Backport of Add readOnlyRootFilesystem to security context (#2771) into release/1.2.x #2830

Closed
Commits
122 commits
57fef1f
Add bug to changelog so that go-changelog works (#2276)
curtbushko Jun 8, 2023
e35eaa3
Fix retry loops that use `t` (#2311)
Jun 8, 2023
f4435ac
Add FIPS builds (#2165)
skpratt Jun 8, 2023
097f945
activated weekly acceptance tests for 1-2-x (#2315)
wilkermichael Jun 8, 2023
61c7280
Net 4230/add tcp to basic acceptance test (#2297)
missylbytes Jun 9, 2023
555d4a6
[API Gateway] Add acceptance test for cluster peering (#2306)
Jun 9, 2023
b56b7dd
Mw/net 3598 update kind for consul k8s acceptance tests with latest v…
wilkermichael Jun 9, 2023
203c9d1
[API Gateway] WAN Federation test and fixes (#2295)
Jun 9, 2023
da147c1
[API Gateway] fix dangling service registrations (#2321)
Jun 9, 2023
198c443
api-gateway: add unit tests verifying scaling parameters on GatewayCl…
nathancoleman Jun 9, 2023
8245efc
Rename GatewayClassController to prevent name collision (#2317)
Jun 9, 2023
f07736b
[API Gateway] Conformance Test Fixes (#2326)
Jun 9, 2023
6933efe
pin for 1.2.x-rc latest Consul submodules (#2327)
wilkermichael Jun 9, 2023
7f6e1cb
Ensure Reconciliation Stops (#2305)
jm96441n Jun 9, 2023
7e076bb
Add CRT docker changes for release workflow (#2333)
skpratt Jun 10, 2023
4976215
Update var check with appropriate quotes (#2330)
skpratt Jun 11, 2023
60b214e
Revert "Ensure Reconciliation Stops (#2305)" (#2341)
nathancoleman Jun 12, 2023
8f47485
Improvement- [NET-189] Added helm inputs for managing audit logs (#2265)
Ganeshrockz Jun 12, 2023
fc40d5e
Set Consul service instance localities from K8s node labels (#2346)
erichaberkorn Jun 13, 2023
345f62c
fix: use correct flag when translating namespaces (#2353)
nathancoleman Jun 13, 2023
2850962
added imagePullPolicy for images in values.yaml (#2310)
aahel Jun 13, 2023
f2c166f
[chore]: Pin github action workflows (#2356)
curtbushko Jun 13, 2023
80b1f52
ci: update backport assistant to 0.3.4 (#2365)
nathancoleman Jun 13, 2023
e691f46
update changelog based on changes made to 1.2.x (#2348)
wilkermichael Jun 13, 2023
9121afc
api-gateway: nightly conformance test action (#2257)
sarahalsmiller Jun 14, 2023
3ce3302
add crds for prioritize by locality (#2357)
erichaberkorn Jun 15, 2023
19d2fb5
set everything to correct version (#2342)
curtbushko Jun 15, 2023
c4617fc
api-gateway: fix cache and service deletion issue (#2377)
Jun 15, 2023
47d4063
Adding support for weighted k8s service (#2293)
srahul3 Jun 19, 2023
fe4857e
Bumping go-discover to the latest version (#2390)
eastebry Jun 19, 2023
a3c8771
Pin Kind versions on release branches (#2384)
wilkermichael Jun 19, 2023
aaa54c2
[COMPLIANCE] Add Copyright and License Headers (#2400)
hashicorp-copywrite[bot] Jun 20, 2023
63c7682
update consul-dataplane on main to use 1.2-dev (#2325)
curtbushko Jun 20, 2023
4141f6f
Acceptance test for permissive mTLS (#2378)
Jun 20, 2023
08534e3
Revert "added imagePullPolicy for images in values.yaml (#2310)" (#2415)
Jun 21, 2023
883fbdc
update with new make targets (#2411)
wilkermichael Jun 22, 2023
5b1856e
feat(helm): add configurable server-acl-init and cleanup resource lim…
DanStough Jun 23, 2023
c6c5d52
update redhat registry id (#2337)
alvin-huang Jun 23, 2023
f783f7e
Fix auditlog config (#2434)
Jun 23, 2023
79db263
Add acceptance test to test sync + ingress (#2421)
Jun 23, 2023
c2a149b
[COMPLIANCE] Add Copyright and License Headers (#2456)
hashicorp-copywrite[bot] Jun 26, 2023
c83ce0c
Fix GatewayClassConfig Test Timing Issue (#2409)
Jun 26, 2023
95af4c7
always update acl policy if it exists (#2392)
aahel Jun 27, 2023
e176846
Proxy Lifecycle helm, connect-inject and acceptance tests (#2233)
mikemorris Jun 27, 2023
d3f9b67
PR breaking change release note change (#2469)
Jun 28, 2023
920ee32
Adds back gateway controller halting integration test (#2412)
missylbytes Jun 28, 2023
e976b88
api-gateway: Fix nil pointer exception panic (#2487)
sarahalsmiller Jun 29, 2023
83f050b
Use correct length for certificate RSA key for tests (#2490)
jm96441n Jun 29, 2023
8fe4fb6
APIGW: Validate length of RSA Keys (#2478)
jm96441n Jun 29, 2023
ced0ae8
add changelog for 1.2.0 dataplane and consul 1.16.0 (#2496)
wilkermichael Jun 29, 2023
736649d
Adds changelog values for 0.49.7 (#2501)
missylbytes Jun 30, 2023
30e9f55
ci: fix eks terraform quota error by cleaning up oidc providers (#2470)
ndhanushkodi Jul 3, 2023
1161322
build: update versions to 1.3.0-dev (#2511)
DanStough Jul 6, 2023
cbcbdc5
[COMPLIANCE] Add Copyright and License Headers (#2507)
hashicorp-copywrite[bot] Jul 7, 2023
0cb24d7
values.yaml - replace connect with service mesh for some instances (#…
Jul 10, 2023
6624d34
docs: self service changelog instructions (#2526)
DanStough Jul 10, 2023
11a1851
feat: adding security context and annotations to tls and acl init/cle…
DanStough Jul 10, 2023
fb02159
NET-4813: Fix issue where virtual IP saving had insufficient ACLs. (#…
hashi-derek Jul 10, 2023
6adb9a2
reactivate proxy-lifecycle tests (#2532)
wilkermichael Jul 10, 2023
4676652
Fix test flakes. (#2483)
hashi-derek Jul 10, 2023
486061a
Update chart to use OSS image (#2528)
curtbushko Jul 11, 2023
6b45156
Remove todo.txt (#2548)
curtbushko Jul 11, 2023
fd201c5
makes gateway controllers less chatty (#2524)
missylbytes Jul 11, 2023
592e457
HCP Observability acceptance test (#2254)
chapmanc Jul 11, 2023
8582286
HCP bootstrap preset to always downcase datacenter (#2551)
chapmanc Jul 11, 2023
4f06479
api-gateway: when multiple listeners have the same port, only add to …
nathancoleman Jul 11, 2023
b8be6a0
NET-4482: set route condition appropriately when parent ref includes …
nathancoleman Jul 11, 2023
73959e7
test: update nightly tests to consul 1.17-dev (#2556)
DanStough Jul 12, 2023
65c4e74
Update Release Scripts (#2558)
wilkermichael Jul 12, 2023
df0e649
added missing changelogs (#2565)
wilkermichael Jul 12, 2023
29b6ed3
Refactor test framework to allow for more than two kube contexts (#2534)
wilkermichael Jul 14, 2023
59228dd
[COMPLIANCE] Add Copyright and License Headers (#2577)
hashicorp-copywrite[bot] Jul 17, 2023
ab462d0
Consume gateway-api v0.7.1 for acceptance testing (#2578)
nathancoleman Jul 18, 2023
c790951
Update to handle validation endpoints (#2580)
chapmanc Jul 18, 2023
07cc5cd
test(eks): fix deprecated CSI driver terraform (#2584)
DanStough Jul 19, 2023
f0530d9
Add a check to prevent a nil-pointer dereference on Ingress LB (#2592)
Jul 19, 2023
b3769b1
test: remove unused workflow inputs (#2589)
DanStough Jul 19, 2023
4d4c35a
chore: Update actions for security (#2601)
curtbushko Jul 20, 2023
a4d9487
[NET-4122] Doc guidance for federation with externalServers (#2583)
zalimeni Jul 20, 2023
414554c
Handle errors properly when services are de-registered from the catal…
curtbushko Jul 20, 2023
ff24495
Adding support for Enterprise and other improvement on the Customizin…
20sr20 Jul 20, 2023
8b45de8
Differentiate FIPS linux package names (#2599)
skpratt Jul 21, 2023
efa2be8
added make target for checking for hashicorppreview (#2603)
wilkermichael Jul 21, 2023
e2adf6f
Increase golangci-lint timeout to 10m (#2621)
zalimeni Jul 21, 2023
1690fe2
Fix TestAPIGateway_GatewayClassConfig (#2631)
Jul 24, 2023
3932e28
Support running with restricted PSA enforcement enabled (part 1) (#2572)
Jul 24, 2023
a924e88
change fips delimiter to + (#2480) (#2591)
skpratt Jul 24, 2023
5b57e63
[NET-4865] security: Upgrade Go and net/http CVE-2023-29406 (#2642)
zalimeni Jul 24, 2023
6b26d91
Consul client always logs into the local datacenter (#2652)
Jul 25, 2023
89a1c6d
Add support for requestTimeout in Service Resolver spec (#2641)
markcampv Jul 25, 2023
94414a7
Increase timeout for acl replication to 60 seconds and poll every 500…
Jul 26, 2023
596a2a7
Update changelog to address cloud auto-join change in 1.0.0 (#2667)
Jul 26, 2023
f026d43
NET-4967: Fix helm install when setting copyAnnotations or nodeSelect…
nathancoleman Jul 26, 2023
7bb0a57
Fix ordering of licence in templates (#2675)
Jul 27, 2023
b6d3e61
Mw/net 4260 phase 2 automate the k8s sameness tests (#2579)
wilkermichael Jul 27, 2023
89ee905
Added logLevel field for components (#2302)
Ganeshrockz Jul 28, 2023
3e1f799
Add missing tsccr entries (#2682)
curtbushko Jul 28, 2023
63567cb
Use controller-gen 0.8.0 for CRDs (#2684)
Jul 28, 2023
3cb0cce
Fix ingress (#2687)
Jul 28, 2023
6835b1e
[NET-4865] Bump golang.org/x/net to 0.12.0 in cni (#2668)
zalimeni Jul 28, 2023
da99ce4
Fix default Ent image tag in acceptance tests (#2683)
zalimeni Jul 31, 2023
8379be9
[NET-5146] security: Upgrade Go and `x/net` (#2710)
zalimeni Aug 2, 2023
61c7761
Increase timeout while waiting for vault server to be ready (#2709)
curtbushko Aug 2, 2023
939e7c3
Acceptance tests: increase api-gateway retries (#2716)
curtbushko Aug 3, 2023
671675d
NET-3908: allow configuration of SecurityContextConstraints when runn…
nathancoleman Aug 8, 2023
71cdbc2
Gateway privileged port mapping (#2707)
missylbytes Aug 8, 2023
a1eb32b
Support restricted PSA enforcement part 2 (#2702)
Aug 8, 2023
f3d099c
NET-4413 Implement translation + validation of TLS options (#2711)
nathancoleman Aug 9, 2023
a287fce
NET-4993 JWT auth basic acceptance test (#2706)
jm96441n Aug 9, 2023
a86533b
[NET-5217] Apply K8s node locality to services and sidecars (#2748)
zalimeni Aug 10, 2023
0100fa4
Adds changelog for release of 1.1.4 (#2754)
missylbytes Aug 11, 2023
6e98cf9
Set privileged to false unless on OpenShift without CNI (#2755)
curtbushko Aug 11, 2023
b57b936
Update consul-enterprise-version script to add -ent (#2756)
curtbushko Aug 11, 2023
1968df4
Automate the k8s sameness tests add peering (#2725)
wilkermichael Aug 11, 2023
6e9f473
Updates changelog to include 1.0.9 (#2758)
missylbytes Aug 14, 2023
ab00c03
Adds changelog for 1.2.1, reorders 1.1.4 and 1.0.9 (#2768)
missylbytes Aug 15, 2023
8a5eff0
Mw/net 4260 add tproxy coverage (#2776)
wilkermichael Aug 16, 2023
48184c6
[NET-2880] Add `PrioritizeByLocality` to `ProxyDefaults` CRD (#2784)
zalimeni Aug 17, 2023
608b0cc
Add readOnlyRootFilesystem to security context (#2771)
mr-miles Aug 17, 2023
2af09e5
backport of commit a80eaf872d08eba60f18e79dbf548620282c9238
Aug 17, 2023
2a8a507
backport of commit 3e85d69c966fbb189b8f940efbd4736420e5324d
Aug 17, 2023
94733f1
backport of commit f8792329eb900f1df9da5efdb2038348ebf8253c
Aug 18, 2023
11 changes: 0 additions & 11 deletions .changelog/1975.txt

This file was deleted.

3 changes: 0 additions & 3 deletions .changelog/1976.txt

This file was deleted.
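Review bot: the deletions of .changelog/1975.txt (11 lines) and .changelog/1976.txt (3 lines) are shown without their contents, so it cannot be checked here whether those release notes were already rolled into CHANGELOG.md for a shipped version; please confirm that in the PR description, otherwise the release branch silently loses them.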

3 changes: 3 additions & 0 deletions .changelog/2048.txt
@@ -0,0 +1,3 @@
```release-note:improvement
helm: add samenessGroup CRD
```
3 changes: 3 additions & 0 deletions .changelog/2075.txt
@@ -0,0 +1,3 @@
```release-note:improvement
helm: add samenessGroup field to exported services CRD
```
3 changes: 3 additions & 0 deletions .changelog/2086.txt
@@ -0,0 +1,3 @@
```release-note:improvement
helm: add samenessGroup field to service resolver CRD
```
3 changes: 3 additions & 0 deletions .changelog/2097.txt
@@ -0,0 +1,3 @@
```release-note:improvement
helm: add samenessGroup field to source intention CRD
```
9 changes: 9 additions & 0 deletions .changelog/2102.txt
Expand Up @@ -10,3 +10,12 @@ Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs [CVE-2022-41
](https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
.)
```

```release-note:improvement
cli: update minimum go version for project to 1.20.
```

```release-note:improvement
control-plane: update minimum go version for project to 1.20.
```

3 changes: 3 additions & 0 deletions .changelog/2165.txt
@@ -0,0 +1,3 @@
```release-note:improvement
control-plane: add FIPS support
```
3 changes: 3 additions & 0 deletions .changelog/2184.txt
@@ -0,0 +1,3 @@
```release-note:feature
api-gateway: support deploying to OpenShift 4.11
```
3 changes: 3 additions & 0 deletions .changelog/2233.txt
@@ -0,0 +1,3 @@
```release-note:feature
Add support for configuring graceful shutdown proxy lifecycle management settings.
```
3 changes: 3 additions & 0 deletions .changelog/2293.txt
@@ -0,0 +1,3 @@
```release-note:feature
sync-catalog: add ability to support weighted loadbalancing by service annotation `consul.hashicorp.com/service-weight: <number>`
```
13 changes: 13 additions & 0 deletions .changelog/2302.txt
@@ -0,0 +1,13 @@
```release-note:improvement
Add support to provide the logLevel flag via helm for multiple low level components. Introduces the following fields
1. `global.acls.logLevel`
2. `global.tls.logLevel`
3. `global.federation.logLevel`
4. `global.gossipEncryption.logLevel`
5. `server.logLevel`
6. `client.logLevel`
7. `meshGateway.logLevel`
8. `ingressGateways.logLevel`
9. `terminatingGateways.logLevel`
10. `telemetryCollector.logLevel`
```
3 changes: 3 additions & 0 deletions .changelog/2304.txt
@@ -0,0 +1,3 @@
```release-note:improvement
helm: Kubernetes v1.27 is now supported. Minimum tested version of Kubernetes is now v1.24.
```
3 changes: 3 additions & 0 deletions .changelog/2370.txt
@@ -0,0 +1,3 @@
```release-note:improvement
(Consul Enterprise) Add support to provide inputs via helm for audit log related configuration
```
3 changes: 3 additions & 0 deletions .changelog/2390.txt
@@ -0,0 +1,3 @@
```release-note:security
Update [Go-Discover](https://github.com/hashicorp/go-discover) in the container has been updated to address [CVE-2020-14040](https://github.com/advisories/GHSA-5rcv-m4m3-hfh7)
```
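Review bot: the 2390 entry reads "Update [Go-Discover](...) in the container has been updated to address ...", which carries two verbs; suggest "Update [Go-Discover](https://github.com/hashicorp/go-discover) in the container to address [CVE-2020-14040](https://github.com/advisories/GHSA-5rcv-m4m3-hfh7)". Consider also naming the go-discover version being pulled in, since a security note without a version is hard to audit against an SBOM.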
6 changes: 6 additions & 0 deletions .changelog/2392.txt
@@ -0,0 +1,6 @@
```release-note:breaking-change
control-plane: All policies managed by consul-k8s will now be updated on upgrade. If you previously edited the policies after install, your changes will be overwritten.
```
```release-note:bug
control-plane: Always update ACL policies upon upgrade.
```
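Review bot: the breaking-change note in 2392 warns that locally edited policies will be overwritten on upgrade but offers no way to keep those edits; suggest one sentence telling operators how to carry customisations forward (or that they must re-apply them after the upgrade), since the release note is the only warning many will see before running it.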
3 changes: 3 additions & 0 deletions .changelog/2413.txt
@@ -0,0 +1,3 @@
```release-note:bug
api-gateway: Fix creation of invalid Kubernetes Service when multiple Gateway listeners have the same port.
```
3 changes: 3 additions & 0 deletions .changelog/2416.txt
@@ -0,0 +1,3 @@
```release-note:feature
helm: Adds `acls.resources` field which can be configured to override the `resource` settings for the `server-acl-init` and `server-acl-init-cleanup` Jobs.
```
3 changes: 3 additions & 0 deletions .changelog/2420.txt
@@ -0,0 +1,3 @@
```release-note:bug
api-gateway: set route condition appropriately when parent ref includes non-existent section name
```
7 changes: 7 additions & 0 deletions .changelog/2476.txt
@@ -0,0 +1,7 @@
```release-note:improvement
helm: update `imageConsulDataplane` value to `hashicorp/consul-dataplane:1.2.0`
```

```release-note:improvement
helm: update `image` value to `hashicorp/consul:1.16.0`
```
5 changes: 5 additions & 0 deletions .changelog/2478.txt
@@ -0,0 +1,5 @@
```release-note:bug
api-gateway: fixes bug where envoy will silently reject RSA keys less than 2048 bits in length when not in FIPS mode, and
will reject keys that are not 2048, 3072, or 4096 bits in length in FIPS mode. We now validate
and reject invalid certs earlier.
```
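Review bot: minor wording in the 2478 entry: "envoy" should be "Envoy", and the closing sentence says "reject invalid certs" while the defect described is RSA key length; suggest "We now validate RSA key length and reject invalid certificates earlier" so the note states what is actually checked. The FIPS-mode list (2048, 3072 or 4096 bits) is useful to operators and should stay.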
4 changes: 4 additions & 0 deletions .changelog/2520.txt
@@ -0,0 +1,4 @@
```release-note:bug
transparent-proxy: Fix issue where connect-inject lacked sufficient `mesh:write` privileges in some deployments,
which prevented virtual IPs from persisting properly.
```
3 changes: 3 additions & 0 deletions .changelog/2524.txt
@@ -0,0 +1,3 @@
```release-note:improvement
(api-gateway) make API gateway controller less verbose
```
3 changes: 3 additions & 0 deletions .changelog/2525.txt
@@ -0,0 +1,3 @@
```release-note:improvement
helm: adds values for `securityContext` and `annotations` on TLS and ACL init/cleanup jobs.
```
3 changes: 3 additions & 0 deletions .changelog/2571.txt
@@ -0,0 +1,3 @@
```release-note:bug
control-plane: fix bug in endpoints controller when deregistering services from consul when a node is deleted.
```
3 changes: 3 additions & 0 deletions .changelog/2572.txt
@@ -0,0 +1,3 @@
```release-note:improvement
helm: set container securityContexts to match the `restricted` Pod Security Standards policy to support running Consul in a namespace with restricted PSA enforcement enabled
```
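Review bot: the 2572 entry says container securityContexts now match the `restricted` Pod Security Standards policy but does not name the fields that changed; operators who override `securityContext` in their own values will have to reconcile them on upgrade, so suggest listing the affected settings or the values.yaml keys in the note.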
3 changes: 3 additions & 0 deletions .changelog/2597.txt
@@ -0,0 +1,3 @@
```release-note:bug
api-gateway: fix helm install when setting copyAnnotations or nodeSelector
```
4 changes: 4 additions & 0 deletions .changelog/2642.txt
@@ -0,0 +1,4 @@
```release-note:security
Upgrade to use Go 1.20.6 and `x/net/http` 0.12.0.
This resolves [CVE-2023-29406](https://github.com/advisories/GHSA-f8f7-69v5-w4vx)(`net/http`).
```
3 changes: 3 additions & 0 deletions .changelog/2652.txt
@@ -0,0 +1,3 @@
```release-note:bug
helm: fix CONSUL_LOGIN_DATACENTER for consul client-daemonset.
```
3 changes: 3 additions & 0 deletions .changelog/2656.txt
@@ -0,0 +1,3 @@
```release-note:improvement
control-plane: increase timeout after login for ACL replication to 60 seconds
```
3 changes: 3 additions & 0 deletions .changelog/2687.txt
@@ -0,0 +1,3 @@
```release-note:bug
helm: fix ui ingress manifest formatting, and exclude `ingressClass` when not defined.
```
3 changes: 3 additions & 0 deletions .changelog/2707.txt
@@ -0,0 +1,3 @@
```release-note:feature
api-gateway: adds ability to map privileged ports on Gateway listeners to unprivileged ports so that containers do not require additional privileges
```
5 changes: 5 additions & 0 deletions .changelog/2710.txt
@@ -0,0 +1,5 @@
```release-note:security
Upgrade to use Go 1.20.7 and `x/net` 0.13.0.
This resolves [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409)(`crypto/tls`)
and [CVE-2023-3978](https://nvd.nist.gov/vuln/detail/CVE-2023-3978)(`net/html`).
```
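Review bot: .changelog/2642.txt (Go 1.20.6, `x/net/http` 0.12.0, CVE-2023-29406) and this 2710 entry (Go 1.20.7, `x/net` 0.13.0, CVE-2023-29409 and CVE-2023-3978) are both `release-note:security` fragments in the same backport; if they land in the same 1.2.x release the generated changelog will advertise two different Go versions, so consider merging them into one entry that states the final Go and `x/net` versions and lists all three CVEs. The dependency is also written `x/net/http` in 2642 and `x/net` here; 2102 calls it `golang.org/x/net`, so use one form.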
3 changes: 3 additions & 0 deletions .changelog/2711.txt
@@ -0,0 +1,3 @@
```release-note:feature
api-gateway: translate and validate TLS configuration options, including min/max version and cipher suites, setting Gateway status appropriately
```
3 changes: 3 additions & 0 deletions .changelog/2755.txt
@@ -0,0 +1,3 @@
```release-note:bug
control-plane: When using transparent proxy or CNI, reduced required permissions by setting privileged to false. Privileged must be true when using OpenShift without CNI.
```
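Review bot: the first sentence of the 2755 entry has no subject ("When using transparent proxy or CNI, reduced required permissions by setting privileged to false") and does not say which container's `privileged` flag changed; suggest naming it, e.g. "control-plane: set `privileged: false` on the <container> when transparent proxy or CNI is used; `privileged` must remain true on OpenShift without CNI", so operators auditing pod security know what to look for.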
3 changes: 3 additions & 0 deletions .changelog/2808.txt
@@ -0,0 +1,3 @@
```release-note:bug
control-plane: Fix issue where ACL tokens would have an empty pod name that prevented proper token cleanup.
```
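Review bot: this PR is titled as the backport of "Add readOnlyRootFilesystem to security context (#2771)", yet no `.changelog/2771.txt` appears among the changelog files added in this diff; if the change is user-visible in 1.2.x, add a release-note fragment for it so the generated changelog records the new securityContext default.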