Update misc modules - autoclosed

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
alpine	final	minor	3.15.0 -> 3.18.4
github.com/getsentry/sentry-go	replace	minor	v0.13.0 -> v0.25.0
github.com/hashicorp/consul	replace	minor	v1.10.10 -> v1.16.2
github.com/labstack/echo/v4	replace	minor	v4.9.0 -> v4.11.2
github.com/microcosm-cc/bluemonday	replace	patch	v1.0.18 -> v1.0.26
github.com/nats-io/jwt/v2	replace	minor	v2.2.0 -> v2.5.2
github.com/nats-io/nats-server/v2	replace	minor	v2.8.3 -> v2.10.3
github.com/pkg/sftp	replace	patch	v1.13.4 -> v1.13.6
github.com/spf13/viper	require	minor	v1.15.0 -> v1.17.0
golang.org/x/tools	require	minor	v0.1.8 -> v0.14.0

---

Release Notes

getsentry/sentry-go (github.com/getsentry/sentry-go)

v0.25.0: 0.25.0

Compare Source

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.25.0.

Breaking Changes

As previously announced, this release removes two global constants from the SDK.

• sentry.Version was removed. Use sentry.SDKVersion instead (#​727)
• sentry.SDKIdentifier was removed. Use Client.GetSDKIdentifier() instead (#​727)

Features

• Add ClientOptions.IgnoreTransactions, which allows you to ignore specific transactions based on their name (#​717)
• Add ClientOptions.Tags, which allows you to set global tags that are applied to all events. You can also define tags by setting SENTRY_TAGS_ environment variables (#​718)

Bug fixes

• Fix an issue in the profiler that would cause an infinite loop if the duration of a transaction is longer than 30 seconds (#​724)

Misc

• dsn.RequestHeaders() is not to be removed, though it is still considered deprecated and should only be used when using a custom transport that sends events to the /store endpoint (#​720)

v0.24.1: 0.24.1

Compare Source

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.24.1.

Bug fixes

• Prevent a panic in sentryotel.flushSpanProcessor() ((#​711))
• Prevent a panic when setting the SDK identifier (#​715)

v0.24.0: 0.24.0

Compare Source

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.24.0.

Deprecations

• sentry.Version to be removed in 0.25.0. Use sentry.SDKVersion instead.
• sentry.SDKIdentifier to be removed in 0.25.0. Use Client.GetSDKIdentifier() instead.
• dsn.RequestHeaders() to be removed after 0.25.0, but no earlier than December 1, 2023. Requests to the /envelope endpoint are authenticated using the DSN in the envelope header.

Features

• Run a single instance of the profiler instead of multiple ones for each Go routine (#​655)
• Use the route path as the transaction names when using the Gin integration (#​675)
• Set the SDK name accordingly when a framework integration is used (#​694)
• Read release information (VCS revision) from debug.ReadBuildInfo (#​704)

Bug fixes

• [otel] Fix incorrect usage of attributes.Value.AsString (#​684)
• Fix trace function name parsing in profiler on go1.21+ (#​695)

Misc

• Test against Go 1.21 (#​695)
• Make tests more robust (#​698, #​699, #​700, #​702)

v0.23.0: 0.23.0

Compare Source

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.23.0.

Features

• Initial support for Cron Monitoring (#​661)

  This is how the basic usage of the feature looks like:

  // 🟡 Notify Sentry your job is running:
  checkinId := sentry.CaptureCheckIn(
    &sentry.CheckIn{
      MonitorSlug: "<monitor-slug>",
      Status:      sentry.CheckInStatusInProgress,
    },
    nil,
  )
  
  // Execute your scheduled task here...
  
  // 🟢 Notify Sentry your job has completed successfully:
  sentry.CaptureCheckIn(
    &sentry.CheckIn{
      ID:          *checkinId,
      MonitorSlug: "<monitor-slug>",
      Status:      sentry.CheckInStatusOK,
    },
    nil,
  )

  A full example of using Crons Monitoring is available here.

  More documentation on configuring and using Crons can be found here.

• Add support for Event Attachments (#​670)

  It's now possible to add file/binary payloads to Sentry events:

  sentry.ConfigureScope(func(scope *sentry.Scope) {
    scope.AddAttachment(&Attachment{
      Filename:    "report.html",
      ContentType: "text/html",
      Payload:     []byte("<h1>Look, HTML</h1>"),
    })
  })

  The attachment will then be accessible on the Issue Details page.

• Add sampling decision to trace envelope header (#​666)

• Expose SpanFromContext function (#​672)

Bug fixes

• Make Span.Finish a no-op when the span is already finished (#​660)

v0.22.0: 0.22.0

Compare Source

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.22.0.

This release contains initial profiling support, as well as a few bug fixes and improvements.

Features

• Initial (alpha) support for profiling (#​626)

  Profiling is disabled by default. To enable it, configure both TracesSampleRate and ProfilesSampleRate when initializing the SDK:

  err := sentry.Init(sentry.ClientOptions{
    Dsn: "__DSN__",
    EnableTracing: true,
    TracesSampleRate: 1.0,
    // The sampling rate for profiling is relative to TracesSampleRate. In this case, we'll capture profiles for 100% of transactions.
    ProfilesSampleRate: 1.0,
  })

  More documentation on profiling and current limitations can be found here.

• Add transactions/tracing support go the Gin integration (#​644)

Bug fixes

• Always set a valid source on transactions (#​637)
• Clone scope.Context in more places to avoid panics on concurrent reads and writes (#​638)
  • Fixes #​570
• Fix frames recognized as not being in-app still showing as in-app (#​647)

v0.21.0: 0.21.0

Compare Source

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.21.0.

Note: this release includes one breaking change and some deprecations, which are listed below.

Breaking Changes

This change does not apply if you use https://sentry.io

• Remove support for the /store endpoint (#​631)
  • This change requires a self-hosted version of Sentry 20.6.0 or higher. If you are using a version of self-hosted Sentry (aka on-premise) older than 20.6.0, then you will need to upgrade your instance.

Features

• Rename four span option functions (#​611, #​624)
  • TransctionSource -> WithTransactionSource
  • SpanSampled -> WithSpanSampled
  • OpName -> WithOpName
  • TransactionName -> WithTransactionName
  • Old functions TransctionSource, SpanSampled, OpName, and TransactionName are still available but are now deprecated and will be removed in a future release.
• Make client.EventFromMessage and client.EventFromException methods public (#​607)
• Add client.SetException method (#​607)
  • This allows to set or add errors to an existing Event.

Bug Fixes

• Protect from panics while doing concurrent reads/writes to Span data fields (#​609)
• [otel] Improve detection of Sentry-related spans (#​632, #​636)
  • Fixes cases when HTTP spans containing requests to Sentry were captured by Sentry (#​627)

Misc

• Drop testing in (legacy) GOPATH mode (#​618)
• Remove outdated documentation from https://pkg.go.dev/github.com/getsentry/sentry-go (#​623)

v0.20.0: 0.20.0

Compare Source

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.20.0.

Note: this release has some breaking changes, which are listed below.

Breaking Changes

• Remove the following methods: Scope.SetTransaction(), Scope.Transaction() (#​605)

  Span.Name should be used instead to access the transaction's name.

  For example, the following TracesSampler function should be now written as follows:

  Before:

  TracesSampler: func(ctx sentry.SamplingContext) float64 {
    hub := sentry.GetHubFromContext(ctx.Span.Context())
    if hub.Scope().Transaction() == "GET /health" {
      return 0
    }
    return 1
  },

  After:

  TracesSampler: func(ctx sentry.SamplingContext) float64 {
    if ctx.Span.Name == "GET /health" {
      return 0
    }
    return 1
  },

Features

• Add Span.SetContext() method (#​599)
  • It is recommended to use it instead of hub.Scope().SetContext when setting or updating context on transactions.
• Add DebugMeta interface to Event and extend Frame structure with more fields (#​606)
  • More about DebugMeta interface here.

Bug Fixes

• [otel] Fix missing OpenTelemetry context on some events (#​599, #​605)
  • Fixes (#​596).
• [otel] Better handling for HTTP span attributes (#​610)

Misc

• Bump minimum versions: github.com/kataras/iris/v12 to 12.2.0, github.com/labstack/echo/v4 to v4.10.0 (#​595)
  • Resolves GO-2022-1144 / CVE-2022-41717, GO-2023-1495 / CVE-2022-41721, GO-2022-1059 / CVE-2022-32149.
• Bump google.golang.org/protobuf minimum required version to 1.29.1 (#​604)
  • This fixes a potential denial of service issue (CVE-2023-24535).
• Exclude the otel module when building in GOPATH mode (#​615)

v0.19.0: 0.19.0

Compare Source

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.19.0.

Features

• Add support for exception mechanism metadata (#​564)
  • More about exception mechanisms here.

Bug Fixes

• [otel] Use the correct "trace" context when sending a Sentry error (#​580)

Misc

• Drop support for Go 1.17, add support for Go 1.20 (#​563)
  • According to our policy, we're officially supporting the last three minor releases of Go.
• Switch repository license to MIT (#​583)
  • More about Sentry licensing here.
• Bump golang.org/x/text minimum required version to 0.3.8 (#​586)
  • This fixes CVE-2022-32149 vulnerability.

v0.18.0: 0.18.0

Compare Source

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.18.0.
This release contains initial support for OpenTelemetry and various other bug fixes and improvements.

Note: This is the last release supporting Go 1.17.

Features

• Initial support for OpenTelemetry.
  You can now send all your OpenTelemetry spans to Sentry.

  Install the otel module

  go get github.com/getsentry/sentry-go \
         github.com/getsentry/sentry-go/otel

  Configure the Sentry and OpenTelemetry SDKs

  import (
      "go.opentelemetry.io/otel"
      sdktrace "go.opentelemetry.io/otel/sdk/trace"
      "github.com/getsentry/sentry-go"
      "github.com/getsentry/sentry-go/otel"
      // ...
  )
  
  // Initlaize the Sentry SDK
  sentry.Init(sentry.ClientOptions{
      Dsn:              "__DSN__",
      EnableTracing:    true,
      TracesSampleRate: 1.0,
  })
  
  // Set up the Sentry span processor
  tp := sdktrace.NewTracerProvider(
      sdktrace.WithSpanProcessor(sentryotel.NewSentrySpanProcessor()),
      // ...
  )
  otel.SetTracerProvider(tp)
  
  // Set up the Sentry propagator
  otel.SetTextMapPropagator(sentryotel.NewSentryPropagator())

  You can read more about using OpenTelemetry with Sentry in our docs.

Bug Fixes

• Do not freeze the Dynamic Sampling Context when no Sentry values are present in the baggage header (#​532)
• Create a frozen Dynamic Sampling Context when calling span.ToBaggage() (#​566)
• Fix baggage parsing and encoding in vendored otel package (#​568)

Misc

• Add Span.SetDynamicSamplingContext() (#​539)
• Add various getters for Dsn (#​540)
• Add SpanOption::SpanSampled (#​546)
• Add Span.SetData() (#​542)
• Add Span.IsTransaction() (#​543)
• Add Span.GetTransaction() method (#​558)

v0.17.0: 0.17.0

Compare Source

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.17.0.
This release contains a new BeforeSendTransaction hook option and corrects two regressions introduced in 0.16.0.

Features

• Add BeforeSendTransaction hook to ClientOptions (#​517)
  • Here's an example of how BeforeSendTransaction can be used to modify or drop transaction events.

Bug Fixes

• Do not crash in Span.Finish() when the Client is empty (#​520)
  • Fixes #​518
• Attach non-PII/non-sensitive request headers to events when ClientOptions.SendDefaultPii is set to false (#​524)
  • Fixes #​523

Misc

• Clarify how to handle logrus.Fatalf events (#​501)
• Rename the examples directory to _examples (#​521)
  • This removes an indirect dependency to github.com/golang-jwt/jwt

v0.16.0: 0.16.0

Compare Source

The Sentry SDK team is happy to announce the immediate availability of Sentry Go SDK v0.16.0.
Due to ongoing work towards a stable API for v1.0.0, we sadly had to include two breaking changes in this release.

Breaking Changes

• Add EnableTracing, a boolean option flag to enable performance monitoring (false by default).

  • If you're using TracesSampleRate or TracesSampler, this option is required to enable performance monitoring.

    sentry.Init(sentry.ClientOptions{
        EnableTracing: true,
        TracesSampleRate: 1.0,
    })

• Unify TracesSampler #​498

  • TracesSampler was changed to a callback that must return a float64 between 0.0 and 1.0.

    For example, you can apply a sample rate of 1.0 (100%) to all /api transactions, and a sample rate of 0.5 (50%) to all other transactions.
    You can read more about this in our SDK docs.

    sentry.Init(sentry.ClientOptions{
        TracesSampler: sentry.TracesSampler(func(ctx sentry.SamplingContext) float64 {
             hub := sentry.GetHubFromContext(ctx.Span.Context())
             name := hub.Scope().Transaction()
    
             if strings.HasPrefix(name, "GET /api") {
                 return 1.0
             }
    
             return 0.5
         }),
     }

Features

• Send errors logged with Logrus to Sentry.
  • Have a look at our logrus examples on how to use the integration.
• Add support for Dynamic Sampling #​491
  • You can read more about Dynamic Sampling in our product docs.
• Add detailed logging about the reason transactions are being dropped.
  • You can enable SDK logging via sentry.ClientOptions.Debug: true.

Bug Fixes

• Do not clone the hub when calling StartTransaction #​505
  • Fixes #​502

v0.15.0: 0.15.0

Compare Source

• fix: Scope values should not override Event values (#​446)
• feat: Make maximum amount of spans configurable (#​460)
• feat: Add a method to start a transaction (#​482)
• feat: Extend User interface by adding Data, Name and Segment (#​483)
• feat: Add ClientOptions.SendDefaultPII (#​485)

v0.14.0: 0.14.0

Compare Source

• feat: Add function to continue from trace string (#​434)
• feat: Add max-depth options (#​428)
• [breaking] ref: Use a Context type mapping to a map[string]interface{} for all event contexts (#​444)
• [breaking] ref: Replace deprecated ioutil pkg with os & io (#​454)
• ref: Optimize stacktrace.go from size and speed (#​467)
• ci: Test against go1.19 and go1.18, drop go1.16 and go1.15 support (#​432, #​477)
• deps: Dependency update to fix CVEs (#​462, #​464, #​477)

NOTE: This version drops support for Go 1.16 and Go 1.15. The currently supported Go versions are the last 3 stable releases: 1.19, 1.18 and 1.17.

hashicorp/consul (github.com/hashicorp/consul)

v1.16.2

Compare Source

1.16.2 (September 19, 2023)

SECURITY:

• Upgrade to use Go 1.20.8. This resolves CVEs
  CVE-2023-39320 (cmd/go),
  CVE-2023-39318 (html/template),
  CVE-2023-39319 (html/template),
  CVE-2023-39321 (crypto/tls), and
  CVE-2023-39322 (crypto/tls) [GH-18742]

IMPROVEMENTS:

• Adds flag -append-filename (which works on values version, dc, node and status) to consul snapshot save command.
  Adding the flag -append-filename version,dc,node,status will add consul version, consul datacenter, node name and leader/follower
  (status) in the file name given in the snapshot save command before the file extension. [GH-18625]
• Reduce the frequency of metric exports from Consul to HCP from every 10s to every 1m [GH-18584]
• api: Add support for listing ACL tokens by service name. [GH-18667]
• checks: It is now possible to configure agent TCP checks to use TLS with
  optional server SNI and mutual authentication. To use TLS with a TCP check, the
  check must enable the tcp_use_tls boolean. By default the agent will use the
  TLS configuration in the tls.default stanza. [GH-18381]
• command: Adds -since flag in consul debug command which internally calls hcdiag for debug information in the past. [GH-18797]
• log: Currently consul logs files like this consul-{timestamp}.log. This change makes sure that there is always
  consul.log file with the latest logs in it. [GH-18617]

BUG FIXES:

• Inherit locality from services when registering sidecar proxies. [GH-18437]
• UI : Nodes list view was breaking for synthetic-nodes. Fix handles non existence of consul-version meta for node. [GH-18464]
• api: Fix /v1/agent/self not returning latest configuration [GH-18681]
• ca: Vault provider now cleans up the previous Vault issuer and key when generating a new leaf signing certificate [GH-18779] [GH-18773]
• check: prevent go routine leakage when existing Defercheck of same check id is not nil [GH-18558]
• connect: Fix issue where Envoy endpoints would not populate correctly after a snapshot restore. [GH-18636]
• gateways: Fix a bug where gateway to service mappings weren't being cleaned up properly when externally registered proxies were being deregistered. [GH-18831]
• telemetry: emit consul version metric on a regular interval. [GH-18724]

v1.16.1

Compare Source

1.16.1 (August 7, 2023)

SECURITY:

• Update golang.org/x/net to v0.13.0 to address CVE-2023-3978. [GH-18358]
• Upgrade golang.org/x/net to address CVE-2023-29406 [GH-18186]
• Upgrade to use Go 1.20.6.
  This resolves CVE-2023-29406(net/http) for uses of the standard library.
  A separate change updates dependencies on golang.org/x/net to use 0.12.0. [GH-18190]
• Upgrade to use Go 1.20.7.
  This resolves vulnerability CVE-2023-29409(crypto/tls). [GH-18358]

FEATURES:

• cli: consul members command uses -filter expression to filter members based on bexpr. [GH-18223]
• cli: consul operator raft list-peers command shows the number of commits each follower is trailing the leader by to aid in troubleshooting. [GH-17582]
• cli: consul watch command uses -filter expression to filter response from checks, services, nodes, and service. [GH-17780]
• reloadable config: Made enable_debug config reloadable and enable pprof command to work when config toggles to true [GH-17565]
• ui: consul version is displayed in nodes list with filtering and sorting based on versions [GH-17754]

IMPROVEMENTS:

• Fix some typos in metrics docs [GH-18080]
• acl: added builtin ACL policy that provides global read-only access (builtin/global-read-only) [GH-18319]
• acl: allow for a single slash character in policy names [GH-18319]
• connect: Add capture group labels from Envoy cluster FQDNs to Envoy exported metric labels [GH-17888]
• connect: Improve transparent proxy support for virtual services and failovers. [GH-17757]
• connect: update supported envoy versions to 1.23.12, 1.24.10, 1.25.9, 1.26.4 [GH-18303]
• debug: change default setting of consul debug command. now default duration is 5ms and default log level is 'TRACE' [GH-17596]
• extensions: Improve validation and error feedback for property-override builtin Envoy extension [GH-17759]
• hcp: Add dynamic configuration support for the export of server metrics to HCP. [GH-18168]
• hcp: Removes requirement for HCP to provide a management token [GH-18140]
• http: GET API operator/usage endpoint now returns node count
  cli: consul operator usage command now returns node count [GH-17939]
• mesh: Expose remote jwks cluster configuration through jwt-provider config entry [GH-17978]
• mesh: Stop jwt providers referenced by intentions from being deleted. [GH-17755]
• ui: the topology view now properly displays services with mixed connect and non-connect instances. [GH-13023]
• xds: Explicitly enable WebSocket connection upgrades in HTTP connection manager [GH-18150]

BUG FIXES:

• Fix a bug that wrongly trims domains when there is an overlap with DC name. [GH-17160]
• api-gateway: fix race condition in proxy config generation when Consul is notified of the bound-api-gateway config entry before it is notified of the api-gateway config entry. [GH-18291]
• api: Fix client deserialization errors by marking new Enterprise-only prepared query fields as omit empty [GH-18184]
• ca: Fixes a Vault CA provider bug where updating RootPKIPath but not IntermediatePKIPath would not renew leaf signing certificates [GH-18112]
• connect/ca: Fixes a bug preventing CA configuration updates in secondary datacenters [GH-17846]
• connect: (Enterprise only) Fix bug where intentions referencing sameness groups would not always apply to members properly.
• connect: Fix incorrect protocol config merging for transparent proxy implicit upstreams. [GH-17894]
• connect: Removes the default health check from the consul connect envoy command when starting an API Gateway.
  This health check would always fail. [GH-18011]
• connect: fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration. [GH-18024]
• gateway: Fixes a bug where envoy would silently reject RSA keys that are smaller than 2048 bits,
  we now reject those earlier in the process when we validate the certificate. [GH-17911]
• http: fixed API endpoint PUT /acl/token/:AccessorID (update token), no longer requires AccessorID in the request body. Web UI can now update tokens. [GH-17739]
• mesh: (Enterprise Only) Require that jwt-provider config entries are created in the default namespace. [GH-18325]
• snapshot: fix access denied and handle is invalid when we call snapshot save on windows - skip sync() for folders in windows in
  https://github.com/rboyer/safeio/pull/3ll/3 [GH-18302]
• xds: Prevent partial application of non-Required Envoy extensions in the case of failure. [GH-18068]

v1.16.0

Compare Source

1.16.0 (June 26, 2023)

BREAKING CHANGES:

• api: The /v1/health/connect/ and /v1/health/ingress/ endpoints now immediately return 403 "Permission Denied" errors whenever a token with insufficient service:read permissions is provided. Prior to this change, the endpoints returned a success code with an empty result list when a token with insufficient permissions was provided. [GH-17424]
• peering: Removed deprecated backward-compatibility behavior.
  Upstream overrides in service-defaults will now only apply to peer upstreams when the peer field is provided.
  Visit the 1.16.x upgrade instructions for more information. [GH-16957]

SECURITY:

• Bump Dockerfile base image to alpine:3.18. [GH-17719]
• audit-logging: (Enterprise only) limit v1/operator/audit-hash endpoint to ACL token with operator:read privileges.

FEATURES:

• api: (Enterprise only) Add POST /v1/operator/audit-hash endpoint to calculate the hash of the data used by the audit log hash function and salt.
• cli: (Enterprise only) Add a new consul operator audit hash command to retrieve and compare the hash of the data used by the audit log hash function and salt.
• cli: Adds new command - consul services export - for exporting a service to a peer or partition [GH-15654]
• connect: (Consul Enterprise only) Implement order-by-locality failover.
• mesh: Add new permissive mTLS mode that allows sidecar proxies to forward incoming traffic unmodified to the application. This adds AllowEnablingPermissiveMutualTLS setting to the mesh config entry and the MutualTLSMode setting to proxy-defaults and service-defaults. [GH-17035]
• mesh: Support configuring JWT authentication in Envoy. [GH-17452]
• server: (Enterprise Only) added server side RPC requests IP based read/write rate-limiter. [GH-4633]
• server: (Enterprise Only) allow automatic license utilization reporting. [GH-5102]
• server: added server side RPC requests global read/write rate-limiter. [GH-16292]
• xds: Add property-override built-in Envoy extension that directly patches Envoy resources. [GH-17487]
• xds: Add a built-in Envoy extension that inserts External Authorization (ext_authz) network and HTTP filters. [GH-17495]
• xds: Add a built-in Envoy extension that inserts Wasm HTTP filters. [GH-16877]
• xds: Add a built-in Envoy extension that inserts Wasm network filters. [GH-17505]

IMPROVEMENTS:

• api: Support filtering for config entries. [GH-17183]
• cli: Add -filter option to consul config list for filtering config entries. [GH-17183]
• agent: remove agent cache dependency from service mesh leaf certificate management [GH-17075]
• api: Enable setting query options on agent force-leave endpoint. [GH-15987]
• audit-logging: (Enterprise only) enable error response and request body logging
• ca: automatically set up Vault's auto-tidy setting for tidy_expired_issuers when using Vault as a CA provider. [GH-17138]
• ca: support Vault agent auto-auth config for Vault CA provider using AliCloud authentication. [GH-16224]
• ca: support Vault agent auto-auth config for Vault CA provider using AppRole authentication. [GH-16259]
• ca: support Vault agent auto-auth config for Vault CA provider using Azure MSI authentication. [GH-16298]
• ca: support Vault agent auto-auth config for Vault CA provider using JWT authentication. [GH-16266]
• ca: support Vault agent auto-auth config for Vault CA provider using Kubernetes authentication. [GH-16262]
• command: Adds ACL enabled to status output on agent startup. [GH-17086]
• command: Allow creating ACL Token TTL with greater than 24 hours with the -expires-ttl flag. [GH-17066]
• connect: (Enterprise Only) Add support for specifying "Partition" and "Namespace" in Prepared Queries failover rules.
• connect: update supported envoy versions to 1.23.10, 1.24.8, 1.25.7, 1.26.2 [GH-17546]
• connect: update supported envoy versions to 1.23.8, 1.24.6, 1.25.4, 1.26.0 [GH-5200]
• fix metric names in /docs/agent/telemetry [GH-17577]
• gateway: Change status condition reason for invalid certificate on a listener from "Accepted" to "ResolvedRefs". [GH-17115]
• http: accept query parameters datacenter, ap (enterprise-only), and namespace (enterprise-only). Both short-hand and long-hand forms of these query params are now supported via the HTTP API (dc/datacenter, ap/partition, ns/namespace). [GH-17525]
• systemd: set service type to notify. [GH-16845]
• ui: Update alerts to Hds::Alert component [GH-16412]
• ui: Update to use Hds::Toast component to show notifications [GH-16519]
• ui: update from and to design-system-components button Hds::Button [GH-16251]
• ui: update typography to styles from hds [GH-16577]

BUG FIXES:

• Fix a race condition where an event is published before the data associated is commited to memdb. [GH-16871]
• connect: Fix issue where changes to service exports were not reflected in proxies. [GH-17775]
• gateways: (Enterprise only) Fixed a bug in API gateways where gateway configuration objects in non-default partitions did not reconcile properly. [GH-17581]
• gateways: Fixed a bug in API gateways where binding a route that only targets a service imported from a peer results
  in the programmed gateway having no routes. [GH-17609]
• gateways: Fixed a bug where API gateways were not being taken into account in determining xDS rate limits. [GH-17631]
• namespaces: (Enterprise only) fixes a bug where agent health checks stop syncing for all services on a node if the namespace of any service has been removed from the server.
• namespaces: (Enterprise only) fixes a bug where namespaces are stuck in a deferred deletion state indefinitely under some conditions.
  Also fixes the Consul query metadata present in the HTTP headers of the namespace read and list endpoints.
• peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership. [GH-17483]
• peering: Fixes a bug where the importing partition was not added to peered failover targets, which causes issues when the importing partition is a non-default partition. [GH-16673]
• ui: fixes ui tests run on CI [GH-16428]
• xds: Fixed a bug where modifying ACLs on a token being actively used for an xDS connection caused all xDS updates to fail. [GH-17566]

v1.15.6

Compare Source

1.15.6 (September 19, 2023)

SECURITY:

• Upgrade to use Go 1.20.8. This resolves CVEs
  CVE-2023-39320 (cmd/go),
  CVE-2023-39318 (html/template),
  CVE-2023-39319 (html/template),
  CVE-2023-39321 (crypto/tls), and
  CVE-2023-39322 (crypto/tls) [GH-18742]

IMPROVEMENTS:

• Adds flag -append-filename (which works on values version, dc, node and status) to consul snapshot save command.
  Adding the flag -append-filename version,dc,node,status will add consul version, consul datacenter, node name and leader/follower
  (status) in the file name given in the snapshot save command before the file extension. [GH-18625]
• Reduce the frequency of metric exports from Consul to HCP from every 10s to every 1m [GH-18584]
• api: Add support for listing ACL tokens by service name. [GH-18667]
• command: Adds -since flag in consul debug command which internally calls hcdiag for debug information in the past. [GH-18797]
• log: Currently consul logs files like this consul-{timestamp}.log. This change makes sure that there is always
  consul.log file with the latest logs in it. [GH-18617]

BUG FIXES:

• api: Fix /v1/agent/self not returning latest configuration [GH-18681]
• ca: Vault provider now cleans up the previous Vault issuer and key when generating a new leaf signing certificate [GH-18779] [GH-18773]
• check: prevent go routine leakage when existing Defercheck of same check id is not nil [GH-18558]
• gateways: Fix a bug where gateway to service mappings weren't being cleaned up properly when externally registered proxies were being deregistered. [GH-18831]
• telemetry: emit consul version metric on a regular interval. [GH-18724]

v1.15.5

Compare Source

1.15.5 (August 7, 2023)

SECURITY:

• Update golang.org/x/net to v0.13.0 to address CVE-2023-3978. [GH-18358]
• Upgrade golang.org/x/net to address CVE-2023-29406 [GH-18186]
• Upgrade to use Go 1.20.6.
  This resolves CVE-2023-29406(net/http) for uses of the standard library.
  A separate change updates dependencies on golang.org/x/net to use 0.12.0. [GH-18190]
• Upgrade to use Go 1.20.7.
  This resolves vulnerability CVE-2023-29409(crypto/tls). [GH-18358]

FEATURES:

• cli: consul members command uses -filter expression to filter members based on bexpr. [GH-18223]
• cli: consul watch command uses -filter expression to filter response from checks, services, nodes, and service. [GH-17780]
• reloadable config: Made enable_debug config reloadable and enable pprof command to work when config toggles to true [GH-17565]

IMPROVEMENTS:

• Fix some typos in metrics docs [GH-18080]
• acl: added builtin ACL policy that provides global read-only access (builtin/global-read-only) [GH-18319]
• acl: allow for a single slash character in policy names [GH-18319]
• connect: Add capture group labels from Envoy cluster FQDNs to Envoy exported metric labels [GH-17888]
• connect: update supported envoy versions to 1.22.11, 1.23.12, 1.24.10, 1.25.9 [GH-18304]
• hcp: Add dynamic configuration support for the export of server metrics to HCP. [GH-18168]
• hcp: Removes requirement for HCP to provide a management token [GH-18140]
• xds: Explicitly enable WebSocket connection upgrades in HTTP connection manager [GH-18150]

BUG FIXES:

• Fix a bug that wrongly trims domains when there is an overlap with DC name. [GH-17160]
• api-gateway: fix race condition in proxy config generation when Consul is notified of the bound-api-gateway config entry before it is notified of the api-gateway config entry. [GH-18291]
• connect/ca: Fixes a bug preventing CA configuration updates in secondary datacenters [GH-17846]
• connect: Fix incorrect protocol config merging for transparent proxy implicit upstreams. [GH-17894]
• connect: Removes the default health check from the consul connect envoy command when starting an API Gateway.
  This health check would always fail. [GH-18011]
• connect: fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration. [GH-18024]
• snapshot: fix access denied and handle is invalid when we call snapshot save on windows - skip sync() for folders in windows in
  https://github.com/rboyer/safeio/pull/3ll/3 [GH-18302]

v1.15.4

Compare Source

1.15.4 (June 26, 2023)

FEATURES:

• cli: consul operator raft list-peers command shows the number of commits each follower is trailing the leader by to aid in troubleshooting. [GH-17582]
• server: (Enterprise Only) allow automatic license utilization reporting. [GH-5102]

IMPROVEMENTS:

• connect: update supported envoy versions to 1.22.11, 1.23.9, 1.24.7, 1.25.6 [GH-17545]
• debug: change default setting of consul debug command. now default duration is 5ms and default log level is 'TRACE' [GH-17596]
• fix metric names in /docs/agent/telemetry [GH-17577]
• gateway: Change status condition reason for invalid certificate on a listener from "Accepted" to "ResolvedRefs". [GH-17115]
• systemd: set service type to notify. [GH-16845]

BUG FIXES:

• cache: fix a few minor goroutine leaks in leaf certs and the agent cache [GH-17636]
• docs: fix list of telemetry metrics [GH-17593]
• gateways: (Enterprise only) Fixed a bug in API gateways where gateway configuration objects in non-default partitions did not reconcile properly. [GH-17581]
• gateways: Fixed a bug in API gateways where binding a route that only targets a service imported from a peer results
  in the programmed gateway having no routes. [GH-17609]
• gateways: Fixed a bug where API gateways were not being taken into account in determining xDS rate limits. [GH-17631]
• http: fixed API endpoint PUT /acl/token/:AccessorID (update token), no longer requires AccessorID in the request body. Web UI can now update tokens. [GH-17739]
• namespaces: (Enterprise only) fixes a bug where agent health checks stop syncing for all services on a node if the namespace of any service has been removed from the server.
• namespaces: (Enterprise only) fixes a bug where namespaces are stuck in a deferred deletion state indefinitely under some conditions.
  Also fixes the Consul query metadata present in the HTTP headers of the namespace read and list endpoints.
• peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership. [GH-17483]
• xds: Fixed a bug where modifying ACLs on a token being actively used for an xDS connection caused all xDS updates to fail. [GH-17566]

v1.15.3

Compare Source

1.15.3 (June 1, 2023)

BREAKING CHANGES:

• extensions: The Lua extension now targets local proxy listeners for the configured service's upstreams, rather than remote downstream listeners for the configured service, when ListenerType is set to outbound in extension configuration. See CVE-2023-2816 changelog entry for more details. [GH-17415]

SECURITY:

• Update to UBI base image to 9.2. [GH-17513]
• Upgrade golang.org/x/net to address CVE-2022-41723 [GH-16754]
• Upgrade to use Go 1.20.4.
  This resolves vulnerabilities CVE-2023-24537(go/scanner),
  CVE-2023-24538(html/template), CVE-2023-24534(net/textproto) and CVE-2023-24536(mime/multipart). Also, golang.org/x/net has been updated to v0.7.0 to resolve CVEs CVE-2022-41721, CVE-2022-27664 and CVE-2022-41723 [GH-17240]
• extensions: Disable remote downstream proxy patching by Envoy Extensions other than AWS Lambda. Previously, an operator with service:write ACL permissions for an upstream service could modify Envoy proxy config for downstream services without equivalent permissions for those services. This issue only impacts the Lua extension. [CVE-2023-2816] [GH-17415]

FEATURES:

• hcp: Add new metrics sink to collect, aggregate and export server metrics to HCP in OTEL format. [GH-17460]

IMPROVEMENTS:

• Fixes a performance issue in Raft where commit latency can increase by 100x or more when under heavy load. For more details see https://github.com/hashicorp/raft/pull/541. [GH-17081]
• agent: add a configurable maximimum age (default: 7 days) to prevent servers re-joining a cluster with stale data [GH-17171]
• agent: add new metrics to track cpu disk and memory usage for server hosts (defaults to: enabled) [GH-17038]
• connect: update supported envoy versions to 1.22.11, 1.23.8, 1.24.6, 1.25.4 [GH-16889]
• envoy: add MaxEjectionPercent and BaseEjectionTime to passive health check configs. [GH-15979]
• hcp: Add support for linking existing Consul clusters to HCP management plane. [GH-16916]
• logging: change snapshot log header from agent.server.snapshot to agent.server.raft.snapshot [GH-17236]

---

Configuration

📅 Schedule: Branch creation - "after 6am on thursday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: docker run --rm --name=renovate_a_sidecar --label=renovate_a_child --memory=3584m -v "/tmp/worker/cd085c/6f897f/repos/github/giantswarm/node-operator":"/tmp/worker/cd085c/6f897f/repos/github/giantswarm/node-operator" -v "/tmp/worker/cd085c/6f897f/cache":"/tmp/worker/cd085c/6f897f/cache" -e GOPATH -e GOPROXY -e GOSUMDB -e GOFLAGS -e CGO_ENABLED -e GIT_CONFIG_KEY_0 -e GIT_CONFIG_VALUE_0 -e GIT_CONFIG_KEY_1 -e GIT_CONFIG_VALUE_1 -e GIT_CONFIG_KEY_2 -e GIT_CONFIG_VALUE_2 -e GIT_CONFIG_COUNT -e CONTAINERBASE_CACHE_DIR -w "/tmp/worker/cd085c/6f897f/repos/github/giantswarm/node-operator" ghcr.io/containerbase/sidecar:9.23.4 bash -l -c "install-tool golang 1.21.3 && go get -d -t ./... && go mod tidy && go mod tidy"
go: downloading k8s.io/apimachinery v0.26.1
go: downloading github.com/giantswarm/microkit v1.0.0
go: downloading github.com/giantswarm/operatorkit/v7 v7.1.0
go: downloading github.com/giantswarm/microerror v0.4.0
go: downloading github.com/giantswarm/micrologger v1.0.0
go: downloading github.com/spf13/viper v1.17.0
go: downloading github.com/giantswarm/microendpoint v1.0.0
go: downloading github.com/giantswarm/apiextensions/v6 v6.4.1
go: downloading github.com/giantswarm/k8sclient/v7 v7.0.1
go: downloading k8s.io/client-go v0.26.1
go: downloading github.com/giantswarm/certs/v3 v3.1.1
go: downloading github.com/giantswarm/tenantcluster/v5 v5.0.0
go: downloading sigs.k8s.io/controller-runtime v0.14.1
go: downloading k8s.io/api v0.26.1
go: downloading github.com/giantswarm/errors v0.3.0
go: downloading k8s.io/kubectl v0.26.1
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/google/gofuzz v1.2.0
go: downloading k8s.io/klog/v2 v2.90.0
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.2.3
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/go-kit/kit v0.12.0
go: downloading github.com/gorilla/mux v1.8.0
go: downloading github.com/prometheus/client_golang v1.14.0
go: downloading github.com/go-kit/log v0.2.1
go: downloading github.com/go-logr/logr v1.2.3
go: downloading github.com/go-stack/stack v1.8.1
go: downloading github.com/giantswarm/versionbundle v1.0.0
go: downloading github.com/spf13/cobra v1.6.1
go: downloading github.com/fsnotify/fsnotify v1.6.0
go: downloading github.com/mitchellh/mapstructure v1.5.0
go: downloading github.com/sagikazarmark/locafero v0.3.0
go: downloading github.com/sagikazarmark/slog-shim v0.1.0
go: downloading github.com/spf13/afero v1.10.0
go: downloading github.com/spf13/cast v1.5.1
go: downloading github.com/giantswarm/backoff v1.0.0
go: downloading k8s.io/apiextensions-apiserver v0.26.1
go: downloading golang.org/x/sync v0.3.0
go: downloading github.com/giantswarm/to v0.4.0
go: downloading github.com/patrickmn/go-cache v2.1.0+incompatible
go: downloading k8s.io/utils v0.0.0-20230115233650-391b47cb4029
go: downloading golang.org/x/net v0.15.0
go: downloading github.com/evanphx/json-patch/v5 v5.6.0
go: downloading github.com/evanphx/json-patch v5.6.0+incompatible
go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
go: downloading k8s.io/cli-runtime v0.26.1
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
go: downloading github.com/json-iterator/go v1.1.12
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/prometheus/client_model v0.3.0
go: downloading github.com/prometheus/common v0.39.0
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.2.0
go: downloading github.com/golang/protobuf v1.5.3
go: downloading github.com/prometheus/procfs v0.9.0
go: downloading golang.org/x/sys v0.12.0
go: downloading google.golang.org/protobuf v1.31.0
go: downloading github.com/go-logfmt/logfmt v0.5.1
go: downloading github.com/coreos/go-semver v0.3.1
go: downloading gopkg.in/resty.v1 v1.12.0
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/sourcegraph/conc v0.3.0
go: downloading golang.org/x/exp v0.0.0-20230905200255-921286631fa9
go: downloading github.com/subosito/gotenv v1.6.0
go: downloading github.com/hashicorp/hcl v1.0.0
go: downloading gopkg.in/ini.v1 v1.67.0
go: downloading github.com/magiconair/properties v1.8.7
go: downloading github.com/pelletier/go-toml/v2 v2.1.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading golang.org/x/text v0.13.0
go: downloading github.com/cenkalti/backoff/v4 v4.2.0
go: downloading github.com/imdario/mergo v0.3.13
go: downloading golang.org/x/term v0.12.0
go: downloading golang.org/x/time v0.3.0
go: downloading github.com/giantswarm/exporterkit v1.0.0
go: downloading github.com/getsentry/sentry-go v0.25.0
go: downloading github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
go: downloading golang.org/x/oauth2 v0.12.0
go: downloading github.com/pkg/errors v0.9.1
go: downloading k8s.io/kube-openapi v0.0.0-20230123231816-1cb3ae25d79a
go: downloading github.com/google/gnostic v0.6.9
go: downloading sigs.k8s.io/kustomize/api v0.12.1
go: downloading sigs.k8s.io/kustomize/kyaml v0.13.9
go: downloading k8s.io/component-base v0.26.1
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading github.com/matttproud/golang_protobuf_extensions v1.0.4
go: downloading sigs.k8s.io/yaml v1.3.0
go: downloading gomodules.xyz/jsonpatch/v2 v2.2.0
go: downloading github.com/google/uuid v1.3.0
go: downloading github.com/chai2010/gettext-go v1.0.2
go: downloading github.com/MakeNowJust/heredoc v1.0.0
go: downloading github.com/mitchellh/go-wordwrap v1.0.0
go: downloading github.com/russross/blackfriday/v2 v2.1.0
go: downloading github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d
go: downloading go.uber.org/multierr v1.9.0
go: downloading google.golang.org/appengine v1.6.7
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
go: downloading github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7
go: downloading github.com/peterbourgon/diskv v2.0.1+incompatible
go: downloading github.com/go-openapi/jsonreference v0.20.2
go: downloading github.com/go-openapi/swag v0.22.3
go: downloading github.com/google/go-cmp v0.5.9
go: downloading github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae
go: downloading go.uber.org/atomic v1.9.0
go: downloading github.com/emicklei/go-restful/v3 v3.10.1
go: downloading github.com/go-errors/errors v1.4.2
go: downloading github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
go: downloading github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00
go: downloading github.com/xlab/treeprint v1.1.0
go: downloading github.com/google/btree v1.0.1
go: downloading github.com/go-openapi/jsonpointer v0.19.6
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading github.com/josharian/intern v1.0.0
go: downloading github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1
go: downloading go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5
go: downloading github.com/moby/spdystream v0.2.0
go: github.com/nats-io/jwt/[email protected] used for two different module paths (github.com/nats-io/jwt and github.com/nats-io/jwt/v2)