hashicorp · kisunji · Sep 20, 2023 · Sep 20, 2023 · Sep 20, 2023 · Sep 20, 2023
diff --git a/.changelog/2796.txt b/.changelog/2796.txt
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,31 @@
+## 1.0.10 (September 21, 2023)
+
+SECURITY:
+
+* Upgrade to use Go 1.19.13. This resolves CVEs
+[CVE-2023-39320](https://github.com/advisories/GHSA-rxv8-v965-v333) (`cmd/go`),
+[CVE-2023-39318](https://github.com/advisories/GHSA-vq7j-gx56-rxjh) (`html/template`),
+[CVE-2023-39319](https://github.com/advisories/GHSA-vv9m-32rr-3g55) (`html/template`),
+[CVE-2023-39321](https://github.com/advisories/GHSA-9v7r-x7cv-v437) (`crypto/tls`), and
+[CVE-2023-39322](https://github.com/advisories/GHSA-892h-r6cr-53g4) (`crypto/tls`) [[GH-2938](https://github.com/hashicorp/consul-k8s/issues/2938)]
+
+IMPROVEMENTS:
+
+* Add NET_BIND_SERVICE capability to restricted security context used for consul-dataplane [[GH-2787](https://github.com/hashicorp/consul-k8s/issues/2787)]
+* Add new value `global.argocd.enabled`. Set this to `true` when using ArgoCD to deploy this chart. [[GH-2785](https://github.com/hashicorp/consul-k8s/issues/2785)]
+* control-plane: Improve performance for pod deletions by reducing the number of fetched tokens. [[GH-2910](https://github.com/hashicorp/consul-k8s/issues/2910)]
+* control-plane: prevent updation of anonymous-token-policy and anonymous-token if anonymous-token-policy is already attached to the anonymous-token [[GH-2790](https://github.com/hashicorp/consul-k8s/issues/2790)]
+* vault: Adds `namespace` to `secretsBackend.vault.connectCA` in Helm chart and annotation: "vault.hashicorp.com/namespace: namespace" to
+secretsBackend.vault.agentAnnotations, if "vault.hashicorp.com/namespace" annotation is not present.
+This provides a more convenient way to specify the Vault namespace than nested JSON in `connectCA.additionalConfig`. [[GH-2841](https://github.com/hashicorp/consul-k8s/issues/2841)]
+
+BUG FIXES:
+
+* audit-log: fix parsing error for some audit log configuration fields fail with uncovertible string to integer errors. [[GH-2905](https://github.com/hashicorp/consul-k8s/issues/2905)]
+* control-plane: Fix issue where ACL tokens would have an empty pod name that prevented proper token cleanup. [[GH-2808](https://github.com/hashicorp/consul-k8s/issues/2808)]
+* control-plane: When using transparent proxy or CNI, reduced required permissions by setting privileged to false. Privileged must be true when using OpenShift without CNI. [[GH-2755](https://github.com/hashicorp/consul-k8s/issues/2755)]
+* helm: Update prometheus port and scheme annotations if tls is enabled [[GH-2782](https://github.com/hashicorp/consul-k8s/issues/2782)]
+
 ## 1.0.9 (Aug 10, 2023)
 
 SECURITY:

diff --git a/acceptance/go.mod b/acceptance/go.mod
@@ -5,7 +5,7 @@ go 1.19
 require (
 	github.com/gruntwork-io/terratest v0.31.2
 	github.com/hashicorp/consul-k8s/control-plane v0.0.0-20221117191905-0b1cc2b631e3
-	github.com/hashicorp/consul/api v1.10.1-0.20230906155245-56917eb4c968
+	github.com/hashicorp/consul/api v1.18.2
 	github.com/hashicorp/consul/sdk v0.14.1
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/go-version v1.6.0
@@ -83,7 +83,6 @@ require (
 	github.com/urfave/cli v1.22.2 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	golang.org/x/crypto v0.11.0 // indirect
-	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
 	golang.org/x/net v0.13.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
 	golang.org/x/sys v0.10.0 // indirect

diff --git a/acceptance/go.sum b/acceptance/go.sum
@@ -366,8 +366,8 @@ github.com/gruntwork-io/terratest v0.31.2 h1:xvYHA80MUq5kx670dM18HInewOrrQrAN+Xb
 github.com/gruntwork-io/terratest v0.31.2/go.mod h1:EEgJie28gX/4AD71IFqgMj6e99KP5mi81hEtzmDjxTo=
 github.com/hashicorp/consul-k8s/control-plane v0.0.0-20221117191905-0b1cc2b631e3 h1:4wROIZB8Y4cN/wPILChc2zQ/q00z1VyJitdgyLbITdU=
 github.com/hashicorp/consul-k8s/control-plane v0.0.0-20221117191905-0b1cc2b631e3/go.mod h1:j9Db/whkzvNC+KP2GftY0HxxleLm9swxXjlu3tYaOAw=
-github.com/hashicorp/consul/api v1.10.1-0.20230906155245-56917eb4c968 h1:lQ7QmlL0N4/ftLBex8n73Raji29o7EVssqCoeeczKac=
-github.com/hashicorp/consul/api v1.10.1-0.20230906155245-56917eb4c968/go.mod h1:NZJGRFYruc/80wYowkPFCp1LbGmJC9L8izrwfyVx/Wg=
+github.com/hashicorp/consul/api v1.18.2 h1:rBzj4IBJMh0n9BWeSwH7B8A0CSCoeafznlGmo+IQZ0E=
+github.com/hashicorp/consul/api v1.18.2/go.mod h1:2u+zn9nwubj4ZeCl48w6bEBjZImW1jOz56XXil+QNwQ=
 github.com/hashicorp/consul/sdk v0.14.1 h1:ZiwE2bKb+zro68sWzZ1SgHF3kRMBZ94TwOCFRF4ylPs=
 github.com/hashicorp/consul/sdk v0.14.1/go.mod h1:vFt03juSzocLRFo59NkeQHHmQa6+g7oU0pfzdI1mUhg=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -389,8 +389,8 @@ github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjh
 github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
 github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g=
+github.com/hashicorp/go-msgpack v0.5.3 h1:zKjpN5BK/P5lMYrLmBHdBULWbJ0XpYR+7NGzqkZzoD4=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
-github.com/hashicorp/go-msgpack v0.5.5 h1:i9R9JSrqIz0QVLz3sz+i3YJdT7TTSLcfLLzJi9aZTuI=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
@@ -737,8 +737,6 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
-golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

diff --git a/charts/consul/Chart.yaml b/charts/consul/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: consul
-version: 1.0.10-dev
-appVersion: 1.14-dev
+version: 1.0.10
+appVersion: 1.14.10
 kubeVersion: ">=1.21.0-0"
 description: Official HashiCorp Consul Chart
 home: https://www.consul.io
@@ -10,14 +10,14 @@ sources:
   - https://github.com/hashicorp/consul
   - https://github.com/hashicorp/consul-k8s
 annotations:
-  artifacthub.io/prerelease: true
+  artifacthub.io/prerelease: false
   artifacthub.io/images: |
     - name: consul
-      image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.14-dev
+      image: hashicorp/consul:1.14.10
     - name: consul-k8s-control-plane
-      image: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.0.10-dev
+      image: hashicorp/consul-k8s-control-plane:1.0.10
     - name: consul-dataplane
-      image: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.0-dev
+      image: hashicorp/consul-dataplane:1.0.6
     - name: envoy
       image: envoyproxy/envoy:v1.24.10
   artifacthub.io/license: MPL-2.0

diff --git a/charts/consul/templates/crd-ingressgateways.yaml b/charts/consul/templates/crd-ingressgateways.yaml
@@ -78,43 +78,6 @@ spec:
                       while waiting for a connection to be established.
                     format: int32
                     type: integer
-                  passiveHealthCheck:
-                    description: PassiveHealthCheck configuration determines how upstream
-                      proxy instances will be monitored for removal from the load
-                      balancing pool.
-                    properties:
-                      baseEjectionTime:
-                        description: The base time that a host is ejected for. The
-                          real time is equal to the base time multiplied by the number
-                          of times the host has been ejected and is capped by max_ejection_time
-                          (Default 300s). Defaults to 30s.
-                        type: string
-                      enforcingConsecutive5xx:
-                        description: EnforcingConsecutive5xx is the % chance that
-                          a host will be actually ejected when an outlier status is
-                          detected through consecutive 5xx. This setting can be used
-                          to disable ejection or to ramp it up slowly. Ex. Setting
-                          this to 10 will make it a 10% chance that the host will
-                          be ejected.
-                        format: int32
-                        type: integer
-                      interval:
-                        description: Interval between health check analysis sweeps.
-                          Each sweep may remove hosts or return hosts to the pool.
-                          Ex. setting this to "10s" will set the interval to 10 seconds.
-                        type: string
-                      maxEjectionPercent:
-                        description: The maximum % of an upstream cluster that can
-                          be ejected due to outlier detection. Defaults to 10% but
-                          will eject at least one host regardless of the value.
-                        format: int32
-                        type: integer
-                      maxFailures:
-                        description: MaxFailures is the count of consecutive failures
-                          that results in a host being removed from the pool.
-                        format: int32
-                        type: integer
-                    type: object
                 type: object
               listeners:
                 description: Listeners declares what ports the ingress gateway should
@@ -194,47 +157,6 @@ spec:
                               service is located. Partitioning is a Consul Enterprise
                               feature.
                             type: string
-                          passiveHealthCheck:
-                            description: PassiveHealthCheck configuration determines
-                              how upstream proxy instances will be monitored for removal
-                              from the load balancing pool.
-                            properties:
-                              baseEjectionTime:
-                                description: The base time that a host is ejected
-                                  for. The real time is equal to the base time multiplied
-                                  by the number of times the host has been ejected
-                                  and is capped by max_ejection_time (Default 300s).
-                                  Defaults to 30s.
-                                type: string
-                              enforcingConsecutive5xx:
-                                description: EnforcingConsecutive5xx is the % chance
-                                  that a host will be actually ejected when an outlier
-                                  status is detected through consecutive 5xx. This
-                                  setting can be used to disable ejection or to ramp
-                                  it up slowly. Ex. Setting this to 10 will make it
-                                  a 10% chance that the host will be ejected.
-                                format: int32
-                                type: integer
-                              interval:
-                                description: Interval between health check analysis
-                                  sweeps. Each sweep may remove hosts or return hosts
-                                  to the pool. Ex. setting this to "10s" will set
-                                  the interval to 10 seconds.
-                                type: string
-                              maxEjectionPercent:
-                                description: The maximum % of an upstream cluster
-                                  that can be ejected due to outlier detection. Defaults
-                                  to 10% but will eject at least one host regardless
-                                  of the value.
-                                format: int32
-                                type: integer
-                              maxFailures:
-                                description: MaxFailures is the count of consecutive
-                                  failures that results in a host being removed from
-                                  the pool.
-                                format: int32
-                                type: integer
-                            type: object
                           requestHeaders:
                             description: Allow HTTP header manipulation to be configured.
                             properties:

diff --git a/charts/consul/templates/crd-servicedefaults.yaml b/charts/consul/templates/crd-servicedefaults.yaml
@@ -257,22 +257,18 @@ spec:
                               The real time is equal to the base time multiplied by
                               the number of times the host has been ejected and is
                               capped by max_ejection_time (Default 300s). Defaults
-                              to 30s.
+                              to 30000ms or 30s.
                             type: string
                           enforcingConsecutive5xx:
                             description: EnforcingConsecutive5xx is the % chance that
                               a host will be actually ejected when an outlier status
                               is detected through consecutive 5xx. This setting can
                               be used to disable ejection or to ramp it up slowly.
-                              Ex. Setting this to 10 will make it a 10% chance that
-                              the host will be ejected.
                             format: int32
                             type: integer
                           interval:
                             description: Interval between health check analysis sweeps.
                               Each sweep may remove hosts or return hosts to the pool.
-                              Ex. setting this to "10s" will set the interval to 10
-                              seconds.
                             type: string
                           maxEjectionPercent:
                             description: The maximum % of an upstream cluster that
@@ -374,22 +370,19 @@ spec:
                                 The real time is equal to the base time multiplied
                                 by the number of times the host has been ejected and
                                 is capped by max_ejection_time (Default 300s). Defaults
-                                to 30s.
+                                to 30000ms or 30s.
                               type: string
                             enforcingConsecutive5xx:
                               description: EnforcingConsecutive5xx is the % chance
                                 that a host will be actually ejected when an outlier
                                 status is detected through consecutive 5xx. This setting
                                 can be used to disable ejection or to ramp it up slowly.
-                                Ex. Setting this to 10 will make it a 10% chance that
-                                the host will be ejected.
                               format: int32
                               type: integer
                             interval:
                               description: Interval between health check analysis
                                 sweeps. Each sweep may remove hosts or return hosts
-                                to the pool. Ex. setting this to "10s" will set the
-                                interval to 10 seconds.
+                                to the pool.
                               type: string
                             maxEjectionPercent:
                               description: The maximum % of an upstream cluster that

diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
@@ -66,7 +66,7 @@ global:
   # image: "hashicorp/consul-enterprise:1.10.0-ent"
   # ```
   # @default: hashicorp/consul:<latest version>
-  image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.14-dev
+  image: hashicorp/consul:1.14.10
 
   # Array of objects containing image pull secret names that will be applied to each service account.
   # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image.
@@ -86,7 +86,7 @@ global:
   # image that is used for functionality such as catalog sync.
   # This can be overridden per component.
   # @default: hashicorp/consul-k8s-control-plane:<latest version>
-  imageK8S: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.0.10-dev
+  imageK8S: hashicorp/consul-k8s-control-plane:1.0.10
 
   # The name of the datacenter that the agents should
   # register as. This can't be changed once the Consul cluster is up and running
@@ -653,7 +653,7 @@ global:
   # The name (and tag) of the consul-dataplane Docker image used for the
   # connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
   # @default: hashicorp/consul-dataplane:<latest supported version>
-  imageConsulDataplane: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.1-dev
+  imageConsulDataplane: hashicorp/consul-dataplane:1.0.6
 
   # Configuration for running this Helm chart on the Red Hat OpenShift platform.
   # This Helm chart currently supports OpenShift v4.x+.

diff --git a/cli/version/version.go b/cli/version/version.go
@@ -19,7 +19,7 @@ var (
 	// A pre-release marker for the version. If this is "" (empty string)
 	// then it means that it is a final release. Otherwise, this is a pre-release
 	// such as "dev" (in development), "beta", "rc1", etc.
-	VersionPrerelease = "dev"
+	VersionPrerelease = ""
 )
 
 // GetHumanVersion composes the parts of the version in a way that's suitable

diff --git a/control-plane/api/v1alpha1/ingressgateway_types.go b/control-plane/api/v1alpha1/ingressgateway_types.go
@@ -74,9 +74,6 @@ type IngressServiceConfig struct {
 	// will be allowed at a single point in time. Use this to limit HTTP/2 traffic,
 	// since HTTP/2 has many requests per connection.
 	MaxConcurrentRequests *uint32 `json:"maxConcurrentRequests,omitempty"`
-	// PassiveHealthCheck configuration determines how upstream proxy instances will
-	// be monitored for removal from the load balancing pool.
-	PassiveHealthCheck *PassiveHealthCheck `json:"passiveHealthCheck,omitempty"`
 }
 
 type GatewayTLSConfig struct {
@@ -364,7 +361,6 @@ func (in IngressService) toConsul() capi.IngressService {
 		MaxConnections:        in.MaxConnections,
 		MaxPendingRequests:    in.MaxPendingRequests,
 		MaxConcurrentRequests: in.MaxConcurrentRequests,
-		PassiveHealthCheck:    in.PassiveHealthCheck.toConsul(),
 	}
 }
 
@@ -469,6 +465,5 @@ func (in *IngressServiceConfig) toConsul() *capi.IngressServiceConfig {
 		MaxConnections:        in.MaxConnections,
 		MaxPendingRequests:    in.MaxPendingRequests,
 		MaxConcurrentRequests: in.MaxConcurrentRequests,
-		PassiveHealthCheck:    in.PassiveHealthCheck.toConsul(),
 	}
 }