chore(deps): update helm release consul to v1.7.0

[renovate]

This PR contains the following updates:

Package	Update	Change
consul (source)	minor	1.6.3 -> 1.7.0

---

Release Notes

hashicorp/consul (consul)

v1.7.0

Compare Source

NOTES:

• cli: Our Windows 32-bit and 64-bit executables for this version and up will be signed with a HashiCorp certificate. Windows users will no longer see a warning about an "unknown publisher" when running our software.

• cli: Our darwin releases for this version and up will be signed and notarized according to Apple's requirements.

Prior to this release, MacOS 10.15+ users attempting to run our software may see the error: "'consul' cannot be opened because the developer cannot be verified." This error affected all MacOS 10.15+ users who downloaded our software directly via web browsers, and was caused by changes to Apple's third-party software requirements.

MacOS 10.15+ users should plan to upgrade to 1.7.0+.

SECURITY:

• dns: Updated miekg/dns dependency to fix a memory leak and CVE-2019-19794. [GH-6984], [GH-7252]
• updated to compile with [Go 1.12.16] which includes a fix for CVE-2020-0601 on windows [GH-7153]

BREAKING CHANGES:

• http: The HTTP API no longer accepts JSON fields that are unknown to it. Instead errors will be returned with 400 status codes [GH-6874]
• dns: PTR record queries now return answers that contain the Consul datacenter as a label between service and the domain. [GH-6909]
• agent: The ACL requirement for the agent/force-leave endpoint is now operator:write rather than agent:write. [GH-7033]
• logging: Switch over to using go-hclog and allow emitting either structured or unstructured logs. This changes the log format quite a bit and could break any log parsing users may have in place. [GH-1249][GH-7130]
• intentions: Change the ACL requirement and enforcement for wildcard rules. Previously this would look for an ACL rule that would grant access to the service/intention *. Now, in order to write a wildcard intention requires write access to all intentions and reading a wildcard intention requires read access to any intention that would match. Additionally intention listing and reading allow access if the requester can read either side of the intention whereas before it only allowed it for permissions on the destination side. [GH-7028]
• telemetry: consul.rpc.query has changed to only measure the start of srv.blockingQuery() calls. In certain rare cases where there are lots of idempotent updates this will cause the metric to report lower than before. The counter should now provides more meaningful behavior that maps to the rate of client-initiated requests. [GH-7224]

FEATURES:

• Namespaces (Consul Enterprise only) This version adds namespacing to Consul. Namespaces help reduce operational challenges by removing restrictions around uniqueness of resource names across distinct teams, and enable operators to provide self-service through delegation of administrative privileges. Namespace support was added to:
  • ACLs
  • Key/Value Store
  • Sessions
  • Catalog
  • Connect
  • UI [GH6639]
• agent: Add Cloud Auto-join support for Tencent Cloud [GH-6818]
• connect: Added a new CA provider allowing Connect certificates to be managed by AWS ACM Private CA.
• connect: Allow configuration of upstream connection limits in Envoy [GH-6829]
• ui: Adds UI support for Exposed Checks [GH6575]
• ui: Visualisation of the Discovery Chain [GH6746]

IMPROVEMENTS:

• acl: Use constant time comparison when checking for the ACL agent master token. [GH-6943]
• acl: Add accessorID of token when ops are denied by ACL system [GH-7117]
• agent: default the primary_datacenter to the datacenter if not configured [GH-7111]
• agent: configurable MaxQueryTime and DefaultQueryTime [GH-3777]
• agent: do not deregister service checks twice [GH-6168]
• agent: remove service sidecars in cleanupRegistration [GH-7022]
• agent: setup grpc server with auto_encrypt certs and add -https-port [GH-7086
• agent: some check types now support configuring a number of consecutive failure and success before the check status is updated in the catalog. [GH-5739]
• agent: clients should only attempt to remove pruned nodes once per call [GH-6591]
• agent: Consul HTTP checks can now send a configurable body in the request. [GH-6602]
• agent: increase watchLimit to 8192. [GH-7200]
• api: A new /v1/catalog/node-services/:node endpoint was added that mirrors the existing /v1/catalog/node/:node endpoint but has a response structure that contains a slice of services instead of a map of service ids to services. This new endpoint allows retrieving all services in all namespaces for a node. [GH-7115]
• api: add option to set TLS options in-memory for API client [GH-7093]
• api: add replace-existing-checks param to the api package [GH-7136]
• auto_encrypt: set dns and ip san for k8s and provide configuration [GH-6944]
• cli: improve the file safety of 'consul tls' subcommands [GH-7186]
• cli: give feedback to CLI user on forceleave command if node does not exist [GH-6841]
• connect: Envoy's whole stats endpoint can now be exposed to allow integrations like DataDog agent [GH-7070]
• connect: check if intermediate cert needs to be renewed. [GH-6835]
• connect: Allow inlining of the TLS certificate in the Envoy configuration. [GH-6360]
• dns: Improvement to enable dual stack IPv4/IPv6 addressing of services and lookup via DNS [GH-6531]
• lock: consul lock will now receive shutdown signals during the lock-acquisition process. [GH-5909]
• raft: increase raft notify buffer [GH-6863]
• raft: update raft to v1.1.2 [GH-7079]
• router: do not surface left servers [GH-6420]
• rpc: log method when a server/server RPC call fails [GH-4548]
• sentinel: (Consul Enterprise only) The Sentinel framework was upgraded to v0.13.0. See the Sentinel Release Notes for more information.
• telemetry: Added consul.rpc.queries_blocking gauge to measure the current number of in-flight blocking queries. [GH-7224]
• ui: Discovery chain improvements for clarifying the default router [GH-7222]
• ui: Added unique browser titles to each page [GH-7118]
• ui: Add live updates/blocking queries to the Intention listing page [GH-7161]
• ui: Use more consistent icons with other HashiCorp products in the UI [GH-6851]
• ui: Improvements to the Discovery Chain visualisation in respect to redirects [GH-7036]
• ui: Improvement keyboard navigation of the main menu [GH-7090]
• ui: New row confirmation dialogs [GH-7007]
• ui: Various visual CSS amends and alterations [GH6495] [[GH6881]](https://github.com/hashicorp/consul/
• ui: Hides the Routing tab for a service proxy [GH-7195]
• ui: Add ability to search nodes listing page with IP Address [GH-7204]
• xds: mesh gateway CDS requests are now allowed to receive an empty CDS reply [GH-6787]
• xds: Verified integration test suite with Envoy 1.12.2 & 1.13.0 [GH-6947]
• agent: Added ACL token for Consul managed service providers [GH-7218]

BUGFIXES:

• agent: fix watch event behavior [GH-5265]
• agent: ensure node info sync and full sync [GH-7189]
• autopilot: Fixed dead server removal condition to use correct failure tolerance. [GH-4017]
• cli: services register command now correctly registers an unamed healthcheck [GH-6800]
• cli: remove -dev from consul version in ARM builds in the 1.6.2 release [GH-6875]
• cli: ui_content_path config option fix [GH-6601]
• config: Fixed a bug that caused some config parsing to be case-sensitive: [GH-7191]
• connect: CAs can now use RSA keys correctly to sign EC leafs [GH-6638]
• connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index [GH-7011]
• connect: ensure that updates to the secondary root CA configuration use the correct signing key ID values for comparison [GH-7012]
• connect: use correct subject key id for leaf certificates. [GH-7091]
• log: handle discard all logfiles properly [GH-6945]
• state: restore a few more service-kind index updates so blocking in ServiceDump works in more cases [GH-6948]
• tls: fix behavior related to auto_encrypt and verify_incoming (#​6899) [GH-6811]
• ui: Ensure the main navigation menu is closed on click [GH-7164]
• ui: Ensure KV flags are passed through to Consul on update [GH-7216]
• ui: Fix positioning of active icon in main navigation menu [GH-7233]
• ui: Ensure the Namespace property is sent to Consul in OSS [GH-7238]
• ui: Remove the Policy/Service Identity selector from namespace policy form [GH-7124]
• ui: Fix positioning of active icon in the selected menu item [GH-7148]
• ui: Discovery-Chain: Improve parsing of redirects [GH-7174]
• ui: Fix styling of ‘duplicate intention’ error message [GH6936]

v1.6.4

Compare Source

SECURITY:

• dns: Updated miekg/dns dependency to fix a memory leak and CVE-2019-19794. [GH-6984], [GH-7261]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.