Backport of Add NET_BIND_SERVICE to the security context in the deployment of Mesh Gateway (NET-6463) into release/1.0.x

.changelog/1770.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+control-plane: server ACL Init always appends both, the secrets from the serviceAccount's secretRefs and the one created by the Helm chart, to support Openshift secret handling.
+```

.changelog/1808.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: add missing  `$HOST_IP` environment variable to to mesh gateway deployments.
+```

.changelog/1934.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+control-plane: update alpine to 3.17 in the Docker image.
+```

.changelog/1953.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: update `imageConsulDataplane` value to `hashicorp/consul-dataplane:1.1.0`.
+```

.changelog/1976.txt

@@ -0,0 +1,3 @@
+```release-note:security
+upgrade to use Go 1.19.6. This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http.
+```

.changelog/2008.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Set default `limits.cpu` resource setting to `null` for `consul-connect-inject-init` container to speed up registration times when onboarding services onto the mesh during the init container lifecycle. 
+```

.changelog/2013.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: fix issue where specifying an external server SNI name while using client nodes resulted in a TLS verification error.
+```

.changelog/2068.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+sync-catalog: fix issue where the sync-catalog ACL token were set with an incorrect ENV VAR.
+```

.changelog/2078.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+cli: Add `consul-k8s config read` command that returns the helm configuration in yaml format.
+```

.changelog/2083.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: fix issue where the API Gateway controller is unable to start up successfully when Vault is configured as the secrets backend
+```

.changelog/2098.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+sync-catalog: add ability to sync hostname from a Kubernetes Ingress resource to the Consul Catalog during service registration.
+```

.changelog/2108.txt

@@ -0,0 +1,12 @@
+```release-note:security
+Upgrade to use Go 1.19.9.
+This resolves vulnerabilities [CVE-2023-24537](https://github.com/advisories/GHSA-9f7g-gqwh-jpf5)(`go/scanner`),
+[CVE-2023-24538](https://github.com/advisories/GHSA-v4m2-x4rp-hv22)(`html/template`),
+[CVE-2023-24534](https://github.com/advisories/GHSA-8v5j-pwr7-w5f8)(`net/textproto`) and
+[CVE-2023-24536](https://github.com/advisories/GHSA-9f7g-gqwh-jpf5)(`mime/multipart`).
+Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs [CVE-2022-41721
+](https://github.com/advisories/GHSA-fxg5-wq6x-vr4w
+), [CVE-2022-27664](https://github.com/advisories/GHSA-69cg-p879-7622) and [CVE-2022-41723
+](https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
+.)
+```

.changelog/2140.txt

@@ -0,0 +1,4 @@
+```release-note:improvement
+helm: update `imageConsulDataplane` value to `hashicorp/consul-dataplane:1.0.2`, `image` value to `hashicorp/consul:1.14.7`, 
+and `imageEnvoy` to `envoyproxy/envoy:v1.24.7`.
+```

.changelog/2156.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: add support for idleTimeout in the Service Router config
+```

.changelog/2159.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: fix issue with json tags of service defaults fields EnforcingConsecutive5xx, MaxEjectionPercent and BaseEjectionTime.
+```

.changelog/2176.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: fix issue with multiport pods crashlooping due to dataplane port conflicts by ensuring dns redirection is disabled for non-tproxy pods
+```

.changelog/2194.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+crd: fix bug on service intentions CRD causing some updates to be ignored.
+```

.changelog/2204.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Bump Dockerfile base image for RedHat UBI `consul-k8s-control-plane` image to `ubi-minimal:9.2`. 
+```

.changelog/2225.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Bump `controller-runtime` to address CVEs in dependencies.
+```

.changelog/2233.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+Add support for configuring graceful shutdown proxy lifecycle management settings.
+```

.changelog/2249.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Update the default amount of memory used by the connect-inject controller so that its less likely to get OOM killed.
+```

.changelog/2265.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+(Consul Enterprise) Add support to provide inputs via helm for audit log related configuration
+```

.changelog/2266.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: Fix casing of the Enforce Consecutive 5xx field on Service Defaults and acceptance test fixtures.
+```

.changelog/2284.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Bump Dockerfile base image to `alpine:3.18`. Resolves [CVE-2023-2650](https://github.com/advisories/GHSA-gqxg-9vfr-p9cg) vulnerability in openssl@3.0.8-r4
+```

.changelog/2293.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+sync-catalog: add ability to support weighted loadbalancing by service annotation `consul.hashicorp.com/service-weight: <number>`
+```

.changelog/2302.txt

@@ -0,0 +1,12 @@
+```release-note:improvement
+Add support to provide the logLevel flag via helm for multiple low level components. Introduces the following fields
+1. `global.acls.logLevel`
+2. `global.tls.logLevel`
+3. `global.federation.logLevel`
+4. `global.gossipEncryption.logLevel`
+5. `server.logLevel`
+6. `client.logLevel`
+7. `meshGateway.logLevel`
+8. `ingressGateways.logLevel`
+9. `terminatingGateways.logLevel`
+```

.changelog/2390.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update [Go-Discover](https://github.com/hashicorp/go-discover) in the container has been updated to address [CVE-2020-14040](https://github.com/advisories/GHSA-5rcv-m4m3-hfh7)
+```

.changelog/2392.txt

@@ -0,0 +1,6 @@
+```release-note:breaking-change
+control-plane: All policies managed by consul-k8s will now be updated on upgrade. If you previously edited the policies after install, your changes will be overwritten.
+```
+```release-note:bug
+control-plane: Always update ACL policies upon upgrade.
+```

.changelog/2416.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+helm: Adds `acls.resources` field which can be configured to override the `resource` settings for the `server-acl-init` and `server-acl-init-cleanup` Jobs.
+```

.changelog/2525.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: adds values for `securityContext` and `annotations` on TLS and ACL init/cleanup jobs.
+```

.changelog/2571.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: fix bug in endpoints controller when deregistering services from consul when a node is deleted.
+```

.changelog/2572.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: set container securityContexts to match the `restricted` Pod Security Standards policy to support running Consul in a namespace with restricted PSA enforcement enabled
+```

.changelog/2650.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrade to use Go 1.19.11 and `x/net/http` 0.12.0.
+This resolves [CVE-2023-29406](https://github.com/advisories/GHSA-f8f7-69v5-w4vx)(`net/http`).
+```

.changelog/2652.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: fix CONSUL_LOGIN_DATACENTER for consul client-daemonset.
+```

.changelog/2656.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+control-plane: increase timeout after login for ACL replication to 60 seconds
+```

.changelog/2678.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: do not set container securityContexts by default on OpenShift < 4.11
+```

.changelog/2687.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: fix ui ingress manifest formatting, and exclude `ingressClass` when not defined.
+```

.changelog/2717.txt

@@ -0,0 +1,5 @@
+```release-note:security
+Upgrade to use Go 1.19.12 and `x/net` 0.13.0.
+This resolves [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409)(`crypto/tls`) 
+and [CVE-2023-3978](https://nvd.nist.gov/vuln/detail/CVE-2023-3978)(`net/html`).
+```

.changelog/2755.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: When using transparent proxy or CNI, reduced required permissions by setting privileged to false. Privileged must be true when using OpenShift without CNI.
+```

.changelog/2782.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: Update prometheus port and scheme annotations if tls is enabled
+```

.changelog/2785.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+Add new value `global.argocd.enabled`. Set this to `true` when using ArgoCD to deploy this chart.
+```

.changelog/2787.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+Add NET_BIND_SERVICE capability to restricted security context used for consul-dataplane
+```

.changelog/2790.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+control-plane: prevent updation of anonymous-token-policy and anonymous-token if anonymous-token-policy is already attached to the anonymous-token
+```

.changelog/2808.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: Fix issue where ACL tokens would have an empty pod name that prevented proper token cleanup.
+```

.changelog/2841.txt

@@ -0,0 +1,5 @@
+```release-note:improvement
+vault: Adds `namespace` to `secretsBackend.vault.connectCA` in Helm chart and annotation: "vault.hashicorp.com/namespace: namespace" to
+secretsBackend.vault.agentAnnotations, if "vault.hashicorp.com/namespace" annotation is not present.
+This provides a more convenient way to specify the Vault namespace than nested JSON in `connectCA.additionalConfig`.
+```

.changelog/2905.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+audit-log: fix parsing error for some audit log configuration fields fail with uncovertible string to integer errors. 
+```

.changelog/2910.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+control-plane: Improve performance for pod deletions by reducing the number of fetched tokens.
+```

.changelog/2938.txt

@@ -0,0 +1,8 @@
+```release-note:security
+Upgrade to use Go 1.19.13. This resolves CVEs
+[CVE-2023-39320](https://github.com/advisories/GHSA-rxv8-v965-v333) (`cmd/go`),
+[CVE-2023-39318](https://github.com/advisories/GHSA-vq7j-gx56-rxjh) (`html/template`),
+[CVE-2023-39319](https://github.com/advisories/GHSA-vv9m-32rr-3g55) (`html/template`),
+[CVE-2023-39321](https://github.com/advisories/GHSA-9v7r-x7cv-v437) (`crypto/tls`), and
+[CVE-2023-39322](https://github.com/advisories/GHSA-892h-r6cr-53g4) (`crypto/tls`)
+```

.changelog/3085.txt

@@ -0,0 +1,5 @@
+```release-note:security
+Upgrade to use Go 1.20.10 and `x/net` 0.17.0.
+This resolves [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
+/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487).
+```

.changelog/3121.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update Envoy version to 1.24.12 to address [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```

.changelog/3139.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrade `google.golang.org/grpc` to 1.56.3.
+This resolves vulnerability [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487).
+```

.changelog/3210.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: Only delete ACL tokens matched Pod UID in Service Registration metadata 
+```

.changelog/changelog.tmpl

@@ -0,0 +1,57 @@
+{{- if index .NotesByType "breaking-change" -}}
+BREAKING CHANGES:
+
+{{range index .NotesByType "breaking-change" -}}
+* {{ template "note" . }}
+{{ end -}}
+{{- end -}}
+
+{{- if .NotesByType.security }}
+SECURITY:
+
+{{range .NotesByType.security -}}
+* {{ template "note" . }}
+{{ end -}}
+{{- end -}}
+
+{{- if .NotesByType.feature }}
+FEATURES:
+
+{{range .NotesByType.feature -}}
+* {{ template "note" . }}
+{{ end -}}
+{{- end -}}
+
+{{- $improvements := combineTypes .NotesByType.improvement .NotesByType.enhancement -}}
+{{- if $improvements }}
+IMPROVEMENTS:
+
+{{range $improvements | sort -}}
+* {{ template "note" . }}
+{{ end -}}
+{{- end -}}
+
+{{- if .NotesByType.deprecation }}
+DEPRECATIONS:
+
+{{range .NotesByType.deprecation -}}
+* {{ template "note" . }}
+{{ end -}}
+{{- end -}}
+
+{{- if .NotesByType.bug }}
+BUG FIXES:
+
+{{range .NotesByType.bug -}}
+* {{ template "note" . }}
+{{ end -}}
+{{- end -}}
+
+{{- if .NotesByType.note }}
+NOTES:
+
+{{range .NotesByType.note -}}
+* {{ template "note" . }}
+{{ end -}}
+{{- end -}}
+

.changelog/note.tmpl

@@ -0,0 +1,3 @@
+{{- define "note" -}}
+{{.Body}}{{if not (stringHasPrefix .Issue "_")}} [[GH-{{- .Issue -}}](https://github.com/hashicorp/consul-k8s/issues/{{- .Issue -}})]{{end}}
+{{- end -}}