merge main

.changelog/21339.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix panic runtime error on AliasCheck
+```

.changelog/21342.txt

@@ -0,0 +1,3 @@
+```release-note:security
+agent: removed reflected cross-site scripting vulnerability
+```

.changelog/21361.txt

@@ -0,0 +1,8 @@
+```release-note:bug
+dns: Fix a regression where DNS tags using the standard lookup syntax, `tag.name.service.consul`, were being disregarded.
+```
+
+```release-note:bug
+dns: Fix a regression where DNS SRV questions were returning duplicate hostnames instead of encoded IPs.
+This affected Nomad integrations with Consul.
+```

.changelog/21378.txt

@@ -0,0 +1,3 @@
+```release-note:security
+ui: Pin and namespace sub-module dependencies related to the Consul UI
+```

.changelog/21381.txt

@@ -0,0 +1,4 @@
+```release-note:bug
+dns: Fixes a spam log message "Failed to parse TTL for prepared query..."
+that was always being logged on each prepared query evaluation.
+```

.changelog/21382.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+terminating-gateway: **(Enterprise Only)** Fixed issue where enterprise metadata applied to linked services was the terminating-gateways enterprise metadata and not the linked services enterprise metadata.
+```

.changelog/21384.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade go-retryablehttp to address [CVE-2024-6104](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6104)
+```

.changelog/21507.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791)
+```

.changelog/21519.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+txn: Fix a bug where mismatched Consul server versions could result in undetected data loss for when using newer Transaction verbs.
+```

.changelog/21524.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve [CVE-2024-39305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39305)
+```

.changelog/21588.txt

@@ -0,0 +1,3 @@
+```release-note:security
+ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0
+```

.changelog/21604.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: **(Enterprise only)** ensure clusters are properly created for JWT providers with a remote URI for the JWKS endpoint
+```

.github/scripts/filter_changed_files_go_test.sh → .github/scripts/check_skip_ci.sh

@@ -5,7 +5,7 @@
 set -euo pipefail
 
 # Get the list of changed files
-# Using `git merge-base` ensures that we're always comparing against the correct branch point. 
+# Using `git merge-base` ensures that we're always comparing against the correct branch point.
 #For example, given the commits:
 #
 # A---B---C---D---W---X---Y---Z # origin/main
@@ -16,27 +16,34 @@ set -euo pipefail
 files_to_check=$(git diff --name-only "$(git merge-base origin/$SKIP_CHECK_BRANCH HEAD~)"...HEAD)
 
 # Define the directories to check
-skipped_directories=("docs/" "ui/" "website/" "grafana/")
+skipped_directories=("docs/" "ui/" "website/" "grafana/" ".changelog/")
 
 # Loop through the changed files and find directories/files outside the skipped ones
-for file_to_check in "${files_to_check[@]}"; do
+files_to_check_array=($files_to_check)
+for file_to_check in "${files_to_check_array[@]}"; do
 	file_is_skipped=false
+	echo "checking file: $file_to_check"
+
+	# Allow changes to:
+	# - This script
+	# - Files in the skipped directories
+	# - Markdown files
 	for dir in "${skipped_directories[@]}"; do
-		if [[ "$file_to_check" == "$dir"* ]] || [[ "$file_to_check" == *.md && "$dir" == *"/" ]]; then
+		if [[ "$file_to_check" == */check_skip_ci.sh ]] ||
+		   [[ "$file_to_check" == "$dir"* ]] ||
+		   [[ "$file_to_check" == *.md ]]; then
 			file_is_skipped=true
 			break
 		fi
 	done
+
 	if [ "$file_is_skipped" != "true" ]; then
-		echo -e $file_to_check
-        SKIP_CI=false
-		echo "Changes detected in non-documentation files - skip-ci: $SKIP_CI"
-        echo "skip-ci=$SKIP_CI" >> "$GITHUB_OUTPUT"
+		echo -e "non-skippable file changed: $file_to_check"
+		echo "Changes detected in non-documentation files - will not skip tests and build"
+        echo "skip-ci=false" >> "$GITHUB_OUTPUT"
 		exit 0 ## if file is outside of the skipped_directory exit script
 	fi
 done
 
-echo -e "$files_to_check"
-SKIP_CI=true
-echo "Changes detected in only documentation files - skip-ci: $SKIP_CI"
-echo "skip-ci=$SKIP_CI" >> "$GITHUB_OUTPUT"
+echo "Changes detected in only documentation files - skipping tests and build"
+echo "skip-ci=true" >> "$GITHUB_OUTPUT"

.github/scripts/verify_artifact.sh

@@ -102,7 +102,8 @@ function verify_rpm {
     ${docker_image} \
     /scripts/verify_rpm.sh \
     "/workdir/${artifact_path}" \
-    "${expect_version}"
+    "${expect_version}" \
+    "${docker_image}"
 }
 
 # Arguments:

.github/scripts/verify_rpm.sh

@@ -10,6 +10,10 @@ set -euo pipefail
 # report why it failed. This is meant to be run as part of the build workflow to verify the built
 # .rpm meets some basic criteria for validity.
 
+# Notably, CentOS 7 is EOL, so we need to point to the vault for updates. It's not clear what alternative
+# we may use in the future that supports linux/386 as the platform was dropped in CentOS 8+9. The docker_image
+# is passed in as the third argument so that the script can determine if it needs to point to the vault for updates.
+
 # set this so we can locate and execute the verify_bin.sh script for verifying version output
 SCRIPT_DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
 
@@ -20,6 +24,7 @@ function usage {
 function main {
   local rpm_path="${1:-}"
   local expect_version="${2:-}"
+  local docker_image="${3:-}"
   local got_version
 
   if [[ -z "${rpm_path}" ]]; then
@@ -34,6 +39,12 @@ function main {
     exit 1
   fi
 
+  if [[ -z "${docker_image}" ]]; then
+    echo "ERROR: docker image argument is required"
+    usage
+    exit 1
+  fi
+
   # expand globs for path names, if this fails, the script will exit
   rpm_path=$(echo ${rpm_path})
 
@@ -43,6 +54,12 @@ function main {
     exit 1
   fi
 
+  # CentOS 7 is EOL, so we need to point to the vault for updates
+  if [[ "$docker_image" == *centos:7 ]]; then
+    sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
+    sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
+  fi
+
   yum -y clean all
   yum -y update
   yum -y install which openssl

.github/workflows/backport-assistant.yml

@@ -19,15 +19,15 @@ jobs:
   backport:
     if: github.event.pull_request.merged
     runs-on: ubuntu-latest
-    container: hashicorpdev/backport-assistant:0.4.1
+    container: hashicorpdev/backport-assistant:0.4.4
     steps:
       - name: Run Backport Assistant for release branches
         run: |
           backport-assistant backport -merge-method=squash
         env:
           BACKPORT_LABEL_REGEXP: "backport/(?P<target>\\d+\\.\\d+)"
           BACKPORT_TARGET_TEMPLATE: "release/{{.target}}.x"
-          GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN_WORKFLOW }}
           ENABLE_VERSION_MANIFESTS: true
   backport-ent:
     if: github.event.pull_request.merged && contains(join(github.event.pull_request.labels.*.name), 'backport/ent')

.github/workflows/build.yml

@@ -95,6 +95,8 @@ jobs:
           - {goos: "linux", goarch: "amd64"}
           - {goos: "linux", goarch: "arm"}
           - {goos: "linux", goarch: "arm64"}
+          - {goos: "darwin", goarch: "amd64"}
+          - {goos: "darwin", goarch: "arm64"}
           - {goos: "freebsd", goarch: "386"}
           - {goos: "freebsd", goarch: "amd64"}
           - {goos: "windows", goarch: "386"}
@@ -246,58 +248,6 @@ jobs:
             cp LICENSE $TARGET_DIR/LICENSE.txt
             go build -ldflags="$GOLDFLAGS" -o "$BIN_PATH" -trimpath -buildvcs=false
 
-  build-darwin:
-    needs:
-    - set-product-version
-    - get-go-version
-    runs-on: macos-latest
-    strategy:
-      matrix:
-        goos: [ darwin ]
-        goarch: [ "amd64", "arm64" ]
-      fail-fast: true
-
-    name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build
-    steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-
-      - name: Setup with node and yarn
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
-        with:
-          node-version: '18'
-          cache: 'yarn'
-          cache-dependency-path: 'ui/yarn.lock'
-
-      - name: Build UI
-        run: |
-          CONSUL_VERSION=${{ needs.set-product-version.outputs.product-version }}
-          CONSUL_BINARY_TYPE=${CONSUL_BINARY_TYPE}
-          CONSUL_COPYRIGHT_YEAR=$(git show -s --format=%cd --date=format:%Y HEAD)
-          echo "consul_version is ${CONSUL_VERSION}"
-          echo "consul binary type is ${CONSUL_BINARY_TYPE}"
-          echo "consul copyright year is ${CONSUL_COPYRIGHT_YEAR}"
-          cd ui && make && cd ..
-          rm -rf agent/uiserver/dist
-          mv ui/packages/consul-ui/dist agent/uiserver/
-      - name: Go Build
-        env:
-          PRODUCT_VERSION: ${{ needs.set-product-version.outputs.product-version }}
-          PRERELEASE_VERSION: ${{ needs.set-product-version.outputs.pre-version }}
-          CGO_ENABLED: "0"
-          GOLDFLAGS: "${{needs.set-product-version.outputs.shared-ldflags}}"
-        uses: hashicorp/actions-go-build@make-clean-flag-optional
-        with:
-          product_name: ${{ env.PKG_NAME }}
-          product_version: ${{ needs.set-product-version.outputs.product-version }}
-          go_version: ${{ needs.get-go-version.outputs.go-version }}
-          os: ${{ matrix.goos }}
-          arch: ${{ matrix.goarch }}
-          reproducible: nope
-          clean: false
-          instructions: |-
-            cp LICENSE $TARGET_DIR/LICENSE.txt
-            go build -ldflags="$GOLDFLAGS" -tags netcgo -o "$BIN_PATH" -trimpath -buildvcs=false
-
   build-docker:
     name: Docker ${{ matrix.arch }} build
     needs:
@@ -420,32 +370,6 @@ jobs:
         if: ${{ endsWith(github.repository, '-enterprise') || matrix.arch != 's390x' }}
         run: .github/scripts/verify_artifact.sh ${{ env.zip_name }} v${{ env.version }}
 
-  verify-darwin:
-    needs:
-      - set-product-version
-      - build-darwin
-    runs-on: macos-latest
-    strategy:
-      fail-fast: true
-    env:
-      version: ${{needs.set-product-version.outputs.product-version}}
-      zip_name: consul_${{ needs.set-product-version.outputs.product-version }}_darwin_amd64.zip
-
-    name: Verify amd64 darwin binary
-    steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-
-      - name: Download amd64 darwin zip
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
-        with:
-          name: ${{ env.zip_name }}
-
-      - name: Unzip amd64 darwin zip
-        run: unzip ${{ env.zip_name }}
-
-      - name: Run verification for amd64 darwin binary
-        run: .github/scripts/verify_bin.sh ./consul v${{ env.version }}
-
   verify-linux-packages-deb:
     needs:
       - build

.github/workflows/go-tests.yml

@@ -38,10 +38,10 @@ jobs:
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
-          fetch-depth: 0  
+          fetch-depth: 0
       - name: Get changed files
         id: read-files
-        run: ./.github/scripts/filter_changed_files_go_test.sh
+        run: ./.github/scripts/check_skip_ci.sh
 
   setup:
     needs: [conditional-skip]

.github/workflows/nightly-test-1.18.x.yaml

@@ -14,8 +14,15 @@ env:
   GOPRIVATE: github.com/hashicorp # Required for enterprise deps
 
 jobs:
+  check-ent:
+    runs-on: ubuntu-latest
+    if: ${{ endsWith(github.repository, '-enterprise') }}
+    steps:
+      - run: echo "Building Enterprise"
+
   frontend-test-workspace-node:
     runs-on: ubuntu-latest
+    needs: [check-ent]
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
@@ -45,6 +52,7 @@ jobs:
 
   frontend-build-ce:
     runs-on: ubuntu-latest
+    needs: [check-ent]
     env:
       JOBS: 2
       CONSUL_NSPACES_ENABLED: 0
@@ -117,6 +125,7 @@ jobs:
 
   frontend-build-ent:
     runs-on: ubuntu-latest
+    needs: [check-ent]
     env:
       JOBS: 2
       CONSUL_NSPACES_ENABLED: 1

.github/workflows/nightly-test-integ-peering_commontopo.yml

@@ -39,12 +39,20 @@ jobs:
 
   get-go-version:
     uses: ./.github/workflows/reusable-get-go-version.yml
+    with:
+      ref: ${{ inputs.branch }}
+
+  get-envoy-versions:
+    uses: ./.github/workflows/reusable-get-envoy-versions.yml
+    with:
+      ref: ${{ inputs.branch }}
 
   tests:
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl ) }}
     needs:
       - setup
       - get-go-version
+      - get-envoy-versions
     permissions:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read
@@ -62,7 +70,7 @@ jobs:
     name: '${{matrix.test-case}}'
 
     env:
-      ENVOY_VERSION: "1.29.5"
+      ENVOY_VERSION: ${{ needs.get-envoy-versions.outputs.max-envoy-version }}
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       # NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.