backport of commit d0fa205

hashicorp · Apr 1, 2024 · bc1fe92 · bc1fe92
1 parent 17bc757
commit bc1fe92
Show file tree

Hide file tree

Showing 243 changed files with 3,146 additions and 9,066 deletions.
diff --git a/.changelog/20275.txt b/.changelog/20275.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+ui: Added a banner to let users link their clusters to HCP
+```
diff --git a/.changelog/20439.txt b/.changelog/20439.txt
diff --git a/.changelog/20474.txt b/.changelog/20474.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+ui: Adds a "Link to HCP Consul Central" modal with integration to side-nav and link to HCP banner. There will be an option to disable the Link to HCP banner from the UI in a follow-up release.
+```
diff --git a/.changelog/20514.txt b/.changelog/20514.txt
diff --git a/.changelog/20674.txt b/.changelog/20674.txt
diff --git a/.changelog/20802.txt b/.changelog/20802.txt
diff --git a/.changelog/20824.txt b/.changelog/20824.txt
diff --git a/.changelog/20866.txt b/.changelog/20866.txt
diff --git a/.changelog/20867.txt b/.changelog/20867.txt
diff --git a/.changelog/20868.txt b/.changelog/20868.txt
diff --git a/.changelog/20876.txt b/.changelog/20876.txt
diff --git a/.changelog/20897.txt b/.changelog/20897.txt
@@ -0,0 +1,3 @@
+```release-note:security
+ Bump Dockerfile base image to `alpine:3.19`. 
+ ```
diff --git a/.changelog/20926.txt b/.changelog/20926.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+error running consul server in 1.18.0: failed to configure SCADA provider user's home directory path: $HOME is not defined
+```
diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml
@@ -490,26 +490,6 @@ jobs:
       consul-license: ${{secrets.CONSUL_LICENSE}}
       datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}"
 
-  go-test-testing-deployer:
-    needs:
-    - setup
-    - get-go-version
-    - dev-build
-    uses: ./.github/workflows/reusable-unit.yml
-    with:
-      directory: testing/deployer
-      runs-on: ${{ needs.setup.outputs.compute-large }}
-      repository-name: ${{ github.repository }}
-      go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consuldev' || '' }}"
-      go-version: ${{ needs.get-go-version.outputs.go-version }}
-    permissions:
-      id-token: write # NOTE: this permission is explicitly required for Vault auth.
-      contents: read
-    secrets:
-      elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
-      consul-license: ${{secrets.CONSUL_LICENSE}}
-      datadog-api-key: "${{ !endsWith(github.repository, '-enterprise') && secrets.DATADOG_API_KEY || '' }}"
-
   noop:
     runs-on: ubuntu-latest
     steps:
@@ -552,7 +532,6 @@ jobs:
     - go-test-sdk-backwards-compatibility
     - go-test-sdk
     - go-test-32bit
-    - go-test-testing-deployer
     # - go-test-s390x
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
     if: always() && needs.conditional-skip.outputs.skip-ci != 'true'
@@ -606,4 +585,4 @@ jobs:
               "message": ${{ toJSON(env.SLACK_MESSAGE_RAW) }}
             }
         env:
-          SLACK_WEBHOOK_URL: ${{ secrets.CONSUL_PROTECTED_BRANCH_TEST_SLACK_WEBHOOK }}
+          SLACK_WEBHOOK_URL: ${{ secrets.CONSUL_PROTECTED_BRANCH_TEST_SLACK_WEBHOOK }}
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
@@ -67,4 +67,15 @@ binary {
 			]
 		}
 	}
+
+	# Triage items that are _safe_ to ignore here. Note that this list should be
+	# periodically cleaned up to remove items that are no longer found by the scanner.
+	triage {
+		suppress {
+			# N.b. `vulnerabilites` is the correct spelling for this tool.
+			vulnerabilites = [
+				"GO-2024-2631", # go-jose/[email protected] (false positive)
+			]
+		}
+	}
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/Dockerfile b/Dockerfile
@@ -16,7 +16,7 @@
 # Official docker image that includes binaries from releases.hashicorp.com. This
 # downloads the release from releases.hashicorp.com and therefore requires that
 # the release is published before building the Docker image.
-FROM docker.mirror.hashicorp.services/alpine:3.18 as official
+FROM docker.mirror.hashicorp.services/alpine:3.19 as official
 
 # This is the release of Consul to pull in.
 ARG VERSION
@@ -112,7 +112,7 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"]
 
 # Production docker image that uses CI built binaries.
 # Remember, this image cannot be built locally.
-FROM docker.mirror.hashicorp.services/alpine:3.18 as default
+FROM docker.mirror.hashicorp.services/alpine:3.19 as default
 
 ARG PRODUCT_VERSION
 ARG BIN_NAME

diff --git a/Makefile b/Makefile
@@ -11,11 +11,11 @@ GO_MODULES := $(shell find . -name go.mod -exec dirname {} \; | grep -v "proto-g
 # or the string @DEV to imply use what is currently installed locally.
 ###
 GOLANGCI_LINT_VERSION='v1.55.2'
-MOCKERY_VERSION='v2.41.0'
+MOCKERY_VERSION='v2.37.1'
 BUF_VERSION='v1.26.0'
 
 PROTOC_GEN_GO_GRPC_VERSION='v1.2.0'
-MOG_VERSION='v0.4.2'
+MOG_VERSION='v0.4.1'
 PROTOC_GO_INJECT_TAG_VERSION='v1.3.0'
 PROTOC_GEN_GO_BINARY_VERSION='v0.1.0'
 DEEP_COPY_VERSION='bc3f5aa5735d8a54961580a3a24422c308c831c2'

diff --git a/agent/agent.go b/agent/agent.go
@@ -833,7 +833,6 @@ func (a *Agent) Start(ctx context.Context) error {
 			Segment:       a.config.SegmentName,
 			Node:          a.config.NodeName,
 			NodePartition: a.config.PartitionOrEmpty(),
-			DisableNode:   true, // Disable for agentless so that streaming RPCs can be used.
 		},
 		DNSConfig: proxycfg.DNSConfig{
 			Domain:    a.config.DNSDomain,
@@ -879,7 +878,6 @@ func (a *Agent) Start(ctx context.Context) error {
 
 	// start DNS servers
 	if a.baseDeps.UseV2DNS() {
-		a.logger.Warn("DNS v2 is under construction")
 		if err := a.listenAndServeV2DNS(); err != nil {
 			return err
 		}
@@ -1321,7 +1319,7 @@ func (a *Agent) listenHTTP() ([]apiServer, error) {
 	}
 
 	httpAddrs := a.config.HTTPAddrs
-	if a.scadaProvider != nil {
+	if a.config.IsCloudEnabled() && a.scadaProvider != nil {
 		httpAddrs = append(httpAddrs, scada.CAPCoreAPI)
 	}
 

diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -6341,6 +6341,7 @@ func TestAgent_scadaProvider(t *testing.T) {
 	pvd.EXPECT().Listen(scada.CAPCoreAPI.Capability()).Return(l, nil).Once()
 	pvd.EXPECT().Stop().Return(nil).Once()
 	a := TestAgent{
+		HCL: `cloud = { resource_id = "test-resource-id" client_id = "test-client-id" client_secret = "test-client-secret" }`,
 		OverrideDeps: func(deps *BaseDeps) {
 			deps.HCP.Provider = pvd
 		},

diff --git a/agent/catalog_endpoint_test.go b/agent/catalog_endpoint_test.go
@@ -1938,12 +1938,11 @@ func TestCatalog_GatewayServices_Terminating(t *testing.T) {
 					SNI:      "my-domain",
 				},
 				{
-					Name:                   "*",
-					CAFile:                 "ca.crt",
-					CertFile:               "client.crt",
-					KeyFile:                "client.key",
-					SNI:                    "my-alt-domain",
-					DisableAutoHostRewrite: true,
+					Name:     "*",
+					CAFile:   "ca.crt",
+					CertFile: "client.crt",
+					KeyFile:  "client.key",
+					SNI:      "my-alt-domain",
 				},
 			},
 		},
@@ -1966,25 +1965,23 @@ func TestCatalog_GatewayServices_Terminating(t *testing.T) {
 
 		expect := structs.GatewayServices{
 			{
-				Service:         structs.NewServiceName("api", nil),
-				Gateway:         structs.NewServiceName("terminating", nil),
-				GatewayKind:     structs.ServiceKindTerminatingGateway,
-				CAFile:          "api/ca.crt",
-				CertFile:        "api/client.crt",
-				KeyFile:         "api/client.key",
-				SNI:             "my-domain",
-				AutoHostRewrite: true,
+				Service:     structs.NewServiceName("api", nil),
+				Gateway:     structs.NewServiceName("terminating", nil),
+				GatewayKind: structs.ServiceKindTerminatingGateway,
+				CAFile:      "api/ca.crt",
+				CertFile:    "api/client.crt",
+				KeyFile:     "api/client.key",
+				SNI:         "my-domain",
 			},
 			{
-				Service:         structs.NewServiceName("redis", nil),
-				Gateway:         structs.NewServiceName("terminating", nil),
-				GatewayKind:     structs.ServiceKindTerminatingGateway,
-				CAFile:          "ca.crt",
-				CertFile:        "client.crt",
-				KeyFile:         "client.key",
-				SNI:             "my-alt-domain",
-				FromWildcard:    true,
-				AutoHostRewrite: false,
+				Service:      structs.NewServiceName("redis", nil),
+				Gateway:      structs.NewServiceName("terminating", nil),
+				GatewayKind:  structs.ServiceKindTerminatingGateway,
+				CAFile:       "ca.crt",
+				CertFile:     "client.crt",
+				KeyFile:      "client.key",
+				SNI:          "my-alt-domain",
+				FromWildcard: true,
 			},
 		}
 

diff --git a/agent/config/builder.go b/agent/config/builder.go
@@ -1114,8 +1114,8 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 		LocalProxyConfigResyncInterval:    30 * time.Second,
 	}
 
-	// host metrics are enabled by default to support HashiCorp Cloud Platform integration
-	rt.Telemetry.EnableHostMetrics = boolValWithDefault(c.Telemetry.EnableHostMetrics, true)
+	// host metrics are enabled if consul is configured with HashiCorp Cloud Platform integration
+	rt.Telemetry.EnableHostMetrics = boolValWithDefault(c.Telemetry.EnableHostMetrics, rt.IsCloudEnabled())
 
 	rt.TLS, err = b.buildTLSConfig(rt, c.TLS)
 	if err != nil {

diff --git a/agent/config/builder_test.go b/agent/config/builder_test.go
@@ -632,8 +632,7 @@ func TestBuilder_CheckExperimentsInSecondaryDatacenters(t *testing.T) {
 			expectErr: true,
 		},
 		"secondary server v2dns": {
-			hcl:       secondary + `experiments = ["v2dns"]`,
-			expectErr: true,
+			hcl: secondary + `experiments = ["v2dns"]`,
 		},
 		"secondary server v2tenancy": {
 			hcl:       secondary + `experiments = ["v2tenancy"]`,

diff --git a/agent/consul/catalog_endpoint_test.go b/agent/consul/catalog_endpoint_test.go
@@ -3187,36 +3187,33 @@ func TestCatalog_GatewayServices_TerminatingGateway(t *testing.T) {
 
 		expect := structs.GatewayServices{
 			{
-				Service:         structs.NewServiceName("api", nil),
-				Gateway:         structs.NewServiceName("gateway", nil),
-				GatewayKind:     structs.ServiceKindTerminatingGateway,
-				CAFile:          "api/ca.crt",
-				CertFile:        "api/client.crt",
-				KeyFile:         "api/client.key",
-				SNI:             "my-domain",
-				ServiceKind:     structs.GatewayServiceKindService,
-				AutoHostRewrite: true,
+				Service:     structs.NewServiceName("api", nil),
+				Gateway:     structs.NewServiceName("gateway", nil),
+				GatewayKind: structs.ServiceKindTerminatingGateway,
+				CAFile:      "api/ca.crt",
+				CertFile:    "api/client.crt",
+				KeyFile:     "api/client.key",
+				SNI:         "my-domain",
+				ServiceKind: structs.GatewayServiceKindService,
 			},
 			{
-				Service:         structs.NewServiceName("db", nil),
-				Gateway:         structs.NewServiceName("gateway", nil),
-				GatewayKind:     structs.ServiceKindTerminatingGateway,
-				CAFile:          "",
-				CertFile:        "",
-				KeyFile:         "",
-				ServiceKind:     structs.GatewayServiceKindService,
-				AutoHostRewrite: true,
+				Service:     structs.NewServiceName("db", nil),
+				Gateway:     structs.NewServiceName("gateway", nil),
+				GatewayKind: structs.ServiceKindTerminatingGateway,
+				CAFile:      "",
+				CertFile:    "",
+				KeyFile:     "",
+				ServiceKind: structs.GatewayServiceKindService,
 			},
 			{
-				Service:         structs.NewServiceName("redis", nil),
-				Gateway:         structs.NewServiceName("gateway", nil),
-				GatewayKind:     structs.ServiceKindTerminatingGateway,
-				CAFile:          "ca.crt",
-				CertFile:        "client.crt",
-				KeyFile:         "client.key",
-				SNI:             "my-alt-domain",
-				FromWildcard:    true,
-				AutoHostRewrite: true,
+				Service:      structs.NewServiceName("redis", nil),
+				Gateway:      structs.NewServiceName("gateway", nil),
+				GatewayKind:  structs.ServiceKindTerminatingGateway,
+				CAFile:       "ca.crt",
+				CertFile:     "client.crt",
+				KeyFile:      "client.key",
+				SNI:          "my-alt-domain",
+				FromWildcard: true,
 			},
 		}
 
@@ -3348,11 +3345,10 @@ func TestCatalog_GatewayServices_BothGateways(t *testing.T) {
 
 		expect := structs.GatewayServices{
 			{
-				Service:         structs.NewServiceName("api", nil),
-				Gateway:         structs.NewServiceName("gateway", nil),
-				GatewayKind:     structs.ServiceKindTerminatingGateway,
-				ServiceKind:     structs.GatewayServiceKindService,
-				AutoHostRewrite: true,
+				Service:     structs.NewServiceName("api", nil),
+				Gateway:     structs.NewServiceName("gateway", nil),
+				GatewayKind: structs.ServiceKindTerminatingGateway,
+				ServiceKind: structs.GatewayServiceKindService,
 			},
 		}
 
@@ -3572,18 +3568,16 @@ service "gateway" {
 
 		expect := structs.GatewayServices{
 			{
-				Service:         structs.NewServiceName("db", nil),
-				Gateway:         structs.NewServiceName("gateway", nil),
-				GatewayKind:     structs.ServiceKindTerminatingGateway,
-				ServiceKind:     structs.GatewayServiceKindService,
-				AutoHostRewrite: true,
+				Service:     structs.NewServiceName("db", nil),
+				Gateway:     structs.NewServiceName("gateway", nil),
+				GatewayKind: structs.ServiceKindTerminatingGateway,
+				ServiceKind: structs.GatewayServiceKindService,
 			},
 			{
-				Service:         structs.NewServiceName("db_replica", nil),
-				Gateway:         structs.NewServiceName("gateway", nil),
-				GatewayKind:     structs.ServiceKindTerminatingGateway,
-				ServiceKind:     structs.GatewayServiceKindUnknown,
-				AutoHostRewrite: true,
+				Service:     structs.NewServiceName("db_replica", nil),
+				Gateway:     structs.NewServiceName("gateway", nil),
+				GatewayKind: structs.ServiceKindTerminatingGateway,
+				ServiceKind: structs.GatewayServiceKindUnknown,
 			},
 		}
 

diff --git a/agent/consul/controller/controller.go b/agent/consul/controller/controller.go
@@ -11,9 +11,8 @@ import (
 	"sync/atomic"
 	"time"
 
-	"golang.org/x/sync/errgroup"
-
 	"github.com/hashicorp/go-hclog"
+	"golang.org/x/sync/errgroup"
 
 	"github.com/hashicorp/consul/agent/consul/controller/queue"
 	"github.com/hashicorp/consul/agent/consul/state"
@@ -417,7 +416,7 @@ func (c *controller) reconcileHandler(ctx context.Context, req Request) {
 		var requeueAfter RequeueAfterError
 		if errors.As(err, &requeueAfter) {
 			c.work.Forget(req)
-			c.work.AddAfter(req, time.Duration(requeueAfter), false)
+			c.work.AddAfter(req, time.Duration(requeueAfter))
 			return
 		}