Backport of correct prometheus port and scheme annotations if tls is enabled into release/1.2.x

.changelog/2048.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: add samenessGroup CRD
+```

.changelog/2075.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: add samenessGroup field to exported services CRD
+```

.changelog/2086.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: add samenessGroup field to service resolver CRD
+```

.changelog/2097.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: add samenessGroup field to source intention CRD
+```

.changelog/2102.txt

@@ -10,3 +10,12 @@ Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs [CVE-2022-41
 ](https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
 .)
 ```
+
+```release-note:improvement
+cli: update minimum go version for project to 1.20.
+```
+
+```release-note:improvement
+control-plane: update minimum go version for project to 1.20.
+```
+

.changelog/2165.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+control-plane: add FIPS support
+```

.changelog/2184.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+api-gateway: support deploying to OpenShift 4.11
+```

.changelog/2233.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+Add support for configuring graceful shutdown proxy lifecycle management settings.
+```

.changelog/2293.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+sync-catalog: add ability to support weighted loadbalancing by service annotation `consul.hashicorp.com/service-weight: <number>`
+```

.changelog/2302.txt

@@ -0,0 +1,13 @@
+```release-note:improvement
+Add support to provide the logLevel flag via helm for multiple low level components. Introduces the following fields
+1. `global.acls.logLevel`
+2. `global.tls.logLevel`
+3. `global.federation.logLevel`
+4. `global.gossipEncryption.logLevel`
+5. `server.logLevel`
+6. `client.logLevel`
+7. `meshGateway.logLevel`
+8. `ingressGateways.logLevel`
+9. `terminatingGateways.logLevel`
+10. `telemetryCollector.logLevel`
+```

.changelog/2304.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Kubernetes v1.27 is now supported. Minimum tested version of Kubernetes is now v1.24.
+```

.changelog/2370.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+(Consul Enterprise) Add support to provide inputs via helm for audit log related configuration
+```

.changelog/2390.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update [Go-Discover](https://github.com/hashicorp/go-discover) in the container has been updated to address [CVE-2020-14040](https://github.com/advisories/GHSA-5rcv-m4m3-hfh7)
+```

.changelog/2392.txt

@@ -0,0 +1,6 @@
+```release-note:breaking-change
+control-plane: All policies managed by consul-k8s will now be updated on upgrade. If you previously edited the policies after install, your changes will be overwritten.
+```
+```release-note:bug
+control-plane: Always update ACL policies upon upgrade.
+```

.changelog/2413.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: Fix creation of invalid Kubernetes Service when multiple Gateway listeners have the same port.
+```

.changelog/2416.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+helm: Adds `acls.resources` field which can be configured to override the `resource` settings for the `server-acl-init` and `server-acl-init-cleanup` Jobs.
+```

.changelog/2420.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: set route condition appropriately when parent ref includes non-existent section name
+```

.changelog/2476.txt

@@ -0,0 +1,7 @@
+```release-note:improvement
+helm: update `imageConsulDataplane` value to `hashicorp/consul-dataplane:1.2.0`
+```
+
+```release-note:improvement
+helm: update `image` value to `hashicorp/consul:1.16.0`
+```

.changelog/2478.txt

@@ -0,0 +1,5 @@
+```release-note:bug
+api-gateway: fixes bug where envoy will silently reject RSA keys less than 2048 bits in length when not in FIPS mode, and
+will reject keys that are not 2048, 3072, or 4096 bits in length in FIPS mode. We now validate
+and reject invalid certs earlier.
+```

.changelog/2520.txt

@@ -0,0 +1,4 @@
+```release-note:bug
+transparent-proxy: Fix issue where connect-inject lacked sufficient `mesh:write` privileges in some deployments,
+which prevented virtual IPs from persisting properly.
+```

.changelog/2524.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+(api-gateway) make API gateway controller less verbose
+```

.changelog/2525.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: adds values for `securityContext` and `annotations` on TLS and ACL init/cleanup jobs.
+```

.changelog/2571.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: fix bug in endpoints controller when deregistering services from consul when a node is deleted.
+```

.changelog/2572.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: set container securityContexts to match the `restricted` Pod Security Standards policy to support running Consul in a namespace with restricted PSA enforcement enabled
+```

.changelog/2597.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: fix helm install when setting copyAnnotations or nodeSelector
+```

.changelog/2642.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrade to use Go 1.20.6 and `x/net/http` 0.12.0.
+This resolves [CVE-2023-29406](https://github.com/advisories/GHSA-f8f7-69v5-w4vx)(`net/http`).
+```

.changelog/2652.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: fix CONSUL_LOGIN_DATACENTER for consul client-daemonset.
+```

.changelog/2656.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+control-plane: increase timeout after login for ACL replication to 60 seconds
+```

.changelog/2687.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: fix ui ingress manifest formatting, and exclude `ingressClass` when not defined.
+```

.changelog/2707.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+api-gateway: adds ability to map privileged ports on Gateway listeners to unprivileged ports so that containers do not require additional privileges
+```

.changelog/2710.txt

@@ -0,0 +1,5 @@
+```release-note:security
+Upgrade to use Go 1.20.7 and `x/net` 0.13.0.
+This resolves [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409)(`crypto/tls`) 
+and [CVE-2023-3978](https://nvd.nist.gov/vuln/detail/CVE-2023-3978)(`net/html`).
+```

.changelog/2711.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+api-gateway: translate and validate TLS configuration options, including min/max version and cipher suites, setting Gateway status appropriately
+```

.changelog/2755.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: When using transparent proxy or CNI, reduced required permissions by setting privileged to false. Privileged must be true when using OpenShift without CNI.
+```

.changelog/2782.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: Update prometheus port and scheme annotations if tls is enabled
+```

.changelog/2787.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+Add NET_BIND_SERVICE capability to restricted security context used for consul-dataplane
+```

.changelog/2789.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Add readOnlyRootFilesystem to the default restricted security context when runnning `consul-k8s` in a restricted namespaces. 
+```

.changelog/2808.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: Fix issue where ACL tokens would have an empty pod name that prevented proper token cleanup.
+```