Backport of Dockerfile: bump up to ubi-minimal:9.3 into release/1.15.x
#20024
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Prior to the introduction of this configuration, grpc keepalive messages were sent after 2 hours of inactivity on the stream. This posed issues in various scenarios where the server-side xds connection balancing was unaware that envoy instances were uncleanly killed / force-closed, since the connections would only be cleaned up after ~5 minutes of TCP timeouts occurred. Setting this config to a 30 second interval with a 20 second timeout ensures that at most, it should take up to 50 seconds for a dead xds connection to be closed.
* bump raft-wal version to 0.4.1 * changelog * go mod tidy integration tests * go mod tidy test-integ
…ller for xds controller and xdsv2 (#19167) * NET-5397 - wire up golden tests from sidecar-proxy controller for xds controller and xdsv2 * WIP * WIP * everything matching except leafCerts. need to mock those * single port destinations working except mixed destinations * golden test input to xds controller tests for destinations * proposed fix for failover group naming errors * clean up test to use helper. * clean up test to use helper. * fix test file * add docstring for test function. * add docstring for test function. * fix linting error * fixing test after route fix merged into main
* gvk partial inference
…r - sources (#19241) * NET-5397 - wire up golden tests from sidecar-proxy controller for xds controller and xdsv2 * WIP * WIP * everything matching except leafCerts. need to mock those * single port destinations working except mixed destinations * golden test input to xds controller tests for destinations * proposed fix for failover group naming errors * clean up test to use helper. * clean up test to use helper. * fix test file * add docstring for test function. * add docstring for test function. * fix linting error * fixing test after route fix merged into main * first source test works * WIP * modify all source files * source tests pass * fixing tests after bug fix in main
…tinations (#19244) * NET-5397 - wire up golden tests from sidecar-proxy controller for xds controller and xdsv2 * WIP * WIP * everything matching except leafCerts. need to mock those * single port destinations working except mixed destinations * golden test input to xds controller tests for destinations * proposed fix for failover group naming errors * clean up test to use helper. * clean up test to use helper. * fix test file * add docstring for test function. * add docstring for test function. * fix linting error * fixing test after route fix merged into main * first source test works * WIP * modify all source files * source tests pass * fixing tests after bug fix in main * got first destination working. * adding destinations * fix docstring for test * fixing tests after bug fix in main
…rces (#19250) * NET-5397 - wire up golden tests from sidecar-proxy controller for xds controller and xdsv2 * WIP * WIP * everything matching except leafCerts. need to mock those * single port destinations working except mixed destinations * golden test input to xds controller tests for destinations * proposed fix for failover group naming errors * clean up test to use helper. * clean up test to use helper. * fix test file * add docstring for test function. * add docstring for test function. * fix linting error * fixing test after route fix merged into main * first source test works * WIP * modify all source files * source tests pass * fixing tests after bug fix in main * got first destination working. * adding destinations * fix docstring for test * fixing tests after bug fix in main * adding source proxies * fixing tests after bug fix in main * got first destination working. * adding destinations * fix docstring for test * fixing tests after bug fix in main * got first destination working. * adding destinations * fix docstring for test * fixing tests after bug fix in main
* Use strict DNS for mesh gateways with hostnames * Add changelog
…gRPC (#19343) * xds: Ensure v2 route match is populated for gRPC Similar to HTTP, ensure that route match config (which is required by Envoy) is populated when default values are used. Because the default matches generated for gRPC contain a single empty `GRPCRouteMatch`, and that proto does not directly support prefix-based config, an interpretation of the empty struct is needed to generate the same output that the `HTTPRouteMatch` is explicitly configured to provide in internal/mesh/internal/controllers/routes/generate.go. * xds: Ensure protocol set for gRPC resources Add explicit protocol in `ProxyStateTemplate` builders and validate it is always set on clusters. This ensures that HTTP filters and `http2_protocol_options` are populated in all the necessary places for gRPC traffic and prevents future unintended omissions of non-TCP protocols. Co-authored-by: John Murret <john.murret@hashicorp.com> --------- Co-authored-by: John Murret <john.murret@hashicorp.com>
* Add clarification for route match behavior * Update website/content/docs/connect/config-entries/service-defaults.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --------- Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
…ble service name) (#19377) * Update v1_17_x.mdx * Update v1_17_x.mdx
* test: add missing tests for read resource namespace * refactor: remove redundant test * refactor: rename import aliases * fix: typo var name * refctor: remove another redundant test
* init * computed exported service * make proto * exported services resource * exported services test * added some tests and namespace exported service * partition exported services * computed service * computed services tests * register types * fix comment * make proto lint * fix proto format make proto * make codegen * Update proto-public/pbmulticluster/v1alpha1/computed_exported_services.proto Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com> * Update internal/multicluster/internal/types/computed_exported_services.go Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com> * using different way of resource creation in tests * make proto * fix computed exported services test * fix tests * differnet validation for computed services for ent and ce * Acls for exported services * added validations for enterprise features in ce * fix error * fix acls test * Update internal/multicluster/internal/types/validation_exported_services_ee.go Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com> * removed the create method * update proto * removed namespace * created seperate function for ce and ent * test files updated and validations fixed * added nil checks * fix tests * added comments * removed tenancy check * added mutation function * fix mutation method * fix list permissions in test * fix pr comments * fix tests * lisence * busl license * Update internal/multicluster/internal/types/helpers_ce.go Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com> * Update internal/multicluster/internal/types/helpers_ce.go Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com> * Update internal/multicluster/internal/types/helpers_ce.go Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com> * make proto * some pr comments addressed * some pr comments addressed * acls helper * some comment changes * removed unused files * fixes * fix function in file * caps * some positioing * added test for validation error * fix names * made valid a function * remvoed patch * removed mutations * v2 beta1 * v2beta1 * rmeoved v1alpha1 * validate error * merge ent * some nits * removed dup func * removed nil check --------- Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>
Add some generic type hook wrappers to first decode the data There seems to be a pattern for Validation, Mutation and Write Authorization hooks where they first need to decode the Any data before doing the domain specific work. This PR introduces 3 new functions to generate wrappers around the other hooks to pre-decode the data into a DecodedResource and pass that in instead of the original pbresource.Resource. This PR also updates the various catalog data types to use the new hook generators.
…3-44487) (#19414) Bump google.golang.org/grpc to 1.56.3 This resolves [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487). Co-authored-by: Chris Thain <chris.m.thain@gmail.com>
* integ test: snapshot mesh frozen bug test
* Update compatibility.mdx
…ata (#19929) Updating peering docs to include stream status and remote data
* Update telemetry.mdx RPC Metrics Update Server Workload telemetry section to demonstrate explicitly enabling metric emission as they're [default disabled](https://github.com/hashicorp/consul/blob/f5bf256425e33c0da805eda6a2fc5ea05100d491/agent/config/builder.go#L2763C1-L2763C1). * Update telemetry.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Update telemetry.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --------- Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
…and access_log_path (#19940) * updating usage of http2_protocol_options and access_log_path * add changelog * update template for AdminAccessLogConfig * remove mucking with AdminAccessLogConfig
… envoy` command in favor of: `-admin-access-log-config`. (#19943) * cli: Deprecate the `-admin-access-log-path` flag from `consul connect envoy` command in favor of: `-admin-access-log-config`. * fix changelog * add in documentation change.
Due to the unintuitive behavior of GHA w.r.t. implicit status check `success()`, test results were only being uploaded on success (failures presumably came from retried tests that passed).
This commit fixes an issue where the partition was not properly set on the peering query failover target created from sameness-groups. Before this change, it was always empty, meaning that the data would be queried with respect to the default partition always. This resulted in a situation where a PQ that was attempting to use a sameness-group for failover would select peers from the default partition, rather than the partition of the sameness-group itself.
Update install-cli.mdx
…19902) * NET-6663 Modify sidecarproxy controller to skip xGateway resources * Check workload metadata after nil-check for workload * Add test asserting that workloads with meta gateway-kind are ignored * Use more common pattern for map access to increase readability
* Update docs for NET-6603 * json format * json caps * Update website/content/docs/k8s/k8s-cli.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --------- Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Update website/content/docs/k8s/k8s-cli.mdx Co-authored-by: David Yu <dyu@hashicorp.com> * Update website/content/docs/k8s/k8s-cli.mdx Co-authored-by: David Yu <dyu@hashicorp.com> * fix doc * Update website/content/docs/k8s/k8s-cli.mdx Co-authored-by: David Yu <dyu@hashicorp.com> --------- Co-authored-by: David Yu <dyu@hashicorp.com>
* client in tls mode
…lues in service router and service resolver (#19992) * add coverage for testing these timeouts
hc-github-team-consul-core
force-pushed
the
backport/dyu/ubi/carefully-funky-bonefish
branch
from
3344f84 to
ac8c778
Compare
github-team-consul-core-pr-approver
approved these changes
Dec 21, 2023
|
🤔 This PR has changes in the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This PR is auto-generated from #20014 to be assessed for backporting due to the inclusion of the label backport/1.15.
🚨
The person who merged in the original PR is:
@david-yu
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.
The below text is copied from the body of the original PR.
Description
ubi-minimal:9.3to remediate vulnerabilities. The currentubi-minimal:9.2image is not actively maintained and CVEs fixes are not backported.Testing & Reproduction steps
Links
PR Checklist
Overview of commits