Merge branch 'main' into cm-bug-11457

pull/20887/head
Conor Mongey 2024-10-16 20:43:06 +01:00 committed by GitHub
commit bfe2e6a5f3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1957 changed files with 33947 additions and 226480 deletions

4
.changelog/20910.txt Normal file

@ -0,0 +1,4 @@
```release-note:security
Update `vault/api` to v1.12.2 to address [CVE-2024-28180](https://nvd.nist.gov/vuln/detail/CVE-2024-28180)
(removes indirect dependency on impacted `go-jose.v2`)
```

9
.changelog/21017.txt Normal file

@ -0,0 +1,9 @@
```release-note:security
Upgrade to support Envoy `1.27.5 and 1.28.3`. This resolves CVE
[CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475) (`auto_sni`).
```
```release-note:security
Upgrade to support k8s.io/apimachinery `v0.18.7 or higher`. This resolves CVE
[CVE-2020-8559](https://nvd.nist.gov/vuln/detail/CVE-2020-8559).
```
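Review bot: Both entries put prose inside the code span (`1.27.5 and 1.28.3`, `v0.18.7 or higher`), and the first entry reads "This resolves CVE [CVE-2024-32475]", repeating "CVE" before the link. Suggest code-formatting only the version strings themselves and dropping the duplicate word so the rendered release notes read cleanly.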

5
.changelog/21074.txt Normal file

@ -0,0 +1,5 @@
```release-note:security
Upgrade Go to use 1.21.10. This addresses CVEs
[CVE-2024-24787](https://nvd.nist.gov/vuln/detail/CVE-2024-24787) and
[CVE-2024-24788](https://nvd.nist.gov/vuln/detail/CVE-2024-24788)
```

3
.changelog/21113.txt Normal file

@ -0,0 +1,3 @@
```release-note:enhancement
upgrade go version to v1.22.3.
```

3
.changelog/21142.txt Normal file

@ -0,0 +1,3 @@
```release-note:enhancement
mesh: update supported envoy version 1.29.4 in addition to 1.28.3, 1.27.5, 1.26.8.
```

3
.changelog/21230.txt Normal file

@ -0,0 +1,3 @@
```release-note:enhancement
dns: new version was not supporting partition or namespace being set to 'default' in CE version.
```
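Review bot: The entry text on the `dns:` line states the defect ("new version was not supporting partition or namespace being set to 'default'") rather than what changed, and it is filed as `release-note:enhancement`. Suggest rewording it as the fix and using `release-note:bug`, as the DNS regression entries in `.changelog/21361.txt` do, so it lands in the right section of the release notes.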

3
.changelog/21251.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
core: Fix multiple incorrect type conversion for potential overflows
```

3
.changelog/21265.txt Normal file

@ -0,0 +1,3 @@
```release-note:enhancement
upgrade go version to v1.22.4.
```

3
.changelog/21277.txt Normal file

@ -0,0 +1,3 @@
```release-note:enhancement
mesh: update supported envoy version 1.29.5 in addition to 1.28.4, 1.27.6.
```

3
.changelog/21339.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
core: Fix panic runtime error on AliasCheck
```

3
.changelog/21342.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
agent: removed reflected cross-site scripting vulnerability
```

8
.changelog/21361.txt Normal file

@ -0,0 +1,8 @@
```release-note:bug
dns: Fix a regression where DNS tags using the standard lookup syntax, `tag.name.service.consul`, were being disregarded.
```
```release-note:bug
dns: Fix a regression where DNS SRV questions were returning duplicate hostnames instead of encoded IPs.
This affected Nomad integrations with Consul.
```

3
.changelog/21378.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
ui: Pin and namespace sub-module dependencies related to the Consul UI
```

4
.changelog/21381.txt Normal file

@ -0,0 +1,4 @@
```release-note:bug
dns: Fixes a spam log message "Failed to parse TTL for prepared query..."
that was always being logged on each prepared query evaluation.
```

3
.changelog/21382.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
terminating-gateway: **(Enterprise Only)** Fixed issue where enterprise metadata applied to linked services was the terminating-gateways enterprise metadata and not the linked services enterprise metadata.
```

3
.changelog/21384.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
Upgrade go-retryablehttp to address [CVE-2024-6104](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6104)
```

3
.changelog/21507.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791)
```

3
.changelog/21519.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
txn: Fix a bug where mismatched Consul server versions could result in undetected data loss for when using newer Transaction verbs.
```
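Review bot: The phrase "undetected data loss for when using newer Transaction verbs" on the `txn:` line is ungrammatical and leaves the affected case unclear. Suggest "undetected data loss when using newer Transaction verbs", and naming the verbs if the list is short, since this entry is what operators will read to decide whether a mixed-version upgrade exposed them.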

3
.changelog/21524.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve [CVE-2024-39305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39305)
```

3
.changelog/21587.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones.
```

3
.changelog/21588.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0
```

3
.changelog/21592.txt Normal file

@ -0,0 +1,3 @@
```release-note:feature
server: remove v2 tenancy, catalog, and mesh experiments
```
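Review bot: `release-note:feature` on "server: remove v2 tenancy, catalog, and mesh experiments" files a removal under new features. If any released version accepted these experiment settings, `release-note:breaking-change` (the type used in `.changelog/21816.txt`) is the better fit, with a sentence on what happens to configurations that still reference them.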

3
.changelog/21604.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
api-gateway: **(Enterprise only)** ensure clusters are properly created for JWT providers with a remote URI for the JWKS endpoint
```

3
.changelog/21616.txt Normal file

@ -0,0 +1,3 @@
```release-note: improvement
connect: Add Envoy 1.31 and 1.30 to support matrix
```
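Review bot: The fence tag is written `release-note: improvement` with a space after the colon, where every other entry in this commit writes the type directly after the colon (`release-note:improvement`, `release-note:security`). If the changelog tooling matches the tag literally this entry may be skipped; suggest removing the space.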

6
.changelog/21684.txt Normal file

@ -0,0 +1,6 @@
```release-note:security
Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and
[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912).
```

3
.changelog/21703.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6.
```

3
.changelog/21704.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
Explicitly set 'Content-Type' header to mitigate XSS vulnerability.
```

4
.changelog/21705.txt Normal file

@ -0,0 +1,4 @@
```release-note:security
Upgrade Go to use 1.22.7. This addresses CVE
[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155)
```

3
.changelog/21710.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
ui: Pin a newer resolution of Braces
```

3
.changelog/21711.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI.
```

3
.changelog/21715.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
ui: Pin a newer resolution of Codemirror
```

3
.changelog/21717.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
ui: Pin a newer resolution of Markdown-it
```

3
.changelog/21726.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
UI: Remove codemirror linting due to package dependency
```

4
.changelog/21729.txt Normal file

@ -0,0 +1,4 @@
```release-notes:security
Bump Dockerfile base image to `alpine:3.20`.
This resolves CVE-2024-7264 and CVE-2024-8096 (curl).
```
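Review bot: The fence tag is `release-notes:security` (plural), while every other entry in this commit uses `release-note:`; a literal match on the tag would drop this security entry from the generated notes. Suggest `release-note:security`, and linking CVE-2024-7264 and CVE-2024-8096 the way the other security entries link theirs.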

3
.changelog/21735.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
ui: Pin a newer resolution of ansi-html
```

3
.changelog/21750.txt Normal file

@ -0,0 +1,3 @@
```release-note:enhancement
security: upgrade ubi base image to 9.4
```

7
.changelog/21758.txt Normal file

@ -0,0 +1,7 @@
```release-note:enhancement
raft: update raft library to 1.7.0 which include pre-vote extension
```
```release-note:enhancement
raft: add a configuration `raft_prevote_disabled` to allow disabling raft prevote
```

3
.changelog/21780.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
api: remove dependency on proto-public, protobuf, and grpc
```

3
.changelog/21806.txt Normal file

@ -0,0 +1,3 @@
```release-note:feature
grafana: added the dashboards service-to-service dashboard, service dashboard, and consul dataplane dashboard
```

9
.changelog/21816.txt Normal file

@ -0,0 +1,9 @@
```release-note:security
mesh: Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
```
```release-note:security
mesh: Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
```
```release-note:breaking-change
mesh: Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).
```

@ -156,13 +156,16 @@ When you're ready to submit a pull request:
5. If there's any reason Consul users might need to know about this change,
[add a changelog entry](../docs/contributing/add-a-changelog-entry.md).
6. Add labels to your pull request. A table of commonly use labels is below.
If you have any questions about which to apply, feel free to call it out in the PR or comments.
| Label | When to Use |
| --- | --- |
| `pr/no-changelog` | This PR does not have an intended changelog entry |
If you have any questions about which to apply, feel free to call it out in the PR or comments. Other labels may automatically be added by GitHub Actions CI.
| Label | When to Use |
|----------------------| --- |
| `pr/no-changelog` | This PR does not have an intended changelog entry |
| `pr/no-backport` | This PR does not have an intended backport target |
| `pr/no-metrics-test` | This PR does not require any testing for metrics |
| `backport/1.12.x` | Backport the changes in this PR to the targeted release branch. Consult the [Consul Release Notes](https://www.consul.io/docs/release-notes) page to view active releases. Website documentation merged to the latest release branch is deployed immediately |
Other labels may automatically be added by the Github Action CI.
| `backport/1.12.x` | Backport the changes in this PR to the targeted release branch. Consult the [Consul Release Notes](https://www.consul.io/docs/release-notes) page and [`versions.hcl`](/.release/versions.hcl) to view active releases. Website documentation merged to the latest release branch is deployed immediately. See [backport policy](#backport-policy) for more information. |
| `backport/all` | If contributing a bug fix or other change applicable to all branches, use `backport/all` to target all active branches automatically. See [backport policy](#backport-policy) for more information. |
7. After you submit, the Consul maintainers team needs time to carefully review your
contribution and ensure it is production-ready, considering factors such as: security,
backwards-compatibility, potential regressions, etc.
@ -174,6 +177,10 @@ When you're ready to submit a pull request:
Assuming the tests pass, the PR will be merged automatically.
If the tests fail, it is you responsibility to resolve the issues with backports and request another reviewer.
### Backport Policy
Consul is maintained as a Community Edition (CE) and an Enterprise product. Bug fixes and patches may be backported to the current major release in CE. In Enterprise, bug fixes and patches may be backported to all maintained releases: the N-2 releases and the 2 latest Long-Term Support (LTS) releases. For more information, refer to Consuls [LTS documentation](https://developer.hashicorp.com/consul/docs/enterprise/long-term-support).
#### Checklists
Some common changes that many PRs require are documented through checklists as
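Review bot: "refer to Consuls [LTS documentation]" in the new Backport Policy paragraph is missing the apostrophe ("Consul's"). The unchanged context line just above it, "it is you responsibility to resolve the issues", has a similar slip ("your") that could be fixed in the same pass since this section is being touched anyway.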

@ -2,45 +2,75 @@
# SPDX-License-Identifier: BUSL-1.1
pr/dependencies:
- vendor/**/*
- go.*
- changed-files:
- any-glob-to-any-file:
- vendor/**/*
- go.*
theme/acls:
- acl/**/*
- changed-files:
- any-glob-to-any-file:
- acl/**/*
theme/agent-cache:
- agent/cache/**/*
- changed-files:
- any-glob-to-any-file:
- agent/cache/**/*
theme/api:
- api/**/*
- changed-files:
- any-glob-to-any-file:
- api/**/*
theme/catalog:
- agent/catalog/**/*
- changed-files:
- any-glob-to-any-file:
- agent/catalog/**/*
theme/certificates:
- tlsutil/**/*
- changed-files:
- any-glob-to-any-file:
- tlsutil/**/*
theme/cli:
- command/**/*
- changed-files:
- any-glob-to-any-file:
- command/**/*
theme/config:
- agent/config/**/*
- changed-files:
- any-glob-to-any-file:
- agent/config/**/*
theme/connect:
- connect/**/*
- agent/connect/**/*
- changed-files:
- any-glob-to-any-file:
- connect/**/*
- agent/connect/**/*
# theme/consul-nomad:
theme/consul-terraform-sync:
- website/content/docs/nia/**/*
- website/content/docs/integrate/nia*
- changed-files:
- any-glob-to-any-file:
- website/content/docs/nia/**/*
- website/content/docs/integrate/nia*
# theme/consul-vault:
theme/contributing:
- .github/**/*
- changed-files:
- any-glob-to-any-file:
- .github/**/*
theme/dns:
- dns/**/*
- changed-files:
- any-glob-to-any-file:
- dns/**/*
theme/envoy/xds:
- agent/xds/**/*
- changed-files:
- any-glob-to-any-file:
- agent/xds/**/*
# theme/federation-usability:
theme/health-checks:
- agent/health*
- api/health*
- changed-files:
- any-glob-to-any-file:
- agent/health*
- api/health*
# theme/ingress-gw:
# theme/internal-cleanup:
theme/internals:
- lib/**/*
- types/**/*
- changed-files:
- any-glob-to-any-file:
- lib/**/*
- types/**/*
# theme/kubernetes:
# theme/mesh-gw:
# theme/operator-usability:
@ -48,19 +78,31 @@ theme/internals:
# theme/service-metadata:
# theme/streaming:
theme/telemetry:
- logging/**/*
- changed-files:
- any-glob-to-any-file:
- logging/**/*
# theme/terminating-gw:
theme/testing:
- ./*test*/**/*
- changed-files:
- any-glob-to-any-file:
- ./*test*/**/*
theme/tls:
- tlsutil/**/*
- changed-files:
- any-glob-to-any-file:
- tlsutil/**/*
theme/ui:
- ui/**/*
- changed-files:
- any-glob-to-any-file:
- ui/**/*
# theme/windows:
# thinking:
# type/bug:
type/ci:
- .github/workflows/*
- changed-files:
- any-glob-to-any-file:
- .github/workflows/*
# type/crash:
type/docs:
- website/**/*
- changed-files:
- any-glob-to-any-file:
- website/**/*

@ -1,42 +0,0 @@
#!/bin/bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -euo pipefail
# Get the list of changed files
# Using `git merge-base` ensures that we're always comparing against the correct branch point.
#For example, given the commits:
#
# A---B---C---D---W---X---Y---Z # origin/main
# \---E---F # feature/branch
#
# ... `git merge-base origin/$SKIP_CHECK_BRANCH HEAD` would return commit `D`
# `...HEAD` specifies from the common ancestor to the latest commit on the current branch (HEAD)..
files_to_check=$(git diff --name-only "$(git merge-base origin/$SKIP_CHECK_BRANCH HEAD~)"...HEAD)
# Define the directories to check
skipped_directories=("docs/" "ui/" "website/" "grafana/")
# Loop through the changed files and find directories/files outside the skipped ones
for file_to_check in "${files_to_check[@]}"; do
file_is_skipped=false
for dir in "${skipped_directories[@]}"; do
if [[ "$file_to_check" == "$dir"* ]] || [[ "$file_to_check" == *.md && "$dir" == *"/" ]]; then
file_is_skipped=true
break
fi
done
if [ "$file_is_skipped" != "true" ]; then
echo -e $file_to_check
SKIP_CI=false
echo "Changes detected in non-documentation files - skip-ci: $SKIP_CI"
echo "skip-ci=$SKIP_CI" >> "$GITHUB_OUTPUT"
exit 0 ## if file is outside of the skipped_directory exit script
fi
done
echo -e "$files_to_check"
SKIP_CI=true
echo "Changes detected in only documentation files - skip-ci: $SKIP_CI"
echo "skip-ci=$SKIP_CI" >> "$GITHUB_OUTPUT"

21
.github/scripts/goldenfile_checker.sh vendored Executable file

@ -0,0 +1,21 @@
#!/bin/bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -euo pipefail
# check if there is a diff in the xds testdata directory after running `make envoy-regen`
echo "regenerating xds files"
make envoy-regen
echo "calculating changed files"
changed_xds_files=$(git --no-pager diff --name-only HEAD "$(git merge-base HEAD "origin/$GITHUB_BRANCH_REF")" | egrep "agent/xds/testdata/.*" || true)
# If we do not find a file in .changelog/, we fail the check
if [ -z "$changed_xds_files" ]; then
# pass status check if no changes were found for xds files
echo "Found no changes to xds golden files"
exit 0
else
echo "Found diffs with xds golden files run 'make envoy-regen' to update them and check that output is expected"
exit 0
fi
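Review bot: Both branches of the final `if` end in `exit 0`, so this check can never fail, and the `git diff --name-only HEAD "$(git merge-base ...)"` above it compares two commits, so the files that `make envoy-regen` just rewrote in the working tree are not what is being listed. If the intent is to catch stale golden files, diff the working tree after regeneration (for example `git diff --name-only -- agent/xds/testdata`) and exit non-zero when it is non-empty; if the check is meant to be advisory only, say so in a comment. The comment "If we do not find a file in .changelog/, we fail the check" looks copied from another script and should be replaced, and `egrep` can become `grep -E`.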

@ -102,7 +102,8 @@ function verify_rpm {
${docker_image} \
/scripts/verify_rpm.sh \
"/workdir/${artifact_path}" \
"${expect_version}"
"${expect_version}" \
"${docker_image}"
}
# Arguments:

@ -10,6 +10,10 @@ set -euo pipefail
# report why it failed. This is meant to be run as part of the build workflow to verify the built
# .rpm meets some basic criteria for validity.
# Notably, CentOS 7 is EOL, so we need to point to the vault for updates. It's not clear what alternative
# we may use in the future that supports linux/386 as the platform was dropped in CentOS 8+9. The docker_image
# is passed in as the third argument so that the script can determine if it needs to point to the vault for updates.
# set this so we can locate and execute the verify_bin.sh script for verifying version output
SCRIPT_DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
@ -20,6 +24,7 @@ function usage {
function main {
local rpm_path="${1:-}"
local expect_version="${2:-}"
local docker_image="${3:-}"
local got_version
if [[ -z "${rpm_path}" ]]; then
@ -34,6 +39,12 @@ function main {
exit 1
fi
if [[ -z "${docker_image}" ]]; then
echo "ERROR: docker image argument is required"
usage
exit 1
fi
# expand globs for path names, if this fails, the script will exit
rpm_path=$(echo ${rpm_path})
@ -43,6 +54,12 @@ function main {
exit 1
fi
# CentOS 7 is EOL, so we need to point to the vault for updates
if [[ "$docker_image" == *centos:7 ]]; then
sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
fi
yum -y clean all
yum -y update
yum -y install which openssl
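Review bot: The second `sed` in the CentOS 7 block rewrites the repos to `baseurl=http://vault.centos.org`, so the `yum -y update` and `yum -y install which openssl` that follow pull packages into the verification container over plain HTTP. Suggest `https://vault.centos.org` as the replacement. Also note that the test `"$docker_image" == *centos:7` only matches references that end in exactly `centos:7`, so a point-release tag or a digest-qualified reference would skip the repo fix and fail at `yum`; a short comment stating that assumption would help.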

@ -19,7 +19,7 @@ jobs:
backport:
if: github.event.pull_request.merged
runs-on: ubuntu-latest
container: hashicorpdev/backport-assistant:0.3.4
container: hashicorpdev/backport-assistant:0.4.4
steps:
- name: Run Backport Assistant for release branches
run: |
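Review bot: `container: hashicorpdev/backport-assistant:0.4.4` is referenced by tag, which can be repointed in the registry, while the actions elsewhere in this commit are pinned to commit SHAs. This job is handed an elevated GitHub token from repository secrets, so consider pinning the image by digest (`:0.4.4@sha256:<digest>`) to give it the same guarantee.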
@ -27,11 +27,24 @@ jobs:
env:
BACKPORT_LABEL_REGEXP: "backport/(?P<target>\\d+\\.\\d+)"
BACKPORT_TARGET_TEMPLATE: "release/{{.target}}.x"
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN_WORKFLOW }}
ENABLE_VERSION_MANIFESTS: true
backport-ent:
if: github.event.pull_request.merged && contains(join(github.event.pull_request.labels.*.name), 'backport/ent')
runs-on: ubuntu-latest
steps:
- name: Trigger backport for Enterprise
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
with:
token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
repository: hashicorp/consul-enterprise
event-type: ent-backport
client-payload: ${{ toJson(github.event) }}
handle-failure:
needs:
- backport
if: always() && needs.backport.result == 'failure'
- backport-ent
if: always() && (needs.backport.result == 'failure' || needs.backport-ent.result == 'failure')
runs-on: ubuntu-latest
steps:
- name: Comment on PR
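Review bot: `contains(join(github.event.pull_request.labels.*.name), 'backport/ent')` in the `backport-ent` condition is a substring test over the joined label names, so any label that merely contains `backport/ent` triggers the Enterprise dispatch. Passing the array directly, `contains(github.event.pull_request.labels.*.name, 'backport/ent')`, matches only the exact label. Separately, `client-payload: ${{ toJson(github.event) }}` forwards the whole event to another repository under the elevated token; sending only the fields the receiver needs keeps the payload bounded and makes the contract between the two workflows explicit.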
@ -41,3 +54,4 @@ jobs:
-X POST \
-d "{ \"body\": \"${github_message}\"}" \
"https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${{ github.event.pull_request.number }}/comments"

@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
if: github.actor == 'hc-github-team-consul-core'
steps:
- uses: hmarr/auto-approve-action@44888193675f29a83e04faf4002fa8c0b537b1e4 # v3.2.1
- uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0
with:
review-message: "Auto approved Consul Bot automated PR"
github-token: ${{ secrets.MERGE_APPROVE_TOKEN }}

@ -12,11 +12,11 @@ jobs:
linkChecker:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Run lychee link checker
id: lychee
uses: lycheeverse/lychee-action@ec3ed119d4f44ad2673a7232460dc7dff59d2421 # v1.8.0
uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0
with:
args: ./website/content/docs/ --base https://developer.hashicorp.com/ --exclude-all-private --exclude '\.(svg|gif|jpg|png)' --exclude 'manage\.auth0\.com' --accept 403 --max-concurrency=24 --no-progress --verbose
# Fail GitHub action when broken links are found?
@ -26,7 +26,7 @@ jobs:
- name: Create GitHub Issue From lychee output file
if: env.lychee_exit_code != 0
uses: peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f # v4.0.1
uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5.0.0
with:
title: Link Checker Report
content-filepath: ./lychee/out.md

@ -25,7 +25,7 @@ jobs:
compute-large: ${{ steps.setup-outputs.outputs.compute-large }}
compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- id: setup-outputs
name: Setup outputs
run: ./.github/scripts/get_runner_classes.sh
@ -52,7 +52,7 @@ jobs:
- name: Fetch Secrets
if: ${{ endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
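Review bot: `uses: hashicorp/vault-action@v3` in the Fetch Secrets step is a floating major tag, while the checkout, setup-go and docker actions in this same file are pinned to full commit SHAs with the version in a trailing comment. This is the step that reads the DockerHub credentials out of Vault, so it deserves the same treatment: pin to the commit SHA of the intended v3 release and keep `# v3.x.y` as the comment.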
@ -61,14 +61,14 @@ jobs:
kv/data/github/${{ github.repository }}/dockerhub username | DOCKERHUB_USERNAME;
kv/data/github/${{ github.repository }}/dockerhub token | DOCKERHUB_TOKEN;
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: ENT specific step as we need to set elevated GitHub permissions.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
@ -83,17 +83,17 @@ jobs:
echo "GITHUB_BUILD_URL=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> $GITHUB_ENV
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
# NOTE: conditional specific logic as we store secrets in Vault in ENT and use GHA secrets in CE.
- name: Login to Docker Hub
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
username: ${{ endsWith(github.repository, '-enterprise') && steps.secrets.outputs.DOCKERHUB_USERNAME || secrets.DOCKERHUB_USERNAME }}
password: ${{ endsWith(github.repository, '-enterprise') && steps.secrets.outputs.DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }}
- name: Docker build and push
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
context: ./bin
file: ./build-support/docker/Consul-Dev.dockerfile

@ -31,7 +31,7 @@ jobs:
compute-large: ${{ steps.setup-outputs.outputs.compute-large }}
compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- id: setup-outputs
name: Setup outputs
run: ./.github/scripts/get_runner_classes.sh
@ -60,14 +60,14 @@ jobs:
XC_OS: "freebsd linux windows"
runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl) }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: Build
@ -85,14 +85,14 @@ jobs:
XC_OS: "darwin freebsd linux solaris windows"
runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl) }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: Build
@ -111,7 +111,7 @@ jobs:
CGO_ENABLED: 1
GOOS: linux
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
@ -119,7 +119,7 @@ jobs:
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: |
@ -138,13 +138,13 @@ jobs:
- check-go-mod
runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl) }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: Build

@ -30,12 +30,12 @@ jobs:
pre-version: ${{ steps.set-product-version.outputs.prerelease-product-version }}
shared-ldflags: ${{ steps.shared-ldflags.outputs.shared-ldflags }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# action-set-product-version implicitly sets fields like 'product-version' using version/VERSION
# https://github.com/hashicorp/actions-set-product-version
- name: set product version
id: set-product-version
uses: hashicorp/actions-set-product-version@v1
uses: hashicorp/actions-set-product-version@v2
- name: get product version
id: get-product-version
run: |
@ -70,7 +70,7 @@ jobs:
filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
steps:
- name: 'Checkout directory'
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Generate metadata file
id: generate-metadata-file
uses: hashicorp/actions-generate-metadata@v1
@ -78,7 +78,7 @@ jobs:
version: ${{ needs.set-product-version.outputs.product-version }}
product: ${{ env.PKG_NAME }}
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: metadata.json
path: ${{ steps.generate-metadata-file.outputs.filepath }}
@ -95,6 +95,8 @@ jobs:
- {goos: "linux", goarch: "amd64"}
- {goos: "linux", goarch: "arm"}
- {goos: "linux", goarch: "arm64"}
- {goos: "darwin", goarch: "amd64"}
- {goos: "darwin", goarch: "arm64"}
- {goos: "freebsd", goarch: "386"}
- {goos: "freebsd", goarch: "amd64"}
- {goos: "windows", goarch: "386"}
@ -104,10 +106,10 @@ jobs:
name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Setup with node and yarn
uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '18'
cache: 'yarn'
@ -132,17 +134,27 @@ jobs:
PRERELEASE_VERSION: ${{ needs.set-product-version.outputs.pre-version }}
CGO_ENABLED: "0"
GOLDFLAGS: "${{needs.set-product-version.outputs.shared-ldflags}}"
uses: hashicorp/actions-go-build@v0.1.7
uses: hashicorp/actions-go-build@make-clean-flag-optional
with:
product_name: ${{ env.PKG_NAME }}
product_version: ${{ needs.set-product-version.outputs.product-version }}
go_version: ${{ needs.get-go-version.outputs.go-version }}
os: ${{ matrix.goos }}
arch: ${{ matrix.goarch }}
reproducible: report
reproducible: nope
clean: false
instructions: |-
cp LICENSE $TARGET_DIR/LICENSE.txt
go build -ldflags="$GOLDFLAGS" -o "$BIN_PATH" -trimpath -buildvcs=false
- name: Copy license file
if: ${{ !endsWith(github.repository, '-enterprise') }}
env:
LICENSE_DIR: ".release/linux/package/usr/share/doc/${{ env.PKG_NAME }}"
run: |
mkdir -p "$LICENSE_DIR"
cp LICENSE "$LICENSE_DIR/LICENSE.txt"
- name: Package
if: ${{ matrix.goos == 'linux' }}
uses: hashicorp/actions-packaging-linux@v1
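Review bot: `uses: hashicorp/actions-go-build@make-clean-flag-optional` in the Go Build step points the release build at a branch name, replacing the tagged `v0.1.7`; a branch ref moves with every push, so the code that produces shipped binaries is no longer fixed by this file. Suggest pinning to a commit SHA or a released tag once the branch is merged. In the same step `reproducible: report` becomes `reproducible: nope` together with `clean: false`, which turns off the reproducibility report for release artifacts; if that is a temporary workaround, a comment with the reason and a follow-up issue would make it easier to restore.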
@ -153,7 +165,7 @@ jobs:
version: ${{ needs.set-product-version.outputs.product-version }}
maintainer: "HashiCorp"
homepage: "https://github.com/hashicorp/consul"
license: "MPL-2.0"
license: "BSL-1.1"
binary: "dist/${{ env.PKG_NAME }}"
deb_depends: "openssl"
rpm_depends: "openssl"
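Review bot: `license: "BSL-1.1"` in the Package step does not match the identifier used elsewhere in this commit, where the scripts carry `SPDX-License-Identifier: BUSL-1.1`. `BUSL-1.1` is the SPDX identifier for the Business Source License 1.1, and `BSL-` is the SPDX prefix for the Boost Software License (`BSL-1.0`), so license scanners reading the deb/rpm metadata may misclassify the package. Suggest `license: "BUSL-1.1"`.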
@ -169,13 +181,13 @@ jobs:
echo "RPM_PACKAGE=$(basename out/*.rpm)" >> $GITHUB_ENV
echo "DEB_PACKAGE=$(basename out/*.deb)" >> $GITHUB_ENV
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: ${{ matrix.goos == 'linux' }}
with:
name: ${{ env.RPM_PACKAGE }}
path: out/${{ env.RPM_PACKAGE }}
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: ${{ matrix.goos == 'linux' }}
with:
name: ${{ env.DEB_PACKAGE }}
@ -195,10 +207,10 @@ jobs:
name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Setup with node and yarn
uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '18'
cache: 'yarn'
@ -223,67 +235,19 @@ jobs:
PRERELEASE_VERSION: ${{ needs.set-product-version.outputs.pre-version }}
CGO_ENABLED: "0"
GOLDFLAGS: "${{needs.set-product-version.outputs.shared-ldflags}}"
uses: hashicorp/actions-go-build@v0.1.7
uses: hashicorp/actions-go-build@make-clean-flag-optional
with:
product_name: ${{ env.PKG_NAME }}
product_version: ${{ needs.set-product-version.outputs.product-version }}
go_version: ${{ needs.get-go-version.outputs.go-version }}
os: ${{ matrix.goos }}
arch: ${{ matrix.goarch }}
reproducible: report
reproducible: nope
clean: false
instructions: |-
cp LICENSE $TARGET_DIR/LICENSE.txt
go build -ldflags="$GOLDFLAGS" -o "$BIN_PATH" -trimpath -buildvcs=false
build-darwin:
needs:
- set-product-version
- get-go-version
runs-on: macos-latest
strategy:
matrix:
goos: [ darwin ]
goarch: [ "amd64", "arm64" ]
fail-fast: true
name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup with node and yarn
uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
with:
node-version: '18'
cache: 'yarn'
cache-dependency-path: 'ui/yarn.lock'
- name: Build UI
run: |
CONSUL_VERSION=${{ needs.set-product-version.outputs.product-version }}
CONSUL_BINARY_TYPE=${CONSUL_BINARY_TYPE}
CONSUL_COPYRIGHT_YEAR=$(git show -s --format=%cd --date=format:%Y HEAD)
echo "consul_version is ${CONSUL_VERSION}"
echo "consul binary type is ${CONSUL_BINARY_TYPE}"
echo "consul copyright year is ${CONSUL_COPYRIGHT_YEAR}"
cd ui && make && cd ..
rm -rf agent/uiserver/dist
mv ui/packages/consul-ui/dist agent/uiserver/
- name: Go Build
env:
PRODUCT_VERSION: ${{ needs.set-product-version.outputs.product-version }}
PRERELEASE_VERSION: ${{ needs.set-product-version.outputs.pre-version }}
CGO_ENABLED: "0"
GOLDFLAGS: "${{needs.set-product-version.outputs.shared-ldflags}}"
uses: hashicorp/actions-go-build@v0.1.7
with:
product_name: ${{ env.PKG_NAME }}
product_version: ${{ needs.set-product-version.outputs.product-version }}
go_version: ${{ needs.get-go-version.outputs.go-version }}
os: ${{ matrix.goos }}
arch: ${{ matrix.goarch }}
reproducible: report
instructions: |-
go build -ldflags="$GOLDFLAGS" -tags netcgo -o "$BIN_PATH" -trimpath -buildvcs=false
build-docker:
name: Docker ${{ matrix.arch }} build
needs:
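Review bot: `uses: hashicorp/actions-go-build@make-clean-flag-optional` points the release build at a branch name, where the line it replaces used the tag `v0.1.7` and the other actions in this file are pinned to full commit SHAs. A branch ref can move without any change in this repository; pin it to the commit SHA of that branch, with the branch name in a trailing comment, until a tagged release carries the `clean` option. The same hunk deletes the whole `build-darwin` job, so the change description should say where darwin binaries are built now.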
@ -302,7 +266,7 @@ jobs:
version: ${{needs.set-product-version.outputs.product-version}}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# Strip everything but MAJOR.MINOR from the version string and add a `-dev` suffix
# This naming convention will be used ONLY for per-commit dev images
@ -314,7 +278,7 @@ jobs:
echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" >> $GITHUB_ENV
- name: Docker Build (Action)
uses: hashicorp/actions-docker-build@v1
uses: hashicorp/actions-docker-build@v2
with:
version: ${{env.version}}
target: default
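Review bot: `hashicorp/actions-docker-build@v2` is a floating major tag, while `actions/checkout` in the preceding hunk is pinned to a 40-character SHA with the version in a comment. Apply the same convention here so the image build step cannot change without a diff in this file.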
@ -340,7 +304,7 @@ jobs:
version: ${{needs.set-product-version.outputs.product-version}}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# Strip everything but MAJOR.MINOR from the version string and add a `-dev` suffix
# This naming convention will be used ONLY for per-commit dev images
@ -351,7 +315,7 @@ jobs:
echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')"
echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" >> $GITHUB_ENV
- uses: hashicorp/actions-docker-build@v1
- uses: hashicorp/actions-docker-build@v2
with:
version: ${{env.version}}
target: ubi
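Review bot: the added `>> $GITHUB_ENV` fixes a step that previously only printed `minor_dev_tag`, but the line still expands `${{ env.version }}` into the script text before the shell runs. `version` is already set in the job `env:` shown in the preceding hunk, so reference it as `"$version"` in the `sed` pipeline and quote `"$GITHUB_ENV"`; that keeps the value out of the shell's parsing. `hashicorp/actions-docker-build@v2` in this hunk is also a floating tag where the surrounding actions use SHA pins.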
@ -386,17 +350,17 @@ jobs:
name: Verify ${{ matrix.arch }} linux binary
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
if: ${{ endsWith(github.repository, '-enterprise') || matrix.arch != 's390x' }}
- name: Download ${{ matrix.arch }} zip
if: ${{ endsWith(github.repository, '-enterprise') || matrix.arch != 's390x' }}
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: ${{ env.zip_name }}
- name: Set up QEMU
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
if: ${{ matrix.arch == 'arm' || matrix.arch == 'arm64' }}
with:
# this should be a comma-separated string as opposed to an array
@ -406,32 +370,6 @@ jobs:
if: ${{ endsWith(github.repository, '-enterprise') || matrix.arch != 's390x' }}
run: .github/scripts/verify_artifact.sh ${{ env.zip_name }} v${{ env.version }}
verify-darwin:
needs:
- set-product-version
- build-darwin
runs-on: macos-latest
strategy:
fail-fast: true
env:
version: ${{needs.set-product-version.outputs.product-version}}
zip_name: consul_${{ needs.set-product-version.outputs.product-version }}_darwin_amd64.zip
name: Verify amd64 darwin binary
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Download amd64 darwin zip
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ env.zip_name }}
- name: Unzip amd64 darwin zip
run: unzip ${{ env.zip_name }}
- name: Run verification for amd64 darwin binary
run: .github/scripts/verify_bin.sh ./consul v${{ env.version }}
verify-linux-packages-deb:
needs:
- build
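Review bot: the `verify-darwin` job is deleted outright, including the `verify_bin.sh ./consul v${{ env.version }}` step, and nothing in the hunk replaces it. If darwin zips are still published, their version check is gone; either keep a verification step for them or state in the change description that this workflow no longer produces darwin artifacts.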
@ -450,7 +388,7 @@ jobs:
name: Verify ${{ matrix.arch }} debian package
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Set package version
run: |
@ -461,12 +399,12 @@ jobs:
echo "pkg_name=consul_${{ env.pkg_version }}-1_${{ matrix.arch }}.deb" >> $GITHUB_ENV
- name: Download workflow artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: ${{ env.pkg_name }}
- name: Set up QEMU
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: all
@ -491,7 +429,7 @@ jobs:
name: Verify ${{ matrix.arch }} rpm
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Set package version
run: |
@ -502,12 +440,12 @@ jobs:
echo "pkg_name=consul-${{ env.pkg_version }}-1.${{ matrix.arch }}.rpm" >> $GITHUB_ENV
- name: Download workflow artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: ${{ env.pkg_name }}
- name: Set up QEMU
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: all

View File

@ -9,6 +9,11 @@ on:
branches:
- main
- release/**
- '!release/1.18**'
- '!release/1.17**'
- '!release/1.16**'
- '!release/1.15**'
jobs:
trigger-ce-merge:
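Review bot: the four `'!release/1.1x**'` exclusions are added with no comment explaining why those release lines are skipped, and the list is hardcoded, so it needs a manual edit each time a branch ages out. Add a one-line comment above them stating the rule, and keep the negated patterns after `release/**` as they are now, because a later matching pattern overrides an earlier one.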

View File

@ -22,7 +22,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0 # by default the checkout action doesn't checkout all branches

View File

@ -20,7 +20,7 @@ jobs:
if: "! ( contains(github.event.pull_request.labels.*.name, 'pr/update-ui-assets') || github.event.pull_request.user.login == 'hc-github-team-consul-core' )"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0 # by default the checkout action doesn't checkout all branches

View File

@ -21,7 +21,7 @@ jobs:
compute-large: ${{ steps.setup-outputs.outputs.compute-large }}
compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- id: setup-outputs
name: Setup outputs
run: ./.github/scripts/get_runner_classes.sh
@ -33,9 +33,9 @@ jobs:
run:
working-directory: ui
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '18'
@ -53,9 +53,9 @@ jobs:
needs: setup
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '18'
@ -83,9 +83,9 @@ jobs:
CONSUL_NSPACES_ENABLED: 0 # NOTE: this should be 1 in ENT.
JOBS: 2 # limit parallelism for broccoli-babel-transpiler
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '18'
@ -93,7 +93,7 @@ jobs:
run: corepack enable
- name: Install Chrome
uses: browser-actions/setup-chrome@c485fa3bab6be59dce18dbc18ef6ab7cbc8ff5f1 # v1.2.0
uses: browser-actions/setup-chrome@82b9ce628cc5595478a9ebadc480958a36457dc2 # v1.6.0
- name: Install dependencies
working-directory: ui
@ -123,9 +123,9 @@ jobs:
CONSUL_NSPACES_ENABLED: 1 # NOTE: this should be 1 in ENT.
JOBS: 2 # limit parallelism for broccoli-babel-transpiler
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '18'
@ -133,7 +133,7 @@ jobs:
run: corepack enable
- name: Install Chrome
uses: browser-actions/setup-chrome@c485fa3bab6be59dce18dbc18ef6ab7cbc8ff5f1 # v1.2.0
uses: browser-actions/setup-chrome@82b9ce628cc5595478a9ebadc480958a36457dc2 # v1.6.0
- name: Install dependencies
working-directory: ui

View File

@ -22,7 +22,6 @@ permissions:
env:
TEST_RESULTS: /tmp/test-results
GOPRIVATE: github.com/hashicorp # Required for enterprise deps
SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }}
# concurrency
concurrency:
@ -31,17 +30,7 @@ concurrency:
jobs:
conditional-skip:
runs-on: ubuntu-latest
name: Get files changed and conditionally skip CI
outputs:
skip-ci: ${{ steps.read-files.outputs.skip-ci }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: Get changed files
id: read-files
run: ./.github/scripts/filter_changed_files_go_test.sh
uses: ./.github/workflows/reusable-conditional-skip.yml
setup:
needs: [conditional-skip]
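Review bot: `conditional-skip` is now `uses: ./.github/workflows/reusable-conditional-skip.yml`, but `setup` still has `needs: [conditional-skip]` and the removed job exposed `skip-ci` through `outputs:`. The reusable workflow must declare `skip-ci` under `on.workflow_call.outputs`, otherwise anything reading `needs.conditional-skip.outputs.skip-ci` gets an empty string. Workflow-level `env:` is not passed to a called workflow either, so confirm the reusable file sets `SKIP_CHECK_BRANCH` itself now that the previous hunk drops it here.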
@ -54,7 +43,7 @@ jobs:
compute-large: ${{ steps.setup-outputs.outputs.compute-large }}
compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- id: setup-outputs
name: Setup outputs
run: ./.github/scripts/get_runner_classes.sh
@ -80,12 +69,12 @@ jobs:
- get-go-version
runs-on: ${{ fromJSON(needs.setup.outputs.compute-medium) }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: make proto-tools
@ -106,12 +95,12 @@ jobs:
- get-go-version
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: make --always-make codegen
@ -127,12 +116,12 @@ jobs:
- get-go-version
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go install github.com/reillywatson/enumcover/cmd/enumcover@master && enumcover ./...
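Review bot: the hunk pins `actions/setup-go` to a SHA but leaves `go install github.com/reillywatson/enumcover/cmd/enumcover@master` on its last line, which fetches and runs whatever is at the tip of that branch on every CI run. Pin it to a tagged version or a commit hash so the lint tool is as reproducible as the actions around it.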
@ -143,11 +132,11 @@ jobs:
- get-go-version
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: make lint-container-test-deps
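Review bot: the `Setup Git` step in this job has no `if: ${{ endsWith(github.repository, '-enterprise') }}` guard, unlike the same step in the neighbouring hunks. Where `secrets.ELEVATED_GITHUB_TOKEN` is unset, the `insteadOf` rewrite is configured with an empty credential for every github.com URL; add the guard while this block is being touched.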
@ -158,12 +147,12 @@ jobs:
- get-go-version
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: make lint-consul-retry
@ -598,7 +587,7 @@ jobs:
# FAILED_TESTS must also be checked to avoid running this step on cancellation due to the summary check above
if: ${{ failure() && env.FAILED_TESTS == 'true' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) }}
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
# Escape entire message string to ensure valid JSON. If invalid, the notification will fail silently in CI.
payload: |

View File

@ -0,0 +1,43 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# This workflow checks that are no changes necessary to golden files for xds
# tests ensuring they are up to date
name: Golden File Checker
on:
pull_request:
types: [opened, synchronize, labeled]
# Runs on PRs to main and all release branches
branches:
- main
- release/*
jobs:
get-go-version:
uses: ./.github/workflows/reusable-get-go-version.yml
# checks that there is no diff between the existing golden files
goldenfile-check:
runs-on: ubuntu-latest
needs:
- get-go-version
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0 # by default the checkout action doesn't checkout all branches
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: Download Modules
run: go mod download
- name: Check for golden file xds tests in diff
run: ./.github/scripts/goldenfile_checker.sh
env:
GITHUB_BRANCH_REF: ${{ github.event.pull_request.head.ref }}
CONSUL_LICENSE: ${{ secrets.CONSUL_LICENSE }}
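Review bot: this new workflow has no `permissions:` block, checks out `github.event.pull_request.head.sha`, and then runs `./.github/scripts/goldenfile_checker.sh` with `CONSUL_LICENSE` in its environment, so the script that sees the secret is the pull request's own copy. Add a top-level `permissions:` with `contents: read`, keep `CONSUL_LICENSE` limited to that one step, and make sure the script never prints it. Smaller points: the header comment reads "checks that are no changes" (missing "there"), `release/*` differs from the `release/**` pattern used in the other workflow, and `setup-go` is v5.0.1 here but v5.0.0 elsewhere in this change.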

View File

@ -11,7 +11,7 @@ jobs:
triage:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
with:
labels: |

View File

@ -16,7 +16,7 @@ jobs:
name: Jira Community Issue sync
steps:
- name: Login
uses: atlassian/gajira-login@ca13f8850ea309cf44a6e4e0c49d9aa48ac3ca4c # v3
uses: atlassian/gajira-login@45fd029b9f1d6d8926c6f04175aa80c0e42c9026 # v3.0.1
env:
JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
@ -49,7 +49,6 @@ jobs:
# customfield_10089 is "Issue Link", customfield_10371 is "Source" (use JIRA API to retrieve)
extraFields: '{ "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}",
"customfield_10371": { "value": "GitHub" },
"customfield_10535": [{ "value": "Service Mesh" }],
"components": [{ "name": "${{ github.event.repository.name }}" }],
"labels": ${{ steps.set-ticket-labels.outputs.LABELS }} }'
env:
@ -91,14 +90,14 @@ jobs:
- name: Close ticket
if: ( github.event.action == 'closed' || github.event.action == 'deleted' ) && steps.search.outputs.issue
uses: atlassian/gajira-transition@4749176faf14633954d72af7a44d7f2af01cc92b # v3
uses: atlassian/gajira-transition@38fc9cd61b03d6a53dd35fcccda172fe04b36de3 # v3.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: "Closed"
- name: Reopen ticket
if: github.event.action == 'reopened' && steps.search.outputs.issue
uses: atlassian/gajira-transition@4749176faf14633954d72af7a44d7f2af01cc92b # v3
uses: atlassian/gajira-transition@38fc9cd61b03d6a53dd35fcccda172fe04b36de3 # v3.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: "To Do"

View File

@ -14,7 +14,7 @@ jobs:
name: Jira sync
steps:
- name: Login
uses: atlassian/gajira-login@ca13f8850ea309cf44a6e4e0c49d9aa48ac3ca4c # v3
uses: atlassian/gajira-login@45fd029b9f1d6d8926c6f04175aa80c0e42c9026 # v3.0.1
env:
JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
@ -67,8 +67,7 @@ jobs:
description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created in GitHub by ${{ github.actor }}._"
# customfield_10089 is "Issue Link", customfield_10371 is "Source" (use JIRA API to retrieve)
extraFields: '{ "customfield_10089": "${{ github.event.pull_request.html_url }}",
"customfield_10371": { "value": "GitHub" },
"customfield_10535": [{ "value": "Service Mesh" }],
"customfield_10371": { "value": "GitHub" },
"components": [{ "name": "${{ github.event.repository.name }}" }],
"labels": ${{ steps.set-ticket-labels.outputs.LABELS }} }'
env:
@ -105,14 +104,14 @@ jobs:
- name: Close ticket
if: ( github.event.action == 'closed' || github.event.action == 'deleted' ) && steps.search.outputs.issue
uses: atlassian/gajira-transition@4749176faf14633954d72af7a44d7f2af01cc92b # v3
uses: atlassian/gajira-transition@38fc9cd61b03d6a53dd35fcccda172fe04b36de3 # v3.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: "Closed"
- name: Reopen ticket
if: github.event.action == 'reopened' && steps.search.outputs.issue
uses: atlassian/gajira-transition@4749176faf14633954d72af7a44d7f2af01cc92b # v3
uses: atlassian/gajira-transition@38fc9cd61b03d6a53dd35fcccda172fe04b36de3 # v3.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: "To Do"

View File

@ -14,15 +14,22 @@ env:
GOPRIVATE: github.com/hashicorp # Required for enterprise deps
jobs:
check-ent:
runs-on: ubuntu-latest
if: ${{ endsWith(github.repository, '-enterprise') }}
steps:
- run: echo "Building Enterprise"
frontend-test-workspace-node:
runs-on: ubuntu-latest
needs: [check-ent]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
cache: 'yarn'
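Review bot: `frontend-test-workspace-node` now has `needs: [check-ent]`, and `check-ent` runs only when the repository name ends in `-enterprise`, so outside the enterprise repository this job (and any other job given the same `needs`) is skipped. If that is the intent, say so in a comment on `check-ent`; a job whose only step is `echo "Building Enterprise"` does not explain that it is a gate, and its name suggests it checks something.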
@ -45,16 +52,17 @@ jobs:
frontend-build-ce:
runs-on: ubuntu-latest
needs: [check-ent]
env:
JOBS: 2
CONSUL_NSPACES_ENABLED: 0
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
cache: 'yarn'
@ -71,7 +79,7 @@ jobs:
run: make build-ci
- name: Upload CE Frontend
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: frontend-ce-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -88,12 +96,12 @@ jobs:
EMBER_TEST_REPORT: test-results/report-ce.xml #outputs test report for CI test summary
EMBER_TEST_PARALLEL: true #enables test parallelization with ember-exam
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
cache: 'yarn'
@ -105,7 +113,7 @@ jobs:
run: make deps
- name: Download CE Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ce-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -117,16 +125,17 @@ jobs:
frontend-build-ent:
runs-on: ubuntu-latest
needs: [check-ent]
env:
JOBS: 2
CONSUL_NSPACES_ENABLED: 1
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
cache: 'yarn'
@ -143,7 +152,7 @@ jobs:
run: make build-ci
- name: Upload ENT Frontend
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -160,12 +169,12 @@ jobs:
EMBER_TEST_REPORT: test-results/report-ce.xml #outputs test report for CI test summary
EMBER_TEST_PARALLEL: true #enables test parallelization with ember-exam
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
cache: 'yarn'
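Review bot: this job sits between the Upload ENT Frontend and Download ENT Frontend steps, yet its context still sets `EMBER_TEST_REPORT: test-results/report-ce.xml`. If the CE and ENT reports are ever collected into the same place, the shared file name makes them indistinguishable; rename this one to `report-ent.xml` or confirm the shared name is intended.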
@ -177,7 +186,7 @@ jobs:
run: make deps
- name: Download ENT Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -191,12 +200,12 @@ jobs:
runs-on: ubuntu-latest
needs: [frontend-build-ent]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
cache: 'yarn'
@ -208,7 +217,7 @@ jobs:
run: make deps
- name: Download ENT Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -224,7 +233,7 @@ jobs:
steps:
- name: Slack Notification
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{

View File

@ -1,7 +1,7 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
name: Nightly Frontend Test 1.17.x
name: Nightly Frontend Test 1.18.x
on:
schedule:
- cron: '0 4 * * *'
@ -9,20 +9,27 @@ on:
env:
EMBER_PARTITION_TOTAL: 4 # Has to be changed in tandem with the matrix.partition
BRANCH: "release/1.17.x"
BRANCH_NAME: "release-1.17.x" # Used for naming artifacts
BRANCH: "release/1.18.x"
BRANCH_NAME: "release-1.18.x" # Used for naming artifacts
GOPRIVATE: github.com/hashicorp # Required for enterprise deps
jobs:
check-ent:
runs-on: ubuntu-latest
if: ${{ endsWith(github.repository, '-enterprise') }}
steps:
- run: echo "Building Enterprise"
frontend-test-workspace-node:
runs-on: ubuntu-latest
needs: [check-ent]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -45,16 +52,17 @@ jobs:
frontend-build-ce:
runs-on: ubuntu-latest
needs: [check-ent]
env:
JOBS: 2
CONSUL_NSPACES_ENABLED: 0
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -71,7 +79,7 @@ jobs:
run: make build-ci
- name: Upload CE Frontend
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: frontend-ce-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -88,12 +96,12 @@ jobs:
EMBER_TEST_REPORT: test-results/report-ce.xml #outputs test report for CI test summary
EMBER_TEST_PARALLEL: true #enables test parallelization with ember-exam
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -105,7 +113,7 @@ jobs:
run: make deps
- name: Download CE Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ce-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -117,16 +125,17 @@ jobs:
frontend-build-ent:
runs-on: ubuntu-latest
needs: [check-ent]
env:
JOBS: 2
CONSUL_NSPACES_ENABLED: 1
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -143,7 +152,7 @@ jobs:
run: make build-ci
- name: Upload ENT Frontend
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -160,12 +169,12 @@ jobs:
EMBER_TEST_REPORT: test-results/report-ce.xml #outputs test report for CI test summary
EMBER_TEST_PARALLEL: true #enables test parallelization with ember-exam
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -177,7 +186,7 @@ jobs:
run: make deps
- name: Download ENT Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -191,12 +200,12 @@ jobs:
runs-on: ubuntu-latest
needs: [frontend-build-ent]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -208,7 +217,7 @@ jobs:
run: make deps
- name: Download ENT Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -224,7 +233,7 @@ jobs:
steps:
- name: Slack Notification
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{

View File

@ -1,7 +1,7 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
name: Nightly Frontend Test 1.14.x
name: Nightly Frontend Test 1.19.x
on:
schedule:
- cron: '0 4 * * *'
@ -9,22 +9,29 @@ on:
env:
EMBER_PARTITION_TOTAL: 4 # Has to be changed in tandem with the matrix.partition
BRANCH: "release/1.14.x"
BRANCH_NAME: "release-1.14.x" # Used for naming artifacts
BRANCH: "release/1.19.x"
BRANCH_NAME: "release-1.19.x" # Used for naming artifacts
GOPRIVATE: github.com/hashicorp # Required for enterprise deps
jobs:
check-ent:
runs-on: ubuntu-latest
if: ${{ endsWith(github.repository, '-enterprise') }}
steps:
- run: echo "Building Enterprise"
frontend-test-workspace-node:
runs-on: ubuntu-latest
needs: [ check-ent ]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -45,18 +52,19 @@ jobs:
frontend-build-ce:
runs-on: ubuntu-latest
needs: [ check-ent ]
env:
JOBS: 2
CONSUL_NSPACES_ENABLED: 0
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -71,7 +79,7 @@ jobs:
run: make build-ci
- name: Upload CE Frontend
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: frontend-ce-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -88,14 +96,14 @@ jobs:
EMBER_TEST_REPORT: test-results/report-ce.xml #outputs test report for CI test summary
EMBER_TEST_PARALLEL: true #enables test parallelization with ember-exam
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -105,7 +113,7 @@ jobs:
run: make deps
- name: Download CE Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ce-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -117,18 +125,19 @@ jobs:
frontend-build-ent:
runs-on: ubuntu-latest
needs: [ check-ent ]
env:
JOBS: 2
CONSUL_NSPACES_ENABLED: 1
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -143,7 +152,7 @@ jobs:
run: make build-ci
- name: Upload ENT Frontend
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -160,14 +169,14 @@ jobs:
EMBER_TEST_REPORT: test-results/report-ce.xml #outputs test report for CI test summary
EMBER_TEST_PARALLEL: true #enables test parallelization with ember-exam
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -177,7 +186,7 @@ jobs:
run: make deps
- name: Download ENT Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -191,14 +200,14 @@ jobs:
runs-on: ubuntu-latest
needs: [frontend-build-ent]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -208,7 +217,7 @@ jobs:
run: make deps
- name: Download ENT Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -224,7 +233,7 @@ jobs:
steps:
- name: Slack Notification
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{

View File

@ -1,7 +1,7 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
name: Nightly Frontend Test 1.16.x
name: Nightly Frontend Test 1.20.x
on:
schedule:
- cron: '0 4 * * *'
@ -9,22 +9,29 @@ on:
env:
EMBER_PARTITION_TOTAL: 4 # Has to be changed in tandem with the matrix.partition
BRANCH: "release/1.16.x"
BRANCH_NAME: "release-1.16.x" # Used for naming artifacts
BRANCH: "release/1.20.x"
BRANCH_NAME: "release-1.20.x" # Used for naming artifacts
GOPRIVATE: github.com/hashicorp # Required for enterprise deps
jobs:
check-ent:
runs-on: ubuntu-latest
if: ${{ endsWith(github.repository, '-enterprise') }}
steps:
- run: echo "Building Enterprise"
frontend-test-workspace-node:
runs-on: ubuntu-latest
needs: [ check-ent ]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -45,18 +52,19 @@ jobs:
frontend-build-ce:
runs-on: ubuntu-latest
needs: [ check-ent ]
env:
JOBS: 2
CONSUL_NSPACES_ENABLED: 0
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -71,7 +79,7 @@ jobs:
run: make build-ci
- name: Upload CE Frontend
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: frontend-ce-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -88,14 +96,14 @@ jobs:
EMBER_TEST_REPORT: test-results/report-ce.xml #outputs test report for CI test summary
EMBER_TEST_PARALLEL: true #enables test parallelization with ember-exam
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -105,7 +113,7 @@ jobs:
run: make deps
- name: Download CE Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ce-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -117,18 +125,19 @@ jobs:
frontend-build-ent:
runs-on: ubuntu-latest
needs: [ check-ent ]
env:
JOBS: 2
CONSUL_NSPACES_ENABLED: 1
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -143,7 +152,7 @@ jobs:
run: make build-ci
- name: Upload ENT Frontend
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -160,14 +169,14 @@ jobs:
EMBER_TEST_REPORT: test-results/report-ce.xml #outputs test report for CI test summary
EMBER_TEST_PARALLEL: true #enables test parallelization with ember-exam
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -177,7 +186,7 @@ jobs:
run: make deps
- name: Download ENT Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -191,14 +200,14 @@ jobs:
runs-on: ubuntu-latest
needs: [frontend-build-ent]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 14
node-version: 18
cache: 'yarn'
cache-dependency-path: ./ui/yarn.lock
@ -208,7 +217,7 @@ jobs:
run: make deps
- name: Download ENT Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -224,7 +233,7 @@ jobs:
steps:
- name: Slack Notification
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{

View File

@ -6,7 +6,7 @@ name: Nightly test integrations - peering_common_topo
on:
schedule:
# Run nightly at 12AM UTC/8PM EST/5PM PST
- cron: '* 0 * * *'
- cron: '0 0 * * *'
workflow_dispatch: {}
env:
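Review bot: The schedule comment above the corrected cron line still reads "12AM UTC/8PM EST/5PM PST", which does not match standard time: 00:00 UTC is 7PM EST and 4PM PST, and 8PM/5PM only hold during daylight time (EDT/PDT). Since the cron expression is evaluated in UTC, either label the offsets as EDT/PDT or drop the local times and keep only "12AM UTC". The same applies to the "1AM UTC/9PM EST/6PM PST" comment in the 1.15.x nightly workflow.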
@ -31,7 +31,7 @@ jobs:
enterprise: ${{ steps.runners.outputs.enterprise }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.branch }}
- id: runners
@ -39,12 +39,20 @@ jobs:
get-go-version:
uses: ./.github/workflows/reusable-get-go-version.yml
with:
ref: ${{ inputs.branch }}
get-envoy-versions:
uses: ./.github/workflows/reusable-get-envoy-versions.yml
with:
ref: ${{ inputs.branch }}
tests:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl ) }}
needs:
- setup
- get-go-version
- get-envoy-versions
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
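Review bot: The new `ref: ${{ inputs.branch }}` passed to get-go-version and get-envoy-versions has no visible source in this workflow: the triggers are `schedule` and `workflow_dispatch: {}`, and neither declares a `branch` input, so the expression evaluates to an empty string on every run. If the reusable workflows are meant to fall back to the default branch on an empty ref, say so in a comment here; otherwise declare the input under `workflow_dispatch` or pass an explicit branch, as the release-branch nightlies do with `ref: release/1.15.x`.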
@ -62,14 +70,14 @@ jobs:
name: '${{matrix.test-case}}'
env:
ENVOY_VERSION: "1.24.6"
ENVOY_VERSION: ${{ needs.get-envoy-versions.outputs.max-envoy-version }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
@ -117,7 +125,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
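Review bot: In the Fetch Secrets step, `hashicorp/vault-action@v3` is a mutable major tag, while every other action touched in this change is pinned to a full commit SHA with the version in a trailing comment. This step is handed the Vault token and returns secrets into the job, so it is the one reference where a moved tag matters most. Pin it to the commit SHA of the v3 release you intend and keep the version as a comment, matching the convention used for `actions/checkout` and the others. The same line appears in the other nightly integration workflows in this change.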
@ -157,7 +165,7 @@ jobs:
- name: Notify Slack
if: ${{ failure() }}
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{

View File

@ -6,7 +6,7 @@ name: Nightly test-integrations 1.15.x
on:
schedule:
# Run nightly at 1AM UTC/9PM EST/6PM PST
- cron: '* 1 * * *'
- cron: '0 1 * * *'
workflow_dispatch: {}
env:
@ -23,8 +23,15 @@ env:
BRANCH_NAME: "release-1.15.x" # Used for naming artifacts
jobs:
check-ent:
runs-on: ubuntu-latest
if: ${{ endsWith(github.repository, '-enterprise') }}
steps:
- run: echo "Building Enterprise"
setup:
runs-on: ubuntu-latest
needs: [check-ent]
name: Setup
outputs:
compute-small: ${{ steps.runners.outputs.compute-small }}
@ -34,14 +41,23 @@ jobs:
enterprise: ${{ steps.runners.outputs.enterprise }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- id: runners
run: .github/scripts/get_runner_classes.sh
get-go-version:
needs: [check-ent]
uses: ./.github/workflows/reusable-get-go-version.yml
with:
ref: release/1.15.x
get-envoy-versions:
needs: [check-ent]
uses: ./.github/workflows/reusable-get-envoy-versions.yml
with:
ref: release/1.15.x
dev-build:
needs:
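Review bot: The `ref: release/1.15.x` literals added to get-go-version and get-envoy-versions duplicate the value already held in `env.BRANCH`, with nothing tying them together. The `env` context is not available in the `with:` block of a reusable-workflow call, so the literal is needed, but a short comment on each (for example "must match env.BRANCH") would stop the three copies drifting when this file is cloned for the next release branch.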
@ -65,42 +81,40 @@ jobs:
envoy-matrix: ${{ steps.set-matrix.outputs.envoy-matrix }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- name: Generate Envoy Job Matrix
id: set-matrix
env:
# this is further going to multiplied in envoy-integration tests by the
# other dimensions in the matrix. Currently TOTAL_RUNNERS would be
# 14 based on these values:
# envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.8", "1.27.4", "1.28.2"]
# xds-target: ["server", "client"]
TOTAL_RUNNERS: 7
# TEST_SPLITS sets the number of test case splits to use in the matrix. This will be
# further multiplied in envoy-integration tests by the other dimensions in the matrix
# to determine the total number of runners used.
TEST_SPLITS: 4
JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
run: |
NUM_RUNNERS=$TOTAL_RUNNERS
NUM_DIRS=$(find ./test/integration/connect/envoy -mindepth 1 -maxdepth 1 -type d | wc -l)
if [ "$NUM_DIRS" -lt "$NUM_RUNNERS" ]; then
echo "TOTAL_RUNNERS is larger than the number of tests/packages to split."
NUM_RUNNERS=$((NUM_DIRS-1))
if [ "$NUM_DIRS" -lt "$TEST_SPLITS" ]; then
echo "TEST_SPLITS is larger than the number of tests/packages to split."
TEST_SPLITS=$((NUM_DIRS-1))
fi
# fix issue where test splitting calculation generates 1 more split than TOTAL_RUNNERS.
NUM_RUNNERS=$((NUM_RUNNERS-1))
# fix issue where test splitting calculation generates 1 more split than TEST_SPLITS.
TEST_SPLITS=$((TEST_SPLITS-1))
{
echo -n "envoy-matrix="
find ./test/integration/connect/envoy -maxdepth 1 -type d -print0 \
| xargs -0 -n 1 basename \
| jq --raw-input --argjson runnercount "$NUM_RUNNERS" "$JQ_SLICER" \
| jq --raw-input --argjson runnercount "$TEST_SPLITS" "$JQ_SLICER" \
| jq --compact-output 'map(join("|"))'
} >> "$GITHUB_OUTPUT"
envoy-integration-test:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
needs:
- setup
- get-go-version
- get-envoy-versions
- generate-envoy-job-matrices
- dev-build
permissions:
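Review bot: The clamp in the Generate Envoy Job Matrix step can drive the divisor to zero. When `NUM_DIRS` is less than `TEST_SPLITS`, the script sets `TEST_SPLITS=$((NUM_DIRS-1))` and then unconditionally runs `TEST_SPLITS=$((TEST_SPLITS-1))`, so with two or fewer directories `$runnercount` ends at 0 or below and `length / $runnercount` in `JQ_SLICER` fails or misbehaves. Add a lower bound of 1 after the final decrement. Separately, the count uses `find ... -mindepth 1 -maxdepth 1` while the listing piped into jq uses only `-maxdepth 1`, so the two calls do not enumerate the same set; using identical arguments in both would make the split arithmetic easier to verify.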
@ -109,7 +123,7 @@ jobs:
strategy:
fail-fast: false
matrix:
envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.8", "1.27.4", "1.28.2"]
envoy-version: ${{ fromJSON(needs.get-envoy-versions.outputs.envoy-versions-json) }}
xds-target: ["server", "client"]
test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
env:
@ -118,25 +132,29 @@ jobs:
AWS_LAMBDA_REGION: us-west-2
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: fetch binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: ./bin
- name: restore mode+x
run: chmod +x ./bin/consul
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Docker build
run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin
- name: Envoy Integration Tests
id: envoy-integration-tests
env:
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
@ -157,6 +175,23 @@ jobs:
--packages=./test/integration/connect/envoy \
-- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
# See https://github.com/orgs/community/discussions/8945#discussioncomment-9897011
# and overall topic discussion for why this is necessary.
- name: Generate artifact ID
id: generate-artifact-id
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
run: |
ARTIFACT_ID=$(uuidgen)
echo "Artifact ID: $ARTIFACT_ID (search this in job summary for download link)"
echo "artifact_id=$ARTIFACT_ID" >> "$GITHUB_ENV"
- name: Upload failure logs
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}
path: test/integration/connect/envoy/workdir/logs/
# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
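Review bot: The Generate artifact ID step declares `id: generate-artifact-id` but never uses it; the value is published through `$GITHUB_ENV` and read back as `env.artifact_id`. Writing it to `$GITHUB_OUTPUT` and referencing `steps.generate-artifact-id.outputs.artifact_id` in the upload step's `name:` would keep the value scoped to the step that needs it rather than exporting it to every later step in the job, including the Vault and Datadog steps. If the env route is kept, drop the unused `id`.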
@ -167,7 +202,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -188,7 +223,7 @@ jobs:
DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}"
DD_ENV: ci
run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml
upgrade-integration-test:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
needs:
@ -204,24 +239,34 @@ jobs:
consul-version: ["1.14", "1.15"]
env:
CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
ENVOY_VERSION: "1.24.6"
# ENVOY_VERSION should be the latest version supported by _all_ Consul versions in the
# matrix.consul-version, since we are testing upgrade from an older Consul version.
# In practice, this should be the highest Envoy version supported by the lowest non-LTS
# Consul version in the matrix (LTS versions receive additional Envoy version support).
#
# This value should be kept current in new nightly test workflows, and updated any time
# a new major Envoy release is added to the set supported by Consul versions in
# matrix.consul-version (i.e. whenever the highest common Envoy version across active
# Consul versions changes). The minor Envoy version does not necessarily need to be
# kept current for the purpose of these tests, but the major (1.N) version should be.
ENVOY_VERSION: "1.24.12"
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
# Get go binary from workspace
- name: fetch binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: .
@ -275,7 +320,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -305,7 +350,7 @@ jobs:
- envoy-integration-test
- upgrade-integration-test
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
if: ${{ always() }}
if: ${{ always() && endsWith(github.repository, '-enterprise') }}
steps:
- name: evaluate upstream job results
run: |
@ -317,7 +362,7 @@ jobs:
- name: Notify Slack
if: ${{ failure() }}
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{

View File

@ -0,0 +1,482 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
name: Nightly test-integrations 1.18.x
on:
schedule:
# Run nightly at 1AM UTC/9PM EST/6PM PST
- cron: '0 1 * * *'
workflow_dispatch: {}
env:
TEST_RESULTS_DIR: /tmp/test-results
TEST_RESULTS_ARTIFACT_NAME: test-results
CONSUL_LICENSE: ${{ secrets.CONSUL_LICENSE }}
GOTAGS: ${{ endsWith(github.repository, '-enterprise') && 'consulent' || '' }}
GOTESTSUM_VERSION: "1.11.0"
CONSUL_BINARY_UPLOAD_NAME: consul-bin
# strip the hashicorp/ off the front of github.repository for consul
CONSUL_LATEST_IMAGE_NAME: ${{ endsWith(github.repository, '-enterprise') && github.repository || 'hashicorp/consul' }}
GOPRIVATE: github.com/hashicorp # Required for enterprise deps
BRANCH: "release/1.18.x"
BRANCH_NAME: "release-1.18.x" # Used for naming artifacts
jobs:
check-ent:
runs-on: ubuntu-latest
if: ${{ endsWith(github.repository, '-enterprise') }}
steps:
- run: echo "Building Enterprise"
setup:
runs-on: ubuntu-latest
needs: [check-ent]
name: Setup
outputs:
compute-small: ${{ steps.runners.outputs.compute-small }}
compute-medium: ${{ steps.runners.outputs.compute-medium }}
compute-large: ${{ steps.runners.outputs.compute-large }}
compute-xl: ${{ steps.runners.outputs.compute-xl }}
enterprise: ${{ steps.runners.outputs.enterprise }}
steps:
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- id: runners
run: .github/scripts/get_runner_classes.sh
get-go-version:
needs: [check-ent]
uses: ./.github/workflows/reusable-get-go-version.yml
with:
ref: release/1.18.x
get-envoy-versions:
needs: [check-ent]
uses: ./.github/workflows/reusable-get-envoy-versions.yml
with:
ref: release/1.18.x
dev-build:
needs:
- setup
- get-go-version
uses: ./.github/workflows/reusable-dev-build.yml
with:
runs-on: ${{ needs.setup.outputs.compute-large }}
repository-name: ${{ github.repository }}
uploaded-binary-name: 'consul-bin'
branch-name: "release/1.18.x"
go-version: ${{ needs.get-go-version.outputs.go-version }}
secrets:
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
generate-envoy-job-matrices:
needs: [setup]
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
name: Generate Envoy Job Matrices
outputs:
envoy-matrix: ${{ steps.set-matrix.outputs.envoy-matrix }}
steps:
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- name: Generate Envoy Job Matrix
id: set-matrix
env:
# TEST_SPLITS sets the number of test case splits to use in the matrix. This will be
# further multiplied in envoy-integration tests by the other dimensions in the matrix
# to determine the total number of runners used.
TEST_SPLITS: 4
JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
run: |
NUM_DIRS=$(find ./test/integration/connect/envoy -mindepth 1 -maxdepth 1 -type d | wc -l)
if [ "$NUM_DIRS" -lt "$TEST_SPLITS" ]; then
echo "TEST_SPLITS is larger than the number of tests/packages to split."
TEST_SPLITS=$((NUM_DIRS-1))
fi
# fix issue where test splitting calculation generates 1 more split than TEST_SPLITS.
TEST_SPLITS=$((TEST_SPLITS-1))
{
echo -n "envoy-matrix="
find ./test/integration/connect/envoy -maxdepth 1 -type d -print0 \
| xargs -0 -n 1 basename \
| jq --raw-input --argjson runnercount "$TEST_SPLITS" "$JQ_SLICER" \
| jq --compact-output 'map(join("|"))'
} >> "$GITHUB_OUTPUT"
envoy-integration-test:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
needs:
- setup
- get-go-version
- get-envoy-versions
- generate-envoy-job-matrices
- dev-build
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
strategy:
fail-fast: false
matrix:
envoy-version: ${{ fromJSON(needs.get-envoy-versions.outputs.envoy-versions-json) }}
xds-target: ["server", "client"]
test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
env:
ENVOY_VERSION: ${{ matrix.envoy-version }}
XDS_TARGET: ${{ matrix.xds-target }}
AWS_LAMBDA_REGION: us-west-2
steps:
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: fetch binary
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: ./bin
- name: restore mode+x
run: chmod +x ./bin/consul
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Docker build
run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin
- name: Envoy Integration Tests
id: envoy-integration-tests
env:
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
COMPOSE_INTERACTIVE_NO_CLI: 1
LAMBDA_TESTS_ENABLED: "true"
# tput complains if this isn't set to something.
TERM: ansi
run: |
# shellcheck disable=SC2001
echo "Running $(sed 's,|, ,g' <<< "${{ matrix.test-cases }}" |wc -w) subtests"
# shellcheck disable=SC2001
sed 's,|,\n,g' <<< "${{ matrix.test-cases }}"
go run gotest.tools/gotestsum@v${{env.GOTESTSUM_VERSION}} \
--debug \
--rerun-fails \
--rerun-fails-report=/tmp/gotestsum-rerun-fails \
--jsonfile /tmp/jsonfile/go-test.log \
--packages=./test/integration/connect/envoy \
-- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
# See https://github.com/orgs/community/discussions/8945#discussioncomment-9897011
# and overall topic discussion for why this is necessary.
- name: Generate artifact ID
id: generate-artifact-id
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
run: |
ARTIFACT_ID=$(uuidgen)
echo "Artifact ID: $ARTIFACT_ID (search this in job summary for download link)"
echo "artifact_id=$ARTIFACT_ID" >> "$GITHUB_ENV"
- name: Upload failure logs
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}
path: test/integration/connect/envoy/workdir/logs/
# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: vault-auth
run: vault-auth
# NOTE: ENT specific step as we store secrets in Vault.
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/${{ github.repository }}/datadog apikey | DATADOG_API_KEY;
- name: prepare datadog-ci
if: ${{ !cancelled() && !endsWith(github.repository, '-enterprise') }}
run: |
curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
chmod +x /usr/local/bin/datadog-ci
- name: upload coverage
# do not run on forks
if: ${{ !cancelled() && github.event.pull_request.head.repo.full_name == github.repository }}
env:
DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}"
DD_ENV: ci
run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml
upgrade-integration-test:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
needs:
- setup
- get-go-version
- dev-build
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
strategy:
fail-fast: false
matrix:
consul-version: ["1.15", "1.16", "1.17", "1.18"]
env:
CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
# ENVOY_VERSION should be the latest version supported by _all_ Consul versions in the
# matrix.consul-version, since we are testing upgrade from an older Consul version.
# In practice, this should be the highest Envoy version supported by the lowest non-LTS
# Consul version in the matrix (LTS versions receive additional Envoy version support).
#
# This value should be kept current in new nightly test workflows, and updated any time
# a new major Envoy release is added to the set supported by Consul versions in
# matrix.consul-version (i.e. whenever the highest common Envoy version across active
# Consul versions changes). The minor Envoy version does not necessarily need to be
# kept current for the purpose of these tests, but the major (1.N) version should be.
ENVOY_VERSION: 1.27.6
steps:
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
# Get go binary from workspace
- name: fetch binary
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: .
- name: restore mode+x
run: chmod +x consul
- name: Build consul:local image
run: docker build -t ${{ env.CONSUL_LATEST_IMAGE_NAME }}:local -f ./build-support/docker/Consul-Dev.dockerfile .
- name: Build consul-envoy:latest-version image
id: buildConsulEnvoyLatestImage
run: |
if ${{ endsWith(github.repository, '-enterprise') }} == 'true'
then
docker build -t consul-envoy:latest-version --build-arg CONSUL_IMAGE=docker.mirror.hashicorp.services/${{ env.CONSUL_LATEST_IMAGE_NAME }}:${{ env.CONSUL_LATEST_VERSION }}-ent --build-arg ENVOY_VERSION=${{ env.ENVOY_VERSION }} -f ./test/integration/consul-container/assets/Dockerfile-consul-envoy ./test/integration/consul-container/assets
else
docker build -t consul-envoy:latest-version --build-arg CONSUL_IMAGE=docker.mirror.hashicorp.services/${{ env.CONSUL_LATEST_IMAGE_NAME }}:${{ env.CONSUL_LATEST_VERSION }} --build-arg ENVOY_VERSION=${{ env.ENVOY_VERSION }} -f ./test/integration/consul-container/assets/Dockerfile-consul-envoy ./test/integration/consul-container/assets
fi
- name: Build consul-envoy:target-version image
id: buildConsulEnvoyTargetImage
continue-on-error: true
run: docker build -t consul-envoy:target-version --build-arg CONSUL_IMAGE=${{ env.CONSUL_LATEST_IMAGE_NAME }}:local --build-arg ENVOY_VERSION=${{ env.ENVOY_VERSION }} -f ./test/integration/consul-container/assets/Dockerfile-consul-envoy ./test/integration/consul-container/assets
- name: Retry Build consul-envoy:target-version image
if: steps.buildConsulEnvoyTargetImage.outcome == 'failure'
run: docker build -t consul-envoy:target-version --build-arg CONSUL_IMAGE=${{ env.CONSUL_LATEST_IMAGE_NAME }}:local --build-arg ENVOY_VERSION=${{ env.ENVOY_VERSION }} -f ./test/integration/consul-container/assets/Dockerfile-consul-envoy ./test/integration/consul-container/assets
- name: Build sds image
run: docker build -t consul-sds-server ./test/integration/connect/envoy/test-sds-server/
- name: Configure GH workaround for ipv6 loopback
if: ${{ !endsWith(github.repository, '-enterprise') }}
run: |
cat /etc/hosts && echo "-----------"
sudo sed -i 's/::1 *localhost ip6-localhost ip6-loopback/::1 ip6-localhost ip6-loopback/g' /etc/hosts
cat /etc/hosts
- name: Upgrade Integration Tests
run: |
mkdir -p "${{ env.TEST_RESULTS_DIR }}"
cd ./test/integration/consul-container/test/upgrade
docker run --rm ${{ env.CONSUL_LATEST_IMAGE_NAME }}:local consul version
go run gotest.tools/gotestsum@v${{env.GOTESTSUM_VERSION}} \
--raw-command \
--format=github-actions \
--rerun-fails \
--packages="./..." \
-- \
go test \
-p=4 \
-tags "${{ env.GOTAGS }}" \
-timeout=30m \
-json \
./... \
--follow-log=false \
--target-image ${{ env.CONSUL_LATEST_IMAGE_NAME }} \
--target-version local \
--latest-image docker.mirror.hashicorp.services/${{ env.CONSUL_LATEST_IMAGE_NAME }} \
--latest-version "${{ env.CONSUL_LATEST_VERSION }}"
ls -lrt
env:
# this is needed because of incompatibility between RYUK container and GHA
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
COMPOSE_INTERACTIVE_NO_CLI: 1
# tput complains if this isn't set to something.
TERM: ansi
# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: vault-auth
run: vault-auth
# NOTE: ENT specific step as we store secrets in Vault.
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/${{ github.repository }}/datadog apikey | DATADOG_API_KEY;
- name: prepare datadog-ci
if: ${{ !cancelled() && !endsWith(github.repository, '-enterprise') }}
run: |
curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
chmod +x /usr/local/bin/datadog-ci
- name: upload coverage
# do not run on forks
if: ${{ !cancelled() && github.event.pull_request.head.repo.full_name == github.repository }}
env:
DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}"
DD_ENV: ci
run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml
upgrade-integration-test-deployer:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large ) }}
needs:
- setup
- get-go-version
- dev-build
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
strategy:
fail-fast: false
matrix:
consul-version: [ "1.15", "1.16", "1.17"]
env:
CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
steps:
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
- name: Build image
run: make test-deployer-setup
- name: Upgrade Integration Tests
run: |
mkdir -p "${{ env.TEST_RESULTS_DIR }}"
export NOLOGBUFFER=1
cd ./test-integ/upgrade
docker run --rm ${{ env.CONSUL_LATEST_IMAGE_NAME }}:local consul version
go run gotest.tools/gotestsum@v${{env.GOTESTSUM_VERSION}} \
--raw-command \
--format=standard-verbose \
--debug \
--packages="./..." \
-- \
go test \
-tags "${{ env.GOTAGS }}" \
-timeout=60m \
-parallel=2 \
-json \
./... \
--target-image ${{ env.CONSUL_LATEST_IMAGE_NAME }} \
--target-version local \
--latest-image docker.mirror.hashicorp.services/${{ env.CONSUL_LATEST_IMAGE_NAME }} \
--latest-version "${{ env.CONSUL_LATEST_VERSION }}"
env:
# this is needed because of incompatibility between RYUK container and GHA
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
COMPOSE_INTERACTIVE_NO_CLI: 1
# tput complains if this isn't set to something.
TERM: ansi
# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: vault-auth
run: vault-auth
# NOTE: ENT specific step as we store secrets in Vault.
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/${{ github.repository }}/datadog apikey | DATADOG_API_KEY;
- name: prepare datadog-ci
if: ${{ !cancelled() && !endsWith(github.repository, '-enterprise') }}
run: |
curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
chmod +x /usr/local/bin/datadog-ci
- name: upload coverage
# do not run on forks
if: ${{ !cancelled() && github.event.pull_request.head.repo.full_name == github.repository }}
env:
DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}"
DD_ENV: ci
run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml
test-integrations-success:
needs:
- setup
- dev-build
- generate-envoy-job-matrices
- envoy-integration-test
- upgrade-integration-test
- upgrade-integration-test-deployer
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
if: ${{ always() && endsWith(github.repository, '-enterprise') }}
steps:
- name: evaluate upstream job results
run: |
# exit 1 if failure or cancelled result for any upstream job
if printf '${{ toJSON(needs) }}' | grep -E -i '\"result\": \"(failure|cancelled)\"'; then
printf "Tests failed or workflow cancelled:\n\n${{ toJSON(needs) }}"
exit 1
fi
- name: Notify Slack
if: ${{ failure() }}
id: slack
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{
"message": "One or more nightly integration tests have failed on branch ${{ env.BRANCH }} for Consul. ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.CONSUL_NIGHTLY_INTEG_TEST_SLACK_WEBHOOK }}
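Review bot: the three `prepare datadog-ci` steps in this file fetch `releases/latest/download/datadog-ci_linux-x64` with `curl -L --fail`, mark it executable, and the following `upload coverage` step runs it with `DATADOG_API_KEY` in its environment, with no version pin and no checksum check, while the `actions/*` references around them are pinned to commit SHAs. Pin the download to a specific release and verify a recorded SHA-256 before the `chmod +x`. The same reasoning applies to `hashicorp/vault-action@v3`, a movable tag on the step that receives the Vault token.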

View File

@ -1,12 +1,12 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
name: Nightly test-integrations 1.16.x
name: Nightly test-integrations 1.19.x
on:
schedule:
# Run nightly at 1AM UTC/9PM EST/6PM PST
- cron: '* 1 * * *'
- cron: '0 1 * * *'
workflow_dispatch: {}
env:
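Review bot: the schedule comment still reads "1AM UTC/9PM EST/6PM PST", but 01:00 UTC is 8PM EST and 5PM PST; 9PM and 6PM are the daylight-time (EDT/PDT) equivalents. Since the cron line is being corrected to `0 1 * * *` here anyway (the old `* 1 * * *` matched every minute of that hour), fix the comment in the same change or state only the UTC time.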
@ -19,8 +19,8 @@ env:
# strip the hashicorp/ off the front of github.repository for consul
CONSUL_LATEST_IMAGE_NAME: ${{ endsWith(github.repository, '-enterprise') && github.repository || 'hashicorp/consul' }}
GOPRIVATE: github.com/hashicorp # Required for enterprise deps
BRANCH: "release/1.16.x"
BRANCH_NAME: "release-1.16.x" # Used for naming artifacts
BRANCH: "release/1.19.x"
BRANCH_NAME: "release-1.19.x" # Used for naming artifacts
jobs:
setup:
@ -34,7 +34,7 @@ jobs:
enterprise: ${{ steps.runners.outputs.enterprise }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- id: runners
@ -42,6 +42,13 @@ jobs:
get-go-version:
uses: ./.github/workflows/reusable-get-go-version.yml
with:
ref: release/1.19.x
get-envoy-versions:
uses: ./.github/workflows/reusable-get-envoy-versions.yml
with:
ref: release/1.19.x
dev-build:
needs:
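Review bot: `ref: release/1.19.x` is written out literally in both reusable-workflow calls, and `branch-name: "release/1.19.x"` repeats it in `dev-build`, next to the `BRANCH` value under `env:`. That is at least four places to edit when this file is copied for the next release line, and a missed one would read the Go or Envoy versions from a different branch than the one under test. Add a comment beside `BRANCH` listing the other locations that must change with it.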
@ -52,7 +59,7 @@ jobs:
runs-on: ${{ needs.setup.outputs.compute-large }}
repository-name: ${{ github.repository }}
uploaded-binary-name: 'consul-bin'
branch-name: "release/1.16.x"
branch-name: "release/1.19.x"
go-version: ${{ needs.get-go-version.outputs.go-version }}
secrets:
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
@ -65,42 +72,40 @@ jobs:
envoy-matrix: ${{ steps.set-matrix.outputs.envoy-matrix }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- name: Generate Envoy Job Matrix
id: set-matrix
env:
# this is further going to multiplied in envoy-integration tests by the
# other dimensions in the matrix. Currently TOTAL_RUNNERS would be
# multiplied by 8 based on these values:
# envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.8"]
# xds-target: ["server", "client"]
TOTAL_RUNNERS: 8
# TEST_SPLITS sets the number of test case splits to use in the matrix. This will be
# further multiplied in envoy-integration tests by the other dimensions in the matrix
# to determine the total number of runners used.
TEST_SPLITS: 4
JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
run: |
NUM_RUNNERS=$TOTAL_RUNNERS
NUM_DIRS=$(find ./test/integration/connect/envoy -mindepth 1 -maxdepth 1 -type d | wc -l)
if [ "$NUM_DIRS" -lt "$NUM_RUNNERS" ]; then
echo "TOTAL_RUNNERS is larger than the number of tests/packages to split."
NUM_RUNNERS=$((NUM_DIRS-1))
if [ "$NUM_DIRS" -lt "$TEST_SPLITS" ]; then
echo "TEST_SPLITS is larger than the number of tests/packages to split."
TEST_SPLITS=$((NUM_DIRS-1))
fi
# fix issue where test splitting calculation generates 1 more split than TOTAL_RUNNERS.
NUM_RUNNERS=$((NUM_RUNNERS-1))
# fix issue where test splitting calculation generates 1 more split than TEST_SPLITS.
TEST_SPLITS=$((TEST_SPLITS-1))
{
echo -n "envoy-matrix="
find ./test/integration/connect/envoy -maxdepth 1 -type d -print0 \
| xargs -0 -n 1 basename \
| jq --raw-input --argjson runnercount "$NUM_RUNNERS" "$JQ_SLICER" \
| jq --raw-input --argjson runnercount "$TEST_SPLITS" "$JQ_SLICER" \
| jq --compact-output 'map(join("|"))'
} >> "$GITHUB_OUTPUT"
envoy-integration-test:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
needs:
- setup
- get-go-version
- get-envoy-versions
- generate-envoy-job-matrices
- dev-build
permissions:
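Review bot: the two `find` invocations in the `set-matrix` step disagree: `NUM_DIRS` is counted with `-mindepth 1 -maxdepth 1`, but the list piped to `jq` uses only `-maxdepth 1`, so it also emits the starting directory, and `basename` turns that into an `envoy` entry in one of the `-run="TestEnvoy/(...)"` alternations. Add `-mindepth 1` to the second `find` so the count and the sliced list describe the same set. The jq argument is also still named `runnercount` after the rename to `TEST_SPLITS`.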
@ -109,7 +114,7 @@ jobs:
strategy:
fail-fast: false
matrix:
envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.8"]
envoy-version: ${{ fromJSON(needs.get-envoy-versions.outputs.envoy-versions-json) }}
xds-target: ["server", "client"]
test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
env:
@ -118,15 +123,15 @@ jobs:
AWS_LAMBDA_REGION: us-west-2
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: fetch binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: ./bin
@ -134,12 +139,13 @@ jobs:
run: chmod +x ./bin/consul
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Docker build
run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin
- name: Envoy Integration Tests
id: envoy-integration-tests
env:
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
@ -160,6 +166,23 @@ jobs:
--packages=./test/integration/connect/envoy \
-- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
# See https://github.com/orgs/community/discussions/8945#discussioncomment-9897011
# and overall topic discussion for why this is necessary.
- name: Generate artifact ID
id: generate-artifact-id
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
run: |
ARTIFACT_ID=$(uuidgen)
echo "Artifact ID: $ARTIFACT_ID (search this in job summary for download link)"
echo "artifact_id=$ARTIFACT_ID" >> "$GITHUB_ENV"
- name: Upload failure logs
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}
path: test/integration/connect/envoy/workdir/logs/
# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
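Review bot: the artifact name `envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}` leaves out `matrix.xds-target`, so the `server` and `client` runs for one Envoy version differ only by a random UUID that has to be looked up in the job log. Adding `${{ matrix.xds-target }}` to the name makes a failed run identifiable at a glance; keep the UUID if the `test-cases` split still needs disambiguating.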
@ -170,7 +193,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
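Review bot: `hashicorp/vault-action@v3` swaps one tag for another, while the other actions bumped in this commit are pinned to a full commit SHA with the version in a trailing comment. This step receives `steps.vault-auth.outputs.token` and returns `DATADOG_API_KEY`, so it is the reference where a moved tag matters most; pin it to the commit SHA of the v3 release in the same style.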
@ -197,6 +220,7 @@ jobs:
needs:
- setup
- get-go-version
- get-envoy-versions
- dev-build
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
@ -204,27 +228,37 @@ jobs:
strategy:
fail-fast: false
matrix:
consul-version: ["1.14", "1.15", "1.16"]
consul-version: ["1.15", "1.17", "1.18", "1.19"]
env:
CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
ENVOY_VERSION: "1.24.6"
# ENVOY_VERSION should be the latest version supported by _all_ Consul versions in the
# matrix.consul-version, since we are testing upgrade from an older Consul version.
# In practice, this should be the highest Envoy version supported by the lowest non-LTS
# Consul version in the matrix (LTS versions receive additional Envoy version support).
#
# This value should be kept current in new nightly test workflows, and updated any time
# a new major Envoy release is added to the set supported by Consul versions in
# matrix.consul-version (i.e. whenever the highest common Envoy version across active
# Consul versions changes). The minor Envoy version does not necessarily need to be
# kept current for the purpose of these tests, but the major (1.N) version should be.
ENVOY_VERSION: 1.27.6
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
# Get go binary from workspace
- name: fetch binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: .
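Review bot: `ENVOY_VERSION: 1.27.6` stays a hand-maintained literal, with a ten-line comment on when to update it, even though the previous hunk adds `get-envoy-versions` to this job's `needs`. Nothing in the lines shown for `upgrade-integration-test` reads that job's outputs, so either derive the value from them or drop the dependency, which otherwise only delays the job's start.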
@ -296,7 +330,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -318,6 +352,96 @@ jobs:
DD_ENV: ci
run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml
upgrade-integration-test-deployer:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large ) }}
needs:
- setup
- get-go-version
- dev-build
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
strategy:
fail-fast: false
matrix:
consul-version: ["1.15", "1.17", "1.18"]
env:
CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
steps:
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
- name: Build image
run: make test-deployer-setup
- name: Upgrade Integration Tests
run: |
mkdir -p "${{ env.TEST_RESULTS_DIR }}"
export NOLOGBUFFER=1
cd ./test-integ/upgrade
docker run --rm ${{ env.CONSUL_LATEST_IMAGE_NAME }}:local consul version
go run gotest.tools/gotestsum@v${{env.GOTESTSUM_VERSION}} \
--raw-command \
--format=standard-verbose \
--debug \
--packages="./..." \
-- \
go test \
-tags "${{ env.GOTAGS }}" \
-timeout=60m \
-parallel=2 \
-json \
./... \
--target-image ${{ env.CONSUL_LATEST_IMAGE_NAME }} \
--target-version local \
--latest-image docker.mirror.hashicorp.services/${{ env.CONSUL_LATEST_IMAGE_NAME }} \
--latest-version "${{ env.CONSUL_LATEST_VERSION }}"
env:
# this is needed because of incompatibility between RYUK container and GHA
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
COMPOSE_INTERACTIVE_NO_CLI: 1
# tput complains if this isn't set to something.
TERM: ansi
# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: vault-auth
run: vault-auth
# NOTE: ENT specific step as we store secrets in Vault.
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/${{ github.repository }}/datadog apikey | DATADOG_API_KEY;
- name: prepare datadog-ci
if: ${{ !cancelled() && !endsWith(github.repository, '-enterprise') }}
run: |
curl -L --fail "https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
chmod +x /usr/local/bin/datadog-ci
- name: upload coverage
# do not run on forks
if: ${{ !cancelled() && github.event.pull_request.head.repo.full_name == github.repository }}
env:
DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}"
DD_ENV: ci
run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml
test-integrations-success:
needs:
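Review bot: the `upload coverage` step in the new `upgrade-integration-test-deployer` job is gated on `github.event.pull_request.head.repo.full_name == github.repository`, but this workflow is triggered only by `schedule` and `workflow_dispatch`, where there is no `pull_request` payload, so the comparison is false and the step never runs. The Vault authentication, secret fetch and `datadog-ci` download ahead of it then handle credentials and fetch a binary for nothing. Either change the condition to one that holds for nightly runs or remove the four Datadog-related steps from this job.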
@ -326,6 +450,7 @@ jobs:
- generate-envoy-job-matrices
- envoy-integration-test
- upgrade-integration-test
- upgrade-integration-test-deployer
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
if: ${{ always() }}
steps:
@ -339,7 +464,7 @@ jobs:
- name: Notify Slack
if: ${{ failure() }}
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{

View File

@ -1,12 +1,12 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
name: Nightly test-integrations 1.17.x
name: Nightly test-integrations 1.20.x
on:
schedule:
# Run nightly at 1AM UTC/9PM EST/6PM PST
- cron: '* 1 * * *'
- cron: '0 1 * * *'
workflow_dispatch: {}
env:
@ -19,8 +19,8 @@ env:
# strip the hashicorp/ off the front of github.repository for consul
CONSUL_LATEST_IMAGE_NAME: ${{ endsWith(github.repository, '-enterprise') && github.repository || 'hashicorp/consul' }}
GOPRIVATE: github.com/hashicorp # Required for enterprise deps
BRANCH: "release/1.17.x"
BRANCH_NAME: "release-1.17.x" # Used for naming artifacts
BRANCH: "release/1.20.x"
BRANCH_NAME: "release-1.20.x" # Used for naming artifacts
jobs:
setup:
@ -34,7 +34,7 @@ jobs:
enterprise: ${{ steps.runners.outputs.enterprise }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- id: runners
@ -42,6 +42,13 @@ jobs:
get-go-version:
uses: ./.github/workflows/reusable-get-go-version.yml
with:
ref: release/1.20.x
get-envoy-versions:
uses: ./.github/workflows/reusable-get-envoy-versions.yml
with:
ref: release/1.20.x
dev-build:
needs:
@ -52,7 +59,7 @@ jobs:
runs-on: ${{ needs.setup.outputs.compute-large }}
repository-name: ${{ github.repository }}
uploaded-binary-name: 'consul-bin'
branch-name: "release/1.17.x"
branch-name: "release/1.20.x"
go-version: ${{ needs.get-go-version.outputs.go-version }}
secrets:
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
@ -65,42 +72,40 @@ jobs:
envoy-matrix: ${{ steps.set-matrix.outputs.envoy-matrix }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- name: Generate Envoy Job Matrix
id: set-matrix
env:
# this is further going to multiplied in envoy-integration tests by the
# other dimensions in the matrix. Currently TOTAL_RUNNERS would be
# multiplied by 8 based on these values:
# envoy-version: ["1.24.12", "1.25.11", "1.26.8", "1.27.4"]
# xds-target: ["server", "client"]
TOTAL_RUNNERS: 4
# TEST_SPLITS sets the number of test case splits to use in the matrix. This will be
# further multiplied in envoy-integration tests by the other dimensions in the matrix
# to determine the total number of runners used.
TEST_SPLITS: 4
JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
run: |
NUM_RUNNERS=$TOTAL_RUNNERS
NUM_DIRS=$(find ./test/integration/connect/envoy -mindepth 1 -maxdepth 1 -type d | wc -l)
if [ "$NUM_DIRS" -lt "$NUM_RUNNERS" ]; then
echo "TOTAL_RUNNERS is larger than the number of tests/packages to split."
NUM_RUNNERS=$((NUM_DIRS-1))
if [ "$NUM_DIRS" -lt "$TEST_SPLITS" ]; then
echo "TEST_SPLITS is larger than the number of tests/packages to split."
TEST_SPLITS=$((NUM_DIRS-1))
fi
# fix issue where test splitting calculation generates 1 more split than TOTAL_RUNNERS.
NUM_RUNNERS=$((NUM_RUNNERS-1))
# fix issue where test splitting calculation generates 1 more split than TEST_SPLITS.
TEST_SPLITS=$((TEST_SPLITS-1))
{
echo -n "envoy-matrix="
find ./test/integration/connect/envoy -maxdepth 1 -type d -print0 \
| xargs -0 -n 1 basename \
| jq --raw-input --argjson runnercount "$NUM_RUNNERS" "$JQ_SLICER" \
| jq --raw-input --argjson runnercount "$TEST_SPLITS" "$JQ_SLICER" \
| jq --compact-output 'map(join("|"))'
} >> "$GITHUB_OUTPUT"
envoy-integration-test:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
needs:
- setup
- get-go-version
- get-envoy-versions
- generate-envoy-job-matrices
- dev-build
permissions:
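Review bot: `TEST_SPLITS` is decremented twice on the small-directory path: the `if` branch sets it to `NUM_DIRS-1` and the unconditional `TEST_SPLITS=$((TEST_SPLITS-1))` then takes it to `NUM_DIRS-2`, which is 0 or negative when there are two or fewer test directories, so `length / $runnercount` in `JQ_SLICER` either fails or yields a non-positive chunk size. Clamp the value to at least 1 before it is passed to `jq`.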
@ -109,7 +114,7 @@ jobs:
strategy:
fail-fast: false
matrix:
envoy-version: ["1.24.12", "1.25.11", "1.26.8", "1.27.4"]
envoy-version: ${{ fromJSON(needs.get-envoy-versions.outputs.envoy-versions-json) }}
xds-target: ["server", "client"]
test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
env:
@ -118,15 +123,15 @@ jobs:
AWS_LAMBDA_REGION: us-west-2
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: fetch binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: ./bin
@ -134,12 +139,13 @@ jobs:
run: chmod +x ./bin/consul
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Docker build
run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin
- name: Envoy Integration Tests
id: envoy-integration-tests
env:
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
@ -160,6 +166,23 @@ jobs:
--packages=./test/integration/connect/envoy \
-- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
# See https://github.com/orgs/community/discussions/8945#discussioncomment-9897011
# and overall topic discussion for why this is necessary.
- name: Generate artifact ID
id: generate-artifact-id
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
run: |
ARTIFACT_ID=$(uuidgen)
echo "Artifact ID: $ARTIFACT_ID (search this in job summary for download link)"
echo "artifact_id=$ARTIFACT_ID" >> "$GITHUB_ENV"
- name: Upload failure logs
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}
path: test/integration/connect/envoy/workdir/logs/
# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
@ -170,7 +193,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -197,6 +220,7 @@ jobs:
needs:
- setup
- get-go-version
- get-envoy-versions
- dev-build
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
@ -204,27 +228,37 @@ jobs:
strategy:
fail-fast: false
matrix:
consul-version: ["1.15", "1.16", "1.17"]
consul-version: ["1.15", "1.18", "1.19"]
env:
CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
ENVOY_VERSION: "1.24.6"
# ENVOY_VERSION should be the latest version supported by _all_ Consul versions in the
# matrix.consul-version, since we are testing upgrade from an older Consul version.
# In practice, this should be the highest Envoy version supported by the lowest non-LTS
# Consul version in the matrix (LTS versions receive additional Envoy version support).
#
# This value should be kept current in new nightly test workflows, and updated any time
# a new major Envoy release is added to the set supported by Consul versions in
# matrix.consul-version (i.e. whenever the highest common Envoy version across active
# Consul versions changes). The minor Envoy version does not necessarily need to be
# kept current for the purpose of these tests, but the major (1.N) version should be.
ENVOY_VERSION: 1.28.7
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
# Get go binary from workspace
- name: fetch binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: .
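Review bot: `ENVOY_VERSION: 1.28.7` in the env block is still a hand-maintained literal, and the new comment above it describes a rule ("highest Envoy version supported by the lowest non-LTS Consul version in the matrix") that nothing in the workflow enforces. The job now lists `get-envoy-versions` in `needs`, but the env block shown here does not read its outputs. Either derive the value by calling the reusable workflow with `ref` set to the relevant release branch and using `max-envoy-version`, or add a step that fails when the literal is not in the supported list, so the value cannot drift silently when the `consul-version` matrix changes.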
@ -296,7 +330,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -330,19 +364,19 @@ jobs:
strategy:
fail-fast: false
matrix:
consul-version: [ "1.15", "1.16", "1.17"]
consul-version: ["1.15", "1.18", "1.19"]
env:
CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
@ -387,7 +421,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -430,7 +464,7 @@ jobs:
- name: Notify Slack
if: ${{ failure() }}
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{

View File

@ -6,7 +6,7 @@ name: Nightly test-integrations
on:
schedule:
# Run nightly at 12AM UTC/8PM EST/5PM PST
- cron: '* 0 * * *'
- cron: '0 0 * * *'
workflow_dispatch: {}
env:
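Review bot: The comment above the corrected cron line still reads "12AM UTC/8PM EST/5PM PST", but 00:00 UTC is 7PM EST/4PM PST; the stated local times only match EDT/PDT. Since the schedule is fixed in UTC, either drop the local times or label them as daylight time. The expression change itself is right: `* 0 * * *` matched every minute of hour 0, `0 0 * * *` matches once.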
@ -32,7 +32,7 @@ jobs:
enterprise: ${{ steps.runners.outputs.enterprise }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.branch }}
- id: runners
@ -41,6 +41,9 @@ jobs:
get-go-version:
uses: ./.github/workflows/reusable-get-go-version.yml
get-envoy-versions:
uses: ./.github/workflows/reusable-get-envoy-versions.yml
dev-build:
needs:
- setup
@ -55,41 +58,40 @@ jobs:
elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
generate-envoy-job-matrices:
needs: [setup]
needs:
- setup
- get-envoy-versions
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
name: Generate Envoy Job Matrices
outputs:
envoy-matrix: ${{ steps.set-matrix.outputs.envoy-matrix }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.branch }}
- name: Generate Envoy Job Matrix
id: set-matrix
env:
# this is further going to multiplied in envoy-integration tests by the
# other dimensions in the matrix. Currently TOTAL_RUNNERS would be
# multiplied by 8 based on these values:
# envoy-version: ["1.25.11", "1.26.8", "1.27.4", "1.28.2"]
# xds-target: ["server", "client"]
TOTAL_RUNNERS: 8
# TEST_SPLITS sets the number of test case splits to use in the matrix. This will be
# further multiplied in envoy-integration tests by the other dimensions in the matrix
# to determine the total number of runners used.
TEST_SPLITS: 4
JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
run: |
NUM_RUNNERS=$TOTAL_RUNNERS
NUM_DIRS=$(find ./test/integration/connect/envoy -mindepth 1 -maxdepth 1 -type d | wc -l)
if [ "$NUM_DIRS" -lt "$NUM_RUNNERS" ]; then
echo "TOTAL_RUNNERS is larger than the number of tests/packages to split."
NUM_RUNNERS=$((NUM_DIRS-1))
if [ "$NUM_DIRS" -lt "$TEST_SPLITS" ]; then
echo "TEST_SPLITS is larger than the number of tests/packages to split."
TEST_SPLITS=$((NUM_DIRS-1))
fi
# fix issue where test splitting calculation generates 1 more split than TOTAL_RUNNERS.
NUM_RUNNERS=$((NUM_RUNNERS-1))
# fix issue where test splitting calculation generates 1 more split than TEST_SPLITS.
TEST_SPLITS=$((TEST_SPLITS-1))
{
echo -n "envoy-matrix="
find ./test/integration/connect/envoy -maxdepth 1 -type d -print0 \
| xargs -0 -n 1 basename \
| jq --raw-input --argjson runnercount "$NUM_RUNNERS" "$JQ_SLICER" \
| jq --raw-input --argjson runnercount "$TEST_SPLITS" "$JQ_SLICER" \
| jq --compact-output 'map(join("|"))'
} >> "$GITHUB_OUTPUT"
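Review bot: The two `find` calls in the Generate Envoy Job Matrix step disagree: `NUM_DIRS` is counted with `-mindepth 1`, but the pipeline that feeds jq omits it, so the parent directory itself (basename `envoy`) is emitted as a test-case entry and the sliced list is one element longer than `NUM_DIRS`. Add `-mindepth 1` to the second `find`. Separately, after the guard sets `TEST_SPLITS=$((NUM_DIRS-1))` and the following line decrements it again, `TEST_SPLITS` reaches 0 or below when `NUM_DIRS` is 2 or less, and `length / $runnercount` in `JQ_SLICER` then divides by zero or a negative number; clamp it to a minimum of 1. The jq argument is also still named `runnercount` after the shell variable was renamed to `TEST_SPLITS`.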
@ -98,6 +100,7 @@ jobs:
needs:
- setup
- get-go-version
- get-envoy-versions
- generate-envoy-job-matrices
- dev-build
permissions:
@ -106,7 +109,7 @@ jobs:
strategy:
fail-fast: false
matrix:
envoy-version: ["1.25.11", "1.26.8", "1.27.4", "1.28.2"]
envoy-version: ${{ fromJSON(needs.get-envoy-versions.outputs.envoy-versions-json) }}
xds-target: ["server", "client"]
test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
env:
@ -115,15 +118,15 @@ jobs:
AWS_LAMBDA_REGION: us-west-2
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.branch }}
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: fetch binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: ./bin
@ -131,7 +134,7 @@ jobs:
run: chmod +x ./bin/consul
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Docker build
run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin
@ -167,7 +170,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -188,7 +191,7 @@ jobs:
DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}"
DD_ENV: ci
run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml
upgrade-integration-test:
runs-on: ${{ fromJSON(needs.setup.outputs.compute-large ) }}
needs:
@ -201,30 +204,37 @@ jobs:
strategy:
fail-fast: false
matrix:
consul-version: [ "1.16", "1.17"]
consul-version: ["1.17", "1.18", "1.19"]
env:
CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
# ENVOY_VERSION should be the latest version upported by all
# consul versions in the matrix.consul-version, since we are testing upgrade from
# an older consul version, e.g., 1.26.6 is supported by both 1.16 and 1.17.
ENVOY_VERSION: "1.26.6"
# ENVOY_VERSION should be the latest version supported by _all_ Consul versions in the
# matrix.consul-version, since we are testing upgrade from an older Consul version.
# In practice, this should be the highest Envoy version supported by the lowest non-LTS
# Consul version in the matrix (LTS versions receive additional Envoy version support).
#
# This value should be kept current in new nightly test workflows, and updated any time
# a new major Envoy release is added to the set supported by Consul versions in
# matrix.consul-version (i.e. whenever the highest common Envoy version across active
# Consul versions changes). The minor Envoy version does not necessarily need to be
# kept current for the purpose of these tests, but the major (1.N) version should be.
ENVOY_VERSION: 1.27.6
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.branch }}
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
# Get go binary from workspace
- name: fetch binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: .
@ -296,7 +306,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -329,19 +339,19 @@ jobs:
strategy:
fail-fast: false
matrix:
consul-version: [ "1.16", "1.17"]
consul-version: [ "1.17", "1.18"]
env:
CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.branch }}
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
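Review bot: The `consul-version` matrix in this hunk becomes `[ "1.17", "1.18"]`, while the upgrade-integration-test matrix earlier in the same file becomes `["1.17", "1.18", "1.19"]`, and the equivalent pair of jobs in the other nightly workflow both use `["1.15", "1.18", "1.19"]`. If leaving out `"1.19"` here is intentional, say why in a comment; otherwise add it. The bracket spacing also differs from the other matrices in this change.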
@ -385,7 +395,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -428,7 +438,7 @@ jobs:
- name: Notify Slack
if: ${{ failure() }}
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{

View File

@ -17,12 +17,12 @@ jobs:
frontend-test-workspace-node:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -49,12 +49,12 @@ jobs:
JOBS: 2
CONSUL_NSPACES_ENABLED: 0
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -71,7 +71,7 @@ jobs:
run: make build-ci
- name: Upload CE Frontend
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: frontend-ce-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -88,12 +88,12 @@ jobs:
EMBER_TEST_REPORT: test-results/report-ce.xml #outputs test report for CI test summary
EMBER_TEST_PARALLEL: true #enables test parallelization with ember-exam
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -105,7 +105,7 @@ jobs:
run: make deps
- name: Download CE Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ce-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -121,12 +121,12 @@ jobs:
JOBS: 2
CONSUL_NSPACES_ENABLED: 1
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -143,7 +143,7 @@ jobs:
run: make build-ci
- name: Upload ENT Frontend
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -160,12 +160,12 @@ jobs:
EMBER_TEST_REPORT: test-results/report-ce.xml #outputs test report for CI test summary
EMBER_TEST_PARALLEL: true #enables test parallelization with ember-exam
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -177,7 +177,7 @@ jobs:
run: make deps
- name: Download ENT Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -191,12 +191,12 @@ jobs:
runs-on: ubuntu-latest
needs: [frontend-build-ent]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ env.BRANCH }}
# Not necessary to use yarn, but enables caching
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 18
cache: 'yarn'
@ -208,7 +208,7 @@ jobs:
run: make deps
- name: Download ENT Frontend
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: frontend-ent-${{ env.BRANCH_NAME }}
path: ./ui/packages/consul-ui/dist
@ -224,7 +224,7 @@ jobs:
steps:
- name: Slack Notification
id: slack
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
with:
payload: |
{

View File

@ -1,6 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
name: "Pull Request Labeler"
on:
pull_request_target:
@ -10,7 +10,9 @@ jobs:
triage:
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@0967ca812e7fdc8f5f71402a1b486d5bd061fe20 # v4.2.0
- name: 'Checkout repo'
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
configuration-path: .github/pr-labeler.yml
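Review bot: The new 'Checkout repo' step runs in a workflow triggered by `pull_request_target`, so it executes with the base repository's token. With no `ref` it checks out the base branch, which is the safe default; add a comment saying it must stay that way so a later edit does not point it at the PR head. Since the step only needs to make `.github/pr-labeler.yml` available, also set `persist-credentials: false` on it.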

View File

@ -14,7 +14,7 @@ jobs:
if: "! ( contains(github.event.pull_request.labels.*.name, 'pr/no-metrics-test') || github.event.pull_request.user.login == 'hc-github-team-consul-core' )"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
name: "checkout repo"
with:
ref: ${{ github.event.pull_request.head.sha }}

View File

@ -21,12 +21,12 @@ jobs:
runs-on: ${{ fromJSON(inputs.runs-on) }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(inputs.repository-name, '-enterprise') }}
run: git config --global url."https://${{ secrets.elevated-github-token }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ inputs.go-version }}
# Run on all go.mod (include submodules).

View File

@ -0,0 +1,69 @@
name: conditional-skip
on:
workflow_call:
outputs:
skip-ci:
description: "Whether we should skip build and test jobs"
value: ${{ jobs.check-skip.outputs.skip-ci }}
jobs:
check-skip:
runs-on: ubuntu-latest
name: Check whether to skip build and tests
outputs:
skip-ci: ${{ steps.maybe-skip-ci.outputs.skip-ci }}
steps:
# We only allow use of conditional skip in two scenarios:
# 1. PRs
# 2. Pushes (merges) to protected branches (`main`, `release/**`)
#
# The second scenario is the only place we can be sure that checking just the
# latest change on the branch is sufficient. In PRs, we need to check _all_ commits.
# The ability to do this is ultimately determined by the triggers of the calling
# workflow, since `base_ref` (the target branch of a PR) is only available in
# `pull_request` events, not `push`.
- name: Error if conditional check is not allowed
if: ${{ !github.base_ref && !github.ref_protected }}
run: |
echo "Conditional skip requires a PR event with 'base_ref' or 'push' to a protected branch."
echo "github.base_ref: ${{ github.base_ref }}"
echo "github.ref_protected: ${{ github.ref_protected }}"
echo "github.ref_name: ${{ github.ref_name }}"
echo "Check the triggers of the calling workflow to ensure that these requirements are met."
exit 1
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
- name: Check for skippable file changes
id: changed-files
uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45.0.1
with:
# This is a multi-line YAML string with one match pattern per line.
# Do not use quotes around values, as it's not supported.
# See https://github.com/tj-actions/changed-files/blob/main/README.md#inputs-%EF%B8%8F
# for usage, options, and more details on match syntax.
files: |
.github/workflows/reusable-conditional-skip.yml
**.md
docs/**
ui/**
website/**
grafana/**
.changelog/**
- name: Print changed files
env:
SKIPPABLE_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
NON_SKIPPABLE_FILES: ${{ steps.changed-files.outputs.other_changed_files }}
run: |
echo "Skippable changed files:"
for file in ${SKIPPABLE_CHANGED_FILES}; do echo " $file"; done
echo
echo "Non-skippable files:"
for file in ${NON_SKIPPABLE_FILES}; do echo " $file"; done
- name: Skip tests and build if only skippable files changed
id: maybe-skip-ci
if: ${{ steps.changed-files.outputs.only_changed == 'true' }}
run: |
echo "Skipping tests and build because only skippable files changed"
echo "skip-ci=true" >> $GITHUB_OUTPUT
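Review bot: The `echo` lines in 'Error if conditional check is not allowed' expand `${{ github.base_ref }}` and `${{ github.ref_name }}` directly into the shell script. Ref names are chosen by whoever pushes the branch, so pass these values through `env:` and echo the shell variables instead, the way the 'Print changed files' step already does for the changed-file lists. Also, `skip-ci` is only ever written as `true`; when the last step does not run the output is empty rather than `false`, which callers need to know, so state that in the output description or write an explicit `false`. The redirect target in the last line should be quoted (`"$GITHUB_OUTPUT"`).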

View File

@ -28,12 +28,12 @@ jobs:
build:
runs-on: 'windows-2019'
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(inputs.repository-name, '-enterprise') }}
run: git config --global url."https://${{ secrets.elevated-github-token }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ inputs.go-version }}
- name: Build
@ -41,7 +41,7 @@ jobs:
GOARCH: ${{ inputs.goarch }}
run: go build .
# save dev build to pass to downstream jobs
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{inputs.uploaded-binary-name}}
path: consul.exe

View File

@ -34,18 +34,18 @@ jobs:
steps:
# NOTE: This is used for nightly job of building release branch.
- name: Checkout branch ${{ inputs.branch-name }}
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ inputs.branch-name }}
if: inputs.branch-name != ''
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
if: inputs.branch-name == ''
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(inputs.repository-name, '-enterprise') }}
run: git config --global url."https://${{ secrets.elevated-github-token }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ inputs.go-version }}
- name: Build
@ -53,7 +53,7 @@ jobs:
GOARCH: ${{ inputs.goarch }}
run: make dev
# save dev build to pass to downstream jobs
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{inputs.uploaded-binary-name}}
path: ./bin/consul

View File

@ -0,0 +1,71 @@
name: get-envoy-versions
# Reads the canonical ENVOY_VERSIONS file for either the current branch or a specified version of Consul,
# and returns both the max and all supported Envoy versions.
on:
workflow_call:
inputs:
ref:
description: |
The Consul ref/branch (e.g. release/1.18.x) for which to determine supported Envoy versions.
If not provided, the default actions/checkout value (current ref) is used.
type: string
outputs:
max-envoy-version:
description: The max supported Envoy version for the specified Consul version
value: ${{ jobs.get-envoy-versions.outputs.max-envoy-version }}
envoy-versions:
description: |
All supported Envoy versions for the specified Consul version (formatted as multiline string with one version
per line, in descending order)
value: ${{ jobs.get-envoy-versions.outputs.envoy-versions }}
envoy-versions-json:
description: |
All supported Envoy versions for the specified Consul version (formatted as JSON array)
value: ${{ jobs.get-envoy-versions.outputs.envoy-versions-json }}
jobs:
get-envoy-versions:
name: "Determine supported Envoy versions"
runs-on: ubuntu-latest
outputs:
max-envoy-version: ${{ steps.get-envoy-versions.outputs.max-envoy-version }}
envoy-versions: ${{ steps.get-envoy-versions.outputs.envoy-versions }}
envoy-versions-json: ${{ steps.get-envoy-versions.outputs.envoy-versions-json }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
# If not set, will default to current branch.
ref: ${{ inputs.ref }}
- name: Determine Envoy versions
id: get-envoy-versions
# Note that this script assumes that the ENVOY_VERSIONS file is in the envoyextensions/xdscommon directory.
# If in the future this file moves between branches, we could introduce a workflow input for the path that
# defaults to the new value, and manually configure the old value as needed.
run: |
MAX_ENVOY_VERSION=$(cat envoyextensions/xdscommon/ENVOY_VERSIONS | grep '^[[:digit:]]' | sort -nr | head -n 1)
ENVOY_VERSIONS=$(cat envoyextensions/xdscommon/ENVOY_VERSIONS | grep '^[[:digit:]]' | sort -nr)
ENVOY_VERSIONS_JSON=$(echo -n '[' && echo "${ENVOY_VERSIONS}" | awk '{printf "\"%s\",", $0}' | sed 's/,$//' && echo -n ']')
# Loop through each line of ENVOY_VERSIONS and compare it to the regex
while IFS= read -r version; do
if ! [[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo 'Invalid version in ENVOY_VERSIONS: '$version' does not match the pattern ^[0-9]+\.[0-9]+\.[0-9]+$'
exit 1
fi
done <<< "$ENVOY_VERSIONS"
if ! [[ $MAX_ENVOY_VERSION =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo 'Invalid MAX_ENVOY_VERSION: '$MAX_ENVOY_VERSION' does not match the pattern ^[0-9]+\.[0-9]+\.[0-9]+$'
exit 1
fi
echo "Supported Envoy versions:"
echo "${ENVOY_VERSIONS}"
echo "envoy-versions<<EOF" >> $GITHUB_OUTPUT
echo "${ENVOY_VERSIONS}" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
echo "Supported Envoy versions JSON: ${ENVOY_VERSIONS_JSON}"
echo "envoy-versions-json=${ENVOY_VERSIONS_JSON}" >> $GITHUB_OUTPUT
echo "Max supported Envoy version: ${MAX_ENVOY_VERSION}"
echo "max-envoy-version=${MAX_ENVOY_VERSION}" >> $GITHUB_OUTPUT
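Review bot: `sort -nr` in the 'Determine Envoy versions' step compares each line as a single decimal number, so it does not order dotted versions: `1.3.0` sorts above `1.29.4`, and equal major.minor values fall back to byte order, which puts `1.28.9` above `1.28.10`. Both `MAX_ENVOY_VERSION` and the "descending order" promised in the `envoy-versions` description depend on this, so use `sort -rV` (version sort) instead. The format validation would also read better before the values are used to build `ENVOY_VERSIONS_JSON`, and `$version`, `$MAX_ENVOY_VERSION` and `$GITHUB_OUTPUT` should be quoted.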

View File

@ -2,6 +2,12 @@ name: get-go-version
on:
workflow_call:
inputs:
ref:
description: |
The Consul ref/branch (e.g. release/1.18.x) for which to determine the Go version.
If not provided, the default actions/checkout value (current ref) is used.
type: string
outputs:
go-version:
description: "The Go version detected by this workflow"
@ -18,7 +24,10 @@ jobs:
go-version: ${{ steps.get-go-version.outputs.go-version }}
go-version-previous: ${{ steps.get-go-version.outputs.go-version-previous }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
# If not set, will default to current branch.
ref: ${{ inputs.ref }}
- name: Determine Go version
id: get-go-version
# We use .go-version as our source of truth for current Go

View File

@ -42,19 +42,19 @@ jobs:
fail-fast: true
name: lint ${{ matrix.directory }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(inputs.repository-name, '-enterprise') }}
run: git config --global url."https://${{ secrets.elevated-github-token }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ inputs.go-version }}
- run: go env
- name: Set golangci-lint version
run: echo "GOLANGCI_LINT_VERSION=$(make --no-print-directory print-GOLANGCI_LINT_VERSION)" >> $GITHUB_ENV
- name: lint-${{ matrix.directory }}
uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
uses: golangci/golangci-lint-action@82d40c283aeb1f2b6595839195e95c2d6a49081b # v5.0.0
with:
working-directory: ${{ matrix.directory }}
version: ${{ env.GOLANGCI_LINT_VERSION }}

View File

@ -63,8 +63,8 @@ jobs:
outputs:
package-matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ inputs.go-version }}
- id: set-matrix
@ -86,12 +86,20 @@ jobs:
ulimit -Sa
echo "Hard limits"
ulimit -Ha
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# upload-artifact requires a unique ID per run. These steps will be repeated with the matrix run, and other unit tests
# will also overlap with the names here. We use a random string rather than trying to do trickery
# with the package matrix.
- id: generate-matrix-id
run: |
MATRIX_RUN_ID=$(head /dev/urandom | tr -dc A-Z | head -c8)
echo "The matrix run ID is $MATRIX_RUN_ID"
echo "matrix-run-id=$MATRIX_RUN_ID" >> "$GITHUB_OUTPUT"
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(inputs.repository-name, '-enterprise') }}
run: git config --global url."https://${{ secrets.elevated-github-token }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ inputs.go-version }}
- run: mkdir -p ${{env.TEST_RESULTS}}
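Review bot: The `generate-matrix-id` step builds the artifact prefix from `head /dev/urandom | tr -dc A-Z | head -c8`, which gives names that cannot be mapped back to a package or matrix entry without opening the job log. Consider composing the name from stable values instead, for example `${{ strategy.job-index }}` together with an identifier passed in by the calling workflow. If the random ID stays, read a fixed number of bytes (`head -c`) rather than the default line-based `head`, which consumes a variable amount of random data, and check that anything downloading the old `test-results` and `jsonfile` artifact names is updated to the new prefixed names.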
@ -99,7 +107,7 @@ jobs:
working-directory: ${{inputs.directory}}
run: go mod download
- name: Download consul
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: ${{inputs.uploaded-binary-name}}
path: ${{inputs.directory}}
@ -143,7 +151,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -164,15 +172,15 @@ jobs:
DD_ENV: ci
run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" ${{env.TEST_RESULTS}}/gotestsum-report.xml
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: ${{ !cancelled() }}
with:
name: test-results
name: ${{ steps.generate-matrix-id.outputs.matrix-run-id }}-test-results
path: ${{env.TEST_RESULTS}}
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: ${{ !cancelled() }}
with:
name: jsonfile
name: ${{ steps.generate-matrix-id.outputs.matrix-run-id }}-jsonfile
path: /tmp/jsonfile
- name: "Re-run fails report"
if: ${{ !cancelled() }}

View File

@ -56,12 +56,12 @@ jobs:
go-test:
runs-on: ${{ fromJSON(inputs.runs-on) }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(inputs.repository-name, '-enterprise') }}
run: git config --global url."https://${{ secrets.elevated-github-token }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ inputs.go-version }}
- run: mkdir -p ${{env.TEST_RESULTS}}
@ -69,7 +69,7 @@ jobs:
working-directory: ${{inputs.directory}}
run: go mod download
- name: Download consul
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: ${{inputs.uploaded-binary-name}}
path: ${{inputs.directory}}
@ -110,7 +110,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -130,16 +130,22 @@ jobs:
env:
DD_ENV: ci
run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" ${{env.TEST_RESULTS}}/gotestsum-report.xml
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
# upload-artifact requires a unique ID per run. These steps will overlap with other users of the reusable workflow.
# We use a random string rather than trying to pass in some identifying information.
- id: generate-run-id
run: |
RUN_ID=$(head /dev/urandom | tr -dc A-Z | head -c8)
echo "The run ID is $RUN_ID"
echo "run-id=$RUN_ID" >> "$GITHUB_OUTPUT"
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: ${{ !cancelled() }}
with:
name: test-results
name: ${{ steps.generate-run-id.outputs.run-id }}-test-results
path: ${{env.TEST_RESULTS}}
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: ${{ !cancelled() }}
with:
name: jsonfile
name: ${{ steps.generate-run-id.outputs.run-id }}-jsonfile
path: /tmp/jsonfile
- name: "Re-run fails report"
if: ${{ !cancelled() }}
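Review bot: the `generate-run-id` step has no `if:` condition, so it is skipped whenever an earlier step fails, while both upload steps run under `if: ${{ !cancelled() }}`. On a failed test run `steps.generate-run-id.outputs.run-id` is then empty and the artifacts are named `-test-results` and `-jsonfile`, which brings back the name overlap the added comment describes, on exactly the runs whose results are needed. Give the step the same `if: ${{ !cancelled() }}`. Since another workflow in this commit already uses `uuidgen` for its artifact ID, using it here too would keep the two approaches consistent.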

View File

@ -1,3 +1,5 @@
# This job runs a non-blocking informational security scan on the repository.
# For release-blocking security scans, see .release/security-scan.hcl.
name: Security Scan
on:
@ -9,6 +11,12 @@ on:
branches:
- main
- release/**
# paths-ignore only works for non-required checks.
# Jobs that are required for merge must use reusable-conditional-skip.yml.
paths-ignore:
- 'docs/**'
- 'grafana/**'
- '.changelog/**'
# cancel existing runs of the same workflow on the same ref
concurrency:
@ -16,23 +24,8 @@ concurrency:
cancel-in-progress: true
jobs:
conditional-skip:
runs-on: ubuntu-latest
name: Get files changed and conditionally skip CI
outputs:
skip-ci: ${{ steps.read-files.outputs.skip-ci }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: Get changed files
id: read-files
run: ./.github/scripts/filter_changed_files_go_test.sh
setup:
needs: [conditional-skip]
name: Setup
if: needs.conditional-skip.outputs.skip-ci != 'true'
runs-on: ubuntu-latest
outputs:
compute-small: ${{ steps.setup-outputs.outputs.compute-small }}
@ -40,7 +33,7 @@ jobs:
compute-large: ${{ steps.setup-outputs.outputs.compute-large }}
compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- id: setup-outputs
name: Setup outputs
run: ./.github/scripts/get_runner_classes.sh
@ -59,18 +52,18 @@ jobs:
&& (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: Clone Security Scanner repo
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: hashicorp/security-scanner
token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
path: security-scanner
ref: main
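Review bot: the `Clone Security Scanner repo` checkout passes `secrets.PRODSEC_SCANNER_READ_ONLY` without `persist-credentials: false`, so actions/checkout leaves the token in the git configuration under `security-scanner/` for the remaining steps of the job. Set `persist-credentials: false` on that step, since the token is only needed for the clone itself. Separately, `ref: main` means the scanner code is whatever sits at the tip of that branch at run time, unlike the SHA-pinned actions around it. A tag or commit SHA would make scan results reproducible.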
@ -87,6 +80,6 @@ jobs:
cat results.sarif | jq
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@46a6823b81f2d7c67ddf123851eea88365bc8a67 # codeql-bundle-v2.13.5
uses: github/codeql-action/upload-sarif@8fd294e26a0e458834582b0fe4988d79966c7c0a # codeql-bundle-v2.18.4
with:
sarif_file: results.sarif
sarif_file: results.sarif

View File

@ -12,7 +12,7 @@ jobs:
permissions:
pull-requests: write
steps:
- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
with:
days-before-stale: -1
days-before-close: -1

File diff suppressed because it is too large Load Diff

View File

@ -13,6 +13,11 @@ on:
- 'backport/docs/**'
- 'backport/ui/**'
- 'backport/mktg-**'
push:
branches:
# Push events on the main branch
- main
- release/**
env:
TEST_RESULTS_DIR: /tmp/test-results
@ -24,25 +29,14 @@ env:
# strip the hashicorp/ off the front of github.repository for consul
CONSUL_LATEST_IMAGE_NAME: ${{ endsWith(github.repository, '-enterprise') && github.repository || 'hashicorp/consul' }}
GOPRIVATE: github.com/hashicorp # Required for enterprise deps
SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }}
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
group: "${{ github.workflow }}-${{ github.head_ref || github.ref }}"
cancel-in-progress: true
jobs:
conditional-skip:
runs-on: ubuntu-latest
name: Get files changed and conditionally skip CI
outputs:
skip-ci: ${{ steps.read-files.outputs.skip-ci }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: Get changed files
id: read-files
run: ./.github/scripts/filter_changed_files_go_test.sh
uses: ./.github/workflows/reusable-conditional-skip.yml
setup:
needs: [conditional-skip]
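Review bot: `cancel-in-progress: true` now also applies to the `push` runs this commit adds for `main` and `release/**`. On a push event `github.head_ref` is empty, so the group falls back to `github.ref`, and a second merge to the same branch cancels the run still in flight for the previous commit. A commit on `main` can then end up with no completed integration run. Restrict cancellation to pull request events, or add `github.sha` to the group for push events, so every commit on a protected branch gets a result.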
@ -56,13 +50,16 @@ jobs:
compute-xl: ${{ steps.runners.outputs.compute-xl }}
enterprise: ${{ steps.runners.outputs.enterprise }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- id: runners
run: .github/scripts/get_runner_classes.sh
get-go-version:
uses: ./.github/workflows/reusable-get-go-version.yml
get-envoy-versions:
uses: ./.github/workflows/reusable-get-envoy-versions.yml
dev-build:
needs:
- setup
@ -86,22 +83,22 @@ jobs:
contents: read
strategy:
matrix:
nomad-version: ['v1.7.3', 'v1.6.6', 'v1.5.13']
nomad-version: ['v1.8.3', 'v1.7.7', 'v1.6.10']
steps:
- name: Checkout Nomad
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: hashicorp/nomad
ref: ${{ matrix.nomad-version }}
- name: Install Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
# Do not explicitly set Go version here, as it should depend on what Nomad declares.
go-version-file: 'go.mod'
- name: Fetch Consul binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: ./bin
@ -111,7 +108,9 @@ jobs:
echo "$(pwd)/bin" >> $GITHUB_PATH
- name: Make Nomad dev build
run: make pkg/linux_amd64/nomad
run: |
make pkg/linux_amd64/nomad
echo "$(pwd)/pkg/linux_amd64" >> $GITHUB_PATH
- name: Run integration tests
run: |
@ -134,7 +133,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -167,18 +166,18 @@ jobs:
contents: read
strategy:
matrix:
vault-version: ["1.15.4", "1.14.8", "1.13.12"]
vault-version: ["1.17.5", "1.16.3", "1.15.6"]
env:
VAULT_BINARY_VERSION: ${{ matrix.vault-version }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
# We use the current Consul Go version here since Vault is installed as a binary
# and tests are run from the Consul repo.
@ -218,7 +217,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -263,32 +262,29 @@ jobs:
outputs:
envoy-matrix: ${{ steps.set-matrix.outputs.envoy-matrix }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Generate Envoy Job Matrix
id: set-matrix
env:
# this is further going to multiplied in envoy-integration tests by the
# other dimensions in the matrix. Currently TOTAL_RUNNERS would be
# multiplied by 2 based on these values:
# envoy-version: ["1.28.2"]
# xds-target: ["server", "client"]
TOTAL_RUNNERS: 2
# TEST_SPLITS sets the number of test case splits to use in the matrix. This will be
# further multiplied in envoy-integration tests by the other dimensions in the matrix
# to determine the total number of runners used.
TEST_SPLITS: 4
JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
run: |
NUM_RUNNERS=$TOTAL_RUNNERS
NUM_DIRS=$(find ./test/integration/connect/envoy -mindepth 1 -maxdepth 1 -type d | wc -l)
if [ "$NUM_DIRS" -lt "$NUM_RUNNERS" ]; then
echo "TOTAL_RUNNERS is larger than the number of tests/packages to split."
NUM_RUNNERS=$((NUM_DIRS-1))
if [ "$NUM_DIRS" -lt "$TEST_SPLITS" ]; then
echo "TEST_SPLITS is larger than the number of tests/packages to split."
TEST_SPLITS=$((NUM_DIRS-1))
fi
# fix issue where test splitting calculation generates 1 more split than TOTAL_RUNNERS.
NUM_RUNNERS=$((NUM_RUNNERS-1))
# fix issue where test splitting calculation generates 1 more split than TEST_SPLITS.
TEST_SPLITS=$((TEST_SPLITS-1))
{
echo -n "envoy-matrix="
find ./test/integration/connect/envoy -maxdepth 1 -type d -print0 \
| xargs -0 -n 1 basename \
| jq --raw-input --argjson runnercount "$NUM_RUNNERS" "$JQ_SLICER" \
| jq --raw-input --argjson runnercount "$TEST_SPLITS" "$JQ_SLICER" \
| jq --compact-output 'map(join("|"))'
} >> "$GITHUB_OUTPUT"
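Review bot: `NUM_DIRS` is counted with `-mindepth 1 -maxdepth 1`, but the listing piped into `jq` uses only `-maxdepth 1`, so it also emits the starting directory and `envoy` becomes one of the names joined into a `test-cases` entry. The count and the list therefore differ by one. Add `-mindepth 1` to the second `find`, then re-check whether the `TEST_SPLITS=$((TEST_SPLITS-1))` adjustment is still needed. Also, with only one or two directories the two decrements take `$runnercount` to 0 or below, and `length / $runnercount` in `JQ_SLICER` no longer yields a usable chunk size. A lower bound of 1 on `TEST_SPLITS` would make that case explicit.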
@ -297,6 +293,7 @@ jobs:
needs:
- setup
- get-go-version
- get-envoy-versions
- generate-envoy-job-matrices
- dev-build
permissions:
@ -305,21 +302,20 @@ jobs:
strategy:
fail-fast: false
matrix:
envoy-version: ["1.28.2"]
xds-target: ["server", "client"]
test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
env:
ENVOY_VERSION: ${{ matrix.envoy-version }}
ENVOY_VERSION: ${{ needs.get-envoy-versions.outputs.max-envoy-version }}
XDS_TARGET: ${{ matrix.xds-target }}
AWS_LAMBDA_REGION: us-west-2
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: fetch binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: ./bin
@ -327,12 +323,13 @@ jobs:
run: chmod +x ./bin/consul
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Docker build
run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile ./bin
- name: Envoy Integration Tests
id: envoy-integration-tests
env:
GOTESTSUM_JUNITFILE: ${{ env.TEST_RESULTS_DIR }}/results.xml
GOTESTSUM_FORMAT: standard-verbose
@ -353,6 +350,23 @@ jobs:
--packages=./test/integration/connect/envoy \
-- -timeout=30m -tags integration -run="TestEnvoy/(${{ matrix.test-cases }})"
# See https://github.com/orgs/community/discussions/8945#discussioncomment-9897011
# and overall topic discussion for why this is necessary.
- name: Generate artifact ID
id: generate-artifact-id
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
run: |
ARTIFACT_ID=$(uuidgen)
echo "Artifact ID: $ARTIFACT_ID (search this in job summary for download link)"
echo "artifact_id=$ARTIFACT_ID" >> "$GITHUB_ENV"
- name: Upload failure logs
if: ${{ failure() && steps.envoy-integration-tests.conclusion == 'failure' }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}
path: test/integration/connect/envoy/workdir/logs/
# NOTE: ENT specific step as we store secrets in Vault.
- name: Authenticate to Vault
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
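Review bot: the `Upload failure logs` step names its artifact `envoy-${{ matrix.envoy-version }}-logs-${{ env.artifact_id }}`, but this commit removes `envoy-version` from the job's matrix and sets `ENVOY_VERSION` from `needs.get-envoy-versions.outputs.max-envoy-version` instead. The expression evaluates to an empty string, so the artifact is named `envoy--logs-<uuid>` and no longer records which Envoy version failed. Use `${{ env.ENVOY_VERSION }}` in the name. Adding `${{ matrix.xds-target }}` as well would distinguish the server and client runs without looking up the UUID in the job log.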
@ -363,7 +377,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -390,20 +404,22 @@ jobs:
needs:
- setup
- get-go-version
- get-envoy-versions
- dev-build
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
env:
ENVOY_VERSION: "1.28.2"
CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.3-dev-ubi"
ENVOY_VERSION: ${{ needs.get-envoy-versions.outputs.max-envoy-version }}
#TODO don't harcode this image name
CONSUL_DATAPLANE_IMAGE: "docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.6-dev-ubi"
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
@ -412,7 +428,7 @@ jobs:
docker version
docker info
- name: fetch binary
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: '${{ env.CONSUL_BINARY_UPLOAD_NAME }}'
path: .
@ -476,7 +492,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
@ -509,15 +525,16 @@ jobs:
strategy:
fail-fast: false
env:
DEPLOYER_CONSUL_DATAPLANE_IMAGE: "docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.3-dev"
# TODO @sarah.alsmiller Don't hardcode this version value
DEPLOYER_CONSUL_DATAPLANE_IMAGE: "docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.6-dev"
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
# NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
- name: Setup Git
if: ${{ endsWith(github.repository, '-enterprise') }}
run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- run: go env
@ -560,7 +577,7 @@ jobs:
- name: Fetch Secrets
if: ${{ !cancelled() && endsWith(github.repository, '-enterprise') }}
id: secrets
uses: hashicorp/vault-action@v2.5.0
uses: hashicorp/vault-action@v3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}

View File

@ -21,7 +21,7 @@ jobs:
verify-envoy-version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0 # by default the checkout action doesn't checkout all branches

3
.gitignore vendored
View File

@ -71,3 +71,6 @@ terraform.rc
/go.work
/go.work.sum
.docker
# Avoid accidental commits of consul-k8s submodule used by some dev environments
consul-k8s/

View File

@ -1 +1 @@
1.21.9
1.22.7

View File

@ -75,7 +75,9 @@ linters-settings:
simplify: true
forbidigo:
# Forbid the following identifiers (list of regexp).
# Format includes custom message based on https://github.com/ashanbrown/forbidigo/pull/11
forbid:
- '\bhtml\/template\b(# Use text/template instead)?'
- '\bioutil\b(# Use io and os packages instead of ioutil)?'
- '\brequire\.New\b(# Use package-level functions with explicit TestingT)?'
- '\bassert\.New\b(# Use package-level functions with explicit TestingT)?'
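Review bot: the new `html/template` rule tells authors to "Use text/template instead", but `text/template` performs no contextual escaping, so any template whose output reaches an HTTP response or the UI would lose the escaping `html/template` provides. Given the XSS fixes listed in this release's changelog, the message should state the scope in which the swap is safe, for example templates that render configuration or CLI output only. It should also point HTML-producing code to an explicit `//nolint:forbidigo` exception with a justification, rather than to `text/template`.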

View File

@ -38,9 +38,14 @@ container {
suppress {
# N.b. `vulnerabilites` is the correct spelling for this tool.
vulnerabilites = [
"CVE-2023-46218", # curl@8.4.0-r0
"CVE-2023-46219", # curl@8.4.0-r0
"CVE-2023-5678", # openssl@3.1.4-r0
"CVE-2024-8096", # curl@8.9.1-r2,
]
paths = [
"internal/tools/proto-gen-rpc-glue/e2e/consul/*",
"test/integration/connect/envoy/test-sds-server/*",
"test/integration/consul-container/*",
"testing/deployer/*",
"test-integ/*",
]
}
}
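Review bot: the new `CVE-2024-8096` suppression records only the affected package (`# curl@8.9.1-r2,`, with a stray trailing comma) and not why it is acceptable to ignore or when the entry should be removed. The three entries it replaces show how these go stale against a moving base image. Add a short reason and a removal condition, such as the curl version that carries the fix, next to the ID. The added `paths` entries also exclude whole directories (`testing/deployer/*`, `test-integ/*`) from the release-blocking scan, so a comment noting that these are test-only modules not shipped in the image would help the next reviewer confirm the exclusion is still valid.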
@ -49,6 +54,7 @@ container {
binary {
go_modules = true
osv = true
go_stdlib = true
# We can't enable npm for binary targets today because we don't yet embed the relevant file
# (yarn.lock) in the Consul binary. This is something we may investigate in the future.
@ -74,7 +80,13 @@ binary {
suppress {
# N.b. `vulnerabilites` is the correct spelling for this tool.
vulnerabilites = [
"GO-2024-2631", # go-jose/v3@v3.0.3 (false positive)
]
paths = [
"internal/tools/proto-gen-rpc-glue/e2e/consul/*",
"test/integration/connect/envoy/test-sds-server/*",
"test/integration/consul-container/*",
"testing/deployer/*",
"test-integ/*",
]
}
}

19
.release/versions.hcl Normal file
View File

@ -0,0 +1,19 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
# This manifest file describes active releases and is consumed by the backport tooling.
# It is only consumed from the default branch, so backporting changes to this file is not necessary.
schema = 1
active_versions {
version "1.20" {
ce_active = true
}
version "1.19" {}
version "1.18" {
lts = true
}
version "1.15" {
lts = true
}
}

View File

@ -1,3 +1,367 @@
## 1.20.0 (October 14, 2024)
SECURITY:
* Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
* Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
* UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]
* Upgrade Go to use 1.22.7. This addresses CVE
[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
* Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and
[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
* ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
* ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
* ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
* ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]
FEATURES:
* grafana: added the dashboards service-to-service dashboard, service dashboard, and consul dataplane dashboard [[GH-21806](https://github.com/hashicorp/consul/issues/21806)]
* server: remove v2 tenancy, catalog, and mesh experiments [[GH-21592](https://github.com/hashicorp/consul/issues/21592)]
IMPROVEMENTS:
* security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]
* connect: Add Envoy 1.31 and 1.30 to support matrix [[GH-21616](https://github.com/hashicorp/consul/issues/21616)]
BUG FIXES:
* jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]
## 1.20.0-rc1 (September 19, 2024)
SECURITY:
* Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
* Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
* UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]
* Upgrade Go to use 1.22.7. This addresses CVE
[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
* Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and
[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
* ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
* ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
* ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
* ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]
FEATURES:
* server: remove v2 tenancy, catalog, and mesh experiments [[GH-21592](https://github.com/hashicorp/consul/issues/21592)]
IMPROVEMENTS:
* security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]
* connect: Add Envoy 1.31 and 1.30 to support matrix [[GH-21616](https://github.com/hashicorp/consul/issues/21616)]
BUG FIXES:
* jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]
## 1.19.2 (August 26, 2024)
SECURITY:
* ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0 [[GH-21588](https://github.com/hashicorp/consul/issues/21588)]
IMPROVEMENTS:
* Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [[GH-21587](https://github.com/hashicorp/consul/issues/21587)]
BUG FIXES:
* api-gateway: **(Enterprise only)** ensure clusters are properly created for JWT providers with a remote URI for the JWKS endpoint [[GH-21604](https://github.com/hashicorp/consul/issues/21604)]
## 1.18.4 Enterprise (August 26, 2024)
Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
SECURITY:
* ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0
IMPROVEMENTS:
* Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [[GH-21587](https://github.com/hashicorp/consul/issues/21587)]
## 1.17.7 Enterprise (August 26, 2024)
SECURITY:
* ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0
IMPROVEMENTS:
* Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [[GH-21587](https://github.com/hashicorp/consul/issues/21587)]
## 1.15.14 Enterprise (August 26, 2024)
Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.
SECURITY:
* ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0 [[GH-21588](https://github.com/hashicorp/consul/issues/21588)]
IMPROVEMENTS:
* Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [[GH-21587](https://github.com/hashicorp/consul/issues/21587)]
## 1.19.1 (July 11, 2024)
SECURITY:
* Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve [CVE-2024-39305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39305) [[GH-21524](https://github.com/hashicorp/consul/issues/21524)]
* Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791) [[GH-21507](https://github.com/hashicorp/consul/issues/21507)]
* Upgrade go-retryablehttp to address [CVE-2024-6104](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6104) [[GH-21384](https://github.com/hashicorp/consul/issues/21384)]
* agent: removed reflected cross-site scripting vulnerability [[GH-21342](https://github.com/hashicorp/consul/issues/21342)]
* ui: Pin and namespace sub-module dependencies related to the Consul UI [[GH-21378](https://github.com/hashicorp/consul/issues/21378)]
IMPROVEMENTS:
* mesh: update supported envoy version 1.29.5 in addition to 1.28.4, 1.27.6. [[GH-21277](https://github.com/hashicorp/consul/issues/21277)]
BUG FIXES:
* core: Fix multiple incorrect type conversion for potential overflows [[GH-21251](https://github.com/hashicorp/consul/issues/21251)]
* core: Fix panic runtime error on AliasCheck [[GH-21339](https://github.com/hashicorp/consul/issues/21339)]
* dns: Fix a regression where DNS SRV questions were returning duplicate hostnames instead of encoded IPs.
This affected Nomad integrations with Consul. [[GH-21361](https://github.com/hashicorp/consul/issues/21361)]
* dns: Fix a regression where DNS tags using the standard lookup syntax, `tag.name.service.consul`, were being disregarded. [[GH-21361](https://github.com/hashicorp/consul/issues/21361)]
* dns: Fixes a spam log message "Failed to parse TTL for prepared query..."
that was always being logged on each prepared query evaluation. [[GH-21381](https://github.com/hashicorp/consul/issues/21381)]
* terminating-gateway: **(Enterprise Only)** Fixed issue where enterprise metadata applied to linked services was the terminating-gateways enterprise metadata and not the linked services enterprise metadata. [[GH-21382](https://github.com/hashicorp/consul/issues/21382)]
* txn: Fix a bug where mismatched Consul server versions could result in undetected data loss for when using newer Transaction verbs. [[GH-21519](https://github.com/hashicorp/consul/issues/21519)]
## 1.18.3 Enterprise (July 11, 2024)
**Enterprise LTS**: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
SECURITY:
* Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve [CVE-2024-39305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39305) [[GH-21524](https://github.com/hashicorp/consul/issues/21524)]
* Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791) [[GH-21507](https://github.com/hashicorp/consul/issues/21507)]
* Upgrade go-retryablehttp to address [CVE-2024-6104](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6104) [[GH-21384](https://github.com/hashicorp/consul/issues/21384)]
* agent: removed reflected cross-site scripting vulnerability [[GH-21342](https://github.com/hashicorp/consul/issues/21342)]
* ui: Pin and namespace sub-module dependencies related to the Consul UI [[GH-21378](https://github.com/hashicorp/consul/issues/21378)]
IMPROVEMENTS:
* mesh: update supported envoy version 1.29.4
* mesh: update supported envoy version 1.29.5 in addition to 1.28.4, 1.27.6. [[GH-21277](https://github.com/hashicorp/consul/issues/21277)]
* upgrade go version to v1.22.3. [[GH-21113](https://github.com/hashicorp/consul/issues/21113)]
* upgrade go version to v1.22.4. [[GH-21265](https://github.com/hashicorp/consul/issues/21265)]
BUG FIXES:
* core: Fix multiple incorrect type conversion for potential overflows [[GH-21251](https://github.com/hashicorp/consul/issues/21251)]
* core: Fix panic runtime error on AliasCheck [[GH-21339](https://github.com/hashicorp/consul/issues/21339)]
* dns: Fixes a spam log message "Failed to parse TTL for prepared query..."
that was always being logged on each prepared query evaluation. [[GH-21381](https://github.com/hashicorp/consul/issues/21381)]
* terminating-gateway: **(Enterprise Only)** Fixed issue where enterprise metadata applied to linked services was the terminating-gateways enterprise metadata and not the linked services enterprise metadata. [[GH-21382](https://github.com/hashicorp/consul/issues/21382)]
* txn: Fix a bug where mismatched Consul server versions could result in undetected data loss for when using newer Transaction verbs. [[GH-21519](https://github.com/hashicorp/consul/issues/21519)]
* v2dns: Fix a regression where DNS SRV questions were returning duplicate hostnames instead of encoded IPs.
This affected Nomad integrations with Consul. [[GH-21361](https://github.com/hashicorp/consul/issues/21361)]
* v2dns: Fix a regression where DNS tags using the standard lookup syntax, `tag.name.service.consul`, were being disregarded. [[GH-21361](https://github.com/hashicorp/consul/issues/21361)]
## 1.17.6 Enterprise (July 11, 2024)
SECURITY:
* Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve [CVE-2024-39305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39305) [[GH-21524](https://github.com/hashicorp/consul/issues/21524)]
* Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791) [[GH-21507](https://github.com/hashicorp/consul/issues/21507)]
* Upgrade go-retryablehttp to address [CVE-2024-6104](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6104) [[GH-21384](https://github.com/hashicorp/consul/issues/21384)]
* agent: removed reflected cross-site scripting vulnerability [[GH-21342](https://github.com/hashicorp/consul/issues/21342)]
* ui: Pin and namespace sub-module dependencies related to the Consul UI [[GH-21378](https://github.com/hashicorp/consul/issues/21378)]
IMPROVEMENTS:
* upgrade go version to v1.22.3. [[GH-21113](https://github.com/hashicorp/consul/issues/21113)]
* upgrade go version to v1.22.4. [[GH-21265](https://github.com/hashicorp/consul/issues/21265)]
BUG FIXES:
* core: Fix panic runtime error on AliasCheck [[GH-21339](https://github.com/hashicorp/consul/issues/21339)]
* terminating-gateway: **(Enterprise Only)** Fixed issue where enterprise metadata applied to linked services was the terminating-gateways enterprise metadata and not the linked services enterprise metadata. [[GH-21382](https://github.com/hashicorp/consul/issues/21382)]
* txn: Fix a bug where mismatched Consul server versions could result in undetected data loss for when using newer Transaction verbs. [[GH-21519](https://github.com/hashicorp/consul/issues/21519)]
## 1.15.13 Enterprise (July 11, 2024)
**Enterprise LTS**: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.
SECURITY:
* Upgrade envoy module dependencies to version 1.27.7, 1.28.5 and 1.29.7 or higher to resolve [CVE-2024-39305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39305) [[GH-21524](https://github.com/hashicorp/consul/issues/21524)]
* Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791) [[GH-21507](https://github.com/hashicorp/consul/issues/21507)]
* Upgrade go-retryablehttp to address [CVE-2024-6104](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6104) [[GH-21384](https://github.com/hashicorp/consul/issues/21384)]
* agent: removed reflected cross-site scripting vulnerability [[GH-21342](https://github.com/hashicorp/consul/issues/21342)]
* ui: Pin and namespace sub-module dependencies related to the Consul UI [[GH-21378](https://github.com/hashicorp/consul/issues/21378)]
IMPROVEMENTS:
* mesh: update supported envoy version 1.29.4
* upgrade go version to v1.22.3. [[GH-21113](https://github.com/hashicorp/consul/issues/21113)]
* upgrade go version to v1.22.4. [[GH-21265](https://github.com/hashicorp/consul/issues/21265)]
BUG FIXES:
* core: Fix panic runtime error on AliasCheck [[GH-21339](https://github.com/hashicorp/consul/issues/21339)]
* terminating-gateway: **(Enterprise Only)** Fixed issue where enterprise metadata applied to linked services was the terminating-gateways enterprise metadata and not the linked services enterprise metadata. [[GH-21382](https://github.com/hashicorp/consul/issues/21382)]
* txn: Fix a bug where mismatched Consul server versions could result in undetected data loss for when using newer Transaction verbs. [[GH-21519](https://github.com/hashicorp/consul/issues/21519)]
## 1.19.0 (June 12, 2024)
BREAKING CHANGES:
* telemetry: State store usage metrics with a double `consul` element in the metric name have been removed. Please use the same metric without the second `consul` instead. As an example instead of `consul.consul.state.config_entries` use `consul.state.config_entries` [[GH-20674](https://github.com/hashicorp/consul/issues/20674)]
SECURITY:
* Upgrade to support Envoy `1.27.5 and 1.28.3`. This resolves CVE
[CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475) (`auto_sni`). [[GH-21017](https://github.com/hashicorp/consul/issues/21017)]
* Upgrade to support k8s.io/apimachinery `v0.18.7 or higher`. This resolves CVE
[CVE-2020-8559](https://nvd.nist.gov/vuln/detail/CVE-2020-8559). [[GH-21017](https://github.com/hashicorp/consul/issues/21017)]
FEATURES:
* dns: queries now default to a refactored DNS server that is v1 and v2 Catalog compatible.
Use `v1dns` in the `experiments` agent config to disable.
The legacy server will be removed in a future release of Consul.
See the [Consul 1.19.x Release Notes](https://developer.hashicorp.com/consul/docs/release-notes/consul/v1_19_x) for removed DNS features. [[GH-20715](https://github.com/hashicorp/consul/issues/20715)]
* gateways: api-gateway can leverage listener TLS certificates available on the gateway's local filesystem by specifying the public certificate and private key path in the new file-system-certificate configuration entry [[GH-20873](https://github.com/hashicorp/consul/issues/20873)]
IMPROVEMENTS:
* dns: new version was not supporting partition or namespace being set to 'default' in CE version. [[GH-21230](https://github.com/hashicorp/consul/issues/21230)]
* mesh: update supported envoy version 1.29.4 in addition to 1.28.3, 1.27.5, 1.26.8. [[GH-21142](https://github.com/hashicorp/consul/issues/21142)]
* upgrade go version to v1.22.4. [[GH-21265](https://github.com/hashicorp/consul/issues/21265)]
* Upgrade `github.com/envoyproxy/go-control-plane` to 0.12.0. [[GH-20973](https://github.com/hashicorp/consul/issues/20973)]
* dns: DNS-over-grpc when using `consul-dataplane` now accepts partition, namespace, token as metadata to default those query parameters.
`consul-dataplane` v1.5+ will send this information automatically. [[GH-20899](https://github.com/hashicorp/consul/issues/20899)]
* snapshot: Add `consul snapshot decode` CLI command to output a JSON object stream of all the snapshots data. [[GH-20824](https://github.com/hashicorp/consul/issues/20824)]
* telemetry: Add `telemetry.disable_per_tenancy_usage_metrics` in agent configuration to disable setting tenancy labels on usage metrics. This significantly decreases CPU utilization in clusters with many admin partitions or namespaces.
* telemetry: Improved the performance usage metrics emission by not outputting redundant metrics. [[GH-20674](https://github.com/hashicorp/consul/issues/20674)]
DEPRECATIONS:
* snapshot agent: **(Enterprise only)** Top level single snapshot destinations `local_storage`, `aws_storage`, `azure_blob_storage`, and `google_storage` in snapshot agent configuration files are now deprecated. Use the `backup_destinations` config object instead.
BUG FIXES:
* docs: Consul DNS Forwarding configuration for OpenShift update for [Resolve Consul DNS Requests in Kubernetes](https://developer.hashicorp.com/consul/docs/k8s/dns) [[GH-20439](https://github.com/hashicorp/consul/issues/20439)]
* hcp: fix error logs when failing to push metrics [[GH-20514](https://github.com/hashicorp/consul/issues/20514)]
* streaming: Handle ACL errors consistently when blocking query timeout is reached. [[GH-20876](https://github.com/hashicorp/consul/issues/20876)]
## 1.18.2 (May 14, 2024)
**Enterprise LTS**: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
SECURITY:
* Bump Dockerfile base image to `alpine:3.19`. [[GH-20897](https://github.com/hashicorp/consul/issues/20897)]
* Update `vault/api` to v1.12.2 to address [CVE-2024-28180](https://nvd.nist.gov/vuln/detail/CVE-2024-28180)
(removes indirect dependency on impacted `go-jose.v2`) [[GH-20910](https://github.com/hashicorp/consul/issues/20910)]
* Upgrade Go to use 1.21.10. This addresses CVEs
[CVE-2024-24787](https://nvd.nist.gov/vuln/detail/CVE-2024-24787) and
[CVE-2024-24788](https://nvd.nist.gov/vuln/detail/CVE-2024-24788) [[GH-21074](https://github.com/hashicorp/consul/issues/21074)]
* Upgrade to support Envoy `1.26.8, 1.27.4, 1.27.5, 1.28.2 and 1.28.3`. This resolves CVEs
[CVE-2024-27919](https://nvd.nist.gov/vuln/detail/CVE-2024-27919) (`http2`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)] and [CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475) (`auto_sni`). [[GH-21030](https://github.com/hashicorp/consul/issues/21030)]
* Upgrade to support k8s.io/apimachinery `v0.18.7 or higher`. This resolves CVE
[CVE-2020-8559](https://nvd.nist.gov/vuln/detail/CVE-2020-8559). [[GH-21034](https://github.com/hashicorp/consul/issues/21034)]
* Upgrade to use Go `1.21.9`. This resolves CVE
[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`http2`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)]
* Upgrade to use golang.org/x/net `v0.24.0`. This resolves CVE
[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`x/net`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)]
IMPROVEMENTS:
* gateways: service defaults configuration entries can now be used to set default upstream limits for mesh-gateways [[GH-20945](https://github.com/hashicorp/consul/issues/20945)]
* connect: Add ability to disable Auto Host Header Rewrite on Terminating Gateway at the service level [[GH-20802](https://github.com/hashicorp/consul/issues/20802)]
BUG FIXES:
* dns: fix a bug with sameness group queries in DNS where responses did not respect [`DefaultForFailover`](/consul/docs/connect/config-entries/sameness-group#defaultforfailover).
DNS requests against sameness groups without this field set will now error as intended.
* error running consul server in 1.18.0: failed to configure SCADA provider user's home directory path: $HOME is not defined [[GH-20926](https://github.com/hashicorp/consul/issues/20926)]
* server: fix Ent snapshot restore on CE when CE downgrade is enabled [[GH-20977](https://github.com/hashicorp/consul/issues/20977)]
* xds: Make TCP external service registered with terminating gateway reachable from peered cluster [[GH-19881](https://github.com/hashicorp/consul/issues/19881)]
## 1.17.5 Enterprise (May 14, 2024)
SECURITY:
* Bump Dockerfile base image to `alpine:3.19`. [[GH-20897](https://github.com/hashicorp/consul/issues/20897)]
* Update `vault/api` to v1.12.2 to address [CVE-2024-28180](https://nvd.nist.gov/vuln/detail/CVE-2024-28180)
(removes indirect dependency on impacted `go-jose.v2`) [[GH-20910](https://github.com/hashicorp/consul/issues/20910)]
* Upgrade Go to use 1.21.10. This addresses CVEs
[CVE-2024-24787](https://nvd.nist.gov/vuln/detail/CVE-2024-24787) and
[CVE-2024-24788](https://nvd.nist.gov/vuln/detail/CVE-2024-24788) [[GH-21074](https://github.com/hashicorp/consul/issues/21074)]
* Upgrade to support Envoy `1.26.8, 1.27.4, 1.27.5, 1.28.2 and 1.28.3`. This resolves CVEs
[CVE-2024-27919](https://nvd.nist.gov/vuln/detail/CVE-2024-27919) (`http2`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)] and [CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475) (`auto_sni`). [[GH-21030](https://github.com/hashicorp/consul/issues/21030)]
* Upgrade to support k8s.io/apimachinery `v0.18.7 or higher`. This resolves CVE
[CVE-2020-8559](https://nvd.nist.gov/vuln/detail/CVE-2020-8559). [[GH-21033](https://github.com/hashicorp/consul/issues/21033)]
* Upgrade to use Go `1.21.9`. This resolves CVE
[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`http2`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)]
* Upgrade to use golang.org/x/net `v0.24.0`. This resolves CVE
[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`x/net`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)]
* security: Remove `coredns/coredns` dependency to address [CVE-2024-0874](https://nvd.nist.gov/vuln/detail/CVE-2024-0874) [[GH-9243](https://github.com/hashicorp/consul/issues/9243)]
BUG FIXES:
* dns: fix a bug with sameness group queries in DNS where responses did not respect [`DefaultForFailover`](/consul/docs/connect/config-entries/sameness-group#defaultforfailover).
DNS requests against sameness groups without this field set will now error as intended.
* xds: Make TCP external service registered with terminating gateway reachable from peered cluster [[GH-19881](https://github.com/hashicorp/consul/issues/19881)]
## 1.16.8 Enterprise (May 14, 2024)
SECURITY:
* Bump Dockerfile base image to `alpine:3.19`. [[GH-20897](https://github.com/hashicorp/consul/issues/20897)]
* Update `vault/api` to v1.12.2 to address [CVE-2024-28180](https://nvd.nist.gov/vuln/detail/CVE-2024-28180)
(removes indirect dependency on impacted `go-jose.v2`) [[GH-20910](https://github.com/hashicorp/consul/issues/20910)]
* Upgrade Go to use 1.21.10. This addresses CVEs
[CVE-2024-24787](https://nvd.nist.gov/vuln/detail/CVE-2024-24787) and
[CVE-2024-24788](https://nvd.nist.gov/vuln/detail/CVE-2024-24788) [[GH-21074](https://github.com/hashicorp/consul/issues/21074)]
* Upgrade to support Envoy `1.26.8, 1.27.4, 1.27.5, 1.28.2 and 1.28.3`. This resolves CVEs
[CVE-2024-27919](https://nvd.nist.gov/vuln/detail/CVE-2024-27919) (`http2`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)] and [CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475) (`auto_sni`). [[GH-21030](https://github.com/hashicorp/consul/issues/21030)]
* Upgrade to support k8s.io/apimachinery `v0.18.7 or higher`. This resolves CVE
[CVE-2020-8559](https://nvd.nist.gov/vuln/detail/CVE-2020-8559). [[GH-21032](https://github.com/hashicorp/consul/issues/21032)]
* Upgrade to use Go `1.21.9`. This resolves CVE
[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`http2`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)]
* Upgrade to use golang.org/x/net `v0.24.0`. This resolves CVE
[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`x/net`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)]
* security: Remove `coredns/coredns` dependency to address [CVE-2024-0874](https://nvd.nist.gov/vuln/detail/CVE-2024-0874) [[GH-9244](https://github.com/hashicorp/consul/issues/9244)]
BUG FIXES:
* dns: fix a bug with sameness group queries in DNS where responses did not respect [`DefaultForFailover`](/consul/docs/connect/config-entries/sameness-group#defaultforfailover).
DNS requests against sameness groups without this field set will now error as intended.
* xds: Make TCP external service registered with terminating gateway reachable from peered cluster [[GH-19881](https://github.com/hashicorp/consul/issues/19881)]
## 1.15.12 Enterprise (May 14, 2024)
**Enterprise LTS**: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.
SECURITY:
* Bump Dockerfile base image to `alpine:3.19`. [[GH-20897](https://github.com/hashicorp/consul/issues/20897)]
* Update `vault/api` to v1.12.2 to address [CVE-2024-28180](https://nvd.nist.gov/vuln/detail/CVE-2024-28180)
(removes indirect dependency on impacted `go-jose.v2`) [[GH-20910](https://github.com/hashicorp/consul/issues/20910)]
* Upgrade Go to use 1.21.10. This addresses CVEs
[CVE-2024-24787](https://nvd.nist.gov/vuln/detail/CVE-2024-24787) and
[CVE-2024-24788](https://nvd.nist.gov/vuln/detail/CVE-2024-24788) [[GH-21074](https://github.com/hashicorp/consul/issues/21074)]
* Upgrade to support Envoy `1.26.8, 1.27.4, 1.27.5, 1.28.2 and 1.28.3`. This resolves CVEs
[CVE-2024-27919](https://nvd.nist.gov/vuln/detail/CVE-2024-27919) (`http2`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)] and [CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475) (`auto_sni`). [[GH-21030](https://github.com/hashicorp/consul/issues/21030)]
* Upgrade to support k8s.io/apimachinery `v0.18.7 or higher`. This resolves CVE
[CVE-2020-8559](https://nvd.nist.gov/vuln/detail/CVE-2020-8559). [[GH-21030](https://github.com/hashicorp/consul/issues/21030)]
* Upgrade to use Go `1.21.9`. This resolves CVE
[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`http2`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)]
* Upgrade to use golang.org/x/net `v0.24.0`. This resolves CVE
[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288) (`x/net`). [[GH-20956](https://github.com/hashicorp/consul/issues/20956)]
* security: Remove `coredns/coredns` dependency to address [CVE-2024-0874](https://nvd.nist.gov/vuln/detail/CVE-2024-0874) [[GH-9245](https://github.com/hashicorp/consul/issues/9245)]
BUG FIXES:
* xds: Make TCP external service registered with terminating gateway reachable from peered cluster [[GH-19881](https://github.com/hashicorp/consul/issues/19881)]
## 1.18.1 (March 26, 2024)
Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
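Review bot: In the 1.15.13 Enterprise section, the IMPROVEMENTS entry `mesh: update supported envoy version 1.29.4` has no GH reference and sits in the same release whose SECURITY entry asks for Envoy 1.27.7, 1.28.5 and 1.29.7 or higher to resolve CVE-2024-39305, so a reader cannot tell which Envoy versions that release actually supports. The same unreferenced 1.29.4 entry also appears in the section just before 1.17.6 Enterprise, directly above `mesh: update supported envoy version 1.29.5 in addition to 1.28.4, 1.27.6.`. Suggest dropping the stale 1.29.4 lines or giving them their PR reference. Separately, the 1.18.2 BUG FIXES entry that begins `error running consul server in 1.18.0` states the symptom rather than the fix and would read better reworded as what was changed.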

View File

@ -16,7 +16,7 @@
# Official docker image that includes binaries from releases.hashicorp.com. This
# downloads the release from releases.hashicorp.com and therefore requires that
# the release is published before building the Docker image.
FROM docker.mirror.hashicorp.services/alpine:3.19 as official
FROM docker.mirror.hashicorp.services/alpine:3.20 as official
# This is the release of Consul to pull in.
ARG VERSION
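Review bot: `FROM docker.mirror.hashicorp.services/alpine:3.20 as official` still references the base image by a mutable tag, so the same Dockerfile can build from different image contents over time and the bump cannot be audited after the fact. Consider pinning by digest alongside the tag, in the form `alpine:3.20@sha256:<digest>` with the digest taken from the mirror, so the change from 3.19 is reproducible and reviewable. The same applies to the `default` stage and to the `ubi9-minimal:9.4` stage further down.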
@ -112,7 +112,7 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"]
# Production docker image that uses CI built binaries.
# Remember, this image cannot be built locally.
FROM docker.mirror.hashicorp.services/alpine:3.19 as default
FROM docker.mirror.hashicorp.services/alpine:3.20 as default
ARG PRODUCT_VERSION
ARG BIN_NAME
@ -123,7 +123,7 @@ ENV BIN_NAME=$BIN_NAME
ENV PRODUCT_VERSION=$PRODUCT_VERSION
ARG PRODUCT_REVISION
ARG PRODUCT_NAME=$BIN_NAME
ENV PRODUCT_NAME=$BIN_NAME
# TARGETOS and TARGETARCH are set automatically when --platform is provided.
ARG TARGETOS TARGETARCH
@ -136,8 +136,10 @@ LABEL org.opencontainers.image.authors="Consul Team <consul@hashicorp.com>" \
org.opencontainers.image.vendor="HashiCorp" \
org.opencontainers.image.title="consul" \
org.opencontainers.image.description="Consul is a datacenter runtime that provides service discovery, configuration, and orchestration." \
org.opencontainers.image.licenses="BSL-1.1" \
version=${PRODUCT_VERSION}
COPY LICENSE /usr/share/doc/$PRODUCT_NAME/LICENSE.txt
# Set up certificates and base tools.
# libc6-compat is needed to symlink the shared libraries for ARM builds
RUN apk add -v --no-cache \
@ -201,9 +203,8 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"]
# Red Hat UBI-based image
# This target is used to build a Consul image for use on OpenShift.
FROM registry.access.redhat.com/ubi9-minimal:9.3 as ubi
FROM registry.access.redhat.com/ubi9-minimal:9.4 as ubi
ARG PRODUCT_NAME
ARG PRODUCT_VERSION
ARG PRODUCT_REVISION
ARG BIN_NAME
@ -212,8 +213,7 @@ ARG BIN_NAME
# and the version to download. Example: PRODUCT_NAME=consul PRODUCT_VERSION=1.2.3.
ENV BIN_NAME=$BIN_NAME
ENV PRODUCT_VERSION=$PRODUCT_VERSION
ARG PRODUCT_NAME=$BIN_NAME
ENV PRODUCT_NAME=$BIN_NAME
# TARGETOS and TARGETARCH are set automatically when --platform is provided.
ARG TARGETOS TARGETARCH
@ -226,8 +226,10 @@ LABEL org.opencontainers.image.authors="Consul Team <consul@hashicorp.com>" \
org.opencontainers.image.vendor="HashiCorp" \
org.opencontainers.image.title="consul" \
org.opencontainers.image.description="Consul is a datacenter runtime that provides service discovery, configuration, and orchestration." \
org.opencontainers.image.licenses="BSL-1.1" \
version=${PRODUCT_VERSION}
COPY LICENSE /usr/share/doc/$PRODUCT_NAME/LICENSE.txt
# Copy license for Red Hat certification.
COPY LICENSE /licenses/mozilla.txt
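Review bot: The label in this hunk declares `org.opencontainers.image.licenses="BSL-1.1"`, but the last line still copies the same LICENSE file to `/licenses/mozilla.txt`, a file name that refers to a different license than the one the label states. If Red Hat certification only needs a file under `/licenses/`, rename the target to something neutral such as `/licenses/LICENSE.txt`, or extend the comment above it to say why the old name is kept, so image scanners and auditors do not see two conflicting license statements.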

View File

@ -18,7 +18,7 @@ PROTOC_GEN_GO_GRPC_VERSION='v1.2.0'
MOG_VERSION='v0.4.2'
PROTOC_GO_INJECT_TAG_VERSION='v1.3.0'
PROTOC_GEN_GO_BINARY_VERSION='v0.1.0'
DEEP_COPY_VERSION='bc3f5aa5735d8a54961580a3a24422c308c831c2'
DEEP_COPY_VERSION='e112476c0181d3d69067bac191f9b6bcda2ce812'
COPYWRITE_TOOL_VERSION='v0.16.4'
LINT_CONSUL_RETRY_VERSION='v1.4.0'
# Go imports formatter
@ -71,9 +71,10 @@ CONSUL_IMAGE_VERSION?=latest
# When changing the method of Go version detection, also update
# version detection in CI workflows (reusable-get-go-version.yml).
GOLANG_VERSION?=$(shell head -n 1 .go-version)
ENVOY_VERSION?='1.28.0'
CONSUL_DATAPLANE_IMAGE := $(or $(CONSUL_DATAPLANE_IMAGE),"docker.io/hashicorppreview/consul-dataplane:1.3-dev-ubi")
DEPLOYER_CONSUL_DATAPLANE_IMAGE := $(or $(DEPLOYER_CONSUL_DATAPLANE_IMAGE), "docker.io/hashicorppreview/consul-dataplane:1.3-dev")
# Takes the highest version from the ENVOY_VERSIONS file.
ENVOY_VERSION?=$(shell cat envoyextensions/xdscommon/ENVOY_VERSIONS | grep '^[[:digit:]]' | sort -nr | head -n 1)
CONSUL_DATAPLANE_IMAGE := $(or $(CONSUL_DATAPLANE_IMAGE),"docker.io/hashicorppreview/consul-dataplane:1.6-dev-ubi")
DEPLOYER_CONSUL_DATAPLANE_IMAGE := $(or $(DEPLOYER_CONSUL_DATAPLANE_IMAGE), "docker.io/hashicorppreview/consul-dataplane:1.6-dev")
CONSUL_VERSION?=$(shell cat version/VERSION)
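Review bot: The new `ENVOY_VERSION` pipeline relies on `sort -nr`, which orders lines by their leading number only: `1.29.10` and `1.29.4` both parse as 1.29, and `1.10` sorts below `1.9`, so the expression stops returning the highest version as soon as any component reaches two digits. Use a version-aware sort (`sort -Vr` where the installed sort supports `-V`) and let grep read the file directly, as in `grep '^[[:digit:]]' envoyextensions/xdscommon/ENVOY_VERSIONS`, rather than piping it through cat. It is also worth failing the build when the result is empty, since a missing or renamed ENVOY_VERSIONS file currently yields an empty `ENVOY_VERSION` without any error.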
@ -293,7 +294,6 @@ lint-container-test-deps: ## Check that the test-container module only imports a
@cd test/integration/consul-container && \
$(CURDIR)/build-support/scripts/check-allowed-imports.sh \
github.com/hashicorp/consul \
"internal/catalog/catalogtest" \
"internal/resource/resourcetest"
##@ Testing
@ -619,6 +619,14 @@ envoy-regen: ## Regenerating envoy golden files
@find "command/connect/envoy/testdata" -name '*.golden' -delete
@go test -tags '$(GOTAGS)' ./command/connect/envoy -update
##@ Changelog
.PHONY: gen-changelog
gen-changelog: ## Generate changelog entry for the current branch based on the currently open PR for that branch
@$(SHELL) $(CURDIR)/build-support/scripts/gen-changelog.sh
##@ Help
# The help target prints out all targets with their descriptions organized
@ -634,3 +642,4 @@ envoy-regen: ## Regenerating envoy golden files
.PHONY: help
help: ## Display this help.
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

View File

@ -59,31 +59,6 @@ func (m *MockAuthorizer) EventWrite(segment string, ctx *AuthorizerContext) Enfo
return ret.Get(0).(EnforcementDecision)
}
// IdentityRead checks for permission to read a given workload identity.
func (m *MockAuthorizer) IdentityRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// IdentityReadAll checks for permission to read all workload identities.
func (m *MockAuthorizer) IdentityReadAll(ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(ctx)
return ret.Get(0).(EnforcementDecision)
}
// IdentityWrite checks for permission to create or update a given
// workload identity.
func (m *MockAuthorizer) IdentityWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// IdentityWriteAny checks for write permission on any workload identity.
func (m *MockAuthorizer) IdentityWriteAny(ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(ctx)
return ret.Get(0).(EnforcementDecision)
}
// IntentionDefaultAllow determines the default authorized behavior
// when no intentions match a Connect request.
func (m *MockAuthorizer) IntentionDefaultAllow(ctx *AuthorizerContext) EnforcementDecision {

View File

@ -8,12 +8,25 @@ package acl
const (
WildcardPartitionName = ""
DefaultPartitionName = ""
)
// NonEmptyDefaultPartitionName is the name of the default partition that is
// not empty. An example of this being supplied is when a partition is specified
// in the request for DNS by consul-dataplane. This has been added to support
// DNS v1.5, which needs to be compatible with the original DNS subsystem which
// supports partition being "default" or empty. Otherwise, use DefaultPartitionName.
NonEmptyDefaultPartitionName = "default"
// Reviewer Note: This is a little bit strange; one might want it to be "" like partition name
// However in consul/structs/intention.go we define IntentionDefaultNamespace as 'default' and so
// we use the same here
const DefaultNamespaceName = "default"
// DefaultNamespaceName is used to mimic the behavior in consul/structs/intention.go,
// where we define IntentionDefaultNamespace as 'default' and so we use the same here.
// This is a little bit strange; one might want it to be "" like DefaultPartitionName.
DefaultNamespaceName = "default"
// EmptyNamespaceName is the name of the default partition that is an empty string.
// An example of this being supplied is when a namespace is specifiedDNS v1.
// EmptyNamespaceName has been added to support DNS v1.5, which needs to be
// compatible with the original DNS subsystem which supports partition being "default" or empty.
// Otherwise, use DefaultNamespaceName.
EmptyNamespaceName = ""
)
type EnterpriseConfig struct {
// no fields in CE
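Review bot: The doc comment on `EmptyNamespaceName` is wrong in two places: it calls the constant "the name of the default partition" although it is a namespace name, and the sentence "when a namespace is specifiedDNS v1" is garbled. Please rewrite it to mirror the `NonEmptyDefaultPartitionName` comment. More substantively, this hunk gives the default partition and the default namespace two accepted spellings each (`""` and `"default"`) inside the `acl` package, so the comments should state where the two forms are normalized; a comparison of a tenancy name against only one of the constants would treat the same tenant as two different ones.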

View File

@ -40,22 +40,6 @@ func checkAllowEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx
require.Equal(t, Allow, authz.EventWrite(prefix, entCtx))
}
func checkAllowIdentityRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.IdentityRead(prefix, entCtx))
}
func checkAllowIdentityReadAll(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.IdentityReadAll(entCtx))
}
func checkAllowIdentityWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.IdentityWrite(prefix, entCtx))
}
func checkAllowIdentityWriteAny(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.IdentityWriteAny(entCtx))
}
func checkAllowIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.IntentionDefaultAllow(entCtx))
}
@ -196,22 +180,6 @@ func checkDenyEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *
require.Equal(t, Deny, authz.EventWrite(prefix, entCtx))
}
func checkDenyIdentityRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.IdentityRead(prefix, entCtx))
}
func checkDenyIdentityReadAll(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.IdentityReadAll(entCtx))
}
func checkDenyIdentityWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.IdentityWrite(prefix, entCtx))
}
func checkDenyIdentityWriteAny(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.IdentityWriteAny(entCtx))
}
func checkDenyIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.IntentionDefaultAllow(entCtx))
}
@ -360,22 +328,6 @@ func checkDefaultEventWrite(t *testing.T, authz Authorizer, prefix string, entCt
require.Equal(t, Default, authz.EventWrite(prefix, entCtx))
}
func checkDefaultIdentityRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.IdentityRead(prefix, entCtx))
}
func checkDefaultIdentityReadAll(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.IdentityReadAll(entCtx))
}
func checkDefaultIdentityWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.IdentityWrite(prefix, entCtx))
}
func checkDefaultIdentityWriteAny(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.IdentityWriteAny(entCtx))
}
func checkDefaultIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.IntentionDefaultAllow(entCtx))
}
@ -516,10 +468,6 @@ func TestACL(t *testing.T) {
{name: "DenyIntentionDefaultAllow", check: checkDenyIntentionDefaultAllow},
{name: "DenyIntentionRead", check: checkDenyIntentionRead},
{name: "DenyIntentionWrite", check: checkDenyIntentionWrite},
{name: "DenyIdentityRead", check: checkDenyIdentityRead},
{name: "DenyIdentityReadAll", check: checkDenyIdentityReadAll},
{name: "DenyIdentityWrite", check: checkDenyIdentityWrite},
{name: "DenyIdentityWriteAny", check: checkDenyIdentityWriteAny},
{name: "DenyKeyRead", check: checkDenyKeyRead},
{name: "DenyKeyringRead", check: checkDenyKeyringRead},
{name: "DenyKeyringWrite", check: checkDenyKeyringWrite},
@ -554,10 +502,6 @@ func TestACL(t *testing.T) {
{name: "AllowAgentWrite", check: checkAllowAgentWrite},
{name: "AllowEventRead", check: checkAllowEventRead},
{name: "AllowEventWrite", check: checkAllowEventWrite},
{name: "AllowIdentityRead", check: checkAllowIdentityRead},
{name: "AllowIdentityReadAll", check: checkAllowIdentityReadAll},
{name: "AllowIdentityWrite", check: checkAllowIdentityWrite},
{name: "AllowIdentityWriteAny", check: checkAllowIdentityWriteAny},
{name: "AllowIntentionDefaultAllow", check: checkAllowIntentionDefaultAllow},
{name: "AllowIntentionRead", check: checkAllowIntentionRead},
{name: "AllowIntentionWrite", check: checkAllowIntentionWrite},
@ -597,10 +541,6 @@ func TestACL(t *testing.T) {
{name: "AllowAgentWrite", check: checkAllowAgentWrite},
{name: "AllowEventRead", check: checkAllowEventRead},
{name: "AllowEventWrite", check: checkAllowEventWrite},
{name: "AllowIdentityRead", check: checkAllowIdentityRead},
{name: "AllowIdentityReadAll", check: checkAllowIdentityReadAll},
{name: "AllowIdentityWrite", check: checkAllowIdentityWrite},
{name: "AllowIdentityWriteAny", check: checkAllowIdentityWriteAny},
{name: "AllowIntentionDefaultAllow", check: checkAllowIntentionDefaultAllow},
{name: "AllowIntentionRead", check: checkAllowIntentionRead},
{name: "AllowIntentionWrite", check: checkAllowIntentionWrite},
@ -1000,134 +940,6 @@ func TestACL(t *testing.T) {
{name: "ChildOverrideWriteAllowed", prefix: "override", check: checkAllowAgentWrite},
},
},
{
name: "IdentityDefaultAllowPolicyDeny",
defaultPolicy: AllowAll(),
policyStack: []*Policy{
{
PolicyRules: PolicyRules{
Identities: []*IdentityRule{
{
Name: "foo",
Policy: PolicyDeny,
},
},
IdentityPrefixes: []*IdentityRule{
{
Name: "prefix",
Policy: PolicyDeny,
},
},
},
},
},
checks: []aclCheck{
{name: "IdentityFooReadDenied", prefix: "foo", check: checkDenyIdentityRead},
{name: "IdentityFooWriteDenied", prefix: "foo", check: checkDenyIdentityWrite},
{name: "IdentityPrefixReadDenied", prefix: "prefix", check: checkDenyIdentityRead},
{name: "IdentityPrefixWriteDenied", prefix: "prefix", check: checkDenyIdentityWrite},
{name: "IdentityBarReadAllowed", prefix: "fail", check: checkAllowIdentityRead},
{name: "IdentityBarWriteAllowed", prefix: "fail", check: checkAllowIdentityWrite},
},
},
{
name: "IdentityDefaultDenyPolicyAllow",
defaultPolicy: DenyAll(),
policyStack: []*Policy{
{
PolicyRules: PolicyRules{
Identities: []*IdentityRule{
{
Name: "foo",
Policy: PolicyWrite,
},
},
IdentityPrefixes: []*IdentityRule{
{
Name: "prefix",
Policy: PolicyRead,
},
},
},
},
},
checks: []aclCheck{
{name: "IdentityFooReadAllowed", prefix: "foo", check: checkAllowIdentityRead},
{name: "IdentityFooWriteAllowed", prefix: "foo", check: checkAllowIdentityWrite},
{name: "IdentityPrefixReadAllowed", prefix: "prefix", check: checkAllowIdentityRead},
{name: "IdentityPrefixWriteDenied", prefix: "prefix", check: checkDenyIdentityWrite},
{name: "IdentityBarReadDenied", prefix: "fail", check: checkDenyIdentityRead},
{name: "IdentityBarWriteDenied", prefix: "fail", check: checkDenyIdentityWrite},
},
},
{
name: "IdentityDefaultDenyPolicyComplex",
defaultPolicy: DenyAll(),
policyStack: []*Policy{
{
PolicyRules: PolicyRules{
Identities: []*IdentityRule{
{
Name: "football",
Policy: PolicyRead,
},
{
Name: "prefix-forbidden",
Policy: PolicyDeny,
Intentions: PolicyDeny,
},
},
IdentityPrefixes: []*IdentityRule{
{
Name: "foo",
Policy: PolicyWrite,
Intentions: PolicyWrite,
},
{
Name: "prefix",
Policy: PolicyRead,
Intentions: PolicyWrite,
},
},
},
},
{
PolicyRules: PolicyRules{
Identities: []*IdentityRule{
{
Name: "foozball",
Policy: PolicyWrite,
Intentions: PolicyRead,
},
},
},
},
},
checks: []aclCheck{
{name: "IdentityReadAllowed", prefix: "foo", check: checkAllowIdentityRead},
{name: "IdentityWriteAllowed", prefix: "foo", check: checkAllowIdentityWrite},
{name: "TrafficPermissionsReadAllowed", prefix: "foo", check: checkAllowTrafficPermissionsRead},
{name: "TrafficPermissionsWriteAllowed", prefix: "foo", check: checkAllowTrafficPermissionsWrite},
{name: "IdentityReadAllowed", prefix: "football", check: checkAllowIdentityRead},
{name: "IdentityWriteDenied", prefix: "football", check: checkDenyIdentityWrite},
{name: "TrafficPermissionsReadAllowed", prefix: "football", check: checkAllowTrafficPermissionsRead},
// This might be surprising but omitting intention rule gives at most intention:read
// if we have identity:write perms. This matches services as well.
{name: "TrafficPermissionsWriteDenied", prefix: "football", check: checkDenyTrafficPermissionsWrite},
{name: "IdentityReadAllowed", prefix: "prefix", check: checkAllowIdentityRead},
{name: "IdentityWriteDenied", prefix: "prefix", check: checkDenyIdentityWrite},
{name: "TrafficPermissionsReadAllowed", prefix: "prefix", check: checkAllowTrafficPermissionsRead},
{name: "TrafficPermissionsWriteDenied", prefix: "prefix", check: checkAllowTrafficPermissionsWrite},
{name: "IdentityReadDenied", prefix: "prefix-forbidden", check: checkDenyIdentityRead},
{name: "IdentityWriteDenied", prefix: "prefix-forbidden", check: checkDenyIdentityWrite},
{name: "TrafficPermissionsReadDenied", prefix: "prefix-forbidden", check: checkDenyTrafficPermissionsRead},
{name: "TrafficPermissionsWriteDenied", prefix: "prefix-forbidden", check: checkDenyTrafficPermissionsWrite},
{name: "IdentityReadAllowed", prefix: "foozball", check: checkAllowIdentityRead},
{name: "IdentityWriteAllowed", prefix: "foozball", check: checkAllowIdentityWrite},
{name: "TrafficPermissionsReadAllowed", prefix: "foozball", check: checkAllowTrafficPermissionsRead},
{name: "TrafficPermissionsWriteDenied", prefix: "foozball", check: checkDenyTrafficPermissionsWrite},
},
},
{
name: "KeyringDefaultAllowPolicyDeny",
defaultPolicy: AllowAll(),
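Review bot: in the IdentityDefaultDenyPolicyComplex case, the check named "TrafficPermissionsWriteDenied" for prefix "prefix" asserts checkAllowTrafficPermissionsWrite, so the subtest name contradicts what it verifies. The rule sets Intentions: PolicyWrite, so the name is the wrong half. The "IdentityBar..." checks in the two preceding cases have a similar mismatch: they use prefix "fail". Several check names also repeat within one case (for example "IdentityReadAllowed"), which makes a failing subtest hard to attribute. The +/- markers are not visible in this rendering. If these cases are deleted along with the identity resource, the naming is moot, but the comment above the "football" check says the "at most intention:read" behaviour "matches services as well", so confirm the service cases still cover it.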

View File

@ -43,7 +43,6 @@ const (
ResourceACL Resource = "acl"
ResourceAgent Resource = "agent"
ResourceEvent Resource = "event"
ResourceIdentity Resource = "identity"
ResourceIntention Resource = "intention"
ResourceKey Resource = "key"
ResourceKeyring Resource = "keyring"
@ -78,19 +77,6 @@ type Authorizer interface {
// EventWrite determines if a specific event may be fired.
EventWrite(string, *AuthorizerContext) EnforcementDecision
// IdentityRead checks for permission to read a given workload identity.
IdentityRead(string, *AuthorizerContext) EnforcementDecision
// IdentityReadAll checks for permission to read all workload identities.
IdentityReadAll(*AuthorizerContext) EnforcementDecision
// IdentityWrite checks for permission to create or update a given
// workload identity.
IdentityWrite(string, *AuthorizerContext) EnforcementDecision
// IdentityWriteAny checks for write permission on any workload identity.
IdentityWriteAny(*AuthorizerContext) EnforcementDecision
// IntentionDefaultAllow determines the default authorized behavior
// when no intentions match a Connect request.
//
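Review bot: dropping IdentityRead, IdentityReadAll, IdentityWrite and IdentityWriteAny from the Authorizer interface will not make leftover implementations fail to compile, because extra methods on a concrete type still satisfy the narrower interface. Check that every Authorizer implementation and test double removes its Identity* methods in this same commit, so no unreachable identity rule evaluation is left behind.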
@ -267,40 +253,6 @@ func (a AllowAuthorizer) EventWriteAllowed(name string, ctx *AuthorizerContext)
return nil
}
// IdentityReadAllowed checks for permission to read a given workload identity,
func (a AllowAuthorizer) IdentityReadAllowed(name string, ctx *AuthorizerContext) error {
if a.Authorizer.IdentityRead(name, ctx) != Allow {
return PermissionDeniedByACL(a, ctx, ResourceIdentity, AccessRead, name)
}
return nil
}
// IdentityReadAllAllowed checks for permission to read all workload identities.
func (a AllowAuthorizer) IdentityReadAllAllowed(ctx *AuthorizerContext) error {
if a.Authorizer.IdentityReadAll(ctx) != Allow {
// This is only used to gate certain UI functions right now (e.g metrics)
return PermissionDeniedByACL(a, ctx, ResourceIdentity, AccessRead, "all identities") // read
}
return nil
}
// IdentityWriteAllowed checks for permission to create or update a given
// workload identity.
func (a AllowAuthorizer) IdentityWriteAllowed(name string, ctx *AuthorizerContext) error {
if a.Authorizer.IdentityWrite(name, ctx) != Allow {
return PermissionDeniedByACL(a, ctx, ResourceIdentity, AccessWrite, name)
}
return nil
}
// IdentityWriteAnyAllowed checks for write permission on any workload identity
func (a AllowAuthorizer) IdentityWriteAnyAllowed(ctx *AuthorizerContext) error {
if a.Authorizer.IdentityWriteAny(ctx) != Allow {
return PermissionDeniedByACL(a, ctx, ResourceIdentity, AccessWrite, "any identity")
}
return nil
}
// IntentionReadAllowed determines if a specific intention can be read.
func (a AllowAuthorizer) IntentionReadAllowed(name string, ctx *AuthorizerContext) error {
if a.Authorizer.IntentionRead(name, ctx) != Allow {
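Review bot: IdentityReadAllAllowed carries the comment "This is only used to gate certain UI functions right now (e.g metrics)", so something was relying on it as an access gate. Confirm each former call site of the four Identity*Allowed wrappers either disappears in this commit or now calls another *Allowed check, so that no path which previously returned PermissionDeniedByACL ends up ungated.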
@ -579,13 +531,6 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
case "write":
return authz.EventWrite(segment, ctx), nil
}
case ResourceIdentity:
switch lowerAccess {
case "read":
return authz.IdentityRead(segment, ctx), nil
case "write":
return authz.IdentityWrite(segment, ctx), nil
}
case ResourceIntention:
switch lowerAccess {
case "read":
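Review bot: with the `case ResourceIdentity:` arm gone, an Enforce call for resource "identity" is decided by the switch's fall-through, which this hunk does not show. Confirm that path returns an error or Deny rather than a permissive decision, and add a test asserting it for both "read" and "write" access.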

Some files were not shown because too many files have changed in this diff