Merge branch 'main' of https://github.com/hashicorp/consul-k8s into n…

…et-4343/api-gateway-peering-acceptance-test

.changelog/2194.txt

@@ -1,3 +1,3 @@
-```release-note:
+```release-note:bug
 crd: fix bug on service intentions CRD causing some updates to be ignored.
 ```

.github/workflows/weekly-acceptance-1-2-x.yml

@@ -0,0 +1,30 @@
+# Dispatch to the consul-k8s-workflows with a weekly cron
+#
+# A separate file is needed for each release because the cron schedules are different for each release.
+name: weekly-acceptance-1-2-x
+on:
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    # Run weekly on Wednesday at 3AM UTC/11PM EST/8PM PST
+   # - cron:  '0 3 * * 3'
+    - cron:  '0 0 * * *' # Temporarily nightly until 1.2.0 GA
+
+
+# these should be the only settings that you will ever need to change
+env:
+  BRANCH: "release/1.2.x"
+  CONTEXT: "weekly"
+
+jobs:
+  cloud:
+    name: cloud
+    runs-on: ubuntu-latest
+    steps:
+    - uses: benc-uk/workflow-dispatch@798e70c97009500150087d30d9f11c5444830385 # v1.2.2
+      name: cloud
+      with:
+        workflow: cloud.yml
+        repo: hashicorp/consul-k8s-workflows
+        ref: main
+        token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+        inputs: '{ "context":"${{ env.CONTEXT }}", "repository":"${{ github.repository }}", "branch":"${{ env.BRANCH }}", "sha":"${{ github.sha }}", "token":"${{ secrets.ELEVATED_GITHUB_TOKEN }}" }'

Makefile

@@ -49,6 +49,17 @@ control-plane-dev-docker-multi-arch: check-remote-dev-image-env ## Build consul-
        --push \
        -f $(CURDIR)/control-plane/Dockerfile $(CURDIR)/control-plane
 
+control-plane-fips-dev-docker: ## Build consul-k8s-control-plane FIPS dev Docker image.
+	@$(SHELL) $(CURDIR)/control-plane/build-support/scripts/build-local.sh -o linux -a $(GOARCH) --fips
+	@docker build -t '$(DEV_IMAGE)' \
+       --target=dev \
+       --build-arg 'TARGETARCH=$(GOARCH)' \
+       --build-arg 'GIT_COMMIT=$(GIT_COMMIT)' \
+       --build-arg 'GIT_DIRTY=$(GIT_DIRTY)' \
+       --build-arg 'GIT_DESCRIBE=$(GIT_DESCRIBE)' \
+       --push \
+       -f $(CURDIR)/control-plane/Dockerfile $(CURDIR)/control-plane
+
 control-plane-test: ## Run go test for the control plane.
 	cd control-plane; go test ./...
 
@@ -98,6 +109,10 @@ cli-dev:
 	@echo "==> Installing consul-k8s CLI tool for ${GOOS}/${GOARCH}"
 	@cd cli; go build -o ./bin/consul-k8s; cp ./bin/consul-k8s ${GOPATH}/bin/
 
+cli-fips-dev:
+	@echo "==> Installing consul-k8s CLI tool for ${GOOS}/${GOARCH}"
+	@cd cli; CGO_ENABLED=1 GOEXPERIMENT=boringcrypto go build -o ./bin/consul-k8s -tags "fips"; cp ./bin/consul-k8s ${GOPATH}/bin/
+
 
 cli-lint: ## Run linter in the control-plane directory.
 	cd cli; golangci-lint run -c ../.golangci.yml

acceptance/tests/cli/cli_install_test.go

@@ -74,7 +74,7 @@ func TestInstall(t *testing.T) {
 			retry.RunWith(retrier, t, func(r *retry.R) {
 				for podName := range list {
 					out, err := cli.Run(t, ctx.KubectlOptions(t), "proxy", "read", podName)
-					require.NoError(t, err)
+					require.NoError(r, err)
 
 					output := string(out)
 					logger.Log(t, output)

acceptance/tests/config-entries/config_entries_namespaces_test.go

@@ -242,35 +242,35 @@ func TestControllerNamespaces(t *testing.T) {
 					require.NoError(r, err)
 					rateLimitIPConfigEntry, ok := entry.(*api.RateLimitIPConfigEntry)
 					require.True(r, ok, "could not cast to RateLimitIPConfigEntry")
-					require.Equal(t, "permissive", rateLimitIPConfigEntry.Mode)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ACL.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ACL.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Catalog.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Catalog.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ConfigEntry.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ConfigEntry.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ConnectCA.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ConnectCA.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Coordinate.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Coordinate.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.DiscoveryChain.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.DiscoveryChain.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Health.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Health.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Intention.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Intention.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.KV.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.KV.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Tenancy.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Tenancy.WriteRate)
-					//require.Equal(t, 100.0, rateLimitIPConfigEntry.PreparedQuery.ReadRate)
-					//require.Equal(t, 100.0, rateLimitIPConfigEntry.PreparedQuery.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Session.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Session.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Txn.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Txn.WriteRate)
+					require.Equal(r, "permissive", rateLimitIPConfigEntry.Mode)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ACL.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ACL.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Catalog.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Catalog.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ConfigEntry.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ConfigEntry.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ConnectCA.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ConnectCA.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Coordinate.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Coordinate.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.DiscoveryChain.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.DiscoveryChain.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Health.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Health.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Intention.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Intention.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.KV.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.KV.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Tenancy.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Tenancy.WriteRate)
+					//require.Equal(r, 100.0, rateLimitIPConfigEntry.PreparedQuery.ReadRate)
+					//require.Equal(r, 100.0, rateLimitIPConfigEntry.PreparedQuery.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Session.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Session.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Txn.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Txn.WriteRate)
 				})
 			}
 

acceptance/tests/config-entries/config_entries_test.go

@@ -209,35 +209,35 @@ func TestController(t *testing.T) {
 					require.NoError(r, err)
 					rateLimitIPConfigEntry, ok := entry.(*api.RateLimitIPConfigEntry)
 					require.True(r, ok, "could not cast to RateLimitIPConfigEntry")
-					require.Equal(t, "permissive", rateLimitIPConfigEntry.Mode)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ACL.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ACL.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Catalog.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Catalog.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ConfigEntry.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ConfigEntry.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ConnectCA.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.ConnectCA.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Coordinate.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Coordinate.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.DiscoveryChain.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.DiscoveryChain.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Health.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Health.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Intention.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Intention.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.KV.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.KV.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Tenancy.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Tenancy.WriteRate)
-					//require.Equal(t, 100.0, rateLimitIPConfigEntry.PreparedQuery.ReadRate)
-					//require.Equal(t, 100.0, rateLimitIPConfigEntry.PreparedQuery.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Session.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Session.WriteRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Txn.ReadRate)
-					require.Equal(t, 100.0, rateLimitIPConfigEntry.Txn.WriteRate, 100.0)
+					require.Equal(r, "permissive", rateLimitIPConfigEntry.Mode)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ACL.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ACL.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Catalog.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Catalog.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ConfigEntry.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ConfigEntry.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ConnectCA.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.ConnectCA.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Coordinate.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Coordinate.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.DiscoveryChain.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.DiscoveryChain.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Health.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Health.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Intention.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Intention.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.KV.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.KV.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Tenancy.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Tenancy.WriteRate)
+					//require.Equal(r, 100.0, rateLimitIPConfigEntry.PreparedQuery.ReadRate)
+					//require.Equal(r, 100.0, rateLimitIPConfigEntry.PreparedQuery.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Session.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Session.WriteRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Txn.ReadRate)
+					require.Equal(r, 100.0, rateLimitIPConfigEntry.Txn.WriteRate)
 
 				})
 			}

charts/consul/test/terraform/aks/main.tf

@@ -1,8 +1,15 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+terraform {
+  required_providers {
+    azurerm = {
+      version = "3.40.0"
+    }
+  }
+}
+
 provider "azurerm" {
-  version = "3.40.0"
   features {}
 }
 
@@ -48,7 +55,7 @@ resource "azurerm_kubernetes_cluster" "default" {
   location                          = azurerm_resource_group.default[count.index].location
   resource_group_name               = azurerm_resource_group.default[count.index].name
   dns_prefix                        = "consul-k8s-${random_id.suffix[count.index].dec}"
-  kubernetes_version                = "1.24.6"
+  kubernetes_version                = "1.26"
   role_based_access_control_enabled = true
 
   // We're setting the network plugin and other network properties explicitly

charts/consul/test/terraform/eks/main.tf

@@ -1,9 +1,16 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+terraform {
+  required_providers {
+    aws = {
+      version = ">= 4.0.0"
+    }
+  }
+}
+
 provider "aws" {
-  version = ">= 2.28.1"
-  region  = var.region
+  region = var.region
 
   assume_role {
     role_arn = var.role_arn
@@ -28,7 +35,7 @@ resource "random_string" "suffix" {
 module "vpc" {
   count   = var.cluster_count
   source  = "terraform-aws-modules/vpc/aws"
-  version = "3.11.0"
+  version = "4.0.0"
 
   name = "consul-k8s-${random_id.suffix[count.index].dec}"
   # The cidr range needs to be unique in each VPC to allow setting up a peering connection.
@@ -61,7 +68,7 @@ module "eks" {
   kubeconfig_api_version = "client.authentication.k8s.io/v1beta1"
 
   cluster_name    = "consul-k8s-${random_id.suffix[count.index].dec}"
-  cluster_version = "1.23"
+  cluster_version = "1.26"
   subnets         = module.vpc[count.index].private_subnets
   enable_irsa     = true
 

charts/consul/test/terraform/gke/main.tf

@@ -1,9 +1,16 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+terraform {
+  required_providers {
+    google = {
+      version = "~> 4.58.0"
+    }
+  }
+}
+
 provider "google" {
   project = var.project
-  version = "~> 4.58.0"
   zone    = var.zone
 }
 

cli/version/fips_build.go

@@ -0,0 +1,27 @@
+//go:build fips
+
+package version
+
+// This validates during compilation that we are being built with a FIPS enabled go toolchain
+import (
+	_ "crypto/tls/fipsonly"
+	"runtime"
+	"strings"
+)
+
+// IsFIPS returns true if consul-k8s is operating in FIPS-140-2 mode.
+func IsFIPS() bool {
+	return true
+}
+
+func GetFIPSInfo() string {
+	str := "Enabled"
+	// Try to get the crypto module name
+	gover := strings.Split(runtime.Version(), "X:")
+	if len(gover) >= 2 {
+		gover_last := gover[len(gover)-1]
+		// Able to find crypto module name; add that to status string.
+		str = "FIPS 140-2 Enabled, crypto module " + gover_last
+	}
+	return str
+}

cli/version/non_fips_build.go

@@ -0,0 +1,12 @@
+//go:build !fips
+
+package version
+
+// IsFIPS returns true if consul-k8s is operating in FIPS-140-2 mode.
+func IsFIPS() bool {
+	return false
+}
+
+func GetFIPSInfo() string {
+	return ""
+}

cli/version/version.go

@@ -39,8 +39,12 @@ func GetHumanVersion() string {
 		release = "dev"
 	}
 
+	if IsFIPS() {
+		version += ".fips1402"
+	}
+
 	if release != "" {
-		if !strings.HasSuffix(version, "-"+release) {
+		if !strings.Contains(version, "-"+release) {
 			// if we tagged a prerelease version then the release is in the version already
 			version += fmt.Sprintf("-%s", release)
 		}

control-plane/Dockerfile

@@ -92,7 +92,11 @@ LABEL name=${BIN_NAME} \
 ENV BIN_NAME=${BIN_NAME}
 ENV VERSION=${PRODUCT_VERSION}
 
-RUN apk add --no-cache ca-certificates libcap openssl su-exec iputils libc6-compat iptables
+RUN apk add --no-cache ca-certificates libcap openssl su-exec iputils gcompat libc6-compat libstdc++ iptables
+
+# for FIPS CGO glibc compatibility in alpine
+# see https://github.com/golang/go/issues/59305
+RUN ln -s /lib/libc.so.6 /usr/lib/libresolv.so.2
 
 # TARGETOS and TARGETARCH are set automatically when --platform is provided.
 ARG TARGETOS

control-plane/build-support/functions/20-build.sh

@@ -180,14 +180,22 @@ function build_consul_local {
    #   * - error
    #
    # Note:
-   #   The GOLDFLAGS and GOTAGS environment variables will be used if set
+   #   The GOLDFLAGS, GOEXPERIMENT, and GOTAGS environment variables will be used if set
    #   If the CONSUL_DEV environment var is truthy only the local platform/architecture is built.
    #   If the XC_OS or the XC_ARCH environment vars are present then only those platforms/architectures
    #   will be built. Otherwise all supported platform/architectures are built
    #   The NOGOX environment variable will be used if present. This will prevent using gox and instead
    #   build with go install.
    #   The GOXPARALLEL environment variable is used if set
 
+   if [ $GOTAGS == "fips" ]; then
+     CGO_ENABLED=1
+   else
+     CGO_ENABLED=0
+   fi
+
+   echo "GOEXPERIMENT: $GOEXPERIMENT, GOTAGS: $GOTAGS CGO_ENABLED: $CGO_ENABLED" >> ~/debug.txt
+
    if ! test -d "$1"
    then
       err "ERROR: '$1' is not a directory. build_consul must be called with the path to the top level source as the first argument'"
@@ -242,7 +250,7 @@ function build_consul_local {
    then
       status "Using gox for concurrent compilation"
 
-      CGO_ENABLED=0 gox \
+      CGO_ENABLED=${CGO_ENABLED} GOEXPERIMENT=${GOEXPERIMENT} gox \
          -os="${build_os}" \
          -arch="${build_arch}" \
          -ldflags="${GOLDFLAGS}" \
@@ -290,7 +298,7 @@ function build_consul_local {
             else
               OS_BIN_EXTENSION=""
             fi
-            CGO_ENABLED=0 GOOS=${os} GOARCH=${arch} go build -ldflags "${GOLDFLAGS}" -tags "${GOTAGS}" -o "${outdir}/${bin_name}"
+            CGO_ENABLED=${CGO_ENABLED} GOEXPERIMENT=${GOEXPERIMENT} GOOS=${os} GOARCH=${arch} go build -ldflags "${GOLDFLAGS}" -tags "${GOTAGS}" -o "${outdir}/${bin_name}"
             if test $? -ne 0
             then
                err "ERROR: Failed to build Consul for ${osarch}"