backport of commit 418a32f

hashicorp · Sep 17, 2024 · 68b020d · 68b020d
1 parent 55db870
commit 68b020d
Show file tree

Hide file tree

Showing 27 changed files with 5,314 additions and 327 deletions.
diff --git a/.changelog/21750.txt b/.changelog/21750.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+security: upgrade ubi base image to 9.4
+```
diff --git a/.changelog/21806.txt b/.changelog/21806.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+grafana: added the dashboards service-to-service dashboard, service dashboard, and consul dataplane dashboard
+```
diff --git a/.github/scripts/check_skip_ci.sh b/.github/scripts/check_skip_ci.sh
diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml
@@ -22,7 +22,6 @@ permissions:
 env:
   TEST_RESULTS: /tmp/test-results
   GOPRIVATE: github.com/hashicorp # Required for enterprise deps
-  SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }}
 
 # concurrency
 concurrency:
@@ -31,17 +30,7 @@ concurrency:
 
 jobs:
   conditional-skip:
-    runs-on: ubuntu-latest 
-    name: Get files changed and conditionally skip CI
-    outputs:
-      skip-ci: ${{ steps.read-files.outputs.skip-ci }}
-    steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-        with:
-          fetch-depth: 0
-      - name: Get changed files
-        id: read-files
-        run: ./.github/scripts/check_skip_ci.sh
+    uses: ./.github/workflows/reusable-conditional-skip.yml
 
   setup:
     needs: [conditional-skip]

diff --git a/...lows/nightly-test-integrations-1.17.x.yml → ...lows/nightly-test-integrations-1.20.x.yml b/...lows/nightly-test-integrations-1.17.x.yml → ...lows/nightly-test-integrations-1.20.x.yml
@@ -1,7 +1,7 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-name: Nightly test-integrations 1.17.x
+name: Nightly test-integrations 1.20.x
 
 on:
   schedule:
@@ -19,19 +19,12 @@ env:
   # strip the hashicorp/ off the front of github.repository for consul
   CONSUL_LATEST_IMAGE_NAME: ${{ endsWith(github.repository, '-enterprise') && github.repository || 'hashicorp/consul' }}
   GOPRIVATE: github.com/hashicorp # Required for enterprise deps
-  BRANCH: "release/1.17.x"
-  BRANCH_NAME: "release-1.17.x"   # Used for naming artifacts
+  BRANCH: "release/1.20.x"
+  BRANCH_NAME: "release-1.20.x"   # Used for naming artifacts
 
 jobs:
-  check-ent:
-    runs-on: ubuntu-latest
-    if: ${{ endsWith(github.repository, '-enterprise') }}
-    steps:
-      - run: echo "Building Enterprise"
-
   setup:
     runs-on: ubuntu-latest
-    needs: [check-ent]
     name: Setup
     outputs:
       compute-small: ${{ steps.runners.outputs.compute-small }}
@@ -48,16 +41,14 @@ jobs:
         run: .github/scripts/get_runner_classes.sh
 
   get-go-version:
-    needs: [check-ent]
     uses: ./.github/workflows/reusable-get-go-version.yml
     with:
-      ref: release/1.17.x
+      ref: release/1.20.x
 
   get-envoy-versions:
-    needs: [check-ent]
     uses: ./.github/workflows/reusable-get-envoy-versions.yml
     with:
-      ref: release/1.17.x
+      ref: release/1.20.x
 
   dev-build:
     needs:
@@ -68,7 +59,7 @@ jobs:
       runs-on: ${{ needs.setup.outputs.compute-large }}
       repository-name: ${{ github.repository }}
       uploaded-binary-name: 'consul-bin'
-      branch-name: "release/1.17.x"
+      branch-name: "release/1.20.x"
       go-version: ${{ needs.get-go-version.outputs.go-version }}
     secrets:
       elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
@@ -223,20 +214,21 @@ jobs:
           DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}"
           DD_ENV: ci
         run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml
-
+  
   upgrade-integration-test:
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
     needs:
       - setup
       - get-go-version
+      - get-envoy-versions
       - dev-build
     permissions:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read
     strategy:
       fail-fast: false
       matrix:
-        consul-version: ["1.15", "1.16", "1.17"]
+        consul-version: ["1.15", "1.18", "1.19"]
     env:
       CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
       # ENVOY_VERSION should be the latest version supported by _all_ Consul versions in the
@@ -249,7 +241,7 @@ jobs:
       # matrix.consul-version (i.e. whenever the highest common Envoy version across active
       # Consul versions changes). The minor Envoy version does not necessarily need to be
       # kept current for the purpose of these tests, but the major (1.N) version should be.
-      ENVOY_VERSION: 1.27.6
+      ENVOY_VERSION: 1.28.7
     steps:
       - name: Checkout code
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
@@ -372,7 +364,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        consul-version: [ "1.15", "1.16", "1.17"]
+        consul-version: ["1.15", "1.18", "1.19"]
     env:
       CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
     steps:
@@ -460,7 +452,7 @@ jobs:
     - upgrade-integration-test
     - upgrade-integration-test-deployer
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
-    if: ${{ always() && endsWith(github.repository, '-enterprise') }}
+    if: ${{ always() }}
     steps:
       - name: evaluate upstream job results
         run: |

diff --git a/.github/workflows/reusable-conditional-skip.yml b/.github/workflows/reusable-conditional-skip.yml
@@ -0,0 +1,69 @@
+name: conditional-skip
+
+on:
+  workflow_call:
+    outputs:
+      skip-ci:
+        description: "Whether we should skip build and test jobs"
+        value: ${{ jobs.check-skip.outputs.skip-ci }}
+
+jobs:
+  check-skip:
+    runs-on: ubuntu-latest
+    name: Check whether to skip build and tests
+    outputs:
+      skip-ci: ${{ steps.maybe-skip-ci.outputs.skip-ci }}
+    steps:
+      # We only allow use of conditional skip in two scenarios:
+      #   1. PRs
+      #   2. Pushes (merges) to protected branches (`main`, `release/**`)
+      #
+      # The second scenario is the only place we can be sure that checking just the
+      # latest change on the branch is sufficient. In PRs, we need to check _all_ commits.
+      # The ability to do this is ultimately determined by the triggers of the calling
+      # workflow, since `base_ref` (the target branch of a PR) is only available in
+      # `pull_request` events, not `push`.
+      - name: Error if conditional check is not allowed
+        if: ${{ !github.base_ref && !github.ref_protected }}
+        run: |
+          echo "Conditional skip requires a PR event with 'base_ref' or 'push' to a protected branch."
+          echo "github.base_ref: ${{ github.base_ref }}"
+          echo "github.ref_protected: ${{ github.ref_protected }}"
+          echo "github.ref_name: ${{ github.ref_name }}"
+          echo "Check the triggers of the calling workflow to ensure that these requirements are met."
+          exit 1
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          fetch-depth: 0
+      - name: Check for skippable file changes
+        id: changed-files
+        uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45.0.1
+        with:
+          # This is a multi-line YAML string with one match pattern per line.
+          # Do not use quotes around values, as it's not supported.
+          # See https://github.com/tj-actions/changed-files/blob/main/README.md#inputs-%EF%B8%8F
+          # for usage, options, and more details on match syntax.
+          files: |
+            .github/workflows/reusable-conditional-skip.yml
+            **.md
+            docs/**
+            ui/**
+            website/**
+            grafana/**
+            .changelog/**
+      - name: Print changed files
+        env:
+          SKIPPABLE_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+          NON_SKIPPABLE_FILES: ${{ steps.changed-files.outputs.other_changed_files }}
+        run: |
+          echo "Skippable changed files:"
+          for file in ${SKIPPABLE_CHANGED_FILES}; do echo "  $file"; done
+          echo
+          echo "Non-skippable files:"
+          for file in ${NON_SKIPPABLE_FILES}; do echo "  $file"; done
+      - name: Skip tests and build if only skippable files changed
+        id: maybe-skip-ci
+        if: ${{ steps.changed-files.outputs.only_changed == 'true' }}
+        run: |
+          echo "Skipping tests and build because only skippable files changed"
+          echo "skip-ci=true" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -1,3 +1,5 @@
+# This job runs a non-blocking informational security scan on the repository.
+# For release-blocking security scans, see .release/security-scan.hcl.
 name: Security Scan
 
 on:
@@ -9,6 +11,8 @@ on:
     branches:
       - main
       - release/**
+    # paths-ignore only works for non-required checks.
+    # Jobs that are required for merge must use reusable-conditional-skip.yml.
     paths-ignore:
       - 'docs/**'
       - 'grafana/**'

diff --git a/.github/workflows/test-integrations.yml b/.github/workflows/test-integrations.yml
@@ -29,25 +29,14 @@ env:
   # strip the hashicorp/ off the front of github.repository for consul
   CONSUL_LATEST_IMAGE_NAME: ${{ endsWith(github.repository, '-enterprise') && github.repository || 'hashicorp/consul' }}
   GOPRIVATE: github.com/hashicorp # Required for enterprise deps
-  SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }}
 
 concurrency:
   group: "${{ github.workflow }}-${{ github.head_ref || github.ref }}"
   cancel-in-progress: true
 
 jobs:
   conditional-skip:
-    runs-on: ubuntu-latest
-    name: Get files changed and conditionally skip CI
-    outputs:
-      skip-ci: ${{ steps.read-files.outputs.skip-ci }}
-    steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-        with:
-          fetch-depth: 0
-      - name: Get changed files
-        id: read-files
-        run: ./.github/scripts/check_skip_ci.sh
+    uses: ./.github/workflows/reusable-conditional-skip.yml
 
   setup:
     needs: [conditional-skip]
@@ -423,7 +412,7 @@ jobs:
     env:
       ENVOY_VERSION: ${{ needs.get-envoy-versions.outputs.max-envoy-version }}
       #TODO don't harcode this image name
-      CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.6-dev-ubi"
+      CONSUL_DATAPLANE_IMAGE: "docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.6-dev-ubi"
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       # NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.

diff --git a/.release/versions.hcl b/.release/versions.hcl
@@ -6,6 +6,9 @@
 
 schema = 1
 active_versions {
+  version "1.20" {
+    ce_active = true
+  },
   version "1.19" {
     ce_active = true
   }

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,33 @@
+## 1.20.0-rc1 (September 19, 2024)
+
+SECURITY:
+
+* Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
+* Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
+* UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]
+* Upgrade Go to use 1.22.7. This addresses CVE 
+[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
+* Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
+[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and 
+[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
+* ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
+* ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
+* ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
+* ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]
+
+FEATURES:
+
+* server: remove v2 tenancy, catalog, and mesh experiments [[GH-21592](https://github.com/hashicorp/consul/issues/21592)]
+
+IMPROVEMENTS:
+
+* security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]
+* connect: Add Envoy 1.31 and 1.30 to support matrix [[GH-21616](https://github.com/hashicorp/consul/issues/21616)]
+
+BUG FIXES:
+
+* jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]
+
 ## 1.19.2 (August 26, 2024)
 
 SECURITY:

diff --git a/Dockerfile b/Dockerfile
@@ -203,7 +203,7 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"]
 
 # Red Hat UBI-based image
 # This target is used to build a Consul image for use on OpenShift.
-FROM registry.access.redhat.com/ubi9-minimal:9.3 as ubi
+FROM registry.access.redhat.com/ubi9-minimal:9.4 as ubi
 
 ARG PRODUCT_VERSION
 ARG PRODUCT_REVISION