Merge branch 'main' into docs/l7-config-entry-reference

.changelog/15979.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+envoy: add `MaxEjectionPercent` and `BaseEjectionTime` to passive health check configs.
+```

.changelog/16916.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+hcp: Add support for linking existing Consul clusters to HCP management plane.
+```

.changelog/17066.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+command: Allow creating ACL Token TTL with greater than 24 hours with the -expires-ttl flag.
+```

.changelog/17115.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+gateway: Change status condition reason for invalid certificate on a listener from "Accepted" to "ResolvedRefs".
+```

.changelog/17138.txt

@@ -0,0 +1,4 @@
+```release-note:improvement
+ca: automatically set up Vault's auto-tidy setting for tidy_expired_issuers when using Vault as a CA provider.
+```
+

.changelog/17171.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+agent: add a configurable maximimum age (default: 7 days) to prevent servers re-joining a cluster with stale data 
+```

.changelog/17179.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: ensure that merged central configs of peered upstreams for partitioned downstreams work
+```

.changelog/17183.txt

@@ -0,0 +1,7 @@
+```release-note:improvement
+* cli: Add `-filter` option to `consul config list` for filtering config entries.
+```
+```release-note:improvement
+* api: Support filtering for config entries.
+```
+

.changelog/17185.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Fix possible panic that can when generating clusters before the root certificates have been fetched.
+```

.changelog/17235.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue where peer streams could incorrectly deregister services in various scenarios.
+```

.changelog/17236.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+logging: change snapshot log header from `agent.server.snapshot` to `agent.server.raft.snapshot`
+```

.changelog/17240.txt

@@ -0,0 +1,12 @@
+```release-note:security
+Upgrade to use Go 1.20.4.
+This resolves vulnerabilities [CVE-2023-24537](https://github.com/advisories/GHSA-9f7g-gqwh-jpf5)(`go/scanner`),
+[CVE-2023-24538](https://github.com/advisories/GHSA-v4m2-x4rp-hv22)(`html/template`),
+[CVE-2023-24534](https://github.com/advisories/GHSA-8v5j-pwr7-w5f8)(`net/textproto`) and
+[CVE-2023-24536](https://github.com/advisories/GHSA-9f7g-gqwh-jpf5)(`mime/multipart`).
+Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs [CVE-2022-41721
+](https://github.com/advisories/GHSA-fxg5-wq6x-vr4w
+), [CVE-2022-27664](https://github.com/advisories/GHSA-69cg-p879-7622) and [CVE-2022-41723
+](https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
+.)
+```

.changelog/17241.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix multiple inefficient behaviors when querying service health.
+```

.changelog/17270.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+grpc: ensure grpc resolver correctly uses lan/wan addresses on servers
+```

.changelog/17317.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration.
+```

.changelog/5200.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: update supported envoy versions to 1.23.8, 1.24.6, 1.25.4, 1.26.0
+```

.github/scripts/verify_envoy_version.sh

@@ -0,0 +1,178 @@
+#!/bin/bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+set -euo pipefail
+
+current_branch=$GITHUB_REF
+GITHUB_DEFAULT_BRANCH='main'
+
+if [ -z "$GITHUB_TOKEN" ]; then
+  echo "GITHUB_TOKEN must be set"
+  exit 1
+fi
+
+if [ -z "$current_branch" ]; then
+  echo "GITHUB_REF must be set"
+  exit 1
+fi
+
+# Get Consul and Envoy version 
+SCRIPT_DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
+pushd $SCRIPT_DIR/../.. # repository root
+consul_envoy_data_json=$(echo go run ./test/integration/consul-container/test/consul_envoy_version/consul_envoy_version.go)
+# go back to where you started when finished
+popd
+
+if [ -z "$consul_envoy_data_json" ]; then
+  echo "Error! Consul and Envoy versions not returned: $consul_envoy_data_json"
+  exit 1
+fi
+
+# sanitize_consul_envoy_version removes characters from result that may contain new lines, spaces, and [...]
+# example envoyVersions:[1.25.4 1.24.6 1.23.8 1.22.11] => 1.25.4 1.24.6 1.23.8 1.22.11
+sanitize_consul_envoy_version() {
+  local _consul_version=$(eval "$consul_envoy_data_json" | jq -r '.ConsulVersion')
+  local _envoy_version=$(eval "$consul_envoy_data_json" | jq -r '.EnvoyVersions' | tr -d '"' | tr -d '\n' | tr -d ' '| tr -d '[]')
+  echo "${_consul_version}" "${_envoy_version}"
+}
+
+# get major version for Consul and Envoy
+get_major_version(){
+  local _verison="$1"
+  local _abbrVersion="$(cut -d "." -f1-2 <<< $_verison)"
+  echo "${_abbrVersion}"
+}
+
+get_latest_envoy_version() {
+  OUTPUT_FILE=$(mktemp)
+  HTTP_CODE=$(curl -L --silent --output "$OUTPUT_FILE" -w "%{http_code}" \
+    -H "Accept: application/vnd.github+json" \
+    -H "Authorization: Bearer ${GITHUB_TOKEN}"\
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    https://api.github.com/repos/envoyproxy/envoy/releases/latest)
+  if [[ ${HTTP_CODE} -lt 200 || ${HTTP_CODE} -gt 299 ]]; then
+    cat >&2 "$OUTPUT_FILE"
+    rm "$OUTPUT_FILE"
+    exit 1
+  fi
+  _latest_envoy_version=$(jq -r '.tag_name' "$OUTPUT_FILE")
+  echo "$_latest_envoy_version" 
+  rm "$OUTPUT_FILE"
+}
+
+# major_envoy_versions takes multiple arguments
+major_envoy_versions(){
+  version=("$@")
+  for i in "${version[@]}";
+  do
+    envoy_versions_array+="$(cut -d "." -f1-2 <<< $i)"
+  done
+  echo "${envoy_versions_array}"
+}
+
+# Get latest Envoy version from envoyproxy repo
+released_envoy_version=$(get_latest_envoy_version)
+major_released_envoy_version="${released_envoy_version[@]:1:4}"
+
+validate_envoy_version_main(){
+  echo "verify "main" GitHub branch has latest envoy version"
+  # Get envoy version for current branch
+  ENVOY_VERSIONS=$(sanitize_consul_envoy_version | awk '{print $2}' | tr ',' ' ')
+  envoy_version_main_branch=$(get_major_version ${ENVOY_VERSIONS})
+
+  if [[ "$envoy_version_main_branch" != "$major_released_envoy_version" ]]; then
+    echo
+    echo "Latest released Envoy version is: "$released_envoy_version""
+    echo "ERROR! Branch $current_branch; Envoy versions: "$ENVOY_VERSIONS" needs to be updated."
+    exit 1
+    else
+      echo "#### SUCCESS! ##### Compatible Envoy versions found: ${ENVOY_VERSIONS}"
+      exit 0
+  fi
+}
+
+if [[ "$current_branch" == *"$GITHUB_DEFAULT_BRANCH"* ]]; then
+  validate_envoy_version_main
+fi 
+
+# filter consul and envoy version 
+CONSUL_VERSION=$(sanitize_consul_envoy_version | awk '{print $1}')
+ENVOY_VERSIONS=$(sanitize_consul_envoy_version | awk '{print $2}' | tr ',' ' ') 
+
+# Get Consul and Envoy version from default branch
+echo checking out "${GITHUB_DEFAULT_BRANCH}" branch
+git checkout "${GITHUB_DEFAULT_BRANCH}"
+
+# filter consul and envoy version from default branch 
+CONSUL_VERSION_DEFAULT_BRANCH=$(sanitize_consul_envoy_version | awk '{print $1}')
+ENVOY_VERSIONS_DEFAULT_BRANCH=$(sanitize_consul_envoy_version | awk '{print $2}' | tr ',' ' ') 
+
+# Ensure required values are not empty
+if [ -z "$CONSUL_VERSION" ] || [ -z "$CONSUL_VERSION_DEFAULT_BRANCH" ] || [ -z "$ENVOY_VERSIONS" ] || [ -z "$ENVOY_VERSIONS_DEFAULT_BRANCH" ]; then
+  echo "Error! Consul version: $CONSUL_VERSION | Consul version default branch: $CONSUL_VERSION_DEFAULT_BRANCH | Envoy version: $ENVOY_VERSIONS | Envoy version default branch: $ENVOY_VERSIONS_DEFAULT_BRANCH cannot be empty"
+  exit 1
+fi
+
+echo checking out branch: "${current_branch}"
+git checkout "${current_branch}"
+
+echo
+echo "Branch ${current_branch} =>Consul version: ${CONSUL_VERSION}; Envoy Version: ${ENVOY_VERSIONS}" 
+echo "Branch ${GITHUB_DEFAULT_BRANCH} =>Consul version: ${CONSUL_VERSION_DEFAULT_BRANCH}; Envoy Version: ${ENVOY_VERSIONS_DEFAULT_BRANCH}" 
+
+## Get major Consul and Envoy versions on release and default branch
+MAJOR_CONSUL_VERSION=$(get_major_version ${CONSUL_VERSION})
+MAJOR_CONSUL_VERSION_DEFAULT_BRANCH=$(get_major_version ${CONSUL_VERSION_DEFAULT_BRANCH})
+MAJOR_ENVOY_VERSION_DEFAULT_BRANCH=$(get_major_version ${ENVOY_VERSIONS_DEFAULT_BRANCH})
+
+_envoy_versions=($ENVOY_VERSIONS)
+_envoy_versions_default=($ENVOY_VERSIONS_DEFAULT_BRANCH)
+
+## Validate supported envoy versions available - should be 4
+echo
+echo "Validating supported envoy versions available on branches: $current_branch and $GITHUB_DEFAULT_BRANCH"
+if [ "${#_envoy_versions_default[@]}" != 4 ] || [ "${#_envoy_versions[@]}" != 4 ]; then
+  echo "Branch $GITHUB_DEFAULT_BRANCH =>Consul version: ${CONSUL_VERSION_DEFAULT_BRANCH}; Envoy versions: $ENVOY_VERSIONS_DEFAULT_BRANCH"
+  echo "Branch $current_branch =>Consul version: ${CONSUL_VERSION}; Envoy versions: $_envoy_versions"
+  echo "ERROR! Envoy should have 4 compatible versions."
+  exit 1
+fi 
+
+echo "Checking if branch $GITHUB_DEFAULT_BRANCH has latest Envoy version"
+## 1. Check "main" GitHub branch has latest envoy version
+if [[ "$MAJOR_ENVOY_VERSION_DEFAULT_BRANCH" != "$major_released_envoy_version" ]]; then
+  echo
+  echo "Latest released Envoy version is: "$released_envoy_version""
+  echo "ERROR! Branch $GITHUB_DEFAULT_BRANCH; Envoy versions: "$ENVOY_VERSIONS_DEFAULT_BRANCH" needs to be updated."
+  exit 1
+  else
+    echo "#### SUCCESS! #####. Compatible Envoy versions found: ${ENVOY_VERSIONS_DEFAULT_BRANCH}"
+    echo
+
+    ## 2. Check main branch and release branch support the same Envoy major versions
+    ## Get the major Consul version on the main and release branch. If both branches have
+    ## the same major Consul version, verify both branches have the same major Envoy versions.
+    ## Return error if major envoy versions are not the same.
+    echo "Checking branch $current_branch and $GITHUB_DEFAULT_BRANCH have the same compatible major Envoy versions."
+    consul_version_diff=$(echo "$MAJOR_CONSUL_VERSION_DEFAULT_BRANCH $MAJOR_CONSUL_VERSION" | awk '{print $1 - $2}')
+    check=$(echo "$consul_version_diff == 0" | bc -l)
+
+    if (( $check )); then
+      echo "Branch $current_branch and $GITHUB_DEFAULT_BRANCH have the same major Consul version "$MAJOR_CONSUL_VERSION""
+      echo "Validating branches have the same Envoy major versions..."
+      _major_envoy_versions=$(major_envoy_versions $ENVOY_VERSIONS)
+      _major_envoy_versions_default=$(major_envoy_versions $ENVOY_VERSIONS_DEFAULT_BRANCH)
+
+      if [[ "$_major_envoy_versions_default" != "$_major_envoy_versions" ]]; then
+          echo "Branch $GITHUB_DEFAULT_BRANCH =>Envoy versions: $_major_envoy_versions"
+          echo "Branch $current_branch =>Envoy versions: $_major_envoy_versions_default"
+          echo "ERROR! Branches should support the same major versions for envoy."
+          exit 1
+          else
+            echo "#### SUCCESS! #####. Compatible Envoy major versions found: $ENVOY_VERSIONS_DEFAULT_BRANCH"
+      fi
+      else 
+        echo "No validation needed. Branches have different Consul versions"
+    fi
+fi

.github/workflows/backport-assistant.yml

@@ -19,7 +19,7 @@ jobs:
   backport:
     if: github.event.pull_request.merged
     runs-on: ubuntu-latest
-    container: hashicorpdev/backport-assistant:0.3.0
+    container: hashicorpdev/backport-assistant:0.3.3
     steps:
       - name: Run Backport Assistant for release branches
         run: |
@@ -28,3 +28,16 @@ jobs:
           BACKPORT_LABEL_REGEXP: "backport/(?P<target>\\d+\\.\\d+)"
           BACKPORT_TARGET_TEMPLATE: "release/{{.target}}.x"
           GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+  handle-failure:
+    needs:
+      - backport
+    if: always() && needs.backport.result == 'failure'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Comment on PR
+        run: |
+          github_message="Backport failed @${{ github.event.sender.login }}. Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          curl -s -H "Authorization: token ${{ secrets.PR_COMMENT_TOKEN }}" \
+            -X POST \
+            -d "{ \"body\": \"${github_message}\"}" \
+            "https://api.github.com/repos/${GITHUB_REPOSITORY}/pull/${{ github.event.pull_request.number }}/comments"

.github/workflows/build-artifacts.yml

@@ -123,9 +123,12 @@ jobs:
     - setup
     - dev-build-push
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
-    if: |
-      (always() && ! cancelled()) &&
-      !contains(needs.*.result, 'failure') &&
-      !contains(needs.*.result, 'cancelled')
+    if: ${{ always() }}
     steps:
-      - run: echo "build-artifacts succeeded"
+      - name: evaluate upstream job results
+        run: |
+          # exit 1 if failure or cancelled result for any upstream job
+          if printf '${{ toJSON(needs) }}' | grep -E -i '\"result\": \"(failure|cancelled)\"'; then
+            printf "Tests failed or workflow cancelled:\n\n${{ toJSON(needs) }}"
+            exit 1
+          fi

.github/workflows/build-distros.yml

@@ -138,9 +138,12 @@ jobs:
     - build-amd64
     - build-arm
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
-    if: |
-      (always() && ! cancelled()) &&
-      !contains(needs.*.result, 'failure') &&
-      !contains(needs.*.result, 'cancelled')
+    if: ${{ always() }}
     steps:
-      - run: echo "build-distros succeeded"
+      - name: evaluate upstream job results
+        run: |
+          # exit 1 if failure or cancelled result for any upstream job
+          if printf '${{ toJSON(needs) }}' | grep -E -i '\"result\": \"(failure|cancelled)\"'; then
+            printf "Tests failed or workflow cancelled:\n\n${{ toJSON(needs) }}"
+            exit 1
+          fi

.github/workflows/build.yml

@@ -82,15 +82,15 @@ jobs:
     strategy:
       matrix:
         include:
-          - {go: "1.20.1", goos: "linux", goarch: "386"}
-          - {go: "1.20.1", goos: "linux", goarch: "amd64"}
-          - {go: "1.20.1", goos: "linux", goarch: "arm"}
-          - {go: "1.20.1", goos: "linux", goarch: "arm64"}
-          - {go: "1.20.1", goos: "freebsd", goarch: "386"}
-          - {go: "1.20.1", goos: "freebsd", goarch: "amd64"}
-          - {go: "1.20.1", goos: "windows", goarch: "386"}
-          - {go: "1.20.1", goos: "windows", goarch: "amd64"}
-          - {go: "1.20.1", goos: "solaris", goarch: "amd64"}
+          - {go: "1.20.4", goos: "linux", goarch: "386"}
+          - {go: "1.20.4", goos: "linux", goarch: "amd64"}
+          - {go: "1.20.4", goos: "linux", goarch: "arm"}
+          - {go: "1.20.4", goos: "linux", goarch: "arm64"}
+          - {go: "1.20.4", goos: "freebsd", goarch: "386"}
+          - {go: "1.20.4", goos: "freebsd", goarch: "amd64"}
+          - {go: "1.20.4", goos: "windows", goarch: "386"}
+          - {go: "1.20.4", goos: "windows", goarch: "amd64"}
+          - {go: "1.20.4", goos: "solaris", goarch: "amd64"}
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
@@ -179,7 +179,7 @@ jobs:
       matrix:
         goos: [ darwin ]
         goarch: [ "amd64", "arm64" ]
-        go: [ "1.20.1" ]
+        go: [ "1.20.4" ]
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build

.github/workflows/frontend.yml

@@ -133,9 +133,12 @@ jobs:
     - node-tests
     - ember-build-test
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
-    if: |
-      (always() && ! cancelled()) &&
-      !contains(needs.*.result, 'failure') &&
-      !contains(needs.*.result, 'cancelled')
+    if: ${{ always() }}
     steps:
-      - run: echo "frontend succeeded"
+      - name: evaluate upstream job results
+        run: |
+          # exit 1 if failure or cancelled result for any upstream job
+          if printf '${{ toJSON(needs) }}' | grep -E -i '\"result\": \"(failure|cancelled)\"'; then
+            printf "Tests failed or workflow cancelled:\n\n${{ toJSON(needs) }}"
+            exit 1
+          fi