Commit

Merge branch 'main' into main
kolorful authored Oct 25, 2024
2 parents 3054c9a + c5f07e8 commit 3b8fcb0
Showing 49 changed files with 3,309 additions and 353 deletions.
3 changes: 3 additions & 0 deletions .changelog/3874.txt
@@ -0,0 +1,3 @@
```release-note:sync-catalog
Add Endpoint health state to registered consul service
```
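Review bot: the wording of this entry is off for a user-facing changelog: "Add Endpoint health state to registered consul service" should read "Add endpoint health state to registered Consul services" (lower-case "endpoint", "Consul" as the product name, plural "services"). It would also help readers to say where that state surfaces in Consul so operators know what to look for after upgrading.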
5 changes: 5 additions & 0 deletions .changelog/4316.txt
@@ -0,0 +1,5 @@
```release-note:bug
api-gateway: `global.imagePullSecrets` are now configured on the `ServiceAccount` for `Gateways`.

Note: the referenced image pull Secret(s) must be present in the same namespace the `Gateway` is deployed to.
```
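Review bot: good that the namespace constraint is spelled out; it is worth adding the reason in the same sentence, namely that `imagePullSecrets` on a `ServiceAccount` are references by name resolved in the ServiceAccount's own namespace, not copies, so a Secret living elsewhere is silently unusable by the `Gateway` pods.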
3 changes: 3 additions & 0 deletions .changelog/4378.txt
@@ -0,0 +1,3 @@
```release-note:enhancement
catalog-sync: Added field to helm chart to purge all services registered with catalog-sync from consul on disabling of catalog-sync.
```
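Review bot: the entry names neither the new Helm value nor its default. Because this purges every catalog-sync-registered service from Consul when sync is disabled, operators need the value path and confirmation that it is off unless set; suggest "catalog-sync: add `<new value path>` (default `false`) to purge all services registered by catalog-sync from Consul when catalog-sync is disabled", with the real key filled in.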
6 changes: 6 additions & 0 deletions .changelog/4385.txt
@@ -0,0 +1,6 @@
```release-note:security
crd: Add `http.incoming.requestNormalization` to the Mesh CRD to support configuring service traffic request normalization.
```
```release-note:security
crd: Add `contains` and `ignoreCase` to the Intentions CRD to support configuring L7 Header intentions resilient to variable casing and multiple header values.
```
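Review bot: both entries describe security-relevant knobs but not their defaults. Per the Mesh CRD schema in this same commit, `mergeSlashes` defaults to `false`, `headersWithUnderscoresAction` to the `ALLOW` equivalent and `pathWithEscapedSlashesAction` to `IMPLEMENTATION_SPECIFIC_DEFAULT`, so apart from RFC 3986 path normalization (on unless `insecureDisablePathNormalization` is set) nothing changes for existing clusters. A `release-note:security` entry should say that these must be opted into for L7 path intentions to be robust; otherwise readers will assume the upgrade alone hardens them.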
23 changes: 23 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,26 @@
## 1.6.0 (October 16, 2024)

> NOTE: Consul K8s 1.6.x is compatible with Consul 1.20.x and Consul Dataplane 1.6.x. Refer to our [compatibility matrix](https://developer.hashicorp.com/consul/docs/k8s/compatibility) for more info.

SECURITY:

* Upgrade Go to use 1.22.7. This addresses CVE
[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-4313](https://github.com/hashicorp/consul-k8s/issues/4313)]

IMPROVEMENTS:

* dns-proxy: add the ability to deploy a DNS proxy within the kubernetes cluster that forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests. [[GH-4300](https://github.com/hashicorp/consul-k8s/issues/4300)]
* sync-catalog: expose prometheus scrape metrics on sync-catalog pods [[GH-4212](https://github.com/hashicorp/consul-k8s/issues/4212)]
* connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [[GH-4307](https://github.com/hashicorp/consul-k8s/issues/4307)]
* helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [[GH-4333](https://github.com/hashicorp/consul-k8s/issues/4333)]

BUG FIXES:

* control-plane: add missing `$HOST_IP` environment variable to consul-dataplane sidecar containers [[GH-4277](https://github.com/hashicorp/consul-k8s/issues/4277)]
* helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [[GH-3989](https://github.com/hashicorp/consul-k8s/issues/3989)]
* sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [[GH-4255](https://github.com/hashicorp/consul-k8s/issues/4255)]

## 1.5.3 (August 30, 2024)

SECURITY:
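Review bot: the SECURITY entry reads "This addresses CVE [CVE-2024-34155]", duplicating "CVE"; drop the bare word. Two wording points in IMPROVEMENTS: the dns-proxy entry is one run-on sentence ("...forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests") and should be split in two, and the helm entry writes the value as "connect-inject: default: true" where the chart key path is `connectInject.default: true` (the templates in this commit use `.Values.connectInject...`). "Consul" and "Kubernetes" should also be capitalized consistently across the entries.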
2 changes: 1 addition & 1 deletion acceptance/go.mod
Expand Up @@ -9,7 +9,7 @@ require (
github.com/google/uuid v1.3.0
github.com/gruntwork-io/terratest v0.46.7
github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240821160356-557f7c37e108
github.com/hashicorp/consul/api v1.29.4
github.com/hashicorp/consul/api v1.30.0
github.com/hashicorp/consul/sdk v0.16.1
github.com/hashicorp/go-multierror v1.1.1
github.com/hashicorp/go-uuid v1.0.3
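Review bot: the consul/api bump to v1.30.0 is matched by the go.sum hunk below, but `github.com/hashicorp/consul-k8s/control-plane` stays pinned at the 2024-08-21 pseudo-version. If the acceptance tests in this merge exercise the new CRD fields (`contains`, `ignoreCase`, `http.incoming.requestNormalization`), that pseudo-version needs refreshing too; otherwise the commit message should say the API bump is only for client types.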
4 changes: 2 additions & 2 deletions acceptance/go.sum
Expand Up @@ -186,8 +186,8 @@ github.com/gruntwork-io/terratest v0.46.7 h1:oqGPBBO87SEsvBYaA0R5xOq+Lm2Xc5dmFVf
github.com/gruntwork-io/terratest v0.46.7/go.mod h1:6gI5MlLeyF+SLwqocA5GBzcTix+XiuxCy1BPwKuT+WM=
github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240821160356-557f7c37e108 h1:5jSMtMGeY//hvkAefiomxP1Jqb5MtnKgsnlsZpEwiJE=
github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240821160356-557f7c37e108/go.mod h1:SY22WR9TJmlcK18Et2MAqy+kqAFJzbWFElN89vMTSiM=
github.com/hashicorp/consul/api v1.29.4 h1:P6slzxDLBOxUSj3fWo2o65VuKtbtOXFi7TSSgtXutuE=
github.com/hashicorp/consul/api v1.29.4/go.mod h1:HUlfw+l2Zy68ceJavv2zAyArl2fqhGWnMycyt56sBgg=
github.com/hashicorp/consul/api v1.30.0 h1:ArHVMMILb1nQv8vZSGIwwQd2gtc+oSQZ6CalyiyH2XQ=
github.com/hashicorp/consul/api v1.30.0/go.mod h1:B2uGchvaXVW2JhFoS8nqTxMD5PBykr4ebY4JWHTTeLM=
github.com/hashicorp/consul/proto-public v0.6.2 h1:+DA/3g/IiKlJZb88NBn0ZgXrxJp2NlvCZdEyl+qxvL0=
github.com/hashicorp/consul/proto-public v0.6.2/go.mod h1:cXXbOg74KBNGajC+o8RlA502Esf0R9prcoJgiOX/2Tg=
github.com/hashicorp/consul/sdk v0.16.1 h1:V8TxTnImoPD5cj0U9Spl0TUxcytjcbbJeADFF07KdHg=
10 changes: 5 additions & 5 deletions charts/consul/Chart.yaml
Expand Up @@ -3,8 +3,8 @@

apiVersion: v2
name: consul
version: 1.6.0-dev
appVersion: 1.20-dev
version: 1.7.0-dev
appVersion: 1.21-dev
kubeVersion: ">=1.22.0-0"
description: Official HashiCorp Consul Chart
home: https://www.consul.io
Expand All @@ -16,11 +16,11 @@ annotations:
artifacthub.io/prerelease: true
artifacthub.io/images: |
- name: consul
image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.20-dev
image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.21-dev
- name: consul-k8s-control-plane
image: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.6-dev
image: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.7-dev
- name: consul-dataplane
image: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.6-dev
image: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.7-dev
- name: envoy
image: envoyproxy/envoy:v1.25.11
artifacthub.io/license: MPL-2.0
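Review bot: every image and version moves from the 1.6/1.20 line to 1.7/1.21 except `envoyproxy/envoy:v1.25.11`, which is left as-is; confirm that is intended for the 1.21-dev appVersion rather than missed in the merge. Note also that the CHANGELOG section added in this commit documents 1.6.x as the line compatible with Consul 1.20.x, so the compatibility matrix it links will need a 1.7 row before this ships.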
18 changes: 18 additions & 0 deletions charts/consul/templates/connect-inject-configmap.yaml
@@ -0,0 +1,18 @@
{{- if .Values.connectInject.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "consul.fullname" . }}-connect-inject-config
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
data:
config.json: |
{
"image_pull_secrets": {{ .Values.global.imagePullSecrets | toJson }}
}
{{- end }}
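Review bot: when `global.imagePullSecrets` is unset, `{{ .Values.global.imagePullSecrets | toJson }}` renders `null`, not `[]`, so the file becomes `{"image_pull_secrets": null}`; make sure the `inject-connect` reader treats a JSON null as an empty list rather than failing at startup or silently ignoring the field. Rendering `{{ default (list) .Values.global.imagePullSecrets | toJson }}` keeps `config.json` well-typed in both cases.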
7 changes: 7 additions & 0 deletions charts/consul/templates/connect-inject-deployment.yaml
Expand Up @@ -141,6 +141,7 @@ spec:
- "-ec"
- |
exec consul-k8s-control-plane inject-connect \
-config-file=/consul/config/config.json \
{{- if .Values.global.federation.enabled }}
-enable-federation \
{{- end }}
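Review bot: `-config-file=/consul/config/config.json` is passed unconditionally while the ConfigMap is gated on `.Values.connectInject.enabled`; that is consistent as long as this Deployment sits under the same gate, which is worth confirming. Also confirm that `inject-connect` fails fast with a clear error when the file is missing or unparsable, rather than starting with no pull secrets configured.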
Expand Down Expand Up @@ -311,6 +312,9 @@ spec:
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- name: config
mountPath: /consul/config
readOnly: true
{{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
- name: certs
mountPath: /etc/connect-injector/certs
Expand All @@ -326,6 +330,9 @@ spec:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ template "consul.fullname" . }}-connect-inject-config
{{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
- name: certs
secret:
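Review bot: the ConfigMap is mounted as a volume, but the process reads `-config-file` once at startup, so a later change to `global.imagePullSecrets` updates the ConfigMap without restarting the injector. Add a checksum annotation on the pod template, for example `{{ include (print $.Template.BasePath "/connect-inject-configmap.yaml") . | sha256sum }}` under an annotation key of the chart's choosing, so a values change rolls the Deployment.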
49 changes: 47 additions & 2 deletions charts/consul/templates/crd-meshes.yaml
Expand Up @@ -66,10 +66,55 @@ spec:
http:
description: HTTP defines the HTTP configuration for the service mesh.
properties:
incoming:
description: Incoming configures settings for incoming HTTP traffic
to mesh proxies.
properties:
requestNormalization:
description: |-
RequestNormalizationMeshConfig contains options pertaining to the
normalization of HTTP requests processed by mesh proxies.
properties:
headersWithUnderscoresAction:
description: |-
HeadersWithUnderscoresAction sets the value of the \`headers_with_underscores_action\` option in the Envoy
listener's \`HttpConnectionManager\` under \`common_http_protocol_options\`. The default value of this option is
empty, which is equivalent to \`ALLOW\`. Refer to the Envoy documentation for more information on available
options.
type: string
insecureDisablePathNormalization:
description: |-
InsecureDisablePathNormalization sets the value of the \`normalize_path\` option in the Envoy listener's
`HttpConnectionManager`. The default value is \`false\`. When set to \`true\` in Consul, \`normalize_path\` is
set to \`false\` for the Envoy proxy. This parameter disables the normalization of request URL paths according to
RFC 3986, conversion of \`\\\` to \`/\`, and decoding non-reserved %-encoded characters. When using L7 intentions
with path match rules, we recommend enabling path normalization in order to avoid match rule circumvention with
non-normalized path values.
type: boolean
mergeSlashes:
description: |-
MergeSlashes sets the value of the \`merge_slashes\` option in the Envoy listener's \`HttpConnectionManager\`.
The default value is \`false\`. This option controls the normalization of request URL paths by merging
consecutive \`/\` characters. This normalization is not part of RFC 3986. When using L7 intentions with path
match rules, we recommend enabling this setting to avoid match rule circumvention through non-normalized path
values, unless legitimate service traffic depends on allowing for repeat \`/\` characters, or upstream services
are configured to differentiate between single and multiple slashes.
type: boolean
pathWithEscapedSlashesAction:
description: |-
PathWithEscapedSlashesAction sets the value of the \`path_with_escaped_slashes_action\` option in the Envoy
listener's \`HttpConnectionManager\`. The default value of this option is empty, which is equivalent to
\`IMPLEMENTATION_SPECIFIC_DEFAULT\`. This parameter controls the action taken in response to request URL paths
with escaped slashes in the path. When using L7 intentions with path match rules, we recommend enabling this
setting to avoid match rule circumvention through non-normalized path values, unless legitimate service traffic
depends on allowing for escaped \`/\` or \`\\\` characters, or upstream services are configured to differentiate
between escaped and unescaped slashes. Refer to the Envoy documentation for more information on available
options.
type: string
type: object
type: object
sanitizeXForwardedClientCert:
type: boolean
required:
- sanitizeXForwardedClientCert
type: object
peering:
description: Peering defines the peering configuration for the service
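Review bot: two points on the new `requestNormalization` schema. First, `headersWithUnderscoresAction` and `pathWithEscapedSlashesAction` are plain `type: string` with no `enum`, so a misspelled action is accepted by the API server and only surfaces later (or falls back to Envoy's permissive default); since the descriptions already point at a fixed set of Envoy options, an `enum:` list (e.g. `ALLOW`, `REJECT_REQUEST`, `DROP_HEADER` for the former) would reject it at admission. Second, backtick escaping is inconsistent: the `insecureDisablePathNormalization` description escapes them as \` on one line and has a bare `HttpConnectionManager` on the next; this YAML is generated from the Go type's doc comments (the text even names `RequestNormalizationMeshConfig`), so fix the comment and regenerate rather than hand-editing here.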
9 changes: 9 additions & 0 deletions charts/consul/templates/crd-serviceintentions.yaml
Expand Up @@ -168,10 +168,19 @@ spec:
If more than one is configured all must match for the overall match to apply.
items:
properties:
contains:
description: Contains matches if the header
with the given name contains this value.
type: string
exact:
description: Exact matches if the header with
the given name is this value.
type: string
ignoreCase:
description: IgnoreCase ignores the case of
the header value when matching with exact,
prefix, suffix, or contains.
type: boolean
invert:
description: Invert inverts the logic of the
match.
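Review bot: the `ignoreCase` description lists exact, prefix, suffix and contains; if the header matcher also supports a regex form (not visible in this hunk), state explicitly that `ignoreCase` does not apply to it, or users will expect case-insensitive regexes. The changelog in this commit motivates `contains` with "multiple header values", yet neither description says how a header that appears more than once is matched (each value separately, or the joined value); since these fields gate L7 intentions, that semantics belongs in the description so policy authors can reason about bypasses. Lastly, nothing in the schema enforces that only one of exact/prefix/suffix/contains is set; if the webhook validates that, fine, but a CEL `x-kubernetes-validations` rule would catch it at admission as well.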

0 comments on commit 3b8fcb0