Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix UBI build #1353

Merged
merged 3 commits into from
Jul 19, 2022
Merged

Fix UBI build #1353

merged 3 commits into from
Jul 19, 2022

Conversation

ishustava
Copy link
Contributor

Changes proposed in this PR:

  • fix the version of the docker build github action

How I've tested this PR:
pipeline

How I expect reviewers to test this PR:
👀

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@ishustava ishustava requested review from a team, curtbushko and Oluwalogoye and removed request for a team July 19, 2022 17:34
Copy link
Contributor

@curtbushko curtbushko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

Copy link
Contributor

@thisisnotashwin thisisnotashwin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥳

@ishustava ishustava merged commit eaa82b3 into main Jul 19, 2022
@ishustava ishustava deleted the ishustava/fix-ubi-build branch July 19, 2022 17:37
natitomattis added a commit to team-telnyx/consul-k8s that referenced this pull request Jun 6, 2023
* Add support for version annotation on Peering Dialer and Acceptor. (hashicorp#1302)

* Acceptance Tests for Cluster Peering (hashicorp#1287)

* Add acceptance tests that run connect tests for peering.
- Does not support TLS, ACLs and T-Proxy.
* Add OSS acceptance test

* use anchor link alias for TOC (hashicorp#1298)

* use anchor link alias for TOC in auto-generated helm docs code

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* Read prometheus TLS config from annotations and pass to bootstrap config

* Add tests for prometheus TLS config validation

* Remove rule preventing agent metrics and TLS from being set simultaneously

* Update CHANGELOG.md

* Update CHANGELOG.md

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>

* fix a broken link (hashicorp#1311)

* Add custom annotations support for catalog sync and connectInject pods via Helm (hashicorp#775)

* Add custom annotations support for catalog sync and connectInject pods via Helm

* changelog for 775 (hashicorp#1312)

* Updating contributing doc to add the correct helm and bats versions (hashicorp#1314)

* Add annotations to support specifying userVolumes and userVolumeMounts for the envoy sidecar (hashicorp#1315)

* add envoy user volumes and volumeMounts via annotations

* use ent images for nightlies and add consul-1.13 nightlies (hashicorp#1305)

* use ent images for nightlies and add support for consul-1.13
* disable nightlies for now

* Updating values docs to only set  global.federation.primaryDatacenter outside of the primary datacenter. (hashicorp#1318)

* Peering webhooks (hashicorp#1310)

- adds validation webhooks for PeeringAcceptor and Peering dialer controllers
- fixes panic by doing a nil check on the PeeringAcceptor SecretRef()

* Update client-daemonset bats tests (hashicorp#1313)

* updates client-daemonset bats tests to be more readable and do not use hard-coded array indexes.

* don't set securitycontext on openshift/okd (hashicorp#1308)

If running on OpenShift, these settings cause problems because the
user and group ids are below the range openshift expects, instead do not set them.

* update changelog for community PR 1308 (hashicorp#1325)

* update changelog for community PR
* fix indentation

* Fixes for AWS acceptance tests cleanup (hashicorp#1328)

* Fix a bug with ELB deletion where we were comparing pointer values for VPC ID instead of strings
* Delete VPCs and their resources even if there's no associated EKS cluster. This so that if EKS cleanup fails in the middle and we
  re-run it, it will continue deleting resources it couldn't on a previous run.

* Adding podDistruptionBudget to connect injector (hashicorp#1316)

* Adding podDistruptionBudget to connect injector

* update changelog (hashicorp#1331)

* CRT Onboarding (hashicorp#1290)

* Release: enable using CRT for releases

* Updating to go 1.18 (hashicorp#1292)

* Updating to go 1.18

* updating changelog, CI, and test dockerfile.

* go mod tidy on /acceptance

* go mod tidy on /cli

* go mod tidy on /control-plane

* go mod tidy on /hack/aws-acceptance-test-cleanup

* go mod tidy on /hack/helm-reference-gen

* updating golangci-lint-action to 3.2.0

* fixing golang version on charts/consul/test/docker/Test.dockerfile

* updating .go-version to v1.18.3

* updating go testsum version to 1.8.1

* updating lint-control-plane to go install lint-consul-retry rather than go get lint-consul-retry. consul repo does this.

* Updating changelog so that changes are listed under improvements rather than breaking changes.

* Replacing strings.Title with cases.Title to make broken CI linting pass (hashicorp#1342)

* Disable wan federation tests on kind because of flakiness (hashicorp#1346)

Currently, WAN federation tests are flaky on kind. We need more time
to investigate. Because these tests run on other clouds and are not flaky,
we are disabling them on kind until we can investigate and re-enable them.

* Actually disable mesh gateway tests on kind! (hashicorp#1351)

* Enable ubi images in the build workflow (hashicorp#1350)

* Add makefile target to prepare release (hashicorp#1349)

* Fix UBI build (hashicorp#1353)

* Skip peering tests on AKS and update AKS version (hashicorp#1355)

* On AKS, we cannot run peering tests yet because the pod network is not flat
* Add a flag to acceptance tests framework to disable peering tests (to be removed once non-flat networks are supported)
* Update AKS version to the supported 1.21.x version (1.21.7 is no longer supported)
* Run AKS nightly acceptance tests with -disable-peering flag

* Build multi-arch dev-images (hashicorp#1338)

* Add a job to build and publish UBI images to dockerhub (hashicorp#1356)

* Use buildx to push latest image tag from main (hashicorp#1357)

* Read created secrets from the API object (hashicorp#1359)

* Read created secrets from the API object
- Avoid reading objects from the cache immediately after creating them
  as they are not guaranteed to exist. This leads to a bug caused by the
race condition.
- Add update RBAC to the secrets for the connect inject controller.
* Update acceptance/tests/peering/peering_connect_test.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update CHANGELOG.md (hashicorp#1360)

* Pre-release 0.46.0 (hashicorp#1361)

* Pass correct compiler flags to go build for the release (hashicorp#1362)

* Remove ECR tags for docker images (hashicorp#1364)

* Putting source back into Dev Mode (hashicorp#1365)

* Support Conditions on Peering CRDs (hashicorp#1335)

* Support Conditions on Peering CRDs
- Add printer columns so describes have more metadata.
* CHANGELOG

* T-Proxy for peering tests (hashicorp#1337)

* Expose Server GRPC on port 8503

* acceptance: Add retry to resource deletion and wait for more for ELB deletion to propagate (hashicorp#1368)

* Add required UBI labels (hashicorp#1367)

* Update alpine to 3.16 (hashicorp#1372)

* Release 0.46.1 (hashicorp#1373)

* Putting source back into Dev Mode (hashicorp#1374)

* Remove unused dockerfiles (hashicorp#1375)

* Enable TLS on Consul Peering (hashicorp#1366)

* Peering ACL support (hashicorp#1343)

* feat(crd): add destination to service-defaults

* update to use gox for dev builds

* ignore vscode

* Bump default Envoy version to 1.23.0 (hashicorp#1377)

Signed-off-by: Evan Culver <eculver@hashicorp.com>

* Increase ELB propagation wait time (hashicorp#1385)

* peering: expose servers over Kubernetes service (hashicorp#1378)

- Add new expose-servers service to Helm chart
- Support scraping addresses from expose-servers service when type LB or Nodeport and using those to generate the token
- Bump consul/api module to use generate token endpoint changes from Update generate token endpoint to take external addresses consul#13844
- Update acceptance tests to deploy 3 servers, and on clouds it'll use a load balancer service, on kind itll use a nodeport service.

* peering: support setting externalServers.hosts in peering token for non-default partitions (hashicorp#1384)

* peering: support static addresses for exposing servers (hashicorp#1392)

* peering: changelog for expose servers over LBs or external addresses (hashicorp#1393)

* peering: set peering server config only when peering Helm value is true (hashicorp#1390)

* CHANGELOG: re-order changelog and remove extraneous trailing FEATURES (hashicorp#1395)

* CHANGELOG: re-order changelog and remove extraneous trailing FEATURES

* charts: add ReferenceGrant permissions to Consul API Gateway ClusterRole

* changelog: add entry for Consul API Gateway ReferenceGrant support

* peering: generate new token only on user-triggered events  (hashicorp#1399)

Previously, we will call generate token endpoint when secret contents change,
i.e. when the resource version in the status of the Acceptor CR doesn't match
the resouce version in the existing secret version. However, this results in a race
condition when multiple reconciles run concurrently. When that happens, one of them ends
up with an outdated CR object and as a result decides that it needs to re-generate the peering
token because those resource versions don't match. This is also undesirable because now
peering tokens have an establishment secret that can only be used one time. If we re-generate
tokens without user knowing, this could result in errors because the dialer will use an outdated secret.

Also, make sure we always update the latest version of the acceptor object by re-fetching
it before updating.

* Add `proxy list` and `proxy read` commands to Consul on Kubernetes CLI

* Add a `PortForward` struct which enables the CLI to port forward `localhost` to Kubernetes Pods.
* Add a command, `consul-k8s proxy list`, which lists all Kubernetes Pods running Envoy proxies managed by Consul.
* Add a command, `consul-k8s proxy read <podname>`, which prints a summary of the Envoy configuration for the proxy running on a given Pod.
* Add behavior testing the new commands to the existing Connect Inject acceptance tests.

* peering: update unit tests to not reuse peering token to be compatible with consul 1.13 (hashicorp#1401)

-and bump unit test consul version to 1.13

* fix permissions for /consul/extra-config (hashicorp#1307)

* fix permissions for /consul/extra-config in openshift environments

On openshift/okd you might not have permissions to create directories
everywhere. But you can introduce mounts.

Here we're just creating insignificant mount-points for the extra-config
to do it's thing, thus eliminating the need for creating the directory,
which the user running the container might not have permissions to do.

Fixes hashicorp#1306

* Fix issue where API gateways were being mis-labeled as Sidecar proxies (hashicorp#1403)

* update changelog (hashicorp#1405)


* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Fix context handling for the CLI (hashicorp#1406)

* Use context as set by user for Kubernetes

* Pass in context using Kube options to CLI run commands

* CHANGELOG: small formatting fixes (hashicorp#1407)

* CHANGELOG: small formatting fixes

* Release 0.47.0 (hashicorp#1413)

* add changelog
* Update consul version in ci and api/sdk package versions
* update release date

* peering: update helm value doc (hashicorp#1415)

* revert to dev mode (hashicorp#1416)

* 0.47.1 (hashicorp#1417)

* 0.47.1 (hashicorp#1418)

* peering: add code blocks for helm docs (hashicorp#1419)

* Add stanza to ci.hcl to trigger helm pipeline (hashicorp#1398)

* put repo in dev mode (hashicorp#1420)

* Update the sed match to replace image (hashicorp#1422)

* Use the pointer pkg instead of BYO functions everywhere (hashicorp#1423)

* Use new GitHub Markdown note syntax (hashicorp#1424)

* Various acceptance tests fixes (hashicorp#1414)

- parallelize nightly tests (they now take ~5h which is the max time circleci will allow us to run w/o output)
- re-establish port forwarding if we lose connection. Sometimes, we lose port-forwarding connection and never re-establish it, which leads to any calls to consul to fail. Instead, we now monitor the local port, and if we can't connect to it, we re-establish port-forwarding
- Add retries to aws cleanup script

* Rename flag for peering token server addresses. (hashicorp#1426)

- The flag was initially named `server-address` but the `server-address` flag has been used across the project to imply ONLY the address of the external server when enabled. This meaning is overloaded in the context of the server address used for generating the peering token. This leads to errors (specifically in the agentless context), where the deployment must explicitly know the list of external servers.

* Fix acceptance tests passing "-config" instead of "-kubeconfig" to CLI (hashicorp#1427)

* config -> kubeconfig

* Run GKE Acceptance

* Stop GKE acceptance tests running on PRs

* values.yaml: add more detail around using connectCA with vault namespaces (hashicorp#1430)

* values.yaml: add more detail around using connectCA with vault namespaces

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

* set PRODUCT_VERSION for default docker build (hashicorp#1429)

* test: egress destination tests (hashicorp#1383)

* README: Update to README regarding upcoming breaking changes (hashicorp#1439)

* README: Update to README regarding upcoming breaking changes

* Fix some smaller Envoy Debugging bugs. (hashicorp#1412)

* Don't show 'non-domain' FQDNs
* Show message about no pods being found
* Fix tests for not showing "non-domain" FQDNs
* Add a warning if field filter and table filter combo is wacky
* Fix linting issue
* Re-add newline in list command
* Return nil from initKubernetes
* Change out to exitCode

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
* Use contains instead of regex
* Include FQDNs without periods as FQDNs
* Expand the filtering tests
* Test multiple warnings properly
* Add changelog improvements

* fix: missing MaxInboundConnections in service-defaults CRD (hashicorp#1437)

* enable nightlies for 1.11 and 1.12 and 1.13 (hashicorp#1339)

* enable nightlies for 1.11 and 1.12 and 1.13

* Update Kubernetes versions for the nightly acceptance tests. (hashicorp#1444)

* Remove Issue Context Bot (hashicorp#1448)

* update the helm repo prior to running helm install in acceptance tests. (hashicorp#1451)

* fix nightlies

* Lint cleanup (hashicorp#1450)

* Fix linting errors throughout the codebase

* CNI Plugin for Consul-k8s (hashicorp#1456)

-  Added a CNI installer daemonset to the helm install. On every node, the installer daemonset:
  - Appends the consul-cni configuration to the main CNI configuration as the final plugin in the CNI chain
  - Installs the consul-cni binary to the node
  - Creates a kubeconfig file so that the the consul-cni plugin can communicate with pods.
  - Repairs the consul-cni configuration if another CNI plugin corrupts the configuration

- Added a consul-cni CNI plugin that is executed by the kubelet when a pod is created.
   -  The consul-cni plugin is a chained plugin and must be installed alongside another CNI plugin (eg. calico)
   -  In order to install and use the plugin you must ensure that connect inject (connectInject.enabled = true) and CNI (connectInject.cni.enabled = true) are enabled in the helm chart.
   -  Note: if using consul-cni on GKE, connectInject.cni.cniBinDir must be set to /home/kubernetes/bin

- Unit, acceptance, and bats (helm) tests to cover all of the above changes/additions.

* Kubernetes 1.24 support (hashicorp#1431)

* Support for Kubernetes 1.21+

* update changelog for kube-1.24 (hashicorp#1461)

* update changelog

* README.md: update K8s versions (hashicorp#1459)

* README.md: update versions

* Add CNI to CRT (hashicorp#1458)

* Get CNI building with CRT

* api-gateway: configure ACL auth appropriately in secondary dc (hashicorp#1462)

* api-gateway: configure acl-auth-method appropriately for controller in secondary dc

Co-Authored-By: Thomas Eckert <thomas.james.eckert@gmail.com>

* Add test coverage for secondary datacenter configuration

* Add changelog entry

* Improve changelog entry

* Fulfill flag dependencies for bats test

Co-authored-by: Thomas Eckert <thomas.james.eckert@gmail.com>

* Fix Listener Filter bugs and cover more Envoy Listener Filter Types (hashicorp#1442)

* Extend timeout for port-forward
* Resolve merge conflict on config fixture
* Resolve merge conflicts on how listeners are displayed
* Fix linting issue
* Finish Ratelimit config
* Unescape >
* Add Changelog
* Fix unit tests
* Fix acceptance tests
* Remove the named return parameter
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>

* CHANGELOG: formatting and missing links (hashicorp#1467)

* Omit non-IP defined endpoints from clusters (hashicorp#1452)

* Omit non-IP defined endpoints from clusters

* Improve perf with regex

* Use ParseIP instead of RegEx

* Add test for parseClusters

* Update the reference to cni package to the current on main. (hashicorp#1472)

* update Kubernetes versions throughout CI (hashicorp#1460)

* update Kube versions throughout CI so nightlies run against supported versions of Kubernetes.

* release 0.48.0 (hashicorp#1473)

* release 0.48.0
* update envoy version to 1.23.1

* put main back into dev (hashicorp#1476)

* update acceptance tests to use latest consul-k8s release (hashicorp#1477)

* Bump helm.sh/helm/v3 from 3.6.1 to 3.9.4 in /cli (hashicorp#1465)

Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.6.1 to 3.9.4.
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.6.1...v3.9.4)

---
updated-dependencies:
- dependency-name: helm.sh/helm/v3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update docs storageclass (hashicorp#1493)

* Update storageclass docs - link to ref arch

* Notify #feed-consul-k8s-ci (hashicorp#1494)

* Make CNI tests dependent on non-CNI tests passing (hashicorp#1495)

* Rolling back helm upgrade in CLI back to 3.6.1 (hashicorp#1492)

* Revert "Bump helm.sh/helm/v3 from 3.6.1 to 3.9.4 in /cli (hashicorp#1465)"

This reverts commit beff736.

* run nightlies on this branch

* removing changes to circleci config

* pin vault helm chart version to v0.21.0 in Acceptance tests (hashicorp#1499)

* pin vault helm chart version to v0.21.0

* add target to makefile

* update Contributing.md

* server-acl-init: Create global ACL auth method for API Gateway in secondary dc (hashicorp#1481)

* server-acl-init: Use global policy + auth method for API Gateway in secondary dc

* Update test assertions to expect global auth method + token

* Add changelog entry

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>

* ci: add backport pipeline (hashicorp#1489)

* add backport pipeline

* added automerge
- This will automatically merge backported changes without creating a PR if there are no errors. If there are errors  (merge conflicts, failure to cherrypick, etc.), then a PR will be created requiring manual intervention to resolve

* added a token with elevated permissions

Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com>

* Add cli autocomplete (hashicorp#1501)

* enable autocomplete

* add auto-completions
- add AutocompleteFlags() and AutocompleteArgs() to commands to adhere to autocomplete interface
- add variables for command flag names where necessary
- deleted some unused arguments
- refactored some naming package/variable naming collisions

* add cli autocomplete tests

* fixed some linter errors in set

* update changelog

* Re-enable MeshGW tests in acceptance on Kind and update CI binary versions (hashicorp#1491)

* Re-enables meshGW tests in Kind and updates Kind CI images to latest including latest Kube-1.24 versions.

* Update consul-helm-test image and CI to go 1.18 (hashicorp#1498)

* using the current circleci go image for 1.18

* updating consul-helm-test image to v0.12.0

* add `release/**` wild card to ci.hcl (hashicorp#1518)

* add `release/**` wild card
- branches with a leading `release/` will be categorized as release branches

* change CRT messaging to be sent to feed-consul-k8s-ci

* update docs for helm for global.syncCatalog.aclSyncToken (hashicorp#1524)

* update docs for helm for global.syncCatalog.aclSyncToken

* Update charts/consul/values.yaml

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* Populate primary dc flag for APIGW controller in secondary federated dc (hashicorp#1511)

* Populate primary dc flag for APIGW controller in secondary federated dc

* Add test coverage for primary-datacenter flag

* Add changelog entry

* Update CHANGELOG.md

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>

* fix a typo in the helper template for pdb (hashicorp#1530)

* fix a typo in the helper template for pdb

* downgrade helm version again (hashicorp#1525)

* backport of commit 8a97da4

* backport of commit 69fe217

* create-federation-secret job runs only when server.updatePartition is 0 (hashicorp#1512)

* create-federation-secret job runs only
when server.updatePartition is 0

* I added a test to check createFederationSecret/Job doesn't run when  updatepartition != 0

Co-authored-by: David Yu <dyu@hashicorp.com>

* makefile and scripting updates for stable releases (hashicorp#1526)

- Handles case where we are releasing a beta and want that beta release reflected in the changelog

* fix spacing so ifndef has expected behavior (hashicorp#1536)

* Support escaped commas in service tags for connect (hashicorp#1532)

* support escaped commas in service tag annotations

* backport of commit d46addf

* 0.49.0 Pre-release (hashicorp#1538)

* Initial 0.49.0 branch creation

* backport of commit 96cba08

* backport of commit b3fcc28

* backport of commit 5d07c8d

* backport of commit 4a0bd4e

* backport of commit 5e6203d

* backport of commit 8f50af6 (hashicorp#1550)

This pull request was automerged via backport-assistant

* backport of [1484](hashicorp#1484) (hashicorp#1562)

Co-authored-by: malizz <maliheh.monshizadeh@hashicorp.com>

* backport of commit 0f9f738

* cherry picked changes (hashicorp#1564)

* Set Sept 30th as release date for 0.49.0

* Trigger the pre-staging release of artifacts (hashicorp#1569)

* backport of commit 7c33284

* backport of commit c42526a

* backport of commit 00d9349

* backport of commit b609ab5

* backport of commit 928772d

* backport of commit 4f9b49c

* backport of commit e5a5a6f

* backport of commit 19012ef

* backport of commit 24e616c

* backport of commit 9a3ddc4

* backport of commit bccf760

* backport of commit 428b3af

* backport of commit 4ed72fa

* Add CHANGELOG entry for PR 1581 (hashicorp#1627) (hashicorp#1630)

* Mw/cherry pick ac updates (hashicorp#1649)

* removed make target for GitHub, no longer needed

* The name CLI conflicts with the runner
- build consul-k8s CLI in pipeline instead for GH action (in future commit)
- build consul-K8s CLI in pipeline for CircleCI. CircleCI uses some different go pathing so can't use make cli-dev explicitly for build-cli step
- change name of cli binary from cli to consul-k8s

* replace special characters in tests
- GitHub actions can't upload test files with special characters in the name, so replace all special characters with underscores (_)

* api-gateway: Allow controller to read MeshService resource (hashicorp#1574) (hashicorp#1653)

* Allow the API gateway controller to read MeshService resource

* Add changelog entry

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>

* backport of commit f67364b

* Add PodSecurityPolicy for Consul API Gateway controller (hashicorp#1656) (hashicorp#1666)

* Add PodSecurityPolicy for Consul API Gateway controller

* Grant Consul API Gateway controller access to new PodSecurityPolicy

* Add unit test coverage for clusterrole + podsecuritypolicy

* Add changelog entry

* Use YQ@3 friendly select

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* backport acceptance test pipeline changes for stable releases (hashicorp#1677)

Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com>

* Merge pull request hashicorp#1650 from hashicorp/consul-api-gateway-add-tolerations-support

Consul API Gateway, Add Tolerations support

* api-gateway: allow controller to bind PodSecurityPolicy to ServiceAccounts that it creates (hashicorp#1672) (hashicorp#1682)

* Add PodSecurityPolicy for all Gateway Deployments

* Allow API gateway controller to manage roles + bindings

* Add entry to CHANGELOG

* Consolidate controller ClusterRole mods for enablePodSecurityPolicies

* Update/add unit test coverage for controller ClusterRole

* Check for additional verbs on cluster role

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* Mw/release/0.49.x/fix cloud pipeline (hashicorp#1679)

* updated libraries based on main, especially helm
- resolved an issue with terraform provisioned aws version incompatibility with helm, also updated helm
- we are not supporting eks testing for release branches, but this fix will stay in

* disabling peering tests as these are a beta feature
- peering tests are not fully supported for 0.49 and tests can fail intermittently

* update test dockerfile to handle gcloud deprecations
- this dockerfile more closely matches what is found in main, the big difference being that 0.49 supports go 1.18 instead of 1.19 (at the time of this commit)
- added a new make target for creating the test docker image

* created a new workflow for running nightly release branch tests
- only run a single cloud test (arbitrarily GKE) and kind testing. A single cloud test is sufficient for release branch testing
- gcloud plugin enabled to handle deprecations with older gke cli
- updated consul-helm-test-image to latest version

* Backport of Add support for maxConnections, maxConcurrentRequests, and maxPendingRequests to IngressGateway CRD into release/0.49.x (hashicorp#1700)

* backport of commit 7592592

* backport of commit 876eb7c

* backport of commit 438aae1

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>

* peering: update exported services CRD and bump api module (hashicorp#1596) (hashicorp#1705)

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Add support for maxConnections, maxConcurrentRequests, and maxPendingRequests to IngressGateway CRD (hashicorp#1691) (hashicorp#1706)

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>

* add missing changelog from backport (hashicorp#1713)

* release: bump consul image to 1.13.3 (hashicorp#1715)

* bump consul image to 1.13.3 and run make prepare-release

* unit test with 1.13.3 

* fix unit tests with consul 1.13.3 (hashicorp#1720)

* backport of commit 9cb4489

* set release back into dev mode (hashicorp#1724)

* Backport of Dockerfile: bump up ubi-minimal image to 9.1 into release/0.49.x (hashicorp#1728)

* backport of commit a6f01f3

Co-authored-by: David Yu <dyu@hashicorp.com>

* Add support for LocalConnectTimeoutMs and LocalRequestTimeoutMs on service-defaults CRD (hashicorp#1647) (hashicorp#1748)

* Add support for LocalConnectTimeoutMs and LocalRequestTimeoutMs on the Service Defaults CRD
* auto gen code
* revert the change from make ctrl-generate ctrl-manifests

Co-authored-by: Zhouyang Zhang <84437068+erdanzhang@users.noreply.github.com>

* Backport of Disable PodSecurityPolicy when global.enablePodSecurityPolicies set to false into release/0.49.x (hashicorp#1745)

* no-op commit due to failed cherry-picking

* Disable PodSecurityPolicy when global.enablePodSecurityPolicies set to false (hashicorp#1693)

Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: James (Anh-Tu) Nguyen <tunguyen9889@users.noreply.github.com>

* Release 0.49.2 (hashicorp#1764)

* Release 0.49.2

* set to 0.49.3 dev mode (hashicorp#1766)

* Add global.extraLabels values.yaml setting (hashicorp#1771) (hashicorp#1778)

* Add global.extraLabels values.yaml setting
This setting lets you apply a set of labels to all pods created by the
consul-k8s helm chart.
* Also apply global extra labels to deployments/daemonsets/statefulsets/jobs
* Add global extraLabels to sync catalog deployment

Co-authored-by: Chris Bruce <christopher.bruce@blackrock.com>

* Backport of Update CHANGELOG.md to describe change global.extraLabels into release/0.49.x (hashicorp#1780)

Co-authored-by: David Yu <dyu@hashicorp.com>

* Backport of Ignore partition/namespace on SourceIntention list to match top-level compare logic into release/0.49.x (hashicorp#1806)

* backport of commit a2ba891
* Add changelog note

Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>

* values.yaml - helm chart docs edits for 0.49.x (hashicorp#1805)

* helm chart docs edits
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

* Create annotation to allows users to use proxy health check (hashicorp#1824) (hashicorp#1830)

* Add health checks for services that are synced (hashicorp#1821) (hashicorp#1839)

* Add health checks for services that are synced
- When the type of the service is ClusterIP, a health check will be added to the catalog registration with the health info of the service based on the state of the readiness probe of the pod associated with the service.
- Replace `apiv1` with `corev1` to be consistent across the project.
- Run `go mod tidy`.

* Use Proxy Healthchecks when configured. (hashicorp#1843)

- When a service is configured with the correct annotation, a readiness endpoint with be configured in Consul dataplane, and the readiness probe of the sidecar will be configured to use that endpoint to determine the health of the system. Additionally, when t-proxy is enabled, that port shall be in the ExcludeList for inbound connections.

* Pre-release 0.49.3 (hashicorp#1857)

* set dev mode for 0.49.4 (hashicorp#1859)

* Exclude openebs namespace from injection. (hashicorp#1869) (hashicorp#1875)

* Exclude openebs namespace from injection.

OpenEBS is a Kubernetes storage solution. When you spin up a PVC, under
the hood OpenEBS creates a pod to handle the necessary storage
operations. If the openebs namespace is not excluded from injection,
that pod can't start because our mutatingwebhook config requires all pod
scheduling requests make it to our webhook and our webhook isn't running
yet because the consul servers aren't running.

This is a breaking change but I think it's worth it because it's very
unlikely anyone is using the openebs namespace for anything other than
openebs.

* Changelog

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* backport of commit ef500b3

* Backport of Dockerfile: Remove gnupg from Consul k8s container into release/0.49.x (hashicorp#1883)

* manual fix of changelog

Co-authored-by: David Yu <dyu@hashicorp.com>

* Backport of Dockerfile: remove `gnupg` from dev image into release/0.49.x (hashicorp#1886)

Co-authored-by: David Yu <dyu@hashicorp.com>

* Pre-release update for 0.49.4 (hashicorp#1888)

* Prepare dev 0.49.5 (hashicorp#1896)

* backport of commit d161351

* [0.49.x] remove livenessProbe from pods with preStop lifecycle hooks that delete ACL tokens (hashicorp#1914)

Currently we use an init container to create a consul ACL token via an
auth method. We configure a preStop lifecycle hook to delete this token
to avoid leaking it but this executes when containers get restarted, not
just when the pod is destroyed.

This means that if a container livenessProbe fails and triggers a
container to be restarted in place the token it was using will be
destroyed but not recreated.

* Backport of Dockerfile: bump Alpine base image to 3.17 into release/0.49.x (hashicorp#1936)

* Manual backport to 0.49.x
Co-authored-by: David Yu <dyu@hashicorp.com>

* Enable envoy bootstrap config logging if global.logLevel == debug (hashicorp#1910)

* Backport of Update links to support DevDot into release/0.49.x (hashicorp#1949)

* fix merge conflicts

---------

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

* Cherry pick terraform checks (hashicorp#1962)

* added CI test to catch bad terraform formatting

* formatted terraform files

* update prepare release to update the changelog (hashicorp#1959)

- Prepare release now requires an additional LAST_RELEASE_GIT_TAG environment variable required by go-changelog
- removed adding the unreleased tag to the Changelog as we will no longer be doing that. All changelog entries will be added at the time of release by the go-changelog tool

* backport of commit fa4c4be

* backport of commit b68593f

* backport of commit a020048

* updated go version to fix cve https://go.dev/issue/58001 (hashicorp#1975)

* updated go version to fix cve https://go.dev/issue/58001

* updated go version to fix cve https://go.dev/issue/58001
- updated go version to use 1.19 everywhere

* update to remove deprecated ioutil

* added changelog files (hashicorp#1981)

- removed unreleased section, we'll now be generating changelog entries as part of the release process

* backport of commit c740fed

* backport of commit d482dd9

* update to consul 1.13.7 (hashicorp#1993)

* ready for 0.49.5 release (hashicorp#2000)

* ready for 0.49.6 dev (hashicorp#2004)

* Backport of values.yaml - set default connect inject init cpu resource limits to `null` to increase service registration times into release/0.49.x (hashicorp#2019)

* backport of commit 7a99af0

---------

Co-authored-by: David Yu <dyu@hashicorp.com>

* backport of commit b89d4aa

* Sync GHA release 0.49.x from main (hashicorp#2058)

* Manual Backport of security: update Go version to 1.19.9 (hashicorp#2108) (hashicorp#2110)

* security: update Go version to 1.19.9

* refactor: go fmt and go mod tidy

* backport of commit 620a80b (hashicorp#2112)

Co-authored-by: DanStough <dan.stough@hashicorp.com>

* chore(ci): fix backport assistant not finding new branches (hashicorp#2116)

* backport of commit ee35a30 (hashicorp#2130)

Co-authored-by: DanStough <dan.stough@hashicorp.com>

* backport of commit 3fdcf96 (hashicorp#2147)

Co-authored-by: Curt Bushko <cbushko@gmail.com>

* Prep release 0.49.6 (hashicorp#2151)

* set dev mode 0.49.7 (hashicorp#2155)

* backport of commit 583d51e (hashicorp#2186)

Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com>

* backport of commit 35593ca (hashicorp#2190)

Co-authored-by: Curt Bushko <cbushko@gmail.com>

* backport of commit 08a2cd3 (hashicorp#2206)

Co-authored-by: DanStough <dan.stough@hashicorp.com>

* backport of commit 5bb00eb (hashicorp#2219)

Co-authored-by: Eric <eric@haberkorn.co>

* backport of commit 71293af (hashicorp#2234)

Co-authored-by: Curt Bushko <cbushko@gmail.com>

---------

Signed-off-by: Evan Culver <eculver@hashicorp.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>
Co-authored-by: Jean Morais <jeanmorais@users.noreply.github.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Erik Berg <eb4x@users.noreply.github.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: jjwong <64273338+WJay-tec@users.noreply.github.com>
Co-authored-by: Kyle Penfound <kylepenfound@protonmail.com>
Co-authored-by: DanStough <dan.stough@hashicorp.com>
Co-authored-by: Evan Culver <eculver@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: brian shore <bshore@hashicorp.com>
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
Co-authored-by: cskh <hui.kang@hashicorp.com>
Co-authored-by: Curt Bushko <cbushko@gmail.com>
Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>
Co-authored-by: Thomas Eckert <thomas.james.eckert@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com>
Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>
Co-authored-by: Sujata Roy <61177855+20sr20@users.noreply.github.com>
Co-authored-by: hc-github-team-consul-ecosystem <82990057+hc-github-team-consul-ecosystem@users.noreply.github.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
Co-authored-by: malizz <maliheh.monshizadeh@hashicorp.com>
Co-authored-by: Michele Degges <mdeggies@gmail.com>
Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
Co-authored-by: Zhouyang Zhang <84437068+erdanzhang@users.noreply.github.com>
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: James (Anh-Tu) Nguyen <tunguyen9889@users.noreply.github.com>
Co-authored-by: Chris Bruce <christopher.bruce@blackrock.com>
Co-authored-by: Ashwin Venkatesh <ashwin.what@gmail.com>
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com>
Co-authored-by: Eric <eric@haberkorn.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants