Backport of Dockerfile: bump up to ubi-minimal:9.3 into release/1.17.x

.changelog/18994.txt

@@ -12,12 +12,6 @@ environments.
 * The v1 and v2 catalog APIs cannot run concurrently.
 * The Consul UI does not support multi-port services or the v2 catalog API in this release.
 * HCP Consul does not support multi-port services or the v2 catalog API in this release.
-* The v2 API only supports transparent proxy mode where services that have permissions to connect to each other can use
-  Kube DNS to connect.
-
-### Known Issues
-* When using the v2 API with transparent proxy, Kubernetes pods cannot use L7 liveness, readiness, or startup probes.
-
 
 [[Catalog resource controllers]](https://github.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/internal/catalog/internal/controllers)
 [[Mesh resource controllers]](https://github.com/hashicorp/consul/tree/e6b724d06249d3e62cd75afe3ee6042ba1fd5415/internal/mesh/internal/controllers)

.changelog/19225.txt

@@ -0,0 +1,9 @@
+```release-note:security
+Upgrade Go to 1.20.10.
+This resolves vulnerability [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
+/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)(`net/http`).
+```
+```release-note:security
+Update `golang.org/x/net` to v0.17.0 to address [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
+/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)(`x/net/http2`).
+```

.changelog/19268.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Mesh Gateways: Fix a bug where replicated and peered mesh gateways with hostname-based WAN addresses fail to initialize.
+```

.changelog/19274.txt

@@ -0,0 +1,3 @@
+```release-note:security
+connect: update supported envoy versions to 1.24.12, 1.25.11, 1.26.6, 1.27.2 to address [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```

.changelog/19285.txt

@@ -0,0 +1,7 @@
+```release-note:bug
+ca: Fix bug with Vault CA provider where token renewal goroutines could leak if CA failed to initialize.
+```
+
+```release-note:bug
+ca: Fix bug with Vault CA provider where renewing a retracted token would cause retries in a tight loop, degrading performance.
+```

.changelog/19314.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+raft: upgrade raft-wal library version to 0.4.1.
+```

.changelog/19339.txt

@@ -0,0 +1,4 @@
+```release-note:bug
+connect: Fix bug where uncleanly closed xDS connections would influence connection balancing for too long and prevent envoy instances from starting. Two new configuration fields
+`performance.grpc_keepalive_timeout` and `performance.grpc_keepalive_interval` now exist to allow for configuration on how often these dead connections will be cleaned up.
+```

.changelog/19342.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+Replaces UI Side Nav with Helios Design System Side Nav. Adds dc/partition/namespace searching in Side Nav.
+```

.changelog/19389.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+cli: stop simultaneous usage of -templated-policy and -templated-policy-file when creating a role or token.
+```

.changelog/19414.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrade `google.golang.org/grpc` to 1.56.3.
+This resolves vulnerability [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487).
+```

.changelog/19503.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+wan-federation: Fix a bug where servers wan-federated through mesh-gateways could crash due to overlapping LAN IP addresses.
+```

.changelog/19549.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: clear peer on home logo link
+```

.changelog/19586.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fix being able to view peered services from non-default namnespaces
+```

.changelog/19594.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: move nspace and partitions requests into their selector menus
+```

.changelog/19663.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Default `stats_flush_interval` to 60 seconds when using the Consul Telemetry Collector, unless custom stats sink are present or an explicit flush interval is configured.
+```

.changelog/19666.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+api: Add support for listing ACL tokens by service name when using templated policies.
+```

.changelog/19679.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+CLI: fix a panic when deleting a non existing policy by name.
+```

.changelog/19682.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+cloud: push additional server TLS metadata to HCP
+```

.changelog/19705.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update `github.com/golang-jwt/jwt/v4` to v4.5.0 to address [PRISMA-2022-0270](https://github.com/golang-jwt/jwt/issues/258).
+```

.changelog/19721.txt

@@ -0,0 +1,6 @@
+```release-note:improvement
+metrics: modify consul.client.rpc metric to exclude internal retries for consistency with consul.client.rpc.exceeded and consul.client.rpc.failed
+```
+```release-note:improvement
+metrics: increment consul.client.rpc.failed if RPC fails because no servers are accessible
+```

.changelog/19728.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+acl: add api-gateway templated policy
+```

.changelog/19735.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+acl: add templated policy descriptions
+```

.changelog/19795.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+wan-federation: use a hash to diff config entries when replicating in the secondary DC to avoid unnecessary writes..
+```

.changelog/19821.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+cli: Adds new subcommand `peering exported-services` to list services exported to a peer . Refer to the [CLI docs](https://developer.hashicorp.com/consul/commands/peering) for more information.
+```

.changelog/19827.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+acl: Adds nomad client templated policy
+```

.changelog/19829.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+mesh: parse the proxy-defaults protocol when write the config-entry to avoid parsing it when compiling the discovery chain.
+```

.changelog/19840.txt

@@ -0,0 +1,7 @@
+```release-note:security
+Upgrade to use Go 1.20.12. This resolves CVEs
+[CVE-2023-45283](https://nvd.nist.gov/vuln/detail/CVE-2023-45283): (`path/filepath`) recognize \??\ as a Root Local Device path prefix (Windows)
+[CVE-2023-45284](https://nvd.nist.gov/vuln/detail/CVE-2023-45285): recognize device names with trailing spaces and superscripts (Windows)
+[CVE-2023-39326](https://nvd.nist.gov/vuln/detail/CVE-2023-39326): (`net/http`) limit chunked data overhead
+[CVE-2023-45285](https://nvd.nist.gov/vuln/detail/CVE-2023-45285): (`cmd/go`) go get may unexpectedly fallback to insecure git 
+```

.changelog/19860.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Solves an issue where two upstream services with the same name in different namespaces were not getting routed to correctly by API Gateways.
+```

.changelog/19866.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: ensure child resources are re-sent to Envoy when the parent is updated even if the child already has pending updates.
+```

.changelog/19871.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Add configurable `xds_fetch_timeout_ms` option to proxy registrations that allows users to prevent endpoints from dropping when they have proxies with a large number of upstreams.
+```

.changelog/19907.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: stop manually reconciling services if peering is enabled
+```

.changelog/19912.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: update token list on Role details page to show only linked tokens
+```

.changelog/19940.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+xds: remove usages of deprecated Envoy fields: `envoy.config.cluster.v3.Cluster.http2_protocol_options`, `envoy.config.bootstrap.v3.Admin.access_log_path`
+```

.changelog/19943.txt

@@ -0,0 +1,3 @@
+```release-note:deprecation
+cli: Deprecate the `-admin-access-log-path` flag from `consul connect envoy` command in favor of: `-admin-access-log-config`.
+```

.changelog/20014.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade OpenShift container images to use `ubi9-minimal:9.3` as the base image.
+```

.changelog/_7406.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+server: **(Enterprise Only)** Fixed an issue where snake case keys were rejected when configuring the control-plane-request-limit config entry
+```

.changelog/_7773.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+prepared-query: (Enterprise-only) Fix issue where sameness-group failover targets to peers would attempt to query data from the default partition, rather than the sameness-group's partition always.
+```

.github/scripts/set_test_package_matrix.sh

@@ -6,6 +6,6 @@ set -euo pipefail
 export RUNNER_COUNT=$1
 
 # set matrix var to list of unique packages containing tests
-matrix="$(go list -json="ImportPath,TestGoFiles" ./... | jq --compact-output '. | select(.TestGoFiles != null) | .ImportPath' | jq --slurp --compact-output '.' | jq --argjson runnercount $RUNNER_COUNT  -cM '[_nwise(length / $runnercount | floor)]'))"
+matrix="$(go list -json="ImportPath,TestGoFiles" ./... | jq --compact-output '. | select(.TestGoFiles != null) | .ImportPath' | shuf | jq --slurp --compact-output '.' | jq --argjson runnercount $RUNNER_COUNT  -cM '[_nwise(length / $runnercount | floor)]'))"
 
 echo "matrix=${matrix}" >> "${GITHUB_OUTPUT}"

.github/scripts/verify_envoy_version.sh

@@ -4,7 +4,7 @@
 
 set -euo pipefail
 
-current_branch=$GITHUB_REF
+current_branch=$GITHUB_REF_NAME
 GITHUB_DEFAULT_BRANCH='main'
 
 if [ -z "$GITHUB_TOKEN" ]; then
@@ -13,10 +13,15 @@ if [ -z "$GITHUB_TOKEN" ]; then
 fi
 
 if [ -z "$current_branch" ]; then
-  echo "GITHUB_REF must be set"
+  echo "GITHUB_REF_NAME must be set"
   exit 1
 fi
 
+if [[ "$SKIP_VERIFY_ENVOY_VERSION" = "true" ]]; then
+  echo -e "*************** VERIFY ENVOY VERSION IS DISABLED. To enable, update environment variable in Github settings *****************"
+  exit 0
+fi
+
 # Get Consul and Envoy version 
 SCRIPT_DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
 pushd $SCRIPT_DIR/../.. # repository root
@@ -76,7 +81,6 @@ released_envoy_version=$(get_latest_envoy_version)
 major_released_envoy_version="${released_envoy_version[@]:1:4}"
 
 validate_envoy_version_main(){
-  echo "verify "main" GitHub branch has latest envoy version"
   # Get envoy version for current branch
   ENVOY_VERSIONS=$(sanitize_consul_envoy_version | awk '{print $2}' | tr ',' ' ')
   envoy_version_main_branch=$(get_major_version ${ENVOY_VERSIONS})
@@ -118,8 +122,8 @@ echo checking out branch: "${current_branch}"
 git checkout "${current_branch}"
 
 echo
-echo "Branch ${current_branch} =>Consul version: ${CONSUL_VERSION}; Envoy Version: ${ENVOY_VERSIONS}" 
-echo "Branch ${GITHUB_DEFAULT_BRANCH} =>Consul version: ${CONSUL_VERSION_DEFAULT_BRANCH}; Envoy Version: ${ENVOY_VERSIONS_DEFAULT_BRANCH}" 
+echo "Branch ${current_branch} => Consul version: ${CONSUL_VERSION}; Envoy Version: ${ENVOY_VERSIONS}" 
+echo "Branch ${GITHUB_DEFAULT_BRANCH} => Consul version: ${CONSUL_VERSION_DEFAULT_BRANCH}; Envoy Version: ${ENVOY_VERSIONS_DEFAULT_BRANCH}" 
 
 ## Get major Consul and Envoy versions on release and default branch
 MAJOR_CONSUL_VERSION=$(get_major_version ${CONSUL_VERSION})