Merge branch 'main' into david-yu-docs-maksim

.release/security-scan.hcl

@@ -13,19 +13,28 @@
 # See `security-scanner` docs or run with `--help` for scan target syntax.
 
 container {
-	dependencies = true
-	alpine_secdb = true
+  dependencies = true
+  alpine_secdb = true
 
-	secrets {
-		all = true
-	}
+  secrets {
+    all = true
+  }
 }
 
 binary {
-	go_modules   = true
-	osv          = true
+  go_modules   = true
+  osv          = true
 
-	secrets {
-		all = true
-	}
-}
+  secrets {
+    all = true
+  }
+
+  triage {
+    suppress {
+      vulnerabilites = [
+        # NET-8174 (2024-02-20): Chart YAML path traversal (not impacted)
+        "GHSA-v53g-5gjp-272r", # alias CVE-2024-25620
+      ]
+    }
+  }
+}

CHANGELOG.md

@@ -1,3 +1,126 @@
+## 1.3.3 (February 15, 2024)
+
+FEATURES:
+
+* helm: introduces `global.metrics.datadog` overrides to streamline consul-k8s datadog integration.
+helm: introduces `server.enableAgentDebug` to expose agent [`enable_debug`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#enable_debug) configuration.
+helm: introduces `global.metrics.disableAgentHostName` to expose agent [`telemetry.disable_hostname`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-disable_hostname) configuration.
+helm: introduces `global.metrics.enableHostMetrics` to expose agent [`telemetry.enable_host_metrics`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-enable_host_metrics) configuration.
+helm: introduces `global.metrics.prefixFilter` to expose agent [`telemetry.prefix_filter`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-prefix_filter) configuration.
+helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdAddr` to expose agent [`telemetry.dogstatsd_addr`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-dogstatsd_addr) configuration.
+helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdTags` to expose agent [`telemetry.dogstatsd_tags`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-dogstatsd_tags) configuration.
+helm: introduces required `ad.datadoghq.com/` annotations and `tags.datadoghq.com/` labels for integration with [Datadog Autodiscovery](https://docs.datadoghq.com/integrations/consul/?tab=containerized) and [Datadog Unified Service Tagging](https://docs.datadoghq.com/getting_started/tagging/unified_service_tagging/?tab=kubernetes#serverless-environment) for Consul.
+helm: introduces automated unix domain socket hostPath mounting for containerized integration with datadog within consul-server statefulset.
+helm: introduces `global.metrics.datadog.otlp` override options to allow OTLP metrics forwarding to Datadog Agent.
+control-plane: adds `server-acl-init` datadog agent token creation for datadog integration. [[GH-3407](https://github.com/hashicorp/consul-k8s/issues/3407)]
+
+IMPROVEMENTS:
+
+* Upgrade to use Go 1.21.7. [[GH-3591](https://github.com/hashicorp/consul-k8s/issues/3591)]
+* api-gateway: Apply `connectInject.initContainer.resources` to the init container for API gateway Pods. [[GH-3531](https://github.com/hashicorp/consul-k8s/issues/3531)]
+* cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [[GH-3498](https://github.com/hashicorp/consul-k8s/issues/3498)]
+* control-plane: Add `CaseInsensitive` flag to service-routers that allows paths and path prefixes to ignore URL upper and lower casing. [[GH-3502](https://github.com/hashicorp/consul-k8s/issues/3502)]
+* helm: Change `/bin/sh -ec "<command>"` to `/bin/sh -ec "exec <command>"` in helm deployments [[GH-3548](https://github.com/hashicorp/consul-k8s/issues/3548)]
+
+BUG FIXES:
+
+* api-gateway: fix issue where external annotations and labels are being incorrectly deleted on services controlled by the API Gateway [[GH-3597](https://github.com/hashicorp/consul-k8s/issues/3597)]
+* mesh-gw: update capabilities on the security context needed for the dataplane container.
+Adds NET_BIND_SERVICE to capabilities.add
+Adds ALL to capabilities.drop unless .Values.meshGateway.hostNetwork is true [[GH-3549](https://github.com/hashicorp/consul-k8s/issues/3549)]
+
+## 1.2.6 (February 15, 2024)
+
+FEATURES:
+
+* helm: introduces `global.metrics.datadog` overrides to streamline consul-k8s datadog integration.
+helm: introduces `server.enableAgentDebug` to expose agent [`enable_debug`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#enable_debug) configuration.
+helm: introduces `global.metrics.disableAgentHostName` to expose agent [`telemetry.disable_hostname`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-disable_hostname) configuration.
+helm: introduces `global.metrics.enableHostMetrics` to expose agent [`telemetry.enable_host_metrics`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-enable_host_metrics) configuration.
+helm: introduces `global.metrics.prefixFilter` to expose agent [`telemetry.prefix_filter`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-prefix_filter) configuration.
+helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdAddr` to expose agent [`telemetry.dogstatsd_addr`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-dogstatsd_addr) configuration.
+helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdTags` to expose agent [`telemetry.dogstatsd_tags`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-dogstatsd_tags) configuration.
+helm: introduces required `ad.datadoghq.com/` annotations and `tags.datadoghq.com/` labels for integration with [Datadog Autodiscovery](https://docs.datadoghq.com/integrations/consul/?tab=containerized) and [Datadog Unified Service Tagging](https://docs.datadoghq.com/getting_started/tagging/unified_service_tagging/?tab=kubernetes#serverless-environment) for Consul.
+helm: introduces automated unix domain socket hostPath mounting for containerized integration with datadog within consul-server statefulset.
+helm: introduces `global.metrics.datadog.otlp` override options to allow OTLP metrics forwarding to Datadog Agent.
+control-plane: adds `server-acl-init` datadog agent token creation for datadog integration. [[GH-3407](https://github.com/hashicorp/consul-k8s/issues/3407)]
+
+IMPROVEMENTS:
+
+* Upgrade to use Go 1.21.7. [[GH-3591](https://github.com/hashicorp/consul-k8s/issues/3591)]
+* api-gateway: Apply `connectInject.initContainer.resources` to the init container for API gateway Pods. [[GH-3531](https://github.com/hashicorp/consul-k8s/issues/3531)]
+* cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [[GH-3498](https://github.com/hashicorp/consul-k8s/issues/3498)]
+* control-plane: Changed the container ordering in connect-inject to insert consul-dataplane container first if lifecycle is enabled. Container ordering is unchanged if lifecycle is disabled. [[GH-2743](https://github.com/hashicorp/consul-k8s/issues/2743)]
+* helm: Change `/bin/sh -ec "<command>"` to `/bin/sh -ec "exec <command>"` in helm deployments [[GH-3548](https://github.com/hashicorp/consul-k8s/issues/3548)]
+
+BUG FIXES:
+
+* api-gateway: fix issue where external annotations and labels are being incorrectly deleted on services controlled by the API Gateway [[GH-3597](https://github.com/hashicorp/consul-k8s/issues/3597)]
+* mesh-gw: update capabilities on the security context needed for the dataplane container.
+Adds NET_BIND_SERVICE to capabilities.add
+Adds ALL to capabilities.drop unless .Values.meshGateway.hostNetwork is true [[GH-3549](https://github.com/hashicorp/consul-k8s/issues/3549)]
+
+## 1.1.10 (February 15, 2024)
+
+IMPROVEMENTS:
+
+* Upgrade to use Go 1.21.7. [[GH-3591](https://github.com/hashicorp/consul-k8s/issues/3591)]
+* cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [[GH-3498](https://github.com/hashicorp/consul-k8s/issues/3498)]
+* helm: Change `/bin/sh -ec "<command>"` to `/bin/sh -ec "exec <command>"` in helm deployments [[GH-3548](https://github.com/hashicorp/consul-k8s/issues/3548)]
+
+BUG FIXES:
+
+* mesh-gw: update capabilities on the security context needed for the dataplane container.
+Adds NET_BIND_SERVICE to capabilities.add
+Adds ALL to capabilities.drop unless .Values.meshGateway.hostNetwork is true [[GH-3549](https://github.com/hashicorp/consul-k8s/issues/3549)]
+
+## 1.3.2 (Jan 25, 2024)
+
+SECURITY:
+
+* Update `golang.org/x/crypto` to v0.17.0 to address [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795). [[GH-3442](https://github.com/hashicorp/consul-k8s/issues/3442)]
+* Upgrade OpenShift container images to use `ubi-minimal:9.3` as the base image. [[GH-3418](https://github.com/hashicorp/consul-k8s/issues/3418)]
+
+IMPROVEMENTS:
+
+* Upgrade to use Go 1.21.6. [[GH-3478](https://github.com/hashicorp/consul-k8s/issues/3478)]
+* control-plane: Add new `consul.hashicorp.com/sidecar-proxy-startup-failure-seconds` and `consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds` annotations that allow users to manually configure startup and liveness probes for Envoy sidecar proxies. [[GH-3450](https://github.com/hashicorp/consul-k8s/issues/3450)]
+* control-plane: reduce Consul Catalog API requests required for endpoints reconcile in large clusters [[GH-3322](https://github.com/hashicorp/consul-k8s/issues/3322)]
+
+BUG FIXES:
+
+* api-gateway: fix issue where deleting an http-route in a non-default namespace would not remove the route from Consul. [[GH-3440](https://github.com/hashicorp/consul-k8s/issues/3440)]
+
+## 1.2.5 (Jan 25, 2024)
+
+SECURITY:
+
+* Update `golang.org/x/crypto` to v0.17.0 to address [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795). [[GH-3442](https://github.com/hashicorp/consul-k8s/issues/3442)]
+* Upgrade to use `ubi-minimal:9.3` for OpenShift container images. [[GH-3418](https://github.com/hashicorp/consul-k8s/issues/3418)]
+
+IMPROVEMENTS:
+
+* Upgrade to use Go 1.21.6. [[GH-3478](https://github.com/hashicorp/consul-k8s/issues/3478)]
+* control-plane: Add new `consul.hashicorp.com/sidecar-proxy-startup-failure-seconds` and `consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds` annotations that allow users to manually configure startup and liveness probes for Envoy sidecar proxies. [[GH-3450](https://github.com/hashicorp/consul-k8s/issues/3450)]
+* control-plane: reduce Consul Catalog API requests required for endpoints reconcile in large clusters [[GH-3322](https://github.com/hashicorp/consul-k8s/issues/3322)]
+
+BUG FIXES:
+
+* api-gateway: fix issue where deleting an http-route in a non-default namespace would not remove the route from Consul. [[GH-3440](https://github.com/hashicorp/consul-k8s/issues/3440)]
+
+## 1.1.9 (Jan 25, 2024)
+
+SECURITY:
+
+* Update `golang.org/x/crypto` to v0.17.0 to address [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795). [[GH-3442](https://github.com/hashicorp/consul-k8s/issues/3442)]
+* Upgrade to use `ubi-minimal:9.3` for OpenShift container images. [[GH-3418](https://github.com/hashicorp/consul-k8s/issues/3418)]
+
+IMPROVEMENTS:
+
+* Upgrade to use Go 1.21.6. [[GH-3478](https://github.com/hashicorp/consul-k8s/issues/3478)]
+* control-plane: Add new `consul.hashicorp.com/sidecar-proxy-startup-failure-seconds` and `consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds` annotations that allow users to manually configure startup and liveness probes for Envoy sidecar proxies. [[GH-3450](https://github.com/hashicorp/consul-k8s/issues/3450)]
+* control-plane: reduce Consul Catalog API requests required for endpoints reconcile in large clusters [[GH-3322](https://github.com/hashicorp/consul-k8s/issues/3322)]
+
 ## 1.3.1 (December 19, 2023)
 
 SECURITY:

charts/consul/templates/crd-apigateways.yaml

@@ -293,9 +293,6 @@ spec:
                     format: date-time
                     type: string
                 type: object
-            required:
-            - addresses
-            - listeners
             type: object
         type: object
     served: true

control-plane/api/mesh/v2beta1/api_gateway_types.go

@@ -25,7 +25,7 @@ const (
 )
 
 func init() {
-	MeshSchemeBuilder.Register(&GatewayClass{}, &GatewayClassList{}, &APIGateway{}, &APIGatewayList{})
+	MeshSchemeBuilder.Register(&APIGateway{}, &APIGatewayList{})
 }
 
 // +kubebuilder:object:root=true
@@ -46,22 +46,8 @@ type APIGateway struct {
 
 type APIGatewayStatus struct {
 	Status    `json:"status,omitempty"`
-	Addresses []GatewayAddress `json:"addresses"`
-	Listeners []ListenerStatus `json:"listeners"`
-}
-
-func (in *APIGatewayList) ReconcileRequests() []reconcile.Request {
-	requests := make([]reconcile.Request, 0, len(in.Items))
-
-	for _, item := range in.Items {
-		requests = append(requests, reconcile.Request{
-			NamespacedName: types.NamespacedName{
-				Name:      item.Name,
-				Namespace: item.Namespace,
-			},
-		})
-	}
-	return requests
+	Addresses []GatewayAddress `json:"addresses,omitempty"`
+	Listeners []ListenerStatus `json:"listeners,omitempty"`
 }
 
 type ListenerStatus struct {
@@ -85,6 +71,20 @@ type APIGatewayList struct {
 	Items           []*APIGateway `json:"items"`
 }
 
+func (in *APIGatewayList) ReconcileRequests() []reconcile.Request {
+	requests := make([]reconcile.Request, 0, len(in.Items))
+
+	for _, item := range in.Items {
+		requests = append(requests, reconcile.Request{
+			NamespacedName: types.NamespacedName{
+				Name:      item.Name,
+				Namespace: item.Namespace,
+			},
+		})
+	}
+	return requests
+}
+
 func (in *APIGateway) ResourceID(namespace, partition string) *pbresource.ID {
 	return &pbresource.ID{
 		Name: in.Name,

control-plane/config/crd/bases/mesh.consul.hashicorp.com_apigateways.yaml

@@ -289,9 +289,6 @@ spec:
                     format: date-time
                     type: string
                 type: object
-            required:
-            - addresses
-            - listeners
             type: object
         type: object
     served: true

control-plane/controllers/resources/api-gateway-controller.go

@@ -14,14 +14,16 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	meshv2beta1 "github.com/hashicorp/consul-k8s/control-plane/api/mesh/v2beta1"
+	"github.com/hashicorp/consul-k8s/control-plane/gateways"
 )
 
 // APIGatewayController reconciles a APIGateway object.
 type APIGatewayController struct {
 	client.Client
-	Log        logr.Logger
-	Scheme     *runtime.Scheme
-	Controller *ConsulResourceController
+	Log           logr.Logger
+	Scheme        *runtime.Scheme
+	Controller    *ConsulResourceController
+	GatewayConfig gateways.GatewayConfig
 }
 
 // +kubebuilder:rbac:groups=mesh.consul.hashicorp.com,resources=tcproute,verbs=get;list;watch;create;update;patch;delete
@@ -40,14 +42,29 @@ func (r *APIGatewayController) Reconcile(ctx context.Context, req ctrl.Request)
 	}
 
 	// Call hooks
-	if !resource.DeletionTimestamp.IsZero() {
+	if !resource.GetDeletionTimestamp().IsZero() {
 		logger.Info("deletion event")
 
-		if err := r.onDelete(ctx, req, resource); err != nil {
+		if err := onDelete(ctx, req, r.Client, resource); err != nil {
 			return ctrl.Result{}, err
 		}
 	} else {
-		if err := r.onCreateUpdate(ctx, req, resource); err != nil {
+		// Fetch GatewayClassConfig for the gateway
+		if resource.Namespace == "" {
+			resource.Namespace = "default"
+		}
+
+		gcc, err := getGatewayClassConfigByGatewayClassName(ctx, r.Client, resource.Spec.GatewayClassName)
+		if err != nil {
+			r.Log.Error(err, "unable to get gatewayclassconfig for gateway: %s gatewayclass: %s", resource.Name, resource.Spec.GatewayClassName)
+			return ctrl.Result{}, err
+		}
+
+		if err := onCreateUpdate(ctx, r.Client, gatewayConfigs{
+			gcc:           gcc,
+			gatewayConfig: r.GatewayConfig,
+		}, resource, gateways.APIGatewayAnnotationKind); err != nil {
+			logger.Error(err, "unable to create/update gateway")
 			return ctrl.Result{}, err
 		}
 	}
@@ -66,13 +83,3 @@ func (r *APIGatewayController) UpdateStatus(ctx context.Context, obj client.Obje
 func (r *APIGatewayController) SetupWithManager(mgr ctrl.Manager) error {
 	return setupGatewayControllerWithManager[*meshv2beta1.APIGatewayList](mgr, &meshv2beta1.APIGateway{}, r.Client, r, APIGateway_GatewayClassIndex)
 }
-
-func (r *APIGatewayController) onCreateUpdate(ctx context.Context, req ctrl.Request, resource *meshv2beta1.APIGateway) error {
-	// TODO: NET-7449, NET-7450, and NET-7451
-	return nil
-}
-
-func (r *APIGatewayController) onDelete(ctx context.Context, req ctrl.Request, resource *meshv2beta1.APIGateway) error {
-	// TODO: NET-7449, NET-7450, and NET-7451
-	return nil
-}

control-plane/controllers/resources/api-gateway-controller_test.go

@@ -18,6 +18,9 @@ import (
 	"google.golang.org/protobuf/testing/protocmp"
 
 	logrtest "github.com/go-logr/logr/testr"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -31,10 +34,19 @@ func TestAPIGatewayController_ReconcileResourceExists(t *testing.T) {
 	ctx := context.Background()
 
 	s := runtime.NewScheme()
-	s.AddKnownTypes(schema.GroupVersion{
-		Group:   "mesh.consul.hashicorp.com",
-		Version: pbmesh.Version,
-	}, &v2beta1.APIGateway{}, &v2beta1.APIGatewayList{})
+	require.NoError(t, corev1.AddToScheme(s))
+	require.NoError(t, appsv1.AddToScheme(s))
+	require.NoError(t, rbacv1.AddToScheme(s))
+	require.NoError(t, v2beta1.AddMeshToScheme(s))
+	s.AddKnownTypes(
+		schema.GroupVersion{
+			Group:   "mesh.consul.hashicorp.com",
+			Version: pbmesh.Version,
+		},
+		&v2beta1.APIGateway{},
+		&v2beta1.GatewayClass{},
+		&v2beta1.GatewayClassConfig{},
+	)
 
 	apiGW := &v2beta1.APIGateway{
 		ObjectMeta: metav1.ObjectMeta{

control-plane/controllers/resources/gateway_controller_crud.go

@@ -1,3 +1,6 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
 package resources
 
 import (
@@ -31,8 +34,8 @@ type gatewayConfigs struct {
 //  3. Service
 //  4. Role
 //  5. RoleBinding
-func onCreateUpdate[T gateways.Gateway](ctx context.Context, k8sClient client.Client, cfg gatewayConfigs, resource T) error {
-	builder := gateways.NewGatewayBuilder[T](resource, cfg.gatewayConfig, cfg.gcc)
+func onCreateUpdate[T gateways.Gateway](ctx context.Context, k8sClient client.Client, cfg gatewayConfigs, resource T, gatewayKind string) error {
+	builder := gateways.NewGatewayBuilder[T](resource, cfg.gatewayConfig, cfg.gcc, gatewayKind)
 
 	// Create ServiceAccount
 	desiredAccount := builder.ServiceAccount()

control-plane/controllers/resources/mesh_gateway_controller.go

@@ -64,7 +64,7 @@ func (r *MeshGatewayController) Reconcile(ctx context.Context, req ctrl.Request)
 		if err := onCreateUpdate(ctx, r.Client, gatewayConfigs{
 			gcc:           gcc,
 			gatewayConfig: r.GatewayConfig,
-		}, resource); err != nil {
+		}, resource, gateways.MeshGatewayAnnotationKind); err != nil {
 			return ctrl.Result{}, err
 		}
 	}

control-plane/gateways/builder.go

@@ -20,17 +20,19 @@ type Gateway interface {
 // This includes Deployment, Role, Service, and ServiceAccount resources.
 // Configuration is combined from the MeshGateway, GatewayConfig, and GatewayClassConfig.
 type gatewayBuilder[T Gateway] struct {
-	gateway T
-	gcc     *meshv2beta1.GatewayClassConfig
-	config  GatewayConfig
+	gateway     T
+	gcc         *meshv2beta1.GatewayClassConfig
+	config      GatewayConfig
+	gatewayKind string
 }
 
 // NewGatewayBuilder returns a new meshGatewayBuilder for the given MeshGateway,
 // GatewayConfig, and GatewayClassConfig.
-func NewGatewayBuilder[T Gateway](gateway T, gatewayConfig GatewayConfig, gatewayClassConfig *meshv2beta1.GatewayClassConfig) *gatewayBuilder[T] {
+func NewGatewayBuilder[T Gateway](gateway T, gatewayConfig GatewayConfig, gatewayClassConfig *meshv2beta1.GatewayClassConfig, gatewayKind string) *gatewayBuilder[T] {
 	return &gatewayBuilder[T]{
-		gateway: gateway,
-		config:  gatewayConfig,
-		gcc:     gatewayClassConfig,
+		gateway:     gateway,
+		config:      gatewayConfig,
+		gcc:         gatewayClassConfig,
+		gatewayKind: gatewayKind,
 	}
 }