Bump github.com/hashicorp/consul from 1.0.7 to 1.11.9

[dependabot]

Bumps github.com/hashicorp/consul from 1.0.7 to 1.11.9.

Release notes

Sourced from github.com/hashicorp/consul's releases.

v1.11.9

1.11.9 (September 20, 2022)

SECURITY:

• auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the AutoConfig.InitialConfiguration endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [GH-14577]
• connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the ConnectCA.Sign endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [GH-14579]

IMPROVEMENTS:

• metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [GH-14161]
• snapshot agent: (Enterprise only) Add support for path-based addressing when using s3 backend.

BUG FIXES:

• ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed. [GH-14516]
• cli: When launching a sidecar proxy with consul connect envoy or consul connect proxy, the -sidecar-for service ID argument is now treated as case-insensitive. [GH-14034]
• connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster. [GH-14598]
• connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring. [GH-14429]
• rpc: Adds a deadline to client RPC calls, so that streams will no longer hang indefinitely in unstable network conditions. [GH-8504] [GH-11500]
• rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries [GH-14233]

v1.11.8

1.11.8 (August 11, 2022)

BUG FIXES:

• connect: Fixed a goroutine/memory leak that would occur when using the ingress gateway. [GH-13847]
• connect: Ingress gateways with a wildcard service entry should no longer pick up non-connect services as upstreams. connect: Terminating gateways with a wildcard service entry should no longer pick up connect services as upstreams. [GH-13958]

v1.11.7

1.11.7 (July 13, 2022)

IMPROVEMENTS:

• connect: Update supported Envoy versions to 1.20.4, 1.19.5, 1.18.6, 1.17.4 [GH-13434]

BUG FIXES:

• agent: Fixed a bug in HTTP handlers where URLs were being decoded twice [GH-13265]
• fix a bug that caused an error when creating grpc or http2 ingress gateway listeners with multiple services [GH-13127]
• xds: Fix a bug where terminating gateway upstream clusters weren't configured properly when the service protocol was http2. [GH-13699]

v1.11.6

1.11.6 (May 25, 2022)

IMPROVEMENTS:

... (truncated)

Changelog

Sourced from github.com/hashicorp/consul's changelog.

1.11.9 (September 20, 2022)

BREAKING CHANGES:

• ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the update capability on the intermediate PKI's tune mount configuration endpoint, such as /sys/mounts/connect_inter/tune. The breaking nature of this change is resolved in 1.11.11. Refer to upgrade guidance for more information.

SECURITY:

• auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the AutoConfig.InitialConfiguration endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [GH-14577]
• connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the ConnectCA.Sign endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [GH-14579]

IMPROVEMENTS:

• metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [GH-14161]
• snapshot agent: (Enterprise only) Add support for path-based addressing when using s3 backend.

BUG FIXES:

• ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed. [GH-14516]
• cli: When launching a sidecar proxy with consul connect envoy or consul connect proxy, the -sidecar-for service ID argument is now treated as case-insensitive. [GH-14034]
• connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster. [GH-14598]
• connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring. [GH-14429]
• rpc: Adds a deadline to client RPC calls, so that streams will no longer hang indefinitely in unstable network conditions. [GH-8504] [GH-11500]
• rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries [GH-14233]

1.13.1 (August 11, 2022)

BUG FIXES:

• agent: Fixed a compatibility issue when restoring snapshots from pre-1.13.0 versions of Consul [GH-14107] [GH-14149]
• connect: Fixed some spurious issues during peering establishment when a follower is dialed [GH-14119]

1.12.4 (August 11, 2022)

BUG FIXES:

• cli: when acl token read is used with the -self and -expanded flags, return an error instead of panicking [GH-13787]
• connect: Fixed a goroutine/memory leak that would occur when using the ingress gateway. [GH-13847]
• connect: Ingress gateways with a wildcard service entry should no longer pick up non-connect services as upstreams. connect: Terminating gateways with a wildcard service entry should no longer pick up connect services as upstreams. [GH-13958]
• ui: Fixes an issue where client side validation errors were not showing in certain areas [GH-14021]

1.11.8 (August 11, 2022)

BUG FIXES:

• connect: Fixed a goroutine/memory leak that would occur when using the ingress gateway. [GH-13847]
• connect: Ingress gateways with a wildcard service entry should no longer pick up non-connect services as upstreams. connect: Terminating gateways with a wildcard service entry should no longer pick up connect services as upstreams. [GH-13958]

... (truncated)

Commits

• 716c835 Stage 1.11.9
• a598243 backport of commit 546f1ec634297d1453c37118654a449ce97992db (#14664)
• d7d1932 Merge pull request #14660 from hashicorp/backport/docs/search-metadata-header...
• ace98ca Merge pull request #14656 from hashicorp/docs/search-metadata-headers
• bf33647 no-op commit due to failed cherry-picking
• 3583279 Backport of docs: Search Description Refresh into release/1.11.x (#14648)
• 5bb87c0 Backport of connect/ca: Don't discard old roots on primaryInitialize into rel...
• cdb4473 Merge pull request #14645 from hashicorp/docs/hot-fix-1-11release
• 629d2c4 fix merge conflict markings
• 9f7c398 Merge pull request #14626 from hashicorp/backport/docs/what-is-consul-devdot-...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.