Merge branch 'hashicorp:main' into master

.changelog/11500.txt

@@ -1,4 +1,4 @@
-```release-note:bugfix
+```release-note:bug
 rpc: Adds a deadline to client RPC calls, so that streams will no longer hang
 indefinitely in unstable network conditions. [[GH-8504](https://github.com/hashicorp/consul/issues/8504)]
-```
+```

.changelog/11742.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+api: Add filtering support to Catalog's List Services (v1/catalog/services)
+```

.changelog/11791.txt

@@ -1,3 +1,3 @@
-```release-note:bugfix
+```release-note:bug
 ui: Change partitions to expect [] from the listing API
 ```

.changelog/11804.txt

@@ -1,4 +1,4 @@
-```release-note:bugfix
+```release-note:bug
 ui: Don't offer to save an intention with a source/destinatiojn wildcard
 partition
 ```

.changelog/11850.txt

@@ -1,3 +1,3 @@
-```release-note:bugfix
+```release-note:bug
 ui: Fixes an issue with the version footer wandering when scrolling
 ```

.changelog/12279.txt

@@ -1,3 +1,3 @@
-```release-note:bugfix
+```release-note:bug
 ui: Ensure proxy instance health is taken into account in Service Instance Listings
 ```

.changelog/12399.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+catalog: Add per-node indexes to reduce watchset firing for unrelated nodes and services.
+```

.changelog/12890.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: service-router destinations have gained a `RetryOn` field for specifying the conditions when Envoy should retry requests beyond specific status codes and generic connection failure which already exists.
+```

.changelog/12905.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+metrics: Service RPC calls less than 1ms are now emitted as a decimal number.
+```

.changelog/13388.txt

@@ -0,0 +1 @@
+agent: windows service health check

.changelog/13481.txt

@@ -0,0 +1,4 @@
+```release-note:improvement
+command: Add support for enabling TLS in the Envoy Prometheus endpoint via the `consul connect envoy` command. 
+Adds the `-prometheus-ca-file`, `-prometheus-ca-path`, `-prometheus-cert-file` and `-prometheus-key-file` flags.
+```

.changelog/13493.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli: Fix Consul kv CLI 'GET' flags 'keys' and 'recurse' to be set together
+```

.changelog/13532.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+telemetry: config flag `telemetry { disable_compat_1.9 = (true|false) }` has been removed. Before upgrading you should remove this flag from your config if the flag is being used.
+```

.changelog/13607.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Fix a bug that resulted in Lambda services not using the payload-passthrough option as expected.
+```

.changelog/13613.txt

@@ -0,0 +1,4 @@
+```release-note:feature
+connect: Adds a new `destination` field to the `service-default` config entry that allows routing egress traffic
+through a terminating gateway in transparent proxy mode without modifying the catalog.
+```

.changelog/13658.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+streaming: Added topics for `ingress-gateway`, `mesh`, `service-intentions` and `service-resolver` config entry events.
+```

.changelog/13677.txt

@@ -0,0 +1,4 @@
+```release-note:feature
+cli: A new flag for config delete to delete a config entry in a
+valid config file, e.g., config delete -filename intention-allow.hcl
+```

.changelog/13686.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+ui: Add new CopyableCode component and use it in certain pre-existing areas
+```

.changelog/13687.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+server: broadcast the public grpc port using lan serf and update the consul service in the catalog with the same data
+```

.changelog/13699.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Fix a bug where terminating gateway upstream clusters weren't configured properly when the service protocol was `http2`.
+```

.changelog/13722.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+streaming: Added topic that can be used to consume updates about the list of services in a datacenter
+```

.changelog/13782.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+deps: update to latest go-discover to provide ECS auto-discover capabilities.
+```

.changelog/13787.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli: when `acl token read` is used with the `-self` and `-expanded` flags, return an error instead of panicking
+```

.changelog/13807.txt

@@ -0,0 +1,6 @@
+```release-note: improvement
+connect: Add Envoy 1.23.0 to support matrix
+```
+```release-note: breaking-change
+connect: Removes support for Envoy 1.19
+```

.changelog/13847.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fixed a goroutine/memory leak that would occur when using the ingress gateway.
+```

.changelog/13958.txt

@@ -0,0 +1,4 @@
+```release-note:bug
+connect: Ingress gateways with a wildcard service entry should no longer pick up non-connect services as upstreams.
+connect: Terminating gateways with a wildcard service entry should no longer pick up connect services as upstreams.
+```

.changelog/13998.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: expose new tracing configuration on envoy
+```

.changelog/14021.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fixes an issue where client side validation errors were not showing in certain areas
+```

.changelog/14034.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli: When launching a sidecar proxy with `consul connect envoy` or `consul connect proxy`, the `-sidecar-for` service ID argument is now treated as case-insensitive.
+```

.changelog/14081.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Fixes an issue where an agent that fails to start due to bad addresses won't clean up any existing listeners
+```

.changelog/14119.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fixed some spurious issues during peering establishment when a follower is dialed
+```

.changelog/14132.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+raft: add an operator api endpoint and a command to initiate raft leadership transfer.
+```

.changelog/14149.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Fixed a compatibility issue when restoring snapshots from pre-1.13.0 versions of Consul [[GH-14107](https://github.com/hashicorp/consul/issues/14107)]
+```

.changelog/14161.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics
+```

.changelog/14162.txt

@@ -0,0 +1,5 @@
+```release-note:improvement
+config-entry: Validate that service-resolver `Failover`s and `Redirect`s only
+specify `Partition` and `Namespace` on Consul Enterprise. This prevents scenarios
+where OSS Consul would save service-resolvers that require Consul Enterprise.
+```

.changelog/14178.txt

@@ -0,0 +1,4 @@
+```release-note:breaking-change
+xds: Convert service mesh failover to use Envoy's aggregate clusters. This
+changes the names of some [Envoy dynamic HTTP metrics](https://www.envoyproxy.io/docs/envoy/latest/configuration/upstream/cluster_manager/cluster_stats#dynamic-http-statistics).
+```

.changelog/14233.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries
+```

.changelog/14238.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+envoy: adds additional Envoy outlier ejection parameters to passive health check configurations.
+```

.changelog/14244.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+client: add support for RemoveEmptyTags in Prepared Queries templates.
+```

.changelog/14269.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where `auto_config` and `auto_encrypt` could unintentionally enable TLS for gRPC xDS connections.
+```

.changelog/14285.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+connect: Server address changes are streamed to peers
+```

.changelog/14290.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+envoy: validate name before deleting proxy default configurations. 
+```

.changelog/14340.txt

@@ -0,0 +1,4 @@
+```release-note:feature
+connect: Add local_idle_timeout_ms to allow configuring the Envoy route idle timeout on local_app
+connect: Add IdleTimeout to service-router to allow configuring the Envoy route idle timeout
+```

.changelog/14343.txt

@@ -0,0 +1,4 @@
+```release-note:feature
+ui: Use withCredentials for all HTTP API requests
+```
+

.changelog/14356.txt

@@ -0,0 +1 @@
+xds: configure Envoy `alpn_protocols` for connect-proxy and ingress-gateway based on service protocol.

.changelog/14364.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: Fix issue preventing deletion and recreation of peerings in TERMINATED state.
+```

.changelog/14373.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+xds: Set `max_ejection_percent` on Envoy's outlier detection to 100% for peered services.
+```

.changelog/14378.txt

@@ -0,0 +1,5 @@
+```release-note:bug
+api: Fix a breaking change caused by renaming `QueryDatacenterOptions` to
+`QueryFailoverOptions`. This adds `QueryDatacenterOptions` back as an alias to
+`QueryFailoverOptions` and marks it as deprecated.
+```

.changelog/14395.txt

@@ -0,0 +1,4 @@
+```release-note:feature
+service-defaults: Added support for `local_request_timeout_ms` and
+`local_connect_timeout_ms` in servicedefaults config entry
+```

.changelog/14396.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+peering: Add support to failover to services running on cluster peers.
+```

.changelog/14397.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+xds: servers will limit the number of concurrent xDS streams they can handle to balance the load across all servers
+```

.changelog/14423.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+cli: Adds new subcommands for `peering` workflows. Refer to the [CLI docs](https://www.consul.io/commands/peering) for more information.
+```

.changelog/14429.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring.
+```

.changelog/14433.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+checks: If set, use proxy address for automatically added sidecar check instead of service address.
+```

.changelog/14437.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+acl: Added option to allow for an operator-generated bootstrap token to be passed to the `acl bootstrap` command.
+```

.changelog/14445.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+peering: Add support to redirect to services running on cluster peers with service resolvers.
+```

.changelog/14465.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+dns: support RFC 2782 SRV lookups for prepared queries using format `_<query id or name>._tcp.query[.<datacenter>].<domain>`.
+```

.changelog/14474.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+http: Add new `get-or-empty` operation to the txn api. Refer to the [API docs](https://www.consul.io/api-docs/txn#kv-operations) for more information.
+```

.changelog/14475.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+metrics: Add duplicate metrics that have only a single "consul_" prefix for all existing metrics with double ("consul_consul_") prefix, with the intent to standardize on single prefixes.
+```

.changelog/14495.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+ui: Detect a TokenSecretID cookie and passthrough to localStorage
+```

.changelog/14516.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed.
+```

.changelog/14521.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Reuse connections for requests to /v1/internal/ui/metrics-proxy/
+```

.changelog/14527.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Improve guidance around topology visualisation
+```

.changelog/14556.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+peering: adds an internally managed server certificate for automatic TLS between servers in peer clusters.
+```

.changelog/14563.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+peering: Validate peering tokens for server name conflicts
+```

.changelog/14573.txt

@@ -0,0 +1,3 @@
+```release-note: improvement
+connect: Bump latest Envoy to 1.23.1 in test matrix
+```

.changelog/14577.txt

@@ -0,0 +1,3 @@
+```release-note:security
+auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr.
+```

.changelog/14579.txt

@@ -0,0 +1,3 @@
+```release-note:security
+connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the `ConnectCA.Sign` endpoint. The endpoint now only allows for exactly one SAN URI to be specified.
+```

.changelog/14598.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster.
+```

.changelog/14599.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+api: Increase max number of operations inside a transaction for requests to /v1/txn (128)
+```

.changelog/14604.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+ui: Added support for central config merging
+```

.changelog/14606.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Removed Overview page from HCP instalations
+```

.changelog/14616.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+connect: Add Envoy connection balancing configuration fields.
+```

.changelog/14619.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+checks: Do not set interval as timeout value
+```

.changelog/14679.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+dns: **(Enterprise Only)** All enterprise locality labels are now optional in DNS lookups. For example, service lookups support the following format: `[<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>`.
+```

.changelog/14723.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+agent/hcp: add initial HashiCorp Cloud Platform integration
+```

.changelog/14724.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+peering: Add support for stale queries for trust bundle lookups
+```

.changelog/14747.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+peering: return information about the health of the peering when the leader is queried to read a peering.
+```

.changelog/14749.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+config-entry(ingress-gateway): Added support for `max_connections` for upstream clusters
+```

.changelog/14751.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fixed a bug where transparent proxy does not correctly spawn listeners for upstreams to service-resolvers.
+```

.changelog/14796.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+peering: require TLS for peering connections using server cert signed by Connect CA
+```

.changelog/14797.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+peering: Ensure un-exported services get deleted even if the un-export happens while cluster peering replication is down.
+```

.changelog/14800.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Added gateway options to Envoy proxy config for enabling tcp keepalives on terminating gateway upstreams and mesh gateways in remote datacenters.
+```

.changelog/14811.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+DNS-proxy support via gRPC request.
+```

.changelog/14817.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+peering: Add mesh gateway local mode support for cluster peering.
+```

.changelog/14831.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5
+```

.changelog/14832.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+agent: Give better error when client specifies wrong datacenter when auto-encrypt is enabled.
+```

.changelog/14833.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+cli: always use name "global" for proxy-defaults config entries
+```

.changelog/14854.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+peering: Rename `PeerName` to `Peer` on prepared queries and exported services.
+```

.changelog/14869.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+grpc: Merge proxy-defaults and service-defaults in GetEnvoyBootstrapParams response.
+```