Merge branch 'main' into nicoleta-node16

hashicorp · May 13, 2024 · 3a68ebd · 3a68ebd
2 parents 4e66506 + 6db22a7
commit 3a68ebd
Show file tree

Hide file tree

Showing 8 changed files with 1,061 additions and 85 deletions.
diff --git a/.changelog/3978.txt b/.changelog/3978.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+connect-inject: Fixed issue where on restart, if a managed-gateway-acl-role already existed the container would error
+```
diff --git a/.changelog/3980.txt b/.changelog/3980.txt
@@ -0,0 +1,5 @@
+```release-note:security
+Upgrade Go to use 1.21.10. This addresses CVEs 
+[CVE-2024-24787](https://nvd.nist.gov/vuln/detail/CVE-2024-24787) and
+[CVE-2024-24788](https://nvd.nist.gov/vuln/detail/CVE-2024-24788)
+```
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.21.9
+1.21.10
diff --git a/control-plane/api-gateway/cache/consul.go b/control-plane/api-gateway/cache/consul.go
@@ -397,6 +397,10 @@ func (c *Cache) ensurePolicy(client *api.Client, gatewayName string) (string, er
 	return existing.ID, nil
 }
 
+func getACLRoleName(gatewayName string) string {
+	return fmt.Sprint("managed-gateway-acl-role-", gatewayName)
+}
+
 func (c *Cache) ensureRole(client *api.Client, gatewayName string) (string, error) {
 	policyID, err := c.ensurePolicy(client, gatewayName)
 	if err != nil {
@@ -407,19 +411,21 @@ func (c *Cache) ensureRole(client *api.Client, gatewayName string) (string, erro
 	defer c.aclRoleMutex.Unlock()
 
 	createRole := func() (string, error) {
-		aclRoleName := fmt.Sprint("managed-gateway-acl-role-", gatewayName)
+		aclRoleName := getACLRoleName(gatewayName)
 		role := &api.ACLRole{
 			Name:        aclRoleName,
 			Description: "ACL Role for Managed API Gateways",
 			Policies:    []*api.ACLLink{{ID: policyID}},
 		}
 
 		_, _, err = client.ACL().RoleCreate(role, &api.WriteOptions{})
-		if err != nil {
+		if err != nil && !isRoleExistsErr(err, aclRoleName) {
+			//don't error out in the case that the role already exists.
 			return "", err
 		}
+
 		c.gatewayNameToRole[gatewayName] = role
-		return aclRoleName, err
+		return aclRoleName, nil
 	}
 
 	cachedRole, found := c.gatewayNameToRole[gatewayName]
@@ -592,7 +598,18 @@ func ignoreACLsDisabled(err error) error {
 // isPolicyExistsErr returns true if err is due to trying to call the
 // policy create API when the policy already exists.
 func isPolicyExistsErr(err error, policyName string) bool {
+	return isExistsErr(err, "Policy", policyName)
+}
+
+// isExistsErr returns true if err is due to trying to call an API for a given type and it already exists.
+func isExistsErr(err error, typeName, name string) bool {
 	return err != nil &&
 		strings.Contains(err.Error(), "Unexpected response code: 500") &&
-		strings.Contains(err.Error(), fmt.Sprintf("Invalid Policy: A Policy with Name %q already exists", policyName))
+		strings.Contains(err.Error(), fmt.Sprintf("Invalid %s: A %s with Name %q already exists", typeName, typeName, name))
+}
+
+// isRoleExistsErr returns true if err is due to trying to call the
+// role create API when the role already exists.
+func isRoleExistsErr(err error, roleName string) bool {
+	return isExistsErr(err, "Role", roleName)
 }
diff --git a/control-plane/api/v1alpha1/registration_types.go b/control-plane/api/v1alpha1/registration_types.go
@@ -13,6 +13,7 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 func init() {
@@ -289,6 +290,13 @@ func (r *Registration) ToCatalogDeregistration() *capi.CatalogDeregistration {
 	}
 }
 
+func (r *Registration) NamespacedName() types.NamespacedName {
+	return types.NamespacedName{
+		Namespace: r.Namespace,
+		Name:      r.Name,
+	}
+}
+
 // SetSyncedCondition sets the synced condition on the Registration.
 func (r *Registration) SetSyncedCondition(status corev1.ConditionStatus, reason string, message string) {
 	r.Status.Conditions = Conditions{