Sync release/1.4.x and release/1.4.0 for 1.4.0 GA release (#3694)

* Backport of [NET-5932] chore: remove comment from closed ticket into release/1.4.x (#3637) backport of commit a95e951 Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Backport of build: Create arm64 packages as well into release/1.4.x (#3647) backport of commit affc631 Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com> * Backport of [NET-2420] security: Upgrade helm containerd and several other dependencies into release/1.4.x (#3641) * security: upgrade helm/v3 to 3.11.3 Addresses multiple CVEs: - CVE-2023-25165 - CVE-2022-23524 - CVE-2022-23526 - CVE-2022-23525 * chore: upgrade k8s dependencies to match controller-runtime * security: upgrade containerd to latest Addresses GHSA-7ww5-4wqc-m92c (GO-2023-2412) * security: upgrade docker/docker to latest Addresses GHSA-jq35-85cj-fj4p * security: upgrade docker/distribution to latest Addresses CVE-2023-2253 * security: upgrade filepath-securejoin to latest patch Addresses GHSA-6xv5-86q9-7xr8 (GO-2023-2048) * chore: upgrade oras-go to fix docker incompatibility * Add changelog --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Backport of values.yaml - tlsServerName docs into release/1.4.x (#3667) * backport of commit 1598b40 * backport of commit 41dabc4 --------- Co-authored-by: David Yu <dyu@hashicorp.com> * Backport of [NET-2420] security: re-enable security scan release block into release/1.4.x (#3651) * security: re-enable security scan release block This was previously disabled due to an unresolved false-positive CVE. Re-enabling both secrets and OSV + Go Modules scanning, which per our current scan results should not be a blocker to future releases. Also add security scans on PR and merge to protected branches to allow proactive triage going forward. See hashicorp/consul#19978 for similar change in that repo, adapted here. * security: add scan triage for CVE-2024-25620 (helm/v3) Triage this scan result as `consul-k8s` should not be directly impacted and it is medium severity. Follow-up ticket filed for remediation. Also improve formatting of scan config since this change will be backported. --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Backport of [NET-6741] make: Add target for updating dependencies across all modules into release/1.4.x (#3673) backport of commit 44583d3 Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Backport of build.yml: Add ECR images back into release/1.4.x (#3679) * backport of commit 8fba327 * backport of commit 9a73765 * backport of commit dd2222f --------- Co-authored-by: David Yu <dyu@hashicorp.com> * Backport of build.yml: typo on tags into release/1.4.x (#3684) backport of commit cf8dcbe Co-authored-by: David Yu <dyu@hashicorp.com> * Backport of [NET-8174] security: add scan triage for CVE-2024-26147 (helm/v3) into release/1.4.x (#3692) backport of commit 4b8bc71 Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Backport of bump kind to v0.22.0 and update k8s support into release/1.4.x (#3687) * backport of commit 9f495e0 * backport of commit df8edec * backport of commit ca89a82 --------- Co-authored-by: NicoletaPopoviciu <nicoleta@hashicorp.com> --------- Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com> Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com> Co-authored-by: David Yu <dyu@hashicorp.com> Co-authored-by: NicoletaPopoviciu <nicoleta@hashicorp.com>
hashicorp · Feb 28, 2024 · 573bb90 · 573bb90
1 parent 7ccd3d3
commit 573bb90
Show file tree

Hide file tree

Showing 28 changed files with 753 additions and 582 deletions.
diff --git a/.changelog/3428.txt b/.changelog/3428.txt
@@ -0,0 +1,4 @@
+```release-note:note
+build: Releases will now also be available as Debian and RPM packages for the arm64 architecture, refer to the
+[Official Packaging Guide](https://www.hashicorp.com/official-packaging-guide) for more information.
+```
diff --git a/.changelog/3625.txt b/.changelog/3625.txt
@@ -0,0 +1,19 @@
+```release-note:security
+Upgrade `helm/v3` to 3.11.3. This resolves the following security vulnerabilities:
+[CVE-2023-25165](https://osv.dev/vulnerability/CVE-2023-25165)
+[CVE-2022-23524](https://osv.dev/vulnerability/CVE-2022-23524)
+[CVE-2022-23526](https://osv.dev/vulnerability/CVE-2022-23526)
+[CVE-2022-23525](https://osv.dev/vulnerability/CVE-2022-23525)
+```
+```release-note:security
+security: upgrade containerd to 1.7.13 (latest) to resolve [GHSA-7ww5-4wqc-m92c](https://osv.dev/vulnerability/GO-2023-2412).
+```
+```release-note:security
+Upgrade docker/docker to 25.0.3+incompatible (latest) to resolve [GHSA-jq35-85cj-fj4p](https://osv.dev/vulnerability/GHSA-jq35-85cj-fj4p).
+```
+```release-note:security
+Upgrade docker/distribution to 2.8.3+incompatible (latest) to resolve [CVE-2023-2253](https://osv.dev/vulnerability/CVE-2023-2253).
+```
+```release-note:security
+Upgrade filepath-securejoin to 0.2.4 (latest) to resolve [GO-2023-2048](https://osv.dev/vulnerability/GO-2023-2048).
+```
diff --git a/.changelog/3668.txt b/.changelog/3668.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+control-plane: publish `consul-k8s-control-plane` and `consul-k8s-control-plane-fips` images to official HashiCorp AWS ECR. 
+```
diff --git a/.changelog/3675.txt b/.changelog/3675.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Kubernetes v1.29 is now supported. Minimum tested version of Kubernetes is now v1.26.
+```
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -10,25 +10,15 @@ on:
       - main
       # Push events to branches matching refs/heads/release/**
       - "release/**"
+      # Build on releng branches for testing build pipelines
+      - "releng/**"
 
 env:
   PKG_NAME: "consul-k8s"
 
 jobs:
   get-go-version:
-    name: "Determine Go toolchain version"
-    runs-on: ubuntu-latest
-    outputs:
-      go-version: ${{ steps.get-go-version.outputs.go-version }}
-    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - name: Determine Go version
-        id: get-go-version
-        # We use .go-version as our source of truth for current Go
-        # version, because "goenv" can react to it automatically.
-        run: |
-          echo "Building with Go $(cat .go-version)"
-          echo "go-version=$(cat .go-version)" >> $GITHUB_OUTPUT
+    uses: ./.github/workflows/reusable-get-go-version.yml
 
   get-product-version:
     runs-on: ubuntu-latest
@@ -68,12 +58,12 @@ jobs:
     strategy:
       matrix:
         include:
-        # cli 
+        # cli (We aren't build packages for the linux 32-bit platforms)
           - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "386", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
           - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
-          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "386", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
-          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
-          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
+          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "386", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s", "skip_packaging": "true" }
+          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s"}
+          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s", "skip_packaging": "true"}
           - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
           - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "386", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s.exe" }
           - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s.exe" }
@@ -142,7 +132,7 @@ jobs:
             exit 1
           fi
 
-      - name: Install cross-compiler for FIPS on arm
+      - name: Install cross-compiler for FIPS on arm64
         if: ${{ matrix.fips == '+fips1402' && matrix.goarch == 'arm64' }}
         run: |
           sudo apt-get update --allow-releaseinfo-change-suite --allow-releaseinfo-change-version && sudo apt-get install -y gcc-aarch64-linux-gnu
@@ -170,8 +160,8 @@ jobs:
           name: ${{ matrix.pkg_name }}_${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
           path: ${{ matrix.component}}/out/${{ matrix.pkg_name }}_${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
 
-      - name: Package rpm and deb files 
-        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
+      - name: Package rpm and deb files
+        if: matrix.goos == 'linux' && matrix.component == 'cli' && matrix.skip_packaging != 'true'
         uses: hashicorp/actions-packaging-linux@v1
         with:
           name: consul-k8s${{ matrix.pkg_suffix }}
@@ -186,21 +176,26 @@ jobs:
           rpm_depends: "openssl"
 
       - name: Set package names
-        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
+        if: matrix.goos == 'linux' && matrix.component == 'cli' && matrix.skip_packaging != 'true'
         run: |
           echo "RPM_PACKAGE=$(basename out/*.rpm)" >> $GITHUB_ENV
           echo "DEB_PACKAGE=$(basename out/*.deb)" >> $GITHUB_ENV
 
-      - name: Test rpm package
-        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
+      - name: Enable docker runtime emulation for testing packages
+        if: matrix.goos == 'linux' && matrix.component == 'cli' && matrix.skip_packaging != 'true' && matrix.goarch != 'amd64'
+        run: |
+          docker run --privileged \
+                     --rm \
+                     docker.mirror.hashicorp.services/tonistiigi/binfmt@sha256:5540f38542290735d17da57d7084f684c62336105d018c605058daf03e4c8256 --install ${{ matrix.goarch }}
+
+      - name: Test rpm package on platforms on UBI
+        if: matrix.goos == 'linux' && matrix.component == 'cli' && matrix.skip_packaging != 'true'
         uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
         with:
           image: registry.access.redhat.com/ubi9/ubi:latest
-          options: -v ${{ github.workspace }}:/work
+          options: -v ${{ github.workspace }}:/work --platform linux/${{matrix.goarch}}
           run: |
-            dnf install -qy openssl
-            cd /work
-            rpm -ivh out/${{ env.RPM_PACKAGE }}
+            dnf install -y /work/out/${{ env.RPM_PACKAGE }}
             CONSUL_K8S_VERSION="$(consul-k8s version | awk '{print $2}')"
             VERSION="v${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}"
             if [ "${VERSION}" != "${CONSUL_K8S_VERSION}" ]; then
@@ -211,21 +206,20 @@ jobs:
 
       - name: Upload rpm package
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
-        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
+        if: matrix.goos == 'linux' && matrix.component == 'cli' && matrix.skip_packaging != 'true'
         with:
           name: ${{ env.RPM_PACKAGE }}
           path: out/${{ env.RPM_PACKAGE }}
 
       - name: Test debian package
-        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
+        if: matrix.goos == 'linux' && matrix.component == 'cli' && matrix.skip_packaging != 'true'
         uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
         with:
           image: ubuntu:latest
-          options: -v ${{ github.workspace }}:/work
+          options: -v ${{ github.workspace }}:/work --platform linux/${{matrix.goarch}}
           run: |
-            apt update && apt install -y openssl
-            cd /work
-            apt install ./out/${{ env.DEB_PACKAGE }}
+            apt-get update -qq
+            apt-get install -y /work/out/${{ env.DEB_PACKAGE }}
             CONSUL_K8S_VERSION="$(consul-k8s version | awk '{print $2}')"
             VERSION="v${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}"
             if [ "${VERSION}" != "${CONSUL_K8S_VERSION}" ]; then
@@ -236,7 +230,7 @@ jobs:
 
       - name: Upload debian packages 
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
-        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
+        if: matrix.goos == 'linux' && matrix.component == 'cli' && matrix.skip_packaging != 'true'
         with:
           name: ${{ env.DEB_PACKAGE }}
           path: out/${{ env.DEB_PACKAGE }}
@@ -297,6 +291,7 @@ jobs:
           workdir: control-plane
           tags: |
             docker.io/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}
+            public.ecr.aws/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}
           dev_tags: |
             docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}
             docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-${{ github.sha }}
@@ -324,6 +319,7 @@ jobs:
           workdir: control-plane
           tags: |
             docker.io/hashicorp/${{ env.repo }}-control-plane-fips:${{ env.version }}
+            public.ecr.aws/hashicorp/${{ env.repo }}-control-plane-fips:${{ env.version }}
           dev_tags: |
             docker.io/hashicorppreview/${{ env.repo }}-control-plane-fips:${{ env.full_dev_tag }}
             docker.io/hashicorppreview/${{ env.repo }}-control-plane-fips:${{ env.full_dev_tag }}-${{ github.sha }}
@@ -387,6 +383,7 @@ jobs:
           workdir: control-plane
           tags: |
             docker.io/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}-ubi
+            public.ecr.aws/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}-ubi
           dev_tags: |
             docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-ubi
             docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-ubi-${{ github.sha }}
@@ -413,6 +410,8 @@ jobs:
           pkg_name: consul-k8s-control-plane_${{ env.version }}
           bin_name: consul-k8s-control-plane
           workdir: control-plane
+          tags: |
+            public.ecr.aws/hashicorp/${{ env.repo }}-control-plane-fips:${{ env.version }}-ubi
           redhat_tag: quay.io/redhat-isv-containers/6486b1beabfc4e51588c0416:${{env.version}}-ubi # this is different than the non-FIPS one
           extra_build_args: |
             GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -5,20 +5,7 @@ on:
 
 jobs:
     get-go-version:
-      runs-on: ubuntu-latest
-      outputs:
-        go-version: ${{ steps.get-go-version.outputs.go-version }}
-      steps:
-        - name: Checkout code
-          uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-
-        - name: Determine Go version
-          id: get-go-version
-          # We use .go-version as our source of truth for current Go
-          # version, because "goenv" can react to it automatically.
-          run: |
-            echo "Building with Go $(cat .go-version)"
-            echo "go-version=$(cat .go-version)" >> "${GITHUB_OUTPUT}"
+      uses: ./.github/workflows/reusable-get-go-version.yml
 
     linting:
       name: golangci-lint

diff --git a/.github/workflows/reusable-get-go-version.yml b/.github/workflows/reusable-get-go-version.yml
@@ -0,0 +1,30 @@
+name: get-go-version
+
+on:
+  workflow_call:
+    outputs:
+      go-version:
+        description: "The Go version detected by this workflow"
+        value: ${{ jobs.get-go-version.outputs.go-version }}
+
+jobs:
+  get-go-version:
+    name: "Determine Go toolchain version"
+    runs-on: ubuntu-latest
+    outputs:
+      go-version: ${{ steps.get-go-version.outputs.go-version }}
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Determine Go version
+        id: get-go-version
+        # We use .go-version as our source of truth for current Go
+        # version, because "goenv" can react to it automatically.
+        #
+        # In the future, we can transition from .go-version and goenv to
+        # Go 1.21 `toolchain` directives by updating this workflow rather
+        # than individually setting `go-version-file` in each `setup-go`
+        # job (as of 2024-01-03, `setup-go` does not support `toolchain`).
+        run: |
+          GO_VERSION=$(head -n 1 .go-version)
+          echo "Building with Go ${GO_VERSION}"
+          echo "go-version=${GO_VERSION}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -0,0 +1,63 @@
+name: Security Scan
+
+on:
+  push:
+    branches:
+      - main
+      - release/**
+  pull_request:
+    branches:
+      - main
+      - release/**
+
+# cancel existing runs of the same workflow on the same ref
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  get-go-version:
+    uses: ./.github/workflows/reusable-get-go-version.yml
+
+  scan:
+    needs:
+      - get-go-version
+    runs-on: ubuntu-latest
+    # The first check ensures this doesn't run on community-contributed PRs, who
+    # won't have the permissions to run this job.
+    if: ${{ (github.repository != 'hashicorp/consul-k8s' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name))
+      && (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }}
+
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: Set up Go
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        with:
+          go-version: ${{ needs.get-go-version.outputs.go-version }}
+
+      - name: Clone Security Scanner repo
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          repository: hashicorp/security-scanner
+          #TODO: replace w/ HASHIBOT_PRODSEC_GITHUB_TOKEN once provisioned
+          token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+          path: security-scanner
+          ref: main
+
+      - name: Scan
+        id: scan
+        uses: ./security-scanner
+        with:
+          repository: "$PWD"
+          # See scan.hcl at repository root for config.
+
+      - name: SARIF Output
+        shell: bash
+        run: |
+          cat results.sarif | jq
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@46a6823b81f2d7c67ddf123851eea88365bc8a67 # codeql-bundle-v2.13.5
+        with:
+          sarif_file: results.sarif
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
@@ -1,16 +1,42 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+# These scan results are run as part of CRT workflows.
+
+# Un-triaged results will block release. See `security-scanner` docs for more
+# information on how to add `triage` config to unblock releases for specific results.
+# In most cases, we should not need to disable the entire scanner to unblock a release.
+
+# To run manually, install scanner and then from the repository root run
+# `SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan ...`
+# To scan a local container, add `local_daemon = true` to the `container` block below.
+# See `security-scanner` docs or run with `--help` for scan target syntax.
+
 container {
-	dependencies = true
-	alpine_secdb = true
-	secrets      = true
+  dependencies = true
+  alpine_secdb = true
+
+  secrets {
+    all = true
+  }
 }
 
 binary {
-	secrets      = true
-	go_modules   = false
-	osv          = true
-	oss_index    = false
-	nvd          = false
-}
+  go_modules   = true
+  osv          = true
+
+  secrets {
+    all = true
+  }
+
+  triage {
+    suppress {
+      vulnerabilites = [
+        # NET-8174 (2024-02-20): Chart YAML path traversal (not impacted)
+        "GHSA-v53g-5gjp-272r", # alias CVE-2024-25620
+        # NET-8174 (2024-02-26): Missing YAML Content Leads To Panic (requires malicious plugin)
+        "GHSA-r53h-jv2g-vpx6", # alias CVE-2024-26147
+      ]
+    }
+  }
+}