Commit

Backport of Add known issue for GH-20360. into release/1.17.x (#20443)
Add known issue for GH-20360.

Co-authored-by: Derek Menteer <derek.menteer@hashicorp.com>
hc-github-team-consul-core and hashi-derek committed Feb 1, 2024
1 parent 4eb2a6c commit 552eff9
Showing 4 changed files with 26 additions and 0 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,4 +1,9 @@
## 1.17.2 (January 23, 2024)

KNOWN ISSUES:

* connect: Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6. [[GH-20360](https://github.com/hashicorp/consul/issues/20360)]

SECURITY:

* Upgrade OpenShift container images to use `ubi9-minimal:9.3` as the base image. [[GH-20014](https://github.com/hashicorp/consul/issues/20014)]
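Review bot: In the new KNOWN ISSUES bullet under 1.17.2, "A fix will be present in a future release of Consul 1.17.3 and 1.16.6" reads as if 1.17.3 and 1.16.6 each have further future releases; "This will be fixed in Consul 1.17.3 and 1.16.6" says it directly. The clause "prevents connections outside of the mesh to upstream services" is also ambiguous about direction; if the intent is that terminating gateways can no longer reach upstream services outside the mesh, say so in those words.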
5 changes: 5 additions & 0 deletions website/content/docs/release-notes/consul/v1_16_x.mdx
Expand Up @@ -68,6 +68,11 @@ For more detailed information, please refer to the [upgrade details page](/consu

The following issues are known to exist in the v1.16.x releases:

- v1.16.5 - Excessively strict TLS SAN verification is performed by terminating gateways,
which prevents connections outside of the mesh to upstream services. Terminating gateway
users are advised to avoid deploying these Consul versions. A fix will be present in a future
release of Consul 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].

- v1.16.0 - v1.16.1 may have issues when a snapshot restore is performed
and the servers are hosting xDS streams. When this bug triggers, it
will cause Envoy to incorrectly populate upstream endpoints. It is
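Review bot: The new v1.16.5 item says "users are advised to avoid deploying these Consul versions", but this list entry names only one version, so the plural is left over from the combined 1.17.2/1.16.5 wording. Suggest "this Consul version" here, or name both affected versions as the CHANGELOG entry does.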
9 changes: 9 additions & 0 deletions website/content/docs/release-notes/consul/v1_17_x.mdx
Expand Up @@ -74,6 +74,15 @@ We are pleased to announce the following Consul updates.

For more detailed information, please refer to the [upgrade details page](/consul/docs/upgrading/upgrade-specific) and the changelogs.

## Known Issues

The following issues are known to exist in the v1.17.x releases:

- v1.17.2 - Excessively strict TLS SAN verification is performed by terminating gateways,
which prevents connections outside of the mesh to upstream services. Terminating gateway
users are advised to avoid deploying these Consul versions. A fix will be present in a future
release of Consul 1.17.3 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].

## Changelogs

The changelogs for this major release version and any maintenance versions are listed below.
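Review bot: The added heading "## Known Issues" uses title case, while the same commit adds "### Known issues" in upgrade-specific.mdx; pick one casing so the headings and their anchors are consistent across the docs. The v1.17.2 item also says "these Consul versions" although only v1.17.2 is named in it; "this Consul version" would match the entry.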
7 changes: 7 additions & 0 deletions website/content/docs/upgrading/upgrade-specific.mdx
Expand Up @@ -15,6 +15,11 @@ This page is used to document those details separately from the standard
upgrade flow.

## Consul 1.17.x

### Known issues

Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].

#### Audit Log naming changes (Enterprise)
Prior to Consul 1.17.0, audit logs contained timestamps on both the original log file names as well as rotated log file names.
After Consul 1.17.0, only timestamps will be included in rotated log file names.
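Review bot: Placing "### Known issues" directly above "#### Audit Log naming changes (Enterprise)" makes the audit log section a child of Known issues in the page outline, although it is an upgrade note for "## Consul 1.17.x" and not a known issue. Suggest moving the Known issues block below the audit log section, or adjusting the heading levels so the two are siblings.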
Expand All @@ -34,6 +39,8 @@ service-defaults are configured in each partition and namespace before upgrading

### Known issues

Consul versions 1.17.2 and 1.16.5 perform excessively strict TLS SAN verification on terminating gateways, which prevents connections outside of the mesh to upstream services. Terminating gateway users are advised to avoid deploying these Consul versions. A fix will be present in a future release of Consul 1.17.3 and 1.16.6 [[GH-20360](https://github.com/hashicorp/consul/issues/20360)].

Service mesh in Consul versions 1.16.0 and 1.16.1 may have issues when a snapshot restore is performed and the servers are hosting xDS streams.
When this bug triggers, it causes Envoy to incorrectly populate upstream endpoints. To prevent this issue, service mesh users who run agent-less workloads should upgrade Consul to v1.16.2 or later.
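Review bot: The paragraph added at the top of this Known issues block only tells users to "avoid deploying these Consul versions", with no guidance for operators who already run 1.17.2 or 1.16.5 with terminating gateways. The existing 1.16.0/1.16.1 entry right below it ends with a concrete action ("should upgrade Consul to v1.16.2 or later"); the new entry should do the same, for example by stating which release to stay on until 1.17.3 and 1.16.6 are available. The text is also a verbatim copy of the 1.17.x paragraph, so consider leading with the version relevant to this section.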
