Commit Graph

21501 Commits (81cc8b4211005e0aebf0a34f5ce06fe283e65ae3)

Author SHA1 Message Date
sarahalsmiller 81cc8b4211
[Security] Bump envoy versions (#22002)
bump envoy versions
2024-12-16 10:57:00 -06:00
Bhautik beef7a7417
docs: fix broken link (#21971)
2024-11-27 14:17:33 -07:00
Anita Akaeze 4b7f7a8a16
[Security] SECVULN-8621: Fix XSS Vulnerability where content-type header wasn't explicitly set in API requests (#21930)
* Fix XSS Vulnerability where content-type header wasn't explicitly set in API requests

* fix failing unit test
2024-11-27 09:30:14 -08:00
sarahalsmiller 83b6d999f6
Add alpine image cves to suppress list (#21964)
add alpine image cves to suppress list
2024-11-22 17:38:19 +00:00
R.B. Boyer c81dc8c551
state: ensure that identical manual virtual IP updates result in not bumping the modify indexes (#21909)
The consul-k8s endpoints controller issues catalog register and manual virtual ip
updates without first checking to see if the updates would be effectively not
changing anything. This is supposed to be reasonable because the state store
functions do the check for a no-op update and should discard repeat updates so
that downstream blocking queries watching one of the resources don't fire
pointlessly (and CPU wastefully).

While this is true for the check/service/node catalog updates, it is not true for
the "manual virtual ip" updates triggered by the PUT /v1/internal/service-virtual-ip.
Forcing the connect injector pod to recycle while watching some lightly
modified FSM code can show that a lot of updates are of the update list of ips
from [A] to [A]. Immediately following this stray update you can see a lot of
activity in proxycfg and xds packages waking up due to blocking queries
triggered by this.

This PR skips updates that change nothing both:

- at the RPC layer before passing it to raft (ideally)
- if the write does make it through raft and get applied to the FSM (failsafe)
2024-11-22 11:16:38 -06:00
Mark Campbell-Vincent bbb2e797f9
Update API Group under backendRefs (#21961)
* Update routes.mdx

Currently backendRefs refers to api-gateway.consul.hashicorp.com as the API Group that should be used when kind is set to Mesh Service. Based on mesh service template, it should just be consul.hashicorp.com.

* Update backendRefs in route to peered doc
2024-11-21 19:51:17 -05:00
John Murret 3c3bdba926
NET-11737 - sec vulnerability - remediate ability to use bexpr to filter results without ACL read on endpoint (#21950)
* NET-11737 - sec vulnerability - remediate ability to use bexpr to filter results without ACL read on endpoint

* add changelog

* update test descriptions to make more sense
2024-11-20 16:26:12 -07:00
Dhia Ayachi 21cca2dc5b
Fix PeerUpstreamEndpoints and UpstreamPeerTrustBundles to only Cancel watch when needed, otherwise keep the watch active (#21871)
* fix to only reset peering watches when no other target needs watching

* remove unused logger

* add changelog

* Update .changelog/21871.txt

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

---------

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
2024-11-19 09:36:13 -05:00
sarahalsmiller 6662e48363
Update JWT to resolve CVE-2024-51744 (#21951)
* update jwt package

* add changelog
2024-11-18 13:51:35 -06:00
xwa153 9e75e62a7c
Update CODEOWNER (#21947)
* update code owners
2024-11-15 12:50:06 -08:00
sarahalsmiller 32ce33825d
[Security] Secvuln 8633 Consul configuration allowed repeated keys (#21908)
* upgrade hcl package and account for possibility of duplicates existing already in the cache

* upgrade to new tag

* add defensive line to prevent potential forever loop

* go mod tidy and changelog

* Update acl/policy.go

* fix raft reversion

* go mod tidy

* fix test

* remove duplicate key in test

* remove duplicates from test cases

* clean up

* go mod tidy

* go mod tidy

* pull in new hcl tag
2024-11-14 09:57:08 -06:00
R.B. Boyer a2e69236a2
v2: remove HCP Link integration (#21883)
Also prevent de-registered retired v2 types from being restored from a
snapshot, such as these hcp resources. Without doing this, anyone with
any of these types in their state store will retain them forever with no
avenue to remove them.
2024-11-07 11:47:55 -06:00
Yasmin Lorin Kaygalak 32515c77f2
Added the docs for all the grafana dashboards. (#21795)
* Added the docs for all the grafana dashboards.

Author: Yasmin Lorin Kaygalak <ykaygala@villanova.edu>

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2024-11-05 10:06:29 -05:00
Jeff Boruszak f376b6a227
Docs/CE-749-remove-references-from-consul (#21914)
* delete HCP Consul Central references

* Path correction

* missed listing

* Nav update
2024-11-05 06:59:52 -06:00
Deniz Onur Duzgun 1dfc265abe
ci(security-scanner): add support for Red Hat UBI images and fix typo (#21912)
* ci(security-scanner): add support for Red Hat UBI images and fix typo

* hclfmt

* clean-up comments

Co-authored-by: Kent Gruber <kent@hashicorp.com>

---------

Co-authored-by: Kent Gruber <kent@hashicorp.com>
2024-11-04 14:52:01 -05:00
John Maguire 59447e9579
Update changelog (#21896)
2024-10-30 14:03:25 -07:00
Jeff Boruszak 6351a821aa
docs: add missing slash in redirect (#21881)
missing slash
2024-10-29 09:53:41 -07:00
Tom Davies 31aae80389
Allow multiple endpoints in Envoy clusters configured with hostnames (#21655)
* xds: allow multiple endpoints for strict_dns

* xds: fixes typo in multi hostname warning
2024-10-28 12:18:04 -07:00
Michael Zalimeni 40c7f73629
[NET-1151 NET-11046] docs: clarify request normalization and L7 headers feature availability (#21855)
docs: clarify request normalization and L7 headers feature availability

- Add notes on feature availability tied to specific fix versions
- Add missing 1.20 upgrade entry
- Remove erroneous 1.17 upgrade entry (version DNE)
- Add missing HCL variant for service intentions config
2024-10-28 11:06:28 -06:00
Michael Zalimeni 2618fc1bd9
chore: retain retracted api submodule version (#21861)
2024-10-21 19:58:16 -06:00
sarahalsmiller e9dbcedaf3
Upgrade envoy version in nightly integration tests (#21864)
Update nightly-test-integrations.yml
2024-10-21 16:19:53 -05:00
Nathan Coleman 94ca67463b
Update Envoy compatibility matrices to include consul 1.20.x and dataplane 1.6.x (#21852)
* Update Envoy compatibility matrices to include consul 1.20.x and dataplane 1.6.x

* Remove non-LTS version from LTS table

* Fix incorrect version in dataplane release matrix

* Remove releases that don't span versions from the matrix of releases that span versions
2024-10-17 21:34:15 +00:00
Nathan Coleman 77daebd3f8
Update compatibility matrix to include 1.20.x (#21843)
* Update compatibility matrix to include 1.20.x

* Update compatibility.mdx
2024-10-17 16:35:44 -04:00
Michael Zalimeni 0ce6730cbe
docs: clarify Envoy and dataplane LTS support policy (#21337)
Update matrices and clarify statements as to when Consul expands
support to new major versions of Envoy and Consul dataplane in light of
Consul LTS or Envoy EOL status.
2024-10-17 13:31:22 -04:00
sarahalsmiller 28b37812b8
Suppress CVE-2024-9143 (#21848)
Update security-scan.hcl
2024-10-17 16:24:19 +00:00
Michael Zalimeni d9206fc7e2
[NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass (#21816)
mesh: add options for HTTP incoming request normalization

Expose global mesh configuration to enforce inbound HTTP request
normalization on mesh traffic via Envoy xDS config.

mesh: enable inbound URL path normalization by default

mesh: add support for L7 header match contains and ignore_case

Enable partial string and case-insensitive matching in L7 intentions
header match rules.

ui: support L7 header match contains and ignore_case

Co-authored-by: Phil Renaud <phil@riotindustries.com>

test: add request normalization integration bats tests

Add both "positive" and "negative" test suites, showing normalization in
action as well as expected results when it is not enabled, for the same
set of test cases.

Also add some alternative service container test helpers for verifying
raw HTTP request paths, which is difficult to do with Fortio.

docs: update security and reference docs for L7 intentions bypass prevention

- Update security docs with best practices for service intentions
  configuration
- Update configuration entry references for mesh and intentions to
  reflect new values and add guidance on usage
2024-10-16 12:23:33 -04:00
Michael Zalimeni 3370f6b250
chore: remove unintentionally committed consul-k8s submodule (#21833)
Also prevent future re-commits of this submodule path by adding to
.gitignore.
2024-10-16 14:36:04 +00:00
Jeff Boruszak 7e61148f86
docs: Consul v1.20 release notes (#21826)
* Page creation

* DNS views description

* Catalog sync and openshift

* Grafana + consul-k8s release notes

* nav update

* Fix known issues language
2024-10-15 16:40:47 -07:00
Nathan Coleman 044e408391
Post-release updates for 1.20.0 (#21829)
* Update active version list in .release/versions.hcl

* Remove nightly tests for 1.17.x

* Add nightly tests for 1.20.x

* Gate nightly tests for 1.19.x to Enterprise only

* Update CHANGELOG.md
2024-10-15 15:55:02 +00:00
Jeff Boruszak 8f78d7cafd
docs: Consul DNS views on Kubernetes (#21802)
* Backport of ci: update the security-scanner gha token into release/1.20.x (#21754)

backport of commit eb9dbc93f8

Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com>

* Backport of Initialize 1.20 Release into release/1.20.x (#21753)

* backport of commit a33e903cdf

* backport of commit 37163dc1a8

* backport of commit 38f0907c7a

* backport of commit 6ab7ec254b

* backport of commit 7ac4178186

* backport of commit 5dfebb2cf3

* backport of commit 316d68cb84

---------

Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* Backport of Stage rc release into release/1.20.x (#21772)

backport of commit d311f2b638

Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>

* Backport of Upgrade ubi image to 9.4 into release/1.20.x (#21773)

* backport of commit 888e302f6e

* backport of commit 17499dc4dc

* backport of commit d933d3727d

---------

Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* Backport of security: update alpine base image to 3.20 into release/1.20.x (#21774)

* backport of commit 4421ce1677

* Upgrade ubi image to 9.4 (#21750)

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* Backport of fix spacing of bash scripts into release/1.20.x (#21769)

* backport of commit 1e97297215

* backport of commit b7053f5361

* backport of commit a391f2fa3c

---------

Co-authored-by: jm96441n <john.maguire@hashicorp.com>

* Backport of [NET-11150] ci: fix conditional skip and add safeguard into release/1.20.x (#21783)

backport of commit c3db6c9001

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* initial commit

* Initial pages

* Edits to other pages + nav & redirects

* minor fixes

* Backport of security: update alpine base image to 3.20 into release/1.20.x (#21774)

* backport of commit 4421ce1677

* Upgrade ubi image to 9.4 (#21750)

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* CE-679

* align with main

* Content updates

* minor edit

* Apply suggestions from code review

Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com>
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>

* CoreDNS config update

* small edits

* typo fix

---------

Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com>
Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com>
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: jm96441n <john.maguire@hashicorp.com>
Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com>
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2024-10-14 12:38:23 -07:00
Michael Zalimeni 1648c890dd
ci: ensure int test docker pull goes through proxy (#21819)
2024-10-14 19:02:29 +00:00
Nathan Coleman 4275e8fa82
Update ENVOY_VERSIONS (#21820)
No new minor versions, just incrementing the patches for hygiene's sake
2024-10-14 16:52:22 +00:00
Nathan Coleman eda961f4a2
Upgrade test improvements for 1.20.x (#21813)
* Bump Envoy version used for 1.20.x upgrade tests

* Improve README + docstrings
2024-10-11 21:12:48 +00:00
Yasmin Lorin Kaygalak 738acfee1a
Adds grafana dashboards (#21806)
2024-10-09 13:30:28 -04:00
Lens0021 / Leslie 09735ec72f
docs: Add missing `&&` in DNS forwarding tutorial (#21804)
Add missing `&&` to iptables command.

The original commands fail when being directly pasted into a shell.
2024-10-07 14:52:46 -04:00
John Murret 029ac10acc
update serf links (#21797)
* update serf links

* add .markdown file extension

* update serf links to use /blob/master/

* fix broken links

---------

Co-authored-by: github-team-consul-core <github-team-consul-core@hashicorp.com>
2024-10-02 13:02:23 -06:00
John Maguire a689893991
Add partition field for catalog deregister docs (#21788)
* Add partition field for catalog deregister docs

* Update website/content/api-docs/catalog.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

---------

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2024-09-27 17:16:31 +00:00
sarahalsmiller 718bf7496f
Fix changelog for 1.20-rc1 (#21776)
fix changelog
2024-09-26 10:46:43 -05:00
Michael Zalimeni bfc25b1757
[NET-11150] ci: fix conditional skip and add safeguard (#21781)
ci: fix conditional skip and add safeguard

Adopt a third-party action to avoid script bugs, and to fix a current
issue where the script fails to detect all changes when processing push
events on PR branches.

Adapted from hashicorp/consul-dataplane#637. See that PR for testing
details and background context.
2024-09-25 13:08:24 -04:00
R.B. Boyer 1986c558a8
api: remove dependency on proto-public, protobuf, and grpc (#21780)
2024-09-23 15:14:39 -05:00
Dhia Ayachi 39104a3ce1
Update raft to 1.7.0 and add configuration for prevote (#21758)
* update raft to 1.7.0

* add config to disable raft prevote

* add changelog
2024-09-20 10:35:48 -04:00
Michael Zalimeni c16d6831e8
chore: Update VERSION for next major release (#21756)
This should be set to the next major version now that `release/1.20.x` has been created.
2024-09-19 15:55:45 -05:00
sarahalsmiller dc0fa032e8
Stage rc release (#21770)
stage rc release
2024-09-19 14:58:56 -05:00
John Maguire 2d19cd5810
fix spacing of bash scripts (#21760)
* fix spacing of bash scripts

* shellcheck all the things

* cat filename rather than concatenating pr number
2024-09-19 14:09:42 -04:00
danielehc 250b1dece5
CE-654 - TLS Encryption docs + CE-713 - Gossip Encryption key rotation (#21509)
* New proposed structure

* Fix structure and add some content

* Fix structure and add some content

* Fix structure and add some content

* Add content

* Add content

* mtls steps

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* Encryption docs structure change

* spacing fixes

* Replace <CodeTabs>

* <CodeBlockConfig> alignment

* indent fixes

* spacing

* More Code tabs fixes

* Structure changes

* Structure changes

* Extra content and CE-713 migration

* Extra content

* Extra content

* Extra content

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Apply suggestions from code review

* Test CodeTabs

* Test CodeTabs

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

---------

Co-authored-by: boruszak <jeffrey.boruszak@hashicorp.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2024-09-19 11:20:44 +02:00
Nick Wales ac9e694b98
Adds initial sg documentation for the health API (#21763)
Adds initial sg documentation
2024-09-18 12:36:27 -07:00
NicoletaPopoviciu 1a0b1e045b
Update test-integrations.yml to capture latest versions of Nomad and Vault (#21749)
* Update test-integrations.yml

Update Vault/Nomad versions to ensure we're testing the latest versions.

* Update test to test latest available CE versions
2024-09-17 13:20:14 -04:00
Dhia Ayachi fe820d561a
Upgrade ubi image to 9.4 (#21750)
* upgrade go to 1.23.1, upgrade ubi image to 9.4

* add changelog

* revert go version upgrade
2024-09-17 11:48:02 -04:00
Michael Zalimeni 29c2cbcbe2
ci: fix versions.hcl parsing by removing extraneous comma (#21752)
Commas are not expected after HCL blocks. This is causing parsing in BPA
to fail and may interfere w/ other release-related workflows.
2024-09-17 15:27:35 +00:00
Deniz Onur Duzgun 176ea31ed9
ci: update the security-scanner gha token (#21748)
2024-09-17 10:49:01 -04:00