3920)
+```

.changelog/15370.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names.
+```

.changelog/15423.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+sdk: Fix SDK testutil backwards compatibility by only configuring grpc_tls port for new Consul versions.
+```

.changelog/15466.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli: Fix issue where `consul connect envoy` incorrectly uses the HTTPS API configuration for xDS connections.
+```

.changelog/15503.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: fix the limit of replication gRPC message; set to 8MB
+```

.changelog/15525.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ca: Fixed issue where using Vault as Connect CA with Vault-managed policies would error on start-up if the intermediate PKI mount existed but was empty
+```

.changelog/15541.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Fixed issue where blocking queries with short waits could timeout on the client
+```

.changelog/15555.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+ui: Add field for fallback server addresses to peer token generation form 
+```

.changelog/15596.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+dns: Add support for cluster peering `.service` and `.node` DNS queries.
+```

.changelog/15610.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+acl: avoid debug log spam in secondary datacenter servers due to management token not being initialized.
+```

.changelog/15615.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: better represent non-passing states during peer check flattening
+```

.changelog/15659.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Add support for ConsulResolver to specifies a filter expression
+```

.changelog/15661.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fixed issue where using Vault 1.11+ as CA provider in a secondary datacenter would eventually break Intermediate CAs
+```

.changelog/15669.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: ensure all vault connect CA tests use limited privilege tokens
+```

.changelog/15690.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix peering failovers ignoring local mesh gateway configuration.
+```

.changelog/15697.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+peering: Newly created peering connections must use only lowercase characters in the `name` field. Existing peerings with uppercase characters will not be modified, but they may encounter issues in various circumstances. To maintain forward compatibility and avoid issues, it is recommended to destroy and re-create any invalid peering connections so that they do not have a name containing uppercase characters.
+```

.changelog/15701.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+grpc: Use new balancer implementation to reduce periodic WARN logs when shuffling servers.
+```

.changelog/15705.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade to use Go 1.19.4. This resolves a vulnerability where restricted files can be read on Windows. [CVE-2022-41720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720)
+```

.changelog/15737.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrades `golang.org/x/net` to prevent a denial of service by excessive memory usage caused by HTTP2 requests. [CVE-2022-41717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717)
+```
+

.changelog/15760.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where DialedDirectly configuration was not used by Consul Dataplane.
+```

.changelog/15769.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Fix assignment of error when auto-reloading cert and key file changes.
+```

.changelog/15789.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: fix bug where sessions for locally-managed services could fail with "this server has too many xDS streams open"
+```

.changelog/15833.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where service-resolver protocol checks incorrectly errored for failover peer targets.
+```

.changelog/15865.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where watches on upstream failover peer targets did not always query the correct data.
+```

.changelog/15866.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Fix issue where the agent cache would incorrectly mark protobuf objects as updated.
+```

.changelog/15913.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli: Fix issue where `consul connect envoy` was unable to configure TLS over unix-sockets to gRPC.
+```

.changelog/15988.txt

@@ -0,0 +1,3 @@
+```release-note:improvements
+cli: Added a flag, `-enable-config-gen-logging`, to the `connect envoy` command to display log messages when generating the bootstrap config.
+```

.changelog/16000.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+connect: Fix configuration merging for transparent proxy upstreams. Proxy-defaults and service-defaults config entries were not correctly merged for implicit upstreams in transparent proxy mode and would result in some configuration not being applied. To avoid issues when upgrading, ensure that any proxy-defaults or service-defaults have correct configuration for upstreams, since all fields will now be properly used to configure proxies.
+```

.changelog/16015.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+connect: add flags `envoy-ready-bind-port` and `envoy-ready-bind-address` to the `consul connect envoy` command that allows configuration of readiness probe on proxy for any service kind.
+```

.changelog/16024.txt

@@ -0,0 +1,4 @@
+```release-note:improvement
+partitiion: **(Consul Enterprise only)** when loading service from on-disk config file or sending API request to agent endpoint,
+if the partition is unspecified, consul will default the partition in the request to agent's partition
+```

.changelog/16230.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue where secondary wan-federated datacenters could not be used as peering acceptors.
+```

.changelog/16257.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue where mesh gateways would use the wrong address when contacting a remote peer with the same datacenter name.
+```

.changelog/16263.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrade to use Go 1.20.1. 
+This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
+```

.changelog/16339.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix bug where services were incorrectly imported as connect-enabled.
+```

.changelog/16358.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+container: Upgrade container image to use to Alpine 3.17.
+```

.changelog/16495.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+mesh: Add ServiceResolver RequestTimeout for route timeouts to make request timeouts configurable
+```

.changelog/16498.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+proxycfg: fix a bug where terminating gateways were not cleaning up deleted service resolvers for their referenced services
+```

.changelog/16499.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+mesh: Fix resolution of service resolvers with subsets for external upstreams
+```

.changelog/16570.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fixes a bug that can lead to peering service deletes impacting the state of local services
+```

.changelog/16592.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ca: Fixes a bug where updating Vault CA Provider config would cause TLS issues in the service mesh
+```

.changelog/16660.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fix PUT token request with adding missed AccessorID property to requestBody
+```

.changelog/16693.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fixes a bug where the importing partition was not added to peered failover targets, which causes issues when the importing partition is a non-default partition.
+```

.changelog/16700.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+audit-logging: (Enterprise only) Fix a bug where `/agent/monitor` and `/agent/metrics` endpoints return a `Streaming not supported` error when audit logs are enabled. This also fixes the delay receiving logs when running `consul monitor` against an agent with audit logs enabled.
+```

.changelog/16729.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue resulting in prepared query failover to cluster peers never un-failing over.
+```

.changelog/16776.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+peering: allow re-establishing terminated peering from new token without deleting existing peering first.
+```

.changelog/_3550.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+namespace: **(Enterprise Only)** Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter 
+```

.changelog/_3556.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+snapshot: **(Enterprise Only)** Add support for the snapshot agent to use an IAM role for authentication/authorization when managing snapshots in S3.
+```

.changelog/_3557.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+dns/peering: **(Enterprise Only)** Support addresses in the formats `<servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul` and `<servicename>.virtual.<partition>.ap.<peername>.peer.consul`. This longer form address that allows specifying `.peer` would need to be used for tproxy DNS requests made within non-default partitions for imported services.
+```

.changelog/_3729.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+namespace: **(Enterprise Only)** Fix a bug that caused blocking queries during namespace replication to timeout
+```

.changelog/_3783.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli: **(Enterprise Only)** Fix issue where `consul partition update` subcommand was not registered and therefore not available through the cli.
+```

.changelog/_3846.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent: **(Enterprise Only)** Ensure configIntentionsConvertToList does not compare empty strings with populated strings when filtering intentions created prior to AdminPartitions.
+```

.changelog/_4696.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: **(Consul Enterprise only)** Fix issue where connect-enabled services with peer upstreams incorrectly required `service:write` access in the `default` namespace to query data, which was too restrictive. Now having `service:write` to any namespace is sufficient to query the peering data.
+```

.changelog/_4832.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: **(Consul Enterprise only)** Fix issue where resolvers, routers, and splitters referencing peer targets may not work correctly for non-default partitions and namespaces. Enterprise customers leveraging peering are encouraged to upgrade both servers and agents to avoid this problem.
+```

.circleci/bash_env.sh

@@ -6,5 +6,5 @@ export GIT_DIRTY=$(test -n "`git status --porcelain`" && echo "+CHANGES" || true
 export GIT_IMPORT=github.com/hashicorp/consul/version
 # we're using this for build date because it's stable across platform builds
 # the env -i and -noprofile are used to ensure we don't try to recursively call this profile when starting bash
-export GIT_DATE=$(env -i /bin/bash --noprofile -norc ${CIRCLE_WORKING_DIRECTORY}/build-support/scripts/build-date.sh)
+export GIT_DATE=$(env -i /bin/bash --noprofile -norc /home/circleci/project/build-support/scripts/build-date.sh)
 export GOLDFLAGS="-X ${GIT_IMPORT}.GitCommit=${GIT_COMMIT}${GIT_DIRTY} -X ${GIT_IMPORT}.BuildDate=${GIT_DATE}"