NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext #2787
Merged
nathancoleman added the pr/no-backport label (signals that a PR will not contain a backport) on Aug 17, 2023
nathancoleman changed the title from "Add NET_BIND_SERVICE capability to Consul's restricted securityContext" to "NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext" on Aug 17, 2023
david-yu approved these changes on Aug 17, 2023:
This sounds like the best solution to allow privileged ports for now. Should work with both GKE Autopilot and OpenShift.
nathancoleman force-pushed the net-bind-service branch from cf95d32 to 2d13dbf on August 21, 2023 17:25
nathancoleman added the backport/1.0.x, backport/1.1.x (Backport to release/1.1.x branch) and backport/1.2.x (This release branch is no longer active.) labels and removed the pr/no-backport label (signals that a PR will not contain a backport) on Aug 21, 2023
nathancoleman commented on Aug 21, 2023
nathancoleman requested review from picatz, zalimeni and wilkermichael and removed the review request for DanStough on August 21, 2023 18:07
nathancoleman commented on Aug 22, 2023
curtbushko approved these changes on Aug 23, 2023:
Thanks Nathan!
nathancoleman added a commit that referenced this pull request on Aug 25, 2023: …ityContext (#2787) * Add NET_BIND_SERVICE capability to Consul's restricted securityContext * Add changelog entry * Update related bats tests * Change type of release note
nathancoleman added a commit that referenced this pull request on Aug 25, 2023: …ityContext (#2787) * Add NET_BIND_SERVICE capability to Consul's restricted securityContext * Add changelog entry * Update related bats tests * Change type of release note
nathancoleman added a commit that referenced this pull request on Aug 25, 2023: …ityContext (#2787) * Add NET_BIND_SERVICE capability to Consul's restricted securityContext * Add changelog entry * Update related bats tests * Change type of release note
hc-github-team-consul-core added a commit that referenced this pull request on Aug 25, 2023: …ricted securityContext into release/1.0.x (#2837) NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext (#2787) * Add NET_BIND_SERVICE capability to Consul's restricted securityContext * Add changelog entry * Update related bats tests * Change type of release note Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
hc-github-team-consul-core added a commit that referenced this pull request on Aug 25, 2023: …ricted securityContext into release/1.1.x (#2838) NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext (#2787) * Add NET_BIND_SERVICE capability to Consul's restricted securityContext * Add changelog entry * Update related bats tests * Change type of release note Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
hc-github-team-consul-core added a commit that referenced this pull request on Aug 25, 2023: …ricted securityContext into release/1.2.x (#2839) NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext (#2787) * Add NET_BIND_SERVICE capability to Consul's restricted securityContext * Add changelog entry * Update related bats tests * Change type of release note Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
absolutelightning added a commit that referenced this pull request on Sep 12, 2023
(#2400) Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> * update consul-dataplane on main to use 1.2-dev (#2325) * Acceptance test for permissive mTLS (#2378) * Revert "added imagePullPolicy for images in values.yaml (#2310)" (#2415) This reverts commit 285096241e0d5c5b6d53dd8a37889ab3ea5a8af2. * update with new make targets (#2411) - allow configuration of acceptance testing matrices * feat(helm): add configurable server-acl-init and cleanup resource limits (#2416) * feat(helm): add configurable server-acl-init and cleanup resource limits * Apply suggestions from code review Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com> * bugfix yaml path * fix bats test --------- Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com> * update redhat registry id (#2337) * Fix auditlog config (#2434) * Add acceptance test to test sync + ingress (#2421) * [COMPLIANCE] Add Copyright and License Headers (#2456) Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> * Fix GatewayClassConfig Test Timing Issue (#2409) * Add retryCheckWithWait func * Fix retry timing on GatewayClassConfig test * remove redundant scale, make scale up number max + 1 * NET-4627, fix acceptance tests flake --------- Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> * always update acl policy if it exists (#2392) * always update acl policy if it exists * added changelog * added unit test * fix typo * added some additional assertions to test * refactored create_or_update unit test * Proxy Lifecycle helm, connect-inject and acceptance tests (#2233) Proxy Lifecycle helm, connect-inject and acceptance tests (#2233) Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> * PR breaking change release note change (#2469) * Add breaking change to release notes * Adds back gateway controller halting integration test (#2412) Co-authored-by: John Maguire <john.maguire@hashicorp.com> * 
api-gateway: Fix nil pointer exception panic (#2487) * fix nil pointer exception * add unit test * added changelog * delete changelog * Use correct length for certificate RSA key for tests (#2490) * Use correct length for certificate RSA key * api-gateway: Fix nil pointer exception panic (#2487) * fix nil pointer exception * add unit test * added changelog * delete changelog * Remove skip for fixed test --------- Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * APIGW: Validate length of RSA Keys (#2478) * Validate length of RSA key for inline certs * Bring key length check functions over from consul * move validation of key length from certificate parsing into validation of cert * Update to use sentinel errors * Add changelog * Addressing PR comments: fixing text in changelog, fixing import blocks, slight refactor of cert validation for readability * Ensure cert is removed from consul if an invalid one is presented * Fix linting issues, added tests for validating keys * add changelog for 1.2.0 dataplane and consul 1.16.0 (#2496) * add changelog for Consul 1.16.0 * add changelog for dataplane 1.2.0 * Adds chanelog values for 0.49.7 (#2501) * ci: fix eks terraform quota error by cleaning up oidc providers (#2470) cleans up oidc providers older than 8 hours. 
* build: update versions to 1.3.0-dev (#2511) * [COMPLIANCE] Add Copyright and License Headers (#2507) Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> * values.yaml - replace connect with service mesh for some instances (#2516) * fix connect/service mesh * Update values.yaml * docs: self service changelog instructions (#2526) * feat: adding security context and annotations to tls and acl init/cleanup jobs (#2525) * feat: adding security context and annotations to tls and acl init/cleanup jobs * changelog --------- Co-authored-by: Chinikins <Chinikins@gmail.com> * NET-4813: Fix issue where virtual IP saving had insufficient ACLs. (#2520) Fix issue where virtual IP saving had insufficient ACLs. * reactivate proxy-lifecycle tests (#2532) * Fix test flakes. (#2483) * Update chart to use OSS image (#2528) * Remove todo.txt (#2548) * makes gateway controllers less chatty (#2524) * HCP Observability acceptance test (#2254) * HCP bootstrap preset to always downcase datacenter (#2551) * Lowercase datacenter name from HCP bootstrap response * Add test cases to cloud bootstrap * api-gateway: when multiple listeners have the same port, only add to K8s Service once (#2413) * Modify unit tests to include multiple listeners w/ same port Running the tests on this commit will demonstrate the bug * When multiple listeners have the same port, only add to K8s Service once * Add changelog entry * NET-4482: set route condition appropriately when parent ref includes non-existent section (#2420) * Set route accepted condition appropriately when no listener with section name matching parent * Adjust error message for bind errors that aren't specific to one listener * Include section name in message for NoMatchingParent when available * Add unit test coverage for conditions derived from binding results * Add changelog entry * test: update nightly tests to consul 1.17-dev (#2556) * Update Release Scripts (#2558) * update environment 
variables with CONSUL_K8s prefix - This will let us check that we have all the environment variables set more easily with `printenv | grep "CONSUL_K8S"` * update imageConsulDataplane without quotes - this makes it consistent with the other images - allows scripting to work similarly to other images * updated utils script - handle replace case where consul-enterprise is in the values.yaml file and charts.yaml file - handle adding pre-release tag in changelog - handle updating consul-dataplane * added missing changelogs (#2565) * added missing changelogs * Update CHANGELOG.md for 0.49.8 --------- Co-authored-by: Curt Bushko <cbushko@gmail.com> * Refactor test framework to allow for more than two kube contexts (#2534) * updated contributing example with new configuration lists add new make target "kind" to makefile * This lets us setup our standard kind environment for testing refactor framework to take config list flags * removed primary/secondary kube flags as this limited us to only two clusters * added flags for kube configs, contexts and namespaces. This way we can support n clusters where n is the length of the longest list. 
The flags are then combined into a list of objects for use in testing added tests for new helper methods refactored tests * now TestMain for multicluster check that the test arguments contain the expected number of clusters * use helper method `env.GetSecondaryContextKey(t)` which grabs the second context in the list instead of using the defunct environment.SecondaryContextName refactored flag test to use new config lists refactored cli cluster to use get primary helper added multicluster check for vault acceptance * vault tests are multi-cluster but we weren't performing the necessary checks * [COMPLIANCE] Add Copyright and License Headers (#2577) Add copyright and license headers * Consume gateway-api v0.7.1 for acceptance testing (#2578) Changes proposed in this PR: - Consume the same version of gateway-api for acceptance testing that we're consuming in the control plane: https://github.com/hashicorp/consul-k8s/blob/29b6ed36923498afc8f377455d4275653960230f/control-plane/go.mod#L42 How I've tested this PR: - 👀 - 🤖 tests pass How I expect reviewers to test this PR: - See above Checklist: - [ ] Tests added - [ ] [CHANGELOG entry added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry) * Update to handle validation endpoints (#2580) Changes proposed in this PR: - add in new validation call in endpoint How I've tested this PR: Ran it locally and tested the changes How I expect reviewers to test this PR: Read the code and run the command themselves to verify: ``` ./consul-k8s/acceptance/tests/cloud && go test -run TestBasicCloud -v -p 1 -timeout 20m \ -use-kind \ -kubecontext="kind-dc1" \ -consul-image hashicorppreview/consul-enterprise:1.17-dev -consul-k8s-image hashicorppreview/consul-k8s-control-plane:1.3.0-dev -consul-collector-image hashicorp/consul-telemetry-collector:0.0.1 \ -enable-enterprise ``` Checklist: - [X] Tests added - [n/a] [CHANGELOG entry 
added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry) * test(eks): fix deprecated CSI driver terraform (#2584) Changes proposed in this PR: - Replacing the deprecated [`resolve_conflicts`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon#resolve_conflicts) with the new attributes. I don't know if we really need this setting since it is optional and the addon has no user-defined config, but I'm keeping this to keep the behavior consistent. How I've tested this PR: I did not. How I expect reviewers to test this PR: 👀 Checklist: - [ ] ~Tests added~ - [ ] ~[CHANGELOG entry added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)~ * Add a check to prevent a nil-pointer dereference on Ingress LB (#2592) * test: remove unused workflow inputs (#2589) Changes proposed in this PR: - Removed unused workflow inputs. * chore: Update actions for security (#2601) Changes proposed in this PR: - Update actions that are out of date How I've tested this PR: 👀 How I expect reviewers to test this PR: 👀 Checklist: - [ ] Tests added - [ ] [CHANGELOG entry added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry) * [NET-4122] Doc guidance for federation with externalServers (#2583) Add guidance for proper configuration when joining to a secondary cluster using WAN fed with external servers also enabled. Also clarify federation requirements and fix formatting for an unrelated value. 
Changes proposed in this PR: - Update base content for generating Helm chart docs to clarify the use case encountered in https://github.com/hashicorp/consul-k8s/issues/2138 - Minor additional fixes - _Follow-up: propagate generated doc changes to `consul` and additionally update https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/servers-outside-kubernetes there_ How I've tested this PR: N/A (docs only) How I expect reviewers to test this PR: 👀 Checklist: - [ ] Tests added - [ ] [CHANGELOG entry added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry) * Handle errors properly when services are de-registered from the catalog (#2571) - In the past, kubernetes nodes were used as the source of truth to determine the list of services that should exist in Consul. - In most cases this was ok but becomes a problem when nodes are quickly deleted from kubernetes such as the case when using spot instances. - Instead, use consul synthetic-nodes to get the list of services and deregister the services that do not have endpoint addresses. --------- Co-authored-by: mr-miles <miles.waller@gmail.com> * Adding support for Enterprise and other improvement on the Customizing Vault Version for WanFed Test (#2481) * Adding support for Enterprise and other improvement on the Customizing Vault Version for WanFed Test This is the extension of the PR - https://github.com/hashicorp/consul-k8s/pull/2043 In this PR, the followings were addressed - 1. Now the vault enterprise version can be provided in the cli command. The previous PR only addressed Vault OSS. 2. Two flags “-no-cleanup-wan-fed” and “test-duration” were introduced to not to cleanup the test environment after successful setup to give it time to do manual testing for features/to reproduce customer issues. Default is 1 hour. 3. This was tested in Kind environment and it works fine. The following was taken out to use the “use-kind” option for WanFed test. 
//if cfg.UseKind { // t.Skipf("Skipping this test because it's currently flaky on kind") //} * Fix indentation * Fix unit test for deleting gateway w/ consul services * Remove redundant service deregistration code * Exit loop early once registration is found for service * Fix import blocking * Set status on pods added to test * Apply suggestions from code review * Reduce count of test gateways to 10 from 100 --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Changes proposed in this PR: - - How I've tested this PR: How I expect reviewers to test this PR: Checklist: - [ ] Tests added - [ ] CHANGELOG entry added > HashiCorp engineers only, community PRs should not add a changelog entry. > Entries should use present tense (e.g. Add support for...) * Removing the changes in vault_namespaces_test.go * Introducing new flag no-cleanup * Removed "go 1.20" from go.work file * cfg.USEKind check is added back * Removed previousy added "Test Duration" flag * Some changes * Some changes * Differentiate FIPS linux package names (#2599) * added make target for checking for hashicorppreview (#2603) * added make target for checking for hashicorppreview * added check to prepare-release make target * Increase golangci-lint timeout to 10m (#2621) This is meant to solve for recurrent timeouts in several steps, particularly `golangci-lint-control-plane` and `golang-ci-lint-cli`. An accompanying change in `consul-k8s-workflows` should disable caching until the (unclear) root of the issue can be resolved, or we can disable or clear cache in a more targeted way that solves for these cases. * Fix TestAPIGateway_GatewayClassConfig (#2631) * Fix TestAPIGateway_GatewayClassConfig * Remove stray files from bad merge * Support running with restricted PSA enforcement enabled (part 1) (#2572) Support restricted PSA enforcement in a basic setup. 
This is enough to get a basic setup with ACLs and TLS working and an acceptance test passing (but does not update every component). On OpenShift, we have the option to set the security context or not. If the security context is unset, then it is set automatically by OpenShift SCCs. However, we prefer to set the security context to avoid useless warnings on OpenShift and to reduce the config difference between OpenShift and plain Kube. By default, OpenShift namespaces have the audit and warn PSA labels set to restricted, so we receive pod security warnings when deploying Consul to OpenShift even though the pods will be able to run. Helm chart changes: * Add a helper to the helm chart to define a "restricted" container security context (when pod security policies are not enabled) * Update the following container securityContexts to use the "restricted" settings (not exhaustive) - gateway-cleanup-job.yaml - gateway-resources-job.yaml - gossip-encryption-autogenerate-job.yaml - server-acl-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset - server-acl-init-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset - server-statefulset.yaml: - the locality-init container receives the restricted context - the consul container receives the restricted context only if `.Values.server.containerSecurityContext.server` is unset - tls-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset - tls-init-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset - webhook-cert-manager-deployment.yaml Acceptance test changes: * When `-enable-openshift` and `-enable-cni` are set, configure the CNI settings correctly for OpenShift. * Add the `-enable-restricted-psa-enforcement` test flag. When this is set, the tests assume the Consul namespace has restricted PSA enforcement enabled. 
The tests will deploy the CNI (if enabled) into the `kube-system` namespace. Compatible test cases will deploy applications outside of the Consul namespace. * Update the ConnectHelper to configure the NetworkAttachmentDefinition required to be compatible with the CNI on OpenShift. * Add fixtures for static-client and static-server for OpenShift. This is necessary because the deployment configs must reference the network attachment definition when using the CNI on OpenShift. * Update tests in the `acceptance/tests/connect` directory to either run or skip based on -enable-cni and -enable-openshift * change fips delimiter to + (#2480) (#2591) * [NET-4865] security: Upgrade Go and net/http CVE-2023-29406 (#2642) security: Upgrade Go and net/http Upgrade to Go 1.20.6 and `net/http` 1.12.0 to resolve CVE-2023-29406. * Consul client always logs into the local datacenter (#2652) The consul client always logs into the local datacenter * Add support for requestTimeout in Service Resolver spec (#2641) * Add support for requestTimeout in Service Resolver spec * preserve serviceresolvers.yaml Preserving yaml from main, only adding requesttimeout property. 
* update generated.deepcopy.go * Use latest controller-gen to generate CRDs --------- Co-authored-by: Ashwin Venkatesh <ashwin.what@gmail.com> * Increase timeout for acl replication to 60 seconds and poll every 500 ms (#2656) increase timeout for acl replication to 60 seconds and poll every 500 ms * Update changelog to address cloud auto-join change in 1.0.0 (#2667) * NET-4967: Fix helm install when setting copyAnnotations or nodeSelector for apiGateway (#2597) * Support multiline nodeSelector arg * Support multiline service annotations arg * Update test assertions * Add changelog entry * Fix ordering of licence in templates (#2675) * Mw/net 4260 phase 2 automate the k8s sameness tests (#2579) * add kustomize files - These reflect the different test cases - sameness.yaml defines the ordered list of failovers - static-server responds with a unique name so we can track failover order - static-client includes both DNS and CURL in the image used so we can exec in for testing * add sameness tests - We do a bunch of infra setup for peering and partitions, but after the initial setup only partitions are tested - We test service failover, dns failover and PQ failover scenarios * add 4 kind clusters to make target - The sameness tests require 4 kind clusters, so the make target will now spin up 4 kind clusters - not all tests need 4 kind clusters, but the entire suite of tests can be run with 4 * increase kubectl timeout to 90s - add variable for configuring timeout - timeout was triggering locally on intel mac machine, so this timeout should cover our devs lowest performing machines * add sameness test to test packages * Fix comments on partition connect test * Added logLevel field for components (#2302) * Added logLevel field for components * Add changelog * Fix tests * Rename 2298.txt to 2302.txt * Address comments * Fix tests * Fix helm tests * Address comments * Add client and server loglevels * Fix bats * Update changelog * Fix bats tests * Add missing tsccr entries 
(#2682) * Use controller-gen 0.8.0 for CRDs (#2684) - Add missing license headers. * Fix ingress (#2687) * [NET-4865] Bump golang.org/x/net to 0.12.0 in cni (#2668) * Bump golang.org/x/net to 0.12.0 in cni This was missed in 5b57e6340dff44157cb7a984ac7220e47849dfb9 as part of a general upgrade of that dependency. * Bump server-connection-manager to v0.1.3 Tidying up following CVE dependency bumps, leading to a new release of this library. * Fix default Ent image tag in acceptance tests (#2683) * Fix default Ent image tag in acceptance tests Rather than hard-coding the Docker repository and parsing the non-Ent image tag for a version, simply replace the image name and retain other coordinates. This is consistent with our tagging scheme introduced in https://github.com/hashicorp/consul/pull/13541 and will allow for using `hashicorppreview` images seamlessly regardless of whether OSS or Ent is being tested. * Add make target for loading images in kind Complement other multi-cluster make targets by supporting image loading across kind clusters. * [NET-5146] security: Upgrade Go and `x/net` (#2710) security: Upgrade Go and x/net Upgrade to Go 1.20.7 and `x/net` 1.13.0 to resolve [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) and [CVE-2023-3978](https://nvd.nist.gov/vuln/detail/CVE-2023-3978). 
* Increase timeout while waiting for vault server to be ready (#2709) increase timeout while waiting for server to be ready and fix require.Equal check * Acceptance tests: increase api-gateway retries (#2716) * Increase the retries and add config entry retries * NET-3908: allow configuration of SecurityContextConstraints when running on OpenShift (#2184) Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com> * Gateway privileged port mapping (#2707) * Adds port mapping to Gateway Class Config to avoid running container on privileged ports Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Support restricted PSA enforcement part 2 (#2702) * NET-4413 Implement translation + validation of TLS options (#2711) * Implement validation of TLS options * Use constants for annotation keys * Add changelog entry * Implement TLS options translation * Update changelog entry * Add unit test coverage for TLS option validation * Code review feedback * NET-4993 JWT auth basic acceptance test (#2706) * JWT auth basic acceptance test * Update to run only in enterprise mode, update comment to be correct * Remove usage of `testing.t` in retry block * Fixed last `t` in retry block in tests * Update acceptance/tests/api-gateway/api_gateway_test.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update acceptance/tests/api-gateway/api_gateway_test.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Updating filenames for gw jwt cases and adding message about why this test is skipped --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * [NET-5217] Apply K8s node locality to services and sidecars (#2748) Apply K8s node locality to services and sidecars Locality-aware routing is based on proxy locality rather than the proxied service. Ensure we propagate locality to both when registering services. 
* Adds changelog for release of 1.1.4 (#2754) * Set privileged to false unless on OpenShift without CNI (#2755) * Set privileged to false unless on OpenShift without CNI * Update consul-enterprise-version script to add -ent (#2756) * Automate the k8s sameness tests add peering (#2725) * added fixtures * removed fixtures - intentions only gets added now if acls are enabled - payment-service-resolver is only for locality aware which isn't in scope for this PR * updated sameness tests to include peering - refactored with some helper functions for members (now TestClusters) - made names more uniform, tend more towards the cluster-01-a/cluster-02-a/etc. nomenclature * added 4 clusters to cni make target * disable proxy lifecycle * Updates changelog to include 1.0.9 (#2758) * Adds changelog for 1.2.1, reorders 1.1.4 and 1.0.9 (#2768) * Mw/net 4260 add tproxy coverage (#2776) * add additional tproxy static-client - this doesn't specify an upstream so that tproxy will be able to handle routing * add tproxy coverage - add control-flow to handle using the virtual host name when tproxy is enabled * [NET-2880] Add `PrioritizeByLocality` to `ProxyDefaults` CRD (#2784) Add `PrioritizeByLocality` to `ProxyDefaults` CRD In addition to service resolver, add this field to the CRD for proxy defaults for parity with Consul config options. 
* AKS 1.24 is deprecated, update to latest 1.25 patch (#2792) * Net 4889 implement retry feature on the api gateway (#2735) * squash, add support for retry loops and timeouts to api-gateway NET-4889, NET-4890 * Update .changelog/2735.txt Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com> * clean up extra files * delete custom struct, just use client.Object * delete * revert kustomization * lint cleanups * fix merge reversion, last bit of cleanup --------- Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com> * Update Kustomize to use `patches` instead of `patchesStrategicMerge` (#2786) * Fix Kustomization for cases * Fix patches in config * Update `Contributing` * [NET-4498] Test locality propagation to services from k8s (#2791) Test locality propagation to services from k8s Verify that we propagate locality (region and zone) from standard k8s annotations to services registered by consul-k8s. This will later be expanded to exercise multi-cluster locality-based failover. * Use Kubernetes 1.25 on AKS (#2801) * Point mod to main to fix build errors (#2805) point mod to main to fix build errors * Fix peer test flakes. (#2812) This commit fixes an issue where the peering tests would flake due to the fact that we were concurrently modifying a global map. It also adds in retry logic so that the consul servers have sufficient time to initialize before attempting to generate peering tokens. * NET-4806: Fix ACL tokens for pods don't have pod name set (#2808) Fix issue where tokens had missing pod name. Prior to this commit, tokens descriptions would have a missing pod name and would have the form: {pod: "default/"} This poses issues for the endpoints controller, which will try to parse the metadata and use it to clean up the token. Without the pod name, consul-k8s will continually leak tokens. 
* net-1776, add job lifecycle test and changes to connhelper (#2669) * changes to connhelper, add job lifecycle test * yaml fixes * move around job yaml files, update grace period times * yaml change * timer change * wait for job to start when deploying * fix file paths * Skip Lifecycle Test on t-proxy --------- Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Net 1784 inject sidecar first (#2743) * change container creation order. Change order of container creation so that envoy container is created before app container. * change tests to fit proxy container added first * add sidecar first iff lifecycle enabled * update tests to include/exclude lifecycle * container ordering in multiport + lifecycle, test case * create changelog * change exec calls to specify container specify containers when exec'ing * Update 2743.txt * small fixes to appending sidecar * Add readOnlyRootFilesystem to security context (#2771) (#2789) * Add readOnlyRootFilesystem to security context (#2771) --------- Co-authored-by: mr-miles <miles.waller@gmail.com> Co-authored-by: Paul Glass <pglass@hashicorp.com> * feat: func to create V2 resource client (#2823) * feat: add helm value for consul resource-apis experiment (#2800) * feat: add helm value for consul resource-apis experiment * Apply suggestions from code review Co-authored-by: John Murret <john.murret@hashicorp.com> * PR feedback part 2 --------- Co-authored-by: John Murret <john.murret@hashicorp.com> * add sameness testing performance enhancement (#2822) * NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext (#2787) * Add NET_BIND_SERVICE capability to Consul's restricted securityContext * Add changelog entry * Update related bats tests * Change type of release note * Added tests for partition dns/pq (#2816) * Added tests for partition dns/pq - did some light refactoring * Mw/net 4888 add namespace tests failover wan fed (#2797) * added fixtures * modified connHelper Create Intention - Function can 
now take optional intention ops. For now just supports overriding the source/destination namespaces * added WAN Federation test - split out into own test because TestWANFederation also does some PSA related tests. Didn't want to change this test too much, and my test requires consul-k8s mirroring - added new test TestWANFederationFailover which tests some failover scenarios, including to different namespaces and datacenters * refactored connHelper to use opts * fix: lifecycle enabled iptables mismatch (#2842) * refactor: make space for v2 controllers (#2832) refator: make space for v2 controllers * build: update SDK version to use commit from (#2846) * Revert "Add readOnlyRootFilesystem to security context (#2771)" (#2847) Revert "Add readOnlyRootFilesystem to security context (#2771) (#2789)" This reverts commit b75d8034b96ae1e21c0cca66ad5ee9a63af20505. * Fix issue where CLI install test was running Tproxy manually (#2843) * Configure Gateway Deployment Resources (#2723) * Update comments on Deployment * Move resources into managedGatewayClass * Add resource configuration to GatewayClassConfig * Regenerate CRDs * Pass resource configuration into the gateway-resources-job * Pull in resources from GatewayClassConfig * Add flag for resources in `gateway-resources` subcommand * Clean up some comments in existing code * Add gateway-resources configmap * Load configmap into gateway-resources job * Load resources from json * Update CRDs * Read resources in from the configmap * Add BATs for Gateway Resources Configmap * Add Changelog * Fix unquoted value in BATs * Fix how resources.json is read * Fix BATs errors for real * Fix seg fault bug * Fix reading of resources file * Quote "$actual" * Fix zsh/sh differences in BATs * Update control-plane/api-gateway/common/helm_config.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Move resources into DeploymentSpec * Remove extra split in crds --------- Co-authored-by: Nathan Coleman 
<nathan.coleman@hashicorp.com> * correct prometheus port and scheme annotations if tls is enabled (#2782) * correct prometheus port and scheme annotations if tls is enabled * Adds missing fields for PassiveHealthCheck on IngressGateway and ServiceDefault CRDs (#2796…
This was referenced Oct 31, 2023
Labels: backport/1.1.x (Backport to release/1.1.x branch), backport/1.2.x (This release branch is no longer active.)
Changes proposed in this PR:

- `NET_BIND_SERVICE` capability for consul-dataplane, related to NET-5186 "Allow dataplane container to bind to privileged ports" (consul-dataplane#238)

How I've tested this PR:

- 443

How I expect reviewers to test this PR:

Checklist:
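For readers who want to see what the "restricted" securityContext discussed on this page amounts to once `NET_BIND_SERVICE` is added back, here is an added illustration in a plain Pod manifest. It is not the consul-k8s Helm template and not the project's code; the pod, namespace and image names are placeholders I chose. The settings shown are the ones the Kubernetes Pod Security Standards "restricted" profile requires: every capability dropped, `NET_BIND_SERVICE` being the only one the profile allows to be added back, no privilege escalation, a non-root user and a `RuntimeDefault` seccomp profile. The container binds 443, the port mentioned in the PR description.

```yaml
# Added example, not from the consul-k8s chart: a container securityContext that
# satisfies the "restricted" Pod Security Standard while still allowing the
# process to bind a port below 1024. Names and image are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: dataplane-example               # placeholder
  namespace: consul                     # placeholder; assumed to carry
                                        # pod-security.kubernetes.io/enforce=restricted
spec:
  securityContext:
    runAsNonRoot: true                  # restricted: must not run as UID 0
    seccompProfile:
      type: RuntimeDefault              # restricted: RuntimeDefault or Localhost
  containers:
    - name: dataplane
      image: example.invalid/dataplane:placeholder   # placeholder image
      ports:
        - containerPort: 443            # privileged port; needs NET_BIND_SERVICE
      securityContext:
        allowPrivilegeEscalation: false # restricted: must be false
        runAsNonRoot: true
        capabilities:
          drop:
            - ALL                       # restricted: everything must be dropped...
          add:
            - NET_BIND_SERVICE          # ...and this is the only capability that
                                        # the profile permits adding back
```

Two checks are worth running before relying on this. First, `kubectl apply --dry-run=server -f pod.yaml` against a namespace labelled `pod-security.kubernetes.io/enforce=restricted` shows whether Pod Security Admission accepts the spec; adding any capability other than `NET_BIND_SERVICE`, or omitting `drop: [ALL]`, is rejected at admission. Second, because `runAsNonRoot: true` with no numeric `runAsUser` makes the kubelet verify the image's `USER` at start time, the image must declare a numeric non-root user or the container will not start; and whether the capability actually lands in the process's effective set for a non-root user depends on the container runtime and on the binary's file capabilities, so confirm it inside the running container by reading the `CapEff` line of `/proc/1/status` rather than assuming it from the manifest.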