Skip to content

Commit

Permalink
Merge branch 'main' into main
Browse files Browse the repository at this point in the history
  • Loading branch information
cuishuang authored Sep 3, 2024
2 parents fadfcb9 + 188af1c commit 58eef1a
Show file tree
Hide file tree
Showing 28 changed files with 250 additions and 52 deletions.
6 changes: 6 additions & 0 deletions .changelog/21684.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
```release-note:security
Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and
[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912).
```

21 changes: 21 additions & 0 deletions .github/workflows/nightly-test-integrations-1.15.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -146,11 +146,15 @@ jobs:
path: ./bin
- name: restore mode+x
run: chmod +x ./bin/consul

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0

- name: Docker build
run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin

- name: Envoy Integration Tests
id: envoy-integration-tests
env:
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
Expand All @@ -171,6 +175,23 @@ jobs:
--packages=./test/integration/connect/envoy \
-- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
# See https://github.com/orgs/community/discussions/8945#discussioncomment-9897011
# and overall topic discussion for why this is necessary.
- name: Generate artifact ID
id: generate-artifact-id
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
run: |
ARTIFACT_ID=$(uuidgen)
echo "Artifact ID: $ARTIFACT_ID (search this in job summary for download link)"
echo "artifact_id=$ARTIFACT_ID" >> "$GITHUB_ENV"
- name: Upload failure logs
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}
path: test/integration/connect/envoy/workdir/logs/

# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
Expand Down
18 changes: 18 additions & 0 deletions .github/workflows/nightly-test-integrations-1.17.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,7 @@ jobs:
run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin

- name: Envoy Integration Tests
id: envoy-integration-tests
env:
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
Expand All @@ -174,6 +175,23 @@ jobs:
--packages=./test/integration/connect/envoy \
-- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
# See https://github.com/orgs/community/discussions/8945#discussioncomment-9897011
# and overall topic discussion for why this is necessary.
- name: Generate artifact ID
id: generate-artifact-id
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
run: |
ARTIFACT_ID=$(uuidgen)
echo "Artifact ID: $ARTIFACT_ID (search this in job summary for download link)"
echo "artifact_id=$ARTIFACT_ID" >> "$GITHUB_ENV"
- name: Upload failure logs
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}
path: test/integration/connect/envoy/workdir/logs/

# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
Expand Down
20 changes: 19 additions & 1 deletion .github/workflows/nightly-test-integrations-1.18.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ jobs:
runs-on: ${{ needs.setup.outputs.compute-large }}
repository-name: ${{ github.repository }}
uploaded-binary-name: 'consul-bin'
branch-name: "release/1.17.x"
branch-name: "release/1.18.x"
go-version: ${{ needs.get-go-version.outputs.go-version }}
secrets:
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
Expand Down Expand Up @@ -154,6 +154,7 @@ jobs:
run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin

- name: Envoy Integration Tests
id: envoy-integration-tests
env:
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
Expand All @@ -174,6 +175,23 @@ jobs:
--packages=./test/integration/connect/envoy \
-- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
# See https://github.com/orgs/community/discussions/8945#discussioncomment-9897011
# and overall topic discussion for why this is necessary.
- name: Generate artifact ID
id: generate-artifact-id
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
run: |
ARTIFACT_ID=$(uuidgen)
echo "Artifact ID: $ARTIFACT_ID (search this in job summary for download link)"
echo "artifact_id=$ARTIFACT_ID" >> "$GITHUB_ENV"
- name: Upload failure logs
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}
path: test/integration/connect/envoy/workdir/logs/

# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
Expand Down
20 changes: 19 additions & 1 deletion .github/workflows/nightly-test-integrations-1.19.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ jobs:
runs-on: ${{ needs.setup.outputs.compute-large }}
repository-name: ${{ github.repository }}
uploaded-binary-name: 'consul-bin'
branch-name: "release/1.17.x"
branch-name: "release/1.19.x"
go-version: ${{ needs.get-go-version.outputs.go-version }}
secrets:
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
Expand Down Expand Up @@ -145,6 +145,7 @@ jobs:
run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin

- name: Envoy Integration Tests
id: envoy-integration-tests
env:
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
Expand All @@ -165,6 +166,23 @@ jobs:
--packages=./test/integration/connect/envoy \
-- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
# See https://github.com/orgs/community/discussions/8945#discussioncomment-9897011
# and overall topic discussion for why this is necessary.
- name: Generate artifact ID
id: generate-artifact-id
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
run: |
ARTIFACT_ID=$(uuidgen)
echo "Artifact ID: $ARTIFACT_ID (search this in job summary for download link)"
echo "artifact_id=$ARTIFACT_ID" >> "$GITHUB_ENV"
- name: Upload failure logs
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}
path: test/integration/connect/envoy/workdir/logs/

# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
Expand Down
23 changes: 23 additions & 0 deletions .github/workflows/test-integrations.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,11 @@ on:
- 'backport/docs/**'
- 'backport/ui/**'
- 'backport/mktg-**'
push:
branches:
# Push events on the main branch
- main
- release/**

env:
TEST_RESULTS_DIR: /tmp/test-results
Expand Down Expand Up @@ -335,6 +340,7 @@ jobs:
run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin

- name: Envoy Integration Tests
id: envoy-integration-tests
env:
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
Expand All @@ -355,6 +361,23 @@ jobs:
--packages=./test/integration/connect/envoy \
-- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
# See https://github.com/orgs/community/discussions/8945#discussioncomment-9897011
# and overall topic discussion for why this is necessary.
- name: Generate artifact ID
id: generate-artifact-id
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
run: |
ARTIFACT_ID=$(uuidgen)
echo "Artifact ID: $ARTIFACT_ID (search this in job summary for download link)"
echo "artifact_id=$ARTIFACT_ID" >> "$GITHUB_ENV"
- name: Upload failure logs
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}
path: test/integration/connect/envoy/workdir/logs/

# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
Expand Down
46 changes: 46 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,49 @@
## 1.19.2 (August 26, 2024)

SECURITY:

* ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0 [[GH-21588](https://github.com/hashicorp/consul/issues/21588)]

IMPROVEMENTS:

* Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [[GH-21587](https://github.com/hashicorp/consul/issues/21587)]

BUG FIXES:

* api-gateway: **(Enterprise only)** ensure clusters are properly created for JWT providers with a remote URI for the JWKS endpoint [[GH-21604](https://github.com/hashicorp/consul/issues/21604)]

## 1.18.4 Enterprise (August 26, 2024)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:
* ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0

IMPROVEMENTS:

* Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [[GH-21587](https://github.com/hashicorp/consul/issues/21587)]

## 1.17.7 Enterprise (August 26, 2024)

SECURITY:
* ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0

IMPROVEMENTS:

* Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [[GH-21587](https://github.com/hashicorp/consul/issues/21587)]

## 1.15.14 Enterprise (August 26, 2024)

Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.

SECURITY:

* ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0 [[GH-21588](https://github.com/hashicorp/consul/issues/21588)]

IMPROVEMENTS:

* Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [[GH-21587](https://github.com/hashicorp/consul/issues/21587)]

## 1.19.1 (July 11, 2024)

SECURITY:
Expand Down
4 changes: 3 additions & 1 deletion agent/config/builder.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,13 @@ import (
"time"

"github.com/armon/go-metrics/prometheus"
"golang.org/x/time/rate"

"github.com/hashicorp/go-bexpr"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-sockaddr/template"
"github.com/hashicorp/memberlist"
"golang.org/x/time/rate"

"github.com/hashicorp/consul/agent/cache"
"github.com/hashicorp/consul/agent/checks"
Expand Down Expand Up @@ -774,6 +775,7 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
if err != nil {
return RuntimeConfig{}, fmt.Errorf("config_entries.bootstrap[%d]: %s", i, err)
}
// Ensure Normalize is called before Validate for accurate validation
if err := entry.Normalize(); err != nil {
return RuntimeConfig{}, fmt.Errorf("config_entries.bootstrap[%d]: %s", i, err)
}
Expand Down
4 changes: 2 additions & 2 deletions agent/config_endpoint_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -612,7 +612,7 @@ func TestConfig_Apply_CAS(t *testing.T) {
{
"Kind": "service-defaults",
"Name": "foo",
"Protocol": "udp"
"Protocol": "http"
}
`))
req, _ = http.NewRequest("PUT", "/v1/config?cas=0", body)
Expand All @@ -628,7 +628,7 @@ func TestConfig_Apply_CAS(t *testing.T) {
{
"Kind": "service-defaults",
"Name": "foo",
"Protocol": "udp"
"Protocol": "http"
}
`))
req, _ = http.NewRequest("PUT", fmt.Sprintf("/v1/config?cas=%d", entry.GetRaftIndex().ModifyIndex), body)
Expand Down
4 changes: 3 additions & 1 deletion agent/consul/config_endpoint.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,11 @@ import (

metrics "github.com/armon/go-metrics"
"github.com/armon/go-metrics/prometheus"
hashstructure_v2 "github.com/mitchellh/hashstructure/v2"

"github.com/hashicorp/go-bexpr"
"github.com/hashicorp/go-hclog"
memdb "github.com/hashicorp/go-memdb"
hashstructure_v2 "github.com/mitchellh/hashstructure/v2"

"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/configentry"
Expand Down Expand Up @@ -85,6 +86,7 @@ func (c *ConfigEntry) Apply(args *structs.ConfigEntryRequest, reply *bool) error
}

// Normalize and validate the incoming config entry as if it came from a user.
// Ensure Normalize is called before Validate for accurate validation
if err := args.Entry.Normalize(); err != nil {
return err
}
Expand Down
6 changes: 3 additions & 3 deletions agent/consul/config_replication_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,11 @@ package consul
import (
"context"
"fmt"
"github.com/oklog/ulid/v2"
"github.com/stretchr/testify/assert"
"os"
"testing"

"github.com/oklog/ulid/v2"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

"github.com/hashicorp/consul/agent/structs"
Expand Down Expand Up @@ -129,7 +129,7 @@ func TestReplication_ConfigEntries(t *testing.T) {
Entry: &structs.ServiceConfigEntry{
Kind: structs.ServiceDefaults,
Name: fmt.Sprintf("svc-%d", i),
Protocol: "udp",
Protocol: "tcp",
},
}

Expand Down
6 changes: 6 additions & 0 deletions agent/consul/leader.go
Original file line number Diff line number Diff line change
Expand Up @@ -771,6 +771,12 @@ func (s *Server) runACLReplicator(

index, exit, err := replicateFunc(ctx, logger, lastRemoteIndex)
if exit {
metrics.SetGauge([]string{"leader", "replication", metricName, "status"},
0,
)
metrics.SetGauge([]string{"leader", "replication", metricName, "index"},
0,
)
return nil
}

Expand Down
6 changes: 6 additions & 0 deletions agent/consul/replication.go
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,12 @@ func (r *Replicator) Run(ctx context.Context) error {
// Perform a single round of replication
index, exit, err := r.delegate.Replicate(ctx, atomic.LoadUint64(&r.lastRemoteIndex), r.logger)
if exit {
metrics.SetGauge([]string{"leader", "replication", r.delegate.MetricName(), "status"},
0,
)
metrics.SetGauge([]string{"leader", "replication", r.delegate.MetricName(), "index"},
0,
)
return nil
}
if err != nil {
Expand Down
9 changes: 7 additions & 2 deletions agent/structs/config_entry.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,11 @@ import (
"time"

"github.com/miekg/dns"

"github.com/hashicorp/go-multierror"
"github.com/mitchellh/hashstructure"
"github.com/mitchellh/mapstructure"

"github.com/hashicorp/consul-net-rpc/go-msgpack/codec"
"github.com/hashicorp/go-multierror"

"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/cache"
Expand Down Expand Up @@ -269,6 +268,12 @@ func (e *ServiceConfigEntry) Validate() error {
validationErr = multierror.Append(validationErr, fmt.Errorf("invalid value for balance_inbound_connections: %v", e.BalanceInboundConnections))
}

switch e.Protocol {
case "", "http", "http2", "grpc", "tcp":
default:
validationErr = multierror.Append(validationErr, fmt.Errorf("invalid value for protocol: %v", e.Protocol))
}

// External endpoints are invalid with an existing service's upstream configuration
if e.UpstreamConfig != nil && e.Destination != nil {
validationErr = multierror.Append(validationErr, errors.New("UpstreamConfig and Destination are mutually exclusive for service defaults"))
Expand Down
Loading

0 comments on commit 58eef1a

Please sign in to comment.