Backport of Upgraded go to 1.23.8 into release/1.20.x

.changelog/21655.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS"
+```

.changelog/21750.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+security: upgrade ubi base image to 9.4
+```

.changelog/21780.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+api: remove dependency on proto-public, protobuf, and grpc
+```

.changelog/21795.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+docs: added the docs for the grafana dashboards
+```

.changelog/21806.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+grafana: added the dashboards service-to-service dashboard, service dashboard, and consul dataplane dashboard
+```

.changelog/21816.txt

@@ -0,0 +1,9 @@
+```release-note:security
+mesh: Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
+```
+```release-note:security
+mesh: Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
+```
+```release-note:breaking-change
+mesh: Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).
+```

.changelog/21871.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+proxycfg: fix a bug where peered upstreams watches are canceled even when another target needs it.
+```

.changelog/21908.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Resolved issue where hcl would allow duplicates of the same key in acl policy configuration.
+```

.changelog/21909.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+state: ensure that identical manual virtual IP updates result in not bumping the modify indexes
+```

.changelog/21930.txt

@@ -0,0 +1,3 @@
+```release-note:security
+api: Enforces strict content-type header validation to protect against XSS vulnerability.
+```

.changelog/21950.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Removed ability to use bexpr to filter results without ACL read on endpoint
+```

.changelog/21951.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update `github.com./golang-jwt/jwt/v4` to v4.5.1 to address [GHSA-29wx-vh33-7x7r](https://github.com./golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r).
+```

.changelog/21984.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: Fixed TLS configuration to properly enforce listener TLS versions and cipher suites
+```

.changelog/22001.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update `golang.org/x/crypto` to v0.31.0 to address [GO-2024-3321](https://pkg.go.dev/vuln/GO-2024-3321).
+```

.changelog/22011.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Update `registry.access.redhat.com/ubi9-minimal` image to 9.5 to address [CVE-2024-3596](https://nvd.nist.gov/vuln/detail/CVE-2024-3596),[CVE-2024-2511](https://nvd.nist.gov/vuln/detail/CVE-2024-2511),[CVE-2024-26458](https://nvd.nist.gov/vuln/detail/CVE-2024-26458).
+```
+

.changelog/22021.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Update `golang.org/x/net` to v0.33.0 to address [GO-2024-3333](https://pkg.go.dev/vuln/GO-2024-3333).
+```

.changelog/22084.txt

@@ -0,0 +1,5 @@
+```release-note:security
+Upgrade Go to use v1.22.11 and bump Go X-Repositories to latest. This addresses CVE 
+[CVE-2024-45341](https://nvd.nist.gov/vuln/detail/CVE-2024-45341) and
+[CVE-2024-45336](https://nvd.nist.gov/vuln/detail/CVE-2024-45336)
+```

.changelog/22109.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+aws-auth: Fix bug where calls to AWS IAM and STS services error out due to URL with multiple trailing slashes.
+```

.changelog/22113.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+metadata: memoize the parsed build versions
+```

.changelog/22120.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Fixed logging error while building for OpenBSD OS [[GH-22120](https://github.com./hashicorp/consul/pull/22120)]
+```

.changelog/22132.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrade Go to use v1.22.12 and bump Go X-Repositories to latest. This addresses CVE
+[CVE-2025-22866](https://nvd.nist.gov/vuln/detail/CVE-2025-22866)
+```

.changelog/22138.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: update supported envoy versions to 1.33.0, 1.32.3
+```

.changelog/22172.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api: Fixed api submodule checksum mismatch issue by retracted 1.31.1 version [[GH-22172](https://github.com./hashicorp/consul/pull/22172)]
+```

.changelog/22174.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+dependency: upgraded consul/api to 1.31.2
+```

.changelog/22184.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+logging: Fixed compilation error for OS NetBSD.
+```

.changelog/22204.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade Go to 1.23.6.
+```

.changelog/22207.txt

@@ -0,0 +1,5 @@
+```release-note:security
+Update `golang.org/x/crypto` to v0.35.0 to address [GO-2025-3487](https://pkg.go.dev/vuln/GO-2025-3487).
+Update `golang.org/x/oauth2` to v0.27.0 to address [GO-2025-3488](https://pkg.go.dev/vuln/GO-2025-3488).
+Update `github.com./go-jose/go-jose/v3` to v3.0.4 to address [GO-2025-3485](https://pkg.go.dev/vuln/GO-2025-3485).
+```

.changelog/22220.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Add the missing Service TaggedAddresses and Check Type fields to Txn API.
+```

.changelog/22227.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+Added support for Consul Session to update the state of a Health Check, allowing for more dynamic and responsive health monitoring within the Consul ecosystem. This feature enables sessions to directly influence health check statuses, improving the overall reliability and accuracy of service health assessments.
+```

.changelog/22237.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade Go to 1.23.7 and bump X-Repositories to latest.
+```

.github/CODEOWNERS

@@ -1,3 +1,5 @@
+* @hashicorp/consul-selfmanage-maintainers
+
 # Techical Writer Review
 
 /website/content/docs/ @hashicorp/consul-docs
@@ -6,36 +8,5 @@
 
 
 # release configuration
-/.release/                              @hashicorp/release-engineering @hashicorp/github-consul-core
-/.github/workflows/build.yml            @hashicorp/release-engineering @hashicorp/github-consul-core
-
-
-# Staff Engineer Review (protocol buffer definitions)
-/proto-public/   @hashicorp/consul-core-staff
-/proto/          @hashicorp/consul-core-staff
-
-# Staff Engineer Review (v1 architecture shared components)
-/agent/cache/                  @hashicorp/consul-core-staff
-/agent/consul/fsm/             @hashicorp/consul-core-staff
-/agent/consul/leader*.go       @hashicorp/consul-core-staff
-/agent/consul/server*.go       @hashicorp/consul-core-staff
-/agent/consul/state/           @hashicorp/consul-core-staff
-/agent/consul/stream/          @hashicorp/consul-core-staff
-/agent/submatview/             @hashicorp/consul-core-staff
-/agent/blockingquery/          @hashicorp/consul-core-staff
-
-# Staff Engineer Review (raft/autopilot)
-/agent/consul/autopilotevents/  @hashicorp/consul-core-staff
-/agent/consul/autopilot*.go     @hashicorp/consul-core-staff
-
-# Staff Engineer Review (v2 architecture shared components)
-/internal/controller/                   @hashicorp/consul-core-staff
-/internal/resource/                     @hashicorp/consul-core-staff
-/internal/storage/                      @hashicorp/consul-core-staff
-/agent/consul/controller/               @hashicorp/consul-core-staff
-/agent/grpc-external/services/resource/ @hashicorp/consul-core-staff
-
-# Staff Engineer Review (v1 security)
-/acl/                   @hashicorp/consul-core-staff
-/agent/xds/rbac*.go     @hashicorp/consul-core-staff
-/agent/xds/jwt*.go      @hashicorp/consul-core-staff
+/.release/                              @hashicorp/team-selfmanaged-releng @hashicorp/consul-selfmanage-maintainers
+/.github/workflows/build.yml            @hashicorp/team-selfmanaged-releng @hashicorp/consul-selfmanage-maintainers

.github/workflows/go-tests.yml

@@ -22,7 +22,6 @@ permissions:
 env:
   TEST_RESULTS: /tmp/test-results
   GOPRIVATE: github.com./hashicorp # Required for enterprise deps
-  SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }}
 
 # concurrency
 concurrency:
@@ -31,17 +30,7 @@ concurrency:
 
 jobs:
   conditional-skip:
-    runs-on: ubuntu-latest 
-    name: Get files changed and conditionally skip CI
-    outputs:
-      skip-ci: ${{ steps.read-files.outputs.skip-ci }}
-    steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-        with:
-          fetch-depth: 0
-      - name: Get changed files
-        id: read-files
-        run: ./.github/scripts/check_skip_ci.sh
+    uses: ./.github/workflows/reusable-conditional-skip.yml
 
   setup:
     needs: [conditional-skip]

.github/workflows/nightly-test-1.19.x.yaml

@@ -14,8 +14,15 @@ env:
   GOPRIVATE: github.com./hashicorp # Required for enterprise deps
 
 jobs:
+  check-ent:
+    runs-on: ubuntu-latest
+    if: ${{ endsWith(github.repository, '-enterprise') }}
+    steps:
+      - run: echo "Building Enterprise"
+
   frontend-test-workspace-node:
     runs-on: ubuntu-latest
+    needs: [ check-ent ]
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
@@ -45,6 +52,7 @@ jobs:
 
   frontend-build-ce:
     runs-on: ubuntu-latest
+    needs: [ check-ent ]
     env:
       JOBS: 2
       CONSUL_NSPACES_ENABLED: 0
@@ -117,6 +125,7 @@ jobs:
 
   frontend-build-ent:
     runs-on: ubuntu-latest
+    needs: [ check-ent ]
     env:
       JOBS: 2
       CONSUL_NSPACES_ENABLED: 1

.github/workflows/nightly-test-1.17.x.yaml → .github/workflows/nightly-test-1.20.x.yaml

@@ -1,16 +1,16 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-name: Nightly Frontend Test 1.17.x
+name: Nightly Frontend Test 1.20.x
 on:
   schedule:
     - cron: '0 4 * * *'
   workflow_dispatch: {}
 
 env:
   EMBER_PARTITION_TOTAL: 4        # Has to be changed in tandem with the matrix.partition
-  BRANCH: "release/1.17.x"
-  BRANCH_NAME: "release-1.17.x"   # Used for naming artifacts
+  BRANCH: "release/1.20.x"
+  BRANCH_NAME: "release-1.20.x"   # Used for naming artifacts
   GOPRIVATE: github.com./hashicorp # Required for enterprise deps
 
 jobs:
@@ -22,7 +22,7 @@ jobs:
 
   frontend-test-workspace-node:
     runs-on: ubuntu-latest
-    needs: [check-ent]
+    needs: [ check-ent ]
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
@@ -52,7 +52,7 @@ jobs:
 
   frontend-build-ce:
     runs-on: ubuntu-latest
-    needs: [check-ent]
+    needs: [ check-ent ]
     env:
       JOBS: 2
       CONSUL_NSPACES_ENABLED: 0
@@ -125,7 +125,7 @@ jobs:
 
   frontend-build-ent:
     runs-on: ubuntu-latest
-    needs: [check-ent]
+    needs: [ check-ent ]
     env:
       JOBS: 2
       CONSUL_NSPACES_ENABLED: 1