mirror of https://github.com/status-im/consul.git synced 2025-02-28 05:10:40 +00:00

21516 Commits

Author SHA1 Message Date
R.B. Boyer
00d74abc4a
metadata: memoize the parsed build versions ()
There will only be a small set of consul build versions that a single consul
server will witness. Inside of metadata.IsConsulServer we use a very
expensive function in the hashicorp/go-version library to parse these into
read-only *version.Version structs all over Consul.

Memoize these in a package cache map. Likely the thing will only have like
2 keys in it ever over the life of the process.
2025-02-03 16:22:10 -06:00
Nathan Coleman
3e0c098890
Consume latest version of consul-awsauth dependency ()
* Consume latest version of consul-awsauth dependency

* Add changelog entry
2025-01-30 18:13:26 -05:00
Judith Malnick
4bca5c5d21
Let education and web presence merge PRs to website directory files. ()
* add consul education and web presence ability to merge PRs to relevant website directory files

* change edu approvers to consul-docs

* let education also edit the docs side navigation

* fix spacing and punctuation

* one more try to fix spacing
2025-01-28 13:45:24 +05:30
Abhishek Sahu
f82f5207a1
chore: Updated the changelogs for 1.20.2, 1.19.4, 1.18.6, 1.15.16 ()
Updated the changelog
2025-01-22 15:09:42 +05:30
Deniz Onur Duzgun
a9ff9e016f
sec: bump go and deps versions ()
* security: bump go and deps versions

* add changelog

* fix go toolchained version

* update changelog message
2025-01-21 11:32:08 -05:00
Anita Akaeze
88539f1b7e
NET-11798: Set APIGateway TLSConfig if unset or empty ()
* NET-11798: Set APIGateway TLSConfig if unset or empty

* add changelog

* update golden file tests

* add missing golden files

* Update .changelog/21984.txt

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* remove use of reflect library and check if object is empty instead

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2025-01-15 09:13:28 -08:00
Abhishek Sahu
c1a887e076
Added labels for redhat validation ()
Update Dockerfile
2025-01-03 12:51:39 +05:30
Deniz Onur Duzgun
f9a54fd8e2
sec: bump envoy patch versions ()
2024-12-19 10:11:34 -06:00
sarahalsmiller
a5c7ecc540
[Security] Bump net packages to resolve GO-2024-3333 ()
* bump net packages

* add changelog
2024-12-18 22:55:56 +00:00
R.B. Boyer
507b97d505
chore: remove staff codeowners now that it requires mandatory review ()
2024-12-18 16:36:41 -06:00
dependabot[bot]
cdc500b5e8
Bump golang.org/x/crypto from 0.22.0 to 0.31.0 in /testing/deployer ()
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.22.0 to 0.31.0.
- [Commits](https://github.com/golang/crypto/compare/v0.22.0...v0.31.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-12-18 22:00:10 +00:00
sarahalsmiller
2e337ed58e
Suppress redhat linux CVEs ()
suppress redhat linux CVEs
2024-12-18 17:24:28 +00:00
sarahalsmiller
a1f00e4548
Update UBI Image ()
* update image

* change log
2024-12-17 15:56:00 -06:00
sarahalsmiller
4adb3f2e74
Bump alpine image ()
bump alpine image
2024-12-17 20:04:02 +00:00
sarahalsmiller
c181a533fc
[Security] Bump crypto libraries ()
* update crypto libraries

* update crypto libraries

* add changelog, suppress vulnerability that hasn't been fixed yet
2024-12-16 15:21:10 -06:00
sarahalsmiller
81cc8b4211
[Security] Bump envoy versions ()
bump envoy versions
2024-12-16 10:57:00 -06:00
Bhautik
beef7a7417
docs: fix broken link ()
2024-11-27 14:17:33 -07:00
Anita Akaeze
4b7f7a8a16
[Security] SECVULN-8621: Fix XSS Vulnerability where content-type header wasn't explicitly set in API requests ()
* Fix XSS Vulnerability where content-type header wasn't explicitly set in API requests

* fix failing unit test
2024-11-27 09:30:14 -08:00
sarahalsmiller
83b6d999f6
Add alpine image cves to suppress list ()
add alpine image cves to suppress list
2024-11-22 17:38:19 +00:00
R.B. Boyer
c81dc8c551
state: ensure that identical manual virtual IP updates result in not bumping the modify indexes ()
The consul-k8s endpoints controller issues catalog register and manual virtual ip
updates without first checking to see if the updates would be effectively not
changing anything. This is supposed to be reasonable because the state store
functions do the check for a no-op update and should discard repeat updates so
that downstream blocking queries watching one of the resources don't fire
pointlessly (and CPU wastefully).

While this is true for the check/service/node catalog updates, it is not true for
the "manual virtual ip" updates triggered by the PUT /v1/internal/service-virtual-ip.
Forcing the connect injector pod to recycle while watching some lightly
modified FSM code can show that a lot of updates are of the update list of ips
from [A] to [A]. Immediately following this stray update you can see a lot of
activity in proxycfg and xds packages waking up due to blocking queries
triggered by this.

This PR skips updates that change nothing both:

- at the RPC layer before passing it to raft (ideally)
- if the write does make it through raft and get applied to the FSM (failsafe)
2024-11-22 11:16:38 -06:00
Mark Campbell-Vincent
bbb2e797f9
Update API Group under backendRefs ()
* Update routes.mdx

Currently backendRefs refers to api-gateway.consul.hashicorp.com as the API Group that should be used when kind is set to Mesh Service. Based on mesh service template, it should just be consul.hashicorp.com.

* Update backendRefs in route to peered doc
2024-11-21 19:51:17 -05:00
John Murret
3c3bdba926
NET-11737 - sec vulnerability - remediate ability to use bexpr to filter results without ACL read on endpoint ()
* NET-11737 - sec vulnerability - remediate ability to use bexpr to filter results without ACL read on endpoint

* add changelog

* update test descriptions to make more sense
2024-11-20 16:26:12 -07:00
Dhia Ayachi
21cca2dc5b
Fix PeerUpstreamEndpoints and UpstreamPeerTrustBundles to only Cancel watch when needed, otherwise keep the watch active ()
* fix to only reset peering watches when no other target need watching

* remove unused logger

* add changelog

* Update .changelog/21871.txt

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

---------

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
2024-11-19 09:36:13 -05:00
sarahalsmiller
6662e48363
Update JWT to resolve CVE-2024-51744 ()
* update jwt package

* add changelog
2024-11-18 13:51:35 -06:00
xwa153
9e75e62a7c
Update CODEOWNER ()
* update code owners
2024-11-15 12:50:06 -08:00
sarahalsmiller
32ce33825d
[Security] Secvuln 8633 Consul configuration allowed repeated keys ()
* upgrade hcl package and account for possibility of duplicates existing already in the cache

* upgrade to new tag

* add defensive line to prevent potential forever loop

* go mod tidy and changelog

* Update acl/policy.go

* fix raft reversion

* go mod tidy

* fix test

* remove duplicate key in test

* remove duplicates from test cases

* clean up

* go mod tidy

* go mod tidy

* pull in new hcl tag
2024-11-14 09:57:08 -06:00
R.B. Boyer
a2e69236a2
v2: remove HCP Link integration ()
Also prevent de-registered retired v2 types from being restored from a
snapshot, such as these hcp resources. Without doing this, anyone with
any of these types in their state store will retain them forever with no
avenue to remove them.
2024-11-07 11:47:55 -06:00
Yasmin Lorin Kaygalak
32515c77f2
Added the docs for all the grafana dashboards. ()
* Added the docs for all the grafana dashboards.

 Author:   Yasmin Lorin Kaygalak <ykaygala@villanova.edu>

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2024-11-05 10:06:29 -05:00
Jeff Boruszak
f376b6a227
Docs/CE-749-remove-references-from-consul ()
* delete HCP Consul Central references

* Path correction

* missed listing

* Nav update
2024-11-05 06:59:52 -06:00
Deniz Onur Duzgun
1dfc265abe
ci(security-scanner): add support for Red Hat UBI images and fix typo ()
* ci(security-scanner): add support for Red Hat UBI images and fix typo

* hclfmt

* clean-up comments

Co-authored-by: Kent Gruber <kent@hashicorp.com>

---------

Co-authored-by: Kent Gruber <kent@hashicorp.com>
2024-11-04 14:52:01 -05:00
John Maguire
59447e9579
Update changelog ()
2024-10-30 14:03:25 -07:00
Jeff Boruszak
6351a821aa
docs: add missing slash in redirect ()
missing slash
2024-10-29 09:53:41 -07:00
Tom Davies
31aae80389
Allow multiple endpoints in Envoy clusters configured with hostnames ()
* xds: allow multiple endpoints for strict_dns

* xds: fixes typo in multi hostname warning
2024-10-28 12:18:04 -07:00
Michael Zalimeni
40c7f73629
[NET-1151 NET-11046] docs: clarify request normalization and L7 headers feature availability ()
docs: clarify request normalization and L7 headers feature availability

- Add notes on feature availability tied to specific fix versions
- Add missing 1.20 upgrade entry
- Remove erroneous 1.17 upgrade entry (version DNE)
- Add missing HCL variant for service intentions config
2024-10-28 11:06:28 -06:00
Michael Zalimeni
2618fc1bd9
chore: retain retracted api submodule version ()
2024-10-21 19:58:16 -06:00
sarahalsmiller
e9dbcedaf3
Upgrade envoy version in nightly integration tests ()
Update nightly-test-integrations.yml
2024-10-21 16:19:53 -05:00
Nathan Coleman
94ca67463b
Update Envoy compatibility matrices to include consul 1.20.x and dataplane 1.6.x ()
* Update Envoy compatibility matrices to include consul 1.20.x and dataplane 1.6.x

* Remove non-LTS version from LTS table

* Fix incorrect version in dataplane release matrix

* Remove releases that don't span versions from the matrix of releases that span versions
2024-10-17 21:34:15 +00:00
Nathan Coleman
77daebd3f8
Update compatibility matrix to include 1.20.x ()
* Update compatibility matrix to include 1.20.x

* Update compatibility.mdx
2024-10-17 16:35:44 -04:00
Michael Zalimeni
0ce6730cbe
docs: clarify Envoy and dataplane LTS support policy ()
Update matrices and clarify statements as to when Consul expands
support to new major versions of Envoy and Consul dataplane in light of
Consul LTS or Envoy EOL status.
2024-10-17 13:31:22 -04:00
sarahalsmiller
28b37812b8
Suppress CVE-2024-9143 ()
Update security-scan.hcl
2024-10-17 16:24:19 +00:00
Michael Zalimeni
d9206fc7e2
[NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass ()
mesh: add options for HTTP incoming request normalization

Expose global mesh configuration to enforce inbound HTTP request
normalization on mesh traffic via Envoy xDS config.

mesh: enable inbound URL path normalization by default

mesh: add support for L7 header match contains and ignore_case

Enable partial string and case-insensitive matching in L7 intentions
header match rules.

ui: support L7 header match contains and ignore_case

Co-authored-by: Phil Renaud <phil@riotindustries.com>

test: add request normalization integration bats tests

Add both "positive" and "negative" test suites, showing normalization in
action as well as expected results when it is not enabled, for the same
set of test cases.

Also add some alternative service container test helpers for verifying
raw HTTP request paths, which is difficult to do with Fortio.

docs: update security and reference docs for L7 intentions bypass prevention

- Update security docs with best practices for service intentions
  configuration
- Update configuration entry references for mesh and intentions to
  reflect new values and add guidance on usage
2024-10-16 12:23:33 -04:00
Michael Zalimeni
3370f6b250
chore: remove unintentionally committed consul-k8s submodule ()
Also prevent future re-commits of this submodule path by adding to
.gitignore.
2024-10-16 14:36:04 +00:00
Jeff Boruszak
7e61148f86
docs: Consul v1.20 release notes ()
* Page creation

* DNS views description

* Catalog sync and openshift

* Grafana + consul-k8s release notes

* nav update

* Fix known issues language
2024-10-15 16:40:47 -07:00
Nathan Coleman
044e408391
Post-release updates for 1.20.0 ()
* Update active version list in .release/versions.hcl

* Remove nightly tests for 1.17.x

* Add nightly tests for 1.20.x

* Gate nightly tests for 1.19.x to Enterprise only

* Update CHANGELOG.md
2024-10-15 15:55:02 +00:00
Jeff Boruszak
8f78d7cafd
docs: Consul DNS views on Kubernetes ()
* Backport of ci: update the security-scanner gha token into release/1.20.x ()

backport of commit eb9dbc93f88e8b87d60ed55101a577e49e9299e4

Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com>

* Backport of Initialize 1.20 Release into release/1.20.x ()

* backport of commit a33e903cdf367c9be90b61464aee97fdd4294fd9

* backport of commit 37163dc1a81abb4ba88c18c204ccca5ee61dae5d

* backport of commit 38f0907c7a9f4851080bdec3bb182f1b9e5bed1e

* backport of commit 6ab7ec254b51e6f5012688f8fff3d36a33e8ee57

* backport of commit 7ac4178186a22d1e11cdf0ef69c00a658a6484d0

* backport of commit 5dfebb2cf3a46d3c8a96881b5ab77bd0ff23f5c0

* backport of commit 316d68cb847193f184d3a54fc103996151d1d68a

---------

Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* Backport of Stage rc release into release/1.20.x ()

backport of commit d311f2b63836e1cae1b342f6b0fc07ff69e93f6c

Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>

* Backport of Upgrade ubi image to 9.4 into release/1.20.x ()

* backport of commit 888e302f6e87f27d0c8a0c6facfd6c3a6c8033c5

* backport of commit 17499dc4dcca4aa6f67b3f95bd24b433cd32556b

* backport of commit d933d3727d1ddf4566d0ee7612e3a64029034314

---------

Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* Backport of security: update alpine base image to 3.20 into release/1.20.x ()

* backport of commit 4421ce1677605ae118f741f4251fce65faa8ff87

* Upgrade ubi image to 9.4 ()

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* Backport of fix spacing of bash scripts into release/1.20.x ()

* backport of commit 1e97297215f985e153dd4e92c4444acebbfce0db

* backport of commit b7053f53617fec902a7bf07ebb3b8077334a5cdb

* backport of commit a391f2fa3ce1eb250e5c10546cc1459b5649e587

---------

Co-authored-by: jm96441n <john.maguire@hashicorp.com>

* Backport of [NET-11150] ci: fix conditional skip and add safeguard into release/1.20.x ()

backport of commit c3db6c90013eaa3f4a03d2d06ffea2eb9df3698f

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* initial commit

* Initial pages

* Edits to other pages + nav & redirects

* minor fixes

* Backport of security: update alpine base image to 3.20 into release/1.20.x ()

* backport of commit 4421ce1677605ae118f741f4251fce65faa8ff87

* Upgrade ubi image to 9.4 ()

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* CE-679

* align with main

* Content updates

* minor edit

* Apply suggestions from code review

Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com>
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>

* CoreDNS config update

* small edits

* typo fix

---------

Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com>
Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com>
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: jm96441n <john.maguire@hashicorp.com>
Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com>
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2024-10-14 12:38:23 -07:00
Michael Zalimeni
1648c890dd
ci: ensure int test docker pull goes through proxy ()
2024-10-14 19:02:29 +00:00
Nathan Coleman
4275e8fa82
Update ENVOY_VERSIONS ()
No new minor versions, just incrementing the patches for hygiene's sake
2024-10-14 16:52:22 +00:00
Nathan Coleman
eda961f4a2
Upgrade test improvements for 1.20.x ()
* Bump Envoy version used for 1.20.x upgrade tests

* Improve README + docstrings
2024-10-11 21:12:48 +00:00
Yasmin Lorin Kaygalak
738acfee1a
Adds grafana dashboards ()
2024-10-09 13:30:28 -04:00
Lens0021 / Leslie
09735ec72f
docs: Add missing && in DNS forwarding tutorial ()
Add missing `&&` to iptables command.

The original commands fail when being directly pasted into a shell.
2024-10-07 14:52:46 -04:00