Backport of Net 12039 terminating gateway acl policy fix into release/1.6.x #4663
base: release/1.6.x
* weekly tests
* Update .github/workflows/weekly-acceptance-1-6-x.yml
  Co-authored-by: Nathan Coleman <[email protected]>
---------
Co-authored-by: Nathan Coleman <[email protected]>
* ignore gke managed namespaces by default
* Add changelog
* remove spaces
* testing out changes to bats testing
* use pre-built image
* update ref for bats testing
* remove extra newline
* remove extra newline
ci: fix conditional skip and add safeguard
Adopt a third-party action to avoid script bugs, and to fix a current issue where the script fails to detect all changes when processing push events on PR branches. Adapted from hashicorp/consul-dataplane#637. See that PR for testing details and background context.
…ys (#4316)
* Plumb global.imagePullSecrets through to Gateway's ServiceAccount
  Since pull secrets are a list of structured objects that cannot easily be passed as a flag value to the container, this approach uses a JSON config file that is created as a ConfigMap and then mounted into the connect-injector Pod and parsed on startup.
* Leave camp cleaner than I found it
* Make path to config file configurable
* Add changelog entry
* Add note to changelog entry
* Ensure ServiceAccount is created if any image pull secrets are provided
* Add test coverage for image pull secret inclusion on gateway ServiceAccount
* Adjust note in changelog
* Add a helpful comment explaining when/why we create a ServiceAccount
* Update .changelog/4316.txt
  Co-authored-by: Blake Covarrubias <[email protected]>
* Return ServiceAccount name when image pull secrets warrant it
* Improve unit tests to assert presence of ServiceAccount name on Deployment
* Copy helpful comment added elsewhere
---------
Co-authored-by: Blake Covarrubias <[email protected]>
* bump kubernetes version for AKS
* bump kubernetes version for AKS
* NO-JIRA: cleanup iam_roles as part of nightly test cleanup
* remove reference to log, use fmt
* fix panic in cleanup code
* code review feedback
* code review feedback
…3874)
Signed-off-by: jukie <[email protected]>
---------
Signed-off-by: jukie <[email protected]>
…ns to prevent L7 intentions bypass (#4385)
crd: support request normalization and header match options to prevent L7 intentions bypass
* crd: support L7 intentions header match contains and ignoreCase
* crd: support mesh http.incoming.requestNormalization
* crd: remove requirement for mesh http.sanitizeXForwardedClientCert
  This is a boolean field, and should not be required. Removing the requirement allows for it to be omitted when other fields are specified.
* purge services on disable of sync catalog
* gofumpt
* update tests for sync catalog
* Added changelog
* create separate jobs to handle deregistering services when disabling sync catalog
* Check error
* fix tests
* rename field in values file, remove references to pod security policy
* remove psp
* added bats testing
added bats testing
…#4426)
* Refactor `proxy list` command, ensuring api-gateway Pods are included
  Proxies are also now output in deterministic order based on their proxy type, namespace and name
* Stop printing non-JSON info to terminal when `-o json` is requested
* Update test assertions to expect sorted output
* Add changelog entry
* basic test cases
* test fixtures
* working openshift test
* openshift test packages
* update Makefile
* Correct name of added Make target
* Correct import blocking
* Make assertions more robust, clean up code/comments
* Add a PR trigger for acceptance tests
* Use different source for branch name provided to workflow
* Rename PR-triggered workflow
* Use local checkout of Helm chart for installation
* Use workspace from environment
* Add the hashicorp helm repo as part of test setup
  We will need to consume the cloned repo chart in the future, but I'm trying to get something working first
* new chart path
* Remove unused code, retry gateway connection, improve logging
* Remove PR trigger for nightly acceptance tests
* move cleanup calls before the error so they'll clean up even if it errors
* Update acceptance/tests/openshift/main_test.go
* update flags to use config
* readd pr trigger test to validate change
* add license mounting config
* fix cert reference
---------
Co-authored-by: Nathan Coleman <[email protected]>
* Expand connect-inject policy tests to include the entire matrix of flag values
* Only include scoped acl="write" rule when namespaces are enabled
* Update test assertions to account for bug fix
* Add changelog entry
* Quickly prototype new `gateway proxy read` command
* Consolidate routes into single file alongside gateway w/ separate file(s) for orphaned routes
* Omit orphaned routes for single gateway read use case
* Support JSON output flag for `gateway read` command
* Wire up --help for `gateway read` command
* Only create zip while when output is archive
* Add a synopsis for the `gateway read` command
* Add changelog entry
* Add test coverage for new `gateway read` command
* Minimize version jump between k8s.io dependencies to get working tests
* Specify that the namespace is a Kubernetes one
* Add `gateway list` command to consul-k8s CLI
* Add changelog entry
* openshift test
* add temporary pr trigger
* lint fixes
* delete pr trigger
* Update acceptance/tests/api-gateway/api_gateway_tenancy_test.go
* Update acceptance/framework/consul/helm_cluster.go
… (#4470)
* feat: add k8s topology zone info for nodePort service
* original PR: #4301
---------
Co-authored-by: kolorful <[email protected]>
…Volumes and extraEnvironmentVars (#4471)
* update helm chart to allow for configuring google application credentials
* changelog
* Set API gateway security context to comply with best practices
* update deployment security context
* Set SeccompProfile on injected dataplane sidecar
* Drop all capabilities in the injected sidecar
* Set required securityContext properties on connect-inject-init container
* Add changelog entry
* May it please the linter
* May it please the linter
* Add helpful logs to failure message assertion
* Set default value for API gateway's mapPrivilegedContainerPorts
* Update invalidated unit tests
* May it please the linter
* Allow privilege escalation when expected for backwards compatibility
* add init sec comp to mesh gateway deployment
* Update invalidated unit tests
---------
Co-authored-by: Sarah Alsmiller <[email protected]>
* upgraded go version to 1.23.6
* added changelog
* upgraded go docker image in Dockerfile
* updated lint settings
* updated lint settings
* upgraded golang lint to 1.62.0
* Exclude the errcheck lint warning
---------
Co-authored-by: Abhishek <[email protected]>
* added workflow file for 1.7.x branch
* upgraded dependencies to latest
* fixed CVEs
* fixed CVEs in acceptance and cli
* Changes for CNI autorotate token issue:
  - Fixed makefile for local dev testing
  - Fixed tf scripts to migrate to higher version of k8s environment testing
  - Updated chart values with a new autorotate token param under cni
  - removed warnings from Dockerfile
  - Added unit tests for kubeconfig and command tests
  - Changes for daemonset to include projected tokens and ca certs
  - Changes for tokenwatcher and copy token on autorotate from pod to host
  - Add test golden files
  - Added kubeconfig to include new plugin params on autorotate token feature
* testing daemonset upgrade
* Fixes for upgrade testing
* Changes for CNI autorotate token issue:
  - Fixed makefile for test verbosity
  - updated UBI image for redhat build
  - Added unit tests for kubeconfig and command tests
  - Changes for tokenwatcher and copy token on autorotate from pod to host
  - Add test golden files
  - Added kubeconfig to include new params on autorotate token feature
* added changelog
* adding verbosity to go lint
* - fixed cni-daemonset chart tests
  - remove untestable tokenfilewatcher
* - added watcher retry logic for removed cni-source-token
* linter issues fix
* linter comment fix
* cleaning up PR
#4588)
This PR fixes multiple small issues related to:
- Cloud terraform package versions
- Retries for test cases in multiple tests
- Kubernetes version for EKS, GKE and AKS
- Version update fixes to terraform scripts
* update: consul/api to v1.32.1
* update: parse UseSNI in RemoteJWKS
* update: testcases for UseSNI
* add: changelog
* update: add UseSNI in charts
…amespace on cluster (#4596)
* Fixing flaky tests
* Setting eks version to 1.32
* Addition of force namespace deletion on cleanup of openshift
* Changing retry conditions for api_gateway_sink_test
* Fixing linting issue of return value not checked
* Service Health Status in Endpoints Controller Logs
  This PR includes the health status of the service being registered/updated by the endpoints controller. This helps in identifying the service health state transitions, which is currently not possible and impacts the ability to troubleshoot issues.
* added changelog
---------
Co-authored-by: Arnab Chatterjee <[email protected]>
* upgraded go to 1.23.10
* added changelog for #4629
* upgraded containerd package in cli to address CVEs
Co-authored-by: compliance-pr-automation[bot] <1425255+compliance-pr-automation-bot[bot]@users.noreply.github.com>
Updating alpine image
* Updating alpine image
* Updating to go1.24.4 to solve helm dependency issue
* Updating golangci.yml to v2
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Updating go lint action version
* Fixing issue with testcases
* Setting ubi9-minimal to 9.6
…nd individual services
Co-authored-by: Jeff Boruszak <[email protected]>
…fix/poorly-renewed-tomcat
5bfbc59 to bc629c2
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement. Learn more about why HashiCorp requires a CLA and what the CLA includes. 17 out of 18 committers have signed the CLA.
Have you signed the CLA already but the status is still pending? Recheck it.
Backport
This PR is auto-generated from #4468 to be assessed for backporting due to the inclusion of the label backport/1.6.x.
🚨 The person who merged in the original PR is: @natemollica-nm
This person should manually cherry-pick the original PR into a new backport PR, and close this one when the manual backport PR is merged in.
The below text is copied from the body of the original PR.
Changes proposed in this PR
Current workflow requires end users to manually update the Terminating Gateway policies applied by the TerminatingGateway resource controller when AdminPartitions are enabled (`global.adminPartitions.enabled: true`) from:

to
How I've tested this PR
`make install-dev` to deploy dev image with changes

Test Matrix for ACL Policies and Admin Partitions with Terminating Gateway
| Partition | Service | ACL policy |
| --- | --- | --- |
| `default` | `*` | `partition "default" { namespace "default" { service_prefix "" { policy = "write"; intention = "read"; } } }` |
| `default` | `static-server` | `partition "default" { namespace "default" { service "static-server" { policy = "write"; intention = "read"; } } }` |
| `dev` | `*` | `partition "dev" { namespace "default" { service_prefix "" { policy = "write"; intention = "read"; } } }` |
| `dev` | `static-server` | `partition "dev" { namespace "default" { service "static-server" { policy = "write"; intention = "read"; } } }` |
| (none) | `*` | `namespace "default" { service_prefix "" { policy = "write"; intention = "read"; } }` |
| (none) | `static-server` | `namespace "default" { service "static-server" { policy = "write"; intention = "read"; } }` |
How I expect reviewers to test this PR
👀
Checklist
Overview of commits
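The test matrix in the copied PR body is the observable output of the fix: with admin partitions enabled, the rule the controller hands to the terminating gateway has to be wrapped in a `partition` block, otherwise a gateway running in partition `dev` is granted (or denied) rights in whatever partition the token is resolved against, not the one it serves. The Go below is an added illustration for this page, not code from #4468 or from the consul-k8s controller. It renders the six matrix rows from a small `ServiceScope` input and includes a `ScopedToPartition` check that fails on the unwrapped, pre-fix shape. `ServiceScope`, `TerminatingGatewayPolicy`, `ScopedToPartition` and `PolicyMatrix` are hypothetical names; the rule is emitted as multi-line HCL rather than the one-line form used in the matrix, and the `namespace` block is always emitted because every row in the matrix carries one.

```go
package main

import (
	"fmt"
	"strings"
)

// ServiceScope identifies a service linked to a terminating gateway.
// Partition is empty when admin partitions are disabled; Name "*" means
// every service in the namespace (rendered as service_prefix "").
// Hypothetical type for this example, not the controller's own.
type ServiceScope struct {
	Partition string
	Namespace string
	Name      string
}

// TerminatingGatewayPolicy renders the ACL rule granting the gateway
// service:write and intention:read on one linked service. The namespace
// block is always emitted, matching the matrix on this page; the partition
// block is emitted only when a partition is set, so a rule generated for
// partition "dev" cannot be satisfied by a token scoped to "default".
func TerminatingGatewayPolicy(s ServiceScope) string {
	var b strings.Builder
	indent := ""
	if s.Partition != "" {
		fmt.Fprintf(&b, "partition %q {\n", s.Partition)
		indent = "  "
	}
	fmt.Fprintf(&b, "%snamespace %q {\n", indent, s.Namespace)
	if s.Name == "*" {
		fmt.Fprintf(&b, "%s  service_prefix \"\" {\n", indent)
	} else {
		fmt.Fprintf(&b, "%s  service %q {\n", indent, s.Name)
	}
	fmt.Fprintf(&b, "%s    policy    = \"write\"\n", indent)
	fmt.Fprintf(&b, "%s    intention = \"read\"\n", indent)
	fmt.Fprintf(&b, "%s  }\n", indent)
	fmt.Fprintf(&b, "%s}\n", indent)
	if s.Partition != "" {
		b.WriteString("}\n")
	}
	return b.String()
}

// ScopedToPartition reports whether a rendered rule is explicitly confined
// to the given partition. A rule without the wrapper (the shape users had
// to hand-edit before this fix) returns false for every named partition,
// which is the check to run on controller output before trusting it on a
// partition-enabled cluster.
func ScopedToPartition(rule, partition string) bool {
	return strings.HasPrefix(rule, fmt.Sprintf("partition %q {", partition))
}

// PolicyMatrix renders the six (partition, service) combinations from the
// PR's test matrix, keyed as "<partition or none>/<service>".
func PolicyMatrix() map[string]string {
	out := map[string]string{}
	for _, p := range []string{"default", "dev", ""} {
		label := p
		if label == "" {
			label = "none"
		}
		for _, svc := range []string{"*", "static-server"} {
			out[label+"/"+svc] = TerminatingGatewayPolicy(ServiceScope{
				Partition: p, Namespace: "default", Name: svc,
			})
		}
	}
	return out
}

func main() {
	for key, rule := range PolicyMatrix() {
		fmt.Printf("--- %s (scoped to dev: %v)\n%s", key, ScopedToPartition(rule, "dev"), rule)
	}
}
```

Run it with `go run .` to print all six rules; only the two `dev/...` rules report `scoped to dev: true`, and the two partition-less rules report false for any partition, which is exactly the gap the TerminatingGateway controller fix closes.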