backport of commit 223002e

.changelog/540.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade to support Envoy `1.28.4`.
+```

.changelog/578.txt → .changelog/581.txt

@@ -1,3 +1,3 @@
 ```release-note:security
-Upgrade envoy version to 1.29.7 to address [CVE-2024-39305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39305)
+Upgrade envoy version to 1.28.5 to address [CVE-2024-39305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39305)
 ```

.github/workflows/build.yml

@@ -335,12 +335,12 @@ jobs:
         server:
           - version: v1.15.0-dev
             image: hashicorppreview/consul:1.15-dev
+          - version: v1.16.0-dev
+            image: hashicorppreview/consul:1.16-dev
+          - version: v1.17.0-dev
+            image: hashicorppreview/consul:1.17-dev
           - version: v1.18.0-dev
             image: hashicorppreview/consul:1.18-dev
-          - version: v1.19.0-dev
-            image: hashicorppreview/consul:1.19-dev
-          - version: v1.20.0-dev
-            image: hashicorppreview/consul:1.20-dev
         dataplane:
           - image_suffix: ""
             docker_target: "release-default"

.github/workflows/jira-issues.yaml

@@ -46,6 +46,8 @@ jobs:
           # customfield_10089 is "Issue Link", customfield_10371 is "Source" (use JIRA API to retrieve)
           extraFields: '{ "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}",
                           "customfield_10371": { "value": "GitHub" },
+                          "customfield_10535": [{ "value": "Service Mesh" }],
+                          "components": [{ "name": "${{ github.event.repository.name }}" }],
                           "labels": ${{ steps.set-ticket-labels.outputs.LABELS }} }'
         env:
           JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}

.github/workflows/jira-pr.yaml

@@ -59,6 +59,8 @@ jobs:
           # customfield_10089 is "Issue Link", customfield_10371 is "Source" (use JIRA API to retrieve)
           extraFields: '{ "customfield_10089": "${{ github.event.pull_request.html_url }}",
                           "customfield_10371": { "value": "GitHub" },
+                          "customfield_10535": [{ "value": "Service Mesh" }],
+                          "components": [{ "name": "${{ github.event.repository.name }}" }],
                           "labels": ${{ steps.set-ticket-labels.outputs.LABELS }} }'
         env:
           JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}

.github/workflows/security-scan.yml

@@ -46,7 +46,8 @@ jobs:
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           repository: hashicorp/security-scanner
-          token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
+          #TODO: replace w/ HASHIBOT_PRODSEC_GITHUB_TOKEN once provisioned
+          token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
           path: security-scanner
           ref: main
 
@@ -65,4 +66,4 @@ jobs:
       - name: Upload SARIF file
         uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # codeql-bundle-v2.17.1
         with:
-          sarif_file: results.sarif
+          sarif_file: results.sarif

CHANGELOG.md

@@ -1,10 +1,14 @@
-## 1.5.0 (June 12, 2024)
+## 1.4.3 (July 15, 2024)
+
+SECURITY:
+
+* Upgrade envoy version to 1.28.5 to address [CVE-2024-39305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39305) [[GH-581](https://github.com/hashicorp/consul-dataplane/pull/581)]
+* Upgrade go version to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791) [[GH-573](https://github.com/hashicorp/consul-dataplane/pull/573)]
+* Upgrade to support Envoy `1.28.4`. [[GH-540](https://github.com/hashicorp/consul-dataplane/pull/540)]
 
 IMPROVEMENTS:
 
 * Upgrade Go to use 1.22.4. [[GH-529](https://github.com/hashicorp/consul-dataplane/pull/529)]
-* Upgrade to support Envoy `1.29.5`. [[GH-533](https://github.com/hashicorp/consul-dataplane/pull/533)]
-* dns: queries proxied by consul-dataplane now assume the same namespace/partition/ACL token as the service registered to the dataplane instance. [[GH-172](https://github.com/hashicorp/consul-dataplane/pull/172)]
 
 ## 1.4.2 (May 21, 2024)
 
@@ -26,63 +30,6 @@ IMPROVEMENTS:
 
 * Upgrade Go to use 1.22.3. [[GH-501](https://github.com/hashicorp/consul-dataplane/pull/501)]
 
-## 1.3.5 (May 24, 2024)
-SECURITY:
-
-* Upgrade Go to use 1.21.10. This addresses CVEs 
-[CVE-2024-24787](https://nvd.nist.gov/vuln/detail/CVE-2024-24787) and
-[CVE-2024-24788](https://nvd.nist.gov/vuln/detail/CVE-2024-24788) [[GH-487](https://github.com/hashicorp/consul-dataplane/pull/487)]
-* Upgrade to support Envoy `1.27.4`. This resolves CVE
-[CVE-2024-27919](https://nvd.nist.gov/vuln/detail/CVE-2024-27919) (`http2`). [[GH-477](https://github.com/hashicorp/consul-dataplane/pull/477)]
-* Upgrade to support Envoy `1.27.5`. This resolves CVE
-[CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475). [[GH-497](https://github.com/hashicorp/consul-dataplane/pull/497)]
-* Upgrade to use Go `1.21.9`. This resolves CVE
-[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`http2`). [[GH-477](https://github.com/hashicorp/consul-dataplane/pull/477)]
-* Upgrade to use golang.org/x/net `v0.24.0`. This resolves CVE
-[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`x/net`). [[GH-477](https://github.com/hashicorp/consul-dataplane/pull/477)]
-
-IMPROVEMENTS:
-
-* Upgrade Go to use 1.22.3. [[GH-501](https://github.com/hashicorp/consul-dataplane/pull/501)]
-
-## 1.2.8 (May 24, 2024)
-SECURITY:
-
-* Upgrade Go to use 1.21.10. This addresses CVEs 
-[CVE-2024-24787](https://nvd.nist.gov/vuln/detail/CVE-2024-24787) and
-[CVE-2024-24788](https://nvd.nist.gov/vuln/detail/CVE-2024-24788) [[GH-487](https://github.com/hashicorp/consul-dataplane/pull/487)]
-* Upgrade to support Envoy `1.26.8`. This resolves CVE
-[CVE-2024-27919](https://nvd.nist.gov/vuln/detail/CVE-2024-27919) (`http2`). [[GH-476](https://github.com/hashicorp/consul-dataplane/pull/476)]
-* Upgrade to support Envoy `1.27.5`. This resolves CVE
-[CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475). [[GH-498](https://github.com/hashicorp/consul-dataplane/pull/498)]
-* Upgrade to use Go `1.21.9`. This resolves CVE
-[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`http2`). [[GH-476](https://github.com/hashicorp/consul-dataplane/pull/476)]
-* Upgrade to use golang.org/x/net `v0.24.0`. This resolves CVE
-[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`x/net`). [[GH-476](https://github.com/hashicorp/consul-dataplane/pull/476)]
-
-IMPROVEMENTS:
-
-* Upgrade Go to use 1.22.3. [[GH-501](https://github.com/hashicorp/consul-dataplane/pull/501)]
-
-## 1.1.11 (May 20, 2024)
-SECURITY:
-
-* Upgrade Go to use 1.21.10. This addresses CVEs 
-[CVE-2024-24787](https://nvd.nist.gov/vuln/detail/CVE-2024-24787) and
-[CVE-2024-24788](https://nvd.nist.gov/vuln/detail/CVE-2024-24788) [[GH-487](https://github.com/hashicorp/consul-dataplane/pull/487)]
-* Upgrade to support Envoy `1.26.8`. This resolves CVE
-[CVE-2024-27919](https://nvd.nist.gov/vuln/detail/CVE-2024-27919) (`http2`). [[GH-475](https://github.com/hashicorp/consul-dataplane/pull/475)]
-* Upgrade to support Envoy `1.27.5`. This resolves CVE
-[CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475). [[GH-499](https://github.com/hashicorp/consul-dataplane/pull/499)]
-* Upgrade to use Go `1.21.9`. This resolves CVE
-[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`http2`). [[GH-475](https://github.com/hashicorp/consul-dataplane/pull/475)]
-* Upgrade to use golang.org/x/net `v0.24.0`. This resolves CVE
-[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`x/net`). [[GH-475](https://github.com/hashicorp/consul-dataplane/pull/475)]
-
-IMPROVEMENTS:
-
-* Upgrade Go to use 1.22.3. [[GH-501](https://github.com/hashicorp/consul-dataplane/pull/501)]
-
 ## 1.4.1 (March 28, 2024)
 
 SECURITY:
@@ -95,44 +42,6 @@ SECURITY:
   [CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`).
   [CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`). [[GH-465](https://github.com/hashicorp/consul-dataplane/pull/465)]
 
-## 1.3.4 (March 28, 2024)
-
-SECURITY:
-
-* Update `google.golang.org/protobuf` to v1.33.0 to address [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786). [[GH-460](https://github.com/hashicorp/consul-dataplane/pull/460)]
-* Upgrade `consul-dataplane-fips` OpenShift container image to use `ubi9-minimal:9.3` as the base image. [[GH-434](https://github.com/hashicorp/consul-dataplane/pull/434)]
-* Upgrade to use Go `1.21.8`. This resolves CVEs
-  [CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783) (`crypto/x509`).
-  [CVE-2023-45290](https://nvd.nist.gov/vuln/detail/CVE-2023-45290) (`net/http`).
-  [CVE-2023-45289](https://nvd.nist.gov/vuln/detail/CVE-2023-45289) (`net/http`, `net/http/cookiejar`).
-  [CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`).
-  [CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`). [[GH-465](https://github.com/hashicorp/consul-dataplane/pull/465)]
-
-## 1.2.7 (March 28, 2024)
-
-SECURITY:
-
-* Update `google.golang.org/protobuf` to v1.33.0 to address [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786). [[GH-460](https://github.com/hashicorp/consul-dataplane/pull/460)]
-* Upgrade `consul-dataplane-fips` OpenShift container image to use `ubi9-minimal:9.3` as the base image. [[GH-434](https://github.com/hashicorp/consul-dataplane/pull/434)]
-* Upgrade to use Go `1.21.8`. This resolves CVEs
-  [CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783) (`crypto/x509`).
-  [CVE-2023-45290](https://nvd.nist.gov/vuln/detail/CVE-2023-45290) (`net/http`).
-  [CVE-2023-45289](https://nvd.nist.gov/vuln/detail/CVE-2023-45289) (`net/http`, `net/http/cookiejar`).
-  [CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`).
-  [CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`). [[GH-465](https://github.com/hashicorp/consul-dataplane/pull/465)]
-
-## 1.1.10 (March 28, 2024)
-
-SECURITY:
-
-* Update `google.golang.org/protobuf` to v1.33.0 to address [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786). [[GH-460](https://github.com/hashicorp/consul-dataplane/pull/460)]
-* Upgrade to use Go `1.21.8`. This resolves CVEs
-[CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783) (`crypto/x509`).
-[CVE-2023-45290](https://nvd.nist.gov/vuln/detail/CVE-2023-45290) (`net/http`).
-[CVE-2023-45289](https://nvd.nist.gov/vuln/detail/CVE-2023-45289) (`net/http`, `net/http/cookiejar`).
-[CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`).
-[CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`). [[GH-465](https://github.com/hashicorp/consul-dataplane/pull/465)]
-
 ## 1.4.0 (February 28, 2024)
 
 SECURITY:

Dockerfile

@@ -11,7 +11,7 @@
 # prebuilt binaries in any other form.
 #
 ARG GOLANG_VERSION
-FROM envoyproxy/envoy-distroless:v1.29.7 as envoy-binary
+FROM envoyproxy/envoy-distroless:v1.28.5 as envoy-binary
 
 # Modify the envoy binary to be able to bind to privileged ports (< 1024).
 FROM debian:bullseye-slim AS setcap-envoy-binary
@@ -27,7 +27,7 @@ RUN apt-get update && apt install -y libcap2-bin
 RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy
 RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME
 
-FROM hashicorp/envoy-fips:1.29.7-fips1402 as envoy-fips-binary
+FROM hashicorp/envoy-fips:1.28.5-fips1402 as envoy-fips-binary
 
 # Modify the envoy-fips binary to be able to bind to privileged ports (< 1024).
 FROM debian:bullseye-slim AS setcap-envoy-fips-binary

Makefile

@@ -69,7 +69,6 @@ docker-run: docker ## run the image of $(TAG)
 
 .PHONY: dev-docker
 dev-docker: docker ## build docker image and tag the image to local
-	echo '$(ARCH)'
 	docker tag '$(PRODUCT_NAME):$(VERSION)'  '$(PRODUCT_NAME):local'
 
 ##@ Testing

cmd/consul-dataplane/config.go

@@ -21,7 +21,6 @@ type FlagOpts struct {
 }
 
 type DataplaneConfigFlags struct {
-	Mode      *string        `json:"mode,omitempty"`
 	Consul    ConsulFlags    `json:"consul,omitempty"`
 	Service   ServiceFlags   `json:"service,omitempty"`
 	Proxy     ProxyFlags     `json:"proxy,omitempty"`
@@ -210,7 +209,6 @@ func (f *FlagOpts) buildConfigFromFile() (DataplaneConfigFlags, error) {
 func buildDefaultConsulDPFlags() (DataplaneConfigFlags, error) {
 	data := `
 	{
-		"mode": "sidecar",
 		"consul": {
 			"grpcPort": 8502,
 			"serverWatchDisabled": false,
@@ -318,7 +316,6 @@ func constructRuntimeConfig(cfg DataplaneConfigFlags, extraArgs []string) (*cons
 				InsecureSkipVerify: boolVal(cfg.Consul.TLS.InsecureSkipVerify),
 			},
 		},
-		Mode:  consuldp.ModeType(stringVal(cfg.Mode)),
 		Proxy: &proxyCfg,
 		Logging: &consuldp.LoggingConfig{
 			Name:     DefaultLogName,

cmd/consul-dataplane/config_test.go

@@ -33,7 +33,6 @@ func TestConfigGeneration(t *testing.T) {
 			},
 			makeExpectedCfg: func(flagOpts *FlagOpts) *consuldp.Config {
 				return &consuldp.Config{
-					Mode: consuldp.ModeTypeSidecar,
 					Consul: &consuldp.ConsulConfig{
 						Addresses:           stringVal(flagOpts.dataplaneConfig.Consul.Addresses),
 						GRPCPort:            intVal(flagOpts.dataplaneConfig.Consul.GRPCPort),
@@ -112,7 +111,6 @@ func TestConfigGeneration(t *testing.T) {
 			},
 			makeExpectedCfg: func(flagOpts *FlagOpts) *consuldp.Config {
 				return &consuldp.Config{
-					Mode: consuldp.ModeTypeSidecar,
 					Consul: &consuldp.ConsulConfig{
 						Addresses:           stringVal(flagOpts.dataplaneConfig.Consul.Addresses),
 						GRPCPort:            intVal(flagOpts.dataplaneConfig.Consul.GRPCPort),
@@ -191,7 +189,6 @@ func TestConfigGeneration(t *testing.T) {
 				if err != nil {
 					return nil, err
 				}
-				opts.dataplaneConfig.Mode = strReference("dns-proxy")
 				opts.dataplaneConfig.Consul.Credentials.Login.BearerTokenPath = strReference("/consul/bearertokenpath/")
 				opts.dataplaneConfig.Consul.Credentials.Login.Datacenter = strReference("dc100")
 				opts.dataplaneConfig.Consul.Credentials.Login.Meta = map[string]string{
@@ -209,7 +206,6 @@ func TestConfigGeneration(t *testing.T) {
 			},
 			makeExpectedCfg: func(flagOpts *FlagOpts) *consuldp.Config {
 				return &consuldp.Config{
-					Mode: consuldp.ModeTypeDNSProxy,
 					Consul: &consuldp.ConsulConfig{
 						Addresses:           stringVal(flagOpts.dataplaneConfig.Consul.Addresses),
 						GRPCPort:            intVal(flagOpts.dataplaneConfig.Consul.GRPCPort),
@@ -314,7 +310,6 @@ func TestConfigGeneration(t *testing.T) {
 			},
 			makeExpectedCfg: func(flagOpts *FlagOpts) *consuldp.Config {
 				return &consuldp.Config{
-					Mode: consuldp.ModeTypeSidecar,
 					Consul: &consuldp.ConsulConfig{
 						Addresses:           stringVal(flagOpts.dataplaneConfig.Consul.Addresses),
 						GRPCPort:            intVal(flagOpts.dataplaneConfig.Consul.GRPCPort),
@@ -413,7 +408,6 @@ func TestConfigGeneration(t *testing.T) {
 			},
 			makeExpectedCfg: func(flagOpts *FlagOpts) *consuldp.Config {
 				return &consuldp.Config{
-					Mode: consuldp.ModeTypeSidecar,
 					Consul: &consuldp.ConsulConfig{
 						Addresses:           stringVal(flagOpts.dataplaneConfig.Consul.Addresses),
 						GRPCPort:            intVal(flagOpts.dataplaneConfig.Consul.GRPCPort),
@@ -527,7 +521,6 @@ func TestConfigGeneration(t *testing.T) {
 			},
 			makeExpectedCfg: func(flagOpts *FlagOpts) *consuldp.Config {
 				return &consuldp.Config{
-					Mode: consuldp.ModeTypeSidecar,
 					Consul: &consuldp.ConsulConfig{
 						Addresses:           "consul_server.dc1",
 						GRPCPort:            8502,
@@ -634,7 +627,6 @@ func TestConfigGeneration(t *testing.T) {
 			},
 			makeExpectedCfg: func(flagOpts *FlagOpts) *consuldp.Config {
 				return &consuldp.Config{
-					Mode: consuldp.ModeTypeSidecar,
 					Consul: &consuldp.ConsulConfig{
 						Addresses:           stringVal(flagOpts.dataplaneConfig.Consul.Addresses),
 						GRPCPort:            intVal(flagOpts.dataplaneConfig.Consul.GRPCPort),
@@ -714,7 +706,6 @@ func TestConfigGeneration(t *testing.T) {
 			desc: "test whether CLI flag values override the file values with proxy flags",
 			flagOpts: func() (*FlagOpts, error) {
 				opts, err := generateFlagOptsWithProxyFlags()
-				opts.dataplaneConfig.Mode = strReference("dns-proxy")
 				if err != nil {
 					return nil, err
 				}
@@ -763,7 +754,6 @@ func TestConfigGeneration(t *testing.T) {
 			},
 			makeExpectedCfg: func(flagOpts *FlagOpts) *consuldp.Config {
 				return &consuldp.Config{
-					Mode: consuldp.ModeTypeDNSProxy,
 					Consul: &consuldp.ConsulConfig{
 						Addresses:           stringVal(flagOpts.dataplaneConfig.Consul.Addresses),
 						GRPCPort:            intVal(flagOpts.dataplaneConfig.Consul.GRPCPort),