merge main into f-gh-13120 with ACL token expiry work.

hashicorp · Aug 1, 2022 · 3d9e50d · 3d9e50d
1 parent add4ea9
commit 3d9e50d
Show file tree

Hide file tree

Showing 398 changed files with 22,966 additions and 2,230 deletions.
diff --git a/.changelog/13421.txt b/.changelog/13421.txt
@@ -0,0 +1,7 @@
+```release-note:improvement
+core: automatically mark clients with recurring plan rejections as ineligible
+```
+
+```release-note:improvement
+metrics: emit `nomad.nomad.plan.rejection_tracker.node_score` metric for the number of times a node had a plan rejection within the past time window
+```
diff --git a/.changelog/13530.txt b/.changelog/13530.txt
@@ -0,0 +1,7 @@
+```release-note:bug
+api: Fix listing evaluations with the wildcard namespace and an ACL token
+```
+
+```release-note:bug
+ui: Fix a bug that prevented viewing the details of an evaluation in a non-default namespace
+```
diff --git a/.changelog/13621.txt b/.changelog/13621.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+api: HTTP server now returns a 429 error code when hitting the connection limit
+```
diff --git a/.changelog/13651.txt b/.changelog/13651.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fixed a bug where reserved ports on multiple node networks would be treated as a collision. `client.reserved.reserved_ports` is now merged into each `host_network`'s reserved ports instead of being treated as a collision.
+```
diff --git a/.changelog/13658.txt b/.changelog/13658.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+cli: `operator snapshot state` supports `-filter` expressions and avoids writing large temporary files
+```
diff --git a/.changelog/13659.txt b/.changelog/13659.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Allow running jobs from a namespace-limited token
+```
diff --git a/.changelog/13679.txt b/.changelog/13679.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Namespace filter query paramters are now isolated by route
+```
diff --git a/.changelog/13715.txt b/.changelog/13715.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+client: Add built-in support for checks on nomad services
+```
diff --git a/.changelog/13737.txt b/.changelog/13737.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+acl: Fixed a bug where the timestamp for expiring one-time tokens was not deterministic between servers
+```
diff --git a/.changelog/13786.txt b/.changelog/13786.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+metrics: Fixed a bug where blocked evals with no class produced no dc:class scope metrics
+```
diff --git a/.changelog/13865.txt b/.changelog/13865.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Add missing breadcrumb in the Evaluations page.
+```
diff --git a/.changelog/13866.txt b/.changelog/13866.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Reorder and apply the same style to the Evaluations list page filters to match the Job list page.
+```
diff --git a/.changelog/13869.txt b/.changelog/13869.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+servicedisco: Fixed a bug where non-unique services would escape job validation
+```
diff --git a/.changelog/13880.txt b/.changelog/13880.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+namespaces: Fixed a bug that allowed deleting a namespace that contained a CSI volume
+```
diff --git a/.changelog/13894.txt b/.changelog/13894.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+deps: remove unused darwin C library
+```
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -3,7 +3,10 @@ updates:
   - package-ecosystem: gomod
     directory: "/"
     schedule:
-      interval: daily
+      # Start the week with fresh deps
+      interval: "weekly"
+      day: "sunday"
+      time: "09:00"
     labels:
       - "theme/dependencies"
   - package-ecosystem: gomod

diff --git a/.release/ci.hcl b/.release/ci.hcl
@@ -2,12 +2,15 @@ schema = "1"
 
 project "nomad" {
   team = "nomad"
+
   slack {
     notification_channel = "C03B5EWFW01"
   }
+
   github {
     organization = "hashicorp"
     repository   = "nomad"
+
     release_branches = [
       "main",
       "release/1.0.x",
@@ -19,12 +22,12 @@ project "nomad" {
 }
 
 event "merge" {
-  // "entrypoint" to use if build is not run automatically
-  // i.e. send "merge" complete signal to orchestrator to trigger build
+  // "entrypoint" to use if build is not run automatically  // i.e. send "merge" complete signal to orchestrator to trigger build
 }
 
 event "build" {
   depends = ["merge"]
+
   action "build" {
     organization = "hashicorp"
     repository   = "nomad"
@@ -34,6 +37,7 @@ event "build" {
 
 event "upload-dev" {
   depends = ["build"]
+
   action "upload-dev" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"
@@ -47,6 +51,7 @@ event "upload-dev" {
 
 event "security-scan-binaries" {
   depends = ["upload-dev"]
+
   action "security-scan-binaries" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"
@@ -61,6 +66,7 @@ event "security-scan-binaries" {
 
 event "notarize-darwin-amd64" {
   depends = ["security-scan-binaries"]
+
   action "notarize-darwin-amd64" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"
@@ -74,6 +80,7 @@ event "notarize-darwin-amd64" {
 
 event "notarize-darwin-arm64" {
   depends = ["notarize-darwin-amd64"]
+
   action "notarize-darwin-arm64" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"
@@ -87,6 +94,7 @@ event "notarize-darwin-arm64" {
 
 event "notarize-windows-386" {
   depends = ["notarize-darwin-arm64"]
+
   action "notarize-windows-386" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"
@@ -100,6 +108,7 @@ event "notarize-windows-386" {
 
 event "notarize-windows-amd64" {
   depends = ["notarize-windows-386"]
+
   action "notarize-windows-amd64" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"
@@ -113,6 +122,7 @@ event "notarize-windows-amd64" {
 
 event "sign" {
   depends = ["notarize-windows-amd64"]
+
   action "sign" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"
@@ -126,6 +136,7 @@ event "sign" {
 
 event "sign-linux-rpms" {
   depends = ["sign"]
+
   action "sign-linux-rpms" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"
@@ -139,6 +150,7 @@ event "sign-linux-rpms" {
 
 event "verify" {
   depends = ["sign-linux-rpms"]
+
   action "verify" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"
@@ -150,16 +162,26 @@ event "verify" {
   }
 }
 
+event "fossa-scan" {
+  depends = ["verify"]
+
+  action "fossa-scan" {
+    organization = "hashicorp"
+    repository   = "crt-workflows-common"
+    workflow     = "fossa-scan"
+  }
+}
+
 ## These are promotion and post-publish events
 ## they should be added to the end of the file after the verify event stanza.
 
 event "trigger-staging" {
-  // This event is dispatched by the bob trigger-promotion command
-  // and is required - do not delete.
+  // This event is dispatched by the bob trigger-promotion command  // and is required - do not delete.
 }
 
 event "promote-staging" {
   depends = ["trigger-staging"]
+
   action "promote-staging" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"
@@ -173,12 +195,12 @@ event "promote-staging" {
 }
 
 event "trigger-production" {
-  // This event is dispatched by the bob trigger-promotion command
-  // and is required - do not delete.
+  // This event is dispatched by the bob trigger-promotion command  // and is required - do not delete.
 }
 
 event "promote-production" {
   depends = ["trigger-production"]
+
   action "promote-production" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"
@@ -192,6 +214,7 @@ event "promote-production" {
 
 event "promote-production-packaging" {
   depends = ["promote-production"]
+
   action "promote-production-packaging" {
     organization = "hashicorp"
     repository   = "crt-workflows-common"

diff --git a/.release/linux/postrm b/.release/linux/postrm
@@ -4,4 +4,9 @@ if [ "$1" = "purge" ]; then
   userdel nomad
 fi
 
+if [ "$1" == "upgrade" ] && [ -d /run/systemd/system ]; then
+  systemctl --system daemon-reload >/dev/null || true
+  systemctl restart nomad >/dev/null || true
+fi
+
 exit 0
diff --git a/.semgrep/fsm_time.yml b/.semgrep/fsm_time.yml
@@ -0,0 +1,26 @@
+rules:
+  - id: "no-time-in-fsm"
+    patterns:
+      - pattern: time.Now()
+
+      # Metric state is local to the server and therefore must use time.
+      - pattern-not-inside: |
+          defer metrics.MeasureSince(...)
+
+      # The timetable's whole point is to roughly track timestamps for Raft log
+      # indexes, so it must use time.
+      - pattern-not-inside: |
+          $N.timetable.Witness(...)
+    message: |
+      time.Now() should not be called from within the Server's FSM. Apply Raft
+      log messages to the State Store must be deterministic so that each server
+      contains exactly the same state. Since time drifts between nodes, it must
+      be set before the Raft log message is applied so that all Raft members
+      see the same timestamp.
+    languages:
+      - "go"
+    severity: "WARNING"
+    paths:
+      include:
+        - "nomad/fsm.*"
+        - "nomad/state/state_store.*"
diff --git a/.semgrep/rpc_endpoint.yml b/.semgrep/rpc_endpoint.yml
@@ -36,6 +36,15 @@ rules:
           if done, err := $A.$B.forward($METHOD, ...); done {
             return err
           }
+      # Pattern used by endpoints that support both normal ACLs and
+      # workload identity
+      - pattern-not-inside: |
+          if done, err := $A.$B.forward($METHOD, ...); done {
+            return err
+          }
+          ...
+          ... := $T.handleMixedAuthEndpoint(...)
+          ...
       # Pattern used by some Node endpoints.
       - pattern-not-inside: |
           if done, err := $A.$B.forward($METHOD, ...); done {