Bump github.com/hashicorp/consul from 1.15.2 to 1.15.3 in /consul-lambda

[dependabot]

Bumps github.com/hashicorp/consul from 1.15.2 to 1.15.3.

Release notes

Sourced from github.com/hashicorp/consul's releases.

v1.15.3

1.15.3 (June 1, 2023)

BREAKING CHANGES:

• extensions: The Lua extension now targets local proxy listeners for the configured service's upstreams, rather than remote downstream listeners for the configured service, when ListenerType is set to outbound in extension configuration. See CVE-2023-2816 changelog entry for more details. [GH-17415]

SECURITY:

• Update to UBI base image to 9.2. [GH-17513]
• Upgrade golang.org/x/net to address CVE-2022-41723 [GH-16754]
• Upgrade to use Go 1.20.4. This resolves vulnerabilities CVE-2023-24537(go/scanner), CVE-2023-24538(html/template), CVE-2023-24534(net/textproto) and CVE-2023-24536(mime/multipart). Also, golang.org/x/net has been updated to v0.7.0 to resolve CVEs CVE-2022-41721, CVE-2022-27664 and CVE-2022-41723 [GH-17240]
• extensions: Disable remote downstream proxy patching by Envoy Extensions other than AWS Lambda. Previously, an operator with service:write ACL permissions for an upstream service could modify Envoy proxy config for downstream services without equivalent permissions for those services. This issue only impacts the Lua extension. [CVE-2023-2816] [GH-17415]

FEATURES:

• hcp: Add new metrics sink to collect, aggregate and export server metrics to HCP in OTEL format. [GH-17460]

IMPROVEMENTS:

• Fixes a performance issue in Raft where commit latency can increase by 100x or more when under heavy load. For more details see hashicorp/raft#541. [GH-17081]
• agent: add a configurable maximimum age (default: 7 days) to prevent servers re-joining a cluster with stale data [GH-17171]
• agent: add new metrics to track cpu disk and memory usage for server hosts (defaults to: enabled) [GH-17038]
• connect: update supported envoy versions to 1.22.11, 1.23.8, 1.24.6, 1.25.4 [GH-16889]
• envoy: add MaxEjectionPercent and BaseEjectionTime to passive health check configs. [GH-15979]
• hcp: Add support for linking existing Consul clusters to HCP management plane. [GH-16916]
• logging: change snapshot log header from agent.server.snapshot to agent.server.raft.snapshot [GH-17236]
• peering: allow re-establishing terminated peering from new token without deleting existing peering first. [GH-16776]
• peering: gRPC queries for TrustBundleList, TrustBundleRead, PeeringList, and PeeringRead now support blocking semantics, reducing network and CPU demand. The HTTP APIs for Peering List and Read have been updated to support blocking. [GH-17426]
• raft: Remove expensive reflection from raft/mesh hot path [GH-16552]
• xds: rename envoy_hcp_metrics_bind_socket_dir to envoy_telemetry_collector_bind_socket_dir to remove HCP naming references. [GH-17327]

BUG FIXES:

• Fix an bug where decoding some Config structs with unset pointer fields could fail with reflect: call of reflect.Value.Type on zero Value. [GH-17048]
• acl: (Enterprise only) Check permissions in correct partition/namespace when resolving service in non-default partition/namespace
• acl: Fix an issue where the anonymous token was synthesized in non-primary datacenters which could cause permission errors when federating clusters with ACL replication enabled. [GH-17231]
• acls: Fix ACL bug that can result in sidecar proxies having incorrect endpoints.
• connect: Fix multiple inefficient behaviors when querying service health. [GH-17241]
• gateways: Fix an bug where targeting a virtual service defined by a service-resolver was broken for HTTPRoutes. [GH-17055]
• grpc: ensure grpc resolver correctly uses lan/wan addresses on servers [GH-17270]
• namespaces: adjusts the return type from HTTP list API to return the api module representation of a namespace. This fixes an error with the consul namespace list command when a namespace has a deferred deletion timestamp.
• peering: Fix issue where modifying the list of exported services did not correctly replicate changes for services that exist in a non-default namespace. [GH-17456]
• peering: Fix issue where peer streams could incorrectly deregister services in various scenarios. [GH-17235]
• peering: ensure that merged central configs of peered upstreams for partitioned downstreams work [GH-17179]
• xds: Fix possible panic that can when generating clusters before the root certificates have been fetched. [GH-17185]

Changelog

Sourced from github.com/hashicorp/consul's changelog.

1.15.3 (June 1, 2023)

BREAKING CHANGES:

• extensions: The Lua extension now targets local proxy listeners for the configured service's upstreams, rather than remote downstream listeners for the configured service, when ListenerType is set to outbound in extension configuration. See CVE-2023-2816 changelog entry for more details. [GH-17415]

SECURITY:

• Update to UBI base image to 9.2. [GH-17513]
• Upgrade golang.org/x/net to address CVE-2022-41723 [GH-16754]
• Upgrade to use Go 1.20.4. This resolves vulnerabilities CVE-2023-24537(go/scanner), CVE-2023-24538(html/template), CVE-2023-24534(net/textproto) and CVE-2023-24536(mime/multipart). Also, golang.org/x/net has been updated to v0.7.0 to resolve CVEs CVE-2022-41721 , CVE-2022-27664 and [CVE-2022-41723 ](GHSA-vvpx-j8f3-3w6h .) [GH-17240]
• extensions: Disable remote downstream proxy patching by Envoy Extensions other than AWS Lambda. Previously, an operator with service:write ACL permissions for an upstream service could modify Envoy proxy config for downstream services without equivalent permissions for those services. This issue only impacts the Lua extension. [CVE-2023-2816] [GH-17415]

FEATURES:

• hcp: Add new metrics sink to collect, aggregate and export server metrics to HCP in OTEL format. [GH-17460]

IMPROVEMENTS:

• Fixes a performance issue in Raft where commit latency can increase by 100x or more when under heavy load. For more details see hashicorp/raft#541. [GH-17081]
• agent: add a configurable maximimum age (default: 7 days) to prevent servers re-joining a cluster with stale data [GH-17171]
• agent: add new metrics to track cpu disk and memory usage for server hosts (defaults to: enabled) [GH-17038]
• connect: update supported envoy versions to 1.22.11, 1.23.8, 1.24.6, 1.25.4 [GH-16889]
• envoy: add MaxEjectionPercent and BaseEjectionTime to passive health check configs. [GH-15979]
• hcp: Add support for linking existing Consul clusters to HCP management plane. [GH-16916]
• logging: change snapshot log header from agent.server.snapshot to agent.server.raft.snapshot [GH-17236]
• peering: allow re-establishing terminated peering from new token without deleting existing peering first. [GH-16776]
• peering: gRPC queries for TrustBundleList, TrustBundleRead, PeeringList, and PeeringRead now support blocking semantics, reducing network and CPU demand. The HTTP APIs for Peering List and Read have been updated to support blocking. [GH-17426]
• raft: Remove expensive reflection from raft/mesh hot path [GH-16552]
• xds: rename envoy_hcp_metrics_bind_socket_dir to envoy_telemetry_collector_bind_socket_dir to remove HCP naming references. [GH-17327]

BUG FIXES:

• Fix an bug where decoding some Config structs with unset pointer fields could fail with reflect: call of reflect.Value.Type on zero Value. [GH-17048]
• acl: (Enterprise only) Check permissions in correct partition/namespace when resolving service in non-default partition/namespace
• acl: Fix an issue where the anonymous token was synthesized in non-primary datacenters which could cause permission errors when federating clusters with ACL replication enabled. [GH-17231]
• acls: Fix ACL bug that can result in sidecar proxies having incorrect endpoints.
• connect: Fix multiple inefficient behaviors when querying service health. [GH-17241]
• gateways: Fix an bug where targeting a virtual service defined by a service-resolver was broken for HTTPRoutes. [GH-17055]

... (truncated)

Commits

• 7ce982c remove reverted feature changelog
• 23f4653 stage 1.15.3
• f3b1433 backport of commit cd05b8b921d967f3dde0331cc7d70dc0a3804a4b (#17543)
• aca09d2 Manual backport 1.15.x of Avoid panic applying TProxy Envoy extensions (#17539)
• 7d94518 Backport of [API Gateway] Fix use of virtual resolvers in HTTPRoutes into rel...
• f9d3f8a Backport of hoststats: add package for collecting host statistics including c...
• d991db5 backport of commit 65d5aeaaac207e134a6ab2f0742e8d5a34c90154 (#17531)
• fe5a963 backport of commit 94998bec4bad67d29efb2cbcd95ac9c827908d23 (#17518)
• 1330cc0 backport of commit 87e1f041781a18b55b0841febd53db7c8cc7257f (#17516)
• c0ee120 backport of commit 2d9ed7c43e0b1e33c56a39fb1d6ba66751cab66f (#17510)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[cthain]

🤔 May have to take care of this manually because the CI tests are failing. I'll take a look.

[cthain]

There are a couple of issues with CI:

1. It looks like the golangci-lint step is timing out so we may have to increase the window.
2. dependabot doesn't have access to the project secrets, so it can't run the ent tests since they need a Consul license.

I'm going to merge this and will fix any problems in a follow up.