After 1.6.2 release PR #4454

Closed
22 commits
0def2f7
Backport of Init 1.6 weekly tests into release/1.6.x (#4337)
hc-github-team-consul-core Sep 19, 2024
d3add34
Backport of add exception to pr.yaml into release/1.6.x (#4355)
hc-github-team-consul-core Sep 20, 2024
f4dcfde
Backport of Fixes tolerations not working into release/1.6.x (#4361)
hc-github-team-consul-core Sep 24, 2024
bcc2fa7
Prepare release 1.6.0 rc1 (#4356)
sarahalsmiller Sep 24, 2024
1d107b4
Backport of [NET-11150] ci: fix conditional skip and add safeguard in…
hc-github-team-consul-core Sep 26, 2024
fbe0ae4
Backport of [NET-10985] Fix bug where imagePullSecrets were not set u…
hc-github-team-consul-core Sep 27, 2024
541c6d6
[NET-11222] rollback command (#4377)
jm96441n Oct 2, 2024
d1fe441
Prepare branch for future patch release (#4389)
nathancoleman Oct 16, 2024
36ea32e
Backport of Update changelog to include 1.6.0 into release/1.6.x (#4393)
hc-github-team-consul-core Oct 17, 2024
b79adc9
Backport of [NET-11043] crd: support request normalization and header…
hc-github-team-consul-core Oct 17, 2024
5009272
Test fix for [NET-11043] crd: support request normalization and heade…
hc-github-team-consul-core Oct 18, 2024
bb142fd
Backport of [NET-11297] Purge on disable into release/1.6.x (#4404)
hc-github-team-consul-core Oct 22, 2024
580c2c7
post 1.6.1 - update versions (#4413)
jmurret Nov 4, 2024
bdae721
update changelog (#4420)
jm96441n Nov 5, 2024
7839624
Backport of Refactor `proxy list` command, ensuring api-gateway Pods …
hc-github-team-consul-core Nov 19, 2024
a687d09
Backport of Fix duplicate key in connect-inject ACL policy into relea…
hc-github-team-consul-core Nov 28, 2024
7314e75
Backport of [NET-11256] Add `gateway read` command to consul-k8s CLI …
hc-github-team-consul-core Dec 1, 2024
78ba2c3
Backport of [NET-11256] Add `gateway list` command to consul-k8s CLI …
hc-github-team-consul-core Dec 1, 2024
3418e79
updating api, envoyextensions & troubleshoot submodules to latest ver…
nitin-sachdev-29 Dec 26, 2024
344554c
Updated consul/api, envoyextensions & troubleshoot submodules (#4451)
nitin-sachdev-29 Jan 7, 2025
05989a9
Fixed x/net dependency vulnerability fix in submodules CNI, acceptanc…
nitin-sachdev-29 Jan 8, 2025
89d4f70
suppressing vulnerability GO-2022-0635 for release (#4453)
nitin-sachdev-29 Jan 8, 2025
3 changes: 0 additions & 3 deletions .changelog/4255.txt

This file was deleted.

3 changes: 3 additions & 0 deletions .changelog/4315.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
helm: fix issue where the API Gateway GatewayClassConfig tolerations can not be parsed by the Helm chart.
```
5 changes: 5 additions & 0 deletions .changelog/4316.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
```release-note:bug
api-gateway: `global.imagePullSecrets` are now configured on the `ServiceAccount` for `Gateways`.

Note: the referenced image pull Secret(s) must be present in the same namespace the `Gateway` is deployed to.
```
3 changes: 3 additions & 0 deletions .changelog/4333.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:improvement
helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set.
```
3 changes: 3 additions & 0 deletions .changelog/4378.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:enhancement
catalog-sync: Added field to helm chart to purge all services registered with catalog-sync from consul on disabling of catalog-sync.
```
6 changes: 6 additions & 0 deletions .changelog/4385.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
```release-note:security
crd: Add `http.incoming.requestNormalization` to the Mesh CRD to support configuring service traffic request normalization.
```
```release-note:security
crd: Add `contains` and `ignoreCase` to the Intentions CRD to support configuring L7 Header intentions resilient to variable casing and multiple header values.
```
3 changes: 3 additions & 0 deletions .changelog/4426.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
cli: fix issue where the `consul-k8s proxy list` command does not include API gateways.
```
3 changes: 3 additions & 0 deletions .changelog/4432.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:enhancement
cli: Introduce `gateway read` for collecting multiple components of a gateway's configuration by running a single command.
```
3 changes: 3 additions & 0 deletions .changelog/4433.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:enhancement
cli: Introduce `gateway list` for collecting multiple components of all gateways' configuration by running a single command.
```
3 changes: 3 additions & 0 deletions .changelog/4434.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
connect-inject: fix issue where the ACL policy for the connect-injector included the `acl = "write"` rule twice when namespaces were not enabled.
```
65 changes: 0 additions & 65 deletions .github/scripts/check_skip_ci.sh

This file was deleted.

1 change: 1 addition & 0 deletions .github/workflows/pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ jobs:
- check-name: acceptance-cni
- check-name: acceptance-tproxy
- check-name: Unit test helm templates
- check-name: Unit test helm gen
- check-name: Unit test enterprise control plane
- check-name: Unit test control plane
- check-name: Unit test cli
Expand Down
57 changes: 51 additions & 6 deletions .github/workflows/reusable-conditional-skip.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,58 @@ jobs:
runs-on: ubuntu-latest
name: Check whether to skip build and tests
outputs:
skip-ci: ${{ steps.check-changed-files.outputs.skip-ci }}
env:
SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }}
skip-ci: ${{ steps.maybe-skip-ci.outputs.skip-ci }}
steps:
# We only allow use of conditional skip in two scenarios:
# 1. PRs
# 2. Pushes (merges) to protected branches (`main`, `release/**`)
#
# The second scenario is the only place we can be sure that checking just the
# latest change on the branch is sufficient. In PRs, we need to check _all_ commits.
# The ability to do this is ultimately determined by the triggers of the calling
# workflow, since `base_ref` (the target branch of a PR) is only available in
# `pull_request` events, not `push`.
- name: Error if conditional check is not allowed
if: ${{ !github.base_ref && !github.ref_protected }}
run: |
echo "Conditional skip requires a PR event with 'base_ref' or 'push' to a protected branch."
echo "github.base_ref: ${{ github.base_ref }}"
echo "github.ref_protected: ${{ github.ref_protected }}"
echo "github.ref_name: ${{ github.ref_name }}"
echo "Check the triggers of the calling workflow to ensure that these requirements are met."
exit 1
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
- name: Check changed files
id: check-changed-files
run: ./.github/scripts/check_skip_ci.sh
- name: Check for skippable file changes
id: changed-files
uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45.0.1
with:
# This is a multi-line YAML string with one match pattern per line.
# Do not use quotes around values, as it's not supported.
# See https://github.com/tj-actions/changed-files/blob/main/README.md#inputs-%EF%B8%8F
# for usage, options, and more details on match syntax.
files: |
.github/workflows/reusable-conditional-skip.yml
LICENSE
.copywrite.hcl
.gitignore
**.md
assets/**
.changelog/**
- name: Print changed files
env:
SKIPPABLE_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
NON_SKIPPABLE_FILES: ${{ steps.changed-files.outputs.other_changed_files }}
run: |
echo "Skippable changed files:"
for file in ${SKIPPABLE_CHANGED_FILES}; do echo " $file"; done
echo
echo "Non-skippable files:"
for file in ${NON_SKIPPABLE_FILES}; do echo " $file"; done
- name: Skip tests and build if only skippable files changed
id: maybe-skip-ci
if: ${{ steps.changed-files.outputs.only_changed == 'true' }}
run: |
echo "Skipping tests and build because only skippable files changed"
echo "skip-ci=true" >> $GITHUB_OUTPUT
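Review bot: The `files:` list in the `changed-files` step includes `.github/workflows/reusable-conditional-skip.yml` itself, so a PR that edits only the skip logic (for example, widening the patterns) ends with `skip-ci=true` and the build and test jobs do not run against that change. Consider removing the workflow from its own skippable list, or keep it only if another check exercises it. Two smaller points in the last step: `skip-ci` is written only when `only_changed == 'true'`, so every caller has to treat an empty output as "do not skip", and `>> $GITHUB_OUTPUT` should be quoted as `>> "$GITHUB_OUTPUT"`.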
4 changes: 4 additions & 0 deletions .github/workflows/security-scan.yml
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
# This job runs a non-blocking informational security scan on the repository.
# For release-blocking security scans, see .release/security-scan.hcl.
name: Security Scan

on:
Expand All @@ -9,6 +11,8 @@ on:
branches:
- main
- release/**
# paths-ignore only works for non-required checks.
# Jobs that are required for merge must use reusable-conditional-skip.yml.
paths-ignore:
- 'assets/**'
- '.changelog/**'
Expand Down
28 changes: 28 additions & 0 deletions .github/workflows/weekly-acceptance-1-6-x.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
# Dispatch to the consul-k8s-workflows with a weekly cron
#
# A separate file is needed for each release because the cron schedules are different for each release.
name: weekly-acceptance-1-6-x
on:
schedule:
# * is a special character in YAML so you have to quote this string
# Run weekly on Friday at 3AM UTC/11PM EST/8PM PST
- cron: '0 3 * * 6'

# these should be the only settings that you will ever need to change
env:
BRANCH: "release/1.6.x"
CONTEXT: "weekly"

jobs:
cloud:
name: cloud
runs-on: ubuntu-latest
steps:
- uses: benc-uk/workflow-dispatch@25b02cc069be46d637e8fe2f1e8484008e9e9609 # v1.2.3
name: cloud
with:
workflow: cloud.yml
repo: hashicorp/consul-k8s-workflows
ref: main
token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
inputs: '{ "context":"${{ env.CONTEXT }}", "repository":"${{ github.repository }}", "branch":"${{ env.BRANCH }}", "sha":"${{ github.sha }}", "token":"${{ secrets.ELEVATED_GITHUB_TOKEN }}" }'
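Review bot: `secrets.ELEVATED_GITHUB_TOKEN` is passed twice in the `workflow-dispatch` step, once as `token:` and again as the `"token"` field inside the `inputs` JSON. In the second form it becomes an ordinary string input of the dispatched `cloud.yml` run rather than a secret of that run. Prefer having `hashicorp/consul-k8s-workflows` read the credential from its own secrets and drop it from `inputs`. Separately, the schedule comment says "Friday at 3AM UTC" but `'0 3 * * 6'` fires on day 6 (Saturday) at 03:00 UTC, which is Friday evening only in the US time zones listed; reword the comment so the UTC day is stated correctly.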
3 changes: 2 additions & 1 deletion .release/security-scan.hcl
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,8 @@ binary {
"GHSA-r53h-jv2g-vpx6",
"CVE-2024-26147", # alias
"GHSA-jw44-4f3j-q396", # Tracked in NET-8174
"CVE-2019-25210" # alias
"CVE-2019-25210", # alias
"GO-2022-0635"
]
}
}
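Review bot: `"GO-2022-0635"` is added to the suppression list without any comment, while the neighbouring entries carry `# alias` or `# Tracked in NET-8174`. Add a trailing comment naming the tracking ticket and the reason the finding is acceptable for this release, so the suppression can be audited and removed later instead of staying in the release-blocking scan config indefinitely.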
Expand Down
78 changes: 78 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,81 @@
## 1.6.2 (January 7, 2025)

IMPROVEMENTS:

* cli: Introduce `gateway list` for collecting multiple components of all gateways' configuration by running a single command. [[GH-4433](https://github.com/hashicorp/consul-k8s/issues/4433)]
* cli: Introduce `gateway read` for collecting multiple components of a gateway's configuration by running a single command. [[GH-4432](https://github.com/hashicorp/consul-k8s/issues/4432)]
* Updated consul/api, envoyextensions & troubleshoot submodules [[PR-4451](https://github.com/hashicorp/consul-k8s/pull/4451)]

BUG FIXES:

* cli: fix issue where the `consul-k8s proxy list` command does not include API gateways. [[GH-4426](https://github.com/hashicorp/consul-k8s/issues/4426)]
* connect-inject: fix issue where the ACL policy for the connect-injector included the `acl = "write"` rule twice when namespaces were not enabled. [[GH-4434](https://github.com/hashicorp/consul-k8s/issues/4434)]

SECURITY:

* updated golang.org/x/net dependency to 0.34.0 to fix vulnerability [[GO-2024-3333](https://pkg.go.dev/vuln/GO-2024-3333)] in CLI, CNI, acceptance and control-plane submodule.[[PR-4452](https://github.com/hashicorp/consul-k8s/pull/4452)]


## 1.6.1 (November 4, 2023)

SECURITY:

* crd: Add `contains` and `ignoreCase` to the Intentions CRD to support configuring L7 Header intentions resilient to variable casing and multiple header values. [[GH-4385](https://github.com/hashicorp/consul-k8s/issues/4385)]
* crd: Add `http.incoming.requestNormalization` to the Mesh CRD to support configuring service traffic request normalization. [[GH-4385](https://github.com/hashicorp/consul-k8s/issues/4385)]

IMPROVEMENTS:

* catalog-sync: Added field to helm chart to purge all services registered with catalog-sync from consul on disabling of catalog-sync. [[GH-4378](https://github.com/hashicorp/consul-k8s/issues/4378)]

BUG FIXES:

* api-gateway: `global.imagePullSecrets` are now configured on the `ServiceAccount` for `Gateways`.

Note: the referenced image pull Secret(s) must be present in the same namespace the `Gateway` is deployed to. [[GH-4316](https://github.com/hashicorp/consul-k8s/issues/4316)]
* helm: fix issue where the API Gateway GatewayClassConfig tolerations can not be parsed by the Helm chart. [[GH-4315](https://github.com/hashicorp/consul-k8s/issues/4315)]

## 1.6.0 (October 16, 2024)

> NOTE: Consul K8s 1.6.x is compatible with Consul 1.20.x and Consul Dataplane 1.6.x. Refer to our [compatibility matrix](https://developer.hashicorp.com/consul/docs/k8s/compatibility) for more info.

SECURITY:

* Upgrade Go to use 1.22.7. This addresses CVE
[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-4313](https://github.com/hashicorp/consul-k8s/issues/4313)]

IMPROVEMENTS:

* dns-proxy: add the ability to deploy a DNS proxy within the kubernetes cluster that forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests. [[GH-4300](https://github.com/hashicorp/consul-k8s/issues/4300)]
* sync-catalog: expose prometheus scrape metrics on sync-catalog pods [[GH-4212](https://github.com/hashicorp/consul-k8s/issues/4212)]
* connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [[GH-4307](https://github.com/hashicorp/consul-k8s/issues/4307)]
* helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [[GH-4333](https://github.com/hashicorp/consul-k8s/issues/4333)]

BUG FIXES:

* control-plane: add missing `$HOST_IP` environment variable to consul-dataplane sidecar containers [[GH-4277](https://github.com/hashicorp/consul-k8s/issues/4277)]
* helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [[GH-3989](https://github.com/hashicorp/consul-k8s/issues/3989)]
* sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [[GH-4255](https://github.com/hashicorp/consul-k8s/issues/4255)]

## 1.6.0-rc1 (September 20, 2024)

SECURITY:

* Upgrade Go to use 1.22.7. This addresses CVE
[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-4313](https://github.com/hashicorp/consul-k8s/issues/4313)]

IMPROVEMENTS:

* dns-proxy: add the ability to deploy a DNS proxy within the kubernetes cluster that forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests. [[GH-4300](https://github.com/hashicorp/consul-k8s/issues/4300)]
* sync-catalog: expose prometheus scrape metrics on sync-catalog pods [[GH-4212](https://github.com/hashicorp/consul-k8s/issues/4212)]
* connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [[GH-4307](https://github.com/hashicorp/consul-k8s/issues/4307)]
* helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [[GH-4333](https://github.com/hashicorp/consul-k8s/issues/4333)]

BUG FIXES:

* control-plane: add missing `$HOST_IP` environment variable to consul-dataplane sidecar containers [[GH-4277](https://github.com/hashicorp/consul-k8s/issues/4277)]
* helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [[GH-3989](https://github.com/hashicorp/consul-k8s/issues/3989)]
* sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [[GH-4255](https://github.com/hashicorp/consul-k8s/issues/4255)]

## 1.5.3 (August 30, 2024)

SECURITY:
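Review bot: The new heading `## 1.6.1 (November 4, 2023)` is dated a year before `## 1.6.0 (October 16, 2024)` directly below it and before `## 1.6.2 (January 7, 2025)` above it; the year looks like a typo and should be checked against the actual release date. In the 1.6.2 SECURITY entry there is also a missing space between `submodule.` and the `[[PR-4452]` link, and the entry starts lowercase, unlike the other SECURITY entries.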
Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ generate-external-crds: ## Generate CRDs for externally defined CRDs and copy th

.PHONY: bats-tests
bats-tests: ## Run Helm chart bats tests.
bats --jobs 4 charts/consul/test/unit
docker run -it -v $(CURDIR):/consul-k8s hashicorpdev/consul-helm-test:latest bats --jobs 4 /consul-k8s/charts/consul/test/unit -f "$(TEST_NAME)"

##@ Control Plane Targets
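Review bot: The `bats-tests` recipe now runs `docker run -it ...`, and `-t` fails when no TTY is attached, so this target will break in CI or any non-interactive shell; drop `-it` or make it conditional. The image is also referenced as `hashicorpdev/consul-helm-test:latest`, which is unpinned, whereas the workflow actions in this PR are pinned by commit SHA; pin a tag or digest so test results are reproducible. Finally, `-f "$(TEST_NAME)"` is always passed, so document `TEST_NAME` in the target's `##` help text and confirm that an empty filter still runs the whole suite.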

Expand Down
14 changes: 7 additions & 7 deletions acceptance/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ require (
github.com/google/uuid v1.3.0
github.com/gruntwork-io/terratest v0.46.7
github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240821160356-557f7c37e108
github.com/hashicorp/consul/api v1.29.4
github.com/hashicorp/consul/api v1.30.0
github.com/hashicorp/consul/sdk v0.16.1
github.com/hashicorp/go-multierror v1.1.1
github.com/hashicorp/go-uuid v1.0.3
Expand Down Expand Up @@ -126,15 +126,15 @@ require (
go.opentelemetry.io/otel/metric v1.19.0 // indirect
go.opentelemetry.io/otel/sdk v1.19.0 // indirect
go.opentelemetry.io/otel/trace v1.19.0 // indirect
golang.org/x/crypto v0.26.0 // indirect
golang.org/x/crypto v0.32.0 // indirect
golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect
golang.org/x/mod v0.20.0 // indirect
golang.org/x/net v0.28.0 // indirect
golang.org/x/net v0.34.0 // indirect
golang.org/x/oauth2 v0.10.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.24.0 // indirect
golang.org/x/term v0.23.0 // indirect
golang.org/x/text v0.17.0 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sys v0.29.0 // indirect
golang.org/x/term v0.28.0 // indirect
golang.org/x/text v0.21.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.24.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
Expand Down