Skip to content

Commit

Permalink
Merge branch 'main' of ssh://github.com/hashicorp/consul
Browse files Browse the repository at this point in the history
  • Loading branch information
absolutelightning committed Dec 1, 2023
2 parents 5b1cc3c + ac9261a commit a64a031
Show file tree
Hide file tree
Showing 180 changed files with 19,215 additions and 15,353 deletions.
3 changes: 3 additions & 0 deletions .changelog/19705.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:security
Update `github.com/golang-jwt/jwt/v4` to v4.5.0 to address [PRISMA-2022-0270](https://github.com/golang-jwt/jwt/issues/258).
```
3 changes: 3 additions & 0 deletions .changelog/19728.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:improvement
acl: add api-gateway templated policy
```
3 changes: 3 additions & 0 deletions .changelog/19735.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:improvement
acl: add templated policy descriptions
```
23 changes: 2 additions & 21 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -321,28 +321,8 @@ jobs:
docker.io/hashicorppreview/${{ env.repo }}:${{ env.minor_dev_tag }}-${{ github.sha }}
smoke_test: .github/scripts/verify_docker.sh v${{ env.version }}

build-docker-ubi-redhat:
name: Docker Build UBI Image for RedHat Registry
needs:
- set-product-version
- build
runs-on: ubuntu-latest
env:
repo: ${{github.event.repository.name}}
version: ${{needs.set-product-version.outputs.product-version}}

steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: hashicorp/actions-docker-build@v1
with:
version: ${{env.version}}
target: ubi
arch: amd64
redhat_tag: quay.io/redhat-isv-containers/60f9fdbec3a80eac643abedf:${{env.version}}-ubi
smoke_test: .github/scripts/verify_docker.sh v${{ env.version }}

build-docker-ubi-dockerhub:
name: Docker Build UBI Image for DockerHub
name: Docker Build UBI Images
needs:
- set-product-version
- build
Expand Down Expand Up @@ -377,6 +357,7 @@ jobs:
docker.io/hashicorppreview/${{ env.repo }}:${{ env.minor_dev_tag }}-ubi
docker.io/hashicorppreview/${{ env.repo }}:${{ env.minor_dev_tag }}-ubi-${{ github.sha }}
smoke_test: .github/scripts/verify_docker.sh v${{ env.version }}
redhat_tag: quay.io/redhat-isv-containers/60f9fdbec3a80eac643abedf:${{env.version}}-ubi

verify-linux:
needs:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/go-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,7 @@ jobs:
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: 'go.mod'
- run: go install github.com/hashicorp/lint-consul-retry@master && lint-consul-retry
- run: go install github.com/hashicorp/lint-consul-retry@v1.3.0 && lint-consul-retry

lint:
needs:
Expand Down
163 changes: 163 additions & 0 deletions .github/workflows/nightly-test-integ-peering_commontopo.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,163 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

name: Nightly test integrations - peering_common_topo

on:
schedule:
# Run nightly at 12AM UTC/8PM EST/5PM PST
- cron: '* 0 * * *'
workflow_dispatch: {}

env:
TEST_RESULTS_DIR: /tmp/test-results
CONSUL_LICENSE: ${{ secrets.CONSUL_LICENSE }}
GOTAGS: ${{ endsWith(github.repository, '-enterprise') && 'consulent' || '' }}
GOTESTSUM_VERSION: "1.10.1"
CONSUL_BINARY_UPLOAD_NAME: consul-bin
# strip the hashicorp/ off the front of github.repository for consul
CONSUL_LATEST_IMAGE_NAME: ${{ endsWith(github.repository, '-enterprise') && github.repository || 'hashicorp/consul' }}
GOPRIVATE: github.com/hashicorp # Required for enterprise deps

jobs:
setup:
runs-on: ubuntu-latest
name: Setup
outputs:
compute-small: ${{ steps.runners.outputs.compute-small }}
compute-medium: ${{ steps.runners.outputs.compute-medium }}
compute-large: ${{ steps.runners.outputs.compute-large }}
compute-xl: ${{ steps.runners.outputs.compute-xl }}
enterprise: ${{ steps.runners.outputs.enterprise }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ inputs.branch }}
- id: runners
run: .github/scripts/get_runner_classes.sh

tests:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl ) }}
needs:
- setup
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
strategy:
fail-fast: false
matrix:
test-case:
- TestSuitesOnSharedTopo
# these are not part of sharedTopoSuites
- TestAC5PreparedQueryFailover
- TestAC6Failovers
- TestNET5029Failovers
- TestRotateGW
- TestAC7_2RotateLeader
name: '${{matrix.test-case}}'

env:
ENVOY_VERSION: "1.24.6"
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: 'go.mod'
- run: go env
- name: Build
run: |
make dev
mv bin/consul consul
- name: restore mode+x
run: chmod +x consul
- name: Build consul:local image
run: docker build -t ${{ env.CONSUL_LATEST_IMAGE_NAME }}:local -f ./build-support/docker/Consul-Dev.dockerfile .
- name: Peering commonTopo Integration Tests
run: |
export NOLOGBUFFER=1
mkdir -p "${{ env.TEST_RESULTS_DIR }}"
cd ./test-integ/peering_commontopo
docker run --rm ${{ env.CONSUL_LATEST_IMAGE_NAME }}:local consul version
go run gotest.tools/gotestsum@v${{env.GOTESTSUM_VERSION}} \
--raw-command \
--format=standard-verbose \
--debug \
--packages="./..." \
-- \
go test \
-tags "${{ env.GOTAGS }}" \
-run '^${{ matrix.test-case }}$' \
-timeout=60m \
-parallel=1 \
-json . \
--target-image ${{ env.CONSUL_LATEST_IMAGE_NAME }} \
--target-version local \
--latest-image docker.mirror.hashicorp.services/${{ env.CONSUL_LATEST_IMAGE_NAME }} \
--latest-version latest
env:
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
# tput complains if this isn't set to something.
TERM: ansi

- name: Authenticate to Vault
if: ${{ endsWith(github.repository, '-enterprise') && !cancelled() }}
id: vault-auth
run: vault-auth

- name: Fetch Secrets
if: ${{ endsWith(github.repository, '-enterprise') && !cancelled() }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/${{ github.repository }}/datadog apikey | DATADOG_API_KEY;
- name: upload test results
if: ${{ !cancelled() }}
continue-on-error: true
env:
DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}"
DD_ENV: ci
run: |
# TODO: we should probably version this and check a shasum or something? or run a container?
which datadog-ci > /dev/null 2>&1 || {
curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
chmod +x /usr/local/bin/datadog-ci
}
datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml
success:
needs:
- setup
- tests
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
if: ${{ always() }}
steps:
- name: evaluate upstream job results
run: |
# exit 1 if failure or cancelled result for any upstream job
if printf '${{ toJSON(needs) }}' | grep -E -i '\"result\": \"(failure|cancelled)\"'; then
printf "Tests failed or workflow cancelled:\n\n${{ toJSON(needs) }}"
exit 1
fi
- name: Notify Slack
if: ${{ failure() }}
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{
"message": "One or more nightly peering_commontopo integration tests have failed. ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.CONSUL_NIGHTLY_INTEG_TEST_SLACK_WEBHOOK }}
94 changes: 0 additions & 94 deletions .github/workflows/nightly-test-integrations.yml
Original file line number Diff line number Diff line change
Expand Up @@ -307,99 +307,6 @@ jobs:
DD_ENV: ci
run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml


peering_commontopo-integration-test:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large ) }}
needs:
- setup
- dev-build
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
strategy:
fail-fast: false
env:
ENVOY_VERSION: "1.24.6"
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: 'go.mod'
- run: go env

# Get go binary from workspace
- name: fetch binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: .
- name: restore mode+x
run: chmod +x consul
- name: Build consul:local image
run: docker build -t ${{ env.CONSUL_LATEST_IMAGE_NAME }}:local -f ./build-support/docker/Consul-Dev.dockerfile .
- name: Peering commonTopo Integration Tests
run: |
mkdir -p "${{ env.TEST_RESULTS_DIR }}"
cd ./test-integ/peering_commontopo
docker run --rm ${{ env.CONSUL_LATEST_IMAGE_NAME }}:local consul version
go run gotest.tools/gotestsum@v${{env.GOTESTSUM_VERSION}} \
--raw-command \
--format=github-actions \
--packages="./..." \
-- \
go test \
-tags "${{ env.GOTAGS }}" \
-timeout=30m \
-json . \
--target-image ${{ env.CONSUL_LATEST_IMAGE_NAME }} \
--target-version local \
--latest-image docker.mirror.hashicorp.services/${{ env.CONSUL_LATEST_IMAGE_NAME }} \
--latest-version latest
ls -lrt
env:
# this is needed because of incompatibility between RYUK container and GHA
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
COMPOSE_INTERACTIVE_NO_CLI: 1
# tput complains if this isn't set to something.
TERM: ansi
# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ endsWith(github.repository, '-enterprise') }}
id: vault-auth
run: vault-auth

# NOTE: ENT specific step as we store secrets in Vault.
- name: Fetch Secrets
if: ${{ endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/${{ github.repository }}/datadog apikey | DATADOG_API_KEY;
- name: prepare datadog-ci
if: ${{ !endsWith(github.repository, '-enterprise') }}
run: |
curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
chmod +x /usr/local/bin/datadog-ci
- name: upload coverage
# do not run on forks
if: github.event.pull_request.head.repo.full_name == github.repository
env:
DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}"
DD_ENV: ci
run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml


upgrade-integration-test-deployer:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large ) }}
needs:
Expand Down Expand Up @@ -496,7 +403,6 @@ jobs:
- envoy-integration-test
- upgrade-integration-test
- upgrade-integration-test-deployer
- peering_commontopo-integration-test
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
if: ${{ always() }}
steps:
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/reusable-check-go-mod.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,8 @@ jobs:
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: 'go.mod'
- run: go mod tidy
# Run on all go.mod (include submodules).
- run: make go-mod-tidy
- run: |
if [[ -n $(git status -s) ]]; then
echo "Git directory has changes"
Expand Down
19 changes: 10 additions & 9 deletions LICENSE
Original file line number Diff line number Diff line change
@@ -1,32 +1,33 @@
License text copyright (c) 2020 MariaDB Corporation Ab, All Rights Reserved.
Business Source License is a trademark of MariaDB Corporation Ab.
"Business Source License" is a trademark of MariaDB Corporation Ab.

Parameters

Licensor: HashiCorp, Inc.
Licensed Work: Consul 1.17.0. The Licensed Work is (c) 2023 HashiCorp, Inc.
Licensed Work: Consul Version 1.17.0 or later. The Licensed Work is (c) 2023
HashiCorp, Inc.
Additional Use Grant: You may make production use of the Licensed Work, provided
Your use does not include offering the Licensed Work to third
parties on a hosted or embedded basis in order to compete with
HashiCorps paid version(s) of the Licensed Work. For purposes
HashiCorp's paid version(s) of the Licensed Work. For purposes
of this license:

A competitive offering is a Product that is offered to third
A "competitive offering" is a Product that is offered to third
parties on a paid basis, including through paid support
arrangements, that significantly overlaps with the capabilities
of HashiCorps paid version(s) of the Licensed Work. If Your
of HashiCorp's paid version(s) of the Licensed Work. If Your
Product is not a competitive offering when You first make it
generally available, it will not become a competitive offering
later due to HashiCorp releasing a new version of the Licensed
Work with additional capabilities. In addition, Products that
are not provided on a paid basis are not competitive.

Product means software that is offered to end users to manage
"Product" means software that is offered to end users to manage
in their own environments or offered as a service on a hosted
basis.

Embedded means including the source code or executable code
from the Licensed Work in a competitive offering. Embedded
"Embedded" means including the source code or executable code
from the Licensed Work in a competitive offering. "Embedded"
also means packaging the competitive offering in such a way
that the Licensed Work must be accessed or downloaded for the
competitive offering to operate.
Expand Down Expand Up @@ -85,7 +86,7 @@ Licensor or its affiliates (provided that you may use a trademark or logo of
Licensor as expressly required by this License).

TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
AN AS IS BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
TITLE.
Loading

0 comments on commit a64a031

Please sign in to comment.