backport of commit 7c192b6

Author: rboyer

.changelog/4152.txt

@@ -0,0 +1,7 @@
+```release-note:improvement
+control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift.
+```
+
+```release-note:bug
+connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar
+```

.changelog/4153.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+terminating-gateway: Fix generated acl policy for external services to include the namespace and partition block if they are enabled.
+```

.changelog/4154.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791)
+```

.changelog/4169.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade go-retryablehttp to v0.7.7 to address [GHSA-v6v8-xj6m-xwqh](https://github.com/advisories/GHSA-v6v8-xj6m-xwqh)
+```

.changelog/4184.txt

@@ -0,0 +1,4 @@
+```release-note:improvement
+* helm: Adds `webhookCertManager.resources` field which can be configured to override the `resource` settings for the `webhook-cert-manager` deployment.
+* helm: Adds `connectInject.apiGateway.managedGatewayClass.resourceJob.resources` field which can be configured to override the `resource` settings for the `gateway-resources-job` job.
+```

.changelog/4210.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job, would fail before if the image was in a private registry
+```

.changelog/4213.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD.
+```

.changelog/4224.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+terminating-gateways: Fix bug where namespace field was not correctly set on ACL policies if using the `Registration` CRD with the service's namespace unset.
+```

.changelog/4227.txt

@@ -0,0 +1,4 @@
+```release-note:bug
+openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior.
+This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical.
+```

.changelog/4228.txt

@@ -0,0 +1,6 @@
+```release-note:security
+Upgrade Docker cli to use v.27.1. This addresses CVE
+[CVE-2024-41110](https://nvd.nist.gov/vuln/detail/CVE-2024-41110)```
+
+```release-note:security
+Bump Go to 1.22.5 to address [CVE-2024-24791](https://nvd.nist.gov/vuln/detail/CVE-2024-24791)```

.changelog/4244.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Kubernetes v1.30 is now supported. Minimum tested version of Kubernetes is now v1.27.
+```

.changelog/4247.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified
+```

.changelog/4255.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters.
+```

.changelog/4256.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+config-entry: add validate_clusters to mesh config entry
+```

.changelog/4266.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process
+```

.changelog/4287.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+docker: update go-discover binary
+```
+
+```release-note:enhancement
+docker: update ubi base image to `ubi9-minimal:9.4`.
+```

.changelog/4307.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole
+```

.changelog/4313.txt

@@ -0,0 +1,4 @@
+```release-note:security
+Upgrade Go to use 1.22.7. This addresses CVE 
+[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155)
+```

.changelog/4315.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+helm: fix issue where the API Gateway GatewayClassConfig tolerations can not be parsed by the Helm chart.
+```

.changelog/4316.txt

@@ -0,0 +1,5 @@
+```release-note:bug
+api-gateway: `global.imagePullSecrets` are now configured on the `ServiceAccount` for `Gateways`.
+
+Note: the referenced image pull Secret(s) must be present in the same namespace the `Gateway` is deployed to.
+```

.changelog/4333.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set.
+```

.github/scripts/check_skip_ci.sh

@@ -27,3 +27,34 @@ jobs:
         ref: main
         token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
         inputs: '{ "context":"${{ env.CONTEXT }}", "actor":"${{ github.actor }}", "repository":"${{ github.repository }}", "branch":"${{ env.BRANCH }}", "sha":"${{ env.SHA }}", "token":"${{ secrets.ELEVATED_GITHUB_TOKEN }}" }'
+
+  pass-required-checks-on-skip:
+    needs: [ conditional-skip ]
+    if: needs.conditional-skip.outputs.skip-ci == 'true'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          # The required checks that should be "passed" when the CI is skipped
+          - check-name: acceptance
+          - check-name: acceptance-cni
+          - check-name: acceptance-tproxy
+          - check-name: Unit test helm templates
+          - check-name: Unit test helm gen
+          - check-name: Unit test enterprise control plane
+          - check-name: Unit test control plane
+          - check-name: Unit test cli
+          - check-name: Unit test acceptance
+          - check-name: Unit test helm gen
+    steps:
+    - name: Update final status
+      uses: docker://ghcr.io/curtbushko/commit-status-action:e1d661c757934ab35c74210b4b70c44099ec747a
+      env:
+        INPUT_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+        INPUT_REPOSITORY: ${{ github.repository }}
+        INPUT_CONTEXT: ${{ matrix.check-name }}
+        INPUT_STATE: success
+        INPUT_DESCRIPTION: "Skipped due to conditional-skip check"
+        INPUT_SHA: ${{ env.SHA }}
+        INPUT_DETAILS_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        INPUT_OWNER: "hashicorp"

.github/workflows/pr.yml

@@ -12,13 +12,58 @@ jobs:
     runs-on: ubuntu-latest
     name: Check whether to skip build and tests
     outputs:
-      skip-ci: ${{ steps.check-changed-files.outputs.skip-ci }}
-    env:
-      SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }}
+      skip-ci: ${{ steps.maybe-skip-ci.outputs.skip-ci }}
     steps:
+      # We only allow use of conditional skip in two scenarios:
+      #   1. PRs
+      #   2. Pushes (merges) to protected branches (`main`, `release/**`)
+      #
+      # The second scenario is the only place we can be sure that checking just the
+      # latest change on the branch is sufficient. In PRs, we need to check _all_ commits.
+      # The ability to do this is ultimately determined by the triggers of the calling
+      # workflow, since `base_ref` (the target branch of a PR) is only available in
+      # `pull_request` events, not `push`.
+      - name: Error if conditional check is not allowed
+        if: ${{ !github.base_ref && !github.ref_protected }}
+        run: |
+          echo "Conditional skip requires a PR event with 'base_ref' or 'push' to a protected branch."
+          echo "github.base_ref: ${{ github.base_ref }}"
+          echo "github.ref_protected: ${{ github.ref_protected }}"
+          echo "github.ref_name: ${{ github.ref_name }}"
+          echo "Check the triggers of the calling workflow to ensure that these requirements are met."
+          exit 1
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
-      - name: Check changed files
-        id: check-changed-files
-        run: ./.github/scripts/check_skip_ci.sh
+      - name: Check for skippable file changes
+        id: changed-files
+        uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45.0.1
+        with:
+          # This is a multi-line YAML string with one match pattern per line.
+          # Do not use quotes around values, as it's not supported.
+          # See https://github.com/tj-actions/changed-files/blob/main/README.md#inputs-%EF%B8%8F
+          # for usage, options, and more details on match syntax.
+          files: |
+            .github/workflows/reusable-conditional-skip.yml
+            LICENSE
+            .copywrite.hcl
+            .gitignore
+            **.md
+            assets/**
+            .changelog/**
+      - name: Print changed files
+        env:
+          SKIPPABLE_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+          NON_SKIPPABLE_FILES: ${{ steps.changed-files.outputs.other_changed_files }}
+        run: |
+          echo "Skippable changed files:"
+          for file in ${SKIPPABLE_CHANGED_FILES}; do echo "  $file"; done
+          echo
+          echo "Non-skippable files:"
+          for file in ${NON_SKIPPABLE_FILES}; do echo "  $file"; done
+      - name: Skip tests and build if only skippable files changed
+        id: maybe-skip-ci
+        if: ${{ steps.changed-files.outputs.only_changed == 'true' }}
+        run: |
+          echo "Skipping tests and build because only skippable files changed"
+          echo "skip-ci=true" >> $GITHUB_OUTPUT

.github/workflows/reusable-conditional-skip.yml

@@ -1,3 +1,5 @@
+# This job runs a non-blocking informational security scan on the repository.
+# For release-blocking security scans, see .release/security-scan.hcl.
 name: Security Scan
 
 on:
@@ -9,20 +11,20 @@ on:
     branches:
       - main
       - release/**
+    # paths-ignore only works for non-required checks.
+    # Jobs that are required for merge must use reusable-conditional-skip.yml.
+    paths-ignore:
+      - 'assets/**'
+      - '.changelog/**'
 
 # cancel existing runs of the same workflow on the same ref
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
 jobs:
-  conditional-skip:
-    uses: ./.github/workflows/reusable-conditional-skip.yml
-
   get-go-version:
     # Cascades down to test jobs
-    needs: [ conditional-skip ]
-    if: needs.conditional-skip.outputs.skip-ci != 'true'
     uses: ./.github/workflows/reusable-get-go-version.yml
 
   scan:
@@ -46,7 +48,7 @@ jobs:
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           repository: hashicorp/security-scanner
-          token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
+          token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
           path: security-scanner
           ref: main
 

.github/workflows/security-scan.yml

@@ -1,7 +1,7 @@
 # Dispatch to the consul-k8s-workflows with a weekly cron
 #
 # A separate file is needed for each release because the cron schedules are different for each release.
-name: weekly-acceptance-1-5-x
+name: weekly-acceptance-1-4-0-rc1
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
@@ -10,7 +10,7 @@ on:
 
 # these should be the only settings that you will ever need to change
 env:
-  BRANCH: "release/1.5.x"
+  BRANCH: "release/1.4.0-rc1"
   CONTEXT: "weekly"
 
 jobs:

.github/workflows/weekly-acceptance-1-5-x.yml .github/workflows/weekly-acceptance-1-4-0-rc1.yml

@@ -1 +1 @@
-1.22.4
+1.22.7

.go-version

@@ -1,3 +1,54 @@
+## 1.5.3 (August 30, 2024)
+
+SECURITY:
+
+* Bump Go to 1.22.5 to address [CVE-2024-24791](https://nvd.nist.gov/vuln/detail/CVE-2024-24791) [[GH-4228](https://github.com/hashicorp/consul-k8s/issues/4228)]
+* Upgrade Docker cli to use v.27.1. This addresses CVE
+[CVE-2024-41110](https://nvd.nist.gov/vuln/detail/CVE-2024-41110) [[GH-4228](https://github.com/hashicorp/consul-k8s/issues/4228)]
+
+IMPROVEMENTS:
+
+* docker: update go-discover binary [[GH-4287](https://github.com/hashicorp/consul-k8s/issues/4287)]
+* docker: update ubi base image to `ubi9-minimal:9.4`. [[GH-4287](https://github.com/hashicorp/consul-k8s/issues/4287)]
+* helm: Adds `webhookCertManager.resources` field which can be configured to override the `resource` settings for the `webhook-cert-manager` deployment. [[GH-4184](https://github.com/hashicorp/consul-k8s/issues/4184)]
+* helm: Adds `connectInject.apiGateway.managedGatewayClass.resourceJob.resources` field which can be configured to override the `resource` settings for the `gateway-resources-job` job. [[GH-4184](https://github.com/hashicorp/consul-k8s/issues/4184)]
+* config-entry: add validate_clusters to mesh config entry [[GH-4256](https://github.com/hashicorp/consul-k8s/issues/4256)]
+* helm: Kubernetes v1.30 is now supported. Minimum tested version of Kubernetes is now v1.27. [[GH-4244](https://github.com/hashicorp/consul-k8s/issues/4244)]
+
+BUG FIXES:
+
+* Fixes install of Consul on GKE Autopilot where the option 'manageNonStandardCRDs' was not being used for the TCPRoute CRD. [[GH-4213](https://github.com/hashicorp/consul-k8s/issues/4213)]
+* api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified [[GH-4247](https://github.com/hashicorp/consul-k8s/issues/4247)]
+* helm: adds imagePullSecret to the gateway-resources job and the gateway-cleanup job, would fail before if the image was in a private registry [[GH-4210](https://github.com/hashicorp/consul-k8s/issues/4210)]
+* openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior.
+This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical. [[GH-4227](https://github.com/hashicorp/consul-k8s/issues/4227)]
+* sync-catalog: fix infinite retry loop when the catalog fails to connect to consul-server during the sync process [[GH-4266](https://github.com/hashicorp/consul-k8s/issues/4266)]
+* terminating-gateways: Fix bug where namespace field was not correctly set on ACL policies if using the `Registration` CRD with the service's namespace unset. [[GH-4224](https://github.com/hashicorp/consul-k8s/issues/4224)]
+
+## 1.5.2 (August 29, 2024)
+
+Release redacted, use `1.5.3`
+
+## 1.5.1 (July 16, 2024)
+
+SECURITY:
+
+* Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791) [[GH-4154](https://github.com/hashicorp/consul-k8s/issues/4154)]
+* Upgrade go-retryablehttp to v0.7.7 to address [GHSA-v6v8-xj6m-xwqh](https://github.com/advisories/GHSA-v6v8-xj6m-xwqh) [[GH-4169](https://github.com/hashicorp/consul-k8s/issues/4169)]
+
+IMPROVEMENTS:
+
+* api-gateways: Change security settings to make root file system read only and to not allow privilage escalation. [[GH-3959](https://github.com/hashicorp/consul-k8s/issues/3959)]
+* control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift. [[GH-4152](https://github.com/hashicorp/consul-k8s/issues/4152)]
+* partition-init: Role no longer includes unnecessary access to Secrets resource. [[GH-4053](https://github.com/hashicorp/consul-k8s/issues/4053)]
+
+BUG FIXES:
+
+* api-gateway: fix issue where API Gateway specific acl roles/policy were not being cleaned up on deletion of an api-gateway [[GH-4060](https://github.com/hashicorp/consul-k8s/issues/4060)]
+* connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar [[GH-4152](https://github.com/hashicorp/consul-k8s/issues/4152)]
+* endpoints-controller: graceful shutdown logic should not run on a new pod with the same name. Fixes a case where statefulset rollouts could get stuck in graceful shutdown when the new pods come up. [[GH-4059](https://github.com/hashicorp/consul-k8s/issues/4059)]
+* terminating-gateway: Fix generated acl policy for external services to include the namespace and partition block if they are enabled. [[GH-4153](https://github.com/hashicorp/consul-k8s/issues/4153)]
+
 ## 1.5.0 (June 13, 2024)
 
 > NOTE: Consul K8s 1.5.x is compatible with Consul 1.19.x and Consul Dataplane 1.5.x. Refer to our [compatibility matrix](https://developer.hashicorp.com/consul/docs/k8s/compatibility) for more info.