Merge branch 'main' into main

hashicorp · Oct 25, 2024 · 3b8fcb0 · 3b8fcb0
2 parents 3054c9a + c5f07e8
commit 3b8fcb0
Show file tree

Hide file tree

Showing 49 changed files with 3,309 additions and 353 deletions.
diff --git a/.changelog/3874.txt b/.changelog/3874.txt
@@ -0,0 +1,3 @@
+```release-note:sync-catalog
+Add Endpoint health state to registered consul service
+```
diff --git a/.changelog/4316.txt b/.changelog/4316.txt
@@ -0,0 +1,5 @@
+```release-note:bug
+api-gateway: `global.imagePullSecrets` are now configured on the `ServiceAccount` for `Gateways`.
+
+Note: the referenced image pull Secret(s) must be present in the same namespace the `Gateway` is deployed to.
+```
diff --git a/.changelog/4378.txt b/.changelog/4378.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+catalog-sync: Added field to helm chart to purge all services registered with catalog-sync from consul on disabling of catalog-sync.
+```
diff --git a/.changelog/4385.txt b/.changelog/4385.txt
@@ -0,0 +1,6 @@
+```release-note:security
+crd: Add `http.incoming.requestNormalization` to the Mesh CRD to support configuring service traffic request normalization.
+```
+```release-note:security
+crd: Add `contains` and `ignoreCase` to the Intentions CRD to support configuring L7 Header intentions resilient to variable casing and multiple header values.
+```
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,26 @@
+## 1.6.0 (October 16, 2024)
+
+> NOTE: Consul K8s 1.6.x is compatible with Consul 1.20.x and Consul Dataplane 1.6.x. Refer to our [compatibility matrix](https://developer.hashicorp.com/consul/docs/k8s/compatibility) for more info.
+
+
+SECURITY:
+
+* Upgrade Go to use 1.22.7. This addresses CVE
+  [CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-4313](https://github.com/hashicorp/consul-k8s/issues/4313)]
+
+IMPROVEMENTS:
+
+* dns-proxy: add the ability to deploy a DNS proxy within the kubernetes cluster that forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests. [[GH-4300](https://github.com/hashicorp/consul-k8s/issues/4300)]
+* sync-catalog: expose prometheus scrape metrics on sync-catalog pods [[GH-4212](https://github.com/hashicorp/consul-k8s/issues/4212)]
+* connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [[GH-4307](https://github.com/hashicorp/consul-k8s/issues/4307)]
+* helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [[GH-4333](https://github.com/hashicorp/consul-k8s/issues/4333)]
+
+BUG FIXES:
+
+* control-plane: add missing `$HOST_IP` environment variable to consul-dataplane sidecar containers [[GH-4277](https://github.com/hashicorp/consul-k8s/issues/4277)]
+* helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [[GH-3989](https://github.com/hashicorp/consul-k8s/issues/3989)]
+* sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [[GH-4255](https://github.com/hashicorp/consul-k8s/issues/4255)]
+
 ## 1.5.3 (August 30, 2024)
 
 SECURITY:

diff --git a/acceptance/go.mod b/acceptance/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/gruntwork-io/terratest v0.46.7
 	github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240821160356-557f7c37e108
-	github.com/hashicorp/consul/api v1.29.4
+	github.com/hashicorp/consul/api v1.30.0
 	github.com/hashicorp/consul/sdk v0.16.1
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-uuid v1.0.3

diff --git a/acceptance/go.sum b/acceptance/go.sum
@@ -186,8 +186,8 @@ github.com/gruntwork-io/terratest v0.46.7 h1:oqGPBBO87SEsvBYaA0R5xOq+Lm2Xc5dmFVf
 github.com/gruntwork-io/terratest v0.46.7/go.mod h1:6gI5MlLeyF+SLwqocA5GBzcTix+XiuxCy1BPwKuT+WM=
 github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240821160356-557f7c37e108 h1:5jSMtMGeY//hvkAefiomxP1Jqb5MtnKgsnlsZpEwiJE=
 github.com/hashicorp/consul-k8s/control-plane v0.0.0-20240821160356-557f7c37e108/go.mod h1:SY22WR9TJmlcK18Et2MAqy+kqAFJzbWFElN89vMTSiM=
-github.com/hashicorp/consul/api v1.29.4 h1:P6slzxDLBOxUSj3fWo2o65VuKtbtOXFi7TSSgtXutuE=
-github.com/hashicorp/consul/api v1.29.4/go.mod h1:HUlfw+l2Zy68ceJavv2zAyArl2fqhGWnMycyt56sBgg=
+github.com/hashicorp/consul/api v1.30.0 h1:ArHVMMILb1nQv8vZSGIwwQd2gtc+oSQZ6CalyiyH2XQ=
+github.com/hashicorp/consul/api v1.30.0/go.mod h1:B2uGchvaXVW2JhFoS8nqTxMD5PBykr4ebY4JWHTTeLM=
 github.com/hashicorp/consul/proto-public v0.6.2 h1:+DA/3g/IiKlJZb88NBn0ZgXrxJp2NlvCZdEyl+qxvL0=
 github.com/hashicorp/consul/proto-public v0.6.2/go.mod h1:cXXbOg74KBNGajC+o8RlA502Esf0R9prcoJgiOX/2Tg=
 github.com/hashicorp/consul/sdk v0.16.1 h1:V8TxTnImoPD5cj0U9Spl0TUxcytjcbbJeADFF07KdHg=

diff --git a/charts/consul/Chart.yaml b/charts/consul/Chart.yaml
@@ -3,8 +3,8 @@
 
 apiVersion: v2
 name: consul
-version: 1.6.0-dev
-appVersion: 1.20-dev
+version: 1.7.0-dev
+appVersion: 1.21-dev
 kubeVersion: ">=1.22.0-0"
 description: Official HashiCorp Consul Chart
 home: https://www.consul.io
@@ -16,11 +16,11 @@ annotations:
   artifacthub.io/prerelease: true
   artifacthub.io/images: |
     - name: consul
-      image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.20-dev
+      image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.21-dev
     - name: consul-k8s-control-plane
-      image: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.6-dev
+      image: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.7-dev
     - name: consul-dataplane
-      image: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.6-dev
+      image: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.7-dev
     - name: envoy
       image: envoyproxy/envoy:v1.25.11
   artifacthub.io/license: MPL-2.0

diff --git a/charts/consul/templates/connect-inject-configmap.yaml b/charts/consul/templates/connect-inject-configmap.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.connectInject.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "consul.fullname" . }}-connect-inject-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: connect-injector
+data:
+  config.json: |
+    {
+      "image_pull_secrets": {{ .Values.global.imagePullSecrets | toJson }}
+    }
+{{- end }}
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
@@ -141,6 +141,7 @@ spec:
             - "-ec"
             - |
               exec consul-k8s-control-plane inject-connect \
+                -config-file=/consul/config/config.json \
                 {{- if .Values.global.federation.enabled }}
                 -enable-federation \
                 {{- end }}
@@ -311,6 +312,9 @@ spec:
             successThreshold: 1
             timeoutSeconds: 5
           volumeMounts:
+            - name: config
+              mountPath: /consul/config
+              readOnly: true
           {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
             - name: certs
               mountPath: /etc/connect-injector/certs
@@ -326,6 +330,9 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
       volumes:
+        - name: config
+          configMap:
+            name: {{ template "consul.fullname" . }}-connect-inject-config
       {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
         - name: certs
           secret:

diff --git a/charts/consul/templates/crd-meshes.yaml b/charts/consul/templates/crd-meshes.yaml
@@ -66,10 +66,55 @@ spec:
               http:
                 description: HTTP defines the HTTP configuration for the service mesh.
                 properties:
+                  incoming:
+                    description: Incoming configures settings for incoming HTTP traffic
+                      to mesh proxies.
+                    properties:
+                      requestNormalization:
+                        description: |-
+                          RequestNormalizationMeshConfig contains options pertaining to the
+                          normalization of HTTP requests processed by mesh proxies.
+                        properties:
+                          headersWithUnderscoresAction:
+                            description: |-
+                              HeadersWithUnderscoresAction sets the value of the \`headers_with_underscores_action\` option in the Envoy
+                              listener's \`HttpConnectionManager\` under \`common_http_protocol_options\`. The default value of this option is
+                              empty, which is equivalent to \`ALLOW\`. Refer to the Envoy documentation for more information on available
+                              options.
+                            type: string
+                          insecureDisablePathNormalization:
+                            description: |-
+                              InsecureDisablePathNormalization sets the value of the \`normalize_path\` option in the Envoy listener's
+                              `HttpConnectionManager`. The default value is \`false\`. When set to \`true\` in Consul, \`normalize_path\` is
+                              set to \`false\` for the Envoy proxy. This parameter disables the normalization of request URL paths according to
+                              RFC 3986, conversion of \`\\\` to \`/\`, and decoding non-reserved %-encoded characters. When using L7 intentions
+                              with path match rules, we recommend enabling path normalization in order to avoid match rule circumvention with
+                              non-normalized path values.
+                            type: boolean
+                          mergeSlashes:
+                            description: |-
+                              MergeSlashes sets the value of the \`merge_slashes\` option in the Envoy listener's \`HttpConnectionManager\`.
+                              The default value is \`false\`. This option controls the normalization of request URL paths by merging
+                              consecutive \`/\` characters. This normalization is not part of RFC 3986. When using L7 intentions with path
+                              match rules, we recommend enabling this setting to avoid match rule circumvention through non-normalized path
+                              values, unless legitimate service traffic depends on allowing for repeat \`/\` characters, or upstream services
+                              are configured to differentiate between single and multiple slashes.
+                            type: boolean
+                          pathWithEscapedSlashesAction:
+                            description: |-
+                              PathWithEscapedSlashesAction sets the value of the \`path_with_escaped_slashes_action\` option in the Envoy
+                              listener's \`HttpConnectionManager\`. The default value of this option is empty, which is equivalent to
+                              \`IMPLEMENTATION_SPECIFIC_DEFAULT\`. This parameter controls the action taken in response to request URL paths
+                              with escaped slashes in the path. When using L7 intentions with path match rules, we recommend enabling this
+                              setting to avoid match rule circumvention through non-normalized path values, unless legitimate service traffic
+                              depends on allowing for escaped \`/\` or \`\\\` characters, or upstream services are configured to differentiate
+                              between escaped and unescaped slashes. Refer to the Envoy documentation for more information on available
+                              options.
+                            type: string
+                        type: object
+                    type: object
                   sanitizeXForwardedClientCert:
                     type: boolean
-                required:
-                - sanitizeXForwardedClientCert
                 type: object
               peering:
                 description: Peering defines the peering configuration for the service

diff --git a/charts/consul/templates/crd-serviceintentions.yaml b/charts/consul/templates/crd-serviceintentions.yaml
@@ -168,10 +168,19 @@ spec:
                                   If more than one is configured all must match for the overall match to apply.
                                 items:
                                   properties:
+                                    contains:
+                                      description: Contains matches if the header
+                                        with the given name contains this value.
+                                      type: string
                                     exact:
                                       description: Exact matches if the header with
                                         the given name is this value.
                                       type: string
+                                    ignoreCase:
+                                      description: IgnoreCase ignores the case of
+                                        the header value when matching with exact,
+                                        prefix, suffix, or contains.
+                                      type: boolean
                                     invert:
                                       description: Invert inverts the logic of the
                                         match.