Merge pull request #808 from Pix4D/merge-upstream-2025-02-24-part-2

merge upstream 2025 02 24 part 2

.github/renovate.json

@@ -22,6 +22,15 @@
     {
       "matchPackageNames": ["gopkg.in/yaml.v2"],
       "allowedVersions": "<3.0.0"
+    },
+    {
+      "matchPackageNames": ["github.com/containerd/containerd"],
+      "allowedVersions": "<2.0.0"
+    },
+    {
+      "matchPackageNames": ["/garden/"],
+      "matchManagers": ["gomod"],
+      "enabled": false
     }
   ],
   "ignoreDeps": ["elm", "client-go"],

atc/api/handler.go

@@ -33,8 +33,9 @@ import (
 	"github.com/tedsuo/rata"
 )
 
-//go:generate counterfeiter . Pool
+//go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate
 
+//counterfeiter:generate . Pool
 type Pool interface {
 	artifactserver.Pool
 	containerserver.Pool

atc/atccmd/cert_cache.go

@@ -14,7 +14,7 @@ type dbCache struct {
 	es               encryption.Strategy
 }
 
-func newDbCache(conn db.Conn) (autocert.Cache, error) {
+func newDbCache(conn db.DbConn) (autocert.Cache, error) {
 	c := new(dbCache)
 	c.es = conn.EncryptionStrategy()
 	var err error

atc/atccmd/command.go

@@ -88,14 +88,15 @@ import (
 	_ "github.com/concourse/concourse/atc/creds/secretsmanager"
 	_ "github.com/concourse/concourse/atc/creds/ssm"
 	_ "github.com/concourse/concourse/atc/creds/vault"
+
+	_ "github.com/jackc/pgx/v5/stdlib"
 )
 
 const algorithmLimitRows = 100
 
 var schedulerCache = gocache.New(10*time.Second, 10*time.Second)
 
-var defaultDriverName = "postgres"
-var retryingDriverName = "too-many-connections-retrying"
+var defaultDriverName = "pgx"
 
 var flyClientID = "fly"
 var flyClientSecret = "Zmx5"
@@ -179,11 +180,12 @@ type RunCommand struct {
 	} `group:"Policy Checking"`
 
 	Server struct {
-		XFrameOptions         string `long:"x-frame-options" default:"deny" description:"The value to set for the X-Frame-Options header."`
-		ContentSecurityPolicy string `long:"content-security-policy" default:"frame-ancestors 'none'" description:"The value to set for the Content-Security-Policy header."`
-		ClusterName           string `long:"cluster-name" description:"A name for this Concourse cluster, to be displayed on the dashboard page."`
-		ClientID              string `long:"client-id" default:"concourse-web" description:"Client ID to use for login flow"`
-		ClientSecret          string `long:"client-secret" required:"true" description:"Client secret to use for login flow"`
+		XFrameOptions           string `long:"x-frame-options" default:"deny" description:"The value to set for the X-Frame-Options header."`
+		ContentSecurityPolicy   string `long:"content-security-policy" default:"frame-ancestors 'none'" description:"The value to set for the Content-Security-Policy header."`
+		StrictTransportSecurity string `long:"strict-transport-security" description:"The value to set for the Strict-Transport-Security header."`
+		ClusterName             string `long:"cluster-name" description:"A name for this Concourse cluster, to be displayed on the dashboard page."`
+		ClientID                string `long:"client-id" default:"concourse-web" description:"Client ID to use for login flow"`
+		ClientSecret            string `long:"client-secret" required:"true" description:"Client secret to use for login flow"`
 	} `group:"Web Server"`
 
 	LogDBQueries   bool `long:"log-db-queries" description:"Log database queries."`
@@ -564,14 +566,6 @@ func (cmd *RunCommand) Runner(positionalArguments []string) (ifrit.Runner, error
 		return nil, err
 	}
 
-	//FIXME: These only need to run once for the entire binary. At the moment,
-	//they rely on state of the command.
-	db.SetupConnectionRetryingDriver(
-		"postgres",
-		cmd.Postgres.ConnectionString(),
-		retryingDriverName,
-	)
-
 	// Register the sink that collects error metrics
 	if cmd.Metrics.CaptureErrorMetrics {
 		errorSinkCollector := metric.NewErrorSinkCollector(
@@ -603,29 +597,29 @@ func (cmd *RunCommand) Runner(positionalArguments []string) (ifrit.Runner, error
 		return nil, err
 	}
 
-	lockConns, err := constructLockConns(retryingDriverName, cmd.Postgres.ConnectionString())
+	lockConns, err := constructLockConns(defaultDriverName, cmd.Postgres.ConnectionString())
 	if err != nil {
 		return nil, err
 	}
 
 	lockFactory := lock.NewLockFactory(lockConns, metric.LogLockAcquired, metric.LogLockReleased)
 
-	apiConn, err := cmd.constructDBConn(retryingDriverName, logger, cmd.APIMaxOpenConnections, cmd.APIMaxOpenConnections/2, "api", lockFactory)
+	apiConn, err := cmd.constructDBConn(defaultDriverName, logger, cmd.APIMaxOpenConnections, cmd.APIMaxOpenConnections/2, "api", lockFactory)
 	if err != nil {
 		return nil, err
 	}
 
-	backendConn, err := cmd.constructDBConn(retryingDriverName, logger, cmd.BackendMaxOpenConnections, cmd.BackendMaxOpenConnections/2, "backend", lockFactory)
+	backendConn, err := cmd.constructDBConn(defaultDriverName, logger, cmd.BackendMaxOpenConnections, cmd.BackendMaxOpenConnections/2, "backend", lockFactory)
 	if err != nil {
 		return nil, err
 	}
 
-	gcConn, err := cmd.constructDBConn(retryingDriverName, logger, 5, 2, "gc", lockFactory)
+	gcConn, err := cmd.constructDBConn(defaultDriverName, logger, 5, 2, "gc", lockFactory)
 	if err != nil {
 		return nil, err
 	}
 
-	workerConn, err := cmd.constructDBConn(retryingDriverName, logger, 1, 1, "worker", lockFactory)
+	workerConn, err := cmd.constructDBConn(defaultDriverName, logger, 1, 1, "worker", lockFactory)
 	if err != nil {
 		return nil, err
 	}
@@ -696,10 +690,10 @@ func (cmd *RunCommand) Runner(positionalArguments []string) (ifrit.Runner, error
 func (cmd *RunCommand) constructMembers(
 	logger lager.Logger,
 	reconfigurableSink *lager.ReconfigurableSink,
-	apiConn db.Conn,
-	workerConn db.Conn,
-	backendConn db.Conn,
-	gcConn db.Conn,
+	apiConn db.DbConn,
+	workerConn db.DbConn,
+	backendConn db.DbConn,
+	gcConn db.DbConn,
 	storage storage.Storage,
 	lockFactory lock.LockFactory,
 	secretManager creds.Secrets,
@@ -791,8 +785,8 @@ func (cmd *RunCommand) constructMembers(
 func (cmd *RunCommand) constructAPIMembers(
 	logger lager.Logger,
 	reconfigurableSink *lager.ReconfigurableSink,
-	dbConn db.Conn,
-	workerConn db.Conn,
+	dbConn db.DbConn,
+	workerConn db.DbConn,
 	storage storage.Storage,
 	lockFactory lock.LockFactory,
 	secretManager creds.Secrets,
@@ -1015,7 +1009,7 @@ func (cmd *RunCommand) constructAPIMembers(
 
 func (cmd *RunCommand) backendComponents(
 	logger lager.Logger,
-	dbConn db.Conn,
+	dbConn db.DbConn,
 	lockFactory lock.LockFactory,
 	secretManager creds.Secrets,
 	policyChecker policy.Checker,
@@ -1229,7 +1223,7 @@ func (cmd *RunCommand) streamer(cacheFactory db.ResourceCacheFactory) worker.Str
 	)
 }
 
-func (cmd *RunCommand) constructPool(dbConn db.Conn, lockFactory lock.LockFactory, workerCache *db.WorkerCache) (worker.Pool, error) {
+func (cmd *RunCommand) constructPool(dbConn db.DbConn, lockFactory lock.LockFactory, workerCache *db.WorkerCache) (worker.Pool, error) {
 	dbResourceCacheFactory := db.NewResourceCacheFactory(dbConn, lockFactory)
 	dbWorkerBaseResourceTypeFactory := db.NewWorkerBaseResourceTypeFactory(dbConn)
 	dbTaskCacheFactory := db.NewTaskCacheFactory(dbConn)
@@ -1269,7 +1263,7 @@ func (cmd *RunCommand) constructPool(dbConn db.Conn, lockFactory lock.LockFactor
 
 func (cmd *RunCommand) gcComponents(
 	logger lager.Logger,
-	gcConn db.Conn,
+	gcConn db.DbConn,
 	lockFactory lock.LockFactory,
 ) ([]RunnableComponent, error) {
 	dbWorkerLifecycle := db.NewWorkerLifecycle(gcConn)
@@ -1509,7 +1503,7 @@ func (tripper mitmRoundTripper) RoundTrip(req *http.Request) (*http.Response, er
 	return tripper.RoundTripper.RoundTrip(req)
 }
 
-func (cmd *RunCommand) tlsConfig(logger lager.Logger, dbConn db.Conn) (*tls.Config, error) {
+func (cmd *RunCommand) tlsConfig(logger lager.Logger, dbConn db.DbConn) (*tls.Config, error) {
 	tlsConfig := atc.DefaultTLSConfig()
 
 	if cmd.isTLSEnabled() {
@@ -1679,7 +1673,7 @@ func (cmd *RunCommand) constructDBConn(
 	idleConns int,
 	connectionName string,
 	lockFactory lock.LockFactory,
-) (db.Conn, error) {
+) (db.DbConn, error) {
 	dbConn, err := db.Open(logger.Session("db"), driverName, cmd.Postgres.ConnectionString(), cmd.newKey(), cmd.oldKey(), connectionName, lockFactory)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to database: %s", err)
@@ -1823,8 +1817,9 @@ func (cmd *RunCommand) constructHTTPHandler(
 		Logger: logger,
 
 		Handler: wrappa.SecurityHandler{
-			XFrameOptions:         cmd.Server.XFrameOptions,
-			ContentSecurityPolicy: cmd.Server.ContentSecurityPolicy,
+			XFrameOptions:           cmd.Server.XFrameOptions,
+			ContentSecurityPolicy:   cmd.Server.ContentSecurityPolicy,
+			StrictTransportSecurity: cmd.Server.StrictTransportSecurity,
 
 			// proxy Authorization header to/from auth cookie,
 			// to support auth from JS (EventSource) and custom JWT auth

atc/builds/tracker.go

@@ -14,14 +14,14 @@ import (
 
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate
 
-//go:generate counterfeiter . Engine
+//counterfeiter:generate . Engine
 type Engine interface {
 	NewBuild(db.Build) Runnable
 
 	Drain(context.Context)
 }
 
-//go:generate counterfeiter . Runnable
+//counterfeiter:generate . Runnable
 type Runnable interface {
 	Run(context.Context)
 }