connect: enable setting connect upstream destination namespace

Update service.check.task definition to match code

build: update golang version to 1.18.2

This PR update to Go 1.18.2. Also update the versions of hclfmt
and go-hclogfmt which includes newer dependencies necessary for dealing
with go1.18.

The hcl v2 branch is now 'nomad-v2.9.1+tweaks2', to include a fix for
newer macOS versions: https://github.com/hashicorp/hcl/commit/8927e75e82c19370aabaf06b7dca91c2c9e73e3c

Merge release 1.3.1 branch

tests: minor fixes for some docker tests

ci: switch to 22.04 for GHA Core CI tests

core: fix blocked eval math

Fix numerous go-getter security issues:

- Add timeouts to http, git, and hg operations to prevent DoS
- Add size limit to http to prevent resource exhaustion
- Disable following symlinks in both artifacts and `job run`
- Stop performing initial HEAD request to avoid file corruption on
  retries and DoS opportunities.

**Approach**

Since Nomad has no ability to differentiate a DoS-via-large-artifact vs
a legitimate workload, all of the new limits are configurable at the
client agent level.

The max size of HTTP downloads is also exposed as a node attribute so
that if some workloads have large artifacts they can specify a high
limit in their jobspecs.

In the future all of this plumbing could be extended to enable/disable
specific getters or artifact downloading entirely on a per-node basis.

In the original test, the eval generator would use a random value for
the job ID, resulting in an unxercised code path for duplicate blocked
evals.

drivers/docker: do not set cgroup parent in v1 mode

This PR fixes a bug where the CgroupParent on the docker
HostConfig struct was accidently being set when running in
cgroups v1 mode.

The description of `mount_flags` provides incorrect example
of the accepted value format.

This fixes the issue by changing the example from a string
`ro,noatime` to a slice of strings `["ro", "noatime"]`.

The nightly playwright tests are currently failing because of a
mismatch between the expected version of Chromium and what's in the
container image. Unfortunately the previous specific tag we were using
for the container image is no longer tagged on the registry. With some
testing, I was able to find an image tag that results in a good run.

Nomad errors out when attempting to specify a task for a service that uses consul connect but does not have script or gRPC checks. See https://github.com/hashicorp/nomad/blob/304d0cf5958065d14ab8b704055b1bb11d915876/nomad/structs/structs.go#L6643 for details.

There's no reason to buffer json logs on agent startup
since logs in this format already aren't reordered.

cli: correctly validate job with vault token set

[CI-only] Use the postinstall script for linux packages

This PR fixes `job validate` to respect '-vault-token', '$VAULT_TOKEN',
'-vault-namespace' if set.

It appears that the postinstall script was created but never used.
This change is to actually use the post-install script.