diff --git a/.changelog/21616.txt b/.changelog/21616.txt new file mode 100644 index 000000000000..f26b47c711d8 --- /dev/null +++ b/.changelog/21616.txt @@ -0,0 +1,3 @@ +```release-note: improvement +connect: Add Envoy 1.31 and 1.30 to support matrix +``` diff --git a/.changelog/21703.txt b/.changelog/21703.txt new file mode 100644 index 000000000000..41d226e4898e --- /dev/null +++ b/.changelog/21703.txt @@ -0,0 +1,3 @@ +```release-note:bug +jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. +``` diff --git a/.changelog/21704.txt b/.changelog/21704.txt new file mode 100644 index 000000000000..4e42741ebb39 --- /dev/null +++ b/.changelog/21704.txt @@ -0,0 +1,3 @@ +```release-note:security +Explicitly set 'Content-Type' header to mitigate XSS vulnerability. +``` \ No newline at end of file diff --git a/.changelog/21710.txt b/.changelog/21710.txt new file mode 100644 index 000000000000..d557407635c1 --- /dev/null +++ b/.changelog/21710.txt @@ -0,0 +1,3 @@ +```release-note:security +ui: Pin a newer resolution of Braces +``` diff --git a/.changelog/21711.txt b/.changelog/21711.txt new file mode 100644 index 000000000000..b3ab185a2a3f --- /dev/null +++ b/.changelog/21711.txt @@ -0,0 +1,3 @@ +```release-note:security +Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. +``` diff --git a/.changelog/21715.txt b/.changelog/21715.txt new file mode 100644 index 000000000000..1b9402193232 --- /dev/null +++ b/.changelog/21715.txt @@ -0,0 +1,3 @@ +```release-note:security +ui: Pin a newer resolution of Codemirror +``` diff --git a/.changelog/21717.txt b/.changelog/21717.txt new file mode 100644 index 000000000000..2b51e643020d --- /dev/null +++ b/.changelog/21717.txt @@ -0,0 +1,3 @@ +```release-note:security +ui: Pin a newer resolution of Markdown-it +``` diff --git a/.changelog/21726.txt b/.changelog/21726.txt new file mode 100644 index 000000000000..20251e740cbe --- /dev/null +++ b/.changelog/21726.txt @@ -0,0 +1,3 @@ +```release-note:security +UI: Remove codemirror linting due to package dependency +``` diff --git a/.changelog/21729.txt b/.changelog/21729.txt new file mode 100644 index 000000000000..ce334fdfe901 --- /dev/null +++ b/.changelog/21729.txt @@ -0,0 +1,4 @@ +```release-notes:security +Bump Dockerfile base image to `alpine:3.20`. +This resolves CVE-2024-7264 and CVE-2024-8096 (curl). +``` diff --git a/.changelog/21735.txt b/.changelog/21735.txt new file mode 100644 index 000000000000..223b84b4803c --- /dev/null +++ b/.changelog/21735.txt @@ -0,0 +1,3 @@ +```release-note:security +ui: Pin a newer resolution of ansi-html +``` diff --git a/.github/scripts/check_skip_ci.sh b/.github/scripts/check_skip_ci.sh index 628d8489dfad..a22b990f2692 100755 --- a/.github/scripts/check_skip_ci.sh +++ b/.github/scripts/check_skip_ci.sh @@ -13,7 +13,8 @@ set -euo pipefail # # ... `git merge-base origin/$SKIP_CHECK_BRANCH HEAD` would return commit `D` # `...HEAD` specifies from the common ancestor to the latest commit on the current branch (HEAD).. -files_to_check=$(git diff --name-only "$(git merge-base origin/$SKIP_CHECK_BRANCH HEAD~)"...HEAD) +skip_check_branch=${SKIP_CHECK_BRANCH:?SKIP_CHECK_BRANCH is required} +files_to_check=$(git diff --name-only "$(git merge-base origin/$skip_check_branch HEAD~)"...HEAD) # Define the directories to check skipped_directories=("docs/" "ui/" "website/" "grafana/" ".changelog/") @@ -46,4 +47,4 @@ for file_to_check in "${files_to_check_array[@]}"; do done echo "Changes detected in only documentation files - skipping tests and build" -echo "skip-ci=true" >> "$GITHUB_OUTPUT" \ No newline at end of file +echo "skip-ci=true" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/nightly-test-integrations-1.17.x.yml b/.github/workflows/nightly-test-integrations-1.20.x.yml similarity index 97% rename from .github/workflows/nightly-test-integrations-1.17.x.yml rename to .github/workflows/nightly-test-integrations-1.20.x.yml index 471cdb163f04..a1dd9169f3a4 100644 --- a/.github/workflows/nightly-test-integrations-1.17.x.yml +++ b/.github/workflows/nightly-test-integrations-1.20.x.yml @@ -1,7 +1,7 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 -name: Nightly test-integrations 1.17.x +name: Nightly test-integrations 1.20.x on: schedule: @@ -19,19 +19,12 @@ env: # strip the hashicorp/ off the front of github.repository for consul CONSUL_LATEST_IMAGE_NAME: ${{ endsWith(github.repository, '-enterprise') && github.repository || 'hashicorp/consul' }} GOPRIVATE: github.com/hashicorp # Required for enterprise deps - BRANCH: "release/1.17.x" - BRANCH_NAME: "release-1.17.x" # Used for naming artifacts + BRANCH: "release/1.20.x" + BRANCH_NAME: "release-1.20.x" # Used for naming artifacts jobs: - check-ent: - runs-on: ubuntu-latest - if: ${{ endsWith(github.repository, '-enterprise') }} - steps: - - run: echo "Building Enterprise" - setup: runs-on: ubuntu-latest - needs: [check-ent] name: Setup outputs: compute-small: ${{ steps.runners.outputs.compute-small }} @@ -48,16 +41,14 @@ jobs: run: .github/scripts/get_runner_classes.sh get-go-version: - needs: [check-ent] uses: ./.github/workflows/reusable-get-go-version.yml with: - ref: release/1.17.x + ref: release/1.20.x get-envoy-versions: - needs: [check-ent] uses: ./.github/workflows/reusable-get-envoy-versions.yml with: - ref: release/1.17.x + ref: release/1.20.x dev-build: needs: @@ -68,7 +59,7 @@ jobs: runs-on: ${{ needs.setup.outputs.compute-large }} repository-name: ${{ github.repository }} uploaded-binary-name: 'consul-bin' - branch-name: "release/1.17.x" + branch-name: "release/1.20.x" go-version: ${{ needs.get-go-version.outputs.go-version }} secrets: elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} @@ -223,12 +214,13 @@ jobs: DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}" DD_ENV: ci run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml - + upgrade-integration-test: runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }} needs: - setup - get-go-version + - get-envoy-versions - dev-build permissions: id-token: write # NOTE: this permission is explicitly required for Vault auth. @@ -236,7 +228,7 @@ jobs: strategy: fail-fast: false matrix: - consul-version: ["1.15", "1.16", "1.17"] + consul-version: ["1.15", "1.18", "1.19"] env: CONSUL_LATEST_VERSION: ${{ matrix.consul-version }} # ENVOY_VERSION should be the latest version supported by _all_ Consul versions in the @@ -372,7 +364,7 @@ jobs: strategy: fail-fast: false matrix: - consul-version: [ "1.15", "1.16", "1.17"] + consul-version: ["1.15", "1.18", "1.19"] env: CONSUL_LATEST_VERSION: ${{ matrix.consul-version }} steps: @@ -460,7 +452,7 @@ jobs: - upgrade-integration-test - upgrade-integration-test-deployer runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }} - if: ${{ always() && endsWith(github.repository, '-enterprise') }} + if: ${{ always() }} steps: - name: evaluate upstream job results run: | diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 427acd02bb88..0a048c644779 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -9,6 +9,10 @@ on: branches: - main - release/** + paths-ignore: + - 'docs/**' + - 'grafana/**' + - '.changelog/**' # cancel existing runs of the same workflow on the same ref concurrency: @@ -16,23 +20,8 @@ concurrency: cancel-in-progress: true jobs: - conditional-skip: - runs-on: ubuntu-latest - name: Get files changed and conditionally skip CI - outputs: - skip-ci: ${{ steps.read-files.outputs.skip-ci }} - steps: - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - with: - fetch-depth: 0 - - name: Get changed files - id: read-files - run: ./.github/scripts/check_skip_ci.sh - setup: - needs: [conditional-skip] name: Setup - if: needs.conditional-skip.outputs.skip-ci != 'true' runs-on: ubuntu-latest outputs: compute-small: ${{ steps.setup-outputs.outputs.compute-small }} @@ -40,7 +29,7 @@ jobs: compute-large: ${{ steps.setup-outputs.outputs.compute-large }} compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }} steps: - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: setup-outputs name: Setup outputs run: ./.github/scripts/get_runner_classes.sh @@ -59,15 +48,15 @@ jobs: && (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }} steps: - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{ needs.get-go-version.outputs.go-version }} - name: Clone Security Scanner repo - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: hashicorp/security-scanner token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }} @@ -87,6 +76,6 @@ jobs: cat results.sarif | jq - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # codeql-bundle-v2.17.1 + uses: github/codeql-action/upload-sarif@8fd294e26a0e458834582b0fe4988d79966c7c0a # codeql-bundle-v2.18.4 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif diff --git a/.github/workflows/test-integrations.yml b/.github/workflows/test-integrations.yml index 8b14ec8e4d58..b62a4648293f 100644 --- a/.github/workflows/test-integrations.yml +++ b/.github/workflows/test-integrations.yml @@ -422,7 +422,8 @@ jobs: contents: read env: ENVOY_VERSION: ${{ needs.get-envoy-versions.outputs.max-envoy-version }} - CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.5-dev-ubi" + #TODO don't harcode this image name + CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.6-dev-ubi" steps: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 # NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos. @@ -535,7 +536,8 @@ jobs: strategy: fail-fast: false env: - DEPLOYER_CONSUL_DATAPLANE_IMAGE: "docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.3-dev" + # TODO @sarah.alsmiller Don't hardcode this version value + DEPLOYER_CONSUL_DATAPLANE_IMAGE: "docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.6-dev" steps: - name: Checkout code uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl index 05f60ddc4ad9..3edf2cac8245 100644 --- a/.release/security-scan.hcl +++ b/.release/security-scan.hcl @@ -38,10 +38,7 @@ container { suppress { # N.b. `vulnerabilites` is the correct spelling for this tool. vulnerabilites = [ - "CVE-2023-46218", # curl@8.4.0-r0 - "CVE-2023-46219", # curl@8.4.0-r0 - "CVE-2023-5678", # openssl@3.1.4-r0 - "CVE-2024-7264", # curl@8.9.0 + "CVE-2024-8096", # curl@8.9.1-r2, ] paths = [ "internal/tools/proto-gen-rpc-glue/e2e/consul/*", diff --git a/.release/versions.hcl b/.release/versions.hcl index fdc0f2989d27..7c5b4ee7eb28 100644 --- a/.release/versions.hcl +++ b/.release/versions.hcl @@ -6,6 +6,9 @@ schema = 1 active_versions { + version "1.20" { + ce_active = true + }, version "1.19" { ce_active = true } diff --git a/Dockerfile b/Dockerfile index 24c9583f91b0..55e5972bd9e5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ # Official docker image that includes binaries from releases.hashicorp.com. This # downloads the release from releases.hashicorp.com and therefore requires that # the release is published before building the Docker image. -FROM docker.mirror.hashicorp.services/alpine:3.19 as official +FROM docker.mirror.hashicorp.services/alpine:3.20 as official # This is the release of Consul to pull in. ARG VERSION @@ -112,7 +112,7 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"] # Production docker image that uses CI built binaries. # Remember, this image cannot be built locally. -FROM docker.mirror.hashicorp.services/alpine:3.19 as default +FROM docker.mirror.hashicorp.services/alpine:3.20 as default ARG PRODUCT_VERSION ARG BIN_NAME diff --git a/Makefile b/Makefile index 6ad1da52a104..b8b72d5de198 100644 --- a/Makefile +++ b/Makefile @@ -73,8 +73,8 @@ CONSUL_IMAGE_VERSION?=latest GOLANG_VERSION?=$(shell head -n 1 .go-version) # Takes the highest version from the ENVOY_VERSIONS file. ENVOY_VERSION?=$(shell cat envoyextensions/xdscommon/ENVOY_VERSIONS | grep '^[[:digit:]]' | sort -nr | head -n 1) -CONSUL_DATAPLANE_IMAGE := $(or $(CONSUL_DATAPLANE_IMAGE),"docker.io/hashicorppreview/consul-dataplane:1.3-dev-ubi") -DEPLOYER_CONSUL_DATAPLANE_IMAGE := $(or $(DEPLOYER_CONSUL_DATAPLANE_IMAGE), "docker.io/hashicorppreview/consul-dataplane:1.3-dev") +CONSUL_DATAPLANE_IMAGE := $(or $(CONSUL_DATAPLANE_IMAGE),"docker.io/hashicorppreview/consul-dataplane:1.6-dev-ubi") +DEPLOYER_CONSUL_DATAPLANE_IMAGE := $(or $(DEPLOYER_CONSUL_DATAPLANE_IMAGE), "docker.io/hashicorppreview/consul-dataplane:1.6-dev") CONSUL_VERSION?=$(shell cat version/VERSION) @@ -619,6 +619,14 @@ envoy-regen: ## Regenerating envoy golden files @find "command/connect/envoy/testdata" -name '*.golden' -delete @go test -tags '$(GOTAGS)' ./command/connect/envoy -update + +##@ Changelog + +.PHONY: gen-changelog +gen-changelog: ## Generate changelog entry for the current branch based on the currently open PR for that branch + @$(SHELL) $(CURDIR)/build-support/scripts/gen-changelog.sh + + ##@ Help # The help target prints out all targets with their descriptions organized @@ -634,3 +642,4 @@ envoy-regen: ## Regenerating envoy golden files .PHONY: help help: ## Display this help. @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + diff --git a/agent/http.go b/agent/http.go index e7ba26825a81..506377074a6e 100644 --- a/agent/http.go +++ b/agent/http.go @@ -6,6 +6,7 @@ package agent import ( "encoding/json" "fmt" + "github.com/hashicorp/go-hclog" "io" "net" "net/http" @@ -43,6 +44,11 @@ import ( "github.com/hashicorp/consul/proto/private/pbcommon" ) +const ( + contentTypeHeader = "Content-Type" + plainContentType = "text/plain; charset=utf-8" +) + var HTTPSummaries = []prometheus.SummaryDefinition{ { Name: []string{"api", "http"}, @@ -220,6 +226,7 @@ func (s *HTTPHandlers) handler() http.Handler { // If enableDebug register wrapped pprof handlers if !s.agent.enableDebug.Load() && s.checkACLDisabled() { resp.WriteHeader(http.StatusNotFound) + resp.Header().Set(contentTypeHeader, plainContentType) return } @@ -228,6 +235,7 @@ func (s *HTTPHandlers) handler() http.Handler { authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil) if err != nil { + resp.Header().Set(contentTypeHeader, plainContentType) resp.WriteHeader(http.StatusForbidden) return } @@ -237,6 +245,7 @@ func (s *HTTPHandlers) handler() http.Handler { // TODO(partitions): should this be possible in a partition? // TODO(acl-error-enhancements): We should return error details somehow here. if authz.OperatorRead(nil) != acl.Allow { + resp.Header().Set(contentTypeHeader, plainContentType) resp.WriteHeader(http.StatusForbidden) return } @@ -317,6 +326,8 @@ func (s *HTTPHandlers) handler() http.Handler { } h = withRemoteAddrHandler(h) + h = ensureContentTypeHeader(h, s.agent.logger) + s.h = &wrappedMux{ mux: mux, handler: h, @@ -337,6 +348,20 @@ func withRemoteAddrHandler(next http.Handler) http.Handler { }) } +// Injects content type explicitly if not already set into response to prevent XSS +func ensureContentTypeHeader(next http.Handler, logger hclog.Logger) http.Handler { + + return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { + next.ServeHTTP(resp, req) + + val := resp.Header().Get(contentTypeHeader) + if val == "" { + resp.Header().Set(contentTypeHeader, plainContentType) + logger.Debug("warning: content-type header not explicitly set.", "request-path", req.URL) + } + }) +} + // nodeName returns the node name of the agent func (s *HTTPHandlers) nodeName() string { return s.agent.config.NodeName @@ -380,6 +405,8 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc "from", req.RemoteAddr, "error", err, ) + //set response type to plain to prevent XSS + resp.Header().Set(contentTypeHeader, plainContentType) resp.WriteHeader(http.StatusInternalServerError) return } @@ -406,6 +433,8 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc "from", req.RemoteAddr, "error", errMsg, ) + //set response type to plain to prevent XSS + resp.Header().Set(contentTypeHeader, plainContentType) resp.WriteHeader(http.StatusForbidden) fmt.Fprint(resp, errMsg) return @@ -585,6 +614,8 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc resp.Header().Add("X-Consul-Reason", errPayload.Reason) } } else { + //set response type to plain to prevent XSS + resp.Header().Set(contentTypeHeader, plainContentType) handleErr(err) return } @@ -596,6 +627,8 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc if contentType == "application/json" { buf, err = s.marshalJSON(req, obj) if err != nil { + //set response type to plain to prevent XSS + resp.Header().Set(contentTypeHeader, plainContentType) handleErr(err) return } @@ -606,7 +639,7 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc } } } - resp.Header().Set("Content-Type", contentType) + resp.Header().Set(contentTypeHeader, contentType) resp.WriteHeader(httpCode) resp.Write(buf) } diff --git a/agent/http_test.go b/agent/http_test.go index 607061d8681f..497789f68949 100644 --- a/agent/http_test.go +++ b/agent/http_test.go @@ -639,14 +639,14 @@ func TestHTTPAPIResponseHeaders(t *testing.T) { `) defer a.Shutdown() - requireHasHeadersSet(t, a, "/v1/agent/self") + requireHasHeadersSet(t, a, "/v1/agent/self", "application/json") // Check the Index page that just renders a simple message with UI disabled // also gets the right headers. - requireHasHeadersSet(t, a, "/") + requireHasHeadersSet(t, a, "/", "text/plain; charset=utf-8") } -func requireHasHeadersSet(t *testing.T, a *TestAgent, path string) { +func requireHasHeadersSet(t *testing.T, a *TestAgent, path string, contentType string) { t.Helper() resp := httptest.NewRecorder() @@ -661,6 +661,9 @@ func requireHasHeadersSet(t *testing.T, a *TestAgent, path string) { require.Equal(t, "1; mode=block", hdrs.Get("X-XSS-Protection"), "X-XSS-Protection header value incorrect") + + require.Equal(t, contentType, hdrs.Get("Content-Type"), + "") } func TestUIResponseHeaders(t *testing.T) { @@ -680,7 +683,28 @@ func TestUIResponseHeaders(t *testing.T) { `) defer a.Shutdown() - requireHasHeadersSet(t, a, "/ui") + //response header for the UI appears to be being handled by the UI itself. + requireHasHeadersSet(t, a, "/ui", "text/plain; charset=utf-8") +} + +func TestErrorContentTypeHeaderSet(t *testing.T) { + if testing.Short() { + t.Skip("too slow for testing.Short") + } + + t.Parallel() + a := NewTestAgent(t, ` + http_config { + response_headers = { + "Access-Control-Allow-Origin" = "*" + "X-XSS-Protection" = "1; mode=block" + "X-Frame-Options" = "SAMEORIGIN" + } + } + `) + defer a.Shutdown() + + requireHasHeadersSet(t, a, "/fake-path-doesn't-exist", "text/plain; charset=utf-8") } func TestAcceptEncodingGzip(t *testing.T) { diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go index ba04dada22e8..1d69f804c7dd 100644 --- a/agent/xds/clusters.go +++ b/agent/xds/clusters.go @@ -214,9 +214,12 @@ func makeJWTProviderCluster(p *structs.JWTProviderConfigEntry) (*envoy_cluster_v return nil, err } + discoveryType := makeJWKSDiscoveryClusterType(p.JSONWebKeySet.Remote) + lookupFamily := makeJWKSClusterDNSLookupFamilyType(discoveryType) cluster := &envoy_cluster_v3.Cluster{ Name: makeJWKSClusterName(p.Name), - ClusterDiscoveryType: makeJWKSDiscoveryClusterType(p.JSONWebKeySet.Remote), + ClusterDiscoveryType: discoveryType, + DnsLookupFamily: lookupFamily, LoadAssignment: &envoy_endpoint_v3.ClusterLoadAssignment{ ClusterName: makeJWKSClusterName(p.Name), Endpoints: []*envoy_endpoint_v3.LocalityLbEndpoints{ @@ -278,6 +281,23 @@ func makeJWKSDiscoveryClusterType(r *structs.RemoteJWKS) *envoy_cluster_v3.Clust return ct } +func makeJWKSClusterDNSLookupFamilyType(r *envoy_cluster_v3.Cluster_Type) envoy_cluster_v3.Cluster_DnsLookupFamily { + // When using LOGICAL_DNS we want to use the Cluster_ALL lookup family which will fetch all the ip addresses for a given hostname and then + // try to connect to each one and will create the cluster based on the first one that passes. + // When using STRICT_DNS we want to use the CLUSTER_V4_PREFERRED lookup family which will prefer + // creating clusters using ipv4 addresses if those are available. + // Otherwise we fallback to Cluser_AUTO which will use the default behavior, and will be ignored as per the documentation. + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily + switch r.Type { + case envoy_cluster_v3.Cluster_LOGICAL_DNS: + return envoy_cluster_v3.Cluster_ALL + case envoy_cluster_v3.Cluster_STRICT_DNS: + return envoy_cluster_v3.Cluster_V4_PREFERRED + default: + return envoy_cluster_v3.Cluster_AUTO + } +} + func makeJWTCertValidationContext(p *structs.JWKSCluster) *envoy_tls_v3.CertificateValidationContext { vc := &envoy_tls_v3.CertificateValidationContext{} if p == nil || p.TLSCertificates == nil { diff --git a/agent/xds/clusters_test.go b/agent/xds/clusters_test.go index b5105bb698b1..75ef06693169 100644 --- a/agent/xds/clusters_test.go +++ b/agent/xds/clusters_test.go @@ -380,6 +380,56 @@ func TestMakeJWKSDiscoveryClusterType(t *testing.T) { } } +func TestMakeJWKSClusterDNSLookupFamilyType(t *testing.T) { + tests := map[string]struct { + clusterType *envoy_cluster_v3.Cluster_Type + expectedDNSLookupFamily envoy_cluster_v3.Cluster_DnsLookupFamily + }{ + // strict dns and logical dns are the only ones that are different + "jwks with strict dns": { + clusterType: &envoy_cluster_v3.Cluster_Type{ + Type: envoy_cluster_v3.Cluster_STRICT_DNS, + }, + expectedDNSLookupFamily: envoy_cluster_v3.Cluster_V4_PREFERRED, + }, + "jwks with logical dns": { + clusterType: &envoy_cluster_v3.Cluster_Type{ + Type: envoy_cluster_v3.Cluster_LOGICAL_DNS, + }, + expectedDNSLookupFamily: envoy_cluster_v3.Cluster_ALL, + }, + // all should be auto from here down + "jwks with cluster EDS": { + clusterType: &envoy_cluster_v3.Cluster_Type{ + Type: envoy_cluster_v3.Cluster_EDS, + }, + expectedDNSLookupFamily: envoy_cluster_v3.Cluster_AUTO, + }, + "jwks with static dns": { + clusterType: &envoy_cluster_v3.Cluster_Type{ + Type: envoy_cluster_v3.Cluster_STATIC, + }, + expectedDNSLookupFamily: envoy_cluster_v3.Cluster_AUTO, + }, + + "jwks with original dst": { + clusterType: &envoy_cluster_v3.Cluster_Type{ + Type: envoy_cluster_v3.Cluster_ORIGINAL_DST, + }, + expectedDNSLookupFamily: envoy_cluster_v3.Cluster_AUTO, + }, + } + + for name, tt := range tests { + tt := tt + t.Run(name, func(t *testing.T) { + actualDNSLookupFamily := makeJWKSClusterDNSLookupFamilyType(tt.clusterType) + + require.Equal(t, tt.expectedDNSLookupFamily, actualDNSLookupFamily) + }) + } +} + func TestParseJWTRemoteURL(t *testing.T) { tests := map[string]struct { uri string diff --git a/build-support/scripts/gen-changelog.sh b/build-support/scripts/gen-changelog.sh new file mode 100755 index 000000000000..0e2835e95e5c --- /dev/null +++ b/build-support/scripts/gen-changelog.sh @@ -0,0 +1,73 @@ +#! /bin/bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +set -eo pipefail + +pr_number=$(gh pr list -H "$(git rev-parse --abbrev-ref HEAD)" -q ".[0].number" --json "number") + +# check if this changelog is referencing an enterprise change +curdir=$(pwd) + +filename = ".changelog/$pr_number.txt" +if [[ ! $curdir == *"enterprise"* ]]; then + is_enterprise = "n" + read -p "Is this an enterprise PR? (y/n): " is_enterprise + + if [[ $is_enterprise == "y" ]]; then + filename = ".changelog/_$pr_number.txt" + fi +else + filename = ".changelog/_$pr_number.txt" +fi + +# create a new changelog file +touch $filename + +echo "Created a new changelog file for PR $pr_number." + +# prompt user to pick from list of types of changlog from "breaking-change", "security", "feature", "deprecation", or "bug" +echo "Please select the type of change:" +echo "1. breaking-change" +echo "2. security" +echo "3. feature" +echo "4. deprecation" +echo "5. bug" + +if [ -z "$1" ]; then + read -p "Enter your choice: " choice +else + choice=$1 +fi + +type="" + +case $choice in +1) + type="breaking-change" + ;; +2) + type="security" + ;; +3) + type="feature" + ;; +4) + type="deprecation" + ;; +5) + type="bug" + ;; +*) + echo "Invalid choice. Please select a number from 1 to 5." + exit 1 + ;; +esac + +msg="" + +read -ep $'Please enter the changelog message:\n' msg + +echo -e "\`\`\`release-note:$type\n$msg\n\`\`\`" >>"$filename" + +cat .changelog/$pr_number.txt diff --git a/envoyextensions/xdscommon/ENVOY_VERSIONS b/envoyextensions/xdscommon/ENVOY_VERSIONS index eef7f3100eab..264a0d56cfe8 100644 --- a/envoyextensions/xdscommon/ENVOY_VERSIONS +++ b/envoyextensions/xdscommon/ENVOY_VERSIONS @@ -8,7 +8,7 @@ # # See https://www.consul.io/docs/connect/proxies/envoy#supported-versions for more information on Consul's Envoy # version support. +1.31.0 +1.30.4 1.29.7 -1.28.5 -1.27.7 -1.26.8 \ No newline at end of file +1.28.5 \ No newline at end of file diff --git a/scan.hcl b/scan.hcl index b0a1b924b470..0da769efb473 100644 --- a/scan.hcl +++ b/scan.hcl @@ -37,6 +37,7 @@ repository { "test/integration/consul-container/*", "testing/deployer/*", "test-integ/*", + "agent/uiserver/dist/assets/vendor-*.js", ] } } diff --git a/test/integration/connect/envoy/Dockerfile-tcpdump b/test/integration/connect/envoy/Dockerfile-tcpdump index 658cd30a2330..ea076961cfb3 100644 --- a/test/integration/connect/envoy/Dockerfile-tcpdump +++ b/test/integration/connect/envoy/Dockerfile-tcpdump @@ -1,4 +1,4 @@ -FROM alpine:3.17 +FROM alpine:3.20 RUN apk add --no-cache tcpdump VOLUME [ "/data" ] diff --git a/test/integration/connect/envoy/helpers.bash b/test/integration/connect/envoy/helpers.bash index 3efcd38e82e6..1173101716dd 100755 --- a/test/integration/connect/envoy/helpers.bash +++ b/test/integration/connect/envoy/helpers.bash @@ -652,7 +652,7 @@ function docker_consul_for_proxy_bootstrap { function docker_wget { local DC=$1 shift 1 - docker run --rm --network container:envoy_consul-${DC}_1 docker.mirror.hashicorp.services/alpine:3.17 wget "$@" + docker run --rm --network container:envoy_consul-${DC}_1 docker.mirror.hashicorp.services/alpine:3.20 wget "$@" } function docker_curl { diff --git a/testing/deployer/sprawl/sprawltest/test_test.go b/testing/deployer/sprawl/sprawltest/test_test.go index 84fc5ecbfd17..5195716b2b12 100644 --- a/testing/deployer/sprawl/sprawltest/test_test.go +++ b/testing/deployer/sprawl/sprawltest/test_test.go @@ -22,10 +22,11 @@ func TestSprawl(t *testing.T) { cfg := &topology.Config{ Images: topology.Images{ + // TODO NOT HARDCODE // ConsulEnterprise: "consul-dev:latest", - ConsulCE: "hashicorppreview/consul:1.17-dev", - ConsulEnterprise: "hashicorppreview/consul-enterprise:1.17-dev", - Dataplane: "hashicorppreview/consul-dataplane:1.3-dev", + ConsulCE: "hashicorppreview/consul:1.20-dev", + ConsulEnterprise: "hashicorppreview/consul-enterprise:1.20-dev", + Dataplane: "hashicorppreview/consul-dataplane:1.6-dev", }, Networks: []*topology.Network{ {Name: "dc1"}, diff --git a/testing/deployer/topology/default_versions.go b/testing/deployer/topology/default_versions.go index 9e052a44e655..b29ff69e3d4f 100644 --- a/testing/deployer/topology/default_versions.go +++ b/testing/deployer/topology/default_versions.go @@ -5,9 +5,10 @@ package topology +//TODO @sarah.alsmiller figure out if we can delete this const ( - DefaultConsulCEImage = "hashicorp/consul:1.17.0" - DefaultConsulEnterpriseImage = "hashicorp/consul-enterprise:1.17.0-ent" - DefaultEnvoyImage = "envoyproxy/envoy:v1.27.2" - DefaultDataplaneImage = "hashicorp/consul-dataplane:1.3.0" + DefaultConsulCEImage = "hashicorp/consul:1.19.0" + DefaultConsulEnterpriseImage = "hashicorp/consul-enterprise:1.19.0-ent" + DefaultEnvoyImage = "envoyproxy/envoy:v1.28.5" + DefaultDataplaneImage = "hashicorp/consul-dataplane:1.5.0" ) diff --git a/ui/package.json b/ui/package.json index 5fbcacd8e015..2fe24dda1693 100644 --- a/ui/package.json +++ b/ui/package.json @@ -22,7 +22,11 @@ "resolutions": { "xmlhttprequest-ssl": "^1.6.3", "ember-basic-dropdown": "3.0.21", - "glob": "7.2.3" + "glob": "7.2.3", + "braces": "^3.0.0", + "markdown-it": "^12.3.2", + "codemirror": "5.58.2", + "ansi-html": "0.0.8" }, "engines": { "node": "18" diff --git a/ui/packages/consul-ui/app/components/code-editor/index.js b/ui/packages/consul-ui/app/components/code-editor/index.js index 65566d159b76..012f9698dde9 100644 --- a/ui/packages/consul-ui/app/components/code-editor/index.js +++ b/ui/packages/consul-ui/app/components/code-editor/index.js @@ -11,8 +11,6 @@ const DEFAULTS = { lineNumbers: true, theme: 'hashi', showCursorWhenSelecting: true, - gutters: ['CodeMirror-lint-markers'], - lint: true, }; export default Component.extend({ settings: service('settings'), @@ -51,7 +49,6 @@ export default Component.extend({ const editor = this.editor; editor.setOption('mode', mode.mime); - this.helper.lint(editor, mode.mode); set(this, 'mode', mode); } }, diff --git a/ui/packages/consul-ui/app/services/code-mirror/linter.js b/ui/packages/consul-ui/app/services/code-mirror/linter.js index 66b4a3dc4d36..74a0a45b0140 100644 --- a/ui/packages/consul-ui/app/services/code-mirror/linter.js +++ b/ui/packages/consul-ui/app/services/code-mirror/linter.js @@ -4,7 +4,6 @@ */ import Service, { inject as service } from '@ember/service'; -import lint from 'consul-ui/utils/editor/lint'; const MODES = [ { name: 'JSON', @@ -41,10 +40,6 @@ export default class LinterService extends Service { return MODES; } - lint() { - return lint(...arguments); - } - getEditor(element) { return this.dom.element('textarea + div', element).CodeMirror; } diff --git a/ui/packages/consul-ui/app/utils/editor/lint.js b/ui/packages/consul-ui/app/utils/editor/lint.js deleted file mode 100644 index 4c3e824e44bb..000000000000 --- a/ui/packages/consul-ui/app/utils/editor/lint.js +++ /dev/null @@ -1,43 +0,0 @@ -/** - * Copyright (c) HashiCorp, Inc. - * SPDX-License-Identifier: BUSL-1.1 - */ - -/*global CodeMirror*/ - -// CodeMirror doesn't seem to have anyway to hook into whether a mode -// has already loaded, or when a mode has finished loading -// follow more or less what CodeMirror does but doesn't expose -// see codemirror/addon/mode/loadmode.js - -export const createLoader = function ( - $$ = document.getElementsByTagName.bind(document), - CM = CodeMirror -) { - CM.registerHelper('lint', 'ruby', function (text) { - return []; - }); - return function (editor, mode, cb) { - let scripts = [...$$('script')]; - const loaded = scripts.find(function (item) { - return item.src.indexOf(`/codemirror/mode/${mode}/${mode}.js`) !== -1; - }); - CM.autoLoadMode(editor, mode); - if (loaded) { - cb(); - } else { - scripts = [...$$('script')]; - CM.on(scripts[0], 'load', function () { - cb(); - }); - } - }; -}; -const load = createLoader(); -export default function (editor, mode) { - load(editor, mode, function () { - if (editor.getValue().trim().length) { - editor.performLint(); - } - }); -} diff --git a/ui/packages/consul-ui/app/utils/get-environment.js b/ui/packages/consul-ui/app/utils/get-environment.js index 91195d896281..ebfc1763e616 100644 --- a/ui/packages/consul-ui/app/utils/get-environment.js +++ b/ui/packages/consul-ui/app/utils/get-environment.js @@ -4,6 +4,19 @@ */ import { runInDebug } from '@ember/debug'; +import { htmlSafe } from '@ember/template'; + +function sanitizeString(str) { + return htmlSafe( + String(str) + .replace(/&/g, '&') + .replace(//g, '>') + .replace(/"/g, '"') + .replace(/'/g, ''') + ); +} + // 'environment' getter // there are currently 3 levels of environment variables: // 1. Those that can be set by the user by setting localStorage values @@ -58,9 +71,16 @@ export default function (config = {}, win = window, doc = document) { } else { str = cookies(doc.cookie).join(';'); const tab = win.open('', '_blank'); - tab.document.write( - `
${location.href}#${str}

Scenario` - ); + if (tab) { + const safeLocationHref = sanitizeString(location.href); + const safeStr = sanitizeString(str); + tab.document.write(` + + 
${safeLocationHref}#${safeStr}

+ Scenario + + `); + } } }; diff --git a/ui/packages/consul-ui/ember-cli-build.js b/ui/packages/consul-ui/ember-cli-build.js index 653c18df5f75..ecfdc1b35ac6 100644 --- a/ui/packages/consul-ui/ember-cli-build.js +++ b/ui/packages/consul-ui/ember-cli-build.js @@ -206,13 +206,7 @@ module.exports = function (defaults, $ = process.env) { }, codemirror: { keyMaps: ['sublime'], - addonFiles: [ - 'lint/lint.css', - 'lint/lint.js', - 'lint/json-lint.js', - 'lint/yaml-lint.js', - 'mode/loadmode.js', - ], + addonFiles: ['lint/lint.css', 'lint/yaml-lint.js', 'mode/loadmode.js'], }, sassOptions: { implementation: require('sass'), @@ -270,10 +264,7 @@ module.exports = function (defaults, $ = process.env) { // CSS.escape polyfill app.import('node_modules/css.escape/css.escape.js', { outputFile: 'assets/css.escape.js' }); - // JSON linting support. Possibly dynamically loaded via CodeMirror linting. See components/code-editor.js - app.import('node_modules/jsonlint/lib/jsonlint.js', { - outputFile: 'assets/codemirror/mode/javascript/javascript.js', - }); + // Possibly dynamically loaded via CodeMirror linting. See components/code-editor.js app.import('node_modules/codemirror/mode/javascript/javascript.js', { outputFile: 'assets/codemirror/mode/javascript/javascript.js', }); diff --git a/ui/packages/consul-ui/package.json b/ui/packages/consul-ui/package.json index 850cf5cb7b68..44149453e5e0 100644 --- a/ui/packages/consul-ui/package.json +++ b/ui/packages/consul-ui/package.json @@ -170,7 +170,6 @@ "husky": "^4.2.5", "ivy-codemirror": "^2.1.0", "js-yaml": "^4.0.0", - "jsonlint": "^1.6.3", "lint-staged": "^10.2.11", "loader.js": "^4.7.0", "mnemonist": "^0.38.0", diff --git a/ui/yarn.lock b/ui/yarn.lock index c993d4c3c196..10cbc0221d58 100644 --- a/ui/yarn.lock +++ b/ui/yarn.lock @@ -2698,11 +2698,6 @@ resolved "https://registry.npmjs.org/@xtuc/long/-/long-4.2.2.tgz#d291c6a4e97989b5c61d9acf396ae4fe133a718d" integrity sha512-NuHqBY1PB/D8xU6s/thBgOAiAP7HOYDQ32+BFZILJ8ivkUkAHQnWfn6WhL79Owj1qmUnoN/YPhktdIoucipkAQ== -JSV@^4.0.x: - version "4.0.2" - resolved "https://registry.npmjs.org/JSV/-/JSV-4.0.2.tgz#d077f6825571f82132f9dffaed587b4029feff57" - integrity sha512-ZJ6wx9xaKJ3yFUhq5/sk82PJMuUyLk277I8mQeyDgCTjGdjWJIvPfaU5LIXaMuaN2UO1X3kZH4+lgphublZUHw== - a11y-dialog@^6.0.1: version "6.1.2" resolved "https://registry.npmjs.org/a11y-dialog/-/a11y-dialog-6.1.2.tgz#7c6a1d3720462db2f2fde6badba63478fd3cc871" @@ -2869,10 +2864,10 @@ ansi-escapes@^4.2.1, ansi-escapes@^4.3.0: dependencies: type-fest "^0.21.3" -ansi-html@^0.0.7: - version "0.0.7" - resolved "https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz#813584021962a9e9e6fd039f940d12f56ca7859e" - integrity sha512-JoAxEa1DfP9m2xfB/y2r/aKcwXNlltr4+0QSBC4TrLfcxyvepX2Pv0t/xpgGV5bGsDzCYV8SzjWgyCW0T9yYbA== +ansi-html@0.0.8, ansi-html@^0.0.7: + version "0.0.8" + resolved "https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.8.tgz#e969db193b12bcdfa6727b29ffd8882dc13cc501" + integrity sha512-QROYz1I1Kj+8bTYgx0IlMBpRSCIU+7GjbE0oH+KF7QKc+qSF8YAlIutN59Db17tXN70Ono9upT9Ht0iG93W7ug== ansi-regex@^2.0.0: version "2.1.1" @@ -2913,11 +2908,6 @@ ansi-styles@^4.0.0, ansi-styles@^4.1.0: dependencies: color-convert "^2.0.1" -ansi-styles@~1.0.0: - version "1.0.0" - resolved "https://registry.npmjs.org/ansi-styles/-/ansi-styles-1.0.0.tgz#cb102df1c56f5123eab8b67cd7b98027a0279178" - integrity sha512-3iF4FIKdxaVYT3JqQuY3Wat/T2t7TRbbQ94Fu50ZUCbLy4TFbTzr90NOHQodQkNqmeEGCw8WbeP78WNi6SKYUA== - ansi-to-html@^0.6.15, ansi-to-html@^0.6.6: version "0.6.15" resolved "https://registry.npmjs.org/ansi-to-html/-/ansi-to-html-0.6.15.tgz#ac6ad4798a00f6aa045535d7f6a9cb9294eebea7" @@ -3006,11 +2996,6 @@ arr-diff@^4.0.0: resolved "https://registry.npmjs.org/arr-diff/-/arr-diff-4.0.0.tgz#d6461074febfec71e7e15235761a329a5dc7c520" integrity sha512-YVIQ82gZPGBebQV/a8dar4AitzCQs0jjXwMPZllpXMaGjXPYVUawSxQrRsjhjupyVxEvbHgUmIhKVlND+j02kA== -arr-flatten@^1.1.0: - version "1.1.0" - resolved "https://registry.npmjs.org/arr-flatten/-/arr-flatten-1.1.0.tgz#36048bbff4e7b47e136644316c99669ea5ae91f1" - integrity sha512-L3hKV5R/p5o81R7O02IGnwpDmkp6E982XhtbuwSe3O4qOtMMMtodicASA1Cny2U+aCXcNpml+m4dPsvsJ3jatg== - arr-union@^3.1.0: version "3.1.0" resolved "https://registry.npmjs.org/arr-union/-/arr-union-3.1.0.tgz#e39b09aea9def866a8f206e288af63919bae39c4" @@ -4096,23 +4081,7 @@ brace-expansion@^1.1.7: balanced-match "^1.0.0" concat-map "0.0.1" -braces@^2.3.1, braces@^2.3.2: - version "2.3.2" - resolved "https://registry.npmjs.org/braces/-/braces-2.3.2.tgz#5979fd3f14cd531565e5fa2df1abfff1dfaee729" - integrity sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w== - dependencies: - arr-flatten "^1.1.0" - array-unique "^0.3.2" - extend-shallow "^2.0.1" - fill-range "^4.0.0" - isobject "^3.0.1" - repeat-element "^1.1.2" - snapdragon "^0.8.1" - snapdragon-node "^2.0.1" - split-string "^3.0.2" - to-regex "^3.0.1" - -braces@^3.0.3, braces@~3.0.2: +braces@^2.3.1, braces@^2.3.2, braces@^3.0.0, braces@^3.0.3, braces@~3.0.2: version "3.0.3" resolved "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz#490332f40919452272d55a8480adc0c441358789" integrity sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA== @@ -5071,15 +5040,6 @@ chalk@^4.0.0, chalk@^4.1.0, chalk@^4.1.2: ansi-styles "^4.1.0" supports-color "^7.1.0" -chalk@~0.4.0: - version "0.4.0" - resolved "https://registry.npmjs.org/chalk/-/chalk-0.4.0.tgz#5199a3ddcd0c1efe23bc08c1b027b06176e0c64f" - integrity sha512-sQfYDlfv2DGVtjdoQqxS0cEZDroyG8h6TamA6rvxwlrU5BaSLDx9xhatBYl2pxZ7gmpNaPFVwBtdGdu5rQ+tYQ== - dependencies: - ansi-styles "~1.0.0" - has-color "~0.1.0" - strip-ansi "~0.1.0" - character-entities-html4@^1.0.0: version "1.1.4" resolved "https://registry.npmjs.org/character-entities-html4/-/character-entities-html4-1.1.4.tgz#0e64b0a3753ddbf1fdc044c5fd01d0199a02e125" @@ -5302,10 +5262,10 @@ code-point-at@^1.0.0: resolved "https://registry.npmjs.org/code-point-at/-/code-point-at-1.1.0.tgz#0d070b4d043a5bea33a2f1a40e2edb3d9a4ccf77" integrity sha512-RpAVKQA5T63xEj6/giIbUEtZwJ4UFIc3ZtvEkiaUERylqe8xb5IvqcgOurZLahv93CLKfxcw5YI+DZcUBRyLXA== -codemirror@~5.15.0: - version "5.15.2" - resolved "https://registry.npmjs.org/codemirror/-/codemirror-5.15.2.tgz#58b3dc732c6d10d7aae806f4c7cdd56a9b87fe8f" - integrity sha512-QHZClCGimKVK86/+K1YcKwa2/9pzy5OfAsv0nsXlPxxoWOhGc+HxPWQISnIrYMHwA5QCtiObxo5O/tmV4fzOSQ== +codemirror@5.58.2, codemirror@~5.15.0: + version "5.58.2" + resolved "https://registry.npmjs.org/codemirror/-/codemirror-5.58.2.tgz#ed54a1796de1498688bea1cdd4e9eeb187565d1b" + integrity sha512-K/hOh24cCwRutd1Mk3uLtjWzNISOkm4fvXiMO7LucCrqbh6aJDdtqUziim3MZUI6wOY0rvY1SlL1Ork01uMy6w== collection-visit@^1.0.0: version "1.0.0" @@ -7833,11 +7793,6 @@ entities@^3.0.1: resolved "https://registry.npmjs.org/entities/-/entities-3.0.1.tgz#2b887ca62585e96db3903482d336c1006c3001d4" integrity sha512-WiyBqoomrwMdFG1e0kqvASYfnlb0lp8M5o5Fw2OFq1hNZxxcNk8Ik0Xm7LxzBhuidnZB/UtBqVCgUz3kBOP51Q== -entities@~1.1.1: - version "1.1.2" - resolved "https://registry.npmjs.org/entities/-/entities-1.1.2.tgz#bdfa735299664dfafd34529ed4f8522a275fea56" - integrity sha512-f2LZMYl1Fzu7YSBKg+RoROelpOaNrcGmE9AZubeDfrCEia483oW4MI4VyFd5VNHIgQ/7qm1I0wUHK1eJnn2y2w== - entities@~2.1.0: version "2.1.0" resolved "https://registry.npmjs.org/entities/-/entities-2.1.0.tgz#992d3129cf7df6870b96c57858c249a120f8b8b5" @@ -8595,16 +8550,6 @@ filesize@^6.1.0: resolved "https://registry.npmjs.org/filesize/-/filesize-6.4.0.tgz#914f50471dd66fdca3cefe628bd0cde4ef769bcd" integrity sha512-mjFIpOHC4jbfcTfoh4rkWpI31mF7viw9ikj/JyLoKzqlwG/YsefKfvYlYhdYdg/9mtK2z1AzgN/0LvVQ3zdlSQ== -fill-range@^4.0.0: - version "4.0.0" - resolved "https://registry.npmjs.org/fill-range/-/fill-range-4.0.0.tgz#d544811d428f98eb06a63dc402d2403c328c38f7" - integrity sha512-VcpLTWqWDiTerugjj8e3+esbg+skS3M9e54UuR3iCeIDMXCLTsAH8hTSzDQU/X6/6t3eYkOKoZSef2PlU6U1XQ== - dependencies: - extend-shallow "^2.0.1" - is-number "^3.0.0" - repeat-string "^1.6.1" - to-regex-range "^2.1.0" - fill-range@^7.1.1: version "7.1.1" resolved "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz#44265d3cac07e3ea7dc247516380643754a05292" @@ -9367,11 +9312,6 @@ has-bigints@^1.0.1, has-bigints@^1.0.2: resolved "https://registry.npmjs.org/has-bigints/-/has-bigints-1.0.2.tgz#0871bd3e3d51626f6ca0966668ba35d5602d6eaa" integrity sha512-tSvCKtBr9lkF0Ex0aQiP9N+OpV4zi2r/Nee5VkRDbaqv35RLYMzbwQfFSZZH0kR+Rd6302UJZ2p/bJCEoR3VoQ== -has-color@~0.1.0: - version "0.1.7" - resolved "https://registry.npmjs.org/has-color/-/has-color-0.1.7.tgz#67144a5260c34fc3cca677d041daf52fe7b78b2f" - integrity sha512-kaNz5OTAYYmt646Hkqw50/qyxP2vFnTVu5AQ1Zmk22Kk5+4Qx6BpO8+u7IKsML5fOsFk0ZT0AcCJNYwcvaLBvw== - has-dynamic-import@^2.1.0: version "2.1.0" resolved "https://registry.npmjs.org/has-dynamic-import/-/has-dynamic-import-2.1.0.tgz#06359ad7672b9e764aea93a54bb9d6e17542d34c" @@ -10588,14 +10528,6 @@ jsonify@^0.0.1: resolved "https://registry.npmjs.org/jsonify/-/jsonify-0.0.1.tgz#2aa3111dae3d34a0f151c63f3a45d995d9420978" integrity sha512-2/Ki0GcmuqSrgFyelQq9M05y7PS0mEwuIzrf3f1fPqkVDVRvZrPZtVSMHxdgo8Aq0sxAOb/cr2aqqA3LeWHVPg== -jsonlint@^1.6.3: - version "1.6.3" - resolved "https://registry.npmjs.org/jsonlint/-/jsonlint-1.6.3.tgz#cb5e31efc0b78291d0d862fbef05900adf212988" - integrity sha512-jMVTMzP+7gU/IyC6hvKyWpUU8tmTkK5b3BPNuMI9U8Sit+YAWLlZwB6Y6YrdCxfg2kNz05p3XY3Bmm4m26Nv3A== - dependencies: - JSV "^4.0.x" - nomnom "^1.5.x" - just-extend@^4.0.2: version "4.2.1" resolved "https://registry.npmjs.org/just-extend/-/just-extend-4.2.1.tgz#ef5e589afb61e5d66b24eca749409a8939a8c744" @@ -10608,7 +10540,7 @@ keyv@^4.5.3: dependencies: json-buffer "3.0.1" -kind-of@^3.0.2, kind-of@^3.0.3, kind-of@^3.2.0: +kind-of@^3.0.2, kind-of@^3.0.3: version "3.2.2" resolved "https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz#31ea21a734bab9bbb0f32466d893aea51e4a3c64" integrity sha512-NOW9QQXMoZGg/oqnVNoNTTIFEIid1627WCffUBJEdMxYApq7mNE7CpzucIPc+ZQg25Phej7IJSmX3hO+oblOtQ== @@ -10690,13 +10622,6 @@ lines-and-columns@^1.1.6: resolved "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz#eca284f75d2965079309dc0ad9255abb2ebc1632" integrity sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg== -linkify-it@^2.0.0: - version "2.2.0" - resolved "https://registry.npmjs.org/linkify-it/-/linkify-it-2.2.0.tgz#e3b54697e78bf915c70a38acd78fd09e0058b1cf" - integrity sha512-GnAl/knGn+i1U/wjBz3akz2stz+HrHLsxMwHQGofCDfPvlf+gDKN58UtfmUquTY4/MXeE2x7k19KQmeoZi94Iw== - dependencies: - uc.micro "^1.0.1" - linkify-it@^3.0.1: version "3.0.3" resolved "https://registry.npmjs.org/linkify-it/-/linkify-it-3.0.3.tgz#a98baf44ce45a550efb4d49c769d07524cc2fa2e" @@ -11142,7 +11067,7 @@ markdown-it-terminal@0.2.1: lodash.merge "^4.6.2" markdown-it "^8.3.1" -markdown-it@^12.0.4: +markdown-it@^12.0.4, markdown-it@^12.3.2, markdown-it@^8.3.1: version "12.3.2" resolved "https://registry.npmjs.org/markdown-it/-/markdown-it-12.3.2.tgz#bf92ac92283fe983fe4de8ff8abfb5ad72cd0c90" integrity sha512-TchMembfxfNVpHkbtriWltGWc+m3xszaRD0CZup7GFFhzIgQqxIfn3eGj1yZpfuflzPvfkt611B2Q/Bsk1YnGg== @@ -11153,17 +11078,6 @@ markdown-it@^12.0.4: mdurl "^1.0.1" uc.micro "^1.0.5" -markdown-it@^8.3.1: - version "8.4.2" - resolved "https://registry.npmjs.org/markdown-it/-/markdown-it-8.4.2.tgz#386f98998dc15a37722aa7722084f4020bdd9b54" - integrity sha512-GcRz3AWTqSUphY3vsUqQSFMbgR38a4Lh3GWlHRh/7MRwz8mcu9n2IO7HOh+bXHrR9kOPDl5RNCaEsrneb+xhHQ== - dependencies: - argparse "^1.0.7" - entities "~1.1.1" - linkify-it "^2.0.0" - mdurl "^1.0.1" - uc.micro "^1.0.5" - markdown-table@^2.0.0: version "2.0.0" resolved "https://registry.npmjs.org/markdown-table/-/markdown-table-2.0.0.tgz#194a90ced26d31fe753d8b9434430214c011865b" @@ -11899,14 +11813,6 @@ node-watch@0.7.3: resolved "https://registry.npmjs.org/node-watch/-/node-watch-0.7.3.tgz#6d4db88e39c8d09d3ea61d6568d80e5975abc7ab" integrity sha512-3l4E8uMPY1HdMMryPRUAl+oIHtXtyiTlIiESNSVSNxcPfzAFzeTbXFQkZfAwBbo0B1qMSG8nUABx+Gd+YrbKrQ== -nomnom@^1.5.x: - version "1.8.1" - resolved "https://registry.npmjs.org/nomnom/-/nomnom-1.8.1.tgz#2151f722472ba79e50a76fc125bb8c8f2e4dc2a7" - integrity sha512-5s0JxqhDx9/rksG2BTMVN1enjWSvPidpoSgViZU4ZXULyTe+7jxcCRLB6f42Z0l1xYJpleCBtSyY6Lwg3uu5CQ== - dependencies: - chalk "~0.4.0" - underscore "~1.6.0" - nopt@^3.0.6: version "3.0.6" resolved "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz#c6465dbf08abcd4db359317f79ac68a646b28ff9" @@ -13288,12 +13194,7 @@ remove-trailing-separator@^1.0.1: resolved "https://registry.npmjs.org/remove-trailing-separator/-/remove-trailing-separator-1.1.0.tgz#c24bce2a283adad5bc3f58e0d48249b92379d8ef" integrity sha512-/hS+Y0u3aOfIETiaiirUFwDBDzmXPvO+jAfKTitUngIPzdKc6Z0LoFjM/CK5PL4C+eKwHohlHAb6H0VFfmmUsw== -repeat-element@^1.1.2: - version "1.1.4" - resolved "https://registry.npmjs.org/repeat-element/-/repeat-element-1.1.4.tgz#be681520847ab58c7568ac75fbfad28ed42d39e9" - integrity sha512-LFiNfRcSu7KK3evMyYOuCzv3L10TW7yC1G2/+StMjK8Y6Vqd2MG7r/Qjw4ghtuCOjFvlnms/iMmLqpvW/ES/WQ== - -repeat-string@^1.0.0, repeat-string@^1.6.1: +repeat-string@^1.0.0: version "1.6.1" resolved "https://registry.npmjs.org/repeat-string/-/repeat-string-1.6.1.tgz#8dcae470e1c88abc2d600fff4a776286da75e637" integrity sha512-PV0dzCYDNfRi1jCDbJzpW7jNNDRuCOG/jI5ctQcGKt/clZD+YcPS3yIlWuTJMmESC8aevCFmWJy5wjAFgNqN6w== @@ -13903,22 +13804,6 @@ snake-case@^3.0.3: dot-case "^3.0.4" tslib "^2.0.3" -snapdragon-node@^2.0.1: - version "2.1.1" - resolved "https://registry.npmjs.org/snapdragon-node/-/snapdragon-node-2.1.1.tgz#6c175f86ff14bdb0724563e8f3c1b021a286853b" - integrity sha512-O27l4xaMYt/RSQ5TR3vpWCAB5Kb/czIcqUFOM/C4fYcLnbZUc1PkjTAMjof2pBWaSTwOUd6qUHcFGVGj7aIwnw== - dependencies: - define-property "^1.0.0" - isobject "^3.0.0" - snapdragon-util "^3.0.1" - -snapdragon-util@^3.0.1: - version "3.0.1" - resolved "https://registry.npmjs.org/snapdragon-util/-/snapdragon-util-3.0.1.tgz#f956479486f2acd79700693f6f7b805e45ab56e2" - integrity sha512-mbKkMdQKsjX4BAL4bRYTj21edOf8cN7XHdYUJEe+Zn99hVEYcMvKPct1IqNe7+AZPirn8BCDOQBHQZknqmKlZQ== - dependencies: - kind-of "^3.2.0" - snapdragon@^0.8.1: version "0.8.2" resolved "https://registry.npmjs.org/snapdragon/-/snapdragon-0.8.2.tgz#64922e7c565b0e14204ba1aa7d6964278d25182d" @@ -14136,7 +14021,7 @@ spdx-satisfies@^4.0.0: spdx-expression-parse "^3.0.0" spdx-ranges "^2.0.0" -split-string@^3.0.1, split-string@^3.0.2: +split-string@^3.0.1: version "3.1.0" resolved "https://registry.npmjs.org/split-string/-/split-string-3.1.0.tgz#7cb09dda3a86585705c64b39a6466038682e8fe2" integrity sha512-NzNVhJDYpwceVVii8/Hu6DKfD2G+NrQHlS/V/qgv763EYudVwEcMQNxd2lh+0VrUByXN/oJkl5grOhYWvQUYiw== @@ -14386,11 +14271,6 @@ strip-ansi@^6.0.0, strip-ansi@^6.0.1: dependencies: ansi-regex "^5.0.1" -strip-ansi@~0.1.0: - version "0.1.1" - resolved "https://registry.npmjs.org/strip-ansi/-/strip-ansi-0.1.1.tgz#39e8a98d044d150660abe4a6808acf70bb7bc991" - integrity sha512-behete+3uqxecWlDAm5lmskaSaISA+ThQ4oNNBDTBJt0x2ppR6IPqfZNuj6BLaLJ/Sji4TPZlcRyOis8wXQTLg== - strip-bom@^3.0.0: version "3.0.0" resolved "https://registry.npmjs.org/strip-bom/-/strip-bom-3.0.0.tgz#2334c18e9c759f7bdd56fdef7e9ae3d588e68ed3" @@ -14842,14 +14722,6 @@ to-object-path@^0.3.0: dependencies: kind-of "^3.0.2" -to-regex-range@^2.1.0: - version "2.1.1" - resolved "https://registry.npmjs.org/to-regex-range/-/to-regex-range-2.1.1.tgz#7c80c17b9dfebe599e27367e0d4dd5590141db38" - integrity sha512-ZZWNfCjUokXXDGXFpZehJIkZqq91BcULFq/Pi7M5i4JnxXdhMKAK682z8bCW3o8Hj1wuuzoKcW3DfVzaP6VuNg== - dependencies: - is-number "^3.0.0" - repeat-string "^1.6.1" - to-regex-range@^5.0.1: version "5.0.1" resolved "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz#1648c44aae7c8d988a326018ed72f5b4dd0392e4" @@ -15143,11 +15015,6 @@ underscore@>=1.8.3, underscore@^1.13.2: resolved "https://registry.npmjs.org/underscore/-/underscore-1.13.6.tgz#04786a1f589dc6c09f761fc5f45b89e935136441" integrity sha512-+A5Sja4HP1M08MaXya7p5LvjuM7K6q/2EaC0+iovj/wOcMsTzMvDFbasi/oSapiwOlt252IqsKqPjCl7huKS0A== -underscore@~1.6.0: - version "1.6.0" - resolved "https://registry.npmjs.org/underscore/-/underscore-1.6.0.tgz#8b38b10cacdef63337b8b24e4ff86d45aea529a8" - integrity sha512-z4o1fvKUojIWh9XuaVLUDdf86RQiq13AC1dmHbTpoyuu+bquHms76v16CjycCbec87J7z0k//SiQVk0sMdFmpQ== - undici-types@~5.26.4: version "5.26.5" resolved "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz#bcd539893d00b56e964fd2657a4866b221a65617" diff --git a/version/VERSION b/version/VERSION index ece450e8fe9b..734375f897d0 100644 --- a/version/VERSION +++ b/version/VERSION @@ -1 +1 @@ -1.19.3-dev +1.20.0-dev diff --git a/website/content/docs/connect/proxies/envoy.mdx b/website/content/docs/connect/proxies/envoy.mdx index 2d2436df2075..8180787efbeb 100644 --- a/website/content/docs/connect/proxies/envoy.mdx +++ b/website/content/docs/connect/proxies/envoy.mdx @@ -58,6 +58,7 @@ apply to both Consul Enterprise and Consul community edition (CE). | Consul Version | Compatible Envoy Versions | | -------------- | -------------------------------------- | +| 1.20.x CE | 1.31.x, 1.30.x, 1.29.x, 1.28.x | | 1.19.x CE | 1.29.x, 1.28.x, 1.27.x, 1.26.x | | 1.18.x CE | 1.28.x, 1.27.x, 1.26.x, 1.25.x | | 1.17.x | 1.27.x, 1.26.x, 1.25.x, 1.24.x |