backport of commit 1ac7988

.changelog/14930.txt

@@ -0,0 +1 @@
+peering: remove ServerExternalAddresses parameter from token generation endpoint.

.changelog/14971.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+ui: Display notice banner on nodes index page if synthetic nodes are being filtered.
+```

.changelog/15035.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect/ca: Log a warning message instead of erroring when attempting to update the intermediate pki mount when using the Vault provider.
+```

.changelog/15050.txt

@@ -0,0 +1,6 @@
+```release-note:feature
+cli: Add `-consul-dns-port` flag to the `consul connect redirect-traffic` command to allow forwarding DNS traffic to a specific Consul DNS port.
+```
+```release-note:feature
+sdk: Configure `iptables` to forward DNS traffic to a specific DNS port.
+```

.changelog/15065.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: fix the error of wan address isn't taken by the peering token.
+```

.changelog/15068.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+deps: update go-memdb, fixing goroutine leak [[GH-15010](https://github.com/hashicorp/consul/issues/15010)]
+```

.changelog/15090.txt

@@ -0,0 +1,3 @@
+```release-note:note
+deps: Upgrade to use Go 1.19.2
+```

.changelog/15108.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+peering: when wan address is set, peering stream should use the wan address.
+```

.circleci/bash_env.sh

@@ -6,5 +6,5 @@ export GIT_DIRTY=$(test -n "`git status --porcelain`" && echo "+CHANGES" || true
 export GIT_IMPORT=github.com/hashicorp/consul/version
 # we're using this for build date because it's stable across platform builds
 # the env -i and -noprofile are used to ensure we don't try to recursively call this profile when starting bash
-export GIT_DATE=$(env -i /bin/bash --noprofile -norc ${CIRCLE_WORKING_DIRECTORY}/build-support/scripts/build-date.sh)
+export GIT_DATE=$(env -i /bin/bash --noprofile -norc /home/circleci/project/build-support/scripts/build-date.sh)
 export GOLDFLAGS="-X ${GIT_IMPORT}.GitCommit=${GIT_COMMIT}${GIT_DIRTY} -X ${GIT_IMPORT}.BuildDate=${GIT_DATE}"

.circleci/config.yml

@@ -22,7 +22,7 @@ references:
     S3_ARTIFACT_BUCKET: consul-dev-artifacts-v2
     BASH_ENV: .circleci/bash_env.sh
     VAULT_BINARY_VERSION: 1.9.4
-    GO_VERSION: 1.18.1
+    GO_VERSION: 1.19.2
   envoy-versions: &supported_envoy_versions
     - &default_envoy_version "1.20.7"
     - "1.21.5"
@@ -35,7 +35,7 @@ references:
   images:
     # When updating the Go version, remember to also update the versions in the
     # workflows section for go-test-lib jobs.
-    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.18.1
+    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.19.2
     ember: &EMBER_IMAGE docker.mirror.hashicorp.services/circleci/node:14-browsers
     ubuntu: &UBUNTU_CI_IMAGE ubuntu-2004:202201-02
   cache:
@@ -130,8 +130,6 @@ commands:
     steps:
       - attach_workspace:
           at: /home/circleci/go/bin
-      - run: sudo apt-get update --allow-releaseinfo-change-suite --allow-releaseinfo-change-version && sudo apt-get install -y rsyslog
-      - run: sudo service rsyslog start
       - run: go mod download
       - run:
           name: go test
@@ -1069,26 +1067,26 @@ workflows:
       - dev-build: *filter-ignore-non-go-branches
       - go-test:
           requires: [dev-build]
-      - go-test-lib:
-          name: "go-test-api go1.17"
-          path: api
-          go-version: "1.17"
-          requires: [dev-build]
       - go-test-lib:
           name: "go-test-api go1.18"
           path: api
           go-version: "1.18"
           requires: [dev-build]
       - go-test-lib:
-          name: "go-test-sdk go1.17"
-          path: sdk
-          go-version: "1.17"
-          <<: *filter-ignore-non-go-branches
+          name: "go-test-api go1.19"
+          path: api
+          go-version: "1.19"
+          requires: [ dev-build ]
       - go-test-lib:
           name: "go-test-sdk go1.18"
           path: sdk
           go-version: "1.18"
           <<: *filter-ignore-non-go-branches
+      - go-test-lib:
+          name: "go-test-sdk go1.19"
+          path: sdk
+          go-version: "1.19"
+          <<: *filter-ignore-non-go-branches
       - go-test-race: *filter-ignore-non-go-branches
       - go-test-32bit: *filter-ignore-non-go-branches
       - noop

.github/workflows/build.yml

@@ -71,15 +71,15 @@ jobs:
     strategy:
       matrix:
         include:
-          - {go: "1.18.1", goos: "linux", goarch: "386"}
-          - {go: "1.18.1", goos: "linux", goarch: "amd64"}
-          - {go: "1.18.1", goos: "linux", goarch: "arm"}
-          - {go: "1.18.1", goos: "linux", goarch: "arm64"}
-          - {go: "1.18.1", goos: "freebsd", goarch: "386"}
-          - {go: "1.18.1", goos: "freebsd", goarch: "amd64"}
-          - {go: "1.18.1", goos: "windows", goarch: "386"}
-          - {go: "1.18.1", goos: "windows", goarch: "amd64"}
-          - {go: "1.18.1", goos: "solaris", goarch: "amd64"}
+          - {go: "1.19.2", goos: "linux", goarch: "386"}
+          - {go: "1.19.2", goos: "linux", goarch: "amd64"}
+          - {go: "1.19.2", goos: "linux", goarch: "arm"}
+          - {go: "1.19.2", goos: "linux", goarch: "arm64"}
+          - {go: "1.19.2", goos: "freebsd", goarch: "386"}
+          - {go: "1.19.2", goos: "freebsd", goarch: "amd64"}
+          - {go: "1.19.2", goos: "windows", goarch: "386"}
+          - {go: "1.19.2", goos: "windows", goarch: "amd64"}
+          - {go: "1.19.2", goos: "solaris", goarch: "amd64"}
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
@@ -172,7 +172,7 @@ jobs:
       matrix:
         goos: [ darwin ]
         goarch: [ "amd64", "arm64" ]
-        go: [ "1.18.1" ]
+        go: [ "1.19.2" ]
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
@@ -272,7 +272,7 @@ jobs:
           version: ${{env.version}}
           target: ubi
           arch: amd64
-          redhat_tag: scan.connect.redhat.com/ospid-60f9fdbec3a80eac643abedf/${{env.repo}}:${{env.version}}-ubi
+          redhat_tag: quay.io/redhat-isv-containers/60f9fdbec3a80eac643abedf:${{env.version}}-ubi
           smoke_test: .github/scripts/verify_docker.sh v${{ env.version }}
 
   build-docker-ubi-dockerhub:

.golangci.yml

@@ -23,10 +23,10 @@ issues:
       text: 'SA9004:'
 
     - linters: [staticcheck]
-      text: 'SA1019: Package github.com/golang/protobuf/jsonpb is deprecated'
+      text: 'SA1019: "github.com/golang/protobuf/jsonpb" is deprecated: Use the "google.golang.org/protobuf/encoding/protojson" package instead.'
 
     - linters: [staticcheck]
-      text: 'SA1019: Package github.com/golang/protobuf/proto is deprecated'
+      text: 'SA1019: "github.com/golang/protobuf/proto" is deprecated: Use the "google.golang.org/protobuf/proto" package instead.'
 
     - linters: [staticcheck]
       text: 'SA1019: ptypes.MarshalAny is deprecated'
@@ -35,7 +35,10 @@ issues:
       text: 'SA1019: ptypes.UnmarshalAny is deprecated'
 
     - linters: [staticcheck]
-      text: 'SA1019: package github.com/golang/protobuf/ptypes is deprecated'  
+      text: 'SA1019: "github.com/golang/protobuf/ptypes" is deprecated: Well-known types have specialized functionality directly injected into the generated packages for each message type. See the deprecation notice for each function for the suggested alternative.'
+
+    - linters: [staticcheck]
+      text: 'SA1019: "io/ioutil" has been deprecated since Go 1.16'
 
     # An argument that always receives the same value is often not a problem.
     - linters: [unparam]
@@ -67,6 +70,14 @@ issues:
       path: '(_oss.go|_oss_test.go|_ent.go|_ent_test.go)'
 
 linters-settings:
+  govet:
+    check-shadowing: true
+    enable-all: true
+    disable:
+      - fieldalignment
+      - nilness
+      - shadow
+      - unusedwrite
   gofmt:
     simplify: true
   forbidigo:

CHANGELOG.md

@@ -1,3 +1,70 @@
+## 1.13.3 (October 19, 2022)
+
+FEATURES:
+
+* agent: Added a new config option `rpc_client_timeout` to tune timeouts for client RPC requests [[GH-14965](https://github.com/hashicorp/consul/issues/14965)]
+* config-entry(ingress-gateway): Added support for `max_connections` for upstream clusters [[GH-14749](https://github.com/hashicorp/consul/issues/14749)]
+
+IMPROVEMENTS:
+
+* connect/ca: Log a warning message instead of erroring when attempting to update the intermediate pki mount when using the Vault provider. [[GH-15035](https://github.com/hashicorp/consul/issues/15035)]
+* connect: Added gateway options to Envoy proxy config for enabling tcp keepalives on terminating gateway upstreams and mesh gateways in remote datacenters. [[GH-14800](https://github.com/hashicorp/consul/issues/14800)]
+* connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 [[GH-14828](https://github.com/hashicorp/consul/issues/14828)]
+* licensing: **(Enterprise Only)** Consul Enterprise production licenses do not degrade or terminate Consul upon expiration. They will only fail when trying to upgrade to a newer version of Consul. Evaluation licenses still terminate. [[GH-1990](https://github.com/hashicorp/consul/issues/1990)]
+
+BUG FIXES:
+
+* agent: avoid leaking the alias check runner goroutine when the check is de-registered [[GH-14935](https://github.com/hashicorp/consul/issues/14935)]
+* ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one [[GH-15005](https://github.com/hashicorp/consul/issues/15005)]
+* cache: prevent goroutine leak in agent cache [[GH-14908](https://github.com/hashicorp/consul/issues/14908)]
+* checks: Fixed a bug that prevented registration of UDP health checks from agent configuration files, such as service definition files with embedded health check definitions. [[GH-14885](https://github.com/hashicorp/consul/issues/14885)]
+* connect: Fixed a bug where transparent proxy does not correctly spawn listeners for upstreams to service-resolvers. [[GH-14751](https://github.com/hashicorp/consul/issues/14751)]
+* snapshot-agent: **(Enterprise only)** Fix a bug when a session is not found in Consul, which leads the agent to panic.
+
+## 1.12.6 (October 19, 2022)
+
+FEATURES:
+
+* agent: Added a new config option `rpc_client_timeout` to tune timeouts for client RPC requests [[GH-14965](https://github.com/hashicorp/consul/issues/14965)]
+* agent: Added information about build date alongside other version information for Consul. Extended /agent/self endpoint and `consul version` commands
+to report this. Agent also reports build date in log on startup. [[GH-13357](https://github.com/hashicorp/consul/issues/13357)]
+* config-entry(ingress-gateway): Added support for `max_connections` for upstream clusters [[GH-14749](https://github.com/hashicorp/consul/issues/14749)]
+
+IMPROVEMENTS:
+
+* connect/ca: Log a warning message instead of erroring when attempting to update the intermediate pki mount when using the Vault provider. [[GH-15035](https://github.com/hashicorp/consul/issues/15035)]
+* connect: Added gateway options to Envoy proxy config for enabling tcp keepalives on terminating gateway upstreams and mesh gateways in remote datacenters. [[GH-14800](https://github.com/hashicorp/consul/issues/14800)]
+* connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 [[GH-14829](https://github.com/hashicorp/consul/issues/14829)]
+* licensing: **(Enterprise Only)** Consul Enterprise production licenses do not degrade or terminate Consul upon expiration. They will only fail when trying to upgrade to a newer version of Consul. Evaluation licenses still terminate. [[GH-1990](https://github.com/hashicorp/consul/issues/1990)]
+
+BUG FIXES:
+
+* agent: avoid leaking the alias check runner goroutine when the check is de-registered [[GH-14935](https://github.com/hashicorp/consul/issues/14935)]
+* ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one [[GH-15005](https://github.com/hashicorp/consul/issues/15005)]
+* cache: prevent goroutine leak in agent cache [[GH-14908](https://github.com/hashicorp/consul/issues/14908)]
+* connect: Fixed a bug where transparent proxy does not correctly spawn listeners for upstreams to service-resolvers. [[GH-14751](https://github.com/hashicorp/consul/issues/14751)]
+* snapshot-agent: **(Enterprise only)** Fix a bug when a session is not found in Consul, which leads the agent to panic.
+
+## 1.11.11 (October 19, 2022)
+
+FEATURES:
+
+* agent: Added a new config option `rpc_client_timeout` to tune timeouts for client RPC requests [[GH-14965](https://github.com/hashicorp/consul/issues/14965)]
+* config-entry(ingress-gateway): Added support for `max_connections` for upstream clusters [[GH-14749](https://github.com/hashicorp/consul/issues/14749)]
+
+IMPROVEMENTS:
+
+* connect/ca: Log a warning message instead of erroring when attempting to update the intermediate pki mount when using the Vault provider. [[GH-15035](https://github.com/hashicorp/consul/issues/15035)]
+* connect: Added gateway options to Envoy proxy config for enabling tcp keepalives on terminating gateway upstreams and mesh gateways in remote datacenters. [[GH-14800](https://github.com/hashicorp/consul/issues/14800)]
+* connect: Bump Envoy 1.20 to 1.20.7 [[GH-14830](https://github.com/hashicorp/consul/issues/14830)]
+
+BUG FIXES:
+
+* agent: avoid leaking the alias check runner goroutine when the check is de-registered [[GH-14935](https://github.com/hashicorp/consul/issues/14935)]
+* ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one [[GH-15005](https://github.com/hashicorp/consul/issues/15005)]
+* cache: prevent goroutine leak in agent cache [[GH-14908](https://github.com/hashicorp/consul/issues/14908)]
+* snapshot-agent: **(Enterprise only)** Fix a bug when a session is not found in Consul, which leads the agent to panic.
+
 ## 1.11.10 (September 22, 2022)
 
 BUG FIXES:

GNUmakefile

@@ -7,7 +7,7 @@ SHELL = bash
 # These version variables can either be a valid string for "go install <module>@<version>"
 # or the string @DEV to imply use what is currently installed locally.
 ###
-GOLANGCI_LINT_VERSION='v1.46.2'
+GOLANGCI_LINT_VERSION='v1.50.1'
 MOCKERY_VERSION='v2.12.2'
 BUF_VERSION='v1.4.0'
 PROTOC_GEN_GO_GRPC_VERSION="v1.2.0"
@@ -149,7 +149,9 @@ dev: dev-build
 dev-build:
 	mkdir -p bin
 	CGO_ENABLED=0 go install -ldflags "$(GOLDFLAGS)" -tags "$(GOTAGS)"
-	cp -f ${MAIN_GOPATH}/bin/consul ./bin/consul
+	# rm needed due to signature caching (https://apple.stackexchange.com/a/428388)
+	rm -f ./bin/consul
+	cp ${MAIN_GOPATH}/bin/consul ./bin/consul
 
 dev-docker: linux
 	@echo "Pulling consul container image - $(CONSUL_IMAGE_VERSION)"

acl/errors.go

@@ -63,7 +63,6 @@ func IsErrPermissionDenied(err error) bool {
 
 // Arguably this should be some sort of union type.
 // The usage of Cause and the rest of the fields is entirely disjoint.
-//
 type PermissionDeniedError struct {
 	Cause string
 

agent/auto-config/auto_config.go

@@ -225,7 +225,7 @@ func (ac *AutoConfig) introToken() (string, error) {
 
 // recordInitialConfiguration is responsible for recording the AutoConfigResponse from
 // the AutoConfig.InitialConfiguration RPC. It is an all-in-one function to do the following
-//   * update the Agent token in the token store
+//   - update the Agent token in the token store
 func (ac *AutoConfig) recordInitialConfiguration(resp *pbautoconf.AutoConfigResponse) error {
 	ac.autoConfigResponse = resp
 

agent/cache-types/connect_ca_leaf.go

@@ -262,10 +262,10 @@ func (c *ConnectCALeaf) rootWatcher(ctx context.Context) {
 //
 // Somewhat arbitrarily the current strategy looks like this:
 //
-//          0                              60%             90%
-//   Issued [------------------------------|===============|!!!!!] Expires
-// 72h TTL: 0                             ~43h            ~65h
-//  1h TTL: 0                              36m             54m
+//	         0                              60%             90%
+//	  Issued [------------------------------|===============|!!!!!] Expires
+//	72h TTL: 0                             ~43h            ~65h
+//	 1h TTL: 0                              36m             54m
 //
 // Where |===| is the soft renewal period where we jitter for the first attempt
 // and |!!!| is the danger zone where we just try immediately.

agent/cache-types/rpc.go

@@ -3,6 +3,7 @@ package cachetype
 // RPC is an interface that an RPC client must implement. This is a helper
 // interface that is implemented by the agent delegate so that Type
 // implementations can request RPC access.
+//
 //go:generate mockery --name RPC --inpackage
 type RPC interface {
 	RPC(method string, args interface{}, reply interface{}) error

agent/cache/request.go

@@ -8,6 +8,7 @@ import (
 //
 // This interface is typically implemented by request structures in
 // the agent/structs package.
+//
 //go:generate mockery --name Request --inpackage
 type Request interface {
 	// CacheInfo returns information used for caching this request.

agent/cache/type.go

@@ -5,6 +5,7 @@ import (
 )
 
 // Type implements the logic to fetch certain types of data.
+//
 //go:generate mockery --name Type --inpackage
 type Type interface {
 	// Fetch fetches a single unique item.

agent/checks/check_test.go

@@ -17,16 +17,17 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/go-uuid"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
+
 	"github.com/hashicorp/consul/agent/mock"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/sdk/freeport"
 	"github.com/hashicorp/consul/sdk/testutil"
 	"github.com/hashicorp/consul/sdk/testutil/retry"
-	"github.com/hashicorp/go-uuid"
-	"github.com/stretchr/testify/require"
-	http2 "golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
 )
 
 func uniqueID() string {
@@ -300,8 +301,6 @@ func TestCheckHTTP(t *testing.T) {
 		{code: 429, status: api.HealthWarning},
 
 		// critical
-		{code: 150, status: api.HealthCritical},
-		{code: 199, status: api.HealthCritical},
 		{code: 300, status: api.HealthCritical},
 		{code: 400, status: api.HealthCritical},
 		{code: 500, status: api.HealthCritical},

agent/config/file_watcher.go

@@ -47,7 +47,7 @@ type FileWatcherEvent struct {
 	Filenames []string
 }
 
-//NewFileWatcher create a file watcher that will watch all the files/folders from configFiles
+// NewFileWatcher create a file watcher that will watch all the files/folders from configFiles
 // if success a fileWatcher will be returned and a nil error
 // otherwise an error and a nil fileWatcher are returned
 func NewFileWatcher(configFiles []string, logger hclog.Logger) (Watcher, error) {

agent/configentry/config_entry.go

@@ -6,9 +6,12 @@ import (
 )
 
 // KindName is a value type useful for maps. You can use:
-//     map[KindName]Payload
+//
+//	map[KindName]Payload
+//
 // instead of:
-//     map[string]map[string]Payload
+//
+//	map[string]map[string]Payload
 type KindName struct {
 	Kind string
 	Name string