After 1.6.2 release PR

.changelog/4315.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: fix issue where the API Gateway GatewayClassConfig tolerations can not be parsed by the Helm chart.
+```

.changelog/4316.txt

@@ -0,0 +1,5 @@
+```release-note:bug
+api-gateway: `global.imagePullSecrets` are now configured on the `ServiceAccount` for `Gateways`.
+
+Note: the referenced image pull Secret(s) must be present in the same namespace the `Gateway` is deployed to.
+```

.changelog/4333.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set.
+```

.changelog/4378.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+catalog-sync: Added field to helm chart to purge all services registered with catalog-sync from consul on disabling of catalog-sync.
+```

.changelog/4385.txt

@@ -0,0 +1,6 @@
+```release-note:security
+crd: Add `http.incoming.requestNormalization` to the Mesh CRD to support configuring service traffic request normalization.
+```
+```release-note:security
+crd: Add `contains` and `ignoreCase` to the Intentions CRD to support configuring L7 Header intentions resilient to variable casing and multiple header values.
+```

.changelog/4426.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli: fix issue where the `consul-k8s proxy list` command does not include API gateways.
+```

.changelog/4432.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+cli: Introduce `gateway read` for collecting multiple components of a gateway's configuration by running a single command.
+```

.changelog/4433.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+cli: Introduce `gateway list` for collecting multiple components of all gateways' configuration by running a single command.
+```

.changelog/4434.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect-inject: fix issue where the ACL policy for the connect-injector included the `acl = "write"` rule twice when namespaces were not enabled.
+```

.github/workflows/pr.yml

@@ -40,6 +40,7 @@ jobs:
           - check-name: acceptance-cni
           - check-name: acceptance-tproxy
           - check-name: Unit test helm templates
+          - check-name: Unit test helm gen
           - check-name: Unit test enterprise control plane
           - check-name: Unit test control plane
           - check-name: Unit test cli

.github/workflows/reusable-conditional-skip.yml

@@ -12,13 +12,58 @@ jobs:
     runs-on: ubuntu-latest
     name: Check whether to skip build and tests
     outputs:
-      skip-ci: ${{ steps.check-changed-files.outputs.skip-ci }}
-    env:
-      SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }}
+      skip-ci: ${{ steps.maybe-skip-ci.outputs.skip-ci }}
     steps:
+      # We only allow use of conditional skip in two scenarios:
+      #   1. PRs
+      #   2. Pushes (merges) to protected branches (`main`, `release/**`)
+      #
+      # The second scenario is the only place we can be sure that checking just the
+      # latest change on the branch is sufficient. In PRs, we need to check _all_ commits.
+      # The ability to do this is ultimately determined by the triggers of the calling
+      # workflow, since `base_ref` (the target branch of a PR) is only available in
+      # `pull_request` events, not `push`.
+      - name: Error if conditional check is not allowed
+        if: ${{ !github.base_ref && !github.ref_protected }}
+        run: |
+          echo "Conditional skip requires a PR event with 'base_ref' or 'push' to a protected branch."
+          echo "github.base_ref: ${{ github.base_ref }}"
+          echo "github.ref_protected: ${{ github.ref_protected }}"
+          echo "github.ref_name: ${{ github.ref_name }}"
+          echo "Check the triggers of the calling workflow to ensure that these requirements are met."
+          exit 1
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
-      - name: Check changed files
-        id: check-changed-files
-        run: ./.github/scripts/check_skip_ci.sh
+      - name: Check for skippable file changes
+        id: changed-files
+        uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45.0.1
+        with:
+          # This is a multi-line YAML string with one match pattern per line.
+          # Do not use quotes around values, as it's not supported.
+          # See https://github.com/tj-actions/changed-files/blob/main/README.md#inputs-%EF%B8%8F
+          # for usage, options, and more details on match syntax.
+          files: |
+            .github/workflows/reusable-conditional-skip.yml
+            LICENSE
+            .copywrite.hcl
+            .gitignore
+            **.md
+            assets/**
+            .changelog/**
+      - name: Print changed files
+        env:
+          SKIPPABLE_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+          NON_SKIPPABLE_FILES: ${{ steps.changed-files.outputs.other_changed_files }}
+        run: |
+          echo "Skippable changed files:"
+          for file in ${SKIPPABLE_CHANGED_FILES}; do echo "  $file"; done
+          echo
+          echo "Non-skippable files:"
+          for file in ${NON_SKIPPABLE_FILES}; do echo "  $file"; done
+      - name: Skip tests and build if only skippable files changed
+        id: maybe-skip-ci
+        if: ${{ steps.changed-files.outputs.only_changed == 'true' }}
+        run: |
+          echo "Skipping tests and build because only skippable files changed"
+          echo "skip-ci=true" >> $GITHUB_OUTPUT

.github/workflows/security-scan.yml

@@ -1,3 +1,5 @@
+# This job runs a non-blocking informational security scan on the repository.
+# For release-blocking security scans, see .release/security-scan.hcl.
 name: Security Scan
 
 on:
@@ -9,6 +11,8 @@ on:
     branches:
       - main
       - release/**
+    # paths-ignore only works for non-required checks.
+    # Jobs that are required for merge must use reusable-conditional-skip.yml.
     paths-ignore:
       - 'assets/**'
       - '.changelog/**'

.github/workflows/weekly-acceptance-1-6-x.yml

@@ -0,0 +1,28 @@
+# Dispatch to the consul-k8s-workflows with a weekly cron
+#
+# A separate file is needed for each release because the cron schedules are different for each release.
+name: weekly-acceptance-1-6-x
+on:
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    # Run weekly on Friday at 3AM UTC/11PM EST/8PM PST
+   - cron:  '0 3 * * 6'
+
+# these should be the only settings that you will ever need to change
+env:
+  BRANCH: "release/1.6.x"
+  CONTEXT: "weekly"
+
+jobs:
+  cloud:
+    name: cloud
+    runs-on: ubuntu-latest
+    steps:
+    - uses: benc-uk/workflow-dispatch@25b02cc069be46d637e8fe2f1e8484008e9e9609 # v1.2.3
+      name: cloud
+      with:
+        workflow: cloud.yml
+        repo: hashicorp/consul-k8s-workflows
+        ref: main
+        token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+        inputs: '{ "context":"${{ env.CONTEXT }}", "repository":"${{ github.repository }}", "branch":"${{ env.BRANCH }}", "sha":"${{ github.sha }}", "token":"${{ secrets.ELEVATED_GITHUB_TOKEN }}" }'

.release/security-scan.hcl

@@ -40,7 +40,8 @@ binary {
         "GHSA-r53h-jv2g-vpx6", 
         "CVE-2024-26147", # alias
         "GHSA-jw44-4f3j-q396", # Tracked in NET-8174
-        "CVE-2019-25210" # alias
+        "CVE-2019-25210", # alias
+        "GO-2022-0635"
       ]
     }
   }

CHANGELOG.md

@@ -1,3 +1,81 @@
+## 1.6.2 (January 7, 2025)
+
+IMPROVEMENTS:
+
+* cli: Introduce `gateway list` for collecting multiple components of all gateways' configuration by running a single command. [[GH-4433](https://github.com/hashicorp/consul-k8s/issues/4433)]
+* cli: Introduce `gateway read` for collecting multiple components of a gateway's configuration by running a single command. [[GH-4432](https://github.com/hashicorp/consul-k8s/issues/4432)]
+* Updated consul/api, envoyextensions & troubleshoot submodules [[PR-4451](https://github.com/hashicorp/consul-k8s/pull/4451)]
+
+BUG FIXES:
+
+* cli: fix issue where the `consul-k8s proxy list` command does not include API gateways. [[GH-4426](https://github.com/hashicorp/consul-k8s/issues/4426)]
+* connect-inject: fix issue where the ACL policy for the connect-injector included the `acl = "write"` rule twice when namespaces were not enabled. [[GH-4434](https://github.com/hashicorp/consul-k8s/issues/4434)]
+
+SECURITY:
+
+* updated golang.org/x/net dependency to 0.34.0 to fix vulnerability [[GO-2024-3333](https://pkg.go.dev/vuln/GO-2024-3333)] in CLI, CNI, acceptance and control-plane submodule.[[PR-4452](https://github.com/hashicorp/consul-k8s/pull/4452)]
+
+
+## 1.6.1 (November 4, 2023)
+
+SECURITY:
+
+* crd: Add `contains` and `ignoreCase` to the Intentions CRD to support configuring L7 Header intentions resilient to variable casing and multiple header values. [[GH-4385](https://github.com/hashicorp/consul-k8s/issues/4385)]
+* crd: Add `http.incoming.requestNormalization` to the Mesh CRD to support configuring service traffic request normalization. [[GH-4385](https://github.com/hashicorp/consul-k8s/issues/4385)]
+
+IMPROVEMENTS:
+
+* catalog-sync: Added field to helm chart to purge all services registered with catalog-sync from consul on disabling of catalog-sync. [[GH-4378](https://github.com/hashicorp/consul-k8s/issues/4378)]
+
+BUG FIXES:
+
+* api-gateway: `global.imagePullSecrets` are now configured on the `ServiceAccount` for `Gateways`.
+
+Note: the referenced image pull Secret(s) must be present in the same namespace the `Gateway` is deployed to. [[GH-4316](https://github.com/hashicorp/consul-k8s/issues/4316)]
+* helm: fix issue where the API Gateway GatewayClassConfig tolerations can not be parsed by the Helm chart. [[GH-4315](https://github.com/hashicorp/consul-k8s/issues/4315)]
+
+## 1.6.0 (October 16, 2024)
+
+> NOTE: Consul K8s 1.6.x is compatible with Consul 1.20.x and Consul Dataplane 1.6.x. Refer to our [compatibility matrix](https://developer.hashicorp.com/consul/docs/k8s/compatibility) for more info.
+
+SECURITY:
+
+* Upgrade Go to use 1.22.7. This addresses CVE
+  [CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-4313](https://github.com/hashicorp/consul-k8s/issues/4313)]
+
+IMPROVEMENTS:
+
+* dns-proxy: add the ability to deploy a DNS proxy within the kubernetes cluster that forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests. [[GH-4300](https://github.com/hashicorp/consul-k8s/issues/4300)]
+* sync-catalog: expose prometheus scrape metrics on sync-catalog pods [[GH-4212](https://github.com/hashicorp/consul-k8s/issues/4212)]
+* connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [[GH-4307](https://github.com/hashicorp/consul-k8s/issues/4307)]
+* helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [[GH-4333](https://github.com/hashicorp/consul-k8s/issues/4333)]
+
+BUG FIXES:
+
+* control-plane: add missing `$HOST_IP` environment variable to consul-dataplane sidecar containers [[GH-4277](https://github.com/hashicorp/consul-k8s/issues/4277)]
+* helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [[GH-3989](https://github.com/hashicorp/consul-k8s/issues/3989)]
+* sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [[GH-4255](https://github.com/hashicorp/consul-k8s/issues/4255)]
+
+## 1.6.0-rc1 (September 20, 2024)
+
+SECURITY:
+
+* Upgrade Go to use 1.22.7. This addresses CVE 
+[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-4313](https://github.com/hashicorp/consul-k8s/issues/4313)]
+
+IMPROVEMENTS:
+
+* dns-proxy: add the ability to deploy a DNS proxy within the kubernetes cluster that forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests. [[GH-4300](https://github.com/hashicorp/consul-k8s/issues/4300)]
+* sync-catalog: expose prometheus scrape metrics on sync-catalog pods [[GH-4212](https://github.com/hashicorp/consul-k8s/issues/4212)]
+* connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [[GH-4307](https://github.com/hashicorp/consul-k8s/issues/4307)]
+* helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [[GH-4333](https://github.com/hashicorp/consul-k8s/issues/4333)]
+
+BUG FIXES:
+
+* control-plane: add missing `$HOST_IP` environment variable to consul-dataplane sidecar containers [[GH-4277](https://github.com/hashicorp/consul-k8s/issues/4277)]
+* helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [[GH-3989](https://github.com/hashicorp/consul-k8s/issues/3989)]
+* sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [[GH-4255](https://github.com/hashicorp/consul-k8s/issues/4255)]
+
 ## 1.5.3 (August 30, 2024)
 
 SECURITY:

Makefile

@@ -32,7 +32,7 @@ generate-external-crds: ## Generate CRDs for externally defined CRDs and copy th
 
 .PHONY: bats-tests
 bats-tests: ## Run Helm chart bats tests.
-	 bats --jobs 4 charts/consul/test/unit
+	docker run -it -v $(CURDIR):/consul-k8s hashicorpdev/consul-helm-test:latest bats --jobs 4 /consul-k8s/charts/consul/test/unit -f "$(TEST_NAME)"
 
 ##@ Control Plane Targets
 

acceptance/go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/gruntwork-io/terratest v0.46.7
 	github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240821160356-557f7c37e108
-	github.com/hashicorp/consul/api v1.29.4
+	github.com/hashicorp/consul/api v1.30.0
 	github.com/hashicorp/consul/sdk v0.16.1
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-uuid v1.0.3
@@ -126,15 +126,15 @@ require (
 	go.opentelemetry.io/otel/metric v1.19.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.19.0 // indirect
 	go.opentelemetry.io/otel/trace v1.19.0 // indirect
-	golang.org/x/crypto v0.26.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
 	golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect
 	golang.org/x/mod v0.20.0 // indirect
-	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/oauth2 v0.10.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.24.0 // indirect
-	golang.org/x/term v0.23.0 // indirect
-	golang.org/x/text v0.17.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/term v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect