
Backport of added check if anonymous token policy exists into release/1.0.x#2862

Closed
hc-github-team-consul-core wants to merge 344 commits intorelease/1.0.xfrom
backport/NET-5174/anonymous-token-policy/legally-humble-fawn

Conversation

@hc-github-team-consul-core
Collaborator

Backport

This PR is auto-generated from #2790 to be assessed for backporting due to the inclusion of the label backport/1.0.x.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@aahel
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul-k8s/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


Changes proposed in this PR:

Prevent updating anonymous token if it already exists and is attached to the anonymous token policy

How I've tested this PR:

  • set up the default partition and create a non-default partition called my-partition.
  • modified the anonymous token policy rule.
  • created helm deployment in my-partition using acl bootstrap token with the following policies.
    acl = "read"
    operator = "read"
    agent_prefix "" {
      policy = "read"
    }
    partition "my-partition" {
      acl = "write"
      mesh = "write"
      peering = "write"
      namespace_prefix "" {
        policy = "write"
      }
      service_prefix "" {
        policy = "write"
      }
    }
  • server-acl-init was successful and anonymous token policy rule didn't get updated

How I expect reviewers to test this PR:

Checklist:
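The idempotency check the PR describes (skip the token update when the anonymous token already links the policy), as an added Go example that is not code from consul-k8s or from the PR itself: it models the two ACL API calls behind a small interface plus an in-memory fake, assumes Consul's well-known anonymous token accessor ID and a policy named anonymous-token-policy, and reports whether a write actually happened so a second run of server-acl-init leaves the token untouched.

```go
package main

import (
	"errors"
	"fmt"
)

// PolicyLink is the (ID, Name) pair Consul uses to attach a policy to a token.
type PolicyLink struct {
	ID   string
	Name string
}

// Token is the subset of an ACL token that the check below needs.
type Token struct {
	AccessorID string
	Policies   []PolicyLink
}

// ACLClient abstracts the two ACL API calls the reconcile step uses,
// so the logic can be exercised against an in-memory fake.
type ACLClient interface {
	TokenRead(accessorID string) (*Token, error)
	TokenUpdate(tok *Token) error
}

const (
	// Well-known accessor ID of Consul's built-in anonymous token.
	anonymousTokenAccessorID = "00000000-0000-0000-0000-000000000002"
	// Assumed policy name; the PR only calls it the "anonymous token policy".
	anonymousPolicyName = "anonymous-token-policy"
)

// hasPolicy reports whether tok already links a policy with the given name.
func hasPolicy(tok *Token, name string) bool {
	for _, p := range tok.Policies {
		if p.Name == name {
			return true
		}
	}
	return false
}

// EnsureAnonymousPolicy attaches (policyID, policyName) to the anonymous token
// unless it is already attached. It returns true only when an update was sent,
// so repeated runs of server-acl-init are no-ops for an already-configured token.
func EnsureAnonymousPolicy(c ACLClient, policyID, policyName string) (bool, error) {
	tok, err := c.TokenRead(anonymousTokenAccessorID)
	if err != nil {
		return false, fmt.Errorf("reading anonymous token: %w", err)
	}
	if hasPolicy(tok, policyName) {
		// Already attached: leave the token and any other links untouched.
		return false, nil
	}
	tok.Policies = append(tok.Policies, PolicyLink{ID: policyID, Name: policyName})
	if err := c.TokenUpdate(tok); err != nil {
		return false, fmt.Errorf("updating anonymous token: %w", err)
	}
	return true, nil
}

// FakeACL is an in-memory stand-in for the Consul ACL client (constructed for
// this example). Updates counts how many writes the check performed.
type FakeACL struct {
	tokens  map[string]*Token
	Updates int
}

// NewFakeACL seeds the fake with an anonymous token carrying the given links.
func NewFakeACL(existing ...PolicyLink) *FakeACL {
	return &FakeACL{tokens: map[string]*Token{
		anonymousTokenAccessorID: {AccessorID: anonymousTokenAccessorID, Policies: existing},
	}}
}

func (f *FakeACL) TokenRead(id string) (*Token, error) {
	t, ok := f.tokens[id]
	if !ok {
		return nil, errors.New("token not found")
	}
	// Return a copy so callers cannot mutate the store without TokenUpdate.
	cp := *t
	cp.Policies = append([]PolicyLink(nil), t.Policies...)
	return &cp, nil
}

func (f *FakeACL) TokenUpdate(tok *Token) error {
	if _, ok := f.tokens[tok.AccessorID]; !ok {
		return errors.New("token not found")
	}
	f.tokens[tok.AccessorID] = tok
	f.Updates++
	return nil
}

// PolicyCount returns how many policies the stored anonymous token links.
func (f *FakeACL) PolicyCount() int {
	return len(f.tokens[anonymousTokenAccessorID].Policies)
}

func main() {
	c := NewFakeACL()
	for i := 1; i <= 2; i++ {
		updated, err := EnsureAnonymousPolicy(c, "policy-id-1", anonymousPolicyName)
		fmt.Printf("run %d: updated=%v err=%v\n", i, updated, err)
	}
	fmt.Printf("writes=%d policies=%d\n", c.Updates, c.PolicyCount())
}
```

Matching on the policy name rather than the ID is what makes the check survive a policy that was recreated with a new ID but the same name; if the operator's policy is also edited in place, the rule update belongs to the policy object, not to the token link, which is why the token is left alone once the link exists.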


Overview of commits

wilkermichael and others added 30 commits March 2, 2023 12:02
* fix grammar in changelog checker

* add backport checker
Support automatic ACL bootstrapping with the Vault secrets backend

With the Vault secrets backend, server-acl-init now:
* Runs the Vault agent as a sidecar
* Bootstraps ACLs if the Vault bootstrap token is empty or not found,
  and writes the bootstrap token back to Vault via the Vault agent

The Kubernetes backend will write the bootstrap token to the
user-provided secret if that secret is empty. The Vault behavior is
the same.

The Vault backend writes to a default secret name if the secretName
and secretKey are not set in the helm chart values.

server-acl-init reads the secret directly from k8s or Vault.
* Remove -bootstrap-token-file flag from server-acl-init and remove the
* Remove the volume/mount for bootstrap token

---------

Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>
* update charts to point to 1.15.1

* updated consul libraries to the latest
…roller

Add SNI skip for client node configuration
…`null` to increase service registration times (#2008)

* Update values.yaml
Clients are not required for ingress/terminating gateways.
Website has linting that errors when links have the
developer.hashicorp.com prefix.
…shicorp/consul-k8s into bug/gateway-controller-incomplete-acl
[COMPLIANCE] add copyright headers to files
…lete-acl

Update ACLs, add namespace.write permission
Ashwin Venkatesh and others added 23 commits July 28, 2023 16:08
* Bump golang.org/x/net to 0.12.0 in cni

This was missed in 5b57e63 as part of a
general upgrade of that dependency.

* Bump server-connection-manager to v0.1.3

Tidying up following CVE dependency bumps, leading to a new release of
this library.
* Fix default Ent image tag in acceptance tests

Rather than hard-coding the Docker repository and parsing the non-Ent
image tag for a version, simply replace the image name and retain other
coordinates. This is consistent with our tagging scheme introduced in
hashicorp/consul#13541 and will allow for using
`hashicorppreview` images seamlessly regardless of whether OSS or Ent is
being tested.

* Add make target for loading images in kind

Complement other multi-cluster make targets by supporting image loading
across kind clusters.
increase timeout while waiting for server to be ready and fix require.Equal check
* Increase the retries and add config entry retries
…ing on OpenShift (#2184)

Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>
* Adds port mapping to Gateway Class Config to avoid running container on privileged ports

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
* Implement validation of TLS options

* Use constants for annotation keys

* Add changelog entry

* Implement TLS options translation

* Update changelog entry

* Add unit test coverage for TLS option validation

* Code review feedback
* JWT auth basic acceptance test

* Update to run only in enterprise mode, update comment to be correct

* Remove usage of `testing.t` in retry block

* Fixed last `t` in retry block in tests

* Update acceptance/tests/api-gateway/api_gateway_test.go

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* Update acceptance/tests/api-gateway/api_gateway_test.go

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* Updating filenames for gw jwt cases and adding message about why this
test is skipped

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
Apply K8s node locality to services and sidecars

Locality-aware routing is based on proxy locality rather than the
proxied service. Ensure we propagate locality to both when registering
services.
* Set privileged to false unless on OpenShift without CNI
* added fixtures

* removed fixtures
- intentions only gets added now if acls are enabled
- payment-service-resolver is only for locality aware which isn't in scope for this PR

* updated sameness tests to include peering
- refactored with some helper functions for members (now TestClusters)
- made names more uniform, tend more towards the cluster-01-a/cluster-02-a/etc. nomenclature

* added 4 clusters to cni make target

* disable proxy lifecycle
* add additional tproxy static-client
- this doesn't specify an upstream so that tproxy will be able to handle routing

* add tproxy coverage
- add control-flow to handle using the virtual host name when tproxy is enabled
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/NET-5174/anonymous-token-policy/legally-humble-fawn branch from e1fa0a7 to 598be58 Compare August 30, 2023 05:24
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/NET-5174/anonymous-token-policy/legally-humble-fawn branch from 598be58 to e1fa0a7 Compare August 30, 2023 05:24
@hashicorp-cla

hashicorp-cla commented Aug 30, 2023

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


16 out of 17 committers have signed the CLA.

  • hashicorp-copywrite[bot]
  • hc-github-team-consul-core
  • thisisnotashwin
  • nathancoleman
  • chapmanc
  • DanStough
  • curtbushko
  • 20sr20
  • zalimeni
  • skpratt
  • aahel
  • wilkermichael
  • Ganeshrockz
  • jm96441n
  • markcampv
  • missylbytes
  • Paul Glass

Paul Glass seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

@aahel aahel closed this Aug 30, 2023
@aahel aahel deleted the backport/NET-5174/anonymous-token-policy/legally-humble-fawn branch August 30, 2023 07:50