Update consul Docker tag to v1.15.4

[renovate]

This PR contains the following updates:

Package	Update	Change
consul	patch	1.15.2 -> 1.15.4

---

Release Notes

hashicorp/consul (consul)

v1.15.4

Compare Source

FEATURES:

• cli: consul operator raft list-peers command shows the number of commits each follower is trailing the leader by to aid in troubleshooting. [GH-17582]
• server: (Enterprise Only) allow automatic license utilization reporting. [GH-5102]

IMPROVEMENTS:

• connect: update supported envoy versions to 1.22.11, 1.23.9, 1.24.7, 1.25.6 [GH-17545]
• debug: change default setting of consul debug command. now default duration is 5ms and default log level is 'TRACE' [GH-17596]
• fix metric names in /docs/agent/telemetry [GH-17577]
• gateway: Change status condition reason for invalid certificate on a listener from "Accepted" to "ResolvedRefs". [GH-17115]
• systemd: set service type to notify. [GH-16845]

BUG FIXES:

• cache: fix a few minor goroutine leaks in leaf certs and the agent cache [GH-17636]
• docs: fix list of telemetry metrics [GH-17593]
• gateways: (Enterprise only) Fixed a bug in API gateways where gateway configuration objects in non-default partitions did not reconcile properly. [GH-17581]
• gateways: Fixed a bug in API gateways where binding a route that only targets a service imported from a peer results
  in the programmed gateway having no routes. [GH-17609]
• gateways: Fixed a bug where API gateways were not being taken into account in determining xDS rate limits. [GH-17631]
• http: fixed API endpoint PUT /acl/token/:AccessorID (update token), no longer requires AccessorID in the request body. Web UI can now update tokens. [GH-17739]
• namespaces: (Enterprise only) fixes a bug where agent health checks stop syncing for all services on a node if the namespace of any service has been removed from the server.
• namespaces: (Enterprise only) fixes a bug where namespaces are stuck in a deferred deletion state indefinitely under some conditions.
  Also fixes the Consul query metadata present in the HTTP headers of the namespace read and list endpoints.
• peering: Fix a bug that caused server agents to continue cleaning up peering resources even after loss of leadership. [GH-17483]
• xds: Fixed a bug where modifying ACLs on a token being actively used for an xDS connection caused all xDS updates to fail. [GH-17566]

v1.15.3

Compare Source

BREAKING CHANGES:

• extensions: The Lua extension now targets local proxy listeners for the configured service's upstreams, rather than remote downstream listeners for the configured service, when ListenerType is set to outbound in extension configuration. See CVE-2023-2816 changelog entry for more details. [GH-17415]

SECURITY:

• Update to UBI base image to 9.2. [GH-17513]
• Upgrade golang.org/x/net to address CVE-2022-41723 [GH-16754]
• Upgrade to use Go 1.20.4.
  This resolves vulnerabilities CVE-2023-24537(go/scanner),
  CVE-2023-24538(html/template),
  CVE-2023-24534(net/textproto) and
  CVE-2023-24536(mime/multipart).
  Also, golang.org/x/net has been updated to v0.7.0 to resolve CVEs CVE-2022-41721
  , CVE-2022-27664 and [CVE-2022-41723
  ](GHSA-vvpx-j8f3-3w6h
  .) [GH-17240]
• extensions: Disable remote downstream proxy patching by Envoy Extensions other than AWS Lambda. Previously, an operator with service:write ACL permissions for an upstream service could modify Envoy proxy config for downstream services without equivalent permissions for those services. This issue only impacts the Lua extension. [CVE-2023-2816] [GH-17415]

FEATURES:

• hcp: Add new metrics sink to collect, aggregate and export server metrics to HCP in OTEL format. [GH-17460]

IMPROVEMENTS:

• Fixes a performance issue in Raft where commit latency can increase by 100x or more when under heavy load. For more details see https://github.com/hashicorp/raft/pull/541. [GH-17081]
• agent: add a configurable maximimum age (default: 7 days) to prevent servers re-joining a cluster with stale data [GH-17171]
• agent: add new metrics to track cpu disk and memory usage for server hosts (defaults to: enabled) [GH-17038]
• connect: update supported envoy versions to 1.22.11, 1.23.8, 1.24.6, 1.25.4 [GH-16889]
• envoy: add MaxEjectionPercent and BaseEjectionTime to passive health check configs. [GH-15979]
• hcp: Add support for linking existing Consul clusters to HCP management plane. [GH-16916]
• logging: change snapshot log header from agent.server.snapshot to agent.server.raft.snapshot [GH-17236]
• peering: allow re-establishing terminated peering from new token without deleting existing peering first. [GH-16776]
• peering: gRPC queries for TrustBundleList, TrustBundleRead, PeeringList, and PeeringRead now support blocking semantics,
  reducing network and CPU demand.
  The HTTP APIs for Peering List and Read have been updated to support blocking. [GH-17426]
• raft: Remove expensive reflection from raft/mesh hot path [GH-16552]
• xds: rename envoy_hcp_metrics_bind_socket_dir to envoy_telemetry_collector_bind_socket_dir to remove HCP naming references. [GH-17327]

BUG FIXES:

• Fix an bug where decoding some Config structs with unset pointer fields could fail with reflect: call of reflect.Value.Type on zero Value. [GH-17048]
• acl: (Enterprise only) Check permissions in correct partition/namespace when resolving service in non-default partition/namespace
• acl: Fix an issue where the anonymous token was synthesized in non-primary datacenters which could cause permission errors when federating clusters with ACL replication enabled. [GH-17231]
• acls: Fix ACL bug that can result in sidecar proxies having incorrect endpoints.
• connect: Fix multiple inefficient behaviors when querying service health. [GH-17241]
• gateways: Fix an bug where targeting a virtual service defined by a service-resolver was broken for HTTPRoutes. [GH-17055]
• grpc: ensure grpc resolver correctly uses lan/wan addresses on servers [GH-17270]
• namespaces: adjusts the return type from HTTP list API to return the api module representation of a namespace.
  This fixes an error with the consul namespace list command when a namespace has a deferred deletion timestamp.
• peering: Fix issue where modifying the list of exported services did not correctly replicate changes for services that exist in a non-default namespace. [GH-17456]
• peering: Fix issue where peer streams could incorrectly deregister services in various scenarios. [GH-17235]
• peering: ensure that merged central configs of peered upstreams for partitioned downstreams work [GH-17179]
• xds: Fix possible panic that can when generating clusters before the root certificates have been fetched. [GH-17185]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (1.15.4). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.