Update module github.com/hashicorp/consul/api to v2

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/hashicorp/consul/api	v1.34.3 → v2.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

hashicorp/consul (github.com/hashicorp/consul/api)

v2.0.0

2.0.0 (May 22, 2026)

SECURITY:

• connect: Upgrade envoy version to 1.37.2 and newer versions [GH-23469]
• go: Upgrade go version to 1.26 [GH-23493]
• agent: Increased default HTTP server timeouts to prevent breaking long-polling blocking queries. read_timeout and write_timeout are now set to 15 minutes (up from 30 seconds), while read_header_timeout (10s) and idle_timeout (120s) still provide protection against Slowloris attacks. All timeouts remain configurable via the http_config block. [GH-23267]
• api-gateway, terminating-gateway: Apply HTTP request path normalization on api-gateway and terminating-gateway HTTP listeners to prevent L7 intention RBAC bypass via non-normalized paths (CVE-2024-10005). [GH-23534]
• docker: update ubi base image to ubi9-minimal:9.7. [GH-23553]
• docker: Upgrade curl to >= 8.20.0 from Alpine edge in the container image to address
  CVE-2026-6429,
  CVE-2026-4873,
  CVE-2026-5773,
  CVE-2026-6253,
  CVE-2026-6276,
  CVE-2026-7168,
  CVE-2026-5545.
  Alpine 3.23 stable does not yet carry the patched version. [GH-23750]
• docker: Update to UBI base image to 9.8 for fixing [CVE_2026-2100] [GH-23588]

FEATURES:

• (Enterprise Only) update to go-licensing/v4 and go-census/v3 inorder to adapt to new licenses of PAO.
• Global Rate Limiter: (Enterprise Only) a new "rate-limit" config entry kind that enables dynamic, cluster-wide RPC rate limiting stored in Raft and automatically replicated to all servers. This allows operators to apply or adjust global rate limits at runtime without restarting Consul servers — a critical capability for emergency scenarios where the cluster is under excessive load.
• api-gateway: Added SDS certificate support for API Gateway listeners, including listener-level default TLS certificates and HTTP/TCP route service TLS SDS overrides. Service overrides inherit the listener SDS cluster when omitted, and gateway validation/xDS generation now rejects conflicting override mappings to keep certificate selection deterministic. [GH-23354]
• api-gateway: add support for gateway-level default upstream limits and route service-level limit overrides for MaxConnections, MaxPendingRequests, and MaxConcurrentRequests. [GH-23396]
• api: Added new API "/v1/internal/rpc/methods" that lists all RPC method names. Requires an operator:read ACL token. This is useful when users want to configure rate limits that exclude specific RPC endpoints. [GH-23329]
• ca: (Enterprise Only) Added new Connect CA provider for Cyberark WIM (connect.ca_provider = "pan-distributed-issuer"), enabling Consul to issue certificates through Cyberark WIM.
• server: (Enterprise Only) add stable cluster identity and leader-gated global registry sync for service summary publishing.
• telemetry: (Enterprise Only) Product telemetry for self-managed Consul with anonymous, opt-in usage reporting.
• mesh: (Enterprise Only) Introduce support for multi-port (named port) services in Consul, including the ability to specify and route traffic using port names, as well as to retrieve virtual IPs for specific service ports. It also enforces that certain advanced multi-port features are only available in Consul Enterprise, and includes new utility functions for cluster naming and ALPN protocol generation.

IMPROVEMENTS:

• agent: (Enterprise Only) Add eventually-consistent background cache for Enterprise usage metrics, reducing GET /v1/operator/usage latency from O(PNK) to O(1) and lowering CPU/memory pressure during high-frequency scraping via a watch-driven maintainer goroutine.
• mesh: (Enterprise Only) Introduce support for multi-port (named port) services in Consul, including the ability to specify and route traffic using port names, as well as to retrieve virtual IPs for specific service ports. It also enforces that certain advanced multi-port features are only available in Consul Enterprise, and includes new utility functions for cluster naming and ALPN protocol generation.
• terminating-gateway: Updated the cluster upstream tls to use sds instead of static certs, allowing for dynamic certificate updates without needing to restart the terminating gateway. [GH-23288]
• telemetry: Add certificate expiry monitoring with Prometheus metrics (labeled with datacenter/partition/namespace), structured logging with configurable severity thresholds, and enhanced Connect CA API to include NotAfter field for root and intermediate certificates. [GH-23147]
• deps: Upgrade github.com/hashicorp/vault/sdk from v0.7.0 to v0.25.1 and github.com/hashicorp/vault/api from v1.12.2 to v1.16.0. [GH-23574]
• test-integ: upgrade testcontainers-go (v0.22.0->v0.40.0) and docker/docker (v24.0.5->v28.5.1) in the integration test module. This removes opencontainers/runc as a Go dependency of the test framework. These are test infrastructure dependencies only and have no impact on the consul binary or any consul deployment. [GH-23573]
• xds: (Enterprise Only) add Consecutive5xx, ConsecutiveGatewayFailure, and EnforcingConsecutiveGatewayFailure fields to PassiveHealthCheck, allowing operators to configure Envoy outlier detection thresholds for 5xx responses and gateway failures (502/503/504) on upstreams defaults.

BUG FIXES:

• audit-logging: (Enterprise Only) Fixed JSON unmarshall error when array of obj is passed for auditReq body.
• cli: Enhanced error messages in consul config write command to provide actionable guidance when config entries cannot be modified due to references by gateways or routers. [GH-22921]
• xds: Fixed XDS package to generate correct endpoints and cluster configurations for API Gateways when peered, and updated the API Gateway update handler to propogate mesh gateway config to its upstreams. [GH-23454]
• XDS: Fixes issue with mesh-gateway in remote mode on AWS EKS, as DNS hostnames are assigned to AWS NLBs instead of IPs and envoy's EDS endpoint validation expects address to be an IP. Now EDS load assignment is skipped for non-peer remote mesh gateway targets with hostname based gateways keeping CDS/EDS in sync. [GH-23543]
• api-gateway: resolve service subsets for routes during API gateway discovery chain synthesis. [GH-23294]
• ui: Fix broken documentation links [GH-23578]

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dd-prapprover]

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

• ✅ PR is eligible for auto-approval by rule datadog-agent-renovate - 2026-06-12T05:17:34Z
• ⬜ CI tests passed
• ⬜ Approved
• Manual merge required: this rule does not auto-merge.

➡️ Current phase: CI tests failed. Please fix the failing tests to continue.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d257106bcc

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Update Consul imports before requiring v2

The repo-wide search for Consul imports only finds comp/core/autodiscovery/providers/consul.go and its test, and both still import github.com/hashicorp/consul/api; this patch also keeps that v1 module required at go.mod:961. As a result, the new /v2 requirement on this line is unused, so the Agent continues to compile against v1.32.1 and the intended major upgrade/security fixes are not actually applied. Please update the imports/call sites to /v2 or keep the dependency at v1.

Useful? React with 👍 / 👎.

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor 8c948b5e:

Results for datadog-agent_7.81.0~devel.git.684.dd6bd83.pipeline.118011409-1_amd64.deb:

No change detected

[dd-octo-sts]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 8c948b5
📊 Static Quality Gates Dashboard
🔗 SQG Job

32 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_deb_amd64	752.512 MiB
✅	agent_deb_amd64_fips	708.281 MiB
✅	agent_heroku_amd64	310.776 MiB
✅	agent_rpm_amd64	752.496 MiB
✅	agent_rpm_amd64_fips	708.265 MiB
✅	agent_rpm_arm64	727.877 MiB
✅	agent_rpm_arm64_fips	687.323 MiB
✅	agent_suse_amd64	752.496 MiB
✅	agent_suse_amd64_fips	708.265 MiB
✅	agent_suse_arm64	727.877 MiB
✅	agent_suse_arm64_fips	687.323 MiB
✅	docker_agent_amd64	811.947 MiB
✅	docker_agent_arm64	812.349 MiB
✅	docker_agent_jmx_amd64	1002.890 MiB
✅	docker_agent_jmx_arm64	991.943 MiB
✅	docker_cluster_agent_amd64	209.763 MiB
✅	docker_cluster_agent_arm64	222.896 MiB
✅	docker_cws_instrumentation_amd64	7.447 MiB
✅	docker_cws_instrumentation_arm64	6.877 MiB
✅	docker_dogstatsd_amd64	39.853 MiB
✅	docker_dogstatsd_arm64	37.946 MiB
✅	docker_host_profiler_amd64	305.314 MiB
✅	docker_host_profiler_arm64	316.381 MiB
✅	dogstatsd_deb_amd64	30.515 MiB
✅	dogstatsd_deb_arm64	28.511 MiB
✅	dogstatsd_rpm_amd64	30.515 MiB
✅	dogstatsd_suse_amd64	30.515 MiB
✅	iot_agent_deb_amd64	45.790 MiB
✅	iot_agent_deb_arm64	42.508 MiB
✅	iot_agent_deb_armhf	43.306 MiB
✅	iot_agent_rpm_amd64	45.790 MiB
✅	iot_agent_suse_amd64	45.789 MiB

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: eb234804-2099-41e7-aa86-905f37f7e8f5

Baseline: 8c948b5
Comparison: dd6bd83
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_idle_all_features	memory utilization	-0.27	[-0.31, -0.23]	1	Logs bounds checks dashboard
➖	quality_gate_idle	memory utilization	-0.28	[-0.33, -0.22]	1	Logs bounds checks dashboard
➖	quality_gate_metrics_logs	memory utilization	-0.90	[-1.15, -0.65]	1	Logs bounds checks dashboard
➖	quality_gate_logs	% cpu utilization	-1.82	[-2.84, -0.80]	1	Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	quality_gate_idle	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	144.63MiB ≤ 147MiB	bounds checks dashboard
✅	quality_gate_idle	total_bytes_received	10/10	734.42KiB ≤ 819.20KiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	477.98MiB ≤ 495MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	total_bytes_received	10/10	1.12MiB ≤ 1.25MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	3 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	183.81MiB ≤ 195MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_logs	total_bytes_received	10/10	264.01MiB ≤ 292MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	354.94 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	406.85MiB ≤ 430MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	total_bytes_received	10/10	0.94GiB ≤ 1.04GiB	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

Replicate Execution Details

We run multiple replicates for each experiment/variant. However, we allow replicates to be automatically retried if there are any failures, up to 8 times, at which point the replicate is marked dead and we are unable to run analysis for the entire experiment. We call each of these attempts at running replicates a replicate execution. This section lists all replicate executions that failed due to the target crashing or being oom killed.

Note: In the below tables we bucket failures by experiment, variant, and failure type. For each of these buckets we list out the replicate indexes that failed with an annotation signifying how many times said replicate failed with the given failure mode. In the below example the baseline variant of the experiment named experiment_with_failures had two replicates that failed by oom kills. Replicate 0, which failed 8 executions, and replicate 1 which failed 6 executions, all with the same failure mode.

Experiment	Variant	Replicates	Failure	Logs	Debug Dashboard
experiment_with_failures	baseline	0 (x8) 1 (x6)	Oom killed		Debug Dashboard

The debug dashboard links will take you to a debugging dashboard specifically designed to investigate replicate execution failures.

❌ Retried Profiling Replicate Execution Failures (ddprof)

Note: Profiling replicas may still be executing. See the debug dashboard for up to date status.

Experiment	Variant	Replicates	Failure	Debug Dashboard
quality_gate_idle_all_features	baseline	10	Oom killed	Debug Dashboard
quality_gate_idle_all_features	comparison	10	Oom killed	Debug Dashboard
quality_gate_metrics_logs	baseline	10	Oom killed	Debug Dashboard
quality_gate_metrics_logs	comparison	10	Oom killed	Debug Dashboard

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.

[dd-prapprover]

This PR has been automatically approved by the DD PR Approver bot.

[dd-octo-sts]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-06-09 15:04:23 UTC ℹ️ Start processing command /merge

---

2026-06-09 15:04:31 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

---

2026-06-09 19:17:04 UTC ⚠️ MergeQueue: This merge request was unqueued

devflow unqueued this merge request: It did not become mergeable within the expected time

[dd-prapprover]

This PR has been automatically approved by the DD PR Approver bot.

[dd-octo-sts]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-06-09 16:16:27 UTC ℹ️ Start processing command /merge

---

2026-06-09 16:16:29 UTC ❌ MergeQueue

PR already in the queue with status waiting