Merge remote-tracking branch 'upstream/main'

.changelog/2909.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Add readOnlyRootFilesystem to the default restricted security context when runnning `consul-k8s` in a restricted namespaces.
+```

.changelog/3685.txt

@@ -0,0 +1,6 @@
+```release-note:bug
+helm: corrected datadog openmetrics and consul-checks consul server URLs set during automation to use full consul deployment release name
+```
+```release-note:bug
+helm: bug fix for `prometheus.io` annotation omission while using datadog integration with openmetrics/prometheus and consul integration checks
+```

.changelog/3767.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+gateways: api-gateway now uses the Consul file-system-certificate by default for TLS
+```

.changelog/3873.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ConfigEntries controller: Only error for config entries from different datacenters when the config entries are different
+```

.changelog/3918.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul when upgrading between versions.
+```

.changelog/3928.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+terminating-gateways: Remove unnecessary permissions from terminating gateways role
+```

.changelog/3935.txt

@@ -0,0 +1,5 @@
+```release-note:security
+Upgrade `helm/v3` to 3.14.4. This resolves the following security vulnerabilities:
+[CVE-2024-25620](https://osv.dev/vulnerability/CVE-2024-25620)
+[CVE-2024-26147](https://osv.dev/vulnerability/CVE-2024-26147)
+```

.changelog/3943.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+control-plane: Add the ability to register services via CRD.
+```

.changelog/3956.txt

@@ -0,0 +1,7 @@
+```release-note:bug
+control-plane: fix a panic when an upstream annotation is malformed.
+```
+
+```release-note:enhancement
+control-plane: support <space>, <comma> and <\n> as upstream separators.
+```

.changelog/3959.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+api-gateways: Change security settings to make root file system read only and to not allow privilage escalation.
+```

.changelog/3974.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Create Consul service with mode transparent-proxy even when a cluster IP is not assigned to the service..
+```

.changelog/3978.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect-inject: Fixed issue where on restart, if a managed-gateway-acl-role already existed the container would error
+```

.changelog/3980.txt

@@ -0,0 +1,5 @@
+```release-note:security
+Upgrade Go to use 1.21.10. This addresses CVEs 
+[CVE-2024-24787](https://nvd.nist.gov/vuln/detail/CVE-2024-24787) and
+[CVE-2024-24788](https://nvd.nist.gov/vuln/detail/CVE-2024-24788)
+```

.changelog/3989.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level.
+```

.changelog/3991.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+helm: adds ability to set the Image Pull Policy for all Consul images (consul, consul-k8s, consul-dataplane, consul-telemetry-collector)
+```

.changelog/3994.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+ upgrade go version to v1.22.3.
+```

.changelog/4003.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: fix bug where multiple logical APIGateways would share the same ACL policy.
+```

.changelog/4016.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+Bump Dockerfile base image for `consul-k8s-control-plane` to `alpine:3.19`.
+```

.changelog/4040.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ cni: package `consul-cni` as .deb and .rpm files
+ ```

.changelog/4053.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ partition-init: Role no longer includes unnecessary access to Secrets resource.
+ ```

.changelog/4059.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+endpoints-controller: graceful shutdown logic should not run on a new pod with the same name. Fixes a case where statefulset rollouts could get stuck in graceful shutdown when the new pods come up.
+```

.changelog/4060.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: fix issue where API Gateway specific acl roles/policy were not being cleaned up on deletion of an api-gateway
+```

.changelog/4085.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+upgrade go version to v1.22.4.
+```

.changelog/4091.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cni: fix incorrect release version due to unstable submodule pinning
+```

.changelog/3813.txt → .changelog/4152.txt

@@ -1,3 +1,7 @@
 ```release-note:improvement
 control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift.
 ```
+
+```release-note:bug
+connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar
+```

.changelog/4153.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+terminating-gateway: Fix generated acl policy for external services to include the namespace and partition block if they are enabled.
+```

.changelog/4154.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791)
+```

.changelog/4169.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade go-retryablehttp to v0.7.7 to address [GHSA-v6v8-xj6m-xwqh](https://github.com/advisories/GHSA-v6v8-xj6m-xwqh)
+```

.changelog/4184.txt

@@ -0,0 +1,4 @@
+```release-note:improvement
+* helm: Adds `webhookCertManager.resources` field which can be configured to override the `resource` settings for the `webhook-cert-manager` deployment.
+* helm: Adds `connectInject.apiGateway.managedGatewayClass.resourceJob.resources` field which can be configured to override the `resource` settings for the `gateway-resources-job` job.
+```

.changelog/4210.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job, would fail before if the image was in a private registry
+```

.changelog/4213.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD.
+```

.changelog/4224.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+terminating-gateways: Fix bug where namespace field was not correctly set on ACL policies if using the `Registration` CRD with the service's namespace unset.
+```

.changelog/4227.txt

@@ -0,0 +1,4 @@
+```release-note:bug
+openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior.
+This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical.
+```

.changelog/4228.txt

@@ -0,0 +1,6 @@
+```release-note:security
+Upgrade Docker cli to use v.27.1. This addresses CVE
+[CVE-2024-41110](https://nvd.nist.gov/vuln/detail/CVE-2024-41110)```
+
+```release-note:security
+Bump Go to 1.22.5 to address [CVE-2024-24791](https://nvd.nist.gov/vuln/detail/CVE-2024-24791)```

.changelog/4244.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Kubernetes v1.30 is now supported. Minimum tested version of Kubernetes is now v1.27.
+```

.changelog/4247.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified
+```

.changelog/4256.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+config-entry: add validate_clusters to mesh config entry
+```

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# Helm Docs Review
+
+/charts/consul/values.yaml @hashicorp/consul-docs

.github/scripts/check_skip_ci.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+set -euo pipefail
+
+# first argument is the list, second is the item to check
+function contains() {
+  list=($1)
+  for item in "${list[@]}"; do
+    if [ "$item" == "$2" ]; then
+      return 0
+    fi
+  done
+  return 1
+}
+
+# Get the list of changed files
+# Using `git merge-base` ensures that we're always comparing against the correct branch point.
+#For example, given the commits:
+#
+# A---B---C---D---W---X---Y---Z # origin/main
+#             \---E---F         # feature/branch
+#
+# ... `git merge-base origin/$SKIP_CHECK_BRANCH HEAD` would return commit `D`
+# `...HEAD` specifies from the common ancestor to the latest commit on the current branch (HEAD)..
+files_to_check=$(git diff --name-only "$(git merge-base origin/$SKIP_CHECK_BRANCH HEAD~)"...HEAD)
+
+# Define the directories to check
+skipped_directories=("assets" ".changelog/", "version")
+
+files_to_skip=("LICENSE" ".copywrite.hcl" ".gitignore")
+
+# Loop through the changed files and find directories/files outside the skipped ones
+files_to_check_array=($files_to_check)
+for file_to_check in "${files_to_check_array[@]}"; do
+  file_is_skipped=false
+  echo "checking file: $file_to_check"
+
+  # Allow changes to:
+  # - This script
+  # - Files in the skipped directories
+  # - Markdown files
+  for dir in "${skipped_directories[@]}"; do
+    if [[ "$file_to_check" == */check_skip_ci.sh ]] ||
+      [[ "$file_to_check" == "$dir"* ]] ||
+      [[ "$file_to_check" == *.md ]] ||
+      contains "${files_to_skip[*]}" "$file_to_check"; then
+      file_is_skipped=true
+      break
+    fi
+  done
+
+  if [ "$file_is_skipped" != "true" ]; then
+    echo -e "non-skippable file changed: $file_to_check"
+    SKIP_CI=false
+    echo "Changes detected in non-documentation files - will not skip tests and build"
+    echo "skip-ci=false" >>"$GITHUB_OUTPUT"
+    exit 0 ## if file is outside of the skipped_directory exit script
+  fi
+done
+
+echo "Changes detected in only documentation files - skipping tests and build"
+echo "skip-ci=true" >>"$GITHUB_OUTPUT"